diff --git a/.github/workflows/lint-specs.yml b/.github/workflows/lint-specs.yml index a5cd33357f6..939efc9d261 100644 --- a/.github/workflows/lint-specs.yml +++ b/.github/workflows/lint-specs.yml @@ -77,19 +77,23 @@ jobs: # Set continue-on-error to true if we're blocking too many PRs here # We don't want this tool to have a low signal-to-noise ratio - name: Lint changed spec files - continue-on-error: true run: | - mkdir -p linted_specs - spec-cleaner -o linted_specs ${{ env.updated-specs }} - [ -n "$(ls -A linted_specs)" ] \ - && echo "Specs are not correctly formatted." \ - && echo "The linted_specs artifact contains linted versions of the specs you're checking in." \ - && echo "Please properly format your specs according to that output before merging." \ - && exit 1 + touch linted_specs.diff + spec-cleaner -d --diff-prog="git --no-pager diff" ${{ env.updated-specs }} | tee linted_specs.diff + if [ -s linted_specs.diff ] + then + echo -e "\n====================== LINTING FAILED ======================" + echo "Specs are not correctly formatted." + echo "A diff of the changes required is printed above." + echo "Linting output is available in the linted_specs artifact." + echo "Please properly format your specs according to the output before merging." + exit 1 + fi + exit 0 - uses: actions/upload-artifact@v2 + if: ${{ always() }} with: name: linted_specs - path: linted_specs + path: linted_specs.diff if-no-files-found: ignore - if: always() diff --git a/.github/workflows/quickstart.yml b/.github/workflows/quickstart_1.0.yml similarity index 75% rename from .github/workflows/quickstart.yml rename to .github/workflows/quickstart_1.0.yml index 33643c2bd07..d13ad062e1e 100644 --- a/.github/workflows/quickstart.yml +++ b/.github/workflows/quickstart_1.0.yml @@ -3,7 +3,7 @@ # # Workflow to automatedly verify the quickstart instructions -name: Verify Quickstart +name: Verify Quickstart 1.0 on: workflow_dispatch: 
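Review bot: In the rewritten `Lint changed spec files` step the exit status of `spec-cleaner` is hidden behind `| tee linted_specs.diff`, so the step passes whenever the diff file ends up empty, including when spec-cleaner itself fails without printing a diff. The same change drops `continue-on-error: true` and turns this into a blocking gate, so it should fail closed: add `set -o pipefail` as the first line of the script, or test `${PIPESTATUS[0]}` after the pipeline (first confirm which exit code `spec-cleaner -d` returns when it does find differences, and whether a `shell:` default outside this hunk already sets pipefail). Separately, `${{ env.updated-specs }}` is pasted into the script text before the shell runs. The value is set outside this hunk; if it is built from file names in the pull request, a crafted name would be parsed as shell syntax. Passing it through an `env:` entry with a shell-safe name and reading it as a shell variable avoids that.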
@@ -11,7 +11,7 @@ on: - cron: "0 15 * * *" jobs: - iso_quickstart: + get_input-srpms: runs-on: ubuntu-18.04 steps: @@ -32,13 +32,34 @@ jobs: sudo apt-get update sudo apt -y install make tar wget curl rpm qemu-utils genisoimage pigz - - name: Configure the Environment + - name: Download SRPMS run: | pushd toolkit sudo make go-tools REBUILD_TOOLS=y sudo make input-srpms DOWNLOAD_SRPMS=y popd + iso_quickstart: + runs-on: ubuntu-18.04 + + steps: + - name: Checkout + uses: actions/checkout@v2.3.2 + with: + ref: '1.0-stable' + + - name: Set up Go 1.13 + uses: actions/setup-go@v2 + with: + go-version: 1.13 + id: go + + - name: Install Remaining Prerequisites + run: | + # Golang and docker are already installed on the agent + sudo apt-get update + sudo apt -y install make tar wget curl rpm qemu-utils genisoimage pigz + - name: ISO Quick Start run: | pushd toolkit @@ -66,13 +87,6 @@ jobs: sudo apt-get update sudo apt -y install make tar wget curl rpm qemu-utils genisoimage pigz - - name: Configure Environment - run: | - pushd toolkit - sudo make go-tools REBUILD_TOOLS=y - sudo make input-srpms DOWNLOAD_SRPMS=y - popd - - name: VHDX Quick Start run: | pushd toolkit diff --git a/README.md b/README.md index da432ea81db..d6579860806 100644 --- a/README.md +++ b/README.md 
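Review bot: The steps added to the new `iso_quickstart` job reference actions by mutable tag (`actions/checkout@v2.3.2`, `actions/setup-go@v2`), and the job goes on to run `sudo` commands on the runner, so the integrity of this workflow depends on those tags never being moved. Pinning each action to a full commit SHA with the tag kept as a comment, e.g. `uses: actions/setup-go@<full-commit-sha> # v2`, removes that dependency. Also, `get_input-srpms` and `iso_quickstart` are now separate jobs with no `needs:` or artifact hand-off visible in this hunk, so nothing downloaded in the first job is available to the second. If the quick start is expected to reuse the SRPMs, that link is missing; if the jobs are meant to be independent, a one-line comment saying so would help. The `ISO Quick Start` step body continues outside the hunk.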
@@ -1,5 +1,9 @@ # CBL-Mariner +| Release Branch | Status | +| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| 1.0 | [![1.0 Status](https://github.com/microsoft/CBL-Mariner/workflows/Verify%20Quickstart%201.0/badge.svg)](https://github.com/microsoft/CBL-Mariner/actions?query=workflow%3A%22Verify+Quickstart+1.0%22) | + CBL-Mariner is an internal Linux distribution for Microsoft’s cloud infrastructure and edge products and services. CBL-Mariner is designed to provide a consistent platform for these devices and services and will enhance Microsoft’s ability to stay current on Linux updates. This initiative is part of Microsoft’s increasing investment in a wide range of Linux technologies, such as [SONiC](https://azure.microsoft.com/en-us/blog/sonic-the-networking-switch-software-that-powers-the-microsoft-global-cloud/), [Azure Sphere OS](https://docs.microsoft.com/en-us/azure-sphere/product-overview/what-is-azure-sphere) and [Windows Subsystem for Linux (WSL)](https://docs.microsoft.com/en-us/windows/wsl/about). CBL-Mariner is being shared publicly as part of Microsoft’s commitment to Open Source and to contribute back to the Linux community. CBL-Mariner does not change our approach or commitment to any existing third-party Linux distribution offerings. CBL-Mariner has been engineered with the notion that a small common core set of packages can address the universal needs of first party cloud and edge services while allowing individual teams to layer additional packages on top of the common core to produce images for their workloads. This is made possible by a simple build system that enables: 
diff --git a/SPECS-SIGNED/grub2-efi-binary-signed-aarch64/grub2-efi-binary-signed-aarch64.spec b/SPECS-SIGNED/grub2-efi-binary-signed-aarch64/grub2-efi-binary-signed-aarch64.spec index 1a539e29a5d..bfb5d43560c 100644 --- a/SPECS-SIGNED/grub2-efi-binary-signed-aarch64/grub2-efi-binary-signed-aarch64.spec +++ b/SPECS-SIGNED/grub2-efi-binary-signed-aarch64/grub2-efi-binary-signed-aarch64.spec @@ -2,12 +2,11 @@ Summary: Signed GRand Unified Bootloader for aarch64 systems Name: grub2-efi-binary-signed-aarch64 Version: 2.02 -Release: 24%{?dist} -URL: https://www.gnu.org/software/grub +Release: 25%{?dist} License: GPLv3+ Vendor: Microsoft Corporation Distribution: Mariner - +URL: https://www.gnu.org/software/grub # This package's "version" and "release" must reflect the unsigned version that # was signed. # An important consequence is that when making a change to this package, the @@ -22,10 +21,8 @@ Distribution: Mariner # 4. Build this spec Source0: grub2-efi-unsigned-%{version}-%{release}.aarch64.rpm Source1: grubaa64.efi - -ExclusiveArch: aarch64 - Conflicts: grub2-efi-binary +ExclusiveArch: aarch64 %description This package contains the GRUB EFI image signed for secure boot. The package is @@ -43,5 +40,8 @@ cp %{SOURCE1} %{buildroot}/boot/efi/EFI/BOOT/grubaa64.efi /boot/efi/EFI/BOOT/grubaa64.efi %changelog +* Tue Nov 03 2020 Pawel Winogrodzki - 2.02-25 +- Updating release to be aligned with the unsigned bits. + * Thu Aug 13 2020 Chris Co 2.02-24 -- Original version for CBL-Mariner. \ No newline at end of file +- Original version for CBL-Mariner. diff --git a/SPECS-SIGNED/grub2-efi-binary-signed-x64/grub2-efi-binary-signed-x64.spec b/SPECS-SIGNED/grub2-efi-binary-signed-x64/grub2-efi-binary-signed-x64.spec index b90a7dcc136..965cf6c4668 100644 --- a/SPECS-SIGNED/grub2-efi-binary-signed-x64/grub2-efi-binary-signed-x64.spec +++ b/SPECS-SIGNED/grub2-efi-binary-signed-x64/grub2-efi-binary-signed-x64.spec 
@@ -2,12 +2,11 @@ Summary: Signed GRand Unified Bootloader for x86_64 systems Name: grub2-efi-binary-signed-x64 Version: 2.02 -Release: 24%{?dist} -URL: https://www.gnu.org/software/grub +Release: 25%{?dist} License: GPLv3+ Vendor: Microsoft Corporation Distribution: Mariner - +URL: https://www.gnu.org/software/grub # This package's "version" and "release" must reflect the unsigned version that # was signed. # An important consequence is that when making a change to this package, the @@ -22,10 +21,8 @@ Distribution: Mariner # 4. Build this spec Source0: grub2-efi-unsigned-%{version}-%{release}.x86_64.rpm Source1: grubx64.efi - -ExclusiveArch: x86_64 - Conflicts: grub2-efi-binary +ExclusiveArch: x86_64 %description This package contains the GRUB EFI image signed for secure boot. The package is @@ -43,5 +40,8 @@ cp %{SOURCE1} %{buildroot}/boot/efi/EFI/BOOT/grubx64.efi /boot/efi/EFI/BOOT/grubx64.efi %changelog +* Tue Nov 03 2020 Pawel Winogrodzki - 2.02-25 +- Updating release to be aligned with the unsigned bits. + * Thu Aug 13 2020 Chris Co 2.02-24 -- Original version for CBL-Mariner. \ No newline at end of file +- Original version for CBL-Mariner. diff --git a/SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec b/SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec index b5863ca549a..379aeebbb05 100644 --- a/SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec +++ b/SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec 
@@ -1,14 +1,14 @@ %global debug_package %{nil} +%define uname_r %{version}-%{release} Summary: Signed Linux Kernel for aarch64 systems Name: kernel-signed-aarch64 -Version: 5.4.51 -Release: 11%{?dist} +Version: 5.4.72 +Release: 3%{?dist} License: GPLv2 -URL: https://github.com/microsoft/WSL2-Linux-Kernel -Group: System Environment/Kernel Vendor: Microsoft Corporation Distribution: Mariner - +Group: System Environment/Kernel +URL: https://github.com/microsoft/WSL2-Linux-Kernel # This package's "version" and "release" must reflect the unsigned version that # was signed. # An important consequence is that when making a change to this package, the @@ -23,18 +23,13 @@ Distribution: Mariner # 4. Build this spec Source0: kernel-%{version}-%{release}.aarch64.rpm Source1: vmlinuz-%{version}-%{release} - -ExclusiveArch: aarch64 - BuildRequires: cpio Requires: filesystem Requires: kmod Requires(post): coreutils Requires(postun): coreutils - Conflicts: kernel - -%define uname_r %{version}-%{release} +ExclusiveArch: aarch64 %description This package contains the Linux kernel package with kernel signed with the production key 
@@ -85,29 +80,51 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %config %{_localstatedir}/lib/initramfs/kernel/%{uname_r} %changelog -* Fri Oct 16 2020 Suresh Babu Chalamalasetty 5.4.51-11 -- Update release number -* Fri Oct 02 2020 Chris Co 5.4.51-10 -- Update release number to match kernel spec -* Fri Oct 02 2020 Chris Co 5.4.51-9 -- Update release number -* Wed Sep 30 2020 Emre Girgin 5.4.51-8 -- Update postun script to deal with removal in case of another installed kernel. -* Fri Sep 25 2020 Suresh Babu Chalamalasetty 5.4.51-7 -- Update release number -* Wed Sep 23 2020 Daniel McIlvaney 5.4.51-6 -- Update release number -* Thu Sep 03 2020 Daniel McIlvaney 5.4.51-5 -- Update release number -* Thu Sep 03 2020 Chris Co 5.4.51-4 -- Update release number -* Thu Sep 03 2020 Chris Co 5.4.51-3 -- Add missing requires -* Tue Sep 01 2020 Chris Co 5.4.51-2 -- Update release number -* Wed Aug 19 2020 Chris Co 5.4.51-1 -- Update source to 5.4.51 -* Wed Aug 19 2020 Chris Co 5.4.42-12 -- Update release number -* Tue Aug 18 2020 Chris Co 5.4.42-11 -- Original version for CBL-Mariner. +* Mon Nov 16 2020 Suresh Babu Chalamalasetty - 5.4.72-3 +- Update release number + +* Tue Nov 10 2020 Suresh Babu Chalamalasetty - 5.4.72-2 +- Update release number + +* Mon Oct 26 2020 Chris Co - 5.4.72-1 +- Update source to 5.4.72 +- Lint spec + +* Fri Oct 16 2020 Suresh Babu Chalamalasetty - 5.4.51-11 +- Update release number + +* Fri Oct 02 2020 Chris Co - 5.4.51-10 +- Update release number to match kernel spec + +* Fri Oct 02 2020 Chris Co - 5.4.51-9 +- Update release number + +* Wed Sep 30 2020 Emre Girgin - 5.4.51-8 +- Update postun script to deal with removal in case of another installed kernel. 
+ +* Fri Sep 25 2020 Suresh Babu Chalamalasetty - 5.4.51-7 +- Update release number + +* Wed Sep 23 2020 Daniel McIlvaney - 5.4.51-6 +- Update release number + +* Thu Sep 03 2020 Daniel McIlvaney - 5.4.51-5 +- Update release number + +* Thu Sep 03 2020 Chris Co - 5.4.51-4 +- Update release number + +* Thu Sep 03 2020 Chris Co - 5.4.51-3 +- Add missing requires + +* Tue Sep 01 2020 Chris Co - 5.4.51-2 +- Update release number + +* Wed Aug 19 2020 Chris Co - 5.4.51-1 +- Update source to 5.4.51 + +* Wed Aug 19 2020 Chris Co - 5.4.42-12 +- Update release number + +* Tue Aug 18 2020 Chris Co - 5.4.42-11 +- Original version for CBL-Mariner. diff --git a/SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec b/SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec index d5aa308a4af..ad5022c6bf5 100644 --- a/SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec +++ b/SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec @@ -1,14 +1,14 @@ %global debug_package %{nil} +%define uname_r %{version}-%{release} Summary: Signed Linux Kernel for x86_64 systems Name: kernel-signed-x64 -Version: 5.4.51 -Release: 11%{?dist} +Version: 5.4.72 +Release: 3%{?dist} License: GPLv2 -URL: https://github.com/microsoft/WSL2-Linux-Kernel -Group: System Environment/Kernel Vendor: Microsoft Corporation Distribution: Mariner - +Group: System Environment/Kernel +URL: https://github.com/microsoft/WSL2-Linux-Kernel # This package's "version" and "release" must reflect the unsigned version that # was signed. # An important consequence is that when making a change to this package, the 
@@ -23,18 +23,13 @@ Distribution: Mariner # 4. Build this spec Source0: kernel-%{version}-%{release}.x86_64.rpm Source1: vmlinuz-%{version}-%{release} - -ExclusiveArch: x86_64 - BuildRequires: cpio Requires: filesystem Requires: kmod Requires(post): coreutils Requires(postun): coreutils - Conflicts: kernel - -%define uname_r %{version}-%{release} +ExclusiveArch: x86_64 %description This package contains the Linux kernel package with kernel signed with the production key 
@@ -85,29 +80,51 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %config %{_localstatedir}/lib/initramfs/kernel/%{uname_r} %changelog -* Fri Oct 16 2020 Suresh Babu Chalamalasetty 5.4.51-11 -- Update release number -* Fri Oct 02 2020 Chris Co 5.4.51-10 -- Update release number to match kernel spec -* Fri Oct 02 2020 Chris Co 5.4.51-9 -- Update release number -* Wed Sep 30 2020 Emre Girgin 5.4.51-8 -- Update postun script to deal with removal in case of another installed kernel. -* Fri Sep 25 2020 Suresh Babu Chalamalasetty 5.4.51-7 -- Update release number -* Wed Sep 23 2020 Daniel McIlvaney 5.4.51-6 -- Update release number -* Thu Sep 03 2020 Daniel McIlvaney 5.4.51-5 -- Update release number -* Thu Sep 03 2020 Chris Co 5.4.51-4 -- Update release number -* Thu Sep 03 2020 Chris Co 5.4.51-3 -- Add missing requires -* Tue Sep 01 2020 Chris Co 5.4.51-2 -- Update release number -* Wed Aug 19 2020 Chris Co 5.4.51-1 -- Update source to 5.4.51 -* Wed Aug 19 2020 Chris Co 5.4.42-12 -- Update release number -* Tue Aug 18 2020 Chris Co 5.4.42-11 -- Original version for CBL-Mariner. +* Mon Nov 16 2020 Suresh Babu Chalamalasetty - 5.4.72-3 +- Update release number + +* Tue Nov 10 2020 Suresh Babu Chalamalasetty - 5.4.72-2 +- Update release number + +* Mon Oct 26 2020 Chris Co - 5.4.72-1 +- Update source to 5.4.72 +- Lint spec + +* Fri Oct 16 2020 Suresh Babu Chalamalasetty - 5.4.51-11 +- Update release number + +* Fri Oct 02 2020 Chris Co - 5.4.51-10 +- Update release number to match kernel spec + +* Fri Oct 02 2020 Chris Co - 5.4.51-9 +- Update release number + +* Wed Sep 30 2020 Emre Girgin - 5.4.51-8 +- Update postun script to deal with removal in case of another installed kernel. 
+ +* Fri Sep 25 2020 Suresh Babu Chalamalasetty - 5.4.51-7 +- Update release number + +* Wed Sep 23 2020 Daniel McIlvaney - 5.4.51-6 +- Update release number + +* Thu Sep 03 2020 Daniel McIlvaney - 5.4.51-5 +- Update release number + +* Thu Sep 03 2020 Chris Co - 5.4.51-4 +- Update release number + +* Thu Sep 03 2020 Chris Co - 5.4.51-3 +- Add missing requires + +* Tue Sep 01 2020 Chris Co - 5.4.51-2 +- Update release number + +* Wed Aug 19 2020 Chris Co - 5.4.51-1 +- Update source to 5.4.51 + +* Wed Aug 19 2020 Chris Co - 5.4.42-12 +- Update release number + +* Tue Aug 18 2020 Chris Co - 5.4.42-11 +- Original version for CBL-Mariner. diff --git a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md index d5ec285894e..ab9eddeac9c 100644 --- a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md +++ b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md @@ -2,7 +2,7 @@ The CBL-Mariner SPEC files originated from a variety of sources with varying lic | Origin | License | SPECS | |-----------|-----------------------------------|------------| -| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | attr
autoconf213
babeltrace2
brotli
calamares
catch
cpprest
cryptsetup
dnf
dos2unix
ebtables
extra-cmake-modules
gnu-efi
hardening-check
ipmitool
kde-settings
kexec-tools
kf5
kf5-kconfig
kf5-kcoreaddons
kf5-ki18n
kf5-kwidgetsaddons
kpmcore-3.3.0
libatasmart
libburn
libcgroup
libcomps
libdnf
libisoburn
libisofs
libpwquality
mokutil
mozjs60
open-vm-tools
openssl
p11-kit
qt5-qtbase
qt5-qtdeclarative
qt5-qtsvg
qt5-qttools
qt5-rpm-macros
squashfs-tools
websocketpp
words
yaml-cpp
zipper
| -| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | auoms
azure-iot-sdk-c
azure-iotedge
azure-storage-cpp
bond
ccache
clamav
cloud-hypervisor
dtc
fluent-bit
freefont
gflags
go-md2man
GSL
ivykis
jsonbuilder
libiothsm-std
libuv
libxml++
lttng-consume
mariner-release
mariner-repos
mariner-rpm-macros
mm-common
msgpack
nlohmann-json
omi
pcre2
perl-Test-Warnings
rocksdb
shim-unsigned-x64
span-lite
swupdate
tinyxml2
toml11
tracelogging
vala
zstd | +| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | attr
autoconf213
babeltrace2
brotli
calamares
catch
cpprest
cryptsetup
dnf
dos2unix
ebtables
extra-cmake-modules
gnu-efi
hardening-check
heimdal
ipmitool
ipv6calc
kde-settings
kexec-tools
kf5
kf5-kconfig
kf5-kcoreaddons
kf5-ki18n
kf5-kwidgetsaddons
kpmcore-3.3.0
libatasmart
libburn
libcgroup
libcomps
libdnf
libisoburn
libisofs
libpwquality
libxcrypt
mokutil
mozjs60
open-vm-tools
openssl
p11-kit
perl-JSON
qt5-qtbase
qt5-qtdeclarative
qt5-qtsvg
qt5-qttools
qt5-rpm-macros
squashfs-tools
websocketpp
words
yaml-cpp
zipper
| +| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | aspnetcore-runtime
auoms
azure-iot-sdk-c
azure-iotedge
azure-storage-cpp
bond
ccache
clamav
cloud-hypervisor
dtc
fluent-bit
freefont
gflags
go-md2man
GSL
ivykis
jsonbuilder
libiothsm-std
libuv
libxml++
lttng-consume
mariner-release
mariner-repos
mariner-rpm-macros
mm-common
msgpack
nlohmann-json
omi
pcre2
perl-Test-Warnings
rocksdb
shim-unsigned-x64
span-lite
swupdate
tinyxml2
toml11
tracelogging
vala
zstd | | Photon | [Photon License](LICENSE-PHOTON.md) and [Photon Notice](NOTICE.APACHE2).
Also see [LICENSE-EXCEPTIONS.PHOTON](LICENSE-EXCEPTIONS.PHOTON). | acl
alsa-lib
alsa-utils
ansible
ant
ant-contrib
apparmor
apr
apr-util
asciidoc
atftp
audit
autoconf
autoconf-archive
autofs
autogen
automake
babel
bash
bc
bcc
bind
binutils
bison
blktrace
boost
bridge-utils
btrfs-progs
bubblewrap
build-essential
bzip2
c-ares
ca-certificates
cairo
cdrkit
check
chkconfig
chrpath
cifs-utils
clang
cloud-init
cloud-utils-growpart
cmake
cni
core-packages
coreutils
cpio
cppunit
cracklib
crash
crash-gcore-command
createrepo_c
cri-tools
cronie
ctags
curl
cyrus-sasl
cython
dbus
dbus-glib
dejagnu
device-mapper-multipath
dhcp
dialog
diffutils
dkms
dmidecode
dnsmasq
docbook-dtd-xml
docbook-style-xsl
dosfstools
dotnet-runtime-3.1
dotnet-sdk-3.1
dracut
dstat
e2fsprogs
ed
efibootmgr
efivar
elfutils
erlang
etcd
ethtool
expat
expect
fcgi
file
filesystem
findutils
finger
flex
fontconfig
fping
freetype
fuse
gawk
gc
gcc
gdb
gdbm
gettext
git
glib
glib-networking
glibc
glibmm24
gmp
gnome-common
gnupg2
gnuplot
gnutls
gobject-introspection
golang
golang
gperf
gperftools
gpgme
gptfdisk
grep
groff
grub2
grub2-efi-binary-signed-aarch64
grub2-efi-binary-signed-x64
gtest
gtk-doc
guile
gzip
haproxy
harfbuzz
haveged
hdparm
http-parser
httpd
i2c-tools
iana-etc
icu
initramfs
initscripts
inotify-tools
intltool
iotop
iperf3
ipmitool
iproute
ipset
iptables
iputils
ipvsadm
ipxe
irqbalance
itstool
jansson
jna
jq
json-c
json-glib
kbd
keepalived
kernel
kernel-headers
kernel-hyperv
kernel-signed-aarch64
kernel-signed-x64
kexec-tools
keyutils
kmod
krb5
kubernetes
lapack
less
libaio
libarchive
libassuan
libatomic_ops
libcap
libcap-ng
libconfig
libdb
libdnet
libedit
libestr
libev
libevent
libfastjson
libffi
libgcrypt
libgpg-error
libgssglue
libgsystem
libgudev
libjpeg-turbo
libksba
liblogging
libmbim
libmnl
libmodulemd
libmpc
libmspack
libndp
libnetfilter_conntrack
libnetfilter_cthelper
libnetfilter_cttimeout
libnetfilter_queue
libnfnetlink
libnftnl
libnl3
libnsl2
libpcap
libpipeline
libpng
libpsl
libqmi
librelp
librepo
librsync
libseccomp
libselinux
libsepol
libserf
libsigc++20
libsolv
libsoup
libssh2
libtalloc
libtar
libtasn1
libtiff
libtirpc
libtool
libunistring
libunwind
libusb
libvirt
libwebp
libxml2
libxslt
libyaml
linux-firmware
lldb
lldpad
llvm
lm-sensors
lmdb
log4cpp
logrotate
lshw
lsof
lsscsi
ltrace
lttng-tools
lttng-ust
lua
lvm2
lz4
lzo
m2crypto
m4
make
man-db
man-pages
mariadb
maven
mc
mercurial
meson
mlocate
ModemManager
mpfr
msr-tools
mysql
nano
nasm
ncurses
ndctl
net-snmp
net-tools
nettle
newt
nfs-utils
nghttp2
nginx
ninja-build
nodejs
nodejs
npth
nspr
nss
nss-altfiles
ntp
numactl
numpy
nvme-cli
oniguruma
openipmi
openjdk8
openjdk8
openldap
openscap
openssh
openvswitch
ostree
pam
pango
parted
patch
pciutils
pcre
perl
perl-Canary-Stability
perl-CGI
perl-common-sense
perl-Crypt-SSLeay
perl-DBD-SQLite
perl-DBI
perl-DBIx-Simple
perl-Exporter-Tiny
perl-File-HomeDir
perl-File-Which
perl-IO-Socket-SSL
perl-JSON-Any
perl-JSON-XS
perl-libintl-perl
perl-List-MoreUtils
perl-Module-Build
perl-Module-Install
perl-Module-ScanDeps
perl-Net-SSLeay
perl-NetAddr-IP
perl-Object-Accessor
perl-Path-Class
perl-Try-Tiny
perl-Types-Serialiser
perl-WWW-Curl
perl-XML-Parser
perl-YAML
perl-YAML-Tiny
pgbouncer
pinentry
pixman
pkg-config
polkit
popt
postgresql
powershell
procps-ng
protobuf
protobuf-c
psmisc
pth
pyasn1-modules
pygobject3
pyOpenSSL
PyPAM
pyparsing
pytest
python-appdirs
python-asn1crypto
python-atomicwrites
python-attrs
python-backports-ssl_match_hostname
python-bcrypt
python-boto3
python-botocore
python-certifi
python-cffi
python-chardet
python-configobj
python-constantly
python-coverage
python-cryptography
python-daemon
python-dateutil
python-defusedxml
python-distro
python-docopt
python-docutils
python-ecdsa
python-enum34
python-futures
python-gevent
python-greenlet
python-hyperlink
python-hypothesis
python-idna
python-imagesize
python-incremental
python-iniparse
python-ipaddr
python-ipaddress
python-jinja2
python-jmespath
python-jsonpatch
python-jsonpointer
python-jsonschema
python-lockfile
python-lxml
python-m2r
python-mako
python-markupsafe
python-mistune
python-msgpack
python-netaddr
python-netifaces
python-ntplib
python-oauthlib
python-packaging
python-pam
python-pbr
python-pip
python-ply
python-prettytable
python-psutil
python-psycopg2
python-py
python-pyasn1
python-pycodestyle
python-pycparser
python-pycurl
python-Pygments
python-PyNaCl
python-pyvmomi
python-requests
python-setuptools
python-setuptools_scm
python-simplejson
python-six
python-snowballstemmer
python-sphinx
python-sphinx-theme-alabaster
python-sqlalchemy
python-Twisted
python-typing
python-urllib3
python-vcversioner
python-virtualenv
python-wcwidth
python-webob
python-websocket-client
python-werkzeug
python-zope-interface
python2
python3
pytz
PyYAML
rapidjson
readline
redis
rng-tools
rpcbind
rpcsvc-proto
rpm
rpm-ostree
rrdtool
rsync
rsyslog
ruby
rubygem-bundler
runc
rust
scons
sed
sg3_utils
shadow-utils
slang
snappy
socat
sqlite
sshpass
strace
strongswan
subversion
sudo
swig
syslinux
syslog-ng
sysstat
systemd
systemtap
tar
tboot
tcl
tcpdump
tcp_wrappers
tcsh
tdnf
telegraf
texinfo
tmux
tpm2-abrmd
tpm2-tools
tpm2-tss
traceroute
tree
trousers
tzdata
unbound
unixODBC
unzip
usbutils
userspace-rcu
utf8proc
util-linux
valgrind
vim
vsftpd
WALinuxAgent
wget
which
wpa_supplicant
xerces-c
xfsprogs
xinetd
xmlsec1
xmlto
xz
zchunk
zeromq
zip
zlib
zsh
| | OpenMamba | [Openmamba](https://openmamba.org/en/) | bash-completion
| \ No newline at end of file diff --git a/SPECS/ant/ant.spec b/SPECS/ant/ant.spec index 3b4a610fb78..8ff7a98b55c 100644 --- a/SPECS/ant/ant.spec +++ b/SPECS/ant/ant.spec @@ -1,23 +1,23 @@ +%define _prefix /var/opt/apache-%{name} +%define _bindir %{_prefix}/bin +%define _libdir %{_prefix}/lib Summary: Apache Ant Name: ant Version: 1.10.9 -Release: 1%{?dist} -License: ASL 2.0 and BSD and W3C -URL: https://ant.apache.org -Group: Applications/System +Release: 2%{?dist} +License: ASL 2.0 AND BSD AND W3C Vendor: Microsoft Corporation Distribution: Mariner -BuildArch: noarch +Group: Applications/System +URL: https://ant.apache.org Source0: https://archive.apache.org/dist/ant/source/apache-%{name}-%{version}-src.tar.gz Source1: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/hamcrest/hamcrest-1.3.tgz Source2: https://dl.bintray.com/vmware/photon_sources/1.0/maven-ant-tasks-2.1.3.tar.gz - -Requires: openjre8 -BuildRequires: openjre8 -BuildRequires: openjdk8 -%define _prefix /var/opt/apache-%{name} -%define _bindir %{_prefix}/bin -%define _libdir %{_prefix}/lib +BuildRequires: openjdk8 +BuildRequires: openjre8 +Requires: openjre8 +Requires: which +BuildArch: noarch %description The Ant package contains binaries for a build system @@ -118,6 +118,9 @@ bootstrap/bin/ant -v run-tests %{_bindir}/runant.pl %changelog +* Wed Nov 18 2020 Joe Schmitt - 1.10.9-2 +- Add runtime requires on which. It is used to find the java executable when ant runs. + * Wed Oct 21 2020 Henry Li - 1.10.9-1 - Updated to version 1.10.9 to resolve CVE-2020-11979 * Thu May 21 2020 Ruying Chen - 1.10.8-1 diff --git a/SPECS/aspnetcore-runtime-3.1/aspnetcore-runtime-3.1.signatures.json b/SPECS/aspnetcore-runtime-3.1/aspnetcore-runtime-3.1.signatures.json new file mode 100644 index 00000000000..78738445087 --- /dev/null +++ b/SPECS/aspnetcore-runtime-3.1/aspnetcore-runtime-3.1.signatures.json 
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "aspnetcore-runtime-3.1.5-linux-x64.tar.gz": "bf202e612374eecf089b08db2085f36e54c09d6e93db0ff4244580ee47b9c61f"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/aspnetcore-runtime-3.1/aspnetcore-runtime-3.1.spec b/SPECS/aspnetcore-runtime-3.1/aspnetcore-runtime-3.1.spec
new file mode 100644
index 00000000000..5f86b8844de
--- /dev/null
+++ b/SPECS/aspnetcore-runtime-3.1/aspnetcore-runtime-3.1.spec
@@ -0,0 +1,41 @@
+%define debug_package %{nil}
+Summary: Microsoft aspnetcore runtime
+Name: aspnetcore-runtime-3.1
+Version: 3.1.5
+Release: 1%{?dist}
+License: ASL 2.0
+Vendor: Microsoft Corporation
+Distribution: Mariner
+Group: Development/Tools
+URL: https://github.com/dotnet/aspnetcore
+Source0: https://download.visualstudio.microsoft.com/download/pr/6827d794-a218-4352-b3b3-a19ec773c975/e3e53bc2f20df220a29c6e09f74d8a00/aspnetcore-runtime-3.1.5-linux-x64.tar.gz
+Requires: dotnet-runtime-3.1
+ExclusiveArch: x86_64
+
+%description
+ASP.NET Core is an open-source and cross-platform framework for building
+modern cloud based internet connected applications, such as web apps,
+IoT apps and mobile backends
+
+%prep
+%setup -qc -T -a 0 dotnet-runtime-%{version}
+
+%build
+
+%install
+mkdir -p %{buildroot}%{_libdir}/dotnet/shared
+cp -r shared/Microsoft.AspNetCore.App %{buildroot}%{_libdir}/dotnet/shared
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%files
+%license LICENSE.txt ThirdPartyNotices.txt
+%defattr(-,root,root,0755)
+%{_libdir}/dotnet/shared/Microsoft.AspNetCore.App
+
+%changelog
+* Thu Nov 12 2020 Henry Beberman - 3.1.5-1
+- Add aspnetcore-runtime spec.
+- License verified
+- Original version for CBL-Mariner
\ No newline at end of file
diff --git a/SPECS/auoms/auoms.spec b/SPECS/auoms/auoms.spec
index 55fd11f0693..963eac05b76 100644
--- a/SPECS/auoms/auoms.spec
+++ b/SPECS/auoms/auoms.spec
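Review bot: `Requires: dotnet-runtime-3.1` in the new aspnetcore-runtime-3.1.spec carries no version, so the package can be installed alongside a .NET runtime older than the 3.1.5 shared framework it ships; assuming the runtime package is versioned the same way, `Requires: dotnet-runtime-3.1 >= %{version}` would keep the two in step. The spec repackages a prebuilt upstream tarball rather than building from source, so the SHA-256 in the signatures.json hunk is the only integrity check on the shipped binaries. A comment next to `Source0` recording where that hash was verified against the publisher's release metadata would help reviewers. The trailing `dotnet-runtime-%{version}` argument on the `%setup -qc -T -a 0` line has no `-n` in front of it and looks copied from another spec; drop it or make it `-n %{name}-%{version}`. Please also confirm that 3.1.5 is the intended servicing release, since the changelog entry is dated November 2020 and later 3.1.x updates may have superseded it.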
@@ -1,10 +1,12 @@ %define debug_package %{nil} - Summary: Auditd plugin that forwards audit events to OMS Agent for Linux Name: auoms Version: 2.2.5 -Release: 2%{?dist} +Release: 4%{?dist} License: MIT +Vendor: Microsoft Corporation +Distribution: Mariner +Group: Applications/System URL: https://github.com/microsoft/OMS-Auditd-Plugin #Source0: https://github.com/microsoft/OMS-Auditd-Plugin/archive/v2.2.5-0.tar.gz Source0: %{name}-%{version}.tar.gz @@ -15,30 +17,28 @@ Source2: msgpack-c-cpp-2.0.0.zip #Source3: https://github.com/Tencent/rapidjson/archive/v1.0.2.tar.gz Source3: rapidjson-1.0.2.tar.gz Patch0: auoms.patch -Group: Applications/System -Vendor: Microsoft Corporation -Distribution: Mariner - -BuildRequires: unzip -BuildRequires: cmake -BuildRequires: wget -BuildRequires: sudo -BuildRequires: grep -BuildRequires: sed +BuildRequires: audit-devel BuildRequires: bash BuildRequires: bash-devel -BuildRequires: audit-devel BuildRequires: boost-devel +BuildRequires: cmake +BuildRequires: grep BuildRequires: python2 BuildRequires: python2-devel - +BuildRequires: sed +BuildRequires: sudo +BuildRequires: unzip +BuildRequires: wget Requires: audit -Requires: sudo Requires: bash -Requires: sed +Requires: chkconfig +Requires: glibc +Requires: initscripts Requires: libstdc++ Requires: perl -Requires: glibc +Requires: procps-ng +Requires: sed +Requires: sudo %description OMS Audit data collection daemon @@ -53,8 +53,8 @@ cp %{SOURCE3} ./ %build grep AUOMS_BUILDVERSION auoms.version | head -n 4 | cut -d'=' -f2 | tr '\n' '.' | sed 's/.$//' | sed 's/^/#define AUOMS_VERSION "/' > auoms_version.h sed -i 's/$/"/' auoms_version.h -cp -R /usr/include/boost /usr/local/include/boost -mv /usr/include/boost /usr/include/boost148 +cp -R %{_includedir}/boost /usr/local/include/boost +mv %{_includedir}/boost /usr/include/boost148 cd build ./configure --enable-ulinux && make clean && make 
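Review bot: In the `%build` hunk the macro substitution is applied to only one side of the move: `mv %{_includedir}/boost /usr/include/boost148` still hard-codes the destination, so it should read `mv %{_includedir}/boost %{_includedir}/boost148`. More broadly, these two lines copy and rename the Boost headers in the build host's system include directories rather than anything under the build tree. That leaves the host modified after a build, or after a failed one, and makes the result depend on what was installed before. If the build system allows it, copying the headers into a directory inside the build tree and passing that as an include path would avoid touching system directories; either way a comment explaining why the rename is needed belongs above these lines.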
@@ -65,11 +65,11 @@ install -vdm 755 %{buildroot}%{_sysconfdir}/opt/microsoft/auoms/outconf.d install -vdm 755 %{buildroot}%{_sysconfdir}/opt/microsoft/auoms/rules.d install -vdm 755 %{buildroot}/opt/microsoft/auoms install -vdm 755 %{buildroot}/opt/microsoft/auoms/bin -install -vdm 755 %{buildroot}/usr/share/selinux/packages/auoms -install -vdm 750 %{buildroot}/var/opt/microsoft/auoms/data -install -vdm 750 %{buildroot}/var/opt/microsoft/auoms/data/outputs +install -vdm 755 %{buildroot}%{_datadir}/selinux/packages/auoms +install -vdm 750 %{buildroot}%{_var}/opt/microsoft/auoms/data +install -vdm 750 %{buildroot}%{_var}/opt/microsoft/auoms/data/outputs -install -m 644 intermediate/selinux/* %{buildroot}/usr/share/selinux/packages/auoms +install -m 644 intermediate/selinux/* %{buildroot}%{_datadir}/selinux/packages/auoms install -m 555 installer/auoms.init %{buildroot}%{_sysconfdir}/init.d/auoms install -m 644 installer/conf/auoms.conf %{buildroot}%{_sysconfdir}/opt/microsoft/auoms install -m 644 installer/conf/auomscollect.conf %{buildroot}%{_sysconfdir}/opt/microsoft/auoms 
@@ -82,25 +82,25 @@ install -m 755 intermediate/builddir/release/bin/auoms %{buildroot}/opt install -m 755 intermediate/builddir/release/bin/auomsctl %{buildroot}/opt/microsoft/auoms/bin %clean -rm -rf $RPM_BUILD_ROOT +rm -rf %{buildroot} %pre #!/bin/sh if [ $1 -gt 1 ] ; then - if [ -e /etc/audisp/plugins.d/auoms.conf ]; then + if [ -e %{_sysconfdir}/audisp/plugins.d/auoms.conf ]; then echo "Pre: found etc/audisp/plugins.d/auoms.conf" - if [ -e /etc/audisp/plugins.d/auoms.conf.auomssave ]; then - rm /etc/audisp/plugins.d/auoms.conf.auomssave + if [ -e %{_sysconfdir}/audisp/plugins.d/auoms.conf.auomssave ]; then + rm %{_sysconfdir}/audisp/plugins.d/auoms.conf.auomssave fi - cp -p /etc/audisp/plugins.d/auoms.conf /etc/audisp/plugins.d/auoms.conf.auomssave + cp -p %{_sysconfdir}/audisp/plugins.d/auoms.conf %{_sysconfdir}/audisp/plugins.d/auoms.conf.auomssave fi - if [ -e /etc/audit/plugins.d/auoms.conf ]; then + if [ -e %{_sysconfdir}/audit/plugins.d/auoms.conf ]; then echo "Pre: found etc/audit/plugins.d/auoms.conf" - if [ -e /etc/audit/plugins.d/auoms.conf.auomssave ]; then - rm /etc/audit/plugins.d/auoms.conf.auomssave + if [ -e %{_sysconfdir}/audit/plugins.d/auoms.conf.auomssave ]; then + rm %{_sysconfdir}/audit/plugins.d/auoms.conf.auomssave fi - cp -p /etc/audit/plugins.d/auoms.conf /etc/audit/plugins.d/auoms.conf.auomssave + cp -p %{_sysconfdir}/audit/plugins.d/auoms.conf %{_sysconfdir}/audit/plugins.d/auoms.conf.auomssave fi fi 
@@ -117,24 +117,24 @@ fi SERVICEDIR=/opt/microsoft/auoms if [ $1 -gt 1 ] ; then - if [ -e /etc/audisp/plugins.d/auoms.conf.auomssave ]; then - echo "Post: found /etc/audisp/plugins.d/auoms.conf" - if [ -e /etc/audisp/plugins.d/auoms.conf ]; then - rm /etc/audisp/plugins.d/auoms.conf + if [ -e %{_sysconfdir}/audisp/plugins.d/auoms.conf.auomssave ]; then + echo "Post: found %{_sysconfdir}/audisp/plugins.d/auoms.conf" + if [ -e %{_sysconfdir}/audisp/plugins.d/auoms.conf ]; then + rm %{_sysconfdir}/audisp/plugins.d/auoms.conf fi - cp -p /etc/audisp/plugins.d/auoms.conf.auomssave /etc/audisp/plugins.d/auoms.conf + cp -p %{_sysconfdir}/audisp/plugins.d/auoms.conf.auomssave %{_sysconfdir}/audisp/plugins.d/auoms.conf fi - if [ -e /etc/audit/plugins.d/auoms.conf.auomssave ]; then - echo "Post: found /etc/audit/plugins.d/auoms.conf" - if [ -e /etc/audit/plugins.d/auoms.conf ]; then - rm /etc/audit/plugins.d/auoms.conf + if [ -e %{_sysconfdir}/audit/plugins.d/auoms.conf.auomssave ]; then + echo "Post: found %{_sysconfdir}/audit/plugins.d/auoms.conf" + if [ -e %{_sysconfdir}/audit/plugins.d/auoms.conf ]; then + rm %{_sysconfdir}/audit/plugins.d/auoms.conf fi - cp -p /etc/audit/plugins.d/auoms.conf.auomssave /etc/audit/plugins.d/auoms.conf + cp -p %{_sysconfdir}/audit/plugins.d/auoms.conf.auomssave %{_sysconfdir}/audit/plugins.d/auoms.conf fi echo "Post: executing upgrade" /opt/microsoft/auoms/bin/auomsctl upgrade fi -for dir in /usr/lib/systemd/system /lib/systemd/system; do +for dir in %{_lib}/systemd/system /lib/systemd/system; do if [ -e $dir ]; then install -m 644 ${SERVICEDIR}/auoms.service $dir systemctl enable auoms.service 
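Review bot: The %post loop `for dir in %{_lib}/systemd/system /lib/systemd/system` no longer names an absolute path: in stock RPM macros `%{_lib}` is a bare directory name (`lib` or `lib64`), and the absolute forms are `%{_libdir}` and `%{_prefix}/lib`. The first entry is therefore resolved against the scriptlet's working directory and `/usr/lib/systemd/system` is only covered where `/lib` happens to link to it. The same substitution is in the %postun loop of the next hunk and in bash.spec's %install as `rm %{buildroot}%{_lib}/bash/Makefile.inc`, where it also loses the separating slash. Unless this distribution defines `%{_lib}` differently (worth confirming with `rpm --eval '%{_lib}'`), I would write `for dir in %{_prefix}/lib/systemd/system /lib/systemd/system; do` and `rm %{buildroot}%{_prefix}/lib/bash/Makefile.inc`. The %post body starts before this hunk.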
@@ -142,20 +142,20 @@ for dir in /usr/lib/systemd/system /lib/systemd/system; do fi done sudo /opt/microsoft/auoms/bin/auomsctl enable -rm -f /etc/audisp/plugins.d/auoms.conf.* -rm -f /etc/audit/plugins.d/auoms.conf.* +rm -f %{_sysconfdir}/audisp/plugins.d/auoms.conf.* +rm -f %{_sysconfdir}/audit/plugins.d/auoms.conf.* %postun #!/bin/sh if [ $1 -eq 0 ]; then - rm -f /etc/audisp/plugins.d/auoms.conf* - rm -f /etc/audit/plugins.d/auoms.conf* + rm -f %{_sysconfdir}/audisp/plugins.d/auoms.conf* + rm -f %{_sysconfdir}/audit/plugins.d/auoms.conf* - rm -rf -v /etc/opt/microsoft/auoms - rm -rf -v /var/opt/microsoft/auoms + rm -rf -v %{_sysconfdir}/opt/microsoft/auoms + rm -rf -v %{_var}/opt/microsoft/auoms fi -for dir in /usr/lib/systemd/system /lib/systemd/system; do +for dir in %{_lib}/systemd/system /lib/systemd/system; do if [ -e ${dir}/auoms.service ]; then systemctl disable auoms.service rm -f ${dir}/auoms.service @@ -165,8 +165,8 @@ done %files %defattr(-,root,root) -/usr/share/selinux/packages/auoms -/usr/share/selinux/packages/auoms/* +%{_datadir}/selinux/packages/auoms +%{_datadir}/selinux/packages/auoms/* %{_sysconfdir}/init.d/auoms %{_sysconfdir}/opt/microsoft/auoms %{_sysconfdir}/opt/microsoft/auoms/auoms.conf 
@@ -182,12 +182,21 @@ done /opt/microsoft/auoms/bin/auomscollect /opt/microsoft/auoms/bin/auoms /opt/microsoft/auoms/bin/auomsctl -/var/opt/microsoft/auoms -/var/opt/microsoft/auoms/data -/var/opt/microsoft/auoms/data/outputs +%{_var}/opt/microsoft/auoms +%{_var}/opt/microsoft/auoms/data +%{_var}/opt/microsoft/auoms/data/outputs %changelog +* Wed Nov 11 2020 Daniel McIlvaney - 2.2.5-4 +- Add dependnecy on chkconfig to avoid ownership conflict with /etc/init.d directory +- Add dependency on procps-ng so auomsctl can use pgrep +- Add dependnecy on initscripts so auomsctl can use /usr/sbin/service + +* Wed Nov 11 2020 Daniel McIlvaney - 2.2.5-3 +- Clean up spec file with feedback from linter + * Sat Oct 24 2020 Andrew Phelps 2.2.5-2 - Fix setup macro + * Thu Oct 22 2020 Andrew Phelps 2.2.5-1 - Initial CBL-Mariner version. diff --git a/SPECS/autoconf/autoconf.spec b/SPECS/autoconf/autoconf.spec index 2f50c97d53b..45abc333cde 100644 --- a/SPECS/autoconf/autoconf.spec +++ b/SPECS/autoconf/autoconf.spec 
@@ -1,37 +1,40 @@ -Summary: The package automatically configure source code -Name: autoconf -Version: 2.69 -Release: 9%{?dist} -License: GPLv2 -URL: http://www.gnu.org/software/autoconf -Group: System Environment/Base +Summary: The package automatically configure source code +Name: autoconf +Version: 2.69 +Release: 10%{?dist} +License: GPLv2 +URL: http://www.gnu.org/software/autoconf +Group: System Environment/Base Vendor: Microsoft Corporation Distribution: Mariner -Source0: http://ftp.gnu.org/gnu/autoconf/%{name}-%{version}.tar.xz -%define sha1 autoconf=e891c3193029775e83e0534ac0ee0c4c711f6d23 -Patch0: autoconf-make-check.patch +Source0: http://ftp.gnu.org/gnu/autoconf/%{name}-%{version}.tar.xz +Patch0: autoconf-make-check.patch -Requires: perl -BuildRequires: m4 -Requires: m4 +Requires: perl +BuildRequires: m4 +Requires: m4 BuildArch: noarch %description The package contains programs for producing shell scripts that can automatically configure source code. + %prep %setup -q %patch0 -p1 + %build %configure \ - --disable-silent-rules + --disable-silent-rules make %{?_smp_mflags} + %install make DESTDIR=%{buildroot} install rm -rf %{buildroot}%{_infodir} %check -make -k check %{?_smp_mflags} TESTSUITEFLAGS="1-500" +# Skip test 38 due to expected regex issue using perl 5.30 and autoconf +make -k check %{?_smp_mflags} TESTSUITEFLAGS="1-37 39-500" %files %defattr(-,root,root) @@ -39,10 +42,12 @@ make -k check %{?_smp_mflags} TESTSUITEFLAGS="1-500" %{_bindir}/* %{_mandir}/*/* %{_datarootdir}/autoconf/* -%changelog -* Sat May 09 00:21:00 PST 2020 Nick Samson - 2.69-9 -- Added %%license line automatically +%changelog +* Tue Nov 10 2020 Andrew Phelps 2.69-10 +- Fix check tests +* Sat May 09 2020 Nick Samson 2.69-9 +- Added %%license line automatically * Tue Sep 03 2019 Mateusz Malisz 2.69-8 - Initial CBL-Mariner import from Photon (license: Apache2). * Wed Oct 17 2018 Dweep Advani 2.69-7 
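Review bot: `Source0` still fetches the tarball over plain `http://ftp.gnu.org/...`, while the first hunk deletes the only integrity pin visible in the spec, `%define sha1 autoconf=...`. If the expected digest is not recorded somewhere the build tooling checks (nothing in this diff shows it), a substituted tarball would build without complaint. bash.spec in this same commit moves to `https://ftp.gnu.org/gnu/...`; the equivalent here is `Source0: https://ftp.gnu.org/gnu/autoconf/%{name}-%{version}.tar.xz`. The digest should stay pinned wherever it is verified, preferably as SHA-256 rather than SHA-1.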
@@ -58,4 +63,4 @@ make -k check %{?_smp_mflags} TESTSUITEFLAGS="1-500" * Wed Jun 3 2015 Divya Thaluru 2.69-2 - Adding perl packages to required packages * Wed Nov 5 2014 Divya Thaluru 2.69-1 -- Initial build. First version +- Initial build. First version diff --git a/SPECS/bash/CVE-2019-18276.nopatch b/SPECS/bash/CVE-2019-18276.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/bash/bash.spec b/SPECS/bash/bash.spec index c6d15f24192..65306156ce1 100755 --- a/SPECS/bash/bash.spec +++ b/SPECS/bash/bash.spec 
@@ -1,45 +1,51 @@ Summary: Bourne-Again SHell Name: bash Version: 4.4.18 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv3 -URL: http://www.gnu.org/software/bash/ -Group: System Environment/Base Vendor: Microsoft Corporation Distribution: Mariner -Source0: http://ftp.gnu.org/gnu/bash/%{name}-%{version}.tar.gz -%define sha1 bash=6cf9b3c23930ba8a721fee177d1558e5b7cb6104 +Group: System Environment/Base +URL: https://www.gnu.org/software/bash/ +Source0: https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.gz Source1: bash_completion Patch0: bash-4.4.patch -Provides: /bin/sh -Provides: /bin/bash -Provides: /usr/bin/sh -Provides: /usr/bin/bash +# CVE-2019-18276 has a negligible security impact, +# since we don't ship bash with suid. +# Backporting the patch is non-trivial, as well. +Patch1: CVE-2019-18276.nopatch BuildRequires: readline Requires: readline -Requires(post): /bin/grep -Requires(post): /bin/cp -Requires(postun): /bin/grep -Requires(postun): /bin/mv +Requires(post): /bin/cp +Requires(post): /bin/grep +Requires(postun): /bin/grep +Requires(postun): /bin/mv +Provides: /bin/sh +Provides: /bin/bash +Provides: %{_bindir}/sh +Provides: %{_bindir}/bash + %description The package contains the Bourne-Again SHell -%package devel -Summary: Header and development files for bash -Requires: %{name} = %{version} +%package devel +Summary: Header and development files for bash +Requires: %{name} = %{version} + %description devel It contains the libraries and header files to create applications %package lang -Summary: Additional language files for bash -Group: System Environment/Base -Requires: bash >= 4.4 +Summary: Additional language files for bash +Group: System Environment/Base +Requires: bash >= 4.4 + %description lang These are the additional language files of bash. %prep -%setup -q -n bash-4.4.18 -%patch0 -p1 +%autosetup -p 1 + %build %configure \ "CFLAGS=-fPIC %{build_cflags}" \ 
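Review bot: The justification above `Patch1: CVE-2019-18276.nopatch` rests on an invariant that nothing in the spec checks, namely that the installed bash is not setuid. The .nopatch file is added with no content, so this comment is the whole record for whoever re-triages the CVE. I would state the condition explicitly, e.g. `# Not applicable as packaged: bash is installed without the setuid bit; re-evaluate if any image or package sets it.` A one-line assertion after `make install`, such as `test ! -u %{buildroot}/bin/bash` (path inferred from the `ln -s bash %{buildroot}/bin/sh` line in the next hunk, so confirm it), would make the build verify the assumption.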
@@ -48,21 +54,22 @@ These are the additional language files of bash. --without-bash-malloc \ --with-installed-readline make %{?_smp_mflags} + %install make DESTDIR=%{buildroot} install ln -s bash %{buildroot}/bin/sh -install -vdm 755 %{buildroot}/etc -install -vdm 755 %{buildroot}/etc/profile.d -install -vdm 755 %{buildroot}/etc/skel -install -vdm 755 %{buildroot}/usr/share/bash-completion -install -m 0644 %{SOURCE1} %{buildroot}/usr/share/bash-completion -rm %{buildroot}/usr/lib/bash/Makefile.inc +install -vdm 755 %{buildroot}%{_sysconfdir} +install -vdm 755 %{buildroot}%{_sysconfdir}/profile.d +install -vdm 755 %{buildroot}%{_sysconfdir}/skel +install -vdm 755 %{buildroot}%{_datadir}/bash-completion +install -m 0644 %{SOURCE1} %{buildroot}%{_datadir}/bash-completion +rm %{buildroot}%{_lib}/bash/Makefile.inc # Create dircolors -cat > %{buildroot}/etc/profile.d/dircolors.sh << "EOF" +cat > %{buildroot}%{_sysconfdir}/profile.d/dircolors.sh << "EOF" # Setup for /bin/ls and /bin/grep to support color, the alias is in /etc/bashrc. -if [ -f "/etc/dircolors" ] ; then - eval $(dircolors -b /etc/dircolors) +if [ -f "%{_sysconfdir}/dircolors" ] ; then + eval $(dircolors -b %{_sysconfdir}/dircolors) if [ -f "$HOME/.dircolors" ] ; then eval $(dircolors -b $HOME/.dircolors) 
@@ -75,27 +82,27 @@ if [ $? -eq 0 ]; then fi EOF -cat > %{buildroot}/etc/profile.d/extrapaths.sh << "EOF" -if [ -d /usr/local/lib/pkgconfig ] ; then - pathappend /usr/local/lib/pkgconfig PKG_CONFIG_PATH +cat > %{buildroot}%{_sysconfdir}/profile.d/extrapaths.sh << "EOF" +if [ -d %{_prefix}/local/lib/pkgconfig ] ; then + pathappend %{_prefix}/local/lib/pkgconfig PKG_CONFIG_PATH fi -if [ -d /usr/local/bin ]; then - pathprepend /usr/local/bin +if [ -d %{_prefix}/local/bin ]; then + pathprepend %{_prefix}/local/bin fi -if [ -d /usr/local/sbin -a $EUID -eq 0 ]; then - pathprepend /usr/local/sbin +if [ -d %{_prefix}/local/sbin -a $EUID -eq 0 ]; then + pathprepend %{_prefix}/local/sbin fi EOF -cat > %{buildroot}/etc/profile.d/readline.sh << "EOF" +cat > %{buildroot}%{_sysconfdir}/profile.d/readline.sh << "EOF" # Setup the INPUTRC environment variable. if [ -z "$INPUTRC" -a ! -f "$HOME/.inputrc" ] ; then - INPUTRC=/etc/inputrc + INPUTRC=%{_sysconfdir}/inputrc fi export INPUTRC EOF -cat > %{buildroot}/etc/profile.d/umask.sh << "EOF" +cat > %{buildroot}%{_sysconfdir}/profile.d/umask.sh << "EOF" # By default, the umask should be set. if [ "$(id -gn)" = "$(id -un)" -a $EUID -gt 99 ] ; then umask 002 @@ -104,7 +111,7 @@ else fi EOF -cat > %{buildroot}/etc/profile.d/i18n.sh << "EOF" +cat > %{buildroot}%{_sysconfdir}/profile.d/i18n.sh << "EOF" # Begin /etc/profile.d/i18n.sh unset LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES \ @@ -112,8 +119,8 @@ unset LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES \ if [ -n "$XDG_CONFIG_HOME" ] && [ -r "$XDG_CONFIG_HOME/locale.conf" ]; then . "$XDG_CONFIG_HOME/locale.conf" -elif [ -r /etc/locale.conf ]; then - . /etc/locale.conf +elif [ -r %{_sysconfdir}/locale.conf ]; then + . %{_sysconfdir}/locale.conf fi export LANG="${LANG:-C}" 
@@ -134,21 +141,21 @@ export LANG="${LANG:-C}" EOF # bash completion -cat > %{buildroot}/etc/profile.d/bash_completion.sh << "EOF" +cat > %{buildroot}%{_sysconfdir}/profile.d/bash_completion.sh << "EOF" # check for interactive bash and only bash if [ -n "$BASH_VERSION" -a -n "$PS1" ]; then # enable bash completion in interactive shells if ! shopt -oq posix; then - if [ -f /usr/share/bash-completion/bash_completion ]; then - . /usr/share/bash-completion/bash_completion + if [ -f %{_datadir}/bash-completion/bash_completion ]; then + . %{_datadir}/bash-completion/bash_completion fi fi fi EOF -cat > %{buildroot}/etc/bash.bashrc << "EOF" +cat > %{buildroot}%{_sysconfdir}/bash.bashrc << "EOF" # Begin /etc/bash.bashrc # Written for Beyond Linux From Scratch # by James Robertson @@ -187,13 +194,13 @@ fi unset RED GREEN NORMAL if test -n "$SSH_CONNECTION" -a -z "$PROFILEREAD"; then - . /etc/profile > /dev/null 2>&1 + . %{_sysconfdir}/profile > /dev/null 2>&1 fi # End /etc/bash.bashrc EOF -cat > %{buildroot}/etc/skel/.bash_profile << "EOF" +cat > %{buildroot}%{_sysconfdir}/skel/.bash_profile << "EOF" # Begin ~/.bash_profile # Written for Beyond Linux From Scratch # by James Robertson @@ -221,7 +228,7 @@ fi # End ~/.bash_profile EOF -cat > %{buildroot}/etc/skel/.bashrc << "EOF" +cat > %{buildroot}%{_sysconfdir}/skel/.bashrc << "EOF" # Begin ~/.bashrc # Written for Beyond Linux From Scratch # by James Robertson @@ -233,14 +240,14 @@ cat > %{buildroot}/etc/skel/.bashrc << "EOF" # programs are in /etc/profile. System wide aliases and functions are # in /etc/bashrc. -if [ -f "/etc/bash.bashrc" ] ; then - source /etc/bash.bashrc +if [ -f "%{_sysconfdir}/bash.bashrc" ] ; then + source %{_sysconfdir}/bash.bashrc fi # End ~/.bashrc EOF -cat > %{buildroot}/etc/skel/.bash_logout << "EOF" +cat > %{buildroot}%{_sysconfdir}/skel/.bash_logout << "EOF" # Begin ~/.bash_logout # Written for Beyond Linux From Scratch # by James Robertson 
@@ -250,7 +257,7 @@ cat > %{buildroot}/etc/skel/.bash_logout << "EOF" # End ~/.bash_logout EOF -dircolors -p > %{buildroot}/etc/dircolors +dircolors -p > %{buildroot}%{_sysconfdir}/dircolors %find_lang %{name} rm -rf %{buildroot}/%{_infodir} @@ -260,22 +267,22 @@ make NON_ROOT_USERNAME=nobody %{?_smp_mflags} check %post if [ $1 -eq 1 ] ; then if [ ! -f "/root/.bash_logout" ] ; then - cp /etc/skel/.bash_logout /root/.bash_logout + cp %{_sysconfdir}/skel/.bash_logout /root/.bash_logout fi - if [ ! -f /etc/shells ]; then - echo "/bin/sh" >> /etc/shells - echo "/bin/bash" >> /etc/shells - echo "%{_bindir}/sh" >> /etc/shells - echo "%{_bindir}/bash" >> /etc/shells + if [ ! -f %{_sysconfdir}/shells ]; then + echo "/bin/sh" >> %{_sysconfdir}/shells + echo "/bin/bash" >> %{_sysconfdir}/shells + echo "%{_bindir}/sh" >> %{_sysconfdir}/shells + echo "%{_bindir}/bash" >> %{_sysconfdir}/shells else - grep -q '^/bin/sh$' /etc/shells || \ - echo "/bin/sh" >> /etc/shells - grep -q '^/bin/bash$' /etc/shells || \ - echo "/bin/bash" >> /etc/shells - grep -q '^%{_bindir}/sh$' /etc/shells || \ - echo "%{_bindir}/sh" >> /etc/shells - grep -q '^%{_bindir}/bash$' /etc/shells || \ - echo "%{_bindir}/bash" >> /etc/shells + grep -q '^/bin/sh$' %{_sysconfdir}/shells || \ + echo "/bin/sh" >> %{_sysconfdir}/shells + grep -q '^/bin/bash$' %{_sysconfdir}/shells || \ + echo "/bin/bash" >> %{_sysconfdir}/shells + grep -q '^%{_bindir}/sh$' %{_sysconfdir}/shells || \ + echo "%{_bindir}/sh" >> %{_sysconfdir}/shells + grep -q '^%{_bindir}/bash$' %{_sysconfdir}/shells || \ + echo "%{_bindir}/bash" >> %{_sysconfdir}/shells fi fi 
@@ -285,24 +292,24 @@ if [ $1 -eq 0 ] ; then rm -f /root/.bash_logout fi if [ ! -x /bin/sh ]; then - grep -v '^/bin/sh$' /etc/shells | \ - grep -v '^/bin/sh$' > /etc/shells.rpm && \ - mv /etc/shells.rpm /etc/shells + grep -v '^/bin/sh$' %{_sysconfdir}/shells | \ + grep -v '^/bin/sh$' > %{_sysconfdir}/shells.rpm && \ + mv %{_sysconfdir}/shells.rpm %{_sysconfdir}/shells fi if [ ! -x /bin/bash ]; then - grep -v '^/bin/bash$' /etc/shells | \ - grep -v '^/bin/bash$' > /etc/shells.rpm && \ - mv /etc/shells.rpm /etc/shells + grep -v '^/bin/bash$' %{_sysconfdir}/shells | \ + grep -v '^/bin/bash$' > %{_sysconfdir}/shells.rpm && \ + mv %{_sysconfdir}/shells.rpm %{_sysconfdir}/shells fi if [ ! -x %{_bindir}/sh ]; then - grep -v '^%{_bindir}/sh$' /etc/shells | \ - grep -v '^%{_bindir}/sh$' > /etc/shells.rpm && \ - mv /etc/shells.rpm /etc/shells + grep -v '^%{_bindir}/sh$' %{_sysconfdir}/shells | \ + grep -v '^%{_bindir}/sh$' > %{_sysconfdir}/shells.rpm && \ + mv %{_sysconfdir}/shells.rpm %{_sysconfdir}/shells fi if [ ! -x %{_bindir}/bash ]; then - grep -v '^%{_bindir}/bash$' /etc/shells | \ - grep -v '^%{_bindir}/bash$' > /etc/shells.rpm && \ - mv /etc/shells.rpm /etc/shells + grep -v '^%{_bindir}/bash$' %{_sysconfdir}/shells | \ + grep -v '^%{_bindir}/bash$' > %{_sysconfdir}/shells.rpm && \ + mv %{_sysconfdir}/shells.rpm %{_sysconfdir}/shells fi fi @@ -315,7 +322,7 @@ fi %{_defaultdocdir}/%{name}-%{version}/* %{_defaultdocdir}/%{name}/* %{_mandir}/*/* -/usr/share/bash-completion/ +%{_datadir}/bash-completion/ %files devel %{_includedir}/%{name}/* 
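Review bot: In %postun each `grep -v ... | grep -v ... > %{_sysconfdir}/shells.rpm && mv ...` chain skips the `mv` when the filter outputs nothing, because `grep -v` exits 1 if it selects no lines. When the entry being removed is the last line left in the file, it stays in `%{_sysconfdir}/shells` as a listed login shell that no longer exists, and an empty `shells.rpm` is left behind in `%{_sysconfdir}`. The second `grep -v` in each pipeline repeats the first pattern and has no effect. One `grep` with its status checked would do: `grep -v '^/bin/sh$' %{_sysconfdir}/shells > %{_sysconfdir}/shells.rpm; [ $? -le 1 ] && mv %{_sysconfdir}/shells.rpm %{_sysconfdir}/shells`, repeated for the other three paths. The %postun body begins before this hunk.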
@@ -325,54 +332,81 @@ fi %defattr(-,root,root) %changelog -* Fri Jul 31 2020 Leandro Pereira 4.4.18-5 -- Don't stomp on CFLAGS. -* Sat May 09 2020 Nick Samson - 4.4.18-4 -- Added %%license line automatically -* Thu Feb 27 2020 Henry Beberman 4.4.18-3 -- Explicitly provide /usr/bin/sh and /usr/bin/bash -* Tue Sep 03 2019 Mateusz Malisz 4.4.18-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Sep 24 2018 Sujay G 4.4.18-1 -- Bump bash version to 4.4.18 -* Fri Jan 26 2018 Alexey Makhalov 4.4.12-3 -- Run bash_completion only for bash interactive shell -* Mon Dec 11 2017 Priyesh Padmavilasom 4.4.12-2 -- conditionally apply grep color alias -* Mon Nov 13 2017 Xiaolin Li 4.4.12-1 -- Upstream patch level 12 applied -* Mon Oct 02 2017 Kumar Kaushik 4.4-6 -- Adding security fix for CVE-2017-5932. -* Thu Jun 8 2017 Bo Gan 4.4-5 -- Fix dependency again -* Wed Jun 7 2017 Divya Thaluru 4.4-4 -- Added /usr/bin/sh and /bin/sh entries in /etc/shells -* Sun Jun 4 2017 Bo Gan 4.4-3 -- Fix dependency -* Thu Feb 2 2017 Divya Thaluru 4.4-2 -- Modified bash entry in /etc/shells -* Fri Jan 13 2017 Dheeraj Shetty 4.4-1 -- Upgraded version to 4.4 -* Tue Jan 10 2017 Divya Thaluru 4.3.30-7 -- Added bash entry to /etc/shells -* Wed Nov 16 2016 Alexey Makhalov 4.3.30-6 -- Add readline requirements -* Fri Aug 19 2016 Alexey Makhalov 4.3.30-5 -- Enable bash completion support -* Tue May 24 2016 Priyesh Padmavilasom 4.3.30-4 -- GA - Bump release of all rpms -* Tue May 3 2016 Divya Thaluru 4.3.30-3 -- Fixing spec file to handle rpm upgrade scenario correctly -* Thu Mar 10 2016 Divya Thaluru 4.3.30-2 -- Adding compile options to load bash.bashrc file and +* Thu Oct 22 2020 Thomas Crain - 4.4.18-6 +- Nopatch CVE-2019-18276 + +* Fri Jul 31 2020 Leandro Pereira - 4.4.18-5 +- Don't stomp on CFLAGS. 
+ +* Sat May 09 2020 Nick Samson - 4.4.18-4 +- Added %%license line automatically + +* Thu Feb 27 2020 Henry Beberman - 4.4.18-3 +- Explicitly provide /usr/bin/sh and /usr/bin/bash + +* Tue Sep 03 2019 Mateusz Malisz - 4.4.18-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Mon Sep 24 2018 Sujay G - 4.4.18-1 +- Bump bash version to 4.4.18 + +* Fri Jan 26 2018 Alexey Makhalov - 4.4.12-3 +- Run bash_completion only for bash interactive shell + +* Mon Dec 11 2017 Priyesh Padmavilasom - 4.4.12-2 +- conditionally apply grep color alias + +* Mon Nov 13 2017 Xiaolin Li - 4.4.12-1 +- Upstream patch level 12 applied + +* Mon Oct 02 2017 Kumar Kaushik - 4.4-6 +- Adding security fix for CVE-2017-5932. + +* Thu Jun 8 2017 Bo Gan - 4.4-5 +- Fix dependency again + +* Wed Jun 7 2017 Divya Thaluru 4.4-4 +- Added /usr/bin/sh and /bin/sh entries in /etc/shells + +* Sun Jun 4 2017 Bo Gan - 4.4-3 +- Fix dependency + +* Thu Feb 2 2017 Divya Thaluru - 4.4-2 +- Modified bash entry in /etc/shells + +* Fri Jan 13 2017 Dheeraj Shetty - 4.4-1 +- Upgraded version to 4.4 + +* Tue Jan 10 2017 Divya Thaluru - 4.3.30-7 +- Added bash entry to /etc/shells + +* Wed Nov 16 2016 Alexey Makhalov - 4.3.30-6 +- Add readline requirements + +* Fri Aug 19 2016 Alexey Makhalov - 4.3.30-5 +- Enable bash completion support + +* Tue May 24 2016 Priyesh Padmavilasom - 4.3.30-4 +- GA - Bump release of all rpms + +* Tue May 3 2016 Divya Thaluru 4.3.30-3 +- Fixing spec file to handle rpm upgrade scenario correctly + +* Thu Mar 10 2016 Divya Thaluru - 4.3.30-2 +- Adding compile options to load bash.bashrc file and loading source file during non-inetractive non-login shell -* Tue Jan 12 2016 Xiaolin Li 4.3.30-1 -- Updated to version 4.3.30 -* Wed Aug 05 2015 Kumar Kaushik 4.3-4 -- Adding post unstall section. -* Wed Jul 22 2015 Alexey Makhalov 4.3-3 -- Fix segfault in save_bash_input. -* Tue Jun 30 2015 Alexey Makhalov 4.3-2 -- /etc/profile.d permission fix. 
Pack /etc files into rpm -* Wed Oct 22 2014 Divya Thaluru 4.3-1 -- Initial version + +* Tue Jan 12 2016 Xiaolin Li - 4.3.30-1 +- Updated to version 4.3.30 + +* Wed Aug 05 2015 Kumar Kaushik - 4.3-4 +- Adding post unstall section. + +* Wed Jul 22 2015 Alexey Makhalov - 4.3-3 +- Fix segfault in save_bash_input. + +* Tue Jun 30 2015 Alexey Makhalov - 4.3-2 +- /etc/profile.d permission fix. Pack /etc files into rpm + +* Wed Oct 22 2014 Divya Thaluru - 4.3-1 +- Initial version diff --git a/SPECS/binutils/CVE-2019-12972.patch b/SPECS/binutils/CVE-2019-12972.patch new file mode 100644 index 00000000000..fe0993efd29 --- /dev/null +++ b/SPECS/binutils/CVE-2019-12972.patch @@ -0,0 +1,12 @@ +--- a/bfd/elfcode.h ++++ b/bfd/elfcode.h +@@ -755,7 +755,8 @@ + /* A further sanity check. */ + if (i_ehdrp->e_shnum != 0) + { +- if (i_ehdrp->e_shstrndx >= elf_numsections (abfd)) ++ if (i_ehdrp->e_shstrndx >= elf_numsections (abfd) ++ || i_shdrp[i_ehdrp->e_shstrndx].sh_type != SHT_STRTAB) + { + /* PR 2257: + We used to just goto got_wrong_format_error here diff --git a/SPECS/binutils/CVE-2019-14250.patch b/SPECS/binutils/CVE-2019-14250.patch new file mode 100644 index 00000000000..4ee873ac810 --- /dev/null +++ b/SPECS/binutils/CVE-2019-14250.patch @@ -0,0 +1,17 @@ +--- a/libiberty/simple-object-elf.c ++++ b/libiberty/simple-object-elf.c +@@ -548,6 +548,14 @@ + XDELETE (eor); + return NULL; + } ++ ++ if (!eor->shstrndx) ++ { ++ *errmsg = "invalid ELF shstrndx == 0"; ++ *err = 0; ++ XDELETE (eor); ++ return NULL; ++ } + + return (void *) eor; + } diff --git a/SPECS/binutils/CVE-2019-14444.patch b/SPECS/binutils/CVE-2019-14444.patch new file mode 100644 index 00000000000..4647fb9314c --- /dev/null +++ b/SPECS/binutils/CVE-2019-14444.patch 
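Review bot: The new CVE-2019-12972.patch starts directly at `--- a/bfd/elfcode.h` with no header naming the upstream commit it was taken from. The same holds for the CVE-2019-14250, -14444, -17450, -17451, -9071, -9073 and -9074 patches added alongside it. Without that reference a later reviewer cannot check that the backport matches the upstream fix or see what was adapted for this binutils version. The brotli patch in this commit shows the form to follow: a leading `From <upstream commit id>` / `Subject:` block, or at least a line such as `# Upstream: <upstream commit URL>` before the first `---`.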
@@ -0,0 +1,11 @@
+--- a/binutils/readelf.c
++++ b/binutils/readelf.c
+@@ -13213,7 +13213,7 @@
+ }
+
+ rloc = start + rp->r_offset;
+- if ((rloc + reloc_size) > end || (rloc < start))
++ if (rloc >= end || (rloc + reloc_size) > end || (rloc < start))
+ {
+ warn (_("skipping invalid relocation offset 0x%lx in section %s\n"),
+ (unsigned long) rp->r_offset,
diff --git a/SPECS/binutils/CVE-2019-17450.patch b/SPECS/binutils/CVE-2019-17450.patch
new file mode 100644
index 00000000000..a0956623966
--- /dev/null
+++ b/SPECS/binutils/CVE-2019-17450.patch
@@ -0,0 +1,72 @@ +--- a/bfd/dwarf2.c ++++ b/bfd/dwarf2.c +@@ -2803,13 +2803,13 @@ + } + + static bfd_boolean +-find_abstract_instance (struct comp_unit * unit, +- bfd_byte * orig_info_ptr, +- struct attribute * attr_ptr, +- const char ** pname, +- bfd_boolean * is_linkage, +- char ** filename_ptr, +- int * linenumber_ptr) ++find_abstract_instance (struct comp_unit *unit, ++ struct attribute *attr_ptr, ++ unsigned int recur_count, ++ const char **pname, ++ bfd_boolean *is_linkage, ++ char **filename_ptr, ++ int *linenumber_ptr) + { + bfd *abfd = unit->abfd; + bfd_byte *info_ptr; +@@ -2820,6 +2820,14 @@ + struct attribute attr; + const char *name = NULL; + ++ if (recur_count == 100) ++ { ++ _bfd_error_handler ++ (_("DWARF error: abstract instance recursion detected")); ++ bfd_set_error (bfd_error_bad_value); ++ return FALSE; ++ } ++ + /* DW_FORM_ref_addr can reference an entry in a different CU. It + is an offset from the .debug_info section, not the current CU. */ + if (attr_ptr->form == DW_FORM_ref_addr) +@@ -2939,15 +2947,6 @@ + info_ptr, info_ptr_end); + if (info_ptr == NULL) + break; +- /* It doesn't ever make sense for DW_AT_specification to +- refer to the same DIE. Stop simple recursion. */ +- if (info_ptr == orig_info_ptr) +- { +- _bfd_error_handler +- (_("DWARF error: abstract instance recursion detected")); +- bfd_set_error (bfd_error_bad_value); +- return FALSE; +- } + switch (attr.name) + { + case DW_AT_name: +@@ -2961,7 +2960,7 @@ + } + break; + case DW_AT_specification: +- if (!find_abstract_instance (unit, info_ptr, &attr, ++ if (!find_abstract_instance (unit, &attr, recur_count + 1, + &name, is_linkage, + filename_ptr, linenumber_ptr)) + return FALSE; +@@ -3175,7 +3174,7 @@ + + case DW_AT_abstract_origin: + case DW_AT_specification: +- if (!find_abstract_instance (unit, info_ptr, &attr, ++ if (!find_abstract_instance (unit, &attr, 0, + &func->name, + &func->is_linkage, + &func->file, 
diff --git a/SPECS/binutils/CVE-2019-17451.patch b/SPECS/binutils/CVE-2019-17451.patch
new file mode 100644
index 00000000000..1afa4c8d0f4
--- /dev/null
+++ b/SPECS/binutils/CVE-2019-17451.patch
@@ -0,0 +1,20 @@
+--- a/bfd/dwarf2.c
++++ b/bfd/dwarf2.c
+@@ -4426,7 +4425,16 @@
+ for (total_size = 0;
+ msec;
+ msec = find_debug_info (debug_bfd, debug_sections, msec))
+- total_size += msec->size;
++ {
++ /* Catch PR25070 testcase overflowing size calculation here. */
++ if (total_size + msec->size < total_size
++ || total_size + msec->size < msec->size)
++ {
++ bfd_set_error (bfd_error_no_memory);
++ return FALSE;
++ }
++ total_size += msec->size;
++ }
+
+ stash->info_ptr_memory = (bfd_byte *) bfd_malloc (total_size);
+ if (stash->info_ptr_memory == NULL)
diff --git a/SPECS/binutils/CVE-2019-9070.nopatch b/SPECS/binutils/CVE-2019-9070.nopatch
index 6e4a2bf36ea..e69de29bb2d 100644
--- a/SPECS/binutils/CVE-2019-9070.nopatch
+++ b/SPECS/binutils/CVE-2019-9070.nopatch
@@ -1,2 +0,0 @@
-CVE-2019-9070 addresses a bug in GNU libiberty. GNU libiberty is now part of
-gcc. This bug was fixed in the gcc upstream.
\ No newline at end of file
diff --git a/SPECS/binutils/CVE-2019-9071.patch b/SPECS/binutils/CVE-2019-9071.patch
new file mode 100644
index 00000000000..7ccf14066f6
--- /dev/null
+++ b/SPECS/binutils/CVE-2019-9071.patch
@@ -0,0 +1,110 @@ +--- a/libiberty/cp-demangle.c ++++ b/libiberty/cp-demangle.c +@@ -861,7 +861,7 @@ + int + cplus_demangle_fill_name (struct demangle_component *p, const char *s, int len) + { +- if (p == NULL || s == NULL || len == 0) ++ if (p == NULL || s == NULL || len <= 0) + return 0; + p->d_printing = 0; + p->type = DEMANGLE_COMPONENT_NAME; +@@ -4055,7 +4055,7 @@ + are larger than the actual numbers encountered. */ + + static void +-d_count_templates_scopes (int *num_templates, int *num_scopes, ++d_count_templates_scopes (struct d_print_info *dpi, + const struct demangle_component *dc) + { + if (dc == NULL) +@@ -4075,13 +4075,13 @@ + break; + + case DEMANGLE_COMPONENT_TEMPLATE: +- (*num_templates)++; ++ dpi->num_copy_templates++; + goto recurse_left_right; + + case DEMANGLE_COMPONENT_REFERENCE: + case DEMANGLE_COMPONENT_RVALUE_REFERENCE: + if (d_left (dc)->type == DEMANGLE_COMPONENT_TEMPLATE_PARAM) +- (*num_scopes)++; ++ dpi->num_saved_scopes++; + goto recurse_left_right; + + case DEMANGLE_COMPONENT_QUAL_NAME: +@@ -4146,42 +4146,42 @@ + case DEMANGLE_COMPONENT_TAGGED_NAME: + case DEMANGLE_COMPONENT_CLONE: + recurse_left_right: +- d_count_templates_scopes (num_templates, num_scopes, +- d_left (dc)); +- d_count_templates_scopes (num_templates, num_scopes, +- d_right (dc)); ++ /* PR 89394 - Check for too much recursion. */ ++ if (dpi->recursion > DEMANGLE_RECURSION_LIMIT) ++ /* FIXME: There ought to be a way to report to the ++ user that the recursion limit has been reached. 
*/ ++ return; ++ ++ ++ dpi->recursion; ++ d_count_templates_scopes (dpi, d_left (dc)); ++ d_count_templates_scopes (dpi, d_right (dc)); ++ -- dpi->recursion; + break; + + case DEMANGLE_COMPONENT_CTOR: +- d_count_templates_scopes (num_templates, num_scopes, +- dc->u.s_ctor.name); ++ d_count_templates_scopes (dpi, dc->u.s_ctor.name); + break; + + case DEMANGLE_COMPONENT_DTOR: +- d_count_templates_scopes (num_templates, num_scopes, +- dc->u.s_dtor.name); ++ d_count_templates_scopes (dpi, dc->u.s_dtor.name); + break; + + case DEMANGLE_COMPONENT_EXTENDED_OPERATOR: +- d_count_templates_scopes (num_templates, num_scopes, +- dc->u.s_extended_operator.name); ++ d_count_templates_scopes (dpi, dc->u.s_extended_operator.name); + break; + + case DEMANGLE_COMPONENT_FIXED_TYPE: +- d_count_templates_scopes (num_templates, num_scopes, +- dc->u.s_fixed.length); ++ d_count_templates_scopes (dpi, dc->u.s_fixed.length); + break; + + case DEMANGLE_COMPONENT_GLOBAL_CONSTRUCTORS: + case DEMANGLE_COMPONENT_GLOBAL_DESTRUCTORS: +- d_count_templates_scopes (num_templates, num_scopes, +- d_left (dc)); ++ d_count_templates_scopes (dpi, d_left (dc)); + break; + + case DEMANGLE_COMPONENT_LAMBDA: + case DEMANGLE_COMPONENT_DEFAULT_ARG: +- d_count_templates_scopes (num_templates, num_scopes, +- dc->u.s_unary_num.sub); ++ d_count_templates_scopes (dpi, dc->u.s_unary_num.sub); + break; + } + } +@@ -4216,8 +4216,12 @@ + dpi->next_copy_template = 0; + dpi->num_copy_templates = 0; + +- d_count_templates_scopes (&dpi->num_copy_templates, +- &dpi->num_saved_scopes, dc); ++ d_count_templates_scopes (dpi, dc); ++ /* If we did not reach the recursion limit, then reset the ++ current recursion value back to 0, so that we can print ++ the templates. */ ++ if (dpi->recursion < DEMANGLE_RECURSION_LIMIT) ++ dpi->recursion = 0; + dpi->num_copy_templates *= dpi->num_saved_scopes; + + dpi->current_template = NULL; 
diff --git a/SPECS/binutils/CVE-2019-9072.nopatch b/SPECS/binutils/CVE-2019-9072.nopatch
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/SPECS/binutils/CVE-2019-9073.patch b/SPECS/binutils/CVE-2019-9073.patch
new file mode 100644
index 00000000000..0d44fe81a6e
--- /dev/null
+++ b/SPECS/binutils/CVE-2019-9073.patch
@@ -0,0 +1,13 @@
+--- a/binutils/objdump.c
++++ b/binutils/objdump.c
+@@ -3178,7 +3178,9 @@
+ static void
+ dump_bfd_private_header (bfd *abfd)
+ {
+- bfd_print_private_bfd_data (abfd, stdout);
++ if (!bfd_print_private_bfd_data (abfd, stdout))
++ non_fatal (_("warning: private headers incomplete: %s"),
++ bfd_errmsg (bfd_get_error ()));
+ }
+
+ static void
diff --git a/SPECS/binutils/CVE-2019-9074.patch b/SPECS/binutils/CVE-2019-9074.patch
new file mode 100644
index 00000000000..721b72a474a
--- /dev/null
+++ b/SPECS/binutils/CVE-2019-9074.patch
@@ -0,0 +1,33 @@
+--- a/bfd/pei-x86_64.c
++++ b/bfd/pei-x86_64.c
+@@ -541,7 +541,7 @@
+ /* virt_size might be zero for objects. */
+ if (stop == 0 && strcmp (abfd->xvec->name, "pe-x86-64") == 0)
+ {
+- stop = (datasize / onaline) * onaline;
++ stop = datasize;
+ virt_size_is_zero = TRUE;
+ }
+ else if (datasize < stop)
+@@ -551,8 +551,8 @@
+ _("Warning: %s section size (%ld) is smaller than virtual size (%ld)\n"),
+ pdata_section->name, (unsigned long) datasize,
+ (unsigned long) stop);
+- /* Be sure not to read passed datasize. */
+- stop = datasize / onaline;
++ /* Be sure not to read past datasize. */
++ stop = datasize;
+ }
+
+ /* Display functions table. */
+@@ -724,8 +724,7 @@
+ altent += imagebase;
+
+ if (altent >= pdata_vma
+- && (altent + PDATA_ROW_SIZE <= pdata_vma
+- + pei_section_data (abfd, pdata_section)->virt_size))
++ && altent - pdata_vma + PDATA_ROW_SIZE <= stop)
+ {
+ pex64_get_runtime_function
+ (abfd, &arf, &pdata[altent - pdata_vma]);
+
diff --git a/SPECS/binutils/CVE-2019-9076.nopatch b/SPECS/binutils/CVE-2019-9076.nopatch
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/SPECS/binutils/binutils.spec b/SPECS/binutils/binutils.spec index bd55d405122..353921a73f4 100644 --- a/SPECS/binutils/binutils.spec +++ b/SPECS/binutils/binutils.spec @@ -1,7 +1,7 @@ Summary: Contains a linker, an assembler, and other tools Name: binutils Version: 2.32 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ URL: http://www.gnu.org/software/binutils Group: System Environment/Base @@ -11,6 +11,18 @@ Source0: http://ftp.gnu.org/gnu/binutils/%{name}-%{version}.tar.xz Patch0: CVE-2019-9070.nopatch Patch1: CVE-2019-9075.patch Patch2: CVE-2019-9077.patch +Patch3: CVE-2019-12972.patch +Patch4: CVE-2019-14250.patch +Patch5: CVE-2019-14444.patch +Patch6: CVE-2019-9071.patch +# Binutils commmunity does not consider this a bug +Patch7: CVE-2019-9072.nopatch +Patch8: CVE-2019-9073.patch +Patch9: CVE-2019-9074.patch +# Binutils community does not consider this a bug +Patch10: CVE-2019-9076.nopatch +Patch11: CVE-2019-17450.patch +Patch12: CVE-2019-17451.patch %description The Binutils package contains a linker, an assembler, @@ -25,9 +37,7 @@ It contains the libraries and header files to create applications for handling compiled objects. %prep -%setup -q -%patch1 -p1 -%patch2 -p1 +%autosetup -p1 %build %configure \ @@ -111,9 +121,20 @@ make %{?_smp_mflags} check %{_libdir}/libopcodes.so %changelog -* Sat May 09 00:21:17 PST 2020 Nick Samson - 2.32-3 -- Added %%license line automatically - +* Thu Oct 22 2020 Nicolas Ontiveros 2.32-4 +- Use autosetup +- Fix CVE-2019-12972. +- Fix CVE-2019-14250. +- Fix CVE-2019-14444. +- Fix CVE-2019-9071. +- No patch CVE-2019-9072. +- Fix CVE-2019-9073. +- Fix CVE-2019-9074. +- No patch CVE-2019-9076. +- Fix CVE-2019-17450. +- Fix CVE-2019-17451. +* Sat May 09 2020 Nick Samson 2.32-3 +- Added %%license line automatically * Wed May 06 2020 Nicolas Ontiveros 2.32-2 - Fix CVE-2019-9077. - Fix CVE-2019-9075. 
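Review bot: `Patch0: CVE-2019-9070.nopatch` is now the only no-patch entry without a recorded rationale. This commit empties the .nopatch file, which previously said the bug is in GNU libiberty and was fixed in gcc upstream, and the spec gains comments only for Patch7 and Patch10. I would carry the text over as a comment above Patch0, e.g. `# CVE-2019-9070 is a libiberty bug; fixed in gcc upstream`. That claim is also worth re-checking, because CVE-2019-9071.patch in this same commit patches `libiberty/cp-demangle.c` inside the binutils tree, which suggests binutils builds its own copy of libiberty rather than relying on gcc's.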
diff --git a/SPECS/brotli/CVE-2020-8927.patch b/SPECS/brotli/CVE-2020-8927.patch
new file mode 100644
index 00000000000..f675a5c68b7
--- /dev/null
+++ b/SPECS/brotli/CVE-2020-8927.patch
@@ -0,0 +1,1205 @@ +Backported of: + +From 223d80cfbec8fd346e32906c732c8ede21f0cea6 Mon Sep 17 00:00:00 2001 +From: Eugene Kliuchnikov +Date: Wed, 26 Aug 2020 12:32:27 +0200 +Subject: [PATCH] Update (#826) + + * IMPORTANT: decoder: fix potential overflow when input chunk is >2GiB + * simplify max Huffman table size calculation + * eliminate symbol duplicates (static arrays in .h files) + * minor combing in research/ code + +--- + c/common/constants.c | 15 ++++ + c/common/constants.h | 18 +++++ + c/common/context.c | 156 +++++++++++++++++++++++++++++++++++++ + c/common/context.h | 156 +------------------------------------ + c/common/platform.c | 22 ++++++ + c/common/platform.h | 11 +-- + c/dec/bit_reader.c | 11 +++ + c/dec/bit_reader.h | 19 ++--- + c/dec/decode.c | 9 ++- + c/dec/huffman.h | 8 +- + c/dec/prefix.h | 18 ----- + c/dec/state.c | 7 +- + c/enc/brotli_bit_stream.c | 21 +---- + c/enc/command.c | 28 +++++++ + c/enc/command.h | 24 +++--- + c/enc/entropy_encode.c | 2 + + c/enc/entropy_encode.h | 4 +- + c/enc/fast_log.c | 105 +++++++++++++++++++++++++ + c/enc/fast_log.h | 99 ++--------------------- + research/brotli_decoder.c | 1 + + research/draw_histogram.cc | 25 +++--- + scripts/.bintray.json | 2 +- + scripts/sources.lst | 5 ++ + setup.py | 5 ++ + 24 files changed, 430 insertions(+), 341 deletions(-) + create mode 100644 c/common/constants.c + create mode 100644 c/common/context.c + create mode 100644 c/common/platform.c + create mode 100644 c/enc/command.c + create mode 100644 c/enc/fast_log.c + +diff --git a/c/common/constants.c b/c/common/constants.c +new file mode 100644 +index 0000000..6bad9f6 +--- /dev/null ++++ b/c/common/constants.c +@@ -0,0 +1,15 @@ ++/* Copyright 2013 Google Inc. All Rights Reserved. ++ ++ Distributed under MIT license. 
++ See file LICENSE for detail or copy at https://opensource.org/licenses/MIT ++*/ ++ ++#include "./constants.h" ++ ++const BrotliPrefixCodeRange ++ _kBrotliPrefixCodeRanges[BROTLI_NUM_BLOCK_LEN_SYMBOLS] = { ++ {1, 2}, {5, 2}, {9, 2}, {13, 2}, {17, 3}, {25, 3}, ++ {33, 3}, {41, 3}, {49, 4}, {65, 4}, {81, 4}, {97, 4}, ++ {113, 5}, {145, 5}, {177, 5}, {209, 5}, {241, 6}, {305, 6}, ++ {369, 7}, {497, 8}, {753, 9}, {1265, 10}, {2289, 11}, {4337, 12}, ++ {8433, 13}, {16625, 24}}; +diff --git a/c/common/constants.h b/c/common/constants.h +index d1b88d1..c1c38d5 100644 +--- a/c/common/constants.h ++++ b/c/common/constants.h +@@ -7,6 +7,9 @@ + #ifndef BROTLI_COMMON_CONSTANTS_H_ + #define BROTLI_COMMON_CONSTANTS_H_ + ++#include ++#include ++ + /* Specification: 7.3. Encoding of the context map */ + #define BROTLI_CONTEXT_MAP_MAX_RLE 16 + +@@ -48,6 +51,10 @@ + #define BROTLI_MAX_DISTANCE 0x3FFFFFC + #define BROTLI_MAX_ALLOWED_DISTANCE 0x7FFFFFFC + ++ ++/* Specification: 4. Encoding of Literal Insertion Lengths and Copy Lengths */ ++#define BROTLI_NUM_INS_COPY_CODES 24 ++ + /* 7.1. Context modes and context ID lookup for literals */ + /* "context IDs for literals are in the range of 0..63" */ + #define BROTLI_LITERAL_CONTEXT_BITS 6 +@@ -61,4 +68,15 @@ + #define BROTLI_WINDOW_GAP 16 + #define BROTLI_MAX_BACKWARD_LIMIT(W) (((size_t)1 << (W)) - BROTLI_WINDOW_GAP) + ++/* Represents the range of values belonging to a prefix code: ++ [offset, offset + 2^nbits) */ ++typedef struct { ++ uint16_t offset; ++ uint8_t nbits; ++} BrotliPrefixCodeRange; ++ ++/* "Soft-private", it is exported, but not "advertised" as API. 
*/ ++BROTLI_COMMON_API extern const BrotliPrefixCodeRange ++ _kBrotliPrefixCodeRanges[BROTLI_NUM_BLOCK_LEN_SYMBOLS]; ++ + #endif /* BROTLI_COMMON_CONSTANTS_H_ */ +diff --git a/c/common/context.c b/c/common/context.c +new file mode 100644 +index 0000000..2c2dceb +--- /dev/null ++++ b/c/common/context.c +@@ -0,0 +1,156 @@ ++#include "./context.h" ++ ++#include ++ ++/* Common context lookup table for all context modes. */ ++const uint8_t _kBrotliContextLookupTable[2048] = { ++ /* CONTEXT_LSB6, last byte. */ ++ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, ++ 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, ++ 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, ++ 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, ++ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, ++ 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, ++ 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, ++ 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, ++ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, ++ 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, ++ 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, ++ 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, ++ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, ++ 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, ++ 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, ++ 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, ++ ++ /* CONTEXT_LSB6, second last byte, */ ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ ++ /* CONTEXT_MSB6, last byte. */ ++ 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, ++ 4, 4, 4, 4, 5, 5, 5, 5, 6, 6, 6, 6, 7, 7, 7, 7, ++ 8, 8, 8, 8, 9, 9, 9, 9, 10, 10, 10, 10, 11, 11, 11, 11, ++ 12, 12, 12, 12, 13, 13, 13, 13, 14, 14, 14, 14, 15, 15, 15, 15, ++ 16, 16, 16, 16, 17, 17, 17, 17, 18, 18, 18, 18, 19, 19, 19, 19, ++ 20, 20, 20, 20, 21, 21, 21, 21, 22, 22, 22, 22, 23, 23, 23, 23, ++ 24, 24, 24, 24, 25, 25, 25, 25, 26, 26, 26, 26, 27, 27, 27, 27, ++ 28, 28, 28, 28, 29, 29, 29, 29, 30, 30, 30, 30, 31, 31, 31, 31, ++ 32, 32, 32, 32, 33, 33, 33, 33, 34, 34, 34, 34, 35, 35, 35, 35, ++ 36, 36, 36, 36, 37, 37, 37, 37, 38, 38, 38, 38, 39, 39, 39, 39, ++ 40, 40, 40, 40, 41, 41, 41, 41, 42, 42, 42, 42, 43, 43, 43, 43, ++ 44, 44, 44, 44, 45, 45, 45, 45, 46, 46, 46, 46, 47, 47, 47, 47, ++ 48, 48, 48, 48, 49, 49, 49, 49, 50, 50, 50, 50, 51, 51, 51, 51, ++ 52, 52, 52, 52, 53, 53, 53, 53, 54, 54, 54, 54, 55, 55, 55, 55, ++ 56, 56, 56, 56, 57, 57, 57, 57, 58, 58, 58, 58, 59, 59, 59, 59, ++ 60, 60, 60, 60, 61, 61, 61, 61, 62, 62, 62, 62, 63, 63, 63, 63, ++ ++ /* CONTEXT_MSB6, second last byte, */ ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 
0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ ++ /* CONTEXT_UTF8, last byte. */ ++ /* ASCII range. */ ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 4, 0, 0, 4, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 8, 12, 16, 12, 12, 20, 12, 16, 24, 28, 12, 12, 32, 12, 36, 12, ++ 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 32, 32, 24, 40, 28, 12, ++ 12, 48, 52, 52, 52, 48, 52, 52, 52, 48, 52, 52, 52, 52, 52, 48, ++ 52, 52, 52, 52, 52, 48, 52, 52, 52, 52, 52, 24, 12, 28, 12, 12, ++ 12, 56, 60, 60, 60, 56, 60, 60, 60, 56, 60, 60, 60, 60, 60, 56, ++ 60, 60, 60, 60, 60, 56, 60, 60, 60, 60, 60, 24, 12, 28, 12, 0, ++ /* UTF8 continuation byte range. */ ++ 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, ++ 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, ++ 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, ++ 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, ++ /* UTF8 lead byte range. */ ++ 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, ++ 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, ++ 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, ++ 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, ++ ++ /* CONTEXT_UTF8 second last byte. */ ++ /* ASCII range. */ ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, ++ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, ++ 1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, ++ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, ++ 1, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, ++ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 1, 1, 1, 1, 0, ++ /* UTF8 continuation byte range. 
*/ ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ /* UTF8 lead byte range. */ ++ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ++ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, ++ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, ++ ++ /* CONTEXT_SIGNED, last byte, same as the above values shifted by 3 bits. */ ++ 0, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, ++ 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, ++ 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, ++ 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, ++ 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, ++ 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, ++ 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, ++ 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, ++ 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, ++ 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, ++ 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, ++ 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, ++ 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, ++ 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, ++ 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, ++ 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 56, ++ ++ /* CONTEXT_SIGNED, second last byte. 
*/ ++ 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, ++ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, ++ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, ++ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, ++ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, ++ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, ++ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, ++ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, ++ 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, ++ 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, ++ 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, ++ 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, ++ 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, ++ 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, ++ 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, ++ 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 7, ++}; +diff --git a/c/common/context.h b/c/common/context.h +index 24b3eb4..685a279 100755 +--- a/c/common/context.h ++++ b/c/common/context.h +@@ -88,6 +88,7 @@ + #ifndef BROTLI_COMMON_CONTEXT_H_ + #define BROTLI_COMMON_CONTEXT_H_ + ++#include + #include + + typedef enum ContextType { +@@ -97,163 +98,14 @@ typedef enum ContextType { + CONTEXT_SIGNED = 3 + } ContextType; + ++/* "Soft-private", it is exported, but not "advertised" as API. */ + /* Common context lookup table for all context modes. */ +-static const uint8_t kContextLookup[2048] = { +- /* CONTEXT_LSB6, last byte. 
*/ +- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, +- 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, +- 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, +- 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, +- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, +- 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, +- 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, +- 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, +- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, +- 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, +- 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, +- 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, +- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, +- 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, +- 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, +- 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, +- +- /* CONTEXT_LSB6, second last byte, */ +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- +- /* CONTEXT_MSB6, last byte. 
*/ +- 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, +- 4, 4, 4, 4, 5, 5, 5, 5, 6, 6, 6, 6, 7, 7, 7, 7, +- 8, 8, 8, 8, 9, 9, 9, 9, 10, 10, 10, 10, 11, 11, 11, 11, +- 12, 12, 12, 12, 13, 13, 13, 13, 14, 14, 14, 14, 15, 15, 15, 15, +- 16, 16, 16, 16, 17, 17, 17, 17, 18, 18, 18, 18, 19, 19, 19, 19, +- 20, 20, 20, 20, 21, 21, 21, 21, 22, 22, 22, 22, 23, 23, 23, 23, +- 24, 24, 24, 24, 25, 25, 25, 25, 26, 26, 26, 26, 27, 27, 27, 27, +- 28, 28, 28, 28, 29, 29, 29, 29, 30, 30, 30, 30, 31, 31, 31, 31, +- 32, 32, 32, 32, 33, 33, 33, 33, 34, 34, 34, 34, 35, 35, 35, 35, +- 36, 36, 36, 36, 37, 37, 37, 37, 38, 38, 38, 38, 39, 39, 39, 39, +- 40, 40, 40, 40, 41, 41, 41, 41, 42, 42, 42, 42, 43, 43, 43, 43, +- 44, 44, 44, 44, 45, 45, 45, 45, 46, 46, 46, 46, 47, 47, 47, 47, +- 48, 48, 48, 48, 49, 49, 49, 49, 50, 50, 50, 50, 51, 51, 51, 51, +- 52, 52, 52, 52, 53, 53, 53, 53, 54, 54, 54, 54, 55, 55, 55, 55, +- 56, 56, 56, 56, 57, 57, 57, 57, 58, 58, 58, 58, 59, 59, 59, 59, +- 60, 60, 60, 60, 61, 61, 61, 61, 62, 62, 62, 62, 63, 63, 63, 63, +- +- /* CONTEXT_MSB6, second last byte, */ +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- +- /* CONTEXT_UTF8, last byte. */ +- /* ASCII range. 
*/ +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 4, 0, 0, 4, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 8, 12, 16, 12, 12, 20, 12, 16, 24, 28, 12, 12, 32, 12, 36, 12, +- 44, 44, 44, 44, 44, 44, 44, 44, 44, 44, 32, 32, 24, 40, 28, 12, +- 12, 48, 52, 52, 52, 48, 52, 52, 52, 48, 52, 52, 52, 52, 52, 48, +- 52, 52, 52, 52, 52, 48, 52, 52, 52, 52, 52, 24, 12, 28, 12, 12, +- 12, 56, 60, 60, 60, 56, 60, 60, 60, 56, 60, 60, 60, 60, 60, 56, +- 60, 60, 60, 60, 60, 56, 60, 60, 60, 60, 60, 24, 12, 28, 12, 0, +- /* UTF8 continuation byte range. */ +- 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, +- 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, +- 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, +- 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, +- /* UTF8 lead byte range. */ +- 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, +- 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, +- 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, +- 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, +- +- /* CONTEXT_UTF8 second last byte. */ +- /* ASCII range. */ +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, +- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, +- 1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, +- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, +- 1, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, +- 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 1, 1, 1, 1, 0, +- /* UTF8 continuation byte range. */ +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- /* UTF8 lead byte range. 
*/ +- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, +- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, +- +- /* CONTEXT_SIGNED, last byte, same as the above values shifted by 3 bits. */ +- 0, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, +- 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, +- 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, +- 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, +- 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, +- 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, +- 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, +- 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, +- 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, +- 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, +- 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, +- 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, +- 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, +- 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, +- 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, +- 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 48, 56, +- +- /* CONTEXT_SIGNED, second last byte. 
*/ +- 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, +- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, +- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, +- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, +- 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, +- 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, +- 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, +- 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, +- 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, +- 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, +- 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, +- 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, +- 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, +- 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, +- 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, +- 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 7, +-}; ++BROTLI_COMMON_API extern const uint8_t _kBrotliContextLookupTable[2048]; + + typedef const uint8_t* ContextLut; + + /* typeof(MODE) == ContextType; returns ContextLut */ +-#define BROTLI_CONTEXT_LUT(MODE) (&kContextLookup[(MODE) << 9]) ++#define BROTLI_CONTEXT_LUT(MODE) (&_kBrotliContextLookupTable[(MODE) << 9]) + + /* typeof(LUT) == ContextLut */ + #define BROTLI_CONTEXT(P1, P2, LUT) ((LUT)[P1] | ((LUT) + 256)[P2]) +diff --git a/c/common/platform.c b/c/common/platform.c +new file mode 100644 +index 0000000..aef39e9 +--- /dev/null ++++ b/c/common/platform.c +@@ -0,0 +1,22 @@ ++/* Copyright 2016 Google Inc. All Rights Reserved. ++ ++ Distributed under MIT license. 
++ See file LICENSE for detail or copy at https://opensource.org/licenses/MIT ++*/ ++ ++#include ++ ++#include "./platform.h" ++#include ++ ++/* Default brotli_alloc_func */ ++void* BrotliDefaultAllocFunc(void* opaque, size_t size) { ++ BROTLI_UNUSED(opaque); ++ return malloc(size); ++} ++ ++/* Default brotli_free_func */ ++void BrotliDefaultFreeFunc(void* opaque, void* address) { ++ BROTLI_UNUSED(opaque); ++ free(address); ++} +diff --git a/c/common/platform.h b/c/common/platform.h +index 84c448c..43c9b89 100755 +--- a/c/common/platform.h ++++ b/c/common/platform.h +@@ -24,7 +24,6 @@ + #define BROTLI_COMMON_PLATFORM_H_ + + #include /* memcpy */ +-#include /* malloc, free */ + + #include + #include +@@ -524,16 +523,10 @@ BROTLI_MIN_MAX(size_t) BROTLI_MIN_MAX(uint32_t) BROTLI_MIN_MAX(uint8_t) + } + + /* Default brotli_alloc_func */ +-static void* BrotliDefaultAllocFunc(void* opaque, size_t size) { +- BROTLI_UNUSED(opaque); +- return malloc(size); +-} ++BROTLI_COMMON_API void* BrotliDefaultAllocFunc(void* opaque, size_t size); + + /* Default brotli_free_func */ +-static void BrotliDefaultFreeFunc(void* opaque, void* address) { +- BROTLI_UNUSED(opaque); +- free(address); +-} ++BROTLI_COMMON_API void BrotliDefaultFreeFunc(void* opaque, void* address); + + BROTLI_UNUSED_FUNCTION void BrotliSuppressUnusedFunctions(void) { + BROTLI_UNUSED(&BrotliSuppressUnusedFunctions); +diff --git a/c/dec/bit_reader.c b/c/dec/bit_reader.c +index 722fd90..67d4e25 100644 +--- a/c/dec/bit_reader.c ++++ b/c/dec/bit_reader.c +@@ -15,6 +15,17 @@ + extern "C" { + #endif + ++const uint32_t kBrotliBitMask[33] = { 0x00000000, ++ 0x00000001, 0x00000003, 0x00000007, 0x0000000F, ++ 0x0000001F, 0x0000003F, 0x0000007F, 0x000000FF, ++ 0x000001FF, 0x000003FF, 0x000007FF, 0x00000FFF, ++ 0x00001FFF, 0x00003FFF, 0x00007FFF, 0x0000FFFF, ++ 0x0001FFFF, 0x0003FFFF, 0x0007FFFF, 0x000FFFFF, ++ 0x001FFFFF, 0x003FFFFF, 0x007FFFFF, 0x00FFFFFF, ++ 0x01FFFFFF, 0x03FFFFFF, 0x07FFFFFF, 0x0FFFFFFF, ++ 0x1FFFFFFF, 
0x3FFFFFFF, 0x7FFFFFFF, 0xFFFFFFFF ++}; ++ + void BrotliInitBitReader(BrotliBitReader* const br) { + br->val_ = 0; + br->bit_pos_ = sizeof(br->val_) << 3; +diff --git a/c/dec/bit_reader.h b/c/dec/bit_reader.h +index c06e914..b1c6f24 100644 +--- a/c/dec/bit_reader.h ++++ b/c/dec/bit_reader.h +@@ -11,6 +11,7 @@ + + #include /* memcpy */ + ++#include "../common/constants.h" + #include "../common/platform.h" + #include + +@@ -20,16 +21,7 @@ extern "C" { + + #define BROTLI_SHORT_FILL_BIT_WINDOW_READ (sizeof(brotli_reg_t) >> 1) + +-static const uint32_t kBitMask[33] = { 0x00000000, +- 0x00000001, 0x00000003, 0x00000007, 0x0000000F, +- 0x0000001F, 0x0000003F, 0x0000007F, 0x000000FF, +- 0x000001FF, 0x000003FF, 0x000007FF, 0x00000FFF, +- 0x00001FFF, 0x00003FFF, 0x00007FFF, 0x0000FFFF, +- 0x0001FFFF, 0x0003FFFF, 0x0007FFFF, 0x000FFFFF, +- 0x001FFFFF, 0x003FFFFF, 0x007FFFFF, 0x00FFFFFF, +- 0x01FFFFFF, 0x03FFFFFF, 0x07FFFFFF, 0x0FFFFFFF, +- 0x1FFFFFFF, 0x3FFFFFFF, 0x7FFFFFFF, 0xFFFFFFFF +-}; ++BROTLI_INTERNAL extern const uint32_t kBrotliBitMask[33]; + + static BROTLI_INLINE uint32_t BitMask(uint32_t n) { + if (BROTLI_IS_CONSTANT(n) || BROTLI_HAS_UBFX) { +@@ -37,7 +29,7 @@ static BROTLI_INLINE uint32_t BitMask(uint32_t n) { + "Unsigned Bit Field Extract" UBFX instruction on ARM. */ + return ~((0xFFFFFFFFu) << n); + } else { +- return kBitMask[n]; ++ return kBrotliBitMask[n]; + } + } + +@@ -87,8 +79,11 @@ static BROTLI_INLINE uint32_t BrotliGetAvailableBits( + } + + /* Returns amount of unread bytes the bit reader still has buffered from the +- BrotliInput, including whole bytes in br->val_. */ ++ BrotliInput, including whole bytes in br->val_. Result is capped with ++ maximal ring-buffer size (larger number won't be utilized anyway). 
*/ + static BROTLI_INLINE size_t BrotliGetRemainingBytes(BrotliBitReader* br) { ++ static const size_t kCap = (size_t)1 << BROTLI_LARGE_MAX_WBITS; ++ if (br->avail_in > kCap) return kCap; + return br->avail_in + (BrotliGetAvailableBits(br) >> 3); + } + +diff --git a/c/dec/decode.c b/c/dec/decode.c +index 08bd76c..36111e7 100644 +--- a/c/dec/decode.c ++++ b/c/dec/decode.c +@@ -867,8 +867,8 @@ static BROTLI_INLINE uint32_t ReadBlockLength(const HuffmanCode* table, + uint32_t code; + uint32_t nbits; + code = ReadSymbol(table, br); +- nbits = kBlockLengthPrefixCode[code].nbits; /* nbits == 2..24 */ +- return kBlockLengthPrefixCode[code].offset + BrotliReadBits(br, nbits); ++ nbits = _kBrotliPrefixCodeRanges[code].nbits; /* nbits == 2..24 */ ++ return _kBrotliPrefixCodeRanges[code].offset + BrotliReadBits(br, nbits); + } + + /* WARNING: if state is not BROTLI_STATE_READ_BLOCK_LENGTH_NONE, then +@@ -886,13 +886,14 @@ static BROTLI_INLINE BROTLI_BOOL SafeReadBlockLength( + } + { + uint32_t bits; +- uint32_t nbits = kBlockLengthPrefixCode[index].nbits; /* nbits == 2..24 */ ++ uint32_t nbits = _kBrotliPrefixCodeRanges[index].nbits; ++ uint32_t offset = _kBrotliPrefixCodeRanges[index].offset; + if (!BrotliSafeReadBits(br, nbits, &bits)) { + s->block_length_index = index; + s->substate_read_block_length = BROTLI_STATE_READ_BLOCK_LENGTH_SUFFIX; + return BROTLI_FALSE; + } +- *result = kBlockLengthPrefixCode[index].offset + bits; ++ *result = offset + bits; + s->substate_read_block_length = BROTLI_STATE_READ_BLOCK_LENGTH_NONE; + return BROTLI_TRUE; + } +diff --git a/c/dec/huffman.h b/c/dec/huffman.h +index b9f0716..5a70279 100644 +--- a/c/dec/huffman.h ++++ b/c/dec/huffman.h +@@ -18,12 +18,6 @@ extern "C" { + + #define BROTLI_HUFFMAN_MAX_CODE_LENGTH 15 + +-/* Maximum possible Huffman table size for an alphabet size of (index * 32), +- max code length 15 and root table bits 8. 
*/ +-static const uint16_t kMaxHuffmanTableSize[] = { +- 256, 402, 436, 468, 500, 534, 566, 598, 630, 662, 694, 726, 758, 790, 822, +- 854, 886, 920, 952, 984, 1016, 1048, 1080, 1112, 1144, 1176, 1208, 1240, 1272, +- 1304, 1336, 1368, 1400, 1432, 1464, 1496, 1528}; + /* BROTLI_NUM_BLOCK_LEN_SYMBOLS == 26 */ + #define BROTLI_HUFFMAN_MAX_SIZE_26 396 + /* BROTLI_MAX_BLOCK_TYPE_SYMBOLS == 258 */ +@@ -100,7 +94,7 @@ BROTLI_INTERNAL void BrotliBuildCodeLengthsHuffmanTable(HuffmanCode* root_table, + /* Builds Huffman lookup table assuming code lengths are in symbol order. + Returns size of resulting table. */ + BROTLI_INTERNAL uint32_t BrotliBuildHuffmanTable(HuffmanCode* root_table, +- int root_bits, const uint16_t* const symbol_lists, uint16_t* count_arg); ++ int root_bits, const uint16_t* const symbol_lists, uint16_t* count); + + /* Builds a simple Huffman table. The |num_symbols| parameter is to be + interpreted as follows: 0 means 1 symbol, 1 means 2 symbols, +diff --git a/c/dec/prefix.h b/c/dec/prefix.h +index 3ea062d..481a2c7 100644 +--- a/c/dec/prefix.h ++++ b/c/dec/prefix.h +@@ -13,24 +13,6 @@ + #include "../common/constants.h" + #include + +-/* Represents the range of values belonging to a prefix code: +- [offset, offset + 2^nbits) */ +-struct PrefixCodeRange { +- uint16_t offset; +- uint8_t nbits; +-}; +- +-static const struct PrefixCodeRange +- kBlockLengthPrefixCode[BROTLI_NUM_BLOCK_LEN_SYMBOLS] = { +- { 1, 2}, { 5, 2}, { 9, 2}, { 13, 2}, +- { 17, 3}, { 25, 3}, { 33, 3}, { 41, 3}, +- { 49, 4}, { 65, 4}, { 81, 4}, { 97, 4}, +- { 113, 5}, { 145, 5}, { 177, 5}, { 209, 5}, +- { 241, 6}, { 305, 6}, { 369, 7}, { 497, 8}, +- { 753, 9}, { 1265, 10}, {2289, 11}, {4337, 12}, +- {8433, 13}, {16625, 24} +-}; +- + typedef struct CmdLutElement { + uint8_t insert_len_extra_bits; + uint8_t copy_len_extra_bits; +diff --git a/c/dec/state.c b/c/dec/state.c +index e0b37c2..9ac8161 100644 +--- a/c/dec/state.c ++++ b/c/dec/state.c +@@ -144,8 +144,11 @@ void 
BrotliDecoderStateCleanup(BrotliDecoderState* s) { + BROTLI_BOOL BrotliDecoderHuffmanTreeGroupInit(BrotliDecoderState* s, + HuffmanTreeGroup* group, uint32_t alphabet_size, uint32_t max_symbol, + uint32_t ntrees) { +- /* Pack two allocations into one */ +- const size_t max_table_size = kMaxHuffmanTableSize[(alphabet_size + 31) >> 5]; ++ /* 376 = 256 (1-st level table) + 4 + 7 + 15 + 31 + 63 (2-nd level mix-tables) ++ This number is discovered "unlimited" "enough" calculator; it is actually ++ a wee bigger than required in several cases (especially for alphabets with ++ less than 16 symbols). */ ++ const size_t max_table_size = alphabet_size + 376; + const size_t code_size = sizeof(HuffmanCode) * ntrees * max_table_size; + const size_t htree_size = sizeof(HuffmanCode*) * ntrees; + /* Pointer alignment is, hopefully, wider than sizeof(HuffmanCode). */ +diff --git a/c/enc/brotli_bit_stream.c b/c/enc/brotli_bit_stream.c +index aaf2dad..8e68059 100644 +--- a/c/enc/brotli_bit_stream.c ++++ b/c/enc/brotli_bit_stream.c +@@ -34,33 +34,18 @@ extern "C" { + BROTLI_DISTANCE_ALPHABET_SIZE(0, 0, BROTLI_LARGE_MAX_DISTANCE_BITS) + /* MAX_SIMPLE_DISTANCE_ALPHABET_SIZE == 140 */ + +-/* Represents the range of values belonging to a prefix code: +- [offset, offset + 2^nbits) */ +-typedef struct PrefixCodeRange { +- uint32_t offset; +- uint32_t nbits; +-} PrefixCodeRange; +- +-static const PrefixCodeRange +- kBlockLengthPrefixCode[BROTLI_NUM_BLOCK_LEN_SYMBOLS] = { +- { 1, 2}, { 5, 2}, { 9, 2}, {13, 2}, {17, 3}, { 25, 3}, { 33, 3}, +- {41, 3}, {49, 4}, {65, 4}, {81, 4}, {97, 4}, {113, 5}, {145, 5}, +- {177, 5}, { 209, 5}, { 241, 6}, { 305, 6}, { 369, 7}, { 497, 8}, +- {753, 9}, {1265, 10}, {2289, 11}, {4337, 12}, {8433, 13}, {16625, 24} +-}; +- + static BROTLI_INLINE uint32_t BlockLengthPrefixCode(uint32_t len) { + uint32_t code = (len >= 177) ? (len >= 753 ? 20 : 14) : (len >= 41 ? 
7 : 0); + while (code < (BROTLI_NUM_BLOCK_LEN_SYMBOLS - 1) && +- len >= kBlockLengthPrefixCode[code + 1].offset) ++code; ++ len >= _kBrotliPrefixCodeRanges[code + 1].offset) ++code; + return code; + } + + static BROTLI_INLINE void GetBlockLengthPrefixCode(uint32_t len, size_t* code, + uint32_t* n_extra, uint32_t* extra) { + *code = BlockLengthPrefixCode(len); +- *n_extra = kBlockLengthPrefixCode[*code].nbits; +- *extra = len - kBlockLengthPrefixCode[*code].offset; ++ *n_extra = _kBrotliPrefixCodeRanges[*code].nbits; ++ *extra = len - _kBrotliPrefixCodeRanges[*code].offset; + } + + typedef struct BlockTypeCodeCalculator { +diff --git a/c/enc/command.c b/c/enc/command.c +new file mode 100644 +index 0000000..5e6c249 +--- /dev/null ++++ b/c/enc/command.c +@@ -0,0 +1,28 @@ ++/* Copyright 2013 Google Inc. All Rights Reserved. ++ ++ Distributed under MIT license. ++ See file LICENSE for detail or copy at https://opensource.org/licenses/MIT ++*/ ++ ++#include "./command.h" ++ ++#include ++ ++#if defined(__cplusplus) || defined(c_plusplus) ++extern "C" { ++#endif ++ ++const uint32_t kBrotliInsBase[BROTLI_NUM_INS_COPY_CODES] = { ++ 0, 1, 2, 3, 4, 5, 6, 8, 10, 14, 18, 26, ++ 34, 50, 66, 98, 130, 194, 322, 578, 1090, 2114, 6210, 22594}; ++const uint32_t kBrotliInsExtra[BROTLI_NUM_INS_COPY_CODES] = { ++ 0, 0, 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 7, 8, 9, 10, 12, 14, 24}; ++const uint32_t kBrotliCopyBase[BROTLI_NUM_INS_COPY_CODES] = { ++ 2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 14, 18, ++ 22, 30, 38, 54, 70, 102, 134, 198, 326, 582, 1094, 2118}; ++const uint32_t kBrotliCopyExtra[BROTLI_NUM_INS_COPY_CODES] = { ++ 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6, 7, 8, 9, 10, 24}; ++ ++#if defined(__cplusplus) || defined(c_plusplus) ++} /* extern "C" */ ++#endif +diff --git a/c/enc/command.h b/c/enc/command.h +index 1aac856..d84e373 100644 +--- a/c/enc/command.h ++++ b/c/enc/command.h +@@ -20,14 +20,14 @@ + extern "C" { + #endif + +-static uint32_t kInsBase[] = { 0, 1, 2, 3, 
4, 5, 6, 8, 10, 14, 18, 26, 34, 50, +- 66, 98, 130, 194, 322, 578, 1090, 2114, 6210, 22594 }; +-static uint32_t kInsExtra[] = { 0, 0, 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, 4, 4, +- 5, 5, 6, 7, 8, 9, 10, 12, 14, 24 }; +-static uint32_t kCopyBase[] = { 2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 14, 18, 22, 30, +- 38, 54, 70, 102, 134, 198, 326, 582, 1094, 2118 }; +-static uint32_t kCopyExtra[] = { 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 2, 2, 3, 3, +- 4, 4, 5, 5, 6, 7, 8, 9, 10, 24 }; ++BROTLI_INTERNAL extern const uint32_t ++ kBrotliInsBase[BROTLI_NUM_INS_COPY_CODES]; ++BROTLI_INTERNAL extern const uint32_t ++ kBrotliInsExtra[BROTLI_NUM_INS_COPY_CODES]; ++BROTLI_INTERNAL extern const uint32_t ++ kBrotliCopyBase[BROTLI_NUM_INS_COPY_CODES]; ++BROTLI_INTERNAL extern const uint32_t ++ kBrotliCopyExtra[BROTLI_NUM_INS_COPY_CODES]; + + static BROTLI_INLINE uint16_t GetInsertLengthCode(size_t insertlen) { + if (insertlen < 6) { +@@ -89,19 +89,19 @@ static BROTLI_INLINE void GetLengthCode(size_t insertlen, size_t copylen, + } + + static BROTLI_INLINE uint32_t GetInsertBase(uint16_t inscode) { +- return kInsBase[inscode]; ++ return kBrotliInsBase[inscode]; + } + + static BROTLI_INLINE uint32_t GetInsertExtra(uint16_t inscode) { +- return kInsExtra[inscode]; ++ return kBrotliInsExtra[inscode]; + } + + static BROTLI_INLINE uint32_t GetCopyBase(uint16_t copycode) { +- return kCopyBase[copycode]; ++ return kBrotliCopyBase[copycode]; + } + + static BROTLI_INLINE uint32_t GetCopyExtra(uint16_t copycode) { +- return kCopyExtra[copycode]; ++ return kBrotliCopyExtra[copycode]; + } + + typedef struct Command { +diff --git a/c/enc/entropy_encode.c b/c/enc/entropy_encode.c +index 97f9dfb..b50ccb5 100644 +--- a/c/enc/entropy_encode.c ++++ b/c/enc/entropy_encode.c +@@ -18,6 +18,8 @@ + extern "C" { + #endif + ++const size_t kBrotliShellGaps[] = {132, 57, 23, 10, 4, 1}; ++ + BROTLI_BOOL BrotliSetDepth( + int p0, HuffmanTree* pool, uint8_t* depth, int max_depth) { + int stack[16]; +diff --git a/c/enc/entropy_encode.h 
b/c/enc/entropy_encode.h +index f23d9c3..9618e1d 100644 +--- a/c/enc/entropy_encode.h ++++ b/c/enc/entropy_encode.h +@@ -76,12 +76,12 @@ BROTLI_INTERNAL void BrotliConvertBitDepthsToSymbols(const uint8_t* depth, + size_t len, + uint16_t* bits); + ++BROTLI_INTERNAL extern const size_t kBrotliShellGaps[6]; + /* Input size optimized Shell sort. */ + typedef BROTLI_BOOL (*HuffmanTreeComparator)( + const HuffmanTree*, const HuffmanTree*); + static BROTLI_INLINE void SortHuffmanTreeItems(HuffmanTree* items, + const size_t n, HuffmanTreeComparator comparator) { +- static const size_t gaps[] = {132, 57, 23, 10, 4, 1}; + if (n < 13) { + /* Insertion sort. */ + size_t i; +@@ -101,7 +101,7 @@ static BROTLI_INLINE void SortHuffmanTreeItems(HuffmanTree* items, + /* Shell sort. */ + int g = n < 57 ? 2 : 0; + for (; g < 6; ++g) { +- size_t gap = gaps[g]; ++ size_t gap = kBrotliShellGaps[g]; + size_t i; + for (i = gap; i < n; ++i) { + size_t j = i; +diff --git a/c/enc/fast_log.c b/c/enc/fast_log.c +new file mode 100644 +index 0000000..2319bae +--- /dev/null ++++ b/c/enc/fast_log.c +@@ -0,0 +1,105 @@ ++/* Copyright 2013 Google Inc. All Rights Reserved. ++ ++ Distributed under MIT license. 
++ See file LICENSE for detail or copy at https://opensource.org/licenses/MIT ++*/ ++ ++#include "./fast_log.h" ++ ++#if defined(__cplusplus) || defined(c_plusplus) ++extern "C" { ++#endif ++ ++/* ", ".join(["%.16ff" % x for x in [0.0]+[log2(x) for x in range(1, 256)]]) */ ++const double kBrotliLog2Table[BROTLI_LOG2_TABLE_SIZE] = { ++ 0.0000000000000000f, 0.0000000000000000f, 1.0000000000000000f, ++ 1.5849625007211563f, 2.0000000000000000f, 2.3219280948873622f, ++ 2.5849625007211561f, 2.8073549220576042f, 3.0000000000000000f, ++ 3.1699250014423126f, 3.3219280948873626f, 3.4594316186372978f, ++ 3.5849625007211565f, 3.7004397181410922f, 3.8073549220576037f, ++ 3.9068905956085187f, 4.0000000000000000f, 4.0874628412503400f, ++ 4.1699250014423122f, 4.2479275134435852f, 4.3219280948873626f, ++ 4.3923174227787607f, 4.4594316186372973f, 4.5235619560570131f, ++ 4.5849625007211570f, 4.6438561897747244f, 4.7004397181410926f, ++ 4.7548875021634691f, 4.8073549220576037f, 4.8579809951275728f, ++ 4.9068905956085187f, 4.9541963103868758f, 5.0000000000000000f, ++ 5.0443941193584534f, 5.0874628412503400f, 5.1292830169449664f, ++ 5.1699250014423122f, 5.2094533656289501f, 5.2479275134435852f, ++ 5.2854022188622487f, 5.3219280948873626f, 5.3575520046180838f, ++ 5.3923174227787607f, 5.4262647547020979f, 5.4594316186372973f, ++ 5.4918530963296748f, 5.5235619560570131f, 5.5545888516776376f, ++ 5.5849625007211570f, 5.6147098441152083f, 5.6438561897747244f, ++ 5.6724253419714961f, 5.7004397181410926f, 5.7279204545631996f, ++ 5.7548875021634691f, 5.7813597135246599f, 5.8073549220576046f, ++ 5.8328900141647422f, 5.8579809951275719f, 5.8826430493618416f, ++ 5.9068905956085187f, 5.9307373375628867f, 5.9541963103868758f, ++ 5.9772799234999168f, 6.0000000000000000f, 6.0223678130284544f, ++ 6.0443941193584534f, 6.0660891904577721f, 6.0874628412503400f, ++ 6.1085244567781700f, 6.1292830169449672f, 6.1497471195046822f, ++ 6.1699250014423122f, 6.1898245588800176f, 6.2094533656289510f, ++ 
6.2288186904958804f, 6.2479275134435861f, 6.2667865406949019f, ++ 6.2854022188622487f, 6.3037807481771031f, 6.3219280948873617f, ++ 6.3398500028846252f, 6.3575520046180847f, 6.3750394313469254f, ++ 6.3923174227787598f, 6.4093909361377026f, 6.4262647547020979f, ++ 6.4429434958487288f, 6.4594316186372982f, 6.4757334309663976f, ++ 6.4918530963296748f, 6.5077946401986964f, 6.5235619560570131f, ++ 6.5391588111080319f, 6.5545888516776376f, 6.5698556083309478f, ++ 6.5849625007211561f, 6.5999128421871278f, 6.6147098441152092f, ++ 6.6293566200796095f, 6.6438561897747253f, 6.6582114827517955f, ++ 6.6724253419714952f, 6.6865005271832185f, 6.7004397181410917f, ++ 6.7142455176661224f, 6.7279204545631988f, 6.7414669864011465f, ++ 6.7548875021634691f, 6.7681843247769260f, 6.7813597135246599f, ++ 6.7944158663501062f, 6.8073549220576037f, 6.8201789624151887f, ++ 6.8328900141647422f, 6.8454900509443757f, 6.8579809951275719f, ++ 6.8703647195834048f, 6.8826430493618416f, 6.8948177633079437f, ++ 6.9068905956085187f, 6.9188632372745955f, 6.9307373375628867f, ++ 6.9425145053392399f, 6.9541963103868758f, 6.9657842846620879f, ++ 6.9772799234999168f, 6.9886846867721664f, 7.0000000000000000f, ++ 7.0112272554232540f, 7.0223678130284544f, 7.0334230015374501f, ++ 7.0443941193584534f, 7.0552824355011898f, 7.0660891904577721f, ++ 7.0768155970508317f, 7.0874628412503400f, 7.0980320829605272f, ++ 7.1085244567781700f, 7.1189410727235076f, 7.1292830169449664f, ++ 7.1395513523987937f, 7.1497471195046822f, 7.1598713367783891f, ++ 7.1699250014423130f, 7.1799090900149345f, 7.1898245588800176f, ++ 7.1996723448363644f, 7.2094533656289492f, 7.2191685204621621f, ++ 7.2288186904958804f, 7.2384047393250794f, 7.2479275134435861f, ++ 7.2573878426926521f, 7.2667865406949019f, 7.2761244052742384f, ++ 7.2854022188622487f, 7.2946207488916270f, 7.3037807481771031f, ++ 7.3128829552843557f, 7.3219280948873617f, 7.3309168781146177f, ++ 7.3398500028846243f, 7.3487281542310781f, 7.3575520046180847f, ++ 
7.3663222142458151f, 7.3750394313469254f, 7.3837042924740528f, ++ 7.3923174227787607f, 7.4008794362821844f, 7.4093909361377026f, ++ 7.4178525148858991f, 7.4262647547020979f, 7.4346282276367255f, ++ 7.4429434958487288f, 7.4512111118323299f, 7.4594316186372973f, ++ 7.4676055500829976f, 7.4757334309663976f, 7.4838157772642564f, ++ 7.4918530963296748f, 7.4998458870832057f, 7.5077946401986964f, ++ 7.5156998382840436f, 7.5235619560570131f, 7.5313814605163119f, ++ 7.5391588111080319f, 7.5468944598876373f, 7.5545888516776376f, ++ 7.5622424242210728f, 7.5698556083309478f, 7.5774288280357487f, ++ 7.5849625007211561f, 7.5924570372680806f, 7.5999128421871278f, ++ 7.6073303137496113f, 7.6147098441152075f, 7.6220518194563764f, ++ 7.6293566200796095f, 7.6366246205436488f, 7.6438561897747244f, ++ 7.6510516911789290f, 7.6582114827517955f, 7.6653359171851765f, ++ 7.6724253419714952f, 7.6794800995054464f, 7.6865005271832185f, ++ 7.6934869574993252f, 7.7004397181410926f, 7.7073591320808825f, ++ 7.7142455176661224f, 7.7210991887071856f, 7.7279204545631996f, ++ 7.7347096202258392f, 7.7414669864011465f, 7.7481928495894596f, ++ 7.7548875021634691f, 7.7615512324444795f, 7.7681843247769260f, ++ 7.7747870596011737f, 7.7813597135246608f, 7.7879025593914317f, ++ 7.7944158663501062f, 7.8008998999203047f, 7.8073549220576037f, ++ 7.8137811912170374f, 7.8201789624151887f, 7.8265484872909159f, ++ 7.8328900141647422f, 7.8392037880969445f, 7.8454900509443757f, ++ 7.8517490414160571f, 7.8579809951275719f, 7.8641861446542798f, ++ 7.8703647195834048f, 7.8765169465650002f, 7.8826430493618425f, ++ 7.8887432488982601f, 7.8948177633079446f, 7.9008668079807496f, ++ 7.9068905956085187f, 7.9128893362299619f, 7.9188632372745955f, ++ 7.9248125036057813f, 7.9307373375628867f, 7.9366379390025719f, ++ 7.9425145053392399f, 7.9483672315846778f, 7.9541963103868758f, ++ 7.9600019320680806f, 7.9657842846620870f, 7.9715435539507720f, ++ 7.9772799234999168f, 7.9829935746943104f, 7.9886846867721664f, ++ 7.9943534368588578f 
++}; ++ ++#if defined(__cplusplus) || defined(c_plusplus) ++} /* extern "C" */ ++#endif +diff --git a/c/enc/fast_log.h b/c/enc/fast_log.h +index cade123..34e268e 100644 +--- a/c/enc/fast_log.h ++++ b/c/enc/fast_log.h +@@ -30,105 +30,18 @@ static BROTLI_INLINE uint32_t Log2FloorNonZero(size_t n) { + #endif + } + +-/* A lookup table for small values of log2(int) to be used in entropy +- computation. ++#define BROTLI_LOG2_TABLE_SIZE 256 + +- ", ".join(["%.16ff" % x for x in [0.0]+[log2(x) for x in range(1, 256)]]) */ +-static const float kLog2Table[] = { +- 0.0000000000000000f, 0.0000000000000000f, 1.0000000000000000f, +- 1.5849625007211563f, 2.0000000000000000f, 2.3219280948873622f, +- 2.5849625007211561f, 2.8073549220576042f, 3.0000000000000000f, +- 3.1699250014423126f, 3.3219280948873626f, 3.4594316186372978f, +- 3.5849625007211565f, 3.7004397181410922f, 3.8073549220576037f, +- 3.9068905956085187f, 4.0000000000000000f, 4.0874628412503400f, +- 4.1699250014423122f, 4.2479275134435852f, 4.3219280948873626f, +- 4.3923174227787607f, 4.4594316186372973f, 4.5235619560570131f, +- 4.5849625007211570f, 4.6438561897747244f, 4.7004397181410926f, +- 4.7548875021634691f, 4.8073549220576037f, 4.8579809951275728f, +- 4.9068905956085187f, 4.9541963103868758f, 5.0000000000000000f, +- 5.0443941193584534f, 5.0874628412503400f, 5.1292830169449664f, +- 5.1699250014423122f, 5.2094533656289501f, 5.2479275134435852f, +- 5.2854022188622487f, 5.3219280948873626f, 5.3575520046180838f, +- 5.3923174227787607f, 5.4262647547020979f, 5.4594316186372973f, +- 5.4918530963296748f, 5.5235619560570131f, 5.5545888516776376f, +- 5.5849625007211570f, 5.6147098441152083f, 5.6438561897747244f, +- 5.6724253419714961f, 5.7004397181410926f, 5.7279204545631996f, +- 5.7548875021634691f, 5.7813597135246599f, 5.8073549220576046f, +- 5.8328900141647422f, 5.8579809951275719f, 5.8826430493618416f, +- 5.9068905956085187f, 5.9307373375628867f, 5.9541963103868758f, +- 5.9772799234999168f, 6.0000000000000000f, 
6.0223678130284544f, +- 6.0443941193584534f, 6.0660891904577721f, 6.0874628412503400f, +- 6.1085244567781700f, 6.1292830169449672f, 6.1497471195046822f, +- 6.1699250014423122f, 6.1898245588800176f, 6.2094533656289510f, +- 6.2288186904958804f, 6.2479275134435861f, 6.2667865406949019f, +- 6.2854022188622487f, 6.3037807481771031f, 6.3219280948873617f, +- 6.3398500028846252f, 6.3575520046180847f, 6.3750394313469254f, +- 6.3923174227787598f, 6.4093909361377026f, 6.4262647547020979f, +- 6.4429434958487288f, 6.4594316186372982f, 6.4757334309663976f, +- 6.4918530963296748f, 6.5077946401986964f, 6.5235619560570131f, +- 6.5391588111080319f, 6.5545888516776376f, 6.5698556083309478f, +- 6.5849625007211561f, 6.5999128421871278f, 6.6147098441152092f, +- 6.6293566200796095f, 6.6438561897747253f, 6.6582114827517955f, +- 6.6724253419714952f, 6.6865005271832185f, 6.7004397181410917f, +- 6.7142455176661224f, 6.7279204545631988f, 6.7414669864011465f, +- 6.7548875021634691f, 6.7681843247769260f, 6.7813597135246599f, +- 6.7944158663501062f, 6.8073549220576037f, 6.8201789624151887f, +- 6.8328900141647422f, 6.8454900509443757f, 6.8579809951275719f, +- 6.8703647195834048f, 6.8826430493618416f, 6.8948177633079437f, +- 6.9068905956085187f, 6.9188632372745955f, 6.9307373375628867f, +- 6.9425145053392399f, 6.9541963103868758f, 6.9657842846620879f, +- 6.9772799234999168f, 6.9886846867721664f, 7.0000000000000000f, +- 7.0112272554232540f, 7.0223678130284544f, 7.0334230015374501f, +- 7.0443941193584534f, 7.0552824355011898f, 7.0660891904577721f, +- 7.0768155970508317f, 7.0874628412503400f, 7.0980320829605272f, +- 7.1085244567781700f, 7.1189410727235076f, 7.1292830169449664f, +- 7.1395513523987937f, 7.1497471195046822f, 7.1598713367783891f, +- 7.1699250014423130f, 7.1799090900149345f, 7.1898245588800176f, +- 7.1996723448363644f, 7.2094533656289492f, 7.2191685204621621f, +- 7.2288186904958804f, 7.2384047393250794f, 7.2479275134435861f, +- 7.2573878426926521f, 7.2667865406949019f, 
7.2761244052742384f, +- 7.2854022188622487f, 7.2946207488916270f, 7.3037807481771031f, +- 7.3128829552843557f, 7.3219280948873617f, 7.3309168781146177f, +- 7.3398500028846243f, 7.3487281542310781f, 7.3575520046180847f, +- 7.3663222142458151f, 7.3750394313469254f, 7.3837042924740528f, +- 7.3923174227787607f, 7.4008794362821844f, 7.4093909361377026f, +- 7.4178525148858991f, 7.4262647547020979f, 7.4346282276367255f, +- 7.4429434958487288f, 7.4512111118323299f, 7.4594316186372973f, +- 7.4676055500829976f, 7.4757334309663976f, 7.4838157772642564f, +- 7.4918530963296748f, 7.4998458870832057f, 7.5077946401986964f, +- 7.5156998382840436f, 7.5235619560570131f, 7.5313814605163119f, +- 7.5391588111080319f, 7.5468944598876373f, 7.5545888516776376f, +- 7.5622424242210728f, 7.5698556083309478f, 7.5774288280357487f, +- 7.5849625007211561f, 7.5924570372680806f, 7.5999128421871278f, +- 7.6073303137496113f, 7.6147098441152075f, 7.6220518194563764f, +- 7.6293566200796095f, 7.6366246205436488f, 7.6438561897747244f, +- 7.6510516911789290f, 7.6582114827517955f, 7.6653359171851765f, +- 7.6724253419714952f, 7.6794800995054464f, 7.6865005271832185f, +- 7.6934869574993252f, 7.7004397181410926f, 7.7073591320808825f, +- 7.7142455176661224f, 7.7210991887071856f, 7.7279204545631996f, +- 7.7347096202258392f, 7.7414669864011465f, 7.7481928495894596f, +- 7.7548875021634691f, 7.7615512324444795f, 7.7681843247769260f, +- 7.7747870596011737f, 7.7813597135246608f, 7.7879025593914317f, +- 7.7944158663501062f, 7.8008998999203047f, 7.8073549220576037f, +- 7.8137811912170374f, 7.8201789624151887f, 7.8265484872909159f, +- 7.8328900141647422f, 7.8392037880969445f, 7.8454900509443757f, +- 7.8517490414160571f, 7.8579809951275719f, 7.8641861446542798f, +- 7.8703647195834048f, 7.8765169465650002f, 7.8826430493618425f, +- 7.8887432488982601f, 7.8948177633079446f, 7.9008668079807496f, +- 7.9068905956085187f, 7.9128893362299619f, 7.9188632372745955f, +- 7.9248125036057813f, 7.9307373375628867f, 
7.9366379390025719f, +- 7.9425145053392399f, 7.9483672315846778f, 7.9541963103868758f, +- 7.9600019320680806f, 7.9657842846620870f, 7.9715435539507720f, +- 7.9772799234999168f, 7.9829935746943104f, 7.9886846867721664f, +- 7.9943534368588578f +-}; ++/* A lookup table for small values of log2(int) to be used in entropy ++ computation. */ ++BROTLI_INTERNAL extern const double kBrotliLog2Table[BROTLI_LOG2_TABLE_SIZE]; + + #define LOG_2_INV 1.4426950408889634 + + /* Faster logarithm for small integers, with the property of log2(0) == 0. */ + static BROTLI_INLINE double FastLog2(size_t v) { +- if (v < sizeof(kLog2Table) / sizeof(kLog2Table[0])) { +- return kLog2Table[v]; ++ if (v < BROTLI_LOG2_TABLE_SIZE) { ++ return kBrotliLog2Table[v]; + } + #if (defined(_MSC_VER) && _MSC_VER <= 1700) || \ + (defined(__ANDROID_API__) && __ANDROID_API__ < 18) +diff --git a/research/brotli_decoder.c b/research/brotli_decoder.c +index b1d556d..4b0bc4a 100644 +--- a/research/brotli_decoder.c ++++ b/research/brotli_decoder.c +@@ -38,6 +38,7 @@ void cleanup(Context* ctx) { + + void fail(Context* ctx, const char* message) { + fprintf(stderr, "%s\n", message); ++ cleanup(ctx); + exit(1); + } + +diff --git a/research/draw_histogram.cc b/research/draw_histogram.cc +index b0192a2..6ea4069 100644 +--- a/research/draw_histogram.cc ++++ b/research/draw_histogram.cc +@@ -178,20 +178,23 @@ int main(int argc, char* argv[]) { + FILE* fin = fopen(argv[1], "r"); + FILE* fout = fopen(argv[2], "wb"); + +- uint8_t** pixel = new uint8_t*[height]; +- int** histo = new int*[height]; +- for (int i = 0; i < height; i++) { +- pixel[i] = new uint8_t[width]; +- histo[i] = new int[width]; +- } ++ if (fin != nullptr && fout != nullptr) { ++ uint8_t** pixel = new uint8_t*[height]; ++ int** histo = new int*[height]; ++ for (int i = 0; i < height; i++) { ++ pixel[i] = new uint8_t[width]; ++ histo[i] = new int[width]; ++ } + +- BuildHistogram(fin, histo); +- fclose(fin); ++ BuildHistogram(fin, histo); + +- 
ConvertToPixels(histo, pixel); ++ ConvertToPixels(histo, pixel); ++ ++ DrawPixels(pixel, fout); ++ } + +- DrawPixels(pixel, fout); +- fclose(fout); ++ if (fin) fclose(fin); ++ if (fout) fclose(fout); + + return 0; + } +diff --git a/scripts/.bintray.json b/scripts/.bintray.json +index ef2ea9d..17f99ed 100644 +--- a/scripts/.bintray.json ++++ b/scripts/.bintray.json +@@ -5,7 +5,7 @@ + "subject": "eustas" + }, + +- "version": {"name": "snapshot"}, ++ "version": {"name": "latest"}, + + "files": [ + { +diff --git a/scripts/sources.lst b/scripts/sources.lst +index 5e8e817..19a6d00 100644 +--- a/scripts/sources.lst ++++ b/scripts/sources.lst +@@ -5,7 +5,10 @@ BROTLI_CLI_C = \ + c/tools/brotli.c + + BROTLI_COMMON_C = \ ++ c/common/constants.c \ ++ c/common/context.c \ + c/common/dictionary.c \ ++ c/common/platform.c \ + c/common/transform.c + + BROTLI_COMMON_H = \ +@@ -35,12 +38,14 @@ BROTLI_ENC_C = \ + c/enc/block_splitter.c \ + c/enc/brotli_bit_stream.c \ + c/enc/cluster.c \ ++ c/enc/command.c \ + c/enc/compress_fragment.c \ + c/enc/compress_fragment_two_pass.c \ + c/enc/dictionary_hash.c \ + c/enc/encode.c \ + c/enc/encoder_dict.c \ + c/enc/entropy_encode.c \ ++ c/enc/fast_log.c \ + c/enc/histogram.c \ + c/enc/literal_cost.c \ + c/enc/memory.c \ +diff --git a/setup.py b/setup.py +index 1491db3..62b1b9c 100644 +--- a/setup.py ++++ b/setup.py +@@ -181,7 +181,10 @@ EXT_MODULES = [ + '_brotli', + sources=[ + 'python/_brotli.cc', ++ 'c/common/constants.c', ++ 'c/common/context.c', + 'c/common/dictionary.c', ++ 'c/common/platform.c', + 'c/common/transform.c', + 'c/dec/bit_reader.c', + 'c/dec/decode.c', +@@ -193,12 +196,14 @@ EXT_MODULES = [ + 'c/enc/block_splitter.c', + 'c/enc/brotli_bit_stream.c', + 'c/enc/cluster.c', ++ 'c/enc/command.c', + 'c/enc/compress_fragment.c', + 'c/enc/compress_fragment_two_pass.c', + 'c/enc/dictionary_hash.c', + 'c/enc/encode.c', + 'c/enc/encoder_dict.c', + 'c/enc/entropy_encode.c', ++ 'c/enc/fast_log.c', + 'c/enc/histogram.c', + 
'c/enc/literal_cost.c', + 'c/enc/memory.c', +-- +2.25.1 + diff --git a/SPECS/brotli/brotli.spec b/SPECS/brotli/brotli.spec index c0bfc04209b..da7e8f1c6d6 100644 --- a/SPECS/brotli/brotli.spec +++ b/SPECS/brotli/brotli.spec @@ -1,20 +1,17 @@ %define python3_sitearch %(python3 -c "from distutils.sysconfig import get_python_lib; import sys; sys.stdout.write(get_python_lib(1))") %define python3_version 3.7 %define python3_version_nodots 37 - +Summary: Lossless compression algorithm Name: brotli Version: 1.0.7 -Release: 8%{?dist} -Summary: Lossless compression algorithm -Group: Applications/File - +Release: 9%{?dist} License: MIT -URL: https://github.com/google/brotli -Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz -%define sha1 %{name}-%{version}=ee64a380152aa20fbc1098fe3799104884c570c1 - Vendor: Microsoft Corporation Distribution: Mariner +Group: Applications/File +URL: https://github.com/google/brotli +Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz +Patch0: CVE-2020-8927.patch BuildRequires: cmake BuildRequires: python3-devel BuildRequires: python3-setuptools @@ -30,8 +27,8 @@ to the best currently available general-purpose compression methods. It is similar in speed with deflate but offers more dense compression. %package -n python3-%{name} -Summary: Lossless compression algorithm (python 3) %{?python_provide:%python_provide python3-%{name}} +Summary: Lossless compression algorithm (python 3) %description -n python3-%{name} Brotli is a generic-purpose lossless compression algorithm that compresses 
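Review bot: The first brotli.spec hunk deletes the `%define sha1 %{name}-%{version}=ee64a3…` pin on Source0, and nothing visible in this commit shows what verifies the tarball afterwards. For clamav, this same commit pins the tarball through a SHA-256 entry in `clamav.signatures.json`, but no equivalent file for brotli appears in the diff. If such an entry already exists, the changelog line could say so, for example `- Remove sha1 hash (source is pinned by the signatures file)`. If it does not exist, the GitHub archive URL in Source0 is fetched without any digest check, and a SHA-256 entry should be added before this merges.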
@@ -41,10 +38,9 @@ to the best currently available general-purpose compression methods. It is similar in speed with deflate but offers more dense compression. This package installs a Python 3 module. - %package devel Summary: Lossless compression algorithm (development files) -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{version}-%{release} %description devel Brotli is a generic-purpose lossless compression algorithm that compresses @@ -55,7 +51,8 @@ It is similar in speed with deflate but offers more dense compression. This package installs the development files %prep -%setup +%autosetup -p1 + # fix permissions for -debuginfo # rpmlint will complain if I create an extra %%files section for # -debuginfo for this so we'll put it here instead @@ -96,7 +93,6 @@ done %post -p /sbin/ldconfig %postun -p /sbin/ldconfig - %check cd build ctest -V @@ -131,8 +127,12 @@ python3 setup.py test %{_mandir}/man3/encode.h.3brotli* %{_mandir}/man3/types.h.3brotli* - %changelog +* Fri Oct 30 2020 Thomas Crain - 1.0.7-9 +- Patch CVE-2020-8927 +- Remove sha1 hash +- Lint to Mariner style + * Tue Oct 20 2020 Andrew Phelps 1.0.7-8 - Fix check test diff --git a/SPECS/cairo/CVE-2018-19876.patch b/SPECS/cairo/CVE-2018-19876.patch new file mode 100644 index 00000000000..5aeda204272 --- /dev/null +++ b/SPECS/cairo/CVE-2018-19876.patch @@ -0,0 +1,14 @@ +--- a/src/cairo-ft-font.c ++++ b/src/cairo-ft-font.c +@@ -2393,7 +2393,11 @@ + done: + free (coords); + free (current_coords); ++#if HAVE_FT_DONE_MM_VAR ++ FT_Done_MM_Var (face->glyph->library, ft_mm_var); ++#else + free (ft_mm_var); ++#endif + } + } + diff --git a/SPECS/cairo/cairo.spec b/SPECS/cairo/cairo.spec index ff2ab538e3e..a406b24dbb4 100644 --- a/SPECS/cairo/cairo.spec +++ b/SPECS/cairo/cairo.spec 
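Review bot: The new `#if HAVE_FT_DONE_MM_VAR` guard in CVE-2018-19876.patch depends on a macro that nothing in this patch defines, so the build may still compile the old `free (ft_mm_var);` branch. The patch touches only `src/cairo-ft-font.c`, and the cairo.spec `%build` context shows a plain `./configure`, so the configure script is presumably not regenerated. An undefined macro evaluates to 0 in `#if`, which would leave the CVE unfixed while the changelog records it as fixed. Either extend the patch with the configure-time check for `FT_Done_MM_Var` and regenerate configure in `%build`, or define the macro explicitly in the spec once the packaged FreeType is confirmed to provide that function. A post-build check that the library references `FT_Done_MM_Var` would confirm which branch was compiled.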
@@ -1,13 +1,14 @@ Summary: A 2D graphics library. Name: cairo Version: 1.16.0 -Release: 4%{?dist} +Release: 5%{?dist} License: LGPLv2 or MPLv1.1 URL: http://cairographics.org Group: System Environment/Libraries Vendor: Microsoft Corporation Distribution: Mariner Source0: http://cairographics.org/releases/%{name}-%{version}.tar.xz +Patch0: CVE-2018-19876.patch BuildRequires: pkg-config BuildRequires: libpng-devel BuildRequires: libxml2-devel @@ -33,7 +34,7 @@ Requires: pixman-devel It contains the libraries and header files to create applications %prep -%setup -q +%autosetup -p1 %build ./configure \ @@ -72,9 +73,10 @@ find %{buildroot} -name '*.la' -delete %{_libdir}/pkgconfig/*.pc %changelog -* Sat May 09 00:21:39 PST 2020 Nick Samson - 1.16.0-4 -- Added %%license line automatically - +* Mon Oct 26 2020 Nicolas Ontiveros 1.16.0-5 +- Fix CVE-2018-19876 +* Sat May 09 2020 Nick Samson 1.16.0-4 +- Added %%license line automatically * Mon Apr 20 2020 Nicolas Ontiveros 1.16.0-3 - Rename freetype2-devel to freetype-devel. - Remove sha1 macro. diff --git a/SPECS/clamav/clamav.signatures.json b/SPECS/clamav/clamav.signatures.json index 1e5420d890d..63fbbd12831 100644 --- a/SPECS/clamav/clamav.signatures.json +++ b/SPECS/clamav/clamav.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "clamav-0.101.2.tar.gz": "0a12ebdf6ff7a74c0bde2bdc2b55cae33449e6dd953ec90824a9e01291277634" + "clamav-0.103.0.tar.gz": "32a9745277bfdda80e77ac9ca2f5990897418e9416880f3c31553ca673e80546" } } \ No newline at end of file diff --git a/SPECS/clamav/clamav.spec b/SPECS/clamav/clamav.spec index 6ba7e9f22ff..f393317db4b 100644 --- a/SPECS/clamav/clamav.spec +++ b/SPECS/clamav/clamav.spec @@ -3,8 +3,8 @@ Summary: Open source antivirus engine Name: clamav -Version: 0.101.2 -Release: 3%{?dist} +Version: 0.103.0 +Release: 1%{?dist} License: ASL 2.0 and BSD and bzip2-1.0.4 and GPLv2 and LGPLv2+ and MIT and Public Domain and UnRar Group: System Environment/Security Vendor: Microsoft Corporation 
@@ -66,6 +66,8 @@ make %{?_smp_mflags} check %changelog +* Tue Oct 27 2020 Pawel Winogrodzki 0.103.0-1 +- Updating to 0.103.0 to fix: CVE-2019-12625, CVE-2019-15961. * Mon Oct 19 2020 Pawel Winogrodzki 0.101.2-3 - License verified. - Added %%license macro. diff --git a/SPECS/cloud-init/CVE-2020-8631.patch b/SPECS/cloud-init/CVE-2020-8631.patch new file mode 100644 index 00000000000..150d8e166d3 --- /dev/null +++ b/SPECS/cloud-init/CVE-2020-8631.patch @@ -0,0 +1,29 @@ +From 9e9a317f48e2b84949607c9e2cb74af53868f701 Mon Sep 17 00:00:00 2001 +From: Dimitri John Ledkov +Date: Wed, 5 Feb 2020 00:33:05 +0000 +Subject: [PATCH] utils: use SystemRandom when generating random password. + +As noticed by Seth Arnold, non-deterministic SystemRandom should be +used when creating security sensitive random strings. + +LP: #1860795 +--- + cloudinit/util.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/cloudinit/util.py b/cloudinit/util.py +index d99e82fa5..c02b3d9a5 100644 +--- a/cloudinit/util.py ++++ b/cloudinit/util.py +@@ -397,9 +397,10 @@ def translate_bool(val, addons=None): + + + def rand_str(strlen=32, select_from=None): ++ r = random.SystemRandom() + if not select_from: + select_from = string.ascii_letters + string.digits +- return "".join([random.choice(select_from) for _x in range(0, strlen)]) ++ return "".join([r.choice(select_from) for _x in range(0, strlen)]) + + + def rand_dict_key(dictionary, postfix=None): diff --git a/SPECS/cloud-init/CVE-2020-8632.patch b/SPECS/cloud-init/CVE-2020-8632.patch new file mode 100644 index 00000000000..483b4b6e556 --- /dev/null +++ b/SPECS/cloud-init/CVE-2020-8632.patch @@ -0,0 +1,11 @@ +--- a/cloudinit/config/cc_set_passwords.py ++++ b/cloudinit/config/cc_set_passwords.py +@@ -220,7 +220,7 @@ + raise errors[-1] + + +-def rand_user_password(pwlen=9): ++def rand_user_password(pwlen=20): + return util.rand_str(pwlen, select_from=PW_SET) + + # vi: ts=4 expandtab 
diff --git a/SPECS/cloud-init/cloud-init.spec b/SPECS/cloud-init/cloud-init.spec index 9cd09bd9bb3..9cf224245d1 100644 --- a/SPECS/cloud-init/cloud-init.spec +++ b/SPECS/cloud-init/cloud-init.spec @@ -2,7 +2,7 @@ Name: cloud-init Version: 19.1 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Cloud instance init scripts Group: System Environment/Base License: GPLv3 @@ -14,14 +14,16 @@ Source1: cloud-mariner.cfg Source2: 99-disable-networking-config.cfg Patch0: mariner-distro.patch -Patch2: vca-admin-pwd.patch -Patch3: mariner-hosts-template.patch -Patch5: datasource-guestinfo.patch -Patch6: systemd-service-changes.patch -Patch7: makecheck.patch -Patch8: systemd-resolved-config.patch -Patch9: cloud-init-azureds.patch -Patch10: ds-identity.patch +Patch1: vca-admin-pwd.patch +Patch2: mariner-hosts-template.patch +Patch3: datasource-guestinfo.patch +Patch4: systemd-service-changes.patch +Patch5: makecheck.patch +Patch6: systemd-resolved-config.patch +Patch7: cloud-init-azureds.patch +Patch8: ds-identity.patch +Patch9: CVE-2020-8631.patch +Patch10: CVE-2020-8632.patch BuildRequires: python3 BuildRequires: python3-libs @@ -68,16 +70,7 @@ ssh keys and to let the user run various scripts. %prep -%setup -q -n %{name}-%{version} -%patch0 -p1 -%patch2 -p1 -%patch3 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 +%autosetup -p1 -n %{name}-%{version} find systemd -name "cloud*.service*" | xargs sed -i s/StandardOutput=journal+console/StandardOutput=journal/g @@ -146,6 +139,10 @@ rm -rf $RPM_BUILD_ROOT %dir /var/lib/cloud %changelog +* Mon Oct 26 2020 Nicolas Ontiveros 19.1-5 +- Use autosetup +- Fix CVE-2020-8631 +- Fix CVE-2020-8632 * Mon Apr 13 2020 Emre Girgin 19.1-4 - Rename iproute2 to iproute. - License verified. diff --git a/SPECS/coreutils/CVE-2013-0221.nopatch b/SPECS/coreutils/CVE-2013-0221.nopatch new file mode 100644 index 00000000000..e69de29bb2d 
diff --git a/SPECS/coreutils/CVE-2013-0222.nopatch b/SPECS/coreutils/CVE-2013-0222.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/coreutils/CVE-2013-0223.nopatch b/SPECS/coreutils/CVE-2013-0223.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/coreutils/CVE-2016-2781.nopatch b/SPECS/coreutils/CVE-2016-2781.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/coreutils/coreutils.spec b/SPECS/coreutils/coreutils.spec index 944500f2352..62a35aba246 100644 --- a/SPECS/coreutils/coreutils.spec +++ b/SPECS/coreutils/coreutils.spec 
@@ -1,35 +1,44 @@ Summary: Basic system utilities Name: coreutils Version: 8.30 -Release: 5%{?dist} +Release: 7%{?dist} License: GPLv3 -URL: http://www.gnu.org/software/coreutils -Group: System Environment/Base Vendor: Microsoft Corporation Distribution: Mariner -Source0: http://ftp.gnu.org/gnu/coreutils/%{name}-%{version}.tar.xz +Group: System Environment/Base +URL: https://www.gnu.org/software/coreutils +Source0: https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz # make this package to own serial console profile since it utilizes stty tool Source1: serial-console.sh -Patch0: http://www.linuxfromscratch.org/patches/downloads/coreutils/coreutils-8.30-i18n-1.patch -Patch1: http://www.linuxfromscratch.org/patches/downloads/coreutils/coreutils-8.10-uname-1.patch +# The following two patches are sourced from RedHat via Photon +Patch0: coreutils-8.30-i18n-1.patch +Patch1: coreutils-8.10-uname-1.patch +# Upstream community agreed to not fix this +Patch2: CVE-2016-2781.nopatch +# CVE-2013-0221 is fixed in coreutils-8.30-i18n-1.patch +Patch3: CVE-2013-0221.nopatch +# CVE-2013-0222 is fixed in coreutils-8.30-i18n-1.patch +Patch4: CVE-2013-0222.nopatch +# CVE-2013-0223 is fixed in coreutils-8.30-i18n-1.patch +Patch5: CVE-2013-0223.nopatch Requires: gmp -Provides: sh-utils Conflicts: toybox +Provides: sh-utils + %description The Coreutils package contains utilities for showing and setting the basic system %package lang -Summary: Additional language files for coreutils -Group: System Environment/Base -Requires: coreutils >= %{version} +Summary: Additional language files for coreutils +Group: System Environment/Base +Requires: coreutils >= %{version} + %description lang These are the additional language files of coreutils. %prep -%setup -q -%patch0 -p1 -%patch1 -p1 +%autosetup -p1 %build autoreconf -fi 
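Review bot: The comments on Patch3 to Patch5 mark CVE-2013-0221, CVE-2013-0222 and CVE-2013-0223 as "fixed in coreutils-8.30-i18n-1.patch", but the hunk records no evidence for that claim. The same hunk replaces the download URLs of Patch0 and Patch1 with bare file names, so the i18n patch can no longer be compared against a published copy. As far as I know, these CVEs were reported against a distribution i18n patch rather than upstream coreutils, so the `.nopatch` markers rest entirely on the content of that local file. I would keep a provenance comment above Patch0, such as `# Origin: <URL_OF_I18N_PATCH>, checked for the CVE-2013-0221/0222/0223 fixes`. The wording should also be reconciled: the new comment says "sourced from RedHat via Photon", while the removed URLs pointed at linuxfromscratch.org.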
@@ -52,8 +61,8 @@ mv -v %{buildroot}%{_mandir}/man1/chroot.1 %{buildroot}%{_mandir}/man8/chroot.8 sed -i s/\"1\"/\"8\"/1 %{buildroot}%{_mandir}/man8/chroot.8 mv -v %{buildroot}%{_bindir}/{head,sleep,nice} %{buildroot}/bin rm -rf %{buildroot}%{_infodir} -install -vdm755 %{buildroot}/etc/profile.d -install -m 0644 %{SOURCE1} %{buildroot}/etc/profile.d/ +install -vdm755 %{buildroot}%{_sysconfdir}/profile.d +install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/profile.d/ %find_lang %{name} %check @@ -84,29 +93,50 @@ sudo -u nobody -s /bin/bash -c "PATH=$PATH make -k check" %defattr(-,root,root) %changelog +* Tue Nov 10 2020 Thomas Crain - 8.30-7 +- Nopatch CVE-2013-0222, CVE-2013-0223 +- Remove references to Linux From Scratch +- Change Source0 to HTTPS url + +* Thu Oct 29 2020 Nicolas Ontiveros - 8.30-6 +- No patch CVE-2016-2781 +- No patch CVE-2013-0221 + * Mon Jun 15 2020 Andrew Phelps 8.30-5 - Add patch for uname processor type + * Sat May 09 2020 Nick Samson 8.30-4 - Added %%license line automatically + * Tue Dec 03 2019 Andrew Phelps 8.30-3 - Run autoconf to remake build system files + * Tue Sep 03 2019 Mateusz Malisz 8.30-2 - Initial CBL-Mariner import from Photon (license: Apache2). + * Fri Sep 07 2018 Alexey Makhalov 8.30-1 - Version update to support glibc-2.28 + * Tue Aug 28 2018 Alexey Makhalov 8.27-4 - Add serial-console profile.d script + * Mon Oct 02 2017 Alexey Makhalov 8.27-3 - Added conflicts toybox + * Wed Aug 09 2017 Rongrong Qiu 8.27-2 - Fix make check for bug 1900253 + * Thu Apr 06 2017 Anish Swaminathan 8.27-1 - Upgraded to version 8.27 + * Tue May 24 2016 Priyesh Padmavilasom 8.25-2 - GA - Bump release of all rpms + * Tue May 17 2016 Divya Thaluru 8.25-1 - Updated to version 8.25 + * Tue Jan 12 2016 Xiaolin Li 8.24-1 - Updated to version 8.24 + * Wed Nov 5 2014 Divya Thaluru 8.22-1 - Initial build. First version diff --git a/SPECS/cpprest/cpprest.spec b/SPECS/cpprest/cpprest.spec index e89f3a98e42..500c16939a9 100644 
--- a/SPECS/cpprest/cpprest.spec +++ b/SPECS/cpprest/cpprest.spec @@ -3,7 +3,7 @@ Name: cpprest Version: 2.10.14 -Release: 4%{?dist} +Release: 5%{?dist} Summary: C++ REST library Group: Applications/File License: MIT @@ -73,7 +73,9 @@ cd Release/build.release cd Release/build.release/Binaries ./test_runner *_test.so ||: -%ldconfig_scriptlets +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig %files %doc CONTRIBUTORS.txt @@ -89,6 +91,9 @@ cd Release/build.release/Binaries %changelog +* Sat Nov 21 2020 Thomas Crain - 2.10.14-5 +- Replace %%ldconfig_scriptlets with actual post/postun sections + * Tue Mar 31 2020 Paul Monson 2.10.14-4 - Fix Source0 URL. License verified. diff --git a/SPECS/dbus/CVE-2019-12749.patch b/SPECS/dbus/CVE-2019-12749.patch new file mode 100644 index 00000000000..213966c67c7 --- /dev/null +++ b/SPECS/dbus/CVE-2019-12749.patch 
@@ -0,0 +1,116 @@ +From 2a11ab9bbd21066b1508c8673821ba5c6d627321 Mon Sep 17 00:00:00 2001 +From: Simon McVittie +Date: Thu, 30 May 2019 12:53:03 +0100 +Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server + owner + +The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership +of a shared home directory by having the server write a secret "cookie" +into a .dbus-keyrings subdirectory of the desired identity's home +directory with 0700 permissions, and having the client prove that it can +read the cookie. This never actually worked for non-malicious clients in +the case where server uid != client uid (unless the server and client +both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional +Unix uid 0) because an unprivileged server would fail to write out the +cookie, and an unprivileged client would be unable to read the resulting +file owned by the server. + +Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings +is owned by the uid of the server (a side-effect of a check added to +harden our use of XDG_RUNTIME_DIR), further ruling out successful use +by a non-malicious client with a uid differing from the server's. + +Joe Vennix of Apple Information Security discovered that the +implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link +attack: a malicious client with write access to its own home directory +could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to +read and write in unintended locations. In the worst case this could +result in the DBusServer reusing a cookie that is known to the +malicious client, and treating that cookie as evidence that a subsequent +client connection came from an attacker-chosen uid, allowing +authentication bypass. 
+ +This is mitigated by the fact that by default, the well-known system +dbus-daemon (since 2003) and the well-known session dbus-daemon (in +stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL +authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1 +at an early stage, before manipulating cookies. As a result, this +vulnerability only applies to: + +* system or session dbus-daemons with non-standard configuration +* third-party dbus-daemon invocations such as at-spi2-core (although + in practice at-spi2-core also only accepts EXTERNAL by default) +* third-party uses of DBusServer such as the one in Upstart + +Avoiding symlink attacks in a portable way is difficult, because APIs +like openat() and Linux /proc/self/fd are not universally available. +However, because DBUS_COOKIE_SHA1 already doesn't work in practice for +a non-matching uid, we can solve this vulnerability in an easier way +without regressions, by rejecting it early (before looking at +~/.dbus-keyrings) whenever the requested identity doesn't match the +identity of the process hosting the DBusServer. 
+ +Signed-off-by: Simon McVittie +Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269 +Closes: CVE-2019-12749 +--- + dbus/dbus-auth.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c +index 1c5d54587..9e8b2bc09 100644 +--- a/dbus/dbus-auth.c ++++ b/dbus/dbus-auth.c +@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusAuth *auth, + DBusString tmp2; + dbus_bool_t retval = FALSE; + DBusError error = DBUS_ERROR_INIT; ++ DBusCredentials *myself = NULL; + + _dbus_string_set_length (&auth->challenge, 0); + +@@ -574,6 +575,34 @@ sha1_handle_first_client_response (DBusAuth *auth, + return FALSE; + } + ++ myself = _dbus_credentials_new_from_current_process (); ++ ++ if (myself == NULL) ++ goto out; ++ ++ if (!_dbus_credentials_same_user (myself, auth->desired_identity)) ++ { ++ /* ++ * DBUS_COOKIE_SHA1 is not suitable for authenticating that the ++ * client is anyone other than the user owning the process ++ * containing the DBusServer: we probably aren't allowed to write ++ * to other users' home directories. Even if we can (for example ++ * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we ++ * must not, because the other user controls their home directory, ++ * and could carry out symlink attacks to make us read from or ++ * write to unintended locations. It's difficult to avoid symlink ++ * attacks in a portable way, so we just don't try. This isn't a ++ * regression, because DBUS_COOKIE_SHA1 never worked for other ++ * users anyway. ++ */ ++ _dbus_verbose ("%s: client tried to authenticate as \"%s\", " ++ "but that doesn't match this process", ++ DBUS_AUTH_NAME (auth), ++ _dbus_string_get_const_data (data)); ++ retval = send_rejected (auth); ++ goto out; ++ } ++ + /* we cache the keyring for speed, so here we drop it if it's the + * wrong one. FIXME caching the keyring here is useless since we use + * a different DBusAuth for every connection. 
+@@ -687,6 +716,7 @@ sha1_handle_first_client_response (DBusAuth *auth, + _dbus_string_free (&tmp); + _dbus_string_zero (&tmp2); + _dbus_string_free (&tmp2); ++ _dbus_clear_credentials (&myself); + + return retval; + } +-- +GitLab diff --git a/SPECS/dbus/dbus.spec b/SPECS/dbus/dbus.spec index ee8b9147e9f..7858fadd11e 100644 --- a/SPECS/dbus/dbus.spec +++ b/SPECS/dbus/dbus.spec 
@@ -1,41 +1,45 @@ +%{!?_versioneddocdir: %global _versioneddocdir %{_docdir}/%{name}-%{version}} Summary: DBus for systemd Name: dbus Version: 1.13.6 -Release: 3%{?dist} -License: GPLv2+ or AFL -URL: http://www.freedesktop.org/wiki/Software/dbus -Group: Applications/File -Source0: http://dbus.freedesktop.org/releases/dbus/%{name}-%{version}.tar.gz -%define sha1 dbus=368c14e3dde9524dd9d0775227ebf3932802c023 +Release: 4%{?dist} +License: GPLv2+ OR AFL Vendor: Microsoft Corporation Distribution: Mariner +Group: Applications/File +URL: https://www.freedesktop.org/wiki/Software/dbus +Source0: https://%{name}.freedesktop.org/releases/%{name}/%{name}-%{version}.tar.gz +Patch0: CVE-2019-12749.patch BuildRequires: expat-devel BuildRequires: systemd-devel BuildRequires: xz-devel Requires: expat Requires: systemd Requires: xz + %description The dbus package contains dbus. -%package devel -Summary: Header and development files -Requires: %{name} = %{version} -Requires: expat-devel +%package devel +Summary: Header and development files +Requires: %{name} = %{version} +Requires: expat-devel + %description devel It contains the libraries and header files to create applications %prep -%setup -q +%autosetup -p1 + %build -./configure --prefix=%{_prefix} \ - --sysconfdir=%{_sysconfdir} \ - --localstatedir=%{_var} \ - --docdir=%{_datadir}/doc/dbus-1.11.12 \ - --enable-libaudit=no --enable-selinux=no \ - --with-console-auth-dir=/run/console +%configure \ + --docdir=%{_versioneddocdir} \ + --enable-libaudit=no \ + --enable-selinux=no \ + --with-console-auth-dir=/run/console make %{?_smp_mflags} + %install make DESTDIR=%{buildroot} install install -vdm755 %{buildroot}%{_lib} @@ -59,9 +63,9 @@ make %{?_smp_mflags} check %{_docdir}/* %{_datadir}/dbus-1 -#%{_sharedstatedir}/* +#%%{_sharedstatedir}/* -%files devel +%files devel %defattr(-,root,root) %{_includedir}/* %{_datadir}/xml/dbus-1 
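Review bot: The first hunk removes `%define sha1 dbus=368c14e3dde9524dd9d0775227ebf3932802c023` while also rewriting `Source0`, and the visible diff contains no dbus.signatures.json change, so please confirm the tarball digest is still pinned somewhere the build enforces. `Patch0: CVE-2019-12749.patch` also has no origin comment. The patch header names upstream commit 2a11ab9bbd21066b1508c8673821ba5c6d627321, so a line such as `# CVE-2019-12749 patch taken from upstream commit 2a11ab9bbd21066b1508c8673821ba5c6d627321` would match the comment this diff adds for glibc's CVE-2019-19126 patch.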
@@ -74,28 +78,41 @@ make %{?_smp_mflags} check %{_libdir}/*.so %changelog -* Sat May 09 00:21:00 PST 2020 Nick Samson - 1.13.6-3 +* Thu Oct 22 2020 Thomas Crain - 1.13.6-4 +- Patch CVE-2019-12749 + +* Sat May 09 2020 Nick Samson - 1.13.6-3 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.13.6-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Sep 10 2018 Ajay Kaher 1.13.6-1 -- Update to 1.13.6 -* Fri Apr 21 2017 Bo Gan 1.11.12-1 -- Update to 1.11.12 -* Tue Dec 20 2016 Xiaolin Li 1.8.8-8 -- Move all header files to devel subpackage. -* Fri Nov 18 2016 Anish Swaminathan 1.8.8-7 -- Change systemd dependency -* Wed Oct 05 2016 ChangLee 1.8.8-6 -- Modified %check -* Tue May 24 2016 Priyesh Padmavilasom 1.8.8-5 -- GA - Bump release of all rpms -* Tue Sep 22 2015 Harish Udaiya Kumar 1.8.8-4 -- Created devel sub-package -* Thu Jun 25 2015 Sharath George 1.8.8-3 -- Remove debug files. -* Mon May 18 2015 Touseef Liaqat 1.8.8-2 -- Update according to UsrMove. -* Sun Apr 06 2014 Sharath George 1.8.8 -- Initial build. First version +* Tue Sep 03 2019 Mateusz Malisz - 1.13.6-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Mon Sep 10 2018 Ajay Kaher - 1.13.6-1 +- Update to 1.13.6 + +* Fri Apr 21 2017 Bo Gan - 1.11.12-1 +- Update to 1.11.12 + +* Tue Dec 20 2016 Xiaolin Li - 1.8.8-8 +- Move all header files to devel subpackage. + +* Fri Nov 18 2016 Anish Swaminathan 1.8.8-7 +- Change systemd dependency + +* Wed Oct 05 2016 ChangLee - 1.8.8-6 +- Modified %check + +* Tue May 24 2016 Priyesh Padmavilasom - 1.8.8-5 +- GA - Bump release of all rpms + +* Tue Sep 22 2015 Harish Udaiya Kumar - 1.8.8-4 +- Created devel sub-package + +* Thu Jun 25 2015 Sharath George - 1.8.8-3 +- Remove debug files. + +* Mon May 18 2015 Touseef Liaqat - 1.8.8-2 +- Update according to UsrMove. + +* Sun Apr 06 2014 Sharath George - 1.8.8 +- Initial build. First version 
diff --git a/SPECS/dotnet-runtime-3.1/dotnet-runtime-3.1.spec b/SPECS/dotnet-runtime-3.1/dotnet-runtime-3.1.spec
index 9984504b4de..aecd4117aea 100644
--- a/SPECS/dotnet-runtime-3.1/dotnet-runtime-3.1.spec
+++ b/SPECS/dotnet-runtime-3.1/dotnet-runtime-3.1.spec
@@ -1,96 +1,80 @@ Summary: Microsoft .NET Core Runtime Name: dotnet-runtime-3.1 Version: 3.1.5 -Release: 1%{?dist} +Release: 2%{?dist} +License: MIT Vendor: Microsoft Corporation Distribution: Mariner -License: MIT -Url: https://github.com/dotnet/core Group: Development/Tools -ExclusiveArch: x86_64 +URL: https://github.com/dotnet/core Source0: https://download.visualstudio.microsoft.com/download/pr/d00eaeea-6d7b-4e73-9d96-c0234ed3b665/0d25d9d1aeaebdeef01d15370d5cd22b/dotnet-runtime-3.1.5-linux-x64.tar.gz - +Requires: glibc Requires: icu -Requires: libunwind Requires: krb5 +Requires: libgcc +Requires: libstdc++ +Requires: libunwind Requires: lttng-ust Requires: openssl Requires: zlib -Requires: glibc -Requires: libgcc -Requires: libstdc++ +ExclusiveArch: x86_64 %description .NET Core is a development platform that you can use to build command-line applications, microservices and modern websites. %prep -%setup -qc dotnet-runtime-%{version} +%setup -qc -T -a 0 dotnet-runtime-%{version} %build %install mkdir -p %{buildroot}%{_libdir}/dotnet -mkdir -p %{buildroot}%{_docdir}/dotnet-runtime-%{version} -cp LICENSE.txt ThirdPartyNotices.txt %{buildroot}%{_docdir}/dotnet-runtime-%{version} -rm LICENSE.txt ThirdPartyNotices.txt + cp -r * %{buildroot}%{_libdir}/dotnet mkdir -p %{buildroot}%{_bindir} ln -sf %{_libdir}/dotnet/dotnet %{buildroot}%{_bindir}/dotnet -# Pre-install -%pre - - # First argument is 1 => New Installation - # First argument is 2 => Upgrade - -# Post-install -%post - - # First argument is 1 => New Installation - # First argument is 2 => Upgrade - - /sbin/ldconfig - -# Pre-uninstall -%preun - - # First argument is 0 => Uninstall - # First argument is 1 => Upgrade - -# Post-uninstall -%postun - - /sbin/ldconfig - - # First argument is 0 => Uninstall - # First argument is 1 => Upgrade +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig %files -%license %{_docdir}/dotnet-runtime-%{version}/LICENSE.txt +%license LICENSE.txt ThirdPartyNotices.txt 
%defattr(-,root,root,0755) +%exclude %{_libdir}/dotnet/LICENSE.txt +%exclude %{_libdir}/dotnet/ThirdPartyNotices.txt %exclude %{_libdir}/debug -%{_docdir}/* %{_bindir}/dotnet %{_libdir}/* %changelog +* Thu Nov 12 2020 Henry Beberman - 3.1.5-2 +- Fix scriptlets and move licenses to the correct folder + * Fri Jun 19 2020 Andrew Phelps 3.1.5-1 - Update version to 3.1.5. Fix runtime requirements. + * Sat May 09 2020 Nick Samson 3.1.3-4 - Added %%license line automatically + * Tue May 05 2020 Emre Girgin 3.1.3-3 - Renaming dotnet-runtime to dotnet-runtime-3.1 + * Mon May 04 2020 Emre Girgin 3.1.3-2 - Replace BuildArch with ExclusiveArch + * Mon Mar 30 2020 Andrew Phelps 3.1.3-1 - Update to dotnet 3.1.3. License verified. + * Tue Sep 03 2019 Mateusz Malisz 2.2.0-2 - Initial CBL-Mariner import from Photon (license: Apache2). + * Wed Dec 05 2018 Ajay Kaher 2.2.0-1 - upgraded to version 2.2.0 + * Thu Sep 27 2018 Ajay Kaher 2.1.4-1 - upgraded to version 2.1.4 - add aarch64 support + * Wed Jan 31 2018 Priyesh Padmavilasom 2.0.5-1 - Initial build for photon diff --git a/SPECS/flex/CVE-2019-6293.nopatch b/SPECS/flex/CVE-2019-6293.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/flex/flex.signatures.json b/SPECS/flex/flex.signatures.json index a459af5b49f..083eb2cb897 100644 --- a/SPECS/flex/flex.signatures.json +++ b/SPECS/flex/flex.signatures.json @@ -1,5 +1,6 @@ { "Signatures": { - "flex-2.6.4.tar.gz": "e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c45ee995" + "flex-2.6.4.tar.gz": "e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c45ee995", + "lex": "7d09257b0186b94b3a5f972c295e3c1b912015dd18f9e45cd38c99375eacb08c" } } \ No newline at end of file diff --git a/SPECS/flex/flex.spec b/SPECS/flex/flex.spec index 4ef9b4d9fd4..5f4d07cd34f 100644 --- a/SPECS/flex/flex.spec +++ b/SPECS/flex/flex.spec 
@@ -1,13 +1,16 @@ Summary: A utility for generating programs that recognize patterns in text Name: flex Version: 2.6.4 -Release: 5%{?dist} +Release: 6%{?dist} License: BSD -URL: https://github.com/westes/flex -Group: Applications/System Vendor: Microsoft Corporation Distribution: Mariner +Group: Applications/System +URL: https://github.com/westes/flex Source0: https://github.com/westes/flex/releases/download/v%{version}/%{name}-%{version}.tar.gz +Source1: lex +# Upstream community decided to not fix this +Patch0: CVE-2019-6293.nopatch BuildRequires: m4 Requires: m4 @@ -16,9 +19,9 @@ The Flex package contains a utility for generating programs that recognize patterns in text. %package devel -Summary: Development libraries and header files for the flex library -Group: Development/Libraries -Requires: %{name} = %{version}-%{release} +Summary: Development libraries and header files for the flex library +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} %description devel The flex-devel package contains the development libraries and header files for @@ -27,6 +30,7 @@ flex. %prep %setup -q sed -i -e '/test-bison/d' tests/Makefile.in + %build CFLAGS="-D_GNU_SOURCE" \ ./configure \ @@ -34,17 +38,11 @@ CFLAGS="-D_GNU_SOURCE" \ --docdir=%{_defaultdocdir}/%{name}-%{version} \ --disable-silent-rules make VERBOSE=1 %{?_smp_mflags} + %install make DESTDIR=%{buildroot} install -find %{buildroot}%{_libdir} -name '*.la' -delete -cat > %{buildroot}/usr/bin/lex <<- "EOF" -#!/bin/sh -# Begin /usr/bin/lex - - exec /usr/bin/flex -l "$@" - -# End /usr/bin/lex -EOF +find %{buildroot} -type f -name "*.la" -delete -print +install -m 755 %{SOURCE1} %{buildroot}%{_bindir}/lex rm -rf %{buildroot}%{_infodir} %find_lang %{name} @@ -53,6 +51,7 @@ make %{?_smp_mflags} check %post -p /sbin/ldconfig %postun -p /sbin/ldconfig + %files -f %{name}.lang %defattr(-,root,root) %license COPYING 
@@ -70,29 +69,43 @@ make %{?_smp_mflags} check %{_includedir}/* %changelog -* Sat May 09 00:21:32 PST 2020 Nick Samson - 2.6.4-5 +* Thu Oct 29 2020 Nicolas Ontiveros - 2.6.4-6 +- No patch CVE-2019-6293 +- Move "lex" script to separate file + +* Sat May 09 2020 Nick Samson - 2.6.4-5 - Added %%license line automatically * Thu Apr 23 2020 Andrew Phelps 2.6.4-4 - Fix URL. - License verified. + * Tue Sep 03 2019 Mateusz Malisz 2.6.4-3 - Initial CBL-Mariner import from Photon (license: Apache2). + * Fri Aug 4 2017 Alexey Makhalov 2.6.4-2 - Use _GNU_SOURCE + * Thu May 11 2017 Chang Lee 2.6.4-1 - Updated to version 2.6.4 + * Tue Apr 04 2017 Chang Lee 2.6.0-1 - Updated to version 2.6.0 + * Thu Oct 13 2016 Kumar Kaushik 2.5.39-3 - Fixing Security bug CVE-2016-6354. + * Tue May 24 2016 Priyesh Padmavilasom 2.5.39-2 - GA - Bump release of all rpms + * Tue Jan 12 2016 Xiaolin Li 2.5.39-1 - Updated to version 2.5.39 + * Mon Oct 12 2015 Xiaolin Li 2.5.38-3 - Moving static lib files to devel package. + * Fri Jun 5 2015 Divya Thaluru 2.5.38-2 - Adding m4 package to build and run time required package + * Wed Nov 5 2014 Divya Thaluru 2.5.38-1 - Initial build. First version diff --git a/SPECS/flex/lex b/SPECS/flex/lex new file mode 100644 index 00000000000..8d85e8ea88c --- /dev/null +++ b/SPECS/flex/lex @@ -0,0 +1,6 @@ +#!/bin/sh +# Begin /usr/bin/lex + + exec /usr/bin/flex -l "$@" + +# End /usr/bin/lex \ No newline at end of file diff --git a/SPECS/gdb/CVE-2019-1010180.nopatch b/SPECS/gdb/CVE-2019-1010180.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/gdb/gdb.spec b/SPECS/gdb/gdb.spec index 2d68d1f0620..80e28e7ffb6 100644 --- a/SPECS/gdb/gdb.spec +++ b/SPECS/gdb/gdb.spec 
@@ -1,23 +1,26 @@ Summary: C debugger Name: gdb Version: 8.3 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ -URL: https://www.gnu.org/software/gdb -Source0: https://ftp.gnu.org/gnu/gdb/%{name}-%{version}.tar.xz -Group: Development/Tools Vendor: Microsoft Corporation Distribution: Mariner +Group: Development/Tools +URL: https://www.gnu.org/software/gdb +Source0: https://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz Patch0: gdb-7.12-pstack.patch -Requires: expat -Requires: ncurses -Requires: python3 -Requires: xz-libs +# 8.3 contains a partial fix in the form of a warning when this bug is triggered +# The complete fix is not easily backported from 9.1 +Patch1: CVE-2019-1010180.nopatch BuildRequires: expat-devel BuildRequires: ncurses-devel BuildRequires: python3-devel BuildRequires: python3-libs BuildRequires: xz-devel +Requires: expat +Requires: ncurses +Requires: python3 +Requires: xz-libs %if %{with_check} BuildRequires: dejagnu BuildRequires: systemtap-sdt-devel @@ -27,18 +30,17 @@ BuildRequires: systemtap-sdt-devel GDB, the GNU Project debugger, allows you to see what is going on `inside' another program while it executes -- or what another program was doing at the moment it crashed. + %prep -%setup -q -%patch0 -p1 +%autosetup -p1 %build -./configure \ - --prefix=%{_prefix} \ - --with-python=/usr/bin/python3 +%configure --with-python=%{_bindir}/python3 make %{?_smp_mflags} + %install make DESTDIR=%{buildroot} install -find %{buildroot} -name '*.la' -delete +find %{buildroot} -type f -name "*.la" -delete -print rm %{buildroot}%{_infodir}/dir # following files conflicts with binutils-2.24-1.x86_64 
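Review bot: `Patch1: CVE-2019-1010180.nopatch` marks the CVE as deliberately not patched, and its comment says 8.3 carries only a partial fix in the form of a warning, yet the changelog entry added in the next hunk reads `- Patch CVE-2019-1010180`. Anyone auditing CVE status from the changelog would conclude the full fix was applied. The entry should say what was done, e.g. `- Nopatch CVE-2019-1010180 (8.3 only warns; complete fix is in 9.1)`, in line with the coreutils and flex entries in this diff.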
@@ -80,34 +82,50 @@ make %{?_smp_mflags} check || tail gdb/testsuite/gdb.sum | grep "# of unexpecte %{_mandir}/*/* %changelog -* Sat May 09 00:20:48 PST 2020 Nick Samson +* Thu Oct 22 2020 Thomas Crain - 8.3-3 +- Patch CVE-2019-1010180 + +* Sat May 09 2020 Nick Samson - 8.3-2 - Added %%license line automatically -* Mon Mar 16 2020 Henry Beberman 8.3-1 -- Update to 8.3. URL fixed. License verified. -* Tue Sep 03 2019 Mateusz Malisz 8.2-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 14 2018 Keerthana K 8.2-1 -- Update to version 8.2 -* Thu Dec 07 2017 Alexey Makhalov 7.12.1-8 -- Enable LZMA support -* Tue Nov 14 2017 Alexey Makhalov 7.12.1-7 -- Aarch64 support -* Mon Sep 11 2017 Rui Gu 7.12.1-6 -- Enable make check in docker with part of checks disabled -* Thu Aug 10 2017 Alexey Makhalov 7.12.1-5 -- Make check improvements -* Fri Jul 21 2017 Rui Gu 7.12.1-4 -- Add pstack wrapper which will invoke gdb. -* Wed Jul 12 2017 Alexey Makhalov 7.12.1-3 -- Get tcl, expect and dejagnu from packages -* Thu May 18 2017 Xiaolin Li 7.12.1-2 -- Build gdb with python3. -* Wed Mar 22 2017 Alexey Makhalov 7.12.1-1 -- Version update -* Tue May 24 2016 Priyesh Padmavilasom 7.8.2-3 -- GA - Bump release of all rpms -* Tue Nov 10 2015 Xiaolin Li 7.8.2-2 -- Handled locale files with macro find_lang -* Wed Apr 08 2015 Priyesh Padmavilasom 7.8.2-1 -- Initial build. First version +* Mon Mar 16 2020 Henry Beberman - 8.3-1 +- Update to 8.3. URL fixed. License verified. + +* Tue Sep 03 2019 Mateusz Malisz - 8.2-2 +- Initial CBL-Mariner import from Photon (license: Apache2). 
+ +* Fri Sep 14 2018 Keerthana K - 8.2-1 +- Update to version 8.2 + +* Thu Dec 07 2017 Alexey Makhalov - 7.12.1-8 +- Enable LZMA support + +* Tue Nov 14 2017 Alexey Makhalov - 7.12.1-7 +- Aarch64 support + +* Mon Sep 11 2017 Rui Gu - 7.12.1-6 +- Enable make check in docker with part of checks disabled + +* Thu Aug 10 2017 Alexey Makhalov - 7.12.1-5 +- Make check improvements + +* Fri Jul 21 2017 Rui Gu - 7.12.1-4 +- Add pstack wrapper which will invoke gdb. + +* Wed Jul 12 2017 Alexey Makhalov - 7.12.1-3 +- Get tcl, expect and dejagnu from packages + +* Thu May 18 2017 Xiaolin Li - 7.12.1-2 +- Build gdb with python3. + +* Wed Mar 22 2017 Alexey Makhalov - 7.12.1-1 +- Version update + +* Tue May 24 2016 Priyesh Padmavilasom - 7.8.2-3 +- GA - Bump release of all rpms + +* Tue Nov 10 2015 Xiaolin Li - 7.8.2-2 +- Handled locale files with macro find_lang + +* Wed Apr 08 2015 Priyesh Padmavilasom - 7.8.2-1 +- Initial build. First version diff --git a/SPECS/glibc/CVE-2019-19126.patch b/SPECS/glibc/CVE-2019-19126.patch new file mode 100644 index 00000000000..1f5720dd60e --- /dev/null +++ b/SPECS/glibc/CVE-2019-19126.patch 
@@ -0,0 +1,31 @@ +From 7966ce07e89fa4ccc8fdba00d4439fc652862462 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Marcin=20Ko=C5=9Bcielnicki?= +Date: Thu, 21 Nov 2019 00:20:15 +0100 +Subject: [PATCH] rtld: Check __libc_enable_secure before honoring + LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204] + +The problem was introduced in glibc 2.23, in commit +b9eb92ab05204df772eb4929eccd018637c9f3e9 +("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT"). + +(cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e) +--- + sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +index 194369174d..ac694c032e 100644 +--- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h ++++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +@@ -31,7 +31,8 @@ + environment variable, LD_PREFER_MAP_32BIT_EXEC. */ + #define EXTRA_LD_ENVVARS \ + case 21: \ +- if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ ++ if (!__libc_enable_secure \ ++ && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ + GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \ + |= bit_arch_Prefer_MAP_32BIT_EXEC; \ + break; +-- +2.18.4 diff --git a/SPECS/glibc/CVE-2019-7309.patch b/SPECS/glibc/CVE-2019-7309.patch new file mode 100644 index 00000000000..5ec8fec5d34 --- /dev/null +++ b/SPECS/glibc/CVE-2019-7309.patch 
@@ -0,0 +1,217 @@ +diff --git a/./ChangeLog b/ChangeLog +index 08b42bd..0e82190 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,14 @@ ++2019-02-04 H.J. Lu ++ ++ [BZ #24155] ++ CVE-2019-7309 ++ * NEWS: Updated for CVE-2019-7309. ++ * sysdeps/x86_64/memcmp.S: Use RDX_LP for size. Clear the ++ upper 32 bits of RDX register for x32. Use unsigned Jcc ++ instructions, instead of signed. ++ * sysdeps/x86_64/x32/Makefile (tests): Add tst-size_t-memcmp-2. ++ * sysdeps/x86_64/x32/tst-size_t-memcmp-2.c: New test. ++ + 2018-08-01 Carlos O'Donel + + * version.h (RELEASE): Set to "stable". +diff --git a/NEWS b/NEWS +index 154ab22..d254097 100644 +--- a/NEWS ++++ b/NEWS +@@ -240,6 +240,14 @@ Security related changes: + architecture could write beyond the target buffer, resulting in a buffer + overflow. Reported by Andreas Schwab. + ++ CVE-2019-7309: x86-64 memcmp used signed Jcc instructions to check ++ size. For x86-64, memcmp on an object size larger than SSIZE_MAX ++ has undefined behavior. On x32, the size_t argument may be passed ++ in the lower 32 bits of the 64-bit RDX register with non-zero upper ++ 32 bits. When it happened with the sign bit of RDX register set, ++ memcmp gave the wrong result since it treated the size argument as ++ zero. Reported by H.J. Lu. 
++ + The following bugs are resolved with this release: + + [1190] stdio: fgetc()/fread() behaviour is not POSIX compliant +@@ -422,6 +430,7 @@ The following bugs are resolved with this release: + [23459] libc: COMMON_CPUID_INDEX_80000001 isn't populated for Intel + processors + [23467] dynamic-link: x86/CET: A property note parser bug ++ [24155] x32 memcmp can treat positive length as 0 (if sign bit in RDX is set) (CVE-2019-7309) + + + Version 2.27 + +diff --git a/sysdeps/x86_64/memcmp.S b/sysdeps/x86_64/memcmp.S +index bcb4a2e88d..45918d375a 100644 +--- a/sysdeps/x86_64/memcmp.S ++++ b/sysdeps/x86_64/memcmp.S +@@ -21,14 +21,18 @@ + + .text + ENTRY (memcmp) +- test %rdx, %rdx ++#ifdef __ILP32__ ++ /* Clear the upper 32 bits. */ ++ movl %edx, %edx ++#endif ++ test %RDX_LP, %RDX_LP + jz L(finz) + cmpq $1, %rdx +- jle L(finr1b) ++ jbe L(finr1b) + subq %rdi, %rsi + movq %rdx, %r10 + cmpq $32, %r10 +- jge L(gt32) ++ jae L(gt32) + /* Handle small chunks and last block of less than 32 bytes. */ + L(small): + testq $1, %r10 +@@ -156,7 +160,7 @@ L(A32): + movq %r11, %r10 + andq $-32, %r10 + cmpq %r10, %rdi +- jge L(mt16) ++ jae L(mt16) + /* Pre-unroll to be ready for unrolled 64B loop. 
*/ + testq $32, %rdi + jz L(A64) +@@ -178,7 +182,7 @@ L(A64): + movq %r11, %r10 + andq $-64, %r10 + cmpq %r10, %rdi +- jge L(mt32) ++ jae L(mt32) + + L(A64main): + movdqu (%rdi,%rsi), %xmm0 +@@ -216,7 +220,7 @@ L(mt32): + movq %r11, %r10 + andq $-32, %r10 + cmpq %r10, %rdi +- jge L(mt16) ++ jae L(mt16) + + L(A32main): + movdqu (%rdi,%rsi), %xmm0 +@@ -254,7 +258,7 @@ L(ATR): + movq %r11, %r10 + andq $-32, %r10 + cmpq %r10, %rdi +- jge L(mt16) ++ jae L(mt16) + testq $16, %rdi + jz L(ATR32) + +@@ -325,7 +329,7 @@ L(ATR64main): + movq %r11, %r10 + andq $-32, %r10 + cmpq %r10, %rdi +- jge L(mt16) ++ jae L(mt16) + + L(ATR32res): + movdqa (%rdi,%rsi), %xmm0 +diff --git a/sysdeps/x86_64/x32/Makefile b/sysdeps/x86_64/x32/Makefile +index f2ebc24..457c707 100644 +--- a/sysdeps/x86_64/x32/Makefile ++++ b/sysdeps/x86_64/x32/Makefile +@@ -4,3 +4,7 @@ ifeq ($(subdir),math) + # 64-bit llround. Add -fno-builtin-lround to silence the compiler. + CFLAGS-s_llround.c += -fno-builtin-lround + endif ++ ++ifeq ($(subdir),string) ++ tests += tst-size_t-memcmp-2 ++endif +\ No newline at end of file +diff --git a/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c b/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c +new file mode 100644 +index 0000000000..d8ae1a0813 +--- /dev/null ++++ b/sysdeps/x86_64/x32/tst-size_t-memcmp-2.c +@@ -0,0 +1,79 @@ ++/* Test memcmp with size_t in the lower 32 bits of 64-bit register. ++ Copyright (C) 2019 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#define TEST_MAIN ++#ifdef WIDE ++# define TEST_NAME "wmemcmp" ++#else ++# define TEST_NAME "memcmp" ++#endif ++ ++#include "test-size_t.h" ++ ++#ifdef WIDE ++# include ++# include ++ ++# define MEMCMP wmemcmp ++# define CHAR wchar_t ++#else ++# define MEMCMP memcmp ++# define CHAR char ++#endif ++ ++IMPL (MEMCMP, 1) ++ ++typedef int (*proto_t) (const CHAR *, const CHAR *, size_t); ++ ++static int ++__attribute__ ((noinline, noclone)) ++do_memcmp (parameter_t a, parameter_t b) ++{ ++ return CALL (&b, a.p, b.p, a.len); ++} ++ ++static int ++test_main (void) ++{ ++ test_init (); ++ ++ parameter_t dest = { { page_size / sizeof (CHAR) }, buf1 }; ++ parameter_t src = { { 0 }, buf2 }; ++ ++ memcpy (buf1, buf2, page_size); ++ ++ CHAR *p = (CHAR *) buf1; ++ p[page_size / sizeof (CHAR) - 1] = (CHAR) 1; ++ ++ int ret = 0; ++ FOR_EACH_IMPL (impl, 0) ++ { ++ src.fn = impl->fn; ++ int res = do_memcmp (dest, src); ++ if (res >= 0) ++ { ++ error (0, 0, "Wrong result in function %s: %i >= 0", ++ impl->name, res); ++ ret = 1; ++ } ++ } ++ ++ return ret ? EXIT_FAILURE : EXIT_SUCCESS; ++} ++ ++#include +-- diff --git a/SPECS/glibc/glibc.spec b/SPECS/glibc/glibc.spec index e5e258f149d..83b33879041 100644 --- a/SPECS/glibc/glibc.spec +++ b/SPECS/glibc/glibc.spec @@ -1,16 +1,15 @@ %global security_hardening nonow %define glibc_target_cpu %{_build} %define debug_package %{nil} - Summary: Main C library Name: glibc Version: 2.28 -Release: 12%{?dist} +Release: 14%{?dist} License: LGPLv2+ -URL: https://www.gnu.org/software/libc -Group: Applications/System Vendor: Microsoft Corporation Distribution: Mariner +Group: Applications/System +URL: https://www.gnu.org/software/libc Source0: https://ftp.gnu.org/gnu/glibc/%{name}-%{version}.tar.xz Source1: locale-gen.sh Source2: locale-gen.conf 
@@ -30,11 +29,15 @@ Patch9: CVE-2019-6488.nopatch Patch10: CVE-2020-1751.nopatch # Marked by upstream/Ubuntu/Red Hat as not a security bug, no fix available # Rationale: Exploit requires crafted pattern in regex compiler meant only for trusted content -Patch11: CVE-2018-20796.nopatch -ExcludeArch: armv7 ppc i386 i686 +Patch11: CVE-2018-20796.nopatch +Patch12: CVE-2019-7309.patch +# CVE-2019-19126 patch taken from upstream commit 7966ce07e89fa4ccc8fdba00d4439fc652862462 +Patch13: CVE-2019-19126.patch +Requires: filesystem Provides: rtld(GNU_HASH) Provides: /sbin/ldconfig -Requires: filesystem +ExcludeArch: armv7 ppc i386 i686 + %description This library provides the basic routines for allocating memory, searching directories, opening and closing files, reading and 
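Review bot: `Patch12: CVE-2019-7309.patch` is added without an origin comment, while `Patch13` directly below names the upstream commit it was taken from. The CVE-2019-7309 patch file has no `From` or commit header either, so its source cannot be traced from the spec or the patch. I would add a comment of the same form above it, `# CVE-2019-7309 patch taken from upstream commit <upstream commit id>`. That patch also carries hunks for `ChangeLog` and `NEWS`, which are the parts of a backport most likely to stop applying cleanly. Dropping them would leave only the `memcmp.S` change and its x32 test.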
@@ -42,58 +45,56 @@ writing files, string handling, pattern matching, arithmetic, and so on. %package devel -Summary: Header files for glibc -Group: Applications/System -Requires: %{name} = %{version}-%{release} +Summary: Header files for glibc +Group: Applications/System +Requires: %{name} = %{version}-%{release} + %description devel These are the header files of glibc. %package lang -Summary: Additional language files for glibc -Group: Applications/System -Requires: %{name} = %{version}-%{release} +Summary: Additional language files for glibc +Group: Applications/System +Requires: %{name} = %{version}-%{release} + %description lang These are the additional language files of glibc. %package i18n -Summary: Additional internationalization files for glibc -Group: Applications/System -Requires: %{name} = %{version}-%{release} +Summary: Additional internationalization files for glibc +Group: Applications/System +Requires: %{name} = %{version}-%{release} + %description i18n These are the additional internationalization files of glibc. %package iconv -Summary: gconv modules for glibc -Group: Applications/System -Requires: %{name} = %{version}-%{release} +Summary: gconv modules for glibc +Group: Applications/System +Requires: %{name} = %{version}-%{release} + %description iconv These is gconv modules for iconv() and iconv tools. %package tools -Summary: tools for glibc -Group: Applications/System -Requires: %{name} = %{version}-%{release} +Summary: tools for glibc +Group: Applications/System +Requires: %{name} = %{version}-%{release} + %description tools Extra tools for glibc. 
%package nscd -Summary: Name Service Cache Daemon -Group: Applications/System -Requires: %{name} = %{version}-%{release} +Summary: Name Service Cache Daemon +Group: Applications/System +Requires: %{name} = %{version}-%{release} + %description nscd Name Service Cache Daemon %prep -%setup -q +%autosetup -p1 sed -i 's/\\$$(pwd)/`pwd`/' timezone/Makefile -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 install -vdm 755 %{_builddir}/%{name}-build # do not try to explicitly provide GLIBC_PRIVATE versioned libraries %define __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh @@ -105,7 +106,7 @@ cat > find_provides.sh << _EOF if [ -d /tools ]; then /tools/lib/rpm/find-provides | grep -v GLIBC_PRIVATE else -%{_prefix}/lib/rpm/find-provides | grep -v GLIBC_PRIVATE +%{_lib}/rpm/find-provides | grep -v GLIBC_PRIVATE fi exit 0 _EOF @@ -116,7 +117,7 @@ cat > find_requires.sh << _EOF if [ -d /tools ]; then /tools/lib/rpm/find-requires %{buildroot} %{glibc_target_cpu} | grep -v GLIBC_PRIVATE else -%{_prefix}/lib/rpm/find-requires %{buildroot} %{glibc_target_cpu} | grep -v GLIBC_PRIVATE +%{_lib}/rpm/find-requires %{buildroot} %{glibc_target_cpu} | grep -v GLIBC_PRIVATE fi _EOF chmod +x find_requires.sh @@ -151,7 +152,7 @@ pushd %{_builddir}/glibc-build # Create directories make install_root=%{buildroot} install install -vdm 755 %{buildroot}%{_sysconfdir}/ld.so.conf.d -install -vdm 755 %{buildroot}/var/cache/nscd +install -vdm 755 %{buildroot}%{_var}/cache/nscd install -vdm 755 %{buildroot}%{_libdir}/locale cp -v ../%{name}-%{version}/nscd/nscd.conf %{buildroot}%{_sysconfdir}/nscd.conf # Install locale generation script and config file 
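Review bot: `%autosetup -p1` applies every `PatchN` tag in the spec, whereas the removed list ran only `%patch0` to `%patch7`, so the `.nopatch` entries (`Patch9` to `Patch11`) and the new `Patch12`/`Patch13` are now all fed to patch. This is safe only if the `.nopatch` files are empty markers, which is presumably the case but should be confirmed. Patch application also now happens before the `sed` on `timezone/Makefile`, which previously ran first; this matters if any patch touches that file. A comment above `%autosetup` would record the assumption, e.g. `# .nopatch entries are empty markers and apply as no-ops under autosetup`.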
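Review bot: Replacing `%{_prefix}/lib/rpm/find-provides` with `%{_lib}/rpm/find-provides` is only equivalent if this distribution defines `%{_lib}` as an absolute path. In the stock RPM macro set `%{_lib}` is a bare directory name (`lib` or `lib64`), which would turn this into a relative path. Because find_provides.sh ends in `exit 0`, a missing helper would not fail the build; it would silently produce an empty provides list and drop the GLIBC_PRIVATE filtering. The same substitution appears in the find-requires hunk and in the later `%{buildroot}%{_lib}/locale` lines. Confirm with `rpm --eval '%{_lib}'` in the build root, or keep the unambiguous `%{_prefix}/lib/rpm/find-provides`.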
@@ -182,21 +183,21 @@ cat > %{buildroot}%{_sysconfdir}/nsswitch.conf <<- "EOF" EOF cat > %{buildroot}%{_sysconfdir}/ld.so.conf <<- "EOF" # Begin /etc/ld.so.conf - /usr/local/lib + %{_prefix}/local/lib /opt/lib - include /etc/ld.so.conf.d/*.conf + include %{_sysconfdir}/ld.so.conf.d/*.conf EOF popd %find_lang %{name} --all-name pushd localedata # Generate out of locale-archive an (en_US.) UTF-8 locale -mkdir -p %{buildroot}/usr/lib/locale +mkdir -p %{buildroot}%{_lib}/locale I18NPATH=. GCONV_PATH=../../glibc-build/iconvdata LC_ALL=C ../../glibc-build/locale/localedef --no-archive --prefix=%{buildroot} -A ../intl/locale.alias -i locales/en_US -c -f charmaps/UTF-8 en_US.UTF-8 -mv %{buildroot}/usr/lib/locale/en_US.utf8 %{buildroot}/usr/lib/locale/en_US.UTF-8 +mv %{buildroot}%{_lib}/locale/en_US.utf8 %{buildroot}%{_lib}/locale/en_US.UTF-8 popd # to do not depend on /bin/bash -sed -i 's@#! /bin/bash@#! /bin/sh@' %{buildroot}/usr/bin/ldd -sed -i 's@#!/bin/bash@#!/bin/sh@' %{buildroot}/usr/bin/tzselect +sed -i 's@#! /bin/bash@#! /bin/sh@' %{buildroot}%{_bindir}/ldd +sed -i 's@#!/bin/bash@#!/bin/sh@' %{buildroot}%{_bindir}/tzselect %check cd %{_builddir}/glibc-build @@ -222,7 +223,6 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||: [ `grep ^FAIL tests.sum | wc -l` -ne $n ] && exit 1 ||: %post -p /sbin/ldconfig - %postun -p /sbin/ldconfig %files 
@@ -250,32 +250,32 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||: %{_datadir}/i18n/locales/en_US %{_datarootdir}/locale/locale.alias %exclude %{_localstatedir}/lib/nss_db/Makefile -%exclude /usr/bin/catchsegv -%exclude /usr/bin/iconv -%exclude /usr/bin/mtrace -%exclude /usr/bin/pcprofiledump -%exclude /usr/bin/pldd -%exclude /usr/bin/sotruss -%exclude /usr/bin/sprof -%exclude /usr/bin/xtrace +%exclude %{_bindir}/catchsegv +%exclude %{_bindir}/iconv +%exclude %{_bindir}/mtrace +%exclude %{_bindir}/pcprofiledump +%exclude %{_bindir}/pldd +%exclude %{_bindir}/sotruss +%exclude %{_bindir}/sprof +%exclude %{_bindir}/xtrace %files iconv %defattr(-,root,root) %{_lib64dir}/gconv/* -/usr/bin/iconv -/usr/sbin/iconvconfig +%{_bindir}/iconv +%{_sbindir}/iconvconfig %files tools %defattr(-,root,root) -/usr/bin/catchsegv -/usr/bin/mtrace -/usr/bin/pcprofiledump -/usr/bin/pldd -/usr/bin/sotruss -/usr/bin/sprof -/usr/bin/xtrace -/usr/sbin/zdump -/usr/sbin/zic +%{_bindir}/catchsegv +%{_bindir}/mtrace +%{_bindir}/pcprofiledump +%{_bindir}/pldd +%{_bindir}/sotruss +%{_bindir}/sprof +%{_bindir}/xtrace +%{_sbindir}/zdump +%{_sbindir}/zic /sbin/sln %{_lib64dir}/audit/* /lib64/libpcprofile.so @@ -283,7 +283,7 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||: %files nscd %defattr(-,root,root) %config(noreplace) %{_sysconfdir}/nscd.conf -/usr/sbin/nscd +%{_sbindir}/nscd %dir %{_localstatedir}/cache/nscd %files i18n @@ -294,7 +294,6 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||: %exclude %{_datadir}/i18n/charmaps/ISO-8859-1.gz %exclude %{_datadir}/i18n/locales/en_US - %files devel %defattr(-,root,root) # TODO: Excluding for now to remove dependency on PERL 
@@ -306,8 +305,14 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||: %files -f %{name}.lang lang %defattr(-,root,root) - %changelog +* Tue Nov 10 2020 Thomas Crain - 2.28-14 +- Patch CVE-2019-19126 + +* Wed Oct 28 2020 Henry Li - 2.28-13 +- Used autosetup +- Added patch to resolve CVE-2019-7309 + * Wed Jul 29 2020 Thomas Crain - 2.28-12 - Ignore CVE-2018-20796, as it is not a security issue diff --git a/SPECS/golang/CVE-2020-24553.patch b/SPECS/golang/CVE-2020-24553.patch new file mode 100644 index 00000000000..146cf2b2e8d --- /dev/null +++ b/SPECS/golang/CVE-2020-24553.patch 
@@ -0,0 +1,182 @@ +From 4f5cd0c0331943c7ec72df3b827d972584f77833 Mon Sep 17 00:00:00 2001 +From: Roberto Clapis +Date: Wed, 26 Aug 2020 08:53:03 +0200 +Subject: [PATCH] net/http/cgi,net/http/fcgi: add Content-Type detection + +This CL ensures that responses served via CGI and FastCGI +have a Content-Type header based on the content of the +response if not explicitly set by handlers. + +If the implementers of the handler did not explicitly +specify a Content-Type both CGI implementations would default +to "text/html", potentially causing cross-site scripting. + +Thanks to RedTeam Pentesting GmbH for reporting this. + +Fixes #40928 +Fixes CVE-2020-24553 + +Change-Id: I82cfc396309b5ab2e8d6e9a87eda8ea7e3799473 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/823217 +Reviewed-by: Russ Cox +Reviewed-on: https://go-review.googlesource.com/c/go/+/252179 +Run-TryBot: Filippo Valsorda +TryBot-Result: Go Bot +Reviewed-by: Katie Hockman +--- + src/net/http/cgi/child.go | 36 +++++++++++------ + src/net/http/fcgi/child.go | 39 ++++++++++++++----- + +diff --git a/src/net/http/cgi/child.go b/src/net/http/cgi/child.go +index d7d813e68a83..690986335c07 100644 +--- a/src/net/http/cgi/child.go ++++ b/src/net/http/cgi/child.go +@@ -166,10 +166,12 @@ func Serve(handler http.Handler) error { + } + + type response struct { +- req *http.Request +- header http.Header +- bufw *bufio.Writer +- headerSent bool ++ req *http.Request ++ header http.Header ++ code int ++ wroteHeader bool ++ wroteCGIHeader bool ++ bufw *bufio.Writer + } + + func (r *response) Flush() { +@@ -181,26 +183,38 @@ func (r *response) Header() http.Header { + } + + func (r *response) Write(p []byte) (n int, err error) { +- if !r.headerSent { ++ if !r.wroteHeader { + r.WriteHeader(http.StatusOK) + } ++ if !r.wroteCGIHeader { ++ r.writeCGIHeader(p) ++ } + return r.bufw.Write(p) + } + + func (r *response) WriteHeader(code int) { +- if r.headerSent { ++ if r.wroteHeader { + // Note: explicitly using 
Stderr, as Stdout is our HTTP output. + fmt.Fprintf(os.Stderr, "CGI attempted to write header twice on request for %s", r.req.URL) + return + } +- r.headerSent = true +- fmt.Fprintf(r.bufw, "Status: %d %s\r\n", code, http.StatusText(code)) ++ r.wroteHeader = true ++ r.code = code ++} + +- // Set a default Content-Type ++// writeCGIHeader finalizes the header sent to the client and writes it to the output. ++// p is not written by writeHeader, but is the first chunk of the body ++// that will be written. It is sniffed for a Content-Type if none is ++// set explicitly. ++func (r *response) writeCGIHeader(p []byte) { ++ if r.wroteCGIHeader { ++ return ++ } ++ r.wroteCGIHeader = true ++ fmt.Fprintf(r.bufw, "Status: %d %s\r\n", r.code, http.StatusText(r.code)) + if _, hasType := r.header["Content-Type"]; !hasType { +- r.header.Add("Content-Type", "text/html; charset=utf-8") ++ r.header.Set("Content-Type", http.DetectContentType(p)) + } +- + r.header.Write(r.bufw) + r.bufw.WriteString("\r\n") + r.bufw.Flush() +diff --git a/src/net/http/fcgi/child.go b/src/net/http/fcgi/child.go +index 0e91042543b5..34761f32ee18 100644 +--- a/src/net/http/fcgi/child.go ++++ b/src/net/http/fcgi/child.go +@@ -74,10 +74,12 @@ func (r *request) parseParams() { + + // response implements http.ResponseWriter. 
+ type response struct { +- req *request +- header http.Header +- w *bufWriter +- wroteHeader bool ++ req *request ++ header http.Header ++ code int ++ wroteHeader bool ++ wroteCGIHeader bool ++ w *bufWriter + } + + func newResponse(c *child, req *request) *response { +@@ -92,11 +94,14 @@ func (r *response) Header() http.Header { + return r.header + } + +-func (r *response) Write(data []byte) (int, error) { ++func (r *response) Write(p []byte) (n int, err error) { + if !r.wroteHeader { + r.WriteHeader(http.StatusOK) + } +- return r.w.Write(data) ++ if !r.wroteCGIHeader { ++ r.writeCGIHeader(p) ++ } ++ return r.w.Write(p) + } + + func (r *response) WriteHeader(code int) { +@@ -104,22 +109,34 @@ func (r *response) WriteHeader(code int) { + return + } + r.wroteHeader = true ++ r.code = code + if code == http.StatusNotModified { + // Must not have body. + r.header.Del("Content-Type") + r.header.Del("Content-Length") + r.header.Del("Transfer-Encoding") +- } else if r.header.Get("Content-Type") == "" { +- r.header.Set("Content-Type", "text/html; charset=utf-8") + } +- + if r.header.Get("Date") == "" { + r.header.Set("Date", time.Now().UTC().Format(http.TimeFormat)) + } ++} + +- fmt.Fprintf(r.w, "Status: %d %s\r\n", code, http.StatusText(code)) ++// writeCGIHeader finalizes the header sent to the client and writes it to the output. ++// p is not written by writeHeader, but is the first chunk of the body ++// that will be written. It is sniffed for a Content-Type if none is ++// set explicitly. 
++func (r *response) writeCGIHeader(p []byte) { ++ if r.wroteCGIHeader { ++ return ++ } ++ r.wroteCGIHeader = true ++ fmt.Fprintf(r.w, "Status: %d %s\r\n", r.code, http.StatusText(r.code)) ++ if _, hasType := r.header["Content-Type"]; r.code != http.StatusNotModified && !hasType { ++ r.header.Set("Content-Type", http.DetectContentType(p)) ++ } + r.header.Write(r.w) + r.w.WriteString("\r\n") ++ r.w.Flush() + } + + func (r *response) Flush() { +@@ -293,6 +310,8 @@ func (c *child) serveRequest(req *request, body io.ReadCloser) { + httpReq = httpReq.WithContext(envVarCtx) + c.handler.ServeHTTP(r, httpReq) + } ++ // Make sure we serve something even if nothing was written to r ++ r.Write(nil) + r.Close() + c.mu.Lock() + delete(c.requests, req.reqId) diff --git a/SPECS/golang/golang-1.13.spec b/SPECS/golang/golang-1.13.spec index 431a5c5fd05..5e4b1402fd2 100644 --- a/SPECS/golang/golang-1.13.spec +++ b/SPECS/golang/golang-1.13.spec @@ -7,23 +7,22 @@ %endif %define debug_package %{nil} %define __strip /bin/true - # rpmbuild magic to keep from having meta dependency on libc.so.6 %define _use_internal_dependency_generator 0 %define __find_requires %{nil} - Summary: Go Name: golang Version: 1.13.15 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD -URL: https://golang.org -Group: System Environment/Security Vendor: Microsoft Corporation Distribution: Mariner +Group: System Environment/Security +URL: https://golang.org Source0: https://dl.google.com/go/go%{version}.src.tar.gz Source1: https://dl.google.com/go/go1.4-bootstrap-20171003.tar.gz Patch0: go14_bootstrap_aarch64.patch +Patch1: CVE-2020-24553.patch Obsoletes: %{name} < %{version} Provides: %{name} = %{version} @@ -38,7 +37,8 @@ patch -Np1 --ignore-whitespace < /usr/src/mariner/SOURCES/go14_bootstrap_aarch64 %endif mv -v go go-bootstrap -%setup -qn go +%setup -q -n go +%patch1 -p1 %build # Build go 1.4 bootstrap 
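Review bot: The Content-Type is now derived by `http.DetectContentType(p)` from only the first chunk passed to Write, in `writeCGIHeader` of both cgi/child.go and fcgi/child.go. A handler that emits untrusted bytes first and sets no type is therefore still served as `text/html` whenever those bytes look like HTML. The backport narrows the default rather than removing the need for an explicit header, and neither the patch nor the spec says so; a spec comment such as `# Mitigation only: CGI/FastCGI handlers must still set Content-Type explicitly` would make that clear to consumers. The added doc comment also refers to `writeHeader`, which is not a function in either file section and presumably means `writeCGIHeader`. Headers are now emitted on the first Write instead of in WriteHeader, and since the Flush bodies are outside the hunk, it cannot be confirmed here that WriteHeader followed by Flush still sends headers promptly.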
@@ -62,7 +62,6 @@ pushd src popd %install -rm -rf %{buildroot} mkdir -p %{buildroot}%{_bindir} mkdir -p %{buildroot}%{goroot} @@ -88,8 +87,8 @@ mkdir -p %{buildroot}%{gopath}/src/github.com/ mkdir -p %{buildroot}%{gopath}/src/bitbucket.org/ mkdir -p %{buildroot}%{gopath}/src/code.google.com/p/ -install -vdm755 %{buildroot}/etc/profile.d -cat >> %{buildroot}/etc/profile.d/go-exports.sh <<- "EOF" +install -vdm755 %{buildroot}%{_sysconfdir}/profile.d +cat >> %{buildroot}%{_sysconfdir}/profile.d/go-exports.sh <<- "EOF" export GOROOT=%{goroot} export GOPATH=%{_datadir}/gocode export GOHOSTOS=linux @@ -98,25 +97,21 @@ export GOOS=linux EOF %post -p /sbin/ldconfig - %postun /sbin/ldconfig if [ $1 -eq 0 ]; then #This is uninstall - rm /etc/profile.d/go-exports.sh + rm %{_sysconfdir}/profile.d/go-exports.sh rm -rf /opt/go exit 0 fi -%clean -rm -rf %{buildroot}/* - %files %defattr(-,root,root) %license LICENSE %exclude %{goroot}/src/*.rc %exclude %{goroot}/include/plan9 -/etc/profile.d/go-exports.sh +%{_sysconfdir}/profile.d/go-exports.sh %{goroot}/* %{gopath}/src %exclude %{goroot}/src/pkg/debug/dwarf/testdata 
@@ -124,57 +119,86 @@ rm -rf %{buildroot}/* %{_bindir}/* %changelog -* Tue Sep 08 2020 Nicolas Ontiveros 1.13.15-1 -- Updated to version 1.13.15, which fixes CVE-2020-14039 and CVE-2020-16845. -* Sun May 24 2020 Mateusz Malisz 1.13.11-1 -- Updated to version 1.13.11 -* Sat May 09 2020 Nick Samson 1.12.5-7 -- Added %%license line automatically -* Thu Apr 30 2020 Emre Girgin 1.12.5-6 -- Renaming go to golang -* Thu Apr 23 2020 Nicolas Ontiveros 1.12.5-5 -- Fix CVE-2019-14809. -* Fri Mar 27 2020 Andrew Phelps 1.12.5-4 -- Support building standalone by adding go 1.4 bootstrap. -* Thu Feb 27 2020 Henry Beberman 1.12.5-3 -- Remove meta dependency on libc.so.6 -* Thu Feb 6 2020 Andrew Phelps 1.12.5-2 -- Remove ExtraBuildRequires -* Tue Sep 03 2019 Mateusz Malisz 1.12.5-1 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Jan 21 2019 Bo Gan 1.9.7-1 -- Update to 1.9.7 -* Wed Oct 24 2018 Alexey Makhalov 1.9.4-3 -- Use extra build requires -* Mon Apr 02 2018 Dheeraj Shetty 1.9.4-2 -- Fix for CVE-2018-7187 -* Thu Mar 15 2018 Xiaolin Li 1.9.4-1 -- Update to golang release v1.9.4 -* Tue Nov 14 2017 Alexey Makhalov 1.9.1-2 -- Aarch64 support -* Wed Nov 01 2017 Vinay Kulkarni 1.9.1-1 -- Update to golang release v1.9.1 -* Wed May 31 2017 Xiaolin Li 1.8.1-2 -- Remove mercurial from buildrequires and requires. -* Tue Apr 11 2017 Danut Moraru 1.8.1-1 -- Update Golang to version 1.8.1, updated patch0 -* Wed Dec 28 2016 Xiaolin Li 1.7.4-1 -- Updated Golang to 1.7.4. -* Thu Oct 06 2016 ChangLee 1.6.3-2 -- Modified %check -* Wed Jul 27 2016 Anish Swaminathan 1.6.3-1 -- Update Golang to version 1.6.3 - fixes CVE 2016-5386 -* Fri Jul 8 2016 Harish Udaiya Kumar 1.6.2-1 -- Updated the Golang to version 1.6.2 -* Thu Jun 2 2016 Priyesh Padmavilasom 1.4.2-5 -- Fix script syntax -* Tue May 24 2016 Priyesh Padmavilasom 1.4.2-4 -- GA - Bump release of all rpms -* Thu May 05 2016 Kumar Kaushik 1.4.2-3 -- Handling upgrade scenario pre/post/un scripts. 
-* Wed Dec 09 2015 Anish Swaminathan 1.4.2-2 -- Edit post script. -* Mon Aug 03 2015 Vinay Kulkarni 1.4.2-1 -- Update to golang release version 1.4.2 -* Fri Oct 17 2014 Divya Thaluru 1.3.3-1 -- Initial build. First version +* Fri Oct 30 2020 Thomas Crain - 1.13.15-2 +- Patch CVE-2020-24553 + +* Tue Sep 08 2020 Nicolas Ontiveros - 1.13.15-1 +- Updated to version 1.13.15, which fixes CVE-2020-14039 and CVE-2020-16845. + +* Sun May 24 2020 Mateusz Malisz - 1.13.11-1 +- Updated to version 1.13.11 + +* Sat May 09 2020 Nick Samson - 1.12.5-7 +- Added %%license line automatically + +* Thu Apr 30 2020 Emre Girgin - 1.12.5-6 +- Renaming go to golang + +* Thu Apr 23 2020 Nicolas Ontiveros - 1.12.5-5 +- Fix CVE-2019-14809. + +* Fri Mar 27 2020 Andrew Phelps - 1.12.5-4 +- Support building standalone by adding go 1.4 bootstrap. + +* Thu Feb 27 2020 Henry Beberman - 1.12.5-3 +- Remove meta dependency on libc.so.6 + +* Thu Feb 6 2020 Andrew Phelps - 1.12.5-2 +- Remove ExtraBuildRequires + +* Tue Sep 03 2019 Mateusz Malisz - 1.12.5-1 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Mon Jan 21 2019 Bo Gan - 1.9.7-1 +- Update to 1.9.7 + +* Wed Oct 24 2018 Alexey Makhalov - 1.9.4-3 +- Use extra build requires + +* Mon Apr 02 2018 Dheeraj Shetty - 1.9.4-2 +- Fix for CVE-2018-7187 + +* Thu Mar 15 2018 Xiaolin Li - 1.9.4-1 +- Update to golang release v1.9.4 + +* Tue Nov 14 2017 Alexey Makhalov - 1.9.1-2 +- Aarch64 support + +* Wed Nov 01 2017 Vinay Kulkarni - 1.9.1-1 +- Update to golang release v1.9.1 + +* Wed May 31 2017 Xiaolin Li - 1.8.1-2 +- Remove mercurial from buildrequires and requires. + +* Tue Apr 11 2017 Danut Moraru - 1.8.1-1 +- Update Golang to version 1.8.1, updated patch0 + +* Wed Dec 28 2016 Xiaolin Li - 1.7.4-1 +- Updated Golang to 1.7.4. 
+ +* Thu Oct 06 2016 ChangLee - 1.6.3-2 +- Modified %check + +* Wed Jul 27 2016 Anish Swaminathan - 1.6.3-1 +- Update Golang to version 1.6.3 - fixes CVE 2016-5386 + +* Fri Jul 8 2016 Harish Udaiya Kumar - 1.6.2-1 +- Updated the Golang to version 1.6.2 + +* Thu Jun 2 2016 Priyesh Padmavilasom - 1.4.2-5 +- Fix script syntax + +* Tue May 24 2016 Priyesh Padmavilasom - 1.4.2-4 +- GA - Bump release of all rpms + +* Thu May 05 2016 Kumar Kaushik - 1.4.2-3 +- Handling upgrade scenario pre/post/un scripts. + +* Wed Dec 09 2015 Anish Swaminathan - 1.4.2-2 +- Edit post script. + +* Mon Aug 03 2015 Vinay Kulkarni - 1.4.2-1 +- Update to golang release version 1.4.2 + +* Fri Oct 17 2014 Divya Thaluru - 1.3.3-1 +- Initial build. First version diff --git a/SPECS/gpgme/gpgme.spec b/SPECS/gpgme/gpgme.spec index 1778480ec26..f247553b9f9 100644 --- a/SPECS/gpgme/gpgme.spec +++ b/SPECS/gpgme/gpgme.spec @@ -3,7 +3,7 @@ Summary: High-Level Crypto API Name: gpgme Version: 1.13.1 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ or LGPLv2+ URL: https://www.gnupg.org/(it)/related_software/gpgme/index.html Group: System Environment/Security @@ -70,7 +70,8 @@ rm -rf %{buildroot}/%{_infodir} %postun -p /sbin/ldconfig %check -make check +cd tests +make check-TESTS %files %defattr(-,root,root) @@ -99,6 +100,8 @@ make check %{python_sitearch}/gpg/ %changelog +* Tue Nov 10 2020 Andrew Phelps 1.13.1-6 +- Fix check test. * Thu Aug 20 2020 Mateusz Malisz 1.13.1-5 - Resolve file conflicts for shared objects. * Wed May 13 2020 Emre Girgin 1.13.1-4 diff --git a/SPECS/grub2/CVE-2020-15705.patch b/SPECS/grub2/CVE-2020-15705.patch new file mode 100644 index 00000000000..b8269075157 --- /dev/null +++ b/SPECS/grub2/CVE-2020-15705.patch 
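Review bot: `%check` in gpgme.spec now runs only `make check-TESTS` inside `tests/`, and automake's `check-TESTS` target normally covers just that directory's own TESTS, without recursing into subdirectories. Whatever the top-level `make check` exercised elsewhere (presumably the engine-specific suites and language bindings, to be confirmed against the source tree) therefore no longer gates the build. The changelog entry "Fix check test." does not say which failure motivated the narrowing. For a crypto API package, add a comment above `cd tests` naming what is skipped and why, e.g. `# Only tests/ is run: <reason>; <skipped suites> are not exercised`.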
@@ -0,0 +1,75 @@ +###################################### PATCH NOTICE ####################################### + +From Pawel Winogrodzki : + +The patch below has been backported to CBL-Mariner's version of the code. +Retained original version in terms of code changes, only affected line numbers have been +modified in order to be able to apply the patch. + +############################## ORIGINAL PATCH BELOW THIS LINE ############################## +commit 53d1b600123f4a8229a6bc43ffb27ebeaf9a4917 +Author: Dimitri John Ledkov +Date: Wed Jul 22 11:31:43 2020 +0100 + + linuxefi: fail kernel validation without shim protocol. + + If certificates that signed grub are installed into db, grub can be + booted directly. It will then boot any kernel without signature + validation. The booted kernel will think it was booted in secureboot + mode and will implement lockdown, yet it could have been tampered. + + CVE-2020-15705 + + Reported-by: Mathieu Trudel-Lapierre + 
Signed-off-by: Dimitri John Ledkov + +diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c +index a1ac7a3..83b19b7 100644 +--- a/grub-core/loader/arm64/linux.c ++++ b/grub-core/loader/arm64/linux.c +@@ -328,7 +328,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + grub_dprintf ("linux", "kernel @ %p\n", kernel_addr); + + rc = grub_linuxefi_secure_validate (kernel_addr, kernel_size); +- if (rc < 0) ++ if (rc <= 0) + { + grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"), argv[0]); + goto fail; +diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c +index 80f4492..6e741f4 100644 +--- a/grub-core/loader/efi/chainloader.c ++++ b/grub-core/loader/efi/chainloader.c +@@ -1084,6 +1084,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)), + + return 0; + } ++ // -1 fall-through to fail + + fail: + if (dev) +diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c +index 0622dfa..c42c47c 100644 +--- a/grub-core/loader/efi/linux.c ++++ b/grub-core/loader/efi/linux.c +@@ -33,6 +33,7 @@ struct grub_efi_shim_lock + }; + typedef struct grub_efi_shim_lock grub_efi_shim_lock_t; + ++// Returns 1 on success, -1 on error, 0 when not available + int + grub_linuxefi_secure_validate (void *data, grub_uint32_t size) + { +diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c +index ea9f513..9318fdb 100644 +--- a/grub-core/loader/i386/efi/linux.c ++++ b/grub-core/loader/i386/efi/linux.c +@@ -202,7 +202,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + grub_print_error(); + + rc = grub_linuxefi_secure_validate (kernel, filelen); +- if (rc < 0) ++ if (rc <= 0) + { + grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"), + argv[0]); diff --git a/SPECS/grub2/grub2.spec b/SPECS/grub2/grub2.spec index 0efc527c2c4..4d16dc1af79 100644 --- a/SPECS/grub2/grub2.spec +++ b/SPECS/grub2/grub2.spec 
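Review bot: With `rc <= 0`, the `0` case is reported through the same `"%s has invalid signature"` error as a real verification failure, in both grub-core/loader/arm64/linux.c and grub-core/loader/i386/efi/linux.c. Per the comment added above grub_linuxefi_secure_validate, `0` means the shim protocol is not available, so a boot log from a system started without shim is indistinguishable from one with a tampered kernel. The body of grub_linuxefi_secure_validate and the rest of grub_cmd_linux are outside the hunk, so it is worth confirming that the validator returns 1, not 0, when Secure Boot is disabled; otherwise systems that load GRUB directly would stop booting after this update. If the backport may diverge from the original, a separate message for `rc == 0` such as `N_("%s: shim lock protocol not found, cannot validate")` would help triage. Otherwise, record the behaviour in the PATCH NOTICE.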
@@ -3,141 +3,153 @@ Summary: GRand Unified Bootloader Name: grub2 Version: 2.02 -Release: 24%{?dist} +Release: 25%{?dist} License: GPLv3+ -URL: https://www.gnu.org/software/grub -Group: Applications/System Vendor: Microsoft Corporation Distribution: Mariner +Group: Applications/System +URL: https://www.gnu.org/software/grub Source0: ftp://ftp.gnu.org/gnu/grub/grub-2.02.tar.xz -Patch0: release-to-master.patch -Patch1: 0001-Add-support-for-Linux-EFI-stub-loading.patch -Patch2: 0002-Rework-linux-command.patch -Patch3: 0003-Rework-linux16-command.patch -Patch4: 0004-Add-secureboot-support-on-efi-chainloader.patch -Patch5: 0005-Make-any-of-the-loaders-that-link-in-efi-mode-honor-.patch -Patch6: 0006-Handle-multi-arch-64-on-32-boot-in-linuxefi-loader.patch - +Patch0: release-to-master.patch +Patch1: 0001-Add-support-for-Linux-EFI-stub-loading.patch +Patch2: 0002-Rework-linux-command.patch +Patch3: 0003-Rework-linux16-command.patch +Patch4: 0004-Add-secureboot-support-on-efi-chainloader.patch +Patch5: 0005-Make-any-of-the-loaders-that-link-in-efi-mode-honor-.patch +Patch6: 0006-Handle-multi-arch-64-on-32-boot-in-linuxefi-loader.patch # CVE-2015-8370 -Patch7: 0067-Fix-security-issue-when-reading-username-and-passwor.patch - -Patch8: 0127-Core-TPM-support.patch -Patch9: 0128-Measure-kernel-initrd.patch -Patch10: 0131-Measure-the-kernel-commandline.patch -Patch11: 0132-Measure-commands.patch -Patch12: 0133-Measure-multiboot-images-and-modules.patch -Patch13: 0135-Rework-TPM-measurements.patch -Patch14: 0136-Fix-event-log-prefix.patch -Patch15: 0139-Make-TPM-errors-less-fatal.patch -Patch16: 0156-TPM-Fix-hash_log_extend_event-function-prototype.patch -Patch17: 0157-TPM-Fix-compiler-warnings.patch -Patch18: 0216-Disable-multiboot-multiboot2-and-linux16-modules-on-.patch -Patch19: 0224-Rework-how-the-fdt-command-builds.patch - +Patch7: 0067-Fix-security-issue-when-reading-username-and-passwor.patch +Patch8: 0127-Core-TPM-support.patch +Patch9: 0128-Measure-kernel-initrd.patch 
+Patch10: 0131-Measure-the-kernel-commandline.patch +Patch11: 0132-Measure-commands.patch +Patch12: 0133-Measure-multiboot-images-and-modules.patch +Patch13: 0135-Rework-TPM-measurements.patch +Patch14: 0136-Fix-event-log-prefix.patch +Patch15: 0139-Make-TPM-errors-less-fatal.patch +Patch16: 0156-TPM-Fix-hash_log_extend_event-function-prototype.patch +Patch17: 0157-TPM-Fix-compiler-warnings.patch +Patch18: 0216-Disable-multiboot-multiboot2-and-linux16-modules-on-.patch +Patch19: 0224-Rework-how-the-fdt-command-builds.patch # These patches are not required but help to apply the BootHole patches and are # low risk to take on (mostly just additional security or bug fixes) -Patch20: 0001-chainloader-Fix-gcc9-error-Waddress-of-packed-member.patch -Patch21: 0001-efi-Fix-gcc9-error-Waddress-of-packed-member.patch -Patch22: 0001-hfsplus-Fix-gcc9-error-with-Waddress-of-packed-membe.patch -Patch23: 0001-btrfs-Move-the-error-logging-from-find_device-to-its.patch -Patch24: 0001-btrfs-Avoid-a-rescan-for-a-device-which-was-already-.patch -Patch25: 0001-multiboot2-Set-min-address-for-mbi-allocation-to-0x1.patch -Patch26: 0001-Add-missing-strtoull_test.c.patch -Patch27: 0001-misc-Make-grub_strtol-end-pointers-have-safer-const-.patch +Patch20: 0001-chainloader-Fix-gcc9-error-Waddress-of-packed-member.patch +Patch21: 0001-efi-Fix-gcc9-error-Waddress-of-packed-member.patch +Patch22: 0001-hfsplus-Fix-gcc9-error-with-Waddress-of-packed-membe.patch +Patch23: 0001-btrfs-Move-the-error-logging-from-find_device-to-its.patch +Patch24: 0001-btrfs-Avoid-a-rescan-for-a-device-which-was-already-.patch +Patch25: 0001-multiboot2-Set-min-address-for-mbi-allocation-to-0x1.patch +Patch26: 0001-Add-missing-strtoull_test.c.patch +Patch27: 0001-misc-Make-grub_strtol-end-pointers-have-safer-const-.patch # Start of BootHole security patches # CVE-2020-10713 - 0001-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch -Patch28: CVE-2020-10713.patch -Patch29: 
0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch -Patch30: 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch +Patch28: CVE-2020-10713.patch +Patch29: 0002-safemath-Add-some-arithmetic-primitives-that-check-f.patch +Patch30: 0003-calloc-Make-sure-we-always-have-an-overflow-checking.patch # CVE-2020-14308 - 0004-calloc-Use-calloc-at-most-places.patch -Patch31: CVE-2020-14308.patch +Patch31: CVE-2020-14308.patch # CVE-2020-14309 - 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch # CVE-2020-14310 - 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch # CVE-2020-14311 - 0005-malloc-Use-overflow-checking-primitives-where-we-do-.patch -Patch32: CVE-2020-14309.patch -Patch33: CVE-2020-14310.nopatch -Patch34: CVE-2020-14311.nopatch -Patch35: 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch -Patch36: 0007-font-Do-not-load-more-than-one-NAME-section.patch -Patch37: 0008-gfxmenu-Fix-double-free-in-load_image.patch -Patch38: 0009-xnu-Fix-double-free-in-grub_xnu_devprop_add_property.patch +Patch32: CVE-2020-14309.patch +Patch33: CVE-2020-14310.nopatch +Patch34: CVE-2020-14311.nopatch +Patch35: 0006-iso9660-Don-t-leak-memory-on-realloc-failures.patch +Patch36: 0007-font-Do-not-load-more-than-one-NAME-section.patch +Patch37: 0008-gfxmenu-Fix-double-free-in-load_image.patch +Patch38: 0009-xnu-Fix-double-free-in-grub_xnu_devprop_add_property.patch # Ignore the json double-free patch. Grub added a json library well after 2.02. # Revisit this if we want to enable LUKS2 encryption. # 0010-json-Avoid-a-double-free-when-parsing-fails.patch -Patch39: 0011-lzma-Make-sure-we-don-t-dereference-past-array.patch -Patch40: 0012-term-Fix-overflow-on-user-inputs.patch -Patch41: 0013-udf-Fix-memory-leak.patch +Patch39: 0011-lzma-Make-sure-we-don-t-dereference-past-array.patch +Patch40: 0012-term-Fix-overflow-on-user-inputs.patch +Patch41: 0013-udf-Fix-memory-leak.patch # Ignore the multiboot memleak patch. 
The patch is to fix a memleak that was # introduced with Grub's verifiers feature, which landed after 2.02. # Revisit this if we want to enable the verifiers feature. # 0014-multiboot2-Fix-memory-leak-if-grub_create_loader_cmd.patch -Patch42: 0015-tftp-Do-not-use-priority-queue.patch -Patch43: 0016-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch -Patch44: 0017-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch -Patch45: 0018-script-Remove-unused-fields-from-grub_script_functio.patch +Patch42: 0015-tftp-Do-not-use-priority-queue.patch +Patch43: 0016-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch +Patch44: 0017-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch +Patch45: 0018-script-Remove-unused-fields-from-grub_script_functio.patch # CVE-2020-15706 - 0019-script-Avoid-a-use-after-free-when-redefining-a-func.patch -Patch46: CVE-2020-15706.patch -Patch47: 0020-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch -Patch48: 0021-hfsplus-Fix-two-more-overflows.patch -Patch49: 0022-lvm-Fix-two-more-potential-data-dependent-alloc-over.patch -Patch50: 0023-emu-Make-grub_free-NULL-safe.patch -Patch51: 0024-efi-Fix-some-malformed-device-path-arithmetic-errors.patch -Patch52: 0025-efi-chainloader-Propagate-errors-from-copy_file_path.patch -Patch53: 0026-efi-Fix-use-after-free-in-halt-reboot-path.patch -Patch54: 0027-loader-linux-Avoid-overflow-on-initrd-size-calculati.patch +Patch46: CVE-2020-15706.patch +Patch47: 0020-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch +Patch48: 0021-hfsplus-Fix-two-more-overflows.patch +Patch49: 0022-lvm-Fix-two-more-potential-data-dependent-alloc-over.patch +Patch50: 0023-emu-Make-grub_free-NULL-safe.patch +Patch51: 0024-efi-Fix-some-malformed-device-path-arithmetic-errors.patch +Patch52: 0025-efi-chainloader-Propagate-errors-from-copy_file_path.patch +Patch53: 0026-efi-Fix-use-after-free-in-halt-reboot-path.patch +Patch54: 0027-loader-linux-Avoid-overflow-on-initrd-size-calculati.patch # 
CVE-2020-15707 - 0028-linux-Fix-integer-overflows-in-initrd-size-handling.patch -Patch55: CVE-2020-15707.patch +Patch55: CVE-2020-15707.patch +# CVE-2020-15705 - 0029-linuxefi-fail-kernel-validation-without-shim-protocol.patch +# Patch adjusted to CBL-Mariner's git code. See comments inside the patch for more info. +# Original version: https://bugzilla.suse.com/attachment.cgi?id=839944 (https://bugzilla.suse.com/show_bug.cgi?id=1174421). +Patch56: CVE-2020-15705.patch + # End of BootHole security patches -Patch100: 0001-efinet-do-not-start-EFI-networking-at-module-init-ti.patch +Patch100: 0001-efinet-do-not-start-EFI-networking-at-module-init-ti.patch BuildRequires: device-mapper-devel -BuildRequires: xz-devel BuildRequires: systemd-devel -Requires: xz -Requires: device-mapper +BuildRequires: xz-devel + +Requires: device-mapper +Requires: xz + %description The GRUB package contains the GRand Unified Bootloader. %package lang -Summary: Additional language files for grub -Group: System Environment/Programming -Requires: %{name} = %{version} +Summary: Additional language files for grub +Group: System Environment/Programming + +Requires: %{name} = %{version} + %description lang These are the additional language files of grub. 
%ifarch x86_64 %package pc -Summary: GRUB Library for BIOS -Group: System Environment/Programming -Requires: %{name} = %{version} +Summary: GRUB Library for BIOS +Group: System Environment/Programming + +Requires: %{name} = %{version} + %description pc Additional library files for grub %endif %package efi -Summary: GRUB Library for UEFI -Group: System Environment/Programming -Requires: %{name} = %{version} +Summary: GRUB Library for UEFI +Group: System Environment/Programming + +Requires: %{name} = %{version} + %description efi Additional library files for grub %package efi-unsigned -Summary: Unsigned GRUB UEFI image -Group: System Environment/Base +Summary: Unsigned GRUB UEFI image +Group: System Environment/Base + %description efi-unsigned Unsigned GRUB UEFI image %package efi-binary -Summary: GRUB UEFI image -Group: System Environment/Base +Summary: GRUB UEFI image +Group: System Environment/Base + %description efi-binary GRUB UEFI bootloader binaries %prep -%setup -qn grub-%{version} +%setup -q -n grub-%{version} %patch0 -p1 %patch1 -p1 %patch2 -p1 @@ -196,6 +208,7 @@ GRUB UEFI bootloader binaries %patch53 -p1 %patch54 -p1 %patch55 -p1 +%patch56 -p1 %build ./autogen.sh 
@@ -275,12 +288,12 @@ chmod 600 %{buildroot}/boot/%{name}/grub.cfg rm -rf %{buildroot}%{_infodir} # Generate grub efi image -install -d %{buildroot}/usr/share/grub2-efi +install -d %{buildroot}%{_datadir}/grub2-efi %ifarch x86_64 -./install-for-efi/usr/bin/grub2-mkimage -d ./install-for-efi/usr/lib/grub/x86_64-efi/ -o %{buildroot}/usr/share/grub2-efi/grubx64.efi -p /boot/grub2 -O x86_64-efi fat iso9660 part_gpt part_msdos normal boot linux configfile loopback chain efifwsetup efi_gop efi_uga ls search search_label search_fs_uuid search_fs_file gfxterm gfxterm_background gfxterm_menu test all_video loadenv exfat ext2 udf halt gfxmenu png tga lsefi help probe echo lvm cryptodisk luks gcry_rijndael gcry_sha512 +./install-for-efi/usr/bin/grub2-mkimage -d ./install-for-efi/usr/lib/grub/x86_64-efi/ -o %{buildroot}%{_datadir}/grub2-efi/grubx64.efi -p /boot/grub2 -O x86_64-efi fat iso9660 part_gpt part_msdos normal boot linux configfile loopback chain efifwsetup efi_gop efi_uga ls search search_label search_fs_uuid search_fs_file gfxterm gfxterm_background gfxterm_menu test all_video loadenv exfat ext2 udf halt gfxmenu png tga lsefi help probe echo lvm cryptodisk luks gcry_rijndael gcry_sha512 %endif %ifarch aarch64 -./install-for-efi/usr/bin/grub2-mkimage -d ./install-for-efi/usr/lib/grub/arm64-efi/ -o %{buildroot}/usr/share/grub2-efi/grubaa64.efi -p /boot/grub2 -O arm64-efi fat iso9660 part_gpt part_msdos normal boot linux configfile loopback chain efifwsetup efi_gop ls search search_label search_fs_uuid search_fs_file gfxterm gfxterm_background gfxterm_menu test all_video loadenv exfat ext2 udf halt gfxmenu png tga lsefi help probe echo lvm cryptodisk luks gcry_rijndael gcry_sha512 +./install-for-efi/usr/bin/grub2-mkimage -d ./install-for-efi/usr/lib/grub/arm64-efi/ -o %{buildroot}%{_datadir}/grub2-efi/grubaa64.efi -p /boot/grub2 -O arm64-efi fat iso9660 part_gpt part_msdos normal boot linux configfile loopback chain efifwsetup efi_gop ls search search_label 
search_fs_uuid search_fs_file gfxterm gfxterm_background gfxterm_menu test all_video loadenv exfat ext2 udf halt gfxmenu png tga lsefi help probe echo lvm cryptodisk luks gcry_rijndael gcry_sha512 %endif # Install to efi directory @@ -292,12 +305,12 @@ install -d $EFI_BOOT_DIR %ifarch x86_64 GRUB_MODULE_NAME=grubx64.efi -GRUB_MODULE_SOURCE=%{buildroot}/usr/share/grub2-efi/grubx64.efi +GRUB_MODULE_SOURCE=%{buildroot}%{_datadir}/grub2-efi/grubx64.efi %endif %ifarch aarch64 GRUB_MODULE_NAME=grubaa64.efi -GRUB_MODULE_SOURCE=%{buildroot}/usr/share/grub2-efi/grubaa64.efi +GRUB_MODULE_SOURCE=%{buildroot}%{_datadir}/grub2-efi/grubaa64.efi %endif cp $GRUB_MODULE_SOURCE $EFI_BOOT_DIR/$GRUB_MODULE_NAME @@ -328,12 +341,13 @@ cp $GRUB_MODULE_SOURCE $EFI_BOOT_DIR/$GRUB_MODULE_NAME %ifarch x86_64 %files pc %{_libdir}/grub/i386-pc + %files efi %{_libdir}/grub/x86_64-efi %endif %files efi-unsigned -/usr/share/grub2-efi/* +%{_datadir}/grub2-efi/* %files efi-binary %ifarch x86_64 
@@ -353,64 +367,91 @@ cp $GRUB_MODULE_SOURCE $EFI_BOOT_DIR/$GRUB_MODULE_NAME %{_datarootdir}/locale/* %changelog -* Thu Aug 13 2020 Chris Co 2.02-24 -- Remove signed subpackage and macro -* Thu Jul 30 2020 Chris Co 2.02-23 -- Fix CVE-2020-10713 (BootHole) -- Fix CVE-2020-14308 -- Fix CVE-2020-14309 -- Fix CVE-2020-14310 -- Fix CVE-2020-14311 -- Fix CVE-2020-15706 -- Fix CVE-2020-15707 -* Wed Jul 22 2020 Joe Schmitt 2.02-22 -- Always include Patch100, but conditionally apply it. -- Switch URL to https. -* Tue Jun 30 2020 Nicolas Ontiveros 2.02-21 -- Add cryptodisk, luks, gcry_rijndael and gcry_sha512 modules to EFI files. -* Fri Jun 19 2020 Chris Co 2.02-20 -- Add grub2-efi-binary subpackage -- Add grub2-efi-binary-signed subpackage and macros for adding offline signed grub binaries -* Mon Jun 01 2020 Henry Beberman 2.02-19 -- Address compilation errors from hardened cflags. -* Tue May 26 2020 Emre Girgin 2.02-18 -- Change /boot directory permissions to 600. -* Fri May 22 2020 Chris Co - 2.02-17 -- Create grubaa64.efi as part of the grub2-efi-unsigned subpackage -* Wed May 13 2020 Nick Samson - 2.02-16 -- Added %%license line automatically -* Mon May 11 2020 Chris Co 2.02-15 -- Create new grub2-efi-unsigned subpackage containing grubx64.efi -* Thu Apr 30 2020 Chris Co 2.02-14 -- Add fdt rework patch to fix aarch64 build errors -- Enable aarch64 build -* Tue Sep 03 2019 Mateusz Malisz 2.02-13 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Thu Feb 21 2019 Alexey Makhalov 2.02-12 -- Update grub version from ~rc3 to release. -- Enhance SB + TPM support (19 patches from grub2-2.02-70.fc30) -- Remove i386-pc modules from grub2-efi -* Fri Jan 25 2019 Alexey Makhalov 2.02-11 -- Disable efinet for aarch64 to workwround NXP ls1012a frwy PFE bug. 
-* Tue Nov 14 2017 Alexey Makhalov 2.02-10 -- Aarch64 support -* Fri Jun 2 2017 Bo Gan 2.02-9 -- Split grub2 to grub2 and grub2-pc, remove grub2-efi spec -* Fri Apr 14 2017 Alexey Makhalov 2.02-8 -- Version update to 2.02~rc2 -* Fri Nov 18 2016 Anish Swaminathan 2.02-7 -- Add fix for CVE-2015-8370 -* Fri Nov 18 2016 Anish Swaminathan 2.02-6 -- Change systemd dependency -* Thu Oct 06 2016 ChangLee 2.02-5 -- Modified %check -* Tue May 24 2016 Priyesh Padmavilasom 2.02-4 -- GA - Bump release of all rpms -* Fri Oct 02 2015 Divya Thaluru 2.02-3 -- Adding patch to boot entries with out password. -* Wed Jul 22 2015 Divya Thaluru 2.02-2 -- Changing program name from grub to grub2. -* Mon Jun 29 2015 Divya Thaluru 2.02-1 -- Updating grub to 2.02 -* Wed Nov 5 2014 Divya Thaluru 2.00-1 -- Initial build. First version +* Fri Oct 30 2020 Pawel Winogrodzki - 2.02-25 +- Fix CVE-2020-15705 (BootHole cont.). + +* Thu Aug 13 2020 Chris Co - 2.02-24 +- Remove signed subpackage and macro + +* Thu Jul 30 2020 Chris Co - 2.02-23 +- Fix CVE-2020-10713 (BootHole) +- Fix CVE-2020-14308 +- Fix CVE-2020-14309 +- Fix CVE-2020-14310 +- Fix CVE-2020-14311 +- Fix CVE-2020-15706 +- Fix CVE-2020-15707 + +* Wed Jul 22 2020 Joe Schmitt - 2.02-22 +- Always include Patch100, but conditionally apply it. +- Switch URL to https. + +* Tue Jun 30 2020 Nicolas Ontiveros - 2.02-21 +- Add cryptodisk, luks, gcry_rijndael and gcry_sha512 modules to EFI files. + +* Fri Jun 19 2020 Chris Co - 2.02-20 +- Add grub2-efi-binary subpackage +- Add grub2-efi-binary-signed subpackage and macros for adding offline signed grub binaries + +* Mon Jun 01 2020 Henry Beberman - 2.02-19 +- Address compilation errors from hardened cflags. + +* Tue May 26 2020 Emre Girgin - 2.02-18 +- Change /boot directory permissions to 600. 
+ +* Fri May 22 2020 Chris Co - 2.02-17 +- Create grubaa64.efi as part of the grub2-efi-unsigned subpackage + +* Wed May 13 2020 Nick Samson - 2.02-16 +- Added %%license line automatically + +* Mon May 11 2020 Chris Co - 2.02-15 +- Create new grub2-efi-unsigned subpackage containing grubx64.efi + +* Thu Apr 30 2020 Chris Co - 2.02-14 +- Add fdt rework patch to fix aarch64 build errors +- Enable aarch64 build + +* Tue Sep 03 2019 Mateusz Malisz - 2.02-13 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Thu Feb 21 2019 Alexey Makhalov - 2.02-12 +- Update grub version from ~rc3 to release. +- Enhance SB + TPM support (19 patches from grub2-2.02-70.fc30) +- Remove i386-pc modules from grub2-efi + +* Fri Jan 25 2019 Alexey Makhalov - 2.02-11 +- Disable efinet for aarch64 to workwround NXP ls1012a frwy PFE bug. + +* Tue Nov 14 2017 Alexey Makhalov - 2.02-10 +- Aarch64 support + +* Fri Jun 2 2017 Bo Gan - 2.02-9 +- Split grub2 to grub2 and grub2-pc, remove grub2-efi spec + +* Fri Apr 14 2017 Alexey Makhalov - 2.02-8 +- Version update to 2.02~rc2 + +* Fri Nov 18 2016 Anish Swaminathan - 2.02-7 +- Add fix for CVE-2015-8370 + +* Fri Nov 18 2016 Anish Swaminathan - 2.02-6 +- Change systemd dependency + +* Thu Oct 06 2016 ChangLee - 2.02-5 +- Modified %check + +* Tue May 24 2016 Priyesh Padmavilasom - 2.02-4 +- GA - Bump release of all rpms + +* Fri Oct 02 2015 Divya Thaluru - 2.02-3 +- Adding patch to boot entries with out password. + +* Wed Jul 22 2015 Divya Thaluru - 2.02-2 +- Changing program name from grub to grub2. + +* Mon Jun 29 2015 Divya Thaluru - 2.02-1 +- Updating grub to 2.02 + +* Wed Nov 5 2014 Divya Thaluru - 2.00-1 +- Initial build. First version diff --git a/SPECS/heimdal/fix_test_rand_build_failure.patch b/SPECS/heimdal/fix_test_rand_build_failure.patch new file mode 100644 index 00000000000..171a32c8e51 --- /dev/null +++ b/SPECS/heimdal/fix_test_rand_build_failure.patch 
@@ -0,0 +1,24 @@ +diff -ur heimdal-7.7.0-orig/lib/hcrypto/Makefile.am heimdal-7.7.0/lib/hcrypto/Makefile.am +--- heimdal-7.7.0-orig/lib/hcrypto/Makefile.am 2019-06-07 06:21:35.000000000 +0000 ++++ heimdal-7.7.0/lib/hcrypto/Makefile.am 2020-09-11 22:54:02.955215077 +0000 +@@ -297,7 +297,7 @@ + libtommath/bn_mp_to_unsigned_bin_n.c + + +-$(libhcrypto_la_OBJECTS): hcrypto-link ++$(libhcrypto_la_OBJECTS) $(test_rand_OBJECTS): hcrypto-link + + libhcrypto_la_CPPFLAGS = -DBUILD_HCRYPTO_LIB $(AM_CPPFLAGS) + +diff -ur heimdal-7.7.0-orig/lib/hx509/Makefile.am heimdal-7.7.0/lib/hx509/Makefile.am +--- heimdal-7.7.0-orig/lib/hx509/Makefile.am 2019-06-07 06:21:35.000000000 +0000 ++++ heimdal-7.7.0/lib/hx509/Makefile.am 2020-09-12 00:13:46.535536094 +0000 +@@ -164,7 +164,7 @@ + dist_hxtool_SOURCES = hxtool.c + nodist_hxtool_SOURCES = hxtool-commands.c hxtool-commands.h + +-$(hxtool_OBJECTS): hxtool-commands.h hx509_err.h ++$(hxtool_OBJECTS): hxtool-commands.h hx509_err.h $(nodist_include_HEADERS) + + hxtool_LDADD = \ + libhx509.la \ diff --git a/SPECS/heimdal/heimdal-1.6.0-c25f45a-rename-commands.patch b/SPECS/heimdal/heimdal-1.6.0-c25f45a-rename-commands.patch new file mode 100644 index 00000000000..bc0f92bae23 --- /dev/null +++ b/SPECS/heimdal/heimdal-1.6.0-c25f45a-rename-commands.patch 
@@ -0,0 +1,55 @@ +From 15d0c5593079f0c75b0e3ed9209e549e5d2e7822 Mon Sep 17 00:00:00 2001 +From: Ken Dreyer +Date: Wed, 28 May 2014 15:00:44 -0600 +Subject: [PATCH 1/2] Fedora: add heimdal- prefixes to heimtools cmds + +The Fedora Heimdal package renames the klist and kswitch commands in +/usr/bin to use "heimdal-" prefixes in order to avoid conflicting with +MIT's utilities. + +Add these "heimdal-" names to the heimtools command configuration so +that heimtools will recognize the commands under the new names as well +as the old names. +--- + kuser/heimtools-commands.in | 2 ++ + kuser/heimtools.c | 4 ++-- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kuser/heimtools-commands.in b/kuser/heimtools-commands.in +index b22a8c5..62388ce 100644 +--- a/kuser/heimtools-commands.in ++++ b/kuser/heimtools-commands.in +@@ -34,6 +34,7 @@ + command = { + name = "klist" + name = "list" ++ name = "heimdal-klist" + help = "List kerberos tickets" + option = { + long = "cache" +@@ -136,6 +137,7 @@ command = { + command = { + name = "kswitch" + name = "switch" ++ name = "heimdal-kswitch" + help = "Switch default kerberos cache" + option = { + long = "type" +diff --git a/kuser/heimtools.c b/kuser/heimtools.c +index 70b23d6..c1ef60e 100644 +--- a/kuser/heimtools.c ++++ b/kuser/heimtools.c +@@ -89,8 +89,8 @@ static int + command_alias(const char *name) + { + const char *aliases[] = { +- "kinit", "klist", "kswitch", "kgetcred", "kvno", "kdeltkt", +- "kdestroy", "kcpytkt", NULL ++ "kinit", "klist", "heimdal-klist", "kswitch", "heimdal-kswitch", ++ "kgetcred", "kvno", "kdeltkt", "kdestroy", "kcpytkt", NULL + }, **p = aliases; + + while (*p && strcmp(name, *p) != 0) +-- +1.9.3 + diff --git a/SPECS/heimdal/heimdal-7.5.0-explicit-python2.patch b/SPECS/heimdal/heimdal-7.5.0-explicit-python2.patch new file mode 100644 index 00000000000..a96b18ae048 --- /dev/null +++ b/SPECS/heimdal/heimdal-7.5.0-explicit-python2.patch 
@@ -0,0 +1,156 @@ +Index: heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/hx509/quote.py +=================================================================== +--- heimdal-3e58559362dd3f485e6d6659d587a9169a131391.orig/lib/hx509/quote.py ++++ heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/hx509/quote.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/python2 + # -*- coding: utf-8 -*- + # + # Copyright (c) 2010 Kungliga Tekniska Högskolan +Index: heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/Makefile.am +=================================================================== +--- heimdal-3e58559362dd3f485e6d6659d587a9169a131391.orig/lib/wind/Makefile.am ++++ heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/Makefile.am +@@ -89,7 +89,7 @@ idn_lookup_SOURCES = idn-lookup.c + + LDADD = libwind.la $(LIB_roken) + +-PYTHON = python ++PYTHON = python2 + + if !MAINTAINER_MODE + skip_python = test -f $@ || +Index: heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/UnicodeData.py +=================================================================== +--- heimdal-3e58559362dd3f485e6d6659d587a9169a131391.orig/lib/wind/UnicodeData.py ++++ heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/UnicodeData.py +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/python ++#!/usr/bin/python2 + # -*- coding: iso-8859-1 -*- + + # $Id$ +Index: heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/gen-bidi.py +=================================================================== +--- heimdal-3e58559362dd3f485e6d6659d587a9169a131391.orig/lib/wind/gen-bidi.py ++++ heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/gen-bidi.py +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/python ++#!/usr/bin/python2 + # -*- coding: iso-8859-1 -*- + + # $Id$ +Index: heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/gen-combining.py +=================================================================== +--- heimdal-3e58559362dd3f485e6d6659d587a9169a131391.orig/lib/wind/gen-combining.py 
++++ heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/gen-combining.py +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/python ++#!/usr/bin/python2 + # -*- coding: iso-8859-1 -*- + + # $Id$ +Index: heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/gen-errorlist.py +=================================================================== +--- heimdal-3e58559362dd3f485e6d6659d587a9169a131391.orig/lib/wind/gen-errorlist.py ++++ heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/gen-errorlist.py +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/python ++#!/usr/bin/python2 + # -*- coding: iso-8859-1 -*- + + # $Id$ +Index: heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/gen-map.py +=================================================================== +--- heimdal-3e58559362dd3f485e6d6659d587a9169a131391.orig/lib/wind/gen-map.py ++++ heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/gen-map.py +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/python ++#!/usr/bin/python2 + # -*- coding: iso-8859-1 -*- + + # $Id$ +Index: heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/gen-normalize.py +=================================================================== +--- heimdal-3e58559362dd3f485e6d6659d587a9169a131391.orig/lib/wind/gen-normalize.py ++++ heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/gen-normalize.py +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/python ++#!/usr/bin/python2 + # -*- coding: iso-8859-1 -*- + + # $Id$ +Index: heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/gen-punycode-examples.py +=================================================================== +--- heimdal-3e58559362dd3f485e6d6659d587a9169a131391.orig/lib/wind/gen-punycode-examples.py ++++ heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/gen-punycode-examples.py +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/python ++#!/usr/bin/python2 + # -*- coding: iso-8859-1 -*- + + # $Id$ +Index: heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/generate.py 
+=================================================================== +--- heimdal-3e58559362dd3f485e6d6659d587a9169a131391.orig/lib/wind/generate.py ++++ heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/generate.py +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/python ++#!/usr/bin/python2 + # -*- coding: iso-8859-1 -*- + + # $Id$ +Index: heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/rfc3454.py +=================================================================== +--- heimdal-3e58559362dd3f485e6d6659d587a9169a131391.orig/lib/wind/rfc3454.py ++++ heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/rfc3454.py +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/python ++#!/usr/bin/python2 + # -*- coding: iso-8859-1 -*- + + # $Id$ +Index: heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/rfc4518.py +=================================================================== +--- heimdal-3e58559362dd3f485e6d6659d587a9169a131391.orig/lib/wind/rfc4518.py ++++ heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/rfc4518.py +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/python ++#!/usr/bin/python2 + # -*- coding: iso-8859-1 -*- + + # $Id$ +Index: heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/stringprep.py +=================================================================== +--- heimdal-3e58559362dd3f485e6d6659d587a9169a131391.orig/lib/wind/stringprep.py ++++ heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/stringprep.py +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/python ++#!/usr/bin/python2 + # -*- coding: iso-8859-1 -*- + + # $Id$ +Index: heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/util.py +=================================================================== +--- heimdal-3e58559362dd3f485e6d6659d587a9169a131391.orig/lib/wind/util.py ++++ heimdal-3e58559362dd3f485e6d6659d587a9169a131391/lib/wind/util.py +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/python ++#!/usr/bin/python2 + # -*- coding: iso-8859-1 -*- + + # $Id$ +Index: 
heimdal-3e58559362dd3f485e6d6659d587a9169a131391/windows/NTMakefile.w32 +=================================================================== +--- heimdal-3e58559362dd3f485e6d6659d587a9169a131391.orig/windows/NTMakefile.w32 ++++ heimdal-3e58559362dd3f485e6d6659d587a9169a131391/windows/NTMakefile.w32 +@@ -120,7 +120,7 @@ RC=rc + AWK_CMD=gawk.exe + YACC_CMD=bison.exe + LEX_CMD=flex.exe +-PYTHON=python.exe ++PYTHON=python2.exe + PERL=perl.exe + CMP=cmp.exe + MAKECAT=makecat.exe diff --git a/SPECS/heimdal/heimdal-7.7.0-configure.patch b/SPECS/heimdal/heimdal-7.7.0-configure.patch new file mode 100644 index 00000000000..23f116ce496 --- /dev/null +++ b/SPECS/heimdal/heimdal-7.7.0-configure.patch @@ -0,0 +1,17 @@ +--- a/cf/check-var.m4 2013-04-24 20:07:35.000000000 -0600 ++++ b/cf/check-var.m4 2020-01-07 11:36:36.493955390 -0700 +@@ -6,12 +6,12 @@ AC_MSG_CHECKING(for $1) + AC_CACHE_VAL(ac_cv_var_$1, [ + m4_ifval([$2],[ + AC_LINK_IFELSE([AC_LANG_PROGRAM([[$2 +- void * foo(void) { return &$1; }]],[[foo()]])], ++ __attribute__ ((used)) void * foo(void) { return &$1; }]],[[foo()]])], + [ac_cv_var_$1=yes],[ac_cv_var_$1=no])]) + if test "$ac_cv_var_$1" != yes ; then + AC_LINK_IFELSE([AC_LANG_PROGRAM([[$2 + extern int $1; +-int foo(void) { return $1; }]],[[foo()]])], ++__attribute__ ((used)) int foo(void) { return $1; }]],[[foo()]])], + [ac_cv_var_$1=yes],[ac_cv_var_$1=no]) + fi + ]) diff --git a/SPECS/heimdal/heimdal-bashrc b/SPECS/heimdal/heimdal-bashrc new file mode 100644 index 00000000000..ceb7de64d86 --- /dev/null +++ b/SPECS/heimdal/heimdal-bashrc @@ -0,0 +1,7 @@ +alias kinit="/usr/bin/kinit.heimdal" +alias kdestroy="/usr/bin/kdestroy.heimdal" +alias klist="/usr/bin/klist.heimdal" +alias kpasswd="/usr/bin/kpasswd.heimdal" +alias kadmin="/usr/sbin/kadmin.heimdal" +alias krb5-config="/usr/bin/krb5-config.heimdal" +alias ktutil="/usr/sbin/ktutil.heimdal" 
diff --git a/SPECS/heimdal/heimdal-ipropd-master.init b/SPECS/heimdal/heimdal-ipropd-master.init
new file mode 100644
index 00000000000..4931f0a71f4
--- /dev/null
+++ b/SPECS/heimdal/heimdal-ipropd-master.init
@@ -0,0 +1,102 @@
+#! /bin/sh
+#
+# ipropd-master Startup script for Heimdal ipropd-master
+#
+# chkconfig: - 39 61
+# description: Starts and stops the Heimdal ipropd-master
+
+### BEGIN INIT INFO
+# Provides: ipropd-master
+# Required-Start: $local_fs $network $named
+# Required-Stop: $local_fs $network
+# Default-Start:
+# Default-Stop:
+# Short-Description: Starts and stops the Heimdal ipropd-master
+# Description: Heimdal ipropd-master implements incremental propagation
+### END INIT INFO
+
+[ -f /etc/rc.d/init.d/functions ] && . /etc/rc.d/init.d/functions
+
+exec=/usr/libexec/ipropd-master
+prog=ipropd-master
+MASTER_ARGS="--detach"
+[ -e /etc/sysconfig/heimdal ] && . /etc/sysconfig/heimdal
+args="${MASTER_ARGS}"
+
+lockfile=/var/lock/subsys/$prog
+
+start() {
+ [ -x $exec ] || exit 5
+ [ -f $config ] || exit 6
+ echo -n $"Starting $prog: "
+ daemon "$exec $args"
+ retval=$?
+ echo
+ [ $retval -eq 0 ] && touch $lockfile
+ return $retval
+}
+
+stop() {
+ echo -n $"Stopping $prog: "
+ killproc "$prog"
+ retval=$?
+ echo
+ [ $retval -eq 0 ] && rm -f $lockfile
+ return $retval
+}
+
+restart() {
+ stop
+ start
+}
+
+reload() {
+ restart
+}
+
+force_reload() {
+ restart
+}
+
+rh_status() {
+ # run checks to determine if the service is running or use generic status
+ status $prog
+}
+
+rh_status_q() {
+ rh_status >/dev/null 2>&1
+}
+
+
+case "$1" in
+ start)
+ rh_status_q && exit 0
+ $1
+ ;;
+ stop)
+ rh_status_q || exit 0
+ $1
+ ;;
+ restart)
+ $1
+ ;;
+ reload)
+ rh_status_q || exit 7
+ $1
+ ;;
+ force-reload)
+ force_reload
+ ;;
+ status)
+ rh_status
+ ;;
+ condrestart|try-restart)
+ rh_status_q || exit 0
+ restart
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+ exit 2
+esac
+exit $?
+
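Review bot: In `start()`, `[ -f $config ] || exit 6` can never fail as written, because `config` is not assigned anywhere in this script and an unquoted empty expansion leaves `[ -f ]`, which is true; unless the sourced /etc/sysconfig/heimdal sets it, the missing-configuration check is dead code. Either assign `config` to the daemon's configuration file and quote it, `[ -f "$config" ] || exit 6`, or remove the line. The same line appears in heimdal-ipropd-slave.init, heimdal-kadmind.init, heimdal-kdc.init and heimdal-kpasswdd.init. `[ -x $exec ]` and `touch $lockfile` would also be safer quoted, since /etc/sysconfig/heimdal is sourced after `exec` and `prog` are set and can override them.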
diff --git a/SPECS/heimdal/heimdal-ipropd-master.service b/SPECS/heimdal/heimdal-ipropd-master.service
new file mode 100644
index 00000000000..c873f72f786
--- /dev/null
+++ b/SPECS/heimdal/heimdal-ipropd-master.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Heimdal ipropd-master incremental propagation service
+Documentation=man:iprop(8) info:heimdal http://www.h5l.org/
+After=syslog.target network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/libexec/ipropd-master --detach
+PIDFile=/var/run/ipropd-master.pid
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SPECS/heimdal/heimdal-ipropd-slave-wrapper b/SPECS/heimdal/heimdal-ipropd-slave-wrapper
new file mode 100644
index 00000000000..6b7e2b4499a
--- /dev/null
+++ b/SPECS/heimdal/heimdal-ipropd-slave-wrapper
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e; set -o pipefail
+
+. /etc/sysconfig/heimdal
+
+if [[ -z "$MASTER" ]]; then
+ echo >&2 "MASTER must be specified in /etc/sysconfig/heimdal"
+ exit 1
+fi
+
+exec /usr/libexec/ipropd-slave --detach "$MASTER"
diff --git a/SPECS/heimdal/heimdal-ipropd-slave.init b/SPECS/heimdal/heimdal-ipropd-slave.init
new file mode 100644
index 00000000000..78d60e905e7
--- /dev/null
+++ b/SPECS/heimdal/heimdal-ipropd-slave.init
@@ -0,0 +1,102 @@
+#! /bin/sh
+#
+# ipropd-slave Startup script for Heimdal ipropd-slave
+#
+# chkconfig: - 39 61
+# description: Starts and stops the Heimdal ipropd-slave
+
+### BEGIN INIT INFO
+# Provides: ipropd-slave
+# Required-Start: $local_fs $network $named
+# Required-Stop: $local_fs $network
+# Default-Start:
+# Default-Stop:
+# Short-Description: Starts and stops the Heimdal ipropd-slave
+# Description: Heimdal ipropd-slave implements incremental propagation
+### END INIT INFO
+
+[ -f /etc/rc.d/init.d/functions ] && . /etc/rc.d/init.d/functions
+
+exec=/usr/libexec/ipropd-slave
+prog=ipropd-slave
+SLAVE_ARGS="--detach"
+[ -e /etc/sysconfig/heimdal ] && . /etc/sysconfig/heimdal
+args="${SLAVE_ARGS} ${MASTER}"
+
+lockfile=/var/lock/subsys/$prog
+
+start() {
+ [ -x $exec ] || exit 5
+ [ -f $config ] || exit 6
+ echo -n $"Starting $prog: "
+ daemon "$exec $args"
+ retval=$?
+ echo
+ [ $retval -eq 0 ] && touch $lockfile
+ return $retval
+}
+
+stop() {
+ echo -n $"Stopping $prog: "
+ killproc "$prog"
+ retval=$?
+ echo
+ [ $retval -eq 0 ] && rm -f $lockfile
+ return $retval
+}
+
+restart() {
+ stop
+ start
+}
+
+reload() {
+ restart
+}
+
+force_reload() {
+ restart
+}
+
+rh_status() {
+ # run checks to determine if the service is running or use generic status
+ status $prog
+}
+
+rh_status_q() {
+ rh_status >/dev/null 2>&1
+}
+
+
+case "$1" in
+ start)
+ rh_status_q && exit 0
+ $1
+ ;;
+ stop)
+ rh_status_q || exit 0
+ $1
+ ;;
+ restart)
+ $1
+ ;;
+ reload)
+ rh_status_q || exit 7
+ $1
+ ;;
+ force-reload)
+ force_reload
+ ;;
+ status)
+ rh_status
+ ;;
+ condrestart|try-restart)
+ rh_status_q || exit 0
+ restart
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+ exit 2
+esac
+exit $?
+
diff --git a/SPECS/heimdal/heimdal-ipropd-slave.service b/SPECS/heimdal/heimdal-ipropd-slave.service
new file mode 100644
index 00000000000..82171908eb8
--- /dev/null
+++ b/SPECS/heimdal/heimdal-ipropd-slave.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Heimdal ipropd-slave incremental propagation service
+Documentation=man:iprop(8) info:heimdal http://www.h5l.org/
+After=syslog.target network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/libexec/ipropd-slave-wrapper
+PIDFile=/var/run/ipropd-slave.pid
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SPECS/heimdal/heimdal-kadmind.init b/SPECS/heimdal/heimdal-kadmind.init
new file mode 100644
index 00000000000..212c141ed5a
--- /dev/null
+++ b/SPECS/heimdal/heimdal-kadmind.init
@@ -0,0 +1,102 @@
+#! /bin/sh
+#
+# heimdal-kadmind Startup script for Heimdal kadmind
+#
+# chkconfig: - 39 61
+# description: Starts and stops the Heimdal kadmind
+
+### BEGIN INIT INFO
+# Provides: heimdal-kadmind
+# Required-Start: $local_fs $network $named
+# Required-Stop: $local_fs $network
+# Default-Start:
+# Default-Stop:
+# Short-Description: Starts and stops the Heimdal kadmind
+# Description: Heimdal kadmind implements remote administration in Heimdal
+### END INIT INFO
+
+[ -f /etc/rc.d/init.d/functions ] && . /etc/rc.d/init.d/functions
+
+exec=/usr/libexec/heimdal-kadmind
+prog=heimdal-kadmind
+KADMIND_ARGS=""
+[ -e /etc/sysconfig/heimdal ] && . /etc/sysconfig/heimdal
+args="${KADMIND_ARGS} &"
+
+lockfile=/var/lock/subsys/$prog
+
+start() {
+ [ -x $exec ] || exit 5
+ [ -f $config ] || exit 6
+ echo -n $"Starting $prog: "
+ daemon "$exec $args"
+ retval=$?
+ echo
+ [ $retval -eq 0 ] && touch $lockfile
+ return $retval
+}
+
+stop() {
+ echo -n $"Stopping $prog: "
+ killproc "$prog"
+ retval=$?
+ echo
+ [ $retval -eq 0 ] && rm -f $lockfile
+ return $retval
+}
+
+restart() {
+ stop
+ start
+}
+
+reload() {
+ restart
+}
+
+force_reload() {
+ restart
+}
+
+rh_status() {
+ # run checks to determine if the service is running or use generic status
+ status $prog
+}
+
+rh_status_q() {
+ rh_status >/dev/null 2>&1
+}
+
+
+case "$1" in
+ start)
+ rh_status_q && exit 0
+ $1
+ ;;
+ stop)
+ rh_status_q || exit 0
+ $1
+ ;;
+ restart)
+ $1
+ ;;
+ reload)
+ rh_status_q || exit 7
+ $1
+ ;;
+ force-reload)
+ force_reload
+ ;;
+ status)
+ rh_status
+ ;;
+ condrestart|try-restart)
+ rh_status_q || exit 0
+ restart
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+ exit 2
+esac
+exit $?
+
diff --git a/SPECS/heimdal/heimdal-kadmind.service b/SPECS/heimdal/heimdal-kadmind.service
new file mode 100644
index 00000000000..8765bc1d7ad
--- /dev/null
+++ b/SPECS/heimdal/heimdal-kadmind.service
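Review bot: `args="${KADMIND_ARGS} &"` puts the backgrounding operator inside the string handed to `daemon "$exec $args"`, so the result depends on how the `daemon` helper from /etc/rc.d/init.d/functions evaluates its argument: either `&` reaches heimdal-kadmind as a literal argument, or the command is backgrounded and `retval=$?` no longer reflects whether the daemon started, in which case the lock file is created even on failure. heimdal-kpasswdd.init does the same with `KPASSWD_ARGS`. I would keep `args="${KADMIND_ARGS}"` free of shell syntax and add a comment next to it stating how the process is expected to detach.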
@@ -0,0 +1,12 @@
+[Unit]
+Description=Heimdal kadmind remote administration service
+Documentation=man:heimdal-kadmind(8) info:heimdal http://www.h5l.org/
+After=syslog.target network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/libexec/heimdal-kadmind
+PIDFile=/var/run/heimdal-kadmind.pid
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SPECS/heimdal/heimdal-kdc.conf b/SPECS/heimdal/heimdal-kdc.conf
new file mode 100644
index 00000000000..0cc6488cf05
--- /dev/null
+++ b/SPECS/heimdal/heimdal-kdc.conf
@@ -0,0 +1,10 @@
+[logging]
+ default = FILE:/var/log/heimdal/heimdal.log
+ kdc = FILE:/var/log/heimdal/kdc.log
+ admin_server = FILE:/var/log/heimdal/kadmind.log
+
+[kdc]
+ enable-http = true
+
+[kadmin]
+ require-preauth = true
diff --git a/SPECS/heimdal/heimdal-kdc.init b/SPECS/heimdal/heimdal-kdc.init
new file mode 100644
index 00000000000..625f2b973c8
--- /dev/null
+++ b/SPECS/heimdal/heimdal-kdc.init
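Review bot: `PIDFile=/var/run/heimdal-kadmind.pid` does not fit `Type=simple` in heimdal-kadmind.service: systemd already tracks the process started by `ExecStart=`, and nothing visible here makes the daemon write that file, so the line should be dropped (the same pairing is in heimdal-kdc.service and heimdal-kpasswdd.service). Where a PID file is kept, as in the two `Type=forking` ipropd units, `/run/...` is the current location rather than the legacy `/var/run/...`. With no `User=` set, this unit starts a network-facing administration daemon as root, so it is also worth adding sandboxing such as `NoNewPrivileges=yes` and `PrivateTmp=yes` once the daemon's file access needs are confirmed.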
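Review bot: `enable-http = true` under `[kdc]` in heimdal-kdc.conf makes the packaged default configuration answer KDC requests over HTTP in addition to the standard Kerberos transports, which widens the listening surface of every install that does not need it; I would ship `enable-http = false` (or omit the key) and let sites opt in. Separately, `require-preauth = true` is set only under `[kadmin]`, so as far as this file shows the KDC itself is not told to demand pre-authentication; if that is the intent of the line, it presumably also belongs under `[kdc]`, which is worth confirming against kdc.conf(5). A short comment above each setting stating why it is there would help whoever edits this file on a deployed host.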
@@ -0,0 +1,102 @@
+#! /bin/sh
+#
+# kdc Startup script for Heimdal kdc
+#
+# chkconfig: - 39 61
+# description: Starts and stops the Heimdal kdc
+
+### BEGIN INIT INFO
+# Provides: kdc
+# Required-Start: $local_fs $network $named
+# Required-Stop: $local_fs $network
+# Default-Start:
+# Default-Stop:
+# Short-Description: Starts and stops the Heimdal kdc
+# Description: Heimdal KDC is a Kerberos 5 Key Distribution Center server
+### END INIT INFO
+
+[ -f /etc/rc.d/init.d/functions ] && . /etc/rc.d/init.d/functions
+
+exec=/usr/libexec/kdc
+prog=kdc
+KDC_ARGS="--detach"
+[ -e /etc/sysconfig/heimdal ] && . /etc/sysconfig/heimdal
+args="${KDC_ARGS}"
+
+lockfile=/var/lock/subsys/$prog
+
+start() {
+ [ -x $exec ] || exit 5
+ [ -f $config ] || exit 6
+ echo -n $"Starting $prog: "
+ daemon "$exec $args"
+ retval=$?
+ echo
+ [ $retval -eq 0 ] && touch $lockfile
+ return $retval
+}
+
+stop() {
+ echo -n $"Stopping $prog: "
+ killproc "$prog"
+ retval=$?
+ echo
+ [ $retval -eq 0 ] && rm -f $lockfile
+ return $retval
+}
+
+restart() {
+ stop
+ start
+}
+
+reload() {
+ restart
+}
+
+force_reload() {
+ restart
+}
+
+rh_status() {
+ # run checks to determine if the service is running or use generic status
+ status $prog
+}
+
+rh_status_q() {
+ rh_status >/dev/null 2>&1
+}
+
+
+case "$1" in
+ start)
+ rh_status_q && exit 0
+ $1
+ ;;
+ stop)
+ rh_status_q || exit 0
+ $1
+ ;;
+ restart)
+ $1
+ ;;
+ reload)
+ rh_status_q || exit 7
+ $1
+ ;;
+ force-reload)
+ force_reload
+ ;;
+ status)
+ rh_status
+ ;;
+ condrestart|try-restart)
+ rh_status_q || exit 0
+ restart
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+ exit 2
+esac
+exit $?
+
diff --git a/SPECS/heimdal/heimdal-kdc.service b/SPECS/heimdal/heimdal-kdc.service
new file mode 100644
index 00000000000..e4461f541fc
--- /dev/null
+++ b/SPECS/heimdal/heimdal-kdc.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Heimdal KDC is a Kerberos 5 Key Distribution Center server
+Documentation=man:kdc(8) info:heimdal http://www.h5l.org/
+After=syslog.target network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/libexec/kdc
+PIDFile=/var/run/kdc.pid
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SPECS/heimdal/heimdal-kpasswdd.init b/SPECS/heimdal/heimdal-kpasswdd.init
new file mode 100644
index 00000000000..a7dd64b7818
--- /dev/null
+++ b/SPECS/heimdal/heimdal-kpasswdd.init
@@ -0,0 +1,103 @@
+#! /bin/sh
+#
+# kpasswdd Startup script for Heimdal kpasswdd
+#
+# chkconfig: - 39 61
+# description: Starts and stops the Heimdal kpasswdd
+
+### BEGIN INIT INFO
+# Provides: kpasswdd
+# Required-Start: $local_fs $network $named
+# Required-Stop: $local_fs $network
+# Default-Start:
+# Default-Stop:
+# Short-Description: Starts and stops the Heimdal kpasswdd
+# Description: Heimdal kpasswdd allows Kerberos 5 users to change \
+# their KDC passwords
+### END INIT INFO
+
+[ -f /etc/rc.d/init.d/functions ] && . /etc/rc.d/init.d/functions
+
+exec=/usr/libexec/kpasswdd
+prog=kpasswdd
+KPASSWD_ARGS=""
+[ -e /etc/sysconfig/heimdal ] && . /etc/sysconfig/heimdal
+args="${KPASSWD_ARGS} &"
+
+lockfile=/var/lock/subsys/$prog
+
+start() {
+ [ -x $exec ] || exit 5
+ [ -f $config ] || exit 6
+ echo -n $"Starting $prog: "
+ daemon "$exec $args"
+ retval=$?
+ echo
+ [ $retval -eq 0 ] && touch $lockfile
+ return $retval
+}
+
+stop() {
+ echo -n $"Stopping $prog: "
+ killproc "$prog"
+ retval=$?
+ echo
+ [ $retval -eq 0 ] && rm -f $lockfile
+ return $retval
+}
+
+restart() {
+ stop
+ start
+}
+
+reload() {
+ restart
+}
+
+force_reload() {
+ restart
+}
+
+rh_status() {
+ # run checks to determine if the service is running or use generic status
+ status $prog
+}
+
+rh_status_q() {
+ rh_status >/dev/null 2>&1
+}
+
+
+case "$1" in
+ start)
+ rh_status_q && exit 0
+ $1
+ ;;
+ stop)
+ rh_status_q || exit 0
+ $1
+ ;;
+ restart)
+ $1
+ ;;
+ reload)
+ rh_status_q || exit 7
+ $1
+ ;;
+ force-reload)
+ force_reload
+ ;;
+ status)
+ rh_status
+ ;;
+ condrestart|try-restart)
+ rh_status_q || exit 0
+ restart
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+ exit 2
+esac
+exit $?
+
diff --git a/SPECS/heimdal/heimdal-kpasswdd.service b/SPECS/heimdal/heimdal-kpasswdd.service
new file mode 100644
index 00000000000..1876f97a2e6
--- /dev/null
+++ b/SPECS/heimdal/heimdal-kpasswdd.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Heimdal kpasswdd allows users to change their KDC passwords
+Documentation=man:kpasswdd(8) info:heimdal http://www.h5l.org/
+After=syslog.target network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/libexec/kpasswdd
+PIDFile=/var/run/kpasswdd.pid
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SPECS/heimdal/heimdal.csh b/SPECS/heimdal/heimdal.csh
new file mode 100644
index 00000000000..cc7836afbbd
--- /dev/null
+++ b/SPECS/heimdal/heimdal.csh
@@ -0,0 +1,3 @@
+if ( "${path}" !~ */usr/lib/heimdal/bin* ) then
+ set path = ( /usr/lib/heimdal/bin $path )
+endif
diff --git a/SPECS/heimdal/heimdal.logrotate b/SPECS/heimdal/heimdal.logrotate
new file mode 100644
index 00000000000..8b9fc012f81
--- /dev/null
+++ b/SPECS/heimdal/heimdal.logrotate
@@ -0,0 +1,9 @@
+/var/log/heimdal/*.log {
+ compress
+ delaycompress
+ maxage 100
+ minsize 100M
+ missingok
+ notifempty
+}
+
diff --git a/SPECS/heimdal/heimdal.sh b/SPECS/heimdal/heimdal.sh
new file mode 100644
index 00000000000..4e9b14ae207
--- /dev/null
+++ b/SPECS/heimdal/heimdal.sh
@@ -0,0 +1,3 @@
+if ! echo ${PATH} | /bin/grep -q /usr/lib/heimdal/bin ; then
+ PATH=/usr/lib/heimdal/bin:${PATH}
+fi
diff --git a/SPECS/heimdal/heimdal.signatures.json b/SPECS/heimdal/heimdal.signatures.json
new file mode 100644
index 00000000000..2428c10fa58
--- /dev/null
+++ b/SPECS/heimdal/heimdal.signatures.json
@@ -0,0 +1,23 @@
+{
+ "Signatures": {
+ "heimdal-7.7.0.tar.gz": "f02d3314d634cc55eb9cf04a1eae0d96b293e45a1f837de9d894e800161b7d1b",
+ "heimdal-bashrc": "606045acea4cddb8f0cb7697225382aa89505aa5e0b89c244da333650a372e4f",
+ "heimdal-ipropd-master.init": "ecd6d7dd613dcf4e255bc296ad0c6f76ffd0931ee9e8e2b94b0a7edeb92d1264",
+ "heimdal-ipropd-master.service": "fc70e57eb6118132d21bad1c01bf16ee5a8572867ee369a09d3f4dbd63adbf7a",
+ "heimdal-ipropd-slave-wrapper": "635cd27b5c669454edd8dcc824fe312e32208dfae64c31f712c66e52e7e9f22a",
+ "heimdal-ipropd-slave.init": "6b231843e5ebce922cfc4babfc05066a9c4db54cdd1a85f93cd3678e26e693f0",
+ "heimdal-ipropd-slave.service": "4f47b03fe7dda11538cc5044b64000ccb5fd6f2b5e25f1a8fae3000a0b291379",
+ "heimdal-kadmind.init": "8949c6b7ff7c5d155cca1a063b5379423d343373af804dbeb221f73487fabe72",
+ "heimdal-kadmind.service": "b1e9552b1eecfb6aecef4377df1ea2f1463cd1ab5e8b8f302711ad807ccc3279",
+ "heimdal-kdc.conf": "45deebc4d962e72ab98836cb68ef1b9db983f9ff32985389b1281713c0416f0f",
+ "heimdal-kdc.init": "5638e9097dba55d0b3262a2d7fe04953fe4bbb415368e2f9ad4ade5dbaea00f9",
+ "heimdal-kdc.service": "3f8b60c93dceca5ab87968b0b6a0a4bcaf3456da581b6285d555a0aa49e51cf0",
+ "heimdal-kpasswdd.init": "9a223d4c5f3f5b6a70683732cf17d39a747c1747052c00f3577134b60efb2350",
+ "heimdal-kpasswdd.service": "4a45e86920f02099a36d540b872a2d59304752f2b398ec20151682c6e647b437",
+ "heimdal.csh": "3b39878656dc4d8cca369da7ff48a006f6cb8e8f6840a3c297126c12f052dfed",
+ "heimdal.logrotate": "a92e7da78889cde1a228d38cd018536141b1a49be7e7c728573c6c4b0ff811d5",
+ "heimdal.sh": "dbdc05028a6679fa2309b78f51e868dcb85a4b257bc2b3cb9300cb9ecca41610",
+ "heimdal.sysconfig": "39f5e7a93d3cdcebeabdda5d049d0df14620b9767eedaa2565ac2eaa8d981d3a",
+ "krb5.conf.sample": "7352381f918c539c9197ea18d415668dc37bc44395ead4ea86ba50a7431a27cb"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/heimdal/heimdal.spec b/SPECS/heimdal/heimdal.spec
new file mode 100644
index 00000000000..870f13bc5ad
--- /dev/null
+++ b/SPECS/heimdal/heimdal.spec 
@@ -0,0 +1,866 @@ +%global _hardened_build 1 +%global libdir %{_libdir}/heimdal +%global bindir %{_lib}/heimdal +# Use systemd unit files on RHEL 7 and above. +%if ! (0%{?rhel} && 0%{?rhel} < 7) + %global _with_systemd 1 +%endif +# This macro was added in Fedora 20. Use the old version if it's undefined +# on older Fedoras and RHELs prior to RHEL 8. +# https://fedoraproject.org/wiki/Changes/UnversionedDocdirs +%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} +Summary: A Kerberos 5 implementation without export restrictions +Name: heimdal +Version: 7.7.0 +Release: 5%{?dist} +License: BSD AND MIT +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://www.heimdal.software/ +Source0: https://github.com/%{name}/%{name}/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz +Source3: %{name}.sysconfig +Source4: %{name}.sh +Source5: %{name}.csh +Source9: krb5.conf.sample +Source10: %{name}.logrotate +Source11: %{name}-bashrc +Source20: %{name}-kdc.init +Source21: %{name}-ipropd-master.init +Source22: %{name}-ipropd-slave.init +Source23: %{name}-kadmind.init +Source24: %{name}-kpasswdd.init +Source25: %{name}-kdc.conf +Source26: %{name}-kdc.service +Source27: %{name}-ipropd-master.service +Source28: %{name}-ipropd-slave.service +Source29: %{name}-kadmind.service +Source30: %{name}-kpasswdd.service +Source31: %{name}-ipropd-slave-wrapper +# klist, kswitch, and kvno are symlinks to "heimtools", and this utility needs +# to know how to interpret the "heimdal-" prefixes. +Patch1: heimdal-1.6.0-c25f45a-rename-commands.patch +# Use Python2 explicity. 
+Patch3: heimdal-7.5.0-explicit-python2.patch +Patch4: heimdal-7.7.0-configure.patch +Patch5: fix_test_rand_build_failure.patch +BuildRequires: bison +#libcom_err-devel is in +#BuildRequires: libcom_err-devel +BuildRequires: e2fsprogs-devel +BuildRequires: e2fsprogs-libs +BuildRequires: flex +BuildRequires: gettext +BuildRequires: groff +BuildRequires: libcap-ng-devel +BuildRequires: libedit-devel +BuildRequires: libtool +BuildRequires: ncurses-devel +BuildRequires: openssl-devel +#BuildRequires: openldap-devel +#Required for tests/ldap +#BuildRequires: openldap-servers +BuildRequires: pam-devel +BuildRequires: perl-JSON +#BuildRequires: doxygen +#BuildRequires: graphviz +BuildRequires: python2 +BuildRequires: sqlite-devel +BuildRequires: systemd-devel +BuildRequires: texinfo +#%if 0%{?_with_systemd} +#BuildRequires: systemd-units +#%endif +# Bundled libtommath (https://bugzilla.redhat.com/1118462) +Provides: bundled(libtommath) = 0.42.0 +%if (0%{?rhel} && 0%{?rhel} < 7) +BuildRequires: db4-devel +%else +BuildRequires: libdb-devel +%endif + +%description +Kerberos 5 is a network authentication and single sign-on system. +Heimdal is a free Kerberos 5 implementation without export restrictions +written from the spec (rfc1510 and successors) including advanced features +like thread safety, IPv6, master-slave replication of Kerberos Key +Distribution Center server and support for ticket delegation (S4U2Self, +S4U2Proxy). +This package can coexist with MIT Kerberos 5 packages. Hesiod is disabled +by default since it is deemed too big a security risk by the packager. 
+ +%package workstation +Summary: Heimdal kerberos programs for use on workstations + +%description workstation +This package contains Heimdal Kerberos 5 programs and utilities for +use on workstations (kinit, klist, kdestroy, kpasswd) + +%package server +Summary: Heimdal kerberos server +Requires: logrotate +Provides: heimdal-kdc = %{version}-%{release} +Obsoletes: heimdal-kdc < 1.5 +%if 0%{?_with_systemd} +Requires(post): systemd +Requires(postun): systemd +Requires(preun): systemd +%else +Requires(post): chkconfig +Requires(postun): initscripts +Requires(preun): chkconfig +Requires(preun): initscripts +%endif + +%description server +This package contains the master Heimdal kerberos Key Distribution +Center (KDC), admin interface server (admind) and master-slave +synchronisation daemons. Install this package if you intend to +set up Kerberos server. + +%package libs +Summary: Heimdal kerberos shared libraries +#Requires(post): info +#Requires(preun): info + +%description libs +This package contains shared libraries required by several of the other +Heimdal packages. + +%package devel +Summary: Header and other development files for Heimdal kerberos +Provides: %{name}-static = %{version}-%{release} + +%description devel +Contains files needed to compile and link software using the Heimdal +kerberos headers/libraries. + +%package path +Summary: Heimdal kerberos PATH manipulation +Requires: %{name}-libs +# For /etc/profile.d +#Requires: setup + +%description path +This package prepends the Heimdal binary directory to the beginning of +PATH. 
+ +%prep +%setup -q +%patch1 -p1 -b .cmds +%patch3 -p1 -b .python2 +%patch4 -p1 -b .config +%patch5 -p1 + +./autogen.sh + +%build +%ifarch i386 +%global build_fix "-march=i686" +%else +%global build_fix "" +%endif +autoreconf -ivf +%configure \ + --prefix=%{_prefix} \ + --includedir=%{_includedir}/%{name} \ + --libdir=%{libdir} \ + --enable-static \ + --enable-shared \ + --enable-pthread-support \ + --without-x \ + --without-hesiod \ + --with-ipv6 \ + --enable-kcm \ + --enable-pk-init \ + --with-openldap=%{_prefix} \ + --with-sqlite3=%{_prefix} \ + --with-libedit=%{_prefix} \ + LIBS="-ltermcap" \ + CFLAGS="-fPIC %{optflags} %{build_fix}" +%make_build -j1 -C include krb5-types.h +%make_build -j1 +%make_build -j1 -C doc html + +# po/localefiles is not in the tarball, which causes install to fail +touch po/localefiles +%make_build -C po mo + +%check +# Several intermittent test failures here, so make this non-fatal: +# (timeout to debug hard to reproduce stuck build) +timeout 20m %make_build check || : + +%install +%make_install +# install the init files +%if 0%{?_with_systemd} + # install systemd service files + mkdir -p %{buildroot}%{_unitdir} + pushd %{buildroot}%{_unitdir} + install -p -D -m 644 %{SOURCE26} heimdal-kdc.service + install -p -D -m 644 %{SOURCE27} heimdal-ipropd-master.service + install -p -D -m 644 %{SOURCE28} heimdal-ipropd-slave.service + install -p -D -m 644 %{SOURCE29} heimdal-kadmind.service + install -p -D -m 644 %{SOURCE30} heimdal-kpasswdd.service + popd + install -p -D -m 755 %{SOURCE31} %{buildroot}%{_libexecdir}/ipropd-slave-wrapper +%else + # install legacy SysV init scripts + mkdir -p %{buildroot}%{_sysconfdir}/rc.d/init.d + pushd %{buildroot}%{_sysconfdir}/rc.d/init.d + install -p -D -m 755 %{SOURCE20} heimdal-kdc + install -p -D -m 755 %{SOURCE21} heimdal-ipropd-master + install -p -D -m 755 %{SOURCE22} heimdal-ipropd-slave + install -p -D -m 755 %{SOURCE23} heimdal-kadmind + install -p -D -m 755 %{SOURCE24} heimdal-kpasswdd + popd 
+%endif +install -p -D -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/heimdal +install -p -D -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/profile.d/heimdal.sh +install -p -D -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/profile.d/heimdal.csh +install -p -D -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/logrotate.d/heimdal +mkdir -p %{buildroot}%{_localstatedir}/heimdal/ +install -p -D -m 755 %{SOURCE25} %{buildroot}%{_sysconfdir}/heimdal-kdc.conf +ln -s %{_sysconfdir}/heimdal-kdc.conf %{buildroot}%{_localstatedir}/heimdal/kdc.conf +echo "# see man heimdal-kadmind(8)" > %{buildroot}%{_sysconfdir}/heimdal-kadmind.acl +ln -s %{_sysconfdir}/heimdal-kadmind.acl %{buildroot}%{_localstatedir}/heimdal/kadmind.acl +touch %{buildroot}%{_sysconfdir}/heimdal-slaves +ln -s %{_sysconfdir}/heimdal-slaves %{buildroot}%{_localstatedir}/heimdal/slaves +install -d -m 700 %{buildroot}%{_localstatedir}/log/heimdal +install -d -m 755 %{buildroot}/%{_pkgdocdir} +install -p -D -m 644 LICENSE %{buildroot}/%{_pkgdocdir}/LICENSE +install -p -D -m 644 %{SOURCE9} %{buildroot}/%{_pkgdocdir}/krb5.conf.sample +install -p -D -m 644 %{SOURCE11} %{buildroot}/%{_pkgdocdir}/bashrc +# we don't need pkgconfig file and info/dir +rm -rf %{buildroot}%{libdir}/pkgconfig +rm -rf %{buildroot}%{_infodir}/dir +# NOTICE: no support for X11 +rm -f %{buildroot}%{_mandir}/man1/kx.1* +rm -f %{buildroot}%{_mandir}/man1/rxtelnet.1* +rm -f %{buildroot}%{_mandir}/man1/rxterm.1* +rm -f %{buildroot}%{_mandir}/man1/tenletxr.1* +rm -f %{buildroot}%{_mandir}/man1/xnlock.1* +rm -f %{buildroot}%{_mandir}/man8/kxd.8* +# Remove CAT files, they are not needed +rm -rf %{buildroot}%{_mandir}/cat* +# Remove libtool archives +find %{buildroot} -type f -name "*.la" -delete -print + +mkdir -p %{buildroot}%{_sysconfdir}/ld.so.conf.d/ +cat >> %{buildroot}%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf << EOF +%{_libdir}/%{name} +EOF + +mkdir -p %{buildroot}%{bindir}/bin +mkdir -p %{buildroot}%{_mandir}/%{name}/man{1,5,8} + +# 
rename clashes with other pkgs from to heimdal- +for prog in kadmin kadmind kdestroy kinit klist kpasswd krb5-config ktutil su pagsh compile_et +do + if [ -e %{buildroot}%{_bindir}/${prog} ]; then + mv %{buildroot}%{_bindir}/{,%{name}-}${prog} + ln -s %{_bindir}/%{name}-${prog} %{buildroot}%{bindir}/bin/${prog} + elif [ -e %{buildroot}%{_sbindir}/${prog} ]; then + mv %{buildroot}%{_sbindir}/{,%{name}-}${prog} + ln -s %{_sbindir}/%{name}-${prog} %{buildroot}%{bindir}/bin/${prog} + elif [ -e %{buildroot}%{_libexecdir}/${prog} ]; then + mv %{buildroot}%{_libexecdir}/{,%{name}-}${prog} + fi + + if [ -e %{buildroot}%{_mandir}/man1/${prog}.1 ]; then + mv %{buildroot}%{_mandir}/man1/{,%{name}-}${prog}.1 + elif [ -e %{buildroot}%{_mandir}/man8/${prog}.8 ]; then + mv %{buildroot}%{_mandir}/man8/{,%{name}-}${prog}.8 + fi +done + +# If we have the prefixed name in one pkg we want it in all. +mv %{buildroot}%{_bindir}/{,%{name}-}kswitch +ln -s %{_bindir}/%{name}-kswitch %{buildroot}%{bindir}/bin/kswitch +mv %{buildroot}%{_mandir}/man1/{,%{name}-}kswitch.1 + +ln -s %{name}-kinit %{buildroot}%{_bindir}/kauth + +mv %{buildroot}%{_mandir}/man5/{,%{name}-}krb5.conf.5 + +rm %{buildroot}%{_mandir}/man5/qop.5 +ln -s mech.5.gz %{buildroot}%{_mandir}/man5/qop.5.gz + +%find_lang %{name} --all-name + +%post server +%if 0%{?_with_systemd} + %systemd_post heimdal-kdc.service + %systemd_post heimdal-ipropd-master.service + %systemd_post heimdal-ipropd-slave.service + %systemd_post heimdal-kadmind.service + %systemd_post heimdal-kpasswdd.service +%else + /sbin/chkconfig --add heimdal-kdc + /sbin/chkconfig --add heimdal-ipropd-master + /sbin/chkconfig --add heimdal-ipropd-slave + /sbin/chkconfig --add heimdal-kadmind + /sbin/chkconfig --add heimdal-kpasswdd +%endif + +%preun server +%if 0%{?_with_systemd} + %systemd_preun heimdal-kdc.service + %systemd_preun heimdal-ipropd-master.service + %systemd_preun heimdal-ipropd-slave.service + %systemd_preun heimdal-kadmind.service + %systemd_preun 
heimdal-kpasswdd.service +%else + if [ $1 -eq 0 ] ; then + /sbin/service heimdal-kdc stop >/dev/null 2>&1 || : + /sbin/chkconfig --del heimdal-kdc + /sbin/service heimdal-ipropd-master stop >/dev/null 2>&1 || : + /sbin/chkconfig --del heimdal-ipropd-master + /sbin/service heimdal-ipropd-slave stop >/dev/null 2>&1 || : + /sbin/chkconfig --del heimdal-ipropd-slave + /sbin/service heimdal-kadmind stop >/dev/null 2>&1 || : + /sbin/chkconfig --del heimdal-kadmind + /sbin/service heimdal-kpasswdd stop >/dev/null 2>&1 || : + /sbin/chkconfig --del >/dev/null + fi +%endif + +%postun server +%if 0%{?_with_systemd} + %systemd_postun heimdal-kdc.service + %systemd_postun heimdal-ipropd-master.service + %systemd_postun heimdal-ipropd-slave.service + %systemd_postun heimdal-kadmind.service + %systemd_postun heimdal-kpasswdd.service +%else + if [ $1 -eq 1 ] ; then + /sbin/service heimdal-kdc condrestart >/dev/null 2>&1 || : + /sbin/service heimdal-ipropd-master condrestart >/dev/null 2>&1 || : + /sbin/service heimdal-ipropd-slave condrestart >/dev/null 2>&1 || : + /sbin/service heimdal-kadmind condrestart >/dev/null 2>&1 || : + /sbin/service heimdal-kpasswdd condrestart >/dev/null 2>&1 || : + fi +%endif + +%if (0%{?rhel} && 0%{?rhel} < 8) +%post libs +/sbin/ldconfig +/sbin/install-info %{_infodir}/%{name}.info %{_infodir}/dir || : + +%preun libs +if [ $1 = 0 ] ; then + /sbin/install-info --delete %{_infodir}/%{name}.info %{_infodir}/dir || : +fi + +%postun libs -p /sbin/ldconfig +%endif + +%files libs -f %{name}.lang +%license LICENSE +%doc %{_pkgdocdir} +%dir %{bindir} +%dir %{bindir}/bin +%dir %{libdir} +%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf +%{libdir}/lib*.so* +%{libdir}/windc.so* +%{_infodir}/heimdal.info* +%{_infodir}/hx509.info* +%{_mandir}/man5/%{name}-krb5.conf.5* +%{_mandir}/man5/qop.5* +%{_mandir}/man5/mech.5* +%{_mandir}/man8/kerberos.8* +%{_bindir}/string2key +%{_mandir}/man8/string2key.8* +%{_libexecdir}/kdigest 
+%{_mandir}/man8/kdigest.8* +%{_bindir}/verify_krb5_conf +%{_mandir}/man8/verify_krb5_conf.8* +%{_libexecdir}/digest-service + +%files server +%if 0%{?_with_systemd} +%{_unitdir}/*.service +%else +%{_initrddir}/* +%endif +%{_sysconfdir}/logrotate.d/heimdal +%config(noreplace) %{_sysconfdir}/sysconfig/heimdal +%dir %attr(700,root,root) %{_localstatedir}/heimdal +%dir %attr(700,root,root) %{_localstatedir}/log/heimdal +%config(noreplace) %attr(600,root,root) %{_sysconfdir}/heimdal-kdc.conf +%config(noreplace) %{_localstatedir}/heimdal/kdc.conf +%config(noreplace) %attr(600,root,root) %{_sysconfdir}/heimdal-kadmind.acl +%config(noreplace) %{_localstatedir}/heimdal/kadmind.acl +%config(noreplace) %attr(600,root,root) %{_sysconfdir}/heimdal-slaves +%config(noreplace) %{_localstatedir}/heimdal/slaves +%{_libexecdir}/hprop +%{_mandir}/man8/hprop.8* +%{_libexecdir}/hpropd +%{_mandir}/man8/hpropd.8* +%{_mandir}/man8/iprop.8* +%{_sbindir}/iprop-log +%{_mandir}/man8/iprop-log.8* +%{_libexecdir}/ipropd-master +%{_mandir}/man8/ipropd-master.8* +%{_libexecdir}/ipropd-slave +%{_mandir}/man8/ipropd-slave.8* +%if 0%{?_with_systemd} +%{_libexecdir}/ipropd-slave-wrapper +%endif +%{_libexecdir}/%{name}-kadmind +%{_mandir}/man8/%{name}-kadmind.8* +%{_libexecdir}/kdc +%{_mandir}/man8/kdc.8* +%{_libexecdir}/kpasswdd +%{_mandir}/man8/kpasswdd.8* +%{_sbindir}/kstash +%{_mandir}/man8/kstash.8* + +%files workstation +%{_bindir}/afslog +%{_mandir}/man1/afslog.1* +%{_bindir}/bsearch +%{_mandir}/man1/bsearch.1* +%{_bindir}/%{name}-pagsh +%{bindir}/bin/pagsh +%{_mandir}/man1/%{name}-pagsh.1* +%{_bindir}/gsstool +%{_bindir}/heimtools +%{_bindir}/hxtool +%{_bindir}/idn-lookup +%{_bindir}/%{name}-kdestroy +%{bindir}/bin/kdestroy +%{_mandir}/man1/%{name}-kdestroy.1* +%{_bindir}/kf +%{_mandir}/man1/kf.1* +%{_bindir}/kgetcred +%{_mandir}/man1/kgetcred.1* +%{_libexecdir}/kimpersonate +%{_mandir}/man8/kimpersonate.8* +%{_bindir}/%{name}-kinit +%{bindir}/bin/kinit +%{_bindir}/kauth 
+%{_mandir}/man1/%{name}-kinit.1* +%{_bindir}/%{name}-klist +%{bindir}/bin/klist +%{_mandir}/man1/%{name}-klist.1* +%{_bindir}/%{name}-kpasswd +%{bindir}/bin/kpasswd +%{_mandir}/man1/%{name}-kpasswd.1* +%{_bindir}/heimdal-kswitch +%{bindir}/bin/kswitch +%{_mandir}/man1/heimdal-kswitch.1* +%{_bindir}/otp +%{_mandir}/man1/otp.1* +%{_bindir}/otpprint +%{_mandir}/man1/otpprint.1* +%{_bindir}/%{name}-kadmin +%{bindir}/bin/kadmin +%{_mandir}/man1/%{name}-kadmin.1* +%{_libexecdir}/kcm +%{_mandir}/man8/kcm.8* +%{_libexecdir}/kfd +%{_mandir}/man8/kfd.8* +%{_bindir}/%{name}-ktutil +%{bindir}/bin/ktutil +%{_mandir}/man1/%{name}-ktutil.1* +%attr(04550,root,root) %{_bindir}/%{name}-su +%{bindir}/bin/su +%{_mandir}/man1/%{name}-su.1* + +%files devel +%dir %{_libexecdir}/%{name} +%{_bindir}/%{name}-krb5-config +%{bindir}/bin/krb5-config +%{_mandir}/man1/%{name}-krb5-config.1* +%{_includedir}/* +%{libdir}/lib*.a +%{libdir}/windc.a +%{_mandir}/man3/* +%{_mandir}/man7/* +%{_libexecdir}/%{name}/asn1_compile +%{_libexecdir}/%{name}/asn1_print +%{_libexecdir}/%{name}/slc + +%files path +%{_sysconfdir}/profile.d/%{name}.sh +%{_sysconfdir}/profile.d/%{name}.csh + +%changelog +* Wed Oct 21 2020 Henry Beberman - 7.7.0-5 +- Initial CBL-Mariner import from Fedora 32 (license: MIT). +- License verified. 
+ +* Wed Jan 29 2020 Fedora Release Engineering - 7.7.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jan 17 2020 Jeff Law - 7.7.0-3 +- Fix configure tests compromised by LTO + +* Sat Dec 21 2019 Alexander Boström - 7.7.0-2 +- Set timeout on make check + +* Fri Dec 20 2019 Alexander Boström - 7.7.0-1 +- Update to 7.7.0 +- Remove upstreamed patch +- New project URL +- Update buildreqs +- Add locale build fix + +* Thu Jul 25 2019 Fedora Release Engineering - 7.5.0-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Feb 01 2019 Fedora Release Engineering - 7.5.0-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Jan 14 2019 Björn Esser - 7.5.0-7 +- Rebuilt for libcrypt.so.2 (#1666033) + +* Sun Jan 06 2019 Björn Esser - 7.5.0-6 +- Add patch to explicitly use python2 binary, fixes FTBFS (#1604316) +- Do not run 'make dist', fixes FTBFS (#1604316) +- Make sure 'krb5-types.h' is build, fixes FTBFS (#1604316) +- Remove el5 bits +- Drop unneeded scriptlets for newer distros +- Use %%make_build and %%make_install macros +- Install license file using %%license in libs package + +* Fri Jul 13 2018 Fedora Release Engineering - 7.5.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Mar 15 2018 Iryna Shcherbina - 7.5.0-4 +- Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) + +* Wed Feb 07 2018 Fedora Release Engineering - 7.5.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Jan 20 2018 Björn Esser - 7.5.0-2 +- Rebuilt for switch to libxcrypt + +* Thu Dec 14 2017 Ken Dreyer - 7.5.0-1 +- Update to 7.5.0 GA release (CVE-2017-17439) + +* Mon Oct 23 2017 Alexander Boström - 7.4.0-5 +- Backport fix to prevent wait() loop on non-existant child process + +* Wed Aug 02 2017 Fedora Release Engineering - 7.4.0-4 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 7.4.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Jul 12 2017 Ken Dreyer - 7.4.0-2 +- Make test failures non-fatal + +* Tue Jul 11 2017 Ken Dreyer - 7.4.0-1 +- Update to 7.4.0 GA release (CVE-2017-11103) + +* Mon Apr 17 2017 Ken Dreyer - 7.3.0-1 +- Update to 7.3.0 GA release (CVE-2017-6594) + +* Fri Feb 10 2017 Fedora Release Engineering - 7.1.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Dec 29 2016 Ken Dreyer - 7.1.0-1 +- Update to 7.1.0 GA release +- Drop all remaining xinetd bits + +* Wed Feb 03 2016 Fedora Release Engineering - 1.6.0-0.13.20150115gitc25f45a +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Mon Aug 10 2015 Ken Dreyer - 1.6.0-0.12.20150115gitc25f45a +- Fix ld.so.conf.d file conflict between 32-bit and 64-bit packages + (rhbz#1244316) +- Mark ld.so.conf.d as %%config(noreplace) + +* Wed Jun 17 2015 Fedora Release Engineering - 1.6.0-0.11.20150115gitc25f45a +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Thu Jan 15 2015 Ken Dreyer - 1.6.0-0.10.20150115gitc25f45a +- Update git snapshot to latest tip of heimdal-1-6-branch +- Remove upstreamed patches +- Add virtual provides for bundled(libtommath) (RHBZ #1118462) + +* Sat Aug 16 2014 Fedora Release Engineering - 1.6.0-0.10.20140621gita5adc06 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Mon Jul 07 2014 Ken Dreyer - 1.6.0-0.9.20140621gita5adc06 +- Remove OpenSSL BR and go back to using hcrypto with bundled libtommath. + OpenSSL is not thread safe without callbacks (RHBZ #1118462) + +* Tue Jul 01 2014 Ken Dreyer - 1.6.0-0.8.20140621gita5adc06 +- Patch for parallel build failure in kadm5. Thanks Jakub Čajka. +- Remove comments about X11 binaries (we will never ship those). 
+ +* Sun Jun 22 2014 Ken Dreyer - 1.6.0-0.7.20140621gita5adc06 +- Update git snapshot to latest tip of heimdal-1-6-branch + +* Sat Jun 07 2014 Ken Dreyer - 1.6.0-0.6.20140606git966108b +- Update git snapshot to latest tip of heimdal-1-6-branch +- Don't ship xinetd support if the distro has systemd (RHBZ #613001) + +* Fri May 30 2014 Ken Dreyer - 1.6.0-0.5.20140529gitddde77b +- Update git snapshot to latest tip of heimdal-1-6-branch +- Use /sbin path in %%pre/%%post scripts for EL6 and EL5 +- Install login.users(5) normally, since it doesn't conflict with anything + (RHBZ #613001) +- Don't ship ftpusers(5) (RHBZ #613001) +- Patch heimtools to deal with the commands' "heimdal-" prefixes (RHBZ #613001) +- Use "simple" systemd service type for kdc, kadmind, kpasswdd +- Add "--detach" flag in heimdal-ipropd-slave-wrapper to match the systemd + forking service type +- Patch kadmind to handle systemd's restrictions on setpgid() (RHBZ #613001) + +* Thu May 22 2014 Ken Dreyer - 1.6.0-0.4.20140522git229d8c7 +- Update git snapshot to latest tip of heimdal-1-6-branch +- Drop upstreamed text-fx patch +- Install Texinfo files (RHBZ #613001) +- Add Provides: heimdal-static to -devel subpackage (RHBZ #613001) +- Drop %%defattr (RHBZ #613001) +- Add text content to kadmind.acl to help users (and remove a zero-length file) +- Install profile.d scripts with non-executable permissions +- Remove .la files +- Patch to remove AC_PROG_LIBTOOL macro +- Reload xinetd when using systemd +- Require logrotate and setup, since we drop config files into directories that + these packages own. 
+- Add unowned Heimdal directories in %%files +- Replace "heimdal" with %%{name} in %%files +- Do not BR libcap-ng-devel on EL5 + +* Tue Apr 29 2014 Ken Dreyer - 1.6.0-0.3.20140429gitd60ba47 +- Add BR libdb-devel on Fedora (RHBZ #613001) +- Add BR openssl-devel and libcap-ng-devel (RHBZ #613001) +- Only set BuildRoot on el5 +- Alphabetize non-conditional BuildRequires +- Remove duplicate BR openldap-devel + +* Tue Apr 29 2014 Ken Dreyer - 1.6.0-0.2.20140326git7e6b55 +- Update git snapshot to latest tip of heimdal-1-6-branch +- Rename Source11 with "heimdal-" prefix +- Use newer macro for UnversionedDocdirs change + +* Mon Jan 06 2014 Ken Dreyer - 1.6.0-0.1.20140106git46a508 +- Package git snapshot from master branch + +* Wed Oct 16 2013 Ken Dreyer - 1.5.3-24.20130903gitb074e0b +- Disable autogen and parallel make on EL5 +- Add pregenerated autoconf tarball as Source1 +- Add script to pregenerate autoconf files as Source2 + +* Tue Sep 10 2013 Alexander Boström - 1.5.3-23.20130903gitb074e0b +- Fix build. (Problem with symlinks to kcc.) 
+ +* Thu Sep 05 2013 Alexander Boström - 1.5.3-22.20130903gitb074e0b +- Rename rename kcc to heimdal-kcc (conflicts in el5 and fedora) +- Rename kswitch to heimdal-kswitch in el6 too + +* Tue Sep 03 2013 Alexander Boström - 1.5.3-21.20130903gitb074e0b +- Update to latest git snapshot of heimdal-1-5-branch +- remove upstreamed patch + +* Tue Sep 03 2013 Alexander Boström - 1.5.3-20.20130813gitdcc7c13 +- Split ipv6_loopbacks_fix.patch into one backport and one smaller change + +* Tue Aug 20 2013 Ken Dreyer - 1.5.3-19.20130813gitdcc7c13 +- Build against libedit instead of readline (avoid GPL entanglements) + +* Tue Aug 13 2013 Ken Dreyer - 1.5.3-18.20130813gitdcc7c13 +- Update to latest git snapshot of heimdal-1-5-branch +- remove upstreamed texinfo patches + +* Tue Aug 13 2013 Alexander Boström - 1.5.3-17.20130730gitd9b3691 +- remove workaround for bogus check-iprop check failure + +* Mon Aug 12 2013 Alexander Boström - 1.5.3-16.20130730gitd9b3691 +- buildreq groff on el6 and older +- remove most comments from sysconfig file +- systemd: only use /etc/sysconfig/heimdal to specify the iprop master + host, via a wrapper script +- systemd: use Type=forking +- make systemd the default, check for known sysv systems + +* Mon Aug 12 2013 Ken Dreyer - 1.5.3-15.20130812git29f0a90 +- Update to latest git snapshot of heimdal-1-5-branch + +* Mon Aug 12 2013 Alexander Boström - 1.5.3-14.20130730gitd9b3691 +- do not ghost files in owned directory + +* Mon Aug 12 2013 Alexander Boström - 1.5.3-13.20130730gitd9b3691 +- use global instead of define + +* Mon Aug 12 2013 Alexander Boström - 1.5.3-12.20130730gitd9b3691 +- add doc references to unit files + +* Mon Aug 12 2013 Alexander Boström - 1.5.3-11.20130730gitd9b3691 +- add missing req on xinetd +- remove slash after buildroot macro usage +- preserve timestamps of installed files +- move slaves config file to /etc +- no attributes on symlinks +- only ghost own the slave-stats file + +* Fri Aug 09 2013 Ken Dreyer - 
1.5.3-10.20130730gitd9b3691 +- add systemd files and _with_systemd conditional +- remove "--detach" from sysconfig comments +- tweak kadmind service description +- add comments about texinfo patches + +* Fri Aug 09 2013 Alexander Boström - 1.5.3-9.20130730gitd9b3691 +- SysV scriptlets and initscript cleanups +- xinetd services ipv6 enabled + +* Thu Aug 08 2013 Ken Dreyer - 1.5.3-8.20130730gitd9b3691 +- Add Debian's texinfo patch to hx509, plus my own hacks for 5.1 + +* Thu Aug 08 2013 Ken Dreyer - 1.5.3-7.20130730gitd9b3691 +- Add missing groff buildreq on F19 and above +- Tweak Summary + +* Thu Aug 08 2013 Alexander Boström - 1.5.3-6 +- Add missing buildreqs + +* Thu Aug 08 2013 Alexander Boström - 1.5.3-5 +- Update to post 1.5.3 snapshot, deprecating a couple of patches +- Add autogen.sh and extra BRs, build fixes. + +* Thu Aug 08 2013 Alexander Boström - 1.5.3-4 +- No autoreconf +- More robust ?rhel macro usage +- BR libcom_err-devel instead of e2fsprogs-devel (but not on el5) +- el5 build fixes + +* Tue Aug 06 2013 Alexander Boström - 1.5.3-3 +- Add heimdal-des-key-selection.patch + +* Tue Aug 06 2013 Alexander Boström - 1.5.3-2 +- Use upstream tarball. +- Remove unused patches. 
+- Fix heimdal-kdc.conf +- Handle the case of no .mo files + +* Tue Aug 06 2013 Ken Dreyer - 1.5.3-1 +- Update to 1.5.3 (tag from Git) +- Use the find_lang macro to include the translation files +- Add Getopt patch in order to build with Fedora's newer Perl +- Adjust Group to satisfy rpmlint +- Remove macros from comments to satisfy rpmlint + +* Mon Jul 29 2013 Alexander Boström - 1.5.2-3.kth.19 +- really fix prefix munge patch +- fix texi build + +* Wed Jul 3 2013 Alexander Boström - 1.5.2-3.kth.18 +- fix prefix munge patch + +* Tue Jul 2 2013 Alexander Boström - 1.5.2-3.kth.17 +- rename kswitch to heimdal-kswitch (except on el6) + +* Tue Jul 2 2013 Alexander Boström - 1.5.2-3.kth.16 +- ignore missing otp binaries + +* Fri Jun 28 2013 Alexander Boström - 1.5.2-3.kth.15 +- fix license, fix macro-in-changelog + +* Fri Jun 28 2013 Alexander Boström - 1.5.2-3.kth.14 +- enable dns_lookup_realm and dns_lookup_kdc in the sample config file +- changed logrotate conf, postrotate should not be required +- add kdc.conf +- move kadmind.acl to sysconfdir + +* Thu Jun 27 2013 Alexander Boström - 1.5.2-3.kth.13 +- fix qop man symlink + +* Thu Jun 27 2013 Alexander Boström - 1.5.2-3.kth.12 +- workstation does not require xinetd +- fix paths in xinetd confs + +* Wed Jun 26 2013 Alexander Boström - 1.5.2-3.kth.11 +- fix symlinks + +* Wed Jun 26 2013 Alexander Boström - 1.5.2-3.kth.10 +- provide/obsolete heimdal-kdc + +* Wed Apr 10 2013 Alexander Boström - 1.5.2-3.kth.9 +- make PATH manipulation an optional subpackage + +* Wed Apr 10 2013 Alexander Boström - 1.5.2-3.kth.8 +- rename to heimdal-* instead of *.heimdal + +* Tue Apr 9 2013 Alexander Boström - 1.5.2-3.kth.7 +- split init script into multiple services + +* Tue Apr 9 2013 Alexander Boström - 1.5.2-3.kth.6 +- move su to the workstation subpkg + +* Tue Apr 9 2013 Alexander Boström - 1.5.2-3.kth.5 +- Add symlinks in the bin dir. + +* Tue Apr 9 2013 Alexander Boström - 1.5.2-3.kth.4 +- Reuse /etc/security/access.conf from PAM. 
+ +* Tue Apr 9 2013 Alexander Boström - 1.5.2-3.kth.3 +- move daemon binaries to regular libexec dir, with executable name suffix + +* Mon Apr 8 2013 Alexander Boström - 1.5.2-3.kth.2 +- move binaries from /usr/lib64/heimdal/bin to /usr/lib/heimdal/bin + +* Mon Apr 8 2013 Alexander Boström - 1.5.2-3.kth.1 +- disable tests + +* Wed Jul 4 2012 Rok Papež, ARNES - 1.5.2-3 + - updated to upstream 1.5.2 + - added support for Fedora 17 + - fixed wrong PATH on x86_64 + - fixed IPv6 and multiple interfaces bug in krb5_parse_address: + https://bugzilla.redhat.com/show_bug.cgi?id=808147 + - added support for .heimdal prefix to kcc + +* Tue Oct 4 2011 Rok Papež, ARNES - 1.5.1-1 + - updated to upstream 1.5.1 + +* Tue Sep 27 2011 Rok Papež, ARNES - 1.5.1.pre20110912git-2 + - FESCo updates: https://fedorahosted.org/fesco/ticket/577 + - Implicit requires removed, rpmbuild can figure them out itself + - Implicit provides removed, we are NOT compatible with krb5 + - Enable hardened build: + https://fedoraproject.org/wiki/Packaging:Guidelines#PIE + https://fedoraproject.org/wiki/User:Kevin/DRAFT_When_to_use_PIE_compiler_flags + - Merged updates from Orion Poplawski + +* Mon Sep 12 2011 Rok Papež, ARNES - 1.5.1.pre20110912git-1.arnes + - Updated to Heimdal 1.5.1.pre20110912git + +* Tue Nov 30 2010 Rok Papež, ARNES - 1.4.1rc1-1.arnes + - Updated to Heimdal 1.4.1rc1 + +* Fri Jul 09 2010 Rok Papež, ARNES - 1.3.3-1.arnes + - Updated to Heimdal 1.3.3 + +* Wed Apr 21 2010 Rok Papež, ARNES - 1.3.2-2.arnes + - Updated to Heimdal 1.3.2 + +* Thu Sep 17 2009 Rok Papež, ARNES - 1.3.0pre9-1 + - Updated to Heimdal 1.3.0pre9 + - Building on CentOS 5.3 i386 and Fedora 11 x86_64. 
+ +* Wed Jun 10 2009 Rok Papež, ARNES - 1.2.1-9 + - Fixed build for CentOS 4.7 (thanks to Nitzan Zaifman for bugreport) + +* Mon Jun 8 2009 Rok Papež, ARNES - 1.2.1-8 + - Fixed paths for building on CentOS 5.3 + - Rebuilt for CentOS 5.3 + - removed obsolete X11 dependency + +* Thu Feb 19 2009 Mitja Mihelic, ARNES - 1.2.1-7 + - added dependency on xinetd for heimdal-workstation + +* Tue Jan 20 2009 Rok Papež, ARNES + - Fixed permissions + +* Wed Oct 8 2008 Rok Papež, ARNES + - New specs for Heimdel 1.2.1, suggestions taken from both PDC and Mandrake specs file. + - Need to be compatible with MIT Kerberos 5 installation. + - Let MIT have priority diff --git a/SPECS/heimdal/heimdal.sysconfig b/SPECS/heimdal/heimdal.sysconfig new file mode 100644 index 00000000000..75271206cea --- /dev/null +++ b/SPECS/heimdal/heimdal.sysconfig @@ -0,0 +1,2 @@ +# hostname of the iprop master +#MASTER="" diff --git a/SPECS/heimdal/krb5.conf.sample b/SPECS/heimdal/krb5.conf.sample new file mode 100644 index 00000000000..af92166075b --- /dev/null +++ b/SPECS/heimdal/krb5.conf.sample @@ -0,0 +1,42 @@ +[logging] + default = FILE:/var/log/heimdal/heimdal.log + kdc = FILE:/var/log/heimdal/kdc.log + admin_server = FILE:/var/log/heimdal/kadmind.log + +[libdefaults] + default_realm = EXAMPLE.COM + dns_lookup_realm = true + dns_lookup_kdc = true + ticket_lifetime = 24h + forwardable = yes + +[realms] + EXAMPLE.COM = { + kdc = kerberos.example.com:88 + admin_server = kerberos.example.com:749 + default_domain = example.com + } + +[domain_realm] + .example.com = EXAMPLE.COM + example.com = EXAMPLE.COM + +[appdefaults] + forwardable = true + proxiable = true + encrypt = true + forward = true + pam = { + debug = false + ticket_lifetime = 36000 + renew_lifetime = 36000 + forwardable = true + krb4_convert = false + } + +[kdc] + enable-https = true + check-ticket-addresses = true + +[kadmin] + require-preauth = true 
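Review bot: In the SysV branch of `%preun server` the last line reads `/sbin/chkconfig --del >/dev/null`, which names no service, so heimdal-kpasswdd stays registered after the package is erased. It should be `/sbin/chkconfig --del heimdal-kpasswdd`, matching the four entries above it. In `%install`, heimdal-kdc.conf is installed with `-m 755` and only brought to 600 by the `%attr` in `%files server`; `install -p -D -m 600 %{SOURCE25} %{buildroot}%{_sysconfdir}/heimdal-kdc.conf` would keep the build root consistent with the packaged mode. `%check` ends in `|| :`, so a failing test suite never fails the build; if the intermittent failures cannot be fixed, a comment naming the flaky tests would help whoever later decides to gate on them.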
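Review bot: The sample's `[kdc]` section sets `enable-https = true`, but the KDC option I know from Heimdal's documentation is `enable-http`, so this key is probably ignored and should be checked against the kdc(8) and krb5.conf(5) pages of this release. Separately, `dns_lookup_realm = true` in `[libdefaults]` lets DNS records decide which realm a host belongs to, and those lookups are unauthenticated unless DNSSEC is in place. A comment above it such as `# relies on trusted DNS; set to false and use [domain_realm] otherwise` would tell admins copying the sample what they are opting into.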
diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json index 7c8319a6e19..7049cf65e6e 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json +++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json @@ -6,6 +6,6 @@ "hypervkvpd.service": "25339871302f7a47e1aecfa9fc2586c78bc37edb98773752f0a5dec30f0ed3a1", "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1", "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d", - "linux-msft-5.4.51.tar.gz": "3bcd6b09e952fac4f708614658b508ce80c8e25c04780b6b44a481b1479a08e7" + "linux-msft-5.4.72.tar.gz": "3407ccf8505595ae3e7a7b30c206190a0762f3e202f21f9de88a8d59e182ddef" } } \ No newline at end of file diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec index 73376f872cf..a33965f07be 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.spec +++ b/SPECS/hyperv-daemons/hyperv-daemons.spec 
@@ -6,52 +6,45 @@ %global hv_fcopy_daemon hypervfcopyd # udev rules prefix %global udev_prefix 70 - Summary: Hyper-V daemons suite Name: hyperv-daemons -Version: 5.4.51 +Version: 5.4.72 Release: 2%{?dist} License: GPLv2+ -URL: https://github.com/microsoft/WSL2-Linux-Kernel -Group: System/Kernel Vendor: Microsoft Corporation Distribution: Mariner +Group: System/Kernel +URL: https://github.com/microsoft/WSL2-Linux-Kernel Source0: https://github.com/microsoft/WSL2-Linux-Kernel/archive/linux-msft-%{version}.tar.gz - # HYPERV KVP DAEMON -Source1: hypervkvpd.service -Source2: hypervkvp.rules - +Source1: hypervkvpd.service +Source2: hypervkvp.rules # HYPERV VSS DAEMON -Source101: hypervvssd.service -Source102: hypervvss.rules - +Source101: hypervvssd.service +Source102: hypervvss.rules # HYPERV FCOPY DAEMON -Source201: hypervfcopyd.service -Source202: hypervfcopy.rules - +Source201: hypervfcopyd.service +Source202: hypervfcopy.rules +BuildRequires: gcc +Requires: hypervfcopyd = %{version}-%{release} +Requires: hypervkvpd = %{version}-%{release} +Requires: hypervvssd = %{version}-%{release} # Hyper-V is available only on x86 architectures # The base empty (a.k.a. virtual) package can not be noarch # due to http://www.rpm.org/ticket/78 -ExclusiveArch: x86_64 - -Requires: hypervkvpd = %{version}-%{release} -Requires: hypervvssd = %{version}-%{release} -Requires: hypervfcopyd = %{version}-%{release} -BuildRequires: gcc %description Suite of daemons that are needed when Linux guest is running on Windows Host with Hyper-V. 
- %package -n hypervkvpd -Summary: Hyper-V key value pair (KVP) daemon -Requires: %{name}-license = %{version}-%{release} -BuildRequires: systemd, kernel-headers -Requires(post): systemd -Requires(preun): systemd +Summary: Hyper-V key value pair (KVP) daemon +BuildRequires: kernel-headers +BuildRequires: systemd +Requires: %{name}-license = %{version}-%{release} +Requires(post): systemd Requires(postun): systemd +Requires(preun): systemd %description -n hypervkvpd Hypervkvpd is an implementation of Hyper-V key value pair (KVP) @@ -60,14 +53,14 @@ kernel driver. After this is done it collects information requested by Windows Host about the Linux Guest. It also supports IP injection functionality on the Guest. - %package -n hypervvssd -Summary: Hyper-V VSS daemon -Requires: %{name}-license = %{version}-%{release} -BuildRequires: systemd, kernel-headers -Requires(post): systemd -Requires(preun): systemd +Summary: Hyper-V VSS daemon +BuildRequires: kernel-headers +BuildRequires: systemd +Requires: %{name}-license = %{version}-%{release} +Requires(post): systemd Requires(postun): systemd +Requires(preun): systemd %description -n hypervvssd Hypervvssd is an implementation of Hyper-V VSS functionality @@ -77,14 +70,14 @@ kernel driver. After this is done it waits for instructions from Windows Host if to "freeze" or "thaw" the filesystem on the Linux Guest. - %package -n hypervfcopyd -Summary: Hyper-V FCOPY daemon -Requires: %{name}-license = %{version}-%{release} -BuildRequires: systemd, kernel-headers -Requires(post): systemd -Requires(preun): systemd +Summary: Hyper-V FCOPY daemon +BuildRequires: kernel-headers +BuildRequires: systemd +Requires: %{name}-license = %{version}-%{release} +Requires(post): systemd Requires(postun): systemd +Requires(preun): systemd %description -n hypervfcopyd Hypervfcopyd is an implementation of file copy service functionality 
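Review bot: The preamble keeps the comments `# Hyper-V is available only on x86 architectures` and `# The base empty (a.k.a. virtual) package can not be noarch`, but the `ExclusiveArch: x86_64` line they explained is removed, so they now sit directly above `%description` describing a restriction the spec no longer has. The 5.4.72-2 changelog entry in this same diff says the package is being enabled for Arm64, which makes the first comment line untrue as written. I would drop that line and keep only the noarch remark, reworded to say why the base package stays arch-specific. If the build should still be limited to the architectures Hyper-V guests run on, the tag could instead be restored as `ExclusiveArch: x86_64 aarch64`.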
@@ -93,17 +86,16 @@ a file (over VMBUS) into the Linux Guest. The daemon first registers with the kernel driver. After this is done it waits for instructions from Windows Host. - %package license -Summary: License of the Hyper-V daemons suite -BuildArch: noarch +Summary: License of the Hyper-V daemons suite +BuildArch: noarch %description license Contains license of the Hyper-V daemons suite. %package -n hyperv-tools -Summary: Tools for Hyper-V guests -BuildArch: noarch +Summary: Tools for Hyper-V guests +BuildArch: noarch %description -n hyperv-tools Contains tools and scripts useful for Hyper-V guests. @@ -115,21 +107,20 @@ Contains tools and scripts useful for Hyper-V guests. pushd tools/hv # HYPERV KVP DAEMON -%{__cc} $RPM_OPT_FLAGS -c hv_kvp_daemon.c +%{__cc} %{optflags} -c hv_kvp_daemon.c %{__cc} $RPM_LD_FLAGS hv_kvp_daemon.o -o %{hv_kvp_daemon} # HYPERV VSS DAEMON -%{__cc} $RPM_OPT_FLAGS -c hv_vss_daemon.c +%{__cc} %{optflags} -c hv_vss_daemon.c %{__cc} $RPM_LD_FLAGS hv_vss_daemon.o -o %{hv_vss_daemon} # HYPERV FCOPY DAEMON -%{__cc} $RPM_OPT_FLAGS -c hv_fcopy_daemon.c +%{__cc} %{optflags} -c hv_fcopy_daemon.c %{__cc} $RPM_LD_FLAGS hv_fcopy_daemon.o -o %{hv_fcopy_daemon} popd %install -rm -rf %{buildroot} mkdir -p %{buildroot}%{_sbindir} install -p -m 0755 tools/hv/%{hv_kvp_daemon} %{buildroot}%{_sbindir} @@ -174,7 +165,6 @@ if [ "$1" -eq "0" ] ; then rm -rf %{_sharedstatedir}/hyperv || : fi - %post -n hypervvssd if [ $1 -gt 1 ] ; then # Upgrade @@ -187,7 +177,6 @@ fi %preun -n hypervvssd %systemd_preun hypervvssd.service - %post -n hypervfcopyd if [ $1 -gt 1 ] ; then # Upgrade @@ -200,7 +189,6 @@ fi %preun -n hypervfcopyd %systemd_preun hypervfcopyd.service - %files # the base package does not contain any files. 
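Review bot: In %build the three compile lines were switched to `%{optflags}`, but the three link lines still take `$RPM_LD_FLAGS` from the environment. Whether that variable is exported in this build environment is not visible in the diff; if it is empty, the kvp, vss and fcopy daemons installed into `%{_sbindir}` are linked without the distribution's hardening link flags (RELRO, immediate binding and similar). Using a macro on the link lines as well would keep compile and link consistent, e.g. `%{__cc} %{build_ldflags} hv_kvp_daemon.o -o %{hv_kvp_daemon}`, or whichever ldflags macro this distribution's macro set defines. The same change applies to the hv_vss_daemon and hv_fcopy_daemon link lines.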
@@ -228,15 +216,21 @@ fi %files -n hyperv-tools %{_sbindir}/lsvmbus - %changelog -* Tue Sep 01 2020 Chris Co 5.4.51-2 +* Wed Nov 11 2020 Suresh Babu Chalamalasetty - 5.4.72-2 +- Enable Hyper-V daemons package building for Arm64 arch + +* Mon Oct 26 2020 Chris Co - 5.4.72-1 +- Update source to 5.4.72 +- Lint spec + +* Tue Sep 01 2020 Chris Co - 5.4.51-2 - Update source hash -* Wed Aug 19 2020 Chris Co 5.4.51-1 +* Wed Aug 19 2020 Chris Co - 5.4.51-1 - Update source to 5.4.51 -* Tue Jun 16 2020 Paul Monson 5.4.42-1 +* Tue Jun 16 2020 Paul Monson - 5.4.42-1 - Initial CBL-Mariner import from Fedora 32 (license: MIT) - Update to match version 5.4.42 of the kernel. diff --git a/SPECS/ipv6calc/ipv6calc-2.2.0-patch-8c7eea58.diff b/SPECS/ipv6calc/ipv6calc-2.2.0-patch-8c7eea58.diff new file mode 100644 index 00000000000..2eeb2d37d4a --- /dev/null +++ b/SPECS/ipv6calc/ipv6calc-2.2.0-patch-8c7eea58.diff @@ -0,0 +1,27 @@ +diff --git a/ipv6logconv/ipv6logconv.c b/ipv6logconv/ipv6logconv.c +index f31f5be..4483757 100644 +--- a/ipv6logconv/ipv6logconv.c ++++ b/ipv6logconv/ipv6logconv.c +@@ -58,7 +58,7 @@ static void lineparser(const long int outputtype); + /* LRU cache */ + + #define CACHE_LRU_SIZE 200 +- ++int cache_lru_limit; + static int cache_lru_max = 0; + static int cache_lru_last = 0; + static char cache_lru_key_token[CACHE_LRU_SIZE][NI_MAXHOST]; +diff --git a/ipv6logconv/ipv6logconv.h b/ipv6logconv/ipv6logconv.h +index 946b042..9699e2c 100644 +--- a/ipv6logconv/ipv6logconv.h ++++ b/ipv6logconv/ipv6logconv.h +@@ -20,8 +20,7 @@ + #define DEBUG_ipv6logconv_general 0x00000001l + #define DEBUG_ipv6logconv_processing 0x00000002l + +-/* prototyping */ +-int cache_lru_limit; ++extern int cache_lru_limit; + + extern int feature_reg; + extern int feature_ieee; diff --git a/SPECS/ipv6calc/ipv6calc.signatures.json b/SPECS/ipv6calc/ipv6calc.signatures.json new file mode 100644 index 00000000000..6c496c239bd --- /dev/null +++ b/SPECS/ipv6calc/ipv6calc.signatures.json 
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "ipv6calc-2.2.0.tar.gz": "1935352f6171b07f18ce0487ee95ffcc006ea3f653f7cba564d2d8e135f04ca1"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/ipv6calc/ipv6calc.spec b/SPECS/ipv6calc/ipv6calc.spec
new file mode 100644
index 00000000000..eded9812395
--- /dev/null
+++ b/SPECS/ipv6calc/ipv6calc.spec
@@ -0,0 +1,634 @@ +# mod_ipv6calc related +%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}} +%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}} +%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}} +# database support (deselectable) +%if "%{?_without_ip2location:0}%{?!_without_ip2location:1}" == "1" +%define enable_ip2location 1 +%endif +%if "%{?_without_geoip:0}%{?!_without_geoip:1}" == "1" +%define enable_geoip 1 +%endif +%if "%{?_without_dbip:0}%{?!_without_dbip:1}" == "1" +%define enable_dbip 1 +%endif +%if "%{?_without_external:0}%{?!_without_external:1}" == "1" +%define enable_external 1 +%endif +# database locations +%define ip2location_db %{_datadir}/IP2Location +%define geoip_db %{_datadir}/GeoIP +%define dbip_db %{_datadir}/DBIP +%define external_db %{_datadir}/%{name}/db +# Berkeley DB selector +%define require_db4 %(echo "%{dist}" | grep -E -q '^\.el(5|6)$' && echo 1 || echo 0) +# shared library support (deselectable) +%if "%{?_without_shared:0}%{?!_without_shared:1}" == "1" +%define enable_shared 1 +%endif +Summary: IPv6 address format change and calculation utility +Name: ipv6calc +Version: 2.2.0 +Release: 41%{?dist} +License: GPLv2 +Vendor: Microsoft Corporation +Distribution: Mariner +URL: http://www.deepspace6.net/projects/%{name}.html +Source0: ftp://ftp.bieringer.de/pub/linux/IPv6/ipv6calc/%{name}-%{version}.tar.gz +Patch0: ipv6calc-2.2.0-patch-8c7eea58.diff +BuildRequires: gcc +BuildRequires: openssl-devel +BuildRequires: perl +BuildRequires: procps-ng +BuildRequires: perl(Digest::MD5) +BuildRequires: perl(strict) +BuildRequires: perl(warnings) +#Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) +%if %{enable_shared} +Provides: ipv6calc-libs = %{version}-%{release} +%else +Conflicts: ipv6calc-libs +%endif + +%if %{require_db4} +BuildRequires: db4-devel +%else +BuildRequires: libdb-devel +%endif + +%description +ipv6calc is a small utility 
which formats and calculates IPv4/IPv6 addresses +in different ways. + +Install this package, if you want to retrieve information about a particular +IPv4/IPv6/MAC address (-i ADDRESS) or make life easier in adding entries to +reverse IPv6 DNS zones (e.g. -a 2001:db8:1234::1/48). + +In addition many format and type conversions are supported, see online help +and/or given URL for more. + +Also this package contains additional programs + - ipv6loganon: anonymize Apache web server logs + - ipv6logconv: special Apache web server log converter + (examples included for use with analog) + - ipv6logstats: create statistics from list of IPv4/IPv6 addresses + (examples included for use with gnu-plot) + - mod_ipv6calc: Apache module for anonymization/information logging on-the-fly + +Support for following databases + - IP2Location %{?enable_ip2location:ENABLED}%{?!enable_ip2location:DISABLED} + default directory for downloaded db files: %{ip2location_db} + (requires also external library on system) + + - GeoIP %{?enable_geoip:ENABLED}%{?!enable_geoip:DISABLED} + default directory for downloaded db files: %{geoip_db} + (requires also external library on system) + + - GeoIP v2 %{?enable_mmdb:ENABLED}%{?!enable_mmdb:DISABLED} + default directory for downloaded db files: %{geoip_db} + (requires also external library on system) + + - db-ip.com %{?enable_dbip:ENABLED}%{?!enable_dbip:DISABLED} + (once generated database files are found on system) + default directory for generated db files: %{dbip_db} + + - db-ip.com v2 %{?enable_mmdb:ENABLED}%{?!enable_mmdb:DISABLED} + (once generated database files are found on system) + default directory for generated db files: %{dbip_db} + + - External %{?enable_external:ENABLED}%{?!enable_external:DISABLED} + default directory for generated db files: %{external_db} + +Built %{?enable_shared:WITH}%{?!enable_shared:WITHOUT} shared-library + +Available rpmbuild rebuild options: + --without ip2location + --without geoip + --without dbip + --without 
mmdb (which disables GeoIP v2 and db-ip.com v2) + --without external + --without shared + --without mod_ipv6calc + +%package ipv6calcweb +Summary: IP address information web utility +BuildRequires: perl(Digest::MD5) +Requires: httpd +Requires: ipv6calc +Requires: perl(Digest::MD5) + +%description ipv6calcweb +ipv6calcweb contains a CGI program and a configuration file for +displaying information of IP addresses on a web page using ipv6calc. + +Check/adjust %{_sysconfdir}/httpd/conf.d/ipv6calcweb.conf +Default restricts access to localhost + +%prep +%setup -q + +%patch0 -p1 + +%configure \ + %{?enable_ip2location:--enable-ip2location} \ + %{?enable_ip2location:--with-ip2location-dynamic --with-ip2location-headers-fallback} \ + --with-ip2location-db=%{ip2location_db} \ + %{?enable_geoip:--enable-geoip} \ + %{?enable_geoip:--with-geoip-dynamic --with-geoip-headers-fallback} \ + --with-geoip-db=%{geoip_db} \ + %{?enable_dbip:--enable-dbip} \ + --with-dbip-db=%{dbip_db} \ + %{?enable_mmdb:--enable-mmdb --with-mmdb-dynamic} \ + %{?enable_external:--enable-external} \ + --with-external-db=%{external_db} \ + %{?enable_shared:--enable-shared} \ + %{?enable_mod_ipv6calc:--enable-mod_ipv6calc} + + +%build +make clean +make %{?_smp_mflags} COPTS="%{optflags}" + + +%install +make install DESTDIR=%{buildroot} + +## Install examples and helper files +install -d -p %{buildroot}%{_docdir}/%{name}-%{version}/ + +## examples +install -d %{buildroot}%{_datadir}/%{name}/examples/ + +# ipv6logconv +install -d %{buildroot}%{_datadir}/%{name}/examples/ipv6logconv +for file in examples/analog/*.{cfg,txt,tab,sh}; do + install $file %{buildroot}%{_datadir}/%{name}/examples/ipv6logconv/ +done + +# ipv6loganon +install -d %{buildroot}%{_datadir}/%{name}/examples/ipv6loganon +for file in ipv6loganon/README; do + install $file %{buildroot}%{_datadir}/%{name}/examples/ipv6loganon/ +done + +# ipv6logstats +install -d %{buildroot}%{_datadir}/%{name}/examples/ipv6logstats +for file in 
ipv6logstats/README ipv6logstats/example_* ipv6logstats/collect_ipv6logstats.pl; do + install $file %{buildroot}%{_datadir}/%{name}/examples/ipv6logstats/ +done + + +# db directory +install -d %{buildroot}%{external_db} + +# selinux +install -d %{buildroot}%{_datadir}/%{name}/selinux + + +# ipv6calcweb +install -d %{buildroot}%{_sysconfdir}/httpd/conf.d +install -d %{buildroot}%{_localstatedir}/www/cgi-bin + +install ipv6calcweb/ipv6calcweb.conf %{buildroot}%{_sysconfdir}/httpd/conf.d/ +install -m 755 ipv6calcweb/ipv6calcweb.cgi %{buildroot}%{_localstatedir}/www/cgi-bin/ +install -m 644 ipv6calcweb/ipv6calcweb-databases-in-var.te %{buildroot}%{_datadir}/%{name}/selinux/ + +%clean +rm -rf %{buildroot} + +%check +%ifnarch ppc64 + make test +%endif + + +%files +%license COPYING LICENSE +%doc ChangeLog README README.* CREDITS TODO USAGE doc/ipv6calc.lyx doc/ipv6calc.sgml doc/ipv6calc.html doc/ipv6calc.xml + +%defattr(644,root,root,755) + +# binaries +%attr(755,-,-) %{_bindir}/* + +# man pages +%{_mandir}/man8/* + +# tools +%attr(755,-,-) %{_datadir}/%{name}/tools/* + +# selinux +%attr(644,-,-) %{_datadir}/%{name}/selinux/* + +# shared library +%{?enable_shared:%attr(755,-,-) %{_libdir}/libipv6calc*} + +# database directory +%{external_db} + +# examples +%attr(755,-,-) %{_datadir}/%{name}/examples/*/*.pl +%attr(755,-,-) %{_datadir}/%{name}/examples/*/*.sh +%{_datadir}/%{name}/examples/ipv6loganon/ +%{_datadir}/%{name}/examples/ipv6logconv/ +%{_datadir}/%{name}/examples/ipv6logstats/ + +%files ipv6calcweb +%license COPYING LICENSE +%doc ipv6calcweb/README ipv6calcweb/USAGE + +%defattr(644,root,root,755) + +%attr(755,-,-) %{_localstatedir}/www/cgi-bin/ipv6calcweb.cgi +%config(noreplace) %{_sysconfdir}/httpd/conf.d/ipv6calcweb.conf + +%post +%{_sbindir}/ldconfig + +%postun +%{_sbindir}/ldconfig + +%changelog +* Wed Oct 21 2020 Henry Beberman - 2.2.0-41 +- Initial CBL-Mariner import from Fedora 32 (license: MIT). +- License verified. 
+ +* Wed Jan 29 2020 Fedora Release Engineering - 2.2.0-40 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jan 24 2020 Peter Bieringer - 2.2.0-39 +- add patch for BZ#1793903 + +* Sat Oct 12 2019 Peter Bieringer - 2.2.0-38 +- new release 2.2.0 + +* Sat Sep 07 2019 Peter Bieringer - 2.1.1-36 +- new release 2.1.1 + +* Thu Jul 25 2019 Fedora Release Engineering - 2.1.0-35 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri May 31 2019 Jitka Plesnikova - 2.1.0-34 +- Perl 5.30 rebuild + +* Fri Apr 05 2019 Peter Bieringer - 2.1.0-33 +- new release 2.1.0 + +* Tue Feb 05 2019 Peter Bieringer - 2.0.0-32 +- new release 2.0.0 +- subpackage ipv6calcweb: remove dependency Perl(Proc::ProcessTable) +- add dependency libmaxminddb-devel + +* Fri Feb 01 2019 Fedora Release Engineering - 1.1.0-30 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sat Jan 26 2019 Peter Bieringer - 1.1.0-29 +- new release 1.1.0 +- subpackage ipv6calcweb: add dependency Perl(Proc::ProcessTable) +- fix bug in lib/libipv6addr.c + +* Fri Jul 13 2018 Fedora Release Engineering - 1.0.0-27 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Jun 28 2018 Jitka Plesnikova - 1.0.0-26 +- Perl 5.28 rebuild + +* Wed Feb 07 2018 Fedora Release Engineering - 1.0.0-25 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Feb 03 2018 Peter Bieringer - 1.0.0-24 +- fix compiler warnings introduced with gcc8 and also code (BZ#1541367) + +* Mon Sep 18 2017 Peter Bieringer - 1.0.0-23 +- mod_ipv6calc: fix missing link flags + +* Wed Aug 02 2017 Fedora Release Engineering - 1.0.0-22 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 1.0.0-21 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Jun 23 2017 Peter Bieringer - 1.0.0-20 +- new release 1.0.0 + +* Sun Jun 04 2017 Jitka Plesnikova - 0.99.2-19 
+- Perl 5.26 rebuild + +* Sun Apr 16 2017 Peter Bieringer +- add missing build requirement procps-ng + +* Sun Feb 12 2017 Peter Bieringer +- add ipv6calc-0.99.2-2017-02-12.patch to fix broken build + +* Fri Feb 10 2017 Fedora Release Engineering - 0.99.2-18 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Wed Dec 28 2016 Peter Bieringer - 0.99.2-17 +- new release 0.99.2 +- add support for git commit hash + +* Sun May 15 2016 Jitka Plesnikova - 0.99.1-16 +- Perl 5.24 rebuild + +* Thu Feb 04 2016 Peter Bieringer - 0.99.1-15 +- minor fixes to make fedpkg lint happy + +* Wed Feb 03 2016 Peter Bieringer - 0.99.1-14 +- conditionally set compiler option -Wno-unused-const-variable + +* Sat Sep 05 2015 Peter Bieringer - 0.99.1-13 +- new release 0.99.1 (introduces new subpackage mod_ipv6calc) + +* Sat Jul 25 2015 Peter Bieringer +- Replace ipv6calc.{lyx,sgml,html,xml} by dedicated file.suffix + +* Wed Jun 17 2015 Fedora Release Engineering - 0.99.0-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat Jun 06 2015 Jitka Plesnikova - 0.99.0-11 +- Perl 5.22 rebuild + +* Sat May 02 2015 Peter Bieringer - 0.99.0-10 +- new release 0.99.0 + +* Mon Mar 02 2015 Peter Bieringer - 0.98.0-10 +- new (fixed) upstream 0.98.0 tar.gz + +* Sun Mar 01 2015 Peter Bieringer - 0.98.0-9 +- remove not necessary x-bits for some files by proper definition in files section + +* Fri Feb 20 2015 Peter Bieringer - 0.98.0-8 +- new release 0.98.0 + +* Wed Feb 18 2015 Peter Bieringer +- add support for conditional builds + +* Sat Oct 25 2014 Peter Bieringer +- add /usr/share/ipv6calc/db directory + +* Sat Oct 11 2014 Peter Bieringer +- add additional requirements for ipv6calc-ipv6calcweb +- enable db-ip.com & external database support + +* Thu Aug 28 2014 Jitka Plesnikova - 0.97.4-7 +- Perl 5.20 rebuild + +* Tue Aug 19 2014 Peter Bieringer - 0.97.4-7 +- new package for EPEL6/EPEL7 + +* Sun Aug 17 2014 Peter Bieringer +- add missing requirement for 
ipv6calc-ipv6calcweb + +* Sat Aug 16 2014 Fedora Release Engineering - 0.97.4-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Aug 02 2014 Peter Bieringer - 0.97.4-5 +- new release 0.97.4 + +* Thu Jul 31 2014 Peter Bieringer +- include also tools into main package +- remove UTF-8 conversion, fixed in upstream now + +* Tue Jul 29 2014 Peter Bieringer +- introduce subpackage ipv6calcweb (align with upstream) +- enable fallback option for IP2Location +- build with dynamic load of GeoIP and IP2Location support + +* Thu Jul 17 2014 Peter Bieringer +- replace DESTDIR=$RPM_BUILD_ROOT with macro, define BuildRoot + +* Wed Jul 16 2014 Peter Bieringer +- change requirements from krb5-libs/devel to openssl(-libs)/-devel + +* Tue Jul 15 2014 Peter Bieringer - 0.97.3-3 +- align package description with upstream + +* Mon Jul 14 2014 Peter Bieringer - 0.97.3-2 +- new release 0.97.3 + +* Sat Jun 07 2014 Fedora Release Engineering - 0.97.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Mon May 26 2014 Marcela Mašláňová - 0.97.2-2 +- new release 0.97.2 + +* Wed May 21 2014 Marcela Mašláňová - 0.97.1-1 +- new release 0.97.1 + +* Mon May 19 2014 Marcela Mašláňová - 0.97.0-1 +- new release 0.97 + +* Fri Feb 14 2014 Marcela Mašláňová - 0.96.0-1 +- new release 0.96 + +* Mon Dec 2 2013 Marcela Mašláňová - 0.95.0-1 +- new release #1033041 + +* Sat Aug 03 2013 Fedora Release Engineering - 0.94.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Sun Jul 21 2013 Petr Pisar - 0.94.1-2 +- Perl 5.18 rebuild + +* Tue May 14 2013 Marcela Mašláňová - 0.94.1-1 +- update to 0.94.1 + +* Mon Feb 18 2013 Marcela Mašláňová - 0.93.1-6 +- fix days in changelog + +* Thu Feb 14 2013 Fedora Release Engineering - 0.93.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Aug 2 2012 Marcela Mašláňová - 0.93.1-4 +- 804317 on ppc64 tests never fully worked, conditionalized + +* Thu Jul 19 2012 
Fedora Release Engineering - 0.93.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon Jun 11 2012 Petr Pisar - 0.93.1-2 +- Perl 5.16 rebuild + +* Mon Feb 6 2012 Marcela Mašláňová - 0.93.1-1 +- minor update + +* Sun Jan 22 2012 Marcela Mašláňová - 0.93.0-1 +- update to 0.93 release +- add Perl requirements for cgi + +* Fri Jan 13 2012 Fedora Release Engineering - 0.92.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Oct 10 2011 Marcela Mašláňová - 0.92.0-1 +- update to 0.92 release + +* Fri May 27 2011 Marcela Mašláňová - 0.90.0-1 +- update to 0.90 release + +* Fri May 6 2011 Marcela Mašláňová - 0.82.1-1 +- update to 0.82.1 release + +* Wed Mar 30 2011 Marcela Mašláňová - 0.82.0-1 +- update to 0.82.0 release + +* Mon Feb 28 2011 Marcela Mašláňová - 0.81.0-1 +- update to the new upstream version + +* Wed Feb 09 2011 Fedora Release Engineering - 0.80.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue Jan 4 2011 Marcela Mašláňová - 0.80.0-1 +- update to the latest version + +* Mon Mar 01 2010 Marcela Mašláňová - 0.73.0-1 +- update to the latest version + +* Fri Jul 24 2009 Fedora Release Engineering - 0.72.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Jun 01 2009 Marcela Mašláňová - 0.72.1-1 +- update to the latest version +- change installonly to standart DESTDIR + +* Wed Feb 25 2009 Fedora Release Engineering - 0.71.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu Jul 31 2008 Tom "spot" Callaway - 0.71.0-3 +- fix license tag + +* Tue Feb 19 2008 Fedora Release Engineering - 0.71.0-2 +- Autorebuild for GCC 4.3 + +* Mon Aug 20 2007 Marcela Maslanova - 0.71.0-1 +- new version from upstream + +* Tue Feb 27 2007 Marcela Maslanova - 0.61-2 +- package merge review +- rhbz#225910 + +* Fri Sep 01 2006 Marcela Maslanova - 0.61-1 +- upgrade to 0.61-1 - from upstream + +* Wed Jul 12 2006 Jesse Keating - 0.60.1-1.1 +- 
rebuild + +* Tue Jul 11 2006 Radek Vokál 0.60.1-1 +- upgrade to 0.60.1 - fix for big endian archs + +* Sun Jun 25 2006 Radek Vokál 0.60.0-1 +- upgrade to 0.60.0 + +* Wed Feb 22 2006 Radek Vokál 0.51-1 +- upgrade to 0.51 + +* Fri Feb 10 2006 Jesse Keating - 0.50-1.2.1 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 0.50-1.2 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Fri Sep 16 2005 Radek Vokal 0.50-1 +- due to several other off-by-one bugs upgrade to 0.50 + +* Thu Sep 15 2005 Radek Vokal 0.49-2 +- smash stack fix in ipv6calc_copy +- increase len of tmpstr + +* Thu Sep 15 2005 Radek Vokal 0.49-1 +- upgrade to 0.49 + +* Tue Apr 19 2005 Radek Vokal 0.48-5 +- using CVS tarball, patch clean-up + +* Sun Apr 17 2005 Robert Scheck +- lots of spec file cleanups (#155164) + +* Wed Apr 13 2005 Florian La Roche +- remove empty scripts + +* Fri Mar 04 2005 Radek Vokal 0.48-3 +- gcc4 rebuilt + +* Mon Nov 1 2004 Radek Vokal 0.48-2 +- spec file cleanup +- md5 patch for makefile + +* Sat Oct 30 2004 Peter Bieringer +- remove openssl(-devel) from requirements, no longer needed + +* Tue Oct 26 2004 Radek Vokal 0.47-4 +- spec file cleanup, typo patch + +* Mon Oct 18 2004 Radek Vokal 0.47-3 +- initial build for Fedora Core + +* Sat Nov 22 2003 Peter Bieringer +- adjustments + +* Fri Nov 21 2003 Peter Bieringer +- add ipv6logstats +- add man pages +- add configure options + +* Mon Nov 11 2002 Peter Bieringer +- change IPv6 address in description + +* Sat Apr 20 2002 Peter Bieringer +- Change URL + +* Sun Apr 07 2002 Peter Bieringer +- add more analog example files + +* Fri Apr 05 2002 Peter Bieringer +- remove BuildRequires extension, not needed for normal build + +* Sun Mar 24 2002 Peter Bieringer +- extend BuildRequires for perl /usr/bin/aggregate wget + +* Mon Mar 18 2002 Peter Bieringer +- add ipv6calcweb.cgi + +* Sat Mar 16 2002 Peter Bieringer +- add ipv6logconv, analog examples + +* Mon 
Mar 11 2002 Peter Bieringer +- Add perl to buildrequire and openssl to require + +* Mon Jan 21 2002 Peter Bieringer +- Add LICENSE + COPYING file + +* Thu Dec 27 2001 Peter Bieringer +- Add comment header +- Add call to configure on build + +* Tue Dec 18 2001 Peter Bieringer +- Replace hardwired version number with autoconf/configure variable + +* Wed Apr 25 2001 Peter Bieringer +- Fix permissions of doc files + +* Thu Mar 15 2001 Peter Bieringer +- Add doc directory also to files to make sure the directory will be removed on update or deinstall +- change install permissions for entries in doc directory +- change "make install" to "make installonly" (make test should be only executed once) + +* Wed Mar 14 2001 Peter Bieringer +- Add "make clean" and "make test" on build + +* Tue Mar 13 2001 Peter Bieringer +- add CREDITS and TODO for install + +* Sat Mar 10 2001 Peter Bieringer +- enable "URL" + +* Sun Mar 04 2001 Peter Bieringer +- change install location to /bin + +* Tue Feb 27 2001 Peter Bieringer +- review for new release, now named "ipv6calc" +- review install section for RedHat 7.0.91 + +* Sun Feb 25 2001 Peter Bieringer +- initial build diff --git a/SPECS/json-c/json-c.spec b/SPECS/json-c/json-c.spec index 0806fc32567..b7b27c9e6d6 100644 --- a/SPECS/json-c/json-c.spec +++ b/SPECS/json-c/json-c.spec @@ -1,7 +1,7 @@ Summary: A JSON implementation in C Name: json-c Version: 0.14 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT Group: System Environment/Base Vendor: Microsoft Corporation @@ -42,7 +42,8 @@ make DESTDIR=%{buildroot} install -C build rm -r %{buildroot}%{_libdir}/cmake/%{name} %check -make %{?_smp_mflags} check -C build +cd build/tests +make %{?_smp_mflags} test %post -p /sbin/ldconfig %postun -p /sbin/ldconfig 
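Review bot: `%if %{enable_shared}` in the ipv6calc.spec preamble only parses when the macro is defined. With `--without shared` the conditional at the top leaves `enable_shared` undefined, the reference stays unexpanded, and the `%if` fails instead of reaching the `Conflicts: ipv6calc-libs` branch. Writing it as `%if 0%{?enable_shared}` makes the documented rebuild option work. `enable_mmdb` and `enable_mod_ipv6calc` are tested with `%{?...}` in %description and %configure but are not defined anywhere in this spec, so the `--without mmdb` and `--without mod_ipv6calc` options listed in the description have nothing to switch off. Either define them the same way as the other four options or remove them from the list.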
@@ -59,6 +60,8 @@ make %{?_smp_mflags} check -C build %{_libdir}/pkgconfig/%{name}.pc %changelog +* Thu Nov 19 2020 Andrew Phelps 0.14-3 +- Fix check tests * Tue Aug 04 2020 Henry Beberman 0.14-2 - Add a patch to fix a bug introduced by CVE-2020-12762.patch * Mon Jun 08 2020 Pawel Winogrodzki 0.14-1 diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json index 5b8cb3407f4..77d9da1173f 100644 --- a/SPECS/kernel-headers/kernel-headers.signatures.json +++ b/SPECS/kernel-headers/kernel-headers.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "linux-msft-5.4.51.tar.gz": "3bcd6b09e952fac4f708614658b508ce80c8e25c04780b6b44a481b1479a08e7" + "linux-msft-5.4.72.tar.gz": "3407ccf8505595ae3e7a7b30c206190a0762f3e202f21f9de88a8d59e182ddef" } } \ No newline at end of file diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 02722f4bd62..2d83909dec2 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -1,21 +1,25 @@ Summary: Linux API header files Name: kernel-headers -Version: 5.4.51 -Release: 2%{?dist} +Version: 5.4.72 +Release: 1%{?dist} License: GPLv2 -URL: https://github.com/microsoft/WSL2-Linux-Kernel -Group: System Environment/Kernel Vendor: Microsoft Corporation Distribution: Mariner +Group: System Environment/Kernel +URL: https://github.com/microsoft/WSL2-Linux-Kernel Source0: https://github.com/microsoft/WSL2-Linux-Kernel/archive/linux-msft-%{version}.tar.gz BuildArch: noarch + %description The Linux API Headers expose the kernel's API for use by Glibc. + %prep %setup -q -n WSL2-Linux-Kernel-linux-msft-%{version} + %build make mrproper make headers_check + %install cd %{_builddir}/WSL2-Linux-Kernel-linux-msft-%{version} make headers 
@@ -23,94 +27,144 @@ find usr/include -name '.*' -delete rm usr/include/Makefile mkdir -p /%{buildroot}%{_includedir} cp -rv usr/include/* /%{buildroot}%{_includedir} + %files %defattr(-,root,root) +%license COPYING %{_includedir}/* + %changelog -* Tue Sep 01 2020 Chris Co 5.4.51-2 -- Update source hash -* Wed Aug 19 2020 Chris Co 5.4.51-1 -- Update source to 5.4.51 -* Fri Jun 12 2020 Chris Co 5.4.42-1 -- Update source to 5.4.42 -* Thu Apr 30 2020 Emre Girgin 5.4.23-2 -- Renaming linux-api-headers to kernel-headers -* Tue Dec 10 2019 Chris Co 5.4.23-1 -- Update to Microsoft Linux Kernel 5.4.23. -- Use make headers since with 5.4, headers_install now requires rsync. -* Tue Sep 03 2019 Mateusz Malisz 4.19.52-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Jun 17 2019 Srivatsa S. Bhat (VMware) 4.19.52-1 -- Update to version 4.19.52 -* Tue May 07 2019 Ajay Kaher 4.19.40-1 -- Update to version 4.19.40 -* Wed Mar 27 2019 Srivatsa S. Bhat (VMware) 4.19.32-1 -- Update to version 4.19.32 -* Thu Mar 14 2019 Srivatsa S. Bhat (VMware) 4.19.29-1 -- Update to version 4.19.29 -* Tue Mar 05 2019 Ajay Kaher 4.19.26-1 -- Update to version 4.19.26 -* Tue Jan 15 2019 Srivatsa S. Bhat (VMware) 4.19.15-1 -- Update to version 4.19.15 -* Mon Dec 10 2018 Srivatsa S. Bhat (VMware) 4.19.6-1 -- Update to version 4.19.6 -* Mon Nov 05 2018 Srivatsa S. Bhat (VMware) 4.19.1-1 -- Update to version 4.19.1 -* Thu Sep 20 2018 Srivatsa S. Bhat 4.18.9-1 -- Update to version 4.18.9 -* Wed Sep 19 2018 Srivatsa S. Bhat 4.14.67-1 -- Update to version 4.14.67 -* Mon Jul 09 2018 Him Kalyan Bordoloi 4.14.54-1 -- Update to version 4.14.54 -* Fri Dec 22 2017 Alexey Makhalov 4.14.8-1 -- Version update -* Mon Dec 04 2017 Srivatsa S. Bhat 4.9.66-1 -- Version update -* Tue Nov 21 2017 Srivatsa S. Bhat 4.9.64-1 -- Version update -* Mon Nov 06 2017 Srivatsa S. Bhat 4.9.60-1 -- Version update -* Thu Oct 05 2017 Srivatsa S. Bhat 4.9.53-1 -- Version update -* Mon Oct 02 2017 Srivatsa S. 
Bhat 4.9.52-1 -- Version update -* Mon Sep 04 2017 Alexey Makhalov 4.9.47-1 -- Version update -* Mon Aug 14 2017 Alexey Makhalov 4.9.43-1 -- Version update -* Wed Jun 28 2017 Alexey Makhalov 4.9.34-1 -- Version update -* Fri May 26 2017 Alexey Makhalov 4.9.30-1 -- Version update -* Tue May 16 2017 Alexey Makhalov 4.9.28-1 -- Version update -* Wed May 10 2017 Alexey Makhalov 4.9.27-1 -- Update to linux-4.9.27 -* Sun May 7 2017 Alexey Makhalov 4.9.26-1 -- Update to linux-4.9.26 -* Tue Apr 25 2017 Alexey Makhalov 4.9.24-1 -- Update to linux-4.9.24 -* Tue Feb 28 2017 Alexey Makhalov 4.9.13-1 -- Update to linux-4.9.13 -* Thu Feb 09 2017 Alexey Makhalov 4.9.9-1 -- Update to linux-4.9.9 -* Tue Jan 10 2017 Alexey Makhalov 4.9.2-1 -- Update to linux-4.9.2 -* Mon Dec 12 2016 Alexey Makhalov 4.9.0-1 -- Update to linux-4.9.0 -* Mon Nov 28 2016 Alexey Makhalov 4.4.35-1 -- Update to linux-4.4.35 -* Thu Nov 10 2016 Alexey Makhalov 4.4.31-1 -- Update to linux-4.4.31 -* Wed Sep 7 2016 Alexey Makhalov 4.4.20-1 -- Update kernel version to 4.4.20 -* Tue May 24 2016 Priyesh Padmavilasom 4.4.8-2 -- GA - Bump release of all rpms -* Thu Apr 28 2016 Alexey Makhalov 4.4.8-1 -- Update to linux-4.4.8 -* Wed Dec 16 2015 Harish Udaiya Kumar 4.2.0-1 -- Upgrading kernel version to 4.2.0. -* Wed Aug 12 2015 Sharath George 4.0.9-1 -- Upgrading kernel version. -* Wed Nov 5 2014 Divya Thaluru 3.13.3-1 -- Initial build. First version +* Mon Oct 26 2020 Chris Co - 5.4.72-1 +- Update source to 5.4.72 +- Add license file +- Lint spec + +* Tue Sep 01 2020 Chris Co - 5.4.51-2 +- Update source hash + +* Wed Aug 19 2020 Chris Co - 5.4.51-1 +- Update source to 5.4.51 + +* Fri Jun 12 2020 Chris Co - 5.4.42-1 +- Update source to 5.4.42 + +* Thu Apr 30 2020 Emre Girgin - 5.4.23-2 +- Renaming linux-api-headers to kernel-headers + +* Tue Dec 10 2019 Chris Co - 5.4.23-1 +- Update to Microsoft Linux Kernel 5.4.23. +- Use make headers since with 5.4, headers_install now requires rsync. 
+ +* Tue Sep 03 2019 Mateusz Malisz - 4.19.52-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Mon Jun 17 2019 Srivatsa S. Bhat (VMware) 4.19.52-1 +- Update to version 4.19.52 + +* Tue May 07 2019 Ajay Kaher - 4.19.40-1 +- Update to version 4.19.40 + +* Wed Mar 27 2019 Srivatsa S. Bhat (VMware) 4.19.32-1 +- Update to version 4.19.32 + +* Thu Mar 14 2019 Srivatsa S. Bhat (VMware) 4.19.29-1 +- Update to version 4.19.29 + +* Tue Mar 05 2019 Ajay Kaher - 4.19.26-1 +- Update to version 4.19.26 + +* Tue Jan 15 2019 Srivatsa S. Bhat (VMware) 4.19.15-1 +- Update to version 4.19.15 + +* Mon Dec 10 2018 Srivatsa S. Bhat (VMware) 4.19.6-1 +- Update to version 4.19.6 + +* Mon Nov 05 2018 Srivatsa S. Bhat (VMware) 4.19.1-1 +- Update to version 4.19.1 + +* Thu Sep 20 2018 Srivatsa S. Bhat 4.18.9-1 +- Update to version 4.18.9 + +* Wed Sep 19 2018 Srivatsa S. Bhat 4.14.67-1 +- Update to version 4.14.67 + +* Mon Jul 09 2018 Him Kalyan Bordoloi - 4.14.54-1 +- Update to version 4.14.54 + +* Fri Dec 22 2017 Alexey Makhalov - 4.14.8-1 +- Version update + +* Mon Dec 04 2017 Srivatsa S. Bhat 4.9.66-1 +- Version update + +* Tue Nov 21 2017 Srivatsa S. Bhat 4.9.64-1 +- Version update + +* Mon Nov 06 2017 Srivatsa S. Bhat 4.9.60-1 +- Version update + +* Thu Oct 05 2017 Srivatsa S. Bhat 4.9.53-1 +- Version update + +* Mon Oct 02 2017 Srivatsa S. 
Bhat 4.9.52-1 +- Version update + +* Mon Sep 04 2017 Alexey Makhalov - 4.9.47-1 +- Version update + +* Mon Aug 14 2017 Alexey Makhalov - 4.9.43-1 +- Version update + +* Wed Jun 28 2017 Alexey Makhalov - 4.9.34-1 +- Version update + +* Fri May 26 2017 Alexey Makhalov - 4.9.30-1 +- Version update + +* Tue May 16 2017 Alexey Makhalov - 4.9.28-1 +- Version update + +* Wed May 10 2017 Alexey Makhalov - 4.9.27-1 +- Update to linux-4.9.27 + +* Sun May 7 2017 Alexey Makhalov - 4.9.26-1 +- Update to linux-4.9.26 + +* Tue Apr 25 2017 Alexey Makhalov - 4.9.24-1 +- Update to linux-4.9.24 + +* Tue Feb 28 2017 Alexey Makhalov - 4.9.13-1 +- Update to linux-4.9.13 + +* Thu Feb 09 2017 Alexey Makhalov - 4.9.9-1 +- Update to linux-4.9.9 + +* Tue Jan 10 2017 Alexey Makhalov - 4.9.2-1 +- Update to linux-4.9.2 + +* Mon Dec 12 2016 Alexey Makhalov - 4.9.0-1 +- Update to linux-4.9.0 + +* Mon Nov 28 2016 Alexey Makhalov - 4.4.35-1 +- Update to linux-4.4.35 + +* Thu Nov 10 2016 Alexey Makhalov - 4.4.31-1 +- Update to linux-4.4.31 + +* Wed Sep 7 2016 Alexey Makhalov - 4.4.20-1 +- Update kernel version to 4.4.20 + +* Tue May 24 2016 Priyesh Padmavilasom - 4.4.8-2 +- GA - Bump release of all rpms + +* Thu Apr 28 2016 Alexey Makhalov - 4.4.8-1 +- Update to linux-4.4.8 + +* Wed Dec 16 2015 Harish Udaiya Kumar - 4.2.0-1 +- Upgrading kernel version to 4.2.0. + +* Wed Aug 12 2015 Sharath George - 4.0.9-1 +- Upgrading kernel version. + +* Wed Nov 5 2014 Divya Thaluru - 3.13.3-1 +- Initial build. First version diff --git a/SPECS/kernel-hyperv/config b/SPECS/kernel-hyperv/config index 5c119d3230d..59677cefb0c 100644 --- a/SPECS/kernel-hyperv/config +++ b/SPECS/kernel-hyperv/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.4.51 Kernel Configuration +# Linux/x86_64 5.4.72 Kernel Configuration # # 
@@ -1761,7 +1761,6 @@ CONFIG_SCSI_NETLINK=y CONFIG_BLK_DEV_SD=y # CONFIG_CHR_DEV_ST is not set CONFIG_BLK_DEV_SR=y -# CONFIG_BLK_DEV_SR_VENDOR is not set CONFIG_CHR_DEV_SG=y # CONFIG_CHR_DEV_SCH is not set # CONFIG_SCSI_CONSTANTS is not set @@ -1982,6 +1981,7 @@ CONFIG_NETDEVICES=y CONFIG_NET_CORE=y # CONFIG_BONDING is not set CONFIG_DUMMY=m +# CONFIG_WIREGUARD is not set # CONFIG_EQUALIZER is not set # CONFIG_NET_FC is not set # CONFIG_IFB is not set @@ -2954,9 +2954,6 @@ CONFIG_HDMI=y # Console display driver support # CONFIG_VGA_CONSOLE=y -CONFIG_VGACON_SOFT_SCROLLBACK=y -CONFIG_VGACON_SOFT_SCROLLBACK_SIZE=64 -# CONFIG_VGACON_SOFT_SCROLLBACK_PERSISTENT_ENABLE_BY_DEFAULT is not set CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 @@ -3883,6 +3880,8 @@ CONFIG_CRYPTO_RSA=y CONFIG_CRYPTO_ECC=m CONFIG_CRYPTO_ECDH=m # CONFIG_CRYPTO_ECRDSA is not set +# CONFIG_CRYPTO_CURVE25519 is not set +# CONFIG_CRYPTO_CURVE25519_X86 is not set # # Authenticated Encryption with Associated Data @@ -3929,6 +3928,8 @@ CONFIG_CRYPTO_CRC32C_INTEL=m # CONFIG_CRYPTO_CRC32 is not set # CONFIG_CRYPTO_CRC32_PCLMUL is not set # CONFIG_CRYPTO_XXHASH is not set +# CONFIG_CRYPTO_BLAKE2S is not set +# CONFIG_CRYPTO_BLAKE2S_X86 is not set CONFIG_CRYPTO_CRCT10DIF=y # CONFIG_CRYPTO_CRCT10DIF_PCLMUL is not set CONFIG_CRYPTO_GHASH=m @@ -3945,7 +3946,6 @@ CONFIG_CRYPTO_SHA1=y # CONFIG_CRYPTO_SHA1_SSSE3 is not set # CONFIG_CRYPTO_SHA256_SSSE3 is not set # CONFIG_CRYPTO_SHA512_SSSE3 is not set -CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_SHA256=y CONFIG_CRYPTO_SHA512=y # CONFIG_CRYPTO_SHA3 is not set @@ -3958,12 +3958,10 @@ CONFIG_CRYPTO_SHA512=y # # Ciphers # -CONFIG_CRYPTO_LIB_AES=y CONFIG_CRYPTO_AES=y # CONFIG_CRYPTO_AES_TI is not set CONFIG_CRYPTO_AES_NI_INTEL=m # CONFIG_CRYPTO_ANUBIS is not set -CONFIG_CRYPTO_LIB_ARC4=m CONFIG_CRYPTO_ARC4=m # CONFIG_CRYPTO_BLOWFISH is not set # CONFIG_CRYPTO_BLOWFISH_X86_64 is not set 
@@ -3975,7 +3973,6 @@ CONFIG_CRYPTO_ARC4=m # CONFIG_CRYPTO_CAST5_AVX_X86_64 is not set # CONFIG_CRYPTO_CAST6 is not set # CONFIG_CRYPTO_CAST6_AVX_X86_64 is not set -CONFIG_CRYPTO_LIB_DES=m CONFIG_CRYPTO_DES=m # CONFIG_CRYPTO_DES3_EDE_X86_64 is not set # CONFIG_CRYPTO_FCRYPT is not set @@ -4021,6 +4018,20 @@ CONFIG_CRYPTO_USER_API_SKCIPHER=m # CONFIG_CRYPTO_USER_API_RNG is not set # CONFIG_CRYPTO_USER_API_AEAD is not set CONFIG_CRYPTO_HASH_INFO=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=m +# CONFIG_CRYPTO_LIB_BLAKE2S is not set +# CONFIG_CRYPTO_LIB_CHACHA is not set +# CONFIG_CRYPTO_LIB_CURVE25519 is not set +CONFIG_CRYPTO_LIB_DES=m +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +# CONFIG_CRYPTO_LIB_POLY1305 is not set +# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set +CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_DEV_PADLOCK is not set # CONFIG_CRYPTO_DEV_ATMEL_ECC is not set diff --git a/SPECS/kernel-hyperv/kernel-hyperv.signatures.json b/SPECS/kernel-hyperv/kernel-hyperv.signatures.json index 8aee336018e..6832d423009 100644 --- a/SPECS/kernel-hyperv/kernel-hyperv.signatures.json +++ b/SPECS/kernel-hyperv/kernel-hyperv.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "config": "d71a61261f1ef2b2f72d78066d9be7c8b08fac607fe79c40032e0566c02053cd", - "linux-msft-5.4.51.tar.gz": "3bcd6b09e952fac4f708614658b508ce80c8e25c04780b6b44a481b1479a08e7" + "config": "6e5719a3e1a9e0c15507acabfae4116298aaf45cc1764b8a9087b4e83339061e", + "linux-msft-5.4.72.tar.gz": "3407ccf8505595ae3e7a7b30c206190a0762f3e202f21f9de88a8d59e182ddef" } } \ No newline at end of file diff --git a/SPECS/kernel-hyperv/kernel-hyperv.spec b/SPECS/kernel-hyperv/kernel-hyperv.spec index a8e56f1591c..9986226f219 100644 --- a/SPECS/kernel-hyperv/kernel-hyperv.spec +++ b/SPECS/kernel-hyperv/kernel-hyperv.spec 
@@ -1,35 +1,33 @@ %global security_hardening none +%define uname_r %{version}-%{release} Summary: Linux Kernel optimized for Hyper-V Name: kernel-hyperv -Version: 5.4.51 -Release: 4%{?dist} +Version: 5.4.72 +Release: 1%{?dist} License: GPLv2 -URL: https://github.com/microsoft/WSL2-Linux-Kernel -Group: System Environment/Kernel Vendor: Microsoft Corporation Distribution: Mariner +Group: System Environment/Kernel +URL: https://github.com/microsoft/WSL2-Linux-Kernel Source0: https://github.com/microsoft/WSL2-Linux-Kernel/archive/linux-msft-%{version}.tar.gz Source1: config - -ExclusiveArch: x86_64 - +BuildRequires: audit-devel BuildRequires: bc BuildRequires: diffutils +BuildRequires: glib-devel BuildRequires: kbd BuildRequires: kmod-devel -BuildRequires: glib-devel -BuildRequires: xerces-c-devel BuildRequires: libdnet-devel BuildRequires: libmspack-devel -BuildRequires: pam-devel BuildRequires: openssl-devel +BuildRequires: pam-devel BuildRequires: procps-ng-devel -BuildRequires: audit-devel -Requires: filesystem kmod +BuildRequires: xerces-c-devel +Requires: filesystem +Requires: kmod Requires(post): coreutils Requires(postun): coreutils -%define uname_r %{version}-%{release} - +ExclusiveArch: x86_64 # When updating the config files it is important to sanitize them. # Steps for updating a config file: # 1. Extract the linux sources into a folder @@ -51,7 +49,9 @@ The kernel-hyperv package contains the Linux kernel, optimized for Hyper-V Summary: Kernel Dev Group: System Environment/Kernel Requires: %{name} = %{version}-%{release} -Requires: python3 gawk +Requires: gawk +Requires: python3 + %description devel This package contains the Linux kernel dev files @@ -59,6 +59,7 @@ This package contains the Linux kernel dev files Summary: Kernel docs Group: System Environment/Kernel Requires: python3 + %description docs This package contains the Linux kernel doc files 
@@ -66,6 +67,7 @@ This package contains the Linux kernel doc files Summary: Kernel driver for oprofile, a statistical profiler for Linux systems Group: System Environment/Kernel Requires: %{name} = %{version}-%{release} + %description oprofile Kernel driver for oprofile, a statistical profiler for Linux systems @@ -74,6 +76,7 @@ Summary: This package contains the 'perf' performance analysis tools for Group: System/Tools Requires: %{name} = %{version} Requires: audit + %description tools This package contains the 'perf' performance analysis tools for Linux kernel. @@ -120,16 +123,16 @@ for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \ %define __spec_install_post\ %{?__debug_package:%{__debug_install_post}}\ %{__arch_install_post}\ - %{__os_install_post}\ + %__os_install_post\ %{__modules_install_post}\ %{nil} %install -install -vdm 755 %{buildroot}/etc +install -vdm 755 %{buildroot}%{_sysconfdir} install -vdm 700 %{buildroot}/boot install -vdm 755 %{buildroot}%{_defaultdocdir}/linux-%{uname_r} -install -vdm 755 %{buildroot}/usr/src/linux-headers-%{uname_r} -install -vdm 755 %{buildroot}/usr/lib/debug/lib/modules/%{uname_r} +install -vdm 755 %{buildroot}%{_prefix}/src/linux-headers-%{uname_r} +install -vdm 755 %{buildroot}%{_lib}/debug/lib/modules/%{uname_r} make INSTALL_MOD_PATH=%{buildroot} modules_install # Verify for build-id match 
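Review bot: `%{_lib}` in the new `install -vdm 755 %{buildroot}%{_lib}/debug/lib/modules/%{uname_r}` line is not a path. In stock RPM macros it is the bare directory name (`lib` or `lib64`), so the expansion has no `/` after `%{buildroot}` and no `/usr` prefix, and the directory would be created beside the buildroot rather than at the `/usr/lib/debug/...` location the removed line used. To keep the old path, write `install -vdm 755 %{buildroot}%{_prefix}/lib/debug/lib/modules/%{uname_r}`. The same substitution appears in the following hunk (`install -vm 644 vmlinux ...` and `ln -s vmlinux-%{uname_r} ...`) and needs the same change, otherwise `vmlinux` ends up outside the tree that `%exclude %{_libdir}/debug` refers to. This assumes the distribution does not override `%{_lib}`, which `rpm --eval '%{_lib}'` in the build environment would confirm.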
@@ -150,9 +153,9 @@ install -vm 600 arch/x86/boot/bzImage %{buildroot}/boot/vmlinuz-%{uname_r} install -vm 400 System.map %{buildroot}/boot/System.map-%{uname_r} install -vm 600 .config %{buildroot}/boot/config-%{uname_r} cp -r Documentation/* %{buildroot}%{_defaultdocdir}/linux-%{uname_r} -install -vm 644 vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux-%{uname_r} +install -vm 644 vmlinux %{buildroot}%{_lib}/debug/lib/modules/%{uname_r}/vmlinux-%{uname_r} # `perf test vmlinux` needs it -ln -s vmlinux-%{uname_r} %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux +ln -s vmlinux-%{uname_r} %{buildroot}%{_lib}/debug/lib/modules/%{uname_r}/vmlinux cat > %{buildroot}/boot/linux-%{uname_r}.cfg << "EOF" # GRUB Environment Block 
@@ -172,16 +175,16 @@ EOF rm -rf %{buildroot}/lib/modules/%{uname_r}/source rm -rf %{buildroot}/lib/modules/%{uname_r}/build -find . -name Makefile* -o -name Kconfig* -o -name *.pl | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy -find arch/x86/include include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy -find $(find arch/x86 -name include -o -name scripts -type d) -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy -find arch/x86/include Module.symvers include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy +find . -name Makefile* -o -name Kconfig* -o -name *.pl | xargs sh -c 'cp --parents "$@" %{buildroot}%{_prefix}/src/linux-headers-%{uname_r}' copy +find arch/x86/include include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}%{_prefix}/src/linux-headers-%{uname_r}' copy +find $(find arch/x86 -name include -o -name scripts -type d) -type f | xargs sh -c 'cp --parents "$@" %{buildroot}%{_prefix}/src/linux-headers-%{uname_r}' copy +find arch/x86/include Module.symvers include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}%{_prefix}/src/linux-headers-%{uname_r}' copy # CONFIG_STACK_VALIDATION=y requires objtool to build external modules -install -vsm 755 tools/objtool/objtool %{buildroot}/usr/src/linux-headers-%{uname_r}/tools/objtool/ -install -vsm 755 tools/objtool/fixdep %{buildroot}/usr/src/linux-headers-%{uname_r}/tools/objtool/ +install -vsm 755 tools/objtool/objtool %{buildroot}%{_prefix}/src/linux-headers-%{uname_r}/tools/objtool/ +install -vsm 755 tools/objtool/fixdep %{buildroot}%{_prefix}/src/linux-headers-%{uname_r}/tools/objtool/ -cp .config %{buildroot}/usr/src/linux-headers-%{uname_r} # copy .config manually to be where it's expected to be -ln -sf "/usr/src/linux-headers-%{uname_r}" "%{buildroot}/lib/modules/%{uname_r}/build" +cp .config 
%{buildroot}%{_prefix}/src/linux-headers-%{uname_r} # copy .config manually to be where it's expected to be +ln -sf "%{_prefix}/src/linux-headers-%{uname_r}" "%{buildroot}/lib/modules/%{uname_r}/build" find %{buildroot}/lib/modules -name '*.ko' -print0 | xargs -0 chmod u+x # disable (JOBS=1) parallel build to fix this issue: @@ -219,6 +222,7 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %files %defattr(-,root,root) +%license COPYING /boot/System.map-%{uname_r} /boot/config-%{uname_r} /boot/vmlinuz-%{uname_r} @@ -238,7 +242,7 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %files devel %defattr(-,root,root) /lib/modules/%{uname_r}/build -/usr/src/linux-headers-%{uname_r} +%{_prefix}/src/linux-headers-%{uname_r} %files oprofile %defattr(-,root,root) 
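Review bot: The four `find ... | xargs sh -c 'cp --parents "$@" ...' copy` lines rewritten in this hunk still pass unquoted patterns (`-name Makefile*`, `-name Kconfig*`, `-name *.pl`) and newline-delimited output to `xargs`. The shell expands an unquoted pattern before `find` runs whenever a matching file exists in the working directory, which can silently narrow what is copied into `linux-headers-%{uname_r}`, and `xargs` without `-0` splits file names on whitespace. Since these lines are being touched anyway, quote and group the tests and use null delimiters, e.g. `find . \( -name 'Makefile*' -o -name 'Kconfig*' -o -name '*.pl' \) -print0 | xargs -0 sh -c 'cp --parents "$@" %{buildroot}%{_prefix}/src/linux-headers-%{uname_r}' copy`. That matches the `-print0 | xargs -0` form already used for the `chmod u+x` line in the same hunk. The `%install` section starts and ends outside this hunk.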
@@ -246,434 +250,608 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %files tools %defattr(-,root,root) -/usr/libexec +%{_libexecdir} %exclude %{_libdir}/debug -/usr/lib64/traceevent +%{_lib64}/traceevent %{_bindir} -/etc/bash_completion.d/* -/usr/share/perf-core/strace/groups/file -/usr/share/perf-core/strace/groups/string -/usr/share/doc/* +%{_sysconfdir}/bash_completion.d/* +%{_datadir}/perf-core/strace/groups/file +%{_datadir}/perf-core/strace/groups/string +%{_docdir}/* %{_libdir}/perf/examples/bpf/* %{_libdir}/perf/include/bpf/* %changelog -* Wed Sep 30 2020 Emre Girgin 5.4.51-4 -- Update postun script to deal with removal in case of another installed kernel. -* Thu Sep 03 2020 Daniel McIlvaney 5.4.51-3 -- Add code to check for missing config flags in the checked in configs -* Tue Sep 01 2020 Chris Co 5.4.51-2 -- Update source hash -* Wed Aug 19 2020 Chris Co 5.4.51-1 -- Update source to 5.4.51 -- Remove signed subpackage -- Enable DXGKRNL config -* Fri Aug 07 2020 Mateusz Malisz 5.4.42-6 -- Add crashkernel=128M to kernel cmdline -* Tue Aug 04 2020 Pawel Winogrodzki 5.4.42-5 -- Updating "KBUILD_BUILD_VERSION" and "KBUILD_BUILD_HOST" with correct - distribution name. -* Mon Jul 06 2020 Chris Co 5.4.42-4 -- Add NVMe and Mellanox driver configs -* Wed Jun 24 2020 Chris Co 5.4.42-3 -- Add CONFIG_VETH=y to support virtual ethernet pair device -* Mon Jun 22 2020 Chris Co 5.4.42-2 -- Add kernel-hyperv-secure subpackage and macros for adding offline signed kernels -* Fri Jun 12 2020 Chris Co 5.4.42-1 -- Update source to 5.4.42 -* Thu Jun 11 2020 Chris Co 5.4.23-12 -- Enable PAGE_POISONING configs -- Enable RANDOM_TRUST_CPU config -- Clean up spec file entries -* Mon Jun 01 2020 Nicolas Ontiveros 5.4.23-11 -- Add CONFIG_CRYPTO_XTS=y to config. -* Sun May 31 2020 Daniel Mihai 5.4.23-10 -- Add CONFIG_ATA_PIIX, required for Hyper-V Gen1 DVD drive. -* Tue May 26 2020 Daniel Mihai 5.4.23-9 -- Disabled Reliable Datagram Sockets protocol (CONFIG_RDS). 
-* Fri May 22 2020 Emre Girgin 5.4.23-8 -- Change /boot directory permissions to 600. -* Thu May 21 2020 Daniel Mihai 5.4.23-7 -- Picked-up fixes from kernel.spec. -- Updated kernel config. -* Wed May 06 2020 Emre Girgin 5.4.23-6 -- Renaming Linux-PAM to pam. -- Update URL to use https. -* Thu Apr 30 2020 Chris Co 5.4.23-5 -- Add hyper-v optimized config and build steps -* Tue Apr 14 2020 Emre Girgin 5.4.23-4 -- Remove linux-aws and linux-esx references. -- Remove kat_build usage. -- Remove ENA module. -* Fri Apr 10 2020 Emre Girgin 5.4.23-3 -- Remove xml-security-c dependency. -* Wed Apr 08 2020 Nicolas Ontiveros 5.4.23-2 -- Remove toybox and only use coreutils for requires. -* Tue Dec 10 2019 Chris Co 5.4.23-1 -- Update to Microsoft Linux Kernel 5.4.23 -- Remove patches -- Update ENA module to 2.1.2 to work with Linux 5.4.23 -- Remove xr module -- Remove Xen tmem module from dracut module list to fix initramfs creation -- Add patch to fix missing trans_pgd header in aarch64 build -* Fri Oct 11 2019 Henry Beberman 4.19.52-8 -- Enable Hyper-V TPM in config -* Tue Sep 03 2019 Mateusz Malisz 4.19.52-7 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Thu Jul 25 2019 Keerthana K 4.19.52-6 -- Fix postun scriplet. -* Thu Jul 11 2019 Keerthana K 4.19.52-5 -- Enable kernel configs necessary for BPF Compiler Collection (BCC). -* Wed Jul 10 2019 Srivatsa S. Bhat (VMware) 4.19.52-4 -- Deprecate linux-aws-tools in favor of linux-tools. -* Tue Jul 02 2019 Alexey Makhalov 4.19.52-3 -- Fix 9p vsock 16bit port issue. -* Thu Jun 20 2019 Tapas Kundu 4.19.52-2 -- Enabled CONFIG_I2C_CHARDEV to support lm-sensors -* Mon Jun 17 2019 Srivatsa S. Bhat (VMware) 4.19.52-1 -- Update to version 4.19.52 -- Fix CVE-2019-12456, CVE-2019-12379, CVE-2019-12380, CVE-2019-12381, -- CVE-2019-12382, CVE-2019-12378, CVE-2019-12455 -* Tue May 28 2019 Srivatsa S. Bhat (VMware) 4.19.40-3 -- Change default I/O scheduler to 'deadline' to fix performance issue. 
-* Tue May 14 2019 Keerthana K 4.19.40-2 -- Fix to parse through /boot folder and update symlink (/boot/photon.cfg) if -- mulitple kernels are installed and current linux kernel is removed. -* Tue May 07 2019 Ajay Kaher 4.19.40-1 -- Update to version 4.19.40 -* Thu Apr 11 2019 Srivatsa S. Bhat (VMware) 4.19.32-3 -- Update config_aarch64 to fix ARM64 build. -* Fri Mar 29 2019 Srivatsa S. Bhat (VMware) 4.19.32-2 -- Fix CVE-2019-10125 -* Wed Mar 27 2019 Srivatsa S. Bhat (VMware) 4.19.32-1 -- Update to version 4.19.32 -* Thu Mar 14 2019 Srivatsa S. Bhat (VMware) 4.19.29-1 -- Update to version 4.19.29 -* Tue Mar 05 2019 Ajay Kaher 4.19.26-1 -- Update to version 4.19.26 -* Thu Feb 21 2019 Him Kalyan Bordoloi 4.19.15-3 -- Fix CVE-2019-8912 -* Thu Jan 24 2019 Alexey Makhalov 4.19.15-2 -- Add WiFi (ath10k), sensors (i2c,spi), usb support for NXP LS1012A board. -* Tue Jan 15 2019 Srivatsa S. Bhat (VMware) 4.19.15-1 -- Update to version 4.19.15 -* Fri Jan 11 2019 Srinidhi Rao 4.19.6-7 -- Add Network support for NXP LS1012A board. -* Wed Jan 09 2019 Ankit Jain 4.19.6-6 -- Enable following for x86_64 and aarch64: -- Enable Kernel Address Space Layout Randomization. -- Enable CONFIG_SECURITY_NETWORK_XFRM -* Fri Jan 04 2019 Srivatsa S. Bhat (VMware) 4.19.6-5 -- Enable AppArmor by default. -* Wed Jan 02 2019 Alexey Makhalov 4.19.6-4 -- .config: added Compulab fitlet2 device drivers -- .config_aarch64: added gpio sysfs support -- renamed -sound to -drivers-sound -* Tue Jan 01 2019 Ajay Kaher 4.19.6-3 -- .config: Enable CONFIG_PCI_HYPERV driver -* Wed Dec 19 2018 Srinidhi Rao 4.19.6-2 -- Add NXP LS1012A support. -* Mon Dec 10 2018 Srivatsa S. Bhat (VMware) 4.19.6-1 -- Update to version 4.19.6 -* Fri Dec 07 2018 Alexey Makhalov 4.19.1-3 -- .config: added qmi wwan module -* Mon Nov 12 2018 Ajay Kaher 4.19.1-2 -- Fix config_aarch64 for 4.19.1 -* Mon Nov 05 2018 Srivatsa S. 
Bhat (VMware) 4.19.1-1 -- Update to version 4.19.1 -* Tue Oct 16 2018 Him Kalyan Bordoloi 4.18.9-5 -- Change in config to enable drivers for zigbee and GPS -* Fri Oct 12 2018 Ajay Kaher 4.18.9-4 -- Enable LAN78xx for aarch64 rpi3 -* Fri Oct 5 2018 Ajay Kaher 4.18.9-3 -- Fix config_aarch64 for 4.18.9 -- Add module.lds for aarch64 -* Wed Oct 03 2018 Srivatsa S. Bhat 4.18.9-2 -- Use updated steal time accounting patch. -- .config: Enable CONFIG_CPU_ISOLATION and a few networking options -- that got accidentally dropped in the last update. -* Mon Oct 1 2018 Srivatsa S. Bhat 4.18.9-1 -- Update to version 4.18.9 -* Tue Sep 25 2018 Ajay Kaher 4.14.67-2 -- Build hang (at make oldconfig) fix in config_aarch64 -* Wed Sep 19 2018 Srivatsa S. Bhat 4.14.67-1 -- Update to version 4.14.67 -* Tue Sep 18 2018 Srivatsa S. Bhat 4.14.54-7 -- Add rdrand-based RNG driver to enhance kernel entropy. -* Sun Sep 02 2018 Srivatsa S. Bhat 4.14.54-6 -- Add full retpoline support by building with retpoline-enabled gcc. -* Thu Aug 30 2018 Srivatsa S. Bhat 4.14.54-5 -- Apply out-of-tree patches needed for AppArmor. -* Wed Aug 22 2018 Alexey Makhalov 4.14.54-4 -- Fix overflow kernel panic in rsi driver. -- .config: enable BT stack, enable GPIO sysfs. -- Add Exar USB serial driver. -* Fri Aug 17 2018 Ajay Kaher 4.14.54-3 -- Enabled USB PCI in config_aarch64 -- Build hang (at make oldconfig) fix in config_aarch64 -* Thu Jul 19 2018 Alexey Makhalov 4.14.54-2 -- .config: usb_serial_pl2303=m,wlan=y,can=m,gpio=y,pinctrl=y,iio=m -* Mon Jul 09 2018 Him Kalyan Bordoloi 4.14.54-1 -- Update to version 4.14.54 -* Fri Jan 26 2018 Alexey Makhalov 4.14.8-2 -- Added vchiq entry to rpi3 dts -- Added dtb-rpi3 subpackage -* Fri Dec 22 2017 Alexey Makhalov 4.14.8-1 -- Version update -* Wed Dec 13 2017 Alexey Makhalov 4.9.66-4 -- KAT build support -* Thu Dec 07 2017 Alexey Makhalov 4.9.66-3 -- Aarch64 support -* Tue Dec 05 2017 Alexey Makhalov 4.9.66-2 -- Sign and compress modules after stripping. 
fips=1 requires signed modules -* Mon Dec 04 2017 Srivatsa S. Bhat 4.9.66-1 -- Version update -* Tue Nov 21 2017 Srivatsa S. Bhat 4.9.64-1 -- Version update -* Mon Nov 06 2017 Srivatsa S. Bhat 4.9.60-1 -- Version update -* Wed Oct 11 2017 Srivatsa S. Bhat 4.9.53-3 -- Add patch "KVM: Don't accept obviously wrong gsi values via +* Mon Oct 26 2020 Chris Co - 5.4.72-1 +- Update source to 5.4.72 +- Add license file +- Lint spec + +* Wed Sep 30 2020 Emre Girgin - 5.4.51-4 +- Update postun script to deal with removal in case of another installed kernel. + +* Thu Sep 03 2020 Daniel McIlvaney - 5.4.51-3 +- Add code to check for missing config flags in the checked in configs + +* Tue Sep 01 2020 Chris Co - 5.4.51-2 +- Update source hash + +* Wed Aug 19 2020 Chris Co - 5.4.51-1 +- Update source to 5.4.51 +- Remove signed subpackage +- Enable DXGKRNL config + +* Fri Aug 07 2020 Mateusz Malisz - 5.4.42-6 +- Add crashkernel=128M to kernel cmdline + +* Tue Aug 04 2020 Pawel Winogrodzki - 5.4.42-5 +- Updating "KBUILD_BUILD_VERSION" and "KBUILD_BUILD_HOST" with correct + distribution name. + +* Mon Jul 06 2020 Chris Co - 5.4.42-4 +- Add NVMe and Mellanox driver configs + +* Wed Jun 24 2020 Chris Co - 5.4.42-3 +- Add CONFIG_VETH=y to support virtual ethernet pair device + +* Mon Jun 22 2020 Chris Co - 5.4.42-2 +- Add kernel-hyperv-secure subpackage and macros for adding offline signed kernels + +* Fri Jun 12 2020 Chris Co - 5.4.42-1 +- Update source to 5.4.42 + +* Thu Jun 11 2020 Chris Co - 5.4.23-12 +- Enable PAGE_POISONING configs +- Enable RANDOM_TRUST_CPU config +- Clean up spec file entries + +* Mon Jun 01 2020 Nicolas Ontiveros - 5.4.23-11 +- Add CONFIG_CRYPTO_XTS=y to config. + +* Sun May 31 2020 Daniel Mihai - 5.4.23-10 +- Add CONFIG_ATA_PIIX, required for Hyper-V Gen1 DVD drive. + +* Tue May 26 2020 Daniel Mihai - 5.4.23-9 +- Disabled Reliable Datagram Sockets protocol (CONFIG_RDS). + +* Fri May 22 2020 Emre Girgin - 5.4.23-8 +- Change /boot directory permissions to 600. 
+ +* Thu May 21 2020 Daniel Mihai - 5.4.23-7 +- Picked-up fixes from kernel.spec. +- Updated kernel config. + +* Wed May 06 2020 Emre Girgin - 5.4.23-6 +- Renaming Linux-PAM to pam. +- Update URL to use https. + +* Thu Apr 30 2020 Chris Co - 5.4.23-5 +- Add hyper-v optimized config and build steps + +* Tue Apr 14 2020 Emre Girgin - 5.4.23-4 +- Remove linux-aws and linux-esx references. +- Remove kat_build usage. +- Remove ENA module. + +* Fri Apr 10 2020 Emre Girgin - 5.4.23-3 +- Remove xml-security-c dependency. + +* Wed Apr 08 2020 Nicolas Ontiveros - 5.4.23-2 +- Remove toybox and only use coreutils for requires. + +* Tue Dec 10 2019 Chris Co - 5.4.23-1 +- Update to Microsoft Linux Kernel 5.4.23 +- Remove patches +- Update ENA module to 2.1.2 to work with Linux 5.4.23 +- Remove xr module +- Remove Xen tmem module from dracut module list to fix initramfs creation +- Add patch to fix missing trans_pgd header in aarch64 build + +* Fri Oct 11 2019 Henry Beberman - 4.19.52-8 +- Enable Hyper-V TPM in config + +* Tue Sep 03 2019 Mateusz Malisz - 4.19.52-7 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Thu Jul 25 2019 Keerthana K - 4.19.52-6 +- Fix postun scriplet. + +* Thu Jul 11 2019 Keerthana K - 4.19.52-5 +- Enable kernel configs necessary for BPF Compiler Collection (BCC). + +* Wed Jul 10 2019 Srivatsa S. Bhat (VMware) 4.19.52-4 +- Deprecate linux-aws-tools in favor of linux-tools. + +* Tue Jul 02 2019 Alexey Makhalov - 4.19.52-3 +- Fix 9p vsock 16bit port issue. + +* Thu Jun 20 2019 Tapas Kundu - 4.19.52-2 +- Enabled CONFIG_I2C_CHARDEV to support lm-sensors + +* Mon Jun 17 2019 Srivatsa S. Bhat (VMware) 4.19.52-1 +- Update to version 4.19.52 +- Fix CVE-2019-12456, CVE-2019-12379, CVE-2019-12380, CVE-2019-12381, +- CVE-2019-12382, CVE-2019-12378, CVE-2019-12455 + +* Tue May 28 2019 Srivatsa S. Bhat (VMware) 4.19.40-3 +- Change default I/O scheduler to 'deadline' to fix performance issue. 
+ +* Tue May 14 2019 Keerthana K - 4.19.40-2 +- Fix to parse through /boot folder and update symlink (/boot/photon.cfg) if +- mulitple kernels are installed and current linux kernel is removed. + +* Tue May 07 2019 Ajay Kaher - 4.19.40-1 +- Update to version 4.19.40 + +* Thu Apr 11 2019 Srivatsa S. Bhat (VMware) 4.19.32-3 +- Update config_aarch64 to fix ARM64 build. + +* Fri Mar 29 2019 Srivatsa S. Bhat (VMware) 4.19.32-2 +- Fix CVE-2019-10125 + +* Wed Mar 27 2019 Srivatsa S. Bhat (VMware) 4.19.32-1 +- Update to version 4.19.32 + +* Thu Mar 14 2019 Srivatsa S. Bhat (VMware) 4.19.29-1 +- Update to version 4.19.29 + +* Tue Mar 05 2019 Ajay Kaher - 4.19.26-1 +- Update to version 4.19.26 + +* Thu Feb 21 2019 Him Kalyan Bordoloi - 4.19.15-3 +- Fix CVE-2019-8912 + +* Thu Jan 24 2019 Alexey Makhalov - 4.19.15-2 +- Add WiFi (ath10k), sensors (i2c,spi), usb support for NXP LS1012A board. + +* Tue Jan 15 2019 Srivatsa S. Bhat (VMware) 4.19.15-1 +- Update to version 4.19.15 + +* Fri Jan 11 2019 Srinidhi Rao - 4.19.6-7 +- Add Network support for NXP LS1012A board. + +* Wed Jan 09 2019 Ankit Jain - 4.19.6-6 +- Enable following for x86_64 and aarch64: +- Enable Kernel Address Space Layout Randomization. +- Enable CONFIG_SECURITY_NETWORK_XFRM + +* Fri Jan 04 2019 Srivatsa S. Bhat (VMware) 4.19.6-5 +- Enable AppArmor by default. + +* Wed Jan 02 2019 Alexey Makhalov - 4.19.6-4 +- .config: added Compulab fitlet2 device drivers +- .config_aarch64: added gpio sysfs support +- renamed -sound to -drivers-sound + +* Tue Jan 01 2019 Ajay Kaher - 4.19.6-3 +- .config: Enable CONFIG_PCI_HYPERV driver + +* Wed Dec 19 2018 Srinidhi Rao - 4.19.6-2 +- Add NXP LS1012A support. + +* Mon Dec 10 2018 Srivatsa S. Bhat (VMware) 4.19.6-1 +- Update to version 4.19.6 + +* Fri Dec 07 2018 Alexey Makhalov - 4.19.1-3 +- .config: added qmi wwan module + +* Mon Nov 12 2018 Ajay Kaher - 4.19.1-2 +- Fix config_aarch64 for 4.19.1 + +* Mon Nov 05 2018 Srivatsa S. 
Bhat (VMware) 4.19.1-1 +- Update to version 4.19.1 + +* Tue Oct 16 2018 Him Kalyan Bordoloi - 4.18.9-5 +- Change in config to enable drivers for zigbee and GPS + +* Fri Oct 12 2018 Ajay Kaher - 4.18.9-4 +- Enable LAN78xx for aarch64 rpi3 + +* Fri Oct 5 2018 Ajay Kaher - 4.18.9-3 +- Fix config_aarch64 for 4.18.9 +- Add module.lds for aarch64 + +* Wed Oct 03 2018 Srivatsa S. Bhat 4.18.9-2 +- Use updated steal time accounting patch. +- .config: Enable CONFIG_CPU_ISOLATION and a few networking options +- that got accidentally dropped in the last update. + +* Mon Oct 1 2018 Srivatsa S. Bhat 4.18.9-1 +- Update to version 4.18.9 + +* Tue Sep 25 2018 Ajay Kaher - 4.14.67-2 +- Build hang (at make oldconfig) fix in config_aarch64 + +* Wed Sep 19 2018 Srivatsa S. Bhat 4.14.67-1 +- Update to version 4.14.67 + +* Tue Sep 18 2018 Srivatsa S. Bhat 4.14.54-7 +- Add rdrand-based RNG driver to enhance kernel entropy. + +* Sun Sep 02 2018 Srivatsa S. Bhat 4.14.54-6 +- Add full retpoline support by building with retpoline-enabled gcc. + +* Thu Aug 30 2018 Srivatsa S. Bhat 4.14.54-5 +- Apply out-of-tree patches needed for AppArmor. + +* Wed Aug 22 2018 Alexey Makhalov - 4.14.54-4 +- Fix overflow kernel panic in rsi driver. +- .config: enable BT stack, enable GPIO sysfs. +- Add Exar USB serial driver. 
+ +* Fri Aug 17 2018 Ajay Kaher - 4.14.54-3 +- Enabled USB PCI in config_aarch64 +- Build hang (at make oldconfig) fix in config_aarch64 + +* Thu Jul 19 2018 Alexey Makhalov - 4.14.54-2 +- .config: usb_serial_pl2303=m,wlan=y,can=m,gpio=y,pinctrl=y,iio=m + +* Mon Jul 09 2018 Him Kalyan Bordoloi - 4.14.54-1 +- Update to version 4.14.54 + +* Fri Jan 26 2018 Alexey Makhalov - 4.14.8-2 +- Added vchiq entry to rpi3 dts +- Added dtb-rpi3 subpackage + +* Fri Dec 22 2017 Alexey Makhalov - 4.14.8-1 +- Version update + +* Wed Dec 13 2017 Alexey Makhalov - 4.9.66-4 +- KAT build support + +* Thu Dec 07 2017 Alexey Makhalov - 4.9.66-3 +- Aarch64 support + +* Tue Dec 05 2017 Alexey Makhalov - 4.9.66-2 +- Sign and compress modules after stripping. fips=1 requires signed modules + +* Mon Dec 04 2017 Srivatsa S. Bhat 4.9.66-1 +- Version update + +* Tue Nov 21 2017 Srivatsa S. Bhat 4.9.64-1 +- Version update + +* Mon Nov 06 2017 Srivatsa S. Bhat 4.9.60-1 +- Version update + +* Wed Oct 11 2017 Srivatsa S. Bhat 4.9.53-3 +- Add patch "KVM: Don't accept obviously wrong gsi values via KVM_IRQFD" to fix CVE-2017-1000252. -* Tue Oct 10 2017 Alexey Makhalov 4.9.53-2 -- Build hang (at make oldconfig) fix. -* Thu Oct 05 2017 Srivatsa S. Bhat 4.9.53-1 -- Version update -* Mon Oct 02 2017 Srivatsa S. Bhat 4.9.52-3 -- Allow privileged CLONE_NEWUSER from nested user namespaces. -* Mon Oct 02 2017 Srivatsa S. Bhat 4.9.52-2 -- Fix CVE-2017-11472 (ACPICA: Namespace: fix operand cache leak) -* Mon Oct 02 2017 Srivatsa S. 
Bhat 4.9.52-1 -- Version update -* Mon Sep 18 2017 Alexey Makhalov 4.9.47-2 -- Requires coreutils or toybox -* Mon Sep 04 2017 Alexey Makhalov 4.9.47-1 -- Fix CVE-2017-11600 -* Tue Aug 22 2017 Anish Swaminathan 4.9.43-2 -- Add missing xen block drivers -* Mon Aug 14 2017 Alexey Makhalov 4.9.43-1 -- Version update -- [feature] new sysctl option unprivileged_userns_clone -* Wed Aug 09 2017 Alexey Makhalov 4.9.41-2 -- Fix CVE-2017-7542 -- [bugfix] Added ccm,gcm,ghash,lzo crypto modules to avoid + +* Tue Oct 10 2017 Alexey Makhalov - 4.9.53-2 +- Build hang (at make oldconfig) fix. + +* Thu Oct 05 2017 Srivatsa S. Bhat 4.9.53-1 +- Version update + +* Mon Oct 02 2017 Srivatsa S. Bhat 4.9.52-3 +- Allow privileged CLONE_NEWUSER from nested user namespaces. + +* Mon Oct 02 2017 Srivatsa S. Bhat 4.9.52-2 +- Fix CVE-2017-11472 (ACPICA: Namespace: fix operand cache leak) + +* Mon Oct 02 2017 Srivatsa S. Bhat 4.9.52-1 +- Version update + +* Mon Sep 18 2017 Alexey Makhalov - 4.9.47-2 +- Requires coreutils or toybox + +* Mon Sep 04 2017 Alexey Makhalov - 4.9.47-1 +- Fix CVE-2017-11600 + +* Tue Aug 22 2017 Anish Swaminathan - 4.9.43-2 +- Add missing xen block drivers + +* Mon Aug 14 2017 Alexey Makhalov - 4.9.43-1 +- Version update +- [feature] new sysctl option unprivileged_userns_clone + +* Wed Aug 09 2017 Alexey Makhalov - 4.9.41-2 +- Fix CVE-2017-7542 +- [bugfix] Added ccm,gcm,ghash,lzo crypto modules to avoid panic on modprobe tcrypt -* Mon Aug 07 2017 Alexey Makhalov 4.9.41-1 -- Version update -* Fri Aug 04 2017 Bo Gan 4.9.38-6 -- Fix initramfs triggers -* Tue Aug 01 2017 Anish Swaminathan 4.9.38-5 -- Allow some algorithms in FIPS mode -- Reverts 284a0f6e87b0721e1be8bca419893902d9cf577a and backports -- bcf741cb779283081db47853264cc94854e7ad83 in the kernel tree -- Enable additional NF features -* Fri Jul 21 2017 Anish Swaminathan 4.9.38-4 -- Add patches in Hyperv codebase -* Fri Jul 21 2017 Anish Swaminathan 4.9.38-3 -- Add missing hyperv drivers -* Thu Jul 20 2017 Alexey 
Makhalov 4.9.38-2 -- Disable scheduler beef up patch -* Tue Jul 18 2017 Alexey Makhalov 4.9.38-1 -- Fix CVE-2017-11176 and CVE-2017-10911 -* Mon Jul 03 2017 Xiaolin Li 4.9.34-3 -- Add libdnet-devel, kmod-devel and libmspack-devel to BuildRequires -* Thu Jun 29 2017 Divya Thaluru 4.9.34-2 -- Added obsolete for deprecated linux-dev package -* Wed Jun 28 2017 Alexey Makhalov 4.9.34-1 -- [feature] 9P FS security support -- [feature] DM Delay target support -- Fix CVE-2017-1000364 ("stack clash") and CVE-2017-9605 -* Thu Jun 8 2017 Alexey Makhalov 4.9.31-1 -- Fix CVE-2017-8890, CVE-2017-9074, CVE-2017-9075, CVE-2017-9076 + +* Mon Aug 07 2017 Alexey Makhalov - 4.9.41-1 +- Version update + +* Fri Aug 04 2017 Bo Gan - 4.9.38-6 +- Fix initramfs triggers + +* Tue Aug 01 2017 Anish Swaminathan - 4.9.38-5 +- Allow some algorithms in FIPS mode +- Reverts 284a0f6e87b0721e1be8bca419893902d9cf577a and backports +- bcf741cb779283081db47853264cc94854e7ad83 in the kernel tree +- Enable additional NF features + +* Fri Jul 21 2017 Anish Swaminathan - 4.9.38-4 +- Add patches in Hyperv codebase + +* Fri Jul 21 2017 Anish Swaminathan - 4.9.38-3 +- Add missing hyperv drivers + +* Thu Jul 20 2017 Alexey Makhalov - 4.9.38-2 +- Disable scheduler beef up patch + +* Tue Jul 18 2017 Alexey Makhalov - 4.9.38-1 +- Fix CVE-2017-11176 and CVE-2017-10911 + +* Mon Jul 03 2017 Xiaolin Li - 4.9.34-3 +- Add libdnet-devel, kmod-devel and libmspack-devel to BuildRequires + +* Thu Jun 29 2017 Divya Thaluru - 4.9.34-2 +- Added obsolete for deprecated linux-dev package + +* Wed Jun 28 2017 Alexey Makhalov - 4.9.34-1 +- [feature] 9P FS security support +- [feature] DM Delay target support +- Fix CVE-2017-1000364 ("stack clash") and CVE-2017-9605 + +* Thu Jun 8 2017 Alexey Makhalov - 4.9.31-1 +- Fix CVE-2017-8890, CVE-2017-9074, CVE-2017-9075, CVE-2017-9076 CVE-2017-9077 and CVE-2017-9242 -- [feature] IPV6 netfilter NAT table support -* Fri May 26 2017 Alexey Makhalov 4.9.30-1 -- Added ENA driver for AMI -- Fix 
CVE-2017-7487 and CVE-2017-9059 -* Wed May 17 2017 Vinay Kulkarni 4.9.28-2 -- Enable IPVLAN module. -* Tue May 16 2017 Alexey Makhalov 4.9.28-1 -- Version update -* Wed May 10 2017 Alexey Makhalov 4.9.27-1 -- Version update -* Sun May 7 2017 Alexey Makhalov 4.9.26-1 -- Version update -- Removed version suffix from config file name -* Thu Apr 27 2017 Bo Gan 4.9.24-2 -- Support dynamic initrd generation -* Tue Apr 25 2017 Alexey Makhalov 4.9.24-1 -- Fix CVE-2017-6874 and CVE-2017-7618. -- Fix audit-devel BuildRequires. -- .config: build nvme and nvme-core in kernel. -* Mon Mar 6 2017 Alexey Makhalov 4.9.13-2 -- .config: NSX requirements for crypto and netfilter -* Tue Feb 28 2017 Alexey Makhalov 4.9.13-1 -- Update to linux-4.9.13 to fix CVE-2017-5986 and CVE-2017-6074 -* Thu Feb 09 2017 Alexey Makhalov 4.9.9-1 -- Update to linux-4.9.9 to fix CVE-2016-10153, CVE-2017-5546, +- [feature] IPV6 netfilter NAT table support + +* Fri May 26 2017 Alexey Makhalov - 4.9.30-1 +- Added ENA driver for AMI +- Fix CVE-2017-7487 and CVE-2017-9059 + +* Wed May 17 2017 Vinay Kulkarni - 4.9.28-2 +- Enable IPVLAN module. + +* Tue May 16 2017 Alexey Makhalov - 4.9.28-1 +- Version update + +* Wed May 10 2017 Alexey Makhalov - 4.9.27-1 +- Version update + +* Sun May 7 2017 Alexey Makhalov - 4.9.26-1 +- Version update +- Removed version suffix from config file name + +* Thu Apr 27 2017 Bo Gan - 4.9.24-2 +- Support dynamic initrd generation + +* Tue Apr 25 2017 Alexey Makhalov - 4.9.24-1 +- Fix CVE-2017-6874 and CVE-2017-7618. +- Fix audit-devel BuildRequires. +- .config: build nvme and nvme-core in kernel. + +* Mon Mar 6 2017 Alexey Makhalov - 4.9.13-2 +- .config: NSX requirements for crypto and netfilter + +* Tue Feb 28 2017 Alexey Makhalov - 4.9.13-1 +- Update to linux-4.9.13 to fix CVE-2017-5986 and CVE-2017-6074 + +* Thu Feb 09 2017 Alexey Makhalov - 4.9.9-1 +- Update to linux-4.9.9 to fix CVE-2016-10153, CVE-2017-5546, CVE-2017-5547, CVE-2017-5548 and CVE-2017-5576. 
-- .config: added CRYPTO_FIPS support. -* Tue Jan 10 2017 Alexey Makhalov 4.9.2-1 -- Update to linux-4.9.2 to fix CVE-2016-10088 -- Move linux-tools.spec to linux.spec as -tools subpackage -* Mon Dec 19 2016 Xiaolin Li 4.9.0-2 -- BuildRequires Linux-PAM-devel -* Mon Dec 12 2016 Alexey Makhalov 4.9.0-1 -- Update to linux-4.9.0 -- Add paravirt stolen time accounting feature (from linux-esx), +- .config: added CRYPTO_FIPS support. + +* Tue Jan 10 2017 Alexey Makhalov - 4.9.2-1 +- Update to linux-4.9.2 to fix CVE-2016-10088 +- Move linux-tools.spec to linux.spec as -tools subpackage + +* Mon Dec 19 2016 Xiaolin Li - 4.9.0-2 +- BuildRequires Linux-PAM-devel + +* Mon Dec 12 2016 Alexey Makhalov - 4.9.0-1 +- Update to linux-4.9.0 +- Add paravirt stolen time accounting feature (from linux-esx), but disable it by default (no-vmw-sta cmdline parameter) -* Thu Dec 8 2016 Alexey Makhalov 4.4.35-3 -- net-packet-fix-race-condition-in-packet_set_ring.patch + +* Thu Dec 8 2016 Alexey Makhalov - 4.4.35-3 +- net-packet-fix-race-condition-in-packet_set_ring.patch to fix CVE-2016-8655 -* Wed Nov 30 2016 Alexey Makhalov 4.4.35-2 -- Expand `uname -r` with release number -- Check for build-id matching -- Added syscalls tracing support -- Compress modules -* Mon Nov 28 2016 Alexey Makhalov 4.4.35-1 -- Update to linux-4.4.35 -- vfio-pci-fix-integer-overflows-bitmask-check.patch + +* Wed Nov 30 2016 Alexey Makhalov - 4.4.35-2 +- Expand `uname -r` with release number +- Check for build-id matching +- Added syscalls tracing support +- Compress modules + +* Mon Nov 28 2016 Alexey Makhalov - 4.4.35-1 +- Update to linux-4.4.35 +- vfio-pci-fix-integer-overflows-bitmask-check.patch to fix CVE-2016-9083 -* Tue Nov 22 2016 Alexey Makhalov 4.4.31-4 -- net-9p-vsock.patch -* Thu Nov 17 2016 Alexey Makhalov 4.4.31-3 -- tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch + +* Tue Nov 22 2016 Alexey Makhalov - 4.4.31-4 +- net-9p-vsock.patch + +* Thu Nov 17 2016 Alexey Makhalov - 4.4.31-3 +- 
tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch to fix CVE-2015-8964 -* Tue Nov 15 2016 Alexey Makhalov 4.4.31-2 -- .config: add cgrup_hugetlb support -- .config: add netfilter_xt_{set,target_ct} support -- .config: add netfilter_xt_match_{cgroup,ipvs} support -* Thu Nov 10 2016 Alexey Makhalov 4.4.31-1 -- Update to linux-4.4.31 -* Fri Oct 21 2016 Alexey Makhalov 4.4.26-1 -- Update to linux-4.4.26 -* Wed Oct 19 2016 Alexey Makhalov 4.4.20-6 -- net-add-recursion-limit-to-GRO.patch -- scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xfer.patch -* Tue Oct 18 2016 Alexey Makhalov 4.4.20-5 -- ipip-properly-mark-ipip-GRO-packets-as-encapsulated.patch -- tunnels-dont-apply-GRO-to-multiple-layers-of-encapsulation.patch -* Mon Oct 3 2016 Alexey Makhalov 4.4.20-4 -- Package vmlinux with PROGBITS sections in -debuginfo subpackage -* Tue Sep 27 2016 Alexey Makhalov 4.4.20-3 -- .config: CONFIG_IP_SET_HASH_{IPMARK,MAC}=m -* Tue Sep 20 2016 Alexey Makhalov 4.4.20-2 -- Add -release number for /boot/* files -- Use initrd.img with version and release number -- Rename -dev subpackage to -devel -* Wed Sep 7 2016 Alexey Makhalov 4.4.20-1 -- Update to linux-4.4.20 -- apparmor-fix-oops-validate-buffer-size-in-apparmor_setprocattr.patch -- keys-fix-asn.1-indefinite-length-object-parsing.patch -* Thu Aug 25 2016 Alexey Makhalov 4.4.8-11 -- vmxnet3 patches to bumpup a version to 1.4.8.0 -* Wed Aug 10 2016 Alexey Makhalov 4.4.8-10 -- Added VSOCK-Detach-QP-check-should-filter-out-non-matching-QPs.patch -- .config: pmem hotplug + ACPI NFIT support -- .config: enable EXPERT mode, disable UID16 syscalls -* Thu Jul 07 2016 Alexey Makhalov 4.4.8-9 -- .config: pmem + fs_dax support -* Fri Jun 17 2016 Alexey Makhalov 4.4.8-8 -- patch: e1000e-prevent-div-by-zero-if-TIMINCA-is-zero.patch -- .config: disable rt group scheduling - not supported by systemd -* Wed Jun 15 2016 Harish Udaiya Kumar 4.4.8-7 -- fixed the capitalization for - System.map -* Thu May 26 2016 Alexey Makhalov 4.4.8-6 
-- patch: REVERT-sched-fair-Beef-up-wake_wide.patch -* Tue May 24 2016 Priyesh Padmavilasom 4.4.8-5 -- GA - Bump release of all rpms -* Mon May 23 2016 Harish Udaiya Kumar 4.4.8-4 -- Fixed generation of debug symbols for kernel modules & vmlinux. -* Mon May 23 2016 Divya Thaluru 4.4.8-3 -- Added patches to fix CVE-2016-3134, CVE-2016-3135 -* Wed May 18 2016 Harish Udaiya Kumar 4.4.8-2 -- Enabled CONFIG_UPROBES in config as needed by ktap -* Wed May 04 2016 Alexey Makhalov 4.4.8-1 -- Update to linux-4.4.8 -- Added net-Drivers-Vmxnet3-set-... patch -* Tue May 03 2016 Vinay Kulkarni 4.2.0-27 -- Compile Intel GigE and VMXNET3 as part of kernel. -* Thu Apr 28 2016 Nick Shi 4.2.0-26 -- Compile cramfs.ko to allow mounting cramfs image -* Tue Apr 12 2016 Vinay Kulkarni 4.2.0-25 -- Revert network interface renaming disable in kernel. -* Tue Mar 29 2016 Alexey Makhalov 4.2.0-24 -- Support kmsg dumping to vmware.log on panic -- sunrpc: xs_bind uses ip_local_reserved_ports -* Mon Mar 28 2016 Harish Udaiya Kumar 4.2.0-23 -- Enabled Regular stack protection in Linux kernel in config -* Thu Mar 17 2016 Harish Udaiya Kumar 4.2.0-22 -- Restrict the permissions of the /boot/System.map-X file -* Fri Mar 04 2016 Alexey Makhalov 4.2.0-21 -- Patch: SUNRPC: Do not reuse srcport for TIME_WAIT socket. 
-* Wed Mar 02 2016 Alexey Makhalov 4.2.0-20 -- Patch: SUNRPC: Ensure that we wait for connections to complete + +* Tue Nov 15 2016 Alexey Makhalov - 4.4.31-2 +- .config: add cgrup_hugetlb support +- .config: add netfilter_xt_{set,target_ct} support +- .config: add netfilter_xt_match_{cgroup,ipvs} support + +* Thu Nov 10 2016 Alexey Makhalov - 4.4.31-1 +- Update to linux-4.4.31 + +* Fri Oct 21 2016 Alexey Makhalov - 4.4.26-1 +- Update to linux-4.4.26 + +* Wed Oct 19 2016 Alexey Makhalov - 4.4.20-6 +- net-add-recursion-limit-to-GRO.patch +- scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xfer.patch + +* Tue Oct 18 2016 Alexey Makhalov - 4.4.20-5 +- ipip-properly-mark-ipip-GRO-packets-as-encapsulated.patch +- tunnels-dont-apply-GRO-to-multiple-layers-of-encapsulation.patch + +* Mon Oct 3 2016 Alexey Makhalov - 4.4.20-4 +- Package vmlinux with PROGBITS sections in -debuginfo subpackage + +* Tue Sep 27 2016 Alexey Makhalov - 4.4.20-3 +- .config: CONFIG_IP_SET_HASH_{IPMARK,MAC}=m + +* Tue Sep 20 2016 Alexey Makhalov - 4.4.20-2 +- Add -release number for /boot/* files +- Use initrd.img with version and release number +- Rename -dev subpackage to -devel + +* Wed Sep 7 2016 Alexey Makhalov - 4.4.20-1 +- Update to linux-4.4.20 +- apparmor-fix-oops-validate-buffer-size-in-apparmor_setprocattr.patch +- keys-fix-asn.1-indefinite-length-object-parsing.patch + +* Thu Aug 25 2016 Alexey Makhalov - 4.4.8-11 +- vmxnet3 patches to bumpup a version to 1.4.8.0 + +* Wed Aug 10 2016 Alexey Makhalov - 4.4.8-10 +- Added VSOCK-Detach-QP-check-should-filter-out-non-matching-QPs.patch +- .config: pmem hotplug + ACPI NFIT support +- .config: enable EXPERT mode, disable UID16 syscalls + +* Thu Jul 07 2016 Alexey Makhalov - 4.4.8-9 +- .config: pmem + fs_dax support + +* Fri Jun 17 2016 Alexey Makhalov - 4.4.8-8 +- patch: e1000e-prevent-div-by-zero-if-TIMINCA-is-zero.patch +- .config: disable rt group scheduling - not supported by systemd + +* Wed Jun 15 2016 Harish Udaiya Kumar - 4.4.8-7 +- 
fixed the capitalization for - System.map + +* Thu May 26 2016 Alexey Makhalov - 4.4.8-6 +- patch: REVERT-sched-fair-Beef-up-wake_wide.patch + +* Tue May 24 2016 Priyesh Padmavilasom - 4.4.8-5 +- GA - Bump release of all rpms + +* Mon May 23 2016 Harish Udaiya Kumar - 4.4.8-4 +- Fixed generation of debug symbols for kernel modules & vmlinux. + +* Mon May 23 2016 Divya Thaluru - 4.4.8-3 +- Added patches to fix CVE-2016-3134, CVE-2016-3135 + +* Wed May 18 2016 Harish Udaiya Kumar - 4.4.8-2 +- Enabled CONFIG_UPROBES in config as needed by ktap + +* Wed May 04 2016 Alexey Makhalov - 4.4.8-1 +- Update to linux-4.4.8 +- Added net-Drivers-Vmxnet3-set-... patch + +* Tue May 03 2016 Vinay Kulkarni - 4.2.0-27 +- Compile Intel GigE and VMXNET3 as part of kernel. + +* Thu Apr 28 2016 Nick Shi - 4.2.0-26 +- Compile cramfs.ko to allow mounting cramfs image + +* Tue Apr 12 2016 Vinay Kulkarni - 4.2.0-25 +- Revert network interface renaming disable in kernel. + +* Tue Mar 29 2016 Alexey Makhalov - 4.2.0-24 +- Support kmsg dumping to vmware.log on panic +- sunrpc: xs_bind uses ip_local_reserved_ports + +* Mon Mar 28 2016 Harish Udaiya Kumar - 4.2.0-23 +- Enabled Regular stack protection in Linux kernel in config + +* Thu Mar 17 2016 Harish Udaiya Kumar - 4.2.0-22 +- Restrict the permissions of the /boot/System.map-X file + +* Fri Mar 04 2016 Alexey Makhalov - 4.2.0-21 +- Patch: SUNRPC: Do not reuse srcport for TIME_WAIT socket. + +* Wed Mar 02 2016 Alexey Makhalov - 4.2.0-20 +- Patch: SUNRPC: Ensure that we wait for connections to complete before retrying -* Fri Feb 26 2016 Alexey Makhalov 4.2.0-19 -- Disable watchdog under VMware hypervisor. 
-* Thu Feb 25 2016 Alexey Makhalov 4.2.0-18 -- Added rpcsec_gss_krb5 and nfs_fscache -* Mon Feb 22 2016 Alexey Makhalov 4.2.0-17 -- Added sysctl param to control weighted_cpuload() behavior -* Thu Feb 18 2016 Divya Thaluru 4.2.0-16 -- Disabling network renaming -* Sun Feb 14 2016 Alexey Makhalov 4.2.0-15 -- veth patch: don’t modify ip_summed -* Thu Feb 11 2016 Alexey Makhalov 4.2.0-14 -- Full tickless -> idle tickless + simple CPU time accounting -- SLUB -> SLAB -- Disable NUMA balancing -- Disable stack protector -- No build_forced no-CBs CPUs -- Disable Expert configuration mode -- Disable most of debug features from 'Kernel hacking' -* Mon Feb 08 2016 Alexey Makhalov 4.2.0-13 -- Double tcp_mem limits, patch is added. -* Wed Feb 03 2016 Anish Swaminathan 4.2.0-12 -- Fixes for CVE-2015-7990/6937 and CVE-2015-8660. -* Tue Jan 26 2016 Anish Swaminathan 4.2.0-11 -- Revert CONFIG_HZ=250 -* Fri Jan 22 2016 Alexey Makhalov 4.2.0-10 -- Fix for CVE-2016-0728 -* Wed Jan 13 2016 Alexey Makhalov 4.2.0-9 -- CONFIG_HZ=250 -* Tue Jan 12 2016 Mahmoud Bassiouny 4.2.0-8 -- Remove rootfstype from the kernel parameter. -* Mon Jan 04 2016 Harish Udaiya Kumar 4.2.0-7 -- Disabled all the tracing options in kernel config. -- Disabled preempt. -- Disabled sched autogroup. -* Thu Dec 17 2015 Harish Udaiya Kumar 4.2.0-6 -- Enabled kprobe for systemtap & disabled dynamic function tracing in config -* Fri Dec 11 2015 Harish Udaiya Kumar 4.2.0-5 -- Added oprofile kernel driver sub-package. -* Fri Nov 13 2015 Mahmoud Bassiouny 4.2.0-4 -- Change the linux image directory. -* Wed Nov 11 2015 Harish Udaiya Kumar 4.2.0-3 -- Added the build essential files in the dev sub-package. -* Mon Nov 09 2015 Vinay Kulkarni 4.2.0-2 -- Enable Geneve module support for generic kernel. -* Fri Oct 23 2015 Harish Udaiya Kumar 4.2.0-1 -- Upgraded the generic linux kernel to version 4.2.0 & and updated timer handling to full tickless mode. 
-* Tue Sep 22 2015 Harish Udaiya Kumar 4.0.9-5 -- Added driver support for frame buffer devices and ACPI -* Wed Sep 2 2015 Alexey Makhalov 4.0.9-4 -- Added mouse ps/2 module. -* Fri Aug 14 2015 Alexey Makhalov 4.0.9-3 -- Use photon.cfg as a symlink. -* Thu Aug 13 2015 Alexey Makhalov 4.0.9-2 -- Added environment file(photon.cfg) for grub. -* Wed Aug 12 2015 Sharath George 4.0.9-1 -- Upgrading kernel version. -* Wed Aug 12 2015 Alexey Makhalov 3.19.2-5 -- Updated OVT to version 10.0.0. -- Rename -gpu-drivers to -drivers-gpu in accordance to directory structure. -- Added -sound package/ -* Tue Aug 11 2015 Anish Swaminathan 3.19.2-4 -- Removed Requires dependencies. -* Fri Jul 24 2015 Harish Udaiya Kumar 3.19.2-3 -- Updated the config file to include graphics drivers. -* Mon May 18 2015 Touseef Liaqat 3.13.3-2 -- Update according to UsrMove. -* Wed Nov 5 2014 Divya Thaluru 3.13.3-1 -- Initial build. First version + +* Fri Feb 26 2016 Alexey Makhalov - 4.2.0-19 +- Disable watchdog under VMware hypervisor. + +* Thu Feb 25 2016 Alexey Makhalov - 4.2.0-18 +- Added rpcsec_gss_krb5 and nfs_fscache + +* Mon Feb 22 2016 Alexey Makhalov - 4.2.0-17 +- Added sysctl param to control weighted_cpuload() behavior + +* Thu Feb 18 2016 Divya Thaluru - 4.2.0-16 +- Disabling network renaming + +* Sun Feb 14 2016 Alexey Makhalov - 4.2.0-15 +- veth patch: don’t modify ip_summed + +* Thu Feb 11 2016 Alexey Makhalov - 4.2.0-14 +- Full tickless -> idle tickless + simple CPU time accounting +- SLUB -> SLAB +- Disable NUMA balancing +- Disable stack protector +- No build_forced no-CBs CPUs +- Disable Expert configuration mode +- Disable most of debug features from 'Kernel hacking' + +* Mon Feb 08 2016 Alexey Makhalov - 4.2.0-13 +- Double tcp_mem limits, patch is added. + +* Wed Feb 03 2016 Anish Swaminathan - 4.2.0-12 +- Fixes for CVE-2015-7990/6937 and CVE-2015-8660. 
+ +* Tue Jan 26 2016 Anish Swaminathan - 4.2.0-11 +- Revert CONFIG_HZ=250 + +* Fri Jan 22 2016 Alexey Makhalov - 4.2.0-10 +- Fix for CVE-2016-0728 + +* Wed Jan 13 2016 Alexey Makhalov - 4.2.0-9 +- CONFIG_HZ=250 + +* Tue Jan 12 2016 Mahmoud Bassiouny - 4.2.0-8 +- Remove rootfstype from the kernel parameter. + +* Mon Jan 04 2016 Harish Udaiya Kumar - 4.2.0-7 +- Disabled all the tracing options in kernel config. +- Disabled preempt. +- Disabled sched autogroup. + +* Thu Dec 17 2015 Harish Udaiya Kumar - 4.2.0-6 +- Enabled kprobe for systemtap & disabled dynamic function tracing in config + +* Fri Dec 11 2015 Harish Udaiya Kumar - 4.2.0-5 +- Added oprofile kernel driver sub-package. + +* Fri Nov 13 2015 Mahmoud Bassiouny - 4.2.0-4 +- Change the linux image directory. + +* Wed Nov 11 2015 Harish Udaiya Kumar - 4.2.0-3 +- Added the build essential files in the dev sub-package. + +* Mon Nov 09 2015 Vinay Kulkarni - 4.2.0-2 +- Enable Geneve module support for generic kernel. + +* Fri Oct 23 2015 Harish Udaiya Kumar - 4.2.0-1 +- Upgraded the generic linux kernel to version 4.2.0 & and updated timer handling to full tickless mode. + +* Tue Sep 22 2015 Harish Udaiya Kumar - 4.0.9-5 +- Added driver support for frame buffer devices and ACPI + +* Wed Sep 2 2015 Alexey Makhalov - 4.0.9-4 +- Added mouse ps/2 module. + +* Fri Aug 14 2015 Alexey Makhalov - 4.0.9-3 +- Use photon.cfg as a symlink. + +* Thu Aug 13 2015 Alexey Makhalov - 4.0.9-2 +- Added environment file(photon.cfg) for grub. + +* Wed Aug 12 2015 Sharath George - 4.0.9-1 +- Upgrading kernel version. + +* Wed Aug 12 2015 Alexey Makhalov - 3.19.2-5 +- Updated OVT to version 10.0.0. +- Rename -gpu-drivers to -drivers-gpu in accordance to directory structure. +- Added -sound package/ + +* Tue Aug 11 2015 Anish Swaminathan - 3.19.2-4 +- Removed Requires dependencies. + +* Fri Jul 24 2015 Harish Udaiya Kumar - 3.19.2-3 +- Updated the config file to include graphics drivers. 
+
+* Mon May 18 2015 Touseef Liaqat - 3.13.3-2
+- Update according to UsrMove.
+
+* Wed Nov 5 2014 Divya Thaluru - 3.13.3-1
+- Initial build. First version
diff --git a/SPECS/kernel/CVE-1999-0524.nopatch b/SPECS/kernel/CVE-1999-0524.nopatch
new file mode 100644
index 00000000000..b517265255e
--- /dev/null
+++ b/SPECS/kernel/CVE-1999-0524.nopatch
@@ -0,0 +1,3 @@
+CVE-1999-0524 - No upstream fix. Vulnerability is low severity.
+Users can mitigate the vulnerability by configuring their system firewall to
+not respond to certain ICMP requests.
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-1999-0656.nopatch b/SPECS/kernel/CVE-1999-0656.nopatch
new file mode 100644
index 00000000000..f875d73ec59
--- /dev/null
+++ b/SPECS/kernel/CVE-1999-0656.nopatch
@@ -0,0 +1,2 @@
+CVE-1999-0656 - Not a kernel vulnerability. It is a vulnerability in the
+rpc.ugidd daemon, which is not provided by the kernel package.
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2007-4998.nopatch b/SPECS/kernel/CVE-2007-4998.nopatch
new file mode 100644
index 00000000000..36b83288d95
--- /dev/null
+++ b/SPECS/kernel/CVE-2007-4998.nopatch
@@ -0,0 +1,2 @@
+CVE-2007-4998 - Not a kernel vulnerability. It is a vulnerability in the cp binary
+which can be supplied from multiple packages (coreutils, busybox, etc.)
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2008-4609.nopatch b/SPECS/kernel/CVE-2008-4609.nopatch
new file mode 100644
index 00000000000..eb8ef609e03
--- /dev/null
+++ b/SPECS/kernel/CVE-2008-4609.nopatch
@@ -0,0 +1,2 @@
+CVE-2008-4609 - No upstream fix. Vulnerability exploits design limitations in TCP protocol.
+Recommend using iptables mitigation - https://bugzilla.redhat.com/show_bug.cgi?id=465932
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2009-4484.nopatch b/SPECS/kernel/CVE-2009-4484.nopatch
new file mode 100644
index 00000000000..05ae34190a7
--- /dev/null
+++ b/SPECS/kernel/CVE-2009-4484.nopatch
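Review bot: The mitigation text in CVE-1999-0524.nopatch says to stop answering "certain ICMP requests" without naming them, so the record cannot be acted on or audited as written. CVE-1999-0524 concerns ICMP timestamp and address-mask (netmask) requests being answered for arbitrary hosts, so I would reword the last sentence to `Users can mitigate the vulnerability by configuring their system firewall to drop ICMP timestamp (type 13) and address mask (type 17) requests.` Whether the default image firewall already does this is not visible in this diff and is worth stating in the same file.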
@@ -0,0 +1,2 @@
+CVE-2009-4484 - Not a kernel vulnerability. It is a vulnerability in mysql when
+using the specific yaSSL implementation. We use openssl.
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2010-0298.nopatch b/SPECS/kernel/CVE-2010-0298.nopatch
new file mode 100644
index 00000000000..54be70a52ea
--- /dev/null
+++ b/SPECS/kernel/CVE-2010-0298.nopatch
@@ -0,0 +1,3 @@
+CVE-2010-0298 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - 1871c6020d7308afb99127bba51f04548e7ca84e
+Stable commit - 1871c6020d7308afb99127bba51f04548e7ca84e
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2010-0309.nopatch b/SPECS/kernel/CVE-2010-0309.nopatch
new file mode 100644
index 00000000000..48c5c142990
--- /dev/null
+++ b/SPECS/kernel/CVE-2010-0309.nopatch
@@ -0,0 +1,3 @@
+CVE-2010-0309 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - ee73f656a604d5aa9df86a97102e4e462dd79924
+Stable commit - ee73f656a604d5aa9df86a97102e4e462dd79924
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2010-4563.nopatch b/SPECS/kernel/CVE-2010-4563.nopatch
new file mode 100644
index 00000000000..02de956214f
--- /dev/null
+++ b/SPECS/kernel/CVE-2010-4563.nopatch
@@ -0,0 +1 @@
+CVE-2010-4563 - No upstream fix. Low security impact. No plans to fix.
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2011-0640.nopatch b/SPECS/kernel/CVE-2011-0640.nopatch
new file mode 100644
index 00000000000..dc0a734f954
--- /dev/null
+++ b/SPECS/kernel/CVE-2011-0640.nopatch
@@ -0,0 +1,4 @@
+CVE-2011-0640 - Vulnerability disputed. No fix upstream.
+Vulnerability concerns arbitrary code execution when a malicious USB device is
+plugged in. The malicious USB device poses as a HID device and sends keystrokes
+to control the host system.
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2011-2519.nopatch b/SPECS/kernel/CVE-2011-2519.nopatch
new file mode 100644
index 00000000000..ff8a501b174
--- /dev/null
+++ b/SPECS/kernel/CVE-2011-2519.nopatch
@@ -0,0 +1,2 @@
+CVE-2011-2519 - Not a kernel vulnerability. It is a vulnerability in the Xen
+hypervisor project when the guest executes the SAHF instruction.
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2015-5738.nopatch b/SPECS/kernel/CVE-2015-5738.nopatch
new file mode 100644
index 00000000000..2f4118629c0
--- /dev/null
+++ b/SPECS/kernel/CVE-2015-5738.nopatch
@@ -0,0 +1,2 @@
+CVE-2015-5738 - Not a kernel vulnerability. It is a vulnerability in the RSA-CRT
+implementation within the Cavium SDK.
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2017-8244.nopatch b/SPECS/kernel/CVE-2017-8244.nopatch
new file mode 100644
index 00000000000..61682a3a349
--- /dev/null
+++ b/SPECS/kernel/CVE-2017-8244.nopatch
@@ -0,0 +1,2 @@
+CVE-2017-8244 - Only applicable to Android kernel tree.
+Not a vulnerability in our kernel source as our tree does not host the affected component (drivers/media/platform/msm)
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2017-8245.nopatch b/SPECS/kernel/CVE-2017-8245.nopatch
new file mode 100644
index 00000000000..b28ca5fb5d2
--- /dev/null
+++ b/SPECS/kernel/CVE-2017-8245.nopatch
@@ -0,0 +1,2 @@
+CVE-2017-8245 - Only applicable to Android kernel tree.
+Not a vulnerability in our kernel source as our tree does not host the affected component (drivers/soc/qcom/qdsp6v2)
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2017-8246.nopatch b/SPECS/kernel/CVE-2017-8246.nopatch
new file mode 100644
index 00000000000..052d69d1f22
--- /dev/null
+++ b/SPECS/kernel/CVE-2017-8246.nopatch
@@ -0,0 +1,2 @@
+CVE-2017-8246 - Only applicable to Android kernel tree.
+Not a vulnerability in our kernel source as our tree does not host the affected component (sound/soc/msm/qdsp6v2)
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2018-1000026.nopatch b/SPECS/kernel/CVE-2018-1000026.nopatch
new file mode 100644
index 00000000000..1b402e44fa2
--- /dev/null
+++ b/SPECS/kernel/CVE-2018-1000026.nopatch
@@ -0,0 +1,3 @@
+CVE-2018-1000026 - Already patched in 5.4.51 stable kernel
+Upstream commit - 8914a595110a6eca69a5e275b323f5d09e18f4f9
+Stable tree commit id same as upstream commit id.
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2018-16880.nopatch b/SPECS/kernel/CVE-2018-16880.nopatch
new file mode 100644
index 00000000000..7c4a8c62c0c
--- /dev/null
+++ b/SPECS/kernel/CVE-2018-16880.nopatch
@@ -0,0 +1,3 @@
+CVE-2018-16880 - Already patched in 5.4.51 stable kernel
+Upstream commit - b46a0bf78ad7b150ef5910da83859f7f5a514ffd
+Stable tree commit id same as upstream commit id.
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2019-19338.nopatch b/SPECS/kernel/CVE-2019-19338.nopatch
new file mode 100644
index 00000000000..1b18daa233a
--- /dev/null
+++ b/SPECS/kernel/CVE-2019-19338.nopatch
@@ -0,0 +1,10 @@
+CVE-2019-19338 - already patched in linux-msft-5.4.72 stable kernel
+Patch 1
+Upstream commit - cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b
+Stable commit - cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b
+Patch 2
+Upstream commit - c11f83e0626bdc2b6c550fc8b9b6eeefbd8cefaa
+Stable commit - c11f83e0626bdc2b6c550fc8b9b6eeefbd8cefaa
+Patch 3
+Upstream commit - b07a5c53d42a8c87b208614129e947dd2338ff9c
+Stable commit - b07a5c53d42a8c87b208614129e947dd2338ff9c
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2019-20794.nopatch b/SPECS/kernel/CVE-2019-20794.nopatch
new file mode 100644
index 00000000000..894076a1c9b
--- /dev/null
+++ b/SPECS/kernel/CVE-2019-20794.nopatch
@@ -0,0 +1,4 @@
+CVE-2019-20794 - No upstream fix. Mitigation available.
+Mitigated by clearing the tasks stuck in Uninterruptible sleep state after the
+user namespace is gone and inflight operations are still in progress:
+ # echo 1 > /sys/fs/fuse/connections/$NUM/abort
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2019-20810.nopatch b/SPECS/kernel/CVE-2019-20810.nopatch
new file mode 100644
index 00000000000..c5ed87ae758
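Review bot: CVE-2019-20794.nopatch records an operator workaround rather than a fix, and its first line ("Mitigation available") does not make clear that a kernel built from this spec is still affected. The abort write only helps once tasks are already stuck in uninterruptible sleep, so I would change the first line to something like `CVE-2019-20794 - No upstream fix. Kernel remains affected; manual workaround below.` The command also leaves `$NUM` undefined; add a line saying it is the per-connection directory name under /sys/fs/fuse/connections and that the write has to be done by an administrator (presumably root; confirm against the FUSE control filesystem documentation).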
--- /dev/null
+++ b/SPECS/kernel/CVE-2019-20810.nopatch
@@ -0,0 +1,3 @@
+CVE-2019-20810 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - 9453264ef58638ce8976121ac44c07a3ef375983
+Stable commit - 47f7b553434000750f9f918df8ca8c137b7fc50b
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2019-3016.nopatch b/SPECS/kernel/CVE-2019-3016.nopatch
new file mode 100644
index 00000000000..6394ce0743e
--- /dev/null
+++ b/SPECS/kernel/CVE-2019-3016.nopatch
@@ -0,0 +1,16 @@
+CVE-2019-3016 - already patched in linux-msft-5.4.72 stable kernel
+Patch 1
+Upstream commit - 1eff70a9abd46f175defafd29bc17ad456f398a7
+Stable commit - a3db2949904b81ae53a840d99f71021f02a01fd3
+Patch 2
+Upstream commit - 8c6de56a42e0c657955e12b882a81ef07d1d073e
+Stable commit - 68460ceba319a46ea14b36129bfd0a152e0f00c3
+Patch 3
+Upstream commit - 917248144db5d7320655dbb41d3af0b8a0f3d589
+Stable commit - f7c1a6c67ff36532f1b0b339e3aae7701a2c0b1e
+Patch 4
+Upstream commit - a6bd811f1209fe1c64c9f6fd578101d6436c6b6e
+Stable commit - 2aebc6ed84efeb1e255fd6417f9230388f2206cd
+Patch 5
+Upstream commit - b043138246a41064527cf019a3d51d9f015e9796
+Stable commit - d71eef9fcc0b81fd56e59afd305a215d81239894
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2019-3819.nopatch b/SPECS/kernel/CVE-2019-3819.nopatch
new file mode 100644
index 00000000000..d4e5e2f406a
--- /dev/null
+++ b/SPECS/kernel/CVE-2019-3819.nopatch
@@ -0,0 +1,3 @@
+CVE-2019-3819 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035
+Stable commit - 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2019-3887.nopatch b/SPECS/kernel/CVE-2019-3887.nopatch
new file mode 100644
index 00000000000..aad4b1cab10
--- /dev/null
+++ b/SPECS/kernel/CVE-2019-3887.nopatch
@@ -0,0 +1,7 @@
+CVE-2019-3887 - already patched in linux-msft-5.4.72 stable kernel
+Patch 1
+Upstream commit - acff78477b9b4f26ecdf65733a4ed77fe837e9dc
+Stable commit - acff78477b9b4f26ecdf65733a4ed77fe837e9dc
+Patch 2
+Upstream commit - c73f4c998e1fd4249b9edfa39e23f4fda2b9b041
+Stable commit - c73f4c998e1fd4249b9edfa39e23f4fda2b9b041
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-10690.nopatch b/SPECS/kernel/CVE-2020-10690.nopatch
new file mode 100644
index 00000000000..eb01c526618
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-10690.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-10690 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - a33121e5487b424339636b25c35d3a180eaa5f5e
+Stable commit - bfa2e0cd3dfda64fde43c3dca3aeba298d2fe7ad
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-10711.nopatch b/SPECS/kernel/CVE-2020-10711.nopatch
new file mode 100644
index 00000000000..23763b33af7
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-10711.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-10711 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - eead1c2ea2509fd754c6da893a94f0e69e83ebe4
+Stable commit - 1c9dfc2d05d5edde2f8617e3087d9c7dfd55f3c7
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-10766.nopatch b/SPECS/kernel/CVE-2020-10766.nopatch
new file mode 100644
index 00000000000..b65b9437732
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-10766.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-10766 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - dbbe2ad02e9df26e372f38cc3e70dab9222c832e
+Stable commit - 209a76a5d46438011eab2eee2a17c8a93b6df8a5
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-10767.nopatch b/SPECS/kernel/CVE-2020-10767.nopatch
new file mode 100644
index 00000000000..20902f79b4c
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-10767.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-10767 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - 21998a351512eba4ed5969006f0c55882d995ada
+Stable commit - 3e49da23913dc18ee4193dd6cdfd27efa1e58563
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-10768.nopatch b/SPECS/kernel/CVE-2020-10768.nopatch
new file mode 100644
index 00000000000..87a114972f0
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-10768.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-10768 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - 4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf
+Stable commit - 3027b9fecd11a63ed51804f982978c41c556537a
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-10781.nopatch b/SPECS/kernel/CVE-2020-10781.nopatch
new file mode 100644
index 00000000000..f9a9e3e119c
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-10781.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-10781 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - 853eab68afc80f59f36bbdeb715e5c88c501e680
+Stable commit - edda9fd73f6269354ed945ed67e75eca0d116672
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-10942.nopatch b/SPECS/kernel/CVE-2020-10942.nopatch
new file mode 100644
index 00000000000..f5147a0b5f6
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-10942.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-10942 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - 42d84c8490f9f0931786f1623191fcab397c3d64
+Stable commit - f09fbb1175cffdbbb36b28e2ff7db96dcc90de08
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-11608.nopatch b/SPECS/kernel/CVE-2020-11608.nopatch
new file mode 100644
index 00000000000..50886464ab2
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-11608.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-11608 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - 998912346c0da53a6dbb71fab3a138586b596b30
+Stable commit - 0e01661c14e1e9b254aa550eb08adf582cb3b81f
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-11609.nopatch b/SPECS/kernel/CVE-2020-11609.nopatch
new file mode 100644
index 00000000000..aab1d92cd24
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-11609.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-11609 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - 485b06aadb933190f4bc44e006076bc27a23f205
+Stable commit - c06050a34b9c09fe3a367409892b31f77fc64168
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-12464.nopatch b/SPECS/kernel/CVE-2020-12464.nopatch
new file mode 100644
index 00000000000..3f40a7de0c5
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-12464.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-12464 - Already fixed in 5.4.51 stable kernel
+Upstream commit - 056ad39ee9253873522f6469c3364964a322912b
+Stable commit - 4ea6153fc7f4deeb4b26b66f42c4d050b33df7f9
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-12465.nopatch b/SPECS/kernel/CVE-2020-12465.nopatch
new file mode 100644
index 00000000000..c8b7e9593c3
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-12465.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-12465 - Already fixed in 5.4.51 stable kernel
+Upstream commit - b102f0c522cf668c8382c56a4f771b37d011cda2
+Stable commit - 9980ae64ee8954e191a9f58663481dd584c2dc8a
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-12656.nopatch b/SPECS/kernel/CVE-2020-12656.nopatch
new file mode 100644
index 00000000000..865b83287b2
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-12656.nopatch
@@ -0,0 +1,2 @@
+CVE-2020-12656 - Disputed. Memory leak vulnerability occurs on module unload,
+which is already considered a privileged operation.
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-12659.nopatch b/SPECS/kernel/CVE-2020-12659.nopatch
new file mode 100644
index 00000000000..fd70f71af8a
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-12659.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-12659 - Already patched in 5.4.51 stable kernel
+Upstream commit - 99e3a236dd43d06c65af0a2ef9cb44306aef6e02
+Stable commit - 25de13b0ad039f81f5f1fe3f7f439ac8c489c96f
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-12768.nopatch b/SPECS/kernel/CVE-2020-12768.nopatch
new file mode 100644
index 00000000000..85406359302
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-12768.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-12768 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - d80b64ff297e40c2b6f7d7abc1b3eba70d22a068
+Stable commit - 6c4587c0d1d9d5a182ce5cf72dff52b7b00c73b7
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-12826.nopatch b/SPECS/kernel/CVE-2020-12826.nopatch
new file mode 100644
index 00000000000..b835fbd5eb2
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-12826.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-12826 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - d1e7fd6462ca9fc76650fbe6ca800e35b24267da
+Stable commit - 5a4734362d07ea0ae10dc738f9f03f87f4f09e2d
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-12888.nopatch b/SPECS/kernel/CVE-2020-12888.nopatch
new file mode 100644
index 00000000000..af5d238095d
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-12888.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-12888 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - abafbc551fddede3e0a08dee1dcde08fc0eb8476
+Stable commit - baa21d56a0aa3d29a9354c0dca3179713c1f3e82
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-14314.nopatch b/SPECS/kernel/CVE-2020-14314.nopatch
new file mode 100644
index 00000000000..06a30ddf169
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-14314.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-14314 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - 5872331b3d91820e14716632ebb56b1399b34fe1
+Stable commit - 96a56b5433b3e633c02eea283a4433d623b40d33
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-14331.nopatch b/SPECS/kernel/CVE-2020-14331.nopatch
new file mode 100644
index 00000000000..95e2523ed55
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-14331.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-14331 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d
+Stable commit - 76b10c757e8554060f27f820f8f0079b9177fcea
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-14356.nopatch b/SPECS/kernel/CVE-2020-14356.nopatch
new file mode 100644
index 00000000000..6db80838f66
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-14356.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-14356 - Already patched in 5.4.72 stable kernel
+Upstream commit - ad0f75e5f57ccbceec13274e1e242f2b5a6397ed
+Stable commit - 4eaeb927a3230427c5b414030f4b838616d65b29
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-14385.nopatch b/SPECS/kernel/CVE-2020-14385.nopatch
new file mode 100644
index 00000000000..8ac1eb00ffc
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-14385.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-14385 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - f4020438fab05364018c91f7e02ebdd192085933
+Stable commit - 23f6872d1a9c3bf544cfa43cba1302e20de640bc
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-14386.nopatch b/SPECS/kernel/CVE-2020-14386.nopatch
new file mode 100644
index 00000000000..cabbbe7dfb9
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-14386.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-14386 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - acf69c946233259ab4d64f8869d4037a198c7f06
+Stable commit - 65f546d6c6586d0cc3dfc9ca65c9eee80c1abb80
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-14390.nopatch b/SPECS/kernel/CVE-2020-14390.nopatch
new file mode 100644
index 00000000000..94fef1b9df9
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-14390.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-14390 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - 50145474f6ef4a9c19205b173da6264a644c7489
+Stable commit - f80b9009eee1e33de597245d9e09e27e76709673
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-15780.nopatch b/SPECS/kernel/CVE-2020-15780.nopatch
new file mode 100644
index 00000000000..6ecdede66dc
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-15780.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-15780 - Already fixed in 5.4.51 stable kernel
+Upstream commit - 75b0cea7bf307f362057cc778efe89af4c615354
+Stable commit - 67fb5a8aedd12e8adb1dddd324e90f904a4e1e00
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-16166.nopatch b/SPECS/kernel/CVE-2020-16166.nopatch
new file mode 100644
index 00000000000..4f00704c12b
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-16166.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-16166 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - f227e3ec3b5cad859ad15666874405e8c1bbc1d4
+Stable commit - 2b9faf229ed2741644e418cf81697cd3aa81ceb7
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-25211.nopatch b/SPECS/kernel/CVE-2020-25211.nopatch
new file mode 100644
index 00000000000..c77df952bcb
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-25211.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-25211 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6
+Stable commit - 8d479c9e2a1c8fdd1b18a2f657ec917c79b9f430
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-25212.nopatch b/SPECS/kernel/CVE-2020-25212.nopatch
new file mode 100644
index 00000000000..8e8db455c08
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-25212.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-25212 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - b4487b93545214a9db8cbf32e86411677b0cca21
+Stable commit - 4052ab9094b6efecb6dc7ed854b3579148ad4a09
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-25284.nopatch b/SPECS/kernel/CVE-2020-25284.nopatch
new file mode 100644
index 00000000000..9778a9ae70b
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-25284.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-25284 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - f44d04e696feaf13d192d942c4f14ad2e117065a
+Stable commit - ac9737182fff4387cc133369767e9e68772fc3cd
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-25285.nopatch b/SPECS/kernel/CVE-2020-25285.nopatch
new file mode 100644
index 00000000000..b3b5fb532a4
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-25285.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-25285 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - 17743798d81238ab13050e8e2833699b54e15467
+Stable commit - 5fc45104613466d95955a9aedef83d36e58fd276
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-25641.nopatch b/SPECS/kernel/CVE-2020-25641.nopatch
new file mode 100644
index 00000000000..e333305b243
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-25641.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-25641 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - 7e24969022cbd61ddc586f14824fc205661bb124
+Stable commit - adc61d4e217f0ad6d75a1aaed80f3259ec2cd7c2
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-25643.nopatch b/SPECS/kernel/CVE-2020-25643.nopatch
new file mode 100644
index 00000000000..68cacde5b93
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-25643.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-25643 - already patched in linux-msft-5.4.72 stable kernel
+Upstream commit - 66d42ed8b25b64eb63111a2b8582c5afc8bf1105
+Stable commit - 4215ee9dcf0a05080206c392a14d624a09171db3
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-25645.nopatch b/SPECS/kernel/CVE-2020-25645.nopatch
new file mode 100644
index 00000000000..c7015b49231
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-25645.nopatch
@@ -0,0 +1,3 @@ +CVE-2020-25645 - already patched in linux-msft-5.4.72 stable kernel +Upstream commit - 34beb21594519ce64a55a498c2fe7d567bc1ca20 +Stable commit - 700cfadb04a4f26008f882a2e945aa5a6884530f \ No newline at end of file diff --git a/SPECS/kernel/CVE-2020-26088.nopatch b/SPECS/kernel/CVE-2020-26088.nopatch new file mode 100644 index 00000000000..67dd897c24b --- /dev/null +++ b/SPECS/kernel/CVE-2020-26088.nopatch @@ -0,0 +1,3 @@ +CVE-2020-26088 - already patched in linux-msft-5.4.72 stable kernel +Upstream commit - 26896f01467a28651f7a536143fe5ac8449d4041 +Stable commit - 04d588bb1dcda5418cbe3a903b97eea43f0865b0 \ No newline at end of file diff --git a/SPECS/kernel/config b/SPECS/kernel/config index fa30fe05070..67bff494c32 100644 --- a/SPECS/kernel/config +++ b/SPECS/kernel/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.4.51 Kernel Configuration +# Linux/x86_64 5.4.72 Kernel Configuration # # @@ -1992,7 +1992,6 @@ CONFIG_SCSI_PROC_FS=y CONFIG_BLK_DEV_SD=y # CONFIG_CHR_DEV_ST is not set CONFIG_BLK_DEV_SR=y -# CONFIG_BLK_DEV_SR_VENDOR is not set CONFIG_CHR_DEV_SG=y # CONFIG_CHR_DEV_SCH is not set # CONFIG_SCSI_CONSTANTS is not set @@ -2276,6 +2275,7 @@ CONFIG_MII=m CONFIG_NET_CORE=y CONFIG_BONDING=m CONFIG_DUMMY=m +# CONFIG_WIREGUARD is not set # CONFIG_EQUALIZER is not set # CONFIG_NET_FC is not set # CONFIG_IFB is not set @@ -4065,9 +4065,6 @@ CONFIG_HDMI=y # Console display driver support # CONFIG_VGA_CONSOLE=y -CONFIG_VGACON_SOFT_SCROLLBACK=y -CONFIG_VGACON_SOFT_SCROLLBACK_SIZE=64 -# CONFIG_VGACON_SOFT_SCROLLBACK_PERSISTENT_ENABLE_BY_DEFAULT is not set CONFIG_DUMMY_CONSOLE=y CONFIG_DUMMY_CONSOLE_COLUMNS=80 CONFIG_DUMMY_CONSOLE_ROWS=25 @@ -6143,6 +6140,8 @@ CONFIG_CRYPTO_DH=m CONFIG_CRYPTO_ECC=m CONFIG_CRYPTO_ECDH=m # CONFIG_CRYPTO_ECRDSA is not set +# CONFIG_CRYPTO_CURVE25519 is not set +# CONFIG_CRYPTO_CURVE25519_X86 is not set # # Authenticated Encryption with Associated Data 
@@ -6189,6 +6188,8 @@ CONFIG_CRYPTO_CRC32C_INTEL=m # CONFIG_CRYPTO_CRC32 is not set # CONFIG_CRYPTO_CRC32_PCLMUL is not set # CONFIG_CRYPTO_XXHASH is not set +# CONFIG_CRYPTO_BLAKE2S is not set +# CONFIG_CRYPTO_BLAKE2S_X86 is not set CONFIG_CRYPTO_CRCT10DIF=y # CONFIG_CRYPTO_CRCT10DIF_PCLMUL is not set CONFIG_CRYPTO_GHASH=m @@ -6205,7 +6206,6 @@ CONFIG_CRYPTO_SHA1=y # CONFIG_CRYPTO_SHA1_SSSE3 is not set # CONFIG_CRYPTO_SHA256_SSSE3 is not set # CONFIG_CRYPTO_SHA512_SSSE3 is not set -CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_SHA256=y CONFIG_CRYPTO_SHA512=y # CONFIG_CRYPTO_SHA3 is not set @@ -6218,12 +6218,10 @@ CONFIG_CRYPTO_SHA512=y # # Ciphers # -CONFIG_CRYPTO_LIB_AES=y CONFIG_CRYPTO_AES=y # CONFIG_CRYPTO_AES_TI is not set CONFIG_CRYPTO_AES_NI_INTEL=m # CONFIG_CRYPTO_ANUBIS is not set -CONFIG_CRYPTO_LIB_ARC4=m CONFIG_CRYPTO_ARC4=m # CONFIG_CRYPTO_BLOWFISH is not set # CONFIG_CRYPTO_BLOWFISH_X86_64 is not set @@ -6235,7 +6233,6 @@ CONFIG_CRYPTO_ARC4=m # CONFIG_CRYPTO_CAST5_AVX_X86_64 is not set # CONFIG_CRYPTO_CAST6 is not set # CONFIG_CRYPTO_CAST6_AVX_X86_64 is not set -CONFIG_CRYPTO_LIB_DES=m CONFIG_CRYPTO_DES=m # CONFIG_CRYPTO_DES3_EDE_X86_64 is not set # CONFIG_CRYPTO_FCRYPT is not set @@ -6281,6 +6278,20 @@ CONFIG_CRYPTO_USER_API_SKCIPHER=m # CONFIG_CRYPTO_USER_API_RNG is not set # CONFIG_CRYPTO_USER_API_AEAD is not set CONFIG_CRYPTO_HASH_INFO=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=m +# CONFIG_CRYPTO_LIB_BLAKE2S is not set +# CONFIG_CRYPTO_LIB_CHACHA is not set +# CONFIG_CRYPTO_LIB_CURVE25519 is not set +CONFIG_CRYPTO_LIB_DES=m +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=11 +# CONFIG_CRYPTO_LIB_POLY1305 is not set +# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set +CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_DEV_PADLOCK is not set # CONFIG_CRYPTO_DEV_ATMEL_ECC is not set 
@@ -6486,7 +6497,7 @@ CONFIG_PAGE_POISONING_ZERO=y # CONFIG_DEBUG_PAGE_REF is not set # CONFIG_DEBUG_RODATA_TEST is not set # CONFIG_DEBUG_OBJECTS is not set -CONFIG_SLUB_DEBUG_ON=y +# CONFIG_SLUB_DEBUG_ON is not set # CONFIG_SLUB_STATS is not set CONFIG_HAVE_DEBUG_KMEMLEAK=y # CONFIG_DEBUG_KMEMLEAK is not set diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index 078b4dbebc3..a044d0346ca 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 5.4.51 Kernel Configuration +# Linux/arm64 5.4.72 Kernel Configuration # # @@ -48,6 +48,7 @@ CONFIG_HARDIRQS_SW_RESEND=y CONFIG_GENERIC_IRQ_CHIP=y CONFIG_IRQ_DOMAIN=y CONFIG_IRQ_DOMAIN_HIERARCHY=y +CONFIG_IRQ_FASTEOI_HIERARCHY_HANDLERS=y CONFIG_GENERIC_MSI_IRQ=y CONFIG_GENERIC_MSI_IRQ_DOMAIN=y CONFIG_IRQ_MSI_IOMMU=y @@ -92,7 +93,8 @@ CONFIG_TASKSTATS=y CONFIG_TASK_DELAY_ACCT=y CONFIG_TASK_XACCT=y CONFIG_TASK_IO_ACCOUNTING=y -# CONFIG_PSI is not set +CONFIG_PSI=y +# CONFIG_PSI_DEFAULT_DISABLED is not set # end of CPU/Task time and stats accounting CONFIG_CPU_ISOLATION=y @@ -109,8 +111,8 @@ CONFIG_RCU_NEED_SEGCBLIST=y # end of RCU Subsystem CONFIG_IKCONFIG=y -CONFIG_IKCONFIG_PROC=y -# CONFIG_IKHEADERS is not set +# CONFIG_IKCONFIG_PROC is not set +CONFIG_IKHEADERS=m CONFIG_LOG_BUF_SHIFT=18 CONFIG_LOG_CPU_MAX_BUF_SHIFT=12 CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13 @@ -119,11 +121,14 @@ CONFIG_GENERIC_SCHED_CLOCK=y # # Scheduler features # +CONFIG_UCLAMP_TASK=y +CONFIG_UCLAMP_BUCKETS_COUNT=5 # end of Scheduler features CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y CONFIG_ARCH_SUPPORTS_INT128=y -# CONFIG_NUMA_BALANCING is not set +CONFIG_NUMA_BALANCING=y +CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=y CONFIG_CGROUPS=y CONFIG_PAGE_COUNTER=y CONFIG_MEMCG=y 
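Review bot: The x86_64 kernel loses its boot-default slab sanity checks, red zoning and poisoning when `CONFIG_SLUB_DEBUG_ON=y` becomes `# CONFIG_SLUB_DEBUG_ON is not set` in the `@@ -6486,7 +6497,7 @@` hunk of SPECS/kernel/config, and nothing visible in the diff records why. Those checks cost performance, so the change is probably deliberate, but they also surface heap corruption early, so the trade-off should be written down, for example as a spec changelog line `- Disable CONFIG_SLUB_DEBUG_ON by default; pass slub_debug=FZP on the kernel command line to re-enable`. That boot parameter only works while `CONFIG_SLUB_DEBUG=y` stays set, which this hunk does not show for x86_64 and should be confirmed. The surrounding context shows `CONFIG_PAGE_POISONING_ZERO=y` is still configured.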
@@ -136,8 +141,9 @@ CONFIG_CGROUP_SCHED=y CONFIG_FAIR_GROUP_SCHED=y CONFIG_CFS_BANDWIDTH=y # CONFIG_RT_GROUP_SCHED is not set +# CONFIG_UCLAMP_TASK_GROUP is not set CONFIG_CGROUP_PIDS=y -# CONFIG_CGROUP_RDMA is not set +CONFIG_CGROUP_RDMA=y CONFIG_CGROUP_FREEZER=y CONFIG_CGROUP_HUGETLB=y CONFIG_CPUSETS=y @@ -145,6 +151,7 @@ CONFIG_PROC_PID_CPUSET=y CONFIG_CGROUP_DEVICE=y CONFIG_CGROUP_CPUACCT=y CONFIG_CGROUP_PERF=y +CONFIG_CGROUP_BPF=y # CONFIG_CGROUP_DEBUG is not set CONFIG_SOCK_CGROUP_DATA=y CONFIG_NAMESPACES=y @@ -153,8 +160,8 @@ CONFIG_IPC_NS=y CONFIG_USER_NS=y CONFIG_PID_NS=y CONFIG_NET_NS=y -# CONFIG_CHECKPOINT_RESTORE is not set -# CONFIG_SCHED_AUTOGROUP is not set +CONFIG_CHECKPOINT_RESTORE=y +CONFIG_SCHED_AUTOGROUP=y # CONFIG_SYSFS_DEPRECATED is not set CONFIG_RELAY=y CONFIG_BLK_DEV_INITRD=y @@ -168,9 +175,11 @@ CONFIG_RD_LZ4=y CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y # CONFIG_CC_OPTIMIZE_FOR_SIZE is not set CONFIG_SYSCTL=y +CONFIG_HAVE_UID16=y CONFIG_SYSCTL_EXCEPTION_TRACE=y CONFIG_BPF=y CONFIG_EXPERT=y +CONFIG_UID16=y CONFIG_MULTIUSER=y CONFIG_SGETMASK_SYSCALL=y CONFIG_SYSFS_SYSCALL=y @@ -196,13 +205,15 @@ CONFIG_MEMBARRIER=y CONFIG_KALLSYMS=y CONFIG_KALLSYMS_ALL=y CONFIG_KALLSYMS_BASE_RELATIVE=y -# CONFIG_BPF_SYSCALL is not set -# CONFIG_USERFAULTFD is not set +CONFIG_BPF_SYSCALL=y +CONFIG_BPF_JIT_ALWAYS_ON=y +CONFIG_USERFAULTFD=y CONFIG_ARCH_HAS_MEMBARRIER_SYNC_CORE=y -# CONFIG_RSEQ is not set +CONFIG_RSEQ=y +# CONFIG_DEBUG_RSEQ is not set # CONFIG_EMBEDDED is not set CONFIG_HAVE_PERF_EVENTS=y -# CONFIG_PC104 is not set +CONFIG_PC104=y # # Kernel Performance Events And Counters @@ -213,7 +224,7 @@ CONFIG_PERF_EVENTS=y CONFIG_VM_EVENT_COUNTERS=y CONFIG_SLUB_DEBUG=y -# CONFIG_SLUB_MEMCG_SYSFS_ON is not set +CONFIG_SLUB_MEMCG_SYSFS_ON=y # CONFIG_COMPAT_BRK is not set # CONFIG_SLAB is not set CONFIG_SLUB=y 
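Review bot: `CONFIG_BPF_SYSCALL=y` and `CONFIG_USERFAULTFD=y` in the -196 hunk expose two interfaces that, on a 5.4 kernel, unprivileged users can reach unless a sysctl says otherwise. `CONFIG_BPF_JIT_ALWAYS_ON=y` is the right companion setting, but it does not restrict who may call bpf(). I would pair this config change with shipped sysctl defaults `kernel.unprivileged_bpf_disabled = 1` and `vm.unprivileged_userfaultfd = 0`, so that only workloads which need these interfaces opt back in. Whether the image already carries such defaults cannot be seen from this diff.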
@@ -258,35 +269,35 @@ CONFIG_ARCH_PROC_KCORE_TEXT=y # # Platform selection # -# CONFIG_ARCH_ACTIONS is not set -# CONFIG_ARCH_AGILEX is not set +CONFIG_ARCH_ACTIONS=y +CONFIG_ARCH_AGILEX=y CONFIG_ARCH_SUNXI=y # CONFIG_ARCH_ALPINE is not set CONFIG_ARCH_BCM2835=y CONFIG_ARCH_BCM_IPROC=y CONFIG_ARCH_BERLIN=y -# CONFIG_ARCH_BITMAIN is not set +CONFIG_ARCH_BITMAIN=y CONFIG_ARCH_BRCMSTB=y -CONFIG_ARCH_EXYNOS=y -# CONFIG_ARCH_K3 is not set +# CONFIG_ARCH_EXYNOS is not set +CONFIG_ARCH_K3=y CONFIG_ARCH_LAYERSCAPE=y CONFIG_ARCH_LG1K=y CONFIG_ARCH_HISI=y CONFIG_ARCH_MEDIATEK=y CONFIG_ARCH_MESON=y CONFIG_ARCH_MVEBU=y -# CONFIG_ARCH_MXC is not set +CONFIG_ARCH_MXC=y CONFIG_ARCH_QCOM=y -# CONFIG_ARCH_REALTEK is not set -# CONFIG_ARCH_RENESAS is not set +CONFIG_ARCH_REALTEK=y +CONFIG_ARCH_RENESAS=y CONFIG_ARCH_ROCKCHIP=y CONFIG_ARCH_SEATTLE=y CONFIG_ARCH_STRATIX10=y -# CONFIG_ARCH_SYNQUACER is not set +CONFIG_ARCH_SYNQUACER=y CONFIG_ARCH_TEGRA=y CONFIG_ARCH_SPRD=y CONFIG_ARCH_THUNDER=y -# CONFIG_ARCH_THUNDER2 is not set +CONFIG_ARCH_THUNDER2=y # CONFIG_ARCH_UNIPHIER is not set CONFIG_ARCH_VEXPRESS=y CONFIG_ARCH_XGENE=y @@ -307,8 +318,11 @@ CONFIG_ARM64_ERRATUM_827319=y CONFIG_ARM64_ERRATUM_824069=y CONFIG_ARM64_ERRATUM_819472=y CONFIG_ARM64_ERRATUM_832075=y +CONFIG_ARM64_ERRATUM_834220=y +CONFIG_ARM64_ERRATUM_845719=y CONFIG_ARM64_ERRATUM_843419=y CONFIG_ARM64_ERRATUM_1024718=y +CONFIG_ARM64_ERRATUM_1418040=y CONFIG_ARM64_ERRATUM_1165522=y CONFIG_ARM64_ERRATUM_1286807=y CONFIG_ARM64_ERRATUM_1463225=y @@ -340,10 +354,10 @@ CONFIG_ARM64_PA_BITS=48 # CONFIG_CPU_BIG_ENDIAN is not set CONFIG_SCHED_MC=y CONFIG_SCHED_SMT=y -CONFIG_NR_CPUS=128 +CONFIG_NR_CPUS=256 CONFIG_HOTPLUG_CPU=y CONFIG_NUMA=y -CONFIG_NODES_SHIFT=10 +CONFIG_NODES_SHIFT=6 CONFIG_USE_PERCPU_NUMA_NODE_ID=y CONFIG_HAVE_SETUP_PER_CPU_AREA=y CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y 
@@ -369,7 +383,11 @@ CONFIG_PARAVIRT=y # CONFIG_PARAVIRT_TIME_ACCOUNTING is not set CONFIG_KEXEC=y CONFIG_KEXEC_FILE=y -# CONFIG_KEXEC_SIG is not set +CONFIG_KEXEC_SIG=y + +# +# Support for PE file signature verification disabled +# CONFIG_CRASH_DUMP=y CONFIG_TRANS_TABLE=y CONFIG_XEN_DOM0=y @@ -382,7 +400,12 @@ CONFIG_ARM64_SSBD=y CONFIG_RODATA_FULL_DEFAULT_ENABLED=y CONFIG_ARM64_SW_TTBR0_PAN=y CONFIG_ARM64_TAGGED_ADDR_ABI=y -# CONFIG_COMPAT is not set +CONFIG_COMPAT=y +CONFIG_KUSER_HELPERS=y +CONFIG_ARMV8_DEPRECATED=y +CONFIG_SWP_EMULATION=y +CONFIG_CP15_BARRIER_EMULATION=y +CONFIG_SETEND_EMULATION=y # # ARMv8.1 architectural features @@ -397,8 +420,8 @@ CONFIG_ARM64_VHE=y # ARMv8.2 architectural features # CONFIG_ARM64_UAO=y -# CONFIG_ARM64_PMEM is not set -# CONFIG_ARM64_RAS_EXTN is not set +CONFIG_ARM64_PMEM=y +CONFIG_ARM64_RAS_EXTN=y CONFIG_ARM64_CNP=y # end of ARMv8.2 architectural features @@ -408,9 +431,10 @@ CONFIG_ARM64_CNP=y CONFIG_ARM64_PTR_AUTH=y # end of ARMv8.3 architectural features -# CONFIG_ARM64_SVE is not set +CONFIG_ARM64_SVE=y CONFIG_ARM64_MODULE_PLTS=y -# CONFIG_ARM64_PSEUDO_NMI is not set +CONFIG_ARM64_PSEUDO_NMI=y +# CONFIG_ARM64_DEBUG_PRIORITY_MASKING is not set CONFIG_RELOCATABLE=y CONFIG_RANDOMIZE_BASE=y CONFIG_RANDOMIZE_MODULE_REGION_FULL=y @@ -421,7 +445,7 @@ CONFIG_STACKPROTECTOR_PER_TASK=y # # Boot options # -# CONFIG_ARM64_ACPI_PARKING_PROTOCOL is not set +CONFIG_ARM64_ACPI_PARKING_PROTOCOL=y CONFIG_CMDLINE="" # CONFIG_CMDLINE_FORCE is not set CONFIG_EFI_STUB=y @@ -429,6 +453,7 @@ CONFIG_EFI=y CONFIG_DMI=y # end of Boot options +CONFIG_SYSVIPC_COMPAT=y CONFIG_ARCH_ENABLE_HUGEPAGE_MIGRATION=y # 
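Review bot: `CONFIG_KEXEC_SIG=y` in the -369 hunk is immediately followed by the Kconfig-generated comment "Support for PE file signature verification disabled", which means the prerequisite for image verification was not met when this config was generated. `CONFIG_EFI=y` is visible further down, so the missing piece is presumably `CONFIG_SIGNED_PE_FILE_VERIFICATION`. As written, the option may not give kexec_file_load() a working verifier; it should be confirmed on a built kernel whether images are verified, all rejected, or loaded unchecked. Either add `CONFIG_SIGNED_PE_FILE_VERIFICATION=y` so that `CONFIG_KEXEC_IMAGE_VERIFY_SIG=y` becomes selectable, or keep `# CONFIG_KEXEC_SIG is not set` until the signing path exists.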
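Review bot: Enabling `CONFIG_COMPAT=y` in the -382 hunk adds the whole AArch32 syscall and ioctl compatibility surface, and the hunk does not say which 32-bit workload needs it. It also pulls in `CONFIG_KUSER_HELPERS=y`, which maps helper code at a fixed address in every 32-bit process, and `CONFIG_ARMV8_DEPRECATED=y` with the SWP/CP15/SETEND emulation handlers. The later -672 hunk gives those processes only `CONFIG_ARCH_MMAP_RND_COMPAT_BITS=11` of mmap randomisation. If AArch32 userspace is not a product requirement, keep `# CONFIG_COMPAT is not set`. Otherwise consider `# CONFIG_KUSER_HELPERS is not set` and `# CONFIG_ARMV8_DEPRECATED is not set`, and raise the compat randomisation bits to the maximum the page size allows.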
@@ -441,12 +466,18 @@ CONFIG_SUSPEND_FREEZER=y CONFIG_PM_SLEEP=y CONFIG_PM_SLEEP_SMP=y # CONFIG_PM_AUTOSLEEP is not set -# CONFIG_PM_WAKELOCKS is not set +CONFIG_PM_WAKELOCKS=y +CONFIG_PM_WAKELOCKS_LIMIT=100 +CONFIG_PM_WAKELOCKS_GC=y CONFIG_PM=y -# CONFIG_PM_DEBUG is not set +CONFIG_PM_DEBUG=y +CONFIG_PM_ADVANCED_DEBUG=y +# CONFIG_PM_TEST_SUSPEND is not set +CONFIG_PM_SLEEP_DEBUG=y +# CONFIG_DPM_WATCHDOG is not set CONFIG_PM_CLK=y CONFIG_PM_GENERIC_DOMAINS=y -# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set +CONFIG_WQ_POWER_EFFICIENT_DEFAULT=y CONFIG_PM_GENERIC_DOMAINS_SLEEP=y CONFIG_PM_GENERIC_DOMAINS_OF=y CONFIG_CPU_PM=y @@ -491,11 +522,11 @@ CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE=y # CONFIG_CPU_FREQ_DEFAULT_GOV_CONSERVATIVE is not set # CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL is not set CONFIG_CPU_FREQ_GOV_PERFORMANCE=y -CONFIG_CPU_FREQ_GOV_POWERSAVE=m -CONFIG_CPU_FREQ_GOV_USERSPACE=m -CONFIG_CPU_FREQ_GOV_ONDEMAND=m -CONFIG_CPU_FREQ_GOV_CONSERVATIVE=m -# CONFIG_CPU_FREQ_GOV_SCHEDUTIL is not set +CONFIG_CPU_FREQ_GOV_POWERSAVE=y +CONFIG_CPU_FREQ_GOV_USERSPACE=y +CONFIG_CPU_FREQ_GOV_ONDEMAND=y +CONFIG_CPU_FREQ_GOV_CONSERVATIVE=y +CONFIG_CPU_FREQ_GOV_SCHEDUTIL=y # # CPU frequency scaling drivers @@ -503,11 +534,15 @@ CONFIG_CPU_FREQ_GOV_CONSERVATIVE=m CONFIG_CPUFREQ_DT=y CONFIG_CPUFREQ_DT_PLATDEV=y CONFIG_ACPI_CPPC_CPUFREQ=m -# CONFIG_ARM_ARMADA_37XX_CPUFREQ is not set -# CONFIG_ARM_ARMADA_8K_CPUFREQ is not set -CONFIG_ARM_BRCMSTB_AVS_CPUFREQ=y -# CONFIG_ARM_MEDIATEK_CPUFREQ is not set -# CONFIG_ARM_QCOM_CPUFREQ_HW is not set +CONFIG_ARM_ARMADA_37XX_CPUFREQ=m +CONFIG_ARM_ARMADA_8K_CPUFREQ=m +CONFIG_ARM_SCPI_CPUFREQ=m +CONFIG_ARM_BRCMSTB_AVS_CPUFREQ=m +CONFIG_ARM_IMX_CPUFREQ_DT=m +CONFIG_ARM_MEDIATEK_CPUFREQ=m +CONFIG_ARM_QCOM_CPUFREQ_HW=m +CONFIG_ARM_RASPBERRYPI_CPUFREQ=m +CONFIG_ARM_SCMI_CPUFREQ=m CONFIG_ARM_TEGRA20_CPUFREQ=y CONFIG_ARM_TEGRA124_CPUFREQ=y CONFIG_QORIQ_CPUFREQ=m 
@@ -517,20 +552,24 @@ CONFIG_QORIQ_CPUFREQ=m # # Firmware Drivers # -# CONFIG_ARM_SCMI_PROTOCOL is not set -CONFIG_ARM_SCPI_PROTOCOL=y -CONFIG_ARM_SCPI_POWER_DOMAIN=y -# CONFIG_ARM_SDE_INTERFACE is not set +CONFIG_ARM_SCMI_PROTOCOL=y +CONFIG_ARM_SCMI_POWER_DOMAIN=m +CONFIG_ARM_SCPI_PROTOCOL=m +CONFIG_ARM_SCPI_POWER_DOMAIN=m +CONFIG_ARM_SDE_INTERFACE=y CONFIG_FIRMWARE_MEMMAP=y CONFIG_DMIID=y -# CONFIG_DMI_SYSFS is not set -# CONFIG_ISCSI_IBFT is not set +CONFIG_DMI_SYSFS=m +CONFIG_ISCSI_IBFT=m CONFIG_RASPBERRYPI_FIRMWARE=y -# CONFIG_FW_CFG_SYSFS is not set -# CONFIG_INTEL_STRATIX10_SERVICE is not set +CONFIG_FW_CFG_SYSFS=m +# CONFIG_FW_CFG_SYSFS_CMDLINE is not set +CONFIG_INTEL_STRATIX10_SERVICE=m +# CONFIG_INTEL_STRATIX10_RSU is not set CONFIG_QCOM_SCM=y CONFIG_QCOM_SCM_64=y # CONFIG_QCOM_SCM_DOWNLOAD_MODE_DEFAULT is not set +CONFIG_TI_SCI_PROTOCOL=y # CONFIG_TURRIS_MOX_RWTM is not set CONFIG_HAVE_ARM_SMCCC=y CONFIG_ARM_PSCI_FW=y @@ -540,18 +579,25 @@ CONFIG_ARM_PSCI_FW=y # # EFI (Extensible Firmware Interface) Support # -# CONFIG_EFI_VARS is not set +CONFIG_EFI_VARS=y CONFIG_EFI_ESRT=y +CONFIG_EFI_VARS_PSTORE=m +# CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set +CONFIG_EFI_SOFT_RESERVE=y CONFIG_EFI_PARAMS_FROM_FDT=y CONFIG_EFI_RUNTIME_WRAPPERS=y CONFIG_EFI_ARMSTUB=y CONFIG_EFI_ARMSTUB_DTB_LOADER=y +# CONFIG_EFI_BOOTLOADER_CONTROL is not set # CONFIG_EFI_CAPSULE_LOADER is not set # CONFIG_EFI_TEST is not set CONFIG_RESET_ATTACK_MITIGATION=y # end of EFI (Extensible Firmware Interface) Support +CONFIG_UEFI_CPER=y +CONFIG_UEFI_CPER_ARM=y CONFIG_EFI_EARLYCON=y +CONFIG_EFI_CUSTOM_SSDT_OVERLAYS=y CONFIG_MESON_SM=y # 
@@ -577,10 +623,10 @@ CONFIG_ACPI_SPCR_TABLE=y CONFIG_ACPI_EC_DEBUGFS=m CONFIG_ACPI_AC=y CONFIG_ACPI_BATTERY=y -CONFIG_ACPI_BUTTON=m -CONFIG_ACPI_FAN=m -# CONFIG_ACPI_TAD is not set -# CONFIG_ACPI_DOCK is not set +CONFIG_ACPI_BUTTON=y +CONFIG_ACPI_FAN=y +CONFIG_ACPI_TAD=m +CONFIG_ACPI_DOCK=y CONFIG_ACPI_PROCESSOR_IDLE=y CONFIG_ACPI_MCFG=y CONFIG_ACPI_CPPC_LIB=y 
@@ -589,31 +635,74 @@ CONFIG_ACPI_IPMI=m CONFIG_ACPI_HOTPLUG_CPU=y CONFIG_ACPI_THERMAL=y CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y -# CONFIG_ACPI_TABLE_UPGRADE is not set +CONFIG_ACPI_TABLE_UPGRADE=y # CONFIG_ACPI_DEBUG is not set CONFIG_ACPI_PCI_SLOT=y CONFIG_ACPI_CONTAINER=y +CONFIG_ACPI_HOTPLUG_MEMORY=y CONFIG_ACPI_HED=y # CONFIG_ACPI_CUSTOM_METHOD is not set -# CONFIG_ACPI_BGRT is not set +CONFIG_ACPI_BGRT=y CONFIG_ACPI_REDUCED_HARDWARE_ONLY=y +CONFIG_ACPI_NFIT=m +# CONFIG_NFIT_SECURITY_DEBUG is not set CONFIG_ACPI_NUMA=y -# CONFIG_ACPI_HMAT is not set +CONFIG_ACPI_HMAT=y CONFIG_HAVE_ACPI_APEI=y -# CONFIG_ACPI_APEI is not set -CONFIG_PMIC_OPREGION=y -# CONFIG_ACPI_CONFIGFS is not set +CONFIG_ACPI_APEI=y +CONFIG_ACPI_APEI_GHES=y +CONFIG_ACPI_APEI_PCIEAER=y +CONFIG_ACPI_APEI_SEA=y +CONFIG_ACPI_APEI_MEMORY_FAILURE=y +CONFIG_ACPI_APEI_EINJ=m +# CONFIG_ACPI_APEI_ERST_DEBUG is not set +# CONFIG_PMIC_OPREGION is not set +CONFIG_ACPI_CONFIGFS=m CONFIG_ACPI_IORT=y CONFIG_ACPI_GTDT=y CONFIG_ACPI_PPTT=y -CONFIG_IRQ_BYPASS_MANAGER=m +CONFIG_HAVE_KVM_IRQCHIP=y +CONFIG_HAVE_KVM_IRQFD=y +CONFIG_HAVE_KVM_IRQ_ROUTING=y +CONFIG_HAVE_KVM_EVENTFD=y +CONFIG_KVM_MMIO=y +CONFIG_HAVE_KVM_MSI=y +CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT=y +CONFIG_KVM_VFIO=y +CONFIG_HAVE_KVM_ARCH_TLB_FLUSH_ALL=y +CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT=y +CONFIG_HAVE_KVM_IRQ_BYPASS=y +CONFIG_HAVE_KVM_VCPU_RUN_PID_CHANGE=y +CONFIG_IRQ_BYPASS_MANAGER=y CONFIG_VIRTUALIZATION=y -# CONFIG_KVM is not set +CONFIG_KVM=y +CONFIG_KVM_ARM_HOST=y +CONFIG_KVM_ARM_PMU=y +CONFIG_KVM_INDIRECT_VECTORS=y CONFIG_VHOST_NET=m CONFIG_VHOST_VSOCK=m CONFIG_VHOST=m # CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set -# CONFIG_ARM64_CRYPTO is not set +CONFIG_ARM64_CRYPTO=y +CONFIG_CRYPTO_SHA256_ARM64=m +CONFIG_CRYPTO_SHA512_ARM64=m +CONFIG_CRYPTO_SHA1_ARM64_CE=m +CONFIG_CRYPTO_SHA2_ARM64_CE=m +CONFIG_CRYPTO_SHA512_ARM64_CE=m +CONFIG_CRYPTO_SHA3_ARM64=m +CONFIG_CRYPTO_SM3_ARM64_CE=m +CONFIG_CRYPTO_SM4_ARM64_CE=m +CONFIG_CRYPTO_GHASH_ARM64_CE=m 
+CONFIG_CRYPTO_CRCT10DIF_ARM64_CE=m +CONFIG_CRYPTO_AES_ARM64=m +CONFIG_CRYPTO_AES_ARM64_CE=m +CONFIG_CRYPTO_AES_ARM64_CE_CCM=m +CONFIG_CRYPTO_AES_ARM64_CE_BLK=m +CONFIG_CRYPTO_AES_ARM64_NEON_BLK=m +CONFIG_CRYPTO_CHACHA20_NEON=m +# CONFIG_CRYPTO_POLY1305_NEON is not set +CONFIG_CRYPTO_NHPOLY1305_NEON=m +CONFIG_CRYPTO_AES_ARM64_BS=m # # General architecture-dependent options @@ -655,6 +744,7 @@ CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y CONFIG_HAVE_ALIGNED_STRUCT_PAGE=y CONFIG_HAVE_CMPXCHG_LOCAL=y CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y CONFIG_HAVE_ARCH_SECCOMP_FILTER=y CONFIG_SECCOMP_FILTER=y CONFIG_HAVE_ARCH_STACKLEAK=y @@ -672,10 +762,15 @@ CONFIG_MODULES_USE_ELF_RELA=y CONFIG_ARCH_HAS_ELF_RANDOMIZE=y CONFIG_HAVE_ARCH_MMAP_RND_BITS=y CONFIG_ARCH_MMAP_RND_BITS=32 +CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y +CONFIG_ARCH_MMAP_RND_COMPAT_BITS=11 CONFIG_ARCH_WANT_DEFAULT_TOPDOWN_MMAP_LAYOUT=y CONFIG_HAVE_COPY_THREAD_TLS=y CONFIG_CLONE_BACKWARDS=y +CONFIG_OLD_SIGSUSPEND3=y +CONFIG_COMPAT_OLD_SIGACTION=y CONFIG_64BIT_TIME=y +CONFIG_COMPAT_32BIT_TIME=y CONFIG_HAVE_ARCH_VMAP_STACK=y CONFIG_VMAP_STACK=y CONFIG_ARCH_HAS_STRICT_KERNEL_RWX=y 
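Review bot: `CONFIG_ACPI_APEI_EINJ=m` in the -589 hunk ships a hardware error-injection facility in the production kernel, and `CONFIG_HWPOISON_INJECT=m` in the later -881 hunk does the same for memory-failure injection. Both are test interfaces meant for RAS validation, and a privileged process that loads them can deliberately corrupt or offline memory on a running system. Unless the distribution's validation flow depends on them, I would set `# CONFIG_ACPI_APEI_EINJ is not set` and `# CONFIG_HWPOISON_INJECT is not set` here and enable them only in a debug config. The rest of the APEI enablement (`CONFIG_ACPI_APEI_GHES=y`, `CONFIG_ACPI_APEI_MEMORY_FAILURE=y`) is unaffected by that change.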
@@ -732,53 +827,61 @@ CONFIG_BLK_SCSI_REQUEST=y CONFIG_BLK_DEV_BSG=y CONFIG_BLK_DEV_BSGLIB=y CONFIG_BLK_DEV_INTEGRITY=y -# CONFIG_BLK_DEV_ZONED is not set +CONFIG_BLK_DEV_ZONED=y CONFIG_BLK_DEV_THROTTLING=y # CONFIG_BLK_DEV_THROTTLING_LOW is not set -# CONFIG_BLK_CMDLINE_PARSER is not set -# CONFIG_BLK_WBT is not set +CONFIG_BLK_CMDLINE_PARSER=y +CONFIG_BLK_WBT=y # CONFIG_BLK_CGROUP_IOLATENCY is not set # CONFIG_BLK_CGROUP_IOCOST is not set +CONFIG_BLK_WBT_MQ=y CONFIG_BLK_DEBUG_FS=y -# CONFIG_BLK_SED_OPAL is not set +CONFIG_BLK_DEBUG_FS_ZONED=y +CONFIG_BLK_SED_OPAL=y # # Partition Types # CONFIG_PARTITION_ADVANCED=y # CONFIG_ACORN_PARTITION is not set -# CONFIG_AIX_PARTITION is not set -# CONFIG_OSF_PARTITION is not set -# CONFIG_AMIGA_PARTITION is not set -# CONFIG_ATARI_PARTITION is not set -# CONFIG_MAC_PARTITION is not set +CONFIG_AIX_PARTITION=y +CONFIG_OSF_PARTITION=y +CONFIG_AMIGA_PARTITION=y +CONFIG_ATARI_PARTITION=y +CONFIG_MAC_PARTITION=y CONFIG_MSDOS_PARTITION=y CONFIG_BSD_DISKLABEL=y CONFIG_MINIX_SUBPARTITION=y CONFIG_SOLARIS_X86_PARTITION=y CONFIG_UNIXWARE_DISKLABEL=y -# CONFIG_LDM_PARTITION is not set -# CONFIG_SGI_PARTITION is not set -# CONFIG_ULTRIX_PARTITION is not set -# CONFIG_SUN_PARTITION is not set -# CONFIG_KARMA_PARTITION is not set +CONFIG_LDM_PARTITION=y +# CONFIG_LDM_DEBUG is not set +CONFIG_SGI_PARTITION=y +CONFIG_ULTRIX_PARTITION=y +CONFIG_SUN_PARTITION=y +CONFIG_KARMA_PARTITION=y CONFIG_EFI_PARTITION=y -# CONFIG_SYSV68_PARTITION is not set -# CONFIG_CMDLINE_PARTITION is not set +CONFIG_SYSV68_PARTITION=y +CONFIG_CMDLINE_PARTITION=y # end of Partition Types +CONFIG_BLOCK_COMPAT=y CONFIG_BLK_MQ_PCI=y CONFIG_BLK_MQ_VIRTIO=y +CONFIG_BLK_MQ_RDMA=y CONFIG_BLK_PM=y # # IO Schedulers # CONFIG_MQ_IOSCHED_DEADLINE=y -CONFIG_MQ_IOSCHED_KYBER=y -# CONFIG_IOSCHED_BFQ is not set +CONFIG_MQ_IOSCHED_KYBER=m +CONFIG_IOSCHED_BFQ=m +CONFIG_BFQ_GROUP_IOSCHED=y +# CONFIG_BFQ_CGROUP_DEBUG is not set # end of IO Schedulers +CONFIG_PREEMPT_NOTIFIERS=y 
CONFIG_ASN1=y CONFIG_ARCH_INLINE_SPIN_TRYLOCK=y CONFIG_ARCH_INLINE_SPIN_TRYLOCK_BH=y @@ -846,6 +949,7 @@ CONFIG_FREEZER=y # Executable file formats # CONFIG_BINFMT_ELF=y +CONFIG_COMPAT_BINFMT_ELF=y CONFIG_ELFCORE=y CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y CONFIG_BINFMT_SCRIPT=y @@ -868,7 +972,9 @@ CONFIG_HAVE_MEMBLOCK_NODE_MAP=y CONFIG_HAVE_FAST_GUP=y CONFIG_ARCH_KEEP_MEMBLOCK=y CONFIG_MEMORY_ISOLATION=y -# CONFIG_MEMORY_HOTPLUG is not set +CONFIG_MEMORY_HOTPLUG=y +CONFIG_MEMORY_HOTPLUG_SPARSE=y +CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y CONFIG_SPLIT_PTLOCK_CPUS=4 CONFIG_MEMORY_BALLOON=y CONFIG_BALLOON_COMPACTION=y @@ -881,7 +987,8 @@ CONFIG_MMU_NOTIFIER=y CONFIG_KSM=y CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 CONFIG_ARCH_SUPPORTS_MEMORY_FAILURE=y -# CONFIG_MEMORY_FAILURE is not set +CONFIG_MEMORY_FAILURE=y +CONFIG_HWPOISON_INJECT=m CONFIG_TRANSPARENT_HUGEPAGE=y CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y # CONFIG_TRANSPARENT_HUGEPAGE_MADVISE is not set @@ -895,7 +1002,7 @@ CONFIG_CMA_AREAS=7 CONFIG_ZSWAP=y CONFIG_ZPOOL=y CONFIG_ZBUD=y -CONFIG_Z3FOLD=y +CONFIG_Z3FOLD=m CONFIG_ZSMALLOC=y CONFIG_PGTABLE_MAPPING=y # CONFIG_ZSMALLOC_STAT is not set @@ -911,6 +1018,7 @@ CONFIG_ARCH_HAS_PTE_SPECIAL=y # end of Memory Management options CONFIG_NET=y +CONFIG_COMPAT_NETLINK_MESSAGES=y CONFIG_NET_INGRESS=y CONFIG_NET_EGRESS=y CONFIG_SKB_EXTENSIONS=y @@ -923,17 +1031,23 @@ CONFIG_PACKET_DIAG=m CONFIG_UNIX=y CONFIG_UNIX_SCM=y CONFIG_UNIX_DIAG=m -# CONFIG_TLS is not set +CONFIG_TLS=m +CONFIG_TLS_DEVICE=y CONFIG_XFRM=y +CONFIG_XFRM_OFFLOAD=y CONFIG_XFRM_ALGO=m CONFIG_XFRM_USER=m -# CONFIG_XFRM_INTERFACE is not set -CONFIG_XFRM_SUB_POLICY=y -CONFIG_XFRM_MIGRATE=y +CONFIG_XFRM_INTERFACE=m +# CONFIG_XFRM_SUB_POLICY is not set +# CONFIG_XFRM_MIGRATE is not set CONFIG_XFRM_STATISTICS=y CONFIG_XFRM_IPCOMP=m CONFIG_NET_KEY=m # CONFIG_NET_KEY_MIGRATE is not set +CONFIG_SMC=m +CONFIG_SMC_DIAG=m +CONFIG_XDP_SOCKETS=y +CONFIG_XDP_SOCKETS_DIAG=m CONFIG_INET=y CONFIG_IP_MULTICAST=y CONFIG_IP_ADVANCED_ROUTER=y 
@@ -956,32 +1070,32 @@ CONFIG_IP_PIMSM_V2=y CONFIG_SYN_COOKIES=y CONFIG_NET_IPVTI=m CONFIG_NET_UDP_TUNNEL=m -# CONFIG_NET_FOU is not set -# CONFIG_NET_FOU_IP_TUNNELS is not set +CONFIG_NET_FOU=m +CONFIG_NET_FOU_IP_TUNNELS=y CONFIG_INET_AH=m CONFIG_INET_ESP=m -# CONFIG_INET_ESP_OFFLOAD is not set +CONFIG_INET_ESP_OFFLOAD=m CONFIG_INET_IPCOMP=m CONFIG_INET_XFRM_TUNNEL=m CONFIG_INET_TUNNEL=m # CONFIG_INET_DIAG is not set CONFIG_TCP_CONG_ADVANCED=y -# CONFIG_TCP_CONG_BIC is not set +CONFIG_TCP_CONG_BIC=m CONFIG_TCP_CONG_CUBIC=y -# CONFIG_TCP_CONG_WESTWOOD is not set -# CONFIG_TCP_CONG_HTCP is not set -# CONFIG_TCP_CONG_HSTCP is not set -# CONFIG_TCP_CONG_HYBLA is not set -# CONFIG_TCP_CONG_VEGAS is not set -# CONFIG_TCP_CONG_NV is not set -# CONFIG_TCP_CONG_SCALABLE is not set -# CONFIG_TCP_CONG_LP is not set -# CONFIG_TCP_CONG_VENO is not set -# CONFIG_TCP_CONG_YEAH is not set -# CONFIG_TCP_CONG_ILLINOIS is not set -# CONFIG_TCP_CONG_DCTCP is not set -# CONFIG_TCP_CONG_CDG is not set -# CONFIG_TCP_CONG_BBR is not set +CONFIG_TCP_CONG_WESTWOOD=m +CONFIG_TCP_CONG_HTCP=m +CONFIG_TCP_CONG_HSTCP=m +CONFIG_TCP_CONG_HYBLA=m +CONFIG_TCP_CONG_VEGAS=m +CONFIG_TCP_CONG_NV=m +CONFIG_TCP_CONG_SCALABLE=m +CONFIG_TCP_CONG_LP=m +CONFIG_TCP_CONG_VENO=m +CONFIG_TCP_CONG_YEAH=m +CONFIG_TCP_CONG_ILLINOIS=m +CONFIG_TCP_CONG_DCTCP=m +CONFIG_TCP_CONG_CDG=m +CONFIG_TCP_CONG_BBR=m CONFIG_DEFAULT_CUBIC=y # CONFIG_DEFAULT_RENO is not set CONFIG_DEFAULT_TCP_CONG="cubic" @@ -992,10 +1106,10 @@ CONFIG_IPV6_ROUTE_INFO=y CONFIG_IPV6_OPTIMISTIC_DAD=y CONFIG_INET6_AH=m CONFIG_INET6_ESP=m -# CONFIG_INET6_ESP_OFFLOAD is not set +CONFIG_INET6_ESP_OFFLOAD=m CONFIG_INET6_IPCOMP=m CONFIG_IPV6_MIP6=m -# CONFIG_IPV6_ILA is not set +CONFIG_IPV6_ILA=m CONFIG_INET6_XFRM_TUNNEL=m CONFIG_INET6_TUNNEL=m CONFIG_IPV6_VTI=m 
@@ -1004,13 +1118,16 @@ CONFIG_IPV6_SIT_6RD=y CONFIG_IPV6_NDISC_NODETYPE=y CONFIG_IPV6_TUNNEL=m CONFIG_IPV6_GRE=m +CONFIG_IPV6_FOU=m +CONFIG_IPV6_FOU_TUNNEL=m CONFIG_IPV6_MULTIPLE_TABLES=y CONFIG_IPV6_SUBTREES=y CONFIG_IPV6_MROUTE=y CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y CONFIG_IPV6_PIMSM_V2=y -# CONFIG_IPV6_SEG6_LWTUNNEL is not set -# CONFIG_IPV6_SEG6_HMAC is not set +CONFIG_IPV6_SEG6_LWTUNNEL=y +CONFIG_IPV6_SEG6_HMAC=y +CONFIG_IPV6_SEG6_BPF=y CONFIG_NETLABEL=y CONFIG_NETWORK_SECMARK=y CONFIG_NET_PTP_CLASSIFY=y @@ -1032,7 +1149,7 @@ CONFIG_NETFILTER_NETLINK_LOG=m CONFIG_NETFILTER_NETLINK_OSF=m CONFIG_NF_CONNTRACK=m CONFIG_NF_LOG_COMMON=m -# CONFIG_NF_LOG_NETDEV is not set +CONFIG_NF_LOG_NETDEV=m CONFIG_NETFILTER_CONNCOUNT=m CONFIG_NF_CONNTRACK_MARK=y CONFIG_NF_CONNTRACK_SECMARK=y @@ -1059,7 +1176,8 @@ CONFIG_NF_CONNTRACK_SIP=m CONFIG_NF_CONNTRACK_TFTP=m CONFIG_NF_CT_NETLINK=m CONFIG_NF_CT_NETLINK_TIMEOUT=m -# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set +CONFIG_NF_CT_NETLINK_HELPER=m +CONFIG_NETFILTER_NETLINK_GLUE_CT=y CONFIG_NF_NAT=m CONFIG_NF_NAT_AMANDA=m CONFIG_NF_NAT_FTP=m 
@@ -1070,31 +1188,41 @@ CONFIG_NF_NAT_REDIRECT=y CONFIG_NF_NAT_MASQUERADE=y CONFIG_NETFILTER_SYNPROXY=m CONFIG_NF_TABLES=m -# CONFIG_NF_TABLES_SET is not set -# CONFIG_NF_TABLES_INET is not set -# CONFIG_NF_TABLES_NETDEV is not set +CONFIG_NF_TABLES_SET=m +CONFIG_NF_TABLES_INET=y +CONFIG_NF_TABLES_NETDEV=y CONFIG_NFT_NUMGEN=m CONFIG_NFT_CT=m +CONFIG_NFT_FLOW_OFFLOAD=m CONFIG_NFT_COUNTER=m -# CONFIG_NFT_CONNLIMIT is not set +CONFIG_NFT_CONNLIMIT=m CONFIG_NFT_LOG=m CONFIG_NFT_LIMIT=m CONFIG_NFT_MASQ=m CONFIG_NFT_REDIR=m +CONFIG_NFT_NAT=m CONFIG_NFT_TUNNEL=m -# CONFIG_NFT_OBJREF is not set +CONFIG_NFT_OBJREF=m CONFIG_NFT_QUEUE=m CONFIG_NFT_QUOTA=m CONFIG_NFT_REJECT=m +CONFIG_NFT_REJECT_INET=m CONFIG_NFT_COMPAT=m CONFIG_NFT_HASH=m -# CONFIG_NFT_XFRM is not set -# CONFIG_NFT_SOCKET is not set -# CONFIG_NFT_OSF is not set -# CONFIG_NFT_TPROXY is not set -# CONFIG_NFT_SYNPROXY is not set -# CONFIG_NF_FLOW_TABLE is not set -CONFIG_NETFILTER_XTABLES=y +CONFIG_NFT_FIB=m +CONFIG_NFT_FIB_INET=m +CONFIG_NFT_XFRM=m +CONFIG_NFT_SOCKET=m +CONFIG_NFT_OSF=m +CONFIG_NFT_TPROXY=m +CONFIG_NFT_SYNPROXY=m +CONFIG_NF_DUP_NETDEV=m +CONFIG_NFT_DUP_NETDEV=m +CONFIG_NFT_FWD_NETDEV=m +CONFIG_NFT_FIB_NETDEV=m +CONFIG_NF_FLOW_TABLE_INET=m +CONFIG_NF_FLOW_TABLE=m +CONFIG_NETFILTER_XTABLES=m # # Xtables combined modules @@ -1106,7 +1234,7 @@ CONFIG_NETFILTER_XT_SET=m # # Xtables targets # -# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set +CONFIG_NETFILTER_XT_TARGET_AUDIT=m CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m CONFIG_NETFILTER_XT_TARGET_CONNMARK=m @@ -1116,7 +1244,7 @@ CONFIG_NETFILTER_XT_TARGET_DSCP=m CONFIG_NETFILTER_XT_TARGET_HL=m CONFIG_NETFILTER_XT_TARGET_HMARK=m CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m -# CONFIG_NETFILTER_XT_TARGET_LED is not set +CONFIG_NETFILTER_XT_TARGET_LED=m CONFIG_NETFILTER_XT_TARGET_LOG=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_NAT=m 
@@ -1129,7 +1257,7 @@ CONFIG_NETFILTER_XT_TARGET_REDIRECT=m CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m CONFIG_NETFILTER_XT_TARGET_TEE=m CONFIG_NETFILTER_XT_TARGET_TPROXY=m -# CONFIG_NETFILTER_XT_TARGET_TRACE is not set +CONFIG_NETFILTER_XT_TARGET_TRACE=m CONFIG_NETFILTER_XT_TARGET_SECMARK=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m @@ -1156,10 +1284,10 @@ CONFIG_NETFILTER_XT_MATCH_ESP=m CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m CONFIG_NETFILTER_XT_MATCH_HELPER=m CONFIG_NETFILTER_XT_MATCH_HL=m -# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set +CONFIG_NETFILTER_XT_MATCH_IPCOMP=m CONFIG_NETFILTER_XT_MATCH_IPRANGE=m CONFIG_NETFILTER_XT_MATCH_IPVS=m -# CONFIG_NETFILTER_XT_MATCH_L2TP is not set +CONFIG_NETFILTER_XT_MATCH_L2TP=m CONFIG_NETFILTER_XT_MATCH_LENGTH=m CONFIG_NETFILTER_XT_MATCH_LIMIT=m CONFIG_NETFILTER_XT_MATCH_MAC=m @@ -1195,7 +1323,7 @@ CONFIG_IP_SET_HASH_IPMARK=m CONFIG_IP_SET_HASH_IPPORT=m CONFIG_IP_SET_HASH_IPPORTIP=m CONFIG_IP_SET_HASH_IPPORTNET=m -# CONFIG_IP_SET_HASH_IPMAC is not set +CONFIG_IP_SET_HASH_IPMAC=m CONFIG_IP_SET_HASH_MAC=m CONFIG_IP_SET_HASH_NETPORTNET=m CONFIG_IP_SET_HASH_NET=m @@ -1225,13 +1353,13 @@ CONFIG_IP_VS_RR=m CONFIG_IP_VS_WRR=m CONFIG_IP_VS_LC=m CONFIG_IP_VS_WLC=m -# CONFIG_IP_VS_FO is not set -# CONFIG_IP_VS_OVF is not set +CONFIG_IP_VS_FO=m +CONFIG_IP_VS_OVF=m CONFIG_IP_VS_LBLC=m CONFIG_IP_VS_LBLCR=m CONFIG_IP_VS_DH=m CONFIG_IP_VS_SH=m -# CONFIG_IP_VS_MH is not set +CONFIG_IP_VS_MH=m CONFIG_IP_VS_SED=m CONFIG_IP_VS_NQ=m @@ -1258,10 +1386,14 @@ CONFIG_IP_VS_PE_SIP=m CONFIG_NF_DEFRAG_IPV4=m CONFIG_NF_SOCKET_IPV4=m CONFIG_NF_TPROXY_IPV4=m -# CONFIG_NF_TABLES_IPV4 is not set -# CONFIG_NF_TABLES_ARP is not set +CONFIG_NF_TABLES_IPV4=y +CONFIG_NFT_REJECT_IPV4=m +CONFIG_NFT_DUP_IPV4=m +CONFIG_NFT_FIB_IPV4=m +CONFIG_NF_TABLES_ARP=y +CONFIG_NF_FLOW_TABLE_IPV4=m CONFIG_NF_DUP_IPV4=m -# CONFIG_NF_LOG_ARP is not set +CONFIG_NF_LOG_ARP=m CONFIG_NF_LOG_IPV4=m CONFIG_NF_REJECT_IPV4=m CONFIG_NF_NAT_SNMP_BASIC=m 
@@ -1295,7 +1427,11 @@ CONFIG_IP_NF_ARP_MANGLE=m # CONFIG_NF_SOCKET_IPV6=m CONFIG_NF_TPROXY_IPV6=m -# CONFIG_NF_TABLES_IPV6 is not set +CONFIG_NF_TABLES_IPV6=y +CONFIG_NFT_REJECT_IPV6=m +CONFIG_NFT_DUP_IPV6=m +CONFIG_NFT_FIB_IPV6=m +CONFIG_NF_FLOW_TABLE_IPV6=m CONFIG_NF_DUP_IPV6=m CONFIG_NF_REJECT_IPV6=m CONFIG_NF_LOG_IPV6=m @@ -1309,7 +1445,7 @@ CONFIG_IP6_NF_MATCH_IPV6HEADER=m CONFIG_IP6_NF_MATCH_MH=m CONFIG_IP6_NF_MATCH_RPFILTER=m CONFIG_IP6_NF_MATCH_RT=m -# CONFIG_IP6_NF_MATCH_SRH is not set +CONFIG_IP6_NF_MATCH_SRH=m CONFIG_IP6_NF_TARGET_HL=m CONFIG_IP6_NF_FILTER=m CONFIG_IP6_NF_TARGET_REJECT=m @@ -1323,8 +1459,18 @@ CONFIG_IP6_NF_TARGET_NPT=m # end of IPv6: Netfilter Configuration CONFIG_NF_DEFRAG_IPV6=m -# CONFIG_NF_TABLES_BRIDGE is not set -# CONFIG_NF_CONNTRACK_BRIDGE is not set + +# +# DECnet: Netfilter Configuration +# +CONFIG_DECNET_NF_GRABULATOR=m +# end of DECnet: Netfilter Configuration + +CONFIG_NF_TABLES_BRIDGE=m +CONFIG_NFT_BRIDGE_META=m +CONFIG_NFT_BRIDGE_REJECT=m +CONFIG_NF_LOG_BRIDGE=m +CONFIG_NF_CONNTRACK_BRIDGE=m CONFIG_BRIDGE_NF_EBTABLES=m CONFIG_BRIDGE_EBT_BROUTE=m CONFIG_BRIDGE_EBT_T_FILTER=m 
@@ -1350,15 +1496,31 @@ CONFIG_BRIDGE_EBT_NFLOG=m # CONFIG_IP_DCCP is not set CONFIG_IP_SCTP=m # CONFIG_SCTP_DBG_OBJCNT is not set -CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5=y -# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1 is not set +# CONFIG_SCTP_DEFAULT_COOKIE_HMAC_MD5 is not set +CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1=y # CONFIG_SCTP_DEFAULT_COOKIE_HMAC_NONE is not set CONFIG_SCTP_COOKIE_HMAC_MD5=y CONFIG_SCTP_COOKIE_HMAC_SHA1=y -# CONFIG_RDS is not set -# CONFIG_TIPC is not set -# CONFIG_ATM is not set -# CONFIG_L2TP is not set +CONFIG_RDS=m +CONFIG_RDS_RDMA=m +CONFIG_RDS_TCP=m +# CONFIG_RDS_DEBUG is not set +CONFIG_TIPC=m +CONFIG_TIPC_MEDIA_IB=y +CONFIG_TIPC_MEDIA_UDP=y +CONFIG_TIPC_DIAG=m +CONFIG_ATM=m +CONFIG_ATM_CLIP=m +# CONFIG_ATM_CLIP_NO_ICMP is not set +CONFIG_ATM_LANE=m +CONFIG_ATM_MPOA=m +CONFIG_ATM_BR2684=m +# CONFIG_ATM_BR2684_IPFILTER is not set +CONFIG_L2TP=m +CONFIG_L2TP_DEBUGFS=m +CONFIG_L2TP_V3=y +CONFIG_L2TP_IP=m +CONFIG_L2TP_ETH=m CONFIG_STP=m CONFIG_GARP=m CONFIG_MRP=m 
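Review bot: The -1350 hunk turns on `CONFIG_RDS=m`, `CONFIG_TIPC=m`, `CONFIG_ATM=m` and `CONFIG_L2TP=m` without naming a consumer. The same pattern repeats in the -1366 hunk (DECnet, AppleTalk, X.25, LAPB, Phonet, IEEE 802.15.4) and in the -1494 hunk (AX.25/NET/ROM/ROSE, CAN, Bluetooth, AF_RXRPC, AF_KCM); the -1494 hunk may continue past this view. Building a socket family as a module does not keep it out of reach, because such modules are normally loaded on demand when a process opens a socket of that family, so each one adds rarely exercised parsing code to the kernel's attack surface. I would keep families with no known user disabled, for example `# CONFIG_RDS is not set`, or ship a modprobe.d policy that blocks autoloading of the ones kept for compatibility. The switch of the SCTP cookie default to `CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1=y` in the same hunk is fine as is.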
@@ -1366,19 +1528,54 @@ CONFIG_BRIDGE=m CONFIG_BRIDGE_IGMP_SNOOPING=y CONFIG_BRIDGE_VLAN_FILTERING=y CONFIG_HAVE_NET_DSA=y -# CONFIG_NET_DSA is not set +CONFIG_NET_DSA=m +CONFIG_NET_DSA_TAG_8021Q=m +CONFIG_NET_DSA_TAG_BRCM_COMMON=m +CONFIG_NET_DSA_TAG_BRCM=m +CONFIG_NET_DSA_TAG_BRCM_PREPEND=m +CONFIG_NET_DSA_TAG_GSWIP=m +CONFIG_NET_DSA_TAG_DSA=m +CONFIG_NET_DSA_TAG_EDSA=m +CONFIG_NET_DSA_TAG_MTK=m +CONFIG_NET_DSA_TAG_KSZ=m +CONFIG_NET_DSA_TAG_QCA=m +CONFIG_NET_DSA_TAG_LAN9303=m +CONFIG_NET_DSA_TAG_SJA1105=m +CONFIG_NET_DSA_TAG_TRAILER=m CONFIG_VLAN_8021Q=m CONFIG_VLAN_8021Q_GVRP=y CONFIG_VLAN_8021Q_MVRP=y -# CONFIG_DECNET is not set +CONFIG_DECNET=m +# CONFIG_DECNET_ROUTER is not set CONFIG_LLC=m -# CONFIG_LLC2 is not set -# CONFIG_ATALK is not set -# CONFIG_X25 is not set -# CONFIG_LAPB is not set -# CONFIG_PHONET is not set -# CONFIG_6LOWPAN is not set -# CONFIG_IEEE802154 is not set +CONFIG_LLC2=m +CONFIG_ATALK=m +CONFIG_DEV_APPLETALK=m +# CONFIG_IPDDP is not set +CONFIG_X25=m +CONFIG_LAPB=m +CONFIG_PHONET=m +CONFIG_6LOWPAN=m +# CONFIG_6LOWPAN_DEBUGFS is not set +CONFIG_6LOWPAN_NHC=m +CONFIG_6LOWPAN_NHC_DEST=m +CONFIG_6LOWPAN_NHC_FRAGMENT=m +CONFIG_6LOWPAN_NHC_HOP=m +CONFIG_6LOWPAN_NHC_IPV6=m +CONFIG_6LOWPAN_NHC_MOBILITY=m +CONFIG_6LOWPAN_NHC_ROUTING=m +CONFIG_6LOWPAN_NHC_UDP=m +# CONFIG_6LOWPAN_GHC_EXT_HDR_HOP is not set +# CONFIG_6LOWPAN_GHC_UDP is not set +# CONFIG_6LOWPAN_GHC_ICMPV6 is not set +# CONFIG_6LOWPAN_GHC_EXT_HDR_DEST is not set +# CONFIG_6LOWPAN_GHC_EXT_HDR_FRAG is not set +# CONFIG_6LOWPAN_GHC_EXT_HDR_ROUTE is not set +CONFIG_IEEE802154=m +# CONFIG_IEEE802154_NL802154_EXPERIMENTAL is not set +CONFIG_IEEE802154_SOCKET=m +CONFIG_IEEE802154_6LOWPAN=m +CONFIG_MAC802154=m CONFIG_NET_SCHED=y # @@ -1387,6 +1584,7 @@ CONFIG_NET_SCHED=y CONFIG_NET_SCH_CBQ=m CONFIG_NET_SCH_HTB=m CONFIG_NET_SCH_HFSC=m +CONFIG_NET_SCH_ATM=m CONFIG_NET_SCH_PRIO=m CONFIG_NET_SCH_MULTIQ=m CONFIG_NET_SCH_RED=m 
@@ -1394,23 +1592,23 @@ CONFIG_NET_SCH_SFB=m CONFIG_NET_SCH_SFQ=m CONFIG_NET_SCH_TEQL=m CONFIG_NET_SCH_TBF=m -# CONFIG_NET_SCH_CBS is not set +CONFIG_NET_SCH_CBS=m CONFIG_NET_SCH_ETF=m -# CONFIG_NET_SCH_TAPRIO is not set +CONFIG_NET_SCH_TAPRIO=m CONFIG_NET_SCH_GRED=m CONFIG_NET_SCH_DSMARK=m CONFIG_NET_SCH_NETEM=m CONFIG_NET_SCH_DRR=m CONFIG_NET_SCH_MQPRIO=m -# CONFIG_NET_SCH_SKBPRIO is not set +CONFIG_NET_SCH_SKBPRIO=m CONFIG_NET_SCH_CHOKE=m CONFIG_NET_SCH_QFQ=m CONFIG_NET_SCH_CODEL=m CONFIG_NET_SCH_FQ_CODEL=m -# CONFIG_NET_SCH_CAKE is not set +CONFIG_NET_SCH_CAKE=m CONFIG_NET_SCH_FQ=m -# CONFIG_NET_SCH_HHF is not set -# CONFIG_NET_SCH_PIE is not set +CONFIG_NET_SCH_HHF=m +CONFIG_NET_SCH_PIE=m CONFIG_NET_SCH_INGRESS=m CONFIG_NET_SCH_PLUG=m # CONFIG_NET_SCH_DEFAULT is not set @@ -1431,7 +1629,7 @@ CONFIG_NET_CLS_RSVP6=m CONFIG_NET_CLS_FLOW=m CONFIG_NET_CLS_CGROUP=m CONFIG_NET_CLS_BPF=m -# CONFIG_NET_CLS_FLOWER is not set +CONFIG_NET_CLS_FLOWER=m CONFIG_NET_CLS_MATCHALL=m CONFIG_NET_EMATCH=y CONFIG_NET_EMATCH_STACK=32 
@@ -1440,34 +1638,44 @@ CONFIG_NET_EMATCH_NBYTE=m CONFIG_NET_EMATCH_U32=m CONFIG_NET_EMATCH_META=m CONFIG_NET_EMATCH_TEXT=m +CONFIG_NET_EMATCH_CANID=m CONFIG_NET_EMATCH_IPSET=m -# CONFIG_NET_EMATCH_IPT is not set +CONFIG_NET_EMATCH_IPT=m CONFIG_NET_CLS_ACT=y CONFIG_NET_ACT_POLICE=m CONFIG_NET_ACT_GACT=m CONFIG_GACT_PROB=y CONFIG_NET_ACT_MIRRED=m -# CONFIG_NET_ACT_SAMPLE is not set +CONFIG_NET_ACT_SAMPLE=m CONFIG_NET_ACT_IPT=m CONFIG_NET_ACT_NAT=m CONFIG_NET_ACT_PEDIT=m -# CONFIG_NET_ACT_SIMP is not set +CONFIG_NET_ACT_SIMP=m CONFIG_NET_ACT_SKBEDIT=m CONFIG_NET_ACT_CSUM=m -# CONFIG_NET_ACT_MPLS is not set -# CONFIG_NET_ACT_VLAN is not set -# CONFIG_NET_ACT_BPF is not set -# CONFIG_NET_ACT_CONNMARK is not set -# CONFIG_NET_ACT_CTINFO is not set -# CONFIG_NET_ACT_SKBMOD is not set +CONFIG_NET_ACT_MPLS=m +CONFIG_NET_ACT_VLAN=m +CONFIG_NET_ACT_BPF=m +CONFIG_NET_ACT_CONNMARK=m +CONFIG_NET_ACT_CTINFO=m +CONFIG_NET_ACT_SKBMOD=m # CONFIG_NET_ACT_IFE is not set CONFIG_NET_ACT_TUNNEL_KEY=m -# CONFIG_NET_ACT_CT is not set +CONFIG_NET_ACT_CT=m # CONFIG_NET_TC_SKB_EXT is not set CONFIG_NET_SCH_FIFO=y CONFIG_DCB=y -CONFIG_DNS_RESOLVER=m -# CONFIG_BATMAN_ADV is not set +CONFIG_DNS_RESOLVER=y +CONFIG_BATMAN_ADV=m +# CONFIG_BATMAN_ADV_BATMAN_V is not set +CONFIG_BATMAN_ADV_BLA=y +CONFIG_BATMAN_ADV_DAT=y +CONFIG_BATMAN_ADV_NC=y +CONFIG_BATMAN_ADV_MCAST=y +# CONFIG_BATMAN_ADV_DEBUGFS is not set +# CONFIG_BATMAN_ADV_DEBUG is not set +CONFIG_BATMAN_ADV_SYSFS=y +# CONFIG_BATMAN_ADV_TRACING is not set CONFIG_OPENVSWITCH=m CONFIG_OPENVSWITCH_GRE=m CONFIG_OPENVSWITCH_VXLAN=m 
@@ -1476,16 +1684,20 @@ CONFIG_VSOCKETS=m CONFIG_VSOCKETS_DIAG=m CONFIG_VIRTIO_VSOCKETS=m CONFIG_VIRTIO_VSOCKETS_COMMON=m +CONFIG_HYPERV_VSOCKETS=m CONFIG_NETLINK_DIAG=m CONFIG_MPLS=y CONFIG_NET_MPLS_GSO=m -# CONFIG_MPLS_ROUTING is not set +CONFIG_MPLS_ROUTING=m +CONFIG_MPLS_IPTUNNEL=m CONFIG_NET_NSH=m -# CONFIG_HSR is not set +CONFIG_HSR=m CONFIG_NET_SWITCHDEV=y CONFIG_NET_L3_MASTER_DEV=y -# CONFIG_QRTR is not set -# CONFIG_NET_NCSI is not set +CONFIG_QRTR=m +CONFIG_QRTR_TUN=m +CONFIG_NET_NCSI=y +CONFIG_NCSI_OEM_CMD_GET_MAC=y CONFIG_RPS=y CONFIG_RFS_ACCEL=y CONFIG_XPS=y 
@@ -1494,25 +1706,172 @@ CONFIG_CGROUP_NET_CLASSID=y CONFIG_NET_RX_BUSY_POLL=y CONFIG_BQL=y CONFIG_BPF_JIT=y +CONFIG_BPF_STREAM_PARSER=y CONFIG_NET_FLOW_LIMIT=y # # Network testing # -# CONFIG_NET_PKTGEN is not set +CONFIG_NET_PKTGEN=m CONFIG_NET_DROP_MONITOR=y # end of Network testing # end of Networking options -# CONFIG_HAMRADIO is not set -# CONFIG_CAN is not set -# CONFIG_BT is not set -# CONFIG_AF_RXRPC is not set -# CONFIG_AF_KCM is not set +CONFIG_HAMRADIO=y + +# +# Packet Radio protocols +# +CONFIG_AX25=m +CONFIG_AX25_DAMA_SLAVE=y +CONFIG_NETROM=m +CONFIG_ROSE=m + +# +# AX.25 network device drivers +# +CONFIG_MKISS=m +CONFIG_6PACK=m +CONFIG_BPQETHER=m +CONFIG_BAYCOM_SER_FDX=m +CONFIG_BAYCOM_SER_HDX=m +CONFIG_YAM=m +# end of AX.25 network device drivers + +CONFIG_CAN=m +CONFIG_CAN_RAW=m +CONFIG_CAN_BCM=m +CONFIG_CAN_GW=m +# CONFIG_CAN_J1939 is not set + +# +# CAN Device Drivers +# +CONFIG_CAN_VCAN=m +CONFIG_CAN_VXCAN=m +CONFIG_CAN_SLCAN=m +CONFIG_CAN_DEV=m +CONFIG_CAN_CALC_BITTIMING=y +CONFIG_CAN_FLEXCAN=m +CONFIG_CAN_GRCAN=m +# CONFIG_CAN_KVASER_PCIEFD is not set +CONFIG_CAN_XILINXCAN=m +CONFIG_CAN_C_CAN=m +CONFIG_CAN_C_CAN_PLATFORM=m +CONFIG_CAN_C_CAN_PCI=m +CONFIG_CAN_CC770=m +CONFIG_CAN_CC770_ISA=m +CONFIG_CAN_CC770_PLATFORM=m +CONFIG_CAN_IFI_CANFD=m +CONFIG_CAN_M_CAN=m +# CONFIG_CAN_M_CAN_PLATFORM is not set +# CONFIG_CAN_M_CAN_TCAN4X5X is not set +CONFIG_CAN_PEAK_PCIEFD=m +CONFIG_CAN_RCAR=m +CONFIG_CAN_RCAR_CANFD=m +CONFIG_CAN_SJA1000=m +CONFIG_CAN_EMS_PCI=m +# CONFIG_CAN_F81601 is not set +CONFIG_CAN_KVASER_PCI=m +CONFIG_CAN_PEAK_PCI=m +CONFIG_CAN_PEAK_PCIEC=y +CONFIG_CAN_PLX_PCI=m +CONFIG_CAN_SJA1000_ISA=m +CONFIG_CAN_SJA1000_PLATFORM=m +CONFIG_CAN_SOFTING=m + +# +# CAN SPI interfaces +# +CONFIG_CAN_HI311X=m +CONFIG_CAN_MCP251X=m +# end of CAN SPI interfaces + +# +# CAN USB interfaces +# +CONFIG_CAN_8DEV_USB=m +CONFIG_CAN_EMS_USB=m +CONFIG_CAN_ESD_USB2=m +CONFIG_CAN_GS_USB=m +CONFIG_CAN_KVASER_USB=m +CONFIG_CAN_MCBA_USB=m +CONFIG_CAN_PEAK_USB=m 
+CONFIG_CAN_UCAN=m +# end of CAN USB interfaces + +# CONFIG_CAN_DEBUG_DEVICES is not set +# end of CAN Device Drivers + +CONFIG_BT=m +CONFIG_BT_BREDR=y +CONFIG_BT_RFCOMM=m +CONFIG_BT_RFCOMM_TTY=y +CONFIG_BT_BNEP=m +CONFIG_BT_BNEP_MC_FILTER=y +CONFIG_BT_BNEP_PROTO_FILTER=y +CONFIG_BT_CMTP=m +CONFIG_BT_HIDP=m +CONFIG_BT_HS=y +CONFIG_BT_LE=y +CONFIG_BT_6LOWPAN=m +CONFIG_BT_LEDS=y +# CONFIG_BT_SELFTEST is not set +CONFIG_BT_DEBUGFS=y + +# +# Bluetooth device drivers +# +CONFIG_BT_INTEL=m +CONFIG_BT_BCM=m +CONFIG_BT_RTL=m +CONFIG_BT_QCA=m +CONFIG_BT_HCIBTUSB=m +CONFIG_BT_HCIBTUSB_AUTOSUSPEND=y +CONFIG_BT_HCIBTUSB_BCM=y +CONFIG_BT_HCIBTUSB_MTK=y +CONFIG_BT_HCIBTUSB_RTL=y +CONFIG_BT_HCIBTSDIO=m +CONFIG_BT_HCIUART=m +CONFIG_BT_HCIUART_SERDEV=y +CONFIG_BT_HCIUART_H4=y +CONFIG_BT_HCIUART_NOKIA=m +CONFIG_BT_HCIUART_BCSP=y +CONFIG_BT_HCIUART_ATH3K=y +CONFIG_BT_HCIUART_LL=y +CONFIG_BT_HCIUART_3WIRE=y +CONFIG_BT_HCIUART_INTEL=y +CONFIG_BT_HCIUART_BCM=y +CONFIG_BT_HCIUART_RTL=y +CONFIG_BT_HCIUART_QCA=y +CONFIG_BT_HCIUART_AG6XX=y +CONFIG_BT_HCIUART_MRVL=y +CONFIG_BT_HCIBCM203X=m +CONFIG_BT_HCIBPA10X=m +CONFIG_BT_HCIBFUSB=m +CONFIG_BT_HCIVHCI=m +CONFIG_BT_MRVL=m +CONFIG_BT_MRVL_SDIO=m +CONFIG_BT_ATH3K=m +CONFIG_BT_MTKSDIO=m +CONFIG_BT_MTKUART=m +CONFIG_BT_HCIRSI=m +# end of Bluetooth device drivers + +CONFIG_AF_RXRPC=m +CONFIG_AF_RXRPC_IPV6=y +# CONFIG_AF_RXRPC_INJECT_LOSS is not set +# CONFIG_AF_RXRPC_DEBUG is not set +CONFIG_RXKAD=y +CONFIG_AF_KCM=m +CONFIG_STREAM_PARSER=y CONFIG_FIB_RULES=y CONFIG_WIRELESS=y +CONFIG_WIRELESS_EXT=y CONFIG_WEXT_CORE=y CONFIG_WEXT_PROC=y +CONFIG_WEXT_SPY=y +CONFIG_WEXT_PRIV=y CONFIG_CFG80211=m # CONFIG_NL80211_TESTMODE is not set # CONFIG_CFG80211_DEVELOPER_WARNINGS is not set 
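Review bot: The added `CONFIG_HAMRADIO=y` block (`CONFIG_AX25=m`, `CONFIG_NETROM=m`, `CONFIG_ROSE=m`), together with `CONFIG_CAN=m`, `CONFIG_BT=m`, `CONFIG_AF_RXRPC=m` and `CONFIG_AF_KCM=m`, ships socket families that the kernel loads on demand when a process opens a socket of that family, so building them as modules does not keep their parsing code out of reach on systems that never use them. Unless a supported scenario needs packet radio, I would keep `# CONFIG_HAMRADIO is not set`, and do the same for any other family with no consumer; alternatively ship a modprobe.d entry such as `install ax25 /bin/false` for each of them in the base image. `CONFIG_NET_PKTGEN=m` in the same hunk is a traffic-generation test tool and probably belongs in a debug config rather than the default one. Whether the image already restricts module autoloading is not visible from this hunk.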
@@ -1520,37 +1879,55 @@ CONFIG_CFG80211=m CONFIG_CFG80211_REQUIRE_SIGNED_REGDB=y CONFIG_CFG80211_USE_KERNEL_REGDB_KEYS=y CONFIG_CFG80211_DEFAULT_PS=y -# CONFIG_CFG80211_DEBUGFS is not set +CONFIG_CFG80211_DEBUGFS=y CONFIG_CFG80211_CRDA_SUPPORT=y CONFIG_CFG80211_WEXT=y +CONFIG_CFG80211_WEXT_EXPORT=y +CONFIG_LIB80211=m +CONFIG_LIB80211_CRYPT_WEP=m +CONFIG_LIB80211_CRYPT_CCMP=m +CONFIG_LIB80211_CRYPT_TKIP=m +# CONFIG_LIB80211_DEBUG is not set CONFIG_MAC80211=m CONFIG_MAC80211_HAS_RC=y CONFIG_MAC80211_RC_MINSTREL=y CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y CONFIG_MAC80211_RC_DEFAULT="minstrel_ht" -# CONFIG_MAC80211_MESH is not set +CONFIG_MAC80211_MESH=y CONFIG_MAC80211_LEDS=y -# CONFIG_MAC80211_DEBUGFS is not set -# CONFIG_MAC80211_MESSAGE_TRACING is not set +CONFIG_MAC80211_DEBUGFS=y +CONFIG_MAC80211_MESSAGE_TRACING=y # CONFIG_MAC80211_DEBUG_MENU is not set CONFIG_MAC80211_STA_HASH_MAX_SIZE=0 -# CONFIG_WIMAX is not set -# CONFIG_RFKILL is not set +CONFIG_WIMAX=m +CONFIG_WIMAX_DEBUG_LEVEL=8 +CONFIG_RFKILL=y +CONFIG_RFKILL_LEDS=y +CONFIG_RFKILL_INPUT=y +CONFIG_RFKILL_GPIO=m CONFIG_NET_9P=m CONFIG_NET_9P_VIRTIO=m -# CONFIG_NET_9P_XEN is not set +CONFIG_NET_9P_XEN=m +CONFIG_NET_9P_RDMA=m # CONFIG_NET_9P_DEBUG is not set -# CONFIG_CAIF is not set +CONFIG_CAIF=m +# CONFIG_CAIF_DEBUG is not set +CONFIG_CAIF_NETDEV=m +CONFIG_CAIF_USB=m CONFIG_CEPH_LIB=m # CONFIG_CEPH_LIB_PRETTYDEBUG is not set -# CONFIG_CEPH_LIB_USE_DNS_RESOLVER is not set +CONFIG_CEPH_LIB_USE_DNS_RESOLVER=y # CONFIG_NFC is not set -# CONFIG_PSAMPLE is not set -# CONFIG_NET_IFE is not set -# CONFIG_LWTUNNEL is not set +CONFIG_PSAMPLE=m +CONFIG_NET_IFE=m +CONFIG_LWTUNNEL=y +CONFIG_LWTUNNEL_BPF=y CONFIG_DST_CACHE=y CONFIG_GRO_CELLS=y +CONFIG_SOCK_VALIDATE_XMIT=y +CONFIG_NET_SOCK_MSG=y CONFIG_NET_DEVLINK=y +CONFIG_PAGE_POOL=y CONFIG_FAILOVER=y CONFIG_HAVE_EBPF_JIT=y 
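Review bot: `CONFIG_CFG80211_DEBUGFS=y`, `CONFIG_MAC80211_DEBUGFS=y` and `CONFIG_MAC80211_MESSAGE_TRACING=y` switch on wireless debug and tracing interfaces in the default config, while the neighbouring debug switches (`# CONFIG_MAC80211_DEBUG_MENU is not set`, `# CONFIG_NET_9P_DEBUG is not set`, `# CONFIG_CAIF_DEBUG is not set`) stay off. debugfs files are a development interface with no hardening or stability guarantees, so I would leave `# CONFIG_CFG80211_DEBUGFS is not set` and `# CONFIG_MAC80211_DEBUGFS is not set` unless a shipped tool is known to depend on them. `CONFIG_BT_DEBUGFS=y` in the preceding hunk follows the same pattern.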
@@ -1576,18 +1953,19 @@ CONFIG_PCIEASPM_DEFAULT=y # CONFIG_PCIEASPM_POWER_SUPERSAVE is not set # CONFIG_PCIEASPM_PERFORMANCE is not set CONFIG_PCIE_PME=y -# CONFIG_PCIE_DPC is not set -# CONFIG_PCIE_PTM is not set +CONFIG_PCIE_DPC=y +CONFIG_PCIE_PTM=y # CONFIG_PCIE_BW is not set CONFIG_PCI_MSI=y CONFIG_PCI_MSI_IRQ_DOMAIN=y CONFIG_PCI_QUIRKS=y # CONFIG_PCI_DEBUG is not set -# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set -# CONFIG_PCI_STUB is not set -# CONFIG_PCI_PF_STUB is not set +CONFIG_PCI_REALLOC_ENABLE_AUTO=y +CONFIG_PCI_STUB=m +CONFIG_PCI_PF_STUB=m CONFIG_PCI_ATS=y CONFIG_PCI_ECAM=y +CONFIG_PCI_BRIDGE_EMUL=y CONFIG_PCI_IOV=y CONFIG_PCI_PRI=y CONFIG_PCI_PASID=y 
@@ -1595,51 +1973,65 @@ CONFIG_PCI_LABEL=y CONFIG_HOTPLUG_PCI=y CONFIG_HOTPLUG_PCI_ACPI=y CONFIG_HOTPLUG_PCI_ACPI_IBM=m -# CONFIG_HOTPLUG_PCI_CPCI is not set -# CONFIG_HOTPLUG_PCI_SHPC is not set +CONFIG_HOTPLUG_PCI_CPCI=y +CONFIG_HOTPLUG_PCI_SHPC=y # # PCI controller drivers # -# CONFIG_PCI_AARDVARK is not set +CONFIG_PCI_AARDVARK=y # # Cadence PCIe controllers support # -# CONFIG_PCIE_CADENCE_HOST is not set +CONFIG_PCIE_CADENCE=y +CONFIG_PCIE_CADENCE_HOST=y +CONFIG_PCIE_CADENCE_EP=y # end of Cadence PCIe controllers support -# CONFIG_PCIE_XILINX_NWL is not set -# CONFIG_PCI_FTPCI100 is not set +CONFIG_PCIE_XILINX_NWL=y +CONFIG_PCI_FTPCI100=y # CONFIG_PCI_TEGRA is not set +CONFIG_PCIE_RCAR=y CONFIG_PCI_HOST_COMMON=y CONFIG_PCI_HOST_GENERIC=y -# CONFIG_PCIE_XILINX is not set +CONFIG_PCIE_XILINX=y CONFIG_PCI_XGENE=y CONFIG_PCI_XGENE_MSI=y CONFIG_PCIE_IPROC=y CONFIG_PCIE_IPROC_PLATFORM=y CONFIG_PCIE_IPROC_MSI=y -# CONFIG_PCIE_ALTERA is not set +CONFIG_PCIE_ALTERA=y +CONFIG_PCIE_ALTERA_MSI=y CONFIG_PCI_HOST_THUNDER_PEM=y CONFIG_PCI_HOST_THUNDER_ECAM=y -# CONFIG_PCIE_ROCKCHIP_HOST is not set -# CONFIG_PCIE_MEDIATEK is not set -# CONFIG_PCIE_MOBIVEIL is not set +CONFIG_PCIE_ROCKCHIP=y +CONFIG_PCIE_ROCKCHIP_HOST=m +CONFIG_PCIE_ROCKCHIP_EP=y +CONFIG_PCIE_MEDIATEK=y +CONFIG_PCIE_MOBIVEIL=y # # DesignWare PCI Core Support # CONFIG_PCIE_DW=y CONFIG_PCIE_DW_HOST=y -# CONFIG_PCIE_DW_PLAT_HOST is not set +CONFIG_PCIE_DW_EP=y +CONFIG_PCIE_DW_PLAT=y +CONFIG_PCIE_DW_PLAT_HOST=y +CONFIG_PCIE_DW_PLAT_EP=y +CONFIG_PCI_IMX6=y +CONFIG_PCI_KEYSTONE=y +CONFIG_PCI_KEYSTONE_HOST=y +CONFIG_PCI_KEYSTONE_EP=y CONFIG_PCI_LAYERSCAPE=y +# CONFIG_PCI_LAYERSCAPE_EP is not set CONFIG_PCI_HISI=y CONFIG_PCIE_QCOM=y CONFIG_PCIE_ARMADA_8K=y -# CONFIG_PCIE_KIRIN is not set -# CONFIG_PCIE_HISI_STB is not set -# CONFIG_PCI_MESON is not set +CONFIG_PCIE_KIRIN=y +CONFIG_PCIE_HISI_STB=y +CONFIG_PCI_MESON=y # CONFIG_PCIE_AL is not set # end of DesignWare PCI Core Support # end of PCI controller drivers 
@@ -1647,17 +2039,49 @@ CONFIG_PCIE_ARMADA_8K=y # # PCI Endpoint # -# CONFIG_PCI_ENDPOINT is not set +CONFIG_PCI_ENDPOINT=y +CONFIG_PCI_ENDPOINT_CONFIGFS=y +# CONFIG_PCI_EPF_TEST is not set # end of PCI Endpoint # # PCI switch controller drivers # -# CONFIG_PCI_SW_SWITCHTEC is not set +CONFIG_PCI_SW_SWITCHTEC=m # end of PCI switch controller drivers -# CONFIG_PCCARD is not set -# CONFIG_RAPIDIO is not set +CONFIG_PCCARD=m +# CONFIG_PCMCIA is not set +CONFIG_CARDBUS=y + +# +# PC-card bridges +# +CONFIG_YENTA=m +CONFIG_YENTA_O2=y +CONFIG_YENTA_RICOH=y +CONFIG_YENTA_TI=y +CONFIG_YENTA_ENE_TUNE=y +CONFIG_YENTA_TOSHIBA=y +CONFIG_RAPIDIO=y +CONFIG_RAPIDIO_TSI721=m +CONFIG_RAPIDIO_DISC_TIMEOUT=30 +# CONFIG_RAPIDIO_ENABLE_RX_TX_PORTS is not set +CONFIG_RAPIDIO_DMA_ENGINE=y +# CONFIG_RAPIDIO_DEBUG is not set +CONFIG_RAPIDIO_ENUM_BASIC=m +CONFIG_RAPIDIO_CHMAN=m +CONFIG_RAPIDIO_MPORT_CDEV=m + +# +# RapidIO Switch drivers +# +CONFIG_RAPIDIO_TSI57X=m +CONFIG_RAPIDIO_CPS_XX=m +CONFIG_RAPIDIO_TSI568=m +CONFIG_RAPIDIO_CPS_GEN2=m +CONFIG_RAPIDIO_RXS_GEN3=m +# end of RapidIO Switch drivers # # Generic Driver Options @@ -1673,9 +2097,11 @@ CONFIG_PREVENT_FIRMWARE_BUILD=y # Firmware loader # CONFIG_FW_LOADER=y +CONFIG_FW_LOADER_PAGED_BUF=y CONFIG_EXTRA_FIRMWARE="" -# CONFIG_FW_LOADER_USER_HELPER is not set -# CONFIG_FW_LOADER_COMPRESS is not set +CONFIG_FW_LOADER_USER_HELPER=y +# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set +CONFIG_FW_LOADER_COMPRESS=y # end of Firmware loader CONFIG_WANT_DEV_COREDUMP=y @@ -1684,6 +2110,7 @@ CONFIG_DEV_COREDUMP=y # CONFIG_DEBUG_DRIVER is not set # CONFIG_DEBUG_DEVRES is not set # CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set +CONFIG_HMEM_REPORTING=y # CONFIG_TEST_ASYNC_DRIVER_PROBE is not set CONFIG_SYS_HYPERVISOR=y CONFIG_GENERIC_CPU_AUTOPROBE=y 
@@ -1691,7 +2118,9 @@ CONFIG_GENERIC_CPU_VULNERABILITIES=y CONFIG_SOC_BUS=y CONFIG_REGMAP=y CONFIG_REGMAP_I2C=m -CONFIG_REGMAP_SPI=m +CONFIG_REGMAP_SPI=y +CONFIG_REGMAP_SPMI=m +CONFIG_REGMAP_W1=m CONFIG_REGMAP_MMIO=y CONFIG_DMA_SHARED_BUFFER=y # CONFIG_DMA_FENCE_TRACE is not set @@ -1705,10 +2134,11 @@ CONFIG_ARM_CCI=y CONFIG_ARM_CCI400_COMMON=y CONFIG_BRCMSTB_GISB_ARB=y # CONFIG_MOXTET is not set -# CONFIG_HISILICON_LPC is not set +CONFIG_HISILICON_LPC=y +CONFIG_IMX_WEIM=y CONFIG_QCOM_EBI2=y -# CONFIG_SIMPLE_PM_BUS is not set -# CONFIG_SUN50I_DE2_BUS is not set +CONFIG_SIMPLE_PM_BUS=y +CONFIG_SUN50I_DE2_BUS=y CONFIG_SUNXI_RSB=m # CONFIG_TEGRA_ACONNECT is not set # CONFIG_TEGRA_GMI is not set 
@@ -1716,9 +2146,171 @@ CONFIG_VEXPRESS_CONFIG=y CONFIG_FSL_MC_BUS=y # end of Bus devices -CONFIG_CONNECTOR=m -# CONFIG_GNSS is not set -# CONFIG_MTD is not set +CONFIG_CONNECTOR=y +CONFIG_PROC_EVENTS=y +CONFIG_GNSS=m +CONFIG_GNSS_SERIAL=m +CONFIG_GNSS_MTK_SERIAL=m +CONFIG_GNSS_SIRF_SERIAL=m +CONFIG_GNSS_UBX_SERIAL=m +CONFIG_MTD=m +# CONFIG_MTD_TESTS is not set + +# +# Partition parsers +# +CONFIG_MTD_AR7_PARTS=m +CONFIG_MTD_CMDLINE_PARTS=m +CONFIG_MTD_OF_PARTS=m +CONFIG_MTD_AFS_PARTS=m +CONFIG_MTD_REDBOOT_PARTS=m +CONFIG_MTD_REDBOOT_DIRECTORY_BLOCK=-1 +# CONFIG_MTD_REDBOOT_PARTS_UNALLOCATED is not set +# CONFIG_MTD_REDBOOT_PARTS_READONLY is not set +# end of Partition parsers + +# +# User Modules And Translation Layers +# +CONFIG_MTD_BLKDEVS=m +CONFIG_MTD_BLOCK=m +CONFIG_MTD_BLOCK_RO=m +CONFIG_FTL=m +CONFIG_NFTL=m +CONFIG_NFTL_RW=y +CONFIG_INFTL=m +CONFIG_RFD_FTL=m +CONFIG_SSFDC=m +CONFIG_SM_FTL=m +CONFIG_MTD_OOPS=m +CONFIG_MTD_SWAP=m +# CONFIG_MTD_PARTITIONED_MASTER is not set + +# +# RAM/ROM/Flash chip drivers +# +CONFIG_MTD_CFI=m +CONFIG_MTD_JEDECPROBE=m +CONFIG_MTD_GEN_PROBE=m +# CONFIG_MTD_CFI_ADV_OPTIONS is not set +CONFIG_MTD_MAP_BANK_WIDTH_1=y +CONFIG_MTD_MAP_BANK_WIDTH_2=y +CONFIG_MTD_MAP_BANK_WIDTH_4=y +CONFIG_MTD_CFI_I1=y +CONFIG_MTD_CFI_I2=y +CONFIG_MTD_CFI_INTELEXT=m +CONFIG_MTD_CFI_AMDSTD=m +CONFIG_MTD_CFI_STAA=m +CONFIG_MTD_CFI_UTIL=m +CONFIG_MTD_RAM=m +CONFIG_MTD_ROM=m +CONFIG_MTD_ABSENT=m +# end of RAM/ROM/Flash chip drivers + +# +# Mapping drivers for chip access +# +CONFIG_MTD_COMPLEX_MAPPINGS=y +CONFIG_MTD_PHYSMAP=m +# CONFIG_MTD_PHYSMAP_COMPAT is not set +CONFIG_MTD_PHYSMAP_OF=y +CONFIG_MTD_PHYSMAP_VERSATILE=y +CONFIG_MTD_PHYSMAP_GEMINI=y +CONFIG_MTD_PHYSMAP_GPIO_ADDR=y +CONFIG_MTD_PCI=m +CONFIG_MTD_INTEL_VR_NOR=m +CONFIG_MTD_PLATRAM=m +# end of Mapping drivers for chip access + +# +# Self-contained MTD device drivers +# +CONFIG_MTD_PMC551=m +# CONFIG_MTD_PMC551_BUGFIX is not set +# CONFIG_MTD_PMC551_DEBUG is not set +CONFIG_MTD_DATAFLASH=m +# 
CONFIG_MTD_DATAFLASH_WRITE_VERIFY is not set +CONFIG_MTD_DATAFLASH_OTP=y +CONFIG_MTD_MCHP23K256=m +CONFIG_MTD_SST25L=m +CONFIG_MTD_SLRAM=m +CONFIG_MTD_PHRAM=m +CONFIG_MTD_MTDRAM=m +CONFIG_MTDRAM_TOTAL_SIZE=4096 +CONFIG_MTDRAM_ERASE_SIZE=128 +CONFIG_MTD_BLOCK2MTD=m + +# +# Disk-On-Chip Device Drivers +# +# CONFIG_MTD_DOCG3 is not set +# end of Self-contained MTD device drivers + +CONFIG_MTD_NAND_CORE=m +CONFIG_MTD_ONENAND=m +CONFIG_MTD_ONENAND_VERIFY_WRITE=y +CONFIG_MTD_ONENAND_GENERIC=m +# CONFIG_MTD_ONENAND_OTP is not set +CONFIG_MTD_ONENAND_2X_PROGRAM=y +CONFIG_MTD_NAND_ECC_SW_HAMMING=m +# CONFIG_MTD_NAND_ECC_SW_HAMMING_SMC is not set +CONFIG_MTD_RAW_NAND=m +CONFIG_MTD_NAND_ECC_SW_BCH=y + +# +# Raw/parallel NAND flash controllers +# +CONFIG_MTD_NAND_DENALI=m +CONFIG_MTD_NAND_DENALI_PCI=m +CONFIG_MTD_NAND_DENALI_DT=m +CONFIG_MTD_NAND_CAFE=m +CONFIG_MTD_NAND_MARVELL=m +CONFIG_MTD_NAND_BRCMNAND=m +CONFIG_MTD_NAND_GPMI_NAND=m +CONFIG_MTD_NAND_FSL_IFC=m +CONFIG_MTD_NAND_MXC=m +# CONFIG_MTD_NAND_SUNXI is not set +CONFIG_MTD_NAND_HISI504=m +CONFIG_MTD_NAND_QCOM=m +CONFIG_MTD_NAND_MTK=m +# CONFIG_MTD_NAND_MXIC is not set +# CONFIG_MTD_NAND_TEGRA is not set +CONFIG_MTD_NAND_MESON=m +CONFIG_MTD_NAND_GPIO=m +CONFIG_MTD_NAND_PLATFORM=m + +# +# Misc +# +CONFIG_MTD_SM_COMMON=m +CONFIG_MTD_NAND_NANDSIM=m +CONFIG_MTD_NAND_RICOH=m +CONFIG_MTD_NAND_DISKONCHIP=m +# CONFIG_MTD_NAND_DISKONCHIP_PROBE_ADVANCED is not set +CONFIG_MTD_NAND_DISKONCHIP_PROBE_ADDRESS=0 +# CONFIG_MTD_NAND_DISKONCHIP_BBTWRITE is not set +CONFIG_MTD_SPI_NAND=m + +# +# LPDDR & LPDDR2 PCM memory drivers +# +CONFIG_MTD_LPDDR=m +CONFIG_MTD_QINFO_PROBE=m +# end of LPDDR & LPDDR2 PCM memory drivers + +CONFIG_MTD_SPI_NOR=m +CONFIG_MTD_SPI_NOR_USE_4K_SECTORS=y +CONFIG_SPI_CADENCE_QUADSPI=m +CONFIG_SPI_HISI_SFC=m +CONFIG_SPI_MTK_QUADSPI=m +CONFIG_MTD_UBI=m +CONFIG_MTD_UBI_WL_THRESHOLD=4096 +CONFIG_MTD_UBI_BEB_LIMIT=20 +CONFIG_MTD_UBI_FASTMAP=y +CONFIG_MTD_UBI_GLUEBI=m +CONFIG_MTD_UBI_BLOCK=y +CONFIG_MTD_HYPERBUS=m 
+CONFIG_HBMC_AM654=m CONFIG_DTC=y CONFIG_OF=y # CONFIG_OF_UNITTEST is not set @@ -1744,24 +2336,29 @@ CONFIG_PNP=y # CONFIG_PNPACPI=y CONFIG_BLK_DEV=y -# CONFIG_BLK_DEV_NULL_BLK is not set +CONFIG_BLK_DEV_NULL_BLK=m CONFIG_CDROM=y -# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set -# CONFIG_ZRAM is not set -# CONFIG_BLK_DEV_UMEM is not set +CONFIG_BLK_DEV_PCIESSD_MTIP32XX=m +CONFIG_ZRAM=m +CONFIG_ZRAM_WRITEBACK=y +CONFIG_ZRAM_MEMORY_TRACKING=y +CONFIG_BLK_DEV_UMEM=m CONFIG_BLK_DEV_LOOP=y CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 -# CONFIG_BLK_DEV_CRYPTOLOOP is not set -# CONFIG_BLK_DEV_DRBD is not set -# CONFIG_BLK_DEV_NBD is not set -# CONFIG_BLK_DEV_SKD is not set -# CONFIG_BLK_DEV_SX8 is not set -CONFIG_BLK_DEV_RAM=y +CONFIG_BLK_DEV_CRYPTOLOOP=m +CONFIG_BLK_DEV_DRBD=m +# CONFIG_DRBD_FAULT_INJECTION is not set +CONFIG_BLK_DEV_NBD=m +CONFIG_BLK_DEV_SKD=m +CONFIG_BLK_DEV_SX8=m +CONFIG_BLK_DEV_RAM=m CONFIG_BLK_DEV_RAM_COUNT=16 CONFIG_BLK_DEV_RAM_SIZE=4096 -# CONFIG_CDROM_PKTCDVD is not set -# CONFIG_ATA_OVER_ETH is not set -CONFIG_XEN_BLKDEV_FRONTEND=m +CONFIG_CDROM_PKTCDVD=m +CONFIG_CDROM_PKTCDVD_BUFFERS=8 +# CONFIG_CDROM_PKTCDVD_WCACHE is not set +CONFIG_ATA_OVER_ETH=m +CONFIG_XEN_BLKDEV_FRONTEND=y CONFIG_XEN_BLKDEV_BACKEND=m CONFIG_VIRTIO_BLK=m # CONFIG_VIRTIO_BLK_SCSI is not set @@ -1775,10 +2372,12 @@ CONFIG_NVME_CORE=y CONFIG_BLK_DEV_NVME=y # CONFIG_NVME_MULTIPATH is not set CONFIG_NVME_FABRICS=m +# CONFIG_NVME_RDMA is not set # CONFIG_NVME_FC is not set # CONFIG_NVME_TCP is not set CONFIG_NVME_TARGET=m CONFIG_NVME_TARGET_LOOP=m +# CONFIG_NVME_TARGET_RDMA is not set # CONFIG_NVME_TARGET_FC is not set # CONFIG_NVME_TARGET_TCP is not set # end of NVME Support @@ -1789,7 +2388,8 @@ CONFIG_NVME_TARGET_LOOP=m # CONFIG_AD525X_DPOT is not set # CONFIG_DUMMY_IRQ is not set # CONFIG_PHANTOM is not set -# CONFIG_TIFM_CORE is not set +CONFIG_TIFM_CORE=m +CONFIG_TIFM_7XX1=m # CONFIG_ICS932S401 is not set # CONFIG_ENCLOSURE_SERVICES is not set # CONFIG_HP_ILO is not set 
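Review bot: In the block-device hunk (`@@ -1744,24 +2336,29 @@`), `CONFIG_BLK_DEV_CRYPTOLOOP=m` enables the legacy cryptoloop transform, whose own Kconfig help warns that it is not safe for journaled filesystems and points to the device-mapper crypto target instead. I would keep `# CONFIG_BLK_DEV_CRYPTOLOOP is not set` so that nobody builds encrypted volumes on it. The same hunk changes `CONFIG_BLK_DEV_RAM=y` to `CONFIG_BLK_DEV_RAM=m`; that is fine with an initramfs, but a legacy ramdisk initrd needs the driver built in, so it is worth confirming the boot flow of the images built from this config.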
@@ -1822,7 +2422,9 @@ CONFIG_EEPROM_93CX6=m # CONFIG_EEPROM_EE1004 is not set # end of EEPROM support -# CONFIG_CB710_CORE is not set +CONFIG_CB710_CORE=m +# CONFIG_CB710_DEBUG is not set +CONFIG_CB710_DEBUG_ASSUMPTIONS=y # # Texas Instruments shared transport line discipline @@ -1869,6 +2471,7 @@ CONFIG_EEPROM_93CX6=m # # VOP Driver # +CONFIG_VHOST_RING=m # end of Intel MIC & related support # CONFIG_GENWQE is not set @@ -1895,7 +2498,6 @@ CONFIG_SCSI_PROC_FS=y CONFIG_BLK_DEV_SD=y # CONFIG_CHR_DEV_ST is not set CONFIG_BLK_DEV_SR=y -# CONFIG_BLK_DEV_SR_VENDOR is not set CONFIG_CHR_DEV_SG=y # CONFIG_CHR_DEV_SCH is not set # CONFIG_SCSI_CONSTANTS is not set @@ -1906,7 +2508,7 @@ CONFIG_SCSI_SCAN_ASYNC=y # SCSI Transports # CONFIG_SCSI_SPI_ATTRS=y -CONFIG_SCSI_FC_ATTRS=m +CONFIG_SCSI_FC_ATTRS=y CONFIG_SCSI_ISCSI_ATTRS=y CONFIG_SCSI_SAS_ATTRS=y CONFIG_SCSI_SAS_LIBSAS=m @@ -1976,6 +2578,7 @@ CONFIG_SCSI_HPTIOP=m # CONFIG_SCSI_MYRB is not set # CONFIG_SCSI_MYRS is not set CONFIG_XEN_SCSI_FRONTEND=m +CONFIG_HYPERV_STORAGE=y CONFIG_LIBFC=m CONFIG_LIBFCOE=m CONFIG_FCOE=m @@ -1998,6 +2601,8 @@ CONFIG_SCSI_IPR_DUMP=y CONFIG_SCSI_QLOGIC_1280=m CONFIG_SCSI_QLA_FC=m CONFIG_SCSI_QLA_ISCSI=m +# CONFIG_QEDI is not set +# CONFIG_QEDF is not set CONFIG_SCSI_LPFC=m CONFIG_SCSI_LPFC_DEBUG_FS=y CONFIG_SCSI_DC395x=m @@ -2030,6 +2635,7 @@ CONFIG_SATA_AHCI=y CONFIG_SATA_MOBILE_LPM_POLICY=0 CONFIG_SATA_AHCI_PLATFORM=m CONFIG_AHCI_BRCM=m +# CONFIG_AHCI_IMX is not set # CONFIG_AHCI_CEVA is not set # CONFIG_AHCI_MTK is not set CONFIG_AHCI_MVEBU=m @@ -2058,6 +2664,7 @@ CONFIG_ATA_PIIX=y CONFIG_SATA_MV=y CONFIG_SATA_NV=y CONFIG_SATA_PROMISE=y +# CONFIG_SATA_RCAR is not set CONFIG_SATA_SIL=y CONFIG_SATA_SIS=y CONFIG_SATA_SVW=y @@ -2081,6 +2688,7 @@ CONFIG_PATA_HPT37X=y CONFIG_PATA_HPT3X2N=y CONFIG_PATA_HPT3X3=y CONFIG_PATA_HPT3X3_DMA=y +# CONFIG_PATA_IMX is not set CONFIG_PATA_IT8213=y CONFIG_PATA_IT821X=y CONFIG_PATA_JMICRON=y 
@@ -2162,6 +2770,7 @@ CONFIG_DM_VERITY=m # CONFIG_DM_SWITCH is not set # CONFIG_DM_LOG_WRITES is not set # CONFIG_DM_INTEGRITY is not set +# CONFIG_DM_ZONED is not set # CONFIG_TARGET_CORE is not set CONFIG_FUSION=y CONFIG_FUSION_SPI=y @@ -2179,10 +2788,11 @@ CONFIG_FUSION_LOGGING=y # end of IEEE 1394 (FireWire) support CONFIG_NETDEVICES=y -CONFIG_MII=m +CONFIG_MII=y CONFIG_NET_CORE=y CONFIG_BONDING=m CONFIG_DUMMY=m +# CONFIG_WIREGUARD is not set # CONFIG_EQUALIZER is not set # CONFIG_NET_FC is not set # CONFIG_IFB is not set @@ -2200,6 +2810,7 @@ CONFIG_NETCONSOLE=m CONFIG_NETCONSOLE_DYNAMIC=y CONFIG_NETPOLL=y CONFIG_NET_POLL_CONTROLLER=y +# CONFIG_RIONET is not set CONFIG_TUN=m CONFIG_TAP=m # CONFIG_TUN_VNET_CROSS_LE is not set 
@@ -2208,52 +2819,109 @@ CONFIG_VIRTIO_NET=y # CONFIG_NLMON is not set # CONFIG_NET_VRF is not set # CONFIG_VSOCKMON is not set +CONFIG_SUNGEM_PHY=m # CONFIG_ARCNET is not set +CONFIG_ATM_DRIVERS=y +# CONFIG_ATM_DUMMY is not set +# CONFIG_ATM_TCP is not set +# CONFIG_ATM_LANAI is not set +# CONFIG_ATM_ENI is not set +# CONFIG_ATM_NICSTAR is not set +# CONFIG_ATM_IDT77252 is not set +# CONFIG_ATM_IA is not set +# CONFIG_ATM_FORE200E is not set +# CONFIG_ATM_HE is not set +# CONFIG_ATM_SOLOS is not set # # CAIF transport drivers # +CONFIG_CAIF_TTY=m +CONFIG_CAIF_SPI_SLAVE=m +# CONFIG_CAIF_SPI_SYNC is not set +CONFIG_CAIF_HSI=m +CONFIG_CAIF_VIRTIO=m # # Distributed Switch Architecture drivers # +CONFIG_B53=m +CONFIG_B53_SPI_DRIVER=m +CONFIG_B53_MDIO_DRIVER=m +CONFIG_B53_MMAP_DRIVER=m +CONFIG_B53_SRAB_DRIVER=m +CONFIG_B53_SERDES=m +CONFIG_NET_DSA_BCM_SF2=m +# CONFIG_NET_DSA_LOOP is not set +CONFIG_NET_DSA_LANTIQ_GSWIP=m +CONFIG_NET_DSA_MT7530=m +CONFIG_NET_DSA_MV88E6060=m +CONFIG_NET_DSA_MICROCHIP_KSZ_COMMON=m +CONFIG_NET_DSA_MICROCHIP_KSZ9477=m +# CONFIG_NET_DSA_MICROCHIP_KSZ9477_I2C is not set +CONFIG_NET_DSA_MICROCHIP_KSZ9477_SPI=m +# CONFIG_NET_DSA_MICROCHIP_KSZ8795 is not set +CONFIG_NET_DSA_MV88E6XXX=m +CONFIG_NET_DSA_MV88E6XXX_GLOBAL2=y +CONFIG_NET_DSA_MV88E6XXX_PTP=y +CONFIG_NET_DSA_SJA1105=m +CONFIG_NET_DSA_SJA1105_PTP=y +# CONFIG_NET_DSA_SJA1105_TAS is not set +CONFIG_NET_DSA_QCA8K=m +CONFIG_NET_DSA_REALTEK_SMI=m +CONFIG_NET_DSA_SMSC_LAN9303=m +CONFIG_NET_DSA_SMSC_LAN9303_I2C=m +CONFIG_NET_DSA_SMSC_LAN9303_MDIO=m +CONFIG_NET_DSA_VITESSE_VSC73XX=m +CONFIG_NET_DSA_VITESSE_VSC73XX_SPI=m +CONFIG_NET_DSA_VITESSE_VSC73XX_PLATFORM=m # end of Distributed Switch Architecture drivers CONFIG_ETHERNET=y CONFIG_MDIO=m -# CONFIG_NET_VENDOR_3COM is not set -# CONFIG_NET_VENDOR_ADAPTEC is not set +CONFIG_NET_VENDOR_3COM=y +CONFIG_VORTEX=m +CONFIG_TYPHOON=m +CONFIG_NET_VENDOR_ADAPTEC=y +CONFIG_ADAPTEC_STARFIRE=m CONFIG_NET_VENDOR_AGERE=y -# CONFIG_ET131X is not set -# 
CONFIG_NET_VENDOR_ALACRITECH is not set +CONFIG_ET131X=m +CONFIG_NET_VENDOR_ALACRITECH=y +CONFIG_SLICOSS=m CONFIG_NET_VENDOR_ALLWINNER=y # CONFIG_SUN4I_EMAC is not set CONFIG_NET_VENDOR_ALTEON=y CONFIG_ACENIC=m # CONFIG_ACENIC_OMIT_TIGON_I is not set -# CONFIG_ALTERA_TSE is not set -# CONFIG_NET_VENDOR_AMAZON is not set +CONFIG_ALTERA_TSE=m +CONFIG_NET_VENDOR_AMAZON=y +CONFIG_ENA_ETHERNET=m CONFIG_NET_VENDOR_AMD=y CONFIG_AMD8111_ETH=m CONFIG_PCNET32=m -# CONFIG_AMD_XGBE is not set -# CONFIG_NET_XGENE is not set -# CONFIG_NET_XGENE_V2 is not set -# CONFIG_NET_VENDOR_AQUANTIA is not set -# CONFIG_NET_VENDOR_ARC is not set +CONFIG_AMD_XGBE=m +CONFIG_AMD_XGBE_DCB=y +CONFIG_NET_XGENE=m +CONFIG_NET_XGENE_V2=m +CONFIG_NET_VENDOR_AQUANTIA=y +CONFIG_AQTION=m +CONFIG_NET_VENDOR_ARC=y +CONFIG_ARC_EMAC_CORE=m +CONFIG_EMAC_ROCKCHIP=m CONFIG_NET_VENDOR_ATHEROS=y CONFIG_ATL2=m CONFIG_ATL1=m CONFIG_ATL1E=m CONFIG_ATL1C=m CONFIG_ALX=m -# CONFIG_NET_VENDOR_AURORA is not set +CONFIG_NET_VENDOR_AURORA=y +CONFIG_AURORA_NB8800=m CONFIG_NET_VENDOR_BROADCOM=y CONFIG_B44=m CONFIG_B44_PCI_AUTOSELECT=y CONFIG_B44_PCICORE_AUTOSELECT=y CONFIG_B44_PCI=y -# CONFIG_BCMGENET is not set +CONFIG_BCMGENET=m CONFIG_BNX2=m CONFIG_CNIC=m CONFIG_TIGON3=m 
@@ -2262,36 +2930,44 @@ CONFIG_BNX2X=m CONFIG_BNX2X_SRIOV=y CONFIG_BGMAC=y CONFIG_BGMAC_PLATFORM=y -# CONFIG_SYSTEMPORT is not set -# CONFIG_BNXT is not set +CONFIG_SYSTEMPORT=m +CONFIG_BNXT=m +CONFIG_BNXT_SRIOV=y +CONFIG_BNXT_FLOWER_OFFLOAD=y +CONFIG_BNXT_DCB=y +CONFIG_BNXT_HWMON=y CONFIG_NET_VENDOR_BROCADE=y CONFIG_BNA=m CONFIG_NET_VENDOR_CADENCE=y -# CONFIG_MACB is not set +CONFIG_MACB=m +CONFIG_MACB_USE_HWSTAMP=y +CONFIG_MACB_PCI=m CONFIG_NET_VENDOR_CAVIUM=y -# CONFIG_THUNDER_NIC_PF is not set -# CONFIG_THUNDER_NIC_VF is not set -# CONFIG_THUNDER_NIC_BGX is not set -# CONFIG_THUNDER_NIC_RGX is not set -CONFIG_CAVIUM_PTP=y -# CONFIG_LIQUIDIO is not set -# CONFIG_LIQUIDIO_VF is not set +CONFIG_THUNDER_NIC_PF=m +CONFIG_THUNDER_NIC_VF=m +CONFIG_THUNDER_NIC_BGX=m +CONFIG_THUNDER_NIC_RGX=m +CONFIG_CAVIUM_PTP=m +CONFIG_LIQUIDIO=m +CONFIG_LIQUIDIO_VF=m CONFIG_NET_VENDOR_CHELSIO=y CONFIG_CHELSIO_T1=m CONFIG_CHELSIO_T1_1G=y CONFIG_CHELSIO_T3=m CONFIG_CHELSIO_T4=m -# CONFIG_CHELSIO_T4_DCB is not set +CONFIG_CHELSIO_T4_DCB=y +CONFIG_CHELSIO_T4_FCOE=y CONFIG_CHELSIO_T4VF=m CONFIG_CHELSIO_LIB=m CONFIG_NET_VENDOR_CISCO=y CONFIG_ENIC=m CONFIG_NET_VENDOR_CORTINA=y -# CONFIG_GEMINI_ETHERNET is not set -# CONFIG_DNET is not set +CONFIG_GEMINI_ETHERNET=m +CONFIG_DNET=m CONFIG_NET_VENDOR_DEC=y CONFIG_NET_TULIP=y -# CONFIG_DE2104X is not set +CONFIG_DE2104X=m +CONFIG_DE2104X_DSL=0 CONFIG_TULIP=m # CONFIG_TULIP_MWI is not set CONFIG_TULIP_MMIO=y @@ -2300,6 +2976,7 @@ CONFIG_TULIP_NAPI=y # CONFIG_WINBOND_840 is not set # CONFIG_DM9102 is not set # CONFIG_ULI526X is not set +# CONFIG_PCMCIA_XIRCOM is not set CONFIG_NET_VENDOR_DLINK=y CONFIG_DL2K=m CONFIG_SUNDANCE=m 
@@ -2307,17 +2984,14 @@ CONFIG_SUNDANCE=m CONFIG_NET_VENDOR_EMULEX=y CONFIG_BE2NET=m CONFIG_BE2NET_HWMON=y -# CONFIG_BE2NET_BE2 is not set -# CONFIG_BE2NET_BE3 is not set -# CONFIG_BE2NET_LANCER is not set -# CONFIG_BE2NET_SKYHAWK is not set - -# -# WARNING: be2net is useless without any enabled chip -# +CONFIG_BE2NET_BE2=y +CONFIG_BE2NET_BE3=y +CONFIG_BE2NET_LANCER=y +CONFIG_BE2NET_SKYHAWK=y CONFIG_NET_VENDOR_EZCHIP=y -# CONFIG_EZCHIP_NPS_MANAGEMENT_ENET is not set +CONFIG_EZCHIP_NPS_MANAGEMENT_ENET=m CONFIG_NET_VENDOR_FREESCALE=y +# CONFIG_FEC is not set CONFIG_FSL_FMAN=m CONFIG_DPAA_ERRATUM_A050385=y # CONFIG_FSL_PQ_MDIO is not set @@ -2352,7 +3026,9 @@ CONFIG_IXGB=m CONFIG_IXGBE=m CONFIG_IXGBE_HWMON=y CONFIG_IXGBE_DCB=y +CONFIG_IXGBE_IPSEC=y CONFIG_IXGBEVF=m +CONFIG_IXGBEVF_IPSEC=y CONFIG_I40E=m CONFIG_I40E_DCB=y CONFIG_IAVF=m 
@@ -2379,40 +3055,95 @@ CONFIG_MLX4_EN_DCB=y CONFIG_MLX4_CORE=m CONFIG_MLX4_DEBUG=y CONFIG_MLX4_CORE_GEN2=y -# CONFIG_MLX5_CORE is not set -# CONFIG_MLXSW_CORE is not set -# CONFIG_MLXFW is not set -# CONFIG_NET_VENDOR_MICREL is not set +CONFIG_MLX5_CORE=m +CONFIG_MLX5_ACCEL=y +CONFIG_MLX5_FPGA=y +CONFIG_MLX5_CORE_EN=y +CONFIG_MLX5_EN_ARFS=y +CONFIG_MLX5_EN_RXNFC=y +CONFIG_MLX5_MPFS=y +CONFIG_MLX5_ESWITCH=y +CONFIG_MLX5_CORE_EN_DCB=y +CONFIG_MLX5_CORE_IPOIB=y +CONFIG_MLX5_FPGA_IPSEC=y +CONFIG_MLX5_EN_IPSEC=y +CONFIG_MLX5_FPGA_TLS=y +CONFIG_MLX5_TLS=y +CONFIG_MLX5_EN_TLS=y +CONFIG_MLX5_SW_STEERING=y +CONFIG_MLXSW_CORE=m +CONFIG_MLXSW_CORE_HWMON=y +CONFIG_MLXSW_CORE_THERMAL=y +CONFIG_MLXSW_PCI=m +CONFIG_MLXSW_I2C=m +CONFIG_MLXSW_SWITCHIB=m +CONFIG_MLXSW_SWITCHX2=m +CONFIG_MLXSW_SPECTRUM=m +CONFIG_MLXSW_SPECTRUM_DCB=y +CONFIG_MLXSW_MINIMAL=m +CONFIG_MLXFW=m +CONFIG_NET_VENDOR_MICREL=y +CONFIG_KS8842=m +CONFIG_KS8851=m +CONFIG_KS8851_MLL=m +CONFIG_KSZ884X_PCI=m CONFIG_NET_VENDOR_MICROCHIP=y -# CONFIG_ENC28J60 is not set -# CONFIG_ENCX24J600 is not set +CONFIG_ENC28J60=m +# CONFIG_ENC28J60_WRITEVERIFY is not set +CONFIG_ENCX24J600=m CONFIG_LAN743X=m CONFIG_NET_VENDOR_MICROSEMI=y -# CONFIG_MSCC_OCELOT_SWITCH is not set +CONFIG_MSCC_OCELOT_SWITCH=m +CONFIG_MSCC_OCELOT_SWITCH_OCELOT=m CONFIG_NET_VENDOR_MYRI=y CONFIG_MYRI10GE=m -# CONFIG_FEALNX is not set -# CONFIG_NET_VENDOR_NATSEMI is not set -# CONFIG_NET_VENDOR_NETERION is not set -# CONFIG_NET_VENDOR_NETRONOME is not set -# CONFIG_NET_VENDOR_NI is not set +CONFIG_FEALNX=m +CONFIG_NET_VENDOR_NATSEMI=y +CONFIG_NATSEMI=m +CONFIG_NS83820=m +CONFIG_NET_VENDOR_NETERION=y +CONFIG_S2IO=m +CONFIG_VXGE=m +# CONFIG_VXGE_DEBUG_TRACE_ALL is not set +CONFIG_NET_VENDOR_NETRONOME=y +CONFIG_NFP=m +CONFIG_NFP_APP_FLOWER=y +CONFIG_NFP_APP_ABM_NIC=y +# CONFIG_NFP_DEBUG is not set +CONFIG_NET_VENDOR_NI=y +CONFIG_NI_XGE_MANAGEMENT_ENET=m +CONFIG_NET_VENDOR_8390=y +CONFIG_NE2K_PCI=m CONFIG_NET_VENDOR_NVIDIA=y CONFIG_FORCEDETH=m -# 
CONFIG_NET_VENDOR_OKI is not set -# CONFIG_ETHOC is not set -# CONFIG_NET_VENDOR_PACKET_ENGINES is not set +CONFIG_NET_VENDOR_OKI=y +CONFIG_ETHOC=m +CONFIG_NET_VENDOR_PACKET_ENGINES=y +CONFIG_HAMACHI=m +CONFIG_YELLOWFIN=m CONFIG_NET_VENDOR_PENSANDO=y # CONFIG_IONIC is not set CONFIG_NET_VENDOR_QLOGIC=y -# CONFIG_QLA3XXX is not set -# CONFIG_QLCNIC is not set +CONFIG_QLA3XXX=m +CONFIG_QLCNIC=m +CONFIG_QLCNIC_SRIOV=y +CONFIG_QLCNIC_DCB=y +CONFIG_QLCNIC_HWMON=y CONFIG_NETXEN_NIC=m -# CONFIG_QED is not set +CONFIG_QED=m +CONFIG_QED_LL2=y +CONFIG_QED_SRIOV=y +CONFIG_QEDE=m +CONFIG_QED_RDMA=y +CONFIG_QED_OOO=y CONFIG_NET_VENDOR_QUALCOMM=y -# CONFIG_QCA7000_SPI is not set -# CONFIG_QCOM_EMAC is not set -# CONFIG_RMNET is not set -# CONFIG_NET_VENDOR_RDC is not set +CONFIG_QCA7000=m +CONFIG_QCA7000_SPI=m +CONFIG_QCA7000_UART=m +CONFIG_QCOM_EMAC=m +CONFIG_RMNET=m +CONFIG_NET_VENDOR_RDC=y +CONFIG_R6040=m CONFIG_NET_VENDOR_REALTEK=y CONFIG_8139CP=m CONFIG_8139TOO=m 
@@ -2422,169 +3153,271 @@ CONFIG_8139TOO_8129=y # CONFIG_8139_OLD_RX_RESET is not set CONFIG_R8169=m CONFIG_NET_VENDOR_RENESAS=y +CONFIG_SH_ETH=m +CONFIG_RAVB=m CONFIG_NET_VENDOR_ROCKER=y -# CONFIG_ROCKER is not set +CONFIG_ROCKER=m CONFIG_NET_VENDOR_SAMSUNG=y -# CONFIG_SXGBE_ETH is not set -# CONFIG_NET_VENDOR_SEEQ is not set -# CONFIG_NET_VENDOR_SOLARFLARE is not set -# CONFIG_NET_VENDOR_SILAN is not set -# CONFIG_NET_VENDOR_SIS is not set -# CONFIG_NET_VENDOR_SMSC is not set -# CONFIG_NET_VENDOR_SOCIONEXT is not set -# CONFIG_NET_VENDOR_STMICRO is not set -# CONFIG_NET_VENDOR_SUN is not set -# CONFIG_NET_VENDOR_SYNOPSYS is not set -# CONFIG_NET_VENDOR_TEHUTI is not set -# CONFIG_NET_VENDOR_TI is not set -# CONFIG_NET_VENDOR_VIA is not set -# CONFIG_NET_VENDOR_WIZNET is not set -# CONFIG_FDDI is not set +CONFIG_SXGBE_ETH=m +CONFIG_NET_VENDOR_SEEQ=y +CONFIG_NET_VENDOR_SOLARFLARE=y +CONFIG_SFC=m +CONFIG_SFC_MTD=y +CONFIG_SFC_MCDI_MON=y +CONFIG_SFC_SRIOV=y +CONFIG_SFC_MCDI_LOGGING=y +CONFIG_SFC_FALCON=m +CONFIG_SFC_FALCON_MTD=y +CONFIG_NET_VENDOR_SILAN=y +CONFIG_SC92031=m +CONFIG_NET_VENDOR_SIS=y +CONFIG_SIS900=m +CONFIG_SIS190=m +CONFIG_NET_VENDOR_SMSC=y +CONFIG_SMC91X=y +CONFIG_EPIC100=m +CONFIG_SMSC911X=m +CONFIG_SMSC9420=m +CONFIG_NET_VENDOR_SOCIONEXT=y +CONFIG_SNI_NETSEC=m +CONFIG_NET_VENDOR_STMICRO=y +CONFIG_STMMAC_ETH=m +# CONFIG_STMMAC_SELFTESTS is not set +CONFIG_STMMAC_PLATFORM=m +CONFIG_DWMAC_DWC_QOS_ETH=m +CONFIG_DWMAC_GENERIC=m +CONFIG_DWMAC_IPQ806X=m +CONFIG_DWMAC_MEDIATEK=m +CONFIG_DWMAC_MESON=m +CONFIG_DWMAC_QCOM_ETHQOS=m +CONFIG_DWMAC_ROCKCHIP=m +CONFIG_DWMAC_SOCFPGA=m +# CONFIG_DWMAC_SUNXI is not set +CONFIG_DWMAC_SUN8I=m +# CONFIG_STMMAC_PCI is not set +CONFIG_NET_VENDOR_SUN=y +CONFIG_HAPPYMEAL=m +CONFIG_SUNGEM=m +CONFIG_CASSINI=m +CONFIG_NIU=m +CONFIG_NET_VENDOR_SYNOPSYS=y +CONFIG_DWC_XLGMAC=m +CONFIG_DWC_XLGMAC_PCI=m +CONFIG_NET_VENDOR_TEHUTI=y +CONFIG_TEHUTI=m +CONFIG_NET_VENDOR_TI=y +# CONFIG_TI_CPSW_PHY_SEL is not set +CONFIG_TLAN=m 
+CONFIG_NET_VENDOR_VIA=y +CONFIG_VIA_RHINE=m +CONFIG_VIA_RHINE_MMIO=y +CONFIG_VIA_VELOCITY=m +CONFIG_NET_VENDOR_WIZNET=y +CONFIG_WIZNET_W5100=m +CONFIG_WIZNET_W5300=m +# CONFIG_WIZNET_BUS_DIRECT is not set +# CONFIG_WIZNET_BUS_INDIRECT is not set +CONFIG_WIZNET_BUS_ANY=y +CONFIG_WIZNET_W5100_SPI=m +CONFIG_FDDI=y +CONFIG_DEFXX=m +# CONFIG_DEFXX_MMIO is not set +CONFIG_SKFP=m # CONFIG_HIPPI is not set -# CONFIG_NET_SB1000 is not set +CONFIG_NET_SB1000=m CONFIG_MDIO_DEVICE=y CONFIG_MDIO_BUS=y # CONFIG_MDIO_BCM_IPROC is not set -# CONFIG_MDIO_BCM_UNIMAC is not set -# CONFIG_MDIO_BITBANG is not set +CONFIG_MDIO_BCM_UNIMAC=m +CONFIG_MDIO_BITBANG=m CONFIG_MDIO_BUS_MUX=y CONFIG_MDIO_BUS_MUX_BCM_IPROC=y -# CONFIG_MDIO_BUS_MUX_GPIO is not set +CONFIG_MDIO_BUS_MUX_GPIO=m CONFIG_MDIO_BUS_MUX_MESON_G12A=m -# CONFIG_MDIO_BUS_MUX_MMIOREG is not set -# CONFIG_MDIO_BUS_MUX_MULTIPLEXER is not set -# CONFIG_MDIO_HISI_FEMAC is not set -# CONFIG_MDIO_MSCC_MIIM is not set -# CONFIG_MDIO_OCTEON is not set +CONFIG_MDIO_BUS_MUX_MMIOREG=m +CONFIG_MDIO_BUS_MUX_MULTIPLEXER=m +CONFIG_MDIO_CAVIUM=m +CONFIG_MDIO_GPIO=m +CONFIG_MDIO_HISI_FEMAC=m +CONFIG_MDIO_I2C=m +CONFIG_MDIO_MSCC_MIIM=m +CONFIG_MDIO_OCTEON=m # CONFIG_MDIO_SUN4I is not set -# CONFIG_MDIO_THUNDER is not set -# CONFIG_MDIO_XGENE is not set +CONFIG_MDIO_THUNDER=m +CONFIG_MDIO_XGENE=m +CONFIG_PHYLINK=m CONFIG_PHYLIB=y CONFIG_SWPHY=y -# CONFIG_LED_TRIGGER_PHY is not set +CONFIG_LED_TRIGGER_PHY=y # # MII PHY device drivers # +CONFIG_SFP=m # CONFIG_ADIN_PHY is not set CONFIG_AMD_PHY=m -# CONFIG_AQUANTIA_PHY is not set -# CONFIG_AX88796B_PHY is not set +CONFIG_AQUANTIA_PHY=m +CONFIG_AX88796B_PHY=m CONFIG_AT803X_PHY=m CONFIG_BCM7XXX_PHY=m CONFIG_BCM87XX_PHY=m CONFIG_BCM_NET_PHYLIB=m CONFIG_BROADCOM_PHY=m -# CONFIG_CICADA_PHY is not set -# CONFIG_CORTINA_PHY is not set -# CONFIG_DAVICOM_PHY is not set -# CONFIG_DP83822_PHY is not set -# CONFIG_DP83TC811_PHY is not set -# CONFIG_DP83848_PHY is not set -# CONFIG_DP83867_PHY is not set 
+CONFIG_CICADA_PHY=m +CONFIG_CORTINA_PHY=m +CONFIG_DAVICOM_PHY=m +CONFIG_DP83822_PHY=m +CONFIG_DP83TC811_PHY=m +CONFIG_DP83848_PHY=m +CONFIG_DP83867_PHY=m CONFIG_FIXED_PHY=y -# CONFIG_ICPLUS_PHY is not set -# CONFIG_INTEL_XWAY_PHY is not set +CONFIG_ICPLUS_PHY=m +CONFIG_INTEL_XWAY_PHY=m CONFIG_LSI_ET1011C_PHY=m CONFIG_LXT_PHY=m CONFIG_MARVELL_PHY=m -# CONFIG_MARVELL_10G_PHY is not set -# CONFIG_MESON_GXL_PHY is not set +CONFIG_MARVELL_10G_PHY=m +CONFIG_MESON_GXL_PHY=m CONFIG_MICREL_PHY=m CONFIG_MICROCHIP_PHY=m CONFIG_MICROCHIP_T1_PHY=m -# CONFIG_MICROSEMI_PHY is not set +CONFIG_MICROSEMI_PHY=m CONFIG_NATIONAL_PHY=m -# CONFIG_NXP_TJA11XX_PHY is not set -# CONFIG_QSEMI_PHY is not set +CONFIG_NXP_TJA11XX_PHY=m +CONFIG_QSEMI_PHY=m CONFIG_REALTEK_PHY=m -# CONFIG_RENESAS_PHY is not set -# CONFIG_ROCKCHIP_PHY is not set -# CONFIG_SMSC_PHY is not set +CONFIG_RENESAS_PHY=m +CONFIG_ROCKCHIP_PHY=m +CONFIG_SMSC_PHY=m CONFIG_STE10XP=m -# CONFIG_TERANETICS_PHY is not set -# CONFIG_VITESSE_PHY is not set -# CONFIG_XILINX_GMII2RGMII is not set -# CONFIG_MICREL_KS8995MA is not set -# CONFIG_PPP is not set -# CONFIG_SLIP is not set - -# -# Host-side USB support is needed for USB Network Adapter support -# +CONFIG_TERANETICS_PHY=m +CONFIG_VITESSE_PHY=m +CONFIG_XILINX_GMII2RGMII=m +CONFIG_MICREL_KS8995MA=m +CONFIG_PPP=y +CONFIG_PPP_BSDCOMP=m +CONFIG_PPP_DEFLATE=m +CONFIG_PPP_FILTER=y +CONFIG_PPP_MPPE=m +CONFIG_PPP_MULTILINK=y +CONFIG_PPPOATM=m +CONFIG_PPPOE=m +CONFIG_PPTP=m +CONFIG_PPPOL2TP=m +CONFIG_PPP_ASYNC=m +CONFIG_PPP_SYNC_TTY=m +CONFIG_SLIP=m +CONFIG_SLHC=y +CONFIG_SLIP_COMPRESSED=y +CONFIG_SLIP_SMART=y +CONFIG_SLIP_MODE_SLIP6=y CONFIG_USB_NET_DRIVERS=m -# CONFIG_USB_CATC is not set -# CONFIG_USB_KAWETH is not set -# CONFIG_USB_PEGASUS is not set -# CONFIG_USB_RTL8150 is not set -# CONFIG_USB_RTL8152 is not set +CONFIG_USB_CATC=m +CONFIG_USB_KAWETH=m +CONFIG_USB_PEGASUS=m +CONFIG_USB_RTL8150=m +CONFIG_USB_RTL8152=m CONFIG_USB_LAN78XX=m CONFIG_USB_USBNET=m 
CONFIG_USB_NET_AX8817X=m CONFIG_USB_NET_AX88179_178A=m -# CONFIG_USB_NET_CDCETHER is not set -# CONFIG_USB_NET_CDC_EEM is not set +CONFIG_USB_NET_CDCETHER=m +CONFIG_USB_NET_CDC_EEM=m CONFIG_USB_NET_CDC_NCM=m CONFIG_USB_NET_HUAWEI_CDC_NCM=m CONFIG_USB_NET_CDC_MBIM=m -# CONFIG_USB_NET_DM9601 is not set -# CONFIG_USB_NET_SR9700 is not set -# CONFIG_USB_NET_SR9800 is not set -# CONFIG_USB_NET_SMSC75XX is not set +CONFIG_USB_NET_DM9601=m +CONFIG_USB_NET_SR9700=m +CONFIG_USB_NET_SR9800=m +CONFIG_USB_NET_SMSC75XX=m CONFIG_USB_NET_SMSC95XX=m -# CONFIG_USB_NET_GL620A is not set -# CONFIG_USB_NET_NET1080 is not set -# CONFIG_USB_NET_PLUSB is not set -# CONFIG_USB_NET_MCS7830 is not set -# CONFIG_USB_NET_RNDIS_HOST is not set -# CONFIG_USB_NET_CDC_SUBSET is not set -# CONFIG_USB_NET_ZAURUS is not set -# CONFIG_USB_NET_CX82310_ETH is not set -# CONFIG_USB_NET_KALMIA is not set +CONFIG_USB_NET_GL620A=m +CONFIG_USB_NET_NET1080=m +CONFIG_USB_NET_PLUSB=m +CONFIG_USB_NET_MCS7830=m +CONFIG_USB_NET_RNDIS_HOST=m +CONFIG_USB_NET_CDC_SUBSET_ENABLE=m +CONFIG_USB_NET_CDC_SUBSET=m +CONFIG_USB_ALI_M5632=y +CONFIG_USB_AN2720=y +CONFIG_USB_BELKIN=y +CONFIG_USB_ARMLINUX=y +CONFIG_USB_EPSON2888=y +CONFIG_USB_KC2190=y +CONFIG_USB_NET_ZAURUS=m +CONFIG_USB_NET_CX82310_ETH=m +CONFIG_USB_NET_KALMIA=m CONFIG_USB_NET_QMI_WWAN=m -# CONFIG_USB_NET_INT51X1 is not set -# CONFIG_USB_IPHETH is not set -# CONFIG_USB_SIERRA_NET is not set -# CONFIG_USB_NET_CH9200 is not set -# CONFIG_USB_NET_AQC111 is not set +CONFIG_USB_HSO=m +CONFIG_USB_NET_INT51X1=m +CONFIG_USB_CDC_PHONET=m +CONFIG_USB_IPHETH=m +CONFIG_USB_SIERRA_NET=m +CONFIG_USB_VL600=m +CONFIG_USB_NET_CH9200=m +CONFIG_USB_NET_AQC111=m CONFIG_WLAN=y # CONFIG_WIRELESS_WDS is not set -# CONFIG_WLAN_VENDOR_ADMTEK is not set +CONFIG_WLAN_VENDOR_ADMTEK=y +CONFIG_ADM8211=m CONFIG_ATH_COMMON=m CONFIG_WLAN_VENDOR_ATH=y # CONFIG_ATH_DEBUG is not set -# CONFIG_ATH5K is not set -# CONFIG_ATH5K_PCI is not set +CONFIG_ATH5K=m +# CONFIG_ATH5K_DEBUG is not set +# 
CONFIG_ATH5K_TRACER is not set +CONFIG_ATH5K_PCI=y CONFIG_ATH9K_HW=m CONFIG_ATH9K_COMMON=m +CONFIG_ATH9K_COMMON_DEBUG=y CONFIG_ATH9K_BTCOEX_SUPPORT=y CONFIG_ATH9K=m CONFIG_ATH9K_PCI=y -# CONFIG_ATH9K_AHB is not set -# CONFIG_ATH9K_DEBUGFS is not set +CONFIG_ATH9K_AHB=y +CONFIG_ATH9K_DEBUGFS=y +CONFIG_ATH9K_STATION_STATISTICS=y # CONFIG_ATH9K_DYNACK is not set -# CONFIG_ATH9K_WOW is not set -# CONFIG_ATH9K_CHANNEL_CONTEXT is not set +CONFIG_ATH9K_WOW=y +CONFIG_ATH9K_RFKILL=y +CONFIG_ATH9K_CHANNEL_CONTEXT=y CONFIG_ATH9K_PCOEM=y # CONFIG_ATH9K_PCI_NO_EEPROM is not set -# CONFIG_ATH9K_HTC is not set -# CONFIG_ATH9K_HWRNG is not set -# CONFIG_CARL9170 is not set -# CONFIG_ATH6KL is not set -# CONFIG_AR5523 is not set -# CONFIG_WIL6210 is not set +CONFIG_ATH9K_HTC=m +CONFIG_ATH9K_HTC_DEBUGFS=y +CONFIG_ATH9K_HWRNG=y +CONFIG_ATH9K_COMMON_SPECTRAL=y +CONFIG_CARL9170=m +CONFIG_CARL9170_LEDS=y +# CONFIG_CARL9170_DEBUGFS is not set +CONFIG_CARL9170_WPC=y +CONFIG_CARL9170_HWRNG=y +CONFIG_ATH6KL=m +CONFIG_ATH6KL_SDIO=m +CONFIG_ATH6KL_USB=m +# CONFIG_ATH6KL_DEBUG is not set +# CONFIG_ATH6KL_TRACING is not set +CONFIG_AR5523=m +CONFIG_WIL6210=m +CONFIG_WIL6210_ISR_COR=y +CONFIG_WIL6210_TRACING=y +CONFIG_WIL6210_DEBUGFS=y CONFIG_ATH10K=m CONFIG_ATH10K_CE=y CONFIG_ATH10K_PCI=m -# CONFIG_ATH10K_AHB is not set -# CONFIG_ATH10K_SDIO is not set -# CONFIG_ATH10K_USB is not set -# CONFIG_ATH10K_SNOC is not set +CONFIG_ATH10K_AHB=y +CONFIG_ATH10K_SDIO=m +CONFIG_ATH10K_USB=m +CONFIG_ATH10K_SNOC=m # CONFIG_ATH10K_DEBUG is not set -# CONFIG_ATH10K_DEBUGFS is not set -# CONFIG_ATH10K_TRACING is not set -# CONFIG_WCN36XX is not set -# CONFIG_WLAN_VENDOR_ATMEL is not set +CONFIG_ATH10K_DEBUGFS=y +CONFIG_ATH10K_SPECTRAL=y +CONFIG_ATH10K_TRACING=y +CONFIG_WCN36XX=m +# CONFIG_WCN36XX_DEBUGFS is not set +CONFIG_WLAN_VENDOR_ATMEL=y +CONFIG_ATMEL=m +CONFIG_PCI_ATMEL=m +CONFIG_AT76C50X_USB=m CONFIG_WLAN_VENDOR_BROADCOM=y CONFIG_B43=m CONFIG_B43_BCMA=y 
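Review bot: Driver debugfs and tracing interfaces are switched on in this hunk (`CONFIG_ATH9K_DEBUGFS=y`, `CONFIG_ATH9K_HTC_DEBUGFS=y`, `CONFIG_ATH10K_DEBUGFS=y`, `CONFIG_ATH10K_TRACING=y`, `CONFIG_WIL6210_DEBUGFS=y`), while the same hunk leaves `CONFIG_ATH5K_DEBUG`, `CONFIG_CARL9170_DEBUGFS` and `CONFIG_WCN36XX_DEBUGFS` unset, so the debug policy is inconsistent. These options expose driver internals through debugfs and add code that a production image normally does not need. Unless something in the distribution depends on them, they should match their siblings, e.g. `# CONFIG_ATH9K_DEBUGFS is not set` and `# CONFIG_ATH10K_DEBUGFS is not set`. The following hunk (-2604,44) shows the same pattern: `CONFIG_IWLWIFI_DEBUGFS=y`, `CONFIG_RTW88_DEBUG=y` and `CONFIG_RTW88_DEBUGFS=y` sit next to unset `CONFIG_RSI_DEBUGFS` and `CONFIG_RT2X00_LIB_DEBUGFS`.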
@@ -2604,44 +3437,277 @@ CONFIG_B43_PHY_HT=y CONFIG_B43_LEDS=y CONFIG_B43_HWRNG=y # CONFIG_B43_DEBUG is not set -# CONFIG_B43LEGACY is not set +CONFIG_B43LEGACY=m +CONFIG_B43LEGACY_PCI_AUTOSELECT=y +CONFIG_B43LEGACY_PCICORE_AUTOSELECT=y +CONFIG_B43LEGACY_LEDS=y +CONFIG_B43LEGACY_HWRNG=y +# CONFIG_B43LEGACY_DEBUG is not set +CONFIG_B43LEGACY_DMA=y +CONFIG_B43LEGACY_PIO=y +CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y +# CONFIG_B43LEGACY_DMA_MODE is not set +# CONFIG_B43LEGACY_PIO_MODE is not set CONFIG_BRCMUTIL=m -# CONFIG_BRCMSMAC is not set +CONFIG_BRCMSMAC=m CONFIG_BRCMFMAC=m CONFIG_BRCMFMAC_PROTO_BCDC=y +CONFIG_BRCMFMAC_PROTO_MSGBUF=y CONFIG_BRCMFMAC_SDIO=y CONFIG_BRCMFMAC_USB=y -# CONFIG_BRCMFMAC_PCIE is not set -# CONFIG_BRCM_TRACING is not set +CONFIG_BRCMFMAC_PCIE=y +CONFIG_BRCM_TRACING=y # CONFIG_BRCMDBG is not set -# CONFIG_WLAN_VENDOR_CISCO is not set -# CONFIG_WLAN_VENDOR_INTEL is not set -# CONFIG_WLAN_VENDOR_INTERSIL is not set -# CONFIG_WLAN_VENDOR_MARVELL is not set -# CONFIG_WLAN_VENDOR_MEDIATEK is not set -# CONFIG_WLAN_VENDOR_RALINK is not set -# CONFIG_WLAN_VENDOR_REALTEK is not set -# CONFIG_WLAN_VENDOR_RSI is not set -# CONFIG_WLAN_VENDOR_ST is not set -# CONFIG_WLAN_VENDOR_TI is not set -# CONFIG_WLAN_VENDOR_ZYDAS is not set -# CONFIG_WLAN_VENDOR_QUANTENNA is not set -# CONFIG_MAC80211_HWSIM is not set -# CONFIG_USB_NET_RNDIS_WLAN is not set -# CONFIG_VIRT_WIFI is not set - -# -# Enable WiMAX (Networking options) to see the WiMAX drivers -# -# CONFIG_WAN is not set -CONFIG_XEN_NETDEV_FRONTEND=m -# CONFIG_XEN_NETDEV_BACKEND is not set -CONFIG_VMXNET3=y -# CONFIG_FUJITSU_ES is not set -# CONFIG_NETDEVSIM is not set +CONFIG_WLAN_VENDOR_CISCO=y +CONFIG_WLAN_VENDOR_INTEL=y +CONFIG_IPW2100=m +CONFIG_IPW2100_MONITOR=y +# CONFIG_IPW2100_DEBUG is not set +CONFIG_IPW2200=m +CONFIG_IPW2200_MONITOR=y +CONFIG_IPW2200_RADIOTAP=y +CONFIG_IPW2200_PROMISCUOUS=y +CONFIG_IPW2200_QOS=y +# CONFIG_IPW2200_DEBUG is not set +CONFIG_LIBIPW=m +# CONFIG_LIBIPW_DEBUG is not set 
+CONFIG_IWLEGACY=m +CONFIG_IWL4965=m +CONFIG_IWL3945=m + +# +# iwl3945 / iwl4965 Debugging Options +# +# CONFIG_IWLEGACY_DEBUG is not set +CONFIG_IWLEGACY_DEBUGFS=y +# end of iwl3945 / iwl4965 Debugging Options + +CONFIG_IWLWIFI=m +CONFIG_IWLWIFI_LEDS=y +CONFIG_IWLDVM=m +CONFIG_IWLMVM=m +CONFIG_IWLWIFI_OPMODE_MODULAR=y +# CONFIG_IWLWIFI_BCAST_FILTERING is not set + +# +# Debugging Options +# +# CONFIG_IWLWIFI_DEBUG is not set +CONFIG_IWLWIFI_DEBUGFS=y +CONFIG_IWLWIFI_DEVICE_TRACING=y +# end of Debugging Options + +CONFIG_WLAN_VENDOR_INTERSIL=y +CONFIG_HOSTAP=m +CONFIG_HOSTAP_FIRMWARE=y +CONFIG_HOSTAP_FIRMWARE_NVRAM=y +CONFIG_HOSTAP_PLX=m +CONFIG_HOSTAP_PCI=m +CONFIG_HERMES=m +# CONFIG_HERMES_PRISM is not set +CONFIG_HERMES_CACHE_FW_ON_INIT=y +CONFIG_PLX_HERMES=m +CONFIG_TMD_HERMES=m +CONFIG_NORTEL_HERMES=m +CONFIG_ORINOCO_USB=m +CONFIG_P54_COMMON=m +CONFIG_P54_USB=m +CONFIG_P54_PCI=m +CONFIG_P54_SPI=m +# CONFIG_P54_SPI_DEFAULT_EEPROM is not set +CONFIG_P54_LEDS=y +# CONFIG_PRISM54 is not set +CONFIG_WLAN_VENDOR_MARVELL=y +CONFIG_LIBERTAS=m +CONFIG_LIBERTAS_USB=m +CONFIG_LIBERTAS_SDIO=m +CONFIG_LIBERTAS_SPI=m +# CONFIG_LIBERTAS_DEBUG is not set +CONFIG_LIBERTAS_MESH=y +CONFIG_LIBERTAS_THINFIRM=m +# CONFIG_LIBERTAS_THINFIRM_DEBUG is not set +CONFIG_LIBERTAS_THINFIRM_USB=m +CONFIG_MWIFIEX=m +CONFIG_MWIFIEX_SDIO=m +CONFIG_MWIFIEX_PCIE=m +CONFIG_MWIFIEX_USB=m +CONFIG_MWL8K=m +CONFIG_WLAN_VENDOR_MEDIATEK=y +CONFIG_MT7601U=m +CONFIG_MT76_CORE=m +CONFIG_MT76_LEDS=y +CONFIG_MT76_USB=m +CONFIG_MT76x02_LIB=m +CONFIG_MT76x02_USB=m +CONFIG_MT76x0_COMMON=m +CONFIG_MT76x0U=m +CONFIG_MT76x0E=m +CONFIG_MT76x2_COMMON=m +CONFIG_MT76x2E=m +CONFIG_MT76x2U=m +CONFIG_MT7603E=m +CONFIG_MT7615E=m +CONFIG_WLAN_VENDOR_RALINK=y +CONFIG_RT2X00=m +CONFIG_RT2400PCI=m +CONFIG_RT2500PCI=m +CONFIG_RT61PCI=m +CONFIG_RT2800PCI=m +CONFIG_RT2800PCI_RT33XX=y +CONFIG_RT2800PCI_RT35XX=y +CONFIG_RT2800PCI_RT53XX=y +CONFIG_RT2800PCI_RT3290=y +CONFIG_RT2500USB=m +CONFIG_RT73USB=m +CONFIG_RT2800USB=m 
+CONFIG_RT2800USB_RT33XX=y +CONFIG_RT2800USB_RT35XX=y +CONFIG_RT2800USB_RT3573=y +CONFIG_RT2800USB_RT53XX=y +CONFIG_RT2800USB_RT55XX=y +CONFIG_RT2800USB_UNKNOWN=y +CONFIG_RT2800_LIB=m +CONFIG_RT2800_LIB_MMIO=m +CONFIG_RT2X00_LIB_MMIO=m +CONFIG_RT2X00_LIB_PCI=m +CONFIG_RT2X00_LIB_USB=m +CONFIG_RT2X00_LIB=m +CONFIG_RT2X00_LIB_FIRMWARE=y +CONFIG_RT2X00_LIB_CRYPTO=y +CONFIG_RT2X00_LIB_LEDS=y +# CONFIG_RT2X00_LIB_DEBUGFS is not set +# CONFIG_RT2X00_DEBUG is not set +CONFIG_WLAN_VENDOR_REALTEK=y +CONFIG_RTL8180=m +CONFIG_RTL8187=m +CONFIG_RTL8187_LEDS=y +CONFIG_RTL_CARDS=m +CONFIG_RTL8192CE=m +CONFIG_RTL8192SE=m +CONFIG_RTL8192DE=m +CONFIG_RTL8723AE=m +CONFIG_RTL8723BE=m +CONFIG_RTL8188EE=m +CONFIG_RTL8192EE=m +CONFIG_RTL8821AE=m +CONFIG_RTL8192CU=m +CONFIG_RTLWIFI=m +CONFIG_RTLWIFI_PCI=m +CONFIG_RTLWIFI_USB=m +# CONFIG_RTLWIFI_DEBUG is not set +CONFIG_RTL8192C_COMMON=m +CONFIG_RTL8723_COMMON=m +CONFIG_RTLBTCOEXIST=m +CONFIG_RTL8XXXU=m +CONFIG_RTL8XXXU_UNTESTED=y +CONFIG_RTW88=m +CONFIG_RTW88_CORE=m +CONFIG_RTW88_PCI=m +CONFIG_RTW88_8822BE=y +CONFIG_RTW88_8822CE=y +CONFIG_RTW88_DEBUG=y +CONFIG_RTW88_DEBUGFS=y +CONFIG_WLAN_VENDOR_RSI=y +CONFIG_RSI_91X=m +# CONFIG_RSI_DEBUGFS is not set +CONFIG_RSI_SDIO=m +CONFIG_RSI_USB=m +CONFIG_RSI_COEX=y +CONFIG_WLAN_VENDOR_ST=y +CONFIG_CW1200=m +CONFIG_CW1200_WLAN_SDIO=m +CONFIG_CW1200_WLAN_SPI=m +CONFIG_WLAN_VENDOR_TI=y +CONFIG_WL1251=m +CONFIG_WL1251_SPI=m +CONFIG_WL1251_SDIO=m +CONFIG_WL12XX=m +CONFIG_WL18XX=m +CONFIG_WLCORE=m +CONFIG_WLCORE_SPI=m +CONFIG_WLCORE_SDIO=m +CONFIG_WILINK_PLATFORM_DATA=y +CONFIG_WLAN_VENDOR_ZYDAS=y +CONFIG_USB_ZD1201=m +CONFIG_ZD1211RW=m +# CONFIG_ZD1211RW_DEBUG is not set +CONFIG_WLAN_VENDOR_QUANTENNA=y +CONFIG_QTNFMAC=m +CONFIG_QTNFMAC_PCIE=m +CONFIG_MAC80211_HWSIM=m +CONFIG_USB_NET_RNDIS_WLAN=m +CONFIG_VIRT_WIFI=m + +# +# WiMAX Wireless Broadband devices +# +CONFIG_WIMAX_I2400M=m +CONFIG_WIMAX_I2400M_USB=m +CONFIG_WIMAX_I2400M_DEBUG_LEVEL=8 +# end of WiMAX Wireless Broadband devices + +CONFIG_WAN=y 
+CONFIG_HDLC=m +CONFIG_HDLC_RAW=m +CONFIG_HDLC_RAW_ETH=m +CONFIG_HDLC_CISCO=m +CONFIG_HDLC_FR=m +CONFIG_HDLC_PPP=m +CONFIG_HDLC_X25=m +CONFIG_PCI200SYN=m +CONFIG_WANXL=m +CONFIG_PC300TOO=m +CONFIG_FARSYNC=m +CONFIG_SLIC_DS26522=m +CONFIG_DLCI=m +CONFIG_DLCI_MAX=8 +CONFIG_LAPBETHER=m +CONFIG_X25_ASY=m +CONFIG_IEEE802154_DRIVERS=m +CONFIG_IEEE802154_FAKELB=m +CONFIG_IEEE802154_AT86RF230=m +CONFIG_IEEE802154_AT86RF230_DEBUGFS=y +CONFIG_IEEE802154_MRF24J40=m +CONFIG_IEEE802154_CC2520=m +CONFIG_IEEE802154_ATUSB=m +CONFIG_IEEE802154_ADF7242=m +CONFIG_IEEE802154_CA8210=m +CONFIG_IEEE802154_CA8210_DEBUGFS=y +CONFIG_IEEE802154_MCR20A=m +CONFIG_IEEE802154_HWSIM=m +CONFIG_XEN_NETDEV_FRONTEND=y +CONFIG_XEN_NETDEV_BACKEND=m +CONFIG_VMXNET3=m +CONFIG_FUJITSU_ES=m +CONFIG_HYPERV_NET=y +CONFIG_NETDEVSIM=m CONFIG_NET_FAILOVER=y -# CONFIG_ISDN is not set -# CONFIG_NVM is not set +CONFIG_ISDN=y +CONFIG_ISDN_CAPI=m +CONFIG_CAPI_TRACE=y +CONFIG_ISDN_CAPI_CAPI20=m +CONFIG_ISDN_CAPI_MIDDLEWARE=y +CONFIG_MISDN=m +CONFIG_MISDN_DSP=m +CONFIG_MISDN_L1OIP=m + +# +# mISDN hardware drivers +# +CONFIG_MISDN_HFCPCI=m +CONFIG_MISDN_HFCMULTI=m +CONFIG_MISDN_HFCUSB=m +CONFIG_MISDN_AVMFRITZ=m +CONFIG_MISDN_SPEEDFAX=m +CONFIG_MISDN_INFINEON=m +CONFIG_MISDN_W6692=m +CONFIG_MISDN_NETJET=m +CONFIG_MISDN_HDLC=m +CONFIG_MISDN_IPAC=m +CONFIG_MISDN_ISAR=m +CONFIG_NVM=y +CONFIG_NVM_PBLK=m +# CONFIG_NVM_PBLK_DEBUG is not set # # Input device support 
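Review bot: This hunk enables test-only and explicitly untested code alongside the real hardware drivers: `CONFIG_RTL8XXXU_UNTESTED=y` lets rtl8xxxu bind to device IDs the driver itself marks as untested, and `CONFIG_MAC80211_HWSIM=m`, `CONFIG_IEEE802154_HWSIM=m`, `CONFIG_VIRT_WIFI=m` and `CONFIG_NETDEVSIM=m` are simulators meant for development. It also turns on protocol stacks that were previously off as a whole (`CONFIG_ISDN=y` with CAPI and mISDN, `CONFIG_WAN=y` with `CONFIG_HDLC_X25=m`, `CONFIG_LAPBETHER=m`, `CONFIG_X25_ASY=m`). Each of these adds kernel code reachable from user space or the network that a general-purpose image is unlikely to need. If they are not a stated requirement, keep them off (`# CONFIG_RTL8XXXU_UNTESTED is not set`, `# CONFIG_MAC80211_HWSIM is not set`, `# CONFIG_ISDN is not set`), or record in the commit description which consumer needs them.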
@@ -2649,68 +3715,72 @@ CONFIG_NET_FAILOVER=y CONFIG_INPUT=y CONFIG_INPUT_LEDS=m CONFIG_INPUT_FF_MEMLESS=m -# CONFIG_INPUT_POLLDEV is not set -# CONFIG_INPUT_SPARSEKMAP is not set -# CONFIG_INPUT_MATRIXKMAP is not set +CONFIG_INPUT_POLLDEV=m +CONFIG_INPUT_SPARSEKMAP=m +CONFIG_INPUT_MATRIXKMAP=m # # Userland interfaces # -CONFIG_INPUT_MOUSEDEV=m -# CONFIG_INPUT_MOUSEDEV_PSAUX is not set +CONFIG_INPUT_MOUSEDEV=y +CONFIG_INPUT_MOUSEDEV_PSAUX=y CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024 CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768 # CONFIG_INPUT_JOYDEV is not set -CONFIG_INPUT_EVDEV=m +# CONFIG_INPUT_EVDEV is not set # CONFIG_INPUT_EVBUG is not set # # Input Device Drivers # CONFIG_INPUT_KEYBOARD=y -# CONFIG_KEYBOARD_ADP5588 is not set -# CONFIG_KEYBOARD_ADP5589 is not set +CONFIG_KEYBOARD_ADP5588=m +CONFIG_KEYBOARD_ADP5589=m CONFIG_KEYBOARD_ATKBD=y -# CONFIG_KEYBOARD_QT1050 is not set -# CONFIG_KEYBOARD_QT1070 is not set -# CONFIG_KEYBOARD_QT2160 is not set -# CONFIG_KEYBOARD_DLINK_DIR685 is not set -# CONFIG_KEYBOARD_LKKBD is not set -# CONFIG_KEYBOARD_GPIO is not set -# CONFIG_KEYBOARD_GPIO_POLLED is not set -# CONFIG_KEYBOARD_TCA6416 is not set -# CONFIG_KEYBOARD_TCA8418 is not set -# CONFIG_KEYBOARD_MATRIX is not set -# CONFIG_KEYBOARD_LM8323 is not set -# CONFIG_KEYBOARD_LM8333 is not set -# CONFIG_KEYBOARD_MAX7359 is not set -# CONFIG_KEYBOARD_MCS is not set -# CONFIG_KEYBOARD_MPR121 is not set -# CONFIG_KEYBOARD_NEWTON is not set +CONFIG_KEYBOARD_QT1050=m +CONFIG_KEYBOARD_QT1070=m +CONFIG_KEYBOARD_QT2160=m +CONFIG_KEYBOARD_DLINK_DIR685=m +CONFIG_KEYBOARD_LKKBD=m +CONFIG_KEYBOARD_GPIO=m +CONFIG_KEYBOARD_GPIO_POLLED=m +CONFIG_KEYBOARD_TCA6416=m +CONFIG_KEYBOARD_TCA8418=m +CONFIG_KEYBOARD_MATRIX=m +CONFIG_KEYBOARD_LM8323=m +CONFIG_KEYBOARD_LM8333=m +CONFIG_KEYBOARD_MAX7359=m +CONFIG_KEYBOARD_MCS=m +CONFIG_KEYBOARD_MPR121=m +CONFIG_KEYBOARD_SNVS_PWRKEY=m +CONFIG_KEYBOARD_IMX=m +CONFIG_KEYBOARD_NEWTON=m # CONFIG_KEYBOARD_TEGRA is not set -# CONFIG_KEYBOARD_OPENCORES is not set -# 
CONFIG_KEYBOARD_SAMSUNG is not set -# CONFIG_KEYBOARD_STOWAWAY is not set -# CONFIG_KEYBOARD_SUNKBD is not set +CONFIG_KEYBOARD_OPENCORES=m +CONFIG_KEYBOARD_SAMSUNG=m +CONFIG_KEYBOARD_STOWAWAY=m +CONFIG_KEYBOARD_SUNKBD=m # CONFIG_KEYBOARD_SUN4I_LRADC is not set -# CONFIG_KEYBOARD_OMAP4 is not set -# CONFIG_KEYBOARD_TM2_TOUCHKEY is not set -# CONFIG_KEYBOARD_XTKBD is not set -# CONFIG_KEYBOARD_CAP11XX is not set -# CONFIG_KEYBOARD_BCM is not set +CONFIG_KEYBOARD_OMAP4=m +CONFIG_KEYBOARD_TM2_TOUCHKEY=m +CONFIG_KEYBOARD_XTKBD=m +CONFIG_KEYBOARD_CAP11XX=m +CONFIG_KEYBOARD_BCM=m CONFIG_INPUT_MOUSE=y CONFIG_MOUSE_PS2=m CONFIG_MOUSE_PS2_ALPS=y -# CONFIG_MOUSE_PS2_BYD is not set +CONFIG_MOUSE_PS2_BYD=y CONFIG_MOUSE_PS2_LOGIPS2PP=y CONFIG_MOUSE_PS2_SYNAPTICS=y -# CONFIG_MOUSE_PS2_SYNAPTICS_SMBUS is not set +CONFIG_MOUSE_PS2_SYNAPTICS_SMBUS=y CONFIG_MOUSE_PS2_CYPRESS=y CONFIG_MOUSE_PS2_TRACKPOINT=y -# CONFIG_MOUSE_PS2_ELANTECH is not set -# CONFIG_MOUSE_PS2_SENTELIC is not set -# CONFIG_MOUSE_PS2_TOUCHKIT is not set +CONFIG_MOUSE_PS2_ELANTECH=y +CONFIG_MOUSE_PS2_ELANTECH_SMBUS=y +CONFIG_MOUSE_PS2_SENTELIC=y +CONFIG_MOUSE_PS2_TOUCHKIT=y CONFIG_MOUSE_PS2_FOCALTECH=y +CONFIG_MOUSE_PS2_SMBUS=y # CONFIG_MOUSE_SERIAL is not set # CONFIG_MOUSE_APPLETOUCH is not set # CONFIG_MOUSE_BCM5974 is not set 
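Review bot: `CONFIG_INPUT_EVDEV=m` is replaced by `# CONFIG_INPUT_EVDEV is not set`, while the legacy `CONFIG_INPUT_MOUSEDEV` is promoted to `=y` with `CONFIG_INPUT_MOUSEDEV_PSAUX=y`. That looks unintended. Without evdev there are no /dev/input/event* nodes, which is the interface current userspace reads (libinput, power-button handling in the login manager). The many keyboard and misc input drivers this commit enables would then have no modern consumer path. If the removal is not deliberate, keep `CONFIG_INPUT_EVDEV=m`; if it is deliberate, the reason belongs in the commit description.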
@@ -2724,55 +3794,79 @@ CONFIG_MOUSE_PS2_FOCALTECH=y # CONFIG_INPUT_TABLET is not set # CONFIG_INPUT_TOUCHSCREEN is not set CONFIG_INPUT_MISC=y -# CONFIG_INPUT_AD714X is not set -# CONFIG_INPUT_ATMEL_CAPTOUCH is not set -# CONFIG_INPUT_BMA150 is not set -# CONFIG_INPUT_E3X0_BUTTON is not set -# CONFIG_INPUT_MSM_VIBRATOR is not set -# CONFIG_INPUT_MMA8450 is not set -# CONFIG_INPUT_GP2A is not set -# CONFIG_INPUT_GPIO_BEEPER is not set -# CONFIG_INPUT_GPIO_DECODER is not set -# CONFIG_INPUT_GPIO_VIBRA is not set -# CONFIG_INPUT_ATI_REMOTE2 is not set -# CONFIG_INPUT_KEYSPAN_REMOTE is not set -# CONFIG_INPUT_KXTJ9 is not set -# CONFIG_INPUT_POWERMATE is not set -# CONFIG_INPUT_YEALINK is not set -# CONFIG_INPUT_CM109 is not set -# CONFIG_INPUT_REGULATOR_HAPTIC is not set -# CONFIG_INPUT_UINPUT is not set -# CONFIG_INPUT_PCF8574 is not set -# CONFIG_INPUT_PWM_BEEPER is not set -# CONFIG_INPUT_PWM_VIBRA is not set -# CONFIG_INPUT_GPIO_ROTARY_ENCODER is not set -# CONFIG_INPUT_ADXL34X is not set -# CONFIG_INPUT_IMS_PCU is not set -# CONFIG_INPUT_CMA3000 is not set -CONFIG_INPUT_XEN_KBDDEV_FRONTEND=y -# CONFIG_INPUT_DRV260X_HAPTICS is not set -# CONFIG_INPUT_DRV2665_HAPTICS is not set -# CONFIG_INPUT_DRV2667_HAPTICS is not set -# CONFIG_INPUT_HISI_POWERKEY is not set -# CONFIG_RMI4_CORE is not set +CONFIG_INPUT_AD714X=m +CONFIG_INPUT_AD714X_I2C=m +CONFIG_INPUT_AD714X_SPI=m +CONFIG_INPUT_ATMEL_CAPTOUCH=m +CONFIG_INPUT_BMA150=m +CONFIG_INPUT_E3X0_BUTTON=m +CONFIG_INPUT_MSM_VIBRATOR=m +CONFIG_INPUT_MMA8450=m +CONFIG_INPUT_GP2A=m +CONFIG_INPUT_GPIO_BEEPER=m +CONFIG_INPUT_GPIO_DECODER=m +CONFIG_INPUT_GPIO_VIBRA=m +CONFIG_INPUT_ATI_REMOTE2=m +CONFIG_INPUT_KEYSPAN_REMOTE=m +CONFIG_INPUT_KXTJ9=m +# CONFIG_INPUT_KXTJ9_POLLED_MODE is not set +CONFIG_INPUT_POWERMATE=m +CONFIG_INPUT_YEALINK=m +CONFIG_INPUT_CM109=m +CONFIG_INPUT_REGULATOR_HAPTIC=m +CONFIG_INPUT_UINPUT=y +CONFIG_INPUT_PCF8574=m +CONFIG_INPUT_PWM_BEEPER=m +CONFIG_INPUT_PWM_VIBRA=m +CONFIG_INPUT_GPIO_ROTARY_ENCODER=m 
+CONFIG_INPUT_ADXL34X=m +CONFIG_INPUT_ADXL34X_I2C=m +CONFIG_INPUT_ADXL34X_SPI=m +CONFIG_INPUT_IMS_PCU=m +CONFIG_INPUT_CMA3000=m +CONFIG_INPUT_CMA3000_I2C=m +CONFIG_INPUT_XEN_KBDDEV_FRONTEND=m +CONFIG_INPUT_SOC_BUTTON_ARRAY=m +CONFIG_INPUT_DRV260X_HAPTICS=m +CONFIG_INPUT_DRV2665_HAPTICS=m +CONFIG_INPUT_DRV2667_HAPTICS=m +CONFIG_INPUT_HISI_POWERKEY=m +CONFIG_RMI4_CORE=m +CONFIG_RMI4_I2C=m +CONFIG_RMI4_SPI=m +CONFIG_RMI4_SMB=m +CONFIG_RMI4_F03=y +CONFIG_RMI4_F03_SERIO=m +CONFIG_RMI4_2D_SENSOR=y +CONFIG_RMI4_F11=y +CONFIG_RMI4_F12=y +CONFIG_RMI4_F30=y +CONFIG_RMI4_F34=y +CONFIG_RMI4_F54=y +CONFIG_RMI4_F55=y # # Hardware I/O ports # CONFIG_SERIO=y -# CONFIG_SERIO_SERPORT is not set -# CONFIG_SERIO_AMBAKMI is not set -# CONFIG_SERIO_PCIPS2 is not set +CONFIG_SERIO_SERPORT=m +CONFIG_SERIO_AMBAKMI=m +CONFIG_SERIO_PCIPS2=m CONFIG_SERIO_LIBPS2=y -# CONFIG_SERIO_RAW is not set -# CONFIG_SERIO_ALTERA_PS2 is not set -# CONFIG_SERIO_PS2MULT is not set -# CONFIG_SERIO_ARC_PS2 is not set -# CONFIG_SERIO_APBPS2 is not set +CONFIG_SERIO_RAW=m +CONFIG_SERIO_ALTERA_PS2=m +CONFIG_SERIO_PS2MULT=m +CONFIG_SERIO_ARC_PS2=m +CONFIG_SERIO_APBPS2=m +CONFIG_HYPERV_KEYBOARD=y # CONFIG_SERIO_SUN4I_PS2 is not set -# CONFIG_SERIO_GPIO_PS2 is not set -# CONFIG_USERIO is not set -# CONFIG_GAMEPORT is not set +CONFIG_SERIO_GPIO_PS2=m +CONFIG_USERIO=m +CONFIG_GAMEPORT=m +CONFIG_GAMEPORT_NS558=m +CONFIG_GAMEPORT_L4=m +CONFIG_GAMEPORT_EMU10K1=m +CONFIG_GAMEPORT_FM801=m # end of Hardware I/O ports # end of Input device support 
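Review bot: `CONFIG_INPUT_UINPUT=y` builds the userspace input-device interface into the kernel, whereas most tristate entries enabled in this hunk are `=m`. When built in, /dev/uinput cannot be withheld through module policy, and any process that can open the node can create virtual input devices. Access control then rests entirely on the device-node permissions, which are not visible in this diff. Prefer `CONFIG_INPUT_UINPUT=m` unless early-boot use is required.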
@@ -2788,9 +3882,18 @@ CONFIG_HW_CONSOLE=y CONFIG_VT_HW_CONSOLE_BINDING=y CONFIG_UNIX98_PTYS=y # CONFIG_LEGACY_PTYS is not set -# CONFIG_SERIAL_NONSTANDARD is not set -# CONFIG_NOZOMI is not set -# CONFIG_N_GSM is not set +CONFIG_SERIAL_NONSTANDARD=y +CONFIG_ROCKETPORT=m +CONFIG_CYCLADES=m +# CONFIG_CYZ_INTR is not set +CONFIG_MOXA_INTELLIO=m +CONFIG_MOXA_SMARTIO=m +CONFIG_SYNCLINKMP=m +CONFIG_SYNCLINK_GT=m +CONFIG_NOZOMI=m +CONFIG_ISI=m +CONFIG_N_HDLC=m +CONFIG_N_GSM=m # CONFIG_TRACE_SINK is not set # CONFIG_NULL_TTY is not set # CONFIG_LDISC_AUTOLOAD is not set @@ -2803,16 +3906,16 @@ CONFIG_SERIAL_EARLYCON=y CONFIG_SERIAL_8250=y CONFIG_SERIAL_8250_DEPRECATED_OPTIONS=y CONFIG_SERIAL_8250_PNP=y -# CONFIG_SERIAL_8250_FINTEK is not set +CONFIG_SERIAL_8250_FINTEK=y CONFIG_SERIAL_8250_CONSOLE=y CONFIG_SERIAL_8250_DMA=y CONFIG_SERIAL_8250_PCI=y -# CONFIG_SERIAL_8250_EXAR is not set -CONFIG_SERIAL_8250_NR_UARTS=32 -CONFIG_SERIAL_8250_RUNTIME_UARTS=4 +CONFIG_SERIAL_8250_EXAR=m +CONFIG_SERIAL_8250_NR_UARTS=48 +CONFIG_SERIAL_8250_RUNTIME_UARTS=32 CONFIG_SERIAL_8250_EXTENDED=y CONFIG_SERIAL_8250_MANY_PORTS=y -# CONFIG_SERIAL_8250_ASPEED_VUART is not set +CONFIG_SERIAL_8250_ASPEED_VUART=m CONFIG_SERIAL_8250_SHARE_IRQ=y # CONFIG_SERIAL_8250_DETECT_IRQ is not set CONFIG_SERIAL_8250_RSA=y 
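Review bot: In the first hunk on this line (-2788,9), `CONFIG_N_GSM=m` and `CONFIG_N_HDLC=m` add TTY line disciplines that few workloads use and that are attached through an ioctl on any TTY. The context line `# CONFIG_LDISC_AUTOLOAD is not set` is what stops them from being loaded on demand by a process without CAP_SYS_MODULE, so it must survive the next config regeneration and is worth naming in the commit description. If no package needs GSM 07.10 multiplexing or HDLC framing, leave them as `# CONFIG_N_GSM is not set` and `# CONFIG_N_HDLC is not set`.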
@@ -2820,48 +3923,66 @@ CONFIG_SERIAL_8250_DWLIB=y CONFIG_SERIAL_8250_BCM2835AUX=y CONFIG_SERIAL_8250_FSL=y CONFIG_SERIAL_8250_DW=y -# CONFIG_SERIAL_8250_RT288X is not set -# CONFIG_SERIAL_8250_MT6577 is not set +CONFIG_SERIAL_8250_RT288X=y +CONFIG_SERIAL_8250_OMAP=m +CONFIG_SERIAL_8250_MT6577=y CONFIG_SERIAL_OF_PLATFORM=y # # Non-8250 serial port support # -# CONFIG_SERIAL_AMBA_PL010 is not set +CONFIG_SERIAL_AMBA_PL010=m CONFIG_SERIAL_AMBA_PL011=y CONFIG_SERIAL_AMBA_PL011_CONSOLE=y -# CONFIG_SERIAL_EARLYCON_ARM_SEMIHOST is not set -# CONFIG_SERIAL_MESON is not set -# CONFIG_SERIAL_SAMSUNG is not set -# CONFIG_SERIAL_MAX3100 is not set -# CONFIG_SERIAL_MAX310X is not set -# CONFIG_SERIAL_UARTLITE is not set +CONFIG_SERIAL_EARLYCON_ARM_SEMIHOST=y +CONFIG_SERIAL_MESON=y +CONFIG_SERIAL_MESON_CONSOLE=y +CONFIG_SERIAL_MAX3100=m +CONFIG_SERIAL_MAX310X=y +CONFIG_SERIAL_IMX=y +CONFIG_SERIAL_IMX_CONSOLE=y +CONFIG_SERIAL_UARTLITE=m +CONFIG_SERIAL_UARTLITE_NR_UARTS=1 +CONFIG_SERIAL_SH_SCI=m +CONFIG_SERIAL_SH_SCI_NR_UARTS=2 +CONFIG_SERIAL_SH_SCI_DMA=y CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y -# CONFIG_SERIAL_JSM is not set -# CONFIG_SERIAL_MSM is not set -# CONFIG_SERIAL_SIFIVE is not set -# CONFIG_SERIAL_SCCNXP is not set +CONFIG_SERIAL_JSM=m +CONFIG_SERIAL_MSM=y +CONFIG_SERIAL_MSM_CONSOLE=y +CONFIG_SERIAL_SIFIVE=m +CONFIG_SERIAL_SCCNXP=y +CONFIG_SERIAL_SCCNXP_CONSOLE=y CONFIG_SERIAL_SC16IS7XX_CORE=m CONFIG_SERIAL_SC16IS7XX=m CONFIG_SERIAL_SC16IS7XX_I2C=y CONFIG_SERIAL_SC16IS7XX_SPI=y -# CONFIG_SERIAL_ALTERA_JTAGUART is not set -# CONFIG_SERIAL_ALTERA_UART is not set +CONFIG_SERIAL_ALTERA_JTAGUART=m +CONFIG_SERIAL_ALTERA_UART=m +CONFIG_SERIAL_ALTERA_UART_MAXPORTS=4 +CONFIG_SERIAL_ALTERA_UART_BAUDRATE=115200 # CONFIG_SERIAL_IFX6X60 is not set -# CONFIG_SERIAL_XILINX_PS_UART is not set -# CONFIG_SERIAL_ARC is not set -# CONFIG_SERIAL_RP2 is not set -# CONFIG_SERIAL_FSL_LPUART is not set +CONFIG_SERIAL_XILINX_PS_UART=m +CONFIG_SERIAL_ARC=m +CONFIG_SERIAL_ARC_NR_PORTS=1 
+CONFIG_SERIAL_RP2=m +CONFIG_SERIAL_RP2_NR_UARTS=32 +CONFIG_SERIAL_FSL_LPUART=m # CONFIG_SERIAL_FSL_LINFLEXUART is not set -# CONFIG_SERIAL_CONEXANT_DIGICOLOR is not set -# CONFIG_SERIAL_SPRD is not set -# CONFIG_SERIAL_MVEBU_UART is not set +CONFIG_SERIAL_CONEXANT_DIGICOLOR=m +CONFIG_SERIAL_SPRD=m +CONFIG_SERIAL_MVEBU_UART=y +CONFIG_SERIAL_MVEBU_CONSOLE=y +CONFIG_SERIAL_OWL=y +CONFIG_SERIAL_OWL_CONSOLE=y # end of Serial drivers CONFIG_SERIAL_MCTRL_GPIO=y -# CONFIG_SERIAL_DEV_BUS is not set -# CONFIG_TTY_PRINTK is not set +CONFIG_SERIAL_DEV_BUS=y +CONFIG_SERIAL_DEV_CTRL_TTYPORT=y +CONFIG_TTY_PRINTK=y +CONFIG_TTY_PRINTK_LEVEL=6 CONFIG_HVC_DRIVER=y CONFIG_HVC_IRQ=y CONFIG_HVC_XEN=y @@ -2875,23 +3996,23 @@ CONFIG_IPMI_PANIC_EVENT=y CONFIG_IPMI_PANIC_STRING=y CONFIG_IPMI_DEVICE_INTERFACE=m CONFIG_IPMI_SI=m -# CONFIG_IPMI_SSIF is not set +CONFIG_IPMI_SSIF=m CONFIG_IPMI_WATCHDOG=m CONFIG_IPMI_POWEROFF=m -# CONFIG_IPMB_DEVICE_INTERFACE is not set +CONFIG_IPMB_DEVICE_INTERFACE=m CONFIG_HW_RANDOM=y CONFIG_HW_RANDOM_TIMERIOMEM=m CONFIG_HW_RANDOM_BCM2835=m CONFIG_HW_RANDOM_IPROC_RNG200=m -# CONFIG_HW_RANDOM_OMAP is not set +CONFIG_HW_RANDOM_OMAP=m CONFIG_HW_RANDOM_VIRTIO=m +CONFIG_HW_RANDOM_IMX_RNGC=m CONFIG_HW_RANDOM_HISI=m CONFIG_HW_RANDOM_XGENE=m CONFIG_HW_RANDOM_MESON=m CONFIG_HW_RANDOM_CAVIUM=m -# CONFIG_HW_RANDOM_MTK is not set -# CONFIG_HW_RANDOM_EXYNOS is not set -# CONFIG_APPLICOM is not set +CONFIG_HW_RANDOM_MTK=m +CONFIG_APPLICOM=m CONFIG_RAW_DRIVER=m CONFIG_MAX_RAW_DEVS=8192 CONFIG_TCG_TPM=y 
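Review bot: In the serial hunk (-2820,48), `CONFIG_TTY_PRINTK=y` with `CONFIG_TTY_PRINTK_LEVEL=6` adds /dev/ttyprintk, which was previously disabled. Anything written to that device by user space is emitted into the kernel log, which makes log content harder to trust for anyone triaging from dmesg and offers a way to flood the ring buffer. The Kconfig help recommends N when unsure. Unless an init or container setup in this distribution relies on it, restore `# CONFIG_TTY_PRINTK is not set`.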
@@ -2906,11 +4027,14 @@ CONFIG_TCG_ATMEL=m CONFIG_TCG_INFINEON=m CONFIG_TCG_XEN=m CONFIG_TCG_CRB=y -# CONFIG_TCG_VTPM_PROXY is not set -# CONFIG_TCG_TIS_ST33ZP24_I2C is not set -# CONFIG_TCG_TIS_ST33ZP24_SPI is not set +CONFIG_TCG_VTPM_PROXY=m +CONFIG_TCG_TIS_ST33ZP24=m +CONFIG_TCG_TIS_ST33ZP24_I2C=m +CONFIG_TCG_TIS_ST33ZP24_SPI=m # CONFIG_DEVPORT is not set -# CONFIG_XILLYBUS is not set +CONFIG_XILLYBUS=m +CONFIG_XILLYBUS_PCIE=m +CONFIG_XILLYBUS_OF=m # end of Character devices # CONFIG_RANDOM_TRUST_BOOTLOADER is not set @@ -2922,27 +4046,28 @@ CONFIG_I2C=y CONFIG_ACPI_I2C_OPREGION=y CONFIG_I2C_BOARDINFO=y CONFIG_I2C_COMPAT=y -CONFIG_I2C_CHARDEV=m +CONFIG_I2C_CHARDEV=y CONFIG_I2C_MUX=m # # Multiplexer I2C Chip support # -# CONFIG_I2C_ARB_GPIO_CHALLENGE is not set -# CONFIG_I2C_MUX_GPIO is not set -# CONFIG_I2C_MUX_GPMUX is not set -# CONFIG_I2C_MUX_LTC4306 is not set -# CONFIG_I2C_MUX_PCA9541 is not set +CONFIG_I2C_ARB_GPIO_CHALLENGE=m +CONFIG_I2C_MUX_GPIO=m +CONFIG_I2C_MUX_GPMUX=m +CONFIG_I2C_MUX_LTC4306=m +CONFIG_I2C_MUX_PCA9541=m CONFIG_I2C_MUX_PCA954x=m -# CONFIG_I2C_MUX_PINCTRL is not set -# CONFIG_I2C_MUX_REG is not set -# CONFIG_I2C_DEMUX_PINCTRL is not set -# CONFIG_I2C_MUX_MLXCPLD is not set +CONFIG_I2C_MUX_PINCTRL=m +CONFIG_I2C_MUX_REG=m +CONFIG_I2C_DEMUX_PINCTRL=m +CONFIG_I2C_MUX_MLXCPLD=m # end of Multiplexer I2C Chip support CONFIG_I2C_HELPER_AUTO=y CONFIG_I2C_SMBUS=m CONFIG_I2C_ALGOBIT=y +CONFIG_I2C_ALGOPCA=m # # I2C Hardware Bus support 
@@ -2951,15 +4076,15 @@ CONFIG_I2C_ALGOBIT=y # # PC SMBus host controller drivers # -# CONFIG_I2C_ALI1535 is not set -# CONFIG_I2C_ALI1563 is not set -# CONFIG_I2C_ALI15X3 is not set +CONFIG_I2C_ALI1535=m +CONFIG_I2C_ALI1563=m +CONFIG_I2C_ALI15X3=m CONFIG_I2C_AMD756=m CONFIG_I2C_AMD8111=m # CONFIG_I2C_AMD_MP2 is not set -# CONFIG_I2C_HIX5HD2 is not set +CONFIG_I2C_HIX5HD2=m CONFIG_I2C_I801=m -# CONFIG_I2C_ISCH is not set +CONFIG_I2C_ISCH=m CONFIG_I2C_PIIX4=m # CONFIG_I2C_NFORCE2 is not set # CONFIG_I2C_NVIDIA_GPU is not set 
@@ -2981,38 +4106,48 @@ CONFIG_I2C_BCM2835=m CONFIG_I2C_BCM_IPROC=y CONFIG_I2C_BRCMSTB=y # CONFIG_I2C_CADENCE is not set -# CONFIG_I2C_CBUS_GPIO is not set -# CONFIG_I2C_DESIGNWARE_PLATFORM is not set -# CONFIG_I2C_DESIGNWARE_PCI is not set +CONFIG_I2C_CBUS_GPIO=m +CONFIG_I2C_DESIGNWARE_CORE=y +CONFIG_I2C_DESIGNWARE_PLATFORM=y +# CONFIG_I2C_DESIGNWARE_SLAVE is not set +CONFIG_I2C_DESIGNWARE_PCI=m # CONFIG_I2C_EMEV2 is not set -CONFIG_I2C_EXYNOS5=y CONFIG_I2C_GPIO=m # CONFIG_I2C_GPIO_FAULT_INJECTOR is not set CONFIG_I2C_IMX=m -# CONFIG_I2C_MESON is not set -# CONFIG_I2C_MT65XX is not set +CONFIG_I2C_IMX_LPI2C=m +CONFIG_I2C_MESON=m +CONFIG_I2C_MT65XX=m CONFIG_I2C_MV64XXX=m -# CONFIG_I2C_NOMADIK is not set -# CONFIG_I2C_OCORES is not set -# CONFIG_I2C_PCA_PLATFORM is not set -# CONFIG_I2C_PXA is not set +CONFIG_I2C_NOMADIK=m +CONFIG_I2C_OCORES=m +CONFIG_I2C_OMAP=y +CONFIG_I2C_OWL=m +CONFIG_I2C_PCA_PLATFORM=m +CONFIG_I2C_PXA=m +CONFIG_I2C_PXA_SLAVE=y CONFIG_I2C_QUP=m +CONFIG_I2C_RIIC=m CONFIG_I2C_RK3X=m -# CONFIG_I2C_SIMTEC is not set -# CONFIG_I2C_SPRD is not set -CONFIG_I2C_TEGRA=m -# CONFIG_I2C_VERSATILE is not set +CONFIG_I2C_SH_MOBILE=m +CONFIG_I2C_SIMTEC=m +CONFIG_I2C_SPRD=y +CONFIG_I2C_SYNQUACER=m +# CONFIG_I2C_TEGRA is not set +CONFIG_I2C_VERSATILE=m CONFIG_I2C_THUNDERX=m -# CONFIG_I2C_XILINX is not set +CONFIG_I2C_XILINX=m +CONFIG_I2C_XLP9XX=m +CONFIG_I2C_RCAR=m # # External I2C/SMBus adapter drivers # -# CONFIG_I2C_DIOLAN_U2C is not set -# CONFIG_I2C_PARPORT_LIGHT is not set -# CONFIG_I2C_ROBOTFUZZ_OSIF is not set -# CONFIG_I2C_TAOS_EVM is not set -# CONFIG_I2C_TINY_USB is not set +CONFIG_I2C_DIOLAN_U2C=m +CONFIG_I2C_PARPORT_LIGHT=m +CONFIG_I2C_ROBOTFUZZ_OSIF=m +CONFIG_I2C_TAOS_EVM=m +CONFIG_I2C_TINY_USB=m # # Other I2C/SMBus bus drivers 
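Review bot: `CONFIG_I2C_TEGRA=m` becomes `# CONFIG_I2C_TEGRA is not set` in a commit that otherwise only enables drivers, which looks like an accident of regenerating the config. Other Tegra symbols are still offered as context in this diff (`# CONFIG_KEYBOARD_TEGRA is not set`, `# CONFIG_SPI_TEGRA20_SFLASH is not set`), which suggests the platform itself is still enabled; if so, those boards lose their I2C controller. The removed `CONFIG_I2C_EXYNOS5=y` is different: it disappears together with the other Samsung/Exynos symbols, so that platform was presumably dropped on purpose. Please confirm both, and keep `CONFIG_I2C_TEGRA=m` if Tegra is still supported.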
@@ -3020,15 +4155,17 @@ CONFIG_I2C_THUNDERX=m CONFIG_I2C_XGENE_SLIMPRO=m # end of I2C Hardware Bus support -# CONFIG_I2C_STUB is not set +CONFIG_I2C_STUB=m CONFIG_I2C_SLAVE=y -# CONFIG_I2C_SLAVE_EEPROM is not set +CONFIG_I2C_SLAVE_EEPROM=m # CONFIG_I2C_DEBUG_CORE is not set # CONFIG_I2C_DEBUG_ALGO is not set # CONFIG_I2C_DEBUG_BUS is not set # end of I2C support -# CONFIG_I3C is not set +CONFIG_I3C=m +CONFIG_CDNS_I3C_MASTER=m +CONFIG_DW_I3C_MASTER=m CONFIG_SPI=y # CONFIG_SPI_DEBUG is not set CONFIG_SPI_MASTER=y 
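Review bot: `CONFIG_I2C_STUB=m` in this hunk builds the I2C/SMBus test stub, a fake-adapter driver meant for client-driver development whose Kconfig help says to answer N when unsure. Two other hunks of this file enable development/test drivers the same way: `CONFIG_SPI_LOOPBACK_TEST=m` in the SPI protocol section and `CONFIG_TEST_POWER=m` in the power-supply section. As modules they do nothing until loaded, but they add code that no hardware needs to what looks like a distribution kernel. I would leave all three as they were: `# CONFIG_I2C_STUB is not set`, `# CONFIG_SPI_LOOPBACK_TEST is not set`, `# CONFIG_TEST_POWER is not set`.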
@@ -3037,53 +4174,79 @@ CONFIG_SPI_MEM=y # # SPI Master Controller Drivers # -# CONFIG_SPI_ALTERA is not set -# CONFIG_SPI_ARMADA_3700 is not set -# CONFIG_SPI_AXI_SPI_ENGINE is not set +CONFIG_SPI_ALTERA=m +CONFIG_SPI_ARMADA_3700=m +CONFIG_SPI_AXI_SPI_ENGINE=m CONFIG_SPI_BCM2835=m CONFIG_SPI_BCM2835AUX=m -CONFIG_SPI_BCM_QSPI=y +CONFIG_SPI_BCM_QSPI=m CONFIG_SPI_BITBANG=m CONFIG_SPI_CADENCE=m -# CONFIG_SPI_DESIGNWARE is not set -# CONFIG_SPI_FSL_QUADSPI is not set -# CONFIG_SPI_NXP_FLEXSPI is not set -# CONFIG_SPI_GPIO is not set -CONFIG_SPI_FSL_LIB=m -CONFIG_SPI_FSL_SPI=m +CONFIG_SPI_DESIGNWARE=m +CONFIG_SPI_DW_PCI=m +CONFIG_SPI_DW_MID_DMA=y +CONFIG_SPI_DW_MMIO=m +CONFIG_SPI_FSL_LPSPI=m +CONFIG_SPI_FSL_QUADSPI=m +CONFIG_SPI_NXP_FLEXSPI=m +CONFIG_SPI_GPIO=m +CONFIG_SPI_IMX=m +CONFIG_SPI_FSL_LIB=y +CONFIG_SPI_FSL_SPI=y CONFIG_SPI_FSL_DSPI=m -# CONFIG_SPI_MESON_SPICC is not set -# CONFIG_SPI_MESON_SPIFC is not set -# CONFIG_SPI_MT65XX is not set -# CONFIG_SPI_OC_TINY is not set -# CONFIG_SPI_ORION is not set -# CONFIG_SPI_PL022 is not set -# CONFIG_SPI_PXA2XX is not set +CONFIG_SPI_MESON_SPICC=m +CONFIG_SPI_MESON_SPIFC=m +CONFIG_SPI_MT65XX=m +CONFIG_SPI_OC_TINY=m +CONFIG_SPI_OMAP24XX=y +CONFIG_SPI_ORION=m +CONFIG_SPI_PL022=m +CONFIG_SPI_PXA2XX=m +CONFIG_SPI_PXA2XX_PCI=m CONFIG_SPI_ROCKCHIP=m -# CONFIG_SPI_QCOM_QSPI is not set +CONFIG_SPI_RSPI=m +CONFIG_SPI_QCOM_QSPI=m CONFIG_SPI_QUP=m -# CONFIG_SPI_S3C64XX is not set -# CONFIG_SPI_SC18IS602 is not set -# CONFIG_SPI_SIFIVE is not set -# CONFIG_SPI_SPRD is not set +CONFIG_SPI_SC18IS602=m +CONFIG_SPI_SH_MSIOF=m +CONFIG_SPI_SH_HSPI=m +CONFIG_SPI_SIFIVE=m +CONFIG_SPI_SLAVE_MT27XX=m +CONFIG_SPI_SPRD=m # CONFIG_SPI_SUN4I is not set -# CONFIG_SPI_SUN6I is not set -# CONFIG_SPI_MXIC is not set +CONFIG_SPI_SUN6I=m +CONFIG_SPI_SYNQUACER=m +CONFIG_SPI_MXIC=m # CONFIG_SPI_TEGRA20_SFLASH is not set CONFIG_SPI_THUNDERX=m -# CONFIG_SPI_XCOMM is not set +CONFIG_SPI_XCOMM=m # CONFIG_SPI_XILINX is not set -# CONFIG_SPI_ZYNQMP_GQSPI is 
not set +CONFIG_SPI_XLP=m +CONFIG_SPI_ZYNQMP_GQSPI=m # # SPI Protocol Masters # CONFIG_SPI_SPIDEV=m -# CONFIG_SPI_LOOPBACK_TEST is not set -# CONFIG_SPI_TLE62X0 is not set -# CONFIG_SPI_SLAVE is not set -# CONFIG_SPMI is not set -# CONFIG_HSI is not set +CONFIG_SPI_LOOPBACK_TEST=m +CONFIG_SPI_TLE62X0=m +CONFIG_SPI_SLAVE=y +CONFIG_SPI_SLAVE_TIME=m +CONFIG_SPI_SLAVE_SYSTEM_CONTROL=m +CONFIG_SPI_DYNAMIC=y +CONFIG_SPMI=m +CONFIG_SPMI_MSM_PMIC_ARB=m +CONFIG_HSI=m +CONFIG_HSI_BOARDINFO=y + +# +# HSI controllers +# + +# +# HSI clients +# +CONFIG_HSI_CHAR=m CONFIG_PPS=y # CONFIG_PPS_DEBUG is not set @@ -3091,8 +4254,8 @@ CONFIG_PPS=y # PPS clients support # # CONFIG_PPS_CLIENT_KTIMER is not set -# CONFIG_PPS_CLIENT_LDISC is not set -# CONFIG_PPS_CLIENT_GPIO is not set +CONFIG_PPS_CLIENT_LDISC=m +CONFIG_PPS_CLIENT_GPIO=m # # PPS generators support 
@@ -3104,69 +4267,81 @@ CONFIG_PPS=y CONFIG_PTP_1588_CLOCK=y CONFIG_PTP_1588_CLOCK_DTE=y CONFIG_PTP_1588_CLOCK_QORIQ=m -# CONFIG_DP83640_PHY is not set +CONFIG_DP83640_PHY=m # end of PTP clock support CONFIG_PINCTRL=y +CONFIG_GENERIC_PINCTRL_GROUPS=y CONFIG_PINMUX=y +CONFIG_GENERIC_PINMUX_FUNCTIONS=y CONFIG_PINCONF=y CONFIG_GENERIC_PINCONF=y # CONFIG_DEBUG_PINCTRL is not set -# CONFIG_PINCTRL_AMD is not set -# CONFIG_PINCTRL_MCP23S08 is not set +CONFIG_PINCTRL_AMD=y +CONFIG_PINCTRL_BM1880=y +CONFIG_PINCTRL_MCP23S08=m CONFIG_PINCTRL_ROCKCHIP=y -# CONFIG_PINCTRL_SINGLE is not set -# CONFIG_PINCTRL_SX150X is not set -# CONFIG_PINCTRL_STMFX is not set -# CONFIG_PINCTRL_OCELOT is not set +CONFIG_PINCTRL_SINGLE=y +CONFIG_PINCTRL_SX150X=y +CONFIG_PINCTRL_STMFX=m +CONFIG_PINCTRL_OCELOT=y +CONFIG_PINCTRL_OWL=y +CONFIG_PINCTRL_S700=y +CONFIG_PINCTRL_S900=y CONFIG_PINCTRL_BCM2835=y CONFIG_PINCTRL_IPROC_GPIO=y CONFIG_PINCTRL_NS2_MUX=y -# CONFIG_PINCTRL_AS370 is not set -# CONFIG_PINCTRL_BERLIN_BG4CT is not set +CONFIG_PINCTRL_BERLIN=y +CONFIG_PINCTRL_AS370=y +CONFIG_PINCTRL_BERLIN_BG4CT=y +CONFIG_PINCTRL_IMX=y +CONFIG_PINCTRL_IMX8MM=y +CONFIG_PINCTRL_IMX8MN=y +CONFIG_PINCTRL_IMX8MQ=y CONFIG_PINCTRL_MVEBU=y CONFIG_PINCTRL_ARMADA_AP806=y CONFIG_PINCTRL_ARMADA_CP110=y CONFIG_PINCTRL_ARMADA_37XX=y -# CONFIG_PINCTRL_APQ8064 is not set -# CONFIG_PINCTRL_APQ8084 is not set -# CONFIG_PINCTRL_IPQ4019 is not set -# CONFIG_PINCTRL_IPQ8064 is not set -# CONFIG_PINCTRL_IPQ8074 is not set -# CONFIG_PINCTRL_MSM8660 is not set -# CONFIG_PINCTRL_MSM8960 is not set -# CONFIG_PINCTRL_MDM9615 is not set -# CONFIG_PINCTRL_MSM8X74 is not set -# CONFIG_PINCTRL_MSM8916 is not set -# CONFIG_PINCTRL_MSM8994 is not set -# CONFIG_PINCTRL_MSM8996 is not set -# CONFIG_PINCTRL_MSM8998 is not set -# CONFIG_PINCTRL_QCS404 is not set -# CONFIG_PINCTRL_QDF2XXX is not set -# CONFIG_PINCTRL_QCOM_SSBI_PMIC is not set +CONFIG_PINCTRL_MSM=y +CONFIG_PINCTRL_APQ8064=m +CONFIG_PINCTRL_APQ8084=m 
+CONFIG_PINCTRL_IPQ4019=m +CONFIG_PINCTRL_IPQ8064=m +CONFIG_PINCTRL_IPQ8074=m +CONFIG_PINCTRL_MSM8660=m +CONFIG_PINCTRL_MSM8960=m +CONFIG_PINCTRL_MDM9615=m +CONFIG_PINCTRL_MSM8X74=m +CONFIG_PINCTRL_MSM8916=m +CONFIG_PINCTRL_MSM8994=m +CONFIG_PINCTRL_MSM8996=m +CONFIG_PINCTRL_MSM8998=m +CONFIG_PINCTRL_QCS404=m +CONFIG_PINCTRL_QDF2XXX=m +CONFIG_PINCTRL_QCOM_SPMI_PMIC=m +CONFIG_PINCTRL_QCOM_SSBI_PMIC=m # CONFIG_PINCTRL_SC7180 is not set -# CONFIG_PINCTRL_SDM660 is not set -# CONFIG_PINCTRL_SDM845 is not set -# CONFIG_PINCTRL_SM8150 is not set -CONFIG_PINCTRL_SAMSUNG=y -CONFIG_PINCTRL_EXYNOS=y -CONFIG_PINCTRL_EXYNOS_ARM64=y -# CONFIG_PINCTRL_SPRD is not set +CONFIG_PINCTRL_SDM660=m +CONFIG_PINCTRL_SDM845=m +CONFIG_PINCTRL_SM8150=m +CONFIG_PINCTRL_SH_PFC=y +CONFIG_PINCTRL_SPRD=y +CONFIG_PINCTRL_SPRD_SC9860=y CONFIG_PINCTRL_SUNXI=y -# CONFIG_PINCTRL_SUN4I_A10 is not set -# CONFIG_PINCTRL_SUN5I is not set -# CONFIG_PINCTRL_SUN6I_A31 is not set -# CONFIG_PINCTRL_SUN6I_A31_R is not set -# CONFIG_PINCTRL_SUN8I_A23 is not set -# CONFIG_PINCTRL_SUN8I_A33 is not set -# CONFIG_PINCTRL_SUN8I_A83T is not set -# CONFIG_PINCTRL_SUN8I_A83T_R is not set -# CONFIG_PINCTRL_SUN8I_A23_R is not set -# CONFIG_PINCTRL_SUN8I_H3 is not set +CONFIG_PINCTRL_SUN4I_A10=y +CONFIG_PINCTRL_SUN5I=y +CONFIG_PINCTRL_SUN6I_A31=y +CONFIG_PINCTRL_SUN6I_A31_R=y +CONFIG_PINCTRL_SUN8I_A23=y +CONFIG_PINCTRL_SUN8I_A33=y +CONFIG_PINCTRL_SUN8I_A83T=y +CONFIG_PINCTRL_SUN8I_A83T_R=y +CONFIG_PINCTRL_SUN8I_A23_R=y +CONFIG_PINCTRL_SUN8I_H3=y CONFIG_PINCTRL_SUN8I_H3_R=y -# CONFIG_PINCTRL_SUN8I_V3S is not set -# CONFIG_PINCTRL_SUN9I_A80 is not set -# CONFIG_PINCTRL_SUN9I_A80_R is not set +CONFIG_PINCTRL_SUN8I_V3S=y +CONFIG_PINCTRL_SUN9I_A80=y +CONFIG_PINCTRL_SUN9I_A80_R=y CONFIG_PINCTRL_SUN50I_A64=y CONFIG_PINCTRL_SUN50I_A64_R=y CONFIG_PINCTRL_SUN50I_H5=y 
@@ -3182,20 +4357,22 @@ CONFIG_PINCTRL_TEGRA_XUSB=y # CONFIG_EINT_MTK=y CONFIG_PINCTRL_MTK=y +CONFIG_PINCTRL_MTK_MOORE=y CONFIG_PINCTRL_MTK_PARIS=y -# CONFIG_PINCTRL_MT2712 is not set +CONFIG_PINCTRL_MT2712=y CONFIG_PINCTRL_MT6765=y CONFIG_PINCTRL_MT6797=y -# CONFIG_PINCTRL_MT7622 is not set +CONFIG_PINCTRL_MT7622=y CONFIG_PINCTRL_MT8173=y CONFIG_PINCTRL_MT8183=y CONFIG_PINCTRL_MT8516=y # end of MediaTek pinctrl drivers CONFIG_PINCTRL_MESON=y -# CONFIG_PINCTRL_MESON_GXBB is not set -# CONFIG_PINCTRL_MESON_GXL is not set -# CONFIG_PINCTRL_MESON_AXG is not set +CONFIG_PINCTRL_MESON_GXBB=y +CONFIG_PINCTRL_MESON_GXL=y +CONFIG_PINCTRL_MESON8_PMX=y +CONFIG_PINCTRL_MESON_AXG=y CONFIG_PINCTRL_MESON_AXG_PMX=y CONFIG_PINCTRL_MESON_G12A=y CONFIG_GPIOLIB=y 
@@ -3206,49 +4383,55 @@ CONFIG_GPIOLIB_IRQCHIP=y # CONFIG_DEBUG_GPIO is not set CONFIG_GPIO_SYSFS=y CONFIG_GPIO_GENERIC=y +CONFIG_GPIO_MAX730X=m # # Memory mapped GPIO drivers # -# CONFIG_GPIO_74XX_MMIO is not set -# CONFIG_GPIO_ALTERA is not set -# CONFIG_GPIO_AMDPT is not set -CONFIG_GPIO_RASPBERRYPI_EXP=y -CONFIG_GPIO_BRCMSTB=y -# CONFIG_GPIO_CADENCE is not set -# CONFIG_GPIO_DWAPB is not set -# CONFIG_GPIO_EIC_SPRD is not set -# CONFIG_GPIO_FTGPIO010 is not set +CONFIG_GPIO_74XX_MMIO=m +CONFIG_GPIO_ALTERA=m +CONFIG_GPIO_AMDPT=m +CONFIG_GPIO_RASPBERRYPI_EXP=m +CONFIG_GPIO_BRCMSTB=m +CONFIG_GPIO_CADENCE=m +CONFIG_GPIO_DAVINCI=y +CONFIG_GPIO_DWAPB=m +CONFIG_GPIO_EIC_SPRD=m +CONFIG_GPIO_EXAR=m +CONFIG_GPIO_FTGPIO010=y CONFIG_GPIO_GENERIC_PLATFORM=y -# CONFIG_GPIO_GRGPIO is not set -# CONFIG_GPIO_HLWD is not set -# CONFIG_GPIO_MB86S7X is not set +CONFIG_GPIO_GRGPIO=m +CONFIG_GPIO_HLWD=m +CONFIG_GPIO_MB86S7X=m CONFIG_GPIO_MPC8XXX=y CONFIG_GPIO_MVEBU=y -# CONFIG_GPIO_PL061 is not set -# CONFIG_GPIO_SAMA5D2_PIOBU is not set -# CONFIG_GPIO_SPRD is not set -# CONFIG_GPIO_SYSCON is not set +CONFIG_GPIO_MXC=y +CONFIG_GPIO_PL061=y +CONFIG_GPIO_RCAR=m +CONFIG_GPIO_SAMA5D2_PIOBU=m +CONFIG_GPIO_SPRD=m +CONFIG_GPIO_SYSCON=m CONFIG_GPIO_TEGRA=y -# CONFIG_GPIO_THUNDERX is not set -# CONFIG_GPIO_XGENE is not set -# CONFIG_GPIO_XGENE_SB is not set -# CONFIG_GPIO_XILINX is not set -# CONFIG_GPIO_ZYNQ is not set -# CONFIG_GPIO_AMD_FCH is not set +CONFIG_GPIO_THUNDERX=m +CONFIG_GPIO_XGENE=y +CONFIG_GPIO_XGENE_SB=m +CONFIG_GPIO_XILINX=y +CONFIG_GPIO_XLP=m +CONFIG_GPIO_ZYNQ=m +CONFIG_GPIO_AMD_FCH=m # end of Memory mapped GPIO drivers # # I2C GPIO expanders # -# CONFIG_GPIO_ADP5588 is not set -# CONFIG_GPIO_ADNP is not set -# CONFIG_GPIO_GW_PLD is not set -# CONFIG_GPIO_MAX7300 is not set -# CONFIG_GPIO_MAX732X is not set -# CONFIG_GPIO_PCA953X is not set -# CONFIG_GPIO_PCF857X is not set -# CONFIG_GPIO_TPIC2810 is not set +CONFIG_GPIO_ADP5588=m +CONFIG_GPIO_ADNP=m +CONFIG_GPIO_GW_PLD=m 
+CONFIG_GPIO_MAX7300=m +CONFIG_GPIO_MAX732X=m +CONFIG_GPIO_PCA953X=m +CONFIG_GPIO_PCF857X=m +CONFIG_GPIO_TPIC2810=m # end of I2C GPIO expanders # @@ -3260,20 +4443,20 @@ CONFIG_GPIO_TEGRA=y # PCI GPIO expanders # # CONFIG_GPIO_BT8XX is not set -# CONFIG_GPIO_PCI_IDIO_16 is not set -# CONFIG_GPIO_PCIE_IDIO_24 is not set -# CONFIG_GPIO_RDC321X is not set +CONFIG_GPIO_PCI_IDIO_16=m +CONFIG_GPIO_PCIE_IDIO_24=m +CONFIG_GPIO_RDC321X=m # end of PCI GPIO expanders # # SPI GPIO expanders # -# CONFIG_GPIO_74X164 is not set -# CONFIG_GPIO_MAX3191X is not set -# CONFIG_GPIO_MAX7301 is not set -# CONFIG_GPIO_MC33880 is not set -# CONFIG_GPIO_PISOSR is not set -# CONFIG_GPIO_XRA1403 is not set +CONFIG_GPIO_74X164=m +CONFIG_GPIO_MAX3191X=m +CONFIG_GPIO_MAX7301=m +CONFIG_GPIO_MC33880=m +CONFIG_GPIO_PISOSR=m +CONFIG_GPIO_XRA1403=m # end of SPI GPIO expanders # 
@@ -3282,146 +4465,218 @@ CONFIG_GPIO_TEGRA=y # end of USB GPIO expanders # CONFIG_GPIO_MOCKUP is not set -# CONFIG_W1 is not set -# CONFIG_POWER_AVS is not set +CONFIG_W1=m +CONFIG_W1_CON=y + +# +# 1-wire Bus Masters +# +CONFIG_W1_MASTER_MATROX=m +CONFIG_W1_MASTER_DS2490=m +CONFIG_W1_MASTER_DS2482=m +CONFIG_W1_MASTER_MXC=m +CONFIG_W1_MASTER_DS1WM=m +CONFIG_W1_MASTER_GPIO=m +# CONFIG_W1_MASTER_SGI is not set +# end of 1-wire Bus Masters + +# +# 1-wire Slaves +# +CONFIG_W1_SLAVE_THERM=m +CONFIG_W1_SLAVE_SMEM=m +CONFIG_W1_SLAVE_DS2405=m +CONFIG_W1_SLAVE_DS2408=m +CONFIG_W1_SLAVE_DS2408_READBACK=y +CONFIG_W1_SLAVE_DS2413=m +CONFIG_W1_SLAVE_DS2406=m +CONFIG_W1_SLAVE_DS2423=m +CONFIG_W1_SLAVE_DS2805=m +CONFIG_W1_SLAVE_DS2431=m +CONFIG_W1_SLAVE_DS2433=m +# CONFIG_W1_SLAVE_DS2433_CRC is not set +CONFIG_W1_SLAVE_DS2438=m +# CONFIG_W1_SLAVE_DS250X is not set +CONFIG_W1_SLAVE_DS2780=m +CONFIG_W1_SLAVE_DS2781=m +CONFIG_W1_SLAVE_DS28E04=m +CONFIG_W1_SLAVE_DS28E17=m +# end of 1-wire Slaves + +CONFIG_POWER_AVS=y +CONFIG_ROCKCHIP_IODOMAIN=m CONFIG_POWER_RESET=y -CONFIG_POWER_RESET_BRCMSTB=y -# CONFIG_POWER_RESET_GPIO is not set -# CONFIG_POWER_RESET_GPIO_RESTART is not set -# CONFIG_POWER_RESET_HISI is not set -# CONFIG_POWER_RESET_MSM is not set -# CONFIG_POWER_RESET_LTC2952 is not set -# CONFIG_POWER_RESET_RESTART is not set +# CONFIG_POWER_RESET_BRCMSTB is not set +CONFIG_POWER_RESET_GPIO=y +CONFIG_POWER_RESET_GPIO_RESTART=y +CONFIG_POWER_RESET_HISI=y +CONFIG_POWER_RESET_MSM=y +CONFIG_POWER_RESET_LTC2952=y +CONFIG_POWER_RESET_RESTART=y CONFIG_POWER_RESET_VEXPRESS=y # CONFIG_POWER_RESET_XGENE is not set -# CONFIG_POWER_RESET_SYSCON is not set -# CONFIG_POWER_RESET_SYSCON_POWEROFF is not set -# CONFIG_SYSCON_REBOOT_MODE is not set -# CONFIG_NVMEM_REBOOT_MODE is not set +CONFIG_POWER_RESET_SYSCON=y +CONFIG_POWER_RESET_SYSCON_POWEROFF=y +CONFIG_REBOOT_MODE=m +CONFIG_SYSCON_REBOOT_MODE=m +CONFIG_NVMEM_REBOOT_MODE=m CONFIG_POWER_SUPPLY=y # CONFIG_POWER_SUPPLY_DEBUG is not set -# 
CONFIG_PDA_POWER is not set -# CONFIG_TEST_POWER is not set -# CONFIG_CHARGER_ADP5061 is not set -# CONFIG_BATTERY_DS2780 is not set -# CONFIG_BATTERY_DS2781 is not set -# CONFIG_BATTERY_DS2782 is not set -# CONFIG_BATTERY_SBS is not set -# CONFIG_CHARGER_SBS is not set -# CONFIG_MANAGER_SBS is not set -# CONFIG_BATTERY_BQ27XXX is not set -# CONFIG_BATTERY_MAX17040 is not set -# CONFIG_BATTERY_MAX17042 is not set -# CONFIG_CHARGER_MAX8903 is not set -# CONFIG_CHARGER_LP8727 is not set -# CONFIG_CHARGER_GPIO is not set -# CONFIG_CHARGER_MANAGER is not set -# CONFIG_CHARGER_LT3651 is not set -# CONFIG_CHARGER_DETECTOR_MAX14656 is not set -# CONFIG_CHARGER_BQ2415X is not set -# CONFIG_CHARGER_BQ24257 is not set -# CONFIG_CHARGER_BQ24735 is not set -# CONFIG_CHARGER_BQ25890 is not set -# CONFIG_CHARGER_SMB347 is not set -# CONFIG_BATTERY_GAUGE_LTC2941 is not set -# CONFIG_CHARGER_RT9455 is not set -# CONFIG_CHARGER_UCS1002 is not set -CONFIG_HWMON=m +CONFIG_POWER_SUPPLY_HWMON=y +CONFIG_PDA_POWER=m +CONFIG_TEST_POWER=m +CONFIG_CHARGER_ADP5061=m +CONFIG_BATTERY_DS2760=m +CONFIG_BATTERY_DS2780=m +CONFIG_BATTERY_DS2781=m +CONFIG_BATTERY_DS2782=m +CONFIG_BATTERY_SBS=m +CONFIG_CHARGER_SBS=m +CONFIG_MANAGER_SBS=m +CONFIG_BATTERY_BQ27XXX=m +CONFIG_BATTERY_BQ27XXX_I2C=m +CONFIG_BATTERY_BQ27XXX_HDQ=m +# CONFIG_BATTERY_BQ27XXX_DT_UPDATES_NVM is not set +CONFIG_BATTERY_MAX17040=m +CONFIG_BATTERY_MAX17042=m +CONFIG_BATTERY_MAX1721X=m +CONFIG_CHARGER_MAX8903=m +CONFIG_CHARGER_LP8727=m +CONFIG_CHARGER_GPIO=m +CONFIG_CHARGER_MANAGER=y +CONFIG_CHARGER_LT3651=m +CONFIG_CHARGER_DETECTOR_MAX14656=m +CONFIG_CHARGER_BQ2415X=m +CONFIG_CHARGER_BQ24190=m +CONFIG_CHARGER_BQ24257=m +CONFIG_CHARGER_BQ24735=m +CONFIG_CHARGER_BQ25890=m +CONFIG_CHARGER_SMB347=m +CONFIG_BATTERY_GAUGE_LTC2941=m +CONFIG_CHARGER_RT9455=m +CONFIG_CHARGER_UCS1002=m +CONFIG_HWMON=y +CONFIG_HWMON_VID=m # CONFIG_HWMON_DEBUG_CHIP is not set # # Native drivers # -# CONFIG_SENSORS_AD7314 is not set -# CONFIG_SENSORS_AD7414 is 
not set -# CONFIG_SENSORS_AD7418 is not set -# CONFIG_SENSORS_ADM1021 is not set -# CONFIG_SENSORS_ADM1025 is not set -# CONFIG_SENSORS_ADM1026 is not set -# CONFIG_SENSORS_ADM1029 is not set -# CONFIG_SENSORS_ADM1031 is not set -# CONFIG_SENSORS_ADM9240 is not set -# CONFIG_SENSORS_ADT7310 is not set -# CONFIG_SENSORS_ADT7410 is not set -# CONFIG_SENSORS_ADT7411 is not set -# CONFIG_SENSORS_ADT7462 is not set -# CONFIG_SENSORS_ADT7470 is not set -# CONFIG_SENSORS_ADT7475 is not set +CONFIG_SENSORS_AD7314=m +CONFIG_SENSORS_AD7414=m +CONFIG_SENSORS_AD7418=m +CONFIG_SENSORS_ADM1021=m +CONFIG_SENSORS_ADM1025=m +CONFIG_SENSORS_ADM1026=m +CONFIG_SENSORS_ADM1029=m +CONFIG_SENSORS_ADM1031=m +CONFIG_SENSORS_ADM9240=m +CONFIG_SENSORS_ADT7X10=m +CONFIG_SENSORS_ADT7310=m +CONFIG_SENSORS_ADT7410=m +CONFIG_SENSORS_ADT7411=m +CONFIG_SENSORS_ADT7462=m +CONFIG_SENSORS_ADT7470=m +CONFIG_SENSORS_ADT7475=m # CONFIG_SENSORS_AS370 is not set -# CONFIG_SENSORS_ASC7621 is not set -# CONFIG_SENSORS_ARM_SCPI is not set -# CONFIG_SENSORS_ASPEED is not set -# CONFIG_SENSORS_ATXP1 is not set -# CONFIG_SENSORS_DS620 is not set -# CONFIG_SENSORS_DS1621 is not set -# CONFIG_SENSORS_I5K_AMB is not set -# CONFIG_SENSORS_F71805F is not set -# CONFIG_SENSORS_F71882FG is not set -# CONFIG_SENSORS_F75375S is not set -# CONFIG_SENSORS_FTSTEUTATES is not set -# CONFIG_SENSORS_GL518SM is not set -# CONFIG_SENSORS_GL520SM is not set -# CONFIG_SENSORS_G760A is not set -# CONFIG_SENSORS_G762 is not set -# CONFIG_SENSORS_GPIO_FAN is not set -# CONFIG_SENSORS_HIH6130 is not set -# CONFIG_SENSORS_IBMAEM is not set -# CONFIG_SENSORS_IBMPEX is not set -# CONFIG_SENSORS_IT87 is not set -# CONFIG_SENSORS_JC42 is not set -# CONFIG_SENSORS_POWR1220 is not set -# CONFIG_SENSORS_LINEAGE is not set -# CONFIG_SENSORS_LTC2945 is not set -# CONFIG_SENSORS_LTC2990 is not set -# CONFIG_SENSORS_LTC4151 is not set -# CONFIG_SENSORS_LTC4215 is not set -# CONFIG_SENSORS_LTC4222 is not set -# CONFIG_SENSORS_LTC4245 is not set -# 
CONFIG_SENSORS_LTC4260 is not set -# CONFIG_SENSORS_LTC4261 is not set -# CONFIG_SENSORS_MAX1111 is not set -# CONFIG_SENSORS_MAX16065 is not set -# CONFIG_SENSORS_MAX1619 is not set -# CONFIG_SENSORS_MAX1668 is not set -# CONFIG_SENSORS_MAX197 is not set -# CONFIG_SENSORS_MAX31722 is not set -# CONFIG_SENSORS_MAX6621 is not set -# CONFIG_SENSORS_MAX6639 is not set -# CONFIG_SENSORS_MAX6642 is not set -# CONFIG_SENSORS_MAX6650 is not set -# CONFIG_SENSORS_MAX6697 is not set -# CONFIG_SENSORS_MAX31790 is not set -# CONFIG_SENSORS_MCP3021 is not set -# CONFIG_SENSORS_TC654 is not set -# CONFIG_SENSORS_ADCXX is not set -# CONFIG_SENSORS_LM63 is not set -# CONFIG_SENSORS_LM70 is not set -# CONFIG_SENSORS_LM73 is not set -# CONFIG_SENSORS_LM75 is not set -# CONFIG_SENSORS_LM77 is not set -# CONFIG_SENSORS_LM78 is not set -# CONFIG_SENSORS_LM80 is not set -# CONFIG_SENSORS_LM83 is not set -# CONFIG_SENSORS_LM85 is not set -# CONFIG_SENSORS_LM87 is not set +CONFIG_SENSORS_ASC7621=m +CONFIG_SENSORS_ARM_SCMI=m +CONFIG_SENSORS_ARM_SCPI=m +CONFIG_SENSORS_ASPEED=m +CONFIG_SENSORS_ATXP1=m +CONFIG_SENSORS_DS620=m +CONFIG_SENSORS_DS1621=m +CONFIG_SENSORS_I5K_AMB=m +CONFIG_SENSORS_F71805F=m +CONFIG_SENSORS_F71882FG=m +CONFIG_SENSORS_F75375S=m +CONFIG_SENSORS_FTSTEUTATES=m +CONFIG_SENSORS_GL518SM=m +CONFIG_SENSORS_GL520SM=m +CONFIG_SENSORS_G760A=m +CONFIG_SENSORS_G762=m +CONFIG_SENSORS_GPIO_FAN=m +CONFIG_SENSORS_HIH6130=m +CONFIG_SENSORS_IBMAEM=m +CONFIG_SENSORS_IBMPEX=m +CONFIG_SENSORS_IT87=m +CONFIG_SENSORS_JC42=m +CONFIG_SENSORS_POWR1220=m +CONFIG_SENSORS_LINEAGE=m +CONFIG_SENSORS_LTC2945=m +CONFIG_SENSORS_LTC2990=m +CONFIG_SENSORS_LTC4151=m +CONFIG_SENSORS_LTC4215=m +CONFIG_SENSORS_LTC4222=m +CONFIG_SENSORS_LTC4245=m +CONFIG_SENSORS_LTC4260=m +CONFIG_SENSORS_LTC4261=m +CONFIG_SENSORS_MAX1111=m +CONFIG_SENSORS_MAX16065=m +CONFIG_SENSORS_MAX1619=m +CONFIG_SENSORS_MAX1668=m +CONFIG_SENSORS_MAX197=m +CONFIG_SENSORS_MAX31722=m +CONFIG_SENSORS_MAX6621=m +CONFIG_SENSORS_MAX6639=m 
+CONFIG_SENSORS_MAX6642=m +CONFIG_SENSORS_MAX6650=m +CONFIG_SENSORS_MAX6697=m +CONFIG_SENSORS_MAX31790=m +CONFIG_SENSORS_MCP3021=m +CONFIG_SENSORS_TC654=m +CONFIG_SENSORS_ADCXX=m +CONFIG_SENSORS_LM63=m +CONFIG_SENSORS_LM70=m +CONFIG_SENSORS_LM73=m +CONFIG_SENSORS_LM75=m +CONFIG_SENSORS_LM77=m +CONFIG_SENSORS_LM78=m +CONFIG_SENSORS_LM80=m +CONFIG_SENSORS_LM83=m +CONFIG_SENSORS_LM85=m +CONFIG_SENSORS_LM87=m CONFIG_SENSORS_LM90=m -# CONFIG_SENSORS_LM92 is not set -# CONFIG_SENSORS_LM93 is not set -# CONFIG_SENSORS_LM95234 is not set -# CONFIG_SENSORS_LM95241 is not set -# CONFIG_SENSORS_LM95245 is not set -# CONFIG_SENSORS_PC87360 is not set -# CONFIG_SENSORS_PC87427 is not set -# CONFIG_SENSORS_NTC_THERMISTOR is not set -# CONFIG_SENSORS_NCT6683 is not set -# CONFIG_SENSORS_NCT6775 is not set -# CONFIG_SENSORS_NCT7802 is not set -# CONFIG_SENSORS_NCT7904 is not set -# CONFIG_SENSORS_NPCM7XX is not set +CONFIG_SENSORS_LM92=m +CONFIG_SENSORS_LM93=m +CONFIG_SENSORS_LM95234=m +CONFIG_SENSORS_LM95241=m +CONFIG_SENSORS_LM95245=m +CONFIG_SENSORS_PC87360=m +CONFIG_SENSORS_PC87427=m +CONFIG_SENSORS_NTC_THERMISTOR=m +CONFIG_SENSORS_NCT6683=m +CONFIG_SENSORS_NCT6775=m +CONFIG_SENSORS_NCT7802=m +CONFIG_SENSORS_NCT7904=m +CONFIG_SENSORS_NPCM7XX=m # CONFIG_SENSORS_OCC_P8_I2C is not set -# CONFIG_SENSORS_PCF8591 is not set -# CONFIG_PMBUS is not set -# CONFIG_SENSORS_PWM_FAN is not set +CONFIG_SENSORS_PCF8591=m +CONFIG_PMBUS=m +CONFIG_SENSORS_PMBUS=m +CONFIG_SENSORS_ADM1275=m +CONFIG_SENSORS_IBM_CFFPS=m +# CONFIG_SENSORS_INSPUR_IPSPS is not set +CONFIG_SENSORS_IR35221=m +CONFIG_SENSORS_IR38064=m +CONFIG_SENSORS_IRPS5401=m +CONFIG_SENSORS_ISL68137=m +CONFIG_SENSORS_LM25066=m +CONFIG_SENSORS_LTC2978=m +CONFIG_SENSORS_LTC2978_REGULATOR=y +CONFIG_SENSORS_LTC3815=m +CONFIG_SENSORS_MAX16064=m +CONFIG_SENSORS_MAX20751=m +CONFIG_SENSORS_MAX31785=m +CONFIG_SENSORS_MAX34440=m +CONFIG_SENSORS_MAX8688=m +CONFIG_SENSORS_PXE1610=m +CONFIG_SENSORS_TPS40422=m +CONFIG_SENSORS_TPS53679=m 
+CONFIG_SENSORS_UCD9000=m +CONFIG_SENSORS_UCD9200=m +CONFIG_SENSORS_ZL6100=m +CONFIG_SENSORS_PWM_FAN=m CONFIG_SENSORS_RASPBERRYPI_HWMON=m # CONFIG_SENSORS_SHT15 is not set CONFIG_SENSORS_SHT21=m @@ -3476,6 +4731,7 @@ CONFIG_SENSORS_INA2XX=m CONFIG_THERMAL=y # CONFIG_THERMAL_STATISTICS is not set CONFIG_THERMAL_EMERGENCY_POWEROFF_DELAY_MS=0 +CONFIG_THERMAL_HWMON=y CONFIG_THERMAL_OF=y CONFIG_THERMAL_WRITABLE_TRIPS=y CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y @@ -3493,8 +4749,11 @@ CONFIG_THERMAL_GOV_USER_SPACE=y # CONFIG_THERMAL_EMULATION is not set # CONFIG_THERMAL_MMIO is not set # CONFIG_HISI_THERMAL is not set +# CONFIG_IMX_THERMAL is not set CONFIG_QORIQ_THERMAL=m CONFIG_ROCKCHIP_THERMAL=m +# CONFIG_RCAR_THERMAL is not set +# CONFIG_RCAR_GEN3_THERMAL is not set # CONFIG_ARMADA_THERMAL is not set CONFIG_MTK_THERMAL=y @@ -3507,12 +4766,6 @@ CONFIG_MTK_THERMAL=y CONFIG_BCM_SR_THERMAL=y # end of Broadcom thermal drivers -# -# Samsung thermal drivers -# -# CONFIG_EXYNOS_THERMAL is not set -# end of Samsung thermal drivers - # # NVIDIA Tegra thermal drivers # @@ -3548,17 +4801,19 @@ CONFIG_SOFT_WATCHDOG=m # CONFIG_ARM_SBSA_WATCHDOG is not set # CONFIG_ARMADA_37XX_WATCHDOG is not set # CONFIG_CADENCE_WATCHDOG is not set -CONFIG_HAVE_S3C2410_WATCHDOG=y -# CONFIG_S3C2410_WATCHDOG is not set # CONFIG_DW_WATCHDOG is not set # CONFIG_SUNXI_WATCHDOG is not set # CONFIG_MAX63XX_WATCHDOG is not set # CONFIG_IMX2_WDT is not set +# CONFIG_IMX7ULP_WDT is not set # CONFIG_TEGRA_WATCHDOG is not set # CONFIG_QCOM_WDT is not set # CONFIG_MESON_GXBB_WATCHDOG is not set # CONFIG_MESON_WATCHDOG is not set # CONFIG_MEDIATEK_WATCHDOG is not set +# CONFIG_RENESAS_WDT is not set +# CONFIG_RENESAS_RZAWDT is not set +CONFIG_RTD119X_WATCHDOG=y # CONFIG_SPRD_WATCHDOG is not set # CONFIG_ALIM7101_WDT is not set # CONFIG_I6300ESB_WDT is not set 
@@ -3628,7 +4883,6 @@ CONFIG_MFD_CORE=y # CONFIG_MFD_DA9063 is not set # CONFIG_MFD_DA9150 is not set # CONFIG_MFD_DLN2 is not set -# CONFIG_MFD_EXYNOS_LPASS is not set # CONFIG_MFD_MC13XXX_SPI is not set # CONFIG_MFD_MC13XXX_I2C is not set # CONFIG_MFD_HI6421_PMIC is not set @@ -3636,7 +4890,7 @@ CONFIG_MFD_CORE=y # CONFIG_HTC_PASIC3 is not set # CONFIG_HTC_I2CPLD is not set CONFIG_LPC_ICH=m -# CONFIG_LPC_SCH is not set +CONFIG_LPC_SCH=m # CONFIG_MFD_JANZ_CMODIO is not set # CONFIG_MFD_KEMPLD is not set # CONFIG_MFD_88PM800 is not set @@ -3661,7 +4915,8 @@ CONFIG_LPC_ICH=m # CONFIG_MFD_PCF50633 is not set # CONFIG_UCB1400_CORE is not set # CONFIG_MFD_QCOM_RPM is not set -# CONFIG_MFD_RDC321X is not set +# CONFIG_MFD_SPMI_PMIC is not set +CONFIG_MFD_RDC321X=m # CONFIG_MFD_RT5033 is not set # CONFIG_MFD_RC5T583 is not set # CONFIG_MFD_RK808 is not set @@ -3687,6 +4942,7 @@ CONFIG_MFD_SYSCON=y # CONFIG_MFD_TPS65086 is not set # CONFIG_MFD_TPS65090 is not set # CONFIG_MFD_TPS65217 is not set +# CONFIG_MFD_TPS68470 is not set # CONFIG_MFD_TI_LP873X is not set # CONFIG_MFD_TI_LP87565 is not set # CONFIG_MFD_TPS65218 is not set @@ -3713,8 +4969,9 @@ CONFIG_MFD_SYSCON=y # CONFIG_MFD_ROHM_BD718XX is not set # CONFIG_MFD_ROHM_BD70528 is not set # CONFIG_MFD_STPMIC1 is not set -# CONFIG_MFD_STMFX is not set +CONFIG_MFD_STMFX=m CONFIG_MFD_VEXPRESS_SYSREG=y +# CONFIG_RAVE_SP_CORE is not set # end of Multifunction device drivers CONFIG_REGULATOR=y @@ -3750,6 +5007,7 @@ CONFIG_REGULATOR_FIXED_VOLTAGE=m # CONFIG_REGULATOR_PV88080 is not set # CONFIG_REGULATOR_PV88090 is not set # CONFIG_REGULATOR_PWM is not set +# CONFIG_REGULATOR_QCOM_SPMI is not set # CONFIG_REGULATOR_SLG51000 is not set # CONFIG_REGULATOR_SY8106A is not set # CONFIG_REGULATOR_SY8824X is not set 
@@ -3761,8 +5019,14 @@ CONFIG_REGULATOR_FIXED_VOLTAGE=m # CONFIG_REGULATOR_TPS6524X is not set # CONFIG_REGULATOR_VCTRL is not set # CONFIG_REGULATOR_VEXPRESS is not set -CONFIG_CEC_CORE=m -# CONFIG_RC_CORE is not set +CONFIG_CEC_CORE=y +CONFIG_CEC_NOTIFIER=y +CONFIG_CEC_PIN=y +CONFIG_RC_CORE=m +CONFIG_RC_MAP=m +# CONFIG_LIRC is not set +# CONFIG_RC_DECODERS is not set +# CONFIG_RC_DEVICES is not set CONFIG_MEDIA_SUPPORT=m # @@ -3774,6 +5038,7 @@ CONFIG_MEDIA_CAMERA_SUPPORT=y # CONFIG_MEDIA_RADIO_SUPPORT is not set # CONFIG_MEDIA_SDR_SUPPORT is not set # CONFIG_MEDIA_CEC_SUPPORT is not set +# CONFIG_CEC_PIN_ERROR_INJ is not set # CONFIG_MEDIA_CONTROLLER is not set CONFIG_VIDEO_DEV=m CONFIG_VIDEO_V4L2=m @@ -3860,7 +5125,7 @@ CONFIG_USB_GSPCA=m # # Supported MMC/SDIO adapters # -# CONFIG_CYPRESS_FIRMWARE is not set +CONFIG_CYPRESS_FIRMWARE=m CONFIG_VIDEOBUF2_CORE=m CONFIG_VIDEOBUF2_V4L2=m CONFIG_VIDEOBUF2_MEMOPS=m @@ -3870,6 +5135,7 @@ CONFIG_VIDEOBUF2_VMALLOC=m # Media ancillary drivers (tuners, sensors, i2c, spi, frontends) # # CONFIG_MEDIA_SUBDRV_AUTOSELECT is not set +CONFIG_VIDEO_IR_I2C=m # # I2C Encoders, decoders, sensors and other helper chips @@ -4014,6 +5280,7 @@ CONFIG_VGA_ARB=y CONFIG_VGA_ARB_MAX_GPUS=16 # CONFIG_TEGRA_HOST1X is not set CONFIG_DRM=y +CONFIG_DRM_MIPI_DBI=m CONFIG_DRM_MIPI_DSI=y # CONFIG_DRM_DP_AUX_CHARDEV is not set # CONFIG_DRM_DEBUG_MM is not set 
@@ -4023,53 +5290,84 @@ CONFIG_DRM_KMS_FB_HELPER=y CONFIG_DRM_FBDEV_EMULATION=y CONFIG_DRM_FBDEV_OVERALLOC=100 # CONFIG_DRM_FBDEV_LEAK_PHYS_SMEM is not set -# CONFIG_DRM_LOAD_EDID_FIRMWARE is not set -# CONFIG_DRM_DP_CEC is not set +CONFIG_DRM_LOAD_EDID_FIRMWARE=y +CONFIG_DRM_DP_CEC=y +CONFIG_DRM_TTM=m +CONFIG_DRM_VRAM_HELPER=m CONFIG_DRM_GEM_CMA_HELPER=y CONFIG_DRM_KMS_CMA_HELPER=y CONFIG_DRM_GEM_SHMEM_HELPER=y +CONFIG_DRM_SCHED=m # # I2C encoder or helper chips # -# CONFIG_DRM_I2C_CH7006 is not set -# CONFIG_DRM_I2C_SIL164 is not set -# CONFIG_DRM_I2C_NXP_TDA998X is not set -# CONFIG_DRM_I2C_NXP_TDA9950 is not set +CONFIG_DRM_I2C_CH7006=m +CONFIG_DRM_I2C_SIL164=m +CONFIG_DRM_I2C_NXP_TDA998X=m +CONFIG_DRM_I2C_NXP_TDA9950=m # end of I2C encoder or helper chips # # ARM devices # -# CONFIG_DRM_HDLCD is not set -# CONFIG_DRM_MALI_DISPLAY is not set -# CONFIG_DRM_KOMEDA is not set +CONFIG_DRM_HDLCD=m +# CONFIG_DRM_HDLCD_SHOW_UNDERRUN is not set +CONFIG_DRM_MALI_DISPLAY=m +CONFIG_DRM_KOMEDA=m # end of ARM devices -# CONFIG_DRM_RADEON is not set -# CONFIG_DRM_AMDGPU is not set +CONFIG_DRM_RADEON=m +# CONFIG_DRM_RADEON_USERPTR is not set +CONFIG_DRM_AMDGPU=m +CONFIG_DRM_AMDGPU_SI=y +CONFIG_DRM_AMDGPU_CIK=y +# CONFIG_DRM_AMDGPU_USERPTR is not set +# CONFIG_DRM_AMDGPU_GART_DEBUGFS is not set # # ACP (Audio CoProcessor) Configuration # +# CONFIG_DRM_AMD_ACP is not set # end of ACP (Audio CoProcessor) Configuration -# CONFIG_DRM_NOUVEAU is not set -# CONFIG_DRM_VGEM is not set -# CONFIG_DRM_VKMS is not set -# CONFIG_DRM_EXYNOS is not set -# CONFIG_DRM_UDL is not set -# CONFIG_DRM_AST is not set -# CONFIG_DRM_MGAG200 is not set +# +# Display Engine Configuration +# +CONFIG_DRM_AMD_DC=y +# CONFIG_DEBUG_KERNEL_DC is not set +# end of Display Engine Configuration + +CONFIG_HSA_AMD=y +CONFIG_DRM_NOUVEAU=m +# CONFIG_NOUVEAU_LEGACY_CTX_SUPPORT is not set +CONFIG_NOUVEAU_PLATFORM_DRIVER=y +CONFIG_NOUVEAU_DEBUG=5 +CONFIG_NOUVEAU_DEBUG_DEFAULT=3 +# CONFIG_NOUVEAU_DEBUG_MMU is not set 
+CONFIG_DRM_NOUVEAU_BACKLIGHT=y +CONFIG_DRM_VGEM=m +CONFIG_DRM_VKMS=m +CONFIG_DRM_UDL=m +CONFIG_DRM_AST=m +CONFIG_DRM_MGAG200=m CONFIG_DRM_CIRRUS_QEMU=m -# CONFIG_DRM_RCAR_DW_HDMI is not set -# CONFIG_DRM_RCAR_LVDS is not set +CONFIG_DRM_RCAR_DU=m +CONFIG_DRM_RCAR_DW_HDMI=m +CONFIG_DRM_RCAR_LVDS=m CONFIG_DRM_RCAR_WRITEBACK=y -# CONFIG_DRM_SUN4I is not set -# CONFIG_DRM_QXL is not set -# CONFIG_DRM_BOCHS is not set -# CONFIG_DRM_VIRTIO_GPU is not set -CONFIG_DRM_MSM=y +CONFIG_DRM_SUN4I=m +CONFIG_DRM_SUN4I_HDMI=m +CONFIG_DRM_SUN4I_HDMI_CEC=y +CONFIG_DRM_SUN4I_BACKEND=m +CONFIG_DRM_SUN6I_DSI=m +CONFIG_DRM_SUN8I_DW_HDMI=m +CONFIG_DRM_SUN8I_MIXER=m +CONFIG_DRM_SUN8I_TCON_TOP=m +CONFIG_DRM_QXL=m +CONFIG_DRM_BOCHS=m +CONFIG_DRM_VIRTIO_GPU=m +CONFIG_DRM_MSM=m CONFIG_DRM_MSM_GPU_STATE=y # CONFIG_DRM_MSM_REGISTER_LOGGING is not set # CONFIG_DRM_MSM_GPU_SUDO is not set @@ -4079,7 +5377,7 @@ CONFIG_DRM_MSM_DSI_PLL=y CONFIG_DRM_MSM_DSI_28NM_PHY=y CONFIG_DRM_MSM_DSI_20NM_PHY=y CONFIG_DRM_MSM_DSI_28NM_8960_PHY=y -# CONFIG_DRM_MSM_DSI_14NM_PHY is not set +CONFIG_DRM_MSM_DSI_14NM_PHY=y CONFIG_DRM_MSM_DSI_10NM_PHY=y # CONFIG_DRM_TEGRA is not set CONFIG_DRM_PANEL=y 
@@ -4087,45 +5385,45 @@ CONFIG_DRM_PANEL=y # # Display Panels # -# CONFIG_DRM_PANEL_ARM_VERSATILE is not set -# CONFIG_DRM_PANEL_LVDS is not set -# CONFIG_DRM_PANEL_SIMPLE is not set -# CONFIG_DRM_PANEL_FEIYANG_FY07024DI26A30D is not set -# CONFIG_DRM_PANEL_ILITEK_IL9322 is not set -# CONFIG_DRM_PANEL_ILITEK_ILI9881C is not set -# CONFIG_DRM_PANEL_INNOLUX_P079ZCA is not set -# CONFIG_DRM_PANEL_JDI_LT070ME05000 is not set -# CONFIG_DRM_PANEL_KINGDISPLAY_KD097D04 is not set -# CONFIG_DRM_PANEL_SAMSUNG_LD9040 is not set +CONFIG_DRM_PANEL_ARM_VERSATILE=m +CONFIG_DRM_PANEL_LVDS=m +CONFIG_DRM_PANEL_SIMPLE=m +CONFIG_DRM_PANEL_FEIYANG_FY07024DI26A30D=m +CONFIG_DRM_PANEL_ILITEK_IL9322=m +CONFIG_DRM_PANEL_ILITEK_ILI9881C=m +CONFIG_DRM_PANEL_INNOLUX_P079ZCA=m +CONFIG_DRM_PANEL_JDI_LT070ME05000=m +CONFIG_DRM_PANEL_KINGDISPLAY_KD097D04=m +CONFIG_DRM_PANEL_SAMSUNG_LD9040=m # CONFIG_DRM_PANEL_LG_LB035Q02 is not set -# CONFIG_DRM_PANEL_LG_LG4573 is not set +CONFIG_DRM_PANEL_LG_LG4573=m # CONFIG_DRM_PANEL_NEC_NL8048HL11 is not set # CONFIG_DRM_PANEL_NOVATEK_NT39016 is not set -# CONFIG_DRM_PANEL_OLIMEX_LCD_OLINUXINO is not set -# CONFIG_DRM_PANEL_ORISETECH_OTM8009A is not set -# CONFIG_DRM_PANEL_OSD_OSD101T2587_53TS is not set -# CONFIG_DRM_PANEL_PANASONIC_VVX10F034N00 is not set +CONFIG_DRM_PANEL_OLIMEX_LCD_OLINUXINO=m +CONFIG_DRM_PANEL_ORISETECH_OTM8009A=m +CONFIG_DRM_PANEL_OSD_OSD101T2587_53TS=m +CONFIG_DRM_PANEL_PANASONIC_VVX10F034N00=m CONFIG_DRM_PANEL_RASPBERRYPI_TOUCHSCREEN=m # CONFIG_DRM_PANEL_RAYDIUM_RM67191 is not set -# CONFIG_DRM_PANEL_RAYDIUM_RM68200 is not set -# CONFIG_DRM_PANEL_ROCKTECH_JH057N00900 is not set -# CONFIG_DRM_PANEL_RONBO_RB070D30 is not set -# CONFIG_DRM_PANEL_SAMSUNG_S6D16D0 is not set -# CONFIG_DRM_PANEL_SAMSUNG_S6E3HA2 is not set -# CONFIG_DRM_PANEL_SAMSUNG_S6E63J0X03 is not set -# CONFIG_DRM_PANEL_SAMSUNG_S6E63M0 is not set -# CONFIG_DRM_PANEL_SAMSUNG_S6E8AA0 is not set -# CONFIG_DRM_PANEL_SEIKO_43WVF1G is not set -# 
CONFIG_DRM_PANEL_SHARP_LQ101R1SX01 is not set +CONFIG_DRM_PANEL_RAYDIUM_RM68200=m +CONFIG_DRM_PANEL_ROCKTECH_JH057N00900=m +CONFIG_DRM_PANEL_RONBO_RB070D30=m +CONFIG_DRM_PANEL_SAMSUNG_S6D16D0=m +CONFIG_DRM_PANEL_SAMSUNG_S6E3HA2=m +CONFIG_DRM_PANEL_SAMSUNG_S6E63J0X03=m +CONFIG_DRM_PANEL_SAMSUNG_S6E63M0=m +CONFIG_DRM_PANEL_SAMSUNG_S6E8AA0=m +CONFIG_DRM_PANEL_SEIKO_43WVF1G=m +CONFIG_DRM_PANEL_SHARP_LQ101R1SX01=m # CONFIG_DRM_PANEL_SHARP_LS037V7DW01 is not set -# CONFIG_DRM_PANEL_SHARP_LS043T1LE01 is not set -# CONFIG_DRM_PANEL_SITRONIX_ST7701 is not set -# CONFIG_DRM_PANEL_SITRONIX_ST7789V is not set +CONFIG_DRM_PANEL_SHARP_LS043T1LE01=m +CONFIG_DRM_PANEL_SITRONIX_ST7701=m +CONFIG_DRM_PANEL_SITRONIX_ST7789V=m # CONFIG_DRM_PANEL_SONY_ACX565AKM is not set # CONFIG_DRM_PANEL_TPO_TD028TTEC1 is not set # CONFIG_DRM_PANEL_TPO_TD043MTEA1 is not set -# CONFIG_DRM_PANEL_TPO_TPG110 is not set -# CONFIG_DRM_PANEL_TRULY_NT35597_WQXGA is not set +CONFIG_DRM_PANEL_TPO_TPG110=m +CONFIG_DRM_PANEL_TRULY_NT35597_WQXGA=m # end of Display Panels CONFIG_DRM_BRIDGE=y 
@@ -4134,45 +5432,57 @@ CONFIG_DRM_PANEL_BRIDGE=y # # Display Interface Bridges # -# CONFIG_DRM_ANALOGIX_ANX78XX is not set -# CONFIG_DRM_CDNS_DSI is not set -# CONFIG_DRM_DUMB_VGA_DAC is not set -# CONFIG_DRM_LVDS_ENCODER is not set -# CONFIG_DRM_MEGACHIPS_STDPXXXX_GE_B850V3_FW is not set -# CONFIG_DRM_NXP_PTN3460 is not set -# CONFIG_DRM_PARADE_PS8622 is not set -# CONFIG_DRM_SIL_SII8620 is not set -# CONFIG_DRM_SII902X is not set -# CONFIG_DRM_SII9234 is not set -# CONFIG_DRM_THINE_THC63LVD1024 is not set -# CONFIG_DRM_TOSHIBA_TC358764 is not set -# CONFIG_DRM_TOSHIBA_TC358767 is not set -# CONFIG_DRM_TI_TFP410 is not set -# CONFIG_DRM_TI_SN65DSI86 is not set -# CONFIG_DRM_I2C_ADV7511 is not set +CONFIG_DRM_ANALOGIX_ANX78XX=m +CONFIG_DRM_CDNS_DSI=m +CONFIG_DRM_DUMB_VGA_DAC=m +CONFIG_DRM_LVDS_ENCODER=m +CONFIG_DRM_MEGACHIPS_STDPXXXX_GE_B850V3_FW=m +CONFIG_DRM_NXP_PTN3460=m +CONFIG_DRM_PARADE_PS8622=m +CONFIG_DRM_SIL_SII8620=m +CONFIG_DRM_SII902X=m +CONFIG_DRM_SII9234=m +CONFIG_DRM_THINE_THC63LVD1024=m +CONFIG_DRM_TOSHIBA_TC358764=m +CONFIG_DRM_TOSHIBA_TC358767=m +CONFIG_DRM_TI_TFP410=m +CONFIG_DRM_TI_SN65DSI86=m +CONFIG_DRM_I2C_ADV7511=m +CONFIG_DRM_I2C_ADV7511_AUDIO=y +CONFIG_DRM_I2C_ADV7533=y +CONFIG_DRM_I2C_ADV7511_CEC=y +CONFIG_DRM_DW_HDMI=m +CONFIG_DRM_DW_HDMI_AHB_AUDIO=m +CONFIG_DRM_DW_HDMI_I2S_AUDIO=m +CONFIG_DRM_DW_HDMI_CEC=m # end of Display Interface Bridges CONFIG_DRM_VC4=m CONFIG_DRM_VC4_HDMI_CEC=y -# CONFIG_DRM_ETNAVIV is not set -# CONFIG_DRM_ARCPGU is not set -# CONFIG_DRM_HISI_HIBMC is not set -# CONFIG_DRM_HISI_KIRIN is not set -# CONFIG_DRM_MEDIATEK is not set -# CONFIG_DRM_MXSFB is not set -# CONFIG_DRM_MESON is not set +CONFIG_DRM_ETNAVIV=m +CONFIG_DRM_ETNAVIV_THERMAL=y +CONFIG_DRM_ARCPGU=m +CONFIG_DRM_HISI_HIBMC=m +CONFIG_DRM_HISI_KIRIN=m +CONFIG_DRM_MEDIATEK=m +CONFIG_DRM_MEDIATEK_HDMI=m +CONFIG_DRM_MXS=y +CONFIG_DRM_MXSFB=m +CONFIG_DRM_MESON=m +CONFIG_DRM_MESON_DW_HDMI=m # CONFIG_DRM_GM12U320 is not set -# CONFIG_TINYDRM_HX8357D is not set 
-# CONFIG_TINYDRM_ILI9225 is not set -# CONFIG_TINYDRM_ILI9341 is not set -# CONFIG_TINYDRM_MI0283QT is not set -# CONFIG_TINYDRM_REPAPER is not set -# CONFIG_TINYDRM_ST7586 is not set -# CONFIG_TINYDRM_ST7735R is not set -# CONFIG_DRM_PL111 is not set -# CONFIG_DRM_XEN is not set -# CONFIG_DRM_LIMA is not set -# CONFIG_DRM_PANFROST is not set +CONFIG_TINYDRM_HX8357D=m +CONFIG_TINYDRM_ILI9225=m +CONFIG_TINYDRM_ILI9341=m +CONFIG_TINYDRM_MI0283QT=m +CONFIG_TINYDRM_REPAPER=m +CONFIG_TINYDRM_ST7586=m +CONFIG_TINYDRM_ST7735R=m +CONFIG_DRM_PL111=m +CONFIG_DRM_XEN=y +CONFIG_DRM_XEN_FRONTEND=m +CONFIG_DRM_LIMA=m +CONFIG_DRM_PANFROST=m # CONFIG_DRM_LEGACY is not set CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y @@ -4182,7 +5492,7 @@ CONFIG_DRM_PANEL_ORIENTATION_QUIRKS=y CONFIG_FB_CMDLINE=y CONFIG_FB_NOTIFY=y CONFIG_FB=y -# CONFIG_FIRMWARE_EDID is not set +CONFIG_FIRMWARE_EDID=y CONFIG_FB_DDC=m CONFIG_FB_CFB_FILLRECT=y CONFIG_FB_CFB_COPYAREA=y 
@@ -4193,65 +5503,108 @@ CONFIG_FB_SYS_IMAGEBLIT=y # CONFIG_FB_FOREIGN_ENDIAN is not set CONFIG_FB_SYS_FOPS=y CONFIG_FB_DEFERRED_IO=y +CONFIG_FB_SVGALIB=m CONFIG_FB_BACKLIGHT=m CONFIG_FB_MODE_HELPERS=y -# CONFIG_FB_TILEBLITTING is not set +CONFIG_FB_TILEBLITTING=y # # Frame buffer hardware drivers # CONFIG_FB_CIRRUS=m -# CONFIG_FB_PM2 is not set -# CONFIG_FB_ARMCLCD is not set -# CONFIG_FB_CYBER2000 is not set -# CONFIG_FB_ASILIANT is not set -# CONFIG_FB_IMSTT is not set -# CONFIG_FB_UVESA is not set +CONFIG_FB_PM2=m +CONFIG_FB_PM2_FIFO_DISCONNECT=y +CONFIG_FB_ARMCLCD=y +CONFIG_FB_IMX=m +CONFIG_FB_CYBER2000=m +CONFIG_FB_CYBER2000_DDC=y +CONFIG_FB_ASILIANT=y +CONFIG_FB_IMSTT=y +CONFIG_FB_UVESA=m CONFIG_FB_EFI=y -# CONFIG_FB_OPENCORES is not set -# CONFIG_FB_S1D13XXX is not set +CONFIG_FB_OPENCORES=m +CONFIG_FB_S1D13XXX=m CONFIG_FB_NVIDIA=m -# CONFIG_FB_NVIDIA_I2C is not set +CONFIG_FB_NVIDIA_I2C=y # CONFIG_FB_NVIDIA_DEBUG is not set CONFIG_FB_NVIDIA_BACKLIGHT=y -# CONFIG_FB_RIVA is not set +CONFIG_FB_RIVA=m +CONFIG_FB_RIVA_I2C=y +# CONFIG_FB_RIVA_DEBUG is not set +CONFIG_FB_RIVA_BACKLIGHT=y CONFIG_FB_I740=m -# CONFIG_FB_MATROX is not set +CONFIG_FB_MATROX=m +CONFIG_FB_MATROX_MILLENIUM=y +CONFIG_FB_MATROX_MYSTIQUE=y +CONFIG_FB_MATROX_G=y +CONFIG_FB_MATROX_I2C=m +CONFIG_FB_MATROX_MAVEN=m CONFIG_FB_RADEON=m CONFIG_FB_RADEON_I2C=y CONFIG_FB_RADEON_BACKLIGHT=y # CONFIG_FB_RADEON_DEBUG is not set -# CONFIG_FB_ATY128 is not set -# CONFIG_FB_ATY is not set -# CONFIG_FB_S3 is not set -# CONFIG_FB_SAVAGE is not set -# CONFIG_FB_SIS is not set -# CONFIG_FB_NEOMAGIC is not set -# CONFIG_FB_KYRO is not set -# CONFIG_FB_3DFX is not set -# CONFIG_FB_VOODOO1 is not set -# CONFIG_FB_VT8623 is not set -# CONFIG_FB_TRIDENT is not set -# CONFIG_FB_ARK is not set -# CONFIG_FB_PM3 is not set -# CONFIG_FB_CARMINE is not set -# CONFIG_FB_SMSCUFX is not set -# CONFIG_FB_UDL is not set +CONFIG_FB_ATY128=m +CONFIG_FB_ATY128_BACKLIGHT=y +CONFIG_FB_ATY=m +CONFIG_FB_ATY_CT=y +# 
CONFIG_FB_ATY_GENERIC_LCD is not set +CONFIG_FB_ATY_GX=y +CONFIG_FB_ATY_BACKLIGHT=y +CONFIG_FB_S3=m +CONFIG_FB_S3_DDC=y +CONFIG_FB_SAVAGE=m +CONFIG_FB_SAVAGE_I2C=y +# CONFIG_FB_SAVAGE_ACCEL is not set +CONFIG_FB_SIS=m +CONFIG_FB_SIS_300=y +CONFIG_FB_SIS_315=y +CONFIG_FB_NEOMAGIC=m +CONFIG_FB_KYRO=m +CONFIG_FB_3DFX=m +# CONFIG_FB_3DFX_ACCEL is not set +# CONFIG_FB_3DFX_I2C is not set +CONFIG_FB_VOODOO1=m +CONFIG_FB_VT8623=m +CONFIG_FB_TRIDENT=m +CONFIG_FB_ARK=m +CONFIG_FB_PM3=m +CONFIG_FB_CARMINE=m +CONFIG_FB_CARMINE_DRAM_EVAL=y +# CONFIG_CARMINE_DRAM_CUSTOM is not set +CONFIG_FB_SH_MOBILE_LCDC=m +CONFIG_FB_SMSCUFX=m +CONFIG_FB_UDL=m # CONFIG_FB_IBM_GXT4500 is not set -# CONFIG_FB_XILINX is not set +CONFIG_FB_XILINX=m # CONFIG_FB_VIRTUAL is not set CONFIG_XEN_FBDEV_FRONTEND=m -# CONFIG_FB_METRONOME is not set -# CONFIG_FB_MB862XX is not set -# CONFIG_FB_SIMPLE is not set -# CONFIG_FB_SSD1307 is not set -# CONFIG_FB_SM712 is not set +CONFIG_FB_METRONOME=m +CONFIG_FB_MB862XX=m +CONFIG_FB_MB862XX_PCI_GDC=y +CONFIG_FB_MB862XX_I2C=y +CONFIG_FB_MX3=y +CONFIG_FB_HYPERV=m +CONFIG_FB_SIMPLE=y +CONFIG_FB_SSD1307=m +CONFIG_FB_SM712=m # end of Frame buffer Devices # # Backlight & LCD device support # -# CONFIG_LCD_CLASS_DEVICE is not set +CONFIG_LCD_CLASS_DEVICE=m +# CONFIG_LCD_L4F00242T03 is not set +# CONFIG_LCD_LMS283GF05 is not set +# CONFIG_LCD_LTV350QV is not set +# CONFIG_LCD_ILI922X is not set +# CONFIG_LCD_ILI9320 is not set +# CONFIG_LCD_TDO24M is not set +# CONFIG_LCD_VGG2432A4 is not set +# CONFIG_LCD_PLATFORM is not set +# CONFIG_LCD_AMS369FG06 is not set +# CONFIG_LCD_LMS501KF03 is not set +# CONFIG_LCD_HX8357 is not set +# CONFIG_LCD_OTM3225A is not set CONFIG_BACKLIGHT_CLASS_DEVICE=y CONFIG_BACKLIGHT_GENERIC=y # CONFIG_BACKLIGHT_PWM is not set @@ -4268,6 +5621,7 @@ CONFIG_BACKLIGHT_GENERIC=y # end of Backlight & LCD device support CONFIG_VGASTATE=m +CONFIG_VIDEOMODE_HELPERS=y CONFIG_HDMI=y # 
@@ -4396,6 +5750,7 @@ CONFIG_SND_HDA_POWER_SAVE_DEFAULT=0 # end of HD-Audio CONFIG_SND_HDA_CORE=m +CONFIG_SND_HDA_COMPONENT=y CONFIG_SND_HDA_PREALLOC_SIZE=64 CONFIG_SND_INTEL_NHLT=m CONFIG_SND_SPI=y @@ -4432,6 +5787,7 @@ CONFIG_SND_SOC_FSL_SAI=m # CONFIG_SND_SOC_FSL_ESAI is not set # CONFIG_SND_SOC_FSL_MICFIL is not set # CONFIG_SND_SOC_IMX_AUDMUX is not set +# CONFIG_SND_IMX_SOC is not set # end of SoC Audio for Freescale CPUs # CONFIG_SND_I2S_HI6210_I2S is not set @@ -4459,7 +5815,14 @@ CONFIG_SND_SOC_FSL_SAI=m # CONFIG_SND_SOC_QCOM is not set # CONFIG_SND_SOC_ROCKCHIP is not set -# CONFIG_SND_SOC_SAMSUNG is not set + +# +# SoC Audio support for Renesas SoCs +# +# CONFIG_SND_SOC_SH4_FSI is not set +# CONFIG_SND_SOC_RCAR is not set +# end of SoC Audio support for Renesas SoCs + # CONFIG_SND_SOC_SOF_TOPLEVEL is not set # CONFIG_SND_SOC_SPRD is not set @@ -4541,6 +5904,7 @@ CONFIG_SND_SOC_HDMI_CODEC=m # CONFIG_SND_SOC_MAX98927 is not set # CONFIG_SND_SOC_MAX98373 is not set # CONFIG_SND_SOC_MAX9860 is not set +# CONFIG_SND_SOC_MSM8916_WCD_ANALOG is not set # CONFIG_SND_SOC_MSM8916_WCD_DIGITAL is not set # CONFIG_SND_SOC_PCM1681 is not set # CONFIG_SND_SOC_PCM1789_I2C is not set 
@@ -4629,136 +5993,154 @@ CONFIG_AC97_BUS=m # HID support # CONFIG_HID=m -# CONFIG_HID_BATTERY_STRENGTH is not set -# CONFIG_HIDRAW is not set -# CONFIG_UHID is not set +CONFIG_HID_BATTERY_STRENGTH=y +CONFIG_HIDRAW=y +CONFIG_UHID=m CONFIG_HID_GENERIC=m # # Special HID drivers # CONFIG_HID_A4TECH=m -# CONFIG_HID_ACCUTOUCH is not set -# CONFIG_HID_ACRUX is not set +CONFIG_HID_ACCUTOUCH=m +CONFIG_HID_ACRUX=m +CONFIG_HID_ACRUX_FF=y CONFIG_HID_APPLE=m -# CONFIG_HID_APPLEIR is not set -# CONFIG_HID_ASUS is not set -# CONFIG_HID_AUREAL is not set +CONFIG_HID_APPLEIR=m +CONFIG_HID_ASUS=m +CONFIG_HID_AUREAL=m CONFIG_HID_BELKIN=m -# CONFIG_HID_BETOP_FF is not set -# CONFIG_HID_BIGBEN_FF is not set +CONFIG_HID_BETOP_FF=m +CONFIG_HID_BIGBEN_FF=m CONFIG_HID_CHERRY=m -# CONFIG_HID_CHICONY is not set -# CONFIG_HID_CORSAIR is not set -# CONFIG_HID_COUGAR is not set -# CONFIG_HID_MACALLY is not set -# CONFIG_HID_PRODIKEYS is not set -# CONFIG_HID_CMEDIA is not set +CONFIG_HID_CHICONY=m +CONFIG_HID_CORSAIR=m +CONFIG_HID_COUGAR=m +CONFIG_HID_MACALLY=m +CONFIG_HID_PRODIKEYS=m +CONFIG_HID_CMEDIA=m +CONFIG_HID_CP2112=m # CONFIG_HID_CREATIVE_SB0540 is not set -# CONFIG_HID_CYPRESS is not set -# CONFIG_HID_DRAGONRISE is not set -# CONFIG_HID_EMS_FF is not set -# CONFIG_HID_ELAN is not set -# CONFIG_HID_ELECOM is not set -# CONFIG_HID_ELO is not set +CONFIG_HID_CYPRESS=m +CONFIG_HID_DRAGONRISE=m +CONFIG_DRAGONRISE_FF=y +CONFIG_HID_EMS_FF=m +CONFIG_HID_ELAN=m +CONFIG_HID_ELECOM=m +CONFIG_HID_ELO=m CONFIG_HID_EZKEY=m -# CONFIG_HID_GEMBIRD is not set -# CONFIG_HID_GFRM is not set -# CONFIG_HID_HOLTEK is not set -# CONFIG_HID_GT683R is not set -# CONFIG_HID_KEYTOUCH is not set -# CONFIG_HID_KYE is not set -# CONFIG_HID_UCLOGIC is not set -# CONFIG_HID_WALTOP is not set -# CONFIG_HID_VIEWSONIC is not set -# CONFIG_HID_GYRATION is not set -# CONFIG_HID_ICADE is not set -# CONFIG_HID_ITE is not set -# CONFIG_HID_JABRA is not set -# CONFIG_HID_TWINHAN is not set -# CONFIG_HID_KENSINGTON is not set 
-# CONFIG_HID_LCPOWER is not set -# CONFIG_HID_LED is not set -# CONFIG_HID_LENOVO is not set +CONFIG_HID_GEMBIRD=m +CONFIG_HID_GFRM=m +CONFIG_HID_HOLTEK=m +CONFIG_HOLTEK_FF=y +CONFIG_HID_GT683R=m +CONFIG_HID_KEYTOUCH=m +CONFIG_HID_KYE=m +CONFIG_HID_UCLOGIC=m +CONFIG_HID_WALTOP=m +CONFIG_HID_VIEWSONIC=m +CONFIG_HID_GYRATION=m +CONFIG_HID_ICADE=m +CONFIG_HID_ITE=m +CONFIG_HID_JABRA=m +CONFIG_HID_TWINHAN=m +CONFIG_HID_KENSINGTON=m +CONFIG_HID_LCPOWER=m +CONFIG_HID_LED=m +CONFIG_HID_LENOVO=m CONFIG_HID_LOGITECH=m -# CONFIG_HID_LOGITECH_HIDPP is not set -# CONFIG_LOGITECH_FF is not set -# CONFIG_LOGIRUMBLEPAD2_FF is not set -# CONFIG_LOGIG940_FF is not set -# CONFIG_LOGIWHEELS_FF is not set -# CONFIG_HID_MAGICMOUSE is not set -# CONFIG_HID_MALTRON is not set -# CONFIG_HID_MAYFLASH is not set -# CONFIG_HID_REDRAGON is not set +CONFIG_HID_LOGITECH_DJ=m +CONFIG_HID_LOGITECH_HIDPP=m +CONFIG_LOGITECH_FF=y +CONFIG_LOGIRUMBLEPAD2_FF=y +CONFIG_LOGIG940_FF=y +CONFIG_LOGIWHEELS_FF=y +CONFIG_HID_MAGICMOUSE=m +CONFIG_HID_MALTRON=m +CONFIG_HID_MAYFLASH=m +CONFIG_HID_REDRAGON=m CONFIG_HID_MICROSOFT=m CONFIG_HID_MONTEREY=m -# CONFIG_HID_MULTITOUCH is not set -# CONFIG_HID_NTI is not set -# CONFIG_HID_NTRIG is not set -# CONFIG_HID_ORTEK is not set -# CONFIG_HID_PANTHERLORD is not set -# CONFIG_HID_PENMOUNT is not set -# CONFIG_HID_PETALYNX is not set -# CONFIG_HID_PICOLCD is not set -# CONFIG_HID_PLANTRONICS is not set -# CONFIG_HID_PRIMAX is not set -# CONFIG_HID_RETRODE is not set -# CONFIG_HID_ROCCAT is not set -# CONFIG_HID_SAITEK is not set -# CONFIG_HID_SAMSUNG is not set -# CONFIG_HID_SONY is not set -# CONFIG_HID_SPEEDLINK is not set -# CONFIG_HID_STEAM is not set -# CONFIG_HID_STEELSERIES is not set -# CONFIG_HID_SUNPLUS is not set -# CONFIG_HID_RMI is not set -# CONFIG_HID_GREENASIA is not set -# CONFIG_HID_SMARTJOYPLUS is not set -# CONFIG_HID_TIVO is not set -# CONFIG_HID_TOPSEED is not set -# CONFIG_HID_THINGM is not set -# CONFIG_HID_THRUSTMASTER is not set -# 
CONFIG_HID_UDRAW_PS3 is not set -# CONFIG_HID_U2FZERO is not set -# CONFIG_HID_WACOM is not set -# CONFIG_HID_WIIMOTE is not set -# CONFIG_HID_XINMO is not set -# CONFIG_HID_ZEROPLUS is not set -# CONFIG_HID_ZYDACRON is not set -# CONFIG_HID_SENSOR_HUB is not set -# CONFIG_HID_ALPS is not set +CONFIG_HID_MULTITOUCH=m +CONFIG_HID_NTI=m +CONFIG_HID_NTRIG=m +CONFIG_HID_ORTEK=m +CONFIG_HID_PANTHERLORD=m +CONFIG_PANTHERLORD_FF=y +CONFIG_HID_PENMOUNT=m +CONFIG_HID_PETALYNX=m +CONFIG_HID_PICOLCD=m +CONFIG_HID_PICOLCD_FB=y +CONFIG_HID_PICOLCD_BACKLIGHT=y +CONFIG_HID_PICOLCD_LCD=y +CONFIG_HID_PICOLCD_LEDS=y +CONFIG_HID_PICOLCD_CIR=y +CONFIG_HID_PLANTRONICS=m +CONFIG_HID_PRIMAX=m +CONFIG_HID_RETRODE=m +CONFIG_HID_ROCCAT=m +CONFIG_HID_SAITEK=m +CONFIG_HID_SAMSUNG=m +CONFIG_HID_SONY=m +CONFIG_SONY_FF=y +CONFIG_HID_SPEEDLINK=m +CONFIG_HID_STEAM=m +CONFIG_HID_STEELSERIES=m +CONFIG_HID_SUNPLUS=m +CONFIG_HID_RMI=m +CONFIG_HID_GREENASIA=m +CONFIG_GREENASIA_FF=y +# CONFIG_HID_HYPERV_MOUSE is not set +CONFIG_HID_SMARTJOYPLUS=m +CONFIG_SMARTJOYPLUS_FF=y +CONFIG_HID_TIVO=m +CONFIG_HID_TOPSEED=m +CONFIG_HID_THINGM=m +CONFIG_HID_THRUSTMASTER=m +CONFIG_THRUSTMASTER_FF=y +CONFIG_HID_UDRAW_PS3=m +CONFIG_HID_U2FZERO=m +CONFIG_HID_WACOM=m +CONFIG_HID_WIIMOTE=m +CONFIG_HID_XINMO=m +CONFIG_HID_ZEROPLUS=m +CONFIG_ZEROPLUS_FF=y +CONFIG_HID_ZYDACRON=m +CONFIG_HID_SENSOR_HUB=m +CONFIG_HID_SENSOR_CUSTOM_SENSOR=m +CONFIG_HID_ALPS=m # end of Special HID drivers # # USB HID support # CONFIG_USB_HID=m -# CONFIG_HID_PID is not set -# CONFIG_USB_HIDDEV is not set +CONFIG_HID_PID=y +CONFIG_USB_HIDDEV=y # # USB HID Boot Protocol drivers # -# CONFIG_USB_KBD is not set -# CONFIG_USB_MOUSE is not set +CONFIG_USB_KBD=m +CONFIG_USB_MOUSE=m # end of USB HID Boot Protocol drivers # end of USB HID support # # I2C HID support # -# CONFIG_I2C_HID is not set +CONFIG_I2C_HID=m # end of I2C HID support # end of HID support CONFIG_USB_OHCI_LITTLE_ENDIAN=y CONFIG_USB_SUPPORT=y -CONFIG_USB_COMMON=m +CONFIG_USB_COMMON=y # 
CONFIG_USB_LED_TRIG is not set # CONFIG_USB_ULPI_BUS is not set # CONFIG_USB_CONN_GPIO is not set CONFIG_USB_ARCH_HAS_HCD=y -CONFIG_USB=m +CONFIG_USB=y CONFIG_USB_PCI=y CONFIG_USB_ANNOUNCE_NEW_DEVICES=y @@ -4766,7 +6148,7 @@ CONFIG_USB_ANNOUNCE_NEW_DEVICES=y # Miscellaneous USB options # CONFIG_USB_DEFAULT_PERSIST=y -# CONFIG_USB_DYNAMIC_MINORS is not set +CONFIG_USB_DYNAMIC_MINORS=y # CONFIG_USB_OTG is not set # CONFIG_USB_OTG_WHITELIST is not set # CONFIG_USB_OTG_BLACKLIST_HUB is not set 
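Review bot: `CONFIG_HIDRAW=y`, `CONFIG_UHID=m` and `CONFIG_USB_HIDDEV=y` in the HID hunk (`@@ -4629`) add raw and userspace-defined HID interfaces that were previously compiled out. The same hunk enables almost every vendor HID driver, each of which parses descriptors and reports supplied by whatever device is attached. If the target images do not need arbitrary peripherals, I would keep the vendor drivers off and leave `# CONFIG_UHID is not set` and `# CONFIG_USB_HIDDEV is not set`. Where they are needed, a short rationale in the commit description would make the larger attack surface a reviewed decision. The hunk also moves `CONFIG_USB` and `CONFIG_USB_COMMON` from `m` to `y`, so the USB core can no longer be kept out of a deployment by blocking the module; please confirm that is intended.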
@@ -4777,46 +6159,48 @@ CONFIG_USB_AUTOSUSPEND_DELAY=2 # # USB Host Controller Drivers # -# CONFIG_USB_C67X00_HCD is not set -CONFIG_USB_XHCI_HCD=m -# CONFIG_USB_XHCI_DBGCAP is not set -CONFIG_USB_XHCI_PCI=m +CONFIG_USB_C67X00_HCD=m +CONFIG_USB_XHCI_HCD=y +CONFIG_USB_XHCI_DBGCAP=y +CONFIG_USB_XHCI_PCI=y CONFIG_USB_XHCI_PLATFORM=m -# CONFIG_USB_XHCI_HISTB is not set -# CONFIG_USB_XHCI_MTK is not set -# CONFIG_USB_XHCI_MVEBU is not set -CONFIG_USB_EHCI_HCD=m -# CONFIG_USB_EHCI_ROOT_HUB_TT is not set +CONFIG_USB_XHCI_HISTB=m +CONFIG_USB_XHCI_MTK=m +CONFIG_USB_XHCI_MVEBU=m +CONFIG_USB_XHCI_RCAR=m +CONFIG_USB_EHCI_HCD=y +CONFIG_USB_EHCI_ROOT_HUB_TT=y CONFIG_USB_EHCI_TT_NEWSCHED=y -CONFIG_USB_EHCI_PCI=m -# CONFIG_USB_EHCI_FSL is not set -# CONFIG_USB_EHCI_HCD_ORION is not set +CONFIG_USB_EHCI_PCI=y +CONFIG_USB_EHCI_FSL=m +CONFIG_USB_EHCI_MXC=m +CONFIG_USB_EHCI_HCD_ORION=y # CONFIG_USB_EHCI_TEGRA is not set -# CONFIG_USB_EHCI_EXYNOS is not set CONFIG_USB_EHCI_HCD_PLATFORM=m -# CONFIG_USB_OXU210HP_HCD is not set -# CONFIG_USB_ISP116X_HCD is not set -# CONFIG_USB_FOTG210_HCD is not set -# CONFIG_USB_MAX3421_HCD is not set -CONFIG_USB_OHCI_HCD=m -CONFIG_USB_OHCI_HCD_PCI=m -CONFIG_USB_OHCI_HCD_SSB=y -# CONFIG_USB_OHCI_EXYNOS is not set +CONFIG_USB_OXU210HP_HCD=m +CONFIG_USB_ISP116X_HCD=m +CONFIG_USB_FOTG210_HCD=m +CONFIG_USB_MAX3421_HCD=m +CONFIG_USB_OHCI_HCD=y +CONFIG_USB_OHCI_HCD_PCI=y CONFIG_USB_OHCI_HCD_PLATFORM=m -CONFIG_USB_UHCI_HCD=m -# CONFIG_USB_SL811_HCD is not set -# CONFIG_USB_R8A66597_HCD is not set -# CONFIG_USB_HCD_BCMA is not set +CONFIG_USB_UHCI_HCD=y +CONFIG_USB_SL811_HCD=m +CONFIG_USB_SL811_HCD_ISO=y +CONFIG_USB_R8A66597_HCD=m +CONFIG_USB_RENESAS_USBHS_HCD=m +CONFIG_USB_HCD_BCMA=m CONFIG_USB_HCD_SSB=m # CONFIG_USB_HCD_TEST_MODE is not set +CONFIG_USB_RENESAS_USBHS=m # # USB Device Class drivers # -# CONFIG_USB_ACM is not set -# CONFIG_USB_PRINTER is not set +CONFIG_USB_ACM=m +CONFIG_USB_PRINTER=m CONFIG_USB_WDM=m -# CONFIG_USB_TMC is not set 
+CONFIG_USB_TMC=m # # NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may @@ -4827,19 +6211,20 @@ CONFIG_USB_WDM=m # CONFIG_USB_STORAGE=m # CONFIG_USB_STORAGE_DEBUG is not set -# CONFIG_USB_STORAGE_REALTEK is not set -# CONFIG_USB_STORAGE_DATAFAB is not set -# CONFIG_USB_STORAGE_FREECOM is not set -# CONFIG_USB_STORAGE_ISD200 is not set -# CONFIG_USB_STORAGE_USBAT is not set -# CONFIG_USB_STORAGE_SDDR09 is not set -# CONFIG_USB_STORAGE_SDDR55 is not set -# CONFIG_USB_STORAGE_JUMPSHOT is not set -# CONFIG_USB_STORAGE_ALAUDA is not set -# CONFIG_USB_STORAGE_ONETOUCH is not set -# CONFIG_USB_STORAGE_KARMA is not set -# CONFIG_USB_STORAGE_CYPRESS_ATACB is not set -# CONFIG_USB_STORAGE_ENE_UB6250 is not set +CONFIG_USB_STORAGE_REALTEK=m +CONFIG_REALTEK_AUTOPM=y +CONFIG_USB_STORAGE_DATAFAB=m +CONFIG_USB_STORAGE_FREECOM=m +CONFIG_USB_STORAGE_ISD200=m +CONFIG_USB_STORAGE_USBAT=m +CONFIG_USB_STORAGE_SDDR09=m +CONFIG_USB_STORAGE_SDDR55=m +CONFIG_USB_STORAGE_JUMPSHOT=m +CONFIG_USB_STORAGE_ALAUDA=m +CONFIG_USB_STORAGE_ONETOUCH=m +CONFIG_USB_STORAGE_KARMA=m +CONFIG_USB_STORAGE_CYPRESS_ATACB=m +CONFIG_USB_STORAGE_ENE_UB6250=m CONFIG_USB_UAS=m # @@ -4854,24 +6239,23 @@ CONFIG_USB_UAS=m CONFIG_USB_DWC3=m CONFIG_USB_DWC3_HOST=y # CONFIG_USB_DWC3_GADGET is not set +# CONFIG_USB_DWC3_DUAL_ROLE is not set # # Platform Glue Driver Support # -CONFIG_USB_DWC3_EXYNOS=m CONFIG_USB_DWC3_PCI=m CONFIG_USB_DWC3_HAPS=m +CONFIG_USB_DWC3_KEYSTONE=m CONFIG_USB_DWC3_MESON_G12A=m CONFIG_USB_DWC3_OF_SIMPLE=m CONFIG_USB_DWC3_QCOM=m -CONFIG_USB_DWC2=m -# CONFIG_USB_DWC2_HOST is not set +CONFIG_USB_DWC2=y +CONFIG_USB_DWC2_HOST=y # # Gadget/Dual-role mode requires USB Gadget support to be enabled # -# CONFIG_USB_DWC2_PERIPHERAL is not set -CONFIG_USB_DWC2_DUAL_ROLE=y # CONFIG_USB_DWC2_PCI is not set # CONFIG_USB_DWC2_DEBUG is not set # CONFIG_USB_DWC2_TRACK_MISSED_SOFS is not set 
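Review bot: `CONFIG_USB_XHCI_DBGCAP=y` in the host-controller hunk (`@@ -4777`) compiles the xHCI debug capability into the kernel, and `CONFIG_USB_XHCI_HCD` itself moves to `y` in the same hunk. This is a debugging facility that can present a serial channel over a USB port, and nothing visible in the change says a supported platform depends on it. Unless one does, I would keep `# CONFIG_USB_XHCI_DBGCAP is not set` for the shipped kernel and enable it only in a debug configuration.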
@@ -4964,6 +6348,7 @@ CONFIG_USB_SERIAL_WWAN=m # CONFIG_USB_HSIC_USB4604 is not set # CONFIG_USB_LINK_LAYER_TEST is not set # CONFIG_USB_CHAOSKEY is not set +# CONFIG_USB_ATM is not set # # USB Physical Layer drivers @@ -4971,6 +6356,7 @@ CONFIG_USB_SERIAL_WWAN=m # CONFIG_NOP_USB_XCEIV is not set # CONFIG_USB_GPIO_VBUS is not set # CONFIG_USB_ISP1301 is not set +# CONFIG_USB_MXS_PHY is not set # CONFIG_USB_TEGRA_PHY is not set # CONFIG_USB_ULPI is not set # end of USB Physical Layer drivers @@ -4985,9 +6371,12 @@ CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS=2 # # USB Peripheral Controller # +# CONFIG_USB_FSL_USB2 is not set # CONFIG_USB_FOTG210_UDC is not set # CONFIG_USB_GR_UDC is not set # CONFIG_USB_R8A66597 is not set +# CONFIG_USB_RENESAS_USBHS_UDC is not set +# CONFIG_USB_RENESAS_USB3 is not set # CONFIG_USB_PXA27X is not set # CONFIG_USB_MV_UDC is not set # CONFIG_USB_MV_U3D is not set @@ -5024,6 +6413,7 @@ CONFIG_TYPEC=m CONFIG_USB_ROLE_SWITCH=m CONFIG_MMC=y CONFIG_PWRSEQ_EMMC=m +# CONFIG_PWRSEQ_SD8787 is not set CONFIG_PWRSEQ_SIMPLE=m CONFIG_MMC_BLOCK=y CONFIG_MMC_BLOCK_MINORS=16 
@@ -5040,41 +6430,71 @@ CONFIG_MMC_STM32_SDMMC=y CONFIG_MMC_SDHCI=y CONFIG_MMC_SDHCI_IO_ACCESSORS=y CONFIG_MMC_SDHCI_PCI=m -# CONFIG_MMC_RICOH_MMC is not set +CONFIG_MMC_RICOH_MMC=y CONFIG_MMC_SDHCI_ACPI=m -CONFIG_MMC_SDHCI_PLTFM=y -# CONFIG_MMC_SDHCI_OF_ARASAN is not set +CONFIG_MMC_SDHCI_PLTFM=m +CONFIG_MMC_SDHCI_OF_ARASAN=m # CONFIG_MMC_SDHCI_OF_ASPEED is not set -# CONFIG_MMC_SDHCI_OF_AT91 is not set -CONFIG_MMC_SDHCI_OF_ESDHC=y -# CONFIG_MMC_SDHCI_OF_DWCMSHC is not set -# CONFIG_MMC_SDHCI_CADENCE is not set +CONFIG_MMC_SDHCI_OF_AT91=m +CONFIG_MMC_SDHCI_OF_ESDHC=m +CONFIG_MMC_SDHCI_OF_DWCMSHC=m +CONFIG_MMC_SDHCI_CADENCE=m +CONFIG_MMC_SDHCI_ESDHC_IMX=m # CONFIG_MMC_SDHCI_TEGRA is not set -# CONFIG_MMC_SDHCI_PXAV3 is not set -# CONFIG_MMC_SDHCI_F_SDH30 is not set -CONFIG_MMC_SDHCI_IPROC=y -# CONFIG_MMC_MESON_GX is not set -# CONFIG_MMC_MESON_MX_SDIO is not set +CONFIG_MMC_SDHCI_PXAV3=m +CONFIG_MMC_SDHCI_F_SDH30=m +CONFIG_MMC_SDHCI_IPROC=m +CONFIG_MMC_MESON_GX=m +CONFIG_MMC_MESON_MX_SDIO=m CONFIG_MMC_SDHCI_MSM=m -# CONFIG_MMC_TIFM_SD is not set -CONFIG_MMC_SPI=y -# CONFIG_MMC_SDHCI_SPRD is not set -# CONFIG_MMC_CB710 is not set -# CONFIG_MMC_VIA_SDMMC is not set -# CONFIG_MMC_DW is not set -# CONFIG_MMC_VUB300 is not set -# CONFIG_MMC_USHC is not set -# CONFIG_MMC_USDHI6ROL0 is not set -# CONFIG_MMC_SUNXI is not set +CONFIG_MMC_MXC=m +CONFIG_MMC_TIFM_SD=m +CONFIG_MMC_SPI=m +CONFIG_MMC_SDHCI_SPRD=m +CONFIG_MMC_TMIO_CORE=m +CONFIG_MMC_SDHI=m +CONFIG_MMC_SDHI_SYS_DMAC=m +CONFIG_MMC_SDHI_INTERNAL_DMAC=m +CONFIG_MMC_CB710=m +CONFIG_MMC_VIA_SDMMC=m +CONFIG_MMC_CAVIUM_THUNDERX=m +CONFIG_MMC_DW=m +CONFIG_MMC_DW_PLTFM=m +CONFIG_MMC_DW_BLUEFIELD=m +CONFIG_MMC_DW_EXYNOS=m +CONFIG_MMC_DW_HI3798CV200=m +CONFIG_MMC_DW_K3=m +CONFIG_MMC_DW_PCI=m +CONFIG_MMC_DW_ROCKCHIP=m +CONFIG_MMC_SH_MMCIF=m +CONFIG_MMC_VUB300=m +CONFIG_MMC_USHC=m +CONFIG_MMC_USDHI6ROL0=m +CONFIG_MMC_SUNXI=m CONFIG_MMC_CQHCI=m -# CONFIG_MMC_TOSHIBA_PCI is not set -CONFIG_MMC_BCM2835=y -# CONFIG_MMC_MTK is not 
set +CONFIG_MMC_TOSHIBA_PCI=m +CONFIG_MMC_BCM2835=m +CONFIG_MMC_MTK=m CONFIG_MMC_SDHCI_BRCMSTB=m -# CONFIG_MMC_SDHCI_XENON is not set -# CONFIG_MMC_SDHCI_OMAP is not set -# CONFIG_MMC_SDHCI_AM654 is not set -# CONFIG_MEMSTICK is not set +CONFIG_MMC_SDHCI_XENON=m +CONFIG_MMC_SDHCI_OMAP=m +CONFIG_MMC_SDHCI_AM654=m +CONFIG_MEMSTICK=m +# CONFIG_MEMSTICK_DEBUG is not set + +# +# MemoryStick drivers +# +# CONFIG_MEMSTICK_UNSAFE_RESUME is not set +CONFIG_MSPRO_BLOCK=m +CONFIG_MS_BLOCK=m + +# +# MemoryStick Host Controller Drivers +# +CONFIG_MEMSTICK_TIFM_MS=m +CONFIG_MEMSTICK_JMICRON_38X=m +CONFIG_MEMSTICK_R592=m CONFIG_NEW_LEDS=y CONFIG_LEDS_CLASS=m # CONFIG_LEDS_CLASS_FLASH is not set @@ -5129,6 +6549,7 @@ CONFIG_LEDS_TRIGGERS=y # CONFIG_LEDS_TRIGGER_TIMER is not set # CONFIG_LEDS_TRIGGER_ONESHOT is not set # CONFIG_LEDS_TRIGGER_DISK is not set +# CONFIG_LEDS_TRIGGER_MTD is not set # CONFIG_LEDS_TRIGGER_HEARTBEAT is not set # CONFIG_LEDS_TRIGGER_BACKLIGHT is not set # CONFIG_LEDS_TRIGGER_CPU is not set 
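Review bot: `CONFIG_MMC_BCM2835`, `CONFIG_MMC_SDHCI_IPROC`, `CONFIG_MMC_SDHCI_PLTFM`, `CONFIG_MMC_SDHCI_OF_ESDHC` and `CONFIG_MMC_SPI` change from `y` to `m` in the MMC hunk (`@@ -5040`). A board whose root filesystem sits on SD or eMMC behind one of these controllers will then boot only if the initramfs carries and loads the matching module. The initramfs contents are not visible in this diff, so this needs confirming on the affected boards. Otherwise keep the controllers already in use built in, for example `CONFIG_MMC_BCM2835=y` and `CONFIG_MMC_SDHCI_IPROC=y`, and add only the new drivers as modules.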
@@ -5146,16 +6567,49 @@ CONFIG_LEDS_TRIGGERS=y # CONFIG_LEDS_TRIGGER_PATTERN is not set # CONFIG_LEDS_TRIGGER_AUDIO is not set # CONFIG_ACCESSIBILITY is not set -# CONFIG_INFINIBAND is not set +CONFIG_INFINIBAND=m +CONFIG_INFINIBAND_USER_MAD=m +CONFIG_INFINIBAND_USER_ACCESS=m +# CONFIG_INFINIBAND_EXP_LEGACY_VERBS_NEW_UAPI is not set +CONFIG_INFINIBAND_USER_MEM=y +CONFIG_INFINIBAND_ON_DEMAND_PAGING=y +CONFIG_INFINIBAND_ADDR_TRANS=y +CONFIG_INFINIBAND_ADDR_TRANS_CONFIGFS=y +CONFIG_INFINIBAND_MTHCA=m +# CONFIG_INFINIBAND_MTHCA_DEBUG is not set +CONFIG_INFINIBAND_CXGB3=m +CONFIG_INFINIBAND_CXGB4=m +CONFIG_INFINIBAND_EFA=m +CONFIG_INFINIBAND_I40IW=m +CONFIG_MLX4_INFINIBAND=m +CONFIG_MLX5_INFINIBAND=m +CONFIG_INFINIBAND_OCRDMA=m +CONFIG_INFINIBAND_VMWARE_PVRDMA=m +CONFIG_INFINIBAND_BNXT_RE=m +CONFIG_INFINIBAND_QEDR=m +CONFIG_RDMA_RXE=m +CONFIG_RDMA_SIW=m +CONFIG_INFINIBAND_IPOIB=m +CONFIG_INFINIBAND_IPOIB_CM=y +# CONFIG_INFINIBAND_IPOIB_DEBUG is not set +CONFIG_INFINIBAND_SRP=m +CONFIG_INFINIBAND_ISER=m CONFIG_EDAC_SUPPORT=y CONFIG_EDAC=y # CONFIG_EDAC_LEGACY_SYSFS is not set # CONFIG_EDAC_DEBUG is not set +CONFIG_EDAC_GHES=y CONFIG_EDAC_LAYERSCAPE=m -# CONFIG_EDAC_THUNDERX is not set -# CONFIG_EDAC_ALTERA is not set -# CONFIG_EDAC_SYNOPSYS is not set -# CONFIG_EDAC_XGENE is not set +CONFIG_EDAC_THUNDERX=m +CONFIG_EDAC_ALTERA=y +CONFIG_EDAC_ALTERA_SDRAM=y +CONFIG_EDAC_ALTERA_ETHERNET=y +CONFIG_EDAC_ALTERA_NAND=y +CONFIG_EDAC_ALTERA_USB=y +CONFIG_EDAC_ALTERA_QSPI=y +CONFIG_EDAC_ALTERA_SDMMC=y +CONFIG_EDAC_SYNOPSYS=m +CONFIG_EDAC_XGENE=m # CONFIG_EDAC_DMC520 is not set CONFIG_RTC_LIB=y CONFIG_RTC_CLASS=y @@ -5164,7 +6618,7 @@ CONFIG_RTC_HCTOSYS_DEVICE="rtc0" CONFIG_RTC_SYSTOHC=y CONFIG_RTC_SYSTOHC_DEVICE="rtc0" # CONFIG_RTC_DEBUG is not set -# CONFIG_RTC_NVMEM is not set +CONFIG_RTC_NVMEM=y # # RTC interfaces 
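Review bot: The InfiniBand block (`@@ -5146`) enables the whole RDMA stack at once, including the userspace verbs interface (`CONFIG_INFINIBAND_USER_ACCESS=m`). It also enables the two software transports `CONFIG_RDMA_RXE=m` and `CONFIG_RDMA_SIW=m`, which make RDMA available over ordinary Ethernet interfaces rather than only on dedicated adapters. If the intent is support for specific hardware, I would enable only those drivers and leave `# CONFIG_RDMA_RXE is not set` and `# CONFIG_RDMA_SIW is not set`. Otherwise the commit description should say which workloads need the software transports, so the extra kernel surface is a deliberate choice.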
@@ -5178,103 +6632,116 @@ CONFIG_RTC_INTF_DEV=y # # I2C RTC drivers # -# CONFIG_RTC_DRV_ABB5ZES3 is not set -# CONFIG_RTC_DRV_ABEOZ9 is not set -# CONFIG_RTC_DRV_ABX80X is not set -CONFIG_RTC_DRV_BRCMSTB=y -# CONFIG_RTC_DRV_DS1307 is not set -# CONFIG_RTC_DRV_DS1374 is not set -# CONFIG_RTC_DRV_DS1672 is not set -# CONFIG_RTC_DRV_HYM8563 is not set -# CONFIG_RTC_DRV_MAX6900 is not set +CONFIG_RTC_DRV_ABB5ZES3=m +CONFIG_RTC_DRV_ABEOZ9=m +CONFIG_RTC_DRV_ABX80X=m +CONFIG_RTC_DRV_BRCMSTB=m +CONFIG_RTC_DRV_DS1307=m +CONFIG_RTC_DRV_DS1307_CENTURY=y +CONFIG_RTC_DRV_DS1374=m +CONFIG_RTC_DRV_DS1374_WDT=y +CONFIG_RTC_DRV_DS1672=m +CONFIG_RTC_DRV_HYM8563=m +CONFIG_RTC_DRV_MAX6900=m CONFIG_RTC_DRV_MESON_VRTC=m -# CONFIG_RTC_DRV_RS5C372 is not set -# CONFIG_RTC_DRV_ISL1208 is not set -# CONFIG_RTC_DRV_ISL12022 is not set -# CONFIG_RTC_DRV_ISL12026 is not set -# CONFIG_RTC_DRV_X1205 is not set -# CONFIG_RTC_DRV_PCF8523 is not set -# CONFIG_RTC_DRV_PCF85063 is not set -# CONFIG_RTC_DRV_PCF85363 is not set -# CONFIG_RTC_DRV_PCF8563 is not set -# CONFIG_RTC_DRV_PCF8583 is not set -# CONFIG_RTC_DRV_M41T80 is not set -# CONFIG_RTC_DRV_BQ32K is not set -# CONFIG_RTC_DRV_S35390A is not set -# CONFIG_RTC_DRV_FM3130 is not set -# CONFIG_RTC_DRV_RX8010 is not set -# CONFIG_RTC_DRV_RX8581 is not set -# CONFIG_RTC_DRV_RX8025 is not set -# CONFIG_RTC_DRV_EM3027 is not set -# CONFIG_RTC_DRV_RV3028 is not set -# CONFIG_RTC_DRV_RV8803 is not set -# CONFIG_RTC_DRV_SD3078 is not set +CONFIG_RTC_DRV_RS5C372=m +CONFIG_RTC_DRV_ISL1208=m +CONFIG_RTC_DRV_ISL12022=m +CONFIG_RTC_DRV_ISL12026=m +CONFIG_RTC_DRV_X1205=m +CONFIG_RTC_DRV_PCF8523=m +CONFIG_RTC_DRV_PCF85063=m +CONFIG_RTC_DRV_PCF85363=m +CONFIG_RTC_DRV_PCF8563=m +CONFIG_RTC_DRV_PCF8583=m +CONFIG_RTC_DRV_M41T80=m +CONFIG_RTC_DRV_M41T80_WDT=y +CONFIG_RTC_DRV_BQ32K=m +CONFIG_RTC_DRV_S35390A=m +CONFIG_RTC_DRV_FM3130=m +CONFIG_RTC_DRV_RX8010=m +CONFIG_RTC_DRV_RX8581=m +CONFIG_RTC_DRV_RX8025=m +CONFIG_RTC_DRV_EM3027=m +CONFIG_RTC_DRV_RV3028=m 
+CONFIG_RTC_DRV_RV8803=m +CONFIG_RTC_DRV_SD3078=m # # SPI RTC drivers # -# CONFIG_RTC_DRV_M41T93 is not set -# CONFIG_RTC_DRV_M41T94 is not set -# CONFIG_RTC_DRV_DS1302 is not set -# CONFIG_RTC_DRV_DS1305 is not set -# CONFIG_RTC_DRV_DS1343 is not set -# CONFIG_RTC_DRV_DS1347 is not set -# CONFIG_RTC_DRV_DS1390 is not set -# CONFIG_RTC_DRV_MAX6916 is not set -# CONFIG_RTC_DRV_R9701 is not set -# CONFIG_RTC_DRV_RX4581 is not set -# CONFIG_RTC_DRV_RX6110 is not set -# CONFIG_RTC_DRV_RS5C348 is not set -# CONFIG_RTC_DRV_MAX6902 is not set -# CONFIG_RTC_DRV_PCF2123 is not set -# CONFIG_RTC_DRV_MCP795 is not set +CONFIG_RTC_DRV_M41T93=m +CONFIG_RTC_DRV_M41T94=m +CONFIG_RTC_DRV_DS1302=m +CONFIG_RTC_DRV_DS1305=m +CONFIG_RTC_DRV_DS1343=m +CONFIG_RTC_DRV_DS1347=m +CONFIG_RTC_DRV_DS1390=m +CONFIG_RTC_DRV_MAX6916=m +CONFIG_RTC_DRV_R9701=m +CONFIG_RTC_DRV_RX4581=m +CONFIG_RTC_DRV_RX6110=m +CONFIG_RTC_DRV_RS5C348=m +CONFIG_RTC_DRV_MAX6902=m +CONFIG_RTC_DRV_PCF2123=m +CONFIG_RTC_DRV_MCP795=m CONFIG_RTC_I2C_AND_SPI=y # # SPI and I2C RTC drivers # -# CONFIG_RTC_DRV_DS3232 is not set -# CONFIG_RTC_DRV_PCF2127 is not set -# CONFIG_RTC_DRV_RV3029C2 is not set +CONFIG_RTC_DRV_DS3232=m +CONFIG_RTC_DRV_DS3232_HWMON=y +CONFIG_RTC_DRV_PCF2127=m +CONFIG_RTC_DRV_RV3029C2=m +CONFIG_RTC_DRV_RV3029_HWMON=y # # Platform RTC drivers # -# CONFIG_RTC_DRV_DS1286 is not set -# CONFIG_RTC_DRV_DS1511 is not set -# CONFIG_RTC_DRV_DS1553 is not set -# CONFIG_RTC_DRV_DS1685_FAMILY is not set -# CONFIG_RTC_DRV_DS1742 is not set -# CONFIG_RTC_DRV_DS2404 is not set -# CONFIG_RTC_DRV_EFI is not set -# CONFIG_RTC_DRV_STK17TA8 is not set -# CONFIG_RTC_DRV_M48T86 is not set -# CONFIG_RTC_DRV_M48T35 is not set -# CONFIG_RTC_DRV_M48T59 is not set -# CONFIG_RTC_DRV_MSM6242 is not set -# CONFIG_RTC_DRV_BQ4802 is not set -# CONFIG_RTC_DRV_RP5C01 is not set -# CONFIG_RTC_DRV_V3020 is not set -# CONFIG_RTC_DRV_ZYNQMP is not set +CONFIG_RTC_DRV_DS1286=m +CONFIG_RTC_DRV_DS1511=m +CONFIG_RTC_DRV_DS1553=m 
+CONFIG_RTC_DRV_DS1685_FAMILY=m +CONFIG_RTC_DRV_DS1685=y +# CONFIG_RTC_DRV_DS1689 is not set +# CONFIG_RTC_DRV_DS17285 is not set +# CONFIG_RTC_DRV_DS17485 is not set +# CONFIG_RTC_DRV_DS17885 is not set +CONFIG_RTC_DRV_DS1742=m +CONFIG_RTC_DRV_DS2404=m +CONFIG_RTC_DRV_EFI=y +CONFIG_RTC_DRV_STK17TA8=m +CONFIG_RTC_DRV_M48T86=m +CONFIG_RTC_DRV_M48T35=m +CONFIG_RTC_DRV_M48T59=m +CONFIG_RTC_DRV_MSM6242=m +CONFIG_RTC_DRV_BQ4802=m +CONFIG_RTC_DRV_RP5C01=m +CONFIG_RTC_DRV_V3020=m +CONFIG_RTC_DRV_ZYNQMP=m # # on-CPU RTC drivers # +CONFIG_RTC_DRV_IMXDI=m CONFIG_RTC_DRV_FSL_FTM_ALARM=y -CONFIG_HAVE_S3C_RTC=y -# CONFIG_RTC_DRV_S3C is not set -# CONFIG_RTC_DRV_PL030 is not set -# CONFIG_RTC_DRV_PL031 is not set -# CONFIG_RTC_DRV_SUN6I is not set -# CONFIG_RTC_DRV_MV is not set -# CONFIG_RTC_DRV_ARMADA38X is not set -# CONFIG_RTC_DRV_CADENCE is not set -# CONFIG_RTC_DRV_FTRTC010 is not set +CONFIG_RTC_DRV_SH=m +CONFIG_RTC_DRV_PL030=m +CONFIG_RTC_DRV_PL031=m +CONFIG_RTC_DRV_SUN6I=y +CONFIG_RTC_DRV_MV=y +CONFIG_RTC_DRV_ARMADA38X=m +CONFIG_RTC_DRV_CADENCE=m +CONFIG_RTC_DRV_FTRTC010=m # CONFIG_RTC_DRV_TEGRA is not set -# CONFIG_RTC_DRV_SNVS is not set +CONFIG_RTC_DRV_MXC=m +CONFIG_RTC_DRV_MXC_V2=m +CONFIG_RTC_DRV_SNVS=m CONFIG_RTC_DRV_MT7622=m -# CONFIG_RTC_DRV_XGENE is not set -# CONFIG_RTC_DRV_R7301 is not set +CONFIG_RTC_DRV_XGENE=y +CONFIG_RTC_DRV_R7301=m +CONFIG_RTC_DRV_RTD119X=y # # HID Sensor RTC drivers 
@@ -5285,52 +6752,65 @@ CONFIG_DMADEVICES=y # # DMA Devices # +CONFIG_ASYNC_TX_ENABLE_CHANNEL_SWITCH=y CONFIG_DMA_ENGINE=y -CONFIG_DMA_VIRTUAL_CHANNELS=m +CONFIG_DMA_VIRTUAL_CHANNELS=y CONFIG_DMA_ACPI=y CONFIG_DMA_OF=y -# CONFIG_ALTERA_MSGDMA is not set -# CONFIG_AMBA_PL08X is not set -# CONFIG_AXI_DMAC is not set -# CONFIG_BCM_SBA_RAID is not set -CONFIG_DMA_BCM2835=m -# CONFIG_DMA_SUN6I is not set -# CONFIG_DW_AXI_DMAC is not set +CONFIG_ALTERA_MSGDMA=m +CONFIG_AMBA_PL08X=y +CONFIG_AXI_DMAC=m +CONFIG_BCM_SBA_RAID=m +CONFIG_DMA_BCM2835=y +CONFIG_DMA_SUN6I=m +CONFIG_DW_AXI_DMAC=m CONFIG_FSL_EDMA=m -# CONFIG_FSL_QDMA is not set -# CONFIG_INTEL_IDMA64 is not set -# CONFIG_K3_DMA is not set -# CONFIG_MV_XOR is not set -# CONFIG_MV_XOR_V2 is not set -# CONFIG_PL330_DMA is not set -# CONFIG_SPRD_DMA is not set +CONFIG_FSL_QDMA=m +CONFIG_IMX_DMA=m +CONFIG_IMX_SDMA=m +CONFIG_INTEL_IDMA64=m +CONFIG_K3_DMA=m +CONFIG_MV_XOR=y +CONFIG_MV_XOR_V2=y +CONFIG_MXS_DMA=y +CONFIG_MX3_IPU=y +CONFIG_MX3_IPU_IRQS=4 +CONFIG_OWL_DMA=m +CONFIG_PL330_DMA=m +CONFIG_SPRD_DMA=m # CONFIG_TEGRA20_APB_DMA is not set # CONFIG_TEGRA210_ADMA is not set -# CONFIG_XGENE_DMA is not set -# CONFIG_XILINX_DMA is not set -# CONFIG_XILINX_ZYNQMP_DMA is not set -# CONFIG_MTK_HSDMA is not set -# CONFIG_MTK_CQDMA is not set +CONFIG_XGENE_DMA=m +CONFIG_XILINX_DMA=m +CONFIG_XILINX_ZYNQMP_DMA=m +CONFIG_MTK_HSDMA=m +CONFIG_MTK_CQDMA=m +CONFIG_MTK_UART_APDMA=m CONFIG_QCOM_BAM_DMA=m -# CONFIG_QCOM_HIDMA_MGMT is not set -# CONFIG_QCOM_HIDMA is not set -# CONFIG_DW_DMAC is not set -# CONFIG_DW_DMAC_PCI is not set -# CONFIG_DW_EDMA is not set -# CONFIG_DW_EDMA_PCIE is not set +CONFIG_QCOM_HIDMA_MGMT=m +CONFIG_QCOM_HIDMA=m +CONFIG_DW_DMAC_CORE=m +CONFIG_DW_DMAC=m +CONFIG_DW_DMAC_PCI=m +CONFIG_DW_EDMA=m +CONFIG_DW_EDMA_PCIE=m +CONFIG_RENESAS_DMA=y +CONFIG_RCAR_DMAC=m +CONFIG_RENESAS_USB_DMAC=m # # DMA Clients # -# CONFIG_ASYNC_TX_DMA is not set +CONFIG_ASYNC_TX_DMA=y # CONFIG_DMATEST is not set +CONFIG_DMA_ENGINE_RAID=y 
# # DMABUF options # CONFIG_SYNC_FILE=y -# CONFIG_SW_SYNC is not set -# CONFIG_UDMABUF is not set +CONFIG_SW_SYNC=y +CONFIG_UDMABUF=y # CONFIG_DMABUF_SELFTESTS is not set # end of DMABUF options @@ -5345,6 +6825,7 @@ CONFIG_UIO_PCI_GENERIC=m # CONFIG_UIO_NETX is not set # CONFIG_UIO_PRUSS is not set # CONFIG_UIO_MF624 is not set +# CONFIG_UIO_HV_GENERIC is not set CONFIG_VFIO_IOMMU_TYPE1=m CONFIG_VFIO_VIRQFD=m CONFIG_VFIO=m @@ -5368,13 +6849,18 @@ CONFIG_VIRTIO_MMIO=y # # Microsoft Hyper-V guest support # -# CONFIG_HYPERV is not set +CONFIG_HYPERV=y +CONFIG_HYPERV_TIMER=y +CONFIG_HYPERV_UTILS=m +CONFIG_HYPERV_BALLOON=y +CONFIG_DXGKRNL=y # end of Microsoft Hyper-V guest support # # Xen driver support # CONFIG_XEN_BALLOON=y +# CONFIG_XEN_BALLOON_MEMORY_HOTPLUG is not set CONFIG_XEN_SCRUB_PAGES_DEFAULT=y CONFIG_XEN_DEV_EVTCHN=m CONFIG_XEN_BACKEND=y @@ -5391,6 +6877,7 @@ CONFIG_SWIOTLB_XEN=y CONFIG_XEN_PRIVCMD=m CONFIG_XEN_EFI=y CONFIG_XEN_AUTO_XLATE=y +CONFIG_XEN_FRONT_PGDIR_SHBUF=m # end of Xen driver support # CONFIG_GREYBUS is not set @@ -5406,6 +6893,7 @@ CONFIG_STAGING=y # CONFIG_VT6655 is not set # CONFIG_VT6656 is not set # CONFIG_FB_SM750 is not set +# CONFIG_USB_EMXX is not set # # Speakup console speech @@ -5447,6 +6935,15 @@ CONFIG_VIDEO_BCM2835=m # CONFIG_XIL_AXIS_FIFO is not set # CONFIG_FIELDBUS_DEV is not set # CONFIG_KPC2000 is not set + +# +# ISDN CAPI drivers +# +# CONFIG_CAPI_AVM is not set +# CONFIG_ISDN_DRV_GIGASET is not set +# CONFIG_HYSDN is not set +# end of ISDN CAPI drivers + # CONFIG_USB_WUSB_CBAF is not set # CONFIG_UWB is not set # CONFIG_EXFAT_FS is not set 
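Review bot: `CONFIG_SW_SYNC=y` in the DMABUF options at the end of the DMA hunk (`@@ -5285`) enables the software sync-timeline driver. Its Kconfig help describes it as intended for test and debug only, and warns that improper use can deadlock kernel drivers from userspace. I would keep `# CONFIG_SW_SYNC is not set` for a distribution kernel. `CONFIG_UDMABUF=y` in the same block adds a userspace-facing device that turns memfd memory into dma-bufs; enable it only if a shipped component uses it.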
@@ -5465,35 +6962,47 @@ CONFIG_COMMON_CLK=y CONFIG_COMMON_CLK_VERSATILE=y CONFIG_CLK_SP810=y CONFIG_CLK_VEXPRESS_OSC=y -# CONFIG_CLK_HSDK is not set -# CONFIG_COMMON_CLK_MAX9485 is not set -# CONFIG_COMMON_CLK_SCPI is not set -# CONFIG_COMMON_CLK_SI5341 is not set -# CONFIG_COMMON_CLK_SI5351 is not set -# CONFIG_COMMON_CLK_SI514 is not set -# CONFIG_COMMON_CLK_SI544 is not set -# CONFIG_COMMON_CLK_SI570 is not set -# CONFIG_COMMON_CLK_CDCE706 is not set -# CONFIG_COMMON_CLK_CDCE925 is not set -# CONFIG_COMMON_CLK_CS2000_CP is not set +CONFIG_CLK_HSDK=y +CONFIG_COMMON_CLK_MAX9485=m +CONFIG_COMMON_CLK_SCMI=m +CONFIG_COMMON_CLK_SCPI=m +CONFIG_COMMON_CLK_SI5341=m +CONFIG_COMMON_CLK_SI5351=m +CONFIG_COMMON_CLK_SI514=m +CONFIG_COMMON_CLK_SI544=m +CONFIG_COMMON_CLK_SI570=m +CONFIG_COMMON_CLK_CDCE706=m +CONFIG_COMMON_CLK_CDCE925=m +CONFIG_COMMON_CLK_CS2000_CP=m CONFIG_CLK_QORIQ=y CONFIG_COMMON_CLK_XGENE=y -# CONFIG_COMMON_CLK_PWM is not set -# CONFIG_COMMON_CLK_VC5 is not set -# CONFIG_COMMON_CLK_FIXED_MMIO is not set +CONFIG_COMMON_CLK_PWM=m +CONFIG_COMMON_CLK_VC5=m +CONFIG_COMMON_CLK_FIXED_MMIO=y +CONFIG_CLK_ACTIONS=y +CONFIG_CLK_OWL_S500=y +CONFIG_CLK_OWL_S700=y +CONFIG_CLK_OWL_S900=y CONFIG_CLK_BCM2835=y CONFIG_COMMON_CLK_IPROC=y CONFIG_CLK_BCM_NS2=y -# CONFIG_CLK_BCM_SR is not set -# CONFIG_CLK_RASPBERRYPI is not set -# CONFIG_COMMON_CLK_HI3516CV300 is not set -CONFIG_COMMON_CLK_HI3519=y -# CONFIG_COMMON_CLK_HI3660 is not set +CONFIG_CLK_BCM_SR=y +CONFIG_CLK_RASPBERRYPI=m +CONFIG_COMMON_CLK_HI3516CV300=m +CONFIG_COMMON_CLK_HI3519=m +CONFIG_COMMON_CLK_HI3660=y CONFIG_COMMON_CLK_HI3670=y -# CONFIG_COMMON_CLK_HI3798CV200 is not set +CONFIG_COMMON_CLK_HI3798CV200=m CONFIG_COMMON_CLK_HI6220=y CONFIG_RESET_HISI=y -# CONFIG_STUB_CLK_HI6220 is not set +CONFIG_STUB_CLK_HI6220=y +CONFIG_STUB_CLK_HI3660=y +CONFIG_MXC_CLK=y +CONFIG_CLK_IMX8MM=y +# CONFIG_CLK_IMX8MN is not set +CONFIG_CLK_IMX8MQ=y +CONFIG_TI_SCI_CLK=m +# CONFIG_TI_SCI_CLK_PROBE_FROM_FW is not set # # Clock driver 
for MediaTek SoC @@ -5543,11 +7052,12 @@ CONFIG_COMMON_CLK_G12A=y CONFIG_ARMADA_AP_CP_HELPER=y CONFIG_ARMADA_37XX_CLK=y CONFIG_ARMADA_AP806_SYSCON=y +CONFIG_ARMADA_AP_CPU_CLK=y CONFIG_ARMADA_CP110_SYSCON=y # CONFIG_COMMON_CLK_QCOM is not set -CONFIG_COMMON_CLK_SAMSUNG=y -CONFIG_EXYNOS_ARM64_COMMON_CLK=y -CONFIG_EXYNOS_AUDSS_CLK_CON=y +CONFIG_CLK_RENESAS=y +# CONFIG_CLK_R9A06G032 is not set +# CONFIG_CLK_RCAR_USB2_CLOCK_SEL is not set # CONFIG_SPRD_COMMON_CLK is not set CONFIG_CLK_SUNXI=y CONFIG_CLK_SUNXI_CLOCKS=y @@ -5576,6 +7086,7 @@ CONFIG_TIMER_ACPI=y CONFIG_TIMER_PROBE=y CONFIG_CLKSRC_MMIO=y CONFIG_ROCKCHIP_TIMER=y +CONFIG_OWL_TIMER=y CONFIG_TEGRA_TIMER=y CONFIG_ARM_ARCH_TIMER=y CONFIG_ARM_ARCH_TIMER_EVTSTREAM=y @@ -5588,17 +7099,21 @@ CONFIG_ARM_TIMER_SP804=y CONFIG_MTK_TIMER=y # CONFIG_SPRD_TIMER is not set CONFIG_CLKSRC_VERSATILE=y +CONFIG_TIMER_IMX_SYS_CTR=y # end of Clock Source drivers CONFIG_MAILBOX=y # CONFIG_ARM_MHU is not set +# CONFIG_IMX_MBOX is not set # CONFIG_PLATFORM_MHU is not set # CONFIG_PL320_MBOX is not set # CONFIG_ARMADA_37XX_RWTM_MBOX is not set +# CONFIG_OMAP2PLUS_MBOX is not set CONFIG_ROCKCHIP_MBOX=y CONFIG_PCC=y # CONFIG_ALTERA_MBOX is not set CONFIG_BCM2835_MBOX=y +CONFIG_TI_MESSAGE_MANAGER=y # CONFIG_HI3660_MBOX is not set # CONFIG_HI6220_MBOX is not set # CONFIG_MAILBOX_TEST is not set @@ -5616,7 +7131,9 @@ CONFIG_IOMMU_SUPPORT=y # # Generic IOMMU Pagetable Support # -# CONFIG_IOMMU_IO_PGTABLE_LPAE is not set +CONFIG_IOMMU_IO_PGTABLE=y +CONFIG_IOMMU_IO_PGTABLE_LPAE=y +# CONFIG_IOMMU_IO_PGTABLE_LPAE_SELFTEST is not set # CONFIG_IOMMU_IO_PGTABLE_ARMV7S is not set # end of Generic IOMMU Pagetable Support @@ -5625,7 +7142,8 @@ CONFIG_IOMMU_SUPPORT=y CONFIG_OF_IOMMU=y CONFIG_IOMMU_DMA=y # CONFIG_ROCKCHIP_IOMMU is not set -# CONFIG_EXYNOS_IOMMU is not set +# CONFIG_TEGRA_IOMMU_SMMU is not set +# CONFIG_IPMMU_VMSA is not set # CONFIG_ARM_SMMU is not set # CONFIG_ARM_SMMU_V3 is not set # CONFIG_MTK_IOMMU is not set 
@@ -5650,11 +7168,12 @@ CONFIG_IOMMU_DMA=y # # SOC (System On Chip) specific Drivers # +# CONFIG_OWL_PM_DOMAINS is not set # # Amlogic SoC drivers # -# CONFIG_MESON_CANVAS is not set +CONFIG_MESON_CANVAS=m CONFIG_MESON_CLK_MEASURE=y # CONFIG_MESON_GX_SOCINFO is not set CONFIG_MESON_GX_PM_DOMAINS=y @@ -5692,6 +7211,7 @@ CONFIG_DPAA2_CONSOLE=y # # i.MX SoC drivers # +CONFIG_IMX_GPCV2_PM_DOMAINS=y # end of i.MX SoC drivers # @@ -5711,17 +7231,24 @@ CONFIG_QCOM_COMMAND_DB=y # CONFIG_QCOM_GENI_SE is not set CONFIG_QCOM_GSBI=y # CONFIG_QCOM_LLCC is not set -CONFIG_QCOM_MDT_LOADER=y +CONFIG_QCOM_MDT_LOADER=m +CONFIG_QCOM_QMI_HELPERS=m # CONFIG_QCOM_RMTFS_MEM is not set # CONFIG_QCOM_RPMH is not set # end of Qualcomm SoC drivers +CONFIG_SOC_RENESAS=y +# CONFIG_ARCH_R8A774A1 is not set +# CONFIG_ARCH_R8A774C0 is not set +# CONFIG_ARCH_R8A7795 is not set +# CONFIG_ARCH_R8A7796 is not set +# CONFIG_ARCH_R8A77965 is not set +# CONFIG_ARCH_R8A77970 is not set +# CONFIG_ARCH_R8A77980 is not set +# CONFIG_ARCH_R8A77990 is not set +# CONFIG_ARCH_R8A77995 is not set CONFIG_ROCKCHIP_GRF=y CONFIG_ROCKCHIP_PM_DOMAINS=y -CONFIG_SOC_SAMSUNG=y -CONFIG_EXYNOS_CHIPID=y -CONFIG_EXYNOS_PMU=y -CONFIG_EXYNOS_PM_DOMAINS=y CONFIG_SUNXI_SRAM=y CONFIG_ARCH_TEGRA_132_SOC=y CONFIG_ARCH_TEGRA_210_SOC=y @@ -5730,12 +7257,16 @@ CONFIG_ARCH_TEGRA_210_SOC=y CONFIG_SOC_TEGRA_FUSE=y CONFIG_SOC_TEGRA_FLOWCTRL=y CONFIG_SOC_TEGRA_PMC=y -# CONFIG_SOC_TI is not set +# CONFIG_ARCH_K3_AM6_SOC is not set +# CONFIG_ARCH_K3_J721E_SOC is not set +CONFIG_SOC_TI=y +# CONFIG_TI_SCI_PM_DOMAINS is not set +CONFIG_TI_SCI_INTA_MSI_DOMAIN=y # # Xilinx SoC drivers # -# CONFIG_XILINX_VCU is not set +CONFIG_XILINX_VCU=m CONFIG_ZYNQMP_POWER=y CONFIG_ZYNQMP_PM_DOMAINS=y # end of Xilinx SoC drivers 
@@ -5755,12 +7286,27 @@ CONFIG_DEVFREQ_GOV_SIMPLE_ONDEMAND=m # # DEVFREQ Drivers # -# CONFIG_ARM_EXYNOS_BUS_DEVFREQ is not set # CONFIG_ARM_TEGRA_DEVFREQ is not set # CONFIG_ARM_RK3399_DMC_DEVFREQ is not set # CONFIG_PM_DEVFREQ_EVENT is not set -# CONFIG_EXTCON is not set -# CONFIG_MEMORY is not set +CONFIG_EXTCON=y + +# +# Extcon Device Drivers +# +# CONFIG_EXTCON_FSA9480 is not set +# CONFIG_EXTCON_GPIO is not set +# CONFIG_EXTCON_MAX3355 is not set +# CONFIG_EXTCON_PTN5150 is not set +# CONFIG_EXTCON_QCOM_SPMI_MISC is not set +# CONFIG_EXTCON_RT8973A is not set +# CONFIG_EXTCON_SM5502 is not set +# CONFIG_EXTCON_USB_GPIO is not set +CONFIG_MEMORY=y +# CONFIG_ARM_PL172_MPMC is not set +CONFIG_FSL_IFC=y +CONFIG_MTK_SMI=y +CONFIG_TEGRA_MC=y # CONFIG_IIO is not set # CONFIG_NTB is not set # CONFIG_VME_BUS is not set @@ -5772,15 +7318,21 @@ CONFIG_PWM_BCM2835=m # CONFIG_PWM_BRCMSTB is not set # CONFIG_PWM_FSL_FTM is not set # CONFIG_PWM_HIBVT is not set +# CONFIG_PWM_IMX1 is not set +# CONFIG_PWM_IMX27 is not set +# CONFIG_PWM_IMX_TPM is not set # CONFIG_PWM_MESON is not set # CONFIG_PWM_MTK_DISP is not set # CONFIG_PWM_MEDIATEK is not set # CONFIG_PWM_PCA9685 is not set +# CONFIG_PWM_RCAR is not set +# CONFIG_PWM_RENESAS_TPU is not set CONFIG_PWM_ROCKCHIP=m -# CONFIG_PWM_SAMSUNG is not set # CONFIG_PWM_SPRD is not set # CONFIG_PWM_SUN4I is not set # CONFIG_PWM_TEGRA is not set +# CONFIG_PWM_TIECAP is not set +# CONFIG_PWM_TIEHRPWM is not set # # IRQ chip support @@ -5799,6 +7351,7 @@ CONFIG_BCM7038_L1_IRQ=y CONFIG_BRCMSTB_L2_IRQ=y CONFIG_DW_APB_ICTL=y CONFIG_HISILICON_IRQ_MBIGEN=y +CONFIG_IMX_GPCV2=y CONFIG_MVEBU_GICP=y CONFIG_MVEBU_ICU=y CONFIG_MVEBU_ODMI=y @@ -5809,6 +7362,9 @@ CONFIG_PARTITION_PERCPU=y # CONFIG_QCOM_IRQ_COMBINER is not set CONFIG_MESON_IRQ_GPIO=y # CONFIG_QCOM_PDC is not set +CONFIG_IMX_IRQSTEER=y +CONFIG_TI_SCI_INTR_IRQCHIP=y +CONFIG_TI_SCI_INTA_IRQCHIP=y # end of IRQ chip support # CONFIG_IPACK_BUS is not set 
@@ -5816,12 +7372,15 @@ CONFIG_ARCH_HAS_RESET_CONTROLLER=y CONFIG_RESET_CONTROLLER=y CONFIG_RESET_BERLIN=y CONFIG_RESET_BRCMSTB=y +CONFIG_RESET_IMX7=y CONFIG_RESET_MESON=y # CONFIG_RESET_MESON_AUDIO_ARB is not set # CONFIG_RESET_QCOM_AOSS is not set # CONFIG_RESET_QCOM_PDC is not set +CONFIG_RESET_SCMI=y CONFIG_RESET_SIMPLE=y CONFIG_RESET_SUNXI=y +# CONFIG_RESET_TI_SCI is not set # CONFIG_RESET_TI_SYSCON is not set # CONFIG_COMMON_RESET_HI3660 is not set CONFIG_COMMON_RESET_HI6220=y @@ -5830,8 +7389,10 @@ CONFIG_COMMON_RESET_HI6220=y # PHY Subsystem # CONFIG_GENERIC_PHY=y +CONFIG_GENERIC_PHY_MIPI_DPHY=y # CONFIG_PHY_XGENE is not set -# CONFIG_PHY_SUN6I_MIPI_DPHY is not set +# CONFIG_PHY_SUN4I_USB is not set +CONFIG_PHY_SUN6I_MIPI_DPHY=m # CONFIG_PHY_SUN9I_USB is not set # CONFIG_PHY_MESON8B_USB2 is not set # CONFIG_PHY_MESON_GXL_USB2 is not set @@ -5875,18 +7436,21 @@ CONFIG_PHY_MVEBU_A3700_UTMI=y # CONFIG_PHY_QCOM_QMP is not set # CONFIG_PHY_QCOM_QUSB2 is not set # CONFIG_PHY_QCOM_UFS is not set +# CONFIG_PHY_RCAR_GEN2 is not set +# CONFIG_PHY_RCAR_GEN3_PCIE is not set +# CONFIG_PHY_RCAR_GEN3_USB2 is not set +# CONFIG_PHY_RCAR_GEN3_USB3 is not set # CONFIG_PHY_ROCKCHIP_DP is not set # CONFIG_PHY_ROCKCHIP_EMMC is not set # CONFIG_PHY_ROCKCHIP_INNO_HDMI is not set +# CONFIG_PHY_ROCKCHIP_INNO_USB2 is not set # CONFIG_PHY_ROCKCHIP_PCIE is not set # CONFIG_PHY_ROCKCHIP_TYPEC is not set # CONFIG_PHY_ROCKCHIP_USB is not set -CONFIG_PHY_EXYNOS_DP_VIDEO=y -CONFIG_PHY_EXYNOS_MIPI_VIDEO=y -# CONFIG_PHY_EXYNOS_PCIE is not set CONFIG_PHY_SAMSUNG_USB2=m -CONFIG_PHY_EXYNOS5_USBDRD=m # CONFIG_PHY_TEGRA_XUSB is not set +# CONFIG_PHY_AM654_SERDES is not set +# CONFIG_OMAP_USB2 is not set # end of PHY Subsystem # CONFIG_POWERCAP is not set 
@@ -5902,11 +7466,13 @@ CONFIG_ARM_CCN=y CONFIG_ARM_PMU=y CONFIG_ARM_PMU_ACPI=y # CONFIG_ARM_DSU_PMU is not set +# CONFIG_FSL_IMX8_DDR_PMU is not set # CONFIG_HISI_PMU is not set # CONFIG_QCOM_L2_PMU is not set # CONFIG_QCOM_L3_PMU is not set -# CONFIG_XGENE_PMU is not set -# CONFIG_ARM_SPE_PMU is not set +CONFIG_THUNDERX2_PMU=m +CONFIG_XGENE_PMU=y +CONFIG_ARM_SPE_PMU=m # end of Performance monitor support CONFIG_RAS=y @@ -5927,8 +7493,12 @@ CONFIG_OF_PMEM=y CONFIG_DAX_DRIVER=y CONFIG_DAX=y CONFIG_DEV_DAX=m +CONFIG_DEV_DAX_HMEM=m +CONFIG_DEV_DAX_KMEM=m CONFIG_NVMEM=y CONFIG_NVMEM_SYSFS=y +# CONFIG_NVMEM_IMX_IIM is not set +# CONFIG_NVMEM_IMX_OCOTP is not set # CONFIG_MTK_EFUSE is not set # CONFIG_QCOM_QFPROM is not set # CONFIG_ROCKCHIP_EFUSE is not set @@ -5936,6 +7506,7 @@ CONFIG_NVMEM_BCM_OCOTP=y # CONFIG_NVMEM_SUNXI_SID is not set # CONFIG_MESON_EFUSE is not set # CONFIG_MESON_MX_EFUSE is not set +# CONFIG_NVMEM_SNVS_LPGPR is not set # CONFIG_NVMEM_ZYNQMP is not set # @@ -5948,6 +7519,17 @@ CONFIG_NVMEM_BCM_OCOTP=y # CONFIG_FPGA is not set # CONFIG_FSI is not set # CONFIG_TEE is not set +CONFIG_MULTIPLEXER=m + +# +# Multiplexer drivers +# +# CONFIG_MUX_ADG792A is not set +# CONFIG_MUX_ADGS1408 is not set +# CONFIG_MUX_GPIO is not set +CONFIG_MUX_MMIO=m +# end of Multiplexer drivers + CONFIG_PM_OPP=y # CONFIG_SIOX is not set # CONFIG_SLIMBUS is not set @@ -6053,7 +7635,9 @@ CONFIG_VFAT_FS=m CONFIG_FAT_DEFAULT_CODEPAGE=437 CONFIG_FAT_DEFAULT_IOCHARSET="ascii" # CONFIG_FAT_DEFAULT_UTF8 is not set -# CONFIG_NTFS_FS is not set +CONFIG_NTFS_FS=m +# CONFIG_NTFS_DEBUG is not set +# CONFIG_NTFS_RW is not set # end of DOS/FAT/NT Filesystems # 
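Review bot: `CONFIG_NTFS_FS=m` in the DOS/FAT/NT block adds another on-disk format parser that runs in kernel context on whatever volume gets mounted, which matters on systems that mount removable or guest-supplied media. Leaving `CONFIG_NTFS_RW` unset limits writes but does not limit the parsing of a malformed volume. If no supported scenario needs NTFS, keep `# CONFIG_NTFS_FS is not set`; if one does, record it in the spec changelog so the next config sync does not have to guess.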
@@ -6089,20 +7673,23 @@ CONFIG_MISC_FILESYSTEMS=y # CONFIG_BEFS_FS is not set # CONFIG_BFS_FS is not set # CONFIG_EFS_FS is not set +# CONFIG_JFFS2_FS is not set +# CONFIG_UBIFS_FS is not set CONFIG_CRAMFS=m CONFIG_CRAMFS_BLOCKDEV=y -CONFIG_SQUASHFS=m -CONFIG_SQUASHFS_FILE_CACHE=y -# CONFIG_SQUASHFS_FILE_DIRECT is not set +CONFIG_CRAMFS_MTD=y +CONFIG_SQUASHFS=y +# CONFIG_SQUASHFS_FILE_CACHE is not set +CONFIG_SQUASHFS_FILE_DIRECT=y CONFIG_SQUASHFS_DECOMP_SINGLE=y # CONFIG_SQUASHFS_DECOMP_MULTI is not set # CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU is not set -# CONFIG_SQUASHFS_XATTR is not set +CONFIG_SQUASHFS_XATTR=y CONFIG_SQUASHFS_ZLIB=y -# CONFIG_SQUASHFS_LZ4 is not set +CONFIG_SQUASHFS_LZ4=y CONFIG_SQUASHFS_LZO=y CONFIG_SQUASHFS_XZ=y -# CONFIG_SQUASHFS_ZSTD is not set +CONFIG_SQUASHFS_ZSTD=y # CONFIG_SQUASHFS_4K_DEVBLK_SIZE is not set # CONFIG_SQUASHFS_EMBEDDED is not set CONFIG_SQUASHFS_FRAGMENT_CACHE_SIZE=3 @@ -6169,6 +7756,7 @@ CONFIG_SUNRPC_BACKCHANNEL=y CONFIG_RPCSEC_GSS_KRB5=m # CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES is not set CONFIG_SUNRPC_DEBUG=y +CONFIG_SUNRPC_XPRT_RDMA=m CONFIG_CEPH_FS=m CONFIG_CEPH_FSCACHE=y CONFIG_CEPH_FS_POSIX_ACL=y @@ -6182,6 +7770,7 @@ CONFIG_CIFS_DEBUG=y # CONFIG_CIFS_DEBUG2 is not set # CONFIG_CIFS_DEBUG_DUMP_KEYS is not set CONFIG_CIFS_DFS_UPCALL=y +# CONFIG_CIFS_SMB_DIRECT is not set # CONFIG_CIFS_FSCACHE is not set # CONFIG_CODA_FS is not set # CONFIG_AFS_FS is not set @@ -6249,6 +7838,7 @@ CONFIG_DLM=m # Security options # CONFIG_KEYS=y +CONFIG_KEYS_COMPAT=y # CONFIG_KEYS_REQUEST_CACHE is not set # CONFIG_PERSISTENT_KEYRINGS is not set # CONFIG_BIG_KEYS is not set @@ -6259,6 +7849,7 @@ CONFIG_SECURITY_DMESG_RESTRICT=y CONFIG_SECURITY=y CONFIG_SECURITYFS=y CONFIG_SECURITY_NETWORK=y +# CONFIG_SECURITY_INFINIBAND is not set CONFIG_SECURITY_NETWORK_XFRM=y CONFIG_SECURITY_PATH=y CONFIG_LSM_MMAP_MIN_ADDR=4096 
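Review bot: `# CONFIG_SECURITY_INFINIBAND is not set` in the Security options hunk leaves the InfiniBand LSM hooks compiled out, even though this config sync appears to turn the RDMA stack on: the symbol is new here, and `CONFIG_SUNRPC_XPRT_RDMA=m` is added in the SUNRPC hunk above. Without those hooks a security module cannot mediate partition-key access or subnet-management traffic. Since `CONFIG_SECURITY_NETWORK=y` and `CONFIG_SECURITY_NETWORK_XFRM=y` are already set next to it, `CONFIG_SECURITY_INFINIBAND=y` would be the consistent choice.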
@@ -6305,6 +7896,7 @@ CONFIG_IMA_DEFAULT_HASH="sha256" CONFIG_IMA_WRITE_POLICY=y CONFIG_IMA_READ_POLICY=y # CONFIG_IMA_APPRAISE is not set +# CONFIG_IMA_ARCH_POLICY is not set CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y # CONFIG_EVM is not set @@ -6343,6 +7935,8 @@ CONFIG_ASYNC_MEMCPY=m CONFIG_ASYNC_XOR=m CONFIG_ASYNC_PQ=m CONFIG_ASYNC_RAID6_RECOV=m +CONFIG_ASYNC_TX_DISABLE_PQ_VAL_DMA=y +CONFIG_ASYNC_TX_DISABLE_XOR_VAL_DMA=y CONFIG_CRYPTO=y # @@ -6363,6 +7957,7 @@ CONFIG_CRYPTO_RNG_DEFAULT=m CONFIG_CRYPTO_AKCIPHER2=y CONFIG_CRYPTO_AKCIPHER=y CONFIG_CRYPTO_KPP2=y +CONFIG_CRYPTO_KPP=m CONFIG_CRYPTO_ACOMP2=y CONFIG_CRYPTO_MANAGER=y CONFIG_CRYPTO_MANAGER2=y @@ -6376,14 +7971,17 @@ CONFIG_CRYPTO_NULL2=y CONFIG_CRYPTO_CRYPTD=m CONFIG_CRYPTO_AUTHENC=m CONFIG_CRYPTO_TEST=m +CONFIG_CRYPTO_SIMD=m # # Public-key cryptography # CONFIG_CRYPTO_RSA=y # CONFIG_CRYPTO_DH is not set -# CONFIG_CRYPTO_ECDH is not set +CONFIG_CRYPTO_ECC=m +CONFIG_CRYPTO_ECDH=m # CONFIG_CRYPTO_ECRDSA is not set +# CONFIG_CRYPTO_CURVE25519 is not set # # Authenticated Encryption with Associated Data @@ -6405,9 +8003,10 @@ CONFIG_CRYPTO_CTS=m CONFIG_CRYPTO_ECB=y CONFIG_CRYPTO_LRW=m # CONFIG_CRYPTO_OFB is not set -# CONFIG_CRYPTO_PCBC is not set +CONFIG_CRYPTO_PCBC=m CONFIG_CRYPTO_XTS=y # CONFIG_CRYPTO_KEYWRAP is not set +CONFIG_CRYPTO_NHPOLY1305=m # CONFIG_CRYPTO_ADIANTUM is not set CONFIG_CRYPTO_ESSIV=m 
@@ -6423,24 +8022,24 @@ CONFIG_CRYPTO_HMAC=y # Digest # CONFIG_CRYPTO_CRC32C=y -# CONFIG_CRYPTO_CRC32 is not set +CONFIG_CRYPTO_CRC32=m # CONFIG_CRYPTO_XXHASH is not set +# CONFIG_CRYPTO_BLAKE2S is not set CONFIG_CRYPTO_CRCT10DIF=y CONFIG_CRYPTO_GHASH=m # CONFIG_CRYPTO_POLY1305 is not set CONFIG_CRYPTO_MD4=m CONFIG_CRYPTO_MD5=y -# CONFIG_CRYPTO_MICHAEL_MIC is not set +CONFIG_CRYPTO_MICHAEL_MIC=m # CONFIG_CRYPTO_RMD128 is not set # CONFIG_CRYPTO_RMD160 is not set # CONFIG_CRYPTO_RMD256 is not set # CONFIG_CRYPTO_RMD320 is not set CONFIG_CRYPTO_SHA1=y -CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_SHA256=y CONFIG_CRYPTO_SHA512=y -# CONFIG_CRYPTO_SHA3 is not set -# CONFIG_CRYPTO_SM3 is not set +CONFIG_CRYPTO_SHA3=m +CONFIG_CRYPTO_SM3=m # CONFIG_CRYPTO_STREEBOG is not set # CONFIG_CRYPTO_TGR192 is not set # CONFIG_CRYPTO_WP512 is not set @@ -6448,25 +8047,22 @@ CONFIG_CRYPTO_SHA512=y # # Ciphers # -CONFIG_CRYPTO_LIB_AES=y CONFIG_CRYPTO_AES=y # CONFIG_CRYPTO_AES_TI is not set # CONFIG_CRYPTO_ANUBIS is not set -CONFIG_CRYPTO_LIB_ARC4=m CONFIG_CRYPTO_ARC4=m # CONFIG_CRYPTO_BLOWFISH is not set # CONFIG_CRYPTO_CAMELLIA is not set # CONFIG_CRYPTO_CAST5 is not set # CONFIG_CRYPTO_CAST6 is not set -CONFIG_CRYPTO_LIB_DES=m CONFIG_CRYPTO_DES=m -# CONFIG_CRYPTO_FCRYPT is not set +CONFIG_CRYPTO_FCRYPT=m # CONFIG_CRYPTO_KHAZAD is not set # CONFIG_CRYPTO_SALSA20 is not set # CONFIG_CRYPTO_CHACHA20 is not set # CONFIG_CRYPTO_SEED is not set # CONFIG_CRYPTO_SERPENT is not set -# CONFIG_CRYPTO_SM4 is not set +CONFIG_CRYPTO_SM4=m # CONFIG_CRYPTO_TEA is not set # CONFIG_CRYPTO_TWOFISH is not set 
@@ -6496,6 +8092,23 @@ CONFIG_CRYPTO_USER_API_SKCIPHER=m # CONFIG_CRYPTO_USER_API_RNG is not set # CONFIG_CRYPTO_USER_API_AEAD is not set CONFIG_CRYPTO_HASH_INFO=y + +# +# Crypto library routines +# +CONFIG_CRYPTO_LIB_AES=y +CONFIG_CRYPTO_LIB_ARC4=m +# CONFIG_CRYPTO_LIB_BLAKE2S is not set +CONFIG_CRYPTO_ARCH_HAVE_LIB_CHACHA=m +CONFIG_CRYPTO_LIB_CHACHA_GENERIC=m +# CONFIG_CRYPTO_LIB_CHACHA is not set +# CONFIG_CRYPTO_LIB_CURVE25519 is not set +CONFIG_CRYPTO_LIB_DES=m +CONFIG_CRYPTO_LIB_POLY1305_RSIZE=9 +CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m +# CONFIG_CRYPTO_LIB_POLY1305 is not set +# CONFIG_CRYPTO_LIB_CHACHA20POLY1305 is not set +CONFIG_CRYPTO_LIB_SHA256=y CONFIG_CRYPTO_HW=y # CONFIG_CRYPTO_DEV_MARVELL_CESA is not set CONFIG_CRYPTO_DEV_FSL_CAAM_COMMON=m @@ -6511,18 +8124,20 @@ CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_QI=y CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API=y CONFIG_CRYPTO_DEV_FSL_CAAM_PKC_API=y CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_API=y -# CONFIG_CRYPTO_DEV_EXYNOS_RNG is not set -# CONFIG_CRYPTO_DEV_S5P is not set +# CONFIG_CRYPTO_DEV_SAHARA is not set # CONFIG_CRYPTO_DEV_ATMEL_ECC is not set # CONFIG_CRYPTO_DEV_ATMEL_SHA204A is not set # CONFIG_CRYPTO_DEV_CCP is not set -# CONFIG_CAVIUM_CPT is not set +# CONFIG_CRYPTO_DEV_MXS_DCP is not set +CONFIG_CRYPTO_DEV_CPT=m +CONFIG_CAVIUM_CPT=m # CONFIG_CRYPTO_DEV_NITROX_CNN55XX is not set -# CONFIG_CRYPTO_DEV_CAVIUM_ZIP is not set +CONFIG_CRYPTO_DEV_CAVIUM_ZIP=m # CONFIG_CRYPTO_DEV_QCE is not set # CONFIG_CRYPTO_DEV_QCOM_RNG is not set # CONFIG_CRYPTO_DEV_ROCKCHIP is not set # CONFIG_CRYPTO_DEV_CHELSIO is not set +# CONFIG_CRYPTO_DEV_CHELSIO_TLS is not set # CONFIG_CRYPTO_DEV_VIRTIO is not set # CONFIG_CRYPTO_DEV_BCM_SPU is not set # CONFIG_CRYPTO_DEV_SAFEXCEL is not set @@ -6563,7 +8178,7 @@ CONFIG_RAID6_PQ=m # end of RAID 6 CONFIG_RAID6_PQ_BENCHMARK=y -# CONFIG_PACKING is not set +CONFIG_PACKING=y CONFIG_BITREVERSE=y CONFIG_HAVE_ARCH_BITREVERSE=y CONFIG_GENERIC_STRNCPY_FROM_USER=y 
@@ -6572,9 +8187,10 @@ CONFIG_GENERIC_NET_UTILS=y CONFIG_CORDIC=m CONFIG_RATIONAL=y CONFIG_GENERIC_PCI_IOMAP=y +CONFIG_STMP_DEVICE=y CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y CONFIG_ARCH_HAS_FAST_MULTIPLIER=y -# CONFIG_INDIRECT_PIO is not set +CONFIG_INDIRECT_PIO=y CONFIG_CRC_CCITT=y CONFIG_CRC16=y CONFIG_CRC_T10DIF=y @@ -6589,10 +8205,11 @@ CONFIG_CRC64=m # CONFIG_CRC4 is not set CONFIG_CRC7=y CONFIG_LIBCRC32C=y -# CONFIG_CRC8 is not set +CONFIG_CRC8=m CONFIG_XXHASH=y CONFIG_AUDIT_GENERIC=y CONFIG_AUDIT_ARCH_COMPAT_GENERIC=y +CONFIG_AUDIT_COMPAT_GENERIC=y # CONFIG_RANDOM32_SELFTEST is not set CONFIG_ZLIB_INFLATE=y CONFIG_ZLIB_DEFLATE=y @@ -6600,7 +8217,7 @@ CONFIG_LZO_COMPRESS=y CONFIG_LZO_DECOMPRESS=y CONFIG_LZ4_DECOMPRESS=y CONFIG_ZSTD_COMPRESS=m -CONFIG_ZSTD_DECOMPRESS=m +CONFIG_ZSTD_DECOMPRESS=y CONFIG_XZ_DEC=y CONFIG_XZ_DEC_X86=y CONFIG_XZ_DEC_POWERPC=y @@ -6617,11 +8234,15 @@ CONFIG_DECOMPRESS_XZ=y CONFIG_DECOMPRESS_LZO=y CONFIG_DECOMPRESS_LZ4=y CONFIG_GENERIC_ALLOCATOR=y +CONFIG_REED_SOLOMON=m +CONFIG_REED_SOLOMON_DEC16=y +CONFIG_BCH=m CONFIG_TEXTSEARCH=y CONFIG_TEXTSEARCH_KMP=m CONFIG_TEXTSEARCH_BM=m CONFIG_TEXTSEARCH_FSM=m CONFIG_BTREE=y +CONFIG_INTERVAL_TREE=y CONFIG_XARRAY_MULTI=y CONFIG_ASSOCIATIVE_ARRAY=y CONFIG_HAS_IOMEM=y @@ -6637,6 +8258,7 @@ CONFIG_ARCH_HAS_SYNC_DMA_FOR_DEVICE=y CONFIG_ARCH_HAS_SYNC_DMA_FOR_CPU=y CONFIG_ARCH_HAS_DMA_PREP_COHERENT=y CONFIG_ARCH_HAS_DMA_COHERENT_TO_PFN=y +CONFIG_DMA_VIRT_OPS=y CONFIG_SWIOTLB=y CONFIG_DMA_REMAP=y CONFIG_DMA_DIRECT_REMAP=y @@ -6659,9 +8281,11 @@ CONFIG_DQL=y CONFIG_GLOB=y # CONFIG_GLOB_SELFTEST is not set CONFIG_NLATTR=y +CONFIG_LRU_CACHE=m CONFIG_CLZ_TAB=y CONFIG_IRQ_POLL=y CONFIG_MPILIB=y +CONFIG_DIMLIB=y CONFIG_LIBFDT=y CONFIG_OID_REGISTRY=y CONFIG_UCS2_STRING=y 
@@ -6671,9 +8295,14 @@ CONFIG_FONT_SUPPORT=y # CONFIG_FONTS is not set CONFIG_FONT_8x8=y CONFIG_FONT_8x16=y +CONFIG_SG_SPLIT=y CONFIG_SG_POOL=y +CONFIG_ARCH_HAS_PMEM_API=y CONFIG_MEMREGION=y +CONFIG_ARCH_HAS_UACCESS_FLUSHCACHE=y CONFIG_SBITMAP=y +CONFIG_PARMAN=m +CONFIG_OBJAGG=m # CONFIG_STRING_SELFTEST is not set # end of Library routines @@ -6731,7 +8360,7 @@ CONFIG_PAGE_POISONING_ZERO=y # CONFIG_DEBUG_PAGE_REF is not set # CONFIG_DEBUG_RODATA_TEST is not set # CONFIG_DEBUG_OBJECTS is not set -CONFIG_SLUB_DEBUG_ON=y +# CONFIG_SLUB_DEBUG_ON is not set # CONFIG_SLUB_STATS is not set CONFIG_HAVE_DEBUG_KMEMLEAK=y # CONFIG_DEBUG_KMEMLEAK is not set @@ -6847,8 +8476,10 @@ CONFIG_BRANCH_PROFILE_NONE=y # CONFIG_BLK_DEV_IO_TRACE is not set CONFIG_KPROBE_EVENTS=y CONFIG_UPROBE_EVENTS=y +CONFIG_BPF_EVENTS=y CONFIG_DYNAMIC_EVENTS=y CONFIG_PROBE_EVENTS=y +# CONFIG_BPF_KPROBE_OVERRIDE is not set # CONFIG_HIST_TRIGGERS is not set # CONFIG_TRACEPOINT_BENCHMARK is not set # CONFIG_RING_BUFFER_BENCHMARK is not set @@ -6880,6 +8511,7 @@ CONFIG_RUNTIME_TESTING_MENU=y # CONFIG_TEST_RHASHTABLE is not set # CONFIG_TEST_HASH is not set # CONFIG_TEST_IDA is not set +# CONFIG_TEST_PARMAN is not set # CONFIG_TEST_LKM is not set # CONFIG_TEST_VMALLOC is not set # CONFIG_TEST_USER_COPY is not set @@ -6892,6 +8524,7 @@ CONFIG_RUNTIME_TESTING_MENU=y # CONFIG_TEST_STATIC_KEYS is not set # CONFIG_TEST_KMOD is not set # CONFIG_TEST_MEMCAT_P is not set +# CONFIG_TEST_OBJAGG is not set # CONFIG_TEST_STACKINIT is not set # CONFIG_TEST_MEMINIT is not set CONFIG_MEMTEST=y diff --git a/SPECS/kernel/e1000e-add-support-for-comet-lake.patch b/SPECS/kernel/e1000e-add-support-for-comet-lake.patch deleted file mode 100644 index c2d994eb1f9..00000000000 --- a/SPECS/kernel/e1000e-add-support-for-comet-lake.patch +++ /dev/null 
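Review bot: The hunk around `CONFIG_DEBUG_OBJECTS` flips `CONFIG_SLUB_DEBUG_ON=y` to `# CONFIG_SLUB_DEBUG_ON is not set`, so slab red-zoning, poisoning and consistency checks are no longer active by default on images built from this config. That may be an intended performance trade, but slab corruption will then tend to go undetected rather than being reported, and the change is easy to miss in a config sync of this size. State the intent in the changelog, and if any image relied on the old default, have it pass `slub_debug` on the kernel command line instead.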
@@ -1,51 +0,0 @@ -From 914ee9c436cbe90c8ca8a46ec8433cb614a2ada5 Mon Sep 17 00:00:00 2001 -From: Sasha Neftin -Date: Thu, 10 Oct 2019 13:15:39 +0300 -Subject: [PATCH] e1000e: Add support for Comet Lake - -Add devices ID's for the next LOM generations that will be -available on the next Intel Client platform (Comet Lake) -This patch provides the initial support for these devices - -Signed-off-by: Sasha Neftin -Tested-by: Aaron Brown -Signed-off-by: Jeff Kirsher ---- - drivers/net/ethernet/intel/e1000e/hw.h | 6 ++++++ - drivers/net/ethernet/intel/e1000e/netdev.c | 6 ++++++ - 2 files changed, 12 insertions(+) - -diff --git a/drivers/net/ethernet/intel/e1000e/hw.h b/drivers/net/ethernet/intel/e1000e/hw.h -index eff75bd8a8f0b9..11fdc27faa82b8 100644 ---- a/drivers/net/ethernet/intel/e1000e/hw.h -+++ b/drivers/net/ethernet/intel/e1000e/hw.h -@@ -86,6 +86,12 @@ struct e1000_hw; - #define E1000_DEV_ID_PCH_ICP_I219_V8 0x15E0 - #define E1000_DEV_ID_PCH_ICP_I219_LM9 0x15E1 - #define E1000_DEV_ID_PCH_ICP_I219_V9 0x15E2 -+#define E1000_DEV_ID_PCH_CMP_I219_LM10 0x0D4E -+#define E1000_DEV_ID_PCH_CMP_I219_V10 0x0D4F -+#define E1000_DEV_ID_PCH_CMP_I219_LM11 0x0D4C -+#define E1000_DEV_ID_PCH_CMP_I219_V11 0x0D4D -+#define E1000_DEV_ID_PCH_CMP_I219_LM12 0x0D53 -+#define E1000_DEV_ID_PCH_CMP_I219_V12 0x0D55 - - #define E1000_REVISION_4 4 - -diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c -index 42f57ab8fb8eb9..731e1b3e103a15 100644 ---- a/drivers/net/ethernet/intel/e1000e/netdev.c -+++ b/drivers/net/ethernet/intel/e1000e/netdev.c -@@ -7749,6 +7749,12 @@ static const struct pci_device_id e1000_pci_tbl[] = { - { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_ICP_I219_V8), board_pch_cnp }, - { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_ICP_I219_LM9), board_pch_cnp }, - { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_ICP_I219_V9), board_pch_cnp }, -+ { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_CMP_I219_LM10), board_pch_cnp }, -+ { PCI_VDEVICE(INTEL, 
E1000_DEV_ID_PCH_CMP_I219_V10), board_pch_cnp }, -+ { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_CMP_I219_LM11), board_pch_cnp }, -+ { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_CMP_I219_V11), board_pch_cnp }, -+ { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_CMP_I219_LM12), board_pch_spt }, -+ { PCI_VDEVICE(INTEL, E1000_DEV_ID_PCH_CMP_I219_V12), board_pch_spt }, - - { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */ - }; diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 7de9927d3b6..587774e9be0 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { - "config": "b8c9e2a875e4e6655fdbeb626088529fd1cef401b8f67a481fc301d2a3a026c5", - "config_aarch64": "3057cf5c5f04b57c4d69f9783d4809de217fb46a4278694c19f6c3ffd81249c5", - "linux-msft-5.4.51.tar.gz": "3bcd6b09e952fac4f708614658b508ce80c8e25c04780b6b44a481b1479a08e7" + "config": "b8a4aa3fd3e234ff28dc43e5f95c53456eebd9a02d28593553b7c1a0615562dc", + "config_aarch64": "b12f419ff792eb8bd491c53431bf2be9f8070d90ef2059057f9738573663eb2d", + "linux-msft-5.4.72.tar.gz": "3407ccf8505595ae3e7a7b30c206190a0762f3e202f21f9de88a8d59e182ddef" } } \ No newline at end of file diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 8f788dadb09..966d6c738fc 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec 
@@ -1,18 +1,19 @@ %global security_hardening none +%define uname_r %{version}-%{release} Summary: Linux Kernel Name: kernel -Version: 5.4.51 -Release: 11%{?dist} +Version: 5.4.72 +Release: 3%{?dist} License: GPLv2 -URL: https://github.com/microsoft/WSL2-Linux-Kernel -Group: System Environment/Kernel Vendor: Microsoft Corporation Distribution: Mariner +Group: System Environment/Kernel +URL: https://github.com/microsoft/WSL2-Linux-Kernel Source0: https://github.com/microsoft/WSL2-Linux-Kernel/archive/linux-msft-%{version}.tar.gz Source1: config Source2: config_aarch64 -Patch0: e1000e-add-support-for-comet-lake.patch - +# Arm64 HyperV support required patch +Patch0: ver5_4_72_arm64_hyperv_support.patch # Kernel CVEs are addressed by moving to a newer version of the stable kernel. # Since kernel CVEs are filed against the upstream kernel version and not the # stable kernel version, our automated tooling will still flag the CVE as not 
@@ -43,24 +44,76 @@ Patch1019: CVE-2020-11668.nopatch Patch1020: CVE-2020-12654.nopatch Patch1021: CVE-2020-24394.nopatch Patch1022: CVE-2020-8428.nopatch - +Patch1023: CVE-2018-1000026.nopatch +Patch1024: CVE-2018-16880.nopatch +Patch1025: CVE-2020-12464.nopatch +Patch1026: CVE-2020-12465.nopatch +Patch1027: CVE-2020-12659.nopatch +Patch1028: CVE-2020-15780.nopatch +Patch1029: CVE-2020-14356.nopatch +Patch1030: CVE-2020-14386.nopatch +Patch1031: CVE-2020-25645.nopatch +Patch1032: CVE-2020-25643.nopatch +Patch1033: CVE-2020-25211.nopatch +Patch1034: CVE-2020-25212.nopatch +Patch1035: CVE-2008-4609.nopatch +Patch1036: CVE-2020-14331.nopatch +Patch1037: CVE-2010-0298.nopatch +Patch1038: CVE-2020-10690.nopatch +Patch1039: CVE-2020-25285.nopatch +Patch1040: CVE-2020-10711.nopatch +Patch1041: CVE-2019-3887.nopatch +Patch1042: CVE-2020-14390.nopatch +Patch1043: CVE-2019-19338.nopatch +Patch1044: CVE-2019-20810.nopatch +Patch1045: CVE-2020-10766.nopatch +Patch1046: CVE-2020-10767.nopatch +Patch1047: CVE-2020-10768.nopatch +Patch1048: CVE-2020-10781.nopatch +Patch1049: CVE-2020-12768.nopatch +Patch1050: CVE-2020-14314.nopatch +Patch1051: CVE-2020-14385.nopatch +Patch1052: CVE-2020-25641.nopatch +Patch1053: CVE-2020-26088.nopatch +Patch1054: CVE-2020-10942.nopatch +Patch1055: CVE-2020-12826.nopatch +Patch1056: CVE-2019-3016.nopatch +Patch1057: CVE-2019-3819.nopatch +Patch1058: CVE-2020-16166.nopatch +Patch1059: CVE-2020-11608.nopatch +Patch1060: CVE-2020-11609.nopatch +Patch1061: CVE-2020-25284.nopatch +Patch1062: CVE-2020-12888.nopatch +Patch1063: CVE-2017-8244.nopatch +Patch1064: CVE-2017-8245.nopatch +Patch1065: CVE-2017-8246.nopatch +Patch1066: CVE-2009-4484.nopatch +Patch1067: CVE-2015-5738.nopatch +Patch1068: CVE-2007-4998.nopatch +Patch1069: CVE-2010-0309.nopatch +Patch1070: CVE-2011-0640.nopatch +Patch1071: CVE-2020-12656.nopatch +Patch1072: CVE-2011-2519.nopatch +Patch1073: CVE-1999-0656.nopatch +Patch1074: CVE-2010-4563.nopatch +Patch1075: CVE-2019-20794.nopatch 
+Patch1076: CVE-1999-0524.nopatch +BuildRequires: audit-devel BuildRequires: bc BuildRequires: diffutils +BuildRequires: glib-devel BuildRequires: kbd BuildRequires: kmod-devel -BuildRequires: glib-devel -BuildRequires: xerces-c-devel BuildRequires: libdnet-devel BuildRequires: libmspack-devel -BuildRequires: pam-devel BuildRequires: openssl-devel +BuildRequires: pam-devel BuildRequires: procps-ng-devel -BuildRequires: audit-devel -Requires: filesystem kmod +BuildRequires: xerces-c-devel +Requires: filesystem +Requires: kmod Requires(post): coreutils Requires(postun): coreutils -%define uname_r %{version}-%{release} - # When updating the config files it is important to sanitize them. # Steps for updating a config file: # 1. Extract the linux sources into a folder @@ -81,9 +134,11 @@ The kernel package contains the Linux kernel. %package devel Summary: Kernel Dev Group: System Environment/Kernel -Obsoletes: linux-dev Requires: %{name} = %{version}-%{release} -Requires: python3 gawk +Requires: gawk +Requires: python3 +Obsoletes: linux-dev + %description devel This package contains the Linux kernel dev files @@ -91,6 +146,7 @@ This package contains the Linux kernel dev files Summary: Kernel Sound modules Group: System Environment/Kernel Requires: %{name} = %{version}-%{release} + %description drivers-sound This package contains the Linux kernel sound support @@ -98,6 +154,7 @@ This package contains the Linux kernel sound support Summary: Kernel docs Group: System Environment/Kernel Requires: python3 + %description docs This package contains the Linux kernel doc files @@ -106,6 +163,7 @@ This package contains the Linux kernel doc files Summary: Kernel driver for oprofile, a statistical profiler for Linux systems Group: System Environment/Kernel Requires: %{name} = %{version}-%{release} + %description oprofile Kernel driver for oprofile, a statistical profiler for Linux systems %endif 
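Review bot: The `.nopatch` entries added as `Patch1023` through `Patch1076` each suppress a CVE-scanner finding, yet none records why. Several carry years far older than the 5.4 series (`CVE-1999-0524`, `CVE-1999-0656`, `CVE-2007-4998`, `CVE-2008-4609`, `CVE-2009-4484`), so the rationale in the comment above the list, that the fix comes from moving to a newer stable kernel, probably does not describe them. Add a one-line comment per entry or per group giving either the stable release that carries the fix or the reason the CVE does not apply to this package, e.g. `# Fixed in <stable version>` or `# Not applicable: <reason>`. The `Patch` list and its explanatory comment start before this hunk.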
@@ -115,13 +173,16 @@ Summary: This package contains the 'perf' performance analysis tools for Group: System/Tools Requires: %{name} = %{version}-%{release} Requires: audit + %description tools This package contains the 'perf' performance analysis tools for Linux kernel. %prep %setup -q -n WSL2-Linux-Kernel-linux-msft-%{version} +%ifarch aarch64 %patch0 -p1 +%endif %build make mrproper @@ -173,16 +234,16 @@ for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \ %define __spec_install_post\ %{?__debug_package:%{__debug_install_post}}\ %{__arch_install_post}\ - %{__os_install_post}\ + %__os_install_post\ %{__modules_install_post}\ %{nil} %install -install -vdm 755 %{buildroot}/etc +install -vdm 755 %{buildroot}%{_sysconfdir} install -vdm 700 %{buildroot}/boot install -vdm 755 %{buildroot}%{_defaultdocdir}/linux-%{uname_r} -install -vdm 755 %{buildroot}/usr/src/linux-headers-%{uname_r} -install -vdm 755 %{buildroot}/usr/lib/debug/lib/modules/%{uname_r} +install -vdm 755 %{buildroot}%{_prefix}/src/linux-headers-%{uname_r} +install -vdm 755 %{buildroot}%{_lib}/debug/lib/modules/%{uname_r} make INSTALL_MOD_PATH=%{buildroot} modules_install %ifarch x86_64 @@ -209,9 +270,9 @@ install -vm 600 arch/arm64/boot/Image %{buildroot}/boot/vmlinuz-%{uname_r} install -vm 400 System.map %{buildroot}/boot/System.map-%{uname_r} install -vm 600 .config %{buildroot}/boot/config-%{uname_r} cp -r Documentation/* %{buildroot}%{_defaultdocdir}/linux-%{uname_r} -install -vm 644 vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux-%{uname_r} +install -vm 644 vmlinux %{buildroot}%{_lib}/debug/lib/modules/%{uname_r}/vmlinux-%{uname_r} # `perf test vmlinux` needs it -ln -s vmlinux-%{uname_r} %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux +ln -s vmlinux-%{uname_r} %{buildroot}%{_lib}/debug/lib/modules/%{uname_r}/vmlinux cat > %{buildroot}/boot/linux-%{uname_r}.cfg << "EOF" # GRUB Environment Block 
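Review bot: `%{buildroot}%{_lib}/debug/lib/modules/%{uname_r}` replaces `/usr/lib/debug` in the `%install` hunk, and again in the `vmlinux` install and `ln -s` lines of the hunk that follows. In the stock RPM macro set `%{_lib}` is the bare directory name (`lib` or `lib64`) with no leading slash or prefix, so the files would land outside `/usr/lib/debug` unless this distribution redefines the macro. `%{buildroot}%{_prefix}/lib/debug/lib/modules/%{uname_r}` reproduces the old location on every architecture. The `%files` entries that package `vmlinux-%{uname_r}` are outside these hunks and should be checked against whichever form is kept.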
@@ -231,22 +292,22 @@ EOF rm -rf %{buildroot}/lib/modules/%{uname_r}/source rm -rf %{buildroot}/lib/modules/%{uname_r}/build -find . -name Makefile* -o -name Kconfig* -o -name *.pl | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy -find arch/${archdir}/include include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy -find $(find arch/${archdir} -name include -o -name scripts -type d) -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy -find arch/${archdir}/include Module.symvers include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/linux-headers-%{uname_r}' copy +find . -name Makefile* -o -name Kconfig* -o -name *.pl | xargs sh -c 'cp --parents "$@" %{buildroot}%{_prefix}/src/linux-headers-%{uname_r}' copy +find arch/${archdir}/include include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}%{_prefix}/src/linux-headers-%{uname_r}' copy +find $(find arch/${archdir} -name include -o -name scripts -type d) -type f | xargs sh -c 'cp --parents "$@" %{buildroot}%{_prefix}/src/linux-headers-%{uname_r}' copy +find arch/${archdir}/include Module.symvers include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}%{_prefix}/src/linux-headers-%{uname_r}' copy %ifarch x86_64 # CONFIG_STACK_VALIDATION=y requires objtool to build external modules -install -vsm 755 tools/objtool/objtool %{buildroot}/usr/src/linux-headers-%{uname_r}/tools/objtool/ -install -vsm 755 tools/objtool/fixdep %{buildroot}/usr/src/linux-headers-%{uname_r}/tools/objtool/ +install -vsm 755 tools/objtool/objtool %{buildroot}%{_prefix}/src/linux-headers-%{uname_r}/tools/objtool/ +install -vsm 755 tools/objtool/fixdep %{buildroot}%{_prefix}/src/linux-headers-%{uname_r}/tools/objtool/ %endif -cp .config %{buildroot}/usr/src/linux-headers-%{uname_r} # copy .config manually to be where it's expected to be -ln -sf 
"/usr/src/linux-headers-%{uname_r}" "%{buildroot}/lib/modules/%{uname_r}/build" +cp .config %{buildroot}%{_prefix}/src/linux-headers-%{uname_r} # copy .config manually to be where it's expected to be +ln -sf "%{_prefix}/src/linux-headers-%{uname_r}" "%{buildroot}/lib/modules/%{uname_r}/build" find %{buildroot}/lib/modules -name '*.ko' -print0 | xargs -0 chmod u+x %ifarch aarch64 -cp arch/arm64/kernel/module.lds %{buildroot}/usr/src/linux-headers-%{uname_r}/arch/arm64/kernel/ +cp arch/arm64/kernel/module.lds %{buildroot}%{_prefix}/src/linux-headers-%{uname_r}/arch/arm64/kernel/ %endif # disable (JOBS=1) parallel build to fix this issue: @@ -289,6 +350,7 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %files %defattr(-,root,root) +%license COPYING /boot/System.map-%{uname_r} /boot/config-%{uname_r} /boot/vmlinuz-%{uname_r} @@ -310,7 +372,7 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %files devel %defattr(-,root,root) /lib/modules/%{uname_r}/build -/usr/src/linux-headers-%{uname_r} +%{_prefix}/src/linux-headers-%{uname_r} %files drivers-sound %defattr(-,root,root) 
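Review bot: The `find . -name Makefile* -o -name Kconfig* -o -name *.pl` line passes unquoted patterns, so the shell expands them against the build directory before `find` runs. With a `Makefile` and `Kconfig` at the top of the tree (likely for kernel sources) the search degrades to those exact names, and files such as `Kconfig.debug` reach the headers directory only if one of the later `find` lines happens to cover them. Quote the patterns, `find . -name 'Makefile*' -o -name 'Kconfig*' -o -name '*.pl'`, and consider `-print0 | xargs -0` on all four copy pipelines, as the `chmod u+x` line in this same hunk already does. These lines were touched only for the `%{_prefix}` substitution, so the behaviour predates this commit.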
@@ -324,482 +386,692 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %files tools %defattr(-,root,root) -/usr/libexec +%{_libexecdir} %exclude %{_libdir}/debug %ifarch x86_64 -/usr/lib64/traceevent +%{_lib64}/traceevent %endif %ifarch aarch64 -/usr/lib/traceevent +%{_lib}/traceevent %endif %{_bindir} -/etc/bash_completion.d/* -/usr/share/perf-core/strace/groups/file -/usr/share/perf-core/strace/groups/string -/usr/share/doc/* +%{_sysconfdir}/bash_completion.d/* +%{_datadir}/perf-core/strace/groups/file +%{_datadir}/perf-core/strace/groups/string +%{_docdir}/* %{_libdir}/perf/examples/bpf/* %{_libdir}/perf/include/bpf/* %changelog -* Fri Oct 16 2020 Suresh Babu Chalamalasetty 5.4.51-11 -- Enable QAT kernel configs -* Fri Oct 02 2020 Chris Co 5.4.51-10 -- Address CVE-2020-10757, CVE-2020-12653, CVE-2020-12657, CVE-2010-3865, -- CVE-2020-11668, CVE-2020-12654, CVE-2020-24394, CVE-2020-8428 -* Fri Oct 02 2020 Chris Co 5.4.51-9 -- Fix aarch64 build error -* Wed Sep 30 2020 Emre Girgin 5.4.51-8 -- Update postun script to deal with removal in case of another installed kernel. 
-* Fri Sep 25 2020 Suresh Babu Chalamalasetty 5.4.51-7 -- Enable Mellanox kernel configs -* Wed Sep 23 2020 Daniel McIlvaney 5.4.51-6 -- Enable CONFIG_IMA (measurement only) and associated configs -* Thu Sep 03 2020 Daniel McIlvaney 5.4.51-5 -- Add code to check for missing config flags in the checked in configs -* Thu Sep 03 2020 Chris Co 5.4.51-4 -- Apply additional kernel hardening configs -* Thu Sep 03 2020 Chris Co 5.4.51-3 -- Bump release number due to kernel-signed- package update -- Minor aarch64 config and changelog cleanup -* Tue Sep 01 2020 Chris Co 5.4.51-2 -- Update source hash -* Wed Aug 19 2020 Chris Co 5.4.51-1 -- Update source to 5.4.51 -- Enable DXGKRNL config -- Address CVE-2020-11494, CVE-2020-11565, CVE-2020-12655, CVE-2020-12771, -- CVE-2020-13974, CVE-2020-15393, CVE-2020-8647, CVE-2020-8648, CVE-2020-8649, -- CVE-2020-9383, CVE-2020-11725 -* Wed Aug 19 2020 Chris Co 5.4.42-12 -- Remove the signed package depends -* Tue Aug 18 2020 Chris Co 5.4.42-11 -- Remove signed subpackage -* Mon Aug 17 2020 Chris Co 5.4.42-10 -- Enable BPF, PC104, userfaultfd, SLUB sysfs, SMC, XDP sockets monitoring configs -* Fri Aug 07 2020 Mateusz Malisz 5.4.42-9 -- Add crashkernel=128M to the kernel cmdline -- Update config to support kexec and kexec_file_load -* Tue Aug 04 2020 Pawel Winogrodzki 5.4.42-8 -- Updating "KBUILD_BUILD_VERSION" and "KBUILD_BUILD_HOST" with correct - distribution name. 
-* Wed Jul 22 2020 Chris Co 5.4.42-7 -- Address CVE-2020-8992, CVE-2020-12770, CVE-2020-13143, CVE-2020-11884 -* Fri Jul 17 2020 Suresh Babu Chalamalasetty 5.4.42-6 -- Enable CONFIG_MLX5_CORE_IPOIB and CONFIG_INFINIBAND_IPOIB config flags -* Fri Jul 17 2020 Suresh Babu Chalamalasetty 5.4.42-5 -- Adding XDP config flag -* Thu Jul 09 2020 Anand Muthurajan 5.4.42-4 -- Enable CONFIG_QED, CONFIG_QEDE, CONFIG_QED_SRIOV and CONFIG_QEDE_VXLAN flags -* Wed Jun 24 2020 Chris Co 5.4.42-3 -- Regenerate input config files -* Fri Jun 19 2020 Chris Co 5.4.42-2 -- Add kernel-secure subpackage and macros for adding offline signed kernels -* Fri Jun 12 2020 Chris Co 5.4.42-1 -- Update source to 5.4.42 -* Thu Jun 11 2020 Chris Co 5.4.23-17 -- Enable PAGE_POISONING configs -- Disable PROC_KCORE config -- Enable RANDOM_TRUST_CPU config for x86_64 -* Fri Jun 05 2020 Suresh Babu Chalamalasetty 5.4.23-16 -- Adding BPF config flags -* Thu Jun 04 2020 Chris Co 5.4.23-15 -- Add config support for USB video class devices -* Wed Jun 03 2020 Nicolas Ontiveros 5.4.23-14 -- Add CONFIG_CRYPTO_XTS=y to config. -* Wed Jun 03 2020 Chris Co 5.4.23-13 -- Add patch to support CometLake e1000e ethernet -- Remove drivers-gpu subpackage -- Inline the initramfs trigger and postun source files -- Remove rpi3 dtb and ls1012 dtb subpackages -* Wed May 27 2020 Chris Co 5.4.23-12 -- Update arm64 security configs -- Disable devmem in x86_64 config -* Tue May 26 2020 Daniel Mihai 5.4.23-11 -- Disabled Reliable Datagram Sockets protocol (CONFIG_RDS). -* Fri May 22 2020 Emre Girgin 5.4.23-10 -- Change /boot directory permissions to 600. 
-* Thu May 21 2020 Chris Co 5.4.23-9 -- Update x86_64 security configs -* Wed May 20 2020 Suresh Babu Chalamalasetty 5.4.23-8 -- Adding InfiniBand config flags -* Mon May 11 2020 Anand Muthurajan 5.4.23-7 -- Adding PPP config flags -* Tue Apr 28 2020 Emre Girgin 5.4.23-6 -- Renaming Linux-PAM to pam -* Tue Apr 28 2020 Emre Girgin 5.4.23-5 -- Renaming linux to kernel -* Tue Apr 14 2020 Emre Girgin 5.4.23-4 -- Remove linux-aws and linux-esx references. -- Remove kat_build usage. -- Remove ENA module. -* Fri Apr 10 2020 Emre Girgin 5.4.23-3 -- Remove xml-security-c dependency. -* Wed Apr 08 2020 Nicolas Ontiveros 5.4.23-2 -- Remove toybox and only use coreutils for requires. -* Tue Dec 10 2019 Chris Co 5.4.23-1 -- Update to Microsoft Linux Kernel 5.4.23 -- Remove patches -- Update ENA module to 2.1.2 to work with Linux 5.4.23 -- Remove xr module -- Remove Xen tmem module from dracut module list to fix initramfs creation -- Add patch to fix missing trans_pgd header in aarch64 build -* Fri Oct 11 2019 Henry Beberman 4.19.52-8 -- Enable Hyper-V TPM in config -* Tue Sep 03 2019 Mateusz Malisz 4.19.52-7 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Thu Jul 25 2019 Keerthana K 4.19.52-6 -- Fix postun scriplet. -* Thu Jul 11 2019 Keerthana K 4.19.52-5 -- Enable kernel configs necessary for BPF Compiler Collection (BCC). -* Wed Jul 10 2019 Srivatsa S. Bhat (VMware) 4.19.52-4 -- Deprecate linux-aws-tools in favor of linux-tools. -* Tue Jul 02 2019 Alexey Makhalov 4.19.52-3 -- Fix 9p vsock 16bit port issue. -* Thu Jun 20 2019 Tapas Kundu 4.19.52-2 -- Enabled CONFIG_I2C_CHARDEV to support lm-sensors -* Mon Jun 17 2019 Srivatsa S. Bhat (VMware) 4.19.52-1 -- Update to version 4.19.52 -- Fix CVE-2019-12456, CVE-2019-12379, CVE-2019-12380, CVE-2019-12381, -- CVE-2019-12382, CVE-2019-12378, CVE-2019-12455 -* Tue May 28 2019 Srivatsa S. Bhat (VMware) 4.19.40-3 -- Change default I/O scheduler to 'deadline' to fix performance issue. 
-* Tue May 14 2019 Keerthana K 4.19.40-2 -- Fix to parse through /boot folder and update symlink (/boot/photon.cfg) if -- mulitple kernels are installed and current linux kernel is removed. -* Tue May 07 2019 Ajay Kaher 4.19.40-1 -- Update to version 4.19.40 -* Thu Apr 11 2019 Srivatsa S. Bhat (VMware) 4.19.32-3 -- Update config_aarch64 to fix ARM64 build. -* Fri Mar 29 2019 Srivatsa S. Bhat (VMware) 4.19.32-2 -- Fix CVE-2019-10125 -* Wed Mar 27 2019 Srivatsa S. Bhat (VMware) 4.19.32-1 -- Update to version 4.19.32 -* Thu Mar 14 2019 Srivatsa S. Bhat (VMware) 4.19.29-1 -- Update to version 4.19.29 -* Tue Mar 05 2019 Ajay Kaher 4.19.26-1 -- Update to version 4.19.26 -* Thu Feb 21 2019 Him Kalyan Bordoloi 4.19.15-3 -- Fix CVE-2019-8912 -* Thu Jan 24 2019 Alexey Makhalov 4.19.15-2 -- Add WiFi (ath10k), sensors (i2c,spi), usb support for NXP LS1012A board. -* Tue Jan 15 2019 Srivatsa S. Bhat (VMware) 4.19.15-1 -- Update to version 4.19.15 -* Fri Jan 11 2019 Srinidhi Rao 4.19.6-7 -- Add Network support for NXP LS1012A board. -* Wed Jan 09 2019 Ankit Jain 4.19.6-6 -- Enable following for x86_64 and aarch64: -- Enable Kernel Address Space Layout Randomization. -- Enable CONFIG_SECURITY_NETWORK_XFRM -* Fri Jan 04 2019 Srivatsa S. Bhat (VMware) 4.19.6-5 -- Enable AppArmor by default. -* Wed Jan 02 2019 Alexey Makhalov 4.19.6-4 -- .config: added Compulab fitlet2 device drivers -- .config_aarch64: added gpio sysfs support -- renamed -sound to -drivers-sound -* Tue Jan 01 2019 Ajay Kaher 4.19.6-3 -- .config: Enable CONFIG_PCI_HYPERV driver -* Wed Dec 19 2018 Srinidhi Rao 4.19.6-2 -- Add NXP LS1012A support. -* Mon Dec 10 2018 Srivatsa S. Bhat (VMware) 4.19.6-1 -- Update to version 4.19.6 -* Fri Dec 07 2018 Alexey Makhalov 4.19.1-3 -- .config: added qmi wwan module -* Mon Nov 12 2018 Ajay Kaher 4.19.1-2 -- Fix config_aarch64 for 4.19.1 -* Mon Nov 05 2018 Srivatsa S. 
Bhat (VMware) 4.19.1-1 -- Update to version 4.19.1 -* Tue Oct 16 2018 Him Kalyan Bordoloi 4.18.9-5 -- Change in config to enable drivers for zigbee and GPS -* Fri Oct 12 2018 Ajay Kaher 4.18.9-4 -- Enable LAN78xx for aarch64 rpi3 -* Fri Oct 5 2018 Ajay Kaher 4.18.9-3 -- Fix config_aarch64 for 4.18.9 -- Add module.lds for aarch64 -* Wed Oct 03 2018 Srivatsa S. Bhat 4.18.9-2 -- Use updated steal time accounting patch. -- .config: Enable CONFIG_CPU_ISOLATION and a few networking options -- that got accidentally dropped in the last update. -* Mon Oct 1 2018 Srivatsa S. Bhat 4.18.9-1 -- Update to version 4.18.9 -* Tue Sep 25 2018 Ajay Kaher 4.14.67-2 -- Build hang (at make oldconfig) fix in config_aarch64 -* Wed Sep 19 2018 Srivatsa S. Bhat 4.14.67-1 -- Update to version 4.14.67 -* Tue Sep 18 2018 Srivatsa S. Bhat 4.14.54-7 -- Add rdrand-based RNG driver to enhance kernel entropy. -* Sun Sep 02 2018 Srivatsa S. Bhat 4.14.54-6 -- Add full retpoline support by building with retpoline-enabled gcc. -* Thu Aug 30 2018 Srivatsa S. Bhat 4.14.54-5 -- Apply out-of-tree patches needed for AppArmor. -* Wed Aug 22 2018 Alexey Makhalov 4.14.54-4 -- Fix overflow kernel panic in rsi driver. -- .config: enable BT stack, enable GPIO sysfs. -- Add Exar USB serial driver. -* Fri Aug 17 2018 Ajay Kaher 4.14.54-3 -- Enabled USB PCI in config_aarch64 -- Build hang (at make oldconfig) fix in config_aarch64 -* Thu Jul 19 2018 Alexey Makhalov 4.14.54-2 -- .config: usb_serial_pl2303=m,wlan=y,can=m,gpio=y,pinctrl=y,iio=m -* Mon Jul 09 2018 Him Kalyan Bordoloi 4.14.54-1 -- Update to version 4.14.54 -* Fri Jan 26 2018 Alexey Makhalov 4.14.8-2 -- Added vchiq entry to rpi3 dts -- Added dtb-rpi3 subpackage -* Fri Dec 22 2017 Alexey Makhalov 4.14.8-1 -- Version update -* Wed Dec 13 2017 Alexey Makhalov 4.9.66-4 -- KAT build support -* Thu Dec 07 2017 Alexey Makhalov 4.9.66-3 -- Aarch64 support -* Tue Dec 05 2017 Alexey Makhalov 4.9.66-2 -- Sign and compress modules after stripping. 
fips=1 requires signed modules -* Mon Dec 04 2017 Srivatsa S. Bhat 4.9.66-1 -- Version update -* Tue Nov 21 2017 Srivatsa S. Bhat 4.9.64-1 -- Version update -* Mon Nov 06 2017 Srivatsa S. Bhat 4.9.60-1 -- Version update -* Wed Oct 11 2017 Srivatsa S. Bhat 4.9.53-3 -- Add patch "KVM: Don't accept obviously wrong gsi values via +* Mon Nov 16 2020 Suresh Babu Chalamalasetty - 5.4.72-3 +- Disable kernel config SLUB_DEBUG_ON due to tcp throughput perf impact + +* Tue Nov 10 2020 Suresh Babu Chalamalasetty - 5.4.72-2 +- Enable kernel configs for Arm64 HyperV, Ampere and Cavium SoCs support + +* Mon Oct 26 2020 Chris Co - 5.4.72-1 +- Update source to 5.4.72 +- Remove patch to support CometLake e1000e ethernet. Integrated in 5.4.72. +- Add license file +- Lint spec +- Address CVE-2018-1000026, CVE-2018-16880, CVE-2020-12464, CVE-2020-12465, + CVE-2020-12659, CVE-2020-15780, CVE-2020-14356, CVE-2020-14386, CVE-2020-25645, + CVE-2020-25643, CVE-2020-25211, CVE-2020-25212, CVE-2008-4609, CVE-2020-14331, + CVE-2010-0298, CVE-2020-10690, CVE-2020-25285, CVE-2020-10711, CVE-2019-3887, + CVE-2020-14390, CVE-2019-19338, CVE-2019-20810, CVE-2020-10766, CVE-2020-10767, + CVE-2020-10768, CVE-2020-10781, CVE-2020-12768, CVE-2020-14314, CVE-2020-14385, + CVE-2020-25641, CVE-2020-26088, CVE-2020-10942, CVE-2020-12826, CVE-2019-3016, + CVE-2019-3819, CVE-2020-16166, CVE-2020-11608, CVE-2020-11609, CVE-2020-25284, + CVE-2020-12888, CVE-2017-8244, CVE-2017-8245, CVE-2017-8246, CVE-2009-4484, + CVE-2015-5738, CVE-2007-4998, CVE-2010-0309, CVE-2011-0640, CVE-2020-12656, + CVE-2011-2519, CVE-1999-0656, CVE-2010-4563, CVE-2019-20794, CVE-1999-0524 + +* Fri Oct 16 2020 Suresh Babu Chalamalasetty - 5.4.51-11 +- Enable QAT kernel configs + +* Fri Oct 02 2020 Chris Co - 5.4.51-10 +- Address CVE-2020-10757, CVE-2020-12653, CVE-2020-12657, CVE-2010-3865, + CVE-2020-11668, CVE-2020-12654, CVE-2020-24394, CVE-2020-8428 + +* Fri Oct 02 2020 Chris Co - 5.4.51-9 +- Fix aarch64 build error + +* Wed Sep 30 
2020 Emre Girgin - 5.4.51-8 +- Update postun script to deal with removal in case of another installed kernel. + +* Fri Sep 25 2020 Suresh Babu Chalamalasetty - 5.4.51-7 +- Enable Mellanox kernel configs + +* Wed Sep 23 2020 Daniel McIlvaney - 5.4.51-6 +- Enable CONFIG_IMA (measurement only) and associated configs + +* Thu Sep 03 2020 Daniel McIlvaney - 5.4.51-5 +- Add code to check for missing config flags in the checked in configs + +* Thu Sep 03 2020 Chris Co - 5.4.51-4 +- Apply additional kernel hardening configs + +* Thu Sep 03 2020 Chris Co - 5.4.51-3 +- Bump release number due to kernel-signed- package update +- Minor aarch64 config and changelog cleanup + +* Tue Sep 01 2020 Chris Co - 5.4.51-2 +- Update source hash + +* Wed Aug 19 2020 Chris Co - 5.4.51-1 +- Update source to 5.4.51 +- Enable DXGKRNL config +- Address CVE-2020-11494, CVE-2020-11565, CVE-2020-12655, CVE-2020-12771, + CVE-2020-13974, CVE-2020-15393, CVE-2020-8647, CVE-2020-8648, CVE-2020-8649, + CVE-2020-9383, CVE-2020-11725 + +* Wed Aug 19 2020 Chris Co - 5.4.42-12 +- Remove the signed package depends + +* Tue Aug 18 2020 Chris Co - 5.4.42-11 +- Remove signed subpackage + +* Mon Aug 17 2020 Chris Co - 5.4.42-10 +- Enable BPF, PC104, userfaultfd, SLUB sysfs, SMC, XDP sockets monitoring configs + +* Fri Aug 07 2020 Mateusz Malisz - 5.4.42-9 +- Add crashkernel=128M to the kernel cmdline +- Update config to support kexec and kexec_file_load + +* Tue Aug 04 2020 Pawel Winogrodzki - 5.4.42-8 +- Updating "KBUILD_BUILD_VERSION" and "KBUILD_BUILD_HOST" with correct + distribution name. 
+ +* Wed Jul 22 2020 Chris Co - 5.4.42-7 +- Address CVE-2020-8992, CVE-2020-12770, CVE-2020-13143, CVE-2020-11884 + +* Fri Jul 17 2020 Suresh Babu Chalamalasetty - 5.4.42-6 +- Enable CONFIG_MLX5_CORE_IPOIB and CONFIG_INFINIBAND_IPOIB config flags + +* Fri Jul 17 2020 Suresh Babu Chalamalasetty - 5.4.42-5 +- Adding XDP config flag + +* Thu Jul 09 2020 Anand Muthurajan - 5.4.42-4 +- Enable CONFIG_QED, CONFIG_QEDE, CONFIG_QED_SRIOV and CONFIG_QEDE_VXLAN flags + +* Wed Jun 24 2020 Chris Co - 5.4.42-3 +- Regenerate input config files + +* Fri Jun 19 2020 Chris Co - 5.4.42-2 +- Add kernel-secure subpackage and macros for adding offline signed kernels + +* Fri Jun 12 2020 Chris Co - 5.4.42-1 +- Update source to 5.4.42 + +* Thu Jun 11 2020 Chris Co - 5.4.23-17 +- Enable PAGE_POISONING configs +- Disable PROC_KCORE config +- Enable RANDOM_TRUST_CPU config for x86_64 + +* Fri Jun 05 2020 Suresh Babu Chalamalasetty - 5.4.23-16 +- Adding BPF config flags + +* Thu Jun 04 2020 Chris Co - 5.4.23-15 +- Add config support for USB video class devices + +* Wed Jun 03 2020 Nicolas Ontiveros - 5.4.23-14 +- Add CONFIG_CRYPTO_XTS=y to config. + +* Wed Jun 03 2020 Chris Co - 5.4.23-13 +- Add patch to support CometLake e1000e ethernet +- Remove drivers-gpu subpackage +- Inline the initramfs trigger and postun source files +- Remove rpi3 dtb and ls1012 dtb subpackages + +* Wed May 27 2020 Chris Co - 5.4.23-12 +- Update arm64 security configs +- Disable devmem in x86_64 config + +* Tue May 26 2020 Daniel Mihai - 5.4.23-11 +- Disabled Reliable Datagram Sockets protocol (CONFIG_RDS). + +* Fri May 22 2020 Emre Girgin - 5.4.23-10 +- Change /boot directory permissions to 600. 
+ +* Thu May 21 2020 Chris Co - 5.4.23-9 +- Update x86_64 security configs + +* Wed May 20 2020 Suresh Babu Chalamalasetty - 5.4.23-8 +- Adding InfiniBand config flags + +* Mon May 11 2020 Anand Muthurajan - 5.4.23-7 +- Adding PPP config flags + +* Tue Apr 28 2020 Emre Girgin - 5.4.23-6 +- Renaming Linux-PAM to pam + +* Tue Apr 28 2020 Emre Girgin - 5.4.23-5 +- Renaming linux to kernel + +* Tue Apr 14 2020 Emre Girgin - 5.4.23-4 +- Remove linux-aws and linux-esx references. +- Remove kat_build usage. +- Remove ENA module. + +* Fri Apr 10 2020 Emre Girgin - 5.4.23-3 +- Remove xml-security-c dependency. + +* Wed Apr 08 2020 Nicolas Ontiveros - 5.4.23-2 +- Remove toybox and only use coreutils for requires. + +* Tue Dec 10 2019 Chris Co - 5.4.23-1 +- Update to Microsoft Linux Kernel 5.4.23 +- Remove patches +- Update ENA module to 2.1.2 to work with Linux 5.4.23 +- Remove xr module +- Remove Xen tmem module from dracut module list to fix initramfs creation +- Add patch to fix missing trans_pgd header in aarch64 build + +* Fri Oct 11 2019 Henry Beberman - 4.19.52-8 +- Enable Hyper-V TPM in config + +* Tue Sep 03 2019 Mateusz Malisz - 4.19.52-7 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Thu Jul 25 2019 Keerthana K - 4.19.52-6 +- Fix postun scriplet. + +* Thu Jul 11 2019 Keerthana K - 4.19.52-5 +- Enable kernel configs necessary for BPF Compiler Collection (BCC). + +* Wed Jul 10 2019 Srivatsa S. Bhat (VMware) 4.19.52-4 +- Deprecate linux-aws-tools in favor of linux-tools. + +* Tue Jul 02 2019 Alexey Makhalov - 4.19.52-3 +- Fix 9p vsock 16bit port issue. + +* Thu Jun 20 2019 Tapas Kundu - 4.19.52-2 +- Enabled CONFIG_I2C_CHARDEV to support lm-sensors + +* Mon Jun 17 2019 Srivatsa S. Bhat (VMware) 4.19.52-1 +- Update to version 4.19.52 +- Fix CVE-2019-12456, CVE-2019-12379, CVE-2019-12380, CVE-2019-12381, +- CVE-2019-12382, CVE-2019-12378, CVE-2019-12455 + +* Tue May 28 2019 Srivatsa S. 
Bhat (VMware) 4.19.40-3 +- Change default I/O scheduler to 'deadline' to fix performance issue. + +* Tue May 14 2019 Keerthana K - 4.19.40-2 +- Fix to parse through /boot folder and update symlink (/boot/photon.cfg) if +- mulitple kernels are installed and current linux kernel is removed. + +* Tue May 07 2019 Ajay Kaher - 4.19.40-1 +- Update to version 4.19.40 + +* Thu Apr 11 2019 Srivatsa S. Bhat (VMware) 4.19.32-3 +- Update config_aarch64 to fix ARM64 build. + +* Fri Mar 29 2019 Srivatsa S. Bhat (VMware) 4.19.32-2 +- Fix CVE-2019-10125 + +* Wed Mar 27 2019 Srivatsa S. Bhat (VMware) 4.19.32-1 +- Update to version 4.19.32 + +* Thu Mar 14 2019 Srivatsa S. Bhat (VMware) 4.19.29-1 +- Update to version 4.19.29 + +* Tue Mar 05 2019 Ajay Kaher - 4.19.26-1 +- Update to version 4.19.26 + +* Thu Feb 21 2019 Him Kalyan Bordoloi - 4.19.15-3 +- Fix CVE-2019-8912 + +* Thu Jan 24 2019 Alexey Makhalov - 4.19.15-2 +- Add WiFi (ath10k), sensors (i2c,spi), usb support for NXP LS1012A board. + +* Tue Jan 15 2019 Srivatsa S. Bhat (VMware) 4.19.15-1 +- Update to version 4.19.15 + +* Fri Jan 11 2019 Srinidhi Rao - 4.19.6-7 +- Add Network support for NXP LS1012A board. + +* Wed Jan 09 2019 Ankit Jain - 4.19.6-6 +- Enable following for x86_64 and aarch64: +- Enable Kernel Address Space Layout Randomization. +- Enable CONFIG_SECURITY_NETWORK_XFRM + +* Fri Jan 04 2019 Srivatsa S. Bhat (VMware) 4.19.6-5 +- Enable AppArmor by default. + +* Wed Jan 02 2019 Alexey Makhalov - 4.19.6-4 +- .config: added Compulab fitlet2 device drivers +- .config_aarch64: added gpio sysfs support +- renamed -sound to -drivers-sound + +* Tue Jan 01 2019 Ajay Kaher - 4.19.6-3 +- .config: Enable CONFIG_PCI_HYPERV driver + +* Wed Dec 19 2018 Srinidhi Rao - 4.19.6-2 +- Add NXP LS1012A support. + +* Mon Dec 10 2018 Srivatsa S. 
Bhat (VMware) 4.19.6-1 +- Update to version 4.19.6 + +* Fri Dec 07 2018 Alexey Makhalov - 4.19.1-3 +- .config: added qmi wwan module + +* Mon Nov 12 2018 Ajay Kaher - 4.19.1-2 +- Fix config_aarch64 for 4.19.1 + +* Mon Nov 05 2018 Srivatsa S. Bhat (VMware) 4.19.1-1 +- Update to version 4.19.1 + +* Tue Oct 16 2018 Him Kalyan Bordoloi - 4.18.9-5 +- Change in config to enable drivers for zigbee and GPS + +* Fri Oct 12 2018 Ajay Kaher - 4.18.9-4 +- Enable LAN78xx for aarch64 rpi3 + +* Fri Oct 5 2018 Ajay Kaher - 4.18.9-3 +- Fix config_aarch64 for 4.18.9 +- Add module.lds for aarch64 + +* Wed Oct 03 2018 Srivatsa S. Bhat 4.18.9-2 +- Use updated steal time accounting patch. +- .config: Enable CONFIG_CPU_ISOLATION and a few networking options +- that got accidentally dropped in the last update. + +* Mon Oct 1 2018 Srivatsa S. Bhat 4.18.9-1 +- Update to version 4.18.9 + +* Tue Sep 25 2018 Ajay Kaher - 4.14.67-2 +- Build hang (at make oldconfig) fix in config_aarch64 + +* Wed Sep 19 2018 Srivatsa S. Bhat 4.14.67-1 +- Update to version 4.14.67 + +* Tue Sep 18 2018 Srivatsa S. Bhat 4.14.54-7 +- Add rdrand-based RNG driver to enhance kernel entropy. + +* Sun Sep 02 2018 Srivatsa S. Bhat 4.14.54-6 +- Add full retpoline support by building with retpoline-enabled gcc. + +* Thu Aug 30 2018 Srivatsa S. Bhat 4.14.54-5 +- Apply out-of-tree patches needed for AppArmor. + +* Wed Aug 22 2018 Alexey Makhalov - 4.14.54-4 +- Fix overflow kernel panic in rsi driver. +- .config: enable BT stack, enable GPIO sysfs. +- Add Exar USB serial driver. 
+ +* Fri Aug 17 2018 Ajay Kaher - 4.14.54-3 +- Enabled USB PCI in config_aarch64 +- Build hang (at make oldconfig) fix in config_aarch64 + +* Thu Jul 19 2018 Alexey Makhalov - 4.14.54-2 +- .config: usb_serial_pl2303=m,wlan=y,can=m,gpio=y,pinctrl=y,iio=m + +* Mon Jul 09 2018 Him Kalyan Bordoloi - 4.14.54-1 +- Update to version 4.14.54 + +* Fri Jan 26 2018 Alexey Makhalov - 4.14.8-2 +- Added vchiq entry to rpi3 dts +- Added dtb-rpi3 subpackage + +* Fri Dec 22 2017 Alexey Makhalov - 4.14.8-1 +- Version update + +* Wed Dec 13 2017 Alexey Makhalov - 4.9.66-4 +- KAT build support + +* Thu Dec 07 2017 Alexey Makhalov - 4.9.66-3 +- Aarch64 support + +* Tue Dec 05 2017 Alexey Makhalov - 4.9.66-2 +- Sign and compress modules after stripping. fips=1 requires signed modules + +* Mon Dec 04 2017 Srivatsa S. Bhat 4.9.66-1 +- Version update + +* Tue Nov 21 2017 Srivatsa S. Bhat 4.9.64-1 +- Version update + +* Mon Nov 06 2017 Srivatsa S. Bhat 4.9.60-1 +- Version update + +* Wed Oct 11 2017 Srivatsa S. Bhat 4.9.53-3 +- Add patch "KVM: Don't accept obviously wrong gsi values via KVM_IRQFD" to fix CVE-2017-1000252. -* Tue Oct 10 2017 Alexey Makhalov 4.9.53-2 -- Build hang (at make oldconfig) fix. -* Thu Oct 05 2017 Srivatsa S. Bhat 4.9.53-1 -- Version update -* Mon Oct 02 2017 Srivatsa S. Bhat 4.9.52-3 -- Allow privileged CLONE_NEWUSER from nested user namespaces. -* Mon Oct 02 2017 Srivatsa S. Bhat 4.9.52-2 -- Fix CVE-2017-11472 (ACPICA: Namespace: fix operand cache leak) -* Mon Oct 02 2017 Srivatsa S. 
Bhat 4.9.52-1 -- Version update -* Mon Sep 18 2017 Alexey Makhalov 4.9.47-2 -- Requires coreutils or toybox -* Mon Sep 04 2017 Alexey Makhalov 4.9.47-1 -- Fix CVE-2017-11600 -* Tue Aug 22 2017 Anish Swaminathan 4.9.43-2 -- Add missing xen block drivers -* Mon Aug 14 2017 Alexey Makhalov 4.9.43-1 -- Version update -- [feature] new sysctl option unprivileged_userns_clone -* Wed Aug 09 2017 Alexey Makhalov 4.9.41-2 -- Fix CVE-2017-7542 -- [bugfix] Added ccm,gcm,ghash,lzo crypto modules to avoid + +* Tue Oct 10 2017 Alexey Makhalov - 4.9.53-2 +- Build hang (at make oldconfig) fix. + +* Thu Oct 05 2017 Srivatsa S. Bhat 4.9.53-1 +- Version update + +* Mon Oct 02 2017 Srivatsa S. Bhat 4.9.52-3 +- Allow privileged CLONE_NEWUSER from nested user namespaces. + +* Mon Oct 02 2017 Srivatsa S. Bhat 4.9.52-2 +- Fix CVE-2017-11472 (ACPICA: Namespace: fix operand cache leak) + +* Mon Oct 02 2017 Srivatsa S. Bhat 4.9.52-1 +- Version update + +* Mon Sep 18 2017 Alexey Makhalov - 4.9.47-2 +- Requires coreutils or toybox + +* Mon Sep 04 2017 Alexey Makhalov - 4.9.47-1 +- Fix CVE-2017-11600 + +* Tue Aug 22 2017 Anish Swaminathan - 4.9.43-2 +- Add missing xen block drivers + +* Mon Aug 14 2017 Alexey Makhalov - 4.9.43-1 +- Version update +- [feature] new sysctl option unprivileged_userns_clone + +* Wed Aug 09 2017 Alexey Makhalov - 4.9.41-2 +- Fix CVE-2017-7542 +- [bugfix] Added ccm,gcm,ghash,lzo crypto modules to avoid panic on modprobe tcrypt -* Mon Aug 07 2017 Alexey Makhalov 4.9.41-1 -- Version update -* Fri Aug 04 2017 Bo Gan 4.9.38-6 -- Fix initramfs triggers -* Tue Aug 01 2017 Anish Swaminathan 4.9.38-5 -- Allow some algorithms in FIPS mode -- Reverts 284a0f6e87b0721e1be8bca419893902d9cf577a and backports -- bcf741cb779283081db47853264cc94854e7ad83 in the kernel tree -- Enable additional NF features -* Fri Jul 21 2017 Anish Swaminathan 4.9.38-4 -- Add patches in Hyperv codebase -* Fri Jul 21 2017 Anish Swaminathan 4.9.38-3 -- Add missing hyperv drivers -* Thu Jul 20 2017 Alexey 
Makhalov 4.9.38-2 -- Disable scheduler beef up patch -* Tue Jul 18 2017 Alexey Makhalov 4.9.38-1 -- Fix CVE-2017-11176 and CVE-2017-10911 -* Mon Jul 03 2017 Xiaolin Li 4.9.34-3 -- Add libdnet-devel, kmod-devel and libmspack-devel to BuildRequires -* Thu Jun 29 2017 Divya Thaluru 4.9.34-2 -- Added obsolete for deprecated linux-dev package -* Wed Jun 28 2017 Alexey Makhalov 4.9.34-1 -- [feature] 9P FS security support -- [feature] DM Delay target support -- Fix CVE-2017-1000364 ("stack clash") and CVE-2017-9605 -* Thu Jun 8 2017 Alexey Makhalov 4.9.31-1 -- Fix CVE-2017-8890, CVE-2017-9074, CVE-2017-9075, CVE-2017-9076 + +* Mon Aug 07 2017 Alexey Makhalov - 4.9.41-1 +- Version update + +* Fri Aug 04 2017 Bo Gan - 4.9.38-6 +- Fix initramfs triggers + +* Tue Aug 01 2017 Anish Swaminathan - 4.9.38-5 +- Allow some algorithms in FIPS mode +- Reverts 284a0f6e87b0721e1be8bca419893902d9cf577a and backports +- bcf741cb779283081db47853264cc94854e7ad83 in the kernel tree +- Enable additional NF features + +* Fri Jul 21 2017 Anish Swaminathan - 4.9.38-4 +- Add patches in Hyperv codebase + +* Fri Jul 21 2017 Anish Swaminathan - 4.9.38-3 +- Add missing hyperv drivers + +* Thu Jul 20 2017 Alexey Makhalov - 4.9.38-2 +- Disable scheduler beef up patch + +* Tue Jul 18 2017 Alexey Makhalov - 4.9.38-1 +- Fix CVE-2017-11176 and CVE-2017-10911 + +* Mon Jul 03 2017 Xiaolin Li - 4.9.34-3 +- Add libdnet-devel, kmod-devel and libmspack-devel to BuildRequires + +* Thu Jun 29 2017 Divya Thaluru - 4.9.34-2 +- Added obsolete for deprecated linux-dev package + +* Wed Jun 28 2017 Alexey Makhalov - 4.9.34-1 +- [feature] 9P FS security support +- [feature] DM Delay target support +- Fix CVE-2017-1000364 ("stack clash") and CVE-2017-9605 + +* Thu Jun 8 2017 Alexey Makhalov - 4.9.31-1 +- Fix CVE-2017-8890, CVE-2017-9074, CVE-2017-9075, CVE-2017-9076 CVE-2017-9077 and CVE-2017-9242 -- [feature] IPV6 netfilter NAT table support -* Fri May 26 2017 Alexey Makhalov 4.9.30-1 -- Added ENA driver for AMI -- Fix 
CVE-2017-7487 and CVE-2017-9059 -* Wed May 17 2017 Vinay Kulkarni 4.9.28-2 -- Enable IPVLAN module. -* Tue May 16 2017 Alexey Makhalov 4.9.28-1 -- Version update -* Wed May 10 2017 Alexey Makhalov 4.9.27-1 -- Version update -* Sun May 7 2017 Alexey Makhalov 4.9.26-1 -- Version update -- Removed version suffix from config file name -* Thu Apr 27 2017 Bo Gan 4.9.24-2 -- Support dynamic initrd generation -* Tue Apr 25 2017 Alexey Makhalov 4.9.24-1 -- Fix CVE-2017-6874 and CVE-2017-7618. -- Fix audit-devel BuildRequires. -- .config: build nvme and nvme-core in kernel. -* Mon Mar 6 2017 Alexey Makhalov 4.9.13-2 -- .config: NSX requirements for crypto and netfilter -* Tue Feb 28 2017 Alexey Makhalov 4.9.13-1 -- Update to linux-4.9.13 to fix CVE-2017-5986 and CVE-2017-6074 -* Thu Feb 09 2017 Alexey Makhalov 4.9.9-1 -- Update to linux-4.9.9 to fix CVE-2016-10153, CVE-2017-5546, +- [feature] IPV6 netfilter NAT table support + +* Fri May 26 2017 Alexey Makhalov - 4.9.30-1 +- Added ENA driver for AMI +- Fix CVE-2017-7487 and CVE-2017-9059 + +* Wed May 17 2017 Vinay Kulkarni - 4.9.28-2 +- Enable IPVLAN module. + +* Tue May 16 2017 Alexey Makhalov - 4.9.28-1 +- Version update + +* Wed May 10 2017 Alexey Makhalov - 4.9.27-1 +- Version update + +* Sun May 7 2017 Alexey Makhalov - 4.9.26-1 +- Version update +- Removed version suffix from config file name + +* Thu Apr 27 2017 Bo Gan - 4.9.24-2 +- Support dynamic initrd generation + +* Tue Apr 25 2017 Alexey Makhalov - 4.9.24-1 +- Fix CVE-2017-6874 and CVE-2017-7618. +- Fix audit-devel BuildRequires. +- .config: build nvme and nvme-core in kernel. + +* Mon Mar 6 2017 Alexey Makhalov - 4.9.13-2 +- .config: NSX requirements for crypto and netfilter + +* Tue Feb 28 2017 Alexey Makhalov - 4.9.13-1 +- Update to linux-4.9.13 to fix CVE-2017-5986 and CVE-2017-6074 + +* Thu Feb 09 2017 Alexey Makhalov - 4.9.9-1 +- Update to linux-4.9.9 to fix CVE-2016-10153, CVE-2017-5546, CVE-2017-5547, CVE-2017-5548 and CVE-2017-5576. 
-- .config: added CRYPTO_FIPS support. -* Tue Jan 10 2017 Alexey Makhalov 4.9.2-1 -- Update to linux-4.9.2 to fix CVE-2016-10088 -- Move linux-tools.spec to linux.spec as -tools subpackage -* Mon Dec 19 2016 Xiaolin Li 4.9.0-2 -- BuildRequires Linux-PAM-devel -* Mon Dec 12 2016 Alexey Makhalov 4.9.0-1 -- Update to linux-4.9.0 -- Add paravirt stolen time accounting feature (from linux-esx), +- .config: added CRYPTO_FIPS support. + +* Tue Jan 10 2017 Alexey Makhalov - 4.9.2-1 +- Update to linux-4.9.2 to fix CVE-2016-10088 +- Move linux-tools.spec to linux.spec as -tools subpackage + +* Mon Dec 19 2016 Xiaolin Li - 4.9.0-2 +- BuildRequires Linux-PAM-devel + +* Mon Dec 12 2016 Alexey Makhalov - 4.9.0-1 +- Update to linux-4.9.0 +- Add paravirt stolen time accounting feature (from linux-esx), but disable it by default (no-vmw-sta cmdline parameter) -* Thu Dec 8 2016 Alexey Makhalov 4.4.35-3 -- net-packet-fix-race-condition-in-packet_set_ring.patch + +* Thu Dec 8 2016 Alexey Makhalov - 4.4.35-3 +- net-packet-fix-race-condition-in-packet_set_ring.patch to fix CVE-2016-8655 -* Wed Nov 30 2016 Alexey Makhalov 4.4.35-2 -- Expand `uname -r` with release number -- Check for build-id matching -- Added syscalls tracing support -- Compress modules -* Mon Nov 28 2016 Alexey Makhalov 4.4.35-1 -- Update to linux-4.4.35 -- vfio-pci-fix-integer-overflows-bitmask-check.patch + +* Wed Nov 30 2016 Alexey Makhalov - 4.4.35-2 +- Expand `uname -r` with release number +- Check for build-id matching +- Added syscalls tracing support +- Compress modules + +* Mon Nov 28 2016 Alexey Makhalov - 4.4.35-1 +- Update to linux-4.4.35 +- vfio-pci-fix-integer-overflows-bitmask-check.patch to fix CVE-2016-9083 -* Tue Nov 22 2016 Alexey Makhalov 4.4.31-4 -- net-9p-vsock.patch -* Thu Nov 17 2016 Alexey Makhalov 4.4.31-3 -- tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch + +* Tue Nov 22 2016 Alexey Makhalov - 4.4.31-4 +- net-9p-vsock.patch + +* Thu Nov 17 2016 Alexey Makhalov - 4.4.31-3 +- 
tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch to fix CVE-2015-8964 -* Tue Nov 15 2016 Alexey Makhalov 4.4.31-2 -- .config: add cgrup_hugetlb support -- .config: add netfilter_xt_{set,target_ct} support -- .config: add netfilter_xt_match_{cgroup,ipvs} support -* Thu Nov 10 2016 Alexey Makhalov 4.4.31-1 -- Update to linux-4.4.31 -* Fri Oct 21 2016 Alexey Makhalov 4.4.26-1 -- Update to linux-4.4.26 -* Wed Oct 19 2016 Alexey Makhalov 4.4.20-6 -- net-add-recursion-limit-to-GRO.patch -- scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xfer.patch -* Tue Oct 18 2016 Alexey Makhalov 4.4.20-5 -- ipip-properly-mark-ipip-GRO-packets-as-encapsulated.patch -- tunnels-dont-apply-GRO-to-multiple-layers-of-encapsulation.patch -* Mon Oct 3 2016 Alexey Makhalov 4.4.20-4 -- Package vmlinux with PROGBITS sections in -debuginfo subpackage -* Tue Sep 27 2016 Alexey Makhalov 4.4.20-3 -- .config: CONFIG_IP_SET_HASH_{IPMARK,MAC}=m -* Tue Sep 20 2016 Alexey Makhalov 4.4.20-2 -- Add -release number for /boot/* files -- Use initrd.img with version and release number -- Rename -dev subpackage to -devel -* Wed Sep 7 2016 Alexey Makhalov 4.4.20-1 -- Update to linux-4.4.20 -- apparmor-fix-oops-validate-buffer-size-in-apparmor_setprocattr.patch -- keys-fix-asn.1-indefinite-length-object-parsing.patch -* Thu Aug 25 2016 Alexey Makhalov 4.4.8-11 -- vmxnet3 patches to bumpup a version to 1.4.8.0 -* Wed Aug 10 2016 Alexey Makhalov 4.4.8-10 -- Added VSOCK-Detach-QP-check-should-filter-out-non-matching-QPs.patch -- .config: pmem hotplug + ACPI NFIT support -- .config: enable EXPERT mode, disable UID16 syscalls -* Thu Jul 07 2016 Alexey Makhalov 4.4.8-9 -- .config: pmem + fs_dax support -* Fri Jun 17 2016 Alexey Makhalov 4.4.8-8 -- patch: e1000e-prevent-div-by-zero-if-TIMINCA-is-zero.patch -- .config: disable rt group scheduling - not supported by systemd -* Wed Jun 15 2016 Harish Udaiya Kumar 4.4.8-7 -- fixed the capitalization for - System.map -* Thu May 26 2016 Alexey Makhalov 4.4.8-6 
-- patch: REVERT-sched-fair-Beef-up-wake_wide.patch -* Tue May 24 2016 Priyesh Padmavilasom 4.4.8-5 -- GA - Bump release of all rpms -* Mon May 23 2016 Harish Udaiya Kumar 4.4.8-4 -- Fixed generation of debug symbols for kernel modules & vmlinux. -* Mon May 23 2016 Divya Thaluru 4.4.8-3 -- Added patches to fix CVE-2016-3134, CVE-2016-3135 -* Wed May 18 2016 Harish Udaiya Kumar 4.4.8-2 -- Enabled CONFIG_UPROBES in config as needed by ktap -* Wed May 04 2016 Alexey Makhalov 4.4.8-1 -- Update to linux-4.4.8 -- Added net-Drivers-Vmxnet3-set-... patch -* Tue May 03 2016 Vinay Kulkarni 4.2.0-27 -- Compile Intel GigE and VMXNET3 as part of kernel. -* Thu Apr 28 2016 Nick Shi 4.2.0-26 -- Compile cramfs.ko to allow mounting cramfs image -* Tue Apr 12 2016 Vinay Kulkarni 4.2.0-25 -- Revert network interface renaming disable in kernel. -* Tue Mar 29 2016 Alexey Makhalov 4.2.0-24 -- Support kmsg dumping to vmware.log on panic -- sunrpc: xs_bind uses ip_local_reserved_ports -* Mon Mar 28 2016 Harish Udaiya Kumar 4.2.0-23 -- Enabled Regular stack protection in Linux kernel in config -* Thu Mar 17 2016 Harish Udaiya Kumar 4.2.0-22 -- Restrict the permissions of the /boot/System.map-X file -* Fri Mar 04 2016 Alexey Makhalov 4.2.0-21 -- Patch: SUNRPC: Do not reuse srcport for TIME_WAIT socket. 
-* Wed Mar 02 2016 Alexey Makhalov 4.2.0-20 -- Patch: SUNRPC: Ensure that we wait for connections to complete + +* Tue Nov 15 2016 Alexey Makhalov - 4.4.31-2 +- .config: add cgrup_hugetlb support +- .config: add netfilter_xt_{set,target_ct} support +- .config: add netfilter_xt_match_{cgroup,ipvs} support + +* Thu Nov 10 2016 Alexey Makhalov - 4.4.31-1 +- Update to linux-4.4.31 + +* Fri Oct 21 2016 Alexey Makhalov - 4.4.26-1 +- Update to linux-4.4.26 + +* Wed Oct 19 2016 Alexey Makhalov - 4.4.20-6 +- net-add-recursion-limit-to-GRO.patch +- scsi-arcmsr-buffer-overflow-in-arcmsr_iop_message_xfer.patch + +* Tue Oct 18 2016 Alexey Makhalov - 4.4.20-5 +- ipip-properly-mark-ipip-GRO-packets-as-encapsulated.patch +- tunnels-dont-apply-GRO-to-multiple-layers-of-encapsulation.patch + +* Mon Oct 3 2016 Alexey Makhalov - 4.4.20-4 +- Package vmlinux with PROGBITS sections in -debuginfo subpackage + +* Tue Sep 27 2016 Alexey Makhalov - 4.4.20-3 +- .config: CONFIG_IP_SET_HASH_{IPMARK,MAC}=m + +* Tue Sep 20 2016 Alexey Makhalov - 4.4.20-2 +- Add -release number for /boot/* files +- Use initrd.img with version and release number +- Rename -dev subpackage to -devel + +* Wed Sep 7 2016 Alexey Makhalov - 4.4.20-1 +- Update to linux-4.4.20 +- apparmor-fix-oops-validate-buffer-size-in-apparmor_setprocattr.patch +- keys-fix-asn.1-indefinite-length-object-parsing.patch + +* Thu Aug 25 2016 Alexey Makhalov - 4.4.8-11 +- vmxnet3 patches to bumpup a version to 1.4.8.0 + +* Wed Aug 10 2016 Alexey Makhalov - 4.4.8-10 +- Added VSOCK-Detach-QP-check-should-filter-out-non-matching-QPs.patch +- .config: pmem hotplug + ACPI NFIT support +- .config: enable EXPERT mode, disable UID16 syscalls + +* Thu Jul 07 2016 Alexey Makhalov - 4.4.8-9 +- .config: pmem + fs_dax support + +* Fri Jun 17 2016 Alexey Makhalov - 4.4.8-8 +- patch: e1000e-prevent-div-by-zero-if-TIMINCA-is-zero.patch +- .config: disable rt group scheduling - not supported by systemd + +* Wed Jun 15 2016 Harish Udaiya Kumar - 4.4.8-7 +- 
fixed the capitalization for - System.map + +* Thu May 26 2016 Alexey Makhalov - 4.4.8-6 +- patch: REVERT-sched-fair-Beef-up-wake_wide.patch + +* Tue May 24 2016 Priyesh Padmavilasom - 4.4.8-5 +- GA - Bump release of all rpms + +* Mon May 23 2016 Harish Udaiya Kumar - 4.4.8-4 +- Fixed generation of debug symbols for kernel modules & vmlinux. + +* Mon May 23 2016 Divya Thaluru - 4.4.8-3 +- Added patches to fix CVE-2016-3134, CVE-2016-3135 + +* Wed May 18 2016 Harish Udaiya Kumar - 4.4.8-2 +- Enabled CONFIG_UPROBES in config as needed by ktap + +* Wed May 04 2016 Alexey Makhalov - 4.4.8-1 +- Update to linux-4.4.8 +- Added net-Drivers-Vmxnet3-set-... patch + +* Tue May 03 2016 Vinay Kulkarni - 4.2.0-27 +- Compile Intel GigE and VMXNET3 as part of kernel. + +* Thu Apr 28 2016 Nick Shi - 4.2.0-26 +- Compile cramfs.ko to allow mounting cramfs image + +* Tue Apr 12 2016 Vinay Kulkarni - 4.2.0-25 +- Revert network interface renaming disable in kernel. + +* Tue Mar 29 2016 Alexey Makhalov - 4.2.0-24 +- Support kmsg dumping to vmware.log on panic +- sunrpc: xs_bind uses ip_local_reserved_ports + +* Mon Mar 28 2016 Harish Udaiya Kumar - 4.2.0-23 +- Enabled Regular stack protection in Linux kernel in config + +* Thu Mar 17 2016 Harish Udaiya Kumar - 4.2.0-22 +- Restrict the permissions of the /boot/System.map-X file + +* Fri Mar 04 2016 Alexey Makhalov - 4.2.0-21 +- Patch: SUNRPC: Do not reuse srcport for TIME_WAIT socket. + +* Wed Mar 02 2016 Alexey Makhalov - 4.2.0-20 +- Patch: SUNRPC: Ensure that we wait for connections to complete before retrying -* Fri Feb 26 2016 Alexey Makhalov 4.2.0-19 -- Disable watchdog under VMware hypervisor. 
-* Thu Feb 25 2016 Alexey Makhalov 4.2.0-18 -- Added rpcsec_gss_krb5 and nfs_fscache -* Mon Feb 22 2016 Alexey Makhalov 4.2.0-17 -- Added sysctl param to control weighted_cpuload() behavior -* Thu Feb 18 2016 Divya Thaluru 4.2.0-16 -- Disabling network renaming -* Sun Feb 14 2016 Alexey Makhalov 4.2.0-15 -- veth patch: don’t modify ip_summed -* Thu Feb 11 2016 Alexey Makhalov 4.2.0-14 -- Full tickless -> idle tickless + simple CPU time accounting -- SLUB -> SLAB -- Disable NUMA balancing -- Disable stack protector -- No build_forced no-CBs CPUs -- Disable Expert configuration mode -- Disable most of debug features from 'Kernel hacking' -* Mon Feb 08 2016 Alexey Makhalov 4.2.0-13 -- Double tcp_mem limits, patch is added. -* Wed Feb 03 2016 Anish Swaminathan 4.2.0-12 -- Fixes for CVE-2015-7990/6937 and CVE-2015-8660. -* Tue Jan 26 2016 Anish Swaminathan 4.2.0-11 -- Revert CONFIG_HZ=250 -* Fri Jan 22 2016 Alexey Makhalov 4.2.0-10 -- Fix for CVE-2016-0728 -* Wed Jan 13 2016 Alexey Makhalov 4.2.0-9 -- CONFIG_HZ=250 -* Tue Jan 12 2016 Mahmoud Bassiouny 4.2.0-8 -- Remove rootfstype from the kernel parameter. -* Mon Jan 04 2016 Harish Udaiya Kumar 4.2.0-7 -- Disabled all the tracing options in kernel config. -- Disabled preempt. -- Disabled sched autogroup. -* Thu Dec 17 2015 Harish Udaiya Kumar 4.2.0-6 -- Enabled kprobe for systemtap & disabled dynamic function tracing in config -* Fri Dec 11 2015 Harish Udaiya Kumar 4.2.0-5 -- Added oprofile kernel driver sub-package. -* Fri Nov 13 2015 Mahmoud Bassiouny 4.2.0-4 -- Change the linux image directory. -* Wed Nov 11 2015 Harish Udaiya Kumar 4.2.0-3 -- Added the build essential files in the dev sub-package. -* Mon Nov 09 2015 Vinay Kulkarni 4.2.0-2 -- Enable Geneve module support for generic kernel. -* Fri Oct 23 2015 Harish Udaiya Kumar 4.2.0-1 -- Upgraded the generic linux kernel to version 4.2.0 & and updated timer handling to full tickless mode. 
-* Tue Sep 22 2015 Harish Udaiya Kumar 4.0.9-5 -- Added driver support for frame buffer devices and ACPI -* Wed Sep 2 2015 Alexey Makhalov 4.0.9-4 -- Added mouse ps/2 module. -* Fri Aug 14 2015 Alexey Makhalov 4.0.9-3 -- Use photon.cfg as a symlink. -* Thu Aug 13 2015 Alexey Makhalov 4.0.9-2 -- Added environment file(photon.cfg) for grub. -* Wed Aug 12 2015 Sharath George 4.0.9-1 -- Upgrading kernel version. -* Wed Aug 12 2015 Alexey Makhalov 3.19.2-5 -- Updated OVT to version 10.0.0. -- Rename -gpu-drivers to -drivers-gpu in accordance to directory structure. -- Added -sound package/ -* Tue Aug 11 2015 Anish Swaminathan 3.19.2-4 -- Removed Requires dependencies. -* Fri Jul 24 2015 Harish Udaiya Kumar 3.19.2-3 -- Updated the config file to include graphics drivers. -* Mon May 18 2015 Touseef Liaqat 3.13.3-2 -- Update according to UsrMove. -* Wed Nov 5 2014 Divya Thaluru 3.13.3-1 -- Initial build. First version + +* Fri Feb 26 2016 Alexey Makhalov - 4.2.0-19 +- Disable watchdog under VMware hypervisor. + +* Thu Feb 25 2016 Alexey Makhalov - 4.2.0-18 +- Added rpcsec_gss_krb5 and nfs_fscache + +* Mon Feb 22 2016 Alexey Makhalov - 4.2.0-17 +- Added sysctl param to control weighted_cpuload() behavior + +* Thu Feb 18 2016 Divya Thaluru - 4.2.0-16 +- Disabling network renaming + +* Sun Feb 14 2016 Alexey Makhalov - 4.2.0-15 +- veth patch: don’t modify ip_summed + +* Thu Feb 11 2016 Alexey Makhalov - 4.2.0-14 +- Full tickless -> idle tickless + simple CPU time accounting +- SLUB -> SLAB +- Disable NUMA balancing +- Disable stack protector +- No build_forced no-CBs CPUs +- Disable Expert configuration mode +- Disable most of debug features from 'Kernel hacking' + +* Mon Feb 08 2016 Alexey Makhalov - 4.2.0-13 +- Double tcp_mem limits, patch is added. + +* Wed Feb 03 2016 Anish Swaminathan - 4.2.0-12 +- Fixes for CVE-2015-7990/6937 and CVE-2015-8660. 
+ +* Tue Jan 26 2016 Anish Swaminathan - 4.2.0-11 +- Revert CONFIG_HZ=250 + +* Fri Jan 22 2016 Alexey Makhalov - 4.2.0-10 +- Fix for CVE-2016-0728 + +* Wed Jan 13 2016 Alexey Makhalov - 4.2.0-9 +- CONFIG_HZ=250 + +* Tue Jan 12 2016 Mahmoud Bassiouny - 4.2.0-8 +- Remove rootfstype from the kernel parameter. + +* Mon Jan 04 2016 Harish Udaiya Kumar - 4.2.0-7 +- Disabled all the tracing options in kernel config. +- Disabled preempt. +- Disabled sched autogroup. + +* Thu Dec 17 2015 Harish Udaiya Kumar - 4.2.0-6 +- Enabled kprobe for systemtap & disabled dynamic function tracing in config + +* Fri Dec 11 2015 Harish Udaiya Kumar - 4.2.0-5 +- Added oprofile kernel driver sub-package. + +* Fri Nov 13 2015 Mahmoud Bassiouny - 4.2.0-4 +- Change the linux image directory. + +* Wed Nov 11 2015 Harish Udaiya Kumar - 4.2.0-3 +- Added the build essential files in the dev sub-package. + +* Mon Nov 09 2015 Vinay Kulkarni - 4.2.0-2 +- Enable Geneve module support for generic kernel. + +* Fri Oct 23 2015 Harish Udaiya Kumar - 4.2.0-1 +- Upgraded the generic linux kernel to version 4.2.0 & and updated timer handling to full tickless mode. + +* Tue Sep 22 2015 Harish Udaiya Kumar - 4.0.9-5 +- Added driver support for frame buffer devices and ACPI + +* Wed Sep 2 2015 Alexey Makhalov - 4.0.9-4 +- Added mouse ps/2 module. + +* Fri Aug 14 2015 Alexey Makhalov - 4.0.9-3 +- Use photon.cfg as a symlink. + +* Thu Aug 13 2015 Alexey Makhalov - 4.0.9-2 +- Added environment file(photon.cfg) for grub. + +* Wed Aug 12 2015 Sharath George - 4.0.9-1 +- Upgrading kernel version. + +* Wed Aug 12 2015 Alexey Makhalov - 3.19.2-5 +- Updated OVT to version 10.0.0. +- Rename -gpu-drivers to -drivers-gpu in accordance to directory structure. +- Added -sound package/ + +* Tue Aug 11 2015 Anish Swaminathan - 3.19.2-4 +- Removed Requires dependencies. + +* Fri Jul 24 2015 Harish Udaiya Kumar - 3.19.2-3 +- Updated the config file to include graphics drivers. 
+ +* Mon May 18 2015 Touseef Liaqat - 3.13.3-2 +- Update according to UsrMove. + +* Wed Nov 5 2014 Divya Thaluru - 3.13.3-1 +- Initial build. First version diff --git a/SPECS/kernel/ver5_4_72_arm64_hyperv_support.patch b/SPECS/kernel/ver5_4_72_arm64_hyperv_support.patch new file mode 100644 index 00000000000..57a031a53c0 --- /dev/null +++ b/SPECS/kernel/ver5_4_72_arm64_hyperv_support.patch @@ -0,0 +1,36 @@ +diff --git a/arch/arm64/Kbuild b/arch/arm64/Kbuild +index 24694219f12e..3c01bff26399 100644 +--- a/arch/arm64/Kbuild ++++ b/arch/arm64/Kbuild +@@ -3,5 +3,5 @@ obj-y += kernel/ mm/ + obj-$(CONFIG_NET) += net/ + obj-$(CONFIG_KVM) += kvm/ + obj-$(CONFIG_XEN) += xen/ +-obj-$(CONFIG_HYPERV) += hyperv/ ++obj-$(subst m,y,$(CONFIG_HYPERV)) += hyperv/ + obj-$(CONFIG_CRYPTO) += crypto/ +diff --git a/arch/arm64/kernel/efi.c b/arch/arm64/kernel/efi.c +index d0cf596db82c..8ff557ae5cc6 100644 +--- a/arch/arm64/kernel/efi.c ++++ b/arch/arm64/kernel/efi.c +@@ -55,6 +55,7 @@ static __init pteval_t create_mapping_protection(efi_memory_desc_t *md) + + /* we will fill this structure from the stub, so don't put it in .bss */ + struct screen_info screen_info __section(.data); ++EXPORT_SYMBOL(screen_info); + + int __init efi_create_mapping(struct mm_struct *mm, efi_memory_desc_t *md) + { +diff --git a/drivers/iommu/Kconfig b/drivers/iommu/Kconfig +index fc0160e8ed33..1709e6a923de 100644 +--- a/drivers/iommu/Kconfig ++++ b/drivers/iommu/Kconfig +@@ -467,7 +467,7 @@ config QCOM_IOMMU + + config HYPERV_IOMMU + bool "Hyper-V x2APIC IRQ Handling" +- depends on HYPERV ++ depends on HYPERV && X86 + select IOMMU_API + default HYPERV + help diff --git a/SPECS/libmodulemd/libmodulemd.spec b/SPECS/libmodulemd/libmodulemd.spec index 2dfdf4a5ddf..61aca9f76fb 100644 --- a/SPECS/libmodulemd/libmodulemd.spec +++ b/SPECS/libmodulemd/libmodulemd.spec 
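Review bot: The new SPECS/kernel/ver5_4_72_arm64_hyperv_support.patch has no header saying where its three changes (arch/arm64/Kbuild, arch/arm64/kernel/efi.c, drivers/iommu/Kconfig) come from. A later kernel rebase therefore cannot tell whether they are upstream backports or local modifications. SPECS/libvirt/CVE-2020-25637.patch later in this commit has the same gap, whereas SPECS/librepo/CVE-2020-14352.patch keeps its upstream `From`/`Subject` header and librepo.spec names the commit it was taken from. I would add a short header above the first `diff`/`---` line of each file, e.g. `# Origin: <upstream commit or list URL - placeholder>` plus one line on why the change is carried. The same reference belongs in a comment above the matching `Patch` line in the spec; the kernel spec's `Patch` line is not visible in this part of the diff, so it may already have one.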
@@ -3,7 +3,7 @@ Summary: Module manipulating metadata files Name: libmodulemd Version: 2.5.0 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT URL: https://github.com/fedora-modularity/libmodulemd Source0: https://github.com/fedora-modularity/libmodulemd/releases/download/%{name}-%{version}/modulemd-%{version}.tar.xz @@ -43,6 +43,7 @@ cd api1 ninja %check +export LC_CTYPE=C.utf8 cd api1 ninja test @@ -69,6 +70,8 @@ DESTDIR=%{buildroot}/ ninja install %{_includedir}/modulemd/* %changelog +* Thu Nov 19 2020 Andrew Phelps 2.5.0-4 +- Fix check test. * Sat May 09 2020 Nick Samson 2.5.0-3 - Added %%license line automatically * Tue Apr 07 2020 Nicolas Ontiveros 2.5.0-2 diff --git a/SPECS/libpwquality/libpwquality.spec b/SPECS/libpwquality/libpwquality.spec index 4da87a03de0..cf923193fac 100644 --- a/SPECS/libpwquality/libpwquality.spec +++ b/SPECS/libpwquality/libpwquality.spec @@ -3,7 +3,7 @@ Summary: A library for password generation and password quality checking Name: libpwquality Version: 1.4.2 -Release: 4%{?dist} +Release: 6%{?dist} Vendor: Microsoft Corporation Distribution: Mariner URL: https://github.com/libpwquality/libpwquality/ @@ -84,10 +84,9 @@ mkdir $RPM_BUILD_ROOT%{_secconfdir}/pwquality.conf.d %find_lang libpwquality -%check -# Nothing yet +%post -p /sbin/ldconfig -%ldconfig_scriptlets +%postun -p /sbin/ldconfig %files -f libpwquality.lang %{!?_licensedir:%global license %%doc} @@ -114,6 +113,12 @@ mkdir $RPM_BUILD_ROOT%{_secconfdir}/pwquality.conf.d %{python3_sitearch}/*.egg-info %changelog +* Sat Nov 21 2020 Thomas Crain - 1.4.2-6 +- Replace %%ldconfig_scriptlets with actual post/postun sections + +* Thu Nov 19 2020 Andrew Phelps 1.4.2-5 +- Remove empty check section. + * Mon Jun 29 2020 Paul Monson 1.4.2-4 - Only create python3 symbolic link if /usr/bin/python3 does not exist. 
@@ -211,4 +216,4 @@ mkdir $RPM_BUILD_ROOT%{_secconfdir}/pwquality.conf.d License field, Source URL, Require pam, other cleanups) * Mon Oct 3 2011 Tomas Mraz 0.9-1 -- first spec file for libpwquality \ No newline at end of file +- first spec file for libpwquality diff --git a/SPECS/librepo/CVE-2020-14352.patch b/SPECS/librepo/CVE-2020-14352.patch new file mode 100644 index 00000000000..7690dfc8c17 --- /dev/null +++ b/SPECS/librepo/CVE-2020-14352.patch @@ -0,0 +1,48 @@ +From 7daea2a2429a54dad68b1de9b37a5f65c5cf2600 Mon Sep 17 00:00:00 2001 +From: Jaroslav Rohel +Date: Wed, 12 Aug 2020 08:35:28 +0200 +Subject: [PATCH] Validate path read from repomd.xml (RhBug:1868639) + += changelog = +msg: Validate path read from repomd.xml +type: security +resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1868639 +--- + librepo/yum.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/librepo/yum.c b/librepo/yum.c +index 3059188..529257b 100644 +--- a/librepo/yum.c ++++ b/librepo/yum.c +@@ -23,6 +23,7 @@ + #define BITS_IN_BYTE 8 + + #include ++#include + #include + #include + #include +@@ -774,6 +75,22 @@ prepare_repo_download_targets(LrHandle *handle, + continue; + + char *location_href = record->location_href; ++ ++ char *dest_dir = realpath(handle->destdir, NULL); ++ path = lr_pathconcat(handle->destdir, record->location_href, NULL); ++ char *requested_dir = realpath(dirname(path), NULL); ++ lr_free(path); ++ if (!g_str_has_prefix(requested_dir, dest_dir)) { ++ g_debug("%s: Invalid path: %s", __func__, location_href); ++ g_set_error(err, LR_YUM_ERROR, LRE_IO, "Invalid path: %s", location_href); ++ g_slist_free_full(*targets, (GDestroyNotify) lr_downloadtarget_free); ++ free(requested_dir); ++ free(dest_dir); ++ return FALSE; ++ } ++ free(requested_dir); ++ free(dest_dir); ++ + gboolean is_zchunk = FALSE; + #ifdef WITH_ZCHUNK + if (handle->cachedir && record->header_checksum) 
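Review bot: The containment test added to prepare_repo_download_targets(), `g_str_has_prefix(requested_dir, dest_dir)`, is a plain string-prefix comparison. A resolved directory that is a sibling of the destination and merely begins with the same characters is therefore treated as lying inside it. Both `realpath()` results are also used without a NULL check; `realpath()` returns NULL when the directory cannot be resolved, and the code then depends on how GLib handles a NULL argument instead of rejecting explicitly. I would make the rejection explicit with `if (!dest_dir || !requested_dir || !g_str_has_prefix(requested_dir, dest_dir)) {` and also require that the character in `requested_dir` right after the matched prefix is `/` or the terminating NUL. This file is a copy of upstream commit 7daea2a2429a54dad68b1de9b37a5f65c5cf2600, so the hardening is best raised upstream and tracked here as a follow-up; the function body continues outside the hunk.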
diff --git a/SPECS/librepo/librepo.spec b/SPECS/librepo/librepo.spec index 4311cc0f354..5f2753c6e16 100644 --- a/SPECS/librepo/librepo.spec +++ b/SPECS/librepo/librepo.spec @@ -1,33 +1,33 @@ %{!?python2_sitelib: %define python2_sitelib %(python2 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} %{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} %define _python3_sitearch %(python3 -c "from distutils.sysconfig import get_python_lib; import sys; sys.stdout.write(get_python_lib(1))") - Summary: Repodata downloading library Name: librepo Version: 1.11.0 -Release: 2%{?dist} +Release: 3%{?dist} License: LGPLv2+ -URL: https://github.com/rpm-software-management/librepo -Group: Applications/System Vendor: Microsoft Corporation Distribution: Mariner +Group: Applications/System +URL: https://github.com/rpm-software-management/librepo #Source0: https://github.com/rpm-software-management/librepo/archive/%{version}.tar.gz Source0: %{name}-%{version}.tar.gz - +# CVE-2020-14352 patch taken from upstream commit 7daea2a2429a54dad68b1de9b37a5f65c5cf2600 +Patch0: CVE-2020-14352.patch +BuildRequires: attr-devel +BuildRequires: check BuildRequires: cmake +BuildRequires: curl-devel BuildRequires: gcc -BuildRequires: check BuildRequires: glib-devel BuildRequires: gpgme-devel -BuildRequires: attr-devel -BuildRequires: curl-devel BuildRequires: libxml2-devel BuildRequires: openssl-devel -BuildRequires: zchunk-devel BuildRequires: python-sphinx BuildRequires: python2-devel BuildRequires: python3-devel BuildRequires: python3-sphinx +BuildRequires: zchunk-devel Requires: curl-libs Requires: gpgme Requires: zchunk 
@@ -38,42 +38,42 @@ metadata. %package devel Summary: Repodata downloading library -Requires: curl-libs -Requires: curl-devel Requires: %{name} = %{version}-%{release} +Requires: curl-devel +Requires: curl-libs %description devel Development files for librepo. %package -n python2-%{name} -Summary: Python bindings for the librepo library %{?python_provide:%python_provide python2-%{name}} +Summary: Python bindings for the librepo library Requires: %{name} = %{version}-%{release} %description -n python2-%{name} Python 2 bindings for the librepo library. %package -n python3-%{name} -Summary: Python 3 bindings for the librepo library %{?python_provide:%python_provide python3-%{name}} +Summary: Python 3 bindings for the librepo library Requires: %{name} = %{version}-%{release} %description -n python3-%{name} Python 3 bindings for the librepo library. %prep -%setup -q +%autosetup -p1 mkdir build-py2 mkdir build-py3 %build pushd build-py2 - %cmake -DPYTHON_DESIRED:FILEPATH=/usr/bin/python -DENABLE_PYTHON_TESTS=%{!?with_pythontests:OFF} .. + %cmake -DPYTHON_DESIRED:FILEPATH=%{_bindir}/python -DENABLE_PYTHON_TESTS=%{!?with_pythontests:OFF} .. make %{?_smp_mflags} popd pushd build-py3 - %cmake -DPYTHON_DESIRED:FILEPATH=/usr/bin/python3 -DENABLE_PYTHON_TESTS=%{!?with_pythontests:OFF} .. + %cmake -DPYTHON_DESIRED:FILEPATH=%{_bindir}/python3 -DENABLE_PYTHON_TESTS=%{!?with_pythontests:OFF} .. make %{?_smp_mflags} popd @@ -94,7 +94,6 @@ popd %files %license COPYING -%doc COPYING %doc README.md %{_libdir}/%{name}.so.* 
@@ -110,14 +109,21 @@ popd %{_python3_sitearch}/%{name}/ %changelog -* Sat May 09 00:21:34 PST 2020 Nick Samson - 1.11.0-2 +* Tue Nov 10 2020 Thomas Crain - 1.11.0-3 +- Patch CVE-2020-14352 +- Lint to Mariner style + +* Sat May 09 2020 Nick Samson - 1.11.0-2 - Added %%license line automatically -* Tue May 05 2020 Pawel Winogrodzki 1.11.0-1 -- Update version to 1.11.0. -* Fri Mar 13 2020 Paul Monson 1.10.3-1 -- Update to version 1.10.3. License verified. -* Wed Sep 25 2019 Saravanan Somasundaram 1.10.2-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Wed May 15 2019 Ankit Jain 1.10.2-1 -- Initial build. First version +* Tue May 05 2020 Pawel Winogrodzki - 1.11.0-1 +- Update version to 1.11.0. + +* Fri Mar 13 2020 Paul Monson - 1.10.3-1 +- Update to version 1.10.3. License verified. + +* Wed Sep 25 2019 Saravanan Somasundaram - 1.10.2-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Wed May 15 2019 Ankit Jain - 1.10.2-1 +- Initial build. First version diff --git a/SPECS/libvirt/CVE-2020-25637.patch b/SPECS/libvirt/CVE-2020-25637.patch new file mode 100644 index 00000000000..370a82bc90c --- /dev/null +++ b/SPECS/libvirt/CVE-2020-25637.patch 
@@ -0,0 +1,138 @@
+--- a/src/rpc/gendispatch.pl
++++ b/src/rpc/gendispatch.pl
+@@ -2105,17 +2105,22 @@
+ my @acl;
+ foreach (@{$acl}) {
+ my @bits = split /:/;
+- push @acl, { object => $bits[0], perm => $bits[1], flags => $bits[2] }
++ push @acl, { object => $bits[0], perm => $bits[1], flags => $bits[2],
++ param => $bits[3], value => $bits[4] }
+ }
+
+ my $checkflags = 0;
++ my $paramtocheck = undef;
+ for (my $i = 1 ; $i <= $#acl ; $i++) {
+ if ($acl[$i]->{object} ne $acl[0]->{object}) {
+ die "acl for '$call->{ProcName}' cannot check different objects";
+ }
+- if (defined $acl[$i]->{flags}) {
++ if (defined $acl[$i]->{flags} && length $acl[$i]->{flags}) {
+ $checkflags = 1;
+ }
++ if (defined $acl[$i]->{param}) {
++ $paramtocheck = $acl[$i]->{param};
++ }
+ }
+
+ my $apiname = $prefix . $call->{ProcName};
+@@ -2151,6 +2156,9 @@
+ if ($checkflags) {
+ push @argdecls, "unsigned int flags";
+ }
++ if (defined $paramtocheck) {
++ push @argdecls, "unsigned int " . $paramtocheck;
++ }
+
+ my $ret;
+ my $pass;
+@@ -2201,7 +2209,7 @@
+ my $method = "virAccessManagerCheck" . $object;
+ my $space = ' ' x length($method);
+ print " if (";
+- if (defined $acl->{flags}) {
++ if (defined $acl->{flags} && length $acl->{flags}) {
+ my $flags = $acl->{flags};
+ if ($flags =~ /^\!/) {
+ $flags = substr $flags, 1;
+@@ -2211,6 +2219,17 @@
+ }
+ print " ";
+ }
++ if (defined $acl->{param}) {
++ my $param = $acl->{param};
++ my $value = $acl->{value};
++ if ($value =~ /^\!/) {
++ $value = substr $value, 1;
++ print "($param != ($value)) &&\n";
++ } else {
++ print "($param == ($value)) &&\n";
++ }
++ print " ";
++ }
+ print "(rv = $method(" . join(", ", @argvars, $perm) . ")) <= 0) {\n";
+ print " virObjectUnref(mgr);\n";
+ if ($action eq "Ensure") {
+
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -3805,6 +3805,7 @@
+ *
+ * - @acl: :
+ * - @acl: ::
++ * - @acl: ::::
+ *
+ * Declare the access control requirements for the API. May be repeated
+ * multiple times, if multiple rules are required.
+@@ -3814,6 +3815,8 @@
+ * is one of the permissions in access/viraccessperm.h
+ * indicates the rule only applies if the named flag
+ * is set in the API call
++ * and can be used to check an unsigned int parameter
++ * against value
+ *
+ * - @aclfilter: :
+ *
+@@ -6208,6 +6211,7 @@
+ /**
+ * @generate: none
+ * @acl: domain:read
++ * @acl: domain:write::source:VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT
+ */
+ REMOTE_PROC_DOMAIN_INTERFACE_ADDRESSES = 353,
+
+--- a/src/libxl/libxl_driver.c
++++ b/src/libxl/libxl_driver.c
+@@ -6331,7 +6331,7 @@
+ if (!(vm = libxlDomObjFromDomain(dom)))
+ goto cleanup;
+
+- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
++ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+ goto cleanup;
+
+ if (virDomainObjCheckActive(vm) < 0)
+
+--- a/src/lxc/lxc_driver.c
++++ b/src/lxc/lxc_driver.c
+@@ -1698,7 +1698,7 @@
+ if (!(vm = lxcDomObjFromDomain(dom)))
+ goto cleanup;
+
+- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
++ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+ goto cleanup;
+
+ if (virDomainObjCheckActive(vm) < 0)
+
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -21846,7 +21846,7 @@
+ if (!(vm = qemuDomainObjFromDomain(dom)))
+ goto cleanup;
+
+- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
++ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+ goto cleanup;
+
+ if (virDomainObjCheckActive(vm) < 0)
+
+--- a/src/qemu/qemu_agent.c
++++ b/src/qemu/qemu_agent.c
+@@ -2186,6 +2186,7 @@
+
+ /* Has to be freed for each interface. */
+ virStringListFree(ifname);
++ ifname = NULL;
+
+ /* as well as IP address which - moreover -
+ * can be presented multiple times */
diff --git a/SPECS/libvirt/libvirt.spec b/SPECS/libvirt/libvirt.spec
index be2ad4a1d1b..a63ede26795 100644
--- a/SPECS/libvirt/libvirt.spec
+++ b/SPECS/libvirt/libvirt.spec @@ -1,7 +1,7 @@ Summary: Virtualization API library that supports KVM, QEMU, Xen, ESX etc Name: libvirt Version: 6.1.0 -Release: 1%{?dist} +Release: 2%{?dist} License: LGPL URL: https://libvirt.org/ Source0: https://libvirt.org/sources/%{name}-%{version}.tar.xz @@ -9,6 +9,7 @@ Source0: https://libvirt.org/sources/%{name}-%{version}.tar.xz Patch0: CVE-2019-3886.nopatch # The fix for this CVE is already in 6.1.0. Patch1: CVE-2017-1000256.nopatch +Patch2: CVE-2020-25637.patch Group: Virtualization/Libraries Vendor: Microsoft Corporation Distribution: Mariner @@ -62,7 +63,7 @@ Requires: libtirpc-devel This contains development tools and libraries for libvirt. %prep -%setup -q +%autosetup -p1 %define _vpath_builddir build %build @@ -127,6 +128,9 @@ make check %{_mandir}/* %changelog +* Mon Oct 26 2020 Nicolas Ontiveros 6.1.0-2 +- Use autosetup +- Patch CVE-2020-25637 * Fri May 29 2020 Emre Girgin 6.1.0-1 - Upgrade to 6.1.0. * Sat May 09 00:21:42 PST 2020 Nick Samson - 4.7.0-5 diff --git a/SPECS/libxcrypt/libxcrypt-4.4.17-enable_LTO_build.patch b/SPECS/libxcrypt/libxcrypt-4.4.17-enable_LTO_build.patch new file mode 100644 index 00000000000..78a2bd866cf --- /dev/null +++ b/SPECS/libxcrypt/libxcrypt-4.4.17-enable_LTO_build.patch 
@@ -0,0 +1,70 @@ +From a1bff4255fb9cad501a8a5d4bffb8f95df0f615f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= +Date: Thu, 13 Aug 2020 18:51:50 +0200 +Subject: [PATCH] crypt-port: Add the bits for compiling with link-time + optimization. + +GCC 10.2 and LLVM/Clang 10 offer initial support for building +libraries, that are using symbol versioning features, with LTO. + +To make use of this with GCC 10.2, the exported versioned symbols +need to be declared explicitly with __attribute__((symver (...))). + +LLVM/Clang 10 supports symbol versioning with LTO out of the box +without any changes needed. + +Fixes #24. +--- + lib/crypt-port.h | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +diff --git a/lib/crypt-port.h b/lib/crypt-port.h +index bec36ac..ca86261 100644 +--- a/lib/crypt-port.h ++++ b/lib/crypt-port.h +@@ -179,11 +179,29 @@ _crypt_strcpy_or_abort (void *, const size_t, const void *); + # define _strong_alias(name, aliasname) \ + extern __typeof (name) aliasname __THROW __attribute__ ((alias (#name))) + ++/* Starting with GCC 10.2, we can use the symver attribute, which also works ++ with link-time optimization enabled. */ ++# if __GNUC__ > 10 || (__GNUC__ == 10 && __GNUC_MINOR__ >= 2) ++ ++/* Referencing specific _compatibility_ symbols still needs inline asm. */ ++# define _symver_ref(extstr, intname, version) \ ++ __asm__ (".symver " #intname "," extstr "@" #version) ++ ++/* Set the symbol version for EXTNAME, which uses INTNAME as its ++ implementation. */ ++# define symver_set(extstr, intname, version, mode) \ ++ extern __typeof (intname) intname __THROW \ ++ __attribute__((symver (extstr mode #version))) ++ ++# else ++ + /* Set the symbol version for EXTNAME, which uses INTNAME as its + implementation. 
*/ + # define symver_set(extstr, intname, version, mode) \ + __asm__ (".symver " #intname "," extstr mode #version) + ++# endif ++ + #else + # error "Don't know how to do symbol versioning with this compiler" + #endif +@@ -239,9 +257,14 @@ _crypt_strcpy_or_abort (void *, const size_t, const void *); + + /* Tests may need to _refer_ to compatibility symbols, but should never need + to _define_ them. */ +- + #define symver_ref(extstr, intname, version) \ ++ _symver_ref(extstr, intname, version) ++ ++/* Generic way for referencing specific _compatibility_ symbols. */ ++#ifndef _symver_ref ++#define _symver_ref(extstr, intname, version) \ + symver_set(extstr, intname, version, "@") ++#endif + + /* Define configuration macros used during compile-time by the + GOST R 34.11-2012 "Streebog" hash function. */ diff --git a/SPECS/libxcrypt/libxcrypt.signatures.json b/SPECS/libxcrypt/libxcrypt.signatures.json new file mode 100644 index 00000000000..1aafb32b57f --- /dev/null +++ b/SPECS/libxcrypt/libxcrypt.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "libxcrypt-4.4.17.tar.gz": "7665168d0409574a03f7b484682e68334764c29c21ca5df438955a381384ca07" + } +} \ No newline at end of file diff --git a/SPECS/libxcrypt/libxcrypt.spec b/SPECS/libxcrypt/libxcrypt.spec new file mode 100644 index 00000000000..254799d073c --- /dev/null +++ b/SPECS/libxcrypt/libxcrypt.spec 
@@ -0,0 +1,640 @@ +# This macro was added in Fedora 20. Use the old version if it's undefined +# on older Fedoras and RHELs prior to RHEL 8. +# https://fedoraproject.org/wiki/Changes/UnversionedDocdirs +%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}} +# Build with new api? +%if 0%{?fedora} >= 30 || 0%{?rhel} >= 9 +%bcond_without new_api +%else +%bcond_with new_api +%endif +# First version of glibc built without libcrypt. +%global glibc_minver 2.27-12 +# The libxcrypt-devel package conflicts with out-dated manuals +# shipped with the man-pages packages *before* this EVR. +%global man_pages_minver 4.15-3 +# Hash methods and API supported by libcrypt. +# NEVER EVER touch this, if you do NOT know what you are doing! +%global hash_methods all +# Needed for the distribution README file. +%if 0%{?fedora} +%global distname .fedora +%else +%if 0%{?rhel} +%global distname .rhel +%else +%global distname .distribution +%endif +%endif +# Needed for out-of-tree builds. +%global _configure "$(realpath ../configure)" +# Common configure options. +%global common_configure_options \\\ + --disable-failure-tokens \\\ + --disable-silent-rules \\\ + --enable-shared \\\ +%if %{with staticlib} \ + --enable-static \\\ +%else \ + --disable-static \\\ +%endif \ + --disable-valgrind \\\ + --srcdir=$(realpath ..) \\\ + --with-pkgconfigdir=%{_libdir}/pkgconfig +# Macros for shorthand. +%global _fipsdir %{_libdir}/fipscheck +# Fail linking if there are undefined symbols. +# Required for proper ELF symbol versioning support. +%global _ld_strict_symbol_defs 1 +# override_glibc and glibcversion are temporary to make libxcrypt install on top of glibc +%define glibcversion 2.28 +%bcond_without override_glibc +# Build the static library? +%bcond_with new_api +%bcond_with compat_pkg +%bcond_with staticlib +%bcond_with enosys_stubs +# Build the compat package? 
+%if !(0%{?fedora} >= 999 || 0%{?rhel} >= 99) && %{with new_api} +%bcond_without compat_pkg +%else +%bcond_with compat_pkg +%endif +# Replace obsolete functions with a stub? +%if (0%{?fedora} >= 30 || 0%{?rhel} >= 9) && %{with compat_pkg} +%bcond_without enosys_stubs +%else +%bcond_with enosys_stubs +%endif +# Shared object version of libcrypt. +%if %{with new_api} +%global soc 2 +%global sol 0 +%global sof 0 +%global sov %{soc}.%{sol}.%{sof} +%else +%global soc 1 +%global sol 1 +%global sof 0 +%global sov %{soc}.%{sol}.%{sof} +%endif +%if %{with compat_pkg} +%global csoc 1 +%global csol 1 +%global csof 0 +%global csov %{csoc}.%{csol}.%{csof} +%endif +%if %{with new_api} +%global obsolete_api no +%else +%global obsolete_api glibc +%endif +%if %{with compat_pkg} +%global compat_methods all +%global compat_api glibc +%endif +# Do we replace the obsolete API functions with stubs? +%if %{with enosys_stubs} +%global enosys_stubs yes +%else +%global enosys_stubs no +%endif +Summary: Extended crypt library for descrypt, md5crypt, bcrypt, and others +Name: libxcrypt +Version: 4.4.17 +Release: 3%{?dist} +# For explicit license breakdown, see the +# LICENSING file in the source tarball. +License: LGPLv2+ AND BSD AND Public Domain +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://github.com/besser82/%{name} +Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz +# Patch 0000 - 2999: Backported patches from upstream. +# Patch 3000 - 5999: Backported patches from pull requests. +Patch3000: libxcrypt-4.4.17-enable_LTO_build.patch +# Patch 6000 - 9999: Downstream patches. +BuildRequires: autoconf +BuildRequires: automake +#BuildRequires: fipscheck +BuildRequires: gcc +BuildRequires: glibc-devel +BuildRequires: libtool +# We do not need to keep this forever. +%if !(0%{?fedora} > 31 || 0%{?rhel} > 10) +# Inherited from former libcrypt package. 
+Obsoletes: libcrypt-nss < %{glibc_minver} +Provides: libcrypt-nss = %{glibc_minver} +Provides: libcrypt-nss%{?_isa} = %{glibc_minver} +# Obsolete former libcrypt properly and provide a virtual libcrypt +# package as it has been done by the former packages, which were +# built by glibc before. +Obsoletes: libcrypt < %{glibc_minver} +Provides: libcrypt = %{glibc_minver} +Provides: libcrypt%{?_isa} = %{glibc_minver} +# Obsolete former libxcrypt-common properly. +Obsoletes: %{name}-common < 4.3.3-4 +Provides: %{name}-common = %{version}-%{release} +%endif +%if %{with new_api} && %{without compat_pkg} +Obsoletes: %{name}-compat < %{version}-%{release} +%endif +# We need a version of glibc, that doesn't build libcrypt anymore. +#Requires: glibc%{?_isa} >= %{glibc_minver} +%if %{with override_glibc} +# Require a specific glibc version so the post macro is compatible. +BuildRequires: glibc-devel = %{glibcversion} +Requires: glibc = %{glibcversion} +%endif +%if 0%{?fedora} >= 30 +Recommends: mkpasswd +%endif + +%description +libxcrypt is a modern library for one-way hashing of passwords. It +supports a wide variety of both modern and historical hashing methods: +yescrypt, gost-yescrypt, scrypt, bcrypt, sha512crypt, sha256crypt, +md5crypt, SunMD5, sha1crypt, NT, bsdicrypt, bigcrypt, and descrypt. +It provides the traditional Unix crypt and crypt_r interfaces, as well +as a set of extended interfaces pioneered by Openwall Linux, crypt_rn, +crypt_ra, crypt_gensalt, crypt_gensalt_rn, and crypt_gensalt_ra. + +libxcrypt is intended to be used by login(1), passwd(1), and other +similar programs; that is, to hash a small number of passwords during +an interactive authentication dialogue with a human. It is not suitable +for use in bulk password-cracking applications, or in any other situation +where speed is more important than careful handling of sensitive data. 
+However, it is intended to be fast and lightweight enough for use in +servers that must field thousands of login attempts per minute. +%if %{with new_api} +This version of the library does not provide the legacy API functions +that have been provided by glibc's libcrypt.so.1. +%endif + +%if %{with compat_pkg} +%package compat +Summary: Compatibility library providing legacy API functions +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: glibc%{?_isa} >= %{glibc_minver} + +%description compat +This package contains the library providing the compatibility API +for applications that are linked against glibc's libxcrypt, or that +are still using the unsafe and deprecated, encrypt, encrypt_r, +setkey, setkey_r, and fcrypt functions, which are still required by +recent versions of POSIX, the Single UNIX Specification, and various +other standards. + +All existing binary executables linked against glibc's libcrypt should +work unmodified with the library supplied by this package. +%endif + + +%package devel +Summary: Development files for %{name} +#Conflicts: man-pages < %{man_pages_minver} +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: glibc-devel%{?_isa} >= %{glibc_minver} + +%description devel +The %{name}-devel package contains libraries and header files for +developing applications that use %{name}. + +%if %{with staticlib} +%package static +Summary: Static library for -static linking with %{name} +Requires: %{name}-devel%{?_isa} = %{version}-%{release} +Requires: glibc-devel%{?_isa} >= %{glibc_minver} + +%description static +This package contains the libxcrypt static library for -static +linking. + +You don't need this, unless you link statically, which is highly +discouraged. 
+%endif + + +%prep +%autosetup -p 1 + +$(realpath ./autogen.sh) + +%if %{with new_api} +cat << EOF >> README%{distname} +This version of the %{name} package ships the libcrypt.so.2 +library and does not provide the legacy API functions that have +been provided by glibc's libcrypt.so.1. The removed functions +by name are encrypt, encrypt_r, setkey, setkey_r, and fcrypt. +%if %{with compat_pkg} + +If you are using a third-party application that links against +those functions, or that is linked against glibc's libcrypt, +you may need to install the %{name}-compat package manually. + +All existing binary executables linked against glibc's libcrypt +should work unmodified with the libcrypt.so.1 library supplied +by the %{name}-compat package. +%endif +EOF +%endif + +%if %{with enosys_stubs} +cat << EOF >> README.posix +This version of the libcrypt.so.1 library has entirely removed +the functionality of the encrypt, encrypt_r, setkey, setkey_r, +and fcrypt functions, while keeping fully binary compatibility +with existing (third-party) applications possibly still using +those funtions. If such an application attemps to call one of +these functions, the corresponding function will indicate that +it is not supported by the system in a POSIX-compliant way. + +For security reasons, the encrypt and encrypt_r functions will +also overwrite their data-block argument with random bits. + +All existing binary executables linked against glibc's libcrypt +should work unmodified with the provided version of the +libcrypt.so.1 library in place. +EOF +%endif + +%if %{with staticlib} +cat << EOF >> README.static +Applications that use certain legacy APIs supplied by glibc’s +libcrypt (encrypt, encrypt_r, setkey, setkey_r, and fcrypt) +cannot be compiled nor linked against the supplied build of +the object files provided in the static library libcrypt.a. +EOF +%endif + + +%build +mkdir -p %{_vpath_builddir} + +# Build the default system library. 
+pushd %{_vpath_builddir} +%configure \ + %{common_configure_options} \ + --enable-hashes=%{hash_methods} \ + --enable-obsolete-api=%{obsolete_api} \ +%if %{with new_api} + --enable-obsolete-api-enosys=%{obsolete_api} +%else + --enable-obsolete-api-enosys=%{enosys_stubs} +%endif +%make_build +popd + +%if %{with compat_pkg} +mkdir -p %{_vpath_builddir}-compat + +# Build the compatibility library. +pushd %{_vpath_builddir}-compat +%configure \ + %{common_configure_options} \ + --enable-hashes=%{compat_methods} \ + --enable-obsolete-api=%{compat_api} \ + --enable-obsolete-api-enosys=%{enosys_stubs} +%make_build +popd +%endif + + +%install +%if %{with compat_pkg} +# Install the compatibility library. +%make_install -C %{_vpath_builddir}-compat + +# Cleanup everything we do not need from the compatibility library. +find %{buildroot} -xtype f -not -name 'libcrypt.so.%{csoc}*' -delete -print +find %{buildroot} -type l -not -name 'libcrypt.so.%{csoc}*' -delete -print +%endif + +# Install the default system library. +%make_install -C %{_vpath_builddir} + +# Get rid of libtool crap. +find %{buildroot} -type f -name "*.la" -delete -print + +# Install documentation to shared %%_pkgdocdir. +install -Dpm 0644 -t %{buildroot}%{_pkgdocdir} \ + ChangeLog NEWS README* THANKS TODO + +# Drop README.md as it is identical to README. +rm -f %{buildroot}%{_pkgdocdir}/README.md + +%if %{with override_glibc} +mv %{buildroot}/%{_libdir}/libcrypt.so.%{sov} %{buildroot}/%{_libdir}/libxcrypt.so.%{sov} +%endif + + +%check +build_dirs="%{_vpath_builddir}" +%if %{with compat_pkg} +build_dirs="${build_dirs} %{_vpath_builddir}-compat" +%endif +for dir in ${build_dirs}; do + %make_build -C ${dir} check || \ + { + rc=$?; + echo "-----BEGIN TESTLOG: ${dir}-----"; + cat ${dir}/test-suite.log; + echo "-----END TESTLOG: ${dir}-----"; + exit $rc; + } +done + +%if %{with override_glibc} +# This posttrans section is a stopgap to allow installing +# libxcrypt on a system that already has libcrypt from glibc. 
+# In a future release these will be removed and libxcrypt will be default. +%posttrans +rm %{_libdir}/libcrypt.so.1 +ln -s %{_libdir}/libxcrypt.so.%{sov} %{_libdir}/libcrypt.so.1 +%endif + +%post -p /sbin/ldconfig + +%postun +# See above comments about the %%posttrans section +%if %{with override_glibc} +rm %{_libdir}/libcrypt.so.1 +ln -s %{_libdir}/libcrypt-%{glibcversion}.so %{_libdir}/libcrypt.so.1 +%endif +/sbin/ldconfig + +%if %{with compat_pkg} +%post -n compat -p /sbin/ldconfig +%postun -n compat -p /sbin/ldconfig +%endif + + +%files +%license AUTHORS COPYING.LIB LICENSING +#%dir %{_fipsdir} +%doc %dir %{_pkgdocdir} +%doc %{_pkgdocdir}/NEWS +%doc %{_pkgdocdir}/README +%if %{with new_api} +%doc %{_pkgdocdir}/README%{distname} +%endif +%if %{with enosys_stubs} && %{without compat_pkg} +%doc %{_pkgdocdir}/README.posix +%endif +%doc %{_pkgdocdir}/THANKS +#%{_fipsdir}/libcrypt.so.%{soc}.hmac +#%{_fipsdir}/libcrypt.so.%{sov}.hmac + +%if %{with override_glibc} +%exclude %{_libdir}/libcrypt.so.%{soc} +%{_libdir}/libxcrypt.so.%{sov} +%else +%{_libdir}/libcrypt.so.%{soc} +%{_libdir}/libcrypt.so.%{sov} +%endif + +%{_mandir}/man5/crypt.5* + +%if %{with compat_pkg} +%files compat +#%dir %{_fipsdir} +%if %{with enosys_stubs} +%doc %{_pkgdocdir}/README.posix +%endif +#%{_fipsdir}/libcrypt.so.%{csoc}.hmac +#%{_fipsdir}/libcrypt.so.%{csov}.hmac +%{_libdir}/libcrypt.so.%{csoc} +%{_libdir}/libcrypt.so.%{csov} +%endif + + +%files devel +%doc %{_pkgdocdir}/ChangeLog +%doc %{_pkgdocdir}/TODO +%if %{with override_glibc} +%exclude %{_libdir}/libcrypt.so +%exclude %{_includedir}/crypt.h +%else +%{_libdir}/libcrypt.so +%{_includedir}/crypt.h +%endif +%if %{without new_api} +%{_libdir}/libxcrypt.so +%endif +%if %{without new_api} +%{_includedir}/xcrypt.h +%endif +%{_libdir}/pkgconfig/libcrypt.pc +%{_libdir}/pkgconfig/%{name}.pc +%{_mandir}/man3/crypt.3* +%{_mandir}/man3/crypt_r.3* +%{_mandir}/man3/crypt_ra.3* +%{_mandir}/man3/crypt_rn.3* +%{_mandir}/man3/crypt_checksalt.3* 
+%{_mandir}/man3/crypt_gensalt.3* +%{_mandir}/man3/crypt_gensalt_ra.3* +%{_mandir}/man3/crypt_gensalt_rn.3* +%{_mandir}/man3/crypt_preferred_method.3* + +%if %{with staticlib} +%files static +#%dir %{_fipsdir} +%doc %{_pkgdocdir}/README.static +#%{_fipsdir}/libcrypt.a.hmac +%if %{without new_api} +#%{_fipsdir}/libxcrypt.a.hmac +%endif +%{_libdir}/libcrypt.a +%if %{without new_api} +%{_libdir}/libxcrypt.a +%endif +%endif + + +%changelog +* Sat Nov 21 2020 Thomas Crain - 4.4.17-3 +- Replace %%ldconfig_scriptlets with actual post/postun sections + +* Wed Oct 21 2020 Henry Beberman - 4.4.17-2 +- Initial CBL-Mariner import from Fedora 31 (license: MIT). +- Remove dependency on fipscheck +- Add override_glibc to allow installs over libcrypt from glibc +- License verified. + +* Sun Aug 23 2020 Björn Esser - 4.4.17-1 +- New upstream release + +* Sat Aug 15 2020 Björn Esser - 4.4.16-7 +- Add a patch to add support for LTO builds +- Enable LTO +- Add a patch to fix Wformat-overflow + +* Tue Jul 28 2020 Fedora Release Engineering - 4.4.16-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jun 30 2020 Jeff Law - 4.4.16-5 +- Disable LTO + +* Fri Jun 19 2020 Björn Esser - 4.4.16-4 +- Trim %%changelog starting with v4.4.0 +- Remove memcheck conditional + +* Sat Apr 25 2020 Björn Esser - 4.4.16-3 +- Explicitly force linking with '-Wl,-z,defs' + +* Fri Apr 24 2020 Björn Esser - 4.4.16-2 +- Move fipscheck hmac checksums to %%{_libdir}/fipscheck + +* Sat Apr 04 2020 Björn Esser - 4.4.16-1 +- New upstream release + +* Thu Apr 02 2020 Björn Esser - 4.4.15-2 +- Move library from %%_lib to %%_libdir + +* Wed Feb 26 2020 Björn Esser - 4.4.15-1 +- New upstream release + +* Mon Feb 17 2020 Björn Esser - 4.4.14-1 +- New upstream release + +* Sun Feb 16 2020 Björn Esser - 4.4.13-1 +- New upstream release + +* Tue Feb 11 2020 Björn Esser - 4.4.12-3 +- Add an upstream patch to fix a typo in the documentation + +* Wed Feb 05 2020 Björn Esser - 4.4.12-2 +- Add two 
upstream patches to resolve minor bugs + +* Thu Jan 30 2020 Björn Esser - 4.4.12-1 +- New upstream release + +* Wed Jan 29 2020 Fedora Release Engineering - 4.4.11-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Sat Jan 18 2020 Björn Esser - 4.4.11-1 +- New upstream release + +* Sun Dec 15 2019 Björn Esser - 4.4.10-2 +- Add two upstream patches to fix build with upcoming GCC-10 + +* Wed Sep 18 2019 Björn Esser - 4.4.10-1 +- New upstream release + +* Sat Sep 07 2019 Björn Esser - 4.4.9-1 +- New upstream release (#1750010) + +* Sun Sep 01 2019 Björn Esser - 4.4.8-1 +- New upstream release + +* Sat Aug 24 2019 Björn Esser - 4.4.7-1 +- New upstream release + +* Thu Jul 25 2019 Fedora Release Engineering - 4.4.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Mon Jun 24 2019 Björn Esser - 4.4.6-2 +- Build all hash methods for the compat package +- Add a patch to fix Wformat in crypt-kat.c + +* Sun May 05 2019 Björn Esser - 4.4.6-1 +- New upstream release + +* Sat May 04 2019 Björn Esser - 4.4.5-1 +- New upstream release (#1706419) +- Add patch to remove an unneeded union keyword +- Add patch to make unalignment test really unaligned + +* Fri Mar 15 2019 Björn Esser - 4.4.4-2 +- Change Recommends: whois-mkpasswd to Fedora 30 and later (#1687870) + +* Mon Mar 04 2019 Björn Esser - 4.4.4-1 +- New upstream release + +* Tue Feb 19 2019 Björn Esser - 4.4.3-10 +- Fix versioned requirements on glibc + +* Tue Feb 19 2019 Björn Esser - 4.4.3-9 +- Fix conditional in __spec_install_post + +* Tue Feb 19 2019 Björn Esser - 4.4.3-8 +- Update Obsoletes, Provides, and Requires to glibc 2.27 +- Add Recommends: whois-mkpasswd for Fedora +- Optimize installation of the documentation files +- Fix %%description +- Use an absolute path for the configure script and srcdir + +* Tue Feb 19 2019 Björn Esser - 4.4.3-7 +- Add patch to fix the output formatting of a test + +* Wed Feb 06 2019 Björn Esser - 4.4.3-6 +- Always build all supported 
hash methods +- Drop distcheck at the end of %%check stage + +* Fri Feb 01 2019 Fedora Release Engineering - 4.4.3-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Wed Jan 30 2019 Björn Esser - 4.4.3-4 +- Add a README.posix file with information about the stub functions +- Add a README.static file with information about the static library + +* Wed Jan 30 2019 Björn Esser - 4.4.3-3 +- Replace unsafe functions in libxcrypt-compat with stubs (#1670735) + +* Thu Jan 24 2019 Björn Esser - 4.4.3-2 +- Fix and simplify the conditionals for the compat package +- Add an option to replace unsafe functions in the compat lib with a stub +- Add patch to fix another possible format-overflow + +* Thu Jan 24 2019 Björn Esser - 4.4.3-1 +- New upstream release + +* Thu Jan 24 2019 Björn Esser - 4.4.2-8 +- Optimize file removal for compatibility library + +* Mon Jan 21 2019 Björn Esser - 4.4.2-7 +- Add two upstream patches to fix build with GCC 9 + +* Mon Jan 21 2019 Björn Esser - 4.4.2-6 +- Add upstream patch to add proper C++-guards in + +* Mon Jan 14 2019 Björn Esser - 4.4.2-5 +- Build the compat package with glibc hashing methods only +- Add an option to disable the compat-package for future use + +* Mon Jan 14 2019 Björn Esser - 4.4.2-4 +- Bump SO-name for Fedora >= 30 and enable compat package (#1666033) +- Add distribution README file +- Update description of the compat package +- Conditionally remove non-built hashing methods from description + +* Sun Dec 23 2018 Björn Esser - 4.4.2-3 +- Remove architecture bits from Recommends + +* Sun Dec 23 2018 Björn Esser - 4.4.2-2 +- Update summary + +* Sat Dec 22 2018 Björn Esser - 4.4.2-1 +- New upstream release + +* Thu Dec 06 2018 Björn Esser - 4.4.1-1 +- New upstream release + +* Tue Dec 04 2018 Björn Esser - 4.4.0-5 +- Sync -fno-plt patch with upstream commit + +* Tue Dec 04 2018 Björn Esser - 4.4.0-4 +- Backport upstream commit to fix a memory leak from a static pointer + +* Tue Dec 04 2018 Björn Esser - 
4.4.0-3 +- Backport upstream PR to build with -fno-plt optimization + +* Mon Nov 26 2018 Björn Esser - 4.4.0-2 +- Backport upstream commit to use a safer strcpy for the NT method +- Backport upstream generating base64 encoded output for NT gensalt +- Backport upstream commit to require less rbytes for NT gensalt +- Backport upstream commit to test incremental hmac-sha256 computation +- Add Recommends: mkpasswd for Fedora >= 30 + +* Tue Nov 20 2018 Björn Esser - 4.4.0-1 +- New upstream release diff --git a/SPECS/libxml2/CVE-2020-24977.patch b/SPECS/libxml2/CVE-2020-24977.patch new file mode 100644 index 00000000000..f8ad63065c5 --- /dev/null +++ b/SPECS/libxml2/CVE-2020-24977.patch @@ -0,0 +1,35 @@ +From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Fri, 7 Aug 2020 21:54:27 +0200 +Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout' + +Make sure that truncated UTF-8 sequences don't cause an out-of-bounds +array access. + +Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for +the report. + +Fixes #178. +--- + xmllint.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/xmllint.c b/xmllint.c +index f6a8e4636..c647486f3 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -528,6 +528,12 @@ static void + xmlHTMLEncodeSend(void) { + char *result; + ++ /* ++ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might ++ * end with a truncated UTF-8 sequence. This is a hack to at least avoid ++ * an out-of-bounds read. ++ */ ++ memset(&buffer[sizeof(buffer)-4], 0, 4); + result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer); + if (result) { + xmlGenericError(xmlGenericErrorContext, "%s", result); +-- +GitLab diff --git a/SPECS/libxml2/libxml2.spec b/SPECS/libxml2/libxml2.spec index 33282bda622..526488eb322 100644 --- a/SPECS/libxml2/libxml2.spec +++ b/SPECS/libxml2/libxml2.spec 
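Review bot: The `%posttrans` and `%postun` scriptlets replace `%{_libdir}/libcrypt.so.1` with a separate `rm` followed by `ln -s`, so there is a window (and, if the `ln` fails, a lasting state) in which the system has no `libcrypt.so.1` and programs that load it for password hashing cannot start. A single `ln -sf <target> %{_libdir}/libcrypt.so.1` narrows the gap, and creating the link under a temporary name and renaming it into place closes it. `%postun` also runs on upgrade, so wrapping its body in `if [ "$1" -eq 0 ]; then ... fi` would stop an upgrade from pointing the link back at `libcrypt-%{glibcversion}.so` until `%posttrans` runs. Separately, `%post -n compat` and `%postun -n compat` name a package called `compat` rather than `%{name}-compat`; they are inactive while `compat_pkg` is off, but `%post compat` is presumably what is meant.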
@@ -1,19 +1,18 @@ %{!?python2_sitelib: %define python2_sitelib %(python2 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} %{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} - Summary: Libxml2 Name: libxml2 Version: 2.9.10 -Release: 2%{?dist} +Release: 3%{?dist} License: MIT -URL: http://www.xmlsoft.org/ -Group: System Environment/General Libraries Vendor: Microsoft Corporation Distribution: Mariner +Group: System Environment/General Libraries +URL: http://www.xmlsoft.org/ Source0: ftp://xmlsoft.org/libxml2/%{name}-%{version}.tar.gz Patch0: CVE-2019-20388.patch Patch1: CVE-2020-7595.patch - +Patch2: CVE-2020-24977.patch BuildRequires: python2-devel BuildRequires: python2-libs BuildRequires: python3-devel @@ -42,8 +41,8 @@ Requires: python3 Python3 libxml2. %package devel -Summary: Libraries and header files for libxml -Requires: %{name} = %{version} +Summary: Libraries and header files for libxml +Requires: %{name} = %{version} %description devel Static libraries and header files for the support library for libxml @@ -60,13 +59,13 @@ make %{?_smp_mflags} %install [ %{buildroot} != "/"] && rm -rf %{buildroot}/* make DESTDIR=%{buildroot} install -find %{buildroot}/%{_libdir} -name '*.la' -delete +find %{buildroot} -type f -name "*.la" -delete -print %{_fixperms} %{buildroot}/* make clean %configure \ --disable-static \ - --with-python=/usr/bin/python3 + --with-python=%{_bindir}/python3 make %{?_smp_mflags} make install DESTDIR=%{buildroot} @@ -75,8 +74,10 @@ make %{?_smp_mflags} check %post -p /sbin/ldconfig %postun -p /sbin/ldconfig + %clean rm -rf %{buildroot}/* + %files %defattr(-,root,root) %license COPYING @@ -88,7 +89,6 @@ rm -rf %{buildroot}/* %{_datadir}/gtk-doc/* %{_mandir}/man1/* - %files python %defattr(-,root,root) %{python2_sitelib}/* 
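Review bot: `Patch2: CVE-2020-24977.patch` is declared in this hunk, but `%prep` sits between this hunk and the next ones and is not shown, so nothing visible confirms the patch is actually applied. If `%prep` applies patches one by one with `%patch0`/`%patch1` rather than `%autosetup -p1`, a matching `%patch2 -p1` is needed. Without it the package would ship as 2.9.10-3 with a changelog entry claiming the fix while the xmllint out-of-bounds read remains. Checking the `%prep` output in the build log for this patch would settle it.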
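Review bot: The guard on the context line `[ %{buildroot} != "/"] && rm -rf %{buildroot}/*` in the `%install` hunk is malformed. With no space before `]` the test command exits with a missing-bracket error, so the `rm -rf` never runs and the root-path check protects nothing. Since the commit is already linting this section, `[ "%{buildroot}" != "/" ] && rm -rf %{buildroot}/*` would restore the intended behaviour. The `%install` section continues past the end of the hunk.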
@@ -105,6 +105,9 @@ rm -rf %{buildroot}/* %{_libdir}/cmake/libxml2/libxml2-config.cmake %changelog +* Mon Oct 26 2020 Ruying Chen - 2.9.10-3 +- Patch CVE-2020-24977. + * Wed Sep 09 2020 Thomas Crain - 2.9.10-2 - Patch CVE-2019-20388 and CVE-2020-7595. diff --git a/SPECS/mariner-release/mariner-release.spec b/SPECS/mariner-release/mariner-release.spec index bd8ecebfdfb..808257af588 100644 --- a/SPECS/mariner-release/mariner-release.spec +++ b/SPECS/mariner-release/mariner-release.spec @@ -1,7 +1,7 @@ Summary: CBL-Mariner release files Name: mariner-release Version: 1.0 -Release: 10%{?dist} +Release: 11%{?dist} License: MIT Group: System Environment/Base URL: https://aka.ms/cbl-mariner @@ -67,6 +67,8 @@ rm -rf $RPM_BUILD_ROOT %config(noreplace) /etc/issue.net %changelog +* Fri Nov 20 2020 Nicolas Guibourge - 1.0-11 +- Updating version for November update * Sat Oct 24 2020 Jon Slobodzian - 1.0-10 - Updating version for October update * Fri Sep 04 2020 Mateusz Malisz - 1.0-9 diff --git a/SPECS/mysql/CVE-2012-5627.nopatch b/SPECS/mysql/CVE-2012-5627.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/mysql/mysql.signatures.json b/SPECS/mysql/mysql.signatures.json index e7e05b35ab0..07f98a37baf 100644 --- a/SPECS/mysql/mysql.signatures.json +++ b/SPECS/mysql/mysql.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "mysql-boost-8.0.21.tar.gz": "37231a123372a95f409857364dc1deb196b6f2c0b1fe60cc8382c7686b487f11" + "mysql-boost-8.0.22.tar.gz": "ba765f74367c638d7cd1c546c05c14382fd997669bcd9680278e907f8d7eb484" } } \ No newline at end of file diff --git a/SPECS/mysql/mysql.spec b/SPECS/mysql/mysql.spec index 0b53e0cf623..9c35a6c93ad 100644 --- a/SPECS/mysql/mysql.spec +++ b/SPECS/mysql/mysql.spec 
@@ -1,19 +1,19 @@ Summary: MySQL. Name: mysql -Version: 8.0.21 -Release: 1%{?dist} -License: GPLv2 with exceptions and LGPLv2 and BSD -Group: Applications/Databases +Version: 8.0.22 +Release: 2%{?dist} +License: GPLv2 with exceptions AND LGPLv2 AND BSD Vendor: Microsoft Corporation Distribution: Mariner -Url: https://www.mysql.com +Group: Applications/Databases +URL: https://www.mysql.com Source0: https://cdn.mysql.com/Downloads/MySQL-8.0/%{name}-boost-%{version}.tar.gz - +Patch0: CVE-2012-5627.nopatch BuildRequires: cmake -BuildRequires: openssl-devel -BuildRequires: zlib-devel BuildRequires: libtirpc-devel +BuildRequires: openssl-devel BuildRequires: rpcsvc-proto-devel +BuildRequires: zlib-devel %description MySQL is a free, widely used SQL engine. It can be used as a fast database as well as a rock-solid DBMS using a modular engine architecture. @@ -25,14 +25,13 @@ Requires: %{name} = %{version}-%{release} %description devel Development headers for developing applications linking to maridb - %prep -%setup -q %{name}-boost-%{version} +%autosetup -p1 %build cmake . \ - -DCMAKE_INSTALL_PREFIX=/usr \ - -DWITH_BOOST=boost/boost_1_72_0 \ + -DCMAKE_INSTALL_PREFIX=%{_prefix} \ + -DWITH_BOOST=boost/boost_1_73_0 \ -DINSTALL_MANDIR=share/man \ -DINSTALL_DOCDIR=share/doc \ -DINSTALL_DOCREADMEDIR=share/doc \ @@ -53,8 +52,8 @@ make test %files %defattr(-,root,root) -%license LICENSE -%doc LICENSE README router/LICENSE.router router/README.router +%license LICENSE router/LICENSE.router +%doc README router/README.router %{_libdir}/plugin/* %{_libdir}/*.so.* %{_libdir}/mysqlrouter/*.so* @@ -64,10 +63,11 @@ make test %{_mandir}/man1/* %{_mandir}/man8/* %{_datadir}/support-files/* -%exclude /usr/mysql-test -%exclude /usr/docs -%exclude /usr/share -%exclude /usr/*.router +%{_prefix}/mysqlrouter-log-rotate +%exclude %{_prefix}/mysql-test +%exclude %{_prefix}/docs +%exclude %{_datadir} +%exclude %{_prefix}/*.router %files devel %{_libdir}/*.so 
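Review bot: `Patch0: CVE-2012-5627.nopatch` points at a file this diff adds with no content, and neither the spec nor the changelog entry ("Added no patch for CVE-2012-5627") records why the CVE needs no fix, so the decision cannot be audited later. A comment above the line would carry that, for example `# CVE-2012-5627: no patch applied because <reason and reference>`. Because `%prep` now uses `%autosetup -p1`, the empty file is also passed to the patch step on every build. It is worth confirming that this is intended and not a side effect of the lint.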
@@ -76,40 +76,63 @@ make test %{_libdir}/pkgconfig/mysqlclient.pc %changelog +* Thu Nov 05 2020 Rachel Menge - 8.0.22-2 +- Added no patch for CVE-2012-5627 + +* Tue Nov 03 2020 Rachel Menge - 8.0.22-1 +- Upgrade to 8.0.22. Fixes 40 CVES. +- Lint spec + * Tue Aug 18 2020 Henry Beberman - 8.0.21-1 - Upgrade to 8.0.21. Fixes 32 CVEs. + * Sat May 09 2020 Nick Samson - 8.0.20-2 - Added %%license line automatically + * Mon Apr 27 2020 Emre Girgin 8.0.20-1 - Upgrade to 8.0.20. Fixes 70 CVEs. - Update URL. - Fix CVE-2020-2804. + * Fri Mar 13 2020 Paul Monson 8.0.17-1 - Update to version 8.0.17. License verified. + * Tue Sep 03 2019 Mateusz Malisz 8.0.14-2 - Initial CBL-Mariner import from Photon (license: Apache2). + * Tue Jan 22 2019 Siju Maliakkal 8.0.14-1 - Upgrade to 8.0.14 + * Wed Jan 02 2019 Him Kalyan Bordoloi 8.0.13-1 - Upgrade to version 8.0.13 - Workaround for broken DCMAKE_BUILD_TYPE=RELEASE(Mysql Bug#92945). Revert in next version + * Mon Nov 19 2018 Ajay Kaher 8.0.12-4 - Enabling for aarch64 + * Mon Oct 22 2018 Ajay Kaher 8.0.12-3 - Adding BuildArch + * Fri Sep 21 2018 Alexey Makhalov 8.0.12-2 - Use libtirpc instead obsoleted rpc from glibc. + * Mon Sep 10 2018 Srivatsa S. Bhat 8.0.12-1 - Update to version 8.0.12 + * Wed Aug 08 2018 Srivatsa S. Bhat 5.7.23-1 - Update to version 5.7.23 to get it to build with gcc 7.3 + * Thu Jan 25 2018 Divya Thaluru 5.7.20-2 - Added patch for CVE-2018-2696 + * Wed Oct 25 2017 Xiaolin Li 5.7.20-1 - Update to version 5.7.20 + * Fri Oct 13 2017 Alexey Makhalov 5.7.18-3 - Fix typo in description + * Fri Jul 14 2017 Xiaolin Li 5.7.18-2 - Run make test in the %check section + * Tue Jun 13 2017 Xiaolin Li 5.7.18-1 - Initial packaging for Photon diff --git a/SPECS/net-snmp/net-snmp.signatures.json b/SPECS/net-snmp/net-snmp.signatures.json index 1502c1193e6..83cb310cdb9 100644 --- a/SPECS/net-snmp/net-snmp.signatures.json +++ b/SPECS/net-snmp/net-snmp.signatures.json 
@@ -1,6 +1,6 @@ { "Signatures": { - "net-snmp-5.8.tar.gz": "b2fc3500840ebe532734c4786b0da4ef0a5f67e51ef4c86b3345d697e4976adf", + "net-snmp-5.9.tar.gz": "04303a66f85d6d8b16d3cc53bde50428877c82ab524e17591dfceaeb94df6071", "snmpd.service": "5e17bf9f66f2b77e1a6c6dff7356cecb8ed488ce3df361738a72b4436096b694", "snmptrapd.service": "ef3e3dbe80c8ab455b30cd83db23db136263c1295ce2f23dcc4a1a1b60799229" } diff --git a/SPECS/net-snmp/net-snmp.spec b/SPECS/net-snmp/net-snmp.spec index 1e219e58016..7d714836dd5 100644 --- a/SPECS/net-snmp/net-snmp.spec +++ b/SPECS/net-snmp/net-snmp.spec 
@@ -1,35 +1,42 @@ %global __requires_exclude perl\\(.*\\) Summary: Net-SNMP is a suite of applications used to implement SNMP v1, SNMP v2c and SNMP v3 using both IPv4 and IPv6. Name: net-snmp -Version: 5.8 -Release: 4%{?dist} -License: BSD (like) -URL: http://net-snmp.sourceforge.net/ -Group: Productivity/Networking/Other +Version: 5.9 +Release: 2%{?dist} +License: MIT Vendor: Microsoft Corporation Distribution: Mariner +Group: Productivity/Networking/Other +URL: http://net-snmp.sourceforge.net/ Source0: http://sourceforge.net/projects/%{name}/files/%{name}/%{version}/%{name}-%{version}.tar.gz -%define sha1 net-snmp=78f70731df9dcdb13fe8f60eb7d80d7583da4d2c Source1: snmpd.service Source2: snmptrapd.service + BuildRequires: openssl-devel BuildRequires: perl BuildRequires: systemd + +%if %{with_check} +BuildRequires: net-tools +%endif + Requires: perl Requires: systemd + %description Net-SNMP is a suite of applications used to implement SNMP v1, SNMP v2c and SNMP v3 using both IPv4 and IPv6. %package devel -Group: Development/Libraries -Summary: The includes and static libraries from the Net-SNMP package. -Requires: net-snmp = %{version} +Summary: The includes and static libraries from the Net-SNMP package. +Group: Development/Libraries + +Requires: net-snmp = %{version} %description devel The net-snmp-devel package contains headers and libraries for building SNMP applications. %prep -%setup -q +%autosetup %build %configure \ @@ -38,8 +45,8 @@ The net-snmp-devel package contains headers and libraries for building SNMP appl --target=ia64-linux \ --sbindir=/sbin \ --with-sys-location="unknown" \ - --with-logfile=/var/log/net-snmpd.log \ - --with-persistent-directory=/var/lib/net-snmp \ + --with-logfile=%{_var}/log/net-snmpd.log \ + --with-persistent-directory=%{_sharedstatedir}/net-snmp \ --with-sys-contact="root@localhost" \ --with-defaults \ --with-systemd \ 
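Review bot: Replacing literal paths with macros in the `%configure` hunk changes what is configured unless the macros resolve to the old values. `--with-persistent-directory=%{_sharedstatedir}/net-snmp` equals the former `/var/lib/net-snmp` only where `%{_sharedstatedir}` is defined as `/var/lib`, and rpm's built-in default is `%{_prefix}/com`. That directory holds snmpd's persistent state, including SNMPv3 user data, so a silent move on upgrade would orphan it and create a new directory whose permissions need checking. The same concern applies to `%exclude %{_lib}/perl5/*/*/perllocal.pod` in the later `%files devel` hunk: `%{_lib}` normally expands to a bare directory name, while `%{_libdir}`, already used there for `%{_libdir}/perl5`, is the absolute form. Both can be confirmed with `rpm --eval` on the build image; the `%configure` invocation starts before and continues after the hunk.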
@@ -74,10 +81,11 @@ make %{?_smp_mflags} test %clean rm -rf %{buildroot}/* + %files -%doc COPYING NEWS README ChangeLog -%defattr(-,root,root) %license COPYING +%doc NEWS README ChangeLog +%defattr(-,root,root) /lib/systemd/system/snmpd.service /lib/systemd/system/snmptrapd.service %{_bindir} 
@@ -86,38 +94,60 @@ rm -rf %{buildroot}/* %files devel %defattr(-,root,root) +%{_datadir} %{_includedir} %{_libdir}/*.la -%{_libdir}/perl5 %{_libdir}/*.so -%{_datadir} -%exclude /usr/lib/perl5/*/*/perllocal.pod +%{_libdir}/perl5 +%{_libdir}/pkgconfig/*.pc +%exclude %{_lib}/perl5/*/*/perllocal.pod %changelog +* Tue Nov 10 2020 Andrew Phelps - 5.9-2 +- Fix check test by adding net-tools build requirement. + +* Fri Oct 30 2020 Pawel Winogrodzki - 5.9-1 +- Updating to 5.9 to fix CVE-2019-20892. A patch couldn't be applied without backporting. +- Switching to %%autosetup. +- License verified. +- Removed %%sha1 macro. +- Updating whitespaces to fix issues reported by the linter. + * Sat May 09 00:20:48 PST 2020 Nick Samson - 5.8-4 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 5.8-3 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 5.8-2 -- Using %configure and changing for perl upgrade -* Wed Sep 19 2018 Keerthana K 5.8-1 -- Update to version 5.8 -* Tue Jul 31 2018 Ajay Kaher 5.7.3-9 -- Excluded perllocal.pod for aarch64 -* Mon Apr 16 2018 Xiaolin Li 5.7.3-8 -- Apply patch for CVE-2018-1000116 -* Mon Jul 24 2017 Dheeraj Shetty 5.7.3-7 -- Make service file a different source -* Tue Apr 04 2017 Priyesh Padmavilasom 5.7.3-6 -- Patch to remove U64 typedef -* Tue Oct 04 2016 ChangLee 5.7.3-5 -- Modified %check -* Thu May 26 2016 Harish Udaiya Kumar 5.7.3-4 -- Excluded the perllocal.pod log. -* Tue May 24 2016 Priyesh Padmavilasom 5.7.3-3 -- GA - Bump release of all rpms -* Wed May 04 2016 Nick Shi 5.7.3-2 -- Add snmpd and snmptrapd to systemd service. -* Mon Nov 30 2015 Harish Udaiya Kumar 5.7.3-1 -- Initial build. First version +* Tue Sep 03 2019 Mateusz Malisz - 5.8-3 +- Initial CBL-Mariner import from Photon (license: Apache2). 
+ +* Fri Sep 21 2018 Dweep Advani - 5.8-2 +- Using %configure and changing for perl upgrade + +* Wed Sep 19 2018 Keerthana K - 5.8-1 +- Update to version 5.8 + +* Tue Jul 31 2018 Ajay Kaher - 5.7.3-9 +- Excluded perllocal.pod for aarch64 + +* Mon Apr 16 2018 Xiaolin Li - 5.7.3-8 +- Apply patch for CVE-2018-1000116 + +* Mon Jul 24 2017 Dheeraj Shetty - 5.7.3-7 +- Make service file a different source + +* Tue Apr 04 2017 Priyesh Padmavilasom - 5.7.3-6 +- Patch to remove U64 typedef + +* Tue Oct 04 2016 ChangLee - 5.7.3-5 +- Modified %check + +* Thu May 26 2016 Harish Udaiya Kumar - 5.7.3-4 +- Excluded the perllocal.pod log. + +* Tue May 24 2016 Priyesh Padmavilasom - 5.7.3-3 +- GA - Bump release of all rpms + +* Wed May 04 2016 Nick Shi - 5.7.3-2 +- Add snmpd and snmptrapd to systemd service. + +* Mon Nov 30 2015 Harish Udaiya Kumar - 5.7.3-1 +- Initial build. First version diff --git a/SPECS/nghttp2/nghttp2.signatures.json b/SPECS/nghttp2/nghttp2.signatures.json index 213d8ac30bd..954a40ef400 100644 --- a/SPECS/nghttp2/nghttp2.signatures.json +++ b/SPECS/nghttp2/nghttp2.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "nghttp2-1.33.0.tar.xz": "4879ce9ff3320f5344b910ee1c46ed5e366edc2272620cf17d8e762724d7df1e" + "nghttp2-1.41.0.tar.xz": "abc25b8dc601f5b3fefe084ce50fcbdc63e3385621bee0cbfa7b57f9ec3e67c2" } } \ No newline at end of file diff --git a/SPECS/nghttp2/nghttp2.spec b/SPECS/nghttp2/nghttp2.spec index 52cc385bd7d..7c263598974 100644 --- a/SPECS/nghttp2/nghttp2.spec +++ b/SPECS/nghttp2/nghttp2.spec 
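Review bot: In `%files devel` the new exclude is written as `%exclude %{_lib}/perl5/*/*/perllocal.pod`, while the directory it carves out of is listed as `%{_libdir}/perl5`. In stock RPM `%{_lib}` is the bare directory name (`lib`/`lib64`), not an absolute path. Unless this distribution's macros redefine it, the exclude no longer matches the old `/usr/lib/perl5/...` path and perllocal.pod would be packaged. `%exclude %{_libdir}/perl5/*/*/perllocal.pod` avoids depending on that. The same `%{_lib}` substitution appears in the nginx `%install` hunk (`%{buildroot}%{_lib}/systemd/system`) and in the pcre `%install` hunk, where one `ln` command mixes `%{buildroot}/usr/lib/libpcre.so` with `%{buildroot}%{_lib}/libpcre.so`.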
@@ -1,30 +1,29 @@ -Summary: nghttp2 is an implementation of HTTP/2 and its header compression algorithm, HPACK. -Name: nghttp2 -Version: 1.33.0 -Release: 3%{?dist} -License: MIT -URL: https://nghttp2.org -Group: Applications/System +Summary: nghttp2 is an implementation of HTTP/2 and its header compression algorithm, HPACK. +Name: nghttp2 +Version: 1.41.0 +Release: 1%{?dist} +License: MIT Vendor: Microsoft Corporation Distribution: Mariner -Source0: https://github.com/nghttp2/nghttp2/releases/download/v%{version}/%{name}-%{version}.tar.xz -%define sha1 nghttp2=0a11f7de6ea8e66fbecc9fe4ddc61b6ab40af469 +Group: Applications/System +URL: https://nghttp2.org +Source0: https://github.com/nghttp2/nghttp2/releases/download/v%{version}/%{name}-%{version}.tar.xz -BuildRequires: c-ares-devel -BuildRequires: openssl-devel -BuildRequires: systemd -BuildRequires: zlib-devel -BuildRequires: libxml2-devel -BuildRequires: libevent-devel -BuildRequires: jansson-devel +BuildRequires: c-ares-devel +BuildRequires: jansson-devel +BuildRequires: libevent-devel +BuildRequires: libxml2-devel +BuildRequires: openssl-devel +BuildRequires: systemd +BuildRequires: zlib-devel %description Implementation of the Hypertext Transfer Protocol version 2 in C. %package devel -Summary: Header files for nghttp2 -#Requires: %{name} -Requires: %{name} = %{version}-%{release} +Summary: Header files for nghttp2 + +Requires: %{name} = %{version}-%{release} %description devel These are the header files of nghttp2. 
@@ -59,12 +58,19 @@ rm %{buildroot}/%{_libdir}/*.la %{_libdir}/pkgconfig/*.pc %changelog +* Tue Nov 03 2020 Pawel Winogrodzki - 1.41.0-1 +- Upgrading to 1.41.0 to fix CVE-2020-11080. +- License verified. +- Removed %%sha1 macro. + * Sat May 09 00:20:46 PST 2020 Nick Samson - 1.33.0-3 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 1.33.0-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 7 2018 Him Kalyan Bordoloi 1.33.0-1 -- Upgrade to version 1.33.0 -* Tue Jun 13 2017 Dheeraj Shetty 1.23.1-1 -- First version +* Tue Sep 03 2019 Mateusz Malisz - 1.33.0-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 7 2018 Him Kalyan Bordoloi - 1.33.0-1 +- Upgrade to version 1.33.0 + +* Tue Jun 13 2017 Dheeraj Shetty - 1.23.1-1 +- First version diff --git a/SPECS/nginx/CVE-2009-4487.nopatch b/SPECS/nginx/CVE-2009-4487.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/nginx/CVE-2019-20372.patch b/SPECS/nginx/CVE-2019-20372.patch new file mode 100644 index 00000000000..ed5ad95f08a --- /dev/null +++ b/SPECS/nginx/CVE-2019-20372.patch @@ -0,0 +1,17 @@ +diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c +index 4ffb2cc..76e6705 100644 +--- a/src/http/ngx_http_special_response.c ++++ b/src/http/ngx_http_special_response.c +@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page) + return ngx_http_named_location(r, &uri); + } + ++ r->expect_tested = 1; ++ ++ if (ngx_http_discard_request_body(r) != NGX_OK) { ++ r->keepalive = 0; ++ } ++ + location = ngx_list_push(&r->headers_out.headers); + + if (location == NULL) { diff --git a/SPECS/nginx/nginx.spec b/SPECS/nginx/nginx.spec index a1b4299c415..65fbb727013 100644 --- a/SPECS/nginx/nginx.spec +++ b/SPECS/nginx/nginx.spec 
@@ -1,24 +1,26 @@ Summary: High-performance HTTP server and reverse proxy Name: nginx Version: 1.16.1 -Release: 2%{?dist} +Release: 4%{?dist} License: BSD 2-Clause -URL: http://nginx.org/ -Group: Applications/System Vendor: Microsoft Corporation Distribution: Mariner +Group: Applications/System +URL: https://nginx.org/ Source0: https://nginx.org/download/%{name}-%{version}.tar.gz Source1: nginx.service Source2: nginx-njs-0.2.1.tar.gz -%define sha1 nginx-njs=fd8c3f2d219f175be958796e3beaa17f3b465126 +Patch0: CVE-2019-20372.patch +Patch1: CVE-2009-4487.nopatch BuildRequires: openssl-devel BuildRequires: pcre-devel BuildRequires: which + %description NGINX is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. %prep -%setup -q +%autosetup -p1 pushd ../ mkdir nginx-njs tar -C nginx-njs -xf %{SOURCE2} @@ -27,12 +29,12 @@ popd %build sh configure \ --prefix=%{_sysconfdir}//nginx \ - --sbin-path=/usr/sbin/nginx \ - --conf-path=/etc/nginx/nginx.conf \ - --pid-path=/var/run/nginx.pid \ - --lock-path=/var/run/nginx.lock \ - --error-log-path=/var/log/nginx/error.log \ - --http-log-path=/var/log/nginx/access.log \ + --sbin-path=%{_sbindir}/nginx \ + --conf-path=%{_sysconfdir}/nginx/nginx.conf \ + --pid-path=%{_var}/run/nginx.pid \ + --lock-path=%{_var}/run/nginx.lock \ + --error-log-path=%{_var}/log/nginx/error.log \ + --http-log-path=%{_var}/log/nginx/access.log \ --add-module=../nginx-njs/njs-0.2.1/nginx \ --with-http_ssl_module \ --with-pcre \ 
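Review bot: Removing `%define sha1 nginx-njs=...` drops the only integrity pin visible in this spec for `Source2: nginx-njs-0.2.1.tar.gz`, which also has no download URL. No nginx signatures file is touched in the part of the diff shown here, so confirm it already carries a SHA-256 entry for that tarball before the sha1 line goes away. Separately, `%autosetup -p1` applies every `PatchN`, so `Patch1: CVE-2009-4487.nopatch` is now passed to patch. That presumably works only while the file stays empty; a comment next to it such as `# empty marker file: must stay empty while %autosetup is used` would record the constraint.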
@@ -43,13 +45,14 @@ sh configure \ --with-http_stub_status_module make %{?_smp_mflags} + %install make DESTDIR=%{buildroot} install -install -vdm755 %{buildroot}/usr/lib/systemd/system +install -vdm755 %{buildroot}%{_lib}/systemd/system install -vdm755 %{buildroot}%{_var}/log install -vdm755 %{buildroot}%{_var}/opt/nginx/log ln -sfv %{_var}/opt/nginx/log %{buildroot}%{_var}/log/nginx -install -p -m 0644 %{SOURCE1} %{buildroot}/usr/lib/systemd/system/nginx.service +install -p -m 0644 %{SOURCE1} %{buildroot}%{_lib}/systemd/system/nginx.service %files %defattr(-,root,root) 
@@ -76,42 +79,66 @@ install -p -m 0644 %{SOURCE1} %{buildroot}/usr/lib/systemd/system/nginx.service %{_var}/log/nginx %changelog +* Tue Nov 17 2020 Nicolas Guibourge - 1.16.1-4 +- nopatch for CVE-2009-4487 + +* Wed Oct 28 2020 Henry Li - 1.16.1-3 +- Used autosetup +- Added patch to resolve CVE-2019-20372 + * Sat May 09 00:21:09 PST 2020 Nick Samson - 1.16.1-2 - Added %%license line automatically * Fri Mar 13 2020 Paul Monson 1.16.1-1 - Update to version 1.16.1. License verified. + * Tue Sep 03 2019 Mateusz Malisz 1.15.3-5 - Initial CBL-Mariner import from Photon (license: Apache2). + * Fri Mar 15 2019 Keerthana K 1.15.3-4 - Enable http_stub_status_module. + * Wed Nov 07 2018 Ajay Kaher 1.15.3-3 - mark config files as non replaceable on upgrade. + * Mon Sep 17 2018 Keerthana K 1.15.3-2 - Adding http_auth_request_module and http_sub_module. + * Fri Sep 7 2018 Him Kalyan Bordoloi 1.15.3-1 - Upgrade to version 1.15.3 + * Fri Jul 20 2018 Keerthana K 1.13.8-3 - Restarting nginx on failure. + * Fri Jun 08 2018 Dheeraj Shetty 1.13.8-2 - adding module njs. + * Fri May 18 2018 Srivatsa S. Bhat 1.13.8-1 - Update to version 1.13.8 to support nginx-ingress + * Thu Dec 28 2017 Divya Thaluru 1.13.5-2 - Fixed the log file directory structure + * Wed Oct 04 2017 Xiaolin Li 1.13.5-1 - Update to version 1.13.5 + * Mon May 01 2017 Dheeraj Shetty 1.11.13-2 - adding module stream to nginx. + * Wed Apr 05 2017 Priyesh Padmavilasom 1.11.13-1 - update to 1.11.13 + * Fri Nov 18 2016 Anish Swaminathan 1.10.0-5 - Add patch for CVE-2016-4450 + * Wed Jul 27 2016 Divya Thaluru 1.10.0-4 - Removed packaging of debug files + * Fri Jul 8 2016 Divya Thaluru 1.10.0-3 - Modified default pid filepath and fixed nginx systemd service + * Tue May 24 2016 Priyesh Padmavilasom 1.10.0-2 - GA - Bump release of all rpms + * Mon May 16 2016 Xiaolin Li 1.10.0-1 - Initial build. First version 
diff --git a/SPECS/openldap/CVE-2015-3276.patch b/SPECS/openldap/CVE-2015-3276.patch new file mode 100644 index 00000000000..83d5b094af2 --- /dev/null +++ b/SPECS/openldap/CVE-2015-3276.patch @@ -0,0 +1,39 @@ +diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c +index 715b433..c999602 100644 +--- a/libraries/libldap/tls_m.c ++++ b/libraries/libldap/tls_m.c +@@ -620,18 +620,23 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) + */ + if (mask || strength || protocol) { + for (i=0; i= 1.0.1, cyrus-sasl >= 2.1 BuildRequires: cyrus-sasl >= 2.1 BuildRequires: openssl-devel >= 1.0.1 @@ -29,9 +30,7 @@ over the Internet. The openldap package contains configuration files, libraries, and documentation for OpenLDAP. %prep -%setup -q -%patch0 -p1 -%patch1 -p1 +%autosetup -p1 %build autoconf @@ -77,6 +76,9 @@ rm -rf %{buildroot}/* /etc/openldap/* %changelog +* Mon Oct 26 2020 Henry Li 2.4.50-2 +- Used autosetup. +- Added patch to resolve CVE-2015-3276. * Wed Jun 03 2020 Nicolas Ontiveros 2.4.50-1 - Upgrade to version 2.4.50, which resolves CVE-2020-12243. * Tue May 12 2020 Nicolas Ontiveros 2.4.48-1 diff --git a/SPECS/openssh/CVE-2007-2768.nopatch b/SPECS/openssh/CVE-2007-2768.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/openssh/CVE-2020-14145.nopatch b/SPECS/openssh/CVE-2020-14145.nopatch new file mode 100644 index 00000000000..3811041da13 --- /dev/null +++ b/SPECS/openssh/CVE-2020-14145.nopatch @@ -0,0 +1 @@ +The CVE is a won't fix for OpenSSH (confirmed on their mailing list). See here: https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf. \ No newline at end of file diff --git a/SPECS/openssh/CVE-2020-15778.nopatch b/SPECS/openssh/CVE-2020-15778.nopatch new file mode 100644 index 00000000000..3811041da13 --- /dev/null +++ b/SPECS/openssh/CVE-2020-15778.nopatch 
@@ -0,0 +1 @@ +The CVE is a won't fix for OpenSSH (confirmed on their mailing list). See here: https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf. \ No newline at end of file diff --git a/SPECS/openssh/openssh.spec b/SPECS/openssh/openssh.spec index f6f65fefe3a..970452530f5 100644 --- a/SPECS/openssh/openssh.spec +++ b/SPECS/openssh/openssh.spec @@ -1,25 +1,30 @@ +%define systemd_units_rel 20191026 Summary: Free version of the SSH connectivity tools Name: openssh Version: 8.0p1 -Release: 9%{?dist} +Release: 12%{?dist} License: BSD -URL: https://www.openssh.com/ -Group: System Environment/Security Vendor: Microsoft Corporation Distribution: Mariner +Group: System Environment/Security +URL: https://www.openssh.com/ Source0: https://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz -%define systemd_units_rel 20191026 Source1: http://www.linuxfromscratch.org/blfs/downloads/stable-systemd/blfs-systemd-units-%{systemd_units_rel}.tar.xz Source2: sshd.service Source3: sshd-keygen.service Patch0: blfs_systemd_fixes.patch Patch1: CVE-2019-16905.patch +# Nopatches section +# Community agreed to not patch this +Patch100: CVE-2007-2768.nopatch +Patch101: CVE-2020-14145.nopatch +Patch102: CVE-2020-15778.nopatch +BuildRequires: e2fsprogs-devel +BuildRequires: groff +BuildRequires: krb5-devel BuildRequires: openssl-devel BuildRequires: pam-devel -BuildRequires: krb5-devel -BuildRequires: e2fsprogs-devel BuildRequires: systemd -BuildRequires: groff Requires: openssh-clients = %{version}-%{release} Requires: openssh-server = %{version}-%{release} 
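Review bot: CVE-2020-15778.nopatch is added with the same blob (`3811041da13`) and the same sentence as CVE-2020-14145.nopatch, including the link to `2020-06-26-FSA-2020-2.pdf`. The two CVEs are separate issues, so the rationale and reference look copied rather than written for CVE-2020-15778. Anyone auditing the won't-fix decision later would be sent to an advisory that may not discuss it. The file should cite the upstream statement that applies to this CVE, for example `CVE-2020-15778: upstream will not fix; see <link to the upstream statement>`.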
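Review bot: The single comment `# Community agreed to not patch this` sits above three `Patch10x` entries, and CVE-2007-2768.nopatch is added as an empty file, so no rationale for that CVE is recorded anywhere in the package. A one-line comment per entry would make each decision auditable, for example `# CVE-2007-2768: <reason and link to the upstream statement>` directly above `Patch100`. The two marker files that contain prose are harmless only because `%prep`, in a later hunk, applies `%patch0` and `%patch1` explicitly instead of using `%autosetup`.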
@@ -30,50 +35,59 @@ network. The ssh and scp commands are secure implementions of telnet and rcp respectively. %package clients -Summary: openssh client applications. -Requires: openssl +Summary: openssh client applications. +Requires: openssl + %description clients This provides the ssh client utilities. %package server -Summary: openssh server applications -Requires: pam -Requires: shadow-utils -Requires: ncurses-term -Requires: openssh-clients = %{version}-%{release} +Summary: openssh server applications +Requires: ncurses-term +Requires: openssh-clients = %{version}-%{release} +Requires: pam +Requires: shadow-utils Requires(post): /bin/chown -Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd +Requires(pre): %{_sbindir}/groupadd +Requires(pre): %{_sbindir}/useradd + %description server This provides the ssh server daemons, utilities, configuration and service files. %prep %setup -q tar xf %{SOURCE1} --no-same-owner -%patch0 -p0 -%patch1 -p0 +%patch0 +%patch1 + %build %configure \ - --sysconfdir=/etc/ssh \ - --datadir=/usr/share/sshd \ + --sysconfdir=%{_sysconfdir}/ssh \ + --datadir=%{_datadir}/sshd \ --with-md5-passwords \ - --with-privsep-path=/var/lib/sshd \ + --with-privsep-path=%{_sharedstatedir}/sshd \ --with-pam \ --with-maintype=man \ --enable-strip=no \ - --with-kerberos5=/usr + --with-kerberos5=%{_prefix} make + %install [ %{buildroot} != "/"] && rm -rf %{buildroot}/* make DESTDIR=%{buildroot} install -install -vdm755 %{buildroot}/var/lib/sshd -echo "AllowTcpForwarding no" >> %{buildroot}/etc/ssh/sshd_config -echo "ClientAliveCountMax 2" >> %{buildroot}/etc/ssh/sshd_config -echo "Compression no" >> %{buildroot}/etc/ssh/sshd_config -#echo "MaxSessions 2" >> %{buildroot}/etc/ssh/sshd_config -echo "TCPKeepAlive no" >> %{buildroot}/etc/ssh/sshd_config -echo "AllowAgentForwarding no" >> %{buildroot}/etc/ssh/sshd_config -echo "PermitRootLogin no" >> %{buildroot}/etc/ssh/sshd_config -echo "UsePAM yes" >> %{buildroot}/etc/ssh/sshd_config +install -vdm755 
%{buildroot}%{_sharedstatedir}/sshd + +cat <>%{buildroot}%{_sysconfdir}/ssh/sshd_config +AllowTcpForwarding no +ClientAliveCountMax 2 +Compression no +#MaxSessions 2 +TCPKeepAlive no +AllowAgentForwarding no +PermitRootLogin no +UsePAM yes +EOF + # Install daemon script pushd blfs-systemd-units-%{systemd_units_rel} make DESTDIR=%{buildroot} install-sshd @@ -90,18 +104,18 @@ install -m644 contrib/ssh-copy-id.1 %{buildroot}/%{_mandir}/man1/ if ! getent passwd sshd >/dev/null; then useradd sshd fi -if [ ! -d /var/lib/sshd ]; then - mkdir /var/lib/sshd - chmod 0755 /var/lib/sshd +if [ ! -d %{_sharedstatedir}/sshd ]; then + mkdir %{_sharedstatedir}/sshd + chmod 0755 %{_sharedstatedir}/sshd fi -cp %{buildroot}/usr/bin/scp /usr/bin +cp %{buildroot}%{_bindir}/scp %{_bindir} chmod g+w . -R useradd test -G root -m sudo -u test -s /bin/bash -c "PATH=$PATH make tests" %pre server getent group sshd >/dev/null || groupadd -g 50 sshd -getent passwd sshd >/dev/null || useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd +getent passwd sshd >/dev/null || useradd -c 'sshd PrivSep' -d %{_sharedstatedir}/sshd -g sshd -s /bin/false -u 50 sshd %preun server %systemd_preun sshd.service sshd-keygen.service @@ -109,7 +123,7 @@ getent passwd sshd >/dev/null || useradd -c 'sshd PrivSep' -d /var/lib/sshd -g s %post server /sbin/ldconfig if [ $1 -eq 1 ] ; then - chown -v root:sys /var/lib/sshd + chown -v root:sys %{_sharedstatedir}/sshd fi %systemd_post sshd.service sshd-keygen.service @@ -128,13 +142,15 @@ fi %clean rm -rf %{buildroot}/* + + %files %license LICENCE %files server %defattr(-,root,root) %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config -%attr(700,root,sys)/var/lib/sshd +%attr(700,root,sys) %{_sharedstatedir}/sshd /lib/systemd/system/sshd-keygen.service /lib/systemd/system/sshd.service /lib/systemd/system/sshd.socket 
@@ -173,92 +189,143 @@ rm -rf %{buildroot}/* %{_mandir}/man8/ssh-pkcs11-helper.8.gz %changelog -* Mon Oct 19 2020 Andrew Phelps 8.0p1-9 -- Add patch for CVE-2019-16905 -* Wed Sep 02 2020 Jim Perrin 8.0p1-8 -- Add wants=sshd-keygen.service to sshd.service for easier service starting -* Thu Jun 04 2020 Chris Co 8.0p1-7 -- Use default MaxAuthTries value of 6 -* Tue May 26 2020 Pawel Winogrodzki 8.0p1-6 -- Adding the "%%license" macro. -* Tue Apr 28 2020 Emre Girgin 8.0p1-5 -- Renaming Linux-PAM to pam -* Mon Apr 27 2020 Emre Girgin 8.0p1-4 -- Rename shadow to shadow-utils. -* Mon Apr 27 2020 Emre Girgin 8.0p1-3 -- Rename ncurses-terminfo to ncurses-term. -* Fri Apr 24 2020 Nick Samson 8.0p1-2 -- Updated Source0, Source1. blfs-systemd-units updated to latest recommended version (20191026). -* Thu Mar 12 2020 Paul Monson 8.0p1-1 -- Update to version 8.0p1. License verified. -* Tue Sep 03 2019 Mateusz Malisz 7.8p1-4 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Thu Feb 14 2019 Ankit Jain 7.8p1-3 -- Fix CVE-2018-20685. -* Tue Jan 08 2019 Alexey Makhalov 7.8p1-2 -- Added BuildRequires groff -- Use %configure -* Tue Sep 11 2018 Him Kalyan Bordoloi 7.8p1-1 -- Update version -* Tue Nov 28 2017 Xiaolin Li 7.5p1-11 -- Fix CVE-2017-15906. 
-* Tue Nov 14 2017 Alexey Makhalov 7.5p1-10 -- Fix: openssh-server requires(pre) shadow tools -* Tue Nov 14 2017 Anish Swaminathan 7.5p1-9 -- Add ciphers aes128-gcm, aes256-gcm and kex dh14/16/18 in fips mode -* Tue Oct 10 2017 Alexey Makhalov 7.5p1-8 -- No direct toybox dependency, shadow depends on toybox -* Mon Sep 18 2017 Alexey Makhalov 7.5p1-7 -- Requires shadow or toybox -* Thu Sep 14 2017 Alexey Makhalov 7.5p1-6 -- sshd config: revert MaxSessions to original value -* Thu Aug 31 2017 Alexey Makhalov 7.5p1-5 -- sshd config hardening based on lynis recommendations -* Thu Aug 10 2017 Chang Lee 7.5p1-4 -- Fixed %check -* Mon Jul 24 2017 Dheeraj Shetty 7.5p1-3 -- Seperate the service file from the spec file -* Wed May 3 2017 Bo Gan 7.5p1-2 -- Fixed openssh-server dependency on coreutils -* Tue Mar 28 2017 Priyesh Padmavilasom 7.5p1-1 -- Update version -* Thu Feb 09 2017 Anish Swaminathan 7.4p1-3 -- Add patch to configure openssh FIPS mode -* Thu Feb 02 2017 Anish Swaminathan 7.4p1-2 -- Add patch to support FIPS mode -* Fri Jan 06 2017 Xiaolin Li 7.4p1-1 -- Updated to version 7.4p1. -* Wed Dec 14 2016 Xiaolin Li 7.1p2-10 -- BuildRequires Linux-PAM-devel -* Mon Dec 12 2016 Anish Swaminathan 7.1p2-9 -- Add patch to fix CVE-2016-8858 -* Thu Nov 24 2016 Alexey Makhalov 7.1p2-8 -- openssh-devel requires ncurses-terminfo to provide extra terms +* Tue Nov 17 2020 Nicolas Guibourge - 8.0p1-12 +- Nopatching CVE-2020-15778. + +* Tue Nov 03 2020 Pawel Winogrodzki - 8.0p1-11 +- Nopatching CVE-2020-14145. + +* Fri Oct 30 2020 Nicolas Ontiveros - 8.0p1-10 +- Add no patch for CVE-2007-2768 + +* Mon Oct 19 2020 Andrew Phelps - 8.0p1-9 +- Add patch for CVE-2019-16905 + +* Wed Sep 02 2020 Jim Perrin - 8.0p1-8 +- Add wants=sshd-keygen.service to sshd.service for easier service starting + +* Thu Jun 04 2020 Chris Co - 8.0p1-7 +- Use default MaxAuthTries value of 6 + +* Tue May 26 2020 Pawel Winogrodzki - 8.0p1-6 +- Adding the "%%license" macro. 
+ +* Tue Apr 28 2020 Emre Girgin - 8.0p1-5 +- Renaming Linux-PAM to pam + +* Mon Apr 27 2020 Emre Girgin - 8.0p1-4 +- Rename shadow to shadow-utils. + +* Mon Apr 27 2020 Emre Girgin - 8.0p1-3 +- Rename ncurses-terminfo to ncurses-term. + +* Fri Apr 24 2020 Nick Samson - 8.0p1-2 +- Updated Source0, Source1. blfs-systemd-units updated to latest recommended version (20191026). + +* Thu Mar 12 2020 Paul Monson - 8.0p1-1 +- Update to version 8.0p1. License verified. + +* Tue Sep 03 2019 Mateusz Malisz - 7.8p1-4 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Thu Feb 14 2019 Ankit Jain - 7.8p1-3 +- Fix CVE-2018-20685. + +* Tue Jan 08 2019 Alexey Makhalov - 7.8p1-2 +- Added BuildRequires groff +- Use %configure + +* Tue Sep 11 2018 Him Kalyan Bordoloi - 7.8p1-1 +- Update version + +* Tue Nov 28 2017 Xiaolin Li - 7.5p1-11 +- Fix CVE-2017-15906. + +* Tue Nov 14 2017 Alexey Makhalov - 7.5p1-10 +- Fix: openssh-server requires(pre) shadow tools + +* Tue Nov 14 2017 Anish Swaminathan - 7.5p1-9 +- Add ciphers aes128-gcm, aes256-gcm and kex dh14/16/18 in fips mode + +* Tue Oct 10 2017 Alexey Makhalov - 7.5p1-8 +- No direct toybox dependency, shadow depends on toybox + +* Mon Sep 18 2017 Alexey Makhalov - 7.5p1-7 +- Requires shadow or toybox + +* Thu Sep 14 2017 Alexey Makhalov - 7.5p1-6 +- sshd config: revert MaxSessions to original value + +* Thu Aug 31 2017 Alexey Makhalov - 7.5p1-5 +- sshd config hardening based on lynis recommendations + +* Thu Aug 10 2017 Chang Lee - 7.5p1-4 +- Fixed %check + +* Mon Jul 24 2017 Dheeraj Shetty - 7.5p1-3 +- Seperate the service file from the spec file + +* Wed May 3 2017 Bo Gan - 7.5p1-2 +- Fixed openssh-server dependency on coreutils + +* Tue Mar 28 2017 Priyesh Padmavilasom - 7.5p1-1 +- Update version + +* Thu Feb 09 2017 Anish Swaminathan - 7.4p1-3 +- Add patch to configure openssh FIPS mode + +* Thu Feb 02 2017 Anish Swaminathan - 7.4p1-2 +- Add patch to support FIPS mode + +* Fri Jan 06 2017 Xiaolin Li - 7.4p1-1 +- 
Updated to version 7.4p1. + +* Wed Dec 14 2016 Xiaolin Li - 7.1p2-10 +- BuildRequires Linux-PAM-devel + +* Mon Dec 12 2016 Anish Swaminathan - 7.1p2-9 +- Add patch to fix CVE-2016-8858 + +* Thu Nov 24 2016 Alexey Makhalov - 7.1p2-8 +- openssh-devel requires ncurses-terminfo to provide extra terms for the clients -* Thu Nov 24 2016 Alexey Makhalov 7.1p2-7 -- Required krb5-devel. -* Thu Nov 03 2016 Sharath George 7.1p2-6 -- Split openssh into client and server rpms. -* Wed Oct 05 2016 ChangLee 7.1p2-5 -- Modified %check -* Thu Sep 15 2016 Anish Swaminathan 7.1p2-4 -- Add patch to fix CVE-2016-6515 -* Tue May 24 2016 Priyesh Padmavilasom 7.1p2-3 -- GA - Bump release of all rpms -* Wed May 04 2016 Anish Swaminathan 7.1p2-2 -- Edit scriptlets. -* Thu Mar 17 2016 Xiaolin Li 7.1p2-1 -- Updated to version 7.1p2 -* Fri Feb 05 2016 Anish Swaminathan 6.6p1-6 -- Add pre install scripts in the rpm -* Tue Jan 12 2016 Anish Swaminathan 6.6p1-5 -- Change config file attributes. -* Thu Dec 10 2015 Xiaolin Li 6.6p1-4 -- Add systemd to Requires and BuildRequires. -- Use systemctl to enable/disable service. -* Fri Jul 17 2015 Divya Thaluru 6.6p1-3 -- Enabling ssh-keygen service by default and fixed service file to execute only once. -* Tue May 19 2015 Sharath George 6.6p1-2 -- Bulding ssh server with kerberos 5. -* Wed Nov 5 2014 Divya Thaluru 6.6p1-1 -- Initial build. First version + +* Thu Nov 24 2016 Alexey Makhalov - 7.1p2-7 +- Required krb5-devel. + +* Thu Nov 03 2016 Sharath George - 7.1p2-6 +- Split openssh into client and server rpms. + +* Wed Oct 05 2016 ChangLee - 7.1p2-5 +- Modified %check + +* Thu Sep 15 2016 Anish Swaminathan - 7.1p2-4 +- Add patch to fix CVE-2016-6515 + +* Tue May 24 2016 Priyesh Padmavilasom - 7.1p2-3 +- GA - Bump release of all rpms + +* Wed May 04 2016 Anish Swaminathan - 7.1p2-2 +- Edit scriptlets. 
+ +* Thu Mar 17 2016 Xiaolin Li - 7.1p2-1 +- Updated to version 7.1p2 + +* Fri Feb 05 2016 Anish Swaminathan - 6.6p1-6 +- Add pre install scripts in the rpm + +* Tue Jan 12 2016 Anish Swaminathan - 6.6p1-5 +- Change config file attributes. + +* Thu Dec 10 2015 Xiaolin Li - 6.6p1-4 +- Add systemd to Requires and BuildRequires. +- Use systemctl to enable/disable service. + +* Fri Jul 17 2015 Divya Thaluru - 6.6p1-3 +- Enabling ssh-keygen service by default and fixed service file to execute only once. + +* Tue May 19 2015 Sharath George - 6.6p1-2 +- Bulding ssh server with kerberos 5. + +* Wed Nov 5 2014 Divya Thaluru - 6.6p1-1 +- Initial build. First version diff --git a/SPECS/openssl/openssl.spec b/SPECS/openssl/openssl.spec index e69f3bb2ab4..bc2f203c4aa 100644 --- a/SPECS/openssl/openssl.spec +++ b/SPECS/openssl/openssl.spec @@ -1,7 +1,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.1.1g -Release: 6%{?dist} +Release: 7%{?dist} License: OpenSSL URL: http://www.openssl.org/ Group: System Environment/Security @@ -137,7 +137,6 @@ export HASHBANGPERL=/usr/bin/perl no-sm4 \ no-ssl \ no-ssl3 \ - no-tests \ no-tls1 \ no-tls1_1 \ no-weak-ssl-ciphers \ @@ -257,6 +256,9 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist rm -rf $RPM_BUILD_ROOT %changelog +* Tue Nov 10 2020 Johnson George 1.1.1g-7 +- Updated the config option to enable package test + * Tue Jul 28 2020 Pawel Winogrodzki 1.1.1g-6 - Replacing removal of functions through the 'no--method' option with returning a method negotiating the highest supported protocol diff --git a/SPECS/pcre/pcre.signatures.json b/SPECS/pcre/pcre.signatures.json index d91c266eaee..71ad8c43cda 100644 --- a/SPECS/pcre/pcre.signatures.json +++ b/SPECS/pcre/pcre.signatures.json 
@@ -1,5 +1,5 @@ { "Signatures": { - "pcre-8.42.tar.bz2": "2cd04b7c887808be030254e8d77de11d3fe9d4505c39d4b15d2664ffe8bf9301" + "pcre-8.44.tar.bz2": "19108658b23b3ec5058edc9f66ac545ea19f9537234be1ec62b714c84399366d" } } \ No newline at end of file diff --git a/SPECS/pcre/pcre.spec b/SPECS/pcre/pcre.spec index 2b099a49cd4..078e850aba3 100644 --- a/SPECS/pcre/pcre.spec +++ b/SPECS/pcre/pcre.spec @@ -1,42 +1,46 @@ Summary: Grep for perl compatible regular expressions Name: pcre -Version: 8.42 -Release: 4%{?dist} +Version: 8.44 +Release: 1%{?dist} License: BSD -URL: https://www.pcre.org -Group: Applications/System Vendor: Microsoft Corporation Distribution: Mariner +Group: Applications/System +URL: https://www.pcre.org Source0: https://ftp.pcre.org/pub/pcre/%{name}-%{version}.tar.bz2 BuildRequires: bzip2-devel BuildRequires: readline-devel Requires: libgcc -Requires: readline Requires: libstdc++ Requires: pcre-libs = %{version}-%{release} +Requires: readline + %description The PCRE package contains Perl Compatible Regular Expression libraries. These are useful for implementing regular expression pattern matching using the same syntax and semantics as Perl 5. %package devel -Group: Development/Libraries Summary: Headers and static lib for pcre development +Group: Development/Libraries Requires: %{name} = %{version}-%{release} Provides: pkgconfig(libpcre) + %description devel Install this package if you want do compile applications using the pcre library. %package libs -Summary: Libraries for pcre -Group: System Environment/Libraries +Summary: Libraries for pcre +Group: System Environment/Libraries + %description libs This package contains minimal set of shared pcre libraries. %prep %setup -q + %build -./configure --prefix=/usr \ - --docdir=/usr/share/doc/pcre-%{version} \ +./configure --prefix=%{_prefix} \ + --docdir=%{_docdir}/pcre-%{version} \ --enable-unicode-properties \ --enable-pcre16 \ --enable-pcre32 \ 
@@ -50,14 +54,15 @@ make %{?_smp_mflags} %install make DESTDIR=%{buildroot} install mv -v %{buildroot}/usr/lib/libpcre.so.* %{buildroot}/lib && -ln -sfv ../../lib/$(readlink %{buildroot}/usr/lib/libpcre.so) %{buildroot}/usr/lib/libpcre.so -ln -sfv $(readlink %{buildroot}/usr/lib/libpcre.so) %{buildroot}/usr/lib/libpcre.so.0 +ln -sfv ../../lib/$(readlink %{buildroot}/usr/lib/libpcre.so) %{buildroot}%{_lib}/libpcre.so +ln -sfv $(readlink %{buildroot}/usr/lib/libpcre.so) %{buildroot}%{_lib}/libpcre.so.0 %check make %{?_smp_mflags} check %post -p /sbin/ldconfig %postun -p /sbin/ldconfig + %files %defattr(-,root,root) %license COPYING @@ -85,7 +90,10 @@ make %{?_smp_mflags} check %{_libdir}/libpcre.so.* %changelog -* Sat May 09 00:21:28 PST 2020 Nick Samson - 8.42-4 +* Thu Oct 29 2020 Joe Schmitt - 8.44-1 +- Update to version 8.44 to fix CVE-2020-14155. + +* Sat May 09 2020 Nick Samson 8.42-4 - Added %%license line automatically * Tue Apr 07 2020 Joe Schmitt 8.42-3 
@@ -93,31 +101,45 @@ make %{?_smp_mflags} check - Update Source0 with valid URL. - Remove sha1 macro. - License verified. + * Tue Sep 03 2019 Mateusz Malisz 8.42-2 - Initial CBL-Mariner import from Photon (license: Apache2). + * Tue Sep 11 2018 Him Kalyan Bordoloi 8.42-1 - Update to version 8.42 + * Wed Dec 20 2017 Xiaolin Li 8.41-1 - Update to version 8.41 + * Wed Jul 19 2017 Harish Udaiya Kumar 8.40-4 - Added fix for CVE-2017-11164 by adding stack recursion limit + * Wed May 24 2017 Divya Thaluru 8.40-3 - Added fixes for CVE-2017-7244, CVE-2017-7245, CVE-2017-7246, CVE-2017-7186 + * Fri Apr 14 2017 Alexey Makhalov 8.40-2 - Added -libs subpackage + * Mon Apr 03 2017 Robert Qi 8.40-1 - Update to 8.40 + * Wed Oct 05 2016 ChangLee 8.39-2 - Modified %check + * Fri Sep 9 2016 Xiaolin Li 8.39-1 - Update to version 8.39 + * Tue May 24 2016 Priyesh Padmavilasom 8.38-3 - GA - Bump release of all rpms + * Fri Mar 18 2016 Anish Swaminathan 8.38-2 - Add upstream fixes patch + * Thu Jan 21 2016 Xiaolin Li 8.38-1 - Updated to version 8.38 + * Mon Nov 30 2015 Sharath George 8.36-2 Add symlink for libpcre.so.1 + * Thu Nov 06 2014 Sharath George 8.36-1 Initial version diff --git a/SPECS/perl-JSON-Any/perl-JSON-Any.spec b/SPECS/perl-JSON-Any/perl-JSON-Any.spec index ad402445c2a..ece266419ae 100644 --- a/SPECS/perl-JSON-Any/perl-JSON-Any.spec +++ b/SPECS/perl-JSON-Any/perl-JSON-Any.spec @@ -1,7 +1,7 @@ Summary: Wrapper Class for the various JSON classes Name: perl-JSON-Any Version: 1.39 -Release: 6%{?dist} +Release: 7%{?dist} License: Perl Artistic License 2.0 Group: Development/Libraries URL: http://search.cpan.org/~ether/JSON-Any-1.39/lib/JSON/Any.pm @@ -31,7 +31,8 @@ find %{buildroot} -depth -type d -exec rmdir {} 2>/dev/null \; %check export PERL_MM_USE_DEFAULT=1 -cpan Test::Fatal Test::Requires Test::Warnings Test::Without::Module +cpan local::lib +cpan Test::Fatal Test::Requires Test::Warnings Test::Without::Module make test %files 
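Review bot: The `%check` section of perl-JSON-Any now runs two `cpan` installs (the new `cpan local::lib` plus the existing Test::* line), so the test phase downloads and executes unpinned code from CPAN on the build host. Nothing in the spec records versions or checksums for those modules, which makes the test result non-reproducible and dependent on network access. Packaging the test dependencies and declaring them as `BuildRequires:` inside an `%if %{with_check}` block, as the net-snmp spec in this commit does for net-tools, would keep the check inside the verified package set.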
@@ -40,6 +41,9 @@ make test %{_mandir}/man?/* %changelog +* Fri Nov 13 2020 Pawel Winogrodzki - 1.39-7 +- Adding 'local::lib' perl5 library to fix test dependencies. + * Sat May 09 00:20:40 PST 2020 Nick Samson - 1.39-6 - Added %%license line automatically diff --git a/SPECS/perl-JSON/perl-JSON.signatures.json b/SPECS/perl-JSON/perl-JSON.signatures.json new file mode 100644 index 00000000000..ef8fa0c6a2a --- /dev/null +++ b/SPECS/perl-JSON/perl-JSON.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "perl-JSON-4.02.tar.gz": "444a88755a89ffa2a5424ab4ed1d11dca61808ebef57e81243424619a9e8627c" + } +} \ No newline at end of file diff --git a/SPECS/perl-JSON/perl-JSON.spec b/SPECS/perl-JSON/perl-JSON.spec new file mode 100644 index 00000000000..6a74e15d06c --- /dev/null +++ b/SPECS/perl-JSON/perl-JSON.spec 
@@ -0,0 +1,305 @@ +%global __provides_exclude %{?__provides_exclude:%__provides_exclude|}perl\\(JSON::(Backend::PP|backportPP::Boolean|Boolean|PP|PP::IncrParser)\\) +%global __requires_exclude %{?__requires_exclude:%__requires_exclude|}perl\\(JSON::(backportPP|backportPP::Boolean)\\) +Summary: Parse and convert to JSON (JavaScript Object Notation) +Name: perl-JSON +Version: 4.02 +Release: 5%{?dist} +License: GPL+ OR Artistic +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://metacpan.org/release/JSON +#Source0: https://cpan.metacpan.org/modules/by-module/JSON/JSON-%{version}.tar.gz +Source0: %{name}-%{version}.tar.gz +BuildRequires: coreutils +BuildRequires: findutils +BuildRequires: make +BuildRequires: perl +BuildRequires: perl(Carp) +BuildRequires: perl(Data::Dumper) +BuildRequires: perl(Encode) +BuildRequires: perl(Exporter) +BuildRequires: perl(ExtUtils::MakeMaker) +BuildRequires: perl(File::Spec) +BuildRequires: perl(Math::BigFloat) +BuildRequires: perl(Math::BigInt) +BuildRequires: perl(Scalar::Util) +BuildRequires: perl(Test) +BuildRequires: perl(Test::More) +BuildRequires: perl(base) +BuildRequires: perl(constant) +BuildRequires: perl(lib) +Requires: perl +Provides: perl(JSON) +BuildArch: noarch +%{?perl_default_filter} +%{?perl_default_subpackage_tests} + +%description +This module converts between JSON (JavaScript Object Notation) and Perl +data structure into each other. For JSON, see http://www.crockford.com/JSON/. + +%prep +%setup -q -n JSON-%{version} + +# make rpmlint happy... +find . -type f -exec chmod -c -x {} + +find t/ -type f -exec perl -pi -e 's|^#! 
perl|#!perl|' {} + +sed -i 's/\r//' README t/* + +%build +perl Makefile.PL INSTALLDIRS=vendor +make %{?_smp_mflags} + +%install +make pure_install DESTDIR=%{buildroot} +find %{buildroot} -type f -name .packlist -delete +%{_fixperms} -c %{buildroot} + +%check +make test + +%files +%license README +%doc Changes +%{perl_vendorlib}/* +%{_mandir}/man3/* + +%changelog +* Wed Oct 21 2020 Henry Beberman - 4.02-5 +- Initial CBL-Mariner import from Fedora 32 (license: MIT). +- License verified. + +* Thu Jan 30 2020 Fedora Release Engineering - 4.02-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Fri Jul 26 2019 Fedora Release Engineering - 4.02-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri May 31 2019 Jitka Plesnikova - 4.02-2 +- Perl 5.30 rebuild + +* Sat Feb 23 2019 Paul Howarth - 4.02-1 +- Update to 4.02 + - Fix a test that broke if perl was compiled with -Dquadmath (CPAN RT#128589) + +* Fri Feb 01 2019 Fedora Release Engineering - 4.01-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sun Jan 20 2019 Emmanuel Seyman - 4.01-1 +- Update to 4.01 + +* Fri Dec 7 2018 Paul Howarth - 4.00-1 +- Update to 4.00 + - BACKWARD INCOMPATIBILITY: As JSON::XS 4.0 changed its policy and enabled + allow_nonref by default, JSON::PP, and thus JSON, also enabled allow_nonref + by default + - Updated backportPP with JSON::PP 4.00 + - Allow PERL_JSON_PP_USE_B environmental variable to restore old number + detection behavior for compatibility +- RPM version resynced with upstream + +* Fri Jul 13 2018 Fedora Release Engineering - 2.97.001-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Jun 28 2018 Jitka Plesnikova - 2.97.001-3 +- Perl 5.28 rebuild + +* Thu Feb 08 2018 Fedora Release Engineering - 2.97.001-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Dec 22 2017 Paul Howarth - 2.97.001-1 +- Update to 2.97001 + - Updated backportPP with JSON::PP 
2.97001 + +* Tue Nov 21 2017 Paul Howarth - 2.97-1 +- Update to 2.97 (upstream 2.97000 but stick to two-digit minor version + downstream in case upstream changes back before version 3.x) + +* Mon Nov 20 2017 Paul Howarth - 2.96-1 +- Update to 2.96 + +* Thu Jul 27 2017 Fedora Release Engineering - 2.94-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Jun 10 2017 Emmanuel Seyman - 2.94-1 +- Update to 2.94 + +* Sun Jun 04 2017 Jitka Plesnikova - 2.93-3 +- Perl 5.26 rebuild + +* Tue May 23 2017 Petr Pisar - 2.93-2 +- Filter private JSON::backportPP::Boolean + +* Mon May 22 2017 Emmanuel Seyman - 2.93-1 +- Update to 2.93 + +* Sat Feb 11 2017 Fedora Release Engineering - 2.90-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Sun May 15 2016 Jitka Plesnikova - 2.90-7 +- Perl 5.24 rebuild + +* Thu Feb 04 2016 Fedora Release Engineering - 2.90-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jun 18 2015 Fedora Release Engineering - 2.90-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Sat Jun 06 2015 Jitka Plesnikova - 2.90-4 +- Perl 5.22 rebuild + +* Wed Aug 27 2014 Jitka Plesnikova - 2.90-3 +- Perl 5.20 rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 2.90-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sun Nov 03 2013 Emmanuel Seyman - 2.90-1 +- Update to 2.90 + +* Sun Oct 20 2013 Emmanuel Seyman - 2.61-1 +- Update to 2.61 + +* Sat Aug 03 2013 Fedora Release Engineering - 2.59-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu Jul 18 2013 Petr Pisar - 2.59-2 +- Perl 5.18 rebuild + +* Sun Jun 09 2013 Emmanuel Seyman - 2.59-1 +- Update to 2.59 + +* Sun May 26 2013 Emmanuel Seyman - 2.58-1 +- Update to 2.58 + +* Sun Apr 07 2013 Emmanuel Seyman - 2.57-1 +- Update to 2.57 +- Remove no-longer-used macros + +* Thu Feb 14 2013 Fedora Release Engineering - 2.53-8 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Nov 19 2012 Petr Šabata - 2.53-7 +- Add some missing and remove some obsolete deps + +* Fri Jul 20 2012 Fedora Release Engineering - 2.53-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Jun 15 2012 Petr Pisar - 2.53-5 +- Perl 5.16 rebuild +- Specify all dependencies + +* Fri Jan 13 2012 Fedora Release Engineering - 2.53-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Jul 20 2011 Iain Arnell 2.53-3 +- update filtering macros for rpm 4.9 + +* Wed Jul 20 2011 Petr Sabata - 2.53-2 +- Perl mass rebuild + +* Sun May 22 2011 Paul Howarth 2.53-1 +- update to 2.53 + - fixed to_json (CPAN RT#68359) + - backport JSON::PP 2.27200 (fixed incr_parse decoding string more correctly + - CPAN RT#68032) + - made Makefile.PL skip an installing XS question when set $ENV{PERL_ONLY} or + $ENV{NO_XS} (CPAN RT#66820) + +* Tue Mar 8 2011 Paul Howarth 2.51-1 +- update to 2.51 (#683052) + - import JSON::PP 2.27105 as BackportPP + - fix documentation (CPAN RT#64738) + +* Tue Feb 08 2011 Fedora Release Engineering - 2.50-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Jan 27 2011 Paul Howarth 2.50-1 +- update to 2.50 (#665621) + - JSON::PP split off into separate distribution and replaced with + JSON::backportPP instead for internal use +- BR: perl(Test::Pod) +- drop t/ from %%doc as the tests are in the -tests subpackage +- filter private module perl(JSON::backportPP) from requires +- filter private module perl(JSON::backportPP::Boolean) from provides +- filter private module perl(JSON::Backend::PP) from provides +- filter private module perl(JSON::Boolean) from provides +- filter private module perl(JSON::PP) from provides (really JSON::backportPP) +- filter private module perl(JSON::PP::IncrParser) from provides + +* Sun Nov 21 2010 Iain Arnell 2.27-1 +- update to latest upstream version +- clean up spec for modern rpmbuild + +* Sun 
May 02 2010 Marcela Maslanova - 2.17-2 +- Mass rebuild with perl-5.12.0 + +* Sun Feb 28 2010 Chris Weyl 2.17-1 +- update by Fedora::App::MaintainerTools 0.004 +- PERL_INSTALL_ROOT => DESTDIR +- dropped old BR on perl(HTTP::Request) +- dropped old BR on perl(HTTP::Response) +- dropped old requires on perl(HTTP::Daemon) +- dropped old requires on perl(LWP::UserAgent) +- dropped old requires on perl(Scalar::Util) + +* Wed Sep 02 2009 Chris Weyl 2.15-5 +- adjust filtering so we don't drop the versioned perl(JSON:PP) prov + +* Tue Sep 01 2009 Chris Weyl 2.15-4 +- bump + +* Mon Aug 31 2009 Chris Weyl 2.15-3 +- update filtering + +* Sun Jul 26 2009 Fedora Release Engineering - 2.15-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Jun 22 2009 Chris Weyl 2.15-1 +- auto-update to 2.15 (by cpan-spec-update 0.01) + +* Sun Mar 01 2009 Chris Weyl 2.14-1 +- update to 2.14 + +* Thu Feb 26 2009 Fedora Release Engineering - 2.12-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu Feb 26 2009 Fedora Release Engineering - 2.12-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Sun Oct 12 2008 Chris Weyl 2.12-1 +- update to 2.12 + +* Wed Jun 25 2008 Chris Weyl 2.11-1 +- update to 2.11 + +* Wed May 28 2008 Chris Weyl 2.09-1 +- update to 2.09 + +* Sun Mar 09 2008 Chris Weyl 2.07-1 +- update to 2.x series before F9 + +* Wed Mar 5 2008 Tom "spot" Callaway 1.15-2 +- rebuild for new perl + +* Mon Nov 26 2007 Chris Weyl 1.15-1 +- update to 1.15 + +* Sun May 13 2007 Chris Weyl 1.14-1 +- update to 1.14 + +* Wed May 09 2007 Chris Weyl 1.13-1 +- update to 1.13 + +* Fri May 04 2007 Chris Weyl 1.12-1 +- update to 1.12 +- add t/ to %%doc + +* Wed Apr 25 2007 Chris Weyl 1.11-2 +- bump + +* Tue Apr 24 2007 Chris Weyl 1.11-1 +- update to 1.11 + +* Wed Apr 18 2007 Chris Weyl 1.10-1 +- Specfile autogenerated by cpanspec 1.69.1. 
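Review bot: `Source0: %{name}-%{version}.tar.gz` in the new perl-JSON.spec keeps the upstream location only in the commented-out `#Source0:` line, so the origin of the renamed tarball is not machine-readable and the SHA-256 in perl-JSON.signatures.json is the only tie to upstream. RPM accepts a URL that carries the local file name as a fragment, e.g. `Source0: https://cpan.metacpan.org/modules/by-module/JSON/JSON-%{version}.tar.gz#/%{name}-%{version}.tar.gz`, which keeps both the rename and the provenance on one line, provided the build tooling here handles that form. If the commented form is a project convention, a short comment stating that the archive is upstream's `JSON-%{version}.tar.gz` renamed, and that the pinned hash must be recomputed from the upstream download on each version bump, would help the next maintainer.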
diff --git a/SPECS/perl-List-MoreUtils/perl-List-MoreUtils.spec b/SPECS/perl-List-MoreUtils/perl-List-MoreUtils.spec index d57a06278fd..abcb0a94da1 100644 --- a/SPECS/perl-List-MoreUtils/perl-List-MoreUtils.spec +++ b/SPECS/perl-List-MoreUtils/perl-List-MoreUtils.spec @@ -1,20 +1,22 @@ # Got the intial spec from Fedora and modified it -Summary: Provide the stuff missing in List::Util -Name: perl-List-MoreUtils -Version: 0.428 -Release: 4%{?dist} -License: GPL+ or Artistic +Summary: Provide the stuff missing in List::Util +Name: perl-List-MoreUtils +Version: 0.428 +Release: 5%{?dist} +License: ASL 2.0 AND (GPLv1 OR Artistic) Group: Development/Libraries -URL: http://search.cpan.org/dist/List-MoreUtils/ -Source0: https://cpan.metacpan.org/authors/id/R/RE/REHSACK/List-MoreUtils-%{version}.tar.gz -%define sha1 List-MoreUtils=fe63dcadb0e2a6ae3ce981d6913a19e96fc56a98 +URL: http://search.cpan.org/dist/List-MoreUtils/ +Source0: https://cpan.metacpan.org/authors/id/R/RE/REHSACK/List-MoreUtils-%{version}.tar.gz Vendor: Microsoft Corporation Distribution: Mariner + BuildArch: noarch -BuildRequires: perl >= 5.28.0 -Requires: perl >= 5.28.0 -BuildRequires: perl-Exporter-Tiny -Requires: perl-Exporter-Tiny + +BuildRequires: perl >= 5.28.0 +BuildRequires: perl-Exporter-Tiny + +Requires: perl >= 5.28.0 +Requires: perl-Exporter-Tiny %description List::MoreUtils provides some trivial but commonly needed functionality 
@@ -36,17 +38,23 @@ find %{buildroot} -name 'perllocal.pod' -delete # Install required module List::MoreUtils::XS for maketest export PERL_MM_USE_DEFAULT=1 echo "yes" | cpan -a +cpan local::lib cpan -i List::MoreUtils::XS make test %files -%license LICENSE +%license ARTISTIC-1.0 GPL-1 LICENSE %{perl_vendorlib}/List/ %{_mandir}/man3/List::MoreUtils.3* %{_mandir}/man3/List::MoreUtils::PP.3* %{_mandir}/man3/List::MoreUtils::Contributing.3.gz %changelog +* Fri Nov 13 2020 Pawel Winogrodzki - 0.428-5 +- Adding 'local::lib' perl5 library to fix test dependencies. +- Removed %%sha1 macro. +- License verified and extended %%license macro to include all license files. + * Sat May 09 00:21:01 PST 2020 Nick Samson - 0.428-4 - Added %%license line automatically diff --git a/SPECS/perl-Net-SSLeay/perl-Net-SSLeay.spec b/SPECS/perl-Net-SSLeay/perl-Net-SSLeay.spec index f4d68ce534c..69f39f79e79 100644 --- a/SPECS/perl-Net-SSLeay/perl-Net-SSLeay.spec +++ b/SPECS/perl-Net-SSLeay/perl-Net-SSLeay.spec @@ -1,7 +1,7 @@ Summary: Perl extension for using OpenSSL Name: perl-Net-SSLeay Version: 1.88 -Release: 2%{?dist} +Release: 3%{?dist} License: Artistic 2.0 Group: Development/Libraries URL: https://metacpan.org/pod/distribution/Net-SSLeay/lib/Net/SSLeay.pod @@ -48,6 +48,7 @@ find %{buildroot} -type f -name '*.bs' -empty -delete # Install required modules for test - Test::Pod, Test::Exception, Test::Warn and Test::NoWarnings export PERL_MM_USE_DEFAULT=1 echo "yes" | cpan -a +cpan local::lib cpan -i Test::Pod Test::Exception Test::Warn Test::NoWarnings make test @@ -57,6 +58,9 @@ make test %{_mandir}/man?/* %changelog +* Fri Nov 13 2020 Pawel Winogrodzki - 1.88-3 +- Adding 'local::lib' perl5 library to fix test dependencies. + * Sat May 09 00:21:16 PST 2020 Nick Samson - 1.88-2 - Added %%license line automatically diff --git a/SPECS/perl-YAML/perl-YAML.spec b/SPECS/perl-YAML/perl-YAML.spec index 916835c4343..3b7284da6ad 100644 --- a/SPECS/perl-YAML/perl-YAML.spec 
+++ b/SPECS/perl-YAML/perl-YAML.spec @@ -2,7 +2,7 @@ Summary: YAML Ain't Markup Language (tm) Name: perl-YAML Version: 1.26 -Release: 3%{?dist} +Release: 4%{?dist} License: GPL+ or Artistic Group: Development/Libraries URL: http://search.cpan.org/dist/YAML/ @@ -40,6 +40,7 @@ find %{buildroot} -name 'perllocal.pod' -delete %check export PERL_MM_USE_DEFAULT=1 +cpan local::lib cpan Test::YAML make %{?_smp_mflags} test @@ -84,6 +85,9 @@ make %{?_smp_mflags} test %{_mandir}/man3/YAML::Types.3* %changelog +* Fri Nov 13 2020 Pawel Winogrodzki - 1.26-4 +- Adding 'local::lib' perl5 library to fix test dependencies. + * Sat May 09 00:21:35 PST 2020 Nick Samson - 1.26-3 - Added %%license line automatically diff --git a/SPECS/postgresql/CVE-2016-5423.patch b/SPECS/postgresql/CVE-2016-5423.patch deleted file mode 100644 index cb2061cc555..00000000000 --- a/SPECS/postgresql/CVE-2016-5423.patch +++ /dev/null 
@@ -1,330 +0,0 @@ -From f0c7b789ab12fbc8248b671c7882dd96ac932ef4 Mon Sep 17 00:00:00 2001 -From: Tom Lane -Date: Mon, 8 Aug 2016 10:33:46 -0400 -Subject: [PATCH] Fix two errors with nested CASE/WHEN constructs. - -ExecEvalCase() tried to save a cycle or two by passing -&econtext->caseValue_isNull as the isNull argument to its sub-evaluation of -the CASE value expression. If that subexpression itself contained a CASE, -then *isNull was an alias for econtext->caseValue_isNull within the -recursive call of ExecEvalCase(), leading to confusion about whether the -inner call's caseValue was null or not. In the worst case this could lead -to a core dump due to dereferencing a null pointer. Fix by not assigning -to the global variable until control comes back from the subexpression. -Also, avoid using the passed-in isNull pointer transiently for evaluation -of WHEN expressions. (Either one of these changes would have been -sufficient to fix the known misbehavior, but it's clear now that each of -these choices was in itself dangerous coding practice and best avoided. -There do not seem to be any similar hazards elsewhere in execQual.c.) - -Also, it was possible for inlining of a SQL function that implements the -equality operator used for a CASE comparison to result in one CASE -expression's CaseTestExpr node being inserted inside another CASE -expression. This would certainly result in wrong answers since the -improperly nested CaseTestExpr would be caused to return the inner CASE's -comparison value not the outer's. If the CASE values were of different -data types, a crash might result; moreover such situations could be abused -to allow disclosure of portions of server memory. To fix, teach -inline_function to check for "bare" CaseTestExpr nodes in the arguments of -a function to be inlined, and avoid inlining if there are any. 
- -Heikki Linnakangas, Michael Paquier, Tom Lane - -Report: https://github.com/greenplum-db/gpdb/pull/327 -Report: <4DDCEEB8.50602@enterprisedb.com> -Security: CVE-2016-5423 ---- - src/backend/executor/execQual.c | 22 +++++++--- - src/backend/optimizer/util/clauses.c | 81 ++++++++++++++++++++++++++++++++++++ - src/test/regress/expected/case.out | 44 ++++++++++++++++++++ - src/test/regress/sql/case.sql | 43 +++++++++++++++++++ - 4 files changed, 185 insertions(+), 5 deletions(-) - -diff --git a/src/backend/executor/execQual.c b/src/backend/executor/execQual.c -index 69bf65d..cbb76d1 100644 ---- a/src/backend/executor/execQual.c -+++ b/src/backend/executor/execQual.c -@@ -2943,19 +2943,30 @@ ExecEvalCase(CaseExprState *caseExpr, ExprContext *econtext, - - /* - * If there's a test expression, we have to evaluate it and save the value -- * where the CaseTestExpr placeholders can find it. We must save and -+ * where the CaseTestExpr placeholders can find it. We must save and - * restore prior setting of econtext's caseValue fields, in case this node -- * is itself within a larger CASE. -+ * is itself within a larger CASE. Furthermore, don't assign to the -+ * econtext fields until after returning from evaluation of the test -+ * expression. We used to pass &econtext->caseValue_isNull to the -+ * recursive call, but that leads to aliasing that variable within said -+ * call, which can (and did) produce bugs when the test expression itself -+ * contains a CASE. -+ * -+ * If there's no test expression, we don't actually need to save and -+ * restore these fields; but it's less code to just do so unconditionally. 
- */ - save_datum = econtext->caseValue_datum; - save_isNull = econtext->caseValue_isNull; - - if (caseExpr->arg) - { -+ bool arg_isNull; -+ - econtext->caseValue_datum = ExecEvalExpr(caseExpr->arg, - econtext, -- &econtext->caseValue_isNull, -+ &arg_isNull, - NULL); -+ econtext->caseValue_isNull = arg_isNull; - } - - /* -@@ -2994,10 +3005,11 @@ ExecEvalCase(CaseExprState *caseExpr, ExprContext *econtext, - { - CaseWhenState *wclause = lfirst(clause); - Datum clause_value; -+ bool clause_isNull; - - clause_value = ExecEvalExpr(wclause->expr, - econtext, -- isNull, -+ &clause_isNull, - NULL); - - /* -@@ -3005,7 +3017,7 @@ ExecEvalCase(CaseExprState *caseExpr, ExprContext *econtext, - * statement is satisfied. A NULL result from the test is not - * considered true. - */ -- if (DatumGetBool(clause_value) && !*isNull) -+ if (DatumGetBool(clause_value) && !clause_isNull) - { - econtext->caseValue_datum = save_datum; - econtext->caseValue_isNull = save_isNull; -diff --git a/src/backend/optimizer/util/clauses.c b/src/backend/optimizer/util/clauses.c -index a69af7c..4e23898 100644 ---- a/src/backend/optimizer/util/clauses.c -+++ b/src/backend/optimizer/util/clauses.c -@@ -97,6 +97,8 @@ static bool contain_mutable_functions_walker(Node *node, void *context); - static bool contain_volatile_functions_walker(Node *node, void *context); - static bool contain_volatile_functions_not_nextval_walker(Node *node, void *context); - static bool contain_nonstrict_functions_walker(Node *node, void *context); -+static bool contain_context_dependent_node(Node *clause); -+static bool contain_context_dependent_node_walker(Node *node, int *flags); - static bool contain_leaked_vars_walker(Node *node, void *context); - static Relids find_nonnullable_rels_walker(Node *node, bool top_level); - static List *find_nonnullable_vars_walker(Node *node, bool top_level); -@@ -1323,6 +1325,76 @@ contain_nonstrict_functions_walker(Node *node, void *context) - } - - 
/***************************************************************************** -+ * Check clauses for context-dependent nodes -+ *****************************************************************************/ -+ -+/* -+ * contain_context_dependent_node -+ * Recursively search for context-dependent nodes within a clause. -+ * -+ * CaseTestExpr nodes must appear directly within the corresponding CaseExpr, -+ * not nested within another one, or they'll see the wrong test value. If one -+ * appears "bare" in the arguments of a SQL function, then we can't inline the -+ * SQL function for fear of creating such a situation. -+ * -+ * CoerceToDomainValue would have the same issue if domain CHECK expressions -+ * could get inlined into larger expressions, but presently that's impossible. -+ * Still, it might be allowed in future, or other node types with similar -+ * issues might get invented. So give this function a generic name, and set -+ * up the recursion state to allow multiple flag bits. -+ */ -+static bool -+contain_context_dependent_node(Node *clause) -+{ -+ int flags = 0; -+ -+ return contain_context_dependent_node_walker(clause, &flags); -+} -+ -+#define CCDN_IN_CASEEXPR 0x0001 /* CaseTestExpr okay here? */ -+ -+static bool -+contain_context_dependent_node_walker(Node *node, int *flags) -+{ -+ if (node == NULL) -+ return false; -+ if (IsA(node, CaseTestExpr)) -+ return !(*flags & CCDN_IN_CASEEXPR); -+ if (IsA(node, CaseExpr)) -+ { -+ CaseExpr *caseexpr = (CaseExpr *) node; -+ -+ /* -+ * If this CASE doesn't have a test expression, then it doesn't create -+ * a context in which CaseTestExprs should appear, so just fall -+ * through and treat it as a generic expression node. 
-+ */ -+ if (caseexpr->arg) -+ { -+ int save_flags = *flags; -+ bool res; -+ -+ /* -+ * Note: in principle, we could distinguish the various sub-parts -+ * of a CASE construct and set the flag bit only for some of them, -+ * since we are only expecting CaseTestExprs to appear in the -+ * "expr" subtree of the CaseWhen nodes. But it doesn't really -+ * seem worth any extra code. If there are any bare CaseTestExprs -+ * elsewhere in the CASE, something's wrong already. -+ */ -+ *flags |= CCDN_IN_CASEEXPR; -+ res = expression_tree_walker(node, -+ contain_context_dependent_node_walker, -+ (void *) flags); -+ *flags = save_flags; -+ return res; -+ } -+ } -+ return expression_tree_walker(node, contain_context_dependent_node_walker, -+ (void *) flags); -+} -+ -+/***************************************************************************** - * Check clauses for Vars passed to non-leakproof functions - *****************************************************************************/ - -@@ -4230,6 +4302,8 @@ evaluate_function(Oid funcid, Oid result_type, int32 result_typmod, - * doesn't work in the general case because it discards information such - * as OUT-parameter declarations. - * -+ * Also, context-dependent expression nodes in the argument list are trouble. -+ * - * Returns a simplified expression if successful, or NULL if cannot - * simplify the function. - */ -@@ -4424,6 +4498,13 @@ inline_function(Oid funcid, Oid result_type, Oid result_collid, - contain_nonstrict_functions(newexpr)) - goto fail; - -+ /* -+ * If any parameter expression contains a context-dependent node, we can't -+ * inline, for fear of putting such a node into the wrong context. 
-+ */ -+ if (contain_context_dependent_node((Node *) args)) -+ goto fail; -+ - /* - * We may be able to do it; there are still checks on parameter usage to - * make, but those are most easily done in combination with the actual -diff --git a/src/test/regress/expected/case.out b/src/test/regress/expected/case.out -index c564eed..35b6476 100644 ---- a/src/test/regress/expected/case.out -+++ b/src/test/regress/expected/case.out -@@ -297,7 +297,51 @@ SELECT * FROM CASE_TBL; - (4 rows) - - -- -+-- Nested CASE expressions -+-- -+-- This test exercises a bug caused by aliasing econtext->caseValue_isNull -+-- with the isNull argument of the inner CASE's ExecEvalCase() call. After -+-- evaluating the vol(null) expression in the inner CASE's second WHEN-clause, -+-- the isNull flag for the case test value incorrectly became true, causing -+-- the third WHEN-clause not to match. The volatile function calls are needed -+-- to prevent constant-folding in the planner, which would hide the bug. -+CREATE FUNCTION vol(text) returns text as -+ 'begin return $1; end' language plpgsql volatile; -+SELECT CASE -+ (CASE vol('bar') -+ WHEN 'foo' THEN 'it was foo!' -+ WHEN vol(null) THEN 'null input' -+ WHEN 'bar' THEN 'it was bar!' END -+ ) -+ WHEN 'it was foo!' THEN 'foo recognized' -+ WHEN 'it was bar!' THEN 'bar recognized' -+ ELSE 'unrecognized' END; -+ case -+---------------- -+ bar recognized -+(1 row) -+ -+-- In this case, we can't inline the SQL function without confusing things. 
-+CREATE DOMAIN foodomain AS text; -+CREATE FUNCTION volfoo(text) returns foodomain as -+ 'begin return $1::foodomain; end' language plpgsql volatile; -+CREATE FUNCTION inline_eq(foodomain, foodomain) returns boolean as -+ 'SELECT CASE $2::text WHEN $1::text THEN true ELSE false END' language sql; -+CREATE OPERATOR = (procedure = inline_eq, -+ leftarg = foodomain, rightarg = foodomain); -+SELECT CASE volfoo('bar') WHEN 'foo'::foodomain THEN 'is foo' ELSE 'is not foo' END; -+ case -+------------ -+ is not foo -+(1 row) -+ -+-- - -- Clean up - -- - DROP TABLE CASE_TBL; - DROP TABLE CASE2_TBL; -+DROP OPERATOR = (foodomain, foodomain); -+DROP FUNCTION inline_eq(foodomain, foodomain); -+DROP FUNCTION volfoo(text); -+DROP DOMAIN foodomain; -+DROP FUNCTION vol(text); -diff --git a/src/test/regress/sql/case.sql b/src/test/regress/sql/case.sql -index 5f41753..b2377e4 100644 ---- a/src/test/regress/sql/case.sql -+++ b/src/test/regress/sql/case.sql -@@ -157,8 +157,51 @@ UPDATE CASE_TBL - SELECT * FROM CASE_TBL; - - -- -+-- Nested CASE expressions -+-- -+ -+-- This test exercises a bug caused by aliasing econtext->caseValue_isNull -+-- with the isNull argument of the inner CASE's ExecEvalCase() call. After -+-- evaluating the vol(null) expression in the inner CASE's second WHEN-clause, -+-- the isNull flag for the case test value incorrectly became true, causing -+-- the third WHEN-clause not to match. The volatile function calls are needed -+-- to prevent constant-folding in the planner, which would hide the bug. -+ -+CREATE FUNCTION vol(text) returns text as -+ 'begin return $1; end' language plpgsql volatile; -+ -+SELECT CASE -+ (CASE vol('bar') -+ WHEN 'foo' THEN 'it was foo!' -+ WHEN vol(null) THEN 'null input' -+ WHEN 'bar' THEN 'it was bar!' END -+ ) -+ WHEN 'it was foo!' THEN 'foo recognized' -+ WHEN 'it was bar!' THEN 'bar recognized' -+ ELSE 'unrecognized' END; -+ -+-- In this case, we can't inline the SQL function without confusing things. 
-+CREATE DOMAIN foodomain AS text; -+ -+CREATE FUNCTION volfoo(text) returns foodomain as -+ 'begin return $1::foodomain; end' language plpgsql volatile; -+ -+CREATE FUNCTION inline_eq(foodomain, foodomain) returns boolean as -+ 'SELECT CASE $2::text WHEN $1::text THEN true ELSE false END' language sql; -+ -+CREATE OPERATOR = (procedure = inline_eq, -+ leftarg = foodomain, rightarg = foodomain); -+ -+SELECT CASE volfoo('bar') WHEN 'foo'::foodomain THEN 'is foo' ELSE 'is not foo' END; -+ -+-- - -- Clean up - -- - - DROP TABLE CASE_TBL; - DROP TABLE CASE2_TBL; -+DROP OPERATOR = (foodomain, foodomain); -+DROP FUNCTION inline_eq(foodomain, foodomain); -+DROP FUNCTION volfoo(text); -+DROP DOMAIN foodomain; -+DROP FUNCTION vol(text); --- -2.1.4 - diff --git a/SPECS/postgresql/postgresql.signatures.json b/SPECS/postgresql/postgresql.signatures.json index 865190cdc71..7ac4252f277 100644 --- a/SPECS/postgresql/postgresql.signatures.json +++ b/SPECS/postgresql/postgresql.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "postgresql-12.1.tar.bz2": "a09bf3abbaf6763980d0f8acbb943b7629a8b20073de18d867aecdb7988483ed" + "postgresql-12.5.tar.bz2": "bd0d25341d9578b5473c9506300022de26370879581f5fddd243a886ce79ff95" } } \ No newline at end of file diff --git a/SPECS/postgresql/postgresql.spec b/SPECS/postgresql/postgresql.spec index 9e696b1cc44..4b9853f5aa9 100644 --- a/SPECS/postgresql/postgresql.spec +++ b/SPECS/postgresql/postgresql.spec 
@@ -1,39 +1,39 @@ Summary: PostgreSQL database engine Name: postgresql -Version: 12.1 -Release: 3%{?dist} +Version: 12.5 +Release: 1%{?dist} License: PostgreSQL -URL: https://www.postgresql.org -Group: Applications/Databases Vendor: Microsoft Corporation Distribution: Mariner - +Group: Applications/Databases +URL: https://www.postgresql.org Source0: https://ftp.postgresql.org/pub/source/v%{version}/%{name}-%{version}.tar.bz2 + # Common libraries needed BuildRequires: krb5-devel BuildRequires: libxml2-devel BuildRequires: openldap +BuildRequires: openssl-devel BuildRequires: perl BuildRequires: readline-devel -BuildRequires: openssl-devel -BuildRequires: zlib-devel BuildRequires: tzdata +BuildRequires: zlib-devel + +Requires: %{name}-libs = %{version}-%{release} Requires: krb5 Requires: libxml2 Requires: openldap Requires: openssl Requires: readline -Requires: zlib Requires: tzdata - -Requires: %{name}-libs = %{version}-%{release} +Requires: zlib %description PostgreSQL is an object-relational database management system. %package libs -Summary: Libraries for use with PostgreSQL -Group: Applications/Databases +Summary: Libraries for use with PostgreSQL +Group: Applications/Databases %description libs The postgresql-libs package provides the essential shared libraries for any @@ -44,6 +44,7 @@ PostgreSQL server. %package devel Summary: Development files for postgresql. Group: Development/Libraries + Requires: postgresql = %{version}-%{release} %description devel @@ -52,6 +53,7 @@ developing applications that use postgresql. %prep %setup -q + %build sed -i '/DEFAULT_PGSOCKET_DIR/s@/tmp@/run/postgresql@' src/include/pg_config_manual.h && ./configure \ @@ -87,9 +89,11 @@ sudo -u nobody -s /bin/bash -c "PATH=$PATH make -k check" %post -p /sbin/ldconfig %postun -p /sbin/ldconfig + %clean rm -rf %{buildroot}/* + %files %defattr(-,root,root) %license COPYRIGHT 
@@ -161,56 +165,86 @@ rm -rf %{buildroot}/* %{_libdir}/libpgtypes.a %changelog -* Sat May 09 00:20:43 PST 2020 Nick Samson - 12.1-3 +* Mon Nov 23 2020 Henry Beberman - 12.5-1 +- Upgrading to 12.5 to fix CVE-2020-25695 and CVE-2020-25694. + +* Tue Nov 03 2020 Pawel Winogrodzki - 12.4-1 +- Upgrading to 12.4 to fix CVE-2020-14349 and CVE-2020-14350. + +* Sat May 09 2020 Nick Samson - 12.1-3 - Added %%license line automatically -* Thu Mar 26 2020 Henry Beberman 12.1-2 -- Manually run header generation. -* Fri Mar 13 2020 Paul Monson 12.1-1 -- Update to version 12.1. License verified. -* Tue Sep 03 2019 Mateusz Malisz 10.5-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Sep 21 2018 Dweep Advani 10.5-1 -- Updated to version 10.5 -* Tue Mar 27 2018 Dheeraj Shetty 9.6.8-1 -- Updated to version 9.6.8 to fix CVE-2018-1058 -* Mon Feb 12 2018 Dheeraj Shetty 9.6.7-1 -- Updated to version 9.6.7 -* Mon Nov 27 2017 Xiaolin Li 9.6.6-1 -- Updated to version 9.6.6 -* Fri Sep 08 2017 Xiaolin Li 9.6.5-1 -- Updated to version 9.6.5 -* Tue Aug 15 2017 Xiaolin Li 9.6.4-1 -- Updated to version 9.6.4 -* Thu Aug 10 2017 Rongrong Qiu 9.6.3-3 -- add sleep 5 when initdb in make check for bug 1900371 -* Wed Jul 05 2017 Divya Thaluru 9.6.3-2 -- Added postgresql-devel -* Tue Jun 06 2017 Divya Thaluru 9.6.3-1 -- Upgraded to 9.6.3 -* Mon Apr 03 2017 Rongrong Qiu 9.6.2-1 -- Upgrade to 9.6.2 for Photon upgrade bump -* Thu Dec 15 2016 Xiaolin Li 9.5.3-6 -- Applied CVE-2016-5423.patch -* Thu Nov 24 2016 Alexey Makhalov 9.5.3-5 -- Required krb5-devel. -* Mon Oct 03 2016 ChangLee 9.5.3-4 -- Modified %check -* Thu May 26 2016 Xiaolin Li 9.5.3-3 -- Add tzdata to buildrequires and requires. 
-* Tue May 24 2016 Priyesh Padmavilasom 9.5.3-2 -- GA - Bump release of all rpms -* Fri May 20 2016 Divya Thaluru 9.5.3-1 -- Updated to version 9.5.3 -* Wed Apr 13 2016 Michael Paquier 9.5.2-1 -- Updated to version 9.5.2 -* Tue Feb 23 2016 Xiaolin Li 9.5.1-1 -- Updated to version 9.5.1 -* Thu Jan 21 2016 Xiaolin Li 9.5.0-1 -- Updated to version 9.5.0 -* Thu Aug 13 2015 Divya Thaluru 9.4.4-1 -- Update to version 9.4.4. -* Mon Jul 13 2015 Alexey Makhalov 9.4.1-2 -- Exclude /usr/lib/debug -* Fri May 15 2015 Sharath George 9.4.1-1 -- Initial build. First version +* Thu Mar 26 2020 Henry Beberman - 12.1-2 +- Manually run header generation. + +* Fri Mar 13 2020 Paul Monson - 12.1-1 +- Update to version 12.1. License verified. + +* Tue Sep 03 2019 Mateusz Malisz - 10.5-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Sep 21 2018 Dweep Advani - 10.5-1 +- Updated to version 10.5 + +* Tue Mar 27 2018 Dheeraj Shetty - 9.6.8-1 +- Updated to version 9.6.8 to fix CVE-2018-1058 + +* Mon Feb 12 2018 Dheeraj Shetty - 9.6.7-1 +- Updated to version 9.6.7 + +* Mon Nov 27 2017 Xiaolin Li - 9.6.6-1 +- Updated to version 9.6.6 + +* Fri Sep 08 2017 Xiaolin Li - 9.6.5-1 +- Updated to version 9.6.5 + +* Tue Aug 15 2017 Xiaolin Li - 9.6.4-1 +- Updated to version 9.6.4 + +* Thu Aug 10 2017 Rongrong Qiu - 9.6.3-3 +- add sleep 5 when initdb in make check for bug 1900371 + +* Wed Jul 05 2017 Divya Thaluru - 9.6.3-2 +- Added postgresql-devel + +* Tue Jun 06 2017 Divya Thaluru - 9.6.3-1 +- Upgraded to 9.6.3 + +* Mon Apr 03 2017 Rongrong Qiu - 9.6.2-1 +- Upgrade to 9.6.2 for Photon upgrade bump + +* Thu Dec 15 2016 Xiaolin Li - 9.5.3-6 +- Applied CVE-2016-5423.patch + +* Thu Nov 24 2016 Alexey Makhalov - 9.5.3-5 +- Required krb5-devel. + +* Mon Oct 03 2016 ChangLee - 9.5.3-4 +- Modified %check + +* Thu May 26 2016 Xiaolin Li - 9.5.3-3 +- Add tzdata to buildrequires and requires. 
+ +* Tue May 24 2016 Priyesh Padmavilasom - 9.5.3-2 +- GA - Bump release of all rpms + +* Fri May 20 2016 Divya Thaluru - 9.5.3-1 +- Updated to version 9.5.3 + +* Wed Apr 13 2016 Michael Paquier - 9.5.2-1 +- Updated to version 9.5.2 + +* Tue Feb 23 2016 Xiaolin Li - 9.5.1-1 +- Updated to version 9.5.1 + +* Thu Jan 21 2016 Xiaolin Li - 9.5.0-1 +- Updated to version 9.5.0 + +* Thu Aug 13 2015 Divya Thaluru - 9.4.4-1 +- Update to version 9.4.4. + +* Mon Jul 13 2015 Alexey Makhalov - 9.4.1-2 +- Exclude /usr/lib/debug + +* Fri May 15 2015 Sharath George - 9.4.1-1 +- Initial build. First version diff --git a/SPECS/python-setuptools/python-setuptools.spec b/SPECS/python-setuptools/python-setuptools.spec index 79c2b460305..e64aae15d72 100644 --- a/SPECS/python-setuptools/python-setuptools.spec +++ b/SPECS/python-setuptools/python-setuptools.spec @@ -3,7 +3,7 @@ Summary: Download, build, install, upgrade, and uninstall Python packages Name: python-setuptools Version: 40.2.0 -Release: 5%{?dist} +Release: 6%{?dist} License: MIT Group: Development/Languages Vendor: Microsoft Corporation @@ -17,6 +17,7 @@ BuildRequires: python2 BuildRequires: python2-libs BuildRequires: unzip +Requires: python-xml Requires: python2 Requires: python2-libs @@ -54,6 +55,9 @@ python2 setup.py test %{python2_sitelib}/* %changelog +* Mon Nov 16 2020 Pawel Winogrodzki - 40.2.0-6 +- Adding explicit runtime dependency on 'python-xml'. + * Sat May 09 00:21:39 PST 2020 Nick Samson - 40.2.0-5 - Added %%license line automatically diff --git a/SPECS/python2/CVE-2007-4559.nopatch b/SPECS/python2/CVE-2007-4559.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/python2/CVE-2017-18207.patch b/SPECS/python2/CVE-2017-18207.patch new file mode 100644 index 00000000000..9aa7f30b5fd --- /dev/null +++ b/SPECS/python2/CVE-2017-18207.patch 
@@ -0,0 +1,54 @@ +--- a/Lib/aifc.py ++++ b/Lib/aifc.py +@@ -465,6 +465,10 @@ + self._nframes = _read_long(chunk) + self._sampwidth = (_read_short(chunk) + 7) // 8 + self._framerate = int(_read_float(chunk)) ++ if self._sampwidth <= 0: ++ raise Error('bad sample width') ++ if self._nchannels <= 0: ++ raise Error('bad # of channels') + self._framesize = self._nchannels * self._sampwidth + if self._aifc: + #DEBUG: SGI's soundeditor produces a bad size :-( + +--- a/Lib/sunau.py ++++ b/Lib/sunau.py +@@ -194,6 +194,8 @@ + raise Error, 'unknown encoding' + self._framerate = int(_read_u32(file)) + self._nchannels = int(_read_u32(file)) ++ if not self._nchannels: ++ raise Error('bad # of channels') + self._framesize = self._framesize * self._nchannels + if self._hdr_size > 24: + self._info = file.read(self._hdr_size - 24) + +--- a/Lib/wave.py ++++ b/Lib/wave.py +@@ -266,12 +266,22 @@ + # + + def _read_fmt_chunk(self, chunk): +- wFormatTag, self._nchannels, self._framerate, dwAvgBytesPerSec, wBlockAlign = struct.unpack(' +Date: Mon, 19 Oct 2020 21:46:10 -0700 +Subject: [PATCH] bpo-41944: No longer call eval() on content received via HTTP + in the CJK codec tests (GH-22566) (GH-22579) + +(cherry picked from commit 2ef5caa58febc8968e670e39e3d37cf8eef3cab8) + +Co-authored-by: Serhiy Storchaka +--- + Lib/test/multibytecodec_support.py | 22 +++++++------------ + 1 file changed, 7 insertions(+), 15 deletions(-) + +diff --git a/Lib/test/multibytecodec_support.py b/Lib/test/multibytecodec_support.py +index f9884c68ebaa4..98feec2f60b19 100644 +--- a/Lib/test/multibytecodec_support.py ++++ b/Lib/test/multibytecodec_support.py +@@ -279,30 +279,22 @@ def test_mapping_file(self): + self._test_mapping_file_plain() + + def _test_mapping_file_plain(self): +- _unichr = lambda c: eval("u'\\U%08x'" % int(c, 16)) +- unichrs = lambda s: u''.join(_unichr(c) for c in s.split('+')) ++ def unichrs(s): ++ return u''.join(unichr(int(x, 16)) for x in s.split('+')) + urt_wa = {} + + with 
self.open_mapping_file() as f: + for line in f: + if not line: + break +- data = line.split('#')[0].strip().split() ++ data = line.split('#')[0].split() + if len(data) != 2: + continue + +- csetval = eval(data[0]) +- if csetval <= 0x7F: +- csetch = chr(csetval & 0xff) +- elif csetval >= 0x1000000: +- csetch = chr(csetval >> 24) + chr((csetval >> 16) & 0xff) + \ +- chr((csetval >> 8) & 0xff) + chr(csetval & 0xff) +- elif csetval >= 0x10000: +- csetch = chr(csetval >> 16) + \ +- chr((csetval >> 8) & 0xff) + chr(csetval & 0xff) +- elif csetval >= 0x100: +- csetch = chr(csetval >> 8) + chr(csetval & 0xff) +- else: ++ if data[0][:2] != '0x': ++ self.fail('Invalid line: %s' % repr(line)) ++ csetch = bytes.fromhex(data[0][2:]) ++ if len(csetch) == 1 and 0x80 <= csetch[0]: + continue + + unich = unichrs(data[1]) diff --git a/SPECS/python2/python2.spec b/SPECS/python2/python2.spec index 307d3a67dde..82371d8675e 100644 --- a/SPECS/python2/python2.spec +++ b/SPECS/python2/python2.spec @@ -3,7 +3,7 @@ Summary: A high-level scripting language Name: python2 Version: 2.7.18 -Release: 3%{?dist} +Release: 5%{?dist} License: PSF URL: http://www.python.org/ Group: System Environment/Programming 
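Review bot: `bytes.fromhex(data[0][2:])` in the new `_test_mapping_file_plain` body does not exist on Python 2.7, where `bytes` is `str` and only `bytearray` has `fromhex`. This backport (the spec comment says it was taken from 3.6) would therefore raise AttributeError as soon as a mapping line is parsed. The comparison `0x80 <= csetch[0]` also changes meaning, because indexing a 2.7 `str` yields a one-character string and an int always orders below a string there, so every single-byte entry would be skipped. A 2.7-safe form is `csetch = data[0][2:].decode('hex')` followed by `if len(csetch) == 1 and 0x80 <= ord(csetch):`. The test probably runs only when the mapping files can be fetched, which may be why a package build would not catch this.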
@@ -14,13 +14,23 @@ Patch0: cgi.patch Patch1: added-pyopenssl-ipaddress-certificate-validation.patch Patch2: python2-support-mariner-platform.patch Patch3: Replace-unsupported-TLS-methods.patch +Patch4: CVE-2019-20907.patch +Patch5: CVE-2020-26116.patch +Patch6: CVE-2017-18207.patch # Ignore CVE-2015-5652 because it only applies to Windows -Patch4: CVE-2015-5652.nopatch +Patch7: CVE-2015-5652.nopatch # Ignore CVE-2017-17522 as Upstream, Red Hat, Debian, and Ubuntu all agree it is not exploitable # and is not a security issue -Patch5: CVE-2017-17522.nopatch -# Ignore CVE-2013-1753 as it was patched in upstream 2.7.9, but NVD has not been updated with that fact -Patch6: CVE-2013-1753.nopatch +Patch8: CVE-2017-17522.nopatch +# Ignore CVE-2019-9674 since the community agreed it shouldn't be patched and upstream +# documentation is updated +Patch9: CVE-2019-9674.nopatch +# Ignore CVE-2007-4559 since upstream community agreed it shouldn't be patched +Patch10: CVE-2007-4559.nopatch +# Ignore CVE-2019-18348 since it is patched in Python 2.7 +Patch11: CVE-2019-18348.nopatch +# CVE-2020-27619 patch backported from 3.6 +Patch12: CVE-2020-27619.patch BuildRequires: pkg-config >= 0.28 BuildRequires: bzip2-devel BuildRequires: openssl-devel @@ -117,11 +127,7 @@ Requires: python2 = %{version}-%{release} The test package contains all regression tests for Python as well as the modules test.support and test.regrtest. test.support is used to enhance your tests while test.regrtest drives the testing suite. %prep -%setup -q -n Python-%{version} -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 +%autosetup -p1 -n Python-%{version} %build export OPT="${CFLAGS} %{openssl_flags}" 
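Review bot: The comment on Patch11, `# Ignore CVE-2019-18348 since it is patched in Python 2.7`, does not say which release carries the fix, so a later reader cannot check the claim against the packaged 2.7.18. The removed CVE-2013-1753 comment named its release (2.7.9), and the new one should too, e.g. `# Ignore CVE-2019-18348: fixed upstream in <2.7.x release>, already contained in 2.7.18`. The CVE-2007-4559 and CVE-2019-9674 comments say upstream declined a fix but not that the behaviour is still present. Something like `# CVE-2007-4559 not patched upstream: tarfile extraction does not sanitise member paths, callers must validate untrusted archives` keeps the residual risk visible to whoever audits this list.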
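Review bot: `%autosetup -p1` applies every declared PatchN, which now includes the five `.nopatch` markers (Patch7 to Patch11), whereas the removed `%patch0` to `%patch3` lines applied only real patches. That works as long as each marker is an empty file, as the CVE-2007-4559.nopatch added in this commit is (blob e69de29bb2d). The contents of the other four are not visible here, and a marker holding only a comment line would presumably make patch fail in %prep. A comment above the list would make the constraint explicit: `# .nopatch markers are fed to patch by %%autosetup and must stay empty`.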
@@ -241,6 +247,19 @@ make test %{_libdir}/python2.7/test/* %changelog +* Tue Nov 03 2020 Thomas Crain - 2.7.18-5 +- Patch CVE-2020-27619 + +* Thu Oct 22 2020 Nicolas Ontiveros - 2.7.18-4 +- Use autosetup +- Remove CVE-2013-1753 no patch +- Ignore CVE-2019-9674 +- Fix CVE-2019-20907 +- Fix CVE-2020-26116 +- Ignore CVE-2007-4559 +- Fix CVE-2017-18207 +- Ignore CVE-2019-18348 + * Thu Sep 10 2020 Thomas Crain - 2.7.18-3 - Ignore CVE-2017-17522 because it is widely agreed upon to not be a security vulnerability - Ignore CVE-2013-1753 because NVD erroneously lists this version as being vulnerable diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec index 5c1533fe822..eb8d10504e5 100644 --- a/SPECS/python3/python3.spec +++ b/SPECS/python3/python3.spec @@ -2,7 +2,7 @@ Summary: A high-level scripting language Name: python3 Version: 3.7.9 -Release: 2%{?dist} +Release: 3%{?dist} License: PSF Vendor: Microsoft Corporation Distribution: Mariner @@ -119,6 +119,7 @@ The PyPA recommended tool for installing Python packages. %package setuptools Summary: Download, build, install, upgrade, and uninstall Python packages. Group: Development/Tools +Requires: python3-xml Requires: python3 = %{version}-%{release} BuildArch: noarch @@ -263,6 +264,9 @@ rm -rf %{buildroot}/* %{_libdir}/python3.7/test/* %changelog +* Mon Nov 16 2020 Pawel Winogrodzki - 3.7.9-3 +- Adding explicit runtime dependency on 'python3-xml' for the 'python3-setuptool' subpackage. + * Fri Nov 06 2020 Thomas Crain - 3.7.9-2 - Patch CVE-2020-27619 diff --git a/SPECS/qemu-kvm/CVE-2015-7504.nopatch b/SPECS/qemu-kvm/CVE-2015-7504.nopatch deleted file mode 100644 index a4242bf6b56..00000000000 --- a/SPECS/qemu-kvm/CVE-2015-7504.nopatch +++ /dev/null @@ -1 +0,0 @@ -# CVE-2015-7504 was fixed in 2.5.0, but the CVE database was not updated. (837f21aacf5a714c23ddaadbbc5212f9b661e3f7) \ No newline at end of file 
diff --git a/SPECS/qemu-kvm/CVE-2016-7161.nopatch b/SPECS/qemu-kvm/CVE-2016-7161.nopatch
deleted file mode 100644
index b9e0ecbbc28..00000000000
--- a/SPECS/qemu-kvm/CVE-2016-7161.nopatch
+++ /dev/null
@@ -1 +0,0 @@
-# CVE-2016-7161 was fixed in 2.7.0, but the CVE database was not updated. (a0d1cbdacff5df4ded16b753b38fdd9da6092968)
\ No newline at end of file
diff --git a/SPECS/qemu-kvm/CVE-2017-14167.nopatch b/SPECS/qemu-kvm/CVE-2017-14167.nopatch
deleted file mode 100644
index 68d9f5ae58f..00000000000
--- a/SPECS/qemu-kvm/CVE-2017-14167.nopatch
+++ /dev/null
@@ -1 +0,0 @@
-# CVE-2017-14167 was fixed in 2.11.0, but the CVE database was not updated. (ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb)
\ No newline at end of file
diff --git a/SPECS/qemu-kvm/CVE-2017-5931.nopatch b/SPECS/qemu-kvm/CVE-2017-5931.nopatch
deleted file mode 100644
index f705f04ae37..00000000000
--- a/SPECS/qemu-kvm/CVE-2017-5931.nopatch
+++ /dev/null
@@ -1 +0,0 @@
-# CVE-2017-5931 was fixed in 2.9.0, but the CVE database was not updated. (a08aaff811fb194950f79711d2afe5a892ae03a4)
\ No newline at end of file
diff --git a/SPECS/qemu-kvm/CVE-2018-12617.patch b/SPECS/qemu-kvm/CVE-2018-12617.patch
new file mode 100644
index 00000000000..ca0d3a3e4e4
--- /dev/null
+++ b/SPECS/qemu-kvm/CVE-2018-12617.patch
@@ -0,0 +1,386 @@ +From a528fc1f446cdfb2ff648d1c0bfa0348e36cdfe2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Tue, 14 Apr 2020 15:30:42 +0200 +Subject: [PATCH 1/3] qga: Extract guest_file_handle_find() to + commands-common.h +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +As we are going to reuse this method, declare it in common +header. + +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Michael Roth + +Backported upstream commit 5d3586b834633c8ac462d4741b85b4036cbc0f93 +--- + qga/commands-common.h | 18 ++++++++++++++++++ + qga/commands-posix.c | 7 ++++--- + qga/commands-win32.c | 7 ++++--- + 3 files changed, 26 insertions(+), 6 deletions(-) + create mode 100644 qga/commands-common.h + +diff --git a/qga/commands-common.h b/qga/commands-common.h +new file mode 100644 +index 00000000..af90e548 +--- /dev/null ++++ b/qga/commands-common.h +@@ -0,0 +1,18 @@ ++/* ++ * QEMU Guest Agent common/cross-platform common commands ++ * ++ * Copyright (c) 2020 Red Hat, Inc. ++ * ++ * This work is licensed under the terms of the GNU GPL, version 2 or later. ++ * See the COPYING file in the top-level directory. 
++ */ ++#ifndef QGA_COMMANDS_COMMON_H ++#define QGA_COMMANDS_COMMON_H ++ ++#include "qga-qapi-types.h" ++ ++typedef struct GuestFileHandle GuestFileHandle; ++ ++GuestFileHandle *guest_file_handle_find(int64_t id, Error **errp); ++ ++#endif +diff --git a/qga/commands-posix.c b/qga/commands-posix.c +index 1c1a165d..6aa68033 100644 +--- a/qga/commands-posix.c ++++ b/qga/commands-posix.c +@@ -26,6 +26,7 @@ + #include "qemu/sockets.h" + #include "qemu/base64.h" + #include "qemu/cutils.h" ++#include "commands-common.h" + + #ifdef HAVE_UTMPX + #include +@@ -226,12 +227,12 @@ typedef enum { + RW_STATE_WRITING, + } RwState; + +-typedef struct GuestFileHandle { ++struct GuestFileHandle { + uint64_t id; + FILE *fh; + RwState state; + QTAILQ_ENTRY(GuestFileHandle) next; +-} GuestFileHandle; ++}; + + static struct { + QTAILQ_HEAD(, GuestFileHandle) filehandles; +@@ -257,7 +258,7 @@ static int64_t guest_file_handle_add(FILE *fh, Error **errp) + return handle; + } + +-static GuestFileHandle *guest_file_handle_find(int64_t id, Error **errp) ++GuestFileHandle *guest_file_handle_find(int64_t id, Error **errp) + { + GuestFileHandle *gfh; + +diff --git a/qga/commands-win32.c b/qga/commands-win32.c +index 55ba5b26..b0f90e34 100644 +--- a/qga/commands-win32.c ++++ b/qga/commands-win32.c +@@ -37,6 +37,7 @@ + #include "qemu/queue.h" + #include "qemu/host-utils.h" + #include "qemu/base64.h" ++#include "commands-common.h" + + #ifndef SHTDN_REASON_FLAG_PLANNED + #define SHTDN_REASON_FLAG_PLANNED 0x80000000 +@@ -50,11 +51,11 @@ + + #define INVALID_SET_FILE_POINTER ((DWORD)-1) + +-typedef struct GuestFileHandle { ++struct GuestFileHandle { + int64_t id; + HANDLE fh; + QTAILQ_ENTRY(GuestFileHandle) next; +-} GuestFileHandle; ++}; + + static struct { + QTAILQ_HEAD(, GuestFileHandle) filehandles; +@@ -126,7 +127,7 @@ static int64_t guest_file_handle_add(HANDLE fh, Error **errp) + return handle; + } + +-static GuestFileHandle *guest_file_handle_find(int64_t id, Error **errp) ++GuestFileHandle 
*guest_file_handle_find(int64_t id, Error **errp) + { + GuestFileHandle *gfh; + QTAILQ_FOREACH(gfh, &guest_file_state.filehandles, next) { +-- +2.17.1 + + +From 352427fe776b7925c481fd1febbf9c95ae4f7c50 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Tue, 14 Apr 2020 15:30:43 +0200 +Subject: [PATCH 2/3] qga: Extract qmp_guest_file_read() to common commands.c +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Extract the common code shared by both POSIX/Win32 implementations. + +Signed-off-by: Philippe Mathieu-Daudé +Signed-off-by: Michael Roth + +Backported upstream commit ead83a136d54f7faa315922aff26fa11d216909f +Modified to apply to Mariner 4.2.0 by: Daniel McIlvaney +--- + qga/commands-common.h | 3 +++ + qga/commands-posix.c | 22 +++------------------- + qga/commands-win32.c | 20 +++----------------- + qga/commands.c | 26 ++++++++++++++++++++++++++ + 4 files changed, 35 insertions(+), 36 deletions(-) + +diff --git a/qga/commands-common.h b/qga/commands-common.h +index af90e548..90785ed4 100644 +--- a/qga/commands-common.h ++++ b/qga/commands-common.h +@@ -15,4 +15,7 @@ typedef struct GuestFileHandle GuestFileHandle; + + GuestFileHandle *guest_file_handle_find(int64_t id, Error **errp); + ++GuestFileRead *guest_file_read_unsafe(GuestFileHandle *gfh, ++ int64_t count, Error **errp); ++ + #endif +diff --git a/qga/commands-posix.c b/qga/commands-posix.c +index 6aa68033..c443da08 100644 +--- a/qga/commands-posix.c ++++ b/qga/commands-posix.c +@@ -450,29 +450,14 @@ void qmp_guest_file_close(int64_t handle, Error **errp) + g_free(gfh); + } + +-struct GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count, +- int64_t count, Error **errp) ++GuestFileRead *guest_file_read_unsafe(GuestFileHandle *gfh, ++ int64_t count, Error **errp) + { +- GuestFileHandle *gfh = guest_file_handle_find(handle, errp); + GuestFileRead *read_data = NULL; + guchar *buf; +- FILE *fh; ++ FILE *fh = gfh->fh; + 
size_t read_count; + +- if (!gfh) { +- return NULL; +- } +- +- if (!has_count) { +- count = QGA_READ_COUNT_DEFAULT; +- } else if (count < 0 || count >= UINT32_MAX) { +- error_setg(errp, "value '%" PRId64 "' is invalid for argument count", +- count); +- return NULL; +- } +- +- fh = gfh->fh; +- + /* explicitly flush when switching from writing to reading */ + if (gfh->state == RW_STATE_WRITING) { + int ret = fflush(fh); +@@ -487,7 +472,6 @@ struct GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count, + read_count = fread(buf, 1, count, fh); + if (ferror(fh)) { + error_setg_errno(errp, errno, "failed to read file"); +- slog("guest-file-read failed, handle: %" PRId64, handle); + } else { + buf[read_count] = 0; + read_data = g_new0(GuestFileRead, 1); +diff --git a/qga/commands-win32.c b/qga/commands-win32.c +index b0f90e34..42c3b639 100644 +--- a/qga/commands-win32.c ++++ b/qga/commands-win32.c +@@ -321,33 +321,19 @@ void qmp_guest_shutdown(bool has_mode, const char *mode, Error **errp) + } + } + +-GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count, +- int64_t count, Error **errp) ++GuestFileRead *guest_file_read_unsafe(GuestFileHandle *gfh, ++ int64_t count, Error **errp) + { + GuestFileRead *read_data = NULL; + guchar *buf; +- HANDLE fh; ++ HANDLE fh = gfh->fh; + bool is_ok; + DWORD read_count; +- GuestFileHandle *gfh = guest_file_handle_find(handle, errp); +- +- if (!gfh) { +- return NULL; +- } +- if (!has_count) { +- count = QGA_READ_COUNT_DEFAULT; +- } else if (count < 0 || count >= UINT32_MAX) { +- error_setg(errp, "value '%" PRId64 +- "' is invalid for argument count", count); +- return NULL; +- } + +- fh = gfh->fh; + buf = g_malloc0(count+1); + is_ok = ReadFile(fh, buf, count, &read_count, NULL); + if (!is_ok) { + error_setg_win32(errp, GetLastError(), "failed to read file"); +- slog("guest-file-read failed, handle %" PRId64, handle); + } else { + buf[read_count] = 0; + read_data = g_new0(GuestFileRead, 1); +diff --git 
a/qga/commands.c b/qga/commands.c +index 0c7d1385..73bf92ea 100644 +--- a/qga/commands.c ++++ b/qga/commands.c +@@ -18,6 +18,7 @@ + #include "qemu/base64.h" + #include "qemu/cutils.h" + #include "qemu/atomic.h" ++#include "commands-common.h" + + /* Maximum captured guest-exec out_data/err_data - 16MB */ + #define GUEST_EXEC_MAX_OUTPUT (16*1024*1024) +@@ -542,3 +543,28 @@ error: + g_free(info); + return NULL; + } ++ ++GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count, ++ int64_t count, Error **errp) ++{ ++ GuestFileHandle *gfh = guest_file_handle_find(handle, errp); ++ GuestFileRead *read_data; ++ ++ if (!gfh) { ++ return NULL; ++ } ++ if (!has_count) { ++ count = QGA_READ_COUNT_DEFAULT; ++ } else if (count < 0 || count >= UINT32_MAX) { ++ error_setg(errp, "value '%" PRId64 "' is invalid for argument count", ++ count); ++ return NULL; ++ } ++ ++ read_data = guest_file_read_unsafe(gfh, count, errp); ++ if (!read_data) { ++ slog("guest-file-write failed, handle: %" PRId64, handle); ++ } ++ ++ return read_data; ++} +-- +2.17.1 + + +From 7b645bdf29f4fe0367956906b9f15b268c4cf574 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Tue, 14 Apr 2020 15:30:44 +0200 +Subject: [PATCH 3/3] qga: Restrict guest-file-read count to 48 MB to avoid + crashes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +On [*] Daniel Berrangé commented: + + The QEMU guest agent protocol is not sensible way to access huge + files inside the guest. It requires the inefficient process of + reading the entire data into memory than duplicating it again in + base64 format, and then copying it again in the JSON serializer / + monitor code. + + For arbitrary general purpose file access, especially for large + files, use a real file transfer program or use a network block + device, not the QEMU guest agent. 
+ +To avoid bug reports as BZ#1594054 (CVE-2018-12617), follow his +suggestion to put a low, hard limit on "count" in the guest agent +QAPI schema, and don't allow count to be larger than 48 MB. + +[*] https://www.mail-archive.com/qemu-devel@nongnu.org/msg693176.html + +Fixes: CVE-2018-12617 +Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1594054 +Reported-by: Fakhri Zulkifli +Suggested-by: Daniel P. Berrangé +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Daniel P. Berrangé +*update schema documentation to indicate 48MB limit instead of 10MB +Signed-off-by: Michael Roth + +Backported upstream commit 1329651fb4d4c5068ad12fd86aff7e52f9e18c34 +--- + qga/commands.c | 9 ++++++++- + qga/qapi-schema.json | 6 ++++-- + 2 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/qga/commands.c b/qga/commands.c +index 73bf92ea..d840c3e1 100644 +--- a/qga/commands.c ++++ b/qga/commands.c +@@ -11,6 +11,7 @@ + */ + + #include "qemu/osdep.h" ++#include "qemu/units.h" + #include "guest-agent-core.h" + #include "qga-qapi-commands.h" + #include "qapi/error.h" +@@ -24,6 +25,12 @@ + #define GUEST_EXEC_MAX_OUTPUT (16*1024*1024) + /* Allocation and I/O buffer for reading guest-exec out_data/err_data - 4KB */ + #define GUEST_EXEC_IO_SIZE (4*1024) ++/* ++ * Maximum file size to read - 48MB ++ * ++ * (48MB + Base64 3:4 overhead = JSON parser 64 MB limit) ++ */ ++#define GUEST_FILE_READ_COUNT_MAX (48 * MiB) + + /* Note: in some situations, like with the fsfreeze, logging may be + * temporarilly disabled. 
if it is necessary that a command be able +@@ -555,7 +562,7 @@ GuestFileRead *qmp_guest_file_read(int64_t handle, bool has_count, + } + if (!has_count) { + count = QGA_READ_COUNT_DEFAULT; +- } else if (count < 0 || count >= UINT32_MAX) { ++ } else if (count < 0 || count > GUEST_FILE_READ_COUNT_MAX) { + error_setg(errp, "value '%" PRId64 "' is invalid for argument count", + count); + return NULL; +diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json +index fb4605cc..e4cecda6 100644 +--- a/qga/qapi-schema.json ++++ b/qga/qapi-schema.json +@@ -266,11 +266,13 @@ + ## + # @guest-file-read: + # +-# Read from an open file in the guest. Data will be base64-encoded ++# Read from an open file in the guest. Data will be base64-encoded. ++# As this command is just for limited, ad-hoc debugging, such as log ++# file access, the number of bytes to read is limited to 48 MB. + # + # @handle: filehandle returned by guest-file-open + # +-# @count: maximum number of bytes to read (default is 4KB) ++# @count: maximum number of bytes to read (default is 4KB, maximum is 48MB) + # + # Returns: @GuestFileRead on success. + # +-- +2.17.1 + diff --git a/SPECS/qemu-kvm/CVE-2018-19665.patch b/SPECS/qemu-kvm/CVE-2018-19665.patch new file mode 100644 index 00000000000..491061cbfdb --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2018-19665.patch 
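Review bot: The failure path of the new `qmp_guest_file_read()` in qga/commands.c (patch 2/3) logs `guest-file-write failed`, although the POSIX and Win32 code it replaces logged `guest-file-read failed`. Anyone triaging guest-agent logs would attribute a failed read to the write command. The line should read `slog("guest-file-read failed, handle: %" PRId64, handle);`. Separately, `guest_file_read_unsafe()` relies on its caller to bound `count` before `g_malloc0(count+1)`, which the name hints at but the declaration in commands-common.h does not state. A one-line comment there, such as `/* count must already be range-checked by the caller */`, would make that contract explicit.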
@@ -0,0 +1,804 @@ +From: Prasad J Pandit + +The length parameter values are not negative, thus use an unsigned +type 'size_t' for them. Many routines pass 'len' values to memcpy(3) +calls. If it was negative, it could lead to memory corruption issues. +Add check to avoid it. + +Reported-by: Arash TC +Signed-off-by: Prasad J Pandit +--- + bt-host.c | 8 +++--- + bt-vhci.c | 7 +++--- + hw/bt/core.c | 2 +- + hw/bt/hci-csr.c | 32 ++++++++++++------------ + hw/bt/hci.c | 38 ++++++++++++++-------------- + hw/bt/hid.c | 10 ++++---- + hw/bt/l2cap.c | 56 ++++++++++++++++++++++-------------------- + hw/bt/sdp.c | 6 ++--- + hw/usb/dev-bluetooth.c | 12 ++++----- + include/hw/bt.h | 8 +++--- + include/sysemu/bt.h | 10 ++++---- + 11 files changed, 96 insertions(+), 93 deletions(-) + +Update v2: modify assert calls + -> https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg01036.html + +diff --git a/bt-host.c b/bt-host.c +index 2f8f631c25..b73a44d07d 100644 +--- a/bt-host.c ++++ b/bt-host.c +@@ -43,7 +43,7 @@ struct bt_host_hci_s { + }; + + static void bt_host_send(struct HCIInfo *hci, +- int type, const uint8_t *data, int len) ++ int type, const uint8_t *data, size_t len) + { + struct bt_host_hci_s *s = (struct bt_host_hci_s *) hci; + uint8_t pkt = type; +@@ -63,17 +63,17 @@ static void bt_host_send(struct HCIInfo *hci, + } + } + +-static void bt_host_cmd(struct HCIInfo *hci, const uint8_t *data, int len) ++static void bt_host_cmd(struct HCIInfo *hci, const uint8_t *data, size_t len) + { + bt_host_send(hci, HCI_COMMAND_PKT, data, len); + } + +-static void bt_host_acl(struct HCIInfo *hci, const uint8_t *data, int len) ++static void bt_host_acl(struct HCIInfo *hci, const uint8_t *data, size_t len) + { + bt_host_send(hci, HCI_ACLDATA_PKT, data, len); + } + +-static void bt_host_sco(struct HCIInfo *hci, const uint8_t *data, int len) ++static void bt_host_sco(struct HCIInfo *hci, const uint8_t *data, size_t len) + { + bt_host_send(hci, HCI_SCODATA_PKT, data, len); + } +diff --git 
a/bt-vhci.c b/bt-vhci.c +index 9d277c32bf..765773188d 100644 +--- a/bt-vhci.c ++++ b/bt-vhci.c +@@ -90,7 +90,7 @@ static void vhci_read(void *opaque) + } + + static void vhci_host_send(void *opaque, +- int type, const uint8_t *data, int len) ++ int type, const uint8_t *data, size_t len) + { + struct bt_vhci_s *s = (struct bt_vhci_s *) opaque; + #if 0 +@@ -113,6 +113,7 @@ static void vhci_host_send(void *opaque, + static uint8_t buf[4096]; + + buf[0] = type; ++ assert(len < sizeof(buf)); + memcpy(buf + 1, data, len); + + while (write(s->fd, buf, len + 1) < 0) +@@ -125,13 +126,13 @@ static void vhci_host_send(void *opaque, + } + + static void vhci_out_hci_packet_event(void *opaque, +- const uint8_t *data, int len) ++ const uint8_t *data, size_t len) + { + vhci_host_send(opaque, HCI_EVENT_PKT, data, len); + } + + static void vhci_out_hci_packet_acl(void *opaque, +- const uint8_t *data, int len) ++ const uint8_t *data, size_t len) + { + vhci_host_send(opaque, HCI_ACLDATA_PKT, data, len); + } +diff --git a/hw/bt/core.c b/hw/bt/core.c +index 78370e64f5..62720d1663 100644 +--- a/hw/bt/core.c ++++ b/hw/bt/core.c +@@ -45,7 +45,7 @@ static void bt_dummy_lmp_disconnect_master(struct bt_link_s *link) + } + + static void bt_dummy_lmp_acl_resp(struct bt_link_s *link, +- const uint8_t *data, int start, int len) ++ const uint8_t *data, int start, size_t len) + { + error_report("%s: stray ACL response PDU, fixme", __func__); + exit(-1); +diff --git a/hw/bt/hci-csr.c b/hw/bt/hci-csr.c +index 0341ded50c..26bd516d31 100644 +--- a/hw/bt/hci-csr.c ++++ b/hw/bt/hci-csr.c +@@ -103,7 +103,7 @@ static inline void csrhci_fifo_wake(struct csrhci_s *s) + } + + #define csrhci_out_packetz(s, len) memset(csrhci_out_packet(s, len), 0, len) +-static uint8_t *csrhci_out_packet(struct csrhci_s *s, int len) ++static uint8_t *csrhci_out_packet(struct csrhci_s *s, size_t len) + { + int off = s->out_start + s->out_len; + +@@ -112,14 +112,14 @@ static uint8_t *csrhci_out_packet(struct csrhci_s *s, int 
len) + + if (off < FIFO_LEN) { + if (off + len > FIFO_LEN && (s->out_size = off + len) > FIFO_LEN * 2) { +- error_report("%s: can't alloc %i bytes", __func__, len); ++ error_report("%s: can't alloc %zu bytes", __func__, len); + exit(-1); + } + return s->outfifo + off; + } + + if (s->out_len > s->out_size) { +- error_report("%s: can't alloc %i bytes", __func__, len); ++ error_report("%s: can't alloc %zu bytes", __func__, len); + exit(-1); + } + +@@ -127,7 +127,7 @@ static uint8_t *csrhci_out_packet(struct csrhci_s *s, int len) + } + + static inline uint8_t *csrhci_out_packet_csr(struct csrhci_s *s, +- int type, int len) ++ int type, size_t len) + { + uint8_t *ret = csrhci_out_packetz(s, len + 2); + +@@ -138,7 +138,7 @@ static inline uint8_t *csrhci_out_packet_csr(struct csrhci_s *s, + } + + static inline uint8_t *csrhci_out_packet_event(struct csrhci_s *s, +- int evt, int len) ++ int evt, size_t len) + { + uint8_t *ret = csrhci_out_packetz(s, + len + 1 + sizeof(struct hci_event_hdr)); +@@ -151,7 +151,7 @@ static inline uint8_t *csrhci_out_packet_event(struct csrhci_s *s, + } + + static void csrhci_in_packet_vendor(struct csrhci_s *s, int ocf, +- uint8_t *data, int len) ++ uint8_t *data, size_t len) + { + int offset; + uint8_t *rpkt; +@@ -320,18 +320,18 @@ static int csrhci_write(struct Chardev *chr, + struct csrhci_s *s = (struct csrhci_s *)chr; + int total = 0; + +- if (!s->enable) ++ if (!s->enable || len <= 0) + return 0; + + for (;;) { + int cnt = MIN(len, s->in_needed - s->in_len); +- if (cnt) { +- memcpy(s->inpkt + s->in_len, buf, cnt); +- s->in_len += cnt; +- buf += cnt; +- len -= cnt; +- total += cnt; +- } ++ assert(cnt > 0); ++ ++ memcpy(s->inpkt + s->in_len, buf, cnt); ++ s->in_len += cnt; ++ buf += cnt; ++ len -= cnt; ++ total += cnt; + + if (s->in_len < s->in_needed) { + break; +@@ -363,7 +363,7 @@ static int csrhci_write(struct Chardev *chr, + } + + static void csrhci_out_hci_packet_event(void *opaque, +- const uint8_t *data, int len) ++ const uint8_t 
*data, size_t len) + { + struct csrhci_s *s = (struct csrhci_s *) opaque; + uint8_t *pkt = csrhci_out_packet(s, (len + 2) & ~1); /* Align */ +@@ -375,7 +375,7 @@ static void csrhci_out_hci_packet_event(void *opaque, + } + + static void csrhci_out_hci_packet_acl(void *opaque, +- const uint8_t *data, int len) ++ const uint8_t *data, size_t len) + { + struct csrhci_s *s = (struct csrhci_s *) opaque; + uint8_t *pkt = csrhci_out_packet(s, (len + 2) & ~1); /* Align */ +diff --git a/hw/bt/hci.c b/hw/bt/hci.c +index c6b2cc1d48..c59ccc55b9 100644 +--- a/hw/bt/hci.c ++++ b/hw/bt/hci.c +@@ -32,7 +32,7 @@ + + struct bt_hci_s { + uint8_t *(*evt_packet)(void *opaque); +- void (*evt_submit)(void *opaque, int len); ++ void (*evt_submit)(void *opaque, size_t len); + void *opaque; + uint8_t evt_buf[256]; + +@@ -62,7 +62,7 @@ struct bt_hci_s { + struct bt_hci_master_link_s { + struct bt_link_s *link; + void (*lmp_acl_data)(struct bt_link_s *link, +- const uint8_t *data, int start, int len); ++ const uint8_t *data, int start, size_t len); + QEMUTimer *acl_mode_timer; + } handle[HCI_HANDLES_MAX]; + uint32_t role_bmp; +@@ -434,7 +434,7 @@ static const uint8_t bt_event_reserved_mask[8] = { + }; + + +-static void null_hci_send(struct HCIInfo *hci, const uint8_t *data, int len) ++static void null_hci_send(struct HCIInfo *hci, const uint8_t *data, size_t len) + { + } + +@@ -452,13 +452,13 @@ struct HCIInfo null_hci = { + + + static inline uint8_t *bt_hci_event_start(struct bt_hci_s *hci, +- int evt, int len) ++ int evt, size_t len) + { + uint8_t *packet, mask; + int mask_byte; + + if (len > 255) { +- error_report("%s: HCI event params too long (%ib)", __func__, len); ++ error_report("%s: HCI event params too long (%zub)", __func__, len); + exit(-1); + } + +@@ -475,7 +475,7 @@ static inline uint8_t *bt_hci_event_start(struct bt_hci_s *hci, + } + + static inline void bt_hci_event(struct bt_hci_s *hci, int evt, +- void *params, int len) ++ void *params, size_t len) + { + uint8_t *packet = 
bt_hci_event_start(hci, evt, len); + +@@ -500,7 +500,7 @@ static inline void bt_hci_event_status(struct bt_hci_s *hci, int status) + } + + static inline void bt_hci_event_complete(struct bt_hci_s *hci, +- void *ret, int len) ++ void *ret, size_t len) + { + uint8_t *packet = bt_hci_event_start(hci, EVT_CMD_COMPLETE, + len + EVT_CMD_COMPLETE_SIZE); +@@ -1477,7 +1477,7 @@ static inline void bt_hci_event_num_comp_pkts(struct bt_hci_s *hci, + } + + static void bt_submit_hci(struct HCIInfo *info, +- const uint8_t *data, int length) ++ const uint8_t *data, size_t length) + { + struct bt_hci_s *hci = hci_from_info(info); + uint16_t cmd; +@@ -1971,7 +1971,7 @@ static void bt_submit_hci(struct HCIInfo *info, + break; + + short_hci: +- error_report("%s: HCI packet too short (%iB)", __func__, length); ++ error_report("%s: HCI packet too short (%zuB)", __func__, length); + bt_hci_event_status(hci, HCI_INVALID_PARAMETERS); + break; + } +@@ -1982,7 +1982,7 @@ static void bt_submit_hci(struct HCIInfo *info, + * know that a packet contained the last fragment of the SDU when the next + * SDU starts. 
*/ + static inline void bt_hci_lmp_acl_data(struct bt_hci_s *hci, uint16_t handle, +- const uint8_t *data, int start, int len) ++ const uint8_t *data, int start, size_t len) + { + struct hci_acl_hdr *pkt = (void *) hci->acl_buf; + +@@ -1990,7 +1990,7 @@ static inline void bt_hci_lmp_acl_data(struct bt_hci_s *hci, uint16_t handle, + /* TODO: avoid memcpy'ing */ + + if (len + HCI_ACL_HDR_SIZE > sizeof(hci->acl_buf)) { +- error_report("%s: can't take ACL packets %i bytes long", ++ error_report("%s: can't take ACL packets %zu bytes long", + __func__, len); + return; + } +@@ -2004,7 +2004,7 @@ static inline void bt_hci_lmp_acl_data(struct bt_hci_s *hci, uint16_t handle, + } + + static void bt_hci_lmp_acl_data_slave(struct bt_link_s *btlink, +- const uint8_t *data, int start, int len) ++ const uint8_t *data, int start, size_t len) + { + struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink; + +@@ -2013,14 +2013,14 @@ static void bt_hci_lmp_acl_data_slave(struct bt_link_s *btlink, + } + + static void bt_hci_lmp_acl_data_host(struct bt_link_s *link, +- const uint8_t *data, int start, int len) ++ const uint8_t *data, int start, size_t len) + { + bt_hci_lmp_acl_data(hci_from_device(link->host), + link->handle, data, start, len); + } + + static void bt_submit_acl(struct HCIInfo *info, +- const uint8_t *data, int length) ++ const uint8_t *data, size_t length) + { + struct bt_hci_s *hci = hci_from_info(info); + uint16_t handle; +@@ -2028,7 +2028,7 @@ static void bt_submit_acl(struct HCIInfo *info, + struct bt_link_s *link; + + if (length < HCI_ACL_HDR_SIZE) { +- error_report("%s: ACL packet too short (%iB)", __func__, length); ++ error_report("%s: ACL packet too short (%zuB)", __func__, length); + return; + } + +@@ -2046,7 +2046,7 @@ static void bt_submit_acl(struct HCIInfo *info, + handle &= ~HCI_HANDLE_OFFSET; + + if (datalen > length) { +- error_report("%s: ACL packet too short (%iB < %iB)", ++ error_report("%s: ACL packet too short (%zuB < %iB)", + __func__, length, 
datalen); + return; + } +@@ -2088,7 +2088,7 @@ static void bt_submit_acl(struct HCIInfo *info, + } + + static void bt_submit_sco(struct HCIInfo *info, +- const uint8_t *data, int length) ++ const uint8_t *data, size_t length) + { + struct bt_hci_s *hci = hci_from_info(info); + uint16_t handle; +@@ -2107,7 +2107,7 @@ static void bt_submit_sco(struct HCIInfo *info, + } + + if (datalen > length) { +- error_report("%s: SCO packet too short (%iB < %iB)", ++ error_report("%s: SCO packet too short (%zuB < %iB)", + __func__, length, datalen); + return; + } +@@ -2128,7 +2128,7 @@ static uint8_t *bt_hci_evt_packet(void *opaque) + return s->evt_buf; + } + +-static void bt_hci_evt_submit(void *opaque, int len) ++static void bt_hci_evt_submit(void *opaque, size_t len) + { + /* TODO: notify upper layer */ + struct bt_hci_s *s = opaque; +diff --git a/hw/bt/hid.c b/hw/bt/hid.c +index 056291f9b5..c5ecc8bdcd 100644 +--- a/hw/bt/hid.c ++++ b/hw/bt/hid.c +@@ -96,7 +96,7 @@ struct bt_hid_device_s { + int data_type; + int intr_state; + struct { +- int len; ++ size_t len; + uint8_t buffer[1024]; + } dataother, datain, dataout, feature, intrdataout; + enum { +@@ -169,7 +169,7 @@ static void bt_hid_disconnect(struct bt_hid_device_s *s) + } + + static void bt_hid_send_data(struct bt_l2cap_conn_params_s *ch, int type, +- const uint8_t *data, int len) ++ const uint8_t *data, size_t len) + { + uint8_t *pkt, hdr = (BT_DATA << 4) | type; + int plen; +@@ -190,7 +190,7 @@ static void bt_hid_send_data(struct bt_l2cap_conn_params_s *ch, int type, + } + + static void bt_hid_control_transaction(struct bt_hid_device_s *s, +- const uint8_t *data, int len) ++ const uint8_t *data, size_t len) + { + uint8_t type, parameter; + int rlen, ret = -1; +@@ -362,7 +362,7 @@ static void bt_hid_control_transaction(struct bt_hid_device_s *s, + bt_hid_send_handshake(s, ret); + } + +-static void bt_hid_control_sdu(void *opaque, const uint8_t *data, int len) ++static void bt_hid_control_sdu(void *opaque, const uint8_t 
*data, size_t len) + { + struct bt_hid_device_s *hid = opaque; + +@@ -388,7 +388,7 @@ static void bt_hid_datain(HIDState *hs) + hid->datain.buffer, hid->datain.len); + } + +-static void bt_hid_interrupt_sdu(void *opaque, const uint8_t *data, int len) ++static void bt_hid_interrupt_sdu(void *opaque, const uint8_t *data, size_t len) + { + struct bt_hid_device_s *hid = opaque; + +diff --git a/hw/bt/l2cap.c b/hw/bt/l2cap.c +index 9cf27f0df6..efd9a4b66a 100644 +--- a/hw/bt/l2cap.c ++++ b/hw/bt/l2cap.c +@@ -32,10 +32,10 @@ struct l2cap_instance_s { + int role; + + uint8_t frame_in[65535 + L2CAP_HDR_SIZE] __attribute__ ((aligned (4))); +- int frame_in_len; ++ uint32_t frame_in_len; + + uint8_t frame_out[65535 + L2CAP_HDR_SIZE] __attribute__ ((aligned (4))); +- int frame_out_len; ++ uint32_t frame_out_len; + + /* Signalling channel timers. They exist per-request but we can make + * sure we have no more than one outstanding request at any time. */ +@@ -49,7 +49,7 @@ struct l2cap_instance_s { + struct bt_l2cap_conn_params_s params; + + void (*frame_in)(struct l2cap_chan_s *chan, uint16_t cid, +- const l2cap_hdr *hdr, int len); ++ const l2cap_hdr *hdr, size_t len); + int mps; + int min_mtu; + +@@ -68,7 +68,7 @@ struct l2cap_instance_s { + + /* Only flow-controlled, connection-oriented channels */ + uint8_t sdu[65536]; /* TODO: dynamically allocate */ +- int len_cur, len_total; ++ uint32_t len_cur, len_total; + int rexmit; + int monitor_timeout; + QEMUTimer *monitor_timer; +@@ -140,7 +140,7 @@ static const uint16_t l2cap_fcs16_table[256] = { + 0x8201, 0x42c0, 0x4380, 0x8341, 0x4100, 0x81c1, 0x8081, 0x4040, + }; + +-static uint16_t l2cap_fcs16(const uint8_t *message, int len) ++static uint16_t l2cap_fcs16(const uint8_t *message, size_t len) + { + uint16_t fcs = 0x0000; + +@@ -186,7 +186,7 @@ static void l2cap_monitor_timer_update(struct l2cap_chan_s *ch) + } + + static void l2cap_command_reject(struct l2cap_instance_s *l2cap, int id, +- uint16_t reason, const void *data, int 
plen) ++ uint16_t reason, const void *data, size_t plen) + { + uint8_t *pkt; + l2cap_cmd_hdr *hdr; +@@ -247,7 +247,7 @@ static void l2cap_connection_response(struct l2cap_instance_s *l2cap, + } + + static void l2cap_configuration_request(struct l2cap_instance_s *l2cap, +- int dcid, int flag, const uint8_t *data, int len) ++ int dcid, int flag, const uint8_t *data, size_t len) + { + uint8_t *pkt; + l2cap_cmd_hdr *hdr; +@@ -275,7 +275,7 @@ static void l2cap_configuration_request(struct l2cap_instance_s *l2cap, + } + + static void l2cap_configuration_response(struct l2cap_instance_s *l2cap, +- int scid, int flag, int result, const uint8_t *data, int len) ++ int scid, int flag, int result, const uint8_t *data, size_t len) + { + uint8_t *pkt; + l2cap_cmd_hdr *hdr; +@@ -322,7 +322,7 @@ static void l2cap_disconnection_response(struct l2cap_instance_s *l2cap, + } + + static void l2cap_echo_response(struct l2cap_instance_s *l2cap, +- const uint8_t *data, int len) ++ const uint8_t *data, size_t len) + { + uint8_t *pkt; + l2cap_cmd_hdr *hdr; +@@ -343,7 +343,7 @@ static void l2cap_echo_response(struct l2cap_instance_s *l2cap, + } + + static void l2cap_info_response(struct l2cap_instance_s *l2cap, int type, +- int result, const uint8_t *data, int len) ++ int result, const uint8_t *data, size_t len) + { + uint8_t *pkt; + l2cap_cmd_hdr *hdr; +@@ -366,16 +366,18 @@ static void l2cap_info_response(struct l2cap_instance_s *l2cap, int type, + l2cap->signalling_ch.params.sdu_submit(&l2cap->signalling_ch.params); + } + +-static uint8_t *l2cap_bframe_out(struct bt_l2cap_conn_params_s *parm, int len); ++static uint8_t *l2cap_bframe_out(struct bt_l2cap_conn_params_s *parm, ++ size_t len); + static void l2cap_bframe_submit(struct bt_l2cap_conn_params_s *parms); + #if 0 +-static uint8_t *l2cap_iframe_out(struct bt_l2cap_conn_params_s *parm, int len); ++static uint8_t *l2cap_iframe_out(struct bt_l2cap_conn_params_s *parm, ++ size_t len); + static void l2cap_iframe_submit(struct 
bt_l2cap_conn_params_s *parm); + #endif + static void l2cap_bframe_in(struct l2cap_chan_s *ch, uint16_t cid, +- const l2cap_hdr *hdr, int len); ++ const l2cap_hdr *hdr, size_t len); + static void l2cap_iframe_in(struct l2cap_chan_s *ch, uint16_t cid, +- const l2cap_hdr *hdr, int len); ++ const l2cap_hdr *hdr, size_t len); + + static int l2cap_cid_new(struct l2cap_instance_s *l2cap) + { +@@ -499,7 +501,7 @@ static void l2cap_channel_config_req_event(struct l2cap_instance_s *l2cap, + + static int l2cap_channel_config(struct l2cap_instance_s *l2cap, + struct l2cap_chan_s *ch, int flag, +- const uint8_t *data, int len) ++ const uint8_t *data, size_t len) + { + l2cap_conf_opt *opt; + l2cap_conf_opt_qos *qos; +@@ -684,7 +686,7 @@ static int l2cap_channel_config(struct l2cap_instance_s *l2cap, + } + + static void l2cap_channel_config_req_msg(struct l2cap_instance_s *l2cap, +- int flag, int cid, const uint8_t *data, int len) ++ int flag, int cid, const uint8_t *data, size_t len) + { + struct l2cap_chan_s *ch; + +@@ -716,7 +718,7 @@ static void l2cap_channel_config_req_msg(struct l2cap_instance_s *l2cap, + } + + static int l2cap_channel_config_rsp_msg(struct l2cap_instance_s *l2cap, +- int result, int flag, int cid, const uint8_t *data, int len) ++ int result, int flag, int cid, const uint8_t *data, size_t len) + { + struct l2cap_chan_s *ch; + +@@ -784,7 +786,7 @@ static void l2cap_info(struct l2cap_instance_s *l2cap, int type) + } + + static void l2cap_command(struct l2cap_instance_s *l2cap, int code, int id, +- const uint8_t *params, int len) ++ const uint8_t *params, size_t len) + { + int err; + +@@ -939,7 +941,7 @@ static void l2cap_rexmit_enable(struct l2cap_chan_s *ch, int enable) + } + + /* Command frame SDU */ +-static void l2cap_cframe_in(void *opaque, const uint8_t *data, int len) ++static void l2cap_cframe_in(void *opaque, const uint8_t *data, size_t len) + { + struct l2cap_instance_s *l2cap = opaque; + const l2cap_cmd_hdr *hdr; +@@ -967,7 +969,7 @@ static void 
l2cap_cframe_in(void *opaque, const uint8_t *data, int len) + } + + /* Group frame SDU */ +-static void l2cap_gframe_in(void *opaque, const uint8_t *data, int len) ++static void l2cap_gframe_in(void *opaque, const uint8_t *data, size_t len) + { + } + +@@ -978,7 +980,7 @@ static void l2cap_sframe_in(struct l2cap_chan_s *ch, uint16_t ctrl) + + /* Basic L2CAP mode Information frame */ + static void l2cap_bframe_in(struct l2cap_chan_s *ch, uint16_t cid, +- const l2cap_hdr *hdr, int len) ++ const l2cap_hdr *hdr, size_t len) + { + /* We have a full SDU, no further processing */ + ch->params.sdu_in(ch->params.opaque, hdr->data, len); +@@ -986,7 +988,7 @@ static void l2cap_bframe_in(struct l2cap_chan_s *ch, uint16_t cid, + + /* Flow Control and Retransmission mode frame */ + static void l2cap_iframe_in(struct l2cap_chan_s *ch, uint16_t cid, +- const l2cap_hdr *hdr, int len) ++ const l2cap_hdr *hdr, size_t len) + { + uint16_t fcs = lduw_le_p(hdr->data + len - 2); + +@@ -1077,7 +1079,7 @@ static void l2cap_frame_in(struct l2cap_instance_s *l2cap, + + /* "Recombination" */ + static void l2cap_pdu_in(struct l2cap_instance_s *l2cap, +- const uint8_t *data, int len) ++ const uint8_t *data, size_t len) + { + const l2cap_hdr *hdr = (void *) l2cap->frame_in; + +@@ -1124,7 +1126,7 @@ static inline void l2cap_pdu_submit(struct l2cap_instance_s *l2cap) + (l2cap->link, l2cap->frame_out, 1, l2cap->frame_out_len); + } + +-static uint8_t *l2cap_bframe_out(struct bt_l2cap_conn_params_s *parm, int len) ++static uint8_t *l2cap_bframe_out(struct bt_l2cap_conn_params_s *parm, size_t len) + { + struct l2cap_chan_s *chan = (struct l2cap_chan_s *) parm; + +@@ -1147,7 +1149,7 @@ static void l2cap_bframe_submit(struct bt_l2cap_conn_params_s *parms) + + #if 0 + /* Stub: Only used if an emulated device requests outgoing flow control */ +-static uint8_t *l2cap_iframe_out(struct bt_l2cap_conn_params_s *parm, int len) ++static uint8_t *l2cap_iframe_out(struct bt_l2cap_conn_params_s *parm, size_t len) + 
{ + struct l2cap_chan_s *chan = (struct l2cap_chan_s *) parm; + +@@ -1292,7 +1294,7 @@ static void l2cap_lmp_disconnect_slave(struct bt_link_s *link) + } + + static void l2cap_lmp_acl_data_slave(struct bt_link_s *link, +- const uint8_t *data, int start, int len) ++ const uint8_t *data, int start, size_t len) + { + struct slave_l2cap_instance_s *l2cap = + (struct slave_l2cap_instance_s *) link; +@@ -1305,7 +1307,7 @@ static void l2cap_lmp_acl_data_slave(struct bt_link_s *link, + + /* Stub */ + static void l2cap_lmp_acl_data_host(struct bt_link_s *link, +- const uint8_t *data, int start, int len) ++ const uint8_t *data, int start, size_t len) + { + struct bt_l2cap_device_s *dev = (struct bt_l2cap_device_s *) link->host; + struct l2cap_instance_s *l2cap = +diff --git a/hw/bt/sdp.c b/hw/bt/sdp.c +index f4aba9d74f..163d315874 100644 +--- a/hw/bt/sdp.c ++++ b/hw/bt/sdp.c +@@ -497,7 +497,7 @@ static ssize_t sdp_svc_search_attr_get(struct bt_l2cap_sdp_state_s *sdp, + return end + 2; + } + +-static void bt_l2cap_sdp_sdu_in(void *opaque, const uint8_t *data, int len) ++static void bt_l2cap_sdp_sdu_in(void *opaque, const uint8_t *data, size_t len) + { + struct bt_l2cap_sdp_state_s *sdp = opaque; + enum bt_sdp_cmd pdu_id; +@@ -507,7 +507,7 @@ static void bt_l2cap_sdp_sdu_in(void *opaque, const uint8_t *data, int len) + int rsp_len = 0; + + if (len < 5) { +- error_report("%s: short SDP PDU (%iB).", __func__, len); ++ error_report("%s: short SDP PDU (%zuB).", __func__, len); + return; + } + +@@ -518,7 +518,7 @@ static void bt_l2cap_sdp_sdu_in(void *opaque, const uint8_t *data, int len) + len -= 5; + + if (len != plen) { +- error_report("%s: wrong SDP PDU length (%iB != %iB).", ++ error_report("%s: wrong SDP PDU length (%iB != %zuB).", + __func__, plen, len); + err = SDP_INVALID_PDU_SIZE; + goto respond; +diff --git a/hw/usb/dev-bluetooth.c b/hw/usb/dev-bluetooth.c +index eac7365b0a..cf46ba06c6 100644 +--- a/hw/usb/dev-bluetooth.c ++++ b/hw/usb/dev-bluetooth.c +@@ -265,7 +265,7 
@@ static void usb_bt_fifo_reset(struct usb_hci_in_fifo_s *fifo) + } + + static void usb_bt_fifo_enqueue(struct usb_hci_in_fifo_s *fifo, +- const uint8_t *data, int len) ++ const uint8_t *data, size_t len) + { + int off = fifo->dstart + fifo->dlen; + uint8_t *buf; +@@ -274,13 +274,13 @@ static void usb_bt_fifo_enqueue(struct usb_hci_in_fifo_s *fifo, + if (off <= DFIFO_LEN_MASK) { + if (off + len > DFIFO_LEN_MASK + 1 && + (fifo->dsize = off + len) > (DFIFO_LEN_MASK + 1) * 2) { +- fprintf(stderr, "%s: can't alloc %i bytes\n", __func__, len); ++ fprintf(stderr, "%s: can't alloc %zu bytes\n", __func__, len); + exit(-1); + } + buf = fifo->data + off; + } else { + if (fifo->dlen > fifo->dsize) { +- fprintf(stderr, "%s: can't alloc %i bytes\n", __func__, len); ++ fprintf(stderr, "%s: can't alloc %zu bytes\n", __func__, len); + exit(-1); + } + buf = fifo->data + off - fifo->dsize; +@@ -319,7 +319,7 @@ static inline void usb_bt_fifo_dequeue(struct usb_hci_in_fifo_s *fifo, + + static inline void usb_bt_fifo_out_enqueue(struct USBBtState *s, + struct usb_hci_out_fifo_s *fifo, +- void (*send)(struct HCIInfo *, const uint8_t *, int), ++ void (*send)(struct HCIInfo *, const uint8_t *, size_t), + int (*complete)(const uint8_t *, int), + USBPacket *p) + { +@@ -478,7 +478,7 @@ static void usb_bt_handle_data(USBDevice *dev, USBPacket *p) + } + + static void usb_bt_out_hci_packet_event(void *opaque, +- const uint8_t *data, int len) ++ const uint8_t *data, size_t len) + { + struct USBBtState *s = (struct USBBtState *) opaque; + +@@ -489,7 +489,7 @@ static void usb_bt_out_hci_packet_event(void *opaque, + } + + static void usb_bt_out_hci_packet_acl(void *opaque, +- const uint8_t *data, int len) ++ const uint8_t *data, size_t len) + { + struct USBBtState *s = (struct USBBtState *) opaque; + +diff --git a/include/hw/bt.h b/include/hw/bt.h +index b5e11d4d43..bc362aa662 100644 +--- a/include/hw/bt.h ++++ b/include/hw/bt.h +@@ -94,9 +94,9 @@ struct bt_device_s { + void 
(*lmp_disconnect_master)(struct bt_link_s *link); + void (*lmp_disconnect_slave)(struct bt_link_s *link); + void (*lmp_acl_data)(struct bt_link_s *link, const uint8_t *data, +- int start, int len); ++ int start, size_t len); + void (*lmp_acl_resp)(struct bt_link_s *link, const uint8_t *data, +- int start, int len); ++ int start, size_t len); + void (*lmp_mode_change)(struct bt_link_s *link); + + void (*handle_destroy)(struct bt_device_s *device); +@@ -148,12 +148,12 @@ struct bt_l2cap_device_s { + + struct bt_l2cap_conn_params_s { + /* Input */ +- uint8_t *(*sdu_out)(struct bt_l2cap_conn_params_s *chan, int len); ++ uint8_t *(*sdu_out)(struct bt_l2cap_conn_params_s *chan, size_t len); + void (*sdu_submit)(struct bt_l2cap_conn_params_s *chan); + int remote_mtu; + /* Output */ + void *opaque; +- void (*sdu_in)(void *opaque, const uint8_t *data, int len); ++ void (*sdu_in)(void *opaque, const uint8_t *data, size_t len); + void (*close)(void *opaque); + }; + +diff --git a/include/sysemu/bt.h b/include/sysemu/bt.h +index ddb05cd109..db935c695d 100644 +--- a/include/sysemu/bt.h ++++ b/include/sysemu/bt.h +@@ -5,12 +5,12 @@ + + typedef struct HCIInfo { + int (*bdaddr_set)(struct HCIInfo *hci, const uint8_t *bd_addr); +- void (*cmd_send)(struct HCIInfo *hci, const uint8_t *data, int len); +- void (*sco_send)(struct HCIInfo *hci, const uint8_t *data, int len); +- void (*acl_send)(struct HCIInfo *hci, const uint8_t *data, int len); ++ void (*cmd_send)(struct HCIInfo *hci, const uint8_t *data, size_t len); ++ void (*sco_send)(struct HCIInfo *hci, const uint8_t *data, size_t len); ++ void (*acl_send)(struct HCIInfo *hci, const uint8_t *data, size_t len); + void *opaque; +- void (*evt_recv)(void *opaque, const uint8_t *data, int len); +- void (*acl_recv)(void *opaque, const uint8_t *data, int len); ++ void (*evt_recv)(void *opaque, const uint8_t *data, size_t len); ++ void (*acl_recv)(void *opaque, const uint8_t *data, size_t len); + } HCIInfo; + + /* bt-host.c */ +-- +2.17.2 
diff --git a/SPECS/qemu-kvm/CVE-2020-10702.patch b/SPECS/qemu-kvm/CVE-2020-10702.patch
new file mode 100644
index 00000000000..0eedda36dab
--- /dev/null
+++ b/SPECS/qemu-kvm/CVE-2020-10702.patch
@@ -0,0 +1,48 @@
+From de0b1bae6461f67243282555475f88b2384a1eb9 Mon Sep 17 00:00:00 2001
+From: Vincent Dehors
+Date: Thu, 23 Jan 2020 15:22:38 +0000
+Subject: [PATCH] target/arm: Fix PAuth sbox functions
+
+In the PAC computation, sbox was applied over wrong bits.
+As this is a 4-bit sbox, bit index should be incremented by 4 instead of 16.
+
+Test vector from QARMA paper (https://eprint.iacr.org/2016/444.pdf) was
+used to verify one computation of the pauth_computepac() function which
+uses sbox2.
+
+Launchpad: https://bugs.launchpad.net/bugs/1859713
+Reviewed-by: Richard Henderson
+Signed-off-by: Vincent DEHORS
+Signed-off-by: Adrien GRASSEIN
+Message-id: 20200116230809.19078-2-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell
+Signed-off-by: Peter Maydell
+---
+ target/arm/pauth_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
+index d3194f2..0a5f41e 100644
+--- a/target/arm/pauth_helper.c
++++ b/target/arm/pauth_helper.c
+@@ -89,7 +89,7 @@ static uint64_t pac_sub(uint64_t i)
+ uint64_t o = 0;
+ int b;
+
+- for (b = 0; b < 64; b += 16) {
++ for (b = 0; b < 64; b += 4) {
+ o |= (uint64_t)sub[(i >> b) & 0xf] << b;
+ }
+ return o;
+@@ -104,7 +104,7 @@ static uint64_t pac_inv_sub(uint64_t i)
+ uint64_t o = 0;
+ int b;
+
+- for (b = 0; b < 64; b += 16) {
++ for (b = 0; b < 64; b += 4) {
+ o |= (uint64_t)inv_sub[(i >> b) & 0xf] << b;
+ }
+ return o;
+--
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm/CVE-2020-10761.patch b/SPECS/qemu-kvm/CVE-2020-10761.patch
new file mode 100644
index 00000000000..6c1f34d87f0
--- /dev/null
+++ b/SPECS/qemu-kvm/CVE-2020-10761.patch
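Review bot: Nothing in this patch pins the corrected nibble stepping in `pac_sub()` and `pac_inv_sub()`; the commit message says a QARMA test vector was used to verify one computation, but the two-line change adds no test, so a later rebase of the vendored patch could regress unnoticed. With the old step of 16 the loop ran four times and substituted only four of the sixteen nibbles, which presumably weakened the computed PAC, so a known-answer check is worth carrying alongside the fix. At minimum I would add a why-comment above each loop, `/* 4-bit sbox: substitute every nibble, so step by 4 */`. Both function bodies start outside the hunks.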
@@ -0,0 +1,148 @@ +diff --git a/block.c b/block.c +index 8416376c9b71..6dbcb7e083ea 100644 +--- a/block.c ++++ b/block.c +@@ -6809,8 +6809,11 @@ void bdrv_refresh_filename(BlockDriverState *bs) + pstrcpy(bs->filename, sizeof(bs->filename), bs->exact_filename); + } else { + QString *json = qobject_to_json(QOBJECT(bs->full_open_options)); +- snprintf(bs->filename, sizeof(bs->filename), "json:%s", +- qstring_get_str(json)); ++ if (snprintf(bs->filename, sizeof(bs->filename), "json:%s", ++ qstring_get_str(json)) >= sizeof(bs->filename)) { ++ /* Give user a hint if we truncated things. */ ++ strcpy(bs->filename + sizeof(bs->filename) - 4, "..."); ++ } + qobject_unref(json); + } + } +diff --git a/block/nbd.c b/block/nbd.c +index 4ac23c8f6299..eed160c5cda1 100644 +--- a/block/nbd.c ++++ b/block/nbd.c +@@ -1984,6 +1984,7 @@ static void nbd_refresh_filename(BlockDriverState *bs) + { + BDRVNBDState *s = bs->opaque; + const char *host = NULL, *port = NULL, *path = NULL; ++ size_t len = 0; + + if (s->saddr->type == SOCKET_ADDRESS_TYPE_INET) { + const InetSocketAddress *inet = &s->saddr->u.inet; +@@ -1996,17 +1997,21 @@ static void nbd_refresh_filename(BlockDriverState *bs) + } /* else can't represent as pseudo-filename */ + + if (path && s->export) { +- snprintf(bs->exact_filename, sizeof(bs->exact_filename), +- "nbd+unix:///%s?socket=%s", s->export, path); ++ len = snprintf(bs->exact_filename, sizeof(bs->exact_filename), ++ "nbd+unix:///%s?socket=%s", s->export, path); + } else if (path && !s->export) { +- snprintf(bs->exact_filename, sizeof(bs->exact_filename), +- "nbd+unix://?socket=%s", path); ++ len = snprintf(bs->exact_filename, sizeof(bs->exact_filename), ++ "nbd+unix://?socket=%s", path); + } else if (host && s->export) { +- snprintf(bs->exact_filename, sizeof(bs->exact_filename), +- "nbd://%s:%s/%s", host, port, s->export); ++ len = snprintf(bs->exact_filename, sizeof(bs->exact_filename), ++ "nbd://%s:%s/%s", host, port, s->export); + } else if (host && !s->export) { 
+- snprintf(bs->exact_filename, sizeof(bs->exact_filename), +- "nbd://%s:%s", host, port); ++ len = snprintf(bs->exact_filename, sizeof(bs->exact_filename), ++ "nbd://%s:%s", host, port); ++ } ++ if (len > sizeof(bs->exact_filename)) { ++ /* Name is too long to represent exactly, so leave it empty. */ ++ bs->exact_filename[0] = '\0'; + } + } + +diff --git a/nbd/server.c b/nbd/server.c +index 24ebc1a..92d5207 100644 +--- a/nbd/server.c ++++ b/nbd/server.c +@@ -217,7 +217,7 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type, + + msg = g_strdup_vprintf(fmt, va); + len = strlen(msg); +- assert(len < 4096); ++ assert(len < NBD_MAX_STRING_SIZE); + trace_nbd_negotiate_send_rep_err(msg); + ret = nbd_negotiate_send_rep_len(client, type, len, errp); + if (ret < 0) { +@@ -231,6 +231,27 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type, + return 0; + } + ++/* ++ * Truncate a potentially-long user-supplied string into something ++ * more suitable for an error reply. ++ */ ++static const char * ++nbd_truncate_name(const char *name) ++{ ++#define SANE_LENGTH 80 ++ static char buf[SANE_LENGTH + 3 + 1]; /* Trailing '...', NUL */ ++ ++ if (strlen(name) < SANE_LENGTH) { ++ return name; ++ } ++ memcpy(buf, name, SANE_LENGTH); ++ buf[SANE_LENGTH] = '.'; ++ buf[SANE_LENGTH + 1] = '.'; ++ buf[SANE_LENGTH + 2] = '.'; ++ buf[SANE_LENGTH + 3] = '\0'; ++ return buf; ++} ++ + /* Send an error reply. + * Return -errno on error, 0 on success. 
*/ + static int GCC_FMT_ATTR(4, 5) +@@ -597,7 +618,7 @@ static int nbd_negotiate_handle_info(NBDClient *client, Error **errp) + if (!exp) { + return nbd_negotiate_send_rep_err(client, NBD_REP_ERR_UNKNOWN, + errp, "export '%s' not present", +- name); ++ nbd_truncate_name(name)); + } + + /* Don't bother sending NBD_INFO_NAME unless client requested it */ +@@ -996,7 +1017,8 @@ static int nbd_negotiate_meta_queries(NBDClient *client, + meta->exp = nbd_export_find(export_name); + if (meta->exp == NULL) { + return nbd_opt_drop(client, NBD_REP_ERR_UNKNOWN, errp, +- "export '%s' not present", export_name); ++ "export '%s' not present", ++ nbd_truncate_name(export_name)); + } + + ret = nbd_opt_read(client, &nb_queries, sizeof(nb_queries), errp); +diff --git a/tests/qemu-iotests/143 b/tests/qemu-iotests/143 +index f649b36..b0b1cff 100755 +--- a/tests/qemu-iotests/143 ++++ b/tests/qemu-iotests/143 +@@ -58,6 +58,10 @@ _send_qemu_cmd $QEMU_HANDLE \ + $QEMU_IO_PROG -f raw -c quit \ + "nbd+unix:///no_such_export?socket=$SOCK_DIR/nbd" 2>&1 \ + | _filter_qemu_io | _filter_nbd ++# Likewise, with longest possible name permitted in NBD protocol ++$QEMU_IO_PROG -f raw -c quit \ ++ "nbd+unix:///$(printf %4096d 1 | tr ' ' a)?socket=$SOCK_DIR/nbd" 2>&1 \ ++ | _filter_qemu_io | _filter_nbd | sed 's/aa.*aa/aa...aa/' + + _send_qemu_cmd $QEMU_HANDLE \ + "{ 'execute': 'quit' }" \ +diff --git a/tests/qemu-iotests/143.out b/tests/qemu-iotests/143.out +index 1f4001c..be1f3a6 100644 +--- a/tests/qemu-iotests/143.out ++++ b/tests/qemu-iotests/143.out +@@ -5,6 +5,8 @@ QA output created by 143 + {"return": {}} + qemu-io: can't open device nbd+unix:///no_such_export?socket=SOCK_DIR/nbd: Requested export not available + server reported: export 'no_such_export' not present ++qemu-io: can't open device nbd+unix:///aa...aa1?socket=SOCK_DIR/nbd: Requested export not available ++server reported: export 'aa...aa...' 
not present + { 'execute': 'quit' } + {"return": {}} + {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}} diff --git a/SPECS/qemu-kvm/CVE-2020-11869.patch b/SPECS/qemu-kvm/CVE-2020-11869.patch new file mode 100644 index 00000000000..35f44cd4708 --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2020-11869.patch 
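Review bot: The truncation test added to `nbd_refresh_filename()` in block/nbd.c is off by one: `snprintf()` returns the length without the terminating NUL, so a result equal to `sizeof(bs->exact_filename)` has already lost its last character yet passes `len > sizeof(...)` and is kept as an exact name. It should read `if (len >= sizeof(bs->exact_filename)) {`, matching the `>=` comparison the same patch uses in `bdrv_refresh_filename()`. Separately, `nbd_truncate_name()` returns a pointer into a function-static buffer, which deserves a comment that the result is only valid until the next call and is not safe for concurrent callers. This patch file, like CVE-2020-11869, CVE-2020-13361 and CVE-2020-13362 below, carries no From/Subject header or upstream commit id, which makes the backport hard to audit against upstream.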
@@ -0,0 +1,73 @@ +diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c +index 42e8231..23a8ae0 100644 +--- a/hw/display/ati_2d.c ++++ b/hw/display/ati_2d.c +@@ -53,12 +53,20 @@ void ati_2d_blt(ATIVGAState *s) + s->vga.vbe_start_addr, surface_data(ds), surface_stride(ds), + surface_bits_per_pixel(ds), + (s->regs.dp_mix & GMC_ROP3_MASK) >> 16); +- int dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? +- s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width); +- int dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? +- s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height); ++ unsigned dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? ++ s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width); ++ unsigned dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? ++ s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height); + int bpp = ati_bpp_from_datatype(s); ++ if (!bpp) { ++ qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n"); ++ return; ++ } + int dst_stride = DEFAULT_CNTL ? s->regs.dst_pitch : s->regs.default_pitch; ++ if (!dst_stride) { ++ qemu_log_mask(LOG_GUEST_ERROR, "Zero dest pitch\n"); ++ return; ++ } + uint8_t *dst_bits = s->vga.vram_ptr + (DEFAULT_CNTL ? + s->regs.dst_offset : s->regs.default_offset); + +@@ -82,12 +90,16 @@ void ati_2d_blt(ATIVGAState *s) + switch (s->regs.dp_mix & GMC_ROP3_MASK) { + case ROP3_SRCCOPY: + { +- int src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? +- s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width); +- int src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? +- s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height); ++ unsigned src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? ++ s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width); ++ unsigned src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? ++ s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height); + int src_stride = DEFAULT_CNTL ? 
+ s->regs.src_pitch : s->regs.default_pitch; ++ if (!src_stride) { ++ qemu_log_mask(LOG_GUEST_ERROR, "Zero source pitch\n"); ++ return; ++ } + uint8_t *src_bits = s->vga.vram_ptr + (DEFAULT_CNTL ? + s->regs.src_offset : s->regs.default_offset); + +@@ -137,8 +149,10 @@ void ati_2d_blt(ATIVGAState *s) + dst_y * surface_stride(ds), + s->regs.dst_height * surface_stride(ds)); + } +- s->regs.dst_x += s->regs.dst_width; +- s->regs.dst_y += s->regs.dst_height; ++ s->regs.dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? ++ dst_x + s->regs.dst_width : dst_x); ++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? ++ dst_y + s->regs.dst_height : dst_y); + break; + } + case ROP3_PATCOPY: +@@ -179,7 +193,8 @@ void ati_2d_blt(ATIVGAState *s) + dst_y * surface_stride(ds), + s->regs.dst_height * surface_stride(ds)); + } +- s->regs.dst_y += s->regs.dst_height; ++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? ++ dst_y + s->regs.dst_height : dst_y); + break; + } + default: diff --git a/SPECS/qemu-kvm/CVE-2020-12829.nopatch b/SPECS/qemu-kvm/CVE-2020-12829.nopatch new file mode 100644 index 00000000000..a1f438739ae --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2020-12829.nopatch @@ -0,0 +1,5 @@ +CVE-2020-12829 affects the sm501 video driver, which is only used for powerpc and SuperH emulation +CONFIG_SM501 is selected by CONFIG_SAM460EX and CONFIG_R2D (from ppc-softmmu and sh4 targets respectively) +We only build for the native architecture so we can nopatch this. + +This is resolved in qemu >= 5.0 \ No newline at end of file diff --git a/SPECS/qemu-kvm/CVE-2020-13253.patch b/SPECS/qemu-kvm/CVE-2020-13253.patch new file mode 100644 index 00000000000..284511aed97 --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2020-13253.patch 
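Review bot: Switching `dst_x`, `dst_y`, `src_x` and `src_y` to `unsigned` in `ati_2d_blt()` means the right-to-left and bottom-to-top forms such as `s->regs.dst_x + 1 - s->regs.dst_width` now wrap to a very large value instead of going negative when the width exceeds `dst_x + 1`. That is only safe if a range check against the end of VRAM sits between these declarations and the blit, and no such check is visible in these hunks, so I would confirm it exists in the tree this patch is applied to. A comment at the declarations would record the dependency: `/* unsigned on purpose: wrapped coordinates must be rejected by the VRAM bounds check below */`. The function body begins and ends outside the hunks.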
@@ -0,0 +1,134 @@ +###################################### PATCH NOTICE ####################################### + +From Pawel Winogrodzki : + +The patch below has been backported to the 4.2.0 version of QEMU. +Retained original version in terms of code changes, only affected line numbers have been +modified in order to apply the patch. + +############################## ORIGINAL PATCH BELOW THIS LINE ############################## +From 790762e5487114341cccc5bffcec4cb3c022c3cd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Thu, 4 Jun 2020 19:22:29 +0200 +Subject: [PATCH] hw/sd/sdcard: Do not switch to ReceivingData if address is + invalid +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Only move the state machine to ReceivingData if there is no +pending error. This avoids later OOB access while processing +commands queued. + + "SD Specifications Part 1 Physical Layer Simplified Spec. v3.01" + + 4.3.3 Data Read + + Read command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR + occurred and no data transfer is performed. + + 4.3.4 Data Write + + Write command is rejected if BLOCK_LEN_ERROR or ADDRESS_ERROR + occurred and no data transfer is performed. + +WP_VIOLATION errors are not modified: the error bit is set, we +stay in receive-data state, wait for a stop command. All further +data transfer is ignored. See the check on sd->card_status at the +beginning of sd_read_data() and sd_write_data(). 
+ +Fixes: CVE-2020-13253 +Cc: qemu-stable@nongnu.org +Reported-by: Alexander Bulekov +Buglink: https://bugs.launchpad.net/qemu/+bug/1880822 +Reviewed-by: Peter Maydell +Signed-off-by: Philippe Mathieu-Daudé +Reviewed-by: Alistair Francis +Message-Id: <20200630133912.9428-6-f4bug@amsat.org> +--- + hw/sd/sd.c | 34 ++++++++++++++++++++++++---------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git a/hw/sd/sd.c b/hw/sd/sd.c +index 49b83576..5b4760d5 100644 +--- a/hw/sd/sd.c ++++ b/hw/sd/sd.c +@@ -1150,12 +1150,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + case 17: /* CMD17: READ_SINGLE_BLOCK */ + switch (sd->state) { + case sd_transfer_state: ++ ++ if (addr + sd->blk_len > sd->size) { ++ sd->card_status |= ADDRESS_ERROR; ++ return sd_r1; ++ } ++ + sd->state = sd_sendingdata_state; + sd->data_start = addr; + sd->data_offset = 0; +- +- if (sd->data_start + sd->blk_len > sd->size) +- sd->card_status |= ADDRESS_ERROR; + return sd_r1; + + default: +@@ -1166,12 +1169,15 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + case 18: /* CMD18: READ_MULTIPLE_BLOCK */ + switch (sd->state) { + case sd_transfer_state: ++ ++ if (addr + sd->blk_len > sd->size) { ++ sd->card_status |= ADDRESS_ERROR; ++ return sd_r1; ++ } ++ + sd->state = sd_sendingdata_state; + sd->data_start = addr; + sd->data_offset = 0; +- +- if (sd->data_start + sd->blk_len > sd->size) +- sd->card_status |= ADDRESS_ERROR; + return sd_r1; + + default: +@@ -1211,13 +1217,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + /* Writing in SPI mode not implemented. 
*/ + if (sd->spi) + break; ++ ++ if (addr + sd->blk_len > sd->size) { ++ sd->card_status |= ADDRESS_ERROR; ++ return sd_r1; ++ } ++ + sd->state = sd_receivingdata_state; + sd->data_start = addr; + sd->data_offset = 0; + sd->blk_written = 0; + +- if (sd->data_start + sd->blk_len > sd->size) +- sd->card_status |= ADDRESS_ERROR; + if (sd_wp_addr(sd, sd->data_start)) + sd->card_status |= WP_VIOLATION; + if (sd->csd[14] & 0x30) +@@ -1235,13 +1245,17 @@ static sd_rsp_type_t sd_normal_command(SDState *sd, SDRequest req) + /* Writing in SPI mode not implemented. */ + if (sd->spi) + break; ++ ++ if (addr + sd->blk_len > sd->size) { ++ sd->card_status |= ADDRESS_ERROR; ++ return sd_r1; ++ } ++ + sd->state = sd_receivingdata_state; + sd->data_start = addr; + sd->data_offset = 0; + sd->blk_written = 0; + +- if (sd->data_start + sd->blk_len > sd->size) +- sd->card_status |= ADDRESS_ERROR; + if (sd_wp_addr(sd, sd->data_start)) + sd->card_status |= WP_VIOLATION; + if (sd->csd[14] & 0x30) +-- diff --git a/SPECS/qemu-kvm/CVE-2020-13361.patch b/SPECS/qemu-kvm/CVE-2020-13361.patch new file mode 100644 index 00000000000..17155dd9cf5 --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2020-13361.patch 
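Review bot: The carried header's `Message-Id` ends in `-6-f4bug@amsat.org`, which suggests this is one patch out of a longer series, while only this single change to `sd_normal_command()` is vendored; I would confirm against the upstream series that no sibling patch is a prerequisite for the fix on 4.2.0. Within the hunks, the same `if (addr + sd->blk_len > sd->size)` guard is now pasted into four cases (CMD17, CMD18 and the two write cases), and for CMD18 it covers only the first block, so later blocks presumably depend on checks in `sd_read_data()` that are outside this diff. The declarations of `addr` and `sd->size` are not visible either, so whether the sum can wrap cannot be checked from here; an overflow-safe spelling would be `if (sd->blk_len > sd->size || addr > sd->size - sd->blk_len)`.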
@@ -0,0 +1,32 @@ +diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c +index f9e9f2a..6a28dab 100644 +--- a/hw/audio/es1370.c ++++ b/hw/audio/es1370.c +@@ -643,6 +643,9 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel, + int csc_bytes = (csc + 1) << d->shift; + int cnt = d->frame_cnt >> 16; + int size = d->frame_cnt & 0xffff; ++ if (size < cnt) { ++ return; ++ } + int left = ((size - cnt + 1) << 2) + d->leftover; + int transferred = 0; + int temp = MIN (max, MIN (left, csc_bytes)); +@@ -651,7 +654,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel, + addr += (cnt << 2) + d->leftover; + + if (index == ADC_CHANNEL) { +- while (temp) { ++ while (temp > 0) { + int acquired, to_copy; + + to_copy = MIN ((size_t) temp, sizeof (tmpbuf)); +@@ -669,7 +672,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel, + else { + SWVoiceOut *voice = s->dac_voice[index]; + +- while (temp) { ++ while (temp > 0) { + int copied, to_copy; + + to_copy = MIN ((size_t) temp, sizeof (tmpbuf)); diff --git a/SPECS/qemu-kvm/CVE-2020-13362.patch b/SPECS/qemu-kvm/CVE-2020-13362.patch new file mode 100644 index 00000000000..19cf5abc2f2 --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2020-13362.patch 
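Review bot: The new `if (size < cnt) { return; }` guard in `es1370_transfer_audio()` drops an inconsistent `frame_cnt` silently, so a guest that programs one leaves no trace for whoever debugs the device. A line such as `qemu_log_mask(LOG_GUEST_ERROR, "es1370: invalid frame_cnt\n");` before the `return`, in the style the ATI patch in this commit uses, would make it diagnosable; if the patch has to stay identical to upstream, that is worth noting in the spec instead. The early return also skips everything after the transfer loops, and the end of the function is outside the hunk, so it is worth checking that no state update there is expected to run on every call.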
@@ -0,0 +1,97 @@ +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index de9bd20..616322b 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -86,34 +86,34 @@ typedef struct MegasasState { + MemoryRegion queue_io; + uint32_t frame_hi; + +- int fw_state; ++ uint32_t fw_state; + uint32_t fw_sge; + uint32_t fw_cmds; + uint32_t flags; +- int fw_luns; +- int intr_mask; +- int doorbell; +- int busy; +- int diag; +- int adp_reset; ++ int32_t fw_luns; ++ uint32_t intr_mask; ++ uint32_t doorbell; ++ uint32_t busy; ++ uint32_t diag; ++ uint32_t adp_reset; + OnOffAuto msi; + OnOffAuto msix; + + MegasasCmd *event_cmd; +- int event_locale; ++ uint16_t event_locale; + int event_class; +- int event_count; +- int shutdown_event; +- int boot_event; ++ uint32_t event_count; ++ uint32_t shutdown_event; ++ uint32_t boot_event; + + uint64_t sas_addr; + char *hba_serial; + + uint64_t reply_queue_pa; + void *reply_queue; +- int reply_queue_len; +- int reply_queue_head; +- int reply_queue_tail; ++ uint16_t reply_queue_len; ++ uint16_t reply_queue_head; ++ uint16_t reply_queue_tail; + uint64_t consumer_pa; + uint64_t producer_pa; + +@@ -445,7 +445,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s, + + index = s->reply_queue_head; + +- while (num < s->fw_cmds) { ++ while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) { + if (s->frames[index].pa && s->frames[index].pa == frame) { + cmd = &s->frames[index]; + break; +@@ -504,7 +504,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s, + cmd->pa = frame; + /* Map all possible frames */ + cmd->frame = pci_dma_map(pcid, frame, &frame_size_p, 0); +- if (frame_size_p != frame_size) { ++ if (!cmd->frame || frame_size_p != frame_size) { + trace_megasas_qf_map_failed(cmd->index, (unsigned long)frame); + if (cmd->frame) { + megasas_unmap_frame(s, cmd); +@@ -2259,9 +2259,9 @@ static const VMStateDescription vmstate_megasas_gen1 = { + VMSTATE_PCI_DEVICE(parent_obj, MegasasState), + VMSTATE_MSIX(parent_obj, 
MegasasState), + +- VMSTATE_INT32(fw_state, MegasasState), +- VMSTATE_INT32(intr_mask, MegasasState), +- VMSTATE_INT32(doorbell, MegasasState), ++ VMSTATE_UINT32(fw_state, MegasasState), ++ VMSTATE_UINT32(intr_mask, MegasasState), ++ VMSTATE_UINT32(doorbell, MegasasState), + VMSTATE_UINT64(reply_queue_pa, MegasasState), + VMSTATE_UINT64(consumer_pa, MegasasState), + VMSTATE_UINT64(producer_pa, MegasasState), +@@ -2278,9 +2278,9 @@ static const VMStateDescription vmstate_megasas_gen2 = { + VMSTATE_PCI_DEVICE(parent_obj, MegasasState), + VMSTATE_MSIX(parent_obj, MegasasState), + +- VMSTATE_INT32(fw_state, MegasasState), +- VMSTATE_INT32(intr_mask, MegasasState), +- VMSTATE_INT32(doorbell, MegasasState), ++ VMSTATE_UINT32(fw_state, MegasasState), ++ VMSTATE_UINT32(intr_mask, MegasasState), ++ VMSTATE_UINT32(doorbell, MegasasState), + VMSTATE_UINT64(reply_queue_pa, MegasasState), + VMSTATE_UINT64(consumer_pa, MegasasState), + VMSTATE_UINT64(producer_pa, MegasasState), diff --git a/SPECS/qemu-kvm/CVE-2020-13754.patch b/SPECS/qemu-kvm/CVE-2020-13754.patch new file mode 100644 index 00000000000..b06ce09c3a9 --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2020-13754.patch 
@@ -0,0 +1,59 @@ +Cc: qemu-stable@nongnu.org +Reviewed-by: Richard Henderson +Fixes: CVE-2020-13754 +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363 +Fixes: a014ed07bd5a ("memory: accept mismatching sizes in +memory_region_access_valid") +Signed-off-by: Michael S. Tsirkin +--- + memory.c | 29 +++++++++-------------------- + 1 file changed, 9 insertions(+), 20 deletions(-) + +diff --git a/memory.c b/memory.c +index 91ceaf9fcf..3e9388fb74 100644 +--- a/memory.c ++++ b/memory.c +@@ -1352,35 +1352,24 @@ bool memory_region_access_valid(MemoryRegion *mr, + bool is_write, + MemTxAttrs attrs) + { +- int access_size_min, access_size_max; +- int access_size, i; ++ if (mr->ops->valid.accepts ++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) { ++ return false; ++ } + + if (!mr->ops->valid.unaligned && (addr & (size - 1))) { + return false; + } + +- if (!mr->ops->valid.accepts) { ++ /* Treat zero as compatibility all valid */ ++ if (!mr->ops->valid.max_access_size) { + return true; + } + +- access_size_min = mr->ops->valid.min_access_size; +- if (!mr->ops->valid.min_access_size) { +- access_size_min = 1; ++ if (size > mr->ops->valid.max_access_size ++ || size < mr->ops->valid.min_access_size) { ++ return false; + } +- +- access_size_max = mr->ops->valid.max_access_size; +- if (!mr->ops->valid.max_access_size) { +- access_size_max = 4; +- } +- +- access_size = MAX(MIN(size, access_size_max), access_size_min); +- for (i = 0; i < size; i += access_size) { +- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size, +- is_write, attrs)) { +- return false; +- } +- } +- + return true; + } diff --git a/SPECS/qemu-kvm/CVE-2020-13791.patch b/SPECS/qemu-kvm/CVE-2020-13791.patch new file mode 100644 index 00000000000..f3348baee8f --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2020-13791.patch 
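Review bot: After this change memory_region_access_valid() enforces `valid.min_access_size` / `valid.max_access_size` for every region, whereas the removed code returned true whenever `valid.accepts` was unset. Any device model in the 4.2.0 tree whose `.valid` limits are narrower than the accesses guests actually issue will now have those accesses rejected. The backport should therefore be boot-tested on the shipped machine types and checked for devices that need their limits widened (presumably upstream made such per-device corrections after this change; confirm). The embedded patch also begins at `Cc:` with no `From:` or `Subject:` lines, so its origin commit is not recorded; a one-line comment above `Patch11` in the spec naming the upstream commit would close that gap.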
@@ -0,0 +1,70 @@ +From: Prasad J Pandit + +While reading PCI configuration bytes, a guest may send an +address towards the end of the configuration space. It may lead +to an OOB access issue. Add check to ensure 'address + size' is +within PCI configuration space. + +Reported-by: Ren Ding +Reported-by: Hanqing Zhao +Reported-by: Yi Ren +Signed-off-by: Prasad J Pandit +--- + hw/display/ati.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +Update v2: add check to avoid OOB PCI configuration space access + -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00711.html + +diff --git a/hw/display/ati.c b/hw/display/ati.c +index bda4a2d816..6671959e5d 100644 +--- a/hw/display/ati.c ++++ b/hw/display/ati.c +@@ -384,7 +384,10 @@ static uint64_t ati_mm_read(void *opaque + val = s->regs.crtc_pitch; + break; + case 0xf00 ... 0xfff: +- val = pci_default_read_config(&s->dev, addr - 0xf00, size); ++ addr = addr - 0xf00; ++ if (addr + size <= 0xff) { ++ val = pci_default_read_config(&s->dev, addr, size); ++ } + break; + case CUR_OFFSET: + val = s->regs.cur_offset; +-- +2.26.2 + + +From: Prasad J Pandit + +While reading PCI configuration bytes, a guest may send an +address towards the end of the configuration space. It may lead +to an OOB access issue. Add check to ensure 'address + len' is +within PCI configuration space. 
+ +Reported-by: Ren Ding +Reported-by: Hanqing Zhao +Reported-by: Yi Ren +Signed-off-by: Prasad J Pandit +--- + hw/pci/pci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/hw/pci/pci.c b/hw/pci/pci.c +index 70c66965f5..4429fa9401 100644 +--- a/hw/pci/pci.c ++++ b/hw/pci/pci.c +@@ -1385,7 +1385,9 @@ uint32_t pci_default_read_config(PCIDevice *d, + ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) { + pcie_sync_bridge_lnk(d); + } +- memcpy(&val, d->config + address, len); ++ if (address + len <= pci_config_size(d)) { ++ memcpy(&val, d->config + address, len); ++ } + return le32_to_cpu(val); + } + +-- +2.26.2 \ No newline at end of file diff --git a/SPECS/qemu-kvm/CVE-2020-13800.patch b/SPECS/qemu-kvm/CVE-2020-13800.patch new file mode 100644 index 00000000000..14f9d1a1689 --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2020-13800.patch 
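Review bot: The bound added in the ati_mm_read hunk looks off by one: `if (addr + size <= 0xff)` rejects every read that ends at or touches offset 0xff of the 0xf00 ... 0xfff window, so even a one-byte read of the last config byte (0xff + 1 = 0x100) is dropped. `if (addr + size <= 0x100) {`, or `pci_config_size(&s->dev)` as the second patch in this file already uses inside pci_default_read_config(), keeps the out-of-bounds protection without refusing valid reads. Both guards leave `val` unassigned when they fail, so they rely on `val` being initialised earlier in each function; those declarations are outside the hunks and should be confirmed.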
@@ -0,0 +1,59 @@ +From a98610c429d52db0937c1e48659428929835c455 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 4 Jun 2020 14:38:30 +0530 +Subject: [PATCH] ati-vga: check mm_index before recursive call + (CVE-2020-13800) +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +While accessing VGA registers via ati_mm_read/write routines, +a guest may set 's->regs.mm_index' such that it leads to infinite +recursion. Check mm_index value to avoid such recursion. Log an +error message for wrong values. + +Reported-by: Ren Ding +Reported-by: Hanqing Zhao +Reported-by: Yi Ren +Message-id: 20200604090830.33885-1-ppandit@redhat.com +Suggested-by: BALATON Zoltan +Suggested-by: Philippe Mathieu-Daudé +Signed-off-by: Prasad J Pandit +Signed-off-by: Gerd Hoffmann +--- + hw/display/ati.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/hw/display/ati.c b/hw/display/ati.c +index 065f197..67604e6 100644 +--- a/hw/display/ati.c ++++ b/hw/display/ati.c +@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size) + if (idx <= s->vga.vram_size - size) { + val = ldn_le_p(s->vga.vram_ptr + idx, size); + } +- } else { ++ } else if (s->regs.mm_index > MM_DATA + 3) { + val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size); ++ } else { ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index); + } + break; + case BIOS_0_SCRATCH ... BUS_CNTL - 1: +@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr, + if (idx <= s->vga.vram_size - size) { + stn_le_p(s->vga.vram_ptr + idx, size, data); + } +- } else { ++ } else if (s->regs.mm_index > MM_DATA + 3) { + ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); ++ } else { ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index); + } + break; + case BIOS_0_SCRATCH ... BUS_CNTL - 1: +-- +1.8.3.1 + 
diff --git a/SPECS/qemu-kvm/CVE-2020-14364.patch b/SPECS/qemu-kvm/CVE-2020-14364.patch new file mode 100644 index 00000000000..d0037bb60ed --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2020-14364.patch 
@@ -0,0 +1,88 @@ +From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 25 Aug 2020 07:36:36 +0200 +Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364) + +Store calculated setup_len in a local variable, verify it, and only +write it to the struct (USBDevice->setup_len) in case it passed the +sanity checks. + +This prevents other code (do_token_{in,out} functions specifically) +from working with invalid USBDevice->setup_len values and overrunning +the USBDevice->setup_buf[] buffer. + +Fixes: CVE-2020-14364 +Signed-off-by: Gerd Hoffmann +Tested-by: Gonglei +Reviewed-by: Li Qiang +Message-id: 20200825053636.29648-1-kraxel@redhat.com +--- + hw/usb/core.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/hw/usb/core.c b/hw/usb/core.c +index 5abd128..5234dcc 100644 +--- a/hw/usb/core.c ++++ b/hw/usb/core.c +@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream) + static void do_token_setup(USBDevice *s, USBPacket *p) + { + int request, value, index; ++ unsigned int setup_len; + + if (p->iov.size != 8) { + p->status = USB_RET_STALL; +@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p) + usb_packet_copy(p, s->setup_buf, p->iov.size); + s->setup_index = 0; + p->actual_length = 0; +- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; +- if (s->setup_len > sizeof(s->data_buf)) { ++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; ++ if (setup_len > sizeof(s->data_buf)) { + fprintf(stderr, + "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", +- s->setup_len, sizeof(s->data_buf)); ++ setup_len, sizeof(s->data_buf)); + p->status = USB_RET_STALL; + return; + } ++ s->setup_len = setup_len; + + request = (s->setup_buf[0] << 8) | s->setup_buf[1]; + value = (s->setup_buf[3] << 8) | s->setup_buf[2]; +@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p) + static void do_parameter(USBDevice *s, USBPacket 
*p) + { + int i, request, value, index; ++ unsigned int setup_len; + + for (i = 0; i < 8; i++) { + s->setup_buf[i] = p->parameter >> (i*8); + } + + s->setup_state = SETUP_STATE_PARAM; +- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; + s->setup_index = 0; + + request = (s->setup_buf[0] << 8) | s->setup_buf[1]; + value = (s->setup_buf[3] << 8) | s->setup_buf[2]; + index = (s->setup_buf[5] << 8) | s->setup_buf[4]; + +- if (s->setup_len > sizeof(s->data_buf)) { ++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6]; ++ if (setup_len > sizeof(s->data_buf)) { + fprintf(stderr, + "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n", +- s->setup_len, sizeof(s->data_buf)); ++ setup_len, sizeof(s->data_buf)); + p->status = USB_RET_STALL; + return; + } ++ s->setup_len = setup_len; + + if (p->pid == USB_TOKEN_OUT) { + usb_packet_copy(p, s->data_buf, s->setup_len); +-- +1.8.3.1 + diff --git a/SPECS/qemu-kvm/CVE-2020-14415.patch b/SPECS/qemu-kvm/CVE-2020-14415.patch new file mode 100644 index 00000000000..2e59fe99222 --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2020-14415.patch @@ -0,0 +1,13 @@ +diff --git a/audio/ossaudio.c b/audio/ossaudio.c +index c43faee..9456491 100644 +--- a/audio/ossaudio.c ++++ b/audio/ossaudio.c +@@ -420,7 +420,7 @@ static size_t oss_write(HWVoiceOut *hw, void *buf, size_t len) + size_t to_copy = MIN(len, hw->size_emul - hw->pos_emul); + memcpy(hw->buf_emul + hw->pos_emul, buf, to_copy); + +- hw->pos_emul = (hw->pos_emul + to_copy) % hw->pos_emul; ++ hw->pos_emul = (hw->pos_emul + to_copy) % hw->size_emul; + buf += to_copy; + len -= to_copy; + } diff --git a/SPECS/qemu-kvm/CVE-2020-15469.patch b/SPECS/qemu-kvm/CVE-2020-15469.patch new file mode 100644 index 00000000000..0ae9639ea4f --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2020-15469.patch 
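Review bot: In the CVE-2020-14364 patch the `fprintf` format was not updated with the type: `setup_len` is now `unsigned int`, but both messages in do_token_setup() and do_parameter() still print it with `%d` in `"usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n"`. The value is at most 0xffff so the output is unchanged, but the conversion should be `%u` to match the argument and stay clean under format warnings. Both functions continue outside the hunks shown.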
@@ -0,0 +1,253 @@ +diff --git a/hw/misc/imx7_ccm.c b/hw/misc/imx7_ccm.c +index 02fc1ae..5ac5ecf 100644 +--- a/hw/misc/imx7_ccm.c ++++ b/hw/misc/imx7_ccm.c +@@ -131,8 +131,15 @@ static const struct MemoryRegionOps imx7_set_clr_tog_ops = { + }, + }; + ++static void imx7_digprog_write(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); ++} ++ + static const struct MemoryRegionOps imx7_digprog_ops = { + .read = imx7_set_clr_tog_read, ++ .write = imx7_digprog_write, + .endianness = DEVICE_NATIVE_ENDIAN, + .impl = { + .min_access_size = 4, +diff --git a/hw/misc/tz-ppc.c b/hw/misc/tz-ppc.c +index 181a5f1..350ada8 100644 +--- a/hw/misc/tz-ppc.c ++++ b/hw/misc/tz-ppc.c +@@ -196,7 +196,21 @@ static bool tz_ppc_dummy_accepts(void *opaque, hwaddr addr, + g_assert_not_reached(); + } + ++static uint64_t tz_ppc_dummy_read(void *opaque, hwaddr addr, unsigned size) ++{ ++ g_assert_not_reached(); ++} ++ ++static void tz_ppc_dummy_write(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ g_assert_not_reached(); ++} ++ + static const MemoryRegionOps tz_ppc_dummy_ops = { ++ /* define r/w methods to avoid assert failure in memory_region_init_io */ ++ .read = tz_ppc_dummy_read, ++ .write = tz_ppc_dummy_write, + .valid.accepts = tz_ppc_dummy_accepts, + }; + +diff --git a/hw/nvram/nrf51_nvm.c b/hw/nvram/nrf51_nvm.c +index 4d678f9..3d56566 100644 +--- a/hw/nvram/nrf51_nvm.c ++++ b/hw/nvram/nrf51_nvm.c +@@ -273,6 +273,10 @@ static const MemoryRegionOps io_ops = { + .endianness = DEVICE_LITTLE_ENDIAN, + }; + ++static uint64_t flash_read(void *opaque, hwaddr offset, unsigned size) ++{ ++ g_assert_not_reached(); ++} + + static void flash_write(void *opaque, hwaddr offset, uint64_t value, + unsigned int size) +@@ -300,6 +304,7 @@ static void flash_write(void *opaque, hwaddr offset, uint64_t value, + + + static const MemoryRegionOps flash_ops = { ++ .read = flash_read, + .write = flash_write, + 
.valid.min_access_size = 4, + .valid.max_access_size = 4, +diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c +index 71e9b0d..17ad489 100644 +--- a/hw/pci-host/designware.c ++++ b/hw/pci-host/designware.c +@@ -21,6 +21,7 @@ + #include "qemu/osdep.h" + #include "qapi/error.h" + #include "qemu/module.h" ++#include "qemu/log.h" + #include "hw/pci/msi.h" + #include "hw/pci/pci_bridge.h" + #include "hw/pci/pci_host.h" +@@ -63,6 +64,13 @@ designware_pcie_root_to_host(DesignwarePCIERoot *root) + return DESIGNWARE_PCIE_HOST(bus->parent); + } + ++static uint64_t designware_pcie_root_msi_read(void *opaque, hwaddr addr, ++ unsigned size) ++{ ++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); ++ return 0; ++} ++ + static void designware_pcie_root_msi_write(void *opaque, hwaddr addr, + uint64_t val, unsigned len) + { +@@ -77,6 +85,7 @@ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr, + } + + static const MemoryRegionOps designware_pci_host_msi_ops = { ++ .read = designware_pcie_root_msi_read, + .write = designware_pcie_root_msi_write, + .endianness = DEVICE_LITTLE_ENDIAN, + .valid = { +diff --git a/hw/pci-host/prep.c b/hw/pci-host/prep.c +index 85d7ba9..7f366d9 100644 +--- a/hw/pci-host/prep.c ++++ b/hw/pci-host/prep.c +@@ -26,6 +26,7 @@ + #include "qemu/osdep.h" + #include "qemu-common.h" + #include "qemu/units.h" ++#include "qemu/log.h" + #include "qapi/error.h" + #include "hw/pci/pci.h" + #include "hw/pci/pci_bus.h" +@@ -119,8 +120,15 @@ static uint64_t raven_intack_read(void *opaque, hwaddr addr, + return pic_read_irq(isa_pic); + } + ++static void raven_intack_write(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); ++} ++ + static const MemoryRegionOps raven_intack_ops = { + .read = raven_intack_read, ++ .write = raven_intack_write, + .valid = { + .max_access_size = 1, + }, +diff --git a/hw/ppc/prep_systemio.c b/hw/ppc/prep_systemio.c +index 
86e83e2..e712a9a 100644 +--- a/hw/ppc/prep_systemio.c ++++ b/hw/ppc/prep_systemio.c +@@ -23,6 +23,7 @@ + */ + + #include "qemu/osdep.h" ++#include "qemu/log.h" + #include "hw/irq.h" + #include "hw/isa/isa.h" + #include "hw/qdev-properties.h" +@@ -235,8 +236,15 @@ static uint64_t ppc_parity_error_readl(void *opaque, hwaddr addr, + return val; + } + ++static void ppc_parity_error_writel(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ qemu_log_mask(LOG_GUEST_ERROR, "%s: invalid write access\n", __func__); ++} ++ + static const MemoryRegionOps ppc_parity_error_ops = { + .read = ppc_parity_error_readl, ++ .write = ppc_parity_error_writel, + .valid = { + .min_access_size = 4, + .max_access_size = 4, +diff --git a/hw/ppc/spapr_pci.c b/hw/ppc/spapr_pci.c +index f6fbcf9..e886211 100644 +--- a/hw/ppc/spapr_pci.c ++++ b/hw/ppc/spapr_pci.c +@@ -52,6 +52,7 @@ + #include "sysemu/kvm.h" + #include "sysemu/hostmem.h" + #include "sysemu/numa.h" ++#include "qemu/log.h" + + /* Copied from the kernel arch/powerpc/platforms/pseries/msi.c */ + #define RTAS_QUERY_FN 0 +@@ -738,6 +739,12 @@ static PCIINTxRoute spapr_route_intx_pin_to_irq(void *opaque, int pin) + return route; + } + ++static uint64_t spapr_msi_read(void *opaque, hwaddr addr, unsigned size) ++{ ++ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__); ++ return 0; ++} ++ + /* + * MSI/MSIX memory region implementation. + * The handler handles both MSI and MSIX. 
+@@ -755,8 +762,10 @@ static void spapr_msi_write(void *opaque, hwaddr addr, + } + + static const MemoryRegionOps spapr_msi_ops = { +- /* There is no .read as the read result is undefined by PCI spec */ +- .read = NULL, ++ /* .read result is undefined by PCI spec ++ * define .read method to avoid assert failure in memory_region_init_io ++ */ ++ .read = spapr_msi_read, + .write = spapr_msi_write, + .endianness = DEVICE_LITTLE_ENDIAN + }; +diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c +index 136f3a9..c3e5cab 100644 +--- a/hw/vfio/pci-quirks.c ++++ b/hw/vfio/pci-quirks.c +@@ -13,6 +13,7 @@ + #include "qemu/osdep.h" + #include "exec/memop.h" + #include "qemu/units.h" ++#include "qemu/log.h" + #include "qemu/error-report.h" + #include "qemu/main-loop.h" + #include "qemu/module.h" +@@ -278,8 +279,15 @@ static uint64_t vfio_ati_3c3_quirk_read(void *opaque, + return data; + } + ++static void vfio_ati_3c3_quirk_write(void *opaque, hwaddr addr, ++ uint64_t data, unsigned size) ++{ ++ qemu_log_mask(LOG_GUEST_ERROR, "%s not implemented\n", __func__); ++} ++ + static const MemoryRegionOps vfio_ati_3c3_quirk = { + .read = vfio_ati_3c3_quirk_read, ++ .write = vfio_ati_3c3_quirk_write, + .endianness = DEVICE_LITTLE_ENDIAN, + }; + +diff --git a/memory.c b/memory.c +index 06484c2..019e7e5 100644 +--- a/memory.c ++++ b/memory.c +@@ -1495,7 +1495,13 @@ void memory_region_init_io(MemoryRegion *mr, + uint64_t size) + { + memory_region_init(mr, owner, name, size); +- mr->ops = ops ? 
ops : &unassigned_mem_ops; ++ if (ops) { ++ assert(ops->read || ops->read_with_attrs); ++ assert(ops->write || ops->write_with_attrs); ++ mr->ops = ops; ++ } else { ++ mr->ops = &unassigned_mem_ops; ++ } + mr->opaque = opaque; + mr->terminates = true; + } +@@ -1684,6 +1690,8 @@ void memory_region_init_rom_device_nomigrate(MemoryRegion *mr, + { + Error *err = NULL; + assert(ops); ++ assert(ops->read || ops->read_with_attrs); ++ assert(ops->write || ops->write_with_attrs); + memory_region_init(mr, owner, name, size); + mr->ops = ops; + mr->opaque = opaque; diff --git a/SPECS/qemu-kvm/CVE-2020-15859.patch b/SPECS/qemu-kvm/CVE-2020-15859.patch new file mode 100644 index 00000000000..ed3341c7c20 --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2020-15859.patch 
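Review bot: The new `assert(ops->read || ops->read_with_attrs)` and `assert(ops->write || ops->write_with_attrs)` in memory_region_init_io() and memory_region_init_rom_device_nomigrate() abort QEMU at device initialisation for any MemoryRegionOps table that still lacks a callback. The stubs added here cover the devices the patch lists, but the hunks were presumably written against a newer tree, so the 4.2.0 sources should be searched for other ops tables with a missing `.read` or `.write` before this ships. Separately, `tz_ppc_dummy_read`, `tz_ppc_dummy_write` and `flash_read` use `g_assert_not_reached()`; unless those paths are provably unreachable from a guest, a logging stub such as the `qemu_log_mask(LOG_GUEST_ERROR, ...)` used for `ppc_parity_error_writel` avoids replacing a NULL call with a process abort.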
@@ -0,0 +1,88 @@ +diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c +index 9b76f82..1355a94 100644 +--- a/hw/net/e1000e_core.c ++++ b/hw/net/e1000e_core.c +@@ -2423,32 +2423,27 @@ e1000e_set_dbal(E1000ECore *core, int index, uint32_t val) + static void + e1000e_set_tctl(E1000ECore *core, int index, uint32_t val) + { +- E1000E_TxRing txr; + core->mac[index] = val; + + if (core->mac[TARC0] & E1000_TARC_ENABLE) { +- e1000e_tx_ring_init(core, &txr, 0); +- e1000e_start_xmit(core, &txr); ++ qemu_bh_schedule(core->tx[0].tx_bh); + } + + if (core->mac[TARC1] & E1000_TARC_ENABLE) { +- e1000e_tx_ring_init(core, &txr, 1); +- e1000e_start_xmit(core, &txr); ++ qemu_bh_schedule(core->tx[1].tx_bh); + } + } + + static void + e1000e_set_tdt(E1000ECore *core, int index, uint32_t val) + { +- E1000E_TxRing txr; + int qidx = e1000e_mq_queue_idx(TDT, index); + uint32_t tarc_reg = (qidx == 0) ? TARC0 : TARC1; + + core->mac[index] = val & 0xffff; + + if (core->mac[tarc_reg] & E1000_TARC_ENABLE) { +- e1000e_tx_ring_init(core, &txr, qidx); +- e1000e_start_xmit(core, &txr); ++ qemu_bh_schedule(core->tx[qidx].tx_bh); + } + } + +@@ -3313,6 +3308,16 @@ e1000e_vm_state_change(void *opaque, int running, RunState state) + } + } + ++static void e1000e_core_tx_bh(void *opaque) ++{ ++ struct e1000e_tx *tx = opaque; ++ E1000ECore *core = tx->core; ++ E1000E_TxRing txr; ++ ++ e1000e_tx_ring_init(core, &txr, tx - &core->tx[0]); ++ e1000e_start_xmit(core, &txr); ++} ++ + void + e1000e_core_pci_realize(E1000ECore *core, + const uint16_t *eeprom_templ, +@@ -3331,6 +3336,8 @@ e1000e_core_pci_realize(E1000ECore *core, + for (i = 0; i < E1000E_NUM_QUEUES; i++) { + net_tx_pkt_init(&core->tx[i].tx_pkt, core->owner, + E1000E_MAX_TX_FRAGS, core->has_vnet); ++ core->tx[i].core = core; ++ core->tx[i].tx_bh = qemu_bh_new(e1000e_core_tx_bh, &core->tx[i]); + } + + net_rx_pkt_init(&core->rx_pkt, core->has_vnet); +@@ -3358,6 +3365,8 @@ e1000e_core_pci_uninit(E1000ECore *core) + for (i = 0; i < E1000E_NUM_QUEUES; 
i++) { + net_tx_pkt_reset(core->tx[i].tx_pkt); + net_tx_pkt_uninit(core->tx[i].tx_pkt); ++ qemu_bh_delete(core->tx[i].tx_bh); ++ core->tx[i].tx_bh = NULL; + } + + net_rx_pkt_uninit(core->rx_pkt); +diff --git a/hw/net/e1000e_core.h b/hw/net/e1000e_core.h +index 49abb13..83c3be3 100644 +--- a/hw/net/e1000e_core.h ++++ b/hw/net/e1000e_core.h +@@ -77,6 +77,8 @@ struct E1000Core { + unsigned char sum_needed; + bool cptse; + struct NetTxPkt *tx_pkt; ++ QEMUBH *tx_bh; ++ E1000ECore *core; + } tx[E1000E_NUM_QUEUES]; + + struct NetRxPkt *rx_pkt; diff --git a/SPECS/qemu-kvm/CVE-2020-24352.patch b/SPECS/qemu-kvm/CVE-2020-24352.patch new file mode 100644 index 00000000000..328d111b411 --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2020-24352.patch @@ -0,0 +1,28 @@ +diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c +index 23a8ae0..4dc10ea 100644 +--- a/hw/display/ati_2d.c ++++ b/hw/display/ati_2d.c +@@ -67,8 +75,9 @@ void ati_2d_blt(ATIVGAState *s) + dst_stride *= bpp; + } + uint8_t *end = s->vga.vram_ptr + s->vga.vram_size; +- if (dst_bits >= end || dst_bits + dst_x + (dst_y + s->regs.dst_height) * +- dst_stride >= end) { ++ if (dst_x > 0x3fff || dst_y > 0x3fff || dst_bits >= end ++ || dst_bits + dst_x ++ + (dst_y + s->regs.dst_height) * dst_stride >= end) { + qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n"); + return; + } +@@ -95,8 +108,9 @@ void ati_2d_blt(ATIVGAState *s) + src_bits += s->regs.crtc_offset & 0x07ffffff; + src_stride *= bpp; + } +- if (src_bits >= end || src_bits + src_x + +- (src_y + s->regs.dst_height) * src_stride >= end) { ++ if (src_x > 0x3fff || src_y > 0x3fff || src_bits >= end ++ || src_bits + src_x ++ + (src_y + s->regs.dst_height) * src_stride >= end) { + qemu_log_mask(LOG_UNIMP, "blt outside vram not implemented\n"); + return; + } diff --git a/SPECS/qemu-kvm/CVE-2020-25742.patch b/SPECS/qemu-kvm/CVE-2020-25742.patch new file mode 100644 index 00000000000..069b906568c --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2020-25742.patch 
@@ -0,0 +1,14 @@ +diff --git a/hw/pci/pci.c b/hw/pci/pci.c +index cbc7a32..fa58e7a 100644 +--- a/hw/pci/pci.c ++++ b/hw/pci/pci.c +@@ -255,6 +255,9 @@ static void pci_change_irq_level(PCIDevice *pci_dev, int irq_num, int change) + PCIBus *bus; + for (;;) { + bus = pci_get_bus(pci_dev); ++ if (!bus) { ++ return; ++ } + irq_num = bus->map_irq(pci_dev, irq_num); + if (bus->set_irq) + break; diff --git a/SPECS/qemu-kvm/CVE-2020-25743.patch b/SPECS/qemu-kvm/CVE-2020-25743.patch new file mode 100644 index 00000000000..86cdef73f6b --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2020-25743.patch @@ -0,0 +1,28 @@ +diff --git a/hw/ide/core.c b/hw/ide/core.c +index 754ff4d..39da759 100644 +--- a/hw/ide/core.c ++++ b/hw/ide/core.c +@@ -718,6 +718,7 @@ void ide_cancel_dma_sync(IDEState *s) + * whole DMA operation will be submitted to disk with a single + * aio operation with preadv/pwritev. + */ ++ assert(s->blk); + if (s->bus->dma->aiocb) { + trace_ide_cancel_dma_sync_remaining(); + blk_drain(s->blk); +diff --git a/hw/ide/pci.c b/hw/ide/pci.c +index cce1da8..81cd312 100644 +--- a/hw/ide/pci.c ++++ b/hw/ide/pci.c +@@ -295,7 +295,10 @@ void bmdma_cmd_writeb(BMDMAState *bm, uint32_t val) + /* Ignore writes to SSBM if it keeps the old value */ + if ((val & BM_CMD_START) != (bm->cmd & BM_CMD_START)) { + if (!(val & BM_CMD_START)) { +- ide_cancel_dma_sync(idebus_active_if(bm->bus)); ++ IDEState *s = idebus_active_if(bm->bus); ++ if (s->blk) { ++ ide_cancel_dma_sync(s); ++ } + bm->status &= ~BM_STATUS_DMAING; + } else { + bm->cur_addr = bm->addr; diff --git a/SPECS/qemu-kvm/qemu-kvm.spec b/SPECS/qemu-kvm/qemu-kvm.spec index 6becd32182b..61cc8351bd8 100644 --- a/SPECS/qemu-kvm/qemu-kvm.spec +++ b/SPECS/qemu-kvm/qemu-kvm.spec 
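Review bot: In the CVE-2020-25743 patch, `assert(s->blk);` in ide_cancel_dma_sync() replaces the NULL dereference with an abort, which is still a guest-visible crash if any caller other than bmdma_cmd_writeb() reaches it for a drive without a backend. Only the bmdma_cmd_writeb() call site gains the `if (s->blk)` guard here, and the other callers of ide_cancel_dma_sync() are outside the hunks, so they need to be checked. If any of them can be driven by the guest with no block backend attached, an early `if (!s->blk) { return; }` inside ide_cancel_dma_sync() would cover every caller at once.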
@@ -1,42 +1,55 @@ -Summary: QEMU is a machine emulator and virtualizer -Name: qemu-kvm -Version: 4.2.0 -Release: 13%{?dist} -License: GPLv2 and GPLv2+ and CC-BY and BSD -Group: Development/Tools -URL: https://www.qemu.org/ -Vendor: Microsoft Corporation -Distribution: Mariner -Source0: https://download.qemu.org/qemu-%{version}.tar.xz -Source1: 65-kvm.rules +Summary: QEMU is a machine emulator and virtualizer +Name: qemu-kvm +Version: 4.2.0 +Release: 21%{?dist} +License: GPLv2 AND GPLv2+ AND CC-BY AND BSD +Vendor: Microsoft Corporation +Distribution: Mariner +Group: Development/Tools +URL: https://www.qemu.org/ +Source0: https://download.qemu.org/qemu-%{version}.tar.xz +Source1: 65-kvm.rules # https://git.qemu.org/?p=qemu.git;a=commit;h=8ffb7265af64ec81748335ec8f20e7ab542c3850 -Patch0: CVE-2020-11102.patch +Patch0: CVE-2020-11102.patch # This vulnerability is in libslirp source code. And qemu is exposed to it when configured with libslirp. # Since Mariner does not have libslirp, it is not applicable. -Patch1: CVE-2020-7039.nopatch -Patch2: CVE-2020-1711.patch -Patch3: CVE-2020-7211.patch -Patch4: CVE-2019-20175.patch -Patch5: CVE-2020-13659.patch -Patch6: CVE-2020-16092.patch -Patch7: CVE-2020-15863.patch -# CVE-2016-7161 was fixed in 2.7.0, but the CVE database was not updated. (a0d1cbdacff5df4ded16b753b38fdd9da6092968) -Patch8: CVE-2016-7161.nopatch -# CVE-2015-7504 was fixed in 2.5.0, but the CVE database was not updated. (837f21aacf5a714c23ddaadbbc5212f9b661e3f7) -Patch9: CVE-2015-7504.nopatch -# CVE-2017-5931 was fixed in 2.9.0, but the CVE database was not updated. (a08aaff811fb194950f79711d2afe5a892ae03a4) -Patch10: CVE-2017-5931.nopatch -# CVE-2017-14167 was fixed in 2.11.0, but the CVE database was not updated. 
(ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb) -Patch11: CVE-2017-14167.nopatch - -BuildRequires: python3-devel -BuildRequires: glib-devel -BuildRequires: pixman-devel -BuildRequires: alsa-lib-devel -BuildRequires: zlib-devel -Requires: alsa-lib -Requires: cyrus-sasl -Requires: pixman +Patch1: CVE-2020-7039.nopatch +Patch2: CVE-2020-1711.patch +Patch3: CVE-2020-7211.patch +Patch4: CVE-2019-20175.patch +Patch5: CVE-2020-13659.patch +Patch6: CVE-2020-16092.patch +Patch7: CVE-2020-15863.patch +Patch8: CVE-2020-10702.patch +Patch9: CVE-2020-10761.patch +# CVE-2020-13253 backported to 4.2.0. Original version: https://github.com/qemu/qemu/commit/790762e5487114341cccc5bffcec4cb3c022c3cd +Patch10: CVE-2020-13253.patch +Patch11: CVE-2020-13754.patch +Patch12: CVE-2020-13800.patch +Patch13: CVE-2020-14364.patch +Patch14: CVE-2020-13791.patch +# CVE-2018-19665 patch never merged upstream, link: https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html +Patch15: CVE-2018-19665.patch +Patch16: CVE-2020-13361.patch +Patch17: CVE-2020-11869.patch +Patch18: CVE-2020-14415.patch +Patch19: CVE-2020-15859.patch +Patch20: CVE-2020-13362.patch +Patch21: CVE-2020-25742.patch +Patch22: CVE-2020-25743.patch +Patch23: CVE-2020-15469.patch +Patch24: CVE-2020-24352.patch +# CVE-2020-12820 only affects powerpc and SuperH emulation (see .nopatch file for details). Resloved fully in qemu >=5.0.0 +Patch25: CVE-2020-12829.nopatch +Patch26: CVE-2018-12617.patch +BuildRequires: alsa-lib-devel +BuildRequires: glib-devel +BuildRequires: pixman-devel +BuildRequires: python3-devel +BuildRequires: zlib-devel +Requires: alsa-lib +Requires: cyrus-sasl +Requires: pixman %description QEMU is a generic and open source machine & userspace emulator and virtualizer. 
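Review bot: The comment above `Patch25` names CVE-2020-12820, but the file it documents is `CVE-2020-12829.nopatch`; the mismatch will mislead anyone reconciling the spec against CVE scanner output. It should read `# CVE-2020-12829 only affects powerpc and SuperH emulation (see .nopatch file for details). Resolved fully in qemu >=5.0.0`, which also fixes the "Resloved" typo. `Patch26: CVE-2018-12617.patch` and the patches numbered 16 to 24 carry no comment naming the upstream commit or mailing-list post they were taken from, unlike `Patch10` and `Patch15`; a one-line source reference per patch would make later rebases auditable.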
@@ -44,11 +57,11 @@ QEMU is a generic and open source machine & userspace emulator and virtualizer. %global debug_package %{nil} %package -n qemu-img -Summary: QEMU command line tool for manipulating disk images -Group: Development/Tools -Requires: glib -Requires: pixman -Requires: libstdc++ +Summary: QEMU command line tool for manipulating disk images +Group: Development/Tools +Requires: glib +Requires: libstdc++ +Requires: pixman %description -n qemu-img This package provides a command line tool for manipulating disk images. @@ -62,6 +75,24 @@ This package provides a command line tool for manipulating disk images. %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch26 -p1 %build 
@@ -122,36 +153,87 @@ chmod 755 %{buildroot}%{_bindir}/qemu %{_bindir}/qemu-nbd %changelog -* Tue Sep 29 2020 Daniel McIlvaney 4.2.0-13 -- Nopatch CVE-2015-7504, it was fixed in 2.5.0 -- Nopatch CVE-2017-5931, it was fixed in 2.9.0 -- Nopatch CVE-2017-14167, it was fixed in 2.11.0 -* Mon Sep 28 2020 Daniel McIlvaney 4.2.0-12 -- Nopatch CVE-2016-7161, it was fixed in 2.7 -* Mon Sep 14 2020 Nicolas Guibourge 4.2.0-11 -- Add patch for CVE-2020-15863 -* Wed Sep 02 2020 Nicolas Ontiveros 4.2.0-10 -- Add patch for CVE-2020-16092 -* Tue Jun 09 2020 Paul Monson 4.2.0-9 -- Add patch for CVE-2019-20175 -- Add patch for CVE-2020-13659 -* Thu May 21 2020 Suresh Babu Chalamalasetty 4.2.0-8 -- Fix CVE-2020-1711 and CVE-2020-7211. -* Sat May 09 00:20:51 PST 2020 Nick Samson - 4.2.0-7 -- Added %%license line automatically -* Fri May 1 2020 Emre Girgin 4.2.0-6 -- Renaming qemu to qemu-kvm -* Tue Apr 21 2020 Emre Girgin 4.2.0-5 -- Fix CVE-2020-11102. -- Ignore CVE-2020-7039. -- Update license and URL. -- License verified. -* Mon Mar 30 2020 Chris Co 4.2.0-4 -- Fix changelog to not define a sha1 macro -* Fri Mar 27 2020 Chris Co 4.2.0-3 -- Add elf2dmp and virtfs-proxy-helper binaries to package -- Delete unused sha1 -* Tue Mar 24 2020 Suresh Babu Chalamalasetty 4.2.0-2 -- Add Qemu KVM support -* Wed Jan 8 2020 Paul Monson 4.2.0-1 -- Original version for CBL-Mariner. 
+* Tue Nov 17 2020 Daniel McIlvaney - 4.2.0-21 +- Backport fix for CVE-2018-12617 from 5.0.0 + +* Mon Nov 16 2020 Daniel McIlvaney - 4.2.0-20 +- Noatch CVE-2020-12829, only affects SuperH and PowerPC emulation + +* Wed Nov 11 2020 Henry Li - 4.2.0-19 +- Patch CVE-2020-13361 +- Patch CVE-2020-11869 +- Patch CVE-2020-14415 +- Patch CVE-2020-15859 +- Patch CVE-2020-13362 +- Patch CVE-2020-25742 +- Patch CVE-2020-25743 +- Patch CVE-2020-15469 +- Patch CVE-2020-24352 + +* Fri Oct 30 2020 Thomas Crain - 4.2.0-18 +- Patch CVE-2018-19665 +- Remove nopatch files for CVE-2016-7161, CVE-2015-7504, CVE-2017-5931, + CVE-2017-14167, as NIST data for those has been corrected + +* Thu Oct 29 2020 Ruying Chen - 4.2.0-17 +- Patch CVE-2020-13791. + +* Thu Oct 29 2020 Joe Schmitt - 4.2.0-16 +- Patch CVE-2020-13800. +- Patch CVE-2020-14364. + +* Wed Oct 28 2020 Pawel Winogrodzki - 4.2.0-15 +- Add patch for CVE-2020-13253. +- Add patch for CVE-2020-13754. +- Adding back regular %%setup as %%autosetup fails on the *.nopatch files. + +* Tue Oct 27 2020 Henry Li - 4.2.0-14 +- Add patch for CVE-2020-10702 +- Add patch for CVE-2020-10761 +- Use autosetup + +* Tue Sep 29 2020 Daniel McIlvaney - 4.2.0-13 +- Nopatch CVE-2015-7504, it was fixed in 2.5.0 +- Nopatch CVE-2017-5931, it was fixed in 2.9.0 +- Nopatch CVE-2017-14167, it was fixed in 2.11.0 + +* Mon Sep 28 2020 Daniel McIlvaney - 4.2.0-12 +- Nopatch CVE-2016-7161, it was fixed in 2.7 + +* Mon Sep 14 2020 Nicolas Guibourge - 4.2.0-11 +- Add patch for CVE-2020-15863 + +* Wed Sep 02 2020 Nicolas Ontiveros - 4.2.0-10 +- Add patch for CVE-2020-16092 + +* Tue Jun 09 2020 Paul Monson - 4.2.0-9 +- Add patch for CVE-2019-20175 +- Add patch for CVE-2020-13659 + +* Thu May 21 2020 Suresh Babu Chalamalasetty - 4.2.0-8 +- Fix CVE-2020-1711 and CVE-2020-7211. 
+ +* Sat May 09 00:20:51 PST 2020 Nick Samson - 4.2.0-7 +- Added %%license line automatically + +* Fri May 1 2020 Emre Girgin - 4.2.0-6 +- Renaming qemu to qemu-kvm + +* Tue Apr 21 2020 Emre Girgin - 4.2.0-5 +- Fix CVE-2020-11102. +- Ignore CVE-2020-7039. +- Update license and URL. +- License verified. + +* Mon Mar 30 2020 Chris Co - 4.2.0-4 +- Fix changelog to not define a sha1 macro + +* Fri Mar 27 2020 Chris Co - 4.2.0-3 +- Add elf2dmp and virtfs-proxy-helper binaries to package +- Delete unused sha1 + +* Tue Mar 24 2020 Suresh Babu Chalamalasetty - 4.2.0-2 +- Add Qemu KVM support + +* Wed Jan 8 2020 Paul Monson - 4.2.0-1 +- Original version for CBL-Mariner. diff --git a/SPECS/redis/CVE-2020-14147.patch b/SPECS/redis/CVE-2020-14147.patch new file mode 100644 index 00000000000..7648c5e5ed6 --- /dev/null +++ b/SPECS/redis/CVE-2020-14147.patch 
@@ -0,0 +1,41 @@ +diff --git a/deps/lua/src/lua_struct.c b/deps/lua/src/lua_struct.c +index 4d5f027..c58c8e7 100644 +--- a/deps/lua/src/lua_struct.c ++++ b/deps/lua/src/lua_struct.c +@@ -89,12 +89,14 @@ typedef struct Header { + } Header; + + +-static int getnum (const char **fmt, int df) { ++static int getnum (lua_State *L, const char **fmt, int df) { + if (!isdigit(**fmt)) /* no number? */ + return df; /* return default value */ + else { + int a = 0; + do { ++ if (a > (INT_MAX / 10) || a * 10 > (INT_MAX - (**fmt - '0'))) ++ luaL_error(L, "integral size overflow"); + a = a*10 + *((*fmt)++) - '0'; + } while (isdigit(**fmt)); + return a; +@@ -115,9 +117,9 @@ static size_t optsize (lua_State *L, char opt, const char **fmt) { + case 'f': return sizeof(float); + case 'd': return sizeof(double); + case 'x': return 1; +- case 'c': return getnum(fmt, 1); ++ case 'c': return getnum(L, fmt, 1); + case 'i': case 'I': { +- int sz = getnum(fmt, sizeof(int)); ++ int sz = getnum(L, fmt, sizeof(int)); + if (sz > MAXINTSIZE) + luaL_error(L, "integral size %d is larger than limit of %d", + sz, MAXINTSIZE); +@@ -150,7 +152,7 @@ static void controloptions (lua_State *L, int opt, const char **fmt, + case '>': h->endian = BIG; return; + case '<': h->endian = LITTLE; return; + case '!': { +- int a = getnum(fmt, MAXALIGN); ++ int a = getnum(L, fmt, MAXALIGN); + if (!isp2(a)) + luaL_error(L, "alignment %d is not a power of 2", a); + h->align = a; diff --git a/SPECS/redis/redis.spec b/SPECS/redis/redis.spec index 8085d9be45a..7646d748821 100644 --- a/SPECS/redis/redis.spec +++ b/SPECS/redis/redis.spec 
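Review bot: This patch file starts straight at `diff --git a/deps/lua/src/lua_struct.c` with no header, so nothing records which upstream change the `getnum` overflow check was taken from or whether it was adapted for 5.0.5. The same holds for `SPECS/systemd/CVE-2019-20386.patch`, `CVE-2019-3842.patch` and `CVE-2019-3843.patch` later in this commit, whereas `SPECS/ruby/CVE-2020-25613.patch` keeps its `From`/`Subject` header. I would add a short header to each, e.g. `Upstream commit: <UPSTREAM_COMMIT_URL>` plus a line saying whether the change was modified during backport, so the fix can be audited against upstream. The new check also relies on `INT_MAX`; the include list of lua_struct.c is outside the hunk, so confirm `<limits.h>` is already pulled in.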
@@ -1,30 +1,29 @@ -Summary: advanced key-value store -Name: redis -Version: 5.0.5 -Release: 3%{?dist} -License: BSD -URL: http://redis.io/ -Group: Applications/Databases +Summary: advanced key-value store +Name: redis +Version: 5.0.5 +Release: 4%{?dist} +License: BSD +URL: https://redis.io/ +Group: Applications/Databases Vendor: Microsoft Corporation Distribution: Mariner -Source0: http://download.redis.io/releases/%{name}-%{version}.tar.gz -%define sha1 redis=71e38ae09ac70012b5bc326522b976bcb8e269d6 +Source0: https://download.redis.io/releases/%{name}-%{version}.tar.gz Patch0: redis-conf.patch +Patch1: CVE-2020-14147.patch BuildRequires: gcc BuildRequires: systemd BuildRequires: make BuildRequires: which BuildRequires: tcl BuildRequires: tcl-devel -Requires: systemd +Requires: systemd Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd %description Redis is an in-memory data structure store, used as database, cache and message broker. %prep -%setup -q -%patch0 -p1 +%autosetup -p1 %build make %{?_smp_mflags} @@ -84,6 +83,8 @@ exit 0 %config(noreplace) %attr(0640, %{name}, %{name}) %{_sysconfdir}/redis.conf %changelog +* Fri Oct 23 2020 Henry Li - 5.0.5-4 +- Add patch to resolve CVE-2020-14147 * Sat May 09 00:21:01 PST 2020 Nick Samson - 5.0.5-3 - Added %%license line automatically diff --git a/SPECS/ruby/CVE-2020-25613.patch b/SPECS/ruby/CVE-2020-25613.patch new file mode 100644 index 00000000000..d1b52ed33ba --- /dev/null +++ b/SPECS/ruby/CVE-2020-25613.patch 
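Review bot: Dropping `%define sha1 redis=...` in the header hunk removes the only digest for `Source0` that is visible in this spec, and the switch to `https://download.redis.io/` protects the transport but does not pin the tarball contents. If the build pins the source elsewhere (a signatures or checksum file is not visible in this diff), a one-line pointer would make that explicit, e.g. `# Source0 digest is tracked in <SIGNATURES_FILE>`. If nothing else pins it, a stronger digest should replace the removed SHA-1 rather than leaving none.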
@@ -0,0 +1,35 @@ +From 8946bb38b4d87549f0d99ed73c62c41933f97cc7 Mon Sep 17 00:00:00 2001 +From: Yusuke Endoh +Date: Tue, 29 Sep 2020 13:15:58 +0900 +Subject: [PATCH] Make it more strict to interpret some headers + +Some regexps were too tolerant. +--- + lib/webrick/httprequest.rb | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/webrick/httprequest.rb b/lib/webrick/httprequest.rb +index 294bd91..d34eac7 100644 +--- a/lib/webrick/httprequest.rb ++++ b/lib/webrick/httprequest.rb +@@ -226,9 +226,9 @@ def parse(socket=nil) + raise HTTPStatus::BadRequest, "bad URI `#{@unparsed_uri}'." + end + +- if /close/io =~ self["connection"] ++ if /\Aclose\z/io =~ self["connection"] + @keep_alive = false +- elsif /keep-alive/io =~ self["connection"] ++ elsif /\Akeep-alive\z/io =~ self["connection"] + @keep_alive = true + elsif @http_version < "1.1" + @keep_alive = false +@@ -503,7 +503,7 @@ def read_body(socket, block) + return unless socket + if tc = self['transfer-encoding'] + case tc +- when /chunked/io then read_chunked(socket, block) ++ when /\Achunked\z/io then read_chunked(socket, block) + else raise HTTPStatus::NotImplemented, "Transfer-Encoding: #{tc}." + end + elsif self['content-length'] || @remaining_size diff --git a/SPECS/ruby/ruby.spec b/SPECS/ruby/ruby.spec index 8fbb4e49624..3a0ac044262 100644 --- a/SPECS/ruby/ruby.spec +++ b/SPECS/ruby/ruby.spec 
@@ -1,34 +1,39 @@ Summary: Ruby Name: ruby Version: 2.6.6 -Release: 1%{?dist} -License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD -URL: https://www.ruby-lang.org/en/ -Group: System Environment/Security +Release: 2%{?dist} +License: (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD Vendor: Microsoft Corporation Distribution: Mariner +Group: System Environment/Security +URL: https://www.ruby-lang.org/en/ Source0: https://cache.ruby-lang.org/pub/ruby/2.6/%{name}-%{version}.tar.xz +Patch0: CVE-2020-25613.patch BuildRequires: openssl-devel -BuildRequires: readline-devel BuildRequires: readline +BuildRequires: readline-devel BuildRequires: tzdata -Requires: openssl Requires: gmp +Requires: openssl + %description The Ruby package contains the Ruby development environment. This is useful for object-oriented scripting. %prep -%setup -q +%autosetup -p1 + %build %configure \ --enable-shared \ --with-compress-debug-sections=no \ --docdir=%{_docdir}/%{name}-%{version} make %{?_smp_mflags} COPY="cp -p" + %install [ %{buildroot} != "/"] && rm -rf %{buildroot}/* make DESTDIR=%{buildroot} install + %check chmod g+w . -R useradd test -G root -m @@ -36,8 +41,7 @@ sudo -u test make check TESTS="-v" %post -p /sbin/ldconfig %postun -p /sbin/ldconfig -%clean -rm -rf %{buildroot}/* + %files %defattr(-,root,root) %license COPYING 
@@ -53,52 +57,78 @@ rm -rf %{buildroot}/* %{_mandir}/man5/* %changelog -* Thu Oct 15 2020 Emre Girgin 2.6.6-1 -- Upgrade to 2.6.6 to resolve CVEs. +* Thu Oct 22 2020 Thomas Crain - 2.6.6-2 +- Patch CVE-2020-25613 + +* Thu Oct 15 2020 Emre Girgin - 2.6.6-1 +- Upgrade to 2.6.6 to resolve CVEs. + * Sat May 09 00:20:42 PST 2020 Nick Samson - 2.6.3-3 - Added %%license line automatically + * Wed May 06 2020 Pawel Winogrodzki 2.6.3-2 - Removing *Requires for "ca-certificates". + * Fri Mar 13 2020 Paul Monson 2.6.3-1 - Update to version 2.6.3. License verified. + * Mon Feb 3 2020 Andrew Phelps 2.5.3-3 - Disable compressing debug sections + * Tue Sep 03 2019 Mateusz Malisz 2.5.3-2 - Initial CBL-Mariner import from Photon (license: Apache2). + * Tue Jan 01 2019 Sujay G 2.5.3-1 - Update to version 2.5.3, to fix CVE-2018-16395 & CVE-2018-16396 + * Tue Sep 11 2018 srinidhira0 2.5.1-1 - Update to version 2.5.1 + * Fri Jan 12 2018 Xiaolin Li 2.4.3-2 - Fix CVE-2017-17790 + * Wed Jan 03 2018 Xiaolin Li 2.4.3-1 - Update to version 2.4.3, fix CVE-2017-17405 + * Fri Sep 29 2017 Xiaolin Li 2.4.2-1 - Update to version 2.4.2 + * Fri Sep 15 2017 Xiaolin Li 2.4.1-5 - [security] CVE-2017-14064 + * Tue Sep 05 2017 Chang Lee 2.4.1-4 - Built with copy preserve mode and fixed %check + * Mon Jul 24 2017 Priyesh Padmavilasom 2.4.1-3 - [security] CVE-2017-9228 + * Tue Jun 13 2017 Priyesh Padmavilasom 2.4.1-2 - [security] CVE-2017-9224,CVE-2017-9225 - [security] CVE-2017-9227,CVE-2017-9229 + * Thu Apr 13 2017 Siju Maliakkal 2.4.1-1 - Update to latest 2.4.1 + * Wed Jan 18 2017 Anish Swaminathan 2.4.0-1 - Update to 2.4.0 - Fixes CVE-2016-2339 + * Mon Oct 10 2016 ChangLee 2.3.0-4 - Modified %check + * Tue May 24 2016 Priyesh Padmavilasom 2.3.0-3 - GA - Bump release of all rpms + * Wed Mar 09 2016 Divya Thaluru 2.3.0-2 - Adding readline support + * Wed Jan 20 2016 Priyesh Padmavilasom 2.3.0-1 - Updated to 2.3.0-1 + * Tue Apr 28 2015 Fabio Rapposelli 2.2.1-2 - Added SSL support + * Mon Apr 6 2015 
Mahmoud Bassiouny 2.2.1-1 - Version upgrade to 2.2.1 + * Fri Oct 10 2014 Divya Thaluru 2.1.3-1 - Initial build. First version diff --git a/SPECS/subversion/subversion.spec b/SPECS/subversion/subversion.spec index d38599cb0a0..080ab2edc2b 100644 --- a/SPECS/subversion/subversion.spec +++ b/SPECS/subversion/subversion.spec @@ -1,46 +1,57 @@ Summary: The Apache Subversion control system Name: subversion Version: 1.14.0 -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 -URL: https://subversion.apache.org/ -Group: Utilities/System Vendor: Microsoft Corporation Distribution: Mariner +Group: Utilities/System +URL: https://subversion.apache.org/ Source0: https://archive.apache.org/dist/%{name}/%{name}-%{version}.tar.bz2 -Requires: apr -Requires: apr-util -Requires: libserf BuildRequires: apr-devel BuildRequires: apr-util BuildRequires: apr-util-devel -BuildRequires: sqlite-devel -BuildRequires: libtool BuildRequires: expat-devel BuildRequires: libserf-devel +BuildRequires: libtool BuildRequires: lz4 -BuildRequires: utf8proc-devel +BuildRequires: sqlite-devel BuildRequires: swig +BuildRequires: utf8proc-devel + +%if %{with_check} +BuildRequires: python-xml +BuildRequires: python2 +BuildRequires: shadow-utils +BuildRequires: sudo +%endif + +Requires: apr +Requires: apr-util +Requires: libserf Requires: utf8proc %description The Apache version control system. %package devel -Summary: Header and development files for mesos -Requires: %{name} = %{version} +Summary: Header and development files for mesos + +Requires: %{name} = %{version} + %description devel subversion-devel package contains header files, libraries. %package perl -Summary: Allows Perl scripts to directly use Subversion repositories. -Requires: perl -Requires: %{name} = %{version} +Summary: Allows Perl scripts to directly use Subversion repositories. + +Requires: %{name} = %{version} +Requires: perl + %description perl Provides Perl (SWIG) support for Subversion version control system. - %prep %setup -q 
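Review bot: The new conditional in subversion.spec is written as `%if %{with_check}`, which only parses when the `with_check` macro is defined by whatever invokes rpmbuild. Whether the toolkit always defines it is not visible here; if the spec is ever built without it, the unexpanded macro leaves `%if` with an invalid expression and the build stops at parse time. The defensive form is `%if 0%{?with_check}`, which evaluates to false when the macro is absent. The changelog entry also names 'python' while the tags added are `python-xml` and `python2`, so the wording could be aligned.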
@@ -95,52 +106,78 @@ sudo -u test make check && userdel test -r -f %exclude %{_libdir}/perl5/*/*/perllocal.pod %changelog -* Thu Jun 11 2020 Henry Beberman 1.14.0-2 -- Add -Wformat to fix the build because -Werror=format-security is enabled. -* Tue Jun 09 2020 Andrew Phelps 1.14.0-1 -- Update to 1.14.0 to fix: CVE-2019-0203, CVE-2018-11782, CVE-2018-11803 -* Sat May 09 2020 Nick Samson 1.10.2-7 -- Added %%license line automatically -* Mon Apr 13 2020 Emre Girgin 1.10.2-6 -- Rename serf to libserf. -- Update Source0 and URL to use https. Update License. License verified. -* Tue Sep 03 2019 Mateusz Malisz 1.10.2-5 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Tue Mar 05 2019 Siju Maliakkal 1.10.2-4 -- Excluding conflicting perllocal.pod -* Tue Oct 02 2018 Siju Maliakkal 1.10.2-3 -- Added Perl bindings -* Fri Sep 21 2018 Ankit Jain 1.10.2-2 -- Added utf8proc as Requires. -* Wed Sep 19 2018 Ankit Jain 1.10.2-1 -- Updated to version 1.10.2 -* Mon Jan 22 2018 Xiaolin Li 1.9.7-2 -- Compile subversion with https repository access module support -* Mon Aug 28 2017 Xiaolin Li 1.9.7-1 -- Update to version 1.9.7. -* Thu Jun 15 2017 Xiaolin Li 1.9.5-2 -- Fix make check issues. -* Wed Apr 12 2017 Vinay Kulkarni 1.9.5-1 -- Update to version 1.9.5 -* Tue Dec 27 2016 Xiaolin Li 1.9.4-2 -- Moved pkgconfig/*.pc to devel subpackage. -* Wed Nov 23 2016 Harish Udaiya Kumar 1.9.4-1 -- Upgraded to version 1.9.4, fixes CVE-2016-2167 CVE-2016-2168 -* Wed Nov 16 2016 Alexey Makhalov 1.9.3-8 -- Use sqlite-{devel,libs} -* Mon Oct 10 2016 ChangLee 1.9.3-7 -- Modified %check -* Tue May 24 2016 Priyesh Padmavilasom 1.9.3-6 -- GA - Bump release of all rpms -* Tue Feb 23 2016 Xiaolin Li 1.9.3-1 -- Updated to version 1.9.3 -* Tue Nov 10 2015 Xiaolin Li 1.8.13-5 -- Handled locale files with macro find_lang -* Tue Sep 22 2015 Harish Udaiya Kumar 1.8.13-4 -- Updated build-requires after creating devel package for apr. 
-* Mon Sep 21 2015 Xiaolin Li 1.8.13-3 -- Move .a, and .so files to devel pkg. -* Tue Sep 08 2015 Vinay Kulkarni 1.8.13-2 -- Move headers into devel pkg. -* Fri Jun 26 2015 Sarah Choi 1.8.13-1 -- Initial build. First version +* Wed Nov 18 2020 Pawel Winogrodzki - 1.14.0-3 +- Adding 'BuildRequires' on 'python', 'shadow-utils' and 'sudo' to fix the package tests. + +* Thu Jun 11 2020 Henry Beberman - 1.14.0-2 +- Add -Wformat to fix the build because -Werror=format-security is enabled. + +* Tue Jun 09 2020 Andrew Phelps - 1.14.0-1 +- Update to 1.14.0 to fix: CVE-2019-0203, CVE-2018-11782, CVE-2018-11803 + +* Sat May 09 2020 Nick Samson - 1.10.2-7 +- Added %%license line automatically + +* Mon Apr 13 2020 Emre Girgin - 1.10.2-6 +- Rename serf to libserf. +- Update Source0 and URL to use https. Update License. License verified. + +* Tue Sep 03 2019 Mateusz Malisz - 1.10.2-5 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Tue Mar 05 2019 Siju Maliakkal - 1.10.2-4 +- Excluding conflicting perllocal.pod + +* Tue Oct 02 2018 Siju Maliakkal - 1.10.2-3 +- Added Perl bindings + +* Fri Sep 21 2018 Ankit Jain - 1.10.2-2 +- Added utf8proc as Requires. + +* Wed Sep 19 2018 Ankit Jain - 1.10.2-1 +- Updated to version 1.10.2 + +* Mon Jan 22 2018 Xiaolin Li - 1.9.7-2 +- Compile subversion with https repository access module support + +* Mon Aug 28 2017 Xiaolin Li - 1.9.7-1 +- Update to version 1.9.7. + +* Thu Jun 15 2017 Xiaolin Li - 1.9.5-2 +- Fix make check issues. + +* Wed Apr 12 2017 Vinay Kulkarni - 1.9.5-1 +- Update to version 1.9.5 + +* Tue Dec 27 2016 Xiaolin Li - 1.9.4-2 +- Moved pkgconfig/*.pc to devel subpackage. 
+ +* Wed Nov 23 2016 Harish Udaiya Kumar - 1.9.4-1 +- Upgraded to version 1.9.4, fixes CVE-2016-2167 CVE-2016-2168 + +* Wed Nov 16 2016 Alexey Makhalov - 1.9.3-8 +- Use sqlite-{devel,libs} + +* Mon Oct 10 2016 ChangLee - 1.9.3-7 +- Modified %check + +* Tue May 24 2016 Priyesh Padmavilasom - 1.9.3-6 +- GA - Bump release of all rpms + +* Tue Feb 23 2016 Xiaolin Li - 1.9.3-1 +- Updated to version 1.9.3 + +* Tue Nov 10 2015 Xiaolin Li - 1.8.13-5 +- Handled locale files with macro find_lang + +* Tue Sep 22 2015 Harish Udaiya Kumar - 1.8.13-4 +- Updated build-requires after creating devel package for apr. + +* Mon Sep 21 2015 Xiaolin Li - 1.8.13-3 +- Move .a, and .so files to devel pkg. + +* Tue Sep 08 2015 Vinay Kulkarni - 1.8.13-2 +- Move headers into devel pkg. + +* Fri Jun 26 2015 Sarah Choi - 1.8.13-1 +- Initial build. First version diff --git a/SPECS/sysstat/sysstat.spec b/SPECS/sysstat/sysstat.spec index 06d43cef792..fa93af63204 100644 --- a/SPECS/sysstat/sysstat.spec +++ b/SPECS/sysstat/sysstat.spec @@ -1,7 +1,7 @@ Summary: The Sysstat package contains utilities to monitor system performance and usage activity Name: sysstat Version: 12.3.3 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 URL: http://sebastien.godard.pagesperso-orange.fr/ Group: Development/Debuggers @@ -9,8 +9,11 @@ Vendor: Microsoft Corporation Distribution: Mariner #Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz Source0: %{name}-%{version}.tar.gz + BuildRequires: cronie + Requires: cronie + %description The Sysstat package contains utilities to monitor system performance and usage activity. Sysstat contains the sar utility, common to many commercial Unixes, and tools you can schedule via cron to collect and historize performance and activity data. @@ -37,9 +40,6 @@ install -D -m 0644 %{_builddir}/%{name}-%{version}/cron/sysstat-collect.service %find_lang %{name} -%check -make test - %clean rm -rf %{buildroot}/* 
@@ -57,30 +57,45 @@ rm -rf %{buildroot}/* %changelog -* Mon Jun 08 2020 Ruying Chen 12.3.3-1 -- Update to 12.3.3 -* Sat May 09 2020 Nick Samson 12.1.2-4 -- Added %%license line automatically -* Tue Apr 07 2020 Pawel Winogrodzki 12.1.2-3 -- Fixed "Source0" tag and moved to GitHub sources. -- License verified. -* Tue Sep 03 2019 Mateusz Malisz 12.1.2-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Thu Jan 03 2019 Keerthana K 12.1.2-1 -- Update to 12.1.2 to fix CVEs. -* Mon Sep 17 2018 Tapas Kundu 12.0.1-1 -- Updated to 12.0.1 release -* Thu Apr 27 2017 Priyesh Padmavilasom 11.4.3-2 -- Ensure debuginfo -* Tue Apr 11 2017 Vinay Kulkarni 11.4.3-1 -- Update to version 11.4.3 -* Thu Jan 05 2017 Xiaolin Li 11.4.2-1 -- Updated to version 11.4.2 and enable install cron. -* Tue May 24 2016 Priyesh Padmavilasom 11.2.0-3 -- GA - Bump release of all rpms -* Wed May 4 2016 Divya Thaluru 11.2.0-2 -- Adding systemd service file -* Wed Jan 20 2016 Priyesh Padmavilasom 11.2.0-1 -- Update to 11.2.0-1. -* Mon Nov 30 2015 Harish Udaiya Kumar 11.1.8-1 -- Initial build. First version +* Mon Nov 16 2020 Pawel Winogrodzki - 12.3.3-2 +- Removing %%check section as the package doesn't have a test suite. + +* Mon Jun 08 2020 Ruying Chen - 12.3.3-1 +- Update to 12.3.3 + +* Sat May 09 2020 Nick Samson - 12.1.2-4 +- Added %%license line automatically + +* Tue Apr 07 2020 Pawel Winogrodzki - 12.1.2-3 +- Fixed "Source0" tag and moved to GitHub sources. +- License verified. + +* Tue Sep 03 2019 Mateusz Malisz - 12.1.2-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Thu Jan 03 2019 Keerthana K - 12.1.2-1 +- Update to 12.1.2 to fix CVEs. + +* Mon Sep 17 2018 Tapas Kundu - 12.0.1-1 +- Updated to 12.0.1 release + +* Thu Apr 27 2017 Priyesh Padmavilasom - 11.4.3-2 +- Ensure debuginfo + +* Tue Apr 11 2017 Vinay Kulkarni - 11.4.3-1 +- Update to version 11.4.3 + +* Thu Jan 05 2017 Xiaolin Li - 11.4.2-1 +- Updated to version 11.4.2 and enable install cron. 
+ +* Tue May 24 2016 Priyesh Padmavilasom - 11.2.0-3 +- GA - Bump release of all rpms + +* Wed May 4 2016 Divya Thaluru - 11.2.0-2 +- Adding systemd service file + +* Wed Jan 20 2016 Priyesh Padmavilasom - 11.2.0-1 +- Update to 11.2.0-1. + +* Mon Nov 30 2015 Harish Udaiya Kumar - 11.1.8-1 +- Initial build. First version diff --git a/SPECS/systemd/CVE-2019-20386.patch b/SPECS/systemd/CVE-2019-20386.patch new file mode 100644 index 00000000000..59788bc955f --- /dev/null +++ b/SPECS/systemd/CVE-2019-20386.patch @@ -0,0 +1,10 @@ +--- a/src/login/logind-button.c ++++ b/src/login/logind-button.c +@@ -341,6 +341,7 @@ + + (void) button_set_mask(b); + ++ b->io_event_source = sd_event_source_unref(b->io_event_source); + r = sd_event_add_io(b->manager->event, &b->io_event_source, b->fd, EPOLLIN, button_dispatch, b); + if (r < 0) { + log_error_errno(r, "Failed to add button event: %m"); diff --git a/SPECS/systemd/CVE-2019-3842.patch b/SPECS/systemd/CVE-2019-3842.patch new file mode 100644 index 00000000000..e99f1ac8335 --- /dev/null +++ b/SPECS/systemd/CVE-2019-3842.patch 
@@ -0,0 +1,134 @@ +--- a/src/login/pam_systemd.c ++++ b/src/login/pam_systemd.c +@@ -37,6 +37,7 @@ + int argc, const char **argv, + const char **class, + const char **type, ++ const char **desktop, + bool *debug) { + + unsigned i; +@@ -45,24 +46,30 @@ + assert(argc == 0 || argv); + + for (i = 0; i < (unsigned) argc; i++) { +- if (startswith(argv[i], "class=")) { ++ const char *p; ++ ++ if ((p = startswith(argv[i], "class="))) { + if (class) +- *class = argv[i] + 6; ++ *class = p; + +- } else if (startswith(argv[i], "type=")) { ++ } else if ((p = startswith(argv[i], "type="))) { + if (type) +- *type = argv[i] + 5; ++ *type = p; ++ ++ } else if ((p = startswith(argv[i], "desktop="))) { ++ if (desktop) ++ *desktop = p; + + } else if (streq(argv[i], "debug")) { + if (debug) + *debug = true; + +- } else if (startswith(argv[i], "debug=")) { ++ } else if ((p = startswith(argv[i], "debug="))) { + int k; + +- k = parse_boolean(argv[i] + 6); ++ k = parse_boolean(p); + if (k < 0) +- pam_syslog(handle, LOG_WARNING, "Failed to parse debug= argument, ignoring."); ++ pam_syslog(handle, LOG_WARNING, "Failed to parse debug= argument, ignoring: %s", p); + else if (debug) + *debug = k; + +@@ -274,6 +281,33 @@ + return 0; + } + ++ static const char* getenv_harder(pam_handle_t *handle, const char *key, const char *fallback) { ++ const char *v; ++ ++ assert(handle); ++ assert(key); ++ ++ /* Looks for an environment variable, preferrably in the environment block associated with the ++ * specified PAM handle, falling back to the process' block instead. Why check both? Because we want ++ * to permit configuration of session properties from unit files that invoke PAM services, so that ++ * PAM services don't have to be reworked to set systemd-specific properties, but these properties ++ * can still be set from the unit file Environment= block. 
*/ ++ ++ v = pam_getenv(handle, key); ++ if (!isempty(v)) ++ return v; ++ ++ /* We use secure_getenv() here, since we might get loaded into su/sudo, which are SUID. Ideally ++ * they'd clean up the environment before invoking foreign code (such as PAM modules), but alas they ++ * currently don't (to be precise, they clean up the environment they pass to their children, but ++ * not their own environ[]). */ ++ v = secure_getenv(key); ++ if (!isempty(v)) ++ return v; ++ ++ return fallback; ++} ++ + _public_ PAM_EXTERN int pam_sm_open_session( + pam_handle_t *handle, + int flags, +@@ -288,7 +322,7 @@ + *remote_user = NULL, *remote_host = NULL, + *seat = NULL, + *type = NULL, *class = NULL, +- *class_pam = NULL, *type_pam = NULL, *cvtnr = NULL, *desktop = NULL, ++ *class_pam = NULL, *type_pam = NULL, *cvtnr = NULL, *desktop = NULL, *desktop_pam = NULL, + *memory_max = NULL, *tasks_max = NULL, *cpu_weight = NULL, *io_weight = NULL; + _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL; + int session_fd = -1, existing, r; +@@ -307,6 +341,7 @@ + argc, argv, + &class_pam, + &type_pam, ++ &desktop_pam, + &debug) < 0) + return PAM_SESSION_ERR; + +@@ -352,29 +387,11 @@ + pam_get_item(handle, PAM_RUSER, (const void**) &remote_user); + pam_get_item(handle, PAM_RHOST, (const void**) &remote_host); + +- seat = pam_getenv(handle, "XDG_SEAT"); +- if (isempty(seat)) +- seat = getenv("XDG_SEAT"); +- +- cvtnr = pam_getenv(handle, "XDG_VTNR"); +- if (isempty(cvtnr)) +- cvtnr = getenv("XDG_VTNR"); +- +- type = pam_getenv(handle, "XDG_SESSION_TYPE"); +- if (isempty(type)) +- type = getenv("XDG_SESSION_TYPE"); +- if (isempty(type)) +- type = type_pam; +- +- class = pam_getenv(handle, "XDG_SESSION_CLASS"); +- if (isempty(class)) +- class = getenv("XDG_SESSION_CLASS"); +- if (isempty(class)) +- class = class_pam; +- +- desktop = pam_getenv(handle, "XDG_SESSION_DESKTOP"); +- if (isempty(desktop)) +- desktop = getenv("XDG_SESSION_DESKTOP"); ++ seat = getenv_harder(handle, "XDG_SEAT", 
NULL); ++ cvtnr = getenv_harder(handle, "XDG_VTNR", NULL); ++ type = getenv_harder(handle, "XDG_SESSION_TYPE", type_pam); ++ class = getenv_harder(handle, "XDG_SESSION_CLASS", class_pam); ++ desktop = getenv_harder(handle, "XDG_SESSION_DESKTOP", desktop_pam); + + tty = strempty(tty); + diff --git a/SPECS/systemd/CVE-2019-3843.patch b/SPECS/systemd/CVE-2019-3843.patch new file mode 100644 index 00000000000..ff7e38170e4 --- /dev/null +++ b/SPECS/systemd/CVE-2019-3843.patch 
@@ -0,0 +1,428 @@ +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -1,12 +1,14 @@ + /* SPDX-License-Identifier: LGPL-2.1+ */ + + #include ++#include + #include + #include + #include + #include + #include + #include ++#include + + #include "af-list.h" + #include "alloc-util.h" +@@ -1742,3 +1744,133 @@ + + return 0; + } ++ ++int seccomp_restrict_suid_sgid(void) { ++ uint32_t arch; ++ int r; ++ ++ SECCOMP_FOREACH_LOCAL_ARCH(arch) { ++ _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; ++ ++ r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW); ++ if (r < 0) ++ return r; ++ ++ /* Checks the mode_t parameter of the following system calls: ++ * ++ * → chmod() + fchmod() + fchmodat() ++ * → open() + creat() + openat() ++ * → mkdir() + mkdirat() ++ * → mknod() + mknodat() ++ */ ++ ++ for (unsigned bit = 0; bit < 2; bit ++) { ++ /* Block S_ISUID in the first iteration, S_ISGID in the second */ ++ mode_t m = bit == 0 ? S_ISUID : S_ISGID; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(chmod), ++ 1, ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(fchmod), ++ 1, ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(fchmodat), ++ 1, ++ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(mkdir), ++ 1, ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(mkdirat), ++ 1, ++ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(mknod), ++ 1, ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ 
SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(mknodat), ++ 1, ++ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(open), ++ 2, ++ SCMP_A1(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT), ++ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(openat), ++ 2, ++ SCMP_A2(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT), ++ SCMP_A3(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ ++ r = seccomp_rule_add_exact( ++ seccomp, ++ SCMP_ACT_ERRNO(EPERM), ++ SCMP_SYS(creat), ++ 1, ++ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m)); ++ if (r < 0) ++ break; ++ } ++ if (r < 0) { ++ log_debug_errno(r, "Failed to add suid/sgid rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); ++ continue; ++ } ++ ++ r = seccomp_load(seccomp); ++ if (IN_SET(r, -EPERM, -EACCES)) ++ return r; ++ if (r < 0) ++ log_debug_errno(r, "Failed to apply suid/sgid restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch)); ++ } ++ ++ return 0; ++} +\ No newline at end of file +--- a/src/shared/seccomp-util.h ++++ b/src/shared/seccomp-util.h +@@ -85,6 +85,7 @@ + int seccomp_restrict_realtime(void); + int seccomp_memory_deny_write_execute(void); + int seccomp_lock_personality(unsigned long personality); ++ int seccomp_restrict_suid_sgid(void); + + extern const uint32_t seccomp_local_archs[]; + +--- a/src/core/dbus-execute.c ++++ b/src/core/dbus-execute.c +@@ -769,6 +769,7 @@ + SD_BUS_PROPERTY("ConfigurationDirectory", "as", NULL, offsetof(ExecContext, directories[EXEC_DIRECTORY_CONFIGURATION].paths), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("MemoryDenyWriteExecute", "b", bus_property_get_bool, offsetof(ExecContext, memory_deny_write_execute), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("RestrictRealtime", "b", bus_property_get_bool, offsetof(ExecContext, restrict_realtime), SD_BUS_VTABLE_PROPERTY_CONST), ++ 
SD_BUS_PROPERTY("RestrictSUIDSGID", "b", bus_property_get_bool, offsetof(ExecContext, restrict_suid_sgid), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("RestrictNamespaces", "t", bus_property_get_ulong, offsetof(ExecContext, restrict_namespaces), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("BindPaths", "a(ssbt)", property_get_bind_paths, 0, SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("BindReadOnlyPaths", "a(ssbt)", property_get_bind_paths, 0, SD_BUS_VTABLE_PROPERTY_CONST), +@@ -1127,6 +1128,9 @@ + if (streq(name, "RestrictRealtime")) + return bus_set_transient_bool(u, name, &c->restrict_realtime, message, flags, error); + ++ if (streq(name, "RestrictSUIDSGID")) ++ return bus_set_transient_bool(u, name, &c->restrict_suid_sgid, message, flags, error); ++ + if (streq(name, "DynamicUser")) + return bus_set_transient_bool(u, name, &c->dynamic_user, message, flags, error); + +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -1366,6 +1366,7 @@ + return context_has_address_families(c) || + c->memory_deny_write_execute || + c->restrict_realtime || ++ c->restrict_suid_sgid || + exec_context_restrict_namespaces_set(c) || + c->protect_kernel_tunables || + c->protect_kernel_modules || +@@ -1470,6 +1471,19 @@ + return seccomp_restrict_realtime(); + } + ++static int apply_restrict_suid_sgid(const Unit* u, const ExecContext *c) { ++ assert(u); ++ assert(c); ++ ++ if (!c->restrict_suid_sgid) ++ return 0; ++ ++ if (skip_seccomp_unavailable(u, "RestrictSUIDSGID=")) ++ return 0; ++ ++ return seccomp_restrict_suid_sgid(); ++} ++ + static int apply_protect_sysctl(const Unit *u, const ExecContext *c) { + assert(u); + assert(c); +@@ -3331,6 +3345,12 @@ + return log_unit_error_errno(unit, r, "Failed to apply realtime restrictions: %m"); + } + ++ r = apply_restrict_suid_sgid(unit, context); ++ if (r < 0) { ++ *exit_status = EXIT_SECCOMP; ++ return log_unit_error_errno(unit, r, "Failed to apply SUID/SGID restrictions: %m"); ++ } ++ + r = apply_restrict_namespaces(unit, 
context); + if (r < 0) { + *exit_status = EXIT_SECCOMP; +@@ -3920,6 +3940,7 @@ + "%sIgnoreSIGPIPE: %s\n" + "%sMemoryDenyWriteExecute: %s\n" + "%sRestrictRealtime: %s\n" ++ "%sRestrictSUIDSGID: %s\n" + "%sKeyringMode: %s\n", + prefix, c->umask, + prefix, c->working_directory ? c->working_directory : "/", +@@ -3938,6 +3959,7 @@ + prefix, yes_no(c->ignore_sigpipe), + prefix, yes_no(c->memory_deny_write_execute), + prefix, yes_no(c->restrict_realtime), ++ prefix, yes_no(c->restrict_suid_sgid), + prefix, exec_keyring_mode_to_string(c->keyring_mode)); + + if (c->root_image) + +--- a/src/core/execute.h ++++ b/src/core/execute.h +@@ -260,6 +260,7 @@ + + bool memory_deny_write_execute; + bool restrict_realtime; ++ bool restrict_suid_sgid; + + bool oom_score_adjust_set:1; + bool nice_set:1; + +--- a/src/core/load-fragment-gperf.gperf.m4 ++++ b/src/core/load-fragment-gperf.gperf.m4 +@@ -72,6 +72,7 @@ + $1.MemoryDenyWriteExecute, config_parse_bool, 0, offsetof($1, exec_context.memory_deny_write_execute) + $1.RestrictNamespaces, config_parse_restrict_namespaces, 0, offsetof($1, exec_context) + $1.RestrictRealtime, config_parse_bool, 0, offsetof($1, exec_context.restrict_realtime) ++$1.RestrictSUIDSGID, config_parse_bool, 0, offsetof($1, exec_context.restrict_suid_sgid) + $1.RestrictAddressFamilies, config_parse_address_families, 0, offsetof($1, exec_context) + $1.LockPersonality, config_parse_bool, 0, offsetof($1, exec_context.lock_personality)', + `$1.SystemCallFilter, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 +@@ -80,6 +81,7 @@ + $1.MemoryDenyWriteExecute, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 + $1.RestrictNamespaces, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 + $1.RestrictRealtime, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 ++$1.RestrictSUIDSGID, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 + $1.RestrictAddressFamilies, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 + $1.LockPersonality, config_parse_warn_compat, 
DISABLED_CONFIGURATION, 0') + $1.LimitCPU, config_parse_rlimit, RLIMIT_CPU, offsetof($1, exec_context.rlimit) + +--- a/src/shared/bus-unit-util.c ++++ b/src/shared/bus-unit-util.c +@@ -697,7 +697,7 @@ + "PrivateMounts", "NoNewPrivileges", "SyslogLevelPrefix", + "MemoryDenyWriteExecute", "RestrictRealtime", "DynamicUser", "RemoveIPC", + "ProtectKernelTunables", "ProtectKernelModules", "ProtectControlGroups", +- "MountAPIVFS", "CPUSchedulingResetOnFork", "LockPersonality")) ++ "MountAPIVFS", "CPUSchedulingResetOnFork", "LockPersonality", "RestrictSUIDSGID")) + + return bus_append_parse_boolean(m, field, eq); + +--- a/test/fuzz-corpus/unit-file/directives.service ++++ b/test/fuzz-corpus/unit-file/directives.service +@@ -847,6 +847,7 @@ + RestrictAddressFamilies= + RestrictNamespaces= + RestrictRealtime= ++RestrictSUIDSGID= + RuntimeDirectory= + RuntimeDirectoryMode= + RuntimeDirectoryPreserve= + +--- a/doc/TRANSIENT-SETTINGS.md ++++ b/doc/TRANSIENT-SETTINGS.md +@@ -147,6 +147,7 @@ + ✓ MemoryDenyWriteExecute= + ✓ RestrictNamespaces= + ✓ RestrictRealtime= ++✓ RestrictSUIDSGID= + ✓ RestrictAddressFamilies= + ✓ LockPersonality= + ✓ LimitCPU= + +--- a/units/systemd-coredump@.service.in ++++ b/units/systemd-coredump@.service.in +@@ -31,6 +31,7 @@ + ProtectKernelModules=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX + SystemCallFilter=@system-service + +--- a/units/systemd-hostnamed.service.in ++++ b/units/systemd-hostnamed.service.in +@@ -27,6 +27,7 @@ + ProtectKernelModules=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX + SystemCallFilter=@system-service sethostname + +--- a/units/systemd-journal-remote.service.in ++++ b/units/systemd-journal-remote.service.in +@@ -26,6 +26,7 @@ + ProtectKernelModules=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + 
RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 + SystemCallArchitectures=native + +--- a/units/systemd-journald.service.in ++++ b/units/systemd-journald.service.in +@@ -27,6 +27,7 @@ + CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX AF_NETLINK + SystemCallFilter=@system-service + +--- a/units/systemd-localed.service.in ++++ b/units/systemd-localed.service.in +@@ -27,6 +27,7 @@ + ProtectKernelModules=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX + SystemCallFilter=@system-service + +--- a/units/systemd-logind.service.in ++++ b/units/systemd-logind.service.in +@@ -28,6 +28,7 @@ + CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX AF_NETLINK + SystemCallFilter=@system-service + +--- a/units/systemd-networkd.service.in ++++ b/units/systemd-networkd.service.in +@@ -33,6 +33,7 @@ + ProtectKernelModules=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET + SystemCallFilter=@system-service + +--- a/units/systemd-resolved.service.in ++++ b/units/systemd-resolved.service.in +@@ -36,6 +36,7 @@ + ProtectKernelModules=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 + SystemCallFilter=@system-service + +--- 
a/units/systemd-timedated.service.in ++++ b/units/systemd-timedated.service.in +@@ -25,6 +25,7 @@ + ProtectKernelModules=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX + SystemCallFilter=@system-service @clock + +--- a/units/systemd-timesyncd.service.in ++++ b/units/systemd-timesyncd.service.in +@@ -35,6 +35,7 @@ + ProtectKernelModules=yes + MemoryDenyWriteExecute=yes + RestrictRealtime=yes ++RestrictSUIDSGID=yes + RestrictNamespaces=yes + RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 + RuntimeDirectory=systemd/timesync + +--- a/units/systemd-udevd.service.in ++++ b/units/systemd-udevd.service.in +@@ -27,8 +27,9 @@ + TasksMax=infinity + PrivateMounts=yes + MemoryDenyWriteExecute=yes +-RestrictRealtime=yes + RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 ++RestrictRealtime=yes ++RestrictSUIDSGID=yes + SystemCallFilter=@system-service @module @raw-io + SystemCallErrorNumber=EPERM + SystemCallArchitectures=native diff --git a/SPECS/systemd/CVE-2019-3844.patch b/SPECS/systemd/CVE-2019-3844.patch new file mode 100644 index 00000000000..edaf998e277 --- /dev/null +++ b/SPECS/systemd/CVE-2019-3844.patch 
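Review bot: `seccomp_restrict_suid_sgid()` fails open. When adding a rule fails, the architecture is skipped with `continue`; a `seccomp_load()` error other than `-EPERM`/`-EACCES` is only logged at debug level; and the function still returns 0, so `apply_restrict_suid_sgid()` in execute.c reports success even if no filter was installed for an architecture. If that best-effort behaviour is intended, it should be stated above the function, for example `/* Best effort: architectures whose rules cannot be added or loaded are skipped; returning 0 does not guarantee the filter is active. */`. Separately, the `open`/`openat` rules match only when `O_CREAT` is set, while `O_TMPFILE` also takes a mode argument and `openat2()` passes it in a struct, so the filter's coverage is worth comparing against current upstream.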
@@ -0,0 +1,25 @@
+--- a/src/core/unit.c
++++ b/src/core/unit.c
+@@ -4131,14 +4131,20 @@
+ return -ENOMEM;
+ }
+
+- /* If the dynamic user option is on, let's make sure that the unit can't leave its UID/GID
+- * around in the file system or on IPC objects. Hence enforce a strict sandbox. */
++ /* If the dynamic user option is on, let's make sure that the unit can't leave its
++ * UID/GID around in the file system or on IPC objects. Hence enforce a strict
++ * sandbox. */
+
+ ec->private_tmp = true;
+ ec->remove_ipc = true;
+ ec->protect_system = PROTECT_SYSTEM_STRICT;
+ if (ec->protect_home == PROTECT_HOME_NO)
+ ec->protect_home = PROTECT_HOME_READ_ONLY;
++
++ /* Make sure this service can neither benefit from SUID/SGID binaries nor create
++ * them. */
++ ec->no_new_privileges = true;
++ ec->restrict_suid_sgid = true;
+ }
+ }
+
diff --git a/SPECS/systemd/CVE-2019-6454.patch b/SPECS/systemd/CVE-2019-6454.patch
new file mode 100644
index 00000000000..e1bb0252532
--- /dev/null
+++ b/SPECS/systemd/CVE-2019-6454.patch
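Review bot: The added `ec->restrict_suid_sgid = true;` uses a field that exists only once CVE-2019-3843.patch has added `bool restrict_suid_sgid;` to `ExecContext`, so this patch must be applied after that one. The spec's patch order is not visible here and should be checked. The patch file also has no provenance header, unlike CVE-2019-6454.patch and CVE-2020-1712.patch in this commit; a first line such as `Adapted from upstream systemd commit <upstream-commit-url>` would let the backport be audited against its source. The enclosing function in unit.c starts outside the inner hunk.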
@@ -0,0 +1,237 @@ +Adapted from upstream systemd patches: +* sd-bus: if we receive an invalid dbus message, ignore and proceeed (https://github.com/systemd/systemd/commit/6d586a13717ae057aa1b4127400c3de61cd5b9e7) +* Allocate temporary strings to hold dbus paths on the heap (https://github.com/systemd/systemd/commit/f519a19bcd5afe674a9b8fc462cd77d8bad403c1) + +--- a/src/libsystemd/sd-bus/bus-internal.c ++++ b/src/libsystemd/sd-bus/bus-internal.c +@@ -45,7 +45,7 @@ + if (slash) + return false; + +- return true; ++ return (q - p) <= BUS_PATH_SIZE_MAX; + } + + char* object_path_startswith(const char *a, const char *b) { + +--- a/src/libsystemd/sd-bus/bus-internal.h ++++ b/src/libsystemd/sd-bus/bus-internal.h +@@ -333,6 +333,10 @@ + + #define BUS_MESSAGE_SIZE_MAX (128*1024*1024) + #define BUS_AUTH_SIZE_MAX (64*1024) ++/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one ++ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however, ++ * to not clash unnecessarily with real-life applications. 
*/ ++#define BUS_PATH_SIZE_MAX (64*1024) + + #define BUS_CONTAINER_DEPTH 128 + +--- a/src/libsystemd/sd-bus/bus-objects.c ++++ b/src/libsystemd/sd-bus/bus-objects.c +@@ -1134,7 +1134,8 @@ + const char *path, + sd_bus_error *error) { + +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; + int r; + + assert(bus); +@@ -1150,7 +1151,12 @@ + return 0; + + /* Second, add fallback vtables registered for any of the prefixes */ +- prefix = alloca(strlen(path) + 1); ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; ++ + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = object_manager_serialize_path(bus, reply, prefix, path, true, error); + if (r < 0) +@@ -1346,6 +1352,7 @@ + } + + int bus_process_object(sd_bus *bus, sd_bus_message *m) { ++ _cleanup_free_ char *prefix = NULL; + int r; + size_t pl; + bool found_object = false; +@@ -1370,9 +1377,11 @@ + assert(m->member); + + pl = strlen(m->path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; + do { +- char prefix[pl+1]; +- + bus->nodes_modified = false; + + r = object_find_and_run(bus, m, m->path, false, &found_object); +@@ -1499,9 +1508,15 @@ + + n = hashmap_get(bus->nodes, path); + if (!n) { +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; ++ ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; + +- prefix = alloca(strlen(path) + 1); + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + n = hashmap_get(bus->nodes, prefix); + if (n) +@@ -2090,9 +2105,9 @@ + const char *interface, + char **names) { + +- BUS_DONT_DESTROY(bus); ++ _cleanup_free_ char *prefix = NULL; + bool found_interface = false; +- char *prefix; ++ size_t pl; + int r; + + assert_return(bus, -EINVAL); +@@ -2110,6 +2125,14 @@ + included in the PropertiesChanged message. 
*/ + if (names && names[0] == NULL) + return 0; ++ ++ BUS_DONT_DESTROY(bus); ++ ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; + + do { + bus->nodes_modified = false; +@@ -2120,7 +2143,6 @@ + if (bus->nodes_modified) + continue; + +- prefix = alloca(strlen(path) + 1); + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names); + if (r != 0) +@@ -2252,7 +2274,8 @@ + + static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *path) { + _cleanup_set_free_ Set *s = NULL; +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; + int r; + + assert(bus); +@@ -2296,8 +2319,13 @@ + return r; + if (bus->nodes_modified) + return 0; ++ ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; + +- prefix = alloca(strlen(path) + 1); + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = object_added_append_all_prefix(bus, m, s, prefix, path, true); + if (r < 0) +@@ -2436,7 +2464,8 @@ + + static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char *path) { + _cleanup_set_free_ Set *s = NULL; +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; + int r; + + assert(bus); +@@ -2467,8 +2496,13 @@ + return r; + if (bus->nodes_modified) + return 0; ++ ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; + +- prefix = alloca(strlen(path) + 1); + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = object_removed_append_all_prefix(bus, m, s, prefix, path, true); + if (r < 0) +@@ -2618,7 +2652,8 @@ + const char *path, + const char *interface) { + +- char *prefix; ++ _cleanup_free_ char *prefix = NULL; ++ size_t pl; + int r; + + assert(bus); +@@ -2632,7 +2667,12 @@ + if (bus->nodes_modified) + return 0; + +- prefix = 
alloca(strlen(path) + 1); ++ pl = strlen(path); ++ assert(pl <= BUS_PATH_SIZE_MAX); ++ prefix = new(char, pl + 1); ++ if (!prefix) ++ return -ENOMEM; ++ + OBJECT_PATH_FOREACH_PREFIX(prefix, path) { + r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true); + if (r != 0) + +--- a/src/libsystemd/sd-bus/bus-socket.c ++++ b/src/libsystemd/sd-bus/bus-socket.c +@@ -1081,7 +1081,7 @@ + } + + static int bus_socket_make_message(sd_bus *bus, size_t size) { +- sd_bus_message *t; ++ sd_bus_message *t = NULL; + void *b; + int r; + +@@ -1106,7 +1106,9 @@ + bus->fds, bus->n_fds, + NULL, + &t); +- if (r < 0) { ++ if (r == -EBADMSG) ++ log_debug_errno(r, "Received invalid message from connection %s, dropping.", strna(bus->description)); ++ else if (r < 0) { + free(b); + return r; + } +@@ -1117,7 +1119,8 @@ + bus->fds = NULL; + bus->n_fds = 0; + +- bus->rqueue[bus->rqueue_size++] = t; ++ if (t) ++ bus->rqueue[bus->rqueue_size++] = t; + + return 1; + } diff --git a/SPECS/systemd/CVE-2020-13776.patch b/SPECS/systemd/CVE-2020-13776.patch new file mode 100644 index 00000000000..d935469d89f --- /dev/null +++ b/SPECS/systemd/CVE-2020-13776.patch 
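Review bot: On the new `-EBADMSG` branch in `bus_socket_make_message()` the code logs and then falls through to `bus->fds = NULL; bus->n_fds = 0;` with `t` still NULL. No message has taken ownership of the received descriptors (and presumably of the parsed read buffer), and nothing visible closes or frees them. Whether `bus_message_from_malloc()` releases them on failure is not shown here; if it does not, every dropped malformed message leaks descriptors and memory, and a misbehaving peer can repeat that until the process is exhausted. If confirmed, release them in that branch before continuing, e.g. `close_many(bus->fds, bus->n_fds); free(bus->fds);`, and free the superseded buffer as well. Parts of the function lie between the inner hunks and are not shown.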
@@ -0,0 +1,43 @@
+--- a/src/basic/user-util.c
++++ b/src/basic/user-util.c
+@@ -49,7 +49,7 @@
+ assert(s);
+
+ assert_cc(sizeof(uid_t) == sizeof(uint32_t));
+- r = safe_atou32(s, &uid);
++ r = safe_atou32_full(s, 10, &uid);
+ if (r < 0)
+ return r;
+
+--- a/src/test/test-user-util.c
++++ b/src/test/test-user-util.c
+@@ -49,6 +49,14 @@
+
+ r = parse_uid("asdsdas", &uid);
+ assert_se(r == -EINVAL);
++
++ r = parse_uid("0x1234", &uid);
++ assert_se(r == -EINVAL);
++ assert_se(uid == 100);
++
++ r = parse_uid("01234", &uid);
++ assert_se(r == 0);
++ assert_se(uid == 1234);
+ }
+
+ static void test_uid_ptr(void) {
+
+--- a/src/basic/parse-util.h
++++ b/src/basic/parse-util.h
+@@ -50,6 +50,11 @@
+
+ int safe_atoi16(const char *s, int16_t *ret);
+
++static inline int safe_atou32_full(const char *s, unsigned base, uint32_t *ret_u) {
++ assert_cc(sizeof(uint32_t) == sizeof(unsigned));
++ return safe_atou_full(s, base, (unsigned*) ret_u);
++}
++
+ static inline int safe_atou32(const char *s, uint32_t *ret_u) {
+ assert_cc(sizeof(uint32_t) == sizeof(unsigned));
+ return safe_atou(s, (unsigned*) ret_u);
diff --git a/SPECS/systemd/CVE-2020-1712.patch b/SPECS/systemd/CVE-2020-1712.patch
new file mode 100644
index 00000000000..6395890492d
--- /dev/null
+++ b/SPECS/systemd/CVE-2020-1712.patch
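Review bot: The new `safe_atou32_full()` in parse-util.h forwards to `safe_atou_full()`, which none of the three inner hunks declares or defines. The patch therefore builds, and the base-10 restriction in `parse_uid()` takes effect, only if the packaged systemd source already carries that helper; this should be confirmed against the tree the spec builds. The patch file also lacks the provenance header that CVE-2019-6454.patch and CVE-2020-1712.patch carry; a first line such as `Adapted from upstream systemd commit <upstream-commit-url>` would make the backport traceable. The bodies of `parse_uid()` and the test function extend outside the inner hunks.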
@@ -0,0 +1,598 @@ +Adapted from systemd upstream patch: https://github.com/systemd/systemd/commit/ea0d0ede03c6f18dbc5036c5e9cccf97e415ccc2 + +Changes for Mariner: +* Add two kinds of references to bus messages (https://github.com/systemd/systemd/commit/1b3f9dd759ca0ea215e7b89f8ce66d1b724497b9) +* Use queue message references for managing r/w message queues in connection objects (https://github.com/systemd/systemd/commit/c1757a70eac0382c4837a3833d683919f6a48ed7) + +--- a/man/rules/meson.build ++++ b/man/rules/meson.build +@@ -168,6 +168,7 @@ + 'sd_bus_open_system_remote', + 'sd_bus_open_user'], + ''], ++['sd_bus_enqueue_for_read', '3', [], ''], + ['sd_bus_error', + '3', + ['SD_BUS_ERROR_MAKE_CONST', + +--- a/man/sd_bus_enqueue_for_read.xml ++++ b/man/sd_bus_enqueue_for_read.xml +@@ -0,0 +1,88 @@ ++ ++ ++ ++ ++ ++ ++ ++ sd_bus_enqueue_for_read ++ systemd ++ ++ ++ ++ sd_bus_enqueue_for_read ++ 3 ++ ++ ++ ++ sd_bus_enqueue_for_read ++ ++ Re-enqueue a bus message on a bus connection, for reading. ++ ++ ++ ++ ++ #include <systemd/sd-bus.h> ++ ++ ++ int sd_bus_enqueue_for_read ++ sd_bus *bus ++ sd_bus_message *message ++ ++ ++ ++ ++ ++ ++ Description ++ ++ sd_bus_enqueue_for_read() may be used to re-enqueue an incoming bus message on ++ the local read queue, so that it is processed and dispatched locally again, similar to how an incoming ++ message from the peer is processed. Takes a bus connection object and the message to enqueue. A reference ++ is taken of the message and the caller's reference thus remains in possession of the caller. The message ++ is enqueued at the end of the queue, thus will be dispatched after all other already queued messages are ++ dispatched. ++ ++ This call is primarily useful for dealing with incoming method calls that may be processed only ++ after an additional asynchronous operation completes. 
One example are PolicyKit authorization requests ++ that are determined to be necessary to autorize a newly incoming method call: when the PolicyKit response ++ is received the original method call may be re-enqueued to process it again, this time with the ++ authorization result known. ++ ++ ++ ++ Return Value ++ ++ On success, this function return 0 or a positive integer. On failure, it returns a negative errno-style ++ error code. ++ ++ ++ Errors ++ ++ Returned errors may indicate the following problems: ++ ++ ++ ++ -ECHILD ++ ++ The bus connection has been created in a different process. ++ ++ ++ ++ ++ ++ ++ ++ ++ See Also ++ ++ ++ systemd1, ++ sd-bus3, ++ sd_bus_send3, ++ ++ ++ ++ + +--- a/src/shared/bus-util.c ++++ b/src/shared/bus-util.c +@@ -319,10 +319,9 @@ + + typedef struct AsyncPolkitQuery { + sd_bus_message *request, *reply; +- sd_bus_message_handler_t callback; +- void *userdata; + sd_bus_slot *slot; + Hashmap *registry; ++ sd_event_source *defer_event_source; + } AsyncPolkitQuery; + + static void async_polkit_query_free(AsyncPolkitQuery *q) { +@@ -338,9 +337,22 @@ + sd_bus_message_unref(q->request); + sd_bus_message_unref(q->reply); + ++ sd_event_source_disable_unref(q->defer_event_source); + free(q); + } + ++static int async_polkit_defer(sd_event_source *s, void *userdata) { ++ AsyncPolkitQuery *q = userdata; ++ ++ assert(s); ++ ++ /* This is called as idle event source after we processed the async polkit reply, hopefully after the ++ * method call we re-enqueued has been properly processed. 
*/ ++ ++ async_polkit_query_free(q); ++ return 0; ++} ++ + static int async_polkit_callback(sd_bus_message *reply, void *userdata, sd_bus_error *error) { + _cleanup_(sd_bus_error_free) sd_bus_error error_buffer = SD_BUS_ERROR_NULL; + AsyncPolkitQuery *q = userdata; +@@ -349,19 +361,44 @@ + assert(reply); + assert(q); + ++ assert(q->slot); + q->slot = sd_bus_slot_unref(q->slot); ++ ++ assert(!q->reply); + q->reply = sd_bus_message_ref(reply); + ++ /* Now, let's dispatch the original message a second time be re-enqueing. This will then traverse the ++ * whole message processing again, and thus re-validating and re-retrieving the "userdata" field ++ * again. ++ * ++ * We install an idle event loop event to clean-up the PolicyKit request data when we are idle again, ++ * i.e. after the second time the message is processed is complete. */ ++ ++ assert(!q->defer_event_source); ++ r = sd_event_add_defer(sd_bus_get_event(sd_bus_message_get_bus(reply)), &q->defer_event_source, async_polkit_defer, q); ++ if (r < 0) ++ goto fail; ++ ++ r = sd_event_source_set_priority(q->defer_event_source, SD_EVENT_PRIORITY_IDLE); ++ if (r < 0) ++ goto fail; ++ ++ r = sd_event_source_set_enabled(q->defer_event_source, SD_EVENT_ONESHOT); ++ if (r < 0) ++ goto fail; ++ + r = sd_bus_message_rewind(q->request, true); +- if (r < 0) { +- r = sd_bus_reply_method_errno(q->request, r, NULL); +- goto finish; +- } +- +- r = q->callback(q->request, q->userdata, &error_buffer); +- r = bus_maybe_reply_error(q->request, r, &error_buffer); ++ if (r < 0) ++ goto fail; + +-finish: ++ r = sd_bus_enqueue_for_read(sd_bus_message_get_bus(q->request), q->request); ++ if (r < 0) ++ goto fail; ++ ++ return 1; ++fail: ++ log_debug_errno(r, "Processing asynchronous PolicyKit reply failed, ignoring: %m"); ++ (void) sd_bus_reply_method_errno(q->request, r, NULL); + async_polkit_query_free(q); + + return r; +@@ -382,11 +419,12 @@ + #if ENABLE_POLKIT + _cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL; + 
AsyncPolkitQuery *q; +- const char *sender, **k, **v; ++ const char **k, **v; + sd_bus_message_handler_t callback; + void *userdata; + int c; + #endif ++ const char *sender; + int r; + + assert(call); +@@ -444,20 +482,11 @@ + else if (r > 0) + return 1; + +-#if ENABLE_POLKIT +- if (sd_bus_get_current_message(call->bus) != call) +- return -EINVAL; +- +- callback = sd_bus_get_current_handler(call->bus); +- if (!callback) +- return -EINVAL; +- +- userdata = sd_bus_get_current_userdata(call->bus); +- + sender = sd_bus_message_get_sender(call); + if (!sender) + return -EBADMSG; + ++#if ENABLE_POLKIT + c = sd_bus_message_get_allow_interactive_authorization(call); + if (c < 0) + return c; +@@ -509,8 +538,6 @@ + return -ENOMEM; + + q->request = sd_bus_message_ref(call); +- q->callback = callback; +- q->userdata = userdata; + + r = hashmap_put(*registry, call, q); + if (r < 0) { + +--- a/src/libsystemd/libsystemd.sym ++++ b/src/libsystemd/libsystemd.sym +@@ -556,6 +556,7 @@ + + LIBSYSTEMD_239 { + global: ++ sd_bus_enqueue_for_read; + sd_bus_open_with_description; + sd_bus_open_user_with_description; + sd_bus_open_system_with_description; + +--- a/src/libsystemd/sd-bus/sd-bus.c ++++ b/src/libsystemd/sd-bus/sd-bus.c +@@ -148,13 +148,13 @@ + assert(b); + + while (b->rqueue_size > 0) +- sd_bus_message_unref(b->rqueue[--b->rqueue_size]); ++ bus_message_unref_queued(b->rqueue[--b->rqueue_size], b); + + b->rqueue = mfree(b->rqueue); + b->rqueue_allocated = 0; + + while (b->wqueue_size > 0) +- sd_bus_message_unref(b->wqueue[--b->wqueue_size]); ++ bus_message_unref_queued(b->wqueue[--b->wqueue_size], b); + + b->wqueue = mfree(b->wqueue); + b->wqueue_allocated = 0; +@@ -493,7 +493,7 @@ + + /* Insert at the very front */ + memmove(bus->rqueue + 1, bus->rqueue, sizeof(sd_bus_message*) * bus->rqueue_size); +- bus->rqueue[0] = TAKE_PTR(m); ++ bus->rqueue[0] = bus_message_ref_queued(m, bus); + bus->rqueue_size++; + + return 0; +@@ -1716,7 +1716,7 @@ + * anyway. 
*/ + + bus->wqueue_size--; +- sd_bus_message_unref(bus->wqueue[0]); ++ bus_message_unref_queued(bus->wqueue[0], bus); + memmove(bus->wqueue, bus->wqueue + 1, sizeof(sd_bus_message*) * bus->wqueue_size); + bus->windex = 0; + +@@ -1745,6 +1745,15 @@ + return 0; + } + ++static void rqueue_drop_one(sd_bus *bus, size_t i) { ++ assert(bus); ++ assert(i < bus->rqueue_size); ++ ++ bus_message_unref_queued(bus->rqueue[i], bus); ++ memmove(bus->rqueue + i, bus->rqueue + i + 1, sizeof(sd_bus_message*) * (bus->rqueue_size - i - 1)); ++ bus->rqueue_size--; ++} ++ + static int dispatch_rqueue(sd_bus *bus, bool hint_priority, int64_t priority, sd_bus_message **m) { + int r, ret = 0; + +@@ -1760,9 +1769,8 @@ + if (bus->rqueue_size > 0) { + /* Dispatch a queued message */ + +- *m = bus->rqueue[0]; +- bus->rqueue_size--; +- memmove(bus->rqueue, bus->rqueue + 1, sizeof(sd_bus_message*) * bus->rqueue_size); ++ *m = sd_bus_message_ref(bus->rqueue[0]); ++ rqueue_drop_one(bus, 0); + return 1; + } + +@@ -1838,7 +1846,7 @@ + * of the wqueue array is always allocated so + * that we always can remember how much was + * written. */ +- bus->wqueue[0] = sd_bus_message_ref(m); ++ bus->wqueue[0] = bus_message_ref_queued(m, bus); + bus->wqueue_size = 1; + bus->windex = idx; + } +@@ -1852,7 +1860,7 @@ + if (!GREEDY_REALLOC(bus->wqueue, bus->wqueue_allocated, bus->wqueue_size + 1)) + return -ENOMEM; + +- bus->wqueue[bus->wqueue_size++] = sd_bus_message_ref(m); ++ bus->wqueue[bus->wqueue_size++] = bus_message_ref_queued(m, bus); + } + + finish: +@@ -2078,36 +2086,29 @@ + usec_t left; + + while (i < bus->rqueue_size) { +- sd_bus_message *incoming = NULL; ++ _cleanup_(sd_bus_message_unrefp) sd_bus_message *incoming = NULL; + +- incoming = bus->rqueue[i]; ++ incoming = sd_bus_message_ref(bus->rqueue[i]); + + if (incoming->reply_cookie == cookie) { + /* Found a match! 
*/ + +- memmove(bus->rqueue + i, bus->rqueue + i + 1, sizeof(sd_bus_message*) * (bus->rqueue_size - i - 1)); +- bus->rqueue_size--; ++ rqueue_drop_one(bus, i); + log_debug_bus_message(incoming); + + if (incoming->header->type == SD_BUS_MESSAGE_METHOD_RETURN) { + + if (incoming->n_fds <= 0 || bus->accept_fd) { + if (reply) +- *reply = incoming; +- else +- sd_bus_message_unref(incoming); ++ *reply = TAKE_PTR(incoming); + + return 1; + } + +- r = sd_bus_error_setf(error, SD_BUS_ERROR_INCONSISTENT_MESSAGE, "Reply message contained file descriptors which I couldn't accept. Sorry."); +- sd_bus_message_unref(incoming); +- return r; ++ return sd_bus_error_setf(error, SD_BUS_ERROR_INCONSISTENT_MESSAGE, "Reply message contained file descriptors which I couldn't accept. Sorry."); + + } else if (incoming->header->type == SD_BUS_MESSAGE_METHOD_ERROR) { +- r = sd_bus_error_copy(error, &incoming->error); +- sd_bus_message_unref(incoming); +- return r; ++ return sd_bus_error_copy(error, &incoming->error); + } else { + r = -EIO; + goto fail; +@@ -2118,15 +2119,11 @@ + incoming->sender && + streq(bus->unique_name, incoming->sender)) { + +- memmove(bus->rqueue + i, bus->rqueue + i + 1, sizeof(sd_bus_message*) * (bus->rqueue_size - i - 1)); +- bus->rqueue_size--; ++ rqueue_drop_one(bus, i); + +- /* Our own message? Somebody is trying +- * to send its own client a message, +- * let's not dead-lock, let's fail +- * immediately. */ ++ /* Our own message? Somebody is trying to send its own client a message, ++ * let's not dead-lock, let's fail immediately. 
*/ + +- sd_bus_message_unref(incoming); + r = -ELOOP; + goto fail; + } +@@ -4075,3 +4072,27 @@ + *ret = bus->wqueue_size; + return 0; + } ++ ++_public_ int sd_bus_enqueue_for_read(sd_bus *bus, sd_bus_message *m) { ++ int r; ++ ++ assert_return(bus, -EINVAL); ++ assert_return(bus = bus_resolve(bus), -ENOPKG); ++ assert_return(m, -EINVAL); ++ assert_return(m->sealed, -EINVAL); ++ assert_return(!bus_pid_changed(bus), -ECHILD); ++ ++ if (!BUS_IS_OPEN(bus->state)) ++ return -ENOTCONN; ++ ++ /* Re-enqueue a message for reading. This is primarily useful for PolicyKit-style authentication, ++ * where we accept a message, then determine we need to interactively authenticate the user, and then ++ * we want to process the message again. */ ++ ++ r = bus_rqueue_make_room(bus); ++ if (r < 0) ++ return r; ++ ++ bus->rqueue[bus->rqueue_size++] = bus_message_ref_queued(m, bus); ++ return 0; ++} + +--- a/src/systemd/sd-bus.h ++++ b/src/systemd/sd-bus.h +@@ -193,6 +193,7 @@ + int sd_bus_process_priority(sd_bus *bus, int64_t max_priority, sd_bus_message **r); + int sd_bus_wait(sd_bus *bus, uint64_t timeout_usec); + int sd_bus_flush(sd_bus *bus); ++int sd_bus_enqueue_for_read(sd_bus *bus, sd_bus_message *m); + + sd_bus_slot* sd_bus_get_current_slot(sd_bus *bus); + sd_bus_message* sd_bus_get_current_message(sd_bus *bus); + +--- a/src/libsystemd/sd-bus/bus-message.c ++++ b/src/libsystemd/sd-bus/bus-message.c +@@ -101,7 +101,8 @@ + + message_reset_parts(m); + +- sd_bus_unref(m->bus); ++ /* Note that we don't unref m->bus here. That's already done by sd_bus_message_unref() as each user ++ * reference to the bus message also is considered a reference to the bus connection itself. */ + + if (m->free_fds) { + close_many(m->fds, m->n_fds); +@@ -880,10 +881,15 @@ + + if (!m) + return NULL; ++ ++ /* We are fine if this message so far was either explicitly reffed or not reffed but queued into at ++ * least one bus connection object. 
*/ ++ assert(m->n_ref > 0 || m->n_queued > 0); + +- assert(m->n_ref > 0); + m->n_ref++; + ++ /* Each user reference to a bus message shall also be considered a ref on the bus */ ++ sd_bus_ref(m->bus); + return m; + } + +@@ -893,10 +899,56 @@ + return NULL; + + assert(m->n_ref > 0); ++ ++ sd_bus_unref(m->bus); /* Each regular ref is also a ref on the bus connection. Let's hence drop it ++ * here. Note we have to do this before decrementing our own n_ref here, since ++ * otherwise, if this message is currently queued sd_bus_unref() might call ++ * bus_message_unref_queued() for this which might then destroy the message ++ * while we are still processing it. */ + m->n_ref--; + +- if (m->n_ref > 0) ++ if (m->n_ref > 0 || m->n_queued > 0) + return NULL; ++ ++ /* Unset the bus field if neither the user has a reference nor this message is queued. We are careful ++ * to reset the field only after the last reference to the bus is dropped, after all we might keep ++ * multiple references to the bus, once for each reference kept on ourselves. */ ++ m->bus = NULL; ++ ++ return message_free(m); ++} ++ ++sd_bus_message* bus_message_ref_queued(sd_bus_message *m, sd_bus *bus) { ++ if (!m) ++ return NULL; ++ ++ /* If this is a different bus than the message is associated with, then implicitly turn this into a ++ * regular reference. This means that you can create a memory leak by enqueuing a message generated ++ * on one bus onto another at the same time as enqueueing a message from the second one on the first, ++ * as we'll not detect the cyclic references there. 
*/ ++ if (bus != m->bus) ++ return sd_bus_message_ref(m); ++ ++ assert(m->n_ref > 0 || m->n_queued > 0); ++ m->n_queued++; ++ ++ return m; ++} ++ ++sd_bus_message* bus_message_unref_queued(sd_bus_message *m, sd_bus *bus) { ++ if (!m) ++ return NULL; ++ ++ if (bus != m->bus) ++ return sd_bus_message_unref(m); ++ ++ assert(m->n_queued > 0); ++ m->n_queued--; ++ ++ if (m->n_ref > 0 || m->n_queued > 0) ++ return NULL; ++ ++ m->bus = NULL; + + return message_free(m); + } + +--- a/src/libsystemd/sd-bus/bus-message.h ++++ b/src/libsystemd/sd-bus/bus-message.h +@@ -51,7 +51,16 @@ + }; + + struct sd_bus_message { +- unsigned n_ref; ++ /* Caveat: a message can be referenced in two different ways: the main (user-facing) way will also ++ * pin the bus connection object the message is associated with. The secondary way ("queued") is used ++ * when a message is in the read or write queues of the bus connection object, which will not pin the ++ * bus connection object. This is necessary so that we don't have to have a pair of cyclic references ++ * between a message that is queued and its connection: as soon as a message is only referenced by ++ * the connection (by means of being queued) and the connection itself has no other references it ++ * will be freed. 
*/ ++ ++ unsigned n_ref; /* Counter of references that pin the connection */ ++ unsigned n_queued; /* Counter of references that do not pin the connection */ + + sd_bus *bus; + +@@ -216,3 +225,6 @@ + + void bus_message_set_sender_driver(sd_bus *bus, sd_bus_message *m); + void bus_message_set_sender_local(sd_bus *bus, sd_bus_message *m); ++ ++sd_bus_message* bus_message_ref_queued(sd_bus_message *m, sd_bus *bus); ++sd_bus_message* bus_message_unref_queued(sd_bus_message *m, sd_bus *bus); + + +--- a/src/libsystemd/sd-bus/bus-socket.c ++++ b/src/libsystemd/sd-bus/bus-socket.c +@@ -1119,8 +1119,10 @@ + bus->fds = NULL; + bus->n_fds = 0; + +- if (t) +- bus->rqueue[bus->rqueue_size++] = t; ++ if (t) { ++ bus->rqueue[bus->rqueue_size++] = bus_message_ref_queued(t, bus); ++ sd_bus_message_unref(t); ++ } + + return 1; + } + +--- a/src/systemd/sd-event.h ++++ b/src/systemd/sd-event.h +@@ -84,6 +84,7 @@ + int sd_event_new(sd_event **e); + sd_event* sd_event_ref(sd_event *e); + sd_event* sd_event_unref(sd_event *e); ++sd_event_source* sd_event_source_disable_unref(sd_event_source *s); + + int sd_event_add_io(sd_event *e, sd_event_source **s, int fd, uint32_t events, sd_event_io_handler_t callback, void *userdata); + int sd_event_add_time(sd_event *e, sd_event_source **s, clockid_t clock, uint64_t usec, uint64_t accuracy, sd_event_time_handler_t callback, void *userdata); + +--- a/src/libsystemd/sd-event/sd-event.c ++++ b/src/libsystemd/sd-event/sd-event.c +@@ -580,6 +580,12 @@ + return NULL; + } + ++_public_ sd_event_source* sd_event_source_disable_unref(sd_event_source *s) { ++ if (s) ++ (void) sd_event_source_set_enabled(s, SD_EVENT_OFF); ++ return sd_event_source_unref(s); ++} ++ + static bool event_pid_changed(sd_event *e) { + assert(e); diff --git a/SPECS/systemd/systemd-bootstrap.spec b/SPECS/systemd/systemd-bootstrap.spec index 897c7d2f095..7db44bf16f7 100644 --- a/SPECS/systemd/systemd-bootstrap.spec +++ b/SPECS/systemd/systemd-bootstrap.spec 
@@ -1,65 +1,70 @@ -Summary: Bootstrap version of systemd. Workaround for systemd circular dependency. -Name: systemd-bootstrap -Version: 239 -Release: 29%{?dist} -License: LGPLv2+ and GPLv2+ and MIT -URL: https://www.freedesktop.org/wiki/Software/systemd/ -Group: System Environment/Security -Vendor: Microsoft Corporation -Distribution: Mariner -#Source0: https://github.com/systemd/systemd-stable/archive/v%{version}.tar.gz -Source0: systemd-%{version}.tar.gz -Source1: 50-security-hardening.conf -Source2: systemd.cfg -Source3: 99-dhcp-en.network - -Patch0: 01-enoX-uses-instance-number-for-vmware-hv.patch -Patch1: 02-install-general-aliases.patch -Patch2: systemd-239-default-dns-from-env.patch -Patch3: systemd-macros.patch -Patch4: systemd-239-query-duid.patch +Summary: Bootstrap version of systemd. Workaround for systemd circular dependency. +Name: systemd-bootstrap +Version: 239 +Release: 31%{?dist} +License: LGPLv2+ AND GPLv2+ AND MIT +Vendor: Microsoft Corporation +Distribution: Mariner +Group: System Environment/Security +URL: https://www.freedesktop.org/wiki/Software/systemd/ +#Source0: https://github.com/systemd/systemd-stable/archive/v%{version}.tar.gz +Source0: systemd-%{version}.tar.gz +Source1: 50-security-hardening.conf +Source2: systemd.cfg +Source3: 99-dhcp-en.network +Patch0: 01-enoX-uses-instance-number-for-vmware-hv.patch +Patch1: 02-install-general-aliases.patch +Patch2: systemd-239-default-dns-from-env.patch +Patch3: systemd-macros.patch +Patch4: systemd-239-query-duid.patch # Fix glibc-2.28 build issue. 
Checked in upstream after v239 -Patch5: systemd-239-glibc-build-fix.patch -Patch6: systemd-239-revert-mtu.patch -Patch7: systemd-239-CVE-2018-15688.patch -Patch8: systemd-239-CVE-2018-15686.patch -Patch9: systemd-239-CVE-2018-15687.patch -Patch10: systemd-239-CVE-2018-16864.patch -Patch11: systemd-239-CVE-2018-16865.patch -Patch12: systemd-239-CVE-2018-16866.patch -Patch13: Backport-FOREACH_STRING-fix-for-gcc9.patch -Patch14: Disable-argument-to-mount_cgroup_controllers.patch +Patch5: systemd-239-glibc-build-fix.patch +Patch6: systemd-239-revert-mtu.patch +Patch7: systemd-239-CVE-2018-15688.patch +Patch8: systemd-239-CVE-2018-15686.patch +Patch9: systemd-239-CVE-2018-15687.patch +Patch10: systemd-239-CVE-2018-16864.patch +Patch11: systemd-239-CVE-2018-16865.patch +Patch12: systemd-239-CVE-2018-16866.patch +Patch13: Backport-FOREACH_STRING-fix-for-gcc9.patch +Patch14: Disable-argument-to-mount_cgroup_controllers.patch # This commit from upstream fixes an issue caused by using a later version of meson. -Patch15: https://github.com/systemd/systemd/commit/8f6b442a78d0b485f044742ad90b2e8271b4e68e.patch +Patch15: https://github.com/systemd/systemd/commit/8f6b442a78d0b485f044742ad90b2e8271b4e68e.patch +Patch16: CVE-2019-3842.patch +Patch17: CVE-2019-3843.patch +Patch18: CVE-2019-3844.patch +Patch19: CVE-2019-6454.patch +Patch20: CVE-2019-20386.patch +Patch21: CVE-2020-1712.patch +Patch22: CVE-2020-13776.patch # This vulnerability is in the strict DNS-over-TLS (DoT) mechanism of systemd-resolve. # DoT is only enabled when systemd is build against gnutls. # Furthermore, strict mode DoT is not supported before v243. 
-Patch16: CVE-2018-21029.nopatch - -Requires: pam -Requires: libcap -Requires: xz -Requires: kmod -Requires: glib -Requires: libgcrypt -Requires: filesystem >= 1.1 -BuildRequires: intltool -BuildRequires: gperf -BuildRequires: libcap-devel -BuildRequires: xz-devel -BuildRequires: pam-devel -BuildRequires: perl-XML-Parser -BuildRequires: kbd -BuildRequires: kmod-devel -BuildRequires: util-linux-devel >= 2.30 -BuildRequires: libxslt -BuildRequires: docbook-style-xsl -BuildRequires: docbook-dtd-xml -BuildRequires: glib-devel -BuildRequires: meson -BuildRequires: gettext -BuildRequires: shadow-utils -BuildRequires: libgcrypt-devel +Patch23: CVE-2018-21029.nopatch +BuildRequires: docbook-dtd-xml +BuildRequires: docbook-style-xsl +BuildRequires: gettext +BuildRequires: glib-devel +BuildRequires: gperf +BuildRequires: intltool +BuildRequires: kbd +BuildRequires: kmod-devel +BuildRequires: libcap-devel +BuildRequires: libgcrypt-devel +BuildRequires: libxslt +BuildRequires: meson +BuildRequires: pam-devel +BuildRequires: perl-XML-Parser +BuildRequires: shadow-utils +BuildRequires: util-linux-devel >= 2.30 +BuildRequires: xz-devel +Requires: filesystem >= 1.1 +Requires: glib +Requires: kmod +Requires: libcap +Requires: libgcrypt +Requires: pam +Requires: xz %description Systemd is an init replacement with better process control and security @@ -73,7 +78,7 @@ Requires: glib-devel Development headers for developing applications linking to libsystemd %prep -%setup -q -n systemd-%{version} +%autosetup -p1 -n systemd-%{version} cat > config.cache << "EOF" KILL=/bin/kill HAVE_BLKID=1 @@ -82,23 +87,6 @@ BLKID_CFLAGS="-I/usr/include/blkid" cc_cv_CFLAGS__flto=no EOF -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 - sed -i "s#\#DefaultTasksMax=512#DefaultTasksMax=infinity#g" src/core/system.conf.in %build 
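Review bot: With `%autosetup -p1` in `%prep`, every declared `PatchN` is now passed to patch(1), including `Patch23: CVE-2018-21029.nopatch`, which the old explicit `%patch0`–`%patch15` list never applied. That only works if the `.nopatch` file is empty (its contents are not visible here), so I would record the constraint next to the declaration, e.g. `# Marker for CVE tooling only; must stay an empty file because %autosetup applies every PatchN.` The `%setup -q` → `%autosetup -p1` hunk in SPECS/systemd/systemd.spec has the same dependency. Separately, Patch16–Patch22 carry no comment naming the upstream commit they were backported from, unlike Patch15; a one-line `# Upstream: <commit URL>` above each would make later audits of these CVE fixes easier.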
@@ -106,8 +94,8 @@ export LANG=en_US.UTF-8 export LC_ALL=en_US.UTF-8 CFLAGS="%{build_cflags} -Wno-error=format-overflow=" \ meson --prefix %{_prefix} \ - --sysconfdir /etc \ - --localstatedir /var \ + --sysconfdir %{_sysconfdir} \ + --localstatedir %{_var} \ -Dblkid=true \ -Dbuildtype=release \ -Ddefault-dnssec=no \ @@ -121,11 +109,11 @@ meson --prefix %{_prefix} \ -Dpam=true \ -Dlibcurl=false \ -Dpolkit=true \ - -Ddbuspolicydir=/etc/dbus-1/system.d \ - -Ddbussessionservicedir=%{_prefix}/share/dbus-1/services \ - -Ddbussystemservicedir=%{_prefix}/share/dbus-1/system-services \ - -Dsysvinit-path=/etc/rc.d/init.d \ - -Drc-local=/etc/rc.d/rc.local \ + -Ddbuspolicydir=%{_sysconfdir}/dbus-1/system.d \ + -Ddbussessionservicedir=%{_datadir}/dbus-1/services \ + -Ddbussystemservicedir=%{_datadir}/dbus-1/system-services \ + -Dsysvinit-path=%{_sysconfdir}/rc.d/init.d \ + -Drc-local=%{_sysconfdir}/rc.d/rc.local \ $PWD build && cd build && %ninja_build 
@@ -138,16 +126,16 @@ for tool in runlevel reboot shutdown poweroff halt telinit; do ln -sfv ../bin/systemctl %{buildroot}/sbin/${tool} done ln -sfv ../lib/systemd/systemd %{buildroot}/sbin/init -sed -i '/srv/d' %{buildroot}/usr/lib/tmpfiles.d/home.conf -sed -i "s:0775 root lock:0755 root root:g" %{buildroot}/usr/lib/tmpfiles.d/legacy.conf +sed -i '/srv/d' %{buildroot}%{_lib}/tmpfiles.d/home.conf +sed -i "s:0775 root lock:0755 root root:g" %{buildroot}%{_lib}/tmpfiles.d/legacy.conf sed -i "s:NamePolicy=kernel database onboard slot path:NamePolicy=kernel database:g" %{buildroot}/lib/systemd/network/99-default.link -sed -i "s:#LLMNR=yes:LLMNR=false:g" %{buildroot}/etc/systemd/resolved.conf +sed -i "s:#LLMNR=yes:LLMNR=false:g" %{buildroot}%{_sysconfdir}/systemd/resolved.conf rm -f %{buildroot}%{_var}/log/README mkdir -p %{buildroot}%{_localstatedir}/opt/journal/log mkdir -p %{buildroot}%{_localstatedir}/log ln -sfv %{_localstatedir}/opt/journal/log %{buildroot}%{_localstatedir}/log/journal -find %{buildroot} -name '*.la' -delete +find %{buildroot} -type f -name "*.la" -delete -print install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/sysctl.d install -dm 0755 %{buildroot}/boot/ install -m 0644 %{SOURCE2} %{buildroot}/boot/ @@ -156,12 +144,12 @@ ln -sfv multi-user.target %{buildroot}/lib/systemd/system/default.target install -dm 0755 %{buildroot}/%{_sysconfdir}/systemd/network install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/systemd/network -%post -/sbin/ldconfig -%postun -/sbin/ldconfig +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig + %clean rm -rf %{buildroot}/* + %files %defattr(-,root,root) %license LICENSE.GPL2 @@ -235,7 +223,7 @@ rm -rf %{buildroot}/* %{_datadir}/bash-completion/* %{_datadir}/factory/* %{_datadir}/dbus-1 -%{_datadir}/doc/* +%{_docdir}/* %{_mandir}/man[1578]/* %{_datadir}/polkit-1 %{_datadir}/systemd 
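Review bot: The two `sed` lines for `home.conf` and `legacy.conf` now build their path as `%{buildroot}%{_lib}/tmpfiles.d/...`, which is only correct if this distribution's macro set defines `%{_lib}` as an absolute path. In stock RPM `%{_lib}` expands to a bare `lib` or `lib64`, which would give `<buildroot>lib/tmpfiles.d/...`. The `legacy.conf` edit is the one that tightens `0775 root lock` to `0755 root root`, so it should not depend on a macro whose meaning varies between macro sets. Consider `%{buildroot}%{_prefix}/lib/tmpfiles.d/legacy.conf` (and likewise for `home.conf`), which reproduces the old `/usr/lib` path explicitly. The matching hunk in SPECS/systemd/systemd.spec has the same two lines.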
@@ -256,191 +244,297 @@ rm -rf %{buildroot}/* %{_mandir}/man3/* %changelog +* Fri Nov 13 2020 Nicolas Ontiveros - 239-31 +- Fix CVE-2019-6454 patch. Add upstream patch info. +- Fix CVE-2020-1712 patch. Add upstream patch info. + +* Thu Oct 22 2020 Nicolas Ontiveros - 239-30 +- Use autosetup +- Fix CVE-2019-3842 +- Fix CVE-2019-3843 +- Fix CVE-2019-3844 +- Fix CVE-2019-6454 +- Fix CVE-2019-20386 +- Fix CVE-2020-1712 +- Fix CVE-2020-13776 + * Tue Aug 11 2020 Mateusz Malisz 239-29 - Reduce kptr_restrict to 1 + * Tue Jun 09 2020 Nicolas Ontiveros 239-28 - Change summary to address circular dependency. + * Fri May 29 2020 Nicolas Ontiveros 239-27 - Fork from systemd.spec. - Do not include cryptsetup in BR. This breaks a circular dependency. + * Wed May 20 2020 Joe Schmitt 239-26 - Remove 99-vmware-hotplug.rules. -* Sat May 09 00:20:49 PST 2020 Nick Samson - 239-25 + +* Sat May 09 2020 Nick Samson - 239-25 - Added %%license line automatically + * Wed May 06 2020 Emre Girgin 239-24 - Renaming docbook-xsl to docbook-style-xsl + * Wed May 06 2020 Emre Girgin 239-23 - Renaming docbook-xml to docbook-dtd-xml + * Wed May 06 2020 Emre Girgin 239-22 - Renaming Linux-PAM to pam + * Wed May 06 2020 Emre Girgin 239-21 - Renaming XML-Parser to perl-XML-Parser + * Tue May 05 2020 Joe Schmitt 239-20 - Remove unused rdrand-rng after kernel update. + * Thu Apr 23 2020 Emre Girgin 239-19 - Ignore CVE-2018-21029. + * Fri Apr 17 2020 Emre Girgin 239-18 - Rename shadow to shadow-utils. + * Thu Apr 16 2020 Emre Girgin 239-17 - Resolve build issues arising from upgrading meson to 0.49.2. + * Thu Apr 09 2020 Henry Beberman 239-16 - Add patch to disable arguments to mount_cgroup_controllers as in upstream latest. + * Tue Apr 07 2020 Paul Monson 239-15 - Update Source0 link. License verified. + * Tue Mar 31 2020 Henry Beberman 239-14 - Backport upstream fix for FOREACH_STRING macro. + * Tue Mar 24 2020 Henry Beberman 239-13 - Add -Wno-error=format-overflow= to fix gcc9 build. 
+ * Thu Feb 27 2020 Henry Beberman 239-12 - Disable libcurl auto-configure + * Tue Sep 03 2019 Mateusz Malisz 239-11 - Initial CBL-Mariner import from Photon (license: Apache2). + * Thu Jan 10 2019 Anish Swaminathan 239-10 - Fix CVE-2018-16864, CVE-2018-16865, CVE-2018-16866 + * Wed Jan 09 2019 Keerthana K 239-9 - Seting default values for tcp_timestamps, tcp_challenge_ack_limit and ip_forward. + * Wed Jan 02 2019 Anish Swaminathan 239-8 - Fix CVE-2018-15686, CVE-2018-15687 + * Sun Nov 11 2018 Tapas Kundu 239-7 - Fix CVE-2018-15688 + * Fri Oct 26 2018 Srivatsa S. Bhat (VMware) 239-6 - Auto-load rdrand-rng kernel module only on x86. + * Fri Oct 26 2018 Anish Swaminathan 239-5 - Revert the commit that causes GCE networkd timeout - https://github.com/systemd/systemd/commit/44b598a1c9d11c23420a5ef45ff11bcb0ed195eb + * Mon Oct 08 2018 Srinidhi Rao 239-4 - Add glib-devel as a Requirement to systemd-devel + * Fri Sep 21 2018 Alexey Makhalov 239-3 - Fix compilation issue against glibc-2.28 + * Tue Sep 18 2018 Srivatsa S. Bhat 239-2 - Automatically load rdrand-rng kernel module on every boot. + * Tue Aug 28 2018 Anish Swaminathan 239-1 - Update systemd to 239 + * Wed Apr 11 2018 Xiaolin Li 236-3 - Build systemd with util-linux 2.32. + * Wed Jan 17 2018 Divya Thaluru 236-2 - Fixed the log file directory structure + * Fri Dec 29 2017 Anish Swaminathan 236-1 - Update systemd to 236 + * Thu Nov 09 2017 Vinay Kulkarni 233-11 - Fix CVE-2017-15908 dns packet loop fix. + * Tue Nov 07 2017 Vinay Kulkarni 233-10 - Fix nullptr access during link disable. + * Mon Sep 18 2017 Anish Swaminathan 233-9 - Backport router solicitation backoff from systemd 234 + * Fri Sep 15 2017 Anish Swaminathan 233-8 - Move network file to systemd package + * Tue Aug 15 2017 Alexey Makhalov 233-7 - Fix compilation issue for glibc-2.26 + * Fri Jul 21 2017 Vinay Kulkarni 233-6 - Fix for CVE-2017-1000082. + * Fri Jul 07 2017 Vinay Kulkarni 233-5 - Fix default-dns-from-env patch. 
+ * Wed Jul 05 2017 Xiaolin Li 233-4 - Add kmod-devel to BuildRequires + * Thu Jun 29 2017 Vinay Kulkarni 233-3 - Fix for CVE-2017-9445. + * Tue Jun 20 2017 Anish Swaminathan 233-2 - Fix for CVE-2017-9217 + * Mon Mar 06 2017 Vinay Kulkarni 233-1 - Update systemd to 233 + * Tue Jan 3 2017 Alexey Makhalov 232-5 - Added /boot/systemd.cfg + * Tue Dec 20 2016 Alexey Makhalov 232-4 - Fix initrd-switch-root issue + * Wed Dec 07 2016 Xiaolin Li 232-3 - BuildRequires Linux-PAM-devel + * Thu Dec 01 2016 Xiaolin Li 232-2 - disable-elfutils. + * Fri Nov 18 2016 Anish Swaminathan 232-1 - Update systemd to 232 + * Thu Nov 3 2016 Divya Thaluru 228-32 - Added logic to reload services incase of rpm upgrade + * Thu Sep 29 2016 Vinay Kulkarni 228-31 - Fix a CVE in systemd-notify socket. + * Mon Aug 29 2016 Alexey Makhalov 228-30 - 02-install-general-aliases.patch to create absolute symlinks + * Fri Aug 26 2016 Anish Swaminathan 228-29 - Change config file properties for 99-default.link + * Tue Aug 16 2016 Vinay Kulkarni 228-28 - systemd-resolved: Fix DNS_TRANSACTION_PENDING assert. + * Mon Aug 1 2016 Divya Thaluru 228-27 - Removed packaging of symlinks and will be created during installation + * Tue Jul 12 2016 Vinay Kulkarni 228-26 - systemd-resolved: Fix DNS domains resolv.conf search issue for static DNS. + * Mon Jul 11 2016 Vinay Kulkarni 228-25 - systemd-networkd: Update DUID/IAID config interface to systemd v230 spec. + * Tue Jun 21 2016 Anish Swaminathan 228-24 - Change config file properties + * Fri Jun 17 2016 Vinay Kulkarni 228-23 - systemd-resolved: Configure initial DNS servers from environment var. 
+ * Mon Jun 06 2016 Alexey Makhalov 228-22 - systemd-resolved: disable LLMNR + * Tue May 24 2016 Priyesh Padmavilasom 228-21 - GA - Bump release of all rpms + * Tue May 17 2016 Anish Swaminathan 228-20 - Added patch for letting kernel handle ndisc + * Tue May 17 2016 Divya Thaluru 228-19 - Updated systemd-user PAM configuration + * Mon May 16 2016 Harish Udaiya Kumar 228-18 - Updated the MaxTasks to infinity in system.conf file + * Thu Apr 21 2016 Mahmoud Bassiouny 228-17 - Set the default.target to the multi-user.target + * Tue Apr 12 2016 Vinay Kulkarni 228-16 - Disable network interface renaming. + * Thu Mar 31 2016 Vinay Kulkarni 228-15 - Patch to query DHCP DUID, IAID.f + * Wed Mar 30 2016 Vinay Kulkarni 228-14 - Update DHCP DUID, IAID configuration patch. + * Wed Mar 30 2016 Kumar Kaushik 228-13 - Install the security hardening script as part of systemd. + * Tue Mar 29 2016 Kumar Kaushik 228-12 - Added patch for timedatectl /etc/adjtime PR2749. + * Fri Mar 11 2016 Anish Swaminathan 228-11 - Added patch for dhcp preservation via duid iaid configurability + * Fri Mar 11 2016 Anish Swaminathan 228-10 - Added patch for swap disconnect order + * Thu Mar 10 2016 XIaolin Li 228-9 - Enable manpages. + * Fri Feb 19 2016 Anish Swaminathan 228-8 - Added patch to get around systemd-networkd wait online timeout + * Sat Feb 06 2016 Alexey Makhalov 228-7 - Added patch: fix-reading-routes. + * Wed Feb 03 2016 Anish Swaminathan 228-6 - Add hotplug udev rules. + * Tue Jan 12 2016 Anish Swaminathan 228-5 - Change config file attributes. + * Wed Jan 06 2016 Anish Swaminathan 228-4 - Patches for minor network fixes. + * Wed Dec 16 2015 Anish Swaminathan 228-3 - Patch for ostree. + * Wed Dec 16 2015 Anish Swaminathan 228-2 - Patch for loopback address. + * Fri Dec 11 2015 Anish Swaminathan 228-1 - Upgrade systemd version. + * Mon Nov 30 2015 Mahmoud Bassiouny 216-13 - Removing the reference of lock user + * Fri Oct 9 2015 Xiaolin Li 216-12 - Removing la files from packages. 
+ * Fri Sep 18 2015 Divya Thaluru 216-11 - Packaging journal log directory + * Thu Sep 10 2015 Alexey Makhalov 216-10 - Improve enoX renaming in VMware HV case. Patch is added. + * Tue Aug 25 2015 Alexey Makhalov 216-9 - Reduce systemd-networkd boot time (exclude if-rename patch). + * Mon Jul 20 2015 Divya Thaluru 216-8 - Adding sysvinit support + * Mon Jul 06 2015 Kumar Kaushik 216-7 - Fixing networkd/udev race condition for renaming interface. + * Thu Jun 25 2015 Sharath George 216-6 - Remove debug files. + * Tue Jun 23 2015 Divya Thaluru 216-5 - Building compat libs + * Mon Jun 1 2015 Alexey Makhalov 216-4 - gudev support + * Wed May 27 2015 Divya Thaluru 216-3 - Removing packing of PAM configuration files + * Mon May 18 2015 Touseef Liaqat 216-2 - Update according to UsrMove. + * Mon Oct 27 2014 Sharath George 216-1 - Initial build. First version diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec index 795793355ea..2ca346be0f6 100644 --- a/SPECS/systemd/systemd.spec +++ b/SPECS/systemd/systemd.spec 
@@ -1,76 +1,80 @@ -Summary: Systemd-239 -Name: systemd -Version: 239 -Release: 32%{?dist} -License: LGPLv2+ and GPLv2+ and MIT -URL: https://www.freedesktop.org/wiki/Software/systemd/ -Group: System Environment/Security -Vendor: Microsoft Corporation -Distribution: Mariner -#Source0: https://github.com/systemd/systemd-stable/archive/v%{version}.tar.gz -Source0: %{name}-%{version}.tar.gz -Source1: 50-security-hardening.conf -Source2: systemd.cfg -Source3: 99-dhcp-en.network - -Patch0: 01-enoX-uses-instance-number-for-vmware-hv.patch -Patch1: 02-install-general-aliases.patch -Patch2: systemd-239-default-dns-from-env.patch -Patch3: systemd-macros.patch -Patch4: systemd-239-query-duid.patch +Summary: Systemd-239 +Name: systemd +Version: 239 +Release: 34%{?dist} +License: LGPLv2+ AND GPLv2+ AND MIT +Vendor: Microsoft Corporation +Distribution: Mariner +Group: System Environment/Security +URL: https://www.freedesktop.org/wiki/Software/systemd/ +#Source0: https://github.com/systemd/systemd-stable/archive/v%{version}.tar.gz +Source0: %{name}-%{version}.tar.gz +Source1: 50-security-hardening.conf +Source2: systemd.cfg +Source3: 99-dhcp-en.network +Patch0: 01-enoX-uses-instance-number-for-vmware-hv.patch +Patch1: 02-install-general-aliases.patch +Patch2: systemd-239-default-dns-from-env.patch +Patch3: systemd-macros.patch +Patch4: systemd-239-query-duid.patch # Fix glibc-2.28 build issue. 
Checked in upstream after v239 -Patch5: systemd-239-glibc-build-fix.patch -Patch6: systemd-239-revert-mtu.patch -Patch7: systemd-239-CVE-2018-15688.patch -Patch8: systemd-239-CVE-2018-15686.patch -Patch9: systemd-239-CVE-2018-15687.patch -Patch10: systemd-239-CVE-2018-16864.patch -Patch11: systemd-239-CVE-2018-16865.patch -Patch12: systemd-239-CVE-2018-16866.patch -Patch13: Backport-FOREACH_STRING-fix-for-gcc9.patch -Patch14: Disable-argument-to-mount_cgroup_controllers.patch +Patch5: systemd-239-glibc-build-fix.patch +Patch6: systemd-239-revert-mtu.patch +Patch7: systemd-239-CVE-2018-15688.patch +Patch8: systemd-239-CVE-2018-15686.patch +Patch9: systemd-239-CVE-2018-15687.patch +Patch10: systemd-239-CVE-2018-16864.patch +Patch11: systemd-239-CVE-2018-16865.patch +Patch12: systemd-239-CVE-2018-16866.patch +Patch13: Backport-FOREACH_STRING-fix-for-gcc9.patch +Patch14: Disable-argument-to-mount_cgroup_controllers.patch # This commit from upstream fixes an issue caused by using a later version of meson. -Patch15: https://github.com/systemd/systemd/commit/8f6b442a78d0b485f044742ad90b2e8271b4e68e.patch +Patch15: https://github.com/systemd/systemd/commit/8f6b442a78d0b485f044742ad90b2e8271b4e68e.patch +Patch16: CVE-2019-3842.patch +Patch17: CVE-2019-3843.patch +Patch18: CVE-2019-3844.patch +Patch19: CVE-2019-6454.patch +Patch20: CVE-2019-20386.patch +Patch21: CVE-2020-1712.patch +Patch22: CVE-2020-13776.patch # This vulnerability is in the strict DNS-over-TLS (DoT) mechanism of systemd-resolve. # DoT is only enabled when systemd is build against gnutls. # Furthermore, strict mode DoT is not supported before v243. 
-Patch16: CVE-2018-21029.nopatch - +Patch23: CVE-2018-21029.nopatch #Portablectl patches for --now --enable and --no-block flags support -Patch100: 100-portabled-allow-to-detach-an-image-with-a-unit-in-li.patch -Patch101: 101-Portabled-fix-inspect-on-image-attached-as-directory.patch -Patch102: 102-portablectl-add-now-and-enable-to-attach-detach.patch -Patch103: 103-core-allow-portablectl-to-load-new-services-without-.patch -Patch104: 104-portablectl-block-when-stopping-a-unit-on-detach-now.patch -Patch105: 105-portablectl-use-replace-unload-when-stopping-a-servi.patch -Patch106: 106-portabled-implement-container-host-os-release-interf.patch - -Obsoletes: systemd-bootstrap -Requires: pam -Requires: libcap -Requires: xz -Requires: kmod -Requires: glib -Requires: libgcrypt -Requires: filesystem >= 1.1 -BuildRequires: intltool -BuildRequires: gperf -BuildRequires: libcap-devel -BuildRequires: xz-devel -BuildRequires: pam-devel -BuildRequires: perl-XML-Parser -BuildRequires: kbd -BuildRequires: kmod-devel -BuildRequires: util-linux-devel >= 2.30 -BuildRequires: libxslt -BuildRequires: docbook-style-xsl -BuildRequires: docbook-dtd-xml -BuildRequires: glib-devel -BuildRequires: meson -BuildRequires: gettext -BuildRequires: shadow-utils -BuildRequires: libgcrypt-devel -BuildRequires: cryptsetup-devel +Patch100: 100-portabled-allow-to-detach-an-image-with-a-unit-in-li.patch +Patch101: 101-Portabled-fix-inspect-on-image-attached-as-directory.patch +Patch102: 102-portablectl-add-now-and-enable-to-attach-detach.patch +Patch103: 103-core-allow-portablectl-to-load-new-services-without-.patch +Patch104: 104-portablectl-block-when-stopping-a-unit-on-detach-now.patch +Patch105: 105-portablectl-use-replace-unload-when-stopping-a-servi.patch +Patch106: 106-portabled-implement-container-host-os-release-interf.patch +BuildRequires: cryptsetup-devel +BuildRequires: docbook-dtd-xml +BuildRequires: docbook-style-xsl +BuildRequires: gettext +BuildRequires: glib-devel +BuildRequires: gperf 
+BuildRequires: intltool +BuildRequires: kbd +BuildRequires: kmod-devel +BuildRequires: libcap-devel +BuildRequires: libgcrypt-devel +BuildRequires: libxslt +BuildRequires: meson +BuildRequires: pam-devel +BuildRequires: perl-XML-Parser +BuildRequires: shadow-utils +BuildRequires: util-linux-devel >= 2.30 +BuildRequires: xz-devel +Requires: filesystem >= 1.1 +Requires: glib +Requires: kmod +Requires: libcap +Requires: libgcrypt +Requires: pam +Requires: xz +Obsoletes: systemd-bootstrap %description Systemd is an init replacement with better process control and security @@ -78,7 +82,7 @@ Systemd is an init replacement with better process control and security %package devel Summary: Development headers for systemd Requires: %{name} = %{version}-%{release} -Requires: glib-devel +Requires: glib-devel %description devel Development headers for developing applications linking to libsystemd @@ -91,7 +95,7 @@ Requires: %{name} = %{version}-%{release} Language pack for systemd %prep -%setup -q +%autosetup -p1 cat > config.cache << "EOF" KILL=/bin/kill HAVE_BLKID=1 @@ -100,32 +104,6 @@ BLKID_CFLAGS="-I/usr/include/blkid" cc_cv_CFLAGS__flto=no EOF -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 - -# Portablectl patches -%patch100 -p1 -%patch101 -p1 -%patch102 -p1 -%patch103 -p1 -%patch104 -p1 -%patch105 -p1 -%patch106 -p1 - sed -i "s#\#DefaultTasksMax=512#DefaultTasksMax=infinity#g" src/core/system.conf.in %build @@ -133,8 +111,8 @@ export LANG=en_US.UTF-8 export LC_ALL=en_US.UTF-8 CFLAGS="%{build_cflags} -Wno-error=format-overflow=" \ meson --prefix %{_prefix} \ - --sysconfdir /etc \ - --localstatedir /var \ + --sysconfdir %{_sysconfdir} \ + --localstatedir %{_var} \ -Dblkid=true \ -Dbuildtype=release \ -Ddefault-dnssec=no \ 
@@ -150,11 +128,11 @@ meson --prefix %{_prefix} \ -Dpolkit=true \ -Dlibcryptsetup=true \ -Dgcrypt=true \ - -Ddbuspolicydir=/etc/dbus-1/system.d \ - -Ddbussessionservicedir=%{_prefix}/share/dbus-1/services \ - -Ddbussystemservicedir=%{_prefix}/share/dbus-1/system-services \ - -Dsysvinit-path=/etc/rc.d/init.d \ - -Drc-local=/etc/rc.d/rc.local \ + -Ddbuspolicydir=%{_sysconfdir}/dbus-1/system.d \ + -Ddbussessionservicedir=%{_datadir}/dbus-1/services \ + -Ddbussystemservicedir=%{_datadir}/dbus-1/system-services \ + -Dsysvinit-path=%{_sysconfdir}/rc.d/init.d \ + -Drc-local=%{_sysconfdir}/rc.d/rc.local \ $PWD build && cd build && %ninja_build 
@@ -167,17 +145,17 @@ for tool in runlevel reboot shutdown poweroff halt telinit; do ln -sfv ../bin/systemctl %{buildroot}/sbin/${tool} done ln -sfv ../lib/systemd/systemd %{buildroot}/sbin/init -sed -i '/srv/d' %{buildroot}/usr/lib/tmpfiles.d/home.conf -sed -i "s:0775 root lock:0755 root root:g" %{buildroot}/usr/lib/tmpfiles.d/legacy.conf +sed -i '/srv/d' %{buildroot}%{_lib}/tmpfiles.d/home.conf +sed -i "s:0775 root lock:0755 root root:g" %{buildroot}%{_lib}/tmpfiles.d/legacy.conf sed -i "s:NamePolicy=kernel database onboard slot path:NamePolicy=kernel database:g" %{buildroot}/lib/systemd/network/99-default.link -sed -i "s:#LLMNR=yes:LLMNR=false:g" %{buildroot}/etc/systemd/resolved.conf -sed -i "s:#NTP=:NTP=time.windows.com:g" %{buildroot}/etc/systemd/timesyncd.conf +sed -i "s:#LLMNR=yes:LLMNR=false:g" %{buildroot}%{_sysconfdir}/systemd/resolved.conf +sed -i "s:#NTP=:NTP=time.windows.com:g" %{buildroot}%{_sysconfdir}/systemd/timesyncd.conf rm -f %{buildroot}%{_var}/log/README mkdir -p %{buildroot}%{_localstatedir}/opt/journal/log mkdir -p %{buildroot}%{_localstatedir}/log ln -sfv %{_localstatedir}/opt/journal/log %{buildroot}%{_localstatedir}/log/journal -find %{buildroot} -name '*.la' -delete +find %{buildroot} -type f -name "*.la" -delete -print install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/sysctl.d install -dm 0700 %{buildroot}/boot/ install -m 0600 %{SOURCE2} %{buildroot}/boot/ @@ -187,12 +165,12 @@ install -dm 0755 %{buildroot}/%{_sysconfdir}/systemd/network install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/systemd/network %find_lang %{name} ../%{name}.lang -%post -/sbin/ldconfig -%postun -/sbin/ldconfig +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig + %clean rm -rf %{buildroot}/* + %files %defattr(-,root,root) %license LICENSE.GPL2 @@ -266,7 +244,7 @@ rm -rf %{buildroot}/* %{_datadir}/bash-completion/* %{_datadir}/factory/* %{_datadir}/dbus-1 -%{_datadir}/doc/* +%{_docdir}/* %{_mandir}/man[1578]/* %{_datadir}/polkit-1 %{_datadir}/systemd 
@@ -289,196 +267,305 @@ rm -rf %{buildroot}/* %files lang -f %{name}.lang %changelog +* Fri Nov 13 2020 Nicolas Ontiveros - 239-34 +- Fix CVE-2019-6454 patch. Add upstream patch info. +- Fix CVE-2020-1712 patch. Add upstream patch info. + +* Thu Oct 22 2020 Nicolas Ontiveros - 239-33 +- Use autosetup +- Fix CVE-2019-3842 +- Fix CVE-2019-3843 +- Fix CVE-2019-3844 +- Fix CVE-2019-6454 +- Fix CVE-2019-20386 +- Fix CVE-2020-1712 +- Fix CVE-2020-13776 + * Wed Sep 23 2020 Suresh Babu Chalamalasetty 239-32 - Portablectl patches for --now --enable and --no-block flags support + * Mon Aug 24 2020 Leandro Pereira 239-31 - Use time.windows.com as the default NTP server in timesyncd. + * Tue Aug 11 2020 Mateusz Malisz 239-30 - Reduce kptr_restrict to 1 + * Fri May 29 2020 Nicolas Ontiveros 239-29 - Include cryptsetup to build cryptsetup generator. + * Wed May 27 2020 Chris Co 239-28 - Disable IPv6 router advertisements by default + * Wed May 20 2020 Emre Girgin 239-27 - Change /boot directory permissions to 600. + * Wed May 20 2020 Joe Schmitt 239-26 - Remove 99-vmware-hotplug.rules. -* Sat May 09 00:20:49 PST 2020 Nick Samson - 239-25 + +* Sat May 09 2020 Nick Samson - 239-25 - Added %%license line automatically + * Wed May 06 2020 Emre Girgin 239-24 - Renaming docbook-xsl to docbook-style-xsl + * Wed May 06 2020 Emre Girgin 239-23 - Renaming docbook-xml to docbook-dtd-xml + * Wed May 06 2020 Emre Girgin 239-22 - Renaming Linux-PAM to pam + * Wed May 06 2020 Emre Girgin 239-21 - Renaming XML-Parser to perl-XML-Parser + * Tue May 05 2020 Joe Schmitt 239-20 - Remove unused rdrand-rng after kernel update. + * Thu Apr 23 2020 Emre Girgin 239-19 - Ignore CVE-2018-21029. + * Fri Apr 17 2020 Emre Girgin 239-18 - Rename shadow to shadow-utils. + * Thu Apr 16 2020 Emre Girgin 239-17 - Resolve build issues arising from upgrading meson to 0.49.2. + * Thu Apr 09 2020 Henry Beberman 239-16 - Add patch to disable arguments to mount_cgroup_controllers as in upstream latest. 
+ * Tue Apr 07 2020 Paul Monson 239-15 - Update Source0 link. License verified. + * Tue Mar 31 2020 Henry Beberman 239-14 - Backport upstream fix for FOREACH_STRING macro. + * Tue Mar 24 2020 Henry Beberman 239-13 - Add -Wno-error=format-overflow= to fix gcc9 build. + * Thu Feb 27 2020 Henry Beberman 239-12 - Disable libcurl auto-configure + * Tue Sep 03 2019 Mateusz Malisz 239-11 - Initial CBL-Mariner import from Photon (license: Apache2). + * Thu Jan 10 2019 Anish Swaminathan 239-10 - Fix CVE-2018-16864, CVE-2018-16865, CVE-2018-16866 + * Wed Jan 09 2019 Keerthana K 239-9 - Seting default values for tcp_timestamps, tcp_challenge_ack_limit and ip_forward. + * Wed Jan 02 2019 Anish Swaminathan 239-8 - Fix CVE-2018-15686, CVE-2018-15687 + * Sun Nov 11 2018 Tapas Kundu 239-7 - Fix CVE-2018-15688 + * Fri Oct 26 2018 Srivatsa S. Bhat (VMware) 239-6 - Auto-load rdrand-rng kernel module only on x86. + * Fri Oct 26 2018 Anish Swaminathan 239-5 - Revert the commit that causes GCE networkd timeout - https://github.com/systemd/systemd/commit/44b598a1c9d11c23420a5ef45ff11bcb0ed195eb + * Mon Oct 08 2018 Srinidhi Rao 239-4 - Add glib-devel as a Requirement to systemd-devel + * Fri Sep 21 2018 Alexey Makhalov 239-3 - Fix compilation issue against glibc-2.28 + * Tue Sep 18 2018 Srivatsa S. Bhat 239-2 - Automatically load rdrand-rng kernel module on every boot. + * Tue Aug 28 2018 Anish Swaminathan 239-1 - Update systemd to 239 + * Wed Apr 11 2018 Xiaolin Li 236-3 - Build systemd with util-linux 2.32. + * Wed Jan 17 2018 Divya Thaluru 236-2 - Fixed the log file directory structure + * Fri Dec 29 2017 Anish Swaminathan 236-1 - Update systemd to 236 + * Thu Nov 09 2017 Vinay Kulkarni 233-11 - Fix CVE-2017-15908 dns packet loop fix. + * Tue Nov 07 2017 Vinay Kulkarni 233-10 - Fix nullptr access during link disable. 
+ * Mon Sep 18 2017 Anish Swaminathan 233-9 - Backport router solicitation backoff from systemd 234 + * Fri Sep 15 2017 Anish Swaminathan 233-8 - Move network file to systemd package + * Tue Aug 15 2017 Alexey Makhalov 233-7 - Fix compilation issue for glibc-2.26 + * Fri Jul 21 2017 Vinay Kulkarni 233-6 - Fix for CVE-2017-1000082. + * Fri Jul 07 2017 Vinay Kulkarni 233-5 - Fix default-dns-from-env patch. + * Wed Jul 05 2017 Xiaolin Li 233-4 - Add kmod-devel to BuildRequires + * Thu Jun 29 2017 Vinay Kulkarni 233-3 - Fix for CVE-2017-9445. + * Tue Jun 20 2017 Anish Swaminathan 233-2 - Fix for CVE-2017-9217 + * Mon Mar 06 2017 Vinay Kulkarni 233-1 - Update systemd to 233 + * Tue Jan 3 2017 Alexey Makhalov 232-5 - Added /boot/systemd.cfg + * Tue Dec 20 2016 Alexey Makhalov 232-4 - Fix initrd-switch-root issue + * Wed Dec 07 2016 Xiaolin Li 232-3 - BuildRequires Linux-PAM-devel + * Thu Dec 01 2016 Xiaolin Li 232-2 - disable-elfutils. + * Fri Nov 18 2016 Anish Swaminathan 232-1 - Update systemd to 232 + * Thu Nov 3 2016 Divya Thaluru 228-32 - Added logic to reload services incase of rpm upgrade + * Thu Sep 29 2016 Vinay Kulkarni 228-31 - Fix a CVE in systemd-notify socket. + * Mon Aug 29 2016 Alexey Makhalov 228-30 - 02-install-general-aliases.patch to create absolute symlinks + * Fri Aug 26 2016 Anish Swaminathan 228-29 - Change config file properties for 99-default.link + * Tue Aug 16 2016 Vinay Kulkarni 228-28 - systemd-resolved: Fix DNS_TRANSACTION_PENDING assert. + * Mon Aug 1 2016 Divya Thaluru 228-27 - Removed packaging of symlinks and will be created during installation + * Tue Jul 12 2016 Vinay Kulkarni 228-26 - systemd-resolved: Fix DNS domains resolv.conf search issue for static DNS. + * Mon Jul 11 2016 Vinay Kulkarni 228-25 - systemd-networkd: Update DUID/IAID config interface to systemd v230 spec. 
+ * Tue Jun 21 2016 Anish Swaminathan 228-24 - Change config file properties + * Fri Jun 17 2016 Vinay Kulkarni 228-23 - systemd-resolved: Configure initial DNS servers from environment var. + * Mon Jun 06 2016 Alexey Makhalov 228-22 - systemd-resolved: disable LLMNR + * Tue May 24 2016 Priyesh Padmavilasom 228-21 - GA - Bump release of all rpms + * Tue May 17 2016 Anish Swaminathan 228-20 - Added patch for letting kernel handle ndisc + * Tue May 17 2016 Divya Thaluru 228-19 - Updated systemd-user PAM configuration + * Mon May 16 2016 Harish Udaiya Kumar 228-18 - Updated the MaxTasks to infinity in system.conf file + * Thu Apr 21 2016 Mahmoud Bassiouny 228-17 - Set the default.target to the multi-user.target + * Tue Apr 12 2016 Vinay Kulkarni 228-16 - Disable network interface renaming. + * Thu Mar 31 2016 Vinay Kulkarni 228-15 - Patch to query DHCP DUID, IAID.f + * Wed Mar 30 2016 Vinay Kulkarni 228-14 - Update DHCP DUID, IAID configuration patch. + * Wed Mar 30 2016 Kumar Kaushik 228-13 - Install the security hardening script as part of systemd. + * Tue Mar 29 2016 Kumar Kaushik 228-12 - Added patch for timedatectl /etc/adjtime PR2749. + * Fri Mar 11 2016 Anish Swaminathan 228-11 - Added patch for dhcp preservation via duid iaid configurability + * Fri Mar 11 2016 Anish Swaminathan 228-10 - Added patch for swap disconnect order + * Thu Mar 10 2016 XIaolin Li 228-9 - Enable manpages. + * Fri Feb 19 2016 Anish Swaminathan 228-8 - Added patch to get around systemd-networkd wait online timeout + * Sat Feb 06 2016 Alexey Makhalov 228-7 - Added patch: fix-reading-routes. + * Wed Feb 03 2016 Anish Swaminathan 228-6 - Add hotplug udev rules. + * Tue Jan 12 2016 Anish Swaminathan 228-5 - Change config file attributes. + * Wed Jan 06 2016 Anish Swaminathan 228-4 - Patches for minor network fixes. + * Wed Dec 16 2015 Anish Swaminathan 228-3 - Patch for ostree. + * Wed Dec 16 2015 Anish Swaminathan 228-2 - Patch for loopback address. 
+ * Fri Dec 11 2015 Anish Swaminathan 228-1 - Upgrade systemd version. + * Mon Nov 30 2015 Mahmoud Bassiouny 216-13 - Removing the reference of lock user + * Fri Oct 9 2015 Xiaolin Li 216-12 - Removing la files from packages. + * Fri Sep 18 2015 Divya Thaluru 216-11 - Packaging journal log directory + * Thu Sep 10 2015 Alexey Makhalov 216-10 - Improve enoX renaming in VMware HV case. Patch is added. + * Tue Aug 25 2015 Alexey Makhalov 216-9 - Reduce systemd-networkd boot time (exclude if-rename patch). + * Mon Jul 20 2015 Divya Thaluru 216-8 - Adding sysvinit support + * Mon Jul 06 2015 Kumar Kaushik 216-7 - Fixing networkd/udev race condition for renaming interface. + * Thu Jun 25 2015 Sharath George 216-6 - Remove debug files. + * Tue Jun 23 2015 Divya Thaluru 216-5 - Building compat libs + * Mon Jun 1 2015 Alexey Makhalov 216-4 - gudev support + * Wed May 27 2015 Divya Thaluru 216-3 - Removing packing of PAM configuration files + * Mon May 18 2015 Touseef Liaqat 216-2 - Update according to UsrMove. + * Mon Oct 27 2014 Sharath George 216-1 - Initial build. First version diff --git a/SPECS/tcpdump/CVE-2020-8037.patch b/SPECS/tcpdump/CVE-2020-8037.patch new file mode 100644 index 00000000000..2852845eb74 --- /dev/null +++ b/SPECS/tcpdump/CVE-2020-8037.patch 
@@ -0,0 +1,63 @@ +From 32027e199368dad9508965aae8cd8de5b6ab5231 Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Sat, 18 Apr 2020 14:04:59 -0700 +Subject: [PATCH] PPP: When un-escaping, don't allocate a too-large buffer. + +The buffer should be big enough to hold the captured data, but it +doesn't need to be big enough to hold the entire on-the-network packet, +if we haven't captured all of it. + +(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334) +--- + print-ppp.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/print-ppp.c b/print-ppp.c +index 891761728..33fb03412 100644 +--- a/print-ppp.c ++++ b/print-ppp.c +@@ -1367,19 +1367,29 @@ print_bacp_config_options(netdissect_options *ndo, + return 0; + } + ++/* ++ * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes. ++ * The length argument is the on-the-wire length, not the captured ++ * length; we can only un-escape the captured part. ++ */ + static void + ppp_hdlc(netdissect_options *ndo, + const u_char *p, int length) + { ++ u_int caplen = ndo->ndo_snapend - p; + u_char *b, *t, c; + const u_char *s; +- int i, proto; ++ u_int i; ++ int proto; + const void *se; + ++ if (caplen == 0) ++ return; ++ + if (length <= 0) + return; + +- b = (u_char *)malloc(length); ++ b = (u_char *)malloc(caplen); + if (b == NULL) + return; + +@@ -1388,10 +1398,10 @@ ppp_hdlc(netdissect_options *ndo, + * Do this so that we dont overwrite the original packet + * contents. + */ +- for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) { ++ for (s = p, t = b, i = caplen; i != 0; i--) { + c = *s++; + if (c == 0x7d) { +- if (i <= 1 || !ND_TTEST(*s)) ++ if (i <= 1) + break; + i--; + c = *s++ ^ 0x20; diff --git a/SPECS/tcpdump/tcpdump.spec b/SPECS/tcpdump/tcpdump.spec index df3210db52b..15082341742 100644 --- a/SPECS/tcpdump/tcpdump.spec +++ b/SPECS/tcpdump/tcpdump.spec 
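Review bot: With both `ND_TTEST` checks dropped from the un-escape loop, the only bound left is `caplen`, which is `ndo->ndo_snapend - p` stored into a `u_int`; the `caplen == 0` test covers `p == ndo->ndo_snapend`, but a `p` past the snapshot end would wrap to a very large count for both `malloc` and the copy loop. The callers of `ppp_hdlc` are outside this patch, so whether they always pass a pointer inside the captured data cannot be confirmed from here and is worth checking against the 4.9.3 sources the spec builds. If the backport is to be hardened rather than kept verbatim, replacing the `caplen == 0` test with `if (p >= ndo->ndo_snapend) return;` makes the precondition explicit. The rest of `ppp_hdlc`, including any later use of `length`, lies beyond the end of the patch hunk.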
@@ -1,13 +1,14 @@ Summary: Packet Analyzer Name: tcpdump Version: 4.9.3 -Release: 2%{?dist} +Release: 3%{?dist} License: BSD -URL: https://www.tcpdump.org -Source0: https://www.tcpdump.org/release/%{name}-%{version}.tar.gz -Group: Networking Vendor: Microsoft Corporation Distribution: Mariner +Group: Networking +URL: https://www.tcpdump.org +Source0: https://www.tcpdump.org/release/%{name}-%{version}.tar.gz +Patch0: CVE-2020-8037.patch BuildRequires: libpcap-devel Requires: libpcap @@ -17,7 +18,7 @@ It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. %prep -%setup -q +%autosetup -p1 %build %configure @@ -25,7 +26,7 @@ make %{?_smp_mflags} %install make DESTDIR=%{buildroot} install -find %{buildroot} -name '*.la' -delete +find %{buildroot} -type f -name "*.la" -delete -print %check make %{?_smp_mflags} check 
@@ -37,43 +38,57 @@ make %{?_smp_mflags} check %{_mandir}/man1/* %changelog +* Fri Nov 13 2020 Thomas Crain - 4.9.3-3 +- Patch CVE-2020-8037 +- Lint to Mariner style + * Sat May 09 00:21:40 PST 2020 Nick Samson - 4.9.3-2 - Added %%license line automatically -* Tue Apr 21 2020 Emre Girgin 4.9.3-1 -- Upgrade to 4.9.3 to resolve 28 CVEs. -- Fixed CVE-2020-10103. -- Fixed CVE-2020-10105. -- Update Source0 and URL. -- License verified. -* Tue Sep 03 2019 Mateusz Malisz 4.9.2-3 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Thu Mar 14 2019 Michelle Wang 4.9.2-2 -- Add patch CVE-2018-19519 -* Fri Sep 15 2017 Dheeraj Shetty 4.9.2-1 -- Updating version to 4.9.2 -* Thu Sep 07 2017 Dheeraj Shetty 4.9.1-2 -- Fix for CVE-2017-11541 CVE-2017-11542 and CVE-2017-11543 -* Thu Aug 03 2017 Dheeraj Shetty 4.9.1-1 -- Updating version to 4.9.1 -* Thu Feb 02 2017 Dheeraj Shetty 4.9.0-1 -- Adding latest version to handle following CVEs -- CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, -- CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, -- CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, -- CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, -- CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, -- CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, -- CVE-2016-7985, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, -- CVE-2016-8574, CVE-2016-8575, CVE-2017-5202, CVE-2017-5203, -- CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, -- CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, -- CVE-2017-5486 -* Tue Oct 04 2016 ChangLee 4.7.4-3 -- Modified %check -* Tue May 24 2016 Priyesh Padmavilasom 4.7.4-2 -- GA - Bump release of all rpms -* Wed Jan 20 2016 Anish Swaminathan 4.7.4-1 -- Upgrade version. -* Mon Apr 6 2015 Mahmoud Bassiouny 4.7.3-1 -- Updating version to 4.7.3 +* Tue Apr 21 2020 Emre Girgin - 4.9.3-1 +- Upgrade to 4.9.3 to resolve 28 CVEs. +- Fixed CVE-2020-10103. +- Fixed CVE-2020-10105. 
+- Update Source0 and URL. +- License verified. + +* Tue Sep 03 2019 Mateusz Malisz - 4.9.2-3 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Thu Mar 14 2019 Michelle Wang - 4.9.2-2 +- Add patch CVE-2018-19519 + +* Fri Sep 15 2017 Dheeraj Shetty - 4.9.2-1 +- Updating version to 4.9.2 + +* Thu Sep 07 2017 Dheeraj Shetty - 4.9.1-2 +- Fix for CVE-2017-11541 CVE-2017-11542 and CVE-2017-11543 + +* Thu Aug 03 2017 Dheeraj Shetty - 4.9.1-1 +- Updating version to 4.9.1 + +* Thu Feb 02 2017 Dheeraj Shetty - 4.9.0-1 +- Adding latest version to handle following CVEs +- CVE-2016-7922, CVE-2016-7923, CVE-2016-7924, CVE-2016-7925, +- CVE-2016-7926, CVE-2016-7927, CVE-2016-7928, CVE-2016-7929, +- CVE-2016-7930, CVE-2016-7931, CVE-2016-7932, CVE-2016-7933, +- CVE-2016-7934, CVE-2016-7935, CVE-2016-7936, CVE-2016-7937, +- CVE-2016-7938, CVE-2016-7939, CVE-2016-7940, CVE-2016-7973, +- CVE-2016-7974, CVE-2016-7975, CVE-2016-7983, CVE-2016-7984, +- CVE-2016-7985, CVE-2016-7986, CVE-2016-7992, CVE-2016-7993, +- CVE-2016-8574, CVE-2016-8575, CVE-2017-5202, CVE-2017-5203, +- CVE-2017-5204, CVE-2017-5205, CVE-2017-5341, CVE-2017-5342, +- CVE-2017-5482, CVE-2017-5483, CVE-2017-5484, CVE-2017-5485, +- CVE-2017-5486 + +* Tue Oct 04 2016 ChangLee - 4.7.4-3 +- Modified %check + +* Tue May 24 2016 Priyesh Padmavilasom - 4.7.4-2 +- GA - Bump release of all rpms + +* Wed Jan 20 2016 Anish Swaminathan - 4.7.4-1 +- Upgrade version. + +* Mon Apr 6 2015 Mahmoud Bassiouny - 4.7.3-1 +- Updating version to 4.7.3 diff --git a/SPECS/tcsh/tcsh.spec b/SPECS/tcsh/tcsh.spec index 84b945c3a71..ee2f1fe638f 100644 --- a/SPECS/tcsh/tcsh.spec +++ b/SPECS/tcsh/tcsh.spec 
@@ -2,21 +2,32 @@ Summary: An enhanced version of csh, the C shell Name: tcsh Version: 6.20.00 -Release: 8%{?dist} +Release: 9%{?dist} License: BSD +Vendor: Microsoft Corporation +Distribution: Mariner Group: System Environment/Shells -Source: https://astron.com/pub/%{name}/old/%{name}-%{version}.tar.gz +URL: https://www.tcsh.org/ +Source0: https://astron.com/pub/%{name}/old/%{name}-%{version}.tar.gz + # patch origin http://pkgs.fedoraproject.org/cgit/rpms/tcsh.git/ Patch0: tcsh-6.20.00-009-fix-regexp-for-backlash-quoting-tests.patch -URL: https://www.tcsh.org/ -Vendor: Microsoft Corporation -Distribution: Mariner -Provides: csh = %{version} -Provides: /bin/tcsh, /bin/csh + BuildRequires: ncurses-devel + +%if %{with_check} +BuildRequires: shadow-utils +BuildRequires: sudo +%endif + Requires: ncurses Requires(post): /bin/grep -Requires(postun): coreutils /bin/grep +Requires(postun): /bin/grep +Requires(postun): coreutils + +Provides: csh = %{version} +Provides: /bin/csh +Provides: /bin/tcsh %description Tcsh is an enhanced but completely compatible version of csh, the C 
@@ -74,36 +85,37 @@ sudo -u test make check && userdel test -r -f %clean rm -rf %{buildroot} + %post if [ $1 -eq 1 ] ; then - if [ ! -f /etc/shells ]; then - echo "%{_bindir}/tcsh" >> /etc/shells - echo "%{_bindir}/csh" >> /etc/shells - echo "/bin/tcsh" >> /etc/shells - echo "/bin/csh" >> /etc/shells + if [ ! -f %{_sysconfdir}/shells ]; then + echo "%{_bindir}/tcsh" >> %{_sysconfdir}/shells + echo "%{_bindir}/csh" >> %{_sysconfdir}/shells + echo "/bin/tcsh" >> %{_sysconfdir}/shells + echo "/bin/csh" >> %{_sysconfdir}/shells else - grep -q '^%{_bindir}/tcsh$' /etc/shells || \ - echo "%{_bindir}/tcsh" >> /etc/shells - grep -q '^%{_bindir}/csh$' /etc/shells || \ - echo "%{_bindir}/csh" >> /etc/shells - grep -q '^/bin/tcsh$' /etc/shells || \ - echo "/bin/tcsh" >> /etc/shells - grep -q '^/bin/csh$' /etc/shells || \ - echo "/bin/csh" >> /etc/shells + grep -q '^%{_bindir}/tcsh$' %{_sysconfdir}/shells || \ + echo "%{_bindir}/tcsh" >> %{_sysconfdir}/shells + grep -q '^%{_bindir}/csh$' %{_sysconfdir}/shells || \ + echo "%{_bindir}/csh" >> %{_sysconfdir}/shells + grep -q '^/bin/tcsh$' %{_sysconfdir}/shells || \ + echo "/bin/tcsh" >> %{_sysconfdir}/shells + grep -q '^/bin/csh$' %{_sysconfdir}/shells || \ + echo "/bin/csh" >> %{_sysconfdir}/shells fi fi %postun if [ $1 -eq 0 ] ; then if [ ! -x %{_bindir}/tcsh ]; then - grep -v '^%{_bindir}/tcsh$' /etc/shells | \ - grep -v '^%{_bindir}/csh$' > /etc/shells.rpm && \ - mv /etc/shells.rpm /etc/shells + grep -v '^%{_bindir}/tcsh$' %{_sysconfdir}/shells | \ + grep -v '^%{_bindir}/csh$' > %{_sysconfdir}/shells.rpm && \ + mv %{_sysconfdir}/shells.rpm %{_sysconfdir}/shells fi if [ ! -x /bin/tcsh ]; then - grep -v '^/bin/tcsh$' /etc/shells | \ - grep -v '^/bin/csh$' > /etc/shells.rpm && \ - mv /etc/shells.rpm /etc/shells + grep -v '^/bin/tcsh$' %{_sysconfdir}/shells | \ + grep -v '^/bin/csh$' > %{_sysconfdir}/shells.rpm && \ + mv %{_sysconfdir}/shells.rpm %{_sysconfdir}/shells fi fi 
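Review bot: In `%postun` the rewritten `grep -v ... | grep -v ... > %{_sysconfdir}/shells.rpm && mv ...` pipelines replace the shells file only when the last `grep -v` prints at least one line, because grep exits 1 on empty output. On a system whose shells file lists nothing but the tcsh/csh entries, the `mv` is skipped, the entries for the removed shell stay in place and `shells.rpm` is left behind. That file is what other tools consult to decide which login shells are valid, so stale entries are worth avoiding: deleting in place, for example `sed -i -e '\:^/bin/tcsh$:d' -e '\:^/bin/csh$:d' %{_sysconfdir}/shells`, removes the dependence on grep's exit status, at the cost of adding sed to `Requires(postun)`. The temporary file is also created under whatever umask the scriptlet runs with, so the mode of the replaced file is not pinned.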
@@ -115,33 +127,50 @@ fi %{_mandir}/man1/*.1* %changelog -* Sat May 09 00:21:11 PST 2020 Nick Samson - 6.20.00-8 -- Added %%license line automatically -* Mon Apr 13 2020 Eric Li 6.20.00-7 -- Verified license. -* Thu Apr 09 2020 Nicolas Ontiveros 6.20.00-6 -- Remove toybox and only use coreutils for requires. -* Tue Sep 03 2019 Mateusz Malisz 6.20.00-5 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Mon Sep 18 2017 Alexey Makhalov 6.20.00-4 -- Requires coreutils or toybox and /bin/grep -* Tue Jun 6 2017 Alexey Makhalov 6.20.00-3 -- Fix make check issues. -* Tue Apr 25 2017 Priyesh Padmavilasom 6.20.00-2 -- Ensure non empty debuginfo -* Tue Mar 28 2017 Xiaolin Li 6.20.00-1 -- Updated to version 6.20.00 -* Tue Feb 07 2017 Divya Thaluru 6.19.00-6 -- Added /bin/csh and /bin/tsch entries in /etc/shells -* Wed Dec 14 2016 Alexey Makhalov 6.19.00-5 -- tcsh.glibc-2.24.patch -* Wed May 25 2016 Anish Swaminathan 6.19.00-4 -- Fix calloc for gcc 5 optimization -* Tue May 24 2016 Priyesh Padmavilasom 6.19.00-3 -- GA - Bump release of all rpms -* Wed May 4 2016 Priyesh Padmavilasom 6.19.00-2 -- Fix for upgrade issues -* Thu Jan 21 2016 Anish Swaminathan 6.19.00-1 -- Upgrade version -* Wed Apr 1 2015 Divya Thaluru 6.18.01-1 -- Initial build. First version +* Mon Nov 16 2020 Pawel Winogrodzki - 6.20.00-9 +- Adding 'BuildRequires' on 'shadow-utils' and 'sudo' to fix the package tests. + +* Sat May 09 2020 Nick Samson - 6.20.00-8 +- Added %%license line automatically + +* Mon Apr 13 2020 Eric Li - 6.20.00-7 +- Verified license. + +* Thu Apr 09 2020 Nicolas Ontiveros - 6.20.00-6 +- Remove toybox and only use coreutils for requires. + +* Tue Sep 03 2019 Mateusz Malisz - 6.20.00-5 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Mon Sep 18 2017 Alexey Makhalov - 6.20.00-4 +- Requires coreutils or toybox and /bin/grep + +* Tue Jun 6 2017 Alexey Makhalov - 6.20.00-3 +- Fix make check issues. 
+ +* Tue Apr 25 2017 Priyesh Padmavilasom - 6.20.00-2 +- Ensure non empty debuginfo + +* Tue Mar 28 2017 Xiaolin Li - 6.20.00-1 +- Updated to version 6.20.00 + +* Tue Feb 07 2017 Divya Thaluru - 6.19.00-6 +- Added /bin/csh and /bin/tsch entries in /etc/shells + +* Wed Dec 14 2016 Alexey Makhalov - 6.19.00-5 +- tcsh.glibc-2.24.patch + +* Wed May 25 2016 Anish Swaminathan - 6.19.00-4 +- Fix calloc for gcc 5 optimization + +* Tue May 24 2016 Priyesh Padmavilasom - 6.19.00-3 +- GA - Bump release of all rpms + +* Wed May 4 2016 Priyesh Padmavilasom - 6.19.00-2 +- Fix for upgrade issues + +* Thu Jan 21 2016 Anish Swaminathan - 6.19.00-1 +- Upgrade version + +* Wed Apr 1 2015 Divya Thaluru - 6.18.01-1 +- Initial build. First version diff --git a/SPECS/tdnf/tdnf.spec b/SPECS/tdnf/tdnf.spec index f84e356c748..29fee739268 100644 --- a/SPECS/tdnf/tdnf.spec +++ b/SPECS/tdnf/tdnf.spec 
@@ -5,39 +5,19 @@ Summary: dnf/yum equivalent using C libs Name: tdnf Version: 2.1.0 -Release: 4%{?dist} +Release: 5%{?dist} +License: LGPLv2.1 AND GPLv2 Vendor: Microsoft Corporation Distribution: Mariner -License: LGPLv2.1 and GPLv2 -URL: https://github.com/vmware/tdnf/wiki Group: Applications/RPM -Requires: rpm-libs -Requires: curl -Requires: tdnf-cli-libs = %{version}-%{release} -Requires: libsolv -Requires: openssl-libs -BuildRequires: popt-devel -BuildRequires: rpm-devel -BuildRequires: openssl-devel -BuildRequires: libsolv-devel -BuildRequires: curl-devel -#plugin repogpgcheck -BuildRequires: gpgme-devel -BuildRequires: cmake -BuildRequires: python3-devel -%if %{with_check} -BuildRequires: createrepo_c -BuildRequires: glib -BuildRequires: libxml2 -%endif -Obsoletes: yum -Provides: yum +URL: https://github.com/vmware/tdnf/wiki #Source0: https://github.com/vmware/tdnf/archive/v%{version}.tar.gz Source0: %{name}-%{version}.tar.gz Source1: cache-updateinfo Source2: cache-updateinfo.service Source3: cache-updateinfo.timer Source4: tdnfrepogpgcheck.conf + Patch0: tdnf-fix-distroverpkg-search.patch Patch1: tdnf-ssl-support.patch Patch2: tdnf-add-download-command.patch 
@@ -47,23 +27,52 @@ Patch5: tdnf-support-multiple-gpgkeys.patch Patch6: tdnf-add-download-no-deps-command.patch Patch7: tdnf-use-custom-keyring-for-gpg-checks.patch +BuildRequires: cmake +BuildRequires: curl-devel +#plugin repogpgcheck +BuildRequires: gpgme-devel +BuildRequires: libsolv-devel +BuildRequires: openssl-devel +BuildRequires: popt-devel +BuildRequires: python3-devel +BuildRequires: rpm-devel + +%if %{with_check} +BuildRequires: createrepo_c +BuildRequires: glib +BuildRequires: libxml2 +BuildRequires: python3-requests +BuildRequires: python3-setuptools +BuildRequires: python3-xml +%endif + +Requires: curl +Requires: libsolv +Requires: openssl-libs +Requires: rpm-libs +Requires: tdnf-cli-libs = %{version}-%{release} + +Obsoletes: yum +Provides: yum + %description tdnf is a yum/dnf equivalent which uses libsolv and libcurl %define _tdnfpluginsdir %{_libdir}/tdnf-plugins %package devel -Summary: A Library providing C API for tdnf -Group: Development/Libraries -Requires: tdnf = %{version}-%{release} -Requires: libsolv-devel +Summary: A Library providing C API for tdnf +Group: Development/Libraries + +Requires: libsolv-devel +Requires: tdnf = %{version}-%{release} %description devel Development files for tdnf %package cli-libs -Summary: Library providing cli libs for tdnf like clients -Group: Development/Libraries +Summary: Library providing cli libs for tdnf like clients +Group: Development/Libraries %description cli-libs Library providing cli libs for tdnf like clients. @@ -71,6 +80,7 @@ Library providing cli libs for tdnf like clients. %package plugin-repogpgcheck Summary: tdnf plugin providing gpg verification for repository metadata Group: Development/Libraries + Requires: gpgme %description plugin-repogpgcheck @@ -79,7 +89,9 @@ tdnf plugin providing gpg verification for repository metadata %package python Summary: python bindings for tdnf Group: Development/Libraries + Requires: python3 + %description python python bindings for tdnf 
@@ -99,19 +111,21 @@ cmake \ make %{?_smp_mflags} && make python %check +easy_install_3=$(ls /usr/bin |grep easy_install |grep 3) +$easy_install_3 pytest cd build && make %{?_smp_mflags} check %install cd build && make DESTDIR=%{buildroot} install find %{buildroot} -name '*.a' -delete -mkdir -p %{buildroot}/var/cache/tdnf +mkdir -p %{buildroot}%{_var}/cache/tdnf ln -sf %{_bindir}/tdnf %{buildroot}%{_bindir}/tyum ln -sf %{_bindir}/tdnf %{buildroot}%{_bindir}/yum install -v -D -m 0755 %{SOURCE1} %{buildroot}%{_bindir}/tdnf-cache-updateinfo install -v -D -m 0644 %{SOURCE2} %{buildroot}%{_libdir}/systemd/system/tdnf-cache-updateinfo.service install -v -D -m 0644 %{SOURCE3} %{buildroot}%{_libdir}/systemd/system/tdnf-cache-updateinfo.timer install -v -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/tdnf/pluginconf.d/tdnfrepogpgcheck.conf -mv %{buildroot}/usr/lib/pkgconfig/tdnfcli.pc %{buildroot}/usr/lib/pkgconfig/tdnf-cli-libs.pc +mv %{buildroot}%{_lib}/pkgconfig/tdnfcli.pc %{buildroot}%{_lib}/pkgconfig/tdnf-cli-libs.pc mkdir -p %{buildroot}/%{_tdnfpluginsdir}/tdnfrepogpgcheck mv %{buildroot}/%{_tdnfpluginsdir}/libtdnfrepogpgcheck.so %{buildroot}/%{_tdnfpluginsdir}/tdnfrepogpgcheck/libtdnfrepogpgcheck.so 
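Review bot: The two lines added to `%check` fetch pytest from the network at build time: `$easy_install_3 pytest` resolves an unpinned package from the default index with no version or hash check, so test runs are not reproducible, depend on whatever the index serves that day, and fail in a build root without network access. The `ls /usr/bin |grep easy_install |grep 3` lookup also expands to several words if more than one file matches, and leaves `pytest` itself as the command if none does. If the distribution ships pytest as a package, declaring it next to the other test dependencies, `BuildRequires: python3-pytest` inside the `%if %{with_check}` block, removes the download; that package name is assumed and should be checked against the repository. Failing that, pinning an exact version and verifying its hash before installing would at least fix the input.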
@@ -150,159 +164,215 @@ find %{buildroot} -name '*.pyc' -delete %files %license COPYING - %defattr(-,root,root,0755) - %{_bindir}/tdnf - %{_bindir}/tyum - %{_bindir}/yum - %{_bindir}/tdnf-cache-updateinfo - %{_libdir}/libtdnf.so.* - %config(noreplace) %{_sysconfdir}/tdnf/tdnf.conf - %config %{_libdir}/systemd/system/tdnf-cache-updateinfo.service - %config(noreplace) %{_libdir}/systemd/system/tdnf-cache-updateinfo.timer - %dir /var/cache/tdnf - %{_datadir}/bash-completion/completions/tdnf - +%defattr(-,root,root,0755) +%{_bindir}/tdnf +%{_bindir}/tyum +%{_bindir}/yum +%{_bindir}/tdnf-cache-updateinfo +%{_libdir}/libtdnf.so.* +%config(noreplace) %{_sysconfdir}/tdnf/tdnf.conf +%config %{_libdir}/systemd/system/tdnf-cache-updateinfo.service +%config(noreplace) %{_libdir}/systemd/system/tdnf-cache-updateinfo.timer +%dir %{_var}/cache/tdnf +%{_datadir}/bash-completion/completions/tdnf + %files devel - %defattr(-,root,root) - %{_includedir}/tdnf/*.h - %{_libdir}/libtdnf.so - %{_libdir}/libtdnfcli.so - %exclude %{_libdir}/debug - %{_libdir}/pkgconfig/tdnf.pc - %{_libdir}/pkgconfig/tdnf-cli-libs.pc +%defattr(-,root,root) +%{_includedir}/tdnf/*.h +%{_libdir}/libtdnf.so +%{_libdir}/libtdnfcli.so +%exclude %{_libdir}/debug +%{_libdir}/pkgconfig/tdnf.pc +%{_libdir}/pkgconfig/tdnf-cli-libs.pc %files cli-libs - %defattr(-,root,root) - %{_libdir}/libtdnfcli.so.* +%defattr(-,root,root) +%{_libdir}/libtdnfcli.so.* %files plugin-repogpgcheck - %defattr(-,root,root) - %dir %{_sysconfdir}/tdnf/pluginconf.d - %config(noreplace) %{_sysconfdir}/tdnf/pluginconf.d/tdnfrepogpgcheck.conf - %{_tdnfpluginsdir}/tdnfrepogpgcheck/libtdnfrepogpgcheck.so +%defattr(-,root,root) +%dir %{_sysconfdir}/tdnf/pluginconf.d +%config(noreplace) %{_sysconfdir}/tdnf/pluginconf.d/tdnfrepogpgcheck.conf +%{_tdnfpluginsdir}/tdnfrepogpgcheck/libtdnfrepogpgcheck.so %files python - %defattr(-,root,root) - %{python3_sitelib}/* - +%defattr(-,root,root) +%{python3_sitelib}/* + %changelog -* Fri Aug 14 2020 Joe Schmitt 
2.1.0-4 -- Add tdnf-use-custom-keyring-for-gpg-checks.patch -* Thu Jul 30 2020 Joe Schmitt 2.1.0-3 -- Add tdnf-add-download-no-deps-command.patch. -* Wed Jul 29 2020 Emre Girgin 2.1.0-2 -- Fix 'repolist' command failure when gpgkey field is empty. -* Tue May 19 2020 Emre Girgin 2.1.0-1 -- Update URL, and License. -- License verified. -- Upgrade to 2.1.0. -- Add support for multiple gpgkeys in the .repo file. -* Sat May 09 00:21:26 PST 2020 Nick Samson -- Added %%license line automatically -* Tue Apr 07 2020 Nicolas Ontiveros 2.0.0-16 -- Don't install updateinfo.sh to the motdgen directory. -- Remove motd triggers. -- Fixed Source0. -* Mon Nov 25 2019 Andrew Phelps 2.0.0-15 -- Fix $basearch and $releasever handling. -* Thu Nov 21 2019 Joe Schmitt 2.0.0-14 -- Fix "showorder" output to match the rest of tdnf formatting. -* Wed Nov 20 2019 Joe Schmitt 2.0.0-13 -- Add "download" command and "showorder" option. -* Wed Oct 30 2019 Emre Girgin 2.0.0-12 -- Add support for SSL verification options in .repo files. -* Tue Sep 03 2019 Mateusz Malisz 2.0.0-11 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Mar 15 2019 Ankit Jain 2.0.0-10 -- Added skipconflicts and skipobsoletes to check command. -* Thu Mar 14 2019 Keerthana K 2.0.0-9 -- GPGCheck fix on RPM version 4.14.2 -* Mon Mar 04 2019 Keerthana K 2.0.0-8 -- makecache and refresh command updates. -* Thu Feb 14 2019 Keerthana K 2.0.0-7 -- Fix to address issues when no repos are enabled. -* Wed Jan 23 2019 Keerthana K 2.0.0-6 -- Fix Memory leak and curl status type. -* Wed Jan 02 2019 Keerthana K 2.0.0-5 -- Added make check. -* Tue Dec 04 2018 Keerthana K 2.0.0-4 -- Add support for libsolv caching. -- Fix bug in tdnf updateinfo command. -- Fix bug on list available command. -* Wed Nov 21 2018 Keerthana K 2.0.0-3 -- Update to 2.0.0 beta release. -* Mon Oct 08 2018 Keerthana K 2.0.0-2 -- Fix bug on tdnf crash when photon-iso repo only enabled without mounting cdrom. 
-* Fri Feb 09 2018 Priyesh Padmavilasom 2.0.0-1 -- update to 2.0.0 -* Tue Jan 30 2018 Priyesh Padmavilasom 1.2.2-3 -- patch to error out early for permission issues. -* Tue Oct 10 2017 Priyesh Padmavilasom 1.2.2-2 -- Fix bug in obsolete protected packages. -* Wed Oct 4 2017 Priyesh Padmavilasom 1.2.2-1 -- update to v1.2.2 -* Sat Sep 30 2017 Priyesh Padmavilasom 1.2.1-5 -- Output problems while resolving to stderr (instead of stdout) -* Wed Sep 27 2017 Bo Gan 1.2.1-4 -- Improve suggestion in motd message -* Thu Sep 14 2017 Bo Gan 1.2.1-3 -- Add suggestion in motd message -* Fri Jul 21 2017 Priyesh Padmavilasom 1.2.1-2 -- Modify quiet patch. -* Tue Jul 18 2017 Priyesh Padmavilasom 1.2.1-1 -- Update to v1.2.1 -* Tue May 30 2017 Bo Gan 1.2.0-5 -- Fix cache-updateinfo script again -* Fri May 12 2017 Priyesh Padmavilasom 1.2.0-4 -- Patch repo refresh to allow quiet flags -* Wed May 10 2017 Bo Gan 1.2.0-3 -- Fix cache-updateinfo script -* Fri May 05 2017 Priyesh Padmavilasom 1.2.0-2 -- Fix Requires for cli-libs -* Wed May 03 2017 Priyesh Padmavilasom 1.2.0-1 -- update to v1.2.0 -* Sun Apr 30 2017 Bo Gan 1.1.0-5 -- Do not write to stdout in motd triggers -* Thu Apr 20 2017 Bo Gan 1.1.0-4 -- motd hooks/triggers for updateinfo notification -* Fri Apr 14 2017 Dheerajs Shetty 1.1.0-3 -- Adding a patch to compile with latest hawkey version -* Mon Dec 19 2016 Xiaolin Li 1.1.0-2 -- BuildRequires libsolv-devel. -* Thu Dec 08 2016 Priyesh Padmavilasom 1.1.0-1 -- update to v1.1.0 -* Thu Nov 17 2016 Alexey Makhalov 1.0.9-3 -- Use rpm-libs at runtime -* Tue May 24 2016 Priyesh Padmavilasom 1.0.9-2 -- GA - Bump release of all rpms -* Fri May 20 2016 Priyesh Padmavilasom 1.0.9-1 -- Update to 1.0.9. Contains fixes for updateinfo. 
-* Wed May 4 2016 Priyesh Padmavilasom 1.0.8-3 -- Fix link installs, fix devel header dir -* Fri Apr 1 2016 Priyesh Padmavilasom 1.0.8-2 -- Update version which was missed with 1.0.8-1, apply string limits -* Fri Apr 1 2016 Priyesh Padmavilasom 1.0.8-1 -- Code scan fixes, autotest path fix, support --releasever -* Thu Jan 14 2016 Priyesh Padmavilasom 1.0.7 -- Fix return codes on install and check-update -- Add tests for install existing and update -* Wed Jan 13 2016 Priyesh Padmavilasom 1.0.6 -- Support distroverpkg and add tests to work with make check -* Mon Dec 14 2015 Priyesh Padmavilasom 1.0.5 -- Support for multiple packages in alter commands -- Support url vars for releasever and basearch -* Fri Oct 2 2015 Priyesh Padmavilasom 1.0.4 -- Fix upgrade to work without args, Engage distro-sync -- Fix install to resolve to latest available -- Fix formats, fix refresh on download output -* Tue Sep 8 2015 Priyesh Padmavilasom 1.0.3 -- Fix metadata creation issues. Engage refresh flag. -- Do not check gpgkey when gpgcheck is turned off in repo. -* Thu Jul 23 2015 Priyesh Padmavilasom 1.0.2 -- Support reinstalls in transaction. Handle non-existent packages correctly. -* Mon Jul 13 2015 Alexey Makhalov 1.0.1-2 -- Create -debuginfo package. Use parallel make. -* Tue Jun 30 2015 Priyesh Padmavilasom 1.0.1 -- Proxy support, keepcache fix, valgrind leaks fix -* Fri Jan 23 2015 Priyesh Padmavilasom 1.0 -- Initial build. First version +* Mon Nov 16 2020 Pawel Winogrodzki - 2.1.0-5 +- Extending 'BuildRequires' with "pytest's" dependencies to fix the package tests. + +* Fri Aug 14 2020 Joe Schmitt - 2.1.0-4 +- Add tdnf-use-custom-keyring-for-gpg-checks.patch + +* Thu Jul 30 2020 Joe Schmitt - 2.1.0-3 +- Add tdnf-add-download-no-deps-command.patch. + +* Wed Jul 29 2020 Emre Girgin - 2.1.0-2 +- Fix 'repolist' command failure when gpgkey field is empty. + +* Tue May 19 2020 Emre Girgin - 2.1.0-1 +- Update URL, and License. +- License verified. +- Upgrade to 2.1.0. 
+- Add support for multiple gpgkeys in the .repo file. + +* Sat May 09 00:21:26 PST 2020 Nick Samson +- Added %%license line automatically + +* Tue Apr 07 2020 Nicolas Ontiveros - 2.0.0-16 +- Don't install updateinfo.sh to the motdgen directory. +- Remove motd triggers. +- Fixed Source0. + +* Mon Nov 25 2019 Andrew Phelps - 2.0.0-15 +- Fix $basearch and $releasever handling. + +* Thu Nov 21 2019 Joe Schmitt - 2.0.0-14 +- Fix "showorder" output to match the rest of tdnf formatting. + +* Wed Nov 20 2019 Joe Schmitt - 2.0.0-13 +- Add "download" command and "showorder" option. + +* Wed Oct 30 2019 Emre Girgin - 2.0.0-12 +- Add support for SSL verification options in .repo files. + +* Tue Sep 03 2019 Mateusz Malisz - 2.0.0-11 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Mar 15 2019 Ankit Jain - 2.0.0-10 +- Added skipconflicts and skipobsoletes to check command. + +* Thu Mar 14 2019 Keerthana K - 2.0.0-9 +- GPGCheck fix on RPM version 4.14.2 + +* Mon Mar 04 2019 Keerthana K - 2.0.0-8 +- makecache and refresh command updates. + +* Thu Feb 14 2019 Keerthana K - 2.0.0-7 +- Fix to address issues when no repos are enabled. + +* Wed Jan 23 2019 Keerthana K - 2.0.0-6 +- Fix Memory leak and curl status type. + +* Wed Jan 02 2019 Keerthana K - 2.0.0-5 +- Added make check. + +* Tue Dec 04 2018 Keerthana K - 2.0.0-4 +- Add support for libsolv caching. +- Fix bug in tdnf updateinfo command. +- Fix bug on list available command. + +* Wed Nov 21 2018 Keerthana K - 2.0.0-3 +- Update to 2.0.0 beta release. + +* Mon Oct 08 2018 Keerthana K - 2.0.0-2 +- Fix bug on tdnf crash when photon-iso repo only enabled without mounting cdrom. + +* Fri Feb 09 2018 Priyesh Padmavilasom - 2.0.0-1 +- update to 2.0.0 + +* Tue Jan 30 2018 Priyesh Padmavilasom - 1.2.2-3 +- patch to error out early for permission issues. + +* Tue Oct 10 2017 Priyesh Padmavilasom - 1.2.2-2 +- Fix bug in obsolete protected packages. 
+ +* Wed Oct 4 2017 Priyesh Padmavilasom - 1.2.2-1 +- update to v1.2.2 + +* Sat Sep 30 2017 Priyesh Padmavilasom - 1.2.1-5 +- Output problems while resolving to stderr (instead of stdout) + +* Wed Sep 27 2017 Bo Gan - 1.2.1-4 +- Improve suggestion in motd message + +* Thu Sep 14 2017 Bo Gan - 1.2.1-3 +- Add suggestion in motd message + +* Fri Jul 21 2017 Priyesh Padmavilasom - 1.2.1-2 +- Modify quiet patch. + +* Tue Jul 18 2017 Priyesh Padmavilasom - 1.2.1-1 +- Update to v1.2.1 + +* Tue May 30 2017 Bo Gan - 1.2.0-5 +- Fix cache-updateinfo script again + +* Fri May 12 2017 Priyesh Padmavilasom - 1.2.0-4 +- Patch repo refresh to allow quiet flags + +* Wed May 10 2017 Bo Gan - 1.2.0-3 +- Fix cache-updateinfo script + +* Fri May 05 2017 Priyesh Padmavilasom - 1.2.0-2 +- Fix Requires for cli-libs + +* Wed May 03 2017 Priyesh Padmavilasom - 1.2.0-1 +- update to v1.2.0 + +* Sun Apr 30 2017 Bo Gan - 1.1.0-5 +- Do not write to stdout in motd triggers + +* Thu Apr 20 2017 Bo Gan - 1.1.0-4 +- motd hooks/triggers for updateinfo notification + +* Fri Apr 14 2017 Dheerajs Shetty - 1.1.0-3 +- Adding a patch to compile with latest hawkey version + +* Mon Dec 19 2016 Xiaolin Li - 1.1.0-2 +- BuildRequires libsolv-devel. + +* Thu Dec 08 2016 Priyesh Padmavilasom - 1.1.0-1 +- update to v1.1.0 + +* Thu Nov 17 2016 Alexey Makhalov - 1.0.9-3 +- Use rpm-libs at runtime + +* Tue May 24 2016 Priyesh Padmavilasom - 1.0.9-2 +- GA - Bump release of all rpms + +* Fri May 20 2016 Priyesh Padmavilasom - 1.0.9-1 +- Update to 1.0.9. Contains fixes for updateinfo. 
+ +* Wed May 4 2016 Priyesh Padmavilasom - 1.0.8-3 +- Fix link installs, fix devel header dir + +* Fri Apr 1 2016 Priyesh Padmavilasom - 1.0.8-2 +- Update version which was missed with 1.0.8-1, apply string limits + +* Fri Apr 1 2016 Priyesh Padmavilasom - 1.0.8-1 +- Code scan fixes, autotest path fix, support --releasever + +* Thu Jan 14 2016 Priyesh Padmavilasom - 1.0.7 +- Fix return codes on install and check-update +- Add tests for install existing and update + +* Wed Jan 13 2016 Priyesh Padmavilasom - 1.0.6 +- Support distroverpkg and add tests to work with make check + +* Mon Dec 14 2015 Priyesh Padmavilasom - 1.0.5 +- Support for multiple packages in alter commands +- Support url vars for releasever and basearch + +* Fri Oct 2 2015 Priyesh Padmavilasom - 1.0.4 +- Fix upgrade to work without args, Engage distro-sync +- Fix install to resolve to latest available +- Fix formats, fix refresh on download output + +* Tue Sep 8 2015 Priyesh Padmavilasom - 1.0.3 +- Fix metadata creation issues. Engage refresh flag. +- Do not check gpgkey when gpgcheck is turned off in repo. + +* Thu Jul 23 2015 Priyesh Padmavilasom - 1.0.2 +- Support reinstalls in transaction. Handle non-existent packages correctly. + +* Mon Jul 13 2015 Alexey Makhalov - 1.0.1-2 +- Create -debuginfo package. Use parallel make. + +* Tue Jun 30 2015 Priyesh Padmavilasom - 1.0.1 +- Proxy support, keepcache fix, valgrind leaks fix + +* Fri Jan 23 2015 Priyesh Padmavilasom - 1.0 +- Initial build. First version diff --git a/SPECS/trousers/CVE-2020-24331.nopatch b/SPECS/trousers/CVE-2020-24331.nopatch index 2483a2ee406..e69de29bb2d 100644 --- a/SPECS/trousers/CVE-2020-24331.nopatch +++ b/SPECS/trousers/CVE-2020-24331.nopatch @@ -1 +0,0 @@ -CVE-2020-24330.patch fixes this CVE as well. \ No newline at end of file diff --git a/SPECS/trousers/CVE-2020-24332.nopatch b/SPECS/trousers/CVE-2020-24332.nopatch new file mode 100644 index 00000000000..e69de29bb2d 
diff --git a/SPECS/trousers/trousers.spec b/SPECS/trousers/trousers.spec index db54b62fdfa..ca4560ef37f 100644 --- a/SPECS/trousers/trousers.spec +++ b/SPECS/trousers/trousers.spec @@ -1,19 +1,18 @@ -Summary: TCG Software Stack (TSS) -Name: trousers -Version: 0.3.14 -Release: 6%{?dist} -License: BSD-3-Clause -URL: https://sourceforge.net/projects/trousers/ -Group: System Environment/Security -Vendor: Microsoft Corporation -Distribution: Mariner -Source0: https://sourceforge.net/projects/%{name}/files/%{name}/%{version}/%{name}-%{version}.tar.gz - -# CVE-2020-24330.patch fixes both CVE-2020-24330 and CVE-2020-24331. -Patch0: CVE-2020-24330.patch -Patch1: CVE-2020-24331.nopatch - -Requires: libtspi = %{version}-%{release} +Summary: TCG Software Stack (TSS) +Name: trousers +Version: 0.3.14 +Release: 7%{?dist} +License: BSD +Vendor: Microsoft Corporation +Distribution: Mariner +Group: System Environment/Security +URL: https://sourceforge.net/projects/trousers +Source0: %{url}/files/%{name}/%{version}/%{name}-%{version}.tar.gz +# CVE-2020-24330.patch also fixes CVE-2020-24331 and CVE-2020-24332. +Patch0: CVE-2020-24330.patch +Patch1: CVE-2020-24331.nopatch +Patch2: CVE-2020-24332.nopatch +Requires: libtspi = %{version}-%{release} %description Trousers is an open-source TCG Software Stack (TSS), released under 
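Review bot: `Patch2: CVE-2020-24332.nopatch` marks CVE-2020-24332 as handled, but the only justification is the one-line comment above `Patch0`, and both `.nopatch` files are now empty, so nothing in the tree records why CVE-2020-24330.patch is believed to cover all three CVEs. A nopatch entry presumably stops the CVE tooling from reporting the issue for this package, so I would put the evidence in the comment, e.g. `# CVE-2020-24330.patch (upstream fix: <UPSTREAM_COMMIT_URL>) also fixes CVE-2020-24331 and CVE-2020-24332.`. Separately, `License: BSD` is less precise than the `BSD-3-Clause` it replaces; keep the SPDX identifier unless the distro's license list requires the short form.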
@@ -21,19 +20,20 @@ the BSD License. Trousers aims to be compliant with the 1.1b and 1.2 TSS specifications available from the Trusted Computing %package devel -Summary: The libraries and header files needed for TSS development. -Requires: libtspi = %{version}-%{release} +Summary: The libraries and header files needed for TSS development. +Requires: libtspi = %{version}-%{release} + %description devel The libraries and header files needed for TSS development. %package -n libtspi -Summary: TSPI library +Summary: TSPI library + %description -n libtspi TSPI library %prep -%setup -q -c %{name}-%{version} -%patch0 -p1 +%autosetup -c %{name}-%{version} -p1 %build %configure \ @@ -45,14 +45,14 @@ make %{?_smp_mflags} make DESTDIR=%{buildroot} install %post -mkdir -p /var/lib/tpm +mkdir -p %{_sharedstatedir}/tpm if [ $1 -eq 1 ]; then # this is initial installation if ! getent group tss >/dev/null; then groupadd tss fi if ! getent passwd tss >/dev/null; then - useradd -c "TCG Software Stack" -d /var/lib/tpm -g tss \ + useradd -c "TCG Software Stack" -d %{_sharedstatedir}/tpm -g tss \ -s /bin/false tss fi fi @@ -78,7 +78,7 @@ fi %{_sbindir}/* %{_mandir}/man5 %{_mandir}/man8 -%exclude /var +%exclude %{_var} %files devel %defattr(-,root,root) 
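Review bot: `%autosetup -c %{name}-%{version} -p1` applies every `PatchN` in the spec, so `Patch1` and `Patch2` (the `.nopatch` markers) are now fed to `patch` as well, where the old `%setup` plus `%patch0 -p1` applied only the real fix. This appears to work only because the commit empties the `.nopatch` files; any text put back into one of them, such as the explanation removed from CVE-2020-24331.nopatch, would be handed to `patch` as input and may fail `%prep`. A comment above `%autosetup` would protect that invariant: `# .nopatch files must stay empty: %%autosetup passes them to patch(1).` The `%prep` hunk of SPECS/unzip/unzip.spec (`%autosetup -p1 -n unzip60` with `Patch15: CVE-2008-0888.nopatch`) relies on the same behaviour.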
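Review bot: `mkdir -p %{_sharedstatedir}/tpm` in `%post` creates the TPM state directory root-owned, with whatever umask the scriptlet inherits, and it runs before the `tss` account is created; no mode or owner is set anywhere in this hunk. The directory is also the home of `tss` and is not owned by the package (`%exclude %{_var}` in the next hunk), so rpm never records or verifies its permissions. I would create it after the account exists, with an explicit mode and owner, e.g. `install -d -m 0700 -o tss -g tss %{_sharedstatedir}/tpm`, adjusting the mode to what tcsd expects. `%post` continues outside the hunk, so a later `chown`/`chmod` may already do this.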
@@ -95,18 +95,26 @@ fi %exclude %{_libdir}/libtddl.a %changelog -* Thu Aug 20 2020 Pawel Winogrodzki 0.3.14-6 -- Applying a patch for CVE-2020-24330 and CVE-2020-24331. -* Sat May 09 2020 Nick Samson 0.3.14-5 -- Added %%license line automatically -* Thu Apr 09 2020 Joe Schmitt 0.3.14-4 -- Update Source0 with valid URL. -- Update License. -- Remove sha1 macro. -- License verified. -* Tue Sep 03 2019 Mateusz Malisz 0.3.14-3 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Fri Oct 13 2017 Alexey Makhalov 0.3.14-2 -- Use standard configure macros -* Thu Mar 2 2017 Alexey Makhalov 0.3.14-1 -- Initial build. First version +* Tue Oct 27 2020 Thomas Crain - 0.3.14-7 +- Added nopatch file for CVE-2020-24332. + +* Thu Aug 20 2020 Pawel Winogrodzki - 0.3.14-6 +- Applying a patch for CVE-2020-24330 and CVE-2020-24331. + +* Sat May 09 2020 Nick Samson - 0.3.14-5 +- Added %%license line automatically + +* Thu Apr 09 2020 Joe Schmitt - 0.3.14-4 +- Update Source0 with valid URL. +- Update License. +- Remove sha1 macro. +- License verified. + +* Tue Sep 03 2019 Mateusz Malisz - 0.3.14-3 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Fri Oct 13 2017 Alexey Makhalov - 0.3.14-2 +- Use standard configure macros + +* Thu Mar 2 2017 Alexey Makhalov - 0.3.14-1 +- Initial build. First version diff --git a/SPECS/unzip/CVE-2008-0888.nopatch b/SPECS/unzip/CVE-2008-0888.nopatch index b504f8f1801..e69de29bb2d 100644 --- a/SPECS/unzip/CVE-2008-0888.nopatch +++ b/SPECS/unzip/CVE-2008-0888.nopatch @@ -1 +0,0 @@ -# Upstream has fixed CVE-2008-0888 in 6.0 \ No newline at end of file diff --git a/SPECS/unzip/unzip-6.0-cve-2014-8139.patch b/SPECS/unzip/CVE-2014-8139.patch similarity index 100% rename from SPECS/unzip/unzip-6.0-cve-2014-8139.patch rename to SPECS/unzip/CVE-2014-8139.patch 
diff --git a/SPECS/unzip/unzip-6.0-cve-2014-8140.patch b/SPECS/unzip/CVE-2014-8140.patch
similarity index 100%
rename from SPECS/unzip/unzip-6.0-cve-2014-8140.patch
rename to SPECS/unzip/CVE-2014-8140.patch
diff --git a/SPECS/unzip/unzip-6.0-cve-2014-8141.patch b/SPECS/unzip/CVE-2014-8141.patch
similarity index 100%
rename from SPECS/unzip/unzip-6.0-cve-2014-8141.patch
rename to SPECS/unzip/CVE-2014-8141.patch
diff --git a/SPECS/unzip/cve-2014-9636.patch b/SPECS/unzip/CVE-2014-9636.patch
similarity index 100%
rename from SPECS/unzip/cve-2014-9636.patch
rename to SPECS/unzip/CVE-2014-9636.patch
diff --git a/SPECS/unzip/unzip-CVE-2014-9913.patch b/SPECS/unzip/CVE-2014-9913.patch
similarity index 100%
rename from SPECS/unzip/unzip-CVE-2014-9913.patch
rename to SPECS/unzip/CVE-2014-9913.patch
diff --git a/SPECS/unzip/cve-2015-1315.patch b/SPECS/unzip/CVE-2015-1315.patch
similarity index 100%
rename from SPECS/unzip/cve-2015-1315.patch
rename to SPECS/unzip/CVE-2015-1315.patch
diff --git a/SPECS/unzip/unzip-CVE-2016-9844.patch b/SPECS/unzip/CVE-2016-9844.patch
similarity index 100%
rename from SPECS/unzip/unzip-CVE-2016-9844.patch
rename to SPECS/unzip/CVE-2016-9844.patch
diff --git a/SPECS/unzip/unzip-6.0-cve-2018-1000035-heap-based-overflow.patch b/SPECS/unzip/CVE-2018-1000035.patch
similarity index 100%
rename from SPECS/unzip/unzip-6.0-cve-2018-1000035-heap-based-overflow.patch
rename to SPECS/unzip/CVE-2018-1000035.patch
diff --git a/SPECS/unzip/unzip-zipbomb-part1.patch b/SPECS/unzip/unzip-zipbomb-part1-CVE-2019-13232.patch
similarity index 100%
rename from SPECS/unzip/unzip-zipbomb-part1.patch
rename to SPECS/unzip/unzip-zipbomb-part1-CVE-2019-13232.patch
diff --git a/SPECS/unzip/unzip.spec b/SPECS/unzip/unzip.spec
index 9c41e85de47..b4d0c63df69 100644
--- a/SPECS/unzip/unzip.spec
+++ b/SPECS/unzip/unzip.spec
@@ -1,7 +1,7 @@ Summary: Unzip-6.0 Name: unzip Version: 6.0 -Release: 16%{?dist} +Release: 18%{?dist} License: BSD URL: http://infozip.sourceforge.net/UnZip.html Source0: https://downloads.sourceforge.net/infozip/unzip60.tar.gz @@ -9,24 +9,22 @@ Group: System Environment/Utilities Vendor: Microsoft Corporation Distribution: Mariner -Patch0: cve-2014-9636.patch -Patch1: cve-2015-1315.patch +Patch0: CVE-2014-9636.patch +Patch1: CVE-2015-1315.patch Patch2: CVE-2015-7696.patch -Patch3: unzip-CVE-2016-9844.patch -Patch4: unzip-CVE-2014-9913.patch -# Fixes CVE-2018-18384 -Patch5: unzip_cfactor_overflow.patch -Patch6: unzip-6.0-cve-2014-8139.patch -Patch7: unzip-6.0-cve-2014-8140.patch -Patch8: unzip-6.0-cve-2014-8141.patch -# Fixes CVE-2019-13232 -Patch9: unzip-zipbomb-part1.patch +Patch3: CVE-2016-9844.patch +Patch4: CVE-2014-9913.patch +Patch5: unzip_cfactor_overflow-CVE-2018-18384.patch +Patch6: CVE-2014-8139.patch +Patch7: CVE-2014-8140.patch +Patch8: CVE-2014-8141.patch +Patch9: unzip-zipbomb-part1-CVE-2019-13232.patch Patch10: unzip-zipbomb-part2.patch Patch11: unzip-zipbomb-part3.patch Patch12: unzip-zipbomb-manpage.patch Patch13: CVE-2015-7697.patch # Fixes CVE-2018-1000035 -Patch14: unzip-6.0-cve-2018-1000035-heap-based-overflow.patch +Patch14: CVE-2018-1000035.patch # Upstream has fixed CVE-2008-0888 in 6.0 Patch15: CVE-2008-0888.nopatch @@ -36,22 +34,7 @@ for extracting files from ZIP archives. ZIP archives are created with PKZIP or Info-ZIP utilities, primarily in a DOS environment. %prep -%setup -qn unzip60 -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 +%autosetup -p1 -n unzip60 %build case `uname -m` in 
@@ -86,6 +69,11 @@ make %{?_smp_mflags} check %{_bindir}/* %changelog +* Fri Oct 23 2020 Nick Samson 6.0-18 +- Renamed patch files for CVE-2019-13232 and CVE-2018-18384 to ensure detection by CVE tooling +* Thu Oct 22 2020 Nicolas Ontiveros 6.0-17 +- Use autosetup +- Fix names for CVE patches * Mon Sep 28 2020 Daniel McIlvaney 6.0-16 - Nopatch CVE-2008-0888, fixed in 6.0 * Thu Jul 09 2020 Daniel McIlvaney 6.0-15 diff --git a/SPECS/unzip/unzip_cfactor_overflow.patch b/SPECS/unzip/unzip_cfactor_overflow-CVE-2018-18384.patch similarity index 100% rename from SPECS/unzip/unzip_cfactor_overflow.patch rename to SPECS/unzip/unzip_cfactor_overflow-CVE-2018-18384.patch diff --git a/SPECS/vim/CVE-2019-12735.patch b/SPECS/vim/CVE-2019-12735.patch deleted file mode 100644 index 83c6cbc0b48..00000000000 --- a/SPECS/vim/CVE-2019-12735.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -diff --git a/src/getchar.c b/src/getchar.c -index cc8b344e1..53f3a76be 100644 ---- a/src/getchar.c -+++ b/src/getchar.c -@@ -1442,6 +1442,12 @@ openscript( - EMSG(_(e_nesting)); - return; - } -+ -+ // Disallow sourcing a file in the sandbox, the commands would be executed -+ // later, possibly outside of the sandbox. -+ if (check_secure()) -+ return; -+ - #ifdef FEAT_EVAL - if (ignore_script) - /* Not reading from script, also don't open one. Warning message? */ -diff --git a/src/testdir/test_source_utf8.vim b/src/testdir/test_source_utf8.vim -index c29c2ec1f..f13906242 100644 ---- a/src/testdir/test_source_utf8.vim -+++ b/src/testdir/test_source_utf8.vim -@@ -61,3 +61,12 @@ func Test_source_ctrl_v() - unmap __4 - unmap __5 - endfunc -+ -+func Test_source_sandbox() -+ new -+ call writefile(["Ohello\"], 'Xsourcehello') -+ source! Xsourcehello | echo -+ call assert_equal('hello', getline(1)) -+ call assert_fails('sandbox source! Xsourcehello', 'E48:') -+ bwipe! -+endfunc -diff --git a/src/version.c b/src/version.c -index dce4643c2..c6e64ea76 100644 ---- a/src/version.c -+++ b/src/version.c -@@ -794,6 +794,8 @@ static char *(features[]) = - - static int included_patches[] = - { /* Add new patch number below this line */ -+/**/ -+ 1365, - /**/ - 388, - /**/ diff --git a/SPECS/vim/vim.signatures.json b/SPECS/vim/vim.signatures.json index 9318958178e..28ea332ec22 100644 --- a/SPECS/vim/vim.signatures.json +++ b/SPECS/vim/vim.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "vim-8.1.0388.tar.gz": "34cff3096a712ee0682ddc9ebfc8df8ade8303cf7069a189f14bca48dd0d02b7" + "vim-8.1.1667.tar.gz": "9896654b6729f4007222505b52784786441bcafcc7c81ed937255bf5ea250309" } } \ No newline at end of file diff --git a/SPECS/vim/vim.spec b/SPECS/vim/vim.spec index 4e0eaeb3c95..e5525340e96 100644 --- a/SPECS/vim/vim.spec +++ b/SPECS/vim/vim.spec 
@@ -1,20 +1,15 @@ %define debug_package %{nil} - Summary: Text editor Name: vim -Version: 8.1.0388 -Release: 7%{?dist} +Version: 8.1.1667 +Release: 1%{?dist} License: Vim -URL: https://www.vim.org -Group: Applications/Editors Vendor: Microsoft Corporation Distribution: Mariner +Group: Applications/Editors +URL: https://www.vim.org #Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz Source0: %{name}-%{version}.tar.gz -# Based on: -# https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040.patch -# Had some modifications for patch to apply cleanly. -Patch0: CVE-2019-12735.patch BuildRequires: ncurses-devel @@ -22,18 +17,21 @@ BuildRequires: ncurses-devel The Vim package contains a powerful text editor. %package extra -Summary: Extra files for Vim text editor -Group: Applications/Editors -Requires: tcsh -Conflicts: toybox +Summary: Extra files for Vim text editor +Group: Applications/Editors + +Requires: tcsh + +Conflicts: toybox %description extra The vim extra package contains a extra files for powerful text editor. %prep -%autosetup -p1 +%autosetup echo '#define SYS_VIMRC_FILE "/etc/vimrc"' >> src/feature.h + %build %configure --enable-multibyte @@ -43,9 +41,9 @@ make VERBOSE=1 %{?_smp_mflags} #cd %{_builddir}/%{name}74 make DESTDIR=%{buildroot} install ln -sv vim %{buildroot}%{_bindir}/vi -install -vdm 755 %{buildroot}/etc -cat > %{buildroot}/etc/vimrc << "EOF" -" Begin /etc/vimrc +install -vdm 755 %{buildroot}%{_sysconfdir} +cat > %{buildroot}%{_sysconfdir}/vimrc << "EOF" +" Begin %{_sysconfdir}/vimrc set shell=/bin/bash set nocompatible @@ -70,7 +68,7 @@ if ! isdirectory("~/.vim/swap/") call system('install -d -m 700 ~/.vim/swap') endif set directory=~/.vim/swap// -" End /etc/vimrc +" End %{_sysconfdir}/vimrc EOF %check 
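Review bot: The `%prep` line `echo '#define SYS_VIMRC_FILE "/etc/vimrc"' >> src/feature.h` still hard-codes the path, while this commit moves the install step, the heredoc banner and the `%files` entry to `%{_sysconfdir}/vimrc`. The compiled-in lookup path and the packaged file would diverge if `%{_sysconfdir}` is ever not `/etc`. Use the macro there too: `echo '#define SYS_VIMRC_FILE "%{_sysconfdir}/vimrc"' >> src/feature.h`; rpm expands it before the shell sees the single quotes. Note also that `" Begin %{_sysconfdir}/vimrc` inside the quoted heredoc is expanded by rpm, so the installed file shows the resolved path, which is presumably what is intended.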
@@ -86,12 +84,12 @@ then fi %files extra -%defattr(-,root,root) %license README.txt +%doc %{_datarootdir}/vim/vim81/doc/* +%defattr(-,root,root) %{_bindir}/vimtutor %{_bindir}/xxd %{_mandir}/*/* -%doc %{_datarootdir}/vim/vim81/doc/* %{_datarootdir}/vim/vim81/autoload/* %{_datarootdir}/vim/vim81/bugreport.vim %{_datarootdir}/vim/vim81/colors/* 
@@ -162,21 +160,21 @@ fi %lang(zh_CN) %{_datarootdir}/vim/vim81/lang/zh_CN/LC_MESSAGES/vim.mo %lang(zh_TW.UTF-8) %{_datarootdir}/vim/vim81/lang/zh_TW.UTF-8/LC_MESSAGES/vim.mo %lang(zh_TW) %{_datarootdir}/vim/vim81/lang/zh_TW/LC_MESSAGES/vim.mo -%lang(cs.cp1250) %{_datarootdir}/vim/vim81/lang/cs.cp1250/LC_MESSAGES/vim.mo -%lang(ja.euc-jp) %{_datarootdir}/vim/vim81/lang/ja.euc-jp/LC_MESSAGES/vim.mo -%lang(ja.sjis) %{_datarootdir}/vim/vim81/lang/ja.sjis/LC_MESSAGES/vim.mo -%lang(nl) %{_datarootdir}/vim/vim81/lang/nl/LC_MESSAGES/vim.mo -%lang(pl.UTF-8) %{_datarootdir}/vim/vim81/lang/pl.UTF-8/LC_MESSAGES/vim.mo -%lang(pl.cp1250) %{_datarootdir}/vim/vim81/lang/pl.cp1250/LC_MESSAGES/vim.mo -%lang(ru.cp1251) %{_datarootdir}/vim/vim81/lang/ru.cp1251/LC_MESSAGES/vim.mo -%lang(sk.cp1250) %{_datarootdir}/vim/vim81/lang/sk.cp1250/LC_MESSAGES/vim.mo -%lang(uk.cp1251) %{_datarootdir}/vim/vim81/lang/uk.cp1251/LC_MESSAGES/vim.mo +%lang(cs.cp1250) %{_datarootdir}/vim/vim81/lang/cs.cp1250/LC_MESSAGES/vim.mo +%lang(ja.euc-jp) %{_datarootdir}/vim/vim81/lang/ja.euc-jp/LC_MESSAGES/vim.mo +%lang(ja.sjis) %{_datarootdir}/vim/vim81/lang/ja.sjis/LC_MESSAGES/vim.mo +%lang(nl) %{_datarootdir}/vim/vim81/lang/nl/LC_MESSAGES/vim.mo +%lang(pl.UTF-8) %{_datarootdir}/vim/vim81/lang/pl.UTF-8/LC_MESSAGES/vim.mo +%lang(pl.cp1250) %{_datarootdir}/vim/vim81/lang/pl.cp1250/LC_MESSAGES/vim.mo +%lang(ru.cp1251) %{_datarootdir}/vim/vim81/lang/ru.cp1251/LC_MESSAGES/vim.mo +%lang(sk.cp1250) %{_datarootdir}/vim/vim81/lang/sk.cp1250/LC_MESSAGES/vim.mo +%lang(uk.cp1251) %{_datarootdir}/vim/vim81/lang/uk.cp1251/LC_MESSAGES/vim.mo %lang(zh_CN.cp936) %{_datarootdir}/vim/vim81/lang/zh_CN.cp936/LC_MESSAGES/vim.mo %files %defattr(-,root,root) %license README.txt -%config(noreplace) /etc/vimrc +%config(noreplace) %{_sysconfdir}/vimrc %{_datarootdir}/vim/vim81/syntax/syntax.vim %{_datarootdir}/vim/vim81/rgb.txt %{_datarootdir}/vim/vim81/colors/desert.vim 
@@ -189,45 +187,68 @@ fi %{_bindir}/vimdiff %changelog -* Thu Oct 15 2020 Emre Girgin 8.1.0388-7 -- Fix CVE-2019-12735. -* Mon Jun 01 2020 Pawel Winogrodzki 8.1.0388-6 -- Adding a license reference. -* Mon Apr 13 2020 Eric Li 8.1.0388-5 -- Add #Source0: comment and delete sha1. Verified license. -* Tue Sep 03 2019 Mateusz Malisz 8.1.0388-4 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Tue Jan 29 2019 Dweep Advani 8.1.0388-3 -- Fixed swap file creation error for custom login shell -* Wed Sep 12 2018 Anish Swaminathan 8.1.0388-2 -- Add conflicts toybox for vim-extra. -* Wed Sep 12 2018 Anish Swaminathan 8.1.0388-1 -- Update to version 8.1.0388. -* Tue Jul 10 2018 Tapas Kundu 8.0.0533-4 -- Fix for CVE-2017-17087 and CVE-2017-1000382. -* Mon Aug 14 2017 Chang Lee 8.0.0533-3 -- Disabled Test_recover_root_dir in %check. -* Tue May 02 2017 Anish Swaminathan 8.0.0533-2 -- Remove tcsh requires. -* Fri Apr 14 2017 Xiaolin Li 8.0.0533-1 -- Updated to version 8.0.0533. -* Tue Feb 28 2017 Anish Swaminathan 7.4-10 -- Fix for CVE-2017-6349 and CVE-2017-6350. -* Fri Feb 17 2017 Anish Swaminathan 7.4-9 -- Fix for CVE-2017-5953. -* Fri Nov 18 2016 Anish Swaminathan 7.4-8 -- Fix for CVE-2016-1248. -* Wed Oct 05 2016 ChangLee 7.4-7 -- Modified %check. -* Wed Aug 24 2016 Alexey Makhalov 7.4-6 -- vimrc: Added tags search, tab->spaces and some bindings. -* Tue May 24 2016 Priyesh Padmavilasom 7.4-5 -- GA - Bump release of all rpms. -* Thu Jul 16 2015 Touseef Liaqat 7.4-3 -- Added profile related files in minimal vim package. -* Tue Jun 30 2015 Touseef Liaqat 7.4-3 -- Pack extra files separately, to make vim package small. -* Fri Jun 19 2015 Alexey Makhalov 7.4-2 -- Disable debug package. Use 'desert' colorscheme. -* Wed Nov 5 2014 Divya Thaluru 7.4-1 -- Initial build First version. +* Fri Oct 30 2020 Pawel Winogrodzki - 8.1.1667-1 +- Fix CVE-2019-20807 by updating to 8.1.1667. + +* Thu Oct 15 2020 Emre Girgin - 8.1.0388-7 +- Fix CVE-2019-12735. 
+ +* Mon Jun 01 2020 Pawel Winogrodzki - 8.1.0388-6 +- Adding a license reference. + +* Mon Apr 13 2020 Eric Li - 8.1.0388-5 +- Add #Source0: comment and delete sha1. Verified license. + +* Tue Sep 03 2019 Mateusz Malisz - 8.1.0388-4 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Tue Jan 29 2019 Dweep Advani - 8.1.0388-3 +- Fixed swap file creation error for custom login shell + +* Wed Sep 12 2018 Anish Swaminathan - 8.1.0388-2 +- Add conflicts toybox for vim-extra. + +* Wed Sep 12 2018 Anish Swaminathan - 8.1.0388-1 +- Update to version 8.1.0388. + +* Tue Jul 10 2018 Tapas Kundu - 8.0.0533-4 +- Fix for CVE-2017-17087 and CVE-2017-1000382. + +* Mon Aug 14 2017 Chang Lee - 8.0.0533-3 +- Disabled Test_recover_root_dir in %check. + +* Tue May 02 2017 Anish Swaminathan - 8.0.0533-2 +- Remove tcsh requires. + +* Fri Apr 14 2017 Xiaolin Li - 8.0.0533-1 +- Updated to version 8.0.0533. + +* Tue Feb 28 2017 Anish Swaminathan - 7.4-10 +- Fix for CVE-2017-6349 and CVE-2017-6350. + +* Fri Feb 17 2017 Anish Swaminathan - 7.4-9 +- Fix for CVE-2017-5953. + +* Fri Nov 18 2016 Anish Swaminathan - 7.4-8 +- Fix for CVE-2016-1248. + +* Wed Oct 05 2016 ChangLee - 7.4-7 +- Modified %check. + +* Wed Aug 24 2016 Alexey Makhalov - 7.4-6 +- vimrc: Added tags search, tab->spaces and some bindings. + +* Tue May 24 2016 Priyesh Padmavilasom - 7.4-5 +- GA - Bump release of all rpms. + +* Thu Jul 16 2015 Touseef Liaqat - 7.4-3 +- Added profile related files in minimal vim package. + +* Tue Jun 30 2015 Touseef Liaqat - 7.4-3 +- Pack extra files separately, to make vim package small. + +* Fri Jun 19 2015 Alexey Makhalov - 7.4-2 +- Disable debug package. Use 'desert' colorscheme. + +* Wed Nov 5 2014 Divya Thaluru - 7.4-1 +- Initial build First version. diff --git a/SPECS/wget/wget.spec b/SPECS/wget/wget.spec index 423af80818b..ee6f0a65c79 100644 --- a/SPECS/wget/wget.spec +++ b/SPECS/wget/wget.spec 
@@ -1,7 +1,7 @@ Summary: A network utility to retrieve files from the Web Name: wget Version: 1.20.3 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv3+ URL: https://www.gnu.org/software/wget/wget.html Group: System Environment/NetworkingPrograms @@ -49,6 +49,7 @@ rm -rf %{buildroot}/%{_infodir} %check export PERL_MM_USE_DEFAULT=1 +cpan local::lib cpan HTTP::Daemon make %{?_smp_mflags} check @@ -62,6 +63,9 @@ rm -rf %{buildroot}/* %{_mandir}/man1/* %changelog +* Fri Nov 13 2020 Pawel Winogrodzki - 1.20.3-3 +- Adding 'local::lib' perl5 library to fix test dependencies. + * Wed Oct 07 2020 Pawel Winogrodzki 1.20.3-2 - Updating certificate bundle path to include full set of trust information. * Mon Jun 08 2020 Joe Schmitt 1.20.3-1 diff --git a/SPECS/wpa_supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch b/SPECS/wpa_supplicant/CVE-2019-16275.patch similarity index 100% rename from SPECS/wpa_supplicant/0001-AP-Silently-ignore-management-frame-from-unexpected-.patch rename to SPECS/wpa_supplicant/CVE-2019-16275.patch diff --git a/SPECS/wpa_supplicant/wpa_supplicant.spec b/SPECS/wpa_supplicant/wpa_supplicant.spec index f25b656276c..8ecae1c1f95 100644 --- a/SPECS/wpa_supplicant/wpa_supplicant.spec +++ b/SPECS/wpa_supplicant/wpa_supplicant.spec 
@@ -1,19 +1,18 @@ -Summary: WPA client -Name: wpa_supplicant -Version: 2.9 -Release: 1%{?dist} -License: BSD -URL: https://w1.fi -Group: Applications/Communications -Vendor: Microsoft Corporation -Distribution: Mariner -Source0: https://w1.fi/releases/%{name}-%{version}.tar.gz -BuildRequires: libnl3-devel openssl-devel -Requires: libnl3 -Requires: openssl - -# This patch fixes CVE-2019-16275 -Patch0: 0001-AP-Silently-ignore-management-frame-from-unexpected-.patch +Summary: WPA client +Name: wpa_supplicant +Version: 2.9 +Release: 2%{?dist} +License: BSD +Vendor: Microsoft Corporation +Distribution: Mariner +Group: Applications/Communications +URL: https://w1.fi +Source0: https://w1.fi/releases/%{name}-%{version}.tar.gz +Patch0: CVE-2019-16275.patch +BuildRequires: libnl3-devel +BuildRequires: openssl-devel +Requires: libnl3 +Requires: openssl %description WPA Supplicant is a Wi-Fi Protected Access (WPA) client and IEEE 802.1X supplicant 
@@ -56,31 +55,31 @@ make BINDIR=%{_sbindir} LIBDIR=%{_libdir} %{?_smp_mflags} mkdir -p %{buildroot}%{_sbindir} mkdir -p %{buildroot}%{_mandir}/man5 mkdir -p %{buildroot}%{_mandir}/man8 -mkdir -p %{buildroot}/usr/lib/systemd/system -mkdir -p %{buildroot}/etc/wpa_supplicant +mkdir -p %{buildroot}%{_lib}/systemd/system +mkdir -p %{buildroot}%{_sysconfdir}/wpa_supplicant cd wpa_supplicant install -v -m755 wpa_{cli,passphrase,supplicant} %{buildroot}%{_sbindir}/ install -v -m644 doc/docbook/wpa_supplicant.conf.5 %{buildroot}%{_mandir}/man5/ install -v -m644 doc/docbook/wpa_{cli,passphrase,supplicant}.8 %{buildroot}%{_mandir}/man8/ -cat > %{buildroot}/usr/lib/systemd/system/wpa_supplicant@.service << "EOF" +cat > %{buildroot}%{_lib}/systemd/system/wpa_supplicant@.service << "EOF" [Unit] -Description=WPA supplicant (%I) -BindsTo=sys-subsystem-net-devices-%i.device -After=sys-subsystem-net-devices-%i.device +Description=WPA supplicant (%{I}) +BindsTo=sys-subsystem-net-devices-%{i}.device +After=sys-subsystem-net-devices-%{i}.device [Service] Type=oneshot RemainAfterExit=yes -ExecStart=/usr/sbin/ip link set dev %I up -ExecStart=/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant-%I.conf -B -i %I -ExecStop=/usr/sbin/ip link set dev %I down +ExecStart=%{_sbindir}/ip link set dev %{I} up +ExecStart=%{_sbindir}/wpa_supplicant -c %{_sysconfdir}/wpa_supplicant/wpa_supplicant-%{I}.conf -B -i %{I} +ExecStop=%{_sbindir}/ip link set dev %{I} down [Install] WantedBy=multi-user.target EOF -cat > %{buildroot}/etc/wpa_supplicant/wpa_supplicant-wlan0.conf << "EOF" +cat > %{buildroot}%{_sysconfdir}/wpa_supplicant/wpa_supplicant-wlan0.conf << "EOF" ctrl_interface=/run/wpa_supplicant update_config=1 
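Review bot: The unit file written by the heredoc in this hunk now contains `%{I}` and `%{i}` where it used to contain `%I` and `%i`. Those are systemd instance specifiers, not rpm macros: rpm leaves an undefined `%{I}` in the output as written, and systemd does not treat `%{I}` as a specifier. The generated `wpa_supplicant@.service` would therefore most likely bind to a literal `sys-subsystem-net-devices-%{i}.device` and pass `-i %{I}` to the daemon. Restore the bare specifiers on the six affected lines, or write `%%I`/`%%i` so rpm emits a literal percent sign. Separately, `%{buildroot}%{_lib}/systemd/system` depends on how this distribution defines `%{_lib}`; in stock rpm it is a bare `lib`/`lib64` with no leading slash, so confirm the unit still lands in `/usr/lib/systemd/system` and matches the `%files` entry, which is outside this hunk.

```spec
[Unit]
Description=WPA supplicant (%I)
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device
# … unchanged: [Service] Type=oneshot and RemainAfterExit=yes …
ExecStart=%{_sbindir}/ip link set dev %I up
ExecStart=%{_sbindir}/wpa_supplicant -c %{_sysconfdir}/wpa_supplicant/wpa_supplicant-%I.conf -B -i %I
ExecStop=%{_sbindir}/ip link set dev %I down
```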
@@ -98,20 +97,29 @@ EOF %{_sysconfdir}/wpa_supplicant/wpa_supplicant-wlan0.conf %changelog +* Mon Nov 16 2020 Nicolas Guibourge - 2.9-2 +- Change name of CVE-2019-16275 patch. + * Thu May 14 2020 Henry Beberman 2.9-1 - Update version to 2.9. - Add patch for CVE-2019-16275. + * Sat May 09 00:20:37 PST 2020 Nick Samson - 2.7-4 - Added %%license line automatically + * Fri Apr 17 2020 Nicolas Ontiveros 2.7-3 - Rename libnl to libnl3. - Remove sha1 macro. + * Tue Sep 03 2019 Mateusz Malisz 2.7-2 - Initial CBL-Mariner import from Photon (license: Apache2). + * Thu Jan 3 2019 Michelle Wang 2.7-1 - Update version to 2.7. + * Fri Aug 17 2018 Alexey Makhalov 2.6-2 - Improve .service file: wait wlanX to appear, run daemon in background. - Added skeleton for wlan0 conf file. + * Tue Nov 14 2017 Alexey Makhalov 2.6-1 - Initial build. First version. diff --git a/SPECS/zsh/0001-Skipping-test-if-ran-as-superuser.patch b/SPECS/zsh/0001-Skipping-test-if-ran-as-superuser.patch new file mode 100644 index 00000000000..5d0685b9f04 --- /dev/null +++ b/SPECS/zsh/0001-Skipping-test-if-ran-as-superuser.patch 
@@ -0,0 +1,37 @@ +From 0fbbbea15b38364830d7b341c86682f05575ae0b Mon Sep 17 00:00:00 2001 +From: Pawel +Date: Tue, 10 Nov 2020 18:37:47 -0800 +Subject: [PATCH] Skipping test if ran as superuser. + +--- + Test/D02glob.ztst | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/Test/D02glob.ztst b/Test/D02glob.ztst +index b0650c8..39d97c1 100644 +--- a/Test/D02glob.ztst ++++ b/Test/D02glob.ztst +@@ -729,11 +729,15 @@ + >not/exist + >exist + +- mkdir -m 000 glob.tmp/secret-d000 +- mkdir -m 111 glob.tmp/secret-d111 +- mkdir -m 444 glob.tmp/secret-d444 +- for 1 in 000 111 444 ; do ln -s secret-d$1 glob.tmp/secret-s$1; done +- print -rC 2 -- glob.tmp/secret-*/ glob.tmp/secret-*(-/) ++ if (( UID )); then ++ mkdir -m 000 glob.tmp/secret-d000 ++ mkdir -m 111 glob.tmp/secret-d111 ++ mkdir -m 444 glob.tmp/secret-d444 ++ for 1 in 000 111 444 ; do ln -s secret-d$1 glob.tmp/secret-s$1; done ++ print -rC 2 -- glob.tmp/secret-*/ glob.tmp/secret-*(-/) ++ else ++ ZTST_skip="cannot test unreadable directories globbing when tests run as superuser" ++ fi + -f:unreadable directories can be globbed (users/24619, users/24626) + >glob.tmp/secret-d000/ glob.tmp/secret-d000 + >glob.tmp/secret-d111/ glob.tmp/secret-d111 +-- +2.17.1 + diff --git a/SPECS/zsh/zsh.spec b/SPECS/zsh/zsh.spec index b05538b3396..1b20d91adb2 100644 --- a/SPECS/zsh/zsh.spec +++ b/SPECS/zsh/zsh.spec 
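Review bot: The guard added to Test/D02glob.ztst, `if (( UID )); then`, tests the real user ID, but whether the `-m 000`/`111`/`444` directories are actually unreadable depends on the effective ID the test runs with. `if (( EUID )); then` matches the condition the test relies on. Since the package `%check` presumably runs as root, this case will then always be skipped in package builds, so a short comment in the spec next to `Patch0` noting that the unreadable-directory globbing check (users/24619, users/24626) is not exercised there would help the next maintainer.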
@@ -3,33 +3,37 @@ Summary: Z shell Name: zsh Version: 5.8 -Release: 3%{?dist} -License: MIT and GPLv2.0 and GPLv3.0 and GPLv2+ -URL: http://zsh.sourceforge.net/ -Group: System Environment/Shells +Release: 4%{?dist} +License: MIT AND GPLv2.0 AND GPLv3.0 AND GPLv2+ Vendor: Microsoft Corporation Distribution: Mariner +Group: System Environment/Shells +URL: http://zsh.sourceforge.net/ Source0: https://sourceforge.net/projects/%{name}/files/%{name}/%{version}/%{name}-%{version}.tar.xz Source1: zprofile.rhs Source2: zshrc -BuildRequires: coreutils -BuildRequires: tar -BuildRequires: diffutils -BuildRequires: make -BuildRequires: gcc -BuildRequires: binutils -BuildRequires: kernel-headers -BuildRequires: sed -BuildRequires: ncurses-devel -BuildRequires: libcap-devel -BuildRequires: texinfo -BuildRequires: gawk -BuildRequires: elfutils +Patch0: 0001-Skipping-test-if-ran-as-superuser.patch + +BuildRequires: binutils +BuildRequires: coreutils +BuildRequires: diffutils +BuildRequires: elfutils +BuildRequires: gawk +BuildRequires: gcc +BuildRequires: kernel-headers +BuildRequires: libcap-devel +BuildRequires: make +BuildRequires: ncurses-devel +BuildRequires: sed +BuildRequires: tar +BuildRequires: texinfo + Requires(post): /bin/grep -Requires(postun): coreutils /bin/grep +Requires(postun): /bin/grep +Requires(postun): coreutils -Provides: /bin/zsh +Provides: /bin/zsh %description The zsh shell is a command interpreter usable as an interactive login @@ -40,8 +44,8 @@ command completion, shell functions (with autoloading), a history mechanism, and more. %package html -Summary: Zsh shell manual in html format -Group: System Environment/Shells +Summary: Zsh shell manual in html format +Group: System Environment/Shells %description html The zsh shell is a command interpreter usable as an interactive login @@ -55,7 +59,7 @@ This package contains the Zsh manual in html format. %prep -%setup -q +%autosetup -p1 %build # make loading of module's dependencies work again (#1277996) 
@@ -68,42 +72,33 @@ make all html %check rm -f Test/C02cond.ztst make check + %install -rm -rf $RPM_BUILD_ROOT %makeinstall install.info \ - fndir=$RPM_BUILD_ROOT%{_datadir}/%{name}/%{version}/functions \ - sitefndir=$RPM_BUILD_ROOT%{_datadir}/%{name}/site-functions \ - scriptdir=$RPM_BUILD_ROOT%{_datadir}/%{name}/%{version}/scripts \ - sitescriptdir=$RPM_BUILD_ROOT%{_datadir}/%{name}/scripts \ - runhelpdir=$RPM_BUILD_ROOT%{_datadir}/%{name}/%{version}/help + fndir=%{buildroot}%{_datadir}/%{name}/%{version}/functions \ + sitefndir=%{buildroot}%{_datadir}/%{name}/site-functions \ + scriptdir=%{buildroot}%{_datadir}/%{name}/%{version}/scripts \ + sitescriptdir=%{buildroot}%{_datadir}/%{name}/scripts \ + runhelpdir=%{buildroot}%{_datadir}/%{name}/%{version}/help -rm -f ${RPM_BUILD_ROOT}%{_bindir}/zsh-%{version} -rm -f $RPM_BUILD_ROOT%{_infodir}/dir +rm -f %{buildroot}%{_bindir}/zsh-%{version} +rm -f %{buildroot}%{_infodir}/dir -mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir} +mkdir -p %{buildroot}%{_sysconfdir} for i in %{SOURCE1}; do - install -m 644 $i $RPM_BUILD_ROOT%{_sysconfdir}/"$(basename $i .rhs)" + install -m 644 $i %{buildroot}%{_sysconfdir}/"$(basename $i .rhs)" done -mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/skel -install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/skel/.zshrc - -# This is just here to shut up rpmlint, and is very annoying. -# Note that we can't chmod everything as then rpmlint will complain about -# those without a she-bang line. -for i in checkmail harden run-help zcalc zkbd; do - sed -i -e 's!/usr/local/bin/zsh!%{_bindir}/zsh!' \ - $RPM_BUILD_ROOT%{_datadir}/zsh/%{version}/functions/$i - chmod +x $RPM_BUILD_ROOT%{_datadir}/zsh/%{version}/functions/$i -done +mkdir -p %{buildroot}%{_sysconfdir}/skel +install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/skel/.zshrc -sed -i "s!$RPM_BUILD_ROOT%{_datadir}/%{name}/%{version}/help!%{_datadir}/%{name}/%{version}/help!" 
\ - $RPM_BUILD_ROOT%{_datadir}/zsh/%{version}/functions/{run-help,_run-help} +sed -i "s!%{buildroot}%{_datadir}/%{name}/%{version}/help!%{_datadir}/%{name}/%{version}/help!" \ + %{buildroot}%{_datadir}/zsh/%{version}/functions/{run-help,_run-help} %clean -rm -rf $RPM_BUILD_ROOT +rm -rf %{buildroot} %post if [ "$1" = 1 ]; then @@ -117,18 +112,16 @@ if [ "$1" = 1 ]; then fi %preun - %postun if [ "$1" = 0 ] && [ -f %{_sysconfdir}/shells ] ; then sed -i '\!^%{_bindir}/%{name}$!d' %{_sysconfdir}/shells sed -i '\!^/bin/%{name}$!d' %{_sysconfdir}/shells fi - %files %defattr(-,root,root) %license LICENCE -%doc README LICENCE Etc/BUGS Etc/CONTRIBUTORS Etc/FAQ FEATURES MACHINES +%doc README Etc/BUGS Etc/CONTRIBUTORS Etc/FAQ FEATURES MACHINES %doc NEWS Etc/zsh-development-guide Etc/completion-style-guide %attr(755,root,root) %{_bindir}/zsh %{_mandir}/*/* 
@@ -143,30 +136,44 @@ fi %doc Doc/*.html %changelog +* Tue Nov 10 2020 Pawel Winogrodzki - 5.8-4 +- Adding a patch to skip globbing test if ran as root. +- Removing redundant 'sed' and 'chmod' commands in %%install. + * Sat May 09 00:20:44 PST 2020 Nick Samson - 5.8-3 - Added %%license line automatically -* Thu Apr 30 2020 Emre Girgin 5.8-2 -- Renaming linux-api-headers to kernel-headers -* Fri Apr 10 2020 Jon Slobodzian 5.8-1 -- Updated to latest version to fix CVE CVE-2019-20044. -- Fixed Source0 download link -- Verified license. -* Thu Apr 09 2020 Nicolas Ontiveros 5.6.1-3 -- Remove coreutils and only use toybox in requires. -* Tue Sep 03 2019 Mateusz Malisz 5.6.1-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Thu Sep 13 2018 Siju Maliakkal 5.6.1-1 -- Upgrading to latest -* Mon Mar 19 2018 Xiaolin Li 5.3.1-5 -- Fix CVE-2018-7548 -* Mon Sep 18 2017 Alexey Makhalov 5.3.1-4 -- Requires coreutils or toybox and /bin/grep -* Fri Sep 15 2017 Bo Gan 5.3.1-3 -- Clean up check -* Wed Aug 02 2017 Chang Lee 5.3.1-2 -- Skip a test case that is not supported from photon OS chroot -* Wed Apr 05 2017 Xiaolin Li 5.3.1-1 -- Updated to version 5.3.1. -* Sun Jul 24 2016 Ivan Porto Carrero - 5.2-1 -- Initial zsh for photon os +* Thu Apr 30 2020 Emre Girgin - 5.8-2 +- Renaming linux-api-headers to kernel-headers + +* Fri Apr 10 2020 Jon Slobodzian - 5.8-1 +- Updated to latest version to fix CVE CVE-2019-20044. +- Fixed Source0 download link +- Verified license. + +* Thu Apr 09 2020 Nicolas Ontiveros - 5.6.1-3 +- Remove coreutils and only use toybox in requires. + +* Tue Sep 03 2019 Mateusz Malisz - 5.6.1-2 +- Initial CBL-Mariner import from Photon (license: Apache2). 
+ +* Thu Sep 13 2018 Siju Maliakkal - 5.6.1-1 +- Upgrading to latest + +* Mon Mar 19 2018 Xiaolin Li - 5.3.1-5 +- Fix CVE-2018-7548 + +* Mon Sep 18 2017 Alexey Makhalov - 5.3.1-4 +- Requires coreutils or toybox and /bin/grep + +* Fri Sep 15 2017 Bo Gan - 5.3.1-3 +- Clean up check + +* Wed Aug 02 2017 Chang Lee - 5.3.1-2 +- Skip a test case that is not supported from photon OS chroot + +* Wed Apr 05 2017 Xiaolin Li - 5.3.1-1 +- Updated to version 5.3.1. + +* Sun Jul 24 2016 Ivan Porto Carrero - 5.2-1 +- Initial zsh for photon os diff --git a/cgmanifest.json b/cgmanifest.json index 123a954d948..5a062be51e9 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -100,6 +100,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "aspnetcore-runtime-3.1", + "version": "3.1.5", + "downloadUrl": "https://download.visualstudio.microsoft.com/download/pr/6827d794-a218-4352-b3b3-a19ec773c975/e3e53bc2f20df220a29c6e09f74d8a00/aspnetcore-runtime-3.1.5-linux-x64.tar.gz" + } + } + }, { "component": { "type": "other", @@ -525,8 +535,8 @@ "type": "other", "other": { "name": "clamav", - "version": "0.101.2", - "downloadUrl": "https://www.clamav.net/downloads/production/clamav-0.101.2.tar.gz" + "version": "0.103.0", + "downloadUrl": "https://www.clamav.net/downloads/production/clamav-0.103.0.tar.gz" } } }, @@ -1551,6 +1561,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "heimdal", + "version": "7.7.0", + "downloadUrl": "https://github.com/heimdal/heimdal/releases/download/heimdal-7.7.0/heimdal-7.7.0.tar.gz" + } + } + }, { "component": { "type": "other", @@ -1576,8 +1596,8 @@ "type": "other", "other": { "name": "hyperv-daemons", - "version": "5.4.51", - "downloadUrl": "https://github.com/microsoft/WSL2-Linux-Kernel/archive/linux-msft-5.4.51.tar.gz" + "version": "5.4.72", + "downloadUrl": "https://github.com/microsoft/WSL2-Linux-Kernel/archive/linux-msft-5.4.72.tar.gz" } } }, 
@@ -1711,6 +1731,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "ipv6calc", + "version": "2.2.0", + "downloadUrl": "ftp://ftp.bieringer.de/pub/linux/IPv6/ipv6calc/ipv6calc-2.2.0.tar.gz" + } + } + }, { "component": { "type": "other", @@ -1866,8 +1896,8 @@ "type": "other", "other": { "name": "kernel-headers", - "version": "5.4.51", - "downloadUrl": "https://github.com/microsoft/WSL2-Linux-Kernel/archive/linux-msft-5.4.51.tar.gz" + "version": "5.4.72", + "downloadUrl": "https://github.com/microsoft/WSL2-Linux-Kernel/archive/linux-msft-5.4.72.tar.gz" } } }, @@ -1876,8 +1906,8 @@ "type": "other", "other": { "name": "kernel-hyperv", - "version": "5.4.51", - "downloadUrl": "https://github.com/microsoft/WSL2-Linux-Kernel/archive/linux-msft-5.4.51.tar.gz" + "version": "5.4.72", + "downloadUrl": "https://github.com/microsoft/WSL2-Linux-Kernel/archive/linux-msft-5.4.72.tar.gz" } } }, @@ -1886,8 +1916,8 @@ "type": "other", "other": { "name": "kernel", - "version": "5.4.51", - "downloadUrl": "https://github.com/microsoft/WSL2-Linux-Kernel/archive/linux-msft-5.4.51.tar.gz" + "version": "5.4.72", + "downloadUrl": "https://github.com/microsoft/WSL2-Linux-Kernel/archive/linux-msft-5.4.72.tar.gz" } } }, @@ -2751,6 +2781,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "libxcrypt", + "version": "4.4.17", + "downloadUrl": "https://github.com/besser82/libxcrypt/archive/v4.4.17/libxcrypt-4.4.17.tar.gz" + } + } + }, { "component": { "type": "other", @@ -3226,8 +3266,8 @@ "type": "other", "other": { "name": "mysql", - "version": "8.0.20", - "downloadUrl": "https://cdn.mysql.com/Downloads/MySQL-8.0/mysql-boost-8.0.20.tar.gz" + "version": "8.0.22", + "downloadUrl": "https://cdn.mysql.com/Downloads/MySQL-8.0/mysql-boost-8.0.22.tar.gz" } } }, 
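Review bot: The new `ipv6calc` component in the `@@ -1711,6 +1731,16 @@` hunk records an `ftp://` download URL, so anything that fetches the tarball from this location gets it over an unauthenticated, unencrypted channel. The `net-snmp` entry in the later `@@ -3276,8 +3316,8 @@` hunk has the same issue, keeping `http://` while its version is bumped. Prefer an `https://` location if upstream publishes one. Either way, the hash recorded for the source should be what gates the build; the toolkit docs touched in this commit say `srpmpacker` enforces a matching hash for every source file, so confirm an entry exists for this tarball.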
@@ -3276,8 +3316,8 @@ "type": "other", "other": { "name": "net-snmp", - "version": "5.8", - "downloadUrl": "http://sourceforge.net/projects/net-snmp/files/net-snmp/5.8/net-snmp-5.8.tar.gz" + "version": "5.9", + "downloadUrl": "http://sourceforge.net/projects/net-snmp/files/net-snmp/5.9/net-snmp-5.9.tar.gz" } } }, @@ -3326,8 +3366,8 @@ "type": "other", "other": { "name": "nghttp2", - "version": "1.33.0", - "downloadUrl": "https://github.com/nghttp2/nghttp2/releases/download/v1.33.0/nghttp2-1.33.0.tar.xz" + "version": "1.41.0", + "downloadUrl": "https://github.com/nghttp2/nghttp2/releases/download/v1.41.0/nghttp2-1.41.0.tar.xz" } } }, @@ -3656,8 +3696,8 @@ "type": "other", "other": { "name": "pcre", - "version": "8.42", - "downloadUrl": "https://ftp.pcre.org/pub/pcre/pcre-8.42.tar.bz2" + "version": "8.44", + "downloadUrl": "https://ftp.pcre.org/pub/pcre/pcre-8.44.tar.bz2" } } }, @@ -3771,6 +3811,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "perl-JSON", + "version": "4.02", + "downloadUrl": "https://cpan.metacpan.org/modules/by-module/JSON/JSON-4.02.tar.gz" + } + } + }, { "component": { "type": "other", @@ -4036,8 +4086,8 @@ "type": "other", "other": { "name": "postgresql", - "version": "12.1", - "downloadUrl": "https://ftp.postgresql.org/pub/source/v12.1/postgresql-12.1.tar.bz2" + "version": "12.5", + "downloadUrl": "https://ftp.postgresql.org/pub/source/v12.5/postgresql-12.5.tar.bz2" } } }, @@ -5826,8 +5876,8 @@ "type": "other", "other": { "name": "vim", - "version": "8.1.0388", - "downloadUrl": "https://github.com/vim/vim/archive/v8.1.0388.tar.gz" + "version": "8.1.1667", + "downloadUrl": "https://github.com/vim/vim/archive/v8.1.1667.tar.gz" } } }, diff --git a/toolkit/docs/how_it_works/1_initial_prep.md b/toolkit/docs/how_it_works/1_initial_prep.md index 455cf9b3d01..5dfe9957c78 100644 --- a/toolkit/docs/how_it_works/1_initial_prep.md +++ b/toolkit/docs/how_it_works/1_initial_prep.md 
@@ -24,6 +24,7 @@ Prepping the Build Environment - [specreader](#specreader) - [srpmpacker](#srpmpacker) - [unravel](#unravel) + - [validatechroot](#validatechroot) ## The Makefile @@ -93,5 +94,7 @@ The `specreader` tool scans all the `*.spec` files in a directory and generates The `srpmpacker` tool creates `.src.rpm` files from local specs and sources. The sources can be found locally, or downloaded from a source server. It is responsible for enforcing a matching hash for every source file. #### unravel The `unravel` tool converts a dependency graph into a set of build instructions which can be used to successfully build all local packages. +#### validatechroot +A tool which double checks the worker chroot has all its dependencies correctly installed. ## Prev: [Intro](0_intro.md), Next: [Local Packages](2_local_packages.md) \ No newline at end of file diff --git a/toolkit/resources/assets/isomaker/iso_root_arch-dependent_files/arm64/isolinux/isolinux.bin b/toolkit/resources/assets/isomaker/iso_root_arch-dependent_files/arm64/isolinux/isolinux.bin new file mode 100755 index 00000000000..c908d07d055 Binary files /dev/null and b/toolkit/resources/assets/isomaker/iso_root_arch-dependent_files/arm64/isolinux/isolinux.bin differ diff --git a/toolkit/resources/assets/isomaker/iso_root_arch-dependent_files/arm64/isolinux/isolinux.cfg b/toolkit/resources/assets/isomaker/iso_root_arch-dependent_files/arm64/isolinux/isolinux.cfg new file mode 100755 index 00000000000..ad3722d179a --- /dev/null +++ b/toolkit/resources/assets/isomaker/iso_root_arch-dependent_files/arm64/isolinux/isolinux.cfg @@ -0,0 +1,7 @@ +# D-I config version 2.0 +totaltimeout 1 + +default Installer +label Installer + kernel vmlinuz + append initrd=initrd.img root=/dev/ram0 loglevel=3 \ No newline at end of file 
diff --git a/toolkit/resources/assets/isomaker/iso_root_arch-dependent_files/arm64/isolinux/ldlinux.c32 b/toolkit/resources/assets/isomaker/iso_root_arch-dependent_files/arm64/isolinux/ldlinux.c32 new file mode 100644 index 00000000000..51009c5ba8d Binary files /dev/null and b/toolkit/resources/assets/isomaker/iso_root_arch-dependent_files/arm64/isolinux/ldlinux.c32 differ diff --git a/toolkit/resources/assets/isomaker/iso_root_static_files/boot/grub2/grub.cfg b/toolkit/resources/assets/isomaker/iso_root_static_files/boot/grub2/grub.cfg index b1a738eee30..98d8356b4b8 100644 --- a/toolkit/resources/assets/isomaker/iso_root_static_files/boot/grub2/grub.cfg +++ b/toolkit/resources/assets/isomaker/iso_root_static_files/boot/grub2/grub.cfg @@ -1,7 +1,9 @@ set timeout=0 +# The use of mariner.media=CDROM is a workaround that our installer does not require +# but it is observed to be needed to boot on some hardware/SoCs. menuentry "CBL-Mariner" { search --label CDROM --set root - linux /isolinux/vmlinuz root=/dev/ram0 loglevel=3 + linux /isolinux/vmlinuz root=/dev/ram0 loglevel=3 mariner.media=CDROM initrd /isolinux/initrd.img } diff --git a/toolkit/resources/imageconfigs/iso_initrd_arm64.json b/toolkit/resources/imageconfigs/iso_initrd_arm64.json new file mode 100644 index 00000000000..c1d2457b787 --- /dev/null +++ b/toolkit/resources/imageconfigs/iso_initrd_arm64.json 
@@ -0,0 +1,45 @@ +{ + "Disks": [ + { + "Artifacts": [ + { + "Name": "iso-initrd", + "Type": "initrd", + "Compression": "tar.gz" + } + ] + } + ], + "SystemConfigs": [ + { + "Name": "ISO initrd", + "PackageLists": [ + "packagelists/iso-initrd-packages-arm64.json" + ], + "KernelOptions": { + "default": "kernel" + }, + "AdditionalFiles": { + "../../out/tools/imager":"/installer/imager", + "../../out/tools/liveinstaller":"/installer/liveinstaller", + "../assets/efi/grub/grub.cfg":"/installer/efi/grub/grub.cfg", + "../assets/efi/grub/grubEncrypt.cfg":"/installer/efi/grub/grubEncrypt.cfg", + "../assets/grub2/grub.cfg":"/installer/grub2/grub.cfg", + "additionalfiles/iso_initrd/init":"/init", + "additionalfiles/iso_initrd/installer/EULA.txt":"/installer/EULA.txt", + "additionalfiles/iso_initrd/root/runliveinstaller":"/root/runliveinstaller", + "additionalfiles/iso_initrd/usr/lib/mariner/terminfo/mariner-installer":"/usr/lib/mariner/terminfo/m/mariner-installer", + "additionalfiles/iso_initrd/usr/lib/systemd/system/getty@.service":"/usr/lib/systemd/system/getty@.service", + "additionalfiles/iso_initrd/usr/lib/systemd/system/serial-getty@.service":"/usr/lib/systemd/system/serial-getty@.service", + "../manifests/image/local.repo":"/etc/yum.repos.d/mariner-iso.repo" + }, + "Users": [ + { + "Name": "root", + "PasswordExpiresDays": 99999, + "StartupCommand": "/root/runliveinstaller" + } + ] + } + ] +} \ No newline at end of file diff --git a/toolkit/resources/imageconfigs/packagelists/iso-initrd-packages-arm64.json b/toolkit/resources/imageconfigs/packagelists/iso-initrd-packages-arm64.json new file mode 100644 index 00000000000..ef763d9093d --- /dev/null +++ b/toolkit/resources/imageconfigs/packagelists/iso-initrd-packages-arm64.json 
@@ -0,0 +1,66 @@ +{ + "packages": [ + "pam", + "attr", + "bash", + "bzip2", + "cifs-utils", + "coreutils", + "cpio", + "cracklib", + "cracklib-dicts", + "cryptsetup", + "curl", + "dbus", + "dosfstools", + "dracut", + "e2fsprogs", + "efibootmgr", + "efivar", + "expat", + "file", + "filesystem", + "findutils", + "glib", + "glibc", + "gmp", + "gptfdisk", + "grep", + "grub2-efi-binary", + "gzip", + "haveged", + "less", + "libcap", + "libgcc", + "libstdc++", + "lvm2", + "kernel", + "lua", + "ncurses", + "ncurses-term", + "nspr", + "nss", + "openssl", + "mariner-release", + "parted", + "pcre", + "pkg-config", + "popt", + "readline", + "rpm", + "sed", + "shadow-utils", + "shim-unsigned", + "squashfs-tools", + "sqlite", + "systemd", + "tar", + "tdnf", + "usbutils", + "util-linux", + "vim", + "words", + "xz", + "zlib" + ] +} diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 4959063f210..7fd8c71c1e5 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
@@ -1,19 +1,19 @@ filesystem-1.1-7.cm1.aarch64.rpm -kernel-headers-5.4.51-2.cm1.noarch.rpm -glibc-2.28-12.cm1.aarch64.rpm -glibc-devel-2.28-12.cm1.aarch64.rpm -glibc-i18n-2.28-12.cm1.aarch64.rpm -glibc-iconv-2.28-12.cm1.aarch64.rpm -glibc-lang-2.28-12.cm1.aarch64.rpm -glibc-nscd-2.28-12.cm1.aarch64.rpm -glibc-tools-2.28-12.cm1.aarch64.rpm +kernel-headers-5.4.72-1.cm1.noarch.rpm +glibc-2.28-14.cm1.aarch64.rpm +glibc-devel-2.28-14.cm1.aarch64.rpm +glibc-i18n-2.28-14.cm1.aarch64.rpm +glibc-iconv-2.28-14.cm1.aarch64.rpm +glibc-lang-2.28-14.cm1.aarch64.rpm +glibc-nscd-2.28-14.cm1.aarch64.rpm +glibc-tools-2.28-14.cm1.aarch64.rpm zlib-1.2.11-3.cm1.aarch64.rpm zlib-devel-1.2.11-3.cm1.aarch64.rpm file-5.38-1.cm1.aarch64.rpm file-devel-5.38-1.cm1.aarch64.rpm file-libs-5.38-1.cm1.aarch64.rpm -binutils-2.32-3.cm1.aarch64.rpm -binutils-devel-2.32-3.cm1.aarch64.rpm +binutils-2.32-4.cm1.aarch64.rpm +binutils-devel-2.32-4.cm1.aarch64.rpm gmp-6.1.2-5.cm1.aarch64.rpm gmp-devel-6.1.2-5.cm1.aarch64.rpm mpfr-4.0.1-3.cm1.aarch64.rpm @@ -35,11 +35,11 @@ ncurses-libs-6.2-4.cm1.aarch64.rpm ncurses-term-6.2-4.cm1.aarch64.rpm readline-7.0-4.cm1.aarch64.rpm readline-devel-7.0-4.cm1.aarch64.rpm -coreutils-8.30-5.cm1.aarch64.rpm -coreutils-lang-8.30-5.cm1.aarch64.rpm -bash-4.4.18-5.cm1.aarch64.rpm -bash-devel-4.4.18-5.cm1.aarch64.rpm -bash-lang-4.4.18-5.cm1.aarch64.rpm +coreutils-8.30-7.cm1.aarch64.rpm +coreutils-lang-8.30-7.cm1.aarch64.rpm +bash-4.4.18-6.cm1.aarch64.rpm +bash-devel-4.4.18-6.cm1.aarch64.rpm +bash-lang-4.4.18-6.cm1.aarch64.rpm bzip2-1.0.6-15.cm1.aarch64.rpm bzip2-devel-1.0.6-15.cm1.aarch64.rpm bzip2-libs-1.0.6-15.cm1.aarch64.rpm @@ -58,7 +58,7 @@ findutils-lang-4.6.0-7.cm1.aarch64.rpm gettext-0.19.8.1-3.cm1.aarch64.rpm gzip-1.9-5.cm1.aarch64.rpm make-4.2.1-5.cm1.aarch64.rpm -mariner-release-1.0-10.cm1.noarch.rpm +mariner-release-1.0-11.cm1.noarch.rpm patch-2.7.6-7.cm1.aarch64.rpm util-linux-2.32.1-3.cm1.aarch64.rpm util-linux-devel-2.32.1-3.cm1.aarch64.rpm 
@@ -72,8 +72,8 @@ zstd-1.4.4-1.cm1.aarch64.rpm zstd-devel-1.4.4-1.cm1.aarch64.rpm zstd-libs-1.4.4-1.cm1.aarch64.rpm libtool-2.4.6-5.cm1.aarch64.rpm -flex-2.6.4-5.cm1.aarch64.rpm -flex-devel-2.6.4-5.cm1.aarch64.rpm +flex-2.6.4-6.cm1.aarch64.rpm +flex-devel-2.6.4-6.cm1.aarch64.rpm bison-3.1-3.cm1.aarch64.rpm popt-1.16-7.cm1.aarch64.rpm popt-devel-1.16-7.cm1.aarch64.rpm @@ -103,14 +103,14 @@ gdbm-devel-1.18-3.cm1.aarch64.rpm gdbm-lang-1.18-3.cm1.aarch64.rpm perl-5.30.3-1.cm1.aarch64.rpm texinfo-6.5-7.cm1.aarch64.rpm -autoconf-2.69-9.cm1.noarch.rpm +autoconf-2.69-10.cm1.noarch.rpm automake-1.16.1-3.cm1.noarch.rpm -openssl-1.1.1g-6.cm1.aarch64.rpm -openssl-devel-1.1.1g-6.cm1.aarch64.rpm -openssl-libs-1.1.1g-6.cm1.aarch64.rpm -openssl-perl-1.1.1g-6.cm1.aarch64.rpm -openssl-static-1.1.1g-6.cm1.aarch64.rpm -openssl-debuginfo-1.1.1g-6.cm1.aarch64.rpm +openssl-1.1.1g-7.cm1.aarch64.rpm +openssl-devel-1.1.1g-7.cm1.aarch64.rpm +openssl-libs-1.1.1g-7.cm1.aarch64.rpm +openssl-perl-1.1.1g-7.cm1.aarch64.rpm +openssl-static-1.1.1g-7.cm1.aarch64.rpm +openssl-debuginfo-1.1.1g-7.cm1.aarch64.rpm libcap-2.26-2.cm1.aarch64.rpm libcap-devel-2.26-2.cm1.aarch64.rpm libdb-5.3.28-4.cm1.aarch64.rpm 
@@ -132,17 +132,17 @@ libssh2-devel-1.9.0-1.cm1.aarch64.rpm curl-7.68.0-2.cm1.aarch64.rpm curl-devel-7.68.0-2.cm1.aarch64.rpm curl-libs-7.68.0-2.cm1.aarch64.rpm -tdnf-2.1.0-4.cm1.aarch64.rpm -tdnf-cli-libs-2.1.0-4.cm1.aarch64.rpm -tdnf-devel-2.1.0-4.cm1.aarch64.rpm -tdnf-plugin-repogpgcheck-2.1.0-4.cm1.aarch64.rpm +tdnf-2.1.0-5.cm1.aarch64.rpm +tdnf-cli-libs-2.1.0-5.cm1.aarch64.rpm +tdnf-devel-2.1.0-5.cm1.aarch64.rpm +tdnf-plugin-repogpgcheck-2.1.0-5.cm1.aarch64.rpm createrepo_c-0.11.1-6.cm1.aarch64.rpm -libxml2-2.9.10-2.cm1.aarch64.rpm -libxml2-devel-2.9.10-2.cm1.aarch64.rpm +libxml2-2.9.10-3.cm1.aarch64.rpm +libxml2-devel-2.9.10-3.cm1.aarch64.rpm glib-2.58.0-6.cm1.aarch64.rpm libltdl-2.4.6-5.cm1.aarch64.rpm libltdl-devel-2.4.6-5.cm1.aarch64.rpm -pcre-libs-8.42-4.cm1.aarch64.rpm +pcre-libs-8.44-1.cm1.aarch64.rpm krb5-1.17-4.cm1.aarch64.rpm lua-5.3.5-8.cm1.aarch64.rpm mariner-rpm-macros-1.0-3.cm1.noarch.rpm @@ -154,7 +154,7 @@ libksba-1.3.5-3.cm1.aarch64.rpm npth-1.6-3.cm1.aarch64.rpm pinentry-1.1.0-3.cm1.aarch64.rpm gnupg2-2.2.20-3.cm1.aarch64.rpm -gpgme-1.13.1-5.cm1.aarch64.rpm +gpgme-1.13.1-6.cm1.aarch64.rpm mariner-repos-1.0-11.cm1.noarch.rpm mariner-repos-preview-1.0-11.cm1.noarch.rpm libffi-3.2.1-12.cm1.aarch64.rpm diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 935e0cfb438..c73c1776d37 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt 
@@ -1,19 +1,19 @@ filesystem-1.1-7.cm1.x86_64.rpm -kernel-headers-5.4.51-2.cm1.noarch.rpm -glibc-2.28-12.cm1.x86_64.rpm -glibc-devel-2.28-12.cm1.x86_64.rpm -glibc-i18n-2.28-12.cm1.x86_64.rpm -glibc-iconv-2.28-12.cm1.x86_64.rpm -glibc-lang-2.28-12.cm1.x86_64.rpm -glibc-nscd-2.28-12.cm1.x86_64.rpm -glibc-tools-2.28-12.cm1.x86_64.rpm +kernel-headers-5.4.72-1.cm1.noarch.rpm +glibc-2.28-14.cm1.x86_64.rpm +glibc-devel-2.28-14.cm1.x86_64.rpm +glibc-i18n-2.28-14.cm1.x86_64.rpm +glibc-iconv-2.28-14.cm1.x86_64.rpm +glibc-lang-2.28-14.cm1.x86_64.rpm +glibc-nscd-2.28-14.cm1.x86_64.rpm +glibc-tools-2.28-14.cm1.x86_64.rpm zlib-1.2.11-3.cm1.x86_64.rpm zlib-devel-1.2.11-3.cm1.x86_64.rpm file-5.38-1.cm1.x86_64.rpm file-devel-5.38-1.cm1.x86_64.rpm file-libs-5.38-1.cm1.x86_64.rpm -binutils-2.32-3.cm1.x86_64.rpm -binutils-devel-2.32-3.cm1.x86_64.rpm +binutils-2.32-4.cm1.x86_64.rpm +binutils-devel-2.32-4.cm1.x86_64.rpm gmp-6.1.2-5.cm1.x86_64.rpm gmp-devel-6.1.2-5.cm1.x86_64.rpm mpfr-4.0.1-3.cm1.x86_64.rpm @@ -35,11 +35,11 @@ ncurses-libs-6.2-4.cm1.x86_64.rpm ncurses-term-6.2-4.cm1.x86_64.rpm readline-7.0-4.cm1.x86_64.rpm readline-devel-7.0-4.cm1.x86_64.rpm -coreutils-8.30-5.cm1.x86_64.rpm -coreutils-lang-8.30-5.cm1.x86_64.rpm -bash-4.4.18-5.cm1.x86_64.rpm -bash-devel-4.4.18-5.cm1.x86_64.rpm -bash-lang-4.4.18-5.cm1.x86_64.rpm +coreutils-8.30-7.cm1.x86_64.rpm +coreutils-lang-8.30-7.cm1.x86_64.rpm +bash-4.4.18-6.cm1.x86_64.rpm +bash-devel-4.4.18-6.cm1.x86_64.rpm +bash-lang-4.4.18-6.cm1.x86_64.rpm bzip2-1.0.6-15.cm1.x86_64.rpm bzip2-devel-1.0.6-15.cm1.x86_64.rpm bzip2-libs-1.0.6-15.cm1.x86_64.rpm @@ -58,7 +58,7 @@ findutils-lang-4.6.0-7.cm1.x86_64.rpm gettext-0.19.8.1-3.cm1.x86_64.rpm gzip-1.9-5.cm1.x86_64.rpm make-4.2.1-5.cm1.x86_64.rpm -mariner-release-1.0-10.cm1.noarch.rpm +mariner-release-1.0-11.cm1.noarch.rpm patch-2.7.6-7.cm1.x86_64.rpm util-linux-2.32.1-3.cm1.x86_64.rpm util-linux-devel-2.32.1-3.cm1.x86_64.rpm 
@@ -72,8 +72,8 @@ zstd-1.4.4-1.cm1.x86_64.rpm zstd-devel-1.4.4-1.cm1.x86_64.rpm zstd-libs-1.4.4-1.cm1.x86_64.rpm libtool-2.4.6-5.cm1.x86_64.rpm -flex-2.6.4-5.cm1.x86_64.rpm -flex-devel-2.6.4-5.cm1.x86_64.rpm +flex-2.6.4-6.cm1.x86_64.rpm +flex-devel-2.6.4-6.cm1.x86_64.rpm bison-3.1-3.cm1.x86_64.rpm popt-1.16-7.cm1.x86_64.rpm popt-devel-1.16-7.cm1.x86_64.rpm @@ -103,14 +103,14 @@ gdbm-devel-1.18-3.cm1.x86_64.rpm gdbm-lang-1.18-3.cm1.x86_64.rpm perl-5.30.3-1.cm1.x86_64.rpm texinfo-6.5-7.cm1.x86_64.rpm -autoconf-2.69-9.cm1.noarch.rpm +autoconf-2.69-10.cm1.noarch.rpm automake-1.16.1-3.cm1.noarch.rpm -openssl-1.1.1g-6.cm1.x86_64.rpm -openssl-devel-1.1.1g-6.cm1.x86_64.rpm -openssl-libs-1.1.1g-6.cm1.x86_64.rpm -openssl-perl-1.1.1g-6.cm1.x86_64.rpm -openssl-static-1.1.1g-6.cm1.x86_64.rpm -openssl-debuginfo-1.1.1g-6.cm1.x86_64.rpm +openssl-1.1.1g-7.cm1.x86_64.rpm +openssl-devel-1.1.1g-7.cm1.x86_64.rpm +openssl-libs-1.1.1g-7.cm1.x86_64.rpm +openssl-perl-1.1.1g-7.cm1.x86_64.rpm +openssl-static-1.1.1g-7.cm1.x86_64.rpm +openssl-debuginfo-1.1.1g-7.cm1.x86_64.rpm libcap-2.26-2.cm1.x86_64.rpm libcap-devel-2.26-2.cm1.x86_64.rpm libdb-5.3.28-4.cm1.x86_64.rpm 
@@ -132,17 +132,17 @@ libssh2-devel-1.9.0-1.cm1.x86_64.rpm curl-7.68.0-2.cm1.x86_64.rpm curl-devel-7.68.0-2.cm1.x86_64.rpm curl-libs-7.68.0-2.cm1.x86_64.rpm -tdnf-2.1.0-4.cm1.x86_64.rpm -tdnf-cli-libs-2.1.0-4.cm1.x86_64.rpm -tdnf-devel-2.1.0-4.cm1.x86_64.rpm -tdnf-plugin-repogpgcheck-2.1.0-4.cm1.x86_64.rpm +tdnf-2.1.0-5.cm1.x86_64.rpm +tdnf-cli-libs-2.1.0-5.cm1.x86_64.rpm +tdnf-devel-2.1.0-5.cm1.x86_64.rpm +tdnf-plugin-repogpgcheck-2.1.0-5.cm1.x86_64.rpm createrepo_c-0.11.1-6.cm1.x86_64.rpm -libxml2-2.9.10-2.cm1.x86_64.rpm -libxml2-devel-2.9.10-2.cm1.x86_64.rpm +libxml2-2.9.10-3.cm1.x86_64.rpm +libxml2-devel-2.9.10-3.cm1.x86_64.rpm glib-2.58.0-6.cm1.x86_64.rpm libltdl-2.4.6-5.cm1.x86_64.rpm libltdl-devel-2.4.6-5.cm1.x86_64.rpm -pcre-libs-8.42-4.cm1.x86_64.rpm +pcre-libs-8.44-1.cm1.x86_64.rpm krb5-1.17-4.cm1.x86_64.rpm lua-5.3.5-8.cm1.x86_64.rpm mariner-rpm-macros-1.0-3.cm1.noarch.rpm @@ -154,7 +154,7 @@ libksba-1.3.5-3.cm1.x86_64.rpm npth-1.6-3.cm1.x86_64.rpm pinentry-1.1.0-3.cm1.x86_64.rpm gnupg2-2.2.20-3.cm1.x86_64.rpm -gpgme-1.13.1-5.cm1.x86_64.rpm +gpgme-1.13.1-6.cm1.x86_64.rpm mariner-repos-1.0-11.cm1.noarch.rpm mariner-repos-preview-1.0-11.cm1.noarch.rpm libffi-3.2.1-12.cm1.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 3a92cb8a1c4..f3b7fc5f40b 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt 
@@ -2,15 +2,15 @@ alsa-lib-1.2.2-1.cm1.aarch64.rpm alsa-lib-debuginfo-1.2.2-1.cm1.aarch64.rpm alsa-lib-devel-1.2.2-1.cm1.aarch64.rpm asciidoc-8.6.10-4.cm1.noarch.rpm -autoconf-2.69-9.cm1.noarch.rpm +autoconf-2.69-10.cm1.noarch.rpm automake-1.16.1-3.cm1.noarch.rpm -bash-4.4.18-5.cm1.aarch64.rpm -bash-debuginfo-4.4.18-5.cm1.aarch64.rpm -bash-devel-4.4.18-5.cm1.aarch64.rpm -bash-lang-4.4.18-5.cm1.aarch64.rpm -binutils-2.32-3.cm1.aarch64.rpm -binutils-debuginfo-2.32-3.cm1.aarch64.rpm -binutils-devel-2.32-3.cm1.aarch64.rpm +bash-4.4.18-6.cm1.aarch64.rpm +bash-debuginfo-4.4.18-6.cm1.aarch64.rpm +bash-devel-4.4.18-6.cm1.aarch64.rpm +bash-lang-4.4.18-6.cm1.aarch64.rpm +binutils-2.32-4.cm1.aarch64.rpm +binutils-debuginfo-2.32-4.cm1.aarch64.rpm +binutils-devel-2.32-4.cm1.aarch64.rpm bison-3.1-3.cm1.aarch64.rpm bison-debuginfo-3.1-3.cm1.aarch64.rpm bzip2-1.0.6-15.cm1.aarch64.rpm @@ -27,9 +27,9 @@ check-0.12.0-4.cm1.aarch64.rpm check-debuginfo-0.12.0-4.cm1.aarch64.rpm cmake-3.17.3-2.cm1.aarch64.rpm cmake-debuginfo-3.17.3-2.cm1.aarch64.rpm -coreutils-8.30-5.cm1.aarch64.rpm -coreutils-debuginfo-8.30-5.cm1.aarch64.rpm -coreutils-lang-8.30-5.cm1.aarch64.rpm +coreutils-8.30-7.cm1.aarch64.rpm +coreutils-debuginfo-8.30-7.cm1.aarch64.rpm +coreutils-lang-8.30-7.cm1.aarch64.rpm cpio-2.13-2.cm1.aarch64.rpm cpio-debuginfo-2.13-2.cm1.aarch64.rpm cpio-lang-2.13-2.cm1.aarch64.rpm @@ -86,9 +86,9 @@ filesystem-1.1-7.cm1.aarch64.rpm findutils-4.6.0-7.cm1.aarch64.rpm findutils-debuginfo-4.6.0-7.cm1.aarch64.rpm findutils-lang-4.6.0-7.cm1.aarch64.rpm -flex-2.6.4-5.cm1.aarch64.rpm -flex-debuginfo-2.6.4-5.cm1.aarch64.rpm -flex-devel-2.6.4-5.cm1.aarch64.rpm +flex-2.6.4-6.cm1.aarch64.rpm +flex-debuginfo-2.6.4-6.cm1.aarch64.rpm +flex-devel-2.6.4-6.cm1.aarch64.rpm freetype-2.9.1-4.cm1.aarch64.rpm freetype-debuginfo-2.9.1-4.cm1.aarch64.rpm freetype-devel-2.9.1-4.cm1.aarch64.rpm 
@@ -104,13 +104,13 @@ gettext-0.19.8.1-3.cm1.aarch64.rpm gettext-debuginfo-0.19.8.1-3.cm1.aarch64.rpm gfortran-9.1.0-7.cm1.aarch64.rpm glib-2.58.0-6.cm1.aarch64.rpm -glibc-2.28-12.cm1.aarch64.rpm -glibc-devel-2.28-12.cm1.aarch64.rpm -glibc-i18n-2.28-12.cm1.aarch64.rpm -glibc-iconv-2.28-12.cm1.aarch64.rpm -glibc-lang-2.28-12.cm1.aarch64.rpm -glibc-nscd-2.28-12.cm1.aarch64.rpm -glibc-tools-2.28-12.cm1.aarch64.rpm +glibc-2.28-14.cm1.aarch64.rpm +glibc-devel-2.28-14.cm1.aarch64.rpm +glibc-i18n-2.28-14.cm1.aarch64.rpm +glibc-iconv-2.28-14.cm1.aarch64.rpm +glibc-lang-2.28-14.cm1.aarch64.rpm +glibc-nscd-2.28-14.cm1.aarch64.rpm +glibc-tools-2.28-14.cm1.aarch64.rpm glib-debuginfo-2.58.0-6.cm1.aarch64.rpm glib-devel-2.58.0-6.cm1.aarch64.rpm glib-schemas-2.58.0-6.cm1.aarch64.rpm @@ -124,9 +124,9 @@ gnupg2-2.2.20-3.cm1.aarch64.rpm gnupg2-debuginfo-2.2.20-3.cm1.aarch64.rpm gperf-3.1-3.cm1.aarch64.rpm gperf-debuginfo-3.1-3.cm1.aarch64.rpm -gpgme-1.13.1-5.cm1.aarch64.rpm -gpgme-debuginfo-1.13.1-5.cm1.aarch64.rpm -gpgme-devel-1.13.1-5.cm1.aarch64.rpm +gpgme-1.13.1-6.cm1.aarch64.rpm +gpgme-debuginfo-1.13.1-6.cm1.aarch64.rpm +gpgme-devel-1.13.1-6.cm1.aarch64.rpm grep-3.1-3.cm1.aarch64.rpm grep-debuginfo-3.1-3.cm1.aarch64.rpm grep-lang-3.1-3.cm1.aarch64.rpm @@ -140,12 +140,12 @@ gzip-debuginfo-1.9-5.cm1.aarch64.rpm integritysetup-2.3.3-2.cm1.aarch64.rpm intltool-0.51.0-7.cm1.noarch.rpm itstool-2.0.6-3.cm1.noarch.rpm -json-c-0.14-2.cm1.aarch64.rpm -json-c-debuginfo-0.14-2.cm1.aarch64.rpm -json-c-devel-0.14-2.cm1.aarch64.rpm +json-c-0.14-3.cm1.aarch64.rpm +json-c-debuginfo-0.14-3.cm1.aarch64.rpm +json-c-devel-0.14-3.cm1.aarch64.rpm kbd-2.0.4-5.cm1.aarch64.rpm kbd-debuginfo-2.0.4-5.cm1.aarch64.rpm -kernel-headers-5.4.51-2.cm1.noarch.rpm +kernel-headers-5.4.72-1.cm1.noarch.rpm kmod-25-4.cm1.aarch64.rpm kmod-debuginfo-25-4.cm1.aarch64.rpm kmod-devel-25-4.cm1.aarch64.rpm 
@@ -192,9 +192,9 @@ libmpc-debuginfo-1.1.0-5.cm1.aarch64.rpm libpipeline-1.5.0-3.cm1.aarch64.rpm libpipeline-debuginfo-1.5.0-3.cm1.aarch64.rpm libpipeline-devel-1.5.0-3.cm1.aarch64.rpm -libpwquality-1.4.2-4.cm1.aarch64.rpm -libpwquality-debuginfo-1.4.2-4.cm1.aarch64.rpm -libpwquality-devel-1.4.2-4.cm1.aarch64.rpm +libpwquality-1.4.2-6.cm1.aarch64.rpm +libpwquality-debuginfo-1.4.2-6.cm1.aarch64.rpm +libpwquality-devel-1.4.2-6.cm1.aarch64.rpm libselinux-2.9-3.cm1.aarch64.rpm libselinux-debuginfo-2.9-3.cm1.aarch64.rpm libselinux-devel-2.9-3.cm1.aarch64.rpm @@ -218,10 +218,10 @@ libtasn1-debuginfo-4.14-2.cm1.aarch64.rpm libtasn1-devel-4.14-2.cm1.aarch64.rpm libtool-2.4.6-5.cm1.aarch64.rpm libtool-debuginfo-2.4.6-5.cm1.aarch64.rpm -libxml2-2.9.10-2.cm1.aarch64.rpm -libxml2-debuginfo-2.9.10-2.cm1.aarch64.rpm -libxml2-devel-2.9.10-2.cm1.aarch64.rpm -libxml2-python-2.9.10-2.cm1.aarch64.rpm +libxml2-2.9.10-3.cm1.aarch64.rpm +libxml2-debuginfo-2.9.10-3.cm1.aarch64.rpm +libxml2-devel-2.9.10-3.cm1.aarch64.rpm +libxml2-python-2.9.10-3.cm1.aarch64.rpm libxslt-1.1.34-2.cm1.aarch64.rpm libxslt-debuginfo-1.1.34-2.cm1.aarch64.rpm libxslt-devel-1.1.34-2.cm1.aarch64.rpm @@ -237,7 +237,7 @@ m4-debuginfo-1.4.18-4.cm1.aarch64.rpm make-4.2.1-5.cm1.aarch64.rpm make-debuginfo-4.2.1-5.cm1.aarch64.rpm mariner-check-macros-1.0-3.cm1.noarch.rpm -mariner-release-1.0-10.cm1.noarch.rpm +mariner-release-1.0-11.cm1.noarch.rpm mariner-repos-1.0-11.cm1.noarch.rpm mariner-repos-preview-1.0-11.cm1.noarch.rpm mariner-rpm-macros-1.0-3.cm1.noarch.rpm 
@@ -269,12 +269,12 @@ openjdk8-doc-1.8.0.181-8.cm1.aarch64.rpm openjdk8-sample-1.8.0.181-8.cm1.aarch64.rpm openjdk8-src-1.8.0.181-8.cm1.aarch64.rpm openjre8-1.8.0.181-8.cm1.aarch64.rpm -openssl-1.1.1g-6.cm1.aarch64.rpm -openssl-debuginfo-1.1.1g-6.cm1.aarch64.rpm -openssl-devel-1.1.1g-6.cm1.aarch64.rpm -openssl-libs-1.1.1g-6.cm1.aarch64.rpm -openssl-perl-1.1.1g-6.cm1.aarch64.rpm -openssl-static-1.1.1g-6.cm1.aarch64.rpm +openssl-1.1.1g-7.cm1.aarch64.rpm +openssl-debuginfo-1.1.1g-7.cm1.aarch64.rpm +openssl-devel-1.1.1g-7.cm1.aarch64.rpm +openssl-libs-1.1.1g-7.cm1.aarch64.rpm +openssl-perl-1.1.1g-7.cm1.aarch64.rpm +openssl-static-1.1.1g-7.cm1.aarch64.rpm p11-kit-0.23.16.1-2.cm1.aarch64.rpm p11-kit-debuginfo-0.23.16.1-2.cm1.aarch64.rpm p11-kit-devel-0.23.16.1-2.cm1.aarch64.rpm @@ -286,10 +286,10 @@ pam-devel-1.3.1-4.cm1.aarch64.rpm pam-lang-1.3.1-4.cm1.aarch64.rpm patch-2.7.6-7.cm1.aarch64.rpm patch-debuginfo-2.7.6-7.cm1.aarch64.rpm -pcre-8.42-4.cm1.aarch64.rpm -pcre-debuginfo-8.42-4.cm1.aarch64.rpm -pcre-devel-8.42-4.cm1.aarch64.rpm -pcre-libs-8.42-4.cm1.aarch64.rpm +pcre-8.44-1.cm1.aarch64.rpm +pcre-debuginfo-8.44-1.cm1.aarch64.rpm +pcre-devel-8.44-1.cm1.aarch64.rpm +pcre-libs-8.44-1.cm1.aarch64.rpm perl-5.30.3-1.cm1.aarch64.rpm perl-DBD-SQLite-1.62-3.cm1.aarch64.rpm perl-DBD-SQLite-debuginfo-1.62-3.cm1.aarch64.rpm 
@@ -316,22 +316,22 @@ procps-ng-3.3.15-3.cm1.aarch64.rpm procps-ng-debuginfo-3.3.15-3.cm1.aarch64.rpm procps-ng-devel-3.3.15-3.cm1.aarch64.rpm procps-ng-lang-3.3.15-3.cm1.aarch64.rpm -python2-2.7.18-3.cm1.aarch64.rpm -python2-debuginfo-2.7.18-3.cm1.aarch64.rpm -python2-devel-2.7.18-3.cm1.aarch64.rpm -python2-libs-2.7.18-3.cm1.aarch64.rpm -python2-test-2.7.18-3.cm1.aarch64.rpm -python2-tools-2.7.18-3.cm1.aarch64.rpm +python2-2.7.18-5.cm1.aarch64.rpm +python2-debuginfo-2.7.18-5.cm1.aarch64.rpm +python2-devel-2.7.18-5.cm1.aarch64.rpm +python2-libs-2.7.18-5.cm1.aarch64.rpm +python2-test-2.7.18-5.cm1.aarch64.rpm +python2-tools-2.7.18-5.cm1.aarch64.rpm python3-cracklib-2.9.7-2.cm1.aarch64.rpm -python3-gpg-1.13.1-5.cm1.aarch64.rpm -python3-libxml2-2.9.10-2.cm1.aarch64.rpm -python3-pwquality-1.4.2-4.cm1.aarch64.rpm +python3-gpg-1.13.1-6.cm1.aarch64.rpm +python3-libxml2-2.9.10-3.cm1.aarch64.rpm +python3-pwquality-1.4.2-6.cm1.aarch64.rpm python3-rpm-4.14.2-10.cm1.aarch64.rpm -python-curses-2.7.18-3.cm1.aarch64.rpm -python-gpg-1.13.1-5.cm1.aarch64.rpm +python-curses-2.7.18-5.cm1.aarch64.rpm +python-gpg-1.13.1-6.cm1.aarch64.rpm python-rpm-4.14.2-10.cm1.aarch64.rpm -python-setuptools-40.2.0-5.cm1.noarch.rpm -python-xml-2.7.18-3.cm1.aarch64.rpm +python-setuptools-40.2.0-6.cm1.noarch.rpm +python-xml-2.7.18-5.cm1.aarch64.rpm readline-7.0-4.cm1.aarch64.rpm readline-debuginfo-7.0-4.cm1.aarch64.rpm readline-devel-7.0-4.cm1.aarch64.rpm 
@@ -353,33 +353,33 @@ sqlite-devel-3.32.3-2.cm1.aarch64.rpm sqlite-libs-3.32.3-2.cm1.aarch64.rpm swig-3.0.12-4.cm1.aarch64.rpm swig-debuginfo-3.0.12-4.cm1.aarch64.rpm -systemd-239-32.cm1.aarch64.rpm -systemd-bootstrap-239-29.cm1.aarch64.rpm -systemd-bootstrap-debuginfo-239-29.cm1.aarch64.rpm -systemd-bootstrap-devel-239-29.cm1.aarch64.rpm -systemd-debuginfo-239-32.cm1.aarch64.rpm -systemd-devel-239-32.cm1.aarch64.rpm -systemd-lang-239-32.cm1.aarch64.rpm +systemd-239-34.cm1.aarch64.rpm +systemd-bootstrap-239-31.cm1.aarch64.rpm +systemd-bootstrap-debuginfo-239-31.cm1.aarch64.rpm +systemd-bootstrap-devel-239-31.cm1.aarch64.rpm +systemd-debuginfo-239-34.cm1.aarch64.rpm +systemd-devel-239-34.cm1.aarch64.rpm +systemd-lang-239-34.cm1.aarch64.rpm tar-1.32-2.cm1.aarch64.rpm tar-debuginfo-1.32-2.cm1.aarch64.rpm -tdnf-2.1.0-4.cm1.aarch64.rpm -tdnf-cli-libs-2.1.0-4.cm1.aarch64.rpm -tdnf-debuginfo-2.1.0-4.cm1.aarch64.rpm -tdnf-devel-2.1.0-4.cm1.aarch64.rpm -tdnf-plugin-repogpgcheck-2.1.0-4.cm1.aarch64.rpm -tdnf-python-2.1.0-4.cm1.aarch64.rpm +tdnf-2.1.0-5.cm1.aarch64.rpm +tdnf-cli-libs-2.1.0-5.cm1.aarch64.rpm +tdnf-debuginfo-2.1.0-5.cm1.aarch64.rpm +tdnf-devel-2.1.0-5.cm1.aarch64.rpm +tdnf-plugin-repogpgcheck-2.1.0-5.cm1.aarch64.rpm +tdnf-python-2.1.0-5.cm1.aarch64.rpm texinfo-6.5-7.cm1.aarch64.rpm texinfo-debuginfo-6.5-7.cm1.aarch64.rpm -unzip-6.0-16.cm1.aarch64.rpm -unzip-debuginfo-6.0-16.cm1.aarch64.rpm +unzip-6.0-18.cm1.aarch64.rpm +unzip-debuginfo-6.0-18.cm1.aarch64.rpm util-linux-2.32.1-3.cm1.aarch64.rpm util-linux-debuginfo-2.32.1-3.cm1.aarch64.rpm util-linux-devel-2.32.1-3.cm1.aarch64.rpm util-linux-lang-2.32.1-3.cm1.aarch64.rpm util-linux-libs-2.32.1-3.cm1.aarch64.rpm veritysetup-2.3.3-2.cm1.aarch64.rpm -wget-1.20.3-2.cm1.aarch64.rpm -wget-debuginfo-1.20.3-2.cm1.aarch64.rpm +wget-1.20.3-3.cm1.aarch64.rpm +wget-debuginfo-1.20.3-3.cm1.aarch64.rpm which-2.21-7.cm1.aarch64.rpm which-debuginfo-2.21-7.cm1.aarch64.rpm xz-5.2.4-3.cm1.aarch64.rpm 
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt index c9a443a6243..e4437b45bfc 100644 --- a/toolkit/resources/manifests/package/toolchain_x86_64.txt +++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt @@ -2,15 +2,15 @@ alsa-lib-1.2.2-1.cm1.x86_64.rpm alsa-lib-debuginfo-1.2.2-1.cm1.x86_64.rpm alsa-lib-devel-1.2.2-1.cm1.x86_64.rpm asciidoc-8.6.10-4.cm1.noarch.rpm -autoconf-2.69-9.cm1.noarch.rpm +autoconf-2.69-10.cm1.noarch.rpm automake-1.16.1-3.cm1.noarch.rpm -bash-4.4.18-5.cm1.x86_64.rpm -bash-debuginfo-4.4.18-5.cm1.x86_64.rpm -bash-devel-4.4.18-5.cm1.x86_64.rpm -bash-lang-4.4.18-5.cm1.x86_64.rpm -binutils-2.32-3.cm1.x86_64.rpm -binutils-debuginfo-2.32-3.cm1.x86_64.rpm -binutils-devel-2.32-3.cm1.x86_64.rpm +bash-4.4.18-6.cm1.x86_64.rpm +bash-debuginfo-4.4.18-6.cm1.x86_64.rpm +bash-devel-4.4.18-6.cm1.x86_64.rpm +bash-lang-4.4.18-6.cm1.x86_64.rpm +binutils-2.32-4.cm1.x86_64.rpm +binutils-debuginfo-2.32-4.cm1.x86_64.rpm +binutils-devel-2.32-4.cm1.x86_64.rpm bison-3.1-3.cm1.x86_64.rpm bison-debuginfo-3.1-3.cm1.x86_64.rpm bzip2-1.0.6-15.cm1.x86_64.rpm @@ -27,9 +27,9 @@ check-0.12.0-4.cm1.x86_64.rpm check-debuginfo-0.12.0-4.cm1.x86_64.rpm cmake-3.17.3-2.cm1.x86_64.rpm cmake-debuginfo-3.17.3-2.cm1.x86_64.rpm -coreutils-8.30-5.cm1.x86_64.rpm -coreutils-debuginfo-8.30-5.cm1.x86_64.rpm -coreutils-lang-8.30-5.cm1.x86_64.rpm +coreutils-8.30-7.cm1.x86_64.rpm +coreutils-debuginfo-8.30-7.cm1.x86_64.rpm +coreutils-lang-8.30-7.cm1.x86_64.rpm cpio-2.13-2.cm1.x86_64.rpm cpio-debuginfo-2.13-2.cm1.x86_64.rpm cpio-lang-2.13-2.cm1.x86_64.rpm 
@@ -86,9 +86,9 @@ filesystem-1.1-7.cm1.x86_64.rpm findutils-4.6.0-7.cm1.x86_64.rpm findutils-debuginfo-4.6.0-7.cm1.x86_64.rpm findutils-lang-4.6.0-7.cm1.x86_64.rpm -flex-2.6.4-5.cm1.x86_64.rpm -flex-debuginfo-2.6.4-5.cm1.x86_64.rpm -flex-devel-2.6.4-5.cm1.x86_64.rpm +flex-2.6.4-6.cm1.x86_64.rpm +flex-debuginfo-2.6.4-6.cm1.x86_64.rpm +flex-devel-2.6.4-6.cm1.x86_64.rpm freetype-2.9.1-4.cm1.x86_64.rpm freetype-debuginfo-2.9.1-4.cm1.x86_64.rpm freetype-devel-2.9.1-4.cm1.x86_64.rpm @@ -104,13 +104,13 @@ gettext-0.19.8.1-3.cm1.x86_64.rpm gettext-debuginfo-0.19.8.1-3.cm1.x86_64.rpm gfortran-9.1.0-7.cm1.x86_64.rpm glib-2.58.0-6.cm1.x86_64.rpm -glibc-2.28-12.cm1.x86_64.rpm -glibc-devel-2.28-12.cm1.x86_64.rpm -glibc-i18n-2.28-12.cm1.x86_64.rpm -glibc-iconv-2.28-12.cm1.x86_64.rpm -glibc-lang-2.28-12.cm1.x86_64.rpm -glibc-nscd-2.28-12.cm1.x86_64.rpm -glibc-tools-2.28-12.cm1.x86_64.rpm +glibc-2.28-14.cm1.x86_64.rpm +glibc-devel-2.28-14.cm1.x86_64.rpm +glibc-i18n-2.28-14.cm1.x86_64.rpm +glibc-iconv-2.28-14.cm1.x86_64.rpm +glibc-lang-2.28-14.cm1.x86_64.rpm +glibc-nscd-2.28-14.cm1.x86_64.rpm +glibc-tools-2.28-14.cm1.x86_64.rpm glib-debuginfo-2.58.0-6.cm1.x86_64.rpm glib-devel-2.58.0-6.cm1.x86_64.rpm glib-schemas-2.58.0-6.cm1.x86_64.rpm @@ -124,9 +124,9 @@ gnupg2-2.2.20-3.cm1.x86_64.rpm gnupg2-debuginfo-2.2.20-3.cm1.x86_64.rpm gperf-3.1-3.cm1.x86_64.rpm gperf-debuginfo-3.1-3.cm1.x86_64.rpm -gpgme-1.13.1-5.cm1.x86_64.rpm -gpgme-debuginfo-1.13.1-5.cm1.x86_64.rpm -gpgme-devel-1.13.1-5.cm1.x86_64.rpm +gpgme-1.13.1-6.cm1.x86_64.rpm +gpgme-debuginfo-1.13.1-6.cm1.x86_64.rpm +gpgme-devel-1.13.1-6.cm1.x86_64.rpm grep-3.1-3.cm1.x86_64.rpm grep-debuginfo-3.1-3.cm1.x86_64.rpm grep-lang-3.1-3.cm1.x86_64.rpm 
@@ -140,12 +140,12 @@ gzip-debuginfo-1.9-5.cm1.x86_64.rpm integritysetup-2.3.3-2.cm1.x86_64.rpm intltool-0.51.0-7.cm1.noarch.rpm itstool-2.0.6-3.cm1.noarch.rpm -json-c-0.14-2.cm1.x86_64.rpm -json-c-debuginfo-0.14-2.cm1.x86_64.rpm -json-c-devel-0.14-2.cm1.x86_64.rpm +json-c-0.14-3.cm1.x86_64.rpm +json-c-debuginfo-0.14-3.cm1.x86_64.rpm +json-c-devel-0.14-3.cm1.x86_64.rpm kbd-2.0.4-5.cm1.x86_64.rpm kbd-debuginfo-2.0.4-5.cm1.x86_64.rpm -kernel-headers-5.4.51-2.cm1.noarch.rpm +kernel-headers-5.4.72-1.cm1.noarch.rpm kmod-25-4.cm1.x86_64.rpm kmod-debuginfo-25-4.cm1.x86_64.rpm kmod-devel-25-4.cm1.x86_64.rpm @@ -192,9 +192,9 @@ libmpc-debuginfo-1.1.0-5.cm1.x86_64.rpm libpipeline-1.5.0-3.cm1.x86_64.rpm libpipeline-debuginfo-1.5.0-3.cm1.x86_64.rpm libpipeline-devel-1.5.0-3.cm1.x86_64.rpm -libpwquality-1.4.2-4.cm1.x86_64.rpm -libpwquality-debuginfo-1.4.2-4.cm1.x86_64.rpm -libpwquality-devel-1.4.2-4.cm1.x86_64.rpm +libpwquality-1.4.2-6.cm1.x86_64.rpm +libpwquality-debuginfo-1.4.2-6.cm1.x86_64.rpm +libpwquality-devel-1.4.2-6.cm1.x86_64.rpm libselinux-2.9-3.cm1.x86_64.rpm libselinux-debuginfo-2.9-3.cm1.x86_64.rpm libselinux-devel-2.9-3.cm1.x86_64.rpm @@ -218,10 +218,10 @@ libtasn1-debuginfo-4.14-2.cm1.x86_64.rpm libtasn1-devel-4.14-2.cm1.x86_64.rpm libtool-2.4.6-5.cm1.x86_64.rpm libtool-debuginfo-2.4.6-5.cm1.x86_64.rpm -libxml2-2.9.10-2.cm1.x86_64.rpm -libxml2-debuginfo-2.9.10-2.cm1.x86_64.rpm -libxml2-devel-2.9.10-2.cm1.x86_64.rpm -libxml2-python-2.9.10-2.cm1.x86_64.rpm +libxml2-2.9.10-3.cm1.x86_64.rpm +libxml2-debuginfo-2.9.10-3.cm1.x86_64.rpm +libxml2-devel-2.9.10-3.cm1.x86_64.rpm +libxml2-python-2.9.10-3.cm1.x86_64.rpm libxslt-1.1.34-2.cm1.x86_64.rpm libxslt-debuginfo-1.1.34-2.cm1.x86_64.rpm libxslt-devel-1.1.34-2.cm1.x86_64.rpm 
@@ -237,7 +237,7 @@ m4-debuginfo-1.4.18-4.cm1.x86_64.rpm make-4.2.1-5.cm1.x86_64.rpm make-debuginfo-4.2.1-5.cm1.x86_64.rpm mariner-check-macros-1.0-3.cm1.noarch.rpm -mariner-release-1.0-10.cm1.noarch.rpm +mariner-release-1.0-11.cm1.noarch.rpm mariner-repos-1.0-11.cm1.noarch.rpm mariner-repos-preview-1.0-11.cm1.noarch.rpm mariner-rpm-macros-1.0-3.cm1.noarch.rpm @@ -269,12 +269,12 @@ openjdk8-doc-1.8.0.212-10.cm1.x86_64.rpm openjdk8-sample-1.8.0.212-10.cm1.x86_64.rpm openjdk8-src-1.8.0.212-10.cm1.x86_64.rpm openjre8-1.8.0.212-10.cm1.x86_64.rpm -openssl-1.1.1g-6.cm1.x86_64.rpm -openssl-debuginfo-1.1.1g-6.cm1.x86_64.rpm -openssl-devel-1.1.1g-6.cm1.x86_64.rpm -openssl-libs-1.1.1g-6.cm1.x86_64.rpm -openssl-perl-1.1.1g-6.cm1.x86_64.rpm -openssl-static-1.1.1g-6.cm1.x86_64.rpm +openssl-1.1.1g-7.cm1.x86_64.rpm +openssl-debuginfo-1.1.1g-7.cm1.x86_64.rpm +openssl-devel-1.1.1g-7.cm1.x86_64.rpm +openssl-libs-1.1.1g-7.cm1.x86_64.rpm +openssl-perl-1.1.1g-7.cm1.x86_64.rpm +openssl-static-1.1.1g-7.cm1.x86_64.rpm p11-kit-0.23.16.1-2.cm1.x86_64.rpm p11-kit-debuginfo-0.23.16.1-2.cm1.x86_64.rpm p11-kit-devel-0.23.16.1-2.cm1.x86_64.rpm @@ -286,10 +286,10 @@ pam-devel-1.3.1-4.cm1.x86_64.rpm pam-lang-1.3.1-4.cm1.x86_64.rpm patch-2.7.6-7.cm1.x86_64.rpm patch-debuginfo-2.7.6-7.cm1.x86_64.rpm -pcre-8.42-4.cm1.x86_64.rpm -pcre-debuginfo-8.42-4.cm1.x86_64.rpm -pcre-devel-8.42-4.cm1.x86_64.rpm -pcre-libs-8.42-4.cm1.x86_64.rpm +pcre-8.44-1.cm1.x86_64.rpm +pcre-debuginfo-8.44-1.cm1.x86_64.rpm +pcre-devel-8.44-1.cm1.x86_64.rpm +pcre-libs-8.44-1.cm1.x86_64.rpm perl-5.30.3-1.cm1.x86_64.rpm perl-DBD-SQLite-1.62-3.cm1.x86_64.rpm perl-DBD-SQLite-debuginfo-1.62-3.cm1.x86_64.rpm 
@@ -316,22 +316,22 @@ procps-ng-3.3.15-3.cm1.x86_64.rpm procps-ng-debuginfo-3.3.15-3.cm1.x86_64.rpm procps-ng-devel-3.3.15-3.cm1.x86_64.rpm procps-ng-lang-3.3.15-3.cm1.x86_64.rpm -python2-2.7.18-3.cm1.x86_64.rpm -python2-debuginfo-2.7.18-3.cm1.x86_64.rpm -python2-devel-2.7.18-3.cm1.x86_64.rpm -python2-libs-2.7.18-3.cm1.x86_64.rpm -python2-test-2.7.18-3.cm1.x86_64.rpm -python2-tools-2.7.18-3.cm1.x86_64.rpm +python2-2.7.18-5.cm1.x86_64.rpm +python2-debuginfo-2.7.18-5.cm1.x86_64.rpm +python2-devel-2.7.18-5.cm1.x86_64.rpm +python2-libs-2.7.18-5.cm1.x86_64.rpm +python2-test-2.7.18-5.cm1.x86_64.rpm +python2-tools-2.7.18-5.cm1.x86_64.rpm python3-cracklib-2.9.7-2.cm1.x86_64.rpm -python3-gpg-1.13.1-5.cm1.x86_64.rpm -python3-libxml2-2.9.10-2.cm1.x86_64.rpm -python3-pwquality-1.4.2-4.cm1.x86_64.rpm +python3-gpg-1.13.1-6.cm1.x86_64.rpm +python3-libxml2-2.9.10-3.cm1.x86_64.rpm +python3-pwquality-1.4.2-6.cm1.x86_64.rpm python3-rpm-4.14.2-10.cm1.x86_64.rpm -python-curses-2.7.18-3.cm1.x86_64.rpm -python-gpg-1.13.1-5.cm1.x86_64.rpm +python-curses-2.7.18-5.cm1.x86_64.rpm +python-gpg-1.13.1-6.cm1.x86_64.rpm python-rpm-4.14.2-10.cm1.x86_64.rpm -python-setuptools-40.2.0-5.cm1.noarch.rpm -python-xml-2.7.18-3.cm1.x86_64.rpm +python-setuptools-40.2.0-6.cm1.noarch.rpm +python-xml-2.7.18-5.cm1.x86_64.rpm readline-7.0-4.cm1.x86_64.rpm readline-debuginfo-7.0-4.cm1.x86_64.rpm readline-devel-7.0-4.cm1.x86_64.rpm 
@@ -353,33 +353,33 @@ sqlite-devel-3.32.3-2.cm1.x86_64.rpm sqlite-libs-3.32.3-2.cm1.x86_64.rpm swig-3.0.12-4.cm1.x86_64.rpm swig-debuginfo-3.0.12-4.cm1.x86_64.rpm -systemd-239-32.cm1.x86_64.rpm -systemd-bootstrap-239-29.cm1.x86_64.rpm -systemd-bootstrap-debuginfo-239-29.cm1.x86_64.rpm -systemd-bootstrap-devel-239-29.cm1.x86_64.rpm -systemd-debuginfo-239-32.cm1.x86_64.rpm -systemd-devel-239-32.cm1.x86_64.rpm -systemd-lang-239-32.cm1.x86_64.rpm +systemd-239-34.cm1.x86_64.rpm +systemd-bootstrap-239-31.cm1.x86_64.rpm +systemd-bootstrap-debuginfo-239-31.cm1.x86_64.rpm +systemd-bootstrap-devel-239-31.cm1.x86_64.rpm +systemd-debuginfo-239-34.cm1.x86_64.rpm +systemd-devel-239-34.cm1.x86_64.rpm +systemd-lang-239-34.cm1.x86_64.rpm tar-1.32-2.cm1.x86_64.rpm tar-debuginfo-1.32-2.cm1.x86_64.rpm -tdnf-2.1.0-4.cm1.x86_64.rpm -tdnf-cli-libs-2.1.0-4.cm1.x86_64.rpm -tdnf-debuginfo-2.1.0-4.cm1.x86_64.rpm -tdnf-devel-2.1.0-4.cm1.x86_64.rpm -tdnf-plugin-repogpgcheck-2.1.0-4.cm1.x86_64.rpm -tdnf-python-2.1.0-4.cm1.x86_64.rpm +tdnf-2.1.0-5.cm1.x86_64.rpm +tdnf-cli-libs-2.1.0-5.cm1.x86_64.rpm +tdnf-debuginfo-2.1.0-5.cm1.x86_64.rpm +tdnf-devel-2.1.0-5.cm1.x86_64.rpm +tdnf-plugin-repogpgcheck-2.1.0-5.cm1.x86_64.rpm +tdnf-python-2.1.0-5.cm1.x86_64.rpm texinfo-6.5-7.cm1.x86_64.rpm texinfo-debuginfo-6.5-7.cm1.x86_64.rpm -unzip-6.0-16.cm1.x86_64.rpm -unzip-debuginfo-6.0-16.cm1.x86_64.rpm +unzip-6.0-18.cm1.x86_64.rpm +unzip-debuginfo-6.0-18.cm1.x86_64.rpm util-linux-2.32.1-3.cm1.x86_64.rpm util-linux-debuginfo-2.32.1-3.cm1.x86_64.rpm util-linux-devel-2.32.1-3.cm1.x86_64.rpm util-linux-lang-2.32.1-3.cm1.x86_64.rpm util-linux-libs-2.32.1-3.cm1.x86_64.rpm veritysetup-2.3.3-2.cm1.x86_64.rpm -wget-1.20.3-2.cm1.x86_64.rpm -wget-debuginfo-1.20.3-2.cm1.x86_64.rpm +wget-1.20.3-3.cm1.x86_64.rpm +wget-debuginfo-1.20.3-3.cm1.x86_64.rpm which-2.21-7.cm1.x86_64.rpm which-debuginfo-2.21-7.cm1.x86_64.rpm xz-5.2.4-3.cm1.x86_64.rpm 
diff --git a/toolkit/scripts/imggen.mk b/toolkit/scripts/imggen.mk index 3a6b42efd7e..ef02c799605 100644 --- a/toolkit/scripts/imggen.mk +++ b/toolkit/scripts/imggen.mk @@ -11,7 +11,11 @@ assets_files = $(shell find $(assets_dir)) imggen_local_repo = $(MANIFESTS_DIR)/image/local.repo imagefetcher_local_repo = $(MANIFESTS_DIR)/package/local.repo imagefetcher_cloned_repo = $(MANIFESTS_DIR)/package/fetcher.repo +ifeq ($(build_arch),aarch64) +initrd_config_json = $(RESOURCES_DIR)/imageconfigs/iso_initrd_arm64.json +else initrd_config_json = $(RESOURCES_DIR)/imageconfigs/iso_initrd.json +endif meta_user_data_files = $(META_USER_DATA_DIR)/user-data $(META_USER_DATA_DIR)/meta-data ova_ovfinfo = $(assets_dir)/ova/ovfinfo.txt ova_vmxtemplate = $(assets_dir)/ova/vmx-template @@ -35,7 +39,11 @@ image_external_package_cache_summary = $(imggen_config_dir)/image_external_deps. artifact_dir = $(IMAGES_DIR)/$(config_name) imager_disk_output_dir = $(imggen_config_dir)/imager_output imager_disk_output_files = $(shell find $(imager_disk_output_dir) -not -name '*:*') +ifeq ($(build_arch),aarch64) +initrd_img = $(IMAGES_DIR)/iso_initrd_arm64/iso-initrd.img +else initrd_img = $(IMAGES_DIR)/iso_initrd/iso-initrd.img +endif meta_user_data_iso = ${IMAGES_DIR)/meta-user-data.iso $(call create_folder,$(workspace_dir)) diff --git a/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh b/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh index 1251058b8ff..15893d56b02 100755 --- a/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh +++ b/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh 
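Review bot: The `ifeq ($(build_arch),aarch64)` test is written out twice, once for `initrd_config_json` and once for `initrd_img`, and the two blocks must stay in step for the ISO build to take its config and its image from matching directories. Setting one name once, e.g. `initrd_config_name = iso_initrd_arm64` (else `iso_initrd`), and building both paths from it as `$(RESOURCES_DIR)/imageconfigs/$(initrd_config_name).json` and `$(IMAGES_DIR)/$(initrd_config_name)/iso-initrd.img` removes that coupling. Separately, the context line right after the second block reads `${IMAGES_DIR)/meta-user-data.iso` with an unbalanced brace; this commit does not touch it, but it is worth correcting to `$(IMAGES_DIR)/meta-user-data.iso` in the same pass.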
@@ -348,10 +348,17 @@ chroot_and_install_rpms libssh2 build_rpm_in_chroot_no_install curl build_rpm_in_chroot_no_install libxml2 +# python-setuptools needs python-xml +# python-xml is built by building python2 +chroot_and_install_rpms python-xml + # cracklib needs python-setuptools chroot_and_install_rpms python-setuptools build_rpm_in_chroot_no_install cracklib +# pam needs cracklib +chroot_and_install_rpms cracklib + build_rpm_in_chroot_no_install cmake build_rpm_in_chroot_no_install pam build_rpm_in_chroot_no_install docbook-dtd-xml @@ -378,9 +385,6 @@ build_rpm_in_chroot_no_install libsolv # glib needs perl-XML-Parser, python-xml chroot_and_install_rpms perl-XML-Parser -# python-xml is built by building python2 -chroot_and_install_rpms python-xml - build_rpm_in_chroot_no_install glib build_rpm_in_chroot_no_install libassuan build_rpm_in_chroot_no_install npth @@ -439,8 +443,6 @@ chroot_and_install_rpms ninja-build chroot_and_install_rpms gettext build_rpm_in_chroot_no_install meson -# libpwquality requires cracklib -chroot_and_install_rpms cracklib build_rpm_in_chroot_no_install libpwquality build_rpm_in_chroot_no_install json-c build_rpm_in_chroot_no_install libsepol diff --git a/toolkit/scripts/toolchain/container/toolchain-md5sums b/toolkit/scripts/toolchain/container/toolchain-md5sums index 5a79a133695..31f495b09d7 100644 --- a/toolkit/scripts/toolchain/container/toolchain-md5sums +++ b/toolkit/scripts/toolchain/container/toolchain-md5sums 
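Review bot: The last hunk removes `# libpwquality requires cracklib` together with its install line, so after the move the libpwquality dependency on the earlier cracklib install is no longer recorded anywhere. I would widen the new comment in the first hunk to `# pam and libpwquality need cracklib`. The unchanged comment `# glib needs perl-XML-Parser, python-xml` in the second hunk now refers to a python-xml install that happens earlier in the script; a short `# python-xml is already installed above, before python-setuptools` there would keep the ordering constraint readable.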
@@ -98,7 +98,7 @@ ef8c2c1d16a00bd95b9fdcef63b8a2ca libXtst-1.2.3.tar.bz2 4cbe1c1def7a5e1b0ed5fce8e512f4c6 libXvMC-1.0.10.tar.bz2 d7dd9b9df336b7dd4028b6b56542ff2c libXxf86dga-1.1.4.tar.bz2 298b8fff82df17304dfdb5fe4066fe3a libXxf86vm-1.1.4.tar.bz2 -a144b639702d36f8fc2b59bf8f5690a7 linux-msft-5.4.51.tar.gz +c7d15cd5b39d88dfb32fcc9cd3441ebd linux-msft-5.4.72.tar.gz 63ecacd3ff6552537a73f8c30c396caf lua-5.3.5-shared_library-1.patch 4f4b4f323fd3514a68e0ab3da8ce3455 lua-5.3.5.tar.gz 730bb15d96fffe47e148d1e09235af82 m4-1.4.18.tar.xz diff --git a/toolkit/scripts/toolchain/container/toolchain-remote-wget-list b/toolkit/scripts/toolchain/container/toolchain-remote-wget-list index 428dd5c70f1..69c7032b5d0 100644 --- a/toolkit/scripts/toolchain/container/toolchain-remote-wget-list +++ b/toolkit/scripts/toolchain/container/toolchain-remote-wget-list @@ -39,7 +39,7 @@ http://ftp.gnu.org/gnu/readline/readline-7.0.tar.gz http://ftp.gnu.org/gnu/tar/tar-1.30.tar.xz http://ftp.gnu.org/gnu/texinfo/texinfo-6.5.tar.xz https://www.cpan.org/src/5.0/perl-5.30.3.tar.gz -https://github.com/microsoft/WSL2-Linux-Kernel/archive/linux-msft-5.4.51.tar.gz +https://github.com/microsoft/WSL2-Linux-Kernel/archive/linux-msft-5.4.72.tar.gz http://ftp.gnu.org/gnu/bash/bash-4.4.18.tar.gz https://ftp.gnu.org/gnu/bison/bison-3.1.tar.xz https://sourceware.org/pub/bzip2/bzip2-1.0.6.tar.gz diff --git a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh index 3f57fe8a4cd..a4212c3cb74 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh +++ b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh 
@@ -57,14 +57,14 @@ set -e # cd /sources -echo Linux-5.4.51 API Headers -tar xf linux-msft-5.4.51.tar.gz -pushd WSL2-Linux-Kernel-linux-msft-5.4.51 +echo Linux-5.4.72 API Headers +tar xf linux-msft-5.4.72.tar.gz +pushd WSL2-Linux-Kernel-linux-msft-5.4.72 make mrproper make headers cp -rv usr/include/* /usr/include popd -rm -rf WSL2-Linux-Kernel-linux-msft-5.4.51 +rm -rf WSL2-Linux-Kernel-linux-msft-5.4.72 touch /logs/status_kernel_headers_complete echo 6.8. Man-pages-5.02 diff --git a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh index 87c7af5ac1a..4ca776bf2cf 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh +++ b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh @@ -113,14 +113,14 @@ rm -rf gcc-9.1.0 touch $LFS/logs/temptoolchain/status_gcc_pass1_complete -echo Linux-5.4.51 API Headers -tar xf linux-msft-5.4.51.tar.gz -pushd WSL2-Linux-Kernel-linux-msft-5.4.51 +echo Linux-5.4.72 API Headers +tar xf linux-msft-5.4.72.tar.gz +pushd WSL2-Linux-Kernel-linux-msft-5.4.72 make mrproper make headers cp -rv usr/include/* /tools/include popd -rm -rf WSL2-Linux-Kernel-linux-msft-5.4.51 +rm -rf WSL2-Linux-Kernel-linux-msft-5.4.72 touch $LFS/logs/temptoolchain/status_kernel_headers_complete diff --git a/toolkit/scripts/tools.mk b/toolkit/scripts/tools.mk index bec17d0a4f9..47ed0924fcc 100644 --- a/toolkit/scripts/tools.mk +++ b/toolkit/scripts/tools.mk @@ -29,6 +29,7 @@ go_tool_list = \ specreader \ srpmpacker \ unravel \ + validatechroot \ # For each utility "util", create a "out/tools/util" target which references code in "tools/util/" go_tool_targets = $(foreach target,$(go_tool_list),$(TOOL_BINS_DIR)/$(target)) 
@@ -112,7 +113,7 @@ go-test-coverage: $(test_coverage_report) chroot_worker = $(BUILD_DIR)/worker/worker_chroot.tar.gz -.PHONY: chroot-tools clean-chroot-tools +.PHONY: chroot-tools clean-chroot-tools validate-chroot chroot-tools: $(chroot_worker) clean: clean-chroot-tools @@ -120,7 +121,9 @@ clean-chroot-tools: rm -f $(chroot_worker) @echo Verifying no mountpoints present in $(BUILD_DIR)/worker/ $(SCRIPTS_DIR)/safeunmount.sh "$(BUILD_DIR)/worker/" && \ - rm -rf $(BUILD_DIR)/worker + $(SCRIPTS_DIR)/safeunmount.sh "$(BUILD_DIR)/validatechroot/" && \ + rm -rf $(BUILD_DIR)/worker && \ + rm -rf $(BUILD_DIR)/validatechroot worker_chroot_manifest = $(TOOLCHAIN_MANIFESTS_DIR)/pkggen_core_$(build_arch).txt # Find the *.rpm corresponding to each of the entries in the manifest @@ -140,6 +143,15 @@ worker_chroot_deps := \ $(chroot_worker): $(worker_chroot_deps) $(PKGGEN_DIR)/worker/create_worker_chroot.sh $(BUILD_DIR)/worker $(worker_chroot_manifest) $(toolchain_rpms_dir) $(LOGS_DIR) +validate-chroot: $(go-validatechroot) $(chroot_worker) + $(go-validatechroot) \ + --rpm-dir="$(toolchain_rpms_dir)" \ + --tmp-dir="$(BUILD_DIR)/validatechroot" \ + --worker-chroot="$(chroot_worker)" \ + --worker-manifest="$(worker_chroot_manifest)" \ + --log-file="$(LOGS_DIR)/worker/validate.log" \ + --log-level="$(LOG_LEVEL)" + ######## MACRO TOOLS ######## macro_rpmrc = $(RPMRC_DIR)/rpmrc diff --git a/toolkit/tools/imagegen/configuration/partitiontabletype.go b/toolkit/tools/imagegen/configuration/partitiontabletype.go index e30c276e499..a532a465c7b 100644 --- a/toolkit/tools/imagegen/configuration/partitiontabletype.go +++ b/toolkit/tools/imagegen/configuration/partitiontabletype.go 
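Review bot: In `clean-chroot-tools` the two `rm -rf` lines expand `$(BUILD_DIR)` unquoted, while the `safeunmount.sh` arguments directly above them are quoted. A `BUILD_DIR` containing spaces or glob characters would make the delete act on different paths than the ones just checked for mountpoints. Quote them the same way: `rm -rf "$(BUILD_DIR)/worker" "$(BUILD_DIR)/validatechroot"`. The `@echo Verifying no mountpoints present in $(BUILD_DIR)/worker/` message also still names only the worker directory although validatechroot is now checked as well.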
@@ -22,6 +22,12 @@ const ( PartitionTableTypeNone PartitionTableType = "" ) +var partitionTableTypeToPartedArgument = map[PartitionTableType]string{ + PartitionTableTypeGpt: "gpt", + PartitionTableTypeMbr: "msdos", + PartitionTableTypeNone: "", +} + func (p PartitionTableType) String() string { return fmt.Sprintf(string(p)) } @@ -46,6 +52,16 @@ func (p *PartitionTableType) IsValid() (err error) { return fmt.Errorf("invalid value for PartitionTableType (%s)", p) } +// ConvertToPartedArgument returns the parted argument corresponding to the +// partition table type +func (p *PartitionTableType) ConvertToPartedArgument() (partedArgument string, err error) { + if err = p.IsValid(); err != nil { + return + } + partedArgument = partitionTableTypeToPartedArgument[*p] + return +} + // UnmarshalJSON Unmarshals a PartitionTableType entry func (p *PartitionTableType) UnmarshalJSON(b []byte) (err error) { // Use an intermediate type which will use the default JSON unmarshal implementation diff --git a/toolkit/tools/imagegen/configuration/partitiontabletype_test.go b/toolkit/tools/imagegen/configuration/partitiontabletype_test.go index cfbeb29a92e..ea7af515cc9 100644 --- a/toolkit/tools/imagegen/configuration/partitiontabletype_test.go +++ b/toolkit/tools/imagegen/configuration/partitiontabletype_test.go @@ -17,9 +17,14 @@ var ( PartitionTableType("mbr"), PartitionTableType(""), } - invalidPartitionTableType = PartitionTableType("not_a_partition_type") - validPartitionTableTypeJSON = `"gpt"` - invalidPartitionTableTypeJSON = `1234` + invalidPartitionTableType = PartitionTableType("not_a_partition_type") + validPartitionTableTypeJSON = `"gpt"` + invalidPartitionTableTypeJSON = `1234` + validPartitionTableTypesToPartedArguments = map[PartitionTableType]string{ + PartitionTableType("gpt"): "gpt", + PartitionTableType("mbr"): "msdos", + PartitionTableType(""): "", + } ) func TestShouldSucceedValidPartitionsMatch_PartitionTableType(t *testing.T) { 
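Review bot: `ConvertToPartedArgument` reads `partitionTableTypeToPartedArgument[*p]` without the comma-ok form, so a type that `IsValid` accepts but that is missing from the map silently yields the empty string, the same value as `PartitionTableTypeNone`. The list of valid types (outside this hunk) and the new map are separate tables, so they can drift apart when a type is added. I would make the lookup explicit with `partedArgument, ok := partitionTableTypeToPartedArgument[*p]` followed by `if !ok { err = fmt.Errorf("no parted argument for PartitionTableType (%s)", *p) }`. The map would also benefit from a one-line comment saying that the values are the label names accepted by `parted mklabel`.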
@@ -75,3 +80,20 @@ func TestShouldFailParsingInvalidJSON_PartitionTableType(t *testing.T) { assert.Error(t, err) assert.Equal(t, "failed to parse [PartitionTableType]: json: cannot unmarshal number into Go value of type configuration.IntermediateTypePartitionTableType", err.Error()) } + +func TestShouldSucceedConvertToPartedArgument_PartitionTableType(t *testing.T) { + var ptt PartitionTableType + assert.Equal(t, len(validPartitionTableTypes), len(ptt.GetValidPartitionTableTypes())) + + for _, partitionType := range validPartitionTableTypes { + partedArgument, err := partitionType.ConvertToPartedArgument() + assert.NoError(t, err) + assert.Equal(t, partedArgument, validPartitionTableTypesToPartedArguments[partitionType]) + } +} + +func TestShouldFailConvertToPartedArgument_PartitionTableType(t *testing.T) { + _, err := invalidPartitionTableType.ConvertToPartedArgument() + assert.Error(t, err) + assert.Equal(t, "invalid value for PartitionTableType (not_a_partition_type)", err.Error()) +} diff --git a/toolkit/tools/imagegen/diskutils/diskutils.go b/toolkit/tools/imagegen/diskutils/diskutils.go index ec79450eb9d..0e797aa6d4c 100644 --- a/toolkit/tools/imagegen/diskutils/diskutils.go +++ b/toolkit/tools/imagegen/diskutils/diskutils.go 
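Review bot: In `TestShouldSucceedConvertToPartedArgument_PartitionTableType` the arguments to `assert.Equal` are passed as actual then expected, but testify's signature is `(t, expected, actual)`, so a failure would print the two values under the wrong labels. Swap them: `assert.Equal(t, validPartitionTableTypesToPartedArguments[partitionType], partedArgument)`. The same test's first assertion, `assert.Equal(t, len(validPartitionTableTypes), len(ptt.GetValidPartitionTableTypes()))`, already uses the expected-first order.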
@@ -244,7 +244,13 @@ func CreatePartitions(diskDevPath string, disk configuration.Disk, rootEncryptio // Create new partition table partitionTableType := disk.PartitionTableType - _, stderr, err = shell.Execute("parted", diskDevPath, "--script", "mklabel", partitionTableType.String()) + logger.Log.Debugf("Converting partition table type (%v) to parted argument", partitionTableType) + partedArgument, err := partitionTableType.ConvertToPartedArgument() + if err != nil { + logger.Log.Errorf("Unable to convert partition table type (%v) to parted argument", partitionTableType) + return + } + _, stderr, err = shell.Execute("parted", diskDevPath, "--script", "mklabel", partedArgument) if err != nil { logger.Log.Warnf("Failed to set partition table type using parted: %v", stderr) return diff --git a/toolkit/tools/imagegen/installutils/installutils.go b/toolkit/tools/imagegen/installutils/installutils.go index de50102a6d5..ed1b32ac4b5 100644 --- a/toolkit/tools/imagegen/installutils/installutils.go +++ b/toolkit/tools/imagegen/installutils/installutils.go @@ -1079,7 +1079,7 @@ func tdnfInstall(packageName, installRoot string, currentPackagesInstalled, tota ReportPercentComplete(progress) } - err = shell.ExecuteLiveWithCallback(onStdout, logger.Log.Warn, "tdnf", "install", packageName, "--installroot", installRoot, "--nogpgcheck", "--assumeyes") + err = shell.ExecuteLiveWithCallback(onStdout, logger.Log.Warn, true, "tdnf", "install", packageName, "--installroot", installRoot, "--nogpgcheck", "--assumeyes") if err != nil { logger.Log.Warnf("Failed to tdnf install: %v. Package name: %v", err, packageName) } 
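Review bot: `PartitionTableTypeNone` converts to the empty string without an error, so for a disk with no table type this code still runs `parted` with `mklabel ""` and relies on parted to reject it. The earlier body of `CreatePartitions` is outside the hunk, so I cannot tell whether that type can reach this point; if it can, a guard before the call gives a clearer failure, e.g. `if partedArgument == "" { err = fmt.Errorf("no partition table type set for %s", diskDevPath); return }`. The new `Errorf` line also leaves out `err` itself; end the format string with `: %v` and pass `err` so the reason reaches the log.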
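Review bot: The rewritten `tdnf install` call still passes `--nogpgcheck`, so packages are installed into `installRoot` without signature verification. That is presumably acceptable only because the repositories in use at this point are built or cloned locally by the toolkit. If so, a comment on the call stating which repos are in scope and why verification is skipped would keep the flag from being copied to a path that pulls from a remote repo. `tdnfInstall` starts and ends outside the hunk, so the repo configuration is not visible here.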
@@ -1562,7 +1562,7 @@ func KernelPackages(config configuration.Config) []*pkgjson.PackageVer { // To be able to cleanly exit the setup chroot, we must stop it. func stopGPGAgent(installChroot *safechroot.Chroot) { installChroot.UnsafeRun(func() error { - err := shell.ExecuteLiveWithCallback(logger.Log.Debug, logger.Log.Warn, "gpgconf", "--kill", "gpg-agent") + err := shell.ExecuteLiveWithCallback(logger.Log.Debug, logger.Log.Warn, false, "gpgconf", "--kill", "gpg-agent") if err != nil { // This is non-fatal, as there is no guarentee the image has gpg agent started. logger.Log.Warnf("Failed to stop gpg-agent. This is expected if it is not installed: %s", err) diff --git a/toolkit/tools/internal/logger/log.go b/toolkit/tools/internal/logger/log.go index 2b376906fca..1dfbeee128c 100644 --- a/toolkit/tools/internal/logger/log.go +++ b/toolkit/tools/internal/logger/log.go @@ -133,9 +133,21 @@ func WarningOnError(err interface{}, args ...interface{}) { } // StreamOutput calls the provided logFunction on every line from the provided pipe -func StreamOutput(pipe io.Reader, logFunction func(...interface{}), wg *sync.WaitGroup) { +func StreamOutput(pipe io.Reader, logFunction func(...interface{}), wg *sync.WaitGroup, outputChan chan string) { for scanner := bufio.NewScanner(pipe); scanner.Scan(); { - logFunction(scanner.Text()) + line := scanner.Text() + logFunction(line) + + Log.Tracef("StreamOutput:\t'%s'", line) + + // Optionally buffer the output to print in the event of an error + if outputChan != nil { + select { + case outputChan <- line: + default: + // In the event the buffer is full, drop the line + } + } } wg.Done() diff --git a/toolkit/tools/internal/packagerepo/repocloner/rpmrepocloner/rpmrepocloner.go b/toolkit/tools/internal/packagerepo/repocloner/rpmrepocloner/rpmrepocloner.go index 20771acc358..d0e313a1d57 100644 --- a/toolkit/tools/internal/packagerepo/repocloner/rpmrepocloner/rpmrepocloner.go 
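Review bot: When outputChan is full, the `default:` branch in StreamOutput drops the line that was just read, so the buffer keeps the first lines of output and loses the newest ones, which on a failing command are usually the ones that explain the failure. That contradicts the new doc comment on shell.ExecuteLiveWithCallback ("the oldest buffered output is discarded") and the "last %d lines of output" message it logs. Either reword both to say that the first lines are kept, or discard one buffered line before retrying the send, as sketched below; with two producer goroutines the retry can still lose a line, so it stays non-blocking. StreamOutput also never checks `scanner.Err()`, so a scan that stops early, for example on an over-long line, goes unreported.

```go
		if outputChan != nil {
			select {
			case outputChan <- line:
			default:
				// Buffer full: discard the oldest line, then retry once without blocking.
				select {
				case <-outputChan:
				default:
				}
				select {
				case outputChan <- line:
				default:
				}
			}
		}
```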
+++ b/toolkit/tools/internal/packagerepo/repocloner/rpmrepocloner/rpmrepocloner.go @@ -412,7 +412,7 @@ func (r *RpmRepoCloner) ClonedRepoContents() (repoContents *repocloner.RepoConte "--disablerepo=*", fmt.Sprintf("--enablerepo=%s", checkedRepoID), } - return shell.ExecuteLiveWithCallback(onStdout, logger.Log.Warn, "tdnf", tdnfArgs...) + return shell.ExecuteLiveWithCallback(onStdout, logger.Log.Warn, true, "tdnf", tdnfArgs...) }) return diff --git a/toolkit/tools/internal/shell/shell.go b/toolkit/tools/internal/shell/shell.go index 31de21eac72..9142ffd2596 100644 --- a/toolkit/tools/internal/shell/shell.go +++ b/toolkit/tools/internal/shell/shell.go @@ -130,11 +130,16 @@ func ExecuteLive(squashErrors bool, program string, args ...string) (err error) onStderr = logger.Log.Warn } - return ExecuteLiveWithCallback(onStdout, onStderr, program, args...) + return ExecuteLiveWithCallback(onStdout, onStderr, false, program, args...) } -// ExecuteLiveWithCallback runs a command in the shell and invokes the provided callbacks it in real-time on stdout and stderr. -func ExecuteLiveWithCallback(onStdout, onStderr func(...interface{}), program string, args ...string) (err error) { +// ExecuteLiveWithCallback runs a command in the shell and invokes the provided callbacks in real-time on each line of stdout and stderr. +// If printOutputOnError is true, the full output of the command will be printed after completion if the command returns an error. In the event +// the buffer becomes full the oldest buffered output is discarded. +func ExecuteLiveWithCallback(onStdout, onStderr func(...interface{}), printOutputOnError bool, program string, args ...string) (err error) { + var outputChan chan string + const outputChanBufferSize = 1500 + cmd := exec.Command(program, args...) stdoutPipe, err := cmd.StdoutPipe() 
@@ -161,12 +166,27 @@ func ExecuteLiveWithCallback(onStdout, onStderr func(...interface{}), program st wg := new(sync.WaitGroup) wg.Add(2) - go logger.StreamOutput(stdoutPipe, onStdout, wg) - go logger.StreamOutput(stderrPipe, onStderr, wg) + if printOutputOnError { + outputChan = make(chan string, outputChanBufferSize) + } + go logger.StreamOutput(stdoutPipe, onStdout, wg, outputChan) + go logger.StreamOutput(stderrPipe, onStderr, wg, outputChan) wg.Wait() + err = cmd.Wait() + + // Optionally dump the output in the event of an error + if outputChan != nil { + close(outputChan) + } + if err != nil && printOutputOnError { + logger.Log.Errorf("Call to %s returned error, last %d lines of output:", cmd.Args, outputChanBufferSize) + for line := range outputChan { + logger.Log.Warn(line) + } + } - return cmd.Wait() + return } // MustExecuteLive executes the shell command. diff --git a/toolkit/tools/isomaker/maker.go b/toolkit/tools/isomaker/maker.go index 60da7f30a7d..69be75e6536 100644 --- a/toolkit/tools/isomaker/maker.go +++ b/toolkit/tools/isomaker/maker.go @@ -23,6 +23,7 @@ import ( const ( efiBootImgPathRelativeToIsoRoot = "boot/grub2/efiboot.img" + initrdEFIBootDirectoryPath = "boot/efi/EFI/BOOT" isoRootArchDependentDirPath = "assets/isomaker/iso_root_arch-dependent_files" ) @@ -131,10 +132,8 @@ func (im *IsoMaker) copyInitrd() { // which is booted in case of an UEFI boot of the ISO image. func (im *IsoMaker) setUpIsoGrub2Bootloader() { const ( - blockSizeInBytes = 1024 * 1024 - numberOfBlocksToCopy = 3 - bootx64BootloaderFile = "boot/efi/EFI/BOOT/bootx64.efi" - grubx64BootloaderFile = "boot/efi/EFI/BOOT/grubx64.efi" + blockSizeInBytes = 1024 * 1024 + numberOfBlocksToCopy = 3 ) logger.Log.Info("Preparing ISO's bootloaders.") 
@@ -175,36 +174,49 @@ func (im *IsoMaker) setUpIsoGrub2Bootloader() { }() logger.Log.Debug("Copying EFI modules into efiboot.img.") - // Copy Shim (bootx64.efi) and grub2 (grubx64.efi) + // Copy Shim (boot64.efi) and grub2 (grub64.efi) + if runtime.GOARCH == "arm64" { + im.copyShimFromInitrd(efiBootImgTempMountDir, "bootaa64.efi", "grubaa64.efi") + } else { + im.copyShimFromInitrd(efiBootImgTempMountDir, "bootx64.efi", "grubx64.efi") + } +} + +func (im *IsoMaker) copyShimFromInitrd(efiBootImgTempMountDir, bootBootloaderFile, grubBootloaderFile string) { bootDirPath := filepath.Join(efiBootImgTempMountDir, "EFI", "BOOT") - bootx64EfiFilePath := filepath.Join(bootDirPath, "bootx64.efi") - im.extractFromInitrdAndCopy(bootx64BootloaderFile, bootx64EfiFilePath) - grubx64EfiFilePath := filepath.Join(bootDirPath, "grubx64.efi") - im.extractFromInitrdAndCopy(grubx64BootloaderFile, grubx64EfiFilePath) - im.applyRufusWorkaround() + initrdBootBootloaderFilePath := filepath.Join(initrdEFIBootDirectoryPath, bootBootloaderFile) + buildDirBootEFIFilePath := filepath.Join(bootDirPath, bootBootloaderFile) + im.extractFromInitrdAndCopy(initrdBootBootloaderFilePath, buildDirBootEFIFilePath) + + initrdGrubBootloaderFilePath := filepath.Join(initrdEFIBootDirectoryPath, grubBootloaderFile) + buildDirGrubEFIFilePath := filepath.Join(bootDirPath, grubBootloaderFile) + im.extractFromInitrdAndCopy(initrdGrubBootloaderFilePath, buildDirGrubEFIFilePath) + + im.applyRufusWorkaround(bootBootloaderFile, grubBootloaderFile) } -// Rufus ISO-to-USB converter has a limitation where it will only copy the bootx64.efi binary from a given efi*.img +// Rufus ISO-to-USB converter has a limitation where it will only copy the boot64.efi binary from a given efi*.img // archive into the standard UEFI EFI/BOOT folder instead of extracting the whole archive as per the El Torito ISO // specification. // // Most distros (including ours) use a 2 stage bootloader flow (shim->grub->kernel). 
Since the Rufus limitation only -// copies the 1st stage to EFI/BOOT/bootx64.efi, it cannot find the 2nd stage bootloader (grubx64.efi) which should -// be in the same directory: EFI/BOOT/grubx64.efi. This causes the USB installation to fail to boot. +// copies the 1st stage to EFI/BOOT/boot64.efi, it cannot find the 2nd stage bootloader (grub64.efi) which should +// be in the same directory: EFI/BOOT/grub64.efi. This causes the USB installation to fail to boot. // // Rufus prioritizes the presence of an EFI folder on the ISO disk over extraction of the efi*.img archive. // So to workaround the limitation, create an EFI folder and make a duplicate copy of the bootloader files // in EFI/Boot so Rufus doesn't attempt to extract the efi*.img in the first place. -func (im *IsoMaker) applyRufusWorkaround() { - const ( - bootx64BootloaderFile = "boot/efi/EFI/BOOT/bootx64.efi" - grubx64BootloaderFile = "boot/efi/EFI/BOOT/grubx64.efi" - ) - bootx64EfiUsbFilePath := filepath.Join(im.buildDirPath, "efi/boot/bootx64.efi") - im.extractFromInitrdAndCopy(bootx64BootloaderFile, bootx64EfiUsbFilePath) - grubx64EfiUsbFilePath := filepath.Join(im.buildDirPath, "efi/boot/grubx64.efi") - im.extractFromInitrdAndCopy(grubx64BootloaderFile, grubx64EfiUsbFilePath) +func (im *IsoMaker) applyRufusWorkaround(bootBootloaderFile, grubBootloaderFile string) { + const buildDirBootEFIDirectoryPath = "efi/boot" + + initrdBootloaderFilePath := filepath.Join(initrdEFIBootDirectoryPath, bootBootloaderFile) + buildDirBootEFIUsbFilePath := filepath.Join(im.buildDirPath, buildDirBootEFIDirectoryPath, bootBootloaderFile) + im.extractFromInitrdAndCopy(initrdBootloaderFilePath, buildDirBootEFIUsbFilePath) + + initrdGrubEFIFilePath := filepath.Join(initrdEFIBootDirectoryPath, grubBootloaderFile) + buildDirGrubEFIUsbFilePath := filepath.Join(im.buildDirPath, buildDirBootEFIDirectoryPath, grubBootloaderFile) + im.extractFromInitrdAndCopy(initrdGrubEFIFilePath, buildDirGrubEFIUsbFilePath) } // 
createVmlinuzImage builds the 'vmlinuz' file containing the Linux kernel diff --git a/toolkit/tools/liveinstaller/liveinstaller.go b/toolkit/tools/liveinstaller/liveinstaller.go index 6531519c37b..d24e757606a 100644 --- a/toolkit/tools/liveinstaller/liveinstaller.go +++ b/toolkit/tools/liveinstaller/liveinstaller.go @@ -359,7 +359,7 @@ func terminalAttendedInstall(cfg configuration.Config, progress chan int, status args.emitProgress = true program, commandArgs := formatImagerCommand(args) - err = shell.ExecuteLiveWithCallback(onStdout, logger.Log.Warn, program, commandArgs...) + err = shell.ExecuteLiveWithCallback(onStdout, logger.Log.Warn, false, program, commandArgs...) return } diff --git a/toolkit/tools/pkgworker/pkgworker.go b/toolkit/tools/pkgworker/pkgworker.go index ad028e3ca9e..5e45d833bae 100644 --- a/toolkit/tools/pkgworker/pkgworker.go +++ b/toolkit/tools/pkgworker/pkgworker.go @@ -135,7 +135,7 @@ func buildSRPMInChroot(chrootDir, rpmDirPath, workerTar, srpmFile, repoFile, rpm defer chroot.Close(noCleanup) // Place extra files that will be needed to build into the chroot - srpmFileInChroot, err := copyFilesIntoChroot(chroot, srpmFile, repoFile, rpmmacrosFile) + srpmFileInChroot, err := copyFilesIntoChroot(chroot, srpmFile, repoFile, rpmmacrosFile, runCheck) if err != nil { return } @@ -175,7 +175,7 @@ func buildRPMFromSRPMInChroot(srpmFile string, runCheck bool, defines map[string } // Query and install the build requirements for this SRPM - err = installBuildRequires(defines) + err = installBuildRequires(defines, runCheck) if err != nil { return } 
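Review bot: The bootloader file names in setUpIsoGrub2Bootloader are selected with `runtime.GOARCH`, which is the architecture the isomaker binary was compiled for rather than the architecture of the initrd it reads from. If ISOs are only ever built natively that is fine, but it should be stated above the branch, e.g. `// ISO and build host share an architecture, so GOARCH picks the EFI file names`, because on a mismatch extractFromInitrdAndCopy would presumably look for files the initrd does not contain. The new copyShimFromInitrd has no doc comment and its name does not reveal that it ends by calling applyRufusWorkaround; `// copyShimFromInitrd copies the shim and grub2 EFI binaries into efiboot.img and then applies the Rufus workaround.` would cover it. The reworded comments now say `boot64.efi` and `grub64.efi`, names that match neither architecture's files.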
@@ -236,10 +236,11 @@ func moveBuiltRPMs(rpmOutDir, dstDir string) (builtRPMs []string, err error) { return } -func installBuildRequires(defines map[string]string) (err error) { +func installBuildRequires(defines map[string]string, runCheck bool) (err error) { // Query the BuildRequires fields from this spec and turn them into an array of PackageVersions const ( emptyQueryFormat = "" + caCertificatesPackage = "ca-certificates" unresolvedOutputPrefix = "No package" unresolvedOutputPostfix = "available" alreadyInstalledPostfix = "is already installed." @@ -264,7 +265,12 @@ func installBuildRequires(defines map[string]string) (err error) { return } - if len(buildRequires) > 0 { + if runCheck || len(buildRequires) > 0 { + var ( + stderr string + stdout string + ) + defaultArgs := []string{"install", "-y"} installArgs := make([]string, 0, len(buildRequires)+len(defaultArgs)) @@ -282,10 +288,11 @@ func installBuildRequires(defines map[string]string) (err error) { installArgs = append(installArgs, strings.TrimSpace(buildReq)) } - var ( - stderr string - stdout string - ) + if runCheck { + logger.Log.Warn("Adding the 'ca-certificates' package - needed for package tests (make argument 'RUN_CHECK' set to 'y').") + + installArgs = append(installArgs, caCertificatesPackage) + } stdout, stderr, err = shell.Execute("tdnf", installArgs...) if err != nil { @@ -356,10 +363,11 @@ func removeLibArchivesFromSystem() (err error) { } // copyFilesIntoChroot copies several required build specific files into the chroot. -func copyFilesIntoChroot(chroot *safechroot.Chroot, srpmFile, repoFile, rpmmacrosFile string) (srpmFileInChroot string, err error) { +func copyFilesIntoChroot(chroot *safechroot.Chroot, srpmFile, repoFile, rpmmacrosFile string, runCheck bool) (srpmFileInChroot string, err error) { const ( chrootRepoDestDir = "/etc/yum.repos.d" chrootSrpmDestDir = "/root/SRPMS" + resolvFilePath = "/etc/resolv.conf" rpmmacrosDest = "/usr/lib/rpm/macros.d/macros.override" ) 
@@ -385,6 +393,16 @@ func copyFilesIntoChroot(chroot *safechroot.Chroot, srpmFile, repoFile, rpmmacro filesToCopy = append(filesToCopy, rpmmacrosCopy) } + if runCheck { + logger.Log.Warn("Enabling network access because we're running package tests (make argument 'RUN_CHECK' set to 'y').") + + resolvFileCopy := safechroot.FileToCopy{ + Src: resolvFilePath, + Dest: resolvFilePath, + } + filesToCopy = append(filesToCopy, resolvFileCopy) + } + err = chroot.AddFiles(filesToCopy...) return } diff --git a/toolkit/tools/roast/formats/ova.go b/toolkit/tools/roast/formats/ova.go index cc5739cb0a9..4e1aa62c331 100644 --- a/toolkit/tools/roast/formats/ova.go +++ b/toolkit/tools/roast/formats/ova.go @@ -110,14 +110,14 @@ func (o *Ova) Convert(input, output string, isInputFile bool) (err error) { logger.Log.Infof(`Converting "%s" to "%s"`, input, vmdkFilePath) - err = shell.ExecuteLiveWithCallback(logger.Log.Info, logger.Log.Warn, "qemu-img", "convert", "-f", "raw", input, "-O", "vmdk", vmdkFilePath) + err = shell.ExecuteLiveWithCallback(logger.Log.Info, logger.Log.Warn, false, "qemu-img", "convert", "-f", "raw", input, "-O", "vmdk", vmdkFilePath) if err != nil { return err } // This step produces the disk1 vmdk and .mf files generated by ovftool from vmx template logger.Log.Debugf(`Expanding template "%s" to "%s"`, vmxFilePath, ovfFilePath) - err = shell.ExecuteLiveWithCallback(logger.Log.Info, logger.Log.Warn, "ovftool", vmxFilePath, ovfFilePath) + err = shell.ExecuteLiveWithCallback(logger.Log.Info, logger.Log.Warn, false, "ovftool", vmxFilePath, ovfFilePath) if err != nil { return } 
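Review bot: resolv.conf is appended to the chroot's file list in copyFilesIntoChroot before the build starts, so with RUN_CHECK=y name resolution is available to every stage of the package build, not only to the tests the log message mentions. That widens what a spec can fetch while building and makes the resulting RPMs depend on network state at build time. If the trade-off is intended, record it next to the block, for example `// resolv.conf is present for the whole build, not just %check; RUN_CHECK builds are not hermetic.` The host's /etc/resolv.conf is also added without checking that it exists, so a host without one would presumably fail in chroot.AddFiles. The function starts outside this hunk.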
@@ -157,7 +157,7 @@ func (o *Ova) Convert(input, output string, isInputFile bool) (err error) { vmdkDisk1FileName := strings.TrimSuffix(vmdkBase, filepath.Ext(vmdkBase)) + "-disk1.vmdk" vmdkDisk1FilePath := filepath.Join(filepath.Dir(vmdkFilePath), vmdkDisk1FileName) - err = shell.ExecuteLiveWithCallback(logger.Log.Info, logger.Log.Warn, "openssl", "sha1", "-out", mfFilePath, vmdkDisk1FilePath, ovfFilePath) + err = shell.ExecuteLiveWithCallback(logger.Log.Info, logger.Log.Warn, false, "openssl", "sha1", "-out", mfFilePath, vmdkDisk1FilePath, ovfFilePath) if err != nil { return } @@ -178,7 +178,7 @@ func (o *Ova) Convert(input, output string, isInputFile bool) (err error) { os.Chdir(artifactsFolder) // OVA is just a tar archive with .ovf, .mf and other artifacts (disk) - err = shell.ExecuteLiveWithCallback(logger.Log.Info, logger.Log.Warn, "tar", "-cf", output, "--format=ustar", ovfFileBase, mfFileBase, vmdkDisk1FileBase) + err = shell.ExecuteLiveWithCallback(logger.Log.Info, logger.Log.Warn, false, "tar", "-cf", output, "--format=ustar", ovfFileBase, mfFileBase, vmdkDisk1FileBase) logger.Log.Debugf("Changing directory back to %s after running tar for OVA generation.", currentPwd) os.Chdir(currentPwd) diff --git a/toolkit/tools/validatechroot/validatechroot.go b/toolkit/tools/validatechroot/validatechroot.go new file mode 100644 index 00000000000..bc720b8776d --- /dev/null +++ b/toolkit/tools/validatechroot/validatechroot.go 
@@ -0,0 +1,131 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT License. + +package main + +import ( + "fmt" + "os" + "path" + "path/filepath" + "regexp" + + "gopkg.in/alecthomas/kingpin.v2" + "microsoft.com/pkggen/internal/exe" + "microsoft.com/pkggen/internal/file" + "microsoft.com/pkggen/internal/logger" + "microsoft.com/pkggen/internal/safechroot" + "microsoft.com/pkggen/internal/shell" +) + +const ( + leaveChrootFilesOnDisk = false +) + +var ( + app = kingpin.New("validatechroot", "A tool to validate that the worker chroot is well configured and all dependencies are satisfied.") + + toolchainRpmsDir = app.Flag("rpm-dir", "Directory that contains already built toolchain RPMs. Should contain top level directories for architecture.").Required().ExistingDir() + tmpDir = app.Flag("tmp-dir", "Temporary chroot directory.").String() + + workerTar = app.Flag("worker-chroot", "Full path to worker_chroot.tar.gz").Required().ExistingFile() + workerManifest = app.Flag("worker-manifest", "Full path to the worker manifest file").Required().ExistingFile() + + logFile = exe.LogFileFlag(app) + logLevel = exe.LogLevelFlag(app) +) + +func main() { + app.Version(exe.ToolkitVersion) + kingpin.MustParse(app.Parse(os.Args[1:])) + logger.InitBestEffort(*logFile, *logLevel) + + err := validateWorker(*toolchainRpmsDir, *tmpDir, *workerTar, *workerManifest) + + if err != nil { + logger.Log.Fatalf("Failed to validate worker. 
Error: %s", err) + } +} + +func validateWorker(rpmsDir, chrootDir, workerTarPath, manifestPath string) (err error) { + const ( + chrootToolchainRpmsDir = "/toolchainrpms" + isExistingDir = false + ) + + var ( + chroot *safechroot.Chroot + // Every valid line will be of the form: -..rpm + packageArchLookupRegex = regexp.MustCompile(`^.+(?Px86_64|aarch64|noarch)\.rpm$`) + ) + + // Ensure that if initialization fails, the chroot is closed + defer func() { + if chroot != nil { + closeErr := chroot.Close(leaveChrootFilesOnDisk) + if closeErr != nil { + logger.Log.Panicf("Unable to close chroot on failed initialization. Error: %s", closeErr) + } + } + }() + + logger.Log.Infof("Creating chroot environment to validate '%s' against '%s'", workerTarPath, manifestPath) + + chroot = safechroot.NewChroot(chrootDir, isExistingDir) + rpmMount := safechroot.NewMountPoint(rpmsDir, chrootToolchainRpmsDir, "", safechroot.BindMountPointFlags, "") + extraDirectories := []string{chrootToolchainRpmsDir} + rpmMounts := []*safechroot.MountPoint{rpmMount} + err = chroot.Initialize(workerTarPath, extraDirectories, rpmMounts) + if err != nil { + chroot = nil + return + } + + manifestEntries, err := file.ReadLines(manifestPath) + if err != nil { + return + } + badEntries := make(map[string]string) + + err = chroot.Run(func() (err error) { + for _, rpm := range manifestEntries { + archMatches := packageArchLookupRegex.FindStringSubmatch(rpm) + if len(archMatches) != 2 { + logger.Log.Errorf("%v", archMatches) + return fmt.Errorf("'%s' is an invalid rpm file path", rpm) + } + arch := archMatches[1] + rpmPath := path.Join(chrootToolchainRpmsDir, arch, rpm) + + // --replacepkgs instructs RPM to gracefully re-install a package, including checking dependencies + args := []string{ + "-ihv", + "--replacepkgs", + "--nosignature", + rpmPath, + } + logger.Log.Infof("Validating %s", filepath.Base(rpmPath)) + stdout, stderr, err := shell.Execute("rpm", args...) 
+ + logger.Log.Debug(stdout) + + if err != nil || len(stderr) > 0 { + logger.Log.Warn(stderr) + if len(stderr) > 0 { + badEntries[rpm] = stderr + } else { + badEntries[rpm] = err.Error() + } + } + } + return + }) + + if len(badEntries) > 0 { + for rpm, errMsg := range badEntries { + logger.Log.Errorf("%s:\n %s", rpm, errMsg) + } + err = fmt.Errorf("found invalid packages in the worker chroot") + } + return +}
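Review bot: Each manifest line in validateWorker is joined into `rpmPath` without checking that it is a plain file name. As far as the pattern shows, only the suffix is constrained, so an entry containing `/` or `..` would make rpm install a file from outside `/toolchainrpms/<arch>`. A guard before the join, e.g. `if rpm != path.Base(rpm) { return fmt.Errorf("'%s' must be a file name, not a path", rpm) }`, keeps the tool to the mounted directory. The `--nosignature` argument deserves a why-comment, since it turns off signature verification for every package the validation installs. The comment on the deferred close says the chroot is closed if initialization fails, but that path sets `chroot = nil`, so the defer only runs the close on the later paths.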