Update for 2017.02.10

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

CHANGES

@@ -1,3 +1,174 @@
+2017.02.10, Released January 31st, 2018
+
+	Important / security related fixes.
+
+	nconfig: Fix for ncurses/ncursesw linking issue causing crashes.
+
+	System: Only show getty options when busybox init or sysvinit
+	are used.
+
+	Infrastructure: Fix build issue for autotools based packages
+	checking for C++ support on toolchains without C++ support and
+	on a distro lacking /lib/cpp (E.G. Arch Linux).
+
+	Updated/fixed packages: avahi, berkeleydb, bind, busybox,
+	ccache, clamav, coreutils, dovecot, eeprog, eudev, fis,
+	intel-microcode, iputils, irssi, kmsxx, liberation, libiio,
+	lz4, mariadb, matchbox-lib, mcookie, openocd, php, pound,
+	rpcbind, squid, tar, ti-cgt-pru, transmission, util-linux,
+	webkitgtk, wireshark, xen
+
+	Issues resolved (http://bugs.buildroot.org):
+
+	#9996: lz4 package does not install lz4 binaries in target
+	#10176: Rsyslog's S01logging is deleted by Busybox.mk from...
+	#10216: package/x11r7/mcookie/mcookie.c:207: bad size ?
+	#10301: systemd/getty unused options
+	#10331: kmsxx, host installation fails with BR2_SHARED_...
+	#10536: Finding non-relative paths in the ccache
+	#10641: avahi-autoipd not starting when using systemd-tmpfiles
+
+2017.02.9, Released January 1st, 2018
+
+	Important / security related fixes.
+
+	Fix divide by zero issue in size-stats script.
+
+	Fix makefile include ordering issue with certain make versions
+	in the external toolchain handling.
+
+	Updated/fixed packages: dhcp, exim, flann, gdb, heimdal,
+	libcue, libcurl, libevent, libpqxx, libsoxr, linphone, lldpd,
+	mariadb, mfgtools, mtools, nodejs, nut, openssl, rsync,
+	samba4, tor, vlc, webkitgtk, wireshark, xfsprogs,
+	xlib_libXcursor, xlib_libXfont, xlib_libXfont2
+
+2017.02.8, Released November 27th, 2017
+
+	Important / security related fixes.
+
+	Qt: 5.6 version updated to 5.6.3.
+
+	Reproducible: Do not override SOURCE_DATE_EPOCH if already set
+	in the environment.
+
+	Updated/fixed packages: apr, apr-util, arqp-standalone,
+	collectd, dvb-apps, ffmpeg, google-breakpad, gstreamer,
+	imagemagick, libfastjson, libglib2, libpjsip, libplist,
+	localedef, luajit, mesa3d, openssh, openssl, postgresql,
+	python3, python-pyqt5, qt5base, qt5canvas3d, qt5connectivity,
+	qt5declarative, qt5engineio, qt5graphicaleffects,
+	qt5imageformats, qt5location, qt5multimedia, qt5quickcontrols,
+	qt5quickcontrols2, qt5script, qt5sensors, qt5serialbus,
+	qt5serialport, qt5svg, qt5tools, qt5webchannel, qt5webkit,
+	qt5websockets, qt5x11extras, qt5xmlpatterns, quagga, ruby,
+	samba4, snmppp, ti-gfx, vboot-utils, webkitgtk, wireshark,
+	xapp_xdriinfo.
+
+	Issues resolved (http://bugs.buildroot.org):
+
+	10326: mesa3d package fails to build when BR2_SHARED_STATIC_LIBS=y
+	10361: python3 python-config script generates invalid includes
+	10501: host-localedef fails to compile on Ubuntu 17.10
+
+2017.02.7, Released October 28th, 2017
+
+	Important / security related fixes.
+
+	Webkitgtk bumped to the 2.18.x series, fixing a large number
+	of security issues.
+
+	Defconfigs: wandboard: Correct rootfs offset
+
+	Toolchain: Linaro toolchains updated to 2017.08 release,
+	fixing a number of issues. Musl: fix for CVE-2017-15650.
+
+	Updated/fixed packages: busybox, bzip2, dnsmasq, git, go,
+	hostapd, irssi, iucode-tool, lame, libcurl, libffi, libnspr,
+	libnss, nodejs, openssh, openvpn, qemu, qt, redis, sdl2,
+	webkitgtk, wget, wpa_supplicant, xen, xlib_libXfont,
+	xlib_libXfont2, xserver_xorg-server
+
+2017.02.6, Released September 24th, 2017
+
+	Important / security related fixes.
+
+	Cmake: Ensure correct pkg-config is used when building host
+	packages
+
+	fs/iso9660: Ensure files from earlier builds are not included.
+
+	Updated/fixed packages: apache, bcusdk, bind, binutils,
+	bluez5_utils, botan, cmake, connman, dbus, dialog, e2fsprogs,
+	faad2, fakeroot, ffmpeg, file, flashrom, gcc, gd, gdb,
+	gdk-pixbuf, git, gnupg, gpsd, grub2, gst1-plugins-bad,
+	imagemagick, iostat, iucode-tool, jack2, libarchive, libcurl,
+	libgcrypt, libidn, libphidget, librsync, librsvg, libsoup,
+	libxml2, linux-tools, lua, mariadb, mbedtls, mediastreamer,
+	minidlna, netplug, nss-pam-ldapd, nvidia-driver, openjpeg,
+	postgresql, proxychains-ng, python-libconfig,
+	python-service-identity, qt, rpcbind, ruby, samba4, squashfs,
+	squid, strongswan, subversion, supervisor, sysvinit, tcpdump,
+	tor, transmission, unrar, valgrind, vim, webkitgtk, whois,
+	xen, zmqpp
+
+	Issues resolved (http://bugs.buildroot.org):
+
+	#10141: Squashfs extended attribute failures
+	#10261: Grub2 fails to build for x86_64
+	#10276: BR2_PACKAGE_LINUX_TOOLS_GPIO fails for MIPS with...
+
+2017.02.5, Released July 27th, 2017
+
+	Important / security related fixes.
+
+	Webkitgtk bumped to the 2.16.x series, fixing a large number
+	of security issues.
+
+	host-aespipe compile fix for Debian/Gentoo/Ubuntu toolchains
+	which default to PIE mode.
+
+	Updated/fixed packages: aespipe, apache, bind, binutils,
+	ccache, collectd, efibootmgr, efivar, expat, ffmpeg, gcc,
+	heimdal, iproute2, irssi, libglib2, libmemcached, libosip2,
+	libtirpc, libxml-parser-perl, linux-fusion, linux-zigbee,
+	mpg123, nodejs, orc, pcre, php, pulseaudio,
+	python-setproctitle, qt5base, rpi-firmware, samba4, syslinux,
+	systemd, spice, tiff, webkitgtk, x265, xen,
+	xserver_xorg-server, xvisor
+
+	Issues resolved (http://bugs.buildroot.org):
+
+	#10061: gcc5.4 buildroot toolchain for powerpc libsanitizer...
+
+2017.02.4, Released July 4th, 2017
+
+	Important / security related fixes.
+
+	Update support/scripts/scancpan to use METACPAN v1 API as v0
+	has been shutdown.
+
+	Update support/scripts/mkusers to handle setups where
+	/etc/shadow is a symlink.
+
+	External toolchain: Don't create musl dynamic loader symlink
+	for static builds.
+
+	Setlocalversion: Correct detection of mercurial revisions for
+	non-tagged versions.
+
+	Updated/fixed packages: apache, automake, bind, botan, c-ares,
+	dhcp, expat, fcgiwrap, gcc, gdb, gesftpserver, glibc, gnutls,
+	gst1-plugins-bad, imagemagick, imx-uuc, intltool, iperf,
+	ipsec-tools, irssi, libgcrypt, libmad, libnl, mosquitto,
+	mpg123, ncurses, nodejs, ntp, openssh, openvpn, qt5base,
+	qt5multimedia, rtl8821au, socat, spice, systemd, tor, tslib,
+	vlc, x264, xserver_xorg-server
+
+	Issues resolved (http://bugs.buildroot.org):
+
+	#9976: License file for package 'rtl8821au' incorrect
+
 2017.02.3, Released June 2nd, 2017
 
 	Important / security related fixes.

Config.in

@@ -57,6 +57,11 @@ config BR2_HOST_GCC_AT_LEAST_6
 	default y if BR2_HOST_GCC_VERSION = "6"
 	select BR2_HOST_GCC_AT_LEAST_5
 
+config BR2_HOST_GCC_AT_LEAST_7
+	bool
+	default y if BR2_HOST_GCC_VERSION = "7"
+	select BR2_HOST_GCC_AT_LEAST_6
+
 # Hidden boolean selected by packages in need of Java in order to build
 # (example: xbmc)
 config BR2_NEEDS_HOST_JAVA
@@ -462,7 +467,7 @@ choice
 config BR2_OPTIMIZE_0
 	bool "optimization level 0"
 	help
-	  Do not optimize. This is the default.
+	  Do not optimize.
 
 config BR2_OPTIMIZE_1
 	bool "optimization level 1"
@@ -529,6 +534,7 @@ config BR2_OPTIMIZE_S
 	  -falign-loops -falign-labels -freorder-blocks
 	  -freorder-blocks-and-partition -fprefetch-loop-arrays
 	  -ftree-vect-loop-version
+	  This is the default.
 
 endchoice
 

Config.in.legacy

@@ -143,8 +143,42 @@ comment "----------------------------------------------------"
 endif
 
 ###############################################################################
+
 comment "Legacy options removed in 2017.02"
 
+config BR2_PACKAGE_GST1_PLUGINS_BAD_PLUGIN_WEBRTC
+	bool "gst1-plugins-bad webrtc renamed to webrtcdsp"
+	select BR2_PACKAGE_GST1_PLUGINS_BAD_PLUGIN_WEBRTCDSP
+	select BR2_LEGACY
+	help
+	  The WebRTC plugin in GStreamer 1.x has always been named
+	  webrtcdsp, but was wrongly introduced in Buildroot under the
+	  name webrtc. Therefore, we have renamed the option to match
+	  the actual name of the GStreamer plugin.
+
+config BR2_PACKAGE_SPICE_CLIENT
+	bool "spice client support removed"
+	select BR2_LEGACY
+	help
+	  Spice client support has been removed upstream. The
+	  functionality now lives in the spice-gtk widget and
+	  virt-viewer.
+
+config BR2_PACKAGE_SPICE_GUI
+	bool "spice gui support removed"
+	select BR2_LEGACY
+	help
+	  Spice gui support has been removed upstream. The
+	  functionality now lives in the spice-gtk widget and
+	  virt-viewer.
+
+config BR2_PACKAGE_SPICE_TUNNEL
+	bool "spice network redirection removed"
+	select BR2_LEGACY
+	help
+	  Spice network redirection, aka tunnelling has been removed
+	  upstream.
+
 config BR2_PACKAGE_PERL_DB_FILE
 	bool "perl-db-file removed"
 	select BR2_LEGACY

DEVELOPERS

@@ -1624,6 +1624,7 @@ F:	package/libinput/
 F:	package/libiscsi/
 F:	package/libseccomp/
 F:	package/linux-tools/
+F:	package/matchbox*
 F:	package/mesa3d-headers/
 F:	package/mke2img/
 F:	package/nut/

Makefile

@@ -86,9 +86,9 @@ else # umask / $(CURDIR) / $(O)
 all:
 
 # Set and export the version string
-export BR2_VERSION := 2017.02.3
+export BR2_VERSION := 2017.02.10
 # Actual time the release is cut (for reproducible builds)
-BR2_VERSION_EPOCH = 1496390000
+BR2_VERSION_EPOCH = 1517426000
 
 # Save running make version since it's clobbered by the make package
 RUNNING_MAKE_VERSION := $(MAKE_VERSION)
@@ -253,7 +253,7 @@ export LANG = C
 export LC_ALL = C
 export GZIP = -n
 BR2_VERSION_GIT_EPOCH = $(shell GIT_DIR=$(TOPDIR)/.git $(GIT) log -1 --format=%at)
-export SOURCE_DATE_EPOCH = $(if $(wildcard $(TOPDIR)/.git),$(BR2_VERSION_GIT_EPOCH),$(BR2_VERSION_EPOCH))
+export SOURCE_DATE_EPOCH ?= $(if $(wildcard $(TOPDIR)/.git),$(BR2_VERSION_GIT_EPOCH),$(BR2_VERSION_EPOCH))
 DEPENDENCIES_HOST_PREREQ += host-fakedate
 endif
 
@@ -481,8 +481,10 @@ include Makefile.legacy
 include package/Makefile.in
 include support/dependencies/dependencies.mk
 
-include toolchain/*.mk
-include toolchain/*/*.mk
+PACKAGES += $(DEPENDENCIES_HOST_PREREQ)
+
+include $(sort $(wildcard toolchain/*.mk))
+include $(sort $(wildcard toolchain/*/*.mk))
 
 # Include the package override file if one has been provided in the
 # configuration.
@@ -1069,7 +1071,7 @@ print-version:
 	@echo $(BR2_VERSION_FULL)
 
 include docs/manual/manual.mk
--include $(foreach dir,$(BR2_EXTERNAL_DIRS),$(dir)/docs/*/*.mk)
+-include $(foreach dir,$(BR2_EXTERNAL_DIRS),$(sort $(wildcard $(dir)/docs/*/*.mk)))
 
 .PHONY: $(noconfig_targets)
 

arch/Config.in.arm

@@ -534,15 +534,9 @@ config BR2_GCC_TARGET_CPU
 	default "strongarm"	if BR2_strongarm
 	default "xscale"	if BR2_xscale
 	default "iwmmxt"	if BR2_iwmmxt
-	default "cortex-a53"		if (BR2_cortex_a53 && !BR2_ARCH_IS_64)
-	default "cortex-a53+fp"		if (BR2_cortex_a53 && BR2_ARCH_IS_64 && BR2_ARM_FPU_FP_ARMV8)
-	default "cortex-a53+fp+simd" 	if (BR2_cortex_a53 && BR2_ARCH_IS_64 && BR2_ARM_FPU_NEON_FP_ARMV8)
-	default "cortex-a57"		if (BR2_cortex_a57 && !BR2_ARCH_IS_64)
-	default "cortex-a57+fp"		if (BR2_cortex_a57 && BR2_ARCH_IS_64 && BR2_ARM_FPU_FP_ARMV8)
-	default "cortex-a57+fp+simd" 	if (BR2_cortex_a57 && BR2_ARCH_IS_64 && BR2_ARM_FPU_NEON_FP_ARMV8)
-	default "cortex-a72"		if (BR2_cortex_a72 && !BR2_ARCH_IS_64)
-	default "cortex-a72+fp"		if (BR2_cortex_a72 && BR2_ARCH_IS_64 && BR2_ARM_FPU_FP_ARMV8)
-	default "cortex-a72+fp+simd" 	if (BR2_cortex_a72 && BR2_ARCH_IS_64 && BR2_ARM_FPU_NEON_FP_ARMV8)
+	default "cortex-a53"	if BR2_cortex_a53
+	default "cortex-a57"	if BR2_cortex_a57
+	default "cortex-a72"	if BR2_cortex_a72
 
 config BR2_GCC_TARGET_ABI
 	default "aapcs-linux"	if BR2_arm || BR2_armeb

board/wandboard/genimage.cfg

@@ -26,6 +26,7 @@ image sdcard.img {
   partition rootfs {
     partition-type = 0x83
     image = "rootfs.ext4"
+    offset = 1M
     size = 512M
   }
 }

boot/grub2/grub2.mk

@@ -53,7 +53,7 @@ GRUB2_CONF_ENV = \
 	$(HOST_CONFIGURE_OPTS) \
 	CPP="$(HOSTCC) -E" \
 	TARGET_CC="$(TARGET_CC)" \
-	TARGET_CFLAGS="$(TARGET_CFLAGS)" \
+	TARGET_CFLAGS="$(TARGET_CFLAGS) -fno-stack-protector" \
 	TARGET_CPPFLAGS="$(TARGET_CPPFLAGS)" \
 	TARGET_LDFLAGS="$(TARGET_LDFLAGS)" \
 	NM="$(TARGET_NM)" \

boot/syslinux/Config.in

@@ -35,6 +35,7 @@ config BR2_TARGET_SYSLINUX_PXELINUX
 
 config BR2_TARGET_SYSLINUX_MBR
 	bool "install mbr"
+	depends on !BR2_TOOLCHAIN_HAS_BINUTILS_BUG_19615
 	select BR2_TARGET_SYSLINUX_LEGACY_BIOS
 	help
 	  Install the legacy-BIOS 'mbr' image, to boot off a

boot/syslinux/syslinux.mk

@@ -13,7 +13,8 @@ SYSLINUX_LICENSE_FILES = COPYING
 
 SYSLINUX_INSTALL_IMAGES = YES
 
-SYSLINUX_DEPENDENCIES = host-nasm host-upx util-linux
+# host-util-linux needed to provide libuuid when building host tools
+SYSLINUX_DEPENDENCIES = host-nasm host-upx util-linux host-util-linux
 
 ifeq ($(BR2_TARGET_SYSLINUX_LEGACY_BIOS),y)
 SYSLINUX_TARGET += bios

docs/manual/adding-packages-generic.txt

@@ -315,7 +315,10 @@ information is (assuming the package name is +libfoo+) :
   ** +local+ for a local source code directory. One should use this
      when +LIBFOO_SITE+ specifies a local directory path containing
      the package source code. Buildroot copies the contents of the
-     source directory into the package's build directory.
+     source directory into the package's build directory. Note that
+     for +local+ packages, no patches are applied. If you need to
+     still patch the source code, use +LIBFOO_POST_RSYNC_HOOKS+, see
+     xref:hooks-rsync[].
 
 * +LIBFOO_GIT_SUBMODULES+ can be set to +YES+ to create an archive
   with the git submodules in the repository.  This is only available

docs/manual/adding-packages-hooks.txt

@@ -59,6 +59,7 @@ endef
 LIBFOO_POST_PATCH_HOOKS += LIBFOO_POST_PATCH_FIXUP
 ----------------------
 
+[[hooks-rsync]]
 ==== Using the +POST_RSYNC+ hook
 The +POST_RSYNC+ hook is run only for packages that use a local source,
 either through the +local+ site method or the +OVERRIDE_SRCDIR+

docs/manual/customize-outside-br.txt

@@ -199,7 +199,7 @@ and to the kernel configuration file as follows (e.g. by running
 ----
 BR2_GLOBAL_PATCH_DIR=$(BR2_EXTERNAL_BAR_42_PATH)/patches/
 BR2_ROOTFS_OVERLAY=$(BR2_EXTERNAL_BAR_42_PATH)/board/<boardname>/overlay/
-BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE=$(BR2_EXTERNAL_BAR_42_FOO)/board/<boardname>/kernel.config
+BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE=$(BR2_EXTERNAL_BAR_42_PATH)/board/<boardname>/kernel.config
 ----
 
 ===== Example layout
@@ -263,7 +263,7 @@ illustration, of course):
   |     |BR2_GLOBAL_PATCH_DIR="$(BR2_EXTERNAL_BAR_42_PATH)/patches/"
   |     |BR2_ROOTFS_OVERLAY="$(BR2_EXTERNAL_BAR_42_PATH)/board/my-board/overlay/"
   |     |BR2_ROOTFS_POST_IMAGE_SCRIPT="$(BR2_EXTERNAL_BAR_42_PATH)/board/my-board/post-image.sh"
-  |     |BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_BAR_42_FOO)/board/my-board/kernel.config"
+  |     |BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_BAR_42_PATH)/board/my-board/kernel.config"
   |     `----
   |
   |- patches/linux/0001-some-change.patch

docs/manual/using-buildroot-development.txt

@@ -50,11 +50,11 @@ BUSYBOX_OVERRIDE_SRCDIR = /home/bob/busybox/
 When Buildroot finds that for a given package, an
 +<pkg>_OVERRIDE_SRCDIR+ has been defined, it will no longer attempt to
 download, extract and patch the package. Instead, it will directly use
-the source code available in in the specified directory and +make
-clean+ will not touch this directory. This allows to point Buildroot
-to your own directories, that can be managed by Git, Subversion, or
-any other version control system. To achieve this, Buildroot will use
-_rsync_ to copy the source code of the component from the specified
+the source code available in the specified directory and +make clean+
+will not touch this directory. This allows to point Buildroot to your
+own directories, that can be managed by Git, Subversion, or any other
+version control system. To achieve this, Buildroot will use _rsync_ to
+copy the source code of the component from the specified
 +<pkg>_OVERRIDE_SRCDIR+ to +output/build/<package>-custom/+.
 
 This mechanism is best used in conjunction with the +make

fs/iso9660/iso9660.mk

@@ -40,6 +40,7 @@ define ROOTFS_ISO9660_CREATE_TEMPDIR
 	$(RM) -rf $(ROOTFS_ISO9660_TARGET_DIR)
 	mkdir -p $(ROOTFS_ISO9660_TARGET_DIR)
 endef
+ROOTFS_ISO9660_PRE_GEN_HOOKS += ROOTFS_ISO9660_CREATE_TEMPDIR
 else
 ROOTFS_ISO9660_TARGET_DIR = $(TARGET_DIR)
 endif

linux/linux.mk

@@ -274,7 +274,7 @@ define LINUX_KCONFIG_FIXUP_CMDS
 		$(call KCONFIG_ENABLE_OPT,CONFIG_FHANDLE,$(@D)/.config)
 		$(call KCONFIG_ENABLE_OPT,CONFIG_AUTOFS4_FS,$(@D)/.config)
 		$(call KCONFIG_ENABLE_OPT,CONFIG_TMPFS_POSIX_ACL,$(@D)/.config)
-		$(call KCONFIG_ENABLE_OPT,CONFIG_TMPFS_POSIX_XATTR,$(@D)/.config))
+		$(call KCONFIG_ENABLE_OPT,CONFIG_TMPFS_XATTR,$(@D)/.config))
 	$(if $(BR2_PACKAGE_SMACK),
 		$(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY,$(@D)/.config)
 		$(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY_SMACK,$(@D)/.config)

package/Makefile.in

@@ -207,7 +207,7 @@ TARGET_STRIP = $(TARGET_CROSS)strip
 STRIPCMD = $(TARGET_CROSS)strip --remove-section=.comment --remove-section=.note
 endif
 ifeq ($(BR2_STRIP_none),y)
-TARGET_STRIP = true
+TARGET_STRIP = /bin/true
 STRIPCMD = $(TARGET_STRIP)
 endif
 INSTALL := $(shell which install || type -p install)
@@ -223,6 +223,27 @@ HOST_CFLAGS   += $(HOST_CPPFLAGS)
 HOST_CXXFLAGS += $(HOST_CFLAGS)
 HOST_LDFLAGS  += -L$(HOST_DIR)/lib -L$(HOST_DIR)/usr/lib -Wl,-rpath,$(HOST_DIR)/usr/lib
 
+# The macros below are taken from linux 4.11 and adapted slightly.
+# Copy more when needed.
+
+# try-run
+# Usage: option = $(call try-run, $(CC)...-o "$$TMP",option-ok,otherwise)
+# Exit code chooses option. "$$TMP" is can be used as temporary file and
+# is automatically cleaned up.
+try-run = $(shell set -e;               \
+	TMP="$$(tempfile)";             \
+	if ($(1)) >/dev/null 2>&1;      \
+	then echo "$(2)";               \
+	else echo "$(3)";               \
+	fi;                             \
+	rm -f "$$TMP")
+
+# host-cc-option
+# Usage: HOST_FOO_CFLAGS += $(call host-cc-option,-no-pie,)
+host-cc-option = $(call try-run,\
+        $(HOSTCC) $(HOST_CFLAGS) $(1) -c -x c /dev/null -o "$$TMP",$(1),$(2))
+
+
 # host-intltool should be executed with the system perl, so we save
 # the path to the system perl, before a host-perl built by Buildroot
 # might get installed into $(HOST_DIR)/usr/bin and therefore appears
@@ -367,7 +388,7 @@ DISABLE_NLS :=--disable-nls
 endif
 
 ifneq ($(BR2_INSTALL_LIBSTDCPP),y)
-TARGET_CONFIGURE_OPTS += CXX=false
+TARGET_CONFIGURE_OPTS += CXX=false CXXCPP=cpp
 endif
 
 ifeq ($(BR2_STATIC_LIBS),y)

package/aespipe/aespipe.mk

@@ -9,5 +9,15 @@ AESPIPE_SOURCE = aespipe-v$(AESPIPE_VERSION).tar.bz2
 AESPIPE_SITE = http://loop-aes.sourceforge.net/aespipe
 AESPIPE_LICENSE = GPL
 
+# Recent Debian, Gentoo and Ubuntu enable -fPIE by default, breaking the build:
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=837393
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835148
+# Older gcc versions however don't support the -no-pie flag, so we have to
+# check its availability.
+HOST_AESPIPE_NO_PIE_FLAG = $(call host-cc-option,-no-pie)
+HOST_AESPIPE_CONF_ENV = \
+	CFLAGS="$(HOST_CFLAGS) $(HOST_AESPIPE_NO_PIE_FLAG)" \
+	LDFLAGS="$(HOST_LDFLAGS) $(HOST_AESPIPE_NO_PIE_FLAG)"
+
 $(eval $(autotools-package))
 $(eval $(host-autotools-package))

package/apache/0003-CVS-2017-9798.patch

@@ -0,0 +1,30 @@
+core: Disallow Methods' registration at run time (.htaccess), they may
+be used only if registered at init time (httpd.conf).
+
+Calling ap_method_register() in children processes is not the right scope
+since it won't be shared for all requests.
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68
+
+Fixes CVE-2017-9798: https://nvd.nist.gov/vuln/detail/CVE-2017-9798
+
+Downloaded from upstream repo:
+https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+
+--- a/server/core.c	2017/08/16 16:50:29	1805223
++++ b/server/core.c	2017/09/08 13:13:11	1807754
+@@ -2266,6 +2266,12 @@
+             /* method has not been registered yet, but resource restriction
+              * is always checked before method handling, so register it.
+              */
++            if (cmd->pool == cmd->temp_pool) {
++                /* In .htaccess, we can't globally register new methods. */
++                return apr_psprintf(cmd->pool, "Could not register method '%s' "
++                                   "for %s from .htaccess configuration",
++                                    method, cmd->cmd->name);
++            }
+             methnum = ap_method_register(cmd->pool,
+                                          apr_pstrdup(cmd->pool, method));
+         }

package/apache/apache.hash

@@ -1,2 +1,2 @@
-# From http://www.apache.org/dist/httpd/httpd-2.4.23.tar.bz2.sha1
-sha1 bd6d138c31c109297da2346c6e7b93b9283993d2  httpd-2.4.25.tar.bz2
+# From http://www.apache.org/dist/httpd/httpd-2.4.27.tar.bz2.sha256
+sha256 71fcc128238a690515bd8174d5330a5309161ef314a326ae45c7c15ed139c13a httpd-2.4.27.tar.bz2

package/apache/apache.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-APACHE_VERSION = 2.4.25
+APACHE_VERSION = 2.4.27
 APACHE_SOURCE = httpd-$(APACHE_VERSION).tar.bz2
 APACHE_SITE = http://archive.apache.org/dist/httpd
 APACHE_LICENSE = Apache-2.0

package/apr-util/apr-util.hash

@@ -1,2 +1,4 @@
-# From http://archive.apache.org/dist/apr/apr-util-1.5.4.tar.gz.sha1
-sha1	72cc3ac693b52fb831063d5c0de18723bc8e0095	apr-util-1.5.4.tar.gz
+# From http://www.apache.org/dist/apr/apr-util-1.6.1.tar.bz2.sha256
+sha256	d3e12f7b6ad12687572a3a39475545a072608f4ba03a6ce8a3778f607dd0035b	apr-util-1.6.1.tar.bz2
+# Locally calculated
+sha256	ef5609d18601645ad6fe22c6c122094be40e976725c1d0490778abacc836e7a2	LICENSE

package/apr-util/apr-util.mk

@@ -4,7 +4,8 @@
 #
 ################################################################################
 
-APR_UTIL_VERSION = 1.5.4
+APR_UTIL_VERSION = 1.6.1
+APR_UTIL_SOURCE = apr-util-$(APR_UTIL_VERSION).tar.bz2
 APR_UTIL_SITE = http://archive.apache.org/dist/apr
 APR_UTIL_LICENSE = Apache-2.0
 APR_UTIL_LICENSE_FILES = LICENSE

package/apr/0001-cross-compile.patch

@@ -42,10 +42,10 @@ diff -uNr apr-1.5.1.org/Makefile.in apr-1.5.1/Makefile.in
  
  # get substituted into some targets
  APR_MAJOR_VERSION=@APR_MAJOR_VERSION@
-@@ -134,8 +136,13 @@
+@@ -134,8 +134,13 @@
+ 	$(APR_MKDIR) tools
+ 	$(LT_COMPILE)
  
- OBJECTS_gen_test_char = tools/gen_test_char.lo $(LOCAL_LIBS)
- tools/gen_test_char.lo: make_tools_dir
 +ifdef CC_FOR_BUILD
 +tools/gen_test_char@EXEEXT@: tools/gen_test_char.c $(LOCAL_LIBS)
 +	$(CC_FOR_BUILD) $(CFLAGS_FOR_BUILD) -DCROSS_COMPILE -o $@ $<

package/apr/apr.hash

@@ -1,2 +1,4 @@
-# From http://archive.apache.org/dist/apr/apr-1.5.1.tar.gz.sha1
-sha1	9caa83e3f50f3abc9fab7c4a3f2739a12b14c3a3	apr-1.5.1.tar.gz
+# From http://www.apache.org/dist/apr/apr-1.6.3.tar.bz2.sha256
+sha256 131f06d16d7aabd097fa992a33eec2b6af3962f93e6d570a9bd4d85e95993172  apr-1.6.3.tar.bz2
+# Locally calculated
+sha256 f854aeef66ecd55a126226e82b3f26793fc3b1c584647f6a0edc5639974c38ad  LICENSE

package/apr/apr.mk

@@ -4,7 +4,8 @@
 #
 ################################################################################
 
-APR_VERSION = 1.5.1
+APR_VERSION = 1.6.3
+APR_SOURCE = apr-$(APR_VERSION).tar.bz2
 APR_SITE = http://archive.apache.org/dist/apr
 APR_LICENSE = Apache-2.0
 APR_LICENSE_FILES = LICENSE

package/argp-standalone/0003-fix_build_with_c99_compilers.patch

@@ -66,15 +66,3 @@ index e797b11..828f435 100644
  
  /* Internal routines.  */
  extern void _argp_fmtstream_update (argp_fmtstream_t __fs);
-@@ -216,7 +220,11 @@
- #endif
- 
- #ifndef ARGP_FS_EI
-+#if defined(__GNUC__) && !defined(__GNUC_STDC_INLINE__)
- #define ARGP_FS_EI extern inline
-+#else
-+#define ARGP_FS_EI inline
-+#endif
- #endif
- 
- ARGP_FS_EI size_t

package/argp-standalone/argp-standalone.mk

@@ -10,7 +10,7 @@ ARGP_STANDALONE_INSTALL_STAGING = YES
 ARGP_STANDALONE_LICENSE = LGPLv2+
 
 ARGP_STANDALONE_CONF_ENV = \
-	CFLAGS="$(TARGET_CFLAGS) -fPIC"
+	CFLAGS="$(TARGET_CFLAGS) -fPIC -fgnu89-inline"
 
 define ARGP_STANDALONE_INSTALL_STAGING_CMDS
 	$(INSTALL) -D $(@D)/libargp.a $(STAGING_DIR)/usr/lib/libargp.a

package/automake/0002-port-to-perl-5.22-and-later.patch

@@ -0,0 +1,34 @@
+From 13f00eb4493c217269b76614759e452d8302955e Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Thu, 31 Mar 2016 16:35:29 -0700
+Subject: [PATCH] automake: port to Perl 5.22 and later
+
+Without this change, Perl 5.22 complains "Unescaped left brace in
+regex is deprecated" and this is planned to become a hard error in
+Perl 5.26.  See:
+http://search.cpan.org/dist/perl-5.22.0/pod/perldelta.pod#A_literal_%22{%22_should_now_be_escaped_in_a_pattern
+* bin/automake.in (substitute_ac_subst_variables): Escape left brace.
+
+[Backported from:
+ http://git.savannah.gnu.org/cgit/automake.git/commit/?id=13f00eb4493c217269b76614759e452d8302955e]
+Signed-off-by: Adam Duskett <aduskett@gmail.com>
+---
+ bin/automake.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bin/automake.in b/bin/automake.in
+index a3a0aa3..2c8f31e 100644
+--- a/bin/automake.in
++++ b/bin/automake.in
+@@ -3878,7 +3878,7 @@ sub substitute_ac_subst_variables_worker
+ sub substitute_ac_subst_variables
+ {
+   my ($text) = @_;
+-  $text =~ s/\${([^ \t=:+{}]+)}/substitute_ac_subst_variables_worker ($1)/ge;
++  $text =~ s/\$[{]([^ \t=:+{}]+)}/substitute_ac_subst_variables_worker ($1)/ge;
+   return $text;
+ }
+ 
+-- 
+2.7.4
+

package/avahi/avahi_tmpfiles.conf

@@ -1 +1 @@
-d /tmp/avahi-autopid 0755 avahi avahi
+d /tmp/avahi-autoipd 0755 avahi avahi

package/bcusdk/0002-eibd-fix-endless-recursion-when-using-USB-backends.patch

@@ -0,0 +1,35 @@
+From 6bd1b4958e949d83468e053c34bf6c89d14d687a Mon Sep 17 00:00:00 2001
+From: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be>
+Date: Fri, 25 Aug 2017 23:01:14 +0200
+Subject: [PATCH] eibd: drop local clock_gettime in USB backends
+
+clock_gettime is defined locally, and calls pth_int_time, which
+in turn calls clock_gettime.
+The USB backend shouldn't overrule clock_gettime in the first place.
+This patch fixes this endless recursion by removing the local defition.
+
+Signed-off-by: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be>
+---
+ eibd/usb/linux_usbfs.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/eibd/usb/linux_usbfs.c b/eibd/usb/linux_usbfs.c
+index c3ec410..957b908 100644
+--- a/eibd/usb/linux_usbfs.c
++++ b/eibd/usb/linux_usbfs.c
+@@ -52,12 +52,6 @@ int pthread_mutex_trylock(pthread_mutex_t *mutex)
+ 	return 0;
+ }
+ 
+-int clock_gettime(clockid_t clk_id, struct timespec *tp)
+-{
+-	pth_int_time (tp);
+-	return 0;
+-}
+-
+ /* sysfs vs usbfs:
+  * opening a usbfs node causes the device to be resumed, so we attempt to
+  * avoid this during enumeration.
+-- 
+1.8.5.rc3
+

package/berkeleydb/0001-cwd-db_config.patch

@@ -0,0 +1,21 @@
+Do not access DB_CONFIG when db_home is not set
+
+Fixes CVE-2017-10140:
+https://bugzilla.redhat.com/show_bug.cgi?id=1464032#c9
+
+Downloaded from
+http://pkgs.fedoraproject.org/cgit/rpms/libdb.git/commit/?id=8047fa8580659fcae740c25e91b490539b8453eb
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+
+--- db-5.3.28/src/env/env_open.c.old	2017-06-26 10:32:11.011419981 +0200
++++ db-5.3.28/src/env/env_open.c	2017-06-26 10:32:46.893721233 +0200
+@@ -473,7 +473,7 @@
+ 	env->db_mode = mode == 0 ? DB_MODE_660 : mode;
+ 
+ 	/* Read the DB_CONFIG file. */
+-	if ((ret = __env_read_db_config(env)) != 0)
++	if (env->db_home != NULL && (ret = __env_read_db_config(env)) != 0)
+ 		return (ret);
+ 
+ 	/*

package/berkeleydb/berkeleydb.hash

@@ -1,2 +1,3 @@
 # Locally calculated
 sha256	76a25560d9e52a198d37a31440fd07632b5f1f8f9f2b6d5438f4bc3e7c9013ef  db-5.3.28.NC.tar.gz
+sha256	b78815181a53241f9347c6b47d1031fd669946f863e1edc807a291354cec024b  LICENSE

package/bind/bind.hash

@@ -1,2 +1,3 @@
-# Verified from http://ftp.isc.org/isc/bind9/9.11.0-P5/bind-9.11.0-P5.tar.gz.sha256.asc
-sha256 1e283f0567b484687dfd7b936e26c9af4f64043daf73cbd8f3eb1122c9fb71f5  bind-9.11.0-P5.tar.gz
+# Verified from http://ftp.isc.org/isc/bind9/9.11.2-P1/bind-9.11.2-P1.tar.gz.sha256.asc
+sha256 cec31548832fca3f85d95178d4019b7d702039e8595d4c93914feba337df1212 bind-9.11.2-P1.tar.gz
+sha256 d3906dfe153e2c48440d3ca1d5319f5e89b4b820cdfc5d0779c23d7ac2b175e9 COPYRIGHT

package/bind/bind.mk

@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-BIND_VERSION = 9.11.0-P5
-BIND_SITE = ftp://ftp.isc.org/isc/bind9/$(BIND_VERSION)
+BIND_VERSION = 9.11.2-P1
+BIND_SITE = http://ftp.isc.org/isc/bind9/$(BIND_VERSION)
 # bind does not support parallel builds.
 BIND_MAKE = $(MAKE1)
 BIND_INSTALL_STAGING = YES
@@ -24,6 +24,7 @@ BIND_CONF_ENV = \
 	BUILD_CC="$(TARGET_CC)" \
 	BUILD_CFLAGS="$(TARGET_CFLAGS)"
 BIND_CONF_OPTS = \
+	--without-lmdb \
 	--with-libjson=no \
 	--with-randomdev=/dev/urandom \
 	--enable-epoll \

package/binutils/2.25.1/131-xtensa-fix-memory-corruption-by-broken-sysregs.patch

@@ -0,0 +1,42 @@
+From 3c8788dbb70b40e737d4b8e30cab81406e5c5091 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Wed, 2 Aug 2017 00:36:05 -0700
+Subject: [PATCH] xtensa: fix memory corruption by broken sysregs
+
+In some xtensa configurations there may be system/user registers in
+xtensa-modules with negative index. ISA initialization for such config
+may clobber heap and result in program termination.
+Don't update lookup table entries for register with negative indices.
+They are not directly accessible via RSR/WSR/XSR or RUR/WUR, so this
+change should not affect processing of valid assembly/binary code.
+
+bfd/
+2017-08-02  Max Filippov  <jcmvbkbc@gmail.com>
+
+	* xtensa-isa.c (xtensa_isa_init): Don't update lookup table
+	entries for sysregs with negative indices.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+---
+Backported from: d84ed528d4817b0ff854006b65a9f6ec75f0407a
+
+ bfd/xtensa-isa.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/xtensa-isa.c b/bfd/xtensa-isa.c
+index 8da75bea8109..8c6ee88fdeae 100644
+--- a/bfd/xtensa-isa.c
++++ b/bfd/xtensa-isa.c
+@@ -292,7 +292,8 @@ xtensa_isa_init (xtensa_isa_status *errno_p, char **error_msg_p)
+       xtensa_sysreg_internal *sreg = &isa->sysregs[n];
+       is_user = sreg->is_user;
+ 
+-      isa->sysreg_table[is_user][sreg->number] = n;
++      if (sreg->number >= 0)
++	isa->sysreg_table[is_user][sreg->number] = n;
+     }
+ 
+   /* Set up the interface lookup table.  */
+-- 
+2.1.4
+

package/binutils/2.26.1/0131-xtensa-fix-memory-corruption-by-broken-sysregs.patch

@@ -0,0 +1,42 @@
+From 3c8788dbb70b40e737d4b8e30cab81406e5c5091 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Wed, 2 Aug 2017 00:36:05 -0700
+Subject: [PATCH] xtensa: fix memory corruption by broken sysregs
+
+In some xtensa configurations there may be system/user registers in
+xtensa-modules with negative index. ISA initialization for such config
+may clobber heap and result in program termination.
+Don't update lookup table entries for register with negative indices.
+They are not directly accessible via RSR/WSR/XSR or RUR/WUR, so this
+change should not affect processing of valid assembly/binary code.
+
+bfd/
+2017-08-02  Max Filippov  <jcmvbkbc@gmail.com>
+
+	* xtensa-isa.c (xtensa_isa_init): Don't update lookup table
+	entries for sysregs with negative indices.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+---
+Backported from: d84ed528d4817b0ff854006b65a9f6ec75f0407a
+
+ bfd/xtensa-isa.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/xtensa-isa.c b/bfd/xtensa-isa.c
+index 8da75bea8109..8c6ee88fdeae 100644
+--- a/bfd/xtensa-isa.c
++++ b/bfd/xtensa-isa.c
+@@ -292,7 +292,8 @@ xtensa_isa_init (xtensa_isa_status *errno_p, char **error_msg_p)
+       xtensa_sysreg_internal *sreg = &isa->sysregs[n];
+       is_user = sreg->is_user;
+ 
+-      isa->sysreg_table[is_user][sreg->number] = n;
++      if (sreg->number >= 0)
++	isa->sysreg_table[is_user][sreg->number] = n;
+     }
+ 
+   /* Set up the interface lookup table.  */
+-- 
+2.1.4
+

package/binutils/2.27/0131-xtensa-fix-memory-corruption-by-broken-sysregs.patch

@@ -0,0 +1,42 @@
+From 3c8788dbb70b40e737d4b8e30cab81406e5c5091 Mon Sep 17 00:00:00 2001
+From: Max Filippov <jcmvbkbc@gmail.com>
+Date: Wed, 2 Aug 2017 00:36:05 -0700
+Subject: [PATCH] xtensa: fix memory corruption by broken sysregs
+
+In some xtensa configurations there may be system/user registers in
+xtensa-modules with negative index. ISA initialization for such config
+may clobber heap and result in program termination.
+Don't update lookup table entries for register with negative indices.
+They are not directly accessible via RSR/WSR/XSR or RUR/WUR, so this
+change should not affect processing of valid assembly/binary code.
+
+bfd/
+2017-08-02  Max Filippov  <jcmvbkbc@gmail.com>
+
+	* xtensa-isa.c (xtensa_isa_init): Don't update lookup table
+	entries for sysregs with negative indices.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+---
+Backported from: d84ed528d4817b0ff854006b65a9f6ec75f0407a
+
+ bfd/xtensa-isa.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/bfd/xtensa-isa.c b/bfd/xtensa-isa.c
+index 8da75bea8109..8c6ee88fdeae 100644
+--- a/bfd/xtensa-isa.c
++++ b/bfd/xtensa-isa.c
+@@ -292,7 +292,8 @@ xtensa_isa_init (xtensa_isa_status *errno_p, char **error_msg_p)
+       xtensa_sysreg_internal *sreg = &isa->sysregs[n];
+       is_user = sreg->is_user;
+ 
+-      isa->sysreg_table[is_user][sreg->number] = n;
++      if (sreg->number >= 0)
++	isa->sysreg_table[is_user][sreg->number] = n;
+     }
+ 
+   /* Set up the interface lookup table.  */
+-- 
+2.1.4
+

package/binutils/2.27/0907-Automatically-enable-CRC-instructions-on-supported-A.patch

@@ -0,0 +1,88 @@
+From 29a4659015ca7044c2d425d32a0b828e0fbb5ac1 Mon Sep 17 00:00:00 2001
+From: Richard Earnshaw <Richard.Earnshaw@arm.com>
+Date: Wed, 7 Sep 2016 17:14:54 +0100
+Subject: [PATCH] Automatically enable CRC instructions on supported ARMv8-A
+ CPUs.
+
+2016-09-07  Richard Earnshaw  <rearnsha@arm.com>
+
+	* opcode/arm.h (ARM_ARCH_V8A_CRC): New architecture.
+
+2016-09-07  Richard Earnshaw  <rearnsha@arm.com>
+
+	* config/tc-arm.c ((arm_cpus): Use ARM_ARCH_V8A_CRC for all
+	ARMv8-A CPUs except xgene1.
+
+Upstream: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=27e5a270962fb92c07e7d476966ba380fa3bb68e
+Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+---
+ gas/config/tc-arm.c  | 18 +++++++++---------
+ include/opcode/arm.h |  2 ++
+ 2 files changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/gas/config/tc-arm.c b/gas/config/tc-arm.c
+index 73d05316..7c86184d 100644
+--- a/gas/config/tc-arm.c
++++ b/gas/config/tc-arm.c
+@@ -25332,17 +25332,17 @@ static const struct arm_cpu_option_table arm_cpus[] =
+ 								  "Cortex-A15"),
+   ARM_CPU_OPT ("cortex-a17",	ARM_ARCH_V7VE,   FPU_ARCH_NEON_VFP_V4,
+ 								  "Cortex-A17"),
+-  ARM_CPU_OPT ("cortex-a32",    ARM_ARCH_V8A,    FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
++  ARM_CPU_OPT ("cortex-a32",    ARM_ARCH_V8A_CRC, FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
+ 								  "Cortex-A32"),
+-  ARM_CPU_OPT ("cortex-a35",    ARM_ARCH_V8A,    FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
++  ARM_CPU_OPT ("cortex-a35",    ARM_ARCH_V8A_CRC, FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
+ 								  "Cortex-A35"),
+-  ARM_CPU_OPT ("cortex-a53",    ARM_ARCH_V8A,    FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
++  ARM_CPU_OPT ("cortex-a53",    ARM_ARCH_V8A_CRC, FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
+ 								  "Cortex-A53"),
+-  ARM_CPU_OPT ("cortex-a57",    ARM_ARCH_V8A,    FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
++  ARM_CPU_OPT ("cortex-a57",    ARM_ARCH_V8A_CRC, FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
+ 								  "Cortex-A57"),
+-  ARM_CPU_OPT ("cortex-a72",    ARM_ARCH_V8A,    FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
++  ARM_CPU_OPT ("cortex-a72",    ARM_ARCH_V8A_CRC, FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
+ 								  "Cortex-A72"),
+-  ARM_CPU_OPT ("cortex-a73",    ARM_ARCH_V8A,    FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
++  ARM_CPU_OPT ("cortex-a73",    ARM_ARCH_V8A_CRC, FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
+ 								  "Cortex-A73"),
+   ARM_CPU_OPT ("cortex-r4",	ARM_ARCH_V7R,	 FPU_NONE,	  "Cortex-R4"),
+   ARM_CPU_OPT ("cortex-r4f",	ARM_ARCH_V7R,	 FPU_ARCH_VFP_V3D16,
+@@ -25361,10 +25361,10 @@ static const struct arm_cpu_option_table arm_cpus[] =
+   ARM_CPU_OPT ("cortex-m1",	ARM_ARCH_V6SM,	 FPU_NONE,	  "Cortex-M1"),
+   ARM_CPU_OPT ("cortex-m0",	ARM_ARCH_V6SM,	 FPU_NONE,	  "Cortex-M0"),
+   ARM_CPU_OPT ("cortex-m0plus",	ARM_ARCH_V6SM,	 FPU_NONE,	  "Cortex-M0+"),
+-  ARM_CPU_OPT ("exynos-m1",	ARM_ARCH_V8A,	 FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
++  ARM_CPU_OPT ("exynos-m1",	ARM_ARCH_V8A_CRC, FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
+ 								  "Samsung " \
+ 								  "Exynos M1"),
+-  ARM_CPU_OPT ("qdf24xx",	ARM_ARCH_V8A,	 FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
++  ARM_CPU_OPT ("qdf24xx",	ARM_ARCH_V8A_CRC, FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
+ 								  "Qualcomm "
+ 								  "QDF24XX"),
+ 
+@@ -25389,7 +25389,7 @@ static const struct arm_cpu_option_table arm_cpus[] =
+   /* APM X-Gene family.  */
+   ARM_CPU_OPT ("xgene1",        ARM_ARCH_V8A,    FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
+ 	                                                          "APM X-Gene 1"),
+-  ARM_CPU_OPT ("xgene2",        ARM_ARCH_V8A,    FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
++  ARM_CPU_OPT ("xgene2",        ARM_ARCH_V8A_CRC, FPU_ARCH_CRYPTO_NEON_VFP_ARMV8,
+ 	                                                          "APM X-Gene 2"),
+ 
+   { NULL, 0, ARM_ARCH_NONE, ARM_ARCH_NONE, NULL }
+diff --git a/include/opcode/arm.h b/include/opcode/arm.h
+index 60715cf8..feace5cd 100644
+--- a/include/opcode/arm.h
++++ b/include/opcode/arm.h
+@@ -263,6 +263,8 @@
+ #define ARM_ARCH_V7M	ARM_FEATURE_CORE (ARM_AEXT_V7M, ARM_EXT2_V6T2_V8M)
+ #define ARM_ARCH_V7EM	ARM_FEATURE_CORE (ARM_AEXT_V7EM, ARM_EXT2_V6T2_V8M)
+ #define ARM_ARCH_V8A	ARM_FEATURE_CORE (ARM_AEXT_V8A, ARM_AEXT2_V8A)
++#define ARM_ARCH_V8A_CRC ARM_FEATURE (ARM_AEXT_V8A, ARM_AEXT2_V8A, \
++				      CRC_EXT_ARMV8)
+ #define ARM_ARCH_V8_1A	ARM_FEATURE (ARM_AEXT_V8A, ARM_AEXT2_V8_1A,	\
+ 				     CRC_EXT_ARMV8 | FPU_NEON_EXT_RDMA)
+ #define ARM_ARCH_V8_2A	ARM_FEATURE (ARM_AEXT_V8A, ARM_AEXT2_V8_2A,	\
+-- 
+2.11.0
+

package/bluez5_utils/0002-sdp-Fix-Out-of-bounds-heap-read-in-service_search_at.patch

@@ -0,0 +1,29 @@
+From 9e009647b14e810e06626dde7f1bb9ea3c375d09 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Wed, 13 Sep 2017 10:01:40 +0300
+Subject: [PATCH] sdp: Fix Out-of-bounds heap read in service_search_attr_req
+ function
+
+Check if there is enough data to continue otherwise return an error.
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/sdpd-request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sdpd-request.c b/src/sdpd-request.c
+index 1eefdce1a..318d04467 100644
+--- a/src/sdpd-request.c
++++ b/src/sdpd-request.c
+@@ -917,7 +917,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
+ 	} else {
+ 		/* continuation State exists -> get from cache */
+ 		sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
+-		if (pCache) {
++		if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size) {
+ 			uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
+ 			pResponse = pCache->data;
+ 			memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
+-- 
+2.11.0
+

package/botan/botan.hash

@@ -1,2 +1,2 @@
 # Locally calculated after checking pgp signature
-sha256	23ec973d4b4a4fe04f490d409e08ac5638afe3aa09acd7f520daaff38ba19b90  Botan-1.10.13.tgz
+sha256 6c5472401d06527e87adcb53dd270f3c9b1fb688703b04dd7a7cfb86289efe52  Botan-1.10.16.tgz

package/botan/botan.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-BOTAN_VERSION = 1.10.13
+BOTAN_VERSION = 1.10.16
 BOTAN_SOURCE = Botan-$(BOTAN_VERSION).tgz
 BOTAN_SITE = http://botan.randombit.net/releases
 BOTAN_LICENSE = BSD-2c
@@ -43,6 +43,12 @@ BOTAN_DEPENDENCIES += zlib
 BOTAN_CONF_OPTS += --with-zlib
 endif
 
+ifeq ($(BR2_POWERPC_CPU_HAS_ALTIVEC),y)
+BOTAN_CONF_OPTS += --enable-altivec
+else
+BOTAN_CONF_OPTS += --disable-altivec
+endif
+
 define BOTAN_CONFIGURE_CMDS
 	(cd $(@D); $(TARGET_MAKE_ENV) ./configure.py $(BOTAN_CONF_OPTS))
 endef

package/busybox/0003-wget-fix-for-brain-damaged-HTTP-servers.-Closes-9471.patch

@@ -0,0 +1,87 @@
+From dac762a702d01c8c2d42135795cc9bf23ff324a2 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Wed, 11 Jan 2017 20:16:45 +0100
+Subject: [PATCH] wget: fix for brain-damaged HTTP servers. Closes 9471
+
+write(3, "GET / HTTP/1.1\r\nUser-Agent: Wget\r\nConnection: close\r\n\r\n", 74) = 74
+shutdown(3, SHUT_WR)    = 0
+alarm(900)              = 900
+read(3, "", 1024)       = 0
+write(2, "wget: error getting response\n", 29) = 29
+exit(1)
+
+The peer simply does not return anything. It closes its connection.
+
+Probably it detects wget closing its writing end: shutdown(3, SHUT_WR).
+
+The point it, closing write side of the socket is _valid_ for HTTP.
+wget sent the full request, it won't be sending anything more:
+it will only receive the response, and that's it.
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ networking/wget.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/networking/wget.c b/networking/wget.c
+index b082a0f59..afb09f587 100644
+--- a/networking/wget.c
++++ b/networking/wget.c
+@@ -141,6 +141,8 @@
+ #endif
+ 
+ 
++#define SSL_SUPPORTED (ENABLE_FEATURE_WGET_OPENSSL || ENABLE_FEATURE_WGET_SSL_HELPER)
++
+ struct host_info {
+ 	char *allocated;
+ 	const char *path;
+@@ -151,7 +153,7 @@ struct host_info {
+ };
+ static const char P_FTP[] ALIGN1 = "ftp";
+ static const char P_HTTP[] ALIGN1 = "http";
+-#if ENABLE_FEATURE_WGET_OPENSSL || ENABLE_FEATURE_WGET_SSL_HELPER
++#if SSL_SUPPORTED
+ static const char P_HTTPS[] ALIGN1 = "https";
+ #endif
+ 
+@@ -452,7 +454,7 @@ static void parse_url(const char *src_url, struct host_info *h)
+ 		if (strcmp(url, P_FTP) == 0) {
+ 			h->port = bb_lookup_port(P_FTP, "tcp", 21);
+ 		} else
+-#if ENABLE_FEATURE_WGET_OPENSSL || ENABLE_FEATURE_WGET_SSL_HELPER
++#if SSL_SUPPORTED
+ 		if (strcmp(url, P_HTTPS) == 0) {
+ 			h->port = bb_lookup_port(P_HTTPS, "tcp", 443);
+ 			h->protocol = P_HTTPS;
+@@ -1093,12 +1095,20 @@ static void download_one_url(const char *url)
+ 		}
+ 
+ 		fflush(sfp);
+-		/* If we use SSL helper, keeping our end of the socket open for writing
+-		 * makes our end (i.e. the same fd!) readable (EAGAIN instead of EOF)
+-		 * even after child closes its copy of the fd.
+-		 * This helps:
+-		 */
+-		shutdown(fileno(sfp), SHUT_WR);
++
++/* Tried doing this unconditionally.
++ * Cloudflare and nginx/1.11.5 are shocked to see SHUT_WR on non-HTTPS.
++ */
++#if SSL_SUPPORTED
++		if (target.protocol == P_HTTPS) {
++			/* If we use SSL helper, keeping our end of the socket open for writing
++			 * makes our end (i.e. the same fd!) readable (EAGAIN instead of EOF)
++			 * even after child closes its copy of the fd.
++			 * This helps:
++			 */
++			shutdown(fileno(sfp), SHUT_WR);
++		}
++#endif
+ 
+ 		/*
+ 		 * Retrieve HTTP response line and check for "200" status code.
+-- 
+2.11.0
+

package/busybox/0004-unzip-properly-use-CDF-to-find-compressed-files.-Clo.patch

@@ -0,0 +1,494 @@
+From fa654812e79d2422b41cfff6443e2abcb7737517 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Thu, 5 Jan 2017 11:43:53 +0100
+Subject: [PATCH] unzip: properly use CDF to find compressed files. Closes 9536
+
+function                                             old     new   delta
+unzip_main                                          2437    2350     -87
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ archival/unzip.c      | 285 +++++++++++++++++++++++++++++---------------------
+ testsuite/unzip.tests |   6 +-
+ 2 files changed, 168 insertions(+), 123 deletions(-)
+
+diff --git a/archival/unzip.c b/archival/unzip.c
+index c540485ac..edef22f75 100644
+--- a/archival/unzip.c
++++ b/archival/unzip.c
+@@ -16,7 +16,6 @@
+  * TODO
+  * Zip64 + other methods
+  */
+-
+ //config:config UNZIP
+ //config:	bool "unzip"
+ //config:	default y
+@@ -24,8 +23,17 @@
+ //config:	  unzip will list or extract files from a ZIP archive,
+ //config:	  commonly found on DOS/WIN systems. The default behavior
+ //config:	  (with no options) is to extract the archive into the
+-//config:	  current directory. Use the `-d' option to extract to a
+-//config:	  directory of your choice.
++//config:	  current directory.
++//config:
++//config:config FEATURE_UNZIP_CDF
++//config:	bool "Read and use Central Directory data"
++//config:	default y
++//config:	depends on UNZIP
++//config:	help
++//config:	  If you know that you only need to deal with simple
++//config:	  ZIP files without deleted/updated files, SFX archves etc,
++//config:	  you can reduce code size by unselecting this option.
++//config:	  To support less trivial ZIPs, say Y.
+ 
+ //applet:IF_UNZIP(APPLET(unzip, BB_DIR_USR_BIN, BB_SUID_DROP))
+ //kbuild:lib-$(CONFIG_UNZIP) += unzip.o
+@@ -80,30 +88,20 @@ typedef union {
+ 		uint32_t ucmpsize PACKED;       /* 18-21 */
+ 		uint16_t filename_len;          /* 22-23 */
+ 		uint16_t extra_len;             /* 24-25 */
++		/* filename follows (not NUL terminated) */
++		/* extra field follows */
++		/* data follows */
+ 	} formatted PACKED;
+ } zip_header_t; /* PACKED - gcc 4.2.1 doesn't like it (spews warning) */
+ 
+-/* Check the offset of the last element, not the length.  This leniency
+- * allows for poor packing, whereby the overall struct may be too long,
+- * even though the elements are all in the right place.
+- */
+-struct BUG_zip_header_must_be_26_bytes {
+-	char BUG_zip_header_must_be_26_bytes[
+-		offsetof(zip_header_t, formatted.extra_len) + 2
+-			== ZIP_HEADER_LEN ? 1 : -1];
+-};
+-
+-#define FIX_ENDIANNESS_ZIP(zip_header) do { \
+-	(zip_header).formatted.version      = SWAP_LE16((zip_header).formatted.version     ); \
+-	(zip_header).formatted.method       = SWAP_LE16((zip_header).formatted.method      ); \
+-	(zip_header).formatted.modtime      = SWAP_LE16((zip_header).formatted.modtime     ); \
+-	(zip_header).formatted.moddate      = SWAP_LE16((zip_header).formatted.moddate     ); \
++#define FIX_ENDIANNESS_ZIP(zip_header) \
++do { if (BB_BIG_ENDIAN) { \
+ 	(zip_header).formatted.crc32        = SWAP_LE32((zip_header).formatted.crc32       ); \
+ 	(zip_header).formatted.cmpsize      = SWAP_LE32((zip_header).formatted.cmpsize     ); \
+ 	(zip_header).formatted.ucmpsize     = SWAP_LE32((zip_header).formatted.ucmpsize    ); \
+ 	(zip_header).formatted.filename_len = SWAP_LE16((zip_header).formatted.filename_len); \
+ 	(zip_header).formatted.extra_len    = SWAP_LE16((zip_header).formatted.extra_len   ); \
+-} while (0)
++}} while (0)
+ 
+ #define CDF_HEADER_LEN 42
+ 
+@@ -115,8 +113,8 @@ typedef union {
+ 		uint16_t version_needed;        /* 2-3 */
+ 		uint16_t cdf_flags;             /* 4-5 */
+ 		uint16_t method;                /* 6-7 */
+-		uint16_t mtime;                 /* 8-9 */
+-		uint16_t mdate;                 /* 10-11 */
++		uint16_t modtime;               /* 8-9 */
++		uint16_t moddate;               /* 10-11 */
+ 		uint32_t crc32;                 /* 12-15 */
+ 		uint32_t cmpsize;               /* 16-19 */
+ 		uint32_t ucmpsize;              /* 20-23 */
+@@ -127,27 +125,27 @@ typedef union {
+ 		uint16_t internal_file_attributes; /* 32-33 */
+ 		uint32_t external_file_attributes PACKED; /* 34-37 */
+ 		uint32_t relative_offset_of_local_header PACKED; /* 38-41 */
++		/* filename follows (not NUL terminated) */
++		/* extra field follows */
++		/* comment follows */
+ 	} formatted PACKED;
+ } cdf_header_t;
+ 
+-struct BUG_cdf_header_must_be_42_bytes {
+-	char BUG_cdf_header_must_be_42_bytes[
+-		offsetof(cdf_header_t, formatted.relative_offset_of_local_header) + 4
+-			== CDF_HEADER_LEN ? 1 : -1];
+-};
+-
+-#define FIX_ENDIANNESS_CDF(cdf_header) do { \
++#define FIX_ENDIANNESS_CDF(cdf_header) \
++do { if (BB_BIG_ENDIAN) { \
++	(cdf_header).formatted.version_made_by = SWAP_LE16((cdf_header).formatted.version_made_by); \
++	(cdf_header).formatted.version_needed = SWAP_LE16((cdf_header).formatted.version_needed); \
++	(cdf_header).formatted.method       = SWAP_LE16((cdf_header).formatted.method      ); \
++	(cdf_header).formatted.modtime      = SWAP_LE16((cdf_header).formatted.modtime     ); \
++	(cdf_header).formatted.moddate      = SWAP_LE16((cdf_header).formatted.moddate     ); \
+ 	(cdf_header).formatted.crc32        = SWAP_LE32((cdf_header).formatted.crc32       ); \
+ 	(cdf_header).formatted.cmpsize      = SWAP_LE32((cdf_header).formatted.cmpsize     ); \
+ 	(cdf_header).formatted.ucmpsize     = SWAP_LE32((cdf_header).formatted.ucmpsize    ); \
+ 	(cdf_header).formatted.file_name_length = SWAP_LE16((cdf_header).formatted.file_name_length); \
+ 	(cdf_header).formatted.extra_field_length = SWAP_LE16((cdf_header).formatted.extra_field_length); \
+ 	(cdf_header).formatted.file_comment_length = SWAP_LE16((cdf_header).formatted.file_comment_length); \
+-	IF_DESKTOP( \
+-	(cdf_header).formatted.version_made_by = SWAP_LE16((cdf_header).formatted.version_made_by); \
+ 	(cdf_header).formatted.external_file_attributes = SWAP_LE32((cdf_header).formatted.external_file_attributes); \
+-	) \
+-} while (0)
++}} while (0)
+ 
+ #define CDE_HEADER_LEN 16
+ 
+@@ -166,20 +164,38 @@ typedef union {
+ 	} formatted PACKED;
+ } cde_header_t;
+ 
+-struct BUG_cde_header_must_be_16_bytes {
++#define FIX_ENDIANNESS_CDE(cde_header) \
++do { if (BB_BIG_ENDIAN) { \
++	(cde_header).formatted.cdf_offset = SWAP_LE32((cde_header).formatted.cdf_offset); \
++}} while (0)
++
++struct BUG {
++	/* Check the offset of the last element, not the length.  This leniency
++	 * allows for poor packing, whereby the overall struct may be too long,
++	 * even though the elements are all in the right place.
++	 */
++	char BUG_zip_header_must_be_26_bytes[
++		offsetof(zip_header_t, formatted.extra_len) + 2
++			== ZIP_HEADER_LEN ? 1 : -1];
++	char BUG_cdf_header_must_be_42_bytes[
++		offsetof(cdf_header_t, formatted.relative_offset_of_local_header) + 4
++			== CDF_HEADER_LEN ? 1 : -1];
+ 	char BUG_cde_header_must_be_16_bytes[
+ 		sizeof(cde_header_t) == CDE_HEADER_LEN ? 1 : -1];
+ };
+ 
+-#define FIX_ENDIANNESS_CDE(cde_header) do { \
+-	(cde_header).formatted.cdf_offset = SWAP_LE32((cde_header).formatted.cdf_offset); \
+-} while (0)
+ 
+ enum { zip_fd = 3 };
+ 
+ 
+-#if ENABLE_DESKTOP
++/* This value means that we failed to find CDF */
++#define BAD_CDF_OFFSET ((uint32_t)0xffffffff)
++
++#if !ENABLE_FEATURE_UNZIP_CDF
+ 
++# define find_cdf_offset() BAD_CDF_OFFSET
++
++#else
+ /* Seen in the wild:
+  * Self-extracting PRO2K3XP_32.exe contains 19078464 byte zip archive,
+  * where CDE was nearly 48 kbytes before EOF.
+@@ -188,25 +204,26 @@ enum { zip_fd = 3 };
+  * To make extraction work, bumped PEEK_FROM_END from 16k to 64k.
+  */
+ #define PEEK_FROM_END (64*1024)
+-
+-/* This value means that we failed to find CDF */
+-#define BAD_CDF_OFFSET ((uint32_t)0xffffffff)
+-
+ /* NB: does not preserve file position! */
+ static uint32_t find_cdf_offset(void)
+ {
+ 	cde_header_t cde_header;
++	unsigned char *buf;
+ 	unsigned char *p;
+ 	off_t end;
+-	unsigned char *buf = xzalloc(PEEK_FROM_END);
+ 	uint32_t found;
+ 
+-	end = xlseek(zip_fd, 0, SEEK_END);
++	end = lseek(zip_fd, 0, SEEK_END);
++	if (end == (off_t) -1)
++		return BAD_CDF_OFFSET;
++
+ 	end -= PEEK_FROM_END;
+ 	if (end < 0)
+ 		end = 0;
++
+ 	dbg("Looking for cdf_offset starting from 0x%"OFF_FMT"x", end);
+  	xlseek(zip_fd, end, SEEK_SET);
++	buf = xzalloc(PEEK_FROM_END);
+ 	full_read(zip_fd, buf, PEEK_FROM_END);
+ 
+ 	found = BAD_CDF_OFFSET;
+@@ -252,30 +269,36 @@ static uint32_t find_cdf_offset(void)
+ static uint32_t read_next_cdf(uint32_t cdf_offset, cdf_header_t *cdf_ptr)
+ {
+ 	off_t org;
++	uint32_t magic;
+ 
+-	org = xlseek(zip_fd, 0, SEEK_CUR);
++	if (cdf_offset == BAD_CDF_OFFSET)
++		return cdf_offset;
+ 
+-	if (!cdf_offset)
+-		cdf_offset = find_cdf_offset();
+-
+-	if (cdf_offset != BAD_CDF_OFFSET) {
+-		dbg("Reading CDF at 0x%x", (unsigned)cdf_offset);
+-		xlseek(zip_fd, cdf_offset + 4, SEEK_SET);
+-		xread(zip_fd, cdf_ptr->raw, CDF_HEADER_LEN);
+-		FIX_ENDIANNESS_CDF(*cdf_ptr);
+-		dbg("  file_name_length:%u extra_field_length:%u file_comment_length:%u",
+-			(unsigned)cdf_ptr->formatted.file_name_length,
+-			(unsigned)cdf_ptr->formatted.extra_field_length,
+-			(unsigned)cdf_ptr->formatted.file_comment_length
+-		);
+-		cdf_offset += 4 + CDF_HEADER_LEN
+-			+ cdf_ptr->formatted.file_name_length
+-			+ cdf_ptr->formatted.extra_field_length
+-			+ cdf_ptr->formatted.file_comment_length;
++	org = xlseek(zip_fd, 0, SEEK_CUR);
++	dbg("Reading CDF at 0x%x", (unsigned)cdf_offset);
++	xlseek(zip_fd, cdf_offset, SEEK_SET);
++	xread(zip_fd, &magic, 4);
++	/* Central Directory End? */
++	if (magic == ZIP_CDE_MAGIC) {
++		dbg("got ZIP_CDE_MAGIC");
++		return 0; /* EOF */
+ 	}
++	xread(zip_fd, cdf_ptr->raw, CDF_HEADER_LEN);
++	/* Caller doesn't need this: */
++	/* dbg("Returning file position to 0x%"OFF_FMT"x", org); */
++	/* xlseek(zip_fd, org, SEEK_SET); */
++
++	FIX_ENDIANNESS_CDF(*cdf_ptr);
++	dbg("  file_name_length:%u extra_field_length:%u file_comment_length:%u",
++		(unsigned)cdf_ptr->formatted.file_name_length,
++		(unsigned)cdf_ptr->formatted.extra_field_length,
++		(unsigned)cdf_ptr->formatted.file_comment_length
++	);
++	cdf_offset += 4 + CDF_HEADER_LEN
++		+ cdf_ptr->formatted.file_name_length
++		+ cdf_ptr->formatted.extra_field_length
++		+ cdf_ptr->formatted.file_comment_length;
+ 
+-	dbg("Returning file position to 0x%"OFF_FMT"x", org);
+-	xlseek(zip_fd, org, SEEK_SET);
+ 	return cdf_offset;
+ };
+ #endif
+@@ -324,6 +347,7 @@ static void unzip_extract(zip_header_t *zip_header, int dst_fd)
+ 			bb_error_msg("bad length");
+ 		}
+ 	}
++	/* TODO? method 12: bzip2, method 14: LZMA */
+ }
+ 
+ static void my_fgets80(char *buf80)
+@@ -339,15 +363,12 @@ int unzip_main(int argc, char **argv)
+ {
+ 	enum { O_PROMPT, O_NEVER, O_ALWAYS };
+ 
+-	zip_header_t zip_header;
+ 	smallint quiet = 0;
+-	IF_NOT_DESKTOP(const) smallint verbose = 0;
++	IF_NOT_FEATURE_UNZIP_CDF(const) smallint verbose = 0;
+ 	smallint listing = 0;
+ 	smallint overwrite = O_PROMPT;
+ 	smallint x_opt_seen;
+-#if ENABLE_DESKTOP
+ 	uint32_t cdf_offset;
+-#endif
+ 	unsigned long total_usize;
+ 	unsigned long total_size;
+ 	unsigned total_entries;
+@@ -430,7 +451,7 @@ int unzip_main(int argc, char **argv)
+ 			break;
+ 
+ 		case 'v': /* Verbose list */
+-			IF_DESKTOP(verbose++;)
++			IF_FEATURE_UNZIP_CDF(verbose++;)
+ 			listing = 1;
+ 			break;
+ 
+@@ -545,78 +566,102 @@ int unzip_main(int argc, char **argv)
+ 	total_usize = 0;
+ 	total_size = 0;
+ 	total_entries = 0;
+-#if ENABLE_DESKTOP
+-	cdf_offset = 0;
+-#endif
++	cdf_offset = find_cdf_offset();	/* try to seek to the end, find CDE and CDF start */
+ 	while (1) {
+-		uint32_t magic;
++		zip_header_t zip_header;
+ 		mode_t dir_mode = 0777;
+-#if ENABLE_DESKTOP
++#if ENABLE_FEATURE_UNZIP_CDF
+ 		mode_t file_mode = 0666;
+ #endif
+ 
+-		/* Check magic number */
+-		xread(zip_fd, &magic, 4);
+-		/* Central directory? It's at the end, so exit */
+-		if (magic == ZIP_CDF_MAGIC) {
+-			dbg("got ZIP_CDF_MAGIC");
+-			break;
+-		}
+-#if ENABLE_DESKTOP
+-		/* Data descriptor? It was a streaming file, go on */
+-		if (magic == ZIP_DD_MAGIC) {
+-			dbg("got ZIP_DD_MAGIC");
+-			/* skip over duplicate crc32, cmpsize and ucmpsize */
+-			unzip_skip(3 * 4);
+-			continue;
+-		}
+-#endif
+-		if (magic != ZIP_FILEHEADER_MAGIC)
+-			bb_error_msg_and_die("invalid zip magic %08X", (int)magic);
+-		dbg("got ZIP_FILEHEADER_MAGIC");
+-
+-		/* Read the file header */
+-		xread(zip_fd, zip_header.raw, ZIP_HEADER_LEN);
+-		FIX_ENDIANNESS_ZIP(zip_header);
+-		if ((zip_header.formatted.method != 0) && (zip_header.formatted.method != 8)) {
+-			bb_error_msg_and_die("unsupported method %d", zip_header.formatted.method);
+-		}
+-#if !ENABLE_DESKTOP
+-		if (zip_header.formatted.zip_flags & SWAP_LE16(0x0009)) {
+-			bb_error_msg_and_die("zip flags 1 and 8 are not supported");
+-		}
+-#else
+-		if (zip_header.formatted.zip_flags & SWAP_LE16(0x0001)) {
+-			/* 0x0001 - encrypted */
+-			bb_error_msg_and_die("zip flag 1 (encryption) is not supported");
+-		}
++		if (!ENABLE_FEATURE_UNZIP_CDF || cdf_offset == BAD_CDF_OFFSET) {
++			/* Normally happens when input is unseekable.
++			 *
++			 * Valid ZIP file has Central Directory at the end
++			 * with central directory file headers (CDFs).
++			 * After it, there is a Central Directory End structure.
++			 * CDFs identify what files are in the ZIP and where
++			 * they are located. This allows ZIP readers to load
++			 * the list of files without reading the entire ZIP archive.
++			 * ZIP files may be appended to, only files specified in
++			 * the CD are valid. Scanning for local file headers is
++			 * not a correct algorithm.
++			 *
++			 * We try to do the above, and resort to "linear" reading
++			 * of ZIP file only if seek failed or CDE wasn't found.
++			 */
++			uint32_t magic;
+ 
+-		if (cdf_offset != BAD_CDF_OFFSET) {
++			/* Check magic number */
++			xread(zip_fd, &magic, 4);
++			/* Central directory? It's at the end, so exit */
++			if (magic == ZIP_CDF_MAGIC) {
++				dbg("got ZIP_CDF_MAGIC");
++				break;
++			}
++			/* Data descriptor? It was a streaming file, go on */
++			if (magic == ZIP_DD_MAGIC) {
++				dbg("got ZIP_DD_MAGIC");
++				/* skip over duplicate crc32, cmpsize and ucmpsize */
++				unzip_skip(3 * 4);
++				continue;
++			}
++			if (magic != ZIP_FILEHEADER_MAGIC)
++				bb_error_msg_and_die("invalid zip magic %08X", (int)magic);
++			dbg("got ZIP_FILEHEADER_MAGIC");
++
++			xread(zip_fd, zip_header.raw, ZIP_HEADER_LEN);
++			FIX_ENDIANNESS_ZIP(zip_header);
++			if ((zip_header.formatted.method != 0)
++			 && (zip_header.formatted.method != 8)
++			) {
++				/* TODO? method 12: bzip2, method 14: LZMA */
++				bb_error_msg_and_die("unsupported method %d", zip_header.formatted.method);
++			}
++			if (zip_header.formatted.zip_flags & SWAP_LE16(0x0009)) {
++				bb_error_msg_and_die("zip flags 1 and 8 are not supported");
++			}
++		}
++#if ENABLE_FEATURE_UNZIP_CDF
++		else {
++			/* cdf_offset is valid (and we know the file is seekable) */
+ 			cdf_header_t cdf_header;
+ 			cdf_offset = read_next_cdf(cdf_offset, &cdf_header);
+-			/*
+-			 * Note: cdf_offset can become BAD_CDF_OFFSET after the above call.
+-			 */
++			if (cdf_offset == 0) /* EOF? */
++				break;
++# if 0
++			xlseek(zip_fd,
++				SWAP_LE32(cdf_header.formatted.relative_offset_of_local_header) + 4,
++				SEEK_SET);
++			xread(zip_fd, zip_header.raw, ZIP_HEADER_LEN);
++			FIX_ENDIANNESS_ZIP(zip_header);
+ 			if (zip_header.formatted.zip_flags & SWAP_LE16(0x0008)) {
+ 				/* 0x0008 - streaming. [u]cmpsize can be reliably gotten
+-				 * only from Central Directory. See unzip_doc.txt
++				 * only from Central Directory.
+ 				 */
+ 				zip_header.formatted.crc32    = cdf_header.formatted.crc32;
+ 				zip_header.formatted.cmpsize  = cdf_header.formatted.cmpsize;
+ 				zip_header.formatted.ucmpsize = cdf_header.formatted.ucmpsize;
+ 			}
++# else
++			/* CDF has the same data as local header, no need to read the latter */
++			memcpy(&zip_header.formatted.version,
++				&cdf_header.formatted.version_needed, ZIP_HEADER_LEN);
++			xlseek(zip_fd,
++				SWAP_LE32(cdf_header.formatted.relative_offset_of_local_header) + 4 + ZIP_HEADER_LEN,
++				SEEK_SET);
++# endif
+ 			if ((cdf_header.formatted.version_made_by >> 8) == 3) {
+ 				/* This archive is created on Unix */
+ 				dir_mode = file_mode = (cdf_header.formatted.external_file_attributes >> 16);
+ 			}
+ 		}
+-		if (cdf_offset == BAD_CDF_OFFSET
+-		 && (zip_header.formatted.zip_flags & SWAP_LE16(0x0008))
+-		) {
+-			/* If it's a streaming zip, we _require_ CDF */
+-			bb_error_msg_and_die("can't find file table");
+-		}
+ #endif
++
++		if (zip_header.formatted.zip_flags & SWAP_LE16(0x0001)) {
++			/* 0x0001 - encrypted */
++			bb_error_msg_and_die("zip flag 1 (encryption) is not supported");
++		}
+ 		dbg("File cmpsize:0x%x extra_len:0x%x ucmpsize:0x%x",
+ 			(unsigned)zip_header.formatted.cmpsize,
+ 			(unsigned)zip_header.formatted.extra_len,
+@@ -751,7 +796,7 @@ int unzip_main(int argc, char **argv)
+ 			overwrite = O_ALWAYS;
+ 		case 'y': /* Open file and fall into unzip */
+ 			unzip_create_leading_dirs(dst_fn);
+-#if ENABLE_DESKTOP
++#if ENABLE_FEATURE_UNZIP_CDF
+ 			dst_fd = xopen3(dst_fn, O_WRONLY | O_CREAT | O_TRUNC, file_mode);
+ #else
+ 			dst_fd = xopen(dst_fn, O_WRONLY | O_CREAT | O_TRUNC);
+diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
+index d8738a3bd..d9c45242c 100755
+--- a/testsuite/unzip.tests
++++ b/testsuite/unzip.tests
+@@ -31,11 +31,10 @@ rmdir foo
+ rm foo.zip
+ 
+ # File containing some damaged encrypted stream
++optional FEATURE_UNZIP_CDF
+ testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \
+ "Archive:  bad.zip
+-  inflating: ]3j½r«IK-%Ix
+-unzip: corrupted data
+-unzip: inflate error
++unzip: short read
+ 1
+ " \
+ "" "\
+@@ -49,6 +48,7 @@ BDYAAAAMAAEADQAAADIADQAAAEEAAAASw73Ct1DKokohPXQiNzA+FAI1HCcW
+ NzITNFBLBQUKAC4JAA04Cw0EOhZQSwUGAQAABAIAAgCZAAAAeQAAAAIALhM=
+ ====
+ "
++SKIP=
+ 
+ rm *
+ 
+-- 
+2.11.0
+

package/busybox/0005-typo-fix-in-config-help-text.patch

@@ -0,0 +1,27 @@
+From f8692dc6a0035788a83821fa18b987d8748f97a7 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Thu, 5 Jan 2017 11:47:28 +0100
+Subject: [PATCH] typo fix in config help text
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ archival/unzip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/archival/unzip.c b/archival/unzip.c
+index edef22f75..f1726439d 100644
+--- a/archival/unzip.c
++++ b/archival/unzip.c
+@@ -31,7 +31,7 @@
+ //config:	depends on UNZIP
+ //config:	help
+ //config:	  If you know that you only need to deal with simple
+-//config:	  ZIP files without deleted/updated files, SFX archves etc,
++//config:	  ZIP files without deleted/updated files, SFX archives etc,
+ //config:	  you can reduce code size by unselecting this option.
+ //config:	  To support less trivial ZIPs, say Y.
+ 
+-- 
+2.11.0
+

package/busybox/0006-unzip-remove-now-pointless-lseek-which-returns-curre.patch

@@ -0,0 +1,50 @@
+From 50504d3a3badb8ab80bd33797abcbb3b7427c267 Mon Sep 17 00:00:00 2001
+From: Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn@axis.com>
+Date: Thu, 5 Jan 2017 19:07:54 +0100
+Subject: [PATCH] unzip: remove now-pointless lseek which returns current
+ position
+
+archival/unzip.c: In function 'read_next_cdf':
+archival/unzip.c:271:8: warning: variable 'org' set but
+                                 not used [-Wunused-but-set-variable]
+  off_t org;
+        ^~~
+
+Signed-off-by: Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn@axis.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ archival/unzip.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/archival/unzip.c b/archival/unzip.c
+index f1726439d..98a71c09d 100644
+--- a/archival/unzip.c
++++ b/archival/unzip.c
+@@ -268,13 +268,11 @@ static uint32_t find_cdf_offset(void)
+ 
+ static uint32_t read_next_cdf(uint32_t cdf_offset, cdf_header_t *cdf_ptr)
+ {
+-	off_t org;
+ 	uint32_t magic;
+ 
+ 	if (cdf_offset == BAD_CDF_OFFSET)
+ 		return cdf_offset;
+ 
+-	org = xlseek(zip_fd, 0, SEEK_CUR);
+ 	dbg("Reading CDF at 0x%x", (unsigned)cdf_offset);
+ 	xlseek(zip_fd, cdf_offset, SEEK_SET);
+ 	xread(zip_fd, &magic, 4);
+@@ -284,9 +282,6 @@ static uint32_t read_next_cdf(uint32_t cdf_offset, cdf_header_t *cdf_ptr)
+ 		return 0; /* EOF */
+ 	}
+ 	xread(zip_fd, cdf_ptr->raw, CDF_HEADER_LEN);
+-	/* Caller doesn't need this: */
+-	/* dbg("Returning file position to 0x%"OFF_FMT"x", org); */
+-	/* xlseek(zip_fd, org, SEEK_SET); */
+ 
+ 	FIX_ENDIANNESS_CDF(*cdf_ptr);
+ 	dbg("  file_name_length:%u extra_field_length:%u file_comment_length:%u",
+-- 
+2.11.0
+

package/busybox/0007-unzip-do-not-use-CDF.extra_len-read-local-file-heade.patch

@@ -0,0 +1,509 @@
+From ee72302ac5e3b0b2217f616ab316d3c89e5a1f4c Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Sun, 8 Jan 2017 14:14:19 +0100
+Subject: [PATCH] unzip: do not use CDF.extra_len, read local file header.
+ Closes 9536
+
+While at it, shorten many field and variable names.
+
+function                                             old     new   delta
+unzip_main                                          2334    2376     +42
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ archival/unzip.c      | 236 ++++++++++++++++++++++++++------------------------
+ testsuite/unzip.tests |   4 +-
+ 2 files changed, 125 insertions(+), 115 deletions(-)
+
+diff --git a/archival/unzip.c b/archival/unzip.c
+index 98a71c09d..921493591 100644
+--- a/archival/unzip.c
++++ b/archival/unzip.c
+@@ -62,8 +62,8 @@
+ enum {
+ #if BB_BIG_ENDIAN
+ 	ZIP_FILEHEADER_MAGIC = 0x504b0304,
+-	ZIP_CDF_MAGIC        = 0x504b0102, /* central directory's file header */
+-	ZIP_CDE_MAGIC        = 0x504b0506, /* "end of central directory" record */
++	ZIP_CDF_MAGIC        = 0x504b0102, /* CDF item */
++	ZIP_CDE_MAGIC        = 0x504b0506, /* End of CDF */
+ 	ZIP_DD_MAGIC         = 0x504b0708,
+ #else
+ 	ZIP_FILEHEADER_MAGIC = 0x04034b50,
+@@ -91,16 +91,16 @@ typedef union {
+ 		/* filename follows (not NUL terminated) */
+ 		/* extra field follows */
+ 		/* data follows */
+-	} formatted PACKED;
++	} fmt PACKED;
+ } zip_header_t; /* PACKED - gcc 4.2.1 doesn't like it (spews warning) */
+ 
+-#define FIX_ENDIANNESS_ZIP(zip_header) \
++#define FIX_ENDIANNESS_ZIP(zip) \
+ do { if (BB_BIG_ENDIAN) { \
+-	(zip_header).formatted.crc32        = SWAP_LE32((zip_header).formatted.crc32       ); \
+-	(zip_header).formatted.cmpsize      = SWAP_LE32((zip_header).formatted.cmpsize     ); \
+-	(zip_header).formatted.ucmpsize     = SWAP_LE32((zip_header).formatted.ucmpsize    ); \
+-	(zip_header).formatted.filename_len = SWAP_LE16((zip_header).formatted.filename_len); \
+-	(zip_header).formatted.extra_len    = SWAP_LE16((zip_header).formatted.extra_len   ); \
++	(zip).fmt.crc32         = SWAP_LE32((zip).fmt.crc32       ); \
++	(zip).fmt.cmpsize       = SWAP_LE32((zip).fmt.cmpsize     ); \
++	(zip).fmt.ucmpsize      = SWAP_LE32((zip).fmt.ucmpsize    ); \
++	(zip).fmt.filename_len  = SWAP_LE16((zip).fmt.filename_len); \
++	(zip).fmt.extra_len     = SWAP_LE16((zip).fmt.extra_len   ); \
+ }} while (0)
+ 
+ #define CDF_HEADER_LEN 42
+@@ -118,39 +118,39 @@ typedef union {
+ 		uint32_t crc32;                 /* 12-15 */
+ 		uint32_t cmpsize;               /* 16-19 */
+ 		uint32_t ucmpsize;              /* 20-23 */
+-		uint16_t file_name_length;      /* 24-25 */
+-		uint16_t extra_field_length;    /* 26-27 */
++		uint16_t filename_len;          /* 24-25 */
++		uint16_t extra_len;             /* 26-27 */
+ 		uint16_t file_comment_length;   /* 28-29 */
+ 		uint16_t disk_number_start;     /* 30-31 */
+-		uint16_t internal_file_attributes; /* 32-33 */
+-		uint32_t external_file_attributes PACKED; /* 34-37 */
++		uint16_t internal_attributes;   /* 32-33 */
++		uint32_t external_attributes PACKED; /* 34-37 */
+ 		uint32_t relative_offset_of_local_header PACKED; /* 38-41 */
+ 		/* filename follows (not NUL terminated) */
+ 		/* extra field follows */
+-		/* comment follows */
+-	} formatted PACKED;
++		/* file comment follows */
++	} fmt PACKED;
+ } cdf_header_t;
+ 
+-#define FIX_ENDIANNESS_CDF(cdf_header) \
++#define FIX_ENDIANNESS_CDF(cdf) \
+ do { if (BB_BIG_ENDIAN) { \
+-	(cdf_header).formatted.version_made_by = SWAP_LE16((cdf_header).formatted.version_made_by); \
+-	(cdf_header).formatted.version_needed = SWAP_LE16((cdf_header).formatted.version_needed); \
+-	(cdf_header).formatted.method       = SWAP_LE16((cdf_header).formatted.method      ); \
+-	(cdf_header).formatted.modtime      = SWAP_LE16((cdf_header).formatted.modtime     ); \
+-	(cdf_header).formatted.moddate      = SWAP_LE16((cdf_header).formatted.moddate     ); \
+-	(cdf_header).formatted.crc32        = SWAP_LE32((cdf_header).formatted.crc32       ); \
+-	(cdf_header).formatted.cmpsize      = SWAP_LE32((cdf_header).formatted.cmpsize     ); \
+-	(cdf_header).formatted.ucmpsize     = SWAP_LE32((cdf_header).formatted.ucmpsize    ); \
+-	(cdf_header).formatted.file_name_length = SWAP_LE16((cdf_header).formatted.file_name_length); \
+-	(cdf_header).formatted.extra_field_length = SWAP_LE16((cdf_header).formatted.extra_field_length); \
+-	(cdf_header).formatted.file_comment_length = SWAP_LE16((cdf_header).formatted.file_comment_length); \
+-	(cdf_header).formatted.external_file_attributes = SWAP_LE32((cdf_header).formatted.external_file_attributes); \
++	(cdf).fmt.version_made_by = SWAP_LE16((cdf).fmt.version_made_by); \
++	(cdf).fmt.version_needed = SWAP_LE16((cdf).fmt.version_needed); \
++	(cdf).fmt.method        = SWAP_LE16((cdf).fmt.method      ); \
++	(cdf).fmt.modtime       = SWAP_LE16((cdf).fmt.modtime     ); \
++	(cdf).fmt.moddate       = SWAP_LE16((cdf).fmt.moddate     ); \
++	(cdf).fmt.crc32         = SWAP_LE32((cdf).fmt.crc32       ); \
++	(cdf).fmt.cmpsize       = SWAP_LE32((cdf).fmt.cmpsize     ); \
++	(cdf).fmt.ucmpsize      = SWAP_LE32((cdf).fmt.ucmpsize    ); \
++	(cdf).fmt.filename_len  = SWAP_LE16((cdf).fmt.filename_len); \
++	(cdf).fmt.extra_len     = SWAP_LE16((cdf).fmt.extra_len   ); \
++	(cdf).fmt.file_comment_length = SWAP_LE16((cdf).fmt.file_comment_length); \
++	(cdf).fmt.external_attributes = SWAP_LE32((cdf).fmt.external_attributes); \
+ }} while (0)
+ 
+-#define CDE_HEADER_LEN 16
++#define CDE_LEN 16
+ 
+ typedef union {
+-	uint8_t raw[CDE_HEADER_LEN];
++	uint8_t raw[CDE_LEN];
+ 	struct {
+ 		/* uint32_t signature; 50 4b 05 06 */
+ 		uint16_t this_disk_no;
+@@ -159,14 +159,14 @@ typedef union {
+ 		uint16_t cdf_entries_total;
+ 		uint32_t cdf_size;
+ 		uint32_t cdf_offset;
+-		/* uint16_t file_comment_length; */
+-		/* .ZIP file comment (variable size) */
+-	} formatted PACKED;
+-} cde_header_t;
++		/* uint16_t archive_comment_length; */
++		/* archive comment follows */
++	} fmt PACKED;
++} cde_t;
+ 
+-#define FIX_ENDIANNESS_CDE(cde_header) \
++#define FIX_ENDIANNESS_CDE(cde) \
+ do { if (BB_BIG_ENDIAN) { \
+-	(cde_header).formatted.cdf_offset = SWAP_LE32((cde_header).formatted.cdf_offset); \
++	(cde).fmt.cdf_offset = SWAP_LE32((cde).fmt.cdf_offset); \
+ }} while (0)
+ 
+ struct BUG {
+@@ -175,13 +175,13 @@ struct BUG {
+ 	 * even though the elements are all in the right place.
+ 	 */
+ 	char BUG_zip_header_must_be_26_bytes[
+-		offsetof(zip_header_t, formatted.extra_len) + 2
++		offsetof(zip_header_t, fmt.extra_len) + 2
+ 			== ZIP_HEADER_LEN ? 1 : -1];
+ 	char BUG_cdf_header_must_be_42_bytes[
+-		offsetof(cdf_header_t, formatted.relative_offset_of_local_header) + 4
++		offsetof(cdf_header_t, fmt.relative_offset_of_local_header) + 4
+ 			== CDF_HEADER_LEN ? 1 : -1];
+-	char BUG_cde_header_must_be_16_bytes[
+-		sizeof(cde_header_t) == CDE_HEADER_LEN ? 1 : -1];
++	char BUG_cde_must_be_16_bytes[
++		sizeof(cde_t) == CDE_LEN ? 1 : -1];
+ };
+ 
+ 
+@@ -207,7 +207,7 @@ enum { zip_fd = 3 };
+ /* NB: does not preserve file position! */
+ static uint32_t find_cdf_offset(void)
+ {
+-	cde_header_t cde_header;
++	cde_t cde;
+ 	unsigned char *buf;
+ 	unsigned char *p;
+ 	off_t end;
+@@ -228,7 +228,7 @@ static uint32_t find_cdf_offset(void)
+ 
+ 	found = BAD_CDF_OFFSET;
+ 	p = buf;
+-	while (p <= buf + PEEK_FROM_END - CDE_HEADER_LEN - 4) {
++	while (p <= buf + PEEK_FROM_END - CDE_LEN - 4) {
+ 		if (*p != 'P') {
+ 			p++;
+ 			continue;
+@@ -240,19 +240,19 @@ static uint32_t find_cdf_offset(void)
+ 		if (*++p != 6)
+ 			continue;
+ 		/* we found CDE! */
+-		memcpy(cde_header.raw, p + 1, CDE_HEADER_LEN);
+-		FIX_ENDIANNESS_CDE(cde_header);
++		memcpy(cde.raw, p + 1, CDE_LEN);
++		FIX_ENDIANNESS_CDE(cde);
+ 		/*
+ 		 * I've seen .ZIP files with seemingly valid CDEs
+ 		 * where cdf_offset points past EOF - ??
+ 		 * This check ignores such CDEs:
+ 		 */
+-		if (cde_header.formatted.cdf_offset < end + (p - buf)) {
+-			found = cde_header.formatted.cdf_offset;
++		if (cde.fmt.cdf_offset < end + (p - buf)) {
++			found = cde.fmt.cdf_offset;
+ 			dbg("Possible cdf_offset:0x%x at 0x%"OFF_FMT"x",
+ 				(unsigned)found, end + (p-3 - buf));
+ 			dbg("  cdf_offset+cdf_size:0x%x",
+-				(unsigned)(found + SWAP_LE32(cde_header.formatted.cdf_size)));
++				(unsigned)(found + SWAP_LE32(cde.fmt.cdf_size)));
+ 			/*
+ 			 * We do not "break" here because only the last CDE is valid.
+ 			 * I've seen a .zip archive which contained a .zip file,
+@@ -266,7 +266,7 @@ static uint32_t find_cdf_offset(void)
+ 	return found;
+ };
+ 
+-static uint32_t read_next_cdf(uint32_t cdf_offset, cdf_header_t *cdf_ptr)
++static uint32_t read_next_cdf(uint32_t cdf_offset, cdf_header_t *cdf)
+ {
+ 	uint32_t magic;
+ 
+@@ -276,23 +276,25 @@ static uint32_t read_next_cdf(uint32_t cdf_offset, cdf_header_t *cdf_ptr)
+ 	dbg("Reading CDF at 0x%x", (unsigned)cdf_offset);
+ 	xlseek(zip_fd, cdf_offset, SEEK_SET);
+ 	xread(zip_fd, &magic, 4);
+-	/* Central Directory End? */
++	/* Central Directory End? Assume CDF has ended.
++	 * (more correct method is to use cde.cdf_entries_total counter)
++	 */
+ 	if (magic == ZIP_CDE_MAGIC) {
+ 		dbg("got ZIP_CDE_MAGIC");
+ 		return 0; /* EOF */
+ 	}
+-	xread(zip_fd, cdf_ptr->raw, CDF_HEADER_LEN);
++	xread(zip_fd, cdf->raw, CDF_HEADER_LEN);
+ 
+-	FIX_ENDIANNESS_CDF(*cdf_ptr);
+-	dbg("  file_name_length:%u extra_field_length:%u file_comment_length:%u",
+-		(unsigned)cdf_ptr->formatted.file_name_length,
+-		(unsigned)cdf_ptr->formatted.extra_field_length,
+-		(unsigned)cdf_ptr->formatted.file_comment_length
++	FIX_ENDIANNESS_CDF(*cdf);
++	dbg("  filename_len:%u extra_len:%u file_comment_length:%u",
++		(unsigned)cdf->fmt.filename_len,
++		(unsigned)cdf->fmt.extra_len,
++		(unsigned)cdf->fmt.file_comment_length
+ 	);
+ 	cdf_offset += 4 + CDF_HEADER_LEN
+-		+ cdf_ptr->formatted.file_name_length
+-		+ cdf_ptr->formatted.extra_field_length
+-		+ cdf_ptr->formatted.file_comment_length;
++		+ cdf->fmt.filename_len
++		+ cdf->fmt.extra_len
++		+ cdf->fmt.file_comment_length;
+ 
+ 	return cdf_offset;
+ };
+@@ -315,28 +317,28 @@ static void unzip_create_leading_dirs(const char *fn)
+ 	free(name);
+ }
+ 
+-static void unzip_extract(zip_header_t *zip_header, int dst_fd)
++static void unzip_extract(zip_header_t *zip, int dst_fd)
+ {
+-	if (zip_header->formatted.method == 0) {
++	if (zip->fmt.method == 0) {
+ 		/* Method 0 - stored (not compressed) */
+-		off_t size = zip_header->formatted.ucmpsize;
++		off_t size = zip->fmt.ucmpsize;
+ 		if (size)
+ 			bb_copyfd_exact_size(zip_fd, dst_fd, size);
+ 	} else {
+ 		/* Method 8 - inflate */
+ 		transformer_state_t xstate;
+ 		init_transformer_state(&xstate);
+-		xstate.bytes_in = zip_header->formatted.cmpsize;
++		xstate.bytes_in = zip->fmt.cmpsize;
+ 		xstate.src_fd = zip_fd;
+ 		xstate.dst_fd = dst_fd;
+ 		if (inflate_unzip(&xstate) < 0)
+ 			bb_error_msg_and_die("inflate error");
+ 		/* Validate decompression - crc */
+-		if (zip_header->formatted.crc32 != (xstate.crc32 ^ 0xffffffffL)) {
++		if (zip->fmt.crc32 != (xstate.crc32 ^ 0xffffffffL)) {
+ 			bb_error_msg_and_die("crc error");
+ 		}
+ 		/* Validate decompression - size */
+-		if (zip_header->formatted.ucmpsize != xstate.bytes_out) {
++		if (zip->fmt.ucmpsize != xstate.bytes_out) {
+ 			/* Don't die. Who knows, maybe len calculation
+ 			 * was botched somewhere. After all, crc matched! */
+ 			bb_error_msg("bad length");
+@@ -563,7 +565,7 @@ int unzip_main(int argc, char **argv)
+ 	total_entries = 0;
+ 	cdf_offset = find_cdf_offset();	/* try to seek to the end, find CDE and CDF start */
+ 	while (1) {
+-		zip_header_t zip_header;
++		zip_header_t zip;
+ 		mode_t dir_mode = 0777;
+ #if ENABLE_FEATURE_UNZIP_CDF
+ 		mode_t file_mode = 0666;
+@@ -589,7 +591,7 @@ int unzip_main(int argc, char **argv)
+ 
+ 			/* Check magic number */
+ 			xread(zip_fd, &magic, 4);
+-			/* Central directory? It's at the end, so exit */
++			/* CDF item? Assume there are no more files, exit */
+ 			if (magic == ZIP_CDF_MAGIC) {
+ 				dbg("got ZIP_CDF_MAGIC");
+ 				break;
+@@ -605,71 +607,74 @@ int unzip_main(int argc, char **argv)
+ 				bb_error_msg_and_die("invalid zip magic %08X", (int)magic);
+ 			dbg("got ZIP_FILEHEADER_MAGIC");
+ 
+-			xread(zip_fd, zip_header.raw, ZIP_HEADER_LEN);
+-			FIX_ENDIANNESS_ZIP(zip_header);
+-			if ((zip_header.formatted.method != 0)
+-			 && (zip_header.formatted.method != 8)
++			xread(zip_fd, zip.raw, ZIP_HEADER_LEN);
++			FIX_ENDIANNESS_ZIP(zip);
++			if ((zip.fmt.method != 0)
++			 && (zip.fmt.method != 8)
+ 			) {
+ 				/* TODO? method 12: bzip2, method 14: LZMA */
+-				bb_error_msg_and_die("unsupported method %d", zip_header.formatted.method);
++				bb_error_msg_and_die("unsupported method %d", zip.fmt.method);
+ 			}
+-			if (zip_header.formatted.zip_flags & SWAP_LE16(0x0009)) {
++			if (zip.fmt.zip_flags & SWAP_LE16(0x0009)) {
+ 				bb_error_msg_and_die("zip flags 1 and 8 are not supported");
+ 			}
+ 		}
+ #if ENABLE_FEATURE_UNZIP_CDF
+ 		else {
+ 			/* cdf_offset is valid (and we know the file is seekable) */
+-			cdf_header_t cdf_header;
+-			cdf_offset = read_next_cdf(cdf_offset, &cdf_header);
++			cdf_header_t cdf;
++			cdf_offset = read_next_cdf(cdf_offset, &cdf);
+ 			if (cdf_offset == 0) /* EOF? */
+ 				break;
+-# if 0
++# if 1
+ 			xlseek(zip_fd,
+-				SWAP_LE32(cdf_header.formatted.relative_offset_of_local_header) + 4,
++				SWAP_LE32(cdf.fmt.relative_offset_of_local_header) + 4,
+ 				SEEK_SET);
+-			xread(zip_fd, zip_header.raw, ZIP_HEADER_LEN);
+-			FIX_ENDIANNESS_ZIP(zip_header);
+-			if (zip_header.formatted.zip_flags & SWAP_LE16(0x0008)) {
++			xread(zip_fd, zip.raw, ZIP_HEADER_LEN);
++			FIX_ENDIANNESS_ZIP(zip);
++			if (zip.fmt.zip_flags & SWAP_LE16(0x0008)) {
+ 				/* 0x0008 - streaming. [u]cmpsize can be reliably gotten
+ 				 * only from Central Directory.
+ 				 */
+-				zip_header.formatted.crc32    = cdf_header.formatted.crc32;
+-				zip_header.formatted.cmpsize  = cdf_header.formatted.cmpsize;
+-				zip_header.formatted.ucmpsize = cdf_header.formatted.ucmpsize;
++				zip.fmt.crc32    = cdf.fmt.crc32;
++				zip.fmt.cmpsize  = cdf.fmt.cmpsize;
++				zip.fmt.ucmpsize = cdf.fmt.ucmpsize;
+ 			}
+ # else
+-			/* CDF has the same data as local header, no need to read the latter */
+-			memcpy(&zip_header.formatted.version,
+-				&cdf_header.formatted.version_needed, ZIP_HEADER_LEN);
++			/* CDF has the same data as local header, no need to read the latter...
++			 * ...not really. An archive was seen with cdf.extra_len == 6 but
++			 * zip.extra_len == 0.
++			 */
++			memcpy(&zip.fmt.version,
++				&cdf.fmt.version_needed, ZIP_HEADER_LEN);
+ 			xlseek(zip_fd,
+-				SWAP_LE32(cdf_header.formatted.relative_offset_of_local_header) + 4 + ZIP_HEADER_LEN,
++				SWAP_LE32(cdf.fmt.relative_offset_of_local_header) + 4 + ZIP_HEADER_LEN,
+ 				SEEK_SET);
+ # endif
+-			if ((cdf_header.formatted.version_made_by >> 8) == 3) {
++			if ((cdf.fmt.version_made_by >> 8) == 3) {
+ 				/* This archive is created on Unix */
+-				dir_mode = file_mode = (cdf_header.formatted.external_file_attributes >> 16);
++				dir_mode = file_mode = (cdf.fmt.external_attributes >> 16);
+ 			}
+ 		}
+ #endif
+ 
+-		if (zip_header.formatted.zip_flags & SWAP_LE16(0x0001)) {
++		if (zip.fmt.zip_flags & SWAP_LE16(0x0001)) {
+ 			/* 0x0001 - encrypted */
+ 			bb_error_msg_and_die("zip flag 1 (encryption) is not supported");
+ 		}
+ 		dbg("File cmpsize:0x%x extra_len:0x%x ucmpsize:0x%x",
+-			(unsigned)zip_header.formatted.cmpsize,
+-			(unsigned)zip_header.formatted.extra_len,
+-			(unsigned)zip_header.formatted.ucmpsize
++			(unsigned)zip.fmt.cmpsize,
++			(unsigned)zip.fmt.extra_len,
++			(unsigned)zip.fmt.ucmpsize
+ 		);
+ 
+ 		/* Read filename */
+ 		free(dst_fn);
+-		dst_fn = xzalloc(zip_header.formatted.filename_len + 1);
+-		xread(zip_fd, dst_fn, zip_header.formatted.filename_len);
++		dst_fn = xzalloc(zip.fmt.filename_len + 1);
++		xread(zip_fd, dst_fn, zip.fmt.filename_len);
+ 
+ 		/* Skip extra header bytes */
+-		unzip_skip(zip_header.formatted.extra_len);
++		unzip_skip(zip.fmt.extra_len);
+ 
+ 		/* Guard against "/abspath", "/../" and similar attacks */
+ 		overlapping_strcpy(dst_fn, strip_unsafe_prefix(dst_fn));
+@@ -684,32 +689,32 @@ int unzip_main(int argc, char **argv)
+ 				/* List entry */
+ 				char dtbuf[sizeof("mm-dd-yyyy hh:mm")];
+ 				sprintf(dtbuf, "%02u-%02u-%04u %02u:%02u",
+-					(zip_header.formatted.moddate >> 5) & 0xf,  // mm: 0x01e0
+-					(zip_header.formatted.moddate)      & 0x1f, // dd: 0x001f
+-					(zip_header.formatted.moddate >> 9) + 1980, // yy: 0xfe00
+-					(zip_header.formatted.modtime >> 11),       // hh: 0xf800
+-					(zip_header.formatted.modtime >> 5) & 0x3f  // mm: 0x07e0
+-					// seconds/2 are not shown, encoded in ----------- 0x001f
++					(zip.fmt.moddate >> 5) & 0xf,  // mm: 0x01e0
++					(zip.fmt.moddate)      & 0x1f, // dd: 0x001f
++					(zip.fmt.moddate >> 9) + 1980, // yy: 0xfe00
++					(zip.fmt.modtime >> 11),       // hh: 0xf800
++					(zip.fmt.modtime >> 5) & 0x3f  // mm: 0x07e0
++					// seconds/2 not shown, encoded in -- 0x001f
+ 				);
+ 				if (!verbose) {
+ 					//      "  Length      Date    Time    Name\n"
+ 					//      "---------  ---------- -----   ----"
+ 					printf(       "%9u  " "%s   "         "%s\n",
+-						(unsigned)zip_header.formatted.ucmpsize,
++						(unsigned)zip.fmt.ucmpsize,
+ 						dtbuf,
+ 						dst_fn);
+ 				} else {
+-					unsigned long percents = zip_header.formatted.ucmpsize - zip_header.formatted.cmpsize;
++					unsigned long percents = zip.fmt.ucmpsize - zip.fmt.cmpsize;
+ 					if ((int32_t)percents < 0)
+ 						percents = 0; /* happens if ucmpsize < cmpsize */
+ 					percents = percents * 100;
+-					if (zip_header.formatted.ucmpsize)
+-						percents /= zip_header.formatted.ucmpsize;
++					if (zip.fmt.ucmpsize)
++						percents /= zip.fmt.ucmpsize;
+ 					//      " Length   Method    Size  Cmpr    Date    Time   CRC-32   Name\n"
+ 					//      "--------  ------  ------- ---- ---------- ----- --------  ----"
+ 					printf(      "%8u  %s"        "%9u%4u%% " "%s "         "%08x  "  "%s\n",
+-						(unsigned)zip_header.formatted.ucmpsize,
+-						zip_header.formatted.method == 0 ? "Stored" : "Defl:N", /* Defl is method 8 */
++						(unsigned)zip.fmt.ucmpsize,
++						zip.fmt.method == 0 ? "Stored" : "Defl:N", /* Defl is method 8 */
+ /* TODO: show other methods?
+  *  1 - Shrunk
+  *  2 - Reduced with compression factor 1
+@@ -722,15 +727,16 @@ int unzip_main(int argc, char **argv)
+  * 10 - PKWARE Data Compression Library Imploding
+  * 11 - Reserved by PKWARE
+  * 12 - BZIP2
++ * 14 - LZMA
+  */
+-						(unsigned)zip_header.formatted.cmpsize,
++						(unsigned)zip.fmt.cmpsize,
+ 						(unsigned)percents,
+ 						dtbuf,
+-						zip_header.formatted.crc32,
++						zip.fmt.crc32,
+ 						dst_fn);
+-					total_size += zip_header.formatted.cmpsize;
++					total_size += zip.fmt.cmpsize;
+ 				}
+-				total_usize += zip_header.formatted.ucmpsize;
++				total_usize += zip.fmt.ucmpsize;
+ 				i = 'n';
+ 			} else if (dst_fd == STDOUT_FILENO) {
+ 				/* Extracting to STDOUT */
+@@ -798,9 +804,11 @@ int unzip_main(int argc, char **argv)
+ #endif
+ 		case -1: /* Unzip */
+ 			if (!quiet) {
+-				printf("  inflating: %s\n", dst_fn);
++				printf(/* zip.fmt.method == 0
++					? " extracting: %s\n"
++					: */ "  inflating: %s\n", dst_fn);
+ 			}
+-			unzip_extract(&zip_header, dst_fd);
++			unzip_extract(&zip, dst_fd);
+ 			if (dst_fd != STDOUT_FILENO) {
+ 				/* closing STDOUT is potentially bad for future business */
+ 				close(dst_fd);
+@@ -811,7 +819,7 @@ int unzip_main(int argc, char **argv)
+ 			overwrite = O_NEVER;
+ 		case 'n':
+ 			/* Skip entry data */
+-			unzip_skip(zip_header.formatted.cmpsize);
++			unzip_skip(zip.fmt.cmpsize);
+ 			break;
+ 
+ 		case 'r':
+diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
+index d9c45242c..2e4becdb8 100755
+--- a/testsuite/unzip.tests
++++ b/testsuite/unzip.tests
+@@ -34,7 +34,9 @@ rm foo.zip
+ optional FEATURE_UNZIP_CDF
+ testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \
+ "Archive:  bad.zip
+-unzip: short read
++  inflating: ]3j½r«IK-%Ix
++unzip: corrupted data
++unzip: inflate error
+ 1
+ " \
+ "" "\
+-- 
+2.11.0
+

package/busybox/0008-httpd-fix-handling-of-range-requests.patch

@@ -0,0 +1,27 @@
+From 4316dff48aacb29307e1b52cb761fef603759b9d Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Mon, 18 Sep 2017 13:09:11 +0200
+Subject: [PATCH] httpd: fix handling of range requests
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ networking/httpd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/networking/httpd.c b/networking/httpd.c
+index d301d598d..84d819723 100644
+--- a/networking/httpd.c
++++ b/networking/httpd.c
+@@ -2337,7 +2337,7 @@ static void handle_incoming_and_exit(const len_and_sockaddr *fromAddr)
+ 			if (STRNCASECMP(iobuf, "Range:") == 0) {
+ 				/* We know only bytes=NNN-[MMM] */
+ 				char *s = skip_whitespace(iobuf + sizeof("Range:")-1);
+-				if (is_prefixed_with(s, "bytes=") == 0) {
++				if (is_prefixed_with(s, "bytes=")) {
+ 					s += sizeof("bytes=")-1;
+ 					range_start = BB_STRTOOFF(s, &s, 10);
+ 					if (s[0] != '-' || range_start < 0) {
+-- 
+2.11.0
+

package/busybox/busybox-minimal.config

@@ -22,7 +22,7 @@ CONFIG_FEATURE_INSTALLER=y
 # CONFIG_PAM is not set
 CONFIG_LONG_OPTS=y
 CONFIG_FEATURE_DEVPTS=y
-CONFIG_FEATURE_CLEAN_UP=y
+# CONFIG_FEATURE_CLEAN_UP is not set
 CONFIG_FEATURE_UTMP=y
 CONFIG_FEATURE_WTMP=y
 # CONFIG_FEATURE_PIDFILE is not set

package/busybox/busybox.config

@@ -22,7 +22,7 @@ CONFIG_FEATURE_INSTALLER=y
 # CONFIG_PAM is not set
 CONFIG_LONG_OPTS=y
 CONFIG_FEATURE_DEVPTS=y
-CONFIG_FEATURE_CLEAN_UP=y
+# CONFIG_FEATURE_CLEAN_UP is not set
 CONFIG_FEATURE_UTMP=y
 CONFIG_FEATURE_WTMP=y
 # CONFIG_FEATURE_PIDFILE is not set

package/busybox/busybox.mk

@@ -175,7 +175,7 @@ define BUSYBOX_INSTALL_LOGGING_SCRIPT
 	if grep -q CONFIG_SYSLOGD=y $(@D)/.config; then \
 		$(INSTALL) -m 0755 -D package/busybox/S01logging \
 			$(TARGET_DIR)/etc/init.d/S01logging; \
-	else rm -f $(TARGET_DIR)/etc/init.d/S01logging; fi
+	fi
 endef
 
 ifeq ($(BR2_INIT_BUSYBOX),y)

package/bzip2/bzip2.mk

@@ -12,13 +12,13 @@ BZIP2_LICENSE_FILES = LICENSE
 
 ifeq ($(BR2_STATIC_LIBS),)
 define BZIP2_BUILD_SHARED_CMDS
-	$(TARGET_MAKE_ENV)
+	$(TARGET_MAKE_ENV) \
 		$(MAKE) -C $(@D) -f Makefile-libbz2_so $(TARGET_CONFIGURE_OPTS)
 endef
 endif
 
 define BZIP2_BUILD_CMDS
-	$(TARGET_MAKE_ENV)
+	$(TARGET_MAKE_ENV) \
 		$(MAKE) -C $(@D) libbz2.a bzip2 bzip2recover $(TARGET_CONFIGURE_OPTS)
 	$(BZIP2_BUILD_SHARED_CMDS)
 endef

package/c-ares/c-ares.hash

@@ -1,2 +1,2 @@
 # Locally calculated after checking pgp signature
-sha256 8692f9403cdcdf936130e045c84021665118ee9bfea905d1a76f04d4e6f365fb c-ares-1.12.0.tar.gz
+sha256 03f708f1b14a26ab26c38abd51137640cb444d3ec72380b21b20f1a8d2861da7 c-ares-1.13.0.tar.gz

package/c-ares/c-ares.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-C_ARES_VERSION = 1.12.0
+C_ARES_VERSION = 1.13.0
 C_ARES_SITE = http://c-ares.haxx.se/download
 C_ARES_INSTALL_STAGING = YES
 C_ARES_CONF_OPTS = --with-random=/dev/urandom

package/ccache/ccache.hash

@@ -1,2 +1,3 @@
-# Verified key https://samba.org/ftp/ccache/ccache-3.3.3.tar.xz.asc - sha256 computed locally
-sha256  3b02a745da1cfa9eb438af7147e0fd3545e2f6163de9e5b07da86f58859f04ec  ccache-3.3.3.tar.xz
+# Verified key https://samba.org/ftp/ccache/ccache-3.3.4.tar.xz.asc - sha256 computed locally
+sha256  24f15bf389e38c41548c9c259532187774ec0cb9686c3497bbb75504c8dc404f  ccache-3.3.4.tar.xz
+sha256  190576a6e938760ec8113523e6fd380141117303e90766cc4802e770422b30c6  ccache-3.3.5.tar.xz

package/ccache/ccache.mk

@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-CCACHE_VERSION = 3.3.3
-CCACHE_SITE = https://samba.org/ftp/ccache
+CCACHE_VERSION = 3.3.5
+CCACHE_SITE = https://www.samba.org/ftp/ccache
 CCACHE_SOURCE = ccache-$(CCACHE_VERSION).tar.xz
 CCACHE_LICENSE = GPLv3+, others
 CCACHE_LICENSE_FILES = LICENSE.txt GPL-3.0.txt
@@ -28,9 +28,13 @@ HOST_CCACHE_CONF_OPTS += --with-bundled-zlib
 #    BR2_CCACHE_DIR.
 #  - Change hard-coded last-ditch default to match path in .config, to avoid
 #    the need to specify BR_CACHE_DIR when invoking ccache directly.
+#    CCache replaces "%s" with the home directory of the current user,
+#    So rewrite BR_CACHE_DIR to take that into consideration for SDK purpose
+HOST_CCACHE_DEFAULT_CCACHE_DIR = $(patsubst $(HOME)/%,\%s/%,$(BR_CACHE_DIR))
+
 define HOST_CCACHE_PATCH_CONFIGURATION
 	sed -i 's,getenv("CCACHE_DIR"),getenv("BR_CACHE_DIR"),' $(@D)/ccache.c
-	sed -i 's,"%s/.ccache","$(BR_CACHE_DIR)",' $(@D)/conf.c
+	sed -i 's,"%s/.ccache","$(HOST_CCACHE_DEFAULT_CCACHE_DIR)",' $(@D)/conf.c
 endef
 
 HOST_CCACHE_POST_PATCH_HOOKS += HOST_CCACHE_PATCH_CONFIGURATION

package/clamav/Config.in

@@ -1,6 +1,7 @@
 config BR2_PACKAGE_CLAMAV
 	bool "clamav"
 	select BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT_IF_LOCALE
+	select BR2_PACKAGE_LIBTOOL
 	select BR2_PACKAGE_OPENSSL
 	select BR2_PACKAGE_ZLIB
 	depends on BR2_TOOLCHAIN_HAS_THREADS

package/clamav/clamav.hash

@@ -1,2 +1,14 @@
 # Locally calculated
-sha256	167bd6a13e05ece326b968fdb539b05c2ffcfef6018a274a10aeda85c2c0027a	clamav-0.99.2.tar.gz
+sha256 00fa5292a6e00a3a4035b826267748965d5d2c4943d8ff417d740238263e8e84  clamav-0.99.3.tar.gz
+sha256 0c4fd2fa9733fc9122503797648710851e4ee6d9e4969dd33fcbd8c63cd2f584  COPYING
+sha256 d72a145c90918184a05ef65a04c9e6f7466faa59bc1b82c8f6a8ddc7ddcb9bed  COPYING.bzip2
+sha256 dfb818a0d41411c6fb1c193c68b73018ceadd1994bda41ad541cbff292894bc6  COPYING.file
+sha256 6dce638b76399e7521ad8e182d3e33e4496c85b3b69b6ff434b53017101e82ad  COPYING.getopt
+sha256 a9bdde5616ecdd1e980b44f360600ee8783b1f99b8cc83a2beb163a0a390e861  COPYING.LGPL
+sha256 e3a9b913515a42f8ff3ef1551c3a2cdba383c39ed959729e0e2911219496ad74  COPYING.llvm
+sha256 d96d71b66aa32c4a2d1619b9ca3347dafa9460bcf0fb5ac2408916067ad31dfc  COPYING.lzma
+sha256 accdcf2455c07b99abea59016b3663eaef926a92092d103bfaa25fed27cf6b24  COPYING.pcre
+sha256 e2c1395a3d9fea6d5d25847c9d783db6e2cc8b085b4025861f459139c5dfd90b  COPYING.regex
+sha256 1faccc6b5c7b958fb807a3f573d5be9bf7889fe898f7e0617c544b05a81bfd00  COPYING.unrar
+sha256 a20d6317c5384e8d4c05f9c31097878675d9429ec46090656166039cc10bc957  COPYING.YARA
+sha256 c2f77553f8d870c5635b0dace0519253233f172b33ce1fdf6578610706294eee  COPYING.zlib

package/clamav/clamav.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CLAMAV_VERSION = 0.99.2
+CLAMAV_VERSION = 0.99.3
 CLAMAV_SITE = https://www.clamav.net/downloads/production
 CLAMAV_LICENSE = GPLv2
 CLAMAV_LICENSE_FILES = COPYING COPYING.bzip2 COPYING.file COPYING.getopt \
@@ -12,6 +12,7 @@ CLAMAV_LICENSE_FILES = COPYING COPYING.bzip2 COPYING.file COPYING.getopt \
 	COPYING.unrar COPYING.zlib
 CLAMAV_DEPENDENCIES = \
 	host-pkgconf \
+	libtool \
 	openssl \
 	zlib \
 	$(if $(BR2_NEEDS_GETTEXT_IF_LOCALE),gettext)
@@ -24,6 +25,8 @@ CLAMAV_CONF_ENV = \
 # UCLIBC_HAS_FTS is disabled, therefore disable fanotify (missing fts.h)
 CLAMAV_CONF_OPTS = \
 	--with-dbdir=/var/lib/clamav \
+	--with-ltdl-include=$(STAGING_DIR)/usr/include \
+	--with-ltdl-lib=$(STAGING_DIR)/usr/lib \
 	--with-openssl=$(STAGING_DIR)/usr \
 	--with-zlib=$(STAGING_DIR)/usr \
 	--disable-zlib-vcheck \
@@ -45,6 +48,13 @@ else
 CLAMAV_CONF_OPTS += --disable-bzip2
 endif
 
+ifeq ($(BR2_PACKAGE_JSON_C),y)
+CLAMAV_CONF_OPTS += --with-libjson=$(STAGING_DIR)/usr
+CLAMAV_DEPENDENCIES += json-c
+else
+CLAMAV_CONF_OPTS += --without-libjson
+endif
+
 ifeq ($(BR2_PACKAGE_LIBXML2),y)
 CLAMAV_CONF_OPTS += --with-xml=$(STAGING_DIR)/usr
 CLAMAV_DEPENDENCIES += libxml2

package/cmake/cmake.mk

@@ -46,6 +46,7 @@ define HOST_CMAKE_CONFIGURE_CMDS
 			-DCMAKE_C_FLAGS="$(HOST_CMAKE_CFLAGS)" \
 			-DCMAKE_CXX_FLAGS="$(HOST_CMAKE_CXXFLAGS)" \
 			-DCMAKE_EXE_LINKER_FLAGS="$(HOST_LDFLAGS)" \
+			-DCMAKE_USE_OPENSSL:BOOL=OFF \
 			-DBUILD_CursesDialog=OFF \
 	)
 endef

package/collectd/0001-libcollectdclient-increase-error-buffer.patch

@@ -0,0 +1,87 @@
+From e170f3559fcda6d37a012aba187a96b1f42e8f9d Mon Sep 17 00:00:00 2001
+From: Ruben Kerkhof <ruben@rubenkerkhof.com>
+Date: Sun, 2 Jul 2017 21:52:14 +0200
+Subject: [PATCH] libcollectdclient: increase error buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+make[1]: Entering directory '/home/ruben/src/collectd'
+  CC       src/libcollectdclient/libcollectdclient_la-client.lo
+src/libcollectdclient/client.c: In function ‘lcc_getval’:
+src/libcollectdclient/client.c:621:23: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size 1010 [-Wformat-truncation=]
+     LCC_SET_ERRSTR(c, "Server error: %s", res.message);
+                       ^                   ~
+src/libcollectdclient/client.c:94:48: note: in definition of macro ‘LCC_SET_ERRSTR’
+     snprintf((c)->errbuf, sizeof((c)->errbuf), __VA_ARGS__);                   \
+                                                ^~~~~~~~~~~
+src/libcollectdclient/client.c:94:5: note: ‘snprintf’ output between 15 and 1038 bytes into a destination of size 1024
+     snprintf((c)->errbuf, sizeof((c)->errbuf), __VA_ARGS__);                   \
+     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+src/libcollectdclient/client.c:621:5: note: in expansion of macro ‘LCC_SET_ERRSTR’
+     LCC_SET_ERRSTR(c, "Server error: %s", res.message);
+     ^~~~~~~~~~~~~~
+src/libcollectdclient/client.c: In function ‘lcc_putval’:
+src/libcollectdclient/client.c:754:23: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size 1010 [-Wformat-truncation=]
+     LCC_SET_ERRSTR(c, "Server error: %s", res.message);
+                       ^                   ~
+src/libcollectdclient/client.c:94:48: note: in definition of macro ‘LCC_SET_ERRSTR’
+     snprintf((c)->errbuf, sizeof((c)->errbuf), __VA_ARGS__);                   \
+                                                ^~~~~~~~~~~
+src/libcollectdclient/client.c:94:5: note: ‘snprintf’ output between 15 and 1038 bytes into a destination of size 1024
+     snprintf((c)->errbuf, sizeof((c)->errbuf), __VA_ARGS__);                   \
+     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+src/libcollectdclient/client.c:754:5: note: in expansion of macro ‘LCC_SET_ERRSTR’
+     LCC_SET_ERRSTR(c, "Server error: %s", res.message);
+     ^~~~~~~~~~~~~~
+src/libcollectdclient/client.c: In function ‘lcc_flush’:
+src/libcollectdclient/client.c:802:23: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size 1010 [-Wformat-truncation=]
+     LCC_SET_ERRSTR(c, "Server error: %s", res.message);
+                       ^                   ~
+src/libcollectdclient/client.c:94:48: note: in definition of macro ‘LCC_SET_ERRSTR’
+     snprintf((c)->errbuf, sizeof((c)->errbuf), __VA_ARGS__);                   \
+                                                ^~~~~~~~~~~
+src/libcollectdclient/client.c:94:5: note: ‘snprintf’ output between 15 and 1038 bytes into a destination of size 1024
+     snprintf((c)->errbuf, sizeof((c)->errbuf), __VA_ARGS__);                   \
+     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+src/libcollectdclient/client.c:802:5: note: in expansion of macro ‘LCC_SET_ERRSTR’
+     LCC_SET_ERRSTR(c, "Server error: %s", res.message);
+     ^~~~~~~~~~~~~~
+src/libcollectdclient/client.c: In function ‘lcc_listval’:
+src/libcollectdclient/client.c:834:23: warning: ‘%s’ directive output may be truncated writing up to 1023 bytes into a region of size 1010 [-Wformat-truncation=]
+     LCC_SET_ERRSTR(c, "Server error: %s", res.message);
+                       ^                   ~
+src/libcollectdclient/client.c:94:48: note: in definition of macro ‘LCC_SET_ERRSTR’
+     snprintf((c)->errbuf, sizeof((c)->errbuf), __VA_ARGS__);                   \
+                                                ^~~~~~~~~~~
+src/libcollectdclient/client.c:94:5: note: ‘snprintf’ output between 15 and 1038 bytes into a destination of size 1024
+     snprintf((c)->errbuf, sizeof((c)->errbuf), __VA_ARGS__);                   \
+     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+src/libcollectdclient/client.c:834:5: note: in expansion of macro ‘LCC_SET_ERRSTR’
+     LCC_SET_ERRSTR(c, "Server error: %s", res.message);
+     ^~~~~~~~~~~~~~
+
+Fixes #2200
+
+[Upstream commit: https://git.octo.it/?p=collectd.git;a=commitdiff;h=e170f3559fcda6d37a012aba187a96b1f42e8f9d]
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+---
+ src/libcollectdclient/client.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libcollectdclient/client.c b/src/libcollectdclient/client.c
+index 51a4ab2..3ae2e71 100644
+--- a/src/libcollectdclient/client.c
++++ b/src/libcollectdclient/client.c
+@@ -99,7 +99,7 @@
+  */
+ struct lcc_connection_s {
+   FILE *fh;
+-  char errbuf[1024];
++  char errbuf[2048];
+ };
+ 
+ struct lcc_response_s {
+-- 
+1.7.10.4
+

package/collectd/collectd.mk

@@ -24,9 +24,23 @@ COLLECTD_PLUGINS_DISABLE = \
 
 COLLECTD_CONF_ENV += LIBS="-lm"
 
+#
+# NOTE: There's also a third availible setting "intswap", which might
+# be needed on some old ARM hardware (see [2]), but is not being
+# accounted for as per discussion [1]
+#
+# [1] http://lists.busybox.net/pipermail/buildroot/2017-November/206100.html
+# [2] http://lists.busybox.net/pipermail/buildroot/2017-November/206251.html
+#
+ifeq ($(BR2_ENDIAN),"BIG")
+COLLECTD_FP_LAYOUT=endianflip
+else
+COLLECTD_FP_LAYOUT=nothing
+endif
+
 COLLECTD_CONF_OPTS += \
 	--with-nan-emulation \
-	--with-fp-layout=nothing \
+	--with-fp-layout=$(COLLECTD_FP_LAYOUT) \
 	--with-perl-bindings=no \
 	$(foreach p, $(COLLECTD_PLUGINS_DISABLE), --disable-$(p)) \
 	$(if $(BR2_PACKAGE_COLLECTD_AGGREGATION),--enable-aggregation,--disable-aggregation) \

package/connman/connman.hash

@@ -1,2 +1,2 @@
 # From https://www.kernel.org/pub/linux/network/connman/sha256sums.asc
-sha256	bc8946036fa70124d663136f9f6b6238d897ca482782df907b07a428b09df5a0	connman-1.33.tar.xz
+sha256	66d7deb98371545c6e417239a9b3b3e3201c1529d08eedf40afbc859842cf2aa	connman-1.35.tar.xz

package/connman/connman.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CONNMAN_VERSION = 1.33
+CONNMAN_VERSION = 1.35
 CONNMAN_SOURCE = connman-$(CONNMAN_VERSION).tar.xz
 CONNMAN_SITE = $(BR2_KERNEL_MIRROR)/linux/network/connman
 CONNMAN_DEPENDENCIES = libglib2 dbus iptables

package/coreutils/coreutils.mk

@@ -56,8 +56,8 @@ COREUTILS_CONF_ENV = ac_cv_c_restrict=no \
 	INSTALL_PROGRAM=$(INSTALL)
 
 COREUTILS_BIN_PROGS = cat chgrp chmod chown cp date dd df dir echo false \
-	ln ls mkdir mknod mv pwd rm rmdir vdir sleep stty sync touch true \
-	uname join
+	kill link ln ls mkdir mknod mktemp mv nice printenv pwd rm rmdir \
+	vdir sleep stty sync touch true uname join
 
 # If both coreutils and busybox are selected, make certain coreutils
 # wins the fight over who gets to have their utils actually installed.

package/dbus/0001-config-loader-expat-Tell-Expat-not-to-defend-against.patch

@@ -0,0 +1,78 @@
+From 1252dc1d1f465b8ab6b36ff7252e395e66a040cf Mon Sep 17 00:00:00 2001
+From: Simon McVittie <smcv@debian.org>
+Date: Fri, 21 Jul 2017 10:46:39 +0100
+Subject: [PATCH 1/2] config-loader-expat: Tell Expat not to defend against
+ hash collisions
+
+By default, Expat uses cryptographic-quality random numbers as a salt for
+its hash algorithm, and since 2.2.1 it gets them from the getrandom
+syscall on Linux. That syscall refuses to return any entropy until the
+kernel's CSPRNG (random pool) has been initialized. Unfortunately, this
+can take as long as 40 seconds on embedded devices with few entropy
+sources, which is too long: if the system dbus-daemon blocks for that
+length of time, important D-Bus clients like systemd and systemd-logind
+time out and fail to connect to it.
+
+We're parsing small configuration files here, and we trust them
+completely, so we don't need to defend against hash collisions: nobody
+is going to be crafting them to cause pathological performance.
+
+Bug: https://bugs.freedesktop.org/show_bug.cgi?id=101858
+Signed-off-by: Simon McVittie <smcv@debian.org>
+Tested-by: Christopher Hewitt <hewitt@ieee.org>
+Reviewed-by: Philip Withnall <withnall@endlessm.com>
+
+Upstream commit 1252dc1d1f465b8ab6b36ff7252e395e66a040cf
+Signed-off-by: Marcus Hoffmann <m.hoffmann@cartelsol.com>
+---
+ bus/config-loader-expat.c | 14 ++++++++++++++
+ configure.ac              |  8 ++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/bus/config-loader-expat.c b/bus/config-loader-expat.c
+index b571fda3..27cbe2d0 100644
+--- a/bus/config-loader-expat.c
++++ b/bus/config-loader-expat.c
+@@ -203,6 +203,20 @@ bus_config_load (const DBusString      *file,
+       goto failed;
+     }
+ 
++  /* We do not need protection against hash collisions (CVE-2012-0876)
++   * because we are only parsing trusted XML; and if we let Expat block
++   * waiting for the CSPRNG to be initialized, as it does by default to
++   * defeat CVE-2012-0876, it can cause timeouts during early boot on
++   * entropy-starved embedded devices.
++   *
++   * TODO: When Expat gets a more explicit API for this than
++   * XML_SetHashSalt, check for that too, and use it preferentially.
++   * https://github.com/libexpat/libexpat/issues/91 */
++#if defined(HAVE_XML_SETHASHSALT)
++  /* Any nonzero number will do. https://xkcd.com/221/ */
++  XML_SetHashSalt (expat, 4);
++#endif
++
+   if (!_dbus_string_get_dirname (file, &dirname))
+     {
+       dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
+diff --git a/configure.ac b/configure.ac
+index 52da11fb..c4022ed7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -938,6 +938,14 @@ XML_CFLAGS=
+ AC_SUBST([XML_CFLAGS])
+ AC_SUBST([XML_LIBS])
+ 
++save_cflags="$CFLAGS"
++save_libs="$LIBS"
++CFLAGS="$CFLAGS $XML_CFLAGS"
++LIBS="$LIBS $XML_LIBS"
++AC_CHECK_FUNCS([XML_SetHashSalt])
++CFLAGS="$save_cflags"
++LIBS="$save_libs"
++
+ # Thread lib detection
+ AC_ARG_VAR([THREAD_LIBS])
+ save_libs="$LIBS"
+-- 
+2.11.0
+

package/dbus/dbus.mk

@@ -7,6 +7,8 @@
 DBUS_VERSION = 1.10.16
 DBUS_SITE = http://dbus.freedesktop.org/releases/dbus
 DBUS_LICENSE = AFLv2.1 or GPLv2+ (library, tools), GPLv2+ (tools)
+# 0001-config-loader-expat-Tell-Expat-not-to-defend-against.patch
+DBUS_AUTORECONF = YES
 DBUS_LICENSE_FILES = COPYING
 DBUS_INSTALL_STAGING = YES
 

package/dhcp/0002-v4_3-Plugs-a-socket-descriptor-leak-in-OMAPI.patch

@@ -0,0 +1,51 @@
+From 5097bc0559f592683faac1f67bf350e1bddf6ed4 Mon Sep 17 00:00:00 2001
+From: Thomas Markwalder <tmark@isc.org>
+Date: Thu, 7 Dec 2017 11:39:30 -0500
+Subject: [PATCH] [v4_3] Plugs a socket descriptor leak in OMAPI
+
+        Merges in rt46767.
+
+[baruch: drop RELNOTES hunk]
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Patch status: upstream commit 5097bc0559f
+
+ omapip/buffer.c  | 9 +++++++++
+ omapip/message.c | 2 +-
+
+diff --git a/omapip/buffer.c b/omapip/buffer.c
+index f7fdc3250e82..809034d1317b 100644
+--- a/omapip/buffer.c
++++ b/omapip/buffer.c
+@@ -566,6 +566,15 @@ isc_result_t omapi_connection_writer (omapi_object_t *h)
+ 			omapi_buffer_dereference (&buffer, MDL);
+ 		}
+ 	}
++
++	/* If we had data left to write when we're told to disconnect,
++	* we need recall disconnect, now that we're done writing.
++	* See rt46767. */
++	if (c->out_bytes == 0 && c->state == omapi_connection_disconnecting) {
++		omapi_disconnect (h, 1);
++		return ISC_R_SHUTTINGDOWN;
++	}
++
+ 	return ISC_R_SUCCESS;
+ }
+ 
+diff --git a/omapip/message.c b/omapip/message.c
+index 59ccdc2c05cf..21bcfc3822e7 100644
+--- a/omapip/message.c
++++ b/omapip/message.c
+@@ -339,7 +339,7 @@ isc_result_t omapi_message_unregister (omapi_object_t *mo)
+ }
+ 
+ #ifdef DEBUG_PROTOCOL
+-static const char *omapi_message_op_name(int op) {
++const char *omapi_message_op_name(int op) {
+ 	switch (op) {
+ 	case OMAPI_OP_OPEN:    return "OMAPI_OP_OPEN";
+ 	case OMAPI_OP_REFRESH: return "OMAPI_OP_REFRESH";
+-- 
+2.15.1
+

package/dhcp/Config.in

@@ -12,6 +12,7 @@ if BR2_PACKAGE_DHCP
 
 config BR2_PACKAGE_DHCP_SERVER
 	bool "dhcp server"
+	select BR2_PACKAGE_SYSTEMD_TMPFILES if BR2_PACKAGE_SYSTEMD
 	help
 	  DHCP server from the ISC DHCP distribution.
 

package/dhcp/dhcp.hash

@@ -1,2 +1,4 @@
-# Verified from https://ftp.isc.org/isc/dhcp/4.3.5/dhcp-4.3.5.tar.gz.sha256.asc
-sha256 eb95936bf15d2393c55dd505bc527d1d4408289cec5a9fa8abb99f7577e7f954  dhcp-4.3.5.tar.gz
+# Verified from https://ftp.isc.org/isc/dhcp/4.3.6/dhcp-4.3.6.tar.gz.sha256.asc
+sha256 a41eaf6364f1377fe065d35671d9cf82bbbc8f21207819b2b9f33f652aec6f1b  dhcp-4.3.6.tar.gz
+# Locally calculated
+sha256 dd7ae2201c0c11c3c1e2510d731c67b2f4bc8ba735707d7348ddd65f7b598562  LICENSE

package/dhcp/dhcp.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-DHCP_VERSION = 4.3.5
+DHCP_VERSION = 4.3.6
 DHCP_SITE = http://ftp.isc.org/isc/dhcp/$(DHCP_VERSION)
 DHCP_INSTALL_STAGING = YES
 DHCP_LICENSE = ISC

package/dialog/dialog.mk

@@ -6,7 +6,7 @@
 
 DIALOG_VERSION = 1.2-20150125
 DIALOG_SOURCE = dialog-$(DIALOG_VERSION).tgz
-DIALOG_SITE = ftp://invisible-island.net/dialog
+DIALOG_SITE = ftp://ftp.invisible-island.net/dialog
 DIALOG_CONF_OPTS = --with-ncurses --with-curses-dir=$(STAGING_DIR)/usr \
 	--disable-rpath-hack
 DIALOG_DEPENDENCIES = host-pkgconf ncurses

package/dnsmasq/dnsmasq.hash

@@ -1,2 +1,6 @@
 # Locally calculated after checking pgp signature
-sha256	4b92698dee19ca0cb2a8f2e48f1d2dffd01a21eb15d1fbed4cf085630c8c9f96	dnsmasq-2.76.tar.xz
+# http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.78.tar.xz.asc
+sha256	89949f438c74b0c7543f06689c319484bd126cc4b1f8c745c742ab397681252b	dnsmasq-2.78.tar.xz
+# Locally calculated
+sha256	dcc100d4161cc0b7177545ab6e47216f84857cda3843847c792a25289852dcaa	COPYING
+sha256	8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903	COPYING-v3

package/dnsmasq/dnsmasq.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-DNSMASQ_VERSION = 2.76
+DNSMASQ_VERSION = 2.78
 DNSMASQ_SOURCE = dnsmasq-$(DNSMASQ_VERSION).tar.xz
 DNSMASQ_SITE = http://thekelleys.org.uk/dnsmasq
 DNSMASQ_MAKE_ENV = $(TARGET_MAKE_ENV) CC="$(TARGET_CC)"
@@ -58,7 +58,7 @@ DNSMASQ_MAKE_OPTS += LIBS+="-ldl"
 endif
 
 define DNSMASQ_ENABLE_LUA
-	$(SED) 's/lua5.1/lua/g' $(DNSMASQ_DIR)/Makefile
+	$(SED) 's/lua5.2/lua/g' $(DNSMASQ_DIR)/Makefile
 	$(SED) 's^.*#define HAVE_LUASCRIPT.*^#define HAVE_LUASCRIPT^' \
 		$(DNSMASQ_DIR)/src/config.h
 endef

package/dovecot/0001-byteorder.h-fix-uclibc-build.patch

@@ -0,0 +1,32 @@
+From 902917880ca29f1007750a70cf46e7246b2d0a2a Mon Sep 17 00:00:00 2001
+From: Josef 'Jeff' Sipek <jeff.sipek@dovecot.fi>
+Date: Tue, 14 Nov 2017 06:01:21 +0100
+Subject: [PATCH] byteorder.h: fix uclibc build
+
+Patch suggested on upstream mailinglist:
+https://www.dovecot.org/pipermail/dovecot/2017-November/110019.html
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+---
+ src/lib/byteorder.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/lib/byteorder.h b/src/lib/byteorder.h
+index 2f5dc7c17..4ffe8da21 100644
+--- a/src/lib/byteorder.h
++++ b/src/lib/byteorder.h
+@@ -23,6 +23,11 @@
+ #ifndef BYTEORDER_H
+ #define BYTEORDER_H
+ 
++#undef bswap_8
++#undef bswap_16
++#undef bswap_32
++#undef bswap_64
++
+ /*
+  * These prototypes exist to catch bugs in the code generating macros below.
+  */
+-- 
+2.11.0
+

package/dovecot/0002-lib-auth-Fix-memory-leak-in-auth_client_request_abor.patch

@@ -0,0 +1,33 @@
+From 1a29ed2f96da1be22fa5a4d96c7583aa81b8b060 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@dovecot.fi>
+Date: Mon, 18 Dec 2017 16:50:51 +0200
+Subject: [PATCH] lib-auth: Fix memory leak in auth_client_request_abort()
+
+This caused memory leaks when authentication was aborted. For example
+with IMAP:
+
+a AUTHENTICATE PLAIN
+*
+
+Broken by 9137c55411aa39d41c1e705ddc34d5bd26c65021
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/lib-auth/auth-client-request.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/lib-auth/auth-client-request.c b/src/lib-auth/auth-client-request.c
+index 480fb42b3..046f7c307 100644
+--- a/src/lib-auth/auth-client-request.c
++++ b/src/lib-auth/auth-client-request.c
+@@ -186,6 +186,7 @@ void auth_client_request_abort(struct auth_client_request **_request)
+ 
+ 	auth_client_send_cancel(request->conn->client, request->id);
+ 	call_callback(request, AUTH_REQUEST_STATUS_ABORT, NULL, NULL);
++	pool_unref(&request->pool);
+ }
+ 
+ unsigned int auth_client_request_get_id(struct auth_client_request *request)
+-- 
+2.11.0
+

package/dovecot/dovecot.hash

@@ -1,2 +1,5 @@
 # Locally computed after checking signature
-sha256 ccfa9ffb7eb91e9e87c21c108324b911250c9ffa838bffb64b1caafadcb0f388  dovecot-2.2.29.1.tar.gz
+sha256 fe1e3b78609a56ee22fc209077e4b75348fa1bbd54c46f52bde2472a4c4cee84  dovecot-2.2.33.2.tar.gz
+sha256 a363b132e494f662d98c820d1481297e6ae72f194c2c91b6c39e1518b86240a8  COPYING
+sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING.LGPL
+sha256 52b8c95fabb19575281874b661ef7968ea47e8f5d74ba0dd40ce512e52b3fc97  COPYING.MIT

package/dovecot/dovecot.mk

@@ -5,7 +5,7 @@
 ################################################################################
 
 DOVECOT_VERSION_MAJOR = 2.2
-DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).29.1
+DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).33.2
 DOVECOT_SITE = http://www.dovecot.org/releases/$(DOVECOT_VERSION_MAJOR)
 DOVECOT_INSTALL_STAGING = YES
 DOVECOT_LICENSE = LGPLv2.1

package/dvb-apps/dvb-apps.mk

@@ -15,6 +15,8 @@ DVB_APPS_DEPENDENCIES = libiconv
 DVB_APPS_LDLIBS += -liconv
 endif
 
+DVB_APPS_MAKE_OPTS = PERL5LIB=$(@D)/util/scan
+
 ifeq ($(BR2_STATIC_LIBS),y)
 DVB_APPS_MAKE_OPTS += enable_shared=no
 else ifeq ($(BR2_SHARED_LIBS),y)
@@ -25,7 +27,7 @@ DVB_APPS_INSTALL_STAGING = YES
 
 define DVB_APPS_BUILD_CMDS
 	$(TARGET_CONFIGURE_OPTS) LDLIBS="$(DVB_APPS_LDLIBS)" \
-		$(MAKE) -C $(@D) CROSS_ROOT=$(STAGING_DIR) \
+		$(MAKE1) -C $(@D) CROSS_ROOT=$(STAGING_DIR) \
 		$(DVB_APPS_MAKE_OPTS)
 endef
 

package/e2fsprogs/0002-include-sys-sysmacros.h-as-needed.patch

@@ -0,0 +1,129 @@
+From 3fb715b55426875902dfef3056b2cf7335953178 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@gentoo.org>
+Date: Fri, 19 May 2017 13:25:59 -0400
+Subject: [PATCH] include sys/sysmacros.h as needed
+
+The minor/major/makedev macros are not entirely standard.  glibc has had
+the definitions in sys/sysmacros.h since the start, and wants to move away
+from always defining them implicitly via sys/types.h (as this pollutes the
+namespace in violation of POSIX).  Other C libraries have already dropped
+them.  Since the configure script already checks for this header, use that
+to pull in the header in files that use these macros.
+
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+
+Upstream commit 3fb715b55426875902dfef3056b2cf7335953178
+Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
+---
+ debugfs/debugfs.c      | 3 +++
+ lib/blkid/devname.c    | 3 +++
+ lib/blkid/devno.c      | 3 +++
+ lib/ext2fs/finddev.c   | 3 +++
+ lib/ext2fs/ismounted.c | 3 +++
+ misc/create_inode.c    | 4 ++++
+ misc/mk_hugefiles.c    | 3 +++
+ 7 files changed, 22 insertions(+)
+
+diff --git a/debugfs/debugfs.c b/debugfs/debugfs.c
+index 059ddc39..453f5b52 100644
+--- a/debugfs/debugfs.c
++++ b/debugfs/debugfs.c
+@@ -26,6 +26,9 @@ extern char *optarg;
+ #include <errno.h>
+ #endif
+ #include <fcntl.h>
++#ifdef HAVE_SYS_SYSMACROS_H
++#include <sys/sysmacros.h>
++#endif
+ 
+ #include "debugfs.h"
+ #include "uuid/uuid.h"
+diff --git a/lib/blkid/devname.c b/lib/blkid/devname.c
+index 3e2efa9d..671e781f 100644
+--- a/lib/blkid/devname.c
++++ b/lib/blkid/devname.c
+@@ -36,6 +36,9 @@
+ #if HAVE_SYS_MKDEV_H
+ #include <sys/mkdev.h>
+ #endif
++#ifdef HAVE_SYS_SYSMACROS_H
++#include <sys/sysmacros.h>
++#endif
+ #include <time.h>
+ 
+ #include "blkidP.h"
+diff --git a/lib/blkid/devno.c b/lib/blkid/devno.c
+index aa6eb907..480030f2 100644
+--- a/lib/blkid/devno.c
++++ b/lib/blkid/devno.c
+@@ -31,6 +31,9 @@
+ #if HAVE_SYS_MKDEV_H
+ #include <sys/mkdev.h>
+ #endif
++#ifdef HAVE_SYS_SYSMACROS_H
++#include <sys/sysmacros.h>
++#endif
+ 
+ #include "blkidP.h"
+ 
+diff --git a/lib/ext2fs/finddev.c b/lib/ext2fs/finddev.c
+index 311608de..62fa0dbe 100644
+--- a/lib/ext2fs/finddev.c
++++ b/lib/ext2fs/finddev.c
+@@ -31,6 +31,9 @@
+ #if HAVE_SYS_MKDEV_H
+ #include <sys/mkdev.h>
+ #endif
++#ifdef HAVE_SYS_SYSMACROS_H
++#include <sys/sysmacros.h>
++#endif
+ 
+ #include "ext2_fs.h"
+ #include "ext2fs.h"
+diff --git a/lib/ext2fs/ismounted.c b/lib/ext2fs/ismounted.c
+index bcac0f15..7d524715 100644
+--- a/lib/ext2fs/ismounted.c
++++ b/lib/ext2fs/ismounted.c
+@@ -49,6 +49,9 @@
+ #if HAVE_SYS_TYPES_H
+ #include <sys/types.h>
+ #endif
++#ifdef HAVE_SYS_SYSMACROS_H
++#include <sys/sysmacros.h>
++#endif
+ 
+ #include "ext2_fs.h"
+ #include "ext2fs.h"
+diff --git a/misc/create_inode.c b/misc/create_inode.c
+index ae22ff6f..8ce3fafa 100644
+--- a/misc/create_inode.c
++++ b/misc/create_inode.c
+@@ -22,6 +22,10 @@
+ #include <attr/xattr.h>
+ #endif
+ #include <sys/ioctl.h>
++#ifdef HAVE_SYS_SYSMACROS_H
++#include <sys/sysmacros.h>
++#endif
++
+ #include <ext2fs/ext2fs.h>
+ #include <ext2fs/ext2_types.h>
+ #include <ext2fs/fiemap.h>
+diff --git a/misc/mk_hugefiles.c b/misc/mk_hugefiles.c
+index 049c6f41..5882394d 100644
+--- a/misc/mk_hugefiles.c
++++ b/misc/mk_hugefiles.c
+@@ -35,6 +35,9 @@ extern int optind;
+ #include <sys/ioctl.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#ifdef HAVE_SYS_SYSMACROS_H
++#include <sys/sysmacros.h>
++#endif
+ #include <libgen.h>
+ #include <limits.h>
+ #include <blkid/blkid.h>
+-- 
+2.13.3
+

package/eeprog/Config.in

@@ -3,4 +3,4 @@ config BR2_PACKAGE_EEPROG
 	help
 	  Simple tool to read/write i2c eeprom chips.
 
-	  http://codesink.org/eeprog.html
+	  http://www.codesink.org/eeprog.html

package/efibootmgr/0003-Remove-extra-const-keywords-gcc-7-gripes-about.patch

@@ -0,0 +1,51 @@
+From a542b169003c2ef95ce6c00d40050eb10568b612 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 6 Feb 2017 16:34:54 -0500
+Subject: [PATCH] Remove extra const keywords gcc 7 gripes about.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+[Backported from upstream commit a542b169003c2ef95ce6c00d40050eb10568b612]
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+---
+ src/efibootdump.c | 2 +-
+ src/efibootmgr.c  | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/efibootdump.c b/src/efibootdump.c
+index 6ff8360..30a1943 100644
+--- a/src/efibootdump.c
++++ b/src/efibootdump.c
+@@ -39,7 +39,7 @@ print_boot_entry(efi_load_option *loadopt, size_t data_size)
+ 	uint8_t *optional_data = NULL;
+ 	size_t optional_data_len = 0;
+ 	uint16_t pathlen;
+-	const unsigned char const *desc;
++	const unsigned char *desc;
+ 	char *raw;
+ 	size_t raw_len;
+ 
+diff --git a/src/efibootmgr.c b/src/efibootmgr.c
+index 493f2cf..90a0998 100644
+--- a/src/efibootmgr.c
++++ b/src/efibootmgr.c
+@@ -221,7 +221,7 @@ warn_duplicate_name(list_t *var_list)
+ 	list_t *pos;
+ 	var_entry_t *entry;
+ 	efi_load_option *load_option;
+-	const unsigned char const *desc;
++	const unsigned char *desc;
+ 
+ 	list_for_each(pos, var_list) {
+ 		entry = list_entry(pos, var_entry_t, list);
+@@ -873,7 +873,7 @@ show_vars(const char *prefix)
+ {
+ 	list_t *pos;
+ 	var_entry_t *boot;
+-	const unsigned char const *description;
++	const unsigned char *description;
+ 	efi_load_option *load_option;
+ 	efidp dp = NULL;
+ 	unsigned char *optional_data = NULL;
+-- 
+2.9.4
+

package/efivar/0003-Remove-some-extra-const-that-gcc-complains-about.patch

@@ -0,0 +1,47 @@
+From 1c7c0f71c9d22efda4156881eb187b8c69d1cca7 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 6 Feb 2017 14:28:19 -0500
+Subject: [PATCH] Remove some extra "const" that gcc complains about.
+
+One of these days I'll get these right.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream commit 1c7c0f71c9d22e.
+
+ src/include/efivar/efiboot-loadopt.h | 4 ++--
+ src/loadopt.c                        | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/include/efivar/efiboot-loadopt.h b/src/include/efivar/efiboot-loadopt.h
+index 07db5c4c53e3..efc29c69d47e 100644
+--- a/src/include/efivar/efiboot-loadopt.h
++++ b/src/include/efivar/efiboot-loadopt.h
+@@ -32,8 +32,8 @@ extern ssize_t efi_loadopt_create(uint8_t *buf, ssize_t size,
+ 
+ extern efidp efi_loadopt_path(efi_load_option *opt, ssize_t limit)
+ 	__attribute__((__nonnull__ (1)));
+-extern const unsigned char const * efi_loadopt_desc(efi_load_option *opt,
+-						    ssize_t limit)
++extern const unsigned char * efi_loadopt_desc(efi_load_option *opt,
++					      ssize_t limit)
+ 	__attribute__((__visibility__ ("default")))
+ 	__attribute__((__nonnull__ (1)));
+ extern uint32_t efi_loadopt_attrs(efi_load_option *opt)
+diff --git a/src/loadopt.c b/src/loadopt.c
+index a63ca792d2dc..ce889867fd29 100644
+--- a/src/loadopt.c
++++ b/src/loadopt.c
+@@ -357,7 +357,7 @@ teardown(void)
+ 
+ __attribute__((__nonnull__ (1)))
+ __attribute__((__visibility__ ("default")))
+-const unsigned char const *
++const unsigned char *
+ efi_loadopt_desc(efi_load_option *opt, ssize_t limit)
+ {
+ 	if (last_desc) {
+-- 
+2.13.2
+

package/eudev/S10udev

@@ -27,9 +27,9 @@ test -r $UDEV_CONFIG || exit 6
 
 case "$1" in
     start)
-        printf "Populating ${udev_root:-/dev} using udev: "
+        printf "Populating %s using udev: " "${udev_root:-/dev}"
         printf '\000\000\000\000' > /proc/sys/kernel/hotplug
-        $UDEV_BIN -d || (echo "FAIL" && exit 1)
+        $UDEV_BIN -d || { echo "FAIL"; exit 1; }
         udevadm trigger --type=subsystems --action=add
         udevadm trigger --type=devices --action=add
         udevadm settle --timeout=30 || echo "udevadm settle failed"

package/exim/0003-Skip-version-check-and-symlink-installation.patch

@@ -9,6 +9,8 @@ Inspired by:
 http://patch-tracker.debian.org/patch/series/view/exim4/4.76-2/35_install.dpatch
 
 Signed-off-by: Luca Ceresoli <luca@lucaceresoli.net>
+(rebased against exim 4.89)
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
 ---
  scripts/exim_install |    7 +++++--
  1 files changed, 5 insertions(+), 2 deletions(-)
@@ -17,7 +19,7 @@ diff --git a/scripts/exim_install b/scripts/exim_install
 index e68e7d5..487a4e1 100755
 --- a/scripts/exim_install
 +++ b/scripts/exim_install
-@@ -59,6 +59,8 @@ while [ $# -gt 0 ] ; do
+@@ -58,6 +58,8 @@
    shift
  done
  
@@ -26,15 +28,14 @@ index e68e7d5..487a4e1 100755
  # Get the values of BIN_DIRECTORY, CONFIGURE_FILE, INFO_DIRECTORY, NO_SYMLINK,
  # SYSTEM_ALIASES_FILE, and EXE from the global Makefile (in the build
  # directory). EXE is empty except in the Cygwin environment. In each case, keep
-@@ -218,8 +220,9 @@ while [ $# -gt 0 ]; do
+@@ -217,9 +219,7 @@
    # The exim binary is handled specially
  
    if [ $name = exim${EXE} ]; then
--    version=exim-`./exim -bV -C /dev/null | \
+-    exim="./exim -bV -C /dev/null"
+-    version=exim-`$exim 2>/dev/null | \
 -      awk '/Exim version/ { OFS=""; print $3,"-",substr($4,2,length($4)-1) }'`${EXE}
 +    version=exim
-+#    version=exim-`./exim -bV -C /dev/null | \
-+#      awk '/Exim version/ { OFS=""; print $3,"-",substr($4,2,length($4)-1) }'`${EXE}
  
      if [ "${version}" = "exim-${EXE}" ]; then
        echo $com ""

package/exim/0004-glibc.patch

@@ -0,0 +1,27 @@
+uClibc does not contain gnu/libc-version.h
+
+Patch sent upstream: https://bugs.exim.org/show_bug.cgi?id=2070
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+
+diff -uNr exim-4.88.org/src/exim.c exim-4.88/src/exim.c
+--- exim-4.88.org/src/exim.c	2016-12-18 15:02:28.000000000 +0100
++++ exim-4.88/src/exim.c	2016-12-26 12:12:57.000000000 +0100
+@@ -12,7 +12,7 @@
+ 
+ #include "exim.h"
+ 
+-#ifdef __GLIBC__
++#if defined(__GLIBC__) && !defined(__UCLIBC__)
+ # include <gnu/libc-version.h>
+ #endif
+ 
+@@ -1044,7 +1044,7 @@
+   fprintf(f, "Compiler: <unknown>\n");
+ #endif
+ 
+-#ifdef __GLIBC__
++#if defined(__GLIBC__) && !defined(__UCLIBC__)
+   fprintf(f, "Library version: Glibc: Compile: %d.%d\n",
+ 	       	__GLIBC__, __GLIBC_MINOR__);
+   if (__GLIBC_PREREQ(2, 1))

package/exim/exim.hash

@@ -1,2 +1,2 @@
-# Locally calculated
-sha256	d4b7994c89240d2f9a9fcd7a2dffa4b72f14379001a24266f4dbb0fbe5131514	exim-4.87.1.tar.bz2
+# Locally calculated after checking pgp signature
+sha256 1a21322a10e2da9c0bd6a2a483b6e7ef8fa7f16efcab4c450fd73e7188f5fa94  exim-4.89.1.tar.xz

package/exim/exim.mk

@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-EXIM_VERSION = 4.87.1
-EXIM_SOURCE = exim-$(EXIM_VERSION).tar.bz2
-EXIM_SITE = ftp://ftp.exim.org/pub/exim/exim4/old
+EXIM_VERSION = 4.89.1
+EXIM_SOURCE = exim-$(EXIM_VERSION).tar.xz
+EXIM_SITE = ftp://ftp.exim.org/pub/exim/exim4
 EXIM_LICENSE = GPLv2+
 EXIM_LICENSE_FILES = LICENCE
 EXIM_DEPENDENCIES = pcre berkeleydb host-pkgconf

package/expat/expat.hash

@@ -1,5 +1,5 @@
-# From https://sourceforge.net/projects/expat/files/expat/2.2.0/
-md5	2f47841c829facb346eb6e3fab5212e2	expat-2.2.0.tar.bz2
-sha1	8453bc52324be4c796fd38742ec48470eef358b3	expat-2.2.0.tar.bz2
+# From https://sourceforge.net/projects/expat/files/expat/2.2.2/
+md5	1ede9a41223c78528b8c5d23e69a2667	expat-2.2.2.tar.bz2
+sha1	891cee988b38d5d66953f62f94c3150b8810a70a	expat-2.2.2.tar.bz2
 # Calculated based on the hashes above
-sha256	d9e50ff2d19b3538bd2127902a89987474e1a4db8e43a66a4d1a712ab9a504ff	expat-2.2.0.tar.bz2
+sha256	4376911fcf81a23ebd821bbabc26fd933f3ac74833f74924342c29aad2c86046	expat-2.2.2.tar.bz2

package/expat/expat.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-EXPAT_VERSION = 2.2.0
+EXPAT_VERSION = 2.2.2
 EXPAT_SITE = http://downloads.sourceforge.net/project/expat/expat/$(EXPAT_VERSION)
 EXPAT_SOURCE = expat-$(EXPAT_VERSION).tar.bz2
 EXPAT_INSTALL_STAGING = YES
@@ -15,5 +15,14 @@ HOST_EXPAT_DEPENDENCIES = host-pkgconf
 EXPAT_LICENSE = MIT
 EXPAT_LICENSE_FILES = COPYING
 
+# Kernel versions older than 3.17 do not support getrandom()
+ifeq ($(BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_17),)
+EXPAT_CONF_ENV += CPPFLAGS="$(TARGET_CPPFLAGS) -DXML_POOR_ENTROPY"
+endif
+
+# Make build succeed on host kernel older than 3.17. getrandom() will still
+# be used on newer kernels.
+HOST_EXPAT_CONF_ENV += CPPFLAGS="$(HOST_CPPFLAGS) -DXML_POOR_ENTROPY"
+
 $(eval $(autotools-package))
 $(eval $(host-autotools-package))

package/faad2/0001-getopt-fix-strncmp-declaration.patch

@@ -0,0 +1,40 @@
+From 6787914efad562e4097a153988109c5c7158abf7 Mon Sep 17 00:00:00 2001
+From: Baruch Siach <baruch@tkos.co.il>
+Date: Wed, 16 Aug 2017 13:35:57 +0300
+Subject: [PATCH] getopt: fix strncmp() declaration
+
+The strncmp() declaration does not conform with the standard as to the
+type of the 'n' parameter. Fix this to avoid the following build failure
+with musl libc:
+
+n file included from main.c:61:0:
+getopt.c:175:13: error: conflicting types for 'strncmp'
+ extern int  strncmp(const char *s1, const char *s2, unsigned int n);
+             ^~~~~~~
+In file included from main.c:49:0:
+.../host/x86_64-buildroot-linux-musl/sysroot/usr/include/string.h:38:5: note: previous declaration of 'strncmp' was here
+ int strncmp (const char *, const char *, size_t);
+     ^~~~~~~
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+---
+Upstream status: https://sourceforge.net/p/faac/bugs/217/
+
+ frontend/getopt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/frontend/getopt.c b/frontend/getopt.c
+index 185d49b804dd..40c7a2242551 100644
+--- a/frontend/getopt.c
++++ b/frontend/getopt.c
+@@ -172,7 +172,7 @@ static enum
+ #if __STDC__ || defined(PROTO)
+ extern char *getenv(const char *name);
+ extern int  strcmp (const char *s1, const char *s2);
+-extern int  strncmp(const char *s1, const char *s2, unsigned int n);
++extern int  strncmp(const char *s1, const char *s2, size_t n);
+ 
+ static int my_strlen(const char *s);
+ static char *my_index (const char *str, int chr);
+-- 
+2.14.1
+

package/faad2/faad2.hash

@@ -1,4 +1,4 @@
-# From http://sourceforge.net/projects/faac/files/faad2-src/faad2-2.7/ (used by upstream):
-sha1	80eaaa5cc576c35dd28863767b795c50cbcc0511  faad2-2.7.tar.gz
+# From http://sourceforge.net/projects/faac/files/faad2-src/faad2-2.8.0/ (used by upstream):
+sha1	a5caa71cd915acd502d96cba56f38296277f2350  faad2-2.8.1.tar.bz2
 # Locally computed
-sha256  ee26ed1e177c0cd8fa8458a481b14a0b24ca0b51468c8b4c8b676fd3ceccd330  faad2-2.7.tar.gz
+sha256  f4042496f6b0a60f5ded6acd11093230044ef8a2fd965360c1bbd5b58780933d  faad2-2.8.1.tar.bz2

package/faad2/faad2.mk

@@ -4,10 +4,14 @@
 #
 ################################################################################
 
-FAAD2_VERSION = 2.7
-FAAD2_SITE = http://downloads.sourceforge.net/project/faac/faad2-src/faad2-$(FAAD2_VERSION)
+FAAD2_VERSION_MAJOR = 2.8
+FAAD2_VERSION = $(FAAD2_VERSION_MAJOR).1
+FAAD2_SITE = http://downloads.sourceforge.net/project/faac/faad2-src/faad2-$(FAAD2_VERSION_MAJOR).0
+FAAD2_SOURCE = faad2-$(FAAD2_VERSION).tar.bz2
 FAAD2_LICENSE = GPLv2
 FAAD2_LICENSE_FILES = COPYING
+# No configure script in upstream tarball
+FAAD2_AUTORECONF = YES
 # frontend/faad calls frexp()
 FAAD2_CONF_ENV = LIBS=-lm
 FAAD2_INSTALL_STAGING = YES

package/fakeroot/0002-communicate-check-return-status-of-msgrcv.patch

@@ -0,0 +1,46 @@
+From a853f21633693f9eefc4949660253a5328d2d2f3 Mon Sep 17 00:00:00 2001
+From: "Yann E. MORIN" <yann.morin.1998@free.fr>
+Date: Sun, 13 Aug 2017 23:21:54 +0200
+Subject: [PATCH 1/1] communicate: check return status of msgrcv()
+
+msgrcv can return with -1 to indicate an error condition.
+One such error is to have been interrupted by a signal.
+
+Being interrupted by a signal is very rare in this code, except in a
+very special condition: a highly-parallel (1000 jobs!) mksquashfs on
+a filesystem with extended attributes, where we see errors like (those
+are mksquashfs errors):
+    llistxattr for titi/603/883 failed in read_attrs, because Unknown
+    error 1716527536
+
+See: https://bugs.busybox.net/show_bug.cgi?id=10141
+
+In this case, we just have to retry the call to msgrcv().
+
+Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
+---
+ communicate.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/communicate.c b/communicate.c
+index 293f404..787bb63 100644
+--- a/communicate.c
++++ b/communicate.c
+@@ -553,10 +553,13 @@ void send_get_fakem(struct fake_msg *buf)
+       l=msgrcv(msg_get,
+                (struct my_msgbuf*)buf,
+                sizeof(*buf)-sizeof(buf->mtype),0,0);
+-    while((buf->serial!=serial)||buf->pid!=pid);
++    while(((l==-1)&&(errno==EINTR))||(buf->serial!=serial)||buf->pid!=pid);
+ 
+     semaphore_down();
+ 
++    if(l==-1)
++      buf->xattr.flags_rc=errno;
++
+     /*
+     (nah, may be wrong, due to allignment)
+ 
+-- 
+2.11.0
+

package/fcgiwrap/fcgiwrap.mk

@@ -10,6 +10,7 @@ FCGIWRAP_DEPENDENCIES = host-pkgconf libfcgi
 FCGIWRAP_LICENSE = MIT
 FCGIWRAP_LICENSE_FILES = COPYING
 FCGIWRAP_AUTORECONF = YES
+FCGIWRAP_CONF_ENV = CFLAGS="$(TARGET_CFLAGS) -Wno-error"
 
 ifeq ($(BR2_PACKAGE_SYSTEMD),y)
 FCGIWRAP_DEPENDENCIES += systemd

package/ffmpeg/ffmpeg.hash

@@ -1,2 +1,2 @@
 # Locally calculated
-sha256 54ce502aca10b7e6059f19220ea2f68fa0c9c4c4d255ae13e615f08f0c94dcc5  ffmpeg-3.2.3.tar.xz
+sha256 1131d37890ed3dcbc3970452b200a56ceb36b73eaa51d1c23c770c90f928537f  ffmpeg-3.2.9.tar.xz

package/ffmpeg/ffmpeg.mk

@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-FFMPEG_VERSION = 3.2.3
+FFMPEG_VERSION = 3.2.9
 FFMPEG_SOURCE = ffmpeg-$(FFMPEG_VERSION).tar.xz
 FFMPEG_SITE = http://ffmpeg.org/releases
 FFMPEG_INSTALL_STAGING = YES
@@ -44,6 +44,9 @@ FFMPEG_CONF_OPTS = \
 	--disable-mipsdspr2 \
 	--disable-msa \
 	--enable-hwaccels \
+	--disable-cuda \
+	--disable-cuvid \
+	--disable-nvenc \
 	--disable-avisynth \
 	--disable-frei0r \
 	--disable-libopencore-amrnb \
@@ -159,12 +162,18 @@ endif
 
 ifeq ($(BR2_PACKAGE_FFMPEG_INDEVS),y)
 FFMPEG_CONF_OPTS += --enable-indevs
+ifeq ($(BR2_PACKAGE_ALSA_LIB),y)
+FFMPEG_DEPENDENCIES += alsa-lib
+endif
 else
 FFMPEG_CONF_OPTS += --disable-indevs
 endif
 
 ifeq ($(BR2_PACKAGE_FFMPEG_OUTDEVS),y)
 FFMPEG_CONF_OPTS += --enable-outdevs
+ifeq ($(BR2_PACKAGE_ALSA_LIB),y)
+FFMPEG_DEPENDENCIES += alsa-lib
+endif
 else
 FFMPEG_CONF_OPTS += --disable-outdevs
 endif

package/file/file.hash

@@ -1,2 +1,2 @@
 # Locally calculated
-sha256 ea661277cd39bf8f063d3a83ee875432cc3680494169f952787e002bdd3884c0  file-5.29.tar.gz
+sha256 8639dc4d1b21e232285cd483604afc4a6ee810710e00e579dbe9591681722b50  file-5.32.tar.gz