u-boot-tools: drop yaml in DT validation

Since yamltree was dropped from upstream dtc (i.e., in Linux), a patch was
sent to U-Boot to backport the corresponding changes.

Apply this patch in u-boot's sources.

Overall, this fixes the build-time issues with DTC (and so in
u-boot-tools).

Considering libyaml is no longer used, the dependency on libyaml-native can be
dropped as well (thus reverting the change below):

02e09e036e: u-boot-tools: Add dependency on libyaml for dtschema validation

Signed-off-by: João Marcos Costa <joaomarcos.costa@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

wireless-regdb: upgrade 2026.02.04 -> 2026.03.18

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

devtool: Disable gpg signing when setting up source tree repos

This stops 'devtool modify foo' from failing with an error message like

    ERROR: Execution of 'git -c user.name=\"OpenEmbedded\" -c
    user.email=\"oe.patch@oe\" commit -q -m "Initial commit from upstream at
    version 1.90.0"' failed with exit code 128:
    error: cannot run ssh-keygen: No such file or directory
    error:
    fatal: failed to write commit object

when GPG signing is enabled in the git configuration.

Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

tzdata/tzcode-native: upgrade 2026a -> 2026b

The 2026b release contains the following changes:

Briefly:
    British Columbia moved to permanent -07 on 2026-03-09.
    Some more overflow bugs have been fixed in zic.

Changes to future timestamps

    British Columbia’s 2026-03-08 spring forward was its last
    foreseeable clock change, as it moved to permanent -07 thereafter.
    (Thanks to Arthur David Olson.)  Although the change to permanent
    -07 legally took place on 2026-03-09, temporarily model the change
    to occur on 2026-11-01 at 02:00 instead.  This works around a
    limitation in CLDR v48.2 (2026-03-17).  This temporary hack is
    planned to be removed after CLDR is fixed.

Changes to code

    zic no longer mishandles a last transition to a new time type.
    zic no longer overflows a buffer when generating a TZ string like
    "PST-167:59:58PDT-167:59:59,M11.5.6/-167:59:59,M12.5.6/-167:59:59",
    which can occur with adversarial input.  (Thanks to Naveed Khan.)

    zic no longer generates a longer TZif file than necessary when
    an earlier time zone abbreviation is a suffix of a later one.
    As a nice side effect, zic no longer overflows a buffer when given
    a long series of abbreviations, each a suffix of the next.
    (Buffer overflow reported by Arthur Chan.)

    zic no longer overflows an int when processing input like ‘Zone
    Ouch 2147483648:00:00 - LMT’.  The int overflow can lead to buffer
    overflow in adversarial cases.  (Thanks to Naveed Khan.)

    zic now checks for signals more often.

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>

python3-lxml: upgrade 6.0.4 -> 6.1.0

Solves CVE-2026-41066.

Release notes: [1]

[1] https://lxml.de/6.1/changes-6.1.0.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

libpng: upgrade 1.6.56 -> 1.6.58

Solves CVE-2026-34757 (in 1.6.57, as described in CVE description).
Solves also regression of CVE-2026-33416 (in 1.56.58).

Explicit CVE_STATUS is needed to remove it from open CVE list.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

libgcrypt: upgrade 1.12.1 -> 1.12.2

Solves CVE-2026-41989 and CVE-2026-41990.

Release notes: [1]

Refereshed patches.

[1] https://lists.gnu.org/archive/html/info-gnu/2026-04/msg00007.html

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

libarchive: set status for CVE-2026-4426

This is a version-less RedHat CVE so needs explicit status.
Fix reference: PR/commit listed in [1] backported as [2].

[1] https://security-tracker.debian.org/tracker/CVE-2026-4426
[2] https://github.com/libarchive/libarchive/commit/ec1bc43156b84e12ff363f39005533e6f7067297

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

libcap: set status for CVE-2026-4878

This is version-less RedHat CVE, so needs explicit status.
Fix reference: [1]

[1] https://security-tracker.debian.org/tracker/CVE-2026-4878

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

libsdl2: set status for CVE-2026-35444

This CVE is for SDL_IMAGE, not SDL.

Mapping in sbom-cve-check tool seems to be wrong at [1].
It maps both SDL and SDL_IMAGE to the same CPE.

[1] https://github.com/bootlin/sbom-cve-check/blob/v1.3.0/src/sbom_cve_check/products/products.toml#L1608

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

libmicrohttpd: set status for CVE-2025-59777 and CVE-2025-62689

This was fixed in the same commit includeded in 1.0.3 per [1] and [2].
The CVEs have dates instead of version in CPE.

[1] https://security-tracker.debian.org/tracker/CVE-2025-59777
[2] https://security-tracker.debian.org/tracker/CVE-2025-62689

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

libsoup: set status for CVE-2026-2369

Per [1] this is fixed by commit in version 3.6.6.
It is RedHat version-less CVE.

[1] https://security-tracker.debian.org/tracker/CVE-2026-2369

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

wireless-regdb: use ${firmwaredir} instead of ${nonarch_base_libdir}/firmware

Now that firmwaredir has been defined, use it instead of explicitly using
${nonarch_base_libdir}/firmware.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

classes/kernel-module-split: return list of values in extract_modinfo

extract_modinfo() currently returns a dictionary of key-value entries,
but many fields in modinfo can have more than one value:

  $ modinfo drivers/bluetooth/btmrvl_sdio.ko
  filename:       btmrvl_sdio.ko
  firmware:       mrvl/sdsd8997_combo_v4.bin
  firmware:       mrvl/sd8987_uapsta.bin
  [ ... ]
  firmware:       mrvl/sd8688_helper.bin
  license:        GPL v2
  version:        1.0
  description:    Marvell BT-over-SDIO driver ver 1.0
  author:         Marvell International Ltd.
  srcversion:     7C108FB5953EFD4D4DE0A4C
  alias:          sdio:c*v02DFd9142*
  [ ... ]
  alias:          sdio:c*v02DFd9105*
  depends:        btmrvl
  intree:         Y
  name:           btmrvl_sdio
  vermagic:       6.18.24-yocto-standard SMP preempt mod_unload aarch64

Instead of returning a dict of key:value pairs, return a dict of key to
list of values and update the callers to take the first element in the
list where a single value is expected (such as the description).

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

classes/kernel-module-split: skip .debug files early

There's no need to try and extract modinfo from .debug files as there is
none, so don't even try.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

linux-firmware: split out MediaTek mt7996 firmare

The firmware for the MT7996/MT7992/MT7990 devices that use the mt7996e
driver comes to 13MB. Split it out of the -mediatek catch-all as that
accounts for over 20% of the firmware:

linux-firmware: PACKAGES: added "linux-firmware-mt7996"
linux-firmware/linux-firmware-mediatek: PKGSIZE changed from 61848181 to 49149973 (-21%)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

linux-firmware: delink some tegra firmware to avoid pulling in full nvidia firmware

Some Nvidia firmware is shared between products but the symlinks cross
product/driver boundaries, resulting in the -nvidia-tegra package
depending on the ~150MB -nvidia-gpu package for a few 10kb files.

If we replace the symlinks with the actual content of the files then this
dependency disappears.

linux-firmware/linux-firmware-nvidia-tegra: RDEPENDS: removed "linux-firmware-nvidia-gpu"

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

wpa_supplicant: recommend the wireless regulatory database

This often gets pulled into images via packagegroup-base-wifi but not
always, and the regulatory database is important to have.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

linux-firmware: use ${firmwaredir} instead of ${nonarch_base_libdir}/firmware

Now that firmwaredir has been defined, use it instead of explicitly using
${nonarch_base_libdir}/firmware.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

bluez5: use ${firmwaredir} instead of ${nonarch_base_libdir}/firmware

Now that firmwaredir has been defined, use it instead of explicitly using
${nonarch_base_libdir}/firmware.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

classes/kernel: use ${firmwaredir} instead of ${nonarch_base_libdir}/firmware

Now that firmwaredir has been defined, use it instead of explicitly using
${nonarch_base_libdir}/firmware.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

bitbake.conf: add firmwaredir

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

xz: upgrade 5.8.2 -> 5.8.3

Drop backported patch

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

vulkan-samples: upgrade to latest revision

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

ttyrun: upgrade 2.41.0 -> 2.42.0

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

spirv-llvm-translator: upgrade 22.1.1 -> 22.1.2

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

shaderc: upgrade 2026.1 -> 2026.2

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

ruby: upgrade 4.0.2 -> 4.0.3

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

rsync: upgrade 3.4.1 -> 3.4.2

Drop backported CVE patch included in this release.

Parts of the prototypes patch were fixed upstream (in zlib) but some sections
were not, drop the merged sections of the patch.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

rpm-sequoia: upgrade 1.10.1 -> 1.10.2

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

rpm-sequoia-crypto-policy: upgrade to latest revision

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

repo: upgrade 2.62 -> 2.63

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-wheel: upgrade 0.46.3 -> 0.47.0

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-uv-build: upgrade 0.10.10 -> 0.11.8

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-uritools: upgrade 6.0.1 -> 6.1.0

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-trove-classifiers: upgrade 2026.1.14.14 -> 2026.4.28.13

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-testtools: upgrade 2.9.0 -> 2.9.1

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-pyopenssl: upgrade 26.0.0 -> 26.1.0

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-pygobject: upgrade 3.56.1 -> 3.56.2

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-pip: upgrade 26.0.1 -> 26.1

License-Update: Drop mention of CONTRIBUTORS.txt

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-pdm: upgrade 2.26.7 -> 2.26.8

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-pathspec: upgrade 1.0.4 -> 1.1.1

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-numpy: upgrade 2.4.3 -> 2.4.4

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-mako: upgrade 1.3.10 -> 1.3.12

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-jsonpointer: upgrade 3.0.0 -> 3.1.1

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-idna: upgrade 3.11 -> 3.13

License-Update: Copyright years change

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-hypothesis: upgrade 6.151.9 -> 6.152.4

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-click: upgrade 8.3.1 -> 8.3.3

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-certifi: upgrade 2026.2.25 -> 2026.4.22

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-build: upgrade 1.4.3 -> 1.5.0

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-attrs: upgrade 25.4.0 -> 26.1.0

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

puzzles: upgrade to latest revision

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

nghttp2: upgrade 1.68.1 -> 1.69.0

Drop patch included upstream.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

mpg123: upgrade 1.33.4 -> 1.33.5

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meson: upgrade 1.11.0 -> 1.11.1

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

mesa, mesa-tools-native: Upgrade 26.0.5 -> 26.0.6

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

makedumpfile: upgrade 1.7.8 -> 1.7.9

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

libxpm: upgrade 3.5.18 -> 3.5.19

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

libxmlb: upgrade 0.3.25 -> 0.3.26

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

libxml2: upgrade 2.15.2 -> 2.15.3

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

libsolv: upgrade 0.7.36 -> 0.7.37

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

libmpc: upgrade 1.4.0 -> 1.4.1

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

libjpeg-turbo: upgrade 3.1.3 -> 3.1.4.1

License-Update: Copyright years change

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

libgpg-error: upgrade 1.59 -> 1.60

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

libdrm: upgrade 2.4.131 -> 2.4.133

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

iproute2: upgrade 6.19.0 -> 7.0.0

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

gtk4: upgrade 4.22.2 -> 4.22.4

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

gn: upgrade to latest revision

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

git: upgrade 2.53.0 -> 2.54.0

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

gdk-pixbuf: upgrade 2.44.5 -> 2.44.6

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

font-util: upgrade 1.4.1 -> 1.4.2

Licence-Update: Removal of a trailing whitespace

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

ethtool: upgrade 6.19 -> 7.0

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

epiphany: upgrade 50.3 -> 50.4

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

dhcpcd: upgrade 10.3.1 -> 10.3.2

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

coreutils: upgrade 9.10 -> 9.11

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

ccache: upgrade 4.13.3 -> 4.13.5

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

boost-build-native: upgrade 1.90.0 -> 1.91.0

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

at-spi2-core: upgrade 2.60.0 -> 2.60.3

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

go: add ptest support

Add ptest infrastructure to test the Go standard library.

- Run 'go test -short std' via run-ptest script
- Install source tree and pkg/include headers
- Create VERSION file for architecture detection
- Exclude multi-arch binary testdata to avoid QA errors

Signed-off-by: Pratik Farkase <pratik.farkase@est.tech>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>

insane: simplify conditional operations with bb.utils.filter

The append override on ERROR_QA uses bb.utils.contains to check for a
string inside a variable, and return the exact same string if true.

This can be simplified by a call to bb.utils.filter, since the result is
the same, and the inline is shorter.

Replace "bb.utils.contains(A, 'a', ' a', '', d)" by " bb.utils.filter(A, 'a', d)".

Signed-off-by: João Marcos Costa <joaomarcos.costa@bootlin.com>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>

meta: simplify conditional operations with bb.utils.filter

Some recipes use bb.utils.contains to check for a string inside a
variable, and return the exact same string if true.

This can be simplified by a call to bb.utils.filter, since the result is
the same, and the inline is shorter.

Replace "bb.utils.contains(A, 'a', 'a', '', d)" by "bb.utils.filter(A, 'a', d)".

Signed-off-by: João Marcos Costa <joaomarcos.costa@bootlin.com>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>

apr-util: Add CVE_PRODUCT to support product name

apr-util is tracked in NVD under apache:apr-util, while a smaller set
of newer CVEs also appears under apache:portable_runtime_utility.
Set CVE_PRODUCT accordingly so cve-check can cover both the historical
and current NVD product identities used for APR-util.

Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>

apr: Add CVE_PRODUCT to support product name

apr is tracked in NVD under apache:portable_runtime rather than the
recipe name apr. Set CVE_PRODUCT accordingly so cve-check uses the
correct NVD product identity for APR.

No additional alias was found to be necessary for this recipe.

Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>

sudo: set CVE_PRODUCT

This change removes currently open CVE-2025-64170 and CVE-2025-64517
from reports which are for "trifectatech:sudo-rs".

It also removes following "patched" ones:
* CVE-2023-42456 (memorysafety:sudo)
* CVE-2025-46717 (trifectatech:sudo)
* CVE-2025-46718 (trifectatech:sudo)
All these are also for "sudo-rs".

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

valgrind: Upgrade 3.26.0 -> 3.27.0

Release notes:
https://valgrind.org/docs/manual/dist.news.html

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

dhcpcd: remove obsolete explicit debug packaging

The .debug directories are packaged automatically by default, so this is
redundant.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

libsoup: patch CVE-2026-5119

Pick commit which closed [1].

[1] https://gitlab.gnome.org/GNOME/libsoup/-/work_items/502#note_cb3be24d375814549d21c03821672ed6749df36a

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

libsoup: set status for CVE-2026-2436

Commit fixing this CVE is [2] (per [1]).
That was backported to 3.6.6 as [3].

[1] https://security-tracker.debian.org/tracker/CVE-2026-2436
[2] https://gitlab.gnome.org/GNOME/libsoup/-/commit/e9b681a5b23f8259a5e29c5351a5284ae5cd1189
[3] https://gitlab.gnome.org/GNOME/libsoup/-/commit/31052a2327c81fe3b7a3d4a66d8a7c9c1aaa47ca

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

cups: upgrade 2.4.16 -> 2.4.19

Release notes:
* https://github.com/OpenPrinting/cups/releases/tag/v2.4.19
  * CUPS 2.4.19 fixes a regression in shared printing from non-local accounts (Issue #1557)
* https://github.com/OpenPrinting/cups/releases/tag/v2.4.18
  * The new release 2.4.18 contains a hotfix after the CVE-2026-27447 fix:
    * Fixed cupsd crash if user does not exist (Issue #1555)
* https://github.com/OpenPrinting/cups/releases/tag/v2.4.17
  * The new release 2.4.17 contains the following security fixes:
    * CVE-2026-27447: The scheduler treated local user and group names as case-
      insensitive.
    * CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS
      directory.
    * CVE-2026-34980: The scheduler did not filter control characters from option
      values.
    * CVE-2026-34979: The scheduler did not always allocate enough memory for a
      job's options string.
    * CVE-2026-34990: The scheduler incorrectly allowed local certificates over the
      loopback interface.
    * CVE-2026-39314: Fixed the range check for job password strings.
    * CVE-2026-39316: Fixed a printer subscription bug in the scheduler.
    * CVE-2026-NNNNN: Fixed a SNMP string conversion bug in the backends.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

coreutils: set CVE_PRODUCT

This removes rust uutils coreutils CVEs from reports.
Comparing sbom-cve-check shows that only
CVE-2026-35338..CVE-2026-35381 are removed and all of them contained
reference to uutils.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

kernel-devsrc: remove obsolete explicit debug packaging

The .debug directories are packaged automatically by default, so this is
redundant.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

gobject-introspection: remove obsolete explicit debug packaging

The .debug directories are packaged automatically by default, so this is
redundant.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

python3-cryptography: remove obsolete explicit debug packaging

The .debug directories are packaged automatically by default, so this is
redundant.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

wpa-supplicant: remove obsolete explicit debug packaging

The .debug directories are packaged automatically by default, so this is
redundant.

This recipe packages the plugin debug symbols into their own packages,
there's no real advantage to doing this so remove that logic.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

p11-kit: packaging rewrite

p11-kit is actually a library, pluggable modules, and some helper tools.

Add new packages -bin -modules and -remote to package up the pieces
separately, and leave just the library in the main package.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

p11-kit: explicitly disable tests and zsh-completions

There's no need to build the tests as we won't run them, and disable the
zsh completion to avoid having to package the files.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

p11-kit: add PACKAGECONFIG for trust and systemd

libtasn dependencies are specific to the trust module, add a PACKAGECONFIG
for that and move the dependencies. This is currently enabled by default
to preserve behaviour.

p11-kit has optional systemd user units for the remote server, add a
PACKAGECONFIG for that that respects the systemd DISTRO_FEATURE.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

p11-kit: remove obsolete compile error workaround

I couldn't replicate this compile error from 2024 so it's presumably no
longer needed.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

sstate: remove dead code and unify path operations

Most substring replacement operations performed on
'dirs' and 'plaindirs' are implemented in the same
pattern, except two. Unify the implementation.

Signed-off-by: Adam Blank <adam.blank.g@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>

lib/packagedata.py: slight improvement to code readability

Make use of an existing variable rather than creating a new one
when collecting files of a package.

Signed-off-by: Adam Blank <adam.blank.g@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>