diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 756c5211487..f6cff4b97c6 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -62,7 +62,6 @@
 /SPECS/virtiofsd/* @microsoft/cbl-mariner-kata-containers
 
 /SPECS/cloud-hypervisor-cvm/* @microsoft/cbl-mariner-kata-containers
-/SPECS/hvloader/* @microsoft/cbl-mariner-kata-containers
 
 /SPECS/cloud-init/* @microsoft/cbl-mariner-provisioning
 /SPECS/walinuxagent/* @microsoft/cbl-mariner-provisioning
diff --git a/.pipelines/containerSourceData/busybox/Dockerfile-Busybox b/.pipelines/containerSourceData/busybox/Dockerfile-Busybox
index 3a02625a172..e6e6795d301 100644
--- a/.pipelines/containerSourceData/busybox/Dockerfile-Busybox
+++ b/.pipelines/containerSourceData/busybox/Dockerfile-Busybox
@@ -33,8 +33,7 @@ RUN mkdir /staging \
     && pushd /staging \
     && rm -rf boot media mnt opt run \
     && rm -rf usr/lib/sysimage \
-    && rm -rf var/cache \
-    && rm -rf var/lib/rpm; \
+    && rm -rf var/cache; \
 	ln -vL /staging/usr/sbin/busybox /staging/bin/; \
 	chroot /staging /bin/busybox --install -s /bin
 
diff --git a/.pipelines/containerSourceData/scripts/BuildGoldenContainer.sh b/.pipelines/containerSourceData/scripts/BuildGoldenContainer.sh
index ac3a740f019..bd9c9fcad0e 100755
--- a/.pipelines/containerSourceData/scripts/BuildGoldenContainer.sh
+++ b/.pipelines/containerSourceData/scripts/BuildGoldenContainer.sh
@@ -58,7 +58,7 @@ set -e
 #     -j OUTPUT -k ./rpms.tar.gz -l ~/azurelinux/.pipelines/containerSourceData \
 #     -m "false" -n "false" -p development -q "false" -u "true"
 
-while getopts ":a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" OPTIONS; do
+while getopts ":a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:w:" OPTIONS; do
     case ${OPTIONS} in
     a ) BASE_IMAGE_NAME_FULL=$OPTARG;;
     b ) ACR=$OPTARG;;
@@ -82,6 +82,7 @@ while getopts ":a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" OPTIONS; do
     t ) SBOM_SCRIPT=$OPTARG;;
     u ) DISTROLESS=$OPTARG;;
     v ) VERSION_EXTRACT_CMD=$OPTARG;;
+    w ) TOOLCHAIN_RPMS_TARBALL=$OPTARG;;
 
     \? )
         echo "Error - Invalid Option: -$OPTARG" 1>&2
@@ -125,6 +126,7 @@ function print_inputs {
     echo "SBOM_TOOL_PATH                -> $SBOM_TOOL_PATH"
     echo "SBOM_SCRIPT                   -> $SBOM_SCRIPT"
     echo "DISTROLESS                    -> $DISTROLESS"
+    echo "TOOLCHAIN_RPMS_TARBALL -> $TOOLCHAIN_RPMS_TARBALL"
 }
 
 function validate_inputs {
@@ -168,6 +170,11 @@ function validate_inputs {
         exit 1
     fi
 
+    if [[ ! -f $TOOLCHAIN_RPMS_TARBALL ]]; then
+        echo "Error - No TOOLCHAIN_RPMS tarball found under '$TOOLCHAIN_RPMS_TARBALL'."
+        exit 1
+    fi
+
     if [ ! -d "$CONTAINER_SRC_DIR" ]; then
         echo "Error - Container source directory does not exist."
         exit 1
@@ -236,7 +243,9 @@ function prepare_docker_directory {
     mkdir -pv "$HOST_MOUNTED_DIR"
 
     # Copy files into docker context directory
-    tar -xf "$RPMS_TARBALL" -C "$HOST_MOUNTED_DIR"/
+    tar -xvf "$RPMS_TARBALL" -C "$HOST_MOUNTED_DIR"/
+    # we look for the toolchain rpms in the same directory as the rpms tarball
+    tar -xvf "$TOOLCHAIN_RPMS_TARBALL" -C "$HOST_MOUNTED_DIR/RPMS"/
     cp -v "$CONTAINER_SRC_DIR/azurelinuxlocal.repo" "$HOST_MOUNTED_DIR"/
 }
 
diff --git a/.pipelines/templatesWithCheckout/SodiffCheck.yml b/.pipelines/templatesWithCheckout/SodiffCheck.yml
index 2864c6274fa..c4103caa78c 100644
--- a/.pipelines/templatesWithCheckout/SodiffCheck.yml
+++ b/.pipelines/templatesWithCheckout/SodiffCheck.yml
@@ -13,6 +13,14 @@ parameters:
     type: string
     default: "rpms.tar.gz"
 
+  - name: sodiffRepoCommand
+    type: string
+    default: "sodiff-repo"
+
+  - name: sodiffRepoFile
+    type: string
+    default: "sodiff.repo"
+
   - name: sourcesWorkspace
     type: string
     default: "$(Agent.TempDirectory)/SourcesWorkspace"
@@ -52,8 +60,8 @@ steps:
       sodiff_out_dir="${{ parameters.buildRepoRoot }}/out/sodiff"
       mkdir -p $sodiff_out_dir
 
-      echo "Generate sodiff.repo file"
-      sudo make -sC "$toolkit_dir" sodiff-repo
+      echo "Generate sodiff repo file"
+      sudo make -sC "$toolkit_dir" ${{ parameters.sodiffRepoCommand }}
 
       echo "Generate input file"
       find $sodiff_rpms_dir -type f -name '*.rpm' -exec basename {} \; > ./sodiff-rpms
@@ -61,7 +69,7 @@ steps:
       sodiff_release_ver=`cat ${{ parameters.buildRepoRoot }}/SPECS/azurelinux-release/azurelinux-release.spec | grep "Version:" | cut -d " " -f 1 --complement | xargs`
       echo "sodiff release ver: $sodiff_release_ver"
       
-      $toolkit_dir/scripts/sodiff/mariner-sodiff.sh $sodiff_rpms_dir/ $toolkit_dir/scripts/sodiff/sodiff.repo $sodiff_release_ver $sodiff_out_dir < ./sodiff-rpms
+      $toolkit_dir/scripts/sodiff/mariner-sodiff.sh -r $sodiff_rpms_dir/ -f ${{ parameters.buildRepoRoot }}/build/sodiff/${{ parameters.sodiffRepoFile }} -v $sodiff_release_ver -o $sodiff_out_dir -e true < ./sodiff-rpms
 
 
-    displayName: "Sodiff check"
\ No newline at end of file
+    displayName: "Sodiff check"
diff --git a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md
index 650576f1878..668a1c6b005 100644
--- a/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md
+++ b/LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md
@@ -5,11 +5,11 @@ The Azure Linux SPEC files originated from a variety of sources with varying lic
 | CentOS | [MIT](https://www.centos.org/legal/#licensing-policy) | crash-ptdump-command <br> delve <br> fstrm <br> nodejs-nodemon <br> rhnlib <br> rt-setup <br> rt-tests <br> rtctl <br> tuned |
 | Ceph source | [LGPL2.1](https://github.com/ceph/ceph/blob/master/COPYING-LGPL2.1) | ceph |
 | Debian | [MIT](https://opensource.org/licenses/MIT) | prometheus-process-exporter |
-| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | a52dec <br> abseil-cpp <br> accountsservice <br> acpica-tools <br> acpid <br> adcli <br> adobe-mappings-cmap <br> adobe-mappings-pdf <br> advancecomp <br> adwaita-icon-theme <br> afflib <br> aide <br> alsa-firmware <br> alsa-plugins <br> amtk <br> amtterm <br> annobin <br> ansible-freeipa <br> archivemount <br> arptables <br> arpwatch <br> asio <br> aspell <br> aspell-en <br> at <br> at-spi2-atk <br> at-spi2-core <br> atf <br> atk <br> atop <br> attr <br> audiofile <br> augeas <br> authbind <br> authd <br> authselect <br> autoconf213 <br> avahi <br> babeltrace <br> babeltrace2 <br> babl <br> baekmuk-ttf-fonts <br> bats <br> bcache-tools <br> biosdevname <br> blosc <br> bluez <br> bmake <br> bolt <br> boom-boot <br> booth <br> botan2 <br> breezy <br> brotli <br> buildah <br> busybox <br> bwidget <br> byacc <br> ca-certificates <br> cachefilesd <br> cairomm <br> calamares <br> capnproto <br> capstone <br> catatonit <br> catch <br> catch1 <br> cdrdao <br> celt051 <br> cereal <br> certmonger <br> cfitsio <br> cgdcbxd <br> chan <br> CharLS <br> checkpolicy <br> checksec <br> chrony <br> cim-schema <br> cjkuni-uming-fonts <br> cjose <br> ck <br> cldr-emoji-annotation <br> clucene <br> clutter <br> clutter-gst3 <br> clutter-gtk <br> cmocka <br> cogl <br> collectd <br> colm <br> color-filesystem <br> colord <br> colorize <br> compat-lua <br> compiler-rt <br> conda <br> conmon <br> conntrack-tools <br> console-setup <br> container-exception-logger <br> containernetworking-plugins <br> convmv <br> corosync <br> corosync-qdevice <br> cpp-hocon <br> cppcheck <br> cpprest <br> cpptest <br> cpufrequtils <br> cpuid <br> criu <br> crypto-policies <br> cryptsetup <br> cscope <br> ctags <br> CUnit <br> cups <br> custodia <br> Cython <br> dbus-c++ <br> dbus-python <br> dbxtool <br> dconf <br> dcraw <br> debootstrap <br> deltarpm <br> desktop-file-utils <br> device-mapper-persistent-data <br> dhcpcd <br> dietlibc <br> diffstat <br> ding-libs <br> discount <br> distribution-gpg-keys <br> dleyna-connector-dbus <br> dleyna-core <br> dmraid <br> dnf <br> dnf-plugins-core <br> docbook-dtds <br> docbook-simple <br> docbook-slides <br> docbook-style-dsssl <br> docbook-utils <br> docbook2X <br> docbook5-schemas <br> docbook5-style-xsl <br> dogtail <br> dos2unix <br> dotconf <br> dovecot <br> dpdk <br> dpkg <br> driverctl <br> dropwatch <br> drpm <br> duktape <br> dumpet <br> dvd+rw-tools <br> dwarves <br> dwz <br> dyninst <br> ebtables <br> edac-utils <br> edk2 <br> efax <br> efi-rpm-macros <br> egl-wayland <br> eglexternalplatform <br> elinks <br> enca <br> enchant <br> enchant2 <br> enscript <br> environment-modules <br> evemu <br> execstack <br> exempi <br> exiv2 <br> extra-cmake-modules <br> fabtests <br> facter <br> fakechroot <br> fakeroot <br> fdk-aac-free <br> fdupes <br> fence-virt <br> fetchmail <br> fftw <br> filebench <br> fio <br> fipscheck <br> firewalld <br> flac <br> flatbuffers <br> flite <br> fltk <br> fmt <br> fontawesome-fonts <br> fontawesome4-fonts <br> fontpackages <br> fonts-rpm-macros <br> foomatic-db <br> freeglut <br> freeipmi <br> freeradius <br> freetds <br> freexl <br> fribidi <br> fros <br> frr <br> fsverity-utils <br> fuse-overlayfs <br> fuse-sshfs <br> fuse-zip <br> fuse3 <br> future <br> fxload <br> gavl <br> gbenchmark <br> gconf-editor <br> GConf2 <br> gcovr <br> gcr <br> gdal <br> gdisk <br> gdk-pixbuf2 <br> generic-logos <br> genwqe-tools <br> geoclue2 <br> GeoIP <br> GeoIP-GeoLite-data <br> geolite2 <br> geos <br> gfs2-utils <br> ghc-srpm-macros <br> giflib <br> gl-manpages <br> glew <br> glm <br> glog <br> glslang <br> glusterfs <br> gnome-desktop-testing <br> gnome-doc-utils <br> gnome-icon-theme <br> gnome-keyring <br> gnu-efi <br> go-rpm-macros <br> gom <br> google-api-python-client <br> google-crosextra-caladea-fonts <br> google-crosextra-carlito-fonts <br> google-guice <br> google-noto-cjk-fonts <br> google-noto-emoji-fonts <br> google-roboto-slab-fonts <br> gphoto2 <br> gpm <br> gpsbabel <br> graphene <br> graphite2 <br> graphviz <br> grubby <br> gsettings-desktop-schemas <br> gsl <br> gsm <br> gspell <br> gssdp <br> gssntlmssp <br> gstreamer1 <br> gstreamer1-plugins-base <br> gtk-vnc <br> gtk2 <br> gtk3 <br> gtkspell <br> gupnp <br> gupnp-av <br> gupnp-dlna <br> gupnp-igd <br> hardening-check <br> hdf <br> hdf5 <br> heimdal <br> help2man <br> hexedit <br> hicolor-icon-theme <br> hiera <br> highlight <br> hivex <br> hostname <br> hping3 <br> hsakmt <br> htop <br> hunspell <br> hunspell-af <br> hunspell-ar <br> hunspell-as <br> hunspell-ast <br> hunspell-az <br> hunspell-be <br> hunspell-bg <br> hunspell-bn <br> hunspell-br <br> hunspell-ca <br> hunspell-cop <br> hunspell-csb <br> hunspell-cv <br> hunspell-cy <br> hunspell-da <br> hunspell-de <br> hunspell-dsb <br> hunspell-el <br> hunspell-en <br> hunspell-eo <br> hunspell-es <br> hunspell-et <br> hunspell-eu <br> hunspell-fa <br> hunspell-fj <br> hunspell-fo <br> hunspell-fr <br> hunspell-fur <br> hunspell-fy <br> hunspell-ga <br> hunspell-gd <br> hunspell-gl <br> hunspell-grc <br> hunspell-gu <br> hunspell-gv <br> hunspell-haw <br> hunspell-hi <br> hunspell-hil <br> hunspell-hr <br> hunspell-hsb <br> hunspell-ht <br> hunspell-hu <br> hunspell-hy <br> hunspell-ia <br> hunspell-id <br> hunspell-is <br> hunspell-it <br> hunspell-kk <br> hunspell-km <br> hunspell-kn <br> hunspell-ko <br> hunspell-ku <br> hunspell-ky <br> hunspell-la <br> hunspell-lb <br> hunspell-ln <br> hunspell-mai <br> hunspell-mg <br> hunspell-mi <br> hunspell-mk <br> hunspell-ml <br> hunspell-mn <br> hunspell-mos <br> hunspell-mr <br> hunspell-ms <br> hunspell-mt <br> hunspell-nds <br> hunspell-ne <br> hunspell-nl <br> hunspell-no <br> hunspell-nr <br> hunspell-nso <br> hunspell-ny <br> hunspell-om <br> hunspell-or <br> hunspell-pa <br> hunspell-pl <br> hunspell-pt <br> hunspell-quh <br> hunspell-ro <br> hunspell-ru <br> hunspell-rw <br> hunspell-se <br> hunspell-shs <br> hunspell-si <br> hunspell-sk <br> hunspell-sl <br> hunspell-smj <br> hunspell-so <br> hunspell-sq <br> hunspell-sr <br> hunspell-sv <br> hunspell-sw <br> hunspell-ta <br> hunspell-te <br> hunspell-tet <br> hunspell-th <br> hunspell-tk <br> hunspell-tl <br> hunspell-tn <br> hunspell-tpi <br> hunspell-ts <br> hunspell-uk <br> hunspell-uz <br> hunspell-ve <br> hunspell-vi <br> hunspell-wa <br> hunspell-xh <br> hunspell-yi <br> hwdata <br> hwloc <br> hyperscan <br> hyperv-daemons <br> hyphen <br> hyphen-as <br> hyphen-bg <br> hyphen-bn <br> hyphen-ca <br> hyphen-da <br> hyphen-de <br> hyphen-el <br> hyphen-es <br> hyphen-fa <br> hyphen-fo <br> hyphen-fr <br> hyphen-ga <br> hyphen-gl <br> hyphen-grc <br> hyphen-gu <br> hyphen-hi <br> hyphen-hsb <br> hyphen-hu <br> hyphen-ia <br> hyphen-id <br> hyphen-is <br> hyphen-it <br> hyphen-kn <br> hyphen-ku <br> hyphen-lt <br> hyphen-mi <br> hyphen-ml <br> hyphen-mn <br> hyphen-mr <br> hyphen-nl <br> hyphen-or <br> hyphen-pa <br> hyphen-pl <br> hyphen-pt <br> hyphen-ro <br> hyphen-ru <br> hyphen-sa <br> hyphen-sk <br> hyphen-sl <br> hyphen-sv <br> hyphen-ta <br> hyphen-te <br> hyphen-tk <br> hyphen-uk <br> ibus <br> ibus-chewing <br> ibus-hangul <br> ibus-kkc <br> ibus-libzhuyin <br> ibus-m17n <br> ibus-rawcode <br> ibus-sayura <br> ibus-table <br> ibus-table-chinese <br> icc-profiles-openicc <br> icon-naming-utils <br> icoutils <br> iftop <br> iio-sensor-proxy <br> ilmbase <br> im-chooser <br> imaptest <br> imsettings <br> indent <br> infinipath-psm <br> inih <br> iniparser <br> intel-cmt-cat <br> intel-ipsec-mb <br> ioping <br> IP2Location <br> ipa-pgothic-fonts <br> ipcalc <br> ipmitool <br> iprutils <br> iptraf-ng <br> iptstate <br> irssi <br> iscsi-initiator-utils <br> isns-utils <br> iso-codes <br> isomd5sum <br> iw <br> iwd <br> jabberpy <br> jakarta-servlet <br> jasper <br> javapackages-bootstrap <br> javapackages-tools <br> jbigkit <br> jdom2 <br> jemalloc <br> jfsutils <br> jimtcl <br> jose <br> js-jquery <br> jsoncpp <br> Judy <br> jurand <br> kata-containers <br> kde-filesystem <br> kde-settings <br> kexec-tools <br> keybinder3 <br> keycloak-httpd-client-install <br> kf <br> kf-kconfig <br> kf-kcoreaddons <br> kf-ki18n <br> kf-kwidgetsaddons <br> kpmcore <br> kronosnet <br> ksh <br> kyotocabinet <br> kyua <br> ladspa <br> lame <br> langtable <br> lapack <br> lasso <br> latencytop <br> lato-fonts <br> lcms2 <br> lcov <br> ldns <br> leatherman <br> ledmon <br> lensfun <br> leveldb <br> lftp <br> libabw <br> libaec <br> libao <br> libappstream-glib <br> libarrow <br> libart_lgpl <br> libasyncns <br> libatasmart <br> libavc1394 <br> libblockdev <br> libbpf <br> libbsd <br> libburn <br> libbytesize <br> libcacard <br> libcanberra <br> libcdio <br> libcdio-paranoia <br> libcdr <br> libcgroup <br> libchewing <br> libcli <br> libcmis <br> libcmpiutil <br> libcomps <br> libcroco <br> libdaemon <br> libdap <br> libdatrie <br> libdazzle <br> libdbi <br> libdbusmenu <br> libdc1394 <br> libdecor <br> libdeflate <br> libdmx <br> libdnf <br> libdrm <br> libdvdnav <br> libdvdread <br> libdwarf <br> libeasyfc <br> libecap <br> libecb <br> libei <br> libell <br> libEMF <br> libeot <br> libepoxy <br> libepubgen <br> libesmtp <br> libetonyek <br> libev <br> libevdev <br> libexif <br> libexttextcat <br> libfabric <br> libfontenc <br> libfreehand <br> libftdi <br> libgadu <br> libgdither <br> libgee <br> libgee06 <br> libgeotiff <br> libgexiv2 <br> libgit2 <br> libgit2-glib <br> libglade2 <br> libglvnd <br> libgovirt <br> libgphoto2 <br> libgsf <br> libgta <br> libguestfs <br> libgusb <br> libgxim <br> libgxps <br> libhangul <br> libhugetlbfs <br> libibcommon <br> libical <br> libICE <br> libicns <br> libid3tag <br> libIDL <br> libidn2 <br> libiec61883 <br> libieee1284 <br> libimobiledevice <br> libindicator <br> libinput <br> libiodbc <br> libipt <br> libiptcdata <br> libiscsi <br> libisoburn <br> libisofs <br> libjcat <br> libkcapi <br> libkeepalive <br> libkkc <br> libkkc-data <br> libkml <br> liblangtag <br> libldb <br> libldm <br> liblerc <br> liblockfile <br> liblognorm <br> liblouis <br> liblqr-1 <br> liblzf <br> libmad <br> libmediaart <br> libmicrohttpd <br> libmikmod <br> libmodman <br> libmodplug <br> libmodulemd1 <br> libmpcdec <br> libmspub <br> libmtp <br> libmusicbrainz5 <br> libmwaw <br> libnbd <br> libnet <br> libnetfilter_log <br> libnfs <br> libnotify <br> libntlm <br> libnumbertext <br> libnvme <br> liboauth <br> libodfgen <br> libofa <br> libogg <br> liboggz <br> liboil <br> libomxil-bellagio <br> libopenraw <br> liboping <br> libosinfo <br> libotf <br> libotr <br> libpagemaker <br> libpaper <br> libpciaccess <br> libpeas <br> libpfm <br> libpinyin <br> libplist <br> libpmemobj-cpp <br> libpng12 <br> libpng15 <br> libproxy <br> libpsm2 <br> libpwquality <br> libqb <br> libqxp <br> libraqm <br> LibRaw <br> libraw1394 <br> libreport <br> libreswan <br> librevenge <br> librsvg2 <br> librx <br> libsamplerate <br> libsass <br> libsecret <br> libsemanage <br> libsigc++20 <br> libsigsegv <br> libslirp <br> libSM <br> libsmbios <br> libsmi <br> libsndfile <br> libsodium <br> libspiro <br> libsrtp <br> libssh <br> libstaroffice <br> libstemmer <br> libstoragemgmt <br> libtdb <br> libteam <br> libtevent <br> libthai <br> libtnc <br> libtomcrypt <br> libtommath <br> libtpms <br> libtracecmd <br> libtraceevent <br> libtracefs <br> libtranslit <br> libucil <br> libunicap <br> libuninameslist <br> liburing <br> libusbmuxd <br> libuser <br> libutempter <br> libvarlink <br> libverto <br> libvirt-dbus <br> libvirt-glib <br> libvirt-java <br> libvirt-python <br> libvisio <br> libvisual <br> libvoikko <br> libvorbis <br> libvpx <br> libwacom <br> libwnck3 <br> libwpd <br> libwpe <br> libwpg <br> libwps <br> libwvstreams <br> libX11 <br> libXau <br> libXaw <br> libxcb <br> libXcomposite <br> libxcrypt <br> libXcursor <br> libxcvt <br> libXdamage <br> libXdmcp <br> libXext <br> libxfce4util <br> libXfixes <br> libXfont2 <br> libXft <br> libXi <br> libXinerama <br> libxkbcommon <br> libxkbfile <br> libxklavier <br> libxmlb <br> libXmu <br> libXpm <br> libXrandr <br> libXrender <br> libXres <br> libXScrnSaver <br> libxshmfence <br> libXt <br> libXtst <br> libXv <br> libXxf86vm <br> libyami <br> libyang <br> libyubikey <br> libzip <br> libzmf <br> lilv <br> linuxconsoletools <br> linuxptp <br> lksctp-tools <br> lldpd <br> lockdev <br> logwatch <br> lpsolve <br> lrzsz <br> lua <br> lua-expat <br> lua-filesystem <br> lua-json <br> lua-lpeg <br> lua-lunit <br> lua-rpm-macros <br> lua-term <br> luajit <br> lujavrite <br> luksmeta <br> lutok <br> lv2 <br> lzip <br> lzop <br> m17n-db <br> m17n-lib <br> mac-robber <br> mailcap <br> mailx <br> malaga <br> malaga-suomi-voikko <br> mallard-rng <br> man-pages-cs <br> man-pages-es <br> man-pages-it <br> man-pages-ja <br> man-pages-ko <br> man-pages-pl <br> man-pages-ru <br> man-pages-zh-CN <br> mandoc <br> mariadb-connector-c <br> mariadb-connector-odbc <br> marisa <br> maven-compiler-plugin <br> maven-jar-plugin <br> maven-resolver <br> maven-resources-plugin <br> maven-surefire <br> maven-wagon <br> mcelog <br> mcpp <br> mcstrans <br> mdadm <br> mdds <br> mdevctl <br> meanwhile <br> mecab <br> mecab-ipadic <br> media-player-info <br> memcached <br> memkind <br> mesa <br> mesa-libGLU <br> metis <br> microcode_ctl <br> microdnf <br> minicom <br> minizip <br> mksh <br> mobile-broadband-provider-info <br> mock <br> mock-core-configs <br> mod_auth_gssapi <br> mod_auth_mellon <br> mod_auth_openidc <br> mod_authnz_pam <br> mod_fcgid <br> mod_http2 <br> mod_intercept_form_submit <br> mod_lookup_identity <br> mod_md <br> mod_security <br> mod_security_crs <br> mod_wsgi <br> mokutil <br> mpage <br> mrtg <br> mstflint <br> mt-st <br> mtdev <br> mtools <br> mtr <br> mtx <br> munge <br> mutt <br> mythes <br> mythes-bg <br> mythes-ca <br> mythes-cs <br> mythes-da <br> mythes-de <br> mythes-el <br> mythes-en <br> mythes-eo <br> mythes-es <br> mythes-fr <br> mythes-ga <br> mythes-hu <br> mythes-mi <br> mythes-ne <br> mythes-nl <br> mythes-pl <br> mythes-pt <br> mythes-ro <br> mythes-ru <br> mythes-sk <br> mythes-sl <br> mythes-sv <br> mythes-uk <br> nbd <br> nbdkit <br> neon <br> netavark <br> netcdf <br> netcf <br> netlabel_tools <br> netpbm <br> netsniff-ng <br> nfs4-acl-tools <br> nftables <br> nilfs-utils <br> nkf <br> nload <br> nlopt <br> nodejs-packaging <br> nss-mdns <br> nss-pam-ldapd <br> nss_nis <br> nss_wrapper <br> ntfs-3g <br> ntfs-3g-system-compression <br> numad <br> numatop <br> numpy <br> nvmetcli <br> nvml <br> oath-toolkit <br> ocaml <br> ocaml-alcotest <br> ocaml-astring <br> ocaml-augeas <br> ocaml-base <br> ocaml-bigarray-compat <br> ocaml-bisect-ppx <br> ocaml-calendar <br> ocaml-camlp-streams <br> ocaml-camlp5 <br> ocaml-camomile <br> ocaml-cinaps <br> ocaml-cmdliner <br> ocaml-compiler-libs-janestreet <br> ocaml-cppo <br> ocaml-csexp <br> ocaml-csv <br> ocaml-ctypes <br> ocaml-curses <br> ocaml-dune <br> ocaml-extlib <br> ocaml-fileutils <br> ocaml-findlib <br> ocaml-fmt <br> ocaml-fpath <br> ocaml-gettext <br> ocaml-integers <br> ocaml-libvirt <br> ocaml-luv <br> ocaml-lwt <br> ocaml-markup <br> ocaml-mmap <br> ocaml-num <br> ocaml-ocamlbuild <br> ocaml-ocplib-endian <br> ocaml-ounit <br> ocaml-parsexp <br> ocaml-pp <br> ocaml-ppx-derivers <br> ocaml-ppx-here <br> ocaml-ppx-let <br> ocaml-ppxlib <br> ocaml-re <br> ocaml-react <br> ocaml-result <br> ocaml-seq <br> ocaml-sexplib <br> ocaml-sexplib0 <br> ocaml-srpm-macros <br> ocaml-stdio <br> ocaml-stdlib-random <br> ocaml-topkg <br> ocaml-tyxml <br> ocaml-uutf <br> ocaml-xml-light <br> ocaml-zarith <br> ocl-icd <br> oddjob <br> ogdi <br> omping <br> opa <br> opal <br> open-vm-tools <br> openblas <br> opencc <br> opencl-filesystem <br> opencl-headers <br> opencryptoki <br> opencsd <br> opendnssec <br> OpenEXR <br> openjade <br> openjpeg2 <br> openmpi <br> openobex <br> openoffice-lv <br> openrdate <br> opensc <br> openslp <br> opensm <br> opensp <br> openssl <br> openssl-ibmpkcs11 <br> openssl-pkcs11 <br> openwsman <br> optipng <br> opus <br> opusfile <br> orangefs <br> ORBit2 <br> orc <br> os-prober <br> osinfo-db <br> osinfo-db-tools <br> overpass-fonts <br> p11-kit <br> p7zip <br> pacemaker <br> pacrunner <br> pakchois <br> pam_krb5 <br> pam_wrapper <br> papi <br> paps <br> parallel <br> patchelf <br> patchutils <br> pbzip2 <br> pcp <br> pcsc-lite <br> pcsc-lite-ccid <br> PEGTL <br> perl <br> perl-Algorithm-C3 <br> perl-Algorithm-Diff <br> perl-Alien-Build <br> perl-Alien-pkgconf <br> perl-AnyEvent <br> perl-AnyEvent-AIO <br> perl-AnyEvent-BDB <br> perl-App-cpanminus <br> perl-App-FatPacker <br> perl-AppConfig <br> perl-Archive-Extract <br> perl-Archive-Zip <br> perl-Authen-SASL <br> perl-B-COW <br> perl-B-Debug <br> perl-B-Hooks-EndOfScope <br> perl-B-Hooks-OP-Check <br> perl-B-Keywords <br> perl-B-Lint <br> perl-bareword-filehandles <br> perl-Bit-Vector <br> perl-boolean <br> perl-Browser-Open <br> perl-BSD-Resource <br> perl-Business-ISBN <br> perl-Business-ISBN-Data <br> perl-Bytes-Random-Secure <br> perl-Capture-Tiny <br> perl-Carp-Clan <br> perl-CBOR-XS <br> perl-Class-Accessor <br> perl-Class-C3 <br> perl-Class-C3-XS <br> perl-Class-Data-Inheritable <br> perl-Class-Factory-Util <br> perl-Class-Inspector <br> perl-Class-ISA <br> perl-Class-Load <br> perl-Class-Load-XS <br> perl-Class-Method-Modifiers <br> perl-Class-Singleton <br> perl-Class-Tiny <br> perl-Class-XSAccessor <br> perl-Clone <br> perl-Color-ANSI-Util <br> perl-Color-RGB-Util <br> perl-ColorThemeBase-Static <br> perl-ColorThemeRole-ANSI <br> perl-ColorThemes-Standard <br> perl-ColorThemeUtil-ANSI <br> perl-Compress-Bzip2 <br> perl-Compress-LZF <br> perl-Compress-Raw-Lzma <br> perl-Config-AutoConf <br> perl-Config-INI <br> perl-Config-INI-Reader-Multiline <br> perl-Config-IniFiles <br> perl-Config-Simple <br> perl-Config-Tiny <br> perl-Const-Fast <br> perl-Convert-ASN1 <br> perl-Convert-Bencode <br> perl-Coro <br> perl-Coro-Multicore <br> perl-CPAN-Changes <br> perl-CPAN-DistnameInfo <br> perl-CPAN-Meta-Check <br> perl-Cpanel-JSON-XS <br> perl-Crypt-CBC <br> perl-Crypt-DES <br> perl-Crypt-IDEA <br> perl-Crypt-OpenSSL-Bignum <br> perl-Crypt-OpenSSL-Guess <br> perl-Crypt-OpenSSL-Random <br> perl-Crypt-OpenSSL-RSA <br> perl-Crypt-PasswdMD5 <br> perl-Crypt-Random-Seed <br> perl-CSS-Tiny <br> perl-Data-Dump <br> perl-Data-Munge <br> perl-Data-OptList <br> perl-Data-Peek <br> perl-Data-Section <br> perl-Data-UUID <br> perl-Date-Calc <br> perl-Date-ISO8601 <br> perl-Date-Manip <br> perl-DateTime <br> perl-DateTime-Format-Builder <br> perl-DateTime-Format-DateParse <br> perl-DateTime-Format-HTTP <br> perl-DateTime-Format-IBeat <br> perl-DateTime-Format-ISO8601 <br> perl-DateTime-Format-Mail <br> perl-DateTime-Format-Strptime <br> perl-DateTime-Locale <br> perl-DateTime-TimeZone <br> perl-DateTime-TimeZone-SystemV <br> perl-DateTime-TimeZone-Tzfile <br> perl-DBD-MySQL <br> perl-Devel-CallChecker <br> perl-Devel-Caller <br> perl-Devel-CheckBin <br> perl-Devel-CheckLib <br> perl-Devel-Cycle <br> perl-Devel-EnforceEncapsulation <br> perl-Devel-GlobalDestruction <br> perl-Devel-GlobalDestruction-XS <br> perl-Devel-Hide <br> perl-Devel-Leak <br> perl-Devel-LexAlias <br> perl-Devel-Size <br> perl-Devel-StackTrace <br> perl-Devel-Symdump <br> perl-Digest-BubbleBabble <br> perl-Digest-CRC <br> perl-Digest-HMAC <br> perl-Digest-SHA1 <br> perl-Dist-CheckConflicts <br> perl-DynaLoader-Functions <br> perl-Email-Address <br> perl-Email-Date-Format <br> perl-Encode-Detect <br> perl-Encode-EUCJPASCII <br> perl-Encode-IMAPUTF7 <br> perl-Encode-Locale <br> perl-Env-ShellWords <br> perl-Error <br> perl-EV <br> perl-Eval-Closure <br> perl-Event <br> perl-Exception-Class <br> perl-Expect <br> perl-ExtUtils-Config <br> perl-ExtUtils-Depends <br> perl-ExtUtils-Helpers <br> perl-ExtUtils-InstallPaths <br> perl-ExtUtils-PkgConfig <br> perl-FCGI <br> perl-Fedora-VSP <br> perl-FFI-CheckLib <br> perl-File-BaseDir <br> perl-File-BOM <br> perl-File-chdir <br> perl-File-CheckTree <br> perl-File-Copy-Recursive <br> perl-File-DesktopEntry <br> perl-File-Find-Object <br> perl-File-Find-Object-Rule <br> perl-File-Find-Rule <br> perl-File-Find-Rule-Perl <br> perl-File-Inplace <br> perl-File-Listing <br> perl-File-MimeInfo <br> perl-File-pushd <br> perl-File-ReadBackwards <br> perl-File-Remove <br> perl-File-ShareDir <br> perl-File-ShareDir-Install <br> perl-File-Slurp <br> perl-File-Slurp-Tiny <br> perl-File-Slurper <br> perl-File-Type <br> perl-Font-TTF <br> perl-FreezeThaw <br> perl-GD <br> perl-GD-Barcode <br> perl-generators <br> perl-Getopt-ArgvFile <br> perl-gettext <br> perl-Graphics-ColorNamesLite-WWW <br> perl-GSSAPI <br> perl-Guard <br> perl-Hook-LexWrap <br> perl-HTML-Parser <br> perl-HTML-Tagset <br> perl-HTML-Tree <br> perl-HTTP-Cookies <br> perl-HTTP-Daemon <br> perl-HTTP-Date <br> perl-HTTP-Message <br> perl-HTTP-Negotiate <br> perl-Image-Base <br> perl-Image-Info <br> perl-Image-Xbm <br> perl-Image-Xpm <br> perl-Import-Into <br> perl-Importer <br> perl-inc-latest <br> perl-indirect <br> perl-Inline-Files <br> perl-IO-AIO <br> perl-IO-All <br> perl-IO-CaptureOutput <br> perl-IO-Compress-Lzma <br> perl-IO-HTML <br> perl-IO-Multiplex <br> perl-IO-SessionData <br> perl-IO-Socket-INET6 <br> perl-IO-String <br> perl-IO-stringy <br> perl-IO-Tty <br> perl-IPC-Run <br> perl-IPC-Run3 <br> perl-IPC-System-Simple <br> perl-JSON <br> perl-JSON-Color <br> perl-JSON-MaybeXS <br> perl-LDAP <br> perl-libnet <br> perl-libwww-perl <br> perl-libxml-perl <br> perl-Lingua-EN-Inflect <br> perl-List-MoreUtils-XS <br> perl-local-lib <br> perl-Locale-Codes <br> perl-Locale-Maketext-Gettext <br> perl-Locale-Msgfmt <br> perl-Locale-PO <br> perl-Log-Message <br> perl-Log-Message-Simple <br> perl-LWP-MediaTypes <br> perl-LWP-Protocol-https <br> perl-Mail-AuthenticationResults <br> perl-Mail-DKIM <br> perl-Mail-IMAPTalk <br> perl-Mail-SPF <br> perl-MailTools <br> perl-Math-Int64 <br> perl-Math-Random-ISAAC <br> perl-MIME-Charset <br> perl-MIME-Lite <br> perl-MIME-Types <br> perl-Mixin-Linewise <br> perl-MLDBM <br> perl-Mock-Config <br> perl-Module-Build-Tiny <br> perl-Module-CPANfile <br> perl-Module-Implementation <br> perl-Module-Install-AuthorRequires <br> perl-Module-Install-AuthorTests <br> perl-Module-Install-AutoLicense <br> perl-Module-Install-GithubMeta <br> perl-Module-Install-ManifestSkip <br> perl-Module-Install-ReadmeFromPod <br> perl-Module-Install-ReadmeMarkdownFromPod <br> perl-Module-Install-Repository <br> perl-Module-Install-TestBase <br> perl-Module-Load-Util <br> perl-Module-Manifest <br> perl-Module-Manifest-Skip <br> perl-Module-Package <br> perl-Module-Package-Au <br> perl-Module-Pluggable <br> perl-Module-Runtime <br> perl-Module-Signature <br> perl-Mojolicious <br> perl-Moo <br> perl-Mozilla-CA <br> perl-Mozilla-LDAP <br> perl-MRO-Compat <br> perl-multidimensional <br> perl-namespace-autoclean <br> perl-namespace-clean <br> perl-Net-CIDR-Lite <br> perl-Net-Daemon <br> perl-Net-DNS <br> perl-Net-DNS-Resolver-Mock <br> perl-Net-DNS-Resolver-Programmable <br> perl-Net-HTTP <br> perl-Net-IMAP-Simple <br> perl-Net-IMAP-Simple-SSL <br> perl-Net-IP <br> perl-Net-LibIDN2 <br> perl-Net-Patricia <br> perl-Net-SMTP-SSL <br> perl-Net-SNMP <br> perl-Net-Telnet <br> perl-Newt <br> perl-NNTPClient <br> perl-NTLM <br> perl-Number-Compare <br> perl-Object-Deadly <br> perl-Object-HashBase <br> perl-Package-Anon <br> perl-Package-Constants <br> perl-Package-DeprecationManager <br> perl-Package-Generator <br> perl-Package-Stash <br> perl-Package-Stash-XS <br> perl-PadWalker <br> perl-Paper-Specs <br> perl-PAR-Dist <br> perl-Parallel-Iterator <br> perl-Params-Classify <br> perl-Params-Util <br> perl-Params-Validate <br> perl-Params-ValidationCompiler <br> perl-Parse-PMFile <br> perl-Parse-RecDescent <br> perl-Parse-Yapp <br> perl-Path-Tiny <br> perl-Perl-Critic <br> perl-Perl-Critic-More <br> perl-Perl-Destruct-Level <br> perl-Perl-MinimumVersion <br> perl-Perl4-CoreLibs <br> perl-PerlIO-gzip <br> perl-PerlIO-utf8_strict <br> perl-PkgConfig-LibPkgConf <br> perl-Pod-Coverage <br> perl-Pod-Coverage-TrustPod <br> perl-Pod-Escapes <br> perl-Pod-Eventual <br> perl-Pod-LaTeX <br> perl-Pod-Markdown <br> perl-Pod-Parser <br> perl-Pod-Plainer <br> perl-Pod-POM <br> perl-Pod-Spell <br> perl-PPI <br> perl-PPI-HTML <br> perl-PPIx-QuoteLike <br> perl-PPIx-Regexp <br> perl-PPIx-Utilities <br> perl-prefork <br> perl-Probe-Perl <br> perl-Razor-Agent <br> perl-Readonly <br> perl-Readonly-XS <br> perl-Ref-Util <br> perl-Ref-Util-XS <br> perl-Regexp-Pattern-Perl <br> perl-Return-MultiLevel <br> perl-Role-Tiny <br> perl-Scope-Guard <br> perl-Scope-Upper <br> perl-SGMLSpm <br> perl-SNMP_Session <br> perl-Socket6 <br> perl-Software-License <br> perl-Sort-Versions <br> perl-Specio <br> perl-Spiffy <br> perl-strictures <br> perl-String-CRC32 <br> perl-String-Format <br> perl-String-ShellQuote <br> perl-String-Similarity <br> perl-Sub-Exporter <br> perl-Sub-Exporter-Progressive <br> perl-Sub-Identify <br> perl-Sub-Info <br> perl-Sub-Install <br> perl-Sub-Name <br> perl-Sub-Quote <br> perl-Sub-Uplevel <br> perl-SUPER <br> perl-Switch <br> perl-Syntax-Highlight-Engine-Kate <br> perl-Sys-CPU <br> perl-Sys-MemInfo <br> perl-Sys-Virt <br> perl-Taint-Runtime <br> perl-Task-Weaken <br> perl-Term-Size-Any <br> perl-Term-Size-Perl <br> perl-Term-Table <br> perl-Term-UI <br> perl-TermReadKey <br> perl-Test-Base <br> perl-Test-ClassAPI <br> perl-Test-CPAN-Meta <br> perl-Test-CPAN-Meta-JSON <br> perl-Test-Deep <br> perl-Test-Differences <br> perl-Test-DistManifest <br> perl-Test-Distribution <br> perl-Test-EOL <br> perl-Test-Exception <br> perl-Test-Exit <br> perl-Test-FailWarnings <br> perl-Test-Fatal <br> perl-Test-File <br> perl-Test-File-ShareDir <br> perl-Test-Harness <br> perl-Test-HasVersion <br> perl-Test-InDistDir <br> perl-Test-Inter <br> perl-Test-LeakTrace <br> perl-Test-LongString <br> perl-Test-Manifest <br> perl-Test-Memory-Cycle <br> perl-Test-MinimumVersion <br> perl-Test-MockObject <br> perl-Test-MockRandom <br> perl-Test-Needs <br> perl-Test-NoTabs <br> perl-Test-NoWarnings <br> perl-Test-Object <br> perl-Test-Output <br> perl-Test-Pod <br> perl-Test-Pod-Coverage <br> perl-Test-Portability-Files <br> perl-Test-Requires <br> perl-Test-RequiresInternet <br> perl-Test-Script <br> perl-Test-Simple <br> perl-Test-SubCalls <br> perl-Test-Synopsis <br> perl-Test-Taint <br> perl-Test-TrailingSpace <br> perl-Test-utf8 <br> perl-Test-Vars <br> perl-Test-Warn <br> perl-Test-Without-Module <br> perl-Test2-Plugin-NoWarnings <br> perl-Test2-Suite <br> perl-Test2-Tools-Explain <br> perl-Text-CharWidth <br> perl-Text-CSV_XS <br> perl-Text-Diff <br> perl-Text-Glob <br> perl-Text-Iconv <br> perl-Text-Soundex <br> perl-Text-Unidecode <br> perl-Text-WrapI18N <br> perl-Tie-IxHash <br> perl-TimeDate <br> perl-Tree-DAG_Node <br> perl-Unicode-EastAsianWidth <br> perl-Unicode-LineBreak <br> perl-Unicode-Map8 <br> perl-Unicode-String <br> perl-Unicode-UTF8 <br> perl-UNIVERSAL-can <br> perl-UNIVERSAL-isa <br> perl-Unix-Syslog <br> perl-URI <br> perl-Variable-Magic <br> perl-Version-Requirements <br> perl-WWW-RobotRules <br> perl-XML-Catalog <br> perl-XML-DOM <br> perl-XML-Dumper <br> perl-XML-Filter-BufferText <br> perl-XML-Generator <br> perl-XML-Grove <br> perl-XML-Handler-YAWriter <br> perl-XML-LibXML <br> perl-XML-LibXSLT <br> perl-XML-NamespaceSupport <br> perl-XML-Parser-Lite <br> perl-XML-RegExp <br> perl-XML-SAX <br> perl-XML-SAX-Base <br> perl-XML-SAX-Writer <br> perl-XML-Simple <br> perl-XML-TokeParser <br> perl-XML-TreeBuilder <br> perl-XML-Twig <br> perl-XML-Writer <br> perl-XML-XPath <br> perl-XML-XPathEngine <br> perl-XString <br> perl-YAML-LibYAML <br> perl-YAML-PP <br> perl-YAML-Syck <br> perltidy <br> pesign <br> phodav <br> php <br> php-pear <br> php-pecl-zip <br> physfs <br> picosat <br> pinfo <br> pipewire <br> pixman <br> pkcs11-helper <br> pkgconf <br> plexus-cipher <br> plexus-containers <br> plexus-sec-dispatcher <br> plotutils <br> pmdk-convert <br> pmix <br> pngcrush <br> pngnq <br> po4a <br> podman <br> poetry <br> policycoreutils <br> polkit-pkla-compat <br> polkit-qt-1 <br> portreserve <br> postfix <br> potrace <br> powertop <br> ppp <br> pps-tools <br> pptp <br> priv_wrapper <br> procmail <br> prometheus <br> prometheus-node-exporter <br> ps_mem <br> psacct <br> pssh <br> psutils <br> ptlib <br> publicsuffix-list <br> pugixml <br> pulseaudio <br> puppet <br> pwgen <br> pyatspi <br> pybind11 <br> pycairo <br> pyelftools <br> pyflakes <br> pygobject3 <br> PyGreSQL <br> pykickstart <br> pylint <br> pyparted <br> pyproject-rpm-macros <br> pyserial <br> python-absl-py <br> python-aiodns <br> python-aiohttp <br> python-alsa <br> python-argcomplete <br> python-argparse-manpage <br> python-astroid <br> python-astunparse <br> python-async-generator <br> python-augeas <br> python-azure-sdk <br> python-beautifulsoup4 <br> python-betamax <br> python-blinker <br> python-blivet <br> python-cached_property <br> python-charset-normalizer <br> python-cheetah <br> python-click <br> python-cmd2 <br> python-colorama <br> python-CommonMark <br> python-conda-package-handling <br> python-configshell <br> python-cpuinfo <br> python-cups <br> python-curio <br> python-cytoolz <br> python-d2to1 <br> python-dbus-client-gen <br> python-dbus-python-client-gen <br> python-dbus-signature-pyparsing <br> python-dbusmock <br> python-ddt <br> python-debtcollector <br> python-decorator <br> python-distlib <br> python-dmidecode <br> python-dns <br> python-dtopt <br> python-dulwich <br> python-editables <br> python-enchant <br> python-entrypoints <br> python-ethtool <br> python-evdev <br> python-extras <br> python-faker <br> python-fasteners <br> python-fastjsonschema <br> python-fields <br> python-filelock <br> python-fixtures <br> python-flake8 <br> python-flask <br> python-flit <br> python-flit-core <br> python-fluidity-sm <br> python-frozendict <br> python-funcsigs <br> python-gast <br> python-genshi <br> python-google-auth <br> python-google-auth-oauthlib <br> python-greenlet <br> python-gssapi <br> python-h5py <br> python-hatch-fancy-pypi-readme <br> python-hatch-vcs <br> python-hatchling <br> python-hs-dbus-signature <br> python-html5lib <br> python-httplib2 <br> python-humanize <br> python-hwdata <br> python-importlib-metadata <br> python-inotify <br> python-into-dbus-python <br> python-IPy <br> python-iso8601 <br> python-isodate <br> python-isort <br> python-itsdangerous <br> python-justbases <br> python-justbytes <br> python-jwcrypto <br> python-jwt <br> python-kdcproxy <br> python-kerberos <br> python-kmod <br> python-kubernetes <br> python-lark <br> python-lazy-object-proxy <br> python-ldap <br> python-linux-procfs <br> python-lit <br> python-looseversion <br> python-markdown <br> python-markdown-it-py <br> python-mccabe <br> python-mdurl <br> python-memcached <br> python-mimeparse <br> python-mock <br> python-monotonic <br> python-more-itertools <br> python-mpmath <br> python-msal <br> python-msrestazure <br> python-mutagen <br> python-networkx <br> python-nose2 <br> python-ntlm-auth <br> python-oauth2client <br> python-openpyxl <br> python-openstackdocstheme <br> python-oslo-i18n <br> python-oslo-sphinx <br> python-paramiko <br> python-pathspec <br> python-pefile <br> python-pexpect <br> python-pkgconfig <br> python-platformdirs <br> python-pluggy <br> python-podman-api <br> python-poetry-core <br> python-process-tests <br> python-productmd <br> python-ptyprocess <br> python-pycares <br> python-pycosat <br> python-pydbus <br> python-pymongo <br> python-PyMySQL <br> python-pyperclip <br> python-pyroute2 <br> python-pyrsistent <br> python-pysocks <br> python-pytest-benchmark <br> python-pytest-cov <br> python-pytest-expect <br> python-pytest-flake8 <br> python-pytest-flakes <br> python-pytest-forked <br> python-pytest-mock <br> python-pytest-relaxed <br> python-pytest-runner <br> python-pytest-subtests <br> python-pytest-timeout <br> python-pytest-xdist <br> python-pytoml <br> python-pyudev <br> python-pywbem <br> python-qrcode <br> python-rdflib <br> python-recommonmark <br> python-requests-file <br> python-requests-ftp <br> python-requests-kerberos <br> python-requests-mock <br> python-requests-oauthlib <br> python-requests-toolbelt <br> python-requests_ntlm <br> python-responses <br> python-retrying <br> python-rfc3986 <br> python-rich <br> python-rpm-generators <br> python-rpmfluff <br> python-rtslib <br> python-ruamel-yaml <br> python-ruamel-yaml-clib <br> python-s3transfer <br> python-schedutils <br> python-semantic_version <br> python-should_dsl <br> python-simpleline <br> python-slip <br> python-sniffio <br> python-sortedcontainers <br> python-soupsieve <br> python-sphinx <br> python-sphinx-epytext <br> python-sphinx-theme-py3doc-enhanced <br> python-sphinx_rtd_theme <br> python-sphinxcontrib-apidoc <br> python-sphinxcontrib-applehelp <br> python-sphinxcontrib-devhelp <br> python-sphinxcontrib-htmlhelp <br> python-sphinxcontrib-httpdomain <br> python-sphinxcontrib-jsmath <br> python-sphinxcontrib-qthelp <br> python-sphinxcontrib-serializinghtml <br> python-sqlalchemy <br> python-suds <br> python-systemd <br> python-tempita <br> python-templated-dictionary <br> python-termcolor <br> python-testpath <br> python-testresources <br> python-testscenarios <br> python-testtools <br> python-tidy <br> python-toml <br> python-tomli <br> python-toolz <br> python-tornado <br> python-tox <br> python-tox-current-env <br> python-tqdm <br> python-trio <br> python-trove-classifiers <br> python-typing-extensions <br> python-uamqp <br> python-unittest2 <br> python-uritemplate <br> python-urwid <br> python-varlink <br> python-versioneer <br> python-virt-firmware <br> python-voluptuous <br> python-waitress <br> python-webencodings <br> python-webtest <br> python-wheel <br> python-whoosh <br> python-winrm <br> python-wrapt <br> python-xlrd <br> python-xlsxwriter <br> python-xmltodict <br> python-yubico <br> python-zipp <br> python-zmq <br> python-zstd <br> python3-mallard-ducktype <br> python3-pytest-asyncio <br> python3-typed_ast <br> pyusb <br> pywbem <br> pyxattr <br> qemu <br> qhull <br> qpdf <br> qperf <br> qr-code-generator <br> qt-rpm-macros <br> qt5-qtconnectivity <br> qt5-qtsensors <br> qt5-qtserialport <br> qtbase <br> qtdeclarative <br> qtsvg <br> qttools <br> quagga <br> quota <br> radvd <br> ragel <br> raptor2 <br> rarian <br> rasdaemon <br> rasqal <br> rcs <br> rdist <br> rdma-core <br> re2 <br> re2c <br> realmd <br> rear <br> recode <br> resource-agents <br> rest <br> rhash <br> rlwrap <br> rp-pppoe <br> rpm-mpi-hooks <br> rpmdevtools <br> rpmlint <br> rr <br> rtkit <br> rtl-sdr <br> ruby-augeas <br> rubygem-bson <br> rubygem-coderay <br> rubygem-diff-lcs <br> rubygem-flexmock <br> rubygem-hpricot <br> rubygem-introspection <br> rubygem-liquid <br> rubygem-maruku <br> rubygem-metaclass <br> rubygem-mongo <br> rubygem-mustache <br> rubygem-mysql2 <br> rubygem-pkg-config <br> rubygem-rake <br> rubygem-rake-compiler <br> rubygem-ronn <br> rubygem-rouge <br> rubygem-rspec <br> rubygem-rspec-expectations <br> rubygem-rspec-mocks <br> rubygem-rspec-support <br> rubygem-thread_order <br> rusers <br> rust-cbindgen <br> samba <br> sanlock <br> sassist <br> satyr <br> sbc <br> sblim-cim-client2 <br> sblim-cmpi-base <br> sblim-cmpi-devel <br> sblim-cmpi-fsvol <br> sblim-cmpi-network <br> sblim-cmpi-nfsv3 <br> sblim-cmpi-nfsv4 <br> sblim-cmpi-params <br> sblim-cmpi-sysfs <br> sblim-cmpi-syslog <br> sblim-indication_helper <br> sblim-sfcb <br> sblim-sfcc <br> sblim-sfcCommon <br> sblim-testsuite <br> sblim-wbemcli <br> scl-utils <br> scotch <br> screen <br> scrub <br> SDL <br> SDL2 <br> SDL_sound <br> sdparm <br> seabios <br> secilc <br> selinux-policy <br> serd <br> setools <br> setserial <br> setuptool <br> sgabios <br> sgml-common <br> sgpio <br> shared-mime-info <br> sharutils <br> sip <br> sisu <br> skkdic <br> sleuthkit <br> slirp4netns <br> smartmontools <br> smc-tools <br> socket_wrapper <br> softhsm <br> sombok <br> sord <br> sos <br> sound-theme-freedesktop <br> soundtouch <br> sox <br> soxr <br> sparsehash <br> spausedd <br> speex <br> speexdsp <br> spice-protocol <br> spice-vdagent <br> spirv-headers <br> spirv-tools <br> splix <br> squashfs-tools <br> squid <br> sratom <br> sscg <br> star <br> startup-notification <br> stress-ng <br> stunnel <br> subscription-manager <br> suitesparse <br> SuperLU <br> supermin <br> switcheroo-control <br> swtpm <br> symlinks <br> sympy <br> sysfsutils <br> systemd <br> systemd-bootchart <br> t1lib <br> t1utils <br> taglib <br> tang <br> targetcli <br> tbb <br> tcl-pgtcl <br> tclx <br> teckit <br> telnet <br> thrift <br> tidy <br> time <br> tini <br> tinycdb <br> tix <br> tk <br> tlog <br> tmpwatch <br> tn5250 <br> tofrodos <br> tokyocabinet <br> trace-cmd <br> tss2 <br> ttembed <br> ttmkfdir <br> tuna <br> twolame <br> uchardet <br> uclibc-ng <br> ucpp <br> ucs-miscfixed-fonts <br> ucx <br> udftools <br> udica <br> udisks2 <br> uglify-js <br> uid_wrapper <br> unicode-emoji <br> unicode-ucd <br> unique3 <br> units <br> upower <br> uriparser <br> urlview <br> usb_modeswitch <br> usb_modeswitch-data <br> usbguard <br> usbip <br> usbmuxd <br> usbredir <br> usermode <br> ustr <br> uthash <br> uuid <br> uw-imap <br> v4l-utils <br> vhostmd <br> vino <br> virglrenderer <br> virt-p2v <br> virt-top <br> virt-what <br> virt-who <br> vitess <br> vmem <br> volume_key <br> vorbis-tools <br> vte291 <br> vulkan-headers <br> vulkan-loader <br> watchdog <br> wavpack <br> wayland <br> wayland-protocols <br> web-assets <br> webrtc-audio-processing <br> websocketpp <br> wget <br> whois <br> wireguard-tools <br> wireless-regdb <br> wireshark <br> woff2 <br> wordnet <br> words <br> wpebackend-fdo <br> wsmancli <br> wvdial <br> x3270 <br> xapian-core <br> Xaw3d <br> xcb-proto <br> xcb-util <br> xcb-util-image <br> xcb-util-keysyms <br> xcb-util-renderutil <br> xcb-util-wm <br> xdelta <br> xdg-dbus-proxy <br> xdg-utils <br> xdp-tools <br> xerces-c <br> xfconf <br> xfsdump <br> xhtml1-dtds <br> xkeyboard-config <br> xmlstarlet <br> xmltoman <br> xmvn <br> xorg-x11-apps <br> xorg-x11-drv-libinput <br> xorg-x11-font-utils <br> xorg-x11-fonts <br> xorg-x11-proto-devel <br> xorg-x11-server <br> xorg-x11-server-utils <br> xorg-x11-server-Xwayland <br> xorg-x11-util-macros <br> xorg-x11-utils <br> xorg-x11-xauth <br> xorg-x11-xbitmaps <br> xorg-x11-xinit <br> xorg-x11-xkb-utils <br> xorg-x11-xtrans-devel <br> xrestop <br> xterm <br> xxhash <br> yajl <br> yaml-cpp <br> yasm <br> yelp-tools <br> yelp-xsl <br> ykclient <br> yp-tools <br> ypbind <br> ypserv <br> z3 <br> zenity <br> zerofree <br> zfs-fuse <br> zipper <br> zopfli <br> zziplib |
+| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | 389-ds-base <br> a52dec <br> abseil-cpp <br> accountsservice <br> acpica-tools <br> acpid <br> adcli <br> adobe-mappings-cmap <br> adobe-mappings-pdf <br> advancecomp <br> adwaita-icon-theme <br> afflib <br> aide <br> alsa-firmware <br> alsa-plugins <br> amtk <br> amtterm <br> annobin <br> ansible-freeipa <br> archivemount <br> arptables <br> arpwatch <br> asio <br> aspell <br> aspell-en <br> at <br> at-spi2-atk <br> at-spi2-core <br> atf <br> atk <br> atop <br> attr <br> audiofile <br> augeas <br> authbind <br> authd <br> authselect <br> autoconf213 <br> avahi <br> babeltrace <br> babeltrace2 <br> babl <br> baekmuk-ttf-fonts <br> bats <br> bcache-tools <br> biosdevname <br> blosc <br> bluez <br> bmake <br> bolt <br> boom-boot <br> booth <br> botan2 <br> breezy <br> brotli <br> buildah <br> busybox <br> bwidget <br> byacc <br> ca-certificates <br> cachefilesd <br> cairomm <br> calamares <br> capnproto <br> capstone <br> catatonit <br> catch <br> catch1 <br> cdrdao <br> celt051 <br> cereal <br> certmonger <br> cfitsio <br> cgdcbxd <br> chan <br> CharLS <br> checkpolicy <br> checksec <br> chrony <br> cim-schema <br> cjkuni-uming-fonts <br> cjose <br> ck <br> cldr-emoji-annotation <br> clucene <br> clutter <br> clutter-gst3 <br> clutter-gtk <br> cmocka <br> cogl <br> collectd <br> colm <br> color-filesystem <br> colord <br> colorize <br> compat-lua <br> compiler-rt <br> conda <br> conmon <br> conntrack-tools <br> console-setup <br> container-exception-logger <br> containernetworking-plugins <br> convmv <br> corosync <br> corosync-qdevice <br> cpp-hocon <br> cppcheck <br> cpprest <br> cpptest <br> cpufrequtils <br> cpuid <br> criu <br> crypto-policies <br> cryptsetup <br> cscope <br> ctags <br> CUnit <br> cups <br> custodia <br> Cython <br> dbus-c++ <br> dbus-python <br> dbxtool <br> dconf <br> dcraw <br> debootstrap <br> deltarpm <br> desktop-file-utils <br> device-mapper-persistent-data <br> dhcpcd <br> dietlibc <br> diffstat <br> ding-libs <br> discount <br> distribution-gpg-keys <br> dleyna-connector-dbus <br> dleyna-core <br> dmraid <br> dnf <br> dnf-plugins-core <br> docbook-dtds <br> docbook-simple <br> docbook-slides <br> docbook-style-dsssl <br> docbook-utils <br> docbook2X <br> docbook5-schemas <br> docbook5-style-xsl <br> dogtail <br> dos2unix <br> dotconf <br> dovecot <br> dpdk <br> dpkg <br> driverctl <br> dropwatch <br> drpm <br> duktape <br> dumpet <br> dvd+rw-tools <br> dwarves <br> dwz <br> dyninst <br> ebtables <br> edac-utils <br> edk2 <br> efax <br> efi-rpm-macros <br> egl-wayland <br> eglexternalplatform <br> elinks <br> enca <br> enchant <br> enchant2 <br> enscript <br> environment-modules <br> evemu <br> execstack <br> exempi <br> exiv2 <br> extra-cmake-modules <br> fabtests <br> facter <br> fakechroot <br> fakeroot <br> fdk-aac-free <br> fdupes <br> fence-virt <br> fetchmail <br> fftw <br> filebench <br> fio <br> fipscheck <br> firewalld <br> flac <br> flatbuffers <br> flite <br> fltk <br> fmt <br> fontawesome-fonts <br> fontawesome4-fonts <br> fontpackages <br> fonts-rpm-macros <br> foomatic-db <br> freeglut <br> freeipmi <br> freeradius <br> freetds <br> freexl <br> fribidi <br> fros <br> frr <br> fsverity-utils <br> fuse-overlayfs <br> fuse-sshfs <br> fuse-zip <br> fuse3 <br> future <br> fxload <br> gavl <br> gbenchmark <br> gconf-editor <br> GConf2 <br> gcovr <br> gcr <br> gdal <br> gdisk <br> gdk-pixbuf2 <br> generic-logos <br> genwqe-tools <br> geoclue2 <br> GeoIP <br> GeoIP-GeoLite-data <br> geolite2 <br> geos <br> gfs2-utils <br> ghc-srpm-macros <br> giflib <br> gl-manpages <br> glew <br> glm <br> glog <br> glslang <br> glusterfs <br> gnome-desktop-testing <br> gnome-doc-utils <br> gnome-icon-theme <br> gnome-keyring <br> gnu-efi <br> go-rpm-macros <br> gom <br> google-api-python-client <br> google-crosextra-caladea-fonts <br> google-crosextra-carlito-fonts <br> google-guice <br> google-noto-cjk-fonts <br> google-noto-emoji-fonts <br> google-roboto-slab-fonts <br> gphoto2 <br> gpm <br> gpsbabel <br> graphene <br> graphite2 <br> graphviz <br> grubby <br> gsettings-desktop-schemas <br> gsl <br> gsm <br> gspell <br> gssdp <br> gssntlmssp <br> gstreamer1 <br> gstreamer1-plugins-base <br> gtk-vnc <br> gtk2 <br> gtk3 <br> gtkspell <br> gupnp <br> gupnp-av <br> gupnp-dlna <br> gupnp-igd <br> hardening-check <br> hdf <br> hdf5 <br> heimdal <br> help2man <br> hexedit <br> hicolor-icon-theme <br> hiera <br> highlight <br> hivex <br> hostname <br> hping3 <br> hsakmt <br> htop <br> hunspell <br> hunspell-af <br> hunspell-ar <br> hunspell-as <br> hunspell-ast <br> hunspell-az <br> hunspell-be <br> hunspell-bg <br> hunspell-bn <br> hunspell-br <br> hunspell-ca <br> hunspell-cop <br> hunspell-csb <br> hunspell-cv <br> hunspell-cy <br> hunspell-da <br> hunspell-de <br> hunspell-dsb <br> hunspell-el <br> hunspell-en <br> hunspell-eo <br> hunspell-es <br> hunspell-et <br> hunspell-eu <br> hunspell-fa <br> hunspell-fj <br> hunspell-fo <br> hunspell-fr <br> hunspell-fur <br> hunspell-fy <br> hunspell-ga <br> hunspell-gd <br> hunspell-gl <br> hunspell-grc <br> hunspell-gu <br> hunspell-gv <br> hunspell-haw <br> hunspell-hi <br> hunspell-hil <br> hunspell-hr <br> hunspell-hsb <br> hunspell-ht <br> hunspell-hu <br> hunspell-hy <br> hunspell-ia <br> hunspell-id <br> hunspell-is <br> hunspell-it <br> hunspell-kk <br> hunspell-km <br> hunspell-kn <br> hunspell-ko <br> hunspell-ku <br> hunspell-ky <br> hunspell-la <br> hunspell-lb <br> hunspell-ln <br> hunspell-mai <br> hunspell-mg <br> hunspell-mi <br> hunspell-mk <br> hunspell-ml <br> hunspell-mn <br> hunspell-mos <br> hunspell-mr <br> hunspell-ms <br> hunspell-mt <br> hunspell-nds <br> hunspell-ne <br> hunspell-nl <br> hunspell-no <br> hunspell-nr <br> hunspell-nso <br> hunspell-ny <br> hunspell-om <br> hunspell-or <br> hunspell-pa <br> hunspell-pl <br> hunspell-pt <br> hunspell-quh <br> hunspell-ro <br> hunspell-ru <br> hunspell-rw <br> hunspell-se <br> hunspell-shs <br> hunspell-si <br> hunspell-sk <br> hunspell-sl <br> hunspell-smj <br> hunspell-so <br> hunspell-sq <br> hunspell-sr <br> hunspell-sv <br> hunspell-sw <br> hunspell-ta <br> hunspell-te <br> hunspell-tet <br> hunspell-th <br> hunspell-tk <br> hunspell-tl <br> hunspell-tn <br> hunspell-tpi <br> hunspell-ts <br> hunspell-uk <br> hunspell-uz <br> hunspell-ve <br> hunspell-vi <br> hunspell-wa <br> hunspell-xh <br> hunspell-yi <br> hwdata <br> hwloc <br> hyperscan <br> hyperv-daemons <br> hyphen <br> hyphen-as <br> hyphen-bg <br> hyphen-bn <br> hyphen-ca <br> hyphen-da <br> hyphen-de <br> hyphen-el <br> hyphen-es <br> hyphen-fa <br> hyphen-fo <br> hyphen-fr <br> hyphen-ga <br> hyphen-gl <br> hyphen-grc <br> hyphen-gu <br> hyphen-hi <br> hyphen-hsb <br> hyphen-hu <br> hyphen-ia <br> hyphen-id <br> hyphen-is <br> hyphen-it <br> hyphen-kn <br> hyphen-ku <br> hyphen-lt <br> hyphen-mi <br> hyphen-ml <br> hyphen-mn <br> hyphen-mr <br> hyphen-nl <br> hyphen-or <br> hyphen-pa <br> hyphen-pl <br> hyphen-pt <br> hyphen-ro <br> hyphen-ru <br> hyphen-sa <br> hyphen-sk <br> hyphen-sl <br> hyphen-sv <br> hyphen-ta <br> hyphen-te <br> hyphen-tk <br> hyphen-uk <br> ibus <br> ibus-chewing <br> ibus-hangul <br> ibus-kkc <br> ibus-libzhuyin <br> ibus-m17n <br> ibus-rawcode <br> ibus-sayura <br> ibus-table <br> ibus-table-chinese <br> icc-profiles-openicc <br> icon-naming-utils <br> icoutils <br> iftop <br> iio-sensor-proxy <br> ilmbase <br> im-chooser <br> imaptest <br> imsettings <br> indent <br> infinipath-psm <br> inih <br> iniparser <br> intel-cmt-cat <br> intel-ipsec-mb <br> ioping <br> IP2Location <br> ipa-pgothic-fonts <br> ipcalc <br> ipmitool <br> iprutils <br> iptraf-ng <br> iptstate <br> irssi <br> iscsi-initiator-utils <br> isns-utils <br> iso-codes <br> isomd5sum <br> iw <br> iwd <br> jabberpy <br> jakarta-servlet <br> jasper <br> javapackages-bootstrap <br> javapackages-tools <br> jbigkit <br> jdom2 <br> jemalloc <br> jfsutils <br> jimtcl <br> jose <br> js-jquery <br> jsoncpp <br> Judy <br> jurand <br> kata-containers <br> kde-filesystem <br> kde-settings <br> kexec-tools <br> keybinder3 <br> keycloak-httpd-client-install <br> kf <br> kf-kconfig <br> kf-kcoreaddons <br> kf-ki18n <br> kf-kwidgetsaddons <br> kpmcore <br> kronosnet <br> ksh <br> kyotocabinet <br> kyua <br> ladspa <br> lame <br> langtable <br> lapack <br> lasso <br> latencytop <br> lato-fonts <br> lcms2 <br> lcov <br> ldns <br> leatherman <br> ledmon <br> lensfun <br> leveldb <br> lftp <br> libabw <br> libaec <br> libao <br> libappstream-glib <br> libarrow <br> libart_lgpl <br> libasyncns <br> libatasmart <br> libavc1394 <br> libblockdev <br> libbpf <br> libbsd <br> libburn <br> libbytesize <br> libcacard <br> libcanberra <br> libcdio <br> libcdio-paranoia <br> libcdr <br> libcgroup <br> libchewing <br> libcli <br> libcmis <br> libcmpiutil <br> libcomps <br> libcroco <br> libcxx <br> libdaemon <br> libdap <br> libdatrie <br> libdazzle <br> libdbi <br> libdbusmenu <br> libdc1394 <br> libdecor <br> libdeflate <br> libdmx <br> libdnf <br> libdrm <br> libdvdnav <br> libdvdread <br> libdwarf <br> libeasyfc <br> libecap <br> libecb <br> libei <br> libell <br> libEMF <br> libeot <br> libepoxy <br> libepubgen <br> libesmtp <br> libetonyek <br> libev <br> libevdev <br> libexif <br> libexttextcat <br> libfabric <br> libfontenc <br> libfreehand <br> libftdi <br> libgadu <br> libgdither <br> libgee <br> libgee06 <br> libgeotiff <br> libgexiv2 <br> libgit2 <br> libgit2-glib <br> libglade2 <br> libglvnd <br> libgovirt <br> libgphoto2 <br> libgsf <br> libgta <br> libguestfs <br> libgusb <br> libgxim <br> libgxps <br> libhangul <br> libhugetlbfs <br> libibcommon <br> libical <br> libICE <br> libicns <br> libid3tag <br> libIDL <br> libidn2 <br> libiec61883 <br> libieee1284 <br> libimobiledevice <br> libindicator <br> libinput <br> libiodbc <br> libipt <br> libiptcdata <br> libiscsi <br> libisoburn <br> libisofs <br> libjcat <br> libkcapi <br> libkeepalive <br> libkkc <br> libkkc-data <br> libkml <br> liblangtag <br> libldb <br> libldm <br> liblerc <br> liblockfile <br> liblognorm <br> liblouis <br> liblqr-1 <br> liblzf <br> libmad <br> libmd <br> libmediaart <br> libmicrohttpd <br> libmikmod <br> libmodman <br> libmodplug <br> libmodulemd1 <br> libmpcdec <br> libmspub <br> libmtp <br> libmusicbrainz5 <br> libmwaw <br> libnbd <br> libnet <br> libnetfilter_log <br> libnfs <br> libnotify <br> libntlm <br> libnumbertext <br> libnvme <br> liboauth <br> libodfgen <br> libofa <br> libogg <br> liboggz <br> liboil <br> libomxil-bellagio <br> libopenraw <br> liboping <br> libosinfo <br> libotf <br> libotr <br> libpagemaker <br> libpaper <br> libpciaccess <br> libpeas <br> libpfm <br> libpinyin <br> libplist <br> libpmemobj-cpp <br> libpng12 <br> libpng15 <br> libproxy <br> libpsm2 <br> libpwquality <br> libqb <br> libqxp <br> libraqm <br> LibRaw <br> libraw1394 <br> libreport <br> libreswan <br> librevenge <br> librsvg2 <br> librx <br> libsamplerate <br> libsass <br> libsecret <br> libsemanage <br> libsigc++20 <br> libsigsegv <br> libslirp <br> libSM <br> libsmbios <br> libsmi <br> libsndfile <br> libsodium <br> libspiro <br> libsrtp <br> libssh <br> libstaroffice <br> libstemmer <br> libstoragemgmt <br> libtdb <br> libteam <br> libtevent <br> libthai <br> libtnc <br> libtomcrypt <br> libtommath <br> libtpms <br> libtracecmd <br> libtraceevent <br> libtracefs <br> libtranslit <br> libucil <br> libunicap <br> libuninameslist <br> liburing <br> libusbmuxd <br> libuser <br> libutempter <br> libvarlink <br> libverto <br> libvirt-dbus <br> libvirt-glib <br> libvirt-java <br> libvirt-python <br> libvisio <br> libvisual <br> libvoikko <br> libvorbis <br> libvpx <br> libwacom <br> libwnck3 <br> libwpd <br> libwpe <br> libwpg <br> libwps <br> libwvstreams <br> libX11 <br> libXau <br> libXaw <br> libxcb <br> libXcomposite <br> libxcrypt <br> libXcursor <br> libxcvt <br> libXdamage <br> libXdmcp <br> libXext <br> libxfce4util <br> libXfixes <br> libXfont2 <br> libXft <br> libXi <br> libXinerama <br> libxkbcommon <br> libxkbfile <br> libxklavier <br> libxmlb <br> libXmu <br> libXpm <br> libXrandr <br> libXrender <br> libXres <br> libXScrnSaver <br> libxshmfence <br> libXt <br> libXtst <br> libXv <br> libXxf86vm <br> libyami <br> libyang <br> libyubikey <br> libzip <br> libzmf <br> lilv <br> linuxconsoletools <br> linuxptp <br> lksctp-tools <br> lldpd <br> lockdev <br> logwatch <br> lpsolve <br> lrzsz <br> lua <br> lua-expat <br> lua-filesystem <br> lua-json <br> lua-lpeg <br> lua-lunit <br> lua-rpm-macros <br> lua-term <br> luajit <br> lujavrite <br> luksmeta <br> lutok <br> lv2 <br> lzip <br> lzop <br> m17n-db <br> m17n-lib <br> mac-robber <br> mailcap <br> mailx <br> malaga <br> malaga-suomi-voikko <br> mallard-rng <br> man-pages-cs <br> man-pages-es <br> man-pages-it <br> man-pages-ja <br> man-pages-ko <br> man-pages-pl <br> man-pages-ru <br> man-pages-zh-CN <br> mandoc <br> mariadb-connector-c <br> mariadb-connector-odbc <br> marisa <br> maven-compiler-plugin <br> maven-jar-plugin <br> maven-resolver <br> maven-resources-plugin <br> maven-surefire <br> maven-wagon <br> mcelog <br> mcpp <br> mcstrans <br> mdadm <br> mdds <br> mdevctl <br> meanwhile <br> mecab <br> mecab-ipadic <br> media-player-info <br> memcached <br> memkind <br> mesa <br> mesa-libGLU <br> metis <br> microcode_ctl <br> microdnf <br> minicom <br> minizip <br> mksh <br> mobile-broadband-provider-info <br> mock <br> mock-core-configs <br> mod_auth_gssapi <br> mod_auth_mellon <br> mod_auth_openidc <br> mod_authnz_pam <br> mod_fcgid <br> mod_http2 <br> mod_intercept_form_submit <br> mod_lookup_identity <br> mod_md <br> mod_security <br> mod_security_crs <br> mod_wsgi <br> mokutil <br> mosh <br> mpage <br> mrtg <br> mstflint <br> mt-st <br> mtdev <br> mtools <br> mtr <br> mtx <br> munge <br> mutt <br> mythes <br> mythes-bg <br> mythes-ca <br> mythes-cs <br> mythes-da <br> mythes-de <br> mythes-el <br> mythes-en <br> mythes-eo <br> mythes-es <br> mythes-fr <br> mythes-ga <br> mythes-hu <br> mythes-mi <br> mythes-ne <br> mythes-nl <br> mythes-pl <br> mythes-pt <br> mythes-ro <br> mythes-ru <br> mythes-sk <br> mythes-sl <br> mythes-sv <br> mythes-uk <br> nbd <br> nbdkit <br> neon <br> netavark <br> netcdf <br> netcf <br> netlabel_tools <br> netpbm <br> netsniff-ng <br> nfs4-acl-tools <br> nftables <br> nilfs-utils <br> nkf <br> nload <br> nlopt <br> nodejs-packaging <br> nss-mdns <br> nss-pam-ldapd <br> nss_nis <br> nss_wrapper <br> ntfs-3g <br> ntfs-3g-system-compression <br> numad <br> numatop <br> numpy <br> nvmetcli <br> nvml <br> oath-toolkit <br> ocaml <br> ocaml-alcotest <br> ocaml-astring <br> ocaml-augeas <br> ocaml-base <br> ocaml-bigarray-compat <br> ocaml-bisect-ppx <br> ocaml-calendar <br> ocaml-camlp-streams <br> ocaml-camlp5 <br> ocaml-camomile <br> ocaml-cinaps <br> ocaml-cmdliner <br> ocaml-compiler-libs-janestreet <br> ocaml-cppo <br> ocaml-csexp <br> ocaml-csv <br> ocaml-ctypes <br> ocaml-curses <br> ocaml-dune <br> ocaml-extlib <br> ocaml-fileutils <br> ocaml-findlib <br> ocaml-fmt <br> ocaml-fpath <br> ocaml-gettext <br> ocaml-integers <br> ocaml-libvirt <br> ocaml-luv <br> ocaml-lwt <br> ocaml-markup <br> ocaml-mmap <br> ocaml-num <br> ocaml-ocamlbuild <br> ocaml-ocplib-endian <br> ocaml-ounit <br> ocaml-parsexp <br> ocaml-pp <br> ocaml-ppx-derivers <br> ocaml-ppx-here <br> ocaml-ppx-let <br> ocaml-ppxlib <br> ocaml-re <br> ocaml-react <br> ocaml-result <br> ocaml-seq <br> ocaml-sexplib <br> ocaml-sexplib0 <br> ocaml-srpm-macros <br> ocaml-stdio <br> ocaml-stdlib-random <br> ocaml-topkg <br> ocaml-tyxml <br> ocaml-uutf <br> ocaml-xml-light <br> ocaml-zarith <br> ocl-icd <br> oddjob <br> ogdi <br> omping <br> opa <br> opal <br> open-vm-tools <br> openblas <br> opencc <br> opencl-filesystem <br> opencl-headers <br> opencryptoki <br> opencsd <br> opendnssec <br> OpenEXR <br> openjade <br> openjpeg2 <br> openmpi <br> openobex <br> openoffice-lv <br> openrdate <br> opensc <br> openslp <br> opensm <br> opensp <br> openssl <br> openssl-ibmpkcs11 <br> openssl-pkcs11 <br> openwsman <br> optipng <br> opus <br> opusfile <br> orangefs <br> ORBit2 <br> orc <br> os-prober <br> osinfo-db <br> osinfo-db-tools <br> overpass-fonts <br> p11-kit <br> p7zip <br> pacemaker <br> pacrunner <br> pakchois <br> pam_krb5 <br> pam_wrapper <br> papi <br> paps <br> parallel <br> patchelf <br> patchutils <br> pbzip2 <br> pcp <br> pcsc-lite <br> pcsc-lite-ccid <br> PEGTL <br> perl <br> perl-Algorithm-C3 <br> perl-Algorithm-Diff <br> perl-Alien-Build <br> perl-Alien-pkgconf <br> perl-AnyEvent <br> perl-AnyEvent-AIO <br> perl-AnyEvent-BDB <br> perl-App-cpanminus <br> perl-App-FatPacker <br> perl-AppConfig <br> perl-Archive-Extract <br> perl-Archive-Zip <br> perl-Authen-SASL <br> perl-B-COW <br> perl-B-Debug <br> perl-B-Hooks-EndOfScope <br> perl-B-Hooks-OP-Check <br> perl-B-Keywords <br> perl-B-Lint <br> perl-bareword-filehandles <br> perl-Bit-Vector <br> perl-boolean <br> perl-Browser-Open <br> perl-BSD-Resource <br> perl-Business-ISBN <br> perl-Business-ISBN-Data <br> perl-Bytes-Random-Secure <br> perl-Capture-Tiny <br> perl-Carp-Clan <br> perl-CBOR-XS <br> perl-Class-Accessor <br> perl-Class-C3 <br> perl-Class-C3-XS <br> perl-Class-Data-Inheritable <br> perl-Class-Factory-Util <br> perl-Class-Inspector <br> perl-Class-ISA <br> perl-Class-Load <br> perl-Class-Load-XS <br> perl-Class-Method-Modifiers <br> perl-Class-Singleton <br> perl-Class-Tiny <br> perl-Class-XSAccessor <br> perl-Clone <br> perl-Color-ANSI-Util <br> perl-Color-RGB-Util <br> perl-ColorThemeBase-Static <br> perl-ColorThemeRole-ANSI <br> perl-ColorThemes-Standard <br> perl-ColorThemeUtil-ANSI <br> perl-Compress-Bzip2 <br> perl-Compress-LZF <br> perl-Compress-Raw-Lzma <br> perl-Config-AutoConf <br> perl-Config-INI <br> perl-Config-INI-Reader-Multiline <br> perl-Config-IniFiles <br> perl-Config-Simple <br> perl-Config-Tiny <br> perl-Const-Fast <br> perl-Convert-ASN1 <br> perl-Convert-Bencode <br> perl-Coro <br> perl-Coro-Multicore <br> perl-CPAN-Changes <br> perl-CPAN-DistnameInfo <br> perl-CPAN-Meta-Check <br> perl-Cpanel-JSON-XS <br> perl-Crypt-CBC <br> perl-Crypt-DES <br> perl-Crypt-IDEA <br> perl-Crypt-OpenSSL-Bignum <br> perl-Crypt-OpenSSL-Guess <br> perl-Crypt-OpenSSL-Random <br> perl-Crypt-OpenSSL-RSA <br> perl-Crypt-PasswdMD5 <br> perl-Crypt-Random-Seed <br> perl-CSS-Tiny <br> perl-Data-Dump <br> perl-Data-Munge <br> perl-Data-OptList <br> perl-Data-Peek <br> perl-Data-Section <br> perl-Data-UUID <br> perl-Date-Calc <br> perl-Date-ISO8601 <br> perl-Date-Manip <br> perl-DateTime <br> perl-DateTime-Format-Builder <br> perl-DateTime-Format-DateParse <br> perl-DateTime-Format-HTTP <br> perl-DateTime-Format-IBeat <br> perl-DateTime-Format-ISO8601 <br> perl-DateTime-Format-Mail <br> perl-DateTime-Format-Strptime <br> perl-DateTime-Locale <br> perl-DateTime-TimeZone <br> perl-DateTime-TimeZone-SystemV <br> perl-DateTime-TimeZone-Tzfile <br> perl-DBD-MySQL <br> perl-Devel-CallChecker <br> perl-Devel-Caller <br> perl-Devel-CheckBin <br> perl-Devel-CheckLib <br> perl-Devel-Cycle <br> perl-Devel-EnforceEncapsulation <br> perl-Devel-GlobalDestruction <br> perl-Devel-GlobalDestruction-XS <br> perl-Devel-Hide <br> perl-Devel-Leak <br> perl-Devel-LexAlias <br> perl-Devel-Refcount <br> perl-Devel-Size <br> perl-Devel-StackTrace <br> perl-Devel-Symdump <br> perl-Digest-BubbleBabble <br> perl-Digest-CRC <br> perl-Digest-HMAC <br> perl-Digest-SHA1 <br> perl-Dist-CheckConflicts <br> perl-DynaLoader-Functions <br> perl-Email-Address <br> perl-Email-Date-Format <br> perl-Encode-Detect <br> perl-Encode-EUCJPASCII <br> perl-Encode-IMAPUTF7 <br> perl-Encode-Locale <br> perl-Env-ShellWords <br> perl-Error <br> perl-EV <br> perl-Eval-Closure <br> perl-Event <br> perl-Exception-Class <br> perl-Expect <br> perl-ExtUtils-Config <br> perl-ExtUtils-Depends <br> perl-ExtUtils-Helpers <br> perl-ExtUtils-InstallPaths <br> perl-ExtUtils-PkgConfig <br> perl-FCGI <br> perl-Fedora-VSP <br> perl-FFI-CheckLib <br> perl-File-BaseDir <br> perl-File-BOM <br> perl-File-chdir <br> perl-File-CheckTree <br> perl-File-Copy-Recursive <br> perl-File-DesktopEntry <br> perl-File-Find-Object <br> perl-File-Find-Object-Rule <br> perl-File-Find-Rule <br> perl-File-Find-Rule-Perl <br> perl-File-Inplace <br> perl-File-Listing <br> perl-File-MimeInfo <br> perl-File-pushd <br> perl-File-ReadBackwards <br> perl-File-Remove <br> perl-File-ShareDir <br> perl-File-ShareDir-Install <br> perl-File-Slurp <br> perl-File-Slurp-Tiny <br> perl-File-Slurper <br> perl-File-Type <br> perl-Font-TTF <br> perl-FreezeThaw <br> perl-GD <br> perl-GD-Barcode <br> perl-generators <br> perl-Getopt-ArgvFile <br> perl-gettext <br> perl-Graphics-ColorNamesLite-WWW <br> perl-GSSAPI <br> perl-Guard <br> perl-Hook-LexWrap <br> perl-HTML-Parser <br> perl-HTML-Tagset <br> perl-HTML-Tree <br> perl-HTTP-Cookies <br> perl-HTTP-Daemon <br> perl-HTTP-Date <br> perl-HTTP-Message <br> perl-HTTP-Negotiate <br> perl-Image-Base <br> perl-Image-Info <br> perl-Image-Xbm <br> perl-Image-Xpm <br> perl-Import-Into <br> perl-Importer <br> perl-inc-latest <br> perl-indirect <br> perl-Inline-Files <br> perl-IO-AIO <br> perl-IO-All <br> perl-IO-CaptureOutput <br> perl-IO-Compress-Lzma <br> perl-IO-HTML <br> perl-IO-Multiplex <br> perl-IO-SessionData <br> perl-IO-Socket-INET6 <br> perl-IO-String <br> perl-IO-stringy <br> perl-IO-Tty <br> perl-IPC-Run <br> perl-IPC-Run3 <br> perl-IPC-System-Simple <br> perl-JSON <br> perl-JSON-Color <br> perl-JSON-MaybeXS <br> perl-LDAP <br> perl-libnet <br> perl-libwww-perl <br> perl-libxml-perl <br> perl-Lingua-EN-Inflect <br> perl-List-MoreUtils-XS <br> perl-local-lib <br> perl-Locale-Codes <br> perl-Locale-Maketext-Gettext <br> perl-Locale-Msgfmt <br> perl-Locale-PO <br> perl-Log-Message <br> perl-Log-Message-Simple <br> perl-LWP-MediaTypes <br> perl-LWP-Protocol-https <br> perl-Mail-AuthenticationResults <br> perl-Mail-DKIM <br> perl-Mail-IMAPTalk <br> perl-Mail-SPF <br> perl-MailTools <br> perl-Match-Simple <br> perl-Math-Int64 <br> perl-Math-Random-ISAAC <br> perl-MIME-Charset <br> perl-MIME-Lite <br> perl-MIME-Types <br> perl-Mixin-Linewise <br> perl-MLDBM <br> perl-Mock-Config <br> perl-Module-Build-Tiny <br> perl-Module-CPANfile <br> perl-Module-Implementation <br> perl-Module-Install-AuthorRequires <br> perl-Module-Install-AuthorTests <br> perl-Module-Install-AutoLicense <br> perl-Module-Install-GithubMeta <br> perl-Module-Install-ManifestSkip <br> perl-Module-Install-ReadmeFromPod <br> perl-Module-Install-ReadmeMarkdownFromPod <br> perl-Module-Install-Repository <br> perl-Module-Install-TestBase <br> perl-Module-Load-Util <br> perl-Module-Manifest <br> perl-Module-Manifest-Skip <br> perl-Module-Package <br> perl-Module-Package-Au <br> perl-Module-Pluggable <br> perl-Module-Runtime <br> perl-Module-Signature <br> perl-Mojolicious <br> perl-Moo <br> perl-Mozilla-CA <br> perl-Mozilla-LDAP <br> perl-MRO-Compat <br> perl-multidimensional <br> perl-namespace-autoclean <br> perl-namespace-clean <br> perl-Net-CIDR-Lite <br> perl-Net-Daemon <br> perl-Net-DNS <br> perl-Net-DNS-Resolver-Mock <br> perl-Net-DNS-Resolver-Programmable <br> perl-Net-HTTP <br> perl-Net-IMAP-Simple <br> perl-Net-IMAP-Simple-SSL <br> perl-Net-IP <br> perl-Net-LibIDN2 <br> perl-Net-Patricia <br> perl-Net-SMTP-SSL <br> perl-Net-SNMP <br> perl-Net-Telnet <br> perl-Newt <br> perl-NNTPClient <br> perl-NTLM <br> perl-Number-Compare <br> perl-Object-Deadly <br> perl-Object-HashBase <br> perl-Package-Anon <br> perl-Package-Constants <br> perl-Package-DeprecationManager <br> perl-Package-Generator <br> perl-Package-Stash <br> perl-Package-Stash-XS <br> perl-PadWalker <br> perl-Paper-Specs <br> perl-PAR-Dist <br> perl-Parallel-Iterator <br> perl-Params-Classify <br> perl-Params-Util <br> perl-Params-Validate <br> perl-Params-ValidationCompiler <br> perl-Parse-PMFile <br> perl-Parse-RecDescent <br> perl-Parse-Yapp <br> perl-Path-Tiny <br> perl-Perl-Critic <br> perl-Perl-Critic-More <br> perl-Perl-Destruct-Level <br> perl-Perl-MinimumVersion <br> perl-Perl4-CoreLibs <br> perl-PerlIO-gzip <br> perl-PerlIO-utf8_strict <br> perl-PkgConfig-LibPkgConf <br> perl-Pod-Coverage <br> perl-Pod-Coverage-TrustPod <br> perl-Pod-Escapes <br> perl-Pod-Eventual <br> perl-Pod-LaTeX <br> perl-Pod-Markdown <br> perl-Pod-Parser <br> perl-Pod-Plainer <br> perl-Pod-POM <br> perl-Pod-Spell <br> perl-PPI <br> perl-PPI-HTML <br> perl-PPIx-QuoteLike <br> perl-PPIx-Regexp <br> perl-PPIx-Utilities <br> perl-prefork <br> perl-Probe-Perl <br> perl-Razor-Agent <br> perl-Readonly <br> perl-Readonly-XS <br> perl-Ref-Util <br> perl-Ref-Util-XS <br> perl-Regexp-Pattern-Perl <br> perl-Return-MultiLevel <br> perl-Role-Tiny <br> perl-Scope-Guard <br> perl-Scope-Upper <br> perl-SGMLSpm <br> perl-SNMP_Session <br> perl-Socket6 <br> perl-Software-License <br> perl-Sort-Versions <br> perl-Specio <br> perl-Spiffy <br> perl-strictures <br> perl-String-CRC32 <br> perl-String-Format <br> perl-String-ShellQuote <br> perl-String-Similarity <br> perl-Sub-Exporter <br> perl-Sub-Exporter-Progressive <br> perl-Sub-Identify <br> perl-Sub-Infix <br> perl-Sub-Info <br> perl-Sub-Install <br> perl-Sub-Name <br> perl-Sub-Quote <br> perl-Sub-Uplevel <br> perl-SUPER <br> perl-Switch <br> perl-Syntax-Highlight-Engine-Kate <br> perl-Sys-CPU <br> perl-Sys-MemInfo <br> perl-Sys-Virt <br> perl-Taint-Runtime <br> perl-Task-Weaken <br> perl-Term-Size-Any <br> perl-Term-Size-Perl <br> perl-Term-Table <br> perl-Term-UI <br> perl-TermReadKey <br> perl-Test-Base <br> perl-Test-ClassAPI <br> perl-Test-CPAN-Meta <br> perl-Test-CPAN-Meta-JSON <br> perl-Test-Deep <br> perl-Test-Differences <br> perl-Test-DistManifest <br> perl-Test-Distribution <br> perl-Test-EOL <br> perl-Test-Exception <br> perl-Test-Exit <br> perl-Test-FailWarnings <br> perl-Test-Fatal <br> perl-Test-File <br> perl-Test-File-ShareDir <br> perl-Test-Harness <br> perl-Test-HasVersion <br> perl-Test-InDistDir <br> perl-Test-Inter <br> perl-Test-LeakTrace <br> perl-Test-LongString <br> perl-Test-Manifest <br> perl-Test-Memory-Cycle <br> perl-Test-MinimumVersion <br> perl-Test-MockObject <br> perl-Test-MockRandom <br> perl-Test-Needs <br> perl-Test-NoTabs <br> perl-Test-NoWarnings <br> perl-Test-Object <br> perl-Test-Output <br> perl-Test-Pod <br> perl-Test-Pod-Coverage <br> perl-Test-Portability-Files <br> perl-Test-Requires <br> perl-Test-RequiresInternet <br> perl-Test-Script <br> perl-Test-Simple <br> perl-Test-SubCalls <br> perl-Test-Synopsis <br> perl-Test-Taint <br> perl-Test-TrailingSpace <br> perl-Test-utf8 <br> perl-Test-Vars <br> perl-Test-Warn <br> perl-Test-Without-Module <br> perl-Test2-Plugin-NoWarnings <br> perl-Test2-Suite <br> perl-Test2-Tools-Explain <br> perl-Text-CharWidth <br> perl-Text-CSV_XS <br> perl-Text-Diff <br> perl-Text-Glob <br> perl-Text-Iconv <br> perl-Text-Soundex <br> perl-Text-Unidecode <br> perl-Text-WrapI18N <br> perl-Tie-IxHash <br> perl-TimeDate <br> perl-Tree-DAG_Node <br> perl-Unicode-EastAsianWidth <br> perl-Unicode-LineBreak <br> perl-Unicode-Map8 <br> perl-Unicode-String <br> perl-Unicode-UTF8 <br> perl-UNIVERSAL-can <br> perl-UNIVERSAL-isa <br> perl-Unix-Syslog <br> perl-URI <br> perl-Variable-Magic <br> perl-Version-Requirements <br> perl-WWW-RobotRules <br> perl-XML-Catalog <br> perl-XML-DOM <br> perl-XML-Dumper <br> perl-XML-Filter-BufferText <br> perl-XML-Generator <br> perl-XML-Grove <br> perl-XML-Handler-YAWriter <br> perl-XML-LibXML <br> perl-XML-LibXSLT <br> perl-XML-NamespaceSupport <br> perl-XML-Parser-Lite <br> perl-XML-RegExp <br> perl-XML-SAX <br> perl-XML-SAX-Base <br> perl-XML-SAX-Writer <br> perl-XML-Simple <br> perl-XML-TokeParser <br> perl-XML-TreeBuilder <br> perl-XML-Twig <br> perl-XML-Writer <br> perl-XML-XPath <br> perl-XML-XPathEngine <br> perl-XString <br> perl-YAML-LibYAML <br> perl-YAML-PP <br> perl-YAML-Syck <br> perltidy <br> pesign <br> phodav <br> php <br> php-pear <br> php-pecl-apcu <br> php-pecl-zip <br> physfs <br> picosat <br> pinfo <br> pipewire <br> pixman <br> pkcs11-helper <br> pkgconf <br> plexus-cipher <br> plexus-containers <br> plexus-sec-dispatcher <br> plotutils <br> pmdk-convert <br> pmix <br> pngcrush <br> pngnq <br> po4a <br> podman <br> poetry <br> policycoreutils <br> polkit-pkla-compat <br> polkit-qt-1 <br> portreserve <br> postfix <br> potrace <br> powertop <br> ppp <br> pps-tools <br> pptp <br> priv_wrapper <br> procmail <br> prometheus <br> prometheus-node-exporter <br> ps_mem <br> psacct <br> pssh <br> psutils <br> ptlib <br> publicsuffix-list <br> pugixml <br> pulseaudio <br> puppet <br> pwgen <br> pyatspi <br> pybind11 <br> pycairo <br> pyelftools <br> pyflakes <br> pygobject3 <br> PyGreSQL <br> pykickstart <br> pylint <br> pyparted <br> pyproject-rpm-macros <br> pyserial <br> python-absl-py <br> python-aiodns <br> python-aiohttp <br> python-alsa <br> python-argcomplete <br> python-argparse-manpage <br> python-astroid <br> python-astunparse <br> python-async-generator <br> python-augeas <br> python-azure-sdk <br> python-backoff <br> python-beautifulsoup4 <br> python-betamax <br> python-blinker <br> python-blivet <br> python-cached_property <br> python-charset-normalizer <br> python-cheetah <br> python-click <br> python-cmd2 <br> python-colorama <br> python-CommonMark <br> python-conda-package-handling <br> python-configshell <br> python-cpuinfo <br> python-cups <br> python-curio <br> python-cytoolz <br> python-d2to1 <br> python-dbus-client-gen <br> python-dbus-python-client-gen <br> python-dbus-signature-pyparsing <br> python-dbusmock <br> python-ddt <br> python-debtcollector <br> python-decorator <br> python-distlib <br> python-dmidecode <br> python-dns <br> python-dtopt <br> python-dulwich <br> python-editables <br> python-enchant <br> python-entrypoints <br> python-ethtool <br> python-evdev <br> python-extras <br> python-faker <br> python-fasteners <br> python-fastjsonschema <br> python-fields <br> python-filelock <br> python-fixtures <br> python-flake8 <br> python-flask <br> python-flit <br> python-flit-core <br> python-fluidity-sm <br> python-frozendict <br> python-funcsigs <br> python-gast <br> python-genshi <br> python-google-auth <br> python-google-auth-oauthlib <br> python-greenlet <br> python-gssapi <br> python-h5py <br> python-hatch-fancy-pypi-readme <br> python-hatch-vcs <br> python-hatchling <br> python-hs-dbus-signature <br> python-html5lib <br> python-httplib2 <br> python-humanize <br> python-hwdata <br> python-importlib-metadata <br> python-inotify <br> python-into-dbus-python <br> python-IPy <br> python-iso8601 <br> python-isodate <br> python-isort <br> python-itsdangerous <br> python-junitxml <br> python-justbases <br> python-justbytes <br> python-jwcrypto <br> python-jwt <br> python-kdcproxy <br> python-kerberos <br> python-kmod <br> python-kubernetes <br> python-lark <br> python-lazy-object-proxy <br> python-ldap <br> python-linux-procfs <br> python-lit <br> python-looseversion <br> python-markdown <br> python-markdown-it-py <br> python-mccabe <br> python-mdurl <br> python-memcached <br> python-mimeparse <br> python-mock <br> python-monotonic <br> python-more-itertools <br> python-mpmath <br> python-msal <br> python-msrestazure <br> python-mutagen <br> python-networkx <br> python-nose2 <br> python-ntlm-auth <br> python-oauth2client <br> python-openpyxl <br> python-openstackdocstheme <br> python-oslo-i18n <br> python-oslo-sphinx <br> python-paramiko <br> python-pathspec <br> python-pefile <br> python-pexpect <br> python-pkgconfig <br> python-platformdirs <br> python-pluggy <br> python-podman-api <br> python-poetry-core <br> python-process-tests <br> python-productmd <br> python-ptyprocess <br> python-pycares <br> python-pycosat <br> python-pydbus <br> python-pymongo <br> python-PyMySQL <br> python-pyperclip <br> python-pyproject-metadata <br> python-pyroute2 <br> python-pyrsistent <br> python-pysocks <br> python-pytest-benchmark <br> python-pytest-cov <br> python-pytest-expect <br> python-pytest-flake8 <br> python-pytest-flakes <br> python-pytest-forked <br> python-pytest-mock <br> python-pytest-relaxed <br> python-pytest-runner <br> python-pytest-subtests <br> python-pytest-timeout <br> python-pytest-xdist <br> python-pytoml <br> python-pyudev <br> python-pywbem <br> python-qrcode <br> python-rdflib <br> python-recommonmark <br> python-requests-file <br> python-requests-ftp <br> python-requests-kerberos <br> python-requests-mock <br> python-requests-oauthlib <br> python-requests-toolbelt <br> python-requests_ntlm <br> python-responses <br> python-retrying <br> python-rfc3986 <br> python-rich <br> python-rpm-generators <br> python-rpmautospec-core <br> python-rpmfluff <br> python-rtslib <br> python-ruamel-yaml <br> python-ruamel-yaml-clib <br> python-s3transfer <br> python-schedutils <br> python-semantic_version <br> python-should_dsl <br> python-simpleline <br> python-slip <br> python-sniffio <br> python-sortedcontainers <br> python-soupsieve <br> python-sphinx <br> python-sphinx-epytext <br> python-sphinx-theme-py3doc-enhanced <br> python-sphinx_rtd_theme <br> python-sphinxcontrib-apidoc <br> python-sphinxcontrib-applehelp <br> python-sphinxcontrib-devhelp <br> python-sphinxcontrib-htmlhelp <br> python-sphinxcontrib-httpdomain <br> python-sphinxcontrib-jsmath <br> python-sphinxcontrib-qthelp <br> python-sphinxcontrib-serializinghtml <br> python-sqlalchemy <br> python-suds <br> python-systemd <br> python-tempita <br> python-templated-dictionary <br> python-termcolor <br> python-testpath <br> python-testresources <br> python-testscenarios <br> python-testtools <br> python-tidy <br> python-toml <br> python-tomli <br> python-toolz <br> python-tornado <br> python-tox <br> python-tox-current-env <br> python-tqdm <br> python-trio <br> python-trove-classifiers <br> python-typing-extensions <br> python-uamqp <br> python-unittest2 <br> python-uritemplate <br> python-urwid <br> python-varlink <br> python-versioneer <br> python-virt-firmware <br> python-voluptuous <br> python-waitress <br> python-webencodings <br> python-webtest <br> python-wheel <br> python-whoosh <br> python-winrm <br> python-wrapt <br> python-xlrd <br> python-xlsxwriter <br> python-xmltodict <br> python-yubico <br> python-zipp <br> python-zmq <br> python-zstd <br> python3-mallard-ducktype <br> python3-pytest-asyncio <br> python3-typed_ast <br> pyusb <br> pywbem <br> pyxattr <br> qemu <br> qhull <br> qpdf <br> qperf <br> qr-code-generator <br> qt-rpm-macros <br> qt5-qtconnectivity <br> qt5-qtsensors <br> qt5-qtserialport <br> qtbase <br> qtdeclarative <br> qtsvg <br> qttools <br> quagga <br> quota <br> radvd <br> ragel <br> raptor2 <br> rarian <br> rasdaemon <br> rasqal <br> rcs <br> rdist <br> rdma-core <br> re2 <br> re2c <br> realmd <br> rear <br> recode <br> resource-agents <br> rest <br> rhash <br> rlwrap <br> rp-pppoe <br> rpm-mpi-hooks <br> rpmdevtools <br> rpmlint <br> rr <br> rtkit <br> rtl-sdr <br> ruby-augeas <br> rubygem-bson <br> rubygem-coderay <br> rubygem-diff-lcs <br> rubygem-flexmock <br> rubygem-hpricot <br> rubygem-introspection <br> rubygem-liquid <br> rubygem-maruku <br> rubygem-metaclass <br> rubygem-mongo <br> rubygem-mustache <br> rubygem-mysql2 <br> rubygem-pkg-config <br> rubygem-rake <br> rubygem-rake-compiler <br> rubygem-ronn <br> rubygem-rouge <br> rubygem-rspec <br> rubygem-rspec-expectations <br> rubygem-rspec-mocks <br> rubygem-rspec-support <br> rubygem-thread_order <br> rusers <br> rust-cbindgen <br> samba <br> sanlock <br> sassist <br> satyr <br> sbc <br> sblim-cim-client2 <br> sblim-cmpi-base <br> sblim-cmpi-devel <br> sblim-cmpi-fsvol <br> sblim-cmpi-network <br> sblim-cmpi-nfsv3 <br> sblim-cmpi-nfsv4 <br> sblim-cmpi-params <br> sblim-cmpi-sysfs <br> sblim-cmpi-syslog <br> sblim-indication_helper <br> sblim-sfcb <br> sblim-sfcc <br> sblim-sfcCommon <br> sblim-testsuite <br> sblim-wbemcli <br> scl-utils <br> scotch <br> screen <br> scrub <br> SDL <br> SDL2 <br> SDL_sound <br> sdparm <br> seabios <br> secilc <br> selinux-policy <br> serd <br> setools <br> setserial <br> setuptool <br> sgabios <br> sgml-common <br> sgpio <br> shared-mime-info <br> sharutils <br> sip <br> sisu <br> skkdic <br> sleuthkit <br> slirp4netns <br> smartmontools <br> smc-tools <br> socket_wrapper <br> softhsm <br> sombok <br> sord <br> sos <br> sound-theme-freedesktop <br> soundtouch <br> sox <br> soxr <br> sparsehash <br> spausedd <br> speex <br> speexdsp <br> spice-protocol <br> spice-vdagent <br> spirv-headers <br> spirv-tools <br> splix <br> squashfs-tools <br> squid <br> sratom <br> sscg <br> star <br> startup-notification <br> stress-ng <br> stunnel <br> subscription-manager <br> subunit <br> suitesparse <br> SuperLU <br> supermin <br> switcheroo-control <br> swtpm <br> symlinks <br> sympy <br> sysfsutils <br> systemd <br> systemd-bootchart <br> t1lib <br> t1utils <br> taglib <br> tang <br> targetcli <br> tbb <br> tcl-pgtcl <br> tclx <br> teckit <br> telnet <br> thrift <br> tidy <br> time <br> tini <br> tinycdb <br> tix <br> tk <br> tlog <br> tmpwatch <br> tn5250 <br> tofrodos <br> tokyocabinet <br> trace-cmd <br> tss2 <br> ttembed <br> ttmkfdir <br> tuna <br> twolame <br> uchardet <br> uclibc-ng <br> ucpp <br> ucs-miscfixed-fonts <br> ucx <br> udftools <br> udica <br> udisks2 <br> uglify-js <br> uid_wrapper <br> unicode-emoji <br> unicode-ucd <br> unique3 <br> units <br> upower <br> uriparser <br> urlview <br> usb_modeswitch <br> usb_modeswitch-data <br> usbguard <br> usbip <br> usbmuxd <br> usbredir <br> usermode <br> ustr <br> uthash <br> uuid <br> uw-imap <br> v4l-utils <br> vhostmd <br> vino <br> virglrenderer <br> virt-p2v <br> virt-top <br> virt-what <br> virt-who <br> vitess <br> vmem <br> volume_key <br> vorbis-tools <br> vte291 <br> vulkan-headers <br> vulkan-loader <br> watchdog <br> wavpack <br> wayland <br> wayland-protocols <br> web-assets <br> webrtc-audio-processing <br> websocketpp <br> wget <br> whois <br> wireguard-tools <br> wireless-regdb <br> wireshark <br> woff2 <br> wordnet <br> words <br> wpebackend-fdo <br> wsmancli <br> wvdial <br> x3270 <br> xapian-core <br> Xaw3d <br> xcb-proto <br> xcb-util <br> xcb-util-image <br> xcb-util-keysyms <br> xcb-util-renderutil <br> xcb-util-wm <br> xdelta <br> xdg-dbus-proxy <br> xdg-utils <br> xdp-tools <br> xerces-c <br> xfconf <br> xfsdump <br> xhtml1-dtds <br> xkeyboard-config <br> xmlstarlet <br> xmltoman <br> xmvn <br> xorg-x11-apps <br> xorg-x11-drv-libinput <br> xorg-x11-font-utils <br> xorg-x11-fonts <br> xorg-x11-proto-devel <br> xorg-x11-server <br> xorg-x11-server-utils <br> xorg-x11-server-Xwayland <br> xorg-x11-util-macros <br> xorg-x11-utils <br> xorg-x11-xauth <br> xorg-x11-xbitmaps <br> xorg-x11-xinit <br> xorg-x11-xkb-utils <br> xorg-x11-xtrans-devel <br> xrestop <br> xterm <br> xxhash <br> yajl <br> yaml-cpp <br> yasm <br> yelp-tools <br> yelp-xsl <br> ykclient <br> yp-tools <br> ypbind <br> ypserv <br> z3 <br> zenity <br> zerofree <br> zfs-fuse <br> zipper <br> zopfli <br> zziplib |
 | Fedora (Copyright Remi Collet) | [CC-BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/legalcode) | libmemcached-awesome <br> librabbitmq |
 | Fedora (ISC) | [ISC License](https://github.com/sarugaku/resolvelib/blob/main/LICENSE) | python-resolvelib |
 | Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka |
-| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress <br> asc <br> azcopy <br> azure-iot-sdk-c <br> azure-nvme-utils <br> azure-storage-cpp <br> azurelinux-release <br> azurelinux-repos <br> azurelinux-rpm-macros <br> azurelinux-sysinfo <br> bazel <br> blobfuse2 <br> bmon <br> bpftrace <br> ccache <br> cert-manager <br> cf-cli <br> check-restart <br> clamav <br> cloud-hypervisor-cvm <br> cmake-fedora <br> containerd <br> coredns <br> dcos-cli <br> debugedit <br> dejavu-fonts <br> distroless-packages <br> docker-buildx <br> docker-cli <br> docker-compose <br> doxygen <br> dtc <br> elixir <br> espeak-ng <br> espeakup <br> flannel <br> fluent-bit <br> freefont <br> gflags <br> gh <br> go-md2man <br> grpc <br> grub2-efi-binary-signed <br> GSL <br> gtk-update-icon-cache <br> helm <br> hvloader <br> ig <br> intel-pf-bb-config <br> ivykis <br> jsonbuilder <br> jx <br> kata-containers-cc <br> kata-packages-uvm <br> keda <br> keras <br> kernel-signed <br> kernel-uki <br> kernel-uki-signed <br> kpatch <br> kube-vip-cloud-provider <br> kubernetes <br> libacvp <br> libconfini <br> libconfuse <br> libgdiplus <br> libmaxminddb <br> libmetalink <br> libsafec <br> libuv <br> libxml++ <br> lld <br> local-path-provisioner <br> lsb-release <br> ltp <br> lttng-consume <br> mm-common <br> moby-containerd-cc <br> moby-engine <br> msgpack <br> ncompress <br> networkd-dispatcher <br> nlohmann-json <br> nmap <br> node-problem-detector <br> ntopng <br> opentelemetry-cpp <br> packer <br> pcaudiolib <br> pcre2 <br> perl-Test-Warnings <br> perl-Text-Template <br> pigz <br> prebuilt-ca-certificates <br> prebuilt-ca-certificates-base <br> prometheus-adapter <br> python-cachetools <br> python-cherrypy <br> python-cstruct <br> python-execnet <br> python-google-pasta <br> python-libclang <br> python-libevdev <br> python-logutils <br> python-ml-dtypes <br> python-namex <br> python-nocasedict <br> python-omegaconf <br> python-opt-einsum <br> python-optree <br> python-pecan <br> python-pip <br> python-pyrpm <br> python-remoto <br> python-repoze-lru <br> python-routes <br> python-rsa <br> python-setuptools <br> python-sphinxcontrib-websupport <br> python-tensorboard <br> python-tensorboard-plugin-wit <br> python-yamlloader <br> R <br> rabbitmq-server <br> rocksdb <br> rubygem-addressable <br> rubygem-asciidoctor <br> rubygem-async <br> rubygem-async-http <br> rubygem-async-io <br> rubygem-async-pool <br> rubygem-bindata <br> rubygem-concurrent-ruby <br> rubygem-connection_pool <br> rubygem-console <br> rubygem-cool.io <br> rubygem-deep_merge <br> rubygem-digest-crc <br> rubygem-elastic-transport <br> rubygem-elasticsearch <br> rubygem-elasticsearch-api <br> rubygem-eventmachine <br> rubygem-excon <br> rubygem-faraday <br> rubygem-faraday-em_http <br> rubygem-faraday-em_synchrony <br> rubygem-faraday-excon <br> rubygem-faraday-httpclient <br> rubygem-faraday-multipart <br> rubygem-faraday-net_http <br> rubygem-faraday-net_http_persistent <br> rubygem-faraday-patron <br> rubygem-faraday-rack <br> rubygem-faraday-retry <br> rubygem-ffi <br> rubygem-fiber-local <br> rubygem-fluent-config-regexp-type <br> rubygem-fluent-logger <br> rubygem-fluent-plugin-elasticsearch <br> rubygem-fluent-plugin-kafka <br> rubygem-fluent-plugin-prometheus <br> rubygem-fluent-plugin-prometheus_pushgateway <br> rubygem-fluent-plugin-record-modifier <br> rubygem-fluent-plugin-rewrite-tag-filter <br> rubygem-fluent-plugin-systemd <br> rubygem-fluent-plugin-webhdfs <br> rubygem-fluent-plugin-windows-exporter <br> rubygem-fluentd <br> rubygem-hirb <br> rubygem-hocon <br> rubygem-hoe <br> rubygem-http_parser <br> rubygem-httpclient <br> rubygem-io-event <br> rubygem-jmespath <br> rubygem-ltsv <br> rubygem-mini_portile2 <br> rubygem-minitest <br> rubygem-mocha <br> rubygem-msgpack <br> rubygem-multi_json <br> rubygem-multipart-post <br> rubygem-net-http-persistent <br> rubygem-nio4r <br> rubygem-nokogiri <br> rubygem-oj <br> rubygem-parallel <br> rubygem-power_assert <br> rubygem-prometheus-client <br> rubygem-protocol-hpack <br> rubygem-protocol-http <br> rubygem-protocol-http1 <br> rubygem-protocol-http2 <br> rubygem-public_suffix <br> rubygem-puppet-resource_api <br> rubygem-rdiscount <br> rubygem-rdkafka <br> rubygem-rexml <br> rubygem-ruby-kafka <br> rubygem-ruby-progressbar <br> rubygem-rubyzip <br> rubygem-semantic_puppet <br> rubygem-serverengine <br> rubygem-sigdump <br> rubygem-strptime <br> rubygem-systemd-journal <br> rubygem-test-unit <br> rubygem-thor <br> rubygem-timers <br> rubygem-tzinfo <br> rubygem-tzinfo-data <br> rubygem-webhdfs <br> rubygem-webrick <br> rubygem-yajl-ruby <br> rubygem-zip-zip <br> runc <br> sdbus-cpp <br> sgx-backwards-compatibility <br> shim <br> shim-unsigned <br> shim-unsigned-aarch64 <br> shim-unsigned-x64 <br> skopeo <br> span-lite <br> sriov-network-device-plugin <br> SymCrypt <br> SymCrypt-OpenSSL <br> systemd-boot-signed <br> tensorflow <br> tinyxml2 <br> toml11 <br> tracelogging <br> umoci <br> usrsctp <br> vala <br> verity-read-only-root <br> vnstat <br> zstd |
+| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | application-gateway-kubernetes-ingress <br> asc <br> azcopy <br> azure-iot-sdk-c <br> azure-nvme-utils <br> azure-storage-cpp <br> azurelinux-release <br> azurelinux-repos <br> azurelinux-rpm-macros <br> azurelinux-sysinfo <br> bazel <br> blobfuse2 <br> bmon <br> bpftrace <br> ccache <br> cert-manager <br> cf-cli <br> check-restart <br> clamav <br> cloud-hypervisor-cvm <br> cmake-fedora <br> containerd <br> coredns <br> dcos-cli <br> debugedit <br> dejavu-fonts <br> distroless-packages <br> docker-buildx <br> docker-cli <br> docker-compose <br> doxygen <br> dtc <br> elixir <br> espeak-ng <br> espeakup <br> flannel <br> fluent-bit <br> freefont <br> gflags <br> gh <br> go-md2man <br> grpc <br> grub2-efi-binary-signed <br> GSL <br> gtk-update-icon-cache <br> helm <br> ig <br> intel-pf-bb-config <br> ivykis <br> jsonbuilder <br> jx <br> kata-containers-cc <br> kata-packages-uvm <br> keda <br> keras <br> kernel-signed <br> kernel-uki <br> kernel-uki-signed <br> kpatch <br> kube-vip-cloud-provider <br> kubernetes <br> libacvp <br> libconfini <br> libconfuse <br> libgdiplus <br> libmaxminddb <br> libmetalink <br> libsafec <br> libuv <br> libxml++ <br> lld <br> local-path-provisioner <br> lsb-release <br> ltp <br> lttng-consume <br> mm-common <br> moby-containerd-cc <br> moby-engine <br> msgpack <br> ncompress <br> networkd-dispatcher <br> nlohmann-json <br> nmap <br> node-problem-detector <br> ntopng <br> opentelemetry-cpp <br> packer <br> pcaudiolib <br> pcre2 <br> perl-Test-Warnings <br> perl-Text-Template <br> pigz <br> prebuilt-ca-certificates <br> prebuilt-ca-certificates-base <br> prometheus-adapter <br> python-cachetools <br> python-cherrypy <br> python-cstruct <br> python-execnet <br> python-google-pasta <br> python-libclang <br> python-libevdev <br> python-logutils <br> python-ml-dtypes <br> python-namex <br> python-nocasedict <br> python-omegaconf <br> python-opt-einsum <br> python-optree <br> python-pecan <br> python-pip <br> python-pyrpm <br> python-remoto <br> python-repoze-lru <br> python-routes <br> python-rsa <br> python-setuptools <br> python-sphinxcontrib-websupport <br> python-tensorboard <br> python-tensorboard-plugin-wit <br> python-yamlloader <br> R <br> rabbitmq-server <br> rocksdb <br> rubygem-addressable <br> rubygem-asciidoctor <br> rubygem-async <br> rubygem-async-http <br> rubygem-async-io <br> rubygem-async-pool <br> rubygem-bindata <br> rubygem-concurrent-ruby <br> rubygem-connection_pool <br> rubygem-console <br> rubygem-cool.io <br> rubygem-deep_merge <br> rubygem-digest-crc <br> rubygem-elastic-transport <br> rubygem-elasticsearch <br> rubygem-elasticsearch-api <br> rubygem-eventmachine <br> rubygem-excon <br> rubygem-faraday <br> rubygem-faraday-em_http <br> rubygem-faraday-em_synchrony <br> rubygem-faraday-excon <br> rubygem-faraday-httpclient <br> rubygem-faraday-multipart <br> rubygem-faraday-net_http <br> rubygem-faraday-net_http_persistent <br> rubygem-faraday-patron <br> rubygem-faraday-rack <br> rubygem-faraday-retry <br> rubygem-ffi <br> rubygem-fiber-local <br> rubygem-fluent-config-regexp-type <br> rubygem-fluent-logger <br> rubygem-fluent-plugin-elasticsearch <br> rubygem-fluent-plugin-kafka <br> rubygem-fluent-plugin-prometheus <br> rubygem-fluent-plugin-prometheus_pushgateway <br> rubygem-fluent-plugin-record-modifier <br> rubygem-fluent-plugin-rewrite-tag-filter <br> rubygem-fluent-plugin-systemd <br> rubygem-fluent-plugin-webhdfs <br> rubygem-fluent-plugin-windows-exporter <br> rubygem-fluentd <br> rubygem-hirb <br> rubygem-hocon <br> rubygem-hoe <br> rubygem-http_parser <br> rubygem-httpclient <br> rubygem-io-event <br> rubygem-jmespath <br> rubygem-ltsv <br> rubygem-mini_portile2 <br> rubygem-minitest <br> rubygem-mocha <br> rubygem-msgpack <br> rubygem-multi_json <br> rubygem-multipart-post <br> rubygem-net-http-persistent <br> rubygem-nio4r <br> rubygem-nokogiri <br> rubygem-oj <br> rubygem-parallel <br> rubygem-power_assert <br> rubygem-prometheus-client <br> rubygem-protocol-hpack <br> rubygem-protocol-http <br> rubygem-protocol-http1 <br> rubygem-protocol-http2 <br> rubygem-public_suffix <br> rubygem-puppet-resource_api <br> rubygem-rdiscount <br> rubygem-rdkafka <br> rubygem-rexml <br> rubygem-ruby-kafka <br> rubygem-ruby-progressbar <br> rubygem-rubyzip <br> rubygem-semantic_puppet <br> rubygem-serverengine <br> rubygem-sigdump <br> rubygem-strptime <br> rubygem-systemd-journal <br> rubygem-test-unit <br> rubygem-thor <br> rubygem-timers <br> rubygem-tzinfo <br> rubygem-tzinfo-data <br> rubygem-webhdfs <br> rubygem-webrick <br> rubygem-yajl-ruby <br> rubygem-zip-zip <br> runc <br> sdbus-cpp <br> sgx-backwards-compatibility <br> shim <br> shim-unsigned <br> shim-unsigned-aarch64 <br> shim-unsigned-x64 <br> skopeo <br> span-lite <br> sriov-network-device-plugin <br> SymCrypt <br> SymCrypt-OpenSSL <br> systemd-boot-signed <br> tensorflow <br> tinyxml2 <br> toml11 <br> tracelogging <br> umoci <br> usrsctp <br> vala <br> valkey <br> verity-read-only-root <br> vnstat <br> zstd |
 | Netplan source | [GPLv3](https://github.com/canonical/netplan/blob/main/COPYING) | netplan |
 | Numad source | [LGPLv2 License](https://www.gnu.org/licenses/old-licenses/lgpl-2.1.txt) | numad |
 | NVIDIA | [ASL 2.0 License and spec specific licenses](http://www.apache.org/licenses/LICENSE-2.0) | libnvidia-container <br> mlnx-tools <br> mlx-bootctl <br> nvidia-container-toolkit <br> ofed-scripts <br> perftest |
diff --git a/LICENSES-AND-NOTICES/SPECS/data/licenses.json b/LICENSES-AND-NOTICES/SPECS/data/licenses.json
index 5b27bca1ad8..542f6b1a926 100644
--- a/LICENSES-AND-NOTICES/SPECS/data/licenses.json
+++ b/LICENSES-AND-NOTICES/SPECS/data/licenses.json
@@ -35,6 +35,7 @@
         "Fedora": {
             "license": "[Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files)",
             "specs": [
+                "389-ds-base",
                 "a52dec",
                 "abseil-cpp",
                 "accountsservice",
@@ -601,6 +602,7 @@
                 "libcmpiutil",
                 "libcomps",
                 "libcroco",
+                "libcxx",
                 "libdaemon",
                 "libdap",
                 "libdatrie",
@@ -689,6 +691,7 @@
                 "liblqr-1",
                 "liblzf",
                 "libmad",
+                "libmd",
                 "libmediaart",
                 "libmicrohttpd",
                 "libmikmod",
@@ -921,6 +924,7 @@
                 "mod_security_crs",
                 "mod_wsgi",
                 "mokutil",
+                "mosh",
                 "mpage",
                 "mrtg",
                 "mstflint",
@@ -1207,6 +1211,7 @@
                 "perl-Devel-Hide",
                 "perl-Devel-Leak",
                 "perl-Devel-LexAlias",
+                "perl-Devel-Refcount",
                 "perl-Devel-Size",
                 "perl-Devel-StackTrace",
                 "perl-Devel-Symdump",
@@ -1324,6 +1329,7 @@
                 "perl-Mail-IMAPTalk",
                 "perl-Mail-SPF",
                 "perl-MailTools",
+                "perl-Match-Simple",
                 "perl-Math-Int64",
                 "perl-Math-Random-ISAAC",
                 "perl-MIME-Charset",
@@ -1448,6 +1454,7 @@
                 "perl-Sub-Exporter",
                 "perl-Sub-Exporter-Progressive",
                 "perl-Sub-Identify",
+                "perl-Sub-Infix",
                 "perl-Sub-Info",
                 "perl-Sub-Install",
                 "perl-Sub-Name",
@@ -1569,6 +1576,7 @@
                 "phodav",
                 "php",
                 "php-pear",
+                "php-pecl-apcu",
                 "php-pecl-zip",
                 "physfs",
                 "picosat",
@@ -1635,6 +1643,7 @@
                 "python-async-generator",
                 "python-augeas",
                 "python-azure-sdk",
+                "python-backoff",
                 "python-beautifulsoup4",
                 "python-betamax",
                 "python-blinker",
@@ -1707,6 +1716,7 @@
                 "python-isodate",
                 "python-isort",
                 "python-itsdangerous",
+                "python-junitxml",
                 "python-justbases",
                 "python-justbytes",
                 "python-jwcrypto",
@@ -1760,6 +1770,7 @@
                 "python-pymongo",
                 "python-PyMySQL",
                 "python-pyperclip",
+                "python-pyproject-metadata",
                 "python-pyroute2",
                 "python-pyrsistent",
                 "python-pysocks",
@@ -1793,6 +1804,7 @@
                 "python-rfc3986",
                 "python-rich",
                 "python-rpm-generators",
+                "python-rpmautospec-core",
                 "python-rpmfluff",
                 "python-rtslib",
                 "python-ruamel-yaml",
@@ -2007,6 +2019,7 @@
                 "stress-ng",
                 "stunnel",
                 "subscription-manager",
+                "subunit",
                 "suitesparse",
                 "SuperLU",
                 "supermin",
@@ -2134,7 +2147,7 @@
                 "xorg-x11-proto-devel",
                 "xorg-x11-server",
                 "xorg-x11-server-utils",
-		"xorg-x11-server-Xwayland",
+                "xorg-x11-server-Xwayland",
                 "xorg-x11-util-macros",
                 "xorg-x11-utils",
                 "xorg-x11-xauth",
@@ -2231,7 +2244,6 @@
                 "GSL",
                 "gtk-update-icon-cache",
                 "helm",
-                "hvloader",
                 "ig",
                 "intel-pf-bb-config",
                 "ivykis",
@@ -2420,6 +2432,7 @@
                 "umoci",
                 "usrsctp",
                 "vala",
+                "valkey",
                 "verity-read-only-root",
                 "vnstat",
                 "zstd"
diff --git a/SPECS-EXTENDED/389-ds-base/389-ds-base-devel.README b/SPECS-EXTENDED/389-ds-base/389-ds-base-devel.README
new file mode 100644
index 00000000000..c411a613f81
--- /dev/null
+++ b/SPECS-EXTENDED/389-ds-base/389-ds-base-devel.README
@@ -0,0 +1,4 @@
+For detailed information on developing plugins for 389 Directory Server visit
+
+https://www.port389.org/docs/389ds/design/plugins.html
+https://github.com/389ds/389-ds-base/blob/main/src/slapi_r_plugin/README.md
diff --git a/SPECS-EXTENDED/389-ds-base/389-ds-base.signatures.json b/SPECS-EXTENDED/389-ds-base/389-ds-base.signatures.json
new file mode 100644
index 00000000000..442d2e42450
--- /dev/null
+++ b/SPECS-EXTENDED/389-ds-base/389-ds-base.signatures.json
@@ -0,0 +1,8 @@
+{
+ "Signatures": {
+  "389-ds-base-3.1.1.tar.bz2": "e111c4bc3ad2efa5d73a7d7a18d03ff84ee53afa25b631a8a31cd19cb0fe854b",
+  "389-ds-base-devel.README": "f69e816db24e12423e921ea6a1b3d6cd326715eae9079646358143018fff75fe",
+  "389-ds-base.sysusers": "c710a2b07565c29e5293d42cab8519cc0351a0d772e0e13693be0ed4ea6a19bf",
+  "jemalloc-5.3.0.tar.bz2": "2db82d1e7119df3e71b7640219b6dfe84789bc0537983c3b7ac4f7189aecfeaa"
+ }
+}
\ No newline at end of file
diff --git a/SPECS-EXTENDED/389-ds-base/389-ds-base.spec b/SPECS-EXTENDED/389-ds-base/389-ds-base.spec
new file mode 100644
index 00000000000..0b608b1caa9
--- /dev/null
+++ b/SPECS-EXTENDED/389-ds-base/389-ds-base.spec
@@ -0,0 +1,1251 @@
+%global pkgname dirsrv
+%global bash_completions_dir %{_datadir}/bash-completion/%{name}/
+
+# Exclude i686 bit arches
+ExcludeArch: i686
+
+%bcond bundle_jemalloc 1
+%if %{with bundle_jemalloc}
+%global jemalloc_name jemalloc
+%global jemalloc_ver 5.3.0
+%global __provides_exclude ^libjemalloc\\.so.*$
+%endif
+
+%bcond bundle_libdb 0
+%if %{with bundle_libdb}
+%global libdb_version 5.3
+%global libdb_base_version db-%{libdb_version}.28
+%global libdb_full_version lib%{libdb_base_version}-59
+%global libdb_bundle_name libdb-%{libdb_version}-389ds.so
+%if 0%{?fedora} >= 41 || 0%{?rhel} >= 11
+# RPM 4.20
+%global libdb_base_dir lib%{libdb_base_version}-build/%{libdb_base_version}
+%else
+%global libdb_base_dir %{libdb_base_version}
+%endif
+%endif
+
+# This is used in certain builds to help us know if it has extra features.
+%global variant base
+# This enables a sanitized build.
+%bcond asan 0
+%bcond msan 0
+%bcond tsan 0
+%bcond ubsan 0
+
+%if %{with asan} || %{with msan} || %{with tsan} || %{with ubsan}
+%global variant base-xsan
+%endif
+
+# Use Clang instead of GCC
+%bcond clang 0
+%if %{with msan}
+%bcond clang 1
+%endif
+
+%if %{with clang}
+%global toolchain clang
+%global _missing_build_ids_terminate_build 0
+%endif
+
+# Build cockpit plugin
+%bcond cockpit 0
+
+# fedora 15 and later uses tmpfiles.d
+# otherwise, comment this out
+%{!?with_tmpfiles_d: %global with_tmpfiles_d %{_sysconfdir}/tmpfiles.d}
+
+# systemd support
+%global groupname %{pkgname}.target
+
+# Filter argparse-manpage from autogenerated package Requires
+%global __requires_exclude ^python.*argparse-manpage
+
+# Force to require nss version greater or equal as the version available at the build time
+# See bz1986327
+%define dirsrv_requires_ge()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} >= %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
+
+Summary:          389 Directory Server (%{variant})
+Name:             389-ds-base
+Version:          3.1.1
+Release:          2%{?dist}
+License:          GPL-3.0-or-later AND (0BSD OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (CC-BY-4.0 AND MIT) AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (MIT OR CC0-1.0) AND (MIT OR Unlicense) AND 0BSD AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MIT AND ISC AND MPL-2.0 AND PSF-2.0
+URL:              https://www.port389.org
+Vendor:           Microsoft Corporation
+Distribution:     Azure Linux
+Source0:          https://github.com/389ds/389-ds-base/releases/download/%{name}-%{version}/%{name}-%{version}.tar.bz2
+Source2:          %{name}-devel.README
+%if %{with bundle_jemalloc}
+Source3:          https://github.com/jemalloc/%{jemalloc_name}/releases/download/%{jemalloc_ver}/%{jemalloc_name}-%{jemalloc_ver}.tar.bz2
+%endif
+Source4:          389-ds-base.sysusers
+%if %{with bundle_libdb}
+Source5:          https://fedorapeople.org/groups/389ds/libdb-5.3.28-59.tar.bz2
+%endif
+
+Provides:         ldif2ldbm >= 0
+
+# Attach the buildrequires to the top level package:
+BuildRequires:    nspr-devel
+BuildRequires:    nss-devel
+BuildRequires:    openldap-clients
+BuildRequires:    openldap-devel
+BuildRequires:    lmdb-devel
+BuildRequires:    cyrus-sasl-devel
+BuildRequires:    icu
+BuildRequires:    libicu-devel
+BuildRequires:    pcre2-devel
+BuildRequires:    cracklib-devel
+BuildRequires:    json-c-devel
+%if %{with clang}
+BuildRequires:    libatomic
+BuildRequires:    clang
+BuildRequires:    compiler-rt
+BuildRequires:    lld
+%else
+BuildRequires:    gcc
+BuildRequires:    gcc-c++
+%if %{with asan}
+BuildRequires:    libasan
+%endif
+%if %{with tsan}
+BuildRequires:    libtsan
+%endif
+%if %{with ubsan}
+BuildRequires:    libubsan
+%endif
+%endif
+%if %{without bundle_libdb}
+BuildRequires:    libdb-devel
+%endif
+
+# The following are needed to build the snmp ldap-agent
+BuildRequires:    net-snmp-devel
+BuildRequires:    bzip2-devel
+BuildRequires:    openssl-devel
+# the following is for the pam passthru auth plug-in
+BuildRequires:    pam-devel
+BuildRequires:    systemd-units
+BuildRequires:    systemd-devel
+BuildRequires:    systemd-rpm-macros
+%{?sysusers_requires_compat}
+BuildRequires:    cargo
+BuildRequires:    rust
+BuildRequires:    pkgconfig
+BuildRequires:    pkgconfig(krb5)
+BuildRequires:    pkgconfig(libpcre2-8)
+# Needed to support regeneration of the autotool artifacts.
+BuildRequires:    autoconf
+BuildRequires:    automake
+BuildRequires:    libtool
+# For our documentation
+BuildRequires:    doxygen
+# For tests!
+BuildRequires:    libcmocka-devel
+# For lib389 and related components.
+BuildRequires:    python%{python3_pkgversion}
+BuildRequires:    python%{python3_pkgversion}-devel
+BuildRequires:    python%{python3_pkgversion}-setuptools
+BuildRequires:    python%{python3_pkgversion}-ldap
+BuildRequires:    python%{python3_pkgversion}-pyasn1
+BuildRequires:    python%{python3_pkgversion}-pyasn1-modules
+BuildRequires:    python%{python3_pkgversion}-dateutil
+BuildRequires:    python%{python3_pkgversion}-argcomplete
+BuildRequires:    python%{python3_pkgversion}-argparse-manpage
+BuildRequires:    python%{python3_pkgversion}-policycoreutils
+BuildRequires:    python%{python3_pkgversion}-libselinux
+BuildRequires:    python%{python3_pkgversion}-cryptography
+
+# For cockpit
+%if %{with cockpit}
+BuildRequires:    rsync
+BuildRequires:    npm
+BuildRequires:    nodejs
+%endif
+
+Requires:         %{name}-libs = %{version}-%{release}
+Requires:         python%{python3_pkgversion}-lib389 = %{version}-%{release}
+
+# this is needed for using semanage from our setup scripts
+Requires:         policycoreutils-python-utils
+Requires:         libsemanage-python%{python3_pkgversion}
+# the following are needed for some of our scripts
+Requires:         openldap-clients
+Requires:         acl
+# this is needed to setup SSL if you are not using the
+# administration server package
+Requires:         nss-tools
+%dirsrv_requires_ge nss
+# these are not found by the auto-dependency method
+# they are required to support the mandatory LDAP SASL mechs
+Requires:         cyrus-sasl-gssapi
+Requires:         cyrus-sasl-md5
+# This is optionally supported by us, as we use it in our tests
+Requires:         cyrus-sasl-plain
+# this is needed for backldbm
+%if %{without bundle_libdb}
+Requires:         libdb
+%endif
+Requires:         lmdb-libs
+# Needed by logconv.pl
+%if %{without bundle_libdb}
+#Requires:         perl-DB_File
+%endif
+Requires:         perl-Archive-Tar
+%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9
+Requires:         perl-debugger
+Requires:         perl-sigtrap
+%endif
+# Needed for password dictionary checks
+Requires:         cracklib-dicts
+Requires:         json-c
+# Log compression
+Requires:         zlib-devel
+# Picks up our systemd deps.
+%{?systemd_requires}
+
+
+%description
+389 Directory Server is an LDAPv3 compliant server.  The base package includes
+the LDAP server and command line utilities for server administration.
+%if %{with asan}
+WARNING! This build is linked to Address Sanitisation libraries. This probably
+isn't what you want. Please contact support immediately.
+Please see http://seclists.org/oss-sec/2016/q1/363 for more information.
+%endif
+
+
+%package          libs
+Summary:          Core libraries for 389 Directory Server (%{variant})
+Provides:         svrcore = 4.1.4
+Obsoletes:        svrcore <= 4.1.3
+Conflicts:        svrcore
+%dirsrv_requires_ge nss
+Requires:         nspr
+Requires:         openldap
+Requires:         systemd-libs
+# Pull in sasl
+Requires:         cyrus-sasl-lib
+# KRB
+Requires:         krb5-libs
+%if %{with clang}
+Requires:         llvm
+Requires:         compiler-rt
+%else
+%if %{with asan}
+Requires:         libasan
+%endif
+%if %{with tsan}
+Requires:         libtsan
+%endif
+%if %{with ubsan}
+Requires:         libubsan
+%endif
+%endif
+
+%description      libs
+Core libraries for the 389 Directory Server base package.  These libraries
+are used by the main package and the -devel package.  This allows the -devel
+package to be installed with just the -libs package and without the main package.
+
+%package          devel
+Summary:          Development libraries for 389 Directory Server (%{variant})
+Provides:         svrcore-devel = 4.1.4
+Obsoletes:        svrcore-devel <= 4.1.3
+Conflicts:        svrcore-devel
+Requires:         %{name}-libs = %{version}-%{release}
+Requires:         pkgconfig
+Requires:         nspr-devel
+Requires:         nss-devel >= 3.34
+Requires:         openldap-devel
+# systemd-libs contains the headers iirc.
+Requires:         systemd-libs
+
+%description      devel
+Development Libraries and headers for the 389 Directory Server base package.
+
+%package          snmp
+Summary:          SNMP Agent for 389 Directory Server
+Requires:         %{name} = %{version}-%{release}
+
+Obsoletes:        %{name} <= 1.4.0.0
+
+%description      snmp
+SNMP Agent for the 389 Directory Server base package.
+
+%if %{with bundle_libdb}
+%package          bdb
+Summary:          Berkeley Database backend for 389 Directory Server
+%description      bdb
+Berkeley Database backend for 389 Directory Server
+Warning! This backend is deprecated in favor of lmdb and its support
+may be removed in future versions.
+
+Requires:         %{name} = %{version}-%{release}
+# Berkeley DB database libdb was marked as deprecated since F40:
+# https://fedoraproject.org/wiki/Changes/389_Directory_Server_3.0.0
+# because libdb was marked as deprecated since F33
+# https://fedoraproject.org/wiki/Changes/Libdb_deprecated
+Provides:         deprecated()
+%endif
+
+
+%package -n python%{python3_pkgversion}-lib389
+Summary:  A library for accessing, testing, and configuring the 389 Directory Server
+BuildArch:        noarch
+Requires: %{name} = %{version}-%{release}
+Requires: openssl
+# This is for /usr/bin/c_rehash tool, only needed for openssl < 1.1.0
+Requires: openssl-perl
+Requires: iproute
+Requires: python%{python3_pkgversion}
+Requires: python%{python3_pkgversion}-distro
+Requires: python%{python3_pkgversion}-ldap
+Requires: python%{python3_pkgversion}-pyasn1
+Requires: python%{python3_pkgversion}-pyasn1-modules
+Requires: python%{python3_pkgversion}-dateutil
+Requires: python%{python3_pkgversion}-argcomplete
+Requires: python%{python3_pkgversion}-libselinux
+Requires: python%{python3_pkgversion}-setuptools
+Requires: python%{python3_pkgversion}-cryptography
+Recommends: bash-completion
+%{?python_provide:%python_provide python%{python3_pkgversion}-lib389}
+
+%description -n python%{python3_pkgversion}-lib389
+This module contains tools and libraries for accessing, testing,
+ and configuring the 389 Directory Server.
+
+%if %{with cockpit}
+%package -n cockpit-389-ds
+Summary:          Cockpit UI Plugin for configuring and administering the 389 Directory Server
+BuildArch:        noarch
+Requires:         cockpit
+Requires:         %{name} = %{version}-%{release}
+Requires:         python%{python3_pkgversion}
+Requires:         python%{python3_pkgversion}-lib389 = %{version}-%{release}
+
+%description -n cockpit-389-ds
+A cockpit UI Plugin for configuring and administering the 389 Directory Server
+%endif
+
+%prep
+%autosetup -p1 -v -n %{name}-%{version}
+
+%if %{with bundle_jemalloc}
+%setup -q -n %{name}-%{version} -T -D -b 3
+%endif
+
+%if %{with bundle_libdb}
+%setup -q -n %{name}-%{version} -T -D -b 5
+%endif
+
+cp %{SOURCE2} README.devel
+
+%build
+
+%if %{with clang}
+CLANG_FLAGS="--enable-clang"
+%endif
+
+%{?with_tmpfiles_d: TMPFILES_FLAG="--with-tmpfiles-d=%{with_tmpfiles_d}"}
+
+%if %{with asan}
+ASAN_FLAGS="--enable-asan --enable-debug"
+%endif
+
+%if %{with msan}
+MSAN_FLAGS="--enable-msan --enable-debug"
+%endif
+
+%if %{with tsan}
+TSAN_FLAGS="--enable-tsan --enable-debug"
+%endif
+
+%if %{with ubsan}
+UBSAN_FLAGS="--enable-ubsan --enable-debug"
+%endif
+
+RUST_FLAGS="--enable-rust --enable-rust-offline"
+
+%if %{without cockpit}
+COCKPIT_FLAGS="--disable-cockpit"
+%endif
+
+%if %{with bundle_jemalloc}
+# Override page size, bz #1545539
+# 4K
+%ifarch %ix86 %arm x86_64 s390x
+%define lg_page --with-lg-page=12
+%endif
+
+# 64K
+%ifarch ppc64 ppc64le aarch64
+%define lg_page --with-lg-page=16
+%endif
+
+# Override huge page size on aarch64
+# 2M instead of 512M
+%ifarch aarch64
+%define lg_hugepage --with-lg-hugepage=21
+%endif
+
+# Build jemalloc
+pushd ../%{jemalloc_name}-%{jemalloc_ver}
+%configure \
+        --libdir=%{_libdir}/%{pkgname}/lib \
+        --bindir=%{_libdir}/%{pkgname}/bin \
+        --enable-prof %{lg_page} %{lg_hugepage}
+make %{?_smp_mflags}
+popd
+%endif
+
+# Build custom libdb package
+%if %{with bundle_libdb}
+mkdir -p ../%{libdb_base_version}
+pushd ../%{libdb_base_version}
+tar -xjf  %{_topdir}/SOURCES/%{libdb_full_version}.tar.bz2
+mv %{libdb_full_version} SOURCES
+rpmbuild  --define "_topdir $PWD" -bc %{_builddir}/%{name}-%{version}/rpm/bundle-libdb.spec
+popd
+%endif
+
+# Rebuild the autotool artifacts now.
+autoreconf -fiv
+
+%configure \
+%if %{with bundle_libdb}
+           --with-bundle-libdb=%{_builddir}/%{libdb_base_version}/BUILD/%{libdb_base_dir}/dist/dist-tls \
+%endif
+           --with-selinux $TMPFILES_FLAG \
+           --with-systemd \
+           --with-systemdsystemunitdir=%{_unitdir} \
+           --with-systemdsystemconfdir=%{_sysconfdir}/systemd/system \
+           --with-systemdgroupname=%{groupname} \
+           --libexecdir=%{_libexecdir}/%{pkgname} \
+           $ASAN_FLAGS $MSAN_FLAGS $TSAN_FLAGS $UBSAN_FLAGS $RUST_FLAGS $CLANG_FLAGS $COCKPIT_FLAGS \
+%if 0%{?fedora} >= 34 || 0%{?rhel} >= 9
+           --with-libldap-r=no \
+%endif
+           --enable-cmocka
+
+# Avoid "Unknown key name 'XXX' in section 'Service', ignoring." warnings from systemd on older releases
+%if 0%{?rhel} && 0%{?rhel} < 9
+  sed -r -i '/^(Protect(Home|Hostname|KernelLogs)|PrivateMounts)=/d' %{_builddir}/%{name}-%{version}/wrappers/*.service.in
+%endif
+
+# lib389
+make src/lib389/setup.py
+pushd ./src/lib389
+%py3_build
+popd
+# argparse-manpage dynamic man pages have hardcoded man v1 in header,
+# need to change it to v8
+sed -i  "1s/\"1\"/\"8\"/" %{_builddir}/%{name}-%{version}/src/lib389/man/dsconf.8
+sed -i  "1s/\"1\"/\"8\"/" %{_builddir}/%{name}-%{version}/src/lib389/man/dsctl.8
+sed -i  "1s/\"1\"/\"8\"/" %{_builddir}/%{name}-%{version}/src/lib389/man/dsidm.8
+sed -i  "1s/\"1\"/\"8\"/" %{_builddir}/%{name}-%{version}/src/lib389/man/dscreate.8
+
+# Generate symbolic info for debuggers
+export XCFLAGS=$RPM_OPT_FLAGS
+
+make %{?_smp_mflags}
+
+%install
+
+mkdir -p %{buildroot}%{_datadir}/gdb/auto-load%{_sbindir}
+%if %{with cockpit}
+mkdir -p %{buildroot}%{_datadir}/cockpit
+%endif
+make DESTDIR="$RPM_BUILD_ROOT" install
+
+%if %{with cockpit}
+find %{buildroot}%{_datadir}/cockpit/389-console -type d | sed -e "s@%{buildroot}@@" | sed -e 's/^/\%dir /' > cockpit.list
+find %{buildroot}%{_datadir}/cockpit/389-console -type f | sed -e "s@%{buildroot}@@" >> cockpit.list
+%endif
+
+find %{buildroot}%{_libdir}/%{pkgname}/plugins/ -type f -iname 'lib*.so' | sed -e "s@%{buildroot}@@" > plugins.list
+%if %{with bundle_libdb}
+sed -i -e "/libback-bdb/d" plugins.list
+%endif
+
+# Copy in our docs from doxygen.
+cp -r %{_builddir}/%{name}-%{version}/man/man3 $RPM_BUILD_ROOT/%{_mandir}/man3
+
+# lib389
+pushd src/lib389
+%py3_install
+popd
+
+# Register CLI tools for bash completion
+for clitool in dsconf dsctl dsidm dscreate ds-replcheck
+do
+    register-python-argcomplete "${clitool}" > "${clitool}"
+    install -p -m 0644 -D -t '%{buildroot}%{bash_completions_dir}' "${clitool}"
+done
+
+mkdir -p $RPM_BUILD_ROOT/var/log/%{pkgname}
+mkdir -p $RPM_BUILD_ROOT/var/lib/%{pkgname}
+mkdir -p $RPM_BUILD_ROOT/var/lock/%{pkgname} \
+    && chmod 770 $RPM_BUILD_ROOT/var/lock/%{pkgname}
+
+# for systemd
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/systemd/system/%{groupname}.wants
+install -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/389-ds-base.conf
+
+#remove libtool and static libs
+rm -f $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/*.a
+rm -f $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/*.la
+rm -f $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/plugins/*.a
+rm -f $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/plugins/*.la
+rm -f $RPM_BUILD_ROOT%{_libdir}/libsvrcore.a
+rm -f $RPM_BUILD_ROOT%{_libdir}/libsvrcore.la
+
+%if %{with bundle_jemalloc}
+pushd ../%{jemalloc_name}-%{jemalloc_ver}
+make DESTDIR="$RPM_BUILD_ROOT" install_lib install_bin
+cp -pa COPYING ../%{name}-%{version}/COPYING.jemalloc
+cp -pa README ../%{name}-%{version}/README.jemalloc
+popd
+%endif
+
+%if %{with bundle_libdb}
+pushd ../%{libdb_base_version}
+libdbbuilddir=$PWD/BUILD/%{libdb_base_dir}
+libdbdestdir=$PWD/../%{name}-%{version}
+cp -pa $libdbbuilddir/LICENSE $libdbdestdir/LICENSE.libdb
+cp -pa $libdbbuilddir/README $libdbdestdir/README.libdb
+cp -pa $libdbbuilddir/lgpl-2.1.txt $libdbdestdir/lgpl-2.1.txt.libdb
+cp -pa $libdbbuilddir/dist/dist-tls/.libs/%{libdb_bundle_name} $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/%{libdb_bundle_name}
+popd
+%endif
+
+
+%check
+# This checks the code, if it fails it prints why, then re-raises the fail to shortcircuit the rpm build.
+%if %{with tsan}
+export TSAN_OPTIONS=print_stacktrace=1:second_deadlock_stack=1:history_size=7
+%endif
+%if %{without asan} && %{without msan}
+if ! make DESTDIR="$RPM_BUILD_ROOT" check; then cat ./test-suite.log && false; fi
+%endif
+
+%post
+if [ -n "$DEBUGPOSTTRANS" ] ; then
+    output=$DEBUGPOSTTRANS
+    output2=${DEBUGPOSTTRANS}.upgrade
+else
+    output=/dev/null
+    output2=/dev/null
+fi
+
+# reload to pick up any changes to systemd files
+/bin/systemctl daemon-reload >$output 2>&1 || :
+
+# https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Soft_static_allocation
+# Soft static allocation for UID and GID
+# sysusers.d format https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format
+%sysusers_create_compat %{SOURCE4}
+
+# Reload our sysctl before we restart (if we can)
+sysctl --system &> $output; true
+
+# Gather the running instances so we can restart them
+instbase="%{_sysconfdir}/%{pkgname}"
+ninst=0
+for dir in $instbase/slapd-* ; do
+    echo dir = $dir >> $output 2>&1 || :
+    if [ ! -d "$dir" ] ; then continue ; fi
+    case "$dir" in *.removed) continue ;; esac
+    basename=`basename $dir`
+    inst="%{pkgname}@`echo $basename | sed -e 's/slapd-//g'`"
+    echo found instance $inst - getting status  >> $output 2>&1 || :
+    if /bin/systemctl -q is-active $inst ; then
+       echo instance $inst is running >> $output 2>&1 || :
+       instances="$instances $inst"
+    else
+       echo instance $inst is not running >> $output 2>&1 || :
+    fi
+    ninst=`expr $ninst + 1`
+done
+if [ $ninst -eq 0 ] ; then
+    echo no instances to upgrade >> $output 2>&1 || :
+    exit 0 # have no instances to upgrade - just skip the rest
+else
+    # restart running instances
+    echo shutting down all instances . . . >> $output 2>&1 || :
+    for inst in $instances ; do
+        echo stopping instance $inst >> $output 2>&1 || :
+        /bin/systemctl stop $inst >> $output 2>&1 || :
+    done
+    for inst in $instances ; do
+        echo starting instance $inst >> $output 2>&1 || :
+        /bin/systemctl start $inst >> $output 2>&1 || :
+    done
+fi
+
+
+%preun
+if [ $1 -eq 0 ]; then # Final removal
+    # remove instance specific service files/links
+    rm -rf %{_sysconfdir}/systemd/system/%{groupname}.wants/* > /dev/null 2>&1 || :
+fi
+
+%postun
+if [ $1 = 0 ]; then # Final removal
+    rm -rf /var/run/%{pkgname}
+fi
+
+%post snmp
+%systemd_post %{pkgname}-snmp.service
+
+%preun snmp
+%systemd_preun %{pkgname}-snmp.service %{groupname}
+
+%postun snmp
+%systemd_postun_with_restart %{pkgname}-snmp.service
+
+exit 0
+
+%files -f plugins.list
+%if %{with bundle_jemalloc}
+%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.jemalloc
+%license COPYING.jemalloc
+%else
+%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl
+%endif
+%dir %{_sysconfdir}/%{pkgname}
+%dir %{_sysconfdir}/%{pkgname}/schema
+%config(noreplace)%{_sysconfdir}/%{pkgname}/schema/*.ldif
+%dir %{_sysconfdir}/%{pkgname}/config
+%dir %{_sysconfdir}/systemd/system/%{groupname}.wants
+%{_sysusersdir}/389-ds-base.conf
+%config(noreplace)%{_sysconfdir}/%{pkgname}/config/slapd-collations.conf
+%config(noreplace)%{_sysconfdir}/%{pkgname}/config/certmap.conf
+%{_datadir}/%{pkgname}
+%{_datadir}/gdb/auto-load/*
+%{_unitdir}
+%{_bindir}/dbscan
+%{_mandir}/man1/dbscan.1.gz
+%{_bindir}/ds-replcheck
+%{_mandir}/man1/ds-replcheck.1.gz
+%{bash_completions_dir}/ds-replcheck
+%{_bindir}/ds-logpipe.py
+%{_mandir}/man1/ds-logpipe.py.1.gz
+%{_bindir}/ldclt
+%{_mandir}/man1/ldclt.1.gz
+%{_bindir}/logconv.pl
+%{_mandir}/man1/logconv.pl.1.gz
+%{_bindir}/pwdhash
+%{_mandir}/man1/pwdhash.1.gz
+%{_sbindir}/ns-slapd
+%{_mandir}/man8/ns-slapd.8.gz
+%{_sbindir}/openldap_to_ds
+%{_mandir}/man8/openldap_to_ds.8.gz
+%{_libexecdir}/%{pkgname}/ds_systemd_ask_password_acl
+%{_libexecdir}/%{pkgname}/ds_selinux_restorecon.sh
+%{_mandir}/man5/99user.ldif.5.gz
+%{_mandir}/man5/certmap.conf.5.gz
+%{_mandir}/man5/slapd-collations.conf.5.gz
+%{_mandir}/man5/dirsrv.5.gz
+%{_mandir}/man5/dirsrv.systemd.5.gz
+%{_libdir}/%{pkgname}/python
+%dir %{_libdir}/%{pkgname}/plugins
+# This has to be hardcoded to /lib - $libdir changes between lib/lib64, but
+# sysctl.d is always in /lib.
+%{_prefix}/lib/sysctl.d/*
+%dir %{_localstatedir}/lib/%{pkgname}
+%dir %{_localstatedir}/log/%{pkgname}
+%ghost %dir %{_localstatedir}/lock/%{pkgname}
+%exclude %{_sbindir}/ldap-agent*
+%exclude %{_mandir}/man1/ldap-agent.1.gz
+%exclude %{_unitdir}/%{pkgname}-snmp.service
+%if %{with bundle_jemalloc}
+%{_libdir}/%{pkgname}/lib/
+%{_libdir}/%{pkgname}/bin/
+%exclude %{_libdir}/%{pkgname}/bin/jemalloc-config
+%exclude %{_libdir}/%{pkgname}/bin/jemalloc.sh
+%exclude %{_libdir}/%{pkgname}/lib/libjemalloc.a
+%exclude %{_libdir}/%{pkgname}/lib/libjemalloc.so
+%exclude %{_libdir}/%{pkgname}/lib/libjemalloc_pic.a
+%exclude %{_libdir}/%{pkgname}/lib/pkgconfig
+%endif
+
+%files devel
+%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel
+%{_mandir}/man3/*
+%{_includedir}/svrcore.h
+%{_includedir}/%{pkgname}
+%{_libdir}/libsvrcore.so
+%{_libdir}/%{pkgname}/libslapd.so
+%{_libdir}/%{pkgname}/libns-dshttpd.so
+%{_libdir}/%{pkgname}/libldaputil.so
+%{_libdir}/pkgconfig/svrcore.pc
+%{_libdir}/pkgconfig/dirsrv.pc
+
+%files libs
+%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel
+%dir %{_libdir}/%{pkgname}
+%{_libdir}/libsvrcore.so.*
+%{_libdir}/%{pkgname}/libslapd.so.*
+%{_libdir}/%{pkgname}/libns-dshttpd.so.*
+%{_libdir}/%{pkgname}/libldaputil.so.*
+%{_libdir}/%{pkgname}/librewriters.so*
+%if %{with bundle_jemalloc}
+%{_libdir}/%{pkgname}/lib/libjemalloc.so.2
+%endif
+
+%files snmp
+%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel
+%config(noreplace)%{_sysconfdir}/%{pkgname}/config/ldap-agent.conf
+%{_sbindir}/ldap-agent*
+%{_mandir}/man1/ldap-agent.1.gz
+%{_unitdir}/%{pkgname}-snmp.service
+
+%if %{with bundle_libdb}
+%files bdb
+%doc LICENSE LICENSE.GPLv3+ README.devel LICENSE.libdb README.libdb lgpl-2.1.txt.libdb
+%{_libdir}/%{pkgname}/%{libdb_bundle_name}
+%{_libdir}/%{pkgname}/plugins/libback-bdb.so
+%endif
+
+%files -n python%{python3_pkgversion}-lib389
+%doc LICENSE LICENSE.GPLv3+
+%{python3_sitelib}/lib389*
+%{_sbindir}/dsconf
+%{_mandir}/man8/dsconf.8.gz
+%{_sbindir}/dscreate
+%{_mandir}/man8/dscreate.8.gz
+%{_sbindir}/dsctl
+%{_mandir}/man8/dsctl.8.gz
+%{_sbindir}/dsidm
+%{_mandir}/man8/dsidm.8.gz
+%{_libexecdir}/%{pkgname}/dscontainer
+%{bash_completions_dir}/dsctl
+%{bash_completions_dir}/dsconf
+%{bash_completions_dir}/dscreate
+%{bash_completions_dir}/dsidm
+
+%if %{with cockpit}
+%files -n cockpit-389-ds -f cockpit.list
+%{_datarootdir}/metainfo/389-console/org.port389.cockpit_console.metainfo.xml
+%doc README.md
+%endif
+
+%changelog
+* Fri Sep 20 2024 Muhammad Falak <mwani@microsoft.com> 3.1.0-2
+- Initial Azure Linux import from Fedora 42 (license: MIT)
+- License verified
+
+* Tue May 14 2024 James Chapman <jachapma@redhat.com> - 3.1.0-1
+- Bump version to 3.1.0
+- Issue 6142 - Fix CI tests (#6161)
+- Issue 6157 - Cockipt crashes when getting replication status if topology contains an old 389ds version (#6158)
+- Issue 5105 - lmdb - Cannot create entries with long rdn - fix covscan (#6131)
+- Issue 6086 - Ambiguous warning about SELinux in dscreate for non-root user
+- Issue 6094 - Add coverity scan workflow
+- Issue 5962 - Rearrange includes for 32-bit support logic
+- Issue 6046 - Make dscreate to work during kickstart installations
+- Issue 6073 - Improve error log when running out of memory (#6084)
+- Issue 6071 - Instance creation/removal is slow
+- Issue 6010 - 389 ds ignores nsslapd-maxdescriptors (#6027)
+- Issue 6075 - Ignore build artifacts (#6076)
+- Issue 6068 - Add dscontainer stop function
+
+* Mon Apr 15 2024 James Chapman <jachapma@redhat.com> - 3.0.2-1
+- Bump version to 3.0.2
+- Issue 6082 - Remove explicit dependencies toward libdb - revert default (#6145)
+- Issue 6142 - [RFE] Add LMDB configuration related checks into Healthcheck tool (#6143)
+- Issue 6141 - freeipa test_topology_TestCASpecificRUVs is failing (#6144)
+- Issue 6136 - failure in freeipa tests (#6137)
+- Issue 6119 - Synchronise accept_thread with slapd_daemon (#6120)
+- Issue 6105 - lmdb - Cannot create entries with long rdn (#6130)
+- Issue 6082 - Remove explicit dependencies toward libdb (#6083)
+- Issue i6057 - Fix3 - Fix covscan issues (#6127)
+- Issue 6057 - vlv search may result wrong result with lmdb - Fix 2 (#6121)
+- Issue 6057 - vlv search may result wrong result with lmdb (#6091)
+- Issue 6092 - passwordHistory is not updated with a pre-hashed password (#6093)
+- Issue 6133 - Move slapi_pblock_set_flag_operation_notes() to slapi-plugin.h
+- Issue 6125 - dscreate interactive fails when chosing mdb backend (#6126)
+- Issue 6110 - Typo in Account Policy plugin message
+- Issue 6080 - ns-slapd crash in referint_get_config (#6081)
+- Issue 6117 - Fix the UTC offset print (#6118)
+- Issue 5305 - OpenLDAP version autodetection doesn't work
+- Issue 6112 - RFE - add new operation note for MFA authentications
+- Issue 5842 - Add log buffering to audit log
+- Issue 3527 - Support HAProxy and Instance on the same machine configuration (#6107)
+- Issue 6103 - New connection timeout error breaks errormap (#6104)
+- Issue 6096 - Improve connection timeout error logging (#6097)
+- Issue 6067 - Improve dsidm CLI No Such Entry handling (#6079)
+- Issue 6067 - Add hidden -v and -j options to each CLI subcommand (#6088)
+- Issue 6061 - Certificate lifetime displayed as NaN
+
+* Wed Jan 31 2024 Pete Walter <pwalter@fedoraproject.org> - 3.0.1-2
+- Rebuild for ICU 74
+
+* Tue Jan 30 2024 Simon Pichugin <spichugi@redhat.com> - 3.0.1-1
+- Bump version to 3.0.1
+- Issue 6043, 6044 - Enhance Rust and JS bundling and add SPDX licenses for both (#6045)
+- Issue 3555 - Remove audit-ci from dependencies (#6056)
+- Issue 6052 - Paged results test sets hostname to `localhost` on test collection
+- Issue 6051 - Drop unused pytest markers
+- Issue 6049 - lmdb - changelog is wrongly recreated by reindex task (#6050)
+- Issue 6047 - Add a check for tagged commits
+- Issue 6041 - dscreate ds-root - accepts relative path (#6042)
+- Switch default backend to lmdb and bump version to 3.0 (#6013)
+- Issue 6032 - Replication broken after backup restore (#6035)
+- Issue 6037 - Server crash at startup in vlvIndex_delete (#6038)
+- Issue 6034 - Change replica_id from str to int
+- Issue 6028 - vlv index keys inconsistencies (#6031)
+- Issue 5989 - RFE support of inChain Matching Rule (#5990)
+- Issue 6022 - lmdb inconsistency between vlv index and vlv cache names (#6026)
+- Issue 6015 - Fix typo remeber (#6014)
+- Issue 6016 - Pin upload/download artifacts action to v3
+- Issue 5939 - During an update, if the target entry is reverted in the entry cache, the server should not retry to lock it (#6007)
+- Issue 4673 - Update Rust crates
+- Issue 6004 - idletimeout may be ignored (#6005)
+- Issue 5954 - Disable Transparent Huge Pages
+- Issue 5997 - test_inactivty_and_expiration CI testcase is wrong (#5999)
+- Issue 5993 - Fix several race condition around CI tests (#5996)
+- Issue 5944 - Reversion of the entry cache should be limited to BETXN plugin failures (#5994)
+- Bump openssl from 0.10.55 to 0.10.60 in /src (#5995)
+- Issue 5980 - Improve instance startup failure handling (#5991)
+- Issue 5976 - Fix freeipa install regression with lmdb (#5977)
+- Issue 5984 - Crash when paged result search are abandoned - fix2 (#5987)
+- Issue 5984 - Crash when paged result search are abandoned (#5985)
+- Issue 5947 - CI test_vlv_recreation_reindex fails on LMDB (#5979)
+
+* Mon Jan 29 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.5-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Jan 18 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Jan 18 2024 Viktor Ashirov <vashirov@redhat.com> - 2.4.5-1
+- Bump version to 2.4.5
+- Issue 5989 - RFE support of inChain Matching Rule (#5990)
+- Issue 5939 - During an update, if the target entry is reverted in the entry cache, the server should not retry to lock it (#6007)
+- Issue 5944 - Reversion of the entry cache should be limited to BETXN plugin failures (#5994)
+- Issue 5954 - Disable Transparent Huge Pages
+- Issue 5984 - Crash when paged result search are abandoned - fix2 (#5987)
+- Issue 5984 - Crash when paged result search are abandoned (#5985)
+
+* Wed Nov 15 2023 James Chapman <jachapma@redhat.com> - 2.4.4
+- Bump version to 2.4.4
+- Issue 5971 - CLI - Fix password prompt for repl status (#5972)
+- Issue 5973 - Fix fedora cop RawHide builds (#5974)
+- Revert "Issue 5761 - Worker thread dynamic management (#5796)" (#5970)
+- Issue 5966 - CLI - Custom schema object is removed on a failed edit (#5967)
+- Issue 5786 - Update permissions for Release workflow
+- Issue 5960 - Subpackages should have more strict interdependencies
+- Issue 3555 - UI - Fix audit issue with npm - babel/traverse (#5959)
+- Issue 4843 - Fix dscreate create-template issue (#5950)
+- bugfix for --passwd-file not working on latest version (#5934)
+- Issue 5843 - dsconf / dscreate should be able to handle lmdb parameters (#5943)
+- Bump postcss from 8.4.24 to 8.4.31 in /src/cockpit/389-console (#5945)
+- Issue 5938 - Attribute Names changed to lowercase after adding the Attributes (#5940)
+- issue 5924 - ASAN server build crash when looping opening/closing connections (#5926)
+- Issue 1925 - Add a CI test (#5936)
+- Issue 5732 - Localizing Cockpit's 389ds Plugin using CockpitPoPlugin (#5764)
+- Issue 1870 - Add a CI test (#5929)
+- Issue 843 - Add a warning to slapi_valueset_add_value_ext (#5925)
+- Issue 5761 - Worker thread dynamic management (#5796)
+- Issue 1802 - Improve ldclt man page (#5928)
+- Issue 1456 - Add a CI test that verifies there is no issue (#5927)
+- Issue 1317 - Add a CI test (#5923)
+- Issue 1081 - CI - Add more tests for overwriting x-origin issue (#5815)
+- Issue 1115 - Add a CI test (#5913)
+- Issue 5848 - Fix condition and add a CI test (#5916)
+- Issue 5848 - Fix condition and add a CI test (#5916)
+- Issue 5914 - UI - server settings page validation improvements and db index fixes
+- Issue 5909 - Multi listener hang with 20k connections (#5917)
+- Issue 5902 - Fix previous commit regression (#5919)
+- pass instance correctly to ds_is_older (#5903)
+- Issue 5909 - Multi listener hang with 20k connections (#5910)
+- Issue 5722 - improve testcase (#5904)
+- Issue 5203 - outdated version in provided metadata for lib389
+- Bug Description:
+- issue 5890 part 2 - Need a tester for testing multiple listening thread feature (#5897)
+- Issue i5846 - Crash when lmdb import is aborted (#5881)
+- Issue 5894 - lmdb import error fails with Could not store the entry (#5895)
+- Issue 5890 - Need a tester for testing multiple listening thread feature (#5891)
+- Issue 5082 - slugify: ModuleNotFoundError when running test cases
+- Issue 4551 - Part 2 - Fix build warning of previous PR (#5888)
+- Issue 5834 - AccountPolicyPlugin erroring for some users (#5866)
+- Issue 5872 - part 2 - fix is_dbi regression (#5887)
+- Issue 4758 - Add tests for WebUI
+- Issue 5848 - dsconf should prevent setting the replicaID for hub and consumer roles (#5849)
+- Issue 5883 - Remove connection mutex contention risk on autobind (#5886)
+- Issue 5872 - `dbscan()` in lib389 can return bytes
+
+* Thu Aug 3 2023 Mark Reynolds<mreynolds@redhat.com> - 2.4.3-1
+- Bump version to 2.4.3-1
+- Issue 5729 - Memory leak in factory_create_extension (#5814)
+- Issue 5870 - ns-slapd crashes at startup if a backend has no suffix (#5871)
+- Issue 5876 - CI Test random failure - Import (#5879)
+- Issue 5877 - test_basic_ldapagent breaks test_setup_ds_as_non_root* tests
+- Issue 5867 - lib389 should use filter for tarfile as recommended by PEP 706 (#5868)
+- Issue 5853 - Update Cargo.lock and fix minor warning (#5854)
+- Issue 5785 - CLI - arg completion is broken
+- Issue 5864 - Server fails to start after reboot because it's unable to access nsslapd-rundir
+- Issue 5856 - SyntaxWarning: invalid escape sequence '\,'
+- Issue 5859 - dbscan fails with AttributeError: 'list' object has no attribute 'extends'
+- Issue 3527 - UI - Add nsslapd-haproxy-trusted-ip to server setting (#5839)
+- Issue 4551 - Paged search impacts performance (#5838)
+- Issue 4758 - Add tests for WebUI
+- Issue 4169 - UI - Fix retrochangelog and schema Typeaheads (#5837)
+- issue 5833 - dsconf monitor backend fails on lmdb (#5835)
+- Issue 3555 - UI - Fix audit issue with npm - stylelint (#5836)
+
+* Mon Jul 24 2023 Mark Reynolds <mreynolds@redhat.com> - 2.4.2-5
+- Bump version to 2.4.2-5
+- Add the bash completion scripts to the appropriate files section
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Jul 11 2023 František Zatloukal <fzatlouk@redhat.com> - 2.4.2-3
+- Rebuilt for ICU 73.2
+
+* Mon Jul 10 2023 Mark Reynolds <mreynolds@redhat.com> - 2.4.2-2
+- Bump version to 2.4.2-2
+- Issue 5752 - RFE - Provide a history for LastLoginTime (#5807)
+= Issue 4719 - CI - Add dsconf add a PTA URL test
+
+* Fri Jul 7 2023 Mark Reynolds <mreynolds@redhat.com> - 2.4.2-1
+- Bump version to 2.4.2
+- Issue 5793 - UI - fix suffix selection in export modal
+- Issue 5793 - UI - Fix minor crashes (#5827)
+- Issue 5825 - healthcheck - password storage scheme warning needs more info
+- Issue 5822 - Allow empty export path for db2ldif
+- Issue 5755 - Massive memory leaking on update operations (#5824)
+- Issue 5701 - CI - Add more tests for referral mode fix (#5810)
+- Issue 5551 - Almost empty and not loaded ns-slapd high cpu load
+- Issue 5755 - The Massive memory leaking on update operations (#5803)
+- Issue 2375 - CLI - Healthcheck - revise and add new checks
+- Bump openssl from 0.10.52 to 0.10.55 in /src
+- Issue 5793 - UI - movce from webpack to esbuild bundler
+- Issue 5752 - CI - Add more tests for lastLoginHistorySize RFE (#5802)
+- Issue 3527 - Fix HAProxy x390x compatibility and compiler warnings (#5801)
+- Issue 5798 - CLI - Add multi-valued support to dsconf config (#5799)
+- Issue 5781 - Bug handling return code of pre-extended operation plugin.
+- Issue 5785 - move bash completion to post section of specfile
+- Issue 5156 - (cont) RFE slapi_memberof reusing memberof values (#5744)
+- Issue 4758 - Add tests for WebUI
+- Issue 3527 - Add PROXY protocol support (#5762)
+- Issue 5789 - Improve ds-replcheck error handling
+- Issue 5786 - CLI - registers tools for bash completion
+- Issue 5786 - Set minimal permissions on GitHub Workflows (#5787)
+- Issue 5646 - Various memory leaks (#5725)
+- Issue 5778 - UI - Remove error message if .dsrc is missing
+- Issue 5751 - Cleanallruv task crashes on consumer (#5775)
+
+* Wed Jun 28 2023 Python Maint <python-maint@redhat.com> - 2.4.1-2
+- Rebuilt for Python 3.12
+
+* Thu May 18 2023 Mark Reynolds <mreynolds@redhat.com> - 2.4.1-1
+- Bump version to 2.4.1
+- Issue 5770 - RFE - Extend Password Adminstrators to allow skipping password info updates
+- Issue 5768 - CLI/UI - cert checks are too strict, and other issues
+- Issue 5722 - fix compilation warnings (#5771)
+- Issue 5765 - Improve installer selinux handling
+- Issue 152  - RFE - Add support for LDAP alias entries
+- Issue 5052 - BUG - Custom filters prevented entry deletion (#5060)
+- Issue 5752 - RFE - Provide a history for LastLoginTime (#5753)
+- Issue 5722 - RFE When a filter contains 'nsrole', improve response time by rewriting the filter (#5723)
+- Issue 5704 - crash in sync_refresh_initial_content (#5720)
+- Issue 5738 - RFE - UI - Read/write replication monitor info to .dsrc file
+- Issue 5156 - build warnings (#5758)
+- Issue 5749 - RFE - Allow Account Policy Plugin to handle inactivity and expiration at the same time
+- Issue 5743 - Disabling replica crashes the server (#5746)
+- Issue 2562 - Copy config files into backup directory
+- Issue 5156 - fix build breakage from slapi-memberof commit
+- Issue 4758 - Add tests for WebUI
+
+* Tue Apr 25 2023 Mark Reynolds <mreynolds@redhat.com> - 2.4.0-1
+- Bump version to 2.4.0
+- Issue 5156 - RFE that implement slapi_memberof (#5694)
+- Issue 5734 - RFE - Exclude pwdFailureTime and ContextCSN (#5735)
+- Issue 5726 - ns-slapd crashing in ldbm_back_upgradednformat (#5727)
+- Issue 4758 - Add tests for WebUI
+- Issue 5718 - Memory leak in connection table (#5719)
+- Issue 5705 - Add config parameter to close client conns on failed bind (#5712)
+- Issue 4758 - Add tests for WebUI
+- Issue 5643 - Memory leak in entryrdn during delete (#5717)
+- Issue 5714 - UI - fix typo, db settings, log settings, and LDAP editor paginations
+- Issue 5701 - CLI - Fix referral mode setting (#5708)
+- Bump openssl from 0.10.45 to 0.10.48 in /src (#5709)
+- Issue 5710 - subtree search statistics for index lookup does not report ancestorid/entryrdn lookups (#5711)
+- Issue 5697 - Obsolete nsslapd-ldapimaprootdn attribute (#5698)
+- Issue 1081 - Stop schema replication from overwriting x-origin
+- Issue 4812 - Listener thread does not scale with a high num of established connections (#5706)
+- Issue 4812 - Listener thread does not scale with a high num of established connections (#5681)
+- Bump webpack from 5.75.0 to 5.76.0 in /src/cockpit/389-console (#5699)
+- Issue 5598 - (3rd) In 2.x, SRCH throughput drops by 10% because of handling of referral (#5692)
+- Issue 5598 - (2nd) In 2.x, SRCH throughput drops by 10% because of handling of referral (#5691)
+- Issue 5687 - UI - sensitive information disclosure
+- Issue 5661 - LMDB hangs while Rebuilding the replication changelog RUV (#5676)
+- Issue 5554 - Add more tests to security_basic_test suite
+- Issue 4583 - Update specfile to skip checks of ASAN builds
+- Issue 4758 - Add tests for WebUI
+- Issue 3604 - UI - Add support for Subject Alternative Names in CSR
+- Issue 5600 - buffer overflow when enabling sync repl plugin when dynamic plugins is enabled
+- Issue 5640 - Update logconv for new logging format
+- Issue 5162 - CI - fix error message for invalid pem file
+- Issue 5598 - In 2.x, SRCH throughput drops by 10% because of handling of referral (#5604)
+- Issue 5671 - covscan - clang warning (#5672)
+- Issue 5267 - CI - Fix issues with nsslapd-return-original-entrydn
+- Issue 5666 - CLI - Add timeout parameter for tasks
+- Issue 5567 - CLI - make ldifgen use the same default ldif name for all options
+- Issue 5647 - Fix unused variable warning from previous commit (#5670)
+- Issue 5162 - Lib389 - verify certificate type before adding
+- Issue 5642 - Build fails against setuptools 67.0.0
+- Issue 5630 - CLI - need to add logging filter for stdout
+- Issue 5646 - CLI/UI - do not hardcode password storage schemes
+- Issue 5640 - Update logconv for new logging format
+- issue 5647 - covscan: memory leak in audit log when adding entries (#5650)
+- Issue 5658 - CLI - unable to add attribute with matching rule
+- Issue 5653 - covscan - fix invalid dereference
+- Issue 5652 - Libasan crash in replication/cascading_test (#5659)
+- Issue 5628 - Handle graceful timeout in CI tests (#5657)
+- Issue 5648 - Covscan - Compiler warnings (#5651)
+- Issue 5630 - CLI - error messages should goto stderr
+- Issue 2435 - RFE - Raise IDL Scan Limit to INT_MAX (#5639)
+- Issue 5632 - CLI - improve error handling with db2ldif
+- Issue 5517 - Replication conflict CI test sometime fails (#5518)
+- Issue 5634 - Deprecated warning related to github action workflow code (#5635)
+- Issue 5637 - Covscan - fix Buffer Overflows (#5638)
+- Issue 5624 - RFE - UI - export certificates, and import text base64 encoded certificates
+- Bump tokio from 1.24.1 to 1.25.0 in /src (#5629)
+- Issue 4577 - Add LMDB pytest github action (#5627)
+- Issue 4293 - RFE - CLI - add dsrc options for setting user and group subtrees
+- Remove stale libevent(-devel) dependency
+- Issue 5578 - dscreate ds-root does not normaile paths (#5613)
+- Issue 5497 - boolean attributes should be case insensitive
+
+* Fri Mar 31 2023 Viktor Ashirov <vashirov@redhat.com> - 2.3.2-3
+- Fix build issue against setuptools 67.0.0 (#2183375)
+
+* Tue Feb 28 2023 Simon Pichugin <spichugi@redhat.com> - 2.3.2-2
+- Use systemd-sysusers for dirsrv user and group (#2173834)
+
+* Mon Jan 23 2023 Mark Reynolds <mreynolds@redhat.com> - 2.3.2-1
+- Bump version to 2.3.2
+- Issue 5547 - automember plugin improvements
+- Issue 5607, 5351, 5611 - UI/CLI - fix various issues
+- Issue 5610 - Build failure on Debian
+- Issue 5608 - UI - need to replace some "const" with "let"
+- Issue 5560 - dscreate run by non superuser set defaults requiring superuser privilege (#5579)
+- Issue 3604 - Create a private key/CSR with dsconf/Cockpit (#5584)
+- Issue 5605 - Adding a slapi_log_backtrace function in libslapd (#5606)
+- Issue 5602 - UI - browser crash when trying to modify read-only variable
+- Issue 5581 - UI - Support cockpit dark theme
+- Issue 5593 - CLI - dsidm account subtree-status fails with TypeError
+- Issue 5591 - BUG - Segfault in cl5configtrim with invalid confi (#5592)
+- Fix latest npm audit failures
+- Issue 5599 - CI - webui tests randomly fail
+- Issue 5348 - RFE - CLI - add functionality to do bulk updates to entries
+- Issue 5588 - Fix CI tests
+- Issue 5585 - lib389 password policy DN handling is incorrect (#5587)
+- Issue 5521 - UI - Update plugins for new split PAM and LDAP pass thru auth
+- Bump json5 from 2.2.1 to 2.2.3 in /src/cockpit/389-console
+- Issue 5236 - UI add specialized group edit modal
+- Issue 5550 - dsconf monitor crashes with Error math domain error (#5553)
+- Issue 5278 - CLI - dsidm asks for the old password on password reset
+- Issue 5531 - CI - use universal_lines in capture_output
+- Issue 5425 - CLI - add confirmation arg when deleting backend
+- Issue 5558 - non-root instance fails to start on creation (#5559)
+- Issue 5545 - A random crash in import over lmdb (#5546)
+- Issue 3615 - CLI - prevent virtual attribute indexing
+- Update specfile and rust crates
+- Issue 5413 - Allow mutliple MemberOf fixup tasks with different bases/filters
+- Issue 5554 - Add more tests to security_basic_test suite (#5555)
+- Issue 5561 - Nightly tests are failing
+- Issue 5521 - RFE - split pass through auth cli
+- Issue 5521 - BUG - Pam PTA multiple issues
+- Issue 5544 - Increase default task TTL
+- Issue 5526 - RFE - Improve saslauthd migration options (#5528)
+- Issue 5539 - Make logger's parameter name unified (#5540)
+- Issue 5541 - Fix typo in `lib389.cli_conf.backend._get_backend` (#5542)
+- Issue 3729 - (cont) RFE Extend log of operations statistics in access log (#5538)
+- Issue 5534 - Fix a rebase typo (#5537)
+- Issue 5534 - Add copyright text to the repository files
+
+* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Sat Dec 31 2022 Pete Walter <pwalter@fedoraproject.org> - 2.3.1-2
+- Rebuild for ICU 72
+
+* Fri Nov 18 2022 Mark Reynolds <mreynolds@redhat.com> - 2.3.1-1
+- Bump version to 2.3.1
+- Issue 5532 - Make db compaction TOD day more robust.
+- Issue 3729 - RFE Extend log of operations statistics in access log (#5508)
+- Issue 5529 - UI - Fix npm vulnerability in loader-utils
+- Issue 5490 - tombstone in entryrdn index with lmdb but not with bdb (#5498)
+- Issue 5162 - Fix dsctl tls ca-certfiicate add-cert arg requirement
+- Issue 5510 - remove twalk_r dependency to build on RHEL8 (#5516)
+- Issue 5162 - RFE - CLI allow adding CA certificate bundles
+- Issue 5440 - memberof is slow on update/fixup if there are several 'groupattr' (#5455)
+- Issue 5512 - BUG - skip pwdPolicyChecker OC in migration (#5513)
+- Issue 3555 - UI - fix audit issue with npm loader-utils (#5514)
+- Issue 5505 - Fix compiler warning (#5506)
+- Issue 5469 - Increase the default value of nsslapd-conntablesize (#5472)
+- Issue 5408 - lmdb import is slow (#5481)
+- Issue 5429 - healthcheck - add checks for MemberOf group attrs being indexed
+- Issue 5502 - RFE - Add option to display entry attributes in audit log
+- Issue 5495 - BUG - Minor fix to dds skip, inconsistent attrs caused errors (#5501)
+- Issue 5367 - RFE - store full DN in database record
+- Issue 5495 - RFE - skip dds during migration. (#5496)
+- Issue 5491 - UI - Add rework and finish jpegPhoto functionality (#5492)
+- Issue 5368 - Retro Changelog trimming does not work (#5486)
+- Issue 5487 - Fix various issues with logconv.pl
+- Issue 5476 - RFE - add memberUid read aci by default (#5477)
+- Issue 5482 - lib389 - Can not enable replication with a mixed case suffix
+- Issue 5478 - Random crash in connection code during server shutdown (#5479)
+- Issue 3061 - RFE - Add password policy debug log level
+- Issue 5302 - Release tarballs don't contain cockpit webapp
+- Issue 5262 - high contention in find_entry_internal_dn on mixed load (#5264)
+- Issue 4324 - Revert recursive pthread mutex change (#5463)
+- Issue 5462 - RFE - add missing default indexes (#5464)
+- Issue 5465 - Fix dbscan linking (#5466)
+- Issue 5271 - Serialization of pam_passthrough causing high etimes (#5272)
+- Issue 5453 - UI/CLI - Changing Root DN breaks UI
+- Issue 5446 - Fix some covscan issues (#5451)
+- Issue 4308 - checking if an entry is a referral is expensive
+- Issue 5447 - UI - add NDN max cache size to UI
+- Issue 5443 - UI - disable save button while saving
+- Issue 5413 - Allow only one MemberOf fixup task at a time
+- Issue 4592 - dscreate error with custom dir_path (#5434)
+- Issue 5158 - entryuuid fixup tasks fails in replicated topology (#5439)
+
+* Tue Sep 20 2022 Mark Reynolds <mreynolds@redhat.com> - 2.3.0-2
+- Bump version to 2.3.0-2
+- Update old pcre-devel requirement to pcre2-devel
+
+* Thu Sep 1 2022 Mark Reynolds <mreynolds@redhat.com> - 2.3.0-1
+- Bump version to 2.3.0
+- Issue 5012 - Migrate pcre to pcre2 - remove match limit
+- Issue 5356 - Make Rust non-optional and update default password storage scheme
+- Issue 5012 - Migrate pcre to pcre2
+- Issue 5428 - Fix regression with nscpEntryWsi computation
+- Fix missing 'not' in description (closes #5423) (#5424)
+- Issue 5421 - CI - makes replication/acceptance_test.py::test_modify_entry more robust (#5422)
+- Issue 3903 - fix repl keep alive event interval
+- Issue 5418 - Sync_repl may crash while managing invalid cookie (#5420)
+- Issue 5415 - Hostname when set to localhost causing failures in other tests
+- Issue 5412 - lib389 - do not set backend name to lowercase
+- Issue 5407 - sync_repl crashes if enabled while dynamic plugin is enabled (#5411)
+- Issue 5385 - LMDB - import crash in rdncache_add_elem (#5406)
+- Issue 5403 - Memory leak in conntection table mulit list (#5404)
+- Issue 3903 - keep alive update event starts too soon
+- Issue 5397 - Fix various memory leaks
+- Issue 5399 - UI - LDAP Editor is not updated when we switch instances (#5400)
+- Issue 3903 - Supplier should do periodic updates
+- Issue 5377 - Code cleanup: Fix Covscan invalid reference (#5393)
+- Issue 5394 - configure doesn't check for lmdb and json-c
+- Issue 5392 - dscreate fails when using alternative ports in the SELinux hi_reserved_port_t label range
+- Issue 5386 - BUG - Update sudoers schema to correctly support UTF-8 (#5387)
+- Issue 5388 - fix use-after-free and deadcode
+- Issue 5383 - UI - Various fixes and RFE's for UI
+- Issue 4656 - Remove problematic language from source code
+- Issue 5380 - Separate cleanAllRUV code into new file
+- Issue 5322 - optime & wtime on rejected connections is not properly set
+- Issue 5335 - RFE - Add Security Audit Log
+- Issue 5375 - CI - disable TLS hostname checking
+- Issue 981  - Managed Entries betxnpreoperation - transaction not aborted on managed entry failure (#5369)
+- Issue 5373 - dsidm user get_dn fails with search_ext() argument 1 must be str, not function
+- Issue 5371 - Update npm and cargo packages
+- Issue 3069 - Support ECDSA private keys for TLS (#5365)
+- Issue 5290 - Importing certificate chain files via "import-server-key-cert" no longer works (#5293)
+
+* Mon Aug 01 2022 Frantisek Zatloukal <fzatlouk@redhat.com> - 2.2.2-3
+- Rebuilt for ICU 71.1
+
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue Jul 5 2022 Mark Reynolds <mreynolds@redhat.com> - 2.2.2-1
+- Bump version to 2.2.2
+- Issue 5221 - fix covscan (#5359)
+- Issue 5294 - Report Portal 5 is not processing an XML file with (#5358)
+- Issue 5353 - CLI - dsconf backend export breaks with multiple backends
+- Issue 5346 - New connection table fails with ASAN failures (#5350)
+- Issue 5345 - BUG - openldap migration fails when ppolicy is active (#5347)
+- Issue 5323 - BUG - improve skipping of monitor db (#5340)
+- Issue 5329 - Improve replication extended op logging
+- Issue 5343 - Various improvements to winsync
+- Issue 4932 - CLI - add parser aliases to long arg names
+- Issue 5332 - BUG - normalise filter as intended
+- Issue 5327 - Validate test metadata
+- Issue 4812 - Scalability with high number of connections (#5090)
+- Issue 4348 - Add tests for dsidm
+- Issue 5333 - 389-ds-base fails to build with Python 3.11
+
+* Thu Jun 16 2022 Python Maint <python-maint@redhat.com> - 2.2.1-4
+- Rebuilt for Python 3.11
+
+* Wed Jun 15 2022 Mark Reynolds <mreynolds@redhat.com> - 2.2.1-3
+- Bump version to 2.2.1-3
+- Issue 5332 - BUG - normalise filter as intended
+- Issue 5327 - Validate test metadata
+- Issue 4348 - Add tests for dsidm
+- Bump crossbeam-utils from 0.8.6 to 0.8.8 in /src
+- Issue 5333 - 389-ds-base fails to build with Python 3.11
+
+* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 2.2.1-2
+- Rebuilt for Python 3.11
+
+* Fri Jun 3 2022 Mark Reynolds <mreynolds@redhat.com> - 2.2.1-1
+- Bump version to 2.2.1
+- Issue 5323 - BUG - Fix issue in mdb tests with monitor (#5326)
+- Issue 5170 - BUG - incorrect behaviour of filter test (#5315)
+- Issue 5324 - plugin acceptance test needs hardening
+- Issue 5319 - dsctl_tls_test.py fails with openssl-3.x
+- Issue 5323 - BUG - migrating database for monitoring interface lead to crash (#5321)
+- Issue 5304 - Need a compatibility option about sub suffix handling (#5310)
+- Issue 5313 - dbgen test uses deprecated -h HOST and -p PORT options for ldapmodify
+- Issue 5311 - Missing Requires for acl in the spec file
+- Issue 5305 - OpenLDAP version autodetection doesn't work
+- Issue 5307 - VERSION_PREREL is not set correctly in CI builds
+- Issue 5302 - Release tarballs don't contain cockpit webapp
+- Issue 5170 - RFE - improve filter logging to assist debugging (#5301)
+- Issue 5299 - jemalloc 5.3 released
+- Issue 5175 - Remove stale zlib-devel dependency declaration (#5173)
+- Issue 5294 - Report Portal 5 is not processing test results XML file
+- Issue 5170 - BUG - ldapsubentries were incorrectly returned (#5285)
+- Issue 5291 - Harden ReplicationManager.wait_for_replication (#5292)
+- Issue  379 - RFE - Compress rotated logs (fix linker)
+- Issue  379 - RFE - Compress rotated logs
+- Issue 5281 - HIGH - basic test does not run
+- Issue 5284 - Replication broken after password change (#5286)
+- Issue 5279 - dscontainer: TypeError: unsupported operand type(s) for /: 'str' and 'int'
+- Issue 5170 - RFE - Filter optimiser (#5171)
+- Issue 5276 - CLI - improve task handling
+- Issue 5126 - Memory leak in slapi_ldap_get_lderrno (#5153)
+- Issue 3 - ansible-ds - Prefix handling fix (#5275)
+- Issue 5273 - CLI - add arg completer for instance name
+- Issue 2893 - CLI - dscreate - add options for setting up replication
+- Issue 4866 - CLI - when enabling replication set changelog trimming by default
+- Issue 5241 - UI - Add account locking missing functionality (#5251)
+- Issue 5180 - snmp_collator tries to unlock NULL mutex (#5266)
+- Issue 4904 - Fix various small issues
+- lib389 prerequisite for ansible-ds (#5253)
+- Issue 5260 - BUG - OpenLDAP allows multiple names of memberof overlay (#5261)
+- Issue 5252 - During DEL, vlv search can erroneously return NULL candidate (#5256)
+- Issue 5254 - dscreate create-template regression due to 5a3bdc336 (#5255)
+- Issue 5210 - Python undefined names in lib389
+- Issue 5065 - Crash in suite plugins - test_dna_max_value (#5108)
+- Issue 5247 - BUG - Missing attributes in samba schema (#5248)
+- Issue 5242- Craft message may crash the server (#5243)
+- Issue 4775 -plugin entryuuid failing (#5229)
+- Issue 5239 - Nightly copr builds are broken
+- Issue 5237 - audit-ci: Cannot convert undefined or null to object
+- Issue 5234 - UI - rename Users and Groups tab
+- Issue 5227 - UI - No way to move back to Get Started step (#5233)
+- Issue 5217 - Simplify instance creation and administration by non root user (#5224)
diff --git a/SPECS-EXTENDED/389-ds-base/389-ds-base.sysusers b/SPECS-EXTENDED/389-ds-base/389-ds-base.sysusers
new file mode 100644
index 00000000000..32a3452dae4
--- /dev/null
+++ b/SPECS-EXTENDED/389-ds-base/389-ds-base.sysusers
@@ -0,0 +1,3 @@
+#Type Name     ID             GECOS                   Home directory       Shell
+g     dirsrv   389
+u     dirsrv   389:389        "user for 389-ds-base"  /usr/share/dirsrv/   /sbin/nologin
diff --git a/SPECS-EXTENDED/CharLS/CharLS.signatures.json b/SPECS-EXTENDED/CharLS/CharLS.signatures.json
index 9b1060ddc8d..a89dbcc7937 100644
--- a/SPECS-EXTENDED/CharLS/CharLS.signatures.json
+++ b/SPECS-EXTENDED/CharLS/CharLS.signatures.json
@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "CharLS-2.0.0.tar.gz": "528c6a3cc168a44e73f2890d8f4a35104a54d752eba3d6a643f050b72dd67cfa"
+  "CharLS-2.4.2.tar.gz": "d1c2c35664976f1e43fec7764d72755e6a50a80f38eca70fcc7553cad4fe19d9"
  }
 }
diff --git a/SPECS-EXTENDED/CharLS/CharLS.spec b/SPECS-EXTENDED/CharLS/CharLS.spec
index 1e7e287f88d..df540fdb322 100644
--- a/SPECS-EXTENDED/CharLS/CharLS.spec
+++ b/SPECS-EXTENDED/CharLS/CharLS.spec
@@ -1,13 +1,14 @@
 Summary:        An optimized implementation of the JPEG-LS standard
 Name:           CharLS
-Version:        2.0.0
-Release:        10%{?dist}
+Version:        2.4.2
+Release:        1%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL:            https://github.com/team-charls/charls
-Source0:        https://github.com/team-charls/charls/archive/%{version}/%{name}-%{version}.tar.gz
-BuildRequires:  cmake >= 2.6.0
+Source0:        https://github.com/team-charls/charls/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+
+BuildRequires:  cmake
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
 
@@ -42,7 +43,6 @@ rm CharLS*.sln* -v
 
 %cmake_build
 
-
 %install
 %cmake_install
 
@@ -55,16 +55,20 @@ popd
 
 
 %files
-%license License.txt
-%{_libdir}/lib%{name}.so.2
-%{_libdir}/lib%{name}.so.2.0
+%license LICENSE.md
+%{_libdir}/libcharls.so.2*
 
 %files devel
-%dir %{_includedir}/%{name}/
-%{_includedir}/%{name}/*
-%{_libdir}/lib%{name}.so
+%dir %{_includedir}/charls/
+%{_includedir}/charls/*
+%{_libdir}/cmake/charls/
+%{_libdir}/libcharls.so
+%{_libdir}/pkgconfig/charls.pc
 
 %changelog
+* Tue Sept 24 2024 Jyoti Kanase <v-jykanase@microsoft.com> - 2.4.2-1
+- Update to version 2.4.2
+
 * Wed Aug 09 2023 Archana Choudhary <archana1@microsoft.com> - 2.0.0-10
 - Initial CBL-Mariner import from Fedora 37 (license: MIT).
 - License verified
diff --git a/SPECS-EXTENDED/buildah/buildah.spec b/SPECS-EXTENDED/buildah/buildah.spec
index f76e937881a..318a0ae2aff 100644
--- a/SPECS-EXTENDED/buildah/buildah.spec
+++ b/SPECS-EXTENDED/buildah/buildah.spec
@@ -21,7 +21,7 @@
 Summary:        A command line tool used for creating OCI Images
 Name:           buildah
 Version:        1.18.0
-Release:        27%{?dist}
+Release:        28%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -32,7 +32,7 @@ BuildRequires:  btrfs-progs-devel
 BuildRequires:  device-mapper-devel
 BuildRequires:  git
 BuildRequires:  glib2-devel
-BuildRequires:  glibc-static >= 2.38-7%{?dist}
+BuildRequires:  glibc-static >= 2.38-8%{?dist}
 BuildRequires:  go-md2man
 BuildRequires:  go-rpm-macros
 BuildRequires:  golang
@@ -123,6 +123,9 @@ cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
 %{_datadir}/%{name}/test
 
 %changelog
+* Mon Aug 26 2024 Rachel Menge <rachelmenge@microsoft.com> - 1.18.0-28
+- Update to build dep latest glibc-static version
+
 * Wed Aug 21 2024 Chris Co <chrco@microsoft.com> - 1.18.0-27
 - Bump to rebuild with updated glibc
 
@@ -1896,7 +1899,7 @@ cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
 
 * Thu Feb 22 2018 Dan Walsh <dwalsh@redhat.com> 0.13-1
 - Vendor in latest containers/storage
-- This fixes a large SELinux bug.  
+- This fixes a large SELinux bug.
 - run: do not open /etc/hosts if not needed
 - Add the following flags to buildah bud and from
             --add-host
@@ -2024,7 +2027,7 @@ cp imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
 - Bump for inclusion of OCI 1.0 Runtime and Image Spec
 
 * Tue Jul 18 2017 Dan Walsh <dwalsh@redhat.com> 0.2.0-1.gitac2aad6
-- buildah run: Add support for -- ending options parsing 
+- buildah run: Add support for -- ending options parsing
 - buildah Add/Copy support for glob syntax
 - buildah commit: Add flag to remove containers on commit
 - buildah push: Improve man page and help information
diff --git a/SPECS-EXTENDED/catatonit/catatonit.spec b/SPECS-EXTENDED/catatonit/catatonit.spec
index 2a9e5d12d35..79b58fadb71 100644
--- a/SPECS-EXTENDED/catatonit/catatonit.spec
+++ b/SPECS-EXTENDED/catatonit/catatonit.spec
@@ -3,7 +3,7 @@ Distribution:   Azure Linux
 
 Name: catatonit
 Version: 0.1.7
-Release: 15%{?dist}
+Release: 16%{?dist}
 Summary: A signal-forwarding process manager for containers
 License: GPLv3+
 URL: https://github.com/openSUSE/catatonit
@@ -13,7 +13,7 @@ BuildRequires: automake
 BuildRequires: file
 BuildRequires: gcc
 BuildRequires: git
-BuildRequires: glibc-static >= 2.38-7%{?dist}
+BuildRequires: glibc-static >= 2.38-8%{?dist}
 BuildRequires: libtool
 BuildRequires: make
 
@@ -61,6 +61,9 @@ ln -s %{_libexecdir}/%{name}/%{name} %{buildroot}%{_libexecdir}/podman/%{name}
 %{_libexecdir}/podman/%{name}
 
 %changelog
+* Mon Aug 26 2024 Rachel Menge <rachelmenge@microsoft.com> - 0.1.7-16
+- Update to build dep latest glibc-static version
+
 * Wed Aug 21 2024 Chris Co <chrco@microsoft.com> - 0.1.7-15
 - Bump to rebuild with updated glibc
 
@@ -105,7 +108,7 @@ ln -s %{_libexecdir}/%{name}/%{name} %{buildroot}%{_libexecdir}/podman/%{name}
 - autobuilt v0.1.5
 
 * Wed Apr 29 2020 Lokesh Mandvekar <lsm5@fedoraproject.org> - 0.1.5-2
-- complain if not statically linked, patch from Jindrich Novy <jnovy@redhat.com> 
+- complain if not statically linked, patch from Jindrich Novy <jnovy@redhat.com>
 
 * Wed Apr 29 2020 Lokesh Mandvekar <lsm5@fedoraproject.org> - 0.1.5-1
 - bump to v0.1.5
diff --git a/SPECS-EXTENDED/distribution-gpg-keys/distribution-gpg-keys.signatures.json b/SPECS-EXTENDED/distribution-gpg-keys/distribution-gpg-keys.signatures.json
deleted file mode 100644
index d10a6ba75d0..00000000000
--- a/SPECS-EXTENDED/distribution-gpg-keys/distribution-gpg-keys.signatures.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "Signatures": {
-  "distribution-gpg-keys-1.104.tar.gz": "60ec27522ba960719f6b7d578106a65dc2dca235e9ebf2399a6a98571afffd5a"
- }
-}
\ No newline at end of file
diff --git a/SPECS-EXTENDED/dyninst/dyninst.spec b/SPECS-EXTENDED/dyninst/dyninst.spec
index b020da7ea54..d27f30a1d25 100644
--- a/SPECS-EXTENDED/dyninst/dyninst.spec
+++ b/SPECS-EXTENDED/dyninst/dyninst.spec
@@ -1,7 +1,7 @@
 Summary: An API for Run-time Code Generation
 License: LGPLv2+
 Name: dyninst
-Release: 17%{?dist}
+Release: 18%{?dist}
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL: http://www.dyninst.org
@@ -31,7 +31,7 @@ BuildRequires: tbb tbb-devel
 
 # Extra requires just for the testsuite
 BuildRequires: gcc-gfortran libstdc++-static libxml2-devel
-BuildRequires: glibc-static >= 2.38-7%{?dist}
+BuildRequires: glibc-static >= 2.38-8%{?dist}
 
 # Testsuite files should not provide/require anything
 %{?filter_setup:
@@ -194,6 +194,9 @@ echo "%{_libdir}/dyninst" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %attr(644,root,root) %{_libdir}/dyninst/testsuite/*.a
 
 %changelog
+* Mon Aug 26 2024 Rachel Menge <rachelmenge@microsoft.com> - 10.1.0-18
+- Update to build dep latest glibc-static version
+
 * Wed Aug 21 2024 Chris Co <chrco@microsoft.com> - 10.1.0-17
 - Bump to rebuild with updated glibc
 
@@ -236,7 +239,7 @@ echo "%{_libdir}/dyninst" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 
 * Fri Nov 15 2019 Stan Cox <scox@redhat.com> - 10.1.0-4
-- Fix rhbz963475 dyninst must be ported to aarch64 
+- Fix rhbz963475 dyninst must be ported to aarch64
 
 * Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 10.1.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
diff --git a/SPECS-EXTENDED/kernel-rt/config b/SPECS-EXTENDED/kernel-rt/config
index 43592b36b0d..6bb08f08746 100644
--- a/SPECS-EXTENDED/kernel-rt/config
+++ b/SPECS-EXTENDED/kernel-rt/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 6.6.43.1 Kernel Configuration
+# Linux/x86_64 6.6.44.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0"
 CONFIG_CC_IS_GCC=y
diff --git a/SPECS-EXTENDED/kernel-rt/kernel-rt.signatures.json b/SPECS-EXTENDED/kernel-rt/kernel-rt.signatures.json
index afc9c9d3f7f..3f20214235b 100644
--- a/SPECS-EXTENDED/kernel-rt/kernel-rt.signatures.json
+++ b/SPECS-EXTENDED/kernel-rt/kernel-rt.signatures.json
@@ -1,10 +1,10 @@
 {
   "Signatures": {
     "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
-    "config": "9bcf400cb3b750163107727bed252a8fe7414f4edaee97981c56ce70bf20dee2",
+    "config": "2c67ae488fa1e01db4230f09fdd7f1d898ed17def7cff53da275a79e80b68548",
     "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
     "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
     "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
-    "kernel-6.6.43.1.tar.gz": "978e302c77d8ffbb7f6e6fafd1bc77c9fc84a7839d1ec3251f1c48d61eaf5c39"
+    "kernel-6.6.44.1.tar.gz": "664f0c0f3c898001f624b1a028d96551fa515ab06d52e101c5f893a9dd5e395b"
   }
 }
diff --git a/SPECS-EXTENDED/kernel-rt/kernel-rt.spec b/SPECS-EXTENDED/kernel-rt/kernel-rt.spec
index 05425dd00a9..f3b370142f7 100644
--- a/SPECS-EXTENDED/kernel-rt/kernel-rt.spec
+++ b/SPECS-EXTENDED/kernel-rt/kernel-rt.spec
@@ -1,6 +1,6 @@
 %global security_hardening none
 %global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
-%global rt_version rt38
+%global rt_version rt39
 %define uname_r %{version}-%{rt_version}-%{release}
 %define mariner_version 3
 %define version_upstream %(echo %{version} | rev | cut -d'.' -f2- | rev)
@@ -23,7 +23,7 @@
 
 Summary:        Realtime Linux Kernel
 Name:           kernel-rt
-Version:        6.6.43.1
+Version:        6.6.44.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -414,6 +414,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Wed Aug 14 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.44.1-1
+- Auto-upgrade to 6.6.44.1
+
 * Tue Jul 30 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.43.1-1
 - Auto-upgrade to 6.6.43.1
 
diff --git a/SPECS-EXTENDED/kernel-rt/patch-6.6.43-rt38.patch b/SPECS-EXTENDED/kernel-rt/patch-6.6.44-rt39.patch
similarity index 96%
rename from SPECS-EXTENDED/kernel-rt/patch-6.6.43-rt38.patch
rename to SPECS-EXTENDED/kernel-rt/patch-6.6.44-rt39.patch
index 25f208d99d6..30e8dc8dd92 100644
--- a/SPECS-EXTENDED/kernel-rt/patch-6.6.43-rt38.patch
+++ b/SPECS-EXTENDED/kernel-rt/patch-6.6.44-rt39.patch
@@ -1,7 +1,7 @@
-From 4423cccce35387775ff546874075cd980e54ee04 Mon Sep 17 00:00:00 2001
+From c31fd57df2b7621190d30077ad57f6bb4ca387ec Mon Sep 17 00:00:00 2001
 From: Peter Zijlstra <peterz@infradead.org>
 Date: Fri, 8 Sep 2023 18:22:48 +0200
-Subject: [PATCH 001/198] sched: Constrain locks in sched_submit_work()
+Subject: [PATCH 001/200] sched: Constrain locks in sched_submit_work()
 
 Even though sched_submit_work() is ran from preemptible context,
 it is discouraged to have it use blocking locks due to the recursion
@@ -18,10 +18,10 @@ Link: https://lkml.kernel.org/r/20230908162254.999499-2-bigeasy@linutronix.de
  1 file changed, 9 insertions(+)
 
 diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index 820880960513..3593fa308098 100644
+index 92e4afeb71ad..849fc7d07107 100644
 --- a/kernel/sched/core.c
 +++ b/kernel/sched/core.c
-@@ -6724,11 +6724,18 @@ void __noreturn do_task_dead(void)
+@@ -6721,11 +6721,18 @@ void __noreturn do_task_dead(void)
  
  static inline void sched_submit_work(struct task_struct *tsk)
  {
@@ -40,7 +40,7 @@ index 820880960513..3593fa308098 100644
  	task_flags = tsk->flags;
  	/*
  	 * If a worker goes to sleep, notify and ask workqueue whether it
-@@ -6753,6 +6760,8 @@ static inline void sched_submit_work(struct task_struct *tsk)
+@@ -6750,6 +6757,8 @@ static inline void sched_submit_work(struct task_struct *tsk)
  	 * make sure to submit it to avoid deadlocks.
  	 */
  	blk_flush_plug(tsk->plug, true);
@@ -52,10 +52,10 @@ index 820880960513..3593fa308098 100644
 -- 
 2.45.2
 
-From 49792a941814ec347f6e752649dff1628c358ae3 Mon Sep 17 00:00:00 2001
+From 72f3810ae4e509f7480e115e674d04fa960710b8 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Fri, 8 Sep 2023 18:22:49 +0200
-Subject: [PATCH 002/198] locking/rtmutex: Avoid unconditional slowpath for
+Subject: [PATCH 002/200] locking/rtmutex: Avoid unconditional slowpath for
  DEBUG_RT_MUTEXES
 
 With DEBUG_RT_MUTEXES enabled the fast-path rt_mutex_cmpxchg_acquire()
@@ -138,10 +138,10 @@ index d1473c624105..c7196de838ed 100644
 -- 
 2.45.2
 
-From 5c3e7fcdea9270d9ec9a97f87435debcf96595b3 Mon Sep 17 00:00:00 2001
+From 925e452d2b87ee4ac76c3225f60384fa1b460ef4 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Fri, 8 Sep 2023 18:22:50 +0200
-Subject: [PATCH 003/198] sched: Extract __schedule_loop()
+Subject: [PATCH 003/200] sched: Extract __schedule_loop()
 
 There are currently two implementations of this basic __schedule()
 loop, and there is soon to be a third.
@@ -155,10 +155,10 @@ Link: https://lkml.kernel.org/r/20230908162254.999499-4-bigeasy@linutronix.de
  1 file changed, 11 insertions(+), 10 deletions(-)
 
 diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index 3593fa308098..30659d67daf6 100644
+index 849fc7d07107..716f521d6e3e 100644
 --- a/kernel/sched/core.c
 +++ b/kernel/sched/core.c
-@@ -6774,16 +6774,21 @@ static void sched_update_worker(struct task_struct *tsk)
+@@ -6771,16 +6771,21 @@ static void sched_update_worker(struct task_struct *tsk)
  	}
  }
  
@@ -185,7 +185,7 @@ index 3593fa308098..30659d67daf6 100644
  	sched_update_worker(tsk);
  }
  EXPORT_SYMBOL(schedule);
-@@ -6847,11 +6852,7 @@ void __sched schedule_preempt_disabled(void)
+@@ -6844,11 +6849,7 @@ void __sched schedule_preempt_disabled(void)
  #ifdef CONFIG_PREEMPT_RT
  void __sched notrace schedule_rtlock(void)
  {
@@ -201,10 +201,10 @@ index 3593fa308098..30659d67daf6 100644
 -- 
 2.45.2
 
-From 7a7ba90ec8996e601366abe90153b197d6db49bf Mon Sep 17 00:00:00 2001
+From c3c52ffe17dd2b7862968e6921f42a3777cbb2d3 Mon Sep 17 00:00:00 2001
 From: Peter Zijlstra <peterz@infradead.org>
 Date: Fri, 8 Sep 2023 18:22:51 +0200
-Subject: [PATCH 004/198] sched: Provide rt_mutex specific scheduler helpers
+Subject: [PATCH 004/200] sched: Provide rt_mutex specific scheduler helpers
 
 With PREEMPT_RT there is a rt_mutex recursion problem where
 sched_submit_work() can use an rtlock (aka spinlock_t). More
@@ -275,10 +275,10 @@ index 994c25640e15..b2b9e6eb9683 100644
   * Must hold either p->pi_lock or task_rq(p)->lock.
   */
 diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index 30659d67daf6..a1fc8d66c7ac 100644
+index 716f521d6e3e..c3dc0103e2f3 100644
 --- a/kernel/sched/core.c
 +++ b/kernel/sched/core.c
-@@ -6727,9 +6727,6 @@ static inline void sched_submit_work(struct task_struct *tsk)
+@@ -6724,9 +6724,6 @@ static inline void sched_submit_work(struct task_struct *tsk)
  	static DEFINE_WAIT_OVERRIDE_MAP(sched_map, LD_WAIT_CONFIG);
  	unsigned int task_flags;
  
@@ -288,7 +288,7 @@ index 30659d67daf6..a1fc8d66c7ac 100644
  	/*
  	 * Establish LD_WAIT_CONFIG context to ensure none of the code called
  	 * will use a blocking primitive -- which would lead to recursion.
-@@ -6787,7 +6784,12 @@ asmlinkage __visible void __sched schedule(void)
+@@ -6784,7 +6781,12 @@ asmlinkage __visible void __sched schedule(void)
  {
  	struct task_struct *tsk = current;
  
@@ -302,7 +302,7 @@ index 30659d67daf6..a1fc8d66c7ac 100644
  	__schedule_loop(SM_NONE);
  	sched_update_worker(tsk);
  }
-@@ -7048,6 +7050,32 @@ static void __setscheduler_prio(struct task_struct *p, int prio)
+@@ -7045,6 +7047,32 @@ static void __setscheduler_prio(struct task_struct *p, int prio)
  
  #ifdef CONFIG_RT_MUTEXES
  
@@ -338,10 +338,10 @@ index 30659d67daf6..a1fc8d66c7ac 100644
 -- 
 2.45.2
 
-From 47c661a4f222035595dff720718cec32db45081d Mon Sep 17 00:00:00 2001
+From 1714943dda97cac2e6f767914db38a7de60d3898 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Fri, 8 Sep 2023 18:22:52 +0200
-Subject: [PATCH 005/198] locking/rtmutex: Use rt_mutex specific scheduler
+Subject: [PATCH 005/200] locking/rtmutex: Use rt_mutex specific scheduler
  helpers
 
 Have rt_mutex use the rt_mutex specific scheduler helpers to avoid
@@ -489,7 +489,7 @@ index 25ec0239477c..c7258cb32d91 100644
  }
  
 diff --git a/kernel/locking/rwsem.c b/kernel/locking/rwsem.c
-index 9eabd585ce7a..2340b6d90ec6 100644
+index 11ed7ce6579e..62eac9fd809a 100644
 --- a/kernel/locking/rwsem.c
 +++ b/kernel/locking/rwsem.c
 @@ -1427,8 +1427,14 @@ static inline void __downgrade_write(struct rw_semaphore *sem)
@@ -529,10 +529,10 @@ index 48a19ed8486d..842037b2ba54 100644
 -- 
 2.45.2
 
-From becc250b764ffd62a9bc154c2fdc7eb4db5bba76 Mon Sep 17 00:00:00 2001
+From ef10de7e059aad3e8a44fa85060d9c89693ecba2 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Fri, 8 Sep 2023 18:22:53 +0200
-Subject: [PATCH 006/198] locking/rtmutex: Add a lockdep assert to catch
+Subject: [PATCH 006/200] locking/rtmutex: Add a lockdep assert to catch
  potential nested blocking
 
 There used to be a BUG_ON(current->pi_blocked_on) in the lock acquisition
@@ -595,10 +595,10 @@ index 842037b2ba54..38e292454fcc 100644
 -- 
 2.45.2
 
-From 5878c6faeccf08219a336d5c237936e255b4fb73 Mon Sep 17 00:00:00 2001
+From 6cde51509c49f25edd00a7b55365ef1a4c061d96 Mon Sep 17 00:00:00 2001
 From: Peter Zijlstra <peterz@infradead.org>
 Date: Fri, 15 Sep 2023 17:19:44 +0200
-Subject: [PATCH 007/198] futex/pi: Fix recursive rt_mutex waiter state
+Subject: [PATCH 007/200] futex/pi: Fix recursive rt_mutex waiter state
 
 Some new assertions pointed out that the existing code has nested rt_mutex wait
 state in the futex code.
@@ -799,10 +799,10 @@ index cba8b1a6a4cc..4c73e0b81acc 100644
 -- 
 2.45.2
 
-From 52b1044fd776051c1d929059af1429f267d67838 Mon Sep 17 00:00:00 2001
+From 54d7bb86c6afda9a4f6420dfe10f08ed7b89a9c8 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Thu, 3 Aug 2023 12:09:31 +0200
-Subject: [PATCH 008/198] signal: Add proper comment about the preempt-disable
+Subject: [PATCH 008/200] signal: Add proper comment about the preempt-disable
  in ptrace_stop().
 
 Commit 53da1d9456fe7 ("fix ptrace slowness") added a preempt-disable section
@@ -820,7 +820,7 @@ Link: https://lore.kernel.org/r/20230803100932.325870-2-bigeasy@linutronix.de
  1 file changed, 14 insertions(+), 3 deletions(-)
 
 diff --git a/kernel/signal.c b/kernel/signal.c
-index 09019017d669..051ed8114cd4 100644
+index 21903f524ef8..83865eeaadc5 100644
 --- a/kernel/signal.c
 +++ b/kernel/signal.c
 @@ -2329,10 +2329,21 @@ static int ptrace_stop(int exit_code, int why, unsigned long message,
@@ -851,10 +851,10 @@ index 09019017d669..051ed8114cd4 100644
 -- 
 2.45.2
 
-From f2930a5fc732bcdfd66cd444b8e791380ba7af20 Mon Sep 17 00:00:00 2001
+From 6eabd5ae946e572aaf30aa9db6e99cf9a165fa13 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Thu, 3 Aug 2023 12:09:32 +0200
-Subject: [PATCH 009/198] signal: Don't disable preemption in ptrace_stop() on
+Subject: [PATCH 009/200] signal: Don't disable preemption in ptrace_stop() on
  PREEMPT_RT.
 
 On PREEMPT_RT keeping preemption disabled during the invocation of
@@ -875,7 +875,7 @@ Link: https://lore.kernel.org/r/20230803100932.325870-3-bigeasy@linutronix.de
  1 file changed, 11 insertions(+), 2 deletions(-)
 
 diff --git a/kernel/signal.c b/kernel/signal.c
-index 051ed8114cd4..b71026341056 100644
+index 83865eeaadc5..9f240d9cb240 100644
 --- a/kernel/signal.c
 +++ b/kernel/signal.c
 @@ -2344,11 +2344,20 @@ static int ptrace_stop(int exit_code, int why, unsigned long message,
@@ -904,10 +904,10 @@ index 051ed8114cd4..b71026341056 100644
 -- 
 2.45.2
 
-From 5a08a1f329a9427a076d418f02dc3c4333874356 Mon Sep 17 00:00:00 2001
+From 7205a8cde8bd8e87f1c02d4f38ca4b91f40506a9 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Thu, 21 Sep 2023 16:15:12 +0200
-Subject: [PATCH 010/198] drm/amd/display: Remove migrate_en/dis from
+Subject: [PATCH 010/200] drm/amd/display: Remove migrate_en/dis from
  dc_fpu_begin().
 
 This is a revert of the commit mentioned below while it is not wrong, as
@@ -995,10 +995,10 @@ index 172aa10a8800..86f4c0e04654 100644
 -- 
 2.45.2
 
-From 4c3fdb425f420fded3011a3a658e9b6bcc8d05aa Mon Sep 17 00:00:00 2001
+From 48035cee8f31618a1500e94836463901ddf78dce Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Thu, 21 Sep 2023 16:15:13 +0200
-Subject: [PATCH 011/198] drm/amd/display: Simplify the per-CPU usage.
+Subject: [PATCH 011/200] drm/amd/display: Simplify the per-CPU usage.
 
 The fpu_recursion_depth counter is used to ensure that dc_fpu_begin()
 can be invoked multiple times while the FPU-disable function itself is
@@ -1127,10 +1127,10 @@ index 86f4c0e04654..8bd5926b47e0 100644
 -- 
 2.45.2
 
-From fdd83ac751288552335cc3ddaa248d506786a603 Mon Sep 17 00:00:00 2001
+From 3dd4f1938bceeec541d5095ad8834e5e4fe376d4 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Thu, 21 Sep 2023 16:15:14 +0200
-Subject: [PATCH 012/198] drm/amd/display: Add a warning if the FPU is used
+Subject: [PATCH 012/200] drm/amd/display: Add a warning if the FPU is used
  outside from task context.
 
 Add a warning if the FPU is used from any context other than task
@@ -1158,10 +1158,10 @@ index 8bd5926b47e0..4ae4720535a5 100644
 -- 
 2.45.2
 
-From 2f76edf899a5700ba2a03477537d9345d1f93f28 Mon Sep 17 00:00:00 2001
+From 16504f4905da1ee14eb6883b3e1ab1141ccd97b0 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Thu, 21 Sep 2023 16:15:15 +0200
-Subject: [PATCH 013/198] drm/amd/display: Move the memory allocation out of
+Subject: [PATCH 013/200] drm/amd/display: Move the memory allocation out of
  dcn21_validate_bandwidth_fp().
 
 dcn21_validate_bandwidth_fp() is invoked while FPU access has been
@@ -1254,10 +1254,10 @@ index c51badf7b68a..a81a0b9e6884 100644
 -- 
 2.45.2
 
-From 5c6816beb99f5e9237c142081d9b2475c4a77181 Mon Sep 17 00:00:00 2001
+From 78c8dde20d1982c88d3c428dc84fcbb25a337b71 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Thu, 21 Sep 2023 16:15:16 +0200
-Subject: [PATCH 014/198] drm/amd/display: Move the memory allocation out of
+Subject: [PATCH 014/200] drm/amd/display: Move the memory allocation out of
  dcn20_validate_bandwidth_fp().
 
 dcn20_validate_bandwidth_fp() is invoked while FPU access has been
@@ -1384,10 +1384,10 @@ index a81a0b9e6884..b6c34198ddc8 100644
 -- 
 2.45.2
 
-From 784ecbe84e6821d34dc5c9377f2f6acc52bac11c Mon Sep 17 00:00:00 2001
+From c3924b6f37744b4af19ce3819279c0b6b42890b3 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Mon, 15 Aug 2022 17:29:50 +0200
-Subject: [PATCH 015/198] net: Avoid the IPI to free the
+Subject: [PATCH 015/200] net: Avoid the IPI to free the
 
 skb_attempt_defer_free() collects a skbs, which was allocated on a
 remote CPU, on a per-CPU list. These skbs are either freed on that
@@ -1512,10 +1512,10 @@ index f0a9ef1aeaa2..682175af439d 100644
 -- 
 2.45.2
 
-From 28f49fcca08a84c909a65c589762c6f2a46164b1 Mon Sep 17 00:00:00 2001
+From d3b6df512dfe902f1d8348338c60e98dcdd7b769 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Wed, 7 Aug 2019 18:15:38 +0200
-Subject: [PATCH 016/198] x86: Allow to enable RT
+Subject: [PATCH 016/200] x86: Allow to enable RT
 
 Allow to select RT.
 
@@ -1540,10 +1540,10 @@ index 82d12c93feab..231e41817ea4 100644
 -- 
 2.45.2
 
-From 39bd20d22b2cb98d47c7fa93232d16f5b6c6e4ef Mon Sep 17 00:00:00 2001
+From e549b0437c804a41acecb0591ba12887411e99be Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Thu, 7 Nov 2019 17:49:20 +0100
-Subject: [PATCH 017/198] x86: Enable RT also on 32bit
+Subject: [PATCH 017/200] x86: Enable RT also on 32bit
 
 Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
@@ -1574,10 +1574,10 @@ index 231e41817ea4..fe340c07ddbf 100644
 -- 
 2.45.2
 
-From 1201b2936f9c22e15378890a7385876189804ba8 Mon Sep 17 00:00:00 2001
+From 07cb5b821c910fdb8193d0e4fbd2aca82dc49a05 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Tue, 1 Aug 2023 17:26:48 +0200
-Subject: [PATCH 018/198] sched/rt: Don't try push tasks if there are none.
+Subject: [PATCH 018/200] sched/rt: Don't try push tasks if there are none.
 
 I have a RT task X at a high priority and cyclictest on each CPU with
 lower priority than X's. If X is active and each CPU wakes their own
@@ -1637,10 +1637,10 @@ index 4ac36eb4cdee..acd1510e8d47 100644
 -- 
 2.45.2
 
-From 6e0deabcf3e0d7fb4e649a69d83b1b01f40b0ca8 Mon Sep 17 00:00:00 2001
+From 1b21c110976b90f6168e86e7bc760194bc4a7737 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Wed, 1 Dec 2021 17:41:09 +0100
-Subject: [PATCH 019/198] softirq: Use a dedicated thread for timer wakeups.
+Subject: [PATCH 019/200] softirq: Use a dedicated thread for timer wakeups.
 
 A timer/hrtimer softirq is raised in-IRQ context. With threaded
 interrupts enabled or on PREEMPT_RT this leads to waking the ksoftirqd
@@ -1870,10 +1870,10 @@ index 63a8ce7177dd..7cad6fe3c035 100644
 -- 
 2.45.2
 
-From 25b3a9dcab59c4ae59bb112617488132d5f4c757 Mon Sep 17 00:00:00 2001
+From 0a0992d76d7462ceebfafc9d57215aa3f62060d6 Mon Sep 17 00:00:00 2001
 From: Frederic Weisbecker <frederic@kernel.org>
 Date: Tue, 5 Apr 2022 03:07:51 +0200
-Subject: [PATCH 020/198] rcutorture: Also force sched priority to timersd on
+Subject: [PATCH 020/200] rcutorture: Also force sched priority to timersd on
  boosting test.
 
 ksoftirqd is statically boosted to the priority level right above the
@@ -1950,10 +1950,10 @@ index 0e43058c2e58..63e8b9ad2727 100644
 -- 
 2.45.2
 
-From 8358e66346b242dd77fa90e2573b2353f703ac1a Mon Sep 17 00:00:00 2001
+From 7f4ecc8e16a895bbb0f10d6d72f819152b613e10 Mon Sep 17 00:00:00 2001
 From: Frederic Weisbecker <frederic@kernel.org>
 Date: Tue, 5 Apr 2022 03:07:52 +0200
-Subject: [PATCH 021/198] tick: Fix timer storm since introduction of timersd
+Subject: [PATCH 021/200] tick: Fix timer storm since introduction of timersd
 
 If timers are pending while the tick is reprogrammed on nohz_mode, the
 next expiry is not armed to fire now, it is delayed one jiffy forward
@@ -2065,10 +2065,10 @@ index 55cbc49f70d1..1a0ed106b192 100644
 -- 
 2.45.2
 
-From ad779ee4173626fb8db3d41de23ec3d6aad50778 Mon Sep 17 00:00:00 2001
+From e14b37b3ae0c307ce0b833eb4ccab314beb2a8bf Mon Sep 17 00:00:00 2001
 From: Junxiao Chang <junxiao.chang@intel.com>
 Date: Mon, 20 Feb 2023 09:12:20 +0100
-Subject: [PATCH 022/198] softirq: Wake ktimers thread also in softirq.
+Subject: [PATCH 022/200] softirq: Wake ktimers thread also in softirq.
 
 If the hrtimer is raised while a softirq is processed then it does not
 wake the corresponding ktimers thread. This is due to the optimisation in the
@@ -2114,10 +2114,10 @@ index 65477d8e00af..ea6198bf64e0 100644
 -- 
 2.45.2
 
-From 1041e73d56b76f835febaa671067e4ef995a1d48 Mon Sep 17 00:00:00 2001
+From 076ad72e50ed0c20311ba6dd11b5814c113b2e46 Mon Sep 17 00:00:00 2001
 From: Mike Galbraith <umgwanakikbuti@gmail.com>
 Date: Thu, 31 Mar 2016 04:08:28 +0200
-Subject: [PATCH 023/198] zram: Replace bit spinlocks with spinlock_t for
+Subject: [PATCH 023/200] zram: Replace bit spinlocks with spinlock_t for
  PREEMPT_RT.
 
 The bit spinlock disables preemption. The spinlock_t lock becomes a sleeping
@@ -2216,10 +2216,10 @@ index ca7a15bd4845..e64eb607eb45 100644
 -- 
 2.45.2
 
-From fb50b3cd61b5c1a86926df37082588760f7c3898 Mon Sep 17 00:00:00 2001
+From b2df669c653f2acb7afd5af4509574bcb1fe126f Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Wed, 8 Mar 2023 16:29:38 +0100
-Subject: [PATCH 024/198] preempt: Put preempt_enable() within an
+Subject: [PATCH 024/200] preempt: Put preempt_enable() within an
  instrumentation*() section.
 
 Callers of preempt_enable() can be within an noinstr section leading to:
@@ -2268,10 +2268,10 @@ index 9aa6358a1a16..cd16f0330fba 100644
 -- 
 2.45.2
 
-From 9d9edbebc4d86ba66bdd644ce3e15b480870356e Mon Sep 17 00:00:00 2001
+From cb6aa9b55149e7c01ef15c45c09a3873376a0d2b Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Fri, 4 Aug 2023 13:30:37 +0200
-Subject: [PATCH 025/198] sched/core: Provide a method to check if a task is
+Subject: [PATCH 025/200] sched/core: Provide a method to check if a task is
  PI-boosted.
 
 Provide a method to check if a task inherited the priority from another
@@ -2301,10 +2301,10 @@ index 67623ffd4a8e..eab173e5d09b 100644
  extern void set_user_nice(struct task_struct *p, long nice);
  extern int task_prio(const struct task_struct *p);
 diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index a1fc8d66c7ac..b917a854ac50 100644
+index c3dc0103e2f3..fb30aad3c1b6 100644
 --- a/kernel/sched/core.c
 +++ b/kernel/sched/core.c
-@@ -8926,6 +8926,21 @@ static inline void preempt_dynamic_init(void) { }
+@@ -8923,6 +8923,21 @@ static inline void preempt_dynamic_init(void) { }
  
  #endif /* #ifdef CONFIG_PREEMPT_DYNAMIC */
  
@@ -2329,10 +2329,10 @@ index a1fc8d66c7ac..b917a854ac50 100644
 -- 
 2.45.2
 
-From bccda658a9d2b65ee5349a32713d72a3add684d3 Mon Sep 17 00:00:00 2001
+From 1093748bae3b49d27d22a711a359cc040cc48a9e Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Fri, 4 Aug 2023 13:30:38 +0200
-Subject: [PATCH 026/198] softirq: Add function to preempt serving softirqs.
+Subject: [PATCH 026/200] softirq: Add function to preempt serving softirqs.
 
 Add a functionality for the softirq handler to preempt its current work
 if needed. The softirq core has no particular state. It reads and resets
@@ -2396,10 +2396,10 @@ index ea6198bf64e0..2fde8af88e48 100644
 -- 
 2.45.2
 
-From 7544ba59a63387fff1399f275bafa6e62dcc477a Mon Sep 17 00:00:00 2001
+From 8330f8203d8688bb5ad6d4b8570f71680f4905eb Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Fri, 4 Aug 2023 13:30:39 +0200
-Subject: [PATCH 027/198] time: Allow to preempt after a callback.
+Subject: [PATCH 027/200] time: Allow to preempt after a callback.
 
 The TIMER_SOFTIRQ handler invokes timer callbacks of the expired timers.
 Before each invocation the timer_base::lock is dropped. The only lock
@@ -2448,10 +2448,10 @@ index 7cad6fe3c035..b3fbe97d1e34 100644
 -- 
 2.45.2
 
-From dc6f98f045a227ed1801c138b8c359fcf2161c6f Mon Sep 17 00:00:00 2001
+From 6cbb174a00cb86a0004e040c59f3cdc9e232d448 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:19 +0206
-Subject: [PATCH 028/198] serial: core: Use lock wrappers
+Subject: [PATCH 028/200] serial: core: Use lock wrappers
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -2546,10 +2546,10 @@ index 052df85dfd59..71d925e8a79b 100644
 -- 
 2.45.2
 
-From e2c7193b5cea8fae0f9cbb09c7bc8fe0b44616fc Mon Sep 17 00:00:00 2001
+From 6a0973155e66e0c794a9d4b836231cef07146ffc Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:20 +0206
-Subject: [PATCH 029/198] serial: 21285: Use port lock wrappers
+Subject: [PATCH 029/200] serial: 21285: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -2626,10 +2626,10 @@ index d756fcc884cb..4de0c975ebdc 100644
 -- 
 2.45.2
 
-From 8ad67e08d1c49dd5a16778bc7f745db464dd1ff9 Mon Sep 17 00:00:00 2001
+From deeff9a4358ee6cf3b3c8c3fec09417829e1adf6 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:21 +0206
-Subject: [PATCH 030/198] serial: 8250_aspeed_vuart: Use port lock wrappers
+Subject: [PATCH 030/200] serial: 8250_aspeed_vuart: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -2692,10 +2692,10 @@ index 4a9e71b2dbbc..021949f252f8 100644
 -- 
 2.45.2
 
-From 381bdf601002208af45993ba23c5f4f0a07102da Mon Sep 17 00:00:00 2001
+From 194f8956ecc544192307e5c83848dc67aad1ba48 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:22 +0206
-Subject: [PATCH 031/198] serial: 8250_bcm7271: Use port lock wrappers
+Subject: [PATCH 031/200] serial: 8250_bcm7271: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -2848,10 +2848,10 @@ index 9afd5979c9e0..db23b3a02aef 100644
 -- 
 2.45.2
 
-From 50316ba5bcec8390673d644dcea5ced8efc20e80 Mon Sep 17 00:00:00 2001
+From f75ca1ee70d313783e05ce32e588ca41c1b710bf Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:23 +0206
-Subject: [PATCH 032/198] serial: 8250: Use port lock wrappers
+Subject: [PATCH 032/200] serial: 8250: Use port lock wrappers
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -3320,10 +3320,10 @@ index a17803da83f8..cba5a1b1030f 100644
 -- 
 2.45.2
 
-From 314833797d39e82094b4ee7fa948f948c6489297 Mon Sep 17 00:00:00 2001
+From 407885d0e92f662c65b27fe9c6a8bb13feeb2a6a Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:24 +0206
-Subject: [PATCH 033/198] serial: 8250_dma: Use port lock wrappers
+Subject: [PATCH 033/200] serial: 8250_dma: Use port lock wrappers
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -3405,10 +3405,10 @@ index 7fa66501792d..8b30ca8fdd3f 100644
 -- 
 2.45.2
 
-From fa5371344d6542ebf17e32045de276233e863336 Mon Sep 17 00:00:00 2001
+From b53a2e919c22d5f7a214a068bf3262716b01e429 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:25 +0206
-Subject: [PATCH 034/198] serial: 8250_dw: Use port lock wrappers
+Subject: [PATCH 034/200] serial: 8250_dw: Use port lock wrappers
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -3479,10 +3479,10 @@ index 8aed33be2ebf..5367bcc6256c 100644
 -- 
 2.45.2
 
-From 4dffbffa93a0799cf70cfe1e0d4a9f04a2be8e1e Mon Sep 17 00:00:00 2001
+From f69add349f4fb4293bee743ba58c51e5bfe52477 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:26 +0206
-Subject: [PATCH 035/198] serial: 8250_exar: Use port lock wrappers
+Subject: [PATCH 035/200] serial: 8250_exar: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -3536,10 +3536,10 @@ index 27430fdd9e76..17be6ad24a0f 100644
 -- 
 2.45.2
 
-From e472ed2a86c3a82be365e2518cbf5e1a65302de1 Mon Sep 17 00:00:00 2001
+From c1c6f640c501e1c7edff13e70dec543da53b619f Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:27 +0206
-Subject: [PATCH 036/198] serial: 8250_fsl: Use port lock wrappers
+Subject: [PATCH 036/200] serial: 8250_fsl: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -3604,10 +3604,10 @@ index 6af4e1c1210a..f522eb5026c9 100644
 -- 
 2.45.2
 
-From 64a67d8fd984925c4c2ac95915ac588785489068 Mon Sep 17 00:00:00 2001
+From 697e639468793562ed658f3c79eb26662178e439 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:28 +0206
-Subject: [PATCH 037/198] serial: 8250_mtk: Use port lock wrappers
+Subject: [PATCH 037/200] serial: 8250_mtk: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -3686,10 +3686,10 @@ index 28f9a2679a20..33699e86eb52 100644
 -- 
 2.45.2
 
-From fa07e5d2a2e5b74df2854f9f03902e2979de91b5 Mon Sep 17 00:00:00 2001
+From 5102b1b22dd8465e266c8d83a3084969104c1bb9 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:29 +0206
-Subject: [PATCH 038/198] serial: 8250_omap: Use port lock wrappers
+Subject: [PATCH 038/200] serial: 8250_omap: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -3927,10 +3927,10 @@ index 8f472a2080ff..78fc1f17d5e2 100644
 -- 
 2.45.2
 
-From 68c0029368c25a091dc1e4f244ac8b6b8c48cf36 Mon Sep 17 00:00:00 2001
+From 17dbdf19ef2c3a2432e801de5abd82159adfc584 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:30 +0206
-Subject: [PATCH 039/198] serial: 8250_pci1xxxx: Use port lock wrappers
+Subject: [PATCH 039/200] serial: 8250_pci1xxxx: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -3998,10 +3998,10 @@ index a3b25779d921..53e238c8cc89 100644
 -- 
 2.45.2
 
-From 5f99a8e9ff4f540658db19dccb72461aeb094751 Mon Sep 17 00:00:00 2001
+From 42e5a7eb488557ac2859b9700825bc1fa0696aab Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:31 +0206
-Subject: [PATCH 040/198] serial: altera_jtaguart: Use port lock wrappers
+Subject: [PATCH 040/200] serial: altera_jtaguart: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -4136,10 +4136,10 @@ index 5fab4c978891..7090b251dd4d 100644
 -- 
 2.45.2
 
-From 26f1483ba079e1a4b9912b3ca9b6cfcae318e97c Mon Sep 17 00:00:00 2001
+From 5d770ede444d189adb4a6d958845ea18806f5c1d Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:32 +0206
-Subject: [PATCH 041/198] serial: altera_uart: Use port lock wrappers
+Subject: [PATCH 041/200] serial: altera_uart: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -4257,10 +4257,10 @@ index a9c41942190c..77835ac68df2 100644
 -- 
 2.45.2
 
-From 807e3fde8e7ea4d30a4d09c0e37fb6a3872ec98c Mon Sep 17 00:00:00 2001
+From 30e8000f988f780c233dda43feb29d47c6a398cd Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:33 +0206
-Subject: [PATCH 042/198] serial: amba-pl010: Use port lock wrappers
+Subject: [PATCH 042/200] serial: amba-pl010: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -4374,10 +4374,10 @@ index b5a7404cbacb..eabbf8afc9b5 100644
 -- 
 2.45.2
 
-From 326c823920e940c719bccd034588dbb5fd04119f Mon Sep 17 00:00:00 2001
+From b7f2ca09de1493231eb95b80e69d90112c70dd21 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:34 +0206
-Subject: [PATCH 043/198] serial: amba-pl011: Use port lock wrappers
+Subject: [PATCH 043/200] serial: amba-pl011: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -4706,10 +4706,10 @@ index 362bbcdece0d..16c770311069 100644
 -- 
 2.45.2
 
-From 5cbacce44b2e7bd8267f148a7d7dd5e2398e6933 Mon Sep 17 00:00:00 2001
+From e20d1732179f80b9884d1487de0665b693e1da13 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:35 +0206
-Subject: [PATCH 044/198] serial: apb: Use port lock wrappers
+Subject: [PATCH 044/200] serial: apb: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -4787,10 +4787,10 @@ index d3cb341f2c55..364599f256db 100644
 -- 
 2.45.2
 
-From 520f47750889e1db940cc8163a4d682e24e8b5e0 Mon Sep 17 00:00:00 2001
+From a8ec3d1c3b1e39276d58d612211e05a02ff0490f Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:36 +0206
-Subject: [PATCH 045/198] serial: ar933x: Use port lock wrappers
+Subject: [PATCH 045/200] serial: ar933x: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -4936,10 +4936,10 @@ index 924c1a89347c..ffd234673177 100644
 -- 
 2.45.2
 
-From b1eb93b3f0e92343dabfb3cac87aea802b10a76e Mon Sep 17 00:00:00 2001
+From b1a800ad483c7561bc9fb462d0ccdb57c65ac5ad Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:37 +0206
-Subject: [PATCH 046/198] serial: arc_uart: Use port lock wrappers
+Subject: [PATCH 046/200] serial: arc_uart: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -5038,10 +5038,10 @@ index ad4ae19b6ce3..1aa5b2b49c26 100644
 -- 
 2.45.2
 
-From dbdfb4d553e17aad3306df5ada6aed543902ffd8 Mon Sep 17 00:00:00 2001
+From ac45992a88e13249acde64b0ac9de187761a0d01 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:38 +0206
-Subject: [PATCH 047/198] serial: atmel: Use port lock wrappers
+Subject: [PATCH 047/200] serial: atmel: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -5162,10 +5162,10 @@ index 88cdafa5ac54..1946fafc3f3e 100644
 -- 
 2.45.2
 
-From d7c89cdecea57eb08ae835680247c85c847e7f03 Mon Sep 17 00:00:00 2001
+From 1eb0468843659f1f21000733fc4c62d642625111 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:39 +0206
-Subject: [PATCH 048/198] serial: bcm63xx-uart: Use port lock wrappers
+Subject: [PATCH 048/200] serial: bcm63xx-uart: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -5295,10 +5295,10 @@ index 44c27e5cefbc..b104c36ce5c0 100644
 -- 
 2.45.2
 
-From 7939829f66d9be135638873b1631d22e9afd66c8 Mon Sep 17 00:00:00 2001
+From d816749abf87690b8b20743c6984a4d1137e27ba Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:40 +0206
-Subject: [PATCH 049/198] serial: cpm_uart: Use port lock wrappers
+Subject: [PATCH 049/200] serial: cpm_uart: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -5370,10 +5370,10 @@ index 626423022d62..be4af6eda4c2 100644
 -- 
 2.45.2
 
-From dc3ca8bd123eafe6d6478be8419c949028699458 Mon Sep 17 00:00:00 2001
+From 39904d1806d20a7aadc74d6797d28e95b2787ab2 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:41 +0206
-Subject: [PATCH 050/198] serial: digicolor: Use port lock wrappers
+Subject: [PATCH 050/200] serial: digicolor: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -5488,10 +5488,10 @@ index 128b5479e813..5004125f3045 100644
 -- 
 2.45.2
 
-From d56493c1c9f4a00dfb73d1d1941b12a027355c6c Mon Sep 17 00:00:00 2001
+From 5a8503bc22339f64c1c53f8e6c461685d5ad7137 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:42 +0206
-Subject: [PATCH 051/198] serial: dz: Use port lock wrappers
+Subject: [PATCH 051/200] serial: dz: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -5654,10 +5654,10 @@ index 667f52e83277..6df7af9edc1c 100644
 -- 
 2.45.2
 
-From 01f7d132be4d5db1de1ad52452e1fa4608ddb10c Mon Sep 17 00:00:00 2001
+From 988cd7c9d13381daba433d0b0ae01cafe08f4798 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:43 +0206
-Subject: [PATCH 052/198] serial: linflexuart: Use port lock wrappers
+Subject: [PATCH 052/200] serial: linflexuart: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -5802,10 +5802,10 @@ index 249cb380c3c6..7fa809a405e8 100644
 -- 
 2.45.2
 
-From 9e7d91947dbe8d5042f318ee36e48d5c0ad52bd1 Mon Sep 17 00:00:00 2001
+From 563ebb00c3ca6553f80f3fd3068977e277b25515 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:44 +0206
-Subject: [PATCH 053/198] serial: fsl_lpuart: Use port lock wrappers
+Subject: [PATCH 053/200] serial: fsl_lpuart: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -6196,10 +6196,10 @@ index 385b41275e8b..71d0cbd74807 100644
 -- 
 2.45.2
 
-From b652e8f5616ee1e082042902321f653379506adf Mon Sep 17 00:00:00 2001
+From 0f3ab0dac8b067770206dec4b92873e7095131c6 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:45 +0206
-Subject: [PATCH 054/198] serial: icom: Use port lock wrappers
+Subject: [PATCH 054/200] serial: icom: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -6352,10 +6352,10 @@ index 819f957b6b84..a75eafbcbea3 100644
 -- 
 2.45.2
 
-From 5622eda3f180f387906eb54fa523632e30cc2f65 Mon Sep 17 00:00:00 2001
+From c4a77c8c6b8486697fbed0702ee80e8e49d03124 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:46 +0206
-Subject: [PATCH 055/198] serial: imx: Use port lock wrappers
+Subject: [PATCH 055/200] serial: imx: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -6711,10 +6711,10 @@ index a5d0df2ba5c5..267c9af4bd53 100644
 -- 
 2.45.2
 
-From bab67fac0cd89450de2f7fa43c16fbb431fd1599 Mon Sep 17 00:00:00 2001
+From d0590362c06b701fb827e819a69e90df87a6fd52 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:47 +0206
-Subject: [PATCH 056/198] serial: ip22zilog: Use port lock wrappers
+Subject: [PATCH 056/200] serial: ip22zilog: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -6901,10 +6901,10 @@ index 845ff706bc59..320b29cd4683 100644
 -- 
 2.45.2
 
-From a6264fd16c3812e7e44bfe57430bb1357c7013db Mon Sep 17 00:00:00 2001
+From 803d740abf601e7338425818456ca4364bafefa1 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:48 +0206
-Subject: [PATCH 057/198] serial: jsm: Use port lock wrappers
+Subject: [PATCH 057/200] serial: jsm: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -7032,10 +7032,10 @@ index 222afc270c88..ce0fef7e2c66 100644
 -- 
 2.45.2
 
-From 867ccf81e8bee801e92b84a3ddc671e0d2e731c2 Mon Sep 17 00:00:00 2001
+From 87ea771fb92e18a46a76b14f773b7d14b39b541f Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:49 +0206
-Subject: [PATCH 058/198] serial: liteuart: Use port lock wrappers
+Subject: [PATCH 058/200] serial: liteuart: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -7147,10 +7147,10 @@ index d881cdd2a58f..a25ab1efe38f 100644
 -- 
 2.45.2
 
-From cdc6f2159b958a69583728cf999e057877641e04 Mon Sep 17 00:00:00 2001
+From e71a29106098d034f72fbfd9f305b39d1061656c Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:50 +0206
-Subject: [PATCH 059/198] serial: lpc32xx_hs: Use port lock wrappers
+Subject: [PATCH 059/200] serial: lpc32xx_hs: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -7300,10 +7300,10 @@ index b38fe4728c26..5149a947b7fe 100644
 -- 
 2.45.2
 
-From 6b8e3f8cc8b04d1e6dd6ab8d1a308051dc67fdcd Mon Sep 17 00:00:00 2001
+From b78d6c9bff8c679c381526ff529e8e9b19f7b59f Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:51 +0206
-Subject: [PATCH 060/198] serial: ma35d1: Use port lock wrappers
+Subject: [PATCH 060/200] serial: ma35d1: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -7422,10 +7422,10 @@ index 99225f1e02ac..faccd772c68c 100644
 -- 
 2.45.2
 
-From d404880201d0480eb6e2a45871db4198e69211ba Mon Sep 17 00:00:00 2001
+From d7cf2bde4b3aa96ec719e3494e97013ef453b54a Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:52 +0206
-Subject: [PATCH 061/198] serial: mcf: Use port lock wrappers
+Subject: [PATCH 061/200] serial: mcf: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -7554,10 +7554,10 @@ index aea29b4e6567..ee40af20a08f 100644
 -- 
 2.45.2
 
-From 61442a339049e918828976c2b05d38f1dd302e03 Mon Sep 17 00:00:00 2001
+From 1ff623adf2fe448750b673413099670ae19e8e8f Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:53 +0206
-Subject: [PATCH 062/198] serial: men_z135_uart: Use port lock wrappers
+Subject: [PATCH 062/200] serial: men_z135_uart: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -7635,10 +7635,10 @@ index d2502aaa3e8c..8048fa542fc4 100644
 -- 
 2.45.2
 
-From 65ec6b9c2af0816f4c35729a4e8174e64ad71425 Mon Sep 17 00:00:00 2001
+From 15a6b799e3c4ebdcaec51a530c58a747e3948ccd Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:54 +0206
-Subject: [PATCH 063/198] serial: meson: Use port lock wrappers
+Subject: [PATCH 063/200] serial: meson: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -7808,10 +7808,10 @@ index 9388b9ddea3b..4c1d2089a0bb 100644
 -- 
 2.45.2
 
-From 0f41cd656f9c2475a8ca17c9b2b66014040fe086 Mon Sep 17 00:00:00 2001
+From ba7be5d2c8fd68ef39507d76b4075875c944f0cf Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:55 +0206
-Subject: [PATCH 064/198] serial: milbeaut_usio: Use port lock wrappers
+Subject: [PATCH 064/200] serial: milbeaut_usio: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -7914,10 +7914,10 @@ index 70a910085e93..db3b81f2aa57 100644
 -- 
 2.45.2
 
-From ab7346defef58e74368a9e27264b1b9092386b26 Mon Sep 17 00:00:00 2001
+From 69b4c829c70cb28fc9756bbee6988c64eebcf881 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:56 +0206
-Subject: [PATCH 065/198] serial: mpc52xx: Use port lock wrappers
+Subject: [PATCH 065/200] serial: mpc52xx: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -8008,10 +8008,10 @@ index 916507b8f31d..a252465e745f 100644
 -- 
 2.45.2
 
-From 3eabbf5baa1a628c0fb6868faf85324b68f16680 Mon Sep 17 00:00:00 2001
+From 522d4cf4fd7570e943aace69bd519c33bbcf3187 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:57 +0206
-Subject: [PATCH 066/198] serial: mps2-uart: Use port lock wrappers
+Subject: [PATCH 066/200] serial: mps2-uart: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -8116,10 +8116,10 @@ index ea5a7911cb15..2a4c09f3a834 100644
 -- 
 2.45.2
 
-From 7de20b93641976fbb5927a38ae0f09f7bde542b3 Mon Sep 17 00:00:00 2001
+From 16f935db44f676cef53c42f1e892d4d04c0a8029 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:58 +0206
-Subject: [PATCH 067/198] serial: msm: Use port lock wrappers
+Subject: [PATCH 067/200] serial: msm: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -8306,10 +8306,10 @@ index 90953e679e38..597264b546fd 100644
 -- 
 2.45.2
 
-From 2d8d3c3254df091493ef6b5b52ff02f63975d545 Mon Sep 17 00:00:00 2001
+From a66fb666a8f6237453a5617d664da08a6398f9df Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:43:59 +0206
-Subject: [PATCH 068/198] serial: mvebu-uart: Use port lock wrappers
+Subject: [PATCH 068/200] serial: mvebu-uart: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -8419,10 +8419,10 @@ index ea924e9b913b..0255646bc175 100644
 -- 
 2.45.2
 
-From b66d723115470873668d8afdeeaf8a042b3ee57d Mon Sep 17 00:00:00 2001
+From 4ffa7508d4399b2d555306c60e19dc61f565366a Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:00 +0206
-Subject: [PATCH 069/198] serial: omap: Use port lock wrappers
+Subject: [PATCH 069/200] serial: omap: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -8604,10 +8604,10 @@ index 135a838f517a..f4c6ff806465 100644
 -- 
 2.45.2
 
-From d7bf0c3b207d0c89086daa54be1fa083b1e64129 Mon Sep 17 00:00:00 2001
+From 9630af7ff10cc55d6e0858045d11f9d0825e7ded Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:01 +0206
-Subject: [PATCH 070/198] serial: owl: Use port lock wrappers
+Subject: [PATCH 070/200] serial: owl: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -8756,10 +8756,10 @@ index e99970a9437f..919f5e5aa0f1 100644
 -- 
 2.45.2
 
-From 11bb2f75afb30abeb0187bb503f121ebd6dd9912 Mon Sep 17 00:00:00 2001
+From e6a14428f084ac31998f206353bb23e6e1bdb46e Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:02 +0206
-Subject: [PATCH 071/198] serial: pch: Use port lock wrappers
+Subject: [PATCH 071/200] serial: pch: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -8841,10 +8841,10 @@ index cc83b772b7ca..436cc6d52a11 100644
 -- 
 2.45.2
 
-From eb264628c792288ba7d96e3716d4756d1d398f1a Mon Sep 17 00:00:00 2001
+From d23f03c0e7171f2eee1c1d48fa96b7aa987a396e Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:03 +0206
-Subject: [PATCH 072/198] serial: pic32: Use port lock wrappers
+Subject: [PATCH 072/200] serial: pic32: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -8964,10 +8964,10 @@ index e308d5022b3f..3a95bf5d55d3 100644
 -- 
 2.45.2
 
-From 1da8eff18364ec31321b1c71a44337c51595e5ac Mon Sep 17 00:00:00 2001
+From 19e7a91c43af31661bd8a489bdf4afebf3f32b3a Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:04 +0206
-Subject: [PATCH 073/198] serial: pmac_zilog: Use port lock wrappers
+Subject: [PATCH 073/200] serial: pmac_zilog: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -9201,10 +9201,10 @@ index 29bc80d39e8b..77691fbbf779 100644
 -- 
 2.45.2
 
-From 07235aa11ddcfa82ff63db7b9a794a34eddaaa31 Mon Sep 17 00:00:00 2001
+From b8c3a70617575cb2af23756598252c8c32bcd963 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:05 +0206
-Subject: [PATCH 074/198] serial: pxa: Use port lock wrappers
+Subject: [PATCH 074/200] serial: pxa: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -9356,10 +9356,10 @@ index 73c60f5ea027..46e70e155aab 100644
 -- 
 2.45.2
 
-From 0ee8c9e28303091fa43985f8b6bc9dbff54c1e92 Mon Sep 17 00:00:00 2001
+From b44dfb541c91e86c799d9dbaa894ba78ce0ef3f4 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:06 +0206
-Subject: [PATCH 075/198] serial: qcom-geni: Use port lock wrappers
+Subject: [PATCH 075/200] serial: qcom-geni: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -9432,10 +9432,10 @@ index 2e1b1c827dfe..549909644011 100644
 -- 
 2.45.2
 
-From f66ed466762e383a0455e80b1c24e864e377d19a Mon Sep 17 00:00:00 2001
+From e6264d9a7b7c1601bd9e4060d57d061a7e139ebd Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:07 +0206
-Subject: [PATCH 076/198] serial: rda: Use port lock wrappers
+Subject: [PATCH 076/200] serial: rda: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -9614,10 +9614,10 @@ index be5c842b5ba9..d824c8318f33 100644
 -- 
 2.45.2
 
-From bedfddc79500d29bb38b6dd13317800e2d3bf32d Mon Sep 17 00:00:00 2001
+From 9207d4797a8d766b4b58e0b569fd9f948528ee1b Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:08 +0206
-Subject: [PATCH 077/198] serial: rp2: Use port lock wrappers
+Subject: [PATCH 077/200] serial: rp2: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -9733,10 +9733,10 @@ index de220ac8ca54..d46a81cddfcd 100644
 -- 
 2.45.2
 
-From 93a14f4cacfa2455e21289ba10dfc1ebea49d949 Mon Sep 17 00:00:00 2001
+From 8808aaf47fd6a44edcbedbeff2893b9db7e2dbfc Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:09 +0206
-Subject: [PATCH 078/198] serial: sa1100: Use port lock wrappers
+Subject: [PATCH 078/200] serial: sa1100: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -9855,10 +9855,10 @@ index ad011f1e2f4d..be7bcd75d9f4 100644
 -- 
 2.45.2
 
-From 0fc0fd7105c6876ad84223a6ce14254fee175558 Mon Sep 17 00:00:00 2001
+From 4fd995130780452e1048a7076b985e98108ed162 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:10 +0206
-Subject: [PATCH 079/198] serial: samsung_tty: Use port lock wrappers
+Subject: [PATCH 079/200] serial: samsung_tty: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -10105,10 +10105,10 @@ index 5a4d88e13471..a82b65155f6e 100644
 -- 
 2.45.2
 
-From 3c6595e1a5af883c7331756a0d0ce44f0c2961d4 Mon Sep 17 00:00:00 2001
+From f5019cd64ad069f4fea2e33bbe0cb830f95c90b2 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:11 +0206
-Subject: [PATCH 080/198] serial: sb1250-duart: Use port lock wrappers
+Subject: [PATCH 080/200] serial: sb1250-duart: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -10195,10 +10195,10 @@ index f3cd69346482..dbec29d9a6c3 100644
 -- 
 2.45.2
 
-From 0b3b1c5e5b69f5a7f501df75614127265a8d44c3 Mon Sep 17 00:00:00 2001
+From b5cc3f79e02cfd3b64ada374fc5ef957ed54c598 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:12 +0206
-Subject: [PATCH 081/198] serial: sc16is7xx: Use port lock wrappers
+Subject: [PATCH 081/200] serial: sc16is7xx: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -10259,10 +10259,10 @@ index 7a9924d9b294..be9ae5cdd1b8 100644
 -- 
 2.45.2
 
-From b26a19c3bd1838c848f281625369373e4586792b Mon Sep 17 00:00:00 2001
+From 218e0456d267a57fdd8b9f187c714131d7b74aeb Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:13 +0206
-Subject: [PATCH 082/198] serial: tegra: Use port lock wrappers
+Subject: [PATCH 082/200] serial: tegra: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -10440,10 +10440,10 @@ index d4ec943cb8e9..6d4006b41975 100644
 -- 
 2.45.2
 
-From de7c394c671e7cd55e213f66dd2af40ab846a61e Mon Sep 17 00:00:00 2001
+From ffc8ac5c464f07c9a1a84ce2a116b051c0cdc88f Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:14 +0206
-Subject: [PATCH 083/198] serial: core: Use port lock wrappers
+Subject: [PATCH 083/200] serial: core: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -10817,10 +10817,10 @@ index 469ad26cde48..66fd117d8aea 100644
 -- 
 2.45.2
 
-From b2c1c69560d20f29d7d48ffd748787fcbe53000b Mon Sep 17 00:00:00 2001
+From 2c0cc57ae4876f3df16985b86f28d59cd6debfa1 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:15 +0206
-Subject: [PATCH 084/198] serial: mctrl_gpio: Use port lock wrappers
+Subject: [PATCH 084/200] serial: mctrl_gpio: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -10880,10 +10880,10 @@ index 7d5aaa8d422b..e51ca593ab86 100644
 -- 
 2.45.2
 
-From 224958fabb33d48d3d8e52256679d672a80bd921 Mon Sep 17 00:00:00 2001
+From b5642ee52fdd93a6e173a0dabfcf97d9a8ba4dde Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:16 +0206
-Subject: [PATCH 085/198] serial: txx9: Use port lock wrappers
+Subject: [PATCH 085/200] serial: txx9: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -11019,10 +11019,10 @@ index be08fb6f749c..eaa980722455 100644
 -- 
 2.45.2
 
-From 4f63b9b7949b084b68538891888f7497ce6a9bb6 Mon Sep 17 00:00:00 2001
+From 020380b4581e4187bff0017090c72ba499cbfa38 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:17 +0206
-Subject: [PATCH 086/198] serial: sh-sci: Use port lock wrappers
+Subject: [PATCH 086/200] serial: sh-sci: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -11326,10 +11326,10 @@ index f793624fd501..2559c97812fa 100644
 -- 
 2.45.2
 
-From 304c31dbcb6882ac3ae4ea1f2857b3ab68cbba93 Mon Sep 17 00:00:00 2001
+From e6b65d1896362ed26dfbea30987d73f5fd86caa0 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:18 +0206
-Subject: [PATCH 087/198] serial: sifive: Use port lock wrappers
+Subject: [PATCH 087/200] serial: sifive: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -11433,10 +11433,10 @@ index d195c5de52e7..b296e57a9dee 100644
 -- 
 2.45.2
 
-From 163283eb17a4b95c35be18b4df3a2b7a71042c9a Mon Sep 17 00:00:00 2001
+From a1a589e37b39856371330f63a20174551a353690 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:19 +0206
-Subject: [PATCH 088/198] serial: sprd: Use port lock wrappers
+Subject: [PATCH 088/200] serial: sprd: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -11600,10 +11600,10 @@ index f328fa57231f..f257525f9299 100644
 -- 
 2.45.2
 
-From b1ab8a1a129b9022dc3849645a51d98518384d86 Mon Sep 17 00:00:00 2001
+From d4f04d84765da040038e860c3a96e1bdfe6ca8fa Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:20 +0206
-Subject: [PATCH 089/198] serial: st-asc: Use port lock wrappers
+Subject: [PATCH 089/200] serial: st-asc: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -11715,10 +11715,10 @@ index 92b9f6894006..a821f5d76a26 100644
 -- 
 2.45.2
 
-From 0d825ae01c3e1a17ef37c1bd65116d457ec63ff5 Mon Sep 17 00:00:00 2001
+From 84fda6abeb7a2e37782a18bae510087671cdc2ce Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:21 +0206
-Subject: [PATCH 090/198] serial: stm32: Use port lock wrappers
+Subject: [PATCH 090/200] serial: stm32: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -11905,10 +11905,10 @@ index 9ef90bb30a47..b963f9ccb070 100644
 -- 
 2.45.2
 
-From 1a80c5aedf022ca8dcbe34f8c1b7527ab58b16d7 Mon Sep 17 00:00:00 2001
+From 9a5e83c5d454e487c6d6e325b794fcffa0a77023 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:22 +0206
-Subject: [PATCH 091/198] serial: sunhv: Use port lock wrappers
+Subject: [PATCH 091/200] serial: sunhv: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -12059,10 +12059,10 @@ index c671d674bce4..5bfc0040f17b 100644
 -- 
 2.45.2
 
-From 0306e83c5dc0f2d941e8752057efa488cafcae6c Mon Sep 17 00:00:00 2001
+From d9343dc401de8427e23aa17f0604eadb46ef7be0 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:23 +0206
-Subject: [PATCH 092/198] serial: sunplus-uart: Use port lock wrappers
+Subject: [PATCH 092/200] serial: sunplus-uart: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -12210,10 +12210,10 @@ index 3aacd5eb414c..4251f4e1ba99 100644
 -- 
 2.45.2
 
-From bb65033edbfa28b4ff736912d09b109ddb5bcab2 Mon Sep 17 00:00:00 2001
+From 95a1aa19ffc2b58bd4746574c2c29a9250db5010 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:24 +0206
-Subject: [PATCH 093/198] serial: sunsab: Use port lock wrappers
+Subject: [PATCH 093/200] serial: sunsab: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -12391,10 +12391,10 @@ index 40eeaf835bba..6aa51a6f8063 100644
 -- 
 2.45.2
 
-From 48a810b1d03c97965d1a611f2147b282527b4b7d Mon Sep 17 00:00:00 2001
+From 8a9705c95c0cc2bdf434e8ffc655f93b009d7ab2 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:25 +0206
-Subject: [PATCH 094/198] serial: sunsu: Use port lock wrappers
+Subject: [PATCH 094/200] serial: sunsu: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -12615,10 +12615,10 @@ index 58a4342ad0f9..1e051cc2591c 100644
 -- 
 2.45.2
 
-From 18a38ec3063ea498cd060aa0065151f9d4e081c7 Mon Sep 17 00:00:00 2001
+From c38a5b5750b08e7f2c72ddf1a4ccd188ca60102c Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:26 +0206
-Subject: [PATCH 095/198] serial: sunzilog: Use port lock wrappers
+Subject: [PATCH 095/200] serial: sunzilog: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -12831,10 +12831,10 @@ index c8c71c56264c..d3b5e864b727 100644
 -- 
 2.45.2
 
-From ce83ff6e6afb3df7415cbd9f945361794e2e9077 Mon Sep 17 00:00:00 2001
+From 9fe33b7343a0088ba246a91d31b9ec6de40826c2 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:27 +0206
-Subject: [PATCH 096/198] serial: timbuart: Use port lock wrappers
+Subject: [PATCH 096/200] serial: timbuart: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -12907,10 +12907,10 @@ index 0859394a78cd..0cc6524f5e8b 100644
 -- 
 2.45.2
 
-From ff2f1e4663a322c720d31c84387c9ebe33fce75f Mon Sep 17 00:00:00 2001
+From e42612494d67b1b00e5e000c27e81f8eb6cae77b Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:28 +0206
-Subject: [PATCH 097/198] serial: uartlite: Use port lock wrappers
+Subject: [PATCH 097/200] serial: uartlite: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -13017,10 +13017,10 @@ index b225a78f6175..404c14acafa5 100644
 -- 
 2.45.2
 
-From 49c85afc14d61921a1ebb92011eb487bc3066247 Mon Sep 17 00:00:00 2001
+From ffdb3fbe18c229e62da57542c2cb36f32529f3d7 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:29 +0206
-Subject: [PATCH 098/198] serial: ucc_uart: Use port lock wrappers
+Subject: [PATCH 098/200] serial: ucc_uart: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -13081,10 +13081,10 @@ index b06661b80f41..ed7a6bb5596a 100644
 -- 
 2.45.2
 
-From b81e070808e9bc913f43d4816314470f7893bc91 Mon Sep 17 00:00:00 2001
+From 7827b25208699ac01465966ec407a0f808564be0 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:30 +0206
-Subject: [PATCH 099/198] serial: vt8500: Use port lock wrappers
+Subject: [PATCH 099/200] serial: vt8500: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -13162,10 +13162,10 @@ index c5d5c2765119..78a1c1eea11b 100644
 -- 
 2.45.2
 
-From 4a76b27b0e60109c28d93248be169109ccd27e67 Mon Sep 17 00:00:00 2001
+From e7ba1177c632219975da0c8a2acd26008ad93158 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 14 Sep 2023 20:44:31 +0206
-Subject: [PATCH 100/198] serial: xilinx_uartps: Use port lock wrappers
+Subject: [PATCH 100/200] serial: xilinx_uartps: Use port lock wrappers
 
 When a serial port is used for kernel console output, then all
 modifications to the UART registers which are done from other contexts,
@@ -13443,10 +13443,10 @@ index 2e5e86a00a77..9c13dac1d4d1 100644
 -- 
 2.45.2
 
-From a5ba4685cd779298d2ca41e20a3150b7842f7ab9 Mon Sep 17 00:00:00 2001
+From 4bc6621e9d84a9ec71c156043473f733b3fedddb Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Sat, 16 Sep 2023 21:26:00 +0206
-Subject: [PATCH 101/198] printk: Add non-BKL (nbcon) console basic
+Subject: [PATCH 101/200] printk: Add non-BKL (nbcon) console basic
  infrastructure
 
 The current console/printk subsystem is protected by a Big Kernel Lock,
@@ -13717,10 +13717,10 @@ index 0fca282c0a25..b2c65b991e1e 100644
 -- 
 2.45.2
 
-From 25eeb3074c79b522df2bab04ada51d3697f1c940 Mon Sep 17 00:00:00 2001
+From 96e85303396861e216017a33f06b5d8a340d2c7b Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Sat, 16 Sep 2023 21:26:01 +0206
-Subject: [PATCH 102/198] printk: nbcon: Add acquire/release logic
+Subject: [PATCH 102/200] printk: nbcon: Add acquire/release logic
 
 Add per console acquire/release functionality.
 
@@ -14429,10 +14429,10 @@ index 63d24ca62ac5..a2a354f859f9 100644
 -- 
 2.45.2
 
-From 57e09f34d0b11303f6f44a86a3555f84ccd6d10d Mon Sep 17 00:00:00 2001
+From 7c95cefee1f190cc26dbbf2f7a00773d96f2c05f Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Sat, 16 Sep 2023 21:26:02 +0206
-Subject: [PATCH 103/198] printk: Make static printk buffers available to nbcon
+Subject: [PATCH 103/200] printk: Make static printk buffers available to nbcon
 
 The nbcon boot consoles also need printk buffers that are available
 very early. Since the nbcon boot consoles will also be serialized
@@ -14501,10 +14501,10 @@ index b2c65b991e1e..dd68135cb371 100644
 -- 
 2.45.2
 
-From 1358934ed2531f8f65f250c88799f6df44b09988 Mon Sep 17 00:00:00 2001
+From fbd8ed0a565d74d254ffb3f6fbd929d13f2d06f3 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Sat, 16 Sep 2023 21:26:03 +0206
-Subject: [PATCH 104/198] printk: nbcon: Add buffer management
+Subject: [PATCH 104/200] printk: nbcon: Add buffer management
 
 In case of hostile takeovers it must be ensured that the previous
 owner cannot scribble over the output buffer of the emergency/panic
@@ -14823,10 +14823,10 @@ index dd68135cb371..58b57deb0cbe 100644
 -- 
 2.45.2
 
-From b48399e559b8566c6a1ce933393b3c31125668d0 Mon Sep 17 00:00:00 2001
+From 335bb4eca225a1b996da6542952f77903d8aa071 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Sat, 16 Sep 2023 21:26:04 +0206
-Subject: [PATCH 105/198] printk: nbcon: Add ownership state functions
+Subject: [PATCH 105/200] printk: nbcon: Add ownership state functions
 
 Provide functions that are related to the safe handover mechanism
 and allow console drivers to dynamically specify unsafe regions:
@@ -15007,10 +15007,10 @@ index ba1febf15db6..98e4be5429f0 100644
 -- 
 2.45.2
 
-From 6d382e1b192c2dad88aed0d9c6b1e72940906e31 Mon Sep 17 00:00:00 2001
+From 30a97741fd8343d2a76bfdecc966180ab16e72ce Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Sat, 16 Sep 2023 21:26:05 +0206
-Subject: [PATCH 106/198] printk: nbcon: Add sequence handling
+Subject: [PATCH 106/200] printk: nbcon: Add sequence handling
 
 Add an atomic_long_t field @nbcon_seq to the console struct to
 store the sequence number for nbcon consoles. For nbcon consoles
@@ -15329,10 +15329,10 @@ index 58b57deb0cbe..a1ab4760f807 100644
 -- 
 2.45.2
 
-From f4f507dffb3f8e18ca6cabd4c7e0bee375b855c5 Mon Sep 17 00:00:00 2001
+From b1adce1bf70071760c47a7ea5a04d7c8dce31b11 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Sat, 16 Sep 2023 21:26:06 +0206
-Subject: [PATCH 107/198] printk: nbcon: Add emit function and callback
+Subject: [PATCH 107/200] printk: nbcon: Add emit function and callback
  function for atomic printing
 
 Implement an emit function for nbcon consoles to output printk
@@ -15601,10 +15601,10 @@ index a1ab4760f807..70f793b392e5 100644
 -- 
 2.45.2
 
-From 4d8bc6065437e804cc18aff2b57f38c5b7b5624c Mon Sep 17 00:00:00 2001
+From 159433cf4a30cbfbaa5dcaf494b85e9fb3b82604 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Sat, 16 Sep 2023 21:26:07 +0206
-Subject: [PATCH 108/198] printk: nbcon: Allow drivers to mark unsafe regions
+Subject: [PATCH 108/200] printk: nbcon: Allow drivers to mark unsafe regions
  and check state
 
 For the write_atomic callback, the console driver may have unsafe
@@ -15744,10 +15744,10 @@ index 6e05d263fd22..b96077152f49 100644
 -- 
 2.45.2
 
-From c9c6e48475b8432394d8e0b989c1a65949c57c5e Mon Sep 17 00:00:00 2001
+From 36b2fa76862f79b7a59f2cfd2f9911755d9a1df3 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Wed, 20 Sep 2023 17:58:38 +0206
-Subject: [PATCH 109/198] printk: fix illegal pbufs access for !CONFIG_PRINTK
+Subject: [PATCH 109/200] printk: fix illegal pbufs access for !CONFIG_PRINTK
 
 When CONFIG_PRINTK is not set, PRINTK_MESSAGE_MAX is 0. This
 leads to a zero-sized array @outbuf in @printk_shared_pbufs. In
@@ -15883,10 +15883,10 @@ index 70f793b392e5..3bf517ae8262 100644
 -- 
 2.45.2
 
-From 638ace32240eb2e9bb3e6aa9c772c676ee969c0f Mon Sep 17 00:00:00 2001
+From eb0eb4077d3a7bcd1a3de51668787a4b8a0a58f0 Mon Sep 17 00:00:00 2001
 From: Petr Mladek <pmladek@suse.com>
 Date: Fri, 6 Oct 2023 10:21:51 +0200
-Subject: [PATCH 110/198] printk: Reduce pr_flush() pooling time
+Subject: [PATCH 110/200] printk: Reduce pr_flush() pooling time
 
 pr_flush() does not guarantee that all messages would really get flushed
 to the console. The best it could do is to wait with a given timeout.[*]
@@ -15990,10 +15990,10 @@ index 3bf517ae8262..a30338aca084 100644
 -- 
 2.45.2
 
-From c24472bbd8bfdb6eac9aa30ccfcc26de2207967f Mon Sep 17 00:00:00 2001
+From cc4e3316dd0a48aa5f68b37854cbda3c13023086 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Wed, 6 Dec 2023 12:01:56 +0000
-Subject: [PATCH 111/198] printk: nbcon: Relocate 32bit seq macros
+Subject: [PATCH 111/200] printk: nbcon: Relocate 32bit seq macros
 
 The macros __seq_to_nbcon_seq() and __nbcon_seq_to_seq() are
 used to provide support for atomic handling of sequence numbers
@@ -16138,10 +16138,10 @@ index 18cd25e489b8..b82a96dc2ea2 100644
 -- 
 2.45.2
 
-From 162024de5d1f98be7d5e405ed9c3dc1ad97f08b7 Mon Sep 17 00:00:00 2001
+From fbd2ede7785729e68cab93411ba74fd14b0e2f02 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Thu, 7 Dec 2023 14:15:15 +0000
-Subject: [PATCH 112/198] printk: Adjust mapping for 32bit seq macros
+Subject: [PATCH 112/200] printk: Adjust mapping for 32bit seq macros
 
 Note: This change only applies to 32bit architectures. On 64bit
       architectures the macros are NOPs.
@@ -16214,10 +16214,10 @@ index b82a96dc2ea2..12f60c782e46 100644
 -- 
 2.45.2
 
-From b628a53279a7fd0d46ea2c40e16bdd384177d108 Mon Sep 17 00:00:00 2001
+From bc804bae7f0ce67ccb4049508618650e73c0cdd4 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Wed, 22 Nov 2023 16:13:37 +0000
-Subject: [PATCH 113/198] printk: Use prb_first_seq() as base for 32bit seq
+Subject: [PATCH 113/200] printk: Use prb_first_seq() as base for 32bit seq
  macros
 
 Note: This change only applies to 32bit architectures. On 64bit
@@ -16292,10 +16292,10 @@ index 12f60c782e46..ee294aaf4aeb 100644
 -- 
 2.45.2
 
-From 6bbe6bdc8a9a5df1117b78c774bcb06e6935d42d Mon Sep 17 00:00:00 2001
+From 753c836fb2148489d5f5060fc8ab1d3edfdd7297 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Thu, 19 Oct 2023 10:32:05 +0000
-Subject: [PATCH 114/198] printk: ringbuffer: Do not skip non-finalized records
+Subject: [PATCH 114/200] printk: ringbuffer: Do not skip non-finalized records
  with prb_next_seq()
 
 Commit f244b4dc53e5 ("printk: ringbuffer: Improve
@@ -16604,10 +16604,10 @@ index ee294aaf4aeb..2d948cc82b5b 100644
 -- 
 2.45.2
 
-From 6219cf0cb3db3169b0bbe364013ed040f085416c Mon Sep 17 00:00:00 2001
+From 3dcec0371cd447f5a292e6abbce9e833b4d6b439 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Mon, 23 Oct 2023 11:11:05 +0000
-Subject: [PATCH 115/198] printk: ringbuffer: Clarify special lpos values
+Subject: [PATCH 115/200] printk: ringbuffer: Clarify special lpos values
 
 For empty line records, no data blocks are created. Instead,
 these valid records are identified by special logical position
@@ -16703,10 +16703,10 @@ index 2d948cc82b5b..d49460f7578e 100644
 -- 
 2.45.2
 
-From e15c23199bf9ef47232032e152045721e309aec5 Mon Sep 17 00:00:00 2001
+From 5874c61bff77e90b46874ef15d95966f7c34023f Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Fri, 13 Oct 2023 14:30:49 +0000
-Subject: [PATCH 116/198] printk: Add this_cpu_in_panic()
+Subject: [PATCH 116/200] printk: Add this_cpu_in_panic()
 
 There is already panic_in_progress() and other_cpu_in_panic(),
 but checking if the current CPU is the panic CPU must still be
@@ -16798,10 +16798,10 @@ index a30338aca084..2bb393009d4e 100644
 -- 
 2.45.2
 
-From 464af56d61fba5171c179b0832cf077515301b4b Mon Sep 17 00:00:00 2001
+From 7f17488e64800f23fa6118e5569cdfcc18aa7f04 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Mon, 6 Nov 2023 15:01:58 +0000
-Subject: [PATCH 117/198] printk: ringbuffer: Cleanup reader terminology
+Subject: [PATCH 117/200] printk: ringbuffer: Cleanup reader terminology
 
 With the lockless ringbuffer, it is allowed that multiple
 CPUs/contexts write simultaneously into the buffer. This creates
@@ -16870,10 +16870,10 @@ index 244d991ffd73..67ee1c62fcd6 100644
 -- 
 2.45.2
 
-From 185cfa7c546636e96fa108e8837c90df04901d44 Mon Sep 17 00:00:00 2001
+From 861fd9d2154564fb9772045af0b3ca2ba629e7e7 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Mon, 6 Nov 2023 14:59:55 +0000
-Subject: [PATCH 118/198] printk: Wait for all reserved records with pr_flush()
+Subject: [PATCH 118/200] printk: Wait for all reserved records with pr_flush()
 
 Currently pr_flush() will only wait for records that were
 available to readers at the time of the call (using
@@ -17049,10 +17049,10 @@ index d49460f7578e..52626d0f1fa3 100644
 -- 
 2.45.2
 
-From d0a82e88c03059c600f11e1821278adfb2262138 Mon Sep 17 00:00:00 2001
+From ab28207bf8cca851de3071c2ef5986d7dacd6dae Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Fri, 13 Oct 2023 10:23:11 +0000
-Subject: [PATCH 119/198] printk: ringbuffer: Skip non-finalized records in
+Subject: [PATCH 119/200] printk: ringbuffer: Skip non-finalized records in
  panic
 
 Normally a reader will stop once reaching a non-finalized
@@ -17122,10 +17122,10 @@ index b7748d7c44c1..d6ed33683b8b 100644
 -- 
 2.45.2
 
-From 0143ceda8af0cfac94f61465ab01f0ab708defaf Mon Sep 17 00:00:00 2001
+From 134e8c795f7a63708a6e9fb1268f83030a2f8d14 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Mon, 20 Nov 2023 12:46:35 +0100
-Subject: [PATCH 120/198] printk: ringbuffer: Consider committed as finalized
+Subject: [PATCH 120/200] printk: ringbuffer: Consider committed as finalized
  in panic
 
 A descriptor in the committed state means the record does not yet
@@ -17188,10 +17188,10 @@ index d6ed33683b8b..e7b808b829a0 100644
 -- 
 2.45.2
 
-From 5f66381ab520bc0d02dfd1d494c94d4548683283 Mon Sep 17 00:00:00 2001
+From e5e906ec18a5725e185adac5412e6927ac795f67 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Fri, 20 Oct 2023 09:37:05 +0000
-Subject: [PATCH 121/198] printk: Avoid non-panic CPUs writing to ringbuffer
+Subject: [PATCH 121/200] printk: Avoid non-panic CPUs writing to ringbuffer
 
 Commit 13fb0f74d702 ("printk: Avoid livelock with heavy printk
 during panic") introduced a mechanism to silence non-panic CPUs
@@ -17271,10 +17271,10 @@ index 807692fd386a..7c5ab5c01abb 100644
 -- 
 2.45.2
 
-From e18b36360571d01852d303c313a86ddbdd1e72eb Mon Sep 17 00:00:00 2001
+From 64eddcf7eaca7a39528875bea161dd21e3f13059 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Wed, 22 Nov 2023 11:23:43 +0000
-Subject: [PATCH 122/198] printk: Consider nbcon boot consoles on seq init
+Subject: [PATCH 122/200] printk: Consider nbcon boot consoles on seq init
 
 If a non-boot console is registering and boot consoles exist, the
 consoles are flushed before being unregistered. This allows the
@@ -17327,10 +17327,10 @@ index 7c5ab5c01abb..ae3bf0cf215a 100644
 -- 
 2.45.2
 
-From 3a5c34e9b23cea2c7f64a2bf68460955fb7a9a97 Mon Sep 17 00:00:00 2001
+From 811b435ebb4bbfec1176f98b89ae3890574e8e93 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Mon, 9 Oct 2023 13:55:19 +0000
-Subject: [PATCH 123/198] printk: Add sparse notation to console_srcu locking
+Subject: [PATCH 123/200] printk: Add sparse notation to console_srcu locking
 
 kernel/printk/printk.c:284:5: sparse: sparse: context imbalance in
 'console_srcu_read_lock' - wrong count at exit
@@ -17368,10 +17368,10 @@ index ae3bf0cf215a..ea13c808c282 100644
 -- 
 2.45.2
 
-From febba5572d4db2c87304e9389ea52dbb14224b92 Mon Sep 17 00:00:00 2001
+From 48560f34bf90e00b03fc707cf39754c8c8dbaf77 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Fri, 20 Oct 2023 09:52:59 +0000
-Subject: [PATCH 124/198] printk: nbcon: Ensure ownership release on failed
+Subject: [PATCH 124/200] printk: nbcon: Ensure ownership release on failed
  emit
 
 Until now it was assumed that ownership has been lost when the
@@ -17431,10 +17431,10 @@ index c8093bcc01fe..8ecd76aa22e6 100644
 -- 
 2.45.2
 
-From 3e0533f5d46712ee9afc93140dc93036581627e9 Mon Sep 17 00:00:00 2001
+From 16b4c119770c1a318c76b0304519dae00799dae6 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Fri, 22 Sep 2023 14:58:18 +0000
-Subject: [PATCH 125/198] printk: Check printk_deferred_enter()/_exit() usage
+Subject: [PATCH 125/200] printk: Check printk_deferred_enter()/_exit() usage
 
 Add validation that printk_deferred_enter()/_exit() are called in
 non-migration contexts.
@@ -17496,10 +17496,10 @@ index 6d10927a07d8..8d9408d653de 100644
 -- 
 2.45.2
 
-From 689de59065beacb0334df972a4dc1a9ef64e03e1 Mon Sep 17 00:00:00 2001
+From 362c2198c3365b9bcbe7c9c4b848cdaf90f8ae0d Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Wed, 13 Sep 2023 08:35:23 +0000
-Subject: [PATCH 126/198] printk: nbcon: Implement processing in port->lock
+Subject: [PATCH 126/200] printk: nbcon: Implement processing in port->lock
  wrapper
 
 Currently the port->lock wrappers uart_port_lock(),
@@ -17751,10 +17751,10 @@ index 8ecd76aa22e6..a5707fe1e95e 100644
 -- 
 2.45.2
 
-From 5d22dc8168e1363b069713b16387275085a3f7a0 Mon Sep 17 00:00:00 2001
+From 11acea9573254934d45de1e71d2e69494cc1f30d Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Fri, 8 Dec 2023 15:54:27 +0000
-Subject: [PATCH 127/198] printk: nbcon: Add driver_enter/driver_exit console
+Subject: [PATCH 127/200] printk: nbcon: Add driver_enter/driver_exit console
  callbacks
 
 Console drivers need some mechanism to synchronize between "normal
@@ -17798,10 +17798,10 @@ index c27bd5189660..73515c324347 100644
 -- 
 2.45.2
 
-From cd5ded76b71e3e4121beb9ad0e15990a6e6968b5 Mon Sep 17 00:00:00 2001
+From a137c4460a3f2fd6a8c109f014d981374c34b8bf Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Tue, 12 Sep 2023 13:25:41 +0000
-Subject: [PATCH 128/198] printk: Make console_is_usable() available to nbcon
+Subject: [PATCH 128/200] printk: Make console_is_usable() available to nbcon
 
 Move console_is_usable() as-is into internal.h so that it can
 be used by nbcon printing functions as well.
@@ -17908,10 +17908,10 @@ index ea13c808c282..d959be5c4102 100644
 -- 
 2.45.2
 
-From 31fde95be4d4b878938c8f320f57427892a57702 Mon Sep 17 00:00:00 2001
+From c79fae60ccbabeb5b3c400f670967f75353bedd0 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Tue, 12 Sep 2023 13:53:21 +0000
-Subject: [PATCH 129/198] printk: Let console_is_usable() handle nbcon
+Subject: [PATCH 129/200] printk: Let console_is_usable() handle nbcon
 
 The nbcon consoles use a different printing callback. For nbcon
 consoles, check for the write_atomic() callback instead of
@@ -17956,10 +17956,10 @@ index 378ccca007ca..d741d19bb9db 100644
 -- 
 2.45.2
 
-From 0eeead3bbae58e9230d01640c43962019d5d93ba Mon Sep 17 00:00:00 2001
+From 4e7c124cd3d4ca32792c10297612a60e3f3145c0 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Tue, 12 Sep 2023 13:45:33 +0000
-Subject: [PATCH 130/198] printk: Add @flags argument for console_is_usable()
+Subject: [PATCH 130/200] printk: Add @flags argument for console_is_usable()
 
 The caller of console_is_usable() usually needs @console->flags
 for its own checks. Rather than having console_is_usable() read
@@ -18030,10 +18030,10 @@ index d959be5c4102..bdd3d7e40e63 100644
 -- 
 2.45.2
 
-From 6ef417cb3c1c7319094c6361025cf1d36e6f3ef3 Mon Sep 17 00:00:00 2001
+From 49232f099f1b0a45f758eb79538e678c28de42f5 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Tue, 12 Sep 2023 12:00:08 +0000
-Subject: [PATCH 131/198] printk: nbcon: Provide function to flush using
+Subject: [PATCH 131/200] printk: nbcon: Provide function to flush using
  write_atomic()
 
 Provide nbcon_atomic_flush_all() to perform flushing of all
@@ -18225,10 +18225,10 @@ index bdd3d7e40e63..271865952a4d 100644
 -- 
 2.45.2
 
-From 0586c0b87f2cf54984ff1838f1d5585e58d5a4c4 Mon Sep 17 00:00:00 2001
+From 33123b535b9e978d09c04debde1b7e65c00ac82f Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Tue, 24 Oct 2023 14:13:14 +0000
-Subject: [PATCH 132/198] printk: Track registered boot consoles
+Subject: [PATCH 132/200] printk: Track registered boot consoles
 
 Unfortunately it is not known if a boot console and a regular
 (legacy or nbcon) console use the same hardware. For this reason
@@ -18308,10 +18308,10 @@ index 271865952a4d..4185c58f7915 100644
 -- 
 2.45.2
 
-From 1be4432e56ee0f11e1b1392bc9817e9807398608 Mon Sep 17 00:00:00 2001
+From 2e09f008dc17a4f0a4dbb8f0cd0ba0932b172a04 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Tue, 19 Sep 2023 14:33:27 +0000
-Subject: [PATCH 133/198] printk: nbcon: Use nbcon consoles in
+Subject: [PATCH 133/200] printk: nbcon: Use nbcon consoles in
  console_flush_all()
 
 Allow nbcon consoles to print messages in the printk() caller
@@ -18490,10 +18490,10 @@ index 4185c58f7915..d6173575ea03 100644
 -- 
 2.45.2
 
-From 8c82e4ba70c70cc92a2932394737ecb227a28eb5 Mon Sep 17 00:00:00 2001
+From dbed4f27af14cc43b8a0f645c9b18702ce19c1f5 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Thu, 14 Dec 2023 14:38:42 +0000
-Subject: [PATCH 134/198] printk: nbcon: Assign priority based on CPU state
+Subject: [PATCH 134/200] printk: nbcon: Assign priority based on CPU state
 
 Use the current state of the CPU to determine which priority to
 assign to the printing context.
@@ -18610,10 +18610,10 @@ index c17cf3ea6153..3e999784ba5c 100644
 -- 
 2.45.2
 
-From 52adc37a96c17bfc60dc19066679f9e4f77c1ee1 Mon Sep 17 00:00:00 2001
+From b96326b72a3df7d0b6028707326d56f156bffffe Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Fri, 20 Oct 2023 10:03:42 +0000
-Subject: [PATCH 135/198] printk: nbcon: Add unsafe flushing on panic
+Subject: [PATCH 135/200] printk: nbcon: Add unsafe flushing on panic
 
 Add nbcon_atomic_flush_unsafe() to flush all nbcon consoles
 using the write_atomic() callback and allowing unsafe hostile
@@ -18715,10 +18715,10 @@ index 3e999784ba5c..1c01f88d596d 100644
 -- 
 2.45.2
 
-From edc45d8596509dcd2e4fa698b9020fd6e7c3be0c Mon Sep 17 00:00:00 2001
+From 1dc3486d1b55b454cf36b8ebf8c53ebfcea9f936 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Tue, 26 Sep 2023 12:44:07 +0000
-Subject: [PATCH 136/198] printk: Avoid console_lock dance if no legacy or boot
+Subject: [PATCH 136/200] printk: Avoid console_lock dance if no legacy or boot
  consoles
 
 Currently the console lock is used to attempt legacy-type
@@ -18933,10 +18933,10 @@ index d6173575ea03..e92da55b8e9f 100644
 -- 
 2.45.2
 
-From 1034e88ce0801d0f882bc72583c36976003c3b77 Mon Sep 17 00:00:00 2001
+From c776e58c8df743a106fa2cb407cda44a182a4498 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Mon, 11 Dec 2023 09:36:52 +0000
-Subject: [PATCH 137/198] printk: Track nbcon consoles
+Subject: [PATCH 137/200] printk: Track nbcon consoles
 
 Add a global flag @have_nbcon_console to identify if any nbcon
 consoles are registered. This will be used in follow-up commits
@@ -19005,10 +19005,10 @@ index e92da55b8e9f..977a97f0396b 100644
 -- 
 2.45.2
 
-From 197c8250e45665a1605701ff0ec4236eaa4329fa Mon Sep 17 00:00:00 2001
+From e5c811c4e055218dce49c0f7cfcf9c9e2b6b1050 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Wed, 22 Nov 2023 11:56:58 +0000
-Subject: [PATCH 138/198] printk: Coordinate direct printing in panic
+Subject: [PATCH 138/200] printk: Coordinate direct printing in panic
 
 Perform printing by nbcon consoles on the panic CPU from the
 printk() caller context in order to get panic messages printed
@@ -19148,10 +19148,10 @@ index 977a97f0396b..e8d60e29c17f 100644
 -- 
 2.45.2
 
-From fe9837094061302a96ee7f25c088019cfe5b9e86 Mon Sep 17 00:00:00 2001
+From 2416a470cee743dfb9f6c27619d854b6fb6c2498 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Mon, 11 Sep 2023 15:21:57 +0000
-Subject: [PATCH 139/198] printk: nbcon: Implement emergency sections
+Subject: [PATCH 139/200] printk: nbcon: Implement emergency sections
 
 In emergency situations (something has gone wrong but the
 system continues to operate), usually important information
@@ -19391,10 +19391,10 @@ index e8d60e29c17f..4a0df41d32b8 100644
 -- 
 2.45.2
 
-From ae9e3ee1255c99520bd45e56a137c302980269de Mon Sep 17 00:00:00 2001
+From 348a34e37c1d2645f63358a81e1baac16e866037 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Mon, 11 Sep 2023 15:53:04 +0000
-Subject: [PATCH 140/198] panic: Mark emergency section in warn
+Subject: [PATCH 140/200] panic: Mark emergency section in warn
 
 Mark the full contents of __warn() as an emergency section. In
 this section, the CPU will not perform console output for the
@@ -19434,10 +19434,10 @@ index f0e91a0c4001..147803c3a402 100644
 -- 
 2.45.2
 
-From cc7cbb324c04ce560f6664fe4d37e5cdf31ccd2e Mon Sep 17 00:00:00 2001
+From c50afd6369a6c7bdf39cfb5caaac8a0ebcc25fdf Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Tue, 19 Sep 2023 17:07:34 +0000
-Subject: [PATCH 141/198] panic: Mark emergency section in oops
+Subject: [PATCH 141/200] panic: Mark emergency section in oops
 
 Mark an emergency section beginning with oops_enter() until the
 end of oops_exit(). In this section, the CPU will not perform
@@ -19478,10 +19478,10 @@ index 147803c3a402..9215df21d8c2 100644
 -- 
 2.45.2
 
-From 25c9f8b74e279aab3153a9cd77cb5c9a547628e2 Mon Sep 17 00:00:00 2001
+From 69da3439e08fed6c879c95eef545198dbf57f15e Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Mon, 11 Sep 2023 15:53:39 +0000
-Subject: [PATCH 142/198] rcu: Mark emergency section in rcu stalls
+Subject: [PATCH 142/200] rcu: Mark emergency section in rcu stalls
 
 Mark an emergency section within print_other_cpu_stall(), where
 RCU stall information is printed. In this section, the CPU will
@@ -19528,10 +19528,10 @@ index 11a1fac3a589..6f085a159fca 100644
 -- 
 2.45.2
 
-From f022111693b4530475e7e7753d02596122deb642 Mon Sep 17 00:00:00 2001
+From 924d2a3a21677de19e46f6ed2eab612066274dce Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Mon, 18 Sep 2023 20:27:41 +0000
-Subject: [PATCH 143/198] lockdep: Mark emergency section in lockdep splats
+Subject: [PATCH 143/200] lockdep: Mark emergency section in lockdep splats
 
 Mark an emergency section within print_usage_bug(), where
 lockdep bugs are printed. In this section, the CPU will not
@@ -19578,10 +19578,10 @@ index 151bd3de5936..5c21ba41e308 100644
 -- 
 2.45.2
 
-From 6144a5eb9894a284cf78a7ad714198f724e4447c Mon Sep 17 00:00:00 2001
+From e1a16b64bf24f4a909eb3bc25c0b70935d03d2e4 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Fri, 22 Sep 2023 14:12:21 +0000
-Subject: [PATCH 144/198] printk: nbcon: Introduce printing kthreads
+Subject: [PATCH 144/200] printk: nbcon: Introduce printing kthreads
 
 Provide the main implementation for running a printer kthread
 per nbcon console that is takeover/handover aware.
@@ -20030,10 +20030,10 @@ index 4a0df41d32b8..3e307d475d23 100644
 -- 
 2.45.2
 
-From b8a2514fdcc61663246962caef2825ff4946ec90 Mon Sep 17 00:00:00 2001
+From 8075e61875d6c982f0825a0a15423c3f75c737fd Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Mon, 23 Oct 2023 17:43:48 +0000
-Subject: [PATCH 145/198] printk: Atomic print in printk context on shutdown
+Subject: [PATCH 145/200] printk: Atomic print in printk context on shutdown
 
 For nbcon consoles, normally the printing is handled by the
 dedicated console printing threads. However, on shutdown the
@@ -20076,10 +20076,10 @@ index 3e307d475d23..2a77a4ad5619 100644
 -- 
 2.45.2
 
-From 495b8863ee377ebb74145fccf86e6c9c488bc30c Mon Sep 17 00:00:00 2001
+From c24387d27880e1e1d9f3cc569dbd58cebcc85aa5 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Tue, 26 Sep 2023 14:43:30 +0000
-Subject: [PATCH 146/198] printk: nbcon: Add context to console_is_usable()
+Subject: [PATCH 146/200] printk: nbcon: Add context to console_is_usable()
 
 The nbcon consoles have two callbacks to be used for different
 contexts. In order to determine if an nbcon console is usable,
@@ -20196,10 +20196,10 @@ index 2a77a4ad5619..3863e3dc3816 100644
 -- 
 2.45.2
 
-From f9f3719eb39aa4f1b1172e118067488b6bd14d35 Mon Sep 17 00:00:00 2001
+From df86179351eceb90629fcc29db92c17c3e3f5b96 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Tue, 26 Sep 2023 13:03:52 +0000
-Subject: [PATCH 147/198] printk: nbcon: Add printer thread wakeups
+Subject: [PATCH 147/200] printk: nbcon: Add printer thread wakeups
 
 Add a function to wakeup the printer threads. Use the new function
 when:
@@ -20371,10 +20371,10 @@ index 3863e3dc3816..3cdda6dd8941 100644
 -- 
 2.45.2
 
-From 3413d13f9d49d3505aff897ea73ffd471ed5c06c Mon Sep 17 00:00:00 2001
+From 378fb0e72ecd67cbc6a7ec311422bdb82b3cf04b Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Tue, 26 Sep 2023 13:04:15 +0000
-Subject: [PATCH 148/198] printk: nbcon: Stop threads on shutdown/reboot
+Subject: [PATCH 148/200] printk: nbcon: Stop threads on shutdown/reboot
 
 Register a syscore_ops shutdown function to stop all threaded
 printers on shutdown/reboot. This allows printk to transition back
@@ -20436,10 +20436,10 @@ index 337ec7a10095..57ed4968a653 100644
 -- 
 2.45.2
 
-From 2db54366e75b8501a49e989ec68bb416e6ee6551 Mon Sep 17 00:00:00 2001
+From 43af883ddf1b35861838614356ad67bfb44ba70c Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Tue, 5 Dec 2023 14:09:31 +0000
-Subject: [PATCH 149/198] printk: nbcon: Start printing threads
+Subject: [PATCH 149/200] printk: nbcon: Start printing threads
 
 If there are no boot consoles, the printing threads are started
 in early_initcall.
@@ -20580,10 +20580,10 @@ index 3cdda6dd8941..3722f1a66357 100644
 -- 
 2.45.2
 
-From 6e79773c3e5bcf74962b5ee1a288c4520cf6379a Mon Sep 17 00:00:00 2001
+From d2b2b276ef8461066e31e2a9d0e440b33d3098f7 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Tue, 26 Sep 2023 13:31:00 +0000
-Subject: [PATCH 150/198] proc: Add nbcon support for /proc/consoles
+Subject: [PATCH 150/200] proc: Add nbcon support for /proc/consoles
 
 Update /proc/consoles output to show 'W' if an nbcon write
 callback is implemented (write_atomic or write_thread).
@@ -20638,10 +20638,10 @@ index e0758fe7936d..2703676549f5 100644
 -- 
 2.45.2
 
-From 6d43c5b27a05e816911844887c87b9d92dfe31be Mon Sep 17 00:00:00 2001
+From 4e3621466bc8ff5008683c3092f986d12c2e4830 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Fri, 22 Sep 2023 14:31:09 +0000
-Subject: [PATCH 151/198] tty: sysfs: Add nbcon support for 'active'
+Subject: [PATCH 151/200] tty: sysfs: Add nbcon support for 'active'
 
 Allow the 'active' attribute to list nbcon consoles.
 
@@ -20676,10 +20676,10 @@ index 493fc4742895..afa52883c498 100644
 -- 
 2.45.2
 
-From b3e9c72cedfba22470d12485d064d2d206bc851e Mon Sep 17 00:00:00 2001
+From d7bb4ca00319f2911e030ef6e377824e0d1a7d64 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Fri, 20 Oct 2023 10:01:58 +0000
-Subject: [PATCH 152/198] printk: nbcon: Provide function to reacquire
+Subject: [PATCH 152/200] printk: nbcon: Provide function to reacquire
  ownership
 
 Contexts may become nbcon owners for various reasons, not just
@@ -20775,10 +20775,10 @@ index b866d0138fe0..f843df54ee82 100644
 -- 
 2.45.2
 
-From 3388ae9fcb90590f2dfb0fe91e1c1ab593418a83 Mon Sep 17 00:00:00 2001
+From 66892b5a990b37dc9c2c2c86ab7ca105e322bd08 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Mon, 11 Dec 2023 09:19:18 +0000
-Subject: [PATCH 153/198] serial: core: Provide low-level functions to port
+Subject: [PATCH 153/200] serial: core: Provide low-level functions to port
  lock
 
 The nbcon console's driver_enter() and driver_exit() callbacks need
@@ -20823,10 +20823,10 @@ index 6fc2003767a9..7c861b4606aa 100644
 -- 
 2.45.2
 
-From e31f4d34f8f32e33ede31f1ebfafe2b75ab202bf Mon Sep 17 00:00:00 2001
+From f8bc4464b5e38f029a55b891309bd6ac36453cc7 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Wed, 13 Sep 2023 15:30:36 +0000
-Subject: [PATCH 154/198] serial: 8250: Switch to nbcon console
+Subject: [PATCH 154/200] serial: 8250: Switch to nbcon console
 
 Implement the necessary callbacks to switch the 8250 console driver
 to perform as an nbcon console.
@@ -21167,10 +21167,10 @@ index be65de65fe61..ec46e3b49ee9 100644
 -- 
 2.45.2
 
-From 2314140b8c95a326c2654671098935c7e7e3d47a Mon Sep 17 00:00:00 2001
+From 62fab477292a68aba7c0150225c2c9135ce5750e Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Fri, 22 Sep 2023 17:35:04 +0000
-Subject: [PATCH 155/198] printk: Add kthread for all legacy consoles
+Subject: [PATCH 155/200] printk: Add kthread for all legacy consoles
 
 The write callback of legacy consoles make use of spinlocks.
 This is not permitted with PREEMPT_RT in atomic contexts.
@@ -21598,10 +21598,10 @@ index 3722f1a66357..4f1ca9931ddb 100644
 -- 
 2.45.2
 
-From f0dbeb8b0e778d69076872f650fdb5f580962094 Mon Sep 17 00:00:00 2001
+From 9b1a4bb75dae029d59a2d203eee8b9cacf461f14 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Mon, 2 Oct 2023 15:30:43 +0000
-Subject: [PATCH 156/198] serial: 8250: revert "drop lockdep annotation from
+Subject: [PATCH 156/200] serial: 8250: revert "drop lockdep annotation from
  serial8250_clear_IER()"
 
 The 8250 driver no longer depends on @oops_in_progress and
@@ -21632,10 +21632,10 @@ index bc3ab612aec5..2d4e775cd7cb 100644
 -- 
 2.45.2
 
-From 578228e0f90a5657abfcb1e26a24c7cd947652a3 Mon Sep 17 00:00:00 2001
+From 25e776eb6eb155b104451f87dbbeb05ac3ab7677 Mon Sep 17 00:00:00 2001
 From: John Ogness <john.ogness@linutronix.de>
 Date: Mon, 11 Dec 2023 09:34:16 +0000
-Subject: [PATCH 157/198] printk: Avoid false positive lockdep report for
+Subject: [PATCH 157/200] printk: Avoid false positive lockdep report for
  legacy driver.
 
 printk may invoke the legacy console driver from atomic context. This leads to
@@ -21701,10 +21701,10 @@ index 4f1ca9931ddb..249576a8c351 100644
 -- 
 2.45.2
 
-From c868850c96483fdafd6ee3a352efe97fb6d4f242 Mon Sep 17 00:00:00 2001
+From 7c9f87b242a7d6237fc4e6dfbd055786274c7de7 Mon Sep 17 00:00:00 2001
 From: Mike Galbraith <umgwanakikbuti@gmail.com>
 Date: Sat, 27 Feb 2016 08:09:11 +0100
-Subject: [PATCH 158/198] drm/i915: Use preempt_disable/enable_rt() where
+Subject: [PATCH 158/200] drm/i915: Use preempt_disable/enable_rt() where
  recommended
 
 Mario Kleiner suggest in commit
@@ -21762,10 +21762,10 @@ index f5659ebd08eb..5b6d2f55528d 100644
 -- 
 2.45.2
 
-From 0ba10b2984c34fb7ac70572d0b4848912f754b4b Mon Sep 17 00:00:00 2001
+From 3235518cd24ebb7fa1c33873b2c8f520b5787606 Mon Sep 17 00:00:00 2001
 From: Mike Galbraith <umgwanakikbuti@gmail.com>
 Date: Sat, 27 Feb 2016 09:01:42 +0100
-Subject: [PATCH 159/198] drm/i915: Don't disable interrupts on PREEMPT_RT
+Subject: [PATCH 159/200] drm/i915: Don't disable interrupts on PREEMPT_RT
  during atomic updates
 
 Commit
@@ -21852,10 +21852,10 @@ index cfbfbfed3f5e..da2becfbc86c 100644
 -- 
 2.45.2
 
-From 32a5a13896ac89994c2a4e61e3155fc2d9b59e38 Mon Sep 17 00:00:00 2001
+From 3fe34f3023f9b22efd04685fb3f0330138d08c2d Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Mon, 25 Oct 2021 15:05:18 +0200
-Subject: [PATCH 160/198] drm/i915: Don't check for atomic context on
+Subject: [PATCH 160/200] drm/i915: Don't check for atomic context on
  PREEMPT_RT
 
 The !in_atomic() check in _wait_for_atomic() triggers on PREEMPT_RT
@@ -21888,10 +21888,10 @@ index c61066498bf2..48e19e55d6b0 100644
 -- 
 2.45.2
 
-From 4c4c7b1fafbffa54d8e2ab64ea03732b1ba052fa Mon Sep 17 00:00:00 2001
+From ae9c8375d1775c29e0da15dab036b2e1328db94f Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Thu, 6 Dec 2018 09:52:20 +0100
-Subject: [PATCH 161/198] drm/i915: Disable tracing points on PREEMPT_RT
+Subject: [PATCH 161/200] drm/i915: Disable tracing points on PREEMPT_RT
 
 Luca Abeni reported this:
 | BUG: scheduling while atomic: kworker/u8:2/15203/0x00000003
@@ -21938,10 +21938,10 @@ index ce1cbee1b39d..c54653cf72c9 100644
 -- 
 2.45.2
 
-From f617dbd4ef8e1f7c2f39dc0098aff8a4ae828edf Mon Sep 17 00:00:00 2001
+From ea5ef610350d0e531b308e4ff49a28d093cb6e4e Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Wed, 19 Dec 2018 10:47:02 +0100
-Subject: [PATCH 162/198] drm/i915: skip DRM_I915_LOW_LEVEL_TRACEPOINTS with
+Subject: [PATCH 162/200] drm/i915: skip DRM_I915_LOW_LEVEL_TRACEPOINTS with
  NOTRACE
 
 The order of the header files is important. If this header file is
@@ -21972,10 +21972,10 @@ index c54653cf72c9..3c51620d011b 100644
 -- 
 2.45.2
 
-From 814f7bc68678691a78ed8f8caedf4a395ca540a7 Mon Sep 17 00:00:00 2001
+From 32f1485b7137d29b522c8e74672cd78933cedae3 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Wed, 8 Sep 2021 17:18:00 +0200
-Subject: [PATCH 163/198] drm/i915/gt: Queue and wait for the irq_work item.
+Subject: [PATCH 163/200] drm/i915/gt: Queue and wait for the irq_work item.
 
 Disabling interrupts and invoking the irq_work function directly breaks
 on PREEMPT_RT.
@@ -22020,10 +22020,10 @@ index f2973cd1a8aa..aa77f8601b8a 100644
 -- 
 2.45.2
 
-From 4baa3eb017711c42d70dc99cea2ea9d0f1ec600a Mon Sep 17 00:00:00 2001
+From 167c5db49060816ad61e39d58047655acc46e0fc Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Wed, 8 Sep 2021 19:03:41 +0200
-Subject: [PATCH 164/198] drm/i915/gt: Use spin_lock_irq() instead of
+Subject: [PATCH 164/200] drm/i915/gt: Use spin_lock_irq() instead of
  local_irq_disable() + spin_lock()
 
 execlists_dequeue() is invoked from a function which uses
@@ -22049,7 +22049,7 @@ Reviewed-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
  1 file changed, 5 insertions(+), 12 deletions(-)
 
 diff --git a/drivers/gpu/drm/i915/gt/intel_execlists_submission.c b/drivers/gpu/drm/i915/gt/intel_execlists_submission.c
-index 42e09f158920..ac80e229f1cc 100644
+index 2065be5a196b..73d815fc514b 100644
 --- a/drivers/gpu/drm/i915/gt/intel_execlists_submission.c
 +++ b/drivers/gpu/drm/i915/gt/intel_execlists_submission.c
 @@ -1303,7 +1303,7 @@ static void execlists_dequeue(struct intel_engine_cs *engine)
@@ -22114,10 +22114,10 @@ index 42e09f158920..ac80e229f1cc 100644
 -- 
 2.45.2
 
-From c78d8e9b33978255b96cef113ccd77dc03360bfe Mon Sep 17 00:00:00 2001
+From dd328d707db4264bc8d6b191bc3ef05232552a51 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Fri, 1 Oct 2021 20:01:03 +0200
-Subject: [PATCH 165/198] drm/i915: Drop the irqs_disabled() check
+Subject: [PATCH 165/200] drm/i915: Drop the irqs_disabled() check
 
 The !irqs_disabled() check triggers on PREEMPT_RT even with
 i915_sched_engine::lock acquired. The reason is the lock is transformed
@@ -22158,10 +22158,10 @@ index f59081066a19..014d02029a41 100644
 -- 
 2.45.2
 
-From ec62a2022fa25e4cbd7b7195f298e6b494b9f8bf Mon Sep 17 00:00:00 2001
+From 1051a1738a9ea6ee51262268a035f57be4bac777 Mon Sep 17 00:00:00 2001
 From: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
 Date: Wed, 5 Jul 2023 10:30:25 +0100
-Subject: [PATCH 166/198] drm/i915: Do not disable preemption for resets
+Subject: [PATCH 166/200] drm/i915: Do not disable preemption for resets
 
 Commit ade8a0f59844 ("drm/i915: Make all GPU resets atomic") added a
 preempt disable section over the hardware reset callback to prepare the
@@ -22262,10 +22262,10 @@ index 13fb8e5042c5..b51fb0c97772 100644
 -- 
 2.45.2
 
-From d851be1494b9792f97cfbb324780ff70ae015fd5 Mon Sep 17 00:00:00 2001
+From 83b39907e6f7a0185cdf76443627b34377d80bab Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Tue, 3 Oct 2023 21:37:21 +0200
-Subject: [PATCH 167/198] drm/i915/guc: Consider also RCU depth in busy loop.
+Subject: [PATCH 167/200] drm/i915/guc: Consider also RCU depth in busy loop.
 
 intel_guc_send_busy_loop() looks at in_atomic() and irqs_disabled() to
 decide if it should busy-spin while waiting or if it may sleep.
@@ -22296,10 +22296,10 @@ index 8dc291ff0093..5b8d084c9c58 100644
 -- 
 2.45.2
 
-From 33b3a2072ad9e8a78c747432d2263db4ef4d026f Mon Sep 17 00:00:00 2001
+From 18321a9c9a22bd98ac388125352f34b98c954071 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Mon, 21 Feb 2022 17:59:14 +0100
-Subject: [PATCH 168/198] Revert "drm/i915: Depend on !PREEMPT_RT."
+Subject: [PATCH 168/200] Revert "drm/i915: Depend on !PREEMPT_RT."
 
 Once the known issues are addressed, it should be safe to enable the
 driver.
@@ -22324,10 +22324,10 @@ index ce397a8797f7..98c3f532822d 100644
 -- 
 2.45.2
 
-From 874801d5fa1d79109b2fce33dbc7f6ef451e5400 Mon Sep 17 00:00:00 2001
+From b0271319d6f5dbc9d3eeafc4d4024aa621b34a94 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Sat, 23 Sep 2023 03:11:05 +0200
-Subject: [PATCH 169/198] sched: define TIF_ALLOW_RESCHED
+Subject: [PATCH 169/200] sched: define TIF_ALLOW_RESCHED
 
 On Fri, Sep 22 2023 at 00:55, Thomas Gleixner wrote:
 > On Thu, Sep 21 2023 at 09:00, Linus Torvalds wrote:
@@ -22763,7 +22763,7 @@ index 2e0f75bcb7fd..d952fa5ee880 100644
  
  		if (ti_work & _TIF_NOTIFY_RESUME)
 diff --git a/kernel/sched/core.c b/kernel/sched/core.c
-index b917a854ac50..0026aa2965d4 100644
+index fb30aad3c1b6..f8ae421b2fed 100644
 --- a/kernel/sched/core.c
 +++ b/kernel/sched/core.c
 @@ -897,14 +897,15 @@ static inline void hrtick_rq_init(struct rq *rq)
@@ -22909,7 +22909,7 @@ index 4c3d0d9f3db6..63e19b89c8c3 100644
  }
  late_initcall(sched_init_debug);
 diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
-index d3d0a1c9336b..5cc8b6802ddd 100644
+index b2e1009e5706..e7e5569fd505 100644
 --- a/kernel/sched/fair.c
 +++ b/kernel/sched/fair.c
 @@ -1022,8 +1022,10 @@ static void clear_buddies(struct cfs_rq *cfs_rq, struct sched_entity *se);
@@ -22977,7 +22977,7 @@ index d3d0a1c9336b..5cc8b6802ddd 100644
  static void update_curr_fair(struct rq *rq)
  {
  	update_curr(cfs_rq_of(&rq->curr->se));
-@@ -5404,7 +5420,7 @@ entity_tick(struct cfs_rq *cfs_rq, struct sched_entity *curr, int queued)
+@@ -5403,7 +5419,7 @@ entity_tick(struct cfs_rq *cfs_rq, struct sched_entity *curr, int queued)
  	/*
  	 * Update run-time statistics of the 'current'.
  	 */
@@ -22986,7 +22986,7 @@ index d3d0a1c9336b..5cc8b6802ddd 100644
  
  	/*
  	 * Ensure that runnable average is periodically updated.
-@@ -5418,7 +5434,7 @@ entity_tick(struct cfs_rq *cfs_rq, struct sched_entity *curr, int queued)
+@@ -5417,7 +5433,7 @@ entity_tick(struct cfs_rq *cfs_rq, struct sched_entity *curr, int queued)
  	 * validating it and just reschedule.
  	 */
  	if (queued) {
@@ -22995,7 +22995,7 @@ index d3d0a1c9336b..5cc8b6802ddd 100644
  		return;
  	}
  	/*
-@@ -5564,7 +5580,7 @@ static void __account_cfs_rq_runtime(struct cfs_rq *cfs_rq, u64 delta_exec)
+@@ -5563,7 +5579,7 @@ static void __account_cfs_rq_runtime(struct cfs_rq *cfs_rq, u64 delta_exec)
  	 * hierarchy can be throttled
  	 */
  	if (!assign_cfs_rq_runtime(cfs_rq) && likely(cfs_rq->curr))
@@ -23004,7 +23004,7 @@ index d3d0a1c9336b..5cc8b6802ddd 100644
  }
  
  static __always_inline
-@@ -5824,7 +5840,7 @@ void unthrottle_cfs_rq(struct cfs_rq *cfs_rq)
+@@ -5823,7 +5839,7 @@ void unthrottle_cfs_rq(struct cfs_rq *cfs_rq)
  
  	/* Determine whether we need to wake up potentially idle CPU: */
  	if (rq->curr == rq->idle && rq->cfs.nr_running)
@@ -23013,7 +23013,7 @@ index d3d0a1c9336b..5cc8b6802ddd 100644
  }
  
  #ifdef CONFIG_SMP
-@@ -6529,7 +6545,7 @@ static void hrtick_start_fair(struct rq *rq, struct task_struct *p)
+@@ -6528,7 +6544,7 @@ static void hrtick_start_fair(struct rq *rq, struct task_struct *p)
  
  		if (delta < 0) {
  			if (task_current(rq, p))
@@ -23022,7 +23022,7 @@ index d3d0a1c9336b..5cc8b6802ddd 100644
  			return;
  		}
  		hrtick_start(rq, delta);
-@@ -8207,7 +8223,7 @@ static void check_preempt_wakeup(struct rq *rq, struct task_struct *p, int wake_
+@@ -8206,7 +8222,7 @@ static void check_preempt_wakeup(struct rq *rq, struct task_struct *p, int wake_
  	 * prevents us from potentially nominating it as a false LAST_BUDDY
  	 * below.
  	 */
@@ -23031,7 +23031,7 @@ index d3d0a1c9336b..5cc8b6802ddd 100644
  		return;
  
  	/* Idle tasks are by definition preempted by non-idle tasks. */
-@@ -8249,7 +8265,7 @@ static void check_preempt_wakeup(struct rq *rq, struct task_struct *p, int wake_
+@@ -8248,7 +8264,7 @@ static void check_preempt_wakeup(struct rq *rq, struct task_struct *p, int wake_
  	return;
  
  preempt:
@@ -23040,7 +23040,7 @@ index d3d0a1c9336b..5cc8b6802ddd 100644
  }
  
  #ifdef CONFIG_SMP
-@@ -12395,7 +12411,7 @@ static inline void task_tick_core(struct rq *rq, struct task_struct *curr)
+@@ -12394,7 +12410,7 @@ static inline void task_tick_core(struct rq *rq, struct task_struct *curr)
  	 */
  	if (rq->core->core_forceidle_count && rq->cfs.nr_running == 1 &&
  	    __entity_slice_used(&curr->se, MIN_NR_TASKS_DURING_FORCEIDLE))
@@ -23049,7 +23049,7 @@ index d3d0a1c9336b..5cc8b6802ddd 100644
  }
  
  /*
-@@ -12560,7 +12576,7 @@ prio_changed_fair(struct rq *rq, struct task_struct *p, int oldprio)
+@@ -12559,7 +12575,7 @@ prio_changed_fair(struct rq *rq, struct task_struct *p, int oldprio)
  	 */
  	if (task_current(rq, p)) {
  		if (p->prio > oldprio)
@@ -23083,11 +23083,11 @@ index 5007b25c5bc6..95e1b3df1400 100644
  	raw_local_irq_disable();
  
 diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
-index 2e8f26a919ed..649b3b370193 100644
+index 8cbbbea7fdbb..00cdf0db8732 100644
 --- a/kernel/sched/sched.h
 +++ b/kernel/sched/sched.h
 @@ -2438,6 +2438,7 @@ extern void init_sched_fair_class(void);
- extern void reweight_task(struct task_struct *p, int prio);
+ extern void reweight_task(struct task_struct *p, const struct load_weight *lw);
  
  extern void resched_curr(struct rq *rq);
 +extern void resched_curr_lazy(struct rq *rq);
@@ -23146,10 +23146,10 @@ index 3b7d3e9eb6ea..5a4fefbc0856 100644
 -- 
 2.45.2
 
-From 8df619a8de4ee7309baccb3098bf487a38d2f674 Mon Sep 17 00:00:00 2001
+From 8c7eb81022a6d981fd35666afb4cb3c713fc72fd Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Wed, 8 Jul 2015 17:14:48 +0200
-Subject: [PATCH 170/198] arm: Disable jump-label on PREEMPT_RT.
+Subject: [PATCH 170/200] arm: Disable jump-label on PREEMPT_RT.
 
 jump-labels are used to efficiently switch between two possible code
 paths. To achieve this, stop_machine() is used to keep the CPU in a
@@ -23187,10 +23187,10 @@ index 57c0448d017a..dea47ba6576b 100644
 -- 
 2.45.2
 
-From c0e9a98b0d3c6cf32859f2762a416c657a9a5e5e Mon Sep 17 00:00:00 2001
+From 3fcbe46fbc2b3de05938bd97b6f3788ea35f9c61 Mon Sep 17 00:00:00 2001
 From: "Yadi.hu" <yadi.hu@windriver.com>
 Date: Wed, 10 Dec 2014 10:32:09 +0800
-Subject: [PATCH 171/198] ARM: enable irq in translation/section permission
+Subject: [PATCH 171/200] ARM: enable irq in translation/section permission
  fault handlers
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -23283,10 +23283,10 @@ index fef62e4a9edd..622a30243f4a 100644
 -- 
 2.45.2
 
-From 2b902e911ab6a5550f305325cdcfafebdc74d440 Mon Sep 17 00:00:00 2001
+From da90c1ec4875b9c4d7ac666f0d794ac2e3354281 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Thu, 28 Jul 2011 13:32:57 +0200
-Subject: [PATCH 172/198] tty/serial/omap: Make the locking RT aware
+Subject: [PATCH 172/200] tty/serial/omap: Make the locking RT aware
 
 The lock is a sleeping lock and local_irq_save() is not the
 optimsation we are looking for. Redo it to make it work on -RT and
@@ -23331,10 +23331,10 @@ index f4c6ff806465..1097fca22307 100644
 -- 
 2.45.2
 
-From 806bc0d235ff97b290e67b83dd67f9da36810d04 Mon Sep 17 00:00:00 2001
+From 52945309b6536c556f6656536457215588042478 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Tue, 8 Jan 2013 21:36:51 +0100
-Subject: [PATCH 173/198] tty/serial/pl011: Make the locking work on RT
+Subject: [PATCH 173/200] tty/serial/pl011: Make the locking work on RT
 
 The lock is a sleeping lock and local_irq_save() is not the optimsation
 we are looking for. Redo it to make it work on -RT and non-RT.
@@ -23378,10 +23378,10 @@ index 16c770311069..9cd660edb165 100644
 -- 
 2.45.2
 
-From efea34ebf47bfb6e45636fcf424f1d3d3315df85 Mon Sep 17 00:00:00 2001
+From 31bc803789eaa693e39dc7c91ae1c314723085f7 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Fri, 19 May 2023 16:57:29 +0200
-Subject: [PATCH 174/198] ARM: vfp: Provide vfp_lock() for VFP locking.
+Subject: [PATCH 174/200] ARM: vfp: Provide vfp_lock() for VFP locking.
 
 kernel_neon_begin() uses local_bh_disable() to ensure exclusive access
 to the VFP unit. This is broken on PREEMPT_RT because a BH disabled
@@ -23458,10 +23458,10 @@ index 7e8773a2d99d..8d321cdb7ac5 100644
 -- 
 2.45.2
 
-From 254520dceb4e22416beada7cc6467a7e826c65b0 Mon Sep 17 00:00:00 2001
+From a2eb8e492682a634310eba3f3830e75b70367d52 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Fri, 19 May 2023 16:57:30 +0200
-Subject: [PATCH 175/198] ARM: vfp: Use vfp_lock() in vfp_sync_hwstate().
+Subject: [PATCH 175/200] ARM: vfp: Use vfp_lock() in vfp_sync_hwstate().
 
 vfp_sync_hwstate() uses preempt_disable() followed by local_bh_disable()
 to ensure that it won't get interrupted while checking the VFP state.
@@ -23507,10 +23507,10 @@ index 8d321cdb7ac5..3b9360bfc508 100644
 -- 
 2.45.2
 
-From 5b2469b9dcef6b213b236cf38616bda413e28bbe Mon Sep 17 00:00:00 2001
+From 3baa84fe6cb61bda3caff48bfdf6184d268ebfbc Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Wed, 28 Jun 2023 09:36:10 +0200
-Subject: [PATCH 176/198] ARM: vfp: Use vfp_lock() in vfp_support_entry().
+Subject: [PATCH 176/200] ARM: vfp: Use vfp_lock() in vfp_support_entry().
 
 vfp_entry() is invoked from exception handler and is fully preemptible.
 It uses local_bh_disable() to remain uninterrupted while checking the
@@ -23560,10 +23560,10 @@ index 3b9360bfc508..9543f011d0ed 100644
 -- 
 2.45.2
 
-From 74ef0b1ac71b8945bbef78dbe891256ee6eaa073 Mon Sep 17 00:00:00 2001
+From 3ae0a70861ed7d8d75b4c54ab773322e44acecd9 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Wed, 28 Jun 2023 09:39:33 +0200
-Subject: [PATCH 177/198] ARM: vfp: Move sending signals outside of
+Subject: [PATCH 177/200] ARM: vfp: Move sending signals outside of
  vfp_lock()ed section.
 
 VFP_bounce() is invoked from within vfp_support_entry() and may send a
@@ -23686,10 +23686,10 @@ index 9543f011d0ed..9fde36fcb80c 100644
 -- 
 2.45.2
 
-From 0b8426173d444a690f843e9fab84742c5fcddc2b Mon Sep 17 00:00:00 2001
+From fc0a49e37055effd8a80d99ca51fb9e91ac53b82 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Fri, 11 Oct 2019 13:14:29 +0200
-Subject: [PATCH 178/198] ARM: Allow to enable RT
+Subject: [PATCH 178/200] ARM: Allow to enable RT
 
 Allow to select RT.
 
@@ -23722,10 +23722,10 @@ index dea47ba6576b..a154ecd2d3c3 100644
 -- 
 2.45.2
 
-From ce20b68e50d762bd06f157f42482cf752ad2fb47 Mon Sep 17 00:00:00 2001
+From a7b8f883a99ec7c07816571b125001eae98495f8 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Fri, 11 Oct 2019 13:14:35 +0200
-Subject: [PATCH 179/198] ARM64: Allow to enable RT
+Subject: [PATCH 179/200] ARM64: Allow to enable RT
 
 Allow to select RT.
 
@@ -23750,10 +23750,10 @@ index f9777ce2ccb2..9717c564daac 100644
 -- 
 2.45.2
 
-From 22f4e7cdd6af5fcc06e47742008aadff02ac780d Mon Sep 17 00:00:00 2001
+From 6f76d8b829e4350f8f42def01cb26467095c6896 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Fri, 26 Jul 2019 11:30:49 +0200
-Subject: [PATCH 180/198] powerpc: traps: Use PREEMPT_RT
+Subject: [PATCH 180/200] powerpc: traps: Use PREEMPT_RT
 
 Add PREEMPT_RT to the backtrace if enabled.
 
@@ -23789,10 +23789,10 @@ index 2de7f6dcd32b..739f5b179a7f 100644
 -- 
 2.45.2
 
-From 6399a3a2a3d8eb4bc6351359c6e5dd468f9d6ea6 Mon Sep 17 00:00:00 2001
+From 0d276945c8ce6aa0016bbec90e20ab00f2f46001 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Tue, 26 Mar 2019 18:31:54 +0100
-Subject: [PATCH 181/198] powerpc/pseries/iommu: Use a locallock instead
+Subject: [PATCH 181/200] powerpc/pseries/iommu: Use a locallock instead
  local_irq_save()
 
 The locallock protects the per-CPU variable tce_page. The function
@@ -23906,10 +23906,10 @@ index b1e6d275cda9..9a8d3970da3c 100644
 -- 
 2.45.2
 
-From 2b66512ccfa34fc83911dba7c34a2a334ef0b3ad Mon Sep 17 00:00:00 2001
+From 9ae50b2f3a9898f44e3518e6291effe072146961 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Thu, 9 Mar 2023 09:13:52 +0100
-Subject: [PATCH 182/198] powerpc/pseries: Select the generic memory allocator.
+Subject: [PATCH 182/200] powerpc/pseries: Select the generic memory allocator.
 
 The RTAS work area allocator is using the generic memory allocator and
 as such it must select it.
@@ -23938,10 +23938,10 @@ index 4ebf2ef2845d..381c3be3bec1 100644
 -- 
 2.45.2
 
-From 63e82523afd384d5288d1bf7de2bd2980ca74052 Mon Sep 17 00:00:00 2001
+From d12f74dc169aaa3661ed54e616e3e98c1e23ad2e Mon Sep 17 00:00:00 2001
 From: Bogdan Purcareata <bogdan.purcareata@freescale.com>
 Date: Fri, 24 Apr 2015 15:53:13 +0000
-Subject: [PATCH 183/198] powerpc/kvm: Disable in-kernel MPIC emulation for
+Subject: [PATCH 183/200] powerpc/kvm: Disable in-kernel MPIC emulation for
  PREEMPT_RT
 
 While converting the openpic emulation code to use a raw_spinlock_t enables
@@ -23983,10 +23983,10 @@ index 902611954200..2f188137f830 100644
 -- 
 2.45.2
 
-From c1c0cfd42beeb283e27c8b3b5c45747546bde8d8 Mon Sep 17 00:00:00 2001
+From f3c9904e5c191e737726498ec089842a242c3614 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Tue, 26 Mar 2019 18:31:29 +0100
-Subject: [PATCH 184/198] powerpc/stackprotector: work around stack-guard init
+Subject: [PATCH 184/200] powerpc/stackprotector: work around stack-guard init
  from atomic
 
 This is invoked from the secondary CPU in atomic context. On x86 we use
@@ -24022,10 +24022,10 @@ index 283c34647856..4727f40052dd 100644
 -- 
 2.45.2
 
-From bb8f81b7b52c72b4abea2b6a86164352f08c7fa6 Mon Sep 17 00:00:00 2001
+From 0df0a0d051dfaed7ae0f3a03f3f2f990e5072308 Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Fri, 11 Oct 2019 13:14:41 +0200
-Subject: [PATCH 185/198] POWERPC: Allow to enable RT
+Subject: [PATCH 185/200] POWERPC: Allow to enable RT
 
 Allow to select RT.
 
@@ -24058,10 +24058,10 @@ index 2fe51e0ad637..116444551038 100644
 -- 
 2.45.2
 
-From bcef1137b648838645dc4615cf2be7d210a1f1d7 Mon Sep 17 00:00:00 2001
+From 1eca1d3468c701a89e28e59735189ac66ad6d2c7 Mon Sep 17 00:00:00 2001
 From: Evan Green <evan@rivosinc.com>
 Date: Mon, 6 Nov 2023 14:58:55 -0800
-Subject: [PATCH 186/198] RISC-V: Probe misaligned access speed in parallel
+Subject: [PATCH 186/200] RISC-V: Probe misaligned access speed in parallel
 
 Probing for misaligned access speed takes about 0.06 seconds. On a
 system with 64 cores, doing this in smp_callin() means it's done
@@ -24254,10 +24254,10 @@ index 1b8da4e40a4d..2cb5e651412c 100644
 -- 
 2.45.2
 
-From 96fbee3cec4b29a29d5ee882e29beb7b8ddc8a0f Mon Sep 17 00:00:00 2001
+From e051b53809f795682c5608dccbfa7b41b8313fdc Mon Sep 17 00:00:00 2001
 From: Jisheng Zhang <jszhang@kernel.org>
 Date: Tue, 31 Oct 2023 22:35:20 +0800
-Subject: [PATCH 187/198] riscv: add PREEMPT_AUTO support
+Subject: [PATCH 187/200] riscv: add PREEMPT_AUTO support
 
 riscv has switched to GENERIC_ENTRY, so adding PREEMPT_AUTO is as simple
 as adding TIF_ARCH_RESCHED_LAZY related definitions and enabling
@@ -24305,10 +24305,10 @@ index d18ce0113ca1..e18710fe51f0 100644
 -- 
 2.45.2
 
-From 573582c0900748246676da4ed9516f26f503e256 Mon Sep 17 00:00:00 2001
+From 585420a814687313a96fe2f48820d53b6c0810a5 Mon Sep 17 00:00:00 2001
 From: Jisheng Zhang <jszhang@kernel.org>
 Date: Tue, 31 Oct 2023 22:35:21 +0800
-Subject: [PATCH 188/198] riscv: allow to enable RT
+Subject: [PATCH 188/200] riscv: allow to enable RT
 
 Now, it's ready to enable RT on riscv.
 
@@ -24333,10 +24333,10 @@ index ea01aa411e2c..e05c170781c6 100644
 -- 
 2.45.2
 
-From 96705982edc5d56b1e487873115e605e6fd80214 Mon Sep 17 00:00:00 2001
+From 83df018e7cc966e1e46443d3073340ce16206ddc Mon Sep 17 00:00:00 2001
 From: Clark Williams <williams@redhat.com>
 Date: Sat, 30 Jul 2011 21:55:53 -0500
-Subject: [PATCH 189/198] sysfs: Add /sys/kernel/realtime entry
+Subject: [PATCH 189/200] sysfs: Add /sys/kernel/realtime entry
 
 Add a /sys/kernel entry to indicate that the kernel is a
 realtime kernel.
@@ -24387,10 +24387,10 @@ index 1d4bc493b2f4..486c68c11bbe 100644
 -- 
 2.45.2
 
-From 107a68ddae93d163c95c914a1cc1271fbfb21b83 Mon Sep 17 00:00:00 2001
+From 4ab189a9e35edbb3d87000a96f48c81934cf790f Mon Sep 17 00:00:00 2001
 From: Clark Williams <clark.williams@gmail.com>
 Date: Mon, 5 Feb 2024 14:04:38 -0600
-Subject: [PATCH 190/198] arch/riscv: check_unaligned_acces(): don't alloc page
+Subject: [PATCH 190/200] arch/riscv: check_unaligned_acces(): don't alloc page
  for check
 
 Drop the alloc_pages() call since the page is passed in as
@@ -24422,10 +24422,10 @@ index 9d8b6b463592..dd118773e717 100644
 -- 
 2.45.2
 
-From 40be968914f9acea3772bdebaac8a285388d34b1 Mon Sep 17 00:00:00 2001
+From 69bf5b5f3dd79e298acc2a4b6b22140c472a6321 Mon Sep 17 00:00:00 2001
 From: Clark Williams <clark.williams@gmail.com>
 Date: Tue, 6 Feb 2024 12:17:19 -0600
-Subject: [PATCH 191/198] Revert "preempt: Put preempt_enable() within an
+Subject: [PATCH 191/200] Revert "preempt: Put preempt_enable() within an
  instrumentation*() section."
 
 This reverts commit cc3d27d9fdeddcb82db3ea176a44a5509e70eb1c.
@@ -24469,10 +24469,10 @@ index cd16f0330fba..9aa6358a1a16 100644
 -- 
 2.45.2
 
-From 7482bf8052bc7ec78eecfb4aea975efac52346de Mon Sep 17 00:00:00 2001
+From 77dbb0def582e5d2d9f82185289e2fc74196ab35 Mon Sep 17 00:00:00 2001
 From: Thomas Gleixner <tglx@linutronix.de>
 Date: Fri, 8 Jul 2011 20:25:16 +0200
-Subject: [PATCH 192/198] Add localversion for -RT release
+Subject: [PATCH 192/200] Add localversion for -RT release
 
 Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
 ---
@@ -24490,10 +24490,10 @@ index 000000000000..483ad771f201
 -- 
 2.45.2
 
-From ce870c6f1a9532af1f64d4b367d66c162a7e6d76 Mon Sep 17 00:00:00 2001
+From a879175afc8b430c8456afedbe47e3689bb9febc Mon Sep 17 00:00:00 2001
 From: Clark Williams <clark.williams@gmail.com>
 Date: Tue, 27 Feb 2024 17:13:28 -0600
-Subject: [PATCH 193/198] Linux 6.6.18-rt23 REBASE
+Subject: [PATCH 193/200] Linux 6.6.18-rt23 REBASE
 
 Signed-off-by: Clark Williams <clark.williams@gmail.com>
 ---
@@ -24510,10 +24510,10 @@ index 483ad771f201..9a218ca23053 100644
 -- 
 2.45.2
 
-From ad7895ab3fb369251ef0bf65ad545f8b8c7126ae Mon Sep 17 00:00:00 2001
+From 7d4540446deab8fbe3db82b11920b40f6e35948b Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Tue, 23 Jan 2024 12:56:21 +0100
-Subject: [PATCH 194/198] arm: Disable FAST_GUP on PREEMPT_RT if HIGHPTE is
+Subject: [PATCH 194/200] arm: Disable FAST_GUP on PREEMPT_RT if HIGHPTE is
  also enabled.
 
 gup_pgd_range() is invoked with disabled interrupts and invokes
@@ -24552,10 +24552,10 @@ index a154ecd2d3c3..e5a283851c02 100644
 -- 
 2.45.2
 
-From d7393ac8c5e11f0520b791b8b0bfecd736e0f99d Mon Sep 17 00:00:00 2001
+From 3259e01628d422b8949cf293be11999aaa9f101b Mon Sep 17 00:00:00 2001
 From: Junxiao Chang <junxiao.chang@intel.com>
 Date: Tue, 23 Jan 2024 13:40:32 +0800
-Subject: [PATCH 195/198] printk: nbcon: move locked_port flag to struct
+Subject: [PATCH 195/200] printk: nbcon: move locked_port flag to struct
  uart_port
 
 Console pointer in uart_port might be shared among multiple uart
@@ -24648,10 +24648,10 @@ index 1b1b585b1675..b53d93585ee7 100644
 -- 
 2.45.2
 
-From b69ef9cefa816bb3e83da37e75405f82c778edd0 Mon Sep 17 00:00:00 2001
+From 7e85381d11952023d44d5fbd03b96f4c0b33c5d2 Mon Sep 17 00:00:00 2001
 From: Clark Williams <clark.williams@gmail.com>
 Date: Tue, 25 Jun 2024 17:08:39 -0500
-Subject: [PATCH 196/198] Linux 6.6.35-rt34 REBASE
+Subject: [PATCH 196/200] Linux 6.6.35-rt34 REBASE
 
 Signed-off-by: Clark Williams <clark.williams@gmail.com>
 ---
@@ -24668,10 +24668,10 @@ index 9a218ca23053..21988f9ad53f 100644
 -- 
 2.45.2
 
-From 310ade92c6ecd6c0bd4d59080616ab99ec63b436 Mon Sep 17 00:00:00 2001
+From 3838d2044a0bee77d9ed551e7484c710014e398e Mon Sep 17 00:00:00 2001
 From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
 Date: Thu, 20 Jun 2024 11:21:13 +0200
-Subject: [PATCH 197/198] prinkt/nbcon: Add a scheduling point to
+Subject: [PATCH 197/200] prinkt/nbcon: Add a scheduling point to
  nbcon_kthread_func().
 
 Constant printing can lead to a CPU hog in nbcon_kthread_func(). The
@@ -24709,10 +24709,10 @@ index b53d93585ee7..b941039ee7d2 100644
 -- 
 2.45.2
 
-From aa5bc3af0aeef0776dffc7bbbb02dd731ef6b9ff Mon Sep 17 00:00:00 2001
+From 9d488acbe8b345ff1f04789043498a3a9d928a08 Mon Sep 17 00:00:00 2001
 From: Clark Williams <clark.williams@gmail.com>
 Date: Sun, 28 Jul 2024 15:53:21 -0500
-Subject: [PATCH 198/198] Linux 6.6.43-rt38 REBASE
+Subject: [PATCH 198/200] Linux 6.6.43-rt38 REBASE
 
 Signed-off-by: Clark Williams <clark.williams@gmail.com>
 ---
@@ -24729,3 +24729,59 @@ index 21988f9ad53f..49bae8d6aa67 100644
 -- 
 2.45.2
 
+From cea05c7dc6b60be3377cb435d00464ebb1e58d3c Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Mon, 5 Aug 2024 09:48:12 -0500
+Subject: [PATCH 199/200] riscv: Add return value to check_unaligned_access().
+
+The stable backport of commit c20d36cc2a207 ("riscv: don't probe
+unaligned access speed if already done") added a `return' stament to
+check_unaligned_access(). The return value of the function is `void' but
+the RT tree has the backport of commit 73cf6167ef44c ("RISC-V: Probe
+misaligned access speed in parallel") which changes the return type to
+`int'.
+
+Make the return statement return 0.
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Signed-off-by: Clark Williams <clark.williams@gmail.com>
+---
+ arch/riscv/kernel/cpufeature.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c
+index dd118773e717..347cdf56f3a1 100644
+--- a/arch/riscv/kernel/cpufeature.c
++++ b/arch/riscv/kernel/cpufeature.c
+@@ -588,7 +588,7 @@ static int check_unaligned_access(void *param)
+ 
+ 	/* We are already set since the last check */
+ 	if (per_cpu(misaligned_access_speed, cpu) != RISCV_HWPROBE_MISALIGNED_UNKNOWN)
+-		return;
++		return 0;
+ 
+ 	/* Make an unaligned destination buffer. */
+ 	dst = (void *)((unsigned long)page_address(page) | 0x1);
+-- 
+2.45.2
+
+From 1f943bc825265e0213a171e0b60e696817796d24 Mon Sep 17 00:00:00 2001
+From: Clark Williams <clark.williams@gmail.com>
+Date: Tue, 6 Aug 2024 13:36:02 -0500
+Subject: [PATCH 200/200] Linux 6.6.44-rt39 REBASE
+
+Signed-off-by: Clark Williams <clark.williams@gmail.com>
+---
+ localversion-rt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/localversion-rt b/localversion-rt
+index 49bae8d6aa67..5498386d0d0c 100644
+--- a/localversion-rt
++++ b/localversion-rt
+@@ -1 +1 @@
+--rt38
++-rt39
+-- 
+2.45.2
+
diff --git a/SPECS-EXTENDED/libuser/libuser-0.63-PR49_add_yescrypt.patch b/SPECS-EXTENDED/libuser/libuser-0.63-PR49_add_yescrypt.patch
deleted file mode 100644
index 18a767d98ac..00000000000
--- a/SPECS-EXTENDED/libuser/libuser-0.63-PR49_add_yescrypt.patch
+++ /dev/null
@@ -1,260 +0,0 @@
-From 3b8a2aa52bcee6e03f047840251ae42ab971a8a0 Mon Sep 17 00:00:00 2001
-From: Björn Esser <besser82@fedoraproject.org>
-Date: Jun 07 2021 20:25:41 +0000
-Subject: [PATCH 1/5] lib/util.c: bcrypt should use $2b$ as prefix for setting.
-
-
-This prefix is the recommended one for new bcrypt hashes
-for a long time.
-
-Signed-off-by: Björn Esser <besser82@fedoraproject.org>
-
----
-
-diff --git a/lib/util.c b/lib/util.c
-index 1b03f7d..e549a35 100644
---- a/lib/util.c
-+++ b/lib/util.c
-@@ -124,7 +124,7 @@ static const struct {
- } salt_type_info[] = {
- 	{"$1$", "$", 8, FALSE },
- 	/* FIXME: number of rounds, base64 of 128 bits */
--	{"$2a$", "$", 8, FALSE },
-+	{"$2b$", "$", 8, FALSE },
- 	{"$5$", "$", 16, TRUE },
- 	{"$6$", "$", 16, TRUE },
- 	{ "", "", 2 },
-@@ -231,7 +231,7 @@ lu_util_default_salt_specifier(struct lu_context *context)
- 	} salt_types[] = {
- 		{ "des", "", FALSE },
- 		{ "md5", "$1$", FALSE },
--		{ "blowfish", "$2a$", FALSE },
-+		{ "blowfish", "$2b$", FALSE },
- 		{ "sha256", "$5$", TRUE },
- 		{ "sha512", "$6$", TRUE },
- 	};
-
-From 9dcc69425677cf510ec6da5ababfdd295f875c1a Mon Sep 17 00:00:00 2001
-From: Björn Esser <besser82@fedoraproject.org>
-Date: Jun 17 2021 15:34:02 +0000
-Subject: [PATCH 2/5] lib/util.c: Use crypt_gensalt(), if available in libcrypt.
-
-
-Most Linux distributions, including Fedora and RHEL 8, are shipping
-with libxcrypt >= 4.0.
-
-Since that version of libxcrypt the provided family of crypt_gensalt()
-functions are able to use automatic entropy drawn from secure system
-ressources, like arc4random(), getentropy() or getrandom().
-
-Anyways, the settings generated by crypt_gensalt() are always
-guaranteed to works with the crypt() function.
-
-Using crypt_gesalt() is also needed to make proper use of newer
-hashing methods, like yescrypt, provided by libxcrypt.
-
-Signed-off-by: Björn Esser <besser82@fedoraproject.org>
-
----
-
-diff --git a/lib/util.c b/lib/util.c
-index e549a35..b6db2af 100644
---- a/lib/util.c
-+++ b/lib/util.c
-@@ -43,6 +43,13 @@
- #define HASH_ROUNDS_MIN 1000
- #define HASH_ROUNDS_MAX 999999999
- 
-+#if (defined CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY && \
-+     CRYPT_GENSALT_IMPLEMENTS_AUTO_ENTROPY)
-+#define USE_XCRYPT_GENSALT 1
-+#else
-+#define USE_XCRYPT_GENSALT 0
-+#endif
-+
- struct lu_lock {
- 	int fd;
- 	struct flock lock;
-@@ -66,6 +73,7 @@ lu_strcmp(gconstpointer v1, gconstpointer v2)
- 	return strcmp((char *) v1, (char *) v2);
- }
- 
-+#if !USE_XCRYPT_GENSALT
- /* A list of allowed salt characters, according to SUSv2. */
- #define ACCEPTABLE "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \
- 		   "abcdefghijklmnopqrstuvwxyz" \
-@@ -115,6 +123,7 @@ fill_urandom(char *output, size_t length)
- 	close(fd);
- 	return TRUE;
- }
-+#endif
- 
- static const struct {
- 	const char initial[5];
-@@ -135,6 +144,9 @@ lu_make_crypted(const char *plain, const char *previous)
- {
- 	char salt[2048];
- 	size_t i, len = 0;
-+#if USE_XCRYPT_GENSALT
-+	unsigned long rounds = 0;
-+#endif
- 
- 	if (previous == NULL) {
- 		previous = LU_DEFAULT_SALT_TYPE;
-@@ -151,6 +163,23 @@ lu_make_crypted(const char *plain, const char *previous)
- 
- 	if (salt_type_info[i].sha_rounds != FALSE
- 	    && strncmp(previous + len, "rounds=", strlen("rounds=")) == 0) {
-+#if USE_XCRYPT_GENSALT
-+		const char *start;
-+		char *end;
-+
-+		start = previous + len + strlen("rounds=");
-+		rounds = strtoul (start, &end, 10);
-+
-+		if (rounds < HASH_ROUNDS_MIN)
-+			rounds = HASH_ROUNDS_MIN;
-+		else if (rounds > HASH_ROUNDS_MAX)
-+			rounds = HASH_ROUNDS_MAX;
-+	}
-+
-+	g_assert(CRYPT_GENSALT_OUTPUT_SIZE <= sizeof(salt));
-+
-+	crypt_gensalt_rn(previous, rounds, NULL, 0, salt, sizeof(salt));
-+#else
- 		const char *start, *end;
- 
- 		start = previous + len + strlen("rounds=");
-@@ -168,6 +197,7 @@ lu_make_crypted(const char *plain, const char *previous)
- 		return NULL;
- 	strcpy(salt + len + salt_type_info[i].salt_length,
- 	       salt_type_info[i].separator);
-+#endif
- 
- 	return crypt(plain, salt);
- }
-@@ -251,13 +281,18 @@ lu_util_default_salt_specifier(struct lu_context *context)
- 
- found:
- 	if (salt_types[i].sha_rounds != FALSE) {
--		unsigned long rounds;
-+		unsigned long rounds = 0;
- 
- 		rounds = select_hash_rounds(context);
-+#if USE_XCRYPT_GENSALT
-+		return g_strdup(crypt_gensalt(salt_types[i].initializer,
-+					      rounds, NULL, 0));
-+#else
- 		if (rounds != 0)
- 			return g_strdup_printf("%srounds=%lu$",
- 					       salt_types[i].initializer,
- 					       rounds);
-+#endif
- 	}
- 	return g_strdup(salt_types[i].initializer);
- }
-
-From 2d40503977df3855f1415db995833ae4231e7944 Mon Sep 17 00:00:00 2001
-From: Björn Esser <besser82@fedoraproject.org>
-Date: Jun 17 2021 15:34:02 +0000
-Subject: [PATCH 3/5] lib/util.c: Add yescrypt hashing method for user passwords.
-
-
-The yescrypt hashing method is considered to be much stronger than
-sha512crypt and fully supported by libxcrypt >= 4.3.  It is based
-on NIST-approved primitives and on par with argon2 in strength.
-
-Signed-off-by: Björn Esser <besser82@fedoraproject.org>
-
----
-
-diff --git a/lib/util.c b/lib/util.c
-index b6db2af..bba9420 100644
---- a/lib/util.c
-+++ b/lib/util.c
-@@ -50,6 +50,14 @@
- #define USE_XCRYPT_GENSALT 0
- #endif
- 
-+#if ((defined XCRYPT_VERSION_NUM && \
-+      XCRYPT_VERSION_NUM >= ((4 << 16) | 3)) && \
-+      USE_XCRYPT_GENSALT)
-+#define HAVE_YESCRYPT 1
-+#else
-+#define HAVE_YESCRYPT 0
-+#endif
-+
- struct lu_lock {
- 	int fd;
- 	struct flock lock;
-@@ -136,6 +144,9 @@ static const struct {
- 	{"$2b$", "$", 8, FALSE },
- 	{"$5$", "$", 16, TRUE },
- 	{"$6$", "$", 16, TRUE },
-+#if HAVE_YESCRYPT
-+	{"$y$", "$", 24, FALSE },
-+#endif
- 	{ "", "", 2 },
- };
- 
-@@ -264,6 +275,9 @@ lu_util_default_salt_specifier(struct lu_context *context)
- 		{ "blowfish", "$2b$", FALSE },
- 		{ "sha256", "$5$", TRUE },
- 		{ "sha512", "$6$", TRUE },
-+#if HAVE_YESCRYPT
-+		{ "yescrypt", "$y$", FALSE },
-+#endif
- 	};
- 
- 	const char *salt_type;
-
-From 71ef71fe1878a321612e1995cb5c59dcb501ff01 Mon Sep 17 00:00:00 2001
-From: Björn Esser <besser82@fedoraproject.org>
-Date: Jun 17 2021 15:34:02 +0000
-Subject: [PATCH 4/5] docs/libuser.conf.5.in: Add yescrypt parameter for crypt_style.
-
-
-Signed-off-by: Björn Esser <besser82@fedoraproject.org>
-
----
-
-diff --git a/docs/libuser.conf.5.in b/docs/libuser.conf.5.in
-index 2af0828..bd1daa7 100644
---- a/docs/libuser.conf.5.in
-+++ b/docs/libuser.conf.5.in
-@@ -69,8 +69,8 @@ The current algorithm may be retained
- when changing a password of an existing user, depending on the application.
- 
- Possible values are \fBdes\fR, \fBmd5\fR, \fBblowfish\fR,
--.B sha256
--and \fBsha512\fR, all case-insensitive.
-+.B sha256,
-+\fBsha512\fR, and \fByescrypt\fR, all case-insensitive.
- Unrecognized values are treated as \fBdes\fR.
- Default value is \fBdes\fR.
- 
-
-From 284b3195393688105b112b905069e0225c3046d2 Mon Sep 17 00:00:00 2001
-From: Björn Esser <besser82@fedoraproject.org>
-Date: Jun 17 2021 15:34:02 +0000
-Subject: [PATCH 5/5] libuser.conf: Use yescrypt as default value for crypt_style.
-
-
-Signed-off-by: Björn Esser <besser82@fedoraproject.org>
-
----
-
-diff --git a/libuser.conf b/libuser.conf
-index 8ff5b2e..cd25eb2 100644
---- a/libuser.conf
-+++ b/libuser.conf
-@@ -17,7 +17,7 @@ default_useradd = /etc/default/useradd
- # skeleton = /etc/skel
- # mailspooldir = /var/mail
- 
--crypt_style = sha512
-+crypt_style = yescrypt
- modules = files shadow
- create_modules = files shadow
- # modules = files shadow ldap
-
diff --git a/SPECS-EXTENDED/libuser/libuser-0.63-downstream_test_xcrypt.patch b/SPECS-EXTENDED/libuser/libuser-0.63-downstream_test_xcrypt.patch
deleted file mode 100644
index 8375740b784..00000000000
--- a/SPECS-EXTENDED/libuser/libuser-0.63-downstream_test_xcrypt.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff --git a/tests/pwhash_test b/tests/pwhash_test
-index ff89d60..525885e 100755
---- a/tests/pwhash_test
-+++ b/tests/pwhash_test
-@@ -77,6 +77,22 @@ if [ "x${pw#\$6\$}" = "x$pw" ]; then
-     exit 1
- fi
- 
-+cp "${LIBUSER_CONF}_" "$LIBUSER_CONF"
-+echo 'crypt_style = blowfish' >> "$LIBUSER_CONF"
-+pw=$(workdir="$workdir" $VALGRIND $PYTHON "$srcdir"/pwhash.py)
-+if [ "x${pw#\$2b\$}" = "x$pw" ]; then
-+    echo "Invalid BLOWFISH hash" >&2
-+    exit 1
-+fi
-+
-+cp "${LIBUSER_CONF}_" "$LIBUSER_CONF"
-+echo 'crypt_style = yescrypt' >> "$LIBUSER_CONF"
-+pw=$(workdir="$workdir" $VALGRIND $PYTHON "$srcdir"/pwhash.py)
-+if [ "x${pw#\$y\$}" = "x$pw" ]; then
-+    echo "Invalid YESCRYPT hash" >&2
-+    exit 1
-+fi
-+
- cp "${LIBUSER_CONF}_" "$LIBUSER_CONF"
- cat >> "$LIBUSER_CONF" <<\EOF
- crypt_style = sha256
diff --git a/SPECS-EXTENDED/libuser/libuser.signatures.json b/SPECS-EXTENDED/libuser/libuser.signatures.json
deleted file mode 100644
index 83ddbb4bdab..00000000000
--- a/SPECS-EXTENDED/libuser/libuser.signatures.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "Signatures": {
-  "libuser-0.63.tar.xz": "8dc377255452a68e82c4837ba22c3ee4ae3658971bf0f2ef67ed0b77fc497f91"
- }
-}
diff --git a/SPECS-EXTENDED/mock-core-configs/mock-core-configs.signatures.json b/SPECS-EXTENDED/mock-core-configs/mock-core-configs.signatures.json
deleted file mode 100644
index 149cc6dcc71..00000000000
--- a/SPECS-EXTENDED/mock-core-configs/mock-core-configs.signatures.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "Signatures": {
-  "mock-core-configs-36.4.tar.gz": "25213ef6e6a988f372556396180d33393fbd252033b6a5289455c732d3ea2df1"
- }
-}
diff --git a/SPECS-EXTENDED/mock/mock.signatures.json b/SPECS-EXTENDED/mock/mock.signatures.json
deleted file mode 100644
index 0da88ce12d2..00000000000
--- a/SPECS-EXTENDED/mock/mock.signatures.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "Signatures": {
-  "mock-2.16.tar.gz": "2e62bfedb159ca6331f490e7b0180ff9216959f43cfadcae8dc183167b3ef0c3"
- }
-}
diff --git a/SPECS-EXTENDED/mosh/mosh.signatures.json b/SPECS-EXTENDED/mosh/mosh.signatures.json
new file mode 100644
index 00000000000..362fd010ebc
--- /dev/null
+++ b/SPECS-EXTENDED/mosh/mosh.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "mosh-1.4.0.tar.gz": "872e4b134e5df29c8933dff12350785054d2fd2839b5ae6b5587b14db1465ddd"
+ }
+}
diff --git a/SPECS-EXTENDED/mosh/mosh.spec b/SPECS-EXTENDED/mosh/mosh.spec
new file mode 100644
index 00000000000..b0ffe7dada1
--- /dev/null
+++ b/SPECS-EXTENDED/mosh/mosh.spec
@@ -0,0 +1,231 @@
+Name:           mosh
+Version:        1.4.0
+Release:        7%{?dist}
+Summary:        Mobile shell that supports roaming and intelligent local echo
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+
+License:        GPLv3+
+URL:            https://mosh.mit.edu/
+Source0:        https://github.com/mobile-shell/mosh/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
+
+BuildRequires:  libutempter-devel
+BuildRequires:  ncurses-devel
+BuildRequires:  openssl-devel
+BuildRequires:  perl-diagnostics
+BuildRequires:  perl-generators
+BuildRequires:  protobuf-compiler
+BuildRequires:  protobuf-devel
+BuildRequires:  protobuf-static
+BuildRequires:  zlib-devel
+BuildRequires:  gcc
+BuildRequires:  gcc-c++
+BuildRequires:  make
+Requires:       openssh-clients
+Requires:       openssl
+Requires:       perl-IO-Socket-IP
+
+%description
+Mosh is a remote terminal application that supports:
+  - intermittent network connectivity,
+  - roaming to different IP address without dropping the connection, and
+  - intelligent local echo and line editing to reduce the effects
+    of "network lag" on high-latency connections.
+
+
+%prep
+%autosetup -p1
+
+
+%build
+export CXXFLAGS="${CXXFLAGS} -std=c++17"
+%configure --disable-silent-rules CC=gcc CXX=g++
+%make_build
+
+
+%install
+%make_install
+
+
+%files
+%doc README.md ChangeLog
+%license COPYING
+%{_bindir}/mosh
+%{_bindir}/mosh-client
+%{_bindir}/mosh-server
+%{_mandir}/man1/mosh.1.gz
+%{_mandir}/man1/mosh-client.1.gz
+%{_mandir}/man1/mosh-server.1.gz
+
+
+%changelog
+- Tue Sep 24 2024 Rohit Rawat <rohitrawat@microsoft.com> - 1.4.0-7
+- AzureLinux move from 2.0 branch to 3.0
+
+* Sun Aug 11 2024 Chris Co <chrco@microsoft.com> - 1.4.0-6
+- Initial Azure Linux import from Fedora 40 (license: MIT)
+- License verified
+
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Oct 26 2022 Alex Chernyakhovsky <achernya@mit.edu> - 1.4.0-1
+- Update to mosh 1.4.0
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue Apr 05 2022 Michal Josef Špaček <mspacek@redhat.com> - 1.3.2-14
+- Remove dependency to obsolete IO::Socket::INET6
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 1.3.2-12
+- Rebuilt for protobuf 3.19.0
+
+* Tue Oct 26 2021 Adrian Reber <adrian@lisas.de> - 1.3.2-11
+- Rebuilt for protobuf 3.18.1
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.3.2-10
+- Rebuilt with OpenSSL 3.0.0
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Jan 14 08:32:44 CET 2021 Adrian Reber <adrian@lisas.de> - 1.3.2-7
+- Rebuilt for protobuf 3.14
+
+* Thu Sep 24 2020 Adrian Reber <adrian@lisas.de> - 1.3.2-6
+- Rebuilt for protobuf 3.13
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Sun Jun 14 2020 Adrian Reber <adrian@lisas.de> - 1.3.2-4
+- Rebuilt for protobuf 3.12
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Dec 19 2019 Orion Poplawski <orion@nwra.com> - 1.3.2-2
+- Rebuild for protobuf 3.11
+
+* Sun Sep 22 2019 Alex Chernyakhovsky <achernya@mit.edu> - 1.3.2-1
+- Update to mosh 1.3.2
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Nov 21 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.3.0-9
+- Rebuild for protobuf 3.6
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Nov 29 2017 Igor Gnatenko <ignatenko@redhat.com> - 1.3.0-6
+- Rebuild for protobuf 3.5
+
+* Mon Nov 13 2017 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.3.0-5
+- Rebuild for protobuf 3.4
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Jun 13 2017 Orion Poplawski <orion@cora.nwra.com> - 1.3.0-2
+- Rebuild for protobuf 3.3.1
+
+* Sun Mar 26 2017 Alex Chernyakhovsky <achernya@mit.edu> - 1.3.0-1
+- Update to mosh 1.3.0
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.6-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Jan 26 2017 Orion Poplawski <orion@cora.nwra.com> - 1.2.6-3
+- Rebuild for protobuf 3.2.0
+
+* Sat Nov 19 2016 Orion Poplawski <orion@cora.nwra.com> - 1.2.6-2
+- Rebuild for protobuf 3.1.0
+
+* Wed Aug 10 2016 Alex Chernyakhovsky <achernya@mit.edu> - 1.2.6-1
+- Update to mosh 1.2.6
+
+* Mon Feb 08 2016 Ralf Corsépius <corsepiu@fedoraproject.org> - 1.2.5-3
+- Let package honor RPM_OPT_FLAGS (Fix F24FTBFS).
+- Add %%license.
+- Make building verbose.
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Aug  6 2015 Alex Chernyakhovsky <achernya@mit.edu> - 1.2.5-1
+- Update to mosh 1.2.5
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.4-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sun Apr 26 2015 Alex Chernyakhovsky <achernya@mit.edu> - 1.2.4-6
+- Rebuild for protobuf version bump.
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> - 1.2.4-2
+- Perl 5.18 rebuild
+
+* Wed Mar 27 2013 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2.4-1
+- Update to mosh 1.2.4
+
+* Sun Mar 10 2013 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2.3-3
+- Rebuilt for Protobuf API change from 2.4.1 to 2.5.0
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Fri Oct 19 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2.3-1
+- Update to mosh 1.2.3
+
+* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Wed Jun 13 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2.2-1
+- Update to mosh 1.2.2
+
+* Sat Apr 28 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2-2
+- Add -g and -O2 CFLAGS
+
+* Fri Apr 27 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.2-1
+- Update to mosh 1.2.
+
+* Mon Mar 26 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.1.1-1
+- Update to mosh 1.1.1.
+
+* Wed Mar 21 2012 Alexander Chernyakhovsky <achernya@mit.edu> - 1.1-1
+- Initial packaging for mosh.
diff --git a/SPECS-EXTENDED/perl-Algorithm-C3/perl-Algorithm-C3.signatures.json b/SPECS-EXTENDED/perl-Algorithm-C3/perl-Algorithm-C3.signatures.json
deleted file mode 100644
index 14fe89e81bc..00000000000
--- a/SPECS-EXTENDED/perl-Algorithm-C3/perl-Algorithm-C3.signatures.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "Signatures": {
-  "perl-Algorithm-C3-0.10.tar.gz": "5acf3a074025e9be10da352adc6d1ccadde4b61b6d6691e83248d366bb621406"
- }
-}
diff --git a/SPECS-EXTENDED/perl-Devel-Caller/perl-Devel-Caller.signatures.json b/SPECS-EXTENDED/perl-Devel-Caller/perl-Devel-Caller.signatures.json
deleted file mode 100644
index 58d8b5196fe..00000000000
--- a/SPECS-EXTENDED/perl-Devel-Caller/perl-Devel-Caller.signatures.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "Signatures": {
-  "perl-Devel-Caller-2.06.tar.gz": "6a73ae6a292834255b90da9409205425305fcfe994b148dcb6d2d6ef628db7df"
- }
-}
diff --git a/SPECS-EXTENDED/perl-PadWalker/perl-PadWalker.signatures.json b/SPECS-EXTENDED/perl-PadWalker/perl-PadWalker.signatures.json
deleted file mode 100644
index 763032d814c..00000000000
--- a/SPECS-EXTENDED/perl-PadWalker/perl-PadWalker.signatures.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "Signatures": {
-  "perl-PadWalker-2.3.tar.gz": "2a6c44fb600861e54568e74081a8d1f121f0060076069ceab34b1ae89d6588cf"
- }
-}
diff --git a/SPECS-EXTENDED/perl-Sub-Install/perl-Sub-Install.signatures.json b/SPECS-EXTENDED/perl-Sub-Install/perl-Sub-Install.signatures.json
deleted file mode 100644
index 1e5e5382b7c..00000000000
--- a/SPECS-EXTENDED/perl-Sub-Install/perl-Sub-Install.signatures.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "Signatures": {
-  "perl-Sub-Install-0.928.tar.gz": "61e567a7679588887b7b86d427bc476ea6d77fffe7e0d17d640f89007d98ef0f"
- }
-}
diff --git a/SPECS-EXTENDED/perl-Sub-Name/perl-Sub-Name.signatures.json b/SPECS-EXTENDED/perl-Sub-Name/perl-Sub-Name.signatures.json
deleted file mode 100644
index d1ba3c6cd8a..00000000000
--- a/SPECS-EXTENDED/perl-Sub-Name/perl-Sub-Name.signatures.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "Signatures": {
-  "perl-Sub-Name-0.26.tar.gz": "2d2f2d697d516c89547e7c4307f1e79441641cae2c7395e7319b306d390df105"
- }
-}
diff --git a/SPECS-EXTENDED/perl-Test-Without-Module/perl-Test-Without-Module.signatures.json b/SPECS-EXTENDED/perl-Test-Without-Module/perl-Test-Without-Module.signatures.json
deleted file mode 100644
index 192a7dc0756..00000000000
--- a/SPECS-EXTENDED/perl-Test-Without-Module/perl-Test-Without-Module.signatures.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "Signatures": {
-  "perl-Test-Without-Module-0.20.tar.gz": "8e9aeb7c32a6c6d0b8a93114db2a8c072721273a9d9a2dd4f9ca86cfd28aa524"
- }
-}
diff --git a/SPECS-EXTENDED/podman/podman.spec b/SPECS-EXTENDED/podman/podman.spec
index d30a2e4a53e..a90ce63e49d 100644
--- a/SPECS-EXTENDED/podman/podman.spec
+++ b/SPECS-EXTENDED/podman/podman.spec
@@ -35,7 +35,7 @@
 
 Name:           podman
 Version:        4.1.1
-Release:        25%{?dist}
+Release:        26%{?dist}
 License:        ASL 2.0 and BSD and ISC and MIT and MPLv2.0
 Summary:        Manage Pods, Containers and Container Images
 Vendor:         Microsoft Corporation
@@ -50,7 +50,7 @@ BuildRequires:  go-md2man
 BuildRequires:  golang
 BuildRequires:  gcc
 BuildRequires:  glib2-devel
-BuildRequires:  glibc-static >= 2.38-7%{?dist}
+BuildRequires:  glibc-static >= 2.38-8%{?dist}
 BuildRequires:  git
 BuildRequires:  go-rpm-macros
 BuildRequires:  gpgme-devel
@@ -386,6 +386,9 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
 
 # rhcontainerbot account currently managed by lsm5
 %changelog
+* Mon Aug 26 2024 Rachel Menge <rachelmenge@microsoft.com> - 4.1.1-26
+- Update to build dep latest glibc-static version
+
 * Wed Aug 21 2024 Chris Co <chrco@microsoft.com> - 4.1.1-25
 - Bump to rebuild with updated glibc
 
diff --git a/SPECS-EXTENDED/python-argcomplete/python-argcomplete.spec b/SPECS-EXTENDED/python-argcomplete/python-argcomplete.spec
index 8b96444418c..5ed26bc9b0e 100644
--- a/SPECS-EXTENDED/python-argcomplete/python-argcomplete.spec
+++ b/SPECS-EXTENDED/python-argcomplete/python-argcomplete.spec
@@ -7,14 +7,14 @@ Distribution:   Azure Linux
 Name:          python-%{modname}
 Summary:       Bash tab completion for argparse
 Version:       1.10.0
-Release:       6%{?dist}
+Release:       7%{?dist}
 License:       ASL 2.0
 URL:           https://github.com/kislyuk/argcomplete
 Source0:       %pypi_source argcomplete
 
 %if %{with check}
 BuildRequires: tcsh
-BuildRequires: fish
+#BuildRequires: fish
 %endif
 
 BuildArch:     noarch
@@ -84,6 +84,9 @@ install -p -m0644 %{buildroot}%{python3_sitelib}/%{modname}/bash_completion.d/py
 %{_sysconfdir}/bash_completion.d/python-argcomplete.sh
 
 %changelog
+* Wed Sep 25 2024 Muhammad Falak <mwani@microsoft.com> - 1.10.0-7
+- Drop BR on fish to enable build
+
 * Mon Jul 05 2022 Daniel McIlvaney <damcilva@microsoft.com> - 1.10.0-6
 - Bump release due to bump in fish to 3.5.0.
 - License verified.
diff --git a/SPECS-EXTENDED/python-extras/python-extras.spec b/SPECS-EXTENDED/python-extras/python-extras.spec
index 8fdb354f5f4..294caf63f15 100644
--- a/SPECS-EXTENDED/python-extras/python-extras.spec
+++ b/SPECS-EXTENDED/python-extras/python-extras.spec
@@ -11,10 +11,10 @@
 Summary:        Useful extra bits for Python
 Name:           python-extras
 Version:        1.0.0
-Release:        15%{?dist}
+Release:        16%{?dist}
 License:        MIT
 URL:            https://github.com/testing-cabal/extras
-Vendor:         Microsoft
+Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Source0:        https://pypi.io/packages/source/e/extras/extras-%{version}.tar.gz
 BuildArch:      noarch
@@ -62,6 +62,10 @@ rm -vrf *.egg-info
 %{python3_sitelib}/extras-*.egg-info/
 
 %changelog
+* Tue Sep 03 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.0.0-16
+- Release bump to fix package information.
+- License verified.
+
 * Tue Oct 13 2020 Steve Laughman <steve.laughman@microsoft.com> - 1.6.0-15
 - Initial CBL-Mariner import from Fedora 33 (license: MIT)
 - Disable circular dependency check
diff --git a/SPECS-EXTENDED/python-ldap/python-ldap.signatures.json b/SPECS-EXTENDED/python-ldap/python-ldap.signatures.json
index dc1112c50fc..10f56011ed0 100644
--- a/SPECS-EXTENDED/python-ldap/python-ldap.signatures.json
+++ b/SPECS-EXTENDED/python-ldap/python-ldap.signatures.json
@@ -1,5 +1,5 @@
 {
-  "Signatures": {
-    "python-ldap-3.4.0.tar.gz": "60464c8fc25e71e0fd40449a24eae482dcd0fb7fcf823e7de627a6525b3e0d12"
-  }
-}
+ "Signatures": {
+  "python-ldap-3.4.4.tar.gz": "98c03c14724636351964606a307bf946fa6248630c2d6b89938a6911b6b84c99"
+ }
+}
\ No newline at end of file
diff --git a/SPECS-EXTENDED/python-ldap/python-ldap.spec b/SPECS-EXTENDED/python-ldap/python-ldap.spec
index 4aab88a6c71..ec938b53a02 100644
--- a/SPECS-EXTENDED/python-ldap/python-ldap.spec
+++ b/SPECS-EXTENDED/python-ldap/python-ldap.spec
@@ -1,5 +1,4 @@
 ### Abstract ###
-# global prerelease b4
 %global openldap_version 2.4.45-4
 %global _description\
 python-ldap provides an object-oriented API for working with LDAP within\
@@ -9,13 +8,13 @@ OpenLDAP 2.x libraries, and contains modules for other LDAP-related tasks\
 
 Summary:        An object-oriented API to access LDAP directory servers
 Name:           python-ldap
-Version:        3.4.0
+Version:        3.4.4
 Release:        1%{?dist}
 License:        Python
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL:            http://python-ldap.org/
-Source0:        https://files.pythonhosted.org/packages/source/p/%{name}/%{name}-%{version}%{?prerelease}.tar.gz
+Source0:        https://github.com/%{name}/%{name}/archive/refs/tags/%{name}-%{version}.tar.gz
 
 # Test dependencies
 BuildRequires:  %{_bindir}/tox
@@ -30,6 +29,9 @@ BuildRequires:  python3-devel
 BuildRequires:  python3-pyasn1 >= 0.3.7
 BuildRequires:  python3-pyasn1-modules >= 0.1.5
 BuildRequires:  python3-setuptools
+%if %{with check}
+BuildRequires:  python3-pip
+%endif
 
 %description %{_description}
 
@@ -47,14 +49,14 @@ Provides:       python3-pyldap%{?_isa} = %{version}-%{release}
 %description -n python3-ldap %{_description}
 
 %prep
-%setup -q -n %{name}-%{version}%{?prerelease}
+%autosetup -p1 -n %{name}-%{name}-%{version}%{?prerelease}
 
 # Fix interpreter
 find . -name '*.py' | xargs sed -i '1s|^#!/usr/bin/env python|#!%{__python3}|'
 
 # Disable warnings in test to work around "'U' mode is deprecated"
 # https://github.com/python-ldap/python-ldap/issues/96
-sed -i 's,-Werror,-Wignore,g' tox.ini
+# sed -i 's,-Werror,-Wignore,g' tox.ini
 
 
 %build
@@ -62,10 +64,18 @@ sed -i 's,-Werror,-Wignore,g' tox.ini
 
 
 %check
-# don't download packages
-export PIP_INDEX_URL=http://host.invalid./
-export PIP_NO_DEPS=yes
-TOXENV=py%{python3_version_nodots} LOGLEVEL=10 tox --sitepackages
+pip3 install tox pluggy py filelock toml six virtualenv
+# env SBIN=/usr/libexec/ python3 -m tox -e py312
+PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m unittest -v \
+	   Tests/t_cidict.py \
+	   Tests/t_ldap_dn.py \
+	   Tests/t_ldap_filter.py \
+	   Tests/t_ldap_functions.py \
+	   Tests/t_ldap_modlist.py \
+	   Tests/t_ldap_schema_tokenizer.py \
+	   Tests/t_ldapurl.py \
+	   Tests/t_ldif.py \
+	   Tests/t_untested_mods.py
 
 
 %install
@@ -83,6 +93,10 @@ TOXENV=py%{python3_version_nodots} LOGLEVEL=10 tox --sitepackages
 %{python3_sitearch}/python_ldap-%{version}%{?prerelease}-py%{python3_version}.egg-info/
 
 %changelog
+* Thu Sep 26 2024 Muhammad Falak <mwani@microsoft.com> - 3.4.4-1
+- Enable ptest
+- Bump version to 3.4.4
+
 * Tue Sep 19 2023 Archana Choudhary <archana1@microsoft.com> - 3.4.0-1
 - Upgrade to 3.4.0 - CVE-2021-46823
 - License verified
diff --git a/SPECS-EXTENDED/python-pymongo/python-pymongo.spec b/SPECS-EXTENDED/python-pymongo/python-pymongo.spec
index 54c822210c9..96b485df4eb 100644
--- a/SPECS-EXTENDED/python-pymongo/python-pymongo.spec
+++ b/SPECS-EXTENDED/python-pymongo/python-pymongo.spec
@@ -7,12 +7,15 @@
 
 Name:           python-pymongo
 Version:        3.10.1
-Release:        5%{?dist}
-# All code is ASL 2.0 except bson/time64*.{c,h} which is MIT
-License:        ASL 2.0 and MIT
+Release:        6%{?dist}
+# All code is ASL 2.0 except for:
+# - bson/time64*.{c,h} - MIT,
+# - encoding_helpers.c - Unicode with a "Portions Copyright 2001 Unicode, Inc." header,
+# - ssl_match_hostname.py - Python-2.0
+License:        ASL 2.0 and MIT and Python-2.0 and Unicode
 Summary:        Python driver for MongoDB
 URL:            https://github.com/mongodb/mongo-python-driver
-Vendor:         Microsoft
+Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Source0:        https://github.com/mongodb/mongo-python-driver/archive/%{version}/pymongo-%{version}.tar.gz
 # This patch removes the bundled ssl.match_hostname library as it was vulnerable to CVE-2013-7440
@@ -90,28 +93,32 @@ chmod 755 %{buildroot}%{python3_sitearch}/bson/*.so
 chmod 755 %{buildroot}%{python3_sitearch}/pymongo/*.so
 
 %files doc
-%license LICENSE
+%license LICENSE THIRD-PARTY-NOTICES
 %if 0%{!?bootstrap:1}
 %doc doc/_build/html/*
 %endif
 
 %files -n python3-bson
-%license LICENSE
+%license LICENSE THIRD-PARTY-NOTICES
 %doc README.rst
 %{python3_sitearch}/bson
 
 %files -n python3-pymongo
-%license LICENSE
+%license LICENSE THIRD-PARTY-NOTICES
 %doc README.rst
 %{python3_sitearch}/pymongo
 %{python3_sitearch}/pymongo-%{version}-*.egg-info
 
 %files -n python3-pymongo-gridfs
-%license LICENSE
+%license LICENSE THIRD-PARTY-NOTICES
 %doc README.rst
 %{python3_sitearch}/gridfs
 
 %changelog
+* Tue Sep 03 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 3.10.1-6
+- Release bump to fix package information.
+- License verified.
+
 * Mon Oct 19 2020 Steve Laughman <steve.laughman@microsoft.com> - 3.10.1-5
 - Initial CBL-Mariner import from Fedora 33 (license: MIT)
 
diff --git a/SPECS-EXTENDED/python-pyroute2/python-pyroute2.signatures.json b/SPECS-EXTENDED/python-pyroute2/python-pyroute2.signatures.json
deleted file mode 100644
index 5e4c2fd93fc..00000000000
--- a/SPECS-EXTENDED/python-pyroute2/python-pyroute2.signatures.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "Signatures": {
-  "pyroute2-0.6.5.tar.gz": "d0995c8aeb96c0e4eed4d62e97c9d795000a1a33b747d6dc54326665857cf11c",
-  "pyroute2.core-0.6.5.tar.gz": "266d740eae40fa64dd04541f007d34db696cecf3154cba5be30fa75a67d43852",
-  "pyroute2.nslink-0.6.5.tar.gz": "292e6c2832a73544c1c6d5ba727f7117aa847e55f88d78e94b7d4607b299999e",
-  "pyroute2.nftables-0.6.5.tar.gz": "b1455a63a3efc050d108d550d1cafd011edded6e894d99e7bdfa02d592bf6f16",
-  "pyroute2.ndb-0.6.5.tar.gz": "a4d309584e9ef6c7842af4f832b48fc5344ab225e70e384baed1b7fe2b94d9f8",
-  "pyroute2.ethtool-0.6.5.tar.gz": "caf8014b676521135c4760d72cf5aeef6abbc7fa275210f7e95333073cc7715a",
-  "pyroute2.ipset-0.6.5.tar.gz": "ae527c0f999748230a1f688d9a2b7c257b2df6d74369f44eca530d007793b79d",
-  "pyroute2.ipdb-0.6.5.tar.gz": "f2028fd1013d8af888150d033eecf7537657a4be37e0cccea9800809961eb577"
- }
-}
diff --git a/SPECS-EXTENDED/python-pyrsistent/python-pyrsistent.spec b/SPECS-EXTENDED/python-pyrsistent/python-pyrsistent.spec
index 95975e959b4..fec0b0c2d72 100644
--- a/SPECS-EXTENDED/python-pyrsistent/python-pyrsistent.spec
+++ b/SPECS-EXTENDED/python-pyrsistent/python-pyrsistent.spec
@@ -18,10 +18,10 @@ original structure is left untouched.}
 Name:           python-%{pypi_name}
 Summary:        Persistent/Functional/Immutable data structures
 Version:        0.17.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MIT
 URL:            http://github.com/tobgu/pyrsistent/
-Vendor:         Microsoft
+Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Source0:        https://files.pythonhosted.org/packages/source/p/%{pypi_name}/%{pypi_name}-%{version}.tar.gz
 # relax dependencies specified in setup.py
@@ -71,6 +71,10 @@ rm -rf %{pypi_name}.egg-info
 %{python3_sitearch}/%{pypi_name}-%{version}-py%{python3_version}.egg-info/
 
 %changelog
+* Tue Sep 03 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.17.3-3
+- Release bump to fix package information.
+- License verified.
+
 * Thu Oct 22 2020 Steve Laughman <steve.laughman@microsoft.com> - 0.17.3-2
 - Initial CBL-Mariner import from Fedora 33 (license: MIT)
 
diff --git a/SPECS-EXTENDED/python-pytest-runner/python-pytest-runner.spec b/SPECS-EXTENDED/python-pytest-runner/python-pytest-runner.spec
index 599d7956ce8..e45e5744dbd 100644
--- a/SPECS-EXTENDED/python-pytest-runner/python-pytest-runner.spec
+++ b/SPECS-EXTENDED/python-pytest-runner/python-pytest-runner.spec
@@ -10,10 +10,10 @@
 Summary:        Invoke py.test as distutils command with dependency resolution
 Name:           python-%{modulename}
 Version:        4.0
-Release:        12%{?dist}
+Release:        13%{?dist}
 License:        MIT
 URL:            https://pypi.python.org/pypi/pytest-runner
-Vendor:         Microsoft
+Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 # setuptools-scm requires a pypi tarball and doesn't like github tarball
 Source0:        https://files.pythonhosted.org/packages/source/p/%{modulename}/%{modulename}-%{version}.tar.gz
@@ -58,6 +58,10 @@ Python 3 version.
 %{python3_sitelib}/__pycache__/ptr.*
 
 %changelog
+* Tue Sep 03 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 4.0-13
+- Release bump to fix package information.
+- License verified.
+
 * Thu Oct 22 2020 Steve Laughman <steve.laughman@microsoft.com> - 4.0-12
 - Initial CBL-Mariner import from Fedora 33 (license: MIT)
 
diff --git a/SPECS-EXTENDED/python-recommonmark/python-recommonmark.spec b/SPECS-EXTENDED/python-recommonmark/python-recommonmark.spec
index 6ef7466dbaf..cd4a4c1f914 100644
--- a/SPECS-EXTENDED/python-recommonmark/python-recommonmark.spec
+++ b/SPECS-EXTENDED/python-recommonmark/python-recommonmark.spec
@@ -16,11 +16,11 @@ Documentation is available on Read the Docs: http://recommonmark.readthedocs.org
 
 Name:           python-%{github_name}
 Version:        0.6.0
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        %{sum}
 License:        MIT
 URL:            https://github.com/%{project_owner}/%{github_name}
-Vendor:         Microsoft
+Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Source0:        https://github.com/%{project_owner}/%{github_name}/archive/%{version}/%{github_name}-%{version}.tar.gz
 BuildArch:      noarch
@@ -81,6 +81,10 @@ popd  # Leave buildroot bindir
 %{_bindir}/cm2*-%{python3_version}
 
 %changelog
+* Tue Sep 03 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.6.0-5
+- Release bump to fix package information.
+- License verified.
+
 * Thu Oct 14 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.6.0-4
 - Converting the 'Release' tag to the '[number].[distribution]' format.
 
diff --git a/SPECS-EXTENDED/python-templated-dictionary/python-templated-dictionary.signatures.json b/SPECS-EXTENDED/python-templated-dictionary/python-templated-dictionary.signatures.json
deleted file mode 100644
index 9bb585255d3..00000000000
--- a/SPECS-EXTENDED/python-templated-dictionary/python-templated-dictionary.signatures.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "Signatures": {
-  "python-templated-dictionary-1.1.tar.gz": "17f5fa6d5f1a4b9259ac0e358edf31d70a67104d3c89d6d9086652a655d44308"
- }
-}
diff --git a/SPECS-EXTENDED/python-testscenarios/python-testscenarios.spec b/SPECS-EXTENDED/python-testscenarios/python-testscenarios.spec
index abb942ba751..f4a2902aa8a 100644
--- a/SPECS-EXTENDED/python-testscenarios/python-testscenarios.spec
+++ b/SPECS-EXTENDED/python-testscenarios/python-testscenarios.spec
@@ -5,11 +5,11 @@
 
 Name:           python-%{pypi_name}
 Version:        0.5.0
-Release:        22%{?dist}
+Release:        23%{?dist}
 Summary:        Testscenarios, a pyunit extension for dependency injection
 License:        ASL 2.0 and BSD
 URL:            https://launchpad.net/testscenarios
-Vendor:         Microsoft
+Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Source0:        https://pypi.python.org/packages/source/t/%{pypi_name}/%{pypi_name}-%{version}.tar.gz
 BuildArch:      noarch
@@ -71,6 +71,9 @@ CFLAGS="%{optflags}" %{__python3} setup.py build
 %{python3_sitelib}/*
 
 %changelog
+* Tue Sep 03 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.5.0-23
+- Release bump to fix package information.
+
 * Fri Apr 29 2022 Muhammad Falak <mwani@microsoft.com> - 0.5.0-22
 - Add BR on `pip` to enable ptest
 - License verified
diff --git a/SPECS-EXTENDED/python-testtools/python-testtools.spec b/SPECS-EXTENDED/python-testtools/python-testtools.spec
index b0ae67f9f53..05e21d0bd0d 100644
--- a/SPECS-EXTENDED/python-testtools/python-testtools.spec
+++ b/SPECS-EXTENDED/python-testtools/python-testtools.spec
@@ -27,11 +27,11 @@ framework.}
 
 Name:           python-%{pkgname}
 Version:        2.4.0
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        Extensions to the Python unit testing framework
 License:        MIT
 URL:            https://launchpad.net/testtools
-Vendor:         Microsoft
+Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Source0:        https://files.pythonhosted.org/packages/source/t/%{libname}/%{libname}-%{version}.tar.gz
 Patch0:         testtools-2.4.0-remove_backports.patch
@@ -107,6 +107,10 @@ make PYTHON=%{__python3} check
 %endif
 
 %changelog
+* Tue Sep 03 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 2.4.0-9
+- Release bump to fix package information.
+- License verified.
+
 * Tue Oct 13 2020 Steve Laughman <steve.laughman@microsoft.com> - 2.4.0-8
 - Initial CBL-Mariner import from Fedora 33 (license: MIT)
 
diff --git a/SPECS-EXTENDED/realmd/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch b/SPECS-EXTENDED/realmd/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
deleted file mode 100644
index 894fe937194..00000000000
--- a/SPECS-EXTENDED/realmd/0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
+++ /dev/null
@@ -1,168 +0,0 @@
-From b11d891a50c2f70e3c02b880e0199583b8df186c Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 31 May 2018 16:16:08 +0200
-Subject: [PATCH] Find NetBIOS name in keytab while leaving
-
-If realmd is used with Samba as membership software, i.e. Samba's net
-utility, the NetBIOS name must be known when leaving a domain. The most
-reliable way to find it is by searching the keytab for NAME$@REALM type
-entries and use the NAME as the NetBIOS name.
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1370457
----
- service/realm-kerberos.c     | 64 ++++++++++++++++++++++++++++++++++++
- service/realm-kerberos.h     |  2 ++
- service/realm-samba-enroll.c | 17 ++++++++--
- 3 files changed, 80 insertions(+), 3 deletions(-)
-
-diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
-index 54d1ed7..d6d109f 100644
---- a/service/realm-kerberos.c
-+++ b/service/realm-kerberos.c
-@@ -1130,3 +1130,67 @@ realm_kerberos_flush_keytab (const gchar *realm_name,
- 	return ret;
- 
- }
-+
-+gchar *
-+realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name)
-+{
-+	krb5_error_code code;
-+	krb5_keytab keytab = NULL;
-+	krb5_context ctx;
-+	krb5_kt_cursor cursor = NULL;
-+	krb5_keytab_entry entry;
-+	krb5_principal realm_princ = NULL;
-+	gchar *princ_name = NULL;
-+	gchar *netbios_name = NULL;
-+	krb5_data *name_data;
-+
-+	code = krb5_init_context (&ctx);
-+	if (code != 0) {
-+		return NULL;
-+	}
-+
-+	princ_name = g_strdup_printf ("user@%s", realm_name);
-+	code = krb5_parse_name (ctx, princ_name, &realm_princ);
-+	g_free (princ_name);
-+
-+	if (code == 0) {
-+		code = krb5_kt_default (ctx, &keytab);
-+	}
-+
-+	if (code == 0) {
-+		code = krb5_kt_start_seq_get (ctx, keytab, &cursor);
-+	}
-+
-+	if (code == 0) {
-+		while (!krb5_kt_next_entry (ctx, keytab, &entry, &cursor) && netbios_name == NULL) {
-+			if (krb5_realm_compare (ctx, realm_princ, entry.principal)) {
-+				name_data = krb5_princ_component (ctx, entry.principal, 0);
-+				if (name_data != NULL
-+				                && name_data->length > 0
-+				                && name_data->data[name_data->length - 1] == '$') {
-+					netbios_name = g_strndup (name_data->data, name_data->length - 1);
-+					if (netbios_name == NULL) {
-+						code = krb5_kt_free_entry (ctx, &entry);
-+						warn_if_krb5_failed (ctx, code);
-+						break;
-+					}
-+				}
-+			}
-+			code = krb5_kt_free_entry (ctx, &entry);
-+			warn_if_krb5_failed (ctx, code);
-+		}
-+	}
-+
-+	code = krb5_kt_end_seq_get (ctx, keytab, &cursor);
-+	warn_if_krb5_failed (ctx, code);
-+
-+	code = krb5_kt_close (ctx, keytab);
-+	warn_if_krb5_failed (ctx, code);
-+
-+	krb5_free_principal (ctx, realm_princ);
-+
-+	krb5_free_context (ctx);
-+
-+	return netbios_name;
-+
-+}
-diff --git a/service/realm-kerberos.h b/service/realm-kerberos.h
-index 0447e4d..58cfe07 100644
---- a/service/realm-kerberos.h
-+++ b/service/realm-kerberos.h
-@@ -88,6 +88,8 @@ gchar *             realm_kerberos_format_login          (RealmKerberos *self,
- gboolean            realm_kerberos_flush_keytab                (const gchar *realm_name,
-                                                                 GError **error);
- 
-+gchar *             realm_kerberos_get_netbios_name_from_keytab (const gchar *realm_name);
-+
- const gchar *       realm_kerberos_get_name                    (RealmKerberos *self);
- 
- const gchar *       realm_kerberos_get_realm_name              (RealmKerberos *self);
-diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
-index 76e7b79..f5edca3 100644
---- a/service/realm-samba-enroll.c
-+++ b/service/realm-samba-enroll.c
-@@ -85,7 +85,8 @@ static JoinClosure *
- join_closure_init (GTask *task,
-                    RealmDisco *disco,
-                    GVariant *options,
--                   GDBusMethodInvocation *invocation)
-+                   GDBusMethodInvocation *invocation,
-+                   gboolean do_join)
- {
- 	JoinClosure *join;
- 	gchar *workgroup;
-@@ -93,6 +94,7 @@ join_closure_init (GTask *task,
- 	int temp_fd;
- 	const gchar *explicit_computer_name = NULL;
- 	const gchar *authid = NULL;
-+	gchar *name_from_keytab = NULL;
- 
- 	join = g_new0 (JoinClosure, 1);
- 	join->disco = realm_disco_ref (disco);
-@@ -106,6 +108,14 @@ join_closure_init (GTask *task,
- 	else if (disco->explicit_netbios)
- 		authid = disco->explicit_netbios;
- 
-+	/* try to get the NetBIOS name from the keytab while leaving the domain */
-+	if (explicit_computer_name == NULL && !do_join) {
-+		name_from_keytab = realm_kerberos_get_netbios_name_from_keytab(disco->kerberos_realm);
-+		if (name_from_keytab != NULL) {
-+			authid = name_from_keytab;
-+		}
-+	}
-+
- 	join->config = realm_ini_config_new (REALM_INI_NO_WATCH | REALM_INI_PRIVATE);
- 	realm_ini_config_set (join->config, REALM_SAMBA_CONFIG_GLOBAL,
- 	                      "security", "ads",
-@@ -151,6 +161,7 @@ join_closure_init (GTask *task,
- 		g_warning ("Couldn't create temp file in: %s", g_get_tmp_dir ());
- 	}
- 
-+	g_free (name_from_keytab);
- 	return join;
- }
- 
-@@ -393,7 +404,7 @@ realm_samba_enroll_join_async (RealmDisco *disco,
- 	g_return_if_fail (cred != NULL);
- 
- 	task = g_task_new (NULL, NULL, callback, user_data);
--	join = join_closure_init (task, disco, options, invocation);
-+	join = join_closure_init (task, disco, options, invocation, TRUE);
- 	explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
- 	if (explicit_computer_name != NULL) {
- 		realm_diagnostics_info (invocation, "Joining using a manual netbios name: %s",
-@@ -462,7 +473,7 @@ realm_samba_enroll_leave_async (RealmDisco *disco,
- 	JoinClosure *join;
- 
- 	task = g_task_new (NULL, NULL, callback, user_data);
--	join = join_closure_init (task, disco, options, invocation);
-+	join = join_closure_init (task, disco, options, invocation, FALSE);
- 
- 	switch (cred->type) {
- 	case REALM_CREDENTIAL_PASSWORD:
--- 
-2.17.1
-
diff --git a/SPECS-EXTENDED/realmd/0001-Fix-issues-found-by-Coverity.patch b/SPECS-EXTENDED/realmd/0001-Fix-issues-found-by-Coverity.patch
deleted file mode 100644
index abb678220f4..00000000000
--- a/SPECS-EXTENDED/realmd/0001-Fix-issues-found-by-Coverity.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 1831748847715a13f0cc911a9a491eb8614d6682 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 14 Aug 2018 14:09:48 +0200
-Subject: [PATCH 1/3] Fix issues found by Coverity
-
----
- service/realm-kerberos.c | 5 ++++-
- service/realm-packages.c | 2 +-
- 2 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/service/realm-kerberos.c b/service/realm-kerberos.c
-index d6d109f..252e256 100644
---- a/service/realm-kerberos.c
-+++ b/service/realm-kerberos.c
-@@ -980,7 +980,10 @@ realm_kerberos_set_details (RealmKerberos *self,
- 		if (name == NULL)
- 			break;
- 		value = va_arg (va, const gchar *);
--		g_return_if_fail (value != NULL);
-+		if (value == NULL) {
-+			va_end (va);
-+			g_return_if_reached ();
-+		}
- 
- 		values[0] = g_variant_new_string (name);
- 		values[1] = g_variant_new_string (value);
-diff --git a/service/realm-packages.c b/service/realm-packages.c
-index 9a6984c..5976439 100644
---- a/service/realm-packages.c
-+++ b/service/realm-packages.c
-@@ -567,7 +567,7 @@ lookup_required_files_and_packages (const gchar **package_sets,
- 		g_ptr_array_add (packages, NULL);
- 		*result_packages = (gchar **)g_ptr_array_free (packages, FALSE);
- 	} else {
--		g_ptr_array_free (files, TRUE);
-+		g_ptr_array_free (packages, TRUE);
- 	}
- 
- 	if (result_files) {
--- 
-2.17.1
-
diff --git a/SPECS-EXTENDED/realmd/0001-Fix-man-page-reference-in-systemd-service-file.patch b/SPECS-EXTENDED/realmd/0001-Fix-man-page-reference-in-systemd-service-file.patch
deleted file mode 100644
index fe466209f1b..00000000000
--- a/SPECS-EXTENDED/realmd/0001-Fix-man-page-reference-in-systemd-service-file.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From e8d9d5e9817627dcf208ac742debcc9dc320752d Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 27 Jul 2016 19:06:29 +0200
-Subject: [PATCH] Fix man page reference in systemd service file
-
----
- dbus/realmd.service.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dbus/realmd.service.in b/dbus/realmd.service.in
-index b3bcf7a..64c1090 100644
---- a/dbus/realmd.service.in
-+++ b/dbus/realmd.service.in
-@@ -1,6 +1,6 @@
- [Unit]
- Description=Realm and Domain Configuration
--Documentation=man:realmd(8)
-+Documentation=man:realm(8)
- 
- [Service]
- Type=dbus
--- 
-2.7.4
-
diff --git a/SPECS-EXTENDED/realmd/0001-IPA-do-not-call-sssd-enable-logins.patch b/SPECS-EXTENDED/realmd/0001-IPA-do-not-call-sssd-enable-logins.patch
deleted file mode 100644
index 01fdef86b30..00000000000
--- a/SPECS-EXTENDED/realmd/0001-IPA-do-not-call-sssd-enable-logins.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 373f2e03736dfd87d50f02208b99d462cf34d891 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 27 Sep 2018 13:04:47 +0200
-Subject: [PATCH] IPA: do not call sssd-enable-logins
-
-It is expected that ipa-client-install will do all PAM and NSS
-configuration. To avoid changing IPA default realmd will not try to
-update the related configuration.
----
- service/realm-sssd-ipa.c | 24 +-----------------------
- 1 file changed, 1 insertion(+), 23 deletions(-)
-
-diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
-index 5029f6b..70f8b0e 100644
---- a/service/realm-sssd-ipa.c
-+++ b/service/realm-sssd-ipa.c
-@@ -109,41 +109,19 @@ enroll_closure_free (gpointer data)
- 	g_free (enroll);
- }
- 
--static void
--on_enable_nss_done (GObject *source,
--                    GAsyncResult *result,
--                    gpointer user_data)
--{
--	GTask *task = G_TASK (user_data);
--	GError *error = NULL;
--	gint status;
--
--	status = realm_command_run_finish (result, NULL, &error);
--	if (error == NULL && status != 0)
--		g_set_error (&error, REALM_ERROR, REALM_ERROR_INTERNAL,
--		             _("Enabling SSSD in nsswitch.conf and PAM failed."));
--	if (error != NULL)
--		g_task_return_error (task, error);
--	else
--		g_task_return_boolean (task, TRUE);
--	g_object_unref (task);
--}
--
- static void
- on_restart_done (GObject *source,
-                  GAsyncResult *result,
-                  gpointer user_data)
- {
- 	GTask *task = G_TASK (user_data);
--	EnrollClosure *enroll = g_task_get_task_data (task);
- 	RealmSssd *sssd = g_task_get_source_object (task);
- 	GError *error = NULL;
- 
- 	realm_service_enable_and_restart_finish (result, &error);
- 	if (error == NULL) {
- 		realm_sssd_update_properties (sssd);
--		realm_command_run_known_async ("sssd-enable-logins", NULL, enroll->invocation,
--		                               on_enable_nss_done, g_object_ref (task));
-+		g_task_return_boolean (task, TRUE);
- 	} else {
- 		g_task_return_error (task, error);
- 	}
--- 
-2.17.1
-
diff --git a/SPECS-EXTENDED/realmd/0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch b/SPECS-EXTENDED/realmd/0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
deleted file mode 100644
index a61b602a272..00000000000
--- a/SPECS-EXTENDED/realmd/0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From 6f0aa79c3e8dd93e723f29bf46e1b8b14403254f Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Mon, 5 Dec 2016 18:25:44 +0100
-Subject: [PATCH] Kerberos: fall back to tcp SRV lookup
-
----
- service/realm-kerberos-provider.c | 48 +++++++++++++++++++++++++++++++--------
- 1 file changed, 39 insertions(+), 9 deletions(-)
-
-diff --git a/service/realm-kerberos-provider.c b/service/realm-kerberos-provider.c
-index 2b3a0f8..1477ae8 100644
---- a/service/realm-kerberos-provider.c
-+++ b/service/realm-kerberos-provider.c
-@@ -19,6 +19,7 @@
- #include "realm-kerberos-provider.h"
- 
- #include <errno.h>
-+#include <string.h>
- 
- struct _RealmKerberosProvider {
- 	RealmProvider parent;
-@@ -38,28 +39,54 @@ realm_kerberos_provider_init (RealmKerberosProvider *self)
- 
- }
- 
-+typedef struct {
-+	gchar *name;
-+	const char *prot;
-+} NameProtPair;
-+
-+static void
-+name_prot_pair_free (gpointer data)
-+{
-+	NameProtPair *name_prot_pair = data;
-+	g_free (name_prot_pair->name);
-+	g_free (name_prot_pair);
-+}
-+
- static void
- on_kerberos_discover (GObject *source,
-                       GAsyncResult *result,
-                       gpointer user_data)
- {
- 	GTask *task = G_TASK (user_data);
--	const gchar *domain = g_task_get_task_data (task);
-+	NameProtPair *name_prot_pair = g_task_get_task_data (task);
- 	GError *error = NULL;
- 	RealmDisco *disco;
- 	GList *targets;
-+	GResolver *resolver;
- 
- 	targets = g_resolver_lookup_service_finish (G_RESOLVER (source), result, &error);
- 	if (targets) {
- 		g_list_free_full (targets, (GDestroyNotify)g_srv_target_free);
--		disco = realm_disco_new (domain);
--		disco->kerberos_realm = g_ascii_strup (domain, -1);
-+		disco = realm_disco_new (name_prot_pair->name);
-+		disco->kerberos_realm = g_ascii_strup (name_prot_pair->name, -1);
- 		g_task_return_pointer (task, disco, realm_disco_unref);
- 
- 	} else if (error) {
--		g_debug ("Resolving %s failed: %s", domain, error->message);
-+		g_debug ("Resolving %s failed: %s", name_prot_pair->name, error->message);
- 		g_error_free (error);
--		g_task_return_pointer (task, NULL, NULL);
-+
-+		if (strcmp (name_prot_pair->prot, "tcp") == 0) {
-+			g_task_return_pointer (task, NULL, NULL);
-+		} else {
-+			/* Try tcp */
-+			name_prot_pair->prot = "tcp";
-+			resolver = g_resolver_get_default ();
-+			g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot,
-+			                                 name_prot_pair->name,
-+			                                 g_task_get_cancellable (task),
-+			                                 on_kerberos_discover, g_object_ref (task));
-+			g_object_unref (resolver);
-+		}
- 	}
- 
- 	g_object_unref (task);
-@@ -76,7 +103,7 @@ realm_kerberos_provider_discover_async (RealmProvider *provider,
- 	GTask *task;
- 	const gchar *software;
- 	GResolver *resolver;
--	gchar *name;
-+	NameProtPair *name_prot_pair;
- 
- 	task = g_task_new (provider, NULL, callback, user_data);
- 
-@@ -86,12 +113,15 @@ realm_kerberos_provider_discover_async (RealmProvider *provider,
- 		g_task_return_pointer (task, NULL, NULL);
- 
- 	} else {
--		name = g_hostname_to_ascii (string);
-+		name_prot_pair = g_new0 (NameProtPair, 1);
-+		name_prot_pair->name = g_hostname_to_ascii (string);
-+		name_prot_pair->prot = "udp";
- 		resolver = g_resolver_get_default ();
--		g_resolver_lookup_service_async (resolver, "kerberos", "udp", name,
-+		g_resolver_lookup_service_async (resolver, "kerberos", name_prot_pair->prot,
-+		                                 name_prot_pair->name,
- 		                                 realm_invocation_get_cancellable (invocation),
- 		                                 on_kerberos_discover, g_object_ref (task));
--		g_task_set_task_data (task, name, g_free);
-+		g_task_set_task_data (task, name_prot_pair, name_prot_pair_free);
- 		g_object_unref (resolver);
- 	}
- 
--- 
-2.9.3
-
diff --git a/SPECS-EXTENDED/realmd/0001-LDAP-don-t-close-LDAP-socket-twice.patch b/SPECS-EXTENDED/realmd/0001-LDAP-don-t-close-LDAP-socket-twice.patch
deleted file mode 100644
index 09e9ccf4760..00000000000
--- a/SPECS-EXTENDED/realmd/0001-LDAP-don-t-close-LDAP-socket-twice.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 895e5b37d14090541480cebcb297846cbd3662ce Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 25 Nov 2016 17:35:11 +0100
-Subject: [PATCH] LDAP: don't close LDAP socket twice
-
-ldap_destroy() will call close() on the LDAP socket so with an explicit
-close() before the file descriptor will be closed twice. Even worse,
-since the file descriptor can be reused after the explicit call of
-close() by any other thread the close() called from ldap_destroy() might
-close a file descriptor used by a different thread as seen e.g. in
-https://bugzilla.redhat.com/show_bug.cgi?id=1398522.
-
-Additionally the patch makes sure that the closed connection cannot be
-used again.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1398522
----
- service/realm-ldap.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/service/realm-ldap.c b/service/realm-ldap.c
-index 061ed61..59817fb 100644
---- a/service/realm-ldap.c
-+++ b/service/realm-ldap.c
-@@ -159,10 +159,11 @@ ldap_source_finalize (GSource *source)
- {
- 	LdapSource *ls = (LdapSource *)source;
- 
--	/* Yeah, this is pretty rough, but we don't want blocking here */
--	close (ls->sock);
- 	ldap_destroy (ls->ldap);
- 
-+	ls->sock = -1;
-+	ls->ldap = NULL;
-+
- 	if (ls->cancellable) {
- 		g_cancellable_release_fd (ls->cancellable);
- 		g_object_unref (ls->cancellable);
--- 
-2.9.3
-
diff --git a/SPECS-EXTENDED/realmd/0001-Remove-support-for-deprecated-gtester-format.patch b/SPECS-EXTENDED/realmd/0001-Remove-support-for-deprecated-gtester-format.patch
deleted file mode 100644
index bdd59dda47c..00000000000
--- a/SPECS-EXTENDED/realmd/0001-Remove-support-for-deprecated-gtester-format.patch
+++ /dev/null
@@ -1,252 +0,0 @@
-From 5ae42c176e7bb550fc6cf10f29e75f58c733ae4f Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Fri, 2 Aug 2019 12:10:43 +0200
-Subject: [PATCH] Remove support for deprecated gtester format
-
-Support for the already deprecated gtester format was remove from recent
-versions of glib2 but the test still call the tab-gtester conversion
-tool.
-
-This patch removes tab-gtester and the tab format is used directly.
-
-Related to https://gitlab.freedesktop.org/realmd/realmd/issues/21
----
- Makefile.am       |   3 +-
- build/tap-gtester | 204 ----------------------------------------------
- 2 files changed, 1 insertion(+), 206 deletions(-)
- delete mode 100755 build/tap-gtester
-
-diff --git a/Makefile.am b/Makefile.am
-index 27e3494..4ffd5b4 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -161,7 +161,7 @@ endif
- #
- 
- LOG_DRIVER = $(top_srcdir)/build/tap-driver
--LOG_COMPILER = $(top_srcdir)/build/tap-gtester
-+LOG_COMPILER = sh -c '"$$0" "$$@" --tap'
- 
- VALGRIND_ARGS = --trace-children=no --quiet --error-exitcode=33 \
- 	--suppressions=valgrind-suppressions --gen-suppressions=all \
-@@ -183,7 +183,6 @@ recheck-memory: valgrind-suppressions
- 
- EXTRA_DIST += \
- 	$(LOG_DRIVER) \
--	$(LOG_COMPILER) \
- 	$(VALGRIND_SUPPRESSIONS) \
- 	$(NULL)
- 
-diff --git a/build/tap-gtester b/build/tap-gtester
-deleted file mode 100755
-index bbda266..0000000
---- a/build/tap-gtester
-+++ /dev/null
-@@ -1,204 +0,0 @@
--#!/usr/bin/python3
--# This can also be run with Python 2.
--
--# Copyright (C) 2014 Red Hat, Inc.
--#
--# Cockpit is free software; you can redistribute it and/or modify it
--# under the terms of the GNU Lesser General Public License as published by
--# the Free Software Foundation; either version 2.1 of the License, or
--# (at your option) any later version.
--#
--# Cockpit is distributed in the hope that it will be useful, but
--# WITHOUT ANY WARRANTY; without even the implied warranty of
--# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
--# Lesser General Public License for more details.
--#
--# You should have received a copy of the GNU Lesser General Public License
--# along with Cockpit; If not, see <http://www.gnu.org/licenses/>.
--
--#
--# This is a test output compiler which produces TAP from GTest output
--# if GTest output is detected.
--#
--# Versions of glib later than 2.38.x output TAP natively when tests are
--# run with the --tap option. However we can't depend on such a recent
--# version of glib for our purposes.
--#
--# This implements the Test Anything Protocol (ie: TAP)
--# https://metacpan.org/pod/release/PETDANCE/Test-Harness-2.64/lib/Test/Harness/TAP.pod
--#
--
--import argparse
--import os
--import select
--import signal
--import subprocess
--import sys
--
--# Yes, it's dumb, but strsignal is not exposed in python
--# In addition signal numbers varify heavily from arch to arch
--def strsignal(sig):
--    for name in dir(signal):
--        if name.startswith("SIG") and sig == getattr(signal, name):
--            return name
--    return str(sig)
--
--
--class NullCompiler:
--    def __init__(self, command):
--        self.command = command
--
--    def input(self, line):
--        sys.stdout.write(line)
--
--    def process(self, proc):
--        while True:
--            line = proc.stdout.readline()
--            if not line:
--                break
--            self.input(line)
--        proc.wait()
--        return proc.returncode
--
--    def run(self, proc, line=None):
--        if line:
--            self.input(line)
--        return self.process(proc)
--
--
--class GTestCompiler(NullCompiler):
--    def __init__(self, filename):
--        NullCompiler.__init__(self, filename)
--        self.test_num = 0
--        self.test_name = None
--        self.test_remaining = []
--
--    def input(self, line):
--        line = line.strip()
--        if line.startswith("GTest: "):
--           (cmd, unused, data) = line[7:].partition(": ")
--           cmd = cmd.strip()
--           data = data.strip()
--           if cmd == "run":
--               self.test_name = data
--               assert self.test_name in self.test_remaining, "%s %s" % (self.test_name, repr(self.test_remaining))
--               self.test_remaining.remove(self.test_name)
--               self.test_num += 1
--           elif cmd == "result":
--               if self.test_name:
--                   if data == "OK":
--                       print("ok %d %s" % (self.test_num, self.test_name))
--                   if data == "FAIL":
--                       print("not ok %d %s" % (self.test_num, self.test_name))
--               self.test_name = None
--           elif cmd == "skipping":
--               if "/subprocess" not in data:
--                   print("ok %d # skip -- %s" % (self.test_num, data))
--               self.test_name = None
--           elif data:
--               print("# %s: %s" % (cmd, data))
--           else:
--               print("# %s" % cmd)
--        elif line.startswith("(MSG: "):
--            print("# %s" % line[6:-1])
--        elif line:
--            print("# %s" % line)
--        sys.stdout.flush()
--
--    def run(self, proc, output=""):
--        # Complete retrieval of the list of tests
--        output += proc.stdout.read()
--        proc.wait()
--        if proc.returncode:
--            sys.stderr.write("tap-gtester: listing GTest tests failed: %d\n" % proc.returncode)
--            return proc.returncode
--        self.test_remaining = []
--        for line in output.split("\n"):
--            if line.startswith("/"):
--                self.test_remaining.append(line.strip())
--        if not self.test_remaining:
--            print("Bail out! No tests found in GTest: %s" % self.command[0])
--            return 0
--
--        print("1..%d" % len(self.test_remaining))
--
--        # First try to run all the tests in a batch
--        proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True,
--                                stdout=subprocess.PIPE, universal_newlines=True)
--        result = self.process(proc)
--        if result == 0:
--            return 0
--
--        if result < 0:
--            sys.stderr.write("%s terminated with %s\n" % (self.command[0], strsignal(-result)))
--
--        # Now pick up any stragglers due to failures
--        while True:
--            # Assume that the last test failed
--            if self.test_name:
--                print("not ok %d %s" % (self.test_num, self.test_name))
--                self.test_name = None
--
--            # Run any tests which didn't get run
--            if not self.test_remaining:
--                break
--
--            proc = subprocess.Popen(self.command + ["--verbose", "-p", self.test_remaining[0]],
--                                    close_fds=True, stdout=subprocess.PIPE,
--                                    universal_newlines=True)
--            result = self.process(proc)
--
--            # The various exit codes and signals we continue for
--            if result not in [ 0, 1, -4, -5, -6, -7, -8, -11, 33 ]:
--                break
--
--        return result
--
--def main(argv):
--    parser = argparse.ArgumentParser(description='Automake TAP compiler',
--                                     usage="tap-gtester [--format FORMAT] command ...")
--    parser.add_argument('--format', metavar='FORMAT', choices=[ "auto", "gtest", "tap" ],
--                        default="auto", help='The input format to compile')
--    parser.add_argument('--verbose', action='store_true',
--                        default=True, help='Verbose mode (ignored)')
--    parser.add_argument('command', nargs=argparse.REMAINDER, help="A test command to run")
--    args = parser.parse_args(argv[1:])
--
--    output = None
--    format = args.format
--    cmd = args.command
--    if not cmd:
--        sys.stderr.write("tap-gtester: specify a command to run\n")
--        return 2
--    if cmd[0] == '--':
--        cmd.pop(0)
--
--    proc = None
--
--    os.environ['HARNESS_ACTIVE'] = '1'
--
--    if format in ["auto", "gtest"]:
--        list_cmd = cmd + ["-l", "--verbose"]
--        proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE,
--                                universal_newlines=True)
--        output = proc.stdout.readline()
--        # Smell whether we're dealing with GTest list output from first line
--        if "random seed" in output or "GTest" in output or output.startswith("/"):
--            format = "gtest"
--        else:
--            format = "tap"
--    else:
--        proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE,
--                                universal_newlines=True)
--
--    if format == "gtest":
--        compiler = GTestCompiler(cmd)
--    elif format == "tap":
--        compiler = NullCompiler(cmd)
--    else:
--        assert False, "not reached"
--
--    return compiler.run(proc, output)
--
--if __name__ == "__main__":
--    sys.exit(main(sys.argv))
--- 
-2.21.0
-
diff --git a/SPECS-EXTENDED/realmd/0001-Set-NEWEST-flag-when-resolving-packages-with-Package.patch b/SPECS-EXTENDED/realmd/0001-Set-NEWEST-flag-when-resolving-packages-with-Package.patch
deleted file mode 100644
index e8ba689fd83..00000000000
--- a/SPECS-EXTENDED/realmd/0001-Set-NEWEST-flag-when-resolving-packages-with-Package.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From fa6dd59c5eaabc8c7e540f2aa2ded6f785de0a13 Mon Sep 17 00:00:00 2001
-From: Adam Williamson <awilliam@redhat.com>
-Date: Wed, 20 Feb 2019 11:12:04 -0800
-Subject: [PATCH] Set 'NEWEST' flag when resolving packages with PackageKit
-
-When resolving package names via PackageKit, realmd does not set
-the PK_FILTER_ENUM_NEWEST flag that asks PK to only give the
-*newest available* package for each package name. So if there
-are three different versions of the package available in three
-repositories, realmd winds up producing an array containing the
-package IDs for all three of those packages and calling
-InstallPackages on all of them. I don't know if PK's behaviour
-in this case is defined or predictable, but in practice in at
-least one case it reliably results in one of the older package
-versions being installed.
-
-This does not seem desirable, we should always want to install
-the newest available version. So let's set the NEWEST flag to
-ensure this.
-
-A possible consequence here is that, if a newer version of the
-package is not installable but an older version is, we will now
-fail where previously we did not. But even in that case I don't
-know if we would *reliably* succeed before, and silently
-installing an older version still doesn't necessarily seem like
-the right thing to do.
-
-Signed-off-by: Adam Williamson <awilliam@redhat.com>
----
- service/realm-packages.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/service/realm-packages.c b/service/realm-packages.c
-index 5976439..0309c57 100644
---- a/service/realm-packages.c
-+++ b/service/realm-packages.c
-@@ -343,6 +343,7 @@ packages_resolve_async (GDBusConnection *connection,
-                         gpointer user_data)
- {
- 	guint64 flags = 1 << 18 /* PK_FILTER_ENUM_ARCH */;
-+	flags |= 1 << 16 /* PK_FILTER_ENUM_NEWEST */;
- 	package_transaction_create ("Resolve", g_variant_new ("(t^as)", flags, package_names),
- 	                            connection, cancellable, callback, user_data);
- }
--- 
-2.20.1
-
diff --git a/SPECS-EXTENDED/realmd/0001-Use-current-idmap-options-for-smb.conf.patch b/SPECS-EXTENDED/realmd/0001-Use-current-idmap-options-for-smb.conf.patch
deleted file mode 100644
index ea34960f8c3..00000000000
--- a/SPECS-EXTENDED/realmd/0001-Use-current-idmap-options-for-smb.conf.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From e683fb573bc09893ec541be29751560cea30ce3f Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 30 May 2018 13:10:57 +0200
-Subject: [PATCH] Use current idmap options for smb.conf
-
-Samba change some time ago the way how to configure id-mapping. With
-this patch realmd will use the current supported options when creating
-smb.conf.
-
-A new option --legacy-samba-config is added to use the old options if
-realmd is used with Samba 3.5 or earlier.
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1484072
----
- dbus/realm-dbus-constants.h   |  1 +
- doc/manual/realmd.conf.xml    | 17 ++++++++++++
- service/realm-samba-enroll.c  |  2 +-
- service/realm-samba-enroll.h  |  3 +++
- service/realm-samba-winbind.c | 63 ++++++++++++++++++++++++++++++++++---------
- 5 files changed, 72 insertions(+), 14 deletions(-)
-
-diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
-index 9cd30ef..40ffa2d 100644
---- a/dbus/realm-dbus-constants.h
-+++ b/dbus/realm-dbus-constants.h
-@@ -69,6 +69,7 @@ G_BEGIN_DECLS
- #define   REALM_DBUS_OPTION_COMPUTER_NAME          "computer-name"
- #define   REALM_DBUS_OPTION_OS_NAME                "os-name"
- #define   REALM_DBUS_OPTION_OS_VERSION             "os-version"
-+#define   REALM_DBUS_OPTION_LEGACY_SMB_CONF        "legacy-samba-config"
- 
- #define   REALM_DBUS_IDENTIFIER_ACTIVE_DIRECTORY   "active-directory"
- #define   REALM_DBUS_IDENTIFIER_WINBIND            "winbind"
-diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
-index 7853230..a2b577c 100644
---- a/doc/manual/realmd.conf.xml
-+++ b/doc/manual/realmd.conf.xml
-@@ -192,6 +192,23 @@ automatic-install = no
- 	</listitem>
- 	</varlistentry>
- 
-+	<varlistentry>
-+	<term><option>legacy-samba-config</option></term>
-+	<listitem>
-+		<para>Set this to <parameter>yes</parameter> to create a Samba
-+		configuration file with id-mapping options used by Samba-3.5
-+		and earlier version.</para>
-+
-+		<informalexample>
-+<programlisting language="js">
-+[service]
-+legacy-samba-config = no
-+# legacy-samba-config = yes
-+</programlisting>
-+		</informalexample>
-+	</listitem>
-+	</varlistentry>
-+
- 	</variablelist>
- </refsect1>
- 
-diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
-index c81aed2..76e7b79 100644
---- a/service/realm-samba-enroll.c
-+++ b/service/realm-samba-enroll.c
-@@ -69,7 +69,7 @@ join_closure_free (gpointer data)
- 	g_free (join);
- }
- 
--static gchar *
-+gchar *
- fallback_workgroup (const gchar *realm)
- {
- 	const gchar *pos;
-diff --git a/service/realm-samba-enroll.h b/service/realm-samba-enroll.h
-index 84e8b2f..310ec65 100644
---- a/service/realm-samba-enroll.h
-+++ b/service/realm-samba-enroll.h
-@@ -46,6 +46,9 @@ void               realm_samba_enroll_leave_async          (RealmDisco *disco,
- gboolean           realm_samba_enroll_leave_finish         (GAsyncResult *result,
-                                                             GError **error);
- 
-+gchar *
-+fallback_workgroup (const gchar *realm);
-+
- G_END_DECLS
- 
- #endif /* __REALM_SAMBA_ENROLL_H__ */
-diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
-index a7ddec3..9335e26 100644
---- a/service/realm-samba-winbind.c
-+++ b/service/realm-samba-winbind.c
-@@ -21,8 +21,10 @@
- #include "realm-options.h"
- #include "realm-samba-config.h"
- #include "realm-samba-winbind.h"
-+#include "realm-samba-enroll.h"
- #include "realm-settings.h"
- #include "realm-service.h"
-+#include "dbus/realm-dbus-constants.h"
- 
- #include <glib/gstdio.h>
- 
-@@ -80,6 +82,10 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
- 	RealmIniConfig *pwc;
- 	GTask *task;
- 	GError *error = NULL;
-+	gchar *workgroup = NULL;
-+	gchar *idmap_config_backend = NULL;
-+	gchar *idmap_config_range = NULL;
-+	gchar *idmap_config_schema_mode = NULL;
- 
- 	g_return_if_fail (config != NULL);
- 	g_return_if_fail (invocation != NULL || G_IS_DBUS_METHOD_INVOCATION (invocation));
-@@ -100,23 +106,54 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
- 		                      "template shell", realm_settings_string ("users", "default-shell"),
- 		                      NULL);
- 
--		if (realm_options_automatic_mapping (options, domain_name)) {
--			realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
--			                      "idmap uid", "10000-2000000",
--			                      "idmap gid", "10000-2000000",
--			                      "idmap backend", "tdb",
--			                      "idmap schema", NULL,
--			                      NULL);
-+		if (realm_settings_boolean ("service", REALM_DBUS_OPTION_LEGACY_SMB_CONF, FALSE)) {
-+			if (realm_options_automatic_mapping (options, domain_name)) {
-+				realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
-+						      "idmap uid", "10000-2000000",
-+						      "idmap gid", "10000-2000000",
-+						      "idmap backend", "tdb",
-+						      "idmap schema", NULL,
-+						      NULL);
-+			} else {
-+				realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
-+						      "idmap uid", "500-4294967296",
-+						      "idmap gid", "500-4294967296",
-+						      "idmap backend", "ad",
-+						      "idmap schema", "rfc2307",
-+						      NULL);
-+			}
- 		} else {
--			realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
--			                      "idmap uid", "500-4294967296",
--			                      "idmap gid", "500-4294967296",
--			                      "idmap backend", "ad",
--			                      "idmap schema", "rfc2307",
--			                      NULL);
-+			workgroup = realm_ini_config_get (config, REALM_SAMBA_CONFIG_GLOBAL, "workgroup");
-+			if (workgroup == NULL) {
-+				workgroup = fallback_workgroup (domain_name);
-+			}
-+			idmap_config_backend = g_strdup_printf ("idmap config %s : backend", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
-+			idmap_config_range = g_strdup_printf ("idmap config %s : range", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
-+			idmap_config_schema_mode = g_strdup_printf ("idmap config %s : schema_mode", workgroup != NULL ? workgroup : "PLEASE_REPLACE");
-+			g_free (workgroup);
-+
-+			if (realm_options_automatic_mapping (options, domain_name)) {
-+				realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
-+						      "idmap config * : backend", "tdb",
-+						      "idmap config * : range", "10000-999999",
-+						      idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "rid",
-+						      idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "2000000-2999999",
-+						      idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", NULL,
-+						      NULL);
-+			} else {
-+				realm_ini_config_set (config, REALM_SAMBA_CONFIG_GLOBAL,
-+						      "idmap config * : backend", "tdb",
-+						      "idmap config * : range", "10000000-10999999",
-+						      idmap_config_backend != NULL ? idmap_config_backend : "idmap config PLEASE_REPLACE : backend", "ad",
-+						      idmap_config_range != NULL ? idmap_config_range: "idmap config PLEASE_REPLACE : range", "500-999999",
-+						      idmap_config_schema_mode != NULL ? idmap_config_schema_mode: "idmap config PLEASE_REPLACE : schema_mode", "rfc2307",
-+						      NULL);
-+			}
- 		}
- 
- 		realm_ini_config_finish_change (config, &error);
-+		g_free (idmap_config_backend);
-+		g_free (idmap_config_range);
- 	}
- 
- 	/* Setup pam_winbind.conf with decent defaults matching our expectations */
--- 
-2.14.4
-
diff --git a/SPECS-EXTENDED/realmd/0001-ipa-Propagate-hostname-error.patch b/SPECS-EXTENDED/realmd/0001-ipa-Propagate-hostname-error.patch
new file mode 100644
index 00000000000..433031eaf64
--- /dev/null
+++ b/SPECS-EXTENDED/realmd/0001-ipa-Propagate-hostname-error.patch
@@ -0,0 +1,67 @@
+From 8f417fb7fee088dba728e083bc5553a5f237f660 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Thu, 2 Nov 2023 10:35:48 +0100
+Subject: [PATCH] ipa: Propagate hostname error
+
+When a computer hostname is wrong, the `ipa-client-install` cmd fails
+with the "invalid hostname" error. However, the join method fails with
+the generic `REALM_ERROR_INTERNAL` error. Let's fail with the dedicated
+`REALM_ERROR_BAD_HOSTNAME` instead.
+
+Related: https://gitlab.gnome.org/GNOME/gnome-initial-setup/-/issues/123
+Related: https://gitlab.gnome.org/GNOME/gnome-initial-setup/-/issues/124
+---
+ service/realm-sssd-ipa.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
+index 0cb1a5b..fca8e25 100644
+--- a/service/realm-sssd-ipa.c
++++ b/service/realm-sssd-ipa.c
+@@ -129,6 +129,23 @@ on_restart_done (GObject *source,
+ 	g_object_unref (task);
+ }
+ 
++static gchar *
++parse_hostname_error (const gchar *output)
++{
++	GRegex* regex;
++	GMatchInfo *match_info = NULL;
++	gchar *reason = NULL;
++
++	regex = g_regex_new ("invalid hostname: (.+)", 0, 0, NULL);
++	if (g_regex_match (regex, output, 0, &match_info))
++		reason = g_match_info_fetch (match_info, 1);
++
++	g_match_info_unref (match_info);
++	g_regex_unref (regex);
++
++	return reason;
++}
++
+ static void
+ on_ipa_client_do_restart (GObject *source,
+                           GAsyncResult *result,
+@@ -149,6 +166,7 @@ on_ipa_client_do_restart (GObject *source,
+ 	gchar *section;
+ 	gchar *home;
+ 	gint status;
++	gchar *reason;
+ 
+ 	status = realm_command_run_finish (result, &output, &error);
+ 
+@@ -163,6 +181,11 @@ on_ipa_client_do_restart (GObject *source,
+ 		if (g_pattern_match_simple ("*kinit: Password incorrect*", output->str)) {
+ 			g_set_error (&error, REALM_ERROR, REALM_ERROR_AUTH_FAILED,
+ 			             "Password is incorrect");
++		} else if ((reason = parse_hostname_error (output->str)) != NULL) {
++			g_set_error (&error, REALM_ERROR, REALM_ERROR_BAD_HOSTNAME,
++			             "This computer's host name is not set correctly: %s",
++			             reason);
++			g_free (reason);
+ 		} else {
+ 			g_set_error (&error, REALM_ERROR, REALM_ERROR_INTERNAL,
+ 			             "Running ipa-client-install failed");
+-- 
+2.43.2
+
diff --git a/SPECS-EXTENDED/realmd/0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch b/SPECS-EXTENDED/realmd/0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch
deleted file mode 100644
index 8b8f633a897..00000000000
--- a/SPECS-EXTENDED/realmd/0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 402cbab6e8267fcd959bcfa84a47f4871b59944d Mon Sep 17 00:00:00 2001
-From: Stef Walter <stefw@redhat.com>
-Date: Fri, 28 Oct 2016 20:27:48 +0200
-Subject: [PATCH] service: Add nss and pam sssd.conf services after joining
-
-After adding a domain to sssd.conf add the nss and pam services
-to the [sssd] block.
-
-https://bugs.freedesktop.org/show_bug.cgi?id=98479
----
- service/realm-sssd-ad.c     | 3 +++
- service/realm-sssd-config.c | 2 --
- service/realm-sssd-ipa.c    | 3 +++
- tests/test-sssd-config.c    | 4 ++--
- 4 files changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
-index 5ed384d..5fa81ce 100644
---- a/service/realm-sssd-ad.c
-+++ b/service/realm-sssd-ad.c
-@@ -160,6 +160,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
-                            gboolean use_adcli,
-                            GError **error)
- {
-+	const gchar *services[] = { "nss", "pam", NULL };
- 	GString *realmd_tags;
- 	const gchar *access_provider;
- 	const gchar *shell;
-@@ -206,6 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config,
- 	                                    "ldap_sasl_authid", authid,
- 	                                    NULL);
- 
-+	realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
-+
- 	g_free (authid);
- 	g_string_free (realmd_tags, TRUE);
- 
-diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c
-index 2096afd..d4398b9 100644
---- a/service/realm-sssd-config.c
-+++ b/service/realm-sssd-config.c
-@@ -154,8 +154,6 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
- 	g_strfreev (already);
- 
- 	/* Setup a default sssd section */
--	if (!realm_ini_config_have (config, "section", "services"))
--		realm_ini_config_set (config, "sssd", "services", "nss, pam", NULL);
- 	if (!realm_ini_config_have (config, "sssd", "config_file_version"))
- 		realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL);
- 
-diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
-index b12136e..001870d 100644
---- a/service/realm-sssd-ipa.c
-+++ b/service/realm-sssd-ipa.c
-@@ -156,6 +156,7 @@ on_ipa_client_do_restart (GObject *source,
-                           GAsyncResult *result,
-                           gpointer user_data)
- {
-+	const gchar *services[] = { "nss", "pam", NULL };
- 	GTask *task = G_TASK (user_data);
- 	EnrollClosure *enroll = g_task_get_task_data (task);
- 	RealmSssd *sssd = g_task_get_source_object (task);
-@@ -207,6 +208,8 @@ on_ipa_client_do_restart (GObject *source,
- 		                                 "realmd_tags", realmd_tags,
- 		                                 NULL);
- 
-+		realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
-+
- 		g_free (home);
- 	}
- 
-diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c
-index 59eab75..892b9d5 100644
---- a/tests/test-sssd-config.c
-+++ b/tests/test-sssd-config.c
-@@ -90,7 +90,7 @@ test_add_domain (Test *test,
-                  gconstpointer unused)
- {
- 	const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
--	const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
-+	const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
- 	GError *error = NULL;
- 	gchar *output;
- 	gboolean ret;
-@@ -140,7 +140,7 @@ static void
- test_add_domain_only (Test *test,
-                       gconstpointer unused)
- {
--	const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
-+	const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
- 	GError *error = NULL;
- 	gchar *output;
- 	gboolean ret;
--- 
-2.9.3
-
diff --git a/SPECS-EXTENDED/realmd/0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch b/SPECS-EXTENDED/realmd/0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch
deleted file mode 100644
index 6c44727a2f7..00000000000
--- a/SPECS-EXTENDED/realmd/0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 9d5b6f5c88df582fb94edcf5cc05a8cfaa63cf6a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Tue, 25 Apr 2017 07:20:17 +0200
-Subject: [PATCH] service: Add "pam" and "nss" services in
- realm_sssd_config_add_domain()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-realm_sssd_config_add_domain() must setup the services line in sssd.conf
-otherwise SSSD won't be able to start any of its services.
-
-It's a regression caused by 402cbab which leaves SSSD with no services
-line when joining to an ad client doing "realm join ad.example".
-
-https://bugs.freedesktop.org/show_bug.cgi?id=98479
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
----
- service/realm-sssd-ad.c     | 3 ++-
- service/realm-sssd-config.c | 2 ++
- service/realm-sssd-ipa.c    | 3 ++-
- tests/test-sssd-config.c    | 4 ++--
- 4 files changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
-index 5fa81ce..8543ca8 100644
---- a/service/realm-sssd-ad.c
-+++ b/service/realm-sssd-ad.c
-@@ -207,7 +207,8 @@ configure_sssd_for_domain (RealmIniConfig *config,
- 	                                    "ldap_sasl_authid", authid,
- 	                                    NULL);
- 
--	realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
-+	if (ret)
-+		ret = realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, error);
- 
- 	g_free (authid);
- 	g_string_free (realmd_tags, TRUE);
-diff --git a/service/realm-sssd-config.c b/service/realm-sssd-config.c
-index d4398b9..140d7dc 100644
---- a/service/realm-sssd-config.c
-+++ b/service/realm-sssd-config.c
-@@ -130,6 +130,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
- 	gchar **already;
- 	gboolean ret;
- 	gchar *section;
-+	const gchar *services[] = { "nss", "pam", NULL };
- 	va_list va;
- 	gint i;
- 
-@@ -154,6 +155,7 @@ realm_sssd_config_add_domain (RealmIniConfig *config,
- 	g_strfreev (already);
- 
- 	/* Setup a default sssd section */
-+	realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
- 	if (!realm_ini_config_have (config, "sssd", "config_file_version"))
- 		realm_ini_config_set (config, "sssd", "config_file_version", "2", NULL);
- 
-diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
-index 001870d..ff1dc8a 100644
---- a/service/realm-sssd-ipa.c
-+++ b/service/realm-sssd-ipa.c
-@@ -208,7 +208,8 @@ on_ipa_client_do_restart (GObject *source,
- 		                                 "realmd_tags", realmd_tags,
- 		                                 NULL);
- 
--		realm_ini_config_set_list_diff (config, "sssd", "services", ", ", services, NULL);
-+		if (error == NULL)
-+			realm_ini_config_change_list (config, "sssd", "services", ", ", services, NULL, &error);
- 
- 		g_free (home);
- 	}
-diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c
-index 892b9d5..59eab75 100644
---- a/tests/test-sssd-config.c
-+++ b/tests/test-sssd-config.c
-@@ -90,7 +90,7 @@ test_add_domain (Test *test,
-                  gconstpointer unused)
- {
- 	const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
--	const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
-+	const gchar *check = "[domain/one]\nval=1\n[sssd]\ndomains = one, two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
- 	GError *error = NULL;
- 	gchar *output;
- 	gboolean ret;
-@@ -140,7 +140,7 @@ static void
- test_add_domain_only (Test *test,
-                       gconstpointer unused)
- {
--	const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\n\n[domain/two]\ndos = 2\n";
-+	const gchar *check = "\n[sssd]\ndomains = two\nconfig_file_version = 2\nservices = nss, pam\n\n[domain/two]\ndos = 2\n";
- 	GError *error = NULL;
- 	gchar *output;
- 	gboolean ret;
--- 
-2.9.3
-
diff --git a/SPECS-EXTENDED/realmd/0001-service-allow-multiple-names-and-_srv_-ad_server-opt.patch b/SPECS-EXTENDED/realmd/0001-service-allow-multiple-names-and-_srv_-ad_server-opt.patch
new file mode 100644
index 00000000000..c2c8e3e0e99
--- /dev/null
+++ b/SPECS-EXTENDED/realmd/0001-service-allow-multiple-names-and-_srv_-ad_server-opt.patch
@@ -0,0 +1,74 @@
+From 19923985b69ccd5f2a33a067bfc3ed020889377e Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 13 Jun 2023 18:02:52 +0200
+Subject: [PATCH 1/3] service: allow multiple names and _srv_ ad_server option
+
+realmd checks if the 'ad_server' option is set in sssd.conf before
+calling adcli to remove the host from the AD server. If set the value is
+used as value for dcli's '--domain-controller' option. But if multiple
+names are set in sssd.conf this currently fails because the whole string
+is used.
+
+With this patch the 'ad_server' option is properly evaluated and only
+the first domain controller name is used.
+---
+ service/realm-sssd-ad.c | 36 +++++++++++++++++++++++++++++++++++-
+ 1 file changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
+index 2817e73..096b6c5 100644
+--- a/service/realm-sssd-ad.c
++++ b/service/realm-sssd-ad.c
+@@ -649,6 +649,40 @@ realm_sssd_ad_generic_finish (RealmKerberosMembership *realm,
+ 	return g_task_propagate_boolean (G_TASK (result), error);
+ }
+ 
++static gchar *get_ad_server_from_config (RealmKerberos *realm)
++{
++	RealmSssd *sssd = REALM_SSSD (realm);
++	RealmIniConfig *config;
++	const gchar *section;
++	gchar **servers;
++	gchar *tmp;
++	size_t c;
++	gchar *value = NULL;
++
++	config = realm_sssd_get_config (sssd);
++	section = realm_sssd_get_config_section (sssd);
++
++	if (section == NULL) {
++		return NULL;
++	}
++
++	servers = realm_ini_config_get_list (config, section, "ad_server", ",");
++	/* Only use the first server defined given in 'ad_server' and ignore
++	 * '_srv_'. */
++	if (servers != NULL) {
++		for (c = 0; servers[c] != NULL; c++) {
++			tmp = g_strstrip (servers[c]);
++			if (strcasecmp ("_srv_", tmp) != 0) {
++				value = g_strdup (tmp);
++				break;
++			}
++		}
++		g_strfreev (servers);
++	}
++
++	return value;
++}
++
+ static void
+ realm_sssd_ad_discover_myself (RealmKerberos *realm,
+                                RealmDisco *disco)
+@@ -665,7 +699,7 @@ realm_sssd_ad_discover_myself (RealmKerberos *realm,
+ 	if (section == NULL)
+ 		return;
+ 
+-	value = realm_ini_config_get (config, section, "ad_server");
++	value = get_ad_server_from_config (realm);
+ 	g_free (disco->explicit_server);
+ 	disco->explicit_server = value;
+ 
+-- 
+2.43.0
+
diff --git a/SPECS-EXTENDED/realmd/0001-sssd-package-fix.patch b/SPECS-EXTENDED/realmd/0001-sssd-package-fix.patch
new file mode 100644
index 00000000000..acf5dcfcd53
--- /dev/null
+++ b/SPECS-EXTENDED/realmd/0001-sssd-package-fix.patch
@@ -0,0 +1,72 @@
+From 4299bd81279830e48b93f163049179aff14d1402 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 5 Feb 2024 08:58:56 +0100
+Subject: [PATCH] sssd package fix
+
+---
+ dbus/realm-dbus-constants.h           | 1 +
+ service/realm-sssd-ad.c               | 3 +++
+ service/realmd-redhat-authconfig.conf | 5 ++++-
+ service/realmd-redhat.conf            | 5 ++++-
+ 4 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/dbus/realm-dbus-constants.h b/dbus/realm-dbus-constants.h
+index d2c2a8b..e49034b 100644
+--- a/dbus/realm-dbus-constants.h
++++ b/dbus/realm-dbus-constants.h
+@@ -78,6 +78,7 @@ G_BEGIN_DECLS
+ #define   REALM_DBUS_IDENTIFIER_IPA                "ipa"
+ #define   REALM_DBUS_IDENTIFIER_FREEIPA            "freeipa"
+ #define   REALM_DBUS_IDENTIFIER_SSSD               "sssd"
++#define   REALM_DBUS_IDENTIFIER_SSSD_AD            "sssd-ad"
+ #define   REALM_DBUS_IDENTIFIER_SAMBA              "samba"
+ #define   REALM_DBUS_IDENTIFIER_ADCLI              "adcli"
+ #define   REALM_DBUS_IDENTIFIER_EXAMPLE            "example"
+diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
+index 096b6c5..64bb488 100644
+--- a/service/realm-sssd-ad.c
++++ b/service/realm-sssd-ad.c
+@@ -46,18 +46,21 @@ typedef struct {
+ 
+ static const gchar *ADCLI_PACKAGES[] = {
+ 	REALM_DBUS_IDENTIFIER_SSSD,
++	REALM_DBUS_IDENTIFIER_SSSD_AD,
+ 	REALM_DBUS_IDENTIFIER_ADCLI,
+ 	NULL
+ };
+ 
+ static const gchar *SAMBA_PACKAGES[] = {
+ 	REALM_DBUS_IDENTIFIER_SSSD,
++	REALM_DBUS_IDENTIFIER_SSSD_AD,
+ 	REALM_DBUS_IDENTIFIER_SAMBA,
+ 	NULL
+ };
+ 
+ static const gchar *ALL_PACKAGES[] = {
+ 	REALM_DBUS_IDENTIFIER_SSSD,
++	REALM_DBUS_IDENTIFIER_SSSD_AD,
+ 	REALM_DBUS_IDENTIFIER_ADCLI,
+ 	REALM_DBUS_IDENTIFIER_SAMBA,
+ 	NULL
+diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
+index 2b11c30..12ec3c3 100644
+--- a/service/realmd-redhat.conf
++++ b/service/realmd-redhat.conf
+@@ -13,10 +13,13 @@ oddjob = /usr/sbin/oddjobd
+ oddjob-mkhomedir = /usr/libexec/oddjob/mkhomedir
+ 
+ [sssd-packages]
+-sssd = /usr/sbin/sssd
++sssd-common = /usr/sbin/sssd
+ oddjob = /usr/sbin/oddjobd
+ oddjob-mkhomedir = /usr/libexec/oddjob/mkhomedir
+ 
++[sssd-ad-packages]
++sssd-ad = /usr/libexec/sssd/gpo_child
++
+ [adcli-packages]
+ adcli = /usr/sbin/adcli
+ 
+-- 
+2.43.0
+
diff --git a/SPECS-EXTENDED/realmd/0001-switch-to-authselect.patch b/SPECS-EXTENDED/realmd/0001-switch-to-authselect.patch
deleted file mode 100644
index d750d6dbf3b..00000000000
--- a/SPECS-EXTENDED/realmd/0001-switch-to-authselect.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 32645f2fc1ddfb2eed7069fd749602619f26ed37 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
-Date: Mon, 19 Feb 2018 11:51:06 +0100
-Subject: [PATCH] switch to authselect
-
----
- service/realmd-redhat.conf | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/service/realmd-redhat.conf b/service/realmd-redhat.conf
-index e39fad525c716d1ed99715280cd5d497b9039427..26cf6147f352e1b48c3261fa42707d816428f879 100644
---- a/service/realmd-redhat.conf
-+++ b/service/realmd-redhat.conf
-@@ -23,15 +23,15 @@ adcli = /usr/sbin/adcli
- freeipa-client = /usr/sbin/ipa-client-install
- 
- [commands]
--winbind-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablewinbind --enablewinbindauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
--winbind-disable-logins = /usr/sbin/authconfig --update --disablewinbind --disablewinbindauth --nostart
-+winbind-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
-+winbind-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
- winbind-enable-service = /usr/bin/systemctl enable winbind.service
- winbind-disable-service = /usr/bin/systemctl disable winbind.service
- winbind-restart-service = /usr/bin/systemctl restart winbind.service
- winbind-stop-service = /usr/bin/systemctl stop winbind.service
- 
--sssd-enable-logins = /usr/bin/sh -c "/usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
--sssd-disable-logins = /usr/sbin/authconfig --update --disablesssdauth --nostart
-+sssd-enable-logins = /usr/bin/sh -c "/usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service"
-+sssd-disable-logins = /usr/bin/authselect select sssd with-mkhomedir
- sssd-enable-service = /usr/bin/systemctl enable sssd.service
- sssd-disable-service = /usr/bin/systemctl disable sssd.service
- sssd-restart-service = /usr/bin/systemctl restart sssd.service
--- 
-2.9.3
-
diff --git a/SPECS-EXTENDED/realmd/0001-tests-ignore-order-in-test_update_domain.patch b/SPECS-EXTENDED/realmd/0001-tests-ignore-order-in-test_update_domain.patch
deleted file mode 100644
index 2a84abac57b..00000000000
--- a/SPECS-EXTENDED/realmd/0001-tests-ignore-order-in-test_update_domain.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From b6753bd048b4012b11d60c094d1ab6ca181ee50d Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Thu, 21 Feb 2019 21:16:26 +0100
-Subject: [PATCH] tests: ignore order in test_update_domain
-
-Individual options of a domain or in general for a section in an ini
-file are stored by realmd in a hash table. When writing out the ini file
-the options can show up in any order and the unit tests should be aware
-of it.
-
-Resolves: https://gitlab.freedesktop.org/realmd/realmd/issues/19
----
- tests/test-sssd-config.c | 41 ++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 39 insertions(+), 2 deletions(-)
-
-diff --git a/tests/test-sssd-config.c b/tests/test-sssd-config.c
-index 59eab75..8f3fec5 100644
---- a/tests/test-sssd-config.c
-+++ b/tests/test-sssd-config.c
-@@ -163,12 +163,49 @@ test_add_domain_only (Test *test,
- 	g_free (output);
- }
- 
-+static void check_for_test_update_domain (char *new)
-+{
-+	char *token;
-+	char *saveptr;
-+	size_t c;
-+	int result = 0;
-+
-+	token = strtok_r (new, "\n", &saveptr);
-+	g_assert_nonnull (token);
-+	g_assert_cmpstr (token, ==, "[domain/one]");
-+
-+	for (c = 0; c < 3; c++) {
-+		token = strtok_r (NULL, "\n", &saveptr);
-+		g_assert_nonnull (token);
-+		if (strcmp (token, "val=1") == 0) {
-+			result += 1;
-+		} else if (strcmp (token, "uno = 1") == 0) {
-+			result += 2;
-+		} else if (strcmp (token, "eins = one") == 0) {
-+			result += 4;
-+		} else {
-+			g_assert_not_reached ();
-+		}
-+	}
-+	g_assert_cmpint (result, ==, 7);
-+
-+	token = strtok_r (NULL, "\n", &saveptr);
-+	g_assert_nonnull (token);
-+	g_assert_cmpstr (token, ==, "[sssd]");
-+
-+	token = strtok_r (NULL, "\n", &saveptr);
-+	g_assert_nonnull (token);
-+	g_assert_cmpstr (token, ==, "domains=one");
-+
-+	token = strtok_r (NULL, "\n", &saveptr);
-+	g_assert_null (token);
-+}
-+
- static void
- test_update_domain (Test *test,
-                     gconstpointer unused)
- {
- 	const gchar *data = "[domain/one]\nval=1\n[sssd]\ndomains=one";
--	const gchar *check = "[domain/one]\nval=1\nuno = 1\neins = one\n[sssd]\ndomains=one";
- 	GError *error = NULL;
- 	gchar *output;
- 	gboolean ret;
-@@ -190,7 +227,7 @@ test_update_domain (Test *test,
- 	g_assert_no_error (error);
- 	g_assert (ret == TRUE);
- 
--	g_assert_cmpstr (check, ==, output);
-+	check_for_test_update_domain (output);
- 	g_free (output);
- }
- 
--- 
-2.20.1
-
diff --git a/SPECS-EXTENDED/realmd/0001-tests-run-tests-with-python3.patch b/SPECS-EXTENDED/realmd/0001-tests-run-tests-with-python3.patch
deleted file mode 100644
index 607afa44655..00000000000
--- a/SPECS-EXTENDED/realmd/0001-tests-run-tests-with-python3.patch
+++ /dev/null
@@ -1,374 +0,0 @@
-From c257850912897a07e20f205faecf3c1b692fa9e9 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 4 Jul 2018 16:41:16 +0200
-Subject: [PATCH] tests: run tests with python3
-
-To allow the test to run with python3 build/tap-driver and
-build/tap-gtester are updated to the latest version provided by the
-cockpit project https://github.com/cockpit-project/cockpit.
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1595813
----
- build/tap-driver  | 104 +++++++++++++++++++++++++++++++++++++++++++-----------
- build/tap-gtester |  59 ++++++++++++++++++++++---------
- 2 files changed, 125 insertions(+), 38 deletions(-)
-
-diff --git a/build/tap-driver b/build/tap-driver
-index 42f57c8..241fd50 100755
---- a/build/tap-driver
-+++ b/build/tap-driver
-@@ -1,4 +1,5 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
-+# This can also be run with Python 2.
- 
- # Copyright (C) 2013 Red Hat, Inc.
- #
-@@ -29,20 +30,58 @@
- #
- 
- import argparse
-+import fcntl
- import os
- import select
-+import struct
- import subprocess
- import sys
-+import termios
-+import errno
-+
-+_PY3 = sys.version[0] >= '3'
-+_str = _PY3 and str or unicode
-+
-+def out(data, stream=None, flush=False):
-+    if not isinstance(data, bytes):
-+        data = data.encode("UTF-8")
-+    if not stream:
-+        stream = _PY3 and sys.stdout.buffer or sys.stdout
-+    while True:
-+        try:
-+            if data:
-+                stream.write(data)
-+            data = None
-+            if flush:
-+                stream.flush()
-+            flush = False
-+            break
-+        except IOError as e:
-+            if e.errno == errno.EAGAIN:
-+                continue
-+            raise
-+
-+def terminal_width():
-+    try:
-+        h, w, hp, wp = struct.unpack('HHHH',
-+            fcntl.ioctl(1, termios.TIOCGWINSZ,
-+            struct.pack('HHHH', 0, 0, 0, 0)))
-+        return w
-+    except IOError as e:
-+        if e.errno != errno.ENOTTY:
-+            sys.stderr.write("%i %s %s\n" % (e.errno, e.strerror, sys.exc_info()))
-+        return sys.maxsize
- 
- class Driver:
-     def __init__(self, args):
-         self.argv = args.command
-         self.test_name = args.test_name
--        self.log = open(args.log_file, "w")
--        self.log.write("# %s\n" % " ".join(sys.argv))
-+        self.log = open(args.log_file, "wb")
-+        self.log.write(("# %s\n" % " ".join(sys.argv)).encode("UTF-8"))
-         self.trs = open(args.trs_file, "w")
-         self.color_tests = args.color_tests
-         self.expect_failure = args.expect_failure
-+        self.width = terminal_width() - 9
- 
-     def report(self, code, *args):
-         CODES = {
-@@ -57,17 +96,18 @@ class Driver:
-         # Print out to console
-         if self.color_tests:
-             if code in CODES:
--                sys.stdout.write(CODES[code])
--        sys.stdout.write(code)
-+                out(CODES[code])
-+        out(code)
-         if self.color_tests:
--            sys.stdout.write('\x1b[m')
--        sys.stdout.write(": ")
--        sys.stdout.write(self.test_name)
--        sys.stdout.write(" ")
--        for arg in args:
--            sys.stdout.write(str(arg))
--        sys.stdout.write("\n")
--        sys.stdout.flush()
-+            out('\x1b[m')
-+        out(": ")
-+        msg = "".join([ self.test_name + " " ] + list(map(_str, args)))
-+        if code == "PASS" and len(msg) > self.width:
-+            out(msg[:self.width])
-+            out("...")
-+        else:
-+            out(msg)
-+        out("\n", flush=True)
- 
-         # Book keeping
-         if code in CODES:
-@@ -100,12 +140,14 @@ class Driver:
-     def execute(self):
-         try:
-             proc = subprocess.Popen(self.argv, close_fds=True,
-+                                    stdin=subprocess.PIPE,
-                                     stdout=subprocess.PIPE,
-                                     stderr=subprocess.PIPE)
--        except OSError, ex:
-+        except OSError as ex:
-             self.report_error("Couldn't run %s: %s" % (self.argv[0], str(ex)))
-             return
- 
-+        proc.stdin.close()
-         outf = proc.stdout.fileno()
-         errf = proc.stderr.fileno()
-         rset = [outf, errf]
-@@ -113,18 +155,25 @@ class Driver:
-             ret = select.select(rset, [], [], 10)
-             if outf in ret[0]:
-                 data = os.read(outf, 1024)
--                if data == "":
-+                if data == b"":
-                     rset.remove(outf)
-                 self.log.write(data)
-                 self.process(data)
-             if errf in ret[0]:
-                 data = os.read(errf, 1024)
--                if data == "":
-+                if data == b"":
-                     rset.remove(errf)
-                 self.log.write(data)
--                sys.stderr.write(data)
-+                stream = _PY3 and sys.stderr.buffer or sys.stderr
-+                out(data, stream=stream, flush=True)
- 
-         proc.wait()
-+
-+        # Make sure the test didn't change blocking output
-+        assert fcntl.fcntl(0, fcntl.F_GETFL) & os.O_NONBLOCK == 0
-+        assert fcntl.fcntl(1, fcntl.F_GETFL) & os.O_NONBLOCK == 0
-+        assert fcntl.fcntl(2, fcntl.F_GETFL) & os.O_NONBLOCK == 0
-+
-         return proc.returncode
- 
- 
-@@ -137,6 +186,7 @@ class TapDriver(Driver):
-         self.late_plan = False
-         self.errored = False
-         self.bail_out = False
-+        self.skip_all_reason = None
- 
-     def report(self, code, num, *args):
-         if num:
-@@ -170,13 +220,19 @@ class TapDriver(Driver):
-         else:
-             self.result_fail(num, description)
- 
--    def consume_test_plan(self, first, last):
-+    def consume_test_plan(self, line):
-         # Only one test plan is supported
-         if self.test_plan:
-             self.report_error("Get a second TAP test plan")
-             return
- 
-+        if line.lower().startswith('1..0 # skip'):
-+            self.skip_all_reason = line[5:].strip()
-+            self.bail_out = True
-+            return
-+
-         try:
-+            (first, unused, last) = line.partition("..")
-             first = int(first)
-             last = int(last)
-         except ValueError:
-@@ -192,7 +248,7 @@ class TapDriver(Driver):
- 
-     def process(self, output):
-         if output:
--            self.output += output
-+            self.output += output.decode("UTF-8")
-         elif self.output:
-             self.output += "\n"
-         (ready, unused, self.output) = self.output.rpartition("\n")
-@@ -202,8 +258,7 @@ class TapDriver(Driver):
-             elif line.startswith("not ok "):
-                 self.consume_test_line(False, line[7:])
-             elif line and line[0].isdigit() and ".." in line:
--                (first, unused, last) = line.partition("..")
--                self.consume_test_plan(first, last)
-+                self.consume_test_plan(line)
-             elif line.lower().startswith("bail out!"):
-                 self.consume_bail_out(line)
- 
-@@ -213,6 +268,13 @@ class TapDriver(Driver):
-         failed = False
-         skipped = True
- 
-+        if self.skip_all_reason is not None:
-+            self.result_skip("skipping:", self.skip_all_reason)
-+            self.trs.write(":global-test-result: SKIP\n")
-+            self.trs.write(":test-global-result: SKIP\n")
-+            self.trs.write(":recheck: no\n")
-+            return 0
-+
-         # Basic collation of results
-         for (num, code) in self.reported.items():
-             if code == "ERROR":
-diff --git a/build/tap-gtester b/build/tap-gtester
-index 7e667d4..bbda266 100755
---- a/build/tap-gtester
-+++ b/build/tap-gtester
-@@ -1,4 +1,5 @@
--#!/usr/bin/python
-+#!/usr/bin/python3
-+# This can also be run with Python 2.
- 
- # Copyright (C) 2014 Red Hat, Inc.
- #
-@@ -30,9 +31,19 @@
- import argparse
- import os
- import select
-+import signal
- import subprocess
- import sys
- 
-+# Yes, it's dumb, but strsignal is not exposed in python
-+# In addition signal numbers varify heavily from arch to arch
-+def strsignal(sig):
-+    for name in dir(signal):
-+        if name.startswith("SIG") and sig == getattr(signal, name):
-+            return name
-+    return str(sig)
-+
-+
- class NullCompiler:
-     def __init__(self, command):
-         self.command = command
-@@ -76,22 +87,22 @@ class GTestCompiler(NullCompiler):
-            elif cmd == "result":
-                if self.test_name:
-                    if data == "OK":
--                       print "ok %d %s" % (self.test_num, self.test_name)
-+                       print("ok %d %s" % (self.test_num, self.test_name))
-                    if data == "FAIL":
--                       print "not ok %d %s", (self.test_num, self.test_name)
-+                       print("not ok %d %s" % (self.test_num, self.test_name))
-                self.test_name = None
-            elif cmd == "skipping":
-                if "/subprocess" not in data:
--                   print "ok %d # skip -- %s" % (self.test_num, data)
-+                   print("ok %d # skip -- %s" % (self.test_num, data))
-                self.test_name = None
-            elif data:
--               print "# %s: %s" % (cmd, data)
-+               print("# %s: %s" % (cmd, data))
-            else:
--               print "# %s" % cmd
-+               print("# %s" % cmd)
-         elif line.startswith("(MSG: "):
--            print "# %s" % line[6:-1]
-+            print("# %s" % line[6:-1])
-         elif line:
--            print "# %s" % line
-+            print("# %s" % line)
-         sys.stdout.flush()
- 
-     def run(self, proc, output=""):
-@@ -106,22 +117,26 @@ class GTestCompiler(NullCompiler):
-             if line.startswith("/"):
-                 self.test_remaining.append(line.strip())
-         if not self.test_remaining:
--            print "Bail out! No tests found in GTest: %s" % self.command[0]
-+            print("Bail out! No tests found in GTest: %s" % self.command[0])
-             return 0
- 
--        print "1..%d" % len(self.test_remaining)
-+        print("1..%d" % len(self.test_remaining))
- 
-         # First try to run all the tests in a batch
--        proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True, stdout=subprocess.PIPE)
-+        proc = subprocess.Popen(self.command + ["--verbose" ], close_fds=True,
-+                                stdout=subprocess.PIPE, universal_newlines=True)
-         result = self.process(proc)
-         if result == 0:
-             return 0
- 
-+        if result < 0:
-+            sys.stderr.write("%s terminated with %s\n" % (self.command[0], strsignal(-result)))
-+
-         # Now pick up any stragglers due to failures
-         while True:
-             # Assume that the last test failed
-             if self.test_name:
--                print "not ok %d %s" % (self.test_num, self.test_name)
-+                print("not ok %d %s" % (self.test_num, self.test_name))
-                 self.test_name = None
- 
-             # Run any tests which didn't get run
-@@ -129,7 +144,8 @@ class GTestCompiler(NullCompiler):
-                 break
- 
-             proc = subprocess.Popen(self.command + ["--verbose", "-p", self.test_remaining[0]],
--                                    close_fds=True, stdout=subprocess.PIPE)
-+                                    close_fds=True, stdout=subprocess.PIPE,
-+                                    universal_newlines=True)
-             result = self.process(proc)
- 
-             # The various exit codes and signals we continue for
-@@ -139,24 +155,32 @@ class GTestCompiler(NullCompiler):
-         return result
- 
- def main(argv):
--    parser = argparse.ArgumentParser(description='Automake TAP compiler')
-+    parser = argparse.ArgumentParser(description='Automake TAP compiler',
-+                                     usage="tap-gtester [--format FORMAT] command ...")
-     parser.add_argument('--format', metavar='FORMAT', choices=[ "auto", "gtest", "tap" ],
-                         default="auto", help='The input format to compile')
-     parser.add_argument('--verbose', action='store_true',
-                         default=True, help='Verbose mode (ignored)')
--    parser.add_argument('command', nargs='+', help="A test command to run")
-+    parser.add_argument('command', nargs=argparse.REMAINDER, help="A test command to run")
-     args = parser.parse_args(argv[1:])
- 
-     output = None
-     format = args.format
-     cmd = args.command
-+    if not cmd:
-+        sys.stderr.write("tap-gtester: specify a command to run\n")
-+        return 2
-+    if cmd[0] == '--':
-+        cmd.pop(0)
-+
-     proc = None
- 
-     os.environ['HARNESS_ACTIVE'] = '1'
- 
-     if format in ["auto", "gtest"]:
-         list_cmd = cmd + ["-l", "--verbose"]
--        proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE)
-+        proc = subprocess.Popen(list_cmd, close_fds=True, stdout=subprocess.PIPE,
-+                                universal_newlines=True)
-         output = proc.stdout.readline()
-         # Smell whether we're dealing with GTest list output from first line
-         if "random seed" in output or "GTest" in output or output.startswith("/"):
-@@ -164,7 +188,8 @@ def main(argv):
-         else:
-             format = "tap"
-     else:
--        proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE)
-+        proc = subprocess.Popen(cmd, close_fds=True, stdout=subprocess.PIPE,
-+                                universal_newlines=True)
- 
-     if format == "gtest":
-         compiler = GTestCompiler(cmd)
--- 
-2.14.4
-
diff --git a/SPECS-EXTENDED/realmd/0001-tools-fix-ccache-handling-for-leave-operation.patch b/SPECS-EXTENDED/realmd/0001-tools-fix-ccache-handling-for-leave-operation.patch
new file mode 100644
index 00000000000..01a3a2adcc4
--- /dev/null
+++ b/SPECS-EXTENDED/realmd/0001-tools-fix-ccache-handling-for-leave-operation.patch
@@ -0,0 +1,69 @@
+From f648ae06012d1de137f12095d1bd7aaacb382042 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Wed, 10 Jan 2024 09:18:20 +0100
+Subject: [PATCH] tools: fix ccache handling for leave operation
+
+krb5_cc_initialize() must be called before anything can be written into
+a ccache.
+
+While checking the available credential types the order/preference was
+not respected.
+
+Resolves: https://issues.redhat.com/browse/SSSD-6420
+---
+ tools/realm-client.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/tools/realm-client.c b/tools/realm-client.c
+index c386e64..06420ea 100644
+--- a/tools/realm-client.c
++++ b/tools/realm-client.c
+@@ -498,13 +498,16 @@ are_credentials_supported (GVariant *supported,
+ 	GVariantIter iter;
+ 	const gchar *type;
+ 	const gchar *owner;
+-
+-	g_variant_iter_init (&iter, supported);
+-	while (g_variant_iter_loop (&iter, "(&s&s)", &type, &owner)) {
+-		if (g_strcmp0 (credential_type_1, type) == 0 ||
+-		    g_strcmp0 (credential_type_2, type) == 0) {
+-			*ret_owner = owner;
+-			return type;
++	const gchar *list[] = {credential_type_1, credential_type_2, NULL};
++	size_t c;
++
++	for (c = 0; list[c] != NULL; c++) {
++		g_variant_iter_init (&iter, supported);
++		while (g_variant_iter_loop (&iter, "(&s&s)", &type, &owner)) {
++			if (g_strcmp0 (list[c], type) == 0) {
++				*ret_owner = owner;
++				return type;
++			}
+ 		}
+ 	}
+ 
+@@ -622,8 +625,6 @@ copy_to_ccache (krb5_context krb5,
+ 	memset (&mcred, 0, sizeof (mcred));
+ 	mcred.client = principal;
+ 	mcred.server = server;
+-	mcred.times.starttime = g_get_real_time () / G_TIME_SPAN_MILLISECOND;
+-	mcred.times.endtime = mcred.times.starttime;
+ 
+ 	code = krb5_cc_retrieve_cred (krb5, def_ccache, KRB5_TC_MATCH_TIMES,
+ 	                              &mcred, &creds);
+@@ -639,6 +640,12 @@ copy_to_ccache (krb5_context krb5,
+ 		return FALSE;
+ 	}
+ 
++	code = krb5_cc_initialize (krb5, ccache, creds.client);
++	if (code != 0) {
++		g_debug ("krb5_cc_initialize failed: %s", krb5_get_error_message (krb5, code));
++		return FALSE;
++	}
++
+ 	code = krb5_cc_store_cred (krb5, ccache, &creds);
+ 	krb5_free_cred_contents (krb5, &creds);
+ 
+-- 
+2.43.0
+
diff --git a/SPECS-EXTENDED/realmd/0002-Change-qualified-names-default-for-IPA.patch b/SPECS-EXTENDED/realmd/0002-Change-qualified-names-default-for-IPA.patch
deleted file mode 100644
index 4ac6c6d413d..00000000000
--- a/SPECS-EXTENDED/realmd/0002-Change-qualified-names-default-for-IPA.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-From 21ab1fdd127d242a9b4e95c3c90dd2bf3159d149 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 14 Aug 2018 16:44:39 +0200
-Subject: [PATCH 2/3] Change qualified names default for IPA
-
-In a FreeIPA domain it is typically expected that the IPA accounts use
-sort names while accounts from trusted domains have fully qualified
-names. This is automatically done by SSSD's IPA provider so there is no
-need to force fully qualified names in the SSSD configuration.
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1575538
----
- service/realm-options.c       | 9 +++++----
- service/realm-options.h       | 3 ++-
- service/realm-samba-winbind.c | 2 +-
- service/realm-sssd-ad.c       | 2 +-
- service/realm-sssd-ipa.c      | 2 +-
- 5 files changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/service/realm-options.c b/service/realm-options.c
-index bd804ea..34a209f 100644
---- a/service/realm-options.c
-+++ b/service/realm-options.c
-@@ -98,7 +98,7 @@ realm_options_automatic_mapping (GVariant *options,
- 
- 	if (realm_name && !option) {
- 		section = g_utf8_casefold (realm_name, -1);
--		mapping = realm_settings_boolean (realm_name, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
-+		mapping = realm_settings_boolean (section, REALM_DBUS_OPTION_AUTOMATIC_ID_MAPPING, TRUE);
- 		g_free (section);
- 	}
- 
-@@ -112,20 +112,21 @@ realm_options_automatic_join (const gchar *realm_name)
- 	gboolean mapping;
- 
- 	section = g_utf8_casefold (realm_name, -1);
--	mapping = realm_settings_boolean (realm_name, "automatic-join", FALSE);
-+	mapping = realm_settings_boolean (section, "automatic-join", FALSE);
- 	g_free (section);
- 
- 	return mapping;
- }
- 
- gboolean
--realm_options_qualify_names (const gchar *realm_name)
-+realm_options_qualify_names (const gchar *realm_name,
-+                             gboolean def)
- {
- 	gchar *section;
- 	gboolean qualify;
- 
- 	section = g_utf8_casefold (realm_name, -1);
--	qualify = realm_settings_boolean (realm_name, "fully-qualified-names", TRUE);
-+	qualify = realm_settings_boolean (section, "fully-qualified-names", def);
- 	g_free (section);
- 
- 	return qualify;
-diff --git a/service/realm-options.h b/service/realm-options.h
-index 7a1355e..b71d219 100644
---- a/service/realm-options.h
-+++ b/service/realm-options.h
-@@ -37,7 +37,8 @@ const gchar *  realm_options_user_principal           (GVariant *options,
- gboolean       realm_options_automatic_mapping        (GVariant *options,
- 						       const gchar *realm_name);
- 
--gboolean       realm_options_qualify_names            (const gchar *realm_name);
-+gboolean       realm_options_qualify_names            (const gchar *realm_name,
-+                                                       gboolean def);
- 
- gboolean       realm_options_check_domain_name        (const gchar *domain_name);
- 
-diff --git a/service/realm-samba-winbind.c b/service/realm-samba-winbind.c
-index 9335e26..61988eb 100644
---- a/service/realm-samba-winbind.c
-+++ b/service/realm-samba-winbind.c
-@@ -102,7 +102,7 @@ realm_samba_winbind_configure_async (RealmIniConfig *config,
- 		                      "winbind enum groups", "no",
- 		                      "winbind offline logon", "yes",
- 		                      "winbind refresh tickets", "yes",
--		                      "winbind use default domain", realm_options_qualify_names (domain_name )? "no" : "yes",
-+		                      "winbind use default domain", realm_options_qualify_names (domain_name, TRUE )? "no" : "yes",
- 		                      "template shell", realm_settings_string ("users", "default-shell"),
- 		                      NULL);
- 
-diff --git a/service/realm-sssd-ad.c b/service/realm-sssd-ad.c
-index 8543ca8..de7ce30 100644
---- a/service/realm-sssd-ad.c
-+++ b/service/realm-sssd-ad.c
-@@ -172,7 +172,7 @@ configure_sssd_for_domain (RealmIniConfig *config,
- 	gchar *home;
- 
- 	home = realm_sssd_build_default_home (realm_settings_string ("users", "default-home"));
--	qualify = realm_options_qualify_names (disco->domain_name);
-+	qualify = realm_options_qualify_names (disco->domain_name, TRUE);
- 	shell = realm_settings_string ("users", "default-shell");
- 	explicit_computer_name = realm_options_computer_name (options, disco->domain_name);
- 	realmd_tags = g_string_new ("");
-diff --git a/service/realm-sssd-ipa.c b/service/realm-sssd-ipa.c
-index ff1dc8a..5029f6b 100644
---- a/service/realm-sssd-ipa.c
-+++ b/service/realm-sssd-ipa.c
-@@ -201,7 +201,7 @@ on_ipa_client_do_restart (GObject *source,
- 
- 		realm_sssd_config_update_domain (config, domain, &error,
- 		                                 "cache_credentials", "True",
--		                                 "use_fully_qualified_names", realm_options_qualify_names (domain) ? "True" : "False",
-+		                                 "use_fully_qualified_names", realm_options_qualify_names (domain, FALSE) ? "True" : "False",
- 		                                 "krb5_store_password_if_offline", "True",
- 		                                 "default_shell", shell,
- 		                                 "fallback_homedir", home,
--- 
-2.17.1
-
diff --git a/SPECS-EXTENDED/realmd/0002-service-fix-error-message-when-removing-host-from-AD.patch b/SPECS-EXTENDED/realmd/0002-service-fix-error-message-when-removing-host-from-AD.patch
new file mode 100644
index 00000000000..c5968d3967b
--- /dev/null
+++ b/SPECS-EXTENDED/realmd/0002-service-fix-error-message-when-removing-host-from-AD.patch
@@ -0,0 +1,88 @@
+From d691c679c1531b3eb457c494141bafdc4e0bc692 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 1 Dec 2023 12:14:06 +0100
+Subject: [PATCH 2/3] service: fix error message when removing host from AD
+
+If there is an error while trying to remove the host from AD with the
+help of adcli the error message talks about "joining" which might be
+irritating when figuring out the reason for the failure. This patch
+adds a better message when leaving the domain.
+---
+ service/realm-adcli-enroll.c | 34 +++++++++++++++++++++++++++-------
+ 1 file changed, 27 insertions(+), 7 deletions(-)
+
+diff --git a/service/realm-adcli-enroll.c b/service/realm-adcli-enroll.c
+index e0d752b..c913987 100644
+--- a/service/realm-adcli-enroll.c
++++ b/service/realm-adcli-enroll.c
+@@ -25,9 +25,10 @@
+ #include "realm-settings.h"
+ 
+ static void
+-on_join_process (GObject *source,
+-                 GAsyncResult *result,
+-                 gpointer user_data)
++on_join_leave_process (GObject *source,
++                       GAsyncResult *result,
++                       gpointer user_data,
++                       gboolean is_join)
+ {
+ 	GTask *task = G_TASK (user_data);
+ 	GError *error = NULL;
+@@ -39,15 +40,18 @@ on_join_process (GObject *source,
+ 		switch (status) {
+ 		case 2: /* ADCLI_ERR_UNEXPECTED */
+ 			g_set_error (&error, REALM_ERROR, REALM_ERROR_INTERNAL,
+-			             "Internal unexpected error joining the domain");
++			             is_join ? "Internal unexpected error joining the domain"
++			                     : "Internal unexpected error removing host from the domain");
+ 			break;
+ 		case 6: /* ADCLI_ERR_CREDENTIALS */
+ 			g_set_error (&error, REALM_ERROR, REALM_ERROR_AUTH_FAILED,
+-			             "Insufficient permissions to join the domain");
++			             is_join ? "Insufficient permissions to join the domain"
++			                     : "Insufficient permissions to remove the host from the domain");
+ 			break;
+ 		default:
+ 			g_set_error (&error, REALM_ERROR, REALM_ERROR_FAILED,
+-			             "Failed to join the domain");
++			             is_join ? "Failed to join the domain"
++			                     : "Failed to remove the host from the domain");
+ 			break;
+ 		}
+ 	}
+@@ -64,6 +68,22 @@ on_join_process (GObject *source,
+ 	g_object_unref (task);
+ }
+ 
++static void
++on_join_process (GObject *source,
++                 GAsyncResult *result,
++                 gpointer user_data)
++{
++	on_join_leave_process (source, result, user_data, TRUE);
++}
++
++static void
++on_leave_process (GObject *source,
++                  GAsyncResult *result,
++                  gpointer user_data)
++{
++	on_join_leave_process (source, result, user_data, FALSE);
++}
++
+ void
+ realm_adcli_enroll_join_async (RealmDisco *disco,
+                                RealmCredential *cred,
+@@ -290,7 +310,7 @@ realm_adcli_enroll_delete_async (RealmDisco *disco,
+ 	g_ptr_array_add (args, NULL);
+ 
+ 	realm_command_runv_async ((gchar **)args->pdata, environ, input,
+-	                          invocation, on_join_process,
++	                          invocation, on_leave_process,
+ 	                          g_object_ref (task));
+ 
+ 	g_ptr_array_free (args, TRUE);
+-- 
+2.43.0
+
diff --git a/SPECS-EXTENDED/realmd/0003-discover-try-to-get-domain-name-from-hostname.patch b/SPECS-EXTENDED/realmd/0003-discover-try-to-get-domain-name-from-hostname.patch
deleted file mode 100644
index b611d6c8ada..00000000000
--- a/SPECS-EXTENDED/realmd/0003-discover-try-to-get-domain-name-from-hostname.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 5e28cf702ad338e399f8fff0b3fa18736a297318 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Tue, 21 Aug 2018 13:09:20 +0200
-Subject: [PATCH 3/3] discover: try to get domain name from hostname
-
-If there is no domain name returned by DHCP check if the hostname
-contains a domain part and use this to discover a realm.
-
-Related to https://bugzilla.redhat.com/show_bug.cgi?id=1619162
----
- service/realm-provider.c | 28 +++++++++++++++++++++++++++-
- 1 file changed, 27 insertions(+), 1 deletion(-)
-
-diff --git a/service/realm-provider.c b/service/realm-provider.c
-index d647c7a..258e8e1 100644
---- a/service/realm-provider.c
-+++ b/service/realm-provider.c
-@@ -28,6 +28,8 @@
- #include <glib/gi18n.h>
- #include <gio/gio.h>
- 
-+#include <errno.h>
-+
- #define TIMEOUT_SECONDS 15
- 
- G_DEFINE_TYPE (RealmProvider, realm_provider, G_TYPE_DBUS_OBJECT_SKELETON);
-@@ -181,6 +183,25 @@ on_discover_complete (GObject *source,
- 	return_discover_result (method, realms, relevance, error);
- }
- 
-+static gchar *
-+get_domain_from_hostname (void)
-+{
-+	gchar hostname[HOST_NAME_MAX + 1];
-+	gchar *dot;
-+
-+	if (gethostname (hostname, sizeof (hostname)) < 0) {
-+		g_warning ("Couldn't get the computer host name: %s", g_strerror (errno));
-+		return NULL;
-+	}
-+
-+	dot = strchr (hostname, '.');
-+	if (dot != NULL) {
-+		return g_strdup (dot + 1);
-+	}
-+
-+	return NULL;
-+}
-+
- static void
- on_discover_default (GObject *source,
-                      GAsyncResult *result,
-@@ -195,6 +216,10 @@ on_discover_default (GObject *source,
- 		g_clear_error (&error);
- 	}
- 
-+	if (method->string == NULL) {
-+		method->string = get_domain_from_hostname ();
-+	}
-+
- 	if (method->string) {
- 		g_strstrip (method->string);
- 		if (g_str_equal (method->string, "")) {
-@@ -210,7 +235,8 @@ on_discover_default (GObject *source,
- 		                         on_discover_complete, method);
- 
- 	} else {
--		realm_diagnostics_info (method->invocation, "No default domain received via DHCP");
-+		realm_diagnostics_info (method->invocation,
-+		                        "No default domain received via DHCP or given by hostname");
- 		return_discover_result (method, NULL, 0, NULL);
- 	}
- }
--- 
-2.17.1
-
diff --git a/SPECS-EXTENDED/realmd/0003-doc-fix-reference-in-realmd.conf-man-page.patch b/SPECS-EXTENDED/realmd/0003-doc-fix-reference-in-realmd.conf-man-page.patch
new file mode 100644
index 00000000000..a03a09a018a
--- /dev/null
+++ b/SPECS-EXTENDED/realmd/0003-doc-fix-reference-in-realmd.conf-man-page.patch
@@ -0,0 +1,26 @@
+From 56aedbceec3e6ff0d6142a16ca0c343c523b6d7a Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 1 Dec 2023 13:07:10 +0100
+Subject: [PATCH 3/3] doc: fix reference in realmd.conf man page
+
+---
+ doc/manual/realmd.conf.xml | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
+index 72b706c..ad17639 100644
+--- a/doc/manual/realmd.conf.xml
++++ b/doc/manual/realmd.conf.xml
+@@ -110,7 +110,8 @@ default-client = sssd
+ 		</para>
+ 
+ 		<para>Some callers of <command>realmd</command> such as the
+-		<link linkend="realm"><command>realm</command></link>
++		<citerefentry><refentrytitle>realm</refentrytitle>
++		<manvolnum>8</manvolnum></citerefentry>
+ 		command line tool allow specifying which client software should
+ 		be used. Others, such as GNOME Control Center, simplify choose
+ 		the default.</para>
+-- 
+2.43.0
+
diff --git a/SPECS-EXTENDED/realmd/realmd.signatures.json b/SPECS-EXTENDED/realmd/realmd.signatures.json
index c9c5ecf0e0e..48cec3d11e8 100644
--- a/SPECS-EXTENDED/realmd/realmd.signatures.json
+++ b/SPECS-EXTENDED/realmd/realmd.signatures.json
@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "realmd-0.16.3.tar.gz": "d8943f66a2a666fee8be026d82a66904c0a5125aab7ef74504456ce269687dda"
+  "realmd-0.17.1.tar.gz": "2eb12cc6e023c3dd1e2691b893f9841f0a679ba3feb3c8d0bc71891424ebec5f"
  }
 }
diff --git a/SPECS-EXTENDED/realmd/realmd.spec b/SPECS-EXTENDED/realmd/realmd.spec
index ba1452e645d..72ef2bb5c35 100644
--- a/SPECS-EXTENDED/realmd/realmd.spec
+++ b/SPECS-EXTENDED/realmd/realmd.spec
@@ -1,36 +1,19 @@
 Name:		realmd
-Version:	0.16.3
-Release:	25%{?dist}
+Version:	0.17.1
+Release:	1%{?dist}
 Summary:	Kerberos realm enrollment service
 License:	LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
-URL:		http://cgit.freedesktop.org/realmd/realmd/
-Source0:	http://www.freedesktop.org/software/realmd/releases/realmd-%{version}.tar.gz
+URL:		https://gitlab.freedesktop.org/realmd/realmd
+Source0:	https://gitlab.freedesktop.org/realmd/realmd/-/archive/0.17.1/realmd-%{version}.tar.gz
 
-Patch1:		0001-LDAP-don-t-close-LDAP-socket-twice.patch
-Patch2:		0001-service-Add-nss-and-pam-sssd.conf-services-after-joi.patch
-Patch3:		0001-Kerberos-fall-back-to-tcp-SRV-lookup.patch
-Patch4:		0001-service-Add-pam-and-nss-services-in-realm_sssd_confi.patch
-Patch5:		0001-switch-to-authselect.patch
-Patch6:		0001-Fix-man-page-reference-in-systemd-service-file.patch
-Patch7:		0001-Use-current-idmap-options-for-smb.conf.patch
-Patch8:		0001-Find-NetBIOS-name-in-keytab-while-leaving.patch
-Patch9:		0001-tests-run-tests-with-python3.patch
-
-Patch10:	0001-Fix-issues-found-by-Coverity.patch
-Patch11:	0002-Change-qualified-names-default-for-IPA.patch
-Patch12:	0003-discover-try-to-get-domain-name-from-hostname.patch
-
-Patch13:	0001-IPA-do-not-call-sssd-enable-logins.patch
-
-Patch14:	0001-Set-NEWEST-flag-when-resolving-packages-with-Package.patch
-
-# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1675879
-Patch15:	0001-tests-ignore-order-in-test_update_domain.patch
-
-# Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1736578
-Patch16:	0001-Remove-support-for-deprecated-gtester-format.patch
+Patch1:	        0001-service-allow-multiple-names-and-_srv_-ad_server-opt.patch			
+Patch2:		0002-service-fix-error-message-when-removing-host-from-AD.patch
+Patch3:		0003-doc-fix-reference-in-realmd.conf-man-page.patch
+Patch4:		0001-sssd-package-fix.patch
+Patch5:		0001-tools-fix-ccache-handling-for-leave-operation.patch
+Patch6:		0001-ipa-Propagate-hostname-error.patch
 
 BuildRequires:	gcc
 BuildRequires:	perl(File::Find)
@@ -43,6 +26,7 @@ BuildRequires:	openldap-devel
 BuildRequires:	polkit-devel
 BuildRequires:	krb5-devel
 BuildRequires:	systemd-devel
+BuildRequires:  systemd-units
 BuildRequires:	libxslt
 BuildRequires:	xmlto
 BuildRequires:	python3
@@ -51,6 +35,7 @@ BuildRequires:  e2fsprogs-devel
 Requires:	authselect
 Requires:	polkit
 
+
 %description
 realmd is a DBus system service which manages discovery and enrollment in realms
 and domains like Active Directory or IPA. The control center uses realmd as the
@@ -82,6 +67,14 @@ make check
 make install DESTDIR=%{buildroot}
 
 %find_lang realmd
+%post
+%systemd_post realmd.service
+
+%preun
+%systemd_preun realmd.service
+
+%postun
+%systemd_postun_with_restart realmd.service
 
 %files -f realmd.lang
 %license COPYING
@@ -89,7 +82,7 @@ make install DESTDIR=%{buildroot}
 %{_sysconfdir}/dbus-1/system.d/org.freedesktop.realmd.conf
 %{_sbindir}/realm
 %dir %{_prefix}/lib/realmd
-%{_prefix}/lib/realmd/realmd
+%{_libexecdir}/realmd
 %{_prefix}/lib/realmd/realmd-defaults.conf
 %{_prefix}/lib/realmd/realmd-distro.conf
 %{_unitdir}/realmd.service
@@ -102,6 +95,9 @@ make install DESTDIR=%{buildroot}
 %doc ChangeLog
 
 %changelog
+* Thu Sept 26 2024 Jyoti kanase <v-jykanase@microsoft.com> - 0.17.1-1
+- Update to version 0.17.1
+
 * Wed Feb 16 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.16.3-25
 - License verified.
 
diff --git a/SPECS-EXTENDED/samba/0001-Disable-building-smb.conf.5-in-docs-xml-wscript.patch b/SPECS-EXTENDED/samba/0001-Disable-building-smb.conf.5-in-docs-xml-wscript.patch
new file mode 100644
index 00000000000..969fa4e29d6
--- /dev/null
+++ b/SPECS-EXTENDED/samba/0001-Disable-building-smb.conf.5-in-docs-xml-wscript.patch
@@ -0,0 +1,25 @@
+From c6d32a54404f4bd7c39eb056999fe61ddabd3413 Mon Sep 17 00:00:00 2001
+From: Sindhu Karri <lakarri@microsoft.com>
+Date: Fri, 9 Aug 2024 06:15:12 +0000
+Subject: [PATCH] Disable building smb.conf.5 in docs-xml wscript
+
+---
+ docs-xml/wscript_build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
+index 40f5514..d0c1830 100644
+--- a/docs-xml/wscript_build
++++ b/docs-xml/wscript_build
+@@ -183,7 +183,7 @@ def SMBDOTCONF_MANPAGE(bld, target):
+ 
+ if ('XSLTPROC_MANPAGES' in bld.env and bld.env['XSLTPROC_MANPAGES']):
+ 
+-    SMBDOTCONF_MANPAGE(bld, 'manpages/smb.conf.5')
++#    SMBDOTCONF_MANPAGE(bld, 'manpages/smb.conf.5')
+     bld.SAMBAMANPAGES(manpages)
+ 
+     if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
+-- 
+2.33.8
+
diff --git a/SPECS-EXTENDED/samba/samba-4.12.5.tar.asc b/SPECS-EXTENDED/samba/samba-4.12.5.tar.asc
deleted file mode 100644
index ec3af40b57d..00000000000
--- a/SPECS-EXTENDED/samba/samba-4.12.5.tar.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iHMEABECADMWIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCXv3BXhUcc2FtYmEtYnVn
-c0BzYW1iYS5vcmcACgkQbzORW2Vot+quPwCcDfpwxTo7ZDrFD768SgWqRmKI/+QA
-oJqPMNOtzBJYbxVbKY+OyCqwQ2Zl
-=2OtH
------END PGP SIGNATURE-----
diff --git a/SPECS-EXTENDED/samba/samba.signatures.json b/SPECS-EXTENDED/samba/samba.signatures.json
index f5c184e7fac..915b34cc750 100644
--- a/SPECS-EXTENDED/samba/samba.signatures.json
+++ b/SPECS-EXTENDED/samba/samba.signatures.json
@@ -1,13 +1,11 @@
 {
  "Signatures": {
   "README.downgrade": "6d35f69e43eb241e578e886bcc9f915d40c09687a1060ffec71112eed045058e",
-  "gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg": "8542aaa6de25e0905fbf68f0e8d8e3215812a4fb147c2fd02819ac92893e2690",
   "pam_winbind.conf": "afbb96ebf172dd2cc4e3c2ae13958ebadcb1d5b4c1d70e4e608014eeeae70347",
-  "samba-4.12.5.tar.asc": "8a7ec27ba3c51f9d5dd300cb2b772faf41d8fe27d1f1be02d96d89866c794960",
-  "samba-4.12.5.tar.xz": "fae2861fcaa76a955b1a3b21c8bbf16423dbbd93b7eadb58e94759a1a00ca3be",
+  "samba-4.18.3.tar.xz": "26fceff620e2673c516ee209ceacd50377d146d1c1fbf7f8524b43da0614caad",
   "samba.logrotate": "f604fd7e23b83e87da346e11f8d34e9840f89ec62ebd77814cbd69884125d5b5",
   "samba.pamd": "adf2c510d4218ac0b3f72898cfe4097c0d1c9836da2b0237929af6bf4619ea84",
   "smb.conf.example": "5064e01653b98f8456fb749c4e24f454287a9266a3d19fb7c2b03c1d2f1a3f7c",
   "smb.conf.vendor": "30e58aa44c7370ab4edac1b7b896a69fe6a7f6f6d6e3210fc757ae9b9e81a757"
  }
-}
+}
\ No newline at end of file
diff --git a/SPECS-EXTENDED/samba/samba.spec b/SPECS-EXTENDED/samba/samba.spec
index b20b063f222..6fadefe39d4 100644
--- a/SPECS-EXTENDED/samba/samba.spec
+++ b/SPECS-EXTENDED/samba/samba.spec
@@ -8,10 +8,12 @@
 
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
 
-%define talloc_version 2.3.1
-%define tdb_version 1.4.3
-%define tevent_version 0.10.2
-%define ldb_version 2.1.4
+%global libnetapi_so_version 1
+
+%define talloc_version 2.4.0
+%define tdb_version 1.4.8
+%define tevent_version 0.14.1
+%define ldb_version 2.7.2
 # This should be rc1 or nil
 %define pre_release %nil
 
@@ -47,7 +49,7 @@
 #endif rhel
 %endif
 
-%global libwbc_alternatives_version 0.15
+%global libwbc_alternatives_version 0.16
 %global libwbc_alternatives_suffix %nil
 %if 0%{?__isa_bits} == 64
 %global libwbc_alternatives_suffix -64
@@ -84,8 +86,8 @@
 %global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba"
 
 Name:           samba
-Version:        4.12.5
-Release:        5%{?dist}
+Version:        4.18.3
+Release:        1%{?dist}
 
 
 %define samba_depver %{version}-%{release}
@@ -98,8 +100,8 @@ URL:            https://www.samba.org
 
 # This is a xz recompressed file of https://ftp.samba.org/pub/samba/samba-%%{version}%%{pre_release}.tar.gz
 Source0:        https://ftp.samba.org/pub/samba/stable/samba-%{version}%{pre_release}.tar.gz#/samba-%{version}%{pre_release}.tar.xz
-Source1:        https://ftp.samba.org/pub/samba/stable/samba-%{version}%{pre_release}.tar.asc
-Source2:        gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
+# Source1:        https://ftp.samba.org/pub/samba/stable/samba-%{version}%{pre_release}.tar.asc
+# Source2:        gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
 
 # Red Hat specific replacement-files
 Source10:       samba.logrotate
@@ -110,6 +112,8 @@ Source14:       samba.pamd
 
 Source201:      README.downgrade
 
+Patch0:         0001-Disable-building-smb.conf.5-in-docs-xml-wscript.patch
+
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
 Requires(preun): systemd
@@ -168,6 +172,7 @@ BuildRequires: libcmocka-devel
 BuildRequires: libnsl2-devel
 BuildRequires: libtirpc-devel
 BuildRequires: libuuid-devel
+BuildRequires: libxslt
 BuildRequires: lmdb
 %if %{with_winexe}
 BuildRequires: mingw32-gcc
@@ -345,6 +350,40 @@ Requires: libwbclient = %{samba_depver}
 The samba-common-tools package contains tools for Samba servers and
 SMB/CIFS clients.
 
+%package tools
+Summary: Tools for Samba servers
+# samba-tool needs python3-samba
+Requires: python3-%{name} = %{samba_depver}
+# samba-tool needs python3-samba-dc also on non-dc build
+# Removing it to see if build happens
+# # Requires: python3-%{name}-dc = %{samba_depver}
+Requires: libnetapi = %{samba_depver}
+%if %{with dc}
+# samba-tool needs mdb_copy and tdbackup for domain backup or upgrade provision
+Requires: lmdb
+Requires: tdb-tools
+Requires: python3-gpg
+%endif
+ 
+%description tools
+The samba-tools package contains tools for Samba servers
+and for GPO management on domain members.
+ 
+### RPC
+%package dcerpc
+Summary: DCE RPC binaries
+Requires: samba-common-libs = %{samba_depver}
+Requires: samba-client-libs = %{samba_depver}
+Requires: samba-libs = %{samba_depver}
+Requires: %{name}-dcerpc = %{samba_depver}
+Requires: libnetapi = %{samba_depver}
+%if %{with libwbclient}
+Requires: libwbclient = %{samba_depver}
+%endif
+
+%description dcerpc
+The samba-dcerpc package contains binaries that serve DCERPC over named pipes.
+
 ### DC
 %if %{with_dc}
 %package dc
@@ -354,6 +393,7 @@ Requires: %{name}-libs = %{samba_depver}
 Requires: %{name}-dc-provision = %{samba_depver}
 Requires: %{name}-dc-libs = %{samba_depver}
 Requires: %{name}-winbind = %{samba_depver}
+Requires: %{name}-tools = %{samba_depver}
 # samba-tool needs tdbbackup
 Requires: tdb-tools
 # samba-tool needs mdb_copy
@@ -415,6 +455,7 @@ name server related details of Samba AD.
 Summary: Developer tools for Samba libraries
 Requires: %{name}-libs = %{samba_depver}
 Requires: %{name}-client-libs = %{samba_depver}
+Requires: libnetapi = %{samba_depver}
 
 Provides: samba4-devel = %{samba_depver}
 Obsoletes: samba4-devel < %{samba_depver}
@@ -488,6 +529,25 @@ Obsoletes: samba4-libs < %{samba_depver}
 The %{name}-libs package contains the libraries needed by programs that link
 against the SMB, RPC and other protocols provided by the Samba suite.
 
+### LIBNETAPI
+%package -n libnetapi
+Summary: The NETAPI library
+Requires(pre): %{name}-common = %{samba_depver}
+Requires: %{name}-common = %{samba_depver}
+Requires: %{name}-common-libs = %{samba_depver}
+Requires: %{name}-client-libs = %{samba_depver}
+
+%description -n libnetapi
+This contains the NETAPI library from the Samba suite.
+
+%package -n libnetapi-devel
+Summary: Developer tools for the NETAPI library
+Requires: libnetapi = %{samba_depver}
+
+%description -n libnetapi-devel
+The libnetapi-devel package contains the header files and libraries needed to
+develop programs that link against the NETAPI library in the Samba suite.
+
 ### LIBSMBCLIENT
 %if %with_libsmbclient
 %package -n libsmbclient
@@ -570,7 +630,7 @@ Requires: %{name}-libs = %{samba_depver}
 The python3-%{name}-test package contains the Python libraries used by the test suite of Samba.
 If you want to run full set of Samba tests, you need to install this package.
 
-%if %{with_dc}
+# %if %{with_dc}
 %package -n python3-samba-dc
 Summary: Samba Python libraries for Samba AD
 Requires: python3-%{name} = %{samba_depver}
@@ -578,7 +638,7 @@ Requires: python3-%{name} = %{samba_depver}
 %description -n python3-samba-dc
 The python3-%{name}-dc package contains the Python libraries needed by programs
 to manage Samba AD.
-%endif
+# %endif
 
 ### PIDL
 %package pidl
@@ -611,6 +671,7 @@ Requires: %{name}-test-libs = %{samba_depver}
 Requires: %{name}-dc-libs = %{samba_depver}
 %endif
 Requires: %{name}-libs = %{samba_depver}
+Requires: libnetapi = %{samba_depver}
 %if %with_libsmbclient
 Requires: libsmbclient = %{samba_depver}
 %endif
@@ -654,6 +715,7 @@ Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
 Requires: %{name}-winbind-modules = %{samba_depver}
 Requires: libwbclient = %{samba_depver}
+Requires: %{name}-dcerpc = %{samba_depver}
 
 Provides: samba4-winbind = %{samba_depver}
 Obsoletes: samba4-winbind < %{samba_depver}
@@ -771,6 +833,7 @@ projects to store temporary data. If an application is already using TDB for
 temporary data it is very easy to convert that application to be cluster aware
 and use CTDB instead.
 
+%if %{with testsuite}
 ### CTDB-TEST
 %package -n ctdb-tests
 Summary: CTDB clustered database test suite
@@ -790,13 +853,17 @@ CTDB is a cluster implementation of the TDB database used by Samba and other
 projects to store temporary data. If an application is already using TDB for
 temporary data it is very easy to convert that application to be cluster aware
 and use CTDB instead.
+
+#endif with testsuite (with selftest enabled)
+%endif
+
 #endif with_clustering_support
 %endif
 
 
 
 %prep
-xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
+# xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
 %autosetup -n samba-%{version}%{pre_release} -p1
 
 %build
@@ -880,6 +947,9 @@ export python_LDFLAGS="$(echo %{__global_ldflags} | sed -e 's/-Wl,-z,defs//g')"
         --systemd-smb-extra=%{_systemd_extra} \
         --systemd-nmb-extra=%{_systemd_extra} \
         --systemd-winbind-extra=%{_systemd_extra} \
+%if %{with clustering}
+        --systemd-ctdb-extra=%{_systemd_extra} \
+%endif
         --systemd-samba-extra=%{_systemd_extra}
 
 %make_build
@@ -966,9 +1036,9 @@ install -m 0644 ctdb/config/ctdb.conf %{buildroot}%{_sysconfdir}/ctdb/ctdb.conf
 
 install -m 0644 %{SOURCE201} packaging/README.downgrade
 
-%if %with_clustering_support
-install -m 0644 ctdb/config/ctdb.service %{buildroot}%{_unitdir}
-%endif
+# %if %with_clustering_support
+# install -m 0644 ctdb/config/ctdb.service %{buildroot}%{_unitdir}
+# %endif
 
 # NetworkManager online/offline script
 install -d -m 0755 %{buildroot}%{_prefix}/lib/NetworkManager/dispatcher.d/
@@ -985,10 +1055,8 @@ for i in \
     %{_libdir}/samba/libdnsserver-common-samba4.so \
     %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \
     %{_libdir}/samba/libscavenge-dns-records-samba4.so \
-    %{_libdir}/libdcerpc-server-core.so* \
     %{_mandir}/man8/samba.8 \
     %{_mandir}/man8/samba_downgrade_db.8 \
-    %{_mandir}/man8/samba-tool.8 \
     %{_mandir}/man8/samba-gpupdate.8 \
     %{_libdir}/samba/ldb/ildap.so \
     %{_libdir}/samba/ldb/ldbsamba_extensions.so \
@@ -1283,6 +1351,7 @@ fi
 %{_libdir}/samba/vfs/glusterfs_fuse.so
 %if %{with_vfs_io_uring}
 %{_libdir}/samba/vfs/io_uring.so
+%{_mandir}/man8/vfs_io_uring.8*
 %endif
 %{_libdir}/samba/vfs/linux_xfs_sgid.so
 %{_libdir}/samba/vfs/media_harmony.so
@@ -1301,15 +1370,72 @@ fi
 %{_libdir}/samba/vfs/time_audit.so
 %{_libdir}/samba/vfs/unityed_media.so
 %{_libdir}/samba/vfs/virusfilter.so
+%{_libdir}/samba/vfs/widelinks.so
 %{_libdir}/samba/vfs/worm.so
 %{_libdir}/samba/vfs/xattr_tdb.so
 
+%if %{with testsuite}
+%{_libdir}/samba/vfs/nfs4acl_xattr.so
+%endif
+
+%dir %{_libexecdir}/samba
+%{_libexecdir}/samba/samba-bgqd
+
+%dir %{_datadir}/samba
+%dir %{_datadir}/samba/mdssvc
+%{_datadir}/samba/mdssvc/elasticsearch_mappings.json
+
 %{_unitdir}/nmb.service
 %{_unitdir}/smb.service
 %attr(1777,root,root) %dir /var/spool/samba
 %dir %{_sysconfdir}/openldap/schema
 %config %{_sysconfdir}/openldap/schema/samba.schema
 %config(noreplace) %{_sysconfdir}/pam.d/samba
+%{_mandir}/man1/smbstatus.1*
+%{_mandir}/man8/eventlogadm.8*
+%{_mandir}/man8/samba-bgqd.8*
+%{_mandir}/man8/smbd.8*
+%{_mandir}/man8/nmbd.8*
+%{_mandir}/man8/vfs_acl_tdb.8*
+%{_mandir}/man8/vfs_acl_xattr.8*
+%{_mandir}/man8/vfs_aio_fork.8*
+%{_mandir}/man8/vfs_aio_pthread.8*
+%{_mandir}/man8/vfs_audit.8*
+%{_mandir}/man8/vfs_btrfs.8*
+%{_mandir}/man8/vfs_cap.8*
+%{_mandir}/man8/vfs_catia.8*
+%{_mandir}/man8/vfs_commit.8*
+%{_mandir}/man8/vfs_crossrename.8*
+%{_mandir}/man8/vfs_default_quota.8*
+%{_mandir}/man8/vfs_dirsort.8*
+%{_mandir}/man8/vfs_expand_msdfs.8*
+%{_mandir}/man8/vfs_extd_audit.8*
+%{_mandir}/man8/vfs_fake_perms.8*
+%{_mandir}/man8/vfs_fileid.8*
+%{_mandir}/man8/vfs_fruit.8*
+%{_mandir}/man8/vfs_full_audit.8*
+%{_mandir}/man8/vfs_gpfs.8*
+%{_mandir}/man8/vfs_glusterfs_fuse.8*
+%{_mandir}/man8/vfs_linux_xfs_sgid.8*
+%{_mandir}/man8/vfs_media_harmony.8*
+%{_mandir}/man8/vfs_offline.8*
+%{_mandir}/man8/vfs_preopen.8*
+%{_mandir}/man8/vfs_readahead.8*
+%{_mandir}/man8/vfs_readonly.8*
+%{_mandir}/man8/vfs_recycle.8*
+%{_mandir}/man8/vfs_shadow_copy.8*
+%{_mandir}/man8/vfs_shadow_copy2.8*
+%{_mandir}/man8/vfs_shell_snap.8*
+%{_mandir}/man8/vfs_snapper.8*
+%{_mandir}/man8/vfs_streams_depot.8*
+%{_mandir}/man8/vfs_streams_xattr.8*
+%{_mandir}/man8/vfs_syncops.8*
+%{_mandir}/man8/vfs_time_audit.8*
+%{_mandir}/man8/vfs_unityed_media.8*
+%{_mandir}/man8/vfs_virusfilter.8*
+%{_mandir}/man8/vfs_widelinks.8*
+%{_mandir}/man8/vfs_worm.8*
+%{_mandir}/man8/vfs_xattr_tdb.8*
 
 %if ! %{with_vfs_glusterfs}
 %exclude %{_mandir}/man8/vfs_glusterfs.8*
@@ -1328,9 +1454,9 @@ fi
 %{_bindir}/cifsdd
 %{_bindir}/dbwrap_tool
 %{_bindir}/dumpmscat
-%{_bindir}/findsmb
+# %{_bindir}/findsmb
 %{_bindir}/mvxattr
-%{_bindir}/mdfind
+%{_bindir}/mdsearch
 %{_bindir}/nmblookup
 %{_bindir}/oLschema2ldif
 %{_bindir}/regdiff
@@ -1350,6 +1476,31 @@ fi
 %{_bindir}/smbtree
 %dir %{_libexecdir}/samba
 %ghost %{_libexecdir}/samba/cups_backend_smb
+%{_mandir}/man1/dbwrap_tool.1*
+%{_mandir}/man1/nmblookup.1*
+%{_mandir}/man1/oLschema2ldif.1*
+%{_mandir}/man1/regdiff.1*
+%{_mandir}/man1/regpatch.1*
+%{_mandir}/man1/regshell.1*
+%{_mandir}/man1/regtree.1*
+%{_mandir}/man1/log2pcap.1*
+%{_mandir}/man1/mdsearch.1*
+%{_mandir}/man1/mvxattr.1*
+%{_mandir}/man1/rpcclient.1*
+%{_mandir}/man1/sharesec.1*
+%{_mandir}/man1/smbcacls.1*
+%{_mandir}/man1/smbclient.1*
+%{_mandir}/man1/smbcquotas.1*
+%{_mandir}/man1/smbget.1*
+%{_mandir}/man5/smbgetrc.5*
+%{_mandir}/man1/smbtar.1*
+%{_mandir}/man1/smbtree.1*
+%{_mandir}/man7/traffic_learner.7.*
+%{_mandir}/man7/traffic_replay.7.*
+%{_mandir}/man8/cifsdd.8.*
+%{_mandir}/man8/samba-regedit.8*
+%{_mandir}/man8/smbspool.8*
+
 %dir %{_datadir}/samba
 %dir %{_datadir}/samba/mdssvc
 %{_datadir}/samba/mdssvc/elasticsearch_mappings.json
@@ -1357,6 +1508,7 @@ fi
 ### CLIENT-LIBS
 %files client-libs
 %{_libdir}/libdcerpc-binding.so.*
+%{_libdir}/libdcerpc-server-core.so*
 %{_libdir}/libndr.so.*
 %{_libdir}/libndr-krb5pac.so.*
 %{_libdir}/libndr-nbt.so.*
@@ -1392,10 +1544,11 @@ fi
 %{_libdir}/samba/libclidns-samba4.so
 %{_libdir}/samba/libcluster-samba4.so
 %{_libdir}/samba/libcmdline-contexts-samba4.so
-%{_libdir}/samba/libcmdline-credentials-samba4.so
+# %{_libdir}/samba/libcmdline-credentials-samba4.so
 %{_libdir}/samba/libcommon-auth-samba4.so
 %{_libdir}/samba/libctdb-event-client-samba4.so
 %{_libdir}/samba/libdbwrap-samba4.so
+%{_libdir}/samba/libdcerpc-pkt-auth-samba4.so
 %{_libdir}/samba/libdcerpc-samba-samba4.so
 %{_libdir}/samba/libevents-samba4.so
 %{_libdir}/samba/libflag-mapping-samba4.so
@@ -1440,9 +1593,10 @@ fi
 %{_libdir}/samba/libsmb-transport-samba4.so
 %{_libdir}/samba/libsmbclient-raw-samba4.so
 %{_libdir}/samba/libsmbd-base-samba4.so
-%{_libdir}/samba/libsmbd-conn-samba4.so
+# %{_libdir}/samba/libsmbd-conn-samba4.so
 %{_libdir}/samba/libsmbd-shim-samba4.so
 %{_libdir}/samba/libsmbldaphelper-samba4.so
+%{_libdir}/samba/libstable-sort-samba4.so
 %{_libdir}/samba/libsys-rw-samba4.so
 %{_libdir}/samba/libsocket-blocking-samba4.so
 %{_libdir}/samba/libtalloc-report-printf-samba4.so
@@ -1451,14 +1605,14 @@ fi
 %{_libdir}/samba/libtime-basic-samba4.so
 %{_libdir}/samba/libtorture-samba4.so
 %{_libdir}/samba/libtrusts-util-samba4.so
-%{_libdir}/samba/libutil-cmdline-samba4.so
+# %{_libdir}/samba/libutil-cmdline-samba4.so
 %{_libdir}/samba/libutil-reg-samba4.so
 %{_libdir}/samba/libutil-setid-samba4.so
 %{_libdir}/samba/libutil-tdb-samba4.so
 
 %if ! %with_libwbclient
 %{_libdir}/samba/libwbclient.so.*
-%{_libdir}/samba/libwinbind-client-samba4.so
+# %{_libdir}/samba/libwinbind-client-samba4.so
 #endif ! with_libwbclient
 %endif
 
@@ -1485,12 +1639,16 @@ fi
 %{_sysconfdir}/samba/smb.conf.example
 %config(noreplace) %{_sysconfdir}/samba/lmhosts
 %config(noreplace) %{_sysconfdir}/sysconfig/samba
+%{_mandir}/man5/lmhosts.5*
+%{_mandir}/man5/smbpasswd.5*
+%{_mandir}/man7/samba.7*
 
 ### COMMON-libs
 %files common-libs
 # common libraries
-%{_libdir}/samba/libpopt-samba3-cmdline-samba4.so
-%{_libdir}/samba/libpopt-samba3-samba4.so
+# %{_libdir}/samba/libpopt-samba3-cmdline-samba4.so
+# %{_libdir}/samba/libpopt-samba3-samba4.so
+%{_libdir}/samba/libcmdline-samba4.so
 
 %dir %{_libdir}/samba/ldb
 
@@ -1506,12 +1664,35 @@ fi
 %{_bindir}/smbcontrol
 %{_bindir}/smbpasswd
 %{_bindir}/testparm
+%{_mandir}/man1/profiles.1*
+%{_mandir}/man1/smbcontrol.1*
+%{_mandir}/man1/testparm.1*
+%{_mandir}/man8/net.8*
+%{_mandir}/man8/pdbedit.8*
+%{_mandir}/man8/smbpasswd.8*
+
+%files tools
+%{_bindir}/samba-tool
+%{_mandir}/man8/samba-tool.8*
+
+### RPC
+%files dcerpc
+%dir %{_libexecdir}/samba
+%{_libexecdir}/samba/samba-dcerpcd
+%{_libexecdir}/samba/rpcd_classic
+%{_libexecdir}/samba/rpcd_epmapper
+%{_libexecdir}/samba/rpcd_fsrvp
+%{_libexecdir}/samba/rpcd_lsad
+%{_libexecdir}/samba/rpcd_mdssvc
+%{_libexecdir}/samba/rpcd_rpcecho
+%{_libexecdir}/samba/rpcd_spoolss
+%{_libexecdir}/samba/rpcd_winreg
+%{_mandir}/man8/samba-dcerpcd.8*
 
 ### DC
 %if %{with_dc}
 %files dc
 %{_unitdir}/samba.service
-%{_bindir}/samba-tool
 %{_sbindir}/samba
 %{_sbindir}/samba_dnsupdate
 %{_sbindir}/samba_downgrade_db
@@ -1603,7 +1784,6 @@ fi
 %{_libdir}/samba/service/winbindd.so
 %{_libdir}/samba/service/wrepl.so
 %{_libdir}/libdcerpc-server.so.*
-%{_libdir}/libdcerpc-server-core.so.*
 %{_libdir}/samba/libdnsserver-common-samba4.so
 %{_libdir}/samba/libdsdb-module-samba4.so
 %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so
@@ -1637,6 +1817,7 @@ fi
 %{_includedir}/samba-4.0/domain_credentials.h
 %{_includedir}/samba-4.0/gen_ndr/atsvc.h
 %{_includedir}/samba-4.0/gen_ndr/auth.h
+%{_includedir}/samba-4.0/gen_ndr/claims.h
 %{_includedir}/samba-4.0/gen_ndr/dcerpc.h
 %{_includedir}/samba-4.0/gen_ndr/krb5pac.h
 %{_includedir}/samba-4.0/gen_ndr/lsa.h
@@ -1689,7 +1870,7 @@ fi
 %dir %{_includedir}/samba-4.0/util
 %{_includedir}/samba-4.0/util/attr.h
 %{_includedir}/samba-4.0/util/blocking.h
-%{_includedir}/samba-4.0/util/byteorder.h
+# %{_includedir}/samba-4.0/util/byteorder.h
 %{_includedir}/samba-4.0/util/data_blob.h
 %{_includedir}/samba-4.0/util/debug.h
 %{_includedir}/samba-4.0/util/discard.h
@@ -1698,7 +1879,7 @@ fi
 %{_includedir}/samba-4.0/util/idtree.h
 %{_includedir}/samba-4.0/util/idtree_random.h
 %{_includedir}/samba-4.0/util/signal.h
-%{_includedir}/samba-4.0/util/string_wrappers.h
+# %{_includedir}/samba-4.0/util/string_wrappers.h
 %{_includedir}/samba-4.0/util/substitute.h
 %{_includedir}/samba-4.0/util/tevent_ntstatus.h
 %{_includedir}/samba-4.0/util/tevent_unix.h
@@ -1757,17 +1938,21 @@ fi
 %files vfs-cephfs
 %{_libdir}/samba/vfs/ceph.so
 %{_libdir}/samba/vfs/ceph_snapshots.so
+%{_mandir}/man8/vfs_ceph.8*
+%{_mandir}/man8/vfs_ceph_snapshots.8*
 %endif
 
 ### VFS-GLUSTERFS
 %if %{with_vfs_glusterfs}
 %files vfs-glusterfs
 %{_libdir}/samba/vfs/glusterfs.so
+%{_mandir}/man8/vfs_glusterfs.8*
 %endif
 
 ### KRB5-PRINTING
 %files krb5-printing
 %attr(0700,root,root) %{_libexecdir}/samba/smbspool_krb5_wrapper
+%{_mandir}/man8/smbspool_krb5_wrapper.8*
 
 ### LIBS
 %files libs
@@ -1780,6 +1965,19 @@ fi
 %{_libdir}/samba/libshares-samba4.so
 %{_libdir}/samba/libsmbpasswdparser-samba4.so
 %{_libdir}/samba/libxattr-tdb-samba4.so
+%{_libdir}/samba/libREG-FULL-samba4.so
+%{_libdir}/samba/libRPC-SERVER-LOOP-samba4.so
+%{_libdir}/samba/libRPC-WORKER-samba4.so
+
+### LIBNETAPI
+%files -n libnetapi
+%{_libdir}/libnetapi.so.%{libnetapi_so_version}*
+ 
+### LIBNETAPI-DEVEL
+%files -n libnetapi-devel
+%{_includedir}/samba-4.0/netapi.h
+%{_libdir}/libnetapi.so
+%{_libdir}/pkgconfig/netapi.pc
 
 ### LIBSMBCLIENT
 %if %with_libsmbclient
@@ -1791,6 +1989,7 @@ fi
 %{_includedir}/samba-4.0/libsmbclient.h
 %{_libdir}/libsmbclient.so
 %{_libdir}/pkgconfig/smbclient.pc
+%{_mandir}/man7/libsmbclient.7*
 #endif with_libsmbclient
 %endif
 
@@ -1798,7 +1997,7 @@ fi
 %if %with_libwbclient
 %files -n libwbclient
 %{_libdir}/samba/wbclient/libwbclient.so.*
-%{_libdir}/samba/libwinbind-client-samba4.so
+# %{_libdir}/samba/libwinbind-client-samba4.so
 
 ### LIBWBCLIENT-DEVEL
 %files -n libwbclient-devel
@@ -1841,6 +2040,7 @@ fi
 %attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/Template.pm
 %dir %{perl_vendorlib}/Parse/Pidl/Samba4/NDR
 %attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Server.pm
+%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/NDR/ServerCompat.pm
 %attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Client.pm
 %attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Parser.pm
 %attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/TDR.pm
@@ -1862,14 +2062,12 @@ fi
 %{python3_sitearch}/samba/__pycache__/auth_util.*.pyc
 %{python3_sitearch}/samba/__pycache__/colour.*.pyc
 %{python3_sitearch}/samba/__pycache__/common.*.pyc
-%{python3_sitearch}/samba/__pycache__/compat.*.pyc
+# %{python3_sitearch}/samba/__pycache__/compat.*.pyc
 %{python3_sitearch}/samba/__pycache__/dbchecker.*.pyc
 %{python3_sitearch}/samba/__pycache__/descriptor.*.pyc
+%{python3_sitearch}/samba/__pycache__/dnsresolver.*.pyc
 %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc
 %{python3_sitearch}/samba/__pycache__/getopt.*.pyc
-%{python3_sitearch}/samba/__pycache__/gpclass.*.pyc
-%{python3_sitearch}/samba/__pycache__/gp_ext_loader.*.pyc
-%{python3_sitearch}/samba/__pycache__/gp_sec_ext.*.pyc
 %{python3_sitearch}/samba/__pycache__/graph.*.pyc
 %{python3_sitearch}/samba/__pycache__/hostconfig.*.pyc
 %{python3_sitearch}/samba/__pycache__/idmap.*.pyc
@@ -1880,10 +2078,12 @@ fi
 %{python3_sitearch}/samba/__pycache__/ms_schema.*.pyc
 %{python3_sitearch}/samba/__pycache__/ndr.*.pyc
 %{python3_sitearch}/samba/__pycache__/ntacls.*.pyc
+%{python3_sitearch}/samba/__pycache__/safe_tarfile.*.pyc
 %{python3_sitearch}/samba/__pycache__/sd_utils.*.pyc
 %{python3_sitearch}/samba/__pycache__/sites.*.pyc
 %{python3_sitearch}/samba/__pycache__/subnets.*.pyc
 %{python3_sitearch}/samba/__pycache__/tdb_util.*.pyc
+%{python3_sitearch}/samba/__pycache__/trust_utils.*.pyc
 %{python3_sitearch}/samba/__pycache__/upgrade.*.pyc
 %{python3_sitearch}/samba/__pycache__/upgradehelpers.*.pyc
 %{python3_sitearch}/samba/__pycache__/xattr.*.pyc
@@ -1894,7 +2094,8 @@ fi
 %{python3_sitearch}/samba/dbchecker.py
 %{python3_sitearch}/samba/colour.py
 %{python3_sitearch}/samba/common.py
-%{python3_sitearch}/samba/compat.py
+# %{python3_sitearch}/samba/compat.py
+%{python3_sitearch}/samba/compression.*.so
 %{python3_sitearch}/samba/credentials.*.so
 %{python3_sitearch}/samba/crypto.*.so
 %dir %{python3_sitearch}/samba/dcerpc
@@ -1904,6 +2105,7 @@ fi
 %{python3_sitearch}/samba/dcerpc/atsvc.*.so
 %{python3_sitearch}/samba/dcerpc/auth.*.so
 %{python3_sitearch}/samba/dcerpc/base.*.so
+%{python3_sitearch}/samba/dcerpc/claims.*.so
 %{python3_sitearch}/samba/dcerpc/dcerpc.*.so
 %{python3_sitearch}/samba/dcerpc/dfs.*.so
 %{python3_sitearch}/samba/dcerpc/dns.*.so
@@ -1915,6 +2117,7 @@ fi
 %{python3_sitearch}/samba/dcerpc/idmap.*.so
 %{python3_sitearch}/samba/dcerpc/initshutdown.*.so
 %{python3_sitearch}/samba/dcerpc/irpc.*.so
+%{python3_sitearch}/samba/dcerpc/krb5ccache.*.so
 %{python3_sitearch}/samba/dcerpc/krb5pac.*.so
 %{python3_sitearch}/samba/dcerpc/lsa.*.so
 %{python3_sitearch}/samba/dcerpc/messaging.*.so
@@ -1941,12 +2144,12 @@ fi
 %{python3_sitearch}/samba/dcerpc/wkssvc.*.so
 %{python3_sitearch}/samba/dcerpc/xattr.*.so
 %{python3_sitearch}/samba/descriptor.py
+%{python3_sitearch}/samba/dnsresolver.py
 %{python3_sitearch}/samba/drs_utils.py
+%{python3_sitearch}/samba/dsdb.*.so
+%{python3_sitearch}/samba/dsdb_dns.*.so
 %{python3_sitearch}/samba/gensec.*.so
 %{python3_sitearch}/samba/getopt.py
-%{python3_sitearch}/samba/gpclass.py
-%{python3_sitearch}/samba/gp_sec_ext.py
-%{python3_sitearch}/samba/gpo.*.so
 %{python3_sitearch}/samba/graph.py
 %{python3_sitearch}/samba/hostconfig.py
 %{python3_sitearch}/samba/idmap.py
@@ -1954,6 +2157,7 @@ fi
 %{python3_sitearch}/samba/messaging.*.so
 %{python3_sitearch}/samba/ndr.py
 %{python3_sitearch}/samba/net.*.so
+%{python3_sitearch}/samba/net_s3.*.so
 %{python3_sitearch}/samba/ntstatus.*.so
 %{python3_sitearch}/samba/posix_eadb.*.so
 %dir %{python3_sitearch}/samba/emulate
@@ -1964,7 +2168,57 @@ fi
 %{python3_sitearch}/samba/emulate/__init__.py
 %{python3_sitearch}/samba/emulate/traffic.py
 %{python3_sitearch}/samba/emulate/traffic_packets.py
-%{python3_sitearch}/samba/gp_ext_loader.py
+%dir %{python3_sitearch}/samba/gp
+%dir %{python3_sitearch}/samba/gp/__pycache__
+%{python3_sitearch}/samba/gp/__pycache__/gpclass.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/gp_centrify_crontab_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/gp_centrify_sudoers_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/gp_cert_auto_enroll_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/gp_chromium_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/gp_ext_loader.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/gp_firefox_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/gp_firewalld_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/gp_gnome_settings_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/gp_msgs_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/gp_scripts_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/gp_sec_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/gp_smb_conf_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/gp_sudoers_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/vgp_access_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/vgp_files_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/vgp_issue_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/vgp_motd_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/vgp_openssh_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/vgp_startup_scripts_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/vgp_sudoers_ext.*.pyc
+%{python3_sitearch}/samba/gp/__pycache__/vgp_symlink_ext.*.pyc
+%{python3_sitearch}/samba/gp/gpclass.py
+%{python3_sitearch}/samba/gp/gp_gnome_settings_ext.py
+%{python3_sitearch}/samba/gp/gp_scripts_ext.py
+%{python3_sitearch}/samba/gp/gp_sec_ext.py
+%{python3_sitearch}/samba/gp/gp_centrify_crontab_ext.py
+%{python3_sitearch}/samba/gp/gp_centrify_sudoers_ext.py
+%{python3_sitearch}/samba/gp/gp_cert_auto_enroll_ext.py
+%{python3_sitearch}/samba/gp/gp_chromium_ext.py
+%{python3_sitearch}/samba/gp/gp_ext_loader.py
+%{python3_sitearch}/samba/gp/gp_firefox_ext.py
+%{python3_sitearch}/samba/gp/gp_firewalld_ext.py
+%{python3_sitearch}/samba/gp/gp_msgs_ext.py
+%{python3_sitearch}/samba/gp/gp_smb_conf_ext.py
+%{python3_sitearch}/samba/gp/gp_sudoers_ext.py
+%dir %{python3_sitearch}/samba/gp/util
+%dir %{python3_sitearch}/samba/gp/util/__pycache__
+%{python3_sitearch}/samba/gp/util/__pycache__/logging.*.pyc
+%{python3_sitearch}/samba/gp/util/logging.py
+%{python3_sitearch}/samba/gp/vgp_access_ext.py
+%{python3_sitearch}/samba/gp/vgp_files_ext.py
+%{python3_sitearch}/samba/gp/vgp_issue_ext.py
+%{python3_sitearch}/samba/gp/vgp_motd_ext.py
+%{python3_sitearch}/samba/gp/vgp_openssh_ext.py
+%{python3_sitearch}/samba/gp/vgp_startup_scripts_ext.py
+%{python3_sitearch}/samba/gp/vgp_sudoers_ext.py
+%{python3_sitearch}/samba/gp/vgp_symlink_ext.py
+%{python3_sitearch}/samba/gpo.*.so
 %dir %{python3_sitearch}/samba/gp_parse
 %{python3_sitearch}/samba/gp_parse/__init__.py
 %dir %{python3_sitearch}/samba/gp_parse/__pycache__
@@ -2048,18 +2302,25 @@ fi
 %{python3_sitearch}/samba/param.*.so
 %{python3_sitearch}/samba/policy.*.so
 %{python3_sitearch}/samba/registry.*.so
+%{python3_sitearch}/samba/reparse_symlink.*.so
 %{python3_sitearch}/samba/security.*.so
+%{python3_sitearch}/samba/safe_tarfile.py
 %dir %{python3_sitearch}/samba/samba3
 %{python3_sitearch}/samba/samba3/__init__.py
 %dir %{python3_sitearch}/samba/samba3/__pycache__
 %{python3_sitearch}/samba/samba3/__pycache__/__init__.*.pyc
-%{python3_sitearch}/samba/samba3/libsmb_samba_internal.*.so
+# %{python3_sitearch}/samba/samba3/libsmb_samba_internal.*.so
+%{python3_sitearch}/samba/samba3/__pycache__/libsmb_samba_internal.*.pyc
+%{python3_sitearch}/samba/samba3/libsmb_samba_cwrapper.cpython*.so
+%{python3_sitearch}/samba/samba3/libsmb_samba_internal.py
 %{python3_sitearch}/samba/samba3/mdscli.*.so
 %{python3_sitearch}/samba/samba3/param.*.so
 %{python3_sitearch}/samba/samba3/passdb.*.so
+%{python3_sitearch}/samba/samba3/smbconf.*.so
 %{python3_sitearch}/samba/samba3/smbd.*.so
 %{python3_sitearch}/samba/sd_utils.py
 %{python3_sitearch}/samba/sites.py
+%{python3_sitearch}/samba/smbconf.*.so
 %{python3_sitearch}/samba/subnets.py
 %dir %{python3_sitearch}/samba/subunit
 %{python3_sitearch}/samba/subunit/__init__.py
@@ -2068,10 +2329,6 @@ fi
 %{python3_sitearch}/samba/subunit/__pycache__/run.*.pyc
 %{python3_sitearch}/samba/subunit/run.py
 %{python3_sitearch}/samba/tdb_util.py
-%dir %{python3_sitearch}/samba/third_party
-%{python3_sitearch}/samba/third_party/__init__.py
-%dir %{python3_sitearch}/samba/third_party/__pycache__
-%{python3_sitearch}/samba/third_party/__pycache__/__init__.*.pyc
 %{python3_sitearch}/samba/upgrade.py
 %{python3_sitearch}/samba/upgradehelpers.py
 %{python3_sitearch}/samba/werror.*.so
@@ -2172,10 +2429,13 @@ fi
 %{python3_sitearch}/samba/tests/__pycache__/auth_log_winbind.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/common.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/complex_expressions.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/compression.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/core.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/credentials.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/cred_opt.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/dckeytab.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/dns.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/dns_aging.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/dns_base.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/dns_forwarder.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/dns_invalid.*.pyc
@@ -2183,6 +2443,8 @@ fi
 %{python3_sitearch}/samba/tests/__pycache__/dns_tkey.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/dns_wildcard.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/dsdb.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/dsdb_api.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/dsdb_dns.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/dsdb_lock.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/dsdb_schema_attributes.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/docs.*.pyc
@@ -2194,17 +2456,24 @@ fi
 %{python3_sitearch}/samba/tests/__pycache__/getdcname.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/glue.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/gpo.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/gpo_member.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/graph.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/group_audit.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/hostconfig.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/imports.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/join.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/krb5_credentials.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/ldap_raw.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/ldap_referrals.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/ldap_spn.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/ldap_upn_sam_account.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/loadparm.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/logfiles.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/libsmb.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/libsmb-basic.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/lsa_string.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/messaging.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/ndr.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/netbios.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/netcmd.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/net_join_no_spnego.*.pyc
@@ -2218,6 +2487,7 @@ fi
 %{python3_sitearch}/samba/tests/__pycache__/ntlm_auth_krb5.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/pam_winbind.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/pam_winbind_chauthtok.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/pam_winbind_setcred.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/pam_winbind_warn_pwd_expire.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/param.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/password_hash.*.pyc
@@ -2235,21 +2505,32 @@ fi
 %{python3_sitearch}/samba/tests/__pycache__/pso.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/py_credentials.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/registry.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/reparsepoints.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/s3idmapdb.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/s3param.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/s3passdb.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/s3registry.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/s3windb.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/s3_net_join.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/safe_tarfile.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/samba_upgradedns_lmdb.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/samba3sam.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/samdb.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/samdb_api.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/sddl.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/security.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/segfault.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/sid_strings.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/smb.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/smb1posix.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/smb2symlink.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/smb3unix.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/smbconf.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/smb-notify.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/smbd_base.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/smbd_fuzztest.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/source.*.pyc
+%{python3_sitearch}/samba/tests/__pycache__/source_chars.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/strings.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/subunitrun.*.pyc
 %{python3_sitearch}/samba/tests/__pycache__/tdb_util.*.pyc
@@ -2277,10 +2558,15 @@ fi
 %{python3_sitearch}/samba/tests/blackbox/__pycache__/bug13653.*.pyc
 %{python3_sitearch}/samba/tests/blackbox/__pycache__/check_output.*.pyc
 %{python3_sitearch}/samba/tests/blackbox/__pycache__/downgradedatabase.*.pyc
-%{python3_sitearch}/samba/tests/blackbox/__pycache__/mdfind.*.pyc
+%{python3_sitearch}/samba/tests/blackbox/__pycache__/mdsearch.*.pyc
 %{python3_sitearch}/samba/tests/blackbox/__pycache__/ndrdump.*.pyc
+%{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_dns.*.pyc
 %{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_json.*.pyc
 %{python3_sitearch}/samba/tests/blackbox/__pycache__/samba_dnsupdate.*.pyc
+%{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls.*.pyc
+%{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls_basic.*.pyc
+%{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls_dfs_propagate_inherit.*.pyc
+%{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls_propagate_inhertance.*.pyc
 %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcontrol.*.pyc
 %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcontrol_process.*.pyc
 %{python3_sitearch}/samba/tests/blackbox/__pycache__/traffic_learner.*.pyc
@@ -2289,10 +2575,15 @@ fi
 %{python3_sitearch}/samba/tests/blackbox/bug13653.py
 %{python3_sitearch}/samba/tests/blackbox/check_output.py
 %{python3_sitearch}/samba/tests/blackbox/downgradedatabase.py
-%{python3_sitearch}/samba/tests/blackbox/mdfind.py
+%{python3_sitearch}/samba/tests/blackbox/mdsearch.py
 %{python3_sitearch}/samba/tests/blackbox/ndrdump.py
+%{python3_sitearch}/samba/tests/blackbox/netads_dns.py
 %{python3_sitearch}/samba/tests/blackbox/netads_json.py
 %{python3_sitearch}/samba/tests/blackbox/samba_dnsupdate.py
+%{python3_sitearch}/samba/tests/blackbox/smbcacls.py
+%{python3_sitearch}/samba/tests/blackbox/smbcacls_basic.py
+%{python3_sitearch}/samba/tests/blackbox/smbcacls_dfs_propagate_inherit.py
+%{python3_sitearch}/samba/tests/blackbox/smbcacls_propagate_inhertance.py
 %{python3_sitearch}/samba/tests/blackbox/smbcontrol.py
 %{python3_sitearch}/samba/tests/blackbox/smbcontrol_process.py
 %{python3_sitearch}/samba/tests/blackbox/traffic_learner.py
@@ -2300,16 +2591,21 @@ fi
 %{python3_sitearch}/samba/tests/blackbox/traffic_summary.py
 %{python3_sitearch}/samba/tests/common.py
 %{python3_sitearch}/samba/tests/complex_expressions.py
+%{python3_sitearch}/samba/tests/compression.py
 %{python3_sitearch}/samba/tests/core.py
 %{python3_sitearch}/samba/tests/credentials.py
+%{python3_sitearch}/samba/tests/cred_opt.py
 %dir %{python3_sitearch}/samba/tests/dcerpc
 %{python3_sitearch}/samba/tests/dcerpc/__init__.py
 %dir %{python3_sitearch}/samba/tests/dcerpc/__pycache__
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/__init__.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/array.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/bare.*.pyc
+%{python3_sitearch}/samba/tests/dcerpc/__pycache__/binding.*.pyc
+%{python3_sitearch}/samba/tests/dcerpc/__pycache__/createtrustrelax.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/dnsserver.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/integer.*.pyc
+%{python3_sitearch}/samba/tests/dcerpc/__pycache__/lsa.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/mdssvc.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/misc.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/raw_protocol.*.pyc
@@ -2318,14 +2614,18 @@ fi
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/rpc_talloc.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/rpcecho.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/sam.*.pyc
+%{python3_sitearch}/samba/tests/dcerpc/__pycache__/samr_change_password.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/srvsvc.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/string_tests.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/testrpc.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/__pycache__/unix.*.pyc
 %{python3_sitearch}/samba/tests/dcerpc/array.py
 %{python3_sitearch}/samba/tests/dcerpc/bare.py
+%{python3_sitearch}/samba/tests/dcerpc/binding.py
+%{python3_sitearch}/samba/tests/dcerpc/createtrustrelax.py
 %{python3_sitearch}/samba/tests/dcerpc/dnsserver.py
 %{python3_sitearch}/samba/tests/dcerpc/integer.py
+%{python3_sitearch}/samba/tests/dcerpc/lsa.py
 %{python3_sitearch}/samba/tests/dcerpc/mdssvc.py
 %{python3_sitearch}/samba/tests/dcerpc/misc.py
 %{python3_sitearch}/samba/tests/dcerpc/raw_protocol.py
@@ -2334,12 +2634,14 @@ fi
 %{python3_sitearch}/samba/tests/dcerpc/rpc_talloc.py
 %{python3_sitearch}/samba/tests/dcerpc/rpcecho.py
 %{python3_sitearch}/samba/tests/dcerpc/sam.py
+%{python3_sitearch}/samba/tests/dcerpc/samr_change_password.py
 %{python3_sitearch}/samba/tests/dcerpc/srvsvc.py
 %{python3_sitearch}/samba/tests/dcerpc/string_tests.py
 %{python3_sitearch}/samba/tests/dcerpc/testrpc.py
 %{python3_sitearch}/samba/tests/dcerpc/unix.py
 %{python3_sitearch}/samba/tests/dckeytab.py
 %{python3_sitearch}/samba/tests/dns.py
+%{python3_sitearch}/samba/tests/dns_aging.py
 %{python3_sitearch}/samba/tests/dns_base.py
 %{python3_sitearch}/samba/tests/dns_forwarder.py
 %dir %{python3_sitearch}/samba/tests/dns_forwarder_helpers
@@ -2350,6 +2652,8 @@ fi
 %{python3_sitearch}/samba/tests/dns_tkey.py
 %{python3_sitearch}/samba/tests/dns_wildcard.py
 %{python3_sitearch}/samba/tests/dsdb.py
+%{python3_sitearch}/samba/tests/dsdb_api.py
+%{python3_sitearch}/samba/tests/dsdb_dns.py
 %{python3_sitearch}/samba/tests/dsdb_lock.py
 %{python3_sitearch}/samba/tests/dsdb_schema_attributes.py
 %{python3_sitearch}/samba/tests/docs.py
@@ -2369,9 +2673,11 @@ fi
 %{python3_sitearch}/samba/tests/get_opt.py
 %{python3_sitearch}/samba/tests/glue.py
 %{python3_sitearch}/samba/tests/gpo.py
+%{python3_sitearch}/samba/tests/gpo_member.py
 %{python3_sitearch}/samba/tests/graph.py
 %{python3_sitearch}/samba/tests/group_audit.py
 %{python3_sitearch}/samba/tests/hostconfig.py
+%{python3_sitearch}/samba/tests/imports.py
 %{python3_sitearch}/samba/tests/join.py
 %dir %{python3_sitearch}/samba/tests/kcc
 %{python3_sitearch}/samba/tests/kcc/__init__.py
@@ -2385,13 +2691,86 @@ fi
 %{python3_sitearch}/samba/tests/kcc/graph_utils.py
 %{python3_sitearch}/samba/tests/kcc/kcc_utils.py
 %{python3_sitearch}/samba/tests/kcc/ldif_import_export.py
+%dir %{python3_sitearch}/samba/tests/krb5
+%dir %{python3_sitearch}/samba/tests/krb5/__pycache__
+%{python3_sitearch}/samba/tests/krb5/__pycache__/alias_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/as_canonicalization_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/as_req_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/claims_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/compatability_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/etype_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/fast_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/group_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/kcrypto.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/kpasswd_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/lockout_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/nt_hash_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/pac_align_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/protected_users_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/s4u_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ccache.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/test_idmap_nss.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ldap.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/test_min_domain_uid.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/test_rpc.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/test_smb.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/xrealm_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/alias_tests.py
+%{python3_sitearch}/samba/tests/krb5/as_canonicalization_tests.py
+%{python3_sitearch}/samba/tests/krb5/as_req_tests.py
+%{python3_sitearch}/samba/tests/krb5/claims_tests.py
+%{python3_sitearch}/samba/tests/krb5/compatability_tests.py
+%{python3_sitearch}/samba/tests/krb5/etype_tests.py
+%{python3_sitearch}/samba/tests/krb5/fast_tests.py
+%{python3_sitearch}/samba/tests/krb5/group_tests.py
+%{python3_sitearch}/samba/tests/krb5/kcrypto.py
+%{python3_sitearch}/samba/tests/krb5/kdc_base_test.py
+%{python3_sitearch}/samba/tests/krb5/kdc_tests.py
+%{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py
+%{python3_sitearch}/samba/tests/krb5/kpasswd_tests.py
+%{python3_sitearch}/samba/tests/krb5/lockout_tests.py
+%{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
+%{python3_sitearch}/samba/tests/krb5/nt_hash_tests.py
+%{python3_sitearch}/samba/tests/krb5/pac_align_tests.py
+%{python3_sitearch}/samba/tests/krb5/protected_users_tests.py
+%{python3_sitearch}/samba/tests/krb5/raw_testcase.py
+%{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py
+%{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py
+%{python3_sitearch}/samba/tests/krb5/rodc_tests.py
+%{python3_sitearch}/samba/tests/krb5/simple_tests.py
+%{python3_sitearch}/samba/tests/krb5/test_idmap_nss.py
+%{python3_sitearch}/samba/tests/krb5/test_ccache.py
+%{python3_sitearch}/samba/tests/krb5/test_ldap.py
+%{python3_sitearch}/samba/tests/krb5/test_min_domain_uid.py
+%{python3_sitearch}/samba/tests/krb5/test_rpc.py
+%{python3_sitearch}/samba/tests/krb5/test_smb.py
+%{python3_sitearch}/samba/tests/krb5/s4u_tests.py
+%{python3_sitearch}/samba/tests/krb5/salt_tests.py
+%{python3_sitearch}/samba/tests/krb5/spn_tests.py
+%{python3_sitearch}/samba/tests/krb5/xrealm_tests.py
 %{python3_sitearch}/samba/tests/krb5_credentials.py
 %{python3_sitearch}/samba/tests/ldap_raw.py
+%{python3_sitearch}/samba/tests/ldap_spn.py
 %{python3_sitearch}/samba/tests/ldap_referrals.py
+%{python3_sitearch}/samba/tests/ldap_upn_sam_account.py
 %{python3_sitearch}/samba/tests/libsmb.py
+%{python3_sitearch}/samba/tests/libsmb-basic.py
 %{python3_sitearch}/samba/tests/loadparm.py
+%{python3_sitearch}/samba/tests/logfiles.py
 %{python3_sitearch}/samba/tests/lsa_string.py
 %{python3_sitearch}/samba/tests/messaging.py
+%{python3_sitearch}/samba/tests/ndr.py
 %{python3_sitearch}/samba/tests/netbios.py
 %{python3_sitearch}/samba/tests/netcmd.py
 %{python3_sitearch}/samba/tests/net_join_no_spnego.py
@@ -2405,6 +2784,7 @@ fi
 %{python3_sitearch}/samba/tests/ntlm_auth_krb5.py
 %{python3_sitearch}/samba/tests/pam_winbind.py
 %{python3_sitearch}/samba/tests/pam_winbind_chauthtok.py
+%{python3_sitearch}/samba/tests/pam_winbind_setcred.py
 %{python3_sitearch}/samba/tests/pam_winbind_warn_pwd_expire.py
 %{python3_sitearch}/samba/tests/param.py
 %{python3_sitearch}/samba/tests/password_hash.py
@@ -2422,11 +2802,14 @@ fi
 %{python3_sitearch}/samba/tests/pso.py
 %{python3_sitearch}/samba/tests/py_credentials.py
 %{python3_sitearch}/samba/tests/registry.py
+%{python3_sitearch}/samba/tests/reparsepoints.py
 %{python3_sitearch}/samba/tests/s3idmapdb.py
 %{python3_sitearch}/samba/tests/s3param.py
 %{python3_sitearch}/samba/tests/s3passdb.py
 %{python3_sitearch}/samba/tests/s3registry.py
 %{python3_sitearch}/samba/tests/s3windb.py
+%{python3_sitearch}/samba/tests/s3_net_join.py
+%{python3_sitearch}/samba/tests/safe_tarfile.py
 %{python3_sitearch}/samba/tests/samba3sam.py
 %{python3_sitearch}/samba/tests/samba_upgradedns_lmdb.py
 %dir %{python3_sitearch}/samba/tests/samba_tool
@@ -2443,10 +2826,12 @@ fi
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/forest.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/fsmo.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/gpo.*.pyc
+%{python3_sitearch}/samba/tests/samba_tool/__pycache__/gpo_exts.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/group.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/help.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/join.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/join_lmdb_size.*.pyc
+%{python3_sitearch}/samba/tests/samba_tool/__pycache__/join_member.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/ntacl.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/ou.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/passwordsettings.*.pyc
@@ -2454,6 +2839,7 @@ fi
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/promote_dc_lmdb_size.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_lmdb_size.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_password_check.*.pyc
+%{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_userPassword_crypt.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/rodc.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/schema.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/sites.*.pyc
@@ -2461,6 +2847,9 @@ fi
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_check_password_script.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_virtualCryptSHA.*.pyc
+%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_virtualCryptSHA_base.*.pyc
+%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_virtualCryptSHA_gpg.*.pyc
+%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_virtualCryptSHA_userPassword.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_wdigest.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/visualize.*.pyc
 %{python3_sitearch}/samba/tests/samba_tool/__pycache__/visualize_drs.*.pyc
@@ -2474,10 +2863,12 @@ fi
 %{python3_sitearch}/samba/tests/samba_tool/forest.py
 %{python3_sitearch}/samba/tests/samba_tool/fsmo.py
 %{python3_sitearch}/samba/tests/samba_tool/gpo.py
+%{python3_sitearch}/samba/tests/samba_tool/gpo_exts.py
 %{python3_sitearch}/samba/tests/samba_tool/group.py
 %{python3_sitearch}/samba/tests/samba_tool/help.py
 %{python3_sitearch}/samba/tests/samba_tool/join.py
 %{python3_sitearch}/samba/tests/samba_tool/join_lmdb_size.py
+%{python3_sitearch}/samba/tests/samba_tool/join_member.py
 %{python3_sitearch}/samba/tests/samba_tool/ntacl.py
 %{python3_sitearch}/samba/tests/samba_tool/ou.py
 %{python3_sitearch}/samba/tests/samba_tool/passwordsettings.py
@@ -2485,6 +2876,7 @@ fi
 %{python3_sitearch}/samba/tests/samba_tool/promote_dc_lmdb_size.py
 %{python3_sitearch}/samba/tests/samba_tool/provision_lmdb_size.py
 %{python3_sitearch}/samba/tests/samba_tool/provision_password_check.py
+%{python3_sitearch}/samba/tests/samba_tool/provision_userPassword_crypt.py
 %{python3_sitearch}/samba/tests/samba_tool/rodc.py
 %{python3_sitearch}/samba/tests/samba_tool/schema.py
 %{python3_sitearch}/samba/tests/samba_tool/sites.py
@@ -2492,20 +2884,32 @@ fi
 %{python3_sitearch}/samba/tests/samba_tool/user.py
 %{python3_sitearch}/samba/tests/samba_tool/user_check_password_script.py
 %{python3_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA.py
+%{python3_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA_base.py
+%{python3_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py
+%{python3_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py
 %{python3_sitearch}/samba/tests/samba_tool/user_wdigest.py
 %{python3_sitearch}/samba/tests/samba_tool/visualize.py
 %{python3_sitearch}/samba/tests/samba_tool/visualize_drs.py
 %{python3_sitearch}/samba/tests/samdb.py
 %{python3_sitearch}/samba/tests/samdb_api.py
+%{python3_sitearch}/samba/tests/sddl.py
 %{python3_sitearch}/samba/tests/security.py
 %{python3_sitearch}/samba/tests/segfault.py
+%{python3_sitearch}/samba/tests/sid_strings.py
 %{python3_sitearch}/samba/tests/smb.py
+%{python3_sitearch}/samba/tests/smb1posix.py
+%{python3_sitearch}/samba/tests/smb2symlink.py
+%{python3_sitearch}/samba/tests/smb3unix.py
+%{python3_sitearch}/samba/tests/smbconf.py
+%{python3_sitearch}/samba/tests/smb-notify.py
 %{python3_sitearch}/samba/tests/smbd_base.py
 %{python3_sitearch}/samba/tests/smbd_fuzztest.py
 %{python3_sitearch}/samba/tests/source.py
+%{python3_sitearch}/samba/tests/source_chars.py
 %{python3_sitearch}/samba/tests/strings.py
 %{python3_sitearch}/samba/tests/subunitrun.py
 %{python3_sitearch}/samba/tests/tdb_util.py
+%{python3_sitearch}/samba/trust_utils.py
 %{python3_sitearch}/samba/tests/upgrade.py
 %{python3_sitearch}/samba/tests/upgradeprovision.py
 %{python3_sitearch}/samba/tests/upgradeprovisionneeddc.py
@@ -2519,6 +2923,11 @@ fi
 %{_bindir}/masktest
 %{_bindir}/ndrdump
 %{_bindir}/smbtorture
+%{_mandir}/man1/gentest.1*
+%{_mandir}/man1/locktest.1*
+%{_mandir}/man1/masktest.1*
+%{_mandir}/man1/ndrdump.1*
+%{_mandir}/man1/smbtorture.1*
 
 %if %{with testsuite}
 # files to ignore in testsuite mode
@@ -2545,17 +2954,24 @@ fi
 %attr(750,root,wbpriv) %dir /var/lib/samba/winbindd_privileged
 %{_unitdir}/winbind.service
 %{_prefix}/lib/NetworkManager
+%{_mandir}/man8/winbindd.8*
+%{_mandir}/man8/idmap_*.8*
 
 ### WINBIND-CLIENTS
 %files winbind-clients
 %{_bindir}/ntlm_auth
 %{_bindir}/wbinfo
 %{_libdir}/samba/krb5/winbind_krb5_localauth.so
+%{_mandir}/man1/ntlm_auth.1.gz
+%{_mandir}/man1/wbinfo.1*
+%{_mandir}/man8/winbind_krb5_localauth.8*
 
 ### WINBIND-KRB5-LOCATOR
 %files winbind-krb5-locator
 %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 %{_libdir}/samba/krb5/winbind_krb5_locator.so
+%{_libdir}/samba/krb5/async_dns_krb5_locator.so
+%{_mandir}/man8/winbind_krb5_locator.8*
 
 ### WINBIND-MODULES
 %files winbind-modules
@@ -2563,6 +2979,8 @@ fi
 %{_libdir}/libnss_wins.so*
 %{_libdir}/security/pam_winbind.so
 %config(noreplace) %{_sysconfdir}/security/pam_winbind.conf
+%{_mandir}/man5/pam_winbind.conf.5*
+%{_mandir}/man8/pam_winbind.8*
 
 %if %with_clustering_support
 %files -n ctdb
@@ -2602,9 +3020,9 @@ fi
 %config(noreplace) %{_sysconfdir}/ctdb/nfs-checks.d/50.rquotad.check
 
 %{_sbindir}/ctdbd
-%{_sbindir}/ctdbd_wrapper
+# %{_sbindir}/ctdbd_wrapper
 %{_bindir}/ctdb
-%{_bindir}/ctdb_local_daemons
+# %{_bindir}/ctdb_local_daemons
 %{_bindir}/ping_pong
 %{_bindir}/ltdbtool
 %{_bindir}/ctdb_diagnostics
@@ -2623,12 +3041,25 @@ fi
 %{_libexecdir}/ctdb/ctdb_recovery_helper
 %{_libexecdir}/ctdb/ctdb_takeover_helper
 %{_libexecdir}/ctdb/smnotify
+%{_libexecdir}/ctdb/tdb_mutex_check
 
 %dir %{_localstatedir}/lib/ctdb/
 %dir %{_localstatedir}/lib/ctdb/persistent
 %dir %{_localstatedir}/lib/ctdb/state
 %dir %{_localstatedir}/lib/ctdb/volatile
 
+%{_mandir}/man1/ctdb.1.gz
+%{_mandir}/man1/ctdb_diagnostics.1.gz
+%{_mandir}/man1/ctdbd.1.gz
+%{_mandir}/man1/onnode.1.gz
+%{_mandir}/man1/ltdbtool.1.gz
+%{_mandir}/man1/ping_pong.1.gz
+%{_mandir}/man5/ctdb.conf.5.gz
+%{_mandir}/man5/ctdb-script.options.5.gz
+%{_mandir}/man5/ctdb.sysconfig.5.gz
+%{_mandir}/man7/ctdb.7.gz
+%{_mandir}/man7/ctdb-tunables.7.gz
+%{_mandir}/man7/ctdb-statistics.7.gz
 
 %{_tmpfilesdir}/ctdb.conf
 
@@ -2649,12 +3080,14 @@ fi
 %{_datadir}/ctdb/events/legacy/31.clamd.script
 %{_datadir}/ctdb/events/legacy/40.vsftpd.script
 %{_datadir}/ctdb/events/legacy/41.httpd.script
+%{_datadir}/ctdb/events/legacy/48.netbios.script
 %{_datadir}/ctdb/events/legacy/49.winbind.script
 %{_datadir}/ctdb/events/legacy/50.samba.script
 %{_datadir}/ctdb/events/legacy/60.nfs.script
 %{_datadir}/ctdb/events/legacy/70.iscsi.script
 %{_datadir}/ctdb/events/legacy/91.lvs.script
 
+%if %{with testsuite}
 %files -n ctdb-tests
 %doc ctdb/tests/README
 %{_bindir}/ctdb_run_tests
@@ -3203,7 +3636,7 @@ fi
 %{_datadir}/ctdb/tests/UNIT/onnode/stubs/ssh
 %dir %{_datadir}/ctdb/tests/UNIT/shellcheck
 %{_datadir}/ctdb/tests/UNIT/shellcheck/base_scripts.sh
-%{_datadir}/ctdb/tests/UNIT/shellcheck/ctdbd_wrapper.sh
+# %{_datadir}/ctdb/tests/UNIT/shellcheck/ctdbd_wrapper.sh
 %{_datadir}/ctdb/tests/UNIT/shellcheck/ctdb_helpers.sh
 %{_datadir}/ctdb/tests/UNIT/shellcheck/event_scripts.sh
 %{_datadir}/ctdb/tests/UNIT/shellcheck/functions.sh
@@ -3425,6 +3858,9 @@ fi
 %{_datadir}/ctdb/tests/UNIT/tool/README
 %dir %{_datadir}/ctdb/tests/UNIT/tool/scripts
 %{_datadir}/ctdb/tests/UNIT/tool/scripts/local.sh
+ 
+#endif with testsuite (with selftest enabled)
+%endif
 
 #endif with_clustering_support
 %endif
@@ -3436,6 +3872,10 @@ fi
 %endif
 
 %changelog
+* Thu Aug 08 2024 Sindhu Karri <lakarri@microsoft.com> - 4.18.3-1
+- Upgrade samba to build with Python 3.12
+- Add patch 0001-Disable-building-smb.conf.5-in-docs-xml-wscript.patch to fix build
+
 * Tue Sep 19 2023 Jon Slobodzian <joslobo@microsoft.com> - 4.12.5-5
 - Fix build issue for systemd/systemd-bootstrap confusion
 - License verified
diff --git a/SPECS-EXTENDED/usermode/fsfaddr.patch b/SPECS-EXTENDED/usermode/fsfaddr.patch
deleted file mode 100644
index 769e4b009f7..00000000000
--- a/SPECS-EXTENDED/usermode/fsfaddr.patch
+++ /dev/null
@@ -1,396 +0,0 @@
-diff --git a/consolehelper-gtk.8 b/consolehelper-gtk.8
-index d964ffa..a0937cf 100644
---- a/consolehelper-gtk.8
-+++ b/consolehelper-gtk.8
-@@ -12,7 +12,8 @@
- .\"
- .\" You should have received a copy of the GNU General Public License
- .\" along with this program; if not, write to the Free Software
--.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+.\" Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+.\" MA  02110-1301, USA.
- .\"
- .TH CONSOLEHELPER-GTK 8 "2009-10-05" "Red Hat"
- .SH NAME
-diff --git a/consolehelper.8.in b/consolehelper.8.in
-index d771da7..e6ad431 100644
---- a/consolehelper.8.in
-+++ b/consolehelper.8.in
-@@ -12,7 +12,8 @@
- .\"
- .\" You should have received a copy of the GNU General Public License
- .\" along with this program; if not, write to the Free Software
--.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+.\" Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+.\" MA  02110-1301, USA.
- .\"
- .TH CONSOLEHELPER 8 "18 March 1999" "Red Hat Software"
- .SH NAME
-diff --git a/consolehelper.c b/consolehelper.c
-index d4ee6f9..064ccb3 100644
---- a/consolehelper.c
-+++ b/consolehelper.c
-@@ -13,7 +13,8 @@
-  *
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  */
- 
- #include "config.h"
-diff --git a/dummy.h b/dummy.h
-index 24f8277..b6d38d3 100644
---- a/dummy.h
-+++ b/dummy.h
-@@ -13,7 +13,8 @@
-  *
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  */
- 
- /* Just a dummy file for gettext, containing messages emmitted by various
-diff --git a/gsmclient.c b/gsmclient.c
-index 85a3dea..6d67e91 100644
---- a/gsmclient.c
-+++ b/gsmclient.c
-@@ -17,8 +17,8 @@
-  *
-  * You should have received a copy of the GNU Library General Public
-  * License along with this library; if not, write to the
-- * Free Software Foundation, Inc., 59 Temple Place - Suite 330,
-- * Boston, MA 02111-1307, USA.
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-+ * Boston, MA  02110-1301, USA.
-  */
- 
- #include <config.h>
-diff --git a/gsmclient.h b/gsmclient.h
-index a4e94b0..66d97c7 100644
---- a/gsmclient.h
-+++ b/gsmclient.h
-@@ -17,8 +17,8 @@
-  *
-  * You should have received a copy of the GNU Library General Public
-  * License along with this library; if not, write to the
-- * Free Software Foundation, Inc., 59 Temple Place - Suite 330,
-- * Boston, MA 02111-1307, USA.
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-+ * Boston, MA  02110-1301, USA.
-  */
- 
- #ifndef GSM_CLIENT_H
-diff --git a/pam-panel-icon.1 b/pam-panel-icon.1
-index f92f57a..5f891dc 100644
---- a/pam-panel-icon.1
-+++ b/pam-panel-icon.1
-@@ -12,7 +12,8 @@
- .\"
- .\" You should have received a copy of the GNU General Public License
- .\" along with this program; if not, write to the Free Software
--.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+.\" Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+.\" MA  02110-1301, USA.
- .\"
- .\" Red Hat author: Miloslav Trmač <mitr@redhat.com>
- .TH PAM-PANEL-ICON 1 "2009-10-05" "Red Hat"
-diff --git a/pam-panel-icon.c b/pam-panel-icon.c
-index d2e93fa..c4e038c 100644
---- a/pam-panel-icon.c
-+++ b/pam-panel-icon.c
-@@ -13,7 +13,8 @@
-  *
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  */
- 
- #include "config.h"
-diff --git a/props.c b/props.c
-index 04eaeb6..3f37fd5 100644
---- a/props.c
-+++ b/props.c
-@@ -15,8 +15,8 @@
-  * 
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-- * 02111-1307, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  */
- 
- #include "props.h"
-diff --git a/props.h b/props.h
-index c309450..aaa491c 100644
---- a/props.h
-+++ b/props.h
-@@ -15,8 +15,8 @@
-  * 
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
-- * 02111-1307, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  */
- 
- #ifndef MSM_PROPS_H
-diff --git a/shvar.c b/shvar.c
-index 114b7fc..7dd3651 100644
---- a/shvar.c
-+++ b/shvar.c
-@@ -24,7 +24,8 @@
-  *
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  *
-  */
- 
-diff --git a/shvar.h b/shvar.h
-index debc1ee..81cff6f 100644
---- a/shvar.h
-+++ b/shvar.h
-@@ -24,7 +24,8 @@
-  *
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  *
-  */
- #ifndef _SHVAR_H
-diff --git a/test-userdialog.c b/test-userdialog.c
-index 4ace42e..d3dd34f 100644
---- a/test-userdialog.c
-+++ b/test-userdialog.c
-@@ -14,7 +14,8 @@
-  *
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  */
- 
- #include "config.h"
-diff --git a/userdialogs.c b/userdialogs.c
-index af44607..04f450a 100644
---- a/userdialogs.c
-+++ b/userdialogs.c
-@@ -13,7 +13,8 @@
-  *
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  *
-  */
- 
-diff --git a/userdialogs.h b/userdialogs.h
-index 44b464a..3ea2f01 100644
---- a/userdialogs.h
-+++ b/userdialogs.h
-@@ -13,7 +13,8 @@
-  *
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  */
- 
- #ifndef __USERDIALOGS_H__
-diff --git a/userhelper-messages.c b/userhelper-messages.c
-index 5c73cc0..7b8e37c 100644
---- a/userhelper-messages.c
-+++ b/userhelper-messages.c
-@@ -13,7 +13,8 @@
-  *
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  */
- 
- #include "config.h"
-diff --git a/userhelper-messages.h b/userhelper-messages.h
-index 69825f5..ec507d3 100644
---- a/userhelper-messages.h
-+++ b/userhelper-messages.h
-@@ -13,7 +13,8 @@
-  *
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  */
- 
- #ifndef USERHELPER_MESSAGES_H__
-diff --git a/userhelper-wrap.c b/userhelper-wrap.c
-index cd35cd6..1e631f7 100644
---- a/userhelper-wrap.c
-+++ b/userhelper-wrap.c
-@@ -13,7 +13,8 @@
-  *
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  */
- 
- #include "config.h"
-diff --git a/userhelper-wrap.h b/userhelper-wrap.h
-index 2fb77c0..e4fea41 100644
---- a/userhelper-wrap.h
-+++ b/userhelper-wrap.h
-@@ -13,7 +13,8 @@
-  *
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  */
- 
- #ifndef __USERHELPER_WRAP_H__
-diff --git a/userhelper.8.in b/userhelper.8.in
-index 4e7aff1..ce90528 100644
---- a/userhelper.8.in
-+++ b/userhelper.8.in
-@@ -12,7 +12,8 @@
- .\"
- .\" You should have received a copy of the GNU General Public License
- .\" along with this program; if not, write to the Free Software
--.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+.\" Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+.\" MA  02110-1301, USA.
- .\"
- .TH USERHELPER 8 "January 8 2008" "Red Hat, Inc."
- .SH NAME
-diff --git a/userhelper.c b/userhelper.c
-index 287aa4d..fa5395d 100644
---- a/userhelper.c
-+++ b/userhelper.c
-@@ -13,7 +13,8 @@
-  *
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  */
- 
- #include "config.h"
-diff --git a/userhelper.h b/userhelper.h
-index 50e6ed9..32c29d6 100644
---- a/userhelper.h
-+++ b/userhelper.h
-@@ -13,7 +13,8 @@
-  *
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  */
- 
- #ifndef __USERHELPER_H__
-diff --git a/userinfo.1 b/userinfo.1
-index 8701bda..292aa4b 100644
---- a/userinfo.1
-+++ b/userinfo.1
-@@ -12,7 +12,8 @@
- .\"
- .\" You should have received a copy of the GNU General Public License
- .\" along with this program; if not, write to the Free Software
--.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+.\" Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+.\" MA  02110-1301, USA.
- .\"
- .TH USERINFO 1 "6 October 1997" "Red Hat Software"
- .SH NAME
-diff --git a/userinfo.c b/userinfo.c
-index 5139b13..4c0ea9b 100644
---- a/userinfo.c
-+++ b/userinfo.c
-@@ -14,7 +14,8 @@
-  *
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  */
- 
- /* Things to remember...
-diff --git a/usermount.1 b/usermount.1
-index eb864c8..1af6122 100644
---- a/usermount.1
-+++ b/usermount.1
-@@ -12,7 +12,8 @@
- .\"
- .\" You should have received a copy of the GNU General Public License
- .\" along with this program; if not, write to the Free Software
--.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+.\" Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+.\" MA  02110-1301, USA.
- .\"
- .TH USERMOUNT 1 "March 13 2007" "Red Hat"
- .SH NAME
-diff --git a/usermount.c b/usermount.c
-index 5875c09..1fc627b 100644
---- a/usermount.c
-+++ b/usermount.c
-@@ -14,7 +14,8 @@
-  *
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  */
- 
- /* TODO notes.
-diff --git a/userpasswd.1 b/userpasswd.1
-index 3f11f7a..6e2ab14 100644
---- a/userpasswd.1
-+++ b/userpasswd.1
-@@ -12,7 +12,8 @@
- .\"
- .\" You should have received a copy of the GNU General Public License
- .\" along with this program; if not, write to the Free Software
--.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+.\" Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+.\" MA  02110-1301, USA.
- .\"
- .TH USERPASSWD 1 "17 October 1997" "Red Hat Software"
- .SH NAME
-diff --git a/userpasswd.c b/userpasswd.c
-index 42c6705..fad128f 100644
---- a/userpasswd.c
-+++ b/userpasswd.c
-@@ -14,7 +14,8 @@
-  *
-  * You should have received a copy of the GNU General Public License
-  * along with this program; if not, write to the Free Software
-- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
-+ * MA  02110-1301, USA.
-  */
- 
- #include "config.h"
diff --git a/SPECS-EXTENDED/usermode/selinux_deprecated.patch b/SPECS-EXTENDED/usermode/selinux_deprecated.patch
deleted file mode 100644
index fbce5023785..00000000000
--- a/SPECS-EXTENDED/usermode/selinux_deprecated.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-diff --git a/userhelper.c b/userhelper.c
-index 4177c89..f2afde7 100644
---- a/userhelper.c
-+++ b/userhelper.c
-@@ -48,8 +48,6 @@
- 
- #ifdef WITH_SELINUX
- #include <selinux/selinux.h>
--#include <selinux/flask.h>
--#include <selinux/av_permissions.h>
- #endif
- 
- #include "shvar.h"
-@@ -111,7 +109,7 @@ static int checkAccess(unsigned int selaccess) {
-     struct av_decision avd;
-     int retval = security_compute_av(user_context,
- 				     user_context,
--				     SECCLASS_PASSWD,
-+				     string_to_security_class("passwd"),
- 				     selaccess,
- 				     &avd);
- 	  
-@@ -2267,7 +2265,8 @@ main(int argc, char **argv)
- 	const char *new_home_phone;
- 	const char *new_shell;
- #ifdef WITH_SELINUX
--	unsigned perm;
-+	security_class_t class;
-+	access_vector_t perm;
- #endif
- 
- 	/* State variable we pass around. */
-@@ -2426,12 +2425,13 @@ main(int argc, char **argv)
- 			user_name = g_strdup(argv[optind]);
- 
- #ifdef WITH_SELINUX
-+			class = string_to_security_class("passwd");
- 			if (c_flag) 
--			  perm = PASSWD__PASSWD;
-+			  perm = string_to_av_perm(class, "passwd");
- 			else if (s_flag)
--			  perm = PASSWD__CHSH;
-+			  perm = string_to_av_perm(class, "chsh");
- 			else
--			  perm = PASSWD__CHFN;
-+			  perm = string_to_av_perm(class, "chfn");
- 
- 			if (is_selinux_enabled() > 0 &&
- 			    checkAccess(perm)!= 0) {
diff --git a/SPECS-EXTENDED/usermode/sysmacros.patch b/SPECS-EXTENDED/usermode/sysmacros.patch
deleted file mode 100644
index 4ba8859e962..00000000000
--- a/SPECS-EXTENDED/usermode/sysmacros.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/usermount.c b/usermount.c
-index 3aafadd..5875c09 100644
---- a/usermount.c
-+++ b/usermount.c
-@@ -40,6 +40,7 @@
- #include <sys/stat.h>
- #include <sys/time.h>
- #include <sys/types.h>
-+#include <sys/sysmacros.h>
- #include <errno.h>
- #include <glob.h>
- #include <libintl.h>
diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
index 09d7400a75d..4ea7c12101d 100644
--- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec
+++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec
@@ -9,8 +9,8 @@
 %define uname_r %{version}-%{release}
 Summary:        Signed Linux Kernel for %{buildarch} systems
 Name:           kernel-signed-%{buildarch}
-Version:        6.6.47.1
-Release:        1%{?dist}
+Version:        6.6.51.1
+Release:        5%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -145,6 +145,39 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %exclude /module_info.ld
 
 %changelog
+* Thu Oct 03 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.51.1-5
+- Bump release to match kernel
+
+* Wed Oct 02 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.51.1-4
+- Bump release to match kernel
+
+* Tue Sep 24 2024 Jo Zzsi <jozzsicsataban@gmail.com> - 6.6.51.1-3
+- Bump release to match kernel
+
+* Fri Sep 20 2024 Chris Co <chrco@microsoft.com> - 6.6.51.1-2
+- Bump release to match kernel
+
+* Wed Sep 18 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.51.1-1
+- Auto-upgrade to 6.6.51.1
+
+* Fri Sep 13 2024 Thien Trung Vuong <tvuong@microsoft.com> - 6.6.47.1-7
+- Bump release to match kernel
+
+* Fri Sep 13 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-6
+- Bump release to match kernel
+
+* Thu Sep 12 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-5
+- Bump release to match kernel
+
+* Thu Sep 12 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-4
+- Bump release to match kernel
+
+* Wed Sep 04 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-3
+- Bump release to match kernel
+
+* Thu Aug 29 2024 Jo Zzsi <jozzsicsataban@gmail.com> - 6.6.47.1-2
+- Bump release to match kernel
+
 * Thu Aug 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.47.1-1
 - Auto-upgrade to 6.6.47.1
 
diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec
index c663891cc74..675978e2e10 100644
--- a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec
+++ b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec
@@ -5,8 +5,8 @@
 %define kernelver %{version}-%{release}
 Summary:        Signed Unified Kernel Image for %{buildarch} systems
 Name:           kernel-uki-signed-%{buildarch}
-Version:        6.6.47.1
-Release:        1%{?dist}
+Version:        6.6.51.1
+Release:        5%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -58,13 +58,49 @@ pushd rpm_contents
 # Don't use * wildcard. It does not copy over hidden files in the root folder...
 cp -rp ./. %{buildroot}/
 
+cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
+
 popd
 
 %files -n kernel-uki
 /boot/vmlinuz-uki-%{kernelver}.efi
 /lib/modules/%{kernelver}/vmlinuz-uki.efi
+/boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
 
 %changelog
+* Thu Oct 03 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.51.1-5
+- Bump release to match kernel
+
+* Wed Oct 02 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.51.1-4
+- Bump release to match kernel
+
+* Tue Sep 24 2024 Jo Zzsi <jozzsicsataban@gmail.com> - 6.6.51.1-3
+- Bump release to match kernel
+
+* Fri Sep 20 2024 Chris Co <chrco@microsoft.com> - 6.6.51.1-2
+- Bump release to match kernel
+
+* Wed Sep 18 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.51.1-1
+- Auto-upgrade to 6.6.51.1
+
+* Fri Sep 13 2024 Thien Trung Vuong <tvuong@microsoft.com> - 6.6.47.1-7
+- Bump release to match kernel
+
+* Fri Sep 13 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-6
+- Bump release to match kernel
+
+* Thu Sep 12 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-5
+- Bump release to match kernel
+
+* Thu Sep 12 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-4
+- Bump release to match kernel
+
+* Wed Sep 04 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-3
+- Bump release to match kernel
+
+* Thu Aug 29 2024 Jo Zzsi <jozzsicsataban@gmail.com> - 6.6.47.1-2
+- Bump release to match kernel
+
 * Thu Aug 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.47.1-1
 - Auto-upgrade to 6.6.47.1
 
diff --git a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec
index f4b9637659c..59a3ed26055 100644
--- a/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec
+++ b/SPECS-SIGNED/systemd-boot-signed/systemd-boot-signed.spec
@@ -14,7 +14,7 @@ Version:        255
 # determine the build information from local checkout
 Version:        %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
 %endif
-Release:        17%{?dist}
+Release:        18%{?dist}
 License:        LGPL-2.1-or-later AND MIT AND GPL-2.0-or-later
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -51,6 +51,7 @@ Provides: version(systemd-boot)%{_isa} = %version
 
 # self-obsoletes to install both packages after split of systemd-boot
 Obsoletes: systemd-udev < 252.2^
+Conflicts: grub2-efi-binary
 
 %description -n systemd-boot
 systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a
@@ -77,6 +78,8 @@ pushd rpm_contents
 # Don't use * wildcard. It does not copy over hidden files in the root folder...
 cp -rp ./. %{buildroot}/
 
+cp %{buildroot}/usr/lib/systemd/boot/efi/systemd-bootx64.efi %{buildroot}/boot/efi/EFI/BOOT/grubx64.efi
+
 popd
 
 %files -n systemd-boot
@@ -84,8 +87,12 @@ popd
 /usr/share/man/man5/loader.conf.5.gz
 /usr/share/man/man7/sd-boot.7.gz
 /usr/share/man/man7/systemd-boot.7.gz
+/boot/efi/EFI/BOOT/grubx64.efi
 
 %changelog
+* Fri Sep 13 2024 Thien Trung Vuong <tvuong@microsoft.com> - 255-18
+- Update sd-boot install location
+
 * Fri Aug 23 2024 Chris Co <chrco@microsoft.com> - 255-17
 - Bump release to match systemd spec
 
diff --git a/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec b/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec
index c76637d4be4..8789f31fc54 100644
--- a/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec
+++ b/SPECS/SymCrypt-OpenSSL/SymCrypt-OpenSSL.spec
@@ -1,7 +1,7 @@
 Summary:        The SymCrypt engine for OpenSSL (SCOSSL) allows the use of OpenSSL with SymCrypt as the provider for core cryptographic operations
 Name:           SymCrypt-OpenSSL
 Version:        1.5.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -39,7 +39,7 @@ cmake   .. \
         -DOPENSSL_ROOT_DIR="%{_prefix}/local/ssl" \
         -DSYMCRYPT_ROOT_DIR=%{buildroot}%{_includedir}/.. \
         -DCMAKE_TOOLCHAIN_FILE="../cmake-toolchain/LinuxUserMode-%{symcrypt_arch}.cmake" \
-        -DCMAKE_BUILD_TYPE=Release
+        -DCMAKE_BUILD_TYPE=RelWithDebInfo
 
 cmake --build .
 
@@ -67,6 +67,9 @@ install SymCryptProvider/symcrypt_prov.cnf %{buildroot}%{_sysconfdir}/pki/tls/sy
 %{_sysconfdir}/pki/tls/symcrypt_prov.cnf
 
 %changelog
+* Wed Oct 02 2024 Tobias Brick <tobiasb@microsoft.com> - 1.5.1-2
+- Add sources to debuginfo package
+
 * Wed Aug 21 2024 Maxwell Moyer-McKee <mamckee@microsoft.com> - 1.5.1-1
 - Fix minor behavior differences with default provider
 
diff --git a/SPECS/azure-nvme-utils/azure-nvme-utils.spec b/SPECS/azure-nvme-utils/azure-nvme-utils.spec
index 110d4056298..6574e9a13c1 100644
--- a/SPECS/azure-nvme-utils/azure-nvme-utils.spec
+++ b/SPECS/azure-nvme-utils/azure-nvme-utils.spec
@@ -1,10 +1,12 @@
 Name:           azure-nvme-utils
 Version:        0.1.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Utility and udev rules to help identify Azure NVMe devices
 
 License:        MIT
 URL:            https://github.com/Azure/%{name}
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        %{url}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 
 BuildRequires:  binutils
@@ -31,6 +33,9 @@ make install DESTDIR=%{buildroot}
 /lib/udev/rules.d/80-azure-nvme.rules
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.1.1-2
+- Add missing Vendor and Distribution tags.
+
 * Mon Mar 18 2024 Chris Patterson <cpatterson@microsoft.com> - 0.1.1-1
 - Original version for Azure Linux.
 - License verified.
diff --git a/SPECS/azurelinux-release/90-default.preset b/SPECS/azurelinux-release/90-default.preset
index 9396ddb33f4..0d2fc7c9da8 100644
--- a/SPECS/azurelinux-release/90-default.preset
+++ b/SPECS/azurelinux-release/90-default.preset
@@ -28,7 +28,7 @@ enable rsyslog.*
 enable syslog-ng.*
 enable sysklogd.*
 
-enable firewalld.service
+enable iptables.service
 
 enable virtqemud.socket
 enable virtqemud-ro.socket
diff --git a/SPECS/azurelinux-release/azurelinux-release.signatures.json b/SPECS/azurelinux-release/azurelinux-release.signatures.json
index abdff16e401..1457a3d405f 100644
--- a/SPECS/azurelinux-release/azurelinux-release.signatures.json
+++ b/SPECS/azurelinux-release/azurelinux-release.signatures.json
@@ -1,6 +1,6 @@
 {
  "Signatures": {
-  "90-default.preset": "50ed546e79e3c9f5c4f2d4a9796255537f4900d5d1d78c0564fbe7362634531b",
+  "90-default.preset": "073dd8a72f9ef915280bb608f5ea0b394c0d658fe0537d552135332168fadb03",
   "90-default-user.preset": "7cf8f4d2ca1760e04ff46bd2444609cfd27a7ab456be2f9e73b0f89c284e134d",
   "99-default-disable.preset": "3127b197b9eae62eb84eeed69b0413419612238332006183e36a3fba89578378",
   "15-azurelinux-default.conf": "63a46ecbed4b92f996718ea9202e914ff119c2c06fdaeed3d1e2710aabc663b4"
diff --git a/SPECS/azurelinux-release/azurelinux-release.spec b/SPECS/azurelinux-release/azurelinux-release.spec
index e8cd1f53cb5..36cf8341b38 100644
--- a/SPECS/azurelinux-release/azurelinux-release.spec
+++ b/SPECS/azurelinux-release/azurelinux-release.spec
@@ -5,7 +5,7 @@
 Summary:        Azure Linux release files
 Name:           azurelinux-release
 Version:        %{dist_version}.0
-Release:        18%{?dist}
+Release:        20%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -118,6 +118,12 @@ install -Dm0644 %{SOURCE4} -t %{buildroot}%{_sysctldir}/
 %{_sysctldir}/*.conf
 
 %changelog
+* Fri Sep 27 2024 Rachel Menge <rachelmenge@microsoft.com> - 3.0-20
+- Enable iptables as default firewall
+
+* Wed Sep 25 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.0-19
+- Bump release for October 2024 Update
+
 * Thu Aug 08 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.0-18
 - Bump release for August 2024 Update 1
 
diff --git a/SPECS/azurelinux-rpm-macros/azurelinux-rpm-macros.signatures.json b/SPECS/azurelinux-rpm-macros/azurelinux-rpm-macros.signatures.json
index 1d3cacafb5e..1d915fca183 100644
--- a/SPECS/azurelinux-rpm-macros/azurelinux-rpm-macros.signatures.json
+++ b/SPECS/azurelinux-rpm-macros/azurelinux-rpm-macros.signatures.json
@@ -10,18 +10,17 @@
   "default-hardened-cc1": "2102bdfbb06934d95ceb3c81f789c59c9f77f91b0f996fd39588e0aa052d6f77",
   "default-hardened-ld": "4dbb822a27eed292759bc4e9cabb4b84f34fc6701535fcac2fdddac33328678b",
   "forge.lua": "79e710a646811de99643a0a7a4d429417556aa5071e745acaefa18321125114b",
-  "gen-ld-script.sh": "1204146a11095b0c3e4651aff1a1df86c23c1e4ac8811e21e8ee443d8f3af648",
+  "gen-ld-script.sh": "0a4baf97651f0d6067063dd287ea61e0e9e87ff60508bfcf9957c5e383a30167",
   "generate-package-note.py": "bd76a8e88a1356fed74863c38e5cf6a20c1c26426ac94ba21dd172578e8ca2a2",
   "gpgverify": "db0e050f56b694497d70603a6f5c17dd60ddbcf7cee670616851cd389f6767c4",
   "import_all_modules.py": "543d8c90e7db902e3b4587b7c488419e2f20a6d8b34174b7303dcd70794d8fc7",
-  "macros": "d94e2ee84806c5cb996b810137e0498c2accd5ccc73cd5aff4cfc0235d760ecc",
+  "macros": "831c67c69bc37ee1eefdebf5bb32501b88160c831eb26738e872df0bb128e981",
   "macros.check": "79367176c3c7d10c0158b6e5d881e0fc3c8fd50c5957dad2f097c2d4a37833e7",
   "macros.fonts": "f52edc646414c5dd0f5f4cdd570f2f9dbe6fb97d4f0db360908deb56d96492f8",
   "macros.forge": "52cdffd48217cafe33afe47c625cd6aac6460848cd76de66fe61031c26beeaf4",
   "macros.grub2": "b03f6f713601214406971de53538dfc25136bf836f09a663eaffc4332a72c38b",
   "macros.mono-srpm": "a9201ae36fc482e966134e38f42412378e955faf296b214cb6dd63981af8bc49",
   "macros.nodejs-srpm": "b2515cc7fad3f14849cff8593b10543a3f73edccff4c3c6d0d2764dae19c38e8",
-  "macros.ocaml-srpm": "c35c6db7ede8ea534212329d010920646f80368e1fbd0b9025e48ed0a85a09ce",
   "macros.openblas-srpm": "bd46ab2c99aa504d3fb09de1f071f0e19a9b2605772c1a738a32cfb0129d33b8",
   "macros.perl-srpm": "27f09c386944fc7478cdde55168bbc720d03ecd11ec60ae1133a42db6432e7f7",
   "macros.pybytecompile": "b07fbaa0f534bfee9706e343f4c1892d6903127e18f7561d0ad8445674658d26",
@@ -35,4 +34,4 @@
   "rpmrc": "c197369d806430f581de9d5f0e89384d231745712f394ce39497ada47d1f4efe",
   "verify-package-notes.sh": "121715379dcfda33f4e66b3eb5520c80c55c1b0d88348f8895d45d3b89dfe965"
  }
-}
+}
\ No newline at end of file
diff --git a/SPECS/azurelinux-rpm-macros/azurelinux-rpm-macros.spec b/SPECS/azurelinux-rpm-macros/azurelinux-rpm-macros.spec
index 8b4df1dacf6..95902f693b8 100644
--- a/SPECS/azurelinux-rpm-macros/azurelinux-rpm-macros.spec
+++ b/SPECS/azurelinux-rpm-macros/azurelinux-rpm-macros.spec
@@ -7,7 +7,7 @@
 Summary:        Azure Linux specific rpm macro files
 Name:           azurelinux-rpm-macros
 Version:        %{azl}.0
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        GPL+ AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -143,6 +143,9 @@ install -p -m 644 -t %{buildroot}%{rcluadir}/srpm python.lua
 %{_rpmconfigdir}/macros.d/macros.check
 
 %changelog
+* Mon Sep 09 2024 Andrew Phelps <anphel@microsoft.com> - 3.0-7
+- Include release information in ELF metadata version field
+
 * Tue Aug 13 2024 Daniel McIlvaney <damcilva@microsoft.com> - 3.0-6
 - Move grub2-rpm-macros to the azurelinux-rpm-macros package
 
diff --git a/SPECS/azurelinux-rpm-macros/gen-ld-script.sh b/SPECS/azurelinux-rpm-macros/gen-ld-script.sh
index 7717c25162f..1ad17ce11f3 100755
--- a/SPECS/azurelinux-rpm-macros/gen-ld-script.sh
+++ b/SPECS/azurelinux-rpm-macros/gen-ld-script.sh
@@ -6,26 +6,32 @@
 # gen-ld-script.sh
 # Generate linker script to embed ELF binaries with build metadata
 
-# /usr/lib/rpm/azl/gen-ld-script.sh %{name} %{version} %{_topdir} %{distro_release_version}
+# /usr/lib/rpm/azl/gen-ld-script.sh %{name} %{?epoch:%{epoch}:}%{version}-%{release} %{_topdir} %{distro_release_version}
 echo "gen-ld-script.sh name($1) version($2) _topdir($3) osversion($4)"
 
 OS_VERSION=$(echo $4 | cut -d. -f1,2)
 
-# Count number of dot separators in $2 (version)
-NUM_DOT_SEPARATORS="${2//[^.]}"
+# When generating moduleVersion, strip everything after the dash. Also remove the epoch, if present
+# ex: "1.8.0-2.azl3" -> "1.8.0"
+# ex: "1:3.0.0-7.azl3" -> "3.0.0"
+VERSION_NO_RELEASE=$(echo $2 | cut -d- -f1 | cut -d: -f2)
+
+# Azure Watson requires a "moduleVersion" field, which always contains a 4-part version number.
 # Ensure moduleVersion contains 4 version parts by adding ".0" padding
+# Count number of dot separators in $2 (version)
+NUM_DOT_SEPARATORS="${VERSION_NO_RELEASE//[^.]}"
 case ${#NUM_DOT_SEPARATORS} in
   0)
-    MODULEVERSION=$2".0.0.0"
+    MODULEVERSION=$VERSION_NO_RELEASE".0.0.0"
     ;;
   1)
-    MODULEVERSION=$2".0.0"
+    MODULEVERSION=$VERSION_NO_RELEASE".0.0"
     ;;
   2)
-    MODULEVERSION=$2".0"
+    MODULEVERSION=$VERSION_NO_RELEASE".0"
     ;;
   *)
-    MODULEVERSION=$2
+    MODULEVERSION=$VERSION_NO_RELEASE
     ;;
 esac
 
diff --git a/SPECS/azurelinux-rpm-macros/macros b/SPECS/azurelinux-rpm-macros/macros
index 85b3941af31..d6e568e6256 100644
--- a/SPECS/azurelinux-rpm-macros/macros
+++ b/SPECS/azurelinux-rpm-macros/macros
@@ -36,7 +36,7 @@
 # Generate metadata linker script before prep section of each SPEC
 %__spec_prep_template   #!%{__spec_prep_shell}\
 %{__spec_prep_pre}\
-/usr/lib/rpm/azl/gen-ld-script.sh %{name} %{version} %{_topdir} %{distro_release_version}\
+/usr/lib/rpm/azl/gen-ld-script.sh %{name} %{?epoch:%{epoch}:}%{version}-%{release} %{_topdir} %{distro_release_version}\
 %{nil}
 
 # This section overrides the default behavior of the build macro to export
diff --git a/SPECS/azurelinux-sysinfo/azurelinux-sysinfo.spec b/SPECS/azurelinux-sysinfo/azurelinux-sysinfo.spec
index f9ca14a6646..956270050bc 100644
--- a/SPECS/azurelinux-sysinfo/azurelinux-sysinfo.spec
+++ b/SPECS/azurelinux-sysinfo/azurelinux-sysinfo.spec
@@ -1,7 +1,7 @@
 Summary:        Package to deploy azurelinux-sysinfo service
 Name:           azurelinux-sysinfo
 Version:        %{azl}.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -14,6 +14,7 @@ Source3:        sysinfo-selinuxpolicies.cil
 Requires:       systemd
 Requires:       python3-psutil
 Requires:       libselinux-utils
+Requires:       rpm
 
 %description
 Deploys a systemd service that gathers system information related to the device, operating system, cloud-init, boot 
@@ -62,6 +63,9 @@ if rpm -q selinux-policy &> /dev/null; then
 fi
 
 %changelog
+* Mon Sep 09 2024 Amrita Kohli <amritakohli@microsoft.com> - 3.0-3
+- Add rpm as a requirement.
+
 * Mon June 24 2024 Amrita Kohli <amritakohli@microsoft.com> - 3.0-2
 - Add libselinux-utils as a requirement; needed for `getenforce`.
 
diff --git a/SPECS/bc/bc.spec b/SPECS/bc/bc.spec
index 2d711936655..194f842bfdc 100644
--- a/SPECS/bc/bc.spec
+++ b/SPECS/bc/bc.spec
@@ -1,8 +1,8 @@
 Summary:        precision numeric processing language
 Name:           bc
 Version:        1.07.1
-Release:        4%{?dist}
-License:        GPLv2+
+Release:        5%{?dist}
+License:        GPLv3+
 URL:            https://www.gnu.org/software/bc/
 Group:          System Environment/base
 Vendor:         Microsoft Corporation
@@ -46,17 +46,26 @@ popd
 %{_mandir}/*/*
 
 %changelog
+* Tue Sep 03 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.07.1-5
+- License verified.
+
 * Fri Jan 22 2021 Andrew Phelps <anphel@microsoft.com> 1.07.1-4
 - Fix check test. Remove sha1. Change URL to GNU bc homepage.
+
 * Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 1.07.1-3
 - Added %%license line automatically
+
 * Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 1.07.1-2
 - Initial CBL-Mariner import from Photon (license: Apache2).
+
 * Mon Oct 1 2018 Sujay G <gsujay@vmware.com> 1.07.1-1
 - Bump bc version to 1.07.1
+
 * Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 1.06.95-3
 - GA - Bump release of all rpms
+
 * Tue Aug 4 2015 Kumar Kaushik <kaushikk@vmware.com> 1.06.95-2
 - Adding the post uninstall section.
+
 * Wed Nov 5 2014 Divya Thaluru <dthaluru@vmware.com> 1.06.95-1
 - initial version
diff --git a/SPECS/blobfuse2/blobfuse2.signatures.json b/SPECS/blobfuse2/blobfuse2.signatures.json
index 4e5e94ad9d1..e8a5d7ecb19 100644
--- a/SPECS/blobfuse2/blobfuse2.signatures.json
+++ b/SPECS/blobfuse2/blobfuse2.signatures.json
@@ -1,6 +1,6 @@
 {
-    "Signatures": {
-     "blobfuse2-2.3.0.tar.gz": "9e7c3b98c4967d45405a4b9450fb3e90e329ffefaef1ffa0e6cedfd66991881b",
-     "blobfuse2-2.3.0-vendor.tar.gz": "fea87a77eb3ee28883c1e24de6213c5db1288387b9f9162f4fc57cfdffe97ddb"
-    }
+ "Signatures": {
+  "blobfuse2-2.3.2-vendor.tar.gz": "109d4e98f532736ace27bebd29b76a87764e60b9cc066a1289e5ae97eead4c16",
+  "blobfuse2-2.3.2.tar.gz": "018c23c7d2e3216392a3afc3b30e7d3836e6e6f552735bc64d3d77771aa6fb9f"
+ }
 }
\ No newline at end of file
diff --git a/SPECS/blobfuse2/blobfuse2.spec b/SPECS/blobfuse2/blobfuse2.spec
index 612d68c2d4f..5dd53533438 100644
--- a/SPECS/blobfuse2/blobfuse2.spec
+++ b/SPECS/blobfuse2/blobfuse2.spec
@@ -5,7 +5,7 @@
 
 Summary:        FUSE adapter - Azure Storage
 Name:           blobfuse2
-Version:        2.3.0
+Version:        2.3.2
 Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
@@ -59,6 +59,10 @@ install -D -m 0644 ./setup/blobfuse2-logrotate %{buildroot}%{_sysconfdir}/logrot
 %{_sysconfdir}/logrotate.d/blobfuse2
 
 %changelog
+* Fri Sep 27 2024 Archana Choudhary <archana1@microsoft.com> - 2.3.2-1
+- Upgrade to version 2.3.2.
+- Fixes CVE-2024-35255
+
 * Tue Jul 09 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 2.3.0-1
 - Update to version 2.3.0.
 
diff --git a/SPECS/build-essential/build-essential.spec b/SPECS/build-essential/build-essential.spec
index da7226627b5..e6a307e7683 100644
--- a/SPECS/build-essential/build-essential.spec
+++ b/SPECS/build-essential/build-essential.spec
@@ -1,8 +1,10 @@
 Summary:        Metapackage to install all build tools
 Name:           build-essential
 Version:        %{azl}.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Requires:       autoconf
 Requires:       automake
 Requires:       binutils
@@ -31,6 +33,9 @@ Metapackage to install all build tools
 %defattr(-,root,root,0755)
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 3.0-3
+- Add missing Vendor and Distribution tags.
+
 * Tue Feb 27 2024 Chris Gunn <chrisgun@microsoft.com> - 3.0-2
 - Remove installkernel
 
diff --git a/SPECS/busybox/busybox.spec b/SPECS/busybox/busybox.spec
index aaa350b5906..f82819150ce 100644
--- a/SPECS/busybox/busybox.spec
+++ b/SPECS/busybox/busybox.spec
@@ -1,7 +1,7 @@
 Summary:        Statically linked binary providing simplified versions of system commands
 Name:           busybox
 Version:        1.36.1
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -16,7 +16,7 @@ Patch2:         CVE-2021-42380.patch
 Patch3:         CVE-2023-42363.patch
 Patch4:         CVE-2023-42365.patch
 BuildRequires:  gcc
-BuildRequires:  glibc-static >= 2.38-7%{?dist}
+BuildRequires:  glibc-static >= 2.38-8%{?dist}
 BuildRequires:  libselinux-devel >= 1.27.7-2
 BuildRequires:  libsepol-devel
 %if 0%{?with_check}
@@ -103,6 +103,9 @@ SKIP_KNOWN_BUGS=1 ./runtest
 %{_mandir}/man1/busybox.petitboot.1.gz
 
 %changelog
+* Mon Aug 26 2024 Rachel Menge <rachelmenge@microsoft.com> - 1.36.1-8
+- Update to build dep latest glibc-static version
+
 * Wed Aug 21 2024 Chris Co <chrco@microsoft.com> - 1.36.1-7
 - Bump to rebuild with updated glibc
 
diff --git a/SPECS/ccache/ccache.spec b/SPECS/ccache/ccache.spec
index 3eb03946d77..8d9c71fb236 100644
--- a/SPECS/ccache/ccache.spec
+++ b/SPECS/ccache/ccache.spec
@@ -1,10 +1,10 @@
 Summary:        Compiler Cache
 Name:           ccache
 Version:        4.8.3
-Release:        1%{?dist}
+Release:        3%{?dist}
 License:        BeOpen AND BSD AND GPLv3+ AND (Patrick Powell's AND Holger Weiss' license) AND Public Domain AND Python AND zlib
 Vendor:         Microsoft Corporation
-Distribution:   Mariner
+Distribution:   Azure Linux
 URL:            https://ccache.dev
 Source0:        https://github.com/%{name}/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz
 BuildRequires:  cmake
@@ -28,10 +28,11 @@ pushd build
 %make_install
 popd
 install -dm 755 %{buildroot}%{_libdir}/ccache
-for n in cc gcc g++ c++ ; do
+for n in gcc g++ c++ ; do
     ln -sf ../../bin/ccache %{buildroot}%{_libdir}/ccache/$n
     ln -sf ../../bin/ccache %{buildroot}%{_libdir}/ccache/%{_host}-$n
 done
+ln -sf ../../bin/ccache %{buildroot}%{_libdir}/ccache/cc
 ln -sf ../../bin/ccache %{buildroot}%{_libdir}/ccache/clang
 ln -sf ../../bin/ccache %{buildroot}%{_libdir}/ccache/clang++
 
@@ -56,6 +57,12 @@ done
 %{_libdir}/*
 
 %changelog
+* Tue Sep 17 2024 Andrew Phelps <anphel@microsoft.com> - 4.8.3-3
+- Remove dangling link to %%{_host}-cc
+
+* Tue Sep 03 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 4.8.3-2
+- Fix the 'Distribution' tag.
+
 * Fri Nov 10 2023 Andrew Phelps <anphel@microsoft.com> - 4.8.3-1
 - Upgrade to version 4.8.3
 
diff --git a/SPECS/cert-manager/CVE-2024-25620.patch b/SPECS/cert-manager/CVE-2024-25620.patch
deleted file mode 100644
index cf31fc0371c..00000000000
--- a/SPECS/cert-manager/CVE-2024-25620.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From e90f3034faa9a6a23131df5665570d221e3092f3 Mon Sep 17 00:00:00 2001
-From: Bhagyashri Pathak <bhapathak@microsoft.com>
-Date: Thu, 8 Aug 2024 10:27:21 +0530
-Subject: [PATCH] CVE-2024-25620 patch 
-
----
- cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go  |  4 ++++
- .../helm.sh/helm/v3/pkg/chartutil/errors.go   |  8 ++++++++
- cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go  | 20 +++++++++++++++++++
- .../helm/v3/pkg/lint/rules/chartfile.go       |  4 ++++
- 4 files changed, 36 insertions(+)
-
-diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
-index ae572ab..3834b4c 100644
---- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
-+++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
-@@ -16,6 +16,7 @@ limitations under the License.
- package chart
-
- import (
-+	"path/filepath"
- 	"strings"
- 	"unicode"
-
-@@ -110,6 +111,9 @@ func (md *Metadata) Validate() error {
- 	if md.Name == "" {
- 		return ValidationError("chart.metadata.name is required")
- 	}
-+	if md.Name != filepath.Base(md.Name) {
-+		return ValidationErrorf("chart.metadata.name %q is invalid", md.Name)
-+	}
- 	if md.Version == "" {
- 		return ValidationError("chart.metadata.version is required")
- 	}
-diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
-index fcdcc27..0a4046d 100644
---- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
-+++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
-@@ -33,3 +33,11 @@ type ErrNoValue struct {
- }
-
- func (e ErrNoValue) Error() string { return fmt.Sprintf("%q is not a value", e.Key) }
-+
-+type ErrInvalidChartName struct {
-+	Name string
-+}
-+
-+func (e ErrInvalidChartName) Error() string {
-+	return fmt.Sprintf("%q is not a valid chart name", e.Name)
-+}
-diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
-index 2ce4edd..4ee9070 100644
---- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
-+++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
-@@ -39,6 +39,10 @@ var headerBytes = []byte("+aHR0cHM6Ly95b3V0dS5iZS96OVV6MWljandyTQo=")
- // directory, writing the chart's contents to that subdirectory.
- func SaveDir(c *chart.Chart, dest string) error {
- 	// Create the chart directory
-+	err := validateName(c.Name())
-+	if err != nil {
-+		return err
-+	}
- 	outdir := filepath.Join(dest, c.Name())
- 	if fi, err := os.Stat(outdir); err == nil && !fi.IsDir() {
- 		return errors.Errorf("file %s already exists and is not a directory", outdir)
-@@ -149,6 +153,10 @@ func Save(c *chart.Chart, outDir string) (string, error) {
- }
-
- func writeTarContents(out *tar.Writer, c *chart.Chart, prefix string) error {
-+	err := validateName(c.Name())
-+	if err != nil {
-+		return err
-+	}
- 	base := filepath.Join(prefix, c.Name())
-
- 	// Pull out the dependencies of a v1 Chart, since there's no way
-@@ -242,3 +250,15 @@ func writeToTar(out *tar.Writer, name string, body []byte) error {
- 	_, err := out.Write(body)
- 	return err
- }
-+
-+// If the name has directory name has characters which would change the location
-+// they need to be removed.
-+func validateName(name string) error {
-+	nname := filepath.Base(name)
-+
-+	if nname != name {
-+		return ErrInvalidChartName{name}
-+	}
-+
-+	return nil
-+}
-diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
-index b49f2ce..f8f033c 100644
---- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
-+++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
-@@ -107,6 +107,10 @@ func validateChartName(cf *chart.Metadata) error {
- 	if cf.Name == "" {
- 		return errors.New("name is required")
- 	}
-+	name := filepath.Base(cf.Name)
-+	if name != cf.Name {
-+		return fmt.Errorf("chart name %q is invalid", cf.Name)
-+	}
- 	return nil
- }
-
--- 
-2.34.1
-
diff --git a/SPECS/clang/clang.spec b/SPECS/clang/clang.spec
index 2882dd4f82c..6d0a977f66f 100644
--- a/SPECS/clang/clang.spec
+++ b/SPECS/clang/clang.spec
@@ -5,7 +5,7 @@
 Summary:        C, C++, Objective C and Objective C++ front-end for the LLVM compiler.
 Name:           clang
 Version:        18.1.2
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        NCSA
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -112,7 +112,9 @@ export CXXFLAGS="`echo " %{build_cxxflags} " | sed 's/ -g//'`"
 
 mkdir -p build
 cd build
-cmake  -DCMAKE_INSTALL_PREFIX=%{_prefix}       \
+cmake  \
+       -DCMAKE_INSTALL_PREFIX=%{_prefix}       \
+       -DLLVM_DIR=%{_libdir}/cmake/llvm        \
        -DLLVM_PARALLEL_LINK_JOBS=1             \
        -DCLANG_ENABLE_STATIC_ANALYZER:BOOL=ON  \
        -DCMAKE_BUILD_TYPE=Release              \
@@ -242,6 +244,9 @@ make clang-check
 %{_includedir}/clang-tidy/
 
 %changelog
+* Tue Sep 03 2024 Andrew Phelps <anphel@microsoft.com> - 18.1.2-3
+- Define LLVM_DIR
+
 * Wed May 29 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 18.1.2-2
 - Bump release to build with new llvm to fix CVE-2024-31852
 
diff --git a/SPECS/cloud-init/Add-Network-Interface-Renaming-Support-for-CAPM3-Met.patch b/SPECS/cloud-init/Add-Network-Interface-Renaming-Support-for-CAPM3-Met.patch
index bf20db4c1b9..4204917d664 100644
--- a/SPECS/cloud-init/Add-Network-Interface-Renaming-Support-for-CAPM3-Met.patch
+++ b/SPECS/cloud-init/Add-Network-Interface-Renaming-Support-for-CAPM3-Met.patch
@@ -15,17 +15,31 @@ interfaces by using the "id" attribute found in the CAPM3 Metal3DataTemplate
 specification. This is a temporary fix until the "name" attribute is added to
 the specification.
 ---
- cloudinit/sources/helpers/openstack.py        | 11 +--
- .../sources/helpers/test_openstack.py         |  8 +-
- tests/unittests/sources/test_configdrive.py   | 84 ++++++++++---------
- tests/unittests/test_net.py                   | 80 ++++++------------
- 4 files changed, 79 insertions(+), 104 deletions(-)
+ Makefile                                      |   2 +-
+ cloudinit/sources/helpers/openstack.py        |  11 +-
+ .../sources/helpers/test_openstack.py         |   8 +-
+ tests/unittests/sources/test_configdrive.py   |  84 ++++++-------
+ tests/unittests/test_net.py                   | 110 ++++++------------
+ 5 files changed, 90 insertions(+), 125 deletions(-)
 
+diff --git a/Makefile b/Makefile
+index 1eebb048e..af3b735bb 100644
+--- a/Makefile
++++ b/Makefile
+@@ -27,7 +27,7 @@ lint:
+ 	@$(CWD)/tools/run-lint
+ 
+ unittest: clean_pyc
+-	$(PYTHON) -m pytest -v tests/unittests cloudinit
++	$(PYTHON) -m pytest -vv -s tests/unittests cloudinit
+ 
+ render-template:
+ 	$(PYTHON) ./tools/render-template --variant=$(VARIANT) $(FILE) $(subst .tmpl,,$(FILE))
 diff --git a/cloudinit/sources/helpers/openstack.py b/cloudinit/sources/helpers/openstack.py
-index d2260baa0..f995ce4b1 100644
+index 97ec18faf..84ef61b24 100644
 --- a/cloudinit/sources/helpers/openstack.py
 +++ b/cloudinit/sources/helpers/openstack.py
-@@ -596,13 +596,14 @@ def convert_net_json(network_json=None, known_macs=None):
+@@ -600,13 +600,14 @@ def convert_net_json(network_json=None, known_macs=None):
          # present.  The 'id' in the spec is currently implemented as the host
          # nic's name, meaning something like 'tap-adfasdffd'.  We do not want
          # to name guest devices with such ugly names.
@@ -46,10 +60,10 @@ index d2260baa0..f995ce4b1 100644
          curinfo = {
              "name": cfg.get("name"),
 diff --git a/tests/unittests/sources/helpers/test_openstack.py b/tests/unittests/sources/helpers/test_openstack.py
-index ac8e2a354..143c12796 100644
+index 6ec0bd75b..02d7fb9c8 100644
 --- a/tests/unittests/sources/helpers/test_openstack.py
 +++ b/tests/unittests/sources/helpers/test_openstack.py
-@@ -42,9 +42,9 @@ class TestConvertNetJson(test_helpers.CiTestCase):
+@@ -41,9 +41,9 @@ class TestConvertNetJson:
              "version": 1,
              "config": [
                  {
@@ -61,7 +75,7 @@ index ac8e2a354..143c12796 100644
                      "subnets": [{"type": "dhcp4"}],
                      "type": "physical",
                  },
-@@ -94,9 +94,9 @@ class TestConvertNetJson(test_helpers.CiTestCase):
+@@ -90,9 +90,9 @@ class TestConvertNetJson:
              "version": 1,
              "config": [
                  {
@@ -251,10 +265,11 @@ index 70da4812a..e0afa2936 100644
          }
          self.assertEqual(expected, config_name2mac)
  
-diff -ruN a/tests/unittests/test_net.py b/tests/unittests/test_net.py
---- a/tests/unittests/test_net.py	2024-07-02 18:44:08.000000000 -0700
-+++ b/tests/unittests/test_net.py	2024-07-03 20:33:37.305007410 -0700
-@@ -566,13 +566,12 @@
+diff --git a/tests/unittests/test_net.py b/tests/unittests/test_net.py
+index 68e44fa80..eee57d9e2 100644
+--- a/tests/unittests/test_net.py
++++ b/tests/unittests/test_net.py
+@@ -566,13 +566,12 @@ OS_SAMPLES = [
          },
          "out_sysconfig_opensuse": [
              (
@@ -269,7 +284,7 @@ diff -ruN a/tests/unittests/test_net.py b/tests/unittests/test_net.py
  NETMASK=255.255.252.0
  STARTMODE=auto
  """.lstrip(),
-@@ -598,27 +597,22 @@
+@@ -598,27 +597,22 @@ dns = none
              ),
              (
                  "etc/udev/rules.d/85-persistent-net-cloud-init.rules",
@@ -301,7 +316,7 @@ diff -ruN a/tests/unittests/test_net.py b/tests/unittests/test_net.py
  IPADDR=172.19.1.34
  NETMASK=255.255.252.0
  ONBOOT=yes
-@@ -647,12 +641,8 @@
+@@ -647,12 +641,8 @@ dns = none
              ),
              (
                  "etc/udev/rules.d/70-persistent-net.rules",
@@ -311,12 +326,12 @@ diff -ruN a/tests/unittests/test_net.py b/tests/unittests/test_net.py
 -                        'ATTR{address}=="fa:16:3e:ed:9a:59", NAME="eth0"\n',
 -                    ]
 -                ),
-+	         # Since we do not set mac address, we are expecting the content to be nil
-+                 "",
++                # Since we do not set mac address, we are expecting the content to be nil
++                "",
              ),
          ],
          "expected_network_manager": [
-@@ -824,23 +814,23 @@
+@@ -660,23 +650,23 @@ dns = none
                  "".join(
                      [
                          "etc/NetworkManager/system-connections",
@@ -344,7 +359,91 @@ diff -ruN a/tests/unittests/test_net.py b/tests/unittests/test_net.py
  
  [ipv4]
  method=manual
-@@ -904,14 +894,13 @@
+@@ -738,7 +728,6 @@ dns-search=testweb.com;
+ #
+ BOOTPROTO=static
+ IPADDR=172.19.1.34
+-LLADDR=fa:16:3e:ed:9a:59
+ NETMASK=255.255.252.0
+ STARTMODE=auto
+ """.lstrip(),
+@@ -763,12 +752,8 @@ dns = none
+             ),
+             (
+                 "etc/udev/rules.d/85-persistent-net-cloud-init.rules",
+-                "".join(
+-                    [
+-                        'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ',
+-                        'ATTR{address}=="fa:16:3e:ed:9a:59", NAME="eth0"\n',
+-                    ]
+-                ),
++                # Since we do not set mac address, we are expecting the content to be nil
++                "",
+             ),
+         ],
+         "out_sysconfig_rhel": [
+@@ -783,7 +768,6 @@ DEVICE=eth0
+ DNS1=172.19.0.12
+ DOMAIN=example3.com
+ GATEWAY=172.19.3.254
+-HWADDR=fa:16:3e:ed:9a:59
+ IPADDR=172.19.1.34
+ NETMASK=255.255.252.0
+ ONBOOT=yes
+@@ -811,12 +795,8 @@ dns = none
+             ),
+             (
+                 "etc/udev/rules.d/70-persistent-net.rules",
+-                "".join(
+-                    [
+-                        'SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ',
+-                        'ATTR{address}=="fa:16:3e:ed:9a:59", NAME="eth0"\n',
+-                    ]
+-                ),
++                # Since we do not set mac address, we are expecting the content to be nil
++                "",
+             ),
+         ],
+         "expected_network_manager": [
+@@ -824,31 +804,31 @@ dns = none
+                 "".join(
+                     [
+                         "etc/NetworkManager/system-connections",
+-                        "/cloud-init-eth0.nmconnection",
++                        "/cloud-init-tap1a81968a-79.nmconnection",
+                     ]
+                 ),
+                 """
+ # Generated by cloud-init. Changes will be lost.
+ 
+ [connection]
+-id=cloud-init eth0
+-uuid=1dd9a779-d327-56e1-8454-c65e2556c12c
++id=cloud-init tap1a81968a-79
++uuid=2e85b264-dffb-5635-9b6c-616838eb1130
+ autoconnect-priority=120
+ type=ethernet
++interface-name=tap1a81968a-79
+ 
+ [user]
+ org.freedesktop.NetworkManager.origin=cloud-init
+ 
+ [ethernet]
+-mac-address=FA:16:3E:ED:9A:59
+ 
+ [ipv4]
+ method=manual
+ may-fail=false
+ address1=172.19.1.34/22
+ route1=0.0.0.0/0,172.19.3.254
+-dns=172.19.0.12;
+-dns-search=example3.com;
++dns=172.19.0.13;
++dns-search=testweb.com;
+ 
+ """.lstrip(),
+             ),
+@@ -904,14 +884,13 @@ dns-search=example3.com;
          },
          "out_sysconfig_opensuse": [
              (
@@ -360,7 +459,7 @@ diff -ruN a/tests/unittests/test_net.py b/tests/unittests/test_net.py
  NETMASK=255.255.252.0
  NETMASK1=255.255.255.0
  STARTMODE=auto
-@@ -937,25 +926,20 @@
+@@ -937,25 +916,20 @@ dns = none
              ),
              (
                  "etc/udev/rules.d/85-persistent-net-cloud-init.rules",
@@ -390,7 +489,7 @@ diff -ruN a/tests/unittests/test_net.py b/tests/unittests/test_net.py
  IPADDR=172.19.1.34
  IPADDR1=10.0.0.10
  NETMASK=255.255.252.0
-@@ -985,12 +969,8 @@
+@@ -985,12 +959,8 @@ dns = none
              ),
              (
                  "etc/udev/rules.d/70-persistent-net.rules",
@@ -405,7 +504,7 @@ diff -ruN a/tests/unittests/test_net.py b/tests/unittests/test_net.py
              ),
          ],
      },
-@@ -1062,7 +1042,7 @@
+@@ -1062,7 +1032,7 @@ dns = none
          },
          "out_sysconfig_opensuse": [
              (
@@ -414,7 +513,7 @@ diff -ruN a/tests/unittests/test_net.py b/tests/unittests/test_net.py
                  """
  # Created by cloud-init automatically, do not edit.
  #
-@@ -1071,7 +1051,6 @@
+@@ -1071,7 +1041,6 @@ IPADDR=172.19.1.34
  IPADDR6=2001:DB8::10/64
  IPADDR6_1=2001:DB9::10/64
  IPADDR6_2=2001:DB10::10/64
@@ -422,7 +521,7 @@ diff -ruN a/tests/unittests/test_net.py b/tests/unittests/test_net.py
  NETMASK=255.255.252.0
  STARTMODE=auto
  """.lstrip(),
-@@ -1095,25 +1074,20 @@
+@@ -1095,25 +1064,20 @@ dns = none
              ),
              (
                  "etc/udev/rules.d/85-persistent-net-cloud-init.rules",
@@ -452,7 +551,7 @@ diff -ruN a/tests/unittests/test_net.py b/tests/unittests/test_net.py
  IPADDR=172.19.1.34
  IPV6ADDR=2001:DB8::10/64
  IPV6ADDR_SECONDARIES="2001:DB9::10/64 2001:DB10::10/64"
-@@ -1146,12 +1120,8 @@
+@@ -1146,12 +1110,8 @@ dns = none
              ),
              (
                  "etc/udev/rules.d/70-persistent-net.rules",
@@ -467,4 +566,6 @@ diff -ruN a/tests/unittests/test_net.py b/tests/unittests/test_net.py
              ),
          ],
      },
-2.34.1
+-- 
+2.45.2
+
diff --git a/SPECS/cloud-init/Binaries-location.patch b/SPECS/cloud-init/Binaries-location.patch
index 9044ccd3b87..7620a50f6aa 100644
--- a/SPECS/cloud-init/Binaries-location.patch
+++ b/SPECS/cloud-init/Binaries-location.patch
@@ -10,3 +10,4 @@ diff -ruN a/cloudinit/distros/azurelinux.py b/cloudinit/distros/azurelinux.py
      def __init__(self, name, cfg, paths):
          super().__init__(name, cfg, paths)
          self.osfamily = "azurelinux"
+
diff --git a/SPECS/cni/CVE-2022-32149.patch b/SPECS/cni/CVE-2022-32149.patch
new file mode 100644
index 00000000000..7938e0831b3
--- /dev/null
+++ b/SPECS/cni/CVE-2022-32149.patch
@@ -0,0 +1,65 @@
+From a47ab91255e04dda4ca0d734afef58216c7479a2 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Fri, 2 Sep 2022 09:35:37 -0700
+Subject: [PATCH] language: reject excessively large Accept-Language strings
+
+Backported to apply on vendor direcotry by @mfrw
+
+The BCP 47 tag parser has quadratic time complexity due to inherent
+aspects of its design. Since the parser is, by design, exposed to
+untrusted user input, this can be leveraged to force a program to
+consume significant time parsing Accept-Language headers.
+
+The parser cannot be easily rewritten to fix this behavior for
+various reasons. Instead the solution implemented in this CL is to
+limit the total complexity of tags passed into ParseAcceptLanguage
+by limiting the number of dashes in the string to 1000. This should
+be more than enough for the majority of real world use cases, where
+the number of tags being sent is likely to be in the single digits.
+
+Thanks to the OSS-Fuzz project for discovering this issue and to Adam
+Korczynski (ADA Logics) for writing the fuzz case and for reporting the
+issue.
+
+Fixes CVE-2022-32149
+Fixes golang/go#56152
+
+Change-Id: I7bda1d84cee2b945039c203f26869d58ee9374ae
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565112
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/text/+/442235
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Auto-Submit: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
+---
+ vendor/golang.org/x/text/language/parse.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go
+index 59b0410..b982d9e 100644
+--- a/vendor/golang.org/x/text/language/parse.go
++++ b/vendor/golang.org/x/text/language/parse.go
+@@ -147,6 +147,7 @@ func update(b *language.Builder, part ...interface{}) (err error) {
+ }
+ 
+ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
++var errTagListTooLarge = errors.New("tag list exceeds max length")
+ 
+ // ParseAcceptLanguage parses the contents of an Accept-Language header as
+ // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
+@@ -164,6 +165,10 @@ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
+ 		}
+ 	}()
+ 
++	if strings.Count(s, "-") > 1000 {
++		return nil, nil, errTagListTooLarge
++	}
++
+ 	var entry string
+ 	for s != "" {
+ 		if entry, s = split(s, ','); entry == "" {
+-- 
+2.40.1
+
diff --git a/SPECS/cni/cni.spec b/SPECS/cni/cni.spec
index d633f0cb3ad..9b217f2b44f 100644
--- a/SPECS/cni/cni.spec
+++ b/SPECS/cni/cni.spec
@@ -24,7 +24,7 @@
 Summary:        Container Network Interface - networking for Linux containers
 Name:           cni
 Version:        1.1.2
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -49,6 +49,7 @@ Source2:        build.sh
 #
 Source3:        %{name}-%{version}-vendor.tar.gz
 Patch0:         CVE-2021-38561.patch
+Patch1:         CVE-2022-32149.patch
 BuildRequires:  golang
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  xz
@@ -114,6 +115,9 @@ install -m 755 -d "%{buildroot}%{cni_doc_dir}"
 %{_sbindir}/cnitool
 
 %changelog
+* Fri Sep 06 2024 Muhammad Falak R Wani <mwani@microsoft.com> - 1.1.2-3
+- Patch CVE-2022-32149
+
 * Tue Jul 02 2024 Osama Esmail <osamaesmail@microsoft.com> - 1.1.2-2
 - Patching CVE-2021-38561
 
diff --git a/SPECS/curl/CVE-2024-6197.patch b/SPECS/curl/CVE-2024-6197.patch
new file mode 100644
index 00000000000..d65b828d359
--- /dev/null
+++ b/SPECS/curl/CVE-2024-6197.patch
@@ -0,0 +1,21 @@
+From 3a537a4db9e65e545ec45b1b5d5575ee09a2569d Mon Sep 17 00:00:00 2001
+From: z2_ <88509734+z2-2z@users.noreply.github.com>
+Date: Fri, 28 Jun 2024 14:45:47 +0200
+Subject: [PATCH] x509asn1: remove superfluous free()
+
+---
+ lib/vtls/x509asn1.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c
+index f71ab0b90a5931..1bc4243ddae343 100644
+--- a/lib/vtls/x509asn1.c
++++ b/lib/vtls/x509asn1.c
+@@ -390,7 +390,6 @@ utf8asn1str(struct dynbuf *to, int type, const char *from, const char *end)
+         if(wc >= 0x00000800) {
+           if(wc >= 0x00010000) {
+             if(wc >= 0x00200000) {
+-              free(buf);
+               /* Invalid char. size for target encoding. */
+               return CURLE_WEIRD_SERVER_REPLY;
+             }
diff --git a/SPECS/curl/curl.spec b/SPECS/curl/curl.spec
index 38124d451fa..763bb1b98a2 100644
--- a/SPECS/curl/curl.spec
+++ b/SPECS/curl/curl.spec
@@ -1,13 +1,14 @@
 Summary:        An URL retrieval utility and library
 Name:           curl
 Version:        8.8.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        curl
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          System Environment/NetworkingLibraries
 URL:            https://curl.haxx.se
 Source0:        https://curl.haxx.se/download/%{name}-%{version}.tar.gz
+Patch0:         CVE-2024-6197.patch
 BuildRequires:  krb5-devel
 BuildRequires:  libssh2-devel
 BuildRequires:  nghttp2-devel
@@ -85,6 +86,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/libcurl.so.*
 
 %changelog
+* Wed Sep 11 2024 Aadhar Agarwal <aadagarwal@microsoft.com> - 8.8.0-2
+- Patch CVE-2024-6197
+
 * Mon Jul 15 2024 Muhammad Falak <mwani@microsoft.com> - 8.8.0-1
 - Bump version to 8.8.0 to address CVE-2024-2398
 
diff --git a/SPECS/dejavu-fonts/dejavu-fonts.spec b/SPECS/dejavu-fonts/dejavu-fonts.spec
index 985911d0120..c3f33af39bd 100644
--- a/SPECS/dejavu-fonts/dejavu-fonts.spec
+++ b/SPECS/dejavu-fonts/dejavu-fonts.spec
@@ -8,8 +8,8 @@
 Summary:        The DejaVu fonts families
 Name:           dejavu-fonts
 Version:        2.37
-Release:        2%{?dist}
-License:        Bistream Vera Font AND Arev Fonts
+Release:        3%{?dist}
+License:        Bistream Vera Font AND Arev Fonts AND AMSFonts AND Public Domain
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          System Environment/Base
@@ -101,6 +101,9 @@ install ttf/DejaVuMathTeXGyre.ttf %{buildroot}%{_serif_fontdir}
 %{_serif_fontdir}/*.ttf
 
 %changelog
+* Tue Sep 03 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 2.37-3
+- License verified.
+
 * Fri Jul 09 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 2.37-2
 - Renaming to 'dejavu-fonts'.
 - Adding 'dejavu-sans-mono-fonts' and 'dejavu-serif-fonts' subpackages.
diff --git a/SPECS/distribution-gpg-keys/distribution-gpg-keys.signatures.json b/SPECS/distribution-gpg-keys/distribution-gpg-keys.signatures.json
new file mode 100644
index 00000000000..e8ed8499316
--- /dev/null
+++ b/SPECS/distribution-gpg-keys/distribution-gpg-keys.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "distribution-gpg-keys-1.105.tar.gz": "22d6ab30d50a5fb947d755a932d922556ceb06befd0bc1a1af6eb6c196c3c754"
+ }
+}
\ No newline at end of file
diff --git a/SPECS-EXTENDED/distribution-gpg-keys/distribution-gpg-keys.spec b/SPECS/distribution-gpg-keys/distribution-gpg-keys.spec
similarity index 93%
rename from SPECS-EXTENDED/distribution-gpg-keys/distribution-gpg-keys.spec
rename to SPECS/distribution-gpg-keys/distribution-gpg-keys.spec
index 00587568041..7cc7c05e253 100644
--- a/SPECS-EXTENDED/distribution-gpg-keys/distribution-gpg-keys.spec
+++ b/SPECS/distribution-gpg-keys/distribution-gpg-keys.spec
@@ -1,24 +1,22 @@
-Summary:	GPG keys of various Linux distributions
-Name:		distribution-gpg-keys
-Version:	1.104
-Release:	1%{?dist}
-License:	CC0
-URL:		https://github.com/rpm-software-management/distribution-gpg-keys
-# Sources can be obtained by
-# git clone git://github.com/rpm-software-management/distribution-gpg-keys.git
-# cd distribution-gpg-keys
-# tito build --tgz
-Source0:	https://github.com/rpm-software-management/distribution-gpg-keys/archive/refs/tags/%{name}-%{version}-1.tar.gz#/%{name}-%{version}.tar.gz
-BuildArch:	noarch
+Summary:	  GPG keys of various Linux distributions
+Name:		  distribution-gpg-keys
+Version:	  1.105
+Release:	  1%{?dist}
+Vendor:       Microsoft Corporation
+Distribution: Azure Linux
+License:	  CC0
+URL:		  https://github.com/rpm-software-management/distribution-gpg-keys
+Source0:	  https://github.com/rpm-software-management/distribution-gpg-keys/archive/refs/tags/%{name}-%{version}-1.tar.gz#/%{name}-%{version}.tar.gz
+BuildArch:	  noarch
 
 %description
 GPG keys used by various Linux distributions to sign packages.
 
 %package copr
-Summary:    GPG keys for Copr projects
-BuildArch:  noarch
+Summary:      GPG keys for Copr projects
+BuildArch:    noarch
 
-%description copr
+%description  copr
 GPG keys used by Copr projects.
 
 %prep
@@ -45,6 +43,9 @@ cp -a keys/* %{buildroot}%{_datadir}/%{name}/
 %{_datadir}/%{name}/copr
 
 %changelog
+* Wed Aug 28 2024 Reuben Olinsky <reubeno@microsoft.com> - 1.105-1
+- Upgrade to 1.105.
+
 * Fri Aug 02 2024 Devin Anderson <danderson@microsoft.com> - 1.104-1
 - Update to 1.104, a more recent version that includes the Azure Linux keys.
 - Use the official repository URI to download sources.
diff --git a/SPECS/docbook-style-xsl/docbook-style-xsl.spec b/SPECS/docbook-style-xsl/docbook-style-xsl.spec
index fb2c6f8bc3b..426100cc81c 100644
--- a/SPECS/docbook-style-xsl/docbook-style-xsl.spec
+++ b/SPECS/docbook-style-xsl/docbook-style-xsl.spec
@@ -1,8 +1,8 @@
 Summary:        Docbook-xsl-1.79.1
 Name:           docbook-style-xsl
 Version:        1.79.1
-Release:        13%{?dist}
-License:        ASL 2.0
+Release:        14%{?dist}
+License:        ASL 2.0 AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Development/Tools
@@ -96,12 +96,15 @@ fi
 
 %files
 %defattr(-,root,root)
-%license COPYING
+%license COPYING extensions/LICENSE.txt
 %{_datadir}/xml/docbook/xsl-stylesheets-%{version}
 %{_datadir}/sgml/docbook/xsl-stylesheets
 %{_docdir}/*
 
 %changelog
+* Tue Sep 03 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.79.1-14
+- License verified.
+
 * Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 1.79.1-10
 - Added %%license line automatically
 
diff --git a/SPECS/dracut/20overlayfs/overlayfs-mount.sh b/SPECS/dracut/20overlayfs/overlayfs-mount.sh
index 83d677bbf4f..f11d182a399 100755
--- a/SPECS/dracut/20overlayfs/overlayfs-mount.sh
+++ b/SPECS/dracut/20overlayfs/overlayfs-mount.sh
@@ -2,9 +2,9 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 
-# Description: This script is designed to mount a DM-Verity root filesystem and
-# set up OverlayFS. It is driven by kernel parameters and is invoked during the
-# dracut initramfs phase.
+# Description: This script is designed to set up OverlayFS. It also works with
+# DM-Verity environment. It is driven by kernel parameters and is invoked during
+# the dracut initramfs phase.
 
 # Kernel Parameters:
 # - root: Specifies the path to the root filesystem. This script is designed to
@@ -14,29 +14,28 @@
 #   setups, the script will proceed with the standard OverlayFS setup, ensuring
 #   versatility in its application.
 # - rd.overlayfs: A comma-separated list defining the OverlayFS configuration.
-#   Each entry should specify the overlay, upper, work directories, and optional
-#   volume for an OverlayFS instance.
+#   Each entry should specify the lower, upper, work directories, optional
+#   volume, and optional mount mode for an OverlayFS instance.
 
 # Behavior:
 # - Verifies the presence of the 'dracut-lib' for necessary utilities.
 # - Mounts the DM-Verity root filesystem as read-only at a predefined mount
-#   point.
+#   point or mount the root device at a predefined mount point.
 # - Sets up the OverlayFS based on the provided kernel parameters. If a
 #   persistent volume is specified, it's used as the upper layer for the
 #   OverlayFS; otherwise, a volatile overlay is created.
-# - Mounts the OverlayFS on top of the root filesystem, merging the read-only
-#   root with the writable overlay, allowing system modifications without
-#   altering the base system.
+# - Mounts the OverlayFS on top of the root filesystem, merging the root with
+#   the writable overlay, allowing system modifications without altering the
+#   base system.
 
 parse_kernel_cmdline_args() {
     # Ensure that the 'dracut-lib' is present and loaded.
-    type getarg >/dev/null 2>&1 || . /lib/dracut-lib.sh
+    type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
 
-    VERITY_MOUNT="/mnt/verity_mnt"
+    ROOT_VERITY_MOUNTPOINT="/mnt/root_verity_mnt"
     OVERLAY_MOUNT="/mnt/overlay_mnt"
-    OVERLAY_MNT_OPTS="rw,nodev,nosuid,nouser,noexec"
 
-    # Retrieve the verity root. It is expected to be predefined by the dracut cmdline module.
+    # Retrieve the root device.
     [ -z "$root" ] && root=$(getarg root=)
     # Check if we're in a dm-verity environment and the root variable matches
     # the expected path. The path "/dev/mapper/root" is hardcoded here because
@@ -63,7 +62,7 @@ mount_volatile_persistent_volume() {
     if [[ "${_volume}" == "volatile" ]]; then
         # Fallback to volatile overlay if no persistent volume is specified.
         echo "No overlayfs persistent volume specified. Creating a volatile overlay."
-        mount -t tmpfs tmpfs -o ${OVERLAY_MNT_OPTS} "${_overlay_mount}" || \
+        mount -t tmpfs tmpfs "${_overlay_mount}" || \
             die "Failed to create overlay tmpfs at ${_overlay_mount}"
     else
         # Check if the specified Overlay RAID volume is present in the system.
@@ -83,64 +82,72 @@ create_overlayfs() {
     local _lower=$1
     local _upper=$2
     local _work=$3
+    local _mode=$4
 
     [ -d "$_lower" ] || die "Unable to create overlay as $_lower does not exist"
 
-    mkdir -p "${_upper}" && \
-    mkdir -p "${_work}" && \
-    mount -t overlay overlay -o ro,lowerdir="${_lower}",upperdir="${_upper}",workdir="${_work}" "${_lower}" || \
+    mkdir -p "${_upper}" || die "Failed to create upper directory ${_upper}"
+    mkdir -p "${_work}" || die "Failed to create work directory ${_work}"
+
+    # Note for now, the mountpoint / mergedir is set to the same directory as the lowerdir.
+    # This means the overlay will be mounted directly on the lower directory.
+    # TODO: Add support for a customized mountpoint in future versions.
+    mount -t overlay overlay -o "${_mode}",lowerdir="${_lower}",upperdir="${_upper}",workdir="${_work}" "${_lower}" || \
         die "Failed to mount overlay in ${_lower}"
 }
 
 mount_overlayfs() {
     local cnt=0
-    local overlay_mount_with_cnt
+    local volume_mount_with_cnt
     declare -A volume_mount_map
 
+    mkdir -p "${ROOT_VERITY_MOUNTPOINT}"
     if [ "$is_verity" = true ]; then
         echo "Mounting DM-Verity Target"
-        mkdir -p "${VERITY_MOUNT}"
-        mount -o ro,defaults "/dev/mapper/root" "${VERITY_MOUNT}" || \
+        mount -o ro "/dev/mapper/root" "${ROOT_VERITY_MOUNTPOINT}" || \
             die "Failed to mount dm-verity root target"
     else
         echo "Mounting regular root"
-        mkdir -p "${VERITY_MOUNT}"
         # Remove 'block:' prefix if present.
         root_device=$(expand_persistent_dev "${root#block:}")
-        mount -o ro,defaults "$root_device" "${VERITY_MOUNT}" || \
+        mount "$root_device" "${ROOT_VERITY_MOUNTPOINT}" || \
             die "Failed to mount root"
     fi
 
     echo "Starting to create OverlayFS"
-    for _group in ${overlayfs}; do
-        IFS=',' read -r overlay upper work volume <<< "$_group"
+    IFS=';' read -ra overlay_groups <<< "$overlayfs"
+    for _group in "${overlay_groups[@]}"; do
+        IFS=',' read -r lower upper work volume mode <<< "$_group"
 
+        # Set mode as ro to fulfill Trident specific requirement.
+        mode=${mode:-ro}
         # Resolve volume to its full device path.
         volume=$(expand_persistent_dev "$volume")
 
         if [[ "$volume" == "" ]]; then
-            overlay_mount_with_cnt="${OVERLAY_MOUNT}/${cnt}"
-            mount_volatile_persistent_volume "volatile" $overlay_mount_with_cnt
+            volume_mount_with_cnt="${OVERLAY_MOUNT}/${cnt}"
+            mount_volatile_persistent_volume "volatile" $volume_mount_with_cnt
         else
             if [[ -n "${volume_mount_map[$volume]}" ]]; then
                 # Volume already mounted, retrieve existing mount point from map.
-                overlay_mount_with_cnt=${volume_mount_map[$volume]}
+                volume_mount_with_cnt=${volume_mount_map[$volume]}
             else
                 # Not in map, so mount and update the map.
-                overlay_mount_with_cnt="${OVERLAY_MOUNT}/${cnt}"
-                mount_volatile_persistent_volume $volume $overlay_mount_with_cnt
-                volume_mount_map[$volume]=$overlay_mount_with_cnt
+                volume_mount_with_cnt="${OVERLAY_MOUNT}/${cnt}"
+                mount_volatile_persistent_volume $volume $volume_mount_with_cnt
+                volume_mount_map[$volume]=$volume_mount_with_cnt
             fi
         fi
-        cnt=$((cnt + 1))
 
-        echo "Creating OverlayFS with overlay: $overlay, upper: ${overlay_mount_with_cnt}/${upper}, work: ${overlay_mount_with_cnt}/${work}"
-        create_overlayfs "${VERITY_MOUNT}/${overlay}" "${overlay_mount_with_cnt}/${upper}" "${overlay_mount_with_cnt}/${work}"
+        echo "Creating OverlayFS with lower: $lower, upper: ${volume_mount_with_cnt}/${upper}, work: ${volume_mount_with_cnt}/${work}, mode: ${mode}"
+        create_overlayfs "${ROOT_VERITY_MOUNTPOINT}/${lower}" "${volume_mount_with_cnt}/${upper}" "${volume_mount_with_cnt}/${work}" "${mode}"
+
+        cnt=$((cnt + 1))
     done
 
     echo "Done Verity Root Mounting and OverlayFS Mounting"
     # Re-mount the verity mount along with overlayfs to the sysroot.
-    mount --rbind "${VERITY_MOUNT}" "${NEWROOT}"
+    mount --rbind "${ROOT_VERITY_MOUNTPOINT}" "${NEWROOT}"
 }
 
 # Keep a copy of this function here from verity-read-only-root package.
diff --git a/SPECS/dracut/dracut.signatures.json b/SPECS/dracut/dracut.signatures.json
index 9ea435fb927..2f5a03338bd 100644
--- a/SPECS/dracut/dracut.signatures.json
+++ b/SPECS/dracut/dracut.signatures.json
@@ -10,6 +10,6 @@
   "lgpl-2.1.txt": "dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551",
   "megaraid.conf": "914824cdbe0c525b71efa05a75e453335b0068beb8bc28bef2a5866d74bf7dd4",
   "module-setup.sh": "8f5a0d3cc393d78bcb523b0d53c578d2767d688f00e84b525355bbb31d753da4",
-  "overlayfs-mount.sh": "f049d0ad2e4a1d98acb329765900690883520fdc8fc9463f5081f6e7fb679695"
+  "overlayfs-mount.sh": "28f47c107a4435c5153bdb5b2f92f20b7a75bf3932216635ee810875c27dd55b"
  }
 }
diff --git a/SPECS/dracut/dracut.spec b/SPECS/dracut/dracut.spec
index 227c47be3d8..2b7812a5929 100644
--- a/SPECS/dracut/dracut.spec
+++ b/SPECS/dracut/dracut.spec
@@ -4,7 +4,7 @@
 Summary:        dracut to create initramfs
 Name:           dracut
 Version:        102
-Release:        4%{?dist}
+Release:        5%{?dist}
 # The entire source code is GPLv2+
 # except install/* which is LGPLv2+
 License:        GPLv2+ AND LGPLv2+
@@ -288,6 +288,9 @@ ln -srv %{buildroot}%{_bindir}/%{name} %{buildroot}%{_sbindir}/%{name}
 %dir %{_sharedstatedir}/%{name}/overlay
 
 %changelog
+* Sun Oct 06 2024 Jon Slobodzian <joslobo@microsoft.com> - 102-5
+- Bump version to build with latest systemd
+
 * Mon Aug 19 2024 Cameron Baird <cameronbaird@microsoft.com> - 102-4
 - Drop 0002-disable-xattr.patch
 - Introduce dracut-noxattr subpackage to expose this behavior as an option
diff --git a/SPECS/ebtables/ebtables.spec b/SPECS/ebtables/ebtables.spec
index c75d9ad4854..653dfe42132 100644
--- a/SPECS/ebtables/ebtables.spec
+++ b/SPECS/ebtables/ebtables.spec
@@ -1,11 +1,13 @@
 %undefine _ld_as_needed
 
-Name:			ebtables
-Version:		2.0.11
-Release:		7%{?dist}
-Summary:		Ethernet Bridge frame table administration tool
-License:		GPLv2+
-URL:			http://ebtables.sourceforge.net/
+Name:          ebtables
+Version:		   2.0.11
+Release:		   8%{?dist}
+Summary:		   Ethernet Bridge frame table administration tool
+License:		   GPLv2+
+URL:           http://ebtables.sourceforge.net/
+Vendor:        Microsoft Corporation
+Distribution:  Azure Linux
 
 Source0:		https://netfilter.org/pub/ebtables/%{name}-%{version}.tar.gz
 Source1:		ebtables-legacy-save
@@ -118,6 +120,9 @@ ln -sf ebtables-legacy-restore %{buildroot}%{_sbindir}/ebtables-restore
 %ghost %{_sysconfdir}/sysconfig/ebtables
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 2.0.11-8
+- Add missing Vendor and Distribution tags.
+
 * Fri Feb 02 2024 Dan Streetman <ddstreet@ieee.org> - 2.0.11-7
 - workaround "circular dependencies" from build tooling
 - license verified
@@ -259,7 +264,7 @@ ln -sf ebtables-legacy-restore %{buildroot}%{_sbindir}/ebtables-restore
 - fix missing symbol issue with extension modules (bz810006)
 
 * Thu Feb 16 2012 Thomas Woerner <twoerner@redhat.com> - 2.0.10-4
-- replaced ebtables-save perl script by bash script to get rid of the perl 
+- replaced ebtables-save perl script by bash script to get rid of the perl
   requirement
 
 * Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.10-3
diff --git a/SPECS/edk2/CVE-2024-6119.patch b/SPECS/edk2/CVE-2024-6119.patch
new file mode 100644
index 00000000000..144f3874ea4
--- /dev/null
+++ b/SPECS/edk2/CVE-2024-6119.patch
@@ -0,0 +1,266 @@
+From 05f360d9e849a1b277db628f1f13083a7f8dd04f Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Wed, 19 Jun 2024 21:04:11 +1000
+Subject: [PATCH] Avoid type errors in EAI-related name check logic.
+
+The incorrectly typed data is read only, used in a compare operation, so
+neither remote code execution, nor memory content disclosure were possible.
+However, applications performing certificate name checks were vulnerable to
+denial of service.
+
+The GENERAL_TYPE data type is a union, and we must take care to access the
+correct member, based on `gen->type`, not all the member fields have the same
+structure, and a segfault is possible if the wrong member field is read.
+
+The code in question was lightly refactored with the intent to make it more
+obviously correct.
+
+Fixes CVE-2024-6119
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(cherry picked from commit 0890cd13d40fbc98f655f3974f466769caa83680)
+---
+ crypto/x509/v3_utl.c                          | 78 +++++++++++++------
+ test/recipes/25-test_eai_data.t               | 12 ++-
+ test/recipes/25-test_eai_data/kdc-cert.pem    | 21 +++++
+ .../25-test_eai_data/kdc-root-cert.pem        | 16 ++++
+ test/recipes/25-test_eai_data/kdc.sh          | 41 ++++++++++
+ 5 files changed, 142 insertions(+), 26 deletions(-)
+ create mode 100644 test/recipes/25-test_eai_data/kdc-cert.pem
+ create mode 100644 test/recipes/25-test_eai_data/kdc-root-cert.pem
+ create mode 100755 test/recipes/25-test_eai_data/kdc.sh
+
+diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
+index 1a18174995196..a09414c972fa8 100644
+--- a/crypto/x509/v3_utl.c
++++ b/crypto/x509/v3_utl.c
+@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen,
+             ASN1_STRING *cstr;
+ 
+             gen = sk_GENERAL_NAME_value(gens, i);
+-            if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) {
+-                if (OBJ_obj2nid(gen->d.otherName->type_id) ==
+-                    NID_id_on_SmtpUTF8Mailbox) {
+-                    san_present = 1;
+-
+-                    /*
+-                     * If it is not a UTF8String then that is unexpected and we
+-                     * treat it as no match
+-                     */
+-                    if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) {
+-                        cstr = gen->d.otherName->value->value.utf8string;
+-
+-                        /* Positive on success, negative on error! */
+-                        if ((rv = do_check_string(cstr, 0, equal, flags,
+-                                                chk, chklen, peername)) != 0)
+-                            break;
+-                    }
+-                } else
++            switch (gen->type) {
++            default:
++                continue;
++            case GEN_OTHERNAME:
++		switch (OBJ_obj2nid(gen->d.otherName->type_id)) {
++                default:
+                     continue;
+-            } else {
+-                if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME))
++                case NID_id_on_SmtpUTF8Mailbox:
++                    /*-
++                     * https://datatracker.ietf.org/doc/html/rfc8398#section-3
++                     *
++                     *   Due to name constraint compatibility reasons described
++                     *   in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT
++                     *   be used unless the local-part of the email address
++                     *   contains non-ASCII characters. When the local-part is
++                     *   ASCII, rfc822Name subjectAltName MUST be used instead
++                     *   of SmtpUTF8Mailbox. This is compatible with legacy
++                     *   software that supports only rfc822Name (and not
++                     *   SmtpUTF8Mailbox). [...]
++                     *
++                     *   SmtpUTF8Mailbox is encoded as UTF8String.
++                     *
++                     * If it is not a UTF8String then that is unexpected, and
++                     * we ignore the invalid SAN (neither set san_present nor
++                     * consider it a candidate for equality).  This does mean
++                     * that the subject CN may be considered, as would be the
++                     * case when the malformed SmtpUtf8Mailbox SAN is instead
++                     * simply absent.
++                     *
++                     * When CN-ID matching is not desirable, applications can
++                     * choose to turn it off, doing so is at this time a best
++                     * practice.
++                     */
++                    if (check_type != GEN_EMAIL
++                        || gen->d.otherName->value->type != V_ASN1_UTF8STRING)
++                        continue;
++                    alt_type = 0;
++                    cstr = gen->d.otherName->value->value.utf8string;
++                    break;
++                }
++                break;
++            case GEN_EMAIL:
++                if (check_type != GEN_EMAIL)
+                     continue;
+-            }
+-            san_present = 1;
+-            if (check_type == GEN_EMAIL)
+                 cstr = gen->d.rfc822Name;
+-            else if (check_type == GEN_DNS)
++                break;
++            case GEN_DNS:
++                if (check_type != GEN_DNS)
++                    continue;
+                 cstr = gen->d.dNSName;
+-            else
++                break;
++            case GEN_IPADD:
++                if (check_type != GEN_IPADD)
++                    continue;
+                 cstr = gen->d.iPAddress;
++                break;
++            }
++            san_present = 1;
+             /* Positive on success, negative on error! */
+             if ((rv = do_check_string(cstr, alt_type, equal, flags,
+                                       chk, chklen, peername)) != 0)
+diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t
+index 522982ddfb802..e18735d89aadf 100644
+--- a/test/recipes/25-test_eai_data.t
++++ b/test/recipes/25-test_eai_data.t
+@@ -21,16 +21,18 @@ setup("test_eai_data");
+ #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem
+ #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem
+ 
+-plan tests => 12;
++plan tests => 16;
+ 
+ require_ok(srctop_file('test','recipes','tconversion.pl'));
+ my $folder = "test/recipes/25-test_eai_data";
+ 
+ my $ascii_pem = srctop_file($folder, "ascii_leaf.pem");
+ my $utf8_pem  = srctop_file($folder, "utf8_leaf.pem");
++my $kdc_pem   = srctop_file($folder, "kdc-cert.pem");
+ 
+ my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem");
+ my $utf8_chain_pem  = srctop_file($folder, "utf8_chain.pem");
++my $kdc_chain_pem  = srctop_file($folder, "kdc-root-cert.pem");
+ 
+ my $out;
+ my $outcnt = 0;
+@@ -56,10 +58,18 @@ SKIP: {
+ 
+ ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem])));
+ ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem])));
++ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem])));
+ 
+ ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem])));
+ ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem,  $ascii_pem])));
+ 
++# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated).
++ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem,  $kdc_pem])));
++# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated).
++ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem,  $kdc_pem])));
++# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String.
++ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem,  $kdc_pem])));
++
+ #Check that we get the expected failure return code
+ with({ exit_checker => sub { return shift == 2; } },
+      sub {
+diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem
+new file mode 100644
+index 0000000000000..e8a2c6f55d459
+--- /dev/null
++++ b/test/recipes/25-test_eai_data/kdc-cert.pem
+@@ -0,0 +1,21 @@
++-----BEGIN CERTIFICATE-----
++MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290
++MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU
++RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+
++6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry
++BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8
++vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx
++Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT
++7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9
++3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj
++te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG
++AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU
++RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA
++ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA
++T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb
++iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU
++UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1
++El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9
++0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI
++oDQ9fKfUOAmUFth2/R/eGA==
++-----END CERTIFICATE-----
+diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem
+new file mode 100644
+index 0000000000000..a74c96bf31469
+--- /dev/null
++++ b/test/recipes/25-test_eai_data/kdc-root-cert.pem
+@@ -0,0 +1,16 @@
++-----BEGIN CERTIFICATE-----
++MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS
++b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD
++DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj
++61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0
++qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK
++MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS
++dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj
++3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7
++pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI
++lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT
++Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl
++KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW
++7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS
++vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8
++-----END CERTIFICATE-----
+diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh
+new file mode 100755
+index 0000000000000..7a8dbc719fb71
+--- /dev/null
++++ b/test/recipes/25-test_eai_data/kdc.sh
+@@ -0,0 +1,41 @@
++#! /usr/bin/env bash
++
++# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and
++# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS
++# name SAN.  In the vulnerable EAI code, the KDC principal `otherName` should
++# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox`
++# should likewise lead to ASAN issues with email name checks.
++
++rm -f root-key.pem root-cert.pem
++openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \
++        -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem
++
++exts=$(
++    printf "%s\n%s\n%s\n%s = " \
++        "subjectKeyIdentifier = hash" \
++        "authorityKeyIdentifier = keyid" \
++        "basicConstraints = CA:false" \
++        "subjectAltName"
++    printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name"
++    printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com"
++    printf "%s, " "email:joe@example.com"
++    printf "%s\n" "DNS:mx1.example.com"
++    printf "[kdc_princ_name]\n"
++    printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n"
++    printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n"
++    printf "[kdc_principal_seq]\n"
++    printf "name_type = EXP:0, INTEGER:1\n"
++    printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n"
++    printf "[kdc_principal_components]\n"
++    printf "princ1 = GeneralString:krbtgt\n"
++    printf "princ2 = GeneralString:TEST.EXAMPLE\n"
++    )
++
++printf "%s\n" "$exts"
++
++openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \
++    -subj "/CN=TEST.EXAMPLE" |
++    openssl x509 -req -out kdc-cert.pem \
++        -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \
++        -set_serial 2 -days 36524 \
++        -extfile <(printf "%s\n" "$exts")
diff --git a/SPECS/edk2/edk2.signatures.json b/SPECS/edk2/edk2.signatures.json
index 104816979de..3a5fe9358ec 100644
--- a/SPECS/edk2/edk2.signatures.json
+++ b/SPECS/edk2/edk2.signatures.json
@@ -28,9 +28,11 @@
   "edk2-build.py": "b4be60833465d372662ac4f1f89f40b9c65d59fb17f7716059f980503069ddb7",
   "edk2-build.rhel-9": "477723037cadf03fa15756de563995cc556ccf84d9a4ba059ea37c97c3a0e3e7",
   "edk2-platforms-a912d9fcf7d1.tar.xz": "dc2c8a0eb131ccba28f52c83d14617cae049ddd466f98a8cd229215051b9754a",
+  "hvloader-286f1c642ed624af2c7840fbca7923497891fe68.tar.gz": "4e0a15cfab98a89a0a93f747df876ea3ee5366c3ffbd158c28e296bf52c7dfba",
+  "hvloader-target.txt": "fcf4f427d3b80e67296be2a1d17ec124d65f673d4f6ea37d238f8d3fc1ddc4b8",
   "jansson-2.13.1.tar.bz2": "ee90a0f879d2b7b7159124ff22b937a2a9a8c36d3bb65d1da7dd3f04370a10bd",
   "openssl-rhel-db0287935122edceb91dcda8dfb53b4090734e22.tar.xz": "9fcc5b49513d6ae21c7ddc3d1bbb1f8973cfbe76f2392d10106a8cd435e3eb47",
   "ovmf-whitepaper-c770f8c.txt": "842518adadaa837914dbb13a6628002fb7f7acca107c6d6f41815b399dc9f8b8",
   "softfloat-20180726-gitb64af41.tar.xz": "c7f2172357ca3022621b9464fd92bf2b462256bda3e019bf9a669fa6b5aeea91"
  }
-}
\ No newline at end of file
+}
diff --git a/SPECS/edk2/edk2.spec b/SPECS/edk2/edk2.spec
index 59f55aaf8df..694ca3d8128 100644
--- a/SPECS/edk2/edk2.spec
+++ b/SPECS/edk2/edk2.spec
@@ -39,6 +39,9 @@ ExclusiveArch: x86_64
 
 %define DBXDATE        20230509
 
+%define HVLOADER_VER    1.0.1
+%define HVLOADER_COMMIT 286f1c642ed624af2c7840fbca7923497891fe68
+
 %define build_ovmf 1
 %define build_aarch64 0
 %define build_riscv64 0
@@ -52,7 +55,7 @@ ExclusiveArch: x86_64
 
 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    1%{?dist}
+Release:    3%{?dist}
 Summary:    UEFI firmware for 64-bit virtual machines
 License:    Apache-2.0 AND (BSD-2-Clause OR GPL-2.0-or-later) AND BSD-2-Clause-Patent AND BSD-3-Clause AND BSD-4-Clause AND ISC AND MIT AND LicenseRef-Fedora-Public-Domain
 URL:        http://www.tianocore.org
@@ -68,6 +71,8 @@ Source3: softfloat-%{softfloat_version}.tar.xz
 Source4: edk2-platforms-%{PLATFORMS_COMMIT}.tar.xz
 Source5: jansson-2.13.1.tar.bz2
 Source6: README.experimental
+Source7: hvloader-%{HVLOADER_COMMIT}.tar.gz
+Source8: hvloader-target.txt
 
 # json description files
 Source10: 50-edk2-aarch64-qcow2.json
@@ -125,6 +130,7 @@ Patch0017: 0017-silence-.-has-a-LOAD-segment-with-RWX-permissions-wa.patch
 Patch0018: 0018-NetworkPkg-TcpDxe-Fixed-system-stuck-on-PXE-boot-flo.patch
 Patch0019: 0019-NetworkPkg-DxeNetLib-adjust-PseudoRandom-error-loggi.patch
 Patch1000: CVE-2022-3996.patch
+Patch1001: CVE-2024-6119.patch
 
 # python3-devel and libuuid-devel are required for building tools.
 # python3-devel is also needed for varstore template generation and
@@ -305,6 +311,18 @@ This package provides tools that are needed to build EFI executables
 and ROMs using the GNU tools.  You do not need to install this package;
 you probably want to install edk2-tools only.
 
+%package hvloader
+Summary:        Loader binary for loading type 1 hypervisors under Linux.
+Requires:       python3
+
+%description hvloader
+HvLoader.efi is an EFI application for loading an external hypervisor loader.
+
+HvLoader.efi loads a given hypervisor loader binary (DLL, EFI, etc.), and 
+calls it's entry point passing HvLoader.efi ImageHandle. This way the 
+hypervisor loader binary has access to HvLoader.efi's command line options,
+and use those as configuration parameters. The first HvLoader.efi command line
+option is the path to hypervisor loader binary.
 
 
 %prep
@@ -324,12 +342,14 @@ cp -a -- %{SOURCE1} .
 tar -C CryptoPkg/Library/OpensslLib -a -f %{SOURCE2} -x
 # Need to patch CVE-2022-3996 in the bundled openssl
 (cd CryptoPkg/Library/OpensslLib/openssl && patch -p1 ) < %{PATCH1000}
+(cd CryptoPkg/Library/OpensslLib/openssl && patch -p1 ) < %{PATCH1001}
 
 # extract softfloat into place
 tar -xf %{SOURCE3} --strip-components=1 --directory ArmPkg/Library/ArmSoftFloatLib/berkeley-softfloat-3/
 tar -xf %{SOURCE4} --strip-components=1 --wildcards "*/Drivers" "*/Features" "*/Platform" "*/Silicon"
 mkdir -p RedfishPkg/Library/JsonLib/jansson
 tar -xf %{SOURCE5} --strip-components=1 --directory RedfishPkg/Library/JsonLib/jansson
+
 # include paths pointing to unused submodules
 mkdir -p MdePkg/Library/MipiSysTLib/mipisyst/library/include
 mkdir -p CryptoPkg/Library/MbedTlsLib/mbedtls/include
@@ -353,6 +373,10 @@ cp -a -- \
    %{SOURCE90} %{SOURCE91} \
    .
 
+# extract hvloader source into place
+tar -xf %{SOURCE7} --directory MdeModulePkg/Application
+sed -i '/MdeModulePkg\/Application\/HelloWorld\/HelloWorld.inf/a \ \ MdeModulePkg\/Application\/HvLoader-%{HVLOADER_VER}/HvLoader.inf' MdeModulePkg/MdeModulePkg.dsc
+
 %build
 
 chmod +x ./edk2-build.py
@@ -475,6 +499,11 @@ for raw in */riscv/*.raw; do
 done
 %endif
 
+source ./edksetup.sh
+make -C BaseTools
+cp %{SOURCE8} Conf/target.txt
+build -p MdeModulePkg/MdeModulePkg.dsc -m MdeModulePkg/Application/HvLoader-%{HVLOADER_VER}/HvLoader.inf
+
 %install
 
 cp -a OvmfPkg/License.txt License.OvmfPkg.txt
@@ -573,6 +602,9 @@ done
 %py_byte_compile %{python3} %{buildroot}%{_datadir}/edk2/Python
 %endif
 
+mkdir -p %{buildroot}/boot/efi
+cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/HvLoader-%{HVLOADER_VER}/HvLoader/OUTPUT/HvLoader.efi %{buildroot}/boot/efi
+
 %check
 for file in %{buildroot}%{_datadir}/%{name}/*/*VARS.secboot.fd; do
     test -f "$file" || continue
@@ -749,7 +781,16 @@ done
 %dir %{_datadir}/%{name}
 %{_datadir}/%{name}/Python
 
+%files hvloader
+/boot/efi/HvLoader.efi
+
 %changelog
+* Thu Sep 19 2024 Minghe Ren <mingheren@microsoft.com> - 20240524git3e722403cd16-3
+- Add patch for CVE-2024-6119
+
+* Wed Aug 21 2024 Cameron Baird <cameronbaird@microsoft.com> - 20240524git3e722403cd16-2
+- Introduce edk2-hvloader subpackage
+
 * Tue Jul 30 2024 Betty Lakes <bettylakes@microsoft.com> - 20240524git3e722403cd16-1
 - Upgrade to 20240524git3e722403cd16 to fix CVE-2023-45236, CVE-2023-45237
 
diff --git a/SPECS/hvloader/target-x86.txt b/SPECS/edk2/hvloader-target.txt
similarity index 100%
rename from SPECS/hvloader/target-x86.txt
rename to SPECS/edk2/hvloader-target.txt
diff --git a/SPECS/expat/expat.signatures.json b/SPECS/expat/expat.signatures.json
index 6f7c7d73895..8464dd011d7 100644
--- a/SPECS/expat/expat.signatures.json
+++ b/SPECS/expat/expat.signatures.json
@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "expat-2.6.2.tar.bz2": "9c7c1b5dcbc3c237c500a8fb1493e14d9582146dd9b42aa8d3ffb856a3b927e0"
+  "expat-2.6.3.tar.bz2": "b8baef92f328eebcf731f4d18103951c61fa8c8ec21d5ff4202fb6f2198aeb2d"
  }
 }
diff --git a/SPECS/expat/expat.spec b/SPECS/expat/expat.spec
index cb65657520d..19defa4bd1c 100644
--- a/SPECS/expat/expat.spec
+++ b/SPECS/expat/expat.spec
@@ -1,7 +1,7 @@
 %define         underscore_version %(echo %{version} | cut -d. -f1-3 --output-delimiter="_")
 Summary:        An XML parser library
 Name:           expat
-Version:        2.6.2
+Version:        2.6.3
 Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
@@ -66,6 +66,9 @@ rm -rf %{buildroot}/%{_docdir}/%{name}
 %{_libdir}/libexpat.so.1*
 
 %changelog
+* Tue Sep 04 2024 Gary Swalling <gaswal@microsoft.com> - 2.6.3-1
+- Upgrade to 2.6.3 to fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492
+
 * Wed May 22 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 2.6.2-1
 - Upgrade to v2.6.2 to fix CVE-2024-28757
 
diff --git a/SPECS/extra-cmake-modules/extra-cmake-modules.signatures.json b/SPECS/extra-cmake-modules/extra-cmake-modules.signatures.json
index 4e995ee489c..e6ff81faf79 100644
--- a/SPECS/extra-cmake-modules/extra-cmake-modules.signatures.json
+++ b/SPECS/extra-cmake-modules/extra-cmake-modules.signatures.json
@@ -1,6 +1,5 @@
 {
-  "Signatures": {
-    "clang-python-4.0.1.tar.gz": "f3b3b866edac22662ce7836997ab7b193647878f6307d9749708d9215cb6bec8",
-    "extra-cmake-modules-5.249.0.tar.gz": "350aa1b8109078318c3a54230fbf6ecff4cf186f0df7dfc32fd51a96b1bdac12"
-  }
+ "Signatures": {
+  "extra-cmake-modules-5.249.0.tar.gz": "350aa1b8109078318c3a54230fbf6ecff4cf186f0df7dfc32fd51a96b1bdac12"
+ }
 }
diff --git a/SPECS/flannel/flannel.spec b/SPECS/flannel/flannel.spec
index 99cf843b2be..9d47ef9506b 100644
--- a/SPECS/flannel/flannel.spec
+++ b/SPECS/flannel/flannel.spec
@@ -3,7 +3,7 @@
 Summary:        Simple and easy way to configure a layer 3 network fabric designed for Kubernetes
 Name:           flannel
 Version:        0.24.2
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -13,7 +13,7 @@ Source0:        https://github.com/flannel-io/%{name}/archive/refs/tags/v%{versi
 Source1:        %{name}-%{version}-vendor.tar.gz
 BuildRequires:  gcc
 BuildRequires:  glibc-devel
-BuildRequires:  glibc-static >= 2.38-7%{?dist}
+BuildRequires:  glibc-static >= 2.38-8%{?dist}
 BuildRequires:  golang >= 1.20
 BuildRequires:  kernel-headers
 
@@ -50,6 +50,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./dist/flanneld
 %{_bindir}/flanneld
 
 %changelog
+* Mon Aug 26 2024 Rachel Menge <rachelmenge@microsoft.com> - 0.24.2-7
+- Update to build dep latest glibc-static version
+
 * Wed Aug 21 2024 Chris Co <chrco@microsoft.com> - 0.24.2-6
 - Bump to rebuild with updated glibc
 
diff --git a/SPECS/gdk-pixbuf2/CVE-2022-48622.patch b/SPECS/gdk-pixbuf2/CVE-2022-48622.patch
new file mode 100755
index 00000000000..8037edfda8e
--- /dev/null
+++ b/SPECS/gdk-pixbuf2/CVE-2022-48622.patch
@@ -0,0 +1,112 @@
+From 00c071dd11f723ca608608eef45cb1aa98da89cc Mon Sep 17 00:00:00 2001
+From: Benjamin Gilbert <bgilbert@backtick.net>
+Date: Tue, 30 Apr 2024 07:26:54 -0500
+Subject: [PATCH 1/3] ANI: Reject files with multiple anih chunks
+
+An anih chunk causes us to initialize a bunch of state, which we only
+expect to do once per file.
+
+Fixes: #202
+Fixes: CVE-2022-48622
+---
+ gdk-pixbuf/io-ani.c                       |   9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index c6c4642cf4..a78ea7ace4 100644
+--- a/gdk-pixbuf/io-ani.c
++++ b/gdk-pixbuf/io-ani.c
+@@ -295,6 +295,15 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+         
+         if (context->chunk_id == TAG_anih) 
+ 	{
++		if (context->animation)
++		{
++			g_set_error_literal (error,
++                                             GDK_PIXBUF_ERROR,
++                                             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++                                             _("Invalid header in animation"));
++			return FALSE;
++		}
++
+ 		context->HeaderSize = read_int32 (context);
+ 		context->NumFrames = read_int32 (context);
+ 		context->NumSteps = read_int32 (context);
+-- 
+GitLab
+
+
+From d52134373594ff76614fb415125b0d1c723ddd56 Mon Sep 17 00:00:00 2001
+From: Benjamin Gilbert <bgilbert@backtick.net>
+Date: Tue, 30 Apr 2024 07:13:37 -0500
+Subject: [PATCH 2/3] ANI: Reject files with multiple INAM or IART chunks
+
+There should be at most one chunk each.  These would cause memory leaks
+otherwise.
+---
+ gdk-pixbuf/io-ani.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index a78ea7ace4..8e8414117c 100644
+--- a/gdk-pixbuf/io-ani.c
++++ b/gdk-pixbuf/io-ani.c
+@@ -445,7 +445,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+ 	}
+         else if (context->chunk_id == TAG_INAM) 
+ 	{
+-		if (!context->animation) 
++		if (!context->animation || context->title)
+ 		{
+ 			g_set_error_literal (error,
+                                              GDK_PIXBUF_ERROR,
+@@ -472,7 +472,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+ 	}
+         else if (context->chunk_id == TAG_IART) 
+ 	{
+-		if (!context->animation) 
++		if (!context->animation || context->author)
+ 		{
+ 			g_set_error_literal (error,
+                                              GDK_PIXBUF_ERROR,
+-- 
+GitLab
+
+
+From 91b8aa5cd8a0eea28acb51f0e121827ca2e7eb78 Mon Sep 17 00:00:00 2001
+From: Benjamin Gilbert <bgilbert@backtick.net>
+Date: Tue, 30 Apr 2024 08:17:25 -0500
+Subject: [PATCH 3/3] ANI: Validate anih chunk size
+
+Before reading a chunk, we verify that enough bytes are available to match
+the chunk size declared by the file.  However, uniquely, the anih chunk
+loader doesn't verify that this size matches the number of bytes it
+actually intends to read.  Thus, if the chunk size is too small and the
+file ends in the middle of the chunk, we populate some context fields with
+stack garbage.  (But we'd still fail later on because the file doesn't
+contain any images.)  Fix this.
+---
+ gdk-pixbuf/io-ani.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index 8e8414117c..cfafd7b196 100644
+--- a/gdk-pixbuf/io-ani.c
++++ b/gdk-pixbuf/io-ani.c
+@@ -295,6 +295,14 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+         
+         if (context->chunk_id == TAG_anih) 
+ 	{
++		if (context->chunk_size < 36)
++		{
++			g_set_error_literal (error,
++                                             GDK_PIXBUF_ERROR,
++                                             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++                                             _("Malformed chunk in animation"));
++			return FALSE;
++		}
+ 		if (context->animation)
+ 		{
+ 			g_set_error_literal (error,
+-- 
+GitLab
diff --git a/SPECS/gdk-pixbuf2/gdk-pixbuf2.spec b/SPECS/gdk-pixbuf2/gdk-pixbuf2.spec
index 688d92af1dc..0da9c1a3587 100644
--- a/SPECS/gdk-pixbuf2/gdk-pixbuf2.spec
+++ b/SPECS/gdk-pixbuf2/gdk-pixbuf2.spec
@@ -2,13 +2,13 @@
 Summary:        An image loading library
 Name:           gdk-pixbuf2
 Version:        2.42.10
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL:            https://gitlab.gnome.org/GNOME/gdk-pixbuf
 Source0:        https://download.gnome.org/sources/gdk-pixbuf/2.42/gdk-pixbuf-%{version}.tar.xz
-
+Patch0:         CVE-2022-48622.patch
 BuildRequires:  %{_bindir}/rst2man
 BuildRequires:  gettext
 BuildRequires:  libjpeg-devel
@@ -115,6 +115,9 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
 %{_datadir}/installed-tests
 
 %changelog
+* Thu Sep 19 2024 Sumedh Sharma <sumsharma@microsoft.com> - 2.42.10-2
+- Add patch for CVE-2022-48622
+
 * Thu Feb 15 2024 Yash Panchal <yashpanchal@microsoft.com> - 2.42.10-1
 - Update to 2.42.10
 
diff --git a/SPECS/glibc/0001-Remove-Wno-format-cflag-from-tests.patch b/SPECS/glibc/0001-Remove-Wno-format-cflag-from-tests.patch
new file mode 100644
index 00000000000..fe35461507c
--- /dev/null
+++ b/SPECS/glibc/0001-Remove-Wno-format-cflag-from-tests.patch
@@ -0,0 +1,52 @@
+From 8768893dbd2b055f71c719e5135d9b8720731d81 Mon Sep 17 00:00:00 2001
+From: Rachel Menge <rachelmenge@microsoft.com>
+Date: Fri, 7 Jun 2024 21:17:37 +0000
+Subject: [PATCH] Remove -Wno-format cflag from tests
+
+This flag prevents the error
+"c1: error: '-Wformat-security' ignored without '-Wformat' [-Werror=format-security]"
+The error occurs when glibc is compiled with -Wformat-security which
+requires -Wformat and thus conflicts with tests which use -Wno-format
+---
+ debug/Makefile | 4 ++--
+ time/Makefile  | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/debug/Makefile b/debug/Makefile
+index 434e52f7..05363c26 100644
+--- a/debug/Makefile
++++ b/debug/Makefile
+@@ -192,7 +192,7 @@ tests-cc-def-chk =
+ tests-c-time64-chk =
+ tests-cc-time64-chk =
+ 
+-CFLAGS-tst-fortify.c += -Wno-format -Wno-deprecated-declarations -Wno-error
++CFLAGS-tst-fortify.c += -Wno-deprecated-declarations
+ 
+ # No additional flags for the default tests.
+ define cflags-default
+@@ -215,7 +215,7 @@ src-chk-nongnu = \#undef _GNU_SOURCE
+ # cannot be disabled via pragmas, so require -Wno-error to be used.
+ define gen-chk-test
+ tests-$(1)-$(4)-chk += tst-fortify-$(1)-$(2)-$(3)-$(4)
+-CFLAGS-tst-fortify-$(1)-$(2)-$(3)-$(4).$(1) += $(no-fortify-source),-D_FORTIFY_SOURCE=$(3) -Wno-format \
++CFLAGS-tst-fortify-$(1)-$(2)-$(3)-$(4).$(1) += $(no-fortify-source),-D_FORTIFY_SOURCE=$(3) \
+ 					  -Wno-deprecated-declarations \
+ 					  -Wno-error
+ $(eval $(call cflags-$(2),$(1),$(3),$(4)))
+diff --git a/time/Makefile b/time/Makefile
+index 1d2e667c..8b878bcc 100644
+--- a/time/Makefile
++++ b/time/Makefile
+@@ -102,7 +102,7 @@ CFLAGS-nanosleep.c += -fexceptions -fasynchronous-unwind-tables
+ CFLAGS-mktime.c += $(config-cflags-wno-ignored-attributes)
+ 
+ # Don't warn about Y2k problem in strftime format string.
+-CFLAGS-test_time.c += -Wno-format
++CFLAGS-test_time.c += -Wformat
+ 
+ test_time-ARGS= EST5EDT CST
+ 
+-- 
+2.34.1
+
diff --git a/SPECS/glibc/glibc.spec b/SPECS/glibc/glibc.spec
index 75baaaa1d75..d5e7b084953 100644
--- a/SPECS/glibc/glibc.spec
+++ b/SPECS/glibc/glibc.spec
@@ -10,7 +10,7 @@
 Summary:        Main C library
 Name:           glibc
 Version:        2.38
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        BSD AND GPLv2+ AND Inner-Net AND ISC AND LGPLv2+ AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -35,6 +35,8 @@ Patch7:         CVE-2023-5156.patch
 Patch8:         CVE-2023-6246.patch
 Patch9:         CVE-2023-6779.patch
 Patch10:        CVE-2023-6780.patch
+# Patches for testing
+Patch100:       0001-Remove-Wno-format-cflag-from-tests.patch
 
 BuildRequires:  bison
 BuildRequires:  gawk
@@ -248,26 +250,27 @@ ls -1 %{buildroot}%{_libdir}/*.a | grep -v -e "$static_libs_in_devel_pattern" |
 
 %check
 cd %{_builddir}/glibc-build
-make %{?_smp_mflags} check ||:
-# These 2 persistant false positives are OK
-# XPASS for: elf/tst-protected1a and elf/tst-protected1b
-[ `grep ^XPASS tests.sum | wc -l` -ne 2 -a `grep "^XPASS: elf/tst-protected1[ab]" tests.sum | wc -l` -ne 2 ] && exit 1 ||:
 
-# FAIL (intermittent) in chroot but PASS in container:
-# posix/tst-spawn3 and stdio-common/test-vfprintf
+# Results have varied based on the environment the tests are being built
+# Summary of test results in local VM:
+#      3 FAIL : nptl/tst-cancel1, io/tst-lchmod, nptl/tst-mutex10
+#   5040 PASS
+#    152 UNSUPPORTED
+#     12 XFAIL
+#      8 XPASS
+# Summary of test results in pipeline (this has shown varying results):
+#       7 FAIL
+#    5110 PASS
+#      79 UNSUPPORTED
+#      12 XFAIL
+#       8 XPASS
+make %{?_smp_mflags} check ||:
 n=0
-grep "^FAIL: posix/tst-spawn3" tests.sum >/dev/null && n=$((n+1)) ||:
-grep "^FAIL: stdio-common/test-vfprintf" tests.sum >/dev/null && n=$((n+1)) ||:
-# FAIL always on overlayfs/aufs (in container)
-grep "^FAIL: posix/tst-dir" tests.sum >/dev/null && n=$((n+1)) ||:
-
-#https://sourceware.org/glibc/wiki/Testing/Testsuite
-grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||:
-#This happens because the kernel fails to reap exiting threads fast enough,
-#eventually resulting an EAGAIN when pthread_create is called within the test.
-
-# check for exact 'n' failures
-[ `grep ^FAIL tests.sum | wc -l` -ne $n ] && exit 1 ||:
+# expected failures in local VM
+grep "^FAIL: nptl/tst-cancel1" tests.sum >/dev/null && n=$((n+1)) ||:
+grep "^FAIL: io/tst-lchmod" tests.sum >/dev/null && n=$((n+1)) ||:
+grep "^FAIL: nptl/tst-mutex10" tests.sum >/dev/null && n=$((n+1)) ||:
+[ `grep ^FAIL tests.sum | wc -l` -eq $n ]
 
 %post -p /sbin/ldconfig
 %postun -p /sbin/ldconfig
@@ -354,6 +357,9 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||:
 %exclude %{_libdir}/locale/C.utf8
 
 %changelog
+* Mon Aug 26 2024 Rachel Menge <rachelmenge@microsoft.com> - 2.38-8
+- Enable check section for glibc
+
 * Wed Aug 21 2024 Chris Co <chrco@microsoft.com> - 2.38-7
 - Fix syslog failing to print issue
 
diff --git a/SPECS/glslang/glslang.spec b/SPECS/glslang/glslang.spec
index 65700dfa365..e5259359126 100644
--- a/SPECS/glslang/glslang.spec
+++ b/SPECS/glslang/glslang.spec
@@ -2,11 +2,13 @@
 
 Name:           glslang
 Version:        14.0.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        OpenGL and OpenGL ES shader front end and validator
 
 License:        BSD and GPLv3+ and Apache-2.0
 URL:            https://github.com/KhronosGroup/%{name}
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        %url/archive/vulkan-sdk-%{sdkver}.tar.gz#/%{name}-sdk-%{sdkver}.tar.gz
 # Patch to build against system spirv-tools (rebased locally)
 #Patch3:         https://patch-diff.githubusercontent.com/raw/KhronosGroup/glslang/pull/1722.patch#/0001-pkg-config-compatibility.patch
@@ -77,6 +79,9 @@ popd
 %{_libdir}/cmake/*
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 14.0.0-2
+- Add missing Vendor and Distribution tags.
+
 * Thu Feb 29 2024 Vince Perri <viperri@microsoft.com> - 14.0.0-1
 - Initial Azure Linux import from Fedora 40 (license: MIT).
 - License verified.
diff --git a/SPECS/golang/golang.signatures.json b/SPECS/golang/golang.signatures.json
index 9590a8d189e..271da468ced 100644
--- a/SPECS/golang/golang.signatures.json
+++ b/SPECS/golang/golang.signatures.json
@@ -1,8 +1,8 @@
 {
   "Signatures": {
-    "go1.22.6-20240806.4.src.tar.gz": "b6a9b8dbc33a5214d08b672c749d18e7e406887e66977bc8111a349f59f2b93d",
-    "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52",
     "go.20230802.5.src.tar.gz": "56b9e0e0c3c13ca95d5efa6de4e7d49a9d190eca77919beff99d33cd3fa74e95",
-    "go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd"
+    "go.20240206.2.src.tar.gz": "7982e0011aa9ab95fd0530404060410af4ba57326d26818690f334fdcb6451cd",
+    "go1.22.7-20240925.5.src.tar.gz": "6577057080f0d61f9b7b1c5e3a029c8a24f8c4b38a91a497115ecd259bd987ab",
+    "go1.4-bootstrap-20171003.tar.gz": "f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52"
   }
 }
diff --git a/SPECS/golang/golang.spec b/SPECS/golang/golang.spec
index 0641a371674..2379baf4c46 100644
--- a/SPECS/golang/golang.spec
+++ b/SPECS/golang/golang.spec
@@ -1,7 +1,7 @@
 %global goroot          %{_libdir}/golang
 %global gopath          %{_datadir}/gocode
-%global ms_go_filename  go1.22.6-20240806.4.src.tar.gz
-%global ms_go_revision  1
+%global ms_go_filename  go1.22.7-20240925.5.src.tar.gz
+%global ms_go_revision  3
 %ifarch aarch64
 %global gohostarch      arm64
 %else
@@ -14,8 +14,8 @@
 %define __find_requires %{nil}
 Summary:        Go
 Name:           golang
-Version:        1.22.6
-Release:        1%{?dist}
+Version:        1.22.7
+Release:        2%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -153,6 +153,12 @@ fi
 %{_bindir}/*
 
 %changelog
+* Thu Sep 26 2024 Microsoft Golang Bot <microsoft-golang-bot@users.noreply.github.com> - 1.22.7-2
+- Bump version to 1.22.7-3
+
+* Fri Sep 06 2024 Microsoft Golang Bot <microsoft-golang-bot@users.noreply.github.com> - 1.22.7-1
+- Bump version to 1.22.7-1
+
 * Wed Aug 07 2024 Davis Goodin <dagood@microsoft.com> - 1.22.6-1
 - Bump version to 1.22.6-1
 
diff --git a/SPECS/haproxy/haproxy.signatures.json b/SPECS/haproxy/haproxy.signatures.json
index 505820aabe5..343c425c392 100644
--- a/SPECS/haproxy/haproxy.signatures.json
+++ b/SPECS/haproxy/haproxy.signatures.json
@@ -1,6 +1,5 @@
 {
  "Signatures": {
-  "haproxy-2.9.1.tar.gz": "d5801c772aab9c43f40964b7b33b4388d14b5b45750be4d2671785863cdb9f1c"
+  "haproxy-2.9.11.tar.gz": "2375281ddf81e201b531d4119c686356d1d37d0afc4bc0e3b6dcec9f2e5568ba"
  }
 }
-
diff --git a/SPECS/haproxy/haproxy.spec b/SPECS/haproxy/haproxy.spec
index 87de4ecc480..a6b0ce0d968 100644
--- a/SPECS/haproxy/haproxy.spec
+++ b/SPECS/haproxy/haproxy.spec
@@ -1,7 +1,7 @@
 Summary:        A fast, reliable HA, load balancing, and proxy solution.
 Name:           haproxy
-Version:        2.9.1
-Release:        2%{?dist}
+Version:        2.9.11
+Release:        1%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -59,6 +59,10 @@ install -vDm644 examples/transparent_proxy.cfg  %{buildroot}/%{_sysconfdir}/hapr
 %{_mandir}/*
 
 %changelog
+* Wed Sep 25 2024 Archana Choudhary <archana1@microsoft.com> - 2.9.11-1
+- Upgrade to 2.9.11
+- Fix CVE-2024-45506
+
 * Fri Apr 05 2024 Betty Lakes <bettylakes@microsoft.com> - 2.9.1-2
 - Move from pcre to pcre2
 
diff --git a/SPECS/hardening-check/hardening-check.spec b/SPECS/hardening-check/hardening-check.spec
index 21ca2fb93ba..d2c20a3f356 100644
--- a/SPECS/hardening-check/hardening-check.spec
+++ b/SPECS/hardening-check/hardening-check.spec
@@ -3,7 +3,7 @@
 Summary:        Tool to check ELF binary hardening configuration
 Name:           hardening-check
 Version:        2.6
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2+
 URL:            http://packages.debian.org/hardening-wrapper
 Group:          Development/Tools
@@ -53,6 +53,9 @@ make
 %{_mandir}/man1/hardening-check.1.*
 
 %changelog
+* Tue Sep 03 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 2.6-3
+- License verified.
+
 * Wed May 20 2020 Henry Beberman <henry.beberman@microsoft.com> - 2.6-2
 - Initial CBL-Mariner import from Fedora 26 (license: MIT).
 - Changed package name from 'hardening-wrapper'.
diff --git a/SPECS/hvloader/hvloader.signatures.json b/SPECS/hvloader/hvloader.signatures.json
deleted file mode 100644
index f391cb64fe5..00000000000
--- a/SPECS/hvloader/hvloader.signatures.json
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "Signatures": {
-  "edk2-stable202405-submodules.tar.gz": "aa9ef0f245b006c3e2cb069cf3356d3e8942b41b9d6cda5349be265548b15e5f",
-  "hvloader-1.0.1.tar.gz": "4e0a15cfab98a89a0a93f747df876ea3ee5366c3ffbd158c28e296bf52c7dfba",
-  "target-x86.txt": "fcf4f427d3b80e67296be2a1d17ec124d65f673d4f6ea37d238f8d3fc1ddc4b8"
- }
-}
\ No newline at end of file
diff --git a/SPECS/hvloader/hvloader.spec b/SPECS/hvloader/hvloader.spec
deleted file mode 100644
index 5a0e46fb274..00000000000
--- a/SPECS/hvloader/hvloader.spec
+++ /dev/null
@@ -1,77 +0,0 @@
-%define  debug_package %{nil}
-%define  name_github   HvLoader
-%define  edk2_tag      edk2-stable202405
-Summary:        HvLoader.efi is an EFI application for loading an external hypervisor loader.
-Name:           hvloader
-Version:        1.0.1
-Release:        5%{?dist}
-License:        MIT
-Vendor:         Microsoft Corporation
-Distribution:   Azure Linux
-Group:          Applications/System
-URL:            https://github.com/microsoft/HvLoader
-Source0:        https://github.com/microsoft/HvLoader/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
-# Instructions to generate edk2 submodules: https://github.com/tianocore/edk2/tree/edk2-stable202405?tab=readme-ov-file#submodules
-Source1:        https://github.com/tianocore/edk2/archive/refs/tags/%{edk2_tag}.tar.gz#/%{edk2_tag}-submodules.tar.gz
-Source2:        target-x86.txt
-BuildRequires:  bc
-BuildRequires:  gcc
-BuildRequires:  build-essential
-BuildRequires:  gcc-c++
-BuildRequires:  genisoimage
-BuildRequires:  acpica-tools
-BuildRequires:  libuuid-devel
-BuildRequires:  nasm
-BuildRequires:  python3
-BuildRequires:  python3-devel
-ExclusiveArch:  x86_64
-
-%description
-HvLoader.efi is an EFI application for loading an external hypervisor loader.
-
-HvLoader.efi loads a given hypervisor loader binary (DLL, EFI, etc.), and 
-calls it's entry point passing HvLoader.efi ImageHandle. This way the 
-hypervisor loader binary has access to HvLoader.efi's command line options,
-and use those as configuration parameters. The first HvLoader.efi command line
-option is the path to hypervisor loader binary.
-
-%prep
-%autosetup -a 0 -a 1 -c "%{name}-%{version}"
-set -x
-ls -l
-mv %{name_github}-%{version} MdeModulePkg/Application
-
-%build
-export EDK_TOOLS_PATH=$(pwd)/BaseTools
-source ./edksetup.sh
-make -C BaseTools
-sed -i '/MdeModulePkg\/Application\/HelloWorld\/HelloWorld.inf/a \ \ MdeModulePkg\/Application\/%{name_github}-%{version}/HvLoader.inf' MdeModulePkg/MdeModulePkg.dsc
-cp %{SOURCE2} Conf/target.txt
-build -p MdeModulePkg/MdeModulePkg.dsc -m MdeModulePkg/Application/%{name_github}-%{version}/HvLoader.inf
-
-%install
-mkdir -p %{buildroot}/boot/efi
-cp ./Build/MdeModule/RELEASE_GCC5/X64/MdeModulePkg/Application/%{name_github}-%{version}/%{name_github}/OUTPUT/HvLoader.efi %{buildroot}/boot/efi
-
-%files
-%license MdeModulePkg/Application/%{name_github}-%{version}/LICENSE
-/boot/efi/HvLoader.efi
-
-%changelog
-* Thu Jul 25 2024 Betty Lakes <bettylakes@microsoft.com> - 1.0.1-5
-- Update edk2_tag to edk2-stable202405 to fix CVE-2022-36763, CVE-2022-36764, CVE-2022-36765, CVE-2023-45230, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237
-- Remove CVE-2024-1298 and CVE-2023-0464 patches, since they were fixed in version edk2-stable202405
-
-* Fri Jul 12 2024 Archana Choudhary <archana1@microsoft.com> - 1.0.1-4
-- Add patch to resolve CVE-2023-0464
-
-* Fri Jul 12 2024 Archana Choudhary <archana1@microsoft.com> - 1.0.1-3
-- Add patch to resolve CVE-2024-1298
-
-* Wed Jun 05 2024 Chris Co <chrco@microsoft.com> - 1.0.1-2
-- Update edk2_tag to edk2-stable202305
-
-* Tue May 02 2023 Cameron Baird <cameronbaird@microsoft.com> - 1.0.1-1
-- Add hvloader.spec
-- License verified
-- Original version for CBL-Mariner
diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json
index 99df6f631b2..72072e949a1 100644
--- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json
+++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json
@@ -7,6 +7,6 @@
     "hypervkvpd.service": "c1bb207cf9f388f8f3cf5b649abbf8cfe4c4fcf74538612946e68f350d1f265f",
     "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1",
     "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d",
-    "kernel-6.6.47.1.tar.gz": "05f517228da02a9d1d4fd86c66b7565aa7bd28bae1380e29d79f181842efe50f"
+    "kernel-6.6.51.1.tar.gz": "018ece71bd3feb3f770e759c4c04a4472c72daf3a10f3f88de61083aaa6193df"
   }
 }
diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec
index effb9b6aa51..24b4455c8cd 100644
--- a/SPECS/hyperv-daemons/hyperv-daemons.spec
+++ b/SPECS/hyperv-daemons/hyperv-daemons.spec
@@ -10,7 +10,7 @@
 
 Summary:        Hyper-V daemons suite
 Name:           hyperv-daemons
-Version:        6.6.47.1
+Version:        6.6.51.1
 Release:        1%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
@@ -221,6 +221,9 @@ fi
 %{_sbindir}/lsvmbus
 
 %changelog
+* Wed Sep 18 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.51.1-1
+- Auto-upgrade to 6.6.51.1
+
 * Thu Aug 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.47.1-1
 - Auto-upgrade to 6.6.47.1
 
diff --git a/SPECS/ig/ig.signatures.json b/SPECS/ig/ig.signatures.json
index e64567a85ce..89c9aa98341 100644
--- a/SPECS/ig/ig.signatures.json
+++ b/SPECS/ig/ig.signatures.json
@@ -1,6 +1,6 @@
 {
  "Signatures": {
-  "ig-0.30.0-govendor-v1.tar.gz": "b2db05dc0389ef7a4456f3a04edc96d2c89c4c599e89db39ce3b0d14314d60e9",
-  "ig-0.30.0.tar.gz": "75422f8f8a596019724f65acaa5165c142d9c580334114b3f7a7f86c742ee198"
+  "ig-0.32.0-govendor-v1.tar.gz": "daeb58510a1796dd76a78ac61c421630a61f5589f0ee3f35949500d731edb7bd",
+  "ig-0.32.0.tar.gz": "f0d0840974d4f2c724824949a8ec3fb0eeac6945a730f84345382824e4c49c4d"
  }
 }
\ No newline at end of file
diff --git a/SPECS/ig/ig.spec b/SPECS/ig/ig.spec
index abba7d7f029..abc3b675400 100644
--- a/SPECS/ig/ig.spec
+++ b/SPECS/ig/ig.spec
@@ -1,6 +1,6 @@
 Summary:        The eBPF tool and systems inspection framework for Kubernetes, containers and Linux hosts.
 Name:           ig
-Version:        0.30.0
+Version:        0.32.0
 Release:        1%{?dist}
 License:        Apache 2.0 and GPL 2.0 for eBPF code
 Vendor:         Microsoft Corporation
@@ -64,6 +64,12 @@ fi
 %{_bindir}/ig
 
 %changelog
+* Tue Sep 03 2024 Francis Laniel <flaniel@linux.microsoft.com> - 0.32.0-1
+- Bump to version 0.32.0
+
+* Tue Aug 06 2024 Francis Laniel <flaniel@linux.microsoft.com> - 0.31.0-1
+- Bump to version 0.31.0
+
 * Mon Jul 01 2024 Francis Laniel <flaniel@linux.microsoft.com> - 0.30.0-1
 - Bump to version 0.30.0
 - Update how binary version is set while building
diff --git a/SPECS/jx/CVE-2023-45288.patch b/SPECS/jx/CVE-2023-45288.patch
new file mode 100644
index 00000000000..4d53dfb5125
--- /dev/null
+++ b/SPECS/jx/CVE-2023-45288.patch
@@ -0,0 +1,83 @@
+From 63b4ddd633bde166d2b2800dbc6ad6a64f77b838 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Wed, 10 Jan 2024 13:41:39 -0800
+Subject: [PATCH] http2: close connections when receiving too many headers
+
+Maintaining HPACK state requires that we parse and process
+all HEADERS and CONTINUATION frames on a connection.
+When a request's headers exceed MaxHeaderBytes, we don't
+allocate memory to store the excess headers but we do
+parse them. This permits an attacker to cause an HTTP/2
+endpoint to read arbitrary amounts of data, all associated
+with a request which is going to be rejected.
+
+Set a limit on the amount of excess header frames we
+will process before closing a connection.
+
+Thanks to Bartek Nowotarski for reporting this issue.
+
+Fixes CVE-2023-45288
+Fixes golang/go#65051
+
+Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/576155
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
+Reviewed-by: Than McIntosh <thanm@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+---
+ vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
+index c1f6b90..175c154 100644
+--- a/vendor/golang.org/x/net/http2/frame.go
++++ b/vendor/golang.org/x/net/http2/frame.go
+@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ 		if size > remainSize {
+ 			hdec.SetEmitEnabled(false)
+ 			mh.Truncated = true
++			remainSize = 0
+ 			return
+ 		}
+ 		remainSize -= size
+@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ 	var hc headersOrContinuation = hf
+ 	for {
+ 		frag := hc.HeaderBlockFragment()
++
++		// Avoid parsing large amounts of headers that we will then discard.
++		// If the sender exceeds the max header list size by too much,
++		// skip parsing the fragment and close the connection.
++		//
++		// "Too much" is either any CONTINUATION frame after we've already
++		// exceeded the max header list size (in which case remainSize is 0),
++		// or a frame whose encoded size is more than twice the remaining
++		// header list bytes we're willing to accept.
++		if int64(len(frag)) > int64(2*remainSize) {
++			if VerboseLogs {
++				log.Printf("http2: header list too large")
++			}
++			// It would be nice to send a RST_STREAM before sending the GOAWAY,
++			// but the struture of the server's frame writer makes this difficult.
++			return nil, ConnectionError(ErrCodeProtocol)
++		}
++
++		// Also close the connection after any CONTINUATION frame following an
++		// invalid header, since we stop tracking the size of the headers after
++		// an invalid one.
++		if invalid != nil {
++			if VerboseLogs {
++				log.Printf("http2: invalid header: %v", invalid)
++			}
++			// It would be nice to send a RST_STREAM before sending the GOAWAY,
++			// but the struture of the server's frame writer makes this difficult.
++			return nil, ConnectionError(ErrCodeProtocol)
++		}
++
+ 		if _, err := hdec.Write(frag); err != nil {
+ 			return nil, ConnectionError(ErrCodeCompression)
+ 		}
diff --git a/SPECS/jx/jx.spec b/SPECS/jx/jx.spec
index 33ffdd97e01..83f607b5972 100644
--- a/SPECS/jx/jx.spec
+++ b/SPECS/jx/jx.spec
@@ -1,7 +1,7 @@
 Summary:        Command line tool for working with Jenkins X.
 Name:           jx
 Version:        3.10.116
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -27,6 +27,7 @@ Source0:        https://github.com/jenkins-x/jx/archive/v%{version}.tar.gz#/%{na
 #         See: https://reproducible-builds.org/docs/archives/
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:        %{name}-%{version}-vendor.tar.gz
+Patch0:         CVE-2023-45288.patch
 
 BuildRequires:  golang >= 1.17.1
 %global debug_package %{nil}
@@ -36,10 +37,12 @@ BuildRequires:  golang >= 1.17.1
 Command line tool for working with Jenkins X.
 
 %prep
-%autosetup -p1
+%autosetup -N
+# Apply vendor before patching
+tar --no-same-owner -xf %{SOURCE1}
+%autopatch -p1
 
 %build
-tar --no-same-owner -xf %{SOURCE1}
 export GOPATH=%{our_gopath}
 # No download use vednor cache locally
 sed -i 's/go mod download/# go mod download/' ./Makefile
@@ -60,6 +63,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./build/jx
 %{_bindir}/jx
 
 %changelog
+* Thu Aug 22 2024 Sumedh Sharma <sumsharma@microsoft.com> - 3.10.116-2
+- Add patch to resolve CVE-2023-45288
+
 * Fri Oct 27 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.10.116-1
 - Auto-upgrade to 3.10.116 - Azure Linux 3.0 - package upgrades
 
diff --git a/SPECS/kata-containers-cc/kata-containers-cc.spec b/SPECS/kata-containers-cc/kata-containers-cc.spec
index 1d5061557ac..b775d8dd7df 100644
--- a/SPECS/kata-containers-cc/kata-containers-cc.spec
+++ b/SPECS/kata-containers-cc/kata-containers-cc.spec
@@ -14,11 +14,12 @@
 
 Name:         kata-containers-cc
 Version:      3.2.0.azl2
-Release:      6%{?dist}
+Release:      7%{?dist}
 Summary:      Kata Confidential Containers package developed for Confidential Containers on AKS
 License:      ASL 2.0
-Vendor:       Microsoft Corporation
 URL:          https://github.com/microsoft/kata-containers
+Vendor:       Microsoft Corporation
+Distribution: Azure Linux
 Source0:      https://github.com/microsoft/kata-containers/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:      %{name}-%{version}-cargo.tar.gz
 Source2:      mariner-coco-build-uvm.sh
@@ -293,6 +294,9 @@ fi
 %exclude %{osbuilder}/tools/osbuilder/rootfs-builder/ubuntu
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 3.2.0.azl2-7
+- Add missing Distribution tag.
+
 * Fri Jul 19 2024 Cameron Baird <cameronbaird@microsoft.com> 3.2.0.azl2-6
 - Explicitly set OS_VERSION=3.0 for invocations of rootfs builder
 
diff --git a/SPECS/kata-containers/kata-containers.spec b/SPECS/kata-containers/kata-containers.spec
index 345f427d5f9..3f81d315a46 100644
--- a/SPECS/kata-containers/kata-containers.spec
+++ b/SPECS/kata-containers/kata-containers.spec
@@ -40,10 +40,11 @@
 Summary:        Kata Containers
 Name:           kata-containers
 Version:        3.2.0.azl2
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        ASL 2.0
-Vendor:         Microsoft Corporation
 URL:            https://github.com/microsoft/kata-containers
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        https://github.com/microsoft/kata-containers/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        %{name}-%{version}-cargo.tar.gz
 Source2:        50-kata
@@ -216,6 +217,9 @@ ln -sf %{_bindir}/kata-runtime %{buildroot}%{_prefix}/local/bin/kata-runtime
 %exclude %{kataosbuilderdir}/rootfs-builder/ubuntu
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 3.2.0.azl2-5
+- Add missing Distribution tag.
+
 * Fri Jul 19 2024 Cameron Baird <cameronbaird@microsoft.com> 3.2.0.azl2-4
 - Explicitly set OS_VERSION=3.0 for invocations of rootfs builder
 
diff --git a/SPECS/keda/keda.signatures.json b/SPECS/keda/keda.signatures.json
index 01067dd2549..04ea160db2e 100644
--- a/SPECS/keda/keda.signatures.json
+++ b/SPECS/keda/keda.signatures.json
@@ -1,6 +1,6 @@
 {
  "Signatures": {
-  "keda-2.14.0-vendor.tar.gz": "36e62d59b865b119070868c5d237e935bd633eacad31b1dc91e9bdcb3d5fd3cf",
-  "keda-2.14.0.tar.gz": "f99bf7540a70cf44d5450146737e62c5860276a14fadfa020ad05b6c1f1c8f8a"
+  "keda-2.14.1-vendor.tar.gz": "8bd0e8a26be3011de6455166874e3613ce39e99f6e7c8af49eae7cbf05d02efe",
+  "keda-2.14.1.tar.gz": "5a843fccb39f23ea4de03a88a803129223baf9131ec802bbae438cb83bcf3272"
  }
 }
diff --git a/SPECS/keda/keda.spec b/SPECS/keda/keda.spec
index c243af50866..bd64f4b864f 100644
--- a/SPECS/keda/keda.spec
+++ b/SPECS/keda/keda.spec
@@ -1,7 +1,7 @@
 Summary:        Kubernetes-based Event Driven Autoscaling
 Name:           keda
-Version:        2.14.0
-Release:        2%{?dist}
+Version:        2.14.1
+Release:        1%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -60,6 +60,10 @@ cp ./bin/keda-admission-webhooks %{buildroot}%{_bindir}
 %{_bindir}/%{name}-admission-webhooks
 
 %changelog
+* Fri Sep 27 2024 Archana Choudhary <archana1@microsoft.com> - 2.14.1-1
+- Upgrade to 2.14.1
+- Fix CVE-2024-35255 in github.com/Azure/azure-sdk-for-go/sdk/azidentity 
+
 * Thu Aug 01 2024 Bala <balakumaran.kannan@microsoft.com> - 2.14.0-2
 - Added CVE-2024-6104.patch
 
diff --git a/SPECS/keepalived/CVE-2024-41184.patch b/SPECS/keepalived/CVE-2024-41184.patch
new file mode 100644
index 00000000000..d6b5c5b5646
--- /dev/null
+++ b/SPECS/keepalived/CVE-2024-41184.patch
@@ -0,0 +1,379 @@
+From f3a32e3557520dccb298b36b4952eff3e236fb86 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Fri, 12 Jul 2024 15:11:13 +0100
+Subject: [PATCH 1/5] lib: don't return subtracted addresses for rb_find()
+ compare function
+
+If sizeof(int) < sizeof(void *) returning the difference between two
+addresses in an int can cause an overflow.
+
+Use less_equal_greater_than() for comparing addresses.
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ lib/memory.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/memory.c b/lib/memory.c
+index c7217fdd..4b250ac9 100644
+--- a/lib/memory.c
++++ b/lib/memory.c
+@@ -200,7 +200,7 @@ static unsigned free_list_size;
+ static inline int
+ memcheck_ptr_cmp(const void *key, const struct rb_node *a)
+ {
+-	return (const char *)key - (char *)rb_entry_const(a, MEMCHECK, t)->ptr;
++	return less_equal_greater_than((const char *)key, (char *)rb_entry_const(a, MEMCHECK, t)->ptr);
+ }
+ 
+ static inline bool
+-- 
+2.34.1
+
+
+From e78513fe0ce5d83c226ea2c0bd222f375c2438e7 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Fri, 12 Jul 2024 15:16:47 +0100
+Subject: [PATCH 2/5] vrrp: Handle empty ipset names with vrrp_ipsets keyword
+
+We now handle empty ipset names and return a config error.
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ keepalived/core/global_parser.c | 40 ++++++++++++++++++---------------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+
+diff --git a/keepalived/core/global_parser.c b/keepalived/core/global_parser.c
+index ed76b5cb..8935e502 100644
+--- a/keepalived/core/global_parser.c
++++ b/keepalived/core/global_parser.c
+@@ -1099,6 +1099,22 @@ vrrp_iptables_handler(const vector_t *strvec)
+ 	}
+ }
+ #ifdef _HAVE_LIBIPSET_
++static bool
++check_valid_ipset_name(const vector_t *strvec, unsigned entry, const char *log_name)
++{
++	if (strlen(strvec_slot(strvec, entry)) >= IPSET_MAXNAMELEN - 1) {
++		report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name too long - ignored", log_name);
++		return false;
++	}
++
++	if (strlen(strvec_slot(strvec, entry)) == 0) {
++		report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name empty - ignored", log_name);
++		return false;
++	}
++
++	return true;
++}
++
+ static void
+ vrrp_ipsets_handler(const vector_t *strvec)
+ {
+@@ -1119,17 +1135,13 @@ vrrp_ipsets_handler(const vector_t *strvec)
+ 		return;
+ 	}
+ 
+-	if (strlen(strvec_slot(strvec,1)) >= IPSET_MAXNAMELEN - 1) {
+-		report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset address name too long - ignored");
++	if (!check_valid_ipset_name(strvec, 1, "address"))
+ 		return;
+-	}
+ 	global_data->vrrp_ipset_address = STRDUP(strvec_slot(strvec,1));
+ 
+ 	if (vector_size(strvec) >= 3) {
+-		if (strlen(strvec_slot(strvec,2)) >= IPSET_MAXNAMELEN - 1) {
+-			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IPv6 address name too long - ignored");
++		if (!check_valid_ipset_name(strvec, 2, "IPv6 address"))
+ 			return;
+-		}
+ 		global_data->vrrp_ipset_address6 = STRDUP(strvec_slot(strvec,2));
+ 	} else {
+ 		/* No second set specified, copy first name and add "6" */
+@@ -1140,10 +1152,8 @@ vrrp_ipsets_handler(const vector_t *strvec)
+ 	}
+ 
+ 	if (vector_size(strvec) >= 4) {
+-		if (strlen(strvec_slot(strvec,3)) >= IPSET_MAXNAMELEN - 1) {
+-			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IPv6 address_iface name too long - ignored");
++		if (!check_valid_ipset_name(strvec, 3, "IPv6 address_iface"))
+ 			return;
+-		}
+ 		global_data->vrrp_ipset_address_iface6 = STRDUP(strvec_slot(strvec,3));
+ 	} else {
+ 		/* No third set specified, copy second name and add "_if6" */
+@@ -1157,10 +1167,8 @@ vrrp_ipsets_handler(const vector_t *strvec)
+ 	}
+ 
+ 	if (vector_size(strvec) >= 5) {
+-		if (strlen(strvec_slot(strvec,4)) >= IPSET_MAXNAMELEN - 1) {
+-			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset IGMP name too long - ignored");
++		if (!check_valid_ipset_name(strvec, 4, "IGMP"))
+ 			return;
+-		}
+ 		global_data->vrrp_ipset_igmp = STRDUP(strvec_slot(strvec,4));
+ 	} else {
+ 		/* No second set specified, copy first name and add "_igmp" */
+@@ -1171,10 +1179,8 @@ vrrp_ipsets_handler(const vector_t *strvec)
+ 	}
+ 
+ 	if (vector_size(strvec) >= 6) {
+-		if (strlen(strvec_slot(strvec,5)) >= IPSET_MAXNAMELEN - 1) {
+-			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset MLD name too long - ignored");
++		if (!check_valid_ipset_name(strvec, 5, "MLD"))
+ 			return;
+-		}
+ 		global_data->vrrp_ipset_mld = STRDUP(strvec_slot(strvec,5));
+ 	} else {
+ 		/* No second set specified, copy first name and add "_mld" */
+@@ -1186,10 +1192,8 @@ vrrp_ipsets_handler(const vector_t *strvec)
+ 
+ #ifdef _HAVE_VRRP_VMAC_
+ 	if (vector_size(strvec) >= 7) {
+-		if (strlen(strvec_slot(strvec,6)) >= IPSET_MAXNAMELEN - 1) {
+-			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset ND name too long - ignored");
++		if (!check_valid_ipset_name(strvec, 6, "ND"))
+ 			return;
+-		}
+ 		global_data->vrrp_ipset_vmac_nd = STRDUP(strvec_slot(strvec,6));
+ 	} else {
+ 		/* No second set specified, copy first name and add "_nd" */
+-- 
+2.34.1
+
+
+From 281de3aa8a0990fa3cd694a9addc0bf28953da0b Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Fri, 12 Jul 2024 15:18:20 +0100
+Subject: [PATCH 3/5] vrrp: handle empty iptables chain names - vrrp_iptables
+ keyword
+
+We now return an error if a chain name is empty.
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ keepalived/core/global_parser.c | 42 ++++++++++++++++++++-------------
+ 1 file changed, 25 insertions(+), 17 deletions(-)
+
+diff --git a/keepalived/core/global_parser.c b/keepalived/core/global_parser.c
+index 8935e502..3d436e49 100644
+--- a/keepalived/core/global_parser.c
++++ b/keepalived/core/global_parser.c
+@@ -1072,6 +1072,28 @@ vrrp_higher_prio_send_advert_handler(const vector_t *strvec)
+ 		global_data->vrrp_higher_prio_send_advert = true;
+ }
+ #ifdef _WITH_IPTABLES_
++static bool
++check_valid_iptables_ipset_name(const vector_t *strvec, unsigned entry, unsigned max_len, const char *type_name, const char *log_name)
++{
++	if (strlen(strvec_slot(strvec, entry)) >= max_len - 1) {
++		report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : %s %s name too long - ignored", type_name, log_name);
++		return false;
++	}
++
++	if (strlen(strvec_slot(strvec, entry)) == 0) {
++		report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : %s %s name empty - ignored", type_name, log_name);
++		return false;
++	}
++
++	return true;
++}
++
++static bool
++check_valid_iptables_chain_name(const vector_t *strvec, unsigned entry, const char *log_name)
++{
++	return check_valid_iptables_ipset_name(strvec, entry, XT_EXTENSION_MAXNAMELEN, "iptables", log_name);
++}
++
+ static void
+ vrrp_iptables_handler(const vector_t *strvec)
+ {
+@@ -1081,16 +1103,12 @@ vrrp_iptables_handler(const vector_t *strvec)
+ 	}
+ 
+ 	if (vector_size(strvec) >= 2) {
+-		if (strlen(strvec_slot(strvec,1)) >= XT_EXTENSION_MAXNAMELEN - 1) {
+-			report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : iptables in chain name too long - ignored");
++		if (!check_valid_iptables_chain_name(strvec, 1, "in chain"))
+ 			return;
+-		}
+ 		global_data->vrrp_iptables_inchain = STRDUP(strvec_slot(strvec,1));
+ 		if (vector_size(strvec) >= 3) {
+-			if (strlen(strvec_slot(strvec,2)) >= XT_EXTENSION_MAXNAMELEN - 1) {
+-				report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : iptables out chain name too long - ignored");
++			if (!check_valid_iptables_chain_name(strvec, 2, "out chain"))
+ 				return;
+-			}
+ 			global_data->vrrp_iptables_outchain = STRDUP(strvec_slot(strvec,2));
+ 		}
+ 	} else {
+@@ -1102,17 +1120,7 @@ vrrp_iptables_handler(const vector_t *strvec)
+ static bool
+ check_valid_ipset_name(const vector_t *strvec, unsigned entry, const char *log_name)
+ {
+-	if (strlen(strvec_slot(strvec, entry)) >= IPSET_MAXNAMELEN - 1) {
+-		report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name too long - ignored", log_name);
+-		return false;
+-	}
+-
+-	if (strlen(strvec_slot(strvec, entry)) == 0) {
+-		report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : ipset %s name empty - ignored", log_name);
+-		return false;
+-	}
+-
+-	return true;
++	return check_valid_iptables_ipset_name(strvec, entry, IPSET_MAXNAMELEN, "ipset", log_name);
+ }
+ 
+ static void
+-- 
+2.34.1
+
+
+From 1e5902c4793ac01b810f0faa3b5cf47b41ae95c1 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Fri, 12 Jul 2024 15:32:35 +0100
+Subject: [PATCH 4/5] vrrp and ipvs: handle empty nftables chain names
+
+We now return an error if a chain name is empty.
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ keepalived/core/global_parser.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/keepalived/core/global_parser.c b/keepalived/core/global_parser.c
+index 3d436e49..0a8f53ac 100644
+--- a/keepalived/core/global_parser.c
++++ b/keepalived/core/global_parser.c
+@@ -1071,9 +1071,10 @@ vrrp_higher_prio_send_advert_handler(const vector_t *strvec)
+ 	else
+ 		global_data->vrrp_higher_prio_send_advert = true;
+ }
+-#ifdef _WITH_IPTABLES_
++
++#if defined _WITH_IPTABLES_ || defined _WITH_NFTABLES_
+ static bool
+-check_valid_iptables_ipset_name(const vector_t *strvec, unsigned entry, unsigned max_len, const char *type_name, const char *log_name)
++check_valid_iptables_ipset_nftables_name(const vector_t *strvec, unsigned entry, unsigned max_len, const char *type_name, const char *log_name)
+ {
+ 	if (strlen(strvec_slot(strvec, entry)) >= max_len - 1) {
+ 		report_config_error(CONFIG_GENERAL_ERROR, "VRRP Error : %s %s name too long - ignored", type_name, log_name);
+@@ -1087,11 +1088,13 @@ check_valid_iptables_ipset_name(const vector_t *strvec, unsigned entry, unsigned
+ 
+ 	return true;
+ }
++#endif
+ 
++#ifdef _WITH_IPTABLES_
+ static bool
+ check_valid_iptables_chain_name(const vector_t *strvec, unsigned entry, const char *log_name)
+ {
+-	return check_valid_iptables_ipset_name(strvec, entry, XT_EXTENSION_MAXNAMELEN, "iptables", log_name);
++	return check_valid_iptables_ipset_nftables_name(strvec, entry, XT_EXTENSION_MAXNAMELEN, "iptables", log_name);
+ }
+ 
+ static void
+@@ -1120,7 +1123,7 @@ vrrp_iptables_handler(const vector_t *strvec)
+ static bool
+ check_valid_ipset_name(const vector_t *strvec, unsigned entry, const char *log_name)
+ {
+-	return check_valid_iptables_ipset_name(strvec, entry, IPSET_MAXNAMELEN, "ipset", log_name);
++	return check_valid_iptables_ipset_nftables_name(strvec, entry, IPSET_MAXNAMELEN, "ipset", log_name);
+ }
+ 
+ static void
+@@ -1229,6 +1232,12 @@ vrrp_iptables_handler(__attribute__((unused)) const vector_t *strvec)
+ 
+ #ifdef _WITH_NFTABLES_
+ #ifdef _WITH_VRRP_
++static bool
++check_valid_nftables_chain_name(const vector_t *strvec, unsigned entry, const char *log_name)
++{
++	return check_valid_iptables_ipset_nftables_name(strvec, entry, NFT_TABLE_MAXNAMELEN, "nftables", log_name);
++}
++
+ static void
+ vrrp_nftables_handler(__attribute__((unused)) const vector_t *strvec)
+ {
+@@ -1240,10 +1249,8 @@ vrrp_nftables_handler(__attribute__((unused)) const vector_t *strvec)
+ 	}
+ 
+ 	if (vector_size(strvec) >= 2) {
+-		if (strlen(strvec_slot(strvec, 1)) >= NFT_TABLE_MAXNAMELEN) {
+-			report_config_error(CONFIG_GENERAL_ERROR, "nftables table name too long - ignoring");
++		if (!check_valid_nftables_chain_name(strvec, 1, "chain"))
+ 			return;
+-		}
+ 		name = strvec_slot(strvec, 1);
+ 	}
+ 	else {
+@@ -1283,10 +1290,8 @@ ipvs_nftables_handler(__attribute__((unused)) const vector_t *strvec)
+ 	}
+ 
+ 	if (vector_size(strvec) >= 2) {
+-		if (strlen(strvec_slot(strvec, 1)) >= NFT_TABLE_MAXNAMELEN) {
+-			report_config_error(CONFIG_GENERAL_ERROR, "ipvs nftables table name too long - ignoring");
++		if (!check_valid_nftables_chain_name(strvec, 1, "ipvs chain"))
+ 			return;
+-		}
+ 		name = strvec_slot(strvec, 1);
+ 	}
+ 	else {
+-- 
+2.34.1
+
+
+From 7e2cabdb1391f9378fbb76513c2ee9c88b15dba8 Mon Sep 17 00:00:00 2001
+From: Quentin Armitage <quentin@armitage.org.uk>
+Date: Fri, 12 Jul 2024 15:34:54 +0100
+Subject: [PATCH 5/5] configure: add --enable-sanitize-address option
+
+Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
+---
+ configure.ac | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 180beb6f..1ba691b6 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -263,6 +263,8 @@ AC_ARG_ENABLE(stacktrace,
+   [AS_HELP_STRING([--enable-stacktrace], [compile with stacktrace support])])
+ AC_ARG_ENABLE(perf,
+   [AS_HELP_STRING([--enable-perf], [compile with perf performance data recording support for vrrp process])])
++AC_ARG_ENABLE(sanitize-address,
++  [AS_HELP_STRING([--enable-sanitize-address], [compile with sanitize=address (ASAN) support])])
+ AC_ARG_ENABLE(log-file,
+   [AS_HELP_STRING([--enable-log-file], [enable logging to file (-g)])])
+ AC_ARG_ENABLE(dump-threads,
+@@ -2848,6 +2850,16 @@ else
+   ENABLE_PERF=No
+ fi
+ 
++dnl ----[ sanitize=address testing or not? ]----
++if test "${enable_sanitize_address}" = yes; then
++#  AC_DEFINE([_WITH_SANITIZE_ADDRESS_], [ 1 ], [Define to 1 to build with sanitize=address support])
++  ENABLE_SANITIZE_ADDRESS=Yes
++  add_config_opt([SANITIZE_ADDRESS])
++  add_to_var([KA_CFLAGS], [-fsanitize=address -g])
++else
++  ENABLE_SANITIZE_ADDRESS=No
++fi
++
+ if test "${enable_log_file}" = yes; then
+   AC_DEFINE([ENABLE_LOG_TO_FILE], [ 1 ], [Define if enabling logging to files])
+   ENABLE_LOG_FILE_APPEND=Yes
+@@ -3271,6 +3283,9 @@ fi
+ if test ${ENABLE_PERF} = Yes; then
+   echo "Perf support             : Yes"
+ fi
++if test ${ENABLE_SANITIZE_ADDRESS} = Yes; then
++  echo "sanitize=address testing : Yes"
++fi
+ if test ${MEM_CHECK} = Yes; then
+   echo "Memory alloc check       : Yes"
+   echo "Memory alloc check log   : ${MEM_CHECK_LOG}"
+-- 
+2.34.1
+
diff --git a/SPECS/keepalived/keepalived.signatures.json b/SPECS/keepalived/keepalived.signatures.json
index 462a500d230..ce75fa5589a 100644
--- a/SPECS/keepalived/keepalived.signatures.json
+++ b/SPECS/keepalived/keepalived.signatures.json
@@ -1,6 +1,6 @@
 {
-  "Signatures": {
-    "keepalived.service": "533fac0ed629192f87b42f5fa2ba4443bccc3ac383e9495be97369616b95d6bd",
-    "keepalived-2.2.8.tar.gz": "85882eb62974f395d4c631be990a41a839594a7e62fbfebcb5649a937a7a1bb6"
-  }
+ "Signatures": {
+  "keepalived-2.3.1.tar.gz": "92f4b69bfd998e2306d1995ad16fdad1b59e70be694c883385c5f55e02c62aa3",
+  "keepalived.service": "533fac0ed629192f87b42f5fa2ba4443bccc3ac383e9495be97369616b95d6bd"
+ }
 }
diff --git a/SPECS/keepalived/keepalived.spec b/SPECS/keepalived/keepalived.spec
index 0857c89d324..752004a7b5d 100644
--- a/SPECS/keepalived/keepalived.spec
+++ b/SPECS/keepalived/keepalived.spec
@@ -1,6 +1,6 @@
 Summary:        HA monitor built upon LVS, VRRP and services poller
 Name:           keepalived
-Version:        2.2.8
+Version:        2.3.1
 Release:        1%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
@@ -9,6 +9,7 @@ Group:          Applications/System
 URL:            https://www.keepalived.org/
 Source0:        https://www.keepalived.org/software/%{name}-%{version}.tar.gz
 Source1:        %{name}.service
+Patch0:         CVE-2024-41184.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -45,7 +46,7 @@ failover. So in short keepalived is a userspace daemon for LVS cluster nodes
 healthchecks and LVS directors failover.
 
 %prep
-%setup -q
+%autosetup -p1
 
 %build
 autoreconf -f -i
@@ -109,6 +110,10 @@ fi
 %{_mandir}/man8/keepalived.8*
 
 %changelog
+* Thu Sep 19 2024 Suresh Thelkar <sthelkar@microsoft.com> - 2.3.1-1
+- Add patch for CVE-2024-41184.patch.
+- Use autosetup.
+
 * Mon Nov 06 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.2.8-1
 - Auto-upgrade to 2.2.8 - Azure Linux 3.0 - package upgrades
 
diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json
index 859c64cc1ef..758ce87241f 100644
--- a/SPECS/kernel-headers/kernel-headers.signatures.json
+++ b/SPECS/kernel-headers/kernel-headers.signatures.json
@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "kernel-6.6.47.1.tar.gz": "05f517228da02a9d1d4fd86c66b7565aa7bd28bae1380e29d79f181842efe50f"
+    "kernel-6.6.51.1.tar.gz": "018ece71bd3feb3f770e759c4c04a4472c72daf3a10f3f88de61083aaa6193df"
   }
 }
diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec
index 1305e26df06..c9fc7ab67ee 100644
--- a/SPECS/kernel-headers/kernel-headers.spec
+++ b/SPECS/kernel-headers/kernel-headers.spec
@@ -13,8 +13,8 @@
 
 Summary:        Linux API header files
 Name:           kernel-headers
-Version:        6.6.47.1
-Release:        1%{?dist}
+Version:        6.6.51.1
+Release:        5%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -75,6 +75,39 @@ done
 %endif
 
 %changelog
+* Thu Oct 03 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.51.1-5
+- Bump release to match kernel
+
+* Wed Oct 02 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.51.1-4
+- Bump release to match kernel
+
+* Tue Sep 24 2024 Jo Zzsi <jozzsicsataban@gmail.com> - 6.6.51.1-3
+- Bump release to match kernel
+
+* Fri Sep 20 2024 Chris Co <chrco@microsoft.com> - 6.6.51.1-2
+- Bump release to match kernel
+
+* Wed Sep 18 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.51.1-1
+- Auto-upgrade to 6.6.51.1
+
+* Fri Sep 13 2024 Thien Trung Vuong <tvuong@microsoft.com> - 6.6.47.1-7
+- Bump release to match kernel
+
+* Fri Sep 13 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-6
+- Bump release to match kernel
+
+* Thu Sep 12 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-5
+- Bump release to match kernel
+
+* Thu Sep 12 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-4
+- Bump release to match kernel
+
+* Wed Sep 04 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-3
+- Bump release to match kernel
+
+* Thu Aug 29 2024 Jo Zzsi <jozzsicsataban@gmail.com> - 6.6.47.1-2
+- Bump release to match kernel
+
 * Thu Aug 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.47.1-1
 - Auto-upgrade to 6.6.47.1
 
diff --git a/SPECS/kernel/CVE-2024-38381.nopatch b/SPECS/kernel/CVE-2024-38381.nopatch
new file mode 100644
index 00000000000..5e495c9d83f
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-38381.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-38381 - patched in 6.6.33.1 - (generated by autopatch tool)
+upstream e4a87abf588536d1cdfb128595e6e680af5cf3ed - stable e53a7f8afcbd2886f2a94c5d56757328109730ea
+
diff --git a/SPECS/kernel/CVE-2024-39472.nopatch b/SPECS/kernel/CVE-2024-39472.nopatch
new file mode 100644
index 00000000000..87e9208d964
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-39472.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-39472 - patched in 6.6.46.1 - (generated by autopatch tool)
+upstream 45cf976008ddef4a9c9a30310c9b4fb2a9a6602a - stable c2389c074973aa94e34992e7f66dac0de37595b5
+
diff --git a/SPECS/kernel/CVE-2024-43884.nopatch b/SPECS/kernel/CVE-2024-43884.nopatch
new file mode 100644
index 00000000000..69448400628
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-43884.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-43884 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 538fd3921afac97158d4177139a0ad39f056dbb2 - stable 064dd929c76532359d2905d90a7c12348043cfd4
+
diff --git a/SPECS/kernel/CVE-2024-43891.nopatch b/SPECS/kernel/CVE-2024-43891.nopatch
new file mode 100644
index 00000000000..d84376ad029
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-43891.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-43891 - patched in 6.6.49.1 - (generated by autopatch tool)
+upstream b1560408692cd0ab0370cfbe9deb03ce97ab3f6d - stable 4ed03758ddf0b19d69eed69386d65a92d0091e0c
+
diff --git a/SPECS/kernel/CVE-2024-44946.nopatch b/SPECS/kernel/CVE-2024-44946.nopatch
new file mode 100644
index 00000000000..fa8e53b4ca0
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44946.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44946 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 807067bf014d4a3ae2cc55bd3de16f22a01eb580 - stable 00425508f30baa5ab6449a1f478480ca7cffa6da
+
diff --git a/SPECS/kernel/CVE-2024-44947.nopatch b/SPECS/kernel/CVE-2024-44947.nopatch
new file mode 100644
index 00000000000..42779db2234
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44947.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44947 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 3c0da3d163eb32f1f91891efaade027fa9b245b9 - stable ac42e0f0eb66af966015ee33fd355bc6f5d80cd6
+
diff --git a/SPECS/kernel/CVE-2024-44974.nopatch b/SPECS/kernel/CVE-2024-44974.nopatch
new file mode 100644
index 00000000000..1340109f0f5
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44974.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44974 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 48e50dcbcbaaf713d82bf2da5c16aeced94ad07d - stable 9a9afbbc3fbfca4975eea4aa5b18556db5a0c0b8
+
diff --git a/SPECS/kernel/CVE-2024-44983.nopatch b/SPECS/kernel/CVE-2024-44983.nopatch
new file mode 100644
index 00000000000..8e4dbb172ff
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44983.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44983 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 6ea14ccb60c8ab829349979b22b58a941ec4a3ee - stable 0279c35d242d037abeb73d60d06a6d1bb7f672d9
+
diff --git a/SPECS/kernel/CVE-2024-44985.nopatch b/SPECS/kernel/CVE-2024-44985.nopatch
new file mode 100644
index 00000000000..8e2e0d00d5c
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44985.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44985 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 2d5ff7e339d04622d8282661df36151906d0e1c7 - stable 124b428fe28064c809e4237b0b38e97200a8a4a8
+
diff --git a/SPECS/kernel/CVE-2024-44986.nopatch b/SPECS/kernel/CVE-2024-44986.nopatch
new file mode 100644
index 00000000000..ea2c1fa8df5
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44986.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44986 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream da273b377ae0d9bd255281ed3c2adb228321687b - stable 6ab6bf731354a6fdbaa617d1ec194960db61cf3b
+
diff --git a/SPECS/kernel/CVE-2024-44987.nopatch b/SPECS/kernel/CVE-2024-44987.nopatch
new file mode 100644
index 00000000000..a2558bed638
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44987.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44987 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream faa389b2fbaaec7fd27a390b4896139f9da662e3 - stable af1dde074ee2ed7dd5bdca4e7e8ba17f44e7b011
+
diff --git a/SPECS/kernel/CVE-2024-44989.nopatch b/SPECS/kernel/CVE-2024-44989.nopatch
new file mode 100644
index 00000000000..313a4a38276
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44989.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44989 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream f8cde9805981c50d0c029063dc7d82821806fc44 - stable 4582d4ff413a07d4ed8a4823c652dc5207760548
+
diff --git a/SPECS/kernel/CVE-2024-44990.nopatch b/SPECS/kernel/CVE-2024-44990.nopatch
new file mode 100644
index 00000000000..affc13590b6
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44990.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44990 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 95c90e4ad89d493a7a14fa200082e466e2548f9d - stable 0707260a18312bbcd2a5668584e3692d0a29e3f6
+
diff --git a/SPECS/kernel/CVE-2024-44995.nopatch b/SPECS/kernel/CVE-2024-44995.nopatch
new file mode 100644
index 00000000000..7a8cbbf6a07
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44995.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44995 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream be5e816d00a506719e9dbb1a9c861c5ced30a109 - stable fa1d4de7265c370e673583ac8d1bd17d21826cd9
+
diff --git a/SPECS/kernel/CVE-2024-44996.nopatch b/SPECS/kernel/CVE-2024-44996.nopatch
new file mode 100644
index 00000000000..e73eb1af403
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44996.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44996 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 69139d2919dd4aa9a553c8245e7c63e82613e3fc - stable 921f1acf0c3cf6b1260ab57a8a6e8b3d5f3023d5
+
diff --git a/SPECS/kernel/CVE-2024-44997.nopatch b/SPECS/kernel/CVE-2024-44997.nopatch
new file mode 100644
index 00000000000..01c936942b4
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44997.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44997 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream db1b4bedb9b97c6d34b03d03815147c04fffe8b4 - stable 326a89321f9d5fe399fe6f9ff7c0fc766582a6a0
+
diff --git a/SPECS/kernel/CVE-2024-44998.nopatch b/SPECS/kernel/CVE-2024-44998.nopatch
new file mode 100644
index 00000000000..2ff75fd69b9
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44998.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44998 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream a9a18e8f770c9b0703dab93580d0b02e199a4c79 - stable ef23c18ab88e33ce000d06a5c6aad0620f219bfd
+
diff --git a/SPECS/kernel/CVE-2024-44999.nopatch b/SPECS/kernel/CVE-2024-44999.nopatch
new file mode 100644
index 00000000000..67c7742bf5a
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-44999.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-44999 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 3a3be7ff9224f424e485287b54be00d2c6bd9c40 - stable 34ba4f29f3d9eb52dee37512059efb2afd7e966f
+
diff --git a/SPECS/kernel/CVE-2024-45000.nopatch b/SPECS/kernel/CVE-2024-45000.nopatch
new file mode 100644
index 00000000000..c054396e0a2
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45000.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45000 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream f71aa06398aabc2e3eaac25acdf3d62e0094ba70 - stable dfaa39b05a6cf34a16c525a2759ee6ab26b5fef6
+
diff --git a/SPECS/kernel/CVE-2024-45002.nopatch b/SPECS/kernel/CVE-2024-45002.nopatch
new file mode 100644
index 00000000000..a6abe7e9230
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45002.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45002 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 90574d2a675947858b47008df8d07f75ea50d0d0 - stable 753f1745146e03abd17eec8eee95faffc96d743d
+
diff --git a/SPECS/kernel/CVE-2024-45006.nopatch b/SPECS/kernel/CVE-2024-45006.nopatch
new file mode 100644
index 00000000000..81d44aa3a35
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45006.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45006 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream af8e119f52e9c13e556be9e03f27957554a84656 - stable 6b99de301d78e1f5249e57ef2c32e1dec3df2bb1
+
diff --git a/SPECS/kernel/CVE-2024-45009.nopatch b/SPECS/kernel/CVE-2024-45009.nopatch
new file mode 100644
index 00000000000..e487faac804
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45009.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45009 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 1c1f721375989579e46741f59523e39ec9b2a9bd - stable d20bf2c96d7ffd171299b32f562f70e5bf5dc608
+
diff --git a/SPECS/kernel/CVE-2024-45010.nopatch b/SPECS/kernel/CVE-2024-45010.nopatch
new file mode 100644
index 00000000000..0196f585dc3
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45010.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45010 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 322ea3778965da72862cca2a0c50253aacf65fe6 - stable 43cf912b0b0fc7b4fd12cbc735d1f5afb8e1322d
+
diff --git a/SPECS/kernel/CVE-2024-45011.nopatch b/SPECS/kernel/CVE-2024-45011.nopatch
new file mode 100644
index 00000000000..05b7548af97
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45011.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45011 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 2374bf7558de915edc6ec8cb10ec3291dfab9594 - stable 5cff754692ad45d5086b75fef8cc3a99c30a1005
+
diff --git a/SPECS/kernel/CVE-2024-45012.nopatch b/SPECS/kernel/CVE-2024-45012.nopatch
new file mode 100644
index 00000000000..1a45d76ee54
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45012.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45012 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 9b340aeb26d50e9a9ec99599e2a39b035fac978e - stable cc29c5546c6a373648363ac49781f1d74b530707
+
diff --git a/SPECS/kernel/CVE-2024-45015.nopatch b/SPECS/kernel/CVE-2024-45015.nopatch
new file mode 100644
index 00000000000..c3ebf5294e5
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45015.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45015 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream aedf02e46eb549dac8db4821a6b9f0c6bf6e3990 - stable 3fb61718bcbe309279205d1cc275a6435611dc77
+
diff --git a/SPECS/kernel/CVE-2024-45016.nopatch b/SPECS/kernel/CVE-2024-45016.nopatch
new file mode 100644
index 00000000000..94030376934
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45016.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45016 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream c07ff8592d57ed258afee5a5e04991a48dbaf382 - stable 577d6c0619467fe90f7e8e57e45cb5bd9d936014
+
diff --git a/SPECS/kernel/CVE-2024-45018.nopatch b/SPECS/kernel/CVE-2024-45018.nopatch
new file mode 100644
index 00000000000..e41e31a463b
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45018.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45018 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream e9767137308daf906496613fd879808a07f006a2 - stable c7b760499f7791352b49b11667ed04b23d7f5b0f
+
diff --git a/SPECS/kernel/CVE-2024-45019.nopatch b/SPECS/kernel/CVE-2024-45019.nopatch
new file mode 100644
index 00000000000..75c5e2f1b56
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45019.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45019 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream e6b5afd30b99b43682a7764e1a74a42fe4d5f4b3 - stable b3b9a87adee97854bcd71057901d46943076267e
+
diff --git a/SPECS/kernel/CVE-2024-45020.nopatch b/SPECS/kernel/CVE-2024-45020.nopatch
new file mode 100644
index 00000000000..33615405475
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45020.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45020 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream bed2eb964c70b780fb55925892a74f26cb590b25 - stable 7cad3174cc79519bf5f6c4441780264416822c08
+
diff --git a/SPECS/kernel/CVE-2024-45021.nopatch b/SPECS/kernel/CVE-2024-45021.nopatch
new file mode 100644
index 00000000000..094405beec4
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45021.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45021 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 046667c4d3196938e992fba0dfcde570aa85cd0e - stable f1aa7c509aa766080db7ab3aec2e31b1df09e57c
+
diff --git a/SPECS/kernel/CVE-2024-45022.nopatch b/SPECS/kernel/CVE-2024-45022.nopatch
new file mode 100644
index 00000000000..a75347a5aaa
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45022.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45022 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 61ebe5a747da649057c37be1c37eb934b4af79ca - stable de7bad86345c43cd040ed43e20d9fad78a3ee59f
+
diff --git a/SPECS/kernel/CVE-2024-45025.nopatch b/SPECS/kernel/CVE-2024-45025.nopatch
new file mode 100644
index 00000000000..0c945dde5c4
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45025.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45025 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 9a2fa1472083580b6c66bdaf291f591e1170123a - stable dd72ae8b0fce9c0bbe9582b9b50820f0407f8d8a
+
diff --git a/SPECS/kernel/CVE-2024-45026.nopatch b/SPECS/kernel/CVE-2024-45026.nopatch
new file mode 100644
index 00000000000..0439bb94b9b
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45026.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45026 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 7db4042336580dfd75cb5faa82c12cd51098c90b - stable 93a7e2856951680cd7fe6ebd705ac10c8a8a5efd
+
diff --git a/SPECS/kernel/CVE-2024-45028.nopatch b/SPECS/kernel/CVE-2024-45028.nopatch
new file mode 100644
index 00000000000..7770133d84f
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45028.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45028 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream a1e627af32ed60713941cbfc8075d44cad07f6dd - stable cac2815f49d343b2f0acc4973d2c14918ac3ab0c
+
diff --git a/SPECS/kernel/CVE-2024-45029.nopatch b/SPECS/kernel/CVE-2024-45029.nopatch
new file mode 100644
index 00000000000..edc507e7e07
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45029.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45029 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 14d069d92951a3e150c0a81f2ca3b93e54da913b - stable 6861faf4232e4b78878f2de1ed3ee324ddae2287
+
diff --git a/SPECS/kernel/CVE-2024-45030.nopatch b/SPECS/kernel/CVE-2024-45030.nopatch
new file mode 100644
index 00000000000..c57ec2624e5
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-45030.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-45030 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 8aba27c4a5020abdf60149239198297f88338a8d - stable 8ea80ff5d8298356d28077bc30913ed37df65109
+
diff --git a/SPECS/kernel/CVE-2024-46672.nopatch b/SPECS/kernel/CVE-2024-46672.nopatch
new file mode 100644
index 00000000000..1a0d4e432b2
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-46672.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-46672 - patched in 6.6.48.1 - (generated by autopatch tool)
+upstream 2ad4e1ada8eebafa2d75a4b75eeeca882de6ada1 - stable 4291f94f8c6b01505132c22ee27b59ed27c3584f
+
diff --git a/SPECS/kernel/CVE-2024-46673.nopatch b/SPECS/kernel/CVE-2024-46673.nopatch
new file mode 100644
index 00000000000..93d988366df
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-46673.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-46673 - patched in 6.6.49.1 - (generated by autopatch tool)
+upstream 919ddf8336f0b84c0453bac583808c9f165a85c2 - stable 8a3995a3ffeca280a961b59f5c99843d81b15929
+
diff --git a/SPECS/kernel/CVE-2024-46674.nopatch b/SPECS/kernel/CVE-2024-46674.nopatch
new file mode 100644
index 00000000000..71abedad6ca
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-46674.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-46674 - patched in 6.6.49.1 - (generated by autopatch tool)
+upstream ddfcfeba891064b88bb844208b43bef2ef970f0c - stable e1e5e8ea2731150d5ba7c707f9e02fafebcfeb49
+
diff --git a/SPECS/kernel/CVE-2024-46677.nopatch b/SPECS/kernel/CVE-2024-46677.nopatch
new file mode 100644
index 00000000000..5cc597e65ec
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-46677.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-46677 - patched in 6.6.49.1 - (generated by autopatch tool)
+upstream defd8b3c37b0f9cb3e0f60f47d3d78d459d57fda - stable 28c67f0f84f889fe9f4cbda8354132b20dc9212d
+
diff --git a/SPECS/kernel/CVE-2024-46685.nopatch b/SPECS/kernel/CVE-2024-46685.nopatch
new file mode 100644
index 00000000000..6198da566f0
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-46685.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-46685 - patched in 6.6.49.1 - (generated by autopatch tool)
+upstream 1c38a62f15e595346a1106025722869e87ffe044 - stable 4ed45fe99ec9e3c9478bd634624cd05a57d002f7
+
diff --git a/SPECS/kernel/CVE-2024-46686.nopatch b/SPECS/kernel/CVE-2024-46686.nopatch
new file mode 100644
index 00000000000..580840403a0
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-46686.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-46686 - patched in 6.6.49.1 - (generated by autopatch tool)
+upstream c724b2ab6a46435b4e7d58ad2fbbdb7a318823cf - stable a01859dd6aebf826576513850a3b05992809e9d2
+
diff --git a/SPECS/kernel/CVE-2024-46687.nopatch b/SPECS/kernel/CVE-2024-46687.nopatch
new file mode 100644
index 00000000000..84aa8f9e4ff
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-46687.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-46687 - patched in 6.6.49.1 - (generated by autopatch tool)
+upstream 10d9d8c3512f16cad47b2ff81ec6fc4b27d8ee10 - stable 51722b99f41f5e722ffa10b8f61e802a0e70b331
+
diff --git a/SPECS/kernel/CVE-2024-46692.nopatch b/SPECS/kernel/CVE-2024-46692.nopatch
new file mode 100644
index 00000000000..8d88d2d1919
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-46692.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-46692 - patched in 6.6.49.1 - (generated by autopatch tool)
+upstream 9960085a3a82c58d3323c1c20b991db6045063b0 - stable cdf7efe4b02aa93813db0bf1ca596ad298ab6b06
+
diff --git a/SPECS/kernel/CVE-2024-46693.nopatch b/SPECS/kernel/CVE-2024-46693.nopatch
new file mode 100644
index 00000000000..8d6451c491e
--- /dev/null
+++ b/SPECS/kernel/CVE-2024-46693.nopatch
@@ -0,0 +1,3 @@
+CVE-2024-46693 - patched in 6.6.49.1 - (generated by autopatch tool)
+upstream 3568affcddd68743e25aa3ec1647d9b82797757b - stable 1efdbf5323c9360e05066049b97414405e94e087
+
diff --git a/SPECS/kernel/config b/SPECS/kernel/config
index 1ad3dc7e3b8..61ec375a81e 100644
--- a/SPECS/kernel/config
+++ b/SPECS/kernel/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86_64 6.6.47.1 Kernel Configuration
+# Linux/x86_64 6.6.51.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0"
 CONFIG_CC_IS_GCC=y
@@ -356,7 +356,7 @@ CONFIG_HYPERVISOR_GUEST=y
 CONFIG_PARAVIRT=y
 CONFIG_PARAVIRT_XXL=y
 # CONFIG_PARAVIRT_DEBUG is not set
-# CONFIG_PARAVIRT_SPINLOCKS is not set
+CONFIG_PARAVIRT_SPINLOCKS=y
 CONFIG_X86_HV_CALLBACK_VECTOR=y
 CONFIG_XEN=y
 CONFIG_XEN_PV=y
@@ -367,7 +367,7 @@ CONFIG_XEN_PVHVM=y
 CONFIG_XEN_PVHVM_SMP=y
 # CONFIG_XEN_PVHVM_GUEST is not set
 CONFIG_XEN_SAVE_RESTORE=y
-CONFIG_XEN_DEBUG_FS=y
+# CONFIG_XEN_DEBUG_FS is not set
 # CONFIG_XEN_PVH is not set
 CONFIG_XEN_DOM0=y
 CONFIG_XEN_PV_MSR_SAFE=y
@@ -467,7 +467,8 @@ CONFIG_X86_PAT=y
 CONFIG_ARCH_USES_PG_UNCACHED=y
 CONFIG_X86_UMIP=y
 CONFIG_CC_HAS_IBT=y
-# CONFIG_X86_KERNEL_IBT is not set
+CONFIG_X86_CET=y
+CONFIG_X86_KERNEL_IBT=y
 CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
 CONFIG_X86_INTEL_TSX_MODE_OFF=y
 # CONFIG_X86_INTEL_TSX_MODE_ON is not set
@@ -1333,6 +1334,7 @@ CONFIG_NF_TABLES_INET=y
 CONFIG_NF_TABLES_NETDEV=y
 CONFIG_NFT_NUMGEN=m
 CONFIG_NFT_CT=m
+CONFIG_NFT_FLOW_OFFLOAD=m
 CONFIG_NFT_CONNLIMIT=m
 CONFIG_NFT_LOG=m
 CONFIG_NFT_LIMIT=m
@@ -1356,7 +1358,9 @@ CONFIG_NFT_TPROXY=m
 # CONFIG_NFT_DUP_NETDEV is not set
 # CONFIG_NFT_FWD_NETDEV is not set
 # CONFIG_NFT_REJECT_NETDEV is not set
-# CONFIG_NF_FLOW_TABLE is not set
+# CONFIG_NF_FLOW_TABLE_INET is not set
+CONFIG_NF_FLOW_TABLE=m
+# CONFIG_NF_FLOW_TABLE_PROCFS is not set
 CONFIG_NETFILTER_XTABLES=y
 CONFIG_NETFILTER_XTABLES_COMPAT=y
 
@@ -1731,8 +1735,9 @@ CONFIG_NET_ACT_BPF=m
 # CONFIG_NET_ACT_SKBMOD is not set
 # CONFIG_NET_ACT_IFE is not set
 CONFIG_NET_ACT_TUNNEL_KEY=m
+CONFIG_NET_ACT_CT=m
 # CONFIG_NET_ACT_GATE is not set
-# CONFIG_NET_TC_SKB_EXT is not set
+CONFIG_NET_TC_SKB_EXT=y
 CONFIG_NET_SCH_FIFO=y
 CONFIG_DCB=y
 CONFIG_DNS_RESOLVER=m
@@ -2290,10 +2295,10 @@ CONFIG_MEGARAID_MM=m
 CONFIG_MEGARAID_MAILBOX=m
 CONFIG_MEGARAID_LEGACY=m
 CONFIG_MEGARAID_SAS=m
-CONFIG_SCSI_MPT3SAS=y
+CONFIG_SCSI_MPT3SAS=m
 CONFIG_SCSI_MPT2SAS_MAX_SGE=128
 CONFIG_SCSI_MPT3SAS_MAX_SGE=128
-CONFIG_SCSI_MPT2SAS=y
+CONFIG_SCSI_MPT2SAS=m
 CONFIG_SCSI_MPI3MR=m
 CONFIG_SCSI_SMARTPQI=y
 CONFIG_SCSI_HPTIOP=m
@@ -2446,7 +2451,7 @@ CONFIG_PATA_RZ1000=y
 #
 CONFIG_PATA_ACPI=y
 CONFIG_ATA_GENERIC=y
-CONFIG_PATA_LEGACY=y
+CONFIG_PATA_LEGACY=m
 CONFIG_MD=y
 CONFIG_BLK_DEV_MD=m
 CONFIG_MD_BITMAP_FILE=y
@@ -2668,8 +2673,8 @@ CONFIG_NET_VENDOR_GOOGLE=y
 CONFIG_NET_VENDOR_I825XX=y
 CONFIG_NET_VENDOR_INTEL=y
 CONFIG_E100=m
-CONFIG_E1000=y
-CONFIG_E1000E=y
+CONFIG_E1000=m
+CONFIG_E1000E=m
 CONFIG_E1000E_HWTS=y
 CONFIG_IGB=m
 CONFIG_IGB_HWMON=y
@@ -2714,6 +2719,9 @@ CONFIG_MLX5_EN_RXNFC=y
 CONFIG_MLX5_MPFS=y
 CONFIG_MLX5_ESWITCH=y
 CONFIG_MLX5_BRIDGE=y
+CONFIG_MLX5_CLS_ACT=y
+CONFIG_MLX5_TC_CT=y
+CONFIG_MLX5_TC_SAMPLE=y
 CONFIG_MLX5_CORE_EN_DCB=y
 CONFIG_MLX5_CORE_IPOIB=y
 CONFIG_MLX5_EN_IPSEC=y
@@ -3320,7 +3328,7 @@ CONFIG_HVC_XEN_FRONTEND=y
 CONFIG_SERIAL_DEV_BUS=y
 CONFIG_SERIAL_DEV_CTRL_TTYPORT=y
 # CONFIG_TTY_PRINTK is not set
-CONFIG_VIRTIO_CONSOLE=m
+CONFIG_VIRTIO_CONSOLE=y
 CONFIG_IPMI_HANDLER=m
 CONFIG_IPMI_DMI_DECODE=y
 CONFIG_IPMI_PLAT_DATA=y
@@ -3420,7 +3428,7 @@ CONFIG_I2C_PIIX4=m
 CONFIG_I2C_DESIGNWARE_CORE=m
 # CONFIG_I2C_DESIGNWARE_SLAVE is not set
 CONFIG_I2C_DESIGNWARE_PLATFORM=m
-CONFIG_I2C_DESIGNWARE_BAYTRAIL=y
+# CONFIG_I2C_DESIGNWARE_BAYTRAIL is not set
 # CONFIG_I2C_DESIGNWARE_PCI is not set
 # CONFIG_I2C_EMEV2 is not set
 # CONFIG_I2C_GPIO is not set
@@ -5549,7 +5557,7 @@ CONFIG_HID_HYPERV_MOUSE=m
 #
 CONFIG_USB_HID=m
 # CONFIG_HID_PID is not set
-# CONFIG_USB_HIDDEV is not set
+CONFIG_USB_HIDDEV=y
 
 #
 # USB HID Boot Protocol drivers
@@ -5690,7 +5698,7 @@ CONFIG_USB_SERIAL_GENERIC=y
 # CONFIG_USB_SERIAL_AIRCABLE is not set
 # CONFIG_USB_SERIAL_ARK3116 is not set
 # CONFIG_USB_SERIAL_BELKIN is not set
-# CONFIG_USB_SERIAL_CH341 is not set
+CONFIG_USB_SERIAL_CH341=m
 # CONFIG_USB_SERIAL_WHITEHEAT is not set
 # CONFIG_USB_SERIAL_DIGI_ACCELEPORT is not set
 CONFIG_USB_SERIAL_CP210X=m
@@ -7201,7 +7209,7 @@ CONFIG_NFSD_BLOCKLAYOUT=y
 CONFIG_NFSD_SCSILAYOUT=y
 CONFIG_NFSD_FLEXFILELAYOUT=y
 # CONFIG_NFSD_V4_2_INTER_SSC is not set
-# CONFIG_NFSD_V4_SECURITY_LABEL is not set
+CONFIG_NFSD_V4_SECURITY_LABEL=y
 CONFIG_GRACE_PERIOD=m
 CONFIG_LOCKD=m
 CONFIG_LOCKD_V4=y
diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64
index e9f921e7339..58acb731145 100644
--- a/SPECS/kernel/config_aarch64
+++ b/SPECS/kernel/config_aarch64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 6.6.47.1 Kernel Configuration
+# Linux/arm64 6.6.51.1 Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.2.0"
 CONFIG_CC_IS_GCC=y
@@ -7756,7 +7756,7 @@ CONFIG_USB_SERIAL_GENERIC=y
 # CONFIG_USB_SERIAL_AIRCABLE is not set
 # CONFIG_USB_SERIAL_ARK3116 is not set
 # CONFIG_USB_SERIAL_BELKIN is not set
-# CONFIG_USB_SERIAL_CH341 is not set
+CONFIG_USB_SERIAL_CH341=m
 # CONFIG_USB_SERIAL_WHITEHEAT is not set
 # CONFIG_USB_SERIAL_DIGI_ACCELEPORT is not set
 CONFIG_USB_SERIAL_CP210X=m
@@ -10266,7 +10266,7 @@ CONFIG_NFSD_BLOCKLAYOUT=y
 CONFIG_NFSD_SCSILAYOUT=y
 CONFIG_NFSD_FLEXFILELAYOUT=y
 # CONFIG_NFSD_V4_2_INTER_SSC is not set
-# CONFIG_NFSD_V4_SECURITY_LABEL is not set
+CONFIG_NFSD_V4_SECURITY_LABEL=y
 CONFIG_GRACE_PERIOD=m
 CONFIG_LOCKD=m
 CONFIG_LOCKD_V4=y
diff --git a/SPECS/kernel/kernel-uki-dracut.conf b/SPECS/kernel/kernel-uki-dracut.conf
index db4a79aa0f7..fdfec989386 100644
--- a/SPECS/kernel/kernel-uki-dracut.conf
+++ b/SPECS/kernel/kernel-uki-dracut.conf
@@ -6,7 +6,7 @@ compress="xz"
 early_microcode="no"
 
 # modules: basics
-dracutmodules+=" base systemd systemd-initrd dracut-systemd dbus usrmount shutdown i18n "
+dracutmodules+=" base systemd systemd-initrd dracut-systemd shutdown i18n "
 
 # modules: storage support
 dracutmodules+=" dm rootfs-block fs-lib "
diff --git a/SPECS/kernel/kernel-uki.signatures.json b/SPECS/kernel/kernel-uki.signatures.json
index d896ac81fa8..93fa9871af9 100644
--- a/SPECS/kernel/kernel-uki.signatures.json
+++ b/SPECS/kernel/kernel-uki.signatures.json
@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "kernel-uki-dracut.conf": "3dff7bc36a7da9217a5d07304ad697c4c1f63b4d349854dc0529ec500179676e"
+    "kernel-uki-dracut.conf": "83b8db11c5066b275f8d982bbae69305750f94f7e96ab215104ed050a682de4e"
   }
 }
diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec
index b0d8478290a..665feb2b6ab 100644
--- a/SPECS/kernel/kernel-uki.spec
+++ b/SPECS/kernel/kernel-uki.spec
@@ -17,8 +17,8 @@
 
 Summary:        Unified Kernel Image
 Name:           kernel-uki
-Version:        6.6.47.1
-Release:        1%{?dist}
+Version:        6.6.51.1
+Release:        5%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -65,11 +65,49 @@ install -vdm 700 %{buildroot}/lib/modules/%{kernelver}
 install -vm 600 vmlinuz-uki.efi %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi
 ln -s /boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/lib/modules/%{kernelver}/vmlinuz-uki.efi
 
+# install to ESP
+install -vdm 700 %{buildroot}/boot/efi/EFI/Linux
+cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
+
 %files
 /boot/vmlinuz-uki-%{kernelver}.efi
 /lib/modules/%{kernelver}/vmlinuz-uki.efi
+/boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
 
 %changelog
+* Thu Oct 03 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.51.1-5
+- Bump release to match kernel
+
+* Wed Oct 02 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.51.1-4
+- Bump release to match kernel
+
+* Tue Sep 24 2024 Jo Zzsi <jozzsicsataban@gmail.com> - 6.6.51.1-3
+- Remove dbus from initrd
+
+* Fri Sep 20 2024 Chris Co <chrco@microsoft.com> - 6.6.51.1-2
+- Bump release to match kernel
+
+* Wed Sep 18 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.51.1-1
+- Auto-upgrade to 6.6.51.1
+
+* Fri Sep 13 2024 Thien Trung Vuong <tvuong@microsoft.com> - 6.6.47.1-7
+- Install binary to ESP
+
+* Fri Sep 13 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-6
+- Bump release to match kernel
+
+* Thu Sep 12 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-5
+- Bump release to match kernel
+
+* Thu Sep 12 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-4
+- Bump release to match kernel
+
+* Wed Sep 04 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-3
+- Bump release to match kernel
+
+* Thu Aug 29 2024 Jo Zzsi <jozzsicsataban@gmail.com> - 6.6.47.1-2
+- Remove usrmount from initrd
+
 * Thu Aug 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.47.1-1
 - Auto-upgrade to 6.6.47.1
 
diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json
index fb9ff8c6bbf..17be245e529 100644
--- a/SPECS/kernel/kernel.signatures.json
+++ b/SPECS/kernel/kernel.signatures.json
@@ -1,11 +1,11 @@
 {
   "Signatures": {
     "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
-    "config": "e64e049e175bd2d2d68794689b26e3080f5ce0f9141264be4e68c5be9af750c7",
-    "config_aarch64": "a97fae26989a351d21d27bd99d3a1456e8e661a2754ca0f690e98cc0b3f33c7b",
+    "config": "2c39e562cc6c0f133df50a576e27e5a89a5d3c5fde8a6ed391cde372129e202f",
+    "config_aarch64": "c496a8275a29735e25105a86db16228e1bdde3d8ce7e0caa72d423b971d6cbda",
     "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
     "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
     "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",
-    "kernel-6.6.47.1.tar.gz": "05f517228da02a9d1d4fd86c66b7565aa7bd28bae1380e29d79f181842efe50f"
+    "kernel-6.6.51.1.tar.gz": "018ece71bd3feb3f770e759c4c04a4472c72daf3a10f3f88de61083aaa6193df"
   }
 }
diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec
index 198bd0f9ec9..7e167e33d1e 100644
--- a/SPECS/kernel/kernel.spec
+++ b/SPECS/kernel/kernel.spec
@@ -29,8 +29,8 @@
 
 Summary:        Linux Kernel
 Name:           kernel
-Version:        6.6.47.1
-Release:        1%{?dist}
+Version:        6.6.51.1
+Release:        5%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -43,7 +43,7 @@ Source3:        sha512hmac-openssl.sh
 Source4:        cbl-mariner-ca-20211013.pem
 Source5:        cpupower
 Source6:        cpupower.service
-Patch0:		    0001-add-mstflint-kernel-%{mstflintver}.patch
+Patch0:         0001-add-mstflint-kernel-%{mstflintver}.patch
 BuildRequires:  audit-devel
 BuildRequires:  bash
 BuildRequires:  bc
@@ -407,6 +407,42 @@ echo "initrd of kernel %{uname_r} removed" >&2
 %{_sysconfdir}/bash_completion.d/bpftool
 
 %changelog
+* Thu Oct 03 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.51.1-5
+- Make e1000 drivers modules instead of built-in
+- Enable virtio console by default
+
+* Wed Oct 02 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.51.1-4
+- Enable nfsd v4 security label
+
+* Tue Sep 24 2024 Jo Zzsi <jozzsicsataban@gmail.com> - 6.6.51.1-3
+- UKI: remove dbus from initrd
+
+* Fri Sep 20 2024 Chris Co <chrco@microsoft.com> - 6.6.51.1-2
+- Enable MLX5 TC offload
+
+* Wed Sep 18 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.51.1-1
+- Auto-upgrade to 6.6.51.1
+
+* Fri Sep 13 2024 Thien Trung Vuong <tvuong@microsoft.com> - 6.6.47.1-7
+- UKI: Install binary to ESP
+
+* Fri Sep 13 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-6
+- Disable xen debugfs and I2C Baytrail configs
+
+* Thu Sep 12 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-5
+- Build mpt2sas and mpt3sas drivers as modules
+- Build pata_legacy as module
+
+* Thu Sep 12 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-4
+- Enable paravirt spinlocks
+- Enable CET and IBT
+
+* Wed Sep 04 2024 Rachel Menge <rachelmenge@microsoft.com> - 6.6.47.1-3
+- Enable usb hiddev and serial ch341
+
+* Thu Aug 29 2024 Jo Zzsi <jozzsicsataban@gmail.com> - 6.6.47.1-2
+- UKI: remove usrmount from initrd
+
 * Thu Aug 22 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.6.47.1-1
 - Auto-upgrade to 6.6.47.1
 
diff --git a/SPECS/krb5/CVE-2024-26461.patch b/SPECS/krb5/CVE-2024-26461.patch
new file mode 100644
index 00000000000..f44347c3c51
--- /dev/null
+++ b/SPECS/krb5/CVE-2024-26461.patch
@@ -0,0 +1,195 @@
+From c929e7d18bdd47b9e9316de173359efc76810b29 Mon Sep 17 00:00:00 2001
+From: ankita <ankitapareek@microsoft.com>
+Date: Mon, 2 Sep 2024 12:34:38 +0530
+Subject: [PATCH] krb5: Fix CVE-2024-26458 and CVE-2024-26461
+
+---
+ src/lib/gssapi/krb5/k5sealv3.c | 56 +++++++++++++++-------------------
+ src/lib/rpc/pmap_rmt.c         |  9 +++---
+ 2 files changed, 29 insertions(+), 36 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c
+index 1fcbdfb..d3210c1 100644
+--- a/src/lib/gssapi/krb5/k5sealv3.c
++++ b/src/lib/gssapi/krb5/k5sealv3.c
+@@ -65,7 +65,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+                                 int conf_req_flag, int toktype)
+ {
+     size_t bufsize = 16;
+-    unsigned char *outbuf = 0;
++    unsigned char *outbuf = NULL;
+     krb5_error_code err;
+     int key_usage;
+     unsigned char acceptor_flag;
+@@ -75,9 +75,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+ #endif
+     size_t ec;
+     unsigned short tok_id;
+-    krb5_checksum sum;
++    krb5_checksum sum = { 0 };
+     krb5_key key;
+     krb5_cksumtype cksumtype;
++    krb5_data plain = empty_data();
++
++    token->value = NULL;
++    token->length = 0;
+ 
+     acceptor_flag = ctx->initiate ? 0 : FLAG_SENDER_IS_ACCEPTOR;
+     key_usage = (toktype == KG_TOK_WRAP_MSG
+@@ -107,14 +111,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+ #endif
+ 
+     if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
+-        krb5_data plain;
+         krb5_enc_data cipher;
+         size_t ec_max;
+         size_t encrypt_size;
+ 
+         /* 300: Adds some slop.  */
+-        if (SIZE_MAX - 300 < message->length)
+-            return ENOMEM;
++        if (SIZE_MAX - 300 < message->length) {
++            err = ENOMEM;
++            goto cleanup;
++        }
+         ec_max = SIZE_MAX - message->length - 300;
+         if (ec_max > 0xffff)
+             ec_max = 0xffff;
+@@ -126,20 +131,20 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+ #endif
+         err = alloc_data(&plain, message->length + 16 + ec);
+         if (err)
+-            return err;
++            goto cleanup;
+ 
+         /* Get size of ciphertext.  */
+         encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype);
+         if (encrypt_size > SIZE_MAX / 2) {
+             err = ENOMEM;
+-            goto error;
++            goto cleanup;
+         }
+         bufsize = 16 + encrypt_size;
+         /* Allocate space for header plus encrypted data.  */
+         outbuf = gssalloc_malloc(bufsize);
+         if (outbuf == NULL) {
+-            free(plain.data);
+-            return ENOMEM;
++            err = ENOMEM;
++            goto cleanup;
+         }
+ 
+         /* TOK_ID */
+@@ -164,11 +169,8 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+         cipher.ciphertext.length = bufsize - 16;
+         cipher.enctype = key->keyblock.enctype;
+         err = krb5_k_encrypt(context, key, key_usage, 0, &plain, &cipher);
+-        zap(plain.data, plain.length);
+-        free(plain.data);
+-        plain.data = 0;
+         if (err)
+-            goto error;
++            goto cleanup;
+ 
+         /* Now that we know we're returning a valid token....  */
+         ctx->seq_send++;
+@@ -181,7 +183,6 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+         /* If the rotate fails, don't worry about it.  */
+ #endif
+     } else if (toktype == KG_TOK_WRAP_MSG && !conf_req_flag) {
+-        krb5_data plain;
+         size_t cksumsize;
+ 
+         /* Here, message is the application-supplied data; message2 is
+@@ -193,21 +194,19 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+     wrap_with_checksum:
+         err = alloc_data(&plain, message->length + 16);
+         if (err)
+-            return err;
++            goto cleanup;
+ 
+         err = krb5_c_checksum_length(context, cksumtype, &cksumsize);
+         if (err)
+-            goto error;
++            goto cleanup;
+ 
+         assert(cksumsize <= 0xffff);
+ 
+         bufsize = 16 + message2->length + cksumsize;
+         outbuf = gssalloc_malloc(bufsize);
+         if (outbuf == NULL) {
+-            free(plain.data);
+-            plain.data = 0;
+             err = ENOMEM;
+-            goto error;
++            goto cleanup;
+         }
+ 
+         /* TOK_ID */
+@@ -239,23 +238,15 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+         if (message2->length)
+             memcpy(outbuf + 16, message2->value, message2->length);
+ 
+-        sum.contents = outbuf + 16 + message2->length;
+-        sum.length = cksumsize;
+-
+         err = krb5_k_make_checksum(context, cksumtype, key,
+                                    key_usage, &plain, &sum);
+-        zap(plain.data, plain.length);
+-        free(plain.data);
+-        plain.data = 0;
+         if (err) {
+             zap(outbuf,bufsize);
+-            goto error;
++            goto cleanup;
+         }
+         if (sum.length != cksumsize)
+             abort();
+         memcpy(outbuf + 16 + message2->length, sum.contents, cksumsize);
+-        krb5_free_checksum_contents(context, &sum);
+-        sum.contents = 0;
+         /* Now that we know we're actually generating the token...  */
+         ctx->seq_send++;
+ 
+@@ -285,12 +276,13 @@ gss_krb5int_make_seal_token_v3 (krb5_context context,
+ 
+     token->value = outbuf;
+     token->length = bufsize;
+-    return 0;
++    outbuf = NULL;
++    err = 0;
+ 
+-error:
++cleanup:
++    krb5_free_checksum_contents(context, &sum);
++    zapfree(plain.data, plain.length);
+     gssalloc_free(outbuf);
+-    token->value = NULL;
+-    token->length = 0;
+     return err;
+ }
+ 
+diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
+index 8c7e30c..115a55a 100644
+--- a/src/lib/rpc/pmap_rmt.c
++++ b/src/lib/rpc/pmap_rmt.c
+@@ -160,11 +160,12 @@ xdr_rmtcallres(
+ 	caddr_t port_ptr;
+ 
+ 	port_ptr = (caddr_t)(void *)crp->port_ptr;
+-	if (xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
+-	    xdr_u_int32) && xdr_u_int32(xdrs, &crp->resultslen)) {
+-		crp->port_ptr = (uint32_t *)(void *)port_ptr;
++	if (!xdr_reference(xdrs, &port_ptr, sizeof (uint32_t),
++	    xdr_u_int32))
++		return (FALSE);
++	crp->port_ptr = (uint32_t *)(void *)port_ptr;
++	if (xdr_u_int32(xdrs, &crp->resultslen))
+ 		return ((*(crp->xdr_results))(xdrs, crp->results_ptr));
+-	}
+ 	return (FALSE);
+ }
+ 
+-- 
+2.34.1
+
diff --git a/SPECS/krb5/krb5.spec b/SPECS/krb5/krb5.spec
index 86e866532f9..1ad51fc41e2 100644
--- a/SPECS/krb5/krb5.spec
+++ b/SPECS/krb5/krb5.spec
@@ -4,7 +4,7 @@
 Summary:        The Kerberos newtork authentication system
 Name:           krb5
 Version:        1.21.3
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -12,6 +12,7 @@ Group:          System Environment/Security
 URL:            https://web.mit.edu/kerberos/
 Source0:        https://kerberos.org/dist/%{name}/%{maj_version}/%{name}-%{version}.tar.gz
 Source1:        krb5.conf
+Patch0:         CVE-2024-26461.patch
 BuildRequires:  e2fsprogs-devel
 BuildRequires:  openssl-devel
 Requires:       e2fsprogs-libs
@@ -125,6 +126,9 @@ make check
 %{_datarootdir}/locale/*
 
 %changelog
+* Mon Sep 2 2024 Ankita Pareek <ankitapareek@microsoft.com> - 1.21.3-2
+- Add patch for CVE-2024-26458 and CVE-2024-26461
+
 * Wed Jul 24 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.21.3-1
 - Auto-upgrade to 1.21.3 - CVE-2024-37371, CVE-2024-37370
 
diff --git a/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec b/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec
index f9a510b2190..f0a5e64c442 100644
--- a/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec
+++ b/SPECS/kube-vip-cloud-provider/kube-vip-cloud-provider.spec
@@ -1,11 +1,11 @@
 Summary:        The Kube-Vip cloud provider functions as a general-purpose cloud provider for on-premises bare-metal or virtualized setups
 Name:           kube-vip-cloud-provider
 Version:        0.0.10
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        ASL 2.0
 URL:            https://github.com/kube-vip/kube-vip-cloud-provider
 Group:          Applications/Text
-Vendor:         Microsoft
+Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Source0:        https://github.com/kube-vip/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 #Note that the source file should be renamed to the format {name}-%{version}.tar.gz
@@ -40,6 +40,9 @@ install kube-vip-cloud-provider %{buildroot}%{_bindir}/kube-vip-cloud-provider
 %{_bindir}/kube-vip-cloud-provider
 
 %changelog
+* Tue Sep 03 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.0.10-2
+- Release bump to fix package information.
+
 * Mon Jul 08 2024 Tobias Brick <tobiasb@microsoft.com> - 0.0.10-1
 - Upgrade to 0.0.10
 - Patch CVE-2023-47108
diff --git a/SPECS/kubernetes/kubernetes.spec b/SPECS/kubernetes/kubernetes.spec
index 2019b2431ce..4e6de8c2719 100644
--- a/SPECS/kubernetes/kubernetes.spec
+++ b/SPECS/kubernetes/kubernetes.spec
@@ -10,7 +10,7 @@
 Summary:        Microsoft Kubernetes
 Name:           kubernetes
 Version:        1.30.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -19,7 +19,7 @@ URL:            https://kubernetes.io/
 Source0:        https://dl.k8s.io/v%{version}/kubernetes-src.tar.gz#/%{name}-v%{version}.tar.gz
 Source1:        kubelet.service
 BuildRequires:  flex-devel
-BuildRequires:  glibc-static >= 2.38-7%{?dist}
+BuildRequires:  glibc-static >= 2.38-8%{?dist}
 BuildRequires:  golang
 BuildRequires:  rsync
 BuildRequires:  systemd-devel
@@ -269,6 +269,9 @@ fi
 %{_exec_prefix}/local/bin/pause
 
 %changelog
+* Mon Aug 26 2024 Rachel Menge <rachelmenge@microsoft.com> - 1.30.1-3
+- Update to build dep latest glibc-static version
+
 * Wed Aug 21 2024 Chris Co <chrco@microsoft.com> - 1.30.1-2
 - Bump to rebuild with updated glibc
 
@@ -465,5 +468,3 @@ fi
 
 * Wed Dec 02 2020 Nicolas Guibourge <nicolasg@microsoft.com> - 1.19.1-1
 - Original version for CBL-Mariner
-
-
diff --git a/SPECS/kubevirt/kubevirt.spec b/SPECS/kubevirt/kubevirt.spec
index e39f59997a1..bdff43c0b07 100644
--- a/SPECS/kubevirt/kubevirt.spec
+++ b/SPECS/kubevirt/kubevirt.spec
@@ -20,7 +20,7 @@
 Summary:        Container native virtualization
 Name:           kubevirt
 Version:        1.2.0
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -32,8 +32,9 @@ Source0:        https://github.com/kubevirt/kubevirt/archive/refs/tags/v%{versio
 # correctly.
 Patch0:         Cleanup-housekeeping-cgroup-on-vm-del.patch
 %global debug_package %{nil}
+BuildRequires:  swtpm-tools
 BuildRequires:  glibc-devel
-BuildRequires:  glibc-static >= 2.38-7%{?dist}
+BuildRequires:  glibc-static >= 2.38-8%{?dist}
 BuildRequires:  golang >= 1.21
 BuildRequires:  golang-packaging
 BuildRequires:  pkgconfig
@@ -270,6 +271,9 @@ install -p -m 0644 cmd/virt-launcher/qemu.conf %{buildroot}%{_datadir}/kube-virt
 %{_bindir}/virt-tests
 
 %changelog
+* Fri Sep 06 2024 Sharath Srikanth Chellappa <sharathsr@microsoft.com> - 1.2.0-8
+- Adding swtpm tools for building kubevirt RPM.
+
 * Fri Aug 30 2024 Harshit Gupta <guptaharshit@microsoft.com> - 1.2.0-7
 - Update installation path of virt_launcher.cil in virt-handler container.
 
@@ -327,10 +331,10 @@ install -p -m 0644 cmd/virt-launcher/qemu.conf %{buildroot}%{_datadir}/kube-virt
 - Bump release to rebuild with go 1.19.10
 
 * Fri May 12 2023 Kanika Nema <kanikanema@microsoft.com> - 0.59.0-2
-- Patch 0.59.0 with Operator Nexus patches 
+- Patch 0.59.0 with Operator Nexus patches
 
 * Fri May 05 2023 Kanika Nema <kanikanema@microsoft.com> - 0.59.0-1
-- Upgrade to v0.59.0 
+- Upgrade to v0.59.0
 
 * Wed Apr 05 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 0.58.0-7
 - Bump release to rebuild with go 1.19.8
diff --git a/SPECS/libburn/libburn.spec b/SPECS/libburn/libburn.spec
index 70559057ccf..48b35ab9a55 100644
--- a/SPECS/libburn/libburn.spec
+++ b/SPECS/libburn/libburn.spec
@@ -5,10 +5,12 @@
 Summary:         Library for reading, mastering and writing optical discs
 Name:            libburn
 Version:         1.5.6
-Release:         1%{?dist}
+Release:         2%{?dist}
 License:         GPLv2+
 Group:           System Environment/Libraries
 URL:             https://dev.lovelyhq.com/libburnia/libburn
+Vendor:          Microsoft Corporation
+Distribution:    Azure Linux
 Source0:         https://dev.lovelyhq.com/libburnia/libburn/archive/release-%{version}.tar.gz#//%{pkgname}-%{version}.tar.gz
 Patch0:          libburn-0.6.16-multilib.patch
 
@@ -89,6 +91,9 @@ rm -rf $RPM_BUILD_ROOT%{_defaultdocdir}
 %{_mandir}/man1/%{cdrskin}.1*
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.5.6-2
+- Add missing Vendor and Distribution tags.
+
 * Fri Oct 27 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.5.6-1
 - Auto-upgrade to 1.5.6 - Azure Linux 3.0 - package upgrades
 
diff --git a/SPECS/libcxx/libcxx.signatures.json b/SPECS/libcxx/libcxx.signatures.json
new file mode 100644
index 00000000000..f93006b26f9
--- /dev/null
+++ b/SPECS/libcxx/libcxx.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "llvmorg-18.1.2.tar.gz": "8d686d5ece6f12b09985cb382a3a530dc06bb6e7eb907f57c7f8bf2d868ebb0b"
+ }
+}
diff --git a/SPECS/libcxx/libcxx.spec b/SPECS/libcxx/libcxx.spec
new file mode 100644
index 00000000000..08d56bf5e6e
--- /dev/null
+++ b/SPECS/libcxx/libcxx.spec
@@ -0,0 +1,568 @@
+%global toolchain clang
+
+# Opt out of https://fedoraproject.org/wiki/Changes/fno-omit-frame-pointer
+# https://bugzilla.redhat.com/show_bug.cgi?id=2158587
+%undefine _include_frame_pointers
+
+%global maj_ver 18
+
+Summary:        C++ standard library targeting C++11
+Name:           libcxx
+Version:        %{maj_ver}.1.2
+Release:        2%{?dist}
+License:        Apache-2.0 WITH LLVM-exception OR MIT OR NCSA
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+Group:          Development/Tools
+URL:            http://libcxx.llvm.org/
+Source0:        https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-%{version}.tar.gz
+
+BuildRequires:  clang
+BuildRequires:  cmake
+BuildRequires:  llvm-devel
+BuildRequires:  ninja-build
+
+Requires: libcxxabi%{?_isa} = %{version}-%{release}
+
+%description
+libc++ is a new implementation of the C++ standard library, targeting C++11.
+
+%package devel
+Summary:    Headers and libraries for libcxx devel
+Requires:   %{name}%{?_isa} = %{version}-%{release}
+Requires:   libcxxabi-devel
+
+%description devel
+%{summary}.
+
+%package static
+Summary:    Static libraries for libcxx
+
+%description static
+%{summary}.
+
+%package -n libcxxabi
+Summary:    Low level support for a standard C++ library
+
+%description -n libcxxabi
+libcxxabi provides low level support for a standard C++ library.
+
+%package -n libcxxabi-devel
+Summary:    Headers and libraries for libcxxabi devel
+Requires:   libcxxabi%{?_isa} = %{version}-%{release}
+
+%description -n libcxxabi-devel
+%{summary}.
+
+%package -n libcxxabi-static
+Summary:    Static libraries for libcxxabi
+
+%description -n libcxxabi-static
+%{summary}.
+
+%package -n llvm-libunwind
+Summary:    LLVM libunwind
+
+%description -n llvm-libunwind
+
+LLVM libunwind is an implementation of the interface defined by the HP libunwind
+project. It was contributed Apple as a way to enable clang++ to port to
+platforms that do not have a system unwinder. It is intended to be a small and
+fast implementation of the ABI, leaving off some features of HP's libunwind
+that never materialized (e.g. remote unwinding).
+
+%package -n llvm-libunwind-devel
+Summary:    LLVM libunwind development files
+Provides:   libunwind(major) = %{maj_ver}
+Requires:   llvm-libunwind%{?_isa} = %{version}-%{release}
+
+%description -n llvm-libunwind-devel
+Unversioned shared library for LLVM libunwind
+
+%package -n llvm-libunwind-static
+Summary: Static library for LLVM libunwind
+
+%description -n llvm-libunwind-static
+%{summary}.
+
+%prep
+%autosetup -p1 -n llvm-project-llvmorg-%{version}
+
+%build
+mkdir -p build
+cd build
+cmake \
+    -G Ninja \
+    -S ../runtimes \
+    -DLLVM_ENABLE_RUNTIMES="libcxx;libcxxabi;libunwind" \
+    -DCMAKE_INSTALL_PREFIX=%{_prefix} \
+    -DCMAKE_BUILD_TYPE=Release \
+    -DCMAKE_MODULE_PATH="%{_libdir}/cmake/llvm;%{_datadir}/llvm/cmake/Modules" \
+    -DCMAKE_POSITION_INDEPENDENT_CODE=ON \
+    -DLIBCXX_STATICALLY_LINK_ABI_IN_STATIC_LIBRARY=ON \
+    -DLIBCXX_INCLUDE_BENCHMARKS=OFF \
+    -DLIBCXX_ENABLE_ABI_LINKER_SCRIPT=ON \
+    -DLIBUNWIND_INSTALL_INCLUDE_DIR=%{_includedir}/llvm-libunwind \
+    -DCXX_SUPPORTS_NOSTDLIBXX_FLAG=OFF
+
+%ninja_build cxx
+%ninja_build
+
+%install
+cd build
+%ninja_install
+
+# We can't install the unversionned path on default location because that would conflict with
+# https://src.fedoraproject.org/rpms/libunwind
+#
+# The versionned path has a different soname (libunwind.so.1 compared to
+# libunwind.so.8) so they can live together in %%{_libdir}
+#
+# ABI wise, even though llvm-libunwind's library is named libunwind, it doesn't
+# have the exact same ABI as gcc's libunwind (it actually provides a subset).
+rm %{buildroot}%{_libdir}/libunwind.so
+mkdir -p %{buildroot}/%{_libdir}/llvm-unwind/
+
+pushd %{buildroot}/%{_libdir}/llvm-unwind
+ln -s ../libunwind.so.1.0 libunwind.so
+popd
+
+%ldconfig_scriptlets
+
+%files
+%license libcxx/LICENSE.TXT
+%doc libcxx/CREDITS.TXT libcxx/TODO.TXT
+%{_libdir}/libc++.so.*
+
+%files devel
+%{_includedir}/c++/
+%exclude %{_includedir}/c++/v1/cxxabi.h
+%exclude %{_includedir}/c++/v1/__cxxabi_config.h
+%{_libdir}/libc++.so
+
+%files static
+%license libcxx/LICENSE.TXT
+%{_libdir}/libc++.a
+%{_libdir}/libc++experimental.a
+
+%files -n libcxxabi
+%license libcxxabi/LICENSE.TXT
+%doc libcxxabi/CREDITS.TXT
+%{_libdir}/libc++abi.so.*
+
+%files -n libcxxabi-devel
+%{_includedir}/c++/v1/cxxabi.h
+%{_includedir}/c++/v1/__cxxabi_config.h
+%{_libdir}/libc++abi.so
+
+%files -n libcxxabi-static
+%{_libdir}/libc++abi.a
+
+%files -n llvm-libunwind
+%license libunwind/LICENSE.TXT
+%{_libdir}/libunwind.so.1
+%{_libdir}/libunwind.so.1.0
+
+%files -n llvm-libunwind-devel
+%{_includedir}/llvm-libunwind/__libunwind_config.h
+%{_includedir}/llvm-libunwind/libunwind.h
+%{_includedir}/llvm-libunwind/libunwind.modulemap
+%{_includedir}/llvm-libunwind/mach-o/compact_unwind_encoding.h
+%{_includedir}/llvm-libunwind/mach-o/compact_unwind_encoding.modulemap
+%{_includedir}/llvm-libunwind/unwind.h
+%{_includedir}/llvm-libunwind/unwind_arm_ehabi.h
+%{_includedir}/llvm-libunwind/unwind_itanium.h
+%dir %{_libdir}/llvm-unwind
+%{_libdir}/llvm-unwind/libunwind.so
+
+%files -n llvm-libunwind-static
+%{_libdir}/libunwind.a
+
+%changelog
+* Wed Aug 07 2024 Andrew Phelps <anphel@microsoft.com> - 18.1.2-2
+- Initial Azure Linux import from Fedora 40 (license: MIT).
+- License verified
+
+* Fri Mar 22 2024 Tom Stellard <tstellar@redhat.com> - 18.1.2-1
+- 18.1.2 Release
+
+* Wed Mar 13 2024 Tom Stellard <tstellar@redhat.com> - 18.1.1-1
+- 18.1.1 Release
+
+* Mon Mar 04 2024 Nikita Popov <npopov@redhat.com> - 18.1.0~rc4-2
+- Disable LIBCXXABI_USE_LLVM_UNWINDER (rhbz#2267690)
+
+* Thu Feb 29 2024 Tom Stellard <tstellar@redhat.com> - 18.1.0~rc4-1
+- 18.1.0-rc4 Release
+
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 17.0.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 17.0.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Wed Nov 29 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 17.0.6-1
+- Update to LLVM 17.0.6
+
+* Wed Nov 01 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 17.0.4-1
+- Update to LLVM 17.0.4
+
+* Wed Oct 18 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 17.0.3-1
+- Update to LLVM 17.0.3
+
+* Wed Oct 04 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 17.0.2-1
+- Update to LLVM 17.0.2
+
+* Mon Sep 25 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 17.0.1-1
+- Update to LLVM 17.0.1
+
+* Mon Sep 11 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 17.0.0~rc4-1
+- Update to LLVM 17.0.0 RC4
+
+* Fri Aug 25 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 17.0.0~rc3-1
+- Update to LLVM 17.0.0 RC3
+
+* Wed Aug 23 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 17.0.0~rc2-1
+- Update to LLVM 17.0.0 RC2
+
+* Wed Aug 02 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 17.0.0~rc1-1
+- Update to LLVM 17.0.0 RC1
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 16.0.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Mon Jul 10 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 16.0.6-1
+- Update to LLVM 16.0.6
+
+* Thu Jun 15 2023 Nikita Popov <npopov@redhat.com> - 16.0.5-2
+- Use llvm-cmake-utils package
+
+* Tue Jun 06 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 16.0.5-1
+- Update to LLVM 16.0.5
+
+* Tue May 30 2023 Nikita Popov <npopov@redhat.com> - 16.0.4-2
+- Merge llvm-libunwind srpm into libcxx
+
+* Fri May 19 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 16.0.4-1
+- Update to LLVM 16.0.4
+
+* Wed May 10 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 16.0.3-1
+- Update to LLVM 16.0.3
+
+* Wed Apr 26 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 16.0.2-1
+- Update to LLVM 16.0.2
+
+* Thu Apr 20 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 16.0.1-2
+- Enable PIC even for static libraries (rhbz#2186531)
+
+* Thu Apr 13 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 16.0.1-1
+- Update to LLVM 16.0.1
+
+* Mon Mar 20 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 16.0.0-1
+- Update to LLVM 16.0.0
+
+* Wed Mar 15 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 16.0.0~rc4-1
+- Update to LLVM 16.0.0 RC4
+
+* Thu Feb 23 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 16.0.0~rc3-1
+- Update to LLVM 16.0.0 RC3
+
+* Fri Feb 10 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 16.0.0~rc1-1
+- Update to LLVM 16.0.0 RC1
+
+* Wed Feb 01 2023 Tom Stellard <tstellar@redhat.com> - 15.0.7-4
+- Omit frame pointers when building
+
+* Thu Jan 19 2023 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 15.0.7-3
+- Include the Apache license adopted in 2019.
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 15.0.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Jan 13 2023 Nikita Popov <npopov@redhat.com> - 15.0.7-1
+- Update to LLVM 15.0.7
+
+* Tue Dec 06 2022 Nikita Popov <npopov@redhat.com> - 15.0.6-1
+- Update to LLVM 15.0.6
+
+* Mon Nov 07 2022 Nikita Popov <npopov@redhat.com> - 15.0.4-1
+- Update to LLVM 15.0.4
+
+* Wed Oct 05 2022 Nikita Popov <npopov@redhat.com> - 15.0.0-5
+- Fix libcxxabi dependencies
+
+* Wed Oct 05 2022 Nikita Popov <npopov@redhat.com> - 15.0.0-4
+- Combine with libcxxabi build
+
+* Tue Sep 13 2022 Nikita Popov <npopov@redhat.com> - 15.0.0-3
+- Rebuild
+
+* Tue Sep 13 2022 Nikita Popov <npopov@redhat.com> - 15.0.0-2
+- Link libc++.a against libc++abi.a
+
+* Thu Sep 08 2022 Nikita Popov <npopov@redhat.com> - 15.0.0-1
+- Update to LLVM 15.0.0
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 14.0.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Mon Jun 20 2022 Timm Bäder <tbaeder@redhat.com> - 14.0.5-1
+- Update to 14.0.5
+
+* Fri Apr 29 2022 Timm Bäder <tbaeder@redhat.com> - 14.0.0-2
+- Remove llvm-cmake-devel BR
+
+* Thu Mar 24 2022 Timm Bäder <tbaeder@redhat.com> - 14.0.0-1
+- Update to 14.0.0
+
+* Thu Feb 03 2022 Nikita Popov <npopov@redhat.com> - 13.0.1-1
+- Update to LLVM 13.0.1 final
+
+* Tue Feb 01 2022 Nikita Popov <npopov@redhat.com> - 13.0.1~rc3-1
+- Update to LLVM 13.0.1rc3
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 13.0.1~rc2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Fri Jan 14 2022 Nikita Popov <npopov@redhat.com> - 13.0.1~rc2-1
+- Update to LLVM 13.0.1rc2
+
+* Wed Jan 12 2022 Nikita Popov <npopov@redhat.com> - 13.0.1~rc1-1
+- Update to LLVM 13.0.1rc1
+
+* Fri Oct 01 2021 Tom Stellard <tstellar@redhat.com> - 13.0.0-1
+- 13.0.0 Release
+
+* Wed Sep 22 2021 Tom Stellard <tstellar@redhat.com> - 13.0.0~rc3-1
+- 13.0.0-rc3 Release
+
+* Mon Aug 09 2021 Tom Stellard <tstellar@redhat.com> - 13.0.0~rc1-1
+- 13.0.0-rc1 Release
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 12.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Jul 13 2021 Tom Stellard <tstellar@redhat.com> - 12.0.1-1
+- 12.0.1 Release
+
+* Thu Jul 01 2021 Tom Stellard <tstellar@redhat.com> - 12.0.1~rc3-1
+- 12.0.1-rc3 Release
+
+* Thu Jun 03 2021 Tom Stellard <tstellar@redhat.com> - 12.0.1~rc1-1
+- 12.0.1-rc1 Release
+
+* Fri Apr 16 2021 Tom Stellard <tstellar@redhat.com> - 12.0.0-1
+- 12.0.0 Release
+
+* Thu Apr 08 2021 sguelton@redhat.com - 12.0.0-0.7.rc5
+- New upstream release candidate
+
+* Fri Apr 02 2021 sguelton@redhat.com - 12.0.0-0.6.rc4
+- New upstream release candidate
+
+* Thu Mar 11 2021 sguelton@redhat.com - 12.0.0-0.5.rc3
+- LLVM 12.0.0 rc3
+
+* Tue Mar 09 2021 sguelton@redhat.com - 12.0.0-0.4.rc2
+- rebuilt
+
+* Thu Feb 25 2021 Timm Bäder <tbaeder@redhat.com> - 12.0.0-0.3.rc2
+- Build shared and static libc++ separately
+- Include libc++abi symbols in static libc++.a
+
+* Wed Feb 24 2021 sguelton@redhat.com - 12.0.0-0.2.rc2
+- 12.0.0-rc2 release
+
+* Wed Feb 17 2021 Tom Stellard <tstellar@redhat.com> - 12.0.0-0.1.rc1
+- 12.0.0-rc1 Release
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 11.1.0-0.3.rc2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 22 2021 Serge Guelton - 11.1.0-0.2.rc2
+- llvm 11.1.0-rc2 release
+
+* Thu Jan 14 2021 Serge Guelton - 11.1.0-0.1.rc1
+- 11.1.0-rc1 release
+
+* Wed Jan 06 2021 Serge Guelton - 11.0.1-3
+- LLVM 11.0.1 final
+
+* Tue Dec 22 2020 sguelton@redhat.com - 11.0.1-2.rc2
+- llvm 11.0.1-rc2
+
+* Tue Dec 01 2020 sguelton@redhat.com - 11.0.1-1.rc1
+- llvm 11.0.1-rc1
+
+* Thu Oct 15 2020 sguelton@redhat.com - 11.0.0-1
+- Fix NVR
+
+* Mon Oct 12 2020 sguelton@redhat.com - 11.0.0-0.5
+- llvm 11.0.0 - final release
+
+* Thu Oct 08 2020 sguelton@redhat.com - 11.0.0-0.4.rc6
+- 11.0.0-rc6
+
+* Fri Oct 02 2020 sguelton@redhat.com - 11.0.0-0.3.rc5
+- 11.0.0-rc5 Release
+
+* Sun Sep 27 2020 sguelton@redhat.com - 11.0.0-0.2.rc3
+- Fix NVR
+
+* Thu Sep 24 2020 sguelton@redhat.com - 11.0.0-0.1.rc3
+- 11.0.0-rc3 Release
+
+* Tue Sep 01 2020 sguelton@redhat.com - 11.0.0-0.1.rc2
+- 11.0.0-rc2 Release
+
+* Tue Aug 11 2020 Tom Stellard <tstellar@redhat.com> - 11.0.0-0.1.rc1
+- 11.0.0-rc1 Release
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 10.0.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 20 2020 sguelton@redhat.com - 10.0.0-2
+- Use modern cmake macros
+- Finalize source verification
+
+* Mon Mar 30 2020 sguelton@redhat.com - 10.0.0-1
+- 10.0.0 final
+
+* Wed Mar 25 2020 sguelton@redhat.com - 10.0.0-0.6.rc6
+- 10.0.0 rc6
+
+* Fri Mar 20 2020 sguelton@redhat.com - 10.0.0-0.5.rc5
+- 10.0.0 rc5
+
+* Sun Mar 15 2020 sguelton@redhat.com - 10.0.0-0.4.rc4
+- 10.0.0 rc4
+
+* Thu Mar 05 2020 sguelton@redhat.com - 10.0.0-0.3.rc3
+- 10.0.0 rc3
+
+* Fri Feb 14 2020 sguelton@redhat.com - 10.0.0-0.1.rc2
+- 10.0.0 rc2
+
+* Thu Feb 6 2020 sguelton@redhat.com - 10.0.0-0.2.rc1
+- bootstrap off
+
+* Fri Jan 31 2020 sguelton@redhat.com - 10.0.0-0.1.rc1
+- 10.0.0 rc1
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 9.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jan 16 2020 Tom Stellard <tstellar@redhat.com> - 9.0.1-1
+- 9.0.1 Release
+
+* Thu Jan 16 2020 Tom Stellard <tstellar@redhat.com> - 9.0.0-2
+- Build with gcc on all arches
+
+* Mon Sep 23 2019 Tom Stellard <tstellar@redhat.com> - 9.0.0-1
+- 9.0.0 Release
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 8.0.0-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Mar 20 2019 sguelton@redhat.com - 8.0.0-1
+- 8.0.0 final
+
+* Tue Mar 12 2019 sguelton@redhat.com - 8.0.0-0.4.rc4
+- 8.0.0 Release candidate 4
+
+* Mon Mar 4 2019 sguelton@redhat.com - 8.0.0-0.3.rc3
+- 8.0.0 Release candidate 3
+
+* Sun Feb 24 2019 sguelton@redhat.com - 8.0.0-0.2.rc2
+- 8.0.0 Release candidate 2
+
+* Mon Feb 11 2019 sguelton@redhat.com - 8.0.0-0.1.rc1
+- 8.0.0 Release candidate 1
+
+* Wed Feb 06 2019 sguelton@redhat.com - 7.0.1-1
+- 7.0.1 Release
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.0.1-0.2.rc3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Dec 10 2018 sguelton@redhat.com - 7.0.1-0.1.rc3
+- 7.0.1-rc3 Release
+
+* Tue Sep 25 2018 Tom Stellard <tstellar@redhat.com> - 7.0.0-1
+- 7.0.0 Release
+
+* Wed Sep 12 2018 Tom Stellard <tstellar@redhat.com> - 7.0.0-0.1.rc3
+- 7.0.0-rc3 Release
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jun 26 2018 Tom Callaway <spot@fedoraproject.org> - 6.0.1-1
+- update to 6.0.1
+
+* Wed Mar 21 2018 Tom Stellard <tstellar@redhat.com> - 6.0.0-2
+- Use default LDFLAGS/CXXFLAGS/CFLAGS and filter out flags not supported by clang
+
+* Wed Mar 14 2018 Tom Callaway <spot@fedoraproject.org> - 6.0.0-1
+- 6.0.0 final
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6.0.0-0.2.rc1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Jan 20 2018 Tom Stellard <tstellar@redhat.com> - 6.0.0-0.1.rc1
+- 6.0.0-rc1
+
+* Thu Dec  21 2017 Tom Stellard <tstellar@redhat.com> - 5.0.1-1
+- 5.0.1 Release
+
+* Fri Sep  8 2017 Tom Callaway <spot@fedoraproject.org> - 5.0.0-1
+- update to 5.0.0
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Jun 23 2017 Tom Callaway <spot@fedoraproject.org> - 4.0.1-1
+- update to 4.0.1
+
+* Sat Apr 22 2017 Tom Callaway <spot@fedoraproject.org> - 4.0.0-1
+- update to 4.0.0
+
+* Wed Mar  8 2017 Tom Callaway <spot@fedoraproject.org> - 3.9.1-1
+- update to 3.9.1
+
+* Fri Mar  3 2017 Tom Callaway <spot@fedoraproject.org> - 3.9.0-4
+- LIBCXX_ENABLE_ABI_LINKER_SCRIPT=ON
+
+* Wed Mar  1 2017 Tom Callaway <spot@fedoraproject.org> - 3.9.0-3
+- disable bootstrap
+
+* Tue Feb 21 2017 Dan Horák <dan[at]danny.cz> - 3.9.0-2
+- apply s390(x) workaround only in Fedora < 26
+
+* Mon Feb 20 2017 Tom Callaway <spot@fedoraproject.org> - 3.9.0-1
+- update to 3.9.0 (match clang)
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.8.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Aug 26 2016 Tom Callaway <spot@fedoraproject.org> - 3.8.1-1
+- update to 3.8.1
+
+* Thu Jun 09 2016 Dan Horák <dan[at]danny.cz> - 3.8.0-4
+- exclude Power only in EPEL
+- default to z10 on s390(x)
+
+* Thu May 19 2016 Tom Callaway <spot@fedoraproject.org> - 3.8.0-3
+- use gcc on el7, fedora < 24. use clang on el6 and f24+
+  MAGIC.
+- bootstrap on
+
+* Tue May 3 2016 Tom Callaway <spot@fedoraproject.org> - 3.8.0-2
+- bootstrap off
+
+* Tue May 3 2016 Tom Callaway <spot@fedoraproject.org> - 3.8.0-1
+- initial package
+- bootstrap on
diff --git a/SPECS/libguestfs/libguestfs.spec b/SPECS/libguestfs/libguestfs.spec
index 30d1aee3346..725094c69eb 100644
--- a/SPECS/libguestfs/libguestfs.spec
+++ b/SPECS/libguestfs/libguestfs.spec
@@ -25,7 +25,7 @@
 Summary:        Access and modify virtual machine disk images
 Name:           libguestfs
 Version:        1.52.0
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -82,7 +82,7 @@ BuildRequires:  gcc-c++
 BuildRequires:  gdisk
 BuildRequires:  genisoimage
 BuildRequires:  gfs2-utils
-BuildRequires:  glibc-static >= 2.38-7%{?dist}
+BuildRequires:  glibc-static >= 2.38-8%{?dist}
 BuildRequires:  gobject-introspection-devel
 BuildRequires:  gperf
 BuildRequires:  grep
@@ -1147,6 +1147,9 @@ rm ocaml/html/.gitignore
 %endif
 
 %changelog
+* Mon Aug 26 2024 Rachel Menge <rachelmenge@microsoft.com> - 1.52.0-9
+- Update to build dep latest glibc-static version
+
 * Wed Aug 21 2024 Chris Co <chrco@microsoft.com> - 1.52.0-8
 - Bump to rebuild with updated glibc
 
diff --git a/SPECS/libidn2/libidn2.spec b/SPECS/libidn2/libidn2.spec
index edf09d18e17..a4736a3d1c7 100644
--- a/SPECS/libidn2/libidn2.spec
+++ b/SPECS/libidn2/libidn2.spec
@@ -1,9 +1,11 @@
 Summary:          Library to support IDNA2008 internationalized domain names
 Name:             libidn2
 Version:          2.3.4
-Release:          4%{?dist}
+Release:          5%{?dist}
 License:          (GPLv2+ or LGPLv3+) and GPLv3+
 URL:              https://www.gnu.org/software/libidn/#libidn2
+Vendor:           Microsoft Corporation
+Distribution:     Azure Linux
 
 Source0:          https://ftp.gnu.org/gnu/libidn/%{name}-%{version}.tar.gz
 Source1:          https://ftp.gnu.org/gnu/libidn/%{name}-%{version}.tar.gz.sig
@@ -92,6 +94,9 @@ rm -f $RPM_BUILD_ROOT%{_datadir}/info/dir
 %{_infodir}/%{name}.info*
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 2.3.4-5
+- Add missing Vendor and Distribution tags.
+
 * Tue Jan 16 17:26:11 EST 2024 Dan Streetman <ddstreet@ieee.org> - 2.3.4-4
 - Update to version from Fedora 39/rawhide.
 - Next line is present only to avoid tooling failures, and does not indicate the actual package license.
diff --git a/SPECS/libiscsi/libiscsi.spec b/SPECS/libiscsi/libiscsi.spec
index f3e10832a3f..a126297eeb3 100644
--- a/SPECS/libiscsi/libiscsi.spec
+++ b/SPECS/libiscsi/libiscsi.spec
@@ -1,9 +1,11 @@
 Name: libiscsi
 Summary: iSCSI client library
 Version: 1.19.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: LGPLv2+
 URL: https://github.com/sahlberg/%{name}
+Vendor:          Microsoft Corporation
+Distribution:    Azure Linux
 
 Source: https://github.com/sahlberg/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 
@@ -96,6 +98,9 @@ The libiscsi-devel package includes the header files for libiscsi.
 %{_libdir}/pkgconfig/libiscsi.pc
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.19.0-2
+- Add missing Vendor and Distribution tags.
+
 * Fri Jan 19 2024 Brian Fjeldstad <bfjelds@microsoft.com> - 1.19.0-1
 - Upgrade to 1.19 from Fedora
 
diff --git a/SPECS/libisofs/libisofs.spec b/SPECS/libisofs/libisofs.spec
index ecc390af803..a3a245ea4d8 100644
--- a/SPECS/libisofs/libisofs.spec
+++ b/SPECS/libisofs/libisofs.spec
@@ -1,11 +1,13 @@
 Summary:  Library to create ISO 9660 disk images
 Name:     libisofs
 Version:  1.5.6
-Release:  1%{?dist}
+Release:  2%{?dist}
 # make_isohybrid_mbr.c is under LGPLv2+, the rest under GPLv2+
 License:  GPLv2+ and LGPLv2+
 Group:    System Environment/Libraries
 URL:      https://dev.lovelyhq.com/libburnia/libisofs
+Vendor:   Microsoft Corporation
+Distribution:  Azure Linux
 Source0:  https://files.libburnia-project.org/releases/%{name}-%{version}.tar.gz
 
 BuildRequires:  autoconf
@@ -70,6 +72,9 @@ rm -rf $RPM_BUILD_ROOT%{_defaultdocdir}
 %{_libdir}/pkgconfig/%{name}*.pc
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.5.6-2
+- Add missing Vendor and Distribution tags.
+
 * Fri Feb 16 2024 Amrita Kohli <amritakohli@microsoft.com> - 1.5.6-1
 - Upgrade to 1.5.6.
 
diff --git a/SPECS/libmd/4F3E74F436050C10F5696574B972BF3EA4AE57A3 b/SPECS/libmd/4F3E74F436050C10F5696574B972BF3EA4AE57A3
new file mode 100644
index 00000000000..ecd7236301d
--- /dev/null
+++ b/SPECS/libmd/4F3E74F436050C10F5696574B972BF3EA4AE57A3
@@ -0,0 +1,63 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBEoFrhoBEADux/XveApDkVYu+IgGAxB3PgMZ4nDjNheHZ6YMCtqPUEAPgGYE
+ac5juI0k2j+4fLUFuZxjt6oPi+SGX6j35hgUcMQ6bsSkIrMTxPvoCIeFlgKkSZ0H
+cH4ishvTTZpBIGDIFVOeiNtLQCyrdW/rbjMNfx+SCQi8w44hJMvcO+0M4TIs+2MY
+3CVojhffYZ8RAAGmj5rMJ0mx96xgCNEkPUJtRlH8EGPeOwWdFGIrOy2fg0vakdCv
+33FMQQrHu1QwhhyZIQiaXEEKRjbZm7uUA3m+I0MvTbWxqn0OUv5FjwWBGETAIfFA
+WBmMZ1w55+IpLQ6GRExtWVAIk+iHE9mphl/lgMMZPUD2kat3yqmGdgcZT8T2D5R8
+Pxb83IRMNFw1yUfvaeI4aj/ssU2Hy1IPh99A8tLsE3d0fCXaTielNbvXc2DzhuEb
+ni4/mPE8bngSnAj9dYPvjgiWX8saq9keOBrjvJPm2N3pF65O3xFBja+vi6FwBFsP
+LsghM+T9srEzLLQ6kodY/1kbRKlfVQWqwtB3NJmmHogyTY7BkWR7Z+Jf2D7R9EL3
+jv988mWC4ansUo/7v84yzx3zIdphCDW1oI8OjCcgx1gtMoLusulT6ZiVJyVsPUOP
+PyQnX/9zB2i6LhMBpO+0UaxQrBjOekz3ajdqWiXVv8+w5Sc5fTMzx9+cIwARAQAB
+zSNHdWlsbGVtIEpvdmVyIDxndWlsbGVtQGhhZHJvbnMub3JnPsLBegQTAQgAJAIb
+AwIeAQIXgAULCQgHAwUVCgkICwUWAgMBAAUCSgXPyQIZAQAKCRC5cr8+pK5Xo4lh
+D/44Kmk9X3G4wHQrTwdXNEx/Fj1MYtTEl/2IPKXymUEVlf7D/pNMxr7K1xgagzW+
+/q7AjPj+bLdiyot2Fpn9TlNy2mwnO17fJOktBVrJhjx+5Zhy6QZwY9vz1QdMULKQ
+ce+IjvN+HMhi5RtFaVFjzbrOCZrKq2li6pMaOMPGgYQ9NbVWrR6c2ehPdilAXWOn
+pdWZpuZUbpb2fwBZ66PUKEESS+98bvlgNDwgWAdNhvbwaK6Q9ib8E9eh8BjFrBKK
+QeF6Hufyzna4TGaOmwzmIjbFsg4dsJ1zgOGd+gxAV2kawIdU4Ipz0dauu6umZhBz
+JZni9D+z3aLU6bmW15x3r6pqz/8N4V1Ha78pyxSOyMzemA4+O26LoTnW7BZgp5lP
+7nwBSuttCKSVml8d6cNJTzsOQbu/WAP4NhVYSIEDIyiPsLYeswAYCDITVhkP+xRd
+Z+q11DlIgOsoc1DTW9+WKedySEB/XeUB6UPJ4RJqakGNqxuJeoCJKWrkHptGfQWR
+EP3uj041pR/FoDOshxNcQx5bYIVgrdQLb4snTU5ZxfWWd/Icqz278qhSawaDaf0j
+RwvwM+y0c6QikduVwfhT+5fkFjQC730ufoe+M5BTL5oAnMNZyxeh6M1NFHHyQGzH
+kNWBuUmVRpFL6Ik32Hf1KJm49QA9yzHtYQ0Nz0I1v/bN2c0iR3VpbGxlbSBKb3Zl
+ciA8Z3VpbGxlbUBkZWJpYW4ub3JnPsLBdwQTAQgAIQUCSgXPngIbAwULCQgHAwUV
+CgkICwUWAgMBAAIeAQIXgAAKCRC5cr8+pK5Xo6JAEADMQ86c8H1mQNGBUMKntoCP
+cm12PtE2zs/sGQDt2zhRZFSSQIBj265WxbutV92C24th0P2OKGliT9QrrhrhYCDL
++Kgdyeu/n8uVoO23TxTaJgR6Olo72Pq8UFezVdCFZ0g/ybeLHA3GYYPdGtahn0uH
+nntbfd9VaPI3o5eYTcAe126UlV3qiYMpgXNZ7Ixc1vCdKduwUmKYjTa2TiYBq9nw
+g5uGd0YqAuk19MjLDpajcRd9zvzQ3M82m4xRjDvWjEeoyoVG+FR3hGz92zKojxI9
+PC5i/YFefuHDHhPnsnE5i8N2IYm2ydmD11emdEBZlEL/B0PvyWOiakbye2YB1Zi4
+v7KILMXNv1TG0ziiAKWsF0yo4gXL1RZZOIYycx7AllL8dorGKamWXSufGbFGWVcf
+K9yct8qFEHfcrGyDqqdLG2/c+bFhAQdxuiJcKE+MSBdIL09oGvBqTDwMaLprxc7Y
+8t6viVqt8IOofbwOWH9P1yAoVKXZO+QRbo+PvddE2AVK9FG+pTHB3UDlQeQiBJ0S
+AHBdsdWkzUCAh78mi0Svyrrvu+E3SzmtUmw2NZe22cywBhP8wADbTlXkSU1BdtIH
+d4JGFZR1G4CywaPVBeD3jcXMeFIx8SS9U1V8vH8jYWpn08pX9o9ujGL5q03K0las
+cJL/gBUOrto9IS1htbpl3c7BTQRKBc6ZARAAp5V1y9eVYbkApCmO9JSBtRV1Pflj
+2HmzSYjuIwa3tkWMYLLQ5Tw5rEf5aPRAN77yCm224uEZVxhhAkG4PGlRydoptNk/
+eBC2tPhGGa8n18C0AxmE6QHo19jMv75fprf8ixOD74phbx8kh6eA3x4+AbC4BunA
+VzVVuzHNpNR67cD6Eor3gxcTV2/eIqkJ6FuaoZdiTBD1hBIzmPQ36d2sczl/9n/F
+fOTQjoGpu/eEL3a00rAC72Fa38FyLHzA6/rJ7dh5FjMoR6+iDJiWS6IrJ5vfQMX3
+d4+szwjcvQurOo862qpaN2QVrQWeQTOm8pAElOvjhLdgGZ/jPTCeAvq2Xwtyaohv
+9rru77fwkrlqKNAgCObFpGxI4IzvCOANJYJmN01jNkoav8R5GodpCBGoEeKmLAvJ
+1O1kPSfvenQMEjgou0ZZJMpKJMQjRtOclNyQQjSHPlUbJfjBJRMRHHpsu/5QAIc6
+MVtSee7TALmvBpt2Fl9IqOKDn+eVqw6x0F5AUv2+zgYr8gkHkS8Kc79vbHLKUgU6
+z52Zb1E2wqJ80nJ48h+IxwUO79LYNmHBn931zswS6x0iTWVhjzfMVp43w7Gi3+Rn
+n8k6H7at409YS6L1PcQUh+u1ak5TtrI1bA1BQK+IdH1+2yCkJLwv2EScw5tfy6wt
+XIiCDakDTwFPqbsAEQEAAcLBXwQYAQgACQUCSgXOmQIbDAAKCRC5cr8+pK5Xo2CK
+EACTZ7rFQ9E71lsjz28feFBCupswRNr859iUUEmthpuUV76sS8ZJ3WrEzRtgDGcp
+hoVNa0NVhCsjB1gCkZSFctrsrEib2D8TKeTpNCecOFzPTWWCK9+KznZoOGinMhCz
+5szLtfMK3MqpQN57vzqrPsFcHDAq5mlvCxuF8RPpi91jowy5dfOeQD6JJ1vKMqY1
+vHdObkjMjXsPIXaR5PT9Ih08NiVCyvHULQsxbesWYOnSofqb+xL3o/4z1Ey5XaYn
+Kz8N2taMdGYNUt4i7W6/k5QD3zRgAPLn9YgQiOEx3E5lN56WCJIeJX9rt5yTtIDt
+POTcnJCLF/9D9GfaAsSzjUm/d7WcEQLJ+evtLmX5QAE0kyglyRzpbGabOwX23pGL
+yZp7CdDl0iGRdMNhnyAtENfu2hAjEoNxG6MSX04niNwKIjA0sraDox99oYE1cm9E
+Yq6S3J92xZd3JIU9UhpIAWbPymR1WxhzLd4OaFtSNzuweHin+YXve1HEiXlevbdC
+0or5EJhMiPqcIRpGYaFa2OwTJ4sGt74jJwekqbF7KmAtLYUKTcxwnWPrscI82Yyf
+uSyf9TsmglhYSo6uNsGtLtsGY2l5qGKeREu6JwRAJomf8H+1oanCyk+JzavT5Y5L
+A+Hwb9ddjC9U8kT/eaNzC0EEXaxTR8HQSOaUrXBwr6fp1A==
+=Gi+y
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/SPECS/libmd/libmd-1.1.0.tar.xz.asc b/SPECS/libmd/libmd-1.1.0.tar.xz.asc
new file mode 100644
index 00000000000..b35ab5bdc07
--- /dev/null
+++ b/SPECS/libmd/libmd-1.1.0.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEETz509DYFDBD1aWV0uXK/PqSuV6MFAmSI5v8ACgkQuXK/PqSu
+V6OhpxAAhN6+yr0qPnxi+WN7WHMJm690WThuKouMRo9PouxEuICdGL/55V7ih9aH
+y4r6GshO0kmdIrne8AWvLhex5pzzXwQzSwl92CGnzMJ20xO2j0e+/CNtB/sC2Lp/
+FA09VzLtEkawoAQ0SIv1BZGj9QrlAEebIHSXuyU4mXkgesuRp3rXSBt/re5H922v
+AqohSaSIoUoji+c7rP/Ft7MOR4cTUtODLlN4iU64EcIpYpz9tj8+7FN6RNVR0nJl
+fp7r+Wdu/94rA0mL8D2SUyBLa40GDGm29l7l704rHtordT0V0JB6WIEMhXuue+Da
+9jj3sX+KvlAaf0s8a1t7Umc918PdOCpFLITgEHXihbdwzv/MY5gZTtSE0MjcqQki
+ITp8Wc4HyUrnLgDosMto7fGQsSsyoRk/dBqlSWZM2rb012OV9GhGMm87FXQXCSEq
+aZXhanab2RV2HZLwX4gBiCiZlxH8Tw+kEZYd+kNMXjNpUvBUPCUcNSSGDRF+A7mL
+utLN08cJPaGM345AusyHN1tygzO2J2B52suBAiP2GBgQKA1IKuK1uBnF2saqcHcE
+wBKJQAO9/BjPT6I/RmBflyaWiz6et273k2c+UD30YFJbYIcAIuGx6qb50Qnc9erH
+cEzAgkLBlybU+cMb3jasZRlLZQMpnzvGNLYNgOyVemXGnbLYfgo=
+=le71
+-----END PGP SIGNATURE-----
diff --git a/SPECS/libmd/libmd.signatures.json b/SPECS/libmd/libmd.signatures.json
new file mode 100644
index 00000000000..d2c914e63cd
--- /dev/null
+++ b/SPECS/libmd/libmd.signatures.json
@@ -0,0 +1,7 @@
+{
+    "Signatures": {
+     "libmd-1.1.0.tar.xz": "1bd6aa42275313af3141c7cf2e5b964e8b1fd488025caf2f971f43b00776b332",
+     "libmd-1.1.0.tar.xz.asc": "402fd3024e43ab975733d09e661804a58ca58697194e4b15216b1217cfe1dadb",
+     "4F3E74F436050C10F5696574B972BF3EA4AE57A3": "56b3e6dc62d6de533d1a86621b3d3fe8f9523a83f2b19927a95cffb8b562150b"
+    }
+   }
diff --git a/SPECS/libmd/libmd.spec b/SPECS/libmd/libmd.spec
new file mode 100644
index 00000000000..1e2482eb3f1
--- /dev/null
+++ b/SPECS/libmd/libmd.spec
@@ -0,0 +1,112 @@
+Summary:        Library that provides message digest functions from BSD systems
+Name:           libmd
+Version:        1.1.0
+Release:        6%{?dist}
+# Breakdown in COPYING file of libmd release tarball
+License:        BSD-2-Clause AND BSD-3-Clause AND ISC AND Beerware AND LicenseRef-Fedora-Public-Domain
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+URL:            https://www.hadrons.org/software/libmd/
+Source0:        https://libbsd.freedesktop.org/releases/%{name}-%{version}.tar.xz
+Source1:        https://libbsd.freedesktop.org/releases/%{name}-%{version}.tar.xz.asc
+Source2:        https://keys.openpgp.org/vks/v1/by-fingerprint/4F3E74F436050C10F5696574B972BF3EA4AE57A3
+BuildRequires:  gcc
+BuildRequires:  gnupg2
+BuildRequires:  make
+
+%description
+The libmd library provides a few message digest ("hash") functions, as
+found on various BSD systems, either on their libc or on a library with
+the same name, and with a compatible API.
+
+%package devel
+Summary:        Development files for the message digest library
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+Requires:       pkg-config
+
+%description devel
+The libmd-devel package includes header files and libraries necessary
+for developing programs which use the message digest library.
+
+%prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%setup -q
+
+%build
+%configure --disable-static
+%make_build
+
+%install
+%make_install
+
+# Don't install any libtool .la files
+rm -f %{buildroot}%{_libdir}/%{name}.la
+
+%check
+make check
+
+%ldconfig_scriptlets
+
+%files
+%license COPYING
+%doc ChangeLog README
+%{_libdir}/%{name}.so.0*
+%{_mandir}/man7/%{name}.7*
+
+%files devel
+%{_libdir}/%{name}.so
+%{_libdir}/pkgconfig/%{name}.pc
+%{_includedir}/md2.h
+%{_includedir}/md4.h
+%{_includedir}/md5.h
+%{_includedir}/ripemd.h
+%{_includedir}/rmd160.h
+%{_includedir}/sha.h
+%{_includedir}/sha1.h
+%{_includedir}/sha2.h
+%{_includedir}/sha256.h
+%{_includedir}/sha512.h
+%{_mandir}/man3/MD2*.3*
+%{_mandir}/man3/MD4*.3*
+%{_mandir}/man3/MD5*.3*
+%{_mandir}/man3/RMD160*.3*
+%{_mandir}/man3/SHA1*.3*
+%{_mandir}/man3/SHA256*.3*
+%{_mandir}/man3/SHA384*.3*
+%{_mandir}/man3/SHA512*.3*
+%{_mandir}/man3/md2.3*
+%{_mandir}/man3/md4.3*
+%{_mandir}/man3/md5.3*
+%{_mandir}/man3/rmd160.3*
+%{_mandir}/man3/sha1.3*
+%{_mandir}/man3/sha2.3*
+
+%changelog
+* Wed Sep 11 2024 Zhichun Wan <zhichunwan@microsoft.com> - 1.1.0-6
+- Initial Azure Linux import from Fedora 42 (license: MIT)
+- License Verified
+
+* Thu Jul 18 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Wed Jun 14 2023 Robert Scheck <robert@fedoraproject.org> 1.1.0-1
+- Upgrade to 1.1.0 (#2214865)
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Sep 14 2022 Robert Scheck <robert@fedoraproject.org> 1.0.4-2
+- Update license identifier to SPDX expression (#2094582 #c11)
+
+* Wed Jun 08 2022 Robert Scheck <robert@fedoraproject.org> 1.0.4-1
+- Upgrade to 1.0.4 (#2094582)
+- Initial spec file for Fedora and Red Hat Enterprise Linux
diff --git a/SPECS/libnbd/CVE-2024-7383.patch b/SPECS/libnbd/CVE-2024-7383.patch
new file mode 100644
index 00000000000..9abefc05b43
--- /dev/null
+++ b/SPECS/libnbd/CVE-2024-7383.patch
@@ -0,0 +1,215 @@
+From 5ff09cdbbd19226dd2d5015d76134f88dee9321e Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Tue, 25 Jun 2024 10:55:54 +0100
+Subject: [PATCH] build: Move to minimum gnutls >= 3.5.18
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This version matches current qemu.
+
+RHEL 7 gnutls is too old (lacks gnutls_session_set_verify_cert), which
+means TLS will be disabled on this platform.  RHEL 8 has gnutls 3.6.14.
+
+I also unconditionally enabled the gnutls/socket.h header.  This
+header was added in 2016 (gnutls 3.5.3), so it's not present in RHEL 7.
+
+On RHEL 7 the configure-time test now prints:
+
+  checking for GNUTLS... no
+  configure: WARNING: gnutls not found or < 3.5.18, TLS support will be disabled.
+  ...
+  Optional library features:
+      TLS support ............................ no
+
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ configure.ac | 5 ++---
+ lib/crypto.c | 6 ------
+ 2 files changed, 2 insertions(+), 9 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index cd12254b..eba108c5 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -191,13 +191,13 @@ AC_ARG_WITH([gnutls],
+     [],
+     [with_gnutls=check])
+ AS_IF([test "$with_gnutls" != "no"],[
+-    PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.3.0], [
++    PKG_CHECK_MODULES([GNUTLS], [gnutls >= 3.5.18], [
+         printf "gnutls version is "; $PKG_CONFIG --modversion gnutls
+         AC_SUBST([GNUTLS_CFLAGS])
+         AC_SUBST([GNUTLS_LIBS])
+         AC_DEFINE([HAVE_GNUTLS],[1],[gnutls found at compile time.])
+     ], [
+-        AC_MSG_WARN([gnutls not found or < 3.3.0, TLS support will be disabled.])
++        AC_MSG_WARN([gnutls not found or < 3.5.18, TLS support will be disabled.])
+     ])
+ ])
+ AM_CONDITIONAL([HAVE_GNUTLS], [test "x$GNUTLS_LIBS" != "x"])
+@@ -223,7 +223,6 @@ AS_IF([test "$GNUTLS_LIBS" != ""],[
+     old_LIBS="$LIBS"
+     LIBS="$GNUTLS_LIBS $LIBS"
+     AC_CHECK_FUNCS([\
+-        gnutls_session_set_verify_cert \
+         gnutls_transport_is_ktls_enabled \
+     ])
+     LIBS="$old_LIBS"
+diff --git a/lib/crypto.c b/lib/crypto.c
+index 22a1cfa5..d131f1d0 100644
+--- a/lib/crypto.c
++++ b/lib/crypto.c
+@@ -28,10 +28,8 @@
+ 
+ #ifdef HAVE_GNUTLS
+ #include <gnutls/gnutls.h>
+-#ifdef HAVE_GNUTLS_SOCKET_H
+ #include <gnutls/socket.h>
+ #endif
+-#endif
+ 
+ #include "internal.h"
+ #include "nbdkit-string.h"
+@@ -532,12 +530,8 @@ set_up_certificate_credentials (struct nbd_handle *h,
+   return NULL;
+ 
+  found_certificates:
+-#ifdef HAVE_GNUTLS_SESSION_SET_VERIFY_CERT
+   if (h->hostname && h->tls_verify_peer)
+     gnutls_session_set_verify_cert (session, h->hostname, 0);
+-#else
+-  debug (h, "ignoring nbd_set_tls_verify_peer, this requires GnuTLS >= 3.4.6");
+-#endif
+ 
+   err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
+   if (err < 0) {
+-- 
+GitLab
+From 87ef41b69929d5d293390ec36b1c10aba2c9a57a Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Mon, 24 Jun 2024 10:48:12 +0100
+Subject: [PATCH] lib/crypto.c: Check server certificate even when using system
+ CA
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The previous code checked the server certificate only when a custom
+certificate directory was set (ie.  nbd_set_tls_certificates /
+?tls-certificates=DIR).  In the fallback case where we use the system
+CA, we never called gnutls_session_set_verify_cert and so the server
+certificate was never checked.
+
+Move the call to gnutls_session_set_verify_cert later so it is called
+on both paths.
+
+If the server certificate does not match the hostname you will see:
+
+nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1)
+
+Reported-by: Jon Szymaniak <jon.szymaniak@gmail.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ lib/crypto.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/crypto.c b/lib/crypto.c
+index d131f1d0..c542ce6b 100644
+--- a/lib/crypto.c
++++ b/lib/crypto.c
+@@ -530,9 +530,6 @@ set_up_certificate_credentials (struct nbd_handle *h,
+   return NULL;
+ 
+  found_certificates:
+-  if (h->hostname && h->tls_verify_peer)
+-    gnutls_session_set_verify_cert (session, h->hostname, 0);
+-
+   err = gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE, ret);
+   if (err < 0) {
+     set_error (0, "gnutls_credentials_set: %s", gnutls_strerror (err));
+@@ -647,6 +644,9 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
+       gnutls_deinit (session);
+       return NULL;
+     }
++
++    if (h->hostname && h->tls_verify_peer)
++      gnutls_session_set_verify_cert (session, h->hostname, 0);
+   }
+ 
+   /* Wrap the underlying socket with GnuTLS. */
+-- 
+GitLab
+From 6ed47a27d14f6f11946bb096d94e5bf21d97083d Mon Sep 17 00:00:00 2001
+From: "Richard W.M. Jones" <rjones@redhat.com>
+Date: Mon, 24 Jun 2024 10:31:10 +0100
+Subject: [PATCH] lib/crypto.c: Allow CA verification even if h->hostname is
+ not set
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Calling gnutls_session_set_verify_cert with the hostname parameter set
+to NULL is permitted:
+https://www.gnutls.org/manual/html_node/Core-TLS-API.html#gnutls_005fsession_005fset_005fverify_005fcert
+
+It means that the server's hostname in the certificate will not be
+verified but we can at least check that the certificate was signed by
+the CA.  This allows the CA to be checked even for connections over
+Unix domain sockets.
+
+Example:
+
+  $ rm -f /tmp/sock
+  $ nbdkit -U /tmp/sock -f --tls=require --tls-certificates=$HOME/d/nbdkit/tests/pki memory 1G &
+
+Before this change:
+
+  $ nbdinfo 'nbds+unix://?socket=/tmp/sock'
+  protocol: newstyle-fixed with TLS, using structured packets
+  export="":
+	export-size: 1073741824 (1G)
+	content: data
+	uri: nbds+unix:///?socket=/tmp/sock
+  [etc]
+
+(works because it never called gnutls_session_set_verify_cert).
+
+After this change:
+
+  $ nbdinfo 'nbds+unix://?socket=/tmp/sock'
+  nbdinfo: nbd_connect_uri: gnutls_handshake: Error in the certificate verification. (15/1)
+
+(fails because system CA does not know about nbdkit's certificate
+which is signed by the CA from the nbdkit/tests/pki directory)
+
+  $ nbdinfo 'nbds+unix://?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki'
+  protocol: newstyle-fixed with TLS, using structured packets
+  export="":
+	export-size: 1073741824 (1G)
+	content: data
+	uri: nbds+unix:///?socket=/tmp/sock&tls-certificates=/home/rjones/d/nbdkit/tests/pki
+  [etc]
+
+(works because we supplied the correct CA)
+
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ lib/crypto.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/crypto.c b/lib/crypto.c
+index c542ce6b..437e24ec 100644
+--- a/lib/crypto.c
++++ b/lib/crypto.c
+@@ -645,7 +645,7 @@ nbd_internal_crypto_create_session (struct nbd_handle *h,
+       return NULL;
+     }
+ 
+-    if (h->hostname && h->tls_verify_peer)
++    if (h->tls_verify_peer)
+       gnutls_session_set_verify_cert (session, h->hostname, 0);
+   }
+ 
+-- 
+GitLab
diff --git a/SPECS/libnbd/libnbd.spec b/SPECS/libnbd/libnbd.spec
index 500dc0e984b..f641be0f730 100644
--- a/SPECS/libnbd/libnbd.spec
+++ b/SPECS/libnbd/libnbd.spec
@@ -8,10 +8,12 @@
 %global source_directory 1.18-stable
 Name:           libnbd
 Version:        1.18.3
-Release:        1%{?dist}
+Release:        3%{?dist}
 Summary:        NBD client library in userspace
 License:        LGPL-2.0-or-later AND BSD-3-Clause
 URL:            https://gitlab.com/nbdkit/libnbd
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        https://libguestfs.org/download/libnbd/%{source_directory}/%{name}-%{version}.tar.gz
 
 %if !0%{?azl}
@@ -25,6 +27,8 @@ Source2:       libguestfs.keyring
 Source3:        copy-patches.sh
 %endif
 
+Patch001:       CVE-2024-7383.patch
+
 %if 0%{patches_touch_autotools}
 BuildRequires: autoconf, automake, libtool
 %endif
@@ -329,6 +333,12 @@ skip_test tests/connect-tcp6
 
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.18.3-3
+- Add missing Vendor and Distribution tags.
+
+* Mon Aug 19 2024 Brian Fjeldstad <bfjelds@microsoft.com> - 1.18.3-2
+- Add patches to fix CVE-2024-7383
+
 * Wed Mar 20 2024 Daniel McIlvaney <damcilva@microsoft.com> - 1.18.3-1
 - Refresh from Fedora 39
 
diff --git a/SPECS/libnvme/libnvme.spec b/SPECS/libnvme/libnvme.spec
index fb78bd9f8eb..1d75acc000d 100644
--- a/SPECS/libnvme/libnvme.spec
+++ b/SPECS/libnvme/libnvme.spec
@@ -1,9 +1,11 @@
 Summary: Linux-native nvme device management library
 Name:    libnvme
 Version: 1.8
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: LGPL-2.1-or-later
 URL:     https://github.com/linux-nvme/libnvme
+Vendor:  Microsoft Corporation
+Distribution:  Azure Linux
 Source0: https://github.com/linux-nvme/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 BuildRequires: dbus-devel
 BuildRequires:  gcc
@@ -73,6 +75,9 @@ This package contains Python bindings for libnvme.
 %{python3_sitearch}/libnvme/*
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.8-2
+- Add missing Vendor and Distribution tags.
+
 * Wed Feb 21 2024 Adit Jha <aditjha@microsoft.com> - 1.8-1
 - Initial CBL-Mariner import from Fedora 39 (license: MIT).  License verified.
 
@@ -169,4 +174,4 @@ This package contains Python bindings for libnvme.
 - Upstream v1.0 Release Candidate 0
 
 * Wed Oct 20 2021 Tomas Bzatek <tbzatek@redhat.com> - 0.0.1-1.git1fe38d6
-- Initial packaging
\ No newline at end of file
+- Initial packaging
diff --git a/SPECS/libsafec/libsafec-3.7.1-issue119.patch b/SPECS/libsafec/libsafec-3.7.1-issue119.patch
deleted file mode 100644
index b1e07d49b78..00000000000
--- a/SPECS/libsafec/libsafec-3.7.1-issue119.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff --git a/src/os/getenv_s.c b/src/os/getenv_s.c
---- a/src/os/getenv_s.c
-+++ b/src/os/getenv_s.c
-@@ -119,12 +119,14 @@ EXPORT errno_t _getenv_s_chk(size_t *restrict len, char *restrict dest,
-     buf = getenv(name);
- #endif
-
--    if (unlikely(buf == NULL)) {
--        char errstr[128] = "getenv_s: ";
-+    if (buf == NULL) {
-+#ifdef SAFECLIB_STR_NULL_SLACK
-+        memset(dest, 0, dmax);
-+#else
-+        *dest = '\0';
-+#endif
-         if (len)
-             *len = 0;
--        strcat(errstr, strerror(errno));
--        handle_error(dest, dmax, errstr, -1);
-         return -1;
-     }
diff --git a/SPECS/libsafec/libsafec.signatures.json b/SPECS/libsafec/libsafec.signatures.json
index 8913dabaf53..520ca18c29e 100644
--- a/SPECS/libsafec/libsafec.signatures.json
+++ b/SPECS/libsafec/libsafec.signatures.json
@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "safeclib-3.7.1.tar.xz": "71d3ec970f930bd980f2a41127228eeedfc53749e4c6b203329adc4ff7df32a7"
+  "safeclib-3.8.1.tar.xz": "59c72d1257dc425c3cd02c6ca7ff2edbe80cad7988e9c55471d2c6ba2c2b9db9"
  }
 }
diff --git a/SPECS/libsafec/libsafec.spec b/SPECS/libsafec/libsafec.spec
index 7be5de4f94c..c8290eaa70d 100644
--- a/SPECS/libsafec/libsafec.spec
+++ b/SPECS/libsafec/libsafec.spec
@@ -1,11 +1,15 @@
+%define full_version %{version}.0
+%define commit_hash gdfea26
+
 Summary:        C11 Annex K functions
 Name:           libsafec
-Version:        3.7.1
+Version:        3.8.1
 Release:        2%{?dist}
 License:        MIT
 URL:            https://github.com/rurban/safeclib
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        https://github.com/rurban/safeclib/releases/download/v%{version}/safeclib-%{version}.tar.xz
-Patch0:         libsafec-3.7.1-issue119.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  awk
@@ -33,7 +37,7 @@ Summary:        Tools to detect use of unsafe libc APIs
 Tools to detect use of unsafe libc APIs
 
 %prep
-%autosetup -n safeclib-%{version} -p1
+%autosetup -n safeclib-%{full_version}-%{commit_hash} -p1
 
 %build
 autoreconf -Wall --install
@@ -68,6 +72,12 @@ find %{buildroot} -type f -name "*.pc" -delete -print
 %{_mandir}/man1/*
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 3.8.1-2
+- Add missing Vendor and Distribution tags.
+
+* Thu Aug 29 2024 Andrew Phelps <anphel@microsoft.com> - 3.8.1-1
+- Upgrade to version 3.8.1
+
 * Wed Jul 13 2022 Andy Caldwell <andycaldwell@microsoft.com> - 3.7.1-2
 - Don't emit runtime safety check when getenv fails to find variable.
 
diff --git a/SPECS/libsolv/libsolv.spec b/SPECS/libsolv/libsolv.spec
index ebcf84aaa2b..fa48d7e52e3 100644
--- a/SPECS/libsolv/libsolv.spec
+++ b/SPECS/libsolv/libsolv.spec
@@ -1,7 +1,7 @@
 Summary:        A free package dependency solver
 Name:           libsolv
 Version:        0.7.28
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD
 URL:            https://github.com/openSUSE/libsolv
 Source0:        https://github.com/openSUSE/libsolv/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
@@ -10,6 +10,7 @@ Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 BuildRequires:  cmake
 BuildRequires:  rpm-devel
+BuildRequires:  zstd-devel
 Requires:       expat-libs
 
 %description
@@ -47,7 +48,8 @@ Requires:       xz
     -DENABLE_RPMDB_BYRPMHEADER=ON       \
     -DENABLE_RPMDB_LIBRPM=ON            \
     -DENABLE_RPMMD=ON                   \
-    -DENABLE_COMPS=ON
+    -DENABLE_COMPS=ON                   \
+    -DENABLE_ZSTD_COMPRESSION=ON
 %make_build
 
 %install
@@ -77,6 +79,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_mandir}/man1/*
 
 %changelog
+* Wed Sep 04 2024 Reuben Olinsky <reubeno@microsoft.com> - 0.7.28-2
+- Enable zstd support to match createrepo_c.
+
 * Wed Feb 07 2024 Alberto David Perez Guevara <aperezguevar@microsoft.com> - 0.7.28-1
 - Upgrade to version 0.7.28
 
diff --git a/SPECS/libtpms/libtpms.spec b/SPECS/libtpms/libtpms.spec
index d0c6b4a84be..8503a8cfb46 100644
--- a/SPECS/libtpms/libtpms.spec
+++ b/SPECS/libtpms/libtpms.spec
@@ -1,10 +1,12 @@
 Name:           libtpms
 Version:        0.9.6
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        Library providing Trusted Platform Module (TPM) functionality
 License:        BSD and TCGL
 
 URL:            https://github.com/stefanberger/libtpms
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
 Source1:        %{url}/releases/download/v%{version}/v%{version}.tar.gz.asc#/%{name}-%{version}.tar.gz.asc
 # https://github.com/stefanberger.gpg
@@ -64,6 +66,9 @@ make check
 %{_mandir}/man3/TPM*
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.9.6-7
+- Add missing Vendor and Distribution tags.
+
 * Tue Jun 25 2024 Maxwell Moyer-McKee <bfjelds@microsoft.com> - 0.9.6-6
 - Add patch for compatibility with SymCrypt provider
 
@@ -307,7 +312,7 @@ make check
 
 * Wed Apr 13 2011 Stefan Berger - 0.5.1-5
 - adding BuildRequires for nss-softokn-freebl-static
-- several libtpms-internal changes around state serialization and 
+- several libtpms-internal changes around state serialization and
   deserialization
 - fixes to libtpms makefile (makefile-libtpms)
 - adding build_type to generate a debug or production build
@@ -348,4 +353,3 @@ make check
 - Version of library is now 0.5.0
 - Debuginfo rpm is built but empty -- seems to be a known problem
   Check https://bugzilla.redhat.com/show_bug.cgi?id=209316
-  
\ No newline at end of file
diff --git a/SPECS/libtracecmd/libtracecmd.spec b/SPECS/libtracecmd/libtracecmd.spec
index 19dd2b76633..fc91ff5638a 100644
--- a/SPECS/libtracecmd/libtracecmd.spec
+++ b/SPECS/libtracecmd/libtracecmd.spec
@@ -1,10 +1,12 @@
 Name:          libtracecmd
 Version:       1.5.1
-Release:       1%{?dist}
+Release:       2%{?dist}
 License:       LGPL-2.1-only AND LGPL-2.1-or-later AND GPL-2.0-only AND GPL-2.0-or-later
 Summary:       A library for reading tracing instances stored in a trace file
 
 URL:           https://git.kernel.org/pub/scm/utils/trace-cmd/trace-cmd.git/
+Vendor:        Microsoft Corporation
+Distribution:  Azure Linux
 Source0:       https://git.kernel.org/pub/scm/utils/trace-cmd/trace-cmd.git/snapshot/trace-cmd-libtracecmd-%{version}.tar.gz#/%{name}-%{version}.tar.gz
 
 ExcludeArch:   %{ix86} %{arm}
@@ -69,6 +71,9 @@ chrpath --delete %{buildroot}/%{_libdir}/libtracecmd.so*
 %{_includedir}/trace-cmd
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.5.1-2
+- Add missing Vendor and Distribution tags.
+
 * Thu Feb 15 2024 Aadhar Agarwal <aadagarwal@microsoft.com> - 1.5.1-1
 - Initial Azure Linux import from Fedora 40 (license: MIT)
 - License Verified
diff --git a/SPECS/libtracefs/libtracefs.spec b/SPECS/libtracefs/libtracefs.spec
index 445318b97b8..3580271ee1a 100644
--- a/SPECS/libtracefs/libtracefs.spec
+++ b/SPECS/libtracefs/libtracefs.spec
@@ -11,7 +11,7 @@
 
 Name:           libtracefs
 Version:        1.8.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        LGPL-2.1-or-later AND GPL-2.0-or-later AND GPL-2.0-only
 Summary:        Library for access kernel tracefs
 
@@ -20,6 +20,8 @@ Summary:        Library for access kernel tracefs
 # cd libtracefs
 # git archive --prefix=libtracefs-%%{version}/ -o libtracefs-%%{version}.tar.gz %%{git_commit}
 URL:            https://git.kernel.org/pub/scm/libs/libtrace/libtracefs.git/
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        https://git.kernel.org/pub/scm/libs/libtrace/libtracefs.git/snapshot/libtracefs-%{version}.tar.gz#/%{name}-%{version}.tar.gz
 BuildRequires:  gcc
 BuildRequires:  make
@@ -62,6 +64,9 @@ rm -rf %{buildroot}/%{_libdir}/libtracefs.a
 %{_libdir}/%{name}.so
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.8.0-2
+- Add missing Vendor and Distribution tags.
+
 * Thu Feb 15 2024 Aadhar Agarwal <aadagarwal@microsoft.com> - 1.8.0-1
 - Initial Azure Linux import from Fedora 40 (license: MIT)
 - License Verified
diff --git a/SPECS/libuser/libuser.signatures.json b/SPECS/libuser/libuser.signatures.json
new file mode 100644
index 00000000000..2f05dfbc70b
--- /dev/null
+++ b/SPECS/libuser/libuser.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "libuser-0.64.tar.gz": "ea6094c72cb9e60a42fb53509dc98d124a340f1c9222783b503208adc16a0a8f"
+ }
+}
diff --git a/SPECS-EXTENDED/libuser/libuser.spec b/SPECS/libuser/libuser.spec
similarity index 97%
rename from SPECS-EXTENDED/libuser/libuser.spec
rename to SPECS/libuser/libuser.spec
index a6b129c54d3..5d5bdb44790 100644
--- a/SPECS-EXTENDED/libuser/libuser.spec
+++ b/SPECS/libuser/libuser.spec
@@ -1,45 +1,42 @@
 %bcond_with tex_docs
 
-Name: libuser
-Version: 0.63
-Release: 10%{?dist}
-License: GPLv2
+Name:           libuser
+Version:        0.64
+Release:        1%{?dist}
+License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
-URL: https://pagure.io/libuser
-Source: https://releases.pagure.org/libuser/libuser-%{version}.tar.xz
-BuildRequires: glib2-devel
+URL:            https://pagure.io/libuser
+Source:         https://releases.pagure.org/libuser/libuser-%{version}.tar.gz
+BuildRequires:  glib2-devel
 %if %{with tex_docs}
-BuildRequires: linuxdoc-tools
+BuildRequires:  linuxdoc-tools
 %endif
-BuildRequires: pam-devel
-BuildRequires: popt-devel
-BuildRequires: cyrus-sasl-devel
-BuildRequires: libselinux-devel
-BuildRequires: openldap-devel
-BuildRequires: python3-devel
-BuildRequires: gcc
+BuildRequires:  pam-devel
+BuildRequires:  popt-devel
+BuildRequires:  cyrus-sasl-devel
+BuildRequires:  libselinux-devel
+BuildRequires:  openldap-devel
+BuildRequires:  python3-devel
+BuildRequires:  gcc
 # For %%check
 %if 0%{?with_check}
 #BuildRequires: fakeroot
-BuildRequires: openldap-clients
-BuildRequires: openssl
+BuildRequires:  openldap-clients
+BuildRequires:  openssl
 
 # Missing test dependencies:
 # BuildRequires: openldap-servers
 %endif
-BuildRequires: make
-BuildRequires: bison
-BuildRequires: libtool
-BuildRequires: gettext-devel
-BuildRequires: gtk-doc
-BuildRequires: audit-libs-devel
+BuildRequires:  make
+BuildRequires:  bison
+BuildRequires:  libtool
+BuildRequires:  gettext-devel
+BuildRequires:  gtk-doc
+BuildRequires:  audit-libs-devel
 
 Summary: A user and group account administration library
 
-Patch0: %{url}/pull-request/49.patch#/libuser-0.63-PR49_add_yescrypt.patch
-Patch1: libuser-0.63-downstream_test_xcrypt.patch
-
 %global __provides_exclude_from ^(%{_libdir}/%{name}|%{python3_sitearch})/.*$
 
 %description
@@ -60,10 +57,10 @@ The libuser-devel package contains header files, static libraries, and other
 files useful for developing applications with libuser.
 
 %package -n python3-libuser
-Summary: Python 3 bindings for the libuser library
-Requires: libuser%{?_isa} = %{version}-%{release}
-Provides: libuser-python3 = %{version}-%{release}
-Provides: libuser-python3%{?_isa} = %{version}-%{release}
+Summary:   Python 3 bindings for the libuser library
+Requires:  libuser%{?_isa} = %{version}-%{release}
+Provides:  libuser-python3 = %{version}-%{release}
+Provides:  libuser-python3%{?_isa} = %{version}-%{release}
 Obsoletes: libuser-python3 < 0.63-4
 %{?python_provide:%python_provide python3-libuser}
 
@@ -103,15 +100,17 @@ make
 %find_lang %{name}
 
 %check
-%make_build check || { cat test-suite.log; false; }
+tests_ok=true
+%make_build check || { cat test-suite.log; tests_ok=false; }
 
 # Verify that all python modules load, just in case.
 LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir}:${LD_LIBRARY_PATH}
 export LD_LIBRARY_PATH
 PYTHONPATH=$RPM_BUILD_ROOT%{python3_sitearch}
 export PYTHONPATH
-%{python3} -c "import libuser"
+%{python3} -c "import libuser" || tests_ok=false
 
+$tests_ok
 
 %ldconfig_scriptlets
 
@@ -149,6 +148,9 @@ export PYTHONPATH
 %endif
 
 %changelog
+* Wed Aug 28 2024 Reuben Olinsky <reubeno@microsoft.com> - 0.64-1
+- Upgraded to 0.64.
+
 * Thu Aug 31 2023 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.63-10
 - Disabling missing test dependency.
 - License verified.
diff --git a/SPECS/libva/libva.spec b/SPECS/libva/libva.spec
index c52742fe596..e4d63c321c0 100644
--- a/SPECS/libva/libva.spec
+++ b/SPECS/libva/libva.spec
@@ -24,11 +24,13 @@
 Name:           libva
 %define _name   libva
 Version:        2.20.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Video Acceleration (VA) API
 License:        MIT
 Group:          Development/Libraries/C and C++
 URL:            https://01.org/linuxmedia
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        https://github.com/intel/libva/archive/%{version}.tar.gz#/libva-%{version}.tar.gz
 Source2:        baselibs.conf
 Patch0:         propagate-dpy.patch
@@ -203,6 +205,9 @@ rm -rf `find %{buildroot}%{_libdir}/pkgconfig/libva*.pc | grep -v "glx"`
 %endif
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 2.20.0-2
+- Add missing Vendor and Distribution tags.
+
 * Fri Mar 29 2024 Nan Liu <liunan@microsoft.com> - 2.20.0-1
 - Upgrade to 2.20.0 using openSUSE Tumbleweed.
 - License verified.
diff --git a/SPECS/libzip/always_generate_regression_tests.patch b/SPECS/libzip/always_generate_regression_tests.patch
new file mode 100644
index 00000000000..d7f3e516d35
--- /dev/null
+++ b/SPECS/libzip/always_generate_regression_tests.patch
@@ -0,0 +1,13 @@
+diff -urN a/CMakeLists.txt b/CMakeLists.txt
+--- a/CMakeLists.txt	2024-09-03 22:43:27.700119807 +0000
++++ b/CMakeLists.txt	2024-09-03 22:44:23.316342162 +0000
+@@ -315,8 +315,7 @@
+ find_program(NIHTEST nihtest)
+ 
+ if(BUILD_REGRESS AND NOT NIHTEST)
+-  message(WARNING "-- nihtest not found, regression testing disabled")
+-  set(BUILD_REGRESS OFF)
++  message(WARNING "-- nihtest not found, but regression testing will still be enabled")
+ endif()
+ 
+ if(BUILD_REGRESS)
diff --git a/SPECS/libzip/libzip.spec b/SPECS/libzip/libzip.spec
index c4892eab27b..7bf2d9909a3 100644
--- a/SPECS/libzip/libzip.spec
+++ b/SPECS/libzip/libzip.spec
@@ -1,7 +1,7 @@
 Summary:        C library for reading, creating, and modifying zip archives
 Name:           libzip
 Version:        1.10.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -28,7 +28,10 @@ BuildRequires:  perl(Symbol)
 BuildRequires:  perl(UNIVERSAL)
 BuildRequires:  perl(strict)
 BuildRequires:  perl(warnings)
+BuildRequires:  python3
+BuildRequires:  python3-pip
 %endif
+Patch0:         always_generate_regression_tests.patch
 
 %description
 libzip is a C library for reading, creating, and modifying zip archives. Files
@@ -61,6 +64,11 @@ The %{name}-tools package provides command line tools split off %{name}:
 rm INSTALL.md
 
 %build
+%if 0%{?with_check}
+pip3 install nihtest
+%endif
+mkdir build
+cd build
 %cmake \
   -DENABLE_COMMONCRYPTO:BOOL=OFF \
   -DENABLE_GNUTLS:BOOL=OFF \
@@ -73,16 +81,17 @@ rm INSTALL.md
   -DBUILD_REGRESS:BOOL=ON \
   -DBUILD_EXAMPLES:BOOL=OFF \
   -DBUILD_DOC:BOOL=ON \
-  .
+  ..
 
 make %{?_smp_mflags}
 
 %install
+cd build
 make install DESTDIR=%{buildroot} INSTALL='install -p'
 
 %check
-make check
-
+cd build
+make test
 
 %post -p /sbin/ldconfig
 %postun -p /sbin/ldconfig
@@ -106,6 +115,11 @@ make check
 %{_libdir}/pkgconfig/libzip.pc
 
 %changelog
+* Mon Aug 19 2024 Andrew Phelps <anphel@microsoft.com> - 1.10.1-2
+- Fix package tests
+- Switch to out-of-source build
+- Add patch to ensure regression tests are built even when nihtest is not detected
+
 * Fri Oct 27 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.10.1-1
 - Auto-upgrade to 1.10.1 - Azure Linux 3.0 - package upgrades
 
diff --git a/SPECS/lld/lld.spec b/SPECS/lld/lld.spec
index 4fdc377d34d..ab0e767b80e 100644
--- a/SPECS/lld/lld.spec
+++ b/SPECS/lld/lld.spec
@@ -3,14 +3,13 @@
 Summary:        LLD is a linker from the LLVM project that is a drop-in replacement for system linkers and runs much faster than them
 Name:           lld
 Version:        18.1.2
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        NCSA
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Development/Tools
 URL:            https://lld.llvm.org/
 Source0:        https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-%{version}.tar.gz
-BuildRequires:  build-essential
 BuildRequires:  cmake
 BuildRequires:  file
 BuildRequires:  llvm-devel
@@ -36,7 +35,7 @@ programs that use the LLD infrastructure.
 Shared libraries for LLD.
 
 %prep
-%setup -q -n %{lld_srcdir}
+%autosetup -n %{lld_srcdir}
 
 %build
 mkdir -p build
@@ -48,8 +47,12 @@ cd build
        -DCMAKE_C_FLAGS=-I../../libunwind-%{version}.src/include   \
        -DCMAKE_CXX_FLAGS=-I../../libunwind-%{version}.src/include \
        -DLLVM_LINK_LLVM_DYLIB:BOOL=on                             \
+       -DCMAKE_INSTALL_PREFIX=%{_prefix}                          \
+       -DLLVM_DIR=%{_libdir}/cmake/llvm                           \
+       -DBUILD_SHARED_LIBS:BOOL=ON                                \
        -DLLVM_DYLIB_COMPONENTS="all"                              \
-       -Wno-dev ../lld
+       -Wno-dev                                                   \
+       ../lld
 
 %ninja_build
 
@@ -59,18 +62,24 @@ cd build
 
 %files
 %license LICENSE.TXT
-%{_bindir}/*
+%{_bindir}/lld*
+%{_bindir}/ld.lld
+%{_bindir}/ld64.lld
+%{_bindir}/wasm-ld
 
 %files devel
 %{_includedir}/lld/
 %{_libdir}/cmake/lld/*.cmake
-%{_libdir}/*.so
+%{_libdir}/liblld*.so
 
 %files libs
-%license LICENSE.TXT
-%{_libdir}/*.so.*
+%{_libdir}/liblld*.so.*
 
 %changelog
+* Tue Sep 03 2024 Andrew Phelps <anphel@microsoft.com> - 18.1.2-3
+- Update file listing with explicit filenames
+- Remove unnecessary BR on build-essential
+
 * Wed May 29 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 18.1.2-2
 - Bump release to build with new llvm to fix CVE-2024-31852
 
diff --git a/SPECS/llvm/llvm.spec b/SPECS/llvm/llvm.spec
index 13c7a8c08e1..5960c675604 100644
--- a/SPECS/llvm/llvm.spec
+++ b/SPECS/llvm/llvm.spec
@@ -1,7 +1,11 @@
+%global maj_ver 18
+%global min_ver 1
+%global patch_ver 2
+
 Summary:        A collection of modular and reusable compiler and toolchain technologies.
 Name:           llvm
-Version:        18.1.2
-Release:        3%{?dist}
+Version:        %{maj_ver}.%{min_ver}.%{patch_ver}
+Release:        4%{?dist}
 License:        NCSA
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -56,7 +60,8 @@ cmake -G Ninja                              \
       -DLLVM_INCLUDE_GO_TESTS=No            \
       -DLLVM_ENABLE_RTTI=ON                 \
       -DLLVM_BINUTILS_INCDIR=%{_includedir} \
-      -Wno-dev ../llvm
+      -Wno-dev                              \
+      ../llvm
 
 %ninja_build LLVM
 %ninja_build
@@ -87,10 +92,21 @@ ninja check-all
 %files
 %defattr(-,root,root)
 %license LICENSE.TXT
-%{_bindir}/*
-%{_libdir}/*.so
-%{_libdir}/*.so.*
+%{_bindir}/bugpoint
+%{_bindir}/dsymutil
+%{_bindir}/llc
+%{_bindir}/lli
+%{_bindir}/llvm-*
+%{_bindir}/opt
+%{_bindir}/sancov
+%{_bindir}/sanstats
+%{_bindir}/verify-uselistorder
 %{_libdir}/bfd-plugins/LLVMgold.so
+%{_libdir}/LLVMgold.so
+%{_libdir}/libLLVM-%{maj_ver}.so
+%{_libdir}/libLLVM.so.%{maj_ver}.%{min_ver}
+%{_libdir}/libLTO.so*
+%{_libdir}/libRemarks.so*
 %dir %{_datadir}/opt-viewer
 %{_datadir}/opt-viewer/opt-diff.py
 %{_datadir}/opt-viewer/opt-stats.py
@@ -101,10 +117,15 @@ ninja check-all
 
 %files devel
 %{_libdir}/*.a
-%{_libdir}/cmake/*
-%{_includedir}/*
+%{_libdir}/cmake/llvm/*
+%{_libdir}/libLLVM.so
+%{_includedir}/llvm
+%{_includedir}/llvm-c
 
 %changelog
+* Tue Sep 03 2024 Andrew Phelps <anphel@microsoft.com> - 18.1.2-4
+- Update file listing with explicit filenames
+
 * Wed May 29 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 18.1.2-3
 - Patch CVE-2024-31852
 
diff --git a/SPECS/local-path-provisioner/local-path-provisioner.spec b/SPECS/local-path-provisioner/local-path-provisioner.spec
index dfe4421634c..a0838ead201 100644
--- a/SPECS/local-path-provisioner/local-path-provisioner.spec
+++ b/SPECS/local-path-provisioner/local-path-provisioner.spec
@@ -1,11 +1,11 @@
 Summary:        Provides a way for the Kubernetes users to utilize the local storage in each node
 Name:           local-path-provisioner
 Version:        0.0.24
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        ASL 2.0
 URL:            https://github.com/rancher/local-path-provisioner
 Group:          Applications/Text
-Vendor:         Microsoft
+Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Source0:        https://github.com/rancher/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 #Note that the source file should be renamed to the format {name}-%{version}.tar.gz
@@ -30,6 +30,9 @@ install local-path-provisioner %{buildroot}%{_bindir}/local-path-provisioner
 %{_bindir}/local-path-provisioner
 
 %changelog
+* Tue Sep 03 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.0.24-2
+- Release bump to fix package information.
+
 * Fri Oct 27 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 0.0.24-1
 - Auto-upgrade to 0.0.24 - Azure Linux 3.0 - package upgrades
 
diff --git a/SPECS/lujavrite/lujavrite.spec b/SPECS/lujavrite/lujavrite.spec
index f6c7ab7b503..200f24061e3 100644
--- a/SPECS/lujavrite/lujavrite.spec
+++ b/SPECS/lujavrite/lujavrite.spec
@@ -1,9 +1,11 @@
 Name:           lujavrite
 Version:        1.0.2
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Lua library for calling Java code
 License:        Apache-2.0
 URL:            https://github.com/mizdebsk/lujavrite
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 
 Source0:        https://github.com/mizdebsk/lujavrite/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 
@@ -36,6 +38,9 @@ lua test.lua
 %doc README.md
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.0.2-6
+- Add missing Vendor and Distribution tags.
+
 * Thu Apr 04 2024 Mitch Zhu <mitchzhu@microsoft.com> - 1.0.2-5
 - Initial Azure Linux import from Fedora 40 (license: MIT).
 - License verified.
diff --git a/SPECS/mandoc/mandoc.spec b/SPECS/mandoc/mandoc.spec
index a7e8dc20e13..81a132ef058 100644
--- a/SPECS/mandoc/mandoc.spec
+++ b/SPECS/mandoc/mandoc.spec
@@ -1,9 +1,11 @@
 Name:             mandoc
 Version:          1.14.6
-Release:          9%{?dist}
+Release:          10%{?dist}
 Summary:          A suite of tools for compiling mdoc and man
 License:          ISC AND BSD-2-Clause AND BSD-3-Clause
 URL:              https://mandoc.bsd.lv/
+Vendor:           Microsoft Corporation
+Distribution:     Azure Linux
 Source0:          https://mandoc.bsd.lv/snapshots/%{name}-%{version}.tar.gz
 
 BuildRequires:    gcc
@@ -215,88 +217,91 @@ fi
 %{_mandir}/man3/tbl.3*
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.14.6-10
+- Add missing Vendor and Distribution tags.
+
 * Tue Feb 06 2024 Cameron Baird <cameronbaird@microsoft.com> - 1.14.6-9
 - Initial CBL-Mariner import from Fedora 40 (license: MIT).
 - License verified.
 
 * Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.14.6-8
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
- 
+
 * Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.14.6-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
- 
+
 * Thu Sep 21 2023 David Cantrell <dcantrell@redhat.com> - 1.14.6-6
 - Convert License tag to SPDX expression
- 
+
 * Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.14.6-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
- 
+
 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.14.6-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
- 
+
 * Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.14.6-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
- 
+
 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.14.6-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
- 
+
 * Mon Dec 20 2021 David Cantrell <dcantrell@redhat.com> - 1.14.6-1
 - Upgrade to mandoc-1.14.6 (#2005601)
- 
+
 * Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.14.5-15
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
- 
+
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.14.5-14
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
- 
+
 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.14.5-13
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
- 
+
 * Wed May 20 2020 David Cantrell <dcantrell@redhat.com> - 1.14.5-12
 - Drop explicit Requires for libmandoc package (#1837690)
- 
+
 * Tue May 19 2020 David Cantrell <dcantrell@redhat.com> - 1.14.5-11
 - Per discussion with upstream, drop the shared library patch
- 
+
 * Tue Apr 14 2020 Björn Esser <besser82@fedoraproject.org> - 1.14.5-10
 - libmandoc.so must be linked with COMPAT_OBJS
 - Add patch to fix configure script
 - Replace plain make with %%make_build
 * Mon Mar 09 2020 David Cantrell <dcantrell@redhat.com> - 1.14.5-9
 - BR perl-interpreter
- 
+
 * Mon Mar 09 2020 Nikola Forró <nforro@redhat.com> - 1.14.5-8
 - Do not use alternatives for mdoc.7
- 
+
 * Thu Mar 05 2020 David Cantrell <dcantrell@redhat.com> - 1.14.5-7
 - Build everything using -fPIC
- 
+
 * Thu Mar 05 2020 David Cantrell <dcantrell@redhat.com> - 1.14.5-6
 - Include libmandoc.a in libmandoc-devel
- 
+
 * Tue Feb 25 2020 David Cantrell <dcantrell@redhat.com> - 1.14.5-5
 - Split alternatives in to 4 sets (nforro)
 - Use default names for binaries and man pages (nforro)
 - Do not compress man pages (nforro)
 - Add missing %%preun requirement (nforro)
- 
+
 * Mon Feb 24 2020 David Cantrell <dcantrell@redhat.com> - 1.14.5-4
 - Install the user tools using alternatives (#1785308)
- 
+
 * Thu Feb 06 2020 David Cantrell <dcantrell@redhat.com> - 1.14.5-3
 - Simplify the compat preprocessor tests (#1799629)
- 
+
 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.14.5-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
- 
+
 * Wed Oct 16 2019 David Cantrell <dcantrell@redhat.com> - 1.14.5-1
 - Update to mandoc-1.14.5
- 
+
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.14.4-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
- 
+
 * Mon Mar 25 2019 David Shea <dshea@redhat.com> - 1.14.4-2
 - Move mdoc.7 to mandoc_mdoc.7 (#1691793)
- 
+
 * Thu Feb  7 2019 David Shea <dshea@redhat.com> - 1.14.4-1
 - Initial package
diff --git a/SPECS/mdadm/mdadm.spec b/SPECS/mdadm/mdadm.spec
index 794dadb2509..422f48e30f8 100644
--- a/SPECS/mdadm/mdadm.spec
+++ b/SPECS/mdadm/mdadm.spec
@@ -2,9 +2,11 @@
 
 Name:        mdadm
 Version:     4.2
-Release:     5%{?dist}
+Release:     7%{?dist}
 Summary:     The mdadm program controls Linux md devices (software RAID arrays)
 URL:         http://www.kernel.org/pub/linux/utils/raid/mdadm/
+Vendor:      Microsoft Corporation
+Distribution: Azure Linux
 License:     GPLv2+
 
 Source:      http://www.kernel.org/pub/linux/utils/raid/mdadm/%{name}-%{version}.tar.gz
@@ -145,10 +147,10 @@ Patch198:    mdadm-2.5.2-static.patch
 Patch199:    disable-Werror.patch
 
 BuildRequires: make
-BuildRequires: glibc-static >= 2.38-7%{?dist}
-BuildRequires: systemd-rpm-macros 
-BuildRequires: binutils-devel 
-BuildRequires: gcc 
+BuildRequires: glibc-static >= 2.38-8%{?dist}
+BuildRequires: systemd-rpm-macros
+BuildRequires: binutils-devel
+BuildRequires: gcc
 BuildRequires: systemd-devel
 %if %{with libreport}
 Requires:       libreport-filesystem
@@ -157,7 +159,7 @@ Requires(post): systemd coreutils
 Requires(preun): systemd
 Requires(postun): systemd coreutils
 
-%description 
+%description
 The mdadm program is used to create, manage, and monitor Linux MD (software
 RAID) devices.  As such, it provides similar functionality to the raidtools
 package.  However, mdadm is a single program, and it can perform
@@ -219,6 +221,12 @@ install -m644 %{SOURCE5} %{buildroot}/etc/libreport/events.d
 %{_datadir}/mdadm/mdcheck
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 4.2-7
+- Add missing Vendor and Distribution tags.
+
+* Mon Aug 26 2024 Rachel Menge <rachelmenge@microsoft.com> - 4.2-6
+- Update to build dep latest glibc-static version
+
 * Wed Aug 21 2024 Chris Co <chrco@microsoft.com> - 4.2-5
 - Bump to rebuild with updated glibc
 
@@ -326,7 +334,7 @@ install -m644 %{SOURCE5} %{buildroot}/etc/libreport/events.d
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
 
 * Thu Jan 12 2017 Xiao Ni <xni@redhat.com> - 4.0-1
-- Upgrade to mdadm-4.0 
+- Upgrade to mdadm-4.0
 - Resolves bz1411555
 
 * Mon Aug 15 2016 Jes Sorensen <Jes.Sorensen@redhat.com> - 3.4-3
@@ -423,7 +431,7 @@ install -m644 %{SOURCE5} %{buildroot}/etc/libreport/events.d
 
 * Wed Oct 9 2013 Jes Sorensen <Jes.Sorensen@redhat.com> - 3.3-3
 - Check for DM_UDEV_DISABLE_OTHER_RULES_FLAG instead of
-  DM_UDEV_DISABLE_DISK_RULES_FLAG in 65-md-incremental.rules 
+  DM_UDEV_DISABLE_DISK_RULES_FLAG in 65-md-incremental.rules
 - Resolves bz1015521
 
 * Tue Oct 8 2013 Jes Sorensen <Jes.Sorensen@redhat.com> - 3.3-2
@@ -444,7 +452,7 @@ install -m644 %{SOURCE5} %{buildroot}/etc/libreport/events.d
 
 * Wed Apr 24 2013 Jes Sorensen <Jes.Sorensen@redhat.com> - 3.2.6-19
 - Fix problem where  rebuild of IMSM RAID5 volume started in OROM,
-  does not proceed in OS 
+  does not proceed in OS
 - Resolves bz956021 (f18), bz956026 (f17), bz956031 (f19)
 
 * Tue Apr 23 2013 Jes Sorensen <Jes.Sorensen@redhat.com> - 3.2.6-18
@@ -557,7 +565,7 @@ install -m644 %{SOURCE5} %{buildroot}/etc/libreport/events.d
 
 * Wed Jul 18 2012 Karsten Hopp <karsten@redhat.com> 3.2.5-5
 - include <linux/types.h> in some to avoid type clashes.
-  same problem as rhbz #840902  
+  same problem as rhbz #840902
 
 * Mon Jul 16 2012 Jes Sorensen <Jes.Sorensen@redhat.com> - 3.2.5-4
 - Move /etc/tmpfiles.d/mdadm.conf to /lib/tmpfiles.d/ to comply with
@@ -632,7 +640,7 @@ install -m644 %{SOURCE5} %{buildroot}/etc/libreport/events.d
 * Thu Feb 16 2012 Jes Sorensen <Jes.Sorensen@redhat.com> - 3.2.3-5
 - Fix issue with devices failing to be added to a raid using bitmaps,
   due to trying to write the bitmap with mis-aligned buffers using
-  O_DIRECT 
+  O_DIRECT
 - Resolves: bz789898 (f16) bz791189 (f15)
 
 * Mon Jan 30 2012 Jes Sorensen <Jes.Sorensen@redhat.com> - 3.2.3-4
@@ -932,7 +940,7 @@ install -m644 %{SOURCE5} %{buildroot}/etc/libreport/events.d
 - Modify mdadm to put its mapfile in /dev/md instead of /var/run/mdadm
   since at startup /var/run/mdadm is read-only by default and this
   breaks incremental assembly
-- Change how mdadm decides to assemble incremental devices using their 
+- Change how mdadm decides to assemble incremental devices using their
   preferred name or a random name to avoid possible conflicts when plugging
   a foreign array into a host
 
diff --git a/SPECS/mdevctl/mdevctl.spec b/SPECS/mdevctl/mdevctl.spec
index 3ec234b9689..139590b1d33 100644
--- a/SPECS/mdevctl/mdevctl.spec
+++ b/SPECS/mdevctl/mdevctl.spec
@@ -2,11 +2,13 @@
 
 Name:           mdevctl
 Version:        1.3.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        A mediated device management utility for Linux
 
 License:        LGPL-2.1-only
 URL:            https://crates.io/crates/mdevctl
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        https://github.com/mdevctl/mdevctl/archive/refs/tags/v%{version}.tar.gz#/mdevctl-%{version}.tar.gz
 Source1:        https://github.com/mdevctl/mdevctl/releases/download/v%{version}/mdevctl-%{version}-vendor.tar.gz
 
@@ -37,7 +39,7 @@ vfio-mdev for assignment to virtual machines.
 %autosetup -n %{crate}-%{version} -p1
 
 # Do vendor expansion here manually by
-# calling `tar x` and setting up 
+# calling `tar x` and setting up
 # .cargo/config to use it.
 tar fx %{SOURCE1}
 mkdir -p .cargo
@@ -92,6 +94,9 @@ cargo test
 %{bashcompletiondir}/lsmdev
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.3.0-4
+- Add missing Vendor and Distribution tags.
+
 * Wed Mar 06 2024 Brian Fjeldstad <bfjelds@microsoft.com> - 1.3.0-3
 - Enable for other architectures.
 
@@ -243,4 +248,4 @@ cargo test
 - d1f6110c59d4 ("mdevctl: Minor usage fixes")
 - 42ba1670288f ("Merge pull request #1 from cohuck/improve_cmdline")
 - d27ba583f77b ("mdevctl: improve commandline handling")
-- 5114f9eb8268 ("mdevctl: Initial commit")
\ No newline at end of file
+- 5114f9eb8268 ("mdevctl: Initial commit")
diff --git a/SPECS/moby-engine/CVE-2024-29018.patch b/SPECS/moby-engine/CVE-2024-29018.patch
new file mode 100644
index 00000000000..2419a36f3ff
--- /dev/null
+++ b/SPECS/moby-engine/CVE-2024-29018.patch
@@ -0,0 +1,264 @@
+From b9fa79f9fa3fa604b3a1d3f510d47e2ecd7c9eb3 Mon Sep 17 00:00:00 2001
+From: Albin Kerouanton <albinker@gmail.com>
+Date: Tue, 10 Oct 2023 01:13:25 +0200
+Subject: [PATCH 1/3] libnet: Don't forward to upstream resolvers on internal
+ nw
+
+Commit cbc2a71c2 makes `connect` syscall fail fast when a container is
+only attached to an internal network. Thanks to that, if such a
+container tries to resolve an "external" doamin, the embedded resolver
+returns an error immediately instead of waiting for a timeout.
+
+This commit makes sure the embedded resolver doesn't even try to forward
+to upstream servers.
+
+Signed-off-by: Albin Kerouanton <albinker@gmail.com>
+---
+ libnetwork/endpoint.go         |  8 +++++++-
+ libnetwork/resolver.go         | 19 +++++++++++++++----
+ libnetwork/sandbox_dns_unix.go |  5 +----
+ 3 files changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/libnetwork/endpoint.go b/libnetwork/endpoint.go
+index 6638c15ff050c..f0aa234716ad7 100644
+--- a/libnetwork/endpoint.go
++++ b/libnetwork/endpoint.go
+@@ -569,8 +569,11 @@ func (ep *Endpoint) sbJoin(sb *Sandbox, options ...EndpointOption) (err error) {
+ 		return sb.setupDefaultGW()
+ 	}
+ 
+-	moveExtConn := sb.getGatewayEndpoint() != extEp
++	currentExtEp := sb.getGatewayEndpoint()
++	// Enable upstream forwarding if the sandbox gained external connectivity.
++	sb.resolver.SetForwardingPolicy(currentExtEp != nil)
+ 
++	moveExtConn := currentExtEp != extEp
+ 	if moveExtConn {
+ 		if extEp != nil {
+ 			log.G(context.TODO()).Debugf("Revoking external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID())
+@@ -764,6 +767,9 @@ func (ep *Endpoint) sbLeave(sb *Sandbox, force bool) error {
+ 
+ 	// New endpoint providing external connectivity for the sandbox
+ 	extEp = sb.getGatewayEndpoint()
++	// Disable upstream forwarding if the sandbox lost external connectivity.
++	sb.resolver.SetForwardingPolicy(extEp != nil)
++
+ 	if moveExtConn && extEp != nil {
+ 		log.G(context.TODO()).Debugf("Programming external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID())
+ 		extN, err := extEp.getNetworkFromStore()
+diff --git a/libnetwork/resolver.go b/libnetwork/resolver.go
+index 816f00ad68a44..1ce23f5d8fb8e 100644
+--- a/libnetwork/resolver.go
++++ b/libnetwork/resolver.go
+@@ -9,6 +9,7 @@ import (
+ 	"strconv"
+ 	"strings"
+ 	"sync"
++	"sync/atomic"
+ 	"time"
+ 
+ 	"github.com/containerd/log"
+@@ -75,7 +76,7 @@ type Resolver struct {
+ 	tcpListen     *net.TCPListener
+ 	err           error
+ 	listenAddress string
+-	proxyDNS      bool
++	proxyDNS      atomic.Bool
+ 	startCh       chan struct{}
+ 	logger        *log.Entry
+ 
+@@ -85,15 +86,17 @@ type Resolver struct {
+ 
+ // NewResolver creates a new instance of the Resolver
+ func NewResolver(address string, proxyDNS bool, backend DNSBackend) *Resolver {
+-	return &Resolver{
++	r := &Resolver{
+ 		backend:       backend,
+-		proxyDNS:      proxyDNS,
+ 		listenAddress: address,
+ 		err:           fmt.Errorf("setup not done yet"),
+ 		startCh:       make(chan struct{}, 1),
+ 		fwdSem:        semaphore.NewWeighted(maxConcurrent),
+ 		logInverval:   rate.Sometimes{Interval: logInterval},
+ 	}
++	r.proxyDNS.Store(proxyDNS)
++
++	return r
+ }
+ 
+ func (r *Resolver) log(ctx context.Context) *log.Entry {
+@@ -194,6 +197,14 @@ func (r *Resolver) SetExtServers(extDNS []extDNSEntry) {
+ 	}
+ }
+ 
++// SetForwardingPolicy re-configures the embedded DNS resolver to either enable or disable forwarding DNS queries to
++// external servers.
++func (r *Resolver) SetForwardingPolicy(policy bool) {
++	if r != nil {
++		r.proxyDNS.Store(policy)
++	}
++}
++
+ // NameServer returns the IP of the DNS resolver for the containers.
+ func (r *Resolver) NameServer() string {
+ 	return r.listenAddress
+@@ -421,7 +432,7 @@ func (r *Resolver) serveDNS(w dns.ResponseWriter, query *dns.Msg) {
+ 		return
+ 	}
+ 
+-	if r.proxyDNS {
++	if r.proxyDNS.Load() {
+ 		// If the user sets ndots > 0 explicitly and the query is
+ 		// in the root domain don't forward it out. We will return
+ 		// failure and let the client retry with the search domain
+diff --git a/libnetwork/sandbox_dns_unix.go b/libnetwork/sandbox_dns_unix.go
+index fb1827e4e3377..02edd0caa5439 100644
+--- a/libnetwork/sandbox_dns_unix.go
++++ b/libnetwork/sandbox_dns_unix.go
+@@ -44,10 +44,7 @@ func (sb *Sandbox) finishInitDNS() error {
+ func (sb *Sandbox) startResolver(restore bool) {
+ 	sb.resolverOnce.Do(func() {
+ 		var err error
+-		// The embedded resolver is always started with proxyDNS set as true, even when the sandbox is only attached to
+-		// an internal network. This way, it's the driver responsibility to make sure `connect` syscall fails fast when
+-		// no external connectivity is available (eg. by not setting a default gateway).
+-		sb.resolver = NewResolver(resolverIPSandbox, true, sb)
++		sb.resolver = NewResolver(resolverIPSandbox, sb.getGatewayEndpoint() != nil, sb)
+ 		defer func() {
+ 			if err != nil {
+ 				sb.resolver = nil
+
+From cf4b3950a1b137863e6534eeacc35de3c3862153 Mon Sep 17 00:00:00 2001
+From: Albin Kerouanton <albinker@gmail.com>
+Date: Wed, 20 Dec 2023 23:19:13 +0100
+Subject: [PATCH 2/3] inte/networking: rename linkLocal flag into isLinkLocal
+
+Signed-off-by: Albin Kerouanton <albinker@gmail.com>
+---
+ integration/networking/bridge_test.go | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/integration/networking/bridge_test.go b/integration/networking/bridge_test.go
+index 6007449cd6c24..a0ce08d035187 100644
+--- a/integration/networking/bridge_test.go
++++ b/integration/networking/bridge_test.go
+@@ -36,7 +36,7 @@ func TestBridgeICC(t *testing.T) {
+ 		name           string
+ 		bridgeOpts     []func(*types.NetworkCreate)
+ 		ctr1MacAddress string
+-		linkLocal      bool
++		isLinkLocal    bool
+ 		pingHost       string
+ 	}{
+ 		{
+@@ -74,7 +74,7 @@ func TestBridgeICC(t *testing.T) {
+ 				// 2. the one dynamically assigned by the IPAM driver.
+ 				network.WithIPAM("fe80::/64", "fe80::1"),
+ 			},
+-			linkLocal: true,
++			isLinkLocal: true,
+ 		},
+ 		{
+ 			name: "IPv6 link-local address on internal network",
+@@ -84,7 +84,7 @@ func TestBridgeICC(t *testing.T) {
+ 				// See the note above about link-local addresses.
+ 				network.WithIPAM("fe80::/64", "fe80::1"),
+ 			},
+-			linkLocal: true,
++			isLinkLocal: true,
+ 		},
+ 		{
+ 			// As for 'LL non-internal', but ping the container by name instead of by address
+@@ -162,7 +162,7 @@ func TestBridgeICC(t *testing.T) {
+ 
+ 			pingHost := tc.pingHost
+ 			if pingHost == "" {
+-				if tc.linkLocal {
++				if tc.isLinkLocal {
+ 					inspect := container.Inspect(ctx, t, c, id1)
+ 					pingHost = inspect.NetworkSettings.Networks[bridgeName].GlobalIPv6Address + "%eth0"
+ 				} else {
+
+From 19b74dc69124227c4255ac589ab841f5ba111f80 Mon Sep 17 00:00:00 2001
+From: Albin Kerouanton <albinker@gmail.com>
+Date: Wed, 20 Dec 2023 23:19:58 +0100
+Subject: [PATCH 3/3] inte/networking: add isIPv6 flag
+
+Signed-off-by: Albin Kerouanton <albinker@gmail.com>
+---
+ integration/networking/bridge_test.go | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/integration/networking/bridge_test.go b/integration/networking/bridge_test.go
+index a0ce08d035187..0d8c5d491ce2e 100644
+--- a/integration/networking/bridge_test.go
++++ b/integration/networking/bridge_test.go
+@@ -36,6 +36,7 @@ func TestBridgeICC(t *testing.T) {
+ 		name           string
+ 		bridgeOpts     []func(*types.NetworkCreate)
+ 		ctr1MacAddress string
++		isIPv6         bool
+ 		isLinkLocal    bool
+ 		pingHost       string
+ 	}{
+@@ -55,6 +56,7 @@ func TestBridgeICC(t *testing.T) {
+ 				network.WithIPv6(),
+ 				network.WithIPAM("fdf1:a844:380c:b200::/64", "fdf1:a844:380c:b200::1"),
+ 			},
++			isIPv6: true,
+ 		},
+ 		{
+ 			name: "IPv6 ULA on internal network",
+@@ -63,6 +65,7 @@ func TestBridgeICC(t *testing.T) {
+ 				network.WithInternal(),
+ 				network.WithIPAM("fdf1:a844:380c:b247::/64", "fdf1:a844:380c:b247::1"),
+ 			},
++			isIPv6: true,
+ 		},
+ 		{
+ 			name: "IPv6 link-local address on non-internal network",
+@@ -75,6 +78,7 @@ func TestBridgeICC(t *testing.T) {
+ 				network.WithIPAM("fe80::/64", "fe80::1"),
+ 			},
+ 			isLinkLocal: true,
++			isIPv6:      true,
+ 		},
+ 		{
+ 			name: "IPv6 link-local address on internal network",
+@@ -85,6 +89,7 @@ func TestBridgeICC(t *testing.T) {
+ 				network.WithIPAM("fe80::/64", "fe80::1"),
+ 			},
+ 			isLinkLocal: true,
++			isIPv6:      true,
+ 		},
+ 		{
+ 			// As for 'LL non-internal', but ping the container by name instead of by address
+@@ -122,6 +127,7 @@ func TestBridgeICC(t *testing.T) {
+ 			// specify one here to hardcode the SLAAC LL address below.
+ 			ctr1MacAddress: "02:42:ac:11:00:02",
+ 			pingHost:       "fe80::42:acff:fe11:2%eth0",
++			isIPv6:         true,
+ 		},
+ 		{
+ 			name: "IPv6 internal network with SLAAC LL address",
+@@ -133,6 +139,7 @@ func TestBridgeICC(t *testing.T) {
+ 			// specify one here to hardcode the SLAAC LL address below.
+ 			ctr1MacAddress: "02:42:ac:11:00:02",
+ 			pingHost:       "fe80::42:acff:fe11:2%eth0",
++			isIPv6:         true,
+ 		},
+ 	}
+ 
+@@ -170,7 +177,11 @@ func TestBridgeICC(t *testing.T) {
+ 				}
+ 			}
+ 
+-			pingCmd := []string{"ping", "-c1", "-W3", pingHost}
++			pingCmd := []string{"ping", "-c1", "-W3"}
++			if tc.isIPv6 {
++				pingCmd = append(pingCmd, "-6")
++			}
++			pingCmd = append(pingCmd, pingHost)
+ 
+ 			ctr2Name := fmt.Sprintf("ctr-icc-%d-2", tcID)
+ 			attachCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec
index e350178d777..31b03d8ce53 100644
--- a/SPECS/moby-engine/moby-engine.spec
+++ b/SPECS/moby-engine/moby-engine.spec
@@ -3,7 +3,7 @@
 Summary: The open-source application container engine
 Name:    moby-engine
 Version: 25.0.3
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: ASL 2.0
 Group:   Tools/Container
 URL: https://mobyproject.org
@@ -17,6 +17,7 @@ Source2: docker.socket
 Patch0:  CVE-2022-2879.patch
 Patch1:  enable-docker-proxy-libexec-search.patch
 Patch2:  CVE-2024-41110.patch
+Patch3:  CVE-2024-29018.patch
 
 %{?systemd_requires}
 
@@ -112,6 +113,9 @@ fi
 %{_unitdir}/*
 
 %changelog
+* Mon Aug 19 2024 Suresh Thelkar <sthelkar@microsoft.com> - 25.0.3-6
+- Patch CVE-2024-29018
+
 * Tue Aug 13 2024 Rohit Rawat <rohitrawat@microsoft.com> - 25.0.3-5
 - Address CVE-2024-41110
 
diff --git a/SPECS/mock-core-configs/mock-core-configs.signatures.json b/SPECS/mock-core-configs/mock-core-configs.signatures.json
new file mode 100644
index 00000000000..150b16ead08
--- /dev/null
+++ b/SPECS/mock-core-configs/mock-core-configs.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "mock-core-configs-41.2.tar.gz": "01c7511d427e23c01d2763ebdf76d177c89c3a8f84afe546c22e24dbe388b4b8"
+ }
+}
diff --git a/SPECS-EXTENDED/mock-core-configs/mock-core-configs.spec b/SPECS/mock-core-configs/mock-core-configs.spec
similarity index 87%
rename from SPECS-EXTENDED/mock-core-configs/mock-core-configs.spec
rename to SPECS/mock-core-configs/mock-core-configs.spec
index 6d130c7887d..59e2279fefc 100644
--- a/SPECS-EXTENDED/mock-core-configs/mock-core-configs.spec
+++ b/SPECS/mock-core-configs/mock-core-configs.spec
@@ -1,54 +1,71 @@
-Summary:    Mock core config files basic chroots
+%if 0%{?el8}
+%global python3 /usr/libexec/platform-python
+%endif
+
 Name:       mock-core-configs
-Version:    36.4
+Version:    41.2
 Release:    1%{?dist}
-License:    GPLv2+
+Vendor:     Microsoft Corporation
+Distribution: Azure Linux
+Summary:    Mock core config files basic chroots
+
+License:    GPL-2.0-or-later
 URL:        https://github.com/rpm-software-management/mock/
-# Source is created by
-# git clone https://github.com/rpm-software-management/mock.git
-# cd mock/mock-core-configs
-# git reset --hard %%{name}-%%{version}
-# tito build --tgz
 Source:     https://github.com/rpm-software-management/mock/archive/refs/tags/%{name}-%{version}-1/%{name}-%{version}-1.tar.gz#/%{name}-%{version}.tar.gz
+BuildArch:  noarch
+
+# The mock.rpm requires this.  Other packages may provide this if they tend to
+# replace the mock-core-configs.rpm functionality.
+Provides:   mock-configs = %{version}-%{release}
+
 # distribution-gpg-keys contains GPG keys used by mock configs
-Requires:   distribution-gpg-keys >= 1.59
+Requires:   distribution-gpg-keys >= 1.105
+
+%if ! 0%{?azl}
 # specify minimal compatible version of mock
-Requires:   mock >= 2.5
+Requires:   mock >= 5.4.post1
 Requires:   mock-filesystem
+%endif
+
 Requires(post): coreutils
-# The mock.rpm requires this.  Other packages may provide this if they tend to
-# replace the mock-core-configs.rpm functionality.
-Provides: mock-configs
-BuildArch:  noarch
+# to detect correct default.cfg
+Requires(post): python3-dnf
+Requires(post): python3-hawkey
+Requires(post): system-release
+Requires(post): python3
+Requires(post): sed
 
 %description
-Config files which allow you to create chroots for:
- * Fedora
- * Epel
- * Mageia
- * Custom chroot
- * OpenSuse Tumbleweed and Leap
+Mock configuration files which allow you to create chroots for Alma Linux,
+Amazon Linux, Azure Linux, CentOS, CentOS Stream, Circle Linux, EuroLinux, Fedora,
+Fedora EPEL, Mageia, Navy Linux, OpenMandriva Lx, openSUSE, Oracle Linux,
+Red Hat Enterprise Linux, Rocky Linux and various other specific or combined
+chroots.
+
 
 %prep
-%setup -q -n mock-%{name}-%{version}-1/mock-core-configs
+%setup -q -n mock-%{name}-%{version}-1/%{name}
 
 
 %build
 
-%install
-mkdir -p %{buildroot}%{_sysusersdir}
 
+%install
 mkdir -p %{buildroot}%{_sysconfdir}/mock/eol/templates
 mkdir -p %{buildroot}%{_sysconfdir}/mock/templates
 cp -a etc/mock/*.cfg %{buildroot}%{_sysconfdir}/mock
 cp -a etc/mock/templates/*.tpl %{buildroot}%{_sysconfdir}/mock/templates
+
 cp -a etc/mock/eol/*cfg %{buildroot}%{_sysconfdir}/mock/eol
 cp -a etc/mock/eol/templates/*.tpl %{buildroot}%{_sysconfdir}/mock/eol/templates
 
 # generate files section with config - there is many of them
 echo "%defattr(0644, root, mock)" > %{name}.cfgs
 find %{buildroot}%{_sysconfdir}/mock -name "*.cfg" -o -name '*.tpl' \
+    | grep -v chroot-aliases \
     | sed -e "s|^%{buildroot}|%%config(noreplace) |" >> %{name}.cfgs
+echo "%%config %{_sysconfdir}/mock/chroot-aliases.cfg" >> %{name}.cfgs
+
 # just for %%ghosting purposes
 ln -s fedora-rawhide-x86_64.cfg %{buildroot}%{_sysconfdir}/mock/default.cfg
 # bash-completion
@@ -62,15 +79,64 @@ fi
 # reference valid mock.rpm's docdir with example site-defaults.cfg
 mock_docs=%{_pkgdocdir}
 mock_docs=${mock_docs//mock-core-configs/mock}
-mock_docs=${mock_docs//-%{version}/-*}
+mock_docs=${mock_docs//-%version/-*}
 sed -i "s~@MOCK_DOCS@~$mock_docs~" %{buildroot}%{_sysconfdir}/mock/site-defaults.cfg
 
 %post
-if [ -s %{_sysconfdir}/os-release ]; then
-    ver=$(source %{_sysconfdir}/os-release && echo $VERSION_ID | cut -d. -f1 | grep -o '[0-9]\+')
+if [ -s /etc/os-release ]; then
+    # fedora and rhel7+
+    if grep -Fiq Rawhide /etc/os-release; then
+        ver=rawhide
+    # mageia
+    elif [ -s /etc/mageia-release ]; then
+        if grep -Fiq Cauldron /etc/mageia-release; then
+           ver=cauldron
+        fi
+    else
+        ver=$(source /etc/os-release && echo $VERSION_ID | cut -d. -f1 | grep -o '[0-9]\+')
+    fi
+else
+    # something obsure, use buildtime version
+    ver=%{?rhel}%{?fedora}%{?mageia}
 fi
-mock_arch=$(python -c "import rpmUtils.arch; baseArch = rpmUtils.arch.getBaseArch(); print baseArch")
-cfg=%{?fedora:fedora}%{?rhel:epel}%{?mageia:mageia}-$ver-${mock_arch}.cfg
+if [ -s /etc/mageia-release ]; then
+    mock_arch=$(sed -n '/^$/!{$ s/.* \(\w*\)$/\1/p}' /etc/mageia-release)
+else
+    mock_arch=$(%{python3} -c "import dnf.rpm; import hawkey; print(dnf.rpm.basearch(hawkey.detect_arch()))")
+fi
+
+cfg=unknown-distro
+%if 0%{?fedora}
+cfg=fedora-$ver-$mock_arch.cfg
+%endif
+%if 0%{?azl}
+cfg=azurelinux-$ver.0-$mock_arch.cfg
+%endif
+%if 0%{?rhel}
+# Being installed on RHEL, or a RHEL fork.  Detect it.
+distro_id=$(. /etc/os-release; echo $ID)
+case $distro_id in
+centos)
+  # This package is EL8+, and there's only CentOS Stream now.
+  distro_id=centos-stream
+  ;;
+almalinux)
+  # AlmaLinux configs look like 'alma+epel'
+  distro_id=alma
+  ;;
+esac
+cfg=$distro_id+epel-$ver-$mock_arch.cfg
+%endif
+
+%if 0%{?eln}
+# overrides rhel value which resolves in fedora+epel-rawhide-$mock_arch.cfg
+cfg=fedora-eln-$mock_arch.cfg
+%endif
+
+%if 0%{?mageia}
+cfg=mageia-$ver-$mock_arch.cfg
+%endif
+
 if [ -e %{_sysconfdir}/mock/$cfg ]; then
     if [ "$(readlink %{_sysconfdir}/mock/default.cfg)" != "$cfg" ]; then
         ln -s $cfg %{_sysconfdir}/mock/default.cfg 2>/dev/null || ln -s -f $cfg %{_sysconfdir}/mock/default.cfg.rpmnew
@@ -81,11 +147,16 @@ else
 fi
 :
 
+
 %files -f %{name}.cfgs
 %license COPYING
+%doc README
 %ghost %config(noreplace,missingok) %{_sysconfdir}/mock/default.cfg
 
 %changelog
+* Wed Aug 28 2024 Reuben Olinsky <reubeno@microsoft.com> - 41.2-1
+- Sync with Fedora 41 version of spec.
+
 * Tue Feb 08 2022 Cameron Baird <cameronbaird@microsoft.com> - 36.4-1
 - Initial CBL-Mariner import from Fedora 33 (license: MIT).
 - Update to 36.4 source
diff --git a/SPECS/mock/mock.signatures.json b/SPECS/mock/mock.signatures.json
new file mode 100644
index 00000000000..8d039da886c
--- /dev/null
+++ b/SPECS/mock/mock.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "mock-5.6.tar.gz": "0a902c1b89667e9653664487bfa7f9acfcb8f55ba9d64a021058cec40144697d"
+ }
+}
diff --git a/SPECS-EXTENDED/mock/mock.spec b/SPECS/mock/mock.spec
similarity index 84%
rename from SPECS-EXTENDED/mock/mock.spec
rename to SPECS/mock/mock.spec
index c84660833de..704abbb580e 100644
--- a/SPECS-EXTENDED/mock/mock.spec
+++ b/SPECS/mock/mock.spec
@@ -1,77 +1,165 @@
-# mock group id allocate (Must not overlap with any other gid in Mariner)
+%bcond_with lint
+%bcond_without tests
+
+# mock group id allocate for Fedora
 %global mockgid 135
+
 %global __python %{__python3}
 %global python_sitelib %{python3_sitelib}
 
-Summary:        Builds packages inside chroots
-Name:           mock
-Version:        2.16
-Release:        2%{?dist}
-License:        GPLv2+
-# Source is created by
-# git clone https://github.com/rpm-software-management/mock.git
-# cd mock
-# git reset --hard %%{name}-%%{version}
-# tito build --tgz
-URL:            https://github.com/rpm-software-management/mock/
-Source:         https://github.com/rpm-software-management/mock/archive/refs/tags/%{name}-%{version}-1.tar.gz#/%{name}-%{version}.tar.gz
-BuildRequires:  bash-completion
-BuildRequires:  perl
-BuildRequires:  python3-devel
-Requires:       %{name}-filesystem
-Requires:       coreutils
-Requires:       createrepo_c
-Requires:       dnf
-Requires:       dnf-plugins-core
-Requires:       mock-configs
-Requires:       pigz
-Requires:       procps-ng
-Requires:       python3-distro
-Requires:       python3-jinja2
-Requires:       python3-pyroute2
-Requires:       python3-requests
-Requires:       python3-rpm
-Requires:       python3-templated-dictionary
-Requires:       systemd
-Requires:       tar
-Requires:       usermode
-# hwinfo plugin
-Requires:       util-linux
-BuildArch:      noarch
-%if 0%{?with_check}
-BuildRequires:  python3-distro
-BuildRequires:  python3-jinja2
-BuildRequires:  python3-pip
-BuildRequires:  python3-pyroute2
-BuildRequires:  python3-requests
-BuildRequires:  python3-templated-dictionary
+Summary:       Builds packages inside chroots
+Name:          mock
+Version:       5.6
+Release:       1%{?dist}
+Vendor:        Microsoft Corporation
+Distribution:  Azure Linux
+License:       GPL-2.0-or-later
+Source:        https://github.com/rpm-software-management/mock/archive/refs/tags/%{name}-%{version}-1.tar.gz#/%{name}-%{version}.tar.gz
+URL:           https://github.com/rpm-software-management/mock/
+BuildArch:     noarch
+Requires:      tar
+Requires:      pigz
+%if 0%{?mageia}
+Requires:      usermode-consoleonly
+%else
+Requires:      usermode
+%endif
+Requires:      createrepo_c
+
+# We know that the current version of mock isn't compatible with older variants,
+# and we want to enforce automatic upgrades.
+Conflicts:     mock-core-configs < 33
+
+# Requires 'mock-core-configs', or replacement
+Requires:      mock-configs
+Requires:      %{name}-filesystem = %{version}-%{release}
+%if 0%{?azl} || 0%{?fedora} || 0%{?rhel} >= 8
+# This is still preferred package providing 'mock-configs'
+Suggests:      mock-core-configs
+%endif
+
+Requires:      systemd
+%if 0%{?azl} || 0%{?fedora} || 0%{?rhel} >= 8
+Requires:      systemd-container
+%endif
+Requires:      coreutils
+%if 0%{?fedora}
+Suggests:      iproute
+%endif
+%if 0%{?mageia}
+Suggests:      iproute2
+%endif
+BuildRequires: bash-completion
+Requires:      python%{python3_pkgversion}-distro
+Requires:      python%{python3_pkgversion}-jinja2
+Requires:      python%{python3_pkgversion}-requests
+Requires:      python%{python3_pkgversion}-rpm
+Requires:      python%{python3_pkgversion}-pyroute2
+Requires:      python%{python3_pkgversion}-templated-dictionary
+Requires:      python%{python3_pkgversion}-backoff
+BuildRequires: python%{python3_pkgversion}-backoff
+BuildRequires: python%{python3_pkgversion}-devel
+%if %{with lint}
+BuildRequires: python%{python3_pkgversion}-pylint
 %endif
+BuildRequires: python%{python3_pkgversion}-rpm
+BuildRequires: python%{python3_pkgversion}-rpmautospec-core
+
+%if 0%{?fedora} >= 38
+# DNF5 stack
+Recommends:    dnf5
+Recommends:    dnf5-plugins
+%endif
+
+# DNF4 stack
+Recommends:    python3-dnf
+Recommends:    python3-dnf-plugins-core
+
+# YUM stack, dnf-utils replace yum-utils
+Recommends:    yum
+Recommends:    dnf-utils
+
+Recommends:    btrfs-progs
+Suggests:      qemu-user-static
+Suggests:      procenv
+Recommends:    podman
+
+%if %{with tests}
+BuildRequires: python%{python3_pkgversion}-distro
+BuildRequires: python%{python3_pkgversion}-jinja2
+BuildRequires: python%{python3_pkgversion}-pyroute2
+BuildRequires: python%{python3_pkgversion}-pytest
+BuildRequires: python%{python3_pkgversion}-requests
+BuildRequires: python%{python3_pkgversion}-templated-dictionary
+%endif
+
+%if 0%{?azl} || 0%{?fedora} || 0%{?rhel} >= 8
+BuildRequires: perl-interpreter
+%else
+BuildRequires: perl
+%endif
+# hwinfo plugin
+Requires:      util-linux
+Requires:      coreutils
+Requires:      procps-ng
+Requires:      shadow-utils
+
 
 %description
 Mock takes an SRPM and builds it in a chroot.
 
+%package scm
+Summary: Mock SCM integration module
+Requires:      %{name} = %{version}-%{release}
+%if ! 0%{?azl}
+Recommends:    cvs
+%endif
+Recommends:    git
+Recommends:    subversion
+Recommends:    tar
+
+%if ! 0%{?azl}
+# We could migrate to 'copr-distgit-client'
+Recommends:    rpkg
+%endif
+
+%description scm
+Mock SCM integration module.
+
 %package lvm
 Summary: LVM plugin for mock
-Requires: %{name} = %{version}-%{release}
-Requires: lvm2
+Requires:      %{name} = %{version}-%{release}
+Requires:      lvm2
 
 %description lvm
 Mock plugin that enables using LVM as a backend and support creating snapshots
 of the buildroot.
 
+%package rpmautospec
+Summary:       Rpmautospec plugin for mock
+Requires:      %{name} = %{version}-%{release}
+# This lets mock determine if a spec file needs to be processed with rpmautospec.
+Requires:      python%{python3_pkgversion}-rpmautospec-core
+
+%description rpmautospec
+Mock plugin that preprocesses spec files using rpmautospec.
+
 %package filesystem
-Summary:  Mock filesystem layout
-Requires(pre):  shadow-utils
+Summary:       Mock filesystem layout
+Requires(pre): shadow-utils
 
 %description filesystem
 Filesystem layout and group for Mock.
 
 %prep
-%setup -q -n mock-%{name}-%{version}-1/mock
+%setup -q -n mock-%{name}-%{version}-1/%{name}
+for file in py/mock.py py/mock-parse-buildlog.py; do
+  sed -i 1"s|#!/usr/bin/python3 |#!%{__python} |" $file
+done
 
 %build
-for i in py/mock.py py/mock-parse-buildlog.py; do
-    perl -p -i -e 's|^__VERSION__\s*=.*|__VERSION__="%{version}"|' $i
+for i in py/mockbuild/constants.py py/mock-parse-buildlog.py; do
+    perl -p -i -e 's|^VERSION\s*=.*|VERSION="%{version}"|' $i
     perl -p -i -e 's|^SYSCONFDIR\s*=.*|SYSCONFDIR="%{_sysconfdir}"|' $i
     perl -p -i -e 's|^PYTHONDIR\s*=.*|PYTHONDIR="%{python_sitelib}"|' $i
     perl -p -i -e 's|^PKGPYTHONDIR\s*=.*|PKGPYTHONDIR="%{python_sitelib}/mockbuild"|' $i
@@ -80,6 +168,10 @@ for i in docs/mock.1 docs/mock-parse-buildlog.1; do
     perl -p -i -e 's|\@VERSION\@|%{version}"|' $i
 done
 
+%if ! 0%{?azl}
+./precompile-bash-completion "mock.complete"
+%endif
+
 %install
 #base filesystem
 mkdir -p %{buildroot}%{_sysconfdir}/mock/eol/templates
@@ -104,6 +196,9 @@ cp -a etc/consolehelper/mock %{buildroot}%{_sysconfdir}/security/console.apps/%{
 
 install -d %{buildroot}%{_datadir}/bash-completion/completions/
 cp -a etc/bash_completion.d/* %{buildroot}%{_datadir}/bash-completion/completions/
+%if ! 0%{?azl}
+cp -a mock.complete %{buildroot}%{_datadir}/bash-completion/completions/mock
+%endif
 ln -s mock %{buildroot}%{_datadir}/bash-completion/completions/mock-parse-buildlog
 
 install -d %{buildroot}%{_sysconfdir}/pki/mock
@@ -132,8 +227,14 @@ getent group mock > /dev/null || groupadd -f -g %mockgid -r mock
 exit 0
 
 %check
-%{__python3} -m pip install pytest==7.1.2 pytest-cov==3.0.0
-./run-tests.sh
+%if %{with lint}
+# ignore the errors for now, just print them and hopefully somebody will fix it one day
+pylint-3 py/mockbuild/ py/*.py py/mockbuild/plugins/* || :
+%endif
+
+%if %{with tests}
+./run-tests.sh --no-cov
+%endif
 
 
 %files
@@ -172,14 +273,22 @@ exit 0
 %{_datadir}/cheat/mock
 
 # cache & build dirs
-%defattr(0775, root, mock, 02775)
+%defattr(0775, root, mock, 0775)
 %dir %{_localstatedir}/cache/mock
 %dir %{_localstatedir}/lib/mock
 
+%files scm
+%{python_sitelib}/mockbuild/scm.py*
+%{python3_sitelib}/mockbuild/__pycache__/scm.*.py*
+
 %files lvm
 %{python_sitelib}/mockbuild/plugins/lvm_root.*
 %{python3_sitelib}/mockbuild/plugins/__pycache__/lvm_root.*.py*
 
+%files rpmautospec
+%{python_sitelib}/mockbuild/plugins/rpmautospec.*
+%{python3_sitelib}/mockbuild/plugins/__pycache__/rpmautospec.*.py*
+
 %files filesystem
 %license COPYING
 %dir  %{_sysconfdir}/mock
@@ -189,6 +298,9 @@ exit 0
 %dir  %{_datadir}/cheat
 
 %changelog
+* Wed Aug 28 2024 Reuben Olinsky <reubeno@microsoft.com> - 5.6-1
+- Sync with Fedora 41 version of spec.
+
 * Fri Aug 26 2022 Muhammad Falak <mwani@microsoft.com> - 2.16-2
 - Add BR on `python3-pip` & drop un-needed deps to enable ptest
 
diff --git a/SPECS/mokutil/mokutil.spec b/SPECS/mokutil/mokutil.spec
index b5d9ca6e8ed..a1b9d93ac06 100644
--- a/SPECS/mokutil/mokutil.spec
+++ b/SPECS/mokutil/mokutil.spec
@@ -1,7 +1,7 @@
 Summary:        Tool to manage UEFI Secure Boot MoK Keys
 Name:           mokutil
 Version:        0.6.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPLv3+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -17,7 +17,6 @@ BuildRequires:  openssl
 BuildRequires:  openssl-devel
 BuildRequires:  which
 Conflicts:      shim < 0.8-1%{?dist}
-ExclusiveArch:  x86_64
 
 %description
 mokutil provides a tool to manage keys for Secure Boot through the MoK
@@ -43,6 +42,9 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
 %{_datadir}/bash-completion/completions/mokutil
 
 %changelog
+* Thu Sep 12 2024 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 0.6.0-2
+- Build mokutil for aarch64 also.
+
 * Fri Oct 27 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 0.6.0-1
 - Auto-upgrade to 0.6.0 - Azure Linux 3.0 - package upgrades
 
diff --git a/SPECS/multus/CVE-2023-3978.patch b/SPECS/multus/CVE-2023-3978.patch
new file mode 100755
index 00000000000..9b04a4f1b00
--- /dev/null
+++ b/SPECS/multus/CVE-2023-3978.patch
@@ -0,0 +1,78 @@
+From 8ffa475fbdb33da97e8bf79cc5791ee8751fca5e Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Thu, 06 Jul 2023 10:25:47 -0700
+Subject: [PATCH] html: only render content literally in the HTML namespace
+
+Per the WHATWG HTML specification, section 13.3, only append the literal
+content of a text node if we are in the HTML namespace.
+
+Thanks to Mohammad Thoriq Aziz for reporting this issue.
+
+Fixes golang/go#61615
+Fixes CVE-2023-3978
+
+Change-Id: I332152904d4e7646bd2441602bcbe591fc655fa4
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1942896
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Run-TryBot: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/514896
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Run-TryBot: Damien Neil <dneil@google.com>
+---
+
+diff --git a/vendor/golang.org/x/net/html/render.go b/vendor/golang.org/x/net/html/render.go
+index 8b28031..e8c1233 100644
+--- a/vendor/golang.org/x/net/html/render.go
++++ b/vendor/golang.org/x/net/html/render.go
+@@ -194,9 +194,8 @@
+ 		}
+ 	}
+ 
+-	// Render any child nodes.
+-	switch n.Data {
+-	case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
++	// Render any child nodes
++	if childTextNodesAreLiteral(n) {
+ 		for c := n.FirstChild; c != nil; c = c.NextSibling {
+ 			if c.Type == TextNode {
+ 				if _, err := w.WriteString(c.Data); err != nil {
+@@ -213,7 +212,7 @@
+ 			// last element in the file, with no closing tag.
+ 			return plaintextAbort
+ 		}
+-	default:
++	} else {
+ 		for c := n.FirstChild; c != nil; c = c.NextSibling {
+ 			if err := render1(w, c); err != nil {
+ 				return err
+@@ -231,6 +230,27 @@
+ 	return w.WriteByte('>')
+ }
+ 
++func childTextNodesAreLiteral(n *Node) bool {
++	// Per WHATWG HTML 13.3, if the parent of the current node is a style,
++	// script, xmp, iframe, noembed, noframes, or plaintext element, and the
++	// current node is a text node, append the value of the node's data
++	// literally. The specification is not explicit about it, but we only
++	// enforce this if we are in the HTML namespace (i.e. when the namespace is
++	// "").
++	// NOTE: we also always include noscript elements, although the
++	// specification states that they should only be rendered as such if
++	// scripting is enabled for the node (which is not something we track).
++	if n.Namespace != "" {
++		return false
++	}
++	switch n.Data {
++	case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
++		return true
++	default:
++		return false
++	}
++}
++
+ // writeQuoted writes s to w surrounded by quotes. Normally it will use double
+ // quotes, but if s contains a double quote, it will use single quotes.
+ // It is used for writing the identifiers in a doctype declaration.
diff --git a/SPECS/multus/multus.spec b/SPECS/multus/multus.spec
index b8eaa3d342b..0c2b495d1c5 100644
--- a/SPECS/multus/multus.spec
+++ b/SPECS/multus/multus.spec
@@ -19,7 +19,7 @@
 Summary:        CNI plugin providing multiple interfaces in containers
 Name:           multus
 Version:        4.0.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -27,6 +27,7 @@ Group:          System/Management
 URL:            https://github.com/intel/multus-cni
 Source0:        https://github.com/k8snetworkplumbingwg/multus-cni/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 %define commit efdc0a5c7d1ea4bb236d638403420448b48782b3
+Patch0:         CVE-2023-3978.patch
 BuildRequires:  golang
 BuildRequires:  golang-packaging
 
@@ -69,6 +70,9 @@ install -D -m0644 deployments/multus-daemonset-crio.yml %{buildroot}%{_datadir}/
 %{_datarootdir}/k8s-yaml/multus/multus.yaml
 
 %changelog
+* Wed Aug 21 2024 Sumedh Sharma <sumsharma@microsoft.com> - 4.0.2-2
+- Add patch to resolve CVE-2023-3978
+
 * Mon Jun 24 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 4.0.2-1
 - Auto-upgrade to 4.0.2 - upgrade to 4.0.2
 
diff --git a/SPECS/ncompress/ncompress.spec b/SPECS/ncompress/ncompress.spec
index 5c9aeb6dad3..d28fbbd14e7 100644
--- a/SPECS/ncompress/ncompress.spec
+++ b/SPECS/ncompress/ncompress.spec
@@ -1,13 +1,12 @@
 Summary:        A fast, simple LZW file compressor
 Name:           ncompress
 Version:        5.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        Unlicense
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL:            https://github.com/vapier/ncompress
-#Source0:       https://github.com/vapier/%{name}/archive/v%{version}.tar.gz
-Source0:        %{name}-%{version}.tar.gz
+Source0:        https://github.com/vapier/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 BuildRequires:  gcc
 BuildRequires:  glibc-devel
 BuildRequires:  make
@@ -47,5 +46,8 @@ make PREFIX=%{_prefix} DESTDIR=%{buildroot} install_core
 %{_mandir}/man1/*
 
 %changelog
+* Tue Sep 03 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 5.0-2
+- License verified.
+
 * Mon May 17 2021 Thomas Crain <thcrain@microsoft.com> - 5.0-1
 - Original version for CBL-Mariner
diff --git a/SPECS/nfs-utils/nfs-utils.spec b/SPECS/nfs-utils/nfs-utils.spec
index 769408f5176..6e166b5104e 100755
--- a/SPECS/nfs-utils/nfs-utils.spec
+++ b/SPECS/nfs-utils/nfs-utils.spec
@@ -1,7 +1,7 @@
 Summary:        NFS client utils
 Name:           nfs-utils
 Version:        2.6.4
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MIT and GPLv2 and GPLv2+ and BSD
 URL:            https://linux-nfs.org/
 Group:          Applications/Nfs-utils-client
@@ -82,6 +82,7 @@ sed -i 's/RPCGEN_PATH" =/rpcgen_path" =/' configure
             --enable-libmount-mount     \
             --without-tcp-wrappers      \
             --enable-gss                \
+            --enable-svcgss             \
             --enable-nfsv4              \
             --with-rpcgen=internal      \
             --disable-static
@@ -113,6 +114,8 @@ install -m644 systemd/nfs-idmapd.service %{buildroot}/lib/systemd/system/
 install -m644 systemd/rpc_pipefs.target  %{buildroot}/lib/systemd/system/
 install -m644 systemd/var-lib-nfs-rpc_pipefs.mount  %{buildroot}/lib/systemd/system/
 install -m644 systemd/rpc-svcgssd.service %{buildroot}/lib/systemd/system/
+install -m644 systemd/rpc-gssd.service %{buildroot}/lib/systemd/system/
+
 find %{buildroot}/%{_libdir} -name '*.la' -delete
 
 install -vdm755 %{buildroot}/usr/lib/systemd/system-preset
@@ -170,6 +173,10 @@ fi
 %{_libdir}/libnfsidmap.so
 
 %changelog
+* Mon Aug 26 2024 Suresh Thelkar <sthelkar@microsoft.com> - 2.6.4-3
+- Build nfs-utils to provide rsc.svcgssd service
+- Add rsc-gssd.service file to nfs-utils package
+
 * Tue Mar 12 2024 Rachel Menge <rachelmenge@microsoft.com> - 2.6.4-2
 - Cherry-pick fix post-install script to create nobody user instead of named user
 
diff --git a/SPECS/nginx/CVE-2024-7347.patch b/SPECS/nginx/CVE-2024-7347.patch
new file mode 100644
index 00000000000..bbfad40576a
--- /dev/null
+++ b/SPECS/nginx/CVE-2024-7347.patch
@@ -0,0 +1,78 @@
+From 7362d01658b61184108c21278443910da68f93b4 Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Mon, 12 Aug 2024 18:20:43 +0400
+Subject: [PATCH] Mp4: fixed buffer underread while updating stsz atom.
+
+While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer
+overflow could happen, which could result in incorrect seeking and a very large
+value stored in "samples".  This resulted in a large invalid value of
+trak->end_chunk_samples.  This value is further used to calculate the value of
+trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom().  While doing
+this, a large invalid value of trak->end_chunk_samples could result in reading
+memory before stsz atom start.  This could potentially result in a segfault.
+---
+ src/http/modules/ngx_http_mp4_module.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 03175dea21..1cd017c274 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -3099,7 +3099,8 @@ static ngx_int_t
+ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+     ngx_http_mp4_trak_t *trak, ngx_uint_t start)
+ {
+-    uint32_t               start_sample, chunk, samples, id, next_chunk, n,
++    uint64_t               n;
++    uint32_t               start_sample, chunk, samples, id, next_chunk,
+                            prev_samples;
+     ngx_buf_t             *data, *buf;
+     ngx_uint_t             entries, target_chunk, chunk_samples;
+@@ -3160,7 +3161,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+                        "samples:%uD, id:%uD",
+                        start_sample, chunk, next_chunk - chunk, samples, id);
+ 
+-        n = (next_chunk - chunk) * samples;
++        n = (uint64_t) (next_chunk - chunk) * samples;
+ 
+         if (start_sample < n) {
+             goto found;
+@@ -3182,7 +3183,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+                    "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD",
+                    start_sample, chunk, next_chunk - chunk, samples);
+ 
+-    n = (next_chunk - chunk) * samples;
++    n = (uint64_t) (next_chunk - chunk) * samples;
+ 
+     if (start_sample > n) {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+From 88955b1044ef38315b77ad1a509d63631a790a0f Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Mon, 12 Aug 2024 18:20:45 +0400
+Subject: [PATCH] Mp4: rejecting unordered chunks in stsc atom.
+
+Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk
+in ngx_http_mp4_crop_stsc_data().  Later in ngx_http_mp4_update_stco_atom()
+this caused buffer overread while trying to calculate trak->end_offset.
+---
+ src/http/modules/ngx_http_mp4_module.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 1cd017c274..041ad263b5 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -3156,6 +3156,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+ 
+         next_chunk = ngx_mp4_get_32value(entry->chunk);
+ 
++        if (next_chunk < chunk) {
++            ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                          "unordered mp4 stsc chunks in \"%s\"",
++                          mp4->file.name.data);
++            return NGX_ERROR;
++        }
++
+         ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
+                        "sample:%uD, chunk:%uD, chunks:%uD, "
+                        "samples:%uD, id:%uD",
diff --git a/SPECS/nginx/nginx.spec b/SPECS/nginx/nginx.spec
index 8ead0b62f79..20e10896fa9 100644
--- a/SPECS/nginx/nginx.spec
+++ b/SPECS/nginx/nginx.spec
@@ -6,7 +6,7 @@ Name:           nginx
 # Currently on "stable" version of nginx from https://nginx.org/en/download.html.
 # Note: Stable versions are even (1.20), mainline versions are odd (1.21)
 Version:        1.25.4
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD-2-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -15,6 +15,7 @@ URL:            https://nginx.org/
 Source0:        https://nginx.org/download/%{name}-%{version}.tar.gz
 Source1:        nginx.service
 Source2:        https://github.com/nginx/njs/archive/refs/tags/%{njs_version}.tar.gz#/%{name}-njs-%{njs_version}.tar.gz
+Patch0:         CVE-2024-7347.patch
 BuildRequires:  libxml2-devel
 BuildRequires:  libxslt-devel
 BuildRequires:  openssl-devel
@@ -127,6 +128,9 @@ exit 0
 %dir %{_sysconfdir}/%{name}
 
 %changelog
+* Tue Aug 20 2024 Cameron Baird <cameronbaird@microsoft.com> - 1.25.1-2
+- Fix CVE-2024-7347
+
 * Wed Mar 20 2024 Betty Lakes <bettylakes@microsoft.com> - 1.25.4-1
 - Upgrade to 1.25.4, upgrade njs to 0.8.3
 - Move from pcre to pcre2
diff --git a/SPECS/nodejs/CVE-2019-10906.patch b/SPECS/nodejs/CVE-2019-10906.patch
new file mode 100644
index 00000000000..e4aca456fc5
--- /dev/null
+++ b/SPECS/nodejs/CVE-2019-10906.patch
@@ -0,0 +1,197 @@
+From ce71e5f5911b12ebc36711a7d86dab0a11bd1c4d Mon Sep 17 00:00:00 2001
+From: Suresh Thelkar <sthelkar@microsoft.com>
+Date: Fri, 20 Sep 2024 09:55:21 +0530
+Subject: [PATCH] Changed needed to upgrade jinja2 to 2.10.1
+
+---
+ .../jinja2/Jinja2-2.10.1.tar.gz.md5           |  1 +
+ .../jinja2/Jinja2-2.10.1.tar.gz.sha512        |  1 +
+ .../jinja2/Jinja2-2.10.tar.gz.md5             |  1 -
+ .../jinja2/Jinja2-2.10.tar.gz.sha512          |  1 -
+ tools/inspector_protocol/jinja2/LICENSE       | 62 +++++++++----------
+ tools/inspector_protocol/jinja2/__init__.py   |  2 +-
+ tools/inspector_protocol/jinja2/get_jinja2.sh |  4 +-
+ tools/inspector_protocol/jinja2/sandbox.py    | 17 ++++-
+ 8 files changed, 50 insertions(+), 39 deletions(-)
+ create mode 100644 tools/inspector_protocol/jinja2/Jinja2-2.10.1.tar.gz.md5
+ create mode 100644 tools/inspector_protocol/jinja2/Jinja2-2.10.1.tar.gz.sha512
+ delete mode 100644 tools/inspector_protocol/jinja2/Jinja2-2.10.tar.gz.md5
+ delete mode 100644 tools/inspector_protocol/jinja2/Jinja2-2.10.tar.gz.sha512
+
+diff --git a/tools/inspector_protocol/jinja2/Jinja2-2.10.1.tar.gz.md5 b/tools/inspector_protocol/jinja2/Jinja2-2.10.1.tar.gz.md5
+new file mode 100644
+index 00000000..254f4371
+--- /dev/null
++++ b/tools/inspector_protocol/jinja2/Jinja2-2.10.1.tar.gz.md5
+@@ -0,0 +1 @@
++0ae535be40fd215a8114a090c8b68e5a  Jinja2-2.10.1.tar.gz
+\ No newline at end of file
+diff --git a/tools/inspector_protocol/jinja2/Jinja2-2.10.1.tar.gz.sha512 b/tools/inspector_protocol/jinja2/Jinja2-2.10.1.tar.gz.sha512
+new file mode 100644
+index 00000000..7c379ff1
+--- /dev/null
++++ b/tools/inspector_protocol/jinja2/Jinja2-2.10.1.tar.gz.sha512
+@@ -0,0 +1 @@
++a00153a0e07bb7d67f301b4eaf7af657726a1985e9ffc7ae2d76bdbb4c062d672efc8065e398767e1039b18a483a0092e206deac91e4047aad64920b56869623  Jinja2-2.10.1.tar.gz
+\ No newline at end of file
+diff --git a/tools/inspector_protocol/jinja2/Jinja2-2.10.tar.gz.md5 b/tools/inspector_protocol/jinja2/Jinja2-2.10.tar.gz.md5
+deleted file mode 100644
+index 9137ee12..00000000
+--- a/tools/inspector_protocol/jinja2/Jinja2-2.10.tar.gz.md5
++++ /dev/null
+@@ -1 +0,0 @@
+-61ef1117f945486472850819b8d1eb3d  Jinja2-2.10.tar.gz
+diff --git a/tools/inspector_protocol/jinja2/Jinja2-2.10.tar.gz.sha512 b/tools/inspector_protocol/jinja2/Jinja2-2.10.tar.gz.sha512
+deleted file mode 100644
+index 087d24c1..00000000
+--- a/tools/inspector_protocol/jinja2/Jinja2-2.10.tar.gz.sha512
++++ /dev/null
+@@ -1 +0,0 @@
+-0ea7371be67ffcf19e46dfd06523a45a0806e678a407d54f5f2f3e573982f0959cf82ec5d07b203670309928a62ef71109701ab16547a9bba2ebcdc178cb67f2  Jinja2-2.10.tar.gz
+diff --git a/tools/inspector_protocol/jinja2/LICENSE b/tools/inspector_protocol/jinja2/LICENSE
+index 31bf900e..10145a26 100644
+--- a/tools/inspector_protocol/jinja2/LICENSE
++++ b/tools/inspector_protocol/jinja2/LICENSE
+@@ -1,31 +1,31 @@
+-Copyright (c) 2009 by the Jinja Team, see AUTHORS for more details.
+-
+-Some rights reserved.
+-
+-Redistribution and use in source and binary forms, with or without
+-modification, are permitted provided that the following conditions are
+-met:
+-
+-    * Redistributions of source code must retain the above copyright
+-      notice, this list of conditions and the following disclaimer.
+-
+-    * Redistributions in binary form must reproduce the above
+-      copyright notice, this list of conditions and the following
+-      disclaimer in the documentation and/or other materials provided
+-      with the distribution.
+-
+-    * The names of the contributors may not be used to endorse or
+-      promote products derived from this software without specific
+-      prior written permission.
+-
+-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++Copyright (c) 2009 by the Jinja Team, see AUTHORS for more details.
++
++Some rights reserved.
++
++Redistribution and use in source and binary forms, with or without
++modification, are permitted provided that the following conditions are
++met:
++
++    * Redistributions of source code must retain the above copyright
++      notice, this list of conditions and the following disclaimer.
++
++    * Redistributions in binary form must reproduce the above
++      copyright notice, this list of conditions and the following
++      disclaimer in the documentation and/or other materials provided
++      with the distribution.
++
++    * The names of the contributors may not be used to endorse or
++      promote products derived from this software without specific
++      prior written permission.
++
++THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
++A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
++OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+diff --git a/tools/inspector_protocol/jinja2/__init__.py b/tools/inspector_protocol/jinja2/__init__.py
+index 42aa763d..15e13b6f 100644
+--- a/tools/inspector_protocol/jinja2/__init__.py
++++ b/tools/inspector_protocol/jinja2/__init__.py
+@@ -27,7 +27,7 @@
+     :license: BSD, see LICENSE for more details.
+ """
+ __docformat__ = 'restructuredtext en'
+-__version__ = '2.10'
++__version__ = '2.10.1'
+ 
+ # high level interface
+ from jinja2.environment import Environment, Template
+diff --git a/tools/inspector_protocol/jinja2/get_jinja2.sh b/tools/inspector_protocol/jinja2/get_jinja2.sh
+index bc6c4c30..b0fa6e8e 100755
+--- a/tools/inspector_protocol/jinja2/get_jinja2.sh
++++ b/tools/inspector_protocol/jinja2/get_jinja2.sh
+@@ -7,8 +7,8 @@
+ # Download page:
+ # https://pypi.python.org/pypi/Jinja2
+ PACKAGE='Jinja2'
+-VERSION='2.10'
+-SRC_URL='https://pypi.python.org/packages/56/e6/332789f295cf22308386cf5bbd1f4e00ed11484299c5d7383378cf48ba47/Jinja2-2.10.tar.gz'
++VERSION='2.10.1'
++SRC_URL='https://files.pythonhosted.org/packages/93/ea/d884a06f8c7f9b7afbc8138b762e80479fb17aedbbe2b06515a12de9378d/Jinja2-2.10.1.tar.gz'
+ PACKAGE_DIR='jinja2'
+ 
+ CHROMIUM_FILES="README.chromium OWNERS get_jinja2.sh"
+diff --git a/tools/inspector_protocol/jinja2/sandbox.py b/tools/inspector_protocol/jinja2/sandbox.py
+index 93fb9d45..752e8128 100644
+--- a/tools/inspector_protocol/jinja2/sandbox.py
++++ b/tools/inspector_protocol/jinja2/sandbox.py
+@@ -137,7 +137,7 @@ class _MagicFormatMapping(Mapping):
+ def inspect_format_method(callable):
+     if not isinstance(callable, (types.MethodType,
+                                  types.BuiltinMethodType)) or \
+-       callable.__name__ != 'format':
++       callable.__name__ not in ('format', 'format_map'):
+         return None
+     obj = callable.__self__
+     if isinstance(obj, string_types):
+@@ -402,7 +402,7 @@ class SandboxedEnvironment(Environment):
+             obj.__class__.__name__
+         ), name=attribute, obj=obj, exc=SecurityError)
+ 
+-    def format_string(self, s, args, kwargs):
++    def format_string(self, s, args, kwargs, format_func=None):
+         """If a format call is detected, then this is routed through this
+         method so that our safety sandbox can be used for it.
+         """
+@@ -410,6 +410,17 @@ class SandboxedEnvironment(Environment):
+             formatter = SandboxedEscapeFormatter(self, s.escape)
+         else:
+             formatter = SandboxedFormatter(self)
++
++        if format_func is not None and format_func.__name__ == 'format_map':
++            if len(args) != 1 or kwargs:
++                raise TypeError(
++                    'format_map() takes exactly one argument %d given'
++                    % (len(args) + (kwargs is not None))
++                )
++
++            kwargs = args[0]
++            args = None
++
+         kwargs = _MagicFormatMapping(args, kwargs)
+         rv = formatter.vformat(s, args, kwargs)
+         return type(s)(rv)
+@@ -418,7 +429,7 @@ class SandboxedEnvironment(Environment):
+         """Call an object from sandboxed code."""
+         fmt = inspect_format_method(__obj)
+         if fmt is not None:
+-            return __self.format_string(fmt, args, kwargs)
++            return __self.format_string(fmt, args, kwargs, __obj)
+ 
+         # the double prefixes are to avoid double keyword argument
+         # errors when proxying the call.
+-- 
+2.34.1
+
diff --git a/SPECS/nodejs/nodejs.spec b/SPECS/nodejs/nodejs.spec
index de76f2f240f..88a9525b319 100644
--- a/SPECS/nodejs/nodejs.spec
+++ b/SPECS/nodejs/nodejs.spec
@@ -5,7 +5,7 @@ Name:           nodejs
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        20.14.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD AND MIT AND Public Domain AND NAIST-2003 AND Artistic-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -16,6 +16,7 @@ URL:            https://github.com/nodejs/node
 # !!!  => use generate_source_tarball.sh script to create a clean and reproducible source tarball.
 Source0:        https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz
 Patch0:         disable-tlsv1-tlsv1-1.patch
+Patch1:         CVE-2019-10906.patch
 BuildRequires:  brotli-devel
 BuildRequires:  c-ares-devel
 BuildRequires:  coreutils >= 8.22
@@ -127,6 +128,9 @@ make cctest
 %{_prefix}/lib/node_modules/*
 
 %changelog
+* Thu Sep 19 2024 Suresh Thelkar <sthelkar@microsoft.com> - 20.14.0-2
+- Patch CVE-2019-10906
+
 * Fri Jun 07 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 20.14.0-1
 - Upgrade to 20.14.0 to address CVEs
 
diff --git a/SPECS/nss/nss.spec b/SPECS/nss/nss.spec
index dd8dca71d0f..9dda38e748b 100644
--- a/SPECS/nss/nss.spec
+++ b/SPECS/nss/nss.spec
@@ -8,13 +8,12 @@
     %{buildroot}%{unsupported_tools_directory}/shlibsign -i %{buildroot}%{_libdir}/libsoftokn3.so \
     %{buildroot}%{unsupported_tools_directory}/shlibsign -i %{buildroot}%{_libdir}/libfreeblpriv3.so \
     %{buildroot}%{unsupported_tools_directory}/shlibsign -i %{buildroot}%{_libdir}/libfreebl3.so \
-    %{buildroot}%{unsupported_tools_directory}/shlibsign -i %{buildroot}%{_libdir}/libnssdbm3.so \
     %{nil}
 
 Summary:        Security client
 Name:           nss
 Version:        3.96.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MPLv2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -96,7 +95,8 @@ make VERBOSE=1 BUILD_OPT=1 \
     ZLIB_LIBS=-lz \
     USE_64=1 \
     NSS_ENABLE_WERROR=0 \
-    $([ -f %{_includedir}/sqlite3.h ] && echo NSS_USE_SYSTEM_SQLITE=1)
+    NSS_USE_SYSTEM_SQLITE=1 \
+    NSS_DISABLE_DBM=1
 popd
 
 cat %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
@@ -215,6 +215,9 @@ popd
 %{_bindir}/ssltap
 
 %changelog
+* Tue Aug 27 2024 Chris Gunn <chrisgun@microsoft.com> - 3.96.1-3
+- Disable building DBM backend.
+
 * Fri Jun 07 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 3.96.1-2
 - Remove dependency on 'libdb'.
 
diff --git a/SPECS/numpy/numpy.spec b/SPECS/numpy/numpy.spec
index f5714b833b1..98594cba842 100644
--- a/SPECS/numpy/numpy.spec
+++ b/SPECS/numpy/numpy.spec
@@ -5,7 +5,7 @@
 Summary:        A fast multidimensional array facility for Python
 Name:           numpy
 Version:        1.26.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 # Everything is BSD except for class SafeEval in numpy/lib/utils.py which is Python
 License:        BSD AND Python AND ASL 2.0
 Vendor:         Microsoft Corporation
@@ -36,8 +36,11 @@ BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  gcc-gfortran
 BuildRequires:  lapack-devel
+BuildRequires:  ninja-build
 BuildRequires:  python3-Cython
 BuildRequires:  python3-devel
+BuildRequires:  python3-pip
+BuildRequires:  python3-pyproject-metadata
 BuildRequires:  python3-setuptools
 Provides:       libnpymath-static = %{version}-%{release}
 Provides:       libnpymath-static%{?_isa} = %{version}-%{release}
@@ -45,7 +48,9 @@ Provides:       numpy = %{version}-%{release}
 Provides:       numpy%{?_isa} = %{version}-%{release}
 %if 0%{?with_check}
 BuildRequires:  meson
-BuildRequires:  python3-pip
+BuildRequires:  python3-hypothesis
+BuildRequires:  python3-pytest
+BuildRequires:  python3-typing-extensions
 %endif
 
 %description -n python3-numpy
@@ -99,10 +104,7 @@ EOF
 %build
 %set_build_flags
 
-env OPENBLAS=%{_libdir} \
-    BLAS=%{_libdir} \
-    LAPACK=%{_libdir} CFLAGS="%{optflags}" \
-    %{__python3} setup.py build
+%pyproject_wheel -Csetup-args=-Dblas=%{blaslib} -Csetup-args=-Dlapack=lapack
 
 %install
 mkdir docs
@@ -110,31 +112,23 @@ pushd docs
 unzip %{SOURCE1}
 popd
 
-#%%{__python3} setup.py install -O1 --skip-build --root %%{buildroot}
-# skip-build currently broken, this works around it for now
-env OPENBLAS=%{_libdir} \
-    FFTW=%{_libdir} BLAS=%{_libdir} \
-    LAPACK=%{_libdir} CFLAGS="%{optflags}" \
-    %{__python3} setup.py install --root %{buildroot} --prefix=%{_prefix}
-ln -s f2py3 %{buildroot}%{_bindir}/f2py.numpy
+%pyproject_install
+pushd %{buildroot}%{_bindir} &> /dev/null
+ln -s f2py f2py3
+ln -s f2py f2py%{python3_version}
+ln -s f2py3 f2py.numpy
+popd &> /dev/null
 
 #symlink for includes, BZ 185079
 mkdir -p %{buildroot}%{_includedir}
 ln -s %{python3_sitearch}/%{name}/core/include/numpy/ %{buildroot}%{_includedir}/numpy
 
-# distutils from setuptools don't have the patch that was created to avoid standard runpath here
-# we strip it manually instead
-# ERROR   0001: file '...' contains a standard runpath '/usr/lib64' in [/usr/lib64]
-chrpath --delete %{buildroot}%{python3_sitearch}/%{name}/core/_multiarray_umath.*.so
-chrpath --delete %{buildroot}%{python3_sitearch}/%{name}/linalg/lapack_lite.*.so
-chrpath --delete %{buildroot}%{python3_sitearch}/%{name}/linalg/_umath_linalg.*.so
-
 
 %check
 export PYTHONPATH=%{buildroot}%{python3_sitearch}
 
-# Hypothesis 6.72.0 introduced a deprecation error for "Healthcheck.all()" which fails the test run
-pip install 'pytest==7.2' 'hypothesis<6.72.0' typing-extensions
+# Freezing package versions to keep the tests stable.
+pip3 install iniconfig==2.0.0 sortedcontainers==2.4.0
 
 # test_ppc64_ibm_double_double128 is unnecessary now that ppc64le has switched long doubles to IEEE format.
 # https://github.com/numpy/numpy/issues/21094
@@ -150,7 +144,6 @@ python3 runtests.py --no-build -- -ra -k 'not test_ppc64_ibm_double_double128'
 %dir %{python3_sitearch}/%{name}
 %{python3_sitearch}/%{name}/*.py*
 %{python3_sitearch}/%{name}/core
-%{python3_sitearch}/%{name}/distutils
 %{python3_sitearch}/%{name}/doc
 %{python3_sitearch}/%{name}/fft
 %{python3_sitearch}/%{name}/lib
@@ -162,8 +155,7 @@ python3 runtests.py --no-build -- -ra -k 'not test_ppc64_ibm_double_double128'
 %{python3_sitearch}/%{name}/compat
 %{python3_sitearch}/%{name}/matrixlib
 %{python3_sitearch}/%{name}/polynomial
-%{python3_sitearch}/%{name}-*.egg-info
-%exclude %{python3_sitearch}/%{name}/LICENSE.txt
+%{python3_sitearch}/%{name}-*.dist-info
 %{_includedir}/numpy
 %{python3_sitearch}/%{name}/__init__.pxd
 %{python3_sitearch}/%{name}/__init__.cython-30.pxd
@@ -175,13 +167,21 @@ python3 runtests.py --no-build -- -ra -k 'not test_ppc64_ibm_double_double128'
 
 %files -n python3-numpy-f2py
 %{_bindir}/f2py
+%{_bindir}/f2py3
 %{_bindir}/f2py.numpy
+%{_bindir}/f2py%{python3_version}
 %{python3_sitearch}/%{name}/f2py
 
 %files -n python3-numpy-doc
 %doc docs/*
 
 %changelog
+* Tue Aug 27 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.26.3-3
+- Fix package tests.
+- Update to build using python3-pyproject-metadata.
+- Align the python3-numpy-f2py file links with Fedora.
+- Using Fedora 40 (license: MIT) for guidance.
+
 * Fri Feb 16 2024 Andrew Phelps <anphel@microsoft.com> - 1.26.3-2
 - Remove restriction on python3-setuptools < 60
 
diff --git a/SPECS/ocaml-augeas/ocaml-augeas.signatures.json b/SPECS/ocaml-augeas/ocaml-augeas.signatures.json
index 7ed6b12b03f..754de9ffb0c 100644
--- a/SPECS/ocaml-augeas/ocaml-augeas.signatures.json
+++ b/SPECS/ocaml-augeas/ocaml-augeas.signatures.json
@@ -1,7 +1,5 @@
 {
  "Signatures": {
-  "macros.ocaml-rpm": "82a9a732cffc1b5a87c240ca0637820967f9a9e7af704998e3ed5966e4ed3b67",
-  "ocaml-augeas-0.6.tar.gz": "8aba99ddacd08768ebeef4a2138361d13b41a30317fce7503140cd86a1307611",
-  "ocaml_files.py": "f5022a06638d7ba9f20863358e20e91de9d90f71d14e97e6cea99b18db3d6a8b"
+  "ocaml-augeas-0.6.tar.gz": "8aba99ddacd08768ebeef4a2138361d13b41a30317fce7503140cd86a1307611"
  }
-}
\ No newline at end of file
+}
diff --git a/SPECS/ocaml-camlp-streams/ocaml-camlp-streams.spec b/SPECS/ocaml-camlp-streams/ocaml-camlp-streams.spec
index 155f0a57665..55543f0a9f0 100644
--- a/SPECS/ocaml-camlp-streams/ocaml-camlp-streams.spec
+++ b/SPECS/ocaml-camlp-streams/ocaml-camlp-streams.spec
@@ -7,10 +7,12 @@ ExcludeArch: %{ix86}
 
 Name:           ocaml-camlp-streams
 Version:        5.0.1
-Release:        13%{?dist}
+Release:        14%{?dist}
 Summary:        Stream and Genlex libraries for OCaml
 License:        LGPL-2.1-only WITH OCaml-LGPL-linking-exception
 URL:            https://github.com/ocaml/camlp-streams
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        %{url}/archive/v%{version}/camlp-streams-%{version}.tar.gz
 
 BuildRequires:  ocaml >= 5.1.1
@@ -65,6 +67,9 @@ files for developing applications that use %{name}.
 %files devel -f .ofiles-devel
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 5.0.1-14
+- Add missing Vendor and Distribution tags.
+
 * Mon May 06 2024 Mykhailo Bykhovtsev <mbykhovtsev@microsoft.com> - 5.0.1-13
 - Initial Azure Linux import from Fedora 41 (license: MIT)
 - License verified
@@ -106,4 +111,4 @@ files for developing applications that use %{name}.
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 
 * Tue Jul  5 2022 Jerry James <loganjerry@gmail.com> - 5.0.1-1
-- Initial RPM (rhbz#2104283)
\ No newline at end of file
+- Initial RPM (rhbz#2104283)
diff --git a/SPECS/openldap/openldap.spec b/SPECS/openldap/openldap.spec
index 15d962cb6d4..a0cfb01b559 100644
--- a/SPECS/openldap/openldap.spec
+++ b/SPECS/openldap/openldap.spec
@@ -3,7 +3,7 @@
 Summary:        OpenLDAP (Lightweight Directory Access Protocol)
 Name:           openldap
 Version:        2.6.7
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        OpenLDAP
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -40,7 +40,7 @@ export CPPFLAGS="${CPPFLAGS} -D_REENTRANT -DLDAP_CONNECTIONLESS -D_GNU_SOURCE -D
         --disable-static    \
         --enable-dynamic    \
         --disable-debug     \
-        --disable-slapd     \
+        --enable-slapd      \
         --with-tls=openssl
 %make_build depend
 %make_build
@@ -59,6 +59,8 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %defattr(-,root,root)
 %license LICENSE
 %{_bindir}/*
+%{_sbindir}/*
+%{_libexecdir}/*
 %{_libdir}/*.so*
 %{_includedir}/*
 %{_libdir}/pkgconfig/lber.pc
@@ -70,6 +72,9 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_sysconfdir}/openldap/*
 
 %changelog
+* Wed Sep 25 2024 Muhammad Falak <mwani@microsoft.com> - 2.6.7-2
+- Configure with `--enable-slapd` to enable slapd
+
 * Thu Feb 01 2024 Thien Trung Vuong <tvuong@microsoft.com> - 2.6.7-1
 - Upgrade to version 2.6.7 - Package upgrade for Azure Linux 3.0
 - Add patch to resolve reference to ber_sockbuf_io_udp
diff --git a/SPECS/opensc/opensc.spec b/SPECS/opensc/opensc.spec
index 388c33a994b..d8cae5149d2 100644
--- a/SPECS/opensc/opensc.spec
+++ b/SPECS/opensc/opensc.spec
@@ -1,11 +1,12 @@
 Name:           opensc
 Version:        0.25.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Smart card library and applications
 
 License:        LGPL-2.1-or-later AND BSD-3-Clause
-Vendor:         Microsoft Corporation
 URL:            https://github.com/OpenSC/OpenSC/wiki
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        https://github.com/OpenSC/OpenSC/releases/download/%{version}/%{name}-%{version}.tar.gz
 Source1:        opensc.module
 Patch1:         opensc-0.19.0-pinpad.patch
@@ -202,6 +203,9 @@ rm %{buildroot}%{_mandir}/man1/opensc-notify.1*
 
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.25.1-4
+- Add missing Distribution tag.
+
 * Tue May 07 2024 Tobias Brick <tobiasb@microsoft.com> - 0.25.1-3
 - Imported from fedora rawhide
 - Remove fedora and rhel macro usage
@@ -218,7 +222,7 @@ rm %{buildroot}%{_mandir}/man1/opensc-notify.1*
 
 * Tue Jul 12 2022 Olivia Crain <oliviacrain@microsoft.com> - 0.22.0-2
 - test-pkcs11-tool-test-threads is marked as xfail upstream- remove Fedora-specific line un-xfailing the test
-- Remove obsoletes for packages Mariner has never shipped 
+- Remove obsoletes for packages Mariner has never shipped
 - Remove Fedora, RHEL, multilib compatibility code
 - Lint spec
 
diff --git a/SPECS/openssl/CVE-2024-5535.patch b/SPECS/openssl/CVE-2024-5535.patch
deleted file mode 100644
index 56a0066d7e7..00000000000
--- a/SPECS/openssl/CVE-2024-5535.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From 4ada436a1946cbb24db5ab4ca082b69c1bc10f37 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:14:33 +0100
-Subject: [PATCH] Fix SSL_select_next_proto
-
-Ensure that the provided client list is non-NULL and starts with a valid
-entry. When called from the ALPN callback the client list should already
-have been validated by OpenSSL so this should not cause a problem. When
-called from the NPN callback the client list is locally configured and
-will not have already been validated. Therefore SSL_select_next_proto
-should not assume that it is correctly formatted.
-
-We implement stricter checking of the client protocol list. We also do the
-same for the server list while we are about it.
-
-CVE-2024-5535
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24718)
----
- ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
- 1 file changed, 40 insertions(+), 23 deletions(-)
-
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 5493d9b9c7c2d..f218dcf1dbcdb 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -2953,37 +2953,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
-                           unsigned int server_len,
-                           const unsigned char *client, unsigned int client_len)
- {
--    unsigned int i, j;
--    const unsigned char *result;
--    int status = OPENSSL_NPN_UNSUPPORTED;
-+    PACKET cpkt, csubpkt, spkt, ssubpkt;
-+
-+    if (!PACKET_buf_init(&cpkt, client, client_len)
-+            || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
-+            || PACKET_remaining(&csubpkt) == 0) {
-+        *out = NULL;
-+        *outlen = 0;
-+        return OPENSSL_NPN_NO_OVERLAP;
-+    }
-+
-+    /*
-+     * Set the default opportunistic protocol. Will be overwritten if we find
-+     * a match.
-+     */
-+    *out = (unsigned char *)PACKET_data(&csubpkt);
-+    *outlen = (unsigned char)PACKET_remaining(&csubpkt);
- 
-     /*
-      * For each protocol in server preference order, see if we support it.
-      */
--    for (i = 0; i < server_len;) {
--        for (j = 0; j < client_len;) {
--            if (server[i] == client[j] &&
--                memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
--                /* We found a match */
--                result = &server[i];
--                status = OPENSSL_NPN_NEGOTIATED;
--                goto found;
-+    if (PACKET_buf_init(&spkt, server, server_len)) {
-+        while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
-+            if (PACKET_remaining(&ssubpkt) == 0)
-+                continue; /* Invalid - ignore it */
-+            if (PACKET_buf_init(&cpkt, client, client_len)) {
-+                while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
-+                    if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
-+                                     PACKET_remaining(&ssubpkt))) {
-+                        /* We found a match */
-+                        *out = (unsigned char *)PACKET_data(&ssubpkt);
-+                        *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
-+                        return OPENSSL_NPN_NEGOTIATED;
-+                    }
-+                }
-+                /* Ignore spurious trailing bytes in the client list */
-+            } else {
-+                /* This should never happen */
-+                return OPENSSL_NPN_NO_OVERLAP;
-             }
--            j += client[j];
--            j++;
-         }
--        i += server[i];
--        i++;
-+        /* Ignore spurious trailing bytes in the server list */
-     }
- 
--    /* There's no overlap between our protocols and the server's list. */
--    result = client;
--    status = OPENSSL_NPN_NO_OVERLAP;
--
-- found:
--    *out = (unsigned char *)result + 1;
--    *outlen = result[0];
--    return status;
-+    /*
-+     * There's no overlap between our protocols and the server's list. We use
-+     * the default opportunistic protocol selected earlier
-+     */
-+    return OPENSSL_NPN_NO_OVERLAP;
- }
- 
- #ifndef OPENSSL_NO_NEXTPROTONEG
diff --git a/SPECS/openssl/openssl.signatures.json b/SPECS/openssl/openssl.signatures.json
index 8b5e951dda4..ce0d3dce97d 100644
--- a/SPECS/openssl/openssl.signatures.json
+++ b/SPECS/openssl/openssl.signatures.json
@@ -5,6 +5,6 @@
   "configuration-prefix.h": "11aba0dcfab381269e7e6ba1fdde1e4e8dfe51e39d8c7a2918f3b28a32cb98fd",
   "configuration-switch.h": "400439d7e8c551e7d5de8bfc648dcc0ddf6f4a7552750af4813449f68941b928",
   "genpatches": "9da7f988d4378adf499b1322e79f29e94c889c4bf10cd6e79e6991b673de2463",
-  "openssl-3.3.0.tar.gz": "53e66b043322a606abf0087e7699a0e033a37fa13feb9742df35c3a33b18fb02"
+  "openssl-3.3.2.tar.gz": "2e8a40b01979afe8be0bbfb3de5dc1c6709fedb46d6c89c10da114ab5fc3d281"
  }
 }
diff --git a/SPECS/openssl/openssl.spec b/SPECS/openssl/openssl.spec
index 6a8d0e33f9f..4f88a92e6d5 100644
--- a/SPECS/openssl/openssl.spec
+++ b/SPECS/openssl/openssl.spec
@@ -8,11 +8,11 @@
 
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 3.3.0
-Release: 2%{?dist}
+Version: 3.3.2
+Release: 1%{?dist}
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
-Source: https://www.openssl.org/source/openssl-%{version}.tar.gz
+Source: https://github.com/openssl/openssl/releases/download/openssl-%{version}/openssl-%{version}.tar.gz
 Source2: Makefile.certificate
 Source3: genpatches
 Source9: configuration-switch.h
@@ -62,8 +62,6 @@ Patch52:  0052-Allow-SHA1-in-seclevel-1-if-rh-allow-sha1-signatures.patch
 # # See notes in the patch for details, but this patch will not be needed if
 # # the openssl issue https://github.com/openssl/openssl/issues/7048 is ever implemented and released.
 Patch80:  0001-Replacing-deprecated-functions-with-NULL-or-highest.patch
-# Remove if we upgrade to 3.3.2 to or later. https://www.openssl.org/news/secadv/20240627.txt
-Patch81:  CVE-2024-5535.patch
 
 License: Apache-2.0
 URL: http://www.openssl.org/
@@ -360,6 +358,9 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu Sep 19 2024 Tobias Brick <tobiasb@microsoft.com> - 3.3.2-1
+- Upgrade to 3.3.2
+
 * Fri Jul 12 2024 Suresh Thelkar <sthelkar@microsoft.com> - 3.3.0-2
 - Patch CVE-2023-5535
 
diff --git a/SPECS/pam_krb5/pam_krb5.spec b/SPECS/pam_krb5/pam_krb5.spec
index a58eedee655..6417808fce0 100644
--- a/SPECS/pam_krb5/pam_krb5.spec
+++ b/SPECS/pam_krb5/pam_krb5.spec
@@ -1,10 +1,12 @@
 Summary:        A Pluggable Authentication Module for Kerberos 5
 Name:           pam_krb5
 Version:        4.11
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD OR LGPLv2+
 Group:          System/Libraries
 URL:            https://github.com/rra/pam-krb5
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        %{url}/archive/refs/tags/upstream/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch0001:      0001-Drop-module-long-test.patch
 BuildRequires:  byacc
@@ -56,6 +58,9 @@ make check
 %{_mandir}/man5/*
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 4.11-3
+- Add missing Vendor and Distribution tags.
+
 * Wed Jul 20 2022 Henry Li <lihl@microsoft.com> - 4.11-2
 - Initial CBL-Mariner import from Fedora 37 (license: MIT)
 - License verified
diff --git a/SPECS/perl-Algorithm-C3/perl-Algorithm-C3.signatures.json b/SPECS/perl-Algorithm-C3/perl-Algorithm-C3.signatures.json
new file mode 100644
index 00000000000..66bab17ad01
--- /dev/null
+++ b/SPECS/perl-Algorithm-C3/perl-Algorithm-C3.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "perl-Algorithm-C3-0.11.tar.gz": "aaf48467765deea6e48054bc7d43e46e4d40cbcda16552c629d37be098289309"
+ }
+}
diff --git a/SPECS-EXTENDED/perl-Algorithm-C3/perl-Algorithm-C3.spec b/SPECS/perl-Algorithm-C3/perl-Algorithm-C3.spec
similarity index 97%
rename from SPECS-EXTENDED/perl-Algorithm-C3/perl-Algorithm-C3.spec
rename to SPECS/perl-Algorithm-C3/perl-Algorithm-C3.spec
index d9902227291..5fc23e06e2e 100644
--- a/SPECS-EXTENDED/perl-Algorithm-C3/perl-Algorithm-C3.spec
+++ b/SPECS/perl-Algorithm-C3/perl-Algorithm-C3.spec
@@ -1,6 +1,6 @@
 Name:		perl-Algorithm-C3
-Version:	0.10
-Release:	18%{?dist}
+Version:	0.11
+Release:	1%{?dist}
 Summary:	Module for merging hierarchies using the C3 algorithm
 License:	GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -51,6 +51,11 @@ make test
 %{_mandir}/man3/Algorithm::C3.3*
 
 %changelog
+* Wed Aug 28 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.11-1
+- Promote package to Core repository.
+- License verified.
+- Upgrade to v0.11
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.10-18
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-B-Hooks-OP-Check/perl-B-Hooks-OP-Check.signatures.json b/SPECS/perl-B-Hooks-OP-Check/perl-B-Hooks-OP-Check.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-B-Hooks-OP-Check/perl-B-Hooks-OP-Check.signatures.json
rename to SPECS/perl-B-Hooks-OP-Check/perl-B-Hooks-OP-Check.signatures.json
diff --git a/SPECS-EXTENDED/perl-B-Hooks-OP-Check/perl-B-Hooks-OP-Check.spec b/SPECS/perl-B-Hooks-OP-Check/perl-B-Hooks-OP-Check.spec
similarity index 97%
rename from SPECS-EXTENDED/perl-B-Hooks-OP-Check/perl-B-Hooks-OP-Check.spec
rename to SPECS/perl-B-Hooks-OP-Check/perl-B-Hooks-OP-Check.spec
index 9857a48380f..d7d41055ffd 100644
--- a/SPECS-EXTENDED/perl-B-Hooks-OP-Check/perl-B-Hooks-OP-Check.spec
+++ b/SPECS/perl-B-Hooks-OP-Check/perl-B-Hooks-OP-Check.spec
@@ -1,7 +1,7 @@
 Name:           perl-B-Hooks-OP-Check
 Summary:        Wrap OP check callbacks
 Version:        0.22
-Release:        10%{?dist}
+Release:        11%{?dist}
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -65,6 +65,10 @@ make test
 %{_mandir}/man3/B::Hooks::OP::Check.3*
 
 %changelog
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 0.22-11
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.22-10
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Class-ISA/perl-Class-ISA.signatures.json b/SPECS/perl-Class-ISA/perl-Class-ISA.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Class-ISA/perl-Class-ISA.signatures.json
rename to SPECS/perl-Class-ISA/perl-Class-ISA.signatures.json
diff --git a/SPECS-EXTENDED/perl-Class-ISA/perl-Class-ISA.spec b/SPECS/perl-Class-ISA/perl-Class-ISA.spec
similarity index 96%
rename from SPECS-EXTENDED/perl-Class-ISA/perl-Class-ISA.spec
rename to SPECS/perl-Class-ISA/perl-Class-ISA.spec
index 3c8e260eb4a..311c6fd9a14 100644
--- a/SPECS-EXTENDED/perl-Class-ISA/perl-Class-ISA.spec
+++ b/SPECS/perl-Class-ISA/perl-Class-ISA.spec
@@ -2,7 +2,7 @@ Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Name:           perl-Class-ISA
 Version:        0.36
-Release:        1030%{?dist}
+Release:        1031%{?dist}
 Summary:        Report the search path for a class's ISA tree
 License:        GPL+ or Artistic
 URL:            https://metacpan.org/release/Class-ISA
@@ -40,6 +40,10 @@ make test
 %{perl_vendorlib}/*
 
 %changelog
+* Tue Aug 27 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.36-1031
+- Promote package to Core repository.
+- License verified.
+
 * Fri Apr 22 2022 Muhammad Falak <mwani@microsoft.com> - 0.36-1030
 - Add an explicit BR on `perl(deprecate)` to enable ptest
 - License verified
diff --git a/SPECS-EXTENDED/perl-Class-XSAccessor/perl-Class-XSAccessor.signatures.json b/SPECS/perl-Class-XSAccessor/perl-Class-XSAccessor.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Class-XSAccessor/perl-Class-XSAccessor.signatures.json
rename to SPECS/perl-Class-XSAccessor/perl-Class-XSAccessor.signatures.json
diff --git a/SPECS-EXTENDED/perl-Class-XSAccessor/perl-Class-XSAccessor.spec b/SPECS/perl-Class-XSAccessor/perl-Class-XSAccessor.spec
similarity index 98%
rename from SPECS-EXTENDED/perl-Class-XSAccessor/perl-Class-XSAccessor.spec
rename to SPECS/perl-Class-XSAccessor/perl-Class-XSAccessor.spec
index 966c3743242..90bd6daf14a 100644
--- a/SPECS-EXTENDED/perl-Class-XSAccessor/perl-Class-XSAccessor.spec
+++ b/SPECS/perl-Class-XSAccessor/perl-Class-XSAccessor.spec
@@ -1,6 +1,6 @@
 Name:           perl-Class-XSAccessor
 Version:        1.19
-Release:        21%{?dist}
+Release:        22%{?dist}
 Summary:        Generate fast XS accessors without run-time compilation
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -65,6 +65,10 @@ make test
 %{_mandir}/man3/Class::*
 
 %changelog
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 0.19-22
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.19-21
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Data-OptList/perl-Data-OptList.signatures.json b/SPECS/perl-Data-OptList/perl-Data-OptList.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Data-OptList/perl-Data-OptList.signatures.json
rename to SPECS/perl-Data-OptList/perl-Data-OptList.signatures.json
diff --git a/SPECS-EXTENDED/perl-Data-OptList/perl-Data-OptList.spec b/SPECS/perl-Data-OptList/perl-Data-OptList.spec
similarity index 98%
rename from SPECS-EXTENDED/perl-Data-OptList/perl-Data-OptList.spec
rename to SPECS/perl-Data-OptList/perl-Data-OptList.spec
index c545f8e6a56..23616053491 100644
--- a/SPECS-EXTENDED/perl-Data-OptList/perl-Data-OptList.spec
+++ b/SPECS/perl-Data-OptList/perl-Data-OptList.spec
@@ -10,7 +10,7 @@
 
 Name:           perl-Data-OptList
 Version:        0.110
-Release:        13%{?dist}
+Release:        14%{?dist}
 Summary:        Parse and validate simple name/value option pairs
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -98,6 +98,10 @@ make test TEST_FILES="$(echo $(find xt/ -name '*.t'))"
 %{_mandir}/man3/Data::OptList.3*
 
 %changelog
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 0.110-14
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.110-13
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS/perl-Devel-Caller/perl-Devel-Caller.signatures.json b/SPECS/perl-Devel-Caller/perl-Devel-Caller.signatures.json
new file mode 100644
index 00000000000..736ee5880e6
--- /dev/null
+++ b/SPECS/perl-Devel-Caller/perl-Devel-Caller.signatures.json
@@ -0,0 +1,6 @@
+{
+ "Signatures": {
+  "perl-Devel-Caller-2.07.tar.gz": "b679a2b18034b0b720de82c3708724c364b10a6ca164cbc67cdc3af283f3503f"
+ }
+}
+
diff --git a/SPECS-EXTENDED/perl-Devel-Caller/perl-Devel-Caller.spec b/SPECS/perl-Devel-Caller/perl-Devel-Caller.spec
similarity index 97%
rename from SPECS-EXTENDED/perl-Devel-Caller/perl-Devel-Caller.spec
rename to SPECS/perl-Devel-Caller/perl-Devel-Caller.spec
index 65b4f506260..057937c74ba 100644
--- a/SPECS-EXTENDED/perl-Devel-Caller/perl-Devel-Caller.spec
+++ b/SPECS/perl-Devel-Caller/perl-Devel-Caller.spec
@@ -1,6 +1,6 @@
 Name:           perl-Devel-Caller
-Version:        2.06
-Release:        22%{?dist}
+Version:        2.07
+Release:        1%{?dist}
 Summary:        Meatier versions of caller
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -56,6 +56,11 @@ make test
 %{_mandir}/man3/Devel::Caller.3pm*
 
 %changelog
+* Wed Aug 28 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 2.07-1
+- Promote package to Core repository.
+- License verified.
+- Updated to v2.07.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 2.06-22
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Devel-CheckBin/perl-Devel-CheckBin.signatures.json b/SPECS/perl-Devel-CheckBin/perl-Devel-CheckBin.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Devel-CheckBin/perl-Devel-CheckBin.signatures.json
rename to SPECS/perl-Devel-CheckBin/perl-Devel-CheckBin.signatures.json
diff --git a/SPECS-EXTENDED/perl-Devel-CheckBin/perl-Devel-CheckBin.spec b/SPECS/perl-Devel-CheckBin/perl-Devel-CheckBin.spec
similarity index 96%
rename from SPECS-EXTENDED/perl-Devel-CheckBin/perl-Devel-CheckBin.spec
rename to SPECS/perl-Devel-CheckBin/perl-Devel-CheckBin.spec
index e805827dfbd..4556a3f71a7 100644
--- a/SPECS-EXTENDED/perl-Devel-CheckBin/perl-Devel-CheckBin.spec
+++ b/SPECS/perl-Devel-CheckBin/perl-Devel-CheckBin.spec
@@ -1,6 +1,6 @@
 Name:		perl-Devel-CheckBin
 Version:	0.04
-Release:	14%{?dist}
+Release:	15%{?dist}
 Summary:	Check that a command is available
 License:	GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -54,6 +54,10 @@ make test
 %{_mandir}/man3/Devel::CheckBin.3*
 
 %changelog
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 0.04-15
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.04-14
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Devel-Cycle/Devel-Cycle-1.11-512.patch b/SPECS/perl-Devel-Cycle/Devel-Cycle-1.11-512.patch
similarity index 100%
rename from SPECS-EXTENDED/perl-Devel-Cycle/Devel-Cycle-1.11-512.patch
rename to SPECS/perl-Devel-Cycle/Devel-Cycle-1.11-512.patch
diff --git a/SPECS-EXTENDED/perl-Devel-Cycle/perl-Devel-Cycle.signatures.json b/SPECS/perl-Devel-Cycle/perl-Devel-Cycle.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Devel-Cycle/perl-Devel-Cycle.signatures.json
rename to SPECS/perl-Devel-Cycle/perl-Devel-Cycle.signatures.json
diff --git a/SPECS-EXTENDED/perl-Devel-Cycle/perl-Devel-Cycle.spec b/SPECS/perl-Devel-Cycle/perl-Devel-Cycle.spec
similarity index 98%
rename from SPECS-EXTENDED/perl-Devel-Cycle/perl-Devel-Cycle.spec
rename to SPECS/perl-Devel-Cycle/perl-Devel-Cycle.spec
index 9964dec847c..c70103826cd 100644
--- a/SPECS-EXTENDED/perl-Devel-Cycle/perl-Devel-Cycle.spec
+++ b/SPECS/perl-Devel-Cycle/perl-Devel-Cycle.spec
@@ -1,6 +1,6 @@
 Name:           perl-Devel-Cycle
 Version:        1.12
-Release:        18%{?dist}
+Release:        19%{?dist}
 Summary:        Find memory cycles in objects
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -60,6 +60,10 @@ make test
 %{_mandir}/man3/Devel::Cycle.3*
 
 %changelog
+* Wed Aug 28 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.12-19
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.12-18
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Devel-GlobalDestruction-XS/perl-Devel-GlobalDestruction-XS.signatures.json b/SPECS/perl-Devel-GlobalDestruction-XS/perl-Devel-GlobalDestruction-XS.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Devel-GlobalDestruction-XS/perl-Devel-GlobalDestruction-XS.signatures.json
rename to SPECS/perl-Devel-GlobalDestruction-XS/perl-Devel-GlobalDestruction-XS.signatures.json
diff --git a/SPECS-EXTENDED/perl-Devel-GlobalDestruction-XS/perl-Devel-GlobalDestruction-XS.spec b/SPECS/perl-Devel-GlobalDestruction-XS/perl-Devel-GlobalDestruction-XS.spec
similarity index 97%
rename from SPECS-EXTENDED/perl-Devel-GlobalDestruction-XS/perl-Devel-GlobalDestruction-XS.spec
rename to SPECS/perl-Devel-GlobalDestruction-XS/perl-Devel-GlobalDestruction-XS.spec
index 82f25f5871c..fe2c8325c25 100644
--- a/SPECS-EXTENDED/perl-Devel-GlobalDestruction-XS/perl-Devel-GlobalDestruction-XS.spec
+++ b/SPECS/perl-Devel-GlobalDestruction-XS/perl-Devel-GlobalDestruction-XS.spec
@@ -1,6 +1,6 @@
 Name:		perl-Devel-GlobalDestruction-XS
 Version:	0.03
-Release:	13%{?dist}
+Release:	14%{?dist}
 License:	GPL+ or Artistic
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -57,6 +57,10 @@ make test
 %{_mandir}/man3/Devel::GlobalDestruction::XS.3*
 
 %changelog
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 0.03-14
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.03-13
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Devel-GlobalDestruction/perl-Devel-GlobalDestruction.signatures.json b/SPECS/perl-Devel-GlobalDestruction/perl-Devel-GlobalDestruction.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Devel-GlobalDestruction/perl-Devel-GlobalDestruction.signatures.json
rename to SPECS/perl-Devel-GlobalDestruction/perl-Devel-GlobalDestruction.signatures.json
diff --git a/SPECS-EXTENDED/perl-Devel-GlobalDestruction/perl-Devel-GlobalDestruction.spec b/SPECS/perl-Devel-GlobalDestruction/perl-Devel-GlobalDestruction.spec
similarity index 98%
rename from SPECS-EXTENDED/perl-Devel-GlobalDestruction/perl-Devel-GlobalDestruction.spec
rename to SPECS/perl-Devel-GlobalDestruction/perl-Devel-GlobalDestruction.spec
index 63382dcb491..51c055abe6f 100644
--- a/SPECS-EXTENDED/perl-Devel-GlobalDestruction/perl-Devel-GlobalDestruction.spec
+++ b/SPECS/perl-Devel-GlobalDestruction/perl-Devel-GlobalDestruction.spec
@@ -3,7 +3,7 @@
 
 Name:		perl-Devel-GlobalDestruction
 Version:	0.14
-Release:	12%{?dist}
+Release:	13%{?dist}
 License:	GPL+ or Artistic
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -81,6 +81,10 @@ make test
 %{_mandir}/man3/Devel::GlobalDestruction.3*
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.14-13
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.14-12
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
@@ -292,4 +296,3 @@ make test
 * Sun Oct 19 2008 Chris Weyl <cweyl@alumni.drew.edu> 0.02-0.1
 - initial RPM packaging
 - generated with cpan2dist (CPANPLUS::Dist::RPM version 0.0.5)
-
diff --git a/SPECS-EXTENDED/perl-Devel-Hide/perl-Devel-Hide.signatures.json b/SPECS/perl-Devel-Hide/perl-Devel-Hide.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Devel-Hide/perl-Devel-Hide.signatures.json
rename to SPECS/perl-Devel-Hide/perl-Devel-Hide.signatures.json
diff --git a/SPECS-EXTENDED/perl-Devel-Hide/perl-Devel-Hide.spec b/SPECS/perl-Devel-Hide/perl-Devel-Hide.spec
similarity index 97%
rename from SPECS-EXTENDED/perl-Devel-Hide/perl-Devel-Hide.spec
rename to SPECS/perl-Devel-Hide/perl-Devel-Hide.spec
index 452120bf83e..5a249aee423 100644
--- a/SPECS-EXTENDED/perl-Devel-Hide/perl-Devel-Hide.spec
+++ b/SPECS/perl-Devel-Hide/perl-Devel-Hide.spec
@@ -7,7 +7,7 @@
 
 Name:           perl-Devel-Hide
 Version:        0.0013
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Forces the unavailability of specified Perl modules (for testing)
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -64,6 +64,10 @@ make test
 %{_mandir}/man3/Devel::Hide.3*
 
 %changelog
+* Tue Aug 27 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.0013-3
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.0013-2
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Devel-LexAlias/perl-Devel-LexAlias.signatures.json b/SPECS/perl-Devel-LexAlias/perl-Devel-LexAlias.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Devel-LexAlias/perl-Devel-LexAlias.signatures.json
rename to SPECS/perl-Devel-LexAlias/perl-Devel-LexAlias.signatures.json
diff --git a/SPECS-EXTENDED/perl-Devel-LexAlias/perl-Devel-LexAlias.spec b/SPECS/perl-Devel-LexAlias/perl-Devel-LexAlias.spec
similarity index 97%
rename from SPECS-EXTENDED/perl-Devel-LexAlias/perl-Devel-LexAlias.spec
rename to SPECS/perl-Devel-LexAlias/perl-Devel-LexAlias.spec
index fc68a54438c..a68c09c13b7 100644
--- a/SPECS-EXTENDED/perl-Devel-LexAlias/perl-Devel-LexAlias.spec
+++ b/SPECS/perl-Devel-LexAlias/perl-Devel-LexAlias.spec
@@ -1,6 +1,6 @@
 Name:           perl-Devel-LexAlias
 Version:        0.05
-Release:        23%{?dist}
+Release:        24%{?dist}
 Summary:        Alias lexical variables
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -54,6 +54,10 @@ make test
 %{_mandir}/man3/Devel::LexAlias.3*
 
 %changelog
+* Tue Aug 27 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.05-24
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.05-23
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS/perl-Devel-Refcount/perl-Devel-Refcount.signatures.json b/SPECS/perl-Devel-Refcount/perl-Devel-Refcount.signatures.json
new file mode 100644
index 00000000000..91ef680dffd
--- /dev/null
+++ b/SPECS/perl-Devel-Refcount/perl-Devel-Refcount.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "Devel-Refcount-0.10.tar.gz": "b654d46963d1a881426ba15994f28f52eb839b0d135bf239b4d1bf38b1caca4a"
+ }
+}
diff --git a/SPECS/perl-Devel-Refcount/perl-Devel-Refcount.spec b/SPECS/perl-Devel-Refcount/perl-Devel-Refcount.spec
new file mode 100644
index 00000000000..87c77b87aa9
--- /dev/null
+++ b/SPECS/perl-Devel-Refcount/perl-Devel-Refcount.spec
@@ -0,0 +1,223 @@
+Name:           perl-Devel-Refcount
+Version:        0.10
+Release:        38%{?dist}
+Summary:        Obtain the REFCNT value of a referent
+License:        GPL+ or Artistic
+URL:            https://metacpan.org/release/Devel-Refcount
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+Source0:        https://www.cpan.org/modules/by-module/Devel/Devel-Refcount-%{version}.tar.gz
+# Build
+BuildRequires:  coreutils
+BuildRequires:  findutils
+BuildRequires:  perl-devel
+BuildRequires:  perl-generators
+BuildRequires:  perl-interpreter
+BuildRequires:  perl(ExtUtils::CBuilder)
+BuildRequires:  perl(Module::Build)
+# Runtime
+BuildRequires:  perl(B)
+BuildRequires:  perl(Carp)
+BuildRequires:  perl(Exporter) >= 5.57
+BuildRequires:  perl(Scalar::Util)
+BuildRequires:  perl(strict)
+BuildRequires:  perl(warnings)
+BuildRequires:  perl(XSLoader)
+%if 0%{?with_check}
+BuildRequires:  perl(Symbol)
+BuildRequires:  perl(Test::Fatal)
+BuildRequires:  perl(Test::More)
+BuildRequires:  perl(Test::Pod) >= 1.00
+%endif
+# Dependencies
+Requires:       perl(B)
+
+%description
+This module provides a single function that obtains the reference count of
+the object being pointed to by the passed reference value.
+
+%prep
+%setup -q -n Devel-Refcount-%{version}
+
+%build
+perl Build.PL --installdirs=vendor --optimize="%{optflags}"
+./Build
+
+%install
+./Build install --destdir=%{buildroot} --create_packlist=0
+find %{buildroot} -type f -name '*.bs' -empty -delete
+%{_fixperms} -c %{buildroot}
+
+%check
+./Build test
+
+%files
+%license LICENSE
+%doc Changes README
+%{perl_vendorarch}/auto/Devel/
+%{perl_vendorarch}/Devel/
+%{_mandir}/man3/Devel::Refcount.3*
+
+%changelog
+* Thu Aug 29 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.10-38
+- Initial Azure Linux import from Fedora 42 (license: MIT).
+- License verified.
+
+* Thu Jul 18 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-37
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Mon Jun 10 2024 Jitka Plesnikova <jplesnik@redhat.com> - 0.10-36
+- Perl 5.40 rebuild
+
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-35
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-34
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-33
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Jul 11 2023 Jitka Plesnikova <jplesnik@redhat.com> - 0.10-32
+- Perl 5.38 rebuild
+
+* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-31
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-30
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue May 31 2022 Jitka Plesnikova <jplesnik@redhat.com> - 0.10-29
+- Perl 5.36 rebuild
+
+* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-28
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Jan  4 2022 Paul Howarth <paul@city-fan.org> - 0.10-27
+- Spec tidy-up
+  - Specify all dependencies
+  - Use author-independent source URL
+  - Fix permissions verbosely
+  - Make %%files list more explicit
+  - Use %%license
+  - Simplify find command using -empty and -delete
+  - Drop redundant buildroot cleaning in %%install section
+  - Drop redundant removal of empty directories from the buildroot
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-26
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri May 21 2021 Jitka Plesnikova <jplesnik@redhat.com> - 0.10-25
+- Perl 5.34 rebuild
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-24
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-23
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 0.10-22
+- Perl 5.32 rebuild
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-21
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-20
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 0.10-19
+- Perl 5.30 rebuild
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-18
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Jun 28 2018 Jitka Plesnikova <jplesnik@redhat.com> - 0.10-16
+- Perl 5.28 rebuild
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jun 05 2017 Jitka Plesnikova <jplesnik@redhat.com> - 0.10-12
+- Perl 5.26 rebuild
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Sun May 15 2016 Jitka Plesnikova <jplesnik@redhat.com> - 0.10-10
+- Perl 5.24 rebuild
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.10-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.10-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Jun 06 2015 Jitka Plesnikova <jplesnik@redhat.com> - 0.10-7
+- Perl 5.22 rebuild
+
+* Fri Aug 29 2014 Jitka Plesnikova <jplesnik@redhat.com> - 0.10-6
+- Perl 5.20 rebuild
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.10-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.10-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.10-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Jul 24 2013 Petr Pisar <ppisar@redhat.com> - 0.10-2
+- Perl 5.18 rebuild
+
+* Wed Jun  5 2013 Robin Lee <cheeselee@fedoraproject.org> - 0.10-1
+- Update to 0.10
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.09-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.09-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Thu Jun 14 2012 Petr Pisar <ppisar@redhat.com> - 0.09-2
+- Perl 5.16 rebuild
+
+* Tue Jan 17 2012 Nicolas Chauvet <kwizart@gmail.com> - 0.09-1
+- Update to 0.09
+- Add missing BR
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.07-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Jun 21 2011 Marcela Mašláňová <mmaslano@redhat.com> - 0.07-6
+- Perl mass rebuild
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.07-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Dec 16 2010 Marcela Maslanova <mmaslano@redhat.com> - 0.07-4
+- 661697 rebuild for fixing problems with vendorach/lib
+
+* Fri Apr 30 2010 Marcela Maslanova <mmaslano@redhat.com> - 0.07-3
+- Mass rebuild with perl-5.12.0
+
+* Fri Apr 30 2010 Marcela Maslanova <mmaslano@redhat.com> - 0.07-2
+- Mass rebuild with perl-5.12.0
+
+* Mon Apr 19 2010 Nicolas Chauvet <kwizart@fedoraproject.org> - 0.07-1
+- Update to 0.07
+
+* Mon Dec  7 2009 Stepan Kasal <skasal@redhat.com> - 0.06-2
+- rebuild against perl 5.10.1
+
+* Tue Jul 21 2009 Nicolas Chauvet (kwizart) 0.06-1
+- Specfile autogenerated by cpanspec 1.78.
diff --git a/SPECS-EXTENDED/perl-ExtUtils-Depends/perl-ExtUtils-Depends.signatures.json b/SPECS/perl-ExtUtils-Depends/perl-ExtUtils-Depends.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-ExtUtils-Depends/perl-ExtUtils-Depends.signatures.json
rename to SPECS/perl-ExtUtils-Depends/perl-ExtUtils-Depends.signatures.json
diff --git a/SPECS-EXTENDED/perl-ExtUtils-Depends/perl-ExtUtils-Depends.spec b/SPECS/perl-ExtUtils-Depends/perl-ExtUtils-Depends.spec
similarity index 98%
rename from SPECS-EXTENDED/perl-ExtUtils-Depends/perl-ExtUtils-Depends.spec
rename to SPECS/perl-ExtUtils-Depends/perl-ExtUtils-Depends.spec
index be9dcc0ff5b..3f6d6a6e110 100644
--- a/SPECS-EXTENDED/perl-ExtUtils-Depends/perl-ExtUtils-Depends.spec
+++ b/SPECS/perl-ExtUtils-Depends/perl-ExtUtils-Depends.spec
@@ -1,6 +1,6 @@
 Name:           perl-ExtUtils-Depends
 Version:        0.8000
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Easily build XS extensions that depend on XS extensions
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -64,6 +64,10 @@ make test
 %{_mandir}/man3/ExtUtils::Depends.3*
 
 %changelog
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 0.8000-6
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.8000-5
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-IO-String/perl-IO-String.signatures.json b/SPECS/perl-IO-String/perl-IO-String.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-IO-String/perl-IO-String.signatures.json
rename to SPECS/perl-IO-String/perl-IO-String.signatures.json
diff --git a/SPECS-EXTENDED/perl-IO-String/perl-IO-String.spec b/SPECS/perl-IO-String/perl-IO-String.spec
similarity index 97%
rename from SPECS-EXTENDED/perl-IO-String/perl-IO-String.spec
rename to SPECS/perl-IO-String/perl-IO-String.spec
index 1ea111d8908..b4c6edd473d 100644
--- a/SPECS-EXTENDED/perl-IO-String/perl-IO-String.spec
+++ b/SPECS/perl-IO-String/perl-IO-String.spec
@@ -1,6 +1,6 @@
 Name:           perl-IO-String
 Version:        1.08
-Release:        38%{?dist}
+Release:        39%{?dist}
 Summary:        Emulate file interface for in-core strings
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -56,6 +56,10 @@ make test
 
 
 %changelog
+* Tue Aug 27 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.08-39
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.08-38
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Import-Into/perl-Import-Into.signatures.json b/SPECS/perl-Import-Into/perl-Import-Into.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Import-Into/perl-Import-Into.signatures.json
rename to SPECS/perl-Import-Into/perl-Import-Into.signatures.json
diff --git a/SPECS-EXTENDED/perl-Import-Into/perl-Import-Into.spec b/SPECS/perl-Import-Into/perl-Import-Into.spec
similarity index 96%
rename from SPECS-EXTENDED/perl-Import-Into/perl-Import-Into.spec
rename to SPECS/perl-Import-Into/perl-Import-Into.spec
index c9965570533..b062ddfef29 100644
--- a/SPECS-EXTENDED/perl-Import-Into/perl-Import-Into.spec
+++ b/SPECS/perl-Import-Into/perl-Import-Into.spec
@@ -1,6 +1,6 @@
 Name:           perl-Import-Into
 Version:        1.002005
-Release:        14%{?dist}
+Release:        15%{?dist}
 Summary:        Import packages into other packages
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -48,6 +48,10 @@ make test
 %{_mandir}/man3/Import::Into.3*
 
 %changelog
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 1.002005-15
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.002005-14
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS/perl-Match-Simple/perl-Match-Simple.signatures.json b/SPECS/perl-Match-Simple/perl-Match-Simple.signatures.json
new file mode 100644
index 00000000000..a89401821da
--- /dev/null
+++ b/SPECS/perl-Match-Simple/perl-Match-Simple.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "match-simple-0.012.tar.gz": "b7349a9fa926d503472998d1e0b8c3a7fcae0edc7ce30ada4ee756cdb252a37c"
+ }
+}
diff --git a/SPECS/perl-Match-Simple/perl-Match-Simple.spec b/SPECS/perl-Match-Simple/perl-Match-Simple.spec
new file mode 100644
index 00000000000..132e1b9e38e
--- /dev/null
+++ b/SPECS/perl-Match-Simple/perl-Match-Simple.spec
@@ -0,0 +1,139 @@
+Name:           perl-match-simple
+Version:        0.012
+Release:        6%{?dist}
+Summary:        Simplified clone of smartmatch operator
+License:        GPL+ OR Artistic
+URL:            http://search.cpan.org/dist/match-simple/
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+Source0:        https://cpan.metacpan.org/authors/id/T/TO/TOBYINK/match-simple-%{version}.tar.gz
+BuildArch:      noarch
+BuildRequires:  coreutils
+BuildRequires:  findutils
+BuildRequires:  make
+BuildRequires:  perl-generators
+BuildRequires:  perl-interpreter
+BuildRequires:  perl(ExtUtils::MakeMaker) >= 6.17
+BuildRequires:  perl(strict)
+# Run-time:
+BuildRequires:  perl(:VERSION) >= 5.6.1
+BuildRequires:  perl(B)
+BuildRequires:  perl(Carp)
+BuildRequires:  perl(Exporter::Tiny) >= 0.026
+BuildRequires:  perl(List::Util) >= 1.33
+# Do not build-require match::simple::XS to exhibit PP implementation
+BuildRequires:  perl(overload)
+BuildRequires:  perl(Scalar::Util)
+BuildRequires:  perl(Sub::Infix) >= 0.004
+BuildRequires:  perl(warnings)
+# Tests:
+BuildRequires:  perl(if)
+BuildRequires:  perl(overloading)
+BuildRequires:  perl(Test::Fatal)
+BuildRequires:  perl(Test::More) >= 0.96
+BuildRequires:  perl(Tie::Array)
+BuildRequires:  perl(Tie::Hash)
+BuildRequires:  perl(Tie::RefHash)
+Requires:       perl(Carp)
+Requires:       perl(Exporter::Tiny) >= 0.026
+Recommends:     perl(match::simple::XS) >= 0.002
+Requires:       perl(overload)
+Requires:       perl(Sub::Infix) >= 0.004
+
+# Remove under-specified dependencies
+%global __requires_exclude %{?__requires_exclude:%{__requires_exclude}|}^perl\\(Exporter::Tiny\\)$
+
+%description
+match::simple provides a simple match operator |M| that acts like a sane
+subset of the (as of Perl 5.18) deprecated smart match operator. Unlike
+smart match, the behaviour of the match is determined entirely by the
+operand on the right hand side.
+
+%prep
+%setup -q -n match-simple-%{version}
+
+%build
+%{__perl} Makefile.PL INSTALLDIRS=vendor
+%make_build
+%install
+make pure_install DESTDIR=$RPM_BUILD_ROOT
+
+find $RPM_BUILD_ROOT -type f -name .packlist -exec rm -f {} \;
+find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 2>/dev/null \;
+
+%{_fixperms} $RPM_BUILD_ROOT/*
+
+%check
+unset MATCH_SIMPLE_IMPLEMENTATION
+make test
+
+%files
+%doc Changes COPYRIGHT CREDITS README
+%license LICENSE
+%{perl_vendorlib}/*
+%{_mandir}/man3/*
+
+%changelog
+* Mon Aug 26 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.012-6
+- Initial Azure Linux import from Fedora 42 (license: MIT).
+- License verified.
+
+* Fri Jul 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.012-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.012-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.012-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.012-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Mon Jun 05 2023 Xavier Bachelot <xavier@bachelot.org> 0.012-1
+- Update to 0.012 (RHBZ#2154401)
+
+* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.010-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.010-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue May 31 2022 Jitka Plesnikova <jplesnik@redhat.com> - 0.010-13
+- Perl 5.36 rebuild
+
+* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.010-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.010-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri May 21 2021 Jitka Plesnikova <jplesnik@redhat.com> - 0.010-10
+- Perl 5.34 rebuild
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.010-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.010-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 0.010-7
+- Perl 5.32 rebuild
+
+* Wed Mar 11 2020 Petr Pisar <ppisar@redhat.com> - 0.010-6
+- Specify all dependencies
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.010-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.010-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 0.010-3
+- Perl 5.30 rebuild
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.010-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Nov 30 2018 Xavier Bachelot <xavier@bachelot.org> 0.010-1
+- Initial package.
diff --git a/SPECS-EXTENDED/perl-Module-Implementation/perl-Module-Implementation.signatures.json b/SPECS/perl-Module-Implementation/perl-Module-Implementation.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Module-Implementation/perl-Module-Implementation.signatures.json
rename to SPECS/perl-Module-Implementation/perl-Module-Implementation.signatures.json
diff --git a/SPECS-EXTENDED/perl-Module-Implementation/perl-Module-Implementation.spec b/SPECS/perl-Module-Implementation/perl-Module-Implementation.spec
similarity index 98%
rename from SPECS-EXTENDED/perl-Module-Implementation/perl-Module-Implementation.spec
rename to SPECS/perl-Module-Implementation/perl-Module-Implementation.spec
index 1de372250ac..9fa3c31733d 100644
--- a/SPECS-EXTENDED/perl-Module-Implementation/perl-Module-Implementation.spec
+++ b/SPECS/perl-Module-Implementation/perl-Module-Implementation.spec
@@ -10,7 +10,7 @@
 
 Name:		perl-Module-Implementation
 Version:	0.09
-Release:	24%{?dist}
+Release:	25%{?dist}
 Summary:	Loads one of several alternate underlying implementations for a module
 License:	Artistic 2.0
 Vendor:         Microsoft Corporation
@@ -131,6 +131,10 @@ make test
 %{_mandir}/man3/Module::Implementation.3*
 
 %changelog
+* Wed Aug 28 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.09-25
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.09-24
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Module-Runtime/perl-Module-Runtime.signatures.json b/SPECS/perl-Module-Runtime/perl-Module-Runtime.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Module-Runtime/perl-Module-Runtime.signatures.json
rename to SPECS/perl-Module-Runtime/perl-Module-Runtime.signatures.json
diff --git a/SPECS-EXTENDED/perl-Module-Runtime/perl-Module-Runtime.spec b/SPECS/perl-Module-Runtime/perl-Module-Runtime.spec
similarity index 97%
rename from SPECS-EXTENDED/perl-Module-Runtime/perl-Module-Runtime.spec
rename to SPECS/perl-Module-Runtime/perl-Module-Runtime.spec
index 06727f2eeec..06f0a9d6855 100644
--- a/SPECS-EXTENDED/perl-Module-Runtime/perl-Module-Runtime.spec
+++ b/SPECS/perl-Module-Runtime/perl-Module-Runtime.spec
@@ -9,7 +9,7 @@
 
 Name:           perl-Module-Runtime
 Version:        0.016
-Release:        9%{?dist}
+Release:        10%{?dist}
 Summary:        Runtime module handling
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -59,6 +59,10 @@ make test
 %{_mandir}/man3/Module::Runtime.3*
 
 %changelog
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 0.016-10
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.016-9
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Package-Generator/Package-Generator-1.106-old-Test-More.patch b/SPECS/perl-Package-Generator/Package-Generator-1.106-old-Test-More.patch
similarity index 100%
rename from SPECS-EXTENDED/perl-Package-Generator/Package-Generator-1.106-old-Test-More.patch
rename to SPECS/perl-Package-Generator/Package-Generator-1.106-old-Test-More.patch
diff --git a/SPECS-EXTENDED/perl-Package-Generator/perl-Package-Generator.signatures.json b/SPECS/perl-Package-Generator/perl-Package-Generator.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Package-Generator/perl-Package-Generator.signatures.json
rename to SPECS/perl-Package-Generator/perl-Package-Generator.signatures.json
diff --git a/SPECS-EXTENDED/perl-Package-Generator/perl-Package-Generator.spec b/SPECS/perl-Package-Generator/perl-Package-Generator.spec
similarity index 98%
rename from SPECS-EXTENDED/perl-Package-Generator/perl-Package-Generator.spec
rename to SPECS/perl-Package-Generator/perl-Package-Generator.spec
index d46050f2f70..4153754c657 100644
--- a/SPECS-EXTENDED/perl-Package-Generator/perl-Package-Generator.spec
+++ b/SPECS/perl-Package-Generator/perl-Package-Generator.spec
@@ -9,7 +9,7 @@
 
 Name:		perl-Package-Generator
 Version:	1.106
-Release:	18%{?dist}
+Release:	19%{?dist}
 Summary:	Generate new packages quickly and easily
 License:	GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -69,6 +69,10 @@ make test TEST_FILES="$(echo $(find xt/ -name '*.t'))"
 %{_mandir}/man3/Package::Reaper.3pm*
 
 %changelog
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 1.106-19
+- Promote package to Core repository.
+- License verified.
+
 * Wed Apr 28 2021 Thomas Crain <thcrain@microsoft.com> - 1.106-18
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 - Remove colons from patchnames
diff --git a/SPECS/perl-PadWalker/perl-PadWalker.signatures.json b/SPECS/perl-PadWalker/perl-PadWalker.signatures.json
new file mode 100644
index 00000000000..664d7d6f91a
--- /dev/null
+++ b/SPECS/perl-PadWalker/perl-PadWalker.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "perl-PadWalker-2.5.tar.gz": "07b26abb841146af32072a8d68cb90176ffb176fd9268e6f2f7d106f817a0cd0"
+ }
+}
diff --git a/SPECS-EXTENDED/perl-PadWalker/perl-PadWalker.spec b/SPECS/perl-PadWalker/perl-PadWalker.spec
similarity index 97%
rename from SPECS-EXTENDED/perl-PadWalker/perl-PadWalker.spec
rename to SPECS/perl-PadWalker/perl-PadWalker.spec
index 6704d81bbb8..ec27c42c01f 100644
--- a/SPECS-EXTENDED/perl-PadWalker/perl-PadWalker.spec
+++ b/SPECS/perl-PadWalker/perl-PadWalker.spec
@@ -1,6 +1,6 @@
 Name:           perl-PadWalker
-Version:        2.3
-Release:        9%{?dist}
+Version:        2.5
+Release:        1%{?dist}
 Summary:        Play with other people's lexical variables
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -56,6 +56,11 @@ make test
 %{_mandir}/man3/PadWalker.3*
 
 %changelog
+* Wed Aug 28 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 2.5-1
+- Promote package to Core repository.
+- License verified.
+- Update to v2.5
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 2.3-9
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Params-Util/perl-Params-Util.signatures.json b/SPECS/perl-Params-Util/perl-Params-Util.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Params-Util/perl-Params-Util.signatures.json
rename to SPECS/perl-Params-Util/perl-Params-Util.signatures.json
diff --git a/SPECS-EXTENDED/perl-Params-Util/perl-Params-Util.spec b/SPECS/perl-Params-Util/perl-Params-Util.spec
similarity index 97%
rename from SPECS-EXTENDED/perl-Params-Util/perl-Params-Util.spec
rename to SPECS/perl-Params-Util/perl-Params-Util.spec
index 463874b094a..8fe4787f069 100644
--- a/SPECS-EXTENDED/perl-Params-Util/perl-Params-Util.spec
+++ b/SPECS/perl-Params-Util/perl-Params-Util.spec
@@ -1,6 +1,6 @@
 Name:		perl-Params-Util
 Version:	1.07
-Release:	30%{?dist}
+Release:	31%{?dist}
 Summary:	Simple standalone parameter-checking functions
 License:	GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -39,7 +39,7 @@ BuildRequires:	perl(File::Spec::Functions)
 %global __requires_exclude %{?__requires_exclude:%__requires_exclude|}^perl\\(Scalar::Util\\)$
 
 %description
-Params::Util provides a basic set of importable functions that 
+Params::Util provides a basic set of importable functions that
 makes checking parameters a hell of a lot easier.
 
 %prep
@@ -67,6 +67,10 @@ chmod -R u+w $RPM_BUILD_ROOT/*
 %{_mandir}/man3/*
 
 %changelog
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 1.07-31
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.07-30
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
@@ -184,7 +188,7 @@ chmod -R u+w $RPM_BUILD_ROOT/*
 * Fri May 07 2010 Ralf Corsépius <corsepiu@fedoraproject.org> - 1.01-1
 - Upstream update.
 - Revert Marcela's 2010-05-04 changes.
-- Remove BR's on perl(Test::MinimumVersion), perl(Test::Pod), 
+- Remove BR's on perl(Test::MinimumVersion), perl(Test::Pod),
   perl(Test::CPAN::Meta).
   (Reflect upstream having disabled tests depending on them).
 
diff --git a/SPECS-EXTENDED/perl-Perl-Destruct-Level/perl-Perl-Destruct-Level.signatures.json b/SPECS/perl-Perl-Destruct-Level/perl-Perl-Destruct-Level.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Perl-Destruct-Level/perl-Perl-Destruct-Level.signatures.json
rename to SPECS/perl-Perl-Destruct-Level/perl-Perl-Destruct-Level.signatures.json
diff --git a/SPECS-EXTENDED/perl-Perl-Destruct-Level/perl-Perl-Destruct-Level.spec b/SPECS/perl-Perl-Destruct-Level/perl-Perl-Destruct-Level.spec
similarity index 97%
rename from SPECS-EXTENDED/perl-Perl-Destruct-Level/perl-Perl-Destruct-Level.spec
rename to SPECS/perl-Perl-Destruct-Level/perl-Perl-Destruct-Level.spec
index bf49e215f30..5a8ff68a0d2 100644
--- a/SPECS-EXTENDED/perl-Perl-Destruct-Level/perl-Perl-Destruct-Level.spec
+++ b/SPECS/perl-Perl-Destruct-Level/perl-Perl-Destruct-Level.spec
@@ -1,7 +1,7 @@
 Name:		perl-Perl-Destruct-Level
 Summary:	Allows you to change perl's internal destruction level
 Version:	0.02
-Release:	27%{?dist}
+Release:	28%{?dist}
 License:	GPL+ or Artistic
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -64,6 +64,10 @@ make test
 %{_mandir}/man3/Perl::Destruct::Level.3*
 
 %changelog
+* Wed Sep 04 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.02-28
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.02-27
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-SUPER/perl-SUPER.signatures.json b/SPECS/perl-SUPER/perl-SUPER.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-SUPER/perl-SUPER.signatures.json
rename to SPECS/perl-SUPER/perl-SUPER.signatures.json
diff --git a/SPECS-EXTENDED/perl-SUPER/perl-SUPER.spec b/SPECS/perl-SUPER/perl-SUPER.spec
similarity index 98%
rename from SPECS-EXTENDED/perl-SUPER/perl-SUPER.spec
rename to SPECS/perl-SUPER/perl-SUPER.spec
index 866a14958e1..3eb2a57a0b2 100644
--- a/SPECS-EXTENDED/perl-SUPER/perl-SUPER.spec
+++ b/SPECS/perl-SUPER/perl-SUPER.spec
@@ -1,6 +1,6 @@
 Name:		perl-SUPER
 Version:	1.20190531
-Release:	5%{?dist}
+Release:	6%{?dist}
 Summary:	Sane superclass method dispatcher
 License:	GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -62,6 +62,10 @@ make test
 %{_mandir}/man3/SUPER.3*
 
 %changelog
+* Tue Aug 27 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.20190531-6
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.20190531-5
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Sub-Exporter-Progressive/Sub-Exporter-Progressive-0.001013-old-Test-More.patch b/SPECS/perl-Sub-Exporter-Progressive/Sub-Exporter-Progressive-0.001013-old-Test-More.patch
similarity index 100%
rename from SPECS-EXTENDED/perl-Sub-Exporter-Progressive/Sub-Exporter-Progressive-0.001013-old-Test-More.patch
rename to SPECS/perl-Sub-Exporter-Progressive/Sub-Exporter-Progressive-0.001013-old-Test-More.patch
diff --git a/SPECS-EXTENDED/perl-Sub-Exporter-Progressive/perl-Sub-Exporter-Progressive.signatures.json b/SPECS/perl-Sub-Exporter-Progressive/perl-Sub-Exporter-Progressive.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Sub-Exporter-Progressive/perl-Sub-Exporter-Progressive.signatures.json
rename to SPECS/perl-Sub-Exporter-Progressive/perl-Sub-Exporter-Progressive.signatures.json
diff --git a/SPECS-EXTENDED/perl-Sub-Exporter-Progressive/perl-Sub-Exporter-Progressive.spec b/SPECS/perl-Sub-Exporter-Progressive/perl-Sub-Exporter-Progressive.spec
similarity index 98%
rename from SPECS-EXTENDED/perl-Sub-Exporter-Progressive/perl-Sub-Exporter-Progressive.spec
rename to SPECS/perl-Sub-Exporter-Progressive/perl-Sub-Exporter-Progressive.spec
index 0277c835295..52468a9a1b5 100644
--- a/SPECS-EXTENDED/perl-Sub-Exporter-Progressive/perl-Sub-Exporter-Progressive.spec
+++ b/SPECS/perl-Sub-Exporter-Progressive/perl-Sub-Exporter-Progressive.spec
@@ -3,7 +3,7 @@
 
 Name:		perl-Sub-Exporter-Progressive
 Version:	0.001013
-Release:	12%{?dist}
+Release:	13%{?dist}
 Summary:	Only use Sub::Exporter if you need it
 License:	GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -80,6 +80,10 @@ make test
 %{_mandir}/man3/Sub::Exporter::Progressive.3*
 
 %changelog
+* Mon Aug 26 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 0.001013-13
+- Promote package to Core repository.
+- License verified.
+
 * Wed Apr 28 2021 Thomas Crain <thcrain@microsoft.com> - 0.001013-12
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 - Remove colons from patchnames
diff --git a/SPECS-EXTENDED/perl-Sub-Exporter/perl-Sub-Exporter.signatures.json b/SPECS/perl-Sub-Exporter/perl-Sub-Exporter.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Sub-Exporter/perl-Sub-Exporter.signatures.json
rename to SPECS/perl-Sub-Exporter/perl-Sub-Exporter.signatures.json
diff --git a/SPECS-EXTENDED/perl-Sub-Exporter/perl-Sub-Exporter.spec b/SPECS/perl-Sub-Exporter/perl-Sub-Exporter.spec
similarity index 98%
rename from SPECS-EXTENDED/perl-Sub-Exporter/perl-Sub-Exporter.spec
rename to SPECS/perl-Sub-Exporter/perl-Sub-Exporter.spec
index 618b237a3d7..9a450691bbd 100644
--- a/SPECS-EXTENDED/perl-Sub-Exporter/perl-Sub-Exporter.spec
+++ b/SPECS/perl-Sub-Exporter/perl-Sub-Exporter.spec
@@ -10,7 +10,7 @@
 
 Name:		perl-Sub-Exporter
 Version:	0.987
-Release:	22%{?dist}
+Release:	23%{?dist}
 Summary:	Sophisticated exporter for custom-built routines
 License:	GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -104,6 +104,10 @@ make test TEST_FILES="$(echo $(find xt/ -name '*.t'))"
 %{_mandir}/man3/Sub::Exporter::Util.3*
 
 %changelog
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 0.987-23
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.987-22
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Sub-Identify/perl-Sub-Identify.signatures.json b/SPECS/perl-Sub-Identify/perl-Sub-Identify.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Sub-Identify/perl-Sub-Identify.signatures.json
rename to SPECS/perl-Sub-Identify/perl-Sub-Identify.signatures.json
diff --git a/SPECS-EXTENDED/perl-Sub-Identify/perl-Sub-Identify.spec b/SPECS/perl-Sub-Identify/perl-Sub-Identify.spec
similarity index 98%
rename from SPECS-EXTENDED/perl-Sub-Identify/perl-Sub-Identify.spec
rename to SPECS/perl-Sub-Identify/perl-Sub-Identify.spec
index 555e3acb141..d4719f96476 100644
--- a/SPECS-EXTENDED/perl-Sub-Identify/perl-Sub-Identify.spec
+++ b/SPECS/perl-Sub-Identify/perl-Sub-Identify.spec
@@ -7,7 +7,7 @@
 
 Name:		perl-Sub-Identify
 Version:	0.14
-Release:	13%{?dist}
+Release:	14%{?dist}
 Summary:	Retrieve names of code references
 License:	GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -79,6 +79,10 @@ make test
 %{_mandir}/man3/Sub::Identify.3*
 
 %changelog
+* Wed Aug 28 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.14-14
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.14-13
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS/perl-Sub-Infix/perl-Sub-Infix.signatures.json b/SPECS/perl-Sub-Infix/perl-Sub-Infix.signatures.json
new file mode 100644
index 00000000000..5b8359aada1
--- /dev/null
+++ b/SPECS/perl-Sub-Infix/perl-Sub-Infix.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "Sub-Infix-0.004.tar.gz": "5caeaada66ab4afdfdae56c023e099880543a9a7c1f931f20a834d5881c15ecb"
+ }
+}
diff --git a/SPECS/perl-Sub-Infix/perl-Sub-Infix.spec b/SPECS/perl-Sub-Infix/perl-Sub-Infix.spec
new file mode 100644
index 00000000000..001d5befe0c
--- /dev/null
+++ b/SPECS/perl-Sub-Infix/perl-Sub-Infix.spec
@@ -0,0 +1,131 @@
+Name:           perl-Sub-Infix
+Version:        0.004
+Release:        25%{?dist}
+Summary:        Create a fake infix operator
+License:        GPL+ OR Artistic
+URL:            https://metacpan.org/release/Sub-Infix
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+Source0:        https://cpan.metacpan.org/authors/id/T/TO/TOBYINK/Sub-Infix-%{version}.tar.gz
+BuildArch:      noarch
+
+BuildRequires:  %{__perl}
+BuildRequires:  %{__make}
+
+BuildRequires:  perl-interpreter >= 0:5.006
+BuildRequires:  perl-generators
+BuildRequires:  perl(Carp)
+BuildRequires:  perl(Exporter)
+BuildRequires:  perl(ExtUtils::MakeMaker) >= 6.17
+BuildRequires:  perl(Test::Fatal)
+BuildRequires:  perl(Test::More) >= 0.47
+BuildRequires:  perl(overload)
+BuildRequires:  perl(strict)
+BuildRequires:  perl(warnings)
+
+# optional
+BuildRequires:  perl(Scalar::Util)
+Recommends:     perl(Scalar::Util)
+
+
+%description
+Sub::Infix creates fake infix operators using overloading. It doesn't use
+source filters, or Devel::Declare, or any of that magic.
+
+%prep
+%setup -q -n Sub-Infix-%{version}
+
+%build
+%{__perl} Makefile.PL INSTALLDIRS=vendor NO_PACKLIST=1 NO_PERLLOCAL=1
+%{make_build}
+
+%install
+%{make_install}
+%{_fixperms} $RPM_BUILD_ROOT/*
+
+%check
+%{__make} test
+
+%files
+%doc Changes README CREDITS
+%license COPYRIGHT LICENSE
+%{perl_vendorlib}/*
+%{_mandir}/man3/*
+
+%changelog
+* Mon Aug 26 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.004-25
+- Initial Azure Linux import from Fedora 42 (license: MIT).
+- License verified.
+
+* Fri Jul 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.004-24
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.004-23
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.004-22
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.004-21
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.004-20
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Tue Nov 29 2022 Ralf Cors├ępius <corsepiu@fedoraproject.org> - 0.004-19
+- Modernize spec.
+- Convert license to SPDX.
+
+* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.004-18
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue May 31 2022 Jitka Plesnikova <jplesnik@redhat.com> - 0.004-17
+- Perl 5.36 rebuild
+
+* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.004-16
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.004-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri May 21 2021 Jitka Plesnikova <jplesnik@redhat.com> - 0.004-14
+- Perl 5.34 rebuild
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.004-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.004-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jun 23 2020 Jitka Plesnikova <jplesnik@redhat.com> - 0.004-11
+- Perl 5.32 rebuild
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.004-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.004-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri May 31 2019 Jitka Plesnikova <jplesnik@redhat.com> - 0.004-8
+- Perl 5.30 rebuild
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.004-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.004-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Jun 28 2018 Jitka Plesnikova <jplesnik@redhat.com> - 0.004-5
+- Perl 5.28 rebuild
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.004-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.004-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jun 05 2017 Jitka Plesnikova <jplesnik@redhat.com> - 0.004-2
+- Perl 5.26 rebuild
+
+* Fri Feb 03 2017 Ralf Cors├ępius <corsepiu@fedoraproject.org> 0.004-1
+- Initial Fedora package.
diff --git a/SPECS/perl-Sub-Install/perl-Sub-Install.signatures.json b/SPECS/perl-Sub-Install/perl-Sub-Install.signatures.json
new file mode 100644
index 00000000000..746106ddd89
--- /dev/null
+++ b/SPECS/perl-Sub-Install/perl-Sub-Install.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "perl-Sub-Install-0.929.tar.gz": "80b1e281d8cd3b2b31dac711f5c8a1657a87cd80bbe69af3924bcbeb4e5db077"
+ }
+}
diff --git a/SPECS-EXTENDED/perl-Sub-Install/perl-Sub-Install.spec b/SPECS/perl-Sub-Install/perl-Sub-Install.spec
similarity index 96%
rename from SPECS-EXTENDED/perl-Sub-Install/perl-Sub-Install.spec
rename to SPECS/perl-Sub-Install/perl-Sub-Install.spec
index 190cebf7faf..fcae311a8b4 100644
--- a/SPECS-EXTENDED/perl-Sub-Install/perl-Sub-Install.spec
+++ b/SPECS/perl-Sub-Install/perl-Sub-Install.spec
@@ -6,8 +6,8 @@
 %endif
 
 Name:           perl-Sub-Install
-Version:        0.928
-Release:        23%{?dist}
+Version:        0.929
+Release:        1%{?dist}
 Summary:        Install subroutines into packages easily
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -63,6 +63,13 @@ make test
 %{_mandir}/man3/Sub::Install.3pm*
 
 %changelog
+* Tue Aug 27 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 0.929-1
+- Update to v0.929.
+
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 0.928-24
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.928-23
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS/perl-Sub-Name/perl-Sub-Name.signatures.json b/SPECS/perl-Sub-Name/perl-Sub-Name.signatures.json
new file mode 100644
index 00000000000..be4284aeccf
--- /dev/null
+++ b/SPECS/perl-Sub-Name/perl-Sub-Name.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "perl-Sub-Name-0.27.tar.gz": "ecf36fba1c47ca93e1daa394968ed39c4186867459d9cd173c421e2b972043e8"
+ }
+}
diff --git a/SPECS-EXTENDED/perl-Sub-Name/perl-Sub-Name.spec b/SPECS/perl-Sub-Name/perl-Sub-Name.spec
similarity index 97%
rename from SPECS-EXTENDED/perl-Sub-Name/perl-Sub-Name.spec
rename to SPECS/perl-Sub-Name/perl-Sub-Name.spec
index a4affde2c1c..7c244f10101 100644
--- a/SPECS-EXTENDED/perl-Sub-Name/perl-Sub-Name.spec
+++ b/SPECS/perl-Sub-Name/perl-Sub-Name.spec
@@ -3,8 +3,8 @@
 %bcond_without perl_Sub_Name_enables_optional_test
 
 Name:		perl-Sub-Name
-Version:	0.26
-Release:	3%{?dist}
+Version:	0.27
+Release:	1%{?dist}
 Summary:	Name - or rename - a sub
 License:	GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -79,6 +79,13 @@ make test
 %{_mandir}/man3/Sub::Name.3*
 
 %changelog
+* Tue Aug 27 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 0.27-1
+- Update to v0.27.
+
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 0.26-4
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.26-3
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Sub-Quote/perl-Sub-Quote.signatures.json b/SPECS/perl-Sub-Quote/perl-Sub-Quote.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Sub-Quote/perl-Sub-Quote.signatures.json
rename to SPECS/perl-Sub-Quote/perl-Sub-Quote.signatures.json
diff --git a/SPECS-EXTENDED/perl-Sub-Quote/perl-Sub-Quote.spec b/SPECS/perl-Sub-Quote/perl-Sub-Quote.spec
similarity index 95%
rename from SPECS-EXTENDED/perl-Sub-Quote/perl-Sub-Quote.spec
rename to SPECS/perl-Sub-Quote/perl-Sub-Quote.spec
index 875cfd71872..2d4f5691141 100644
--- a/SPECS-EXTENDED/perl-Sub-Quote/perl-Sub-Quote.spec
+++ b/SPECS/perl-Sub-Quote/perl-Sub-Quote.spec
@@ -1,6 +1,6 @@
 Name:           perl-Sub-Quote
 Version:        2.006006
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Efficient generation of subroutines via string eval
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -60,6 +60,10 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 2.006006-4
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 2.006006-3
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Test-Memory-Cycle/perl-Test-Memory-Cycle.signatures.json b/SPECS/perl-Test-Memory-Cycle/perl-Test-Memory-Cycle.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Test-Memory-Cycle/perl-Test-Memory-Cycle.signatures.json
rename to SPECS/perl-Test-Memory-Cycle/perl-Test-Memory-Cycle.signatures.json
diff --git a/SPECS-EXTENDED/perl-Test-Memory-Cycle/perl-Test-Memory-Cycle.spec b/SPECS/perl-Test-Memory-Cycle/perl-Test-Memory-Cycle.spec
similarity index 97%
rename from SPECS-EXTENDED/perl-Test-Memory-Cycle/perl-Test-Memory-Cycle.spec
rename to SPECS/perl-Test-Memory-Cycle/perl-Test-Memory-Cycle.spec
index 85cc70c5f2c..e0bc5271382 100644
--- a/SPECS-EXTENDED/perl-Test-Memory-Cycle/perl-Test-Memory-Cycle.spec
+++ b/SPECS/perl-Test-Memory-Cycle/perl-Test-Memory-Cycle.spec
@@ -1,6 +1,6 @@
 Name:           perl-Test-Memory-Cycle
 Version:        1.06
-Release:        15%{?dist}
+Release:        16%{?dist}
 Summary:        Check for memory leaks and circular memory references
 License:        Artistic 2.0
 Vendor:         Microsoft Corporation
@@ -63,6 +63,10 @@ make test
 %{_mandir}/man3/Test::Memory::Cycle.3*
 
 %changelog
+* Tue Aug 27 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.06-16
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.06-15
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Test-Output/perl-Test-Output.signatures.json b/SPECS/perl-Test-Output/perl-Test-Output.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Test-Output/perl-Test-Output.signatures.json
rename to SPECS/perl-Test-Output/perl-Test-Output.signatures.json
diff --git a/SPECS-EXTENDED/perl-Test-Output/perl-Test-Output.spec b/SPECS/perl-Test-Output/perl-Test-Output.spec
similarity index 97%
rename from SPECS-EXTENDED/perl-Test-Output/perl-Test-Output.spec
rename to SPECS/perl-Test-Output/perl-Test-Output.spec
index 43d7a6171cb..b120dc8485d 100644
--- a/SPECS-EXTENDED/perl-Test-Output/perl-Test-Output.spec
+++ b/SPECS/perl-Test-Output/perl-Test-Output.spec
@@ -3,7 +3,7 @@
 Name:           perl-Test-Output
 # Keep 2-digit precision
 Version:        %(echo '%{cpan_version}' | sed 's/\(\...\)\(.\)/\1.\2/')
-Release:        11%{?dist}
+Release:        12%{?dist}
 Summary:        Utilities to test STDOUT and STDERR messages
 License:        Artistic 2.0
 Vendor:         Microsoft Corporation
@@ -58,6 +58,10 @@ make test
 %{_mandir}/man3/Test::Output.3pm*
 
 %changelog
+* Tue Aug 27 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.03.1-12
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.03.1-11
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Test-Requires/perl-Test-Requires.signatures.json b/SPECS/perl-Test-Requires/perl-Test-Requires.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Test-Requires/perl-Test-Requires.signatures.json
rename to SPECS/perl-Test-Requires/perl-Test-Requires.signatures.json
diff --git a/SPECS-EXTENDED/perl-Test-Requires/perl-Test-Requires.spec b/SPECS/perl-Test-Requires/perl-Test-Requires.spec
similarity index 98%
rename from SPECS-EXTENDED/perl-Test-Requires/perl-Test-Requires.spec
rename to SPECS/perl-Test-Requires/perl-Test-Requires.spec
index 75eb82ffedf..778ae3f3a89 100644
--- a/SPECS-EXTENDED/perl-Test-Requires/perl-Test-Requires.spec
+++ b/SPECS/perl-Test-Requires/perl-Test-Requires.spec
@@ -7,7 +7,7 @@
 Name:		perl-Test-Requires
 Summary:	Checks to see if a given module can be loaded
 Version:	0.10
-Release:	20%{?dist}
+Release:	21%{?dist}
 License:	GPL+ or Artistic
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -78,6 +78,10 @@ make test TEST_FILES="xt/*.t"
 %{_mandir}/man3/Test::Requires.3*
 
 %changelog
+* Tue Aug 27 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.10-21
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.10-20
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-Test-Taint/perl-Test-Taint.signatures.json b/SPECS/perl-Test-Taint/perl-Test-Taint.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-Test-Taint/perl-Test-Taint.signatures.json
rename to SPECS/perl-Test-Taint/perl-Test-Taint.signatures.json
diff --git a/SPECS-EXTENDED/perl-Test-Taint/perl-Test-Taint.spec b/SPECS/perl-Test-Taint/perl-Test-Taint.spec
similarity index 98%
rename from SPECS-EXTENDED/perl-Test-Taint/perl-Test-Taint.spec
rename to SPECS/perl-Test-Taint/perl-Test-Taint.spec
index b9d29911bd5..be0ad94efda 100644
--- a/SPECS-EXTENDED/perl-Test-Taint/perl-Test-Taint.spec
+++ b/SPECS/perl-Test-Taint/perl-Test-Taint.spec
@@ -1,7 +1,7 @@
 Summary:        Tools to test taintedness
 Name:           perl-Test-Taint
 Version:        1.08
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -63,6 +63,10 @@ chmod -R u+w $RPM_BUILD_ROOT/*
 %{_mandir}/man3/*
 
 %changelog
+* Wed Aug 28 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.08-5
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.08-4
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS/perl-Test-Without-Module/perl-Test-Without-Module.signatures.json b/SPECS/perl-Test-Without-Module/perl-Test-Without-Module.signatures.json
new file mode 100644
index 00000000000..1398d6f9c1d
--- /dev/null
+++ b/SPECS/perl-Test-Without-Module/perl-Test-Without-Module.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "perl-Test-Without-Module-0.23.tar.gz": "8289e1cd7f57017a816ab4127e29ecd7a754ae7cd5c037c41b3b3bf849c21d21"
+ }
+}
diff --git a/SPECS-EXTENDED/perl-Test-Without-Module/perl-Test-Without-Module.spec b/SPECS/perl-Test-Without-Module/perl-Test-Without-Module.spec
similarity index 96%
rename from SPECS-EXTENDED/perl-Test-Without-Module/perl-Test-Without-Module.spec
rename to SPECS/perl-Test-Without-Module/perl-Test-Without-Module.spec
index 3d25aaa662b..e5284ac4e07 100644
--- a/SPECS-EXTENDED/perl-Test-Without-Module/perl-Test-Without-Module.spec
+++ b/SPECS/perl-Test-Without-Module/perl-Test-Without-Module.spec
@@ -1,6 +1,6 @@
 Name:           perl-Test-Without-Module
-Version:        0.20
-Release:        12%{?dist}
+Version:        0.23
+Release:        1%{?dist}
 Summary:        Test fallback behavior in absence of modules
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -54,6 +54,11 @@ make test
 %{_mandir}/man3/Test*
 
 %changelog
+* Wed Aug 28 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.23-1
+- Promote package to Core repository.
+- License verified.
+- Update to v0.23.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.20-12
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS/perl-XML-LibXML/perl-XML-LibXML.spec b/SPECS/perl-XML-LibXML/perl-XML-LibXML.spec
index 8ba58930dae..94cedd959ed 100644
--- a/SPECS/perl-XML-LibXML/perl-XML-LibXML.spec
+++ b/SPECS/perl-XML-LibXML/perl-XML-LibXML.spec
@@ -8,11 +8,13 @@ Name:           perl-XML-LibXML
 # it might not be needed anymore
 # this module is maintained, the other is not
 Version:        2.0209
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Perl interface to the libxml2 library
 License:        (GPL+ or Artistic) and MIT
 URL:            https://metacpan.org/release/XML-LibXML
-Source0:        https://cpan.metacpan.org/authors/id/S/SH/SHLOMIF/XML-LibXML-%{version}.tar.gz 
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+Source0:        https://cpan.metacpan.org/authors/id/S/SH/SHLOMIF/XML-LibXML-%{version}.tar.gz
 # Fix parsing ampersand entities in SAX interface, CPAN RT#131498,
 # posted to the upstream.
 Patch0:         XML-LibXML-2.0202-Parse-an-ampersand-entity-in-SAX-interface.patch
@@ -183,6 +185,9 @@ fi
 %{_libexecdir}/%{name}
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 2.0209-2
+- Add missing Vendor and Distribution tags.
+
 * Mon Dec 18 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.0209-1
 - Auto-upgrade to 2.0209 - Azure Linux 3.0 - package upgrades
 
@@ -518,7 +523,7 @@ fi
 - use better workaround until rhbz#769537 is resolved
 
 * Tue Dec 20 2011 Karsten Hopp <karsten@redhat.com> - 1:1.88-2
-- disable tests on ppc as most ppc buildmachines have only 2Gb 
+- disable tests on ppc as most ppc buildmachines have only 2Gb
   and the tests run out of memory
 
 * Sun Oct  2 2011 Tom Callaway <spot@fedoraproject.org> - 1:1.88-1
diff --git a/SPECS-EXTENDED/perl-bareword-filehandles/perl-bareword-filehandles.signatures.json b/SPECS/perl-bareword-filehandles/perl-bareword-filehandles.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-bareword-filehandles/perl-bareword-filehandles.signatures.json
rename to SPECS/perl-bareword-filehandles/perl-bareword-filehandles.signatures.json
diff --git a/SPECS-EXTENDED/perl-bareword-filehandles/perl-bareword-filehandles.spec b/SPECS/perl-bareword-filehandles/perl-bareword-filehandles.spec
similarity index 97%
rename from SPECS-EXTENDED/perl-bareword-filehandles/perl-bareword-filehandles.spec
rename to SPECS/perl-bareword-filehandles/perl-bareword-filehandles.spec
index 480434460ff..3b55f537f26 100644
--- a/SPECS-EXTENDED/perl-bareword-filehandles/perl-bareword-filehandles.spec
+++ b/SPECS/perl-bareword-filehandles/perl-bareword-filehandles.spec
@@ -1,6 +1,6 @@
 Name:           perl-bareword-filehandles
 Version:        0.007
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Disables bareword filehandles
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -59,6 +59,10 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 0.007-6
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.007-5
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-indirect/perl-indirect.signatures.json b/SPECS/perl-indirect/perl-indirect.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-indirect/perl-indirect.signatures.json
rename to SPECS/perl-indirect/perl-indirect.signatures.json
diff --git a/SPECS-EXTENDED/perl-indirect/perl-indirect.spec b/SPECS/perl-indirect/perl-indirect.spec
similarity index 98%
rename from SPECS-EXTENDED/perl-indirect/perl-indirect.spec
rename to SPECS/perl-indirect/perl-indirect.spec
index a929ec42d01..af52204cebf 100644
--- a/SPECS-EXTENDED/perl-indirect/perl-indirect.spec
+++ b/SPECS/perl-indirect/perl-indirect.spec
@@ -7,7 +7,7 @@
 
 Name:           perl-indirect
 Version:        0.39
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Lexically warn about using the indirect object syntax
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -84,6 +84,10 @@ make test
 %{_mandir}/man3/indirect.3*
 
 %changelog
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 0.39-6
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.39-5
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-multidimensional/perl-multidimensional.signatures.json b/SPECS/perl-multidimensional/perl-multidimensional.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-multidimensional/perl-multidimensional.signatures.json
rename to SPECS/perl-multidimensional/perl-multidimensional.signatures.json
diff --git a/SPECS-EXTENDED/perl-multidimensional/perl-multidimensional.spec b/SPECS/perl-multidimensional/perl-multidimensional.spec
similarity index 97%
rename from SPECS-EXTENDED/perl-multidimensional/perl-multidimensional.spec
rename to SPECS/perl-multidimensional/perl-multidimensional.spec
index eab7a9cd556..0e3c8002570 100644
--- a/SPECS-EXTENDED/perl-multidimensional/perl-multidimensional.spec
+++ b/SPECS/perl-multidimensional/perl-multidimensional.spec
@@ -1,6 +1,6 @@
 Name:           perl-multidimensional
 Version:        0.014
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        Disables multidimensional array emulation
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -66,6 +66,10 @@ make test
 %{_mandir}/man3/*
 
 %changelog
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 0.014-9
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.014-8
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS-EXTENDED/perl-strictures/perl-strictures.signatures.json b/SPECS/perl-strictures/perl-strictures.signatures.json
similarity index 100%
rename from SPECS-EXTENDED/perl-strictures/perl-strictures.signatures.json
rename to SPECS/perl-strictures/perl-strictures.signatures.json
diff --git a/SPECS-EXTENDED/perl-strictures/perl-strictures.spec b/SPECS/perl-strictures/perl-strictures.spec
similarity index 98%
rename from SPECS-EXTENDED/perl-strictures/perl-strictures.spec
rename to SPECS/perl-strictures/perl-strictures.spec
index 1c1c2e68f21..c70e98ea906 100644
--- a/SPECS-EXTENDED/perl-strictures/perl-strictures.spec
+++ b/SPECS/perl-strictures/perl-strictures.spec
@@ -7,7 +7,7 @@
 
 Name:           perl-strictures
 Version:        2.000006
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        Turn on strict and make most warnings fatal
 License:        GPL+ or Artistic
 Vendor:         Microsoft Corporation
@@ -76,6 +76,10 @@ make test
 %{_mandir}/man3/strictures::extra.3*
 
 %changelog
+* Thu Aug 22 2024 Neha Agarwal <nehaagrwal@microsoft.com> - 2.000006-9
+- Promote package to Core repository.
+- License verified.
+
 * Fri Oct 15 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 2.000006-8
 - Initial CBL-Mariner import from Fedora 32 (license: MIT).
 
diff --git a/SPECS/php-pecl-apcu/apcu-panel.conf b/SPECS/php-pecl-apcu/apcu-panel.conf
new file mode 100644
index 00000000000..de7d69010c3
--- /dev/null
+++ b/SPECS/php-pecl-apcu/apcu-panel.conf
@@ -0,0 +1,9 @@
+# APC Control Panel
+Alias /apcu-panel /usr/share/apcu-panel
+
+<Directory /usr/share/apcu-panel>
+   <IfModule mod_authz_core.c>
+     Require local
+   </IfModule>
+</Directory>
+
diff --git a/SPECS/php-pecl-apcu/apcu.conf.php b/SPECS/php-pecl-apcu/apcu.conf.php
new file mode 100644
index 00000000000..8ed53202d33
--- /dev/null
+++ b/SPECS/php-pecl-apcu/apcu.conf.php
@@ -0,0 +1,23 @@
+<?php
+define('USE_AUTHENTICATION',1);		// Use (internal) authentication - best choice if
+					// no other authentication is available
+					// If set to 0:
+					//  There will be no further authentication. You
+					//  will have to handle this by yourself!
+					// If set to 1:
+					//  You need to change ADMIN_PASSWORD to make
+					//  this work!
+define('ADMIN_USERNAME','apc');		// Admin Username
+define('ADMIN_PASSWORD','password');  	// Admin Password - CHANGE THIS TO ENABLE!!!
+
+// (beckerr) I'm using a clear text password here, because I've no good idea how to let 
+//           users generate a md5 or crypt password in a easy way to fill it in above
+
+//define('DATE_FORMAT', "d.m.Y H:i:s");	// German
+//define('DATE_FORMAT', "d/m/Y H:i:s");	// French
+define('DATE_FORMAT', 'Y/m/d H:i:s'); 	// US
+
+define('GRAPH_SIZE',200);		// Image size
+
+//define('PROXY', 'tcp://127.0.0.1:8080');
+
diff --git a/SPECS/php-pecl-apcu/apcu.ini b/SPECS/php-pecl-apcu/apcu.ini
new file mode 100644
index 00000000000..dacb93858d8
--- /dev/null
+++ b/SPECS/php-pecl-apcu/apcu.ini
@@ -0,0 +1,63 @@
+; Enable APCu extension module
+extension = apcu.so
+
+;	This can be set to 0 to disable APCu
+apc.enabled=1
+
+;	Setting this enables APCu for the CLI version of PHP
+;	(Mostly for testing and debugging).
+;apc.enable_cli=0
+
+;	Sets the path to text files containing caches to load from disk upon
+;	initialization of APCu. preload_path should be a directory where each
+;	file follows $key.data where $key should be used as the entry name
+;	and the contents of the file contains serialized data to use as the value
+;	of the entry.
+;apc.preload_path=
+
+;	The size of each shared memory segment, with M/G suffixe
+;apc.shm_size=32M
+
+;	The number of seconds a cache entry is allowed to idle in a slot in case
+;	this cache entry slot is needed by another entry.
+;apc.ttl=0
+
+;	The number of seconds that a cache entry may remain on the
+;	garbage-collection list.
+;apc.gc_ttl=3600
+
+;	If you begin to get low on resources, an expunge of the cache
+;	is performed if it is less than half full. This is not always
+;	a suitable way of determining if an expunge of the cache
+;	should be per apc.smart allows you to set a runtime configuration
+;	value which	is used to determine if an expunge should be run
+;	if (available_size < apc.smart * requested_size)
+;apc.smart=0
+
+;	A "hint" about the number variables expected in the cache.
+;	Set to zero or omit if you are not sure;
+;apc.entries_hint=4096
+
+;	The mktemp-style file_mask to pass to the mmap module 
+apc.mmap_file_mask=/tmp/apc.XXXXXX
+
+;	On very busy servers whenever you start the server or
+;	modify files you can create a race of many processes
+;	all trying to cache the same data at the same time.
+;	By default, APCu attempts to prevent "slamming" of a key.
+;	A key is considered "slammed" if it was the last key set,
+;	and a context other than the current one set it ( ie. it
+;	was set by another process or thread )
+;apc.slam_defense=0
+
+;	Defines which serializer should be used
+;	Default is the standard PHP serializer.
+;apc.serializer='php'
+
+;	use the SAPI request start time for TTL
+;apc.use_request_time=0
+
+;	Enables APCu handling of signals, such as SIGSEGV, that write core files
+;	when signaled. APCu will attempt to unmap the shared memory segment in
+;	order to exclude it from the core file
+;apc.coredump_unmap=0
diff --git a/SPECS/php-pecl-apcu/php-pecl-apcu.signatures.json b/SPECS/php-pecl-apcu/php-pecl-apcu.signatures.json
new file mode 100644
index 00000000000..34888750922
--- /dev/null
+++ b/SPECS/php-pecl-apcu/php-pecl-apcu.signatures.json
@@ -0,0 +1,8 @@
+{
+ "Signatures": {
+  "php-pecl-apcu-5.1.23.tgz": "67ee7464ccad2335c3fa4aeb0b8edbcf6d8344feea7922620c6a13015d604482",
+  "apcu-panel.conf": "243df3ba157ee9c219410bb58536ae38cc06f49e97c0c97b4215930ac455a229",
+  "apcu.conf.php": "6e951a5ec91cf4d8e7ef4edee81abde1ce2c8d5f55f7c266e4b76b56d97cf176",
+  "apcu.ini": "17a905e6d91f998a280aefd8ca4a6558ddb86aa34f7dbf5941dc0b963615fa30"
+ }
+}
diff --git a/SPECS/php-pecl-apcu/php-pecl-apcu.spec b/SPECS/php-pecl-apcu/php-pecl-apcu.spec
new file mode 100644
index 00000000000..7a3c8d08870
--- /dev/null
+++ b/SPECS/php-pecl-apcu/php-pecl-apcu.spec
@@ -0,0 +1,456 @@
+# Fedora spec file for php-pecl-apcu
+#
+# Copyright (c) 2013-2024 Remi Collet
+# License: CC-BY-SA-4.0
+# http://creativecommons.org/licenses/by-sa/4.0/
+#
+# Please, preserve the changelog entries
+#
+
+%global pecl_name  apcu
+%global with_zts   0%{?__ztsphp:1}
+%global ini_name   40-%{pecl_name}.ini
+%global sources    %{pecl_name}-%{version}
+
+Name:           php-pecl-apcu
+Summary:        APC User Cache
+Version:        5.1.23
+Release:        6%{?dist}
+Source0:        https://pecl.php.net/get/%{sources}.tgz#/%{name}-%{version}.tgz
+Source1:        %{pecl_name}.ini
+Source2:        %{pecl_name}-panel.conf
+Source3:        %{pecl_name}.conf.php
+
+License:        PHP-3.01
+URL:            https://pecl.php.net/package/APCu
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+
+BuildRequires:  make
+BuildRequires:  gcc
+BuildRequires:  php-devel
+BuildRequires:  php-pear
+
+Requires:       php(zend-abi) = %{php_zend_api}
+Requires:       php(api) = %{php_core_api}
+
+Obsoletes:      php-apcu < 4.0.0-1
+Provides:       php-apcu = %{version}
+Provides:       php-apcu%{?_isa} = %{version}
+Provides:       php-pecl(apcu) = %{version}
+Provides:       php-pecl(apcu)%{?_isa} = %{version}
+
+
+%description
+APCu is userland caching: APC stripped of opcode caching.
+
+APCu only supports userland caching of variables.
+
+The %{?sub_prefix}php-pecl-apcu-bc package provides a drop
+in replacement for APC.
+
+
+%package devel
+Summary:       APCu developer files (header)
+Requires:      %{name}%{?_isa} = %{version}-%{release}
+Requires:      php-devel%{?_isa}
+Obsoletes:     php-pecl-apc-devel < 4
+Provides:      php-pecl-apc-devel = %{version}-%{release}
+Provides:      php-pecl-apc-devel%{?_isa} = %{version}-%{release}
+
+%description devel
+These are the files needed to compile programs using APCu.
+
+
+%package -n apcu-panel
+Summary:       APCu control panel
+BuildArch:     noarch
+Requires:      %{name} = %{version}-%{release}
+Requires:      php(httpd)
+Requires:      php-gd
+Requires:      httpd
+Obsoletes:     apc-panel < 4
+Provides:      apc-panel = %{version}-%{release}
+
+%description -n apcu-panel
+This package provides the APCu control panel, with Apache
+configuration, available on http://localhost/apcu-panel/
+
+
+%prep
+%setup -qc
+mv %{pecl_name}-%{version} NTS
+
+sed -e '/LICENSE/s/role="doc"/role="src"/' -i package.xml
+
+cd NTS
+# Sanity check, really often broken
+extver=$(sed -n '/#define PHP_APCU_VERSION/{s/.* "//;s/".*$//;p}' php_apc.h)
+if test "x${extver}" != "x%{version}"; then
+   : Error: Upstream extension version is ${extver}, expecting %{version}.
+   exit 1
+fi
+cd ..
+
+%if %{with_zts}
+# duplicate for ZTS build
+cp -pr NTS ZTS
+%endif
+
+# Fix path to configuration file
+sed -e s:apc.conf.php:%{_sysconfdir}/apcu-panel/conf.php:g \
+    -i  NTS/apc.php
+
+
+%build
+cd NTS
+%{_bindir}/phpize
+%configure \
+   --enable-apcu \
+   --with-php-config=%{_bindir}/php-config
+make %{?_smp_mflags}
+
+%if %{with_zts}
+cd ../ZTS
+%{_bindir}/zts-phpize
+%configure \
+   --enable-apcu \
+   --with-php-config=%{_bindir}/zts-php-config
+make %{?_smp_mflags}
+%endif
+
+
+%install
+# Install the NTS stuff
+make -C NTS install INSTALL_ROOT=%{buildroot}
+install -D -m 644 %{SOURCE1} %{buildroot}%{php_inidir}/%{ini_name}
+
+%if %{with_zts}
+# Install the ZTS stuff
+make -C ZTS install INSTALL_ROOT=%{buildroot}
+install -D -m 644 %{SOURCE1} %{buildroot}%{php_ztsinidir}/%{ini_name}
+%endif
+
+# Install the package XML file
+install -D -m 644 package.xml %{buildroot}%{pecl_xmldir}/%{name}.xml
+
+# Install the Control Panel
+# Pages
+install -D -m 644 -p NTS/apc.php  \
+        %{buildroot}%{_datadir}/apcu-panel/index.php
+# Apache config
+install -D -m 644 -p %{SOURCE2} \
+        %{buildroot}%{_sysconfdir}/httpd/conf.d/apcu-panel.conf
+# Panel config
+install -D -m 644 -p %{SOURCE3} \
+        %{buildroot}%{_sysconfdir}/apcu-panel/conf.php
+
+# Test & Documentation
+cd NTS
+for i in $(grep 'role="test"' ../package.xml | sed -e 's/^.*name="//;s/".*$//')
+do install -Dpm 644 $i %{buildroot}%{pecl_testdir}/%{pecl_name}/$i
+done
+for i in $(grep 'role="doc"' ../package.xml | sed -e 's/^.*name="//;s/".*$//')
+do install -Dpm 644 $i %{buildroot}%{pecl_docdir}/%{pecl_name}/$i
+done
+
+
+%check
+cd NTS
+%{_bindir}/php -n \
+   -d extension=%{buildroot}%{php_extdir}/%{pecl_name}.so \
+   -m | grep '^apcu$'
+
+# Upstream test suite for NTS extension
+TEST_PHP_EXECUTABLE=%{_bindir}/php \
+TEST_PHP_ARGS="-n -d extension=%{buildroot}%{php_extdir}/%{pecl_name}.so" \
+NO_INTERACTION=1 \
+REPORT_EXIT_STATUS=1 \
+%{_bindir}/php -n run-tests.php
+
+%if %{with_zts}
+cd ../ZTS
+%{__ztsphp} -n \
+   -d extension=%{buildroot}%{php_ztsextdir}/%{pecl_name}.so \
+   -m | grep '^apcu$'
+
+# Upstream test suite for ZTS extension
+TEST_PHP_EXECUTABLE=%{__ztsphp} \
+TEST_PHP_ARGS="-n -d extension=%{buildroot}%{php_ztsextdir}/%{pecl_name}.so" \
+NO_INTERACTION=1 \
+REPORT_EXIT_STATUS=1 \
+%{__ztsphp} -n run-tests.php
+%endif
+
+
+%files
+%license NTS/LICENSE
+%doc %{pecl_docdir}/%{pecl_name}
+%{pecl_xmldir}/%{name}.xml
+
+%config(noreplace) %{php_inidir}/%{ini_name}
+%{php_extdir}/%{pecl_name}.so
+
+%if %{with_zts}
+%{php_ztsextdir}/%{pecl_name}.so
+%config(noreplace) %{php_ztsinidir}/%{ini_name}
+%endif
+
+
+%files devel
+%doc %{pecl_testdir}/%{pecl_name}
+%{php_incldir}/ext/%{pecl_name}
+
+%if %{with_zts}
+%{php_ztsincldir}/ext/%{pecl_name}
+%endif
+
+
+%files -n apcu-panel
+# Need to restrict access, as it contains a clear password
+%attr(550,apache,root) %dir %{_sysconfdir}/apcu-panel
+%config(noreplace) %{_sysconfdir}/apcu-panel/conf.php
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/apcu-panel.conf
+%{_datadir}/apcu-panel
+
+
+%changelog
+* Tue Aug 27 2024 Neeraj Sallh <v-nsallh@microsoft.com> - 5.1.23-6
+- Initial Azure Linux import from Fedora 42 (license: MIT)
+- License Verified
+
+* Fri Jul 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.23-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Tue Apr 16 2024 Remi Collet <remi@remirepo.net> - 5.1.23-4
+- drop 32-bit support
+  https://fedoraproject.org/wiki/Changes/php_no_32_bit
+
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.23-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.23-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Nov 13 2023 Remi Collet <remi@remirepo.net> - 5.1.23-1
+- update to 5.1.23
+
+* Tue Oct 03 2023 Remi Collet <remi@remirepo.net> - 5.1.22-6
+- rebuild for https://fedoraproject.org/wiki/Changes/php83
+- build out of sources tree
+
+* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.22-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu Apr 20 2023 Remi Collet <remi@remirepo.net> - 5.1.22-5
+- use SPDX license ID
+
+* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.22-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Oct 05 2022 Remi Collet <remi@remirepo.net> - 5.1.22-3
+- rebuild for https://fedoraproject.org/wiki/Changes/php82
+
+* Tue Sep 20 2022 Remi Collet <remi@remirepo.net> - 5.1.22-2
+- drop unneeded build dependency on pcre #2128350
+
+* Mon Sep 19 2022 Remi Collet <remi@remirepo.net> - 5.1.22-1
+- update to 5.1.22
+
+* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.21-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.21-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Oct 28 2021 Remi Collet <remi@remirepo.net> - 5.1.21-2
+- rebuild for https://fedoraproject.org/wiki/Changes/php81
+
+* Thu Oct  7 2021 Remi Collet <remi@remirepo.net> - 5.1.21-1
+- update to 5.1.21
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.20-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu Mar  4 2021 Remi Collet <remi@remirepo.net> - 5.1.20-1
+- update to 5.1.20
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.19-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Oct  5 2020 Remi Collet <remi@remirepo.net> - 5.1.19-1
+- update to 5.1.19
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.18-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.18-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Oct 28 2019 Remi Collet <remi@remirepo.net> - 5.1.18-1
+- update to 5.1.18
+
+* Thu Oct 03 2019 Remi Collet <remi@remirepo.net> - 5.1.17-3
+- rebuild for https://fedoraproject.org/wiki/Changes/php74
+- add upstream patches for test suite
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.17-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Feb  8 2019 Remi Collet <remi@remirepo.net> - 5.1.17-1
+- update to 5.1.17
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.15-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Dec  7 2018 Remi Collet <remi@remirepo.net> - 5.1.15-1
+- update to 5.1.15
+
+* Wed Nov 21 2018 Remi Collet <remi@remirepo.net> - 5.1.14-1
+- update to 5.1.14 (stable)
+
+* Mon Nov 19 2018 Remi Collet <remi@remirepo.net> - 5.1.13-1
+- update to 5.1.13 (stable)
+
+* Thu Oct 11 2018 Remi Collet <remi@remirepo.net> - 5.1.12-3
+- Rebuild for https://fedoraproject.org/wiki/Changes/php73
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.12-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jul  9 2018 Remi Collet <remi@remirepo.net> - 5.1.12-1
+- update to 5.1.12 (stable)
+
+* Thu Mar  8 2018 Remi Collet <remi@remirepo.net> - 5.1.11-1
+- update to 5.1.11 (stable)
+
+* Fri Feb 16 2018 Remi Collet <remi@remirepo.net> - 5.1.10-1
+- update to 5.1.10 (stable)
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Jan 26 2018 Remi Collet <remi@remirepo.net> - 5.1.9-2
+- undefine _strict_symbol_defs_build
+
+* Tue Jan  2 2018 Remi Collet <remi@fedoraproject.org> - 5.1.9-1
+- Update to 5.1.9 (php 7, stable)
+
+* Tue Oct 03 2017 Remi Collet <remi@fedoraproject.org> - 5.1.8-5
+- rebuild for https://fedoraproject.org/wiki/Changes/php72
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.8-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 5.1.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Jan 16 2017 Remi Collet <remi@fedoraproject.org> - 5.1.8-1
+- Update to 5.1.8 (php 7, stable)
+
+* Mon Nov 14 2016 Remi Collet <remi@fedoraproject.org> - 5.1.7-2
+- rebuild for https://fedoraproject.org/wiki/Changes/php71
+
+* Fri Oct 21 2016 Remi Collet <remi@fedoraproject.org> - 5.1.7-1
+- Update to 5.1.7 (php 7, stable)
+
+* Thu Oct  6 2016 Remi Collet <remi@fedoraproject.org> - 5.1.6-1
+- Update to 5.1.6 (php 7, stable)
+
+* Mon Jun 27 2016 Remi Collet <remi@fedoraproject.org> - 5.1.5-1
+- Update to 5.1.5 (php 7, stable)
+
+* Wed Apr 20 2016 Remi Collet <remi@fedoraproject.org> - 4.0.11-1
+- Update to 4.0.11 (stable)
+- fix license usage and spec cleanup
+
+* Wed Apr 20 2016 Remi Collet <remi@fedoraproject.org> - 4.0.10-4
+- add upstream patch, fix FTBFS with 5.6.21RC1, thanks Koschei
+
+* Wed Feb 10 2016 Remi Collet <remi@fedoraproject.org> - 4.0.10-3
+- drop scriptlets (replaced file triggers in php-pear)
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Mon Dec  7 2015 Remi Collet <remi@fedoraproject.org> - 4.0.10-1
+- Update to 4.0.10 (stable)
+
+* Fri Nov 20 2015 Remi Collet <remi@fedoraproject.org> - 4.0.8-1
+- Update to 4.0.8
+
+* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Oct 27 2014 Remi Collet <remi@fedoraproject.org> - 4.0.7-1
+- Update to 4.0.7
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Thu Jun 19 2014 Remi Collet <rcollet@redhat.com> - 4.0.6-2
+- rebuild for https://fedoraproject.org/wiki/Changes/Php56
+
+* Thu Jun 12 2014 Remi Collet <remi@fedoraproject.org> - 4.0.6-1
+- Update to 4.0.6 (beta)
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.0.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed Apr 23 2014 Remi Collet <remi@fedoraproject.org> - 4.0.4-2
+- add numerical prefix to extension configuration file
+
+* Sat Mar 01 2014 Remi Collet <remi@fedoraproject.org> - 4.0.4-1
+- Update to 4.0.4 (beta)
+
+* Mon Jan 27 2014 Remi Collet <remi@fedoraproject.org> - 4.0.3-1
+- Update to 4.0.3 (beta)
+- install doc in pecl doc_dir
+- install tests in pecl test_dir (in devel)
+- cleanup SCL stuff
+
+* Mon Jan 13 2014 Remi Collet <rcollet@redhat.com> - 4.0.2-3
+- EPEL-7 build
+
+* Mon Sep 16 2013 Remi Collet <rcollet@redhat.com> - 4.0.2-2
+- fix perm on config dir
+- improve SCL compatibility
+- always provides php-pecl-apc-devel and apc-panel
+
+* Mon Sep 16 2013 Remi Collet <remi@fedoraproject.org> - 4.0.2-1
+- Update to 4.0.2
+
+* Sat Jul 27 2013 Remi Collet <remi@fedoraproject.org> - 4.0.1-3
+- restore APC serializers ABI (patch merged upstream)
+
+* Mon Jul 15 2013 Remi Collet <rcollet@redhat.com> - 4.0.1-2
+- adapt for SCL
+
+* Tue Apr 30 2013 Remi Collet <remi@fedoraproject.org> - 4.0.1-1
+- Update to 4.0.1
+- add missing scriptlet
+- fix Conflicts
+
+* Thu Apr 25 2013 Remi Collet <remi@fedoraproject.org> - 4.0.0-2
+- fix segfault when used from command line
+
+* Wed Mar 27 2013 Remi Collet <remi@fedoraproject.org> - 4.0.0-1
+- first pecl release
+- rename from php-apcu to php-pecl-apcu
+
+* Tue Mar 26 2013 Remi Collet <remi@fedoraproject.org> - 4.0.0-0.4.git4322fad
+- new snapshot (test before release)
+
+* Mon Mar 25 2013 Remi Collet <remi@fedoraproject.org> - 4.0.0-0.3.git647cb2b
+- new snapshot with our pull request
+- allow to run test suite simultaneously on 32/64 arch
+- build warning free
+
+* Mon Mar 25 2013 Remi Collet <remi@fedoraproject.org> - 4.0.0-0.2.git6d20302
+- new snapshot with full APC compatibility
+
+* Sat Mar 23 2013 Remi Collet <remi@fedoraproject.org> - 4.0.0-0.1.git44e8dd4
+- initial package, version 4.0.0
diff --git a/SPECS/plexus-utils/plexus-utils.signatures.json b/SPECS/plexus-utils/plexus-utils.signatures.json
index 8a288bbd362..414159685f6 100644
--- a/SPECS/plexus-utils/plexus-utils.signatures.json
+++ b/SPECS/plexus-utils/plexus-utils.signatures.json
@@ -1,7 +1,6 @@
 {
  "Signatures": {
   "LICENSE-2.0.txt": "cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30",
-  "plexus-utils-3.3.0.tar.gz": "a8953a183887d026311742ef72ab64a8e38916097690c24566bcf28b82478b03",
-  "plexus-utils-build.xml": "ae5c5ed948c601783e32e64261cf2ca873c3ee0503fa623bd2ac2abfcc34fef3"
+  "plexus-utils-3.3.0.tar.gz": "a8953a183887d026311742ef72ab64a8e38916097690c24566bcf28b82478b03"
  }
 }
diff --git a/SPECS/polkit-qt-1/polkit-qt-1.spec b/SPECS/polkit-qt-1/polkit-qt-1.spec
index 215e0d9bcdf..d1af8850284 100644
--- a/SPECS/polkit-qt-1/polkit-qt-1.spec
+++ b/SPECS/polkit-qt-1/polkit-qt-1.spec
@@ -1,10 +1,12 @@
 Name:            polkit-qt-1
 Version:         0.175.0
-Release:         1%{?dist}
+Release:         2%{?dist}
 Summary:         Qt bindings for PolicyKit
 
 License:         BSD-3-Clause AND GPL-2.0-or-later AND LGPL-2.0-or-later
 URL:             https://api.kde.org/kdesupport-api/polkit-qt-1-apidocs/
+Vendor:          Microsoft Corporation
+Distribution:    Azure Linux
 Source0:         https://invent.kde.org/libraries/%{name}/-/archive/v%{version}/%{name}-v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 
 
@@ -63,6 +65,9 @@ Requires: polkit-qt6-1%{?_isa} = %{version}-%{release}
 %{_libdir}/cmake/PolkitQt6-1/
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.175.0-2
+- Add missing Vendor and Distribution tags.
+
 * Thu Feb 08 2024 Sam Meluch <sammeluch@microsoft.com> - 0.175.0-1
 - License Verified
 - Initial CBL-Mariner import from Fedora 39 (license: MIT).
diff --git a/SPECS/postgresql/postgresql.service b/SPECS/postgresql/postgresql.service
new file mode 100644
index 00000000000..2a8dfc7e08c
--- /dev/null
+++ b/SPECS/postgresql/postgresql.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=PostgreSQL database server
+Documentation=man:postgres(1)
+After=network-online.target multi-user.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+User=postgres
+ExecStart=/usr/bin/postgres -D /usr/local/pgsql/data
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=mixed
+KillSignal=SIGTERM
+TimeoutSec=infinity
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SPECS/postgresql/postgresql.signatures.json b/SPECS/postgresql/postgresql.signatures.json
index 3c4c4d30b9a..80da8c0cb3a 100644
--- a/SPECS/postgresql/postgresql.signatures.json
+++ b/SPECS/postgresql/postgresql.signatures.json
@@ -1,5 +1,6 @@
 {
-  "Signatures": {
-    "postgresql-16.4.tar.bz2": "971766d645aa73e93b9ef4e3be44201b4f45b5477095b049125403f9f3386d6f"
-  }
-}
+ "Signatures": {
+  "postgresql-16.4.tar.bz2": "971766d645aa73e93b9ef4e3be44201b4f45b5477095b049125403f9f3386d6f",
+  "postgresql.service": "2d209e10523c43e7011b4a85e9e32f5f5911a74a25012cdeaf5fdeb0a5664461"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/postgresql/postgresql.spec b/SPECS/postgresql/postgresql.spec
index ab75f7e1063..e65b14a2cee 100644
--- a/SPECS/postgresql/postgresql.spec
+++ b/SPECS/postgresql/postgresql.spec
@@ -1,13 +1,16 @@
+%define username postgres
+%define groupname postgres
 Summary:        PostgreSQL database engine
 Name:           postgresql
 Version:        16.4
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        PostgreSQL
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Applications/Databases
 URL:            https://www.postgresql.org
 Source0:        https://ftp.postgresql.org/pub/source/v%{version}/%{name}-%{version}.tar.bz2
+Source1:	%{name}.service
 
 # Common libraries needed
 BuildRequires:  krb5-devel
@@ -20,6 +23,8 @@ BuildRequires:  pkgconfig(icu-uc)
 BuildRequires:  readline-devel
 BuildRequires:  tzdata
 BuildRequires:  zlib-devel
+BuildRequires:	systemd-rpm-macros
+BuildRequires:	systemd-devel
 
 %if 0%{?with_check}
 BuildRequires:  sudo
@@ -33,6 +38,7 @@ Requires:       openssl
 Requires:       readline
 Requires:       tzdata
 Requires:       zlib
+Requires:	openssl-libs
 
 %description
 PostgreSQL is an object-relational database management system.
@@ -65,12 +71,24 @@ Obsoletes:      libpq-devel < 13
 The postgresql-devel package contains libraries and header files for
 developing applications that use postgresql.
 
+%package	service
+Summary:	To setup postgresql as a service
+Requires:	%{name} = %{version}-%{release}
+Requires(post):	util-linux
+Requires(pre):	shadow-utils
+Requires(post):	shadow-utils
+Requires(postun):shadow-utils
+
+%description	service
+Install postgresql-service if you want to run postgresql as a service
+
 %prep
-%setup -q
+%autosetup -p1
 
 %build
 sed -i '/DEFAULT_PGSOCKET_DIR/s@/tmp@/run/postgresql@' src/include/pg_config_manual.h &&
 ./configure \
+    --with-systemd \
     --enable-thread-safety \
     --prefix=%{_prefix} \
     --with-ldap \
@@ -88,6 +106,8 @@ cd contrib && make %{?_smp_mflags}
 make install DESTDIR=%{buildroot}
 cd contrib && make install DESTDIR=%{buildroot}
 
+install -D -m 644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
+
 # For postgresql 10+, commands are renamed
 # Ref: https://wiki.postgresql.org/wiki/New_in_postgres_10
 ln -sf pg_receivewal %{buildroot}%{_bindir}/pg_receivexlog
@@ -101,6 +121,50 @@ chown -Rv nobody .
 sudo -u nobody -s /bin/bash -c "PATH=$PATH make -k check"
 
 %ldconfig_scriptlets
+%pre service
+if ! getent group postgres >/dev/null; then
+    /sbin/groupadd -r postgres
+fi
+
+if ! getent passwd postgres >/dev/null; then
+    /sbin/useradd -g postgres postgres
+fi
+
+%post service
+PGDATA="/usr/local/pgsql/data"
+PGRUN="/run/postgresql"
+
+if [ ! -d "$PGDATA" ]; then
+    mkdir -p "$PGDATA"
+    chown postgres:postgres "$PGDATA"
+    su - postgres -c /usr/bin/initdb
+    chown -R postgres:postgres "$PGDATA"
+fi
+
+if [ ! -d "$PGRUN" ]; then
+    mkdir -p "$PGRUN"
+    chown postgres:postgres "$PGRUN"
+    chmod 700 "$PGRUN"
+fi
+
+%systemd_post %{name}.service
+
+%preun
+%systemd_preun %{name}.service
+
+%postun
+if [ $1 -eq 0 ] ; then
+    if getent passwd postgres >/dev/null; then
+        /sbin/userdel postgres
+    fi
+    if getent group %{name} >/dev/null; then
+        /sbin/groupdel postgres
+    fi
+    rm -rf /var/log/%{name}
+    rm -rf /var/run/%{name}
+fi
+
+%systemd_postun_with_restart %{name}.service
 
 %files
 %defattr(-,root,root)
@@ -172,7 +236,13 @@ sudo -u nobody -s /bin/bash -c "PATH=$PATH make -k check"
 %{_libdir}/libecpg_compat.a
 %{_libdir}/libpgtypes.a
 
+%files service
+%{_unitdir}/%{name}.service
+
 %changelog
+* Thu Aug 29 2024 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 16.4-2
+- Add postgresql-service as a subpackage
+
 * Mon Aug 12 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 16.4-1
 - Auto-upgrade to 16.4 - CVE-2024-7348
  
diff --git a/SPECS/python-backoff/python-backoff.signatures.json b/SPECS/python-backoff/python-backoff.signatures.json
new file mode 100644
index 00000000000..e46f26a2099
--- /dev/null
+++ b/SPECS/python-backoff/python-backoff.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "backoff-2.2.1.tar.gz": "7b92e74aac38ec49e97ac899c96c882496c7b09cf4235e8da205e62b2c6c001d"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/python-backoff/python-backoff.spec b/SPECS/python-backoff/python-backoff.spec
new file mode 100644
index 00000000000..a899f611ce8
--- /dev/null
+++ b/SPECS/python-backoff/python-backoff.spec
@@ -0,0 +1,136 @@
+%global desc This module provides function decorators which can be used to wrap \
+a function such that it will be retried until some condition is met. \
+It is meant to be of use when accessing unreliable resources with the \
+potential for intermittent failures i.e. network resources and external \
+APIs. Somewhat more generally, it may also be of use for dynamically \
+polling resources for externally generated content.
+%global srcname backoff
+
+Name:          python-%{srcname}
+Version:       2.2.1
+Release:       9%{?dist}
+Vendor:        Microsoft Corporation
+Distribution:  Azure Linux
+BuildArch:     noarch
+
+License:       MIT
+Summary:       Python library providing function decorators for configurable backoff and retry
+URL:           https://github.com/litl/backoff
+Source0:       %{url}/archive/refs/tags/v%{version}.tar.gz#/%{srcname}-%{version}.tar.gz
+
+BuildRequires: pyproject-rpm-macros
+BuildRequires: python3-pip
+BuildRequires: python3-poetry
+
+%description
+%{desc}
+
+%package -n python3-%{srcname}
+Summary:       %{summary}
+%{?python_provide:%python_provide python3-%{srcname}}
+
+%description -n python3-%{srcname}
+%{desc}
+
+%prep
+%autosetup -p1 -n %{srcname}-%{version}
+
+%generate_buildrequires
+%pyproject_buildrequires
+
+%build
+%pyproject_wheel
+
+%install
+%pyproject_install
+
+%files -n python3-%{srcname}
+%license LICENSE
+%doc CHANGELOG.md README.rst
+%{python3_sitelib}/%{srcname}/
+%{python3_sitelib}/%{srcname}-*.dist-info/
+
+%changelog
+* Wed Aug 28 2028 Reuben Olinsky <reubeno@microsoft.com> - 2.2.1-9
+- Initial Azure Linux import from Fedora 41 (license: MIT)
+- License verified
+
+* Fri Jul 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 2.2.1-7
+- Rebuilt for Python 3.13
+
+* Fri Jan 26 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu Jun 15 2023 Python Maint <python-maint@redhat.com> - 2.2.1-3
+- Rebuilt for Python 3.12
+
+* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Jan 11 2023 Jiri Kyjovsky <jkyjovsk@redhat.com> - 2.2.1-1
+- Update to 2.2.1
+
+* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.0-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Thu Jun 16 2022 Python Maint <python-maint@redhat.com> - 1.10.0-7
+- Rebuilt for Python 3.11
+
+* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 1.10.0-4
+- Rebuilt for Python 3.10
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Sat Jul 11 2020 Igor Raits <ignatenkobrain@fedoraproject.org> - 1.10.0-1
+- Update to 1.10.0
+
+* Mon May 25 2020 Miro Hrončok <mhroncok@redhat.com> - 1.6.0-7
+- Rebuilt for Python 3.9
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 1.6.0-5
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 1.6.0-4
+- Rebuilt for Python 3.8
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jul 30 2018 Randy Barlow <bowlofeggs@fedoraproject.org> - 1.6.0-1
+- Update to 1.6.0 (#1566766).
+- https://github.com/litl/backoff/blob/v1.6.0/CHANGELOG.md
+- Import a patch from an upstream pull request to solve a Python 3.7 compatibility issue (#1605610).
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 1.4.3-2
+- Rebuilt for Python 3.7
+
+* Thu Mar 08 2018 Randy Barlow <bowlofeggs@fedoraproject.org> - 1.4.3-1
+- Initial release (#1553447).
diff --git a/SPECS/python-decorator/python-decorator.spec b/SPECS/python-decorator/python-decorator.spec
index 3443f83f0d6..4c75e296a20 100644
--- a/SPECS/python-decorator/python-decorator.spec
+++ b/SPECS/python-decorator/python-decorator.spec
@@ -10,9 +10,11 @@
 Summary:        Module to simplify usage of decorators
 Name:           python-%{pypi_name}
 Version:        5.1.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD
 URL:            https://github.com/micheles/decorator
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        https://files.pythonhosted.org/packages/source/d/%{pypi_name}/%{pypi_name}-%{version}.tar.gz#/%{name}-%{version}.tar.gz
 BuildArch:      noarch
 BuildRequires:  python3-setuptools
@@ -57,6 +59,9 @@ find %{buildroot} -name SOURCES.txt~ -exec rm -f {} \;
 %{python3_sitelib}/__pycache__/*
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 5.1.1-2
+- Add missing Vendor and Distribution tags.
+
 * Mon Feb 12 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 5.1.1-1
 - Auto-upgrade to 5.1.1 - Azure Linux 3.0 - package upgrades
 
@@ -197,4 +202,4 @@ find %{buildroot} -name SOURCES.txt~ -exec rm -f {} \;
 - Update to 2.3.2
 - Enable tests via nose
 * Sat Nov 29 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 2.2.0-2
-- Rebuild for Python 2.6
\ No newline at end of file
+- Rebuild for Python 2.6
diff --git a/SPECS/python-hatch-fancy-pypi-readme/python-hatch-fancy-pypi-readme.spec b/SPECS/python-hatch-fancy-pypi-readme/python-hatch-fancy-pypi-readme.spec
index 672e8545a90..cb9ff1fbc5e 100644
--- a/SPECS/python-hatch-fancy-pypi-readme/python-hatch-fancy-pypi-readme.spec
+++ b/SPECS/python-hatch-fancy-pypi-readme/python-hatch-fancy-pypi-readme.spec
@@ -1,10 +1,12 @@
 Name:           python-hatch-fancy-pypi-readme
 Version:        24.1.0
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        Hatch plugin for writing fancy PyPI readmes
 
 License:        MIT
 URL:            https://github.com/hynek/hatch-fancy-pypi-readme
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        https://files.pythonhosted.org/packages/b4/c2/c9094283a07dd96c5a8f7a5f1910259d40d2e29223b95dd875a6ca13b58f/hatch_fancy_pypi_readme-%{version}.tar.gz#/%{name}-%{version}.tar.gz
 
 BuildArch:      noarch
@@ -67,6 +69,9 @@ pip3 install iniconfig
 %{_bindir}/hatch-fancy-pypi-readme
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 24.1.0-5
+- Add missing Vendor and Distribution tags.
+
 * Tue Mar 05 2024 Osama Esmail <osamaesmail@microsoft.com> - 24.1.0-4
 - Initial CBL-Mariner import from Fedora 40 (license: MIT).
 - Remove toml.
@@ -100,4 +105,4 @@ pip3 install iniconfig
 - Updated as per suggestions given for this package review (#2123618)
 
 * Fri Sep 02 2022 Parag Nemade <pnemade AT redhat DOT com> - 22.3.0-1
-- Initial release
\ No newline at end of file
+- Initial release
diff --git a/SPECS/python-junitxml/python-junitxml.signatures.json b/SPECS/python-junitxml/python-junitxml.signatures.json
new file mode 100644
index 00000000000..14daab05b1d
--- /dev/null
+++ b/SPECS/python-junitxml/python-junitxml.signatures.json
@@ -0,0 +1,5 @@
+{
+    "Signatures": {
+      "junitxml-0.7.tar.gz": "a5901127067ab7f3d11df30727368c129c69b3f5595c697daf4f5ed80b1baaa3"
+    }
+  }
diff --git a/SPECS/python-junitxml/python-junitxml.spec b/SPECS/python-junitxml/python-junitxml.spec
new file mode 100644
index 00000000000..e679c779932
--- /dev/null
+++ b/SPECS/python-junitxml/python-junitxml.spec
@@ -0,0 +1,174 @@
+%global pypi_name junitxml
+%global _description\
+PyJUnitXML\
+==========\
+A Python unittest TestResult that outputs JUnit\
+compatible XML.
+Summary:        PyJUnitXML, a pyunit extension to output JUnit compatible XML
+Name:           python-%{pypi_name}
+Version:        0.7
+Release:        39%{?dist}
+License:        LGPL-3.0-only
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+URL:            https://launchpad.net/pyjunitxml
+Source0:        https://pypi.python.org/packages/source/j/%{pypi_name}/%{pypi_name}-%{version}.tar.gz
+BuildRequires:  python3-devel
+BuildRequires:  python3-setuptools
+BuildArch:      noarch
+
+%description %{_description}
+
+%package -n python3-%{pypi_name}
+Summary:        PyJUnitXML, a pyunit extension to output JUnit compatible XML
+BuildRequires:  python3-devel
+
+%description -n python3-%{pypi_name}
+PyJUnitXML
+==========
+A Python unittest TestResult that outputs JUnit
+compatible XML.
+
+%prep
+%setup -q -n %{pypi_name}-%{version}
+rm -rf %{py3dir}
+cp -a . %{py3dir}
+
+%build
+pushd %{py3dir}
+python3 setup.py build
+popd
+
+%install
+pushd %{py3dir}
+python3 setup.py install --skip-build --root %{buildroot}
+popd
+mv %{buildroot}%{_bindir}/pyjunitxml %{buildroot}%{_bindir}/pyjunitxml-%{python3_version}
+ln -s ./pyjunitxml-%{python3_version} %{buildroot}%{_bindir}/pyjunitxml-3
+
+%files -n python3-%{pypi_name}
+%license COPYING
+%{_bindir}/pyjunitxml-3
+%{_bindir}/pyjunitxml-%{python3_version}
+%{python3_sitelib}/*
+
+%changelog
+* Thu Sep 12 2024 Zhichun Wan <zhichunwan@microsoft.com> - 0.7-39
+- Initial Azure Linux import from Fedora 42 (license: MIT)
+- License Verified
+
+* Fri Jul 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-38
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 0.7-37
+- Rebuilt for Python 3.13
+
+* Fri Jan 26 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-36
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-35
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-34
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 0.7-33
+- Rebuilt for Python 3.12
+
+* Wed Mar 01 2023 Gwyn Ciesla <gwync@protonmail.com> - 0.7-32
+- migrated to SPDX license
+
+* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-31
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Dec 21 2022 Gwyn Ciesla <gwync@protonmail.com> - 0.7-30
+- BR setuptools.
+
+* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-29
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 0.7-28
+- Rebuilt for Python 3.11
+
+* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-27
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-26
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 0.7-25
+- Rebuilt for Python 3.10
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-24
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-23
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 0.7-22
+- Rebuilt for Python 3.9
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-21
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Sep 23 2019 Gwyn Ciesla <gwync@protonmail.com> - 0.7-20
+- Drop Python 2 support, no more consumers.
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.7-19
+- Rebuilt for Python 3.8
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-18
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-16
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.7-15
+- Rebuilt for Python 3.7
+
+* Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 0.7-14
+- Update Python 2 dependency declarations to new packaging standards
+  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.7-12
+- Python 2 binary package renamed to python2-junitxml
+  See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Feb 16 2017 Iryna Shcherbina <ishcherb@redhat.com> - 0.7-10
+- Fix python-junitxml dragging in both Python 3 and Python 2 (RHBZ#1422933)
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Dec 19 2016 Miro Hrončok <mhroncok@redhat.com> - 0.7-8
+- Rebuild for Python 3.6
+
+* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7-7
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Nov 10 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7-5
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed May 28 2014 Kalev Lember <kalevlember@gmail.com> - 0.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4
+
+* Tue Apr 29 2014 Steve Linabery <slinaber@redhat.com> - 0.7-1
+- Initial package.
diff --git a/SPECS/python-kubernetes/python-kubernetes.spec b/SPECS/python-kubernetes/python-kubernetes.spec
index 8c82dd4ce45..db34a36fa04 100644
--- a/SPECS/python-kubernetes/python-kubernetes.spec
+++ b/SPECS/python-kubernetes/python-kubernetes.spec
@@ -2,10 +2,12 @@
 
 Name:       python-%{library}
 Version:    29.0.0
-Release:    1%{?dist}
+Release:    2%{?dist}
 Summary:    Python client for the kubernetes API.
 License:    ASL 2.0
 URL:        https://github.com/kubernetes-client/python
+Vendor:     Microsoft Corporation
+Distribution: Azure Linux
 Source0:    https://github.com/kubernetes-client/python/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 BuildArch:  noarch
 
@@ -17,7 +19,7 @@ BuildRequires:  python3-setuptools
 Requires:       python3-certifi
 Requires:       python3-six
 Requires:       python3-dateutil
-Requires:       python3-setuptools 
+Requires:       python3-setuptools
 Requires:       python3-urllib3
 Requires:       python3-PyYAML
 Requires:       python3-google-auth
@@ -66,6 +68,9 @@ cp -pr kubernetes/e2e_test %{buildroot}%{python3_sitelib}/%{library}/
 %{python3_sitelib}/%{library}/e2e_test
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 29.0.0-2
+- Add missing Vendor and Distribution tags.
+
 * Tue Mar 05 2024 Henry Li <lihl@microsoft.com> - 29.0.0-1
 - Upgrade to v29.0.0
 
diff --git a/SPECS/python-pip/CVE-2024-3651.patch b/SPECS/python-pip/CVE-2024-3651.patch
new file mode 100644
index 00000000000..802db7ebab5
--- /dev/null
+++ b/SPECS/python-pip/CVE-2024-3651.patch
@@ -0,0 +1,3858 @@
+From 9cdb89916b56c99ddd55c80a30ce1e7513ffc111 Mon Sep 17 00:00:00 2001
+From: Rachel Menge <rachelmenge@microsoft.com>
+Date: Wed, 28 Aug 2024 16:57:08 -0400
+Subject: [PATCH] Update vendor idna to 3.7
+
+CVE-2024-3651 requires python-idna 3.7. Therefore update to this
+version.
+
+This commit is a combination of 2 upstream commits:
+[d83c9e3] Upgrade idna to 3.6
+[cba5b13] Upgrade idna to 3.7
+---
+ news/idna.vendor.rst                 |    1 +
+ src/pip/_vendor/idna/LICENSE.md      |   36 +-
+ src/pip/_vendor/idna/codec.py        |   34 +-
+ src/pip/_vendor/idna/core.py         |   33 +-
+ src/pip/_vendor/idna/idnadata.py     | 2206 +++++++++++++++++++++++++-
+ src/pip/_vendor/idna/package_data.py |    2 +-
+ src/pip/_vendor/idna/uts46data.py    |  454 +++---
+ src/pip/_vendor/vendor.txt           |    2 +-
+ 8 files changed, 2432 insertions(+), 336 deletions(-)
+ create mode 100644 news/idna.vendor.rst
+
+diff --git a/news/idna.vendor.rst b/news/idna.vendor.rst
+new file mode 100644
+index 0000000..1b8f743
+--- /dev/null
++++ b/news/idna.vendor.rst
+@@ -0,0 +1 @@
++Upgrade idna to 3.7
+diff --git a/src/pip/_vendor/idna/LICENSE.md b/src/pip/_vendor/idna/LICENSE.md
+index b6f8732..19b6b45 100644
+--- a/src/pip/_vendor/idna/LICENSE.md
++++ b/src/pip/_vendor/idna/LICENSE.md
+@@ -1,29 +1,31 @@
+ BSD 3-Clause License
+ 
+-Copyright (c) 2013-2021, Kim Davies
++Copyright (c) 2013-2024, Kim Davies and contributors.
+ All rights reserved.
+ 
+ Redistribution and use in source and binary forms, with or without
+-modification, are permitted provided that the following conditions are met:
++modification, are permitted provided that the following conditions are
++met:
+ 
+-1. Redistributions of source code must retain the above copyright notice, this
+-   list of conditions and the following disclaimer.
++1. Redistributions of source code must retain the above copyright
++   notice, this list of conditions and the following disclaimer.
+ 
+-2. Redistributions in binary form must reproduce the above copyright notice,
+-   this list of conditions and the following disclaimer in the documentation
+-   and/or other materials provided with the distribution.
++2. Redistributions in binary form must reproduce the above copyright
++   notice, this list of conditions and the following disclaimer in the
++   documentation and/or other materials provided with the distribution.
+ 
+ 3. Neither the name of the copyright holder nor the names of its
+    contributors may be used to endorse or promote products derived from
+    this software without specific prior written permission.
+ 
+-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
++A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
++HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
++TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
++PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
++LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
++NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
++SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+diff --git a/src/pip/_vendor/idna/codec.py b/src/pip/_vendor/idna/codec.py
+index 1ca9ba6..c855a4d 100644
+--- a/src/pip/_vendor/idna/codec.py
++++ b/src/pip/_vendor/idna/codec.py
+@@ -1,7 +1,7 @@
+ from .core import encode, decode, alabel, ulabel, IDNAError
+ import codecs
+ import re
+-from typing import Tuple, Optional
++from typing import Any, Tuple, Optional
+ 
+ _unicode_dots_re = re.compile('[\u002e\u3002\uff0e\uff61]')
+ 
+@@ -26,24 +26,24 @@ class Codec(codecs.Codec):
+         return decode(data), len(data)
+ 
+ class IncrementalEncoder(codecs.BufferedIncrementalEncoder):
+-    def _buffer_encode(self, data: str, errors: str, final: bool) -> Tuple[str, int]:  # type: ignore
++    def _buffer_encode(self, data: str, errors: str, final: bool) -> Tuple[bytes, int]:
+         if errors != 'strict':
+             raise IDNAError('Unsupported error handling \"{}\"'.format(errors))
+ 
+         if not data:
+-            return "", 0
++            return b'', 0
+ 
+         labels = _unicode_dots_re.split(data)
+-        trailing_dot = ''
++        trailing_dot = b''
+         if labels:
+             if not labels[-1]:
+-                trailing_dot = '.'
++                trailing_dot = b'.'
+                 del labels[-1]
+             elif not final:
+                 # Keep potentially unfinished label until the next call
+                 del labels[-1]
+                 if labels:
+-                    trailing_dot = '.'
++                    trailing_dot = b'.'
+ 
+         result = []
+         size = 0
+@@ -54,18 +54,21 @@ class IncrementalEncoder(codecs.BufferedIncrementalEncoder):
+             size += len(label)
+ 
+         # Join with U+002E
+-        result_str = '.'.join(result) + trailing_dot  # type: ignore
++        result_bytes = b'.'.join(result) + trailing_dot
+         size += len(trailing_dot)
+-        return result_str, size
++        return result_bytes, size
+ 
+ class IncrementalDecoder(codecs.BufferedIncrementalDecoder):
+-    def _buffer_decode(self, data: str, errors: str, final: bool) -> Tuple[str, int]:  # type: ignore
++    def _buffer_decode(self, data: Any, errors: str, final: bool) -> Tuple[str, int]:
+         if errors != 'strict':
+             raise IDNAError('Unsupported error handling \"{}\"'.format(errors))
+ 
+         if not data:
+             return ('', 0)
+ 
++        if not isinstance(data, str):
++            data = str(data, 'ascii')
++
+         labels = _unicode_dots_re.split(data)
+         trailing_dot = ''
+         if labels:
+@@ -99,14 +102,17 @@ class StreamReader(Codec, codecs.StreamReader):
+     pass
+ 
+ 
+-def getregentry() -> codecs.CodecInfo:
+-    # Compatibility as a search_function for codecs.register()
++def search_function(name: str) -> Optional[codecs.CodecInfo]:
++    if name != 'idna2008':
++        return None
+     return codecs.CodecInfo(
+-        name='idna',
+-        encode=Codec().encode,  # type: ignore
+-        decode=Codec().decode,  # type: ignore
++        name=name,
++        encode=Codec().encode,
++        decode=Codec().decode,
+         incrementalencoder=IncrementalEncoder,
+         incrementaldecoder=IncrementalDecoder,
+         streamwriter=StreamWriter,
+         streamreader=StreamReader,
+     )
++
++codecs.register(search_function)
+diff --git a/src/pip/_vendor/idna/core.py b/src/pip/_vendor/idna/core.py
+index 4f30037..0dae61a 100644
+--- a/src/pip/_vendor/idna/core.py
++++ b/src/pip/_vendor/idna/core.py
+@@ -150,9 +150,11 @@ def valid_contextj(label: str, pos: int) -> bool:
+             joining_type = idnadata.joining_types.get(ord(label[i]))
+             if joining_type == ord('T'):
+                 continue
+-            if joining_type in [ord('L'), ord('D')]:
++            elif joining_type in [ord('L'), ord('D')]:
+                 ok = True
+                 break
++            else:
++                break
+ 
+         if not ok:
+             return False
+@@ -162,9 +164,11 @@ def valid_contextj(label: str, pos: int) -> bool:
+             joining_type = idnadata.joining_types.get(ord(label[i]))
+             if joining_type == ord('T'):
+                 continue
+-            if joining_type in [ord('R'), ord('D')]:
++            elif joining_type in [ord('R'), ord('D')]:
+                 ok = True
+                 break
++            else:
++                break
+         return ok
+ 
+     if cp_value == 0x200d:
+@@ -236,12 +240,8 @@ def check_label(label: Union[str, bytes, bytearray]) -> None:
+         if intranges_contain(cp_value, idnadata.codepoint_classes['PVALID']):
+             continue
+         elif intranges_contain(cp_value, idnadata.codepoint_classes['CONTEXTJ']):
+-            try:
+-                if not valid_contextj(label, pos):
+-                    raise InvalidCodepointContext('Joiner {} not allowed at position {} in {}'.format(
+-                        _unot(cp_value), pos+1, repr(label)))
+-            except ValueError:
+-                raise IDNAError('Unknown codepoint adjacent to joiner {} at position {} in {}'.format(
++            if not valid_contextj(label, pos):
++                raise InvalidCodepointContext('Joiner {} not allowed at position {} in {}'.format(
+                     _unot(cp_value), pos+1, repr(label)))
+         elif intranges_contain(cp_value, idnadata.codepoint_classes['CONTEXTO']):
+             if not valid_contexto(label, pos):
+@@ -262,13 +262,8 @@ def alabel(label: str) -> bytes:
+     except UnicodeEncodeError:
+         pass
+ 
+-    if not label:
+-        raise IDNAError('No Input')
+-
+-    label = str(label)
+     check_label(label)
+-    label_bytes = _punycode(label)
+-    label_bytes = _alabel_prefix + label_bytes
++    label_bytes = _alabel_prefix + _punycode(label)
+ 
+     if not valid_label_length(label_bytes):
+         raise IDNAError('Label too long')
+@@ -318,7 +313,7 @@ def uts46_remap(domain: str, std3_rules: bool = True, transitional: bool = False
+             status = uts46row[1]
+             replacement = None  # type: Optional[str]
+             if len(uts46row) == 3:
+-                replacement = uts46row[2]  # type: ignore
++                replacement = uts46row[2]
+             if (status == 'V' or
+                     (status == 'D' and not transitional) or
+                     (status == '3' and not std3_rules and replacement is None)):
+@@ -338,9 +333,9 @@ def uts46_remap(domain: str, std3_rules: bool = True, transitional: bool = False
+ 
+ 
+ def encode(s: Union[str, bytes, bytearray], strict: bool = False, uts46: bool = False, std3_rules: bool = False, transitional: bool = False) -> bytes:
+-    if isinstance(s, (bytes, bytearray)):
++    if not isinstance(s, str):
+         try:
+-            s = s.decode('ascii')
++            s = str(s, 'ascii')
+         except UnicodeDecodeError:
+             raise IDNAError('should pass a unicode string to the function rather than a byte string.')
+     if uts46:
+@@ -372,8 +367,8 @@ def encode(s: Union[str, bytes, bytearray], strict: bool = False, uts46: bool =
+ 
+ def decode(s: Union[str, bytes, bytearray], strict: bool = False, uts46: bool = False, std3_rules: bool = False) -> str:
+     try:
+-        if isinstance(s, (bytes, bytearray)):
+-            s = s.decode('ascii')
++        if not isinstance(s, str):
++            s = str(s, 'ascii')
+     except UnicodeDecodeError:
+         raise IDNAError('Invalid ASCII in A-label')
+     if uts46:
+diff --git a/src/pip/_vendor/idna/idnadata.py b/src/pip/_vendor/idna/idnadata.py
+index 67db462..c61dcf9 100644
+--- a/src/pip/_vendor/idna/idnadata.py
++++ b/src/pip/_vendor/idna/idnadata.py
+@@ -1,6 +1,6 @@
+ # This file is automatically generated by tools/idna-data
+ 
+-__version__ = '15.0.0'
++__version__ = '15.1.0'
+ scripts = {
+     'Greek': (
+         0x37000000374,
+@@ -59,6 +59,7 @@ scripts = {
+         0x2b7400002b81e,
+         0x2b8200002cea2,
+         0x2ceb00002ebe1,
++        0x2ebf00002ee5e,
+         0x2f8000002fa1e,
+         0x300000003134b,
+         0x31350000323b0,
+@@ -100,16 +101,190 @@ scripts = {
+     ),
+ }
+ joining_types = {
+-    0x600: 85,
+-    0x601: 85,
+-    0x602: 85,
+-    0x603: 85,
+-    0x604: 85,
+-    0x605: 85,
+-    0x608: 85,
+-    0x60b: 85,
++    0xad: 84,
++    0x300: 84,
++    0x301: 84,
++    0x302: 84,
++    0x303: 84,
++    0x304: 84,
++    0x305: 84,
++    0x306: 84,
++    0x307: 84,
++    0x308: 84,
++    0x309: 84,
++    0x30a: 84,
++    0x30b: 84,
++    0x30c: 84,
++    0x30d: 84,
++    0x30e: 84,
++    0x30f: 84,
++    0x310: 84,
++    0x311: 84,
++    0x312: 84,
++    0x313: 84,
++    0x314: 84,
++    0x315: 84,
++    0x316: 84,
++    0x317: 84,
++    0x318: 84,
++    0x319: 84,
++    0x31a: 84,
++    0x31b: 84,
++    0x31c: 84,
++    0x31d: 84,
++    0x31e: 84,
++    0x31f: 84,
++    0x320: 84,
++    0x321: 84,
++    0x322: 84,
++    0x323: 84,
++    0x324: 84,
++    0x325: 84,
++    0x326: 84,
++    0x327: 84,
++    0x328: 84,
++    0x329: 84,
++    0x32a: 84,
++    0x32b: 84,
++    0x32c: 84,
++    0x32d: 84,
++    0x32e: 84,
++    0x32f: 84,
++    0x330: 84,
++    0x331: 84,
++    0x332: 84,
++    0x333: 84,
++    0x334: 84,
++    0x335: 84,
++    0x336: 84,
++    0x337: 84,
++    0x338: 84,
++    0x339: 84,
++    0x33a: 84,
++    0x33b: 84,
++    0x33c: 84,
++    0x33d: 84,
++    0x33e: 84,
++    0x33f: 84,
++    0x340: 84,
++    0x341: 84,
++    0x342: 84,
++    0x343: 84,
++    0x344: 84,
++    0x345: 84,
++    0x346: 84,
++    0x347: 84,
++    0x348: 84,
++    0x349: 84,
++    0x34a: 84,
++    0x34b: 84,
++    0x34c: 84,
++    0x34d: 84,
++    0x34e: 84,
++    0x34f: 84,
++    0x350: 84,
++    0x351: 84,
++    0x352: 84,
++    0x353: 84,
++    0x354: 84,
++    0x355: 84,
++    0x356: 84,
++    0x357: 84,
++    0x358: 84,
++    0x359: 84,
++    0x35a: 84,
++    0x35b: 84,
++    0x35c: 84,
++    0x35d: 84,
++    0x35e: 84,
++    0x35f: 84,
++    0x360: 84,
++    0x361: 84,
++    0x362: 84,
++    0x363: 84,
++    0x364: 84,
++    0x365: 84,
++    0x366: 84,
++    0x367: 84,
++    0x368: 84,
++    0x369: 84,
++    0x36a: 84,
++    0x36b: 84,
++    0x36c: 84,
++    0x36d: 84,
++    0x36e: 84,
++    0x36f: 84,
++    0x483: 84,
++    0x484: 84,
++    0x485: 84,
++    0x486: 84,
++    0x487: 84,
++    0x488: 84,
++    0x489: 84,
++    0x591: 84,
++    0x592: 84,
++    0x593: 84,
++    0x594: 84,
++    0x595: 84,
++    0x596: 84,
++    0x597: 84,
++    0x598: 84,
++    0x599: 84,
++    0x59a: 84,
++    0x59b: 84,
++    0x59c: 84,
++    0x59d: 84,
++    0x59e: 84,
++    0x59f: 84,
++    0x5a0: 84,
++    0x5a1: 84,
++    0x5a2: 84,
++    0x5a3: 84,
++    0x5a4: 84,
++    0x5a5: 84,
++    0x5a6: 84,
++    0x5a7: 84,
++    0x5a8: 84,
++    0x5a9: 84,
++    0x5aa: 84,
++    0x5ab: 84,
++    0x5ac: 84,
++    0x5ad: 84,
++    0x5ae: 84,
++    0x5af: 84,
++    0x5b0: 84,
++    0x5b1: 84,
++    0x5b2: 84,
++    0x5b3: 84,
++    0x5b4: 84,
++    0x5b5: 84,
++    0x5b6: 84,
++    0x5b7: 84,
++    0x5b8: 84,
++    0x5b9: 84,
++    0x5ba: 84,
++    0x5bb: 84,
++    0x5bc: 84,
++    0x5bd: 84,
++    0x5bf: 84,
++    0x5c1: 84,
++    0x5c2: 84,
++    0x5c4: 84,
++    0x5c5: 84,
++    0x5c7: 84,
++    0x610: 84,
++    0x611: 84,
++    0x612: 84,
++    0x613: 84,
++    0x614: 84,
++    0x615: 84,
++    0x616: 84,
++    0x617: 84,
++    0x618: 84,
++    0x619: 84,
++    0x61a: 84,
++    0x61c: 84,
+     0x620: 68,
+-    0x621: 85,
+     0x622: 82,
+     0x623: 82,
+     0x624: 82,
+@@ -151,12 +326,33 @@ joining_types = {
+     0x648: 82,
+     0x649: 68,
+     0x64a: 68,
++    0x64b: 84,
++    0x64c: 84,
++    0x64d: 84,
++    0x64e: 84,
++    0x64f: 84,
++    0x650: 84,
++    0x651: 84,
++    0x652: 84,
++    0x653: 84,
++    0x654: 84,
++    0x655: 84,
++    0x656: 84,
++    0x657: 84,
++    0x658: 84,
++    0x659: 84,
++    0x65a: 84,
++    0x65b: 84,
++    0x65c: 84,
++    0x65d: 84,
++    0x65e: 84,
++    0x65f: 84,
+     0x66e: 68,
+     0x66f: 68,
++    0x670: 84,
+     0x671: 82,
+     0x672: 82,
+     0x673: 82,
+-    0x674: 85,
+     0x675: 82,
+     0x676: 82,
+     0x677: 82,
+@@ -253,7 +449,25 @@ joining_types = {
+     0x6d2: 82,
+     0x6d3: 82,
+     0x6d5: 82,
+-    0x6dd: 85,
++    0x6d6: 84,
++    0x6d7: 84,
++    0x6d8: 84,
++    0x6d9: 84,
++    0x6da: 84,
++    0x6db: 84,
++    0x6dc: 84,
++    0x6df: 84,
++    0x6e0: 84,
++    0x6e1: 84,
++    0x6e2: 84,
++    0x6e3: 84,
++    0x6e4: 84,
++    0x6e7: 84,
++    0x6e8: 84,
++    0x6ea: 84,
++    0x6eb: 84,
++    0x6ec: 84,
++    0x6ed: 84,
+     0x6ee: 82,
+     0x6ef: 82,
+     0x6fa: 68,
+@@ -262,6 +476,7 @@ joining_types = {
+     0x6ff: 68,
+     0x70f: 84,
+     0x710: 82,
++    0x711: 84,
+     0x712: 68,
+     0x713: 68,
+     0x714: 68,
+@@ -292,6 +507,33 @@ joining_types = {
+     0x72d: 68,
+     0x72e: 68,
+     0x72f: 82,
++    0x730: 84,
++    0x731: 84,
++    0x732: 84,
++    0x733: 84,
++    0x734: 84,
++    0x735: 84,
++    0x736: 84,
++    0x737: 84,
++    0x738: 84,
++    0x739: 84,
++    0x73a: 84,
++    0x73b: 84,
++    0x73c: 84,
++    0x73d: 84,
++    0x73e: 84,
++    0x73f: 84,
++    0x740: 84,
++    0x741: 84,
++    0x742: 84,
++    0x743: 84,
++    0x744: 84,
++    0x745: 84,
++    0x746: 84,
++    0x747: 84,
++    0x748: 84,
++    0x749: 84,
++    0x74a: 84,
+     0x74d: 82,
+     0x74e: 68,
+     0x74f: 68,
+@@ -343,6 +585,17 @@ joining_types = {
+     0x77d: 68,
+     0x77e: 68,
+     0x77f: 68,
++    0x7a6: 84,
++    0x7a7: 84,
++    0x7a8: 84,
++    0x7a9: 84,
++    0x7aa: 84,
++    0x7ab: 84,
++    0x7ac: 84,
++    0x7ad: 84,
++    0x7ae: 84,
++    0x7af: 84,
++    0x7b0: 84,
+     0x7ca: 68,
+     0x7cb: 68,
+     0x7cc: 68,
+@@ -376,7 +629,38 @@ joining_types = {
+     0x7e8: 68,
+     0x7e9: 68,
+     0x7ea: 68,
++    0x7eb: 84,
++    0x7ec: 84,
++    0x7ed: 84,
++    0x7ee: 84,
++    0x7ef: 84,
++    0x7f0: 84,
++    0x7f1: 84,
++    0x7f2: 84,
++    0x7f3: 84,
+     0x7fa: 67,
++    0x7fd: 84,
++    0x816: 84,
++    0x817: 84,
++    0x818: 84,
++    0x819: 84,
++    0x81b: 84,
++    0x81c: 84,
++    0x81d: 84,
++    0x81e: 84,
++    0x81f: 84,
++    0x820: 84,
++    0x821: 84,
++    0x822: 84,
++    0x823: 84,
++    0x825: 84,
++    0x826: 84,
++    0x827: 84,
++    0x829: 84,
++    0x82a: 84,
++    0x82b: 84,
++    0x82c: 84,
++    0x82d: 84,
+     0x840: 82,
+     0x841: 68,
+     0x842: 68,
+@@ -402,13 +686,14 @@ joining_types = {
+     0x856: 82,
+     0x857: 82,
+     0x858: 82,
++    0x859: 84,
++    0x85a: 84,
++    0x85b: 84,
+     0x860: 68,
+-    0x861: 85,
+     0x862: 68,
+     0x863: 68,
+     0x864: 68,
+     0x865: 68,
+-    0x866: 85,
+     0x867: 82,
+     0x868: 68,
+     0x869: 82,
+@@ -436,16 +721,20 @@ joining_types = {
+     0x884: 67,
+     0x885: 67,
+     0x886: 68,
+-    0x887: 85,
+-    0x888: 85,
+     0x889: 68,
+     0x88a: 68,
+     0x88b: 68,
+     0x88c: 68,
+     0x88d: 68,
+     0x88e: 82,
+-    0x890: 85,
+-    0x891: 85,
++    0x898: 84,
++    0x899: 84,
++    0x89a: 84,
++    0x89b: 84,
++    0x89c: 84,
++    0x89d: 84,
++    0x89e: 84,
++    0x89f: 84,
+     0x8a0: 68,
+     0x8a1: 68,
+     0x8a2: 68,
+@@ -459,7 +748,6 @@ joining_types = {
+     0x8aa: 82,
+     0x8ab: 82,
+     0x8ac: 82,
+-    0x8ad: 85,
+     0x8ae: 82,
+     0x8af: 68,
+     0x8b0: 68,
+@@ -487,11 +775,357 @@ joining_types = {
+     0x8c6: 68,
+     0x8c7: 68,
+     0x8c8: 68,
+-    0x8e2: 85,
+-    0x1806: 85,
++    0x8ca: 84,
++    0x8cb: 84,
++    0x8cc: 84,
++    0x8cd: 84,
++    0x8ce: 84,
++    0x8cf: 84,
++    0x8d0: 84,
++    0x8d1: 84,
++    0x8d2: 84,
++    0x8d3: 84,
++    0x8d4: 84,
++    0x8d5: 84,
++    0x8d6: 84,
++    0x8d7: 84,
++    0x8d8: 84,
++    0x8d9: 84,
++    0x8da: 84,
++    0x8db: 84,
++    0x8dc: 84,
++    0x8dd: 84,
++    0x8de: 84,
++    0x8df: 84,
++    0x8e0: 84,
++    0x8e1: 84,
++    0x8e3: 84,
++    0x8e4: 84,
++    0x8e5: 84,
++    0x8e6: 84,
++    0x8e7: 84,
++    0x8e8: 84,
++    0x8e9: 84,
++    0x8ea: 84,
++    0x8eb: 84,
++    0x8ec: 84,
++    0x8ed: 84,
++    0x8ee: 84,
++    0x8ef: 84,
++    0x8f0: 84,
++    0x8f1: 84,
++    0x8f2: 84,
++    0x8f3: 84,
++    0x8f4: 84,
++    0x8f5: 84,
++    0x8f6: 84,
++    0x8f7: 84,
++    0x8f8: 84,
++    0x8f9: 84,
++    0x8fa: 84,
++    0x8fb: 84,
++    0x8fc: 84,
++    0x8fd: 84,
++    0x8fe: 84,
++    0x8ff: 84,
++    0x900: 84,
++    0x901: 84,
++    0x902: 84,
++    0x93a: 84,
++    0x93c: 84,
++    0x941: 84,
++    0x942: 84,
++    0x943: 84,
++    0x944: 84,
++    0x945: 84,
++    0x946: 84,
++    0x947: 84,
++    0x948: 84,
++    0x94d: 84,
++    0x951: 84,
++    0x952: 84,
++    0x953: 84,
++    0x954: 84,
++    0x955: 84,
++    0x956: 84,
++    0x957: 84,
++    0x962: 84,
++    0x963: 84,
++    0x981: 84,
++    0x9bc: 84,
++    0x9c1: 84,
++    0x9c2: 84,
++    0x9c3: 84,
++    0x9c4: 84,
++    0x9cd: 84,
++    0x9e2: 84,
++    0x9e3: 84,
++    0x9fe: 84,
++    0xa01: 84,
++    0xa02: 84,
++    0xa3c: 84,
++    0xa41: 84,
++    0xa42: 84,
++    0xa47: 84,
++    0xa48: 84,
++    0xa4b: 84,
++    0xa4c: 84,
++    0xa4d: 84,
++    0xa51: 84,
++    0xa70: 84,
++    0xa71: 84,
++    0xa75: 84,
++    0xa81: 84,
++    0xa82: 84,
++    0xabc: 84,
++    0xac1: 84,
++    0xac2: 84,
++    0xac3: 84,
++    0xac4: 84,
++    0xac5: 84,
++    0xac7: 84,
++    0xac8: 84,
++    0xacd: 84,
++    0xae2: 84,
++    0xae3: 84,
++    0xafa: 84,
++    0xafb: 84,
++    0xafc: 84,
++    0xafd: 84,
++    0xafe: 84,
++    0xaff: 84,
++    0xb01: 84,
++    0xb3c: 84,
++    0xb3f: 84,
++    0xb41: 84,
++    0xb42: 84,
++    0xb43: 84,
++    0xb44: 84,
++    0xb4d: 84,
++    0xb55: 84,
++    0xb56: 84,
++    0xb62: 84,
++    0xb63: 84,
++    0xb82: 84,
++    0xbc0: 84,
++    0xbcd: 84,
++    0xc00: 84,
++    0xc04: 84,
++    0xc3c: 84,
++    0xc3e: 84,
++    0xc3f: 84,
++    0xc40: 84,
++    0xc46: 84,
++    0xc47: 84,
++    0xc48: 84,
++    0xc4a: 84,
++    0xc4b: 84,
++    0xc4c: 84,
++    0xc4d: 84,
++    0xc55: 84,
++    0xc56: 84,
++    0xc62: 84,
++    0xc63: 84,
++    0xc81: 84,
++    0xcbc: 84,
++    0xcbf: 84,
++    0xcc6: 84,
++    0xccc: 84,
++    0xccd: 84,
++    0xce2: 84,
++    0xce3: 84,
++    0xd00: 84,
++    0xd01: 84,
++    0xd3b: 84,
++    0xd3c: 84,
++    0xd41: 84,
++    0xd42: 84,
++    0xd43: 84,
++    0xd44: 84,
++    0xd4d: 84,
++    0xd62: 84,
++    0xd63: 84,
++    0xd81: 84,
++    0xdca: 84,
++    0xdd2: 84,
++    0xdd3: 84,
++    0xdd4: 84,
++    0xdd6: 84,
++    0xe31: 84,
++    0xe34: 84,
++    0xe35: 84,
++    0xe36: 84,
++    0xe37: 84,
++    0xe38: 84,
++    0xe39: 84,
++    0xe3a: 84,
++    0xe47: 84,
++    0xe48: 84,
++    0xe49: 84,
++    0xe4a: 84,
++    0xe4b: 84,
++    0xe4c: 84,
++    0xe4d: 84,
++    0xe4e: 84,
++    0xeb1: 84,
++    0xeb4: 84,
++    0xeb5: 84,
++    0xeb6: 84,
++    0xeb7: 84,
++    0xeb8: 84,
++    0xeb9: 84,
++    0xeba: 84,
++    0xebb: 84,
++    0xebc: 84,
++    0xec8: 84,
++    0xec9: 84,
++    0xeca: 84,
++    0xecb: 84,
++    0xecc: 84,
++    0xecd: 84,
++    0xece: 84,
++    0xf18: 84,
++    0xf19: 84,
++    0xf35: 84,
++    0xf37: 84,
++    0xf39: 84,
++    0xf71: 84,
++    0xf72: 84,
++    0xf73: 84,
++    0xf74: 84,
++    0xf75: 84,
++    0xf76: 84,
++    0xf77: 84,
++    0xf78: 84,
++    0xf79: 84,
++    0xf7a: 84,
++    0xf7b: 84,
++    0xf7c: 84,
++    0xf7d: 84,
++    0xf7e: 84,
++    0xf80: 84,
++    0xf81: 84,
++    0xf82: 84,
++    0xf83: 84,
++    0xf84: 84,
++    0xf86: 84,
++    0xf87: 84,
++    0xf8d: 84,
++    0xf8e: 84,
++    0xf8f: 84,
++    0xf90: 84,
++    0xf91: 84,
++    0xf92: 84,
++    0xf93: 84,
++    0xf94: 84,
++    0xf95: 84,
++    0xf96: 84,
++    0xf97: 84,
++    0xf99: 84,
++    0xf9a: 84,
++    0xf9b: 84,
++    0xf9c: 84,
++    0xf9d: 84,
++    0xf9e: 84,
++    0xf9f: 84,
++    0xfa0: 84,
++    0xfa1: 84,
++    0xfa2: 84,
++    0xfa3: 84,
++    0xfa4: 84,
++    0xfa5: 84,
++    0xfa6: 84,
++    0xfa7: 84,
++    0xfa8: 84,
++    0xfa9: 84,
++    0xfaa: 84,
++    0xfab: 84,
++    0xfac: 84,
++    0xfad: 84,
++    0xfae: 84,
++    0xfaf: 84,
++    0xfb0: 84,
++    0xfb1: 84,
++    0xfb2: 84,
++    0xfb3: 84,
++    0xfb4: 84,
++    0xfb5: 84,
++    0xfb6: 84,
++    0xfb7: 84,
++    0xfb8: 84,
++    0xfb9: 84,
++    0xfba: 84,
++    0xfbb: 84,
++    0xfbc: 84,
++    0xfc6: 84,
++    0x102d: 84,
++    0x102e: 84,
++    0x102f: 84,
++    0x1030: 84,
++    0x1032: 84,
++    0x1033: 84,
++    0x1034: 84,
++    0x1035: 84,
++    0x1036: 84,
++    0x1037: 84,
++    0x1039: 84,
++    0x103a: 84,
++    0x103d: 84,
++    0x103e: 84,
++    0x1058: 84,
++    0x1059: 84,
++    0x105e: 84,
++    0x105f: 84,
++    0x1060: 84,
++    0x1071: 84,
++    0x1072: 84,
++    0x1073: 84,
++    0x1074: 84,
++    0x1082: 84,
++    0x1085: 84,
++    0x1086: 84,
++    0x108d: 84,
++    0x109d: 84,
++    0x135d: 84,
++    0x135e: 84,
++    0x135f: 84,
++    0x1712: 84,
++    0x1713: 84,
++    0x1714: 84,
++    0x1732: 84,
++    0x1733: 84,
++    0x1752: 84,
++    0x1753: 84,
++    0x1772: 84,
++    0x1773: 84,
++    0x17b4: 84,
++    0x17b5: 84,
++    0x17b7: 84,
++    0x17b8: 84,
++    0x17b9: 84,
++    0x17ba: 84,
++    0x17bb: 84,
++    0x17bc: 84,
++    0x17bd: 84,
++    0x17c6: 84,
++    0x17c9: 84,
++    0x17ca: 84,
++    0x17cb: 84,
++    0x17cc: 84,
++    0x17cd: 84,
++    0x17ce: 84,
++    0x17cf: 84,
++    0x17d0: 84,
++    0x17d1: 84,
++    0x17d2: 84,
++    0x17d3: 84,
++    0x17dd: 84,
+     0x1807: 68,
+     0x180a: 67,
+-    0x180e: 85,
++    0x180b: 84,
++    0x180c: 84,
++    0x180d: 84,
++    0x180f: 84,
+     0x1820: 68,
+     0x1821: 68,
+     0x1822: 68,
+@@ -581,11 +1215,6 @@ joining_types = {
+     0x1876: 68,
+     0x1877: 68,
+     0x1878: 68,
+-    0x1880: 85,
+-    0x1881: 85,
+-    0x1882: 85,
+-    0x1883: 85,
+-    0x1884: 85,
+     0x1885: 84,
+     0x1886: 84,
+     0x1887: 68,
+@@ -622,14 +1251,339 @@ joining_types = {
+     0x18a6: 68,
+     0x18a7: 68,
+     0x18a8: 68,
++    0x18a9: 84,
+     0x18aa: 68,
+-    0x200c: 85,
++    0x1920: 84,
++    0x1921: 84,
++    0x1922: 84,
++    0x1927: 84,
++    0x1928: 84,
++    0x1932: 84,
++    0x1939: 84,
++    0x193a: 84,
++    0x193b: 84,
++    0x1a17: 84,
++    0x1a18: 84,
++    0x1a1b: 84,
++    0x1a56: 84,
++    0x1a58: 84,
++    0x1a59: 84,
++    0x1a5a: 84,
++    0x1a5b: 84,
++    0x1a5c: 84,
++    0x1a5d: 84,
++    0x1a5e: 84,
++    0x1a60: 84,
++    0x1a62: 84,
++    0x1a65: 84,
++    0x1a66: 84,
++    0x1a67: 84,
++    0x1a68: 84,
++    0x1a69: 84,
++    0x1a6a: 84,
++    0x1a6b: 84,
++    0x1a6c: 84,
++    0x1a73: 84,
++    0x1a74: 84,
++    0x1a75: 84,
++    0x1a76: 84,
++    0x1a77: 84,
++    0x1a78: 84,
++    0x1a79: 84,
++    0x1a7a: 84,
++    0x1a7b: 84,
++    0x1a7c: 84,
++    0x1a7f: 84,
++    0x1ab0: 84,
++    0x1ab1: 84,
++    0x1ab2: 84,
++    0x1ab3: 84,
++    0x1ab4: 84,
++    0x1ab5: 84,
++    0x1ab6: 84,
++    0x1ab7: 84,
++    0x1ab8: 84,
++    0x1ab9: 84,
++    0x1aba: 84,
++    0x1abb: 84,
++    0x1abc: 84,
++    0x1abd: 84,
++    0x1abe: 84,
++    0x1abf: 84,
++    0x1ac0: 84,
++    0x1ac1: 84,
++    0x1ac2: 84,
++    0x1ac3: 84,
++    0x1ac4: 84,
++    0x1ac5: 84,
++    0x1ac6: 84,
++    0x1ac7: 84,
++    0x1ac8: 84,
++    0x1ac9: 84,
++    0x1aca: 84,
++    0x1acb: 84,
++    0x1acc: 84,
++    0x1acd: 84,
++    0x1ace: 84,
++    0x1b00: 84,
++    0x1b01: 84,
++    0x1b02: 84,
++    0x1b03: 84,
++    0x1b34: 84,
++    0x1b36: 84,
++    0x1b37: 84,
++    0x1b38: 84,
++    0x1b39: 84,
++    0x1b3a: 84,
++    0x1b3c: 84,
++    0x1b42: 84,
++    0x1b6b: 84,
++    0x1b6c: 84,
++    0x1b6d: 84,
++    0x1b6e: 84,
++    0x1b6f: 84,
++    0x1b70: 84,
++    0x1b71: 84,
++    0x1b72: 84,
++    0x1b73: 84,
++    0x1b80: 84,
++    0x1b81: 84,
++    0x1ba2: 84,
++    0x1ba3: 84,
++    0x1ba4: 84,
++    0x1ba5: 84,
++    0x1ba8: 84,
++    0x1ba9: 84,
++    0x1bab: 84,
++    0x1bac: 84,
++    0x1bad: 84,
++    0x1be6: 84,
++    0x1be8: 84,
++    0x1be9: 84,
++    0x1bed: 84,
++    0x1bef: 84,
++    0x1bf0: 84,
++    0x1bf1: 84,
++    0x1c2c: 84,
++    0x1c2d: 84,
++    0x1c2e: 84,
++    0x1c2f: 84,
++    0x1c30: 84,
++    0x1c31: 84,
++    0x1c32: 84,
++    0x1c33: 84,
++    0x1c36: 84,
++    0x1c37: 84,
++    0x1cd0: 84,
++    0x1cd1: 84,
++    0x1cd2: 84,
++    0x1cd4: 84,
++    0x1cd5: 84,
++    0x1cd6: 84,
++    0x1cd7: 84,
++    0x1cd8: 84,
++    0x1cd9: 84,
++    0x1cda: 84,
++    0x1cdb: 84,
++    0x1cdc: 84,
++    0x1cdd: 84,
++    0x1cde: 84,
++    0x1cdf: 84,
++    0x1ce0: 84,
++    0x1ce2: 84,
++    0x1ce3: 84,
++    0x1ce4: 84,
++    0x1ce5: 84,
++    0x1ce6: 84,
++    0x1ce7: 84,
++    0x1ce8: 84,
++    0x1ced: 84,
++    0x1cf4: 84,
++    0x1cf8: 84,
++    0x1cf9: 84,
++    0x1dc0: 84,
++    0x1dc1: 84,
++    0x1dc2: 84,
++    0x1dc3: 84,
++    0x1dc4: 84,
++    0x1dc5: 84,
++    0x1dc6: 84,
++    0x1dc7: 84,
++    0x1dc8: 84,
++    0x1dc9: 84,
++    0x1dca: 84,
++    0x1dcb: 84,
++    0x1dcc: 84,
++    0x1dcd: 84,
++    0x1dce: 84,
++    0x1dcf: 84,
++    0x1dd0: 84,
++    0x1dd1: 84,
++    0x1dd2: 84,
++    0x1dd3: 84,
++    0x1dd4: 84,
++    0x1dd5: 84,
++    0x1dd6: 84,
++    0x1dd7: 84,
++    0x1dd8: 84,
++    0x1dd9: 84,
++    0x1dda: 84,
++    0x1ddb: 84,
++    0x1ddc: 84,
++    0x1ddd: 84,
++    0x1dde: 84,
++    0x1ddf: 84,
++    0x1de0: 84,
++    0x1de1: 84,
++    0x1de2: 84,
++    0x1de3: 84,
++    0x1de4: 84,
++    0x1de5: 84,
++    0x1de6: 84,
++    0x1de7: 84,
++    0x1de8: 84,
++    0x1de9: 84,
++    0x1dea: 84,
++    0x1deb: 84,
++    0x1dec: 84,
++    0x1ded: 84,
++    0x1dee: 84,
++    0x1def: 84,
++    0x1df0: 84,
++    0x1df1: 84,
++    0x1df2: 84,
++    0x1df3: 84,
++    0x1df4: 84,
++    0x1df5: 84,
++    0x1df6: 84,
++    0x1df7: 84,
++    0x1df8: 84,
++    0x1df9: 84,
++    0x1dfa: 84,
++    0x1dfb: 84,
++    0x1dfc: 84,
++    0x1dfd: 84,
++    0x1dfe: 84,
++    0x1dff: 84,
++    0x200b: 84,
+     0x200d: 67,
+-    0x202f: 85,
+-    0x2066: 85,
+-    0x2067: 85,
+-    0x2068: 85,
+-    0x2069: 85,
++    0x200e: 84,
++    0x200f: 84,
++    0x202a: 84,
++    0x202b: 84,
++    0x202c: 84,
++    0x202d: 84,
++    0x202e: 84,
++    0x2060: 84,
++    0x2061: 84,
++    0x2062: 84,
++    0x2063: 84,
++    0x2064: 84,
++    0x206a: 84,
++    0x206b: 84,
++    0x206c: 84,
++    0x206d: 84,
++    0x206e: 84,
++    0x206f: 84,
++    0x20d0: 84,
++    0x20d1: 84,
++    0x20d2: 84,
++    0x20d3: 84,
++    0x20d4: 84,
++    0x20d5: 84,
++    0x20d6: 84,
++    0x20d7: 84,
++    0x20d8: 84,
++    0x20d9: 84,
++    0x20da: 84,
++    0x20db: 84,
++    0x20dc: 84,
++    0x20dd: 84,
++    0x20de: 84,
++    0x20df: 84,
++    0x20e0: 84,
++    0x20e1: 84,
++    0x20e2: 84,
++    0x20e3: 84,
++    0x20e4: 84,
++    0x20e5: 84,
++    0x20e6: 84,
++    0x20e7: 84,
++    0x20e8: 84,
++    0x20e9: 84,
++    0x20ea: 84,
++    0x20eb: 84,
++    0x20ec: 84,
++    0x20ed: 84,
++    0x20ee: 84,
++    0x20ef: 84,
++    0x20f0: 84,
++    0x2cef: 84,
++    0x2cf0: 84,
++    0x2cf1: 84,
++    0x2d7f: 84,
++    0x2de0: 84,
++    0x2de1: 84,
++    0x2de2: 84,
++    0x2de3: 84,
++    0x2de4: 84,
++    0x2de5: 84,
++    0x2de6: 84,
++    0x2de7: 84,
++    0x2de8: 84,
++    0x2de9: 84,
++    0x2dea: 84,
++    0x2deb: 84,
++    0x2dec: 84,
++    0x2ded: 84,
++    0x2dee: 84,
++    0x2def: 84,
++    0x2df0: 84,
++    0x2df1: 84,
++    0x2df2: 84,
++    0x2df3: 84,
++    0x2df4: 84,
++    0x2df5: 84,
++    0x2df6: 84,
++    0x2df7: 84,
++    0x2df8: 84,
++    0x2df9: 84,
++    0x2dfa: 84,
++    0x2dfb: 84,
++    0x2dfc: 84,
++    0x2dfd: 84,
++    0x2dfe: 84,
++    0x2dff: 84,
++    0x302a: 84,
++    0x302b: 84,
++    0x302c: 84,
++    0x302d: 84,
++    0x3099: 84,
++    0x309a: 84,
++    0xa66f: 84,
++    0xa670: 84,
++    0xa671: 84,
++    0xa672: 84,
++    0xa674: 84,
++    0xa675: 84,
++    0xa676: 84,
++    0xa677: 84,
++    0xa678: 84,
++    0xa679: 84,
++    0xa67a: 84,
++    0xa67b: 84,
++    0xa67c: 84,
++    0xa67d: 84,
++    0xa69e: 84,
++    0xa69f: 84,
++    0xa6f0: 84,
++    0xa6f1: 84,
++    0xa802: 84,
++    0xa806: 84,
++    0xa80b: 84,
++    0xa825: 84,
++    0xa826: 84,
++    0xa82c: 84,
+     0xa840: 68,
+     0xa841: 68,
+     0xa842: 68,
+@@ -681,20 +1635,151 @@ joining_types = {
+     0xa870: 68,
+     0xa871: 68,
+     0xa872: 76,
+-    0xa873: 85,
++    0xa8c4: 84,
++    0xa8c5: 84,
++    0xa8e0: 84,
++    0xa8e1: 84,
++    0xa8e2: 84,
++    0xa8e3: 84,
++    0xa8e4: 84,
++    0xa8e5: 84,
++    0xa8e6: 84,
++    0xa8e7: 84,
++    0xa8e8: 84,
++    0xa8e9: 84,
++    0xa8ea: 84,
++    0xa8eb: 84,
++    0xa8ec: 84,
++    0xa8ed: 84,
++    0xa8ee: 84,
++    0xa8ef: 84,
++    0xa8f0: 84,
++    0xa8f1: 84,
++    0xa8ff: 84,
++    0xa926: 84,
++    0xa927: 84,
++    0xa928: 84,
++    0xa929: 84,
++    0xa92a: 84,
++    0xa92b: 84,
++    0xa92c: 84,
++    0xa92d: 84,
++    0xa947: 84,
++    0xa948: 84,
++    0xa949: 84,
++    0xa94a: 84,
++    0xa94b: 84,
++    0xa94c: 84,
++    0xa94d: 84,
++    0xa94e: 84,
++    0xa94f: 84,
++    0xa950: 84,
++    0xa951: 84,
++    0xa980: 84,
++    0xa981: 84,
++    0xa982: 84,
++    0xa9b3: 84,
++    0xa9b6: 84,
++    0xa9b7: 84,
++    0xa9b8: 84,
++    0xa9b9: 84,
++    0xa9bc: 84,
++    0xa9bd: 84,
++    0xa9e5: 84,
++    0xaa29: 84,
++    0xaa2a: 84,
++    0xaa2b: 84,
++    0xaa2c: 84,
++    0xaa2d: 84,
++    0xaa2e: 84,
++    0xaa31: 84,
++    0xaa32: 84,
++    0xaa35: 84,
++    0xaa36: 84,
++    0xaa43: 84,
++    0xaa4c: 84,
++    0xaa7c: 84,
++    0xaab0: 84,
++    0xaab2: 84,
++    0xaab3: 84,
++    0xaab4: 84,
++    0xaab7: 84,
++    0xaab8: 84,
++    0xaabe: 84,
++    0xaabf: 84,
++    0xaac1: 84,
++    0xaaec: 84,
++    0xaaed: 84,
++    0xaaf6: 84,
++    0xabe5: 84,
++    0xabe8: 84,
++    0xabed: 84,
++    0xfb1e: 84,
++    0xfe00: 84,
++    0xfe01: 84,
++    0xfe02: 84,
++    0xfe03: 84,
++    0xfe04: 84,
++    0xfe05: 84,
++    0xfe06: 84,
++    0xfe07: 84,
++    0xfe08: 84,
++    0xfe09: 84,
++    0xfe0a: 84,
++    0xfe0b: 84,
++    0xfe0c: 84,
++    0xfe0d: 84,
++    0xfe0e: 84,
++    0xfe0f: 84,
++    0xfe20: 84,
++    0xfe21: 84,
++    0xfe22: 84,
++    0xfe23: 84,
++    0xfe24: 84,
++    0xfe25: 84,
++    0xfe26: 84,
++    0xfe27: 84,
++    0xfe28: 84,
++    0xfe29: 84,
++    0xfe2a: 84,
++    0xfe2b: 84,
++    0xfe2c: 84,
++    0xfe2d: 84,
++    0xfe2e: 84,
++    0xfe2f: 84,
++    0xfeff: 84,
++    0xfff9: 84,
++    0xfffa: 84,
++    0xfffb: 84,
++    0x101fd: 84,
++    0x102e0: 84,
++    0x10376: 84,
++    0x10377: 84,
++    0x10378: 84,
++    0x10379: 84,
++    0x1037a: 84,
++    0x10a01: 84,
++    0x10a02: 84,
++    0x10a03: 84,
++    0x10a05: 84,
++    0x10a06: 84,
++    0x10a0c: 84,
++    0x10a0d: 84,
++    0x10a0e: 84,
++    0x10a0f: 84,
++    0x10a38: 84,
++    0x10a39: 84,
++    0x10a3a: 84,
++    0x10a3f: 84,
+     0x10ac0: 68,
+     0x10ac1: 68,
+     0x10ac2: 68,
+     0x10ac3: 68,
+     0x10ac4: 68,
+     0x10ac5: 82,
+-    0x10ac6: 85,
+     0x10ac7: 82,
+-    0x10ac8: 85,
+     0x10ac9: 82,
+     0x10aca: 82,
+-    0x10acb: 85,
+-    0x10acc: 85,
+     0x10acd: 76,
+     0x10ace: 82,
+     0x10acf: 82,
+@@ -716,9 +1801,9 @@ joining_types = {
+     0x10adf: 68,
+     0x10ae0: 68,
+     0x10ae1: 82,
+-    0x10ae2: 85,
+-    0x10ae3: 85,
+     0x10ae4: 82,
++    0x10ae5: 84,
++    0x10ae6: 84,
+     0x10aeb: 68,
+     0x10aec: 68,
+     0x10aed: 68,
+@@ -748,7 +1833,6 @@ joining_types = {
+     0x10bac: 82,
+     0x10bad: 68,
+     0x10bae: 68,
+-    0x10baf: 85,
+     0x10d00: 76,
+     0x10d01: 68,
+     0x10d02: 68,
+@@ -785,6 +1869,15 @@ joining_types = {
+     0x10d21: 68,
+     0x10d22: 82,
+     0x10d23: 68,
++    0x10d24: 84,
++    0x10d25: 84,
++    0x10d26: 84,
++    0x10d27: 84,
++    0x10eab: 84,
++    0x10eac: 84,
++    0x10efd: 84,
++    0x10efe: 84,
++    0x10eff: 84,
+     0x10f30: 68,
+     0x10f31: 68,
+     0x10f32: 68,
+@@ -806,7 +1899,17 @@ joining_types = {
+     0x10f42: 68,
+     0x10f43: 68,
+     0x10f44: 68,
+-    0x10f45: 85,
++    0x10f46: 84,
++    0x10f47: 84,
++    0x10f48: 84,
++    0x10f49: 84,
++    0x10f4a: 84,
++    0x10f4b: 84,
++    0x10f4c: 84,
++    0x10f4d: 84,
++    0x10f4e: 84,
++    0x10f4f: 84,
++    0x10f50: 84,
+     0x10f51: 68,
+     0x10f52: 68,
+     0x10f53: 68,
+@@ -829,14 +1932,16 @@ joining_types = {
+     0x10f7f: 68,
+     0x10f80: 68,
+     0x10f81: 68,
++    0x10f82: 84,
++    0x10f83: 84,
++    0x10f84: 84,
++    0x10f85: 84,
+     0x10fb0: 68,
+-    0x10fb1: 85,
+     0x10fb2: 68,
+     0x10fb3: 68,
+     0x10fb4: 82,
+     0x10fb5: 82,
+     0x10fb6: 82,
+-    0x10fb7: 85,
+     0x10fb8: 68,
+     0x10fb9: 82,
+     0x10fba: 82,
+@@ -845,20 +1950,668 @@ joining_types = {
+     0x10fbd: 82,
+     0x10fbe: 68,
+     0x10fbf: 68,
+-    0x10fc0: 85,
+     0x10fc1: 68,
+     0x10fc2: 82,
+     0x10fc3: 82,
+     0x10fc4: 68,
+-    0x10fc5: 85,
+-    0x10fc6: 85,
+-    0x10fc7: 85,
+-    0x10fc8: 85,
+     0x10fc9: 82,
+     0x10fca: 68,
+     0x10fcb: 76,
+-    0x110bd: 85,
+-    0x110cd: 85,
++    0x11001: 84,
++    0x11038: 84,
++    0x11039: 84,
++    0x1103a: 84,
++    0x1103b: 84,
++    0x1103c: 84,
++    0x1103d: 84,
++    0x1103e: 84,
++    0x1103f: 84,
++    0x11040: 84,
++    0x11041: 84,
++    0x11042: 84,
++    0x11043: 84,
++    0x11044: 84,
++    0x11045: 84,
++    0x11046: 84,
++    0x11070: 84,
++    0x11073: 84,
++    0x11074: 84,
++    0x1107f: 84,
++    0x11080: 84,
++    0x11081: 84,
++    0x110b3: 84,
++    0x110b4: 84,
++    0x110b5: 84,
++    0x110b6: 84,
++    0x110b9: 84,
++    0x110ba: 84,
++    0x110c2: 84,
++    0x11100: 84,
++    0x11101: 84,
++    0x11102: 84,
++    0x11127: 84,
++    0x11128: 84,
++    0x11129: 84,
++    0x1112a: 84,
++    0x1112b: 84,
++    0x1112d: 84,
++    0x1112e: 84,
++    0x1112f: 84,
++    0x11130: 84,
++    0x11131: 84,
++    0x11132: 84,
++    0x11133: 84,
++    0x11134: 84,
++    0x11173: 84,
++    0x11180: 84,
++    0x11181: 84,
++    0x111b6: 84,
++    0x111b7: 84,
++    0x111b8: 84,
++    0x111b9: 84,
++    0x111ba: 84,
++    0x111bb: 84,
++    0x111bc: 84,
++    0x111bd: 84,
++    0x111be: 84,
++    0x111c9: 84,
++    0x111ca: 84,
++    0x111cb: 84,
++    0x111cc: 84,
++    0x111cf: 84,
++    0x1122f: 84,
++    0x11230: 84,
++    0x11231: 84,
++    0x11234: 84,
++    0x11236: 84,
++    0x11237: 84,
++    0x1123e: 84,
++    0x11241: 84,
++    0x112df: 84,
++    0x112e3: 84,
++    0x112e4: 84,
++    0x112e5: 84,
++    0x112e6: 84,
++    0x112e7: 84,
++    0x112e8: 84,
++    0x112e9: 84,
++    0x112ea: 84,
++    0x11300: 84,
++    0x11301: 84,
++    0x1133b: 84,
++    0x1133c: 84,
++    0x11340: 84,
++    0x11366: 84,
++    0x11367: 84,
++    0x11368: 84,
++    0x11369: 84,
++    0x1136a: 84,
++    0x1136b: 84,
++    0x1136c: 84,
++    0x11370: 84,
++    0x11371: 84,
++    0x11372: 84,
++    0x11373: 84,
++    0x11374: 84,
++    0x11438: 84,
++    0x11439: 84,
++    0x1143a: 84,
++    0x1143b: 84,
++    0x1143c: 84,
++    0x1143d: 84,
++    0x1143e: 84,
++    0x1143f: 84,
++    0x11442: 84,
++    0x11443: 84,
++    0x11444: 84,
++    0x11446: 84,
++    0x1145e: 84,
++    0x114b3: 84,
++    0x114b4: 84,
++    0x114b5: 84,
++    0x114b6: 84,
++    0x114b7: 84,
++    0x114b8: 84,
++    0x114ba: 84,
++    0x114bf: 84,
++    0x114c0: 84,
++    0x114c2: 84,
++    0x114c3: 84,
++    0x115b2: 84,
++    0x115b3: 84,
++    0x115b4: 84,
++    0x115b5: 84,
++    0x115bc: 84,
++    0x115bd: 84,
++    0x115bf: 84,
++    0x115c0: 84,
++    0x115dc: 84,
++    0x115dd: 84,
++    0x11633: 84,
++    0x11634: 84,
++    0x11635: 84,
++    0x11636: 84,
++    0x11637: 84,
++    0x11638: 84,
++    0x11639: 84,
++    0x1163a: 84,
++    0x1163d: 84,
++    0x1163f: 84,
++    0x11640: 84,
++    0x116ab: 84,
++    0x116ad: 84,
++    0x116b0: 84,
++    0x116b1: 84,
++    0x116b2: 84,
++    0x116b3: 84,
++    0x116b4: 84,
++    0x116b5: 84,
++    0x116b7: 84,
++    0x1171d: 84,
++    0x1171e: 84,
++    0x1171f: 84,
++    0x11722: 84,
++    0x11723: 84,
++    0x11724: 84,
++    0x11725: 84,
++    0x11727: 84,
++    0x11728: 84,
++    0x11729: 84,
++    0x1172a: 84,
++    0x1172b: 84,
++    0x1182f: 84,
++    0x11830: 84,
++    0x11831: 84,
++    0x11832: 84,
++    0x11833: 84,
++    0x11834: 84,
++    0x11835: 84,
++    0x11836: 84,
++    0x11837: 84,
++    0x11839: 84,
++    0x1183a: 84,
++    0x1193b: 84,
++    0x1193c: 84,
++    0x1193e: 84,
++    0x11943: 84,
++    0x119d4: 84,
++    0x119d5: 84,
++    0x119d6: 84,
++    0x119d7: 84,
++    0x119da: 84,
++    0x119db: 84,
++    0x119e0: 84,
++    0x11a01: 84,
++    0x11a02: 84,
++    0x11a03: 84,
++    0x11a04: 84,
++    0x11a05: 84,
++    0x11a06: 84,
++    0x11a07: 84,
++    0x11a08: 84,
++    0x11a09: 84,
++    0x11a0a: 84,
++    0x11a33: 84,
++    0x11a34: 84,
++    0x11a35: 84,
++    0x11a36: 84,
++    0x11a37: 84,
++    0x11a38: 84,
++    0x11a3b: 84,
++    0x11a3c: 84,
++    0x11a3d: 84,
++    0x11a3e: 84,
++    0x11a47: 84,
++    0x11a51: 84,
++    0x11a52: 84,
++    0x11a53: 84,
++    0x11a54: 84,
++    0x11a55: 84,
++    0x11a56: 84,
++    0x11a59: 84,
++    0x11a5a: 84,
++    0x11a5b: 84,
++    0x11a8a: 84,
++    0x11a8b: 84,
++    0x11a8c: 84,
++    0x11a8d: 84,
++    0x11a8e: 84,
++    0x11a8f: 84,
++    0x11a90: 84,
++    0x11a91: 84,
++    0x11a92: 84,
++    0x11a93: 84,
++    0x11a94: 84,
++    0x11a95: 84,
++    0x11a96: 84,
++    0x11a98: 84,
++    0x11a99: 84,
++    0x11c30: 84,
++    0x11c31: 84,
++    0x11c32: 84,
++    0x11c33: 84,
++    0x11c34: 84,
++    0x11c35: 84,
++    0x11c36: 84,
++    0x11c38: 84,
++    0x11c39: 84,
++    0x11c3a: 84,
++    0x11c3b: 84,
++    0x11c3c: 84,
++    0x11c3d: 84,
++    0x11c3f: 84,
++    0x11c92: 84,
++    0x11c93: 84,
++    0x11c94: 84,
++    0x11c95: 84,
++    0x11c96: 84,
++    0x11c97: 84,
++    0x11c98: 84,
++    0x11c99: 84,
++    0x11c9a: 84,
++    0x11c9b: 84,
++    0x11c9c: 84,
++    0x11c9d: 84,
++    0x11c9e: 84,
++    0x11c9f: 84,
++    0x11ca0: 84,
++    0x11ca1: 84,
++    0x11ca2: 84,
++    0x11ca3: 84,
++    0x11ca4: 84,
++    0x11ca5: 84,
++    0x11ca6: 84,
++    0x11ca7: 84,
++    0x11caa: 84,
++    0x11cab: 84,
++    0x11cac: 84,
++    0x11cad: 84,
++    0x11cae: 84,
++    0x11caf: 84,
++    0x11cb0: 84,
++    0x11cb2: 84,
++    0x11cb3: 84,
++    0x11cb5: 84,
++    0x11cb6: 84,
++    0x11d31: 84,
++    0x11d32: 84,
++    0x11d33: 84,
++    0x11d34: 84,
++    0x11d35: 84,
++    0x11d36: 84,
++    0x11d3a: 84,
++    0x11d3c: 84,
++    0x11d3d: 84,
++    0x11d3f: 84,
++    0x11d40: 84,
++    0x11d41: 84,
++    0x11d42: 84,
++    0x11d43: 84,
++    0x11d44: 84,
++    0x11d45: 84,
++    0x11d47: 84,
++    0x11d90: 84,
++    0x11d91: 84,
++    0x11d95: 84,
++    0x11d97: 84,
++    0x11ef3: 84,
++    0x11ef4: 84,
++    0x11f00: 84,
++    0x11f01: 84,
++    0x11f36: 84,
++    0x11f37: 84,
++    0x11f38: 84,
++    0x11f39: 84,
++    0x11f3a: 84,
++    0x11f40: 84,
++    0x11f42: 84,
++    0x13430: 84,
++    0x13431: 84,
++    0x13432: 84,
++    0x13433: 84,
++    0x13434: 84,
++    0x13435: 84,
++    0x13436: 84,
++    0x13437: 84,
++    0x13438: 84,
++    0x13439: 84,
++    0x1343a: 84,
++    0x1343b: 84,
++    0x1343c: 84,
++    0x1343d: 84,
++    0x1343e: 84,
++    0x1343f: 84,
++    0x13440: 84,
++    0x13447: 84,
++    0x13448: 84,
++    0x13449: 84,
++    0x1344a: 84,
++    0x1344b: 84,
++    0x1344c: 84,
++    0x1344d: 84,
++    0x1344e: 84,
++    0x1344f: 84,
++    0x13450: 84,
++    0x13451: 84,
++    0x13452: 84,
++    0x13453: 84,
++    0x13454: 84,
++    0x13455: 84,
++    0x16af0: 84,
++    0x16af1: 84,
++    0x16af2: 84,
++    0x16af3: 84,
++    0x16af4: 84,
++    0x16b30: 84,
++    0x16b31: 84,
++    0x16b32: 84,
++    0x16b33: 84,
++    0x16b34: 84,
++    0x16b35: 84,
++    0x16b36: 84,
++    0x16f4f: 84,
++    0x16f8f: 84,
++    0x16f90: 84,
++    0x16f91: 84,
++    0x16f92: 84,
++    0x16fe4: 84,
++    0x1bc9d: 84,
++    0x1bc9e: 84,
++    0x1bca0: 84,
++    0x1bca1: 84,
++    0x1bca2: 84,
++    0x1bca3: 84,
++    0x1cf00: 84,
++    0x1cf01: 84,
++    0x1cf02: 84,
++    0x1cf03: 84,
++    0x1cf04: 84,
++    0x1cf05: 84,
++    0x1cf06: 84,
++    0x1cf07: 84,
++    0x1cf08: 84,
++    0x1cf09: 84,
++    0x1cf0a: 84,
++    0x1cf0b: 84,
++    0x1cf0c: 84,
++    0x1cf0d: 84,
++    0x1cf0e: 84,
++    0x1cf0f: 84,
++    0x1cf10: 84,
++    0x1cf11: 84,
++    0x1cf12: 84,
++    0x1cf13: 84,
++    0x1cf14: 84,
++    0x1cf15: 84,
++    0x1cf16: 84,
++    0x1cf17: 84,
++    0x1cf18: 84,
++    0x1cf19: 84,
++    0x1cf1a: 84,
++    0x1cf1b: 84,
++    0x1cf1c: 84,
++    0x1cf1d: 84,
++    0x1cf1e: 84,
++    0x1cf1f: 84,
++    0x1cf20: 84,
++    0x1cf21: 84,
++    0x1cf22: 84,
++    0x1cf23: 84,
++    0x1cf24: 84,
++    0x1cf25: 84,
++    0x1cf26: 84,
++    0x1cf27: 84,
++    0x1cf28: 84,
++    0x1cf29: 84,
++    0x1cf2a: 84,
++    0x1cf2b: 84,
++    0x1cf2c: 84,
++    0x1cf2d: 84,
++    0x1cf30: 84,
++    0x1cf31: 84,
++    0x1cf32: 84,
++    0x1cf33: 84,
++    0x1cf34: 84,
++    0x1cf35: 84,
++    0x1cf36: 84,
++    0x1cf37: 84,
++    0x1cf38: 84,
++    0x1cf39: 84,
++    0x1cf3a: 84,
++    0x1cf3b: 84,
++    0x1cf3c: 84,
++    0x1cf3d: 84,
++    0x1cf3e: 84,
++    0x1cf3f: 84,
++    0x1cf40: 84,
++    0x1cf41: 84,
++    0x1cf42: 84,
++    0x1cf43: 84,
++    0x1cf44: 84,
++    0x1cf45: 84,
++    0x1cf46: 84,
++    0x1d167: 84,
++    0x1d168: 84,
++    0x1d169: 84,
++    0x1d173: 84,
++    0x1d174: 84,
++    0x1d175: 84,
++    0x1d176: 84,
++    0x1d177: 84,
++    0x1d178: 84,
++    0x1d179: 84,
++    0x1d17a: 84,
++    0x1d17b: 84,
++    0x1d17c: 84,
++    0x1d17d: 84,
++    0x1d17e: 84,
++    0x1d17f: 84,
++    0x1d180: 84,
++    0x1d181: 84,
++    0x1d182: 84,
++    0x1d185: 84,
++    0x1d186: 84,
++    0x1d187: 84,
++    0x1d188: 84,
++    0x1d189: 84,
++    0x1d18a: 84,
++    0x1d18b: 84,
++    0x1d1aa: 84,
++    0x1d1ab: 84,
++    0x1d1ac: 84,
++    0x1d1ad: 84,
++    0x1d242: 84,
++    0x1d243: 84,
++    0x1d244: 84,
++    0x1da00: 84,
++    0x1da01: 84,
++    0x1da02: 84,
++    0x1da03: 84,
++    0x1da04: 84,
++    0x1da05: 84,
++    0x1da06: 84,
++    0x1da07: 84,
++    0x1da08: 84,
++    0x1da09: 84,
++    0x1da0a: 84,
++    0x1da0b: 84,
++    0x1da0c: 84,
++    0x1da0d: 84,
++    0x1da0e: 84,
++    0x1da0f: 84,
++    0x1da10: 84,
++    0x1da11: 84,
++    0x1da12: 84,
++    0x1da13: 84,
++    0x1da14: 84,
++    0x1da15: 84,
++    0x1da16: 84,
++    0x1da17: 84,
++    0x1da18: 84,
++    0x1da19: 84,
++    0x1da1a: 84,
++    0x1da1b: 84,
++    0x1da1c: 84,
++    0x1da1d: 84,
++    0x1da1e: 84,
++    0x1da1f: 84,
++    0x1da20: 84,
++    0x1da21: 84,
++    0x1da22: 84,
++    0x1da23: 84,
++    0x1da24: 84,
++    0x1da25: 84,
++    0x1da26: 84,
++    0x1da27: 84,
++    0x1da28: 84,
++    0x1da29: 84,
++    0x1da2a: 84,
++    0x1da2b: 84,
++    0x1da2c: 84,
++    0x1da2d: 84,
++    0x1da2e: 84,
++    0x1da2f: 84,
++    0x1da30: 84,
++    0x1da31: 84,
++    0x1da32: 84,
++    0x1da33: 84,
++    0x1da34: 84,
++    0x1da35: 84,
++    0x1da36: 84,
++    0x1da3b: 84,
++    0x1da3c: 84,
++    0x1da3d: 84,
++    0x1da3e: 84,
++    0x1da3f: 84,
++    0x1da40: 84,
++    0x1da41: 84,
++    0x1da42: 84,
++    0x1da43: 84,
++    0x1da44: 84,
++    0x1da45: 84,
++    0x1da46: 84,
++    0x1da47: 84,
++    0x1da48: 84,
++    0x1da49: 84,
++    0x1da4a: 84,
++    0x1da4b: 84,
++    0x1da4c: 84,
++    0x1da4d: 84,
++    0x1da4e: 84,
++    0x1da4f: 84,
++    0x1da50: 84,
++    0x1da51: 84,
++    0x1da52: 84,
++    0x1da53: 84,
++    0x1da54: 84,
++    0x1da55: 84,
++    0x1da56: 84,
++    0x1da57: 84,
++    0x1da58: 84,
++    0x1da59: 84,
++    0x1da5a: 84,
++    0x1da5b: 84,
++    0x1da5c: 84,
++    0x1da5d: 84,
++    0x1da5e: 84,
++    0x1da5f: 84,
++    0x1da60: 84,
++    0x1da61: 84,
++    0x1da62: 84,
++    0x1da63: 84,
++    0x1da64: 84,
++    0x1da65: 84,
++    0x1da66: 84,
++    0x1da67: 84,
++    0x1da68: 84,
++    0x1da69: 84,
++    0x1da6a: 84,
++    0x1da6b: 84,
++    0x1da6c: 84,
++    0x1da75: 84,
++    0x1da84: 84,
++    0x1da9b: 84,
++    0x1da9c: 84,
++    0x1da9d: 84,
++    0x1da9e: 84,
++    0x1da9f: 84,
++    0x1daa1: 84,
++    0x1daa2: 84,
++    0x1daa3: 84,
++    0x1daa4: 84,
++    0x1daa5: 84,
++    0x1daa6: 84,
++    0x1daa7: 84,
++    0x1daa8: 84,
++    0x1daa9: 84,
++    0x1daaa: 84,
++    0x1daab: 84,
++    0x1daac: 84,
++    0x1daad: 84,
++    0x1daae: 84,
++    0x1daaf: 84,
++    0x1e000: 84,
++    0x1e001: 84,
++    0x1e002: 84,
++    0x1e003: 84,
++    0x1e004: 84,
++    0x1e005: 84,
++    0x1e006: 84,
++    0x1e008: 84,
++    0x1e009: 84,
++    0x1e00a: 84,
++    0x1e00b: 84,
++    0x1e00c: 84,
++    0x1e00d: 84,
++    0x1e00e: 84,
++    0x1e00f: 84,
++    0x1e010: 84,
++    0x1e011: 84,
++    0x1e012: 84,
++    0x1e013: 84,
++    0x1e014: 84,
++    0x1e015: 84,
++    0x1e016: 84,
++    0x1e017: 84,
++    0x1e018: 84,
++    0x1e01b: 84,
++    0x1e01c: 84,
++    0x1e01d: 84,
++    0x1e01e: 84,
++    0x1e01f: 84,
++    0x1e020: 84,
++    0x1e021: 84,
++    0x1e023: 84,
++    0x1e024: 84,
++    0x1e026: 84,
++    0x1e027: 84,
++    0x1e028: 84,
++    0x1e029: 84,
++    0x1e02a: 84,
++    0x1e08f: 84,
++    0x1e130: 84,
++    0x1e131: 84,
++    0x1e132: 84,
++    0x1e133: 84,
++    0x1e134: 84,
++    0x1e135: 84,
++    0x1e136: 84,
++    0x1e2ae: 84,
++    0x1e2ec: 84,
++    0x1e2ed: 84,
++    0x1e2ee: 84,
++    0x1e2ef: 84,
++    0x1e4ec: 84,
++    0x1e4ed: 84,
++    0x1e4ee: 84,
++    0x1e4ef: 84,
++    0x1e8d0: 84,
++    0x1e8d1: 84,
++    0x1e8d2: 84,
++    0x1e8d3: 84,
++    0x1e8d4: 84,
++    0x1e8d5: 84,
++    0x1e8d6: 84,
+     0x1e900: 68,
+     0x1e901: 68,
+     0x1e902: 68,
+@@ -927,7 +2680,351 @@ joining_types = {
+     0x1e941: 68,
+     0x1e942: 68,
+     0x1e943: 68,
++    0x1e944: 84,
++    0x1e945: 84,
++    0x1e946: 84,
++    0x1e947: 84,
++    0x1e948: 84,
++    0x1e949: 84,
++    0x1e94a: 84,
+     0x1e94b: 84,
++    0xe0001: 84,
++    0xe0020: 84,
++    0xe0021: 84,
++    0xe0022: 84,
++    0xe0023: 84,
++    0xe0024: 84,
++    0xe0025: 84,
++    0xe0026: 84,
++    0xe0027: 84,
++    0xe0028: 84,
++    0xe0029: 84,
++    0xe002a: 84,
++    0xe002b: 84,
++    0xe002c: 84,
++    0xe002d: 84,
++    0xe002e: 84,
++    0xe002f: 84,
++    0xe0030: 84,
++    0xe0031: 84,
++    0xe0032: 84,
++    0xe0033: 84,
++    0xe0034: 84,
++    0xe0035: 84,
++    0xe0036: 84,
++    0xe0037: 84,
++    0xe0038: 84,
++    0xe0039: 84,
++    0xe003a: 84,
++    0xe003b: 84,
++    0xe003c: 84,
++    0xe003d: 84,
++    0xe003e: 84,
++    0xe003f: 84,
++    0xe0040: 84,
++    0xe0041: 84,
++    0xe0042: 84,
++    0xe0043: 84,
++    0xe0044: 84,
++    0xe0045: 84,
++    0xe0046: 84,
++    0xe0047: 84,
++    0xe0048: 84,
++    0xe0049: 84,
++    0xe004a: 84,
++    0xe004b: 84,
++    0xe004c: 84,
++    0xe004d: 84,
++    0xe004e: 84,
++    0xe004f: 84,
++    0xe0050: 84,
++    0xe0051: 84,
++    0xe0052: 84,
++    0xe0053: 84,
++    0xe0054: 84,
++    0xe0055: 84,
++    0xe0056: 84,
++    0xe0057: 84,
++    0xe0058: 84,
++    0xe0059: 84,
++    0xe005a: 84,
++    0xe005b: 84,
++    0xe005c: 84,
++    0xe005d: 84,
++    0xe005e: 84,
++    0xe005f: 84,
++    0xe0060: 84,
++    0xe0061: 84,
++    0xe0062: 84,
++    0xe0063: 84,
++    0xe0064: 84,
++    0xe0065: 84,
++    0xe0066: 84,
++    0xe0067: 84,
++    0xe0068: 84,
++    0xe0069: 84,
++    0xe006a: 84,
++    0xe006b: 84,
++    0xe006c: 84,
++    0xe006d: 84,
++    0xe006e: 84,
++    0xe006f: 84,
++    0xe0070: 84,
++    0xe0071: 84,
++    0xe0072: 84,
++    0xe0073: 84,
++    0xe0074: 84,
++    0xe0075: 84,
++    0xe0076: 84,
++    0xe0077: 84,
++    0xe0078: 84,
++    0xe0079: 84,
++    0xe007a: 84,
++    0xe007b: 84,
++    0xe007c: 84,
++    0xe007d: 84,
++    0xe007e: 84,
++    0xe007f: 84,
++    0xe0100: 84,
++    0xe0101: 84,
++    0xe0102: 84,
++    0xe0103: 84,
++    0xe0104: 84,
++    0xe0105: 84,
++    0xe0106: 84,
++    0xe0107: 84,
++    0xe0108: 84,
++    0xe0109: 84,
++    0xe010a: 84,
++    0xe010b: 84,
++    0xe010c: 84,
++    0xe010d: 84,
++    0xe010e: 84,
++    0xe010f: 84,
++    0xe0110: 84,
++    0xe0111: 84,
++    0xe0112: 84,
++    0xe0113: 84,
++    0xe0114: 84,
++    0xe0115: 84,
++    0xe0116: 84,
++    0xe0117: 84,
++    0xe0118: 84,
++    0xe0119: 84,
++    0xe011a: 84,
++    0xe011b: 84,
++    0xe011c: 84,
++    0xe011d: 84,
++    0xe011e: 84,
++    0xe011f: 84,
++    0xe0120: 84,
++    0xe0121: 84,
++    0xe0122: 84,
++    0xe0123: 84,
++    0xe0124: 84,
++    0xe0125: 84,
++    0xe0126: 84,
++    0xe0127: 84,
++    0xe0128: 84,
++    0xe0129: 84,
++    0xe012a: 84,
++    0xe012b: 84,
++    0xe012c: 84,
++    0xe012d: 84,
++    0xe012e: 84,
++    0xe012f: 84,
++    0xe0130: 84,
++    0xe0131: 84,
++    0xe0132: 84,
++    0xe0133: 84,
++    0xe0134: 84,
++    0xe0135: 84,
++    0xe0136: 84,
++    0xe0137: 84,
++    0xe0138: 84,
++    0xe0139: 84,
++    0xe013a: 84,
++    0xe013b: 84,
++    0xe013c: 84,
++    0xe013d: 84,
++    0xe013e: 84,
++    0xe013f: 84,
++    0xe0140: 84,
++    0xe0141: 84,
++    0xe0142: 84,
++    0xe0143: 84,
++    0xe0144: 84,
++    0xe0145: 84,
++    0xe0146: 84,
++    0xe0147: 84,
++    0xe0148: 84,
++    0xe0149: 84,
++    0xe014a: 84,
++    0xe014b: 84,
++    0xe014c: 84,
++    0xe014d: 84,
++    0xe014e: 84,
++    0xe014f: 84,
++    0xe0150: 84,
++    0xe0151: 84,
++    0xe0152: 84,
++    0xe0153: 84,
++    0xe0154: 84,
++    0xe0155: 84,
++    0xe0156: 84,
++    0xe0157: 84,
++    0xe0158: 84,
++    0xe0159: 84,
++    0xe015a: 84,
++    0xe015b: 84,
++    0xe015c: 84,
++    0xe015d: 84,
++    0xe015e: 84,
++    0xe015f: 84,
++    0xe0160: 84,
++    0xe0161: 84,
++    0xe0162: 84,
++    0xe0163: 84,
++    0xe0164: 84,
++    0xe0165: 84,
++    0xe0166: 84,
++    0xe0167: 84,
++    0xe0168: 84,
++    0xe0169: 84,
++    0xe016a: 84,
++    0xe016b: 84,
++    0xe016c: 84,
++    0xe016d: 84,
++    0xe016e: 84,
++    0xe016f: 84,
++    0xe0170: 84,
++    0xe0171: 84,
++    0xe0172: 84,
++    0xe0173: 84,
++    0xe0174: 84,
++    0xe0175: 84,
++    0xe0176: 84,
++    0xe0177: 84,
++    0xe0178: 84,
++    0xe0179: 84,
++    0xe017a: 84,
++    0xe017b: 84,
++    0xe017c: 84,
++    0xe017d: 84,
++    0xe017e: 84,
++    0xe017f: 84,
++    0xe0180: 84,
++    0xe0181: 84,
++    0xe0182: 84,
++    0xe0183: 84,
++    0xe0184: 84,
++    0xe0185: 84,
++    0xe0186: 84,
++    0xe0187: 84,
++    0xe0188: 84,
++    0xe0189: 84,
++    0xe018a: 84,
++    0xe018b: 84,
++    0xe018c: 84,
++    0xe018d: 84,
++    0xe018e: 84,
++    0xe018f: 84,
++    0xe0190: 84,
++    0xe0191: 84,
++    0xe0192: 84,
++    0xe0193: 84,
++    0xe0194: 84,
++    0xe0195: 84,
++    0xe0196: 84,
++    0xe0197: 84,
++    0xe0198: 84,
++    0xe0199: 84,
++    0xe019a: 84,
++    0xe019b: 84,
++    0xe019c: 84,
++    0xe019d: 84,
++    0xe019e: 84,
++    0xe019f: 84,
++    0xe01a0: 84,
++    0xe01a1: 84,
++    0xe01a2: 84,
++    0xe01a3: 84,
++    0xe01a4: 84,
++    0xe01a5: 84,
++    0xe01a6: 84,
++    0xe01a7: 84,
++    0xe01a8: 84,
++    0xe01a9: 84,
++    0xe01aa: 84,
++    0xe01ab: 84,
++    0xe01ac: 84,
++    0xe01ad: 84,
++    0xe01ae: 84,
++    0xe01af: 84,
++    0xe01b0: 84,
++    0xe01b1: 84,
++    0xe01b2: 84,
++    0xe01b3: 84,
++    0xe01b4: 84,
++    0xe01b5: 84,
++    0xe01b6: 84,
++    0xe01b7: 84,
++    0xe01b8: 84,
++    0xe01b9: 84,
++    0xe01ba: 84,
++    0xe01bb: 84,
++    0xe01bc: 84,
++    0xe01bd: 84,
++    0xe01be: 84,
++    0xe01bf: 84,
++    0xe01c0: 84,
++    0xe01c1: 84,
++    0xe01c2: 84,
++    0xe01c3: 84,
++    0xe01c4: 84,
++    0xe01c5: 84,
++    0xe01c6: 84,
++    0xe01c7: 84,
++    0xe01c8: 84,
++    0xe01c9: 84,
++    0xe01ca: 84,
++    0xe01cb: 84,
++    0xe01cc: 84,
++    0xe01cd: 84,
++    0xe01ce: 84,
++    0xe01cf: 84,
++    0xe01d0: 84,
++    0xe01d1: 84,
++    0xe01d2: 84,
++    0xe01d3: 84,
++    0xe01d4: 84,
++    0xe01d5: 84,
++    0xe01d6: 84,
++    0xe01d7: 84,
++    0xe01d8: 84,
++    0xe01d9: 84,
++    0xe01da: 84,
++    0xe01db: 84,
++    0xe01dc: 84,
++    0xe01dd: 84,
++    0xe01de: 84,
++    0xe01df: 84,
++    0xe01e0: 84,
++    0xe01e1: 84,
++    0xe01e2: 84,
++    0xe01e3: 84,
++    0xe01e4: 84,
++    0xe01e5: 84,
++    0xe01e6: 84,
++    0xe01e7: 84,
++    0xe01e8: 84,
++    0xe01e9: 84,
++    0xe01ea: 84,
++    0xe01eb: 84,
++    0xe01ec: 84,
++    0xe01ed: 84,
++    0xe01ee: 84,
++    0xe01ef: 84,
+ }
+ codepoint_classes = {
+     'PVALID': (
+@@ -1834,7 +3931,6 @@ codepoint_classes = {
+         0xa7d50000a7d6,
+         0xa7d70000a7d8,
+         0xa7d90000a7da,
+-        0xa7f20000a7f5,
+         0xa7f60000a7f8,
+         0xa7fa0000a828,
+         0xa82c0000a82d,
+@@ -1907,9 +4003,7 @@ codepoint_classes = {
+         0x1060000010737,
+         0x1074000010756,
+         0x1076000010768,
+-        0x1078000010786,
+-        0x10787000107b1,
+-        0x107b2000107bb,
++        0x1078000010781,
+         0x1080000010806,
+         0x1080800010809,
+         0x1080a00010836,
+@@ -2112,7 +4206,6 @@ codepoint_classes = {
+         0x1e01b0001e022,
+         0x1e0230001e025,
+         0x1e0260001e02b,
+-        0x1e0300001e06e,
+         0x1e08f0001e090,
+         0x1e1000001e12d,
+         0x1e1300001e13e,
+@@ -2134,6 +4227,7 @@ codepoint_classes = {
+         0x2b7400002b81e,
+         0x2b8200002cea2,
+         0x2ceb00002ebe1,
++        0x2ebf00002ee5e,
+         0x300000003134b,
+         0x31350000323b0,
+     ),
+diff --git a/src/pip/_vendor/idna/package_data.py b/src/pip/_vendor/idna/package_data.py
+index 8501893..ed81113 100644
+--- a/src/pip/_vendor/idna/package_data.py
++++ b/src/pip/_vendor/idna/package_data.py
+@@ -1,2 +1,2 @@
+-__version__ = '3.4'
++__version__ = '3.7'
+ 
+diff --git a/src/pip/_vendor/idna/uts46data.py b/src/pip/_vendor/idna/uts46data.py
+index 186796c..6a1eddb 100644
+--- a/src/pip/_vendor/idna/uts46data.py
++++ b/src/pip/_vendor/idna/uts46data.py
+@@ -7,7 +7,7 @@ from typing import List, Tuple, Union
+ """IDNA Mapping Table from UTS46."""
+ 
+ 
+-__version__ = '15.0.0'
++__version__ = '15.1.0'
+ def _seg_0() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     return [
+     (0x0, '3'),
+@@ -1899,7 +1899,7 @@ def _seg_18() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1E9A, 'M', 'aʾ'),
+     (0x1E9B, 'M', 'ṡ'),
+     (0x1E9C, 'V'),
+-    (0x1E9E, 'M', 'ss'),
++    (0x1E9E, 'M', 'ß'),
+     (0x1E9F, 'V'),
+     (0x1EA0, 'M', 'ạ'),
+     (0x1EA1, 'V'),
+@@ -2418,10 +2418,6 @@ def _seg_23() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x222F, 'M', '∮∮'),
+     (0x2230, 'M', '∮∮∮'),
+     (0x2231, 'V'),
+-    (0x2260, '3'),
+-    (0x2261, 'V'),
+-    (0x226E, '3'),
+-    (0x2270, 'V'),
+     (0x2329, 'M', '〈'),
+     (0x232A, 'M', '〉'),
+     (0x232B, 'V'),
+@@ -2502,14 +2498,14 @@ def _seg_23() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x24BA, 'M', 'e'),
+     (0x24BB, 'M', 'f'),
+     (0x24BC, 'M', 'g'),
+-    ]
+-
+-def _seg_24() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x24BD, 'M', 'h'),
+     (0x24BE, 'M', 'i'),
+     (0x24BF, 'M', 'j'),
+     (0x24C0, 'M', 'k'),
++    ]
++
++def _seg_24() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x24C1, 'M', 'l'),
+     (0x24C2, 'M', 'm'),
+     (0x24C3, 'M', 'n'),
+@@ -2606,14 +2602,14 @@ def _seg_24() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x2C26, 'M', 'ⱖ'),
+     (0x2C27, 'M', 'ⱗ'),
+     (0x2C28, 'M', 'ⱘ'),
+-    ]
+-
+-def _seg_25() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x2C29, 'M', 'ⱙ'),
+     (0x2C2A, 'M', 'ⱚ'),
+     (0x2C2B, 'M', 'ⱛ'),
+     (0x2C2C, 'M', 'ⱜ'),
++    ]
++
++def _seg_25() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x2C2D, 'M', 'ⱝ'),
+     (0x2C2E, 'M', 'ⱞ'),
+     (0x2C2F, 'M', 'ⱟ'),
+@@ -2710,14 +2706,14 @@ def _seg_25() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x2CC0, 'M', 'ⳁ'),
+     (0x2CC1, 'V'),
+     (0x2CC2, 'M', 'ⳃ'),
+-    ]
+-
+-def _seg_26() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x2CC3, 'V'),
+     (0x2CC4, 'M', 'ⳅ'),
+     (0x2CC5, 'V'),
+     (0x2CC6, 'M', 'ⳇ'),
++    ]
++
++def _seg_26() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x2CC7, 'V'),
+     (0x2CC8, 'M', 'ⳉ'),
+     (0x2CC9, 'V'),
+@@ -2814,14 +2810,14 @@ def _seg_26() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x2F13, 'M', '勹'),
+     (0x2F14, 'M', '匕'),
+     (0x2F15, 'M', '匚'),
+-    ]
+-
+-def _seg_27() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x2F16, 'M', '匸'),
+     (0x2F17, 'M', '十'),
+     (0x2F18, 'M', '卜'),
+     (0x2F19, 'M', '卩'),
++    ]
++
++def _seg_27() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x2F1A, 'M', '厂'),
+     (0x2F1B, 'M', '厶'),
+     (0x2F1C, 'M', '又'),
+@@ -2918,14 +2914,14 @@ def _seg_27() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x2F77, 'M', '糸'),
+     (0x2F78, 'M', '缶'),
+     (0x2F79, 'M', '网'),
+-    ]
+-
+-def _seg_28() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x2F7A, 'M', '羊'),
+     (0x2F7B, 'M', '羽'),
+     (0x2F7C, 'M', '老'),
+     (0x2F7D, 'M', '而'),
++    ]
++
++def _seg_28() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x2F7E, 'M', '耒'),
+     (0x2F7F, 'M', '耳'),
+     (0x2F80, 'M', '聿'),
+@@ -3022,14 +3018,14 @@ def _seg_28() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x3036, 'M', '〒'),
+     (0x3037, 'V'),
+     (0x3038, 'M', '十'),
+-    ]
+-
+-def _seg_29() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x3039, 'M', '卄'),
+     (0x303A, 'M', '卅'),
+     (0x303B, 'V'),
+     (0x3040, 'X'),
++    ]
++
++def _seg_29() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x3041, 'V'),
+     (0x3097, 'X'),
+     (0x3099, 'V'),
+@@ -3126,14 +3122,14 @@ def _seg_29() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x3182, 'M', 'ᇱ'),
+     (0x3183, 'M', 'ᇲ'),
+     (0x3184, 'M', 'ᅗ'),
+-    ]
+-
+-def _seg_30() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x3185, 'M', 'ᅘ'),
+     (0x3186, 'M', 'ᅙ'),
+     (0x3187, 'M', 'ᆄ'),
+     (0x3188, 'M', 'ᆅ'),
++    ]
++
++def _seg_30() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x3189, 'M', 'ᆈ'),
+     (0x318A, 'M', 'ᆑ'),
+     (0x318B, 'M', 'ᆒ'),
+@@ -3230,14 +3226,14 @@ def _seg_30() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x3244, 'M', '問'),
+     (0x3245, 'M', '幼'),
+     (0x3246, 'M', '文'),
+-    ]
+-
+-def _seg_31() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x3247, 'M', '箏'),
+     (0x3248, 'V'),
+     (0x3250, 'M', 'pte'),
+     (0x3251, 'M', '21'),
++    ]
++
++def _seg_31() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x3252, 'M', '22'),
+     (0x3253, 'M', '23'),
+     (0x3254, 'M', '24'),
+@@ -3334,14 +3330,14 @@ def _seg_31() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x32AF, 'M', '協'),
+     (0x32B0, 'M', '夜'),
+     (0x32B1, 'M', '36'),
+-    ]
+-
+-def _seg_32() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x32B2, 'M', '37'),
+     (0x32B3, 'M', '38'),
+     (0x32B4, 'M', '39'),
+     (0x32B5, 'M', '40'),
++    ]
++
++def _seg_32() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x32B6, 'M', '41'),
+     (0x32B7, 'M', '42'),
+     (0x32B8, 'M', '43'),
+@@ -3438,14 +3434,14 @@ def _seg_32() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x3313, 'M', 'ギルダー'),
+     (0x3314, 'M', 'キロ'),
+     (0x3315, 'M', 'キログラム'),
+-    ]
+-
+-def _seg_33() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x3316, 'M', 'キロメートル'),
+     (0x3317, 'M', 'キロワット'),
+     (0x3318, 'M', 'グラム'),
+     (0x3319, 'M', 'グラムトン'),
++    ]
++
++def _seg_33() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x331A, 'M', 'クルゼイロ'),
+     (0x331B, 'M', 'クローネ'),
+     (0x331C, 'M', 'ケース'),
+@@ -3542,14 +3538,14 @@ def _seg_33() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x3377, 'M', 'dm'),
+     (0x3378, 'M', 'dm2'),
+     (0x3379, 'M', 'dm3'),
+-    ]
+-
+-def _seg_34() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x337A, 'M', 'iu'),
+     (0x337B, 'M', '平成'),
+     (0x337C, 'M', '昭和'),
+     (0x337D, 'M', '大正'),
++    ]
++
++def _seg_34() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x337E, 'M', '明治'),
+     (0x337F, 'M', '株式会社'),
+     (0x3380, 'M', 'pa'),
+@@ -3646,14 +3642,14 @@ def _seg_34() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x33DB, 'M', 'sr'),
+     (0x33DC, 'M', 'sv'),
+     (0x33DD, 'M', 'wb'),
+-    ]
+-
+-def _seg_35() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x33DE, 'M', 'v∕m'),
+     (0x33DF, 'M', 'a∕m'),
+     (0x33E0, 'M', '1日'),
+     (0x33E1, 'M', '2日'),
++    ]
++
++def _seg_35() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x33E2, 'M', '3日'),
+     (0x33E3, 'M', '4日'),
+     (0x33E4, 'M', '5日'),
+@@ -3750,14 +3746,14 @@ def _seg_35() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xA68B, 'V'),
+     (0xA68C, 'M', 'ꚍ'),
+     (0xA68D, 'V'),
+-    ]
+-
+-def _seg_36() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xA68E, 'M', 'ꚏ'),
+     (0xA68F, 'V'),
+     (0xA690, 'M', 'ꚑ'),
+     (0xA691, 'V'),
++    ]
++
++def _seg_36() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xA692, 'M', 'ꚓ'),
+     (0xA693, 'V'),
+     (0xA694, 'M', 'ꚕ'),
+@@ -3854,14 +3850,14 @@ def _seg_36() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xA779, 'M', 'ꝺ'),
+     (0xA77A, 'V'),
+     (0xA77B, 'M', 'ꝼ'),
+-    ]
+-
+-def _seg_37() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xA77C, 'V'),
+     (0xA77D, 'M', 'ᵹ'),
+     (0xA77E, 'M', 'ꝿ'),
+     (0xA77F, 'V'),
++    ]
++
++def _seg_37() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xA780, 'M', 'ꞁ'),
+     (0xA781, 'V'),
+     (0xA782, 'M', 'ꞃ'),
+@@ -3958,14 +3954,14 @@ def _seg_37() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xA878, 'X'),
+     (0xA880, 'V'),
+     (0xA8C6, 'X'),
+-    ]
+-
+-def _seg_38() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xA8CE, 'V'),
+     (0xA8DA, 'X'),
+     (0xA8E0, 'V'),
+     (0xA954, 'X'),
++    ]
++
++def _seg_38() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xA95F, 'V'),
+     (0xA97D, 'X'),
+     (0xA980, 'V'),
+@@ -4062,14 +4058,14 @@ def _seg_38() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xABA8, 'M', 'Ꮨ'),
+     (0xABA9, 'M', 'Ꮩ'),
+     (0xABAA, 'M', 'Ꮪ'),
+-    ]
+-
+-def _seg_39() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xABAB, 'M', 'Ꮫ'),
+     (0xABAC, 'M', 'Ꮬ'),
+     (0xABAD, 'M', 'Ꮭ'),
+     (0xABAE, 'M', 'Ꮮ'),
++    ]
++
++def _seg_39() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xABAF, 'M', 'Ꮯ'),
+     (0xABB0, 'M', 'Ꮰ'),
+     (0xABB1, 'M', 'Ꮱ'),
+@@ -4166,14 +4162,14 @@ def _seg_39() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xF943, 'M', '弄'),
+     (0xF944, 'M', '籠'),
+     (0xF945, 'M', '聾'),
+-    ]
+-
+-def _seg_40() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xF946, 'M', '牢'),
+     (0xF947, 'M', '磊'),
+     (0xF948, 'M', '賂'),
+     (0xF949, 'M', '雷'),
++    ]
++
++def _seg_40() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xF94A, 'M', '壘'),
+     (0xF94B, 'M', '屢'),
+     (0xF94C, 'M', '樓'),
+@@ -4270,14 +4266,14 @@ def _seg_40() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xF9A7, 'M', '獵'),
+     (0xF9A8, 'M', '令'),
+     (0xF9A9, 'M', '囹'),
+-    ]
+-
+-def _seg_41() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xF9AA, 'M', '寧'),
+     (0xF9AB, 'M', '嶺'),
+     (0xF9AC, 'M', '怜'),
+     (0xF9AD, 'M', '玲'),
++    ]
++
++def _seg_41() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xF9AE, 'M', '瑩'),
+     (0xF9AF, 'M', '羚'),
+     (0xF9B0, 'M', '聆'),
+@@ -4374,14 +4370,14 @@ def _seg_41() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xFA0B, 'M', '廓'),
+     (0xFA0C, 'M', '兀'),
+     (0xFA0D, 'M', '嗀'),
+-    ]
+-
+-def _seg_42() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFA0E, 'V'),
+     (0xFA10, 'M', '塚'),
+     (0xFA11, 'V'),
+     (0xFA12, 'M', '晴'),
++    ]
++
++def _seg_42() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFA13, 'V'),
+     (0xFA15, 'M', '凞'),
+     (0xFA16, 'M', '猪'),
+@@ -4478,14 +4474,14 @@ def _seg_42() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xFA76, 'M', '勇'),
+     (0xFA77, 'M', '勺'),
+     (0xFA78, 'M', '喝'),
+-    ]
+-
+-def _seg_43() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFA79, 'M', '啕'),
+     (0xFA7A, 'M', '喙'),
+     (0xFA7B, 'M', '嗢'),
+     (0xFA7C, 'M', '塚'),
++    ]
++
++def _seg_43() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFA7D, 'M', '墳'),
+     (0xFA7E, 'M', '奄'),
+     (0xFA7F, 'M', '奔'),
+@@ -4582,14 +4578,14 @@ def _seg_43() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xFADA, 'X'),
+     (0xFB00, 'M', 'ff'),
+     (0xFB01, 'M', 'fi'),
+-    ]
+-
+-def _seg_44() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFB02, 'M', 'fl'),
+     (0xFB03, 'M', 'ffi'),
+     (0xFB04, 'M', 'ffl'),
+     (0xFB05, 'M', 'st'),
++    ]
++
++def _seg_44() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFB07, 'X'),
+     (0xFB13, 'M', 'մն'),
+     (0xFB14, 'M', 'մե'),
+@@ -4686,14 +4682,14 @@ def _seg_44() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xFBDB, 'M', 'ۈ'),
+     (0xFBDD, 'M', 'ۇٴ'),
+     (0xFBDE, 'M', 'ۋ'),
+-    ]
+-
+-def _seg_45() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFBE0, 'M', 'ۅ'),
+     (0xFBE2, 'M', 'ۉ'),
+     (0xFBE4, 'M', 'ې'),
+     (0xFBE8, 'M', 'ى'),
++    ]
++
++def _seg_45() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFBEA, 'M', 'ئا'),
+     (0xFBEC, 'M', 'ئە'),
+     (0xFBEE, 'M', 'ئو'),
+@@ -4790,14 +4786,14 @@ def _seg_45() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xFC54, 'M', 'هي'),
+     (0xFC55, 'M', 'يج'),
+     (0xFC56, 'M', 'يح'),
+-    ]
+-
+-def _seg_46() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFC57, 'M', 'يخ'),
+     (0xFC58, 'M', 'يم'),
+     (0xFC59, 'M', 'يى'),
+     (0xFC5A, 'M', 'يي'),
++    ]
++
++def _seg_46() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFC5B, 'M', 'ذٰ'),
+     (0xFC5C, 'M', 'رٰ'),
+     (0xFC5D, 'M', 'ىٰ'),
+@@ -4894,14 +4890,14 @@ def _seg_46() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xFCB8, 'M', 'طح'),
+     (0xFCB9, 'M', 'ظم'),
+     (0xFCBA, 'M', 'عج'),
+-    ]
+-
+-def _seg_47() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFCBB, 'M', 'عم'),
+     (0xFCBC, 'M', 'غج'),
+     (0xFCBD, 'M', 'غم'),
+     (0xFCBE, 'M', 'فج'),
++    ]
++
++def _seg_47() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFCBF, 'M', 'فح'),
+     (0xFCC0, 'M', 'فخ'),
+     (0xFCC1, 'M', 'فم'),
+@@ -4998,14 +4994,14 @@ def _seg_47() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xFD1C, 'M', 'حي'),
+     (0xFD1D, 'M', 'جى'),
+     (0xFD1E, 'M', 'جي'),
+-    ]
+-
+-def _seg_48() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFD1F, 'M', 'خى'),
+     (0xFD20, 'M', 'خي'),
+     (0xFD21, 'M', 'صى'),
+     (0xFD22, 'M', 'صي'),
++    ]
++
++def _seg_48() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFD23, 'M', 'ضى'),
+     (0xFD24, 'M', 'ضي'),
+     (0xFD25, 'M', 'شج'),
+@@ -5102,14 +5098,14 @@ def _seg_48() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xFDA4, 'M', 'تمى'),
+     (0xFDA5, 'M', 'جمي'),
+     (0xFDA6, 'M', 'جحى'),
+-    ]
+-
+-def _seg_49() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFDA7, 'M', 'جمى'),
+     (0xFDA8, 'M', 'سخى'),
+     (0xFDA9, 'M', 'صحي'),
+     (0xFDAA, 'M', 'شحي'),
++    ]
++
++def _seg_49() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFDAB, 'M', 'ضحي'),
+     (0xFDAC, 'M', 'لجي'),
+     (0xFDAD, 'M', 'لمي'),
+@@ -5206,14 +5202,14 @@ def _seg_49() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xFE5B, '3', '{'),
+     (0xFE5C, '3', '}'),
+     (0xFE5D, 'M', '〔'),
+-    ]
+-
+-def _seg_50() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFE5E, 'M', '〕'),
+     (0xFE5F, '3', '#'),
+     (0xFE60, '3', '&'),
+     (0xFE61, '3', '*'),
++    ]
++
++def _seg_50() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFE62, '3', '+'),
+     (0xFE63, 'M', '-'),
+     (0xFE64, '3', '<'),
+@@ -5310,14 +5306,14 @@ def _seg_50() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xFF18, 'M', '8'),
+     (0xFF19, 'M', '9'),
+     (0xFF1A, '3', ':'),
+-    ]
+-
+-def _seg_51() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFF1B, '3', ';'),
+     (0xFF1C, '3', '<'),
+     (0xFF1D, '3', '='),
+     (0xFF1E, '3', '>'),
++    ]
++
++def _seg_51() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFF1F, '3', '?'),
+     (0xFF20, '3', '@'),
+     (0xFF21, 'M', 'a'),
+@@ -5414,14 +5410,14 @@ def _seg_51() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xFF7C, 'M', 'シ'),
+     (0xFF7D, 'M', 'ス'),
+     (0xFF7E, 'M', 'セ'),
+-    ]
+-
+-def _seg_52() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFF7F, 'M', 'ソ'),
+     (0xFF80, 'M', 'タ'),
+     (0xFF81, 'M', 'チ'),
+     (0xFF82, 'M', 'ツ'),
++    ]
++
++def _seg_52() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFF83, 'M', 'テ'),
+     (0xFF84, 'M', 'ト'),
+     (0xFF85, 'M', 'ナ'),
+@@ -5518,14 +5514,14 @@ def _seg_52() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0xFFE7, 'X'),
+     (0xFFE8, 'M', '│'),
+     (0xFFE9, 'M', '←'),
+-    ]
+-
+-def _seg_53() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFFEA, 'M', '↑'),
+     (0xFFEB, 'M', '→'),
+     (0xFFEC, 'M', '↓'),
+     (0xFFED, 'M', '■'),
++    ]
++
++def _seg_53() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFFEE, 'M', '○'),
+     (0xFFEF, 'X'),
+     (0x10000, 'V'),
+@@ -5622,14 +5618,14 @@ def _seg_53() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x104B3, 'M', '𐓛'),
+     (0x104B4, 'M', '𐓜'),
+     (0x104B5, 'M', '𐓝'),
+-    ]
+-
+-def _seg_54() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x104B6, 'M', '𐓞'),
+     (0x104B7, 'M', '𐓟'),
+     (0x104B8, 'M', '𐓠'),
+     (0x104B9, 'M', '𐓡'),
++    ]
++
++def _seg_54() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x104BA, 'M', '𐓢'),
+     (0x104BB, 'M', '𐓣'),
+     (0x104BC, 'M', '𐓤'),
+@@ -5726,14 +5722,14 @@ def _seg_54() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x10786, 'X'),
+     (0x10787, 'M', 'ʣ'),
+     (0x10788, 'M', 'ꭦ'),
+-    ]
+-
+-def _seg_55() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x10789, 'M', 'ʥ'),
+     (0x1078A, 'M', 'ʤ'),
+     (0x1078B, 'M', 'ɖ'),
+     (0x1078C, 'M', 'ɗ'),
++    ]
++
++def _seg_55() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1078D, 'M', 'ᶑ'),
+     (0x1078E, 'M', 'ɘ'),
+     (0x1078F, 'M', 'ɞ'),
+@@ -5830,14 +5826,14 @@ def _seg_55() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x10A60, 'V'),
+     (0x10AA0, 'X'),
+     (0x10AC0, 'V'),
+-    ]
+-
+-def _seg_56() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x10AE7, 'X'),
+     (0x10AEB, 'V'),
+     (0x10AF7, 'X'),
+     (0x10B00, 'V'),
++    ]
++
++def _seg_56() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x10B36, 'X'),
+     (0x10B39, 'V'),
+     (0x10B56, 'X'),
+@@ -5934,14 +5930,14 @@ def _seg_56() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1107F, 'V'),
+     (0x110BD, 'X'),
+     (0x110BE, 'V'),
+-    ]
+-
+-def _seg_57() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x110C3, 'X'),
+     (0x110D0, 'V'),
+     (0x110E9, 'X'),
+     (0x110F0, 'V'),
++    ]
++
++def _seg_57() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x110FA, 'X'),
+     (0x11100, 'V'),
+     (0x11135, 'X'),
+@@ -6038,14 +6034,14 @@ def _seg_57() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x118A4, 'M', '𑣄'),
+     (0x118A5, 'M', '𑣅'),
+     (0x118A6, 'M', '𑣆'),
+-    ]
+-
+-def _seg_58() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x118A7, 'M', '𑣇'),
+     (0x118A8, 'M', '𑣈'),
+     (0x118A9, 'M', '𑣉'),
+     (0x118AA, 'M', '𑣊'),
++    ]
++
++def _seg_58() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x118AB, 'M', '𑣋'),
+     (0x118AC, 'M', '𑣌'),
+     (0x118AD, 'M', '𑣍'),
+@@ -6142,14 +6138,14 @@ def _seg_58() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x11EE0, 'V'),
+     (0x11EF9, 'X'),
+     (0x11F00, 'V'),
+-    ]
+-
+-def _seg_59() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x11F11, 'X'),
+     (0x11F12, 'V'),
+     (0x11F3B, 'X'),
+     (0x11F3E, 'V'),
++    ]
++
++def _seg_59() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x11F5A, 'X'),
+     (0x11FB0, 'V'),
+     (0x11FB1, 'X'),
+@@ -6246,14 +6242,14 @@ def _seg_59() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x18D00, 'V'),
+     (0x18D09, 'X'),
+     (0x1AFF0, 'V'),
+-    ]
+-
+-def _seg_60() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1AFF4, 'X'),
+     (0x1AFF5, 'V'),
+     (0x1AFFC, 'X'),
+     (0x1AFFD, 'V'),
++    ]
++
++def _seg_60() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1AFFF, 'X'),
+     (0x1B000, 'V'),
+     (0x1B123, 'X'),
+@@ -6350,14 +6346,14 @@ def _seg_60() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1D41E, 'M', 'e'),
+     (0x1D41F, 'M', 'f'),
+     (0x1D420, 'M', 'g'),
+-    ]
+-
+-def _seg_61() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D421, 'M', 'h'),
+     (0x1D422, 'M', 'i'),
+     (0x1D423, 'M', 'j'),
+     (0x1D424, 'M', 'k'),
++    ]
++
++def _seg_61() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D425, 'M', 'l'),
+     (0x1D426, 'M', 'm'),
+     (0x1D427, 'M', 'n'),
+@@ -6454,14 +6450,14 @@ def _seg_61() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1D482, 'M', 'a'),
+     (0x1D483, 'M', 'b'),
+     (0x1D484, 'M', 'c'),
+-    ]
+-
+-def _seg_62() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D485, 'M', 'd'),
+     (0x1D486, 'M', 'e'),
+     (0x1D487, 'M', 'f'),
+     (0x1D488, 'M', 'g'),
++    ]
++
++def _seg_62() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D489, 'M', 'h'),
+     (0x1D48A, 'M', 'i'),
+     (0x1D48B, 'M', 'j'),
+@@ -6558,14 +6554,14 @@ def _seg_62() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1D4E9, 'M', 'z'),
+     (0x1D4EA, 'M', 'a'),
+     (0x1D4EB, 'M', 'b'),
+-    ]
+-
+-def _seg_63() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D4EC, 'M', 'c'),
+     (0x1D4ED, 'M', 'd'),
+     (0x1D4EE, 'M', 'e'),
+     (0x1D4EF, 'M', 'f'),
++    ]
++
++def _seg_63() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D4F0, 'M', 'g'),
+     (0x1D4F1, 'M', 'h'),
+     (0x1D4F2, 'M', 'i'),
+@@ -6662,14 +6658,14 @@ def _seg_63() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1D550, 'M', 'y'),
+     (0x1D551, 'X'),
+     (0x1D552, 'M', 'a'),
+-    ]
+-
+-def _seg_64() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D553, 'M', 'b'),
+     (0x1D554, 'M', 'c'),
+     (0x1D555, 'M', 'd'),
+     (0x1D556, 'M', 'e'),
++    ]
++
++def _seg_64() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D557, 'M', 'f'),
+     (0x1D558, 'M', 'g'),
+     (0x1D559, 'M', 'h'),
+@@ -6766,14 +6762,14 @@ def _seg_64() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1D5B4, 'M', 'u'),
+     (0x1D5B5, 'M', 'v'),
+     (0x1D5B6, 'M', 'w'),
+-    ]
+-
+-def _seg_65() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D5B7, 'M', 'x'),
+     (0x1D5B8, 'M', 'y'),
+     (0x1D5B9, 'M', 'z'),
+     (0x1D5BA, 'M', 'a'),
++    ]
++
++def _seg_65() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D5BB, 'M', 'b'),
+     (0x1D5BC, 'M', 'c'),
+     (0x1D5BD, 'M', 'd'),
+@@ -6870,14 +6866,14 @@ def _seg_65() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1D618, 'M', 'q'),
+     (0x1D619, 'M', 'r'),
+     (0x1D61A, 'M', 's'),
+-    ]
+-
+-def _seg_66() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D61B, 'M', 't'),
+     (0x1D61C, 'M', 'u'),
+     (0x1D61D, 'M', 'v'),
+     (0x1D61E, 'M', 'w'),
++    ]
++
++def _seg_66() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D61F, 'M', 'x'),
+     (0x1D620, 'M', 'y'),
+     (0x1D621, 'M', 'z'),
+@@ -6974,14 +6970,14 @@ def _seg_66() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1D67C, 'M', 'm'),
+     (0x1D67D, 'M', 'n'),
+     (0x1D67E, 'M', 'o'),
+-    ]
+-
+-def _seg_67() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D67F, 'M', 'p'),
+     (0x1D680, 'M', 'q'),
+     (0x1D681, 'M', 'r'),
+     (0x1D682, 'M', 's'),
++    ]
++
++def _seg_67() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D683, 'M', 't'),
+     (0x1D684, 'M', 'u'),
+     (0x1D685, 'M', 'v'),
+@@ -7078,14 +7074,14 @@ def _seg_67() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1D6E2, 'M', 'α'),
+     (0x1D6E3, 'M', 'β'),
+     (0x1D6E4, 'M', 'γ'),
+-    ]
+-
+-def _seg_68() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D6E5, 'M', 'δ'),
+     (0x1D6E6, 'M', 'ε'),
+     (0x1D6E7, 'M', 'ζ'),
+     (0x1D6E8, 'M', 'η'),
++    ]
++
++def _seg_68() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D6E9, 'M', 'θ'),
+     (0x1D6EA, 'M', 'ι'),
+     (0x1D6EB, 'M', 'κ'),
+@@ -7182,14 +7178,14 @@ def _seg_68() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1D747, 'M', 'σ'),
+     (0x1D749, 'M', 'τ'),
+     (0x1D74A, 'M', 'υ'),
+-    ]
+-
+-def _seg_69() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D74B, 'M', 'φ'),
+     (0x1D74C, 'M', 'χ'),
+     (0x1D74D, 'M', 'ψ'),
+     (0x1D74E, 'M', 'ω'),
++    ]
++
++def _seg_69() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D74F, 'M', '∂'),
+     (0x1D750, 'M', 'ε'),
+     (0x1D751, 'M', 'θ'),
+@@ -7286,14 +7282,14 @@ def _seg_69() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1D7AD, 'M', 'δ'),
+     (0x1D7AE, 'M', 'ε'),
+     (0x1D7AF, 'M', 'ζ'),
+-    ]
+-
+-def _seg_70() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D7B0, 'M', 'η'),
+     (0x1D7B1, 'M', 'θ'),
+     (0x1D7B2, 'M', 'ι'),
+     (0x1D7B3, 'M', 'κ'),
++    ]
++
++def _seg_70() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D7B4, 'M', 'λ'),
+     (0x1D7B5, 'M', 'μ'),
+     (0x1D7B6, 'M', 'ν'),
+@@ -7390,14 +7386,14 @@ def _seg_70() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1E030, 'M', 'а'),
+     (0x1E031, 'M', 'б'),
+     (0x1E032, 'M', 'в'),
+-    ]
+-
+-def _seg_71() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1E033, 'M', 'г'),
+     (0x1E034, 'M', 'д'),
+     (0x1E035, 'M', 'е'),
+     (0x1E036, 'M', 'ж'),
++    ]
++
++def _seg_71() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1E037, 'M', 'з'),
+     (0x1E038, 'M', 'и'),
+     (0x1E039, 'M', 'к'),
+@@ -7494,14 +7490,14 @@ def _seg_71() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1E907, 'M', '𞤩'),
+     (0x1E908, 'M', '𞤪'),
+     (0x1E909, 'M', '𞤫'),
+-    ]
+-
+-def _seg_72() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1E90A, 'M', '𞤬'),
+     (0x1E90B, 'M', '𞤭'),
+     (0x1E90C, 'M', '𞤮'),
+     (0x1E90D, 'M', '𞤯'),
++    ]
++
++def _seg_72() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1E90E, 'M', '𞤰'),
+     (0x1E90F, 'M', '𞤱'),
+     (0x1E910, 'M', '𞤲'),
+@@ -7598,14 +7594,14 @@ def _seg_72() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1EE48, 'X'),
+     (0x1EE49, 'M', 'ي'),
+     (0x1EE4A, 'X'),
+-    ]
+-
+-def _seg_73() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1EE4B, 'M', 'ل'),
+     (0x1EE4C, 'X'),
+     (0x1EE4D, 'M', 'ن'),
+     (0x1EE4E, 'M', 'س'),
++    ]
++
++def _seg_73() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1EE4F, 'M', 'ع'),
+     (0x1EE50, 'X'),
+     (0x1EE51, 'M', 'ص'),
+@@ -7702,14 +7698,14 @@ def _seg_73() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1EEB2, 'M', 'ق'),
+     (0x1EEB3, 'M', 'ر'),
+     (0x1EEB4, 'M', 'ش'),
+-    ]
+-
+-def _seg_74() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1EEB5, 'M', 'ت'),
+     (0x1EEB6, 'M', 'ث'),
+     (0x1EEB7, 'M', 'خ'),
+     (0x1EEB8, 'M', 'ذ'),
++    ]
++
++def _seg_74() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1EEB9, 'M', 'ض'),
+     (0x1EEBA, 'M', 'ظ'),
+     (0x1EEBB, 'M', 'غ'),
+@@ -7806,14 +7802,14 @@ def _seg_74() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1F150, 'V'),
+     (0x1F16A, 'M', 'mc'),
+     (0x1F16B, 'M', 'md'),
+-    ]
+-
+-def _seg_75() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1F16C, 'M', 'mr'),
+     (0x1F16D, 'V'),
+     (0x1F190, 'M', 'dj'),
+     (0x1F191, 'V'),
++    ]
++
++def _seg_75() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1F1AE, 'X'),
+     (0x1F1E6, 'V'),
+     (0x1F200, 'M', 'ほか'),
+@@ -7910,14 +7906,14 @@ def _seg_75() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x1FA54, 'X'),
+     (0x1FA60, 'V'),
+     (0x1FA6E, 'X'),
+-    ]
+-
+-def _seg_76() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1FA70, 'V'),
+     (0x1FA7D, 'X'),
+     (0x1FA80, 'V'),
+     (0x1FA89, 'X'),
++    ]
++
++def _seg_76() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1FA90, 'V'),
+     (0x1FABE, 'X'),
+     (0x1FABF, 'V'),
+@@ -7953,6 +7949,8 @@ def _seg_76() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x2CEA2, 'X'),
+     (0x2CEB0, 'V'),
+     (0x2EBE1, 'X'),
++    (0x2EBF0, 'V'),
++    (0x2EE5E, 'X'),
+     (0x2F800, 'M', '丽'),
+     (0x2F801, 'M', '丸'),
+     (0x2F802, 'M', '乁'),
+@@ -8014,12 +8012,12 @@ def _seg_76() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x2F83C, 'M', '咞'),
+     (0x2F83D, 'M', '吸'),
+     (0x2F83E, 'M', '呈'),
++    (0x2F83F, 'M', '周'),
++    (0x2F840, 'M', '咢'),
+     ]
+ 
+ def _seg_77() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     return [
+-    (0x2F83F, 'M', '周'),
+-    (0x2F840, 'M', '咢'),
+     (0x2F841, 'M', '哶'),
+     (0x2F842, 'M', '唐'),
+     (0x2F843, 'M', '啓'),
+@@ -8118,12 +8116,12 @@ def _seg_77() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x2F8A4, 'M', '𢛔'),
+     (0x2F8A5, 'M', '惇'),
+     (0x2F8A6, 'M', '慈'),
++    (0x2F8A7, 'M', '慌'),
++    (0x2F8A8, 'M', '慎'),
+     ]
+ 
+ def _seg_78() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     return [
+-    (0x2F8A7, 'M', '慌'),
+-    (0x2F8A8, 'M', '慎'),
+     (0x2F8A9, 'M', '慌'),
+     (0x2F8AA, 'M', '慺'),
+     (0x2F8AB, 'M', '憎'),
+@@ -8222,12 +8220,12 @@ def _seg_78() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x2F908, 'M', '港'),
+     (0x2F909, 'M', '湮'),
+     (0x2F90A, 'M', '㴳'),
++    (0x2F90B, 'M', '滋'),
++    (0x2F90C, 'M', '滇'),
+     ]
+ 
+ def _seg_79() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     return [
+-    (0x2F90B, 'M', '滋'),
+-    (0x2F90C, 'M', '滇'),
+     (0x2F90D, 'M', '𣻑'),
+     (0x2F90E, 'M', '淹'),
+     (0x2F90F, 'M', '潮'),
+@@ -8326,12 +8324,12 @@ def _seg_79() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x2F96F, 'M', '縂'),
+     (0x2F970, 'M', '繅'),
+     (0x2F971, 'M', '䌴'),
++    (0x2F972, 'M', '𦈨'),
++    (0x2F973, 'M', '𦉇'),
+     ]
+ 
+ def _seg_80() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     return [
+-    (0x2F972, 'M', '𦈨'),
+-    (0x2F973, 'M', '𦉇'),
+     (0x2F974, 'M', '䍙'),
+     (0x2F975, 'M', '𦋙'),
+     (0x2F976, 'M', '罺'),
+@@ -8430,12 +8428,12 @@ def _seg_80() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     (0x2F9D3, 'M', '𧲨'),
+     (0x2F9D4, 'M', '貫'),
+     (0x2F9D5, 'M', '賁'),
++    (0x2F9D6, 'M', '贛'),
++    (0x2F9D7, 'M', '起'),
+     ]
+ 
+ def _seg_81() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     return [
+-    (0x2F9D6, 'M', '贛'),
+-    (0x2F9D7, 'M', '起'),
+     (0x2F9D8, 'M', '𧼯'),
+     (0x2F9D9, 'M', '𠠄'),
+     (0x2F9DA, 'M', '跋'),
+diff --git a/src/pip/_vendor/vendor.txt b/src/pip/_vendor/vendor.txt
+index 5554c38..c5a8eba 100644
+--- a/src/pip/_vendor/vendor.txt
++++ b/src/pip/_vendor/vendor.txt
+@@ -10,7 +10,7 @@ pyproject-hooks==1.0.0
+ requests==2.31.0
+     certifi==2023.7.22
+     chardet==5.1.0
+-    idna==3.4
++    idna==3.7
+     urllib3==1.26.17
+ rich==13.4.2
+     pygments==2.15.1
+-- 
+2.34.1
+
diff --git a/SPECS/python-pip/python-pip.spec b/SPECS/python-pip/python-pip.spec
index 2c0c1f75cd9..e09af894801 100644
--- a/SPECS/python-pip/python-pip.spec
+++ b/SPECS/python-pip/python-pip.spec
@@ -5,13 +5,14 @@ A tool for installing and managing Python packages}
 Summary:        A tool for installing and managing Python packages
 Name:           python-pip
 Version:        24.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT AND Python-2.0.1 AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND LGPL-2.1-only AND MPL-2.0 AND (Apache-2.0 OR BSD-2-Clause)
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Development/Tools
 URL:            https://pip.pypa.io/
 Source0:        https://github.com/pypa/pip/archive/%{version}/%{srcname}-%{version}.tar.gz
+Patch0:         CVE-2024-3651.patch
 
 BuildArch:      noarch
 
@@ -20,13 +21,12 @@ BuildArch:      noarch
 %package -n python3-pip
 Summary:        %{summary}
 BuildRequires:  python3-devel
-# TODO: enable python3-wheel BR when this package is added to toolchain to fix non-toolchain builds
-#BuildRequires:  python3-wheel
+BuildRequires:  python3-wheel
 
 %description -n python3-pip %{_description}
 
 %prep
-%autosetup -n %{srcname}-%{version}
+%autosetup -p1 -n %{srcname}-%{version}
 
 %build
 # Bootstrap `pip3` which casues ptest build failure.
@@ -52,6 +52,10 @@ pip3 install --no-cache-dir --no-index --ignore-installed --root %{buildroot} \
 %{python3_sitelib}/pip*
 
 %changelog
-* Tue Feb 13 2024 Andrew Phelps anphel@microsoft.com - 24.0-1
+* Wed Aug 28 2024 Rachel Menge <rachelmenge@microsoft.com> - 24.0-2
+- Patch CVE-2024-3651.patch
+- Add python3-wheel BR to python3-pip subpackage
+
+* Tue Feb 13 2024 Andrew Phelps <anphel@microsoft.com> - 24.0-1
 - License verified
 - Original version for Azure Linux.
diff --git a/SPECS/python-platformdirs/python-platformdirs.spec b/SPECS/python-platformdirs/python-platformdirs.spec
index ebe3a471a1e..2a8ae6d4bc3 100644
--- a/SPECS/python-platformdirs/python-platformdirs.spec
+++ b/SPECS/python-platformdirs/python-platformdirs.spec
@@ -1,5 +1,4 @@
 # Disable tests as it requires new package python-exceptiongroup
-%global with_check 0
 %global srcname platformdirs
 %bcond_without tests
 %global common_description %{expand:
@@ -8,7 +7,7 @@ a "user data dir".}
 Summary:        Python module for determining appropriate platform-specific dirs
 Name:           python-%{srcname}
 Version:        4.2.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -26,6 +25,11 @@ BuildRequires:  python3-pathspec
 BuildRequires:  python3-pluggy
 BuildRequires:  python3-tomli
 BuildRequires:  python3-trove-classifiers
+%if 0%{?with_check}
+BuildRequires:  python3-pytest
+BuildRequires:  python3-pytest-mock
+BuildRequires:  python3-appdirs
+%endif
 BuildArch:      noarch
 
 %description %{common_description}
@@ -51,13 +55,12 @@ BuildRequires:  python3-devel
 
 
 %check
-%if 0%{?with_check}
 %if %{with tests}
+pip install iniconfig==2.0.0
 %pytest
 %else
 %pyproject_check_import
 %endif
-%endif
 
 
 %files -n python3-%{srcname} -f %{pyproject_files}
@@ -65,6 +68,9 @@ BuildRequires:  python3-devel
 %doc README.rst
 
 %changelog
+* Thu Oct 03 2024 Bala <balakumaran.kannan@microsoft.com> - 4.2.0-2
+- Fixing the missing dependency in the test section and enable it
+
 * Mon Feb 26 2024 Bala <balakumaran.kannan@microsoft.com> - 4.2.0-1
 - Upgraded to 4.2.0
 - Disable tests as pytest requires new package python-exceptiongroup
diff --git a/SPECS/python-pyproject-metadata/python-pyproject-metadata.signatures.json b/SPECS/python-pyproject-metadata/python-pyproject-metadata.signatures.json
new file mode 100644
index 00000000000..938f50d0294
--- /dev/null
+++ b/SPECS/python-pyproject-metadata/python-pyproject-metadata.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "python-pyproject-metadata-0.8.0.tar.gz": "bb5015c9f3869c6fa59d8fdf29840a58cda2a570cb557b8aecae0f9e97a4cf88"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/python-pyproject-metadata/python-pyproject-metadata.spec b/SPECS/python-pyproject-metadata/python-pyproject-metadata.spec
new file mode 100644
index 00000000000..732649cfd84
--- /dev/null
+++ b/SPECS/python-pyproject-metadata/python-pyproject-metadata.spec
@@ -0,0 +1,143 @@
+%global pkgname pyproject-metadata
+
+# Building the documentation requires the furo Sphinx theme.  But building furo
+# requires sphinx_theme_builder, which requires this package.  Avoid a
+# dependency loop with this conditional.
+%bcond_with doc
+
+Name:           python-%{pkgname}
+Version:        0.8.0
+Release:        1%{?dist}
+Summary:        PEP 621 metadata parsing
+
+License:        MIT
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+URL:            https://github.com/pypa/python-%{pkgname}
+Source0:        %{url}/archive/%{version}/%{name}-%{version}.tar.gz
+
+BuildArch:      noarch
+
+BuildRequires:  python3-devel
+BuildRequires:  python3-flit-core
+BuildRequires:  python3-pip
+BuildRequires:  python3-wheel
+BuildRequires:  %{py3_dist docutils}
+
+%if 0%{?with_check}
+BuildRequires:  python3-pytest
+%endif
+
+%global _desc %{expand:
+Dataclass for PEP 621 metadata with support for core metadata generation.
+
+This project does not implement the parsing of pyproject.toml containing
+PEP 621 metadata.  Instead, given a Python data structure representing
+PEP 621 metadata (already parsed), it will validate this input and
+generate a PEP 643-compliant metadata file (e.g. PKG-INFO).}
+
+%description %_desc
+
+%package     -n python3-%{pkgname}
+Summary:        PEP 621 metadata parsing
+
+# This can be removed when F40 reaches EOL
+Obsoletes:      python3-pep621 < 0.5
+Provides:       python3-pep621 = %{version}-%{release}
+
+%description -n python3-%{pkgname} %_desc
+
+%if %{with doc}
+%package        doc
+Summary:        Documentation for python3-%{pkgname}
+
+# This can be removed when F40 reaches EOL
+Obsoletes:      python3-pep621-doc < 0.5
+Provides:       python3-pep621-doc = %{version}-%{release}
+
+%description    doc
+Documentation for python3-%{pkgname}.
+%endif
+
+%prep
+%autosetup -p1 -n %{pkgname}-%{version}
+# No need to BuildRequire pytest-cov to run pytest
+sed -i /pytest-cov/d pyproject.toml
+
+%generate_buildrequires
+%if %{with doc}
+%pyproject_buildrequires -x test,docs
+%else
+%pyproject_buildrequires -x test
+%endif
+
+%build
+%pyproject_wheel
+rst2html --no-datestamp CHANGELOG.rst CHANGELOG.html
+
+%if %{with doc}
+# Build the documentation
+PYTHONPATH=$PWD/build/lib
+mkdir html
+sphinx-build -b html docs html
+rm -rf html/{.buildinfo,.doctrees}
+%endif
+
+%install
+%pyproject_install
+%pyproject_save_files pyproject_metadata
+
+%check
+# Freezing package versions to keep the tests stable.
+pip3 install iniconfig==2.0.0
+%pytest
+
+%files -n python3-%{pkgname} -f %{pyproject_files}
+%doc CHANGELOG.html README.md
+%license LICENSE
+
+%if %{with doc}
+%files doc
+%doc html
+%endif
+
+%changelog
+* Tue Aug 27 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.8.0-1
+- Initial CBL-Mariner import from Fedora 40 (license: MIT).
+- License Verified
+- Upgraded to version 0.8.0.
+- Switched to using original upstream source.
+
+* Fri Jan 26 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Jul 11 2023 Miro Hrončok <mhroncok@redhat.com> - 0.7.1-3
+- Drop an unused build requirement on pytest-cov
+
+* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 0.7.1-2
+- Rebuilt for Python 3.12
+
+* Thu Feb 23 2023 Jerry James <loganjerry@gmail.com> - 0.7.1-1
+- Dynamically generate BuildRequires
+
+* Mon Jan 30 2023 Jerry James <loganjerry@gmail.com> - 0.7.1-1
+- Version 0.7.1
+- Drop packaging workaround, resolved upstream
+
+* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Jan 18 2023 Jerry James <loganjerry@gmail.com> - 0.7.0-2
+- Work around FTI due to version of packaging (rhbz#2161981)
+
+* Tue Jan 17 2023 Jerry James <loganjerry@gmail.com> - 0.7.0-1
+- Version 0.7.0
+
+* Tue Jul 26 2022 Jerry James <loganjerry@gmail.com> - 0.6.1-1
+- Initial RPM, obsoleting python-pep621
diff --git a/SPECS/python-pyroute2/python-pyroute2.signatures.json b/SPECS/python-pyroute2/python-pyroute2.signatures.json
new file mode 100644
index 00000000000..7b2ea4b414e
--- /dev/null
+++ b/SPECS/python-pyroute2/python-pyroute2.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "python-pyroute2-0.7.12.tar.gz": "54d226fc3ff2732f49bac9b26853c50c9d05be05a4d9daf09c7cf6d77301eff3"
+ }
+}
diff --git a/SPECS-EXTENDED/python-pyroute2/python-pyroute2.spec b/SPECS/python-pyroute2/python-pyroute2.spec
similarity index 77%
rename from SPECS-EXTENDED/python-pyroute2/python-pyroute2.spec
rename to SPECS/python-pyroute2/python-pyroute2.spec
index c12d8b378b9..ea6a2741f84 100644
--- a/SPECS-EXTENDED/python-pyroute2/python-pyroute2.spec
+++ b/SPECS/python-pyroute2/python-pyroute2.spec
@@ -1,90 +1,57 @@
 %global srcname pyroute2
 
-Summary:        Pure Python netlink library
-Name:           python-%{srcname}
-Version:        0.6.5
-Release:        3%{?dist}
-License:        GPLv2+
-URL:            https://github.com/svinota/%{srcname}
-Source0:        https://pypi.io/packages/source/p/pyroute2/%{srcname}-%{version}.tar.gz
-Source1:        %{srcname}.core-%{version}.tar.gz
-Source2:        %{srcname}.nslink-%{version}.tar.gz
-Source3:        %{srcname}.nftables-%{version}.tar.gz
-Source4:        %{srcname}.ethtool-%{version}.tar.gz
-Source5:        %{srcname}.ipset-%{version}.tar.gz
-Source6:        %{srcname}.ipdb-%{version}.tar.gz
-Source7:        %{srcname}.ndb-%{version}.tar.gz
-BuildArch:      noarch
-
-%description
-PyRoute2 provides several levels of API to work with Netlink
-protocols, such as Generic Netlink, RTNL, TaskStats, NFNetlink,
+%global _description \
+PyRoute2 provides several levels of API to work with Netlink\
+protocols, such as Generic Netlink, RTNL, TaskStats, NFNetlink,\
 IPQ.
 
-%package -n python3-%{srcname}
-Summary:        %{summary}
-BuildRequires:  python3-devel
-BuildRequires:  python3-setuptools
- 
-%description -n python3-%{srcname}
-PyRoute2 provides several levels of API to work with Netlink
-protocols, such as Generic Netlink, RTNL, TaskStats, NFNetlink,
-IPQ.
+Name:          python-%{srcname}
+Version:       0.7.12
+Release:       1%{?dist}
+Vendor:        Microsoft Corporation
+Distribution:  Azure Linux
+Summary:       Pure Python netlink library
+License:       GPL-2.0-or-later OR Apache-2.0
+URL:           https://github.com/svinota/%{srcname}
+
+BuildArch:     noarch
+BuildRequires: python3-pip
+BuildRequires: python3-wheel
+Source0:       %{url}/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+
+%description   %{_description}
+
+
+%package -n python%{python3_pkgversion}-%{srcname}
+Summary: %{summary}
+BuildRequires: python%{python3_pkgversion}-devel
+BuildRequires: python%{python3_pkgversion}-setuptools
+
+%description -n python%{python3_pkgversion}-%{srcname} %{_description}
 
 %prep
-%setup -q -n %{srcname}-%{version}
-cd ..
-tar xzvf %{SOURCE1}
-tar xzvf %{SOURCE2}
-tar xzvf %{SOURCE3}
-tar xzvf %{SOURCE4}
-tar xzvf %{SOURCE5}
-tar xzvf %{SOURCE6}
-tar xzvf %{SOURCE7}
+%autosetup -n %{srcname}-%{version}
 
 %build
-%py3_build
-cd ../pyroute2.core-%{version}
-%py3_build
-cd ../pyroute2.nslink-%{version}
-%py3_build
-cd ../pyroute2.nftables-%{version}
-%py3_build
-cd ../pyroute2.ethtool-%{version}
-%py3_build
-cd ../pyroute2.ipset-%{version}
-%py3_build
-cd ../pyroute2.ipdb-%{version}
-%py3_build
-cd ../pyroute2.ndb-%{version}
-%py3_build
+%pyproject_wheel
 
 %install
-%py3_install
-cd ../pyroute2.core-%{version}
-%py3_install
-cd ../pyroute2.nslink-%{version}
-%py3_install
-cd ../pyroute2.nftables-%{version}
-%py3_install
-cd ../pyroute2.ethtool-%{version}
-%py3_install
-cd ../pyroute2.ipset-%{version}
-%py3_install
-cd ../pyroute2.ipdb-%{version}
-%py3_install
-cd ../pyroute2.ndb-%{version}
-%py3_install
-
-%files -n python3-%{srcname}
+%pyproject_install
+%pyproject_save_files pyroute2
+
+%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files}
 %{_bindir}/ss2
 %{_bindir}/%{srcname}-cli
-%doc README* LICENSE.GPL.v2 LICENSE.Apache.v2
-%{python3_sitelib}/%{srcname}*
+%{_bindir}/%{srcname}-dhcp-client
+%{_bindir}/%{srcname}-test-platform
+%doc README*
+%license LICENSE.GPL-2.0-or-later LICENSE.Apache-2.0
 %{python3_sitelib}/pr2modules
 
-
 %changelog
+* Wed Aug 28 2024 Reuben Olinsky <reubeno@microsoft.com> - 0.7.12-1
+- Upgrading to 0.7.12.
+
 * Fri Apr 29 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.6.5-3
 - Fixing source URL.
 
diff --git a/SPECS/python-pytest-flakes/python-pytest-flakes.spec b/SPECS/python-pytest-flakes/python-pytest-flakes.spec
index 3ff6ef3a2c2..8756e32db60 100644
--- a/SPECS/python-pytest-flakes/python-pytest-flakes.spec
+++ b/SPECS/python-pytest-flakes/python-pytest-flakes.spec
@@ -3,11 +3,13 @@
 
 Name:           python-%{srcname}
 Version:        4.0.5
-Release:        9%{?dist}
+Release:        10%{?dist}
 Summary:        Pytest plugin to check source code with pyflakes
 
 License:        MIT
 URL:            https://pypi.python.org/pypi/pytest-flakes
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        %{pypi_source}
 
 BuildArch:      noarch
@@ -52,6 +54,9 @@ rm -rf *.egg-info
 %{python3_sitelib}/__pycache__/pytest_flakes.*
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 4.0.5-10
+- Add missing Vendor and Distribution tags.
+
 * Mon May 20 2024 Sam Meluch <sammeluch@microsoft.com> - 4.0.5-9
 - Add pip test dependency to fix package tests
 
diff --git a/SPECS/python-rpmautospec-core/python-rpmautospec-core.signatures.json b/SPECS/python-rpmautospec-core/python-rpmautospec-core.signatures.json
new file mode 100644
index 00000000000..39d7d769b25
--- /dev/null
+++ b/SPECS/python-rpmautospec-core/python-rpmautospec-core.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "rpmautospec-core-0.1.5.tar.gz": "c0acf19ed013355d02c1e28220ad9d6f9088f7f61b4a29d16d5364298bc6e6f3"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/python-rpmautospec-core/python-rpmautospec-core.spec b/SPECS/python-rpmautospec-core/python-rpmautospec-core.spec
new file mode 100644
index 00000000000..e81fd012fab
--- /dev/null
+++ b/SPECS/python-rpmautospec-core/python-rpmautospec-core.spec
@@ -0,0 +1,101 @@
+%bcond_with testcoverage
+
+# Only generate buildrequires or use PEP 518 style building on Fedora and new EPEL releases because
+# Poetry is missing elsewhere. Fall back to using setuptools instead.
+%if ((! 0%{?azl}) && (! 0%{?rhel} || 0%{?epel} >= 10))
+%bcond_without genbrs
+%bcond_without pyproject_build
+%else
+%bcond_with genbrs
+%bcond_with pyproject_build
+%endif
+
+%if 0%{undefined pyproject_files}
+%global pyproject_files %{_builddir}/%{name}-%{version}-%{release}.%{_arch}-pyproject-files
+%endif
+
+%global srcname rpmautospec_core
+%global canonicalname rpmautospec-core
+
+Name:          python-%{canonicalname}
+Version:       0.1.5
+Release:       1%{?dist}
+Vendor:        Microsoft Corporation
+Distribution:  Azure Linux
+Summary:       Minimum functionality for rpmautospec
+
+License:       MIT
+URL: https://github.com/fedora-infra/%{canonicalname}
+Source0:       %{url}/releases/download/%{version}/rpmautospec_core-%{version}.tar.gz#/%{canonicalname}-%{version}.tar.gz
+BuildArch:     noarch
+BuildRequires: python3-devel >= 3.6.0
+# The dependencies needed for testing don’t get auto-generated.
+BuildRequires: python3dist(pytest)
+%if %{with testcoverage}
+BuildRequires: python3dist(pytest-cov)
+%endif
+BuildRequires: sed
+
+%if %{with genbrs}
+%generate_buildrequires
+%{pyproject_buildrequires}
+%else
+BuildRequires: python3dist(pip)
+BuildRequires: python3dist(setuptools)
+%endif
+
+%global _description %{expand:
+This package contains minimum functionality to determine if an RPM spec file
+uses rpmautospec features.}
+
+%description %_description
+
+%package -n python3-%{canonicalname}
+Summary: %{summary}
+%if %{without pyproject_build}
+%py_provides python3-%{canonicalname}
+%endif
+
+%description -n python3-%{canonicalname} %_description
+
+%prep
+%autosetup -n %{srcname}-%{version}
+
+%if %{without testcoverage}
+cat << PYTESTINI > pytest.ini
+[pytest]
+addopts =
+PYTESTINI
+%endif
+
+%build
+%if %{with pyproject_build}
+%pyproject_wheel
+%else
+%py3_build
+%endif
+
+%install
+%if %{with pyproject_build}
+%pyproject_install
+%pyproject_save_files %{srcname}
+# Work around poetry not listing license files as such in package metadata.
+sed -i -e 's|^\(.*/LICENSE\)|%%license \1|g' %{pyproject_files}
+%else
+%py3_install
+echo '%{python3_sitelib}/%{srcname}*' > %{pyproject_files}
+%endif
+
+%check
+%pytest
+
+%files -n python3-%{canonicalname} -f %{pyproject_files}
+%doc README.md
+%if %{without pyproject_build}
+%license LICENSE
+%endif
+
+%changelog
+* Wed Aug 28 2028 Reuben Olinsky <reubeno@microsoft.com> - 0.1.5-1
+- Initial Azure Linux import from Fedora 41 (license: MIT)
+- License verified
diff --git a/SPECS/python-setuptools/CVE-2024-6345.patch b/SPECS/python-setuptools/CVE-2024-6345.patch
new file mode 100644
index 00000000000..96bb51a3fe1
--- /dev/null
+++ b/SPECS/python-setuptools/CVE-2024-6345.patch
@@ -0,0 +1,316 @@
+From 62ad60773f29ed3bfc0f36bb6aa04ca4c51a0566 Mon Sep 17 00:00:00 2001
+From: Sindhu Karri <lakarri@microsoft.com>
+Date: Tue, 23 Jul 2024 08:54:49 +0000
+Subject: [PATCH] Fix CVE-2024-6345 in python3-setuptools
+
+---
+ newsfragments/4332.feature.rst        |   1 +
+ setup.cfg                             |   1 +
+ setuptools/package_index.py           | 146 ++++++++++++++------------
+ setuptools/tests/test_packageindex.py |  56 +++++-----
+ 4 files changed, 108 insertions(+), 96 deletions(-)
+ create mode 100644 newsfragments/4332.feature.rst
+
+diff --git a/newsfragments/4332.feature.rst b/newsfragments/4332.feature.rst
+new file mode 100644
+index 0000000..9f46298
+--- /dev/null
++++ b/newsfragments/4332.feature.rst
+@@ -0,0 +1 @@
++Modernized and refactored VCS handling in package_index.
+\ No newline at end of file
+diff --git a/setup.cfg b/setup.cfg
+index 4e12e70..7797a9f 100644
+--- a/setup.cfg
++++ b/setup.cfg
+@@ -67,6 +67,7 @@ testing =
+ 	pytest-perf; \
+ 	sys_platform != "cygwin"
+ 	jaraco.develop >= 7.21; python_version >= "3.9" and sys_platform != "cygwin"
++        pytest-subprocess
+ testing-integration = 
+ 	pytest
+ 	pytest-xdist
+diff --git a/setuptools/package_index.py b/setuptools/package_index.py
+index 3cedd51..cf25f83 100644
+--- a/setuptools/package_index.py
++++ b/setuptools/package_index.py
+@@ -1,6 +1,7 @@
+ """PyPI and direct package downloading."""
+ 
+ import sys
++import subprocess
+ import os
+ import re
+ import io
+@@ -586,7 +587,7 @@ class PackageIndex(Environment):
+             scheme = URL_SCHEME(spec)
+             if scheme:
+                 # It's a url, download it to tmpdir
+-                found = self._download_url(scheme.group(1), spec, tmpdir)
++                found = self._download_url(spec, tmpdir)
+                 base, fragment = egg_info_for_url(spec)
+                 if base.endswith('.py'):
+                     found = self.gen_setup(found, fragment, tmpdir)
+@@ -812,7 +813,7 @@ class PackageIndex(Environment):
+             else:
+                 raise DistutilsError("Download error for %s: %s" % (url, v)) from v
+ 
+-    def _download_url(self, scheme, url, tmpdir):
++    def _download_url(self, url, tmpdir):
+         # Determine download filename
+         #
+         name, fragment = egg_info_for_url(url)
+@@ -827,19 +828,59 @@ class PackageIndex(Environment):
+ 
+         filename = os.path.join(tmpdir, name)
+ 
+-        # Download the file
+-        #
+-        if scheme == 'svn' or scheme.startswith('svn+'):
+-            return self._download_svn(url, filename)
+-        elif scheme == 'git' or scheme.startswith('git+'):
+-            return self._download_git(url, filename)
+-        elif scheme.startswith('hg+'):
+-            return self._download_hg(url, filename)
+-        elif scheme == 'file':
+-            return urllib.request.url2pathname(urllib.parse.urlparse(url)[2])
+-        else:
+-            self.url_ok(url, True)  # raises error if not allowed
+-            return self._attempt_download(url, filename)
++        return self._download_vcs(url, filename) or self._download_other(url, filename)
++
++    @staticmethod
++    def _resolve_vcs(url):
++        """
++        >>> rvcs = PackageIndex._resolve_vcs
++        >>> rvcs('git+http://foo/bar')
++        'git'
++        >>> rvcs('hg+https://foo/bar')
++        'hg'
++        >>> rvcs('git:myhost')
++        'git'
++        >>> rvcs('hg:myhost')
++        >>> rvcs('http://foo/bar')
++        """
++        scheme = urllib.parse.urlsplit(url).scheme
++        pre, sep, post = scheme.partition('+')
++        # svn and git have their own protocol; hg does not
++        allowed = set(['svn', 'git'] + ['hg'] * bool(sep))
++        return next(iter({pre} & allowed), None)
++
++    def _download_vcs(self, url, spec_filename):
++        vcs = self._resolve_vcs(url)
++        if not vcs:
++            return
++        if vcs == 'svn':
++            raise DistutilsError(
++                f"Invalid config, SVN download is not supported: {url}"
++            )
++
++        filename, _, _ = spec_filename.partition('#')
++        url, rev = self._vcs_split_rev_from_url(url)
++
++        self.info(f"Doing {vcs} clone from {url} to {filename}")
++        subprocess.check_call([vcs, 'clone', '--quiet', url, filename])
++
++        co_commands = dict(
++            git=[vcs, '-C', filename, 'checkout', '--quiet', rev],
++            hg=[vcs, '--cwd', filename, 'up', '-C', '-r', rev, '-q'],
++        )
++        if rev is not None:
++            self.info(f"Checking out {rev}")
++            subprocess.check_call(co_commands[vcs])
++
++        return filename
++
++    def _download_other(self, url, filename):
++        scheme = urllib.parse.urlsplit(url).scheme
++        if scheme == 'file':  # pragma: no cover
++            return urllib.request.url2pathname(urllib.parse.urlparse(url).path)
++        # raise error if not allowed
++        self.url_ok(url, True)
++        return self._attempt_download(url, filename)
+ 
+     def scan_url(self, url):
+         self.process_url(url, True)
+@@ -855,64 +896,37 @@ class PackageIndex(Environment):
+         os.unlink(filename)
+         raise DistutilsError(f"Unexpected HTML page found at {url}")
+ 
+-    def _download_svn(self, url, _filename):
+-        raise DistutilsError(f"Invalid config, SVN download is not supported: {url}")
+-
+     @staticmethod
+-    def _vcs_split_rev_from_url(url, pop_prefix=False):
+-        scheme, netloc, path, query, frag = urllib.parse.urlsplit(url)
++    def _vcs_split_rev_from_url(url):
++        """
++        Given a possible VCS URL, return a clean URL and resolved revision if any.
++
++        >>> vsrfu = PackageIndex._vcs_split_rev_from_url
++        >>> vsrfu('git+https://github.com/pypa/setuptools@v69.0.0#egg-info=setuptools')
++        ('https://github.com/pypa/setuptools', 'v69.0.0')
++        >>> vsrfu('git+https://github.com/pypa/setuptools#egg-info=setuptools')
++        ('https://github.com/pypa/setuptools', None)
++        >>> vsrfu('http://foo/bar')
++        ('http://foo/bar', None)
++        """
++        parts = urllib.parse.urlsplit(url)
+ 
+-        scheme = scheme.split('+', 1)[-1]
++        clean_scheme = parts.scheme.split('+', 1)[-1]
+ 
+         # Some fragment identification fails
+-        path = path.split('#', 1)[0]
+-
+-        rev = None
+-        if '@' in path:
+-            path, rev = path.rsplit('@', 1)
+-
+-        # Also, discard fragment
+-        url = urllib.parse.urlunsplit((scheme, netloc, path, query, ''))
+-
+-        return url, rev
+-
+-    def _download_git(self, url, filename):
+-        filename = filename.split('#', 1)[0]
+-        url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
+-
+-        self.info("Doing git clone from %s to %s", url, filename)
+-        os.system("git clone --quiet %s %s" % (url, filename))
+-
+-        if rev is not None:
+-            self.info("Checking out %s", rev)
+-            os.system(
+-                "git -C %s checkout --quiet %s"
+-                % (
+-                    filename,
+-                    rev,
+-                )
+-            )
++        no_fragment_path, _, _ = parts.path.partition('#')
+ 
+-        return filename
++        pre, sep, post = no_fragment_path.rpartition('@')
++        clean_path, rev = (pre, post) if sep else (post, None)
+ 
+-    def _download_hg(self, url, filename):
+-        filename = filename.split('#', 1)[0]
+-        url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True)
++        resolved = parts._replace(
++            scheme=clean_scheme,
++            path=clean_path,
++            # discard the fragment
++            fragment='',
++        ).geturl()
+ 
+-        self.info("Doing hg clone from %s to %s", url, filename)
+-        os.system("hg clone --quiet %s %s" % (url, filename))
+-
+-        if rev is not None:
+-            self.info("Updating to %s", rev)
+-            os.system(
+-                "hg --cwd %s up -C -r %s -q"
+-                % (
+-                    filename,
+-                    rev,
+-                )
+-            )
+-
+-        return filename
++        return resolved, rev
+ 
+     def debug(self, msg, *args):
+         log.debug(msg, *args)
+diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py
+index 0287063..82f4382 100644
+--- a/setuptools/tests/test_packageindex.py
++++ b/setuptools/tests/test_packageindex.py
+@@ -5,7 +5,6 @@ import platform
+ import urllib.request
+ import urllib.error
+ import http.client
+-from unittest import mock
+ 
+ import pytest
+ 
+@@ -186,49 +185,46 @@ class TestPackageIndex:
+             assert dists[0].version == ''
+             assert dists[1].version == vc
+ 
+-    def test_download_git_with_rev(self, tmpdir):
++    def test_download_git_with_rev(self, tmp_path, fp):
+         url = 'git+https://github.example/group/project@master#egg=foo'
+         index = setuptools.package_index.PackageIndex()
+ 
+-        with mock.patch("os.system") as os_system_mock:
+-            result = index.download(url, str(tmpdir))
++        expected_dir = tmp_path / 'project@master'
++        fp.register([
++            'git',
++            'clone',
++            '--quiet',
++            'https://github.example/group/project',
++            expected_dir,
++        ])
++        fp.register(['git', '-C', expected_dir, 'checkout', '--quiet', 'master'])
+ 
+-        os_system_mock.assert_called()
++        result = index.download(url, tmp_path)
+ 
+-        expected_dir = str(tmpdir / 'project@master')
+-        expected = (
+-            'git clone --quiet ' 'https://github.example/group/project {expected_dir}'
+-        ).format(**locals())
+-        first_call_args = os_system_mock.call_args_list[0][0]
+-        assert first_call_args == (expected,)
++        assert result == str(expected_dir)
++        assert len(fp.calls) == 2
+ 
+-        tmpl = 'git -C {expected_dir} checkout --quiet master'
+-        expected = tmpl.format(**locals())
+-        assert os_system_mock.call_args_list[1][0] == (expected,)
+-        assert result == expected_dir
+-
+-    def test_download_git_no_rev(self, tmpdir):
++    def test_download_git_no_rev(self, tmp_path, fp):
+         url = 'git+https://github.example/group/project#egg=foo'
+         index = setuptools.package_index.PackageIndex()
+ 
+-        with mock.patch("os.system") as os_system_mock:
+-            result = index.download(url, str(tmpdir))
+-
+-        os_system_mock.assert_called()
+-
+-        expected_dir = str(tmpdir / 'project')
+-        expected = (
+-            'git clone --quiet ' 'https://github.example/group/project {expected_dir}'
+-        ).format(**locals())
+-        os_system_mock.assert_called_once_with(expected)
+-
+-    def test_download_svn(self, tmpdir):
++        expected_dir = tmp_path / 'project'
++        fp.register([
++            'git',
++            'clone',
++            '--quiet',
++            'https://github.example/group/project',
++            expected_dir,
++        ])
++        index.download(url, tmp_path)
++
++    def test_download_svn(self, tmp_path):
+         url = 'svn+https://svn.example/project#egg=foo'
+         index = setuptools.package_index.PackageIndex()
+ 
+         msg = r".*SVN download is not supported.*"
+         with pytest.raises(distutils.errors.DistutilsError, match=msg):
+-            index.download(url, str(tmpdir))
++            index.download(url, tmp_path)
+ 
+ 
+ class TestContentCheckers:
+-- 
+2.33.8
+
diff --git a/SPECS/python-setuptools/python-setuptools.spec b/SPECS/python-setuptools/python-setuptools.spec
index 507500c5dc9..8ca1bb0c481 100644
--- a/SPECS/python-setuptools/python-setuptools.spec
+++ b/SPECS/python-setuptools/python-setuptools.spec
@@ -6,13 +6,14 @@ Setuptools is a fully-featured, actively-maintained, and stable library designed
 Summary:        Easily build and distribute Python packages
 Name:           python-setuptools
 Version:        69.0.3
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Development/Tools
 URL:            https://pypi.python.org/pypi/setuptools
 Source0:        https://pypi.org/packages/source/s/setuptools/setuptools-%{version}.tar.gz
+Patch0:         CVE-2024-6345.patch
 
 %description    %{_description}
 
@@ -34,7 +35,7 @@ Provides:       python%{python3_majmin}dist(setuptools) = %{version}-%{release}
 %description -n python3-setuptools %{_description}
 
 %prep
-%autosetup -n setuptools-%{version}
+%autosetup -p1 -n setuptools-%{version}
 
 %build
 pip3 wheel -w dist --no-cache-dir --no-build-isolation --no-deps $PWD
@@ -57,6 +58,9 @@ EOF
 %{python3_sitelib}/setuptools-%{version}.dist-info/*
 
 %changelog
+* Tue Sep 10 2024 <lakarri@microsoft.com> - 69.0.3-4
+- Fix CVE-2024-6345 with a patch
+
 * Thu Aug 29 2024 Andrew Phelps <anphel@microsoft.com> - 69.0.3-3
 - Bump release to rebuild and resolve python3dist provides issue
 
diff --git a/SPECS/python-six/python-six.spec b/SPECS/python-six/python-six.spec
index 06081b6d687..0d01a60cd87 100644
--- a/SPECS/python-six/python-six.spec
+++ b/SPECS/python-six/python-six.spec
@@ -1,10 +1,12 @@
 Summary:        Python 2 and 3 compatibility utilities
 Name:           python-six
 Version:        1.16.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MIT
 Group:          Development/Languages/Python
 URL:            https://pypi.org/project/six/
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        https://pypi.python.org/packages/source/s/six/six-%{version}.tar.gz
 BuildRequires:  python3-devel
 BuildRequires:  python3-setuptools
@@ -16,7 +18,7 @@ BuildRequires:  python3-pip
 BuildArch:      noarch
 
 %description
-Six is a Python 2 and 3 compatibility library. It provides utility functions for smoothing over the differences between the Python versions with the goal of writing Python code that is compatible on both Python versions. 
+Six is a Python 2 and 3 compatibility library. It provides utility functions for smoothing over the differences between the Python versions with the goal of writing Python code that is compatible on both Python versions.
 
 %package -n     python3-six
 Summary:        Python 2 and 3 compatibility utilities
@@ -45,6 +47,9 @@ pip3 install pytest
 %{python3_sitelib}/*
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.16.0-3
+- Add missing Vendor and Distribution tags.
+
 * Tue Mar 22 2022 Olivia Crain <oliviacrain@microsoft.com> - 1.16.0-2
 - Remove python2 package
 - Add license file to the python3 subpackage
diff --git a/SPECS/python-templated-dictionary/python-templated-dictionary.signatures.json b/SPECS/python-templated-dictionary/python-templated-dictionary.signatures.json
new file mode 100644
index 00000000000..59aa11259dd
--- /dev/null
+++ b/SPECS/python-templated-dictionary/python-templated-dictionary.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "python-templated-dictionary-1.4.tar.gz": "2fdc220dd5f931ac9149a8d01d1a6d9334d093da514581cdd0175cc72e6542d9"
+ }
+}
diff --git a/SPECS-EXTENDED/python-templated-dictionary/python-templated-dictionary.spec b/SPECS/python-templated-dictionary/python-templated-dictionary.spec
similarity index 54%
rename from SPECS-EXTENDED/python-templated-dictionary/python-templated-dictionary.spec
rename to SPECS/python-templated-dictionary/python-templated-dictionary.spec
index 44a910c624c..d034fbe4f90 100644
--- a/SPECS-EXTENDED/python-templated-dictionary/python-templated-dictionary.spec
+++ b/SPECS/python-templated-dictionary/python-templated-dictionary.spec
@@ -1,44 +1,59 @@
 %global srcname templated-dictionary
 %global python3_pkgversion 3
 
-Summary:        Dictionary with Jinja2 expansion
-Name:           python-%{srcname}
-Version:        1.1
-Release:        6%{?dist}
-License:        GPLv2+
-URL:            https://github.com/xsuchy/templated-dictionary
-Source0:        https://files.pythonhosted.org/packages/22/4d/cd73de22b8b345e57677c80c26381e25abef19cab9495c91b1627af7621b/templated-dictionary-1.1.tar.gz#/%{name}-%{version}.tar.gz
-BuildRequires:  python%{python3_pkgversion}-devel
-BuildRequires:  python%{python3_pkgversion}-setuptools
-Requires:       python%{python3_pkgversion}-jinja2
-BuildArch: noarch
+%if 0%{?rhel} == 7
+%global python3_pkgversion 36
+%endif
+
+Name:          python-%{srcname}
+Version:       1.4
+Release:       5%{?dist}
+Vendor:        Microsoft Corporation
+Distribution:  Azure Linux
+Summary:       Dictionary with Jinja2 expansion
+
+License:       GPL-2.0-or-later
+URL:           https://github.com/xsuchy/templated-dictionary
+Source0:       %{url}/archive/refs/tags/%{name}-%{version}-1.tar.gz#/%{name}-%{version}.tar.gz
+
+BuildArch:     noarch
+
+BuildRequires: python%{python3_pkgversion}-devel
+BuildRequires: python%{python3_pkgversion}-setuptools
+Requires:      python%{python3_pkgversion}-jinja2
 
 %global _description\
 Dictionary where __getitem__() is run through Jinja2 template.
 
 %description %_description
 
+
 %package -n python3-%{srcname}
 Summary: %{summary}
 %{?py_provides:%py_provides python3-%{srcname}}
-%description -n python3-%{srcname} %{_description}
+%description -n python3-%{srcname} %_description
+
 
 %prep
-%setup -q -n %{srcname}-%{version}
+%setup -q -n %{srcname}-%{name}-%{version}-1
+
 
 %build
-version="%{version}" python3 setup.py build '--executable=%{_bindir}/python3 -s'
+version="%version" %py3_build
 
 %install
-version="%{version}" python3 setup.py install -O1 --skip-build --root %{buildroot}
+version=%version %py3_install
+
 
 %files -n python3-%{srcname}
-# %%license LICENSE
-# Annoyingly, the build produces templated_dictionary with an '_', 
-# not matching up with srcname which uses '-'
-%{python3_sitelib}/templated_dictionary*
+%license LICENSE
+%{python3_sitelib}/templated_dictionary-*.egg-info/
+%{python3_sitelib}/templated_dictionary/
 
 %changelog
+* Wed Aug 28 2024 Reuben Olinsky <reubeno@microsoft.com> - 1.4-1
+- Upgraded to 1.4 and sync'd with Fedora spec.
+
 * Fri Apr 29 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.1-6
 - Fixing source URL.
 
diff --git a/SPECS/python-tensorboard/CVE-2024-43788.patch b/SPECS/python-tensorboard/CVE-2024-43788.patch
new file mode 100644
index 00000000000..d1a09a8a15c
--- /dev/null
+++ b/SPECS/python-tensorboard/CVE-2024-43788.patch
@@ -0,0 +1,31 @@
+From d1cbef8d9c0821c21cda593487f5fca6ec560758 Mon Sep 17 00:00:00 2001
+From: "alexander.akait" <sheo13666q@gmail.com>
+Date: Wed, 21 Aug 2024 15:47:34 +0300
+Subject: [PATCH] security: fix DOM clobbering in auto public path
+
+Upstream commit: 955e057abc6cc83cbc3fa1e1ef67a49758bf5a61
+signoff by @xordux on 2024-09-02
+
+---
+ .../webpack/lib/runtime/AutoPublicPathRuntimeModule.js       | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/@angular/build-tooling/node_modules/webpack/lib/runtime/AutoPublicPathRuntimeModule.js b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/@angular/build-tooling/node_modules/webpack/lib/runtime/AutoPublicPathRuntimeModule.js
+index a67240862..18dc9c0fa 100644
+--- a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/@angular/build-tooling/node_modules/webpack/lib/runtime/AutoPublicPathRuntimeModule.js
++++ b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/@angular/build-tooling/node_modules/webpack/lib/runtime/AutoPublicPathRuntimeModule.js
+@@ -42,7 +42,10 @@ class AutoPublicPathRuntimeModule extends RuntimeModule {
+ 						`var document = ${RuntimeGlobals.global}.document;`,
+ 						"if (!scriptUrl && document) {",
+ 						Template.indent([
+-							`if (document.currentScript)`,
++							// Technically we could use `document.currentScript instanceof window.HTMLScriptElement`,
++							// but an attacker could try to inject `<script>HTMLScriptElement = HTMLImageElement</script>`
++							// and use `<img name="currentScript" src="https://attacker.controlled.server/"></img>`
++							"if (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT')",
+ 							Template.indent(`scriptUrl = document.currentScript.src`),
+ 							"if (!scriptUrl) {",
+ 							Template.indent([
+-- 
+2.39.4
+
diff --git a/SPECS/python-tensorboard/CVE-2024-43796.patch b/SPECS/python-tensorboard/CVE-2024-43796.patch
new file mode 100644
index 00000000000..dd6b7182e93
--- /dev/null
+++ b/SPECS/python-tensorboard/CVE-2024-43796.patch
@@ -0,0 +1,25 @@
+From 8d5a41d93faad930515399d2189760fa2bb71edc Mon Sep 17 00:00:00 2001
+From: Rohit Rawat <xordux@gmail.com>
+Date: Wed, 25 Sep 2024 07:14:25 +0000
+Subject: [PATCH] CVE-2024-43796: don't render redirect values in anchor href
+
+---
+ .../external/npm/_/node_modules/express/lib/response.js         | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/express/lib/response.js b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/express/lib/response.js
+index fede486c0..23debf476 100644
+--- a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/express/lib/response.js
++++ b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/express/lib/response.js
+@@ -960,7 +960,7 @@ res.redirect = function redirect(url) {
+ 
+     html: function(){
+       var u = escapeHtml(address);
+-      body = '<p>' + statuses.message[status] + '. Redirecting to <a href="' + u + '">' + u + '</a></p>'
++      body = '<p>' + statuses.message[status] + '. Redirecting to ' + u + '</p>'
+     },
+ 
+     default: function(){
+-- 
+2.39.4
+
diff --git a/SPECS/python-tensorboard/CVE-2024-45590.patch b/SPECS/python-tensorboard/CVE-2024-45590.patch
new file mode 100644
index 00000000000..cce3e7b842b
--- /dev/null
+++ b/SPECS/python-tensorboard/CVE-2024-45590.patch
@@ -0,0 +1,87 @@
+From 8007c86f9772612b795ddd2733ec8d8f7c9957b8 Mon Sep 17 00:00:00 2001
+From: Rohit Rawat <xordux@gmail.com>
+Date: Wed, 25 Sep 2024 17:14:58 +0000
+Subject: [PATCH] CVE-2024-45590: Set default depth limit to 32
+
+---
+ .../body-parser/lib/types/urlencoded.js       | 37 +++++++++++++++----
+ 1 file changed, 30 insertions(+), 7 deletions(-)
+
+diff --git a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/body-parser/lib/types/urlencoded.js b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/body-parser/lib/types/urlencoded.js
+index b2ca8f16d..886a3ce23 100644
+--- a/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/body-parser/lib/types/urlencoded.js
++++ b/tb_tmp/b069b9e9814ff76ffa6219506d1f1e79/external/npm/_/node_modules/body-parser/lib/types/urlencoded.js
+@@ -55,6 +55,9 @@ function urlencoded (options) {
+     : opts.limit
+   var type = opts.type || 'application/x-www-form-urlencoded'
+   var verify = opts.verify || false
++  var depth = typeof opts.depth !== 'number'
++    ? Number(opts.depth || 32)
++    : opts.depth
+ 
+   if (verify !== false && typeof verify !== 'function') {
+     throw new TypeError('option verify must be function')
+@@ -118,7 +121,8 @@ function urlencoded (options) {
+       encoding: charset,
+       inflate: inflate,
+       limit: limit,
+-      verify: verify
++      verify: verify,
++      depth: depth
+     })
+   }
+ }
+@@ -133,12 +137,20 @@ function extendedparser (options) {
+   var parameterLimit = options.parameterLimit !== undefined
+     ? options.parameterLimit
+     : 1000
++
++  var depth = typeof options.depth !== 'number'
++    ? Number(options.depth || 32)
++    : options.depth
+   var parse = parser('qs')
+ 
+   if (isNaN(parameterLimit) || parameterLimit < 1) {
+     throw new TypeError('option parameterLimit must be a positive number')
+   }
+ 
++  if(isNaN(depth) || depth < 0) {
++    throw new TypeError('option depth must be a zero or a positive number')
++  }
++
+   if (isFinite(parameterLimit)) {
+     parameterLimit = parameterLimit | 0
+   }
+@@ -156,12 +168,23 @@ function extendedparser (options) {
+     var arrayLimit = Math.max(100, paramCount)
+ 
+     debug('parse extended urlencoding')
+-    return parse(body, {
+-      allowPrototypes: true,
+-      arrayLimit: arrayLimit,
+-      depth: Infinity,
+-      parameterLimit: parameterLimit
+-    })
++    try {
++      return parse(body, {
++        allowPrototypes: true,
++        arrayLimit: arrayLimit,
++        depth: depth,
++        strictDepth: true,
++        parameterLimit: parameterLimit
++      })
++    } catch (err) {
++      if (err instanceof RangeError) {
++        throw createError(400, 'The input exceeded the depth', {
++          type: 'querystring.parse.rangeError'
++        })
++      } else {
++        throw err
++      }
++    }
+   }
+ }
+ 
+-- 
+2.39.4
+
diff --git a/SPECS/python-tensorboard/python-tensorboard.spec b/SPECS/python-tensorboard/python-tensorboard.spec
index cb7dbed2b1a..3933a1bfd06 100644
--- a/SPECS/python-tensorboard/python-tensorboard.spec
+++ b/SPECS/python-tensorboard/python-tensorboard.spec
@@ -7,7 +7,7 @@ TensorBoard is a suite of web applications for inspecting and understanding your
 Summary:        TensorBoard is a suite of web applications for inspecting and understanding your TensorFlow runs and graphs
 Name:           python-%{pypi_name}
 Version:        2.16.2
-Release:        2%{?dist}
+Release:        5%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -15,6 +15,10 @@ URL:            https://github.com/tensorflow/tensorboard
 # This source also contains the dependencies required for building tensorboard
 Source0:        %{_distro_sources_url}/%{name}-%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch0:         0000-Use-system-package.patch
+Patch1:         CVE-2024-43788.patch
+Patch2:         CVE-2024-43796.patch
+Patch3:         CVE-2024-45590.patch
+
 BuildRequires:  bazel
 BuildRequires:  build-essential
 BuildRequires:  gcc
@@ -93,6 +97,15 @@ mv %{pypi_name}-*.whl pyproject-wheeldir/
 %{python3_sitelib}/tensorboard_data_server*
 
 %changelog
+* Thu Sep 26 09 2024 Rohit Rawat <rohitrawat@microsoft.com> - 2.16.2-5
+- Patch to fix CVE-2024-45590
+
+* Wed Sep 25 09 2024 Rohit Rawat <rohitrawat@microsoft.com> - 2.16.2-4
+- Patch to fix CVE-2024-43796
+
+* Mon Sep 02 2024 Rohit Rawat <rohitrawat@microsoft.com> - 2.16.2-3
+- Patch to fix CVE-2024-43788
+
 * Thu May 30 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 2.16.2-2
 - Bump release to build with new python-werkzeug to fix CVE-2024-34069
 
diff --git a/SPECS/python-xlsxwriter/python-xlsxwriter.spec b/SPECS/python-xlsxwriter/python-xlsxwriter.spec
index 37a4b5b7f70..71d6781f435 100644
--- a/SPECS/python-xlsxwriter/python-xlsxwriter.spec
+++ b/SPECS/python-xlsxwriter/python-xlsxwriter.spec
@@ -1,15 +1,16 @@
 %global pypi_name xlsxwriter
 %global src_name XlsxWriter
 
-Name:		python-%{pypi_name}
-Version:	3.2.0
-Release:	3%{?dist}
-Summary:	Python module for writing files in the Excel 2007+ XLSX file format
-License:	BSD
-Vendor:         Microsoft Corporation
-URL:		https://pypi.python.org/pypi/XlsxWriter
-Source0:	https://github.com/jmcnamara/XlsxWriter/archive/refs/tags/RELEASE_3.2.0.tar.gz#/%{name}-%{version}.tar.gz
-BuildArch:	noarch
+Name:		   python-%{pypi_name}
+Version:	   3.2.0
+Release:	   4%{?dist}
+Summary:	   Python module for writing files in the Excel 2007+ XLSX file format
+License:	   BSD
+URL:		   https://pypi.python.org/pypi/XlsxWriter
+Vendor:        Microsoft Corporation
+Distribution:  Azure Linux
+Source0:	   https://github.com/jmcnamara/XlsxWriter/archive/refs/tags/RELEASE_3.2.0.tar.gz#/%{name}-%{version}.tar.gz
+BuildArch:	   noarch
 
 %global common_desc\
 XlsxWriter is a Python module for writing files in the Excel 2007+\
@@ -67,6 +68,9 @@ rm -rf %{src_name}.egg-info
 %{_bindir}/vba_extract.py
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 3.2.0-4
+- Add missing Distribution tag.
+
 * Fri Jun 14 2024 Alberto David Perez Guevara <aperezguevar@microsoft.com> - 3.2.0-3
 - Build step correction
 
diff --git a/SPECS/python-zstd/python-zstd.spec b/SPECS/python-zstd/python-zstd.spec
index 4148101df37..341a39d6d63 100644
--- a/SPECS/python-zstd/python-zstd.spec
+++ b/SPECS/python-zstd/python-zstd.spec
@@ -3,12 +3,14 @@
 
 Name:           python-%{pypi_name}
 Version:        1.5.5.1
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Zstd Bindings for Python
 
 # original zstd bits are GPL-2.0-or-later OR BSD-2-Clause
 License:        BSD-2-Clause AND (GPL-2.0-or-later OR BSD-2-Clause)
 URL:            https://github.com/sergey-dryabzhinsky/python-zstd
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source:         %{pypi_source}
 
 # Patches to fix test execution
@@ -65,6 +67,9 @@ sed -i -e '/test_version/d' tests/__init__.py
 %{python3_sitearch}/%{pypi_name}*.so
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.5.5.1-4
+- Add missing Vendor and Distribution tags.
+
 * Fri Feb 16 2024 Andrew Phelps <anphel@microsoft.com> - 1.5.5.1-3
 - Add Provides python3dist(zstd)
 
diff --git a/SPECS/python3/CVE-2024-6232.patch b/SPECS/python3/CVE-2024-6232.patch
new file mode 100644
index 00000000000..578d11a616f
--- /dev/null
+++ b/SPECS/python3/CVE-2024-6232.patch
@@ -0,0 +1,224 @@
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index 3bbbcaa6211..f7202859de7 100755
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -843,6 +843,9 @@ def data_filter(member, dest_path):
+ # Sentinel for replace() defaults, meaning "don't change the attribute"
+ _KEEP = object()
+ 
++# Header length is digits followed by a space.
++_header_length_prefix_re = re.compile(br"([0-9]{1,20}) ")
++
+ class TarInfo(object):
+     """Informational class which holds the details about an
+        archive member given by a tar header block.
+@@ -1412,37 +1415,59 @@ def _proc_pax(self, tarfile):
+         else:
+             pax_headers = tarfile.pax_headers.copy()
+ 
+-        # Check if the pax header contains a hdrcharset field. This tells us
+-        # the encoding of the path, linkpath, uname and gname fields. Normally,
+-        # these fields are UTF-8 encoded but since POSIX.1-2008 tar
+-        # implementations are allowed to store them as raw binary strings if
+-        # the translation to UTF-8 fails.
+-        match = re.search(br"\d+ hdrcharset=([^\n]+)\n", buf)
+-        if match is not None:
+-            pax_headers["hdrcharset"] = match.group(1).decode("utf-8")
+-
+-        # For the time being, we don't care about anything other than "BINARY".
+-        # The only other value that is currently allowed by the standard is
+-        # "ISO-IR 10646 2000 UTF-8" in other words UTF-8.
+-        hdrcharset = pax_headers.get("hdrcharset")
+-        if hdrcharset == "BINARY":
+-            encoding = tarfile.encoding
+-        else:
+-            encoding = "utf-8"
+-
+         # Parse pax header information. A record looks like that:
+         # "%d %s=%s\n" % (length, keyword, value). length is the size
+         # of the complete record including the length field itself and
+-        # the newline. keyword and value are both UTF-8 encoded strings.
+-        regex = re.compile(br"(\d+) ([^=]+)=")
++        # the newline.
+         pos = 0
+-        while match := regex.match(buf, pos):
+-            length, keyword = match.groups()
+-            length = int(length)
+-            if length == 0:
++        encoding = None
++        raw_headers = []
++        while len(buf) > pos and buf[pos] != 0x00:
++            if not (match := _header_length_prefix_re.match(buf, pos)):
++                raise InvalidHeaderError("invalid header")
++            try:
++                length = int(match.group(1))
++            except ValueError:
++                raise InvalidHeaderError("invalid header")
++            # Headers must be at least 5 bytes, shortest being '5 x=\n'.
++            # Value is allowed to be empty.
++            if length < 5:
++                raise InvalidHeaderError("invalid header")
++            if pos + length > len(buf):
++                raise InvalidHeaderError("invalid header")
++
++            header_value_end_offset = match.start(1) + length - 1  # Last byte of the header
++            keyword_and_value = buf[match.end(1) + 1:header_value_end_offset]
++            raw_keyword, equals, raw_value = keyword_and_value.partition(b"=")
++
++            # Check the framing of the header. The last character must be '\n' (0x0A)
++            if not raw_keyword or equals != b"=" or buf[header_value_end_offset] != 0x0A:
+                 raise InvalidHeaderError("invalid header")
+-            value = buf[match.end(2) + 1:match.start(1) + length - 1]
++            raw_headers.append((length, raw_keyword, raw_value))
++
++            # Check if the pax header contains a hdrcharset field. This tells us
++            # the encoding of the path, linkpath, uname and gname fields. Normally,
++            # these fields are UTF-8 encoded but since POSIX.1-2008 tar
++            # implementations are allowed to store them as raw binary strings if
++            # the translation to UTF-8 fails. For the time being, we don't care about
++            # anything other than "BINARY". The only other value that is currently
++            # allowed by the standard is "ISO-IR 10646 2000 UTF-8" in other words UTF-8.
++            # Note that we only follow the initial 'hdrcharset' setting to preserve
++            # the initial behavior of the 'tarfile' module.
++            if raw_keyword == b"hdrcharset" and encoding is None:
++                if raw_value == b"BINARY":
++                    encoding = tarfile.encoding
++                else:  # This branch ensures only the first 'hdrcharset' header is used.
++                    encoding = "utf-8"
+ 
++            pos += length
++
++        # If no explicit hdrcharset is set, we use UTF-8 as a default.
++        if encoding is None:
++            encoding = "utf-8"
++
++        # After parsing the raw headers we can decode them to text.
++        for length, raw_keyword, raw_value in raw_headers:
+             # Normally, we could just use "utf-8" as the encoding and "strict"
+             # as the error handler, but we better not take the risk. For
+             # example, GNU tar <= 1.23 is known to store filenames it cannot
+@@ -1450,17 +1475,16 @@ def _proc_pax(self, tarfile):
+             # hdrcharset=BINARY header).
+             # We first try the strict standard encoding, and if that fails we
+             # fall back on the user's encoding and error handler.
+-            keyword = self._decode_pax_field(keyword, "utf-8", "utf-8",
++            keyword = self._decode_pax_field(raw_keyword, "utf-8", "utf-8",
+                     tarfile.errors)
+             if keyword in PAX_NAME_FIELDS:
+-                value = self._decode_pax_field(value, encoding, tarfile.encoding,
++                value = self._decode_pax_field(raw_value, encoding, tarfile.encoding,
+                         tarfile.errors)
+             else:
+-                value = self._decode_pax_field(value, "utf-8", "utf-8",
++                value = self._decode_pax_field(raw_value, "utf-8", "utf-8",
+                         tarfile.errors)
+ 
+             pax_headers[keyword] = value
+-            pos += length
+ 
+         # Fetch the next header.
+         try:
+@@ -1475,7 +1499,7 @@ def _proc_pax(self, tarfile):
+ 
+         elif "GNU.sparse.size" in pax_headers:
+             # GNU extended sparse format version 0.0.
+-            self._proc_gnusparse_00(next, pax_headers, buf)
++            self._proc_gnusparse_00(next, raw_headers)
+ 
+         elif pax_headers.get("GNU.sparse.major") == "1" and pax_headers.get("GNU.sparse.minor") == "0":
+             # GNU extended sparse format version 1.0.
+@@ -1497,15 +1521,24 @@ def _proc_pax(self, tarfile):
+ 
+         return next
+ 
+-    def _proc_gnusparse_00(self, next, pax_headers, buf):
++    def _proc_gnusparse_00(self, next, raw_headers):
+         """Process a GNU tar extended sparse header, version 0.0.
+         """
+         offsets = []
+-        for match in re.finditer(br"\d+ GNU.sparse.offset=(\d+)\n", buf):
+-            offsets.append(int(match.group(1)))
+         numbytes = []
+-        for match in re.finditer(br"\d+ GNU.sparse.numbytes=(\d+)\n", buf):
+-            numbytes.append(int(match.group(1)))
++        for _, keyword, value in raw_headers:
++            if keyword == b"GNU.sparse.offset":
++                try:
++                    offsets.append(int(value.decode()))
++                except ValueError:
++                    raise InvalidHeaderError("invalid header")
++
++            elif keyword == b"GNU.sparse.numbytes":
++                try:
++                    numbytes.append(int(value.decode()))
++                except ValueError:
++                    raise InvalidHeaderError("invalid header")
++
+         next.sparse = list(zip(offsets, numbytes))
+ 
+     def _proc_gnusparse_01(self, next, pax_headers):
+@@ -2222,7 +2255,7 @@ def _get_filter_function(self, filter):
+                     'Python 3.14 will, by default, filter extracted tar '
+                     + 'archives and reject files or modify their metadata. '
+                     + 'Use the filter argument to control this behavior.',
+-                    DeprecationWarning)
++                    DeprecationWarning, stacklevel=3)
+                 return fully_trusted_filter
+             if isinstance(filter, str):
+                 raise TypeError(
+@@ -2897,4 +2930,4 @@ def main():
+             print('{!r} file created.'.format(tar_name))
+ 
+ if __name__ == '__main__':
+-    main()
++    main()
+\ No newline at end of file
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index 9aa17267490..1f9a3033d96 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -1210,6 +1210,44 @@ def test_pax_number_fields(self):
+         finally:
+             tar.close()
+ 
++    def test_pax_header_bad_formats(self):
++        # The fields from the pax header have priority over the
++        # TarInfo.
++        pax_header_replacements = (
++            b" foo=bar\n",
++            b"0 \n",
++            b"1 \n",
++            b"2 \n",
++            b"3 =\n",
++            b"4 =a\n",
++            b"1000000 foo=bar\n",
++            b"0 foo=bar\n",
++            b"-12 foo=bar\n",
++            b"000000000000000000000000036 foo=bar\n",
++        )
++        pax_headers = {"foo": "bar"}
++        for replacement in pax_header_replacements:
++            with self.subTest(header=replacement):
++                tar = tarfile.open(tmpname, "w", format=tarfile.PAX_FORMAT,
++                                   encoding="iso8859-1")
++                try:
++                    t = tarfile.TarInfo()
++                    t.name = "pax"  # non-ASCII
++                    t.uid = 1
++                    t.pax_headers = pax_headers
++                    tar.addfile(t)
++                finally:
++                    tar.close()
++                with open(tmpname, "rb") as f:
++                    data = f.read()
++                    self.assertIn(b"11 foo=bar\n", data)
++                    data = data.replace(b"11 foo=bar\n", replacement)
++                with open(tmpname, "wb") as f:
++                    f.truncate()
++                    f.write(data)
++                with self.assertRaisesRegex(tarfile.ReadError, r"method tar: ReadError\('invalid header'\)"):
++                    tarfile.open(tmpname, encoding="iso8859-1")
++        
+ 
+ class WriteTestBase(TarTest):
+     # Put all write tests in here that are supposed to be tested
diff --git a/SPECS/python3/CVE-2024-6923.patch b/SPECS/python3/CVE-2024-6923.patch
new file mode 100644
index 00000000000..93c7a71923d
--- /dev/null
+++ b/SPECS/python3/CVE-2024-6923.patch
@@ -0,0 +1,339 @@
+From e58aec9cbfdebf45ee863eded142358e9e98531d Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Wed, 31 Jul 2024 00:19:48 +0200
+Subject: [PATCH 1/2] gh-121650: Encode newlines in headers, and verify headers
+ are sound (GH-122233)
+
+- Encode header parts that contain newlines
+
+Per RFC 2047:
+
+> [...] these encoding schemes allow the
+> encoding of arbitrary octet values, mail readers that implement this
+> decoding should also ensure that display of the decoded data on the
+> recipient's terminal will not cause unwanted side-effects
+
+It seems that the "quoted-word" scheme is a valid way to include
+a newline character in a header value, just like we already allow
+undecodable bytes or control characters.
+They do need to be properly quoted when serialized to text, though.
+
+- Verify that email headers are well-formed
+
+This should fail for custom fold() implementations that aren't careful
+about newlines.
+
+Co-authored-by: Bas Bloemsaat <bas@bloemsaat.org>
+Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
+(cherry picked from commit 097633981879b3c9de9a1dd120d3aa585ecc2384)
+---
+ Doc/library/email.errors.rst                  |  7 +++
+ Doc/library/email.policy.rst                  | 18 ++++++
+ Lib/email/_header_value_parser.py             | 12 +++-
+ Lib/email/_policybase.py                      |  8 +++
+ Lib/email/errors.py                           |  4 ++
+ Lib/email/generator.py                        | 13 +++-
+ Lib/test/test_email/test_generator.py         | 62 +++++++++++++++++++
+ Lib/test/test_email/test_policy.py            | 26 ++++++++
+ ...-07-27-16-10-41.gh-issue-121650.nf6oc9.rst |  5 ++
+ 9 files changed, 151 insertions(+), 4 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst
+
+diff --git a/Doc/library/email.errors.rst b/Doc/library/email.errors.rst
+index 33ab4265116178..f8f43d82a3df2e 100644
+--- a/Doc/library/email.errors.rst
++++ b/Doc/library/email.errors.rst
+@@ -58,6 +58,13 @@ The following exception classes are defined in the :mod:`email.errors` module:
+    :class:`~email.mime.nonmultipart.MIMENonMultipart` (e.g.
+    :class:`~email.mime.image.MIMEImage`).
+ 
++
++.. exception:: HeaderWriteError()
++
++   Raised when an error occurs when the :mod:`~email.generator` outputs
++   headers.
++
++
+ .. exception:: MessageDefect()
+ 
+    This is the base class for all defects found when parsing email messages.
+diff --git a/Doc/library/email.policy.rst b/Doc/library/email.policy.rst
+index 83feedf728351e..314767d0802a08 100644
+--- a/Doc/library/email.policy.rst
++++ b/Doc/library/email.policy.rst
+@@ -229,6 +229,24 @@ added matters.  To illustrate::
+ 
+       .. versionadded:: 3.6
+ 
++
++   .. attribute:: verify_generated_headers
++
++      If ``True`` (the default), the generator will raise
++      :exc:`~email.errors.HeaderWriteError` instead of writing a header
++      that is improperly folded or delimited, such that it would
++      be parsed as multiple headers or joined with adjacent data.
++      Such headers can be generated by custom header classes or bugs
++      in the ``email`` module.
++
++      As it's a security feature, this defaults to ``True`` even in the
++      :class:`~email.policy.Compat32` policy.
++      For backwards compatible, but unsafe, behavior, it must be set to
++      ``False`` explicitly.
++
++      .. versionadded:: 3.13
++
++
+    The following :class:`Policy` method is intended to be called by code using
+    the email library to create policy instances with custom settings:
+ 
+diff --git a/Lib/email/_header_value_parser.py b/Lib/email/_header_value_parser.py
+index 7da1bbaf8a80d7..ec2215a5e5f33c 100644
+--- a/Lib/email/_header_value_parser.py
++++ b/Lib/email/_header_value_parser.py
+@@ -92,6 +92,8 @@
+ ASPECIALS = TSPECIALS | set("*'%")
+ ATTRIBUTE_ENDS = ASPECIALS | WSP
+ EXTENDED_ATTRIBUTE_ENDS = ATTRIBUTE_ENDS - set('%')
++NLSET = {'\n', '\r'}
++SPECIALSNL = SPECIALS | NLSET
+ 
+ def quote_string(value):
+     return '"'+str(value).replace('\\', '\\\\').replace('"', r'\"')+'"'
+@@ -2778,9 +2780,13 @@ def _refold_parse_tree(parse_tree, *, policy):
+             wrap_as_ew_blocked -= 1
+             continue
+         tstr = str(part)
+-        if part.token_type == 'ptext' and set(tstr) & SPECIALS:
+-            # Encode if tstr contains special characters.
+-            want_encoding = True
++        if not want_encoding:
++            if part.token_type == 'ptext':
++                # Encode if tstr contains special characters.
++                want_encoding = not SPECIALSNL.isdisjoint(tstr)
++            else:
++                # Encode if tstr contains newlines.
++                want_encoding = not NLSET.isdisjoint(tstr)
+         try:
+             tstr.encode(encoding)
+             charset = encoding
+diff --git a/Lib/email/_policybase.py b/Lib/email/_policybase.py
+index 2ec54fbabae83c..5f9aa9fb091fa2 100644
+--- a/Lib/email/_policybase.py
++++ b/Lib/email/_policybase.py
+@@ -157,6 +157,13 @@ class Policy(_PolicyBase, metaclass=abc.ABCMeta):
+     message_factory     -- the class to use to create new message objects.
+                            If the value is None, the default is Message.
+ 
++    verify_generated_headers
++                        -- if true, the generator verifies that each header
++                           they are properly folded, so that a parser won't
++                           treat it as multiple headers, start-of-body, or
++                           part of another header.
++                           This is a check against custom Header & fold()
++                           implementations.
+     """
+ 
+     raise_on_defect = False
+@@ -165,6 +172,7 @@ class Policy(_PolicyBase, metaclass=abc.ABCMeta):
+     max_line_length = 78
+     mangle_from_ = False
+     message_factory = None
++    verify_generated_headers = True
+ 
+     def handle_defect(self, obj, defect):
+         """Based on policy, either raise defect or call register_defect.
+diff --git a/Lib/email/errors.py b/Lib/email/errors.py
+index 3ad00565549968..02aa5eced6ae46 100644
+--- a/Lib/email/errors.py
++++ b/Lib/email/errors.py
+@@ -29,6 +29,10 @@ class CharsetError(MessageError):
+     """An illegal charset was given."""
+ 
+ 
++class HeaderWriteError(MessageError):
++    """Error while writing headers."""
++
++
+ # These are parsing defects which the parser was able to work around.
+ class MessageDefect(ValueError):
+     """Base class for a message defect."""
+diff --git a/Lib/email/generator.py b/Lib/email/generator.py
+index c8056ad47baa0f..47b9df8f4e6090 100644
+--- a/Lib/email/generator.py
++++ b/Lib/email/generator.py
+@@ -14,12 +14,14 @@
+ from copy import deepcopy
+ from io import StringIO, BytesIO
+ from email.utils import _has_surrogates
++from email.errors import HeaderWriteError
+ 
+ UNDERSCORE = '_'
+ NL = '\n'  # XXX: no longer used by the code below.
+ 
+ NLCRE = re.compile(r'\r\n|\r|\n')
+ fcre = re.compile(r'^From ', re.MULTILINE)
++NEWLINE_WITHOUT_FWSP = re.compile(r'\r\n[^ \t]|\r[^ \n\t]|\n[^ \t]')
+ 
+ 
+ class Generator:
+@@ -222,7 +224,16 @@ def _dispatch(self, msg):
+ 
+     def _write_headers(self, msg):
+         for h, v in msg.raw_items():
+-            self.write(self.policy.fold(h, v))
++            folded = self.policy.fold(h, v)
++            if self.policy.verify_generated_headers:
++                linesep = self.policy.linesep
++                if not folded.endswith(self.policy.linesep):
++                    raise HeaderWriteError(
++                        f'folded header does not end with {linesep!r}: {folded!r}')
++                if NEWLINE_WITHOUT_FWSP.search(folded.removesuffix(linesep)):
++                    raise HeaderWriteError(
++                        f'folded header contains newline: {folded!r}')
++            self.write(folded)
+         # A blank line always separates headers from body
+         self.write(self._NL)
+ 
+diff --git a/Lib/test/test_email/test_generator.py b/Lib/test/test_email/test_generator.py
+index bc6f734d4fd0a9..c75a842c33578e 100644
+--- a/Lib/test/test_email/test_generator.py
++++ b/Lib/test/test_email/test_generator.py
+@@ -6,6 +6,7 @@
+ from email.generator import Generator, BytesGenerator
+ from email.headerregistry import Address
+ from email import policy
++import email.errors
+ from test.test_email import TestEmailBase, parameterize
+ 
+ 
+@@ -216,6 +217,44 @@ def test_rfc2231_wrapping_switches_to_default_len_if_too_narrow(self):
+         g.flatten(msg)
+         self.assertEqual(s.getvalue(), self.typ(expected))
+ 
++    def test_keep_encoded_newlines(self):
++        msg = self.msgmaker(self.typ(textwrap.dedent("""\
++            To: nobody
++            Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com
++
++            None
++            """)))
++        expected = textwrap.dedent("""\
++            To: nobody
++            Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com
++
++            None
++            """)
++        s = self.ioclass()
++        g = self.genclass(s, policy=self.policy.clone(max_line_length=80))
++        g.flatten(msg)
++        self.assertEqual(s.getvalue(), self.typ(expected))
++
++    def test_keep_long_encoded_newlines(self):
++        msg = self.msgmaker(self.typ(textwrap.dedent("""\
++            To: nobody
++            Subject: Bad subject=?UTF-8?Q?=0A?=Bcc: injection@example.com
++
++            None
++            """)))
++        expected = textwrap.dedent("""\
++            To: nobody
++            Subject: Bad subject
++             =?utf-8?q?=0A?=Bcc:
++             injection@example.com
++
++            None
++            """)
++        s = self.ioclass()
++        g = self.genclass(s, policy=self.policy.clone(max_line_length=30))
++        g.flatten(msg)
++        self.assertEqual(s.getvalue(), self.typ(expected))
++
+ 
+ class TestGenerator(TestGeneratorBase, TestEmailBase):
+ 
+@@ -224,6 +263,29 @@ class TestGenerator(TestGeneratorBase, TestEmailBase):
+     ioclass = io.StringIO
+     typ = str
+ 
++    def test_verify_generated_headers(self):
++        """gh-121650: by default the generator prevents header injection"""
++        class LiteralHeader(str):
++            name = 'Header'
++            def fold(self, **kwargs):
++                return self
++
++        for text in (
++            'Value\r\nBad Injection\r\n',
++            'NoNewLine'
++        ):
++            with self.subTest(text=text):
++                message = message_from_string(
++                    "Header: Value\r\n\r\nBody",
++                    policy=self.policy,
++                )
++
++                del message['Header']
++                message['Header'] = LiteralHeader(text)
++
++                with self.assertRaises(email.errors.HeaderWriteError):
++                    message.as_string()
++
+ 
+ class TestBytesGenerator(TestGeneratorBase, TestEmailBase):
+ 
+diff --git a/Lib/test/test_email/test_policy.py b/Lib/test/test_email/test_policy.py
+index c6b9c80efe1b54..baa35fd68e49c5 100644
+--- a/Lib/test/test_email/test_policy.py
++++ b/Lib/test/test_email/test_policy.py
+@@ -26,6 +26,7 @@ class PolicyAPITests(unittest.TestCase):
+         'raise_on_defect':          False,
+         'mangle_from_':             True,
+         'message_factory':          None,
++        'verify_generated_headers': True,
+         }
+     # These default values are the ones set on email.policy.default.
+     # If any of these defaults change, the docs must be updated.
+@@ -294,6 +295,31 @@ def test_short_maxlen_error(self):
+                 with self.assertRaises(email.errors.HeaderParseError):
+                     policy.fold("Subject", subject)
+ 
++    def test_verify_generated_headers(self):
++        """Turning protection off allows header injection"""
++        policy = email.policy.default.clone(verify_generated_headers=False)
++        for text in (
++            'Header: Value\r\nBad: Injection\r\n',
++            'Header: NoNewLine'
++        ):
++            with self.subTest(text=text):
++                message = email.message_from_string(
++                    "Header: Value\r\n\r\nBody",
++                    policy=policy,
++                )
++                class LiteralHeader(str):
++                    name = 'Header'
++                    def fold(self, **kwargs):
++                        return self
++
++                del message['Header']
++                message['Header'] = LiteralHeader(text)
++
++                self.assertEqual(
++                    message.as_string(),
++                    f"{text}\nBody",
++                )
++
+     # XXX: Need subclassing tests.
+     # For adding subclassed objects, make sure the usual rules apply (subclass
+     # wins), but that the order still works (right overrides left).
+diff --git a/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst b/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst
+new file mode 100644
+index 00000000000000..83dd28d4ac575b
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2024-07-27-16-10-41.gh-issue-121650.nf6oc9.rst
+@@ -0,0 +1,5 @@
++:mod:`email` headers with embedded newlines are now quoted on output. The
++:mod:`~email.generator` will now refuse to serialize (write) headers that
++are unsafely folded or delimited; see
++:attr:`~email.policy.Policy.verify_generated_headers`. (Contributed by Bas
++Bloemsaat and Petr Viktorin in :gh:`121650`.)
+
diff --git a/SPECS/python3/CVE-2024-8088.patch b/SPECS/python3/CVE-2024-8088.patch
new file mode 100644
index 00000000000..89c75cc74c8
--- /dev/null
+++ b/SPECS/python3/CVE-2024-8088.patch
@@ -0,0 +1,129 @@
+diff --git a/Lib/test/test_zipfile/_path/test_path.py b/Lib/test/test_zipfile/_path/test_path.py
+index c66cb3cba69..49ac356fea8 100644
+--- a/Lib/test/test_zipfile/_path/test_path.py
++++ b/Lib/test/test_zipfile/_path/test_path.py
+@@ -4,6 +4,7 @@
+ import pathlib
+ import pickle
+ import sys
++import time
+ import unittest
+ import zipfile
+ 
+@@ -577,3 +578,74 @@ def test_getinfo_missing(self, alpharep):
+         zipfile.Path(alpharep)
+         with self.assertRaises(KeyError):
+             alpharep.getinfo('does-not-exist')
++
++    def test_malformed_paths(self):
++        """
++        Path should handle malformed paths gracefully.
++
++        Paths with leading slashes are not visible.
++
++        Paths with dots are treated like regular files.
++        """
++        data = io.BytesIO()
++        zf = zipfile.ZipFile(data, "w")
++        zf.writestr("/one-slash.txt", b"content")
++        zf.writestr("//two-slash.txt", b"content")
++        zf.writestr("../parent.txt", b"content")
++        zf.filename = ''
++        root = zipfile.Path(zf)
++        assert list(map(str, root.iterdir())) == ['../']
++        assert root.joinpath('..').joinpath('parent.txt').read_bytes() == b'content'
++
++    def test_unsupported_names(self):
++        """
++        Path segments with special characters are readable.
++        On some platforms or file systems, characters like
++        ``:`` and ``?`` are not allowed, but they are valid
++        in the zip file.
++        """
++        data = io.BytesIO()
++        zf = zipfile.ZipFile(data, "w")
++        zf.writestr("path?", b"content")
++        zf.writestr("V: NMS.flac", b"fLaC...")
++        zf.filename = ''
++        root = zipfile.Path(zf)
++        contents = root.iterdir()
++        assert next(contents).name == 'path?'
++        assert next(contents).name == 'V: NMS.flac'
++        assert root.joinpath('V: NMS.flac').read_bytes() == b"fLaC..."
++    def test_backslash_not_separator(self):
++        """
++        In a zip file, backslashes are not separators.
++        """
++        data = io.BytesIO()
++        zf = zipfile.ZipFile(data, "w")
++        zf.writestr(DirtyZipInfo.for_name("foo\\bar", zf), b"content")
++        zf.filename = ''
++        root = zipfile.Path(zf)
++        (first,) = root.iterdir()
++        assert not first.is_dir()
++        assert first.name == 'foo\\bar'   
++
++class DirtyZipInfo(zipfile.ZipInfo):
++    """
++    Bypass name sanitization.
++    """
++    def __init__(self, filename, *args, **kwargs):
++        super().__init__(filename, *args, **kwargs)
++        self.filename = filename
++    @classmethod
++    def for_name(cls, name, archive):
++        """
++        Construct the same way that ZipFile.writestr does.
++        TODO: extract this functionality and re-use
++        """
++        self = cls(filename=name, date_time=time.localtime(time.time())[:6])
++        self.compress_type = archive.compression
++        self.compress_level = archive.compresslevel
++        if self.filename.endswith('/'):  # pragma: no cover
++            self.external_attr = 0o40775 << 16  # drwxrwxr-x
++            self.external_attr |= 0x10  # MS-DOS directory flag
++        else:
++            self.external_attr = 0o600 << 16  # ?rw-------
++        return self
+\ No newline at end of file
+diff --git a/Lib/zipfile/_path/__init__.py b/Lib/zipfile/_path/__init__.py
+index 78c413563bb..08f6ebb28e0 100644
+--- a/Lib/zipfile/_path/__init__.py
++++ b/Lib/zipfile/_path/__init__.py
+@@ -1,3 +1,11 @@
++"""
++A Path-like interface for zipfiles.
++This codebase is shared between zipfile.Path in the stdlib
++and zipp in PyPI. See
++https://github.com/python/importlib_metadata/wiki/Development-Methodology
++for more detail.
++"""
++
+ import io
+ import posixpath
+ import zipfile
+@@ -34,7 +42,7 @@ def _parents(path):
+ def _ancestry(path):
+     """
+     Given a path with elements separated by
+-    posixpath.sep, generate all elements of that path
++    posixpath.sep, generate all elements of that path.
+ 
+     >>> list(_ancestry('b/d'))
+     ['b/d', 'b']
+@@ -46,9 +54,14 @@ def _ancestry(path):
+     ['b']
+     >>> list(_ancestry(''))
+     []
++
++    Multiple separators are treated like a single.
++
++    >>> list(_ancestry('//b//d///f//'))
++    ['//b//d///f', '//b//d', '//b']
+     """
+     path = path.rstrip(posixpath.sep)
+-    while path and path != posixpath.sep:
++    while path.rstrip(posixpath.sep):
+         yield path
+         path, tail = posixpath.split(path)
+ 
diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec
index 818e7f8b413..50058cdc7d0 100644
--- a/SPECS/python3/python3.spec
+++ b/SPECS/python3/python3.spec
@@ -6,7 +6,7 @@
 Summary:        A high-level scripting language
 Name:           python3
 Version:        3.12.3
-Release:        2%{?dist}
+Release:        4%{?dist}
 License:        PSF
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -18,6 +18,9 @@ Source0:        https://www.python.org/ftp/python/%{version}/Python-%{version}.t
 Source1:        https://github.com/python/cpython/blob/3.9/Tools/scripts/pathfix.py
 Patch0:         cgi3.patch
 Patch1:         CVE-2024-7592.patch
+Patch2:         CVE-2024-6923.patch
+Patch3:         CVE-2024-6232.patch
+Patch4:         CVE-2024-8088.patch
 
 BuildRequires:  bzip2-devel
 BuildRequires:  expat-devel >= 2.1.0
@@ -239,6 +242,12 @@ rm -rf %{buildroot}%{_bindir}/__pycache__
 %{_libdir}/python%{majmin}/test/*
 
 %changelog
+* Fri Sep 20 2024 Himaja Kesari <himajakesari@microsoft.com> - 3.12.3-4
+- Patch CVE-2024-6232 and CVE-2024-8088
+
+* Wed Aug 28 2024 Rohit Rawat <rohitrawat@microsoft.com> - 3.12.3-3
+- Patch CVE-2024-6923
+
 * Wed Aug 21 2024 Brian Fjeldstad <bfjelds@microsoft.com> - 3.12.3-2
 - Patch CVE-2024-7592
 
diff --git a/SPECS/pytorch/CVE-2022-1941.patch b/SPECS/pytorch/CVE-2022-1941.patch
new file mode 100644
index 00000000000..cd961581a22
--- /dev/null
+++ b/SPECS/pytorch/CVE-2022-1941.patch
@@ -0,0 +1,352 @@
+# Patch generated by Archana Choudhary <archana1@microsoft.com>
+# Source: https://github.com/protocolbuffers/protobuf/commit/55815e423bb82cc828836bbd60c79c1f9a195763
+
+diff --color -ruN a/third_party/protobuf/src/google/protobuf/extension_set_inl.h b/third_party/protobuf/src/google/protobuf/extension_set_inl.h
+--- a/third_party/protobuf/src/google/protobuf/extension_set_inl.h	2024-03-27 22:28:55.000000000 +0000
++++ b/third_party/protobuf/src/google/protobuf/extension_set_inl.h	2024-09-18 11:49:16.390834276 +0000
+@@ -206,16 +206,21 @@
+     const char* ptr, const Msg* containing_type,
+     internal::InternalMetadata* metadata, internal::ParseContext* ctx) {
+   std::string payload;
+-  uint32 type_id = 0;
+-  bool payload_read = false;
++  uint32 type_id;
++  enum class State { kNoTag, kHasType, kHasPayload, kDone };
++  State state = State::kNoTag;
++
+   while (!ctx->Done(&ptr)) {
+     uint32 tag = static_cast<uint8>(*ptr++);
+     if (tag == WireFormatLite::kMessageSetTypeIdTag) {
+       uint64 tmp;
+       ptr = ParseBigVarint(ptr, &tmp);
+       GOOGLE_PROTOBUF_PARSER_ASSERT(ptr);
+-      type_id = tmp;
+-      if (payload_read) {
++      if (state == State::kNoTag) {
++        type_id = tmp;
++        state = State::kHasType;
++      } else if (state == State::kHasPayload) {
++        type_id = tmp;
+         ExtensionInfo extension;
+         bool was_packed_on_wire;
+         if (!FindExtension(2, type_id, containing_type, ctx, &extension,
+@@ -241,20 +246,24 @@
+           GOOGLE_PROTOBUF_PARSER_ASSERT(value->_InternalParse(p, &tmp_ctx) &&
+                                          tmp_ctx.EndedAtLimit());
+         }
+-        type_id = 0;
++        state = State::kDone;
+       }
+     } else if (tag == WireFormatLite::kMessageSetMessageTag) {
+-      if (type_id != 0) {
++      if (state == State::kHasType) {
+         ptr = ParseFieldMaybeLazily(static_cast<uint64>(type_id) * 8 + 2, ptr,
+                                     containing_type, metadata, ctx);
+         GOOGLE_PROTOBUF_PARSER_ASSERT(ptr != nullptr);
+-        type_id = 0;
++        state = State::kDone;
+       } else {
++        std::string tmp;
+         int32 size = ReadSize(&ptr);
+         GOOGLE_PROTOBUF_PARSER_ASSERT(ptr);
+-        ptr = ctx->ReadString(ptr, size, &payload);
++        ptr = ctx->ReadString(ptr, size, &tmp);
+         GOOGLE_PROTOBUF_PARSER_ASSERT(ptr);
+-        payload_read = true;
++        if (state == State::kNoTag) {
++          payload = std::move(tmp);
++          state = State::kHasPayload;
++        }
+       }
+     } else {
+       ptr = ReadTag(ptr - 1, &tag);
+diff --color -ruN a/third_party/protobuf/src/google/protobuf/wire_format.cc b/third_party/protobuf/src/google/protobuf/wire_format.cc
+--- a/third_party/protobuf/src/google/protobuf/wire_format.cc	2024-03-27 22:28:55.000000000 +0000
++++ b/third_party/protobuf/src/google/protobuf/wire_format.cc	2024-09-18 11:49:16.390834276 +0000
+@@ -659,9 +659,11 @@
+   const char* _InternalParse(const char* ptr, internal::ParseContext* ctx) {
+     // Parse a MessageSetItem
+     auto metadata = reflection->MutableInternalMetadata(msg);
++    enum class State { kNoTag, kHasType, kHasPayload, kDone };
++    State state = State::kNoTag;
++
+     std::string payload;
+     uint32 type_id = 0;
+-    bool payload_read = false;
+     while (!ctx->Done(&ptr)) {
+       // We use 64 bit tags in order to allow typeid's that span the whole
+       // range of 32 bit numbers.
+@@ -670,8 +672,11 @@
+         uint64 tmp;
+         ptr = ParseBigVarint(ptr, &tmp);
+         GOOGLE_PROTOBUF_PARSER_ASSERT(ptr);
+-        type_id = tmp;
+-        if (payload_read) {
++        if (state == State::kNoTag) {
++          type_id = tmp;
++          state = State::kHasType;
++        } else if (state == State::kHasPayload) {
++          type_id = tmp;
+           const FieldDescriptor* field;
+           if (ctx->data().pool == nullptr) {
+             field = reflection->FindKnownExtensionByNumber(type_id);
+@@ -698,17 +703,17 @@
+             GOOGLE_PROTOBUF_PARSER_ASSERT(value->_InternalParse(p, &tmp_ctx) &&
+                                            tmp_ctx.EndedAtLimit());
+           }
+-          type_id = 0;
++          state = State::kDone;
+         }
+         continue;
+       } else if (tag == WireFormatLite::kMessageSetMessageTag) {
+-        if (type_id == 0) {
++        if (state == State::kNoTag) {
+           int32 size = ReadSize(&ptr);
+           GOOGLE_PROTOBUF_PARSER_ASSERT(ptr);
+           ptr = ctx->ReadString(ptr, size, &payload);
+           GOOGLE_PROTOBUF_PARSER_ASSERT(ptr);
+-          payload_read = true;
+-        } else {
++          state = State::kHasPayload;
++        } else if (state == State::kHasType) {
+           // We're now parsing the payload
+           const FieldDescriptor* field = nullptr;
+           if (descriptor->IsExtensionNumber(type_id)) {
+@@ -722,7 +727,12 @@
+           ptr = WireFormat::_InternalParseAndMergeField(
+               msg, ptr, ctx, static_cast<uint64>(type_id) * 8 + 2, reflection,
+               field);
+-          type_id = 0;
++          state = State::kDone;
++        } else {
++          int32 size = ReadSize(&ptr);
++          GOOGLE_PROTOBUF_PARSER_ASSERT(ptr);
++          ptr = ctx->Skip(ptr, size);
++          GOOGLE_PROTOBUF_PARSER_ASSERT(ptr);
+         }
+       } else {
+         // An unknown field in MessageSetItem.
+diff --color -ruN a/third_party/protobuf/src/google/protobuf/wire_format_lite.h b/third_party/protobuf/src/google/protobuf/wire_format_lite.h
+--- a/third_party/protobuf/src/google/protobuf/wire_format_lite.h	2024-03-27 22:28:55.000000000 +0000
++++ b/third_party/protobuf/src/google/protobuf/wire_format_lite.h	2024-09-18 11:49:16.390834276 +0000
+@@ -1798,6 +1798,9 @@
+   // we can parse it later.
+   std::string message_data;
+ 
++  enum class State { kNoTag, kHasType, kHasPayload, kDone };
++  State state = State::kNoTag;
++
+   while (true) {
+     const uint32 tag = input->ReadTagNoLastTag();
+     if (tag == 0) return false;
+@@ -1806,26 +1809,34 @@
+       case WireFormatLite::kMessageSetTypeIdTag: {
+         uint32 type_id;
+         if (!input->ReadVarint32(&type_id)) return false;
+-        last_type_id = type_id;
+-
+-        if (!message_data.empty()) {
++        if (state == State::kNoTag) {
++          last_type_id = type_id;
++          state = State::kHasType;
++        } else if (state == State::kHasPayload) {
+           // We saw some message data before the type_id.  Have to parse it
+           // now.
+           io::CodedInputStream sub_input(
+               reinterpret_cast<const uint8*>(message_data.data()),
+               static_cast<int>(message_data.size()));
+           sub_input.SetRecursionLimit(input->RecursionBudget());
+-          if (!ms.ParseField(last_type_id, &sub_input)) {
++          if (!ms.ParseField(type_id, &sub_input)) {
+             return false;
+           }
+           message_data.clear();
++          state = State::kDone;
+         }
+ 
+         break;
+       }
+ 
+       case WireFormatLite::kMessageSetMessageTag: {
+-        if (last_type_id == 0) {
++        if (state == State::kHasType) {
++          // Already saw type_id, so we can parse this directly.
++          if (!ms.ParseField(last_type_id, input)) {
++            return false;
++          }
++          state = State::kDone;
++        } else if (state == State::kNoTag) {
+           // We haven't seen a type_id yet.  Append this data to message_data.
+           uint32 length;
+           if (!input->ReadVarint32(&length)) return false;
+@@ -1836,11 +1847,9 @@
+           auto ptr = reinterpret_cast<uint8*>(&message_data[0]);
+           ptr = io::CodedOutputStream::WriteVarint32ToArray(length, ptr);
+           if (!input->ReadRaw(ptr, length)) return false;
++          state = State::kHasPayload;
+         } else {
+-          // Already saw type_id, so we can parse this directly.
+-          if (!ms.ParseField(last_type_id, input)) {
+-            return false;
+-          }
++          if (!ms.SkipField(tag, input)) return false;
+         }
+ 
+         break;
+diff --color -ruN a/third_party/protobuf/src/google/protobuf/wire_format_unittest.cc b/third_party/protobuf/src/google/protobuf/wire_format_unittest.cc
+--- a/third_party/protobuf/src/google/protobuf/wire_format_unittest.cc	2024-03-27 22:28:55.000000000 +0000
++++ b/third_party/protobuf/src/google/protobuf/wire_format_unittest.cc	2024-09-18 11:49:16.394834273 +0000
+@@ -47,6 +47,7 @@
+ #include <google/protobuf/io/zero_copy_stream_impl.h>
+ #include <google/protobuf/io/zero_copy_stream_impl_lite.h>
+ #include <google/protobuf/descriptor.h>
++#include <google/protobuf/dynamic_message.h>
+ #include <google/protobuf/wire_format_lite.h>
+ #include <google/protobuf/testing/googletest.h>
+ #include <gmock/gmock.h>
+@@ -585,30 +586,56 @@
+   EXPECT_EQ(message_set.DebugString(), dynamic_message_set.DebugString());
+ }
+ 
+-TEST(WireFormatTest, ParseMessageSetWithReverseTagOrder) {
++namespace {
++std::string BuildMessageSetItemStart() {
+   std::string data;
+   {
+-    unittest::TestMessageSetExtension1 message;
+-    message.set_i(123);
+-    // Build a MessageSet manually with its message content put before its
+-    // type_id.
+     io::StringOutputStream output_stream(&data);
+     io::CodedOutputStream coded_output(&output_stream);
+     coded_output.WriteTag(WireFormatLite::kMessageSetItemStartTag);
++  }
++  return data;
++}
++std::string BuildMessageSetItemEnd() {
++  std::string data;
++  {
++    io::StringOutputStream output_stream(&data);
++    io::CodedOutputStream coded_output(&output_stream);
++    coded_output.WriteTag(WireFormatLite::kMessageSetItemEndTag);
++  }
++  return data;
++}
++std::string BuildMessageSetTestExtension1(int value = 123) {
++  std::string data;
++  {
++    unittest::TestMessageSetExtension1 message;
++    message.set_i(value);
++    io::StringOutputStream output_stream(&data);
++    io::CodedOutputStream coded_output(&output_stream);
+     // Write the message content first.
+     WireFormatLite::WriteTag(WireFormatLite::kMessageSetMessageNumber,
+                              WireFormatLite::WIRETYPE_LENGTH_DELIMITED,
+                              &coded_output);
+     coded_output.WriteVarint32(message.ByteSizeLong());
+     message.SerializeWithCachedSizes(&coded_output);
+-    // Write the type id.
+-    uint32 type_id = message.GetDescriptor()->extension(0)->number();
++  }
++  return data;
++}
++std::string BuildMessageSetItemTypeId(int extension_number) {
++  std::string data;
++  {
++    io::StringOutputStream output_stream(&data);
++    io::CodedOutputStream coded_output(&output_stream);
+     WireFormatLite::WriteUInt32(WireFormatLite::kMessageSetTypeIdNumber,
+-                                type_id, &coded_output);
+-    coded_output.WriteTag(WireFormatLite::kMessageSetItemEndTag);
++                                extension_number, &coded_output);
+   }
++  return data;
++}
++void ValidateTestMessageSet(const std::string& test_case,
++                            const std::string& data) {
++  SCOPED_TRACE(test_case);
+   {
+-    proto2_wireformat_unittest::TestMessageSet message_set;
++    ::proto2_wireformat_unittest::TestMessageSet message_set;
+     ASSERT_TRUE(message_set.ParseFromString(data));
+ 
+     EXPECT_EQ(123,
+@@ -616,10 +643,15 @@
+                   .GetExtension(
+                       unittest::TestMessageSetExtension1::message_set_extension)
+                   .i());
++
++    // Make sure it does not contain anything else.
++    message_set.ClearExtension(
++        unittest::TestMessageSetExtension1::message_set_extension);
++    EXPECT_EQ(message_set.SerializeAsString(), "");
+   }
+   {
+     // Test parse the message via Reflection.
+-    proto2_wireformat_unittest::TestMessageSet message_set;
++    ::proto2_wireformat_unittest::TestMessageSet message_set;
+     io::CodedInputStream input(reinterpret_cast<const uint8*>(data.data()),
+                                data.size());
+     EXPECT_TRUE(WireFormat::ParseAndMergePartial(&input, &message_set));
+@@ -631,6 +663,61 @@
+                       unittest::TestMessageSetExtension1::message_set_extension)
+                   .i());
+   }
++  {
++    // Test parse the message via DynamicMessage.
++    DynamicMessageFactory factory;
++    std::unique_ptr<Message> msg(
++        factory
++            .GetPrototype(
++                ::proto2_wireformat_unittest::TestMessageSet::descriptor())
++            ->New());
++    msg->ParseFromString(data);
++    auto* reflection = msg->GetReflection();
++    std::vector<const FieldDescriptor*> fields;
++    reflection->ListFields(*msg, &fields);
++    ASSERT_EQ(fields.size(), 1);
++    const auto& sub = reflection->GetMessage(*msg, fields[0]);
++    reflection = sub.GetReflection();
++    EXPECT_EQ(123, reflection->GetInt32(
++                       sub, sub.GetDescriptor()->FindFieldByName("i")));
++  }
++}
++}  // namespace
++
++TEST(WireFormatTest, ParseMessageSetWithAnyTagOrder) {
++  std::string start = BuildMessageSetItemStart();
++  std::string end = BuildMessageSetItemEnd();
++  std::string id = BuildMessageSetItemTypeId(
++      unittest::TestMessageSetExtension1::descriptor()->extension(0)->number());
++  std::string message = BuildMessageSetTestExtension1();
++
++  ValidateTestMessageSet("id + message", start + id + message + end);
++  ValidateTestMessageSet("message + id", start + message + id + end);
++}
++
++TEST(WireFormatTest, ParseMessageSetWithDuplicateTags) {
++  std::string start = BuildMessageSetItemStart();
++  std::string end = BuildMessageSetItemEnd();
++  std::string id = BuildMessageSetItemTypeId(
++      unittest::TestMessageSetExtension1::descriptor()->extension(0)->number());
++  std::string other_id = BuildMessageSetItemTypeId(123456);
++  std::string message = BuildMessageSetTestExtension1();
++  std::string other_message = BuildMessageSetTestExtension1(321);
++
++  // Double id
++  ValidateTestMessageSet("id + other_id + message",
++                         start + id + other_id + message + end);
++  ValidateTestMessageSet("id + message + other_id",
++                         start + id + message + other_id + end);
++  ValidateTestMessageSet("message + id + other_id",
++                         start + message + id + other_id + end);
++  // Double message
++  ValidateTestMessageSet("id + message + other_message",
++                         start + id + message + other_message + end);
++  ValidateTestMessageSet("message + id + other_message",
++                         start + message + id + other_message + end);
++  ValidateTestMessageSet("message + other_message + id",
++                         start + message + other_message + id + end);
+ }
+ 
+ void SerializeReverseOrder(
diff --git a/SPECS/pytorch/CVE-2024-27318.patch b/SPECS/pytorch/CVE-2024-27318.patch
new file mode 100644
index 00000000000..40c1c7a7bff
--- /dev/null
+++ b/SPECS/pytorch/CVE-2024-27318.patch
@@ -0,0 +1,375 @@
+From 4458baf0be43d07acc2adab99d48689f78ff1fe1 Mon Sep 17 00:00:00 2001
+From: liqun Fu <liqfu@microsoft.com>
+Date: Mon, 19 Feb 2024 11:12:40 -0800
+Subject: [PATCH] Fix path sanitization bypass leading to arbitrary read
+ (#5917)
+
+Signed-off-by: liqunfu <liqun.fu@microsoft.com>
+Signed-off-by: liqun Fu <liqun.fu@microsoft.com>
+Co-authored-by: Justin Chu <justinchuby@users.noreply.github.com>
+(cherry picked from commit 66b7fb630903fdcf3e83b6b6d56d82e904264a20)
+---
+ onnx/checker.cc                 | 168 +++++++++++++++++---------------
+ onnx/checker.h                  |   5 +-
+ onnx/common/path.h              |  15 ++-
+ onnx/cpp2py_export.cc           |   2 +
+ onnx/external_data_helper.py    |  15 +--
+ onnx/test/test_external_data.py |  47 +++++++++
+ 6 files changed, 158 insertions(+), 94 deletions(-)
+
+diff --git a/third_party/onnx/onnx/checker.cc b/third_party/onnx/onnx/checker.cc
+index fac56f5655f..66716e97f92 100644
+--- a/third_party/onnx/onnx/checker.cc
++++ b/third_party/onnx/onnx/checker.cc
+@@ -13,7 +13,6 @@
+ #include <vector>
+ 
+ #include "onnx/common/file_utils.h"
+-#include "onnx/common/path.h"
+ #include "onnx/defs/schema.h"
+ #include "onnx/defs/tensor_proto_util.h"
+ #include "onnx/proto_utils.h"
+@@ -135,85 +134,7 @@ void check_tensor(const TensorProto& tensor, const CheckerContext& ctx) {
+     for (const StringStringEntryProto& entry : tensor.external_data()) {
+       if (entry.has_key() && entry.has_value() && entry.key() == "location") {
+         has_location = true;
+-#ifdef _WIN32
+-        auto file_path = std::filesystem::path(utf8str_to_wstring(entry.value()));
+-        if (file_path.is_absolute()) {
+-          fail_check(
+-              "Location of external TensorProto ( tensor name: ",
+-              tensor.name(),
+-              ") should be a relative path, but it is an absolute path: ",
+-              entry.value());
+-        }
+-        auto relative_path = file_path.lexically_normal().make_preferred().wstring();
+-        // Check that normalized relative path contains ".." on Windows.
+-        if (relative_path.find(L"..", 0) != std::string::npos) {
+-          fail_check(
+-              "Data of TensorProto ( tensor name: ",
+-              tensor.name(),
+-              ") should be file inside the ",
+-              ctx.get_model_dir(),
+-              ", but the '",
+-              entry.value(),
+-              "' points outside the directory");
+-        }
+-        std::wstring data_path = path_join(utf8str_to_wstring(ctx.get_model_dir()), relative_path);
+-        struct _stat64 buff;
+-        if (_wstat64(data_path.c_str(), &buff) != 0) {
+-          fail_check(
+-              "Data of TensorProto ( tensor name: ",
+-              tensor.name(),
+-              ") should be stored in ",
+-              entry.value(),
+-              ", but it doesn't exist or is not accessible.");
+-        }
+-#else // POSIX
+-        if (entry.value().empty()) {
+-          fail_check("Location of external TensorProto ( tensor name: ", tensor.name(), ") should not be empty.");
+-        } else if (entry.value()[0] == '/') {
+-          fail_check(
+-              "Location of external TensorProto ( tensor name: ",
+-              tensor.name(),
+-              ") should be a relative path, but it is an absolute path: ",
+-              entry.value());
+-        }
+-        std::string relative_path = clean_relative_path(entry.value());
+-        // Check that normalized relative path contains ".." on POSIX
+-        if (relative_path.find("..", 0) != std::string::npos) {
+-          fail_check(
+-              "Data of TensorProto ( tensor name: ",
+-              tensor.name(),
+-              ") should be file inside the ",
+-              ctx.get_model_dir(),
+-              ", but the '",
+-              entry.value(),
+-              "' points outside the directory");
+-        }
+-        std::string data_path = path_join(ctx.get_model_dir(), relative_path);
+-        // use stat64 to check whether the file exists
+-#if defined(__APPLE__) || defined(__wasm__) || !defined(__GLIBC__)
+-        struct stat buffer; // APPLE, wasm and non-glic stdlibs do not have stat64
+-        if (stat((data_path).c_str(), &buffer) != 0) {
+-#else
+-        struct stat64 buffer; // All POSIX under glibc except APPLE and wasm have stat64
+-        if (stat64((data_path).c_str(), &buffer) != 0) {
+-#endif
+-          fail_check(
+-              "Data of TensorProto ( tensor name: ",
+-              tensor.name(),
+-              ") should be stored in ",
+-              data_path,
+-              ", but it doesn't exist or is not accessible.");
+-        }
+-        // Do not allow symlinks or directories.
+-        if (!S_ISREG(buffer.st_mode)) {
+-          fail_check(
+-              "Data of TensorProto ( tensor name: ",
+-              tensor.name(),
+-              ") should be stored in ",
+-              data_path,
+-              ", but it is not regular file.");
+-        }
+-#endif
++        resolve_external_data_location(ctx.get_model_dir(), entry.value(), tensor.name());
+       }
+     }
+     if (!has_location) {
+@@ -1054,6 +975,93 @@ void check_model(const ModelProto& model, bool full_check, bool skip_opset_compa
+   }
+ }
+ 
++std::string resolve_external_data_location(
++    const std::string& base_dir,
++    const std::string& location,
++    const std::string& tensor_name) {
++#ifdef _WIN32
++  auto file_path = std::filesystem::path(utf8str_to_wstring(location));
++  if (file_path.is_absolute()) {
++    fail_check(
++        "Location of external TensorProto ( tensor name: ",
++        tensor_name,
++        ") should be a relative path, but it is an absolute path: ",
++        location);
++  }
++  auto relative_path = file_path.lexically_normal().make_preferred().wstring();
++  // Check that normalized relative path contains ".." on Windows.
++  if (relative_path.find(L"..", 0) != std::string::npos) {
++    fail_check(
++        "Data of TensorProto ( tensor name: ",
++        tensor_name,
++        ") should be file inside the ",
++        base_dir,
++        ", but the '",
++        location,
++        "' points outside the directory");
++  }
++  std::wstring data_path = path_join(utf8str_to_wstring(base_dir), relative_path);
++  struct _stat64 buff;
++  if (data_path.empty() || (data_path[0] != '#' && _wstat64(data_path.c_str(), &buff) != 0)) {
++    fail_check(
++        "Data of TensorProto ( tensor name: ",
++        tensor_name,
++        ") should be stored in ",
++        location,
++        ", but it doesn't exist or is not accessible.");
++  }
++  return wstring_to_utf8str(data_path);
++#else // POSIX
++  if (location.empty()) {
++    fail_check("Location of external TensorProto ( tensor name: ", tensor_name, ") should not be empty.");
++  } else if (location[0] == '/') {
++    fail_check(
++        "Location of external TensorProto ( tensor name: ",
++        tensor_name,
++        ") should be a relative path, but it is an absolute path: ",
++        location);
++  }
++  std::string relative_path = clean_relative_path(location);
++  // Check that normalized relative path contains ".." on POSIX
++  if (relative_path.find("..", 0) != std::string::npos) {
++    fail_check(
++        "Data of TensorProto ( tensor name: ",
++        tensor_name,
++        ") should be file inside the ",
++        base_dir,
++        ", but the '",
++        location,
++        "' points outside the directory");
++  }
++  std::string data_path = path_join(base_dir, relative_path);
++  // use stat64 to check whether the file exists
++#if defined(__APPLE__) || defined(__wasm__) || !defined(__GLIBC__)
++  struct stat buffer; // APPLE, wasm and non-glic stdlibs do not have stat64
++  if (data_path.empty() || (data_path[0] != '#' && stat((data_path).c_str(), &buffer) != 0)) {
++#else
++  struct stat64 buffer; // All POSIX under glibc except APPLE and wasm have stat64
++  if (data_path.empty() || (data_path[0] != '#' && stat64((data_path).c_str(), &buffer) != 0)) {
++#endif
++    fail_check(
++        "Data of TensorProto ( tensor name: ",
++        tensor_name,
++        ") should be stored in ",
++        data_path,
++        ", but it doesn't exist or is not accessible.");
++  }
++  // Do not allow symlinks or directories.
++  if (data_path.empty() || (data_path[0] != '#' && !S_ISREG(buffer.st_mode))) {
++    fail_check(
++        "Data of TensorProto ( tensor name: ",
++        tensor_name,
++        ") should be stored in ",
++        data_path,
++        ", but it is not regular file.");
++  }
++  return data_path;
++#endif
++}
++
+ std::set<std::string> experimental_ops = {
+     "ATen",
+     "Affine",
+diff --git a/third_party/onnx/onnx/checker.h b/third_party/onnx/onnx/checker.h
+index 6796acab222..83012213469 100644
+--- a/third_party/onnx/onnx/checker.h
++++ b/third_party/onnx/onnx/checker.h
+@@ -160,7 +160,10 @@ void check_model_local_functions(
+ 
+ void check_model(const ModelProto& model, bool full_check = false, bool skip_opset_compatibility_check = false);
+ void check_model(const std::string& model_path, bool full_check = false, bool skip_opset_compatibility_check = false);
+-
++std::string resolve_external_data_location(
++    const std::string& base_dir,
++    const std::string& location,
++    const std::string& tensor_name);
+ bool check_is_experimental_op(const NodeProto& node);
+ 
+ } // namespace checker
+diff --git a/third_party/onnx/onnx/common/path.h b/third_party/onnx/onnx/common/path.h
+index 6eaf5e67baf..09212747f7f 100644
+--- a/third_party/onnx/onnx/common/path.h
++++ b/third_party/onnx/onnx/common/path.h
+@@ -31,11 +31,22 @@ inline std::wstring utf8str_to_wstring(const std::string& utf8str) {
+   if (utf8str.size() > INT_MAX) {
+     fail_check("utf8str_to_wstring: string is too long for converting to wstring.");
+   }
+-  int size_required = MultiByteToWideChar(CP_UTF8, 0, utf8str.c_str(), (int)utf8str.size(), NULL, 0);
++  int size_required = MultiByteToWideChar(CP_UTF8, 0, utf8str.c_str(), static_cast<int>(utf8str.size()), NULL, 0);
+   std::wstring ws_str(size_required, 0);
+-  MultiByteToWideChar(CP_UTF8, 0, utf8str.c_str(), (int)utf8str.size(), &ws_str[0], size_required);
++  MultiByteToWideChar(CP_UTF8, 0, utf8str.c_str(), static_cast<int>(utf8str.size()), &ws_str[0], size_required);
+   return ws_str;
+ }
++inline std::string wstring_to_utf8str(const std::wstring& ws_str) {
++  if (ws_str.size() > INT_MAX) {
++    fail_check("wstring_to_utf8str: string is too long for converting to UTF-8.");
++  }
++  int size_required =
++      WideCharToMultiByte(CP_UTF8, 0, ws_str.c_str(), static_cast<int>(ws_str.size()), NULL, 0, NULL, NULL);
++  std::string utf8str(size_required, 0);
++  WideCharToMultiByte(
++      CP_UTF8, 0, ws_str.c_str(), static_cast<int>(ws_str.size()), &utf8str[0], size_required, NULL, NULL);
++  return utf8str;
++}
+ 
+ #else
+ std::string path_join(const std::string& origin, const std::string& append);
+diff --git a/third_party/onnx/onnx/cpp2py_export.cc b/third_party/onnx/onnx/cpp2py_export.cc
+index bc2594db0db..83cea68f3eb 100644
+--- a/third_party/onnx/onnx/cpp2py_export.cc
++++ b/third_party/onnx/onnx/cpp2py_export.cc
+@@ -545,6 +545,8 @@ PYBIND11_MODULE(onnx_cpp2py_export, onnx_cpp2py_export) {
+       "full_check"_a = false,
+       "skip_opset_compatibility_check"_a = false);
+ 
++  checker.def("_resolve_external_data_location", &checker::resolve_external_data_location);
++
+   // Submodule `version_converter`
+   auto version_converter = onnx_cpp2py_export.def_submodule("version_converter");
+   version_converter.doc() = "VersionConverter submodule";
+diff --git a/third_party/onnx/onnx/external_data_helper.py b/third_party/onnx/onnx/external_data_helper.py
+index bbc2717fb4c..05c486c621a 100644
+--- a/third_party/onnx/onnx/external_data_helper.py
++++ b/third_party/onnx/onnx/external_data_helper.py
+@@ -8,6 +8,7 @@
+ from itertools import chain
+ from typing import Callable, Iterable, Optional
+ 
++import onnx.onnx_cpp2py_export.checker as c_checker
+ from onnx.onnx_pb import AttributeProto, GraphProto, ModelProto, TensorProto
+ 
+ 
+@@ -39,9 +40,9 @@ def load_external_data_for_tensor(tensor: TensorProto, base_dir: str) -> None:
+         base_dir: directory that contains the external data.
+     """
+     info = ExternalDataInfo(tensor)
+-    file_location = _sanitize_path(info.location)
+-    external_data_file_path = os.path.join(base_dir, file_location)
+-
++    external_data_file_path = c_checker._resolve_external_data_location(  # type: ignore[attr-defined]
++        base_dir, info.location, tensor.name
++    )
+     with open(external_data_file_path, "rb") as data_file:
+         if info.offset:
+             data_file.seek(info.offset)
+@@ -259,14 +260,6 @@ def _get_attribute_tensors(onnx_model_proto: ModelProto) -> Iterable[TensorProto
+     yield from _get_attribute_tensors_from_graph(onnx_model_proto.graph)
+ 
+ 
+-def _sanitize_path(path: str) -> str:
+-    """Remove path components which would allow traversing up a directory tree from a base path.
+-
+-    Note: This method is currently very basic and should be expanded.
+-    """
+-    return path.lstrip("/.")
+-
+-
+ def _is_valid_filename(filename: str) -> bool:
+     """Utility to check whether the provided filename is valid."""
+     exp = re.compile('^[^<>:;,?"*|/]+$')
+diff --git a/third_party/onnx/onnx/test/test_external_data.py b/third_party/onnx/onnx/test/test_external_data.py
+index 63f6b4efedd..bb14d279aff 100644
+--- a/third_party/onnx/onnx/test/test_external_data.py
++++ b/third_party/onnx/onnx/test/test_external_data.py
+@@ -3,6 +3,7 @@
+ # SPDX-License-Identifier: Apache-2.0
+ from __future__ import annotations
+ 
++import itertools
+ import os
+ import pathlib
+ import tempfile
+@@ -204,6 +205,52 @@ def test_save_external_single_file_data(self) -> None:
+         attribute_tensor = new_model.graph.node[0].attribute[0].t
+         np.testing.assert_allclose(to_array(attribute_tensor), self.attribute_value)
+ 
++    @parameterized.parameterized.expand(itertools.product((True, False), (True, False)))
++    def test_save_external_invalid_single_file_data_and_check(
++        self, use_absolute_path: bool, use_model_path: bool
++    ) -> None:
++        model = onnx.load_model(self.model_filename, self.serialization_format)
++
++        model_dir = os.path.join(self.temp_dir, "save_copy")
++        os.mkdir(model_dir)
++
++        traversal_external_data_dir = os.path.join(
++            self.temp_dir, "invlid_external_data"
++        )
++        os.mkdir(traversal_external_data_dir)
++
++        if use_absolute_path:
++            traversal_external_data_location = os.path.join(
++                traversal_external_data_dir, "tensors.bin"
++            )
++        else:
++            traversal_external_data_location = "../invlid_external_data/tensors.bin"
++
++        external_data_dir = os.path.join(self.temp_dir, "external_data")
++        os.mkdir(external_data_dir)
++        new_model_filepath = os.path.join(model_dir, "model.onnx")
++
++        def convert_model_to_external_data_no_check(model: ModelProto, location: str):
++            for tensor in model.graph.initializer:
++                if tensor.HasField("raw_data"):
++                    set_external_data(tensor, location)
++
++        convert_model_to_external_data_no_check(
++            model,
++            location=traversal_external_data_location,
++        )
++
++        onnx.save_model(model, new_model_filepath, self.serialization_format)
++        if use_model_path:
++            with self.assertRaises(onnx.checker.ValidationError):
++                _ = onnx.load_model(new_model_filepath, self.serialization_format)
++        else:
++            onnx_model = onnx.load_model(
++                new_model_filepath, self.serialization_format, load_external_data=False
++            )
++            with self.assertRaises(onnx.checker.ValidationError):
++                load_external_data_for_model(onnx_model, external_data_dir)
++
+ 
+ @parameterized.parameterized_class(
+     [
diff --git a/SPECS/pytorch/pytorch.spec b/SPECS/pytorch/pytorch.spec
index cf4db56fd85..4256781ebbf 100644
--- a/SPECS/pytorch/pytorch.spec
+++ b/SPECS/pytorch/pytorch.spec
@@ -2,7 +2,7 @@
 Summary:        Tensors and Dynamic neural networks in Python with strong GPU acceleration.
 Name:           pytorch
 Version:        2.2.2
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD-3-Clause
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -24,6 +24,9 @@ BuildRequires:  python3-setuptools
 BuildRequires:  python3-typing-extensions
 BuildRequires:  python3-six
 
+Patch1:         CVE-2024-27318.patch
+Patch2:         CVE-2022-1941.patch
+
 %description
 PyTorch is a Python package that provides two high-level features:
 - Tensor computation (like NumPy) with strong GPU acceleration
@@ -56,7 +59,7 @@ PyTorch is a Python package that provides two high-level features:
 You can reuse your favorite Python packages such as NumPy, SciPy and Cython to extend PyTorch when needed.
 
 %prep
-%autosetup -a 1 -n %{name}-v%{version}
+%autosetup -a 1 -p 1 -n %{name}-v%{version}
 
 %build
 export USE_CUDA=0
@@ -84,6 +87,9 @@ cp -arf docs %{buildroot}/%{_pkgdocdir}
 %{_docdir}/*
 
 %changelog
+* Tue Sep 17 2024 Archana Choudhary <archana1@microsoft.com> - 2.2.2-2
+- patch for CVE-2024-27318, CVE-2022-1941
+
 * Tue Apr 02 2024 Riken Maharjan <rmaharjan@microsoft.com> - 2.2.2-1
 - Upgrade to pytorch 2.2.2
 
diff --git a/SPECS/qemu/qemu.spec b/SPECS/qemu/qemu.spec
index 845d8afad6f..537f26ca96a 100644
--- a/SPECS/qemu/qemu.spec
+++ b/SPECS/qemu/qemu.spec
@@ -428,7 +428,7 @@ Obsoletes: sgabios-bin <= 1:0.20180715git-10.fc38
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 8.2.0
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND FSFAP AND GPL-1.0-or-later AND GPL-2.0-only AND GPL-2.0-or-later AND GPL-2.0-or-later WITH GCC-exception-2.0 AND LGPL-2.0-only AND LGPL-2.0-or-later AND LGPL-2.1-only AND LGPL-2.1-or-later AND MIT AND LicenseRef-Fedora-Public-Domain AND CC-BY-3.0
 URL: http://www.qemu.org/
 
@@ -640,7 +640,7 @@ BuildRequires: rutabaga-gfx-ffi-devel
 %endif
 
 %if %{user_static}
-BuildRequires: glibc-static >= 2.38-7
+BuildRequires: glibc-static >= 2.38-8
 BuildRequires: glib2-static zlib-static
 BuildRequires: pcre2-static
 %endif
@@ -3421,6 +3421,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 
 
 %changelog
+* Mon Aug 26 2024 Rachel Menge <rachelmenge@microsoft.com> - 8.2.0-11
+- Update to build dep latest glibc-static version
+
 * Wed Aug 21 2024 Chris Co <chrco@microsoft.com> - 8.2.0-10
 - Bump to rebuild with updated glibc
 
diff --git a/SPECS/rabbitmq-server/rabbitmq-server.signatures.json b/SPECS/rabbitmq-server/rabbitmq-server.signatures.json
index 4a2c16f9429..879e4ca743a 100644
--- a/SPECS/rabbitmq-server/rabbitmq-server.signatures.json
+++ b/SPECS/rabbitmq-server/rabbitmq-server.signatures.json
@@ -1,6 +1,5 @@
 {
  "Signatures": {
-  "mix_task_archive_deps-1.0.0.ez": "e6079c02cbbb41526ea18e8142a14093094c2f1942865f1cb64fbc4eb6212a48",
-  "rabbitmq-server-3.13.0.tar.xz": "3715e559a69b138a5d0a4bf242ee69f3264d4f5cf3c1e3726c66d9d33476d4ef"
+  "rabbitmq-server-3.13.7.tar.xz": "18353262e77085048bac55cedb55b77f0987dad97649317d812b99b1bdc6661d"
  }
 }
diff --git a/SPECS/rabbitmq-server/rabbitmq-server.spec b/SPECS/rabbitmq-server/rabbitmq-server.spec
index ae347bf6d67..c3753a44bc0 100644
--- a/SPECS/rabbitmq-server/rabbitmq-server.spec
+++ b/SPECS/rabbitmq-server/rabbitmq-server.spec
@@ -1,7 +1,7 @@
 %define  debug_package %{nil}
 Summary:        rabbitmq-server
 Name:           rabbitmq-server
-Version:        3.13.0
+Version:        3.13.7
 Release:        1%{?dist}
 License:        Apache-2.0 and MPL 2.0
 Vendor:         Microsoft Corporation
@@ -65,6 +65,11 @@ done
 %{_libdir}/rabbitmq/lib/rabbitmq_server-%{version}/*
 
 %changelog
+* Tue Sep 17 2024 Archana Choudhary <archana1@microsoft.com> - 3.13.7-1
+- Upgrade rabbitmq-server to version 3.13.7
+- deps/jose is updated to 1.11.10
+- Fixes CVE-2023-50966
+
 * Thu Mar 28 2024 Sam Meluch <sammeluch@microsoft.com> - 3.13.0-1
 - Upgrade rabbitmq-server to version 3.13.0 for Azure Linux 3.0
 - Remove now unused vendor tarballs
diff --git a/SPECS/rpmdevtools/rpmdevtools.spec b/SPECS/rpmdevtools/rpmdevtools.spec
index e2919a2e419..fdfd0ede6a6 100644
--- a/SPECS/rpmdevtools/rpmdevtools.spec
+++ b/SPECS/rpmdevtools/rpmdevtools.spec
@@ -1,12 +1,14 @@
 Name:           rpmdevtools
 Version:        9.6
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        RPM Development Tools
 
 # rpmdev-md5 and rpmdev-setuptree are GPL-2.0-only,
 # everything else is GPL-2.0-or-later.
 License:        GPL-2.0-or-later AND GPL-2.0-only
 URL:            https://pagure.io/rpmdevtools
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        https://releases.pagure.org/rpmdevtools/%{name}-%{version}.tar.xz
 Source1:        progressbar.py
 
@@ -157,6 +159,9 @@ $check_ok
 
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 9.6-9
+- Add missing Vendor and Distribution tags.
+
 * Tue Feb 20 2024 Daniel McIlvaney <damcilva@microsoft.com> - 9.6-8
 - Refresh from Fedora 40 (license: MIT)
 - Add conditional flags for azl
diff --git a/SPECS/rtctl/rtctl.spec b/SPECS/rtctl/rtctl.spec
index 32be011f176..53cae006c7f 100644
--- a/SPECS/rtctl/rtctl.spec
+++ b/SPECS/rtctl/rtctl.spec
@@ -1,12 +1,14 @@
-Name:       rtctl
-Version:    1.13
-Release:    6%{?dist}
-Summary:    Scripts for controlling scheduling priorities of system threads
-Group:      Applications/System
-License:    GPL
-BuildArch:  noarch
-Source0:    %{_distro_sources_url}/rtctl-%{version}.tar.bz2
-BuildRoot:  %{_tmppath}/%{name}-%{version}-build
+Name:          rtctl
+Version:       1.13
+Release:       7%{?dist}
+Summary:       Scripts for controlling scheduling priorities of system threads
+Group:         Applications/System
+License:       GPL
+BuildArch:     noarch
+Vendor:        Microsoft Corporation
+Distribution:  Azure Linux
+Source0:       %{_distro_sources_url}/rtctl-%{version}.tar.bz2
+BuildRoot:     %{_tmppath}/%{name}-%{version}-build
 
 %description
 rtctl is a set of scripts used to manipulate the scheduling priorities of
@@ -41,6 +43,9 @@ systemctl disable rtctl
 fi
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.13-7
+- Add missing Vendor and Distribution tags.
+
 * Thu Feb 22 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.13-6
 - Updating naming for 3.0 version of Azure Linux.
 
diff --git a/SPECS/ruby/CVE-2024-41946.patch b/SPECS/ruby/CVE-2024-41946.patch
new file mode 100644
index 00000000000..63e3c821d91
--- /dev/null
+++ b/SPECS/ruby/CVE-2024-41946.patch
@@ -0,0 +1,111 @@
+From 8f46a0155b5ff647fef8314b0b36491ea2d7de7b Mon Sep 17 00:00:00 2001
+From: Harshit Gupta <guptaharshit@microsoft.com>
+Date: Wed, 18 Sep 2024 09:34:21 -0700
+Subject: [PATCH] Patch for CVE-2024-41946
+
+Based on upstream commit
+https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368
+
+---
+ lib/rexml/parsers/baseparser.rb | 19 ++++++++++++++++++-
+ lib/rexml/parsers/pullparser.rb |  4 ++++
+ lib/rexml/parsers/sax2parser.rb |  4 ++++
+ 3 files changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb
+index d09237c..61f6787 100644
+--- a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb
++++ b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb
+@@ -128,6 +128,7 @@ module REXML
+       def initialize( source )
+         self.stream = source
+         @listeners = []
++        @entity_expansion_count = 0
+       end
+ 
+       def add_listener( listener )
+@@ -135,6 +136,7 @@ module REXML
+       end
+ 
+       attr_reader :source
++      attr_reader :entity_expansion_count
+ 
+       def stream=( source )
+         @source = SourceFactory.create_from( source )
+@@ -446,7 +448,9 @@ module REXML
+       def entity( reference, entities )
+         value = nil
+         value = entities[ reference ] if entities
+-        if not value
++        if value
++          record_entity_expansion
++        else
+           value = DEFAULT_ENTITIES[ reference ]
+           value = value[2] if value
+         end
+@@ -481,12 +485,17 @@ module REXML
+         }
+         matches.collect!{|x|x[0]}.compact!
+         if matches.size > 0
++          sum = 0
+           matches.each do |entity_reference|
+             unless filter and filter.include?(entity_reference)
+               entity_value = entity( entity_reference, entities )
+               if entity_value
+                 re = /&#{entity_reference};/
+                 rv.gsub!( re, entity_value )
++                sum += rv.bytesize
++                if sum > Security.entity_expansion_text_limit
++                  raise "entity expansion has grown too large"
++                end
+               else
+                 er = DEFAULT_ENTITIES[entity_reference]
+                 rv.gsub!( er[0], er[2] ) if er
+@@ -499,6 +508,14 @@ module REXML
+       end
+ 
+       private
++
++      def record_entity_expansion
++        @entity_expansion_count += 1
++        if @entity_expansion_count > Security.entity_expansion_limit
++          raise "number of entity expansions exceeded, processing aborted."
++        end
++      end
++
+       def need_source_encoding_update?(xml_declaration_encoding)
+         return false if xml_declaration_encoding.nil?
+         return false if /\AUTF-16\z/i =~ xml_declaration_encoding
+diff --git a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/pullparser.rb b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/pullparser.rb
+index f8b232a..36b4595 100644
+--- a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/pullparser.rb
++++ b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/pullparser.rb
+@@ -47,6 +47,10 @@ module REXML
+         @listeners << listener
+       end
+ 
++      def entity_expansion_count
++        @parser.entity_expansion_count
++      end
++
+       def each
+         while has_next?
+           yield self.pull
+diff --git a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/sax2parser.rb b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/sax2parser.rb
+index 6a24ce2..01cb469 100644
+--- a/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/sax2parser.rb
++++ b/.bundle/gems/rexml-3.2.8/lib/rexml/parsers/sax2parser.rb
+@@ -22,6 +22,10 @@ module REXML
+         @parser.source
+       end
+ 
++      def entity_expansion_count
++        @parser.entity_expansion_count
++      end
++
+       def add_listener( listener )
+         @parser.add_listener( listener )
+       end
+-- 
+2.34.1
+
diff --git a/SPECS/ruby/ruby.spec b/SPECS/ruby/ruby.spec
index e7231cd0fac..9a384802039 100644
--- a/SPECS/ruby/ruby.spec
+++ b/SPECS/ruby/ruby.spec
@@ -88,7 +88,7 @@ Name:           ruby
 # provides should be versioned according to the ruby version.
 # More info: https://stdgems.org/
 Version:        %{ruby_version}
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        (Ruby OR BSD) AND Public Domain AND MIT AND CC0 AND zlib AND UCD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -102,6 +102,7 @@ Source4:        rubygems.con
 Source5:        rubygems.prov
 Source6:        rubygems.req
 Source7:        macros.rubygems
+Patch0:         CVE-2024-41946.patch
 # Updates default ruby-uri to 0.12.2 and vendored one to 0.10.3. Remove once ruby gets updated to a version that comes with both lib/uri/version.rb and lib/bundler/vendor/uri/lib/uri/version.rb versions >= 0.12.2 or == 0.10.3
 BuildRequires:  openssl-devel
 # Pkgconfig(yaml-0.1) is needed to build the 'psych' gem.
@@ -407,6 +408,10 @@ sudo -u test make test TESTS="-v"
 %{_rpmconfigdir}/rubygems.con
 
 %changelog
+* Wed Sep 18 2024 Harshit Gupta <guptaharshit@microsoft.com> - 3.3.3-2
+- Revert ruby back to 3.3.3 to avoid build failure of rubygems-* packages
+- Add patch for CVE-2024-41946 for bundled gem rexml
+
 * Wed Aug 07 2024 Alejandro Martinez Torres <alejandroma@microsoft.com> - 3.3.3-1
 - Upgrade ruby to 3.3.3 to resolve CVE-2024-41946
 
diff --git a/SPECS/rubygem-rexml/add-support-for-old-strscan.patch b/SPECS/rubygem-rexml/add-support-for-old-strscan.patch
deleted file mode 100644
index 1c848deb05a..00000000000
--- a/SPECS/rubygem-rexml/add-support-for-old-strscan.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From f1df7d13b3e57a5e059273d2f0870163c08d7420 Mon Sep 17 00:00:00 2001
-From: Sutou Kouhei <kou@clear-code.com>
-Date: Mon, 20 May 2024 12:17:27 +0900
-Subject: [PATCH] Add support for old strscan
-
-Fix GH-132
-
-If we support old strscan, users can also use strscan installed as a
-default gem.
-
-Reported by Adam. Thanks!!!
----
- .github/workflows/test.yml      | 32 ++++++++++++++++++++++----------
- lib/rexml/parsers/baseparser.rb | 11 +++++++++++
- rexml.gemspec                   |  2 +-
- 3 files changed, 34 insertions(+), 11 deletions(-)
-
-diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
-index fd26b9a..f977de6 100644
---- a/.github/workflows/test.yml
-+++ b/.github/workflows/test.yml
-@@ -3,14 +3,14 @@ on:
-   - push
-   - pull_request
- jobs:
--  ruby-versions:
-+  ruby-versions-inplace:
-     uses: ruby/actions/.github/workflows/ruby_versions.yml@master
-     with:
-       engine: cruby-jruby
-       min_version: 2.5
-
-   inplace:
--    needs: ruby-versions
-+    needs: ruby-versions-inplace
-     name: "Inplace: ${{ matrix.ruby-version }} on ${{ matrix.runs-on }}"
-     runs-on: ${{ matrix.runs-on }}
-     strategy:
-@@ -20,7 +20,7 @@ jobs:
-           - ubuntu-latest
-           - macos-latest
-           - windows-latest
--        ruby-version: ${{ fromJson(needs.ruby-versions.outputs.versions) }}
-+        ruby-version: ${{ fromJson(needs.ruby-versions-inplace.outputs.versions) }}
-         exclude:
-           - {runs-on: macos-latest, ruby-version: 2.5}
-         # include:
-@@ -47,7 +47,14 @@ jobs:
-       - name: Test
-         run: bundle exec rake test RUBYOPT="--enable-frozen-string-literal"
-
-+  ruby-versions-gem:
-+    uses: ruby/actions/.github/workflows/ruby_versions.yml@master
-+    with:
-+      engine: cruby-jruby
-+      min_version: 3.0
-+
-   gem:
-+    needs: ruby-versions-gem
-     name: "Gem: ${{ matrix.ruby-version }} on ${{ matrix.runs-on }}"
-     runs-on: ${{ matrix.runs-on }}
-     strategy:
-@@ -57,21 +64,26 @@ jobs:
-           - ubuntu-latest
-           - macos-latest
-           - windows-latest
--        ruby-version:
--          - "3.0"
--          - head
-+        ruby-version: ${{ fromJson(needs.ruby-versions-gem.outputs.versions) }}
-     steps:
-       - uses: actions/checkout@v4
-       - uses: ruby/setup-ruby@v1
-         with:
-           ruby-version: ${{ matrix.ruby-version }}
-       - name: Install as gem
--        env:
--          BUNDLE_PATH__SYSTEM: "true"
--          BUNDLE_WITHOUT: "benchmark:development"
-         run: |
-           rake install
--          bundle install
-+      - name: Install test dependencies on non-Windows
-+        if: matrix.runs-on != 'windows-latest'
-+        run: |
-+          for gem in $(ruby -e 'puts ARGF.read[/^group :test do(.*)^end/m, 1].scan(/"(.+?)"/)' Gemfile); do
-+            gem install ${gem}
-+          done
-+      - name: Install test dependencies on Windows
-+        if: matrix.runs-on == 'windows-latest'
-+        run: |
-+          gem install test-unit
-+          gem install test-unit-ruby-core
-       - name: Test
-         run: |
-           ruby -run -e mkdir -- tmp
-diff --git a/lib/rexml/parsers/baseparser.rb b/lib/rexml/parsers/baseparser.rb
-index d09237c..da051a7 100644
---- a/lib/rexml/parsers/baseparser.rb
-+++ b/lib/rexml/parsers/baseparser.rb
-@@ -7,6 +7,17 @@
-
- module REXML
-   module Parsers
-+    if StringScanner::Version < "3.0.8"
-+      module StringScannerCaptures
-+        refine StringScanner do
-+          def captures
-+            values_at(*(1...size))
-+          end
-+        end
-+      end
-+      using StringScannerCaptures
-+    end
-+
-     # = Using the Pull Parser
-     # <em>This API is experimental, and subject to change.</em>
-     #  parser = PullParser.new( "<a>text<b att='val'/>txet</a>" )
-diff --git a/rexml.gemspec b/rexml.gemspec
-index 97eac65..169e49d 100644
---- a/rexml.gemspec
-+++ b/rexml.gemspec
-@@ -55,5 +55,5 @@ Gem::Specification.new do |spec|
-
-   spec.required_ruby_version = '>= 2.5.0'
-
--  spec.add_runtime_dependency("strscan", ">= 3.0.9")
-+  spec.add_runtime_dependency("strscan")
- end
diff --git a/SPECS/rubygem-rexml/rubygem-rexml.signatures.json b/SPECS/rubygem-rexml/rubygem-rexml.signatures.json
index 22a4addc7dd..7ca57f5a236 100644
--- a/SPECS/rubygem-rexml/rubygem-rexml.signatures.json
+++ b/SPECS/rubygem-rexml/rubygem-rexml.signatures.json
@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "rexml-3.2.8.tar.gz": "44c1d11af52fba515380867980ff1e30b3a3d303cb90a7ca89659563969f3444"
+  "rexml-3.3.4.tar.gz": "c6ab9da9502b2a5e824925de5f5774d9222c377d0537393f560fba71e0f868c7"
  }
 }
diff --git a/SPECS/rubygem-rexml/rubygem-rexml.spec b/SPECS/rubygem-rexml/rubygem-rexml.spec
index b69def1d0ac..135c0b1b3eb 100644
--- a/SPECS/rubygem-rexml/rubygem-rexml.spec
+++ b/SPECS/rubygem-rexml/rubygem-rexml.spec
@@ -2,7 +2,7 @@
 %global gem_name rexml
 Summary:        REXML is an XML toolkit for Ruby
 Name:           rubygem-%{gem_name}
-Version:        3.2.8
+Version:        3.3.4
 Release:        1%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
@@ -10,7 +10,6 @@ Distribution:   Azure Linux
 Group:          Development/Languages
 URL:            https://github.com/ruby/rexml
 Source0:        https://github.com/ruby/rexml/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz
-Patch0:         add-support-for-old-strscan.patch
 BuildRequires:  git
 BuildRequires:  ruby
 Requires:       ruby(release)
@@ -35,6 +34,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-
 %{gemdir}
 
 %changelog
+* Fri Aug 9 2024 Bhagyashri Pathak <bhapathak@microsoft.com> - 3.3.4-1
+- Upgrade to 3.3.4 to resolve CVE-2024-39908
+
 * Wed May 22 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 3.2.8-1
 - Upgrade to v3.2.8 to fix CVE-2024-35176
 - Add patch to support old strscan
diff --git a/SPECS/rust/rust.spec b/SPECS/rust/rust.spec
index 4f301a1ea9d..bdff8c972fa 100644
--- a/SPECS/rust/rust.spec
+++ b/SPECS/rust/rust.spec
@@ -9,7 +9,7 @@
 Summary:        Rust Programming Language
 Name:           rust
 Version:        1.75.0
-Release:        10%{?dist}
+Release:        11%{?dist}
 License:        (ASL 2.0 OR MIT) AND BSD AND CC-BY-3.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -60,7 +60,7 @@ BuildRequires:  ninja-build
 BuildRequires:  openssl-devel
 BuildRequires:  python3
 %if 0%{?with_check}
-BuildRequires:  glibc-static >= 2.38-7%{?dist}
+BuildRequires:  glibc-static >= 2.38-8%{?dist}
 %endif
 # rustc uses a C compiler to invoke the linker, and links to glibc in most cases
 Requires:       binutils
@@ -172,6 +172,9 @@ rm %{buildroot}%{_bindir}/*.old
 %{_mandir}/man1/*
 
 %changelog
+* Mon Aug 26 2024 Rachel Menge <rachelmenge@microsoft.com> - 1.75.0-11
+- Update to build dep latest glibc-static version
+
 * Wed Aug 21 2024 Chris Co <chrco@microsoft.com> - 1.75.0-10
 - Bump to rebuild with updated glibc
 
diff --git a/SPECS/selinux-policy/0036-fstools-Add-additional-perms-for-cloud-utils-growpar.patch b/SPECS/selinux-policy/0036-fstools-Add-additional-perms-for-cloud-utils-growpar.patch
new file mode 100644
index 00000000000..35ca17598f5
--- /dev/null
+++ b/SPECS/selinux-policy/0036-fstools-Add-additional-perms-for-cloud-utils-growpar.patch
@@ -0,0 +1,115 @@
+From b9d020a7a6ec6a9f63f53c461c84ac88ea32c1d5 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <chpebeni@linux.microsoft.com>
+Date: Tue, 6 Aug 2024 11:35:33 -0400
+Subject: [PATCH 36/37] fstools: Add additional perms for cloud-utils-growpart.
+
+Missed in previous growpart patch due to testing errors.
+
+Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
+---
+ policy/modules/admin/cloudinit.if | 38 +++++++++++++++++++++++++++++++
+ policy/modules/system/fstools.fc  |  2 ++
+ policy/modules/system/fstools.te  | 14 ++++++++++--
+ 3 files changed, 52 insertions(+), 2 deletions(-)
+
+diff --git a/policy/modules/admin/cloudinit.if b/policy/modules/admin/cloudinit.if
+index 6d427e771..25e94729e 100644
+--- a/policy/modules/admin/cloudinit.if
++++ b/policy/modules/admin/cloudinit.if
+@@ -181,6 +181,25 @@ interface(`cloudinit_getattr_state_files',`
+ 	allow $1 cloud_init_state_t:file getattr;
+ ')
+ 
++########################################
++## <summary>
++##	Create, read, write, and delete cloud-init temporary dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cloudinit_manage_tmp_dirs',`
++	gen_require(`
++		type cloud_init_tmp_t;
++	')
++
++	files_search_tmp($1)
++	manage_dirs_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Write inherited cloud-init temporary files.
+@@ -237,3 +256,22 @@ interface(`cloudinit_create_tmp_files',`
+ 	files_search_tmp($1)
+ 	create_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
+ ')
++
++########################################
++## <summary>
++##	Create, read, write, and delete cloud-init temporary files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cloudinit_manage_tmp_files',`
++	gen_require(`
++		type cloud_init_tmp_t;
++	')
++
++	files_search_tmp($1)
++	manage_files_pattern($1, cloud_init_tmp_t, cloud_init_tmp_t)
++')
+diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
+index 63423802d..0fa9fb5c0 100644
+--- a/policy/modules/system/fstools.fc
++++ b/policy/modules/system/fstools.fc
+@@ -18,6 +18,7 @@
+ /usr/bin/findfs			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/fsck.*			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/gdisk			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/bin/growpart		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/hdparm			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/install-mbr		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/jfs_.*			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -75,6 +76,7 @@
+ /usr/sbin/findfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/fsck.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/gdisk			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/growpart		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/hdparm		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/install-mbr		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/jfs_.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
+index d5e090c28..18a42890c 100644
+--- a/policy/modules/system/fstools.te
++++ b/policy/modules/system/fstools.te
+@@ -201,8 +201,18 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	cloudinit_rw_tmp_files(fsadm_t)
+-	cloudinit_create_tmp_files(fsadm_t)
++	cloudinit_manage_tmp_files(fsadm_t)
++	cloudinit_manage_tmp_dirs(fsadm_t)
++
++	optional_policy(`
++		# cloud-utils-growpart
++		lvm_domtrans(fsadm_t)
++	')
++
++	optional_policy(`
++		# cloud-utils-growpart
++		udev_domtrans(fsadm_t)
++	')
+ ')
+ 
+ optional_policy(`
+-- 
+2.46.0
+
diff --git a/SPECS/selinux-policy/0037-docker-Fix-dockerc-typo-in-container_engine_executab.patch b/SPECS/selinux-policy/0037-docker-Fix-dockerc-typo-in-container_engine_executab.patch
new file mode 100644
index 00000000000..2d2bf8597e8
--- /dev/null
+++ b/SPECS/selinux-policy/0037-docker-Fix-dockerc-typo-in-container_engine_executab.patch
@@ -0,0 +1,27 @@
+From 52da8b0bc0d1e84bd158b48a2a7163c451bcc917 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <chpebeni@linux.microsoft.com>
+Date: Wed, 28 Feb 2024 16:29:18 -0500
+Subject: [PATCH 37/37] docker: Fix dockerc typo in
+ container_engine_executable_file
+
+Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
+---
+ policy/modules/services/docker.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/services/docker.te b/policy/modules/services/docker.te
+index 657b19962..c8d54183f 100644
+--- a/policy/modules/services/docker.te
++++ b/policy/modules/services/docker.te
+@@ -21,7 +21,7 @@ mls_trusted_object(dockerd_t)
+ 
+ type dockerc_t;
+ type dockerc_exec_t;
+-container_engine_executable_file(dockerc_t)
++container_engine_executable_file(dockerc_exec_t)
+ application_domain(dockerc_t, dockerc_exec_t)
+ 
+ container_engine_domain_template(dockerd_user)
+-- 
+2.46.0
+
diff --git a/SPECS/selinux-policy/selinux-policy.spec b/SPECS/selinux-policy/selinux-policy.spec
index 1334eaa9fc5..8389a1a3166 100644
--- a/SPECS/selinux-policy/selinux-policy.spec
+++ b/SPECS/selinux-policy/selinux-policy.spec
@@ -9,7 +9,7 @@
 Summary:        SELinux policy
 Name:           selinux-policy
 Version:        %{refpolicy_major}.%{refpolicy_minor}
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -54,6 +54,8 @@ Patch32:        0032-rpm-Fixes-from-various-post-scripts.patch
 Patch33:        0033-kmod-fix-for-run-modprobe.d.patch
 Patch34:        0034-systemd-Fix-dac_override-use-in-systemd-machine-id-s.patch
 Patch35:        0035-rpm-Run-systemd-sysctl-from-post.patch
+Patch36:        0036-fstools-Add-additional-perms-for-cloud-utils-growpar.patch
+Patch37:        0037-docker-Fix-dockerc-typo-in-container_engine_executab.patch
 BuildRequires:  bzip2
 BuildRequires:  checkpolicy >= %{CHECKPOLICYVER}
 BuildRequires:  m4
@@ -325,6 +327,10 @@ exit 0
 selinuxenabled && semodule -nB
 exit 0
 %changelog
+* Wed Sep 11 2024 Chris PeBenito <chpebeni@microsoft.com> - 2.20240226-8
+- Add additional required permissions for cloud-utils-growpart.
+- Cherry-pick upstream fix for typo in docker module.
+
 * Mon Aug 13 2024 Chris PeBenito <chpebeni@microsoft.com> - 2.20240226-7
 - Change policy composition so the base module only consits of policy modules
   that must be in the base.  This will allow dowstream users to disable or
diff --git a/SPECS/shared-mime-info/shared-mime-info.spec b/SPECS/shared-mime-info/shared-mime-info.spec
index 41d1c2eefe0..559d6f7e040 100644
--- a/SPECS/shared-mime-info/shared-mime-info.spec
+++ b/SPECS/shared-mime-info/shared-mime-info.spec
@@ -4,9 +4,11 @@
 Summary:        Shared MIME information database
 Name:           shared-mime-info
 Version:        2.2
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2+
 URL:            https://freedesktop.org/Software/shared-mime-info
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        https://gitlab.freedesktop.org/xdg/shared-mime-info/-/archive/%{version}/shared-mime-info-%{version}.tar.bz2
 
 Source1:        gnome-mimeapps.list
@@ -115,6 +117,9 @@ update-mime-database -n %{_datadir}/mime &> /dev/null ||:
 %{_datadir}/gettext/its/shared-mime-info.loc
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 2.2-3
+- Add missing Vendor and Distribution tags.
+
 * Thu Feb 22 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 2.2-2
 - Updating naming for 3.0 version of Azure Linux.
 
@@ -363,11 +368,11 @@ update-mime-database -n %{_datadir}/mime &> /dev/null ||:
 * Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
 
-* Tue May 22 2012 Rex Dieter <rdieter@fedoraproject.org> 
+* Tue May 22 2012 Rex Dieter <rdieter@fedoraproject.org>
 - 1.0-4
 - defaults.list: s/mozilla-firefox/firefox/ (see #736558)
 - defaults.list: s/gpk-install-file/gpk-install-local-file/
-- defaults.list: application/x-catalog=gpk-install-catalog.desktop (#770019) 
+- defaults.list: application/x-catalog=gpk-install-catalog.desktop (#770019)
 
 * Fri May 11 2012 Bastien Nocera <bnocera@redhat.com> 1.0-3
 - Use gnome-disk-image-mounter from gnome-disk-utility to handle
@@ -600,7 +605,7 @@ update-mime-database -n %{_datadir}/mime &> /dev/null ||:
 - rebuilt for new gcc4.1 snapshot and glibc changes
 
 * Mon Jan 30 2006 Caolan McNamara <caolanm@redhat.com> - 0.16.cvs20051219-2
-- rh#179138# add openoffice.org as preferred app for oasis formats 
+- rh#179138# add openoffice.org as preferred app for oasis formats
 
 * Mon Dec 19 2005 Matthias Clasen <mclasen@redhat.com> - 0.16.cvs20051219-1
 - Newer cvs snapshot
@@ -652,7 +657,7 @@ update-mime-database -n %{_datadir}/mime &> /dev/null ||:
 - Handle XUL files. #134122
 
 * Wed Oct 13 2004 Colin Walters <walters@redhat.com> - 0.15-7
-- Make helix default for ogg and mp3, will switch wav/flac too 
+- Make helix default for ogg and mp3, will switch wav/flac too
   when support is added
 
 * Wed Oct  6 2004 Alexander Larsson <alexl@redhat.com> - 0.15-6
diff --git a/SPECS/subunit/subunit.signatures.json b/SPECS/subunit/subunit.signatures.json
new file mode 100644
index 00000000000..bce1c5f15a6
--- /dev/null
+++ b/SPECS/subunit/subunit.signatures.json
@@ -0,0 +1,5 @@
+{
+    "Signatures": {
+     "subunit-1.4.4.tar.gz": "395787f52b8b36830c331faca546ea6c248b6cbd8de95989c2f64d432cc90531"
+    }
+   }
diff --git a/SPECS/subunit/subunit.spec b/SPECS/subunit/subunit.spec
new file mode 100644
index 00000000000..6502dfcbae4
--- /dev/null
+++ b/SPECS/subunit/subunit.spec
@@ -0,0 +1,516 @@
+# NOTE: python2 support is no longer available.  Do not build for EPEL versions
+# that do not support python3.
+#
+# NOTE: perl support was dropped in version 1.4.3.  It is available here:
+# https://github.com/jelmer/subunit-perl
+
+# Disable the tests in a bootstrap situation
+%global majver  %(cut -d. -f-2 <<< %{version})
+%global giturl  https://github.com/testing-cabal/subunit
+Summary:        C bindings for subunit
+Name:           subunit
+Version:        1.4.4
+Release:        5%{?dist}
+License:        Apache-2.0 OR BSD-3-Clause
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+URL:            https://launchpad.net/subunit
+Source:         %{giturl}/archive/%{version}/%{name}-%{version}.tar.gz
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  gcc-c++
+BuildRequires:  libtool
+BuildRequires:  make
+BuildRequires:  pkg-config
+BuildRequires:  python3-devel
+BuildRequires:  python3-pip
+BuildRequires:  python3-wheel
+BuildRequires:  pkgconfig(cppunit)
+# This can be removed when F43 reaches EOL
+Obsoletes:      %{name}-perl < 1.4.3
+%bcond bootstrap 0
+VCS:            git:%{giturl}.git
+%if %{without bootstrap}
+BuildRequires:  pkgconfig(check)
+%endif
+
+%description
+Subunit C bindings.  See the python-subunit package for test processing
+functionality.
+
+%package devel
+Summary:        Header files for developing C applications that use subunit
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+Header files and libraries for developing C applications that use subunit.
+
+%package cppunit
+Summary:        Subunit integration into cppunit
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
+%description cppunit
+Subunit integration into cppunit.
+
+%package cppunit-devel
+Summary:        Header files for applications that use cppunit and subunit
+Requires:       %{name}-cppunit%{?_isa} = %{version}-%{release}
+Requires:       %{name}-devel%{?_isa} = %{version}-%{release}
+Requires:       cppunit-devel%{?_isa}
+
+%description cppunit-devel
+Header files and libraries for developing applications that use cppunit
+and subunit.
+
+%package shell
+Summary:        Shell bindings for subunit
+BuildArch:      noarch
+
+%description shell
+Subunit shell bindings.  See the python-subunit package for test
+processing functionality.
+
+%package -n python3-%{name}
+Summary:        Streaming protocol for test results
+# This can be removed when Fedora 41 reaches EOL
+Obsoletes:      python2-%{name} < 1.4.1
+BuildArch:      noarch
+
+%description -n python3-%{name}
+Subunit is a streaming protocol for test results.  The protocol is a
+binary encoding that is easily generated and parsed.  By design all the
+components of the protocol conceptually fit into the xUnit TestCase ->
+TestResult interaction.
+
+Subunit comes with command line filters to process a subunit stream and
+language bindings for python, C, C++ and shell.  Bindings are easy to
+write for other languages.
+
+A number of useful things can be done easily with subunit:
+- Test aggregation: Tests run separately can be combined and then
+  reported/displayed together.  For instance, tests from different
+  languages can be shown as a seamless whole.
+- Test archiving: A test run may be recorded and replayed later.
+- Test isolation: Tests that may crash or otherwise interact badly with
+  each other can be run separately and then aggregated, rather than
+  interfering with each other.
+- Grid testing: subunit can act as the necessary serialization and
+  deserialization to get test runs on distributed machines to be
+  reported in real time.
+
+%package -n python3-%{name}-test
+Summary:        Test code for the python 3 subunit bindings
+Requires:       %{name}-filters = %{version}-%{release}
+Requires:       python3-%{name} = %{version}-%{release}
+BuildArch:      noarch
+
+%description -n python3-%{name}-test
+%{summary}.
+
+%package filters
+Summary:        Command line filters for processing subunit streams
+Requires:       %{py3_dist junitxml}
+Requires:       gtk3 >= 3.20
+Requires:       libnotify >= 0.7.7
+Requires:       python3-%{name} = %{version}-%{release}
+Requires:       python3-gobject
+BuildArch:      noarch
+
+%description filters
+Command line filters for processing subunit streams.
+
+%package static
+Summary:        Static C library for subunit
+Requires:       %{name}-devel%{?_isa} = %{version}-%{release}
+
+%description static
+Subunit C bindings in a static library, for building statically linked
+test cases.
+
+%prep
+%autosetup -p1
+
+fixtimestamp() {
+  touch -r $1.orig $1
+  rm $1.orig
+}
+
+# Fix underlinked library
+sed "/^tests_LDADD/ilibcppunit_subunit_la_LIBADD = -lcppunit libsubunit.la\n" \
+    -i Makefile.am
+
+# Do not use env
+for fil in $(grep -Frl "%{_bindir}/env python"); do
+  sed -ri.orig 's,%{_bindir}/env python3?,%{python3},' $fil
+  fixtimestamp $fil
+done
+
+# Update an obsolete autoconf macro
+sed -i 's/AC_PROG_LIBTOOL/LT_INIT/' configure.ac
+
+%generate_buildrequires
+%pyproject_buildrequires -x docs,test
+
+%build
+# Generate the configure script
+autoreconf -fi
+
+# Build for python3
+export PYTHON=%{_bindir}/python3
+%configure --enable-shared --enable-static
+
+# Get rid of undesirable hardcoded rpaths; workaround libtool reordering
+# -Wl,--as-needed after all the libraries.
+sed -e 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' \
+    -e 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' \
+    -e 's|CC=.g..|& -Wl,--as-needed|' \
+    -i libtool
+
+%make_build
+%pyproject_wheel
+
+%install
+%pyproject_install
+chmod 0755 %{buildroot}%{python3_sitelib}/%{name}/run.py
+chmod 0755 %{buildroot}%{python3_sitelib}/%{name}/tests/sample-script.py
+chmod 0755 %{buildroot}%{python3_sitelib}/%{name}/tests/sample-two-script.py
+
+# We set pkgpython_PYTHON for efficiency to disable automake python compilation
+%make_install pkgpython_PYTHON='' INSTALL="%{_bindir}/install -p"
+
+# Install the shell interface
+mkdir -p %{buildroot}%{_sysconfdir}/profile.d
+cp -p shell/share/%{name}.sh %{buildroot}%{_sysconfdir}/profile.d
+
+# Remove unwanted libtool files
+find %{buildroot} -type f -name "*.la" -delete -print
+
+# Fix permissions
+chmod 0755 %{buildroot}%{python3_sitelib}/%{name}/filter_scripts/*.py
+chmod 0644 %{buildroot}%{python3_sitelib}/%{name}/filter_scripts/__init__.py
+chmod 0755 %{buildroot}%{python3_sitelib}/%{name}/tests/sample-script.py
+chmod 0755 %{buildroot}%{python3_sitelib}/%{name}/tests/sample-two-script.py
+
+# Fix timestamps
+touch -r c/include/%{name}/child.h %{buildroot}%{_includedir}/%{name}/child.h
+touch -r c++/SubunitTestProgressListener.h \
+      %{buildroot}%{_includedir}/%{name}/SubunitTestProgressListener.h
+
+%check
+%if %{without bootstrap}
+# Run the tests for python3
+export LD_LIBRARY_PATH=$PWD/.libs
+export PYTHON=%{python3}
+make check
+%endif
+
+%files
+%doc NEWS README.rst
+%license Apache-2.0 BSD COPYING
+%{_libdir}/lib%{name}.so.0*
+
+%files devel
+%doc c/README
+%dir %{_includedir}/%{name}/
+%{_includedir}/%{name}/child.h
+%{_libdir}/lib%{name}.so
+%{_libdir}/pkgconfig/lib%{name}.pc
+
+%files cppunit
+%{_libdir}/libcppunit_%{name}.so.0*
+
+%files cppunit-devel
+%doc c++/README
+%{_includedir}/%{name}/SubunitTestProgressListener.h
+%{_libdir}/libcppunit_%{name}.so
+%{_libdir}/pkgconfig/libcppunit_%{name}.pc
+
+%files shell
+%doc shell/README
+%license Apache-2.0 BSD COPYING
+%config(noreplace) %{_sysconfdir}/profile.d/%{name}.sh
+
+%files -n python3-%{name}
+%license Apache-2.0 BSD COPYING
+%{python3_sitelib}/%{name}/
+%{python3_sitelib}/python_%{name}-%{version}.dist-info/
+%exclude %{python3_sitelib}/%{name}/tests/
+
+%files -n python3-%{name}-test
+%{python3_sitelib}/%{name}/tests/
+
+%files static
+%{_libdir}/*.a
+
+%files filters
+%{_bindir}/subunit*
+%{_bindir}/tap2subunit
+
+%changelog
+* Thu Sep 12 2024 Zhichun Wan <zhichunwan@microsoft.com> - 1.4.4-5
+- Initial Azure Linux import from Fedora 42 (license: MIT)
+- License Verified
+
+* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Sat Jun 08 2024 Python Maint <python-maint@redhat.com> - 1.4.4-3
+- Rebuilt for Python 3.13
+
+* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Nov 17 2023 Jerry James <loganjerry@gmail.com> - 1.4.4-1
+- Version 1.4.4
+
+* Wed Nov  8 2023 Jerry James <loganjerry@gmail.com> - 1.4.3-1
+- Version 1.4.3
+- python-iso8601 is no longer bundled in python3-subunit
+- perl support has moved to https://github.com/jelmer/subunit-perl
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Thu Jun 15 2023 Python Maint <python-maint@redhat.com> - 1.4.2-3
+- Rebuilt for Python 3.12
+
+* Fri Feb 24 2023 Jerry James <loganjerry@gmail.com> - 1.4.2-2
+- Dynamically generate python BuildRequires
+
+* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Nov 17 2022 Jerry James <loganjerry@gmail.com> - 1.4.2-1
+- Version 1.4.2
+
+* Sat Nov  5 2022 Jerry James <loganjerry@gmail.com> - 1.4.1-1
+- Version 1.4.1
+- Upstream no longer provides GPG signatures
+- Convert License tag to SPDX
+- Python 2 is no longer supported
+
+* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Jun 15 2022 Python Maint <python-maint@redhat.com> - 1.4.0-12
+- Rebuilt for Python 3.11
+
+* Mon May 30 2022 Jitka Plesnikova <jplesnik@redhat.com> - 1.4.0-11
+- Perl 5.36 rebuild
+
+* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Fri Jan 14 2022 Jerry James <loganjerry@gmail.com> - 1.4.0-9
+- Update python macros for the python3 cases
+- Simplify python2 conditional
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 1.4.0-8
+- Rebuilt for Python 3.10
+
+* Fri May 21 2021 Jitka Plesnikova <jplesnik@redhat.com> - 1.4.0-7
+- Perl 5.34 rebuild
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-5
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jun 22 2020 Jitka Plesnikova <jplesnik@redhat.com> - 1.4.0-3
+- Perl 5.32 rebuild
+
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 1.4.0-2
+- Rebuilt for Python 3.9
+
+* Wed Mar 18 2020 Jerry James <loganjerry@gmail.com> - 1.4.0-1
+- Version 1.4.0
+- Drop all patches; all have been upstreamed
+- Verify the source tarball
+
+* Wed Mar 11 2020 Jerry James <loganjerry@gmail.com> - 1.3.0-19
+- Drop the -decode-binary-to-unicode patch; it doesn't work with the bundled
+  version of iso8601.
+- Add 0003 and 0004 patches to fix bugs reported to upstream.
+
+* Tue Mar 10 2020 Jerry James <loganjerry@gmail.com> - 1.3.0-18
+- The python iso8601 module in Fedora has diverged too much from the bundled
+  version.  Allow this package to bundle it (bz 1811697).
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Dec 25 2019 David Tardon <dtardon@redhat.com> - 1.3.0-16
+- rebuild for cppunit 1.15.1
+
+* Sat Dec 21 2019 David Tardon <dtardon@redhat.com> - 1.3.0-15
+- rebuild for cppunit 1.15.0
+
+* Wed Oct 16 2019 Jerry James <loganjerry@gmail.com> - 1.3.0-14
+- Fix symlinks for python 3.8
+
+* Fri Sep 20 2019 Jerry James <loganjerry@gmail.com> - 1.3.0-13
+- Drop python2 support in Fedora 32+ and EPEL 9+ (bz 1753957)
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 1.3.0-12
+- Rebuilt for Python 3.8
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu May 30 2019 Jitka Plesnikova <jplesnik@redhat.com> - 1.3.0-10
+- Perl 5.30 rebuild
+
+* Thu Mar 28 2019 Jerry James <loganjerry@gmail.com> - 1.3.0-9
+- Do not ship the python 2 tests for F30+
+- Run tests on aarch64 again
+
+* Wed Mar 20 2019 Andreas Schneider <asn@redhat.com> - 1.3.0-8
+- Ship the python tests, needed by Samba
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Jan  9 2019 Haïkel Guémar <hguemar@fedoraproject.org> - 1.3.0-6
+- Ensure patches get applied
+
+* Wed Jan  2 2019 Haïkel Guémar <hguemar@fedoraproject.org> - 1.3.0-5
+- Fix python3 compatibility
+
+* Fri Nov 30 2018 Haïkel Guémar <hguemar@fedoraproject.org> - 1.3.0-4
+- Migrate GUI filters to Gtk3/GObject introspection
+- Migrate filters to python3
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jul  3 2018 Jerry James <loganjerry@gmail.com> - 1.3.0-2
+- One more perl 5.28 rebuild
+
+* Tue Jul  3 2018 Jerry James <loganjerry@gmail.com> - 1.3.0-1
+- New upstream release
+- Add -static subpackage (bz 1575054)
+
+* Tue Jul 03 2018 Petr Pisar <ppisar@redhat.com> - 1.2.0-21
+- Perl 5.28 rebuild
+
+* Wed Jun 27 2018 Jitka Plesnikova <jplesnik@redhat.com> - 1.2.0-20
+- Perl 5.28 rebuild
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 1.2.0-19
+- Rebuilt for Python 3.7
+
+* Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 1.2.0-18
+- Update Python 2 dependency declarations to new packaging standards
+  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-16
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jun 26 2017 Jerry James <loganjerry@gmail.com> - 1.2.0-14
+- Rebuild to fix broken perl dependencies
+
+* Sun Jun 04 2017 Jitka Plesnikova <jplesnik@redhat.com> - 1.2.0-13
+- Perl 5.26 rebuild
+
+* Fri May  5 2017 Jerry James <loganjerry@gmail.com> - 1.2.0-12
+- Rebuild for cppunit 1.14.0
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Sun Jan 29 2017 Jerry James <loganjerry@gmail.com> - 1.2.0-10
+- Add Requires on python-junitxml to -filter subpackage (bz 1417291)
+
+* Tue Dec 20 2016 Miro Hrončok <mhroncok@redhat.com> - 1.2.0-9
+- Rebuild for Python 3.6
+
+* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-8
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Fri Jun  3 2016 Jerry James <loganjerry@gmail.com> - 1.2.0-7
+- Fix -python3 dependency on /usr/bin/python (bz 1342508)
+- Comply with latest python packaging guidelines
+- Drop workaround for bz 1251568, now fixed
+
+* Sat May 14 2016 Jitka Plesnikova <jplesnik@redhat.com> - 1.2.0-6
+- Perl 5.24 rebuild
+
+* Mon Apr 18 2016 Marcin Juszkiewicz <mjuszkiewicz@redhat.com> - 1.2.0-5
+- Added missing check for %%with_py3 to make it buildable under RHEL/CentOS
+
+* Sun Feb 14 2016 David Tardon <dtardon@redhat.com> - 1.2.0-4
+- rebuild for cppunit 1.13.2
+
+* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Nov 10 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.2.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Fri Oct 23 2015 Jerry James <loganjerry@gmail.com> - 1.2.0-1
+- New upstream release
+
+* Wed Sep  2 2015 Haïkel Guémar <hguemar@fedoraproject.org> - 1.1.0-5
+- Backport upstream patches (RHBZ#1259286)
+
+* Fri Aug  7 2015 Jerry James <loganjerry@gmail.com> - 1.1.0-4
+- Fix FTBFS due to older python-testtools (bz 1249714)
+
+* Tue Jul 14 2015 Slavek Kabrda <bkabrda@redhat.com> - 1.1.0-3
+- Symlink iso8601 file into subunit Python dirs to preserve compatibility while unbundling
+Resolves: rhbz#1233581
+
+* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Fri Jun 12 2015 Jerry James <loganjerry@gmail.com> - 1.1.0-1
+- New upstream release
+- Enable python3 tests
+
+* Wed Jun 03 2015 Jitka Plesnikova <jplesnik@redhat.com> - 1.0.0-3
+- Perl 5.22 rebuild
+
+* Sat May 02 2015 Kalev Lember <kalevlember@gmail.com> - 1.0.0-2
+- Rebuilt for GCC 5 C++11 ABI change
+
+* Tue Dec  9 2014 Jerry James <loganjerry@gmail.com> - 1.0.0-1
+- New upstream release (bz 1171483 and 1172204)
+- Add python3 subpackage (bz 1172195)
+
+* Wed Nov 19 2014 Pádraig Brady <pbrady@redhat.com> - 0.0.21-2
+- Make python-subunit egginfo available for pip etc.
+
+* Fri Sep 19 2014 Jerry James <loganjerry@gmail.com> - 0.0.21-1
+- New upstream release
+- Fix license handling
+
+* Wed Aug 27 2014 Jitka Plesnikova <jplesnik@redhat.com> - 0.0.18-5
+- Perl 5.20 rebuild
+
+* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.0.18-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.0.18-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu Apr 24 2014 Jerry James <loganjerry@gmail.com> - 0.0.18-2
+- Add license text to all independent packages
+- Add perl module Requires to the -perl subpackage
+- Fix timestamps after install
+
+* Fri Feb 14 2014 Jerry James <loganjerry@gmail.com> - 0.0.18-1
+- Initial RPM
diff --git a/SPECS/supermin/supermin.spec b/SPECS/supermin/supermin.spec
index 7f17e9f8235..f7936c81e42 100644
--- a/SPECS/supermin/supermin.spec
+++ b/SPECS/supermin/supermin.spec
@@ -21,7 +21,7 @@
 Summary:        Tool for creating supermin appliances
 Name:           supermin
 Version:        5.3.4
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -54,7 +54,7 @@ BuildRequires:  systemd-udev
 %if %{with dietlibc}
 BuildRequires:  dietlibc-devel
 %else
-BuildRequires:  glibc-static >= 2.38-7%{?dist}
+BuildRequires:  glibc-static >= 2.38-8%{?dist}
 %endif
 
 %if 0%{?with_check}
@@ -129,6 +129,9 @@ make check || {
 %{_rpmconfigdir}/supermin-find-requires
 
 %changelog
+* Mon Aug 26 2024 Rachel Menge <rachelmenge@microsoft.com> - 5.3.4-3
+- Update to build dep latest glibc-static version
+
 * Wed Aug 21 2024 Chris Co <chrco@microsoft.com> - 5.3.4-2
 - Bump to rebuild with updated glibc
 
diff --git a/SPECS/swtpm/swtpm.spec b/SPECS/swtpm/swtpm.spec
index 6d9b0396463..fcbfa7bd5cd 100644
--- a/SPECS/swtpm/swtpm.spec
+++ b/SPECS/swtpm/swtpm.spec
@@ -12,9 +12,11 @@
 Summary: TPM Emulator
 Name:           swtpm
 Version:        0.8.1
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        BSD-3-Clause
-Url:            http://github.com/stefanberger/swtpm
+URL:            http://github.com/stefanberger/swtpm
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        %{url}/archive/%{gitcommit}/%{name}-%{gitshortcommit}.tar.gz
 
 BuildRequires:  make
@@ -191,6 +193,9 @@ fi
 %{_datadir}/swtpm/swtpm-create-tpmca
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.8.1-5
+- Add missing Vendor and Distribution tags.
+
 * Mon Jan 22 2024 Brian Fjeldstad <bfjelds@microsoft.com> - 0.8.1-4
 - Initial CBL-Mariner import from Fedora 39 (license: MIT).  License verified.
 
diff --git a/SPECS/sysbench/sysbench.spec b/SPECS/sysbench/sysbench.spec
index 2d1eaea2418..e4c940e24cb 100644
--- a/SPECS/sysbench/sysbench.spec
+++ b/SPECS/sysbench/sysbench.spec
@@ -1,10 +1,12 @@
 Summary:        Scriptable database and system performance benchmark
 Name:           sysbench
 Version:        1.0.20
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPLv2+
 Group:          Applications/System
 URL:            https://github.com/akopytov/sysbench/
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        https://github.com/akopytov/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
 Patch0:         enable-python3.patch
 Patch1:         CVE-2019-19391.patch
@@ -60,6 +62,9 @@ rm -f %{buildroot}%{_docdir}/sysbench/manual.html
 %{_datadir}/%{name}
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 1.0.20-4
+- Add missing Vendor and Distribution tags.
+
 * Thu Jun 06 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 1.0.20-3
 - Address CVE-2019-19391.
 
diff --git a/SPECS/sysstat/sysstat.signatures.json b/SPECS/sysstat/sysstat.signatures.json
index 108baf854c5..eb0b6ad76f0 100644
--- a/SPECS/sysstat/sysstat.signatures.json
+++ b/SPECS/sysstat/sysstat.signatures.json
@@ -1,5 +1,5 @@
 {
-  "Signatures": {
-    "sysstat-12.7.4.tar.gz": "7a1be97b642e80b358ab4d273d0194ffa149ad208a2a927a064870340cd19d44"
-  }
-}
+ "Signatures": {
+  "sysstat-12.7.6.tar.gz": "dc77a08871f8e8813448ea31048833d4acbab7276dd9a456cd2526c008bd5301"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/sysstat/sysstat.spec b/SPECS/sysstat/sysstat.spec
index cedf1317395..47c282c3871 100644
--- a/SPECS/sysstat/sysstat.spec
+++ b/SPECS/sysstat/sysstat.spec
@@ -1,7 +1,7 @@
 Summary:        The Sysstat package contains utilities to monitor system performance and usage activity
 Name:           sysstat
-Version:        12.7.4
-Release:        2%{?dist}
+Version:        12.7.6
+Release:        1%{?dist}
 License:        GPL-2.0-only
 URL:            http://sebastien.godard.pagesperso-orange.fr/
 Group:          Development/Debuggers
@@ -49,6 +49,9 @@ install -D -m 0644 %{_builddir}/%{name}-%{version}/cron/sysstat-collect.service
 %{_libdir}/systemd/system-sleep/sysstat.sleep
 
 %changelog
+* Fri Aug 23 2024 Muhammad Falak <mwani@microsoft.com> - 12.7.6-1
+- Bump version to 12.7.6 to address CVE-2018-19416
+
 * Thu Dec 07 2023 Andrew Phelps <anphel@microsoft.com> - 12.7.4-2
 - Update file list
 
diff --git a/SPECS/systemd/systemd.spec b/SPECS/systemd/systemd.spec
index 1078dad2bce..291aa6bbbb4 100644
--- a/SPECS/systemd/systemd.spec
+++ b/SPECS/systemd/systemd.spec
@@ -50,7 +50,7 @@ Version:        255
 # determine the build information from local checkout
 Version:        %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
 %endif
-Release:        17%{?dist}
+Release:        18%{?dist}
 
 # FIXME - hardcode to 'stable' for now as that's what we have in our blobstore
 %global stable 1
@@ -487,6 +487,7 @@ Provides: version(systemd-boot)%{_isa} = %version
 
 # self-obsoletes to install both packages after split of systemd-boot
 Obsoletes:      systemd-udev < 252.2^
+Conflicts:      grub2-efi-binary
 
 %description boot
 systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a
@@ -890,6 +891,11 @@ ln -s --relative %{buildroot}%{_bindir}/kernel-install %{buildroot}%{_sbindir}/i
 # Split files in build root into rpms
 python3 %{SOURCE2} %buildroot %{!?want_bootloader:--no-bootloader}
 
+%if 0%{?want_bootloader}
+mkdir -p %{buildroot}/boot/efi/EFI/BOOT
+cp %{buildroot}/usr/lib/systemd/boot/efi/systemd-bootx64.efi %{buildroot}/boot/efi/EFI/BOOT/grubx64.efi
+%endif
+
 %check
 %if %{with tests}
 meson test -C %{_vpath_builddir} -t 6 --print-errorlogs
@@ -1174,6 +1180,7 @@ fi
 %if 0%{?want_bootloader}
 %files ukify -f .file-list-ukify
 %files boot -f .file-list-boot
+/boot/efi/EFI/BOOT/grubx64.efi
 %endif
 
 %files container -f .file-list-container
@@ -1209,6 +1216,9 @@ rm -f %{name}.lang
 # %autochangelog. So we need to continue manually maintaining the
 # changelog here.
 %changelog
+* Fri Sep 13 2024 Thien Trung Vuong <tvuong@microsoft.com> - 255-18
+- Install systemd-boot binary to ESP
+
 * Fri Aug 23 2024 Chris Co <chrco@microsoft.com> - 255-17
 - Change bfq scheduler patch to select "none" i/o scheduler
 
diff --git a/SPECS/tdnf/fix-tests-for-azl.patch b/SPECS/tdnf/fix-tests-for-azl.patch
new file mode 100644
index 00000000000..bd3c6e7731f
--- /dev/null
+++ b/SPECS/tdnf/fix-tests-for-azl.patch
@@ -0,0 +1,121 @@
+From 39fed1f3b309e4aa088fedbb9174a4ec7327dfa3 Mon Sep 17 00:00:00 2001
+From: Sam Meluch <sammeluch@microsoft.com>
+Date: Wed, 11 Sep 2024 16:24:05 -0700
+Subject: [PATCH] fix tests for azl
+
+---
+ pytests/repo/setup-repo.sh      | 10 +++++-----
+ pytests/tests/test_cache.py     |  3 ++-
+ pytests/tests/test_priority.py  |  2 +-
+ pytests/tests/test_signature.py |  5 +++++
+ pytests/tests/test_srpms.py     |  2 +-
+ 5 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/pytests/repo/setup-repo.sh b/pytests/repo/setup-repo.sh
+index a19bd20..9897715 100755
+--- a/pytests/repo/setup-repo.sh
++++ b/pytests/repo/setup-repo.sh
+@@ -65,8 +65,8 @@ mkdir -p -m 755 ${BUILD_PATH}/BUILD \
+ cat << EOF > ${TEST_REPO_DIR}/gpgkeydata
+      %echo Generating a key for repogpgcheck signatures
+      %no-protection
+-     Key-Type: default
+-     Subkey-Type: default
++     Key-Type: RSA
++     Subkey-Type: RSA
+      Name-Real: tdnf test
+      Name-Comment: tdnf test key
+      Name-Email: tdnftest@tdnf.test
+@@ -107,9 +107,9 @@ cp -r ${BUILD_PATH}/RPMS ${PUBLISH_SHA512_PATH}
+ mkdir -p ${PUBLISH_PATH}/keys
+ gpg --armor --export tdnftest@tdnf.test > ${PUBLISH_PATH}/keys/pubkey.asc
+ 
+-createrepo ${PUBLISH_PATH}
+-createrepo ${PUBLISH_SRC_PATH}
+-createrepo -s sha512 ${PUBLISH_SHA512_PATH}
++createrepo --compatibility ${PUBLISH_PATH}
++createrepo --compatibility ${PUBLISH_SRC_PATH}
++createrepo --compatibility -s sha512 ${PUBLISH_SHA512_PATH}
+ 
+ modifyrepo ${REPO_SRC_DIR}/updateinfo-1.xml ${PUBLISH_PATH}/repodata
+ check_err "Failed to modify repo with updateinfo-1.xml."
+diff --git a/pytests/tests/test_cache.py b/pytests/tests/test_cache.py
+index 2621b59..c01df02 100644
+--- a/pytests/tests/test_cache.py
++++ b/pytests/tests/test_cache.py
+@@ -189,6 +189,7 @@ def test_download_vs_cache_size_multiple_packages(utils):
+ @pytest.mark.skipif(try_mount_small_cache() != 0, reason="Failed to mount small cache directory.")
+ def test_cache_directory_out_of_disk_space(utils):
+     small_cache_path = utils.config['small_cache_path']
++    orig_cache_path = utils.tdnf_config.get('main', 'cachedir')
+     switch_cache_path(utils, small_cache_path)
+     enable_cache(utils)
+     clean_small_cache(utils)
+@@ -200,7 +201,7 @@ def test_cache_directory_out_of_disk_space(utils):
+         run_args.append(pkgname)
+     ret = utils.run(run_args)
+ 
+-    switch_cache_path(utils, utils.tdnf_config.get('main', 'cachedir'))
++    switch_cache_path(utils, orig_cache_path)
+     clean_cache(utils)
+     clean_small_cache(utils)
+     assert ret['retval'] == 1036
+diff --git a/pytests/tests/test_priority.py b/pytests/tests/test_priority.py
+index a3e7913..0412f45 100644
+--- a/pytests/tests/test_priority.py
++++ b/pytests/tests/test_priority.py
+@@ -42,7 +42,7 @@ def test_priority(utils):
+                     )
+     assert ret['retval'] == 0
+ 
+-    ret = utils.run(["createrepo", "."], cwd=REPODIR)
++    ret = utils.run(["createrepo", "--compatibility", "."], cwd=REPODIR)
+     assert ret['retval'] == 0
+ 
+     filename = os.path.join(utils.config['repo_path'], "yum.repos.d", REPOFILENAME)
+diff --git a/pytests/tests/test_signature.py b/pytests/tests/test_signature.py
+index f2f6f06..3aea87b 100644
+--- a/pytests/tests/test_signature.py
++++ b/pytests/tests/test_signature.py
+@@ -66,6 +66,7 @@ def test_install_local_key(utils):
+     set_gpgcheck(utils, True)
+     keypath = os.path.join(utils.config['repo_path'], 'photon-test', 'keys', 'pubkey.asc')
+     set_repo_key(utils, 'file://{}'.format(keypath))
++    utils.run(['rpm', '--import', keypath])
+     pkgname = utils.config["sglversion_pkgname"]
+     ret = utils.run(['tdnf', 'install', '-y', pkgname])
+     assert ret['retval'] == 0
+@@ -76,6 +77,8 @@ def test_install_local_key(utils):
+ def test_install_remote_key(utils):
+     set_gpgcheck(utils, True)
+     set_repo_key(utils, 'http://localhost:8080/photon-test/keys/pubkey.asc')
++    keypath = os.path.join(utils.config['repo_path'], 'photon-test', 'keys', 'pubkey.asc')
++    utils.run(['rpm', '--import', keypath])
+     pkgname = utils.config["sglversion_pkgname"]
+     ret = utils.run(['tdnf', 'install', '-y', pkgname])
+     assert ret['retval'] == 0
+@@ -86,6 +89,8 @@ def test_install_remote_key(utils):
+ def test_install_remote_key_verbose(utils):
+     set_gpgcheck(utils, True)
+     set_repo_key(utils, 'http://localhost:8080/photon-test/keys/pubkey.asc')
++    keypath = os.path.join(utils.config['repo_path'], 'photon-test', 'keys', 'pubkey.asc')
++    utils.run(['rpm', '--import', keypath])
+     pkgname = utils.config["sglversion_pkgname"]
+     ret = utils.run(['tdnf', 'install', '-v', '-y', pkgname])
+     assert ret['retval'] == 0
+diff --git a/pytests/tests/test_srpms.py b/pytests/tests/test_srpms.py
+index 8279721..ee7bed0 100644
+--- a/pytests/tests/test_srpms.py
++++ b/pytests/tests/test_srpms.py
+@@ -19,7 +19,7 @@ DIST = os.environ.get('DIST')
+ if DIST == 'fedora':
+     RPMBUILD_DIR = '/root/rpmbuild'
+ else:
+-    RPMBUILD_DIR = '/usr/src/photon'
++    RPMBUILD_DIR = '/usr/src/azl'
+ 
+ 
+ @pytest.fixture(scope='function', autouse=True)
+-- 
+2.34.1
+
diff --git a/SPECS/tdnf/tdnf.signatures.json b/SPECS/tdnf/tdnf.signatures.json
index 348099056da..44ac8126bca 100644
--- a/SPECS/tdnf/tdnf.signatures.json
+++ b/SPECS/tdnf/tdnf.signatures.json
@@ -3,7 +3,7 @@
   "cache-updateinfo": "3e2157658b163a4b0558faaaf08e9fbca3d3e031fd294136de4ad39d61d232c3",
   "cache-updateinfo.service": "2a033533bbb280c61c4f850701f6df1f6e9fde1c7d8132acf03279844cc3bbba",
   "cache-updateinfo.timer": "7339fd7be53c57b9bbc000b27026d507e3d2d70958a2db7d1799f5960e3904ee",
-  "tdnf-3.5.6.tar.gz": "69c31fbaab3ce9a88a4b925afb95b5cf71147f84808100b830890ae54c6d424a",
+  "tdnf-3.5.8.tar.gz": "c4bae9432f7e3441318aba7d4588528f419b384c23d526e77f794a2812aa2b10",
   "tdnfrepogpgcheck.conf": "84c1c0c956a492cadbfd2cec581ef678c190e3e245f0d61665eb0f66b8b34fd6"
  }
 }
diff --git a/SPECS/tdnf/tdnf.spec b/SPECS/tdnf/tdnf.spec
index b16ba2a02a7..57fa9bc54e7 100644
--- a/SPECS/tdnf/tdnf.spec
+++ b/SPECS/tdnf/tdnf.spec
@@ -1,11 +1,10 @@
-%undefine __cmake_in_source_build
 %define _tdnfpluginsdir %{_libdir}/tdnf-plugins
 %define _tdnf_history_db_dir %{_libdir}/sysimage/tdnf
 
 Summary:        dnf equivalent using C libs
 Name:           tdnf
-Version:        3.5.6
-Release:        2%{?dist}
+Version:        3.5.8
+Release:        3%{?dist}
 License:        LGPLv2.1 AND GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -28,6 +27,7 @@ Patch4:         tdnf-sqlite-library.patch
 
 # Patch in vitual snapshot
 Patch5:	        virtual-repo-snapshot.patch
+Patch6:         fix-tests-for-azl.patch
 
 #Cmake requires binutils
 BuildRequires:  binutils
@@ -56,12 +56,20 @@ Requires:       tdnf-cli-libs = %{version}-%{release}
 Requires:       zlib
 Obsoletes:      yum
 %if 0%{?with_check}
+BuildRequires:  azurelinux-release
 BuildRequires:  createrepo_c
 BuildRequires:  glib
+BuildRequires:  e2fsprogs
+BuildRequires:  findutils
 BuildRequires:  libxml2
 BuildRequires:  python3-pip
 BuildRequires:  python3-requests
 BuildRequires:  python3-xml
+BuildRequires:  sed
+BuildRequires:  shadow-utils
+BuildRequires:  sudo
+BuildRequires:  util-linux
+BuildRequires:  which
 %endif
 
 %description
@@ -121,23 +129,33 @@ systemd services for periodic automatic update
 %autosetup -p1
 
 %build
+mkdir -p build && cd build
 %cmake \
     -DCMAKE_BUILD_TYPE=Debug \
     -DBUILD_SHARED_LIBS=OFF \
     -DCMAKE_INSTALL_LIBDIR:PATH=%{_libdir} \
-    -DHISTORY_DB_DIR=%{_tdnf_history_db_dir}
+    -DHISTORY_DB_DIR=%{_tdnf_history_db_dir} \
+    ..
 
-%cmake_build
-
-cd %{__cmake_builddir}
+%make_build
 %make_build python
 
 %check
-pip3 install pytest requests pyOpenSSL
-cd build && make %{?_smp_mflags} check
+# remove test files with dependencies on state and cleanup of rpm build directory
+# these are problematic when running tests from within the rpm build directory
+rm pytests/tests/test_srpms.py
+rm build/pytests/tests/test_srpms.py
+
+# link MS key as expected VMWare Key in test files
+ln -sf /etc/pki/rpm-gpg/MICROSOFT-RPM-GPG-KEY /etc/pki/rpm-gpg/VMWARE-RPM-GPG-KEY
+
+pip3 install 'pytest==8.3.3' 'pyOpenSSL==24.2.1' 'flake8==7.1.1'
+cd build && %make_build check
 
 %install
-%cmake_install
+pushd build
+%make_install
+popd
 find %{buildroot} -name '*.a' -delete -print
 mkdir -p %{buildroot}%{_var}/cache/tdnf
 mkdir -p %{buildroot}%{_tdnf_history_db_dir}
@@ -151,7 +169,7 @@ rm -rf %{buildroot}%{_datadir}/tdnf
 
 mkdir -p %{buildroot}%{_sysconfdir}/%{name}/protected.d
 
-pushd %{__cmake_builddir}/python
+pushd build/python
 %py3_install
 popd
 find %{buildroot} -name '*.pyc' -delete
@@ -219,6 +237,15 @@ fi
 /%{_lib}/systemd/system/tdnf*
 
 %changelog
+* Fri Sep 20 2024 Sam Meluch <sammeluch@microsoft.com> - 3.5.8-3
+- Fix an issue with snapshottime config option
+
+* Wed Sep 18 2024 Sam Meluch <sammeluch@microsoft.com> - 3.5.8-2
+- Add virtual repo snapshot exclude repos
+
+* Mon Sep 09 2024 Sam Meluch <sammeluch@microsoft.com> - 3.5.8-1
+- Minor upgrade to tdnf
+
 * Fri Jul 26 2024 Sam Meluch <sammeluch@microsoft.com> - 3.5.6-2
 - Add tdnf virtual repo snapshots
 
diff --git a/SPECS/tdnf/virtual-repo-snapshot.patch b/SPECS/tdnf/virtual-repo-snapshot.patch
index 368e62f65f1..063252fc188 100644
--- a/SPECS/tdnf/virtual-repo-snapshot.patch
+++ b/SPECS/tdnf/virtual-repo-snapshot.patch
@@ -1,26 +1,27 @@
-From bed541b7ceafaf75f67911ef64e231569b8eec84 Mon Sep 17 00:00:00 2001
+From 7af976b8d0977f32f9903220d8b44378e72d4336 Mon Sep 17 00:00:00 2001
 From: Sam Meluch <sammeluch@microsoft.com>
 Date: Tue, 30 Apr 2024 13:56:44 -0700
 Subject: [PATCH] Add virtual repo snapshot feature to tdnf
 
 ---
  client/config.c                            |   5 +
- client/prototypes.h                        |   3 +-
+ client/prototypes.h                        |   9 +-
  client/repo.c                              |  50 +-
+ client/repolist.c                          |  66 ++
  common/config.h                            |   1 +
- etc/bash_completion.d/tdnf-completion.bash |   2 +-
+ etc/bash_completion.d/tdnf-completion.bash |   7 +-
  include/tdnferror.h                        |   9 +
- include/tdnftypes.h                        |   2 +
+ include/tdnftypes.h                        |   3 +
  solv/defines.h                             |  29 +
  solv/includes.h                            |   6 +-
  solv/prototypes.h                          |   3 +-
  solv/tdnfrepo.c                            | 783 ++++++++++++++++++++-
- tools/cli/lib/help.c                       |   1 +
- tools/cli/lib/parseargs.c                  |   1 +
- 13 files changed, 878 insertions(+), 17 deletions(-)
+ tools/cli/lib/help.c                       |   2 +
+ tools/cli/lib/parseargs.c                  |   2 +
+ 14 files changed, 958 insertions(+), 17 deletions(-)
 
 diff --git a/client/config.c b/client/config.c
-index 8ddcc7a..805fff1 100644
+index 8ddcc7a..ef16467 100644
 --- a/client/config.c
 +++ b/client/config.c
 @@ -85,6 +85,7 @@ TDNFReadConfig(
@@ -37,13 +38,13 @@ index 8ddcc7a..805fff1 100644
          }
 +        else if (strcmp(cn->name, TDNF_CONF_KEY_SNAPSHOT_TIME) == 0)
 +        {
-+            pConf->pszSnapshotTime = cn->value; //assumes your system's time_t is typedef long
++            pConf->pszSnapshotTime = strdup(cn->value); //assumes your system's time_t is typedef long
 +        }
          else if (strcmp(cn->name, TDNF_CONF_KEY_CLEAN_REQ_ON_REMOVE) == 0)
          {
              pConf->nCleanRequirementsOnRemove = isTrue(cn->value);
 diff --git a/client/prototypes.h b/client/prototypes.h
-index bb7fba1..cb8a8d3 100644
+index bb7fba1..ddac483 100644
 --- a/client/prototypes.h
 +++ b/client/prototypes.h
 @@ -586,7 +586,8 @@ uint32_t
@@ -56,8 +57,21 @@ index bb7fba1..cb8a8d3 100644
      );
  
  uint32_t
+@@ -770,6 +771,12 @@ TDNFAlterRepoState(
+     const char* pszId
+     );
+ 
++uint32_t
++TDNFExcludeFromSnapshot(
++    PTDNF_REPO_DATA pRepos,
++    const char* pszId
++    );
++
+ uint32_t
+ TDNFCloneRepo(
+     PTDNF_REPO_DATA pRepoIn,
 diff --git a/client/repo.c b/client/repo.c
-index b6073e2..0331796 100644
+index 809c39d..95f7694 100644
 --- a/client/repo.c
 +++ b/client/repo.c
 @@ -36,6 +36,8 @@ TDNFInitRepo(
@@ -91,7 +105,7 @@ index b6073e2..0331796 100644
      pPool = pSack->pPool;
  
      dwError = TDNFGetCachePath(pTdnf, pRepoData,
-@@ -82,20 +99,27 @@ TDNFInitRepo(
+@@ -89,20 +106,27 @@ TDNFInitRepo(
      pRepo->appdata = pSolvRepoInfo;
  
      if (pRepoData->nHasMetaData) {
@@ -104,7 +118,7 @@ index b6073e2..0331796 100644
 -
 -        if (nUseMetaDataCache == 0) {
 -            dwError = TDNFInitRepoFromMetadata(pRepo, pRepoData->pszId, pRepoMD);
-+        if (pszSnapshotTime != NULL) {
++        if (!pRepoData->nExcludeSnapshot && pszSnapshotTime != NULL) {
 +            dwError = TDNFInitRepoFromMetadata(pRepo, pRepoData->pszId, pRepoMD, pszSnapshotTime);
              BAIL_ON_TDNF_ERROR(dwError);
 +        } else {
@@ -129,7 +143,7 @@ index b6073e2..0331796 100644
      } else {
          dwError = SolvReadRpmsFromDirectory(pRepo, pRepoData->ppszBaseUrls[0]);
          BAIL_ON_TDNF_ERROR(dwError);
-@@ -135,7 +159,8 @@ uint32_t
+@@ -142,7 +166,8 @@ uint32_t
  TDNFInitRepoFromMetadata(
      Repo *pRepo,
      const char* pszRepoName,
@@ -139,7 +153,7 @@ index b6073e2..0331796 100644
      )
  {
      uint32_t dwError = 0;
-@@ -152,7 +177,8 @@ TDNFInitRepoFromMetadata(
+@@ -159,7 +184,8 @@ TDNFInitRepoFromMetadata(
                    pRepoMD->pszPrimary,
                    pRepoMD->pszFileLists,
                    pRepoMD->pszUpdateInfo,
@@ -149,6 +163,111 @@ index b6073e2..0331796 100644
  cleanup:
      return dwError;
  
+diff --git a/client/repolist.c b/client/repolist.c
+index df37959..be94f6c 100644
+--- a/client/repolist.c
++++ b/client/repolist.c
+@@ -358,6 +358,7 @@ TDNFCreateRepo(
+     BAIL_ON_TDNF_ERROR(dwError);
+ 
+     pRepo->nEnabled = TDNF_REPO_DEFAULT_ENABLED;
++    pRepo->nExcludeSnapshot = 0;
+     pRepo->nHasMetaData = 1;
+     pRepo->nSkipIfUnavailable = TDNF_REPO_DEFAULT_SKIP;
+     pRepo->nGPGCheck = TDNF_REPO_DEFAULT_GPGCHECK;
+@@ -655,6 +656,7 @@ TDNFRepoListFinalize(
+     PTDNF_CMD_OPT pSetOpt = NULL;
+     PTDNF_REPO_DATA pRepo = NULL;
+     int nRepoidSeen = 0;
++    char ** ppszRepos = NULL;
+ 
+     if(!pTdnf || !pTdnf->pArgs || !pTdnf->pRepos)
+     {
+@@ -695,6 +697,22 @@ TDNFRepoListFinalize(
+                           1,
+                           pSetOpt->pszOptValue);
+         }
++        else if (strcmp(pSetOpt->pszOptName, "snapshotexcluderepos") == 0)
++        {
++            ppszRepos = NULL;
++            int i = 0;
++            dwError = TDNFSplitStringToArray(pSetOpt->pszOptValue, ",", &ppszRepos);
++            BAIL_ON_TDNF_ERROR(dwError);
++
++            while (ppszRepos && ppszRepos[i]){
++                dwError = TDNFExcludeFromSnapshot(
++                pTdnf->pRepos,
++                ppszRepos[i]);
++                BAIL_ON_TDNF_ERROR(dwError);
++                i++;
++            }
++            
++        }
+         BAIL_ON_TDNF_ERROR(dwError);
+     }
+ 
+@@ -736,6 +754,7 @@ TDNFRepoListFinalize(
+         BAIL_ON_TDNF_ERROR(dwError);
+     }
+ cleanup:
++    TDNFFreeStringArray(ppszRepos);
+     return dwError;
+ error:
+     goto cleanup;
+@@ -787,6 +806,53 @@ error:
+     goto cleanup;
+ }
+ 
++uint32_t
++TDNFExcludeFromSnapshot(
++    PTDNF_REPO_DATA pRepos,
++    const char* pszId
++    )
++{
++    uint32_t dwError = 0;
++    int nIsGlob = 0;
++    if(!pRepos || IsNullOrEmptyString(pszId))
++    {
++        dwError = ERROR_TDNF_INVALID_PARAMETER;
++        BAIL_ON_TDNF_ERROR(dwError);
++    }
++
++    nIsGlob = TDNFIsGlob(pszId);
++
++    for (int nMatch = 0; pRepos; pRepos = pRepos->pNext)
++    {
++        if(nIsGlob)
++        {
++            if(!fnmatch(pszId, pRepos->pszId, 0))
++            {
++                nMatch = 1;
++            }
++        }
++        else if(!strcmp(pRepos->pszId, pszId))
++        {
++            nMatch = 1;
++        }
++
++        if(nMatch)
++        {
++            pRepos->nExcludeSnapshot = 1;
++            if(!nIsGlob)
++            {
++                break;
++            }
++        }
++    }
++
++cleanup:
++    return dwError;
++
++error:
++    goto cleanup;
++}
++
+ uint32_t
+ TDNFCloneRepo(
+     PTDNF_REPO_DATA pRepoIn,
 diff --git a/common/config.h b/common/config.h
 index 222a448..364f7ec 100644
 --- a/common/config.h
@@ -162,15 +281,27 @@ index 222a448..364f7ec 100644
  #define TDNF_CONF_KEY_REPODIR             "repodir" // typo, keep for back compatibility
  #define TDNF_CONF_KEY_REPOSDIR            "reposdir"
 diff --git a/etc/bash_completion.d/tdnf-completion.bash b/etc/bash_completion.d/tdnf-completion.bash
-index 4e48040..3f310d4 100644
+index 4e48040..46a6201 100644
 --- a/etc/bash_completion.d/tdnf-completion.bash
 +++ b/etc/bash_completion.d/tdnf-completion.bash
-@@ -92,7 +92,7 @@ _tdnf()
+@@ -26,6 +26,11 @@ _tdnf__process_if_prev_is_option()
+             COMPREPLY=( $(compgen -W "$opts" -- $cur) )
+             return 0
+             ;;
++        --snapshotexcluderepos)
++            opts=`tdnf repolist enabled | awk '{if (NR > 1) print $1}'`
++            COMPREPLY=( $(compgen -W "$opts" -- $cur) )
++            return 0
++            ;;
+         --installroot)
+             COMPREPLY=( $(compgen -d -- $cur) )
+             return 0
+@@ -92,7 +97,7 @@ _tdnf()
  {
      local c=0 cur __opts __cmds
      COMPREPLY=()
 -    __opts="--assumeno --assumeyes --cacheonly --debugsolver --disableexcludes --disableplugin --disablerepo --downloaddir --downloadonly --enablerepo --enableplugin --exclude --installroot --noautoremove --nogpgcheck --noplugins --quiet --reboot --refresh --releasever --repo --repofrompath --repoid --rpmverbosity --security --sec --setopt --skip --skipconflicts --skipdigest --skipsignature --skipobsoletes --testonly --version --available --duplicates --extras --file --installed --whatdepends --whatrequires --whatenhances --whatobsoletes --whatprovides --whatrecommends --whatrequires --whatsuggests --whatsupplements --depends --enhances --list --obsoletes --provides --recommends --requires --requires --suggests --source --supplements --arch --delete --download --download --gpgcheck --metadata --newest --norepopath --source --urls"
-+    __opts="--assumeno --assumeyes --cacheonly --debugsolver --disableexcludes --disableplugin --disablerepo --downloaddir --downloadonly --enablerepo --enableplugin --snapshottime --exclude --installroot --noautoremove --nogpgcheck --noplugins --quiet --reboot --refresh --releasever --repo --repofrompath --repoid --rpmverbosity --security --sec --setopt --skip --skipconflicts --skipdigest --skipsignature --skipobsoletes --testonly --version --available --duplicates --extras --file --installed --whatdepends --whatrequires --whatenhances --whatobsoletes --whatprovides --whatrecommends --whatrequires --whatsuggests --whatsupplements --depends --enhances --list --obsoletes --provides --recommends --requires --requires --suggests --source --supplements --arch --delete --download --download --gpgcheck --metadata --newest --norepopath --source --urls"
++    __opts="--assumeno --assumeyes --cacheonly --debugsolver --disableexcludes --disableplugin --disablerepo --downloaddir --downloadonly --enablerepo --enableplugin --exclude --installroot --noautoremove --nogpgcheck --noplugins --quiet --reboot --refresh --releasever --repo --repofrompath --repoid --rpmverbosity --security --sec --setopt --skip --skipconflicts --skipdigest --skipsignature --skipobsoletes --snapshotexcluderepos --snapshottime --testonly --version --available --duplicates --extras --file --installed --whatdepends --whatrequires --whatenhances --whatobsoletes --whatprovides --whatrecommends --whatrequires --whatsuggests --whatsupplements --depends --enhances --list --obsoletes --provides --recommends --requires --requires --suggests --source --supplements --arch --delete --download --download --gpgcheck --metadata --newest --norepopath --source --urls"
      __cmds="autoerase autoremove check check-local check-update clean distro-sync downgrade erase help history info install list makecache mark provides whatprovides reinstall remove repolist repoquery reposync search update update-to updateinfo upgrade upgrade-to"
      cur="${COMP_WORDS[COMP_CWORD]}"
      _tdnf__process_if_prev_is_option && return 0
@@ -195,7 +326,7 @@ index c9349a0..02b8d4c 100644
  #define ERROR_TDNF_PLUGIN_BASE          2000
  
 diff --git a/include/tdnftypes.h b/include/tdnftypes.h
-index a806010..f371430 100644
+index a806010..b95c81f 100644
 --- a/include/tdnftypes.h
 +++ b/include/tdnftypes.h
 @@ -9,6 +9,7 @@
@@ -214,6 +345,14 @@ index a806010..f371430 100644
      char* pszCacheDir;
      char* pszPersistDir;
      char* pszProxy;
+@@ -274,6 +276,7 @@ typedef struct _TDNF_CONF
+ typedef struct _TDNF_REPO_DATA
+ {
+     int nEnabled;
++    int nExcludeSnapshot;
+     int nSkipIfUnavailable;
+     int nGPGCheck;
+     int nHasMetaData;
 diff --git a/solv/defines.h b/solv/defines.h
 index 38f5ab1..ddb3355 100644
 --- a/solv/defines.h
@@ -1107,26 +1246,28 @@ index c27b907..fec3ba7 100644
      return dwError;
  
 diff --git a/tools/cli/lib/help.c b/tools/cli/lib/help.c
-index bc4cf83..86c34e7 100644
+index bc4cf83..6c1d349 100644
 --- a/tools/cli/lib/help.c
 +++ b/tools/cli/lib/help.c
-@@ -23,6 +23,7 @@ static const char *help_msg =
-  "           [--downloadonly]\n"
-  "           [--enablerepo=<repoid>]\n"
-  "           [--enableplugin=<plugin_name>]\n"
+@@ -44,6 +44,8 @@ static const char *help_msg =
+  "           [--skipdigest]\n"
+  "           [--skipsignature]\n"
+  "           [--skipobsoletes]\n"
++ "           [--snapshotexcluderepos=<repoid>[,<repoid2>,...]\n"
 + "           [--snapshottime=<POSIX_time>]\n"
-  "           [--exclude [file1,file2,...]]\n"
-  "           [--installroot [path]]\n"
-  "           [--noautoremove]\n"
+  "           [--testonly]\n"
+  "           [--version]\n\n"
+  "repoquery select options:\n"
 diff --git a/tools/cli/lib/parseargs.c b/tools/cli/lib/parseargs.c
-index 0558611..18c84fc 100644
+index 4421927..9c5e282 100644
 --- a/tools/cli/lib/parseargs.c
 +++ b/tools/cli/lib/parseargs.c
-@@ -70,6 +70,7 @@ static struct option pstOptions[] =
+@@ -70,6 +70,8 @@ static struct option pstOptions[] =
      {"skipdigest",    no_argument, 0, 0},                  //--skipdigest to skip verifying RPM digest
      {"skipobsoletes", no_argument, 0, 0},                  //--skipobsoletes to skip obsolete problems
      {"skipsignature", no_argument, 0, 0},                  //--skipsignature to skip verifying RPM signatures
-+    {"snapshottime",required_argument, 0, 0},              //--snapshottime
++    {"snapshotexcluderepos", required_argument, 0, 0},     //--snapshotexcluderepos
++    {"snapshottime",  required_argument, 0, 0},            //--snapshottime
      {"source",        no_argument, &_opt.nSource, 1},
      {"testonly",      no_argument, &_opt.nTestOnly, 1},
      {"verbose",       no_argument, &_opt.nVerbose, 1},     //-v --verbose
diff --git a/SPECS/tensorflow/CVE-2024-3651.patch b/SPECS/tensorflow/CVE-2024-3651.patch
new file mode 100644
index 00000000000..482721155e2
--- /dev/null
+++ b/SPECS/tensorflow/CVE-2024-3651.patch
@@ -0,0 +1,3754 @@
+diff --color -ruN a/codec.py b/codec.py
+--- a/codec.py	2021-01-01 08:00:00.000000000 +0000
++++ b/codec.py	2024-09-26 14:49:49.043936672 +0000
+@@ -1,7 +1,7 @@
+ from .core import encode, decode, alabel, ulabel, IDNAError
+ import codecs
+ import re
+-from typing import Tuple, Optional
++from typing import Any, Tuple, Optional
+ 
+ _unicode_dots_re = re.compile('[\u002e\u3002\uff0e\uff61]')
+ 
+@@ -26,24 +26,24 @@
+         return decode(data), len(data)
+ 
+ class IncrementalEncoder(codecs.BufferedIncrementalEncoder):
+-    def _buffer_encode(self, data: str, errors: str, final: bool) -> Tuple[str, int]:  # type: ignore
++    def _buffer_encode(self, data: str, errors: str, final: bool) -> Tuple[bytes, int]:
+         if errors != 'strict':
+             raise IDNAError('Unsupported error handling \"{}\"'.format(errors))
+ 
+         if not data:
+-            return "", 0
++            return b'', 0
+ 
+         labels = _unicode_dots_re.split(data)
+-        trailing_dot = ''
++        trailing_dot = b''
+         if labels:
+             if not labels[-1]:
+-                trailing_dot = '.'
++                trailing_dot = b'.'
+                 del labels[-1]
+             elif not final:
+                 # Keep potentially unfinished label until the next call
+                 del labels[-1]
+                 if labels:
+-                    trailing_dot = '.'
++                    trailing_dot = b'.'
+ 
+         result = []
+         size = 0
+@@ -54,18 +54,21 @@
+             size += len(label)
+ 
+         # Join with U+002E
+-        result_str = '.'.join(result) + trailing_dot  # type: ignore
++        result_bytes = b'.'.join(result) + trailing_dot
+         size += len(trailing_dot)
+-        return result_str, size
++        return result_bytes, size
+ 
+ class IncrementalDecoder(codecs.BufferedIncrementalDecoder):
+-    def _buffer_decode(self, data: str, errors: str, final: bool) -> Tuple[str, int]:  # type: ignore
++    def _buffer_decode(self, data: Any, errors: str, final: bool) -> Tuple[str, int]:
+         if errors != 'strict':
+             raise IDNAError('Unsupported error handling \"{}\"'.format(errors))
+ 
+         if not data:
+             return ('', 0)
+ 
++        if not isinstance(data, str):
++            data = str(data, 'ascii')
++
+         labels = _unicode_dots_re.split(data)
+         trailing_dot = ''
+         if labels:
+@@ -99,14 +102,17 @@
+     pass
+ 
+ 
+-def getregentry() -> codecs.CodecInfo:
+-    # Compatibility as a search_function for codecs.register()
++def search_function(name: str) -> Optional[codecs.CodecInfo]:
++    if name != 'idna2008':
++        return None
+     return codecs.CodecInfo(
+-        name='idna',
+-        encode=Codec().encode,  # type: ignore
+-        decode=Codec().decode,  # type: ignore
++        name=name,
++        encode=Codec().encode,
++        decode=Codec().decode,
+         incrementalencoder=IncrementalEncoder,
+         incrementaldecoder=IncrementalDecoder,
+         streamwriter=StreamWriter,
+         streamreader=StreamReader,
+     )
++
++codecs.register(search_function)
+diff --color -ruN a/core.py b/core.py
+--- a/core.py	2021-01-01 08:00:00.000000000 +0000
++++ b/core.py	2024-09-26 14:49:49.043936672 +0000
+@@ -150,9 +150,11 @@
+             joining_type = idnadata.joining_types.get(ord(label[i]))
+             if joining_type == ord('T'):
+                 continue
+-            if joining_type in [ord('L'), ord('D')]:
++            elif joining_type in [ord('L'), ord('D')]:
+                 ok = True
+                 break
++            else:
++                break
+ 
+         if not ok:
+             return False
+@@ -162,9 +164,11 @@
+             joining_type = idnadata.joining_types.get(ord(label[i]))
+             if joining_type == ord('T'):
+                 continue
+-            if joining_type in [ord('R'), ord('D')]:
++            elif joining_type in [ord('R'), ord('D')]:
+                 ok = True
+                 break
++            else:
++                break
+         return ok
+ 
+     if cp_value == 0x200d:
+@@ -236,12 +240,8 @@
+         if intranges_contain(cp_value, idnadata.codepoint_classes['PVALID']):
+             continue
+         elif intranges_contain(cp_value, idnadata.codepoint_classes['CONTEXTJ']):
+-            try:
+-                if not valid_contextj(label, pos):
+-                    raise InvalidCodepointContext('Joiner {} not allowed at position {} in {}'.format(
+-                        _unot(cp_value), pos+1, repr(label)))
+-            except ValueError:
+-                raise IDNAError('Unknown codepoint adjacent to joiner {} at position {} in {}'.format(
++            if not valid_contextj(label, pos):
++                raise InvalidCodepointContext('Joiner {} not allowed at position {} in {}'.format(
+                     _unot(cp_value), pos+1, repr(label)))
+         elif intranges_contain(cp_value, idnadata.codepoint_classes['CONTEXTO']):
+             if not valid_contexto(label, pos):
+@@ -262,13 +262,8 @@
+     except UnicodeEncodeError:
+         pass
+ 
+-    if not label:
+-        raise IDNAError('No Input')
+-
+-    label = str(label)
+     check_label(label)
+-    label_bytes = _punycode(label)
+-    label_bytes = _alabel_prefix + label_bytes
++    label_bytes = _alabel_prefix + _punycode(label)
+ 
+     if not valid_label_length(label_bytes):
+         raise IDNAError('Label too long')
+@@ -318,7 +313,7 @@
+             status = uts46row[1]
+             replacement = None  # type: Optional[str]
+             if len(uts46row) == 3:
+-                replacement = uts46row[2]  # type: ignore
++                replacement = uts46row[2]
+             if (status == 'V' or
+                     (status == 'D' and not transitional) or
+                     (status == '3' and not std3_rules and replacement is None)):
+@@ -338,9 +333,9 @@
+ 
+ 
+ def encode(s: Union[str, bytes, bytearray], strict: bool = False, uts46: bool = False, std3_rules: bool = False, transitional: bool = False) -> bytes:
+-    if isinstance(s, (bytes, bytearray)):
++    if not isinstance(s, str):
+         try:
+-            s = s.decode('ascii')
++            s = str(s, 'ascii')
+         except UnicodeDecodeError:
+             raise IDNAError('should pass a unicode string to the function rather than a byte string.')
+     if uts46:
+@@ -372,8 +367,8 @@
+ 
+ def decode(s: Union[str, bytes, bytearray], strict: bool = False, uts46: bool = False, std3_rules: bool = False) -> str:
+     try:
+-        if isinstance(s, (bytes, bytearray)):
+-            s = s.decode('ascii')
++        if not isinstance(s, str):
++            s = str(s, 'ascii')
+     except UnicodeDecodeError:
+         raise IDNAError('Invalid ASCII in A-label')
+     if uts46:
+diff --color -ruN a/idnadata.py b/idnadata.py
+--- a/idnadata.py	2021-01-01 08:00:00.000000000 +0000
++++ b/idnadata.py	2024-09-26 14:49:49.043936672 +0000
+@@ -1,6 +1,6 @@
+ # This file is automatically generated by tools/idna-data
+ 
+-__version__ = '15.0.0'
++__version__ = '15.1.0'
+ scripts = {
+     'Greek': (
+         0x37000000374,
+@@ -59,6 +59,7 @@
+         0x2b7400002b81e,
+         0x2b8200002cea2,
+         0x2ceb00002ebe1,
++        0x2ebf00002ee5e,
+         0x2f8000002fa1e,
+         0x300000003134b,
+         0x31350000323b0,
+@@ -100,16 +101,190 @@
+     ),
+ }
+ joining_types = {
+-    0x600: 85,
+-    0x601: 85,
+-    0x602: 85,
+-    0x603: 85,
+-    0x604: 85,
+-    0x605: 85,
+-    0x608: 85,
+-    0x60b: 85,
++    0xad: 84,
++    0x300: 84,
++    0x301: 84,
++    0x302: 84,
++    0x303: 84,
++    0x304: 84,
++    0x305: 84,
++    0x306: 84,
++    0x307: 84,
++    0x308: 84,
++    0x309: 84,
++    0x30a: 84,
++    0x30b: 84,
++    0x30c: 84,
++    0x30d: 84,
++    0x30e: 84,
++    0x30f: 84,
++    0x310: 84,
++    0x311: 84,
++    0x312: 84,
++    0x313: 84,
++    0x314: 84,
++    0x315: 84,
++    0x316: 84,
++    0x317: 84,
++    0x318: 84,
++    0x319: 84,
++    0x31a: 84,
++    0x31b: 84,
++    0x31c: 84,
++    0x31d: 84,
++    0x31e: 84,
++    0x31f: 84,
++    0x320: 84,
++    0x321: 84,
++    0x322: 84,
++    0x323: 84,
++    0x324: 84,
++    0x325: 84,
++    0x326: 84,
++    0x327: 84,
++    0x328: 84,
++    0x329: 84,
++    0x32a: 84,
++    0x32b: 84,
++    0x32c: 84,
++    0x32d: 84,
++    0x32e: 84,
++    0x32f: 84,
++    0x330: 84,
++    0x331: 84,
++    0x332: 84,
++    0x333: 84,
++    0x334: 84,
++    0x335: 84,
++    0x336: 84,
++    0x337: 84,
++    0x338: 84,
++    0x339: 84,
++    0x33a: 84,
++    0x33b: 84,
++    0x33c: 84,
++    0x33d: 84,
++    0x33e: 84,
++    0x33f: 84,
++    0x340: 84,
++    0x341: 84,
++    0x342: 84,
++    0x343: 84,
++    0x344: 84,
++    0x345: 84,
++    0x346: 84,
++    0x347: 84,
++    0x348: 84,
++    0x349: 84,
++    0x34a: 84,
++    0x34b: 84,
++    0x34c: 84,
++    0x34d: 84,
++    0x34e: 84,
++    0x34f: 84,
++    0x350: 84,
++    0x351: 84,
++    0x352: 84,
++    0x353: 84,
++    0x354: 84,
++    0x355: 84,
++    0x356: 84,
++    0x357: 84,
++    0x358: 84,
++    0x359: 84,
++    0x35a: 84,
++    0x35b: 84,
++    0x35c: 84,
++    0x35d: 84,
++    0x35e: 84,
++    0x35f: 84,
++    0x360: 84,
++    0x361: 84,
++    0x362: 84,
++    0x363: 84,
++    0x364: 84,
++    0x365: 84,
++    0x366: 84,
++    0x367: 84,
++    0x368: 84,
++    0x369: 84,
++    0x36a: 84,
++    0x36b: 84,
++    0x36c: 84,
++    0x36d: 84,
++    0x36e: 84,
++    0x36f: 84,
++    0x483: 84,
++    0x484: 84,
++    0x485: 84,
++    0x486: 84,
++    0x487: 84,
++    0x488: 84,
++    0x489: 84,
++    0x591: 84,
++    0x592: 84,
++    0x593: 84,
++    0x594: 84,
++    0x595: 84,
++    0x596: 84,
++    0x597: 84,
++    0x598: 84,
++    0x599: 84,
++    0x59a: 84,
++    0x59b: 84,
++    0x59c: 84,
++    0x59d: 84,
++    0x59e: 84,
++    0x59f: 84,
++    0x5a0: 84,
++    0x5a1: 84,
++    0x5a2: 84,
++    0x5a3: 84,
++    0x5a4: 84,
++    0x5a5: 84,
++    0x5a6: 84,
++    0x5a7: 84,
++    0x5a8: 84,
++    0x5a9: 84,
++    0x5aa: 84,
++    0x5ab: 84,
++    0x5ac: 84,
++    0x5ad: 84,
++    0x5ae: 84,
++    0x5af: 84,
++    0x5b0: 84,
++    0x5b1: 84,
++    0x5b2: 84,
++    0x5b3: 84,
++    0x5b4: 84,
++    0x5b5: 84,
++    0x5b6: 84,
++    0x5b7: 84,
++    0x5b8: 84,
++    0x5b9: 84,
++    0x5ba: 84,
++    0x5bb: 84,
++    0x5bc: 84,
++    0x5bd: 84,
++    0x5bf: 84,
++    0x5c1: 84,
++    0x5c2: 84,
++    0x5c4: 84,
++    0x5c5: 84,
++    0x5c7: 84,
++    0x610: 84,
++    0x611: 84,
++    0x612: 84,
++    0x613: 84,
++    0x614: 84,
++    0x615: 84,
++    0x616: 84,
++    0x617: 84,
++    0x618: 84,
++    0x619: 84,
++    0x61a: 84,
++    0x61c: 84,
+     0x620: 68,
+-    0x621: 85,
+     0x622: 82,
+     0x623: 82,
+     0x624: 82,
+@@ -151,12 +326,33 @@
+     0x648: 82,
+     0x649: 68,
+     0x64a: 68,
++    0x64b: 84,
++    0x64c: 84,
++    0x64d: 84,
++    0x64e: 84,
++    0x64f: 84,
++    0x650: 84,
++    0x651: 84,
++    0x652: 84,
++    0x653: 84,
++    0x654: 84,
++    0x655: 84,
++    0x656: 84,
++    0x657: 84,
++    0x658: 84,
++    0x659: 84,
++    0x65a: 84,
++    0x65b: 84,
++    0x65c: 84,
++    0x65d: 84,
++    0x65e: 84,
++    0x65f: 84,
+     0x66e: 68,
+     0x66f: 68,
++    0x670: 84,
+     0x671: 82,
+     0x672: 82,
+     0x673: 82,
+-    0x674: 85,
+     0x675: 82,
+     0x676: 82,
+     0x677: 82,
+@@ -253,7 +449,25 @@
+     0x6d2: 82,
+     0x6d3: 82,
+     0x6d5: 82,
+-    0x6dd: 85,
++    0x6d6: 84,
++    0x6d7: 84,
++    0x6d8: 84,
++    0x6d9: 84,
++    0x6da: 84,
++    0x6db: 84,
++    0x6dc: 84,
++    0x6df: 84,
++    0x6e0: 84,
++    0x6e1: 84,
++    0x6e2: 84,
++    0x6e3: 84,
++    0x6e4: 84,
++    0x6e7: 84,
++    0x6e8: 84,
++    0x6ea: 84,
++    0x6eb: 84,
++    0x6ec: 84,
++    0x6ed: 84,
+     0x6ee: 82,
+     0x6ef: 82,
+     0x6fa: 68,
+@@ -262,6 +476,7 @@
+     0x6ff: 68,
+     0x70f: 84,
+     0x710: 82,
++    0x711: 84,
+     0x712: 68,
+     0x713: 68,
+     0x714: 68,
+@@ -292,6 +507,33 @@
+     0x72d: 68,
+     0x72e: 68,
+     0x72f: 82,
++    0x730: 84,
++    0x731: 84,
++    0x732: 84,
++    0x733: 84,
++    0x734: 84,
++    0x735: 84,
++    0x736: 84,
++    0x737: 84,
++    0x738: 84,
++    0x739: 84,
++    0x73a: 84,
++    0x73b: 84,
++    0x73c: 84,
++    0x73d: 84,
++    0x73e: 84,
++    0x73f: 84,
++    0x740: 84,
++    0x741: 84,
++    0x742: 84,
++    0x743: 84,
++    0x744: 84,
++    0x745: 84,
++    0x746: 84,
++    0x747: 84,
++    0x748: 84,
++    0x749: 84,
++    0x74a: 84,
+     0x74d: 82,
+     0x74e: 68,
+     0x74f: 68,
+@@ -343,6 +585,17 @@
+     0x77d: 68,
+     0x77e: 68,
+     0x77f: 68,
++    0x7a6: 84,
++    0x7a7: 84,
++    0x7a8: 84,
++    0x7a9: 84,
++    0x7aa: 84,
++    0x7ab: 84,
++    0x7ac: 84,
++    0x7ad: 84,
++    0x7ae: 84,
++    0x7af: 84,
++    0x7b0: 84,
+     0x7ca: 68,
+     0x7cb: 68,
+     0x7cc: 68,
+@@ -376,7 +629,38 @@
+     0x7e8: 68,
+     0x7e9: 68,
+     0x7ea: 68,
++    0x7eb: 84,
++    0x7ec: 84,
++    0x7ed: 84,
++    0x7ee: 84,
++    0x7ef: 84,
++    0x7f0: 84,
++    0x7f1: 84,
++    0x7f2: 84,
++    0x7f3: 84,
+     0x7fa: 67,
++    0x7fd: 84,
++    0x816: 84,
++    0x817: 84,
++    0x818: 84,
++    0x819: 84,
++    0x81b: 84,
++    0x81c: 84,
++    0x81d: 84,
++    0x81e: 84,
++    0x81f: 84,
++    0x820: 84,
++    0x821: 84,
++    0x822: 84,
++    0x823: 84,
++    0x825: 84,
++    0x826: 84,
++    0x827: 84,
++    0x829: 84,
++    0x82a: 84,
++    0x82b: 84,
++    0x82c: 84,
++    0x82d: 84,
+     0x840: 82,
+     0x841: 68,
+     0x842: 68,
+@@ -402,13 +686,14 @@
+     0x856: 82,
+     0x857: 82,
+     0x858: 82,
++    0x859: 84,
++    0x85a: 84,
++    0x85b: 84,
+     0x860: 68,
+-    0x861: 85,
+     0x862: 68,
+     0x863: 68,
+     0x864: 68,
+     0x865: 68,
+-    0x866: 85,
+     0x867: 82,
+     0x868: 68,
+     0x869: 82,
+@@ -436,16 +721,20 @@
+     0x884: 67,
+     0x885: 67,
+     0x886: 68,
+-    0x887: 85,
+-    0x888: 85,
+     0x889: 68,
+     0x88a: 68,
+     0x88b: 68,
+     0x88c: 68,
+     0x88d: 68,
+     0x88e: 82,
+-    0x890: 85,
+-    0x891: 85,
++    0x898: 84,
++    0x899: 84,
++    0x89a: 84,
++    0x89b: 84,
++    0x89c: 84,
++    0x89d: 84,
++    0x89e: 84,
++    0x89f: 84,
+     0x8a0: 68,
+     0x8a1: 68,
+     0x8a2: 68,
+@@ -459,7 +748,6 @@
+     0x8aa: 82,
+     0x8ab: 82,
+     0x8ac: 82,
+-    0x8ad: 85,
+     0x8ae: 82,
+     0x8af: 68,
+     0x8b0: 68,
+@@ -487,11 +775,357 @@
+     0x8c6: 68,
+     0x8c7: 68,
+     0x8c8: 68,
+-    0x8e2: 85,
+-    0x1806: 85,
++    0x8ca: 84,
++    0x8cb: 84,
++    0x8cc: 84,
++    0x8cd: 84,
++    0x8ce: 84,
++    0x8cf: 84,
++    0x8d0: 84,
++    0x8d1: 84,
++    0x8d2: 84,
++    0x8d3: 84,
++    0x8d4: 84,
++    0x8d5: 84,
++    0x8d6: 84,
++    0x8d7: 84,
++    0x8d8: 84,
++    0x8d9: 84,
++    0x8da: 84,
++    0x8db: 84,
++    0x8dc: 84,
++    0x8dd: 84,
++    0x8de: 84,
++    0x8df: 84,
++    0x8e0: 84,
++    0x8e1: 84,
++    0x8e3: 84,
++    0x8e4: 84,
++    0x8e5: 84,
++    0x8e6: 84,
++    0x8e7: 84,
++    0x8e8: 84,
++    0x8e9: 84,
++    0x8ea: 84,
++    0x8eb: 84,
++    0x8ec: 84,
++    0x8ed: 84,
++    0x8ee: 84,
++    0x8ef: 84,
++    0x8f0: 84,
++    0x8f1: 84,
++    0x8f2: 84,
++    0x8f3: 84,
++    0x8f4: 84,
++    0x8f5: 84,
++    0x8f6: 84,
++    0x8f7: 84,
++    0x8f8: 84,
++    0x8f9: 84,
++    0x8fa: 84,
++    0x8fb: 84,
++    0x8fc: 84,
++    0x8fd: 84,
++    0x8fe: 84,
++    0x8ff: 84,
++    0x900: 84,
++    0x901: 84,
++    0x902: 84,
++    0x93a: 84,
++    0x93c: 84,
++    0x941: 84,
++    0x942: 84,
++    0x943: 84,
++    0x944: 84,
++    0x945: 84,
++    0x946: 84,
++    0x947: 84,
++    0x948: 84,
++    0x94d: 84,
++    0x951: 84,
++    0x952: 84,
++    0x953: 84,
++    0x954: 84,
++    0x955: 84,
++    0x956: 84,
++    0x957: 84,
++    0x962: 84,
++    0x963: 84,
++    0x981: 84,
++    0x9bc: 84,
++    0x9c1: 84,
++    0x9c2: 84,
++    0x9c3: 84,
++    0x9c4: 84,
++    0x9cd: 84,
++    0x9e2: 84,
++    0x9e3: 84,
++    0x9fe: 84,
++    0xa01: 84,
++    0xa02: 84,
++    0xa3c: 84,
++    0xa41: 84,
++    0xa42: 84,
++    0xa47: 84,
++    0xa48: 84,
++    0xa4b: 84,
++    0xa4c: 84,
++    0xa4d: 84,
++    0xa51: 84,
++    0xa70: 84,
++    0xa71: 84,
++    0xa75: 84,
++    0xa81: 84,
++    0xa82: 84,
++    0xabc: 84,
++    0xac1: 84,
++    0xac2: 84,
++    0xac3: 84,
++    0xac4: 84,
++    0xac5: 84,
++    0xac7: 84,
++    0xac8: 84,
++    0xacd: 84,
++    0xae2: 84,
++    0xae3: 84,
++    0xafa: 84,
++    0xafb: 84,
++    0xafc: 84,
++    0xafd: 84,
++    0xafe: 84,
++    0xaff: 84,
++    0xb01: 84,
++    0xb3c: 84,
++    0xb3f: 84,
++    0xb41: 84,
++    0xb42: 84,
++    0xb43: 84,
++    0xb44: 84,
++    0xb4d: 84,
++    0xb55: 84,
++    0xb56: 84,
++    0xb62: 84,
++    0xb63: 84,
++    0xb82: 84,
++    0xbc0: 84,
++    0xbcd: 84,
++    0xc00: 84,
++    0xc04: 84,
++    0xc3c: 84,
++    0xc3e: 84,
++    0xc3f: 84,
++    0xc40: 84,
++    0xc46: 84,
++    0xc47: 84,
++    0xc48: 84,
++    0xc4a: 84,
++    0xc4b: 84,
++    0xc4c: 84,
++    0xc4d: 84,
++    0xc55: 84,
++    0xc56: 84,
++    0xc62: 84,
++    0xc63: 84,
++    0xc81: 84,
++    0xcbc: 84,
++    0xcbf: 84,
++    0xcc6: 84,
++    0xccc: 84,
++    0xccd: 84,
++    0xce2: 84,
++    0xce3: 84,
++    0xd00: 84,
++    0xd01: 84,
++    0xd3b: 84,
++    0xd3c: 84,
++    0xd41: 84,
++    0xd42: 84,
++    0xd43: 84,
++    0xd44: 84,
++    0xd4d: 84,
++    0xd62: 84,
++    0xd63: 84,
++    0xd81: 84,
++    0xdca: 84,
++    0xdd2: 84,
++    0xdd3: 84,
++    0xdd4: 84,
++    0xdd6: 84,
++    0xe31: 84,
++    0xe34: 84,
++    0xe35: 84,
++    0xe36: 84,
++    0xe37: 84,
++    0xe38: 84,
++    0xe39: 84,
++    0xe3a: 84,
++    0xe47: 84,
++    0xe48: 84,
++    0xe49: 84,
++    0xe4a: 84,
++    0xe4b: 84,
++    0xe4c: 84,
++    0xe4d: 84,
++    0xe4e: 84,
++    0xeb1: 84,
++    0xeb4: 84,
++    0xeb5: 84,
++    0xeb6: 84,
++    0xeb7: 84,
++    0xeb8: 84,
++    0xeb9: 84,
++    0xeba: 84,
++    0xebb: 84,
++    0xebc: 84,
++    0xec8: 84,
++    0xec9: 84,
++    0xeca: 84,
++    0xecb: 84,
++    0xecc: 84,
++    0xecd: 84,
++    0xece: 84,
++    0xf18: 84,
++    0xf19: 84,
++    0xf35: 84,
++    0xf37: 84,
++    0xf39: 84,
++    0xf71: 84,
++    0xf72: 84,
++    0xf73: 84,
++    0xf74: 84,
++    0xf75: 84,
++    0xf76: 84,
++    0xf77: 84,
++    0xf78: 84,
++    0xf79: 84,
++    0xf7a: 84,
++    0xf7b: 84,
++    0xf7c: 84,
++    0xf7d: 84,
++    0xf7e: 84,
++    0xf80: 84,
++    0xf81: 84,
++    0xf82: 84,
++    0xf83: 84,
++    0xf84: 84,
++    0xf86: 84,
++    0xf87: 84,
++    0xf8d: 84,
++    0xf8e: 84,
++    0xf8f: 84,
++    0xf90: 84,
++    0xf91: 84,
++    0xf92: 84,
++    0xf93: 84,
++    0xf94: 84,
++    0xf95: 84,
++    0xf96: 84,
++    0xf97: 84,
++    0xf99: 84,
++    0xf9a: 84,
++    0xf9b: 84,
++    0xf9c: 84,
++    0xf9d: 84,
++    0xf9e: 84,
++    0xf9f: 84,
++    0xfa0: 84,
++    0xfa1: 84,
++    0xfa2: 84,
++    0xfa3: 84,
++    0xfa4: 84,
++    0xfa5: 84,
++    0xfa6: 84,
++    0xfa7: 84,
++    0xfa8: 84,
++    0xfa9: 84,
++    0xfaa: 84,
++    0xfab: 84,
++    0xfac: 84,
++    0xfad: 84,
++    0xfae: 84,
++    0xfaf: 84,
++    0xfb0: 84,
++    0xfb1: 84,
++    0xfb2: 84,
++    0xfb3: 84,
++    0xfb4: 84,
++    0xfb5: 84,
++    0xfb6: 84,
++    0xfb7: 84,
++    0xfb8: 84,
++    0xfb9: 84,
++    0xfba: 84,
++    0xfbb: 84,
++    0xfbc: 84,
++    0xfc6: 84,
++    0x102d: 84,
++    0x102e: 84,
++    0x102f: 84,
++    0x1030: 84,
++    0x1032: 84,
++    0x1033: 84,
++    0x1034: 84,
++    0x1035: 84,
++    0x1036: 84,
++    0x1037: 84,
++    0x1039: 84,
++    0x103a: 84,
++    0x103d: 84,
++    0x103e: 84,
++    0x1058: 84,
++    0x1059: 84,
++    0x105e: 84,
++    0x105f: 84,
++    0x1060: 84,
++    0x1071: 84,
++    0x1072: 84,
++    0x1073: 84,
++    0x1074: 84,
++    0x1082: 84,
++    0x1085: 84,
++    0x1086: 84,
++    0x108d: 84,
++    0x109d: 84,
++    0x135d: 84,
++    0x135e: 84,
++    0x135f: 84,
++    0x1712: 84,
++    0x1713: 84,
++    0x1714: 84,
++    0x1732: 84,
++    0x1733: 84,
++    0x1752: 84,
++    0x1753: 84,
++    0x1772: 84,
++    0x1773: 84,
++    0x17b4: 84,
++    0x17b5: 84,
++    0x17b7: 84,
++    0x17b8: 84,
++    0x17b9: 84,
++    0x17ba: 84,
++    0x17bb: 84,
++    0x17bc: 84,
++    0x17bd: 84,
++    0x17c6: 84,
++    0x17c9: 84,
++    0x17ca: 84,
++    0x17cb: 84,
++    0x17cc: 84,
++    0x17cd: 84,
++    0x17ce: 84,
++    0x17cf: 84,
++    0x17d0: 84,
++    0x17d1: 84,
++    0x17d2: 84,
++    0x17d3: 84,
++    0x17dd: 84,
+     0x1807: 68,
+     0x180a: 67,
+-    0x180e: 85,
++    0x180b: 84,
++    0x180c: 84,
++    0x180d: 84,
++    0x180f: 84,
+     0x1820: 68,
+     0x1821: 68,
+     0x1822: 68,
+@@ -581,11 +1215,6 @@
+     0x1876: 68,
+     0x1877: 68,
+     0x1878: 68,
+-    0x1880: 85,
+-    0x1881: 85,
+-    0x1882: 85,
+-    0x1883: 85,
+-    0x1884: 85,
+     0x1885: 84,
+     0x1886: 84,
+     0x1887: 68,
+@@ -622,14 +1251,339 @@
+     0x18a6: 68,
+     0x18a7: 68,
+     0x18a8: 68,
++    0x18a9: 84,
+     0x18aa: 68,
+-    0x200c: 85,
++    0x1920: 84,
++    0x1921: 84,
++    0x1922: 84,
++    0x1927: 84,
++    0x1928: 84,
++    0x1932: 84,
++    0x1939: 84,
++    0x193a: 84,
++    0x193b: 84,
++    0x1a17: 84,
++    0x1a18: 84,
++    0x1a1b: 84,
++    0x1a56: 84,
++    0x1a58: 84,
++    0x1a59: 84,
++    0x1a5a: 84,
++    0x1a5b: 84,
++    0x1a5c: 84,
++    0x1a5d: 84,
++    0x1a5e: 84,
++    0x1a60: 84,
++    0x1a62: 84,
++    0x1a65: 84,
++    0x1a66: 84,
++    0x1a67: 84,
++    0x1a68: 84,
++    0x1a69: 84,
++    0x1a6a: 84,
++    0x1a6b: 84,
++    0x1a6c: 84,
++    0x1a73: 84,
++    0x1a74: 84,
++    0x1a75: 84,
++    0x1a76: 84,
++    0x1a77: 84,
++    0x1a78: 84,
++    0x1a79: 84,
++    0x1a7a: 84,
++    0x1a7b: 84,
++    0x1a7c: 84,
++    0x1a7f: 84,
++    0x1ab0: 84,
++    0x1ab1: 84,
++    0x1ab2: 84,
++    0x1ab3: 84,
++    0x1ab4: 84,
++    0x1ab5: 84,
++    0x1ab6: 84,
++    0x1ab7: 84,
++    0x1ab8: 84,
++    0x1ab9: 84,
++    0x1aba: 84,
++    0x1abb: 84,
++    0x1abc: 84,
++    0x1abd: 84,
++    0x1abe: 84,
++    0x1abf: 84,
++    0x1ac0: 84,
++    0x1ac1: 84,
++    0x1ac2: 84,
++    0x1ac3: 84,
++    0x1ac4: 84,
++    0x1ac5: 84,
++    0x1ac6: 84,
++    0x1ac7: 84,
++    0x1ac8: 84,
++    0x1ac9: 84,
++    0x1aca: 84,
++    0x1acb: 84,
++    0x1acc: 84,
++    0x1acd: 84,
++    0x1ace: 84,
++    0x1b00: 84,
++    0x1b01: 84,
++    0x1b02: 84,
++    0x1b03: 84,
++    0x1b34: 84,
++    0x1b36: 84,
++    0x1b37: 84,
++    0x1b38: 84,
++    0x1b39: 84,
++    0x1b3a: 84,
++    0x1b3c: 84,
++    0x1b42: 84,
++    0x1b6b: 84,
++    0x1b6c: 84,
++    0x1b6d: 84,
++    0x1b6e: 84,
++    0x1b6f: 84,
++    0x1b70: 84,
++    0x1b71: 84,
++    0x1b72: 84,
++    0x1b73: 84,
++    0x1b80: 84,
++    0x1b81: 84,
++    0x1ba2: 84,
++    0x1ba3: 84,
++    0x1ba4: 84,
++    0x1ba5: 84,
++    0x1ba8: 84,
++    0x1ba9: 84,
++    0x1bab: 84,
++    0x1bac: 84,
++    0x1bad: 84,
++    0x1be6: 84,
++    0x1be8: 84,
++    0x1be9: 84,
++    0x1bed: 84,
++    0x1bef: 84,
++    0x1bf0: 84,
++    0x1bf1: 84,
++    0x1c2c: 84,
++    0x1c2d: 84,
++    0x1c2e: 84,
++    0x1c2f: 84,
++    0x1c30: 84,
++    0x1c31: 84,
++    0x1c32: 84,
++    0x1c33: 84,
++    0x1c36: 84,
++    0x1c37: 84,
++    0x1cd0: 84,
++    0x1cd1: 84,
++    0x1cd2: 84,
++    0x1cd4: 84,
++    0x1cd5: 84,
++    0x1cd6: 84,
++    0x1cd7: 84,
++    0x1cd8: 84,
++    0x1cd9: 84,
++    0x1cda: 84,
++    0x1cdb: 84,
++    0x1cdc: 84,
++    0x1cdd: 84,
++    0x1cde: 84,
++    0x1cdf: 84,
++    0x1ce0: 84,
++    0x1ce2: 84,
++    0x1ce3: 84,
++    0x1ce4: 84,
++    0x1ce5: 84,
++    0x1ce6: 84,
++    0x1ce7: 84,
++    0x1ce8: 84,
++    0x1ced: 84,
++    0x1cf4: 84,
++    0x1cf8: 84,
++    0x1cf9: 84,
++    0x1dc0: 84,
++    0x1dc1: 84,
++    0x1dc2: 84,
++    0x1dc3: 84,
++    0x1dc4: 84,
++    0x1dc5: 84,
++    0x1dc6: 84,
++    0x1dc7: 84,
++    0x1dc8: 84,
++    0x1dc9: 84,
++    0x1dca: 84,
++    0x1dcb: 84,
++    0x1dcc: 84,
++    0x1dcd: 84,
++    0x1dce: 84,
++    0x1dcf: 84,
++    0x1dd0: 84,
++    0x1dd1: 84,
++    0x1dd2: 84,
++    0x1dd3: 84,
++    0x1dd4: 84,
++    0x1dd5: 84,
++    0x1dd6: 84,
++    0x1dd7: 84,
++    0x1dd8: 84,
++    0x1dd9: 84,
++    0x1dda: 84,
++    0x1ddb: 84,
++    0x1ddc: 84,
++    0x1ddd: 84,
++    0x1dde: 84,
++    0x1ddf: 84,
++    0x1de0: 84,
++    0x1de1: 84,
++    0x1de2: 84,
++    0x1de3: 84,
++    0x1de4: 84,
++    0x1de5: 84,
++    0x1de6: 84,
++    0x1de7: 84,
++    0x1de8: 84,
++    0x1de9: 84,
++    0x1dea: 84,
++    0x1deb: 84,
++    0x1dec: 84,
++    0x1ded: 84,
++    0x1dee: 84,
++    0x1def: 84,
++    0x1df0: 84,
++    0x1df1: 84,
++    0x1df2: 84,
++    0x1df3: 84,
++    0x1df4: 84,
++    0x1df5: 84,
++    0x1df6: 84,
++    0x1df7: 84,
++    0x1df8: 84,
++    0x1df9: 84,
++    0x1dfa: 84,
++    0x1dfb: 84,
++    0x1dfc: 84,
++    0x1dfd: 84,
++    0x1dfe: 84,
++    0x1dff: 84,
++    0x200b: 84,
+     0x200d: 67,
+-    0x202f: 85,
+-    0x2066: 85,
+-    0x2067: 85,
+-    0x2068: 85,
+-    0x2069: 85,
++    0x200e: 84,
++    0x200f: 84,
++    0x202a: 84,
++    0x202b: 84,
++    0x202c: 84,
++    0x202d: 84,
++    0x202e: 84,
++    0x2060: 84,
++    0x2061: 84,
++    0x2062: 84,
++    0x2063: 84,
++    0x2064: 84,
++    0x206a: 84,
++    0x206b: 84,
++    0x206c: 84,
++    0x206d: 84,
++    0x206e: 84,
++    0x206f: 84,
++    0x20d0: 84,
++    0x20d1: 84,
++    0x20d2: 84,
++    0x20d3: 84,
++    0x20d4: 84,
++    0x20d5: 84,
++    0x20d6: 84,
++    0x20d7: 84,
++    0x20d8: 84,
++    0x20d9: 84,
++    0x20da: 84,
++    0x20db: 84,
++    0x20dc: 84,
++    0x20dd: 84,
++    0x20de: 84,
++    0x20df: 84,
++    0x20e0: 84,
++    0x20e1: 84,
++    0x20e2: 84,
++    0x20e3: 84,
++    0x20e4: 84,
++    0x20e5: 84,
++    0x20e6: 84,
++    0x20e7: 84,
++    0x20e8: 84,
++    0x20e9: 84,
++    0x20ea: 84,
++    0x20eb: 84,
++    0x20ec: 84,
++    0x20ed: 84,
++    0x20ee: 84,
++    0x20ef: 84,
++    0x20f0: 84,
++    0x2cef: 84,
++    0x2cf0: 84,
++    0x2cf1: 84,
++    0x2d7f: 84,
++    0x2de0: 84,
++    0x2de1: 84,
++    0x2de2: 84,
++    0x2de3: 84,
++    0x2de4: 84,
++    0x2de5: 84,
++    0x2de6: 84,
++    0x2de7: 84,
++    0x2de8: 84,
++    0x2de9: 84,
++    0x2dea: 84,
++    0x2deb: 84,
++    0x2dec: 84,
++    0x2ded: 84,
++    0x2dee: 84,
++    0x2def: 84,
++    0x2df0: 84,
++    0x2df1: 84,
++    0x2df2: 84,
++    0x2df3: 84,
++    0x2df4: 84,
++    0x2df5: 84,
++    0x2df6: 84,
++    0x2df7: 84,
++    0x2df8: 84,
++    0x2df9: 84,
++    0x2dfa: 84,
++    0x2dfb: 84,
++    0x2dfc: 84,
++    0x2dfd: 84,
++    0x2dfe: 84,
++    0x2dff: 84,
++    0x302a: 84,
++    0x302b: 84,
++    0x302c: 84,
++    0x302d: 84,
++    0x3099: 84,
++    0x309a: 84,
++    0xa66f: 84,
++    0xa670: 84,
++    0xa671: 84,
++    0xa672: 84,
++    0xa674: 84,
++    0xa675: 84,
++    0xa676: 84,
++    0xa677: 84,
++    0xa678: 84,
++    0xa679: 84,
++    0xa67a: 84,
++    0xa67b: 84,
++    0xa67c: 84,
++    0xa67d: 84,
++    0xa69e: 84,
++    0xa69f: 84,
++    0xa6f0: 84,
++    0xa6f1: 84,
++    0xa802: 84,
++    0xa806: 84,
++    0xa80b: 84,
++    0xa825: 84,
++    0xa826: 84,
++    0xa82c: 84,
+     0xa840: 68,
+     0xa841: 68,
+     0xa842: 68,
+@@ -681,20 +1635,151 @@
+     0xa870: 68,
+     0xa871: 68,
+     0xa872: 76,
+-    0xa873: 85,
++    0xa8c4: 84,
++    0xa8c5: 84,
++    0xa8e0: 84,
++    0xa8e1: 84,
++    0xa8e2: 84,
++    0xa8e3: 84,
++    0xa8e4: 84,
++    0xa8e5: 84,
++    0xa8e6: 84,
++    0xa8e7: 84,
++    0xa8e8: 84,
++    0xa8e9: 84,
++    0xa8ea: 84,
++    0xa8eb: 84,
++    0xa8ec: 84,
++    0xa8ed: 84,
++    0xa8ee: 84,
++    0xa8ef: 84,
++    0xa8f0: 84,
++    0xa8f1: 84,
++    0xa8ff: 84,
++    0xa926: 84,
++    0xa927: 84,
++    0xa928: 84,
++    0xa929: 84,
++    0xa92a: 84,
++    0xa92b: 84,
++    0xa92c: 84,
++    0xa92d: 84,
++    0xa947: 84,
++    0xa948: 84,
++    0xa949: 84,
++    0xa94a: 84,
++    0xa94b: 84,
++    0xa94c: 84,
++    0xa94d: 84,
++    0xa94e: 84,
++    0xa94f: 84,
++    0xa950: 84,
++    0xa951: 84,
++    0xa980: 84,
++    0xa981: 84,
++    0xa982: 84,
++    0xa9b3: 84,
++    0xa9b6: 84,
++    0xa9b7: 84,
++    0xa9b8: 84,
++    0xa9b9: 84,
++    0xa9bc: 84,
++    0xa9bd: 84,
++    0xa9e5: 84,
++    0xaa29: 84,
++    0xaa2a: 84,
++    0xaa2b: 84,
++    0xaa2c: 84,
++    0xaa2d: 84,
++    0xaa2e: 84,
++    0xaa31: 84,
++    0xaa32: 84,
++    0xaa35: 84,
++    0xaa36: 84,
++    0xaa43: 84,
++    0xaa4c: 84,
++    0xaa7c: 84,
++    0xaab0: 84,
++    0xaab2: 84,
++    0xaab3: 84,
++    0xaab4: 84,
++    0xaab7: 84,
++    0xaab8: 84,
++    0xaabe: 84,
++    0xaabf: 84,
++    0xaac1: 84,
++    0xaaec: 84,
++    0xaaed: 84,
++    0xaaf6: 84,
++    0xabe5: 84,
++    0xabe8: 84,
++    0xabed: 84,
++    0xfb1e: 84,
++    0xfe00: 84,
++    0xfe01: 84,
++    0xfe02: 84,
++    0xfe03: 84,
++    0xfe04: 84,
++    0xfe05: 84,
++    0xfe06: 84,
++    0xfe07: 84,
++    0xfe08: 84,
++    0xfe09: 84,
++    0xfe0a: 84,
++    0xfe0b: 84,
++    0xfe0c: 84,
++    0xfe0d: 84,
++    0xfe0e: 84,
++    0xfe0f: 84,
++    0xfe20: 84,
++    0xfe21: 84,
++    0xfe22: 84,
++    0xfe23: 84,
++    0xfe24: 84,
++    0xfe25: 84,
++    0xfe26: 84,
++    0xfe27: 84,
++    0xfe28: 84,
++    0xfe29: 84,
++    0xfe2a: 84,
++    0xfe2b: 84,
++    0xfe2c: 84,
++    0xfe2d: 84,
++    0xfe2e: 84,
++    0xfe2f: 84,
++    0xfeff: 84,
++    0xfff9: 84,
++    0xfffa: 84,
++    0xfffb: 84,
++    0x101fd: 84,
++    0x102e0: 84,
++    0x10376: 84,
++    0x10377: 84,
++    0x10378: 84,
++    0x10379: 84,
++    0x1037a: 84,
++    0x10a01: 84,
++    0x10a02: 84,
++    0x10a03: 84,
++    0x10a05: 84,
++    0x10a06: 84,
++    0x10a0c: 84,
++    0x10a0d: 84,
++    0x10a0e: 84,
++    0x10a0f: 84,
++    0x10a38: 84,
++    0x10a39: 84,
++    0x10a3a: 84,
++    0x10a3f: 84,
+     0x10ac0: 68,
+     0x10ac1: 68,
+     0x10ac2: 68,
+     0x10ac3: 68,
+     0x10ac4: 68,
+     0x10ac5: 82,
+-    0x10ac6: 85,
+     0x10ac7: 82,
+-    0x10ac8: 85,
+     0x10ac9: 82,
+     0x10aca: 82,
+-    0x10acb: 85,
+-    0x10acc: 85,
+     0x10acd: 76,
+     0x10ace: 82,
+     0x10acf: 82,
+@@ -716,9 +1801,9 @@
+     0x10adf: 68,
+     0x10ae0: 68,
+     0x10ae1: 82,
+-    0x10ae2: 85,
+-    0x10ae3: 85,
+     0x10ae4: 82,
++    0x10ae5: 84,
++    0x10ae6: 84,
+     0x10aeb: 68,
+     0x10aec: 68,
+     0x10aed: 68,
+@@ -748,7 +1833,6 @@
+     0x10bac: 82,
+     0x10bad: 68,
+     0x10bae: 68,
+-    0x10baf: 85,
+     0x10d00: 76,
+     0x10d01: 68,
+     0x10d02: 68,
+@@ -785,6 +1869,15 @@
+     0x10d21: 68,
+     0x10d22: 82,
+     0x10d23: 68,
++    0x10d24: 84,
++    0x10d25: 84,
++    0x10d26: 84,
++    0x10d27: 84,
++    0x10eab: 84,
++    0x10eac: 84,
++    0x10efd: 84,
++    0x10efe: 84,
++    0x10eff: 84,
+     0x10f30: 68,
+     0x10f31: 68,
+     0x10f32: 68,
+@@ -806,7 +1899,17 @@
+     0x10f42: 68,
+     0x10f43: 68,
+     0x10f44: 68,
+-    0x10f45: 85,
++    0x10f46: 84,
++    0x10f47: 84,
++    0x10f48: 84,
++    0x10f49: 84,
++    0x10f4a: 84,
++    0x10f4b: 84,
++    0x10f4c: 84,
++    0x10f4d: 84,
++    0x10f4e: 84,
++    0x10f4f: 84,
++    0x10f50: 84,
+     0x10f51: 68,
+     0x10f52: 68,
+     0x10f53: 68,
+@@ -829,14 +1932,16 @@
+     0x10f7f: 68,
+     0x10f80: 68,
+     0x10f81: 68,
++    0x10f82: 84,
++    0x10f83: 84,
++    0x10f84: 84,
++    0x10f85: 84,
+     0x10fb0: 68,
+-    0x10fb1: 85,
+     0x10fb2: 68,
+     0x10fb3: 68,
+     0x10fb4: 82,
+     0x10fb5: 82,
+     0x10fb6: 82,
+-    0x10fb7: 85,
+     0x10fb8: 68,
+     0x10fb9: 82,
+     0x10fba: 82,
+@@ -845,20 +1950,668 @@
+     0x10fbd: 82,
+     0x10fbe: 68,
+     0x10fbf: 68,
+-    0x10fc0: 85,
+     0x10fc1: 68,
+     0x10fc2: 82,
+     0x10fc3: 82,
+     0x10fc4: 68,
+-    0x10fc5: 85,
+-    0x10fc6: 85,
+-    0x10fc7: 85,
+-    0x10fc8: 85,
+     0x10fc9: 82,
+     0x10fca: 68,
+     0x10fcb: 76,
+-    0x110bd: 85,
+-    0x110cd: 85,
++    0x11001: 84,
++    0x11038: 84,
++    0x11039: 84,
++    0x1103a: 84,
++    0x1103b: 84,
++    0x1103c: 84,
++    0x1103d: 84,
++    0x1103e: 84,
++    0x1103f: 84,
++    0x11040: 84,
++    0x11041: 84,
++    0x11042: 84,
++    0x11043: 84,
++    0x11044: 84,
++    0x11045: 84,
++    0x11046: 84,
++    0x11070: 84,
++    0x11073: 84,
++    0x11074: 84,
++    0x1107f: 84,
++    0x11080: 84,
++    0x11081: 84,
++    0x110b3: 84,
++    0x110b4: 84,
++    0x110b5: 84,
++    0x110b6: 84,
++    0x110b9: 84,
++    0x110ba: 84,
++    0x110c2: 84,
++    0x11100: 84,
++    0x11101: 84,
++    0x11102: 84,
++    0x11127: 84,
++    0x11128: 84,
++    0x11129: 84,
++    0x1112a: 84,
++    0x1112b: 84,
++    0x1112d: 84,
++    0x1112e: 84,
++    0x1112f: 84,
++    0x11130: 84,
++    0x11131: 84,
++    0x11132: 84,
++    0x11133: 84,
++    0x11134: 84,
++    0x11173: 84,
++    0x11180: 84,
++    0x11181: 84,
++    0x111b6: 84,
++    0x111b7: 84,
++    0x111b8: 84,
++    0x111b9: 84,
++    0x111ba: 84,
++    0x111bb: 84,
++    0x111bc: 84,
++    0x111bd: 84,
++    0x111be: 84,
++    0x111c9: 84,
++    0x111ca: 84,
++    0x111cb: 84,
++    0x111cc: 84,
++    0x111cf: 84,
++    0x1122f: 84,
++    0x11230: 84,
++    0x11231: 84,
++    0x11234: 84,
++    0x11236: 84,
++    0x11237: 84,
++    0x1123e: 84,
++    0x11241: 84,
++    0x112df: 84,
++    0x112e3: 84,
++    0x112e4: 84,
++    0x112e5: 84,
++    0x112e6: 84,
++    0x112e7: 84,
++    0x112e8: 84,
++    0x112e9: 84,
++    0x112ea: 84,
++    0x11300: 84,
++    0x11301: 84,
++    0x1133b: 84,
++    0x1133c: 84,
++    0x11340: 84,
++    0x11366: 84,
++    0x11367: 84,
++    0x11368: 84,
++    0x11369: 84,
++    0x1136a: 84,
++    0x1136b: 84,
++    0x1136c: 84,
++    0x11370: 84,
++    0x11371: 84,
++    0x11372: 84,
++    0x11373: 84,
++    0x11374: 84,
++    0x11438: 84,
++    0x11439: 84,
++    0x1143a: 84,
++    0x1143b: 84,
++    0x1143c: 84,
++    0x1143d: 84,
++    0x1143e: 84,
++    0x1143f: 84,
++    0x11442: 84,
++    0x11443: 84,
++    0x11444: 84,
++    0x11446: 84,
++    0x1145e: 84,
++    0x114b3: 84,
++    0x114b4: 84,
++    0x114b5: 84,
++    0x114b6: 84,
++    0x114b7: 84,
++    0x114b8: 84,
++    0x114ba: 84,
++    0x114bf: 84,
++    0x114c0: 84,
++    0x114c2: 84,
++    0x114c3: 84,
++    0x115b2: 84,
++    0x115b3: 84,
++    0x115b4: 84,
++    0x115b5: 84,
++    0x115bc: 84,
++    0x115bd: 84,
++    0x115bf: 84,
++    0x115c0: 84,
++    0x115dc: 84,
++    0x115dd: 84,
++    0x11633: 84,
++    0x11634: 84,
++    0x11635: 84,
++    0x11636: 84,
++    0x11637: 84,
++    0x11638: 84,
++    0x11639: 84,
++    0x1163a: 84,
++    0x1163d: 84,
++    0x1163f: 84,
++    0x11640: 84,
++    0x116ab: 84,
++    0x116ad: 84,
++    0x116b0: 84,
++    0x116b1: 84,
++    0x116b2: 84,
++    0x116b3: 84,
++    0x116b4: 84,
++    0x116b5: 84,
++    0x116b7: 84,
++    0x1171d: 84,
++    0x1171e: 84,
++    0x1171f: 84,
++    0x11722: 84,
++    0x11723: 84,
++    0x11724: 84,
++    0x11725: 84,
++    0x11727: 84,
++    0x11728: 84,
++    0x11729: 84,
++    0x1172a: 84,
++    0x1172b: 84,
++    0x1182f: 84,
++    0x11830: 84,
++    0x11831: 84,
++    0x11832: 84,
++    0x11833: 84,
++    0x11834: 84,
++    0x11835: 84,
++    0x11836: 84,
++    0x11837: 84,
++    0x11839: 84,
++    0x1183a: 84,
++    0x1193b: 84,
++    0x1193c: 84,
++    0x1193e: 84,
++    0x11943: 84,
++    0x119d4: 84,
++    0x119d5: 84,
++    0x119d6: 84,
++    0x119d7: 84,
++    0x119da: 84,
++    0x119db: 84,
++    0x119e0: 84,
++    0x11a01: 84,
++    0x11a02: 84,
++    0x11a03: 84,
++    0x11a04: 84,
++    0x11a05: 84,
++    0x11a06: 84,
++    0x11a07: 84,
++    0x11a08: 84,
++    0x11a09: 84,
++    0x11a0a: 84,
++    0x11a33: 84,
++    0x11a34: 84,
++    0x11a35: 84,
++    0x11a36: 84,
++    0x11a37: 84,
++    0x11a38: 84,
++    0x11a3b: 84,
++    0x11a3c: 84,
++    0x11a3d: 84,
++    0x11a3e: 84,
++    0x11a47: 84,
++    0x11a51: 84,
++    0x11a52: 84,
++    0x11a53: 84,
++    0x11a54: 84,
++    0x11a55: 84,
++    0x11a56: 84,
++    0x11a59: 84,
++    0x11a5a: 84,
++    0x11a5b: 84,
++    0x11a8a: 84,
++    0x11a8b: 84,
++    0x11a8c: 84,
++    0x11a8d: 84,
++    0x11a8e: 84,
++    0x11a8f: 84,
++    0x11a90: 84,
++    0x11a91: 84,
++    0x11a92: 84,
++    0x11a93: 84,
++    0x11a94: 84,
++    0x11a95: 84,
++    0x11a96: 84,
++    0x11a98: 84,
++    0x11a99: 84,
++    0x11c30: 84,
++    0x11c31: 84,
++    0x11c32: 84,
++    0x11c33: 84,
++    0x11c34: 84,
++    0x11c35: 84,
++    0x11c36: 84,
++    0x11c38: 84,
++    0x11c39: 84,
++    0x11c3a: 84,
++    0x11c3b: 84,
++    0x11c3c: 84,
++    0x11c3d: 84,
++    0x11c3f: 84,
++    0x11c92: 84,
++    0x11c93: 84,
++    0x11c94: 84,
++    0x11c95: 84,
++    0x11c96: 84,
++    0x11c97: 84,
++    0x11c98: 84,
++    0x11c99: 84,
++    0x11c9a: 84,
++    0x11c9b: 84,
++    0x11c9c: 84,
++    0x11c9d: 84,
++    0x11c9e: 84,
++    0x11c9f: 84,
++    0x11ca0: 84,
++    0x11ca1: 84,
++    0x11ca2: 84,
++    0x11ca3: 84,
++    0x11ca4: 84,
++    0x11ca5: 84,
++    0x11ca6: 84,
++    0x11ca7: 84,
++    0x11caa: 84,
++    0x11cab: 84,
++    0x11cac: 84,
++    0x11cad: 84,
++    0x11cae: 84,
++    0x11caf: 84,
++    0x11cb0: 84,
++    0x11cb2: 84,
++    0x11cb3: 84,
++    0x11cb5: 84,
++    0x11cb6: 84,
++    0x11d31: 84,
++    0x11d32: 84,
++    0x11d33: 84,
++    0x11d34: 84,
++    0x11d35: 84,
++    0x11d36: 84,
++    0x11d3a: 84,
++    0x11d3c: 84,
++    0x11d3d: 84,
++    0x11d3f: 84,
++    0x11d40: 84,
++    0x11d41: 84,
++    0x11d42: 84,
++    0x11d43: 84,
++    0x11d44: 84,
++    0x11d45: 84,
++    0x11d47: 84,
++    0x11d90: 84,
++    0x11d91: 84,
++    0x11d95: 84,
++    0x11d97: 84,
++    0x11ef3: 84,
++    0x11ef4: 84,
++    0x11f00: 84,
++    0x11f01: 84,
++    0x11f36: 84,
++    0x11f37: 84,
++    0x11f38: 84,
++    0x11f39: 84,
++    0x11f3a: 84,
++    0x11f40: 84,
++    0x11f42: 84,
++    0x13430: 84,
++    0x13431: 84,
++    0x13432: 84,
++    0x13433: 84,
++    0x13434: 84,
++    0x13435: 84,
++    0x13436: 84,
++    0x13437: 84,
++    0x13438: 84,
++    0x13439: 84,
++    0x1343a: 84,
++    0x1343b: 84,
++    0x1343c: 84,
++    0x1343d: 84,
++    0x1343e: 84,
++    0x1343f: 84,
++    0x13440: 84,
++    0x13447: 84,
++    0x13448: 84,
++    0x13449: 84,
++    0x1344a: 84,
++    0x1344b: 84,
++    0x1344c: 84,
++    0x1344d: 84,
++    0x1344e: 84,
++    0x1344f: 84,
++    0x13450: 84,
++    0x13451: 84,
++    0x13452: 84,
++    0x13453: 84,
++    0x13454: 84,
++    0x13455: 84,
++    0x16af0: 84,
++    0x16af1: 84,
++    0x16af2: 84,
++    0x16af3: 84,
++    0x16af4: 84,
++    0x16b30: 84,
++    0x16b31: 84,
++    0x16b32: 84,
++    0x16b33: 84,
++    0x16b34: 84,
++    0x16b35: 84,
++    0x16b36: 84,
++    0x16f4f: 84,
++    0x16f8f: 84,
++    0x16f90: 84,
++    0x16f91: 84,
++    0x16f92: 84,
++    0x16fe4: 84,
++    0x1bc9d: 84,
++    0x1bc9e: 84,
++    0x1bca0: 84,
++    0x1bca1: 84,
++    0x1bca2: 84,
++    0x1bca3: 84,
++    0x1cf00: 84,
++    0x1cf01: 84,
++    0x1cf02: 84,
++    0x1cf03: 84,
++    0x1cf04: 84,
++    0x1cf05: 84,
++    0x1cf06: 84,
++    0x1cf07: 84,
++    0x1cf08: 84,
++    0x1cf09: 84,
++    0x1cf0a: 84,
++    0x1cf0b: 84,
++    0x1cf0c: 84,
++    0x1cf0d: 84,
++    0x1cf0e: 84,
++    0x1cf0f: 84,
++    0x1cf10: 84,
++    0x1cf11: 84,
++    0x1cf12: 84,
++    0x1cf13: 84,
++    0x1cf14: 84,
++    0x1cf15: 84,
++    0x1cf16: 84,
++    0x1cf17: 84,
++    0x1cf18: 84,
++    0x1cf19: 84,
++    0x1cf1a: 84,
++    0x1cf1b: 84,
++    0x1cf1c: 84,
++    0x1cf1d: 84,
++    0x1cf1e: 84,
++    0x1cf1f: 84,
++    0x1cf20: 84,
++    0x1cf21: 84,
++    0x1cf22: 84,
++    0x1cf23: 84,
++    0x1cf24: 84,
++    0x1cf25: 84,
++    0x1cf26: 84,
++    0x1cf27: 84,
++    0x1cf28: 84,
++    0x1cf29: 84,
++    0x1cf2a: 84,
++    0x1cf2b: 84,
++    0x1cf2c: 84,
++    0x1cf2d: 84,
++    0x1cf30: 84,
++    0x1cf31: 84,
++    0x1cf32: 84,
++    0x1cf33: 84,
++    0x1cf34: 84,
++    0x1cf35: 84,
++    0x1cf36: 84,
++    0x1cf37: 84,
++    0x1cf38: 84,
++    0x1cf39: 84,
++    0x1cf3a: 84,
++    0x1cf3b: 84,
++    0x1cf3c: 84,
++    0x1cf3d: 84,
++    0x1cf3e: 84,
++    0x1cf3f: 84,
++    0x1cf40: 84,
++    0x1cf41: 84,
++    0x1cf42: 84,
++    0x1cf43: 84,
++    0x1cf44: 84,
++    0x1cf45: 84,
++    0x1cf46: 84,
++    0x1d167: 84,
++    0x1d168: 84,
++    0x1d169: 84,
++    0x1d173: 84,
++    0x1d174: 84,
++    0x1d175: 84,
++    0x1d176: 84,
++    0x1d177: 84,
++    0x1d178: 84,
++    0x1d179: 84,
++    0x1d17a: 84,
++    0x1d17b: 84,
++    0x1d17c: 84,
++    0x1d17d: 84,
++    0x1d17e: 84,
++    0x1d17f: 84,
++    0x1d180: 84,
++    0x1d181: 84,
++    0x1d182: 84,
++    0x1d185: 84,
++    0x1d186: 84,
++    0x1d187: 84,
++    0x1d188: 84,
++    0x1d189: 84,
++    0x1d18a: 84,
++    0x1d18b: 84,
++    0x1d1aa: 84,
++    0x1d1ab: 84,
++    0x1d1ac: 84,
++    0x1d1ad: 84,
++    0x1d242: 84,
++    0x1d243: 84,
++    0x1d244: 84,
++    0x1da00: 84,
++    0x1da01: 84,
++    0x1da02: 84,
++    0x1da03: 84,
++    0x1da04: 84,
++    0x1da05: 84,
++    0x1da06: 84,
++    0x1da07: 84,
++    0x1da08: 84,
++    0x1da09: 84,
++    0x1da0a: 84,
++    0x1da0b: 84,
++    0x1da0c: 84,
++    0x1da0d: 84,
++    0x1da0e: 84,
++    0x1da0f: 84,
++    0x1da10: 84,
++    0x1da11: 84,
++    0x1da12: 84,
++    0x1da13: 84,
++    0x1da14: 84,
++    0x1da15: 84,
++    0x1da16: 84,
++    0x1da17: 84,
++    0x1da18: 84,
++    0x1da19: 84,
++    0x1da1a: 84,
++    0x1da1b: 84,
++    0x1da1c: 84,
++    0x1da1d: 84,
++    0x1da1e: 84,
++    0x1da1f: 84,
++    0x1da20: 84,
++    0x1da21: 84,
++    0x1da22: 84,
++    0x1da23: 84,
++    0x1da24: 84,
++    0x1da25: 84,
++    0x1da26: 84,
++    0x1da27: 84,
++    0x1da28: 84,
++    0x1da29: 84,
++    0x1da2a: 84,
++    0x1da2b: 84,
++    0x1da2c: 84,
++    0x1da2d: 84,
++    0x1da2e: 84,
++    0x1da2f: 84,
++    0x1da30: 84,
++    0x1da31: 84,
++    0x1da32: 84,
++    0x1da33: 84,
++    0x1da34: 84,
++    0x1da35: 84,
++    0x1da36: 84,
++    0x1da3b: 84,
++    0x1da3c: 84,
++    0x1da3d: 84,
++    0x1da3e: 84,
++    0x1da3f: 84,
++    0x1da40: 84,
++    0x1da41: 84,
++    0x1da42: 84,
++    0x1da43: 84,
++    0x1da44: 84,
++    0x1da45: 84,
++    0x1da46: 84,
++    0x1da47: 84,
++    0x1da48: 84,
++    0x1da49: 84,
++    0x1da4a: 84,
++    0x1da4b: 84,
++    0x1da4c: 84,
++    0x1da4d: 84,
++    0x1da4e: 84,
++    0x1da4f: 84,
++    0x1da50: 84,
++    0x1da51: 84,
++    0x1da52: 84,
++    0x1da53: 84,
++    0x1da54: 84,
++    0x1da55: 84,
++    0x1da56: 84,
++    0x1da57: 84,
++    0x1da58: 84,
++    0x1da59: 84,
++    0x1da5a: 84,
++    0x1da5b: 84,
++    0x1da5c: 84,
++    0x1da5d: 84,
++    0x1da5e: 84,
++    0x1da5f: 84,
++    0x1da60: 84,
++    0x1da61: 84,
++    0x1da62: 84,
++    0x1da63: 84,
++    0x1da64: 84,
++    0x1da65: 84,
++    0x1da66: 84,
++    0x1da67: 84,
++    0x1da68: 84,
++    0x1da69: 84,
++    0x1da6a: 84,
++    0x1da6b: 84,
++    0x1da6c: 84,
++    0x1da75: 84,
++    0x1da84: 84,
++    0x1da9b: 84,
++    0x1da9c: 84,
++    0x1da9d: 84,
++    0x1da9e: 84,
++    0x1da9f: 84,
++    0x1daa1: 84,
++    0x1daa2: 84,
++    0x1daa3: 84,
++    0x1daa4: 84,
++    0x1daa5: 84,
++    0x1daa6: 84,
++    0x1daa7: 84,
++    0x1daa8: 84,
++    0x1daa9: 84,
++    0x1daaa: 84,
++    0x1daab: 84,
++    0x1daac: 84,
++    0x1daad: 84,
++    0x1daae: 84,
++    0x1daaf: 84,
++    0x1e000: 84,
++    0x1e001: 84,
++    0x1e002: 84,
++    0x1e003: 84,
++    0x1e004: 84,
++    0x1e005: 84,
++    0x1e006: 84,
++    0x1e008: 84,
++    0x1e009: 84,
++    0x1e00a: 84,
++    0x1e00b: 84,
++    0x1e00c: 84,
++    0x1e00d: 84,
++    0x1e00e: 84,
++    0x1e00f: 84,
++    0x1e010: 84,
++    0x1e011: 84,
++    0x1e012: 84,
++    0x1e013: 84,
++    0x1e014: 84,
++    0x1e015: 84,
++    0x1e016: 84,
++    0x1e017: 84,
++    0x1e018: 84,
++    0x1e01b: 84,
++    0x1e01c: 84,
++    0x1e01d: 84,
++    0x1e01e: 84,
++    0x1e01f: 84,
++    0x1e020: 84,
++    0x1e021: 84,
++    0x1e023: 84,
++    0x1e024: 84,
++    0x1e026: 84,
++    0x1e027: 84,
++    0x1e028: 84,
++    0x1e029: 84,
++    0x1e02a: 84,
++    0x1e08f: 84,
++    0x1e130: 84,
++    0x1e131: 84,
++    0x1e132: 84,
++    0x1e133: 84,
++    0x1e134: 84,
++    0x1e135: 84,
++    0x1e136: 84,
++    0x1e2ae: 84,
++    0x1e2ec: 84,
++    0x1e2ed: 84,
++    0x1e2ee: 84,
++    0x1e2ef: 84,
++    0x1e4ec: 84,
++    0x1e4ed: 84,
++    0x1e4ee: 84,
++    0x1e4ef: 84,
++    0x1e8d0: 84,
++    0x1e8d1: 84,
++    0x1e8d2: 84,
++    0x1e8d3: 84,
++    0x1e8d4: 84,
++    0x1e8d5: 84,
++    0x1e8d6: 84,
+     0x1e900: 68,
+     0x1e901: 68,
+     0x1e902: 68,
+@@ -927,7 +2680,351 @@
+     0x1e941: 68,
+     0x1e942: 68,
+     0x1e943: 68,
++    0x1e944: 84,
++    0x1e945: 84,
++    0x1e946: 84,
++    0x1e947: 84,
++    0x1e948: 84,
++    0x1e949: 84,
++    0x1e94a: 84,
+     0x1e94b: 84,
++    0xe0001: 84,
++    0xe0020: 84,
++    0xe0021: 84,
++    0xe0022: 84,
++    0xe0023: 84,
++    0xe0024: 84,
++    0xe0025: 84,
++    0xe0026: 84,
++    0xe0027: 84,
++    0xe0028: 84,
++    0xe0029: 84,
++    0xe002a: 84,
++    0xe002b: 84,
++    0xe002c: 84,
++    0xe002d: 84,
++    0xe002e: 84,
++    0xe002f: 84,
++    0xe0030: 84,
++    0xe0031: 84,
++    0xe0032: 84,
++    0xe0033: 84,
++    0xe0034: 84,
++    0xe0035: 84,
++    0xe0036: 84,
++    0xe0037: 84,
++    0xe0038: 84,
++    0xe0039: 84,
++    0xe003a: 84,
++    0xe003b: 84,
++    0xe003c: 84,
++    0xe003d: 84,
++    0xe003e: 84,
++    0xe003f: 84,
++    0xe0040: 84,
++    0xe0041: 84,
++    0xe0042: 84,
++    0xe0043: 84,
++    0xe0044: 84,
++    0xe0045: 84,
++    0xe0046: 84,
++    0xe0047: 84,
++    0xe0048: 84,
++    0xe0049: 84,
++    0xe004a: 84,
++    0xe004b: 84,
++    0xe004c: 84,
++    0xe004d: 84,
++    0xe004e: 84,
++    0xe004f: 84,
++    0xe0050: 84,
++    0xe0051: 84,
++    0xe0052: 84,
++    0xe0053: 84,
++    0xe0054: 84,
++    0xe0055: 84,
++    0xe0056: 84,
++    0xe0057: 84,
++    0xe0058: 84,
++    0xe0059: 84,
++    0xe005a: 84,
++    0xe005b: 84,
++    0xe005c: 84,
++    0xe005d: 84,
++    0xe005e: 84,
++    0xe005f: 84,
++    0xe0060: 84,
++    0xe0061: 84,
++    0xe0062: 84,
++    0xe0063: 84,
++    0xe0064: 84,
++    0xe0065: 84,
++    0xe0066: 84,
++    0xe0067: 84,
++    0xe0068: 84,
++    0xe0069: 84,
++    0xe006a: 84,
++    0xe006b: 84,
++    0xe006c: 84,
++    0xe006d: 84,
++    0xe006e: 84,
++    0xe006f: 84,
++    0xe0070: 84,
++    0xe0071: 84,
++    0xe0072: 84,
++    0xe0073: 84,
++    0xe0074: 84,
++    0xe0075: 84,
++    0xe0076: 84,
++    0xe0077: 84,
++    0xe0078: 84,
++    0xe0079: 84,
++    0xe007a: 84,
++    0xe007b: 84,
++    0xe007c: 84,
++    0xe007d: 84,
++    0xe007e: 84,
++    0xe007f: 84,
++    0xe0100: 84,
++    0xe0101: 84,
++    0xe0102: 84,
++    0xe0103: 84,
++    0xe0104: 84,
++    0xe0105: 84,
++    0xe0106: 84,
++    0xe0107: 84,
++    0xe0108: 84,
++    0xe0109: 84,
++    0xe010a: 84,
++    0xe010b: 84,
++    0xe010c: 84,
++    0xe010d: 84,
++    0xe010e: 84,
++    0xe010f: 84,
++    0xe0110: 84,
++    0xe0111: 84,
++    0xe0112: 84,
++    0xe0113: 84,
++    0xe0114: 84,
++    0xe0115: 84,
++    0xe0116: 84,
++    0xe0117: 84,
++    0xe0118: 84,
++    0xe0119: 84,
++    0xe011a: 84,
++    0xe011b: 84,
++    0xe011c: 84,
++    0xe011d: 84,
++    0xe011e: 84,
++    0xe011f: 84,
++    0xe0120: 84,
++    0xe0121: 84,
++    0xe0122: 84,
++    0xe0123: 84,
++    0xe0124: 84,
++    0xe0125: 84,
++    0xe0126: 84,
++    0xe0127: 84,
++    0xe0128: 84,
++    0xe0129: 84,
++    0xe012a: 84,
++    0xe012b: 84,
++    0xe012c: 84,
++    0xe012d: 84,
++    0xe012e: 84,
++    0xe012f: 84,
++    0xe0130: 84,
++    0xe0131: 84,
++    0xe0132: 84,
++    0xe0133: 84,
++    0xe0134: 84,
++    0xe0135: 84,
++    0xe0136: 84,
++    0xe0137: 84,
++    0xe0138: 84,
++    0xe0139: 84,
++    0xe013a: 84,
++    0xe013b: 84,
++    0xe013c: 84,
++    0xe013d: 84,
++    0xe013e: 84,
++    0xe013f: 84,
++    0xe0140: 84,
++    0xe0141: 84,
++    0xe0142: 84,
++    0xe0143: 84,
++    0xe0144: 84,
++    0xe0145: 84,
++    0xe0146: 84,
++    0xe0147: 84,
++    0xe0148: 84,
++    0xe0149: 84,
++    0xe014a: 84,
++    0xe014b: 84,
++    0xe014c: 84,
++    0xe014d: 84,
++    0xe014e: 84,
++    0xe014f: 84,
++    0xe0150: 84,
++    0xe0151: 84,
++    0xe0152: 84,
++    0xe0153: 84,
++    0xe0154: 84,
++    0xe0155: 84,
++    0xe0156: 84,
++    0xe0157: 84,
++    0xe0158: 84,
++    0xe0159: 84,
++    0xe015a: 84,
++    0xe015b: 84,
++    0xe015c: 84,
++    0xe015d: 84,
++    0xe015e: 84,
++    0xe015f: 84,
++    0xe0160: 84,
++    0xe0161: 84,
++    0xe0162: 84,
++    0xe0163: 84,
++    0xe0164: 84,
++    0xe0165: 84,
++    0xe0166: 84,
++    0xe0167: 84,
++    0xe0168: 84,
++    0xe0169: 84,
++    0xe016a: 84,
++    0xe016b: 84,
++    0xe016c: 84,
++    0xe016d: 84,
++    0xe016e: 84,
++    0xe016f: 84,
++    0xe0170: 84,
++    0xe0171: 84,
++    0xe0172: 84,
++    0xe0173: 84,
++    0xe0174: 84,
++    0xe0175: 84,
++    0xe0176: 84,
++    0xe0177: 84,
++    0xe0178: 84,
++    0xe0179: 84,
++    0xe017a: 84,
++    0xe017b: 84,
++    0xe017c: 84,
++    0xe017d: 84,
++    0xe017e: 84,
++    0xe017f: 84,
++    0xe0180: 84,
++    0xe0181: 84,
++    0xe0182: 84,
++    0xe0183: 84,
++    0xe0184: 84,
++    0xe0185: 84,
++    0xe0186: 84,
++    0xe0187: 84,
++    0xe0188: 84,
++    0xe0189: 84,
++    0xe018a: 84,
++    0xe018b: 84,
++    0xe018c: 84,
++    0xe018d: 84,
++    0xe018e: 84,
++    0xe018f: 84,
++    0xe0190: 84,
++    0xe0191: 84,
++    0xe0192: 84,
++    0xe0193: 84,
++    0xe0194: 84,
++    0xe0195: 84,
++    0xe0196: 84,
++    0xe0197: 84,
++    0xe0198: 84,
++    0xe0199: 84,
++    0xe019a: 84,
++    0xe019b: 84,
++    0xe019c: 84,
++    0xe019d: 84,
++    0xe019e: 84,
++    0xe019f: 84,
++    0xe01a0: 84,
++    0xe01a1: 84,
++    0xe01a2: 84,
++    0xe01a3: 84,
++    0xe01a4: 84,
++    0xe01a5: 84,
++    0xe01a6: 84,
++    0xe01a7: 84,
++    0xe01a8: 84,
++    0xe01a9: 84,
++    0xe01aa: 84,
++    0xe01ab: 84,
++    0xe01ac: 84,
++    0xe01ad: 84,
++    0xe01ae: 84,
++    0xe01af: 84,
++    0xe01b0: 84,
++    0xe01b1: 84,
++    0xe01b2: 84,
++    0xe01b3: 84,
++    0xe01b4: 84,
++    0xe01b5: 84,
++    0xe01b6: 84,
++    0xe01b7: 84,
++    0xe01b8: 84,
++    0xe01b9: 84,
++    0xe01ba: 84,
++    0xe01bb: 84,
++    0xe01bc: 84,
++    0xe01bd: 84,
++    0xe01be: 84,
++    0xe01bf: 84,
++    0xe01c0: 84,
++    0xe01c1: 84,
++    0xe01c2: 84,
++    0xe01c3: 84,
++    0xe01c4: 84,
++    0xe01c5: 84,
++    0xe01c6: 84,
++    0xe01c7: 84,
++    0xe01c8: 84,
++    0xe01c9: 84,
++    0xe01ca: 84,
++    0xe01cb: 84,
++    0xe01cc: 84,
++    0xe01cd: 84,
++    0xe01ce: 84,
++    0xe01cf: 84,
++    0xe01d0: 84,
++    0xe01d1: 84,
++    0xe01d2: 84,
++    0xe01d3: 84,
++    0xe01d4: 84,
++    0xe01d5: 84,
++    0xe01d6: 84,
++    0xe01d7: 84,
++    0xe01d8: 84,
++    0xe01d9: 84,
++    0xe01da: 84,
++    0xe01db: 84,
++    0xe01dc: 84,
++    0xe01dd: 84,
++    0xe01de: 84,
++    0xe01df: 84,
++    0xe01e0: 84,
++    0xe01e1: 84,
++    0xe01e2: 84,
++    0xe01e3: 84,
++    0xe01e4: 84,
++    0xe01e5: 84,
++    0xe01e6: 84,
++    0xe01e7: 84,
++    0xe01e8: 84,
++    0xe01e9: 84,
++    0xe01ea: 84,
++    0xe01eb: 84,
++    0xe01ec: 84,
++    0xe01ed: 84,
++    0xe01ee: 84,
++    0xe01ef: 84,
+ }
+ codepoint_classes = {
+     'PVALID': (
+@@ -1834,7 +3931,6 @@
+         0xa7d50000a7d6,
+         0xa7d70000a7d8,
+         0xa7d90000a7da,
+-        0xa7f20000a7f5,
+         0xa7f60000a7f8,
+         0xa7fa0000a828,
+         0xa82c0000a82d,
+@@ -1907,9 +4003,7 @@
+         0x1060000010737,
+         0x1074000010756,
+         0x1076000010768,
+-        0x1078000010786,
+-        0x10787000107b1,
+-        0x107b2000107bb,
++        0x1078000010781,
+         0x1080000010806,
+         0x1080800010809,
+         0x1080a00010836,
+@@ -2112,7 +4206,6 @@
+         0x1e01b0001e022,
+         0x1e0230001e025,
+         0x1e0260001e02b,
+-        0x1e0300001e06e,
+         0x1e08f0001e090,
+         0x1e1000001e12d,
+         0x1e1300001e13e,
+@@ -2134,6 +4227,7 @@
+         0x2b7400002b81e,
+         0x2b8200002cea2,
+         0x2ceb00002ebe1,
++        0x2ebf00002ee5e,
+         0x300000003134b,
+         0x31350000323b0,
+     ),
+diff --color -ruN a/package_data.py b/package_data.py
+--- a/package_data.py	2021-01-01 08:00:00.000000000 +0000
++++ b/package_data.py	2024-09-26 14:49:49.043936672 +0000
+@@ -1,2 +1,2 @@
+-__version__ = '3.4'
++__version__ = '3.7'
+ 
+diff --color -ruN a/uts46data.py b/uts46data.py
+--- a/uts46data.py	2021-01-01 08:00:00.000000000 +0000
++++ b/uts46data.py	2024-09-26 14:49:49.043936672 +0000
+@@ -7,7 +7,7 @@
+ """IDNA Mapping Table from UTS46."""
+ 
+ 
+-__version__ = '15.0.0'
++__version__ = '15.1.0'
+ def _seg_0() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     return [
+     (0x0, '3'),
+@@ -1899,7 +1899,7 @@
+     (0x1E9A, 'M', 'aʾ'),
+     (0x1E9B, 'M', 'ṡ'),
+     (0x1E9C, 'V'),
+-    (0x1E9E, 'M', 'ss'),
++    (0x1E9E, 'M', 'ß'),
+     (0x1E9F, 'V'),
+     (0x1EA0, 'M', 'ạ'),
+     (0x1EA1, 'V'),
+@@ -2418,10 +2418,6 @@
+     (0x222F, 'M', '∮∮'),
+     (0x2230, 'M', '∮∮∮'),
+     (0x2231, 'V'),
+-    (0x2260, '3'),
+-    (0x2261, 'V'),
+-    (0x226E, '3'),
+-    (0x2270, 'V'),
+     (0x2329, 'M', '〈'),
+     (0x232A, 'M', '〉'),
+     (0x232B, 'V'),
+@@ -2502,14 +2498,14 @@
+     (0x24BA, 'M', 'e'),
+     (0x24BB, 'M', 'f'),
+     (0x24BC, 'M', 'g'),
+-    ]
+-
+-def _seg_24() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x24BD, 'M', 'h'),
+     (0x24BE, 'M', 'i'),
+     (0x24BF, 'M', 'j'),
+     (0x24C0, 'M', 'k'),
++    ]
++
++def _seg_24() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x24C1, 'M', 'l'),
+     (0x24C2, 'M', 'm'),
+     (0x24C3, 'M', 'n'),
+@@ -2606,14 +2602,14 @@
+     (0x2C26, 'M', 'ⱖ'),
+     (0x2C27, 'M', 'ⱗ'),
+     (0x2C28, 'M', 'ⱘ'),
+-    ]
+-
+-def _seg_25() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x2C29, 'M', 'ⱙ'),
+     (0x2C2A, 'M', 'ⱚ'),
+     (0x2C2B, 'M', 'ⱛ'),
+     (0x2C2C, 'M', 'ⱜ'),
++    ]
++
++def _seg_25() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x2C2D, 'M', 'ⱝ'),
+     (0x2C2E, 'M', 'ⱞ'),
+     (0x2C2F, 'M', 'ⱟ'),
+@@ -2710,14 +2706,14 @@
+     (0x2CC0, 'M', 'ⳁ'),
+     (0x2CC1, 'V'),
+     (0x2CC2, 'M', 'ⳃ'),
+-    ]
+-
+-def _seg_26() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x2CC3, 'V'),
+     (0x2CC4, 'M', 'ⳅ'),
+     (0x2CC5, 'V'),
+     (0x2CC6, 'M', 'ⳇ'),
++    ]
++
++def _seg_26() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x2CC7, 'V'),
+     (0x2CC8, 'M', 'ⳉ'),
+     (0x2CC9, 'V'),
+@@ -2814,14 +2810,14 @@
+     (0x2F13, 'M', '勹'),
+     (0x2F14, 'M', '匕'),
+     (0x2F15, 'M', '匚'),
+-    ]
+-
+-def _seg_27() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x2F16, 'M', '匸'),
+     (0x2F17, 'M', '十'),
+     (0x2F18, 'M', '卜'),
+     (0x2F19, 'M', '卩'),
++    ]
++
++def _seg_27() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x2F1A, 'M', '厂'),
+     (0x2F1B, 'M', '厶'),
+     (0x2F1C, 'M', '又'),
+@@ -2918,14 +2914,14 @@
+     (0x2F77, 'M', '糸'),
+     (0x2F78, 'M', '缶'),
+     (0x2F79, 'M', '网'),
+-    ]
+-
+-def _seg_28() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x2F7A, 'M', '羊'),
+     (0x2F7B, 'M', '羽'),
+     (0x2F7C, 'M', '老'),
+     (0x2F7D, 'M', '而'),
++    ]
++
++def _seg_28() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x2F7E, 'M', '耒'),
+     (0x2F7F, 'M', '耳'),
+     (0x2F80, 'M', '聿'),
+@@ -3022,14 +3018,14 @@
+     (0x3036, 'M', '〒'),
+     (0x3037, 'V'),
+     (0x3038, 'M', '十'),
+-    ]
+-
+-def _seg_29() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x3039, 'M', '卄'),
+     (0x303A, 'M', '卅'),
+     (0x303B, 'V'),
+     (0x3040, 'X'),
++    ]
++
++def _seg_29() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x3041, 'V'),
+     (0x3097, 'X'),
+     (0x3099, 'V'),
+@@ -3126,14 +3122,14 @@
+     (0x3182, 'M', 'ᇱ'),
+     (0x3183, 'M', 'ᇲ'),
+     (0x3184, 'M', 'ᅗ'),
+-    ]
+-
+-def _seg_30() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x3185, 'M', 'ᅘ'),
+     (0x3186, 'M', 'ᅙ'),
+     (0x3187, 'M', 'ᆄ'),
+     (0x3188, 'M', 'ᆅ'),
++    ]
++
++def _seg_30() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x3189, 'M', 'ᆈ'),
+     (0x318A, 'M', 'ᆑ'),
+     (0x318B, 'M', 'ᆒ'),
+@@ -3230,14 +3226,14 @@
+     (0x3244, 'M', '問'),
+     (0x3245, 'M', '幼'),
+     (0x3246, 'M', '文'),
+-    ]
+-
+-def _seg_31() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x3247, 'M', '箏'),
+     (0x3248, 'V'),
+     (0x3250, 'M', 'pte'),
+     (0x3251, 'M', '21'),
++    ]
++
++def _seg_31() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x3252, 'M', '22'),
+     (0x3253, 'M', '23'),
+     (0x3254, 'M', '24'),
+@@ -3334,14 +3330,14 @@
+     (0x32AF, 'M', '協'),
+     (0x32B0, 'M', '夜'),
+     (0x32B1, 'M', '36'),
+-    ]
+-
+-def _seg_32() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x32B2, 'M', '37'),
+     (0x32B3, 'M', '38'),
+     (0x32B4, 'M', '39'),
+     (0x32B5, 'M', '40'),
++    ]
++
++def _seg_32() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x32B6, 'M', '41'),
+     (0x32B7, 'M', '42'),
+     (0x32B8, 'M', '43'),
+@@ -3438,14 +3434,14 @@
+     (0x3313, 'M', 'ギルダー'),
+     (0x3314, 'M', 'キロ'),
+     (0x3315, 'M', 'キログラム'),
+-    ]
+-
+-def _seg_33() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x3316, 'M', 'キロメートル'),
+     (0x3317, 'M', 'キロワット'),
+     (0x3318, 'M', 'グラム'),
+     (0x3319, 'M', 'グラムトン'),
++    ]
++
++def _seg_33() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x331A, 'M', 'クルゼイロ'),
+     (0x331B, 'M', 'クローネ'),
+     (0x331C, 'M', 'ケース'),
+@@ -3542,14 +3538,14 @@
+     (0x3377, 'M', 'dm'),
+     (0x3378, 'M', 'dm2'),
+     (0x3379, 'M', 'dm3'),
+-    ]
+-
+-def _seg_34() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x337A, 'M', 'iu'),
+     (0x337B, 'M', '平成'),
+     (0x337C, 'M', '昭和'),
+     (0x337D, 'M', '大正'),
++    ]
++
++def _seg_34() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x337E, 'M', '明治'),
+     (0x337F, 'M', '株式会社'),
+     (0x3380, 'M', 'pa'),
+@@ -3646,14 +3642,14 @@
+     (0x33DB, 'M', 'sr'),
+     (0x33DC, 'M', 'sv'),
+     (0x33DD, 'M', 'wb'),
+-    ]
+-
+-def _seg_35() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x33DE, 'M', 'v∕m'),
+     (0x33DF, 'M', 'a∕m'),
+     (0x33E0, 'M', '1日'),
+     (0x33E1, 'M', '2日'),
++    ]
++
++def _seg_35() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x33E2, 'M', '3日'),
+     (0x33E3, 'M', '4日'),
+     (0x33E4, 'M', '5日'),
+@@ -3750,14 +3746,14 @@
+     (0xA68B, 'V'),
+     (0xA68C, 'M', 'ꚍ'),
+     (0xA68D, 'V'),
+-    ]
+-
+-def _seg_36() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xA68E, 'M', 'ꚏ'),
+     (0xA68F, 'V'),
+     (0xA690, 'M', 'ꚑ'),
+     (0xA691, 'V'),
++    ]
++
++def _seg_36() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xA692, 'M', 'ꚓ'),
+     (0xA693, 'V'),
+     (0xA694, 'M', 'ꚕ'),
+@@ -3854,14 +3850,14 @@
+     (0xA779, 'M', 'ꝺ'),
+     (0xA77A, 'V'),
+     (0xA77B, 'M', 'ꝼ'),
+-    ]
+-
+-def _seg_37() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xA77C, 'V'),
+     (0xA77D, 'M', 'ᵹ'),
+     (0xA77E, 'M', 'ꝿ'),
+     (0xA77F, 'V'),
++    ]
++
++def _seg_37() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xA780, 'M', 'ꞁ'),
+     (0xA781, 'V'),
+     (0xA782, 'M', 'ꞃ'),
+@@ -3958,14 +3954,14 @@
+     (0xA878, 'X'),
+     (0xA880, 'V'),
+     (0xA8C6, 'X'),
+-    ]
+-
+-def _seg_38() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xA8CE, 'V'),
+     (0xA8DA, 'X'),
+     (0xA8E0, 'V'),
+     (0xA954, 'X'),
++    ]
++
++def _seg_38() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xA95F, 'V'),
+     (0xA97D, 'X'),
+     (0xA980, 'V'),
+@@ -4062,14 +4058,14 @@
+     (0xABA8, 'M', 'Ꮨ'),
+     (0xABA9, 'M', 'Ꮩ'),
+     (0xABAA, 'M', 'Ꮪ'),
+-    ]
+-
+-def _seg_39() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xABAB, 'M', 'Ꮫ'),
+     (0xABAC, 'M', 'Ꮬ'),
+     (0xABAD, 'M', 'Ꮭ'),
+     (0xABAE, 'M', 'Ꮮ'),
++    ]
++
++def _seg_39() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xABAF, 'M', 'Ꮯ'),
+     (0xABB0, 'M', 'Ꮰ'),
+     (0xABB1, 'M', 'Ꮱ'),
+@@ -4166,14 +4162,14 @@
+     (0xF943, 'M', '弄'),
+     (0xF944, 'M', '籠'),
+     (0xF945, 'M', '聾'),
+-    ]
+-
+-def _seg_40() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xF946, 'M', '牢'),
+     (0xF947, 'M', '磊'),
+     (0xF948, 'M', '賂'),
+     (0xF949, 'M', '雷'),
++    ]
++
++def _seg_40() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xF94A, 'M', '壘'),
+     (0xF94B, 'M', '屢'),
+     (0xF94C, 'M', '樓'),
+@@ -4270,14 +4266,14 @@
+     (0xF9A7, 'M', '獵'),
+     (0xF9A8, 'M', '令'),
+     (0xF9A9, 'M', '囹'),
+-    ]
+-
+-def _seg_41() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xF9AA, 'M', '寧'),
+     (0xF9AB, 'M', '嶺'),
+     (0xF9AC, 'M', '怜'),
+     (0xF9AD, 'M', '玲'),
++    ]
++
++def _seg_41() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xF9AE, 'M', '瑩'),
+     (0xF9AF, 'M', '羚'),
+     (0xF9B0, 'M', '聆'),
+@@ -4374,14 +4370,14 @@
+     (0xFA0B, 'M', '廓'),
+     (0xFA0C, 'M', '兀'),
+     (0xFA0D, 'M', '嗀'),
+-    ]
+-
+-def _seg_42() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFA0E, 'V'),
+     (0xFA10, 'M', '塚'),
+     (0xFA11, 'V'),
+     (0xFA12, 'M', '晴'),
++    ]
++
++def _seg_42() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFA13, 'V'),
+     (0xFA15, 'M', '凞'),
+     (0xFA16, 'M', '猪'),
+@@ -4478,14 +4474,14 @@
+     (0xFA76, 'M', '勇'),
+     (0xFA77, 'M', '勺'),
+     (0xFA78, 'M', '喝'),
+-    ]
+-
+-def _seg_43() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFA79, 'M', '啕'),
+     (0xFA7A, 'M', '喙'),
+     (0xFA7B, 'M', '嗢'),
+     (0xFA7C, 'M', '塚'),
++    ]
++
++def _seg_43() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFA7D, 'M', '墳'),
+     (0xFA7E, 'M', '奄'),
+     (0xFA7F, 'M', '奔'),
+@@ -4582,14 +4578,14 @@
+     (0xFADA, 'X'),
+     (0xFB00, 'M', 'ff'),
+     (0xFB01, 'M', 'fi'),
+-    ]
+-
+-def _seg_44() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFB02, 'M', 'fl'),
+     (0xFB03, 'M', 'ffi'),
+     (0xFB04, 'M', 'ffl'),
+     (0xFB05, 'M', 'st'),
++    ]
++
++def _seg_44() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFB07, 'X'),
+     (0xFB13, 'M', 'մն'),
+     (0xFB14, 'M', 'մե'),
+@@ -4686,14 +4682,14 @@
+     (0xFBDB, 'M', 'ۈ'),
+     (0xFBDD, 'M', 'ۇٴ'),
+     (0xFBDE, 'M', 'ۋ'),
+-    ]
+-
+-def _seg_45() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFBE0, 'M', 'ۅ'),
+     (0xFBE2, 'M', 'ۉ'),
+     (0xFBE4, 'M', 'ې'),
+     (0xFBE8, 'M', 'ى'),
++    ]
++
++def _seg_45() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFBEA, 'M', 'ئا'),
+     (0xFBEC, 'M', 'ئە'),
+     (0xFBEE, 'M', 'ئو'),
+@@ -4790,14 +4786,14 @@
+     (0xFC54, 'M', 'هي'),
+     (0xFC55, 'M', 'يج'),
+     (0xFC56, 'M', 'يح'),
+-    ]
+-
+-def _seg_46() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFC57, 'M', 'يخ'),
+     (0xFC58, 'M', 'يم'),
+     (0xFC59, 'M', 'يى'),
+     (0xFC5A, 'M', 'يي'),
++    ]
++
++def _seg_46() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFC5B, 'M', 'ذٰ'),
+     (0xFC5C, 'M', 'رٰ'),
+     (0xFC5D, 'M', 'ىٰ'),
+@@ -4894,14 +4890,14 @@
+     (0xFCB8, 'M', 'طح'),
+     (0xFCB9, 'M', 'ظم'),
+     (0xFCBA, 'M', 'عج'),
+-    ]
+-
+-def _seg_47() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFCBB, 'M', 'عم'),
+     (0xFCBC, 'M', 'غج'),
+     (0xFCBD, 'M', 'غم'),
+     (0xFCBE, 'M', 'فج'),
++    ]
++
++def _seg_47() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFCBF, 'M', 'فح'),
+     (0xFCC0, 'M', 'فخ'),
+     (0xFCC1, 'M', 'فم'),
+@@ -4998,14 +4994,14 @@
+     (0xFD1C, 'M', 'حي'),
+     (0xFD1D, 'M', 'جى'),
+     (0xFD1E, 'M', 'جي'),
+-    ]
+-
+-def _seg_48() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFD1F, 'M', 'خى'),
+     (0xFD20, 'M', 'خي'),
+     (0xFD21, 'M', 'صى'),
+     (0xFD22, 'M', 'صي'),
++    ]
++
++def _seg_48() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFD23, 'M', 'ضى'),
+     (0xFD24, 'M', 'ضي'),
+     (0xFD25, 'M', 'شج'),
+@@ -5102,14 +5098,14 @@
+     (0xFDA4, 'M', 'تمى'),
+     (0xFDA5, 'M', 'جمي'),
+     (0xFDA6, 'M', 'جحى'),
+-    ]
+-
+-def _seg_49() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFDA7, 'M', 'جمى'),
+     (0xFDA8, 'M', 'سخى'),
+     (0xFDA9, 'M', 'صحي'),
+     (0xFDAA, 'M', 'شحي'),
++    ]
++
++def _seg_49() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFDAB, 'M', 'ضحي'),
+     (0xFDAC, 'M', 'لجي'),
+     (0xFDAD, 'M', 'لمي'),
+@@ -5206,14 +5202,14 @@
+     (0xFE5B, '3', '{'),
+     (0xFE5C, '3', '}'),
+     (0xFE5D, 'M', '〔'),
+-    ]
+-
+-def _seg_50() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFE5E, 'M', '〕'),
+     (0xFE5F, '3', '#'),
+     (0xFE60, '3', '&'),
+     (0xFE61, '3', '*'),
++    ]
++
++def _seg_50() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFE62, '3', '+'),
+     (0xFE63, 'M', '-'),
+     (0xFE64, '3', '<'),
+@@ -5310,14 +5306,14 @@
+     (0xFF18, 'M', '8'),
+     (0xFF19, 'M', '9'),
+     (0xFF1A, '3', ':'),
+-    ]
+-
+-def _seg_51() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFF1B, '3', ';'),
+     (0xFF1C, '3', '<'),
+     (0xFF1D, '3', '='),
+     (0xFF1E, '3', '>'),
++    ]
++
++def _seg_51() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFF1F, '3', '?'),
+     (0xFF20, '3', '@'),
+     (0xFF21, 'M', 'a'),
+@@ -5414,14 +5410,14 @@
+     (0xFF7C, 'M', 'シ'),
+     (0xFF7D, 'M', 'ス'),
+     (0xFF7E, 'M', 'セ'),
+-    ]
+-
+-def _seg_52() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFF7F, 'M', 'ソ'),
+     (0xFF80, 'M', 'タ'),
+     (0xFF81, 'M', 'チ'),
+     (0xFF82, 'M', 'ツ'),
++    ]
++
++def _seg_52() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFF83, 'M', 'テ'),
+     (0xFF84, 'M', 'ト'),
+     (0xFF85, 'M', 'ナ'),
+@@ -5518,14 +5514,14 @@
+     (0xFFE7, 'X'),
+     (0xFFE8, 'M', '│'),
+     (0xFFE9, 'M', '←'),
+-    ]
+-
+-def _seg_53() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0xFFEA, 'M', '↑'),
+     (0xFFEB, 'M', '→'),
+     (0xFFEC, 'M', '↓'),
+     (0xFFED, 'M', '■'),
++    ]
++
++def _seg_53() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0xFFEE, 'M', '○'),
+     (0xFFEF, 'X'),
+     (0x10000, 'V'),
+@@ -5622,14 +5618,14 @@
+     (0x104B3, 'M', '𐓛'),
+     (0x104B4, 'M', '𐓜'),
+     (0x104B5, 'M', '𐓝'),
+-    ]
+-
+-def _seg_54() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x104B6, 'M', '𐓞'),
+     (0x104B7, 'M', '𐓟'),
+     (0x104B8, 'M', '𐓠'),
+     (0x104B9, 'M', '𐓡'),
++    ]
++
++def _seg_54() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x104BA, 'M', '𐓢'),
+     (0x104BB, 'M', '𐓣'),
+     (0x104BC, 'M', '𐓤'),
+@@ -5726,14 +5722,14 @@
+     (0x10786, 'X'),
+     (0x10787, 'M', 'ʣ'),
+     (0x10788, 'M', 'ꭦ'),
+-    ]
+-
+-def _seg_55() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x10789, 'M', 'ʥ'),
+     (0x1078A, 'M', 'ʤ'),
+     (0x1078B, 'M', 'ɖ'),
+     (0x1078C, 'M', 'ɗ'),
++    ]
++
++def _seg_55() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1078D, 'M', 'ᶑ'),
+     (0x1078E, 'M', 'ɘ'),
+     (0x1078F, 'M', 'ɞ'),
+@@ -5830,14 +5826,14 @@
+     (0x10A60, 'V'),
+     (0x10AA0, 'X'),
+     (0x10AC0, 'V'),
+-    ]
+-
+-def _seg_56() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x10AE7, 'X'),
+     (0x10AEB, 'V'),
+     (0x10AF7, 'X'),
+     (0x10B00, 'V'),
++    ]
++
++def _seg_56() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x10B36, 'X'),
+     (0x10B39, 'V'),
+     (0x10B56, 'X'),
+@@ -5934,14 +5930,14 @@
+     (0x1107F, 'V'),
+     (0x110BD, 'X'),
+     (0x110BE, 'V'),
+-    ]
+-
+-def _seg_57() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x110C3, 'X'),
+     (0x110D0, 'V'),
+     (0x110E9, 'X'),
+     (0x110F0, 'V'),
++    ]
++
++def _seg_57() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x110FA, 'X'),
+     (0x11100, 'V'),
+     (0x11135, 'X'),
+@@ -6038,14 +6034,14 @@
+     (0x118A4, 'M', '𑣄'),
+     (0x118A5, 'M', '𑣅'),
+     (0x118A6, 'M', '𑣆'),
+-    ]
+-
+-def _seg_58() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x118A7, 'M', '𑣇'),
+     (0x118A8, 'M', '𑣈'),
+     (0x118A9, 'M', '𑣉'),
+     (0x118AA, 'M', '𑣊'),
++    ]
++
++def _seg_58() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x118AB, 'M', '𑣋'),
+     (0x118AC, 'M', '𑣌'),
+     (0x118AD, 'M', '𑣍'),
+@@ -6142,14 +6138,14 @@
+     (0x11EE0, 'V'),
+     (0x11EF9, 'X'),
+     (0x11F00, 'V'),
+-    ]
+-
+-def _seg_59() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x11F11, 'X'),
+     (0x11F12, 'V'),
+     (0x11F3B, 'X'),
+     (0x11F3E, 'V'),
++    ]
++
++def _seg_59() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x11F5A, 'X'),
+     (0x11FB0, 'V'),
+     (0x11FB1, 'X'),
+@@ -6246,14 +6242,14 @@
+     (0x18D00, 'V'),
+     (0x18D09, 'X'),
+     (0x1AFF0, 'V'),
+-    ]
+-
+-def _seg_60() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1AFF4, 'X'),
+     (0x1AFF5, 'V'),
+     (0x1AFFC, 'X'),
+     (0x1AFFD, 'V'),
++    ]
++
++def _seg_60() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1AFFF, 'X'),
+     (0x1B000, 'V'),
+     (0x1B123, 'X'),
+@@ -6350,14 +6346,14 @@
+     (0x1D41E, 'M', 'e'),
+     (0x1D41F, 'M', 'f'),
+     (0x1D420, 'M', 'g'),
+-    ]
+-
+-def _seg_61() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D421, 'M', 'h'),
+     (0x1D422, 'M', 'i'),
+     (0x1D423, 'M', 'j'),
+     (0x1D424, 'M', 'k'),
++    ]
++
++def _seg_61() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D425, 'M', 'l'),
+     (0x1D426, 'M', 'm'),
+     (0x1D427, 'M', 'n'),
+@@ -6454,14 +6450,14 @@
+     (0x1D482, 'M', 'a'),
+     (0x1D483, 'M', 'b'),
+     (0x1D484, 'M', 'c'),
+-    ]
+-
+-def _seg_62() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D485, 'M', 'd'),
+     (0x1D486, 'M', 'e'),
+     (0x1D487, 'M', 'f'),
+     (0x1D488, 'M', 'g'),
++    ]
++
++def _seg_62() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D489, 'M', 'h'),
+     (0x1D48A, 'M', 'i'),
+     (0x1D48B, 'M', 'j'),
+@@ -6558,14 +6554,14 @@
+     (0x1D4E9, 'M', 'z'),
+     (0x1D4EA, 'M', 'a'),
+     (0x1D4EB, 'M', 'b'),
+-    ]
+-
+-def _seg_63() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D4EC, 'M', 'c'),
+     (0x1D4ED, 'M', 'd'),
+     (0x1D4EE, 'M', 'e'),
+     (0x1D4EF, 'M', 'f'),
++    ]
++
++def _seg_63() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D4F0, 'M', 'g'),
+     (0x1D4F1, 'M', 'h'),
+     (0x1D4F2, 'M', 'i'),
+@@ -6662,14 +6658,14 @@
+     (0x1D550, 'M', 'y'),
+     (0x1D551, 'X'),
+     (0x1D552, 'M', 'a'),
+-    ]
+-
+-def _seg_64() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D553, 'M', 'b'),
+     (0x1D554, 'M', 'c'),
+     (0x1D555, 'M', 'd'),
+     (0x1D556, 'M', 'e'),
++    ]
++
++def _seg_64() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D557, 'M', 'f'),
+     (0x1D558, 'M', 'g'),
+     (0x1D559, 'M', 'h'),
+@@ -6766,14 +6762,14 @@
+     (0x1D5B4, 'M', 'u'),
+     (0x1D5B5, 'M', 'v'),
+     (0x1D5B6, 'M', 'w'),
+-    ]
+-
+-def _seg_65() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D5B7, 'M', 'x'),
+     (0x1D5B8, 'M', 'y'),
+     (0x1D5B9, 'M', 'z'),
+     (0x1D5BA, 'M', 'a'),
++    ]
++
++def _seg_65() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D5BB, 'M', 'b'),
+     (0x1D5BC, 'M', 'c'),
+     (0x1D5BD, 'M', 'd'),
+@@ -6870,14 +6866,14 @@
+     (0x1D618, 'M', 'q'),
+     (0x1D619, 'M', 'r'),
+     (0x1D61A, 'M', 's'),
+-    ]
+-
+-def _seg_66() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D61B, 'M', 't'),
+     (0x1D61C, 'M', 'u'),
+     (0x1D61D, 'M', 'v'),
+     (0x1D61E, 'M', 'w'),
++    ]
++
++def _seg_66() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D61F, 'M', 'x'),
+     (0x1D620, 'M', 'y'),
+     (0x1D621, 'M', 'z'),
+@@ -6974,14 +6970,14 @@
+     (0x1D67C, 'M', 'm'),
+     (0x1D67D, 'M', 'n'),
+     (0x1D67E, 'M', 'o'),
+-    ]
+-
+-def _seg_67() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D67F, 'M', 'p'),
+     (0x1D680, 'M', 'q'),
+     (0x1D681, 'M', 'r'),
+     (0x1D682, 'M', 's'),
++    ]
++
++def _seg_67() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D683, 'M', 't'),
+     (0x1D684, 'M', 'u'),
+     (0x1D685, 'M', 'v'),
+@@ -7078,14 +7074,14 @@
+     (0x1D6E2, 'M', 'α'),
+     (0x1D6E3, 'M', 'β'),
+     (0x1D6E4, 'M', 'γ'),
+-    ]
+-
+-def _seg_68() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D6E5, 'M', 'δ'),
+     (0x1D6E6, 'M', 'ε'),
+     (0x1D6E7, 'M', 'ζ'),
+     (0x1D6E8, 'M', 'η'),
++    ]
++
++def _seg_68() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D6E9, 'M', 'θ'),
+     (0x1D6EA, 'M', 'ι'),
+     (0x1D6EB, 'M', 'κ'),
+@@ -7182,14 +7178,14 @@
+     (0x1D747, 'M', 'σ'),
+     (0x1D749, 'M', 'τ'),
+     (0x1D74A, 'M', 'υ'),
+-    ]
+-
+-def _seg_69() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D74B, 'M', 'φ'),
+     (0x1D74C, 'M', 'χ'),
+     (0x1D74D, 'M', 'ψ'),
+     (0x1D74E, 'M', 'ω'),
++    ]
++
++def _seg_69() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D74F, 'M', '∂'),
+     (0x1D750, 'M', 'ε'),
+     (0x1D751, 'M', 'θ'),
+@@ -7286,14 +7282,14 @@
+     (0x1D7AD, 'M', 'δ'),
+     (0x1D7AE, 'M', 'ε'),
+     (0x1D7AF, 'M', 'ζ'),
+-    ]
+-
+-def _seg_70() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1D7B0, 'M', 'η'),
+     (0x1D7B1, 'M', 'θ'),
+     (0x1D7B2, 'M', 'ι'),
+     (0x1D7B3, 'M', 'κ'),
++    ]
++
++def _seg_70() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1D7B4, 'M', 'λ'),
+     (0x1D7B5, 'M', 'μ'),
+     (0x1D7B6, 'M', 'ν'),
+@@ -7390,14 +7386,14 @@
+     (0x1E030, 'M', 'а'),
+     (0x1E031, 'M', 'б'),
+     (0x1E032, 'M', 'в'),
+-    ]
+-
+-def _seg_71() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1E033, 'M', 'г'),
+     (0x1E034, 'M', 'д'),
+     (0x1E035, 'M', 'е'),
+     (0x1E036, 'M', 'ж'),
++    ]
++
++def _seg_71() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1E037, 'M', 'з'),
+     (0x1E038, 'M', 'и'),
+     (0x1E039, 'M', 'к'),
+@@ -7494,14 +7490,14 @@
+     (0x1E907, 'M', '𞤩'),
+     (0x1E908, 'M', '𞤪'),
+     (0x1E909, 'M', '𞤫'),
+-    ]
+-
+-def _seg_72() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1E90A, 'M', '𞤬'),
+     (0x1E90B, 'M', '𞤭'),
+     (0x1E90C, 'M', '𞤮'),
+     (0x1E90D, 'M', '𞤯'),
++    ]
++
++def _seg_72() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1E90E, 'M', '𞤰'),
+     (0x1E90F, 'M', '𞤱'),
+     (0x1E910, 'M', '𞤲'),
+@@ -7598,14 +7594,14 @@
+     (0x1EE48, 'X'),
+     (0x1EE49, 'M', 'ي'),
+     (0x1EE4A, 'X'),
+-    ]
+-
+-def _seg_73() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1EE4B, 'M', 'ل'),
+     (0x1EE4C, 'X'),
+     (0x1EE4D, 'M', 'ن'),
+     (0x1EE4E, 'M', 'س'),
++    ]
++
++def _seg_73() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1EE4F, 'M', 'ع'),
+     (0x1EE50, 'X'),
+     (0x1EE51, 'M', 'ص'),
+@@ -7702,14 +7698,14 @@
+     (0x1EEB2, 'M', 'ق'),
+     (0x1EEB3, 'M', 'ر'),
+     (0x1EEB4, 'M', 'ش'),
+-    ]
+-
+-def _seg_74() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1EEB5, 'M', 'ت'),
+     (0x1EEB6, 'M', 'ث'),
+     (0x1EEB7, 'M', 'خ'),
+     (0x1EEB8, 'M', 'ذ'),
++    ]
++
++def _seg_74() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1EEB9, 'M', 'ض'),
+     (0x1EEBA, 'M', 'ظ'),
+     (0x1EEBB, 'M', 'غ'),
+@@ -7806,14 +7802,14 @@
+     (0x1F150, 'V'),
+     (0x1F16A, 'M', 'mc'),
+     (0x1F16B, 'M', 'md'),
+-    ]
+-
+-def _seg_75() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1F16C, 'M', 'mr'),
+     (0x1F16D, 'V'),
+     (0x1F190, 'M', 'dj'),
+     (0x1F191, 'V'),
++    ]
++
++def _seg_75() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1F1AE, 'X'),
+     (0x1F1E6, 'V'),
+     (0x1F200, 'M', 'ほか'),
+@@ -7910,14 +7906,14 @@
+     (0x1FA54, 'X'),
+     (0x1FA60, 'V'),
+     (0x1FA6E, 'X'),
+-    ]
+-
+-def _seg_76() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+-    return [
+     (0x1FA70, 'V'),
+     (0x1FA7D, 'X'),
+     (0x1FA80, 'V'),
+     (0x1FA89, 'X'),
++    ]
++
++def _seg_76() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
++    return [
+     (0x1FA90, 'V'),
+     (0x1FABE, 'X'),
+     (0x1FABF, 'V'),
+@@ -7953,6 +7949,8 @@
+     (0x2CEA2, 'X'),
+     (0x2CEB0, 'V'),
+     (0x2EBE1, 'X'),
++    (0x2EBF0, 'V'),
++    (0x2EE5E, 'X'),
+     (0x2F800, 'M', '丽'),
+     (0x2F801, 'M', '丸'),
+     (0x2F802, 'M', '乁'),
+@@ -8014,12 +8012,12 @@
+     (0x2F83C, 'M', '咞'),
+     (0x2F83D, 'M', '吸'),
+     (0x2F83E, 'M', '呈'),
++    (0x2F83F, 'M', '周'),
++    (0x2F840, 'M', '咢'),
+     ]
+ 
+ def _seg_77() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     return [
+-    (0x2F83F, 'M', '周'),
+-    (0x2F840, 'M', '咢'),
+     (0x2F841, 'M', '哶'),
+     (0x2F842, 'M', '唐'),
+     (0x2F843, 'M', '啓'),
+@@ -8118,12 +8116,12 @@
+     (0x2F8A4, 'M', '𢛔'),
+     (0x2F8A5, 'M', '惇'),
+     (0x2F8A6, 'M', '慈'),
++    (0x2F8A7, 'M', '慌'),
++    (0x2F8A8, 'M', '慎'),
+     ]
+ 
+ def _seg_78() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     return [
+-    (0x2F8A7, 'M', '慌'),
+-    (0x2F8A8, 'M', '慎'),
+     (0x2F8A9, 'M', '慌'),
+     (0x2F8AA, 'M', '慺'),
+     (0x2F8AB, 'M', '憎'),
+@@ -8222,12 +8220,12 @@
+     (0x2F908, 'M', '港'),
+     (0x2F909, 'M', '湮'),
+     (0x2F90A, 'M', '㴳'),
++    (0x2F90B, 'M', '滋'),
++    (0x2F90C, 'M', '滇'),
+     ]
+ 
+ def _seg_79() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     return [
+-    (0x2F90B, 'M', '滋'),
+-    (0x2F90C, 'M', '滇'),
+     (0x2F90D, 'M', '𣻑'),
+     (0x2F90E, 'M', '淹'),
+     (0x2F90F, 'M', '潮'),
+@@ -8326,12 +8324,12 @@
+     (0x2F96F, 'M', '縂'),
+     (0x2F970, 'M', '繅'),
+     (0x2F971, 'M', '䌴'),
++    (0x2F972, 'M', '𦈨'),
++    (0x2F973, 'M', '𦉇'),
+     ]
+ 
+ def _seg_80() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     return [
+-    (0x2F972, 'M', '𦈨'),
+-    (0x2F973, 'M', '𦉇'),
+     (0x2F974, 'M', '䍙'),
+     (0x2F975, 'M', '𦋙'),
+     (0x2F976, 'M', '罺'),
+@@ -8430,12 +8428,12 @@
+     (0x2F9D3, 'M', '𧲨'),
+     (0x2F9D4, 'M', '貫'),
+     (0x2F9D5, 'M', '賁'),
++    (0x2F9D6, 'M', '贛'),
++    (0x2F9D7, 'M', '起'),
+     ]
+ 
+ def _seg_81() -> List[Union[Tuple[int, str], Tuple[int, str, str]]]:
+     return [
+-    (0x2F9D6, 'M', '贛'),
+-    (0x2F9D7, 'M', '起'),
+     (0x2F9D8, 'M', '𧼯'),
+     (0x2F9D9, 'M', '𠠄'),
+     (0x2F9DA, 'M', '跋'),
diff --git a/SPECS/tensorflow/CVE-2024-6232.patch b/SPECS/tensorflow/CVE-2024-6232.patch
new file mode 100644
index 00000000000..1bb822bb873
--- /dev/null
+++ b/SPECS/tensorflow/CVE-2024-6232.patch
@@ -0,0 +1,175 @@
+diff --git a/tarfile.py b/tarfile.py
+index 3bbbcaa6211..f7202859de7 100755
+--- a/tarfile.py
++++ b/tarfile.py
+@@ -843,6 +843,9 @@ def data_filter(member, dest_path):
+ # Sentinel for replace() defaults, meaning "don't change the attribute"
+ _KEEP = object()
+ 
++# Header length is digits followed by a space.
++_header_length_prefix_re = re.compile(br"([0-9]{1,20}) ")
++
+ class TarInfo(object):
+     """Informational class which holds the details about an
+        archive member given by a tar header block.
+@@ -1412,37 +1415,59 @@ def _proc_pax(self, tarfile):
+         else:
+             pax_headers = tarfile.pax_headers.copy()
+ 
+-        # Check if the pax header contains a hdrcharset field. This tells us
+-        # the encoding of the path, linkpath, uname and gname fields. Normally,
+-        # these fields are UTF-8 encoded but since POSIX.1-2008 tar
+-        # implementations are allowed to store them as raw binary strings if
+-        # the translation to UTF-8 fails.
+-        match = re.search(br"\d+ hdrcharset=([^\n]+)\n", buf)
+-        if match is not None:
+-            pax_headers["hdrcharset"] = match.group(1).decode("utf-8")
+-
+-        # For the time being, we don't care about anything other than "BINARY".
+-        # The only other value that is currently allowed by the standard is
+-        # "ISO-IR 10646 2000 UTF-8" in other words UTF-8.
+-        hdrcharset = pax_headers.get("hdrcharset")
+-        if hdrcharset == "BINARY":
+-            encoding = tarfile.encoding
+-        else:
+-            encoding = "utf-8"
+-
+         # Parse pax header information. A record looks like that:
+         # "%d %s=%s\n" % (length, keyword, value). length is the size
+         # of the complete record including the length field itself and
+-        # the newline. keyword and value are both UTF-8 encoded strings.
+-        regex = re.compile(br"(\d+) ([^=]+)=")
++        # the newline.
+         pos = 0
+-        while match := regex.match(buf, pos):
+-            length, keyword = match.groups()
+-            length = int(length)
+-            if length == 0:
++        encoding = None
++        raw_headers = []
++        while len(buf) > pos and buf[pos] != 0x00:
++            if not (match := _header_length_prefix_re.match(buf, pos)):
++                raise InvalidHeaderError("invalid header")
++            try:
++                length = int(match.group(1))
++            except ValueError:
++                raise InvalidHeaderError("invalid header")
++            # Headers must be at least 5 bytes, shortest being '5 x=\n'.
++            # Value is allowed to be empty.
++            if length < 5:
++                raise InvalidHeaderError("invalid header")
++            if pos + length > len(buf):
++                raise InvalidHeaderError("invalid header")
++
++            header_value_end_offset = match.start(1) + length - 1  # Last byte of the header
++            keyword_and_value = buf[match.end(1) + 1:header_value_end_offset]
++            raw_keyword, equals, raw_value = keyword_and_value.partition(b"=")
++
++            # Check the framing of the header. The last character must be '\n' (0x0A)
++            if not raw_keyword or equals != b"=" or buf[header_value_end_offset] != 0x0A:
+                 raise InvalidHeaderError("invalid header")
+-            value = buf[match.end(2) + 1:match.start(1) + length - 1]
++            raw_headers.append((length, raw_keyword, raw_value))
++
++            # Check if the pax header contains a hdrcharset field. This tells us
++            # the encoding of the path, linkpath, uname and gname fields. Normally,
++            # these fields are UTF-8 encoded but since POSIX.1-2008 tar
++            # implementations are allowed to store them as raw binary strings if
++            # the translation to UTF-8 fails. For the time being, we don't care about
++            # anything other than "BINARY". The only other value that is currently
++            # allowed by the standard is "ISO-IR 10646 2000 UTF-8" in other words UTF-8.
++            # Note that we only follow the initial 'hdrcharset' setting to preserve
++            # the initial behavior of the 'tarfile' module.
++            if raw_keyword == b"hdrcharset" and encoding is None:
++                if raw_value == b"BINARY":
++                    encoding = tarfile.encoding
++                else:  # This branch ensures only the first 'hdrcharset' header is used.
++                    encoding = "utf-8"
+ 
++            pos += length
++
++        # If no explicit hdrcharset is set, we use UTF-8 as a default.
++        if encoding is None:
++            encoding = "utf-8"
++
++        # After parsing the raw headers we can decode them to text.
++        for length, raw_keyword, raw_value in raw_headers:
+             # Normally, we could just use "utf-8" as the encoding and "strict"
+             # as the error handler, but we better not take the risk. For
+             # example, GNU tar <= 1.23 is known to store filenames it cannot
+@@ -1450,17 +1475,16 @@ def _proc_pax(self, tarfile):
+             # hdrcharset=BINARY header).
+             # We first try the strict standard encoding, and if that fails we
+             # fall back on the user's encoding and error handler.
+-            keyword = self._decode_pax_field(keyword, "utf-8", "utf-8",
++            keyword = self._decode_pax_field(raw_keyword, "utf-8", "utf-8",
+                     tarfile.errors)
+             if keyword in PAX_NAME_FIELDS:
+-                value = self._decode_pax_field(value, encoding, tarfile.encoding,
++                value = self._decode_pax_field(raw_value, encoding, tarfile.encoding,
+                         tarfile.errors)
+             else:
+-                value = self._decode_pax_field(value, "utf-8", "utf-8",
++                value = self._decode_pax_field(raw_value, "utf-8", "utf-8",
+                         tarfile.errors)
+ 
+             pax_headers[keyword] = value
+-            pos += length
+ 
+         # Fetch the next header.
+         try:
+@@ -1475,7 +1499,7 @@ def _proc_pax(self, tarfile):
+ 
+         elif "GNU.sparse.size" in pax_headers:
+             # GNU extended sparse format version 0.0.
+-            self._proc_gnusparse_00(next, pax_headers, buf)
++            self._proc_gnusparse_00(next, raw_headers)
+ 
+         elif pax_headers.get("GNU.sparse.major") == "1" and pax_headers.get("GNU.sparse.minor") == "0":
+             # GNU extended sparse format version 1.0.
+@@ -1497,15 +1521,24 @@ def _proc_pax(self, tarfile):
+ 
+         return next
+ 
+-    def _proc_gnusparse_00(self, next, pax_headers, buf):
++    def _proc_gnusparse_00(self, next, raw_headers):
+         """Process a GNU tar extended sparse header, version 0.0.
+         """
+         offsets = []
+-        for match in re.finditer(br"\d+ GNU.sparse.offset=(\d+)\n", buf):
+-            offsets.append(int(match.group(1)))
+         numbytes = []
+-        for match in re.finditer(br"\d+ GNU.sparse.numbytes=(\d+)\n", buf):
+-            numbytes.append(int(match.group(1)))
++        for _, keyword, value in raw_headers:
++            if keyword == b"GNU.sparse.offset":
++                try:
++                    offsets.append(int(value.decode()))
++                except ValueError:
++                    raise InvalidHeaderError("invalid header")
++
++            elif keyword == b"GNU.sparse.numbytes":
++                try:
++                    numbytes.append(int(value.decode()))
++                except ValueError:
++                    raise InvalidHeaderError("invalid header")
++
+         next.sparse = list(zip(offsets, numbytes))
+ 
+     def _proc_gnusparse_01(self, next, pax_headers):
+@@ -2222,7 +2255,7 @@ def _get_filter_function(self, filter):
+                     'Python 3.14 will, by default, filter extracted tar '
+                     + 'archives and reject files or modify their metadata. '
+                     + 'Use the filter argument to control this behavior.',
+-                    DeprecationWarning)
++                    DeprecationWarning, stacklevel=3)
+                 return fully_trusted_filter
+             if isinstance(filter, str):
+                 raise TypeError(
+@@ -2897,4 +2930,4 @@ def main():
+             print('{!r} file created.'.format(tar_name))
+ 
+ if __name__ == '__main__':
+-    main()
++    main()
+\ No newline at end of file
diff --git a/SPECS/tensorflow/CVE-2024-7592.patch b/SPECS/tensorflow/CVE-2024-7592.patch
new file mode 100644
index 00000000000..8fa3d7028c1
--- /dev/null
+++ b/SPECS/tensorflow/CVE-2024-7592.patch
@@ -0,0 +1,123 @@
+From 04ac47b343b10f2182c4b3730d4be241b2397a4d Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Fri, 16 Aug 2024 19:13:37 +0300
+Subject: [PATCH 1/4] gh-123067: Fix quadratic complexity in parsing cookies
+ with backslashes
+
+This fixes CVE-2024-7592.
+---
+ cookies.py                           | 34 ++++-------------
+ ...-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst |  1 +
+ 3 files changed, 47 insertions(+), 26 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst
+
+diff --git a/cookies.py b/cookies.py
+index 351faf428a20cd..11a67e8a2e008b 100644
+--- a/cookies.py
++++ b/cookies.py
+@@ -184,8 +184,12 @@ def _quote(str):
+         return '"' + str.translate(_Translator) + '"'
+ 
+ 
+-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]")
+-_QuotePatt = re.compile(r"[\\].")
++_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(["\\]))')
++def _unquote_replace(m):
++    if m[1]:
++        return chr(int(m[1], 8))
++    else:
++        return m[2]
+ 
+ def _unquote(str):
+     # If there aren't any doublequotes,
+@@ -205,30 +209,8 @@ def _unquote(str):
+     #    \012 --> \n
+     #    \"   --> "
+     #
+-    i = 0
+-    n = len(str)
+-    res = []
+-    while 0 <= i < n:
+-        o_match = _OctalPatt.search(str, i)
+-        q_match = _QuotePatt.search(str, i)
+-        if not o_match and not q_match:              # Neither matched
+-            res.append(str[i:])
+-            break
+-        # else:
+-        j = k = -1
+-        if o_match:
+-            j = o_match.start(0)
+-        if q_match:
+-            k = q_match.start(0)
+-        if q_match and (not o_match or k < j):     # QuotePatt matched
+-            res.append(str[i:k])
+-            res.append(str[k+1])
+-            i = k + 2
+-        else:                                      # OctalPatt matched
+-            res.append(str[i:j])
+-            res.append(chr(int(str[j+1:j+4], 8)))
+-            i = j + 4
+-    return _nulljoin(res)
++
++    return _unquote_re.sub(_unquote_replace, str)
+ 
+ # The _getdate() routine is used to set the expiration time in the cookie's HTTP
+ # header.  By default, _getdate() returns the current time in the appropriate
+
+From ab87c992c2d4cd28560178048915bc9636d6566e Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Fri, 16 Aug 2024 19:38:20 +0300
+Subject: [PATCH 2/4] Restore the current behavior for backslash-escaping.
+
+---
+ cookies.py           | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/cookies.py b/cookies.py
+index 11a67e8a2e008b..464abeb0fb253a 100644
+--- a/cookies.py
++++ b/cookies.py
+@@ -184,7 +184,7 @@ def _quote(str):
+         return '"' + str.translate(_Translator) + '"'
+ 
+ 
+-_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(["\\]))')
++_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))')
+ def _unquote_replace(m):
+     if m[1]:
+         return chr(int(m[1], 8))
+
+From 1fe24921da4c6c547da82e11c9703f3588dc5fab Mon Sep 17 00:00:00 2001
+From: Serhiy Storchaka <storchaka@gmail.com>
+Date: Sat, 17 Aug 2024 12:40:11 +0300
+Subject: [PATCH 3/4] Cache the sub() method, not the compiled pattern object.
+
+---
+ cookies.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/cookies.py b/cookies.py
+index 464abeb0fb253a..6b9ed24ad8ec78 100644
+--- a/cookies.py
++++ b/cookies.py
+@@ -184,7 +184,8 @@ def _quote(str):
+         return '"' + str.translate(_Translator) + '"'
+ 
+ 
+-_unquote_re = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))')
++_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub
++
+ def _unquote_replace(m):
+     if m[1]:
+         return chr(int(m[1], 8))
+@@ -209,8 +210,7 @@ def _unquote(str):
+     #    \012 --> \n
+     #    \"   --> "
+     #
+-
+-    return _unquote_re.sub(_unquote_replace, str)
++    return _unquote_sub(_unquote_replace, str)
+ 
+ # The _getdate() routine is used to set the expiration time in the cookie's HTTP
+ # header.  By default, _getdate() returns the current time in the appropriate
+
diff --git a/SPECS/tensorflow/CVE-2024-8088.patch b/SPECS/tensorflow/CVE-2024-8088.patch
new file mode 100644
index 00000000000..af19acfeba1
--- /dev/null
+++ b/SPECS/tensorflow/CVE-2024-8088.patch
@@ -0,0 +1,41 @@
+diff --color -ruN a/zipfile/_path/__init__.py b/zipfile/_path/__init__.py
+--- a/zipfile/_path/__init__.py	2021-01-01 08:00:00.000000000 +0000
++++ b/zipfile/_path/__init__.py	2024-09-26 18:35:13.560930101 +0000
+@@ -1,3 +1,12 @@
++"""
++A Path-like interface for zipfiles.
++
++This codebase is shared between zipfile.Path in the stdlib
++and zipp in PyPI. See
++https://github.com/python/importlib_metadata/wiki/Development-Methodology
++for more detail.
++"""
++
+ import io
+ import posixpath
+ import zipfile
+@@ -34,7 +43,7 @@
+ def _ancestry(path):
+     """
+     Given a path with elements separated by
+-    posixpath.sep, generate all elements of that path
++    posixpath.sep, generate all elements of that path.
+ 
+     >>> list(_ancestry('b/d'))
+     ['b/d', 'b']
+@@ -46,9 +55,14 @@
+     ['b']
+     >>> list(_ancestry(''))
+     []
++
++    Multiple separators are treated like a single.
++
++    >>> list(_ancestry('//b//d///f//'))
++    ['//b//d///f', '//b//d', '//b']
+     """
+     path = path.rstrip(posixpath.sep)
+-    while path and path != posixpath.sep:
++    while path.rstrip(posixpath.sep):
+         yield path
+         path, tail = posixpath.split(path)
+ 
diff --git a/SPECS/tensorflow/generate_tf_cache.sh b/SPECS/tensorflow/generate_tf_cache.sh
old mode 100644
new mode 100755
index dad781565df..586ebc5db78
--- a/SPECS/tensorflow/generate_tf_cache.sh
+++ b/SPECS/tensorflow/generate_tf_cache.sh
@@ -11,4 +11,4 @@ CONTAINER_ID=$(docker run -d tensorflow_image)
 docker cp $CONTAINER_ID:/root/tensorflow-$TF_VERSION-cache.tar.gz $PWD
 
 docker stop $CONTAINER_ID
-docker rm $CONTAINER_ID
\ No newline at end of file
+docker rm $CONTAINER_ID
diff --git a/SPECS/tensorflow/tensorflow.spec b/SPECS/tensorflow/tensorflow.spec
index 7bd52dcbbec..d4022958ff2 100644
--- a/SPECS/tensorflow/tensorflow.spec
+++ b/SPECS/tensorflow/tensorflow.spec
@@ -1,7 +1,7 @@
 Summary:        TensorFlow is an open source machine learning framework for everyone.
 Name:           tensorflow
 Version:        2.16.1
-Release:        5%{?dist}
+Release:        7%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -9,6 +9,10 @@ Group:          Development/Languages/Python
 URL:            https://www.tensorflow.org/
 Source0:        https://github.com/tensorflow/tensorflow/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        %{name}-%{version}-cache2.tar.gz
+Patch0:         CVE-2024-7592.patch
+Patch1:         CVE-2024-6232.patch
+Patch2:         CVE-2024-8088.patch
+Patch3:         CVE-2024-3651.patch
 BuildRequires:  bazel
 BuildRequires:  binutils
 BuildRequires:  build-essential
@@ -57,15 +61,37 @@ Requires:       python3-wrapt
 Python 3 version.
 
 %prep
-%autosetup -p1
-
+# use -N to **not** apply patches, will apply patch after getting SOURCE1 in build stage
+%autosetup -N
 
 %build
 MD5_HASH=$(echo -n $PWD | md5sum | awk '{print $1}')
 mkdir -p /root/.cache/bazel/_bazel_$USER/$MD5_HASH/external
 tar -xvf %{SOURCE1} -C /root/.cache/bazel/_bazel_$USER/$MD5_HASH/external
+
+# Need to patch CVE-2024-7592 in the bundled python for applicable archs: `ExclusiveArch:  x86_64`
+pushd /root/.cache/bazel/_bazel_$USER/$MD5_HASH/external/python_x86_64-unknown-linux-gnu/lib/python3.12/http
+patch -p1 < %{PATCH0}
+popd
+
+# Need to patch CVE-2024-6232 in the bundled python for applicable archs: `ExclusiveArch:  x86_64`
+pushd /root/.cache/bazel/_bazel_$USER/$MD5_HASH/external/python_x86_64-unknown-linux-gnu/lib/python3.12/
+patch -p1 < %{PATCH1}
+popd
+
+# Need to patch CVE-2024-8088 in the bundled python for applicable archs: `ExclusiveArch:  x86_64`
+pushd /root/.cache/bazel/_bazel_$USER/$MD5_HASH/external/python_x86_64-unknown-linux-gnu/lib/python3.12/
+patch -p1 < %{PATCH2}
+popd  
+
+# Need to patch CVE-2024-3651 in the bundled python for applicable archs: `ExclusiveArch:  x86_64`
+pushd /root/.cache/bazel/_bazel_$USER/$MD5_HASH/external/python_x86_64-unknown-linux-gnu/lib/python3.12/site-packages/pip/_vendor/idna
+patch -p1 < %{PATCH3}
+popd
+
 export TF_PYTHON_VERSION=3.12
 ln -s %{_bindir}/python3 %{_bindir}/python
+
 # Remove the .bazelversion file so that latest bazel version available will be used to build TensorFlow.
 rm .bazelversion
 
@@ -92,6 +118,12 @@ bazel --batch build  //tensorflow/tools/pip_package:build_pip_package
 %{_bindir}/toco_from_protos
 
 %changelog
+* Wed Sep 25 2024 Archana Choudhary <archana1@microsoft.com> - 2.16.1-7
+- Bump release to build with new python3 to fix CVE-2024-6232, CVE-2024-8088, CVE-2024-3651
+
+* Fri Aug 23 2024 Brian Fjeldstad <bfjelds@microsoft.com> - 2.16.1-6
+- Bump release to build with new python3 to fix CVE-2024-7592
+
 * Thu May 30 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 2.16.1-5
 - Bump release to build with new python-werkzeug to fix CVE-2024-34069
 
diff --git a/SPECS/tini/tini.spec b/SPECS/tini/tini.spec
index 14ed7bcdb14..f12e64aa05b 100644
--- a/SPECS/tini/tini.spec
+++ b/SPECS/tini/tini.spec
@@ -1,7 +1,7 @@
 Summary:        A tiny but valid init for containers
 Name:           tini
 Version:        0.19.0
-Release:        17%{?dist}
+Release:        18%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -13,7 +13,7 @@ BuildRequires:  diffutils
 BuildRequires:  file
 BuildRequires:  gcc
 BuildRequires:  glibc-devel
-BuildRequires:  glibc-static >= 2.38-7%{?dist}
+BuildRequires:  glibc-static >= 2.38-8%{?dist}
 BuildRequires:  kernel-headers
 BuildRequires:  make
 BuildRequires:  sed
@@ -66,6 +66,9 @@ ln -s %{_bindir}/tini-static %{buildroot}%{_bindir}/docker-init
 %{_bindir}/docker-init
 
 %changelog
+* Mon Aug 26 2024 Rachel Menge <rachelmenge@microsoft.com> - 0.19.0-18
+- Update to build dep latest glibc-static version
+
 * Wed Aug 21 2024 Chris Co <chrco@microsoft.com> - 0.19.0-17
 - Bump to rebuild with updated glibc
 
diff --git a/SPECS/trace-cmd/trace-cmd.spec b/SPECS/trace-cmd/trace-cmd.spec
index 8025110b716..01f6e2263c4 100644
--- a/SPECS/trace-cmd/trace-cmd.spec
+++ b/SPECS/trace-cmd/trace-cmd.spec
@@ -4,7 +4,7 @@
 
 Name:          trace-cmd
 Version:       3.2
-Release:       1%{?dist}
+Release:       2%{?dist}
 License:       LGPL-2.1-only AND LGPL-2.1-or-later AND GPL-2.0-only AND GPL-2.0-or-later
 Summary:       A user interface to Ftrace
 
@@ -15,6 +15,8 @@ ExcludeArch:   %{ix86} %{arm}
 # cd trace-cmd
 # git archive --prefix=trace-cmd-%%{version}/ -o trace-cmd-v%%{version}.tar.gz %%{git_commit}
 URL:           http://git.kernel.org/?p=linux/kernel/git/rostedt/trace-cmd.git;a=summary
+Vendor:        Microsoft Corporation
+Distribution:  Azure Linux
 Source0:       https://git.kernel.org/pub/scm/utils/trace-cmd/trace-cmd.git/snapshot/trace-cmd-v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:       trace-cmd.conf
 Source2:       trace-cmd.service
@@ -63,7 +65,7 @@ CFLAGS="%{optflags} -D_GNU_SOURCE" LDFLAGS="%{build_ldflags}" BUILD_TYPE=Release
   make V=9999999999 MANPAGE_DOCBOOK_XSL=$MANPAGE_DOCBOOK_XSL \
   prefix=%{_prefix} libdir=%{_libdir} \
   PYTHON_VERS=python3 all_cmd doc
-for i in python/*.py ; do 
+for i in python/*.py ; do
     sed -i 's/env python2/python3/g' $i
 done
 chrpath --delete tracecmd/trace-cmd
@@ -101,6 +103,9 @@ rm -rf %{buildroot}/%{_mandir}/man3/*
 %{_libdir}/%{name}/python/
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 3.2-2
+- Add missing Vendor and Distribution tags.
+
 * Mon Feb 12 2024 Aadhar Agarwal <aadagarwal@microsoft.com> - 3.2-1
 - Initial Azure Linux import from Fedora 40 (license: MIT)
 - License Verified
diff --git a/SPECS/unbound/CVE-2024-33655.patch b/SPECS/unbound/CVE-2024-33655.patch
new file mode 100644
index 00000000000..33a72dda9a5
--- /dev/null
+++ b/SPECS/unbound/CVE-2024-33655.patch
@@ -0,0 +1,799 @@
+From c3206f4568f60c486be6d165b1f2b5b254fea3de Mon Sep 17 00:00:00 2001
+From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
+Date: Wed, 1 May 2024 10:10:58 +0200
+Subject: [PATCH] - Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to
+ Xiang Li   from the Network and Information Security Lab of Tsinghua
+ University   for reporting it.
+
+---
+ doc/Changelog                                 |   5 +
+ doc/example.conf.in                           |  15 ++
+ doc/unbound.conf.5.in                         |  30 ++++
+ services/cache/infra.c                        | 170 +++++++++++++++++-
+ services/cache/infra.h                        |  28 +++
+ services/mesh.c                               |  65 +++++++
+ .../doh_downstream.tdir/doh_downstream.conf   |   1 +
+ .../doh_downstream_notls.conf                 |   1 +
+ .../doh_downstream_post.conf                  |   1 +
+ .../fwd_three_service.conf                    |   1 +
+ testdata/iter_ghost_timewindow.rpl            |   1 +
+ .../ssl_req_order.tdir/ssl_req_order.conf     |   1 +
+ .../tcp_req_order.tdir/tcp_req_order.conf     |   1 +
+ testdata/tcp_sigpipe.tdir/tcp_sigpipe.conf    |   3 +-
+ util/config_file.c                            |  15 ++
+ util/config_file.h                            |  15 ++
+ util/configlexer.lex                          |   5 +
+ util/configparser.y                           |  55 ++++++
+ 18 files changed, 410 insertions(+), 3 deletions(-)
+
+diff --git a/doc/Changelog b/doc/Changelog
+index 05112e8..501beea 100644
+--- a/doc/Changelog
++++ b/doc/Changelog
+@@ -1,3 +1,8 @@
++1 May 2024: Wouter
++	- Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li
++	  from the Network and Information Security Lab of Tsinghua University
++	  for reporting it.
++
+ 2 November 2023: Wouter
+ 	- Set version number to 1.19.0.
+ 	- Tag for 1.19.0rc1 release.
+diff --git a/doc/example.conf.in b/doc/example.conf.in
+index 6bf1c66..71fb6c0 100644
+--- a/doc/example.conf.in
++++ b/doc/example.conf.in
+@@ -191,6 +191,21 @@ server:
+ 	# are behind a slow satellite link, to eg. 1128.
+ 	# unknown-server-time-limit: 376
+ 
++	# msec before recursion replies are dropped. The work item continues.
++	# discard-timeout: 1900
++
++	# Max number of replies waiting for recursion per IP address.
++	# wait-limit: 1000
++
++	# Max replies waiting for recursion for IP address with cookie.
++	# wait-limit-cookie: 10000
++
++	# Apart from the default, the wait limit can be set for a netblock.
++	# wait-limit-netblock: 192.0.2.0/24 50000
++
++	# Apart from the default, the wait limit with cookie can be adjusted.
++	# wait-limit-cookie-netblock: 192.0.2.0/24 50000
++
+ 	# the amount of memory to use for the RRset cache.
+ 	# plain value in bytes or you can append k, m or G. default is "4Mb".
+ 	# rrset-cache-size: 4m
+diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
+index 76cfa23..b3800f1 100644
+--- a/doc/unbound.conf.5.in
++++ b/doc/unbound.conf.5.in
+@@ -302,6 +302,36 @@ Increase this if you are behind a slow satellite link, to eg. 1128.
+ That would then avoid re\-querying every initial query because it times out.
+ Default is 376 msec.
+ .TP
++.B discard\-timeout: \fI<msec>
++The wait time in msec where recursion requests are dropped. This is
++to stop a large number of replies from accumulating. They receive
++no reply, the work item continues to recurse. It is nice to be a bit
++larger than serve\-expired\-client\-timeout if that is enabled.
++A value of 1900 msec is suggested. The value 0 disables it.
++Default 1900 msec.
++.TP
++.B wait\-limit: \fI<number>
++The number of replies that can wait for recursion, for an IP address.
++This makes a ratelimit per IP address of waiting replies for recursion.
++It stops very large amounts of queries waiting to be returned to one
++destination. The value 0 disables wait limits. Default is 1000.
++.TP
++.B wait\-limit\-cookie: \fI<number>
++The number of replies that can wait for recursion, for an IP address
++that sent the query with a valid DNS cookie. Since the cookie validates
++the client address, the limit can be higher. Default is 10000.
++.TP
++.B wait\-limit\-netblock: \fI<netblock> <number>
++The wait limit for the netblock. If not given the wait\-limit value is
++used. The most specific netblock is used to determine the limit. Useful for
++overriding the default for a specific, group or individual, server.
++The value -1 disables wait limits for the netblock.
++.TP
++.B wait\-limit\-cookie\-netblock: \fI<netblock> <number>
++The wait limit for the netblock, when the query has a DNS cookie.
++If not given, the wait\-limit\-cookie value is used.
++The value -1 disables wait limits for the netblock.
++.TP
+ .B so\-rcvbuf: \fI<number>
+ If not 0, then set the SO_RCVBUF socket option to get more buffer
+ space on UDP port 53 incoming queries.  So that short spikes on busy
+diff --git a/services/cache/infra.c b/services/cache/infra.c
+index 31462d1..457685a 100644
+--- a/services/cache/infra.c
++++ b/services/cache/infra.c
+@@ -234,6 +234,81 @@ setup_domain_limits(struct infra_cache* infra, struct config_file* cfg)
+ 	return 1;
+ }
+ 
++/** find or create element in wait limit netblock tree */
++static struct wait_limit_netblock_info*
++wait_limit_netblock_findcreate(struct infra_cache* infra, char* str,
++	int cookie)
++{
++	rbtree_type* tree;
++	struct sockaddr_storage addr;
++	int net;
++	socklen_t addrlen;
++	struct wait_limit_netblock_info* d;
++
++	if(!netblockstrtoaddr(str, 0, &addr, &addrlen, &net)) {
++		log_err("cannot parse wait limit netblock '%s'", str);
++		return 0;
++	}
++
++	/* can we find it? */
++	if(cookie)
++		tree = &infra->wait_limits_cookie_netblock;
++	else
++		tree = &infra->wait_limits_netblock;
++	d = (struct wait_limit_netblock_info*)addr_tree_find(tree, &addr,
++		addrlen, net);
++	if(d)
++		return d;
++
++	/* create it */
++	d = (struct wait_limit_netblock_info*)calloc(1, sizeof(*d));
++	if(!d)
++		return NULL;
++	d->limit = -1;
++	if(!addr_tree_insert(tree, &d->node, &addr, addrlen, net)) {
++		log_err("duplicate element in domainlimit tree");
++		free(d);
++		return NULL;
++	}
++	return d;
++}
++
++
++/** insert wait limit information into lookup tree */
++static int
++infra_wait_limit_netblock_insert(struct infra_cache* infra,
++	struct config_file* cfg)
++{
++	struct config_str2list* p;
++	struct wait_limit_netblock_info* d;
++	for(p = cfg->wait_limit_netblock; p; p = p->next) {
++		d = wait_limit_netblock_findcreate(infra, p->str, 0);
++		if(!d)
++			return 0;
++		d->limit = atoi(p->str2);
++	}
++	for(p = cfg->wait_limit_cookie_netblock; p; p = p->next) {
++		d = wait_limit_netblock_findcreate(infra, p->str, 1);
++		if(!d)
++			return 0;
++		d->limit = atoi(p->str2);
++	}
++	return 1;
++}
++
++/** setup wait limits tree (0 on failure) */
++static int
++setup_wait_limits(struct infra_cache* infra, struct config_file* cfg)
++{
++	addr_tree_init(&infra->wait_limits_netblock);
++	addr_tree_init(&infra->wait_limits_cookie_netblock);
++	if(!infra_wait_limit_netblock_insert(infra, cfg))
++		return 0;
++	addr_tree_init_parents(&infra->wait_limits_netblock);
++	addr_tree_init_parents(&infra->wait_limits_cookie_netblock);
++	return 1;
++}
++
+ struct infra_cache* 
+ infra_create(struct config_file* cfg)
+ {
+@@ -267,6 +342,10 @@ infra_create(struct config_file* cfg)
+ 		infra_delete(infra);
+ 		return NULL;
+ 	}
++	if(!setup_wait_limits(infra, cfg)) {
++		infra_delete(infra);
++		return NULL;
++	}
+ 	infra_ip_ratelimit = cfg->ip_ratelimit;
+ 	infra->client_ip_rates = slabhash_create(cfg->ip_ratelimit_slabs,
+ 	    INFRA_HOST_STARTSIZE, cfg->ip_ratelimit_size, &ip_rate_sizefunc,
+@@ -287,6 +366,12 @@ static void domain_limit_free(rbnode_type* n, void* ATTR_UNUSED(arg))
+ 	}
+ }
+ 
++/** delete wait_limit_netblock_info entries */
++static void wait_limit_netblock_del(rbnode_type* n, void* ATTR_UNUSED(arg))
++{
++	free(n);
++}
++
+ void 
+ infra_delete(struct infra_cache* infra)
+ {
+@@ -296,6 +381,10 @@ infra_delete(struct infra_cache* infra)
+ 	slabhash_delete(infra->domain_rates);
+ 	traverse_postorder(&infra->domain_limits, domain_limit_free, NULL);
+ 	slabhash_delete(infra->client_ip_rates);
++	traverse_postorder(&infra->wait_limits_netblock,
++		wait_limit_netblock_del, NULL);
++	traverse_postorder(&infra->wait_limits_cookie_netblock,
++		wait_limit_netblock_del, NULL);
+ 	free(infra);
+ }
+ 
+@@ -880,7 +969,8 @@ static void infra_create_ratedata(struct infra_cache* infra,
+ 
+ /** create rate data item for ip address */
+ static void infra_ip_create_ratedata(struct infra_cache* infra,
+-	struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow)
++	struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow,
++	int mesh_wait)
+ {
+ 	hashvalue_type h = hash_addr(addr, addrlen, 0);
+ 	struct ip_rate_key* k = (struct ip_rate_key*)calloc(1, sizeof(*k));
+@@ -898,6 +988,7 @@ static void infra_ip_create_ratedata(struct infra_cache* infra,
+ 	k->entry.data = d;
+ 	d->qps[0] = 1;
+ 	d->timestamp[0] = timenow;
++	d->mesh_wait = mesh_wait;
+ 	slabhash_insert(infra->client_ip_rates, h, &k->entry, d, NULL);
+ }
+ 
+@@ -1121,6 +1212,81 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
+ 	}
+ 
+ 	/* create */
+-	infra_ip_create_ratedata(infra, addr, addrlen, timenow);
++	infra_ip_create_ratedata(infra, addr, addrlen, timenow, 0);
+ 	return 1;
+ }
++
++int infra_wait_limit_allowed(struct infra_cache* infra, struct comm_reply* rep,
++	int cookie_valid, struct config_file* cfg)
++{
++	struct lruhash_entry* entry;
++	if(cfg->wait_limit == 0)
++		return 1;
++
++	entry = infra_find_ip_ratedata(infra, &rep->client_addr,
++		rep->client_addrlen, 0);
++	if(entry) {
++		rbtree_type* tree;
++		struct wait_limit_netblock_info* w;
++		struct rate_data* d = (struct rate_data*)entry->data;
++		int mesh_wait = d->mesh_wait;
++		lock_rw_unlock(&entry->lock);
++
++		/* have the wait amount, check how much is allowed */
++		if(cookie_valid)
++			tree = &infra->wait_limits_cookie_netblock;
++		else	tree = &infra->wait_limits_netblock;
++		w = (struct wait_limit_netblock_info*)addr_tree_lookup(tree,
++			&rep->client_addr, rep->client_addrlen);
++		if(w) {
++			if(w->limit != -1 && mesh_wait > w->limit)
++				return 0;
++		} else {
++			/* if there is no IP netblock specific information,
++			 * use the configured value. */
++			if(mesh_wait > (cookie_valid?cfg->wait_limit_cookie:
++				cfg->wait_limit))
++				return 0;
++		}
++	}
++	return 1;
++}
++
++void infra_wait_limit_inc(struct infra_cache* infra, struct comm_reply* rep,
++	time_t timenow, struct config_file* cfg)
++{
++	struct lruhash_entry* entry;
++	if(cfg->wait_limit == 0)
++		return;
++
++	/* Find it */
++	entry = infra_find_ip_ratedata(infra, &rep->client_addr,
++		rep->client_addrlen, 1);
++	if(entry) {
++		struct rate_data* d = (struct rate_data*)entry->data;
++		d->mesh_wait++;
++		lock_rw_unlock(&entry->lock);
++		return;
++	}
++
++	/* Create it */
++	infra_ip_create_ratedata(infra, &rep->client_addr,
++		rep->client_addrlen, timenow, 1);
++}
++
++void infra_wait_limit_dec(struct infra_cache* infra, struct comm_reply* rep,
++	struct config_file* cfg)
++{
++	struct lruhash_entry* entry;
++	if(cfg->wait_limit == 0)
++		return;
++
++	entry = infra_find_ip_ratedata(infra, &rep->client_addr,
++		rep->client_addrlen, 1);
++	if(entry) {
++		struct rate_data* d = (struct rate_data*)entry->data;
++		if(d->mesh_wait > 0)
++			d->mesh_wait--;
++		lock_rw_unlock(&entry->lock);
++	}
++}
+diff --git a/services/cache/infra.h b/services/cache/infra.h
+index 525073b..ee6f384 100644
+--- a/services/cache/infra.h
++++ b/services/cache/infra.h
+@@ -122,6 +122,10 @@ struct infra_cache {
+ 	rbtree_type domain_limits;
+ 	/** hash table with query rates per client ip: ip_rate_key, ip_rate_data */
+ 	struct slabhash* client_ip_rates;
++	/** tree of addr_tree_node, with wait_limit_netblock_info information */
++	rbtree_type wait_limits_netblock;
++	/** tree of addr_tree_node, with wait_limit_netblock_info information */
++	rbtree_type wait_limits_cookie_netblock;
+ };
+ 
+ /** ratelimit, unless overridden by domain_limits, 0 is off */
+@@ -184,10 +188,22 @@ struct rate_data {
+ 	/** what the timestamp is of the qps array members, counter is
+ 	 * valid for that timestamp.  Usually now and now-1. */
+ 	time_t timestamp[RATE_WINDOW];
++	/** the number of queries waiting in the mesh */
++	int mesh_wait;
+ };
+ 
+ #define ip_rate_data rate_data
+ 
++/**
++ * Data to store the configuration per netblock for the wait limit
++ */
++struct wait_limit_netblock_info {
++	/** The addr tree node, this must be first. */
++	struct addr_tree_node node;
++	/** the limit on the amount */
++	int limit;
++};
++
+ /** infra host cache default hash lookup size */
+ #define INFRA_HOST_STARTSIZE 32
+ /** bytes per zonename reserved in the hostcache, dnamelen(zonename.com.) */
+@@ -474,4 +490,16 @@ void ip_rate_delkeyfunc(void* d, void* arg);
+ /* delete data */
+ #define ip_rate_deldatafunc rate_deldatafunc
+ 
++/** See if the IP address can have another reply in the wait limit */
++int infra_wait_limit_allowed(struct infra_cache* infra, struct comm_reply* rep,
++	int cookie_valid, struct config_file* cfg);
++
++/** Increment number of waiting replies for IP */
++void infra_wait_limit_inc(struct infra_cache* infra, struct comm_reply* rep,
++	time_t timenow, struct config_file* cfg);
++
++/** Decrement number of waiting replies for IP */
++void infra_wait_limit_dec(struct infra_cache* infra, struct comm_reply* rep,
++	struct config_file* cfg);
++
+ #endif /* SERVICES_CACHE_INFRA_H */
+diff --git a/services/mesh.c b/services/mesh.c
+index 509bee3..11f4642 100644
+--- a/services/mesh.c
++++ b/services/mesh.c
+@@ -47,6 +47,7 @@
+ #include "services/outbound_list.h"
+ #include "services/cache/dns.h"
+ #include "services/cache/rrset.h"
++#include "services/cache/infra.h"
+ #include "util/log.h"
+ #include "util/net_help.h"
+ #include "util/module.h"
+@@ -409,6 +410,14 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
+ 	if(rep->c->tcp_req_info) {
+ 		r_buffer = rep->c->tcp_req_info->spool_buffer;
+ 	}
++	if(!infra_wait_limit_allowed(mesh->env->infra_cache, rep,
++		edns->cookie_valid, mesh->env->cfg)) {
++		verbose(VERB_ALGO, "Too many queries waiting from the IP. "
++			"dropping incoming query.");
++		comm_point_drop_reply(rep);
++		mesh->stats_dropped++;
++		return;
++	}
+ 	if(!unique)
+ 		s = mesh_area_find(mesh, cinfo, qinfo, qflags&(BIT_RD|BIT_CD), 0, 0);
+ 	/* does this create a new reply state? */
+@@ -505,6 +514,8 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
+ 		log_err("mesh_new_client: out of memory initializing serve expired");
+ 		goto servfail_mem;
+ 	}
++	infra_wait_limit_inc(mesh->env->infra_cache, rep, *mesh->env->now,
++		mesh->env->cfg);
+ 	/* update statistics */
+ 	if(was_detached) {
+ 		log_assert(mesh->num_detached_states > 0);
+@@ -924,6 +935,8 @@ mesh_state_cleanup(struct mesh_state* mstate)
+ 		 * takes no time and also it does not do the mesh accounting */
+ 		mstate->reply_list = NULL;
+ 		for(; rep; rep=rep->next) {
++			infra_wait_limit_dec(mesh->env->infra_cache,
++				&rep->query_reply, mesh->env->cfg);
+ 			comm_point_drop_reply(&rep->query_reply);
+ 			log_assert(mesh->num_reply_addrs > 0);
+ 			mesh->num_reply_addrs--;
+@@ -1407,6 +1420,8 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
+ 		comm_point_send_reply(&r->query_reply);
+ 		m->reply_list = rlist;
+ 	}
++	infra_wait_limit_dec(m->s.env->infra_cache, &r->query_reply,
++		m->s.env->cfg);
+ 	/* account */
+ 	log_assert(m->s.env->mesh->num_reply_addrs > 0);
+ 	m->s.env->mesh->num_reply_addrs--;
+@@ -1462,6 +1477,28 @@ void mesh_query_done(struct mesh_state* mstate)
+ 		}
+ 	}
+ 	for(r = mstate->reply_list; r; r = r->next) {
++		struct timeval old;
++		timeval_subtract(&old, mstate->s.env->now_tv, &r->start_time);
++		if(mstate->s.env->cfg->discard_timeout != 0 &&
++			((int)old.tv_sec)*1000+((int)old.tv_usec)/1000 >
++			mstate->s.env->cfg->discard_timeout) {
++			/* Drop the reply, it is too old */
++			/* briefly set the reply_list to NULL, so that the
++			 * tcp req info cleanup routine that calls the mesh
++			 * to deregister the meshstate for it is not done
++			 * because the list is NULL and also accounting is not
++			 * done there, but instead we do that here. */
++			struct mesh_reply* reply_list = mstate->reply_list;
++			verbose(VERB_ALGO, "drop reply, it is older than discard-timeout");
++			infra_wait_limit_dec(mstate->s.env->infra_cache,
++				&r->query_reply, mstate->s.env->cfg);
++			mstate->reply_list = NULL;
++			comm_point_drop_reply(&r->query_reply);
++			mstate->reply_list = reply_list;
++			mstate->s.env->mesh->stats_dropped++;
++			continue;
++		}
++
+ 		i++;
+ 		tv = r->start_time;
+ 
+@@ -1485,6 +1522,8 @@ void mesh_query_done(struct mesh_state* mstate)
+ 			 * because the list is NULL and also accounting is not
+ 			 * done there, but instead we do that here. */
+ 			struct mesh_reply* reply_list = mstate->reply_list;
++			infra_wait_limit_dec(mstate->s.env->infra_cache,
++				&r->query_reply, mstate->s.env->cfg);
+ 			mstate->reply_list = NULL;
+ 			comm_point_drop_reply(&r->query_reply);
+ 			mstate->reply_list = reply_list;
+@@ -2017,6 +2056,8 @@ void mesh_state_remove_reply(struct mesh_area* mesh, struct mesh_state* m,
+ 			/* delete it, but allocated in m region */
+ 			log_assert(mesh->num_reply_addrs > 0);
+ 			mesh->num_reply_addrs--;
++			infra_wait_limit_dec(mesh->env->infra_cache,
++				&n->query_reply, mesh->env->cfg);
+ 
+ 			/* prev = prev; */
+ 			n = n->next;
+@@ -2157,6 +2198,28 @@ mesh_serve_expired_callback(void* arg)
+ 		log_dns_msg("Serve expired lookup", &qstate->qinfo, msg->rep);
+ 
+ 	for(r = mstate->reply_list; r; r = r->next) {
++		struct timeval old;
++		timeval_subtract(&old, mstate->s.env->now_tv, &r->start_time);
++		if(mstate->s.env->cfg->discard_timeout != 0 &&
++			((int)old.tv_sec)*1000+((int)old.tv_usec)/1000 >
++			mstate->s.env->cfg->discard_timeout) {
++			/* Drop the reply, it is too old */
++			/* briefly set the reply_list to NULL, so that the
++			 * tcp req info cleanup routine that calls the mesh
++			 * to deregister the meshstate for it is not done
++			 * because the list is NULL and also accounting is not
++			 * done there, but instead we do that here. */
++			struct mesh_reply* reply_list = mstate->reply_list;
++			verbose(VERB_ALGO, "drop reply, it is older than discard-timeout");
++			infra_wait_limit_dec(mstate->s.env->infra_cache,
++				&r->query_reply, mstate->s.env->cfg);
++			mstate->reply_list = NULL;
++			comm_point_drop_reply(&r->query_reply);
++			mstate->reply_list = reply_list;
++			mstate->s.env->mesh->stats_dropped++;
++			continue;
++		}
++
+ 		i++;
+ 		tv = r->start_time;
+ 
+@@ -2184,6 +2247,8 @@ mesh_serve_expired_callback(void* arg)
+ 			r, r_buffer, prev, prev_buffer);
+ 		if(r->query_reply.c->tcp_req_info)
+ 			tcp_req_info_remove_mesh_state(r->query_reply.c->tcp_req_info, mstate);
++		infra_wait_limit_dec(mstate->s.env->infra_cache,
++			&r->query_reply, mstate->s.env->cfg);
+ 		prev = r;
+ 		prev_buffer = r_buffer;
+ 	}
+diff --git a/testdata/doh_downstream.tdir/doh_downstream.conf b/testdata/doh_downstream.tdir/doh_downstream.conf
+index f0857bb..222c215 100644
+--- a/testdata/doh_downstream.tdir/doh_downstream.conf
++++ b/testdata/doh_downstream.tdir/doh_downstream.conf
+@@ -11,6 +11,7 @@ server:
+ 	chroot: ""
+ 	username: ""
+ 	do-not-query-localhost: no
++	discard-timeout: 3000  # testns uses sleep=2
+ 	http-query-buffer-size: 1G
+ 	http-response-buffer-size: 1G
+ 	http-max-streams: 200
+diff --git a/testdata/doh_downstream_notls.tdir/doh_downstream_notls.conf b/testdata/doh_downstream_notls.tdir/doh_downstream_notls.conf
+index bdca456..161c355 100644
+--- a/testdata/doh_downstream_notls.tdir/doh_downstream_notls.conf
++++ b/testdata/doh_downstream_notls.tdir/doh_downstream_notls.conf
+@@ -11,6 +11,7 @@ server:
+ 	chroot: ""
+ 	username: ""
+ 	do-not-query-localhost: no
++	discard-timeout: 3000  # testns uses sleep=2
+ 	http-query-buffer-size: 1G
+ 	http-response-buffer-size: 1G
+ 	http-max-streams: 200
+diff --git a/testdata/doh_downstream_post.tdir/doh_downstream_post.conf b/testdata/doh_downstream_post.tdir/doh_downstream_post.conf
+index f0857bb..222c215 100644
+--- a/testdata/doh_downstream_post.tdir/doh_downstream_post.conf
++++ b/testdata/doh_downstream_post.tdir/doh_downstream_post.conf
+@@ -11,6 +11,7 @@ server:
+ 	chroot: ""
+ 	username: ""
+ 	do-not-query-localhost: no
++	discard-timeout: 3000  # testns uses sleep=2
+ 	http-query-buffer-size: 1G
+ 	http-response-buffer-size: 1G
+ 	http-max-streams: 200
+diff --git a/testdata/fwd_three_service.tdir/fwd_three_service.conf b/testdata/fwd_three_service.tdir/fwd_three_service.conf
+index 05fafe0..d6c9a20 100644
+--- a/testdata/fwd_three_service.tdir/fwd_three_service.conf
++++ b/testdata/fwd_three_service.tdir/fwd_three_service.conf
+@@ -11,6 +11,7 @@ server:
+ 	num-queries-per-thread: 1024
+ 	use-syslog: no
+ 	do-not-query-localhost: no
++	discard-timeout: 3000  # testns uses sleep=2
+ forward-zone:
+ 	name: "."
+ 	forward-addr: "127.0.0.1@@TOPORT@"
+diff --git a/testdata/iter_ghost_timewindow.rpl b/testdata/iter_ghost_timewindow.rpl
+index 566be82..9e30462 100644
+--- a/testdata/iter_ghost_timewindow.rpl
++++ b/testdata/iter_ghost_timewindow.rpl
+@@ -3,6 +3,7 @@ server:
+ 	target-fetch-policy: "0 0 0 0 0"
+ 	qname-minimisation: "no"
+ 	minimal-responses: no
++	discard-timeout: 86400
+ 
+ stub-zone:
+ 	name: "."
+diff --git a/testdata/ssl_req_order.tdir/ssl_req_order.conf b/testdata/ssl_req_order.tdir/ssl_req_order.conf
+index 3b2e2b1..ec39d3a 100644
+--- a/testdata/ssl_req_order.tdir/ssl_req_order.conf
++++ b/testdata/ssl_req_order.tdir/ssl_req_order.conf
+@@ -9,6 +9,7 @@ server:
+ 	chroot: ""
+ 	username: ""
+ 	do-not-query-localhost: no
++	discard-timeout: 3000  # testns uses sleep=2
+ 	ssl-port: @PORT@
+ 	ssl-service-key: "unbound_server.key"
+ 	ssl-service-pem: "unbound_server.pem"
+diff --git a/testdata/tcp_req_order.tdir/tcp_req_order.conf b/testdata/tcp_req_order.tdir/tcp_req_order.conf
+index 40d6f55..b2804e8 100644
+--- a/testdata/tcp_req_order.tdir/tcp_req_order.conf
++++ b/testdata/tcp_req_order.tdir/tcp_req_order.conf
+@@ -9,6 +9,7 @@ server:
+ 	chroot: ""
+ 	username: ""
+ 	do-not-query-localhost: no
++	discard-timeout: 3000  # testns uses sleep=2
+ 
+ 	local-zone: "example.net" static
+ 	local-data: "www1.example.net. IN A 1.2.3.1"
+diff --git a/testdata/tcp_sigpipe.tdir/tcp_sigpipe.conf b/testdata/tcp_sigpipe.tdir/tcp_sigpipe.conf
+index 384f16b..4f1ff9b 100644
+--- a/testdata/tcp_sigpipe.tdir/tcp_sigpipe.conf
++++ b/testdata/tcp_sigpipe.tdir/tcp_sigpipe.conf
+@@ -1,5 +1,5 @@
+ server:
+-	verbosity: 2
++	verbosity: 4
+ 	# num-threads: 1
+ 	interface: 127.0.0.1
+ 	port: @PORT@
+@@ -9,6 +9,7 @@ server:
+ 	chroot: ""
+ 	username: ""
+ 	do-not-query-localhost: no
++	discard-timeout: 3000  # testns uses sleep=2
+ 
+ forward-zone:
+ 	name: "."
+diff --git a/util/config_file.c b/util/config_file.c
+index 9302705..91fdce7 100644
+--- a/util/config_file.c
++++ b/util/config_file.c
+@@ -307,6 +307,11 @@ config_create(void)
+ 	cfg->minimal_responses = 1;
+ 	cfg->rrset_roundrobin = 1;
+ 	cfg->unknown_server_time_limit = 376;
++	cfg->discard_timeout = 1900; /* msec */
++	cfg->wait_limit = 1000;
++	cfg->wait_limit_cookie = 10000;
++	cfg->wait_limit_netblock = NULL;
++	cfg->wait_limit_cookie_netblock = NULL;
+ 	cfg->max_udp_size = 1232; /* value taken from edns_buffer_size */
+ 	if(!(cfg->server_key_file = strdup(RUN_DIR"/unbound_server.key")))
+ 		goto error_exit;
+@@ -720,6 +725,9 @@ int config_set_option(struct config_file* cfg, const char* opt,
+ 	else S_YNO("minimal-responses:", minimal_responses)
+ 	else S_YNO("rrset-roundrobin:", rrset_roundrobin)
+ 	else S_NUMBER_OR_ZERO("unknown-server-time-limit:", unknown_server_time_limit)
++	else S_NUMBER_OR_ZERO("discard-timeout:", discard_timeout)
++	else S_NUMBER_OR_ZERO("wait-limit:", wait_limit)
++	else S_NUMBER_OR_ZERO("wait-limit-cookie:", wait_limit_cookie)
+ 	else S_STRLIST("local-data:", local_data)
+ 	else S_YNO("unblock-lan-zones:", unblock_lan_zones)
+ 	else S_YNO("insecure-lan-zones:", insecure_lan_zones)
+@@ -1198,6 +1206,11 @@ config_get_option(struct config_file* cfg, const char* opt,
+ 	else O_YNO(opt, "minimal-responses", minimal_responses)
+ 	else O_YNO(opt, "rrset-roundrobin", rrset_roundrobin)
+ 	else O_DEC(opt, "unknown-server-time-limit", unknown_server_time_limit)
++	else O_DEC(opt, "discard-timeout", discard_timeout)
++	else O_DEC(opt, "wait-limit", wait_limit)
++	else O_DEC(opt, "wait-limit-cookie", wait_limit_cookie)
++	else O_LS2(opt, "wait-limit-netblock", wait_limit_netblock)
++	else O_LS2(opt, "wait-limit-cookie-netblock", wait_limit_cookie_netblock)
+ #ifdef CLIENT_SUBNET
+ 	else O_LST(opt, "send-client-subnet", client_subnet)
+ 	else O_LST(opt, "client-subnet-zone", client_subnet_zone)
+@@ -1668,6 +1681,8 @@ config_delete(struct config_file* cfg)
+ 	config_deltrplstrlist(cfg->interface_tag_actions);
+ 	config_deltrplstrlist(cfg->interface_tag_datas);
+ 	config_delstrlist(cfg->control_ifs.first);
++	config_deldblstrlist(cfg->wait_limit_netblock);
++	config_deldblstrlist(cfg->wait_limit_cookie_netblock);
+ 	free(cfg->server_key_file);
+ 	free(cfg->server_cert_file);
+ 	free(cfg->control_key_file);
+diff --git a/util/config_file.h b/util/config_file.h
+index ad22b83..187f02e 100644
+--- a/util/config_file.h
++++ b/util/config_file.h
+@@ -533,6 +533,21 @@ struct config_file {
+ 	/* wait time for unknown server in msec */
+ 	int unknown_server_time_limit;
+ 
++	/** Wait time to drop recursion replies */
++	int discard_timeout;
++
++	/** Wait limit for number of replies per IP address */
++	int wait_limit;
++
++	/** Wait limit for number of replies per IP address with cookie */
++	int wait_limit_cookie;
++
++	/** wait limit per netblock */
++	struct config_str2list* wait_limit_netblock;
++
++	/** wait limit with cookie per netblock */
++	struct config_str2list* wait_limit_cookie_netblock;
++
+ 	/* maximum UDP response size */
+ 	size_t max_udp_size;
+ 
+diff --git a/util/configlexer.lex b/util/configlexer.lex
+index fdc2674..78d1acb 100644
+--- a/util/configlexer.lex
++++ b/util/configlexer.lex
+@@ -462,6 +462,11 @@ domain-insecure{COLON}		{ YDVAR(1, VAR_DOMAIN_INSECURE) }
+ minimal-responses{COLON}	{ YDVAR(1, VAR_MINIMAL_RESPONSES) }
+ rrset-roundrobin{COLON}		{ YDVAR(1, VAR_RRSET_ROUNDROBIN) }
+ unknown-server-time-limit{COLON} { YDVAR(1, VAR_UNKNOWN_SERVER_TIME_LIMIT) }
++discard-timeout{COLON}		{ YDVAR(1, VAR_DISCARD_TIMEOUT) }
++wait-limit{COLON}		{ YDVAR(1, VAR_WAIT_LIMIT) }
++wait-limit-cookie{COLON}	{ YDVAR(1, VAR_WAIT_LIMIT_COOKIE) }
++wait-limit-netblock{COLON}	{ YDVAR(1, VAR_WAIT_LIMIT_NETBLOCK) }
++wait-limit-cookie-netblock{COLON} { YDVAR(1, VAR_WAIT_LIMIT_COOKIE_NETBLOCK) }
+ max-udp-size{COLON}		{ YDVAR(1, VAR_MAX_UDP_SIZE) }
+ dns64-prefix{COLON}		{ YDVAR(1, VAR_DNS64_PREFIX) }
+ dns64-synthall{COLON}		{ YDVAR(1, VAR_DNS64_SYNTHALL) }
+diff --git a/util/configparser.y b/util/configparser.y
+index da5d660..044a87a 100644
+--- a/util/configparser.y
++++ b/util/configparser.y
+@@ -188,6 +188,8 @@ extern struct config_parser_state* cfg_parser;
+ %token VAR_ANSWER_COOKIE VAR_COOKIE_SECRET VAR_IP_RATELIMIT_COOKIE
+ %token VAR_FORWARD_NO_CACHE VAR_STUB_NO_CACHE VAR_LOG_SERVFAIL VAR_DENY_ANY
+ %token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY
++%token VAR_DISCARD_TIMEOUT VAR_WAIT_LIMIT VAR_WAIT_LIMIT_COOKIE
++%token VAR_WAIT_LIMIT_NETBLOCK VAR_WAIT_LIMIT_COOKIE_NETBLOCK
+ %token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES VAR_TLS_USE_SNI
+ %token VAR_IPSET VAR_IPSET_NAME_V4 VAR_IPSET_NAME_V6
+ %token VAR_TLS_SESSION_TICKET_KEYS VAR_RPZ VAR_TAGS VAR_RPZ_ACTION_OVERRIDE
+@@ -324,6 +326,8 @@ content_server: server_num_threads | server_verbosity | server_port |
+ 	server_fast_server_permil | server_fast_server_num  | server_tls_win_cert |
+ 	server_tcp_connection_limit | server_log_servfail | server_deny_any |
+ 	server_unknown_server_time_limit | server_log_tag_queryreply |
++	server_discard_timeout | server_wait_limit | server_wait_limit_cookie |
++	server_wait_limit_netblock | server_wait_limit_cookie_netblock |
+ 	server_stream_wait_size | server_tls_ciphers |
+ 	server_tls_ciphersuites | server_tls_session_ticket_keys |
+ 	server_answer_cookie | server_cookie_secret | server_ip_ratelimit_cookie |
+@@ -2355,6 +2359,57 @@ server_unknown_server_time_limit: VAR_UNKNOWN_SERVER_TIME_LIMIT STRING_ARG
+ 		free($2);
+ 	}
+ 	;
++server_discard_timeout: VAR_DISCARD_TIMEOUT STRING_ARG
++	{
++		OUTYY(("P(server_discard_timeout:%s)\n", $2));
++		cfg_parser->cfg->discard_timeout = atoi($2);
++		free($2);
++	}
++	;
++server_wait_limit: VAR_WAIT_LIMIT STRING_ARG
++	{
++		OUTYY(("P(server_wait_limit:%s)\n", $2));
++		cfg_parser->cfg->wait_limit = atoi($2);
++		free($2);
++	}
++	;
++server_wait_limit_cookie: VAR_WAIT_LIMIT_COOKIE STRING_ARG
++	{
++		OUTYY(("P(server_wait_limit_cookie:%s)\n", $2));
++		cfg_parser->cfg->wait_limit_cookie = atoi($2);
++		free($2);
++	}
++	;
++server_wait_limit_netblock: VAR_WAIT_LIMIT_NETBLOCK STRING_ARG STRING_ARG
++	{
++		OUTYY(("P(server_wait_limit_netblock:%s %s)\n", $2, $3));
++		if(atoi($3) == 0 && strcmp($3, "0") != 0) {
++			yyerror("number expected");
++			free($2);
++			free($3);
++		} else {
++			if(!cfg_str2list_insert(&cfg_parser->cfg->
++				wait_limit_netblock, $2, $3))
++				fatal_exit("out of memory adding "
++					"wait-limit-netblock");
++		}
++	}
++	;
++server_wait_limit_cookie_netblock: VAR_WAIT_LIMIT_COOKIE_NETBLOCK STRING_ARG STRING_ARG
++	{
++		OUTYY(("P(server_wait_limit_cookie_netblock:%s %s)\n", $2, $3));
++		if(atoi($3) == 0 && strcmp($3, "0") != 0) {
++			yyerror("number expected");
++			free($2);
++			free($3);
++		} else {
++			if(!cfg_str2list_insert(&cfg_parser->cfg->
++				wait_limit_cookie_netblock, $2, $3))
++				fatal_exit("out of memory adding "
++					"wait-limit-cookie-netblock");
++		}
++	}
++	;
+ server_max_udp_size: VAR_MAX_UDP_SIZE STRING_ARG
+ 	{
+ 		OUTYY(("P(server_max_udp_size:%s)\n", $2));
+-- 
+2.25.1
+
diff --git a/SPECS/unbound/unbound.spec b/SPECS/unbound/unbound.spec
index 04a848145e2..7dae1e2aeb4 100644
--- a/SPECS/unbound/unbound.spec
+++ b/SPECS/unbound/unbound.spec
@@ -1,7 +1,7 @@
 Summary:        unbound dns server
 Name:           unbound
 Version:        1.19.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -10,6 +10,7 @@ URL:            https://nlnetlabs.nl/projects/unbound/about/
 Source0:        https://github.com/NLnetLabs/%{name}/archive/release-%{version}.tar.gz#/%{name}-release-%{version}.tar.gz
 Source1:        %{name}.service
 Patch0:         CVE-2024-43168.patch
+Patch1:         CVE-2024-33655.patch
 BuildRequires:  expat-devel
 BuildRequires:  libevent-devel
 BuildRequires:  python3-devel
@@ -97,6 +98,9 @@ useradd -r -g unbound -d %{_sysconfdir}/unbound -s /sbin/nologin \
 %{_mandir}/*
 
 %changelog
+* Mon Aug 26 2024 Sumedh Sharma <sumsharma@microsoft.com> - 1.19.1-3
+- Add patch to resolve CVE-2024-33655
+
 * Thu Aug 15 2024 Aadhar Agarwal <aadagarwal@microsoft.com> - 1.19.1-2
 - Add patch to fix CVE-2024-43168
 
diff --git a/SPECS-EXTENDED/usermode/config-util b/SPECS/usermode/config-util
similarity index 100%
rename from SPECS-EXTENDED/usermode/config-util
rename to SPECS/usermode/config-util
diff --git a/SPECS-EXTENDED/usermode/usermode.signatures.json b/SPECS/usermode/usermode.signatures.json
similarity index 50%
rename from SPECS-EXTENDED/usermode/usermode.signatures.json
rename to SPECS/usermode/usermode.signatures.json
index a2c303fd6a1..06ab67972cb 100644
--- a/SPECS-EXTENDED/usermode/usermode.signatures.json
+++ b/SPECS/usermode/usermode.signatures.json
@@ -1,6 +1,6 @@
 {
  "Signatures": {
   "config-util": "bd3f4ee7828affcb3a6a61962ecf5e0ed22363609286ed10495f294beb0baaff",
-  "usermode-1.112.autotoolized.tar.xz": "4577ec7de31428282132254fef4edcf622a3739d3307914ce238bacc11a72d11"
+  "usermode-1.114.tar.xz": "e7f58712b12175965b3a21522052863a061f3f1a888df3ffbe713b434f80254f"
  }
 }
diff --git a/SPECS-EXTENDED/usermode/usermode.spec b/SPECS/usermode/usermode.spec
similarity index 97%
rename from SPECS-EXTENDED/usermode/usermode.spec
rename to SPECS/usermode/usermode.spec
index c6e193a2557..68be412a43c 100644
--- a/SPECS-EXTENDED/usermode/usermode.spec
+++ b/SPECS/usermode/usermode.spec
@@ -1,34 +1,38 @@
-Vendor:         Microsoft Corporation
-Distribution:   Azure Linux
+# Add `--without gtk' option (enable gtk by default):
+# No GTK 2 in RHEL 10
+%if 0%{?azl} || 0%{?rhel} > 9
+%bcond_with gtk
+%else
+%bcond_without gtk
+%endif
+
 Summary: Tools for certain user account management tasks
 Name: usermode
-Version: 1.112
-Release: 12%{?dist}
-License: GPLv2+
-URL: https://pagure.io/usermode/
-Source: https://releases.pagure.org/usermode/usermode-%{version}.autotoolized.tar.xz
-Source1: config-util
-# Backport of c5a0bfd174e4a88fcd49fe7a130b37b6779c1a18
-# - inclusion of <sys/sysmacros.h> from <sys/types.h> is now deprecated
-Patch0: sysmacros.patch
-# Backport of da01d6325a1a9eb8154abb6a4590c610e8db8ec4
-# - bad FSF address fix
-Patch1: fsfaddr.patch
-# Backport of 48c4085004caad1ec928fa103b7f3e3fe684c826
-# - <selinux/flask.h> and <selinux/av_permissions.h> are now deprecated
-Patch2: selinux_deprecated.patch
+Version:       1.114
+Release:       1%{?dist}
+Vendor:        Microsoft Corporation
+Distribution:  Azure Linux
+License:       GPL-2.0-or-later
+URL:           https://pagure.io/%{name}/
+Source:        https://releases.pagure.org/%{name}/%{name}-%{version}.tar.xz
+Source1:       config-util
 Requires: pam, passwd, util-linux
 # https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/IJFYI5Q2BYZKIGDFS2WLOBDUSEGWHIKV/
+BuildRequires: make
 BuildRequires: gcc
-BuildRequires: perl(File::Find)
-BuildRequires: desktop-file-utils, gettext, glib2-devel, gtk2-devel, intltool
-BuildRequires: libblkid-devel, libSM-devel, libselinux-devel, libuser-devel
-BuildRequires: pam-devel, perl-XML-Parser, startup-notification-devel
+BuildRequires: gettext, glib2-devel, intltool
+%if %{with gtk}
+BuildRequires: desktop-file-utils, gtk2-devel, startup-notification-devel, libSM-devel
+%endif
+BuildRequires: libblkid-devel, libselinux-devel, libuser-devel
+BuildRequires: pam-devel, perl-XML-Parser
 BuildRequires: util-linux
 
+%if %{with gtk}
 %package gtk
 Summary: Graphical tools for certain user account management tasks
 Requires: %{name} = %{version}-%{release}
+%endif
 
 %global _hardened_build 1
 
@@ -37,6 +41,7 @@ The usermode package contains the userhelper program, which can be
 used to allow configured programs to be run with superuser privileges
 by ordinary users.
 
+%if %{with gtk}
 %description gtk
 The usermode-gtk package contains several graphical tools for users:
 userinfo, usermount and userpasswd.  Userinfo allows users to change
@@ -46,29 +51,30 @@ passwords.
 
 Install the usermode-gtk package if you would like to provide users with
 graphical tools for certain account management tasks.
+%endif
 
 %prep
 %setup -q
-%patch 0 -p1
-%patch 1 -p1
-%patch 2 -p1
 
 %build
-%configure --with-selinux
+%configure --with-selinux --without-fexecve %{!?with_gtk:--without-gtk}
 
-make %{?_smp_mflags}
+%make_build
 
 %install
-make install DESTDIR=$RPM_BUILD_ROOT INSTALL='install -p'
+%make_install
 
+%if %{with gtk}
 # make userformat symlink to usermount
 ln -sf usermount $RPM_BUILD_ROOT%{_bindir}/userformat
 ln -s usermount.1 $RPM_BUILD_ROOT%{_mandir}/man1/userformat.1
+%endif
 
 mkdir -p $RPM_BUILD_ROOT/etc/security/console.apps
 install -p -m 644 %{SOURCE1} \
 	$RPM_BUILD_ROOT/etc/security/console.apps/config-util
 
+%if %{with gtk}
 for i in redhat-userinfo.desktop redhat-userpasswd.desktop \
 	redhat-usermount.desktop; do
 	echo 'NotShowIn=GNOME;KDE;' >>$RPM_BUILD_ROOT%{_datadir}/applications/$i
@@ -76,6 +82,7 @@ for i in redhat-userinfo.desktop redhat-userpasswd.desktop \
 		--dir $RPM_BUILD_ROOT%{_datadir}/applications \
 		$RPM_BUILD_ROOT%{_datadir}/applications/$i
 done
+%endif
 
 %find_lang %{name}
 
@@ -88,6 +95,7 @@ done
 %{_mandir}/man8/consolehelper.8*
 %config(noreplace) /etc/security/console.apps/config-util
 
+%if %{with gtk}
 %files gtk
 %{_bindir}/usermount
 %{_mandir}/man1/usermount.1*
@@ -104,8 +112,12 @@ done
 %{_datadir}/%{name}
 %{_datadir}/pixmaps/*
 %{_datadir}/applications/*
+%endif
 
 %changelog
+* Wed Aug 28 2024 Reuben Olinsky <reubeno@microsoft.com> - 1.114-1
+- Upgraded to 1.114 and sync'd with Fedora spec.
+
 * Wed Feb 16 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.112-12
 - License verified.
 
diff --git a/SPECS/util-linux/util-linux.signatures.json b/SPECS/util-linux/util-linux.signatures.json
index 1c12f9b79ef..7126b9fd8bc 100644
--- a/SPECS/util-linux/util-linux.signatures.json
+++ b/SPECS/util-linux/util-linux.signatures.json
@@ -4,6 +4,6 @@
   "runuser-l": "406d5056ad272301d0523c35c0b4608dfd388db895656fa1a04e20d13fff9340",
   "su": "95d3c92017809b11a24f456cc5bc16bf2174380f97942d435314ef24fab75885",
   "su-l": "4d10241676e97e5e8d8935e5c8e8f6cb2f871afb881059715f155909be9ebd77",
-  "util-linux-2.39.2.tar.xz": "87abdfaa8e490f8be6dde976f7c80b9b5ff9f301e1b67e3899e1f05a59a1531f"
+  "util-linux-2.40.2.tar.xz": "d78b37a66f5922d70edf3bdfb01a6b33d34ed3c3cafd6628203b2a2b67c8e8b3"
  }
 }
diff --git a/SPECS/util-linux/util-linux.spec b/SPECS/util-linux/util-linux.spec
index 96059a415d3..349c9d6263a 100644
--- a/SPECS/util-linux/util-linux.spec
+++ b/SPECS/util-linux/util-linux.spec
@@ -1,7 +1,7 @@
 %define majminorver %(echo %{version} | cut -d. -f1-2)
 Summary:        Utilities for file systems, consoles, partitions, and messages
 Name:           util-linux
-Version:        2.39.2
+Version:        2.40.2
 Release:        1%{?dist}
 License:        GPLv2+
 Vendor:         Microsoft Corporation
@@ -77,6 +77,7 @@ autoreconf -fi
     --disable-silent-rules \
     --disable-static \
     --disable-use-tty-group \
+    --disable-liblastlog2 \
     --without-python \
     --with-selinux \
     --with-audit
@@ -151,6 +152,14 @@ rm -rf %{buildroot}/lib/systemd/system
 %{_mandir}/man3/*
 
 %changelog
+* Wed Sep 18 2024 Vince Perri <viperri@microsoft.com> - 2.40.2-1
+- Upgrade to 2.40.2:
+-   Added --disable-liblastlog2 to avoid building new liblastlog2 libraries
+-   Removed CVE-2024-28085 patch as it is fixed in 2.40.2
+
+* Mon Sep 09 2024 Harshit Gupta <guptaharshit@microsoft.com> - 2.39.2-2
+- Fix CVE-2024-28085 by adding patch
+
 * Tue Nov 28 2023 Andrew Phelps <anphel@microsoft.com> - 2.39.2-1
 - Upgrade to 2.39.2
 
diff --git a/SPECS/uuid/uuid.spec b/SPECS/uuid/uuid.spec
index 8c1018414e4..3e6662c8b6b 100644
--- a/SPECS/uuid/uuid.spec
+++ b/SPECS/uuid/uuid.spec
@@ -1,8 +1,8 @@
 Summary:        Universally Unique Identifier library
 Name:           uuid
 Version:        1.6.2
-Release:        50%{?dist}
-License:        MIT
+Release:        51%{?dist}
+License:        ISC
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL:            http://www.ossp.org/pkg/lib/uuid/
@@ -117,6 +117,7 @@ make check
 %postun -p /sbin/ldconfig
 
 %files
+%license README
 %doc AUTHORS ChangeLog HISTORY NEWS PORTING README SEEALSO THANKS TODO USERS
 %{_bindir}/uuid
 %{_libdir}/libossp-uuid.so.*
@@ -147,6 +148,9 @@ make check
 %{_libdir}/libossp-uuid_dce.so
 
 %changelog
+* Tue Sep 03 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.6.2-51
+- License verified.
+
 * Mon Nov 30 2020 Nicolas Ontiveros <niontive@microsoft.com> - 1.6.2-50
 - Initial CBL-Mariner import from Fedora 33 (license: MIT).
 - Replace ldconfig_scriptlets with post/postun ldconfig calls
diff --git a/SPECS/valkey/valkey-conf.patch b/SPECS/valkey/valkey-conf.patch
new file mode 100644
index 00000000000..f7f788485c9
--- /dev/null
+++ b/SPECS/valkey/valkey-conf.patch
@@ -0,0 +1,22 @@
+diff --git a/valkey.conf b/valkey.conf
+index 0f43f5c..f6738ad 100644
+--- a/valkey.conf
++++ b/valkey.conf
+@@ -351,7 +351,7 @@ loglevel notice
+ # Specify the log file name. Also the empty string can be used to force
+ # the server to log on the standard output. Note that if you use standard
+ # output for logging but daemonize, logs will be sent to /dev/null
+-logfile ""
++logfile "/var/log/valkey/valkey.log"
+ 
+ # To enable logging to the system logger, just set 'syslog-enabled' to yes,
+ # and optionally update the other syslog parameters to suit your needs.
+@@ -526,7 +526,7 @@ rdb-del-sync-files no
+ # 'cluster-config-file' configuration directive is a relative path.
+ #
+ # Note that you must specify a directory here, not a file name.
+-dir ./
++dir /var/lib/valkey
+ 
+ ################################# REPLICATION #################################
+ 
\ No newline at end of file
diff --git a/SPECS/valkey/valkey.signatures.json b/SPECS/valkey/valkey.signatures.json
new file mode 100644
index 00000000000..42ec1c12a47
--- /dev/null
+++ b/SPECS/valkey/valkey.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+  "valkey-8.0.0.tar.gz": "f87fef2ba81ae4bce891b874fba58cfde2d19370a3bcac20f0e17498b33c33c0"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/valkey/valkey.spec b/SPECS/valkey/valkey.spec
new file mode 100644
index 00000000000..5ebe3431a1d
--- /dev/null
+++ b/SPECS/valkey/valkey.spec
@@ -0,0 +1,88 @@
+Summary:        advanced key-value store
+Name:           valkey
+Version:        8.0.0
+Release:        1%{?dist}
+License:        BSD
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+Group:          Applications/Databases
+URL:            https://valkey.io/
+Source0:        https://github.com/valkey-io/valkey/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch0:         valkey-conf.patch
+BuildRequires:  gcc
+BuildRequires:  make
+BuildRequires:  openssl-devel
+BuildRequires:  systemd
+BuildRequires:  tcl
+BuildRequires:  tcl-devel
+BuildRequires:  which
+Requires:       systemd
+Requires(pre):  %{_sbindir}/groupadd
+Requires(pre):  %{_sbindir}/useradd
+
+%description
+A flexible distributed key-value datastore that supports both caching and beyond caching workloads.
+
+%prep
+%autosetup -p1
+
+%build
+make BUILD_TLS=yes %{?_smp_mflags}
+
+%install
+install -vdm 755 %{buildroot}
+make PREFIX=%{buildroot}%{_prefix} install
+install -D -m 0640 %{name}.conf %{buildroot}%{_sysconfdir}/%{name}.conf
+mkdir -p %{buildroot}%{_sharedstatedir}/valkey
+mkdir -p %{buildroot}%{_var}/log
+mkdir -p %{buildroot}%{_var}/opt/%{name}/log
+ln -sfv %{_var}/opt/%{name}/log %{buildroot}%{_var}/log/%{name}
+mkdir -p %{buildroot}/usr/lib/systemd/system
+cat << EOF >>  %{buildroot}/usr/lib/systemd/system/valkey.service
+[Unit]
+Description=Valkey in-memory key-value datastore
+After=network.target
+
+[Service]
+ExecStart=%{_bindir}/valkey-server %{_sysconfdir}/valkey.conf --daemonize no
+ExecStop=%{_bindir}/valkey-cli shutdown
+User=valkey
+Group=valkey
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+%check
+make check
+
+%pre
+getent group %{name} &> /dev/null || \
+groupadd -r %{name} &> /dev/null
+getent passwd %{name} &> /dev/null || \
+useradd -r -g %{name} -d %{_sharedstatedir}/valkey -s /sbin/nologin \
+-c 'Valkey Datastore Server' %{name} &> /dev/null
+exit 0
+
+%post
+/sbin/ldconfig
+%systemd_post  valkey.service
+
+%postun
+/sbin/ldconfig
+%systemd_postun_with_restart valkey.service
+
+%files
+%defattr(-,root,root)
+%license COPYING
+%dir %attr(0750, valkey, valkey) %{_sharedstatedir}/valkey
+%dir %attr(0750, valkey, valkey) %{_var}/opt/%{name}/log
+%attr(0750, valkey, valkey) %{_var}/log/%{name}
+%{_bindir}/*
+%{_libdir}/systemd/*
+%config(noreplace) %attr(0640, %{name}, %{name}) %{_sysconfdir}/valkey.conf
+
+%changelog
+* Mon Sep 30 2024 Rohit Rawat <rohitrawat@microsoft.com> - 8.0.0-1
+- Original version for CBL-Mariner.
+- License Verified.
diff --git a/SPECS/vte291/vte291.spec b/SPECS/vte291/vte291.spec
index d30c0bf16e1..ecac51b3b81 100644
--- a/SPECS/vte291/vte291.spec
+++ b/SPECS/vte291/vte291.spec
@@ -18,13 +18,15 @@
 
 Name:           vte291
 Version:        0.74.2
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        GTK+ 3 terminal emulator library
 
 # libvte-2.91.so is generated from LGPLv2+ and MIT sources
 License:        GPL-3.0-or-later AND LGPL-3.0-or-later AND MIT AND X11 AND CC-BY-4.0
 
 URL:            https://wiki.gnome.org/Apps/Terminal/VTE
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
 Source0:        https://download.gnome.org/sources/vte/%{majorver}/vte-%{version}.tar.xz
 # https://bugzilla.gnome.org/show_bug.cgi?id=711059
 # https://bugzilla.redhat.com/show_bug.cgi?id=1103380
@@ -194,6 +196,9 @@ sed -i -e "/^vte_systemduserunitdir =/s|vte_prefix|'/usr'|" meson.build
 %{_sysconfdir}/profile.d/vte.sh
 
 %changelog
+* Tue Sep 03 2024 Neha Agarwal <nehaagarwal@microsoft.com> - 0.74.2-7
+- Add missing Vendor and Distribution tags.
+
 * Thu Aug 28 2024 Dallas Delaney <dadelan@microsoft.com> - 0.74.2-6
 - Patch CVE-2024-37535
 
diff --git a/SPECS/wget/0002-normalize-path-in-url.patch b/SPECS/wget/0002-normalize-path-in-url.patch
new file mode 100644
index 00000000000..9fce4b7a212
--- /dev/null
+++ b/SPECS/wget/0002-normalize-path-in-url.patch
@@ -0,0 +1,48 @@
+From 9aeab55d09f9df833bca4467b0a209cea2901ede Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Thu, 28 Mar 2024 18:12:19 +0100
+Subject: [PATCH] Fix --no-parent for denormalized paths
+
+* libwget/iri.c (wget_iri_parse): Normalize path part of URL.
+* unit-tests/test.c (test_iri_parse): Add test with denormalized path.
+---
+ libwget/iri.c     | 3 +++
+ unit-tests/test.c | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/libwget/iri.c b/libwget/iri.c
+index 8241ea971..13bd5259b 100644
+--- a/libwget/iri.c
++++ b/libwget/iri.c
+@@ -82,6 +82,8 @@ static struct iri_scheme {
+ 	[WGET_IRI_SCHEME_HTTPS] = { 443, "https" },
+ };
+ 
++static size_t WGET_GCC_NONNULL_ALL normalize_path(char *path);
++
+ /**
+  * \param[in] scheme Scheme to get name for
+  * \return Name of \p scheme (e.g. "http" or "https") or NULL is not supported
+@@ -561,6 +563,7 @@ wget_iri *wget_iri_parse(const char *url, const char *encoding)
+ 		c = *s;
+ 		if (c) *s++ = 0;
+ 		wget_iri_unescape_inline((char *)iri->path);
++		normalize_path((char *)iri->path);
+ 	}
+ 
+ 	if (c == '?') {
+diff --git a/unit-tests/test.c b/unit-tests/test.c
+index da8cc728b..80ddeced5 100644
+--- a/unit-tests/test.c
++++ b/unit-tests/test.c
+@@ -584,6 +584,7 @@ static void test_iri_parse(void)
+ 		{ "http://example+.com/pa+th?qu+ery#fr+ag", NULL, WGET_IRI_SCHEME_HTTP, NULL, NULL, "example+.com", 80, "pa+th", "qu ery", "fr+ag"},
+ 		{ "http://example.com#frag?x", NULL, WGET_IRI_SCHEME_HTTP, NULL, NULL, "example.com", 80, NULL, NULL, "frag?x"},
+ 		{ "http://user:pw@example.com", NULL, WGET_IRI_SCHEME_HTTP, "user", "pw", "example.com", 80, NULL, NULL, NULL},
++		{ "http://example.com//path//file", NULL, WGET_IRI_SCHEME_HTTP, NULL, NULL, "example.com", 80, "path/file", NULL, NULL},
+ 	};
+ 	unsigned it;
+ 
+-- 
+GitLab
+
diff --git a/SPECS/wget/0003-Allow-option-no-tcp-fastopen-to-work-on-Linux-kernel.patch b/SPECS/wget/0003-Allow-option-no-tcp-fastopen-to-work-on-Linux-kernel.patch
new file mode 100644
index 00000000000..9dd1dc04adc
--- /dev/null
+++ b/SPECS/wget/0003-Allow-option-no-tcp-fastopen-to-work-on-Linux-kernel.patch
@@ -0,0 +1,35 @@
+From 7929bf887c69ffdcbdfb525825bffba4c9e5d6e8 Mon Sep 17 00:00:00 2001
+From: Romain Geissler <romain.geissler@amadeus.com>
+Date: Fri, 10 May 2024 16:24:57 +0000
+Subject: [PATCH] Allow option --no-tcp-fastopen to work on Linux kernels >=
+ 4.11.
+
+* libwget/net.c (set_socket_options): Add check for tcp->tcp_fastopen.
+
+Copyright-paperwork-exempt: Yes
+---
+ libwget/net.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/libwget/net.c b/libwget/net.c
+index 8fc6d143..836649c0 100644
+--- a/libwget/net.c
++++ b/libwget/net.c
+@@ -640,9 +640,11 @@ static void set_socket_options(const wget_tcp *tcp, int fd)
+ #endif
+ 
+ #ifdef TCP_FASTOPEN_LINUX_411
+-	on = 1;
+-	if (setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT, (void *)&on, sizeof(on)) == -1)
+-		debug_printf("Failed to set socket option TCP_FASTOPEN_CONNECT\n");
++	if (tcp->tcp_fastopen) {
++		on = 1;
++		if (setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN_CONNECT, (void *)&on, sizeof(on)) == -1)
++			debug_printf("Failed to set socket option TCP_FASTOPEN_CONNECT\n");
++	}
+ #endif
+ }
+ 
+-- 
+2.43.0
+
diff --git a/SPECS/wget/0004-Disable-OCSP-by-default.patch b/SPECS/wget/0004-Disable-OCSP-by-default.patch
new file mode 100644
index 00000000000..edf193185f9
--- /dev/null
+++ b/SPECS/wget/0004-Disable-OCSP-by-default.patch
@@ -0,0 +1,627 @@
+Backport of all the OCSP-related commits related to issue https://gitlab.com/gnuwget/wget2/-/issues/664:
+ - 53a8a88e8479fca04fb17f923b0f40781ee6a253
+ - a96f88a054a0dbb31eb23d7f39b0922447177ab3
+ - 715e646642e169a0a4510bdf51a5b4fc512f94d6
+ - 35986bd093676df0b2acd6110620534d41d0ec4d
+ - 0895f9230859207385393a148d6b0a6ec24521b9
+ - c341fcd1dfd57b3cf5a1f5acb84784571fff3a20
+ - c556a3226aca0e99191b52218117b7967889a9bf
+ - 543e1f270821cc7ea562444bfd79ae4d66d5b964
+ - f4e7c46073850af7b5c3d58b9452bdd2124b593c
+ - de294c8ddf27b11e8abc7954856d590d7ce2d4f3
+
+
+commit 53a8a88e8479fca04fb17f923b0f40781ee6a253
+Author: Tim Rühsen <tim.ruehsen@gmx.de>
+Date:   Sun May 12 15:14:31 2024 +0200
+
+    Fix OCSP verification of first intermediate certificate.
+    
+    * libwget/ssl_gnutls.c (verify_certificate_callback): Fix off-by-one check.
+    
+    See https://gitlab.com/gnuwget/wget2/-/issues/664#note_1901610438
+
+diff --git a/libwget/ssl_gnutls.c b/libwget/ssl_gnutls.c
+index 35f20279..5524c02c 100644
+--- a/libwget/ssl_gnutls.c
++++ b/libwget/ssl_gnutls.c
+@@ -1153,7 +1153,7 @@ static int verify_certificate_callback(gnutls_session_t session)
+ 		cert_verify_hpkp(cert, hostname, session);
+ 
+ #ifdef WITH_OCSP
+-		if (config.ocsp && it > nvalid) {
++		if (config.ocsp && it >= nvalid) {
+ 			char fingerprint[64 * 2 +1];
+ 			int revoked;
+ 
+commit a96f88a054a0dbb31eb23d7f39b0922447177ab3
+Author: Tim Rühsen <tim.ruehsen@gmx.de>
+Date:   Sun May 12 19:51:03 2024 +0200
+
+    -* libwget/ssl_gnutls.c (cert_verify_ocsp): Fix segfault when OCSP response is missing
+
+diff --git a/libwget/ssl_gnutls.c b/libwget/ssl_gnutls.c
+index 5524c02c..1058e50f 100644
+--- a/libwget/ssl_gnutls.c
++++ b/libwget/ssl_gnutls.c
+@@ -860,6 +860,11 @@ static int cert_verify_ocsp(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer)
+ 		return -1;
+ 	}
+ 
++	if (!resp) {
++		debug_printf("Missing response from OCSP server\n");
++		return -1;
++	}
++
+ 	/* verify and check the response for revoked cert */
+ 	ret = check_ocsp_response(cert, issuer, resp, &nonce);
+ 	wget_buffer_free(&resp);
+commit 715e646642e169a0a4510bdf51a5b4fc512f94d6
+Author: Tim Rühsen <tim.ruehsen@gmx.de>
+Date:   Sun May 12 19:51:44 2024 +0200
+
+    Fix tests/test-ocsp-server
+    
+    * tests/libtest.c: Handle > 1 OCSP responses.
+    * tests/libtest.h: Rename WGET_TEST_OCSP_RESP_FILE to WGET_TEST_OCSP_RESP_FILES.
+    * tests/test-ocsp-server.c: Make use of WGET_TEST_OCSP_RESP_FILES.
+
+diff --git a/tests/libtest.c b/tests/libtest.c
+index 533f5d47..e3850bc0 100644
+--- a/tests/libtest.c
++++ b/tests/libtest.c
+@@ -90,9 +90,11 @@ static int
+ 	keep_tmpfiles,
+ 	clean_directory,
+ 	reject_http_connection,
+-	reject_https_connection;
++	reject_https_connection,
++	ocsp_response_pos;
+ static wget_vector
+-	*request_urls;
++	*request_urls,
++	*ocsp_responses;
+ static wget_test_url_t
+ 	*urls;
+ static size_t
+@@ -121,12 +123,12 @@ static struct MHD_Daemon
+ static gnutls_pcert_st *pcrt;
+ static gnutls_privkey_t *privkey;
+ 
+-static struct ocsp_resp_t {
++typedef struct {
+ 	char
+ 		*data;
+ 	size_t
+ 		size;
+-} *ocsp_resp;
++} ocsp_resp_t;
+ #endif
+ 
+ #ifdef WITH_GNUTLS_OCSP
+@@ -311,14 +313,14 @@ static enum MHD_Result _ocsp_ahc(
+ 	} else if (!first && upload_data == NULL) {
+ 		int ret = 0;
+ 
+-		if (ocsp_resp->data) {
++		ocsp_resp_t *ocsp_resp = wget_vector_get(ocsp_responses, ocsp_response_pos++);
++
++		if (ocsp_resp) {
+ 			struct MHD_Response *response = MHD_create_response_from_buffer (ocsp_resp->size, ocsp_resp->data, MHD_RESPMEM_MUST_COPY);
+ 
+ 			ret = MHD_queue_response (connection, MHD_HTTP_OK, response);
+ 
+ 			MHD_destroy_response (response);
+-
+-			wget_xfree(ocsp_resp->data);
+ 		}
+ 
+ 		return ret;
+@@ -715,11 +717,6 @@ static void _http_server_stop(void)
+ 
+ #ifdef WITH_GNUTLS_OCSP
+ 	gnutls_global_deinit();
+-
+-	if(ocsp_resp)
+-		wget_free(ocsp_resp->data);
+-
+-	wget_xfree(ocsp_resp);
+ #endif
+ }
+ 
+@@ -892,8 +889,6 @@ static int _http_server_start(int SERVER_MODE)
+ #endif
+ 			MHD_OPTION_CONNECTION_MEMORY_LIMIT, (size_t) 1*1024*1024,
+ 			MHD_OPTION_END);
+-
+-		ocsp_resp = wget_malloc(sizeof(struct ocsp_resp_t));
+ #endif
+ 
+ 		if (!ocspdaemon)
+@@ -1121,6 +1116,7 @@ void wget_test_stop_server(void)
+ {
+ //	wget_vector_free(&response_headers);
+ 	wget_vector_free(&request_urls);
++	wget_vector_free(&ocsp_responses);
+ 
+ 	for (wget_test_url_t *url = urls; url < urls + nurls; url++) {
+ 		if (url->body_original) {
+@@ -1535,9 +1531,6 @@ void wget_test(int first_key, ...)
+ 		const char
+ 			*request_url,
+ 			*options = "",
+-#ifdef WITH_GNUTLS_OCSP
+-			*ocsp_resp_file = NULL,
+-#endif
+ 			*executable = global_executable;
+ 		const wget_test_file_t
+ 			*expected_files = NULL,
+@@ -1581,6 +1574,10 @@ void wget_test(int first_key, ...)
+ 			wget_vector_set_destructor(request_urls, NULL);
+ 		}
+ 
++		if (!ocsp_responses) {
++			ocsp_responses = wget_vector_create(2, NULL);
++		}
++
+ 		va_start (args, first_key);
+ 		for (key = first_key; key; key = va_arg(args, int)) {
+ 			switch (key) {
+@@ -1633,9 +1630,24 @@ void wget_test(int first_key, ...)
+ #endif
+ 				}
+ 				break;
+-			case WGET_TEST_OCSP_RESP_FILE:
++			case WGET_TEST_OCSP_RESP_FILES:
+ #ifdef WITH_GNUTLS_OCSP
+-				ocsp_resp_file = va_arg(args, const char *);
++			{
++				const char *ocsp_resp_file = NULL;
++				while ((ocsp_resp_file = va_arg(args, const char *))) {
++					if (ocspdaemon) {
++						ocsp_resp_t ocsp_resp = { .data = wget_strdup(""), .size = 0 };
++						if (*ocsp_resp_file) {
++							ocsp_resp.data = wget_read_file(ocsp_resp_file, &ocsp_resp.size);
++							if (ocsp_resp.data == NULL) {
++								wget_error_printf_exit("Couldn't read the response from '%s'.\n", ocsp_resp_file);
++							}
++						}
++						wget_vector_add_memdup(ocsp_responses, &ocsp_resp, sizeof(ocsp_resp));
++					}
++				}
++				ocsp_response_pos = 0;
++			}
+ #endif
+ 				break;
+ 			default:
+@@ -1650,19 +1662,6 @@ void wget_test(int first_key, ...)
+ 			_empty_directory(cmd->data);
+ 		}
+ 
+-#ifdef WITH_GNUTLS_OCSP
+-		if (ocspdaemon) {
+-			if (ocsp_resp_file) {
+-				ocsp_resp->data = wget_read_file(ocsp_resp_file, &(ocsp_resp->size));
+-				if (ocsp_resp->data == NULL) {
+-					wget_error_printf_exit("Couldn't read the response.\n");
+-				}
+-			} else {
+-				wget_error_printf_exit("Need value for option WGET_TEST_OCSP_RESP_FILE.\n");
+-			}
+-		}
+-#endif
+-
+ 		// create files
+ 		if (existing_files) {
+ 			for (it = 0; existing_files[it].name; it++) {
+@@ -1835,6 +1834,11 @@ void wget_test(int first_key, ...)
+ 			wget_free(post_handshake_auth);
+ #endif
+ 
++		for (int i = 0; i < wget_vector_size(ocsp_responses); i++) {
++			ocsp_resp_t *r = wget_vector_get(ocsp_responses, it);
++			wget_xfree(r->data);
++		}
++		wget_vector_clear(ocsp_responses);
+ 		wget_vector_clear(request_urls);
+ 		wget_buffer_free(&cmd);
+ 
+diff --git a/tests/libtest.h b/tests/libtest.h
+index 7aa72088..dfccbe0b 100644
+--- a/tests/libtest.h
++++ b/tests/libtest.h
+@@ -76,7 +76,7 @@ extern "C" {
+ #define WGET_TEST_POST_HANDSHAKE_AUTH 3002
+ 
+ // for OCSP testing
+-#define WGET_TEST_OCSP_RESP_FILE 3003
++#define WGET_TEST_OCSP_RESP_FILES 3003
+ 
+ typedef enum {
+ 	INTERRUPT_RESPONSE_DISABLED = 0,
+diff --git a/tests/test-ocsp-server.c b/tests/test-ocsp-server.c
+index 8b844e18..ebe443a5 100644
+--- a/tests/test-ocsp-server.c
++++ b/tests/test-ocsp-server.c
+@@ -46,7 +46,7 @@ int main(void)
+ 		WGET_TEST_OPTIONS, "--ca-certificate=" SRCDIR "/certs/ocsp/x509-root-cert.pem --no-ocsp-file --no-ocsp-date --no-ocsp-nonce --ocsp --ocsp-server http://localhost:{{ocspport}}",
+ 		WGET_TEST_REQUEST_URL, "https://localhost:{{sslport}}/index.html",
+ 		WGET_TEST_EXPECTED_ERROR_CODE, 0,
+-		WGET_TEST_OCSP_RESP_FILE, SRCDIR "/certs/ocsp/ocsp_resp_ok.der",
++		WGET_TEST_OCSP_RESP_FILES, "", SRCDIR "/certs/ocsp/ocsp_resp_ok.der", NULL,
+ 		WGET_TEST_EXPECTED_FILES, &(wget_test_file_t []) {
+ 			{urls[0].name + 1, urls[0].body},
+ 			{	NULL} },
+@@ -58,7 +58,7 @@ int main(void)
+ 		WGET_TEST_OPTIONS, "--ca-certificate=" SRCDIR "/certs/ocsp/x509-root-cert.pem --no-ocsp-file --no-ocsp-date --no-ocsp-nonce --ocsp --ocsp-server http://localhost:{{ocspport}}",
+ 		WGET_TEST_REQUEST_URL, "https://localhost:{{sslport}}/index.html",
+ 		WGET_TEST_EXPECTED_ERROR_CODE, 5,
+-		WGET_TEST_OCSP_RESP_FILE, SRCDIR "/certs/ocsp/ocsp_resp_revoked.der",
++		WGET_TEST_OCSP_RESP_FILES, "", SRCDIR "/certs/ocsp/ocsp_resp_revoked.der", NULL,
+ 		0);
+ #endif
+ 
+@@ -67,7 +67,7 @@ int main(void)
+ 		WGET_TEST_OPTIONS, "--ca-certificate=" SRCDIR "/certs/ocsp/x509-root-cert.pem --no-ocsp-file --no-ocsp-date --no-ocsp-nonce --ocsp --ocsp-server http://localhost:{{ocspport}} --no-check-certificate",
+ 		WGET_TEST_REQUEST_URL, "https://localhost:{{sslport}}/index.html",
+ 		WGET_TEST_EXPECTED_ERROR_CODE, 0,
+-		WGET_TEST_OCSP_RESP_FILE, SRCDIR "/certs/ocsp/ocsp_resp_revoked.der",
++		WGET_TEST_OCSP_RESP_FILES, "", SRCDIR "/certs/ocsp/ocsp_resp_revoked.der", NULL,
+ 		WGET_TEST_EXPECTED_FILES, &(wget_test_file_t []) {
+ 			{urls[0].name + 1, urls[0].body},
+ 			{	NULL} },
+@@ -79,7 +79,7 @@ int main(void)
+ 		WGET_TEST_OPTIONS, "--ca-certificate=" SRCDIR "/certs/ocsp/x509-root-cert.pem --no-ocsp-file --no-ocsp-date --no-ocsp-nonce --ocsp",
+ 		WGET_TEST_REQUEST_URL, "https://localhost:{{sslport}}/index.html",
+ 		WGET_TEST_EXPECTED_ERROR_CODE, 0,
+-		WGET_TEST_OCSP_RESP_FILE, SRCDIR "/certs/ocsp/ocsp_resp_ok.der",
++		WGET_TEST_OCSP_RESP_FILES, "", SRCDIR "/certs/ocsp/ocsp_resp_ok.der", NULL,
+ 		WGET_TEST_EXPECTED_FILES, &(wget_test_file_t []) {
+ 			{urls[0].name + 1, urls[0].body},
+ 			{	NULL} },
+commit 35986bd093676df0b2acd6110620534d41d0ec4d
+Author: Tim Rühsen <tim.ruehsen@gmx.de>
+Date:   Sat May 18 14:35:45 2024 +0200
+
+    Disable explicit OCSP requests by default
+    
+    * docs/wget2.md: Document --ocsp default value as 'off'.
+    * src/options.c (struct config): Disable .ocsp by default.
+    
+    OCSP validation of the server certificate implies privacy issues:
+      - The OCSP request tells the CA which web service the client tries to reach.
+      - The OCSP requests are sent via unencrypted HTTP, so every "listener in the
+        middle" can see which web service the client tries to connect.
+    Additionally, the OCSP requests slow down operation and may cause unexpected
+    network traffic, which may trigger security alarms unnecessarily.
+    
+    Due to these issues we explicitly disable OCSP by default.
+
+diff --git a/docs/wget2.md b/docs/wget2.md
+index 6e408592..61da3ccb 100644
+--- a/docs/wget2.md
++++ b/docs/wget2.md
+@@ -1569,7 +1569,7 @@ Go to background immediately after startup. If no output file is specified via t
+ 
+ ### `--ocsp`
+ 
+-  Enable OCSP server access to check the possible revocation the HTTPS server certificate(s) (default: on).
++  Enable OCSP server access to check the possible revocation the HTTPS server certificate(s) (default: off).
+ 
+   This procedure is pretty slow (connect to server, HTTP request, response) and thus we support
+   OSCP stapling (server sends OCSP response within TLS handshake) and persistent OCSP caching.
+diff --git a/src/options.c b/src/options.c
+index 54e8cabb..7684b795 100644
+--- a/src/options.c
++++ b/src/options.c
+@@ -1302,7 +1302,16 @@ struct config config = {
+ 	.http2 = 1,
+ 	.http2_request_window = 30,
+ #endif
+-	.ocsp = 1,
++	// OCSP validation of the server certificate implies privacy issues:
++	//   - The OCSP request tells the CA which web service the client tries to reach.
++	//   - The OCSP requests are sent via unencrypted HTTP, so every "listener in the middle" can see which web service
++	//     the client tries to connect.
++	// Additionally, the OCSP requests slow down operation and may cause unexpected network traffic, which may trigger
++	// security alarms unnecessarily.
++	// Due to these issues we explicitly disable OCSP by default.
++	//
++	// The upside of enabling OCSP mostly is a "real-time" recognition of certificate revocations.
++	.ocsp = 0,
+ 	.ocsp_date = 1,
+ 	.ocsp_stapling = 1,
+ 	.ocsp_nonce = 1,
+commit 0895f9230859207385393a148d6b0a6ec24521b9
+Author: Tim Rühsen <tim.ruehsen@gmx.de>
+Date:   Sat May 18 14:46:07 2024 +0200
+
+    * libwget/ssl_gnutls.c: Improve messages for OCSP stapling
+
+diff --git a/libwget/ssl_gnutls.c b/libwget/ssl_gnutls.c
+index 1058e50f..f12b5e74 100644
+--- a/libwget/ssl_gnutls.c
++++ b/libwget/ssl_gnutls.c
+@@ -1136,7 +1136,7 @@ static int verify_certificate_callback(gnutls_session_t session)
+ 			}
+ #endif
+ 			else if (!config.ocsp)
+-				error_printf_check(_("WARNING: The certificate's (stapled) OCSP status has not been sent\n"));
++				error_printf_check(_("WARNING: OCSP stapling is not supported by '%s'\n"), hostname);
+ #endif
+ 		} else if (ctx->valid)
+ 			debug_printf("OCSP: Host '%s' is valid (from cache)\n", hostname);
+@@ -1728,13 +1728,14 @@ int wget_ssl_open(wget_tcp *tcp)
+ 	// If we know the cert chain for the hostname being valid at the moment,
+ 	// we don't ask for OCSP stapling to avoid unneeded IP traffic.
+ 	// In the unlikely case that the server's certificate chain changed right now,
+-	// we fallback to OCSP responder request later.
++	// we fallback to OCSP responder request later (if enabled).
+ 	if (hostname) {
+ 		if (!(ctx->valid = wget_ocsp_hostname_is_valid(config.ocsp_host_cache, hostname))) {
+ #if GNUTLS_VERSION_NUMBER >= 0x030103
+-			if ((rc = gnutls_ocsp_status_request_enable_client(session, NULL, 0, NULL)) == GNUTLS_E_SUCCESS)
++			if ((rc = gnutls_ocsp_status_request_enable_client(session, NULL, 0, NULL)) == GNUTLS_E_SUCCESS) {
++				debug_printf("OCSP stapling requested for %s\n", hostname);
+ 				ctx->ocsp_stapling = 1;
+-			else
++			} else
+ 				error_printf("GnuTLS: %s\n", gnutls_strerror(rc)); // no translation
+ #endif
+ 		}
+commit c341fcd1dfd57b3cf5a1f5acb84784571fff3a20
+Author: Tim Rühsen <tim.ruehsen@gmx.de>
+Date:   Sun May 19 12:41:55 2024 +0200
+
+    Disable explicit OCSP requests by default for TLS library functions
+    
+    * libwget/ssl_openssl: Disable explicit OCSP requests by default.
+    * libwget/ssl_gnutls: Likewise.
+    * libwget/ssl_wolfssl.c: Likewise.
+
+diff --git a/libwget/ssl_gnutls.c b/libwget/ssl_gnutls.c
+index f12b5e74..7dbbde39 100644
+--- a/libwget/ssl_gnutls.c
++++ b/libwget/ssl_gnutls.c
+@@ -116,7 +116,7 @@ static struct config {
+ 	.report_invalid_cert = 1,
+ 	.check_hostname = 1,
+ #ifdef WITH_OCSP
+-	.ocsp = 1,
++	.ocsp = 0,
+ 	.ocsp_stapling = 1,
+ #endif
+ 	.ca_type = WGET_SSL_X509_FMT_PEM,
+diff --git a/libwget/ssl_openssl.c b/libwget/ssl_openssl.c
+index 94da0d3f..2332ec40 100644
+--- a/libwget/ssl_openssl.c
++++ b/libwget/ssl_openssl.c
+@@ -102,7 +102,7 @@ static struct config
+ 	.check_certificate = 1,
+ 	.check_hostname = 1,
+ #ifdef WITH_OCSP
+-	.ocsp = 1,
++	.ocsp = 0,
+ 	.ocsp_stapling = 1,
+ #endif
+ 	.ca_type = WGET_SSL_X509_FMT_PEM,
+diff --git a/libwget/ssl_wolfssl.c b/libwget/ssl_wolfssl.c
+index 47ed9ba9..967e984d 100644
+--- a/libwget/ssl_wolfssl.c
++++ b/libwget/ssl_wolfssl.c
+@@ -108,7 +108,7 @@ static struct config {
+ 	.check_certificate = 1,
+ 	.report_invalid_cert = 1,
+ 	.check_hostname = 1,
+-	.ocsp = 1,
++	.ocsp = 0,
+ 	.ocsp_stapling = 1,
+ 	.ca_type = WGET_SSL_X509_FMT_PEM,
+ 	.cert_type = WGET_SSL_X509_FMT_PEM,
+commit c556a3226aca0e99191b52218117b7967889a9bf
+Author: Tim Rühsen <tim.ruehsen@gmx.de>
+Date:   Sun May 19 13:05:11 2024 +0200
+
+    * libwget/ssl_openssl.c (verify_ocsp): Fix segfault when OCSP response is missing
+
+diff --git a/libwget/ssl_openssl.c b/libwget/ssl_openssl.c
+index 2332ec40..6cac6ecb 100644
+--- a/libwget/ssl_openssl.c
++++ b/libwget/ssl_openssl.c
+@@ -1024,9 +1024,7 @@ static int verify_ocsp(const char *ocsp_uri,
+ 	certid = OCSP_cert_to_id(EVP_sha1(), subject_cert, issuer_cert);
+ 
+ 	/* Send OCSP request to server, via HTTP */
+-	if (!(ocspreq = send_ocsp_request(ocsp_uri,
+-			certid,
+-			&resp)))
++	if (!(ocspreq = send_ocsp_request(ocsp_uri, certid, &resp)) || !resp || !resp->body)
+ 		return -1;
+ 
+ 	/* Check server's OCSP response */
+commit 543e1f270821cc7ea562444bfd79ae4d66d5b964
+Author: Tim Rühsen <tim.ruehsen@gmx.de>
+Date:   Sun May 19 12:26:29 2024 +0200
+
+    * libwget/ssl_gnutls.c (verify_certificate_callback): Warn about OCSP privacy leak
+
+diff --git a/libwget/ssl_gnutls.c b/libwget/ssl_gnutls.c
+index 7dbbde39..08f95383 100644
+--- a/libwget/ssl_gnutls.c
++++ b/libwget/ssl_gnutls.c
+@@ -1121,6 +1121,8 @@ static int verify_certificate_callback(gnutls_session_t session)
+ 	// At this point, the cert chain has been found valid regarding the locally available CA certificates and CRLs.
+ 	// Now, we are going to check the revocation status via OCSP
+ #ifdef WITH_OCSP
++	bool skip_server_cert_check = false;
++
+ 	if (config.ocsp_stapling) {
+ 		if (!ctx->valid && ctx->ocsp_stapling) {
+ #if GNUTLS_VERSION_NUMBER >= 0x030103
+@@ -1129,14 +1131,20 @@ static int verify_certificate_callback(gnutls_session_t session)
+ //				_get_cert_fingerprint(cert, fingerprint, sizeof(fingerprint)); // calc hexadecimal fingerprint string
+ 				add_cert_to_ocsp_cache(cert, true);
+ 				nvalid = 1;
++				skip_server_cert_check = true;
+ 			}
+ #if GNUTLS_VERSION_NUMBER >= 0x030400
+ 			else if (gnutls_ocsp_status_request_is_checked(session, GNUTLS_OCSP_SR_IS_AVAIL)) {
+ 				error_printf_check(_("WARNING: The certificate's (stapled) OCSP status is invalid\n"));
++				skip_server_cert_check = true;
+ 			}
+ #endif
+-			else if (!config.ocsp)
+-				error_printf_check(_("WARNING: OCSP stapling is not supported by '%s'\n"), hostname);
++			else if (!config.ocsp) {
++				debug_printf(_("OCSP stapling is not supported by '%s'\n"), hostname);
++			} else {
++				error_printf_check(_("WARNING: OCSP stapling is not supported by '%s', but OCSP validation has been requested.\n"), hostname);
++				error_printf_check(_("WARNING: This implies a privacy leak: the client sends the certificate serial ID over HTTP to the CA.\n"));
++			}
+ #endif
+ 		} else if (ctx->valid)
+ 			debug_printf("OCSP: Host '%s' is valid (from cache)\n", hostname);
+@@ -1158,55 +1166,55 @@ static int verify_certificate_callback(gnutls_session_t session)
+ 		cert_verify_hpkp(cert, hostname, session);
+ 
+ #ifdef WITH_OCSP
+-		if (config.ocsp && it >= nvalid) {
+-			char fingerprint[64 * 2 +1];
+-			int revoked;
++		if (!config.ocsp || (skip_server_cert_check && it == 0))
++			continue;
+ 
+-			_get_cert_fingerprint(cert, fingerprint, sizeof(fingerprint)); // calc hexadecimal fingerprint string
++		char fingerprint[64 * 2 +1];
++		_get_cert_fingerprint(cert, fingerprint, sizeof(fingerprint)); // calc hexadecimal fingerprint string
+ 
+-			if (wget_ocsp_fingerprint_in_cache(config.ocsp_cert_cache, fingerprint, &revoked)) {
+-				// found cert's fingerprint in cache
+-				if (revoked) {
+-					debug_printf("Certificate[%u] of '%s' has been revoked (cached)\n", it, hostname);
+-					nrevoked++;
+-				} else {
+-					debug_printf("Certificate[%u] of '%s' is valid (cached)\n", it, hostname);
+-					nvalid++;
+-				}
+-				continue;
++		int revoked;
++		if (wget_ocsp_fingerprint_in_cache(config.ocsp_cert_cache, fingerprint, &revoked)) {
++			// found cert's fingerprint in cache
++			if (revoked) {
++				debug_printf("Certificate[%u] of '%s' has been revoked (cached)\n", it, hostname);
++				nrevoked++;
++			} else {
++				debug_printf("Certificate[%u] of '%s' is valid (cached)\n", it, hostname);
++				nvalid++;
+ 			}
++			continue;
++		}
+ 
+-			if (deinit_issuer) {
+-				gnutls_x509_crt_deinit(issuer);
+-				deinit_issuer = 0;
+-			}
+-			if ((err = gnutls_certificate_get_issuer(credentials, cert, &issuer, 0)) != GNUTLS_E_SUCCESS && it < cert_list_size - 1) {
+-				gnutls_x509_crt_init(&issuer);
+-				deinit_issuer = 1;
+-				if ((err = gnutls_x509_crt_import(issuer, &cert_list[it + 1], GNUTLS_X509_FMT_DER))  != GNUTLS_E_SUCCESS) {
+-					debug_printf("Decoding error: %s\n", gnutls_strerror(err));
+-					continue;
+-				}
+-			} else if (err  != GNUTLS_E_SUCCESS) {
+-				debug_printf("Cannot find issuer: %s\n", gnutls_strerror(err));
++		if (deinit_issuer) {
++			gnutls_x509_crt_deinit(issuer);
++			deinit_issuer = 0;
++		}
++		if ((err = gnutls_certificate_get_issuer(credentials, cert, &issuer, 0)) != GNUTLS_E_SUCCESS && it < cert_list_size - 1) {
++			gnutls_x509_crt_init(&issuer);
++			deinit_issuer = 1;
++			if ((err = gnutls_x509_crt_import(issuer, &cert_list[it + 1], GNUTLS_X509_FMT_DER))  != GNUTLS_E_SUCCESS) {
++				debug_printf("Decoding error: %s\n", gnutls_strerror(err));
+ 				continue;
+ 			}
++		} else if (err  != GNUTLS_E_SUCCESS) {
++			debug_printf("Cannot find issuer: %s\n", gnutls_strerror(err));
++			continue;
++		}
+ 
+-			ocsp_ok = cert_verify_ocsp(cert, issuer);
+-			debug_printf("check_ocsp_response() returned %d\n", ocsp_ok);
+-
+-			if (ocsp_ok == 1) {
+-				debug_printf("Certificate[%u] of '%s' is valid (via OCSP)\n", it, hostname);
+-				wget_ocsp_db_add_fingerprint(config.ocsp_cert_cache, fingerprint, time(NULL) + 3600, true); // 1h valid
+-				nvalid++;
+-			} else if (ocsp_ok == 0) {
+-				debug_printf("%s: Certificate[%u] of '%s' has been revoked (via OCSP)\n", tag, it, hostname);
+-				wget_ocsp_db_add_fingerprint(config.ocsp_cert_cache, fingerprint, time(NULL) + 3600, false);  // cert has been revoked
+-				nrevoked++;
+-			} else {
+-				debug_printf("WARNING: OCSP response not available or ignored\n");
+-				nignored++;
+-			}
++		ocsp_ok = cert_verify_ocsp(cert, issuer);
++		debug_printf("check_ocsp_response() returned %d\n", ocsp_ok);
++
++		if (ocsp_ok == 1) {
++			debug_printf("Certificate[%u] of '%s' is valid (via OCSP)\n", it, hostname);
++			wget_ocsp_db_add_fingerprint(config.ocsp_cert_cache, fingerprint, time(NULL) + 3600, true); // 1h valid
++			nvalid++;
++		} else if (ocsp_ok == 0) {
++			debug_printf("%s: Certificate[%u] of '%s' has been revoked (via OCSP)\n", tag, it, hostname);
++			wget_ocsp_db_add_fingerprint(config.ocsp_cert_cache, fingerprint, time(NULL) + 3600, false);  // cert has been revoked
++			nrevoked++;
++		} else {
++			debug_printf("WARNING: OCSP response not available or ignored\n");
++			nignored++;
+ 		}
+ #endif
+ 	}
+commit f4e7c46073850af7b5c3d58b9452bdd2124b593c
+Author: Tim Rühsen <tim.ruehsen@gmx.de>
+Date:   Sun May 19 19:36:59 2024 +0200
+
+    * libwget/ssl_gnutls.c (verify_certificate_callback): Fix 'do not translate debug strings'
+
+diff --git a/libwget/ssl_gnutls.c b/libwget/ssl_gnutls.c
+index 08f95383..a3cf6f5d 100644
+--- a/libwget/ssl_gnutls.c
++++ b/libwget/ssl_gnutls.c
+@@ -1140,7 +1140,7 @@ static int verify_certificate_callback(gnutls_session_t session)
+ 			}
+ #endif
+ 			else if (!config.ocsp) {
+-				debug_printf(_("OCSP stapling is not supported by '%s'\n"), hostname);
++				debug_printf("OCSP stapling is not supported by '%s'\n", hostname);
+ 			} else {
+ 				error_printf_check(_("WARNING: OCSP stapling is not supported by '%s', but OCSP validation has been requested.\n"), hostname);
+ 				error_printf_check(_("WARNING: This implies a privacy leak: the client sends the certificate serial ID over HTTP to the CA.\n"));
+commit de294c8ddf27b11e8abc7954856d590d7ce2d4f3
+Author: Tim Rühsen <tim.ruehsen@gmx.de>
+Date:   Sun May 19 20:02:31 2024 +0200
+
+    * libwget/ssl_gnutls.c (verify_certificate_callback): Fix gcc warning -Wjump-misses-init
+
+diff --git a/libwget/ssl_gnutls.c b/libwget/ssl_gnutls.c
+index a3cf6f5d..6edbcea1 100644
+--- a/libwget/ssl_gnutls.c
++++ b/libwget/ssl_gnutls.c
+@@ -965,6 +965,7 @@ static int verify_certificate_callback(gnutls_session_t session)
+ 	gnutls_x509_crt_t cert = NULL, issuer = NULL;
+ 	const char *tag = config.check_certificate ? _("ERROR") : _("WARNING");
+ #ifdef WITH_OCSP
++	bool skip_server_cert_check = false;
+ 	unsigned nvalid = 0, nrevoked = 0, nignored = 0;
+ #endif
+ 
+@@ -1121,8 +1122,6 @@ static int verify_certificate_callback(gnutls_session_t session)
+ 	// At this point, the cert chain has been found valid regarding the locally available CA certificates and CRLs.
+ 	// Now, we are going to check the revocation status via OCSP
+ #ifdef WITH_OCSP
+-	bool skip_server_cert_check = false;
+-
+ 	if (config.ocsp_stapling) {
+ 		if (!ctx->valid && ctx->ocsp_stapling) {
+ #if GNUTLS_VERSION_NUMBER >= 0x030103
diff --git a/SPECS/wget/0005-Accept-progress-dot-.-for-backwards-compatibility.patch b/SPECS/wget/0005-Accept-progress-dot-.-for-backwards-compatibility.patch
new file mode 100644
index 00000000000..2d93ebd6a61
--- /dev/null
+++ b/SPECS/wget/0005-Accept-progress-dot-.-for-backwards-compatibility.patch
@@ -0,0 +1,57 @@
+From e8f1e99c96a8303421e66b0feda1651a11c8b250 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Mon, 20 May 2024 13:19:06 +0200
+Subject: [PATCH] Accept --progress=dot:... for backwards compatibility
+
+* src/options.c (parse_progress_type): Fix checking dot options.
+* tests/test-wget-1.c: Add check for --progress variants.
+---
+ src/options.c       |  6 +++---
+ tests/test-wget-1.c | 10 ++++++++++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/options.c b/src/options.c
+index 7684b795..0f7b3f35 100644
+--- a/src/options.c
++++ b/src/options.c
+@@ -798,13 +798,13 @@ static int WGET_GCC_PURE WGET_GCC_NONNULL((1)) parse_progress_type(option_t opt,
+ 
+ 	if (!wget_strcasecmp_ascii(val, "none"))
+ 		*((char *)opt->var) = PROGRESS_TYPE_NONE;
+-	else if (!wget_strncasecmp_ascii(val, "bar", 3)) {
++	else if (!wget_strncasecmp_ascii(val, "bar", 3) && (val[3] == ':' || val[3] == 0)) {
+ 		*((char *)opt->var) = PROGRESS_TYPE_BAR;
+ 		// Silent Wget compatibility
+-		if (!wget_strncasecmp_ascii(val+3, ":force", 6) || !wget_strncasecmp_ascii(val+3, ":noscroll:force", 15)) {
++		if (!wget_strncasecmp_ascii(val+4, "force", 5) || !wget_strncasecmp_ascii(val+4, "noscroll:force", 14)) {
+ 			config.force_progress = true;
+ 		}
+-	} else if (!wget_strcasecmp_ascii(val, "dot")) {
++	} else if (!wget_strncasecmp_ascii(val, "dot", 3) && (val[3] == ':' || val[3] == 0)) {
+ 		// Wget compatibility, whether want to support 'dot' depends on user feedback.
+ 		info_printf(_("Progress type '%s' ignored. It is not implemented yet\n"), val);
+ 	} else {
+diff --git a/tests/test-wget-1.c b/tests/test-wget-1.c
+index fdd4f54e..8a08d74d 100644
+--- a/tests/test-wget-1.c
++++ b/tests/test-wget-1.c
+@@ -626,6 +626,16 @@ int main(void)
+ 			{	NULL } },
+ 		0);
+ 
++	// test different --progress options to be accepted
++	wget_test(
++		WGET_TEST_OPTIONS, "--progress=none --progress=bar --progress=bar:force --progress=bar:noscroll:force --progress=dot --progress=dot:giga",
++		WGET_TEST_REQUEST_URL, "dummy.txt",
++		WGET_TEST_EXPECTED_ERROR_CODE, 0,
++		WGET_TEST_EXPECTED_FILES, &(wget_test_file_t []) {
++			{	"dummy.txt", urls[3].body },
++			{	NULL } },
++		0);
++
+ 	// test--https-only
+ 	wget_test(
+ 		WGET_TEST_OPTIONS, "--https-only -r -nH",
+-- 
+2.43.0
+
diff --git a/SPECS/wget/0006-Disable-TCP-Fast-Open-by-default.patch b/SPECS/wget/0006-Disable-TCP-Fast-Open-by-default.patch
new file mode 100644
index 00000000000..a1ad51a6413
--- /dev/null
+++ b/SPECS/wget/0006-Disable-TCP-Fast-Open-by-default.patch
@@ -0,0 +1,51 @@
+From 7a945d31aeb34fc73cf86a494673ae97e069d84d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Sun, 30 Jun 2024 19:33:01 +0200
+Subject: [PATCH] Disable TCP Fast Open by default
+
+* docs/wget2.md: Amended description of --tcp-fastopen.
+* src/options.c (struct config config): Disabled TFO.
+---
+ docs/wget2.md | 8 +++++++-
+ src/options.c | 1 -
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/docs/wget2.md b/docs/wget2.md
+index 61da3ccb..06828bf8 100644
+--- a/docs/wget2.md
++++ b/docs/wget2.md
+@@ -730,12 +730,18 @@ Go to background immediately after startup. If no output file is specified via t
+ 
+ ### `--tcp-fastopen`
+ 
+-  Enable support for TCP Fast Open (TFO) (default: on).
++  Enable support for TCP Fast Open (TFO) (default: off).
+ 
+   TFO reduces connection latency by 1 RT on "hot" connections (2nd+ connection to the same host in a certain amount of time).
+ 
+   Currently this works on recent Linux and OSX kernels, on HTTP and HTTPS.
+ 
++  The main reasons why TFO is disabled by default are
++    - possible user tracking issues
++    - possible issues with middle boxes that do not support TFO
++
++  This article gives has more details about TFO than fits here: https://candrews.integralblue.com/2019/03/the-sad-story-of-tcp-fast-open/
++
+ ### `--dns-cache-preload=file`
+ 
+   Load a list of IP / Name tuples into the DNS cache.
+diff --git a/src/options.c b/src/options.c
+index 026aa415..f4b5d1a1 100644
+--- a/src/options.c
++++ b/src/options.c
+@@ -1235,7 +1235,6 @@ struct config config = {
+ 	.max_redirect = 20,
+ 	.max_threads = 5,
+ 	.dns_caching = 1,
+-	.tcp_fastopen = 1,
+ 	.user_agent = PACKAGE_NAME"/"PACKAGE_VERSION,
+ 	.verbose = 1,
+ 	.check_certificate= CHECK_CERTIFICATE_ENABLED,
+-- 
+2.43.0
+
diff --git a/SPECS/wget/fix-ssl-read-and-write-error-check.patch b/SPECS/wget/fix-ssl-read-and-write-error-check.patch
new file mode 100644
index 00000000000..c4104f3337c
--- /dev/null
+++ b/SPECS/wget/fix-ssl-read-and-write-error-check.patch
@@ -0,0 +1,80 @@
+From 8877050c3f00a19d43e539029d2346d1040d8c02 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Sun, 22 Sep 2024 12:12:42 +0200
+Subject: [PATCH] Count 0 as an error for SSL_read and SSL_write, per
+ documentation
+
+* libwget/ssl_openssl.c (ssl_transfer): Take 0 as error,
+  slightly refactor code.
+
+Fixes https://github.com/rockdaboot/wget2/issues/342
+
+Reported-by: Tobias Brick (he/him) <tobiasb@microsoft.com>
+Co-authored-by: Tobias Brick (he/him) <tobiasb@microsoft.com>
+---
+ libwget/ssl_openssl.c | 34 +++++++++++++++++++---------------
+ 1 file changed, 19 insertions(+), 15 deletions(-)
+
+diff --git a/libwget/ssl_openssl.c b/libwget/ssl_openssl.c
+index 7a52792d..885b0c2c 100644
+--- a/libwget/ssl_openssl.c
++++ b/libwget/ssl_openssl.c
+@@ -1789,7 +1789,7 @@ static int ssl_transfer(int want,
+ 		void *buf, int count)
+ {
+ 	SSL *ssl;
+-	int fd, retval, error, ops = want;
++	int fd;
+ 
+ 	if (count == 0)
+ 		return 0;
+@@ -1801,7 +1801,9 @@ static int ssl_transfer(int want,
+ 	if (timeout < -1)
+ 		timeout = -1;
+ 
+-	do {
++	for (int ops = want;;) {
++		int retval;
++
+ 		if (timeout) {
+ 			/* Wait until file descriptor becomes ready */
+ 			retval = wget_ready_2_transfer(fd, timeout, ops);
+@@ -1817,23 +1819,25 @@ static int ssl_transfer(int want,
+ 		else
+ 			retval = SSL_write(ssl, buf, count);
+ 
+-		if (retval < 0) {
+-			error = SSL_get_error(ssl, retval);
++		if (retval > 0)
++			return retval;
+ 
+-			if (error == SSL_ERROR_WANT_READ || error == SSL_ERROR_WANT_WRITE) {
+-				/* Socket not ready - let's try again (unless timeout was zero) */
+-				ops = WGET_IO_WRITABLE | WGET_IO_READABLE;
++		// The OpenSSL docs consider <= 0 an error.
++		int error = SSL_get_error(ssl, retval);
++		if (error == SSL_ERROR_WANT_READ || error == SSL_ERROR_WANT_WRITE) {
++			/* Socket not ready - let's try again (unless timeout was zero) */
++			ops = WGET_IO_WRITABLE | WGET_IO_READABLE;
+ 
+-				if (timeout == 0)
+-					return 0;
+-			} else {
+-				/* Not exactly a handshake error, but this is the closest one to signal TLS layer errors */
+-				return WGET_E_HANDSHAKE;
+-			}
++			if (timeout == 0)
++				return 0;
++		} else {
++			/* Not exactly a handshake error, but this is the closest one to signal TLS layer errors */
++			return WGET_E_HANDSHAKE;
+ 		}
+-	} while (retval < 0);
++	}
+ 
+-	return retval;
++	// The execution can never get here.
++	return WGET_E_UNKNOWN;
+ }
+ 
+ /**
diff --git a/SPECS/wget/set-debug_skip_body-for-OCSP-requests-in-openssl-tls-provider.patch b/SPECS/wget/set-debug_skip_body-for-OCSP-requests-in-openssl-tls-provider.patch
new file mode 100644
index 00000000000..6882eb67ebd
--- /dev/null
+++ b/SPECS/wget/set-debug_skip_body-for-OCSP-requests-in-openssl-tls-provider.patch
@@ -0,0 +1,66 @@
+From 3359e3e182a24722d601dfa5e4652143817ef24f Mon Sep 17 00:00:00 2001
+From: "Tobias Brick (he/him)" <tobiasb@microsoft.com>
+Date: Mon, 16 Sep 2024 15:34:19 +0000
+Subject: [PATCH] set debug_skip_body for OCSP requests in openssl tls provider
+
+---
+ include/wget/wget.h      | 1 +
+ libwget/http_highlevel.c | 6 ++++++
+ libwget/ssl_openssl.c    | 1 +
+ 3 files changed, 8 insertions(+)
+
+diff --git a/include/wget/wget.h b/include/wget/wget.h
+index 62ec38364..2dfe56968 100644
+--- a/include/wget/wget.h
++++ b/include/wget/wget.h
+@@ -250,6 +250,7 @@ WGET_BEGIN_DECLS
+ #define WGET_HTTP_BODY_SAVEAS           2018
+ #define WGET_HTTP_USER_DATA             2019
+ #define WGET_HTTP_RESPONSE_IGNORELENGTH 2020
++#define WGET_HTTP_DEBUG_SKIP_BODY       2021
+ 
+ // definition of error conditions
+ typedef enum {
+diff --git a/libwget/http_highlevel.c b/libwget/http_highlevel.c
+index 14c5bea72..3971f8ed0 100644
+--- a/libwget/http_highlevel.c
++++ b/libwget/http_highlevel.c
+@@ -83,6 +83,7 @@ wget_http_response *wget_http_get(int first_key, ...)
+ 	size_t bodylen = 0;
+ 	const void *body = NULL;
+ 	void *header_user_data = NULL, *body_user_data = NULL;
++	bool debug_skip_body = 0;
+ 
+ 	struct {
+ 		bool
+@@ -157,6 +158,9 @@ wget_http_response *wget_http_get(int first_key, ...)
+ 			body = va_arg(args, const void *);
+ 			bodylen = va_arg(args, size_t);
+ 			break;
++		case WGET_HTTP_DEBUG_SKIP_BODY:
++			debug_skip_body = 1;
++			break;
+ 		default:
+ 			error_printf(_("Unknown option %d\n"), key);
+ 			va_end(args);
+@@ -239,6 +243,8 @@ wget_http_response *wget_http_get(int first_key, ...)
+ 			if (body && bodylen)
+ 				wget_http_request_set_body(req, NULL, wget_memdup(body, bodylen), bodylen);
+ 
++			req->debug_skip_body = debug_skip_body;
++
+ 			rc = wget_http_send_request(conn, req);
+ 
+ 			if (rc == 0) {
+diff --git a/libwget/ssl_openssl.c b/libwget/ssl_openssl.c
+index 6cac6ecb0..7a52792d8 100644
+--- a/libwget/ssl_openssl.c
++++ b/libwget/ssl_openssl.c
+@@ -762,6 +762,7 @@ static OCSP_REQUEST *send_ocsp_request(const char *uri,
+ 		WGET_HTTP_HEADER_ADD, "Content-Type", "application/ocsp-request",
+ 		WGET_HTTP_MAX_REDIRECTIONS, 5,
+ 		WGET_HTTP_BODY, ocspreq_bytes, ocspreq_bytes_len,
++		WGET_HTTP_DEBUG_SKIP_BODY,
+ 		0);
+ 
+ 	OPENSSL_free(ocspreq_bytes);
diff --git a/SPECS/wget/wget.spec b/SPECS/wget/wget.spec
index 206fed9f19a..5c50317c4c4 100644
--- a/SPECS/wget/wget.spec
+++ b/SPECS/wget/wget.spec
@@ -3,14 +3,34 @@
 Summary:        An advanced file and recursive website downloader
 Name:           wget
 Version:        2.1.0
-Release:        1%{?dist}
+Release:        5%{?dist}
 License:        GPL-3.0-or-later AND LGPL-3.0-or-later AND GFDL-1.3-or-later
 URL:            https://gitlab.com/gnuwget/wget2
 Group:          System Environment/NetworkingPrograms
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Source0:        https://ftp.gnu.org/gnu/wget/%{name}2-%{version}.tar.gz#/%{name}-%{version}.tar.gz
+## Fix behavior for downloading to stdin (rhbz#2257700, gl#gnuwget/wget2#651)
 Patch0001:      0001-src-log.c-log_init-Redirect-INFO-logs-to-stderr-with.patch
+## Fix normalization of path part of URL (rhbz#2271362)
+Patch0002:      0002-normalize-path-in-url.patch
+# https://github.com/rockdaboot/wget2/pull/316
+# Allow option --no-tcp-fastopen to work on Linux kernels >= 4.11
+Patch0003:      0003-Allow-option-no-tcp-fastopen-to-work-on-Linux-kernel.patch
+# https://gitlab.com/gnuwget/wget2/-/issues/664
+# Disable explicit OCSP requests by default for privacy reasons.
+Patch0004:      0004-Disable-OCSP-by-default.patch
+# https://gitlab.com/gnuwget/wget2/-/issues/661
+# Accept --progress=dot:... for backwards compatibility
+Patch0005:      0005-Accept-progress-dot-.-for-backwards-compatibility.patch
+# https://gitlab.com/gnuwget/wget2/-/commit/7a945d31aeb34fc73cf86a494673ae97e069d84d
+# Disable TCP Fast Open by default
+# rhbz#2291017
+Patch0006:      0006-Disable-TCP-Fast-Open-by-default.patch
+# https://github.com/rockdaboot/wget2/issues/342
+Patch0007:      fix-ssl-read-and-write-error-check.patch
+# https://github.com/rockdaboot/wget2/issues/344
+Patch0008:      set-debug_skip_body-for-OCSP-requests-in-openssl-tls-provider.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -108,6 +128,9 @@ install -D -m0644 -t %{buildroot}%{_mandir}/man1/ docs/man/man1/wget2.1
 
 find %{buildroot} -type f -name "*.la" -delete -print
 
+# Delete useless noinstall binary
+rm -v %{buildroot}%{_bindir}/%{name}2_noinstall
+
 ln -sr %{buildroot}%{_bindir}/%{name}2 %{buildroot}%{_bindir}/wget
 # Link wget(1) to wget2(1)
 echo ".so man1/%{name}.1" > %{buildroot}%{_mandir}/man1/wget.1
@@ -121,7 +144,6 @@ echo ".so man1/%{name}.1" > %{buildroot}%{_mandir}/man1/wget.1
 %config(noreplace) /etc/wgetrc
 %{_bindir}/*
 %{_mandir}/man1/*
-%{_datadir}/locale/*/LC_MESSAGES/*.mo
 
 %files libs
 %license COPYING*
@@ -135,6 +157,20 @@ echo ".so man1/%{name}.1" > %{buildroot}%{_mandir}/man1/wget.1
 %{_mandir}/man3/libwget*.3*
 
 %changelog
+* Mon Sep 23 2024 Tobias Brick <tobiasb@microsoft.com> - 2.1.0-5
+- Align fix for SSL read and write error check with upstream.
+
+* Wed Sep 18 2024 Tobias Brick <tobiasb@microsoft.com> - 2.1.0-4
+- Add patch to prevent debug output from printing binary request bodies.
+
+* Fri Sep 13 2024 Tobias Brick <tobiasb@microsoft.com> - 2.1.0-3
+- Add patch to fix SSL read and write error check.
+
+* Thu Sep 12 2024 Tobias Brick <tobiasb@microsoft.com> - 2.1.0-2
+- Add patches from Fedora upstream. Important ones include disabling OCSP and TCP Fast Open by default.
+- Don't install wget2_noinstall binary, which is specifically for testing.
+- Fix rpmbuild warnings.
+
 * Wed Feb 28 2024 Muhammad Falak <mwani@microsoft.com> - 2.1.0-1
 - Switch wget from 1.x to 2.x
 - Initial CBL-Mariner import from Fedora 40 (license: MIT).
diff --git a/cgmanifest.json b/cgmanifest.json
index 567097d577d..4cbae68d84d 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -1,5 +1,15 @@
 {
   "Registrations": [
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "389-ds-base",
+          "version": "3.1.1",
+          "downloadUrl": "https://github.com/389ds/389-ds-base/releases/download/389-ds-base-3.1.1/389-ds-base-3.1.1.tar.bz2"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",
@@ -1127,8 +1137,8 @@
         "type": "other",
         "other": {
           "name": "blobfuse2",
-          "version": "2.3.0",
-          "downloadUrl": "https://github.com/Azure/azure-storage-fuse/archive/blobfuse2-2.3.0.tar.gz"
+          "version": "2.3.2",
+          "downloadUrl": "https://github.com/Azure/azure-storage-fuse/archive/blobfuse2-2.3.2.tar.gz"
         }
       }
     },
@@ -1617,8 +1627,8 @@
         "type": "other",
         "other": {
           "name": "CharLS",
-          "version": "2.0.0",
-          "downloadUrl": "https://github.com/team-charls/charls/archive/2.0.0/CharLS-2.0.0.tar.gz"
+          "version": "2.4.2",
+          "downloadUrl": "https://github.com/team-charls/charls/archive/refs/tags/2.4.2.tar.gz"
         }
       }
     },
@@ -2638,8 +2648,8 @@
         "type": "other",
         "other": {
           "name": "distribution-gpg-keys",
-          "version": "1.104",
-          "downloadUrl": "https://github.com/rpm-software-management/distribution-gpg-keys/archive/refs/tags/distribution-gpg-keys-1.104-1.tar.gz"
+          "version": "1.105",
+          "downloadUrl": "https://github.com/rpm-software-management/distribution-gpg-keys/archive/refs/tags/distribution-gpg-keys-1.105-1.tar.gz"
         }
       }
     },
@@ -3408,8 +3418,8 @@
         "type": "other",
         "other": {
           "name": "expat",
-          "version": "2.6.2",
-          "downloadUrl": "https://github.com/libexpat/libexpat/releases/download/R_2_6_2/expat-2.6.2.tar.bz2"
+          "version": "2.6.3",
+          "downloadUrl": "https://github.com/libexpat/libexpat/releases/download/R_2_6_3/expat-2.6.3.tar.bz2"
         }
       }
     },
@@ -4580,8 +4590,8 @@
         "type": "other",
         "other": {
           "name": "golang",
-          "version": "1.22.6",
-          "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.22.6-1/go1.22.6-20240806.4.src.tar.gz"
+          "version": "1.22.7",
+          "downloadUrl": "https://github.com/microsoft/go/releases/download/v1.22.7-3/go1.22.7-20240925.5.src.tar.gz"
         }
       }
     },
@@ -5110,8 +5120,8 @@
         "type": "other",
         "other": {
           "name": "haproxy",
-          "version": "2.9.1",
-          "downloadUrl": "https://www.haproxy.org/download/2.9/src/haproxy-2.9.1.tar.gz"
+          "version": "2.9.11",
+          "downloadUrl": "https://www.haproxy.org/download/2.9/src/haproxy-2.9.11.tar.gz"
         }
       }
     },
@@ -6500,8 +6510,8 @@
         "type": "other",
         "other": {
           "name": "hyperv-daemons",
-          "version": "6.6.47.1",
-          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.47.1.tar.gz"
+          "version": "6.6.51.1",
+          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.51.1.tar.gz"
         }
       }
     },
@@ -7121,8 +7131,8 @@
         "type": "other",
         "other": {
           "name": "ig",
-          "version": "0.30.0",
-          "downloadUrl": "https://github.com/inspektor-gadget/inspektor-gadget/archive/refs/tags/v0.30.0.tar.gz"
+          "version": "0.32.0",
+          "downloadUrl": "https://github.com/inspektor-gadget/inspektor-gadget/archive/refs/tags/v0.32.0.tar.gz"
         }
       }
     },
@@ -8071,8 +8081,8 @@
         "type": "other",
         "other": {
           "name": "keda",
-          "version": "2.14.0",
-          "downloadUrl": "https://github.com/kedacore/keda/archive/refs/tags/v2.14.0.tar.gz"
+          "version": "2.14.1",
+          "downloadUrl": "https://github.com/kedacore/keda/archive/refs/tags/v2.14.1.tar.gz"
         }
       }
     },
@@ -8081,8 +8091,8 @@
         "type": "other",
         "other": {
           "name": "keepalived",
-          "version": "2.2.8",
-          "downloadUrl": "https://www.keepalived.org/software/keepalived-2.2.8.tar.gz"
+          "version": "2.3.1",
+          "downloadUrl": "https://www.keepalived.org/software/keepalived-2.3.1.tar.gz"
         }
       }
     },
@@ -8101,8 +8111,8 @@
         "type": "other",
         "other": {
           "name": "kernel",
-          "version": "6.6.47.1",
-          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.47.1.tar.gz"
+          "version": "6.6.51.1",
+          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.51.1.tar.gz"
         }
       }
     },
@@ -8111,8 +8121,8 @@
         "type": "other",
         "other": {
           "name": "kernel-headers",
-          "version": "6.6.47.1",
-          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.47.1.tar.gz"
+          "version": "6.6.51.1",
+          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.51.1.tar.gz"
         }
       }
     },
@@ -8131,8 +8141,8 @@
         "type": "other",
         "other": {
           "name": "kernel-rt",
-          "version": "6.6.43.1",
-          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.43.1.tar.gz"
+          "version": "6.6.44.1",
+          "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.44.1.tar.gz"
         }
       }
     },
@@ -8896,6 +8906,16 @@
         }
       }
     },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "libcxx",
+          "version": "18.1.2",
+          "downloadUrl": "https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-18.1.2.tar.gz"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",
@@ -9956,6 +9976,16 @@
         }
       }
     },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "libmd",
+          "version": "1.1.0",
+          "downloadUrl": "https://libbsd.freedesktop.org/releases/libmd-1.1.0.tar.xz"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",
@@ -10761,8 +10791,8 @@
         "type": "other",
         "other": {
           "name": "libsafec",
-          "version": "3.7.1",
-          "downloadUrl": "https://github.com/rurban/safeclib/releases/download/v3.7.1/safeclib-3.7.1.tar.xz"
+          "version": "3.8.1",
+          "downloadUrl": "https://github.com/rurban/safeclib/releases/download/v3.8.1/safeclib-3.8.1.tar.xz"
         }
       }
     },
@@ -11301,8 +11331,8 @@
         "type": "other",
         "other": {
           "name": "libuser",
-          "version": "0.63",
-          "downloadUrl": "https://releases.pagure.org/libuser/libuser-0.63.tar.xz"
+          "version": "0.64",
+          "downloadUrl": "https://releases.pagure.org/libuser/libuser-0.64.tar.gz"
         }
       }
     },
@@ -13142,8 +13172,8 @@
         "type": "other",
         "other": {
           "name": "mock",
-          "version": "2.16",
-          "downloadUrl": "https://github.com/rpm-software-management/mock/archive/refs/tags/mock-2.16-1.tar.gz"
+          "version": "5.6",
+          "downloadUrl": "https://github.com/rpm-software-management/mock/archive/refs/tags/mock-5.6-1.tar.gz"
         }
       }
     },
@@ -13152,8 +13182,8 @@
         "type": "other",
         "other": {
           "name": "mock-core-configs",
-          "version": "36.4",
-          "downloadUrl": "https://github.com/rpm-software-management/mock/archive/refs/tags/mock-core-configs-36.4-1/mock-core-configs-36.4-1.tar.gz"
+          "version": "41.2",
+          "downloadUrl": "https://github.com/rpm-software-management/mock/archive/refs/tags/mock-core-configs-41.2-1/mock-core-configs-41.2-1.tar.gz"
         }
       }
     },
@@ -13297,6 +13327,16 @@
         }
       }
     },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "mosh",
+          "version": "1.4.0",
+          "downloadUrl": "https://github.com/mobile-shell/mosh/releases/download/mosh-1.4.0/mosh-1.4.0.tar.gz"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",
@@ -15193,8 +15233,8 @@
         "type": "other",
         "other": {
           "name": "openssl",
-          "version": "3.3.0",
-          "downloadUrl": "https://www.openssl.org/source/openssl-3.3.0.tar.gz"
+          "version": "3.3.2",
+          "downloadUrl": "https://github.com/openssl/openssl/releases/download/openssl-3.3.2/openssl-3.3.2.tar.gz"
         }
       }
     },
@@ -15703,8 +15743,8 @@
         "type": "other",
         "other": {
           "name": "perl-Algorithm-C3",
-          "version": "0.10",
-          "downloadUrl": "https://cpan.metacpan.org/modules/by-module/Algorithm/Algorithm-C3-0.10.tar.gz"
+          "version": "0.11",
+          "downloadUrl": "https://cpan.metacpan.org/modules/by-module/Algorithm/Algorithm-C3-0.11.tar.gz"
         }
       }
     },
@@ -16713,8 +16753,8 @@
         "type": "other",
         "other": {
           "name": "perl-DateTime-TimeZone",
-          "version": "2.39",
-          "downloadUrl": "https://cpan.metacpan.org/authors/id/D/DR/DROLSKY/DateTime-TimeZone-2.39.tar.gz"
+          "version": "2.40",
+          "downloadUrl": "https://cpan.metacpan.org/authors/id/D/DR/DROLSKY/DateTime-TimeZone-2.40.tar.gz"
         }
       }
     },
@@ -16793,8 +16833,8 @@
         "type": "other",
         "other": {
           "name": "perl-Devel-Caller",
-          "version": "2.06",
-          "downloadUrl": "https://cpan.metacpan.org/authors/id/R/RC/RCLAMP/Devel-Caller-2.06.tar.gz"
+          "version": "2.07",
+          "downloadUrl": "https://cpan.metacpan.org/authors/id/R/RC/RCLAMP/Devel-Caller-2.07.tar.gz"
         }
       }
     },
@@ -16888,6 +16928,16 @@
         }
       }
     },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "perl-Devel-Refcount",
+          "version": "0.10",
+          "downloadUrl": "https://www.cpan.org/modules/by-module/Devel/Devel-Refcount-0.10.tar.gz"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",
@@ -18138,6 +18188,16 @@
         }
       }
     },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "perl-match-simple",
+          "version": "0.012",
+          "downloadUrl": "https://cpan.metacpan.org/authors/id/T/TO/TOBYINK/match-simple-0.012.tar.gz"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",
@@ -18823,8 +18883,8 @@
         "type": "other",
         "other": {
           "name": "perl-PadWalker",
-          "version": "2.3",
-          "downloadUrl": "https://cpan.metacpan.org/authors/id/R/RO/ROBIN/PadWalker-2.3.tar.gz"
+          "version": "2.5",
+          "downloadUrl": "https://cpan.metacpan.org/authors/id/R/RO/ROBIN/PadWalker-2.5.tar.gz"
         }
       }
     },
@@ -19448,6 +19508,16 @@
         }
       }
     },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "perl-Sub-Infix",
+          "version": "0.004",
+          "downloadUrl": "https://cpan.metacpan.org/authors/id/T/TO/TOBYINK/Sub-Infix-0.004.tar.gz"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",
@@ -19463,8 +19533,8 @@
         "type": "other",
         "other": {
           "name": "perl-Sub-Install",
-          "version": "0.928",
-          "downloadUrl": "https://cpan.metacpan.org/authors/id/R/RJ/RJBS/Sub-Install-0.928.tar.gz"
+          "version": "0.929",
+          "downloadUrl": "https://cpan.metacpan.org/authors/id/R/RJ/RJBS/Sub-Install-0.929.tar.gz"
         }
       }
     },
@@ -19473,8 +19543,8 @@
         "type": "other",
         "other": {
           "name": "perl-Sub-Name",
-          "version": "0.26",
-          "downloadUrl": "https://cpan.metacpan.org/modules/by-module/Sub/Sub-Name-0.26.tar.gz"
+          "version": "0.27",
+          "downloadUrl": "https://cpan.metacpan.org/modules/by-module/Sub/Sub-Name-0.27.tar.gz"
         }
       }
     },
@@ -20093,8 +20163,8 @@
         "type": "other",
         "other": {
           "name": "perl-Test-Without-Module",
-          "version": "0.20",
-          "downloadUrl": "https://cpan.metacpan.org/modules/by-module/Test/Test-Without-Module-0.20.tar.gz"
+          "version": "0.23",
+          "downloadUrl": "https://cpan.metacpan.org/modules/by-module/Test/Test-Without-Module-0.23.tar.gz"
         }
       }
     },
@@ -20758,6 +20828,16 @@
         }
       }
     },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "php-pecl-apcu",
+          "version": "5.1.23",
+          "downloadUrl": "https://pecl.php.net/get/apcu-5.1.23.tgz"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",
@@ -21708,6 +21788,16 @@
         }
       }
     },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "python-backoff",
+          "version": "2.2.1",
+          "downloadUrl": "https://github.com/litl/backoff/archive/refs/tags/v2.2.1.tar.gz"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",
@@ -22788,6 +22878,16 @@
         }
       }
     },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "python-junitxml",
+          "version": "0.7",
+          "downloadUrl": "https://pypi.python.org/packages/source/j/junitxml/junitxml-0.7.tar.gz"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",
@@ -22913,8 +23013,8 @@
         "type": "other",
         "other": {
           "name": "python-ldap",
-          "version": "3.4.0",
-          "downloadUrl": "https://files.pythonhosted.org/packages/source/p/python-ldap/python-ldap-3.4.0.tar.gz"
+          "version": "3.4.4",
+          "downloadUrl": "https://github.com/python-ldap/python-ldap/archive/refs/tags/python-ldap-3.4.4.tar.gz"
         }
       }
     },
@@ -23718,13 +23818,23 @@
         }
       }
     },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "python-pyproject-metadata",
+          "version": "0.8.0",
+          "downloadUrl": "https://github.com/pypa/python-pyproject-metadata/archive/0.8.0/python-pyproject-metadata-0.8.0.tar.gz"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",
         "other": {
           "name": "python-pyroute2",
-          "version": "0.6.5",
-          "downloadUrl": "https://pypi.io/packages/source/p/pyroute2/pyroute2-0.6.5.tar.gz"
+          "version": "0.7.12",
+          "downloadUrl": "https://github.com/svinota/pyroute2/archive/refs/tags/0.7.12.tar.gz"
         }
       }
     },
@@ -24108,6 +24218,16 @@
         }
       }
     },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "python-rpmautospec-core",
+          "version": "0.1.5",
+          "downloadUrl": "https://github.com/fedora-infra/rpmautospec-core/releases/download/0.1.5/rpmautospec_core-0.1.5.tar.gz"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",
@@ -24503,8 +24623,8 @@
         "type": "other",
         "other": {
           "name": "python-templated-dictionary",
-          "version": "1.1",
-          "downloadUrl": "https://files.pythonhosted.org/packages/22/4d/cd73de22b8b345e57677c80c26381e25abef19cab9495c91b1627af7621b/templated-dictionary-1.1.tar.gz"
+          "version": "1.4",
+          "downloadUrl": "https://github.com/xsuchy/templated-dictionary/archive/refs/tags/python-templated-dictionary-1.4-1.tar.gz"
         }
       }
     },
@@ -25283,8 +25403,8 @@
         "type": "other",
         "other": {
           "name": "rabbitmq-server",
-          "version": "3.13.0",
-          "downloadUrl": "https://github.com/rabbitmq/rabbitmq-server/releases/download/v3.13.0/rabbitmq-server-3.13.0.tar.xz"
+          "version": "3.13.7",
+          "downloadUrl": "https://github.com/rabbitmq/rabbitmq-server/releases/download/v3.13.7/rabbitmq-server-3.13.7.tar.xz"
         }
       }
     },
@@ -25423,8 +25543,8 @@
         "type": "other",
         "other": {
           "name": "realmd",
-          "version": "0.16.3",
-          "downloadUrl": "http://www.freedesktop.org/software/realmd/releases/realmd-0.16.3.tar.gz"
+          "version": "0.17.1",
+          "downloadUrl": "https://gitlab.freedesktop.org/realmd/realmd/-/archive/0.17.1/realmd-0.17.1.tar.gz"
         }
       }
     },
@@ -26654,8 +26774,8 @@
         "type": "other",
         "other": {
           "name": "rubygem-rexml",
-          "version": "3.2.8",
-          "downloadUrl": "https://github.com/ruby/rexml/archive/refs/tags/v3.2.8.tar.gz"
+          "version": "3.3.4",
+          "downloadUrl": "https://github.com/ruby/rexml/archive/refs/tags/v3.3.4.tar.gz"
         }
       }
     },
@@ -26974,8 +27094,8 @@
         "type": "other",
         "other": {
           "name": "samba",
-          "version": "4.12.5",
-          "downloadUrl": "https://ftp.samba.org/pub/samba/stable/samba-4.12.5.tar.gz"
+          "version": "4.18.3",
+          "downloadUrl": "https://ftp.samba.org/pub/samba/stable/samba-4.18.3.tar.gz"
         }
       }
     },
@@ -27945,9 +28065,9 @@
       "component": {
         "type": "other",
         "other": {
-          "name": "stress-ng",
-          "version": "0.18.02",
-          "downloadUrl": "https://github.com/ColinIanKing/stress-ng/archive/V0.18.02/stress-ng-0.18.02.tar.gz"
+          "name": "strace",
+          "version": "6.8",
+          "downloadUrl": "https://strace.io/files/6.8/strace-6.8.tar.xz"
         }
       }
     },
@@ -27955,9 +28075,9 @@
       "component": {
         "type": "other",
         "other": {
-          "name": "strace",
-          "version": "6.8",
-          "downloadUrl": "https://strace.io/files/6.8/strace-6.8.tar.xz"
+          "name": "stratis-cli",
+          "version": "2.0.1",
+          "downloadUrl": "https://github.com/stratis-storage/stratis-cli/archive/v2.0.1/stratis-cli-2.0.1.tar.gz"
         }
       }
     },
@@ -27965,9 +28085,9 @@
       "component": {
         "type": "other",
         "other": {
-          "name": "stratis-cli",
-          "version": "2.0.1",
-          "downloadUrl": "https://github.com/stratis-storage/stratis-cli/archive/v2.0.1/stratis-cli-2.0.1.tar.gz"
+          "name": "stress-ng",
+          "version": "0.18.02",
+          "downloadUrl": "https://github.com/ColinIanKing/stress-ng/archive/V0.18.02/stress-ng-0.18.02.tar.gz"
         }
       }
     },
@@ -28006,8 +28126,8 @@
         "type": "other",
         "other": {
           "name": "subunit",
-          "version": "1.4.0",
-          "downloadUrl": "https://launchpad.net/subunit/trunk/1.4.0/+download/subunit-1.4.0.tar.gz"
+          "version": "1.4.4",
+          "downloadUrl": "https://github.com/testing-cabal/subunit/archive/1.4.4/subunit-1.4.4.tar.gz"
         }
       }
     },
@@ -28176,8 +28296,8 @@
         "type": "other",
         "other": {
           "name": "sysstat",
-          "version": "12.7.4",
-          "downloadUrl": "https://github.com/sysstat/sysstat/archive/v12.7.4.tar.gz"
+          "version": "12.7.6",
+          "downloadUrl": "https://github.com/sysstat/sysstat/archive/v12.7.6.tar.gz"
         }
       }
     },
@@ -28376,8 +28496,8 @@
         "type": "other",
         "other": {
           "name": "tdnf",
-          "version": "3.5.6",
-          "downloadUrl": "https://github.com/vmware/tdnf/archive/v3.5.6.tar.gz"
+          "version": "3.5.8",
+          "downloadUrl": "https://github.com/vmware/tdnf/archive/v3.5.8.tar.gz"
         }
       }
     },
@@ -29046,8 +29166,8 @@
         "type": "other",
         "other": {
           "name": "usermode",
-          "version": "1.112",
-          "downloadUrl": "https://releases.pagure.org/usermode/usermode-1.112.autotoolized.tar.xz"
+          "version": "1.114",
+          "downloadUrl": "https://releases.pagure.org/usermode/usermode-1.114.tar.xz"
         }
       }
     },
@@ -29106,8 +29226,8 @@
         "type": "other",
         "other": {
           "name": "util-linux",
-          "version": "2.39.2",
-          "downloadUrl": "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.39/util-linux-2.39.2.tar.xz"
+          "version": "2.40.2",
+          "downloadUrl": "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.40/util-linux-2.40.2.tar.xz"
         }
       }
     },
@@ -29161,6 +29281,16 @@
         }
       }
     },
+    {
+      "component": {
+        "type": "other",
+        "other": {
+          "name": "valkey",
+          "version": "8.0.0",
+          "downloadUrl": "https://github.com/valkey-io/valkey/archive/refs/tags/8.0.0.tar.gz"
+        }
+      }
+    },
     {
       "component": {
         "type": "other",
diff --git a/toolkit/Makefile b/toolkit/Makefile
index 29bce885ba3..5e59df6d949 100644
--- a/toolkit/Makefile
+++ b/toolkit/Makefile
@@ -45,6 +45,8 @@ RUN_CHECK                            ?= n
 USE_PREVIEW_REPO                     ?= n
 DISABLE_UPSTREAM_REPOS               ?= n
 DISABLE_DEFAULT_REPOS                ?= n
+##help:var:REPO_SNAPSHOT_TIME:<posix_time>=Posix time to be used as a snapshot for remote repositories when fetching packages. Example: REPO_SNAPSHOT_TIME="1724119509".
+REPO_SNAPSHOT_TIME                   ?=
 TOOLCHAIN_CONTAINER_ARCHIVE          ?=
 TOOLCHAIN_ARCHIVE                    ?=
 TOOLCHAIN_SOURCES_ARCHIVE            ?=
@@ -256,7 +258,7 @@ include $(SCRIPTS_DIR)/repoquerywrapper.mk
 include $(SCRIPTS_DIR)/pkggen.mk
 
 # Create images with:
-#   image, iso, clean-imggen
+#   image, iso, clean-imagegen
 include $(SCRIPTS_DIR)/imggen.mk
 
 # Add make targets for sodiff to determine if additional packages are required to be recompiled:
diff --git a/toolkit/imageconfigs/minimal-os.json b/toolkit/imageconfigs/minimal-os.json
new file mode 100644
index 00000000000..5ba7b582218
--- /dev/null
+++ b/toolkit/imageconfigs/minimal-os.json
@@ -0,0 +1,55 @@
+{
+    "Disks": [
+        {
+            "PartitionTableType": "gpt",
+            "MaxSize": 500,
+            "Artifacts": [
+                {
+                    "Name": "minimal-os",
+                    "Type": "vhdx"
+                }
+            ],
+            "Partitions": [
+                {
+                    "ID": "boot",
+                    "Flags": [
+                        "esp",
+                        "boot"
+                    ],
+                    "Start": 1,
+                    "End": 9,
+                    "FsType": "fat32"
+                },
+                {
+                    "ID": "rootfs",
+                    "Start": 9,
+                    "End": 0,
+                    "FsType": "ext4"
+                }
+            ]
+        }
+    ],
+    "SystemConfigs": [
+        {
+            "Name": "Standard",
+            "BootType": "efi",
+            "PartitionSettings": [
+                {
+                    "ID": "boot",
+                    "MountPoint": "/boot/efi",
+                    "MountOptions": "umask=0077"
+                },
+                {
+                    "ID": "rootfs",
+                    "MountPoint": "/"
+                }
+            ],
+            "PackageLists": [
+                "packagelists/minimal-os-packages.json"
+            ],
+            "KernelOptions": {
+                "default": "kernel"
+            }
+        }
+    ]
+}
diff --git a/toolkit/imageconfigs/packagelists/core-packages-image-aarch64.json b/toolkit/imageconfigs/packagelists/core-packages-image-aarch64.json
index a6298a12c55..5419b6cacef 100644
--- a/toolkit/imageconfigs/packagelists/core-packages-image-aarch64.json
+++ b/toolkit/imageconfigs/packagelists/core-packages-image-aarch64.json
@@ -8,6 +8,7 @@
         "core-packages-base-image",
         "dracut-hostonly",
         "dracut-vrf",
+        "shadow-utils",
         "initramfs"
     ]
 }
diff --git a/toolkit/imageconfigs/packagelists/minimal-os-packages.json b/toolkit/imageconfigs/packagelists/minimal-os-packages.json
new file mode 100644
index 00000000000..50be8d0ce51
--- /dev/null
+++ b/toolkit/imageconfigs/packagelists/minimal-os-packages.json
@@ -0,0 +1,36 @@
+{
+    "packages": [
+        "azurelinux-release",
+        "azurelinux-repos",
+        "azurelinux-rpm-macros",
+        "bash",
+        "ca-certificates",
+        "ca-certificates-base",
+        "dbus",
+        "dracut-hostonly",
+        "e2fsprogs",
+        "filesystem",
+        "grub2",
+        "grub2-efi-binary",
+        "iana-etc",
+        "initramfs",
+        "iproute",
+        "iputils",
+        "irqbalance",
+        "ncurses-libs",
+        "openssl",
+        "rpm",
+        "rpm-libs",
+        "shadow-utils",
+        "shim",
+        "sudo",
+        "systemd",
+        "systemd-networkd",
+        "systemd-resolved",
+        "systemd-udev",
+        "tdnf",
+        "tdnf-plugin-repogpgcheck",
+        "util-linux",
+        "zlib"
+    ]
+}
diff --git a/toolkit/imageconfigs/scripts/setup_cvm_image.sh b/toolkit/imageconfigs/scripts/setup_cvm_image.sh
index dc2267eda17..886b3b0ed21 100755
--- a/toolkit/imageconfigs/scripts/setup_cvm_image.sh
+++ b/toolkit/imageconfigs/scripts/setup_cvm_image.sh
@@ -4,32 +4,12 @@
 
 set -e
 
-EFIDIR="BOOT"
-KERNEL_VERSION=""
-
-# Image generation is done in a chroot environment, so running `uname -r`
-# will return the version of the host running kernel. This function works
-# under the assumption that exactly one kernel is installed in the end image.
-get_kernel_version() {
-    kernel_modules_dir="/usr/lib/modules"
-    KERNEL_VERSION="$(ls $kernel_modules_dir)"
-}
-
+# set up ESP under /efi
 # symlink /boot/efi to ../efi
 cp -a /boot/efi/. /efi
 rm -rf /boot/efi
 ln -s ../efi /boot/efi
 
-# The shim has its default boot-loader filename built in as grubx64.efi.
-# To switch to systemd-boot, we overwrite that file location with the
-# sd-boot EFI binary as a workaround.
-cp /lib/systemd/boot/efi/systemd-bootx64.efi /efi/EFI/$EFIDIR/grubx64.efi
-
 # empty /etc/fstab file
 echo > /etc/fstab
 
-# copy UKI into the ESP
-mkdir -p /efi/EFI/Linux
-get_kernel_version
-echo "Kernel version = $KERNEL_VERSION"
-cp /lib/modules/$KERNEL_VERSION/vmlinuz-uki.efi /efi/EFI/Linux/vmlinuz-uki-$KERNEL_VERSION.efi
diff --git a/toolkit/pkgbld.sh b/toolkit/pkgbld.sh
index 07b8144020b..8416d0d5e94 100755
--- a/toolkit/pkgbld.sh
+++ b/toolkit/pkgbld.sh
@@ -11,7 +11,7 @@ RC=n
 WCREFRESH=y
 SDIR=../SPECS
 USEPKGBLDCACHE=y
-
+USECCACHE=y
 helpFuncion () {
 	echo ""
 	echo "Build a package(s) for 3.0 locally:"
@@ -24,6 +24,7 @@ helpFuncion () {
         echo "  -f  : Force a Rebuild"
         echo "  -n  : Cleanup input-srpms expand-srpms"
         echo "  -d  : [DryRun] Show the command to be executed"
+	echo "  -x  : Disable build using ccache (Default USE_CCACHE=y)"
 	echo ""
 	echo "Examples:"
 	echo "[inside the toolkit dir]"
@@ -43,7 +44,7 @@ helpFuncion () {
 }
 
 
-while getopts "hs:b:cp:rfnd" opt
+while getopts "hs:b:cp:rfndx" opt
 do
 	case "$opt" in
 		h ) helpVar=y;;
@@ -55,6 +56,7 @@ do
 		f ) forceVar=y;;
 		n ) nukeVar=y;;
 		d ) dryrunVar=y;;
+		x ) cacheVar=y;;
 	esac
 done
 shift $((OPTIND - 1))
@@ -103,6 +105,11 @@ then
 	USEPKGBLDCACHE=n
 fi
 
+if [ -n "$cacheVar" ]
+then
+	USECCACHE=n
+fi
+
 if [ -n "$nukeVar" ]
 then
 	echo "Cleaning up expanded specs and input srpms"
@@ -113,6 +120,8 @@ if [ -n "$dryrunVar" ]
 then
 	echo "sudo make build-packages \ "
 	echo "     REBUILD_TOOLS=y \ "
+	echo "     QUICK_REBUILD_PACKAGES=y \ "
+	echo "     USE_CCACHE=${USECCACHE} \ "
 	echo "     PACKAGE_REBUILD_LIST="${TOBUILD}" \ ";
 	echo "     SRPM_PACK_LIST="${TOBUILD}" \ ";
 	echo "     RUN_CHECK=$RC \ ";
@@ -131,6 +140,8 @@ fi
 
 sudo make build-packages \
 	REBUILD_TOOLS=y \
+	QUICK_REBUILD_PACKAGES=y \
+	USE_CCACHE=${USECCACHE} \
 	PACKAGE_REBUILD_LIST="${TOBUILD}" \
 	SRPM_PACK_LIST="${TOBUILD}" \
 	RUN_CHECK=$RC \
diff --git a/toolkit/resources/imageconfigs/additionalfiles/iso_initrd/root/runliveinstaller b/toolkit/resources/imageconfigs/additionalfiles/iso_initrd/root/runliveinstaller
index 1fe417f94a2..22cb4741cc9 100755
--- a/toolkit/resources/imageconfigs/additionalfiles/iso_initrd/root/runliveinstaller
+++ b/toolkit/resources/imageconfigs/additionalfiles/iso_initrd/root/runliveinstaller
@@ -143,8 +143,13 @@ cd /installer
 # Turn off echoing while the installer runs to stop sensitive data from rendering in the TTY session.
 stty -echo
 
+# add call to static time file to populate liveinstaller option here
+if [[ -f "$CONFIG_ROOT/repo-snapshot-time.txt" ]]; then
+REPO_TIME=$(cat /"$CONFIG_ROOT/repo-snapshot-time.txt")
+fi
+
 ./liveinstaller --base-dir $CONFIG_ROOT --imager /installer/imager --input $UNATTENDED_CONFIG_FILE --template-config $CONFIG_ROOT/attended_config.json \
-                --build-dir $PWD --log-file=/installer/log.txt
+                --build-dir $PWD --log-file=/installer/log.txt --repo-snapshot-time="$REPO_TIME"
 installerExitCode=$?
 
 # Consume any buffered stdin to prevent it from being passed to any future programs,
diff --git a/toolkit/resources/manifests/package/macros.override b/toolkit/resources/manifests/package/macros.override
index 676ff0a04ba..0f7a0df28a7 100644
--- a/toolkit/resources/manifests/package/macros.override
+++ b/toolkit/resources/manifests/package/macros.override
@@ -13,9 +13,7 @@
 %skip_check_socat 1
 
 # Check hangs
-%skip_check_glibc 1
 %skip_check_gtk_doc 1
-%skip_check_tdnf 1
 %skip_check_vim 1
 
 # We are missing many of the dependency packages for the Dracut tests
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 754b2681ebe..87169d839ef 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -1,13 +1,13 @@
 filesystem-1.1-21.azl3.aarch64.rpm
-kernel-headers-6.6.47.1-1.azl3.noarch.rpm
-glibc-2.38-7.azl3.aarch64.rpm
-glibc-devel-2.38-7.azl3.aarch64.rpm
-glibc-i18n-2.38-7.azl3.aarch64.rpm
-glibc-iconv-2.38-7.azl3.aarch64.rpm
-glibc-lang-2.38-7.azl3.aarch64.rpm
-glibc-locales-all-2.38-7.azl3.aarch64.rpm
-glibc-nscd-2.38-7.azl3.aarch64.rpm
-glibc-tools-2.38-7.azl3.aarch64.rpm
+kernel-headers-6.6.51.1-5.azl3.noarch.rpm
+glibc-2.38-8.azl3.aarch64.rpm
+glibc-devel-2.38-8.azl3.aarch64.rpm
+glibc-i18n-2.38-8.azl3.aarch64.rpm
+glibc-iconv-2.38-8.azl3.aarch64.rpm
+glibc-lang-2.38-8.azl3.aarch64.rpm
+glibc-locales-all-2.38-8.azl3.aarch64.rpm
+glibc-nscd-2.38-8.azl3.aarch64.rpm
+glibc-tools-2.38-8.azl3.aarch64.rpm
 zlib-1.3.1-1.azl3.aarch64.rpm
 zlib-devel-1.3.1-1.azl3.aarch64.rpm
 file-5.45-1.azl3.aarch64.rpm
@@ -70,9 +70,9 @@ make-4.4.1-2.azl3.aarch64.rpm
 patch-2.7.6-9.azl3.aarch64.rpm
 libcap-ng-0.8.4-1.azl3.aarch64.rpm
 libcap-ng-devel-0.8.4-1.azl3.aarch64.rpm
-util-linux-2.39.2-1.azl3.aarch64.rpm
-util-linux-devel-2.39.2-1.azl3.aarch64.rpm
-util-linux-libs-2.39.2-1.azl3.aarch64.rpm
+util-linux-2.40.2-1.azl3.aarch64.rpm
+util-linux-devel-2.40.2-1.azl3.aarch64.rpm
+util-linux-libs-2.40.2-1.azl3.aarch64.rpm
 tar-1.35-1.azl3.aarch64.rpm
 xz-5.4.4-1.azl3.aarch64.rpm
 xz-devel-5.4.4-1.azl3.aarch64.rpm
@@ -99,9 +99,9 @@ elfutils-libelf-0.189-3.azl3.aarch64.rpm
 elfutils-libelf-devel-0.189-3.azl3.aarch64.rpm
 elfutils-libelf-devel-static-0.189-3.azl3.aarch64.rpm
 elfutils-libelf-lang-0.189-3.azl3.aarch64.rpm
-expat-2.6.2-1.azl3.aarch64.rpm
-expat-devel-2.6.2-1.azl3.aarch64.rpm
-expat-libs-2.6.2-1.azl3.aarch64.rpm
+expat-2.6.3-1.azl3.aarch64.rpm
+expat-devel-2.6.3-1.azl3.aarch64.rpm
+expat-libs-2.6.3-1.azl3.aarch64.rpm
 libpipeline-1.5.7-1.azl3.aarch64.rpm
 libpipeline-devel-1.5.7-1.azl3.aarch64.rpm
 gdbm-1.23-1.azl3.aarch64.rpm
@@ -170,11 +170,11 @@ gtk-doc-1.33.2-1.azl3.noarch.rpm
 autoconf-2.72-2.azl3.noarch.rpm
 automake-1.16.5-2.azl3.noarch.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.0-2.azl3.aarch64.rpm
-openssl-devel-3.3.0-2.azl3.aarch64.rpm
-openssl-libs-3.3.0-2.azl3.aarch64.rpm
-openssl-perl-3.3.0-2.azl3.aarch64.rpm
-openssl-static-3.3.0-2.azl3.aarch64.rpm
+openssl-3.3.2-1.azl3.aarch64.rpm
+openssl-devel-3.3.2-1.azl3.aarch64.rpm
+openssl-libs-3.3.2-1.azl3.aarch64.rpm
+openssl-perl-3.3.2-1.azl3.aarch64.rpm
+openssl-static-3.3.2-1.azl3.aarch64.rpm
 libcap-2.69-1.azl3.aarch64.rpm
 libcap-devel-2.69-1.azl3.aarch64.rpm
 debugedit-5.0-2.azl3.aarch64.rpm
@@ -189,32 +189,32 @@ rpm-libs-4.18.2-1.azl3.aarch64.rpm
 cpio-2.14-1.azl3.aarch64.rpm
 cpio-lang-2.14-1.azl3.aarch64.rpm
 e2fsprogs-libs-1.47.0-2.azl3.aarch64.rpm
-libsolv-0.7.28-1.azl3.aarch64.rpm
-libsolv-devel-0.7.28-1.azl3.aarch64.rpm
+libsolv-0.7.28-2.azl3.aarch64.rpm
+libsolv-devel-0.7.28-2.azl3.aarch64.rpm
 libssh2-1.11.0-1.azl3.aarch64.rpm
 libssh2-devel-1.11.0-1.azl3.aarch64.rpm
-krb5-1.21.3-1.azl3.aarch64.rpm
+krb5-1.21.3-2.azl3.aarch64.rpm
 nghttp2-1.61.0-2.azl3.aarch64.rpm
-curl-8.8.0-1.azl3.aarch64.rpm
-curl-devel-8.8.0-1.azl3.aarch64.rpm
-curl-libs-8.8.0-1.azl3.aarch64.rpm
+curl-8.8.0-2.azl3.aarch64.rpm
+curl-devel-8.8.0-2.azl3.aarch64.rpm
+curl-libs-8.8.0-2.azl3.aarch64.rpm
 createrepo_c-1.0.3-1.azl3.aarch64.rpm
 libxml2-2.11.5-1.azl3.aarch64.rpm
 libxml2-devel-2.11.5-1.azl3.aarch64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
-docbook-style-xsl-1.79.1-13.azl3.noarch.rpm
+docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 libsepol-3.6-1.azl3.aarch64.rpm
 glib-2.78.1-4.azl3.aarch64.rpm
 libltdl-2.4.7-1.azl3.aarch64.rpm
 libltdl-devel-2.4.7-1.azl3.aarch64.rpm
 lua-5.4.6-1.azl3.aarch64.rpm
 lua-libs-5.4.6-1.azl3.aarch64.rpm
-azurelinux-rpm-macros-3.0-6.azl3.noarch.rpm
-azurelinux-check-macros-3.0-6.azl3.noarch.rpm
-tdnf-3.5.6-2.azl3.aarch64.rpm
-tdnf-cli-libs-3.5.6-2.azl3.aarch64.rpm
-tdnf-devel-3.5.6-2.azl3.aarch64.rpm
-tdnf-plugin-repogpgcheck-3.5.6-2.azl3.aarch64.rpm
+azurelinux-rpm-macros-3.0-7.azl3.noarch.rpm
+azurelinux-check-macros-3.0-7.azl3.noarch.rpm
+tdnf-3.5.8-3.azl3.aarch64.rpm
+tdnf-cli-libs-3.5.8-3.azl3.aarch64.rpm
+tdnf-devel-3.5.8-3.azl3.aarch64.rpm
+tdnf-plugin-repogpgcheck-3.5.8-3.azl3.aarch64.rpm
 libassuan-2.5.6-1.azl3.aarch64.rpm
 libassuan-devel-2.5.6-1.azl3.aarch64.rpm
 libgpg-error-1.47-1.azl3.aarch64.rpm
@@ -240,10 +240,10 @@ ca-certificates-base-3.0.0-7.azl3.noarch.rpm
 ca-certificates-3.0.0-7.azl3.noarch.rpm
 dwz-0.14-2.azl3.aarch64.rpm
 unzip-6.0-20.azl3.aarch64.rpm
-python3-3.12.3-2.azl3.aarch64.rpm
-python3-devel-3.12.3-2.azl3.aarch64.rpm
-python3-libs-3.12.3-2.azl3.aarch64.rpm
-python3-setuptools-69.0.3-3.azl3.noarch.rpm
+python3-3.12.3-4.azl3.aarch64.rpm
+python3-devel-3.12.3-4.azl3.aarch64.rpm
+python3-libs-3.12.3-4.azl3.aarch64.rpm
+python3-setuptools-69.0.3-4.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 which-2.21-8.azl3.aarch64.rpm
 libselinux-3.6-3.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index eb8a7ff5159..1f71b3cd6dd 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -1,13 +1,13 @@
 filesystem-1.1-21.azl3.x86_64.rpm
-kernel-headers-6.6.47.1-1.azl3.noarch.rpm
-glibc-2.38-7.azl3.x86_64.rpm
-glibc-devel-2.38-7.azl3.x86_64.rpm
-glibc-i18n-2.38-7.azl3.x86_64.rpm
-glibc-iconv-2.38-7.azl3.x86_64.rpm
-glibc-lang-2.38-7.azl3.x86_64.rpm
-glibc-locales-all-2.38-7.azl3.x86_64.rpm
-glibc-nscd-2.38-7.azl3.x86_64.rpm
-glibc-tools-2.38-7.azl3.x86_64.rpm
+kernel-headers-6.6.51.1-5.azl3.noarch.rpm
+glibc-2.38-8.azl3.x86_64.rpm
+glibc-devel-2.38-8.azl3.x86_64.rpm
+glibc-i18n-2.38-8.azl3.x86_64.rpm
+glibc-iconv-2.38-8.azl3.x86_64.rpm
+glibc-lang-2.38-8.azl3.x86_64.rpm
+glibc-locales-all-2.38-8.azl3.x86_64.rpm
+glibc-nscd-2.38-8.azl3.x86_64.rpm
+glibc-tools-2.38-8.azl3.x86_64.rpm
 zlib-1.3.1-1.azl3.x86_64.rpm
 zlib-devel-1.3.1-1.azl3.x86_64.rpm
 file-5.45-1.azl3.x86_64.rpm
@@ -70,9 +70,9 @@ make-4.4.1-2.azl3.x86_64.rpm
 patch-2.7.6-9.azl3.x86_64.rpm
 libcap-ng-0.8.4-1.azl3.x86_64.rpm
 libcap-ng-devel-0.8.4-1.azl3.x86_64.rpm
-util-linux-2.39.2-1.azl3.x86_64.rpm
-util-linux-devel-2.39.2-1.azl3.x86_64.rpm
-util-linux-libs-2.39.2-1.azl3.x86_64.rpm
+util-linux-2.40.2-1.azl3.x86_64.rpm
+util-linux-devel-2.40.2-1.azl3.x86_64.rpm
+util-linux-libs-2.40.2-1.azl3.x86_64.rpm
 tar-1.35-1.azl3.x86_64.rpm
 xz-5.4.4-1.azl3.x86_64.rpm
 xz-devel-5.4.4-1.azl3.x86_64.rpm
@@ -99,9 +99,9 @@ elfutils-libelf-0.189-3.azl3.x86_64.rpm
 elfutils-libelf-devel-0.189-3.azl3.x86_64.rpm
 elfutils-libelf-devel-static-0.189-3.azl3.x86_64.rpm
 elfutils-libelf-lang-0.189-3.azl3.x86_64.rpm
-expat-2.6.2-1.azl3.x86_64.rpm
-expat-devel-2.6.2-1.azl3.x86_64.rpm
-expat-libs-2.6.2-1.azl3.x86_64.rpm
+expat-2.6.3-1.azl3.x86_64.rpm
+expat-devel-2.6.3-1.azl3.x86_64.rpm
+expat-libs-2.6.3-1.azl3.x86_64.rpm
 libpipeline-1.5.7-1.azl3.x86_64.rpm
 libpipeline-devel-1.5.7-1.azl3.x86_64.rpm
 gdbm-1.23-1.azl3.x86_64.rpm
@@ -170,11 +170,11 @@ gtk-doc-1.33.2-1.azl3.noarch.rpm
 autoconf-2.72-2.azl3.noarch.rpm
 automake-1.16.5-2.azl3.noarch.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.0-2.azl3.x86_64.rpm
-openssl-devel-3.3.0-2.azl3.x86_64.rpm
-openssl-libs-3.3.0-2.azl3.x86_64.rpm
-openssl-perl-3.3.0-2.azl3.x86_64.rpm
-openssl-static-3.3.0-2.azl3.x86_64.rpm
+openssl-3.3.2-1.azl3.x86_64.rpm
+openssl-devel-3.3.2-1.azl3.x86_64.rpm
+openssl-libs-3.3.2-1.azl3.x86_64.rpm
+openssl-perl-3.3.2-1.azl3.x86_64.rpm
+openssl-static-3.3.2-1.azl3.x86_64.rpm
 libcap-2.69-1.azl3.x86_64.rpm
 libcap-devel-2.69-1.azl3.x86_64.rpm
 debugedit-5.0-2.azl3.x86_64.rpm
@@ -189,32 +189,32 @@ rpm-libs-4.18.2-1.azl3.x86_64.rpm
 cpio-2.14-1.azl3.x86_64.rpm
 cpio-lang-2.14-1.azl3.x86_64.rpm
 e2fsprogs-libs-1.47.0-2.azl3.x86_64.rpm
-libsolv-0.7.28-1.azl3.x86_64.rpm
-libsolv-devel-0.7.28-1.azl3.x86_64.rpm
+libsolv-0.7.28-2.azl3.x86_64.rpm
+libsolv-devel-0.7.28-2.azl3.x86_64.rpm
 libssh2-1.11.0-1.azl3.x86_64.rpm
 libssh2-devel-1.11.0-1.azl3.x86_64.rpm
-krb5-1.21.3-1.azl3.x86_64.rpm
+krb5-1.21.3-2.azl3.x86_64.rpm
 nghttp2-1.61.0-2.azl3.x86_64.rpm
-curl-8.8.0-1.azl3.x86_64.rpm
-curl-devel-8.8.0-1.azl3.x86_64.rpm
-curl-libs-8.8.0-1.azl3.x86_64.rpm
+curl-8.8.0-2.azl3.x86_64.rpm
+curl-devel-8.8.0-2.azl3.x86_64.rpm
+curl-libs-8.8.0-2.azl3.x86_64.rpm
 createrepo_c-1.0.3-1.azl3.x86_64.rpm
 libxml2-2.11.5-1.azl3.x86_64.rpm
 libxml2-devel-2.11.5-1.azl3.x86_64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
-docbook-style-xsl-1.79.1-13.azl3.noarch.rpm
+docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 libsepol-3.6-1.azl3.x86_64.rpm
 glib-2.78.1-4.azl3.x86_64.rpm
 libltdl-2.4.7-1.azl3.x86_64.rpm
 libltdl-devel-2.4.7-1.azl3.x86_64.rpm
 lua-5.4.6-1.azl3.x86_64.rpm
 lua-libs-5.4.6-1.azl3.x86_64.rpm
-azurelinux-rpm-macros-3.0-6.azl3.noarch.rpm
-azurelinux-check-macros-3.0-6.azl3.noarch.rpm
-tdnf-3.5.6-2.azl3.x86_64.rpm
-tdnf-cli-libs-3.5.6-2.azl3.x86_64.rpm
-tdnf-devel-3.5.6-2.azl3.x86_64.rpm
-tdnf-plugin-repogpgcheck-3.5.6-2.azl3.x86_64.rpm
+azurelinux-rpm-macros-3.0-7.azl3.noarch.rpm
+azurelinux-check-macros-3.0-7.azl3.noarch.rpm
+tdnf-3.5.8-3.azl3.x86_64.rpm
+tdnf-cli-libs-3.5.8-3.azl3.x86_64.rpm
+tdnf-devel-3.5.8-3.azl3.x86_64.rpm
+tdnf-plugin-repogpgcheck-3.5.8-3.azl3.x86_64.rpm
 libassuan-2.5.6-1.azl3.x86_64.rpm
 libassuan-devel-2.5.6-1.azl3.x86_64.rpm
 libgpg-error-1.47-1.azl3.x86_64.rpm
@@ -240,10 +240,10 @@ ca-certificates-base-3.0.0-7.azl3.noarch.rpm
 ca-certificates-3.0.0-7.azl3.noarch.rpm
 dwz-0.14-2.azl3.x86_64.rpm
 unzip-6.0-20.azl3.x86_64.rpm
-python3-3.12.3-2.azl3.x86_64.rpm
-python3-devel-3.12.3-2.azl3.x86_64.rpm
-python3-libs-3.12.3-2.azl3.x86_64.rpm
-python3-setuptools-69.0.3-3.azl3.noarch.rpm
+python3-3.12.3-4.azl3.x86_64.rpm
+python3-devel-3.12.3-4.azl3.x86_64.rpm
+python3-libs-3.12.3-4.azl3.x86_64.rpm
+python3-setuptools-69.0.3-4.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 which-2.21-8.azl3.x86_64.rpm
 libselinux-3.6-3.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 2e82e43275e..1f1819d759e 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -9,7 +9,7 @@ audit-devel-3.1.2-1.azl3.aarch64.rpm
 audit-libs-3.1.2-1.azl3.aarch64.rpm
 autoconf-2.72-2.azl3.noarch.rpm
 automake-1.16.5-2.azl3.noarch.rpm
-azurelinux-check-macros-3.0-6.azl3.noarch.rpm
+azurelinux-check-macros-3.0-7.azl3.noarch.rpm
 azurelinux-repos-3.0-3.azl3.noarch.rpm
 azurelinux-repos-debug-3.0-3.azl3.noarch.rpm
 azurelinux-repos-debug-preview-3.0-3.azl3.noarch.rpm
@@ -23,7 +23,7 @@ azurelinux-repos-ms-oss-3.0-3.azl3.noarch.rpm
 azurelinux-repos-ms-oss-preview-3.0-3.azl3.noarch.rpm
 azurelinux-repos-preview-3.0-3.azl3.noarch.rpm
 azurelinux-repos-shared-3.0-3.azl3.noarch.rpm
-azurelinux-rpm-macros-3.0-6.azl3.noarch.rpm
+azurelinux-rpm-macros-3.0-7.azl3.noarch.rpm
 bash-5.2.15-3.azl3.aarch64.rpm
 bash-debuginfo-5.2.15-3.azl3.aarch64.rpm
 bash-devel-5.2.15-3.azl3.aarch64.rpm
@@ -42,8 +42,8 @@ ca-certificates-base-3.0.0-7.azl3.noarch.rpm
 ca-certificates-legacy-3.0.0-7.azl3.noarch.rpm
 ca-certificates-shared-3.0.0-7.azl3.noarch.rpm
 ca-certificates-tools-3.0.0-7.azl3.noarch.rpm
-ccache-4.8.3-1.azl3.aarch64.rpm
-ccache-debuginfo-4.8.3-1.azl3.aarch64.rpm
+ccache-4.8.3-3.azl3.aarch64.rpm
+ccache-debuginfo-4.8.3-3.azl3.aarch64.rpm
 check-0.15.2-1.azl3.aarch64.rpm
 check-debuginfo-0.15.2-1.azl3.aarch64.rpm
 chkconfig-1.25-1.azl3.aarch64.rpm
@@ -65,17 +65,17 @@ cracklib-lang-2.9.11-1.azl3.aarch64.rpm
 createrepo_c-1.0.3-1.azl3.aarch64.rpm
 createrepo_c-debuginfo-1.0.3-1.azl3.aarch64.rpm
 createrepo_c-devel-1.0.3-1.azl3.aarch64.rpm
-curl-8.8.0-1.azl3.aarch64.rpm
-curl-debuginfo-8.8.0-1.azl3.aarch64.rpm
-curl-devel-8.8.0-1.azl3.aarch64.rpm
-curl-libs-8.8.0-1.azl3.aarch64.rpm
+curl-8.8.0-2.azl3.aarch64.rpm
+curl-debuginfo-8.8.0-2.azl3.aarch64.rpm
+curl-devel-8.8.0-2.azl3.aarch64.rpm
+curl-libs-8.8.0-2.azl3.aarch64.rpm
 Cython-debuginfo-3.0.5-2.azl3.aarch64.rpm
 debugedit-5.0-2.azl3.aarch64.rpm
 debugedit-debuginfo-5.0-2.azl3.aarch64.rpm
 diffutils-3.10-1.azl3.aarch64.rpm
 diffutils-debuginfo-3.10-1.azl3.aarch64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
-docbook-style-xsl-1.79.1-13.azl3.noarch.rpm
+docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 dwz-0.14-2.azl3.aarch64.rpm
 dwz-debuginfo-0.14-2.azl3.aarch64.rpm
 e2fsprogs-1.47.0-2.azl3.aarch64.rpm
@@ -92,10 +92,10 @@ elfutils-libelf-0.189-3.azl3.aarch64.rpm
 elfutils-libelf-devel-0.189-3.azl3.aarch64.rpm
 elfutils-libelf-devel-static-0.189-3.azl3.aarch64.rpm
 elfutils-libelf-lang-0.189-3.azl3.aarch64.rpm
-expat-2.6.2-1.azl3.aarch64.rpm
-expat-debuginfo-2.6.2-1.azl3.aarch64.rpm
-expat-devel-2.6.2-1.azl3.aarch64.rpm
-expat-libs-2.6.2-1.azl3.aarch64.rpm
+expat-2.6.3-1.azl3.aarch64.rpm
+expat-debuginfo-2.6.3-1.azl3.aarch64.rpm
+expat-devel-2.6.3-1.azl3.aarch64.rpm
+expat-libs-2.6.3-1.azl3.aarch64.rpm
 file-5.45-1.azl3.aarch64.rpm
 file-debuginfo-5.45-1.azl3.aarch64.rpm
 file-devel-5.45-1.azl3.aarch64.rpm
@@ -125,16 +125,16 @@ glib-debuginfo-2.78.1-4.azl3.aarch64.rpm
 glib-devel-2.78.1-4.azl3.aarch64.rpm
 glib-doc-2.78.1-4.azl3.noarch.rpm
 glib-schemas-2.78.1-4.azl3.aarch64.rpm
-glibc-2.38-7.azl3.aarch64.rpm
-glibc-debuginfo-2.38-7.azl3.aarch64.rpm
-glibc-devel-2.38-7.azl3.aarch64.rpm
-glibc-i18n-2.38-7.azl3.aarch64.rpm
-glibc-iconv-2.38-7.azl3.aarch64.rpm
-glibc-lang-2.38-7.azl3.aarch64.rpm
-glibc-locales-all-2.38-7.azl3.aarch64.rpm
-glibc-nscd-2.38-7.azl3.aarch64.rpm
-glibc-static-2.38-7.azl3.aarch64.rpm
-glibc-tools-2.38-7.azl3.aarch64.rpm
+glibc-2.38-8.azl3.aarch64.rpm
+glibc-debuginfo-2.38-8.azl3.aarch64.rpm
+glibc-devel-2.38-8.azl3.aarch64.rpm
+glibc-i18n-2.38-8.azl3.aarch64.rpm
+glibc-iconv-2.38-8.azl3.aarch64.rpm
+glibc-lang-2.38-8.azl3.aarch64.rpm
+glibc-locales-all-2.38-8.azl3.aarch64.rpm
+glibc-nscd-2.38-8.azl3.aarch64.rpm
+glibc-static-2.38-8.azl3.aarch64.rpm
+glibc-tools-2.38-8.azl3.aarch64.rpm
 gmp-6.3.0-1.azl3.aarch64.rpm
 gmp-debuginfo-6.3.0-1.azl3.aarch64.rpm
 gmp-devel-6.3.0-1.azl3.aarch64.rpm
@@ -156,14 +156,14 @@ intltool-0.51.0-7.azl3.noarch.rpm
 itstool-2.0.7-1.azl3.noarch.rpm
 kbd-2.2.0-2.azl3.aarch64.rpm
 kbd-debuginfo-2.2.0-2.azl3.aarch64.rpm
-kernel-headers-6.6.47.1-1.azl3.noarch.rpm
+kernel-headers-6.6.51.1-5.azl3.noarch.rpm
 kmod-30-1.azl3.aarch64.rpm
 kmod-debuginfo-30-1.azl3.aarch64.rpm
 kmod-devel-30-1.azl3.aarch64.rpm
-krb5-1.21.3-1.azl3.aarch64.rpm
-krb5-debuginfo-1.21.3-1.azl3.aarch64.rpm
-krb5-devel-1.21.3-1.azl3.aarch64.rpm
-krb5-lang-1.21.3-1.azl3.aarch64.rpm
+krb5-1.21.3-2.azl3.aarch64.rpm
+krb5-debuginfo-1.21.3-2.azl3.aarch64.rpm
+krb5-devel-1.21.3-2.azl3.aarch64.rpm
+krb5-lang-1.21.3-2.azl3.aarch64.rpm
 libacl-2.3.1-2.azl3.aarch64.rpm
 libacl-devel-2.3.1-2.azl3.aarch64.rpm
 libarchive-3.7.1-2.azl3.aarch64.rpm
@@ -223,10 +223,10 @@ libselinux-utils-3.6-3.azl3.aarch64.rpm
 libsepol-3.6-1.azl3.aarch64.rpm
 libsepol-debuginfo-3.6-1.azl3.aarch64.rpm
 libsepol-devel-3.6-1.azl3.aarch64.rpm
-libsolv-0.7.28-1.azl3.aarch64.rpm
-libsolv-debuginfo-0.7.28-1.azl3.aarch64.rpm
-libsolv-devel-0.7.28-1.azl3.aarch64.rpm
-libsolv-tools-0.7.28-1.azl3.aarch64.rpm
+libsolv-0.7.28-2.azl3.aarch64.rpm
+libsolv-debuginfo-0.7.28-2.azl3.aarch64.rpm
+libsolv-devel-0.7.28-2.azl3.aarch64.rpm
+libsolv-tools-0.7.28-2.azl3.aarch64.rpm
 libssh2-1.11.0-1.azl3.aarch64.rpm
 libssh2-debuginfo-1.11.0-1.azl3.aarch64.rpm
 libssh2-devel-1.11.0-1.azl3.aarch64.rpm
@@ -285,12 +285,12 @@ npth-debuginfo-1.6-4.azl3.aarch64.rpm
 npth-devel-1.6-4.azl3.aarch64.rpm
 ntsysv-1.25-1.azl3.aarch64.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.0-2.azl3.aarch64.rpm
-openssl-debuginfo-3.3.0-2.azl3.aarch64.rpm
-openssl-devel-3.3.0-2.azl3.aarch64.rpm
-openssl-libs-3.3.0-2.azl3.aarch64.rpm
-openssl-perl-3.3.0-2.azl3.aarch64.rpm
-openssl-static-3.3.0-2.azl3.aarch64.rpm
+openssl-3.3.2-1.azl3.aarch64.rpm
+openssl-debuginfo-3.3.2-1.azl3.aarch64.rpm
+openssl-devel-3.3.2-1.azl3.aarch64.rpm
+openssl-libs-3.3.2-1.azl3.aarch64.rpm
+openssl-perl-3.3.2-1.azl3.aarch64.rpm
+openssl-static-3.3.2-1.azl3.aarch64.rpm
 p11-kit-0.25.0-1.azl3.aarch64.rpm
 p11-kit-debuginfo-0.25.0-1.azl3.aarch64.rpm
 p11-kit-devel-0.25.0-1.azl3.aarch64.rpm
@@ -529,31 +529,31 @@ pyproject-rpm-macros-1.12.0-2.azl3.noarch.rpm
 pyproject-srpm-macros-1.12.0-2.azl3.noarch.rpm
 python-markupsafe-debuginfo-2.1.3-1.azl3.aarch64.rpm
 python-wheel-wheel-0.43.0-1.azl3.noarch.rpm
-python3-3.12.3-2.azl3.aarch64.rpm
+python3-3.12.3-4.azl3.aarch64.rpm
 python3-audit-3.1.2-1.azl3.aarch64.rpm
 python3-cracklib-2.9.11-1.azl3.aarch64.rpm
-python3-curses-3.12.3-2.azl3.aarch64.rpm
+python3-curses-3.12.3-4.azl3.aarch64.rpm
 python3-Cython-3.0.5-2.azl3.aarch64.rpm
-python3-debuginfo-3.12.3-2.azl3.aarch64.rpm
-python3-devel-3.12.3-2.azl3.aarch64.rpm
+python3-debuginfo-3.12.3-4.azl3.aarch64.rpm
+python3-devel-3.12.3-4.azl3.aarch64.rpm
 python3-flit-core-3.9.0-1.azl3.noarch.rpm
 python3-gpg-1.23.2-2.azl3.aarch64.rpm
 python3-jinja2-3.1.2-1.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.aarch64.rpm
-python3-libs-3.12.3-2.azl3.aarch64.rpm
+python3-libs-3.12.3-4.azl3.aarch64.rpm
 python3-libxml2-2.11.5-1.azl3.aarch64.rpm
 python3-lxml-4.9.3-1.azl3.aarch64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.aarch64.rpm
 python3-newt-0.52.23-1.azl3.aarch64.rpm
 python3-packaging-23.2-3.azl3.noarch.rpm
-python3-pip-24.0-1.azl3.noarch.rpm
+python3-pip-24.0-2.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.aarch64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm
-python3-setuptools-69.0.3-3.azl3.noarch.rpm
-python3-test-3.12.3-2.azl3.aarch64.rpm
-python3-tools-3.12.3-2.azl3.aarch64.rpm
+python3-setuptools-69.0.3-4.azl3.noarch.rpm
+python3-test-3.12.3-4.azl3.aarch64.rpm
+python3-tools-3.12.3-4.azl3.aarch64.rpm
 python3-wheel-0.43.0-1.azl3.noarch.rpm
 readline-8.2-1.azl3.aarch64.rpm
 readline-debuginfo-8.2-1.azl3.aarch64.rpm
@@ -584,23 +584,23 @@ systemd-bootstrap-libs-250.3-17.azl3.aarch64.rpm
 systemd-bootstrap-rpm-macros-250.3-17.azl3.noarch.rpm
 tar-1.35-1.azl3.aarch64.rpm
 tar-debuginfo-1.35-1.azl3.aarch64.rpm
-tdnf-3.5.6-2.azl3.aarch64.rpm
-tdnf-autoupdate-3.5.6-2.azl3.aarch64.rpm
-tdnf-cli-libs-3.5.6-2.azl3.aarch64.rpm
-tdnf-debuginfo-3.5.6-2.azl3.aarch64.rpm
-tdnf-devel-3.5.6-2.azl3.aarch64.rpm
-tdnf-plugin-metalink-3.5.6-2.azl3.aarch64.rpm
-tdnf-plugin-repogpgcheck-3.5.6-2.azl3.aarch64.rpm
-tdnf-python-3.5.6-2.azl3.aarch64.rpm
+tdnf-3.5.8-3.azl3.aarch64.rpm
+tdnf-autoupdate-3.5.8-3.azl3.aarch64.rpm
+tdnf-cli-libs-3.5.8-3.azl3.aarch64.rpm
+tdnf-debuginfo-3.5.8-3.azl3.aarch64.rpm
+tdnf-devel-3.5.8-3.azl3.aarch64.rpm
+tdnf-plugin-metalink-3.5.8-3.azl3.aarch64.rpm
+tdnf-plugin-repogpgcheck-3.5.8-3.azl3.aarch64.rpm
+tdnf-python-3.5.8-3.azl3.aarch64.rpm
 texinfo-7.0.3-1.azl3.aarch64.rpm
 texinfo-debuginfo-7.0.3-1.azl3.aarch64.rpm
 unzip-6.0-20.azl3.aarch64.rpm
 unzip-debuginfo-6.0-20.azl3.aarch64.rpm
-util-linux-2.39.2-1.azl3.aarch64.rpm
-util-linux-debuginfo-2.39.2-1.azl3.aarch64.rpm
-util-linux-devel-2.39.2-1.azl3.aarch64.rpm
-util-linux-lang-2.39.2-1.azl3.aarch64.rpm
-util-linux-libs-2.39.2-1.azl3.aarch64.rpm
+util-linux-2.40.2-1.azl3.aarch64.rpm
+util-linux-debuginfo-2.40.2-1.azl3.aarch64.rpm
+util-linux-devel-2.40.2-1.azl3.aarch64.rpm
+util-linux-lang-2.40.2-1.azl3.aarch64.rpm
+util-linux-libs-2.40.2-1.azl3.aarch64.rpm
 which-2.21-8.azl3.aarch64.rpm
 which-debuginfo-2.21-8.azl3.aarch64.rpm
 xz-5.4.4-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 3e6195e6182..1c3f8e3334d 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -9,7 +9,7 @@ audit-devel-3.1.2-1.azl3.x86_64.rpm
 audit-libs-3.1.2-1.azl3.x86_64.rpm
 autoconf-2.72-2.azl3.noarch.rpm
 automake-1.16.5-2.azl3.noarch.rpm
-azurelinux-check-macros-3.0-6.azl3.noarch.rpm
+azurelinux-check-macros-3.0-7.azl3.noarch.rpm
 azurelinux-repos-3.0-3.azl3.noarch.rpm
 azurelinux-repos-debug-3.0-3.azl3.noarch.rpm
 azurelinux-repos-debug-preview-3.0-3.azl3.noarch.rpm
@@ -23,7 +23,7 @@ azurelinux-repos-ms-oss-3.0-3.azl3.noarch.rpm
 azurelinux-repos-ms-oss-preview-3.0-3.azl3.noarch.rpm
 azurelinux-repos-preview-3.0-3.azl3.noarch.rpm
 azurelinux-repos-shared-3.0-3.azl3.noarch.rpm
-azurelinux-rpm-macros-3.0-6.azl3.noarch.rpm
+azurelinux-rpm-macros-3.0-7.azl3.noarch.rpm
 bash-5.2.15-3.azl3.x86_64.rpm
 bash-debuginfo-5.2.15-3.azl3.x86_64.rpm
 bash-devel-5.2.15-3.azl3.x86_64.rpm
@@ -43,8 +43,8 @@ ca-certificates-base-3.0.0-7.azl3.noarch.rpm
 ca-certificates-legacy-3.0.0-7.azl3.noarch.rpm
 ca-certificates-shared-3.0.0-7.azl3.noarch.rpm
 ca-certificates-tools-3.0.0-7.azl3.noarch.rpm
-ccache-4.8.3-1.azl3.x86_64.rpm
-ccache-debuginfo-4.8.3-1.azl3.x86_64.rpm
+ccache-4.8.3-3.azl3.x86_64.rpm
+ccache-debuginfo-4.8.3-3.azl3.x86_64.rpm
 check-0.15.2-1.azl3.x86_64.rpm
 check-debuginfo-0.15.2-1.azl3.x86_64.rpm
 chkconfig-1.25-1.azl3.x86_64.rpm
@@ -68,17 +68,17 @@ createrepo_c-debuginfo-1.0.3-1.azl3.x86_64.rpm
 createrepo_c-devel-1.0.3-1.azl3.x86_64.rpm
 cross-binutils-common-2.41-2.azl3.noarch.rpm
 cross-gcc-common-13.2.0-7.azl3.noarch.rpm
-curl-8.8.0-1.azl3.x86_64.rpm
-curl-debuginfo-8.8.0-1.azl3.x86_64.rpm
-curl-devel-8.8.0-1.azl3.x86_64.rpm
-curl-libs-8.8.0-1.azl3.x86_64.rpm
+curl-8.8.0-2.azl3.x86_64.rpm
+curl-debuginfo-8.8.0-2.azl3.x86_64.rpm
+curl-devel-8.8.0-2.azl3.x86_64.rpm
+curl-libs-8.8.0-2.azl3.x86_64.rpm
 Cython-debuginfo-3.0.5-2.azl3.x86_64.rpm
 debugedit-5.0-2.azl3.x86_64.rpm
 debugedit-debuginfo-5.0-2.azl3.x86_64.rpm
 diffutils-3.10-1.azl3.x86_64.rpm
 diffutils-debuginfo-3.10-1.azl3.x86_64.rpm
 docbook-dtd-xml-4.5-11.azl3.noarch.rpm
-docbook-style-xsl-1.79.1-13.azl3.noarch.rpm
+docbook-style-xsl-1.79.1-14.azl3.noarch.rpm
 dwz-0.14-2.azl3.x86_64.rpm
 dwz-debuginfo-0.14-2.azl3.x86_64.rpm
 e2fsprogs-1.47.0-2.azl3.x86_64.rpm
@@ -95,10 +95,10 @@ elfutils-libelf-0.189-3.azl3.x86_64.rpm
 elfutils-libelf-devel-0.189-3.azl3.x86_64.rpm
 elfutils-libelf-devel-static-0.189-3.azl3.x86_64.rpm
 elfutils-libelf-lang-0.189-3.azl3.x86_64.rpm
-expat-2.6.2-1.azl3.x86_64.rpm
-expat-debuginfo-2.6.2-1.azl3.x86_64.rpm
-expat-devel-2.6.2-1.azl3.x86_64.rpm
-expat-libs-2.6.2-1.azl3.x86_64.rpm
+expat-2.6.3-1.azl3.x86_64.rpm
+expat-debuginfo-2.6.3-1.azl3.x86_64.rpm
+expat-devel-2.6.3-1.azl3.x86_64.rpm
+expat-libs-2.6.3-1.azl3.x86_64.rpm
 file-5.45-1.azl3.x86_64.rpm
 file-debuginfo-5.45-1.azl3.x86_64.rpm
 file-devel-5.45-1.azl3.x86_64.rpm
@@ -130,16 +130,16 @@ glib-debuginfo-2.78.1-4.azl3.x86_64.rpm
 glib-devel-2.78.1-4.azl3.x86_64.rpm
 glib-doc-2.78.1-4.azl3.noarch.rpm
 glib-schemas-2.78.1-4.azl3.x86_64.rpm
-glibc-2.38-7.azl3.x86_64.rpm
-glibc-debuginfo-2.38-7.azl3.x86_64.rpm
-glibc-devel-2.38-7.azl3.x86_64.rpm
-glibc-i18n-2.38-7.azl3.x86_64.rpm
-glibc-iconv-2.38-7.azl3.x86_64.rpm
-glibc-lang-2.38-7.azl3.x86_64.rpm
-glibc-locales-all-2.38-7.azl3.x86_64.rpm
-glibc-nscd-2.38-7.azl3.x86_64.rpm
-glibc-static-2.38-7.azl3.x86_64.rpm
-glibc-tools-2.38-7.azl3.x86_64.rpm
+glibc-2.38-8.azl3.x86_64.rpm
+glibc-debuginfo-2.38-8.azl3.x86_64.rpm
+glibc-devel-2.38-8.azl3.x86_64.rpm
+glibc-i18n-2.38-8.azl3.x86_64.rpm
+glibc-iconv-2.38-8.azl3.x86_64.rpm
+glibc-lang-2.38-8.azl3.x86_64.rpm
+glibc-locales-all-2.38-8.azl3.x86_64.rpm
+glibc-nscd-2.38-8.azl3.x86_64.rpm
+glibc-static-2.38-8.azl3.x86_64.rpm
+glibc-tools-2.38-8.azl3.x86_64.rpm
 gmp-6.3.0-1.azl3.x86_64.rpm
 gmp-debuginfo-6.3.0-1.azl3.x86_64.rpm
 gmp-devel-6.3.0-1.azl3.x86_64.rpm
@@ -161,15 +161,15 @@ intltool-0.51.0-7.azl3.noarch.rpm
 itstool-2.0.7-1.azl3.noarch.rpm
 kbd-2.2.0-2.azl3.x86_64.rpm
 kbd-debuginfo-2.2.0-2.azl3.x86_64.rpm
-kernel-cross-headers-6.6.47.1-1.azl3.noarch.rpm
-kernel-headers-6.6.47.1-1.azl3.noarch.rpm
+kernel-cross-headers-6.6.51.1-5.azl3.noarch.rpm
+kernel-headers-6.6.51.1-5.azl3.noarch.rpm
 kmod-30-1.azl3.x86_64.rpm
 kmod-debuginfo-30-1.azl3.x86_64.rpm
 kmod-devel-30-1.azl3.x86_64.rpm
-krb5-1.21.3-1.azl3.x86_64.rpm
-krb5-debuginfo-1.21.3-1.azl3.x86_64.rpm
-krb5-devel-1.21.3-1.azl3.x86_64.rpm
-krb5-lang-1.21.3-1.azl3.x86_64.rpm
+krb5-1.21.3-2.azl3.x86_64.rpm
+krb5-debuginfo-1.21.3-2.azl3.x86_64.rpm
+krb5-devel-1.21.3-2.azl3.x86_64.rpm
+krb5-lang-1.21.3-2.azl3.x86_64.rpm
 libacl-2.3.1-2.azl3.x86_64.rpm
 libacl-devel-2.3.1-2.azl3.x86_64.rpm
 libarchive-3.7.1-2.azl3.x86_64.rpm
@@ -229,10 +229,10 @@ libselinux-utils-3.6-3.azl3.x86_64.rpm
 libsepol-3.6-1.azl3.x86_64.rpm
 libsepol-debuginfo-3.6-1.azl3.x86_64.rpm
 libsepol-devel-3.6-1.azl3.x86_64.rpm
-libsolv-0.7.28-1.azl3.x86_64.rpm
-libsolv-debuginfo-0.7.28-1.azl3.x86_64.rpm
-libsolv-devel-0.7.28-1.azl3.x86_64.rpm
-libsolv-tools-0.7.28-1.azl3.x86_64.rpm
+libsolv-0.7.28-2.azl3.x86_64.rpm
+libsolv-debuginfo-0.7.28-2.azl3.x86_64.rpm
+libsolv-devel-0.7.28-2.azl3.x86_64.rpm
+libsolv-tools-0.7.28-2.azl3.x86_64.rpm
 libssh2-1.11.0-1.azl3.x86_64.rpm
 libssh2-debuginfo-1.11.0-1.azl3.x86_64.rpm
 libssh2-devel-1.11.0-1.azl3.x86_64.rpm
@@ -291,12 +291,12 @@ npth-debuginfo-1.6-4.azl3.x86_64.rpm
 npth-devel-1.6-4.azl3.x86_64.rpm
 ntsysv-1.25-1.azl3.x86_64.rpm
 ocaml-srpm-macros-9-4.azl3.noarch.rpm
-openssl-3.3.0-2.azl3.x86_64.rpm
-openssl-debuginfo-3.3.0-2.azl3.x86_64.rpm
-openssl-devel-3.3.0-2.azl3.x86_64.rpm
-openssl-libs-3.3.0-2.azl3.x86_64.rpm
-openssl-perl-3.3.0-2.azl3.x86_64.rpm
-openssl-static-3.3.0-2.azl3.x86_64.rpm
+openssl-3.3.2-1.azl3.x86_64.rpm
+openssl-debuginfo-3.3.2-1.azl3.x86_64.rpm
+openssl-devel-3.3.2-1.azl3.x86_64.rpm
+openssl-libs-3.3.2-1.azl3.x86_64.rpm
+openssl-perl-3.3.2-1.azl3.x86_64.rpm
+openssl-static-3.3.2-1.azl3.x86_64.rpm
 p11-kit-0.25.0-1.azl3.x86_64.rpm
 p11-kit-debuginfo-0.25.0-1.azl3.x86_64.rpm
 p11-kit-devel-0.25.0-1.azl3.x86_64.rpm
@@ -535,31 +535,31 @@ pyproject-rpm-macros-1.12.0-2.azl3.noarch.rpm
 pyproject-srpm-macros-1.12.0-2.azl3.noarch.rpm
 python-markupsafe-debuginfo-2.1.3-1.azl3.x86_64.rpm
 python-wheel-wheel-0.43.0-1.azl3.noarch.rpm
-python3-3.12.3-2.azl3.x86_64.rpm
+python3-3.12.3-4.azl3.x86_64.rpm
 python3-audit-3.1.2-1.azl3.x86_64.rpm
 python3-cracklib-2.9.11-1.azl3.x86_64.rpm
-python3-curses-3.12.3-2.azl3.x86_64.rpm
+python3-curses-3.12.3-4.azl3.x86_64.rpm
 python3-Cython-3.0.5-2.azl3.x86_64.rpm
-python3-debuginfo-3.12.3-2.azl3.x86_64.rpm
-python3-devel-3.12.3-2.azl3.x86_64.rpm
+python3-debuginfo-3.12.3-4.azl3.x86_64.rpm
+python3-devel-3.12.3-4.azl3.x86_64.rpm
 python3-flit-core-3.9.0-1.azl3.noarch.rpm
 python3-gpg-1.23.2-2.azl3.x86_64.rpm
 python3-jinja2-3.1.2-1.azl3.noarch.rpm
 python3-libcap-ng-0.8.4-1.azl3.x86_64.rpm
-python3-libs-3.12.3-2.azl3.x86_64.rpm
+python3-libs-3.12.3-4.azl3.x86_64.rpm
 python3-libxml2-2.11.5-1.azl3.x86_64.rpm
 python3-lxml-4.9.3-1.azl3.x86_64.rpm
 python3-magic-5.45-1.azl3.noarch.rpm
 python3-markupsafe-2.1.3-1.azl3.x86_64.rpm
 python3-newt-0.52.23-1.azl3.x86_64.rpm
 python3-packaging-23.2-3.azl3.noarch.rpm
-python3-pip-24.0-1.azl3.noarch.rpm
+python3-pip-24.0-2.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 python3-rpm-4.18.2-1.azl3.x86_64.rpm
 python3-rpm-generators-14-11.azl3.noarch.rpm
-python3-setuptools-69.0.3-3.azl3.noarch.rpm
-python3-test-3.12.3-2.azl3.x86_64.rpm
-python3-tools-3.12.3-2.azl3.x86_64.rpm
+python3-setuptools-69.0.3-4.azl3.noarch.rpm
+python3-test-3.12.3-4.azl3.x86_64.rpm
+python3-tools-3.12.3-4.azl3.x86_64.rpm
 python3-wheel-0.43.0-1.azl3.noarch.rpm
 readline-8.2-1.azl3.x86_64.rpm
 readline-debuginfo-8.2-1.azl3.x86_64.rpm
@@ -590,23 +590,23 @@ systemd-bootstrap-libs-250.3-17.azl3.x86_64.rpm
 systemd-bootstrap-rpm-macros-250.3-17.azl3.noarch.rpm
 tar-1.35-1.azl3.x86_64.rpm
 tar-debuginfo-1.35-1.azl3.x86_64.rpm
-tdnf-3.5.6-2.azl3.x86_64.rpm
-tdnf-autoupdate-3.5.6-2.azl3.x86_64.rpm
-tdnf-cli-libs-3.5.6-2.azl3.x86_64.rpm
-tdnf-debuginfo-3.5.6-2.azl3.x86_64.rpm
-tdnf-devel-3.5.6-2.azl3.x86_64.rpm
-tdnf-plugin-metalink-3.5.6-2.azl3.x86_64.rpm
-tdnf-plugin-repogpgcheck-3.5.6-2.azl3.x86_64.rpm
-tdnf-python-3.5.6-2.azl3.x86_64.rpm
+tdnf-3.5.8-3.azl3.x86_64.rpm
+tdnf-autoupdate-3.5.8-3.azl3.x86_64.rpm
+tdnf-cli-libs-3.5.8-3.azl3.x86_64.rpm
+tdnf-debuginfo-3.5.8-3.azl3.x86_64.rpm
+tdnf-devel-3.5.8-3.azl3.x86_64.rpm
+tdnf-plugin-metalink-3.5.8-3.azl3.x86_64.rpm
+tdnf-plugin-repogpgcheck-3.5.8-3.azl3.x86_64.rpm
+tdnf-python-3.5.8-3.azl3.x86_64.rpm
 texinfo-7.0.3-1.azl3.x86_64.rpm
 texinfo-debuginfo-7.0.3-1.azl3.x86_64.rpm
 unzip-6.0-20.azl3.x86_64.rpm
 unzip-debuginfo-6.0-20.azl3.x86_64.rpm
-util-linux-2.39.2-1.azl3.x86_64.rpm
-util-linux-debuginfo-2.39.2-1.azl3.x86_64.rpm
-util-linux-devel-2.39.2-1.azl3.x86_64.rpm
-util-linux-lang-2.39.2-1.azl3.x86_64.rpm
-util-linux-libs-2.39.2-1.azl3.x86_64.rpm
+util-linux-2.40.2-1.azl3.x86_64.rpm
+util-linux-debuginfo-2.40.2-1.azl3.x86_64.rpm
+util-linux-devel-2.40.2-1.azl3.x86_64.rpm
+util-linux-lang-2.40.2-1.azl3.x86_64.rpm
+util-linux-libs-2.40.2-1.azl3.x86_64.rpm
 which-2.21-8.azl3.x86_64.rpm
 which-debuginfo-2.21-8.azl3.x86_64.rpm
 xz-5.4.4-1.azl3.x86_64.rpm
diff --git a/toolkit/scripts/analysis.mk b/toolkit/scripts/analysis.mk
index baf641e7ba0..96e7870c395 100644
--- a/toolkit/scripts/analysis.mk
+++ b/toolkit/scripts/analysis.mk
@@ -23,11 +23,15 @@ ifneq ($(build_arch),x86_64)
 # Microsoft OSS repository only exists for x86_64 - skip that .repo file;
 # otherwise package manager will signal an error due to being unable to make contact
 SODIFF_REPO_SOURCES="azurelinux-official-base.repo"
+SODIFF_REPO_SOURCES_EXTENDED="azurelinux-official-base.repo azurelinux-extended.repo"
 else
 SODIFF_REPO_SOURCES="azurelinux-official-base.repo azurelinux-ms-oss.repo"
+SODIFF_REPO_SOURCES_EXTENDED="azurelinux-official-base.repo azurelinux-microsoft.repo azurelinux-extended.repo"
 endif
 
-SODIFF_REPO_FILE=$(SCRIPTS_DIR)/sodiff/sodiff.repo
+
+SODIFF_REPO_FILE=$(BUILD_DIR)/sodiff/sodiff.repo
+SODIFF_REPO_FILE_EXTENDED=$(BUILD_DIR)/sodiff/sodiff-extended.repo
 # An artifact containing a list of packages that need to be dash-rolled due to their dependency having a new .so version
 SODIFF_SUMMARY_FILE=$(SODIFF_OUTPUT_FOLDER)/sodiff-summary.txt
 # A script doing the sodiff work
@@ -72,9 +76,16 @@ fake-built-packages-list: | $(SODIFF_OUTPUT_FOLDER)
 .PHONY: sodiff-repo
 sodiff-repo: $(SODIFF_REPO_FILE)
 
-$(SODIFF_REPO_FILE):
+$(SODIFF_REPO_FILE): $(SODIFF_OUTPUT_FOLDER)
 	echo $(SODIFF_REPO_SOURCES) | sed -E 's:([^ ]+[.]repo):$(SPECS_DIR)/azurelinux-repos/\1:g' | xargs cat > $(SODIFF_REPO_FILE)
 
+# sodiff-repo-extended: Generate just the sodiff.repo file
+.PHONY: sodiff-repo-extended
+sodiff-repo-extended: $(SODIFF_REPO_FILE_EXTENDED)
+
+$(SODIFF_REPO_FILE_EXTENDED): $(SODIFF_OUTPUT_FOLDER)
+	echo $(SODIFF_REPO_SOURCES_EXTENDED) | sed -E 's:([^ ]+[.]repo):$(SPECS_DIR)/azurelinux-repos/\1:g' | xargs cat > $(SODIFF_REPO_FILE_EXTENDED)
+
 # sodiff-setup: populate gpg-keys from SPECS/azurelinux-repos for mariner official repos for ubuntu
 .PHONY: sodiff-setup
 sodiff-setup:
@@ -85,7 +96,7 @@ sodiff-setup:
 .SILENT .PHONY: sodiff-check
 
 sodiff-check: $(BUILT_PACKAGES_FILE) | $(SODIFF_REPO_FILE)
-	<$(BUILT_PACKAGES_FILE) $(SODIFF_SCRIPT) $(RPMS_DIR)/ $(SODIFF_REPO_FILE) $(RELEASE_MAJOR_ID) $(SODIFF_OUTPUT_FOLDER)
+	<$(BUILT_PACKAGES_FILE) $(SODIFF_SCRIPT) -r $(RPMS_DIR)/ -f $(SODIFF_REPO_FILE) -v $(RELEASE_MAJOR_ID) -o $(SODIFF_OUTPUT_FOLDER)
 
 package-toolkit: $(SODIFF_REPO_FILE)
 
diff --git a/toolkit/scripts/build_tag_imagecustomizer.mk b/toolkit/scripts/build_tag_imagecustomizer.mk
index 964aab3f848..f25b1280e97 100644
--- a/toolkit/scripts/build_tag_imagecustomizer.mk
+++ b/toolkit/scripts/build_tag_imagecustomizer.mk
@@ -10,6 +10,6 @@
 #
 # and should hold the value of the next (or current) official release, not the previous official
 # release.
-image_customizer_version ?= 0.6.0
+image_customizer_version ?= 0.7.0
 IMAGE_CUSTOMIZER_VERSION_PREVIEW ?= -dev.$(DATETIME_AS_VERSION)+$(GIT_COMMIT_ID)
 image_customizer_full_version := $(image_customizer_version)$(IMAGE_CUSTOMIZER_VERSION_PREVIEW)
diff --git a/toolkit/scripts/check_entangled_specs.py b/toolkit/scripts/check_entangled_specs.py
index 3f391132535..c2c5334157e 100755
--- a/toolkit/scripts/check_entangled_specs.py
+++ b/toolkit/scripts/check_entangled_specs.py
@@ -1,16 +1,16 @@
-#!/usr/bin/python3
+#!/usr/bin/env python3
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 
+from collections import defaultdict
+from os import path
 from typing import FrozenSet, List, Set
-from pyrpm.spec import Spec
-
 import argparse
-from collections import defaultdict
-from pathlib import Path
 import pprint
 import sys
 
+from pyrpm.spec import replace_macros, Spec
+
 version_release_matching_groups = [
     frozenset([
         "SPECS-SIGNED/kernel-signed/kernel-signed.spec",
@@ -58,6 +58,7 @@
     frozenset([
         "SPECS/clang/clang.spec",
         "SPECS/compiler-rt/compiler-rt.spec",
+        "SPECS/libcxx/libcxx.spec",
         "SPECS/lld/lld.spec",
         "SPECS/lldb/lldb.spec",
         "SPECS/llvm/llvm.spec"
@@ -86,9 +87,10 @@ def check_spec_tags(base_path: str, tags: List[str], groups: List[FrozenSet]) ->
         variants = defaultdict(set)
 
         for spec_filename in group:
-            parsed_spec = Spec.from_file(Path(base_path, spec_filename))
+            parsed_spec = Spec.from_file(path.join(base_path, spec_filename))
             for tag in tags:
-                variants[tag].add(getattr(parsed_spec, tag))
+                tag_value = get_tag_value(parsed_spec, tag)
+                variants[tag].add(tag_value)
 
         for tag in tags:
             if len(variants[tag]) > 1: err_groups.add(group)
@@ -146,6 +148,13 @@ def check_matches(base_path: str):
         sys.exit(1)
 
 
+def get_tag_value(spec: "Spec", tag: str) -> str:
+    value = getattr(spec, tag)
+    if value:
+        value = replace_macros(value, spec)
+    return value
+
+
 if __name__ == '__main__':
     parser = argparse.ArgumentParser()
     parser.add_argument(
diff --git a/toolkit/scripts/check_spec_guidelines.py b/toolkit/scripts/check_spec_guidelines.py
index f6b956fcd72..38f939f86df 100755
--- a/toolkit/scripts/check_spec_guidelines.py
+++ b/toolkit/scripts/check_spec_guidelines.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/bin/env python3
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 
@@ -12,38 +12,67 @@
 
 from spec_source_attributions import get_spec_source, VALID_SOURCE_ATTRIBUTIONS
 
+EXPECTED_DISTRIBUTION_TAG = "Azure Linux"
+EXPECTED_VENDOR_TAG = "Microsoft Corporation"
+
+# Checking if the specs contains a 'Distribution' tag.
+DISTRIBUTION_TAG_PRESENT_REGEX = re.compile(r"^\s*Distribution:\s*", re.MULTILINE)
+
 # Checking if the specs include only the valid 'Distribution: Azure Linux' tag.
-invalid_distribution_tag_regex = re.compile(
-    r'^\s*Distribution:\s*(?!Azure Linux\s*$)\S+', re.MULTILINE)
+INVALID_DISTRIBUTION_TAG_REGEX = re.compile(
+    rf"^\s*Distribution:\s*(?!{EXPECTED_DISTRIBUTION_TAG}\s*$)\S+", re.MULTILINE
+)
+
+# Checking if the specs include only the valid 'Vendor: Microsoft Corporation' tag.
+INVALID_VENDOR_TAG_REGEX = re.compile(
+    rf"^\s*Vendor:\s*(?!{EXPECTED_VENDOR_TAG}\s*$)\S+", re.MULTILINE
+)
+
+# Checking if the specs contains a 'Vendor' tag.
+VENDOR_TAG_PRESENT_REGEX = re.compile(r"^\s*Vendor:\s*", re.MULTILINE)
 
 # Checking for the deprecated '%patch[number]' format.
 # For more info, see: https://rpm-software-management.github.io/rpm/manual/spec.html.
-invalid_patch_macro_regex = re.compile(
-    r'^\s*%patch\d', re.MULTILINE)
+INVALID_PATCH_MACRO_REGEX = re.compile(r"^\s*%patch\d", re.MULTILINE)
 
 # Check for '%patch' macros not using the '-P' flag.
-invalid_toolchain_patch_macro = re.compile(
-    r'^\s*%patch((?!-P\s+\d+).)*$', re.MULTILINE)
+INVALID_TOOLCHAIN_PATCH_MACRO = re.compile(r"^\s*%patch((?!-P\s+\d+).)*$", re.MULTILINE)
 
-license_regex = re.compile(
-    r"\b(license verified|verified license)\b", re.IGNORECASE)
+LICENSE_REGEX = re.compile(r"\b(license verified|verified license)\b", re.IGNORECASE)
 
-valid_release_tag_regex = re.compile(
-    r'^[1-9]\d*%\{\?dist\}$')
+VALID_RELEASE_TAG_REGEX = re.compile(r"^[1-9]\d*%\{\?dist\}$")
 
-valid_source_attributions_one_per_line = "\n".join(f"- {key}: '{value}'" for key, value in VALID_SOURCE_ATTRIBUTIONS.items())
+VALID_SOURCE_ATTRIBUTIONS_ONE_PER_LINE = "\n".join(
+    f"- {key}: '{value}'" for key, value in VALID_SOURCE_ATTRIBUTIONS.items()
+)
 
 
-def check_distribution_tag(spec_path: str):
+def check_distribution_tag_correct(spec_path: str):
     """Checks if the 'Distribution' tags match 'Azure Linux'. """
     with open(spec_path) as file:
         contents = file.read()
 
-    if invalid_distribution_tag_regex.search(contents) is not None:
+    if INVALID_DISTRIBUTION_TAG_REGEX.search(contents) is not None:
         print(f"""
 ERROR: detected an invalid 'Distribution' tag.
 
-    Please use 'Distribution: Azure Linux'.
+    Please use 'Distribution: {EXPECTED_DISTRIBUTION_TAG}'.
+""")
+        return False
+
+    return True
+
+
+def check_distribution_tag_exists(spec_path: str):
+    """Checks if the 'Distribution' tag exists. """
+    with open(spec_path) as file:
+        contents = file.read()
+
+    if DISTRIBUTION_TAG_PRESENT_REGEX.search(contents) is None:
+        print(f"""
+ERROR: missing 'Distribution' tag.
+
+    Please add 'Distribution: {EXPECTED_DISTRIBUTION_TAG}'.
 """)
         return False
 
@@ -55,7 +84,7 @@ def check_patch_macro(spec_path: str):
     with open(spec_path) as file:
         contents = file.read()
 
-    if invalid_patch_macro_regex.search(contents) is not None:
+    if INVALID_PATCH_MACRO_REGEX.search(contents) is not None:
         print(f"""
 ERROR: use of deprecated '%patch[number]' format (no space between '%patch' and the number of the patch).
 
@@ -73,7 +102,7 @@ def check_release_tag(spec_path: str):
     """Checks if the 'Release' tag is in one of Azure Linux's expected formats. """
     spec = Spec.from_file(spec_path)
 
-    if valid_release_tag_regex.match(spec.release) is None:
+    if VALID_RELEASE_TAG_REGEX.match(spec.release) is None:
         print(f"""
 ERROR: invalid 'Release' tag.
 
@@ -90,7 +119,7 @@ def check_license_verification(spec_path: str):
     """Checks if the package's license has been verified. """
     spec = Spec.from_file(spec_path)
 
-    if len(license_regex.findall(spec.changelog)) == 0:
+    if len(LICENSE_REGEX.findall(spec.changelog)) == 0:
         print(f"""
 ERROR: license not verified.
 
@@ -117,7 +146,7 @@ def check_source_attribution(spec_path: str):
     Make sure to indicate the origin of the spec file in the changelog.
     Currently supported source attributions (in form of regular expressions):
 
-{valid_source_attributions_one_per_line}
+{VALID_SOURCE_ATTRIBUTIONS_ONE_PER_LINE}
 
     If you're importing a spec from a source, which doesn't fit the currently supported list,
     please update the 'VALID_SOURCE_ATTRIBUTIONS' variable inside the '{dirname(realpath(__file__))}/spec_source_attributions.py' script.
@@ -137,8 +166,8 @@ def check_toolchain_patch_lines(spec_path: str, toolchain_specs: set):
 
     with open(spec_path) as file:
         contents = file.read()
-        
-    if invalid_toolchain_patch_macro.search(contents) is not None:
+
+    if INVALID_TOOLCHAIN_PATCH_MACRO.search(contents) is not None:
         print(f"""
 ERROR: detected a toolchain spec with invalid '%patch' macros.
 
@@ -150,26 +179,59 @@ def check_toolchain_patch_lines(spec_path: str, toolchain_specs: set):
     return True
 
 
-def check_spec(spec_path, toolchain_specs):
-    spec_correct = True
+def check_vendor_tag_correct(spec_path: str):
+    """Checks if the 'Vendor' tags match 'Microsoft Corporation'. """
+    with open(spec_path) as file:
+        contents = file.read()
 
-    print(f"Checking {spec_path}")
+    if INVALID_VENDOR_TAG_REGEX.search(contents) is not None:
+        print(f"""
+ERROR: detected an invalid 'Vendor' tag.
 
-    if not check_distribution_tag(spec_path):
-        spec_correct = False
+    Please use 'Vendor: {EXPECTED_VENDOR_TAG}'.
+""")
+        return False
 
-    if not check_patch_macro(spec_path):
-        spec_correct = False
+    return True
 
-    if not check_release_tag(spec_path):
-        spec_correct = False
 
-    if not check_source_attribution(spec_path):
-        spec_correct = False
+def check_vendor_tag_exists(spec_path: str):
+    """Checks if the 'Vendor' tag exists. """
+    with open(spec_path) as file:
+        contents = file.read()
+
+    if VENDOR_TAG_PRESENT_REGEX.search(contents) is None:
+        print(f"""
+ERROR: missing 'Vendor' tag.
+
+    Please add 'Vendor: {EXPECTED_VENDOR_TAG}'.
+""")
+        return False
+
+    return True
+
+
+SPEC_CHECKS = [
+    check_distribution_tag_correct,
+    check_distribution_tag_exists,
+    check_license_verification,
+    check_patch_macro,
+    check_release_tag,
+    check_source_attribution,
+    check_vendor_tag_correct,
+    check_vendor_tag_exists,
+]
+
+
+def check_spec(spec_path, toolchain_specs):
+    spec_correct = True
+
+    print(f"Checking {spec_path}.")
+
+    for spec_check in SPEC_CHECKS:
+        if not spec_check(spec_path):
+            spec_correct = False
 
-    if not check_license_verification(spec_path):
-        spec_correct = False
-    
     if not check_toolchain_patch_lines(spec_path, toolchain_specs):
         spec_correct = False
 
@@ -190,7 +252,7 @@ def check_spec(spec_path, toolchain_specs):
                         nargs='+',
                         help='path to an RPM spec file')
     args = parser.parse_args()
-    
+
     toolchain_specs = set(args.toolchain_specs.split())
 
     specs_correct = True
diff --git a/toolkit/scripts/check_static_glibc.py b/toolkit/scripts/check_static_glibc.py
index b1b5285d1ac..7185ec783ae 100755
--- a/toolkit/scripts/check_static_glibc.py
+++ b/toolkit/scripts/check_static_glibc.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/bin/env python3
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 
diff --git a/toolkit/scripts/imggen.mk b/toolkit/scripts/imggen.mk
index 39123708485..4f9a9327fb8 100644
--- a/toolkit/scripts/imggen.mk
+++ b/toolkit/scripts/imggen.mk
@@ -75,6 +75,13 @@ clean-imagegen:
 	$(SCRIPTS_DIR)/safeunmount.sh "$(IMAGEGEN_DIR)" && \
 	rm -rf $(IMAGEGEN_DIR)
 
+# We need to clear the rpm package cache if we have a snapshot time. The filenames will all be
+# the same, but the actual .rpm files may be fundamentally different.
+$(STATUS_FLAGS_DIR)/imagegen_cleanup.flag: $(depend_REPO_SNAPSHOT_TIME)
+	@echo "REPO_SNAPSHOT_TIME has changed, sanitizing rpm cache"
+	find "$(local_and_external_rpm_cache)" -type f -name '*.rpm' -delete
+	touch $@
+
 ##help:target:fetch-image-packages=Locate and download all packages required for an image build.
 fetch-image-packages: $(image_package_cache_summary)
 
@@ -113,7 +120,11 @@ ifeq ($(USE_PREVIEW_REPO),y)
 imagepkgfetcher_extra_flags += --use-preview-repo
 endif
 
-$(image_package_cache_summary): $(go-imagepkgfetcher) $(chroot_worker) $(toolchain_rpms) $(imggen_local_repo) $(depend_REPO_LIST) $(REPO_LIST) $(depend_CONFIG_FILE) $(CONFIG_FILE) $(validate-config) $(RPMS_DIR) $(imggen_rpms)
+ifneq ($(REPO_SNAPSHOT_TIME),)
+imagepkgfetcher_extra_flags += --repo-snapshot-time=$(REPO_SNAPSHOT_TIME)
+endif
+
+$(image_package_cache_summary): $(go-imagepkgfetcher) $(chroot_worker) $(toolchain_rpms) $(imggen_local_repo) $(depend_REPO_LIST) $(REPO_LIST) $(depend_CONFIG_FILE) $(CONFIG_FILE) $(validate-config) $(RPMS_DIR) $(imggen_rpms) $(depend_REPO_SNAPSHOT_TIME) $(STATUS_FLAGS_DIR)/imagegen_cleanup.flag
 	$(if $(CONFIG_FILE),,$(error Must set CONFIG_FILE=))
 	$(go-imagepkgfetcher) \
 		--input=$(CONFIG_FILE) \
@@ -146,7 +157,7 @@ $(imager_disk_output_dir): $(STATUS_FLAGS_DIR)/imager_disk_output.flag
 	@touch $@
 	@echo Finished updating $@
 
-$(STATUS_FLAGS_DIR)/imager_disk_output.flag: $(go-imager) $(image_package_cache_summary) $(license_results_file_img) $(imggen_local_repo) $(depend_CONFIG_FILE) $(CONFIG_FILE) $(validate-config) $(assets_files)
+$(STATUS_FLAGS_DIR)/imager_disk_output.flag: $(go-imager) $(image_package_cache_summary) $(license_results_file_img) $(imggen_local_repo) $(depend_CONFIG_FILE) $(CONFIG_FILE) $(validate-config) $(assets_files) $(depend_REPO_SNAPSHOT_TIME)
 	$(if $(CONFIG_FILE),,$(error Must set CONFIG_FILE=))
 	mkdir -p $(imager_disk_output_dir) && \
 	rm -rf $(imager_disk_output_dir)/* && \
@@ -159,6 +170,7 @@ $(STATUS_FLAGS_DIR)/imager_disk_output.flag: $(go-imager) $(image_package_cache_
 		--log-color=$(LOG_COLOR) \
 		--local-repo $(local_and_external_rpm_cache) \
 		--tdnf-worker $(chroot_worker) \
+		--repo-snapshot-time=$(REPO_SNAPSHOT_TIME) \
 		--repo-file=$(imggen_local_repo) \
 		--output-image-contents=$(image_package_manifest) \
 		--assets $(assets_dir) \
@@ -198,7 +210,7 @@ image: $(imager_disk_output_dir) $(imager_disk_output_files) $(go-roast) $(depen
 		$(if $(filter y,$(ENABLE_TRACE)),--enable-trace) \
 		--timestamp-file=$(TIMESTAMP_DIR)/roast.jsonl
 
-$(image_external_package_cache_summary): $(cached_file) $(go-imagepkgfetcher) $(chroot_worker) $(graph_file) $(depend_REPO_LIST) $(REPO_LIST) $(depend_CONFIG_FILE) $(CONFIG_FILE) $(validate-config)
+$(image_external_package_cache_summary): $(cached_file) $(go-imagepkgfetcher) $(chroot_worker) $(graph_file) $(depend_REPO_LIST) $(REPO_LIST) $(depend_CONFIG_FILE) $(CONFIG_FILE) $(validate-config) $(depend_REPO_SNAPSHOT_TIME) $(STATUS_FLAGS_DIR)/imagegen_cleanup.flag
 	$(if $(CONFIG_FILE),,$(error Must set CONFIG_FILE=))
 	$(go-imagepkgfetcher) \
 		--input=$(CONFIG_FILE) \
@@ -229,7 +241,7 @@ $(image_external_package_cache_summary): $(cached_file) $(go-imagepkgfetcher) $(
 
 # We need to ensure that initrd_img recursive build will never run concurrently with another build component, so add all ISO prereqs as
 # order-only-prerequisites to initrd_img
-iso_deps = $(go-isomaker) $(go-imager) $(depend_CONFIG_FILE) $(CONFIG_FILE) $(validate-config) $(image_package_cache_summary) $(license_results_file_img)
+iso_deps = $(go-isomaker) $(go-imager) $(depend_CONFIG_FILE) $(CONFIG_FILE) $(validate-config) $(image_package_cache_summary) $(license_results_file_img) $(depend_REPO_SNAPSHOT_TIME)
 # The initrd bundles these files into the image, we should rebuild it if they change
 initrd_bundled_files = $(go-liveinstaller) $(go-imager) $(assets_files) $(initrd_assets_files) $(imggen_local_repo)
 
@@ -250,6 +262,7 @@ iso: $(initrd_img) $(iso_deps)
 		--input $(CONFIG_FILE) \
 		--release-version $(RELEASE_VERSION) \
 		--resources $(RESOURCES_DIR) \
+		--repo-snapshot-time=$(REPO_SNAPSHOT_TIME) \
 		--iso-repo $(local_and_external_rpm_cache) \
 		--log-level=$(LOG_LEVEL) \
 		--log-file=$(LOGS_DIR)/imggen/isomaker.log \
diff --git a/toolkit/scripts/license_map.py b/toolkit/scripts/license_map.py
index 4f856e47f0d..769cd5c1b48 100755
--- a/toolkit/scripts/license_map.py
+++ b/toolkit/scripts/license_map.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/bin/env python3
 
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
diff --git a/toolkit/scripts/pkggen.mk b/toolkit/scripts/pkggen.mk
index 3e5c8c367ca..4e3b0c5f18f 100644
--- a/toolkit/scripts/pkggen.mk
+++ b/toolkit/scripts/pkggen.mk
@@ -123,7 +123,7 @@ endif
 
 # Convert the dependency information in the json file into a graph structure
 # We require all the toolchain RPMs to be available here to help resolve unfixable cyclic dependencies
-$(graph_file): $(specs_file) $(go-grapher) $(toolchain_rpms) $(TOOLCHAIN_MANIFEST) $(pkggen_local_repo) $(graphpkgfetcher_cloned_repo) $(chroot_worker) $(depend_REPO_LIST) $(REPO_LIST)
+$(graph_file): $(specs_file) $(go-grapher) $(toolchain_rpms) $(TOOLCHAIN_MANIFEST) $(pkggen_local_repo) $(graphpkgfetcher_cloned_repo) $(chroot_worker) $(depend_REPO_LIST) $(REPO_LIST) $(depend_REPO_SNAPSHOT_TIME)
 	$(go-grapher) \
 		--input $(specs_file) \
 		$(logging_command) \
@@ -146,6 +146,7 @@ $(graph_file): $(specs_file) $(go-grapher) $(toolchain_rpms) $(TOOLCHAIN_MANIFES
 		--tls-key=$(TLS_KEY) \
 		--tmp-dir=$(grapher_working_dir) \
 		--tdnf-worker=$(chroot_worker) \
+		--repo-snapshot-time=$(REPO_SNAPSHOT_TIME) \
 		$(foreach repo, $(pkggen_local_repo) $(graphpkgfetcher_cloned_repo) $(REPO_LIST), --repo-file=$(repo))
 
 # We want to detect changes in the RPM cache, but we are not responsible for directly rebuilding any missing files.
@@ -192,12 +193,16 @@ graphpkgfetcher_extra_flags += $(if $(CONFIG_FILE),--base-dir="$(CONFIG_BASE_DIR
 $(cached_file): $(depend_CONFIG_FILE) $(depend_PACKAGE_BUILD_LIST) $(depend_PACKAGE_REBUILD_LIST) $(depend_PACKAGE_IGNORE_LIST) $(depend_TEST_RUN_LIST) $(depend_TEST_RERUN_LIST) $(depend_TEST_IGNORE_LIST)
 endif
 
+ifneq ($(REPO_SNAPSHOT_TIME),)
+graphpkgfetcher_extra_flags += --repo-snapshot-time=$(REPO_SNAPSHOT_TIME)
+endif
+
 ifeq ($(PRECACHE),y)
 # Use highly parallel downlader to fully hydrate the cache before trying to use the package manager to download packages
 $(cached_file): $(STATUS_FLAGS_DIR)/precache.flag
 endif
 
-$(cached_file): $(graph_file) $(go-graphpkgfetcher) $(chroot_worker) $(pkggen_local_repo) $(depend_REPO_LIST) $(REPO_LIST) $(cached_remote_rpms) $(TOOLCHAIN_MANIFEST) $(toolchain_rpms) $(depend_EXTRA_BUILD_LAYERS)
+$(cached_file): $(graph_file) $(go-graphpkgfetcher) $(chroot_worker) $(pkggen_local_repo) $(depend_REPO_LIST) $(REPO_LIST) $(cached_remote_rpms) $(TOOLCHAIN_MANIFEST) $(toolchain_rpms) $(depend_EXTRA_BUILD_LAYERS) $(depend_REPO_SNAPSHOT_TIME) $(STATUS_FLAGS_DIR)/build_packages_cache_cleanup.flag
 	mkdir -p $(remote_rpms_cache_dir) && \
 	$(go-graphpkgfetcher) \
 		--input=$(graph_file) \
@@ -260,6 +265,13 @@ clean-compress-rpms:
 clean-compress-srpms:
 	rm -rf $(srpms_archive)
 
+# We need to clear the rpm package cache if we have a snapshot time. The filenames will all be
+# the same, but the actual .rpm files may be fundamentally different.
+$(STATUS_FLAGS_DIR)/build_packages_cache_cleanup.flag: $(depend_REPO_SNAPSHOT_TIME)
+	@echo "REPO_SNAPSHOT_TIME has changed, sanitizing rpm cache"
+	find "$(remote_rpms_cache_dir)" -type f -name '*.rpm' -delete
+	touch $@
+
 ifeq ($(REBUILD_PACKAGES),y)
 $(RPMS_DIR): $(STATUS_FLAGS_DIR)/build-rpms.flag
 	@touch $@
diff --git a/toolkit/scripts/sodiff/mariner-sodiff.sh b/toolkit/scripts/sodiff/mariner-sodiff.sh
index e50b1cd8565..3076fcf33b7 100755
--- a/toolkit/scripts/sodiff/mariner-sodiff.sh
+++ b/toolkit/scripts/sodiff/mariner-sodiff.sh
@@ -2,13 +2,36 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 
-# Required binaries:
-# rpm and dnf
+sodiff_script_error=false
+while getopts "r:f:v:o:e:" opt; do
+    case $opt in
+        r) rpms_folder="$OPTARG";;
+        f) repo_file_path="$OPTARG";;
+        v) mariner_version="$OPTARG";;
+        o) sodiff_out_dir="$OPTARG";;
+        e) sodiff_script_error="$OPTARG";;
+    esac
+done
+
+if [[ -z "$rpms_folder" ]]; then
+    echo "INVALID ARGUMENT: RPMS_FOLDER is empty. It can be specified via the -r command line option."
+    exit 1
+fi
+
+if [[ -z "$repo_file_path" ]]; then
+    echo "INVALID ARGUMENT: REPO_FILE_PATH is empty. It can be specified via the -f command line option."
+    exit 1
+fi
+
+if [[ -z "$mariner_version" ]]; then
+    echo "INVALID ARGUMENT: MARINER_VERSION is empty. It can be specified via the -v command line option."
+    exit 1
+fi
 
-rpms_folder="$1"
-repo_file_path="$2"
-mariner_version="$3"
-sodiff_out_dir="$4"
+if [[ -z "$sodiff_out_dir" ]]; then
+    echo "INVALID ARGUMENT: SODIFF_OUT_DIR is empty. It can be specified via the -o command line option."
+    exit 1
+fi
 sodiff_log_file="${sodiff_out_dir}/sodiff.log"
 
 # Setup output dir
@@ -18,22 +41,26 @@ mkdir -p "$sodiff_out_dir"
 
 common_options="-c $repo_file_path --releasever $mariner_version"
 
-DNF_COMMAND=dnf
+dnf_command=dnf
 # Cache RPM metadata
->/dev/null dnf $common_options -y makecache
+>/dev/null $dnf_command $common_options -y makecache
 
 # Get packages from stdin
 pkgs=`cat`
+echo "$pkgs"
 
 for rpmpackage in $pkgs; do
+    package_debuginfo=$(echo "$rpmpackage" | rev | cut -f3 -d'-' | rev)
+    if [[ "$package_debuginfo" == "debuginfo" ]]; then
+        continue
+	fi
     package_path=$(find "$rpms_folder" -name "$rpmpackage" -type f)
     package_provides=`2>/dev/null rpm -qP "$package_path" | grep -E '[.]so[(.]' `
     echo "Processing ${rpmpackage}..."
     echo ".so's provided: $package_provides"
     for sofile in $package_provides; do
         # Query local metadata for provides
-        sos_found=$( 2>/dev/null $DNF_COMMAND repoquery $common_options --whatprovides $sofile | wc -l )
-        echo "Number of .so files found: $sos_found"
+        sos_found=$( 2>/dev/null $dnf_command repoquery $common_options --whatprovides $sofile | wc -l )
         if [ "$sos_found" -eq 0 ] ; then
             # SO file not found, meaning this might be a new .SO
             # or a new version of a preexisting .SO.
@@ -43,14 +70,13 @@ for rpmpackage in $pkgs; do
             sofile_no_ver=$(echo "$sofile" | sed -E 's/[.]so[(.].+/.so/')
 
             # check for generic .so in the repo
-            sos_found=$( 2>/dev/null $DNF_COMMAND repoquery $common_options --whatprovides "${sofile_no_ver}*" | wc -l )
-            echo "Number of non-versioned .so files found: $sos_found"
+            sos_found=$( 2>/dev/null $dnf_command repoquery $common_options --whatprovides "${sofile_no_ver}*" | wc -l )
             if ! [ "$sos_found" -eq 0 ] ; then
                 # Generic version of SO was found.
                 # This means it's a new version of a preexisting SO.
                 # Log which packages depend on this functionality
                 echo "Packages that require $sofile_no_ver:"
-                2>/dev/null $DNF_COMMAND repoquery $common_options -s --whatrequires "${sofile_no_ver}*" | sed -E 's/[.][^.]+[.]src[.]rpm//' | tee "$sodiff_out_dir"/"require_${sofile}"
+                2>/dev/null $dnf_command repoquery $common_options -s --whatrequires "${sofile_no_ver}*" | sed -E 's/[.][^.]+[.]src[.]rpm//' | tee "$sodiff_out_dir"/"require_${sofile}"
             fi
         fi
     done
@@ -60,7 +86,7 @@ done
 # Obtain a list of unique packages to be updated
 2>/dev/null cat "$sodiff_out_dir"/require* | sort -u > "$sodiff_out_dir"/sodiff-intermediate-summary.txt
 
-rm "$sodiff_out_dir"/require*
+rm -f "$sodiff_out_dir"/require*
 touch "$sodiff_out_dir"/sodiff-summary.txt
 
 # Remove packages that have been dash-rolled already.
@@ -88,6 +114,9 @@ echo "######################"
 if [[ $pkgsFound -gt 0 ]]; then
     echo "The Following Packages Are in Need of an Update:"
     cat "$sodiff_out_dir"/sodiff-summary.txt
+    if [[ "$sodiff_script_error" -eq "true" ]]; then
+        exit 1
+    fi 
 else
     echo "No Packages with Conflicting .so Files Found."
 fi
diff --git a/toolkit/scripts/spec_source_attributions.py b/toolkit/scripts/spec_source_attributions.py
index 12b87494fd3..8d5b367547f 100755
--- a/toolkit/scripts/spec_source_attributions.py
+++ b/toolkit/scripts/spec_source_attributions.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/bin/env python3
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 
diff --git a/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh b/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh
index 35eb91499f4..24e75870e55 100755
--- a/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh
+++ b/toolkit/scripts/toolchain/build_official_toolchain_rpms.sh
@@ -541,8 +541,9 @@ build_rpm_in_chroot_no_install libxslt
 chroot_and_install_rpms pam
 build_rpm_in_chroot_no_install docbook-style-xsl
 
-# libsolv needs cmake
+# libsolv needs cmake, zstd-devel
 chroot_and_install_rpms cmake
+chroot_and_install_rpms zstd
 build_rpm_in_chroot_no_install libsolv
 
 # ccache needs cmake
diff --git a/toolkit/scripts/toolchain/container/Dockerfile b/toolkit/scripts/toolchain/container/Dockerfile
index e68a4a3eb06..be201e1be96 100644
--- a/toolkit/scripts/toolchain/container/Dockerfile
+++ b/toolkit/scripts/toolchain/container/Dockerfile
@@ -63,7 +63,7 @@ RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolch
 # Disable downloading from remote sources by default. The 'toolchain-local-wget-list' generated for the above line will download from $(SOURCE_URL)
 # The 'toolchain-remote-wget-list' is still available and can be used as an alternate to $(SOURCE_URL) if desired.
 #RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolchain-remote-wget-list --directory-prefix=$LFS/sources; exit 0
-RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.47.1.tar.gz -O kernel-6.6.47.1.tar.gz --directory-prefix=$LFS/sources; exit 0
+RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner-3/6.6.51.1.tar.gz -O kernel-6.6.51.1.tar.gz --directory-prefix=$LFS/sources; exit 0
 USER root
 
 RUN mkdir -pv $LFS/{etc,var} $LFS/usr/{bin,lib,sbin} && \
diff --git a/toolkit/scripts/toolchain/container/toolchain-remote-wget-list b/toolkit/scripts/toolchain/container/toolchain-remote-wget-list
index 1a379c52ad9..37d81629b7d 100644
--- a/toolkit/scripts/toolchain/container/toolchain-remote-wget-list
+++ b/toolkit/scripts/toolchain/container/toolchain-remote-wget-list
@@ -58,5 +58,5 @@ https://pypi.org/packages/source/w/wheel/wheel-0.42.0.tar.gz
 https://pypi.org/packages/source/f/flit-core/flit_core-3.9.0.tar.gz
 https://ftp.gnu.org/gnu/sed/sed-4.9.tar.xz
 https://www.sqlite.org/2023/sqlite-autoconf-3440000.tar.gz
-https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.39/util-linux-2.39.2.tar.xz
+https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/v2.40/util-linux-2.40.2.tar.xz
 https://github.com/facebook/zstd/releases/download/v1.5.5/zstd-1.5.5.tar.gz
diff --git a/toolkit/scripts/toolchain/container/toolchain-sha256sums b/toolkit/scripts/toolchain/container/toolchain-sha256sums
index 58fd65b5c32..4bd53d2db2f 100644
--- a/toolkit/scripts/toolchain/container/toolchain-sha256sums
+++ b/toolkit/scripts/toolchain/container/toolchain-sha256sums
@@ -28,7 +28,7 @@ a3c2b80201b89e68616f4ad30bc66aee4927c3ce50e33929ca819d5c43538898  gmp-6.3.0.tar.
 1db2aedde89d0dea42b16d9528f894c8d15dae4e190b59aecc78f5a951276eab  grep-3.11.tar.xz
 6b9757f592b7518b4902eb6af7e54570bdccba37a871fddb2d30ae3863511c13  groff-1.23.0.tar.gz
 7454eb6935db17c6655576c2e1b0fabefd38b4d0936e0f87f48cd062ce91a057  gzip-1.13.tar.xz
-05f517228da02a9d1d4fd86c66b7565aa7bd28bae1380e29d79f181842efe50f  kernel-6.6.47.1.tar.gz
+018ece71bd3feb3f770e759c4c04a4472c72daf3a10f3f88de61083aaa6193df  kernel-6.6.51.1.tar.gz
 5d24e40819768f74daf846b99837fc53a3a9dcdf3ce1c2003fe0596db850f0f0  libarchive-3.7.1.tar.gz
 f311f8f3dad84699d0566d1d6f7ec943a9298b28f714cae3c931dfd57492d7eb  libcap-2.69.tar.xz
 b8b45194989022a79ec1317f64a2a75b1551b2a55bea06f67704cb2a2e4690b0  libpipeline-1.5.7.tar.gz
@@ -41,7 +41,7 @@ dd16fb1d67bfab79a72f5e8390735c49e3e8e70b4945a15ab1f81ddb78658fb3  make-4.4.1.tar
 ab642492f5cf882b74aa0cb730cd410a81edcdbec895183ce930e706c1c759b8  mpc-1.3.1.tar.gz
 277807353a6726978996945af13e52829e3abd7a9a5b7fb2793894e18f1fcbb2  mpfr-4.2.1.tar.xz
 6931283d9ac87c5073f30b6290c4c75f21632bb4fc3603ac8100812bed248159  ncurses-6.4.tar.gz
-53e66b043322a606abf0087e7699a0e033a37fa13feb9742df35c3a33b18fb02  openssl-3.3.0.tar.gz
+2e8a40b01979afe8be0bbfb3de5dc1c6709fedb46d6c89c10da114ab5fc3d281  openssl-3.3.2.tar.gz
 ac610bda97abe0d9f6b7c963255a11dcb196c25e337c61f94e4778d632f1d8fd  patch-2.7.6.tar.xz
 eca551caec3bc549a4e590c0015003790bdd1a604ffe19cc78ee631d51f7072e  perl-5.38.0.tar.xz
 ea5a25ef8f251eb5377ec0e21c75fb61894433cfbdbf0b2559ba33e4c2664401  pkgconf-2.0.2.tar.xz
@@ -56,7 +56,7 @@ be1af57fc409f93647f2e8e4573a142ed38724b8cdd389706a867bb4efcf1e78  setuptools-69.
 b9cd386e7cd22af6e0d2a0f06d0404951e1bef109e42ea06cc0450e10cd15550  sqlite-autoconf-3440000.tar.gz
 4d62ff37342ec7aed748535323930c7cf94acf71c3591882b26a7ea50f3edc16  tar-1.35.tar.xz
 74b420d09d7f528e84f97aa330f0dd69a98a6053e7a4e01767eed115038807bf  texinfo-7.0.3.tar.xz
-87abdfaa8e490f8be6dde976f7c80b9b5ff9f301e1b67e3899e1f05a59a1531f  util-linux-2.39.2.tar.xz
+d78b37a66f5922d70edf3bdfb01a6b33d34ed3c3cafd6628203b2a2b67c8e8b3  util-linux-2.40.2.tar.xz
 c45be39f7882c9d34243236f2d63cbd58039e360f85d0913425fbd7ceea617a8  wheel-0.42.0.tar.gz
 705d0d96e94e1840e64dec75fc8d5832d34f6649833bec1ced9c3e08cf88132e  xz-5.4.4.tar.xz
 38ef96b8dfe510d42707d9c781877914792541133e1870841463bfa73f883e32  zlib-1.3.1.tar.xz
diff --git a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh
index baffce91ea5..55070afad7f 100755
--- a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh
+++ b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh
@@ -98,14 +98,14 @@ popd
 rm -rf texinfo-7.0.3
 touch /logs/status_texinfo_complete
 
-echo util-linux-2.39.2
-tar xf util-linux-2.39.2.tar.xz
-pushd util-linux-2.39.2
+echo util-linux-2.40.2
+tar xf util-linux-2.40.2.tar.xz
+pushd util-linux-2.40.2
 mkdir -pv /var/lib/hwclock
 ./configure ADJTIME_PATH=/var/lib/hwclock/adjtime \
             --libdir=/usr/lib    \
             --runstatedir=/run   \
-            --docdir=/usr/share/doc/util-linux-2.39.2 \
+            --docdir=/usr/share/doc/util-linux-2.40.2 \
             --disable-chfn-chsh  \
             --disable-login      \
             --disable-nologin    \
@@ -114,11 +114,12 @@ mkdir -pv /var/lib/hwclock
             --disable-runuser    \
             --disable-pylibmount \
             --disable-static     \
+            --disable-liblastlog2 \
             --without-python
 make -j$(nproc)
 make install
 popd
-rm -rf util-linux-2.39.2
+rm -rf util-linux-2.40.2
 touch /logs/status_util-linux_complete
 
 # 7.13. Cleaning up and Saving the Temporary System
@@ -571,9 +572,9 @@ popd
 rm -rf automake-1.16.5
 touch /logs/status_automake_complete
 
-echo OpenSSL-3.3.0
-tar xf openssl-3.3.0.tar.gz
-pushd openssl-3.3.0
+echo OpenSSL-3.3.2
+tar xf openssl-3.3.2.tar.gz
+pushd openssl-3.3.2
 sslarch=
 ./config --prefix=/usr \
          --openssldir=/etc/pki/tls \
@@ -591,7 +592,7 @@ make all -j$(nproc)
 sed -i '/INSTALL_LIBS/s/libcrypto.a libssl.a//' Makefile
 make MANSUFFIX=ssl install
 popd
-rm -rf openssl-3.3.0
+rm -rf openssl-3.3.2
 touch /logs/status_openssl_complete
 
 echo Elfutils-0.189
@@ -822,9 +823,9 @@ popd
 rm -rf procps-ng-4.0.4
 touch /logs/status_procpsng_complete
 
-echo util-linux-2.39.2
-tar xf util-linux-2.39.2.tar.xz
-pushd util-linux-2.39.2
+echo util-linux-2.40.2
+tar xf util-linux-2.40.2.tar.xz
+pushd util-linux-2.40.2
 ./configure ADJTIME_PATH=/var/lib/hwclock/adjtime \
             --bindir=/usr/bin    \
             --libdir=/usr/lib    \
@@ -841,11 +842,12 @@ pushd util-linux-2.39.2
             --without-python     \
             --without-systemd    \
             --without-systemdsystemunitdir \
-            --docdir=/usr/share/doc/util-linux-2.39.2
+            --disable-liblastlog2 \
+            --docdir=/usr/share/doc/util-linux-2.40.2
 make -j$(nproc)
 make install
 popd
-rm -rf util-linux-2.39.2
+rm -rf util-linux-2.40.2
 touch /logs/status_util-linux_complete
 
 #
diff --git a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh
index 8ef9752fb94..10ef439e7c6 100755
--- a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh
+++ b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh
@@ -86,7 +86,7 @@ rm -rf gcc-13.2.0
 
 touch $LFS/logs/temptoolchain/status_gcc_pass1_complete
 
-KERNEL_VERSION="6.6.47.1"
+KERNEL_VERSION="6.6.51.1"
 echo Linux-${KERNEL_VERSION} API Headers
 tar xf kernel-${KERNEL_VERSION}.tar.gz
 pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-3-${KERNEL_VERSION}
diff --git a/toolkit/scripts/update_cgmanifest.py b/toolkit/scripts/update_cgmanifest.py
index bee7620b9e9..6ea3e0b9822 100755
--- a/toolkit/scripts/update_cgmanifest.py
+++ b/toolkit/scripts/update_cgmanifest.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/bin/env python3
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 
diff --git a/toolkit/scripts/update_toolchain_manifest.py b/toolkit/scripts/update_toolchain_manifest.py
index 768b9fb0a6e..d2f943cc2f2 100644
--- a/toolkit/scripts/update_toolchain_manifest.py
+++ b/toolkit/scripts/update_toolchain_manifest.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/bin/env python3
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 
diff --git a/toolkit/scripts/utils.mk b/toolkit/scripts/utils.mk
index f30d581e122..4cc53c4f874 100644
--- a/toolkit/scripts/utils.mk
+++ b/toolkit/scripts/utils.mk
@@ -55,10 +55,10 @@ endef
 ######## VARIABLE DEPENDENCY TRACKING ########
 
 # List of variables to watch for changes.
-watch_vars=PACKAGE_BUILD_LIST PACKAGE_REBUILD_LIST PACKAGE_IGNORE_LIST REPO_LIST CONFIG_FILE STOP_ON_PKG_FAIL TOOLCHAIN_ARCHIVE REBUILD_TOOLCHAIN SRPM_PACK_LIST SPECS_DIR MAX_CASCADING_REBUILDS RUN_CHECK TEST_RUN_LIST TEST_RERUN_LIST TEST_IGNORE_LIST EXTRA_BUILD_LAYERS LICENSE_CHECK_MODE VALIDATE_TOOLCHAIN_GPG
+watch_vars=PACKAGE_BUILD_LIST PACKAGE_REBUILD_LIST PACKAGE_IGNORE_LIST REPO_LIST CONFIG_FILE STOP_ON_PKG_FAIL TOOLCHAIN_ARCHIVE REBUILD_TOOLCHAIN SRPM_PACK_LIST SPECS_DIR MAX_CASCADING_REBUILDS RUN_CHECK TEST_RUN_LIST TEST_RERUN_LIST TEST_IGNORE_LIST EXTRA_BUILD_LAYERS LICENSE_CHECK_MODE VALIDATE_TOOLCHAIN_GPG REPO_SNAPSHOT_TIME
 # Current list: $(depend_PACKAGE_BUILD_LIST) $(depend_PACKAGE_REBUILD_LIST) $(depend_PACKAGE_IGNORE_LIST) $(depend_REPO_LIST) $(depend_CONFIG_FILE) $(depend_STOP_ON_PKG_FAIL)
 #					$(depend_TOOLCHAIN_ARCHIVE) $(depend_REBUILD_TOOLCHAIN) $(depend_SRPM_PACK_LIST) $(depend_SPECS_DIR) $(depend_EXTRA_BUILD_LAYERS) $(depend_MAX_CASCADING_REBUILDS) $(depend_RUN_CHECK) $(depend_TEST_RUN_LIST)
-#					$(depend_TEST_RERUN_LIST) $(depend_TEST_IGNORE_LIST) $(depend_LICENSE_CHECK_MODE) $(depend_VALIDATE_TOOLCHAIN_GPG)
+#					$(depend_TEST_RERUN_LIST) $(depend_TEST_IGNORE_LIST) $(depend_LICENSE_CHECK_MODE) $(depend_VALIDATE_TOOLCHAIN_GPG) $(depend_REPO_SNAPSHOT_TIME)
 
 .PHONY: variable_depends_on_phony clean-variable_depends_on_phony setfacl_always_run_phony
 clean: clean-variable_depends_on_phony
diff --git a/toolkit/tools/grapher/grapher.go b/toolkit/tools/grapher/grapher.go
index 7c811043010..de5eede8dc8 100644
--- a/toolkit/tools/grapher/grapher.go
+++ b/toolkit/tools/grapher/grapher.go
@@ -42,6 +42,7 @@ var (
 	usePreviewRepo                = app.Flag("use-preview-repo", "Pull packages from the upstream preview repo").Bool()
 	disableDefaultRepos           = app.Flag("disable-default-repos", "Disable pulling packages from PMC repos").Bool()
 	ignoreVersionToResolveSelfDep = app.Flag("ignore-version-to-resolve-selfdep", "Ignore package version while downloading package from upstream when resolving cycle").Bool()
+	repoSnapshotTime              = app.Flag("repo-snapshot-time", "Optional: Repo time limit for tdnf virtual snapshot").String()
 
 	depGraph = pkggraph.NewPkgGraph()
 )
@@ -82,7 +83,7 @@ func main() {
 
 	var cloner *rpmrepocloner.RpmRepoCloner = nil
 	if *resolveCyclesFromUpstream {
-		cloner, err = rpmrepocloner.ConstructCloner(*outDir, *tmpDir, *workerTar, *existingRpmsDir, *existingToolchainRpmDir, *tlsClientCert, *tlsClientKey, *repoFiles)
+		cloner, err = rpmrepocloner.ConstructCloner(*outDir, *tmpDir, *workerTar, *existingRpmsDir, *existingToolchainRpmDir, *tlsClientCert, *tlsClientKey, *repoFiles, *repoSnapshotTime)
 		if err != nil {
 			logger.Log.Panic(err)
 		}
diff --git a/toolkit/tools/graphpkgfetcher/graphpkgfetcher.go b/toolkit/tools/graphpkgfetcher/graphpkgfetcher.go
index 8ffb0cf5385..03d0d493107 100644
--- a/toolkit/tools/graphpkgfetcher/graphpkgfetcher.go
+++ b/toolkit/tools/graphpkgfetcher/graphpkgfetcher.go
@@ -46,6 +46,7 @@ var (
 	disableDefaultRepos  = app.Flag("disable-default-repos", "Disable pulling packages from PMC repos").Bool()
 	disableUpstreamRepos = app.Flag("disable-upstream-repos", "Disables pulling packages from upstream repos").Bool()
 	toolchainManifest    = app.Flag("toolchain-manifest", "Path to a list of RPMs which are created by the toolchain. Will mark RPMs from this list as prebuilt.").ExistingFile()
+	repoSnapshotTime     = app.Flag("repo-snapshot-time", "Optional: Repo time limit for tdnf virtual snapshot").String()
 
 	tlsClientCert = app.Flag("tls-cert", "TLS client certificate to use when downloading files.").String()
 	tlsClientKey  = app.Flag("tls-key", "TLS client key to use when downloading files.").String()
@@ -163,7 +164,7 @@ func fetchPackages(dependencyGraph *pkggraph.PkgGraph, hasUnresolvedNodes, tryDo
 
 func setupCloner() (cloner *rpmrepocloner.RpmRepoCloner, err error) {
 	// Create the worker environment
-	cloner, err = rpmrepocloner.ConstructCloner(*outDir, *tmpDir, *workertar, *existingRpmDir, *existingToolchainRpmDir, *tlsClientCert, *tlsClientKey, *repoFiles)
+	cloner, err = rpmrepocloner.ConstructCloner(*outDir, *tmpDir, *workertar, *existingRpmDir, *existingToolchainRpmDir, *tlsClientCert, *tlsClientKey, *repoFiles, *repoSnapshotTime)
 	if err != nil {
 		err = fmt.Errorf("failed to setup new cloner:\n%w", err)
 		return
@@ -552,7 +553,8 @@ func assignRPMPath(node *pkggraph.PkgNode, outDir string, resolvedPackages []str
 }
 
 func rpmPackageToRPMPath(rpmPackage, outDir string) string {
-	// Construct the rpm path of the cloned package.
+	// Construct the RPM path of the cloned package.
+	rpmPackage = rpm.StripEpochFromPackageFullQualifiedName(rpmPackage)
 	rpmName := fmt.Sprintf("%s.rpm", rpmPackage)
 	return filepath.Join(outDir, rpmName)
 }
diff --git a/toolkit/tools/imagecustomizer/DEV.md b/toolkit/tools/imagecustomizer/DEV.md
index 19df8148328..f9014726b04 100644
--- a/toolkit/tools/imagecustomizer/DEV.md
+++ b/toolkit/tools/imagecustomizer/DEV.md
@@ -18,9 +18,12 @@ sudo go test -C ./toolkit/tools ./...
 
 ## Run Image Customizer specific tests
 
-1. Build (or download) the
-   [core-efi](https://github.com/microsoft/CBL-Mariner/blob/2.0/toolkit/imageconfigs/core-efi.json)
-   vhdx image file for Azure Linux 2.0.
+1. Build (or download) the vhdx/vhd image files for:
+
+   - [Azure Linux 2.0 core-efi](https://github.com/microsoft/CBL-Mariner/blob/2.0/toolkit/imageconfigs/core-efi.json)
+   - [Azure Linux 3.0 core-efi](https://github.com/microsoft/CBL-Mariner/blob/3.0/toolkit/imageconfigs/core-efi.json)
+   - [Azure Linux 2.0 core-legacy](https://github.com/microsoft/CBL-Mariner/blob/2.0/toolkit/imageconfigs/core-legacy.json)
+   - [Azure Linux 3.0 core-legacy](https://github.com/microsoft/CBL-Mariner/blob/3.0/toolkit/imageconfigs/core-legacy.json)
 
 2. Download the test RPM files:
 
@@ -32,11 +35,13 @@ sudo go test -C ./toolkit/tools ./...
 
    ```bash
    AZURE_LINUX_2_CORE_EFI_VHDX="<core-efi-2.0.vhdx>"
+   AZURE_LINUX_3_CORE_EFI_VHDX="<core-efi-3.0.vhdx>"
+   AZURE_LINUX_2_CORE_LEGACY_VHD="<core-legacy-2.0.vhd>"
+   AZURE_LINUX_3_CORE_LEGACY_VHD="<core-legacy-3.0.vhd>"
 
    sudo go test -C ./toolkit/tools ./pkg/imagecustomizerlib -args \
-     --base-image-core-efi "$AZURE_LINUX_2_CORE_EFI_VHDX"
+     --base-image-core-efi-azl2 "$AZURE_LINUX_2_CORE_EFI_VHDX"
+     --base-image-core-efi-azl3 "$AZURE_LINUX_3_CORE_EFI_VHDX"
+     --base-image-core-legacy-azl2 "$AZURE_LINUX_2_CORE_LEGACY_VHD"
+     --base-image-core-legacy-azl3 "$AZURE_LINUX_3_CORE_LEGACY_VHD"
    ```
-
-   Where:
-
-   - `<core-efi-2.0.vhdx>`: The vhdx image file you acquired in step 1.
diff --git a/toolkit/tools/imagecustomizer/docs/cli.md b/toolkit/tools/imagecustomizer/docs/cli.md
index ac955762154..27fc8ff14df 100644
--- a/toolkit/tools/imagecustomizer/docs/cli.md
+++ b/toolkit/tools/imagecustomizer/docs/cli.md
@@ -97,6 +97,10 @@ given the lowest priority.
 See, [Building custom packages](building-packages.md) for a guide on how to build your
 own packages for Azure Linux.
 
+See, [Cloning an RPM repo](clone-rpm-repo.md) for how to clone or download RPMs from a
+existing RPM repo (such as packages.microsoft.com). Using a cloned repo with
+`--rpm-source` can help your builds avoid dependencies on external resources.
+
 ## --disable-base-image-rpm-repos
 
 Disable the base image's installed RPM repos as a source of RPMs during package
diff --git a/toolkit/tools/imagecustomizer/docs/clone-rpm-repo.md b/toolkit/tools/imagecustomizer/docs/clone-rpm-repo.md
new file mode 100644
index 00000000000..5e31c5e2302
--- /dev/null
+++ b/toolkit/tools/imagecustomizer/docs/clone-rpm-repo.md
@@ -0,0 +1,177 @@
+# Cloning an RPM repo
+
+By default, the image customizer tool uses the base image's inbuilt repo files for where
+to source RPMs from. The Azure Linux default repos typically point to
+packages.microsoft.com (PMC).
+
+PMC is regularly updated with bug fixes and feature updates for packages. So, if an
+image customization config includes package install or updates, then a run on one day
+may produce a different result than a run on another day since PMC might have been
+updated in between runs. This behavior may be perfectly fine (or even desirable) for
+some users. However, other users may require more stable builds that don't change based
+on the state of an external resource (e.g. PMC). For such users, it can be useful to
+make a clone of PMC.
+
+## Cloning a repo to a local directory
+
+1. Acquire the `dnf reposync` and `dnf download` commands.
+
+   Azure Linux 2.0 and 3.0:
+
+   ```bash
+   sudo tdnf -y install dnf-utils
+   ```
+
+   Ubuntu 24.04:
+
+   ```bash
+   sudo apt update -y
+   sudo apt install -y dnf-plugins-core
+   ```
+
+2. Select the repo URL:
+
+   | Azure Linux Version | Arch   | URL                                                               |
+   | ------------------- | ------ | ----------------------------------------------------------------- |
+   | 2.0                 | x86_64 | https://packages.microsoft.com/cbl-mariner/2.0/prod/base/x86_64/  |
+   | 2.0                 | ARM64  | https://packages.microsoft.com/cbl-mariner/2.0/prod/base/aarch64/ |
+   | 3.0                 | x86_64 | https://packages.microsoft.com/azurelinux/3.0/prod/base/x86_64/   |
+   | 3.0                 | ARM64  | https://packages.microsoft.com/azurelinux/3.0/prod/base/aarch64/  |
+
+   For example:
+
+   ```bash
+   REPO_URL="https://packages.microsoft.com/azurelinux/3.0/prod/base/x86_64/"
+   ```
+
+3. Clone PMC.
+
+   If you want to clone all of PMC, then run:
+
+   ```bash
+   dnf reposync --repofrompath "azurelinux,$REPO_URL" --repo azurelinux --newest-only
+   ```
+
+   If you want to only clone a subset of packages (and their dependencies), then run:
+
+   ```bash
+   PACKAGE_LIST="vim nano"
+   dnf download --repofrompath "azurelinux,$REPO_URL" --repo azurelinux --resolve --alldeps --destdir azurelinux $PACKAGE_LIST
+   ```
+
+   This will download the RPMs into a directory named `azurelinux`.
+
+4. Cache the downloaded RPMs somewhere.
+
+5. Use cached RPMs with the image customizer tool.
+
+   ```bash
+    sudo ./imagecustomizer \
+      --build-dir ./build \
+      --image-file <base-image-file> \
+      --output-image-file ./out/image.vhdx \
+      --output-image-format vhdx \
+      --config-file <config-file> \
+      --disable-base-image-rpm-repos \
+      --rpm-source <rpms-dir>
+   ```
+
+   where:
+
+   - `<base-image-file>`: The base image file.
+   - `<config-file>`: The image customizer config file.
+   - `<rpms-dir>`: The local directory that contains the downloaded RPMs.
+
+## Hosting a cloned repo
+
+It may be desirable to host the downloaded RPMs in a common location so that it can be
+used by both builds and developers.
+
+An RPM server is simply a HTTP server that hosts static files. There is no dynamic
+content. So, pretty much any HTTP server application or provider can be used. The files
+served by the HTTP server are the RPM files themselves and a few metadata files that
+document what RPMs are available.
+
+Example RPM server using httpd/apache2:
+
+1. Install prerequisites:
+
+   Azure Linux 2.0 and 3.0:
+
+   ```bash
+   sudo tdnf -y install createrepo_c httpd
+   sudo systemctl enable --now httpd
+   ```
+
+   Ubuntu 22.04:
+
+   ```bash
+   sudo apt update -y
+   sudo apt install -y createrepo-c apache2
+   ````
+
+2. Download the cached RPMs to a local directory.
+
+3. Create the metadata files:
+
+   ```bash
+   createrepo_c --compatibility --update <rpms-dir>
+   ```
+
+   where:
+
+   - `<rpms-dir>`: The directory you downloaded the RPMs to.
+
+4. Move the RPMs directory:
+
+   ```bash
+   sudo mkdir -p /var/www
+   sudo mv -T <rpms-dir> /var/www/rpms
+   ```
+
+5. Configure the HTTP server:
+
+   Azure Linux 2.0 and 3.0:
+
+   ```bash
+   sudo sed -i 's|"/etc/httpd/htdocs"|"/var/www/rpms"|' /etc/httpd/conf/httpd.conf
+   sudo systemctl reload httpd
+   ```
+
+   Ubuntu 22.04:
+
+   ```bash
+   sudo sed -i 's|/var/www/html|/var/www/rpms|' /etc/apache2/sites-available/000-default.conf
+   sudo systemctl reload httpd
+   ```
+
+6. Create a file called `rpms.repo` with the following contents:
+
+   ```ini
+   [rpmshost]
+   name=rpmshost
+   baseurl=http://<ip-address>
+   enabled=1
+   ```
+
+   where:
+
+   - `<ip-address>`: The IP address of the HTTP server hosting the RPM files.
+
+7. Use the `rpms.repo` file with the image customizer tool:
+
+   ```bash
+    sudo ./imagecustomizer \
+      --build-dir ./build \
+      --image-file <base-image-file> \
+      --output-image-file ./out/image.vhdx \
+      --output-image-format vhdx \
+      --config-file <config-file> \
+      --disable-base-image-rpm-repos \
+      --rpm-source rpms.repo
+   ```
+
+   where:
+
+   - `<base-image-file>`: The base image file.
+   - `<config-file>`: The image customizer config file.
diff --git a/toolkit/tools/imagecustomizer/docs/configuration.md b/toolkit/tools/imagecustomizer/docs/configuration.md
index aafb05aa310..e83246e08cb 100644
--- a/toolkit/tools/imagecustomizer/docs/configuration.md
+++ b/toolkit/tools/imagecustomizer/docs/configuration.md
@@ -26,7 +26,7 @@ The Azure Linux Image Customizer is configured using a YAML (or JSON) file.
 
 4. Update hostname. ([hostname](#hostname-string))
 
-5. Copy additional files. ([additionalFiles](#additionalfiles-mapstring-fileconfig))
+5. Copy additional files. ([additionalFiles](#os-additionalfiles))
   
 6. Copy additional directories. ([additionalDirs](#additionaldirs-dirconfig))
 
@@ -47,8 +47,8 @@ The Azure Linux Image Customizer is configured using a YAML (or JSON) file.
 
 12. Update the SELinux mode. [mode](#mode-string)
 
-13. If ([overlays](#overlay-type)) are specified, then add the overlays dracut module
-    and update the grub config.
+13. If ([overlays](#overlay-type)) are specified, then add the overlay driver
+    and update the fstab file with the overlay mount information.
 
 14. If ([verity](#verity-type)) is specified, then add the dm-verity dracut driver
     and update the grub config.
@@ -125,8 +125,8 @@ os:
             - [end](#end-uint64)
             - [size](#size-uint64)
             - [type](#partition-type-string)
-    - [fileSystems](#filesystems-filesystem)
-      - [fileSystem type](#filesystem-type)
+    - [filesystems](#filesystems-filesystem)
+      - [filesystem type](#filesystem-type)
         - [deviceId](#deviceid-string)
         - [type](#type-string)
         - [mountPoint](#mountpoint-mountpoint)
@@ -136,16 +136,18 @@ os:
             - [path](#mountpoint-path)
   - [resetPartitionsUuidsType](#resetpartitionsuuidstype-string)
   - [iso](#iso-type)
-    - [additionalFiles](#additionalfiles-mapstring-fileconfig)
-      - [fileConfig type](#fileconfig-type)
-        - [path](#fileconfig-path)
+    - [additionalFiles](#iso-additionalfiles)
+      - [additionalFile type](#additionalfile-type)
+        - [source](#source-string)
+        - [content](#content-string)
+        - [destination](#destination-string)
         - [permissions](#permissions-string)
-    - [kernelCommandLine](#kernelcommandline-type)
+    - [kernelCommandLine](#iso-kernelcommandline)
       - [extraCommandLine](#extracommandline-string)
   - [os type](#os-type)
     - [resetBootLoaderType](#resetbootloadertype-string)
     - [hostname](#hostname-string)
-    - [kernelCommandLine](#kernelcommandline-type)
+    - [kernelCommandLine](#os-kernelcommandline)
       - [extraCommandLine](#extracommandline-string)
     - [packages](#packages-packages)
       - [packages type](#packages-type)
@@ -160,14 +162,16 @@ os:
         - [remove](#remove-string)
         - [updateLists](#updatelists-string)
         - [update](#update-string)
-    - [additionalFiles](#additionalfiles-mapstring-fileconfig)
-      - [fileConfig type](#fileconfig-type)
-        - [path](#fileconfig-path)
+    - [additionalFiles](#os-additionalfiles)
+      - [additionalFile type](#additionalfile-type)
+        - [source](#source-string)
+        - [content](#content-string)
+        - [destination](#destination-string)
         - [permissions](#permissions-string)
     - [additionalDirs](#additionaldirs-dirconfig)
       - [dirConfig](#dirconfig-type)
-        - [sourcePath](#dirconfig-sourcePath)
-        - [destinationPath](#dirconfig-destinationPath)
+        - [source](#dirconfig-source)
+        - [destination](#dirconfig-destination)
         - [newDirPermissions](#newdirpermissions-string)
         - [mergedDirPermissions](#mergeddirpermissions-string)
         - [childFilePermissions](#childfilepermissions-string)
@@ -244,8 +248,8 @@ storage:
 
     - id: rootfs
       start: 9M
-      
-  fileSystems:
+
+  filesystems:
   - deviceId: esp
     type: fat32
     mountPoint:
@@ -334,63 +338,174 @@ The partitions to provision on the disk.
 
 Specifies the configuration for the generated ISO media.
 
-### kernelExtraCommandLine [string]
+<div id="iso-kernelcommandline"></div>
 
-- See [extraCommandLine](#extracommandline-string).
+### kernelCommandLine [[kernelCommandLine](#kernelcommandline-type)]
+
+Specifies extra kernel command line options.
 
-### additionalFiles
+<div id="iso-additionalfiles"></div>
 
-- See [additionalFiles](#additionalfiles-mapstring-fileconfig).
+### additionalFiles [[additionalFile](#additionalfile-type)[]>]
+
+Adds files to the ISO.
 
 ## overlay type
 
 Specifies the configuration for overlay filesystem.
 
-- `lowerDir`: This directory acts as the read-only layer in the overlay
-  filesystem. It contains the base files and directories which will be overlaid
-  by the upperDir. Changes to the overlay filesystem do not affect the contents
-  of lowerDir.
+Overlays Configuration Example:
 
-- `upperDir`: This directory is the writable layer of the overlay filesystem.
-  Any modifications, such as file additions, deletions, or changes, are made in
-  the upperDir. These changes are what make the overlay filesystem appear
-  different from the lowerDir alone.
+```yaml
+storage:
+  disks:
+  bootType: efi
+  - partitionTableType: gpt
+    maxSize: 4G
+    partitions:
+    - id: esp
+      type: esp
+      start: 1M
+      end: 9M
+    - id: boot
+      start: 9M
+      end: 108M
+    - id: rootfs
+      label: rootfs
+      start: 108M
+      end: 2G
+    - id: var
+      start: 2G
 
-- `workDir`: This is a required directory used for preparing files before they
-  are merged into the upperDir. It needs to be on the same filesystem as the
-  upperDir and is used for temporary storage by the overlay filesystem to ensure
-  atomic operations. The workDir is not directly accessible to users.
+  filesystems:
+  - deviceId: esp
+    type: fat32
+    mountPoint:
+      path: /boot/efi
+      options: umask=0077
+  - deviceId: boot
+    type: ext4
+    mountPoint:
+      path: /boot
+  - deviceId: rootfs
+    type: ext4
+    mountPoint:
+      path: /
+  - deviceId: var
+    type: ext4
+    mountPoint:
+      path: /var
+      options: defaults,x-initrd.mount
 
-- `partition`: Optional field: If configured, a partition will be attached to
-  the current targeted overlay, making it persistent and ensuring that changes
-  are retained. If not configured, the overlay will be volatile.
+os:
+  resetBootLoaderType: hard-reset
+  overlays:
+    - mountPoint: /etc
+      lowerDirs:
+      - /etc
+      upperDir: /var/overlays/etc/upper
+      workDir: /var/overlays/etc/work
+      isInitrdOverlay: true
+      mountDependencies:
+      - /var
+    - mountPoint: /media
+      lowerDirs:
+      - /media
+      - /home
+      upperDir: /overlays/media/upper
+      workDir: /overlays/media/work
+```
 
-  - `idType`: Specifies the type of id for the partition. The options are
-    `part-label` (partition label), `uuid` (filesystem UUID), and `part-uuid`
-    (partition UUID).
+### `mountPoint` [string]
 
-  - `id`: The unique identifier value of the partition, corresponding to the
-    specified IdType.
+The directory where the combined view of the `upperDir` and `lowerDir` will be
+mounted. This is the location where users will see the merged contents of the
+overlay filesystem. It is common for the `mountPoint` to be the same as the
+`lowerDir`. But this is not required.
+
+Example: `/etc`
+
+### `lowerDirs` [string[]]
+
+These directories act as the read-only layers in the overlay filesystem. They
+contain the base files and directories which will be overlaid by the `upperDir`.
+Multiple lower directories can be specified by providing a list of paths, which
+will be joined using a colon (`:`) as a separator.
 
 Example:
 
 ```yaml
-os:
-  overlays:
-    - lowerDir: /etc
-      upperDir: /upper_etc
-      workDir: /work_etc
-      partition:
-        idType: part-label
-        id: partition-etc
-    - lowerDir: /var/lib
-      upperDir: /upper_var_lib
-      workDir: /work_var_lib
-    - lowerDir: /var/log
-      upperDir: /upper_var_log
-      workDir: /work_var_log
+lowerDirs: 
+- /etc
 ```
 
+### `upperDir` [string]
+
+This directory is the writable layer of the overlay filesystem. Any
+modifications, such as file additions, deletions, or changes, are made in the
+upperDir. These changes are what make the overlay filesystem appear different
+from the lowerDir alone. 
+  
+Example: `/var/overlays/etc/upper`
+
+### `workDir` [string]
+
+This is a required directory used for preparing files before they are merged
+into the upperDir. It needs to be on the same filesystem as the upperDir and
+is used for temporary storage by the overlay filesystem to ensure atomic
+operations. The workDir is not directly accessible to users. 
+  
+Example: `/var/overlays/etc/work`
+
+### `isInitrdOverlay` [bool]
+
+A boolean flag indicating whether this overlay is part of the root filesystem.
+If set to `true`, specific adjustments will be made, such as prefixing certain
+paths with `/sysroot`, and the overlay will be added to the fstab file with the
+`x-initrd.mount` option to ensure it is available during the initrd phase.
+
+This is an optional argument.
+
+Example: `False`
+
+### `mountDependencies` [string[]]
+
+Specifies a list of directories that must be mounted before this overlay. Each
+directory in the list should be mounted and available before the overlay
+filesystem is mounted.
+
+This is an optional argument.
+
+Example:
+
+```yaml
+mountDependencies: 
+- /var
+```
+
+**Important**: If any directory specified in `mountDependencies` needs to be
+available during the initrd phase, you must ensure that this directory's mount
+configuration in the `filesystems` section includes the `x-initrd.mount` option.
+For example:
+
+```yaml
+filesystems:
+  - deviceId: var
+    type: ext4
+    mountPoint:
+      path: /var
+      options: defaults,x-initrd.mount
+```
+
+### `mountOptions` [string]
+
+A string of additional mount options that can be applied to the overlay mount.
+Multiple options should be separated by commas.
+
+This is an optional argument.
+
+Example: `noatime,nodiratime`
+
 ## verity type
 
 Specifies the configuration for dm-verity root integrity verification. Please
@@ -404,8 +519,8 @@ please refer to the [overlay type](#overlay-type) section.
   at each system boot.
 
   - `idType`: Specifies the type of id for the partition. The options are
-    `part-label` (partition label), `uuid` (filesystem UUID), and `part-uuid`
-    (partition UUID).
+    `id` (partition [id](#id-string)), `part-label` (partition label),
+    `uuid` (filesystem UUID), and `part-uuid` (partition UUID).
 
   - `id`: The unique identifier value of the partition, corresponding to the
     specified IdType.
@@ -435,17 +550,15 @@ os:
     corruptionOption: panic
 ```
 
-## fileConfig type
+## additionalFile type
 
 Specifies options for placing a file in the OS.
 
-Type is used by: [additionalFiles](#additionalfiles-mapstring-fileconfig)
+Type is used by: [additionalFiles](#additionalfiles-additionalfile)
 
-<div id="fileconfig-path"></div>
+### source [string]
 
-### path [string]
-
-The absolute path of the destination file.
+The path of the source file to copy to the destination path.
 
 Example:
 
@@ -456,6 +569,33 @@ os:
     - path: /a.txt
 ```
 
+### content [string]
+
+The contents of the file to write to the destination path.
+
+Example:
+
+```yaml
+os:
+  additionalFiles:
+  - content: |
+      abc
+    destination: /a.txt
+```
+
+### destination [string]
+
+The absolute path of the destination file.
+
+Example:
+
+```yaml
+os:
+  additionalFiles:
+  - source: files/a.txt
+    destination: /a.txt
+```
+
 ### permissions [string]
 
 The permissions to set on the destination file.
@@ -469,9 +609,9 @@ Example:
 ```yaml
 os:
   additionalFiles:
-    files/a.txt:
-    - path: /a.txt
-      permissions: "664"
+  - source: files/a.txt
+    destination: /a.txt
+    permissions: "664"
 ```
 
 ## dirConfig type
@@ -480,15 +620,15 @@ Specifies options for placing a directory in the OS.
 
 Type is used by: [additionalDirs](#additionaldirs-dirconfig)
 
-<div id="dirconfig-sourcePath"></div>
+<div id="dirconfig-source"></div>
 
-### sourcePath [string]
+### source [string]
 
 The absolute path to the source directory that will be copied.
 
-<div id="dirconfig-destinationPath"></div>
+<div id="dirconfig-destination"></div>
 
-### destinationPath [string]
+### destination [string]
 
 The absolute path in the target OS that the source directory will be copied to.
 
@@ -497,8 +637,8 @@ Example:
 ```yaml
 os:
   additionalDirs:
-    - sourcePath: "home/files/targetDir"
-      destinationPath: "usr/project/targetDir"
+    - source: "home/files/targetDir"
+      destination: "usr/project/targetDir"
 ```
 
 ### newDirPermissions [string]
@@ -526,14 +666,14 @@ Example:
 ```yaml
 os:
   additionalDirs:
-    - sourcePath: "home/files/targetDir"
-      destinationPath: "usr/project/targetDir"
+    - source: "home/files/targetDir"
+      destination: "usr/project/targetDir"
       newDirPermissions: "644"
       mergedDirPermissions: "777"
       childFilePermissions: "644"
 ```
 
-## fileSystem type
+## filesystem type
 
 Specifies the mount options for a partition.
 
@@ -542,7 +682,7 @@ Specifies the mount options for a partition.
 Required.
 
 The ID of the partition.
-This is used correlate [partition](#partition-type) objects with fileSystem objects.
+This is used correlate [partition](#partition-type) objects with filesystem objects.
 
 ### type [string]
 
@@ -553,7 +693,8 @@ The filesystem type of the partition.
 Supported options:
 
 - `ext4`
-- `fat32`
+- `fat32` (alias for `vfat`)
+- `vfat` (will select either FAT12, FAT16, or FAT32 based on the size of the partition)
 - `xfs`
 
 ### mountPoint [[mountPoint](#mountpoint-type)]
@@ -776,7 +917,7 @@ os:
 Required.
 
 The ID of the partition.
-This is used to correlate Partition objects with [fileSystem](#filesystem-type)
+This is used to correlate Partition objects with [filesystem](#filesystem-type)
 objects.
 
 ### label [string]
@@ -832,7 +973,7 @@ Specifies options for the partition.
 Supported options:
 
 - `esp`: The UEFI System Partition (ESP).
-  The partition must have a `fileSystemType` of `fat32`.
+  The partition must have a `fileSystemType` of `fat32` or `vfat`.
 
 - `bios-grub`: Specifies this partition is the BIOS boot partition.
   This is required for GPT disks that wish to be bootable using legacy BIOS mode.
@@ -1143,45 +1284,32 @@ os:
   hostname: example-image
 ```
 
+<div id="os-kernelcommandline"></div>
+
 ### kernelCommandLine [[kernelCommandLine](#kernelcommandline-type)]
 
-Specifies extra kernel command line options, as well as other configuration values
-relating to the kernel.
+Specifies extra kernel command line options.
 
 ### packages [packages](#packages-type)
 
 Remove, update, and install packages on the system.
 
-### additionalFiles [map\<string, [fileConfig](#fileconfig-type)[]>]
+<div id="os-additionalfiles"></div>
 
-Copy files into the OS image.
-
-This property is a dictionary of source file paths to destination files.
-
-The destination files value can be one of:
-
-- The absolute path of a destination file.
-- A [fileConfig](#fileconfig-type) object.
-- A list containing a mixture of paths and [fileConfig](#fileconfig-type) objects.
+### additionalFiles [[additionalFile](#additionalfile-type)[]>]
 
-Example:
+Copy files into the OS image.
 
 ```yaml
 os:
   additionalFiles:
-    # Single destination.
-    files/a.txt: /a.txt
-
-    # Single destinations with options.
-    files/b.txt:
-      path: /b.txt
-      permissions: "664"
-
-    # Multiple destinations.
-    files/c.txt:
-    - /c1.txt
-    - path: /c2.txt
-      permissions: "664"
+  - source: files/a.txt
+    destination: /a.txt
+
+  - content: |
+      abc
+    destination: /b.txt
+    permissions: "664"
 ```
 
 ### additionalDirs [[dirConfig](#dirconfig-type)[]]
@@ -1196,11 +1324,11 @@ Example:
 os:
   additionalDirs:
     # Copying directory with default permission options.
-    - sourcePath: "path/to/local/directory/"
-      destinationPath: "/path/to/destination/directory/"
+    - source: "path/to/local/directory/"
+      destination: "/path/to/destination/directory/"
     # Copying directory with specific permission options.
-    - sourcePath: "path/to/local/directory/"
-      destinationPath: "/path/to/destination/directory/"
+    - source: "path/to/local/directory/"
+      destination: "/path/to/destination/directory/"
       newDirPermissions: 0644
       mergedDirPermissions: 0777
       childFilePermissions: 0644
@@ -1295,7 +1423,7 @@ Specifies the user's password.
 
 WARNING: Passwords should not be used in images used in production.
 
-### PasswordExpiresDays [int]
+### passwordExpiresDays [int]
 
 The number of days until the password expires and the user can no longer login.
 
@@ -1314,7 +1442,7 @@ os:
 
 ### sshPublicKeyPaths [string[]]
 
-File paths to SSH public key files.
+A list of file paths to SSH public key files.
 These public keys will be copied into the user's `~/.ssh/authorized_keys` file.
 
 Note: It is preferable to use Microsoft Entra ID for SSH authentication, instead of
@@ -1330,6 +1458,24 @@ os:
     - id_ed25519.pub
 ```
 
+### sshPublicKeys [string[]]
+
+A list of SSH public keys.
+These public keys will be copied into the user's `~/.ssh/authorized_keys` file.
+
+Note: It is preferable to use Microsoft Entra ID for SSH authentication, instead of
+individual public keys.
+
+Example:
+
+```yaml
+os:
+  users:
+  - name: test
+    sshPublicKeys:
+    - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFyWtgGE06d/uBFQm70tYKvJKwJfRDoh06bWQQwC6Qkm test@test-machine
+```
+
 ### primaryGroup [string]
 
 The primary group of the user.
@@ -1453,6 +1599,6 @@ Supported options:
 
 Contains the options for provisioning disks and their partitions.
 
-### fileSystems [[fileSystem](#filesystem-type)[]]
+### filesystems [[filesystem](#filesystem-type)[]]
 
 Specifies the mount options of the partitions.
diff --git a/toolkit/tools/imagecustomizerapi/additionalfile.go b/toolkit/tools/imagecustomizerapi/additionalfile.go
new file mode 100644
index 00000000000..72c6145de58
--- /dev/null
+++ b/toolkit/tools/imagecustomizerapi/additionalfile.go
@@ -0,0 +1,61 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package imagecustomizerapi
+
+import (
+	"fmt"
+)
+
+type AdditionalFileList []AdditionalFile
+
+type AdditionalFile struct {
+	// The destination file path in the target OS that the file will be copied to.
+	Destination string `yaml:"destination"`
+
+	// The source file path of the file that will copied.
+	// Mutally exclusive with 'contents'.
+	Source string `yaml:"source"`
+
+	// A string that will be used as the contents of the file.
+	// Mutally exclusive with 'source'.
+	Content *string `yaml:"content"`
+
+	// The file permissions to set on the file.
+	Permissions *FilePermissions `yaml:"permissions"`
+}
+
+func (l AdditionalFileList) IsValid() (err error) {
+	for i, additionalFile := range l {
+		err = additionalFile.IsValid()
+		if err != nil {
+			return fmt.Errorf("invalid value at index %d:\n%w", i, err)
+		}
+	}
+
+	return nil
+}
+
+func (f *AdditionalFile) IsValid() (err error) {
+	if f.Destination == "" {
+		return fmt.Errorf("destination path must not be empty")
+	}
+
+	if f.Source == "" && f.Content == nil {
+		return fmt.Errorf("must specify either 'source' or 'content'")
+	}
+
+	if f.Source != "" && f.Content != nil {
+		return fmt.Errorf("cannot specify both 'source' and 'content'")
+	}
+
+	// Permissions
+	if f.Permissions != nil {
+		err = f.Permissions.IsValid()
+		if err != nil {
+			return fmt.Errorf("invalid permissions value:\n%w", err)
+		}
+	}
+
+	return nil
+}
diff --git a/toolkit/tools/imagecustomizerapi/additionalfile_test.go b/toolkit/tools/imagecustomizerapi/additionalfile_test.go
new file mode 100644
index 00000000000..8b23b8a903a
--- /dev/null
+++ b/toolkit/tools/imagecustomizerapi/additionalfile_test.go
@@ -0,0 +1,65 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package imagecustomizerapi
+
+import (
+	"testing"
+
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/ptrutils"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAdditionalFilesIsValidNoDestination(t *testing.T) {
+	additionalFiles := AdditionalFileList{
+		{
+			Destination: "",
+			Source:      "a.txt",
+		},
+	}
+	err := additionalFiles.IsValid()
+	assert.Error(t, err)
+	assert.ErrorContains(t, err, "invalid value at index 0")
+	assert.ErrorContains(t, err, "destination path must not be empty")
+}
+
+func TestAdditionalFilesIsValidNoSourceOrContent(t *testing.T) {
+	additionalFiles := AdditionalFileList{
+		{
+			Destination: "/a.txt",
+		},
+	}
+	err := additionalFiles.IsValid()
+	assert.Error(t, err)
+	assert.ErrorContains(t, err, "invalid value at index 0")
+	assert.ErrorContains(t, err, "must specify either 'source' or 'content'")
+}
+
+func TestAdditionalFilesIsValidBothSourceAndContent(t *testing.T) {
+	additionalFiles := AdditionalFileList{
+		{
+			Destination: "/a.txt",
+			Source:      "a.txt",
+			Content:     ptrutils.PtrTo("abc"),
+		},
+	}
+	err := additionalFiles.IsValid()
+	assert.Error(t, err)
+	assert.ErrorContains(t, err, "invalid value at index 0")
+	assert.ErrorContains(t, err, "cannot specify both 'source' and 'content'")
+}
+
+func TestAdditionalFilesIsValidBadPermissions(t *testing.T) {
+	additionalFiles := AdditionalFileList{
+		{
+			Destination: "/a.txt",
+			Source:      "a.txt",
+			Permissions: ptrutils.PtrTo(FilePermissions(0o7000)),
+		},
+	}
+	err := additionalFiles.IsValid()
+	assert.Error(t, err)
+	assert.ErrorContains(t, err, "invalid value at index 0")
+	assert.ErrorContains(t, err, "invalid permissions value")
+	assert.ErrorContains(t, err, "0o7000 contains non-permission bits")
+}
diff --git a/toolkit/tools/imagecustomizerapi/additionalfilesmap.go b/toolkit/tools/imagecustomizerapi/additionalfilesmap.go
deleted file mode 100644
index b0809d38a9c..00000000000
--- a/toolkit/tools/imagecustomizerapi/additionalfilesmap.go
+++ /dev/null
@@ -1,25 +0,0 @@
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-
-package imagecustomizerapi
-
-import (
-	"errors"
-	"fmt"
-)
-
-type AdditionalFilesMap map[string]FileConfigList
-
-func (afmap AdditionalFilesMap) IsValid() error {
-	var aggregateErr error
-	for sourcePath, fileConfigList := range afmap {
-		if len(sourcePath) == 0 {
-			aggregateErr = errors.Join(aggregateErr, fmt.Errorf("invalid source path: cannot be empty"))
-		}
-		err := fileConfigList.IsValid()
-		if err != nil {
-			aggregateErr = errors.Join(aggregateErr, fmt.Errorf("invalid file configs for (%s):\n%w", sourcePath, err))
-		}
-	}
-	return aggregateErr
-}
diff --git a/toolkit/tools/imagecustomizerapi/config.go b/toolkit/tools/imagecustomizerapi/config.go
index 65b4976f6a5..1a61ee6b9a5 100644
--- a/toolkit/tools/imagecustomizerapi/config.go
+++ b/toolkit/tools/imagecustomizerapi/config.go
@@ -64,5 +64,42 @@ func (c *Config) IsValid() (err error) {
 		return fmt.Errorf("os.resetBootLoaderType must be specified if resetPartitionsUuidsType is specified")
 	}
 
+	if c.OS != nil && c.OS.Verity != nil {
+		err := ensureVerityPartitionIdExists(c.OS.Verity.DataPartition, c.Storage)
+		if err != nil {
+			return fmt.Errorf("invalid verity 'dataPartition':\n%w", err)
+		}
+
+		err = ensureVerityPartitionIdExists(c.OS.Verity.HashPartition, c.Storage)
+		if err != nil {
+			return fmt.Errorf("invalid verity 'hashPartition':\n%w", err)
+		}
+	}
+
+	return nil
+}
+
+func ensureVerityPartitionIdExists(verityPartition IdentifiedPartition, storage *Storage) error {
+	switch verityPartition.IdType {
+	case IdTypeId:
+		if storage == nil {
+			return fmt.Errorf("'idType' cannot be 'id' if 'storage' is not specified")
+		}
+
+		foundPartition := false
+		for _, disk := range storage.Disks {
+			for _, partition := range disk.Partitions {
+				if partition.Id == verityPartition.Id {
+					foundPartition = true
+					break
+				}
+			}
+		}
+
+		if !foundPartition {
+			return fmt.Errorf("partition with 'id' (%s) not found", verityPartition.Id)
+		}
+	}
+
 	return nil
 }
diff --git a/toolkit/tools/imagecustomizerapi/config_test.go b/toolkit/tools/imagecustomizerapi/config_test.go
index 8139e001251..093244b1227 100644
--- a/toolkit/tools/imagecustomizerapi/config_test.go
+++ b/toolkit/tools/imagecustomizerapi/config_test.go
@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"github.com/microsoft/azurelinux/toolkit/tools/imagegen/diskutils"
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/ptrutils"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -15,11 +16,11 @@ func TestConfigIsValid(t *testing.T) {
 		Storage: &Storage{
 			Disks: []Disk{{
 				PartitionTableType: "gpt",
-				MaxSize:            3 * diskutils.MiB,
+				MaxSize:            ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 				Partitions: []Partition{
 					{
 						Id:    "esp",
-						Start: 1 * diskutils.MiB,
+						Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 						Type:  PartitionTypeESP,
 					},
 				},
@@ -52,11 +53,11 @@ func TestConfigIsValidLegacy(t *testing.T) {
 		Storage: &Storage{
 			Disks: []Disk{{
 				PartitionTableType: "gpt",
-				MaxSize:            3 * diskutils.MiB,
+				MaxSize:            ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 				Partitions: []Partition{
 					{
 						Id:    "boot",
-						Start: 1 * diskutils.MiB,
+						Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 						Type:  PartitionTypeBiosGrub,
 					},
 				},
@@ -65,7 +66,6 @@ func TestConfigIsValidLegacy(t *testing.T) {
 			FileSystems: []FileSystem{
 				{
 					DeviceId: "boot",
-					Type:     "fat32",
 				},
 			},
 		},
@@ -84,11 +84,11 @@ func TestConfigIsValidNoBootType(t *testing.T) {
 		Storage: &Storage{
 			Disks: []Disk{{
 				PartitionTableType: "gpt",
-				MaxSize:            2 * diskutils.MiB,
+				MaxSize:            ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 				Partitions: []Partition{
 					{
 						Id:    "a",
-						Start: 1 * diskutils.MiB,
+						Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 					},
 				},
 			}},
@@ -109,11 +109,11 @@ func TestConfigIsValidMissingBootLoaderReset(t *testing.T) {
 		Storage: &Storage{
 			Disks: []Disk{{
 				PartitionTableType: "gpt",
-				MaxSize:            3 * diskutils.MiB,
+				MaxSize:            ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 				Partitions: []Partition{
 					{
 						Id:    "esp",
-						Start: 1 * diskutils.MiB,
+						Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 						Type:  PartitionTypeESP,
 					},
 				},
@@ -145,11 +145,11 @@ func TestConfigIsValidMultipleDisks(t *testing.T) {
 			Disks: []Disk{
 				{
 					PartitionTableType: "gpt",
-					MaxSize:            1 * diskutils.MiB,
+					MaxSize:            ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 				},
 				{
 					PartitionTableType: "gpt",
-					MaxSize:            1 * diskutils.MiB,
+					MaxSize:            ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 				},
 			},
 			BootType: "legacy",
@@ -199,7 +199,7 @@ func TestConfigIsValidBadDisk(t *testing.T) {
 			BootType: BootTypeEfi,
 			Disks: []Disk{{
 				PartitionTableType: PartitionTableTypeGpt,
-				MaxSize:            0,
+				MaxSize:            ptrutils.PtrTo(DiskSize(0)),
 			}},
 		},
 		OS: &OS{
@@ -218,7 +218,7 @@ func TestConfigIsValidMissingEsp(t *testing.T) {
 		Storage: &Storage{
 			Disks: []Disk{{
 				PartitionTableType: "gpt",
-				MaxSize:            2 * diskutils.MiB,
+				MaxSize:            ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 				Partitions:         []Partition{},
 			}},
 			BootType: "efi",
@@ -239,7 +239,7 @@ func TestConfigIsValidMissingBiosBoot(t *testing.T) {
 		Storage: &Storage{
 			Disks: []Disk{{
 				PartitionTableType: "gpt",
-				MaxSize:            2 * diskutils.MiB,
+				MaxSize:            ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 				Partitions:         []Partition{},
 			}},
 			BootType: "legacy",
@@ -260,11 +260,11 @@ func TestConfigIsValidInvalidMountPoint(t *testing.T) {
 		Storage: &Storage{
 			Disks: []Disk{{
 				PartitionTableType: "gpt",
-				MaxSize:            3 * diskutils.MiB,
+				MaxSize:            ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 				Partitions: []Partition{
 					{
 						Id:    "esp",
-						Start: 1 * diskutils.MiB,
+						Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 						Type:  PartitionTypeESP,
 					},
 				},
@@ -288,7 +288,7 @@ func TestConfigIsValidInvalidMountPoint(t *testing.T) {
 
 	err := config.IsValid()
 	assert.Error(t, err)
-	assert.ErrorContains(t, err, "invalid fileSystems item at index 0")
+	assert.ErrorContains(t, err, "invalid filesystems item at index 0")
 	assert.ErrorContains(t, err, "invalid mountPoint value")
 	assert.ErrorContains(t, err, "invalid path (boot/efi): must be an absolute path")
 }
@@ -298,11 +298,11 @@ func TestConfigIsValidKernelCLI(t *testing.T) {
 		Storage: &Storage{
 			Disks: []Disk{{
 				PartitionTableType: "gpt",
-				MaxSize:            3 * diskutils.MiB,
+				MaxSize:            ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 				Partitions: []Partition{
 					{
 						Id:    "esp",
-						Start: 1 * diskutils.MiB,
+						Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 						Type:  PartitionTypeESP,
 					},
 				},
@@ -333,8 +333,8 @@ func TestConfigIsValidKernelCLI(t *testing.T) {
 func TestConfigIsValidInvalidIso(t *testing.T) {
 	config := &Config{
 		Iso: &Iso{
-			AdditionalFiles: AdditionalFilesMap{
-				"": FileConfigList{},
+			AdditionalFiles: AdditionalFileList{
+				{},
 			},
 		},
 	}
@@ -357,3 +357,156 @@ func TestConfigIsValidInvalidScripts(t *testing.T) {
 	assert.ErrorContains(t, err, "invalid postCustomization script at index 0")
 	assert.ErrorContains(t, err, "either path or content must have a value")
 }
+
+func TestConfigIsValidVerityValid(t *testing.T) {
+	config := &Config{
+		Storage: &Storage{
+			Disks: []Disk{{
+				PartitionTableType: "gpt",
+				Partitions: []Partition{
+					{
+						Id: "esp",
+						Size: PartitionSize{
+							Type: PartitionSizeTypeExplicit,
+							Size: 8 * diskutils.MiB,
+						},
+						Type: PartitionTypeESP,
+					},
+					{
+						Id: "root",
+						Size: PartitionSize{
+							Type: PartitionSizeTypeExplicit,
+							Size: 1 * diskutils.GiB,
+						},
+					},
+					{
+						Id: "verityhash",
+						Size: PartitionSize{
+							Type: PartitionSizeTypeExplicit,
+							Size: 100 * diskutils.MiB,
+						},
+					},
+				},
+			}},
+			BootType: "efi",
+			FileSystems: []FileSystem{
+				{
+					DeviceId: "esp",
+					Type:     "fat32",
+					MountPoint: &MountPoint{
+						Path: "/boot/efi",
+					},
+				},
+				{
+					DeviceId: "root",
+					Type:     "ext4",
+					MountPoint: &MountPoint{
+						Path: "/",
+					},
+				},
+			},
+		},
+		OS: &OS{
+			ResetBootLoaderType: "hard-reset",
+			Verity: &Verity{
+				DataPartition: IdentifiedPartition{
+					IdType: IdTypeId,
+					Id:     "root",
+				},
+				HashPartition: IdentifiedPartition{
+					IdType: IdTypeId,
+					Id:     "verityhash",
+				},
+			},
+		},
+	}
+	err := config.IsValid()
+	assert.NoError(t, err)
+}
+
+func TestConfigIsValidVerityPartitionNotFound(t *testing.T) {
+	config := &Config{
+		Storage: &Storage{
+			Disks: []Disk{{
+				PartitionTableType: "gpt",
+				Partitions: []Partition{
+					{
+						Id: "esp",
+						Size: PartitionSize{
+							Type: PartitionSizeTypeExplicit,
+							Size: 8 * diskutils.MiB,
+						},
+						Type: PartitionTypeESP,
+					},
+					{
+						Id: "root",
+						Size: PartitionSize{
+							Type: PartitionSizeTypeExplicit,
+							Size: 1 * diskutils.GiB,
+						},
+					},
+					{
+						Id: "verityhash",
+						Size: PartitionSize{
+							Type: PartitionSizeTypeExplicit,
+							Size: 100 * diskutils.MiB,
+						},
+					},
+				},
+			}},
+			BootType: "efi",
+			FileSystems: []FileSystem{
+				{
+					DeviceId: "esp",
+					Type:     "fat32",
+					MountPoint: &MountPoint{
+						Path: "/boot/efi",
+					},
+				},
+				{
+					DeviceId: "root",
+					Type:     "ext4",
+					MountPoint: &MountPoint{
+						Path: "/",
+					},
+				},
+			},
+		},
+		OS: &OS{
+			ResetBootLoaderType: "hard-reset",
+			Verity: &Verity{
+				DataPartition: IdentifiedPartition{
+					IdType: IdTypeId,
+					Id:     "wrongname",
+				},
+				HashPartition: IdentifiedPartition{
+					IdType: IdTypeId,
+					Id:     "verityhash",
+				},
+			},
+		},
+	}
+	err := config.IsValid()
+	assert.ErrorContains(t, err, "invalid verity 'dataPartition'")
+	assert.ErrorContains(t, err, "partition with 'id' (wrongname) not found")
+}
+
+func TestConfigIsValidVerityNoStorage(t *testing.T) {
+	config := &Config{
+		OS: &OS{
+			Verity: &Verity{
+				DataPartition: IdentifiedPartition{
+					IdType: IdTypePartLabel,
+					Id:     "root",
+				},
+				HashPartition: IdentifiedPartition{
+					IdType: IdTypeId,
+					Id:     "verityhash",
+				},
+			},
+		},
+	}
+	err := config.IsValid()
+	assert.ErrorContains(t, err, "invalid verity 'hashPartition'")
+	assert.ErrorContains(t, err, "'idType' cannot be 'id' if 'storage' is not specified")
+}
diff --git a/toolkit/tools/imagecustomizerapi/dirconfig.go b/toolkit/tools/imagecustomizerapi/dirconfig.go
index f7e7580b392..e11be86e0c8 100644
--- a/toolkit/tools/imagecustomizerapi/dirconfig.go
+++ b/toolkit/tools/imagecustomizerapi/dirconfig.go
@@ -13,10 +13,10 @@ type DirConfigList []DirConfig
 
 type DirConfig struct {
 	// The path to the source directory that will be copied (can be relative or absolute path).
-	SourcePath string `yaml:"sourcePath"`
+	Source string `yaml:"source"`
 
 	// The absolute path in the target OS that the directory will be copied to.
-	DestinationPath string `yaml:"destinationPath"`
+	Destination string `yaml:"destination"`
 
 	// The permissions to set on all of the new directories being created on the target OS (including the top-level directory).
 	// Note: If this value is not specified in the config, the permissions for these directories will be set to 0755.
@@ -44,11 +44,11 @@ func (l *DirConfigList) IsValid() (err error) {
 
 func (d *DirConfig) IsValid() (err error) {
 	// Paths
-	if d.SourcePath == "" {
-		return fmt.Errorf("invalid sourcePath value: empty string")
+	if d.Source == "" {
+		return fmt.Errorf("invalid 'source' value: empty string")
 	}
-	if d.DestinationPath == "" {
-		return fmt.Errorf("invalid destinationPath value: empty string")
+	if d.Destination == "" {
+		return fmt.Errorf("invalid 'destination' value: empty string")
 	}
 
 	// Permissions
diff --git a/toolkit/tools/imagecustomizerapi/dirconfig_test.go b/toolkit/tools/imagecustomizerapi/dirconfig_test.go
index aaec8ef7a2f..73482cbd223 100644
--- a/toolkit/tools/imagecustomizerapi/dirconfig_test.go
+++ b/toolkit/tools/imagecustomizerapi/dirconfig_test.go
@@ -19,8 +19,8 @@ func TestDirConfigListIsValidEmpty(t *testing.T) {
 func TestDirConfigListIsValidValidItem(t *testing.T) {
 	list := DirConfigList{
 		DirConfig{
-			SourcePath:      "a.txt",
-			DestinationPath: "/a.txt",
+			Source:      "a.txt",
+			Destination: "/a.txt",
 		},
 	}
 	err := list.IsValid()
@@ -30,8 +30,8 @@ func TestDirConfigListIsValidValidItem(t *testing.T) {
 func TestDirConfigListIsValidValidItemWithPermissions(t *testing.T) {
 	list := DirConfigList{
 		DirConfig{
-			SourcePath:           "a.txt",
-			DestinationPath:      "/a.txt",
+			Source:               "a.txt",
+			Destination:          "/a.txt",
 			NewDirPermissions:    ptrutils.PtrTo(FilePermissions(0o777)),
 			MergedDirPermissions: ptrutils.PtrTo(FilePermissions(0o777)),
 			ChildFilePermissions: ptrutils.PtrTo(FilePermissions(0o777)),
@@ -44,32 +44,32 @@ func TestDirConfigListIsValidValidItemWithPermissions(t *testing.T) {
 func TestDirConfigListIsValidEmptySource(t *testing.T) {
 	list := DirConfigList{
 		DirConfig{
-			SourcePath:      "",
-			DestinationPath: "/a.txt",
+			Source:      "",
+			Destination: "/a.txt",
 		},
 	}
 	err := list.IsValid()
 	assert.ErrorContains(t, err, "invalid value at index 0")
-	assert.ErrorContains(t, err, "invalid sourcePath value: empty string")
+	assert.ErrorContains(t, err, "invalid 'source' value: empty string")
 }
 
 func TestDirConfigListIsValidEmptyDestination(t *testing.T) {
 	list := DirConfigList{
 		DirConfig{
-			SourcePath:      "a.txt",
-			DestinationPath: "",
+			Source:      "a.txt",
+			Destination: "",
 		},
 	}
 	err := list.IsValid()
 	assert.ErrorContains(t, err, "invalid value at index 0")
-	assert.ErrorContains(t, err, "invalid destinationPath value: empty string")
+	assert.ErrorContains(t, err, "invalid 'destination' value: empty string")
 }
 
 func TestDirConfigListIsValidInvalidNewDirPermissions(t *testing.T) {
 	list := DirConfigList{
 		DirConfig{
-			SourcePath:        "a.txt",
-			DestinationPath:   "/a.txt",
+			Source:            "a.txt",
+			Destination:       "/a.txt",
 			NewDirPermissions: ptrutils.PtrTo(FilePermissions(0o1000)),
 		},
 	}
@@ -82,8 +82,8 @@ func TestDirConfigListIsValidInvalidNewDirPermissions(t *testing.T) {
 func TestDirConfigListIsValidInvalidMergedDirPermissions(t *testing.T) {
 	list := DirConfigList{
 		DirConfig{
-			SourcePath:           "a.txt",
-			DestinationPath:      "/a.txt",
+			Source:               "a.txt",
+			Destination:          "/a.txt",
 			MergedDirPermissions: ptrutils.PtrTo(FilePermissions(0o1000)),
 		},
 	}
@@ -96,8 +96,8 @@ func TestDirConfigListIsValidInvalidMergedDirPermissions(t *testing.T) {
 func TestDirConfigListIsValidInvalidChildFilePermissions(t *testing.T) {
 	list := DirConfigList{
 		DirConfig{
-			SourcePath:           "a.txt",
-			DestinationPath:      "/a.txt",
+			Source:               "a.txt",
+			Destination:          "/a.txt",
 			ChildFilePermissions: ptrutils.PtrTo(FilePermissions(0o1000)),
 		},
 	}
diff --git a/toolkit/tools/imagecustomizerapi/disk.go b/toolkit/tools/imagecustomizerapi/disk.go
index 794c7d69421..97bd7e3699c 100644
--- a/toolkit/tools/imagecustomizerapi/disk.go
+++ b/toolkit/tools/imagecustomizerapi/disk.go
@@ -5,9 +5,9 @@ package imagecustomizerapi
 
 import (
 	"fmt"
-	"sort"
 
 	"github.com/microsoft/azurelinux/toolkit/tools/imagegen/diskutils"
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/ptrutils"
 )
 
 const (
@@ -29,7 +29,8 @@ type Disk struct {
 	PartitionTableType PartitionTableType `yaml:"partitionTableType"`
 
 	// The virtual size of the disk.
-	MaxSize DiskSize `yaml:"maxSize"`
+	// Note: This value is filled in by IsValid().
+	MaxSize *DiskSize `yaml:"maxSize"`
 
 	// The partitions to allocate on the disk.
 	Partitions []Partition `yaml:"partitions"`
@@ -41,8 +42,10 @@ func (d *Disk) IsValid() error {
 		return err
 	}
 
-	if d.MaxSize <= 0 {
-		return fmt.Errorf("a disk's maxSize value (%d) must be a positive non-zero number", d.MaxSize)
+	if d.MaxSize != nil {
+		if *d.MaxSize <= 0 {
+			return fmt.Errorf("a disk's maxSize value (%d) must be a positive non-zero number", *d.MaxSize)
+		}
 	}
 
 	for i, partition := range d.Partitions {
@@ -55,23 +58,41 @@ func (d *Disk) IsValid() error {
 	gptHeaderSize := DiskSize(roundUp(GptHeaderSectorNum*DefaultSectorSize, DefaultPartitionAlignment))
 	gptFooterSize := DiskSize(roundUp(GptFooterSectorNum*DefaultSectorSize, DefaultPartitionAlignment))
 
-	// Check for overlapping partitions.
-	// First, sort partitions by start index.
-	sortedPartitions := append([]Partition(nil), d.Partitions...)
-	sort.Slice(sortedPartitions, func(i, j int) bool {
-		return sortedPartitions[i].Start < sortedPartitions[j].Start
-	})
+	// Auto-fill the start value from the previous partition's end value.
+	for i := range d.Partitions {
+		partition := &d.Partitions[i]
+
+		if partition.Start == nil {
+			if i == 0 {
+				partition.Start = ptrutils.PtrTo(DiskSize(DefaultPartitionAlignment))
+			} else {
+				prev := d.Partitions[i-1]
+				prevEnd, prevHasEnd := prev.GetEnd()
+				if !prevHasEnd {
+					return fmt.Errorf("partition (%s) omitted start value but previous partition (%s) has no size or end value",
+						partition.Id, prev.Id)
+				}
+				partition.Start = &prevEnd
+			}
+		}
+
+		if partition.Type == PartitionTypeBiosGrub {
+			if *partition.Start != diskutils.MiB {
+				return fmt.Errorf("BIOS boot partition must start at 1 MiB")
+			}
+		}
+	}
 
-	// Then, confirm each partition ends before the next starts.
-	for i := 0; i < len(sortedPartitions)-1; i++ {
-		a := &sortedPartitions[i]
-		b := &sortedPartitions[i+1]
+	// Confirm each partition ends before the next starts.
+	for i := 0; i < len(d.Partitions)-1; i++ {
+		a := d.Partitions[i]
+		b := d.Partitions[i+1]
 
 		aEnd, aHasEnd := a.GetEnd()
 		if !aHasEnd {
 			return fmt.Errorf("partition (%s) is not last partition but size is set to \"grow\"", a.Id)
 		}
-		if aEnd > b.Start {
+		if aEnd > *b.Start {
 			bEnd, bHasEnd := b.GetEnd()
 			bEndStr := ""
 			if bHasEnd {
@@ -82,31 +103,47 @@ func (d *Disk) IsValid() error {
 		}
 	}
 
-	if len(sortedPartitions) > 0 {
+	if d.MaxSize == nil && len(d.Partitions) <= 0 {
+		return fmt.Errorf("either disk must specify maxSize or last partition must have an end or size value")
+	}
+
+	if len(d.Partitions) > 0 {
 		// Make sure the first block isn't used.
-		firstPartition := sortedPartitions[0]
-		if firstPartition.Start < gptHeaderSize {
+		firstPartition := d.Partitions[0]
+		if *firstPartition.Start < gptHeaderSize {
 			return fmt.Errorf("invalid partition (%s) start:\nfirst %s of disk is reserved for the GPT header",
 				firstPartition.Id, gptHeaderSize.HumanReadable())
 		}
 
-		// Check that the disk is big enough for the partition layout.
-		lastPartition := sortedPartitions[len(sortedPartitions)-1]
-
+		// Verify MaxSize value.
+		lastPartition := d.Partitions[len(d.Partitions)-1]
 		lastPartitionEnd, lastPartitionHasEnd := lastPartition.GetEnd()
 
-		var requiredSize DiskSize
-		if !lastPartitionHasEnd {
-			requiredSize = lastPartition.Start + DefaultPartitionAlignment
-		} else {
-			requiredSize = lastPartitionEnd
-		}
+		switch {
+		case !lastPartitionHasEnd && d.MaxSize == nil:
+			return fmt.Errorf("either disk must specify maxSize or last partition (%s) must have an end or size value",
+				lastPartition.Id)
+
+		case d.MaxSize == nil:
+			// Fill in the disk's size.
+			diskSize := lastPartitionEnd + gptFooterSize
+			d.MaxSize = &diskSize
+
+		default:
+			// Check that the disk is big enough for the partition layout.
+			var requiredSize DiskSize
+			if !lastPartitionHasEnd {
+				requiredSize = *lastPartition.Start + DefaultPartitionAlignment
+			} else {
+				requiredSize = lastPartitionEnd
+			}
 
-		requiredSize += gptFooterSize
+			requiredSize += gptFooterSize
 
-		if requiredSize > d.MaxSize {
-			return fmt.Errorf("disk's partitions need %s but maxSize is only %s:\nGPT footer size is %s",
-				requiredSize.HumanReadable(), d.MaxSize.HumanReadable(), gptFooterSize.HumanReadable())
+			if requiredSize > *d.MaxSize {
+				return fmt.Errorf("disk's partitions need %s but maxSize is only %s:\nGPT footer size is %s",
+					requiredSize.HumanReadable(), d.MaxSize.HumanReadable(), gptFooterSize.HumanReadable())
+			}
 		}
 	}
 
diff --git a/toolkit/tools/imagecustomizerapi/disk_test.go b/toolkit/tools/imagecustomizerapi/disk_test.go
index 7757fdd1aa5..ebe12936f56 100644
--- a/toolkit/tools/imagecustomizerapi/disk_test.go
+++ b/toolkit/tools/imagecustomizerapi/disk_test.go
@@ -14,11 +14,11 @@ import (
 func TestDiskIsValid(t *testing.T) {
 	disk := &Disk{
 		PartitionTableType: PartitionTableTypeGpt,
-		MaxSize:            3 * diskutils.MiB,
+		MaxSize:            ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 		Partitions: []Partition{
 			{
 				Id:    "a",
-				Start: 1 * diskutils.MiB,
+				Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 			},
 		},
 	}
@@ -30,11 +30,11 @@ func TestDiskIsValid(t *testing.T) {
 func TestDiskIsValidWithEnd(t *testing.T) {
 	disk := &Disk{
 		PartitionTableType: PartitionTableTypeGpt,
-		MaxSize:            3 * diskutils.MiB,
+		MaxSize:            ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 		Partitions: []Partition{
 			{
 				Id:    "a",
-				Start: 1 * diskutils.MiB,
+				Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 				End:   ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 			},
 		},
@@ -47,11 +47,11 @@ func TestDiskIsValidWithEnd(t *testing.T) {
 func TestDiskIsValidWithSize(t *testing.T) {
 	disk := &Disk{
 		PartitionTableType: PartitionTableTypeGpt,
-		MaxSize:            3 * diskutils.MiB,
+		MaxSize:            ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 		Partitions: []Partition{
 			{
 				Id:    "a",
-				Start: 1 * diskutils.MiB,
+				Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 				Size: PartitionSize{
 					Type: PartitionSizeTypeExplicit,
 					Size: 1 * diskutils.MiB,
@@ -67,11 +67,11 @@ func TestDiskIsValidWithSize(t *testing.T) {
 func TestDiskIsValidStartAt0(t *testing.T) {
 	disk := &Disk{
 		PartitionTableType: PartitionTableTypeGpt,
-		MaxSize:            3 * diskutils.MiB,
+		MaxSize:            ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 		Partitions: []Partition{
 			{
 				Id:    "a",
-				Start: 0,
+				Start: ptrutils.PtrTo(DiskSize(0)),
 			},
 		},
 	}
@@ -85,11 +85,11 @@ func TestDiskIsValidStartAt0(t *testing.T) {
 func TestDiskIsValidInvalidTableType(t *testing.T) {
 	disk := &Disk{
 		PartitionTableType: "a",
-		MaxSize:            3 * diskutils.MiB,
+		MaxSize:            ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 		Partitions: []Partition{
 			{
 				Id:    "a",
-				Start: 1 * diskutils.MiB,
+				Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 			},
 		},
 	}
@@ -102,11 +102,11 @@ func TestDiskIsValidInvalidTableType(t *testing.T) {
 func TestDiskIsValidInvalidPartition(t *testing.T) {
 	disk := &Disk{
 		PartitionTableType: PartitionTableTypeGpt,
-		MaxSize:            2 * diskutils.MiB,
+		MaxSize:            ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 		Partitions: []Partition{
 			{
 				Id:    "a",
-				Start: 2 * diskutils.MiB,
+				Start: ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 				End:   ptrutils.PtrTo(DiskSize(0)),
 			},
 		},
@@ -121,15 +121,15 @@ func TestDiskIsValidInvalidPartition(t *testing.T) {
 func TestDiskIsValidTwoExpanding(t *testing.T) {
 	disk := &Disk{
 		PartitionTableType: PartitionTableTypeGpt,
-		MaxSize:            4 * diskutils.MiB,
+		MaxSize:            ptrutils.PtrTo(DiskSize(4 * diskutils.MiB)),
 		Partitions: []Partition{
 			{
 				Id:    "a",
-				Start: 1 * diskutils.MiB,
+				Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 			},
 			{
 				Id:    "b",
-				Start: 2 * diskutils.MiB,
+				Start: ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 			},
 		},
 	}
@@ -142,15 +142,15 @@ func TestDiskIsValidTwoExpanding(t *testing.T) {
 func TestDiskIsValidTwoExpandingGrow(t *testing.T) {
 	disk := &Disk{
 		PartitionTableType: PartitionTableTypeGpt,
-		MaxSize:            4 * diskutils.MiB,
+		MaxSize:            ptrutils.PtrTo(DiskSize(4 * diskutils.MiB)),
 		Partitions: []Partition{
 			{
 				Id:    "a",
-				Start: 1 * diskutils.MiB,
+				Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 			},
 			{
 				Id:    "b",
-				Start: 2 * diskutils.MiB,
+				Start: ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 				Size: PartitionSize{
 					Type: PartitionSizeTypeGrow,
 				},
@@ -166,16 +166,16 @@ func TestDiskIsValidTwoExpandingGrow(t *testing.T) {
 func TestDiskIsValidOverlaps(t *testing.T) {
 	disk := &Disk{
 		PartitionTableType: PartitionTableTypeGpt,
-		MaxSize:            4 * diskutils.MiB,
+		MaxSize:            ptrutils.PtrTo(DiskSize(4 * diskutils.MiB)),
 		Partitions: []Partition{
 			{
 				Id:    "a",
-				Start: 1 * diskutils.MiB,
+				Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 				End:   ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 			},
 			{
 				Id:    "b",
-				Start: 2 * diskutils.MiB,
+				Start: ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 				End:   ptrutils.PtrTo(DiskSize(4 * diskutils.MiB)),
 			},
 		},
@@ -189,16 +189,16 @@ func TestDiskIsValidOverlaps(t *testing.T) {
 func TestDiskIsValidOverlapsExpanding(t *testing.T) {
 	disk := &Disk{
 		PartitionTableType: PartitionTableTypeGpt,
-		MaxSize:            4 * diskutils.MiB,
+		MaxSize:            ptrutils.PtrTo(DiskSize(4 * diskutils.MiB)),
 		Partitions: []Partition{
 			{
 				Id:    "a",
-				Start: 1 * diskutils.MiB,
+				Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 				End:   ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 			},
 			{
 				Id:    "b",
-				Start: 2 * diskutils.MiB,
+				Start: ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 			},
 		},
 	}
@@ -211,16 +211,16 @@ func TestDiskIsValidOverlapsExpanding(t *testing.T) {
 func TestDiskIsValidTooSmall(t *testing.T) {
 	disk := &Disk{
 		PartitionTableType: PartitionTableTypeGpt,
-		MaxSize:            4 * diskutils.MiB,
+		MaxSize:            ptrutils.PtrTo(DiskSize(4 * diskutils.MiB)),
 		Partitions: []Partition{
 			{
 				Id:    "a",
-				Start: 1 * diskutils.MiB,
+				Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 				End:   ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 			},
 			{
 				Id:    "b",
-				Start: 3 * diskutils.MiB,
+				Start: ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 				End:   ptrutils.PtrTo(DiskSize(4 * diskutils.MiB)),
 			},
 		},
@@ -235,16 +235,16 @@ func TestDiskIsValidTooSmall(t *testing.T) {
 func TestDiskIsValidTooSmallExpanding(t *testing.T) {
 	disk := &Disk{
 		PartitionTableType: PartitionTableTypeGpt,
-		MaxSize:            3 * diskutils.MiB,
+		MaxSize:            ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 		Partitions: []Partition{
 			{
 				Id:    "a",
-				Start: 1 * diskutils.MiB,
+				Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 				End:   ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 			},
 			{
 				Id:    "b",
-				Start: 3 * diskutils.MiB,
+				Start: ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 			},
 		},
 	}
@@ -258,7 +258,7 @@ func TestDiskIsValidTooSmallExpanding(t *testing.T) {
 func TestDiskIsValidZeroSize(t *testing.T) {
 	disk := &Disk{
 		PartitionTableType: PartitionTableTypeGpt,
-		MaxSize:            0,
+		MaxSize:            ptrutils.PtrTo(DiskSize(0)),
 		Partitions:         []Partition{},
 	}
 
@@ -266,3 +266,89 @@ func TestDiskIsValidZeroSize(t *testing.T) {
 	assert.Error(t, err)
 	assert.ErrorContains(t, err, "a disk's maxSize value (0) must be a positive non-zero number")
 }
+
+func TestDiskIsValidOmitMaxSizeAndPartitions(t *testing.T) {
+	disk := &Disk{
+		PartitionTableType: PartitionTableTypeGpt,
+		MaxSize:            nil,
+		Partitions:         []Partition{},
+	}
+
+	err := disk.IsValid()
+	assert.Error(t, err)
+	assert.ErrorContains(t, err, "either disk must specify maxSize or last partition must have an end or size value")
+}
+
+func TestDiskIsValidOmitMaxSizeAndGrow(t *testing.T) {
+	disk := &Disk{
+		PartitionTableType: PartitionTableTypeGpt,
+		MaxSize:            nil,
+		Partitions: []Partition{
+			{
+				Id: "a",
+				Size: PartitionSize{
+					Type: PartitionSizeTypeExplicit,
+					Size: 1 * diskutils.MiB,
+				},
+			},
+			{
+				Id: "b",
+				Size: PartitionSize{
+					Type: PartitionSizeTypeGrow,
+				},
+			},
+		},
+	}
+
+	err := disk.IsValid()
+	assert.Error(t, err)
+	assert.ErrorContains(t, err, "either disk must specify maxSize or last partition (b) must have an end or size value")
+}
+
+func TestDiskIsValidOmitMaxSizeAndStart(t *testing.T) {
+	disk := &Disk{
+		PartitionTableType: PartitionTableTypeGpt,
+		MaxSize:            nil,
+		Partitions: []Partition{
+			{
+				Id: "a",
+				Size: PartitionSize{
+					Type: PartitionSizeTypeExplicit,
+					Size: 1 * diskutils.MiB,
+				},
+			},
+			{
+				Id: "b",
+				Size: PartitionSize{
+					Type: PartitionSizeTypeExplicit,
+					Size: 2 * diskutils.MiB,
+				},
+			},
+		},
+	}
+
+	err := disk.IsValid()
+	assert.NoError(t, err)
+}
+
+func TestDiskIsValidOmitStartNoEnd(t *testing.T) {
+	disk := &Disk{
+		PartitionTableType: PartitionTableTypeGpt,
+		MaxSize:            nil,
+		Partitions: []Partition{
+			{
+				Id: "a",
+			},
+			{
+				Id: "b",
+				Size: PartitionSize{
+					Type: PartitionSizeTypeExplicit,
+					Size: 2 * diskutils.MiB,
+				},
+			},
+		},
+	}
+
+	err := disk.IsValid()
+	assert.ErrorContains(t, err, "partition (b) omitted start value but previous partition (a) has no size or end value")
+}
diff --git a/toolkit/tools/imagecustomizerapi/fileconfig.go b/toolkit/tools/imagecustomizerapi/fileconfig.go
deleted file mode 100644
index cb291daa0ea..00000000000
--- a/toolkit/tools/imagecustomizerapi/fileconfig.go
+++ /dev/null
@@ -1,116 +0,0 @@
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-
-//
-
-package imagecustomizerapi
-
-import (
-	"fmt"
-
-	"github.com/microsoft/azurelinux/toolkit/tools/internal/sliceutils"
-	"gopkg.in/yaml.v3"
-)
-
-// DestinationFileConfigList is a list of destination files where the source file will be copied to in the final image.
-// This type exists to allow a custom marshaller to be attached to it.
-type FileConfigList []FileConfig
-
-// FileConfig specifies options for how a file is copied in the target OS.
-type FileConfig struct {
-	// The file path in the target OS that the file will be copied to.
-	Path string `yaml:"path"`
-
-	// The file permissions to set on the file.
-	Permissions *FilePermissions `yaml:"permissions"`
-}
-
-var (
-	fileConfigValidFields = []string{"path", "permissions"}
-)
-
-func (l *FileConfigList) IsValid() (err error) {
-	if len(*l) <= 0 {
-		return fmt.Errorf("list is empty")
-	}
-
-	for i, fileConfig := range *l {
-		err = fileConfig.IsValid()
-		if err != nil {
-			return fmt.Errorf("invalid fileConfig at index %d:\n%w", i, err)
-		}
-	}
-
-	return nil
-}
-
-func (l *FileConfigList) UnmarshalYAML(value *yaml.Node) error {
-	var err error
-
-	// Try to parse as a single value.
-	var fileConfig FileConfig
-	err = value.Decode(&fileConfig)
-	if err == nil {
-		*l = FileConfigList{fileConfig}
-		return nil
-	}
-
-	// Try to parse as a list.
-	type IntermediateTypeFileConfigList FileConfigList
-	err = value.Decode((*IntermediateTypeFileConfigList)(l))
-	if err != nil {
-		return fmt.Errorf("failed to parse fileConfigList:\n%w", err)
-	}
-
-	return nil
-}
-
-func (f *FileConfig) IsValid() (err error) {
-	// Path
-	if f.Path == "" {
-		return fmt.Errorf("invalid path value: empty string")
-	}
-
-	// Permissions
-	if f.Permissions != nil {
-		err = f.Permissions.IsValid()
-		if err != nil {
-			return fmt.Errorf("invalid permissions value:\n%w", err)
-		}
-	}
-
-	return nil
-}
-
-func (f *FileConfig) UnmarshalYAML(value *yaml.Node) error {
-	var err error
-
-	if value.Kind == yaml.ScalarNode {
-		// Parse as a string.
-		*f = FileConfig{
-			Path:        value.Value,
-			Permissions: nil,
-		}
-		return nil
-	}
-
-	// Parse as a struct.
-	*f = FileConfig{}
-
-	type IntermediateTypeFileConfig FileConfig
-	err = value.Decode((*IntermediateTypeFileConfig)(f))
-	if err != nil {
-		return fmt.Errorf("failed to parse fileConfig:\n%w", err)
-	}
-
-	// yaml.Node.Decode() doesn't respect the KnownFields() option.
-	// So, manually enforce this.
-	for i := 0; i < len(value.Content); i += 2 {
-		key := value.Content[i].Value
-		if !sliceutils.ContainsValue(fileConfigValidFields, key) {
-			return fmt.Errorf("line %d: field %s not found in type %s", value.Line, key, "FileConfig")
-		}
-	}
-
-	return nil
-}
diff --git a/toolkit/tools/imagecustomizerapi/fileconfig_test.go b/toolkit/tools/imagecustomizerapi/fileconfig_test.go
deleted file mode 100644
index a0978271971..00000000000
--- a/toolkit/tools/imagecustomizerapi/fileconfig_test.go
+++ /dev/null
@@ -1,65 +0,0 @@
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-
-package imagecustomizerapi
-
-import (
-	"testing"
-
-	"github.com/microsoft/azurelinux/toolkit/tools/internal/ptrutils"
-)
-
-func TestParseFileConfigValidString(t *testing.T) {
-	testValidYamlValue(t, "\"/a.txt\"", &FileConfigList{{Path: "/a.txt"}})
-}
-
-func TestParseFileConfigValidStringInArray(t *testing.T) {
-	testValidYamlValue(t, "[ \"/a.txt\" ]", &FileConfigList{{Path: "/a.txt"}})
-}
-
-func TestParseFileConfigValidBasicStruct(t *testing.T) {
-	testValidYamlValue(t, "{ \"path\": \"/b.txt\" }", &FileConfigList{{Path: "/b.txt"}})
-}
-
-func TestParseFileConfigValidFullStruct(t *testing.T) {
-	testValidYamlValue(t, "{ \"path\": \"/b.txt\", \"permissions\": \"770\" }",
-		&FileConfigList{{Path: "/b.txt", Permissions: ptrutils.PtrTo(FilePermissions(0o770))}},
-	)
-}
-
-func TestParseFileConfigValidMixedArray(t *testing.T) {
-	testValidYamlValue(t, "[ { \"path\": \"/b.txt\" }, \"/c.txt\" ]",
-		&FileConfigList{
-			{Path: "/b.txt"},
-			{Path: "/c.txt"},
-		},
-	)
-}
-
-func TestParseFileConfigInvalidEmptyArray(t *testing.T) {
-	// Empty array.
-	testInvalidYamlValue[*FileConfigList](t, "[ ]")
-}
-
-func TestParseFileConfigInvalidArrayArray(t *testing.T) {
-	// Empty array.
-	testInvalidYamlValue[*FileConfigList](t, "[ [ ] ]")
-}
-
-func TestParseFileConfigInvalidEmptyString(t *testing.T) {
-	// Empty string.
-	testInvalidYamlValue[*FileConfigList](t, "\"\"")
-}
-
-func TestParseFileConfigInvalidFilePermissions(t *testing.T) {
-	// Empty string.
-	testInvalidYamlValue[*FileConfigList](t, "{ \"path\": \"/b.txt\", \"permissions\": \"7777\" }")
-}
-
-func TestParseFileConfigValidStructBadField(t *testing.T) {
-	testInvalidYamlValue[*FileConfigList](t, "{ \"pat\": \"/b.txt\" }")
-}
-
-func TestParseFileConfigValidArrayStructBadField(t *testing.T) {
-	testInvalidYamlValue[*FileConfigList](t, "[ { \"pat\": \"/b.txt\" } ]")
-}
diff --git a/toolkit/tools/imagecustomizerapi/filesystemtype.go b/toolkit/tools/imagecustomizerapi/filesystemtype.go
index b26b70511a3..d033176804e 100644
--- a/toolkit/tools/imagecustomizerapi/filesystemtype.go
+++ b/toolkit/tools/imagecustomizerapi/filesystemtype.go
@@ -3,20 +3,24 @@
 
 package imagecustomizerapi
 
-import "fmt"
+import (
+	"fmt"
+)
 
 // FileSystemType is a type of file system (e.g. ext4, xfs, etc.)
 type FileSystemType string
 
 const (
+	FileSystemTypeNone  FileSystemType = ""
 	FileSystemTypeExt4  FileSystemType = "ext4"
 	FileSystemTypeXfs   FileSystemType = "xfs"
 	FileSystemTypeFat32 FileSystemType = "fat32"
+	FileSystemTypeVfat  FileSystemType = "vfat"
 )
 
 func (t FileSystemType) IsValid() error {
 	switch t {
-	case FileSystemTypeExt4, FileSystemTypeXfs, FileSystemTypeFat32:
+	case FileSystemTypeNone, FileSystemTypeExt4, FileSystemTypeXfs, FileSystemTypeFat32, FileSystemTypeVfat:
 		// All good.
 		return nil
 
diff --git a/toolkit/tools/imagecustomizerapi/idtype.go b/toolkit/tools/imagecustomizerapi/idtype.go
index 85139b2d129..2b7e634456c 100644
--- a/toolkit/tools/imagecustomizerapi/idtype.go
+++ b/toolkit/tools/imagecustomizerapi/idtype.go
@@ -10,6 +10,7 @@ import (
 type IdType string
 
 const (
+	IdTypeId        IdType = "id"
 	IdTypePartLabel IdType = "part-label"
 	IdTypeUuid      IdType = "uuid"
 	IdTypePartUuid  IdType = "part-uuid"
@@ -17,7 +18,7 @@ const (
 
 func (i IdType) IsValid() error {
 	switch i {
-	case IdTypePartLabel, IdTypeUuid, IdTypePartUuid:
+	case IdTypeId, IdTypePartLabel, IdTypeUuid, IdTypePartUuid:
 		// All good.
 		return nil
 
diff --git a/toolkit/tools/imagecustomizerapi/iso.go b/toolkit/tools/imagecustomizerapi/iso.go
index ec70aa40d06..295f2af7869 100644
--- a/toolkit/tools/imagecustomizerapi/iso.go
+++ b/toolkit/tools/imagecustomizerapi/iso.go
@@ -10,7 +10,7 @@ import (
 // Iso defines how the generated iso media should be configured.
 type Iso struct {
 	KernelCommandLine KernelCommandLine  `yaml:"kernelCommandLine"`
-	AdditionalFiles   AdditionalFilesMap `yaml:"additionalFiles"`
+	AdditionalFiles   AdditionalFileList `yaml:"additionalFiles"`
 }
 
 func (i *Iso) IsValid() error {
@@ -19,11 +19,9 @@ func (i *Iso) IsValid() error {
 		return fmt.Errorf("invalid kernelCommandLine: %w", err)
 	}
 
-	if i.AdditionalFiles != nil {
-		err := i.AdditionalFiles.IsValid()
-		if err != nil {
-			return fmt.Errorf("invalid additionalFiles: %w", err)
-		}
+	err = i.AdditionalFiles.IsValid()
+	if err != nil {
+		return fmt.Errorf("invalid additionalFiles:\n%w", err)
 	}
 
 	return nil
diff --git a/toolkit/tools/imagecustomizerapi/mountpoint.go b/toolkit/tools/imagecustomizerapi/mountpoint.go
index 34ecef0a3d5..1cae3bf4fab 100644
--- a/toolkit/tools/imagecustomizerapi/mountpoint.go
+++ b/toolkit/tools/imagecustomizerapi/mountpoint.go
@@ -5,7 +5,6 @@ package imagecustomizerapi
 
 import (
 	"fmt"
-	"path"
 )
 
 // MountPoint holds the mounting information for each partition.
@@ -25,12 +24,14 @@ func (p *MountPoint) IsValid() error {
 		return fmt.Errorf("invalid idType value:\n%w", err)
 	}
 
-	if p.Path == "" {
-		return fmt.Errorf("invalid path: must not be empty")
+	// Use validatePath to check the Path field.
+	if err := validatePath(p.Path); err != nil {
+		return fmt.Errorf("invalid path:\n%w", err)
 	}
 
-	if !path.IsAbs(p.Path) {
-		return fmt.Errorf("invalid path (%s): must be an absolute path", p.Path)
+	// Use validateMountOptions to check Options.
+	if validateMountOptions(p.Options) {
+		return fmt.Errorf("options (%s) contain spaces, tabs, or newlines and are invalid", p.Options)
 	}
 
 	return nil
diff --git a/toolkit/tools/imagecustomizerapi/mountpoint_test.go b/toolkit/tools/imagecustomizerapi/mountpoint_test.go
index 18527d6cd4a..23a1ec69181 100644
--- a/toolkit/tools/imagecustomizerapi/mountpoint_test.go
+++ b/toolkit/tools/imagecustomizerapi/mountpoint_test.go
@@ -27,5 +27,16 @@ func TestMountPointIsValidInvalidPath(t *testing.T) {
 	}
 
 	err := mountPoint.IsValid()
-	assert.ErrorContains(t, err, "invalid path: must not be empty")
+	assert.ErrorContains(t, err, "invalid path:\npath cannot be empty")
+}
+
+func TestMountPointIsValidInvalidOptions(t *testing.T) {
+	mountPoint := MountPoint{
+		IdType:  MountIdentifierTypeDefault,
+		Path:    "/mnt",
+		Options: "invalid\toptions",
+	}
+
+	err := mountPoint.IsValid()
+	assert.ErrorContains(t, err, "options (invalid\toptions) contain spaces, tabs, or newlines and are invalid")
 }
diff --git a/toolkit/tools/imagecustomizerapi/os.go b/toolkit/tools/imagecustomizerapi/os.go
index b644ca81289..ee1bfc9a5a0 100644
--- a/toolkit/tools/imagecustomizerapi/os.go
+++ b/toolkit/tools/imagecustomizerapi/os.go
@@ -17,7 +17,7 @@ type OS struct {
 	Packages            Packages            `yaml:"packages"`
 	SELinux             SELinux             `yaml:"selinux"`
 	KernelCommandLine   KernelCommandLine   `yaml:"kernelCommandLine"`
-	AdditionalFiles     AdditionalFilesMap  `yaml:"additionalFiles"`
+	AdditionalFiles     AdditionalFileList  `yaml:"additionalFiles"`
 	AdditionalDirs      DirConfigList       `yaml:"additionalDirs"`
 	Users               []User              `yaml:"users"`
 	Services            Services            `yaml:"services"`
@@ -91,6 +91,7 @@ func (s *OS) IsValid() error {
 	}
 
 	if s.Overlays != nil {
+		mountPoints := make(map[string]bool)
 		upperDirs := make(map[string]bool)
 		workDirs := make(map[string]bool)
 
@@ -101,6 +102,12 @@ func (s *OS) IsValid() error {
 				return fmt.Errorf("invalid overlay at index %d:\n%w", i, err)
 			}
 
+			// Check for unique MountPoint
+			if _, exists := mountPoints[overlay.MountPoint]; exists {
+				return fmt.Errorf("duplicate mountPoint (%s) found in overlay at index %d", overlay.MountPoint, i)
+			}
+			mountPoints[overlay.MountPoint] = true
+
 			// Check for unique UpperDir
 			if _, exists := upperDirs[overlay.UpperDir]; exists {
 				return fmt.Errorf("duplicate upperDir (%s) found in overlay at index %d", overlay.UpperDir, i)
diff --git a/toolkit/tools/imagecustomizerapi/os_test.go b/toolkit/tools/imagecustomizerapi/os_test.go
index fa1ae0984f8..529d892141d 100644
--- a/toolkit/tools/imagecustomizerapi/os_test.go
+++ b/toolkit/tools/imagecustomizerapi/os_test.go
@@ -6,6 +6,7 @@ package imagecustomizerapi
 import (
 	"testing"
 
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/ptrutils"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -26,30 +27,30 @@ func TestOSInvalidHostname(t *testing.T) {
 	assert.ErrorContains(t, err, "invalid hostname")
 }
 
-func TestOSInvalidAdditionalFiles(t *testing.T) {
+func TestOSIsValidInvalidAdditionalFilesSource(t *testing.T) {
 	os := OS{
-		AdditionalFiles: AdditionalFilesMap{
-			"a.txt": FileConfigList{},
+		AdditionalFiles: []AdditionalFile{
+			{
+				Destination: "/a.txt",
+				Source:      "a.txt",
+			},
 		},
 	}
 	err := os.IsValid()
-	assert.Error(t, err)
-	assert.ErrorContains(t, err, "invalid additionalFiles:\ninvalid file configs for (a.txt):\nlist is empty")
+	assert.NoError(t, err)
 }
 
-func TestOSIsValidInvalidAdditionalFilesEmptySourcePath(t *testing.T) {
+func TestOSIsValidInvalidAdditionalFilesContent(t *testing.T) {
 	os := OS{
-		AdditionalFiles: AdditionalFilesMap{
-			"": FileConfigList{
-				{
-					Path: "/a.txt",
-				},
+		AdditionalFiles: []AdditionalFile{
+			{
+				Destination: "/a.txt",
+				Content:     ptrutils.PtrTo("abc"),
 			},
 		},
 	}
 	err := os.IsValid()
-	assert.Error(t, err)
-	assert.ErrorContains(t, err, "invalid additionalFiles:\ninvalid source path: cannot be empty")
+	assert.NoError(t, err)
 }
 
 func TestOSIsValidVerityInValidPartUuid(t *testing.T) {
@@ -93,12 +94,24 @@ func TestOSIsValidInvalidSELinux(t *testing.T) {
 	assert.ErrorContains(t, err, "invalid selinux value (bad)")
 }
 
+func TestOSIsValidInvalidAdditionalFiles(t *testing.T) {
+	os := OS{
+		AdditionalFiles: AdditionalFileList{
+			{},
+		},
+	}
+
+	err := os.IsValid()
+	assert.ErrorContains(t, err, "invalid additionalFiles")
+	assert.ErrorContains(t, err, "invalid value at index 0")
+}
+
 func TestOSIsValidInvalidAdditionalDirs(t *testing.T) {
 	os := OS{
 		AdditionalDirs: DirConfigList{
 			{
-				SourcePath:      "",
-				DestinationPath: "/a",
+				Source:      "",
+				Destination: "/a",
 			},
 		},
 	}
@@ -106,7 +119,7 @@ func TestOSIsValidInvalidAdditionalDirs(t *testing.T) {
 	err := os.IsValid()
 	assert.ErrorContains(t, err, "invalid additionalDirs")
 	assert.ErrorContains(t, err, "invalid value at index 0")
-	assert.ErrorContains(t, err, "invalid sourcePath value: empty string")
+	assert.ErrorContains(t, err, "invalid 'source' value: empty string")
 }
 
 func TestOSIsValidInvalidUser(t *testing.T) {
@@ -182,14 +195,16 @@ func TestOSIsValidOverlayDuplicateUpperDir(t *testing.T) {
 	os := OS{
 		Overlays: &[]Overlay{
 			{
-				LowerDir: "/",
-				UpperDir: "/upper_root",
-				WorkDir:  "/work_root",
+				LowerDirs:  []string{"/"},
+				UpperDir:   "/upper_root",
+				WorkDir:    "/work_root",
+				MountPoint: "/mnt/root",
 			},
 			{
-				LowerDir: "/var",
-				UpperDir: "/upper_root",
-				WorkDir:  "/work_var",
+				LowerDirs:  []string{"/var"},
+				UpperDir:   "/upper_root",
+				WorkDir:    "/work_var",
+				MountPoint: "/mnt/var",
 			},
 		},
 	}
@@ -202,14 +217,16 @@ func TestOSIsValidOverlayDuplicateWorkDir(t *testing.T) {
 	os := OS{
 		Overlays: &[]Overlay{
 			{
-				LowerDir: "/",
-				UpperDir: "/upper_root",
-				WorkDir:  "/work_root",
+				LowerDirs:  []string{"/"},
+				UpperDir:   "/upper_root",
+				WorkDir:    "/work_root",
+				MountPoint: "/mnt/root",
 			},
 			{
-				LowerDir: "/",
-				UpperDir: "/upper_var",
-				WorkDir:  "/work_root",
+				LowerDirs:  []string{"/"},
+				UpperDir:   "/upper_var",
+				WorkDir:    "/work_root",
+				MountPoint: "/mnt/var",
 			},
 		},
 	}
diff --git a/toolkit/tools/imagecustomizerapi/overlay.go b/toolkit/tools/imagecustomizerapi/overlay.go
index 38638812499..4fb27c8efeb 100644
--- a/toolkit/tools/imagecustomizerapi/overlay.go
+++ b/toolkit/tools/imagecustomizerapi/overlay.go
@@ -5,34 +5,52 @@ package imagecustomizerapi
 
 import (
 	"fmt"
+	"path"
 	"strings"
 )
 
 type Overlay struct {
-	LowerDir  string               `yaml:"lowerDir"`
-	UpperDir  string               `yaml:"upperDir"`
-	WorkDir   string               `yaml:"workDir"`
-	Partition *IdentifiedPartition `yaml:"partition"`
+	LowerDirs         []string `yaml:"lowerDirs"`
+	UpperDir          string   `yaml:"upperDir"`
+	WorkDir           string   `yaml:"workDir"`
+	MountPoint        string   `yaml:"mountPoint"`
+	IsInitrdOverlay   bool     `yaml:"isInitrdOverlay"`
+	MountDependencies []string `yaml:"mountDependencies"`
+	MountOptions      string   `yaml:"mountOptions"`
 }
 
 func (o *Overlay) IsValid() error {
-	// Validate paths for UpperDir, WorkDir, and LowerDir
+	// Validate paths for LowerDirs, UpperDir, WorkDir, and MountPoint.
+	for _, lowerDir := range o.LowerDirs {
+		if err := validatePath(lowerDir); err != nil {
+			return fmt.Errorf("invalid lowerDir (%s):\n%w", lowerDir, err)
+		}
+	}
 	if err := validatePath(o.UpperDir); err != nil {
 		return fmt.Errorf("invalid upperDir (%s):\n%w", o.UpperDir, err)
 	}
 	if err := validatePath(o.WorkDir); err != nil {
 		return fmt.Errorf("invalid workDir (%s):\n%w", o.WorkDir, err)
 	}
-	if err := validatePath(o.LowerDir); err != nil {
-		return fmt.Errorf("invalid lowerDir (%s):\n%w", o.LowerDir, err)
+	if err := validatePath(o.MountPoint); err != nil {
+		return fmt.Errorf("invalid mountPoint (%s):\n%w", o.MountPoint, err)
+	}
+	for _, dependency := range o.MountDependencies {
+		if err := validatePath(dependency); err != nil {
+			return fmt.Errorf("invalid mountDependencies (%s):\n%w", dependency, err)
+		}
 	}
 
-	// Check if UpperDir and WorkDir are identical
+	if validateMountOptions(o.MountOptions) {
+		return fmt.Errorf("mountOptions (%s) contain spaces, tabs, or newlines are invalid", o.MountOptions)
+	}
+
+	// Check if UpperDir and WorkDir are identical.
 	if o.UpperDir == o.WorkDir {
 		return fmt.Errorf("upperDir and workDir must be distinct, but both are '%s'", o.UpperDir)
 	}
 
-	// Check if UpperDir is a subdirectory of WorkDir or vice versa
+	// Check if UpperDir is a subdirectory of WorkDir or vice versa.
 	if isSubDirString(o.UpperDir, o.WorkDir) {
 		return fmt.Errorf("upperDir (%s) should not be a subdirectory of workDir (%s)", o.UpperDir, o.WorkDir)
 	}
@@ -40,34 +58,38 @@ func (o *Overlay) IsValid() error {
 		return fmt.Errorf("workDir (%s) should not be a subdirectory of upperDir (%s)", o.WorkDir, o.UpperDir)
 	}
 
-	if o.Partition != nil {
-		if err := o.Partition.IsValid(); err != nil {
-			return fmt.Errorf("invalid partition:\n%w", err)
-		}
-	}
-
 	return nil
 }
 
-func validatePath(path string) error {
-	// Check if the path is empty
-	if path == "" {
+func validatePath(filePath string) error {
+	// Check if the path is empty.
+	if filePath == "" {
 		return fmt.Errorf("path cannot be empty")
 	}
 
-	// Check if the path contains spaces
-	if strings.Contains(path, " ") {
-		return fmt.Errorf("path (%s) contains spaces and is invalid", path)
+	// Check if the path contains spaces, tabs, newlines, colons, or commas.
+	if strings.ContainsAny(filePath, " \t\n:,") {
+		return fmt.Errorf("path (%s) contains invalid characters (spaces, tabs, newlines, colons, or commas)", filePath)
+	}
+
+	// Check if the path is an absolute path.
+	if !path.IsAbs(filePath) {
+		return fmt.Errorf("invalid path (%s): must be an absolute path", filePath)
 	}
 
 	return nil
 }
 
+func validateMountOptions(mountOptions string) bool {
+	// Check if the value contains spaces, tabs, or newlines.
+	return strings.ContainsAny(mountOptions, " \t\n")
+}
+
 func isSubDirString(dir1, dir2 string) bool {
-	// Ensure paths are cleaned and have consistent trailing slashes
+	// Ensure paths are cleaned and have consistent trailing slashes.
 	cleanDir1 := strings.TrimSuffix(dir1, "/") + "/"
 	cleanDir2 := strings.TrimSuffix(dir2, "/") + "/"
 
-	// Check if dir2 starts with dir1 (indicating a subdirectory)
+	// Check if dir2 starts with dir1 (indicating a subdirectory).
 	return cleanDir1 != cleanDir2 && strings.HasPrefix(cleanDir2, cleanDir1)
 }
diff --git a/toolkit/tools/imagecustomizerapi/overlay_test.go b/toolkit/tools/imagecustomizerapi/overlay_test.go
index 29251ef3f29..258bd9c673e 100644
--- a/toolkit/tools/imagecustomizerapi/overlay_test.go
+++ b/toolkit/tools/imagecustomizerapi/overlay_test.go
@@ -11,13 +11,13 @@ import (
 
 func TestOverlayValidConfiguration(t *testing.T) {
 	overlay := Overlay{
-		LowerDir: "/lower",
-		UpperDir: "/upper",
-		WorkDir:  "/work",
-		Partition: &IdentifiedPartition{
-			IdType: "part-uuid",
-			Id:     "123e4567-e89b-4d3a-a456-426614174000",
-		},
+		LowerDirs:         []string{"/lower"},
+		UpperDir:          "/upper",
+		WorkDir:           "/work",
+		MountPoint:        "/mnt",
+		IsInitrdOverlay:   false,
+		MountDependencies: []string{"/var"},
+		MountOptions:      "noatime",
 	}
 
 	err := overlay.IsValid()
@@ -26,9 +26,13 @@ func TestOverlayValidConfiguration(t *testing.T) {
 
 func TestOverlayInvalidEmptyLowerDir(t *testing.T) {
 	overlay := Overlay{
-		LowerDir: "",
-		UpperDir: "/upper",
-		WorkDir:  "/work",
+		LowerDirs:         []string{""},
+		UpperDir:          "/upper",
+		WorkDir:           "/work",
+		MountPoint:        "/mnt",
+		IsInitrdOverlay:   false,
+		MountDependencies: []string{"/var"},
+		MountOptions:      "noatime",
 	}
 
 	err := overlay.IsValid()
@@ -38,21 +42,28 @@ func TestOverlayInvalidEmptyLowerDir(t *testing.T) {
 
 func TestOverlayInvalidInvalidWorkDir(t *testing.T) {
 	overlay := Overlay{
-		LowerDir: "/lower",
-		UpperDir: "/upper",
-		WorkDir:  " ",
+		LowerDirs:         []string{"/lower"},
+		UpperDir:          "/upper",
+		WorkDir:           " ",
+		MountPoint:        "/mnt",
+		IsInitrdOverlay:   false,
+		MountDependencies: []string{"/var"},
+		MountOptions:      "noatime",
 	}
 
 	err := overlay.IsValid()
-	assert.ErrorContains(t, err, "invalid workDir ( )")
-	assert.ErrorContains(t, err, "path ( ) contains spaces and is invalid")
+	assert.ErrorContains(t, err, "invalid workDir ( ):\npath ( ) contains invalid characters (spaces, tabs, newlines, colons, or commas)")
 }
 
 func TestOverlayInvalidSameUpperAndWorkDir(t *testing.T) {
 	overlay := Overlay{
-		LowerDir: "/lower",
-		UpperDir: "/invalid/same",
-		WorkDir:  "/invalid/same",
+		LowerDirs:         []string{"/lower"},
+		UpperDir:          "/invalid/same",
+		WorkDir:           "/invalid/same",
+		MountPoint:        "/mnt",
+		IsInitrdOverlay:   false,
+		MountDependencies: []string{"/var"},
+		MountOptions:      "noatime",
 	}
 
 	err := overlay.IsValid()
@@ -62,9 +73,13 @@ func TestOverlayInvalidSameUpperAndWorkDir(t *testing.T) {
 
 func TestOverlayInvalidWorkDirSubsUpperDir(t *testing.T) {
 	overlay := Overlay{
-		LowerDir: "/lower",
-		UpperDir: "/invalid",
-		WorkDir:  "/invalid/same",
+		LowerDirs:         []string{"/lower"},
+		UpperDir:          "/invalid",
+		WorkDir:           "/invalid/same",
+		MountPoint:        "/mnt",
+		IsInitrdOverlay:   false,
+		MountDependencies: []string{"/var"},
+		MountOptions:      "noatime",
 	}
 
 	err := overlay.IsValid()
@@ -74,9 +89,13 @@ func TestOverlayInvalidWorkDirSubsUpperDir(t *testing.T) {
 
 func TestOverlayInvalidUpperDirSubsWorkDir(t *testing.T) {
 	overlay := Overlay{
-		LowerDir: "/lower",
-		UpperDir: "/invalid/same",
-		WorkDir:  "/invalid",
+		LowerDirs:         []string{"/lower"},
+		UpperDir:          "/invalid/same",
+		WorkDir:           "/invalid",
+		MountPoint:        "/mnt",
+		IsInitrdOverlay:   false,
+		MountDependencies: []string{"/var"},
+		MountOptions:      "noatime",
 	}
 
 	err := overlay.IsValid()
@@ -84,14 +103,48 @@ func TestOverlayInvalidUpperDirSubsWorkDir(t *testing.T) {
 	assert.ErrorContains(t, err, "workDir (/invalid) should not be a subdirectory of upperDir (/invalid/same)")
 }
 
-func TestOverlayInvalidPartition(t *testing.T) {
+func TestOverlayInvalidMountDependencyPath(t *testing.T) {
 	overlay := Overlay{
-		LowerDir:  "/lower",
-		UpperDir:  "/upper",
-		WorkDir:   "/work",
-		Partition: &IdentifiedPartition{},
+		LowerDirs:         []string{"/lower"},
+		UpperDir:          "/upper",
+		WorkDir:           "/work",
+		MountPoint:        "/mnt",
+		IsInitrdOverlay:   false,
+		MountDependencies: []string{"invalid/path"},
+		MountOptions:      "noatime",
 	}
 
 	err := overlay.IsValid()
-	assert.ErrorContains(t, err, "invalid partition")
+	assert.ErrorContains(t, err, "invalid mountDependencies (invalid/path)")
+	assert.ErrorContains(t, err, "must be an absolute path")
+}
+
+func TestOverlayValidEmptyMountDependencies(t *testing.T) {
+	overlay := Overlay{
+		LowerDirs:         []string{"/lower"},
+		UpperDir:          "/upper",
+		WorkDir:           "/work",
+		MountPoint:        "/mnt",
+		IsInitrdOverlay:   false,
+		MountDependencies: []string{},
+		MountOptions:      "noatime",
+	}
+
+	err := overlay.IsValid()
+	assert.NoError(t, err)
+}
+
+func TestOverlayInvalidMountOptions(t *testing.T) {
+	overlay := Overlay{
+		LowerDirs:         []string{"/lower"},
+		UpperDir:          "/upper",
+		WorkDir:           "/work",
+		MountPoint:        "/mnt",
+		IsInitrdOverlay:   false,
+		MountDependencies: []string{"/var"},
+		MountOptions:      "invalid option with spaces",
+	}
+
+	err := overlay.IsValid()
+	assert.ErrorContains(t, err, "mountOptions (invalid option with spaces) contain spaces, tabs, or newlines are invalid")
 }
diff --git a/toolkit/tools/imagecustomizerapi/partition.go b/toolkit/tools/imagecustomizerapi/partition.go
index 2c4dfc51345..8e779ca8571 100644
--- a/toolkit/tools/imagecustomizerapi/partition.go
+++ b/toolkit/tools/imagecustomizerapi/partition.go
@@ -6,8 +6,6 @@ package imagecustomizerapi
 import (
 	"fmt"
 	"unicode"
-
-	"github.com/microsoft/azurelinux/toolkit/tools/imagegen/diskutils"
 )
 
 type Partition struct {
@@ -16,7 +14,8 @@ type Partition struct {
 	// Name is the label to assign to the partition.
 	Label string `yaml:"label"`
 	// Start is the offset where the partition begins (inclusive).
-	Start DiskSize `yaml:"start"`
+	// Note: When not provided, value is filled in by Disk.IsValid().
+	Start *DiskSize `yaml:"start"`
 	// End is the offset where the partition ends (exclusive).
 	End *DiskSize `yaml:"end"`
 	// Size is the size of the partition.
@@ -35,7 +34,7 @@ func (p *Partition) IsValid() error {
 		return fmt.Errorf("cannot specify both end and size on partition (%s)", p.Id)
 	}
 
-	if (p.End != nil && p.Start >= *p.End) || (p.Size.Type == PartitionSizeTypeExplicit && p.Size.Size <= 0) {
+	if (p.End != nil && p.Start != nil && *p.Start >= *p.End) || (p.Size.Type == PartitionSizeTypeExplicit && p.Size.Size <= 0) {
 		return fmt.Errorf("partition's (%s) size can't be 0 or negative", p.Id)
 	}
 
@@ -44,12 +43,6 @@ func (p *Partition) IsValid() error {
 		return err
 	}
 
-	if p.IsBiosBoot() {
-		if p.Start != diskutils.MiB {
-			return fmt.Errorf("BIOS boot partition must start at 1 MiB")
-		}
-	}
-
 	return nil
 }
 
@@ -59,20 +52,12 @@ func (p *Partition) GetEnd() (DiskSize, bool) {
 	}
 
 	if p.Size.Type == PartitionSizeTypeExplicit {
-		return p.Start + p.Size.Size, true
+		return *p.Start + p.Size.Size, true
 	}
 
 	return 0, false
 }
 
-func (p *Partition) IsESP() bool {
-	return p.Type == PartitionTypeESP
-}
-
-func (p *Partition) IsBiosBoot() bool {
-	return p.Type == PartitionTypeBiosGrub
-}
-
 // isGPTNameValid checks if a GPT partition name is valid.
 func isGPTNameValid(name string) error {
 	// The max partition name length is 36 UTF-16 code units, including a null terminator.
diff --git a/toolkit/tools/imagecustomizerapi/partition_test.go b/toolkit/tools/imagecustomizerapi/partition_test.go
index f64b3c9b70a..14c840ec281 100644
--- a/toolkit/tools/imagecustomizerapi/partition_test.go
+++ b/toolkit/tools/imagecustomizerapi/partition_test.go
@@ -14,7 +14,7 @@ import (
 func TestPartitionIsValidExpanding(t *testing.T) {
 	partition := Partition{
 		Id:    "a",
-		Start: 0,
+		Start: ptrutils.PtrTo(DiskSize(0)),
 	}
 
 	err := partition.IsValid()
@@ -24,7 +24,7 @@ func TestPartitionIsValidExpanding(t *testing.T) {
 func TestPartitionIsValidFixedSize(t *testing.T) {
 	partition := Partition{
 		Id:    "a",
-		Start: 0,
+		Start: ptrutils.PtrTo(DiskSize(0)),
 		End:   ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 	}
 
@@ -35,7 +35,7 @@ func TestPartitionIsValidFixedSize(t *testing.T) {
 func TestPartitionIsValidZeroSize(t *testing.T) {
 	partition := Partition{
 		Id:    "a",
-		Start: 0,
+		Start: ptrutils.PtrTo(DiskSize(0)),
 		End:   ptrutils.PtrTo(DiskSize(0)),
 	}
 
@@ -48,7 +48,7 @@ func TestPartitionIsValidZeroSize(t *testing.T) {
 func TestPartitionIsValidZeroSizeV2(t *testing.T) {
 	partition := Partition{
 		Id:    "a",
-		Start: 0,
+		Start: ptrutils.PtrTo(DiskSize(0)),
 		Size: PartitionSize{
 			Type: PartitionSizeTypeExplicit,
 			Size: 0,
@@ -63,7 +63,7 @@ func TestPartitionIsValidZeroSizeV2(t *testing.T) {
 func TestPartitionIsValidNegativeSize(t *testing.T) {
 	partition := Partition{
 		Id:    "a",
-		Start: 2 * diskutils.MiB,
+		Start: ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 		End:   ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 	}
 
@@ -75,7 +75,7 @@ func TestPartitionIsValidNegativeSize(t *testing.T) {
 func TestPartitionIsValidBothEndAndSize(t *testing.T) {
 	partition := Partition{
 		Id:    "a",
-		Start: 2 * diskutils.MiB,
+		Start: ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 		End:   ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 		Size: PartitionSize{
 			Type: PartitionSizeTypeExplicit,
@@ -91,7 +91,7 @@ func TestPartitionIsValidBothEndAndSize(t *testing.T) {
 func TestPartitionIsValidEndAndGrow(t *testing.T) {
 	partition := Partition{
 		Id:    "a",
-		Start: 2 * diskutils.MiB,
+		Start: ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 		End:   ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 		Size: PartitionSize{
 			Type: PartitionSizeTypeGrow,
@@ -106,7 +106,7 @@ func TestPartitionIsValidEndAndGrow(t *testing.T) {
 func TestPartitionIsValidGoodName(t *testing.T) {
 	partition := Partition{
 		Id:    "a",
-		Start: 0,
+		Start: ptrutils.PtrTo(DiskSize(0)),
 		End:   nil,
 		Label: "a",
 	}
@@ -118,7 +118,7 @@ func TestPartitionIsValidGoodName(t *testing.T) {
 func TestPartitionIsValidNameTooLong(t *testing.T) {
 	partition := Partition{
 		Id:    "a",
-		Start: 0,
+		Start: ptrutils.PtrTo(DiskSize(0)),
 		End:   nil,
 		Label: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
 	}
@@ -132,7 +132,7 @@ func TestPartitionIsValidNameTooLong(t *testing.T) {
 func TestPartitionIsValidNameNonASCII(t *testing.T) {
 	partition := Partition{
 		Id:    "a",
-		Start: 0,
+		Start: ptrutils.PtrTo(DiskSize(0)),
 		End:   nil,
 		Label: "❤️",
 	}
@@ -146,7 +146,7 @@ func TestPartitionIsValidNameNonASCII(t *testing.T) {
 func TestPartitionIsValidGoodType(t *testing.T) {
 	partition := Partition{
 		Id:    "a",
-		Start: 0,
+		Start: ptrutils.PtrTo(DiskSize(0)),
 		End:   nil,
 		Type:  PartitionTypeESP,
 	}
@@ -158,7 +158,7 @@ func TestPartitionIsValidGoodType(t *testing.T) {
 func TestPartitionIsValidBadType(t *testing.T) {
 	partition := Partition{
 		Id:    "a",
-		Start: 0,
+		Start: ptrutils.PtrTo(DiskSize(0)),
 		End:   nil,
 		Type:  PartitionType("a"),
 	}
diff --git a/toolkit/tools/imagecustomizerapi/storage.go b/toolkit/tools/imagecustomizerapi/storage.go
index b149d72a3b9..c5f49dbd1b0 100644
--- a/toolkit/tools/imagecustomizerapi/storage.go
+++ b/toolkit/tools/imagecustomizerapi/storage.go
@@ -10,7 +10,7 @@ import (
 type Storage struct {
 	BootType    BootType     `yaml:"bootType"`
 	Disks       []Disk       `yaml:"disks"`
-	FileSystems []FileSystem `yaml:"fileSystems"`
+	FileSystems []FileSystem `yaml:"filesystems"`
 }
 
 func (s *Storage) IsValid() error {
@@ -28,7 +28,9 @@ func (s *Storage) IsValid() error {
 		return fmt.Errorf("defining multiple disks is not currently supported")
 	}
 
-	for i, disk := range s.Disks {
+	for i := range s.Disks {
+		disk := &s.Disks[i]
+
 		err := disk.IsValid()
 		if err != nil {
 			return fmt.Errorf("invalid disk at index %d:\n%w", i, err)
@@ -39,7 +41,7 @@ func (s *Storage) IsValid() error {
 	for i, fileSystem := range s.FileSystems {
 		err = fileSystem.IsValid()
 		if err != nil {
-			return fmt.Errorf("invalid fileSystems item at index %d: %w", i, err)
+			return fmt.Errorf("invalid filesystems item at index %d:\n%w", i, err)
 		}
 
 		if _, existingName := fileSystemSet[fileSystem.DeviceId]; existingName {
@@ -64,28 +66,36 @@ func (s *Storage) IsValid() error {
 			partitionSet[partition.Id] = partition
 
 			fileSystem, hasFileSystem := fileSystemSet[partition.Id]
-			if !hasFileSystem {
-				return fmt.Errorf("invalid disk at index %d:\npartition (%s) at index %d must have a corresponding filesystem entry",
-					i, partition.Id, j)
-			}
 
 			// Ensure special partitions have the correct filesystem type.
-			if partition.IsESP() {
+			switch partition.Type {
+			case PartitionTypeESP:
 				espPartitionExists = true
 
-				if fileSystem.Type != FileSystemTypeFat32 {
-					return fmt.Errorf("ESP partition must have 'fat32' filesystem type")
+				if !hasFileSystem || (fileSystem.Type != FileSystemTypeFat32 && fileSystem.Type != FileSystemTypeVfat) {
+					return fmt.Errorf("ESP partition (%s) must have 'fat32' or 'vfat' filesystem type", partition.Id)
 				}
-			}
 
-			if partition.IsBiosBoot() {
+			case PartitionTypeBiosGrub:
 				biosBootPartitionExists = true
 
-				if fileSystem.Type != FileSystemTypeFat32 {
-					return fmt.Errorf("BIOS boot partition must have 'fat32' filesystem type")
+				if hasFileSystem {
+					if fileSystem.Type != "" {
+						return fmt.Errorf("BIOS boot partition (%s) must not have a filesystem 'type'",
+							partition.Id)
+					}
+
+					if fileSystem.MountPoint != nil {
+						return fmt.Errorf("BIOS boot partition (%s) must not have a 'mountPoint'", partition.Id)
+					}
 				}
 			}
 
+			// Ensure filesystem entires with a mountPoint also have a filesystem type value.
+			if hasFileSystem && fileSystem.MountPoint != nil && fileSystem.Type == FileSystemTypeNone {
+				return fmt.Errorf("filesystem with 'mountPoint' must have a 'type'")
+			}
+
 			// Count the number of partitions that use each label.
 			partitionLabelCounts[partition.Label] += 1
 		}
diff --git a/toolkit/tools/imagecustomizerapi/storage_test.go b/toolkit/tools/imagecustomizerapi/storage_test.go
index 8e9b06f1f9a..1dc366c5d39 100644
--- a/toolkit/tools/imagecustomizerapi/storage_test.go
+++ b/toolkit/tools/imagecustomizerapi/storage_test.go
@@ -11,15 +11,56 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+func TestStorageIsValidCoreEfi(t *testing.T) {
+	value := Storage{
+		Disks: []Disk{{
+			PartitionTableType: "gpt",
+			MaxSize:            ptrutils.PtrTo(DiskSize(4 * diskutils.GiB)),
+			Partitions: []Partition{
+				{
+					Id:    "esp",
+					Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
+					End:   ptrutils.PtrTo(DiskSize(9 * diskutils.MiB)),
+					Type:  PartitionTypeESP,
+				},
+				{
+					Id:    "rootfs",
+					Start: ptrutils.PtrTo(DiskSize(9 * diskutils.MiB)),
+				},
+			},
+		}},
+		BootType: "efi",
+		FileSystems: []FileSystem{
+			{
+				DeviceId: "esp",
+				Type:     "vfat",
+				MountPoint: &MountPoint{
+					Path: "/boot/efi",
+				},
+			},
+			{
+				DeviceId: "rootfs",
+				Type:     "ext4",
+				MountPoint: &MountPoint{
+					Path: "/",
+				},
+			},
+		},
+	}
+
+	err := value.IsValid()
+	assert.NoError(t, err)
+}
+
 func TestStorageIsValidDuplicatePartitionID(t *testing.T) {
 	value := Storage{
 		Disks: []Disk{{
 			PartitionTableType: "gpt",
-			MaxSize:            2 * diskutils.GiB,
+			MaxSize:            ptrutils.PtrTo(DiskSize(2 * diskutils.GiB)),
 			Partitions: []Partition{
 				{
 					Id:    "esp",
-					Start: 1 * diskutils.MiB,
+					Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 					Type:  PartitionTypeESP,
 				},
 			},
@@ -52,11 +93,11 @@ func TestStorageIsValidUnsupportedFileSystem(t *testing.T) {
 	storage := Storage{
 		Disks: []Disk{{
 			PartitionTableType: PartitionTableTypeGpt,
-			MaxSize:            2 * diskutils.GiB,
+			MaxSize:            ptrutils.PtrTo(DiskSize(2 * diskutils.GiB)),
 			Partitions: []Partition{
 				{
 					Id:    "a",
-					Start: 1 * diskutils.MiB,
+					Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 					End:   nil,
 				},
 			},
@@ -75,15 +116,44 @@ func TestStorageIsValidUnsupportedFileSystem(t *testing.T) {
 	assert.ErrorContains(t, err, "invalid fileSystemType value (ntfs)")
 }
 
+func TestStorageIsValidMountPointWithoutFileSystem(t *testing.T) {
+	storage := Storage{
+		Disks: []Disk{{
+			PartitionTableType: PartitionTableTypeGpt,
+			MaxSize:            ptrutils.PtrTo(DiskSize(2 * diskutils.GiB)),
+			Partitions: []Partition{
+				{
+					Id:    "a",
+					Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
+					End:   nil,
+				},
+			},
+		}},
+		BootType: BootTypeEfi,
+		FileSystems: []FileSystem{
+			{
+				DeviceId: "a",
+				MountPoint: &MountPoint{
+					Path: "/",
+				},
+			},
+		},
+	}
+
+	err := storage.IsValid()
+	assert.Error(t, err)
+	assert.ErrorContains(t, err, "filesystem with 'mountPoint' must have a 'type'")
+}
+
 func TestStorageIsValidMissingFileSystemEntry(t *testing.T) {
 	storage := Storage{
 		Disks: []Disk{{
 			PartitionTableType: PartitionTableTypeGpt,
-			MaxSize:            2 * diskutils.GiB,
+			MaxSize:            ptrutils.PtrTo(DiskSize(2 * diskutils.GiB)),
 			Partitions: []Partition{
 				{
 					Id:    "esp",
-					Start: 1 * diskutils.MiB,
+					Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 					End:   nil,
 					Type:  PartitionTypeESP,
 				},
@@ -94,19 +164,18 @@ func TestStorageIsValidMissingFileSystemEntry(t *testing.T) {
 
 	err := storage.IsValid()
 	assert.Error(t, err)
-	assert.ErrorContains(t, err, "invalid disk at index 0")
-	assert.ErrorContains(t, err, "partition (esp) at index 0 must have a corresponding filesystem entry")
+	assert.ErrorContains(t, err, "ESP partition (esp) must have 'fat32' or 'vfat' filesystem type")
 }
 
 func TestStorageIsValidBadEspFsType(t *testing.T) {
 	storage := Storage{
 		Disks: []Disk{{
 			PartitionTableType: PartitionTableTypeGpt,
-			MaxSize:            2 * diskutils.GiB,
+			MaxSize:            ptrutils.PtrTo(DiskSize(2 * diskutils.GiB)),
 			Partitions: []Partition{
 				{
 					Id:    "esp",
-					Start: 1 * diskutils.MiB,
+					Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 					End:   nil,
 					Type:  PartitionTypeESP,
 				},
@@ -123,18 +192,18 @@ func TestStorageIsValidBadEspFsType(t *testing.T) {
 
 	err := storage.IsValid()
 	assert.Error(t, err)
-	assert.ErrorContains(t, err, "ESP partition must have 'fat32' filesystem type")
+	assert.ErrorContains(t, err, "ESP partition (esp) must have 'fat32' or 'vfat' filesystem type")
 }
 
 func TestStorageIsValidBadBiosBootFsType(t *testing.T) {
 	storage := Storage{
 		Disks: []Disk{{
 			PartitionTableType: PartitionTableTypeGpt,
-			MaxSize:            2 * diskutils.GiB,
+			MaxSize:            ptrutils.PtrTo(DiskSize(2 * diskutils.GiB)),
 			Partitions: []Partition{
 				{
 					Id:    "bios",
-					Start: 1 * diskutils.MiB,
+					Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 					End:   nil,
 					Type:  PartitionTypeBiosGrub,
 				},
@@ -151,18 +220,48 @@ func TestStorageIsValidBadBiosBootFsType(t *testing.T) {
 
 	err := storage.IsValid()
 	assert.Error(t, err)
-	assert.ErrorContains(t, err, "BIOS boot partition must have 'fat32' filesystem type")
+	assert.ErrorContains(t, err, "BIOS boot partition (bios) must not have a filesystem 'type'")
+}
+
+func TestStorageIsValidBiosWithMountPoint(t *testing.T) {
+	storage := Storage{
+		Disks: []Disk{{
+			PartitionTableType: PartitionTableTypeGpt,
+			MaxSize:            ptrutils.PtrTo(DiskSize(2 * diskutils.GiB)),
+			Partitions: []Partition{
+				{
+					Id:    "bios",
+					Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
+					End:   nil,
+					Type:  PartitionTypeBiosGrub,
+				},
+			},
+		}},
+		BootType: BootTypeEfi,
+		FileSystems: []FileSystem{
+			{
+				DeviceId: "bios",
+				MountPoint: &MountPoint{
+					Path: "/boot/bios",
+				},
+			},
+		},
+	}
+
+	err := storage.IsValid()
+	assert.Error(t, err)
+	assert.ErrorContains(t, err, "BIOS boot partition (bios) must not have a 'mountPoint'")
 }
 
 func TestStorageIsValidBadBiosBootStart(t *testing.T) {
 	storage := Storage{
 		Disks: []Disk{{
 			PartitionTableType: PartitionTableTypeGpt,
-			MaxSize:            2 * diskutils.GiB,
+			MaxSize:            ptrutils.PtrTo(DiskSize(2 * diskutils.GiB)),
 			Partitions: []Partition{
 				{
 					Id:    "bios",
-					Start: 2 * diskutils.MiB,
+					Start: ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 					End:   nil,
 					Type:  PartitionTypeBiosGrub,
 				},
@@ -186,11 +285,11 @@ func TestStorageIsValidBadDeviceId(t *testing.T) {
 	value := Storage{
 		Disks: []Disk{{
 			PartitionTableType: "gpt",
-			MaxSize:            2 * diskutils.GiB,
+			MaxSize:            ptrutils.PtrTo(DiskSize(2 * diskutils.GiB)),
 			Partitions: []Partition{
 				{
 					Id:    "esp",
-					Start: 1 * diskutils.MiB,
+					Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 					Type:  PartitionTypeESP,
 				},
 			},
@@ -222,16 +321,16 @@ func TestStorageIsValidDuplicatePartitionId(t *testing.T) {
 		Disks: []Disk{
 			{
 				PartitionTableType: PartitionTableTypeGpt,
-				MaxSize:            4 * diskutils.MiB,
+				MaxSize:            ptrutils.PtrTo(DiskSize(4 * diskutils.MiB)),
 				Partitions: []Partition{
 					{
 						Id:    "a",
-						Start: 1 * diskutils.MiB,
+						Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 						End:   ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 					},
 					{
 						Id:    "a",
-						Start: 2 * diskutils.MiB,
+						Start: ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 					},
 				},
 			},
@@ -254,11 +353,11 @@ func TestStorageIsValidNoLabel(t *testing.T) {
 		Disks: []Disk{
 			{
 				PartitionTableType: PartitionTableTypeGpt,
-				MaxSize:            3 * diskutils.MiB,
+				MaxSize:            ptrutils.PtrTo(DiskSize(3 * diskutils.MiB)),
 				Partitions: []Partition{
 					{
 						Id:    "a",
-						Start: 1 * diskutils.MiB,
+						Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 						End:   ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 						Type:  PartitionTypeESP,
 					},
@@ -288,18 +387,18 @@ func TestStorageIsValidUniqueLabel(t *testing.T) {
 		Disks: []Disk{
 			{
 				PartitionTableType: PartitionTableTypeGpt,
-				MaxSize:            4 * diskutils.MiB,
+				MaxSize:            ptrutils.PtrTo(DiskSize(4 * diskutils.MiB)),
 				Partitions: []Partition{
 					{
 						Id:    "a",
-						Start: 1 * diskutils.MiB,
+						Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 						End:   ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 						Type:  PartitionTypeESP,
 						Label: "a",
 					},
 					{
 						Id:    "b",
-						Start: 2 * diskutils.MiB,
+						Start: ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 						Label: "b",
 					},
 				},
@@ -335,18 +434,18 @@ func TestStorageIsValidDuplicateLabel(t *testing.T) {
 		Disks: []Disk{
 			{
 				PartitionTableType: PartitionTableTypeGpt,
-				MaxSize:            4 * diskutils.MiB,
+				MaxSize:            ptrutils.PtrTo(DiskSize(4 * diskutils.MiB)),
 				Partitions: []Partition{
 					{
 						Id:    "a",
-						Start: 1 * diskutils.MiB,
+						Start: ptrutils.PtrTo(DiskSize(1 * diskutils.MiB)),
 						End:   ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 						Type:  PartitionTypeESP,
 						Label: "a",
 					},
 					{
 						Id:    "b",
-						Start: 2 * diskutils.MiB,
+						Start: ptrutils.PtrTo(DiskSize(2 * diskutils.MiB)),
 						Label: "a",
 					},
 				},
diff --git a/toolkit/tools/imagegen/diskutils/diskutils.go b/toolkit/tools/imagegen/diskutils/diskutils.go
index 9f79b2f1505..5e441206b4c 100644
--- a/toolkit/tools/imagegen/diskutils/diskutils.go
+++ b/toolkit/tools/imagegen/diskutils/diskutils.go
@@ -580,7 +580,17 @@ func createSinglePartition(diskDevPath string, partitionNumber int, partitionTab
 		}
 	}
 
-	mkpartArgs = append(mkpartArgs, partition.FsType, fmt.Sprintf(sFmt, start))
+	fsType := partition.FsType
+	if fsType == "vfat" {
+		// 'parted mkpart' requires value of either 'fat16' or 'fat32'.
+		fsType = "fat32"
+	}
+
+	if fsType != "" {
+		mkpartArgs = append(mkpartArgs, fsType)
+	}
+
+	mkpartArgs = append(mkpartArgs, fmt.Sprintf(sFmt, start))
 
 	if end == 0 {
 		mkpartArgs = append(mkpartArgs, fillToEndOption)
diff --git a/toolkit/tools/imagegen/installutils/installutils.go b/toolkit/tools/imagegen/installutils/installutils.go
index c6501833945..319d24cd931 100644
--- a/toolkit/tools/imagegen/installutils/installutils.go
+++ b/toolkit/tools/imagegen/installutils/installutils.go
@@ -820,7 +820,7 @@ func calculateTotalPackages(packages []string, installRoot string) (installedPac
 		// end with an empty line.
 		for _, line := range splitStdout {
 			matches := tdnf.InstallPackageRegex.FindStringSubmatch(line)
-			if len(matches) != tdnf.InstallMaxMatchLen {
+			if len(matches) != tdnf.InstallPackageMaxMatchLen {
 				// This line contains output other than a package information; skip it
 				continue
 			}
@@ -1474,7 +1474,7 @@ func installGrubTemplateFile(assetFile, targetFile, installRoot, rootDevice, boo
 	return
 }
 
-func CallGrubMkconfig(installChroot *safechroot.Chroot) (err error) {
+func CallGrubMkconfig(installChroot safechroot.ChrootInterface) (err error) {
 	squashErrors := false
 
 	ReportActionf("Running grub2-mkconfig...")
@@ -1965,7 +1965,7 @@ func SELinuxConfigure(selinuxMode configuration.SELinux, installChroot *safechro
 	return
 }
 
-func SELinuxUpdateConfig(selinuxMode configuration.SELinux, installChroot *safechroot.Chroot) (err error) {
+func SELinuxUpdateConfig(selinuxMode configuration.SELinux, installChroot safechroot.ChrootInterface) (err error) {
 	const (
 		selinuxPattern = "^SELINUX=.*"
 	)
@@ -1986,7 +1986,7 @@ func SELinuxUpdateConfig(selinuxMode configuration.SELinux, installChroot *safec
 	return
 }
 
-func SELinuxRelabelFiles(installChroot *safechroot.Chroot, mountPointToFsTypeMap map[string]string, isRootFS bool,
+func SELinuxRelabelFiles(installChroot safechroot.ChrootInterface, mountPointToFsTypeMap map[string]string, isRootFS bool,
 ) (err error) {
 	const (
 		fileContextBasePath = "etc/selinux/%s/contexts/files/file_contexts"
diff --git a/toolkit/tools/imagepkgfetcher/imagepkgfetcher.go b/toolkit/tools/imagepkgfetcher/imagepkgfetcher.go
index d4f9721e311..3b70a6c9db6 100644
--- a/toolkit/tools/imagepkgfetcher/imagepkgfetcher.go
+++ b/toolkit/tools/imagepkgfetcher/imagepkgfetcher.go
@@ -38,6 +38,7 @@ var (
 	usePreviewRepo       = app.Flag("use-preview-repo", "Pull packages from the upstream preview repo").Bool()
 	disableDefaultRepos  = app.Flag("disable-default-repos", "Disable pulling packages from PMC repos").Bool()
 	disableUpstreamRepos = app.Flag("disable-upstream-repos", "Disables pulling packages from upstream repos").Bool()
+	repoSnapshotTime     = app.Flag("repo-snapshot-time", "Optional: Repo time limit for tdnf virtual snapshot").String()
 
 	tlsClientCert = app.Flag("tls-cert", "TLS client certificate to use when downloading files.").String()
 	tlsClientKey  = app.Flag("tls-key", "TLS client key to use when downloading files.").String()
@@ -74,7 +75,7 @@ func main() {
 
 	timestamp.StartEvent("initialize and configure cloner", nil)
 
-	cloner, err := rpmrepocloner.ConstructCloner(*outDir, *tmpDir, *workertar, *existingRpmDir, *existingToolchainRpmDir, *tlsClientCert, *tlsClientKey, *repoFiles)
+	cloner, err := rpmrepocloner.ConstructCloner(*outDir, *tmpDir, *workertar, *existingRpmDir, *existingToolchainRpmDir, *tlsClientCert, *tlsClientKey, *repoFiles, *repoSnapshotTime)
 	if err != nil {
 		logger.Log.Panicf("Failed to initialize RPM repo cloner. Error: %s", err)
 	}
diff --git a/toolkit/tools/imager/imager.go b/toolkit/tools/imager/imager.go
index b4a228962cb..b1bbe9a96fe 100644
--- a/toolkit/tools/imager/imager.go
+++ b/toolkit/tools/imager/imager.go
@@ -8,6 +8,7 @@ package main
 import (
 	"fmt"
 	"os"
+	"path"
 	"path/filepath"
 
 	"github.com/microsoft/azurelinux/toolkit/tools/imagegen/configuration"
@@ -18,6 +19,7 @@ import (
 	"github.com/microsoft/azurelinux/toolkit/tools/internal/file"
 	"github.com/microsoft/azurelinux/toolkit/tools/internal/logger"
 	"github.com/microsoft/azurelinux/toolkit/tools/internal/safechroot"
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/tdnf"
 	"github.com/microsoft/azurelinux/toolkit/tools/internal/timestamp"
 	"github.com/microsoft/azurelinux/toolkit/tools/pkg/profile"
 
@@ -25,22 +27,23 @@ import (
 )
 
 var (
-	app             = kingpin.New("imager", "Tool to create and install images.")
-	buildDir        = app.Flag("build-dir", "Directory to store temporary files while building.").ExistingDir()
-	configFile      = exe.InputFlag(app, "Path to the image config file.")
-	localRepo       = app.Flag("local-repo", "Path to local RPM repo").ExistingDir()
-	tdnfTar         = app.Flag("tdnf-worker", "Path to tdnf worker tarball").ExistingFile()
-	repoFile        = app.Flag("repo-file", "Full path to local.repo.").ExistingFile()
-	assets          = app.Flag("assets", "Path to assets directory.").ExistingDir()
-	baseDirPath     = app.Flag("base-dir", "Base directory for relative file paths from the config. Defaults to config's directory.").ExistingDir()
-	outputDir       = app.Flag("output-dir", "Path to directory to place final image.").ExistingDir()
-	imgContentFile  = app.Flag("output-image-contents", "File that stores list of packages used to compose the image.").String()
-	liveInstallFlag = app.Flag("live-install", "Enable to perform a live install to the disk specified in config file.").Bool()
-	emitProgress    = app.Flag("emit-progress", "Write progress updates to stdout, such as percent complete and current action.").Bool()
-	timestampFile   = app.Flag("timestamp-file", "File that stores timestamps for this program.").String()
-	buildNumber     = app.Flag("build-number", "Build number to be used in the image.").String()
-	logFlags        = exe.SetupLogFlags(app)
-	profFlags       = exe.SetupProfileFlags(app)
+	app              = kingpin.New("imager", "Tool to create and install images.")
+	buildDir         = app.Flag("build-dir", "Directory to store temporary files while building.").ExistingDir()
+	configFile       = exe.InputFlag(app, "Path to the image config file.")
+	localRepo        = app.Flag("local-repo", "Path to local RPM repo").ExistingDir()
+	tdnfTar          = app.Flag("tdnf-worker", "Path to tdnf worker tarball").ExistingFile()
+	repoFile         = app.Flag("repo-file", "Full path to local.repo.").ExistingFile()
+	assets           = app.Flag("assets", "Path to assets directory.").ExistingDir()
+	baseDirPath      = app.Flag("base-dir", "Base directory for relative file paths from the config. Defaults to config's directory.").ExistingDir()
+	outputDir        = app.Flag("output-dir", "Path to directory to place final image.").ExistingDir()
+	imgContentFile   = app.Flag("output-image-contents", "File that stores list of packages used to compose the image.").String()
+	liveInstallFlag  = app.Flag("live-install", "Enable to perform a live install to the disk specified in config file.").Bool()
+	emitProgress     = app.Flag("emit-progress", "Write progress updates to stdout, such as percent complete and current action.").Bool()
+	timestampFile    = app.Flag("timestamp-file", "File that stores timestamps for this program.").String()
+	buildNumber      = app.Flag("build-number", "Build number to be used in the image.").String()
+	repoSnapshotTime = app.Flag("repo-snapshot-time", "Optional: Snapshot time to be added to the image tdnf.conf").String()
+	logFlags         = exe.SetupLogFlags(app)
+	profFlags        = exe.SetupProfileFlags(app)
 )
 
 const (
@@ -622,6 +625,14 @@ func buildImage(mountPointMap, mountPointToFsTypeMap, mountPointToMountArgsMap,
 		return
 	}
 
+	//add snapshot to installchroot tdnf.conf if both a present, warning if only snapshot time present
+	if *repoSnapshotTime != "" {
+		err = tdnf.AddSnapshotToConfig(path.Join(installChroot.RootDir(), "etc", "tdnf", "tdnf.conf"), *repoSnapshotTime)
+		if err != nil {
+			return
+		}
+	}
+
 	// Configure the final image with the customized macros so that rpm continues to behave the same way in the final image
 	logger.Log.Infof("Adding final image customization macros if needed")
 	err = customizationmacros.AddCustomizationMacros(installChroot.RootDir(), systemConfig.DisableRpmDocs,
diff --git a/toolkit/tools/internal/file/filecopybuilder.go b/toolkit/tools/internal/file/filecopybuilder.go
index 04bd14666f5..0b7891f1c4e 100644
--- a/toolkit/tools/internal/file/filecopybuilder.go
+++ b/toolkit/tools/internal/file/filecopybuilder.go
@@ -75,7 +75,7 @@ func (b FileCopyBuilder) Run() (err error) {
 
 	err = createDestinationDir(b.Dst, b.DirFileMode)
 	if err != nil {
-		return
+		return fmt.Errorf("failed to create destination directory (%s):\n%w", b.Dst, err)
 	}
 
 	args := []string(nil)
@@ -96,7 +96,10 @@ func (b FileCopyBuilder) Run() (err error) {
 	if b.ChangeFileMode {
 		logger.Log.Debugf("Calling chmod on (%s) with the mode (%v)", b.Dst, b.FileMode)
 		err = os.Chmod(b.Dst, b.FileMode)
+		if err != nil {
+			return fmt.Errorf("failed to set file mode (%s):\n%w", b.Dst, err)
+		}
 	}
 
-	return
+	return nil
 }
diff --git a/toolkit/tools/internal/logger/log.go b/toolkit/tools/internal/logger/log.go
index f7e82508a1f..70532e0364e 100644
--- a/toolkit/tools/internal/logger/log.go
+++ b/toolkit/tools/internal/logger/log.go
@@ -163,6 +163,17 @@ func PanicOnError(err interface{}, args ...interface{}) {
 	}
 }
 
+// FatalOnError logs a fatal error and any message strings, then exists (while
+// running any cleanup functions registered with the log package)
+func FatalOnError(err interface{}, args ...interface{}) {
+	if err != nil {
+		if len(args) > 0 {
+			Log.Errorf(args[0].(string), args[1:]...)
+		}
+		Log.Fatalln(err)
+	}
+}
+
 // WarningOnError logs a warning error and any message strings
 func WarningOnError(err interface{}, args ...interface{}) {
 	if err != nil {
diff --git a/toolkit/tools/internal/packagerepo/repocloner/rpmrepocloner/rpmrepocloner.go b/toolkit/tools/internal/packagerepo/repocloner/rpmrepocloner/rpmrepocloner.go
index 75220717fc8..7e00c9b1ddc 100644
--- a/toolkit/tools/internal/packagerepo/repocloner/rpmrepocloner/rpmrepocloner.go
+++ b/toolkit/tools/internal/packagerepo/repocloner/rpmrepocloner/rpmrepocloner.go
@@ -65,6 +65,8 @@ type RpmRepoCloner struct {
 	chrootCloneDir           string
 	defaultAzureLinuxRepoIDs []string
 	mountedCloneDir          string
+	repoSnapshotTime         string
+	repoSnapshotArgs         []string
 	repoIDCache              string
 	reposArgsList            [][]string
 	reposFlags               uint64
@@ -79,12 +81,12 @@ type RpmRepoCloner struct {
 //   - tlsCert is the path to the TLS certificate, "" if not needed
 //   - tlsKey is the path to the TLS key, "" if not needed
 //   - repoDefinitions is a list of repo files to use
-func ConstructCloner(destinationDir, tmpDir, workerTar, existingRpmsDir, toolchainRpmsDir, tlsCert, tlsKey string, repoDefinitions []string) (r *RpmRepoCloner, err error) {
+func ConstructCloner(destinationDir, tmpDir, workerTar, existingRpmsDir, toolchainRpmsDir, tlsCert, tlsKey string, repoDefinitions []string, posixTime string) (r *RpmRepoCloner, err error) {
 	timestamp.StartEvent("initialize and configure cloner", nil)
 	defer timestamp.StopEvent(nil) // initialize and configure cloner
 
 	r = &RpmRepoCloner{}
-	err = r.initialize(destinationDir, tmpDir, workerTar, existingRpmsDir, toolchainRpmsDir, repoDefinitions)
+	err = r.initialize(destinationDir, tmpDir, workerTar, existingRpmsDir, toolchainRpmsDir, repoDefinitions, posixTime)
 	if err != nil {
 		err = fmt.Errorf("failed to prep new rpm cloner:\n%w", err)
 		return
@@ -107,7 +109,7 @@ func ConstructCloner(destinationDir, tmpDir, workerTar, existingRpmsDir, toolcha
 //   - existingRpmsDir is the directory with prebuilt RPMs
 //   - prebuiltRpmsDir is the directory with toolchain RPMs
 //   - repoDefinitions is a list of repo files to use when cloning RPMs
-func (r *RpmRepoCloner) initialize(destinationDir, tmpDir, workerTar, existingRpmsDir, toolchainRpmsDir string, repoDefinitions []string) (err error) {
+func (r *RpmRepoCloner) initialize(destinationDir, tmpDir, workerTar, existingRpmsDir, toolchainRpmsDir string, repoDefinitions []string, posixTime string) (err error) {
 	const (
 		isExistingDir          = false
 		leaveChrootFilesOnDisk = false
@@ -209,6 +211,10 @@ func (r *RpmRepoCloner) initialize(destinationDir, tmpDir, workerTar, existingRp
 
 	r.SetEnabledRepos(repoFlagClonerDefault)
 
+	if posixTime != "" {
+		r.SetRepoEpochTimeLimitArgs(posixTime)
+	}
+
 	return
 }
 
@@ -400,6 +406,10 @@ func (r *RpmRepoCloner) cloneRawPackageNames(cloneDeps, singleTransaction bool,
 		r.chrootCloneDir,
 	}
 
+	if r.GetRepoSnapshotTime() != "" {
+		constantArgs = append(constantArgs, r.GetRepoSnapshotArgs()...)
+	}
+
 	logger.Log.Debugf("Will clone in total %d items.", len(rawPackageNames))
 
 	// Create a list of lists for each transaction. Each transaction will be cloned separately. Generally either all
@@ -453,7 +463,11 @@ func (r *RpmRepoCloner) WhatProvides(pkgVer *pkgjson.PackageVer) (packageNames [
 		releaseverCliArg,
 	}
 
-	// Consider the built (tooolchain, local) RPMs first, then the already cached, and finally all remote packages.
+	if r.GetRepoSnapshotTime() != "" {
+		baseArgs = append(baseArgs, r.GetRepoSnapshotArgs()...)
+	}
+
+	// Consider the built (toolchain, local) RPMs first, then the already cached, and finally all remote packages.
 	for _, reposArgs := range r.reposArgsList {
 		logger.Log.Debugf("Using repos args: %v", reposArgs)
 
@@ -474,8 +488,8 @@ func (r *RpmRepoCloner) WhatProvides(pkgVer *pkgjson.PackageVer) (packageNames [
 			// MUST keep order of packages printed by TDNF.
 			// TDNF will print the packages starting from the highest version, which allows us to work around an RPM bug:
 			// https://github.com/rpm-software-management/rpm/issues/2359
-			for _, matches := range tdnf.PackageLookupNameMatchRegex.FindAllStringSubmatch(stdout, -1) {
-				packageName := matches[tdnf.PackageNameIndex]
+			for _, matches := range tdnf.PackageProvidesRegex.FindAllStringSubmatch(stdout, -1) {
+				packageName := matches[tdnf.PackageProvidesNameIndex]
 				if lookupIgnoredCase {
 					logger.Log.Warnf("'%s' was found by case-insensitive lookup of '%s', but this is not valid and will be ignored", packageName, pkgVer.Name)
 					// This is not a valid mapping of requires -> provides, so we skip it. This is not a fatal error since
@@ -556,15 +570,15 @@ func (r *RpmRepoCloner) ClonedRepoContents() (repoContents *repocloner.RepoConte
 	repoContents = &repocloner.RepoContents{}
 	onStdout := func(line string) {
 		matches := tdnf.ListedPackageRegex.FindStringSubmatch(line)
-		if len(matches) != tdnf.ListMaxMatchLen {
+		if len(matches) != tdnf.ListedPackageMaxMatchLen {
 			return
 		}
 
 		pkg := &repocloner.RepoPackage{
-			Name:         matches[tdnf.ListPackageName],
-			Version:      matches[tdnf.ListPackageVersion],
-			Architecture: matches[tdnf.ListPackageArch],
-			Distribution: matches[tdnf.ListPackageDist],
+			Name:         matches[tdnf.ListedPackageName],
+			Version:      matches[tdnf.ListedPackageVersion],
+			Architecture: matches[tdnf.ListedPackageArch],
+			Distribution: matches[tdnf.ListedPackageDist],
 		}
 
 		pkgID := pkg.ID()
@@ -683,6 +697,44 @@ func convertPackageVersionToTdnfArg(pkgVer *pkgjson.PackageVer) (tdnfArg string)
 	return
 }
 
+func (r *RpmRepoCloner) GetRepoSnapshotTime() string {
+	return r.repoSnapshotTime
+}
+
+func (r *RpmRepoCloner) GetRepoSnapshotArgs() []string {
+	return r.repoSnapshotArgs
+}
+
+func (r *RpmRepoCloner) SetRepoEpochTimeLimitArgs(posixTime string) {
+	var (
+		snapshotTimeArg    string
+		snapshotExcludeArg string
+		excludeRepoIds     []string
+		err                error
+	)
+
+	r.repoSnapshotTime = posixTime
+	r.repoSnapshotArgs = []string{}
+
+	if r.repoSnapshotTime == "" { // no args to add
+		return
+	}
+
+	snapshotTimeArg, err = tdnf.GetRepoSnapshotCliArg(r.repoSnapshotTime)
+	if err != nil {
+		logger.Log.Errorf("Snapshot Time is invalid")
+		return
+	}
+	excludeRepoIds = []string{repoIDBuilt, repoIDToolchain, r.repoIDCache, repoIDCacheRegular}
+	snapshotExcludeArg, err = tdnf.GetRepoSnapshotExcludeCliArg(excludeRepoIds)
+	if err != nil {
+		logger.Log.Errorf("Snapshot Repo to exclude is invalid")
+		return
+	}
+
+	r.repoSnapshotArgs = append(r.repoSnapshotArgs, snapshotTimeArg, snapshotExcludeArg)
+}
+
 // GetEnabledRepos returns the repo flags that the cloner is allowed to use for its queries.
 func (r *RpmRepoCloner) GetEnabledRepos() uint64 {
 	return r.reposFlags
diff --git a/toolkit/tools/internal/rpm/rpm.go b/toolkit/tools/internal/rpm/rpm.go
index 7b9d30d4f9b..8ef77dffe56 100644
--- a/toolkit/tools/internal/rpm/rpm.go
+++ b/toolkit/tools/internal/rpm/rpm.go
@@ -63,11 +63,25 @@ const (
 )
 
 const (
-	installedRPMRegexRPMIndex        = 1
-	installedRPMRegexVersionIndex    = 2
-	installedRPMRegexArchIndex       = 3
-	installedRPMRegexExpectedMatches = 4
+	packageFQNRegexMatchSubString  = iota
+	packageFQNRegexNameIndex       = iota
+	packageFQNRegexEpochIndex      = iota
+	packageFQNRegexVersionIndex    = iota
+	packageFQNRegexReleaseIndex    = iota
+	packageFQNRegexArchIndex       = iota
+	packageFQNRegexExtensionIndex  = iota
+	packageFQNRegexExpectedMatches = iota
+)
+
+const (
+	installedRPMRegexMatchSubString  = iota
+	installedRPMRegexRPMIndex        = iota
+	installedRPMRegexVersionIndex    = iota
+	installedRPMRegexArchIndex       = iota
+	installedRPMRegexExpectedMatches = iota
+)
 
+const (
 	rpmProgram      = "rpm"
 	rpmSpecProgram  = "rpmspec"
 	rpmBuildProgram = "rpmbuild"
@@ -83,6 +97,25 @@ var (
 	// It works multi-line strings containing the whole file content, thus the need for the 'm' flag.
 	checkSectionRegex = regexp.MustCompile(`(?m)^\s*%check`)
 
+	// A full qualified RPM name contains the package name, epoch, version, release, architecture, and extension.
+	// Optional fields:
+	// 	- epoch,
+	// 	- architecture.
+	//	- "rpm" extension.
+	//
+	// Sample match:
+	//
+	//	pkg-name-0:1.2.3-4.azl3.x86_64.rpm
+	//
+	// Groups can be used to split it into:
+	//   - name:			pkg-name
+	//   - epoch:			0
+	//   - version:			1.2.3
+	//   - release:			4.azl3
+	//   - architecture:	x86_64
+	//   - extension:		rpm
+	packageFQNRegex = regexp.MustCompile(`^\s*(\S+[^-])-(?:(\d+):)?(\d[^-:_]*)-(\d+(?:[^-\s]*?))(?:\.(noarch|x86_64|aarch64|src))?(?:\.(rpm))?\s*$`)
+
 	// Output from 'rpm' prints installed RPMs in a line with the following format:
 	//
 	//	D: ========== +++ [name]-([epoch]:)[version]-[release].[distribution] [architecture]-linux [hex_value]
@@ -187,19 +220,15 @@ func getMacroDirWithFallback(allowDefault bool) (macroDir string, err error) {
 func ExtractNameFromRPMPath(rpmFilePath string) (packageName string, err error) {
 	baseName := filepath.Base(rpmFilePath)
 
+	matches := packageFQNRegex.FindStringSubmatch(baseName)
+
 	// If the path is invalid, return empty string. We consider any string that has at least 1 '-' characters valid.
-	if !strings.Contains(baseName, "-") {
+	if matches == nil {
 		err = fmt.Errorf("invalid RPM file path (%s), can't extract name", rpmFilePath)
 		return
 	}
 
-	rpmFileSplit := strings.Split(baseName, "-")
-	packageName = strings.Join(rpmFileSplit[:len(rpmFileSplit)-2], "-")
-	if packageName == "" {
-		err = fmt.Errorf("invalid RPM file path (%s), can't extract name", rpmFilePath)
-		return
-	}
-	return
+	return matches[packageFQNRegexNameIndex], nil
 }
 
 // getCommonBuildArgs will generate arguments to pass to 'rpmbuild'.
@@ -526,10 +555,6 @@ func extractCompetingPackageInfoFromLine(line string) (match bool, pkgName strin
 		pkgName := matches[installedRPMRegexRPMIndex]
 		version := matches[installedRPMRegexVersionIndex]
 		arch := matches[installedRPMRegexArchIndex]
-		// Names should not contain the epoch, strip everything before the ":"" in the string. "Version": "0:1.2-3", becomes "1.2-3"
-		if strings.Contains(version, ":") {
-			version = strings.Split(version, ":")[1]
-		}
 
 		return true, fmt.Sprintf("%s-%s.%s", pkgName, version, arch)
 	}
@@ -636,6 +661,39 @@ func BuildCompatibleSpecsList(baseDir string, inputSpecPaths []string, defines m
 	return filterCompatibleSpecs(specPaths, defines)
 }
 
+// StripEpochFromPackageFullQualifiedName removes the epoch from a package full qualified name if it is present.
+// Example:
+//
+//	"pkg-name-0:1.2.3-4.azl3.x86_64" -> "pkg-name-1.2.3-4.azl3.x86_64"
+func StripEpochFromPackageFullQualifiedName(packageFQN string) string {
+	var packageFQNBuilder strings.Builder
+
+	matches := packageFQNRegex.FindStringSubmatch(packageFQN)
+	if matches == nil {
+		return packageFQN
+	}
+
+	packageFQNBuilder.WriteString(matches[packageFQNRegexNameIndex])
+	packageFQNBuilder.WriteString("-")
+
+	packageFQNBuilder.WriteString(matches[packageFQNRegexVersionIndex])
+	packageFQNBuilder.WriteString("-")
+
+	packageFQNBuilder.WriteString(matches[packageFQNRegexReleaseIndex])
+
+	if matches[packageFQNRegexArchIndex] != "" {
+		packageFQNBuilder.WriteString(".")
+		packageFQNBuilder.WriteString(matches[packageFQNRegexArchIndex])
+	}
+
+	if matches[packageFQNRegexExtensionIndex] != "" {
+		packageFQNBuilder.WriteString(".")
+		packageFQNBuilder.WriteString(matches[packageFQNRegexExtensionIndex])
+	}
+
+	return packageFQNBuilder.String()
+}
+
 // TestRPMFromSRPM builds an RPM from the given SRPM and runs its '%check' section SRPM file
 // but it does not generate any RPM packages.
 func TestRPMFromSRPM(srpmFile, outArch string, defines map[string]string) (err error) {
diff --git a/toolkit/tools/internal/rpm/rpm_test.go b/toolkit/tools/internal/rpm/rpm_test.go
index 72e9a2311de..1731a5bcb69 100644
--- a/toolkit/tools/internal/rpm/rpm_test.go
+++ b/toolkit/tools/internal/rpm/rpm_test.go
@@ -470,7 +470,7 @@ func TestConflictingPackageRegex(t *testing.T) {
 			name:           "perl with epoch",
 			inputLine:      "D: ========== +++ perl-4:5.34.1-489.cm2 x86_64-linux 0x0",
 			expectedMatch:  true,
-			expectedOutput: "perl-5.34.1-489.cm2.x86_64",
+			expectedOutput: "perl-4:5.34.1-489.cm2.x86_64",
 		},
 		{
 			name:           "systemd no epoch",
@@ -494,3 +494,234 @@ func TestConflictingPackageRegex(t *testing.T) {
 		})
 	}
 }
+
+func TestPackageFQNRegexWithValidInput(t *testing.T) {
+	tests := []struct {
+		name           string
+		input          string
+		expectedGroups []string
+	}{
+		{
+			name:           "package with epoch and architecture",
+			input:          "pkg-name-0:1.2.3-4.azl3.x86_64.rpm",
+			expectedGroups: []string{"pkg-name", "0", "1.2.3", "4.azl3", "x86_64", "rpm"},
+		},
+		{
+			name:           "package with epoch and architecture but no '.rpm' suffix",
+			input:          "pkg-name-0:1.2.3-4.azl3.x86_64",
+			expectedGroups: []string{"pkg-name", "0", "1.2.3", "4.azl3", "x86_64", ""},
+		},
+		{
+			name:           "package without epoch, and architecture",
+			input:          "pkg-name-1.2.3-4.azl3.rpm",
+			expectedGroups: []string{"pkg-name", "", "1.2.3", "4.azl3", "", "rpm"},
+		},
+		{
+			name:           "package with architecture but no epoch",
+			input:          "pkg-name-1.2.3-4.azl3.aarch64",
+			expectedGroups: []string{"pkg-name", "", "1.2.3", "4.azl3", "aarch64", ""},
+		},
+		{
+			name:           "package with epoch but no architecture",
+			input:          "pkg-name-0:1.2.3-4.azl3",
+			expectedGroups: []string{"pkg-name", "0", "1.2.3", "4.azl3", "", ""},
+		},
+		{
+			name:           "package without '.rpm' suffix",
+			input:          "pkg-name-1.2.3-4.azl3.x86_64",
+			expectedGroups: []string{"pkg-name", "", "1.2.3", "4.azl3", "x86_64", ""},
+		},
+		{
+			name:           "package with version containing the '+' character",
+			input:          "pkg-name-1.2.3+4-4.azl3.x86_64.rpm",
+			expectedGroups: []string{"pkg-name", "", "1.2.3+4", "4.azl3", "x86_64", "rpm"},
+		},
+		{
+			name:           "package with version containing the '~' character",
+			input:          "pkg-name-1.2.3~4-4.azl3.x86_64.rpm",
+			expectedGroups: []string{"pkg-name", "", "1.2.3~4", "4.azl3", "x86_64", "rpm"},
+		},
+		{
+			name:           "package with release containing two '.' characters",
+			input:          "pkg-name-1.2.3-4.5.azl3.x86_64.rpm",
+			expectedGroups: []string{"pkg-name", "", "1.2.3", "4.5.azl3", "x86_64", "rpm"},
+		},
+		{
+			name:           "package with release containing the '_' character",
+			input:          "pkg-name-1.2.3-45.az_l3.x86_64.rpm",
+			expectedGroups: []string{"pkg-name", "", "1.2.3", "45.az_l3", "x86_64", "rpm"},
+		},
+		{
+			name:           "package with release containing the `~` character",
+			input:          "pkg-name-1.2.3-45.azl3~2.x86_64.rpm",
+			expectedGroups: []string{"pkg-name", "", "1.2.3", "45.azl3~2", "x86_64", "rpm"},
+		},
+		{
+			name:           "package with double dash in name",
+			input:          "nvidia-container-toolkit-1.15.0-1.azl3.x86_64.rpm",
+			expectedGroups: []string{"nvidia-container-toolkit", "", "1.15.0", "1.azl3", "x86_64", "rpm"},
+		},
+		{
+			name:           "package with underscore in release",
+			input:          "nvidia-container-toolkit-550.54.15-2_5.15.162.2.1.azl3.x86_64.rpm",
+			expectedGroups: []string{"nvidia-container-toolkit", "", "550.54.15", "2_5.15.162.2.1.azl3", "x86_64", "rpm"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			matches := packageFQNRegex.FindStringSubmatch(tt.input)
+			assert.NotNil(t, matches)
+			assert.Equal(t, tt.expectedGroups, matches[1:])
+		})
+	}
+}
+
+func TestPackageFQNRegexWithInvalidInput(t *testing.T) {
+	tests := []struct {
+		name  string
+		input string
+	}{
+		{
+			name:  "package with missing version",
+			input: "pkg-name--4.azl3.x86_64.rpm",
+		},
+		{
+			name:  "package with missing release",
+			input: "pkg-name-1.2.3-.azl3.x86_64.rpm",
+		},
+		{
+			name:  "package with missing name",
+			input: "-1.2.3-4.azl3.x86_64.rpm",
+		},
+		{
+			name:  "package with only hyphen",
+			input: "-",
+		},
+		{
+			name:  "package with version not beginning with a digit",
+			input: "pkg-name-0:a1.2.3-4.azl3.x86_64.rpm",
+		},
+		{
+			name:  "package with release not beginning with a digit",
+			input: "pkg-name-0:1.2.3-D4.azl3.x86_64.rpm",
+		},
+		{
+			name:  "package with epoch not beginning with a digit",
+			input: "pkg-name-0:1.2.3-D4.azl3.x86_64.rpm",
+		},
+		{
+			name:  "package with epoch unsupported architecture",
+			input: "pkg-name-0:1.2.3-D4.azl3.other_arch.rpm",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			matches := packageFQNRegex.FindStringSubmatch(tt.input)
+			assert.Nil(t, matches)
+		})
+	}
+}
+
+func TestStripEpochFromPackageFullQualifiedNameWithValidInput(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "package with epoch and architecture",
+			input:    "pkg-name-0:1.2.3-4.azl3.x86_64.rpm",
+			expected: "pkg-name-1.2.3-4.azl3.x86_64.rpm",
+		},
+		{
+			name:     "package with epoch and architecture but no '.rpm' suffix",
+			input:    "pkg-name-0:1.2.3-4.azl3.x86_64",
+			expected: "pkg-name-1.2.3-4.azl3.x86_64",
+		},
+		{
+			name:     "package with epoch but no architecture",
+			input:    "pkg-name-0:1.2.3-4.azl3",
+			expected: "pkg-name-1.2.3-4.azl3",
+		},
+		{
+			name:     "package with architecture but no epoch",
+			input:    "pkg-name-1.2.3-4.azl3.aarch64",
+			expected: "pkg-name-1.2.3-4.azl3.aarch64",
+		},
+		{
+			name:     "package without epoch, and architecture",
+			input:    "pkg-name-1.2.3-4.azl3.rpm",
+			expected: "pkg-name-1.2.3-4.azl3.rpm",
+		},
+		{
+			name:     "package with version containing the '+' character",
+			input:    "pkg-name-1.2.3+4-4.azl3.x86_64.rpm",
+			expected: "pkg-name-1.2.3+4-4.azl3.x86_64.rpm",
+		},
+		{
+			name:     "package with version containing the '~' character",
+			input:    "pkg-name-1.2.3~4-4.azl3.x86_64.rpm",
+			expected: "pkg-name-1.2.3~4-4.azl3.x86_64.rpm",
+		},
+		{
+			name:     "package with release containing two '.' characters",
+			input:    "pkg-name-1.2.3-4.5.azl3.x86_64.rpm",
+			expected: "pkg-name-1.2.3-4.5.azl3.x86_64.rpm",
+		},
+		{
+			name:     "package with release containing the '_' character",
+			input:    "pkg-name-1.2.3-4_5.azl3.x86_64.rpm",
+			expected: "pkg-name-1.2.3-4_5.azl3.x86_64.rpm",
+		},
+		{
+			name:     "package with release containing the `~` character",
+			input:    "pkg-name-1.2.3-4~5.azl3.x86_64.rpm",
+			expected: "pkg-name-1.2.3-4~5.azl3.x86_64.rpm",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			actual := StripEpochFromPackageFullQualifiedName(tt.input)
+			assert.Equal(t, tt.expected, actual)
+		})
+	}
+}
+
+func TestStripEpochFromPackageFullQualifiedNameWithInvalidInput(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "invalid package name",
+			input:    "invalid-package-name",
+			expected: "invalid-package-name",
+		},
+		{
+			name:     "empty package name",
+			input:    "",
+			expected: "",
+		},
+		{
+			name:     "package name with only hyphens",
+			input:    "----",
+			expected: "----",
+		},
+		{
+			name:     "package name with spaces",
+			input:    "pkg name-1.2.3-4.azl3.x86_64.rpm",
+			expected: "pkg name-1.2.3-4.azl3.x86_64.rpm",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			actual := StripEpochFromPackageFullQualifiedName(tt.input)
+			assert.Equal(t, tt.expected, actual)
+		})
+	}
+}
diff --git a/toolkit/tools/internal/rpm/testdata/no_default_package_or_check.spec b/toolkit/tools/internal/rpm/testdata/no_default_package_or_check.spec
index 9d175e355d2..45b5d30c906 100644
--- a/toolkit/tools/internal/rpm/testdata/no_default_package_or_check.spec
+++ b/toolkit/tools/internal/rpm/testdata/no_default_package_or_check.spec
@@ -5,7 +5,7 @@ Release:        1%{?dist}
 License:        MIT
 URL:            https://test.com
 Group:          Test
-Vendor:         Microsoft
+Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 
 %description
diff --git a/toolkit/tools/internal/rpm/testdata/no_exclusive_architecture.spec b/toolkit/tools/internal/rpm/testdata/no_exclusive_architecture.spec
index 00a51a05e03..ff29a923552 100644
--- a/toolkit/tools/internal/rpm/testdata/no_exclusive_architecture.spec
+++ b/toolkit/tools/internal/rpm/testdata/no_exclusive_architecture.spec
@@ -5,7 +5,7 @@ Release:        1%{?dist}
 License:        MIT
 URL:            https://test.com
 Group:          Test
-Vendor:         Microsoft
+Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 
 %description
diff --git a/toolkit/tools/internal/rpm/testdata/supported_unsupported_architectures.spec b/toolkit/tools/internal/rpm/testdata/supported_unsupported_architectures.spec
index f130eaf4cff..017f34421bb 100644
--- a/toolkit/tools/internal/rpm/testdata/supported_unsupported_architectures.spec
+++ b/toolkit/tools/internal/rpm/testdata/supported_unsupported_architectures.spec
@@ -5,7 +5,7 @@ Release:        1%{?dist}
 License:        MIT
 URL:            https://test.com
 Group:          Test
-Vendor:         Microsoft
+Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 
 BuildArch:      noarch
diff --git a/toolkit/tools/internal/rpm/testdata/unsupported_architectures.spec b/toolkit/tools/internal/rpm/testdata/unsupported_architectures.spec
index b1abc3d8907..3740a9f046a 100644
--- a/toolkit/tools/internal/rpm/testdata/unsupported_architectures.spec
+++ b/toolkit/tools/internal/rpm/testdata/unsupported_architectures.spec
@@ -5,7 +5,7 @@ Release:        1%{?dist}
 License:        MIT
 URL:            https://test.com
 Group:          Test
-Vendor:         Microsoft
+Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 
 BuildArch:      noarch
diff --git a/toolkit/tools/internal/rpm/testdata/with_epoch_and_check.spec b/toolkit/tools/internal/rpm/testdata/with_epoch_and_check.spec
index c46bd4609ab..ddcbe712327 100644
--- a/toolkit/tools/internal/rpm/testdata/with_epoch_and_check.spec
+++ b/toolkit/tools/internal/rpm/testdata/with_epoch_and_check.spec
@@ -6,7 +6,7 @@ Release:        1%{?dist}
 License:        MIT
 URL:            https://test.com
 Group:          Test
-Vendor:         Microsoft
+Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 
 %description
diff --git a/toolkit/tools/internal/safechroot/safechroot.go b/toolkit/tools/internal/safechroot/safechroot.go
index 96f627fd902..72c409df33e 100644
--- a/toolkit/tools/internal/safechroot/safechroot.go
+++ b/toolkit/tools/internal/safechroot/safechroot.go
@@ -30,7 +30,13 @@ const BindMountPointFlags = unix.MS_BIND | unix.MS_MGC_VAL
 
 // FileToCopy represents a file to copy into a chroot using AddFiles. Dest is relative to the chroot directory.
 type FileToCopy struct {
-	Src         string
+	// The source file path.
+	// Mutually exclusive with 'Content'.
+	Src string
+	// The contents of the file to write.
+	// Mutually exclusive with 'Src'.
+	Content *string
+	// The destination path to write/copy the file to.
 	Dest        string
 	Permissions *os.FileMode
 	// Set to true to copy symlinks as symlinks.
@@ -318,7 +324,8 @@ func (c *Chroot) Initialize(tarPath string, extraDirectories []string, extraMoun
 
 // AddDirs copies each directory 'Src' to the relative path chrootRootDir/'Dest' in the chroot.
 func (c *Chroot) AddDirs(dirToCopy DirToCopy) (err error) {
-	return file.CopyDir(dirToCopy.Src, filepath.Join(c.rootDir, dirToCopy.Dest), dirToCopy.NewDirPermissions, dirToCopy.ChildFilePermissions, dirToCopy.MergedDirPermissions)
+	return file.CopyDir(dirToCopy.Src, filepath.Join(c.rootDir, dirToCopy.Dest), dirToCopy.NewDirPermissions,
+		dirToCopy.ChildFilePermissions, dirToCopy.MergedDirPermissions)
 }
 
 // AddFiles copies each file 'Src' to the relative path chrootRootDir/'Dest' in the chroot.
@@ -328,20 +335,66 @@ func (c *Chroot) AddFiles(filesToCopy ...FileToCopy) (err error) {
 
 func AddFilesToDestination(destDir string, filesToCopy ...FileToCopy) error {
 	for _, f := range filesToCopy {
-		dest := filepath.Join(destDir, f.Dest)
-		fileCopyOp := file.NewFileCopyBuilder(f.Src, dest)
-		if f.NoDereference {
-			fileCopyOp = fileCopyOp.SetNoDereference()
-		}
-		if f.Permissions != nil {
-			fileCopyOp = fileCopyOp.SetFileMode(*f.Permissions)
+		switch {
+		case f.Src != "" && f.Content != nil:
+			return fmt.Errorf("cannot specify both 'Src' and 'Content' for 'FileToCopy'")
+
+		case f.Src != "":
+			err := copyFile(destDir, f)
+			if err != nil {
+				return err
+			}
+
+		case f.Content != nil:
+			err := writeFile(destDir, f)
+			if err != nil {
+				return err
+			}
+
+		default:
+			return fmt.Errorf("must specify either 'Src' and 'Content' for 'FileToCopy'")
 		}
+	}
+
+	return nil
+}
+
+func copyFile(destDir string, f FileToCopy) error {
+	dest := filepath.Join(destDir, f.Dest)
+	fileCopyOp := file.NewFileCopyBuilder(f.Src, dest)
+	if f.NoDereference {
+		fileCopyOp = fileCopyOp.SetNoDereference()
+	}
+	if f.Permissions != nil {
+		fileCopyOp = fileCopyOp.SetFileMode(*f.Permissions)
+	}
+
+	err := fileCopyOp.Run()
+	if err != nil {
+		return fmt.Errorf("failed to copy (%s) to (%s):\n%w", f.Src, f.Dest, err)
+	}
+
+	return nil
+}
 
-		err := fileCopyOp.Run()
+func writeFile(destDir string, f FileToCopy) error {
+	dest := filepath.Join(destDir, f.Dest)
+	err := file.Write(*f.Content, dest)
+	if err != nil {
+		return fmt.Errorf("failed to write file (%s):\n%w", f.Dest, err)
+	}
+
+	if f.Permissions != nil {
+		err = os.Chmod(dest, *f.Permissions)
 		if err != nil {
-			return fmt.Errorf("failed to copy (%s):\n%w", f.Src, err)
+			return fmt.Errorf("failed to set file permissions (%s):\n%w", f.Dest, err)
 		}
 	}
+
+	return nil
+}
+
+func (c *Chroot) WriteFiles() error {
 	return nil
 }
 
diff --git a/toolkit/tools/internal/shell/shell.go b/toolkit/tools/internal/shell/shell.go
index 708c98e5334..ca9c80a1161 100644
--- a/toolkit/tools/internal/shell/shell.go
+++ b/toolkit/tools/internal/shell/shell.go
@@ -41,17 +41,30 @@ func CurrentEnvironment() []string {
 
 // PermanentlyStopAllChildProcesses will send the provided signal to all processes spawned by this package,
 // and all of those process's children.
-// Invoking this will also block future process creation, causing the Execute methods to return an error.
+// Invoking this will also block future process creation, causing the Execute methods to return an error. Be aware that
+// this will block the gpg-agent cleanup mechanism from running, which may cause chroots to not unmount properly. Consider
+// using StopAllChildProcesses instead.
 func PermanentlyStopAllChildProcesses(signal unix.Signal) {
 	// Acquire the global activeCommandsMutex to ensure no
 	// new commands are executed during this teardown routine
-	logger.Log.Info("Waiting for outstanding processes to be created")
+	logger.Log.Info("Waiting for outstanding processes to be created before blocking all future processes")
 
 	activeCommandsMutex.Lock()
-	defer activeCommandsMutex.Unlock()
-
 	// Disallow future processes from being created
 	allowProcessCreation = false
+	activeCommandsMutex.Unlock()
+
+	StopAllChildProcesses(signal)
+}
+
+// StopAllChildProcesses will stop all currently running processes spawned by this package, but will not block future process creation.
+func StopAllChildProcesses(signal unix.Signal) {
+	// Acquire the global activeCommandsMutex to ensure no
+	// new commands are executed during this teardown routine
+	logger.Log.Info("Waiting for outstanding processes to be created before stopping all child processes")
+
+	activeCommandsMutex.Lock()
+	defer activeCommandsMutex.Unlock()
 
 	// For every running process, issue the provided signal to its process group,
 	// resulting in both the process and all of its children being stopped.
diff --git a/toolkit/tools/internal/tdnf/tdnf.go b/toolkit/tools/internal/tdnf/tdnf.go
index 4e652c05ba6..2c369e50858 100644
--- a/toolkit/tools/internal/tdnf/tdnf.go
+++ b/toolkit/tools/internal/tdnf/tdnf.go
@@ -7,8 +7,11 @@ package tdnf
 import (
 	"fmt"
 	"regexp"
+	"strconv"
 
 	"github.com/microsoft/azurelinux/toolkit/tools/internal/exe"
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/file"
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/logger"
 )
 
 var (
@@ -28,8 +31,7 @@ var (
 	//		Repo	: [repo_name]
 	//
 	// NOTE: we ignore packages installed in the build environment denoted by "Repo	: @System".
-	PackageLookupNameMatchRegex = regexp.MustCompile(`([^:\s]+(x86_64|aarch64|noarch))\s*:[^\n]*\nRepo\s+:\s+[^@]`)
-	PackageNameIndex            = 1
+	PackageProvidesRegex = regexp.MustCompile(`(\S+)\s+:[^\n]*\nRepo\s+:\s+[^@]`)
 
 	// Tdnf may opt to ignore case when doing a provides lookup. While this is useful for a user, it will give
 	// bad results when we're trying to match a package name to a package in the repo. This regex will match the
@@ -63,21 +65,27 @@ var (
 )
 
 const (
-	InstallMatchSubString = iota
-	InstallPackageName    = iota
-	InstallPackageArch    = iota
-	InstallPackageVersion = iota
-	InstallPackageDist    = iota
-	InstallMaxMatchLen    = iota
+	InstallPackageMatchSubString = iota
+	InstallPackageName           = iota
+	InstallPackageArch           = iota
+	InstallPackageVersion        = iota
+	InstallPackageDist           = iota
+	InstallPackageMaxMatchLen    = iota
 )
 
 const (
-	ListMatchSubString = iota
-	ListPackageName    = iota
-	ListPackageArch    = iota
-	ListPackageVersion = iota
-	ListPackageDist    = iota
-	ListMaxMatchLen    = iota
+	PackageProvidesMatchSubString = iota
+	PackageProvidesNameIndex      = iota
+	PackageProvidesMaxMatchLen    = iota
+)
+
+const (
+	ListedPackageMatchSubString = iota
+	ListedPackageName           = iota
+	ListedPackageArch           = iota
+	ListedPackageVersion        = iota
+	ListedPackageDist           = iota
+	ListedPackageMaxMatchLen    = iota
 )
 
 const (
@@ -152,3 +160,76 @@ func getMajorVersionFromString(version string) (majorVersion string, err error)
 	}
 	return
 }
+
+func GetRepoSnapshotCliArg(posixTime string) (repoSnapshot string, err error) {
+	const (
+		errorFormatString = "cannot generate snapshot cli arg for: %s"
+	)
+	if posixTime == "" {
+		err = fmt.Errorf(errorFormatString, posixTime)
+		return "", err
+	}
+
+	_, err = strconv.Atoi(posixTime)
+	if err != nil {
+		err = fmt.Errorf(errorFormatString, posixTime)
+		return "", err
+	}
+
+	repoSnapshot = fmt.Sprintf("--snapshottime=%s", posixTime)
+
+	return repoSnapshot, nil
+}
+
+func GetRepoSnapshotExcludeCliArg(excludeRepos []string) (excludeArg string, err error) {
+	if excludeRepos == nil {
+		err = fmt.Errorf("exclude repos cannot be empty")
+		return "", err
+	}
+
+	repos := ""
+	for _, repo := range excludeRepos {
+		if repo == "" {
+			err = fmt.Errorf("exclude repo member cannot be empty")
+			return "", err
+		}
+
+		if repos == "" {
+			repos = repo
+		} else {
+			repos = fmt.Sprintf("%s,%s", repos, repo)
+		}
+	}
+	excludeArg = fmt.Sprintf("--snapshotexcluderepos=%s", repos)
+
+	return excludeArg, nil
+}
+
+func AddSnapshotToConfig(configFilePath, posixTime string) (err error) {
+	if configFilePath == "" {
+		err = fmt.Errorf("config file path cannot be empty")
+		return err
+	}
+
+	if posixTime == "" {
+		err = fmt.Errorf("posix time cannot be empty")
+		return err
+	}
+	exists, err := file.PathExists(configFilePath)
+	if err != nil {
+		return err
+	}
+	if !exists {
+		// print warning
+		logger.Log.Warnf("config file path does not exist, nothing to append")
+		return nil
+	}
+
+	// create config entry, and add to config file
+	snapshotConfigEntry := fmt.Sprintf("snapshottime=%s\n", posixTime)
+	err = file.Append(snapshotConfigEntry, configFilePath)
+	if err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/toolkit/tools/internal/tdnf/tdnf_test.go b/toolkit/tools/internal/tdnf/tdnf_test.go
index ad4d348cec6..e875bcc9643 100644
--- a/toolkit/tools/internal/tdnf/tdnf_test.go
+++ b/toolkit/tools/internal/tdnf/tdnf_test.go
@@ -4,9 +4,12 @@
 package tdnf
 
 import (
+	"fmt"
 	"os"
+	"path"
 	"testing"
 
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/file"
 	"github.com/microsoft/azurelinux/toolkit/tools/internal/logger"
 	"github.com/stretchr/testify/assert"
 )
@@ -78,7 +81,7 @@ func TestInstallPackageRegex_MatchesPackageName(t *testing.T) {
 
 	matches := InstallPackageRegex.FindStringSubmatch(line)
 
-	assert.Len(t, matches, InstallMaxMatchLen)
+	assert.Len(t, matches, InstallPackageMaxMatchLen)
 	assert.Equal(t, "X", matches[InstallPackageName])
 }
 
@@ -93,7 +96,7 @@ func TestInstallPackageRegex_MatchesPackageArch(t *testing.T) {
 
 	matches := InstallPackageRegex.FindStringSubmatch(line)
 
-	assert.Len(t, matches, InstallMaxMatchLen)
+	assert.Len(t, matches, InstallPackageMaxMatchLen)
 	assert.Equal(t, "aarch64", matches[InstallPackageArch])
 }
 
@@ -108,7 +111,7 @@ func TestInstallPackageRegex_MatchesPackageVersionNoEpoch(t *testing.T) {
 
 	matches := InstallPackageRegex.FindStringSubmatch(line)
 
-	assert.Len(t, matches, InstallMaxMatchLen)
+	assert.Len(t, matches, InstallPackageMaxMatchLen)
 	assert.Equal(t, "1.1b.8_X-22~rc1", matches[InstallPackageVersion])
 }
 
@@ -117,7 +120,7 @@ func TestInstallPackageRegex_MatchesPackageVersionWithEpoch(t *testing.T) {
 
 	matches := InstallPackageRegex.FindStringSubmatch(line)
 
-	assert.Len(t, matches, InstallMaxMatchLen)
+	assert.Len(t, matches, InstallPackageMaxMatchLen)
 	assert.Equal(t, "5:1.1b.8_X-22~rc1", matches[InstallPackageVersion])
 }
 
@@ -132,7 +135,7 @@ func TestInstallPackageRegex_MatchesPackageDist(t *testing.T) {
 
 	matches := InstallPackageRegex.FindStringSubmatch(line)
 
-	assert.Len(t, matches, InstallMaxMatchLen)
+	assert.Len(t, matches, InstallPackageMaxMatchLen)
 	assert.Equal(t, "azl3", matches[InstallPackageDist])
 }
 
@@ -153,3 +156,190 @@ func TestInstallPackageRegex_DoesNotMatchInvalidLine(t *testing.T) {
 
 	assert.False(t, InstallPackageRegex.MatchString(line))
 }
+
+func TestPackageLookupNameMatchRegex_MatchesExternalRepo(t *testing.T) {
+	const line = "xz-devel-5.4.4-1.azl3.x86_64 : Header and development files for xz\nRepo : toolchain-repo"
+
+	matches := PackageProvidesRegex.FindStringSubmatch(line)
+
+	assert.Len(t, matches, PackageProvidesMaxMatchLen)
+	assert.Equal(t, "xz-devel-5.4.4-1.azl3.x86_64", matches[PackageProvidesNameIndex])
+}
+
+func TestPackageLookupNameMatchRegex_MatchesPackageWithEpoch(t *testing.T) {
+	const line = "xz-devel-2:5.4.4-1.azl3.x86_64 : Header and development files for xz\nRepo : toolchain-repo"
+
+	matches := PackageProvidesRegex.FindStringSubmatch(line)
+
+	assert.Len(t, matches, PackageProvidesMaxMatchLen)
+	assert.Equal(t, "xz-devel-2:5.4.4-1.azl3.x86_64", matches[PackageProvidesNameIndex])
+}
+
+func TestPackageLookupNameMatchRegex_FailsForOutputWithoutRepo(t *testing.T) {
+	const line = "xz-devel-5.4.4-1.azl3.x86_64 : Header and development files for xz"
+
+	assert.False(t, PackageProvidesRegex.MatchString(line))
+}
+
+func TestPackageLookupNameMatchRegex_FailsForOutputWithSystemRepo(t *testing.T) {
+	const line = "xz-devel-5.4.4-1.azl3.x86_64 : Header and development files for xz\nRepo : @System"
+
+	assert.False(t, PackageProvidesRegex.MatchString(line))
+}
+
+func TestPackageLookupNameMatchRegex_FailsForEmptyOutput(t *testing.T) {
+	const line = ""
+
+	assert.False(t, PackageProvidesRegex.MatchString(line))
+}
+
+func TestPackageLookupNameMatchRegex_FailsForInvalidOutput(t *testing.T) {
+	const line = "Invalid output line"
+
+	assert.False(t, PackageProvidesRegex.MatchString(line))
+}
+
+func TestPackageLookupNameMatchRegex_MatchesOutputWithCapabilityMatch(t *testing.T) {
+	const line = "[using capability match for 'pkgconfig(liblzma)'] xz-devel-5.4.4-1.azl3.x86_64 : Header and development files for xz\nRepo : toolchain-repo"
+
+	matches := PackageProvidesRegex.FindStringSubmatch(line)
+
+	assert.Len(t, matches, PackageProvidesMaxMatchLen)
+	assert.Equal(t, "xz-devel-5.4.4-1.azl3.x86_64", matches[PackageProvidesNameIndex])
+}
+
+func TestPackageLookupNameMatchRegex_MatchesOutputWithMultiplePackages(t *testing.T) {
+	const line = "xz-devel-5.4.4-1.azl3.x86_64 : ABC\nRepo : toolchain-repo\nother-package-4.4.4-1.azl3.x86_64 : ABC2\nRepo : other-repo\n"
+
+	allMatches := PackageProvidesRegex.FindAllStringSubmatch(line, -1)
+
+	assert.Len(t, allMatches, 2)
+	assert.Len(t, allMatches[0], PackageProvidesMaxMatchLen)
+	assert.Equal(t, "xz-devel-5.4.4-1.azl3.x86_64", allMatches[0][PackageProvidesNameIndex])
+
+	assert.Len(t, allMatches[1], PackageProvidesMaxMatchLen)
+	assert.Equal(t, "other-package-4.4.4-1.azl3.x86_64", allMatches[1][PackageProvidesNameIndex])
+}
+
+func TestPackageLookupNameMatchRegex_MatchesOutputWithExternalAndSystemMix(t *testing.T) {
+	const line = "xz-devel-5.4.4-1.azl3.x86_64 : ABC\nRepo : toolchain-repo\nother-package-4.4.4-1.azl3.x86_64 : ABC2\nRepo : @System\n"
+
+	allMatches := PackageProvidesRegex.FindAllStringSubmatch(line, -1)
+
+	assert.Len(t, allMatches, 1)
+	assert.Len(t, allMatches[0], PackageProvidesMaxMatchLen)
+	assert.Equal(t, "xz-devel-5.4.4-1.azl3.x86_64", allMatches[0][PackageProvidesNameIndex])
+}
+
+func TestPackageLookupNameMatchRegex_MatchesOutputWithSystemFirstExternalSecond(t *testing.T) {
+	const line = "other-package-4.4.4-1.azl3.x86_64 : ABC2\nRepo : @System\nxz-devel-5.4.4-1.azl3.x86_64 : ABC\nRepo : toolchain-repo"
+
+	allMatches := PackageProvidesRegex.FindAllStringSubmatch(line, -1)
+
+	assert.Len(t, allMatches, 1)
+	assert.Len(t, allMatches[0], PackageProvidesMaxMatchLen)
+	assert.Equal(t, "xz-devel-5.4.4-1.azl3.x86_64", allMatches[0][PackageProvidesNameIndex])
+}
+
+func TestPackageLookupNameMatchRegex_FailsForOutputWithOnlyPluginLoaded(t *testing.T) {
+	const line = "Loaded plugin: tdnfrepogpgcheck"
+
+	assert.False(t, PackageProvidesRegex.MatchString(line))
+}
+
+func Test_GetRepoSnapshotCliArg(t *testing.T) {
+	type args struct {
+		posixTime string
+	}
+	tests := []struct {
+		name             string
+		args             args
+		wantRepoSnapshot string
+		wantErr          bool
+	}{
+		{name: "testEmpty", args: args{posixTime: ""}, wantRepoSnapshot: "", wantErr: true},
+		{name: "testIsNotNumeric", args: args{posixTime: "12345qwerty"}, wantRepoSnapshot: "", wantErr: true},
+		{name: "testNumeric", args: args{posixTime: "123456789"}, wantRepoSnapshot: "--snapshottime=123456789", wantErr: false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotRepoSnapshot, err := GetRepoSnapshotCliArg(tt.args.posixTime)
+			assert.Equal(t, tt.wantErr, err != nil)
+			assert.Equal(t, tt.wantRepoSnapshot, gotRepoSnapshot)
+		})
+	}
+}
+
+func Test_GetRepoSnapshotExcludeCliArg(t *testing.T) {
+	type args struct {
+		excludeRepos []string
+	}
+	tests := []struct {
+		name           string
+		args           args
+		wantExcludeArg string
+		wantErr        bool
+	}{
+		{name: "testEmptyArray", args: args{excludeRepos: nil}, wantExcludeArg: "", wantErr: true},
+		{name: "testEmptyMember", args: args{excludeRepos: []string{""}}, wantExcludeArg: "", wantErr: true},
+		{name: "testRepo", args: args{excludeRepos: []string{"local-repo"}}, wantExcludeArg: "--snapshotexcluderepos=local-repo", wantErr: false},
+		{name: "testMultiRepo", args: args{excludeRepos: []string{"local-repo", "test-repo"}}, wantExcludeArg: "--snapshotexcluderepos=local-repo,test-repo", wantErr: false},
+		{name: "testMultiRepoOneEmpty", args: args{excludeRepos: []string{"local-repo", ""}}, wantExcludeArg: "", wantErr: true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotExcludeArg, err := GetRepoSnapshotExcludeCliArg(tt.args.excludeRepos)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("GetRepoSnapshotExcludeCliArg() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if gotExcludeArg != tt.wantExcludeArg {
+				t.Errorf("GetRepoSnapshotExcludeCliArg() = %v, want %v", gotExcludeArg, tt.wantExcludeArg)
+			}
+		})
+	}
+}
+
+func TestAddSnapshotToConfig(t *testing.T) {
+	type args struct {
+		configFilePath string
+		posixTime      string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{name: "testEmptyPath", args: args{configFilePath: "", posixTime: "12345"}, wantErr: true},
+		{name: "testEmptyTime", args: args{configFilePath: "tdnf.conf", posixTime: ""}, wantErr: true},
+		{name: "testBadPath", args: args{configFilePath: "test", posixTime: "12345"}, wantErr: false},
+		{name: "testConfigAdded", args: args{configFilePath: "tdnf.conf", posixTime: "12345"}, wantErr: false},
+	}
+	testConfigFilePath := path.Join("testdata", "tdnf.conf")
+	for _, tt := range tests {
+		testConfigFileLines, _ := file.ReadLines(testConfigFilePath)
+
+		//
+		destpath := tt.args.configFilePath
+		testConfigDir := t.TempDir()
+		if destpath != "" {
+			file.Copy(testConfigFilePath, path.Join(testConfigDir, "tdnf.conf"))
+			destpath = path.Join(testConfigDir, tt.args.configFilePath)
+		}
+		t.Run(tt.name, func(t *testing.T) {
+			if err := AddSnapshotToConfig(destpath, tt.args.posixTime); (err != nil) != tt.wantErr {
+				assert.True(t, (err != nil) != tt.wantErr, "AddSnapshotToConfig() error = %v, wantErr %v", err, tt.wantErr)
+			} else if !tt.wantErr && tt.args.configFilePath == "tdnf.conf" {
+				// check for change
+				resultConfigFileLines, _ := file.ReadLines(destpath)
+				testConfigFileLines = append(testConfigFileLines, fmt.Sprintf("snapshottime=%s", tt.args.posixTime))
+				assert.Equal(t, resultConfigFileLines, testConfigFileLines, "Expected: %v, Actual: %v", testConfigFileLines, resultConfigFileLines)
+			} else if !tt.wantErr && tt.args.configFilePath != "tdnf.conf" {
+				// check for no change
+				resultConfigFileLines, _ := file.ReadLines(path.Join(testConfigDir, "tdnf.conf"))
+				assert.Equal(t, resultConfigFileLines, testConfigFileLines, "Expected: %v, Actual: %v", testConfigFileLines, resultConfigFileLines)
+
+			}
+		})
+	}
+}
diff --git a/toolkit/tools/internal/tdnf/testdata/tdnf.conf b/toolkit/tools/internal/tdnf/testdata/tdnf.conf
new file mode 100644
index 00000000000..a7627887f4c
--- /dev/null
+++ b/toolkit/tools/internal/tdnf/testdata/tdnf.conf
@@ -0,0 +1 @@
+plugins=1
diff --git a/toolkit/tools/isomaker/isomaker.go b/toolkit/tools/isomaker/isomaker.go
index c4e06f56863..721fa740f8c 100644
--- a/toolkit/tools/isomaker/isomaker.go
+++ b/toolkit/tools/isomaker/isomaker.go
@@ -24,6 +24,7 @@ var (
 	releaseVersion    = app.Flag("release-version", "The repository OS release version").Required().String()
 	resourcesDirPath  = app.Flag("resources", "Path to 'resources' directory").Required().ExistingDir()
 	outputDir         = app.Flag("output-dir", "Path to directory to place final image").Required().String()
+	repoSnapshotTime  = app.Flag("repo-snapshot-time", "Optional: tdnf image repo snapshot time").String()
 
 	imageTag = app.Flag("image-tag", "Tag (text) appended to the image name. Empty by default.").String()
 
@@ -46,7 +47,8 @@ func main() {
 		*initrdPath,
 		*isoRepoDirPath,
 		*outputDir,
-		*imageTag)
+		*imageTag,
+		*repoSnapshotTime)
 	if err != nil {
 		logger.PanicOnError(err)
 	}
diff --git a/toolkit/tools/liveinstaller/liveinstaller.go b/toolkit/tools/liveinstaller/liveinstaller.go
index 0811c4984fb..a6a8083146e 100644
--- a/toolkit/tools/liveinstaller/liveinstaller.go
+++ b/toolkit/tools/liveinstaller/liveinstaller.go
@@ -36,8 +36,8 @@ var (
 	imagerTool         = app.Flag("imager", "Path to the imager tool.").Required().ExistingFile()
 	buildDir           = app.Flag("build-dir", "Directory to store temporary files while building.").Required().ExistingDir()
 	baseDirPath        = app.Flag("base-dir", "Base directory for relative file paths from the config. Defaults to config's directory.").ExistingDir()
-
-	logFlags = exe.SetupLogFlags(app)
+	repoSnapshotTime   = app.Flag("repo-snapshot-time", "Optional: tdnf repo snapshot time").String()
+	logFlags           = exe.SetupLogFlags(app)
 )
 
 // Every valid mouse event handler will follow the format:
@@ -45,13 +45,14 @@ var (
 var mouseEventHandlerRegex = regexp.MustCompile(`^H:\s+Handlers=(\w+)\s+mouse\d+`)
 
 type imagerArguments struct {
-	imagerTool   string
-	configFile   string
-	buildDir     string
-	baseDirPath  string
-	emitProgress bool
-	logFile      string
-	logLevel     string
+	imagerTool       string
+	configFile       string
+	buildDir         string
+	baseDirPath      string
+	emitProgress     bool
+	logFile          string
+	logLevel         string
+	repoSnapshotTime string
 }
 
 type installationDetails struct {
@@ -79,11 +80,12 @@ func main() {
 
 	// Imager's stdout/stderr will be combined with this tool's, so it will automatically be logged to the current log file
 	args := imagerArguments{
-		imagerTool:  *imagerTool,
-		buildDir:    *buildDir,
-		baseDirPath: *baseDirPath,
-		logLevel:    logger.Log.GetLevel().String(),
-		logFile:     imagerLogFile,
+		imagerTool:       *imagerTool,
+		buildDir:         *buildDir,
+		baseDirPath:      *baseDirPath,
+		logLevel:         logger.Log.GetLevel().String(),
+		logFile:          imagerLogFile,
+		repoSnapshotTime: *repoSnapshotTime,
 	}
 
 	installFunc := installerFactory(*forceAttended, *configFile, *templateConfigFile)
@@ -451,6 +453,7 @@ func formatImagerCommand(args imagerArguments) (program string, commandArgs []st
 		fmt.Sprintf("--base-dir=%s", args.baseDirPath),
 		fmt.Sprintf("--log-file=%s", args.logFile),
 		fmt.Sprintf("--log-level=%s", args.logLevel),
+		fmt.Sprintf("--repo-snapshot-time=%s", args.repoSnapshotTime),
 	}
 
 	if args.emitProgress {
diff --git a/toolkit/tools/osmodifier/main.go b/toolkit/tools/osmodifier/main.go
index d8ecbb7f71c..80ddcc691e1 100644
--- a/toolkit/tools/osmodifier/main.go
+++ b/toolkit/tools/osmodifier/main.go
@@ -18,10 +18,11 @@ import (
 var (
 	app = kingpin.New("osmodifier", "Used to modify os")
 
-	configFile    = app.Flag("config-file", "Path of the os modification config file.").Required().String()
+	configFile    = app.Flag("config-file", "Path of the os modification config file.").String()
 	logFlags      = exe.SetupLogFlags(app)
 	profFlags     = exe.SetupProfileFlags(app)
 	timestampFile = app.Flag("timestamp-file", "File that stores timestamps for this program.").String()
+	updateGrub    = app.Flag("update-grub", "Update default GRUB.").Bool()
 )
 
 func main() {
@@ -40,9 +41,19 @@ func main() {
 	timestamp.BeginTiming("osmodifier", *timestampFile)
 	defer timestamp.CompleteTiming()
 
-	err = modifyImage()
-	if err != nil {
-		log.Fatalf("os modification failed: %v", err)
+	// Check if the updateGrub flag is set
+	if *updateGrub {
+		err := osmodifierlib.ModifyDefaultGrub()
+		if err != nil {
+			log.Fatalf("update grub failed: %v", err)
+		}
+	}
+
+	if len(*configFile) > 0 {
+		err = modifyImage()
+		if err != nil {
+			log.Fatalf("OS modification failed: %v", err)
+		}
 	}
 }
 
diff --git a/toolkit/tools/osmodifierapi/identifiedpartition.go b/toolkit/tools/osmodifierapi/identifiedpartition.go
new file mode 100644
index 00000000000..fbe15f3cd0a
--- /dev/null
+++ b/toolkit/tools/osmodifierapi/identifiedpartition.go
@@ -0,0 +1,21 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package osmodifierapi
+
+import (
+	"fmt"
+)
+
+type IdentifiedPartition struct {
+	Id string `yaml:"id"`
+}
+
+func (i *IdentifiedPartition) IsValid() error {
+	// Check if Id is not empty
+	if i.Id == "" {
+		return fmt.Errorf("invalid id: empty string")
+	}
+
+	return nil
+}
diff --git a/toolkit/tools/osmodifierapi/os.go b/toolkit/tools/osmodifierapi/os.go
new file mode 100644
index 00000000000..43fda9ef566
--- /dev/null
+++ b/toolkit/tools/osmodifierapi/os.go
@@ -0,0 +1,69 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package osmodifierapi
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/asaskevich/govalidator"
+	"github.com/microsoft/azurelinux/toolkit/tools/imagecustomizerapi"
+)
+
+// OS defines how each system present on the image is supposed to be configured.
+type OS struct {
+	Hostname string                     `yaml:"hostname"`
+	SELinux  imagecustomizerapi.SELinux `yaml:"selinux"`
+	Users    []imagecustomizerapi.User  `yaml:"users"`
+	Overlays *[]Overlay                 `yaml:"overlays"`
+}
+
+func (s *OS) IsValid() error {
+	var err error
+
+	if s.Hostname != "" {
+		if !govalidator.IsDNSName(s.Hostname) || strings.Contains(s.Hostname, "_") {
+			return fmt.Errorf("invalid hostname (%s)", s.Hostname)
+		}
+	}
+
+	err = s.SELinux.IsValid()
+	if err != nil {
+		return fmt.Errorf("invalid selinux:\n%w", err)
+	}
+
+	for i, user := range s.Users {
+		err = user.IsValid()
+		if err != nil {
+			return fmt.Errorf("invalid users item at index %d:\n%w", i, err)
+		}
+	}
+
+	if s.Overlays != nil {
+		upperDirs := make(map[string]bool)
+		workDirs := make(map[string]bool)
+
+		for i, overlay := range *s.Overlays {
+			// Validate the overlay itself
+			err := overlay.IsValid()
+			if err != nil {
+				return fmt.Errorf("invalid overlay at index %d:\n%w", i, err)
+			}
+
+			// Check for unique UpperDir
+			if _, exists := upperDirs[overlay.UpperDir]; exists {
+				return fmt.Errorf("duplicate upperDir (%s) found in overlay at index %d", overlay.UpperDir, i)
+			}
+			upperDirs[overlay.UpperDir] = true
+
+			// Check for unique WorkDir
+			if _, exists := workDirs[overlay.WorkDir]; exists {
+				return fmt.Errorf("duplicate workDir (%s) found in overlay at index %d", overlay.WorkDir, i)
+			}
+			workDirs[overlay.WorkDir] = true
+		}
+	}
+
+	return nil
+}
diff --git a/toolkit/tools/osmodifierapi/overlay.go b/toolkit/tools/osmodifierapi/overlay.go
new file mode 100644
index 00000000000..05e7061beb1
--- /dev/null
+++ b/toolkit/tools/osmodifierapi/overlay.go
@@ -0,0 +1,73 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package osmodifierapi
+
+import (
+	"fmt"
+	"strings"
+)
+
+type Overlay struct {
+	LowerDir  string               `yaml:"lowerDir"`
+	UpperDir  string               `yaml:"upperDir"`
+	WorkDir   string               `yaml:"workDir"`
+	Partition *IdentifiedPartition `yaml:"partition"`
+}
+
+func (o *Overlay) IsValid() error {
+	// Validate paths for UpperDir, WorkDir, and LowerDir
+	if err := validatePath(o.UpperDir); err != nil {
+		return fmt.Errorf("invalid upperDir (%s):\n%w", o.UpperDir, err)
+	}
+	if err := validatePath(o.WorkDir); err != nil {
+		return fmt.Errorf("invalid workDir (%s):\n%w", o.WorkDir, err)
+	}
+	if err := validatePath(o.LowerDir); err != nil {
+		return fmt.Errorf("invalid lowerDir (%s):\n%w", o.LowerDir, err)
+	}
+
+	// Check if UpperDir and WorkDir are identical
+	if o.UpperDir == o.WorkDir {
+		return fmt.Errorf("upperDir and workDir must be distinct, but both are '%s'", o.UpperDir)
+	}
+
+	// Check if UpperDir is a subdirectory of WorkDir or vice versa
+	if isSubDirString(o.UpperDir, o.WorkDir) {
+		return fmt.Errorf("upperDir (%s) should not be a subdirectory of workDir (%s)", o.UpperDir, o.WorkDir)
+	}
+	if isSubDirString(o.WorkDir, o.UpperDir) {
+		return fmt.Errorf("workDir (%s) should not be a subdirectory of upperDir (%s)", o.WorkDir, o.UpperDir)
+	}
+
+	if o.Partition != nil {
+		if err := o.Partition.IsValid(); err != nil {
+			return fmt.Errorf("invalid partition:\n%w", err)
+		}
+	}
+
+	return nil
+}
+
+func validatePath(path string) error {
+	// Check if the path is empty
+	if path == "" {
+		return fmt.Errorf("path cannot be empty")
+	}
+
+	// Check if the path contains spaces
+	if strings.Contains(path, " ") {
+		return fmt.Errorf("path (%s) contains spaces and is invalid", path)
+	}
+
+	return nil
+}
+
+func isSubDirString(dir1, dir2 string) bool {
+	// Ensure paths are cleaned and have consistent trailing slashes
+	cleanDir1 := strings.TrimSuffix(dir1, "/") + "/"
+	cleanDir2 := strings.TrimSuffix(dir2, "/") + "/"
+
+	// Check if dir2 starts with dir1 (indicating a subdirectory)
+	return cleanDir1 != cleanDir2 && strings.HasPrefix(cleanDir2, cleanDir1)
+}
diff --git a/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go b/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go
index 0d23be55a26..0dd50767177 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go
@@ -23,8 +23,8 @@ type BootCustomizer struct {
 	isGrubMkconfig bool
 }
 
-func NewBootCustomizer(imageChroot *safechroot.Chroot) (*BootCustomizer, error) {
-	grubCfgContent, err := readGrub2ConfigFile(imageChroot)
+func NewBootCustomizer(imageChroot safechroot.ChrootInterface) (*BootCustomizer, error) {
+	grubCfgContent, err := ReadGrub2ConfigFile(imageChroot)
 	if err != nil {
 		return nil, err
 	}
@@ -83,7 +83,7 @@ func (b *BootCustomizer) getSELinuxModeFromGrub() (imagecustomizerapi.SELinuxMod
 
 	// Get the SELinux kernel command-line args.
 	if b.isGrubMkconfig {
-		_, args, _, err = getDefaultGrubFileLinuxArgs(b.defaultGrubFileContent, defaultGrubFileVarNameCmdlineForSELinux)
+		_, args, _, err = GetDefaultGrubFileLinuxArgs(b.defaultGrubFileContent, defaultGrubFileVarNameCmdlineForSELinux)
 		if err != nil {
 			return "", err
 		}
@@ -103,7 +103,7 @@ func (b *BootCustomizer) getSELinuxModeFromGrub() (imagecustomizerapi.SELinuxMod
 	return selinuxMode, nil
 }
 
-func (b *BootCustomizer) GetSELinuxMode(imageChroot *safechroot.Chroot) (imagecustomizerapi.SELinuxMode, error) {
+func (b *BootCustomizer) GetSELinuxMode(imageChroot safechroot.ChrootInterface) (imagecustomizerapi.SELinuxMode, error) {
 	// Get the SELinux mode from the kernel command-line args.
 	selinuxMode, err := b.getSELinuxModeFromGrub()
 	if err != nil {
@@ -163,7 +163,7 @@ func (b *BootCustomizer) UpdateKernelCommandLineArgs(defaultGrubFileVarName defa
 func (b *BootCustomizer) PrepareForVerity() error {
 	if b.isGrubMkconfig {
 		// Force root command-line arg to be referenced by /dev path instead of by UUID.
-		defaultGrubFileContent, err := updateDefaultGrubFileVariable(b.defaultGrubFileContent, "GRUB_DISABLE_UUID",
+		defaultGrubFileContent, err := UpdateDefaultGrubFileVariable(b.defaultGrubFileContent, "GRUB_DISABLE_UUID",
 			"true")
 		if err != nil {
 			return err
@@ -171,26 +171,31 @@ func (b *BootCustomizer) PrepareForVerity() error {
 
 		// Disable recovery menu entry, to avoid having more than 1 linux command in the grub.cfg file.
 		// This will make it easier to modify the grub.cfg file to add the verity args.
-		defaultGrubFileContent, err = updateDefaultGrubFileVariable(defaultGrubFileContent, "GRUB_DISABLE_RECOVERY",
+		defaultGrubFileContent, err = UpdateDefaultGrubFileVariable(defaultGrubFileContent, "GRUB_DISABLE_RECOVERY",
 			"true")
 		if err != nil {
 			return err
 		}
 
+		// For verity, the root device will always be "/dev/mapper/root"
+		defaultGrubFileContent, err = UpdateDefaultGrubFileVariable(defaultGrubFileContent, "GRUB_DEVICE", "/dev/mapper/root")
+		if err != nil {
+			return err
+		}
+
 		b.defaultGrubFileContent = defaultGrubFileContent
 	}
 
 	return nil
 }
 
-func (b *BootCustomizer) WriteToFile(imageChroot *safechroot.Chroot) error {
+func (b *BootCustomizer) WriteToFile(imageChroot safechroot.ChrootInterface) error {
 	if b.isGrubMkconfig {
 		// Update /etc/defaukt/grub file.
-		err := writeDefaultGrubFile(b.defaultGrubFileContent, imageChroot)
+		err := WriteDefaultGrubFile(b.defaultGrubFileContent, imageChroot)
 		if err != nil {
 			return err
 		}
-
 		// Update /boot/grub2/grub.cfg file.
 		err = installutils.CallGrubMkconfig(imageChroot)
 		if err != nil {
@@ -206,3 +211,14 @@ func (b *BootCustomizer) WriteToFile(imageChroot *safechroot.Chroot) error {
 
 	return nil
 }
+
+func (b *BootCustomizer) SetRootDevice(rootDevice string) error {
+	updatedGrubFileContent, err := UpdateDefaultGrubFileVariable(b.defaultGrubFileContent, "GRUB_DEVICE", rootDevice)
+	if err != nil {
+		return err
+	}
+
+	b.defaultGrubFileContent = updatedGrubFileContent
+
+	return nil
+}
diff --git a/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer_test.go b/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer_test.go
index 259beb97b07..c87eb24dc50 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/bootcustomizer_test.go
@@ -161,9 +161,10 @@ func TestBootCustomizerVerity30(t *testing.T) {
 	err := b.PrepareForVerity()
 	assert.NoError(t, err)
 
-	expectedDefaultGrubFileDiff := `6a7,8
+	expectedDefaultGrubFileDiff := `6a7,9
 > GRUB_DISABLE_UUID="true"
 > GRUB_DISABLE_RECOVERY="true"
+> GRUB_DEVICE="/dev/mapper/root"
 `
 	checkDiffs30(t, b, "", expectedDefaultGrubFileDiff)
 
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizefiles.go b/toolkit/tools/pkg/imagecustomizerlib/customizefiles.go
index 15ed8bd8459..570660191d1 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/customizefiles.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/customizefiles.go
@@ -17,22 +17,27 @@ const (
 	defaultFilePermissions = 0o755
 )
 
-func copyAdditionalFiles(baseConfigPath string, additionalFiles imagecustomizerapi.AdditionalFilesMap, imageChroot *safechroot.Chroot) error {
-	for sourceFile, fileConfigs := range additionalFiles {
-		absSourceFile := file.GetAbsPathWithBase(baseConfigPath, sourceFile)
-		for _, fileConfig := range fileConfigs {
-			logger.Log.Infof("Copying: %s", fileConfig.Path)
+func copyAdditionalFiles(baseConfigPath string, additionalFiles imagecustomizerapi.AdditionalFileList,
+	imageChroot *safechroot.Chroot,
+) error {
+	for _, additionalFile := range additionalFiles {
+		logger.Log.Infof("Copying: %s", additionalFile.Destination)
 
-			fileToCopy := safechroot.FileToCopy{
-				Src:         absSourceFile,
-				Dest:        fileConfig.Path,
-				Permissions: (*fs.FileMode)(fileConfig.Permissions),
-			}
+		absSourceFile := ""
+		if additionalFile.Source != "" {
+			absSourceFile = file.GetAbsPathWithBase(baseConfigPath, additionalFile.Source)
+		}
+
+		fileToCopy := safechroot.FileToCopy{
+			Src:         absSourceFile,
+			Content:     additionalFile.Content,
+			Dest:        additionalFile.Destination,
+			Permissions: (*fs.FileMode)(additionalFile.Permissions),
+		}
 
-			err := imageChroot.AddFiles(fileToCopy)
-			if err != nil {
-				return err
-			}
+		err := imageChroot.AddFiles(fileToCopy)
+		if err != nil {
+			return err
 		}
 	}
 
@@ -41,8 +46,8 @@ func copyAdditionalFiles(baseConfigPath string, additionalFiles imagecustomizera
 
 func copyAdditionalDirs(baseConfigPath string, additionalDirs imagecustomizerapi.DirConfigList, imageChroot *safechroot.Chroot) error {
 	for _, dirConfigElement := range additionalDirs {
-		absSourceDir := file.GetAbsPathWithBase(baseConfigPath, dirConfigElement.SourcePath)
-		logger.Log.Infof("Copying %s to %s", absSourceDir, dirConfigElement.DestinationPath)
+		absSourceDir := file.GetAbsPathWithBase(baseConfigPath, dirConfigElement.Source)
+		logger.Log.Infof("Copying %s to %s", absSourceDir, dirConfigElement.Destination)
 
 		// Setting permissions values. They are set to a default value if they have not been specified.
 		newDirPermissionsValue := fs.FileMode(defaultFilePermissions)
@@ -56,14 +61,14 @@ func copyAdditionalDirs(baseConfigPath string, additionalDirs imagecustomizerapi
 
 		dirToCopy := safechroot.DirToCopy{
 			Src:                  absSourceDir,
-			Dest:                 dirConfigElement.DestinationPath,
+			Dest:                 dirConfigElement.Destination,
 			NewDirPermissions:    newDirPermissionsValue,
 			ChildFilePermissions: childFilePermissionsValue,
 			MergedDirPermissions: (*fs.FileMode)(dirConfigElement.MergedDirPermissions),
 		}
 		err := imageChroot.AddDirs(dirToCopy)
 		if err != nil {
-			return fmt.Errorf("failed to copy directory (%s) to (%s):\n%w", absSourceDir, dirConfigElement.DestinationPath, err)
+			return fmt.Errorf("failed to copy directory (%s) to (%s):\n%w", absSourceDir, dirConfigElement.Destination, err)
 		}
 	}
 	return nil
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizefiles_test.go b/toolkit/tools/pkg/imagecustomizerlib/customizefiles_test.go
index 9cc46d41e0d..d417162bc08 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/customizefiles_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/customizefiles_test.go
@@ -30,10 +30,15 @@ func TestCopyAdditionalFiles(t *testing.T) {
 	copy_2_filemode := os.FileMode(0o777)
 
 	// Copy a file.
-	err = copyAdditionalFiles(baseConfigPath, map[string]imagecustomizerapi.FileConfigList{
-		"files/a.txt": {
-			{Path: "/copy_1.txt"},
-			{Path: "/copy_2.txt", Permissions: ptrutils.PtrTo(imagecustomizerapi.FilePermissions(copy_2_filemode))},
+	err = copyAdditionalFiles(baseConfigPath, imagecustomizerapi.AdditionalFileList{
+		{
+			Source:      "files/a.txt",
+			Destination: "/copy_1.txt",
+		},
+		{
+			Source:      "files/a.txt",
+			Destination: "/copy_2.txt",
+			Permissions: ptrutils.PtrTo(imagecustomizerapi.FilePermissions(copy_2_filemode)),
 		},
 	}, chroot)
 	assert.NoError(t, err)
@@ -51,9 +56,10 @@ func TestCopyAdditionalFiles(t *testing.T) {
 	verifyFileContentsSame(t, a_orig_path, copy_2_path)
 
 	// Copy a different file to the same location.
-	err = copyAdditionalFiles(baseConfigPath, map[string]imagecustomizerapi.FileConfigList{
-		"files/b.txt": {
-			{Path: "/copy_1.txt"},
+	err = copyAdditionalFiles(baseConfigPath, imagecustomizerapi.AdditionalFileList{
+		{
+			Source:      "files/b.txt",
+			Destination: "/copy_1.txt",
 		},
 	}, chroot)
 	assert.NoError(t, err)
@@ -65,7 +71,7 @@ func TestCopyAdditionalFiles(t *testing.T) {
 }
 
 func TestCustomizeImageAdditionalFiles(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageAdditionalFiles")
 	buildDir := filepath.Join(testTmpDir, "build")
@@ -79,6 +85,9 @@ func TestCustomizeImageAdditionalFiles(t *testing.T) {
 		return
 	}
 
+	// Check output file type.
+	checkFileType(t, outImageFilePath, "raw")
+
 	// Connect to customized image.
 	imageConnection, err := connectToCoreEfiImage(buildDir, outImageFilePath)
 	if !assert.NoError(t, err) {
@@ -93,14 +102,22 @@ func TestCustomizeImageAdditionalFiles(t *testing.T) {
 	helloworld_path := filepath.Join(testDir, "files/helloworld.sh")
 	helloworld_copy_path := filepath.Join(imageConnection.Chroot().RootDir(), "/usr/local/bin/helloworld.sh")
 
+	animals_copy_path := filepath.Join(imageConnection.Chroot().RootDir(), "/animals.txt")
+	alphabet_copy_path := filepath.Join(imageConnection.Chroot().RootDir(), "/alphabet.txt")
+	empty_copy_path := filepath.Join(imageConnection.Chroot().RootDir(), "/empty.txt")
+
 	verifyFileContentsSame(t, a_path, a_copy_path)
 	verifyFileContentsSame(t, helloworld_path, helloworld_copy_path)
+	verifyFileContentsEqual(t, animals_copy_path, "cat\ndog\n")
+	verifyFileContentsEqual(t, alphabet_copy_path, "abcdefghijklmnopqrstuvwxyz")
+	verifyFileContentsEqual(t, empty_copy_path, "")
 
 	verifyFilePermissions(t, os.FileMode(0o755), helloworld_copy_path)
+	verifyFilePermissions(t, os.FileMode(0o644), alphabet_copy_path)
 }
 
 func TestCustomizeImageAdditionalFilesInfiniteFile(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageAdditionalFilesInfiniteFile")
 	buildDir := filepath.Join(testTmpDir, "build")
@@ -131,8 +148,8 @@ func TestCopyAdditionalDirs(t *testing.T) {
 	err = copyAdditionalDirs(baseConfigPath,
 		imagecustomizerapi.DirConfigList{
 			{
-				SourcePath:           "dirs/a",
-				DestinationPath:      "/",
+				Source:               "dirs/a",
+				Destination:          "/",
 				ChildFilePermissions: ptrutils.PtrTo(imagecustomizerapi.FilePermissions(0o755)),
 				NewDirPermissions:    ptrutils.PtrTo(imagecustomizerapi.FilePermissions(0o750)),
 			},
@@ -155,8 +172,8 @@ func TestCopyAdditionalDirs(t *testing.T) {
 	err = copyAdditionalDirs(baseConfigPath,
 		imagecustomizerapi.DirConfigList{
 			{
-				SourcePath:           "dirs/b",
-				DestinationPath:      "/usr/local",
+				Source:               "dirs/b",
+				Destination:          "/usr/local",
 				ChildFilePermissions: ptrutils.PtrTo(imagecustomizerapi.FilePermissions(0o750)),
 				MergedDirPermissions: ptrutils.PtrTo(imagecustomizerapi.FilePermissions(0o755)),
 			},
@@ -176,7 +193,7 @@ func TestCopyAdditionalDirs(t *testing.T) {
 }
 
 func TestCustomizeImageAdditionalDirs(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageAdditionalDirs")
 	buildDir := filepath.Join(testTmpDir, "build")
@@ -205,7 +222,7 @@ func TestCustomizeImageAdditionalDirs(t *testing.T) {
 }
 
 func TestCustomizeImageAdditionalDirsInfiniteFile(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageAdditionalDirsInfiniteFile")
 	buildDir := filepath.Join(testTmpDir, "build")
@@ -232,8 +249,8 @@ func TestCustomizeImageAdditionalDirsInfiniteFile(t *testing.T) {
 		OS: &imagecustomizerapi.OS{
 			AdditionalDirs: []imagecustomizerapi.DirConfig{
 				{
-					SourcePath:      srcDirPath,
-					DestinationPath: "/a",
+					Source:      srcDirPath,
+					Destination: "/a",
 				},
 			},
 		},
@@ -261,6 +278,15 @@ func verifyFileContentsSame(t *testing.T, origPath string, newPath string) {
 	assert.Equalf(t, orignContents, newContents, "file contents differ (%s) from (%s)", newPath, origPath)
 }
 
+func verifyFileContentsEqual(t *testing.T, path string, expected string) {
+	contents, err := os.ReadFile(path)
+	if !assert.NoErrorf(t, err, "read new file (%s)", path) {
+		return
+	}
+
+	assert.Equalf(t, expected, string(contents), "unexpected file contents (%s)", path)
+}
+
 func verifyFilePermissions(t *testing.T, expectedPermissions os.FileMode, path string) {
 	stat, err := os.Stat(path)
 	if assert.NoError(t, err) {
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizehostname_test.go b/toolkit/tools/pkg/imagecustomizerlib/customizehostname_test.go
index 77e2c4935ea..5661e3af7c3 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/customizehostname_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/customizehostname_test.go
@@ -39,7 +39,7 @@ func TestUpdateHostname(t *testing.T) {
 }
 
 func TestCustomizeImageHostname(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageHostname")
 	buildDir := filepath.Join(testTmpDir, "build")
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeos.go b/toolkit/tools/pkg/imagecustomizerlib/customizeos.go
index 24d298ab073..060ae571759 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/customizeos.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/customizeos.go
@@ -75,12 +75,12 @@ func doOsCustomizations(buildDir string, baseConfigPath string, config *imagecus
 		return err
 	}
 
-	overlayUpdated, err := enableOverlays(config.OS.Overlays, imageChroot)
+	overlayUpdated, err := enableOverlays(config.OS.Overlays, selinuxMode, imageChroot)
 	if err != nil {
 		return err
 	}
 
-	verityUpdated, err := enableVerityPartition(buildDir, config.OS.Verity, imageChroot)
+	verityUpdated, err := enableVerityPartition(config.OS.Verity, imageChroot)
 	if err != nil {
 		return err
 	}
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeoverlay.go b/toolkit/tools/pkg/imagecustomizerlib/customizeoverlay.go
deleted file mode 100644
index c649a2ab475..00000000000
--- a/toolkit/tools/pkg/imagecustomizerlib/customizeoverlay.go
+++ /dev/null
@@ -1,89 +0,0 @@
-// Copyright (c) Microsoft Corporation.
-// Licensed under the MIT License.
-
-package imagecustomizerlib
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/microsoft/azurelinux/toolkit/tools/imagecustomizerapi"
-	"github.com/microsoft/azurelinux/toolkit/tools/internal/logger"
-	"github.com/microsoft/azurelinux/toolkit/tools/internal/safechroot"
-)
-
-func enableOverlays(overlays *[]imagecustomizerapi.Overlay, imageChroot *safechroot.Chroot) (bool, error) {
-	var err error
-
-	if overlays == nil {
-		return false, nil
-	}
-
-	logger.Log.Infof("Enable filesystem overlays")
-
-	// Integrate overlay dracut module and overlay driver into initramfs img.
-	overlayDracutModule := "overlayfs"
-	overlayDracutDriver := "overlay"
-	err = addDracutModule(overlayDracutModule, overlayDracutDriver, imageChroot)
-	if err != nil {
-		return false, err
-	}
-
-	// Dereference the pointer to get the slice
-	overlaysDereference := *overlays
-	err = updateGrubConfigForOverlay(imageChroot, overlaysDereference)
-	if err != nil {
-		return false, fmt.Errorf("failed to update grub config for filesystem overlays:\n%w", err)
-	}
-
-	return true, nil
-}
-
-func updateGrubConfigForOverlay(imageChroot *safechroot.Chroot, overlays []imagecustomizerapi.Overlay) error {
-	var err error
-	var overlayConfigs []string
-	var formattedPartition string
-
-	// Iterate over each Overlay configuration
-	for _, overlay := range overlays {
-		formattedPartition = ""
-		if overlay.Partition != nil {
-			formattedPartition, err = systemdFormatPartitionId(overlay.Partition.IdType, overlay.Partition.Id)
-			if err != nil {
-				return err
-			}
-		}
-		// Construct the argument for each Overlay
-		overlayConfig := fmt.Sprintf(
-			"%s,%s,%s,%s",
-			overlay.LowerDir, overlay.UpperDir, overlay.WorkDir, formattedPartition,
-		)
-		overlayConfigs = append(overlayConfigs, overlayConfig)
-	}
-
-	// Concatenate all overlay configurations with spaces
-	concatenatedOverlays := strings.Join(overlayConfigs, " ")
-
-	// Construct the final cmdline argument
-	newArgs := []string{
-		fmt.Sprintf("rd.overlayfs=%s", concatenatedOverlays),
-	}
-
-	bootCustomizer, err := NewBootCustomizer(imageChroot)
-	if err != nil {
-		return err
-	}
-
-	err = bootCustomizer.UpdateKernelCommandLineArgs(defaultGrubFileVarNameCmdlineLinux, []string{"rd.overlayfs"},
-		newArgs)
-	if err != nil {
-		return err
-	}
-
-	err = bootCustomizer.WriteToFile(imageChroot)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeoverlays.go b/toolkit/tools/pkg/imagecustomizerlib/customizeoverlays.go
new file mode 100644
index 00000000000..02544f08651
--- /dev/null
+++ b/toolkit/tools/pkg/imagecustomizerlib/customizeoverlays.go
@@ -0,0 +1,187 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package imagecustomizerlib
+
+import (
+	"fmt"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"github.com/microsoft/azurelinux/toolkit/tools/imagecustomizerapi"
+	"github.com/microsoft/azurelinux/toolkit/tools/imagegen/diskutils"
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/logger"
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/safechroot"
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/shell"
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/sliceutils"
+)
+
+func enableOverlays(overlays *[]imagecustomizerapi.Overlay, selinuxMode imagecustomizerapi.SELinuxMode,
+	imageChroot *safechroot.Chroot,
+) (bool, error) {
+	var err error
+
+	if overlays == nil {
+		return false, nil
+	}
+
+	logger.Log.Infof("Enable filesystem overlays")
+
+	// Integrate the overlay driver into the initrd image. Including the overlay
+	// driver in initrd is essential for enabling the system to recognize and
+	// mount overlay filesystems during the initrd phase of the boot process.
+	overlayDriver := "overlay"
+	err = addDracutDriver(overlayDriver, imageChroot)
+	if err != nil {
+		return false, err
+	}
+
+	// Dereference the pointer to get the slice
+	overlaysDereference := *overlays
+	err = updateFstabForOverlays(overlaysDereference, imageChroot)
+	if err != nil {
+		return false, fmt.Errorf("failed to update fstab file for overlays:\n%w", err)
+	}
+
+	// Create necessary directories for overlays
+	err = createOverlayDirectories(overlaysDereference, imageChroot)
+	if err != nil {
+		return false, fmt.Errorf("failed to create overlay directories:\n%w", err)
+	}
+
+	// Add equivalency rules for each overlay
+	err = addEquivalencyRules(selinuxMode, overlaysDereference, imageChroot)
+	if err != nil {
+		return false, fmt.Errorf("failed to add equivalency rules for overlays:\n%w", err)
+	}
+
+	return true, nil
+}
+
+func updateFstabForOverlays(overlays []imagecustomizerapi.Overlay, imageChroot *safechroot.Chroot,
+) error {
+	var err error
+
+	fstabFile := filepath.Join(imageChroot.RootDir(), "etc/fstab")
+	fstabEntries, err := diskutils.ReadFstabFile(fstabFile)
+	if err != nil {
+		return fmt.Errorf("failed to read fstab file: %v", err)
+	}
+
+	var updatedEntries []diskutils.FstabEntry
+	updatedEntries = append(updatedEntries, fstabEntries...)
+
+	for _, overlay := range overlays {
+		lowerDirs := overlay.LowerDirs
+		upperDir := overlay.UpperDir
+		workDir := overlay.WorkDir
+		mountDependencies := overlay.MountDependencies
+
+		if overlay.IsInitrdOverlay {
+			// Validate that each mountDependency has the x-initrd.mount option in
+			// the corresponding fstab entry.
+			for i, dep := range mountDependencies {
+				entry, found := sliceutils.FindValueFunc(fstabEntries, func(entry diskutils.FstabEntry) bool {
+					return entry.Target == dep
+				})
+				if !found {
+					return fmt.Errorf("mountDependency %s not found in fstab", dep)
+				}
+
+				optionFound := sliceutils.ContainsValue(strings.Split(entry.Options, ","), "x-initrd.mount")
+				if !optionFound {
+					return fmt.Errorf("mountDependency %s requires x-initrd.mount option in fstab", dep)
+				}
+
+				mountDependencies[i] = path.Join("/sysroot", dep)
+			}
+
+			for i, dir := range lowerDirs {
+				lowerDirs[i] = path.Join("/sysroot", dir)
+			}
+			upperDir = path.Join("/sysroot", overlay.UpperDir)
+			workDir = path.Join("/sysroot", overlay.WorkDir)
+		}
+
+		// Multiple lower layers can be specified by joining directory names
+		// with a colon (":") as a separator, which is supported by the overlay
+		// filesystem in the mount command.
+		lowerDirOption := strings.Join(lowerDirs, ":")
+
+		options := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lowerDirOption, upperDir, workDir)
+
+		// Add any additional options if needed (e.g., x-initrd.mount,
+		// x-systemd.requires)
+		for _, dep := range mountDependencies {
+			options = fmt.Sprintf("%s,x-systemd.requires=%s", options, dep)
+		}
+		if overlay.IsInitrdOverlay {
+			options = fmt.Sprintf("%s,x-initrd.mount,x-systemd.wanted-by=initrd-fs.target", options)
+		}
+		if overlay.MountOptions != "" {
+			options = fmt.Sprintf("%s,%s", options, overlay.MountOptions)
+		}
+
+		// Create the FstabEntry based on the overlay.
+		newEntry := diskutils.FstabEntry{
+			Source:  "overlay",
+			Target:  overlay.MountPoint,
+			FsType:  "overlay",
+			Options: options,
+			Freq:    0,
+			PassNo:  0,
+		}
+
+		updatedEntries = append(updatedEntries, newEntry)
+	}
+
+	err = diskutils.WriteFstabFile(updatedEntries, fstabFile)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func createOverlayDirectories(overlays []imagecustomizerapi.Overlay, imageChroot *safechroot.Chroot) error {
+	for _, overlay := range overlays {
+		dirsToCreate := []string{
+			filepath.Join(imageChroot.RootDir(), overlay.MountPoint),
+			filepath.Join(imageChroot.RootDir(), overlay.UpperDir),
+			filepath.Join(imageChroot.RootDir(), overlay.WorkDir),
+		}
+
+		// Iterate over each directory and create it if it doesn't exist.
+		for _, dir := range dirsToCreate {
+			if err := os.MkdirAll(dir, os.ModePerm); err != nil {
+				return fmt.Errorf("failed to create directory (%s): %w", dir, err)
+			}
+		}
+	}
+
+	return nil
+}
+
+func addEquivalencyRules(selinuxMode imagecustomizerapi.SELinuxMode,
+	overlays []imagecustomizerapi.Overlay, imageChroot *safechroot.Chroot,
+) error {
+	var err error
+
+	if selinuxMode == imagecustomizerapi.SELinuxModeDisabled {
+		// No need to add equivalency rules if SELinux is disabled.
+		return nil
+	}
+
+	for _, overlay := range overlays {
+		err = imageChroot.UnsafeRun(func() error {
+			return shell.ExecuteLiveWithErr(1, "sudo", "semanage", "fcontext", "-a", "-e", overlay.MountPoint, overlay.UpperDir)
+		})
+		if err != nil {
+			return fmt.Errorf("failed to add equivalency rule between %s and %s:\n%w", overlay.MountPoint, overlay.UpperDir, err)
+		}
+	}
+
+	return nil
+}
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeoverlays_test.go b/toolkit/tools/pkg/imagecustomizerlib/customizeoverlays_test.go
new file mode 100644
index 00000000000..f11853595ca
--- /dev/null
+++ b/toolkit/tools/pkg/imagecustomizerlib/customizeoverlays_test.go
@@ -0,0 +1,109 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package imagecustomizerlib
+
+import (
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/file"
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/shell"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCustomizeImageOverlays(t *testing.T) {
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
+
+	testTempDir := filepath.Join(tmpDir, "TestCustomizeImageOverlays")
+	buildDir := filepath.Join(testTempDir, "build")
+	outImageFilePath := filepath.Join(testTempDir, "image.raw")
+	configFile := filepath.Join(testDir, "overlays-config.yaml")
+
+	// Customize image.
+	err := CustomizeImageWithConfigFile(buildDir, configFile, baseImage, nil, outImageFilePath, "raw", "", true, false)
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	// Connect to customized image.
+	mountPoints := []mountPoint{
+		{
+			PartitionNum:   3,
+			Path:           "/",
+			FileSystemType: "ext4",
+		},
+		{
+			PartitionNum:   2,
+			Path:           "/boot",
+			FileSystemType: "ext4",
+		},
+		{
+			PartitionNum:   1,
+			Path:           "/boot/efi",
+			FileSystemType: "vfat",
+		},
+		{
+			PartitionNum:   4,
+			Path:           "/var",
+			FileSystemType: "ext4",
+		},
+	}
+
+	// Connect to customized image.
+	imageConnection, err := connectToImage(buildDir, outImageFilePath, false /*includeDefaultMounts*/, mountPoints)
+	if !assert.NoError(t, err) {
+		return
+	}
+	defer imageConnection.Close()
+
+	verifyOverlays(t, imageConnection.chroot.RootDir())
+	verifyOverlaysEquivalencyRules(t, imageConnection.chroot.RootDir())
+}
+
+func verifyOverlays(t *testing.T, rootPath string) {
+	// Verify fstab for Overlays.
+	fstabPath := filepath.Join(rootPath, "etc/fstab")
+	fstabContents, err := file.Read(fstabPath)
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	// Check for specific overlay configurations in fstab
+	assert.Contains(t, fstabContents,
+		"overlay /etc overlay lowerdir=/sysroot/etc,"+
+			"upperdir=/sysroot/var/overlays/etc/upper,workdir=/sysroot/var/overlays/etc/work,"+
+			"x-systemd.requires=/sysroot/var,x-initrd.mount,x-systemd.wanted-by=initrd-fs.target 0 0")
+
+	assert.Contains(t, fstabContents,
+		"overlay /media overlay lowerdir=/media:/home,"+
+			"upperdir=/overlays/media/upper,workdir=/overlays/media/work 0 0")
+}
+
+func verifyOverlaysEquivalencyRules(t *testing.T, rootPath string) {
+	mntPoints := map[string]string{
+		"/etc":   "/var/overlays/etc/upper",
+		"/media": "/overlays/media/upper",
+	}
+
+	for mntPoint, upperDir := range mntPoints {
+		mntPointFullPath := filepath.Join(rootPath, mntPoint)
+		upperDirFullPath := filepath.Join(rootPath, upperDir)
+
+		mntPointLabel, _, err := shell.Execute("ls", "-Zd", mntPointFullPath)
+		if !assert.NoError(t, err, "Failed to get SELinux label for %s", mntPointFullPath) {
+			return
+		}
+		upperDirLabel, _, err := shell.Execute("ls", "-Zd", upperDirFullPath)
+		if !assert.NoError(t, err, "Failed to get SELinux label for %s", upperDirFullPath) {
+			return
+		}
+
+		// Modify the labels to remove the first section (before the first colon) and path.
+		mntPointLabel = strings.Fields(mntPointLabel[strings.Index(mntPointLabel, ":")+1:])[0]
+		upperDirLabel = strings.Fields(upperDirLabel[strings.Index(upperDirLabel, ":")+1:])[0]
+		assert.Equal(t, mntPointLabel, upperDirLabel,
+			"SELinux label mismatch between %s and %s", mntPointFullPath, upperDirFullPath)
+	}
+}
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizepackages_test.go b/toolkit/tools/pkg/imagecustomizerlib/customizepackages_test.go
index f060cf271c3..4b27103ed8c 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/customizepackages_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/customizepackages_test.go
@@ -19,7 +19,7 @@ import (
 func TestCustomizeImagePackagesAddOfflineDir(t *testing.T) {
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImagePackagesAddOfflineDir")
 
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 	downloadedRpmsDir := getDownloadedRpmsDir(t, "2.0")
 
 	buildDir := filepath.Join(testTmpDir, "build")
@@ -134,7 +134,7 @@ func copyRpms(sourceDir string, targetDir string, excludePrefixes []string) erro
 func TestCustomizeImagePackagesAddOfflineLocalRepo(t *testing.T) {
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImagePackagesAddOfflineLocalRepo")
 
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	downloadedRpmsRepoFile := getDownloadedRpmsRepoFile(t, "2.0")
 	rpmSources := []string{downloadedRpmsRepoFile}
@@ -164,7 +164,7 @@ func TestCustomizeImagePackagesAddOfflineLocalRepo(t *testing.T) {
 }
 
 func TestCustomizeImagePackagesUpdate(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImagePackagesUpdate")
 	buildDir := filepath.Join(testTmpDir, "build")
@@ -197,7 +197,7 @@ func TestCustomizeImagePackagesUpdate(t *testing.T) {
 }
 
 func TestCustomizeImagePackagesDiskSpace(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImagePackagesDiskSpace")
 	buildDir := filepath.Join(testTmpDir, "build")
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizepartitions.go b/toolkit/tools/pkg/imagecustomizerlib/customizepartitions.go
index df4bcb8d1f1..d0d4ba09281 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/customizepartitions.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/customizepartitions.go
@@ -12,7 +12,7 @@ import (
 
 func customizePartitions(buildDir string, baseConfigPath string, config *imagecustomizerapi.Config,
 	buildImageFile string,
-) (bool, string, error) {
+) (bool, string, map[string]string, error) {
 	switch {
 	case config.Storage != nil:
 		logger.Log.Infof("Customizing partitions")
@@ -21,24 +21,25 @@ func customizePartitions(buildDir string, baseConfigPath string, config *imagecu
 
 		// If there is no known way to create the new partition layout from the old one,
 		// then fallback to creating the new partitions from scratch and doing a file copy.
-		err := customizePartitionsUsingFileCopy(buildDir, baseConfigPath, config, buildImageFile, newBuildImageFile)
+		partIdToPartUuid, err := customizePartitionsUsingFileCopy(buildDir, baseConfigPath, config,
+			buildImageFile, newBuildImageFile)
 		if err != nil {
-			return false, "", err
+			return false, "", nil, err
 		}
 
-		return true, newBuildImageFile, nil
+		return true, newBuildImageFile, partIdToPartUuid, nil
 
 	case config.ResetPartitionsUuidsType != imagecustomizerapi.ResetPartitionsUuidsTypeDefault:
 		err := resetPartitionsUuids(buildImageFile, buildDir)
 		if err != nil {
-			return false, "", err
+			return false, "", nil, err
 		}
 
-		return true, buildImageFile, nil
+		return true, buildImageFile, nil, nil
 
 	default:
 		// No changes to make to the partitions.
 		// So, just use the original disk.
-		return false, buildImageFile, nil
+		return false, buildImageFile, nil, nil
 	}
 }
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizepartitions_test.go b/toolkit/tools/pkg/imagecustomizerlib/customizepartitions_test.go
index 2e3387d4c7a..e0a1d6088c3 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/customizepartitions_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/customizepartitions_test.go
@@ -18,17 +18,27 @@ import (
 )
 
 func TestCustomizeImagePartitions(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
-	testCustomizeImagePartitionsToEfi(t, "TestCustomizeImagePartitions", baseImage)
+	for _, version := range supportedAzureLinuxVersions {
+		t.Run(string(version), func(t *testing.T) {
+			testCustomizeImagePartitionsToEfi(t, "TestCustomizeImagePartitions"+string(version),
+				baseImageTypeCoreEfi, version)
+		})
+	}
 }
 
 func TestCustomizeImagePartitionsLegacyToEfi(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreLegacy)
-	testCustomizeImagePartitionsToEfi(t, "TestCustomizeImagePartitionsLegacyToEfi", baseImage)
+	for _, version := range supportedAzureLinuxVersions {
+		t.Run(string(version), func(t *testing.T) {
+			testCustomizeImagePartitionsToEfi(t, "TestCustomizeImagePartitionsLegacyToEfi"+string(version),
+				baseImageTypeCoreLegacy, version)
+		})
+	}
 }
 
-func testCustomizeImagePartitionsToEfi(t *testing.T, testName string, baseImage string) {
-	var err error
+func testCustomizeImagePartitionsToEfi(t *testing.T, testName string, imageType baseImageType,
+	imageVersion baseImageVersion,
+) {
+	baseImage := checkSkipForCustomizeImage(t, imageType, imageVersion)
 
 	testTmpDir := filepath.Join(tmpDir, testName)
 	buildDir := filepath.Join(testTmpDir, "build")
@@ -36,7 +46,7 @@ func testCustomizeImagePartitionsToEfi(t *testing.T, testName string, baseImage
 	outImageFilePath := filepath.Join(testTmpDir, "image.raw")
 
 	// Customize image.
-	err = CustomizeImageWithConfigFile(buildDir, configFile, baseImage, nil, outImageFilePath, "raw", "",
+	err := CustomizeImageWithConfigFile(buildDir, configFile, baseImage, nil, outImageFilePath, "raw", "",
 		false /*useBaseImageRpmRepos*/, false /*enableShrinkFilesystems*/)
 	if !assert.NoError(t, err) {
 		return
@@ -94,28 +104,96 @@ func testCustomizeImagePartitionsToEfi(t *testing.T, testName string, baseImage
 	_, err = os.Stat(filepath.Join(imageConnection.Chroot().RootDir(), "/var/log"))
 	assert.NoError(t, err, "check for /var/log")
 
-	partitions, err = getDiskPartitionsMap(imageConnection.Loopback().DevicePath())
+	// Check that the fstab entries are correct.
+	verifyFstabEntries(t, imageConnection, mountPoints, partitions)
+	verifyBootloaderConfig(t, imageConnection, "console=tty0 console=ttyS0",
+		partitions[mountPoints[1].PartitionNum],
+		partitions[mountPoints[0].PartitionNum],
+		imageVersion)
+}
+
+func TestCustomizeImagePartitionsSizeOnly(t *testing.T) {
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
+
+	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImagePartitionsSizeOnly")
+	buildDir := filepath.Join(testTmpDir, "build")
+	configFile := filepath.Join(testDir, "partitions-size-only-config.yaml")
+	outImageFilePath := filepath.Join(testTmpDir, "image.raw")
+
+	// Customize image.
+	err := CustomizeImageWithConfigFile(buildDir, configFile, baseImage, nil, outImageFilePath, "raw", "",
+		false /*useBaseImageRpmRepos*/, false /*enableShrinkFilesystems*/)
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	// Check output file type.
+	checkFileType(t, outImageFilePath, "raw")
+
+	mountPoints := []mountPoint{
+		{
+			PartitionNum:   2,
+			Path:           "/",
+			FileSystemType: "ext4",
+		},
+		{
+			PartitionNum:   1,
+			Path:           "/boot/efi",
+			FileSystemType: "vfat",
+		},
+		{
+			PartitionNum:   3,
+			Path:           "/var",
+			FileSystemType: "ext4",
+		},
+	}
+
+	imageConnection, err := connectToImage(buildDir, outImageFilePath, false /*includeDefaultMounts*/, mountPoints)
+	if !assert.NoError(t, err) {
+		return
+	}
+	defer imageConnection.Close()
+
+	// Check for key files/directories on the partitions.
+	_, err = os.Stat(filepath.Join(imageConnection.Chroot().RootDir(), "/usr/bin/bash"))
+	assert.NoError(t, err, "check for /usr/bin/bash")
+
+	_, err = os.Stat(filepath.Join(imageConnection.Chroot().RootDir(), "/var/log"))
+	assert.NoError(t, err, "check for /var/log")
+
+	partitions, err := getDiskPartitionsMap(imageConnection.Loopback().DevicePath())
 	assert.NoError(t, err, "get disk partitions")
 
 	// Check that the fstab entries are correct.
 	verifyFstabEntries(t, imageConnection, mountPoints, partitions)
-	verifyBootloaderConfig(t, imageConnection, "console=tty0 console=ttyS0",
-		partitions[mountPoints[1].PartitionNum].Uuid,
-		partitions[mountPoints[0].PartitionNum].PartUuid)
+	verifyBootloaderConfig(t, imageConnection, "",
+		partitions[mountPoints[0].PartitionNum],
+		partitions[mountPoints[0].PartitionNum],
+		baseImageVersionDefault)
 }
 
 func TestCustomizeImagePartitionsEfiToLegacy(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
-	testCustomizeImagePartitionsToLegacy(t, "TestCustomizeImagePartitionsEfiToLegacy", baseImage)
+	for _, version := range supportedAzureLinuxVersions {
+		t.Run(string(version), func(t *testing.T) {
+			testCustomizeImagePartitionsToLegacy(t, "TestCustomizeImagePartitionsEfiToLegacy"+string(version),
+				baseImageTypeCoreEfi, version)
+		})
+	}
 }
 
 func TestCustomizeImagePartitionsLegacy(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreLegacy)
-	testCustomizeImagePartitionsToLegacy(t, "TestCustomizeImagePartitionsLegacy", baseImage)
+	for _, version := range supportedAzureLinuxVersions {
+		t.Run(string(version), func(t *testing.T) {
+			testCustomizeImagePartitionsToLegacy(t, "TestCustomizeImagePartitionsLegacy"+string(version),
+				baseImageTypeCoreLegacy, version)
+		})
+	}
 }
 
-func testCustomizeImagePartitionsToLegacy(t *testing.T, testName string, baseImage string) {
-	var err error
+func testCustomizeImagePartitionsToLegacy(t *testing.T, testName string, imageType baseImageType,
+	imageVersion baseImageVersion,
+) {
+	baseImage := checkSkipForCustomizeImage(t, imageType, imageVersion)
 
 	testTmpDir := filepath.Join(tmpDir, testName)
 	buildDir := filepath.Join(testTmpDir, "build")
@@ -123,7 +201,7 @@ func testCustomizeImagePartitionsToLegacy(t *testing.T, testName string, baseIma
 	outImageFilePath := filepath.Join(buildDir, "image.raw")
 
 	// Customize image.
-	err = CustomizeImageWithConfigFile(buildDir, configFile, baseImage, nil, outImageFilePath, "raw", "",
+	err := CustomizeImageWithConfigFile(buildDir, configFile, baseImage, nil, outImageFilePath, "raw", "",
 		false /*useBaseImageRpmRepos*/, false /*enableShrinkFilesystems*/)
 	if !assert.NoError(t, err) {
 		return
@@ -145,16 +223,24 @@ func testCustomizeImagePartitionsToLegacy(t *testing.T, testName string, baseIma
 	// Check that the fstab entries are correct.
 	verifyFstabEntries(t, imageConnection, coreLegacyMountPoints, partitions)
 	verifyBootGrubCfg(t, imageConnection, "",
-		partitions[coreLegacyMountPoints[0].PartitionNum].Uuid,
-		partitions[coreLegacyMountPoints[0].PartitionNum].PartUuid)
+		partitions[coreLegacyMountPoints[0].PartitionNum],
+		partitions[coreLegacyMountPoints[0].PartitionNum],
+		imageVersion)
 }
 
 func TestCustomizeImageKernelCommandLine(t *testing.T) {
-	var err error
+	for _, version := range supportedAzureLinuxVersions {
+		t.Run(string(version), func(t *testing.T) {
+			baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, version)
+			testCustomizeImageKernelCommandLineHelper(t, "TestCustomizeImageKernelCommandLine"+string(version), baseImage)
+		})
+	}
+}
 
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+func testCustomizeImageKernelCommandLineHelper(t *testing.T, testName string, baseImage string) {
+	var err error
 
-	buildDir := filepath.Join(tmpDir, "TestCustomizeImageKernelCommandLine")
+	buildDir := filepath.Join(tmpDir, testName)
 	configFile := filepath.Join(testDir, "extracommandline-config.yaml")
 	outImageFilePath := filepath.Join(buildDir, "image.qcow2")
 
@@ -179,9 +265,20 @@ func TestCustomizeImageKernelCommandLine(t *testing.T) {
 }
 
 func TestCustomizeImageNewUUIDs(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	for _, version := range supportedAzureLinuxVersions {
+		t.Run(string(version), func(t *testing.T) {
+			testCustomizeImageNewUUIDsHelper(t, "TestCustomizeImageNewUUIDs"+string(version), baseImageTypeCoreEfi,
+				version)
+		})
+	}
+}
 
-	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageNewUUIDs")
+func testCustomizeImageNewUUIDsHelper(t *testing.T, testName string, imageType baseImageType,
+	imageVersion baseImageVersion,
+) {
+	baseImage := checkSkipForCustomizeImage(t, imageType, imageVersion)
+
+	testTmpDir := filepath.Join(tmpDir, testName)
 	buildDir := filepath.Join(testTmpDir, "build")
 	configFile := filepath.Join(testDir, "newpartitionsuuids-config.yaml")
 	tempRawBaseImage := filepath.Join(testTmpDir, "baseImage.raw")
@@ -253,8 +350,9 @@ func TestCustomizeImageNewUUIDs(t *testing.T) {
 	// Check that the fstab entries are correct.
 	verifyFstabEntries(t, imageConnection, coreEfiMountPoints, newImagePartitions)
 	verifyBootloaderConfig(t, imageConnection, "",
-		newImagePartitions[coreEfiMountPoints[0].PartitionNum].Uuid,
-		newImagePartitions[coreEfiMountPoints[0].PartitionNum].PartUuid)
+		newImagePartitions[coreEfiMountPoints[0].PartitionNum],
+		newImagePartitions[coreEfiMountPoints[0].PartitionNum],
+		imageVersion)
 }
 
 func verifyFstabEntries(t *testing.T, imageConnection *ImageConnection, mountPoints []mountPoint,
@@ -286,10 +384,10 @@ func verifyFstabEntries(t *testing.T, imageConnection *ImageConnection, mountPoi
 }
 
 func verifyBootloaderConfig(t *testing.T, imageConnection *ImageConnection, extraCommandLineArgs string,
-	bootUuid string, rootfsPartUuid string,
+	bootInfo diskutils.PartitionInfo, rootfsInfo diskutils.PartitionInfo, imageVersion baseImageVersion,
 ) {
-	verifyEspGrubCfg(t, imageConnection, bootUuid)
-	verifyBootGrubCfg(t, imageConnection, extraCommandLineArgs, bootUuid, rootfsPartUuid)
+	verifyEspGrubCfg(t, imageConnection, bootInfo.Uuid)
+	verifyBootGrubCfg(t, imageConnection, extraCommandLineArgs, bootInfo, rootfsInfo, imageVersion)
 }
 
 func verifyEspGrubCfg(t *testing.T, imageConnection *ImageConnection, bootUuid string) {
@@ -302,8 +400,9 @@ func verifyEspGrubCfg(t *testing.T, imageConnection *ImageConnection, bootUuid s
 	assert.Regexp(t, fmt.Sprintf("(?m)^search -n -u %s -s$", regexp.QuoteMeta(bootUuid)), grubCfgContents)
 }
 
-func verifyBootGrubCfg(t *testing.T, imageConnection *ImageConnection, extraCommandLineArgs string, bootUuid string,
-	rootfsPartUuid string,
+func verifyBootGrubCfg(t *testing.T, imageConnection *ImageConnection, extraCommandLineArgs string,
+	bootInfo diskutils.PartitionInfo, rootfsInfo diskutils.PartitionInfo,
+	imageVersion baseImageVersion,
 ) {
 	grubCfgFilePath := filepath.Join(imageConnection.Chroot().RootDir(), "/boot/grub2/grub.cfg")
 	grubCfgContents, err := file.Read(grubCfgFilePath)
@@ -311,11 +410,27 @@ func verifyBootGrubCfg(t *testing.T, imageConnection *ImageConnection, extraComm
 		return
 	}
 
-	assert.Regexp(t, fmt.Sprintf("(?m)^search -n -u %s -s$", regexp.QuoteMeta(bootUuid)), grubCfgContents)
-	assert.Regexp(t, fmt.Sprintf("(?m)^set rootdevice=PARTUUID=%s$", regexp.QuoteMeta(rootfsPartUuid)), grubCfgContents)
+	switch imageVersion {
+	case baseImageVersionAzl2:
+		assert.Regexp(t, fmt.Sprintf(`(?m)^search -n -u %s -s$`, regexp.QuoteMeta(bootInfo.Uuid)),
+			grubCfgContents)
+		assert.Regexp(t, fmt.Sprintf(`(?m)^set rootdevice=PARTUUID=%s$`, regexp.QuoteMeta(rootfsInfo.PartUuid)),
+			grubCfgContents)
+
+	case baseImageVersionAzl3:
+		assert.Regexp(t, fmt.Sprintf(`(?m)[\t ]*search.* --fs-uuid --set=root %s$`, regexp.QuoteMeta(bootInfo.Uuid)),
+			grubCfgContents)
+
+		// In theory, UUID should always be used (unless GRUB_DISABLE_UUID is set in the /etc/default/grub file, which
+		// it isn't). But on some build hosts, PARTUUID is used instead. Not sure why this is the case. But the OS will
+		// still boot either way. So, allow both for now.
+		assert.Regexp(t, fmt.Sprintf(`(?m)[\t ]*linux.* root=(UUID=%s|PARTUUID=%s) `, regexp.QuoteMeta(rootfsInfo.Uuid),
+			regexp.QuoteMeta(rootfsInfo.PartUuid)),
+			grubCfgContents)
+	}
 
 	if extraCommandLineArgs != "" {
-		assert.Regexp(t, fmt.Sprintf("linux.* %s ", regexp.QuoteMeta(extraCommandLineArgs)), grubCfgContents)
+		assert.Regexp(t, fmt.Sprintf(`(?m)[\t ]*linux.* %s `, regexp.QuoteMeta(extraCommandLineArgs)), grubCfgContents)
 	}
 }
 
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizepartitionsfilecopy.go b/toolkit/tools/pkg/imagecustomizerlib/customizepartitionsfilecopy.go
index ed5c4e18e66..f4121a53863 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/customizepartitionsfilecopy.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/customizepartitionsfilecopy.go
@@ -14,10 +14,10 @@ import (
 
 func customizePartitionsUsingFileCopy(buildDir string, baseConfigPath string, config *imagecustomizerapi.Config,
 	buildImageFile string, newBuildImageFile string,
-) error {
+) (map[string]string, error) {
 	existingImageConnection, err := connectToExistingImage(buildImageFile, buildDir, "imageroot", false)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	defer existingImageConnection.Close()
 
@@ -27,18 +27,18 @@ func customizePartitionsUsingFileCopy(buildDir string, baseConfigPath string, co
 		return copyFilesIntoNewDisk(existingImageConnection.Chroot(), imageChroot)
 	}
 
-	err = createNewImage(newBuildImageFile, diskConfig, config.Storage.FileSystems,
+	partIdToPartUuid, err := createNewImage(newBuildImageFile, diskConfig, config.Storage.FileSystems,
 		buildDir, "newimageroot", installOSFunc)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	err = existingImageConnection.CleanClose()
 	if err != nil {
-		return err
+		return nil, err
 	}
 
-	return nil
+	return partIdToPartUuid, nil
 }
 
 func copyFilesIntoNewDisk(existingImageChroot *safechroot.Chroot, newImageChroot *safechroot.Chroot) error {
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeselinux.go b/toolkit/tools/pkg/imagecustomizerlib/customizeselinux.go
index e7e38476013..69a175cec94 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/customizeselinux.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/customizeselinux.go
@@ -56,7 +56,7 @@ func handleSELinux(selinuxMode imagecustomizerapi.SELinuxMode, resetBootLoaderTy
 		}
 	}
 
-	err = updateSELinuxModeInConfigFile(selinuxMode, imageChroot)
+	err = UpdateSELinuxModeInConfigFile(selinuxMode, imageChroot)
 	if err != nil {
 		return imagecustomizerapi.SELinuxModeDefault, err
 	}
@@ -64,7 +64,7 @@ func handleSELinux(selinuxMode imagecustomizerapi.SELinuxMode, resetBootLoaderTy
 	return selinuxMode, nil
 }
 
-func updateSELinuxModeInConfigFile(selinuxMode imagecustomizerapi.SELinuxMode, imageChroot *safechroot.Chroot) error {
+func UpdateSELinuxModeInConfigFile(selinuxMode imagecustomizerapi.SELinuxMode, imageChroot safechroot.ChrootInterface) error {
 	imagerSELinuxMode, err := selinuxModeToImager(selinuxMode)
 	if err != nil {
 		return err
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeselinux_test.go b/toolkit/tools/pkg/imagecustomizerlib/customizeselinux_test.go
index b8087da656e..46053749d78 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/customizeselinux_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/customizeselinux_test.go
@@ -14,9 +14,20 @@ import (
 )
 
 func TestCustomizeImageSELinux(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	for _, version := range supportedAzureLinuxVersions {
+		t.Run(string(version), func(t *testing.T) {
+			testCustomizeImageSELinuxHelper(t, "TestCustomizeImageSELinux"+string(version), baseImageTypeCoreEfi,
+				version)
+		})
+	}
+}
+
+func testCustomizeImageSELinuxHelper(t *testing.T, testName string, imageType baseImageType,
+	imageVersion baseImageVersion,
+) {
+	baseImage := checkSkipForCustomizeImage(t, imageType, imageVersion)
 
-	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageSELinux")
+	testTmpDir := filepath.Join(tmpDir, testName)
 	buildDir := filepath.Join(testTmpDir, "build")
 	outImageFilePath := filepath.Join(testTmpDir, "image.raw")
 
@@ -100,9 +111,20 @@ func TestCustomizeImageSELinux(t *testing.T) {
 }
 
 func TestCustomizeImageSELinuxAndPartitions(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	for _, version := range supportedAzureLinuxVersions {
+		t.Run(string(version), func(t *testing.T) {
+			testCustomizeImageSELinuxAndPartitionsHelper(t, "TestCustomizeImageSELinuxAndPartitions"+string(version),
+				baseImageTypeCoreEfi, version)
+		})
+	}
+}
+
+func testCustomizeImageSELinuxAndPartitionsHelper(t *testing.T, testName string, imageType baseImageType,
+	imageVersion baseImageVersion,
+) {
+	baseImage := checkSkipForCustomizeImage(t, imageType, imageVersion)
 
-	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageSELinuxAndPartitions")
+	testTmpDir := filepath.Join(tmpDir, testName)
 	buildDir := filepath.Join(testTmpDir, "build")
 	outImageFilePath := filepath.Join(testTmpDir, "image.raw")
 
@@ -150,7 +172,7 @@ func TestCustomizeImageSELinuxAndPartitions(t *testing.T) {
 }
 
 func TestCustomizeImageSELinuxNoPolicy(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageSELinuxNoPolicy")
 	buildDir := filepath.Join(testTmpDir, "build")
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeservices_test.go b/toolkit/tools/pkg/imagecustomizerlib/customizeservices_test.go
index e301a5eca1c..e71bec0fa18 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/customizeservices_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/customizeservices_test.go
@@ -13,7 +13,7 @@ import (
 )
 
 func TestCustomizeImageServicesEnableDisable(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageServicesEnableDisable")
 	buildDir := filepath.Join(testTmpDir, "build")
@@ -45,7 +45,7 @@ func TestCustomizeImageServicesEnableDisable(t *testing.T) {
 }
 
 func TestCustomizeImageServicesEnableUnknown(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageServicesEnableUnknown")
 	buildDir := filepath.Join(testTmpDir, "build")
@@ -69,7 +69,7 @@ func TestCustomizeImageServicesEnableUnknown(t *testing.T) {
 }
 
 func TestCustomizeImageServicesDisableUnknown(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageServicesDisableUnknown")
 	buildDir := filepath.Join(testTmpDir, "build")
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeusers_test.go b/toolkit/tools/pkg/imagecustomizerlib/customizeusers_test.go
index b3607dfd330..2f0dfbeea6e 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/customizeusers_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/customizeusers_test.go
@@ -25,7 +25,7 @@ var (
 )
 
 func TestCustomizeImageUsers(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageUsers")
 	buildDir := filepath.Join(testTmpDir, "build")
@@ -144,7 +144,7 @@ func TestCustomizeImageUsers(t *testing.T) {
 }
 
 func TestCustomizeImageUsersExitingUserHomeDir(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageUsers")
 	buildDir := filepath.Join(testTmpDir, "build")
@@ -168,7 +168,7 @@ func TestCustomizeImageUsersExitingUserHomeDir(t *testing.T) {
 }
 
 func TestCustomizeImageUsersExitingUserUid(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageUsers")
 	buildDir := filepath.Join(testTmpDir, "build")
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go b/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go
index a8e8abbe142..1b12678dc3b 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/customizeverity.go
@@ -5,7 +5,6 @@ package imagecustomizerlib
 
 import (
 	"fmt"
-	"os"
 	"path/filepath"
 
 	"github.com/microsoft/azurelinux/toolkit/tools/imagecustomizerapi"
@@ -15,7 +14,7 @@ import (
 	"github.com/microsoft/azurelinux/toolkit/tools/internal/safechroot"
 )
 
-func enableVerityPartition(buildDir string, verity *imagecustomizerapi.Verity, imageChroot *safechroot.Chroot,
+func enableVerityPartition(verity *imagecustomizerapi.Verity, imageChroot *safechroot.Chroot,
 ) (bool, error) {
 	var err error
 
@@ -33,12 +32,12 @@ func enableVerityPartition(buildDir string, verity *imagecustomizerapi.Verity, i
 	// Integrate systemd veritysetup dracut module into initramfs img.
 	systemdVerityDracutModule := "systemd-veritysetup"
 	dmVerityDracutDriver := "dm-verity"
-	err = addDracutModule(systemdVerityDracutModule, dmVerityDracutDriver, imageChroot)
+	err = addDracutModuleAndDriver(systemdVerityDracutModule, dmVerityDracutDriver, imageChroot)
 	if err != nil {
 		return false, fmt.Errorf("failed to add dracut modules for verity:\n%w", err)
 	}
 
-	err = updateFstabForVerity(buildDir, imageChroot)
+	err = updateFstabForVerity(imageChroot)
 	if err != nil {
 		return false, fmt.Errorf("failed to update fstab file for verity:\n%w", err)
 	}
@@ -51,26 +50,7 @@ func enableVerityPartition(buildDir string, verity *imagecustomizerapi.Verity, i
 	return true, nil
 }
 
-func addDracutModule(dracutModuleName string, dracutDriverName string, imageChroot *safechroot.Chroot) error {
-	dracutConfigFile := filepath.Join(imageChroot.RootDir(), "etc", "dracut.conf.d", dracutModuleName+".conf")
-
-	// Check if the dracut module configuration file already exists.
-	if _, err := os.Stat(dracutConfigFile); os.IsNotExist(err) {
-		lines := []string{
-			// Add white spaces on both sides for dracut config syntax.
-			"add_dracutmodules+=\" " + dracutModuleName + " \"",
-			"add_drivers+=\" " + dracutDriverName + " \"",
-		}
-		err = file.WriteLines(lines, dracutConfigFile)
-		if err != nil {
-			return fmt.Errorf("failed to write to dracut module config file (%s): %w", dracutConfigFile, err)
-		}
-	}
-
-	return nil
-}
-
-func updateFstabForVerity(buildDir string, imageChroot *safechroot.Chroot) error {
+func updateFstabForVerity(imageChroot *safechroot.Chroot) error {
 	var err error
 
 	fstabFile := filepath.Join(imageChroot.RootDir(), "etc", "fstab")
@@ -117,23 +97,22 @@ func prepareGrubConfigForVerity(imageChroot *safechroot.Chroot) error {
 	return nil
 }
 
-func updateGrubConfigForVerity(dataPartitionIdType imagecustomizerapi.IdType, dataPartitionId string,
-	hashPartitionIdType imagecustomizerapi.IdType, hashPartitionId string,
-	corruptionOption imagecustomizerapi.CorruptionOption, rootHash string, grubCfgFullPath string,
+func updateGrubConfigForVerity(verity *imagecustomizerapi.Verity, rootHash string, grubCfgFullPath string,
+	partIdToPartUuid map[string]string,
 ) error {
 	var err error
 
 	// Format the dataPartitionId and hashPartitionId using the helper function.
-	formattedDataPartition, err := systemdFormatPartitionId(dataPartitionIdType, dataPartitionId)
+	formattedDataPartition, err := systemdFormatPartitionId(verity.DataPartition, partIdToPartUuid)
 	if err != nil {
 		return err
 	}
-	formattedHashPartition, err := systemdFormatPartitionId(hashPartitionIdType, hashPartitionId)
+	formattedHashPartition, err := systemdFormatPartitionId(verity.HashPartition, partIdToPartUuid)
 	if err != nil {
 		return err
 	}
 
-	formattedCorruptionOption, err := systemdFormatCorruptionOption(corruptionOption)
+	formattedCorruptionOption, err := systemdFormatCorruptionOption(verity.CorruptionOption)
 	if err != nil {
 		return err
 	}
@@ -184,11 +163,11 @@ func updateGrubConfigForVerity(dataPartitionIdType imagecustomizerapi.IdType, da
 
 // idToPartitionBlockDevicePath returns the block device path for a given idType and id.
 func idToPartitionBlockDevicePath(partitionId imagecustomizerapi.IdentifiedPartition,
-	diskPartitions []diskutils.PartitionInfo,
+	diskPartitions []diskutils.PartitionInfo, partIdToPartUuid map[string]string,
 ) (string, error) {
 	// Iterate over each partition to find the matching id.
 	for _, partition := range diskPartitions {
-		matches, err := partitionMatchesId(partitionId, partition)
+		matches, err := partitionMatchesId(partitionId, partition, partIdToPartUuid)
 		if err != nil {
 			return "", err
 		}
@@ -203,38 +182,46 @@ func idToPartitionBlockDevicePath(partitionId imagecustomizerapi.IdentifiedParti
 }
 
 func partitionMatchesId(partitionId imagecustomizerapi.IdentifiedPartition, partition diskutils.PartitionInfo,
+	partIdToPartUuid map[string]string,
 ) (bool, error) {
 	switch partitionId.IdType {
+	case imagecustomizerapi.IdTypeId:
+		partUuid := partIdToPartUuid[partitionId.Id]
+		return partition.PartUuid == partUuid, nil
+
 	case imagecustomizerapi.IdTypePartLabel:
-		if partition.PartLabel == partitionId.Id {
-			return true, nil
-		}
+		return partition.PartLabel == partitionId.Id, nil
+
 	case imagecustomizerapi.IdTypeUuid:
-		if partition.Uuid == partitionId.Id {
-			return true, nil
-		}
+		return partition.Uuid == partitionId.Id, nil
+
 	case imagecustomizerapi.IdTypePartUuid:
-		if partition.PartUuid == partitionId.Id {
-			return true, nil
-		}
+		return partition.PartUuid == partitionId.Id, nil
+
 	default:
 		return true, fmt.Errorf("invalid idType provided (%s)", string(partitionId.IdType))
 	}
-
-	return false, nil
 }
 
 // systemdFormatPartitionId formats the partition ID based on the ID type following systemd dm-verity style.
-func systemdFormatPartitionId(idType imagecustomizerapi.IdType, id string) (string, error) {
-	switch idType {
+func systemdFormatPartitionId(partition imagecustomizerapi.IdentifiedPartition, partIdToPartUuid map[string]string,
+) (string, error) {
+	switch partition.IdType {
+	case imagecustomizerapi.IdTypeId:
+		partUuid := partIdToPartUuid[partition.Id]
+		return fmt.Sprintf("%s=%s", "PARTUUID", partUuid), nil
+
 	case imagecustomizerapi.IdTypePartLabel:
-		return fmt.Sprintf("%s=%s", "PARTLABEL", id), nil
+		return fmt.Sprintf("%s=%s", "PARTLABEL", partition.Id), nil
+
 	case imagecustomizerapi.IdTypeUuid:
-		return fmt.Sprintf("%s=%s", "UUID", id), nil
+		return fmt.Sprintf("%s=%s", "UUID", partition.Id), nil
+
 	case imagecustomizerapi.IdTypePartUuid:
-		return fmt.Sprintf("%s=%s", "PARTUUID", id), nil
+		return fmt.Sprintf("%s=%s", "PARTUUID", partition.Id), nil
+
 	default:
-		return "", fmt.Errorf("invalid idType provided (%s)", string(idType))
+		return "", fmt.Errorf("invalid idType provided (%s)", string(partition.IdType))
 	}
 }
 
diff --git a/toolkit/tools/pkg/imagecustomizerlib/customizeverity_test.go b/toolkit/tools/pkg/imagecustomizerlib/customizeverity_test.go
index c47f14d8c3c..0f96fc2a8d0 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/customizeverity_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/customizeverity_test.go
@@ -19,9 +19,20 @@ import (
 )
 
 func TestCustomizeImageVerity(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	for _, version := range supportedAzureLinuxVersions {
+		t.Run(string(version), func(t *testing.T) {
+			testCustomizeImageVerityHelper(t, "TestCustomizeImageVerity"+string(version), baseImageTypeCoreEfi,
+				version)
+		})
+	}
+}
 
-	testTempDir := filepath.Join(tmpDir, "TestCustomizeImageVerity")
+func testCustomizeImageVerityHelper(t *testing.T, testName string, imageType baseImageType,
+	imageVersion baseImageVersion,
+) {
+	baseImage := checkSkipForCustomizeImage(t, imageType, imageVersion)
+
+	testTempDir := filepath.Join(tmpDir, testName)
 	buildDir := filepath.Join(testTempDir, "build")
 	outImageFilePath := filepath.Join(testTempDir, "image.raw")
 	configFile := filepath.Join(testDir, "verity-config.yaml")
@@ -63,20 +74,35 @@ func TestCustomizeImageVerity(t *testing.T) {
 	}
 	defer imageConnection.Close()
 
+	partitions, err := getDiskPartitionsMap(imageConnection.Loopback().DevicePath())
+	assert.NoError(t, err, "get disk partitions")
+
 	// Verify that verity is configured correctly.
 	bootPath := filepath.Join(imageConnection.chroot.RootDir(), "/boot")
 	rootDevice := partitionDevPath(imageConnection, 3)
 	hashDevice := partitionDevPath(imageConnection, 4)
-	verifyVerity(t, bootPath, rootDevice, hashDevice)
+	verifyVerity(t, bootPath, rootDevice, hashDevice, "PARTUUID="+partitions[3].PartUuid,
+		"PARTUUID="+partitions[4].PartUuid)
 }
 
 func TestCustomizeImageVerityShrinkExtract(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	for _, version := range supportedAzureLinuxVersions {
+		t.Run(string(version), func(t *testing.T) {
+			testCustomizeImageVerityShrinkExtractHelper(t, "TestCustomizeImageVerityShrinkExtract"+string(version),
+				baseImageTypeCoreEfi, version)
+		})
+	}
+}
 
-	testTempDir := filepath.Join(tmpDir, "TestCustomizeImageVerityShrinkExtract")
+func testCustomizeImageVerityShrinkExtractHelper(t *testing.T, testName string, imageType baseImageType,
+	imageVersion baseImageVersion,
+) {
+	baseImage := checkSkipForCustomizeImage(t, imageType, imageVersion)
+
+	testTempDir := filepath.Join(tmpDir, testName)
 	buildDir := filepath.Join(testTempDir, "build")
 	outImageFilePath := filepath.Join(testTempDir, "image.raw")
-	configFile := filepath.Join(testDir, "verity-config.yaml")
+	configFile := filepath.Join(testDir, "verity-partition-labels.yaml")
 
 	var config imagecustomizerapi.Config
 	err := imagecustomizerapi.UnmarshalYamlFile(configFile, &config)
@@ -130,10 +156,11 @@ func TestCustomizeImageVerityShrinkExtract(t *testing.T) {
 	defer bootMount.Close()
 
 	// Verify that verity is configured correctly.
-	verifyVerity(t, bootMountPath, rootDevice.DevicePath(), hashDevice.DevicePath())
+	verifyVerity(t, bootMountPath, rootDevice.DevicePath(), hashDevice.DevicePath(), "PARTLABEL=root",
+		"PARTLABEL=root-hash")
 }
 
-func verifyVerity(t *testing.T, bootPath string, rootDevice string, hashDevice string) {
+func verifyVerity(t *testing.T, bootPath string, rootDevice string, hashDevice string, rootId string, hashId string) {
 	// Verify verity kernel args.
 	grubCfgPath := filepath.Join(bootPath, "/grub2/grub.cfg")
 	grubCfgContents, err := file.Read(grubCfgPath)
@@ -141,13 +168,13 @@ func verifyVerity(t *testing.T, bootPath string, rootDevice string, hashDevice s
 		return
 	}
 
-	assert.Regexp(t, "linux.* rd.systemd.verity=1 ", grubCfgContents)
-	assert.Regexp(t, "linux.* systemd.verity_root_data=PARTLABEL=root ", grubCfgContents)
-	assert.Regexp(t, "linux.* systemd.verity_root_hash=PARTLABEL=root-hash ", grubCfgContents)
-	assert.Regexp(t, "linux.* systemd.verity_root_options=panic-on-corruption ", grubCfgContents)
+	assert.Regexp(t, `(?m)linux.* rd.systemd.verity=1 `, grubCfgContents)
+	assert.Regexp(t, fmt.Sprintf(`(?m)linux.* systemd.verity_root_data=%s `, rootId), grubCfgContents)
+	assert.Regexp(t, fmt.Sprintf(`(?m)linux.* systemd.verity_root_hash=%s `, hashId), grubCfgContents)
+	assert.Regexp(t, `(?m)linux.* systemd.verity_root_options=panic-on-corruption `, grubCfgContents)
 
 	// Read root hash from grub.cfg file.
-	roothashRegexp, err := regexp.Compile("linux.* roothash=([a-fA-F0-9]*) ")
+	roothashRegexp, err := regexp.Compile(`(?m)linux.* roothash=([a-fA-F0-9]*) `)
 	if !assert.NoError(t, err) {
 		return
 	}
diff --git a/toolkit/tools/pkg/imagecustomizerlib/defaultgrubutils.go b/toolkit/tools/pkg/imagecustomizerlib/defaultgrubutils.go
index 6a0abcf299e..1625e1dc7b8 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/defaultgrubutils.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/defaultgrubutils.go
@@ -137,7 +137,7 @@ func findDefaultGrubFileVarAssign(varAssigns []defaultGrubFileVarAssign, name de
 //   - cmdLineVarAssign: The variable assignment that matches 'varName'.
 //   - args: The list of kernel command-line args.
 //   - insertAt: An index that new kernel command-line args can be inserted at.
-func getDefaultGrubFileLinuxArgs(defaultGrubFileContent string, varName defaultGrubFileVarName,
+func GetDefaultGrubFileLinuxArgs(defaultGrubFileContent string, varName defaultGrubFileVarName,
 ) (defaultGrubFileVarAssign, []grubConfigLinuxArg, int, error) {
 	varAssigns, err := findDefaultGrubFileVarAssigns(defaultGrubFileContent)
 	if err != nil {
@@ -174,7 +174,7 @@ func getDefaultGrubFileLinuxArgs(defaultGrubFileContent string, varName defaultG
 		insertAt = len(argsString)
 	}
 
-	args, err := parseCommandLineArgs(grubTokens)
+	args, err := ParseCommandLineArgs(grubTokens)
 	if err != nil {
 		err = fmt.Errorf("failed to parse %s's value args:\n%w", varName, err)
 		return defaultGrubFileVarAssign{}, nil, 0, err
@@ -185,7 +185,7 @@ func getDefaultGrubFileLinuxArgs(defaultGrubFileContent string, varName defaultG
 
 // Takes the string contents of /etc/default/grub file and inserts the provided command-line args.
 func addExtraCommandLineToDefaultGrubFile(defaultGrubFileContent string, extraCommandLine string) (string, error) {
-	cmdLineVarAssign, _, insertAt, err := getDefaultGrubFileLinuxArgs(defaultGrubFileContent,
+	cmdLineVarAssign, _, insertAt, err := GetDefaultGrubFileLinuxArgs(defaultGrubFileContent,
 		defaultGrubFileVarNameCmdlineLinuxDefault)
 	if err != nil {
 		return "", err
@@ -215,7 +215,7 @@ func addExtraCommandLineToDefaultGrubFile(defaultGrubFileContent string, extraCo
 func updateDefaultGrubFileKernelCommandLineArgs(defaultGrubFileContent string, varName defaultGrubFileVarName,
 	argsToRemove []string, newArgs []string,
 ) (string, error) {
-	cmdLineVarAssign, args, insertAt, err := getDefaultGrubFileLinuxArgs(defaultGrubFileContent, varName)
+	cmdLineVarAssign, args, insertAt, err := GetDefaultGrubFileLinuxArgs(defaultGrubFileContent, varName)
 	if err != nil {
 		return "", err
 	}
@@ -286,7 +286,7 @@ func insertDefaultGrubFileVarAssign(defaultGrubFileContent string, insertAfterLi
 
 // Sets the value of a variable in the /etc/default/grub file, either replacing the existing variable value (if one
 // exists) or adding a new one.
-func updateDefaultGrubFileVariable(defaultGrubFileContent string, varName string, newValue string) (string, error) {
+func UpdateDefaultGrubFileVariable(defaultGrubFileContent string, varName string, newValue string) (string, error) {
 	varAssigns, err := findDefaultGrubFileVarAssigns(defaultGrubFileContent)
 	if err != nil {
 		err = fmt.Errorf("failed to parse %s file:\n%w", installutils.GrubDefFile, err)
@@ -320,7 +320,7 @@ func updateDefaultGrubFileVariable(defaultGrubFileContent string, varName string
 
 // Checks if the image uses grub-mkconfig.
 func isGrubMkconfigEnabled(imageChroot *safechroot.Chroot) (bool, error) {
-	grub2ConfigFile, err := readGrub2ConfigFile(imageChroot)
+	grub2ConfigFile, err := ReadGrub2ConfigFile(imageChroot)
 	if err != nil {
 		return false, err
 	}
@@ -336,7 +336,7 @@ func isGrubMkconfigConfig(grub2Config string) bool {
 }
 
 // Reads the string contents of the /etc/default/grub file.
-func readDefaultGrubFile(imageChroot *safechroot.Chroot) (string, error) {
+func readDefaultGrubFile(imageChroot safechroot.ChrootInterface) (string, error) {
 	logger.Log.Debugf("Reading %s file", installutils.GrubDefFile)
 
 	grub2ConfigFilePath := getDefaultGrubFilePath(imageChroot)
@@ -351,7 +351,7 @@ func readDefaultGrubFile(imageChroot *safechroot.Chroot) (string, error) {
 }
 
 // Writes the string contents of the /etc/default/grub file.
-func writeDefaultGrubFile(grub2Config string, imageChroot *safechroot.Chroot) error {
+func WriteDefaultGrubFile(grub2Config string, imageChroot safechroot.ChrootInterface) error {
 	logger.Log.Debugf("Writing %s file", installutils.GrubDefFile)
 
 	grub2ConfigFilePath := getDefaultGrubFilePath(imageChroot)
@@ -365,6 +365,6 @@ func writeDefaultGrubFile(grub2Config string, imageChroot *safechroot.Chroot) er
 	return nil
 }
 
-func getDefaultGrubFilePath(imageChroot *safechroot.Chroot) string {
+func getDefaultGrubFilePath(imageChroot safechroot.ChrootInterface) string {
 	return filepath.Join(imageChroot.RootDir(), installutils.GrubDefFile)
 }
diff --git a/toolkit/tools/pkg/imagecustomizerlib/dracututils.go b/toolkit/tools/pkg/imagecustomizerlib/dracututils.go
new file mode 100644
index 00000000000..bed64c89d44
--- /dev/null
+++ b/toolkit/tools/pkg/imagecustomizerlib/dracututils.go
@@ -0,0 +1,50 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package imagecustomizerlib
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/file"
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/safechroot"
+)
+
+func addDracutConfig(dracutConfigFile string, lines []string) error {
+	if _, err := os.Stat(dracutConfigFile); os.IsNotExist(err) {
+		err := file.WriteLines(lines, dracutConfigFile)
+		if err != nil {
+			return fmt.Errorf("failed to write to dracut config file (%s): %w", dracutConfigFile, err)
+		}
+	} else {
+		return fmt.Errorf("dracut config file (%s) already exists", dracutConfigFile)
+	}
+	return nil
+}
+
+func addDracutModuleAndDriver(dracutModuleName string, dracutDriverName string, imageChroot *safechroot.Chroot) error {
+	dracutConfigFile := filepath.Join(imageChroot.RootDir(), "etc", "dracut.conf.d", dracutModuleName+".conf")
+	lines := []string{
+		"add_dracutmodules+=\" " + dracutModuleName + " \"",
+		"add_drivers+=\" " + dracutDriverName + " \"",
+	}
+	return addDracutConfig(dracutConfigFile, lines)
+}
+
+func addDracutModule(dracutModuleName string, imageChroot *safechroot.Chroot) error {
+	dracutConfigFile := filepath.Join(imageChroot.RootDir(), "etc", "dracut.conf.d", dracutModuleName+".conf")
+	lines := []string{
+		"add_dracutmodules+=\" " + dracutModuleName + " \"",
+	}
+	return addDracutConfig(dracutConfigFile, lines)
+}
+
+func addDracutDriver(dracutDriverName string, imageChroot *safechroot.Chroot) error {
+	dracutConfigFile := filepath.Join(imageChroot.RootDir(), "etc", "dracut.conf.d", dracutDriverName+".conf")
+	lines := []string{
+		"add_drivers+=\" " + dracutDriverName + " \"",
+	}
+	return addDracutConfig(dracutConfigFile, lines)
+}
diff --git a/toolkit/tools/pkg/imagecustomizerlib/extractpartitions_test.go b/toolkit/tools/pkg/imagecustomizerlib/extractpartitions_test.go
index 43ed4a0f38f..567107664b3 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/extractpartitions_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/extractpartitions_test.go
@@ -146,7 +146,7 @@ func verifySkippableFrameMetadataFromFile(partitionFilepath string, magicNumber
 func TestCustomizeImageNopShrink(t *testing.T) {
 	var err error
 
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	buildDir := filepath.Join(tmpDir, "TestCustomizeImageNopShrink")
 	configFile := filepath.Join(testDir, "consume-space.yaml")
diff --git a/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go b/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go
index f3ce3162e2d..d02b8ac6c4a 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go
@@ -120,7 +120,7 @@ func findLinuxOrInitrdLineAll(inputGrubCfgContent string, commandName string, al
 }
 
 // Find the linux command within the grub config file.
-func findLinuxLine(inputGrubCfgContent string) (grub.Line, error) {
+func FindLinuxLine(inputGrubCfgContent string) (grub.Line, error) {
 	lines, err := findLinuxOrInitrdLineAll(inputGrubCfgContent, linuxCommand, false /*allowMultiple*/)
 	if err != nil {
 		return grub.Line{}, err
@@ -128,6 +128,50 @@ func findLinuxLine(inputGrubCfgContent string) (grub.Line, error) {
 	return lines[0], nil
 }
 
+// Find the linux command within non-recovery mode menuentry block in the grub config file.
+func FindNonRecoveryLinuxLine(inputGrubCfgContent string) ([]grub.Line, error) {
+	grubTokens, err := grub.TokenizeConfig(inputGrubCfgContent)
+	if err != nil {
+		return nil, err
+	}
+
+	grubLines := grub.SplitTokensIntoLines(grubTokens)
+	var linuxLines []grub.Line
+	inMenuEntry := false
+	isRecoveryMenu := false
+
+	// Iterate over all lines to find non-recovery mode menuentry and its linux line
+	for _, line := range grubLines {
+		if len(line.Tokens) > 1 && grub.IsTokenKeyword(line.Tokens[0], "menuentry") {
+			// Found a new 'menuentry', reset flags
+			inMenuEntry = true
+			isRecoveryMenu = false
+
+			// Check if the title (second token) contains the word 'recovery'
+			if strings.Contains(line.Tokens[1].RawContent, "recovery") {
+				isRecoveryMenu = true
+			}
+
+			// If it's a recovery menuentry, ignore this block
+			if isRecoveryMenu {
+				inMenuEntry = false
+			}
+		} else if inMenuEntry {
+			// We are inside a non-recovery menuentry block
+			if len(line.Tokens) > 0 && grub.IsTokenKeyword(line.Tokens[0], "linux") {
+				// Append only lines that contain the 'linux' command
+				linuxLines = append(linuxLines, line)
+			}
+		}
+	}
+
+	if len(linuxLines) == 0 {
+		return nil, fmt.Errorf("no linux line found in non-recovery menuentry")
+	}
+
+	return linuxLines, nil
+}
+
 // Overrides the path of the kernel binary of all the linux commands within a grub config file.
 func setLinuxOrInitrdPathAll(inputGrubCfgContent string, commandName string, filePath string, allowMultiple bool) (outputGrubCfgContent string, oldFilePaths []string, err error) {
 	quotedFilePath := grub.QuoteString(filePath)
@@ -245,7 +289,7 @@ func getLinuxCommandLineArgs(grub2Config string, requireKernelOpts bool) ([]grub
 		return nil, 0, err
 	}
 
-	args, err := parseCommandLineArgs(argTokens)
+	args, err := ParseCommandLineArgs(argTokens)
 	if err != nil {
 		return nil, 0, err
 	}
@@ -295,7 +339,7 @@ func findCommandLineInsertAt(argTokens []grub.Token, requireKernelOpts bool) (in
 }
 
 // Takes a tokenized grub.cfg file and makes a best effort to extract the kernel command-line args.
-func parseCommandLineArgs(argTokens []grub.Token) ([]grubConfigLinuxArg, error) {
+func ParseCommandLineArgs(argTokens []grub.Token) ([]grubConfigLinuxArg, error) {
 	args := []grubConfigLinuxArg(nil)
 
 	for i := range argTokens {
@@ -400,7 +444,7 @@ func replaceKernelCommandLineArgValueAll(inputGrubCfgContent string, name string
 		// Skip the "linux" command and the kernel binary path arg.
 		argTokens := line.Tokens[2:]
 
-		args, err := parseCommandLineArgs(argTokens)
+		args, err := ParseCommandLineArgs(argTokens)
 		if err != nil {
 			return "", nil, err
 		}
@@ -445,7 +489,7 @@ func updateKernelCommandLineArgsAll(grub2Config string, argsToRemove []string, n
 			return "", err
 		}
 
-		args, err := parseCommandLineArgs(argTokens)
+		args, err := ParseCommandLineArgs(argTokens)
 		if err != nil {
 			return "", err
 		}
@@ -474,7 +518,7 @@ func updateKernelCommandLineArgs(grub2Config string, argsToRemove []string, newA
 func updateKernelCommandLineArgsHelper(value string, args []grubConfigLinuxArg, insertAt int,
 	argsToRemove []string, newArgs []string,
 ) (string, error) {
-	newArgsQuoted := grubArgsToString(newArgs)
+	newArgsQuoted := GrubArgsToString(newArgs)
 	foundArgs := findMatchingCommandLineArgs(args, argsToRemove)
 
 	builder := strings.Builder{}
@@ -511,7 +555,7 @@ func updateKernelCommandLineArgsHelper(value string, args []grubConfigLinuxArg,
 
 // Takes a list of unescaped and unquoted kernel command-line args and combines them into a single string with
 // appropriate quoting for a grub.cfg file.
-func grubArgsToString(args []string) string {
+func GrubArgsToString(args []string) string {
 	builder := strings.Builder{}
 	for i, arg := range args {
 		if i != 0 {
@@ -666,7 +710,7 @@ func getSELinuxModeFromLinuxArgs(args []grubConfigLinuxArg) (imagecustomizerapi.
 }
 
 // Gets the SELinux mode set by the /etc/selinux/config file.
-func getSELinuxModeFromConfigFile(imageChroot *safechroot.Chroot) (imagecustomizerapi.SELinuxMode, error) {
+func getSELinuxModeFromConfigFile(imageChroot safechroot.ChrootInterface) (imagecustomizerapi.SELinuxMode, error) {
 	selinuxConfigFilePath := filepath.Join(imageChroot.RootDir(), installutils.SELinuxConfigFile)
 
 	// Read the SELinux config file.
@@ -701,7 +745,7 @@ func getSELinuxModeFromConfigFile(imageChroot *safechroot.Chroot) (imagecustomiz
 }
 
 // Reads the /boot/grub2/grub.cfg file.
-func readGrub2ConfigFile(imageChroot *safechroot.Chroot) (string, error) {
+func ReadGrub2ConfigFile(imageChroot safechroot.ChrootInterface) (string, error) {
 	logger.Log.Debugf("Reading grub.cfg file")
 
 	grub2ConfigFilePath := getGrub2ConfigFilePath(imageChroot)
@@ -716,7 +760,7 @@ func readGrub2ConfigFile(imageChroot *safechroot.Chroot) (string, error) {
 }
 
 // Writes the /boot/grub2/grub.cfg file.
-func writeGrub2ConfigFile(grub2Config string, imageChroot *safechroot.Chroot) error {
+func writeGrub2ConfigFile(grub2Config string, imageChroot safechroot.ChrootInterface) error {
 	logger.Log.Debugf("Writing grub.cfg file")
 
 	grub2ConfigFilePath := getGrub2ConfigFilePath(imageChroot)
@@ -730,7 +774,7 @@ func writeGrub2ConfigFile(grub2Config string, imageChroot *safechroot.Chroot) er
 	return nil
 }
 
-func getGrub2ConfigFilePath(imageChroot *safechroot.Chroot) string {
+func getGrub2ConfigFilePath(imageChroot safechroot.ChrootInterface) string {
 	return filepath.Join(imageChroot.RootDir(), installutils.GrubCfgFile)
 }
 
diff --git a/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go b/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go
index 37f0db1168f..2d91123dd49 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer.go
@@ -172,6 +172,8 @@ func CustomizeImageWithConfigFile(buildDir string, configFile string, imageFile
 ) error {
 	var err error
 
+	logVersionsOfToolDeps()
+
 	var config imagecustomizerapi.Config
 	err = imagecustomizerapi.UnmarshalYamlFile(configFile, &config)
 	if err != nil {
@@ -344,7 +346,8 @@ func customizeOSContents(ic *ImageCustomizerParameters) error {
 	}
 
 	// Customize the partitions.
-	partitionsCustomized, newRawImageFile, err := customizePartitions(ic.buildDirAbs, ic.configPath, ic.config, ic.rawImageFile)
+	partitionsCustomized, newRawImageFile, partIdToPartUuid, err := customizePartitions(ic.buildDirAbs,
+		ic.configPath, ic.config, ic.rawImageFile)
 	if err != nil {
 		return err
 	}
@@ -357,8 +360,8 @@ func customizeOSContents(ic *ImageCustomizerParameters) error {
 	}
 
 	// Customize the raw image file.
-	err = customizeImageHelper(ic.buildDirAbs, ic.configPath, ic.config, ic.rawImageFile, ic.rpmsSources, ic.useBaseImageRpmRepos,
-		partitionsCustomized, imageUuidStr)
+	err = customizeImageHelper(ic.buildDirAbs, ic.configPath, ic.config, ic.rawImageFile, ic.rpmsSources,
+		ic.useBaseImageRpmRepos, partitionsCustomized, imageUuidStr)
 	if err != nil {
 		return err
 	}
@@ -370,7 +373,7 @@ func customizeOSContents(ic *ImageCustomizerParameters) error {
 			verityHashPartitionId = ptrutils.PtrTo(ic.config.OS.Verity.HashPartition)
 		}
 
-		err = shrinkFilesystemsHelper(ic.rawImageFile, verityHashPartitionId)
+		err = shrinkFilesystemsHelper(ic.rawImageFile, verityHashPartitionId, partIdToPartUuid)
 		if err != nil {
 			return fmt.Errorf("failed to shrink filesystems:\n%w", err)
 		}
@@ -378,7 +381,7 @@ func customizeOSContents(ic *ImageCustomizerParameters) error {
 
 	if ic.config.OS.Verity != nil {
 		// Customize image for dm-verity, setting up verity metadata and security features.
-		err = customizeVerityImageHelper(ic.buildDirAbs, ic.configPath, ic.config, ic.rawImageFile)
+		err = customizeVerityImageHelper(ic.buildDirAbs, ic.configPath, ic.config, ic.rawImageFile, partIdToPartUuid)
 		if err != nil {
 			return err
 		}
@@ -509,20 +512,25 @@ func validateConfig(baseConfigPath string, config *imagecustomizerapi.Config, rp
 	return nil
 }
 
-func validateAdditionalFiles(baseConfigPath string, additionalFiles imagecustomizerapi.AdditionalFilesMap) error {
-	var aggregateErr error
-	for sourceFile := range additionalFiles {
-		sourceFileFullPath := file.GetAbsPathWithBase(baseConfigPath, sourceFile)
-		isFile, err := file.IsFile(sourceFileFullPath)
-		if err != nil {
-			aggregateErr = errors.Join(aggregateErr, fmt.Errorf("invalid additionalFiles source file (%s):\n%w", sourceFile, err))
-		}
+func validateAdditionalFiles(baseConfigPath string, additionalFiles imagecustomizerapi.AdditionalFileList) error {
+	errs := []error(nil)
+	for _, additionalFile := range additionalFiles {
+		switch {
+		case additionalFile.Source != "":
+			sourceFileFullPath := file.GetAbsPathWithBase(baseConfigPath, additionalFile.Source)
+			isFile, err := file.IsFile(sourceFileFullPath)
+			if err != nil {
+				errs = append(errs, fmt.Errorf("invalid additionalFiles source file (%s):\n%w", additionalFile.Source, err))
+			}
 
-		if !isFile {
-			aggregateErr = errors.Join(aggregateErr, fmt.Errorf("invalid additionalFiles source file (%s): not a file", sourceFile))
+			if !isFile {
+				errs = append(errs, fmt.Errorf("invalid additionalFiles source file (%s):\nnot a file",
+					additionalFile.Source))
+			}
 		}
 	}
-	return aggregateErr
+
+	return errors.Join(errs...)
 }
 
 func validateIsoConfig(baseConfigPath string, config *imagecustomizerapi.Iso) error {
@@ -650,7 +658,8 @@ func validatePackageLists(baseConfigPath string, config *imagecustomizerapi.OS,
 
 func customizeImageHelper(buildDir string, baseConfigPath string, config *imagecustomizerapi.Config,
 	rawImageFile string, rpmsSources []string, useBaseImageRpmRepos bool, partitionsCustomized bool,
-	imageUuidStr string) error {
+	imageUuidStr string,
+) error {
 	logger.Log.Debugf("Customizing OS")
 
 	imageConnection, err := connectToExistingImage(rawImageFile, buildDir, "imageroot", true)
@@ -700,7 +709,9 @@ func extractPartitionsHelper(rawImageFile string, outputDir string, outputBasena
 	return nil
 }
 
-func shrinkFilesystemsHelper(buildImageFile string, verityHashPartition *imagecustomizerapi.IdentifiedPartition) error {
+func shrinkFilesystemsHelper(buildImageFile string, verityHashPartition *imagecustomizerapi.IdentifiedPartition,
+	partIdToPartUuid map[string]string,
+) error {
 	imageLoopback, err := safeloopback.NewLoopback(buildImageFile)
 	if err != nil {
 		return err
@@ -708,7 +719,7 @@ func shrinkFilesystemsHelper(buildImageFile string, verityHashPartition *imagecu
 	defer imageLoopback.Close()
 
 	// Shrink the filesystems.
-	err = shrinkFilesystems(imageLoopback.DevicePath(), verityHashPartition)
+	err = shrinkFilesystems(imageLoopback.DevicePath(), verityHashPartition, partIdToPartUuid)
 	if err != nil {
 		return err
 	}
@@ -722,7 +733,7 @@ func shrinkFilesystemsHelper(buildImageFile string, verityHashPartition *imagecu
 }
 
 func customizeVerityImageHelper(buildDir string, baseConfigPath string, config *imagecustomizerapi.Config,
-	buildImageFile string,
+	buildImageFile string, partIdToPartUuid map[string]string,
 ) error {
 	var err error
 
@@ -738,11 +749,11 @@ func customizeVerityImageHelper(buildDir string, baseConfigPath string, config *
 	}
 
 	// Extract the partition block device path.
-	dataPartition, err := idToPartitionBlockDevicePath(config.OS.Verity.DataPartition, diskPartitions)
+	dataPartition, err := idToPartitionBlockDevicePath(config.OS.Verity.DataPartition, diskPartitions, partIdToPartUuid)
 	if err != nil {
 		return err
 	}
-	hashPartition, err := idToPartitionBlockDevicePath(config.OS.Verity.HashPartition, diskPartitions)
+	hashPartition, err := idToPartitionBlockDevicePath(config.OS.Verity.HashPartition, diskPartitions, partIdToPartUuid)
 	if err != nil {
 		return err
 	}
@@ -788,9 +799,7 @@ func customizeVerityImageHelper(buildDir string, baseConfigPath string, config *
 		return fmt.Errorf("failed to stat file (%s):\n%w", grubCfgFullPath, err)
 	}
 
-	err = updateGrubConfigForVerity(config.OS.Verity.DataPartition.IdType, config.OS.Verity.DataPartition.Id,
-		config.OS.Verity.HashPartition.IdType, config.OS.Verity.HashPartition.Id, config.OS.Verity.CorruptionOption,
-		rootHash, grubCfgFullPath)
+	err = updateGrubConfigForVerity(config.OS.Verity, rootHash, grubCfgFullPath, partIdToPartUuid)
 	if err != nil {
 		return err
 	}
diff --git a/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer_test.go b/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer_test.go
index 89a6e1a91fd..335fd2c0b39 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/imagecustomizer_test.go
@@ -48,7 +48,7 @@ var (
 func TestCustomizeImageEmptyConfig(t *testing.T) {
 	var err error
 
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	buildDir := filepath.Join(tmpDir, "TestCustomizeImageEmptyConfig")
 	outImageFilePath := filepath.Join(buildDir, "image.vhd")
@@ -64,37 +64,6 @@ func TestCustomizeImageEmptyConfig(t *testing.T) {
 	checkFileType(t, outImageFilePath, "vhd")
 }
 
-func TestCustomizeImageCopyFiles(t *testing.T) {
-	var err error
-
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
-
-	buildDir := filepath.Join(tmpDir, "TestCustomizeImageCopyFiles")
-	configFile := filepath.Join(testDir, "addfiles-config.yaml")
-	outImageFilePath := filepath.Join(buildDir, "image.qcow2")
-
-	// Customize image.
-	err = CustomizeImageWithConfigFile(buildDir, configFile, baseImage, nil, outImageFilePath, "raw", "", false, false)
-	if !assert.NoError(t, err) {
-		return
-	}
-
-	// Check output file type.
-	checkFileType(t, outImageFilePath, "raw")
-
-	// Mount the output disk image so that its contents can be checked.
-	imageConnection, err := connectToCoreEfiImage(buildDir, outImageFilePath)
-	if !assert.NoError(t, err) {
-		return
-	}
-	defer imageConnection.Close()
-
-	// Check the contents of the copied file.
-	file_contents, err := os.ReadFile(filepath.Join(imageConnection.Chroot().RootDir(), "a.txt"))
-	assert.NoError(t, err)
-	assert.Equal(t, "abcdefg\n", string(file_contents))
-}
-
 func connectToCoreEfiImage(buildDir string, imageFilePath string) (*ImageConnection, error) {
 	return connectToImage(buildDir, imageFilePath, false /*includeDefaultMounts*/, coreEfiMountPoints)
 }
@@ -149,8 +118,11 @@ func partitionDevPath(imageConnection *ImageConnection, partitionNum int) string
 func TestValidateConfigValidAdditionalFiles(t *testing.T) {
 	err := validateConfig(testDir, &imagecustomizerapi.Config{
 		OS: &imagecustomizerapi.OS{
-			AdditionalFiles: imagecustomizerapi.AdditionalFilesMap{
-				"files/a.txt": {{Path: "/a.txt"}},
+			AdditionalFiles: imagecustomizerapi.AdditionalFileList{
+				{
+					Source:      "files/a.txt",
+					Destination: "/a.txt",
+				},
 			},
 		}}, nil, true)
 	assert.NoError(t, err)
@@ -159,8 +131,11 @@ func TestValidateConfigValidAdditionalFiles(t *testing.T) {
 func TestValidateConfigMissingAdditionalFiles(t *testing.T) {
 	err := validateConfig(testDir, &imagecustomizerapi.Config{
 		OS: &imagecustomizerapi.OS{
-			AdditionalFiles: imagecustomizerapi.AdditionalFilesMap{
-				"files/missing_a.txt": {{Path: "/a.txt"}},
+			AdditionalFiles: imagecustomizerapi.AdditionalFileList{
+				{
+					Source:      "files/missing_a.txt",
+					Destination: "/a.txt",
+				},
 			},
 		}}, nil, true)
 	assert.Error(t, err)
@@ -169,8 +144,11 @@ func TestValidateConfigMissingAdditionalFiles(t *testing.T) {
 func TestValidateConfigdditionalFilesIsDir(t *testing.T) {
 	err := validateConfig(testDir, &imagecustomizerapi.Config{
 		OS: &imagecustomizerapi.OS{
-			AdditionalFiles: imagecustomizerapi.AdditionalFilesMap{
-				"files": {{Path: "/a.txt"}},
+			AdditionalFiles: imagecustomizerapi.AdditionalFileList{
+				{
+					Source:      "files",
+					Destination: "/a.txt",
+				},
 			},
 		}}, nil, true)
 	assert.Error(t, err)
@@ -206,7 +184,7 @@ func TestValidateConfigScriptNonLocalFile(t *testing.T) {
 func TestCustomizeImageKernelCommandLineAdd(t *testing.T) {
 	var err error
 
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	buildDir := filepath.Join(tmpDir, "TestCustomizeImageKernelCommandLine")
 	outImageFilePath := filepath.Join(buildDir, "image.vhd")
diff --git a/toolkit/tools/pkg/imagecustomizerlib/imageutils.go b/toolkit/tools/pkg/imagecustomizerlib/imageutils.go
index 64ecaeb31b1..b8927491800 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/imageutils.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/imageutils.go
@@ -60,52 +60,52 @@ func connectToExistingImageHelper(imageConnection *ImageConnection, imageFilePat
 func createNewImage(filename string, diskConfig imagecustomizerapi.Disk,
 	fileSystems []imagecustomizerapi.FileSystem, buildDir string, chrootDirName string,
 	installOS installOSFunc,
-) error {
+) (map[string]string, error) {
 	imageConnection := NewImageConnection()
 	defer imageConnection.Close()
 
-	err := createNewImageHelper(imageConnection, filename, diskConfig, fileSystems, buildDir, chrootDirName,
+	partIdToPartUuid, err := createNewImageHelper(imageConnection, filename, diskConfig, fileSystems, buildDir, chrootDirName,
 		installOS)
 	if err != nil {
-		return fmt.Errorf("failed to create new image:\n%w", err)
+		return nil, fmt.Errorf("failed to create new image:\n%w", err)
 	}
 
 	// Close image.
 	err = imageConnection.CleanClose()
 	if err != nil {
-		return err
+		return nil, err
 	}
 
-	return nil
+	return partIdToPartUuid, nil
 }
 
 func createNewImageHelper(imageConnection *ImageConnection, filename string, diskConfig imagecustomizerapi.Disk,
 	fileSystems []imagecustomizerapi.FileSystem, buildDir string, chrootDirName string,
 	installOS installOSFunc,
-) error {
+) (map[string]string, error) {
 
 	// Convert config to image config types, so that the imager's utils can be used.
 	imagerDiskConfig, err := diskConfigToImager(diskConfig, fileSystems)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	imagerPartitionSettings, err := partitionSettingsToImager(fileSystems)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	// Create imager boilerplate.
-	_, tmpFstabFile, err := createImageBoilerplate(imageConnection, filename, buildDir, chrootDirName, imagerDiskConfig,
-		imagerPartitionSettings)
+	partIdToPartUuid, tmpFstabFile, err := createImageBoilerplate(imageConnection, filename, buildDir, chrootDirName,
+		imagerDiskConfig, imagerPartitionSettings)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	// Install the OS.
 	err = installOS(imageConnection.Chroot())
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	// Move the fstab file into the image.
@@ -113,10 +113,10 @@ func createNewImageHelper(imageConnection *ImageConnection, filename string, dis
 
 	err = file.Move(tmpFstabFile, imageFstabFilePath)
 	if err != nil {
-		return fmt.Errorf("failed to move fstab into new image:\n%w", err)
+		return nil, fmt.Errorf("failed to move fstab into new image:\n%w", err)
 	}
 
-	return nil
+	return partIdToPartUuid, nil
 }
 
 func configureDiskBootLoader(imageConnection *ImageConnection, rootMountIdType imagecustomizerapi.MountIdentifierType,
@@ -189,6 +189,12 @@ func createImageBoilerplate(imageConnection *ImageConnection, filename string, b
 		return nil, "", err
 	}
 
+	// Create mapping from partition ID to partition UUID.
+	partIdToPartUuid, err := createPartIdToPartUuidMap(partIDToDevPathMap, diskPartitions)
+	if err != nil {
+		return nil, "", err
+	}
+
 	// Create the fstab file.
 	// This is done so that we can read back the file using findmnt, which conveniently splits the vfs and fs mount
 	// options for us. If we wanted to handle this more directly, we could create a golang wrapper around libmount
@@ -232,5 +238,22 @@ func createImageBoilerplate(imageConnection *ImageConnection, filename string, b
 		return nil, "", err
 	}
 
-	return mountPointMap, tmpFstabFile, nil
+	return partIdToPartUuid, tmpFstabFile, nil
+}
+
+func createPartIdToPartUuidMap(partIDToDevPathMap map[string]string, diskPartitions []diskutils.PartitionInfo,
+) (map[string]string, error) {
+	partIdToPartUuid := make(map[string]string)
+	for partId, devPath := range partIDToDevPathMap {
+		partition, found := sliceutils.FindValueFunc(diskPartitions, func(partition diskutils.PartitionInfo) bool {
+			return devPath == partition.Path
+		})
+		if !found {
+			return nil, fmt.Errorf("failed to find partition for device path (%s)", devPath)
+		}
+
+		partIdToPartUuid[partId] = partition.PartUuid
+	}
+
+	return partIdToPartUuid, nil
 }
diff --git a/toolkit/tools/pkg/imagecustomizerlib/installedkernelcheck_test.go b/toolkit/tools/pkg/imagecustomizerlib/installedkernelcheck_test.go
index c350243af28..b1b92848506 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/installedkernelcheck_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/installedkernelcheck_test.go
@@ -11,7 +11,7 @@ import (
 )
 
 func TestCustomizeImageMissingKernel(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageMissingKernel")
 	buildDir := filepath.Join(testTmpDir, "build")
diff --git a/toolkit/tools/pkg/imagecustomizerlib/kernelmoduleutils.go b/toolkit/tools/pkg/imagecustomizerlib/kernelmoduleutils.go
index 48da04c017e..bbf599c6237 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/kernelmoduleutils.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/kernelmoduleutils.go
@@ -14,14 +14,27 @@ import (
 	"github.com/microsoft/azurelinux/toolkit/tools/internal/logger"
 )
 
+const (
+	modprobeConfigDir    = "/etc/modprobe.d"
+	modulesLoadConfigDir = "/etc/modules-load.d"
+
+	moduleDisabledFileName = "modules-disabled.conf"
+	moduleLoadFileName     = "modules-load.conf"
+	moduleOptionsFileName  = "module-options.conf"
+
+	moduleDisabledPath = modprobeConfigDir + "/" + moduleDisabledFileName
+	moduleLoadPath     = modulesLoadConfigDir + "/" + moduleLoadFileName
+	moduleOptionsPath  = modprobeConfigDir + "/" + moduleOptionsFileName
+)
+
 func loadOrDisableModules(modules []imagecustomizerapi.Module, rootDir string) error {
 	var err error
 	var modulesToLoad []string
 	var modulesToDisable []string
 	moduleOptionsUpdates := make(map[string]map[string]string)
-	moduleDisableFilePath := filepath.Join(rootDir, "etc/modprobe.d/modules-disabled.conf")
-	moduleLoadFilePath := filepath.Join(rootDir, "etc/modules-load.d/modules-load.conf")
-	moduleOptionsFilePath := filepath.Join(rootDir, "etc/modprobe.d/module-options.conf")
+	moduleDisableFilePath := filepath.Join(rootDir, moduleDisabledPath)
+	moduleLoadFilePath := filepath.Join(rootDir, moduleLoadPath)
+	moduleOptionsFilePath := filepath.Join(rootDir, moduleOptionsPath)
 
 	for i, module := range modules {
 		switch module.LoadMode {
@@ -154,10 +167,10 @@ func ensureModulesDisabled(moduleNames []string, moduleDisableFilePath string) e
 	needUpdate := false
 
 	for _, moduleName := range moduleNames {
-		blacklistEntry := "blacklist " + moduleName
-		if !strings.Contains(contentString, blacklistEntry+"\n") {
+		disableEntry := "blacklist " + moduleName
+		if !strings.Contains(contentString, disableEntry+"\n") {
 			// Append the module to be disabled if it's not already in the file
-			updatedContent += blacklistEntry + "\n"
+			updatedContent += disableEntry + "\n"
 			needUpdate = true
 			logger.Log.Infof("Setting module (%s) to be disabled", moduleName)
 		}
@@ -188,8 +201,8 @@ func isModuleDisabled(moduleName, moduleDisableFilePath string) (bool, error) {
 		return false, err
 	}
 
-	blacklistEntry := "blacklist " + moduleName
-	if strings.Contains(string(content), blacklistEntry+"\n") {
+	disableEntry := "blacklist " + moduleName
+	if strings.Contains(string(content), disableEntry+"\n") {
 		return true, nil
 	}
 
diff --git a/toolkit/tools/pkg/imagecustomizerlib/kernelmoduleutils_test.go b/toolkit/tools/pkg/imagecustomizerlib/kernelmoduleutils_test.go
index 31163feb33d..c1295a7d86f 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/kernelmoduleutils_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/kernelmoduleutils_test.go
@@ -10,6 +10,7 @@ import (
 	"testing"
 
 	"github.com/microsoft/azurelinux/toolkit/tools/imagecustomizerapi"
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/file"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -35,9 +36,9 @@ func TestLoadOrDisableModules(t *testing.T) {
 	err := loadOrDisableModules(modules, rootDir)
 	assert.NoError(t, err)
 
-	moduleLoadFilePath := filepath.Join(rootDir, "etc/modules-load.d/modules-load.conf")
-	moduleOptionsFilePath := filepath.Join(rootDir, "etc/modprobe.d/module-options.conf")
-	moduleDisableFilePath := filepath.Join(rootDir, "etc/modprobe.d/modules-disabled.conf")
+	moduleLoadFilePath := filepath.Join(rootDir, moduleLoadPath)
+	moduleOptionsFilePath := filepath.Join(rootDir, moduleOptionsPath)
+	moduleDisableFilePath := filepath.Join(rootDir, moduleDisabledPath)
 
 	moduleLoadContent, err := os.ReadFile(moduleLoadFilePath)
 	if err != nil {
@@ -118,8 +119,8 @@ func TestLoadOrDisableModules(t *testing.T) {
 
 func TestEnsureModulesLoaded(t *testing.T) {
 	buildDir := filepath.Join(tmpDir, "TestEnsureModulesLoaded")
-	modulesLoadPath := filepath.Join(buildDir, "etc/modules-load.d")
-	moduleLoadFilePath := filepath.Join(modulesLoadPath, "modules.conf")
+	modulesLoadPath := filepath.Join(buildDir, modulesLoadConfigDir)
+	moduleLoadFilePath := filepath.Join(modulesLoadPath, moduleLoadFileName)
 
 	// Only create parent directory. Test case where the file does not exist
 	err := os.MkdirAll(modulesLoadPath, os.ModePerm)
@@ -153,8 +154,8 @@ func TestEnsureModulesLoaded(t *testing.T) {
 
 func TestEnsureModulesDisabled(t *testing.T) {
 	buildDir := filepath.Join(tmpDir, "TestEnsureModulesDisabled")
-	modprobePath := filepath.Join(buildDir, "etc/modprobe.d")
-	moduleDisableFilePath := filepath.Join(modprobePath, "blacklist.conf")
+	modprobePath := filepath.Join(buildDir, modprobeConfigDir)
+	moduleDisableFilePath := filepath.Join(modprobePath, moduleDisabledFileName)
 	err := os.MkdirAll(modprobePath, os.ModePerm)
 	assert.NoError(t, err)
 
@@ -185,8 +186,8 @@ func TestEnsureModulesDisabled(t *testing.T) {
 
 func TestRemoveModuleFromDisableList(t *testing.T) {
 	buildDir := filepath.Join(tmpDir, "TestRemoveModuleFromDisableList")
-	modprobePath := filepath.Join(buildDir, "etc/modprobe.d")
-	moduleDisableFilePath := filepath.Join(modprobePath, "blacklist.conf")
+	modprobePath := filepath.Join(buildDir, modprobeConfigDir)
+	moduleDisableFilePath := filepath.Join(modprobePath, moduleDisabledFileName)
 	err := os.MkdirAll(modprobePath, os.ModePerm)
 	assert.NoError(t, err)
 
@@ -216,3 +217,43 @@ func TestRemoveModuleFromDisableList(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "blacklist module2\n", string(content))
 }
+
+func TestCustomizeImageKernelModules(t *testing.T) {
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
+
+	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageKernelModules")
+	buildDir := filepath.Join(testTmpDir, "build")
+	configFile := filepath.Join(testDir, "modules-config.yaml")
+	outImageFilePath := filepath.Join(testTmpDir, "image.raw")
+
+	// Customize image.
+	err := CustomizeImageWithConfigFile(buildDir, configFile, baseImage, nil, outImageFilePath, "raw", "",
+		false /*useBaseImageRpmRepos*/, false /*enableShrinkFilesystems*/)
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	imageConnection, err := connectToCoreEfiImage(buildDir, outImageFilePath)
+	if !assert.NoError(t, err) {
+		return
+	}
+	defer imageConnection.Close()
+
+	// Verify 'loadMode: always'
+	loadContent, err := file.Read(filepath.Join(imageConnection.Chroot().RootDir(), moduleLoadPath))
+	assert.NoError(t, err)
+	assert.Regexp(t, "(?m)^vfio$", loadContent)
+	assert.Regexp(t, "(?m)^mlx5_ib$", loadContent)
+
+	// Verify 'loadMode: disable'
+	disabledContent, err := file.Read(filepath.Join(imageConnection.Chroot().RootDir(), moduleDisabledPath))
+	assert.NoError(t, err)
+	assert.Regexp(t, "(?m)^blacklist mousedev$", disabledContent)
+
+	// Verify 'options'.
+	optionsContent, err := file.Read(filepath.Join(imageConnection.Chroot().RootDir(), moduleOptionsPath))
+	assert.NoError(t, err)
+	assert.Regexp(t, "(?m)^options vfio.* enable_unsafe_noiommu_mode=Y", optionsContent)
+	assert.Regexp(t, "(?m)^options vfio.* disable_vga=Y", optionsContent)
+	assert.Regexp(t, "(?m)^options e1000e InterruptThrottleRate=3000,3000,3000$", optionsContent)
+}
diff --git a/toolkit/tools/pkg/imagecustomizerlib/liveosisobuilder.go b/toolkit/tools/pkg/imagecustomizerlib/liveosisobuilder.go
index e6b3311a659..01d8bffb878 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/liveosisobuilder.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/liveosisobuilder.go
@@ -928,16 +928,18 @@ func micIsoConfigToIsoMakerConfig(baseConfigPath string, isoConfig *imagecustomi
 
 	additionalIsoFiles = []safechroot.FileToCopy{}
 
-	for sourcePath, fileConfigs := range isoConfig.AdditionalFiles {
-		absSourcePath := file.GetAbsPathWithBase(baseConfigPath, sourcePath)
-		for _, fileConfig := range fileConfigs {
-			fileToCopy := safechroot.FileToCopy{
-				Src:         absSourcePath,
-				Dest:        fileConfig.Path,
-				Permissions: (*fs.FileMode)(fileConfig.Permissions),
-			}
-			additionalIsoFiles = append(additionalIsoFiles, fileToCopy)
+	for _, additionalFile := range isoConfig.AdditionalFiles {
+		absSourceFile := ""
+		if additionalFile.Source != "" {
+			absSourceFile = file.GetAbsPathWithBase(baseConfigPath, additionalFile.Source)
+		}
+		fileToCopy := safechroot.FileToCopy{
+			Src:         absSourceFile,
+			Content:     additionalFile.Content,
+			Dest:        additionalFile.Destination,
+			Permissions: (*fs.FileMode)(additionalFile.Permissions),
 		}
+		additionalIsoFiles = append(additionalIsoFiles, fileToCopy)
 	}
 
 	return additionalIsoFiles, extraCommandLine, nil
@@ -1424,24 +1426,22 @@ func (b *LiveOSIsoBuilder) createWriteableImageFromSquashfs(buildDir, rawImageFi
 
 	// define a disk layout with a boot partition and a rootfs partition
 	maxDiskSizeMB := imagecustomizerapi.DiskSize(safeDiskSizeMB * diskutils.MiB)
-	var bootPartitionStart imagecustomizerapi.DiskSize
-	bootPartitionStart = imagecustomizerapi.DiskSize(1 * diskutils.MiB)
-	var bootPartitionEnd imagecustomizerapi.DiskSize
-	bootPartitionEnd = imagecustomizerapi.DiskSize(9 * diskutils.MiB)
+	bootPartitionStart := imagecustomizerapi.DiskSize(1 * diskutils.MiB)
+	bootPartitionEnd := imagecustomizerapi.DiskSize(9 * diskutils.MiB)
 
 	diskConfig := imagecustomizerapi.Disk{
 		PartitionTableType: imagecustomizerapi.PartitionTableTypeGpt,
-		MaxSize:            maxDiskSizeMB,
+		MaxSize:            &maxDiskSizeMB,
 		Partitions: []imagecustomizerapi.Partition{
 			{
 				Id:    "esp",
-				Start: bootPartitionStart,
+				Start: &bootPartitionStart,
 				End:   &bootPartitionEnd,
 				Type:  imagecustomizerapi.PartitionTypeESP,
 			},
 			{
 				Id:    "rootfs",
-				Start: bootPartitionEnd,
+				Start: &bootPartitionEnd,
 			},
 		},
 	}
@@ -1479,7 +1479,7 @@ func (b *LiveOSIsoBuilder) createWriteableImageFromSquashfs(buildDir, rawImageFi
 
 	// create the new raw disk image
 	writeableChrootDir := "writeable-raw-image"
-	err = createNewImage(rawImageFile, diskConfig, fileSystemConfigs, buildDir, writeableChrootDir, installOSFunc)
+	_, err = createNewImage(rawImageFile, diskConfig, fileSystemConfigs, buildDir, writeableChrootDir, installOSFunc)
 	if err != nil {
 		return fmt.Errorf("failed to copy squashfs into new writeable image (%s):\n%w", rawImageFile, err)
 	}
diff --git a/toolkit/tools/pkg/imagecustomizerlib/liveosisobuilder_test.go b/toolkit/tools/pkg/imagecustomizerlib/liveosisobuilder_test.go
index ea5cb43a2bb..cf5d915afd0 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/liveosisobuilder_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/liveosisobuilder_test.go
@@ -22,7 +22,7 @@ import (
 // - Kernel command-line arg append.
 // - .iso.additionalFiles
 func TestCustomizeImageLiveCd1(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTempDir := filepath.Join(tmpDir, "TestCustomizeImageLiveCd1")
 	buildDir := filepath.Join(testTempDir, "build")
@@ -82,15 +82,15 @@ func TestCustomizeImageLiveCd1(t *testing.T) {
 			KernelCommandLine: imagecustomizerapi.KernelCommandLine{
 				ExtraCommandLine: "rd.debug",
 			},
-			AdditionalFiles: imagecustomizerapi.AdditionalFilesMap{
-				"files/b.txt": []imagecustomizerapi.FileConfig{
-					{
-						Path: "/b1.txt",
-					},
-					{
-						Path:        "/b2.txt",
-						Permissions: &b2FilePerms,
-					},
+			AdditionalFiles: imagecustomizerapi.AdditionalFileList{
+				{
+					Source:      "files/b.txt",
+					Destination: "/b1.txt",
+				},
+				{
+					Source:      "files/b.txt",
+					Destination: "/b2.txt",
+					Permissions: &b2FilePerms,
 				},
 			},
 		},
@@ -139,7 +139,7 @@ func TestCustomizeImageLiveCd1(t *testing.T) {
 // - vhdx to ISO, with no OS changes.
 // - ISO to ISO, with OS changes.
 func TestCustomizeImageLiveCd2(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTempDir := filepath.Join(tmpDir, "TestCustomizeImageLiveCd2")
 	buildDir := filepath.Join(testTempDir, "build")
@@ -201,7 +201,7 @@ func TestCustomizeImageLiveCd2(t *testing.T) {
 }
 
 func TestCustomizeImageLiveCdIsoNoShimEfi(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	buildDir := filepath.Join(tmpDir, "TestCustomizeImageLiveCdIso")
 	outImageFilePath := filepath.Join(buildDir, "image.iso")
@@ -223,7 +223,7 @@ func TestCustomizeImageLiveCdIsoNoShimEfi(t *testing.T) {
 }
 
 func TestCustomizeImageLiveCdIsoNoGrubEfi(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	buildDir := filepath.Join(tmpDir, "TestCustomizeImageLiveCdIso")
 	outImageFilePath := filepath.Join(buildDir, "image.iso")
diff --git a/toolkit/tools/pkg/imagecustomizerlib/main_test.go b/toolkit/tools/pkg/imagecustomizerlib/main_test.go
index 7f2a507d0bb..9ffa11305df 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/main_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/main_test.go
@@ -23,15 +23,33 @@ const (
 	baseImageTypeCoreLegacy baseImageType = "core-legacy"
 )
 
+type baseImageVersion string
+
+const (
+	baseImageVersionAzl2 baseImageVersion = "2.0"
+	baseImageVersionAzl3 baseImageVersion = "3.0"
+
+	// Most features don't have version Azure Linux version specific behavior.
+	// So, there is only minimal value in duplicating the tests across versions for such features.
+	baseImageVersionDefault = baseImageVersionAzl2
+)
+
 var (
-	baseImageCoreEfi    = flag.String("base-image-core-efi", "", "A core-efi image to use as a base image.")
-	baseImageCoreLegacy = flag.String("base-image-core-legacy", "", "A core-legacy image to use as a base image.")
+	baseImageCoreEfiAzl2    = flag.String("base-image-core-efi-azl2", "", "A core-efi 2.0 image to use as a base image.")
+	baseImageCoreEfiAzl3    = flag.String("base-image-core-efi-azl3", "", "A core-efi 3.0 image to use as a base image.")
+	baseImageCoreLegacyAzl2 = flag.String("base-image-core-legacy-azl2", "", "A core-legacy 2.0 image to use as a base image.")
+	baseImageCoreLegacyAzl3 = flag.String("base-image-core-legacy-azl3", "", "A core-legacy 3.0 image to use as a base image.")
 )
 
 var (
 	testDir    string
 	tmpDir     string
 	workingDir string
+
+	supportedAzureLinuxVersions = []baseImageVersion{
+		baseImageVersionAzl2,
+		baseImageVersionAzl3,
+	}
 )
 
 func TestMain(m *testing.M) {
@@ -65,7 +83,7 @@ func TestMain(m *testing.M) {
 }
 
 // Skip the test if requirements for testing CustomizeImage() are not met.
-func checkSkipForCustomizeImage(t *testing.T, baseImageType baseImageType) string {
+func checkSkipForCustomizeImage(t *testing.T, baseImageType baseImageType, baseImageVersion baseImageVersion) string {
 	if !buildpipeline.IsRegularBuild() {
 		t.Skip("loopback block device not available")
 	}
@@ -74,21 +92,36 @@ func checkSkipForCustomizeImage(t *testing.T, baseImageType baseImageType) strin
 		t.Skip("Test must be run as root because it uses a chroot")
 	}
 
+	param, paramName := getImageParamAndName(baseImageType, baseImageVersion)
+	if param == nil || *param == "" {
+		t.Skipf("--%s is required for this test", paramName)
+	}
+
+	return *param
+}
+
+func getImageParamAndName(baseImageType baseImageType, baseImageVersion baseImageVersion) (*string, string) {
 	switch baseImageType {
 	case baseImageTypeCoreEfi:
-		if baseImageCoreEfi == nil || *baseImageCoreEfi == "" {
-			t.Skip("--base-image-core-efi is required for this test")
+		switch baseImageVersion {
+		case baseImageVersionAzl2:
+			return baseImageCoreEfiAzl2, "base-image-core-efi-azl2"
+
+		case baseImageVersionAzl3:
+			return baseImageCoreEfiAzl3, "base-image-core-efi-azl3"
 		}
-		return *baseImageCoreEfi
 
 	case baseImageTypeCoreLegacy:
-		if baseImageCoreLegacy == nil || *baseImageCoreLegacy == "" {
-			t.Skip("--base-image-core-legacy is required for this test")
+		switch baseImageVersion {
+		case baseImageVersionAzl2:
+			return baseImageCoreLegacyAzl2, "base-image-core-legacy-azl2"
+
+		case baseImageVersionAzl3:
+			return baseImageCoreLegacyAzl3, "base-image-core-legacy-azl3"
 		}
-		return *baseImageCoreLegacy
 	}
 
-	return ""
+	return nil, ""
 }
 
 func getDownloadedRpmsDir(t *testing.T, azureLinuxVersion string) string {
diff --git a/toolkit/tools/pkg/imagecustomizerlib/resolvconf_test.go b/toolkit/tools/pkg/imagecustomizerlib/resolvconf_test.go
index 025c63e3fcf..d09bb30e361 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/resolvconf_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/resolvconf_test.go
@@ -14,7 +14,7 @@ import (
 )
 
 func TestCustomizeImageResolvConfDelete(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageResolvConfDelete")
 	buildDir := filepath.Join(testTmpDir, "build")
@@ -51,7 +51,7 @@ func TestCustomizeImageResolvConfDelete(t *testing.T) {
 }
 
 func TestCustomizeImageResolvConfRestoreFile(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageResolvConfRestoreFile")
 	buildDir := filepath.Join(testTmpDir, "build")
@@ -122,7 +122,7 @@ func TestCustomizeImageResolvConfRestoreFile(t *testing.T) {
 }
 
 func TestCustomizeImageResolvConfRestoreSymlink(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageResolvConfRestoreSymlink")
 	buildDir := filepath.Join(testTmpDir, "build")
@@ -185,7 +185,7 @@ func TestCustomizeImageResolvConfRestoreSymlink(t *testing.T) {
 }
 
 func TestCustomizeImageResolvConfNewSymlink(t *testing.T) {
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageResolvConfNewSymlink")
 	buildDir := filepath.Join(testTmpDir, "build")
diff --git a/toolkit/tools/pkg/imagecustomizerlib/runscripts_test.go b/toolkit/tools/pkg/imagecustomizerlib/runscripts_test.go
index 818e3bbe953..36cb1863300 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/runscripts_test.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/runscripts_test.go
@@ -14,7 +14,7 @@ import (
 func TestCustomizeImageRunScripts(t *testing.T) {
 	var err error
 
-	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi)
+	baseImage := checkSkipForCustomizeImage(t, baseImageTypeCoreEfi, baseImageVersionDefault)
 
 	testTmpDir := filepath.Join(tmpDir, "TestCustomizeImageRunScripts")
 	buildDir := filepath.Join(testTmpDir, "build")
diff --git a/toolkit/tools/pkg/imagecustomizerlib/shrinkfilesystems.go b/toolkit/tools/pkg/imagecustomizerlib/shrinkfilesystems.go
index fb272a977ec..3e670221e06 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/shrinkfilesystems.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/shrinkfilesystems.go
@@ -23,7 +23,9 @@ var (
 	fdiskPartitionsTableEntryRegexp  = regexp.MustCompile(`^([0-9A-Za-z-_/]+)[\t ]+(\d+)[\t ]+`)
 )
 
-func shrinkFilesystems(imageLoopDevice string, verityHashPartition *imagecustomizerapi.IdentifiedPartition) error {
+func shrinkFilesystems(imageLoopDevice string, verityHashPartition *imagecustomizerapi.IdentifiedPartition,
+	partIdToPartUuid map[string]string,
+) error {
 	logger.Log.Infof("Shrinking filesystems")
 
 	// Get partition info
@@ -53,7 +55,7 @@ func shrinkFilesystems(imageLoopDevice string, verityHashPartition *imagecustomi
 		}
 
 		if verityHashPartition != nil {
-			matches, err := partitionMatchesId(*verityHashPartition, diskPartition)
+			matches, err := partitionMatchesId(*verityHashPartition, diskPartition, partIdToPartUuid)
 			if err != nil {
 				return err
 			}
diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/adddirs-config.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/adddirs-config.yaml
index 18d438b3d86..fd1dcc11c1b 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/testdata/adddirs-config.yaml
+++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/adddirs-config.yaml
@@ -1,4 +1,4 @@
 os:
   additionalDirs:
-  - sourcePath: dirs/a
-    destinationPath: /
+  - source: dirs/a
+    destination: /
diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/addfiles-config.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/addfiles-config.yaml
index e761d388e14..b102dc957a2 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/testdata/addfiles-config.yaml
+++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/addfiles-config.yaml
@@ -1,6 +1,21 @@
 os:
   additionalFiles:
-    files/a.txt: /a.txt
-    files/helloworld.sh:
-    - path: /usr/local/bin/helloworld.sh
-      permissions: 755
+  - source: files/a.txt
+    destination: /a.txt
+
+  - source: files/helloworld.sh
+    destination: /usr/local/bin/helloworld.sh
+    permissions: 755
+
+  - content: |
+      cat
+      dog
+    destination: /animals.txt
+
+  - content: |-
+      abcdefghijklmnopqrstuvwxyz
+    destination: /alphabet.txt
+    permissions: 644
+
+  - content: ""
+    destination: /empty.txt
diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/cloud-init-config.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/cloud-init-config.yaml
index 2490f976ae3..13c8f4833ee 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/testdata/cloud-init-config.yaml
+++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/cloud-init-config.yaml
@@ -1,8 +1,13 @@
 os:
   additionalFiles:
-    files/cloud-init/user-data: /var/lib/cloud/seed/nocloud/user-data
-    files/cloud-init/network-config: /var/lib/cloud/seed/nocloud/network-config
-    files/cloud-init/meta-data: /var/lib/cloud/seed/nocloud/meta-data
+  - source: files/cloud-init/user-data
+    destination: /var/lib/cloud/seed/nocloud/user-data
+
+  - source: files/cloud-init/network-config
+    destination: /var/lib/cloud/seed/nocloud/network-config
+
+  - source: files/cloud-init/meta-data
+    destination: /var/lib/cloud/seed/nocloud/meta-data
 
   kernelCommandLine:
     extraCommandLine: "ds=nocloud"
diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/cloud-init-iso-config.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/cloud-init-iso-config.yaml
index de27ebb5f52..9f02bf43c76 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/testdata/cloud-init-iso-config.yaml
+++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/cloud-init-iso-config.yaml
@@ -7,9 +7,14 @@ scripts:
 
 iso:
   additionalFiles:
-    files/cloud-init/user-data: /cloud-init-data/user-data
-    files/cloud-init/network-config: /cloud-init-data/network-config
-    files/cloud-init/meta-data: /cloud-init-data/meta-data
+  - source: files/cloud-init/user-data
+    destination: /cloud-init-data/user-data
+
+  - source: files/cloud-init/network-config
+    destination: /cloud-init-data/network-config
+
+  - source: files/cloud-init/meta-data
+    destination: /cloud-init-data/meta-data
 
   kernelCommandLine:
     extraCommandLine: "ds=nocloud"
diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/infinite-file-config.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/infinite-file-config.yaml
index 2ea59a3665d..ee22fe76c30 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/testdata/infinite-file-config.yaml
+++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/infinite-file-config.yaml
@@ -1,3 +1,4 @@
 os:
   additionalFiles:
-    /dev/zero: /zero.txt
+  - source: /dev/zero
+    destination: /zero.txt
diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/install-package-disk-space.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/install-package-disk-space.yaml
index 70b091c9c57..9b6d7b503fa 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/testdata/install-package-disk-space.yaml
+++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/install-package-disk-space.yaml
@@ -15,7 +15,7 @@ storage:
 
   bootType: efi
 
-  fileSystems:
+  filesystems:
   - deviceId: esp
     type: fat32
     mountPoint:
diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/iso-files-and-args-config.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/iso-files-and-args-config.yaml
index 7183f1d45c2..df1b469be11 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/testdata/iso-files-and-args-config.yaml
+++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/iso-files-and-args-config.yaml
@@ -1,6 +1,7 @@
 iso:
   additionalFiles:
-    files/a.txt: /a.txt
+  - source: files/a.txt
+    destination: /a.txt
 
   kernelCommandLine:
     extraCommandLine: rd.info
diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/legacyboot-config.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/legacyboot-config.yaml
index f18165b8db9..1c131fe3067 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/testdata/legacyboot-config.yaml
+++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/legacyboot-config.yaml
@@ -14,10 +14,7 @@ storage:
 
   bootType: legacy
 
-  fileSystems:
-  - deviceId: boot
-    type: fat32
-
+  filesystems:
   - deviceId: rootfs
     type: ext4
     mountPoint:
diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/mshvkernel-config.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/mshvkernel-config.yaml
index c4517f3f880..d2a57a50199 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/testdata/mshvkernel-config.yaml
+++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/mshvkernel-config.yaml
@@ -13,7 +13,7 @@ storage:
 
   bootType: efi
 
-  fileSystems:
+  filesystems:
   - deviceId: efi
     type: fat32
     mountPoint:
diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/overlays-config.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/overlays-config.yaml
index 03a07e0d68a..2a72184a0d6 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/testdata/overlays-config.yaml
+++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/overlays-config.yaml
@@ -15,11 +15,13 @@ storage:
     - id: rootfs
       start: 108M
       end: 2048M
-      label: rootfs
+    
+    - id: var
+      start: 2048M
       
   bootType: efi
 
-  fileSystems:
+  filesystems:
   - deviceId: esp
     type: fat32
     mountPoint:
@@ -36,21 +38,35 @@ storage:
     mountPoint:
       path: /
 
+  - deviceId: var
+    type: ext4
+    mountPoint:
+      path: /var
+      options: defaults,x-initrd.mount
+
 os:
   resetBootLoaderType: hard-reset
 
   packages:
     install:
-    - dracut-overlayfs
     - openssh-server
-    - vim
 
-  additionalFiles:
-    # Workaround until updated dracut-overlayfs package has been published.
-    ../../../../../SPECS/dracut/20overlayfs/module-setup.sh: /lib/dracut/modules.d/20overlayfs/module-setup.sh
-    ../../../../../SPECS/dracut/20overlayfs/overlayfs-mount.sh: /lib/dracut/modules.d/20overlayfs/overlayfs-mount.sh
+  services:
+    enable:
+    - sshd
 
   overlays:
-  - lowerDir: /
-    upperDir: /upper_root
-    workDir: /work_root
+    - mountPoint: /etc
+      lowerDirs:
+      - /etc
+      upperDir: /var/overlays/etc/upper
+      workDir: /var/overlays/etc/work
+      isInitrdOverlay: true
+      mountDependencies: 
+      - /var
+    - mountPoint: /media
+      lowerDirs:
+      - /media
+      - /home
+      upperDir: /overlays/media/upper
+      workDir: /overlays/media/work
diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/partitions-config.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/partitions-config.yaml
index 53724bfe7df..87c6ef41aef 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/testdata/partitions-config.yaml
+++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/partitions-config.yaml
@@ -22,7 +22,7 @@ storage:
       
   bootType: efi
 
-  fileSystems:
+  filesystems:
   - deviceId: esp
     type: fat32
     mountPoint:
diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/partitions-selinux-enforcing.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/partitions-selinux-enforcing.yaml
index 0d2fca42e85..f2951493a8b 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/testdata/partitions-selinux-enforcing.yaml
+++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/partitions-selinux-enforcing.yaml
@@ -17,9 +17,9 @@ storage:
 
   bootType: efi
 
-  fileSystems:
+  filesystems:
   - deviceId: esp
-    type: fat32
+    type: vfat
     mountPoint:
       path: /boot/efi
       options: umask=0077
diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/partitions-size-only-config.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/partitions-size-only-config.yaml
new file mode 100644
index 00000000000..5b9db946083
--- /dev/null
+++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/partitions-size-only-config.yaml
@@ -0,0 +1,35 @@
+storage:
+  disks:
+  - partitionTableType: gpt
+    partitions:
+    - id: esp
+      type: esp
+      size: 8M
+
+    - id: rootfs
+      size: 2G
+
+    - id: var
+      size: 2G
+
+  bootType: efi
+
+  filesystems:
+  - deviceId: esp
+    type: fat32
+    mountPoint:
+      path: /boot/efi
+      options: umask=0077
+
+  - deviceId: rootfs
+    type: ext4
+    mountPoint:
+      path: /
+
+  - deviceId: var
+    type: ext4
+    mountPoint:
+      path: /var
+
+os:
+  resetBootLoaderType: hard-reset
diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/verity-config.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/verity-config.yaml
index c9c2a94d6ec..070fe15497b 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/testdata/verity-config.yaml
+++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/verity-config.yaml
@@ -14,19 +14,17 @@ storage:
       end: 1024M
 
     - id: root
-      label: root
       start: 1024M
       end: 3072M
 
-    - id: verityhash
-      label: root-hash
+    - id: roothash
       start: 3072M
       end: 3200M
 
     - id: var
       start: 3200M
 
-  fileSystems:
+  filesystems:
   - deviceId: esp
     type: fat32
     mountPoint:
@@ -42,9 +40,6 @@ storage:
     type: ext4
     mountPoint:
       path: /
-      
-  - deviceId: verityhash
-    type: fat32
 
   - deviceId: var
     type: ext4
@@ -68,17 +63,20 @@ os:
   verity:
     corruptionOption: panic
     dataPartition:
-      idType: part-label
+      idType: id
       id: root
     hashPartition:
-      idType: part-label
-      id: root-hash
+      idType: id
+      id: roothash
 
   additionalFiles:
     # Change the directory that the sshd-keygen service writes the SSH host keys to.
-    files/sshd-keygen.service: /usr/lib/systemd/system/sshd-keygen.service
+  - source: files/sshd-keygen.service
+    destination: /usr/lib/systemd/system/sshd-keygen.service
+
     # Enable DHCP client on all of the physical NICs.
-    files/89-ethernet.network: /etc/systemd/network/89-ethernet.network
+  - source: files/89-ethernet.network
+    destination: /etc/systemd/network/89-ethernet.network
 
   services:
     enable:
diff --git a/toolkit/tools/pkg/imagecustomizerlib/testdata/verity-partition-labels.yaml b/toolkit/tools/pkg/imagecustomizerlib/testdata/verity-partition-labels.yaml
new file mode 100644
index 00000000000..73cfd190b7d
--- /dev/null
+++ b/toolkit/tools/pkg/imagecustomizerlib/testdata/verity-partition-labels.yaml
@@ -0,0 +1,100 @@
+storage:
+  bootType: efi
+  disks:
+  - partitionTableType: gpt
+    maxSize: 5120M
+    partitions:
+    - id: esp
+      type: esp
+      start: 1M
+      end: 9M
+
+    - id: boot
+      start: 9M
+      end: 1024M
+
+    - id: root
+      label: root
+      start: 1024M
+      end: 3072M
+
+    - id: verityhash
+      label: root-hash
+      start: 3072M
+      end: 3200M
+
+    - id: var
+      start: 3200M
+
+  filesystems:
+  - deviceId: esp
+    type: fat32
+    mountPoint:
+      path: /boot/efi
+      options: umask=0077
+
+  - deviceId: boot
+    type: ext4
+    mountPoint:
+      path: /boot
+
+  - deviceId: root
+    type: ext4
+    mountPoint:
+      path: /
+      
+  - deviceId: verityhash
+    type: fat32
+
+  - deviceId: var
+    type: ext4
+    mountPoint:
+      path: /var
+
+os:
+  resetBootLoaderType: hard-reset
+  selinux:
+    mode: disabled
+
+  kernelCommandLine:
+    extraCommandLine: "rd.info"
+
+  packages:
+    install:
+    - openssh-server
+    - veritysetup
+    - vim
+
+  verity:
+    corruptionOption: panic
+    dataPartition:
+      idType: part-label
+      id: root
+    hashPartition:
+      idType: part-label
+      id: root-hash
+
+  additionalFiles:
+    # Change the directory that the sshd-keygen service writes the SSH host keys to.
+  - source: files/sshd-keygen.service
+    destination: /usr/lib/systemd/system/sshd-keygen.service
+
+    # Enable DHCP client on all of the physical NICs.
+  - source: files/89-ethernet.network
+    destination: /etc/systemd/network/89-ethernet.network
+
+  services:
+    enable:
+    - sshd
+    
+  users:
+  - name: test
+    sshPublicKeys:
+      # Your SSH public key here.
+    secondaryGroups:
+    - sudo
+
+scripts:
+  postCustomization:
+    # Move the SSH host keys off of the read-only /etc directory, so that sshd can run.
+  - path: scripts/ssh-move-host-keys.sh
diff --git a/toolkit/tools/pkg/imagecustomizerlib/typeConversion.go b/toolkit/tools/pkg/imagecustomizerlib/typeConversion.go
index 0d421246c21..545acc77506 100644
--- a/toolkit/tools/pkg/imagecustomizerlib/typeConversion.go
+++ b/toolkit/tools/pkg/imagecustomizerlib/typeConversion.go
@@ -37,8 +37,8 @@ func diskConfigToImager(diskConfig imagecustomizerapi.Disk, fileSystems []imagec
 		return configuration.Disk{}, err
 	}
 
-	imagerMaxSize := diskConfig.MaxSize / diskutils.MiB
-	if diskConfig.MaxSize%diskutils.MiB != 0 {
+	imagerMaxSize := *diskConfig.MaxSize / diskutils.MiB
+	if *diskConfig.MaxSize%diskutils.MiB != 0 {
 		return configuration.Disk{}, fmt.Errorf("disk max size (%d) must be a multiple of 1 MiB", diskConfig.MaxSize)
 	}
 
@@ -78,17 +78,14 @@ func partitionsToImager(partitions []imagecustomizerapi.Partition, fileSystems [
 
 func partitionToImager(partition imagecustomizerapi.Partition, fileSystems []imagecustomizerapi.FileSystem,
 ) (configuration.Partition, error) {
-	fileSystem, foundMountPoint := sliceutils.FindValueFunc(fileSystems,
+	fileSystem, _ := sliceutils.FindValueFunc(fileSystems,
 		func(fileSystem imagecustomizerapi.FileSystem) bool {
 			return fileSystem.DeviceId == partition.Id
 		},
 	)
-	if !foundMountPoint {
-		return configuration.Partition{}, fmt.Errorf("failed to find filesystem entry with ID (%s)", partition.Id)
-	}
 
-	imagerStart := partition.Start / diskutils.MiB
-	if partition.Start%diskutils.MiB != 0 {
+	imagerStart := *partition.Start / diskutils.MiB
+	if *partition.Start%diskutils.MiB != 0 {
 		return configuration.Partition{}, fmt.Errorf("partition start (%d) must be a multiple of 1 MiB", partition.Start)
 	}
 
diff --git a/toolkit/tools/pkg/imagecustomizerlib/versionsOfToolDependencies.go b/toolkit/tools/pkg/imagecustomizerlib/versionsOfToolDependencies.go
new file mode 100644
index 00000000000..8f5acd82884
--- /dev/null
+++ b/toolkit/tools/pkg/imagecustomizerlib/versionsOfToolDependencies.go
@@ -0,0 +1,98 @@
+package imagecustomizerlib
+
+import (
+	"os"
+	"os/exec"
+	"regexp"
+	"strings"
+
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/logger"
+)
+
+func logVersionsOfToolDeps() {
+	// Map of version flags with corresponding packages
+	versionFlags := map[string][]string{
+		"--version": {
+			"qemu-img", "rpm", "dd", "lsblk", "losetup", "sfdisk", "udevadm",
+			"flock", "blkid", "sed", "createrepo", "genisoimage", "parted", "mkfs",
+			"fsck", "fatlabel", "zstd", "veritysetup", "grub-install",
+		},
+		"-version": {
+			"mksquashfs",
+		},
+		"version": {
+			"openssl",
+		},
+		"-V": {
+			"mkfs.ext4", "mkfs.xfs", "e2fsck", "xfs_repair", "xfs_admin",
+		},
+		"": {
+			"mkfs.vfat", "resize2fs", "tune2fs",
+		},
+	}
+
+	// Get distro and version
+	distro, version := getDistroAndVersion()
+	logger.Log.Debugf("Distro: %s, Version: %s", distro, version)
+
+	// Get versions of packages
+	logger.Log.Debugf("Tool Dependencies:")
+	for versionFlag, pkgList := range versionFlags {
+		for _, pkg := range pkgList {
+			version, err := getPackageVersion(pkg, versionFlag)
+			if err != nil {
+				logger.Log.Debugf("%s: not installed or error retrieving version", pkg)
+			} else {
+				logger.Log.Debugf("%s: %s", pkg, version)
+			}
+		}
+	}
+}
+
+// Function to get the distribution and version of the host machine
+func getDistroAndVersion() (string, string) {
+	output, err := os.ReadFile("/etc/os-release")
+	if err != nil {
+		return "Unknown Distro", "Unknown Version"
+	}
+
+	lines := strings.Split(string(output), "\n")
+	distro := "Unknown Distro"
+	version := "Unknown Version"
+
+	for _, line := range lines {
+		if strings.HasPrefix(line, "NAME=") {
+			distro = strings.Trim(strings.TrimPrefix(line, "NAME="), "\"")
+		} else if strings.HasPrefix(line, "VERSION=") {
+			version = strings.Trim(strings.TrimPrefix(line, "VERSION="), "\"")
+		}
+	}
+
+	return distro, version
+}
+
+// Function to get the version of a package
+func getPackageVersion(pkg string, versionFlagParameter string) (string, error) {
+	var cmd *exec.Cmd
+	var pkgVersion string
+
+	cmd = exec.Command(pkg, versionFlagParameter)
+	output, _ := cmd.CombinedOutput()
+	outputLines := strings.Split(string(output), "\n")
+
+	// If the package does not have a version parameter, we need extract the version from the full output
+	if versionFlagParameter == "" {
+		// Regular expression to match various version formats including num.num.num, num.num, and alphanumeric versions
+		re := regexp.MustCompile(`\b\d+(\.\d+){1,3}(-\w+)?\b`)
+		for _, line := range outputLines {
+			if re.MatchString(line) {
+				pkgVersion = line
+			}
+		}
+	} else {
+		// Packages with a version parameter will have the version outputted as the first line
+		pkgVersion = strings.Split(string(output), "\n")[0]
+	}
+
+	return pkgVersion, nil
+}
diff --git a/toolkit/tools/pkg/isomakerlib/isomaker.go b/toolkit/tools/pkg/isomakerlib/isomaker.go
index e170ec3fff9..5cebe192d9a 100644
--- a/toolkit/tools/pkg/isomakerlib/isomaker.go
+++ b/toolkit/tools/pkg/isomakerlib/isomaker.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path"
 	"path/filepath"
 	"runtime"
 	"strings"
@@ -33,6 +34,7 @@ const (
 	isoRootArchDependentDirPath     = "assets/isomaker/iso_root_arch-dependent_files"
 	defaultImageNameBase            = "azure-linux"
 	defaultOSFilesPath              = "isolinux"
+	repoSnapshotFilePath            = "repo-snapshot-time.txt"
 )
 
 // IsoMaker builds ISO images and populates them with packages and files required by the installer.
@@ -54,13 +56,14 @@ type IsoMaker struct {
 	additionalIsoFiles []safechroot.FileToCopy // Additional files to copy to the ISO media (absolute-source-path -> iso-root-relative-path).
 	imageNameBase      string                  // Base name of the ISO to generate (no path, and no file extension).
 	imageNameTag       string                  // Optional user-supplied tag appended to the generated ISO's name.
+	repoSnapshotTime   string                  // tdnf repo snapshot time
 	osFilesPath        string
 
 	isoMakerCleanUpTasks []func() error // List of clean-up tasks to perform at the end of the ISO generation process.
 }
 
 // NewIsoMaker returns a new ISO maker.
-func NewIsoMaker(unattendedInstall bool, baseDirPath, buildDirPath, releaseVersion, resourcesDirPath, configFilePath, initrdPath, isoRepoDirPath, outputDir, imageNameTag string) (isoMaker *IsoMaker, err error) {
+func NewIsoMaker(unattendedInstall bool, baseDirPath, buildDirPath, releaseVersion, resourcesDirPath, configFilePath, initrdPath, isoRepoDirPath, outputDir, imageNameTag, isoRepoSnapshotTime string) (isoMaker *IsoMaker, err error) {
 	if baseDirPath == "" {
 		baseDirPath = filepath.Dir(configFilePath)
 	}
@@ -91,6 +94,7 @@ func NewIsoMaker(unattendedInstall bool, baseDirPath, buildDirPath, releaseVersi
 		imageNameBase:      imageNameBase,
 		imageNameTag:       imageNameTag,
 		osFilesPath:        defaultOSFilesPath,
+		repoSnapshotTime:   isoRepoSnapshotTime,
 	}
 
 	return isoMaker, nil
@@ -128,6 +132,7 @@ func NewIsoMakerWithConfig(unattendedInstall, enableBiosBoot, enableRpmRepo bool
 		imageNameBase:      imageNameBase,
 		imageNameTag:       imageNameTag,
 		osFilesPath:        osFilesPath,
+		repoSnapshotTime:   "",
 	}
 
 	return isoMaker, nil
@@ -554,6 +559,13 @@ func (im *IsoMaker) copyAndRenameConfigFiles() (err error) {
 	if err != nil {
 		return err
 	}
+
+	// add snapshot file here
+	err = im.addSnapshotTimeFile(configFilesAbsDirPath)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -565,6 +577,17 @@ func (im *IsoMaker) copyIsoAdditionalFiles() (err error) {
 	return safechroot.AddFilesToDestination(im.buildDirPath, im.additionalIsoFiles...)
 }
 
+func (im *IsoMaker) addSnapshotTimeFile(configFilesAbsDirPath string) (err error) {
+	if im.repoSnapshotTime != "" {
+		logger.Log.Debugf("Adding snapshot time to file")
+		err = file.WriteLines([]string{im.repoSnapshotTime}, path.Join(configFilesAbsDirPath, repoSnapshotFilePath))
+		if err != nil {
+			return
+		}
+	}
+	return
+}
+
 // copyAndRenameAdditionalFiles will copy all additional files into an
 // ISO directory to make them available to the installer.
 // Each file gets placed in a separate directory to avoid potential name conflicts and
diff --git a/toolkit/tools/pkg/osmodifierlib/modifierutils.go b/toolkit/tools/pkg/osmodifierlib/modifierutils.go
index 0792035e6b8..64a83a9f007 100644
--- a/toolkit/tools/pkg/osmodifierlib/modifierutils.go
+++ b/toolkit/tools/pkg/osmodifierlib/modifierutils.go
@@ -4,13 +4,19 @@
 package osmodifierlib
 
 import (
+	"fmt"
+	"strings"
+
 	"github.com/microsoft/azurelinux/toolkit/tools/imagecustomizerapi"
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/logger"
 	"github.com/microsoft/azurelinux/toolkit/tools/internal/safechroot"
+	"github.com/microsoft/azurelinux/toolkit/tools/osmodifierapi"
 	"github.com/microsoft/azurelinux/toolkit/tools/pkg/imagecustomizerlib"
 )
 
-func doModifications(baseConfigPath string, osConfig *imagecustomizerapi.OS) error {
+func doModifications(baseConfigPath string, osConfig *osmodifierapi.OS) error {
 	var dummyChroot safechroot.ChrootInterface = &safechroot.DummyChroot{}
+
 	err := imagecustomizerlib.AddOrUpdateUsers(osConfig.Users, baseConfigPath, dummyChroot)
 	if err != nil {
 		return err
@@ -21,5 +27,98 @@ func doModifications(baseConfigPath string, osConfig *imagecustomizerapi.OS) err
 		return err
 	}
 
+	if osConfig.Overlays != nil {
+		bootCustomizer, err := imagecustomizerlib.NewBootCustomizer(dummyChroot)
+		if err != nil {
+			return err
+		}
+
+		err = updateGrubConfigForOverlay(*osConfig.Overlays, bootCustomizer)
+		if err != nil {
+			return err
+		}
+
+		err = bootCustomizer.WriteToFile(dummyChroot)
+		if err != nil {
+			return err
+		}
+	}
+
+	if osConfig.SELinux.Mode != "" {
+		bootCustomizer, err := imagecustomizerlib.NewBootCustomizer(dummyChroot)
+		if err != nil {
+			return err
+		}
+
+		err = handleSELinux(osConfig.SELinux.Mode, bootCustomizer, dummyChroot)
+		if err != nil {
+			return err
+		}
+
+		err = bootCustomizer.WriteToFile(dummyChroot)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func updateGrubConfigForOverlay(overlays []osmodifierapi.Overlay, bootCustomizer *imagecustomizerlib.BootCustomizer) error {
+	var err error
+	var overlayConfigs []string
+
+	// Iterate over each Overlay configuration
+	for _, overlay := range overlays {
+		// Construct the argument for each Overlay
+		overlayConfig := fmt.Sprintf(
+			"%s,%s,%s,%s",
+			overlay.LowerDir, overlay.UpperDir, overlay.WorkDir, overlay.Partition.Id,
+		)
+		overlayConfigs = append(overlayConfigs, overlayConfig)
+	}
+
+	// Concatenate all overlay configurations with spaces
+	concatenatedOverlays := strings.Join(overlayConfigs, " ")
+
+	// Construct the final cmdline argument
+	newArgs := []string{
+		fmt.Sprintf("rd.overlayfs=%s", concatenatedOverlays),
+	}
+
+	err = bootCustomizer.UpdateKernelCommandLineArgs("GRUB_CMDLINE_LINUX", []string{"rd.overlayfs"},
+		newArgs)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func handleSELinux(selinuxMode imagecustomizerapi.SELinuxMode, bootCustomizer *imagecustomizerlib.BootCustomizer, dummyChroot safechroot.ChrootInterface) error {
+	var err error
+	currentSELinuxMode, err := bootCustomizer.GetSELinuxMode(dummyChroot)
+	if err != nil {
+		return fmt.Errorf("failed to get current SELinux mode:\n%w", err)
+	}
+
+	if selinuxMode == imagecustomizerapi.SELinuxModeDefault || selinuxMode == currentSELinuxMode {
+		// Don't need to change the configured SELinux mode.
+		return nil
+	}
+
+	logger.Log.Infof("Configuring SELinux mode")
+
+	err = bootCustomizer.UpdateSELinuxCommandLine(selinuxMode)
+	if err != nil {
+		return err
+	}
+
+	err = imagecustomizerlib.UpdateSELinuxModeInConfigFile(selinuxMode, dummyChroot)
+	if err != nil {
+		return err
+	}
+
+	// No need to set SELinux labels here as in trident there is reset labels at the end
 	return nil
 }
diff --git a/toolkit/tools/pkg/osmodifierlib/modifydefaultgrub.go b/toolkit/tools/pkg/osmodifierlib/modifydefaultgrub.go
new file mode 100644
index 00000000000..9d835ec12ab
--- /dev/null
+++ b/toolkit/tools/pkg/osmodifierlib/modifydefaultgrub.go
@@ -0,0 +1,97 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package osmodifierlib
+
+import (
+	"fmt"
+
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/logger"
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/safechroot"
+	"github.com/microsoft/azurelinux/toolkit/tools/internal/sliceutils"
+	"github.com/microsoft/azurelinux/toolkit/tools/pkg/imagecustomizerlib"
+)
+
+var grubArgs = []string{
+	"rd.overlayfs",
+	"roothash",
+	"root",
+	"rd.systemd.verity",
+	"systemd.verity_root_data",
+	"systemd.verity_root_hash",
+	"systemd.verity_root_options",
+	"selinux",
+	"enforcing",
+}
+
+func modifyDefaultGrub() error {
+	var dummyChroot safechroot.ChrootInterface = &safechroot.DummyChroot{}
+	// Get verity, selinux, overlayfs, and root device values from /boot/grub2/grub.cfg
+	values, rootDevice, err := extractValuesFromGrubConfig(dummyChroot)
+	if err != nil {
+		return fmt.Errorf("error getting verity, selinux and overlayfs values from grub.cfg:\n%w", err)
+	}
+
+	bootCustomizer, err := imagecustomizerlib.NewBootCustomizer(dummyChroot)
+	if err != nil {
+		return err
+	}
+
+	// Stamp verity, selinux and overlayfs values to /etc/default/grub
+	err = bootCustomizer.UpdateKernelCommandLineArgs("GRUB_CMDLINE_LINUX", grubArgs, values)
+	if err != nil {
+		return err
+	}
+
+	// Stamp root device to /etc/default/grub
+	err = bootCustomizer.SetRootDevice(rootDevice)
+	if err != nil {
+		return err
+	}
+
+	err = bootCustomizer.WriteToFile(dummyChroot)
+	if err != nil {
+		return fmt.Errorf("error writing to default grub:\n%w", err)
+	} else {
+		logger.Log.Info("Successfully updated default grub")
+	}
+
+	return nil
+}
+
+func extractValuesFromGrubConfig(imageChroot safechroot.ChrootInterface) ([]string, string, error) {
+	grubCfgContent, err := imagecustomizerlib.ReadGrub2ConfigFile(imageChroot)
+	if err != nil {
+		return nil, "", err
+	}
+
+	lines, err := imagecustomizerlib.FindNonRecoveryLinuxLine(grubCfgContent)
+	if err != nil {
+		return nil, "", err
+	}
+
+	if len(lines) != 1 {
+		return nil, "", fmt.Errorf("expected 1 non-recovery linux line, found %d", len(lines))
+	}
+
+	argTokens, err := imagecustomizerlib.ParseCommandLineArgs(lines[0].Tokens)
+	if err != nil {
+		return nil, "", err
+	}
+
+	var values []string
+	var rootDevice string
+	for _, arg := range argTokens {
+		if sliceutils.ContainsValue(grubArgs, arg.Name) {
+			if arg.Value != "" {
+				if arg.Name == "root" {
+					rootDevice = arg.Value
+				} else {
+					values = append(values, arg.Name+"="+arg.Value)
+				}
+			}
+		}
+	}
+
+	return values, rootDevice, nil
+}
diff --git a/toolkit/tools/pkg/osmodifierlib/osmodifier.go b/toolkit/tools/pkg/osmodifierlib/osmodifier.go
index 8e402de3a89..2f5a7914ec9 100644
--- a/toolkit/tools/pkg/osmodifierlib/osmodifier.go
+++ b/toolkit/tools/pkg/osmodifierlib/osmodifier.go
@@ -8,12 +8,13 @@ import (
 	"path/filepath"
 
 	"github.com/microsoft/azurelinux/toolkit/tools/imagecustomizerapi"
+	"github.com/microsoft/azurelinux/toolkit/tools/osmodifierapi"
 )
 
 func ModifyOSWithConfigFile(configFile string) error {
 	var err error
 
-	var osConfig imagecustomizerapi.OS
+	var osConfig osmodifierapi.OS
 	err = imagecustomizerapi.UnmarshalYamlFile(configFile, &osConfig)
 	if err != nil {
 		return err
@@ -34,7 +35,7 @@ func ModifyOSWithConfigFile(configFile string) error {
 	return nil
 }
 
-func ModifyOS(baseConfigPath string, osConfig *imagecustomizerapi.OS) error {
+func ModifyOS(baseConfigPath string, osConfig *osmodifierapi.OS) error {
 	err := doModifications(baseConfigPath, osConfig)
 	if err != nil {
 		return err
@@ -42,3 +43,12 @@ func ModifyOS(baseConfigPath string, osConfig *imagecustomizerapi.OS) error {
 
 	return nil
 }
+
+func ModifyDefaultGrub() error {
+	err := modifyDefaultGrub()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/toolkit/tools/pkgworker/pkgworker.go b/toolkit/tools/pkgworker/pkgworker.go
index b8a1585063e..62e259d754c 100644
--- a/toolkit/tools/pkgworker/pkgworker.go
+++ b/toolkit/tools/pkgworker/pkgworker.go
@@ -74,13 +74,13 @@ func main() {
 	logger.InitBestEffort(logFlags)
 
 	rpmsDirAbsPath, err := filepath.Abs(*rpmsDirPath)
-	logger.PanicOnError(err, "Unable to find absolute path for RPMs directory '%s'", *rpmsDirPath)
+	logger.FatalOnError(err, "Unable to find absolute path for RPMs directory '%s'", *rpmsDirPath)
 
 	toolchainDirAbsPath, err := filepath.Abs(*toolchainDirPath)
-	logger.PanicOnError(err, "Unable to find absolute path for toolchain RPMs directory '%s'", *toolchainDirPath)
+	logger.FatalOnError(err, "Unable to find absolute path for toolchain RPMs directory '%s'", *toolchainDirPath)
 
 	srpmsDirAbsPath, err := filepath.Abs(*srpmsDirPath)
-	logger.PanicOnError(err, "Unable to find absolute path for SRPMs directory '%s'", *srpmsDirPath)
+	logger.FatalOnError(err, "Unable to find absolute path for SRPMs directory '%s'", *srpmsDirPath)
 
 	chrootDir := buildChrootDirPath(*workDir, *srpmFile, *runCheck)
 
@@ -118,7 +118,7 @@ func main() {
 	}
 
 	builtRPMs, err := buildSRPMInChroot(chrootDir, rpmsDirAbsPath, toolchainDirAbsPath, *workerTar, *srpmFile, *repoFile, *rpmmacrosFile, *outArch, defines, *noCleanup, *runCheck, *packagesToInstall, ccacheManager, *timeout)
-	logger.PanicOnError(err, "Failed to build SRPM '%s'. For details see log file: %s .", *srpmFile, *logFlags.LogFile)
+	logger.FatalOnError(err, "Failed to build SRPM '%s'. For details see log file: %s .", *srpmFile, *logFlags.LogFile)
 
 	// For regular (non-test) package builds:
 	// - Copy the SRPM which produced the package to the output directory.
@@ -126,7 +126,7 @@ func main() {
 	//   Any output from logger will be on stderr so stdout will only contain this output.
 	if !*runCheck {
 		err = copySRPMToOutput(*srpmFile, srpmsDirAbsPath)
-		logger.PanicOnError(err, "Failed to copy SRPM '%s' to output directory '%s'.", *srpmFile, rpmsDirAbsPath)
+		logger.FatalOnError(err, "Failed to copy SRPM '%s' to output directory '%s'.", *srpmFile, rpmsDirAbsPath)
 
 		fmt.Print(strings.Join(builtRPMs, ","))
 	}
@@ -171,6 +171,7 @@ func buildSRPMInChroot(chrootDir, rpmDirPath, toolchainDirPath, workerTar, srpmF
 	quit := make(chan bool)
 	go func() {
 		logger.Log.Infof("Building (%s).", srpmBaseName)
+		startTime := time.Now()
 
 		for {
 			select {
@@ -180,7 +181,7 @@ func buildSRPMInChroot(chrootDir, rpmDirPath, toolchainDirPath, workerTar, srpmF
 				}
 				return
 			case <-time.After(buildHeartbeatTimeout):
-				logger.Log.Infof("Heartbeat: still building (%s).", srpmBaseName)
+				logger.Log.Infof("Heartbeat: still building (%s) after %s.", srpmBaseName, time.Since(startTime).String())
 			}
 		}
 	}()
@@ -214,6 +215,7 @@ func buildSRPMInChroot(chrootDir, rpmDirPath, toolchainDirPath, workerTar, srpmF
 
 	err = chroot.Initialize(workerTar, extraDirs, mountPoints, true)
 	if err != nil {
+		err = fmt.Errorf("failed to initialize chroot:\n%w", err)
 		return
 	}
 	defer chroot.Close(noCleanup)
@@ -221,27 +223,40 @@ func buildSRPMInChroot(chrootDir, rpmDirPath, toolchainDirPath, workerTar, srpmF
 	// Place extra files that will be needed to build into the chroot
 	srpmFileInChroot, err := copyFilesIntoChroot(chroot, srpmFile, repoFile, rpmmacrosFile, runCheck)
 	if err != nil {
+		err = fmt.Errorf("failed to copy files into chroot:\n%w", err)
 		return
 	}
 
-	// Run the build in a go routine so we can monitor and kill it if it takes too long.
+	// Run the build in a goroutine so we can monitor and kill it if it takes too long.
+	//
+	// It is important to run the timeout logic inside the chroot so that the chroot cleanup
+	// flow in chroot.Run() is executed if the build times out.
+	//
+	// If the timeout logic is run outside of the chroot.Run() call, the process will still
+	// be running in the chroot's context and the automatic chroot cleanup triggered by the
+	// process exiting will fail (see safechroot.go:cleanupAllChroots()). For example,
+	// `unmount /path/to/chroot/dev` will fail since our root is currently `/path/to/chroot`,
+	// and `/path/to/chroot/path/to/chroot/dev` is not a real path.
 	results := make(chan error)
-	go func() {
-		buildErr := chroot.Run(func() (err error) {
-			return buildRPMFromSRPMInChroot(srpmFileInChroot, outArch, runCheck, defines, packagesToInstall, isCCacheEnabled(ccacheManager))
-		})
-		results <- buildErr
-	}()
-
-	select {
-	case err = <-results:
-	case <-time.After(timeout):
-		logger.Log.Errorf("Timeout after %v: killing all processes in chroot...", timeout)
-		shell.PermanentlyStopAllChildProcesses(unix.SIGKILL)
-		err = fmt.Errorf("build timed out after %s", timeout)
-	}
+	err = chroot.Run(func() (err error) {
+		go func() {
+			results <- buildRPMFromSRPMInChroot(srpmFileInChroot, outArch, runCheck, defines, packagesToInstall, isCCacheEnabled(ccacheManager))
+		}()
+
+		var chrootErr error = nil
+		select {
+		case chrootErr = <-results:
+			logger.Log.Debug("Build thread in chroot finished.")
+		case <-time.After(timeout):
+			logger.Log.Errorf("Timeout after %v: stopping chroot...", timeout)
+			shell.StopAllChildProcesses(unix.SIGKILL)
+			chrootErr = fmt.Errorf("build timed out after %s", timeout)
+		}
+		return chrootErr // Internal error is returned via the channel
+	})
 
 	if err != nil {
+		err = fmt.Errorf("failed to build RPM from SRPM in chroot:\n%w", err)
 		return
 	}
 
@@ -266,18 +281,21 @@ func buildRPMFromSRPMInChroot(srpmFile, outArch string, runCheck bool, defines m
 	// Convert /localrpms into a repository that a package manager can use.
 	err = rpmrepomanager.CreateRepo(chrootLocalRpmsDir)
 	if err != nil {
+		err = fmt.Errorf("failed to create local RPM repository:\n%w", err)
 		return
 	}
 
 	// Convert /toolchainrpms into a repository that a package manager can use.
 	err = rpmrepomanager.CreateRepo(chrootLocalToolchainDir)
 	if err != nil {
+		err = fmt.Errorf("failed to create toolchain RPM repository:\n%w", err)
 		return
 	}
 
 	// install any additional packages, such as build dependencies.
 	err = tdnfInstall(packagesToInstall)
 	if err != nil {
+		err = fmt.Errorf("failed to install additional packages:\n%w", err)
 		return
 	}
 
@@ -286,6 +304,7 @@ func buildRPMFromSRPMInChroot(srpmFile, outArch string, runCheck bool, defines m
 		logger.Log.Infof("USE_CCACHE: installing package: %s", ccachePkgName[0])
 		err = tdnfInstall(ccachePkgName)
 		if err != nil {
+			err = fmt.Errorf("failed to install ccache:\n%w", err)
 			return
 		}
 	}
@@ -296,6 +315,7 @@ func buildRPMFromSRPMInChroot(srpmFile, outArch string, runCheck bool, defines m
 	// build failures.
 	err = removeLibArchivesFromSystem()
 	if err != nil {
+		err = fmt.Errorf("failed to remove lib archives from system:\n%w", err)
 		return
 	}
 
@@ -305,6 +325,10 @@ func buildRPMFromSRPMInChroot(srpmFile, outArch string, runCheck bool, defines m
 	} else {
 		err = rpm.BuildRPMFromSRPM(srpmFile, outArch, defines)
 	}
+	if err != nil {
+		err = fmt.Errorf("failed to build/test RPM from SRPM:\n%w", err)
+		return
+	}
 
 	return
 }
diff --git a/toolkit/tools/scheduler/buildagents/chrootagent.go b/toolkit/tools/scheduler/buildagents/chrootagent.go
index fca6c47c0a1..cf3a79b9a5c 100644
--- a/toolkit/tools/scheduler/buildagents/chrootagent.go
+++ b/toolkit/tools/scheduler/buildagents/chrootagent.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"path/filepath"
 	"strings"
+	"time"
 
 	"github.com/microsoft/azurelinux/toolkit/tools/internal/shell"
 	"github.com/sirupsen/logrus"
@@ -38,7 +39,7 @@ func (c *ChrootAgent) Initialize(config *BuildAgentConfig) (err error) {
 // - outArch is the target architecture to build for.
 // - runCheck is true if the package should run the "%check" section during the build
 // - dependencies is a list of dependencies that need to be installed before building.
-func (c *ChrootAgent) BuildPackage(basePackageName, inputFile, logName, outArch string, runCheck bool, dependencies []string) (builtFiles []string, logFile string, err error) {
+func (c *ChrootAgent) BuildPackage(basePackageName, inputFile, logName, outArch string, runCheck bool, dependencies []string, allowableRuntime time.Duration) (builtFiles []string, logFile string, err error) {
 	// On success, pkgworker will print a comma-seperated list of all RPMs built to stdout.
 	// This will be the last stdout line written.
 	const delimiter = ","
@@ -50,7 +51,7 @@ func (c *ChrootAgent) BuildPackage(basePackageName, inputFile, logName, outArch
 		lastStdoutLine = strings.TrimSpace(line)
 	}
 
-	args := serializeChrootBuildAgentConfig(c.config, basePackageName, inputFile, logFile, outArch, runCheck, dependencies)
+	args := serializeChrootBuildAgentConfig(c.config, basePackageName, inputFile, logFile, outArch, runCheck, dependencies, allowableRuntime)
 	err = shell.NewExecBuilder(c.config.Program, args...).
 		StdoutCallback(onStdout).
 		LogLevel(logrus.TraceLevel, logrus.TraceLevel).
@@ -75,7 +76,7 @@ func (c *ChrootAgent) Close() (err error) {
 }
 
 // serializeChrootBuildAgentConfig serializes a BuildAgentConfig into arguments usable by pkgworker for the sake of building the package.
-func serializeChrootBuildAgentConfig(config *BuildAgentConfig, basePackageName, inputFile, logFile, outArch string, runCheck bool, dependencies []string) (serializedArgs []string) {
+func serializeChrootBuildAgentConfig(config *BuildAgentConfig, basePackageName, inputFile, logFile, outArch string, runCheck bool, dependencies []string, allowableRuntime time.Duration) (serializedArgs []string) {
 	serializedArgs = []string{
 		fmt.Sprintf("--input=%s", inputFile),
 		fmt.Sprintf("--work-dir=%s", config.WorkDir),
@@ -93,7 +94,7 @@ func serializeChrootBuildAgentConfig(config *BuildAgentConfig, basePackageName,
 		fmt.Sprintf("--log-level=%s", config.LogLevel),
 		fmt.Sprintf("--out-arch=%s", outArch),
 		fmt.Sprintf("--max-cpu=%s", config.MaxCpu),
-		fmt.Sprintf("--timeout=%s", config.Timeout.String()),
+		fmt.Sprintf("--timeout=%s", allowableRuntime),
 	}
 
 	if config.RpmmacrosFile != "" {
diff --git a/toolkit/tools/scheduler/buildagents/definition.go b/toolkit/tools/scheduler/buildagents/definition.go
index 5e015e145f7..a502d660753 100644
--- a/toolkit/tools/scheduler/buildagents/definition.go
+++ b/toolkit/tools/scheduler/buildagents/definition.go
@@ -48,7 +48,8 @@ type BuildAgent interface {
 	// - outArch is the target architecture to build for.
 	// - runCheck is true if the package should run the "%check" section during the build
 	// - dependencies is a list of dependencies that need to be installed before building.
-	BuildPackage(basePackageName, inputFile, logName, outArch string, runCheck bool, dependencies []string) ([]string, string, error)
+	// - allowableRuntime is how long the package build is allowed to run.
+	BuildPackage(basePackageName, inputFile, logName, outArch string, runCheck bool, dependencies []string, allowableRuntime time.Duration) ([]string, string, error)
 
 	// Config returns a copy of the agent's configuration.
 	Config() BuildAgentConfig
diff --git a/toolkit/tools/scheduler/buildagents/testagent.go b/toolkit/tools/scheduler/buildagents/testagent.go
index b908c1e4348..47bc1c8c2a0 100644
--- a/toolkit/tools/scheduler/buildagents/testagent.go
+++ b/toolkit/tools/scheduler/buildagents/testagent.go
@@ -28,7 +28,7 @@ func (t *TestAgent) Initialize(config *BuildAgentConfig) (err error) {
 }
 
 // BuildPackage simply sleeps and then returns success for TestAgent.
-func (t *TestAgent) BuildPackage(basePackageName, inputFile, logName, outArch string, runCheck bool, dependencies []string) (builtFiles []string, logFile string, err error) {
+func (t *TestAgent) BuildPackage(basePackageName, inputFile, logName, outArch string, runCheck bool, dependencies []string, allowableRuntime time.Duration) (builtFiles []string, logFile string, err error) {
 	const sleepDuration = time.Second * 5
 	time.Sleep(sleepDuration)
 
diff --git a/toolkit/tools/scheduler/scheduler.go b/toolkit/tools/scheduler/scheduler.go
index 51834ac85a4..097b781fd37 100644
--- a/toolkit/tools/scheduler/scheduler.go
+++ b/toolkit/tools/scheduler/scheduler.go
@@ -264,7 +264,7 @@ func cancelOutstandingBuilds(agent buildagents.BuildAgent) {
 	}
 
 	// Issue a SIGINT to all children processes to allow them to gracefully exit.
-	shell.PermanentlyStopAllChildProcesses(unix.SIGINT)
+	shell.StopAllChildProcesses(unix.SIGINT)
 }
 
 // cancelBuildsOnSignal will stop any builds running on SIGINT/SIGTERM.
diff --git a/toolkit/tools/scheduler/schedulerutils/buildworker.go b/toolkit/tools/scheduler/schedulerutils/buildworker.go
index 62d5b803d8e..c7ac8673a82 100644
--- a/toolkit/tools/scheduler/schedulerutils/buildworker.go
+++ b/toolkit/tools/scheduler/schedulerutils/buildworker.go
@@ -5,6 +5,7 @@ package schedulerutils
 
 import (
 	"bufio"
+	"context"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -278,10 +279,27 @@ func buildSRPMFile(agent buildagents.BuildAgent, buildAttempts int, basePackageN
 	)
 
 	logBaseName := filepath.Base(srpmFile) + ".log"
-	err = retry.Run(func() (buildErr error) {
-		builtFiles, logFile, buildErr = agent.BuildPackage(basePackageName, srpmFile, logBaseName, outArch, runCheck, dependencies)
+
+	// Track the time the build may take, and ensure we don't exceed the maximum limit.
+	attemptNumber := 0
+	totalExecutionTimeout := agent.Config().Timeout
+	deadline := time.Now().Add(totalExecutionTimeout)
+	ctx, cancelFunc := context.WithDeadline(context.Background(), deadline)
+	defer cancelFunc()
+
+	wasCancelled, err := retry.RunWithLinearBackoff(ctx, func() (buildErr error) {
+		if attemptNumber > 0 {
+			logger.Log.Warnf("Build for '%s' failed %d times, retrying up to %d times.", srpmFile, attemptNumber, buildAttempts)
+		}
+		attemptNumber++
+
+		builtFiles, logFile, buildErr = agent.BuildPackage(basePackageName, srpmFile, logBaseName, outArch, runCheck, dependencies, time.Until(deadline))
 		return
 	}, buildAttempts, retryDuration)
+	if wasCancelled {
+		err = fmt.Errorf("after %d/%d attempts, the build exceeded the maximum time of %s", attemptNumber, buildAttempts, totalExecutionTimeout)
+		return
+	}
 
 	return
 }
@@ -296,10 +314,23 @@ func testSRPMFile(agent buildagents.BuildAgent, checkAttempts int, basePackageNa
 	)
 
 	logBaseName := filepath.Base(srpmFile) + ".test.log"
-	err = retry.Run(func() (buildErr error) {
+
+	// Track the time the build may take, and ensure we don't exceed the maximum limit.
+	attemptNumber := 0
+	totalExecutionTimeout := agent.Config().Timeout
+	deadline := time.Now().Add(totalExecutionTimeout)
+	ctx, cancelFunc := context.WithDeadline(context.Background(), deadline)
+	defer cancelFunc()
+
+	wasCancelled, err := retry.RunWithLinearBackoff(ctx, func() (buildErr error) {
+		if attemptNumber > 0 {
+			logger.Log.Warnf("Test for '%s' failed %d times, retrying up to %d times.", srpmFile, attemptNumber, checkAttempts)
+		}
+		attemptNumber++
+
 		checkFailed = false
 
-		_, logFile, buildErr = agent.BuildPackage(basePackageName, srpmFile, logBaseName, outArch, runCheck, dependencies)
+		_, logFile, buildErr = agent.BuildPackage(basePackageName, srpmFile, logBaseName, outArch, runCheck, dependencies, time.Until(deadline))
 		if buildErr != nil {
 			logger.Log.Warnf("Test build for '%s' failed on a non-test build issue. Error: %s", srpmFile, buildErr)
 			return
@@ -312,6 +343,10 @@ func testSRPMFile(agent buildagents.BuildAgent, checkAttempts int, basePackageNa
 		}
 		return
 	}, checkAttempts, retryDuration)
+	if wasCancelled {
+		err = fmt.Errorf("after %d/%d attempts, the check exceeded the maximum time of %s", attemptNumber, checkAttempts, totalExecutionTimeout)
+		return
+	}
 
 	if checkFailed {
 		logger.Log.Debugf("Tests failed for '%s' after %d attempt(s).", basePackageName, checkAttempts)
diff --git a/toolkit/tools/scheduler/schedulerutils/preparerequest.go b/toolkit/tools/scheduler/schedulerutils/preparerequest.go
index 4838b0b4396..33fa3270ca5 100644
--- a/toolkit/tools/scheduler/schedulerutils/preparerequest.go
+++ b/toolkit/tools/scheduler/schedulerutils/preparerequest.go
@@ -207,6 +207,8 @@ func testNodesToRequests(pkgGraph *pkggraph.PkgGraph, buildState *GraphBuildStat
 // - missing RPMs or
 // - user explicitly requesting the node to be rebuilt.
 func isRequiredRebuild(pkgGraph *pkggraph.PkgGraph, node *pkggraph.PkgNode, packagesToRebuild []*pkgjson.PackageVer) bool {
+	logger.Log.Debugf("Checking if node %v is required to be rebuilt.", node.FriendlyName())
+
 	return nodeHasMissingRPMs(pkgGraph, node) || nodeRequestedForRebuildByUser(node, packagesToRebuild)
 }
 
@@ -266,6 +268,11 @@ func calculateExpectedFreshness(dependencyNode *pkggraph.PkgNode, buildState *Gr
 // nodeHasMissingRPMs checks if all RPMs expected from the node's SRPM are present.
 // If any of the RPMs produced by the SRPM are missing, we must build the SRPM and reset the freshness of the node.
 func nodeHasMissingRPMs(pkgGraph *pkggraph.PkgGraph, node *pkggraph.PkgNode) (rpmsMissing bool) {
+	if node.SrpmPath == pkggraph.NoSRPMPath {
+		logger.Log.Debugf("Node %v has no SRPM path, skipping check for missing RPMs.", node.FriendlyName())
+		return
+	}
+
 	expectedFiles, missingFiles := pkggraph.FindRPMFiles(node.SrpmPath, pkgGraph, nil)
 
 	rpmsMissing = len(missingFiles) != 0