From 0c7cd8023e96aad15254c074e597274313347261 Mon Sep 17 00:00:00 2001
From: Pascal Vizeli <pvizeli@syshack.ch>
Date: Sun, 11 Oct 2020 19:38:10 +0200
Subject: [PATCH 01/12] Bump version 5.4

---
 buildroot-external/meta | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/buildroot-external/meta b/buildroot-external/meta
index 72e3fd037..2a80f1a2f 100644
--- a/buildroot-external/meta
+++ b/buildroot-external/meta
@@ -1,5 +1,5 @@
 VERSION_MAJOR=5
-VERSION_BUILD=3
+VERSION_BUILD=4
 
 HASSOS_NAME="HassOS"
 HASSOS_ID="hassos"

From 3337cd0f79e2ef04027b4e35e5c37f9219ebb7e4 Mon Sep 17 00:00:00 2001
From: Aman Gupta Karmani <aman@tmm1.net>
Date: Mon, 12 Oct 2020 12:41:12 -0700
Subject: [PATCH 02/12] Fix var-lib-NetworkManager.mount dependencies (#895)

---
 .../usr/lib/systemd/system/var-lib-NetworkManager.mount       | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/buildroot-external/rootfs-overlay/usr/lib/systemd/system/var-lib-NetworkManager.mount b/buildroot-external/rootfs-overlay/usr/lib/systemd/system/var-lib-NetworkManager.mount
index e4e685499..054cc1fd7 100644
--- a/buildroot-external/rootfs-overlay/usr/lib/systemd/system/var-lib-NetworkManager.mount
+++ b/buildroot-external/rootfs-overlay/usr/lib/systemd/system/var-lib-NetworkManager.mount
@@ -1,7 +1,7 @@
 [Unit]
 Description=NetworkManager persistent data
-Requires=mnt-data.mount
-After=mnt-data.mount
+Requires=mnt-overlay.mount
+After=mnt-overlay.mount hassos-overlay.service
 Before=NetworkManager.service
 
 [Mount]

From 59b8636bc83249062eb66394d67125b1ada36185 Mon Sep 17 00:00:00 2001
From: Aman Gupta Karmani <aman@tmm1.net>
Date: Mon, 12 Oct 2020 15:38:04 -0700
Subject: [PATCH 03/12] Fix systemd-time-wait-sync getting stuck with upstream
 patches (#897)

---
 ...02-time-wait-sync-log-inotify-errors.patch | 23 ++++++++
 .../systemd/0003-fix-inotify-watches.patch    | 54 +++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 buildroot-external/patches/systemd/0002-time-wait-sync-log-inotify-errors.patch
 create mode 100644 buildroot-external/patches/systemd/0003-fix-inotify-watches.patch

diff --git a/buildroot-external/patches/systemd/0002-time-wait-sync-log-inotify-errors.patch b/buildroot-external/patches/systemd/0002-time-wait-sync-log-inotify-errors.patch
new file mode 100644
index 000000000..35ae36b2d
--- /dev/null
+++ b/buildroot-external/patches/systemd/0002-time-wait-sync-log-inotify-errors.patch
@@ -0,0 +1,23 @@
+From 4a4298ef78e943d36f3b8d8e78bfa21b1506961e Mon Sep 17 00:00:00 2001
+From: Aman Gupta Karmani <aman@tmm1.net>
+Date: Mon, 12 Oct 2020 13:39:26 -0700
+Subject: [PATCH] time-wait-sync: log errors trying to watch
+ /run/systemd/timesync
+
+---
+ src/time-wait-sync/time-wait-sync.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/time-wait-sync/time-wait-sync.c b/src/time-wait-sync/time-wait-sync.c
+index 96072445f6e..c8ec4850426 100644
+--- a/src/time-wait-sync/time-wait-sync.c
++++ b/src/time-wait-sync/time-wait-sync.c
+@@ -50,7 +50,7 @@ static void clock_state_release(ClockState *sp) {
+ static int clock_state_update(ClockState *sp, sd_event *event);
+ 
+ static int update_notify_run_systemd_timesync(ClockState *sp) {
+-        sp->run_systemd_timesync_wd = inotify_add_watch(sp->inotify_fd, "/run/systemd/timesync", IN_CREATE|IN_DELETE_SELF);
++        sp->run_systemd_timesync_wd = inotify_add_watch_and_warn(sp->inotify_fd, "/run/systemd/timesync", IN_CREATE|IN_DELETE_SELF);
+         return sp->run_systemd_timesync_wd;
+ }
+ 
diff --git a/buildroot-external/patches/systemd/0003-fix-inotify-watches.patch b/buildroot-external/patches/systemd/0003-fix-inotify-watches.patch
new file mode 100644
index 000000000..30d322691
--- /dev/null
+++ b/buildroot-external/patches/systemd/0003-fix-inotify-watches.patch
@@ -0,0 +1,54 @@
+From f6f4f5fe5395a57f10dd446c7266c53f0673eaac Mon Sep 17 00:00:00 2001
+From: Balaji Punnuru <balaji_punnuru@cable.comcast.com>
+Date: Thu, 9 Apr 2020 12:21:49 -0400
+Subject: [PATCH] util: return the correct correct wd from inotify helpers
+
+We need to propagate the acquired watch descriptors because our callers
+are counting on them.
+
+[Lennart: this is split out of #15381 and simplified]
+---
+ src/basic/fs-util.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/basic/fs-util.c b/src/basic/fs-util.c
+index 558cafbcaf5..ef3b5a51842 100644
+--- a/src/basic/fs-util.c
++++ b/src/basic/fs-util.c
+@@ -692,28 +692,30 @@ int unlink_or_warn(const char *filename) {
+ 
+ int inotify_add_watch_fd(int fd, int what, uint32_t mask) {
+         char path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int) + 1];
+-        int r;
++        int wd;
+ 
+         /* This is like inotify_add_watch(), except that the file to watch is not referenced by a path, but by an fd */
+         xsprintf(path, "/proc/self/fd/%i", what);
+ 
+-        r = inotify_add_watch(fd, path, mask);
+-        if (r < 0)
++        wd = inotify_add_watch(fd, path, mask);
++        if (wd < 0)
+                 return -errno;
+ 
+-        return r;
++        return wd;
+ }
+ 
+ int inotify_add_watch_and_warn(int fd, const char *pathname, uint32_t mask) {
++        int wd;
+ 
+-        if (inotify_add_watch(fd, pathname, mask) < 0) {
++        wd = inotify_add_watch(fd, pathname, mask);
++        if (wd < 0) {
+                 if (errno == ENOSPC)
+                         return log_error_errno(errno, "Failed to add a watch for %s: inotify watch limit reached", pathname);
+ 
+                 return log_error_errno(errno, "Failed to add a watch for %s: %m", pathname);
+         }
+ 
+-        return 0;
++        return wd;
+ }
+ 
+ static bool unsafe_transition(const struct stat *a, const struct stat *b) {

From b4fad0361342c0d22e1d357ff0462993c5e9b8eb Mon Sep 17 00:00:00 2001
From: Souradip Mookerjee <souramoo@gmx.com>
Date: Thu, 15 Oct 2020 10:49:08 +0100
Subject: [PATCH 04/12] Make clear this should be with UNIX line endings (#884)

---
 Documentation/network.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Documentation/network.md b/Documentation/network.md
index 7c1f101f4..09ce0213a 100644
--- a/Documentation/network.md
+++ b/Documentation/network.md
@@ -10,6 +10,8 @@ Only a manual configuration using NetworkManager connection files is supported.
 
 You can read the [NetworkManager manual][nm-manual] or find many configuration examples across the internet. Keep in mind that the system is read-only. If you don't want the IP address to change on every boot, you should modify the UUID property to a generic [UUID4][uuid]. Inside the `\CONFIG\network\` directory on the USB drive or SD card, create a file called `my-network` and add the appropriate contents below:
 
+**NOTE: Please make sure to save this file with UNIX line endings (LF, and not Windows' default CRLF endings). You can do this using Notepad these days!**
+
 ### Default
 
 A preinstalled connection profile is provided by default:

From dade3adf801e7ae304e449232165bda990909b0b Mon Sep 17 00:00:00 2001
From: Aman Gupta Karmani <aman@tmm1.net>
Date: Fri, 16 Oct 2020 06:12:35 -0700
Subject: [PATCH 05/12] bump rpi-firmware to latest stable release (sep 2020)
 (#899)

---
 buildroot-patches/0002-rpi-firmware-Bump-firmware.patch | 4 ++--
 buildroot/package/rpi-firmware/rpi-firmware.hash        | 2 +-
 buildroot/package/rpi-firmware/rpi-firmware.mk          | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/buildroot-patches/0002-rpi-firmware-Bump-firmware.patch b/buildroot-patches/0002-rpi-firmware-Bump-firmware.patch
index e8e832988..7bd88826d 100644
--- a/buildroot-patches/0002-rpi-firmware-Bump-firmware.patch
+++ b/buildroot-patches/0002-rpi-firmware-Bump-firmware.patch
@@ -16,7 +16,7 @@ index 59ab1da0c6..e3ba1bf99c 100644
 @@ -1,3 +1,3 @@
  # Locally computed
 -sha256 31a84340be08be319570a9d1439f25c0e3513fed73065a56aa5dd61dd605d5d9 rpi-firmware-01ecfd2ba2b7cf3a2f4aa75ada895ee4a3e729f5.tar.gz
-+sha256 4789d4422b3bc7eab157471ba36aebd54efc2a6de4c937f5cfdb4392af04fe80 rpi-firmware-7caead9416f64b2d33361c703fb243b8e157eba4.tar.gz
++sha256 6e5f1bf068995078d4d6a01899a7f7fe094b92a4f5cc19f0d4f67040a3175aa9 rpi-firmware-2b41f509710d99758a5b8efa88d95dd0e9169c0a.tar.gz
  sha256 c7283ff51f863d93a275c66e3b4cb08021a5dd4d8c1e7acc47d872fbe52d3d6b boot/LICENCE.broadcom
 diff --git a/package/rpi-firmware/rpi-firmware.mk b/package/rpi-firmware/rpi-firmware.mk
 index 6fee60b08c..2177ca9859 100644
@@ -27,7 +27,7 @@ index 6fee60b08c..2177ca9859 100644
  ################################################################################
  
 -RPI_FIRMWARE_VERSION = 01ecfd2ba2b7cf3a2f4aa75ada895ee4a3e729f5
-+RPI_FIRMWARE_VERSION = 7caead9416f64b2d33361c703fb243b8e157eba4
++RPI_FIRMWARE_VERSION = 2b41f509710d99758a5b8efa88d95dd0e9169c0a
  RPI_FIRMWARE_SITE = $(call github,raspberrypi,firmware,$(RPI_FIRMWARE_VERSION))
  RPI_FIRMWARE_LICENSE = BSD-3-Clause
  RPI_FIRMWARE_LICENSE_FILES = boot/LICENCE.broadcom
diff --git a/buildroot/package/rpi-firmware/rpi-firmware.hash b/buildroot/package/rpi-firmware/rpi-firmware.hash
index 54607d0a4..1add953cb 100644
--- a/buildroot/package/rpi-firmware/rpi-firmware.hash
+++ b/buildroot/package/rpi-firmware/rpi-firmware.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256 4789d4422b3bc7eab157471ba36aebd54efc2a6de4c937f5cfdb4392af04fe80 rpi-firmware-7caead9416f64b2d33361c703fb243b8e157eba4.tar.gz
+sha256 6e5f1bf068995078d4d6a01899a7f7fe094b92a4f5cc19f0d4f67040a3175aa9 rpi-firmware-2b41f509710d99758a5b8efa88d95dd0e9169c0a.tar.gz
 sha256 c7283ff51f863d93a275c66e3b4cb08021a5dd4d8c1e7acc47d872fbe52d3d6b boot/LICENCE.broadcom
diff --git a/buildroot/package/rpi-firmware/rpi-firmware.mk b/buildroot/package/rpi-firmware/rpi-firmware.mk
index 8d73aa698..dd44bd758 100644
--- a/buildroot/package/rpi-firmware/rpi-firmware.mk
+++ b/buildroot/package/rpi-firmware/rpi-firmware.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-RPI_FIRMWARE_VERSION = 7caead9416f64b2d33361c703fb243b8e157eba4
+RPI_FIRMWARE_VERSION = 2b41f509710d99758a5b8efa88d95dd0e9169c0a
 RPI_FIRMWARE_SITE = $(call github,raspberrypi,firmware,$(RPI_FIRMWARE_VERSION))
 RPI_FIRMWARE_LICENSE = BSD-3-Clause
 RPI_FIRMWARE_LICENSE_FILES = boot/LICENCE.broadcom

From 2b0fff31a367da05a8b6e171ab11860d4c7edee0 Mon Sep 17 00:00:00 2001
From: Stefan Agner <stefan@agner.ch>
Date: Sat, 17 Oct 2020 13:14:47 +0200
Subject: [PATCH 06/12] Bump ODROID boards to Linux 5.9 (#898)

* Bump ODROID boards to Linux 5.9.1

This makes quite some patches obsolete which since have been upstreamed.

* Drop Linux 5.7 header symbols

Since we do not introduce new packages which actually require a newer
kernel headers, there is no value in having config symbols for the new
kernel version. Buildroot is still using the headers from our kernel,
and hence gets the latest version of the headers.
---
 ...nfig-enable-meson-gx-audio-as-module.patch |  43 -----
 ...dts-meson-convert-ODROID-N2-to-dtsi.patch} |  10 +-
 ...-imply-acodec-glue-on-axg-sound-card.patch |  28 ---
 ...mlogic-add-support-for-the-ODROID-N.patch} |  21 ++-
 ...eson-gx-card-fix-sound-dai-dt-schema.patch |  47 -----
 ...meson-add-support-for-the-ODROID-N2.patch} |  16 +-
 ...arm64-dts-meson-g12-add-internal-DAC.patch |  39 ----
 ...son-g12a-mark-fclk_div2-as-critical.patch} |  12 +-
 ...-dts-meson-g12-add-internal-DAC-glue.patch |  39 ----
 ...g12b-odroid-n2-enable-audio-loopback.patch | 123 -------------
 ...odroid-n2-add-jack-audio-output-supp.patch | 168 ------------------
 .../configs/odroid_c2_defconfig               |   4 +-
 .../configs/odroid_n2_defconfig               |   4 +-
 .../configs/odroid_xu4_defconfig              |   4 +-
 buildroot-patches/0008-Linux-5.7.patch        |  68 -------
 .../package/linux-headers/Config.in.host      |   4 -
 buildroot/toolchain/Config.in                 |   5 -
 .../Config.in.options                         |   4 -
 18 files changed, 34 insertions(+), 605 deletions(-)
 delete mode 100644 buildroot-external/board/hardkernel/patches/linux/0001-arm64-defconfig-enable-meson-gx-audio-as-module.patch
 rename buildroot-external/board/hardkernel/patches/linux/{0008-arm64-dts-meson-convert-ODROID-N2-to-dtsi.patch => 0001-arm64-dts-meson-convert-ODROID-N2-to-dtsi.patch} (98%)
 delete mode 100644 buildroot-external/board/hardkernel/patches/linux/0002-ASoC-meson-imply-acodec-glue-on-axg-sound-card.patch
 rename buildroot-external/board/hardkernel/patches/linux/{0009-dt-bindings-arm-amlogic-add-support-for-the-ODROID-N.patch => 0002-dt-bindings-arm-amlogic-add-support-for-the-ODROID-N.patch} (62%)
 delete mode 100644 buildroot-external/board/hardkernel/patches/linux/0003-ASoC-meson-gx-card-fix-sound-dai-dt-schema.patch
 rename buildroot-external/board/hardkernel/patches/linux/{0010-arm64-dts-meson-add-support-for-the-ODROID-N2.patch => 0003-arm64-dts-meson-add-support-for-the-ODROID-N2.patch} (85%)
 delete mode 100644 buildroot-external/board/hardkernel/patches/linux/0004-arm64-dts-meson-g12-add-internal-DAC.patch
 rename buildroot-external/board/hardkernel/patches/linux/{0011-clk-meson-g12a-mark-fclk_div2-as-critical.patch => 0004-clk-meson-g12a-mark-fclk_div2-as-critical.patch} (71%)
 delete mode 100644 buildroot-external/board/hardkernel/patches/linux/0005-arm64-dts-meson-g12-add-internal-DAC-glue.patch
 delete mode 100644 buildroot-external/board/hardkernel/patches/linux/0006-arm64-dts-meson-g12b-odroid-n2-enable-audio-loopback.patch
 delete mode 100644 buildroot-external/board/hardkernel/patches/linux/0007-arm64-dts-meson-odroid-n2-add-jack-audio-output-supp.patch
 delete mode 100644 buildroot-patches/0008-Linux-5.7.patch

diff --git a/buildroot-external/board/hardkernel/patches/linux/0001-arm64-defconfig-enable-meson-gx-audio-as-module.patch b/buildroot-external/board/hardkernel/patches/linux/0001-arm64-defconfig-enable-meson-gx-audio-as-module.patch
deleted file mode 100644
index d323d6860..000000000
--- a/buildroot-external/board/hardkernel/patches/linux/0001-arm64-defconfig-enable-meson-gx-audio-as-module.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From e2b93751cfd0722801b65b4603b588ab9df4c12b Mon Sep 17 00:00:00 2001
-From: Jerome Brunet <jbrunet@baylibre.com>
-Date: Tue, 21 Apr 2020 18:39:30 +0200
-Subject: [PATCH 2/8] arm64: defconfig: enable meson gx audio as module
-
-Enable the module config for the Amlogic GX audio card.
-This module will imply the internal components usually associated
-with it to make a functional sound card on these platforms.
-
-Also enable the simple amplifier module which often used on the
-output stage of those cards.
-
-Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
-Signed-off-by: Kevin Hilman <khilman@baylibre.com>
-Tested-by: Christian Hewitt <christianshewitt@gmail.com>
-Link: https://lore.kernel.org/r/20200421163935.775935-2-jbrunet@baylibre.com
----
- arch/arm64/configs/defconfig | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/arch/arm64/configs/defconfig b/arch/arm64/configs/defconfig
-index 03d0189f7d68..ceb60ee9c340 100644
---- a/arch/arm64/configs/defconfig
-+++ b/arch/arm64/configs/defconfig
-@@ -644,6 +644,7 @@ CONFIG_SND_HDA_CODEC_HDMI=m
- CONFIG_SND_SOC=y
- CONFIG_SND_BCM2835_SOC_I2S=m
- CONFIG_SND_MESON_AXG_SOUND_CARD=m
-+CONFIG_SND_MESON_GX_SOUND_CARD=m
- CONFIG_SND_SOC_SDM845=m
- CONFIG_SND_SOC_ROCKCHIP=m
- CONFIG_SND_SOC_ROCKCHIP_SPDIF=m
-@@ -656,6 +657,7 @@ CONFIG_SND_SOC_AK4613=m
- CONFIG_SND_SOC_ES7134=m
- CONFIG_SND_SOC_ES7241=m
- CONFIG_SND_SOC_PCM3168A_I2C=m
-+CONFIG_SND_SOC_SIMPLE_AMPLIFIER=m
- CONFIG_SND_SOC_TAS571X=m
- CONFIG_SND_SOC_WCD934X=m
- CONFIG_SND_SOC_WSA881X=m
--- 
-2.17.1
-
diff --git a/buildroot-external/board/hardkernel/patches/linux/0008-arm64-dts-meson-convert-ODROID-N2-to-dtsi.patch b/buildroot-external/board/hardkernel/patches/linux/0001-arm64-dts-meson-convert-ODROID-N2-to-dtsi.patch
similarity index 98%
rename from buildroot-external/board/hardkernel/patches/linux/0008-arm64-dts-meson-convert-ODROID-N2-to-dtsi.patch
rename to buildroot-external/board/hardkernel/patches/linux/0001-arm64-dts-meson-convert-ODROID-N2-to-dtsi.patch
index 335f704c6..5f2f534bc 100644
--- a/buildroot-external/board/hardkernel/patches/linux/0008-arm64-dts-meson-convert-ODROID-N2-to-dtsi.patch
+++ b/buildroot-external/board/hardkernel/patches/linux/0001-arm64-dts-meson-convert-ODROID-N2-to-dtsi.patch
@@ -1,10 +1,8 @@
-From 9443f2cd21a8ebd08f0fb64f5b3a8ccb6cd77d8e Mon Sep 17 00:00:00 2001
-Message-Id: <9443f2cd21a8ebd08f0fb64f5b3a8ccb6cd77d8e.1596660075.git.stefan@agner.ch>
-In-Reply-To: <f72fc1866396fed30036e0f06007c15217e47f22.1596660075.git.stefan@agner.ch>
-References: <f72fc1866396fed30036e0f06007c15217e47f22.1596660075.git.stefan@agner.ch>
+From d35db3d5f943fea569dde8e83f15565254643385 Mon Sep 17 00:00:00 2001
+Message-Id: <d35db3d5f943fea569dde8e83f15565254643385.1602360581.git.stefan@agner.ch>
 From: Christian Hewitt <christianshewitt@gmail.com>
 Date: Sun, 19 Jul 2020 14:10:32 +0000
-Subject: [PATCH 08/10] arm64: dts: meson: convert ODROID-N2 to dtsi
+Subject: [PATCH 1/4] arm64: dts: meson: convert ODROID-N2 to dtsi
 
 Convert the current ODROID-N2 dts into a common dtsi in preparation
 for adding ODROID-N2+ support.
@@ -1283,5 +1281,5 @@ index 000000000000..e5bc132ce7d5
 +	phy-supply = <&hub_5v>;
 +};
 -- 
-2.27.0
+2.28.0
 
diff --git a/buildroot-external/board/hardkernel/patches/linux/0002-ASoC-meson-imply-acodec-glue-on-axg-sound-card.patch b/buildroot-external/board/hardkernel/patches/linux/0002-ASoC-meson-imply-acodec-glue-on-axg-sound-card.patch
deleted file mode 100644
index b068aa1e4..000000000
--- a/buildroot-external/board/hardkernel/patches/linux/0002-ASoC-meson-imply-acodec-glue-on-axg-sound-card.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 821b8ac21b1675910423ee69d37cb1977b8f271e Mon Sep 17 00:00:00 2001
-From: Jerome Brunet <jbrunet@baylibre.com>
-Date: Mon, 30 Mar 2020 17:39:04 +0200
-Subject: [PATCH 3/8] ASoC: meson: imply acodec glue on axg sound card
-
-When axg card driver support is enabled, lets enable the related
-internal DAC glue by default.
-
-Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
----
- sound/soc/meson/Kconfig | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sound/soc/meson/Kconfig b/sound/soc/meson/Kconfig
-index 8b6295283989..363dc3b1bbe4 100644
---- a/sound/soc/meson/Kconfig
-+++ b/sound/soc/meson/Kconfig
-@@ -68,6 +68,7 @@ config SND_MESON_AXG_SOUND_CARD
- 	imply SND_MESON_AXG_SPDIFOUT
- 	imply SND_MESON_AXG_SPDIFIN
- 	imply SND_MESON_AXG_PDM
-+	imply SND_MESON_G12A_TOACODEC
- 	imply SND_MESON_G12A_TOHDMITX if DRM_MESON_DW_HDMI
- 	help
- 	  Select Y or M to add support for the AXG SoC sound card
--- 
-2.17.1
-
diff --git a/buildroot-external/board/hardkernel/patches/linux/0009-dt-bindings-arm-amlogic-add-support-for-the-ODROID-N.patch b/buildroot-external/board/hardkernel/patches/linux/0002-dt-bindings-arm-amlogic-add-support-for-the-ODROID-N.patch
similarity index 62%
rename from buildroot-external/board/hardkernel/patches/linux/0009-dt-bindings-arm-amlogic-add-support-for-the-ODROID-N.patch
rename to buildroot-external/board/hardkernel/patches/linux/0002-dt-bindings-arm-amlogic-add-support-for-the-ODROID-N.patch
index 23b58efb2..39ff63029 100644
--- a/buildroot-external/board/hardkernel/patches/linux/0009-dt-bindings-arm-amlogic-add-support-for-the-ODROID-N.patch
+++ b/buildroot-external/board/hardkernel/patches/linux/0002-dt-bindings-arm-amlogic-add-support-for-the-ODROID-N.patch
@@ -1,11 +1,10 @@
-From 54d8ae2ae7a10dab6998b2d4ac507aec96c6f1da Mon Sep 17 00:00:00 2001
-Message-Id: <54d8ae2ae7a10dab6998b2d4ac507aec96c6f1da.1595882680.git.stefan@agner.ch>
-In-Reply-To: <d83d79b085486a605462fa91e3c6746e4ff0b263.1595882680.git.stefan@agner.ch>
-References: <d83d79b085486a605462fa91e3c6746e4ff0b263.1595882680.git.stefan@agner.ch>
+From 4b9d9159ed5a79ceac5b831012b3cb44cce2516c Mon Sep 17 00:00:00 2001
+Message-Id: <4b9d9159ed5a79ceac5b831012b3cb44cce2516c.1602360581.git.stefan@agner.ch>
+In-Reply-To: <d35db3d5f943fea569dde8e83f15565254643385.1602360581.git.stefan@agner.ch>
+References: <d35db3d5f943fea569dde8e83f15565254643385.1602360581.git.stefan@agner.ch>
 From: Christian Hewitt <christianshewitt@gmail.com>
 Date: Sun, 19 Jul 2020 14:10:33 +0000
-Subject: [PATCH 09/10] dt-bindings: arm: amlogic: add support for the
- ODROID-N2+
+Subject: [PATCH 2/4] dt-bindings: arm: amlogic: add support for the ODROID-N2+
 
 HardKernel ODROID-N2+ uses a revised Amlogic S922X v2 chip that supports
 higher cpu clock speeds than the original ODROID-N2.
@@ -16,17 +15,17 @@ Signed-off-by: Christian Hewitt <christianshewitt@gmail.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/Documentation/devicetree/bindings/arm/amlogic.yaml b/Documentation/devicetree/bindings/arm/amlogic.yaml
-index f74aba48cec1..915ef4f355ad 100644
+index 5eba9f48823e..12ba8d074370 100644
 --- a/Documentation/devicetree/bindings/arm/amlogic.yaml
 +++ b/Documentation/devicetree/bindings/arm/amlogic.yaml
-@@ -149,6 +149,7 @@ properties:
-         items:
-           - enum:
+@@ -153,6 +153,7 @@ properties:
+               - azw,gtking
+               - azw,gtking-pro
                - hardkernel,odroid-n2
 +              - hardkernel,odroid-n2-plus
                - khadas,vim3
                - ugoos,am6
            - const: amlogic,s922x
 -- 
-2.27.0
+2.28.0
 
diff --git a/buildroot-external/board/hardkernel/patches/linux/0003-ASoC-meson-gx-card-fix-sound-dai-dt-schema.patch b/buildroot-external/board/hardkernel/patches/linux/0003-ASoC-meson-gx-card-fix-sound-dai-dt-schema.patch
deleted file mode 100644
index 2799dc30f..000000000
--- a/buildroot-external/board/hardkernel/patches/linux/0003-ASoC-meson-gx-card-fix-sound-dai-dt-schema.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 60164df03c6314d8f5f3afef56b0bf97962ec9ee Mon Sep 17 00:00:00 2001
-From: Jerome Brunet <jbrunet@baylibre.com>
-Date: Mon, 24 Feb 2020 14:35:17 +0100
-Subject: [PATCH 4/8] ASoC: meson: gx-card: fix sound-dai dt schema
-
-There is a fair amount of warnings when running 'make dtbs_check' with
-amlogic,gx-sound-card.yaml.
-
-Ex:
-arch/arm64/boot/dts/amlogic/meson-gxm-q200.dt.yaml: sound: dai-link-0:sound-dai:0:1: missing phandle tag in 0
-arch/arm64/boot/dts/amlogic/meson-gxm-q200.dt.yaml: sound: dai-link-0:sound-dai:0:2: missing phandle tag in 0
-arch/arm64/boot/dts/amlogic/meson-gxm-q200.dt.yaml: sound: dai-link-0:sound-dai:0: [66, 0, 0] is too long
-
-The reason is that the sound-dai phandle provided has cells, and in such
-case the schema should use 'phandle-array' instead of 'phandle'.
-
-Fixes: fd00366b8e41 ("ASoC: meson: gx: add sound card dt-binding documentation")
-Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
----
- .../devicetree/bindings/sound/amlogic,gx-sound-card.yaml      | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Documentation/devicetree/bindings/sound/amlogic,gx-sound-card.yaml b/Documentation/devicetree/bindings/sound/amlogic,gx-sound-card.yaml
-index fb374c659be1..a48222e8cd08 100644
---- a/Documentation/devicetree/bindings/sound/amlogic,gx-sound-card.yaml
-+++ b/Documentation/devicetree/bindings/sound/amlogic,gx-sound-card.yaml
-@@ -57,7 +57,7 @@ patternProperties:
-           rate
- 
-       sound-dai:
--        $ref: /schemas/types.yaml#/definitions/phandle
-+        $ref: /schemas/types.yaml#/definitions/phandle-array
-         description: phandle of the CPU DAI
- 
-     patternProperties:
-@@ -71,7 +71,7 @@ patternProperties:
- 
-         properties:
-           sound-dai:
--            $ref: /schemas/types.yaml#/definitions/phandle
-+            $ref: /schemas/types.yaml#/definitions/phandle-array
-             description: phandle of the codec DAI
- 
-         required:
--- 
-2.17.1
-
diff --git a/buildroot-external/board/hardkernel/patches/linux/0010-arm64-dts-meson-add-support-for-the-ODROID-N2.patch b/buildroot-external/board/hardkernel/patches/linux/0003-arm64-dts-meson-add-support-for-the-ODROID-N2.patch
similarity index 85%
rename from buildroot-external/board/hardkernel/patches/linux/0010-arm64-dts-meson-add-support-for-the-ODROID-N2.patch
rename to buildroot-external/board/hardkernel/patches/linux/0003-arm64-dts-meson-add-support-for-the-ODROID-N2.patch
index 42ebf9903..61a55fa7d 100644
--- a/buildroot-external/board/hardkernel/patches/linux/0010-arm64-dts-meson-add-support-for-the-ODROID-N2.patch
+++ b/buildroot-external/board/hardkernel/patches/linux/0003-arm64-dts-meson-add-support-for-the-ODROID-N2.patch
@@ -1,10 +1,10 @@
-From 188bc924b34b7d845324eb2e0e7493a9eaeb2cb5 Mon Sep 17 00:00:00 2001
-Message-Id: <188bc924b34b7d845324eb2e0e7493a9eaeb2cb5.1595882680.git.stefan@agner.ch>
-In-Reply-To: <d83d79b085486a605462fa91e3c6746e4ff0b263.1595882680.git.stefan@agner.ch>
-References: <d83d79b085486a605462fa91e3c6746e4ff0b263.1595882680.git.stefan@agner.ch>
+From 81b5af6c3ce3e0f312be0897bec0b3c942e2ce97 Mon Sep 17 00:00:00 2001
+Message-Id: <81b5af6c3ce3e0f312be0897bec0b3c942e2ce97.1602360581.git.stefan@agner.ch>
+In-Reply-To: <d35db3d5f943fea569dde8e83f15565254643385.1602360581.git.stefan@agner.ch>
+References: <d35db3d5f943fea569dde8e83f15565254643385.1602360581.git.stefan@agner.ch>
 From: Christian Hewitt <christianshewitt@gmail.com>
 Date: Sun, 19 Jul 2020 14:10:34 +0000
-Subject: [PATCH 10/10] arm64: dts: meson: add support for the ODROID-N2+
+Subject: [PATCH 3/4] arm64: dts: meson: add support for the ODROID-N2+
 
 HardKernel ODROID-N2+ uses an Amlogic S922X rev. C chip capable of higher
 clock speeds than the original ODROID-N2. Hardkernel supports the big cpu
@@ -22,10 +22,10 @@ Signed-off-by: Stefan Agner <stefan@agner.ch>
  create mode 100644 arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2-plus.dts
 
 diff --git a/arch/arm64/boot/dts/amlogic/Makefile b/arch/arm64/boot/dts/amlogic/Makefile
-index eef0045320f2..7524cf9680f5 100644
+index 4e2239ffcaa5..b0b3d6791499 100644
 --- a/arch/arm64/boot/dts/amlogic/Makefile
 +++ b/arch/arm64/boot/dts/amlogic/Makefile
-@@ -6,6 +6,7 @@ dtb-$(CONFIG_ARCH_MESON) += meson-g12a-x96-max.dtb
+@@ -8,6 +8,7 @@ dtb-$(CONFIG_ARCH_MESON) += meson-g12b-gtking-pro.dtb
  dtb-$(CONFIG_ARCH_MESON) += meson-g12b-a311d-khadas-vim3.dtb
  dtb-$(CONFIG_ARCH_MESON) += meson-g12b-s922x-khadas-vim3.dtb
  dtb-$(CONFIG_ARCH_MESON) += meson-g12b-odroid-n2.dtb
@@ -93,5 +93,5 @@ index 000000000000..4ebb448d233f
 +};
 +
 -- 
-2.27.0
+2.28.0
 
diff --git a/buildroot-external/board/hardkernel/patches/linux/0004-arm64-dts-meson-g12-add-internal-DAC.patch b/buildroot-external/board/hardkernel/patches/linux/0004-arm64-dts-meson-g12-add-internal-DAC.patch
deleted file mode 100644
index 4059bf8b0..000000000
--- a/buildroot-external/board/hardkernel/patches/linux/0004-arm64-dts-meson-g12-add-internal-DAC.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From e128dd1ca079c5ee558ab100387d9f81bd4f3980 Mon Sep 17 00:00:00 2001
-From: Jerome Brunet <jbrunet@baylibre.com>
-Date: Thu, 7 May 2020 00:16:55 +0200
-Subject: [PATCH 5/8] arm64: dts: meson: g12: add internal DAC
-
-add internal audio DAC support on the g12 and sm1 SoC family
-
-Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
-Signed-off-by: Kevin Hilman <khilman@baylibre.com>
-Link: https://lore.kernel.org/r/20200506221656.477379-7-jbrunet@baylibre.com
----
- arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi
-index c0aef7d69117..593a006f4b7b 100644
---- a/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi
-+++ b/arch/arm64/boot/dts/amlogic/meson-g12-common.dtsi
-@@ -250,6 +250,17 @@
- 				};
- 			};
- 
-+			acodec: audio-controller@32000 {
-+				compatible = "amlogic,t9015";
-+				reg = <0x0 0x32000 0x0 0x14>;
-+				#sound-dai-cells = <0>;
-+				sound-name-prefix = "ACODEC";
-+				clocks = <&clkc CLKID_AUDIO_CODEC>;
-+				clock-names = "pclk";
-+				resets = <&reset RESET_AUDIO_CODEC>;
-+				status = "disabled";
-+			};
-+
- 			periphs: bus@34400 {
- 				compatible = "simple-bus";
- 				reg = <0x0 0x34400 0x0 0x400>;
--- 
-2.17.1
-
diff --git a/buildroot-external/board/hardkernel/patches/linux/0011-clk-meson-g12a-mark-fclk_div2-as-critical.patch b/buildroot-external/board/hardkernel/patches/linux/0004-clk-meson-g12a-mark-fclk_div2-as-critical.patch
similarity index 71%
rename from buildroot-external/board/hardkernel/patches/linux/0011-clk-meson-g12a-mark-fclk_div2-as-critical.patch
rename to buildroot-external/board/hardkernel/patches/linux/0004-clk-meson-g12a-mark-fclk_div2-as-critical.patch
index 2095a67ba..dcd0d723c 100644
--- a/buildroot-external/board/hardkernel/patches/linux/0011-clk-meson-g12a-mark-fclk_div2-as-critical.patch
+++ b/buildroot-external/board/hardkernel/patches/linux/0004-clk-meson-g12a-mark-fclk_div2-as-critical.patch
@@ -1,10 +1,10 @@
-From c33df0ebe8be16b56741ce7f873221ab9087a0a6 Mon Sep 17 00:00:00 2001
-Message-Id: <c33df0ebe8be16b56741ce7f873221ab9087a0a6.1598564789.git.stefan@agner.ch>
-In-Reply-To: <f72fc1866396fed30036e0f06007c15217e47f22.1598564789.git.stefan@agner.ch>
-References: <f72fc1866396fed30036e0f06007c15217e47f22.1598564789.git.stefan@agner.ch>
+From 6a7c42785788faa862aeb7902cb2b3b08f033ca0 Mon Sep 17 00:00:00 2001
+Message-Id: <6a7c42785788faa862aeb7902cb2b3b08f033ca0.1602360581.git.stefan@agner.ch>
+In-Reply-To: <d35db3d5f943fea569dde8e83f15565254643385.1602360581.git.stefan@agner.ch>
+References: <d35db3d5f943fea569dde8e83f15565254643385.1602360581.git.stefan@agner.ch>
 From: Stefan Agner <stefan@agner.ch>
 Date: Thu, 27 Aug 2020 23:29:57 +0200
-Subject: [PATCH 11/11] clk: meson: g12a: mark fclk_div2 as critical
+Subject: [PATCH 4/4] clk: meson: g12a: mark fclk_div2 as critical
 
 On Amlogic Meson G12b platform, similar to fclk_div3, the fclk_div2
 seems to be necessary for the system to operate correctly as well.
@@ -22,7 +22,7 @@ Signed-off-by: Stefan Agner <stefan@agner.ch>
  1 file changed, 1 insertion(+)
 
 diff --git a/drivers/clk/meson/g12a.c b/drivers/clk/meson/g12a.c
-index fad616cac01e..2214b974f748 100644
+index 9803d44bb157..9a6722a1dc19 100644
 --- a/drivers/clk/meson/g12a.c
 +++ b/drivers/clk/meson/g12a.c
 @@ -298,6 +298,7 @@ static struct clk_regmap g12a_fclk_div2 = {
diff --git a/buildroot-external/board/hardkernel/patches/linux/0005-arm64-dts-meson-g12-add-internal-DAC-glue.patch b/buildroot-external/board/hardkernel/patches/linux/0005-arm64-dts-meson-g12-add-internal-DAC-glue.patch
deleted file mode 100644
index 515ba0574..000000000
--- a/buildroot-external/board/hardkernel/patches/linux/0005-arm64-dts-meson-g12-add-internal-DAC-glue.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 5ea4085da165fd3f3aa211cb3664dd166d0d5fd7 Mon Sep 17 00:00:00 2001
-From: Jerome Brunet <jbrunet@baylibre.com>
-Date: Thu, 7 May 2020 00:16:56 +0200
-Subject: [PATCH 6/8] arm64: dts: meson: g12: add internal DAC glue
-
-add the internal DAC glue support on the g12 and sm1 family
-This glue connects the different TDM interfaces of the SoC to
-the internal audio DAC codec.
-
-Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
-Signed-off-by: Kevin Hilman <khilman@baylibre.com>
-Link: https://lore.kernel.org/r/20200506221656.477379-8-jbrunet@baylibre.com
----
- arch/arm64/boot/dts/amlogic/meson-g12.dtsi | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/arch/arm64/boot/dts/amlogic/meson-g12.dtsi b/arch/arm64/boot/dts/amlogic/meson-g12.dtsi
-index 55d39020ec72..0d14409f509c 100644
---- a/arch/arm64/boot/dts/amlogic/meson-g12.dtsi
-+++ b/arch/arm64/boot/dts/amlogic/meson-g12.dtsi
-@@ -343,6 +343,15 @@
- 			status = "disabled";
- 		};
- 
-+		toacodec: audio-controller@740 {
-+			compatible = "amlogic,g12a-toacodec";
-+			reg = <0x0 0x740 0x0 0x4>;
-+			#sound-dai-cells = <1>;
-+			sound-name-prefix = "TOACODEC";
-+			resets = <&clkc_audio AUD_RESET_TOACODEC>;
-+			status = "disabled";
-+		};
-+
- 		tohdmitx: audio-controller@744 {
- 			compatible = "amlogic,g12a-tohdmitx";
- 			reg = <0x0 0x744 0x0 0x4>;
--- 
-2.17.1
-
diff --git a/buildroot-external/board/hardkernel/patches/linux/0006-arm64-dts-meson-g12b-odroid-n2-enable-audio-loopback.patch b/buildroot-external/board/hardkernel/patches/linux/0006-arm64-dts-meson-g12b-odroid-n2-enable-audio-loopback.patch
deleted file mode 100644
index 0a4741d94..000000000
--- a/buildroot-external/board/hardkernel/patches/linux/0006-arm64-dts-meson-g12b-odroid-n2-enable-audio-loopback.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 15b3cef2ea75c4d81cb067264be1cf49c49f81b1 Mon Sep 17 00:00:00 2001
-From: Jerome Brunet <jbrunet@baylibre.com>
-Date: Mon, 15 Jun 2020 15:38:44 +0200
-Subject: [PATCH 7/8] arm64: dts: meson-g12b: odroid-n2: enable audio loopback
-
-Add capture pcm interfaces and loopback routes to the odroid-n2
-
-Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
----
- .../boot/dts/amlogic/meson-g12b-odroid-n2.dts | 65 +++++++++++++++++--
- 1 file changed, 61 insertions(+), 4 deletions(-)
-
-diff --git a/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dts b/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dts
-index 169ea283d4ee..d4421ad164bd 100644
---- a/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dts
-+++ b/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dts
-@@ -209,11 +209,28 @@
- 	sound {
- 		compatible = "amlogic,axg-sound-card";
- 		model = "G12B-ODROID-N2";
--		audio-aux-devs = <&tdmout_b>;
-+		audio-aux-devs = <&tdmout_b>, <&tdmin_a>, <&tdmin_b>,
-+				 <&tdmin_c>, <&tdmin_lb>;
- 		audio-routing = "TDMOUT_B IN 0", "FRDDR_A OUT 1",
- 				"TDMOUT_B IN 1", "FRDDR_B OUT 1",
- 				"TDMOUT_B IN 2", "FRDDR_C OUT 1",
--				"TDM_B Playback", "TDMOUT_B OUT";
-+				"TDM_B Playback", "TDMOUT_B OUT",
-+				"TDMIN_A IN 4", "TDM_B Loopback",
-+				"TDMIN_B IN 4", "TDM_B Loopback",
-+				"TDMIN_C IN 4", "TDM_B Loopback",
-+				"TDMIN_LB IN 1", "TDM_B Loopback",
-+				"TODDR_A IN 0", "TDMIN_A OUT",
-+				"TODDR_B IN 0", "TDMIN_A OUT",
-+				"TODDR_C IN 0", "TDMIN_A OUT",
-+				"TODDR_A IN 1", "TDMIN_B OUT",
-+				"TODDR_B IN 1", "TDMIN_B OUT",
-+				"TODDR_C IN 1", "TDMIN_B OUT",
-+				"TODDR_A IN 2", "TDMIN_C OUT",
-+				"TODDR_B IN 2", "TDMIN_C OUT",
-+				"TODDR_C IN 2", "TDMIN_C OUT",
-+				"TODDR_A IN 6", "TDMIN_LB OUT",
-+				"TODDR_B IN 6", "TDMIN_LB OUT",
-+				"TODDR_C IN 6", "TDMIN_LB OUT";
- 
- 		assigned-clocks = <&clkc CLKID_MPLL2>,
- 				  <&clkc CLKID_MPLL0>,
-@@ -236,8 +253,20 @@
- 			sound-dai = <&frddr_c>;
- 		};
- 
--		/* 8ch hdmi interface */
- 		dai-link-3 {
-+			sound-dai = <&toddr_a>;
-+		};
-+
-+		dai-link-4 {
-+			sound-dai = <&toddr_b>;
-+		};
-+
-+		dai-link-5 {
-+			sound-dai = <&toddr_c>;
-+		};
-+
-+		/* 8ch hdmi interface */
-+		dai-link-6 {
- 			sound-dai = <&tdmif_b>;
- 			dai-format = "i2s";
- 			dai-tdm-slot-tx-mask-0 = <1 1>;
-@@ -252,7 +281,7 @@
- 		};
- 
- 		/* hdmi glue */
--		dai-link-4 {
-+		dai-link-7 {
- 			sound-dai = <&tohdmitx TOHDMITX_I2S_OUT>;
- 
- 			codec {
-@@ -476,6 +505,22 @@
- 	status = "okay";
- };
- 
-+&tdmin_a {
-+	status = "okay";
-+};
-+
-+&tdmin_b {
-+	status = "okay";
-+};
-+
-+&tdmin_c {
-+	status = "okay";
-+};
-+
-+&tdmin_lb {
-+	status = "okay";
-+};
-+
- &tdmout_b {
- 	status = "okay";
- };
-@@ -484,6 +529,18 @@
- 	status = "okay";
- };
- 
-+&toddr_a {
-+	status = "okay";
-+};
-+
-+&toddr_b {
-+	status = "okay";
-+};
-+
-+&toddr_c {
-+	status = "okay";
-+};
-+
- &uart_AO {
- 	status = "okay";
- 	pinctrl-0 = <&uart_ao_a_pins>;
--- 
-2.17.1
-
diff --git a/buildroot-external/board/hardkernel/patches/linux/0007-arm64-dts-meson-odroid-n2-add-jack-audio-output-supp.patch b/buildroot-external/board/hardkernel/patches/linux/0007-arm64-dts-meson-odroid-n2-add-jack-audio-output-supp.patch
deleted file mode 100644
index b3f613ef1..000000000
--- a/buildroot-external/board/hardkernel/patches/linux/0007-arm64-dts-meson-odroid-n2-add-jack-audio-output-supp.patch
+++ /dev/null
@@ -1,168 +0,0 @@
-From 978cc250574b7f1ab45f494cc2a094e3c9fd1fa4 Mon Sep 17 00:00:00 2001
-From: Jerome Brunet <jbrunet@baylibre.com>
-Date: Mon, 15 Jun 2020 16:34:37 +0200
-Subject: [PATCH 8/8] arm64: dts: meson: odroid-n2: add jack audio output
- support
-
-Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
----
- .../boot/dts/amlogic/meson-g12b-odroid-n2.dts | 79 +++++++++++++++++--
- 1 file changed, 74 insertions(+), 5 deletions(-)
-
-diff --git a/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dts b/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dts
-index d4421ad164bd..34fffa6d859d 100644
---- a/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dts
-+++ b/arch/arm64/boot/dts/amlogic/meson-g12b-odroid-n2.dts
-@@ -9,6 +9,7 @@
- #include "meson-g12b-s922x.dtsi"
- #include <dt-bindings/input/input.h>
- #include <dt-bindings/gpio/meson-g12a-gpio.h>
-+#include <dt-bindings/sound/meson-g12a-toacodec.h>
- #include <dt-bindings/sound/meson-g12a-tohdmitx.h>
- 
- / {
-@@ -20,6 +21,14 @@
- 		ethernet0 = &ethmac;
- 	};
- 
-+	dioo2133: audio-amplifier-0 {
-+		compatible = "simple-audio-amplifier";
-+		enable-gpios = <&gpio_ao GPIOAO_2 GPIO_ACTIVE_HIGH>;
-+		VCC-supply = <&vcc_5v>;
-+		sound-name-prefix = "U19";
-+		status = "okay";
-+	};
-+
- 	chosen {
- 		stdout-path = "serial0:115200n8";
- 	};
-@@ -209,16 +218,26 @@
- 	sound {
- 		compatible = "amlogic,axg-sound-card";
- 		model = "G12B-ODROID-N2";
--		audio-aux-devs = <&tdmout_b>, <&tdmin_a>, <&tdmin_b>,
--				 <&tdmin_c>, <&tdmin_lb>;
-+		audio-widgets = "Line", "Lineout";
-+		audio-aux-devs = <&tdmout_b>, <&tdmout_c>, <&tdmin_a>,
-+				 <&tdmin_b>, <&tdmin_c>, <&tdmin_lb>,
-+				 <&dioo2133>;
- 		audio-routing = "TDMOUT_B IN 0", "FRDDR_A OUT 1",
- 				"TDMOUT_B IN 1", "FRDDR_B OUT 1",
- 				"TDMOUT_B IN 2", "FRDDR_C OUT 1",
- 				"TDM_B Playback", "TDMOUT_B OUT",
-+				"TDMOUT_C IN 0", "FRDDR_A OUT 2",
-+				"TDMOUT_C IN 1", "FRDDR_B OUT 2",
-+				"TDMOUT_C IN 2", "FRDDR_C OUT 2",
-+				"TDM_C Playback", "TDMOUT_C OUT",
- 				"TDMIN_A IN 4", "TDM_B Loopback",
- 				"TDMIN_B IN 4", "TDM_B Loopback",
- 				"TDMIN_C IN 4", "TDM_B Loopback",
- 				"TDMIN_LB IN 1", "TDM_B Loopback",
-+				"TDMIN_A IN 5", "TDM_C Loopback",
-+				"TDMIN_B IN 5", "TDM_C Loopback",
-+				"TDMIN_C IN 5", "TDM_C Loopback",
-+				"TDMIN_LB IN 2", "TDM_C Loopback",
- 				"TODDR_A IN 0", "TDMIN_A OUT",
- 				"TODDR_B IN 0", "TDMIN_A OUT",
- 				"TODDR_C IN 0", "TDMIN_A OUT",
-@@ -230,7 +249,11 @@
- 				"TODDR_C IN 2", "TDMIN_C OUT",
- 				"TODDR_A IN 6", "TDMIN_LB OUT",
- 				"TODDR_B IN 6", "TDMIN_LB OUT",
--				"TODDR_C IN 6", "TDMIN_LB OUT";
-+				"TODDR_C IN 6", "TDMIN_LB OUT",
-+				"U19 INL", "ACODEC LOLP",
-+				"U19 INR", "ACODEC LORP",
-+				"Lineout", "U19 OUTL",
-+				"Lineout", "U19 OUTR";
- 
- 		assigned-clocks = <&clkc CLKID_MPLL2>,
- 				  <&clkc CLKID_MPLL0>,
-@@ -275,22 +298,56 @@
- 			dai-tdm-slot-tx-mask-3 = <1 1>;
- 			mclk-fs = <256>;
- 
--			codec {
-+			codec-0 {
- 				sound-dai = <&tohdmitx TOHDMITX_I2S_IN_B>;
- 			};
-+
-+			codec-1 {
-+				sound-dai = <&toacodec TOACODEC_IN_B>;
-+			};
- 		};
- 
--		/* hdmi glue */
-+		/* i2s jack output interface */
- 		dai-link-7 {
-+			sound-dai = <&tdmif_c>;
-+			dai-format = "i2s";
-+			dai-tdm-slot-tx-mask-0 = <1 1>;
-+			mclk-fs = <256>;
-+
-+			codec-0 {
-+				sound-dai = <&tohdmitx TOHDMITX_I2S_IN_C>;
-+			};
-+
-+			codec-1 {
-+				sound-dai = <&toacodec TOACODEC_IN_C>;
-+			};
-+		};
-+
-+		/* hdmi glue */
-+		dai-link-8 {
- 			sound-dai = <&tohdmitx TOHDMITX_I2S_OUT>;
- 
- 			codec {
- 				sound-dai = <&hdmi_tx>;
- 			};
- 		};
-+
-+		/* acodec glue */
-+		dai-link-9 {
-+			sound-dai = <&toacodec TOACODEC_OUT>;
-+
-+			codec {
-+				sound-dai = <&acodec>;
-+			};
-+		};
- 	};
- };
- 
-+&acodec {
-+	AVDD-supply = <&vddao_1v8>;
-+	status = "okay";
-+};
-+
- &arb {
- 	status = "okay";
- };
-@@ -505,6 +562,10 @@
- 	status = "okay";
- };
- 
-+&tdmif_c {
-+	status = "okay";
-+};
-+
- &tdmin_a {
- 	status = "okay";
- };
-@@ -525,6 +586,14 @@
- 	status = "okay";
- };
- 
-+&tdmout_c {
-+	status = "okay";
-+};
-+
-+&toacodec {
-+	status = "okay";
-+};
-+
- &tohdmitx {
- 	status = "okay";
- };
--- 
-2.17.1
-
diff --git a/buildroot-external/configs/odroid_c2_defconfig b/buildroot-external/configs/odroid_c2_defconfig
index dd73aed0f..54f15a685 100644
--- a/buildroot-external/configs/odroid_c2_defconfig
+++ b/buildroot-external/configs/odroid_c2_defconfig
@@ -22,7 +22,7 @@ BR2_ROOTFS_POST_IMAGE_SCRIPT="$(BR2_EXTERNAL_HASSOS_PATH)/scripts/post-image.sh"
 BR2_ROOTFS_POST_SCRIPT_ARGS="$(BR2_EXTERNAL_HASSOS_PATH)/board/hardkernel/odroid-c2 $(BR2_EXTERNAL_HASSOS_PATH)/board/hardkernel/odroid-c2/hassos-hook.sh"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.7.19"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.9.1"
 BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
 BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_HASSOS_PATH)/board/hardkernel/kernel-amlogic.config"
 BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="$(BR2_EXTERNAL_HASSOS_PATH)/kernel/hassos.config $(BR2_EXTERNAL_HASSOS_PATH)/kernel/docker.config $(BR2_EXTERNAL_HASSOS_PATH)/kernel/device-support.config"
@@ -89,7 +89,7 @@ BR2_TARGET_UBOOT_BOARD_DEFCONFIG="odroid-c2"
 BR2_TARGET_UBOOT_CONFIG_FRAGMENT_FILES="$(BR2_EXTERNAL_HASSOS_PATH)/bootloader/uboot.config $(BR2_EXTERNAL_HASSOS_PATH)/board/hardkernel/odroid-c2/uboot.config"
 BR2_TARGET_UBOOT_BOOT_SCRIPT=y
 BR2_TARGET_UBOOT_BOOT_SCRIPT_SOURCE="$(BR2_EXTERNAL_HASSOS_PATH)/board/hardkernel/odroid-c2/uboot-boot.ush"
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_7=y
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_4=y
 BR2_PACKAGE_HOST_DOSFSTOOLS=y
 BR2_PACKAGE_HOST_E2FSPROGS=y
 BR2_PACKAGE_HOST_GPTFDISK=y
diff --git a/buildroot-external/configs/odroid_n2_defconfig b/buildroot-external/configs/odroid_n2_defconfig
index 3b1fcecb5..bf50b00dd 100644
--- a/buildroot-external/configs/odroid_n2_defconfig
+++ b/buildroot-external/configs/odroid_n2_defconfig
@@ -22,7 +22,7 @@ BR2_ROOTFS_POST_IMAGE_SCRIPT="$(BR2_EXTERNAL_HASSOS_PATH)/scripts/post-image.sh"
 BR2_ROOTFS_POST_SCRIPT_ARGS="$(BR2_EXTERNAL_HASSOS_PATH)/board/hardkernel/odroid-n2 $(BR2_EXTERNAL_HASSOS_PATH)/board/hardkernel/odroid-n2/hassos-hook.sh"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.7.19"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.9.1"
 BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
 BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="$(BR2_EXTERNAL_HASSOS_PATH)/board/hardkernel/kernel-amlogic.config"
 BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="$(BR2_EXTERNAL_HASSOS_PATH)/kernel/hassos.config $(BR2_EXTERNAL_HASSOS_PATH)/kernel/docker.config $(BR2_EXTERNAL_HASSOS_PATH)/kernel/device-support.config"
@@ -89,7 +89,7 @@ BR2_TARGET_UBOOT_BOARD_DEFCONFIG="odroid-n2"
 BR2_TARGET_UBOOT_CONFIG_FRAGMENT_FILES="$(BR2_EXTERNAL_HASSOS_PATH)/bootloader/uboot.config $(BR2_EXTERNAL_HASSOS_PATH)/board/hardkernel/odroid-n2/uboot.config"
 BR2_TARGET_UBOOT_BOOT_SCRIPT=y
 BR2_TARGET_UBOOT_BOOT_SCRIPT_SOURCE="$(BR2_EXTERNAL_HASSOS_PATH)/board/hardkernel/odroid-n2/uboot-boot.ush"
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_7=y
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_4=y
 BR2_PACKAGE_HOST_DOSFSTOOLS=y
 BR2_PACKAGE_HOST_E2FSPROGS=y
 BR2_PACKAGE_HOST_GPTFDISK=y
diff --git a/buildroot-external/configs/odroid_xu4_defconfig b/buildroot-external/configs/odroid_xu4_defconfig
index ecc84e65e..1a3e27d6b 100644
--- a/buildroot-external/configs/odroid_xu4_defconfig
+++ b/buildroot-external/configs/odroid_xu4_defconfig
@@ -23,7 +23,7 @@ BR2_ROOTFS_POST_IMAGE_SCRIPT="$(BR2_EXTERNAL_HASSOS_PATH)/scripts/post-image.sh"
 BR2_ROOTFS_POST_SCRIPT_ARGS="$(BR2_EXTERNAL_HASSOS_PATH)/board/hardkernel/odroid-xu4 $(BR2_EXTERNAL_HASSOS_PATH)/board/hardkernel/odroid-xu4/hassos-hook.sh"
 BR2_LINUX_KERNEL=y
 BR2_LINUX_KERNEL_CUSTOM_VERSION=y
-BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.7.19"
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.9.1"
 BR2_LINUX_KERNEL_DEFCONFIG="exynos"
 BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="$(BR2_EXTERNAL_HASSOS_PATH)/kernel/hassos.config $(BR2_EXTERNAL_HASSOS_PATH)/kernel/docker.config $(BR2_EXTERNAL_HASSOS_PATH)/kernel/device-support.config"
 BR2_LINUX_KERNEL_LZ4=y
@@ -93,7 +93,7 @@ BR2_TARGET_UBOOT_FORMAT_DTB_BIN=y
 BR2_TARGET_UBOOT_CONFIG_FRAGMENT_FILES="$(BR2_EXTERNAL_HASSOS_PATH)/bootloader/uboot.config $(BR2_EXTERNAL_HASSOS_PATH)/board/hardkernel/odroid-xu4/uboot.config"
 BR2_TARGET_UBOOT_BOOT_SCRIPT=y
 BR2_TARGET_UBOOT_BOOT_SCRIPT_SOURCE="$(BR2_EXTERNAL_HASSOS_PATH)/board/hardkernel/odroid-xu4/uboot-boot.ush"
-BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_7=y
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_4=y
 BR2_PACKAGE_HOST_DOSFSTOOLS=y
 BR2_PACKAGE_HOST_E2FSPROGS=y
 BR2_PACKAGE_HOST_GPTFDISK=y
diff --git a/buildroot-patches/0008-Linux-5.7.patch b/buildroot-patches/0008-Linux-5.7.patch
deleted file mode 100644
index e26780a70..000000000
--- a/buildroot-patches/0008-Linux-5.7.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From e36dc9a2a030204b5b6c6868348878b596f88de3 Mon Sep 17 00:00:00 2001
-From: Pascal Vizeli <pvizeli@syshack.ch>
-Date: Fri, 5 Jun 2020 14:18:26 +0000
-Subject: [PATCH 1/1] Linux 5.7
-
-Signed-off-by: Pascal Vizeli <pvizeli@syshack.ch>
----
- package/linux-headers/Config.in.host               | 4 ++++
- toolchain/Config.in                                | 5 +++++
- .../toolchain-external-custom/Config.in.options    | 4 ++++
- 3 files changed, 13 insertions(+)
-
-diff --git a/package/linux-headers/Config.in.host b/package/linux-headers/Config.in.host
-index 95e85a00..88b9ff99 100644
---- a/package/linux-headers/Config.in.host
-+++ b/package/linux-headers/Config.in.host
-@@ -127,6 +127,10 @@ choice
- 	  If your kernel headers are more recent than the latest version
- 	  in the choice, then select the latest version.
- 
-+config BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_7
-+	bool "5.7.x or later"
-+	select BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_7
-+
- config BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_4
- 	bool "5.4.x or later"
- 	select BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_4
-diff --git a/toolchain/Config.in b/toolchain/Config.in
-index bff57280..c07a92ce 100644
---- a/toolchain/Config.in
-+++ b/toolchain/Config.in
-@@ -470,6 +470,10 @@ config BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_4
- 	select BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_3
- 	select BR2_TOOLCHAIN_HEADERS_LATEST
- 
-+config BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_7
-+	bool
-+	select BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_4
-+
- # This should be selected by the latest version, above, to indicate that
- # Buildroot does not know of more recent headers than the ones selected.
- # This allows using toolchains with headers more recent than Buildroot
-@@ -481,6 +485,7 @@ config BR2_TOOLCHAIN_HEADERS_LATEST
- # stops affecting a value on the first matching default.
- config BR2_TOOLCHAIN_HEADERS_AT_LEAST
- 	string
-+	default "5.7"  if BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_7
- 	default "5.4"  if BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_4
- 	default "5.3"  if BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_3
- 	default "5.2"  if BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_2
-diff --git a/toolchain/toolchain-external/toolchain-external-custom/Config.in.options b/toolchain/toolchain-external/toolchain-external-custom/Config.in.options
-index 8c38dd9f..b49231e1 100644
---- a/toolchain/toolchain-external/toolchain-external-custom/Config.in.options
-+++ b/toolchain/toolchain-external/toolchain-external-custom/Config.in.options
-@@ -115,6 +115,10 @@ choice
- 	  If your toolchain uses headers newer than the latest version
- 	  in the choice, then select the latest version.
- 
-+config BR2_TOOLCHAIN_EXTERNAL_HEADERS_5_7
-+	bool "5.7.x or later"
-+	select BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_7
-+
- config BR2_TOOLCHAIN_EXTERNAL_HEADERS_5_4
- 	bool "5.4.x or later"
- 	select BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_4
--- 
-2.17.1
-
diff --git a/buildroot/package/linux-headers/Config.in.host b/buildroot/package/linux-headers/Config.in.host
index 1b2e2e5bf..7fbd07015 100644
--- a/buildroot/package/linux-headers/Config.in.host
+++ b/buildroot/package/linux-headers/Config.in.host
@@ -127,10 +127,6 @@ choice
 	  If your kernel headers are more recent than the latest version
 	  in the choice, then select the latest version.
 
-config BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_7
-	bool "5.7.x or later"
-	select BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_7
-
 config BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_5_4
 	bool "5.4.x or later"
 	select BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_4
diff --git a/buildroot/toolchain/Config.in b/buildroot/toolchain/Config.in
index c07a92ce5..bff572805 100644
--- a/buildroot/toolchain/Config.in
+++ b/buildroot/toolchain/Config.in
@@ -470,10 +470,6 @@ config BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_4
 	select BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_3
 	select BR2_TOOLCHAIN_HEADERS_LATEST
 
-config BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_7
-	bool
-	select BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_4
-
 # This should be selected by the latest version, above, to indicate that
 # Buildroot does not know of more recent headers than the ones selected.
 # This allows using toolchains with headers more recent than Buildroot
@@ -485,7 +481,6 @@ config BR2_TOOLCHAIN_HEADERS_LATEST
 # stops affecting a value on the first matching default.
 config BR2_TOOLCHAIN_HEADERS_AT_LEAST
 	string
-	default "5.7"  if BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_7
 	default "5.4"  if BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_4
 	default "5.3"  if BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_3
 	default "5.2"  if BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_2
diff --git a/buildroot/toolchain/toolchain-external/toolchain-external-custom/Config.in.options b/buildroot/toolchain/toolchain-external/toolchain-external-custom/Config.in.options
index b49231e16..8c38dd9fc 100644
--- a/buildroot/toolchain/toolchain-external/toolchain-external-custom/Config.in.options
+++ b/buildroot/toolchain/toolchain-external/toolchain-external-custom/Config.in.options
@@ -115,10 +115,6 @@ choice
 	  If your toolchain uses headers newer than the latest version
 	  in the choice, then select the latest version.
 
-config BR2_TOOLCHAIN_EXTERNAL_HEADERS_5_7
-	bool "5.7.x or later"
-	select BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_7
-
 config BR2_TOOLCHAIN_EXTERNAL_HEADERS_5_4
 	bool "5.4.x or later"
 	select BR2_TOOLCHAIN_HEADERS_AT_LEAST_5_4

From fc3b098170970cb860996a8e975eaf28b528d810 Mon Sep 17 00:00:00 2001
From: Stefan Agner <stefan@agner.ch>
Date: Sat, 17 Oct 2020 13:16:08 +0200
Subject: [PATCH 07/12] Fix CDC ACM error recovery path (#712) (#905)

Revert CDC ACM cool-down patch. This should fix the error recovery paths
in the CDC ACM driver and allow CDC ACM devices to continue working even
in the event of USB issues.
---
 ...Revert-cdc-acm-introduce-a-cool-down.patch | 132 ++++++++++++++++++
 1 file changed, 132 insertions(+)
 create mode 100644 buildroot-external/board/hardkernel/patches/linux/0001-Revert-cdc-acm-introduce-a-cool-down.patch

diff --git a/buildroot-external/board/hardkernel/patches/linux/0001-Revert-cdc-acm-introduce-a-cool-down.patch b/buildroot-external/board/hardkernel/patches/linux/0001-Revert-cdc-acm-introduce-a-cool-down.patch
new file mode 100644
index 000000000..8f45af028
--- /dev/null
+++ b/buildroot-external/board/hardkernel/patches/linux/0001-Revert-cdc-acm-introduce-a-cool-down.patch
@@ -0,0 +1,132 @@
+From 5edf98e1fa176a480686ec77a5782b61eb009842 Mon Sep 17 00:00:00 2001
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Thu, 15 Oct 2020 13:58:14 +0200
+Subject: [PATCH] Revert "cdc-acm: introduce a cool down"
+
+This reverts commit a4e7279cd1d19f48f0af2a10ed020febaa9ac092.
+---
+ drivers/usb/class/cdc-acm.c | 30 ++----------------------------
+ drivers/usb/class/cdc-acm.h |  5 +----
+ 2 files changed, 3 insertions(+), 32 deletions(-)
+
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index f1a9043bdfe5..0f47d74c857d 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -410,12 +410,9 @@ static void acm_ctrl_irq(struct urb *urb)
+ 
+ exit:
+ 	retval = usb_submit_urb(urb, GFP_ATOMIC);
+-	if (retval && retval != -EPERM && retval != -ENODEV)
++	if (retval && retval != -EPERM)
+ 		dev_err(&acm->control->dev,
+ 			"%s - usb_submit_urb failed: %d\n", __func__, retval);
+-	else
+-		dev_vdbg(&acm->control->dev,
+-			"control resubmission terminated %d\n", retval);
+ }
+ 
+ static int acm_submit_read_urb(struct acm *acm, int index, gfp_t mem_flags)
+@@ -431,8 +428,6 @@ static int acm_submit_read_urb(struct acm *acm, int index, gfp_t mem_flags)
+ 			dev_err(&acm->data->dev,
+ 				"urb %d failed submission with %d\n",
+ 				index, res);
+-		} else {
+-			dev_vdbg(&acm->data->dev, "intended failure %d\n", res);
+ 		}
+ 		set_bit(index, &acm->read_urbs_free);
+ 		return res;
+@@ -474,7 +469,6 @@ static void acm_read_bulk_callback(struct urb *urb)
+ 	int status = urb->status;
+ 	bool stopped = false;
+ 	bool stalled = false;
+-	bool cooldown = false;
+ 
+ 	dev_vdbg(&acm->data->dev, "got urb %d, len %d, status %d\n",
+ 		rb->index, urb->actual_length, status);
+@@ -501,14 +495,6 @@ static void acm_read_bulk_callback(struct urb *urb)
+ 			__func__, status);
+ 		stopped = true;
+ 		break;
+-	case -EOVERFLOW:
+-	case -EPROTO:
+-		dev_dbg(&acm->data->dev,
+-			"%s - cooling babbling device\n", __func__);
+-		usb_mark_last_busy(acm->dev);
+-		set_bit(rb->index, &acm->urbs_in_error_delay);
+-		cooldown = true;
+-		break;
+ 	default:
+ 		dev_dbg(&acm->data->dev,
+ 			"%s - nonzero urb status received: %d\n",
+@@ -530,11 +516,9 @@ static void acm_read_bulk_callback(struct urb *urb)
+ 	 */
+ 	smp_mb__after_atomic();
+ 
+-	if (stopped || stalled || cooldown) {
++	if (stopped || stalled) {
+ 		if (stalled)
+ 			schedule_work(&acm->work);
+-		else if (cooldown)
+-			schedule_delayed_work(&acm->dwork, HZ / 2);
+ 		return;
+ 	}
+ 
+@@ -581,12 +565,6 @@ static void acm_softint(struct work_struct *work)
+ 		}
+ 	}
+ 
+-	if (test_and_clear_bit(ACM_ERROR_DELAY, &acm->flags)) {
+-		for (i = 0; i < acm->rx_buflimit; i++)
+-			if (test_and_clear_bit(i, &acm->urbs_in_error_delay))
+-					acm_submit_read_urb(acm, i, GFP_NOIO);
+-	}
+-
+ 	if (test_and_clear_bit(EVENT_TTY_WAKEUP, &acm->flags))
+ 		tty_port_tty_wakeup(&acm->port);
+ }
+@@ -1353,7 +1331,6 @@ static int acm_probe(struct usb_interface *intf,
+ 	acm->readsize = readsize;
+ 	acm->rx_buflimit = num_rx_buf;
+ 	INIT_WORK(&acm->work, acm_softint);
+-	INIT_DELAYED_WORK(&acm->dwork, acm_softint);
+ 	init_waitqueue_head(&acm->wioctl);
+ 	spin_lock_init(&acm->write_lock);
+ 	spin_lock_init(&acm->read_lock);
+@@ -1563,7 +1540,6 @@ static void acm_disconnect(struct usb_interface *intf)
+ 
+ 	acm_kill_urbs(acm);
+ 	cancel_work_sync(&acm->work);
+-	cancel_delayed_work_sync(&acm->dwork);
+ 
+ 	tty_unregister_device(acm_tty_driver, acm->minor);
+ 
+@@ -1606,8 +1582,6 @@ static int acm_suspend(struct usb_interface *intf, pm_message_t message)
+ 
+ 	acm_kill_urbs(acm);
+ 	cancel_work_sync(&acm->work);
+-	cancel_delayed_work_sync(&acm->dwork);
+-	acm->urbs_in_error_delay = 0;
+ 
+ 	return 0;
+ }
+diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h
+index cd5e9d8ab237..ca1c026382c2 100644
+--- a/drivers/usb/class/cdc-acm.h
++++ b/drivers/usb/class/cdc-acm.h
+@@ -109,11 +109,8 @@ struct acm {
+ #		define EVENT_TTY_WAKEUP	0
+ #		define EVENT_RX_STALL	1
+ #		define ACM_THROTTLED	2
+-#		define ACM_ERROR_DELAY	3
+-	unsigned long urbs_in_error_delay;		/* these need to be restarted after a delay */
+ 	struct usb_cdc_line_coding line;		/* bits, stop, parity */
+-	struct work_struct work;			/* work queue entry for various purposes*/
+-	struct delayed_work dwork;			/* for cool downs needed in error recovery */
++	struct work_struct work;			/* work queue entry for line discipline waking up */
+ 	unsigned int ctrlin;				/* input control lines (DCD, DSR, RI, break, overruns) */
+ 	unsigned int ctrlout;				/* output control lines (DTR, RTS) */
+ 	struct async_icount iocount;			/* counters for control line changes */
+-- 
+2.25.4
+

From fa242e32d7bed4bb419c6ddb1daf3e1a4f10cf89 Mon Sep 17 00:00:00 2001
From: Pascal Vizeli <pvizeli@syshack.ch>
Date: Sun, 18 Oct 2020 15:08:11 +0200
Subject: [PATCH 08/12] Remove not needed partition magic (#901)

* Update Documentation/partition.md

Co-authored-by: Stefan Agner <stefan@agner.ch>
---
 Documentation/partition.md | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/Documentation/partition.md b/Documentation/partition.md
index b9d53f832..8cc52da13 100644
--- a/Documentation/partition.md
+++ b/Documentation/partition.md
@@ -51,15 +51,7 @@ Log in as `root` to get to the Home Assistant CLI and then enter `login` to cont
 
 Confirm your USB SSD/HD is connected and recognized using `fdisk -l`.
 
-It is recommended to use fdisk to remove the existing partition(s) before proceeding.
-
-- Type `fdisk /dev/XXX` (replacing XXX with your drive)
-- Type `d` to delete a partition.
-- Continue if needed, then write the changes.
-
-Creating a new partition is not necessary.
-
-With the drive now prepared, use the below command (again, replacing XXX with your drive)
+Make sure the drive has no partition named `hassos-data` (or no partition at all). With the drive, use the below command (again, replacing XXX with your drive)
 
 ```sh
 $ datactl move /dev/xxx

From 0495ba25ad7bba5f3c374c2ee97185e698fabb16 Mon Sep 17 00:00:00 2001
From: Pascal Vizeli <pvizeli@syshack.ch>
Date: Tue, 20 Oct 2020 19:08:19 +0200
Subject: [PATCH 09/12] RaspberryPI: Fix issue with correct SYMLINK with ttyAMA
 (#915)

---
 .../udev/rules.d/{99-rpi.rules => 99-com.rules}  | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
 rename buildroot-external/board/raspberrypi/rootfs-overlay/usr/lib/udev/rules.d/{99-rpi.rules => 99-com.rules} (57%)

diff --git a/buildroot-external/board/raspberrypi/rootfs-overlay/usr/lib/udev/rules.d/99-rpi.rules b/buildroot-external/board/raspberrypi/rootfs-overlay/usr/lib/udev/rules.d/99-com.rules
similarity index 57%
rename from buildroot-external/board/raspberrypi/rootfs-overlay/usr/lib/udev/rules.d/99-rpi.rules
rename to buildroot-external/board/raspberrypi/rootfs-overlay/usr/lib/udev/rules.d/99-com.rules
index 65ee59e11..e1dfa79f5 100644
--- a/buildroot-external/board/raspberrypi/rootfs-overlay/usr/lib/udev/rules.d/99-rpi.rules
+++ b/buildroot-external/board/raspberrypi/rootfs-overlay/usr/lib/udev/rules.d/99-com.rules
@@ -1,4 +1,5 @@
-KERNEL=="ttyAMA[01]", ATTR{iomem_base}=="0xFE201000", PROGRAM="/bin/sh -c '\
+
+KERNEL=="ttyAMA0", PROGRAM="/bin/sh -c '\
 	ALIASES=/proc/device-tree/aliases; \
 	if cmp -s $ALIASES/uart0 $ALIASES/serial0; then \
 		echo 0;\
@@ -9,6 +10,19 @@ KERNEL=="ttyAMA[01]", ATTR{iomem_base}=="0xFE201000", PROGRAM="/bin/sh -c '\
 	fi\
 '", SYMLINK+="serial%c"
 
+KERNEL=="ttyAMA1", PROGRAM="/bin/sh -c '\
+	ALIASES=/proc/device-tree/aliases; \
+	if [ -e /dev/ttyAMA0 ]; then \
+		exit 1; \
+	elif cmp -s $ALIASES/uart0 $ALIASES/serial0; then \
+		echo 0;\
+	elif cmp -s $ALIASES/uart0 $ALIASES/serial1; then \
+		echo 1; \
+	else \
+		exit 1; \
+	fi\
+'", SYMLINK+="serial%c"
+
 KERNEL=="ttyS0", PROGRAM="/bin/sh -c '\
 	ALIASES=/proc/device-tree/aliases; \
 	if cmp -s $ALIASES/uart1 $ALIASES/serial0; then \

From 5f0a8fe627dcb540aa31ce80f62409f403504ad5 Mon Sep 17 00:00:00 2001
From: Stefan Agner <stefan@agner.ch>
Date: Tue, 20 Oct 2020 22:39:59 +0200
Subject: [PATCH 10/12] Bump firmware to RPi bluez-firmware 1.2-4+rpt6 release
 (#918)

This addresses recent Bluetooth secruity vulnerabilities.
---
 .../package/bluetooth-bcm43xx/bluetooth-bcm43xx.mk            | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/buildroot-external/package/bluetooth-bcm43xx/bluetooth-bcm43xx.mk b/buildroot-external/package/bluetooth-bcm43xx/bluetooth-bcm43xx.mk
index 684bf8560..5769c1c30 100644
--- a/buildroot-external/package/bluetooth-bcm43xx/bluetooth-bcm43xx.mk
+++ b/buildroot-external/package/bluetooth-bcm43xx/bluetooth-bcm43xx.mk
@@ -11,8 +11,8 @@ BLUETOOTH_BCM43XX_SITE = $(BR2_EXTERNAL_HASSOS_PATH)/package/bluetooth-bcm43xx
 BLUETOOTH_BCM43XX_SITE_METHOD = local
 
 define BLUETOOTH_BCM43XX_BUILD_CMDS
-	curl -L -o $(@D)/BCM43430A1.hcd https://raw.githubusercontent.com/RPi-Distro/bluez-firmware/fff76cb15527c435ce99a9787848eacd6288282c/broadcom/BCM43430A1.hcd
-	curl -L -o $(@D)/BCM4345C0.hcd https://raw.githubusercontent.com/RPi-Distro/bluez-firmware/fff76cb15527c435ce99a9787848eacd6288282c/broadcom/BCM4345C0.hcd
+	curl -L -o $(@D)/BCM43430A1.hcd https://raw.githubusercontent.com/RPi-Distro/bluez-firmware/a4e08822e3f24a6211f6ac94bc98b7ef87700c70/broadcom/BCM43430A1.hcd
+	curl -L -o $(@D)/BCM4345C0.hcd https://raw.githubusercontent.com/RPi-Distro/bluez-firmware/a4e08822e3f24a6211f6ac94bc98b7ef87700c70/broadcom/BCM4345C0.hcd
 	curl -L -o $(@D)/btuart https://raw.githubusercontent.com/RPi-Distro/pi-bluetooth/cbdbcb66bcc5b9af05f1a9fffe2254c872bb0ace/usr/bin/btuart
 	curl -L -o $(@D)/bthelper https://raw.githubusercontent.com/RPi-Distro/pi-bluetooth/cbdbcb66bcc5b9af05f1a9fffe2254c872bb0ace/usr/bin/bthelper
 	curl -L -o $(@D)/90-pi-bluetooth.rules https://raw.githubusercontent.com/RPi-Distro/pi-bluetooth/cbdbcb66bcc5b9af05f1a9fffe2254c872bb0ace/lib/udev/rules.d/90-pi-bluetooth.rules

From fdcb94f0d83991eca837d5cf5606b631e048c4e0 Mon Sep 17 00:00:00 2001
From: Stefan Agner <stefan@agner.ch>
Date: Wed, 21 Oct 2020 20:34:26 +0200
Subject: [PATCH 11/12] Actually fix CDC ACM error recovery path (#712) (#921)

Instead of reverting the CDC ACM cool-down patch fix the intention of
that change. This should fix the error recovery paths in the CDC ACM
driver and allow CDC ACM devices to continue working even in the event
of USB issues.
---
 ...Revert-cdc-acm-introduce-a-cool-down.patch | 132 ------------------
 ...1-usb-cdc-acm-fix-cooldown-mechanism.patch | 124 ++++++++++++++++
 2 files changed, 124 insertions(+), 132 deletions(-)
 delete mode 100644 buildroot-external/board/hardkernel/patches/linux/0001-Revert-cdc-acm-introduce-a-cool-down.patch
 create mode 100644 buildroot-external/board/hardkernel/patches/linux/0001-usb-cdc-acm-fix-cooldown-mechanism.patch

diff --git a/buildroot-external/board/hardkernel/patches/linux/0001-Revert-cdc-acm-introduce-a-cool-down.patch b/buildroot-external/board/hardkernel/patches/linux/0001-Revert-cdc-acm-introduce-a-cool-down.patch
deleted file mode 100644
index 8f45af028..000000000
--- a/buildroot-external/board/hardkernel/patches/linux/0001-Revert-cdc-acm-introduce-a-cool-down.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From 5edf98e1fa176a480686ec77a5782b61eb009842 Mon Sep 17 00:00:00 2001
-From: Jerome Brunet <jbrunet@baylibre.com>
-Date: Thu, 15 Oct 2020 13:58:14 +0200
-Subject: [PATCH] Revert "cdc-acm: introduce a cool down"
-
-This reverts commit a4e7279cd1d19f48f0af2a10ed020febaa9ac092.
----
- drivers/usb/class/cdc-acm.c | 30 ++----------------------------
- drivers/usb/class/cdc-acm.h |  5 +----
- 2 files changed, 3 insertions(+), 32 deletions(-)
-
-diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
-index f1a9043bdfe5..0f47d74c857d 100644
---- a/drivers/usb/class/cdc-acm.c
-+++ b/drivers/usb/class/cdc-acm.c
-@@ -410,12 +410,9 @@ static void acm_ctrl_irq(struct urb *urb)
- 
- exit:
- 	retval = usb_submit_urb(urb, GFP_ATOMIC);
--	if (retval && retval != -EPERM && retval != -ENODEV)
-+	if (retval && retval != -EPERM)
- 		dev_err(&acm->control->dev,
- 			"%s - usb_submit_urb failed: %d\n", __func__, retval);
--	else
--		dev_vdbg(&acm->control->dev,
--			"control resubmission terminated %d\n", retval);
- }
- 
- static int acm_submit_read_urb(struct acm *acm, int index, gfp_t mem_flags)
-@@ -431,8 +428,6 @@ static int acm_submit_read_urb(struct acm *acm, int index, gfp_t mem_flags)
- 			dev_err(&acm->data->dev,
- 				"urb %d failed submission with %d\n",
- 				index, res);
--		} else {
--			dev_vdbg(&acm->data->dev, "intended failure %d\n", res);
- 		}
- 		set_bit(index, &acm->read_urbs_free);
- 		return res;
-@@ -474,7 +469,6 @@ static void acm_read_bulk_callback(struct urb *urb)
- 	int status = urb->status;
- 	bool stopped = false;
- 	bool stalled = false;
--	bool cooldown = false;
- 
- 	dev_vdbg(&acm->data->dev, "got urb %d, len %d, status %d\n",
- 		rb->index, urb->actual_length, status);
-@@ -501,14 +495,6 @@ static void acm_read_bulk_callback(struct urb *urb)
- 			__func__, status);
- 		stopped = true;
- 		break;
--	case -EOVERFLOW:
--	case -EPROTO:
--		dev_dbg(&acm->data->dev,
--			"%s - cooling babbling device\n", __func__);
--		usb_mark_last_busy(acm->dev);
--		set_bit(rb->index, &acm->urbs_in_error_delay);
--		cooldown = true;
--		break;
- 	default:
- 		dev_dbg(&acm->data->dev,
- 			"%s - nonzero urb status received: %d\n",
-@@ -530,11 +516,9 @@ static void acm_read_bulk_callback(struct urb *urb)
- 	 */
- 	smp_mb__after_atomic();
- 
--	if (stopped || stalled || cooldown) {
-+	if (stopped || stalled) {
- 		if (stalled)
- 			schedule_work(&acm->work);
--		else if (cooldown)
--			schedule_delayed_work(&acm->dwork, HZ / 2);
- 		return;
- 	}
- 
-@@ -581,12 +565,6 @@ static void acm_softint(struct work_struct *work)
- 		}
- 	}
- 
--	if (test_and_clear_bit(ACM_ERROR_DELAY, &acm->flags)) {
--		for (i = 0; i < acm->rx_buflimit; i++)
--			if (test_and_clear_bit(i, &acm->urbs_in_error_delay))
--					acm_submit_read_urb(acm, i, GFP_NOIO);
--	}
--
- 	if (test_and_clear_bit(EVENT_TTY_WAKEUP, &acm->flags))
- 		tty_port_tty_wakeup(&acm->port);
- }
-@@ -1353,7 +1331,6 @@ static int acm_probe(struct usb_interface *intf,
- 	acm->readsize = readsize;
- 	acm->rx_buflimit = num_rx_buf;
- 	INIT_WORK(&acm->work, acm_softint);
--	INIT_DELAYED_WORK(&acm->dwork, acm_softint);
- 	init_waitqueue_head(&acm->wioctl);
- 	spin_lock_init(&acm->write_lock);
- 	spin_lock_init(&acm->read_lock);
-@@ -1563,7 +1540,6 @@ static void acm_disconnect(struct usb_interface *intf)
- 
- 	acm_kill_urbs(acm);
- 	cancel_work_sync(&acm->work);
--	cancel_delayed_work_sync(&acm->dwork);
- 
- 	tty_unregister_device(acm_tty_driver, acm->minor);
- 
-@@ -1606,8 +1582,6 @@ static int acm_suspend(struct usb_interface *intf, pm_message_t message)
- 
- 	acm_kill_urbs(acm);
- 	cancel_work_sync(&acm->work);
--	cancel_delayed_work_sync(&acm->dwork);
--	acm->urbs_in_error_delay = 0;
- 
- 	return 0;
- }
-diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h
-index cd5e9d8ab237..ca1c026382c2 100644
---- a/drivers/usb/class/cdc-acm.h
-+++ b/drivers/usb/class/cdc-acm.h
-@@ -109,11 +109,8 @@ struct acm {
- #		define EVENT_TTY_WAKEUP	0
- #		define EVENT_RX_STALL	1
- #		define ACM_THROTTLED	2
--#		define ACM_ERROR_DELAY	3
--	unsigned long urbs_in_error_delay;		/* these need to be restarted after a delay */
- 	struct usb_cdc_line_coding line;		/* bits, stop, parity */
--	struct work_struct work;			/* work queue entry for various purposes*/
--	struct delayed_work dwork;			/* for cool downs needed in error recovery */
-+	struct work_struct work;			/* work queue entry for line discipline waking up */
- 	unsigned int ctrlin;				/* input control lines (DCD, DSR, RI, break, overruns) */
- 	unsigned int ctrlout;				/* output control lines (DTR, RTS) */
- 	struct async_icount iocount;			/* counters for control line changes */
--- 
-2.25.4
-
diff --git a/buildroot-external/board/hardkernel/patches/linux/0001-usb-cdc-acm-fix-cooldown-mechanism.patch b/buildroot-external/board/hardkernel/patches/linux/0001-usb-cdc-acm-fix-cooldown-mechanism.patch
new file mode 100644
index 000000000..af192c5c1
--- /dev/null
+++ b/buildroot-external/board/hardkernel/patches/linux/0001-usb-cdc-acm-fix-cooldown-mechanism.patch
@@ -0,0 +1,124 @@
+From f6fce2e974fe091fd233301bd7c127ca18304039 Mon Sep 17 00:00:00 2001
+Message-Id: <f6fce2e974fe091fd233301bd7c127ca18304039.1603303549.git.stefan@agner.ch>
+From: Jerome Brunet <jbrunet@baylibre.com>
+Date: Mon, 19 Oct 2020 19:07:02 +0200
+Subject: [PATCH] usb: cdc-acm: fix cooldown mechanism
+
+Commit a4e7279cd1d1 ("cdc-acm: introduce a cool down") is causing
+regression if there is some USB error, such as -EPROTO.
+
+This has been reported on some samples of the Odroid-N2 using the Combee II
+Zibgee USB dongle.
+
+> struct acm *acm = container_of(work, struct acm, work)
+
+is incorrect in case of a delayed work and causes warnings, usually from
+the workqueue:
+
+> WARNING: CPU: 0 PID: 0 at kernel/workqueue.c:1474 __queue_work+0x480/0x528.
+
+When this happens, USB eventually stops working completely after a while.
+Also the ACM_ERROR_DELAY bit is never set, so the cooldown mechanism
+previously introduced cannot be triggered and acm_submit_read_urb() is
+never called.
+
+This changes makes the cdc-acm driver use a single delayed work, fixing the
+pointer arithmetic in acm_softint() and set the ACM_ERROR_DELAY when the
+cooldown mechanism appear to be needed.
+
+Fixes: a4e7279cd1d1 ("cdc-acm: introduce a cool down")
+Reported-by: Pascal Vizeli <pascal.vizeli@nabucasa.com>
+Cc: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
+---
+ drivers/usb/class/cdc-acm.c | 12 +++++-------
+ drivers/usb/class/cdc-acm.h |  3 +--
+ 2 files changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
+index 7f6f3ab5b8a6..8f087499196a 100644
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -507,6 +507,7 @@ static void acm_read_bulk_callback(struct urb *urb)
+ 			"%s - cooling babbling device\n", __func__);
+ 		usb_mark_last_busy(acm->dev);
+ 		set_bit(rb->index, &acm->urbs_in_error_delay);
++		set_bit(ACM_ERROR_DELAY, &acm->flags);
+ 		cooldown = true;
+ 		break;
+ 	default:
+@@ -532,7 +533,7 @@ static void acm_read_bulk_callback(struct urb *urb)
+ 
+ 	if (stopped || stalled || cooldown) {
+ 		if (stalled)
+-			schedule_work(&acm->work);
++			schedule_delayed_work(&acm->dwork, 0);
+ 		else if (cooldown)
+ 			schedule_delayed_work(&acm->dwork, HZ / 2);
+ 		return;
+@@ -562,13 +563,13 @@ static void acm_write_bulk(struct urb *urb)
+ 	acm_write_done(acm, wb);
+ 	spin_unlock_irqrestore(&acm->write_lock, flags);
+ 	set_bit(EVENT_TTY_WAKEUP, &acm->flags);
+-	schedule_work(&acm->work);
++	schedule_delayed_work(&acm->dwork, 0);
+ }
+ 
+ static void acm_softint(struct work_struct *work)
+ {
+ 	int i;
+-	struct acm *acm = container_of(work, struct acm, work);
++	struct acm *acm = container_of(work, struct acm, dwork.work);
+ 
+ 	if (test_bit(EVENT_RX_STALL, &acm->flags)) {
+ 		smp_mb(); /* against acm_suspend() */
+@@ -584,7 +585,7 @@ static void acm_softint(struct work_struct *work)
+ 	if (test_and_clear_bit(ACM_ERROR_DELAY, &acm->flags)) {
+ 		for (i = 0; i < acm->rx_buflimit; i++)
+ 			if (test_and_clear_bit(i, &acm->urbs_in_error_delay))
+-					acm_submit_read_urb(acm, i, GFP_NOIO);
++				acm_submit_read_urb(acm, i, GFP_KERNEL);
+ 	}
+ 
+ 	if (test_and_clear_bit(EVENT_TTY_WAKEUP, &acm->flags))
+@@ -1352,7 +1353,6 @@ static int acm_probe(struct usb_interface *intf,
+ 	acm->ctrlsize = ctrlsize;
+ 	acm->readsize = readsize;
+ 	acm->rx_buflimit = num_rx_buf;
+-	INIT_WORK(&acm->work, acm_softint);
+ 	INIT_DELAYED_WORK(&acm->dwork, acm_softint);
+ 	init_waitqueue_head(&acm->wioctl);
+ 	spin_lock_init(&acm->write_lock);
+@@ -1562,7 +1562,6 @@ static void acm_disconnect(struct usb_interface *intf)
+ 	}
+ 
+ 	acm_kill_urbs(acm);
+-	cancel_work_sync(&acm->work);
+ 	cancel_delayed_work_sync(&acm->dwork);
+ 
+ 	tty_unregister_device(acm_tty_driver, acm->minor);
+@@ -1605,7 +1604,6 @@ static int acm_suspend(struct usb_interface *intf, pm_message_t message)
+ 		return 0;
+ 
+ 	acm_kill_urbs(acm);
+-	cancel_work_sync(&acm->work);
+ 	cancel_delayed_work_sync(&acm->dwork);
+ 	acm->urbs_in_error_delay = 0;
+ 
+diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h
+index cd5e9d8ab237..b95ff769072e 100644
+--- a/drivers/usb/class/cdc-acm.h
++++ b/drivers/usb/class/cdc-acm.h
+@@ -112,8 +112,7 @@ struct acm {
+ #		define ACM_ERROR_DELAY	3
+ 	unsigned long urbs_in_error_delay;		/* these need to be restarted after a delay */
+ 	struct usb_cdc_line_coding line;		/* bits, stop, parity */
+-	struct work_struct work;			/* work queue entry for various purposes*/
+-	struct delayed_work dwork;			/* for cool downs needed in error recovery */
++	struct delayed_work dwork;		        /* work queue entry for various purposes */
+ 	unsigned int ctrlin;				/* input control lines (DCD, DSR, RI, break, overruns) */
+ 	unsigned int ctrlout;				/* output control lines (DTR, RTS) */
+ 	struct async_icount iocount;			/* counters for control line changes */
+-- 
+2.28.0
+

From dcfb296dcf2881275f7cba54aac24726ac906cff Mon Sep 17 00:00:00 2001
From: Pascal Vizeli <pvizeli@syshack.ch>
Date: Thu, 22 Oct 2020 17:05:36 +0200
Subject: [PATCH 12/12] Update buildroot to 2020.02.7 (#923)

Signed-off-by: Pascal Vizeli <pvizeli@syshack.ch>
---
 buildroot/.gitlab-ci.yml                      |   42 +-
 buildroot/.gitlab-ci.yml.in                   |   42 +-
 buildroot/CHANGES                             |   91 +
 buildroot/DEVELOPERS                          |   15 +-
 buildroot/Makefile                            |   36 +-
 buildroot/boot/at91bootstrap3/Config.in       |    2 +-
 buildroot/boot/barebox/barebox.mk             |   26 +-
 ...lexer-fatal-errors-actually-be-fatal.patch |   73 +
 ...e-arithmetic-primitives-that-check-f.patch |  128 ++
 ...-we-always-have-an-overflow-checking.patch |  246 +++
 ...005-calloc-Use-calloc-at-most-places.patch | 1840 +++++++++++++++++
 ...low-checking-primitives-where-we-do-.patch | 1326 ++++++++++++
 ...on-t-leak-memory-on-realloc-failures.patch |   72 +
 ...-not-load-more-than-one-NAME-section.patch |   41 +
 ...fxmenu-Fix-double-free-in-load_image.patch |   39 +
 ...ree-in-grub_xnu_devprop_add_property.patch |   58 +
 ...sure-we-don-t-dereference-past-array.patch |   55 +
 ...012-term-Fix-overflow-on-user-inputs.patch |   69 +
 .../boot/grub2/0013-udf-Fix-memory-leak.patch |   59 +
 ...emory-leak-if-grub_create_loader_cmd.patch |   38 +
 .../0015-tftp-Do-not-use-priority-queue.patch |  283 +++
 ...t-grub_relocator_alloc_chunk_addr-in.patch |  153 ++
 ...t-grub_relocator_alloc_chunk_align-m.patch |  341 +++
 ...used-fields-from-grub_script_functio.patch |   37 +
 ...se-after-free-when-redefining-a-func.patch |  113 +
 ...ub_relocator_alloc_chunk_align-top-m.patch |   49 +
 .../0021-hfsplus-Fix-two-more-overflows.patch |   61 +
 ...-potential-data-dependent-alloc-over.patch |  116 ++
 .../0023-emu-Make-grub_free-NULL-safe.patch   |   38 +
 ...formed-device-path-arithmetic-errors.patch |  239 +++
 ...Propagate-errors-from-copy_file_path.patch |   78 +
 ...x-use-after-free-in-halt-reboot-path.patch |  183 ++
 ...id-overflow-on-initrd-size-calculati.patch |   32 +
 ...er-overflows-in-initrd-size-handling.patch |  173 ++
 buildroot/boot/grub2/grub2.mk                 |   11 +
 buildroot/boot/uboot/uboot.mk                 |    5 +-
 .../docs/manual/adding-board-support.txt      |   18 +-
 .../docs/manual/adding-packages-cargo.txt     |   41 +-
 buildroot/docs/manual/adding-packages-waf.txt |    2 +-
 buildroot/docs/manual/contribute.txt          |   31 +
 buildroot/docs/manual/manual.html             |   86 +-
 buildroot/docs/manual/manual.pdf              |  Bin 565242 -> 567183 bytes
 buildroot/docs/manual/manual.text             |   93 +-
 buildroot/fs/cpio/init                        |   11 +
 buildroot/linux/Config.in                     |   10 +-
 buildroot/linux/linux.hash                    |   14 +-
 buildroot/linux/linux.mk                      |    6 +-
 buildroot/package/alsa-utils/alsa-utils.mk    |    4 +-
 buildroot/package/apache/apache.hash          |    5 +-
 buildroot/package/apache/apache.mk            |    2 +-
 buildroot/package/avahi/avahi.mk              |    1 +
 .../package/bandwidthd/bandwidthd.service     |    2 +-
 buildroot/package/bash/0017-bash50-017.patch  |  293 +++
 buildroot/package/bash/0018-bash50-018.patch  |   49 +
 ...ut.h-add-missing-include-on-stdio.h.patch} |    0
 ...20-locale.c-fix-build-without-wchar.patch} |    0
 buildroot/package/bind/bind.hash              |    4 +-
 buildroot/package/bind/bind.mk                |    2 +-
 buildroot/package/bison/bison.mk              |    1 +
 buildroot/package/boost/boost.mk              |    1 +
 ...g-BUILD_SHARED_LIBS-to-choose-static.patch |   92 +-
 ...time-linker-path-to-pkg-config-files.patch |   51 +
 buildroot/package/brotli/brotli.hash          |    2 +-
 buildroot/package/brotli/brotli.mk            |    2 +-
 buildroot/package/busybox/busybox.mk          |   13 +
 buildroot/package/busybox/udhcpc.script       |    6 +-
 buildroot/package/capnproto/capnproto.mk      |    7 +
 buildroot/package/chrony/chrony.hash          |    7 +-
 buildroot/package/chrony/chrony.mk            |    2 +-
 ...-installing-mount.smb3-and-optionall.patch |   41 +
 buildroot/package/cifs-utils/cifs-utils.hash  |    4 +-
 buildroot/package/cifs-utils/cifs-utils.mk    |    7 +-
 buildroot/package/collectd/Config.in          |    1 -
 buildroot/package/cpio/0001-Minor-fix.patch   |   30 +
 ...d-support-for-upcoming-json-c-0.14.0.patch |  179 ++
 ...name-clash-with-newer-json-c-library.patch |  512 +++++
 ...move-man-from-BUILDDIRS-in-configure.patch |    8 +-
 .../cups/0002-Do-not-use-genstrings.patch     |   14 +-
 ...0004-Remove-PIE-flags-from-the-build.patch |    8 +-
 buildroot/package/cups/70-usb-printers.rules  |    3 +
 buildroot/package/cups/S81cupsd               |   48 +
 buildroot/package/cups/cups.hash              |    2 +-
 buildroot/package/cups/cups.mk                |   29 +-
 buildroot/package/cvs/cvs.mk                  |    4 +-
 buildroot/package/dbus/dbus.mk                |    1 +
 buildroot/package/dhcpcd/dhcpcd.service       |    2 +-
 buildroot/package/dhcpdump/dhcpdump.mk        |    2 +-
 buildroot/package/docker-cli/docker-cli.hash  |    2 +-
 buildroot/package/docker-cli/docker-cli.mk    |    6 +-
 buildroot/package/docker-engine/Config.in     |    1 +
 .../package/docker-engine/docker-engine.hash  |    2 +-
 .../package/docker-engine/docker-engine.mk    |    2 +-
 buildroot/package/domoticz/Config.in          |    8 +-
 .../dovecot-pigeonhole.hash                   |    4 +-
 .../dovecot-pigeonhole/dovecot-pigeonhole.mk  |    2 +-
 buildroot/package/dovecot/dovecot.hash        |    2 +-
 buildroot/package/dovecot/dovecot.mk          |    2 +-
 ...-scp-Port-OpenSSH-CVE-2018-20685-fix.patch |   24 +
 .../package/ecryptfs-utils/ecryptfs-utils.mk  |    1 +
 buildroot/package/efl/Config.in               |   17 +-
 buildroot/package/elixir/elixir.mk            |    2 +-
 .../0002-fsck.f2fs-correct-return-value.patch |  195 ++
 buildroot/package/fail2ban/fail2ban.mk        |    7 +
 buildroot/package/ffmpeg/ffmpeg.hash          |    2 +-
 buildroot/package/ffmpeg/ffmpeg.mk            |    2 +-
 buildroot/package/freetype/freetype.mk        |   23 +-
 buildroot/package/gcc/gcc.mk                  |   15 +
 ...-pointer-dereference-in-gdImageClone.patch |   44 +
 ...f-Bounds-Write-on-Heap-CVE-2019-6977.patch |   39 +
 buildroot/package/gd/gd.mk                    |   13 +
 buildroot/package/gdb/gdb.mk                  |    3 +-
 buildroot/package/gdk-pixbuf/gdk-pixbuf.hash  |    6 +-
 buildroot/package/gdk-pixbuf/gdk-pixbuf.mk    |    2 +-
 .../0001-Fix-cross-compilation-issue.patch    |   36 -
 .../package/ghostscript/ghostscript.hash      |    6 +-
 buildroot/package/ghostscript/ghostscript.mk  |    8 +-
 .../glibc.hash                                |    2 +-
 buildroot/package/glibc/glibc.mk              |    2 +-
 buildroot/package/gnutls/gnutls.hash          |    4 +-
 buildroot/package/gnutls/gnutls.mk            |    2 +-
 buildroot/package/go/go.hash                  |    2 +-
 buildroot/package/go/go.mk                    |    2 +-
 ...l-a-libtool-file-with-static-library.patch |   67 +
 buildroot/package/graphite2/Config.in         |    7 +-
 buildroot/package/graphite2/graphite2.hash    |    6 +-
 buildroot/package/graphite2/graphite2.mk      |    5 +-
 ...son-allow-the-user-to-disable-opencv.patch |   31 +
 .../gst1-plugins-base/gst1-plugins-base.mk    |   11 +-
 .../gst1-plugins-ugly/gst1-plugins-ugly.mk    |    2 +-
 buildroot/package/hostapd/hostapd.hash        |    3 +
 buildroot/package/hostapd/hostapd.mk          |    7 +
 .../package/imagemagick/imagemagick.hash      |    4 +-
 buildroot/package/imagemagick/imagemagick.mk  |    5 +-
 ...-Fix-buffer-overflow-vulnerabilities.patch |  132 ++
 ...uffer-overflow-in-ipmi_spd_print_fru.patch |   52 +
 ...er-overflow-in-ipmi_get_session_info.patch |   52 +
 .../0011-channel-Fix-buffer-overflow.patch    |   46 +
 ...er-overflows-in-get_lan_param_select.patch |   92 +
 ...u-sdr-Fix-id_string-buffer-overflows.patch |  141 ++
 buildroot/package/ipmitool/ipmitool.mk        |    8 +
 buildroot/package/iputils/iputils.mk          |    7 +-
 buildroot/package/janus-gateway/Config.in     |    6 +-
 ...001-verify-data-range-CVE-2018-19541.patch |   35 -
 ...ck-null-in-jp2_decode-CVE-2018-19542.patch |   24 -
 .../0003-test-asclen-CVE-2018-19540.patch     |   29 -
 buildroot/package/jasper/jasper.hash          |    2 +-
 buildroot/package/jasper/jasper.mk            |    4 +-
 buildroot/package/json-c/json-c.hash          |    4 +-
 buildroot/package/json-c/json-c.mk            |   14 +-
 ...ix-build-with-disabled-proxy-support.patch |   50 -
 ...ix-build-with-disabled-proxy-support.patch |  159 --
 buildroot/package/libcurl/libcurl.hash        |    4 +-
 buildroot/package/libcurl/libcurl.mk          |    2 +-
 buildroot/package/libeXosip2/Config.in        |    4 +-
 ...001-htp.pc.in-add-lz-to-Libs.private.patch |   29 -
 buildroot/package/libhtp/libhtp.hash          |    2 +-
 buildroot/package/libhtp/libhtp.mk            |    2 +-
 buildroot/package/libraw/libraw.hash          |    8 +-
 buildroot/package/libraw/libraw.mk            |   13 +-
 .../0001-libssh.h-bump-to-version-0.9.4.patch |   29 -
 ...eturning-SSH_AGAIN-from-ssh_channel_.patch |   45 -
 buildroot/package/libssh/libssh.hash          |    4 +-
 buildroot/package/libssh/libssh.mk            |    2 +-
 buildroot/package/libwebsockets/Config.in     |    1 -
 .../libxml-parser-perl/libxml-parser-perl.mk  |    9 +-
 ...of-bounds-read-with-xmllint--htmlout.patch |   40 +
 buildroot/package/libxml2/libxml2.mk          |    2 +
 .../package/linux-headers/Config.in.host      |   10 +-
 buildroot/package/live555/live555.hash        |    4 +-
 buildroot/package/live555/live555.mk          |    8 +-
 buildroot/package/localedef/localedef.mk      |    1 +
 buildroot/package/lua/5.1.5/lua.hash          |    6 +
 .../lua/5.3.5/0003-fix-revision-number.patch  |   31 -
 .../lua/{5.3.5 => 5.3.6}/0001-root-path.patch |    0
 .../0002-shared-libs-for-lua.patch            |    0
 .../0003-linenoise.patch}                     |    0
 buildroot/package/lua/5.3.6/lua.hash          |    6 +
 buildroot/package/lua/lua.hash                |    8 -
 buildroot/package/lua/lua.mk                  |    2 +-
 buildroot/package/mbedtls/mbedtls.hash        |    3 +-
 buildroot/package/mbedtls/mbedtls.mk          |    4 +-
 ...nfigure-Fix-cross-compilation-errors.patch |  142 --
 ...onfigure-Simplify-pointer-size-check.patch |   76 -
 buildroot/package/memcached/memcached.hash    |    8 +-
 buildroot/package/memcached/memcached.mk      |    5 +-
 buildroot/package/mesa3d/Config.in            |    9 +-
 buildroot/package/meson/meson.mk              |    6 +
 .../minidlna/0001-fix-build-with-gcc-10.patch |   49 +
 ...x-CallStranger-a.k.a.-CVE-2020-12695.patch |  133 ++
 buildroot/package/minidlna/minidlnad.service  |    2 +-
 buildroot/package/mosquitto/mosquitto.hash    |    4 +-
 buildroot/package/mosquitto/mosquitto.mk      |    5 +-
 buildroot/package/mpv/Config.in               |    4 +-
 buildroot/package/mpv/mpv.mk                  |    4 +
 buildroot/package/nginx/nginx.service         |    2 +-
 buildroot/package/nodejs/nodejs.hash          |    6 +-
 buildroot/package/nodejs/nodejs.mk            |   10 +-
 buildroot/package/nss-pam-ldapd/nslcd.service |    2 +-
 .../package/nvidia-driver/nvidia-driver.mk    |    4 +-
 ...0001-Fix-build-of-grfmt_jpeg2000-cpp.patch |   37 +
 ...0001-Fix-build-of-grfmt_jpeg2000-cpp.patch |   37 +
 ...on-input-directory-with-mix-of-valid.patch |   43 +
 buildroot/package/openjpeg/openjpeg.mk        |    3 +
 .../package/openvmtools/vmtoolsd.service      |    4 +-
 buildroot/package/paho-mqtt-c/Config.in       |    5 +-
 .../package/paho-mqtt-c/paho-mqtt-c.hash      |    2 +-
 buildroot/package/paho-mqtt-c/paho-mqtt-c.mk  |   16 +-
 ...ke-the-rpath-relative-under-a-specif.patch |   16 +-
 buildroot/package/perl/perl.hash              |   12 +-
 buildroot/package/perl/perl.mk                |    4 +-
 .../0002-iconv-tweak-iconv-detection.patch    |    4 +-
 ...0003-configure-disable-the-phar-tool.patch |    4 +-
 buildroot/package/php/php.hash                |    2 +-
 buildroot/package/php/php.mk                  |    2 +-
 buildroot/package/pkg-kconfig.mk              |   11 +-
 buildroot/package/pkg-meson.mk                |    4 +-
 buildroot/package/pkg-utils.mk                |   31 +-
 buildroot/package/postgresql/pg_config        |    8 +-
 buildroot/package/postgresql/postgresql.hash  |   10 +-
 buildroot/package/postgresql/postgresql.mk    |    3 +-
 .../package/postgresql/postgresql.service     |    1 -
 .../package/python-aenum/python-aenum.mk      |    9 +
 .../python-autobahn/python-autobahn.mk        |   11 +
 buildroot/package/python-cycler/Config.in     |    1 -
 .../package/python-django/python-django.hash  |    4 +-
 .../package/python-django/python-django.mk    |    4 +-
 .../python-engineio/python-engineio.mk        |   10 +
 buildroot/package/python-fire/python-fire.mk  |    9 +
 buildroot/package/python-gunicorn/Config.in   |    1 +
 ...st-11983-from-anntzer-builddepchecks.patch |  170 ++
 .../python-pymodbus/python-pymodbus.mk        |    9 +
 .../0001-Small-Python-2-fix.patch             |   26 +
 .../package/python-semver/python-semver.hash  |    6 +-
 .../package/python-semver/python-semver.mk    |    4 +-
 .../python-sentry-sdk/python-sentry-sdk.mk    |   10 +
 .../python-socketio/python-socketio.mk        |   10 +
 .../python-texttable/python-texttable.hash    |    6 +-
 .../python-texttable/python-texttable.mk      |    4 +-
 buildroot/package/python-tinyrpc/Config.in    |    1 +
 .../python-txtorcon/python-txtorcon.mk        |    9 +
 buildroot/package/python/python.mk            |    7 +-
 buildroot/package/python3/python3.hash        |    8 +-
 buildroot/package/python3/python3.mk          |    9 +-
 buildroot/package/qt5/qt5base/qt5base.mk      |    3 +
 buildroot/package/ripgrep/ripgrep.mk          |   11 +-
 buildroot/package/rtl8188eu/rtl8188eu.hash    |    2 +-
 buildroot/package/rtl8188eu/rtl8188eu.mk      |    2 +-
 ...-fallthrough-comments-for-kernel-5.3.patch |    7 +-
 ...river-crashes-from-aircrack-ng-rtl88.patch |    5 +-
 ...f-for-extending-string-which-causes-.patch |  339 +++
 buildroot/package/ruby/ruby.hash              |    4 +-
 buildroot/package/ruby/ruby.mk                |    2 +-
 buildroot/package/runc/runc.hash              |    2 +-
 buildroot/package/runc/runc.mk                |    2 +-
 ...01-libreplace-disable-libbsd-support.patch |    4 +-
 ...uilt-heimdal-build-tools-in-case-of-.patch |    5 +-
 buildroot/package/samba4/samba4.hash          |    4 +-
 buildroot/package/samba4/samba4.mk            |    2 +-
 .../shadowsocks-libev/shadowsocks-libev.hash  |    8 +-
 .../shadowsocks-libev/shadowsocks-libev.mk    |    2 +-
 buildroot/package/squid/squid.hash            |    8 +-
 buildroot/package/squid/squid.mk              |    2 +-
 buildroot/package/strace/strace.mk            |   10 +-
 ...Lists.txt-compile-squirrel-with-fPIC.patch |   35 +
 buildroot/package/suricata/suricata.hash      |    2 +-
 buildroot/package/suricata/suricata.mk        |    2 +-
 ...-Fix-build-with-libmicrohttpd-0.9.71.patch |   71 -
 ...add-missing-header-for-GRND_NONBLOCK.patch |   39 -
 buildroot/package/systemd/systemd.hash        |    2 +-
 buildroot/package/systemd/systemd.mk          |    4 +-
 buildroot/package/tovid/Config.in             |    6 +-
 buildroot/package/tpm2-abrmd/tpm2-abrmd.hash  |    4 +-
 buildroot/package/tpm2-abrmd/tpm2-abrmd.mk    |    2 +-
 buildroot/package/tpm2-tools/tpm2-tools.hash  |    4 +-
 buildroot/package/tpm2-tools/tpm2-tools.mk    |    2 +-
 ...-security-issues-that-are-present-if.patch |   90 +
 buildroot/package/trousers/trousers.mk        |    3 +
 buildroot/package/uacme/Config.in             |   21 +-
 buildroot/package/uacme/uacme.hash            |    4 +-
 buildroot/package/uacme/uacme.mk              |   15 +-
 buildroot/package/uclibc/uclibc.mk            |    5 +
 .../package/usb_modeswitch/usb_modeswitch.mk  |    3 +-
 buildroot/package/vlc/vlc.mk                  |    3 +
 ...419.patch => 0002-fix-CVE-2015-1419.patch} |    0
 ...003-Prevent-hang-in-SIGCHLD-handler.patch} |    0
 .../wayland-protocols/wayland-protocols.mk    |    2 +-
 buildroot/package/webkitgtk/webkitgtk.hash    |    8 +-
 buildroot/package/webkitgtk/webkitgtk.mk      |    2 +-
 .../wireguard-linux-compat.hash               |    4 +-
 .../wireguard-linux-compat.mk                 |    2 +-
 buildroot/package/wireshark/wireshark.hash    |    6 +-
 buildroot/package/wireshark/wireshark.mk      |    2 +-
 ...-available-for-big-and-little-endian.patch |   32 +
 buildroot/package/wolfssl/wolfssl.hash        |    6 +-
 buildroot/package/wolfssl/wolfssl.mk          |    6 +-
 .../package/wpa_supplicant/wpa_supplicant.mk  |    2 +-
 buildroot/package/wpewebkit/wpewebkit.hash    |    8 +-
 buildroot/package/wpewebkit/wpewebkit.mk      |    2 +-
 .../x11r7/xlib_libX11/xlib_libX11.hash        |   11 +-
 .../package/x11r7/xlib_libX11/xlib_libX11.mk  |    2 +-
 ...ure.ac-Fix-check-for-CLOCK_MONOTONIC.patch |   66 -
 .../0001-modesettings-needs-dri2.patch        |    2 +-
 ...02-Remove-check-for-useSIGIO-option.patch} |    2 +-
 ...003-include-misc.h-fix-uClibc-build.patch} |    0
 ...d-Makefile.am-fix-build-without-glx.patch} |    0
 ...on-xf86Init.c-fix-build-without-glx.patch} |    4 +-
 ...probing-a-non-PCI-platform-device-on.patch |   33 +
 .../x11r7/xserver_xorg-server/Config.in       |    4 +-
 .../xserver_xorg-server.hash                  |   14 +-
 buildroot/package/xen/xen.hash                |    1 +
 buildroot/package/xen/xen.mk                  |    2 +
 ...guage.patch => 0001-only-c-language.patch} |    0
 ...4-add-latomic-to-PKGCFG_LIBS_PRIVATE.patch |   36 -
 buildroot/package/zeromq/zeromq.hash          |   10 +-
 buildroot/package/zeromq/zeromq.mk            |    4 +-
 buildroot/package/zstd/zstd.mk                |    2 +-
 .../support/dependencies/dependencies.sh      |    6 +
 buildroot/support/docker/Dockerfile           |    4 +-
 buildroot/support/misc/Vagrantfile            |    2 +-
 buildroot/support/scripts/apply-patches.sh    |    5 +-
 buildroot/support/scripts/pkg-stats           |  449 ++--
 buildroot/support/scripts/pycompile.py        |  124 +-
 buildroot/support/scripts/setlocalversion     |   37 +-
 buildroot/support/testing/infra/__init__.py   |    4 +-
 .../testing/tests/core/test_timezone.py       |    8 +-
 .../tests/package/test_docker_compose.py      |    1 -
 buildroot/utils/check-package                 |   34 +-
 buildroot/utils/checkpackagelib/lib_config.py |    4 +-
 buildroot/utils/checkpackagelib/lib_mk.py     |   60 +-
 buildroot/utils/checkpackagelib/lib_patch.py  |    6 +-
 buildroot/utils/getdeveloperlib.py            |   10 +-
 buildroot/utils/scanpypi                      |    8 +-
 332 files changed, 10767 insertions(+), 1806 deletions(-)
 create mode 100644 buildroot/boot/grub2/0002-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
 create mode 100644 buildroot/boot/grub2/0003-safemath-Add-some-arithmetic-primitives-that-check-f.patch
 create mode 100644 buildroot/boot/grub2/0004-calloc-Make-sure-we-always-have-an-overflow-checking.patch
 create mode 100644 buildroot/boot/grub2/0005-calloc-Use-calloc-at-most-places.patch
 create mode 100644 buildroot/boot/grub2/0006-malloc-Use-overflow-checking-primitives-where-we-do-.patch
 create mode 100644 buildroot/boot/grub2/0007-iso9660-Don-t-leak-memory-on-realloc-failures.patch
 create mode 100644 buildroot/boot/grub2/0008-font-Do-not-load-more-than-one-NAME-section.patch
 create mode 100644 buildroot/boot/grub2/0009-gfxmenu-Fix-double-free-in-load_image.patch
 create mode 100644 buildroot/boot/grub2/0010-xnu-Fix-double-free-in-grub_xnu_devprop_add_property.patch
 create mode 100644 buildroot/boot/grub2/0011-lzma-Make-sure-we-don-t-dereference-past-array.patch
 create mode 100644 buildroot/boot/grub2/0012-term-Fix-overflow-on-user-inputs.patch
 create mode 100644 buildroot/boot/grub2/0013-udf-Fix-memory-leak.patch
 create mode 100644 buildroot/boot/grub2/0014-multiboot2-Fix-memory-leak-if-grub_create_loader_cmd.patch
 create mode 100644 buildroot/boot/grub2/0015-tftp-Do-not-use-priority-queue.patch
 create mode 100644 buildroot/boot/grub2/0016-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch
 create mode 100644 buildroot/boot/grub2/0017-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch
 create mode 100644 buildroot/boot/grub2/0018-script-Remove-unused-fields-from-grub_script_functio.patch
 create mode 100644 buildroot/boot/grub2/0019-script-Avoid-a-use-after-free-when-redefining-a-func.patch
 create mode 100644 buildroot/boot/grub2/0020-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch
 create mode 100644 buildroot/boot/grub2/0021-hfsplus-Fix-two-more-overflows.patch
 create mode 100644 buildroot/boot/grub2/0022-lvm-Fix-two-more-potential-data-dependent-alloc-over.patch
 create mode 100644 buildroot/boot/grub2/0023-emu-Make-grub_free-NULL-safe.patch
 create mode 100644 buildroot/boot/grub2/0024-efi-Fix-some-malformed-device-path-arithmetic-errors.patch
 create mode 100644 buildroot/boot/grub2/0025-efi-chainloader-Propagate-errors-from-copy_file_path.patch
 create mode 100644 buildroot/boot/grub2/0026-efi-Fix-use-after-free-in-halt-reboot-path.patch
 create mode 100644 buildroot/boot/grub2/0027-loader-linux-Avoid-overflow-on-initrd-size-calculati.patch
 create mode 100644 buildroot/boot/grub2/0028-linux-Fix-integer-overflows-in-initrd-size-handling.patch
 create mode 100644 buildroot/package/bash/0017-bash50-017.patch
 create mode 100644 buildroot/package/bash/0018-bash50-018.patch
 rename buildroot/package/bash/{0017-input.h-add-missing-include-on-stdio.h.patch => 0019-input.h-add-missing-include-on-stdio.h.patch} (100%)
 rename buildroot/package/bash/{0018-locale.c-fix-build-without-wchar.patch => 0020-locale.c-fix-build-without-wchar.patch} (100%)
 create mode 100644 buildroot/package/brotli/0002-Revert-Add-runtime-linker-path-to-pkg-config-files.patch
 create mode 100644 buildroot/package/cifs-utils/0001-Use-DESTDIR-when-installing-mount.smb3-and-optionall.patch
 create mode 100644 buildroot/package/cpio/0001-Minor-fix.patch
 create mode 100644 buildroot/package/cryptsetup/0002-Add-support-for-upcoming-json-c-0.14.0.patch
 create mode 100644 buildroot/package/cryptsetup/0003-Avoid-name-clash-with-newer-json-c-library.patch
 create mode 100644 buildroot/package/cups/70-usb-printers.rules
 create mode 100644 buildroot/package/cups/S81cupsd
 create mode 100644 buildroot/package/dropbear/0001-scp-Port-OpenSSH-CVE-2018-20685-fix.patch
 create mode 100644 buildroot/package/f2fs-tools/0002-fsck.f2fs-correct-return-value.patch
 create mode 100644 buildroot/package/gd/0005-Fix-potential-NULL-pointer-dereference-in-gdImageClone.patch
 create mode 100644 buildroot/package/gd/0006-Fix-497-gdImageColorMatch-Out-Of-Bounds-Write-on-Heap-CVE-2019-6977.patch
 delete mode 100644 buildroot/package/ghostscript/0001-Fix-cross-compilation-issue.patch
 rename buildroot/package/glibc/{2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427 => 2.30-73-gd59630f9959b0bb8991964758ab854ff4378b20d}/glibc.hash (70%)
 create mode 100644 buildroot/package/graphite2/0001-don-t-install-a-libtool-file-with-static-library.patch
 create mode 100644 buildroot/package/gstreamer1/gst1-plugins-bad/0002-meson-allow-the-user-to-disable-opencv.patch
 create mode 100644 buildroot/package/ipmitool/0008-fru-Fix-buffer-overflow-vulnerabilities.patch
 create mode 100644 buildroot/package/ipmitool/0009-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
 create mode 100644 buildroot/package/ipmitool/0010-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
 create mode 100644 buildroot/package/ipmitool/0011-channel-Fix-buffer-overflow.patch
 create mode 100644 buildroot/package/ipmitool/0012-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
 create mode 100644 buildroot/package/ipmitool/0013-fru-sdr-Fix-id_string-buffer-overflows.patch
 delete mode 100644 buildroot/package/jasper/0001-verify-data-range-CVE-2018-19541.patch
 delete mode 100644 buildroot/package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch
 delete mode 100644 buildroot/package/jasper/0003-test-asclen-CVE-2018-19540.patch
 delete mode 100644 buildroot/package/libcurl/0001-bearssl-fix-build-with-disabled-proxy-support.patch
 delete mode 100644 buildroot/package/libcurl/0002-nss-fix-build-with-disabled-proxy-support.patch
 delete mode 100644 buildroot/package/libhtp/0001-htp.pc.in-add-lz-to-Libs.private.patch
 delete mode 100644 buildroot/package/libssh/0001-libssh.h-bump-to-version-0.9.4.patch
 delete mode 100644 buildroot/package/libssh/0002-channels-Avoid-returning-SSH_AGAIN-from-ssh_channel_.patch
 create mode 100644 buildroot/package/libxml2/0003-Fix-out-of-bounds-read-with-xmllint--htmlout.patch
 create mode 100644 buildroot/package/lua/5.1.5/lua.hash
 delete mode 100644 buildroot/package/lua/5.3.5/0003-fix-revision-number.patch
 rename buildroot/package/lua/{5.3.5 => 5.3.6}/0001-root-path.patch (100%)
 rename buildroot/package/lua/{5.3.5 => 5.3.6}/0002-shared-libs-for-lua.patch (100%)
 rename buildroot/package/lua/{5.3.5/0011-linenoise.patch => 5.3.6/0003-linenoise.patch} (100%)
 create mode 100644 buildroot/package/lua/5.3.6/lua.hash
 delete mode 100644 buildroot/package/lua/lua.hash
 delete mode 100644 buildroot/package/memcached/0001-configure-Fix-cross-compilation-errors.patch
 delete mode 100644 buildroot/package/memcached/0002-configure-Simplify-pointer-size-check.patch
 create mode 100644 buildroot/package/minidlna/0001-fix-build-with-gcc-10.patch
 create mode 100644 buildroot/package/minidlna/0002-upnphttp.c-fix-CallStranger-a.k.a.-CVE-2020-12695.patch
 create mode 100644 buildroot/package/opencv/0001-Fix-build-of-grfmt_jpeg2000-cpp.patch
 create mode 100644 buildroot/package/opencv3/0001-Fix-build-of-grfmt_jpeg2000-cpp.patch
 create mode 100644 buildroot/package/openjpeg/0008-opj_decompress-fix-double-free-on-input-directory-with-mix-of-valid.patch
 create mode 100644 buildroot/package/python-matplotlib/0002-Merge-pull-request-11983-from-anntzer-builddepchecks.patch
 create mode 100644 buildroot/package/python-scapy/0001-Small-Python-2-fix.patch
 create mode 100644 buildroot/package/rtl8821au/0003-Fix-using-sprintf-for-extending-string-which-causes-.patch
 create mode 100644 buildroot/package/supertux/0001-CMakeLists.txt-compile-squirrel-with-fPIC.patch
 delete mode 100644 buildroot/package/systemd/0001-Fix-build-with-libmicrohttpd-0.9.71.patch
 delete mode 100644 buildroot/package/systemd/0001-random-seed-add-missing-header-for-GRND_NONBLOCK.patch
 create mode 100644 buildroot/package/trousers/0003-Correct-multiple-security-issues-that-are-present-if.patch
 rename buildroot/package/vsftpd/{0003-fix-CVE-2015-1419.patch => 0002-fix-CVE-2015-1419.patch} (100%)
 rename buildroot/package/vsftpd/{0004-Prevent-hang-in-SIGCHLD-handler.patch => 0003-Prevent-hang-in-SIGCHLD-handler.patch} (100%)
 create mode 100644 buildroot/package/wolfssl/0001-Make-ByteReverseWords-available-for-big-and-little-endian.patch
 delete mode 100644 buildroot/package/x11r7/xserver_xorg-server/1.20.8/0002-configure.ac-Fix-check-for-CLOCK_MONOTONIC.patch
 rename buildroot/package/x11r7/xserver_xorg-server/{1.20.8 => 1.20.9}/0001-modesettings-needs-dri2.patch (97%)
 rename buildroot/package/x11r7/xserver_xorg-server/{1.20.8/0003-Remove-check-for-useSIGIO-option.patch => 1.20.9/0002-Remove-check-for-useSIGIO-option.patch} (96%)
 rename buildroot/package/x11r7/xserver_xorg-server/{1.20.8/0004-include-misc.h-fix-uClibc-build.patch => 1.20.9/0003-include-misc.h-fix-uClibc-build.patch} (100%)
 rename buildroot/package/x11r7/xserver_xorg-server/{1.20.8/0005-hw-xwayland-Makefile.am-fix-build-without-glx.patch => 1.20.9/0004-hw-xwayland-Makefile.am-fix-build-without-glx.patch} (100%)
 rename buildroot/package/x11r7/xserver_xorg-server/{1.20.8/0006-hw-xfree86-common-xf86Init.c-fix-build-without-glx.patch => 1.20.9/0005-hw-xfree86-common-xf86Init.c-fix-build-without-glx.patch} (97%)
 create mode 100644 buildroot/package/x11r7/xserver_xorg-server/1.20.9/0006-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch
 rename buildroot/package/ympd/{0002-only-c-language.patch => 0001-only-c-language.patch} (100%)
 delete mode 100644 buildroot/package/zeromq/0001-acinclude.m4-add-latomic-to-PKGCFG_LIBS_PRIVATE.patch

diff --git a/buildroot/.gitlab-ci.yml b/buildroot/.gitlab-ci.yml
index b4dad3173..c838ff3c2 100644
--- a/buildroot/.gitlab-ci.yml
+++ b/buildroot/.gitlab-ci.yml
@@ -4,12 +4,13 @@
 # It needs to be regenerated every time a defconfig is added, using
 # "make .gitlab-ci.yml".
 
-image: buildroot/base:20191027.2027
+image: buildroot/base:20200814.2228
 
 .check_base:
-    except:
-        - /^.*-.*_defconfig$/
-        - /^.*-tests\..*$/
+    rules:
+        - if: '$CI_COMMIT_REF_NAME =~ /^.*-.*_defconfig$/ || $CI_COMMIT_REF_NAME =~ /^.*-tests\..*$/'
+          when: never
+        - when: always
 
 check-DEVELOPERS:
     extends: .check_base
@@ -27,7 +28,7 @@ check-flake8:
         - find * -type f -print0 | xargs -0 file | grep 'Python script' | cut -d':' -f1 >> files.txt
         - sort -u files.txt | tee files.processed
     script:
-        - python -m flake8 --statistics --count --max-line-length=132 $(cat files.processed)
+        - python3 -m flake8 --statistics --count --max-line-length=132 $(cat files.processed)
     after_script:
         - wc -l files.processed
 
@@ -69,17 +70,21 @@ check-package:
     extends: .defconfig_base
     # Running the defconfigs for every push is too much, so limit to
     # explicit triggers through the API.
-    only:
-        - triggers
-        - tags
-        - /-defconfigs$/
+    rules:
+        # For tags, create a pipeline.
+        - if: '$CI_COMMIT_TAG'
+        # For pipeline created by using a trigger token.
+        - if: '$CI_PIPELINE_TRIGGERED'
+        # For the branch or tag name named *-defconfigs, create a pipeline.
+        - if: '$CI_COMMIT_REF_NAME =~ /^.*-defconfigs$/'
     before_script:
         - DEFCONFIG_NAME=${CI_JOB_NAME}
 
 one-defconfig:
     extends: .defconfig_base
-    only:
-        - /^.*-.*_defconfig$/
+    rules:
+        # For the branch or tag name named *-*_defconfigs, create a pipeline.
+        - if: '$CI_COMMIT_REF_NAME =~ /^.*-.*_defconfig$/'
     before_script:
         - DEFCONFIG_NAME=$(echo ${CI_COMMIT_REF_NAME} | sed -e 's,^.*-,,g')
 
@@ -103,17 +108,20 @@ one-defconfig:
     extends: .runtime_test_base
     # Running the runtime tests for every push is too much, so limit to
     # explicit triggers through the API.
-    only:
-        - triggers
-        - tags
-        - /-runtime-tests$/
+    rules:
+        # For tags, create a pipeline.
+        - if: '$CI_COMMIT_TAG'
+        # For pipeline created by using a trigger token.
+        - if: '$CI_PIPELINE_TRIGGERED'
+        # For the branch or tag name named *-runtime-tests, create a pipeline.
+        - if: '$CI_COMMIT_REF_NAME =~ /^.*-runtime-tests$/'
     before_script:
         - TEST_CASE_NAME=${CI_JOB_NAME}
 
 one-runtime_test:
     extends: .runtime_test_base
-    only:
-        - /^.*-tests\..*$/
+    rules:
+        - if: '$CI_COMMIT_REF_NAME =~ /^.*-tests\..*$/'
     before_script:
         - TEST_CASE_NAME=$(echo ${CI_COMMIT_REF_NAME} | sed -e 's,^.*-,,g')
 aarch64_efi_defconfig: { extends: .defconfig }
diff --git a/buildroot/.gitlab-ci.yml.in b/buildroot/.gitlab-ci.yml.in
index 7e6a7598a..08a714f32 100644
--- a/buildroot/.gitlab-ci.yml.in
+++ b/buildroot/.gitlab-ci.yml.in
@@ -4,12 +4,13 @@
 # It needs to be regenerated every time a defconfig is added, using
 # "make .gitlab-ci.yml".
 
-image: buildroot/base:20191027.2027
+image: buildroot/base:20200814.2228
 
 .check_base:
-    except:
-        - /^.*-.*_defconfig$/
-        - /^.*-tests\..*$/
+    rules:
+        - if: '$CI_COMMIT_REF_NAME =~ /^.*-.*_defconfig$/ || $CI_COMMIT_REF_NAME =~ /^.*-tests\..*$/'
+          when: never
+        - when: always
 
 check-DEVELOPERS:
     extends: .check_base
@@ -27,7 +28,7 @@ check-flake8:
         - find * -type f -print0 | xargs -0 file | grep 'Python script' | cut -d':' -f1 >> files.txt
         - sort -u files.txt | tee files.processed
     script:
-        - python -m flake8 --statistics --count --max-line-length=132 $(cat files.processed)
+        - python3 -m flake8 --statistics --count --max-line-length=132 $(cat files.processed)
     after_script:
         - wc -l files.processed
 
@@ -69,17 +70,21 @@ check-package:
     extends: .defconfig_base
     # Running the defconfigs for every push is too much, so limit to
     # explicit triggers through the API.
-    only:
-        - triggers
-        - tags
-        - /-defconfigs$/
+    rules:
+        # For tags, create a pipeline.
+        - if: '$CI_COMMIT_TAG'
+        # For pipeline created by using a trigger token.
+        - if: '$CI_PIPELINE_TRIGGERED'
+        # For the branch or tag name named *-defconfigs, create a pipeline.
+        - if: '$CI_COMMIT_REF_NAME =~ /^.*-defconfigs$/'
     before_script:
         - DEFCONFIG_NAME=${CI_JOB_NAME}
 
 one-defconfig:
     extends: .defconfig_base
-    only:
-        - /^.*-.*_defconfig$/
+    rules:
+        # For the branch or tag name named *-*_defconfigs, create a pipeline.
+        - if: '$CI_COMMIT_REF_NAME =~ /^.*-.*_defconfig$/'
     before_script:
         - DEFCONFIG_NAME=$(echo ${CI_COMMIT_REF_NAME} | sed -e 's,^.*-,,g')
 
@@ -103,16 +108,19 @@ one-defconfig:
     extends: .runtime_test_base
     # Running the runtime tests for every push is too much, so limit to
     # explicit triggers through the API.
-    only:
-        - triggers
-        - tags
-        - /-runtime-tests$/
+    rules:
+        # For tags, create a pipeline.
+        - if: '$CI_COMMIT_TAG'
+        # For pipeline created by using a trigger token.
+        - if: '$CI_PIPELINE_TRIGGERED'
+        # For the branch or tag name named *-runtime-tests, create a pipeline.
+        - if: '$CI_COMMIT_REF_NAME =~ /^.*-runtime-tests$/'
     before_script:
         - TEST_CASE_NAME=${CI_JOB_NAME}
 
 one-runtime_test:
     extends: .runtime_test_base
-    only:
-        - /^.*-tests\..*$/
+    rules:
+        - if: '$CI_COMMIT_REF_NAME =~ /^.*-tests\..*$/'
     before_script:
         - TEST_CASE_NAME=$(echo ${CI_COMMIT_REF_NAME} | sed -e 's,^.*-,,g')
diff --git a/buildroot/CHANGES b/buildroot/CHANGES
index 86ecec8f7..77e274f5c 100644
--- a/buildroot/CHANGES
+++ b/buildroot/CHANGES
@@ -1,3 +1,94 @@
+2020.02.7, released October 12th, 2020
+
+	Important / security related fixes.
+
+	meson: Correct SDK cross-compilation.conf file when
+	per-package builds were used to build SDK.
+
+	systemd: Use /run rather than /var/run for PID files in units.
+
+	Toolchain: use Secure-PLT rather than BSS-PLT for PowerPC 32.
+
+	support/script/pycompile: Rework logic to ensure .pyc files
+	contain absolute target paths, fixing code inspection at
+	runtime when executed with cwd != '/'.
+
+	support/scripts/setlocalversion: Correct Mercurial output to
+	match behaviour with Git.
+
+	support/scripts/apply-patches.sh: Use patch
+	--no-backup-if-mismatch, so we no longer blindly have to
+	remove *.orig files after patching, fixing issues with
+	packages containing such files.
+
+	Updated/fixed packages: bandwidthd, barebox, bash, bison,
+	brotli, cifs-utils, cryptsetup, dhcpcd, dhcpdump, docker-cli,
+	docker-engine, ecryptfs-utils, efl, fail2ban, freetype, gcc,
+	gdb, ghostscript, gnutls, go, gst1-plugins-base,
+	gst1-plugins-ugly, ipmitool, libhtp, libraw, libssh, libxml2,
+	libxml-parser-perl, localedef, lua, memcached, mesa3d, meson,
+	minidlna, nginx, nodejs, nss-pam-ldapd, openvmtools, php,
+	postgresql, python, python-aenum, python-autobahn,
+	python-engineio, python-fire, python-pymodbus, python-scapy,
+	python-semver, python-sentry-sdk, python-socketio,
+	python-texttable, python-tinyrpc, python-txtorcon, python3,
+	qt5base, runc, samba4, strace, supertux, suricata, systemd,
+	vlc, wayland-protocols, wireguard-linux-compat, wireshark,
+	xserver_xorg-server, zeromq, zstd
+
+	Issues resolved (http://bugs.uclibc.org):
+
+	#12911: usb_modeswitch installation race condition
+	#13251: cryptsetup does not work on branch 2020.02 following..
+
+2020.02.6, released September 5th, 2020
+
+	Important / security related fixes.
+
+	Fix a 2020.02.5 build regression in busybox when systemd (and
+	not less) are enabled because of missing infrastructure.
+
+	Updated/fixed packages: alsa-utils, avahi, busybox, cups,
+	docker-cli, graphite2, imagemagick, libeXosip2, mbedtls,
+	nvidia-driver, paho-mqtt-c, python-django, systemd, uclibc,
+	usb_modeswitch, wolfssl
+
+	Issues resolved (http://bugs.uclibc.org):
+
+	#12911: usb_modeswitch installation race condition
+
+2020.02.5, released August 29th, 2020
+
+	Important / security related fixes.
+
+	Infrastructure: Ensure RPATH entries that may be needed for
+	dlopen() are not dropped by patchelf.
+
+	BR_VERSION_FULL/setlocalversion (used by make print-version
+	and /etc/os-release): Properly handle local git tags
+
+	Updated/fixed packages: apache, at91bootstrap3, bind, boost,
+	busybox, capnproto, chrony, collectd, cpio, cryptsetup, cups,
+	cvs, dbus, docker-engine, domoticz, dovecot,
+	dovecot-pigeonhole, dropbear, efl, elixir, f2fs-tools, ffmpeg,
+	gd, gdk-pixbuf, ghostscript, glibc, grub2, gst1-plugins-bad,
+	hostapd, iputils, jasper, json-c, libcurl, libwebsockets,
+	linux, live555, mesa3d, mosquitto, mpv, nodejs, opencv,
+	opencv3, openjpeg, patchelf, perl, php, postgresql,
+	python-django, python-gunicorn, python-matplotlib, ripgrep,
+	rtl8188eu, rtl8821au, ruby, shadowsocks-libev, squid,
+	tpm2-abrmd, tpm2-tools, trousers, uacme, webkitgtk, wireshark,
+	wolfssl, wpa_supplicant, wpewebkit, xen, xlib_libX11,
+	xserver_xorg-server
+
+	Issues resolved (http://bugs.uclibc.org):
+
+	#12876: nodejs fails to build when host-icu has been built before
+	#13111: python-gunicorn: missing dependency on python-setuptools
+	#13121: wpa_supplicant fails to build without libopenssl enabled
+	#13141: Target-finalize fail with "depmod: ERROR: Bad version passed"
+	#13156: package live555 new license
+
 2020.02.4, released July 26th, 2020
 
 	Important / security related fixes.
diff --git a/buildroot/DEVELOPERS b/buildroot/DEVELOPERS
index 66ef194dd..5abdb916a 100644
--- a/buildroot/DEVELOPERS
+++ b/buildroot/DEVELOPERS
@@ -186,18 +186,25 @@ F:	package/rauc/
 
 N:	Angelo Compagnucci <angelo.compagnucci@gmail.com>
 F:	package/corkscrew/
+F:	package/cups/
+F:	package/cups-filters/
 F:	package/fail2ban/
+F:	package/grep/
 F:	package/i2c-tools/
+F:	package/jq/
+F:	package/libb64/
 F:	package/mender/
 F:	package/mender-artifact/
 F:	package/mono/
 F:	package/mono-gtksharp3/
 F:	package/monolite/
+F:	package/openjpeg/
 F:	package/python-can/
 F:	package/python-pillow/
 F:	package/python-pydal/
 F:	package/python-spidev/
 F:	package/python-web2py/
+F:	package/sam-ba/
 F:	package/sshguard/
 F:	package/sunwait/
 F:	package/sysdig/
@@ -211,6 +218,8 @@ N:	Anthony Viallard <viallard@syscom-instruments.com>
 F:	package/gnuplot/
 
 N:	Antoine Ténart <antoine.tenart@bootlin.com>
+F:	package/libselinux/
+F:	package/refpolicy/
 F:	package/wf111/
 
 N:	Antony Pavlov <antonynpavlov@gmail.com>
@@ -1035,6 +1044,7 @@ N:	Gwenhael Goavec-Merou <gwenhael.goavec-merou@trabucayre.com>
 F:	package/gnuradio/
 F:	package/gqrx/
 F:	package/gr-osmosdr/
+F:	package/librtlsdr/
 F:	package/libusbgx/
 F:	package/python-cheetah/
 F:	package/python-markdown/
@@ -1713,9 +1723,6 @@ F:	package/systemd-bootchart/
 F:	package/tinyalsa/
 F:	package/tinyxml/
 
-N:	Maxime Ripard <maxime.ripard@bootlin.com>
-F:	package/kmsxx/
-
 N:	Michael Durrant <mdurrant@arcturusnetworks.com>
 F:	board/arcturus/
 F:	configs/arcturus_ucp1020_defconfig
@@ -1810,6 +1817,7 @@ F:	package/tpm-tools/
 F:	package/trousers/
 
 N:	Norbert Lange <nolange79@gmail.com>
+F:	package/systemd/
 F:	package/tcf-agent/
 
 N:	Nylon Chen <nylon7@andestech.com>
@@ -2135,6 +2143,7 @@ F:	package/davfs2/
 
 N:	Ryan Barnett <ryan.barnett@rockwellcollins.com>
 F:	package/atftp/
+F:	package/c-periphery/
 F:	package/miraclecast/
 F:	package/python-pyasn/
 F:	package/python-pysnmp/
diff --git a/buildroot/Makefile b/buildroot/Makefile
index b2dfce197..bf17f52f8 100644
--- a/buildroot/Makefile
+++ b/buildroot/Makefile
@@ -92,9 +92,9 @@ all:
 .PHONY: all
 
 # Set and export the version string
-export BR2_VERSION := 2020.02.4
+export BR2_VERSION := 2020.02.7
 # Actual time the release is cut (for reproducible builds)
-BR2_VERSION_EPOCH = 1595750000
+BR2_VERSION_EPOCH = 1602538000
 
 # Save running make version since it's clobbered by the make package
 RUNNING_MAKE_VERSION := $(MAKE_VERSION)
@@ -113,7 +113,13 @@ DATE := $(shell date +%Y%m%d)
 
 # Compute the full local version string so packages can use it as-is
 # Need to export it, so it can be got from environment in children (eg. mconf)
-export BR2_VERSION_FULL := $(BR2_VERSION)$(shell $(TOPDIR)/support/scripts/setlocalversion)
+
+BR2_LOCALVERSION := $(shell $(TOPDIR)/support/scripts/setlocalversion)
+ifeq ($(BR2_LOCALVERSION),)
+export BR2_VERSION_FULL := $(BR2_VERSION)
+else
+export BR2_VERSION_FULL := $(BR2_LOCALVERSION)
+endif
 
 # List of targets and target patterns for which .config doesn't need to be read in
 noconfig_targets := menuconfig nconfig gconfig xconfig config oldconfig randconfig \
@@ -793,9 +799,9 @@ endif
 # counterparts are appropriately setup as symlinks ones to the others.
 ifeq ($(BR2_ROOTFS_MERGED_USR),y)
 
-	@$(foreach d, $(call qstrip,$(BR2_ROOTFS_OVERLAY)), \
-		$(call MESSAGE,"Sanity check in overlay $(d)"); \
-		not_merged_dirs="$$(support/scripts/check-merged-usr.sh $(d))"; \
+	$(foreach d, $(call qstrip,$(BR2_ROOTFS_OVERLAY)), \
+		@$(call MESSAGE,"Sanity check in overlay $(d)")$(sep) \
+		$(Q)not_merged_dirs="$$(support/scripts/check-merged-usr.sh $(d))"; \
 		test -n "$$not_merged_dirs" && { \
 			echo "ERROR: The overlay in $(d) is not" \
 				"using a merged /usr for the following directories:" \
@@ -805,20 +811,20 @@ ifeq ($(BR2_ROOTFS_MERGED_USR),y)
 
 endif # merged /usr
 
-	@$(foreach d, $(call qstrip,$(BR2_ROOTFS_OVERLAY)), \
-		$(call MESSAGE,"Copying overlay $(d)"); \
-		$(call SYSTEM_RSYNC,$(d),$(TARGET_DIR))$(sep))
+	$(foreach d, $(call qstrip,$(BR2_ROOTFS_OVERLAY)), \
+		@$(call MESSAGE,"Copying overlay $(d)")$(sep) \
+		$(Q)$(call SYSTEM_RSYNC,$(d),$(TARGET_DIR))$(sep))
 
-	$(if $(TARGET_DIR_FILES_LISTS), \
+	$(Q)$(if $(TARGET_DIR_FILES_LISTS), \
 		cat $(TARGET_DIR_FILES_LISTS)) > $(BUILD_DIR)/packages-file-list.txt
-	$(if $(HOST_DIR_FILES_LISTS), \
+	$(Q)$(if $(HOST_DIR_FILES_LISTS), \
 		cat $(HOST_DIR_FILES_LISTS)) > $(BUILD_DIR)/packages-file-list-host.txt
-	$(if $(STAGING_DIR_FILES_LISTS), \
+	$(Q)$(if $(STAGING_DIR_FILES_LISTS), \
 		cat $(STAGING_DIR_FILES_LISTS)) > $(BUILD_DIR)/packages-file-list-staging.txt
 
-	@$(foreach s, $(call qstrip,$(BR2_ROOTFS_POST_BUILD_SCRIPT)), \
-		$(call MESSAGE,"Executing post-build script $(s)"); \
-		$(EXTRA_ENV) $(s) $(TARGET_DIR) $(call qstrip,$(BR2_ROOTFS_POST_SCRIPT_ARGS))$(sep))
+	$(foreach s, $(call qstrip,$(BR2_ROOTFS_POST_BUILD_SCRIPT)), \
+		@$(call MESSAGE,"Executing post-build script $(s)")$(sep) \
+		$(Q)$(EXTRA_ENV) $(s) $(TARGET_DIR) $(call qstrip,$(BR2_ROOTFS_POST_SCRIPT_ARGS))$(sep))
 
 	touch $(TARGET_DIR)/usr
 
diff --git a/buildroot/boot/at91bootstrap3/Config.in b/buildroot/boot/at91bootstrap3/Config.in
index faab7635d..bd3873860 100644
--- a/buildroot/boot/at91bootstrap3/Config.in
+++ b/buildroot/boot/at91bootstrap3/Config.in
@@ -1,6 +1,6 @@
 config BR2_TARGET_AT91BOOTSTRAP3
 	bool "AT91 Bootstrap 3"
-	depends on BR2_arm926t || BR2_cortex_a5
+	depends on BR2_arm926t || BR2_cortex_a5 || BR2_cortex_a7
 	help
 	  AT91Bootstrap is a first level bootloader for the Atmel AT91
 	  devices. It integrates algorithms for:
diff --git a/buildroot/boot/barebox/barebox.mk b/buildroot/boot/barebox/barebox.mk
index 1efe5665d..9d62037e7 100644
--- a/buildroot/boot/barebox/barebox.mk
+++ b/buildroot/boot/barebox/barebox.mk
@@ -88,13 +88,6 @@ $(1)_KCONFIG_DEPENDENCIES = \
 	$(BR2_BISON_HOST_DEPENDENCY) \
 	$(BR2_FLEX_HOST_DEPENDENCY)
 
-ifeq ($$(BR2_TARGET_$(1)_BAREBOXENV),y)
-define $(1)_BUILD_BAREBOXENV_CMDS
-	$$(TARGET_CC) $$(TARGET_CFLAGS) $$(TARGET_LDFLAGS) -o $$(@D)/bareboxenv \
-		$$(@D)/scripts/bareboxenv.c
-endef
-endif
-
 ifeq ($$(BR2_TARGET_$(1)_CUSTOM_ENV),y)
 $(1)_ENV_NAME = $$(notdir $$(call qstrip,\
 	$$(BR2_TARGET_$(1)_CUSTOM_ENV_PATH)))
@@ -109,12 +102,23 @@ endef
 endif
 
 ifneq ($$($(1)_CUSTOM_EMBEDDED_ENV_PATH),)
-define $(1)_KCONFIG_FIXUP_CMDS
-	$$(call KCONFIG_ENABLE_OPT,CONFIG_DEFAULT_ENVIRONMENT,$$(@D)/.config)
-	$$(call KCONFIG_SET_OPT,CONFIG_DEFAULT_ENVIRONMENT_PATH,"$$($(1)_CUSTOM_EMBEDDED_ENV_PATH)",$$(@D)/.config)
+define $(1)_KCONFIG_FIXUP_CUSTOM_EMBEDDED_ENV_PATH
+	$$(call KCONFIG_ENABLE_OPT,CONFIG_DEFAULT_ENVIRONMENT)
+	$$(call KCONFIG_SET_OPT,CONFIG_DEFAULT_ENVIRONMENT_PATH,"$$($(1)_CUSTOM_EMBEDDED_ENV_PATH)")
 endef
 endif
 
+define $(1)_KCONFIG_FIXUP_BAREBOXENV
+	$$(if $$(BR2_TARGET_$(1)_BAREBOXENV),\
+		$$(call KCONFIG_ENABLE_OPT,CONFIG_BAREBOXENV_TARGET),\
+		$$(call KCONFIG_DISABLE_OPT,CONFIG_BAREBOXENV_TARGET))
+endef
+
+define $(1)_KCONFIG_FIXUP_CMDS
+	$$($(1)_KCONFIG_FIXUP_CUSTOM_EMBEDDED_ENV_PATH)
+	$$($(1)_KCONFIG_FIXUP_BAREBOXENV)
+endef
+
 define $(1)_BUILD_CMDS
 	$$($(1)_BUILD_BAREBOXENV_CMDS)
 	$$(TARGET_MAKE_ENV) $$(MAKE) $$($(1)_MAKE_FLAGS) -C $$(@D)
@@ -136,7 +140,7 @@ endef
 
 ifeq ($$(BR2_TARGET_$(1)_BAREBOXENV),y)
 define $(1)_INSTALL_TARGET_CMDS
-	cp $$(@D)/bareboxenv $$(TARGET_DIR)/usr/bin
+	cp $$(@D)/scripts/bareboxenv-target $$(TARGET_DIR)/usr/bin/bareboxenv
 endef
 endif
 
diff --git a/buildroot/boot/grub2/0002-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch b/buildroot/boot/grub2/0002-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
new file mode 100644
index 000000000..001dda820
--- /dev/null
+++ b/buildroot/boot/grub2/0002-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
@@ -0,0 +1,73 @@
+From a7ab0cc98fa89a3d5098c29cbe44bcd24b0a6454 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 15 Apr 2020 15:45:02 -0400
+Subject: [PATCH] yylex: Make lexer fatal errors actually be fatal
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When presented with a command that can't be tokenized to anything
+smaller than YYLMAX characters, the parser calls YY_FATAL_ERROR(errmsg),
+expecting that will stop further processing, as such:
+
+  #define YY_DO_BEFORE_ACTION \
+        yyg->yytext_ptr = yy_bp; \
+        yyleng = (int) (yy_cp - yy_bp); \
+        yyg->yy_hold_char = *yy_cp; \
+        *yy_cp = '\0'; \
+        if ( yyleng >= YYLMAX ) \
+                YY_FATAL_ERROR( "token too large, exceeds YYLMAX" ); \
+        yy_flex_strncpy( yytext, yyg->yytext_ptr, yyleng + 1 , yyscanner); \
+        yyg->yy_c_buf_p = yy_cp;
+
+The code flex generates expects that YY_FATAL_ERROR() will either return
+for it or do some form of longjmp(), or handle the error in some way at
+least, and so the strncpy() call isn't in an "else" clause, and thus if
+YY_FATAL_ERROR() is *not* actually fatal, it does the call with the
+questionable limit, and predictable results ensue.
+
+Unfortunately, our implementation of YY_FATAL_ERROR() is:
+
+   #define YY_FATAL_ERROR(msg)                     \
+     do {                                          \
+       grub_printf (_("fatal error: %s\n"), _(msg));     \
+     } while (0)
+
+The same pattern exists in yyless(), and similar problems exist in users
+of YY_INPUT(), several places in the main parsing loop,
+yy_get_next_buffer(), yy_load_buffer_state(), yyensure_buffer_stack,
+yy_scan_buffer(), etc.
+
+All of these callers expect YY_FATAL_ERROR() to actually be fatal, and
+the things they do if it returns after calling it are wildly unsafe.
+
+Fixes: CVE-2020-10713
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/script/yylex.l | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/script/yylex.l b/grub-core/script/yylex.l
+index 7b44c37b7..b7203c823 100644
+--- a/grub-core/script/yylex.l
++++ b/grub-core/script/yylex.l
+@@ -37,11 +37,11 @@
+ 
+ /* 
+  * As we don't have access to yyscanner, we cannot do much except to
+- * print the fatal error.
++ * print the fatal error and exit.
+  */
+ #define YY_FATAL_ERROR(msg)                     \
+   do {                                          \
+-    grub_printf (_("fatal error: %s\n"), _(msg));     \
++    grub_fatal (_("fatal error: %s\n"), _(msg));\
+   } while (0)
+ 
+ #define COPY(str, hint)                         \
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0003-safemath-Add-some-arithmetic-primitives-that-check-f.patch b/buildroot/boot/grub2/0003-safemath-Add-some-arithmetic-primitives-that-check-f.patch
new file mode 100644
index 000000000..5c5211346
--- /dev/null
+++ b/buildroot/boot/grub2/0003-safemath-Add-some-arithmetic-primitives-that-check-f.patch
@@ -0,0 +1,128 @@
+From 782a4580a5e347793443aa8e9152db1bf4a0fff8 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 15 Jun 2020 10:58:42 -0400
+Subject: [PATCH] safemath: Add some arithmetic primitives that check for
+ overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This adds a new header, include/grub/safemath.h, that includes easy to
+use wrappers for __builtin_{add,sub,mul}_overflow() declared like:
+
+  bool OP(a, b, res)
+
+where OP is grub_add, grub_sub or grub_mul. OP() returns true in the
+case where the operation would overflow and res is not modified.
+Otherwise, false is returned and the operation is executed.
+
+These arithmetic primitives require newer compiler versions. So, bump
+these requirements in the INSTALL file too.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ INSTALL                 | 22 ++--------------------
+ include/grub/compiler.h |  8 ++++++++
+ include/grub/safemath.h | 37 +++++++++++++++++++++++++++++++++++++
+ 3 files changed, 47 insertions(+), 20 deletions(-)
+ create mode 100644 include/grub/safemath.h
+
+diff --git a/INSTALL b/INSTALL
+index 8acb40902..dcb9b7d7b 100644
+--- a/INSTALL
++++ b/INSTALL
+@@ -11,27 +11,9 @@ GRUB depends on some software packages installed into your system. If
+ you don't have any of them, please obtain and install them before
+ configuring the GRUB.
+ 
+-* GCC 4.1.3 or later
+-  Note: older versions may work but support is limited
+-
+-  Experimental support for clang 3.3 or later (results in much bigger binaries)
++* GCC 5.1.0 or later
++  Experimental support for clang 3.8.0 or later (results in much bigger binaries)
+   for i386, x86_64, arm (including thumb), arm64, mips(el), powerpc, sparc64
+-  Note: clang 3.2 or later works for i386 and x86_64 targets but results in
+-        much bigger binaries.
+-	earlier versions not tested
+-  Note: clang 3.2 or later works for arm
+-	earlier versions not tested
+-  Note: clang on arm64 is not supported due to
+-	https://llvm.org/bugs/show_bug.cgi?id=26030
+-  Note: clang 3.3 or later works for mips(el)
+-	earlier versions fail to generate .reginfo and hence gprel relocations
+-	fail.
+-  Note: clang 3.2 or later works for powerpc
+-	earlier versions not tested
+-  Note: clang 3.5 or later works for sparc64
+-        earlier versions return "error: unable to interface with target machine"
+-  Note: clang has no support for ia64 and hence you can't compile GRUB
+-	for ia64 with clang
+ * GNU Make
+ * GNU Bison 2.3 or later
+ * GNU gettext 0.17 or later
+diff --git a/include/grub/compiler.h b/include/grub/compiler.h
+index c9e1d7a73..8f3be3ae7 100644
+--- a/include/grub/compiler.h
++++ b/include/grub/compiler.h
+@@ -48,4 +48,12 @@
+ #  define WARN_UNUSED_RESULT
+ #endif
+ 
++#if defined(__clang__) && defined(__clang_major__) && defined(__clang_minor__)
++#  define CLANG_PREREQ(maj,min) \
++          ((__clang_major__ > (maj)) || \
++	   (__clang_major__ == (maj) && __clang_minor__ >= (min)))
++#else
++#  define CLANG_PREREQ(maj,min) 0
++#endif
++
+ #endif /* ! GRUB_COMPILER_HEADER */
+diff --git a/include/grub/safemath.h b/include/grub/safemath.h
+new file mode 100644
+index 000000000..c17b89bba
+--- /dev/null
++++ b/include/grub/safemath.h
+@@ -0,0 +1,37 @@
++/*
++ *  GRUB  --  GRand Unified Bootloader
++ *  Copyright (C) 2020  Free Software Foundation, Inc.
++ *
++ *  GRUB is free software: you can redistribute it and/or modify
++ *  it under the terms of the GNU General Public License as published by
++ *  the Free Software Foundation, either version 3 of the License, or
++ *  (at your option) any later version.
++ *
++ *  GRUB is distributed in the hope that it will be useful,
++ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
++ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ *  GNU General Public License for more details.
++ *
++ *  You should have received a copy of the GNU General Public License
++ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ *  Arithmetic operations that protect against overflow.
++ */
++
++#ifndef GRUB_SAFEMATH_H
++#define GRUB_SAFEMATH_H 1
++
++#include <grub/compiler.h>
++
++/* These appear in gcc 5.1 and clang 3.8. */
++#if GNUC_PREREQ(5, 1) || CLANG_PREREQ(3, 8)
++
++#define grub_add(a, b, res)	__builtin_add_overflow(a, b, res)
++#define grub_sub(a, b, res)	__builtin_sub_overflow(a, b, res)
++#define grub_mul(a, b, res)	__builtin_mul_overflow(a, b, res)
++
++#else
++#error gcc 5.1 or newer or clang 3.8 or newer is required
++#endif
++
++#endif /* GRUB_SAFEMATH_H */
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0004-calloc-Make-sure-we-always-have-an-overflow-checking.patch b/buildroot/boot/grub2/0004-calloc-Make-sure-we-always-have-an-overflow-checking.patch
new file mode 100644
index 000000000..a2e19f0ea
--- /dev/null
+++ b/buildroot/boot/grub2/0004-calloc-Make-sure-we-always-have-an-overflow-checking.patch
@@ -0,0 +1,246 @@
+From 5775eb40862b67468ced816e6d7560dbe22a3670 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 15 Jun 2020 12:15:29 -0400
+Subject: [PATCH] calloc: Make sure we always have an overflow-checking
+ calloc() available
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This tries to make sure that everywhere in this source tree, we always have
+an appropriate version of calloc() (i.e. grub_calloc(), xcalloc(), etc.)
+available, and that they all safely check for overflow and return NULL when
+it would occur.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/kern/emu/misc.c          | 12 +++++++++
+ grub-core/kern/emu/mm.c            | 10 ++++++++
+ grub-core/kern/mm.c                | 40 ++++++++++++++++++++++++++++++
+ grub-core/lib/libgcrypt_wrap/mem.c | 11 ++++++--
+ grub-core/lib/posix_wrap/stdlib.h  |  8 +++++-
+ include/grub/emu/misc.h            |  1 +
+ include/grub/mm.h                  |  6 +++++
+ 7 files changed, 85 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/kern/emu/misc.c b/grub-core/kern/emu/misc.c
+index 65db79baa..dfd8a8ec4 100644
+--- a/grub-core/kern/emu/misc.c
++++ b/grub-core/kern/emu/misc.c
+@@ -85,6 +85,18 @@ grub_util_error (const char *fmt, ...)
+   exit (1);
+ }
+ 
++void *
++xcalloc (grub_size_t nmemb, grub_size_t size)
++{
++  void *p;
++
++  p = calloc (nmemb, size);
++  if (!p)
++    grub_util_error ("%s", _("out of memory"));
++
++  return p;
++}
++
+ void *
+ xmalloc (grub_size_t size)
+ {
+diff --git a/grub-core/kern/emu/mm.c b/grub-core/kern/emu/mm.c
+index f262e95e3..145b01d37 100644
+--- a/grub-core/kern/emu/mm.c
++++ b/grub-core/kern/emu/mm.c
+@@ -25,6 +25,16 @@
+ #include <string.h>
+ #include <grub/i18n.h>
+ 
++void *
++grub_calloc (grub_size_t nmemb, grub_size_t size)
++{
++  void *ret;
++  ret = calloc (nmemb, size);
++  if (!ret)
++    grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
++  return ret;
++}
++
+ void *
+ grub_malloc (grub_size_t size)
+ {
+diff --git a/grub-core/kern/mm.c b/grub-core/kern/mm.c
+index ee88ff611..f2822a836 100644
+--- a/grub-core/kern/mm.c
++++ b/grub-core/kern/mm.c
+@@ -67,8 +67,10 @@
+ #include <grub/dl.h>
+ #include <grub/i18n.h>
+ #include <grub/mm_private.h>
++#include <grub/safemath.h>
+ 
+ #ifdef MM_DEBUG
++# undef grub_calloc
+ # undef grub_malloc
+ # undef grub_zalloc
+ # undef grub_realloc
+@@ -375,6 +377,30 @@ grub_memalign (grub_size_t align, grub_size_t size)
+   return 0;
+ }
+ 
++/*
++ * Allocate NMEMB instances of SIZE bytes and return the pointer, or error on
++ * integer overflow.
++ */
++void *
++grub_calloc (grub_size_t nmemb, grub_size_t size)
++{
++  void *ret;
++  grub_size_t sz = 0;
++
++  if (grub_mul (nmemb, size, &sz))
++    {
++      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++      return NULL;
++    }
++
++  ret = grub_memalign (0, sz);
++  if (!ret)
++    return NULL;
++
++  grub_memset (ret, 0, sz);
++  return ret;
++}
++
+ /* Allocate SIZE bytes and return the pointer.  */
+ void *
+ grub_malloc (grub_size_t size)
+@@ -561,6 +587,20 @@ grub_mm_dump (unsigned lineno)
+   grub_printf ("\n");
+ }
+ 
++void *
++grub_debug_calloc (const char *file, int line, grub_size_t nmemb, grub_size_t size)
++{
++  void *ptr;
++
++  if (grub_mm_debug)
++    grub_printf ("%s:%d: calloc (0x%" PRIxGRUB_SIZE ", 0x%" PRIxGRUB_SIZE ") = ",
++		 file, line, size);
++  ptr = grub_calloc (nmemb, size);
++  if (grub_mm_debug)
++    grub_printf ("%p\n", ptr);
++  return ptr;
++}
++
+ void *
+ grub_debug_malloc (const char *file, int line, grub_size_t size)
+ {
+diff --git a/grub-core/lib/libgcrypt_wrap/mem.c b/grub-core/lib/libgcrypt_wrap/mem.c
+index beeb661a3..74c6eafe5 100644
+--- a/grub-core/lib/libgcrypt_wrap/mem.c
++++ b/grub-core/lib/libgcrypt_wrap/mem.c
+@@ -4,6 +4,7 @@
+ #include <grub/crypto.h>
+ #include <grub/dl.h>
+ #include <grub/env.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -36,7 +37,10 @@ void *
+ gcry_xcalloc (size_t n, size_t m)
+ {
+   void *ret;
+-  ret = grub_zalloc (n * m);
++  size_t sz;
++  if (grub_mul (n, m, &sz))
++    grub_fatal ("gcry_xcalloc would overflow");
++  ret = grub_zalloc (sz);
+   if (!ret)
+     grub_fatal ("gcry_xcalloc failed");
+   return ret;
+@@ -56,7 +60,10 @@ void *
+ gcry_xcalloc_secure (size_t n, size_t m)
+ {
+   void *ret;
+-  ret = grub_zalloc (n * m);
++  size_t sz;
++  if (grub_mul (n, m, &sz))
++    grub_fatal ("gcry_xcalloc would overflow");
++  ret = grub_zalloc (sz);
+   if (!ret)
+     grub_fatal ("gcry_xcalloc failed");
+   return ret;
+diff --git a/grub-core/lib/posix_wrap/stdlib.h b/grub-core/lib/posix_wrap/stdlib.h
+index 3b46f47ff..7a8d385e9 100644
+--- a/grub-core/lib/posix_wrap/stdlib.h
++++ b/grub-core/lib/posix_wrap/stdlib.h
+@@ -21,6 +21,7 @@
+ 
+ #include <grub/mm.h>
+ #include <grub/misc.h>
++#include <grub/safemath.h>
+ 
+ static inline void 
+ free (void *ptr)
+@@ -37,7 +38,12 @@ malloc (grub_size_t size)
+ static inline void *
+ calloc (grub_size_t size, grub_size_t nelem)
+ {
+-  return grub_zalloc (size * nelem);
++  grub_size_t sz;
++
++  if (grub_mul (size, nelem, &sz))
++    return NULL;
++
++  return grub_zalloc (sz);
+ }
+ 
+ static inline void *
+diff --git a/include/grub/emu/misc.h b/include/grub/emu/misc.h
+index ce464cfd0..ff9c48a64 100644
+--- a/include/grub/emu/misc.h
++++ b/include/grub/emu/misc.h
+@@ -47,6 +47,7 @@ grub_util_device_is_mapped (const char *dev);
+ #define GRUB_HOST_PRIuLONG_LONG "llu"
+ #define GRUB_HOST_PRIxLONG_LONG "llx"
+ 
++void * EXPORT_FUNC(xcalloc) (grub_size_t nmemb, grub_size_t size) WARN_UNUSED_RESULT;
+ void * EXPORT_FUNC(xmalloc) (grub_size_t size) WARN_UNUSED_RESULT;
+ void * EXPORT_FUNC(xrealloc) (void *ptr, grub_size_t size) WARN_UNUSED_RESULT;
+ char * EXPORT_FUNC(xstrdup) (const char *str) WARN_UNUSED_RESULT;
+diff --git a/include/grub/mm.h b/include/grub/mm.h
+index 28e2e53eb..9c38dd3ca 100644
+--- a/include/grub/mm.h
++++ b/include/grub/mm.h
+@@ -29,6 +29,7 @@
+ #endif
+ 
+ void grub_mm_init_region (void *addr, grub_size_t size);
++void *EXPORT_FUNC(grub_calloc) (grub_size_t nmemb, grub_size_t size);
+ void *EXPORT_FUNC(grub_malloc) (grub_size_t size);
+ void *EXPORT_FUNC(grub_zalloc) (grub_size_t size);
+ void EXPORT_FUNC(grub_free) (void *ptr);
+@@ -48,6 +49,9 @@ extern int EXPORT_VAR(grub_mm_debug);
+ void grub_mm_dump_free (void);
+ void grub_mm_dump (unsigned lineno);
+ 
++#define grub_calloc(nmemb, size)	\
++  grub_debug_calloc (GRUB_FILE, __LINE__, nmemb, size)
++
+ #define grub_malloc(size)	\
+   grub_debug_malloc (GRUB_FILE, __LINE__, size)
+ 
+@@ -63,6 +67,8 @@ void grub_mm_dump (unsigned lineno);
+ #define grub_free(ptr)	\
+   grub_debug_free (GRUB_FILE, __LINE__, ptr)
+ 
++void *EXPORT_FUNC(grub_debug_calloc) (const char *file, int line,
++				      grub_size_t nmemb, grub_size_t size);
+ void *EXPORT_FUNC(grub_debug_malloc) (const char *file, int line,
+ 				      grub_size_t size);
+ void *EXPORT_FUNC(grub_debug_zalloc) (const char *file, int line,
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0005-calloc-Use-calloc-at-most-places.patch b/buildroot/boot/grub2/0005-calloc-Use-calloc-at-most-places.patch
new file mode 100644
index 000000000..096c2dfc4
--- /dev/null
+++ b/buildroot/boot/grub2/0005-calloc-Use-calloc-at-most-places.patch
@@ -0,0 +1,1840 @@
+From 8185711241d73931269f402bb6799f7e2c58f04b Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 15 Jun 2020 12:26:01 -0400
+Subject: [PATCH] calloc: Use calloc() at most places
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This modifies most of the places we do some form of:
+
+  X = malloc(Y * Z);
+
+to use calloc(Y, Z) instead.
+
+Among other issues, this fixes:
+  - allocation of integer overflow in grub_png_decode_image_header()
+    reported by Chris Coulson,
+  - allocation of integer overflow in luks_recover_key()
+    reported by Chris Coulson,
+  - allocation of integer overflow in grub_lvm_detect()
+    reported by Chris Coulson.
+
+Fixes: CVE-2020-14308
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/bus/usb/usbhub.c                |  8 ++++----
+ grub-core/commands/efi/lsefisystab.c      |  3 ++-
+ grub-core/commands/legacycfg.c            |  6 +++---
+ grub-core/commands/menuentry.c            |  2 +-
+ grub-core/commands/nativedisk.c           |  2 +-
+ grub-core/commands/parttool.c             | 12 +++++++++---
+ grub-core/commands/regexp.c               |  2 +-
+ grub-core/commands/search_wrap.c          |  2 +-
+ grub-core/disk/diskfilter.c               |  4 ++--
+ grub-core/disk/ieee1275/ofdisk.c          |  2 +-
+ grub-core/disk/ldm.c                      | 14 +++++++-------
+ grub-core/disk/luks.c                     |  2 +-
+ grub-core/disk/lvm.c                      |  8 ++++----
+ grub-core/disk/xen/xendisk.c              |  2 +-
+ grub-core/efiemu/loadcore.c               |  2 +-
+ grub-core/efiemu/mm.c                     |  6 +++---
+ grub-core/font/font.c                     |  3 +--
+ grub-core/fs/affs.c                       |  6 +++---
+ grub-core/fs/btrfs.c                      |  6 +++---
+ grub-core/fs/hfs.c                        |  2 +-
+ grub-core/fs/hfsplus.c                    |  6 +++---
+ grub-core/fs/iso9660.c                    |  2 +-
+ grub-core/fs/ntfs.c                       |  4 ++--
+ grub-core/fs/sfs.c                        |  2 +-
+ grub-core/fs/tar.c                        |  2 +-
+ grub-core/fs/udf.c                        |  4 ++--
+ grub-core/fs/zfs/zfs.c                    |  4 ++--
+ grub-core/gfxmenu/gui_string_util.c       |  2 +-
+ grub-core/gfxmenu/widget-box.c            |  4 ++--
+ grub-core/io/gzio.c                       |  2 +-
+ grub-core/kern/efi/efi.c                  |  6 +++---
+ grub-core/kern/emu/hostdisk.c             |  2 +-
+ grub-core/kern/fs.c                       |  2 +-
+ grub-core/kern/misc.c                     |  2 +-
+ grub-core/kern/parser.c                   |  2 +-
+ grub-core/kern/uboot/uboot.c              |  2 +-
+ grub-core/lib/libgcrypt/cipher/ac.c       |  8 ++++----
+ grub-core/lib/libgcrypt/cipher/primegen.c |  4 ++--
+ grub-core/lib/libgcrypt/cipher/pubkey.c   |  4 ++--
+ grub-core/lib/priority_queue.c            |  2 +-
+ grub-core/lib/reed_solomon.c              |  7 +++----
+ grub-core/lib/relocator.c                 | 10 +++++-----
+ grub-core/lib/zstd/fse_decompress.c       |  2 +-
+ grub-core/loader/arm/linux.c              |  2 +-
+ grub-core/loader/efi/chainloader.c        |  2 +-
+ grub-core/loader/i386/bsdXX.c             |  2 +-
+ grub-core/loader/i386/xnu.c               |  4 ++--
+ grub-core/loader/macho.c                  |  2 +-
+ grub-core/loader/multiboot_elfxx.c        |  2 +-
+ grub-core/loader/xnu.c                    |  2 +-
+ grub-core/mmap/mmap.c                     |  4 ++--
+ grub-core/net/bootp.c                     |  2 +-
+ grub-core/net/dns.c                       | 10 +++++-----
+ grub-core/net/net.c                       |  4 ++--
+ grub-core/normal/charset.c                | 10 +++++-----
+ grub-core/normal/cmdline.c                | 14 +++++++-------
+ grub-core/normal/menu_entry.c             | 14 +++++++-------
+ grub-core/normal/menu_text.c              |  4 ++--
+ grub-core/normal/term.c                   |  4 ++--
+ grub-core/osdep/linux/getroot.c           |  6 +++---
+ grub-core/osdep/unix/config.c             |  2 +-
+ grub-core/osdep/windows/getroot.c         |  2 +-
+ grub-core/osdep/windows/hostdisk.c        |  4 ++--
+ grub-core/osdep/windows/init.c            |  2 +-
+ grub-core/osdep/windows/platform.c        |  4 ++--
+ grub-core/osdep/windows/relpath.c         |  2 +-
+ grub-core/partmap/gpt.c                   |  2 +-
+ grub-core/partmap/msdos.c                 |  2 +-
+ grub-core/script/execute.c                |  2 +-
+ grub-core/tests/fake_input.c              |  2 +-
+ grub-core/tests/video_checksum.c          |  6 +++---
+ grub-core/video/capture.c                 |  2 +-
+ grub-core/video/emu/sdl.c                 |  2 +-
+ grub-core/video/i386/pc/vga.c             |  2 +-
+ grub-core/video/readers/png.c             |  2 +-
+ include/grub/unicode.h                    |  4 ++--
+ util/getroot.c                            |  2 +-
+ util/grub-file.c                          |  2 +-
+ util/grub-fstest.c                        |  4 ++--
+ util/grub-install-common.c                |  2 +-
+ util/grub-install.c                       |  4 ++--
+ util/grub-mkimagexx.c                     |  6 ++----
+ util/grub-mkrescue.c                      |  4 ++--
+ util/grub-mkstandalone.c                  |  2 +-
+ util/grub-pe2elf.c                        | 12 +++++-------
+ util/grub-probe.c                         |  4 ++--
+ 86 files changed, 176 insertions(+), 175 deletions(-)
+
+diff --git a/grub-core/bus/usb/usbhub.c b/grub-core/bus/usb/usbhub.c
+index 34a7ff1b5..a06cce302 100644
+--- a/grub-core/bus/usb/usbhub.c
++++ b/grub-core/bus/usb/usbhub.c
+@@ -149,8 +149,8 @@ grub_usb_add_hub (grub_usb_device_t dev)
+   grub_usb_set_configuration (dev, 1);
+ 
+   dev->nports = hubdesc.portcnt;
+-  dev->children = grub_zalloc (hubdesc.portcnt * sizeof (dev->children[0]));
+-  dev->ports = grub_zalloc (dev->nports * sizeof (dev->ports[0]));
++  dev->children = grub_calloc (hubdesc.portcnt, sizeof (dev->children[0]));
++  dev->ports = grub_calloc (dev->nports, sizeof (dev->ports[0]));
+   if (!dev->children || !dev->ports)
+     {
+       grub_free (dev->children);
+@@ -268,8 +268,8 @@ grub_usb_controller_dev_register_iter (grub_usb_controller_t controller, void *d
+ 
+   /* Query the number of ports the root Hub has.  */
+   hub->nports = controller->dev->hubports (controller);
+-  hub->devices = grub_zalloc (sizeof (hub->devices[0]) * hub->nports);
+-  hub->ports = grub_zalloc (sizeof (hub->ports[0]) * hub->nports);
++  hub->devices = grub_calloc (hub->nports, sizeof (hub->devices[0]));
++  hub->ports = grub_calloc (hub->nports, sizeof (hub->ports[0]));
+   if (!hub->devices || !hub->ports)
+     {
+       grub_free (hub->devices);
+diff --git a/grub-core/commands/efi/lsefisystab.c b/grub-core/commands/efi/lsefisystab.c
+index df1030221..cd81507f5 100644
+--- a/grub-core/commands/efi/lsefisystab.c
++++ b/grub-core/commands/efi/lsefisystab.c
+@@ -71,7 +71,8 @@ grub_cmd_lsefisystab (struct grub_command *cmd __attribute__ ((unused)),
+     grub_printf ("Vendor: ");
+     
+     for (vendor_utf16 = st->firmware_vendor; *vendor_utf16; vendor_utf16++);
+-    vendor = grub_malloc (4 * (vendor_utf16 - st->firmware_vendor) + 1);
++    /* Allocate extra 3 bytes to simplify math. */
++    vendor = grub_calloc (4, vendor_utf16 - st->firmware_vendor + 1);
+     if (!vendor)
+       return grub_errno;
+     *grub_utf16_to_utf8 ((grub_uint8_t *) vendor, st->firmware_vendor,
+diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
+index db7a8f002..5e3ec0d5e 100644
+--- a/grub-core/commands/legacycfg.c
++++ b/grub-core/commands/legacycfg.c
+@@ -314,7 +314,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
+   if (argc < 2)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+ 
+-  cutargs = grub_malloc (sizeof (cutargs[0]) * (argc - 1));
++  cutargs = grub_calloc (argc - 1, sizeof (cutargs[0]));
+   if (!cutargs)
+     return grub_errno;
+   cutargc = argc - 1;
+@@ -436,7 +436,7 @@ grub_cmd_legacy_kernel (struct grub_command *mycmd __attribute__ ((unused)),
+ 	    {
+ 	      char rbuf[3] = "-r";
+ 	      bsdargc = cutargc + 2;
+-	      bsdargs = grub_malloc (sizeof (bsdargs[0]) * bsdargc);
++	      bsdargs = grub_calloc (bsdargc, sizeof (bsdargs[0]));
+ 	      if (!bsdargs)
+ 		{
+ 		  err = grub_errno;
+@@ -559,7 +559,7 @@ grub_cmd_legacy_initrdnounzip (struct grub_command *mycmd __attribute__ ((unused
+ 	return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("can't find command `%s'"),
+ 			   "module");
+ 
+-      newargs = grub_malloc ((argc + 1) * sizeof (newargs[0]));
++      newargs = grub_calloc (argc + 1, sizeof (newargs[0]));
+       if (!newargs)
+ 	return grub_errno;
+       grub_memcpy (newargs + 1, args, argc * sizeof (newargs[0]));
+diff --git a/grub-core/commands/menuentry.c b/grub-core/commands/menuentry.c
+index 2c5363da7..9164df744 100644
+--- a/grub-core/commands/menuentry.c
++++ b/grub-core/commands/menuentry.c
+@@ -154,7 +154,7 @@ grub_normal_add_menu_entry (int argc, const char **args,
+     goto fail;
+ 
+   /* Save argc, args to pass as parameters to block arg later. */
+-  menu_args = grub_malloc (sizeof (char*) * (argc + 1));
++  menu_args = grub_calloc (argc + 1, sizeof (char *));
+   if (! menu_args)
+     goto fail;
+ 
+diff --git a/grub-core/commands/nativedisk.c b/grub-core/commands/nativedisk.c
+index 699447d11..7c8f97f6a 100644
+--- a/grub-core/commands/nativedisk.c
++++ b/grub-core/commands/nativedisk.c
+@@ -195,7 +195,7 @@ grub_cmd_nativedisk (grub_command_t cmd __attribute__ ((unused)),
+   else
+     path_prefix = prefix;
+ 
+-  mods = grub_malloc (argc * sizeof (mods[0]));
++  mods = grub_calloc (argc, sizeof (mods[0]));
+   if (!mods)
+     return grub_errno;
+ 
+diff --git a/grub-core/commands/parttool.c b/grub-core/commands/parttool.c
+index 22b46b187..051e31320 100644
+--- a/grub-core/commands/parttool.c
++++ b/grub-core/commands/parttool.c
+@@ -59,7 +59,13 @@ grub_parttool_register(const char *part_name,
+   for (nargs = 0; args[nargs].name != 0; nargs++);
+   cur->nargs = nargs;
+   cur->args = (struct grub_parttool_argdesc *)
+-    grub_malloc ((nargs + 1) * sizeof (struct grub_parttool_argdesc));
++    grub_calloc (nargs + 1, sizeof (struct grub_parttool_argdesc));
++  if (!cur->args)
++    {
++      grub_free (cur);
++      curhandle--;
++      return -1;
++    }
+   grub_memcpy (cur->args, args,
+ 	       (nargs + 1) * sizeof (struct grub_parttool_argdesc));
+ 
+@@ -257,7 +263,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
+ 	return err;
+       }
+ 
+-  parsed = (int *) grub_zalloc (argc * sizeof (int));
++  parsed = (int *) grub_calloc (argc, sizeof (int));
+ 
+   for (i = 1; i < argc; i++)
+     if (! parsed[i])
+@@ -290,7 +296,7 @@ grub_cmd_parttool (grub_command_t cmd __attribute__ ((unused)),
+ 	  }
+ 	ptool = cur;
+ 	pargs = (struct grub_parttool_args *)
+-	  grub_zalloc (ptool->nargs * sizeof (struct grub_parttool_args));
++	  grub_calloc (ptool->nargs, sizeof (struct grub_parttool_args));
+ 	for (j = i; j < argc; j++)
+ 	  if (! parsed[j])
+ 	    {
+diff --git a/grub-core/commands/regexp.c b/grub-core/commands/regexp.c
+index f00b184c8..4019164f3 100644
+--- a/grub-core/commands/regexp.c
++++ b/grub-core/commands/regexp.c
+@@ -116,7 +116,7 @@ grub_cmd_regexp (grub_extcmd_context_t ctxt, int argc, char **args)
+   if (ret)
+     goto fail;
+ 
+-  matches = grub_zalloc (sizeof (*matches) * (regex.re_nsub + 1));
++  matches = grub_calloc (regex.re_nsub + 1, sizeof (*matches));
+   if (! matches)
+     goto fail;
+ 
+diff --git a/grub-core/commands/search_wrap.c b/grub-core/commands/search_wrap.c
+index d7fd26b94..47fc8eb99 100644
+--- a/grub-core/commands/search_wrap.c
++++ b/grub-core/commands/search_wrap.c
+@@ -122,7 +122,7 @@ grub_cmd_search (grub_extcmd_context_t ctxt, int argc, char **args)
+     for (i = 0; state[SEARCH_HINT_BAREMETAL].args[i]; i++)
+       nhints++;
+ 
+-  hints = grub_malloc (sizeof (hints[0]) * nhints);
++  hints = grub_calloc (nhints, sizeof (hints[0]));
+   if (!hints)
+     return grub_errno;
+   j = 0;
+diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
+index c3b578acf..68ca9e0be 100644
+--- a/grub-core/disk/diskfilter.c
++++ b/grub-core/disk/diskfilter.c
+@@ -1134,7 +1134,7 @@ grub_diskfilter_make_raid (grub_size_t uuidlen, char *uuid, int nmemb,
+   array->lvs->segments->node_count = nmemb;
+   array->lvs->segments->raid_member_size = disk_size;
+   array->lvs->segments->nodes
+-    = grub_zalloc (nmemb * sizeof (array->lvs->segments->nodes[0]));
++    = grub_calloc (nmemb, sizeof (array->lvs->segments->nodes[0]));
+   array->lvs->segments->stripe_size = stripe_size;
+   for (i = 0; i < nmemb; i++)
+     {
+@@ -1226,7 +1226,7 @@ insert_array (grub_disk_t disk, const struct grub_diskfilter_pv_id *id,
+ 	  grub_partition_t p;
+ 	  for (p = disk->partition; p; p = p->parent)
+ 	    s++;
+-	  pv->partmaps = xmalloc (s * sizeof (pv->partmaps[0]));
++	  pv->partmaps = xcalloc (s, sizeof (pv->partmaps[0]));
+ 	  s = 0;
+ 	  for (p = disk->partition; p; p = p->parent)
+ 	    pv->partmaps[s++] = xstrdup (p->partmap->name);
+diff --git a/grub-core/disk/ieee1275/ofdisk.c b/grub-core/disk/ieee1275/ofdisk.c
+index f73257e66..03674cb47 100644
+--- a/grub-core/disk/ieee1275/ofdisk.c
++++ b/grub-core/disk/ieee1275/ofdisk.c
+@@ -297,7 +297,7 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)
+       /* Power machines documentation specify 672 as maximum SAS disks in
+          one system. Using a slightly larger value to be safe. */
+       table_size = 768;
+-      table = grub_malloc (table_size * sizeof (grub_uint64_t));
++      table = grub_calloc (table_size, sizeof (grub_uint64_t));
+ 
+       if (!table)
+         {
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index 2a22d2d6c..e6323701a 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -323,8 +323,8 @@ make_vg (grub_disk_t disk,
+ 	  lv->segments->type = GRUB_DISKFILTER_MIRROR;
+ 	  lv->segments->node_count = 0;
+ 	  lv->segments->node_alloc = 8;
+-	  lv->segments->nodes = grub_zalloc (sizeof (*lv->segments->nodes)
+-					     * lv->segments->node_alloc);
++	  lv->segments->nodes = grub_calloc (lv->segments->node_alloc,
++					     sizeof (*lv->segments->nodes));
+ 	  if (!lv->segments->nodes)
+ 	    goto fail2;
+ 	  ptr = vblk[i].dynamic;
+@@ -543,8 +543,8 @@ make_vg (grub_disk_t disk,
+ 	    {
+ 	      comp->segment_alloc = 8;
+ 	      comp->segment_count = 0;
+-	      comp->segments = grub_malloc (sizeof (*comp->segments)
+-					    * comp->segment_alloc);
++	      comp->segments = grub_calloc (comp->segment_alloc,
++					    sizeof (*comp->segments));
+ 	      if (!comp->segments)
+ 		goto fail2;
+ 	    }
+@@ -590,8 +590,8 @@ make_vg (grub_disk_t disk,
+ 		}
+ 	      comp->segments->node_count = read_int (ptr + 1, *ptr);
+ 	      comp->segments->node_alloc = comp->segments->node_count;
+-	      comp->segments->nodes = grub_zalloc (sizeof (*comp->segments->nodes)
+-						   * comp->segments->node_alloc);
++	      comp->segments->nodes = grub_calloc (comp->segments->node_alloc,
++						   sizeof (*comp->segments->nodes));
+ 	      if (!lv->segments->nodes)
+ 		goto fail2;
+ 	    }
+@@ -1017,7 +1017,7 @@ grub_util_ldm_embed (struct grub_disk *disk, unsigned int *nsectors,
+       *nsectors = lv->size;
+       if (*nsectors > max_nsectors)
+ 	*nsectors = max_nsectors;
+-      *sectors = grub_malloc (*nsectors * sizeof (**sectors));
++      *sectors = grub_calloc (*nsectors, sizeof (**sectors));
+       if (!*sectors)
+ 	return grub_errno;
+       for (i = 0; i < *nsectors; i++)
+diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
+index 86c50c612..18b3a8bb1 100644
+--- a/grub-core/disk/luks.c
++++ b/grub-core/disk/luks.c
+@@ -336,7 +336,7 @@ luks_recover_key (grub_disk_t source,
+ 	&& grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
+       max_stripes = grub_be_to_cpu32 (header.keyblock[i].stripes);
+ 
+-  split_key = grub_malloc (keysize * max_stripes);
++  split_key = grub_calloc (keysize, max_stripes);
+   if (!split_key)
+     return grub_errno;
+ 
+diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
+index 7b265c780..d1df640b3 100644
+--- a/grub-core/disk/lvm.c
++++ b/grub-core/disk/lvm.c
+@@ -173,7 +173,7 @@ grub_lvm_detect (grub_disk_t disk,
+      first one.  */
+ 
+   /* Allocate buffer space for the circular worst-case scenario. */
+-  metadatabuf = grub_malloc (2 * mda_size);
++  metadatabuf = grub_calloc (2, mda_size);
+   if (! metadatabuf)
+     goto fail;
+ 
+@@ -426,7 +426,7 @@ grub_lvm_detect (grub_disk_t disk,
+ #endif
+ 		  goto lvs_fail;
+ 		}
+-	      lv->segments = grub_zalloc (sizeof (*seg) * lv->segment_count);
++	      lv->segments = grub_calloc (lv->segment_count, sizeof (*seg));
+ 	      seg = lv->segments;
+ 
+ 	      for (i = 0; i < lv->segment_count; i++)
+@@ -483,8 +483,8 @@ grub_lvm_detect (grub_disk_t disk,
+ 		      if (seg->node_count != 1)
+ 			seg->stripe_size = grub_lvm_getvalue (&p, "stripe_size = ");
+ 
+-		      seg->nodes = grub_zalloc (sizeof (*stripe)
+-						* seg->node_count);
++		      seg->nodes = grub_calloc (seg->node_count,
++						sizeof (*stripe));
+ 		      stripe = seg->nodes;
+ 
+ 		      p = grub_strstr (p, "stripes = [");
+diff --git a/grub-core/disk/xen/xendisk.c b/grub-core/disk/xen/xendisk.c
+index 48476cbbf..d6612eebd 100644
+--- a/grub-core/disk/xen/xendisk.c
++++ b/grub-core/disk/xen/xendisk.c
+@@ -426,7 +426,7 @@ grub_xendisk_init (void)
+   if (!ctr)
+     return;
+ 
+-  virtdisks = grub_malloc (ctr * sizeof (virtdisks[0]));
++  virtdisks = grub_calloc (ctr, sizeof (virtdisks[0]));
+   if (!virtdisks)
+     return;
+   if (grub_xenstore_dir ("device/vbd", fill, &ctr))
+diff --git a/grub-core/efiemu/loadcore.c b/grub-core/efiemu/loadcore.c
+index 44085ef81..2b924623f 100644
+--- a/grub-core/efiemu/loadcore.c
++++ b/grub-core/efiemu/loadcore.c
+@@ -201,7 +201,7 @@ grub_efiemu_count_symbols (const Elf_Ehdr *e)
+ 
+   grub_efiemu_nelfsyms = (unsigned) s->sh_size / (unsigned) s->sh_entsize;
+   grub_efiemu_elfsyms = (struct grub_efiemu_elf_sym *)
+-    grub_malloc (sizeof (struct grub_efiemu_elf_sym) * grub_efiemu_nelfsyms);
++    grub_calloc (grub_efiemu_nelfsyms, sizeof (struct grub_efiemu_elf_sym));
+ 
+   /* Relocators */
+   for (i = 0, s = (Elf_Shdr *) ((char *) e + e->e_shoff);
+diff --git a/grub-core/efiemu/mm.c b/grub-core/efiemu/mm.c
+index 52a032f7b..9b8e0d0ad 100644
+--- a/grub-core/efiemu/mm.c
++++ b/grub-core/efiemu/mm.c
+@@ -554,11 +554,11 @@ grub_efiemu_mmap_sort_and_uniq (void)
+   /* Initialize variables*/
+   grub_memset (present, 0, sizeof (int) * GRUB_EFI_MAX_MEMORY_TYPE);
+   scanline_events = (struct grub_efiemu_mmap_scan *)
+-    grub_malloc (sizeof (struct grub_efiemu_mmap_scan) * 2 * mmap_num);
++    grub_calloc (mmap_num, sizeof (struct grub_efiemu_mmap_scan) * 2);
+ 
+   /* Number of chunks can't increase more than by factor of 2 */
+   result = (grub_efi_memory_descriptor_t *)
+-    grub_malloc (sizeof (grub_efi_memory_descriptor_t) * 2 * mmap_num);
++    grub_calloc (mmap_num, sizeof (grub_efi_memory_descriptor_t) * 2);
+   if (!result || !scanline_events)
+     {
+       grub_free (result);
+@@ -660,7 +660,7 @@ grub_efiemu_mm_do_alloc (void)
+ 
+   /* Preallocate mmap */
+   efiemu_mmap = (grub_efi_memory_descriptor_t *)
+-    grub_malloc (mmap_reserved_size * sizeof (grub_efi_memory_descriptor_t));
++    grub_calloc (mmap_reserved_size, sizeof (grub_efi_memory_descriptor_t));
+   if (!efiemu_mmap)
+     {
+       grub_efiemu_unload ();
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 85a292557..8e118b315 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -293,8 +293,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct
+   font->num_chars = sect_length / FONT_CHAR_INDEX_ENTRY_SIZE;
+ 
+   /* Allocate the character index array.  */
+-  font->char_index = grub_malloc (font->num_chars
+-				  * sizeof (struct char_index_entry));
++  font->char_index = grub_calloc (font->num_chars, sizeof (struct char_index_entry));
+   if (!font->char_index)
+     return 1;
+   font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t));
+diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
+index 6b6a2bc91..220b3712f 100644
+--- a/grub-core/fs/affs.c
++++ b/grub-core/fs/affs.c
+@@ -301,7 +301,7 @@ grub_affs_read_symlink (grub_fshelp_node_t node)
+       return 0;
+     }
+   latin1[symlink_size] = 0;
+-  utf8 = grub_malloc (symlink_size * GRUB_MAX_UTF8_PER_LATIN1 + 1);
++  utf8 = grub_calloc (GRUB_MAX_UTF8_PER_LATIN1 + 1, symlink_size);
+   if (!utf8)
+     {
+       grub_free (latin1);
+@@ -422,7 +422,7 @@ grub_affs_iterate_dir (grub_fshelp_node_t dir,
+ 	return 1;
+     }
+ 
+-  hashtable = grub_zalloc (data->htsize * sizeof (*hashtable));
++  hashtable = grub_calloc (data->htsize, sizeof (*hashtable));
+   if (!hashtable)
+     return 1;
+ 
+@@ -628,7 +628,7 @@ grub_affs_label (grub_device_t device, char **label)
+       len = file.namelen;
+       if (len > sizeof (file.name))
+ 	len = sizeof (file.name);
+-      *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
++      *label = grub_calloc (GRUB_MAX_UTF8_PER_LATIN1 + 1, len);
+       if (*label)
+ 	*grub_latin1_to_utf8 ((grub_uint8_t *) *label, file.name, len) = '\0';
+     }
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 48bd3d04a..11272efc1 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -413,7 +413,7 @@ lower_bound (struct grub_btrfs_data *data,
+     {
+       desc->allocated = 16;
+       desc->depth = 0;
+-      desc->data = grub_malloc (sizeof (desc->data[0]) * desc->allocated);
++      desc->data = grub_calloc (desc->allocated, sizeof (desc->data[0]));
+       if (!desc->data)
+ 	return grub_errno;
+     }
+@@ -752,7 +752,7 @@ raid56_read_retry (struct grub_btrfs_data *data,
+   grub_err_t ret = GRUB_ERR_OUT_OF_MEMORY;
+   grub_uint64_t i, failed_devices;
+ 
+-  buffers = grub_zalloc (sizeof(*buffers) * nstripes);
++  buffers = grub_calloc (nstripes, sizeof (*buffers));
+   if (!buffers)
+     goto cleanup;
+ 
+@@ -2160,7 +2160,7 @@ grub_btrfs_embed (grub_device_t device __attribute__ ((unused)),
+   *nsectors = 64 * 2 - 1;
+   if (*nsectors > max_nsectors)
+     *nsectors = max_nsectors;
+-  *sectors = grub_malloc (*nsectors * sizeof (**sectors));
++  *sectors = grub_calloc (*nsectors, sizeof (**sectors));
+   if (!*sectors)
+     return grub_errno;
+   for (i = 0; i < *nsectors; i++)
+diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c
+index ac0a40990..3fe842b4d 100644
+--- a/grub-core/fs/hfs.c
++++ b/grub-core/fs/hfs.c
+@@ -1360,7 +1360,7 @@ grub_hfs_label (grub_device_t device, char **label)
+       grub_size_t len = data->sblock.volname[0];
+       if (len > sizeof (data->sblock.volname) - 1)
+ 	len = sizeof (data->sblock.volname) - 1;
+-      *label = grub_malloc (len * MAX_UTF8_PER_MAC_ROMAN + 1);
++      *label = grub_calloc (MAX_UTF8_PER_MAC_ROMAN + 1, len);
+       if (*label)
+ 	macroman_to_utf8 (*label, data->sblock.volname + 1,
+ 			  len + 1, 0);
+diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
+index 54786bb1c..dae43becc 100644
+--- a/grub-core/fs/hfsplus.c
++++ b/grub-core/fs/hfsplus.c
+@@ -720,7 +720,7 @@ list_nodes (void *record, void *hook_arg)
+   if (! filename)
+     return 0;
+ 
+-  keyname = grub_malloc (grub_be_to_cpu16 (catkey->namelen) * sizeof (*keyname));
++  keyname = grub_calloc (grub_be_to_cpu16 (catkey->namelen), sizeof (*keyname));
+   if (!keyname)
+     {
+       grub_free (filename);
+@@ -1007,7 +1007,7 @@ grub_hfsplus_label (grub_device_t device, char **label)
+     grub_hfsplus_btree_recptr (&data->catalog_tree, node, ptr);
+ 
+   label_len = grub_be_to_cpu16 (catkey->namelen);
+-  label_name = grub_malloc (label_len * sizeof (*label_name));
++  label_name = grub_calloc (label_len, sizeof (*label_name));
+   if (!label_name)
+     {
+       grub_free (node);
+@@ -1029,7 +1029,7 @@ grub_hfsplus_label (grub_device_t device, char **label)
+ 	}
+     }
+ 
+-  *label = grub_malloc (label_len * GRUB_MAX_UTF8_PER_UTF16 + 1);
++  *label = grub_calloc (label_len, GRUB_MAX_UTF8_PER_UTF16 + 1);
+   if (! *label)
+     {
+       grub_free (label_name);
+diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
+index 49c0c632b..4f1b52a55 100644
+--- a/grub-core/fs/iso9660.c
++++ b/grub-core/fs/iso9660.c
+@@ -331,7 +331,7 @@ grub_iso9660_convert_string (grub_uint8_t *us, int len)
+   int i;
+   grub_uint16_t t[MAX_NAMELEN / 2 + 1];
+ 
+-  p = grub_malloc (len * GRUB_MAX_UTF8_PER_UTF16 + 1);
++  p = grub_calloc (len, GRUB_MAX_UTF8_PER_UTF16 + 1);
+   if (! p)
+     return NULL;
+ 
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index fc4e1f678..2f34f76da 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -556,8 +556,8 @@ get_utf8 (grub_uint8_t *in, grub_size_t len)
+   grub_uint16_t *tmp;
+   grub_size_t i;
+ 
+-  buf = grub_malloc (len * GRUB_MAX_UTF8_PER_UTF16 + 1);
+-  tmp = grub_malloc (len * sizeof (tmp[0]));
++  buf = grub_calloc (len, GRUB_MAX_UTF8_PER_UTF16 + 1);
++  tmp = grub_calloc (len, sizeof (tmp[0]));
+   if (!buf || !tmp)
+     {
+       grub_free (buf);
+diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
+index 50c1fe72f..90f7fb379 100644
+--- a/grub-core/fs/sfs.c
++++ b/grub-core/fs/sfs.c
+@@ -266,7 +266,7 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
+       node->next_extent = node->block;
+       node->cache_size = 0;
+ 
+-      node->cache = grub_malloc (sizeof (node->cache[0]) * cache_size);
++      node->cache = grub_calloc (cache_size, sizeof (node->cache[0]));
+       if (!node->cache)
+ 	{
+ 	  grub_errno = 0;
+diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c
+index 7d63e0c99..c551ed6b5 100644
+--- a/grub-core/fs/tar.c
++++ b/grub-core/fs/tar.c
+@@ -120,7 +120,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+ 	  if (data->linkname_alloc < linksize + 1)
+ 	    {
+ 	      char *n;
+-	      n = grub_malloc (2 * (linksize + 1));
++	      n = grub_calloc (2, linksize + 1);
+ 	      if (!n)
+ 		return grub_errno;
+ 	      grub_free (data->linkname);
+diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
+index dc8b6e2d1..a83761674 100644
+--- a/grub-core/fs/udf.c
++++ b/grub-core/fs/udf.c
+@@ -873,7 +873,7 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
+     {
+       unsigned i;
+       utf16len = sz - 1;
+-      utf16 = grub_malloc (utf16len * sizeof (utf16[0]));
++      utf16 = grub_calloc (utf16len, sizeof (utf16[0]));
+       if (!utf16)
+ 	return NULL;
+       for (i = 0; i < utf16len; i++)
+@@ -883,7 +883,7 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
+     {
+       unsigned i;
+       utf16len = (sz - 1) / 2;
+-      utf16 = grub_malloc (utf16len * sizeof (utf16[0]));
++      utf16 = grub_calloc (utf16len, sizeof (utf16[0]));
+       if (!utf16)
+ 	return NULL;
+       for (i = 0; i < utf16len; i++)
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 2f72e42bf..381dde556 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -3325,7 +3325,7 @@ dnode_get_fullpath (const char *fullpath, struct subvolume *subvol,
+ 	}
+       subvol->nkeys = 0;
+       zap_iterate (&keychain_dn, 8, count_zap_keys, &ctx, data);
+-      subvol->keyring = grub_zalloc (subvol->nkeys * sizeof (subvol->keyring[0]));
++      subvol->keyring = grub_calloc (subvol->nkeys, sizeof (subvol->keyring[0]));
+       if (!subvol->keyring)
+ 	{
+ 	  grub_free (fsname);
+@@ -4336,7 +4336,7 @@ grub_zfs_embed (grub_device_t device __attribute__ ((unused)),
+   *nsectors = (VDEV_BOOT_SIZE >> GRUB_DISK_SECTOR_BITS);
+   if (*nsectors > max_nsectors)
+     *nsectors = max_nsectors;
+-  *sectors = grub_malloc (*nsectors * sizeof (**sectors));
++  *sectors = grub_calloc (*nsectors, sizeof (**sectors));
+   if (!*sectors)
+     return grub_errno;
+   for (i = 0; i < *nsectors; i++)
+diff --git a/grub-core/gfxmenu/gui_string_util.c b/grub-core/gfxmenu/gui_string_util.c
+index a9a415e31..ba1e1eab3 100644
+--- a/grub-core/gfxmenu/gui_string_util.c
++++ b/grub-core/gfxmenu/gui_string_util.c
+@@ -55,7 +55,7 @@ canonicalize_path (const char *path)
+     if (*p == '/')
+       components++;
+ 
+-  char **path_array = grub_malloc (components * sizeof (*path_array));
++  char **path_array = grub_calloc (components, sizeof (*path_array));
+   if (! path_array)
+     return 0;
+ 
+diff --git a/grub-core/gfxmenu/widget-box.c b/grub-core/gfxmenu/widget-box.c
+index b60602889..470597ded 100644
+--- a/grub-core/gfxmenu/widget-box.c
++++ b/grub-core/gfxmenu/widget-box.c
+@@ -303,10 +303,10 @@ grub_gfxmenu_create_box (const char *pixmaps_prefix,
+   box->content_height = 0;
+   box->raw_pixmaps =
+     (struct grub_video_bitmap **)
+-    grub_malloc (BOX_NUM_PIXMAPS * sizeof (struct grub_video_bitmap *));
++    grub_calloc (BOX_NUM_PIXMAPS, sizeof (struct grub_video_bitmap *));
+   box->scaled_pixmaps =
+     (struct grub_video_bitmap **)
+-    grub_malloc (BOX_NUM_PIXMAPS * sizeof (struct grub_video_bitmap *));
++    grub_calloc (BOX_NUM_PIXMAPS, sizeof (struct grub_video_bitmap *));
+ 
+   /* Initialize all pixmap pointers to NULL so that proper destruction can
+      be performed if an error is encountered partway through construction.  */
+diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
+index 6208a9763..43d98a7bd 100644
+--- a/grub-core/io/gzio.c
++++ b/grub-core/io/gzio.c
+@@ -554,7 +554,7 @@ huft_build (unsigned *b,	/* code lengths in bits (all assumed <= BMAX) */
+ 	      z = 1 << j;	/* table entries for j-bit table */
+ 
+ 	      /* allocate and link in new table */
+-	      q = (struct huft *) grub_zalloc ((z + 1) * sizeof (struct huft));
++	      q = (struct huft *) grub_calloc (z + 1, sizeof (struct huft));
+ 	      if (! q)
+ 		{
+ 		  if (h)
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index 6e1ceb905..dc31caa21 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -202,7 +202,7 @@ grub_efi_set_variable(const char *var, const grub_efi_guid_t *guid,
+ 
+   len = grub_strlen (var);
+   len16 = len * GRUB_MAX_UTF16_PER_UTF8;
+-  var16 = grub_malloc ((len16 + 1) * sizeof (var16[0]));
++  var16 = grub_calloc (len16 + 1, sizeof (var16[0]));
+   if (!var16)
+     return grub_errno;
+   len16 = grub_utf8_to_utf16 (var16, len16, (grub_uint8_t *) var, len, NULL);
+@@ -237,7 +237,7 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
+ 
+   len = grub_strlen (var);
+   len16 = len * GRUB_MAX_UTF16_PER_UTF8;
+-  var16 = grub_malloc ((len16 + 1) * sizeof (var16[0]));
++  var16 = grub_calloc (len16 + 1, sizeof (var16[0]));
+   if (!var16)
+     return NULL;
+   len16 = grub_utf8_to_utf16 (var16, len16, (grub_uint8_t *) var, len, NULL);
+@@ -383,7 +383,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+ 	  while (len > 0 && fp->path_name[len - 1] == 0)
+ 	    len--;
+ 
+-	  dup_name = grub_malloc (len * sizeof (*dup_name));
++	  dup_name = grub_calloc (len, sizeof (*dup_name));
+ 	  if (!dup_name)
+ 	    {
+ 	      grub_free (name);
+diff --git a/grub-core/kern/emu/hostdisk.c b/grub-core/kern/emu/hostdisk.c
+index e9ec680cd..d975265b2 100644
+--- a/grub-core/kern/emu/hostdisk.c
++++ b/grub-core/kern/emu/hostdisk.c
+@@ -615,7 +615,7 @@ static char *
+ grub_util_path_concat_real (size_t n, int ext, va_list ap)
+ {
+   size_t totlen = 0;
+-  char **l = xmalloc ((n + ext) * sizeof (l[0]));
++  char **l = xcalloc (n + ext, sizeof (l[0]));
+   char *r, *p, *pi;
+   size_t i;
+   int first = 1;
+diff --git a/grub-core/kern/fs.c b/grub-core/kern/fs.c
+index 2b85f4950..f90be6566 100644
+--- a/grub-core/kern/fs.c
++++ b/grub-core/kern/fs.c
+@@ -151,7 +151,7 @@ grub_fs_blocklist_open (grub_file_t file, const char *name)
+   while (p);
+ 
+   /* Allocate a block list.  */
+-  blocks = grub_zalloc (sizeof (struct grub_fs_block) * (num + 1));
++  blocks = grub_calloc (num + 1, sizeof (struct grub_fs_block));
+   if (! blocks)
+     return 0;
+ 
+diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
+index 3b633d51f..a7abd367a 100644
+--- a/grub-core/kern/misc.c
++++ b/grub-core/kern/misc.c
+@@ -690,7 +690,7 @@ parse_printf_args (const char *fmt0, struct printf_args *args,
+     args->ptr = args->prealloc;
+   else
+     {
+-      args->ptr = grub_malloc (args->count * sizeof (args->ptr[0]));
++      args->ptr = grub_calloc (args->count, sizeof (args->ptr[0]));
+       if (!args->ptr)
+ 	{
+ 	  grub_errno = GRUB_ERR_NONE;
+diff --git a/grub-core/kern/parser.c b/grub-core/kern/parser.c
+index 78175aac2..619db3122 100644
+--- a/grub-core/kern/parser.c
++++ b/grub-core/kern/parser.c
+@@ -213,7 +213,7 @@ grub_parser_split_cmdline (const char *cmdline,
+     return grub_errno;
+   grub_memcpy (args, buffer, bp - buffer);
+ 
+-  *argv = grub_malloc (sizeof (char *) * (*argc + 1));
++  *argv = grub_calloc (*argc + 1, sizeof (char *));
+   if (!*argv)
+     {
+       grub_free (args);
+diff --git a/grub-core/kern/uboot/uboot.c b/grub-core/kern/uboot/uboot.c
+index be4816fe6..aac8f9ae1 100644
+--- a/grub-core/kern/uboot/uboot.c
++++ b/grub-core/kern/uboot/uboot.c
+@@ -133,7 +133,7 @@ grub_uboot_dev_enum (void)
+     return num_devices;
+ 
+   max_devices = 2;
+-  enum_devices = grub_malloc (sizeof(struct device_info) * max_devices);
++  enum_devices = grub_calloc (max_devices, sizeof(struct device_info));
+   if (!enum_devices)
+     return 0;
+ 
+diff --git a/grub-core/lib/libgcrypt/cipher/ac.c b/grub-core/lib/libgcrypt/cipher/ac.c
+index f5e946a2d..63f6fcd11 100644
+--- a/grub-core/lib/libgcrypt/cipher/ac.c
++++ b/grub-core/lib/libgcrypt/cipher/ac.c
+@@ -185,7 +185,7 @@ ac_data_mpi_copy (gcry_ac_mpi_t *data_mpis, unsigned int data_mpis_n,
+   gcry_mpi_t mpi;
+   char *label;
+ 
+-  data_mpis_new = gcry_malloc (sizeof (*data_mpis_new) * data_mpis_n);
++  data_mpis_new = gcry_calloc (data_mpis_n, sizeof (*data_mpis_new));
+   if (! data_mpis_new)
+     {
+       err = gcry_error_from_errno (errno);
+@@ -572,7 +572,7 @@ _gcry_ac_data_to_sexp (gcry_ac_data_t data, gcry_sexp_t *sexp,
+     }
+ 
+   /* Add MPI list.  */
+-  arg_list = gcry_malloc (sizeof (*arg_list) * (data_n + 1));
++  arg_list = gcry_calloc (data_n + 1, sizeof (*arg_list));
+   if (! arg_list)
+     {
+       err = gcry_error_from_errno (errno);
+@@ -1283,7 +1283,7 @@ ac_data_construct (const char *identifier, int include_flags,
+   /* We build a list of arguments to pass to
+      gcry_sexp_build_array().  */
+   data_length = _gcry_ac_data_length (data);
+-  arg_list = gcry_malloc (sizeof (*arg_list) * (data_length * 2));
++  arg_list = gcry_calloc (data_length, sizeof (*arg_list) * 2);
+   if (! arg_list)
+     {
+       err = gcry_error_from_errno (errno);
+@@ -1593,7 +1593,7 @@ _gcry_ac_key_pair_generate (gcry_ac_handle_t handle, unsigned int nbits,
+ 	arg_list_n += 2;
+ 
+   /* Allocate list.  */
+-  arg_list = gcry_malloc (sizeof (*arg_list) * arg_list_n);
++  arg_list = gcry_calloc (arg_list_n, sizeof (*arg_list));
+   if (! arg_list)
+     {
+       err = gcry_error_from_errno (errno);
+diff --git a/grub-core/lib/libgcrypt/cipher/primegen.c b/grub-core/lib/libgcrypt/cipher/primegen.c
+index 2788e349f..b12e79b19 100644
+--- a/grub-core/lib/libgcrypt/cipher/primegen.c
++++ b/grub-core/lib/libgcrypt/cipher/primegen.c
+@@ -383,7 +383,7 @@ prime_generate_internal (int need_q_factor,
+     }
+ 
+   /* Allocate an array to track pool usage. */
+-  pool_in_use = gcry_malloc (n * sizeof *pool_in_use);
++  pool_in_use = gcry_calloc (n, sizeof *pool_in_use);
+   if (!pool_in_use)
+     {
+       err = gpg_err_code_from_errno (errno);
+@@ -765,7 +765,7 @@ gen_prime (unsigned int nbits, int secret, int randomlevel,
+   if (nbits < 16)
+     log_fatal ("can't generate a prime with less than %d bits\n", 16);
+ 
+-  mods = gcry_xmalloc( no_of_small_prime_numbers * sizeof *mods );
++  mods = gcry_xcalloc( no_of_small_prime_numbers, sizeof *mods);
+   /* Make nbits fit into gcry_mpi_t implementation. */
+   val_2  = mpi_alloc_set_ui( 2 );
+   val_3 = mpi_alloc_set_ui( 3);
+diff --git a/grub-core/lib/libgcrypt/cipher/pubkey.c b/grub-core/lib/libgcrypt/cipher/pubkey.c
+index 910982141..ca087ad75 100644
+--- a/grub-core/lib/libgcrypt/cipher/pubkey.c
++++ b/grub-core/lib/libgcrypt/cipher/pubkey.c
+@@ -2941,7 +2941,7 @@ gcry_pk_encrypt (gcry_sexp_t *r_ciph, gcry_sexp_t s_data, gcry_sexp_t s_pkey)
+        * array to a format string, so we have to do it this way :-(.  */
+       /* FIXME: There is now such a format specifier, so we can
+          change the code to be more clear. */
+-      arg_list = malloc (nelem * sizeof *arg_list);
++      arg_list = calloc (nelem, sizeof *arg_list);
+       if (!arg_list)
+         {
+           rc = gpg_err_code_from_syserror ();
+@@ -3233,7 +3233,7 @@ gcry_pk_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_hash, gcry_sexp_t s_skey)
+         }
+       strcpy (p, "))");
+ 
+-      arg_list = malloc (nelem * sizeof *arg_list);
++      arg_list = calloc (nelem, sizeof *arg_list);
+       if (!arg_list)
+         {
+           rc = gpg_err_code_from_syserror ();
+diff --git a/grub-core/lib/priority_queue.c b/grub-core/lib/priority_queue.c
+index 659be0b7f..7d5e7c05a 100644
+--- a/grub-core/lib/priority_queue.c
++++ b/grub-core/lib/priority_queue.c
+@@ -92,7 +92,7 @@ grub_priority_queue_new (grub_size_t elsize,
+ {
+   struct grub_priority_queue *ret;
+   void *els;
+-  els = grub_malloc (elsize * 8);
++  els = grub_calloc (8, elsize);
+   if (!els)
+     return 0;
+   ret = (struct grub_priority_queue *) grub_malloc (sizeof (*ret));
+diff --git a/grub-core/lib/reed_solomon.c b/grub-core/lib/reed_solomon.c
+index ee9fa7b4f..467305b46 100644
+--- a/grub-core/lib/reed_solomon.c
++++ b/grub-core/lib/reed_solomon.c
+@@ -20,6 +20,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
++#define xcalloc calloc
+ #define xmalloc malloc
+ #define grub_memset memset
+ #define grub_memcpy memcpy
+@@ -158,11 +159,9 @@ rs_encode (gf_single_t *data, grub_size_t s, grub_size_t rs)
+   gf_single_t *rs_polynomial;
+   int i, j;
+   gf_single_t *m;
+-  m = xmalloc ((s + rs) * sizeof (gf_single_t));
++  m = xcalloc (s + rs, sizeof (gf_single_t));
+   grub_memcpy (m, data, s * sizeof (gf_single_t));
+-  grub_memset (m + s, 0, rs * sizeof (gf_single_t));
+-  rs_polynomial = xmalloc ((rs + 1) * sizeof (gf_single_t));
+-  grub_memset (rs_polynomial, 0, (rs + 1) * sizeof (gf_single_t));
++  rs_polynomial = xcalloc (rs + 1, sizeof (gf_single_t));
+   rs_polynomial[rs] = 1;
+   /* Multiply with X - a^r */
+   for (j = 0; j < rs; j++)
+diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c
+index ea3ebc719..5847aac36 100644
+--- a/grub-core/lib/relocator.c
++++ b/grub-core/lib/relocator.c
+@@ -495,9 +495,9 @@ malloc_in_range (struct grub_relocator *rel,
+   }
+ #endif
+ 
+-  eventt = grub_malloc (maxevents * sizeof (events[0]));
++  eventt = grub_calloc (maxevents, sizeof (events[0]));
+   counter = grub_malloc ((DIGITSORT_MASK + 2) * sizeof (counter[0]));
+-  events = grub_malloc (maxevents * sizeof (events[0]));
++  events = grub_calloc (maxevents, sizeof (events[0]));
+   if (!events || !eventt || !counter)
+     {
+       grub_dprintf ("relocator", "events or counter allocation failed %d\n",
+@@ -963,7 +963,7 @@ malloc_in_range (struct grub_relocator *rel,
+ #endif
+     unsigned cural = 0;
+     int oom = 0;
+-    res->subchunks = grub_malloc (sizeof (res->subchunks[0]) * nallocs);
++    res->subchunks = grub_calloc (nallocs, sizeof (res->subchunks[0]));
+     if (!res->subchunks)
+       oom = 1;
+     res->nsubchunks = nallocs;
+@@ -1562,8 +1562,8 @@ grub_relocator_prepare_relocs (struct grub_relocator *rel, grub_addr_t addr,
+ 	    count[(chunk->src & 0xff) + 1]++;
+ 	  }
+     }
+-    from = grub_malloc (nchunks * sizeof (sorted[0]));
+-    to = grub_malloc (nchunks * sizeof (sorted[0]));
++    from = grub_calloc (nchunks, sizeof (sorted[0]));
++    to = grub_calloc (nchunks, sizeof (sorted[0]));
+     if (!from || !to)
+       {
+ 	grub_free (from);
+diff --git a/grub-core/lib/zstd/fse_decompress.c b/grub-core/lib/zstd/fse_decompress.c
+index 72bbead5b..2227b84bc 100644
+--- a/grub-core/lib/zstd/fse_decompress.c
++++ b/grub-core/lib/zstd/fse_decompress.c
+@@ -82,7 +82,7 @@
+ FSE_DTable* FSE_createDTable (unsigned tableLog)
+ {
+     if (tableLog > FSE_TABLELOG_ABSOLUTE_MAX) tableLog = FSE_TABLELOG_ABSOLUTE_MAX;
+-    return (FSE_DTable*)malloc( FSE_DTABLE_SIZE_U32(tableLog) * sizeof (U32) );
++    return (FSE_DTable*)calloc( FSE_DTABLE_SIZE_U32(tableLog), sizeof (U32) );
+ }
+ 
+ void FSE_freeDTable (FSE_DTable* dt)
+diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
+index 51684914c..d70c17486 100644
+--- a/grub-core/loader/arm/linux.c
++++ b/grub-core/loader/arm/linux.c
+@@ -78,7 +78,7 @@ linux_prepare_atag (void *target_atag)
+ 
+   /* some place for cmdline, initrd and terminator.  */
+   tmp_size = get_atag_size (atag_orig) + 20 + (arg_size) / 4;
+-  tmp_atag = grub_malloc (tmp_size * sizeof (grub_uint32_t));
++  tmp_atag = grub_calloc (tmp_size, sizeof (grub_uint32_t));
+   if (!tmp_atag)
+     return grub_errno;
+ 
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index cd92ea3f2..daf8c6b54 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -116,7 +116,7 @@ copy_file_path (grub_efi_file_path_device_path_t *fp,
+   fp->header.type = GRUB_EFI_MEDIA_DEVICE_PATH_TYPE;
+   fp->header.subtype = GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE;
+ 
+-  path_name = grub_malloc (len * GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name));
++  path_name = grub_calloc (len, GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name));
+   if (!path_name)
+     return;
+ 
+diff --git a/grub-core/loader/i386/bsdXX.c b/grub-core/loader/i386/bsdXX.c
+index af6741d15..a8d8bf7da 100644
+--- a/grub-core/loader/i386/bsdXX.c
++++ b/grub-core/loader/i386/bsdXX.c
+@@ -48,7 +48,7 @@ read_headers (grub_file_t file, const char *filename, Elf_Ehdr *e, char **shdr)
+   if (e->e_ident[EI_CLASS] != SUFFIX (ELFCLASS))
+     return grub_error (GRUB_ERR_BAD_OS, N_("invalid arch-dependent ELF magic"));
+ 
+-  *shdr = grub_malloc ((grub_uint32_t) e->e_shnum * e->e_shentsize);
++  *shdr = grub_calloc (e->e_shnum, e->e_shentsize);
+   if (! *shdr)
+     return grub_errno;
+ 
+diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c
+index e64ed08f5..b7d176b5d 100644
+--- a/grub-core/loader/i386/xnu.c
++++ b/grub-core/loader/i386/xnu.c
+@@ -295,7 +295,7 @@ grub_xnu_devprop_add_property_utf8 (struct grub_xnu_devprop_device_descriptor *d
+     return grub_errno;
+ 
+   len = grub_strlen (name);
+-  utf16 = grub_malloc (sizeof (grub_uint16_t) * len);
++  utf16 = grub_calloc (len, sizeof (grub_uint16_t));
+   if (!utf16)
+     {
+       grub_free (utf8);
+@@ -331,7 +331,7 @@ grub_xnu_devprop_add_property_utf16 (struct grub_xnu_devprop_device_descriptor *
+   grub_uint16_t *utf16;
+   grub_err_t err;
+ 
+-  utf16 = grub_malloc (sizeof (grub_uint16_t) * namelen);
++  utf16 = grub_calloc (namelen, sizeof (grub_uint16_t));
+   if (!utf16)
+     return grub_errno;
+   grub_memcpy (utf16, name, sizeof (grub_uint16_t) * namelen);
+diff --git a/grub-core/loader/macho.c b/grub-core/loader/macho.c
+index 085f9c689..05710c48e 100644
+--- a/grub-core/loader/macho.c
++++ b/grub-core/loader/macho.c
+@@ -97,7 +97,7 @@ grub_macho_file (grub_file_t file, const char *filename, int is_64bit)
+       if (grub_file_seek (macho->file, sizeof (struct grub_macho_fat_header))
+ 	  == (grub_off_t) -1)
+ 	goto fail;
+-      archs = grub_malloc (sizeof (struct grub_macho_fat_arch) * narchs);
++      archs = grub_calloc (narchs, sizeof (struct grub_macho_fat_arch));
+       if (!archs)
+ 	goto fail;
+       if (grub_file_read (macho->file, archs,
+diff --git a/grub-core/loader/multiboot_elfxx.c b/grub-core/loader/multiboot_elfxx.c
+index 70cd1db51..cc6853692 100644
+--- a/grub-core/loader/multiboot_elfxx.c
++++ b/grub-core/loader/multiboot_elfxx.c
+@@ -217,7 +217,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
+     {
+       grub_uint8_t *shdr, *shdrptr;
+ 
+-      shdr = grub_malloc ((grub_uint32_t) ehdr->e_shnum * ehdr->e_shentsize);
++      shdr = grub_calloc (ehdr->e_shnum, ehdr->e_shentsize);
+       if (!shdr)
+ 	return grub_errno;
+       
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 7f74d1d6f..77d7060e1 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -800,7 +800,7 @@ grub_cmd_xnu_mkext (grub_command_t cmd __attribute__ ((unused)),
+   if (grub_be_to_cpu32 (head.magic) == GRUB_MACHO_FAT_MAGIC)
+     {
+       narchs = grub_be_to_cpu32 (head.nfat_arch);
+-      archs = grub_malloc (sizeof (struct grub_macho_fat_arch) * narchs);
++      archs = grub_calloc (narchs, sizeof (struct grub_macho_fat_arch));
+       if (! archs)
+ 	{
+ 	  grub_file_close (file);
+diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
+index 6a31cbae3..57b4e9a72 100644
+--- a/grub-core/mmap/mmap.c
++++ b/grub-core/mmap/mmap.c
+@@ -143,9 +143,9 @@ grub_mmap_iterate (grub_memory_hook_t hook, void *hook_data)
+ 
+   /* Initialize variables. */
+   ctx.scanline_events = (struct grub_mmap_scan *)
+-    grub_malloc (sizeof (struct grub_mmap_scan) * 2 * mmap_num);
++    grub_calloc (mmap_num, sizeof (struct grub_mmap_scan) * 2);
+ 
+-  present = grub_zalloc (sizeof (present[0]) * current_priority);
++  present = grub_calloc (current_priority, sizeof (present[0]));
+ 
+   if (! ctx.scanline_events || !present)
+     {
+diff --git a/grub-core/net/bootp.c b/grub-core/net/bootp.c
+index 04cfbb045..653957200 100644
+--- a/grub-core/net/bootp.c
++++ b/grub-core/net/bootp.c
+@@ -766,7 +766,7 @@ grub_cmd_bootp (struct grub_command *cmd __attribute__ ((unused)),
+   if (ncards == 0)
+     return grub_error (GRUB_ERR_NET_NO_CARD, N_("no network card found"));
+ 
+-  ifaces = grub_zalloc (ncards * sizeof (ifaces[0]));
++  ifaces = grub_calloc (ncards, sizeof (ifaces[0]));
+   if (!ifaces)
+     return grub_errno;
+ 
+diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
+index 5d9afe093..e332d5eb4 100644
+--- a/grub-core/net/dns.c
++++ b/grub-core/net/dns.c
+@@ -285,8 +285,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
+       ptr++;
+       ptr += 4;
+     }
+-  *data->addresses = grub_malloc (sizeof ((*data->addresses)[0])
+-				 * grub_be_to_cpu16 (head->ancount));
++  *data->addresses = grub_calloc (grub_be_to_cpu16 (head->ancount),
++				  sizeof ((*data->addresses)[0]));
+   if (!*data->addresses)
+     {
+       grub_errno = GRUB_ERR_NONE;
+@@ -406,8 +406,8 @@ recv_hook (grub_net_udp_socket_t sock __attribute__ ((unused)),
+       dns_cache[h].addresses = 0;
+       dns_cache[h].name = grub_strdup (data->oname);
+       dns_cache[h].naddresses = *data->naddresses;
+-      dns_cache[h].addresses = grub_malloc (*data->naddresses
+-					    * sizeof (dns_cache[h].addresses[0]));
++      dns_cache[h].addresses = grub_calloc (*data->naddresses,
++					    sizeof (dns_cache[h].addresses[0]));
+       dns_cache[h].limit_time = grub_get_time_ms () + 1000 * ttl_all;
+       if (!dns_cache[h].addresses || !dns_cache[h].name)
+ 	{
+@@ -479,7 +479,7 @@ grub_net_dns_lookup (const char *name,
+ 	}
+     }
+ 
+-  sockets = grub_malloc (sizeof (sockets[0]) * n_servers);
++  sockets = grub_calloc (n_servers, sizeof (sockets[0]));
+   if (!sockets)
+     return grub_errno;
+ 
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index d5d726a31..38f19dfc9 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -333,8 +333,8 @@ grub_cmd_ipv6_autoconf (struct grub_command *cmd __attribute__ ((unused)),
+     ncards++;
+   }
+ 
+-  ifaces = grub_zalloc (ncards * sizeof (ifaces[0]));
+-  slaacs = grub_zalloc (ncards * sizeof (slaacs[0]));
++  ifaces = grub_calloc (ncards, sizeof (ifaces[0]));
++  slaacs = grub_calloc (ncards, sizeof (slaacs[0]));
+   if (!ifaces || !slaacs)
+     {
+       grub_free (ifaces);
+diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
+index b0ab47d73..d57fb72fa 100644
+--- a/grub-core/normal/charset.c
++++ b/grub-core/normal/charset.c
+@@ -203,7 +203,7 @@ grub_utf8_to_ucs4_alloc (const char *msg, grub_uint32_t **unicode_msg,
+ {
+   grub_size_t msg_len = grub_strlen (msg);
+ 
+-  *unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t));
++  *unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t));
+  
+   if (!*unicode_msg)
+     return -1;
+@@ -488,7 +488,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
+ 	    }
+ 	  else
+ 	    {
+-	      n = grub_malloc (sizeof (n[0]) * (out->ncomb + 1));
++	      n = grub_calloc (out->ncomb + 1, sizeof (n[0]));
+ 	      if (!n)
+ 		{
+ 		  grub_errno = GRUB_ERR_NONE;
+@@ -842,7 +842,7 @@ grub_bidi_line_logical_to_visual (const grub_uint32_t *logical,
+       }							\
+   }
+ 
+-  visual = grub_malloc (sizeof (visual[0]) * logical_len);
++  visual = grub_calloc (logical_len, sizeof (visual[0]));
+   if (!visual)
+     return -1;
+ 
+@@ -1165,8 +1165,8 @@ grub_bidi_logical_to_visual (const grub_uint32_t *logical,
+ {
+   const grub_uint32_t *line_start = logical, *ptr;
+   struct grub_unicode_glyph *visual_ptr;
+-  *visual_out = visual_ptr = grub_malloc (3 * sizeof (visual_ptr[0])
+-					  * (logical_len + 2));
++  *visual_out = visual_ptr = grub_calloc (logical_len + 2,
++					  3 * sizeof (visual_ptr[0]));
+   if (!visual_ptr)
+     return -1;
+   for (ptr = logical; ptr <= logical + logical_len; ptr++)
+diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c
+index c037d5050..c57242e2e 100644
+--- a/grub-core/normal/cmdline.c
++++ b/grub-core/normal/cmdline.c
+@@ -41,7 +41,7 @@ grub_err_t
+ grub_set_history (int newsize)
+ {
+   grub_uint32_t **old_hist_lines = hist_lines;
+-  hist_lines = grub_malloc (sizeof (grub_uint32_t *) * newsize);
++  hist_lines = grub_calloc (newsize, sizeof (grub_uint32_t *));
+ 
+   /* Copy the old lines into the new buffer.  */
+   if (old_hist_lines)
+@@ -114,7 +114,7 @@ static void
+ grub_history_set (int pos, grub_uint32_t *s, grub_size_t len)
+ {
+   grub_free (hist_lines[pos]);
+-  hist_lines[pos] = grub_malloc ((len + 1) * sizeof (grub_uint32_t));
++  hist_lines[pos] = grub_calloc (len + 1, sizeof (grub_uint32_t));
+   if (!hist_lines[pos])
+     {
+       grub_print_error ();
+@@ -349,7 +349,7 @@ grub_cmdline_get (const char *prompt_translated)
+   char *ret;
+   unsigned nterms;
+ 
+-  buf = grub_malloc (max_len * sizeof (grub_uint32_t));
++  buf = grub_calloc (max_len, sizeof (grub_uint32_t));
+   if (!buf)
+     return 0;
+ 
+@@ -377,7 +377,7 @@ grub_cmdline_get (const char *prompt_translated)
+     FOR_ACTIVE_TERM_OUTPUTS(cur)
+       nterms++;
+ 
+-    cl_terms = grub_malloc (sizeof (cl_terms[0]) * nterms);
++    cl_terms = grub_calloc (nterms, sizeof (cl_terms[0]));
+     if (!cl_terms)
+       {
+ 	grub_free (buf);
+@@ -385,7 +385,7 @@ grub_cmdline_get (const char *prompt_translated)
+       }
+     cl_term_cur = cl_terms;
+ 
+-    unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t));
++    unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t));
+     if (!unicode_msg)
+       {
+ 	grub_free (buf);
+@@ -495,7 +495,7 @@ grub_cmdline_get (const char *prompt_translated)
+ 		grub_uint32_t *insert;
+ 
+ 		insertlen = grub_strlen (insertu8);
+-		insert = grub_malloc ((insertlen + 1) * sizeof (grub_uint32_t));
++		insert = grub_calloc (insertlen + 1, sizeof (grub_uint32_t));
+ 		if (!insert)
+ 		  {
+ 		    grub_free (insertu8);
+@@ -602,7 +602,7 @@ grub_cmdline_get (const char *prompt_translated)
+ 
+ 	      grub_free (kill_buf);
+ 
+-	      kill_buf = grub_malloc ((n + 1) * sizeof(grub_uint32_t));
++	      kill_buf = grub_calloc (n + 1, sizeof (grub_uint32_t));
+ 	      if (grub_errno)
+ 		{
+ 		  grub_print_error ();
+diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
+index cdf3590a3..1993995be 100644
+--- a/grub-core/normal/menu_entry.c
++++ b/grub-core/normal/menu_entry.c
+@@ -95,8 +95,8 @@ init_line (struct screen *screen, struct line *linep)
+ {
+   linep->len = 0;
+   linep->max_len = 80;
+-  linep->buf = grub_malloc ((linep->max_len + 1) * sizeof (linep->buf[0]));
+-  linep->pos = grub_zalloc (screen->nterms * sizeof (linep->pos[0]));
++  linep->buf = grub_calloc (linep->max_len + 1, sizeof (linep->buf[0]));
++  linep->pos = grub_calloc (screen->nterms, sizeof (linep->pos[0]));
+   if (! linep->buf || !linep->pos)
+     {
+       grub_free (linep->buf);
+@@ -287,7 +287,7 @@ update_screen (struct screen *screen, struct per_term_screen *term_screen,
+ 	  pos = linep->pos + (term_screen - screen->terms);
+ 
+ 	  if (!*pos)
+-	    *pos = grub_zalloc ((linep->len + 1) * sizeof (**pos));
++	    *pos = grub_calloc (linep->len + 1, sizeof (**pos));
+ 
+ 	  if (i == region_start || linep == screen->lines + screen->line
+ 	      || (i > region_start && mode == ALL_LINES))
+@@ -471,7 +471,7 @@ insert_string (struct screen *screen, const char *s, int update)
+ 
+ 	  /* Insert the string.  */
+ 	  current_linep = screen->lines + screen->line;
+-	  unicode_msg = grub_malloc ((p - s) * sizeof (grub_uint32_t));
++	  unicode_msg = grub_calloc (p - s, sizeof (grub_uint32_t));
+ 
+ 	  if (!unicode_msg)
+ 	    return 0;
+@@ -1023,7 +1023,7 @@ complete (struct screen *screen, int continuous, int update)
+   if (completion_buffer.buf)
+     {
+       buflen = grub_strlen (completion_buffer.buf);
+-      ucs4 = grub_malloc (sizeof (grub_uint32_t) * (buflen + 1));
++      ucs4 = grub_calloc (buflen + 1, sizeof (grub_uint32_t));
+       
+       if (!ucs4)
+ 	{
+@@ -1268,7 +1268,7 @@ grub_menu_entry_run (grub_menu_entry_t entry)
+   for (i = 0; i < (unsigned) screen->num_lines; i++)
+     {
+       grub_free (screen->lines[i].pos);
+-      screen->lines[i].pos = grub_zalloc (screen->nterms * sizeof (screen->lines[i].pos[0]));
++      screen->lines[i].pos = grub_calloc (screen->nterms, sizeof (screen->lines[i].pos[0]));
+       if (! screen->lines[i].pos)
+ 	{
+ 	  grub_print_error ();
+@@ -1278,7 +1278,7 @@ grub_menu_entry_run (grub_menu_entry_t entry)
+ 	}
+     }
+ 
+-  screen->terms = grub_zalloc (screen->nterms * sizeof (screen->terms[0]));
++  screen->terms = grub_calloc (screen->nterms, sizeof (screen->terms[0]));
+   if (!screen->terms)
+     {
+       grub_print_error ();
+diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
+index e22bb91f6..18240e76c 100644
+--- a/grub-core/normal/menu_text.c
++++ b/grub-core/normal/menu_text.c
+@@ -78,7 +78,7 @@ grub_print_message_indented_real (const char *msg, int margin_left,
+   grub_size_t msg_len = grub_strlen (msg) + 2;
+   int ret = 0;
+ 
+-  unicode_msg = grub_malloc (msg_len * sizeof (grub_uint32_t));
++  unicode_msg = grub_calloc (msg_len, sizeof (grub_uint32_t));
+  
+   if (!unicode_msg)
+     return 0;
+@@ -211,7 +211,7 @@ print_entry (int y, int highlight, grub_menu_entry_t entry,
+ 
+   title = entry ? entry->title : "";
+   title_len = grub_strlen (title);
+-  unicode_title = grub_malloc (title_len * sizeof (*unicode_title));
++  unicode_title = grub_calloc (title_len, sizeof (*unicode_title));
+   if (! unicode_title)
+     /* XXX How to show this error?  */
+     return;
+diff --git a/grub-core/normal/term.c b/grub-core/normal/term.c
+index a1e5c5a0d..cc8c173b6 100644
+--- a/grub-core/normal/term.c
++++ b/grub-core/normal/term.c
+@@ -264,7 +264,7 @@ grub_term_save_pos (void)
+   FOR_ACTIVE_TERM_OUTPUTS(cur)
+     cnt++;
+ 
+-  ret = grub_malloc (cnt * sizeof (ret[0]));
++  ret = grub_calloc (cnt, sizeof (ret[0]));
+   if (!ret)
+     return NULL;
+ 
+@@ -1013,7 +1013,7 @@ grub_xnputs (const char *str, grub_size_t msg_len)
+ 
+   grub_error_push ();
+ 
+-  unicode_str = grub_malloc (msg_len * sizeof (grub_uint32_t));
++  unicode_str = grub_calloc (msg_len, sizeof (grub_uint32_t));
+  
+   grub_error_pop ();
+ 
+diff --git a/grub-core/osdep/linux/getroot.c b/grub-core/osdep/linux/getroot.c
+index 90d92d3ad..5b41ad022 100644
+--- a/grub-core/osdep/linux/getroot.c
++++ b/grub-core/osdep/linux/getroot.c
+@@ -168,7 +168,7 @@ grub_util_raid_getmembers (const char *name, int bootable)
+   if (ret != 0)
+     grub_util_error (_("ioctl GET_ARRAY_INFO error: %s"), strerror (errno));
+ 
+-  devicelist = xmalloc ((info.nr_disks + 1) * sizeof (char *));
++  devicelist = xcalloc (info.nr_disks + 1, sizeof (char *));
+ 
+   for (i = 0, j = 0; j < info.nr_disks; i++)
+     {
+@@ -241,7 +241,7 @@ grub_find_root_devices_from_btrfs (const char *dir)
+       return NULL;
+     }
+ 
+-  ret = xmalloc ((fsi.num_devices + 1) * sizeof (ret[0]));
++  ret = xcalloc (fsi.num_devices + 1, sizeof (ret[0]));
+ 
+   for (i = 1; i <= fsi.max_id && j < fsi.num_devices; i++)
+     {
+@@ -396,7 +396,7 @@ grub_find_root_devices_from_mountinfo (const char *dir, char **relroot)
+   if (relroot)
+     *relroot = NULL;
+ 
+-  entries = xmalloc (entry_max * sizeof (*entries));
++  entries = xcalloc (entry_max, sizeof (*entries));
+ 
+ again:
+   fp = grub_util_fopen ("/proc/self/mountinfo", "r");
+diff --git a/grub-core/osdep/unix/config.c b/grub-core/osdep/unix/config.c
+index 65effa9f3..7d6325138 100644
+--- a/grub-core/osdep/unix/config.c
++++ b/grub-core/osdep/unix/config.c
+@@ -89,7 +89,7 @@ grub_util_load_config (struct grub_util_config *cfg)
+   argv[0] = "sh";
+   argv[1] = "-c";
+ 
+-  script = xmalloc (4 * strlen (cfgfile) + 300);
++  script = xcalloc (4, strlen (cfgfile) + 300);
+ 
+   ptr = script;
+   memcpy (ptr, ". '", 3);
+diff --git a/grub-core/osdep/windows/getroot.c b/grub-core/osdep/windows/getroot.c
+index 661d95461..eada663b2 100644
+--- a/grub-core/osdep/windows/getroot.c
++++ b/grub-core/osdep/windows/getroot.c
+@@ -59,7 +59,7 @@ grub_get_mount_point (const TCHAR *path)
+ 
+   for (ptr = path; *ptr; ptr++);
+   allocsize = (ptr - path + 10) * 2;
+-  out = xmalloc (allocsize * sizeof (out[0]));
++  out = xcalloc (allocsize, sizeof (out[0]));
+ 
+   /* When pointing to EFI system partition GetVolumePathName fails
+      for ESP root and returns abberant information for everything
+diff --git a/grub-core/osdep/windows/hostdisk.c b/grub-core/osdep/windows/hostdisk.c
+index 355100789..0be327394 100644
+--- a/grub-core/osdep/windows/hostdisk.c
++++ b/grub-core/osdep/windows/hostdisk.c
+@@ -111,7 +111,7 @@ grub_util_get_windows_path_real (const char *path)
+ 
+   while (1)
+     {
+-      fpa = xmalloc (alloc * sizeof (fpa[0]));
++      fpa = xcalloc (alloc, sizeof (fpa[0]));
+ 
+       len = GetFullPathName (tpath, alloc, fpa, NULL);
+       if (len >= alloc)
+@@ -399,7 +399,7 @@ grub_util_fd_opendir (const char *name)
+   for (l = 0; name_windows[l]; l++);
+   for (l--; l >= 0 && (name_windows[l] == '\\' || name_windows[l] == '/'); l--);
+   l++;
+-  pattern = xmalloc ((l + 3) * sizeof (pattern[0]));
++  pattern = xcalloc (l + 3, sizeof (pattern[0]));
+   memcpy (pattern, name_windows, l * sizeof (pattern[0]));
+   pattern[l] = '\\';
+   pattern[l + 1] = '*';
+diff --git a/grub-core/osdep/windows/init.c b/grub-core/osdep/windows/init.c
+index e8ffd62c6..6297de632 100644
+--- a/grub-core/osdep/windows/init.c
++++ b/grub-core/osdep/windows/init.c
+@@ -161,7 +161,7 @@ grub_util_host_init (int *argc __attribute__ ((unused)),
+   LPWSTR *targv;
+ 
+   targv = CommandLineToArgvW (tcmdline, argc);
+-  *argv = xmalloc ((*argc + 1) * sizeof (argv[0]));
++  *argv = xcalloc (*argc + 1, sizeof (argv[0]));
+ 
+   for (i = 0; i < *argc; i++)
+     (*argv)[i] = grub_util_tchar_to_utf8 (targv[i]); 
+diff --git a/grub-core/osdep/windows/platform.c b/grub-core/osdep/windows/platform.c
+index 7eb53fe01..1ef86bf58 100644
+--- a/grub-core/osdep/windows/platform.c
++++ b/grub-core/osdep/windows/platform.c
+@@ -225,8 +225,8 @@ grub_install_register_efi (grub_device_t efidir_grub_dev,
+     grub_util_error ("%s", _("no EFI routines are available when running in BIOS mode"));
+ 
+   distrib8_len = grub_strlen (efi_distributor);
+-  distributor16 = xmalloc ((distrib8_len + 1) * GRUB_MAX_UTF16_PER_UTF8
+-			   * sizeof (grub_uint16_t));
++  distributor16 = xcalloc (distrib8_len + 1,
++			   GRUB_MAX_UTF16_PER_UTF8 * sizeof (grub_uint16_t));
+   distrib16_len = grub_utf8_to_utf16 (distributor16, distrib8_len * GRUB_MAX_UTF16_PER_UTF8,
+ 				      (const grub_uint8_t *) efi_distributor,
+ 				      distrib8_len, 0);
+diff --git a/grub-core/osdep/windows/relpath.c b/grub-core/osdep/windows/relpath.c
+index cb0861744..478e8ef14 100644
+--- a/grub-core/osdep/windows/relpath.c
++++ b/grub-core/osdep/windows/relpath.c
+@@ -72,7 +72,7 @@ grub_make_system_path_relative_to_its_root (const char *path)
+       if (dirwindows[0] && dirwindows[1] == ':')
+ 	offset = 2;
+     }
+-  ret = xmalloc (sizeof (ret[0]) * (flen - offset + 2));
++  ret = xcalloc (flen - offset + 2, sizeof (ret[0]));
+   if (dirwindows[offset] != '\\'
+       && dirwindows[offset] != '/'
+       && dirwindows[offset])
+diff --git a/grub-core/partmap/gpt.c b/grub-core/partmap/gpt.c
+index 103f6796f..72a2e37cd 100644
+--- a/grub-core/partmap/gpt.c
++++ b/grub-core/partmap/gpt.c
+@@ -199,7 +199,7 @@ gpt_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors,
+   *nsectors = ctx.len;
+   if (*nsectors > max_nsectors)
+     *nsectors = max_nsectors;
+-  *sectors = grub_malloc (*nsectors * sizeof (**sectors));
++  *sectors = grub_calloc (*nsectors, sizeof (**sectors));
+   if (!*sectors)
+     return grub_errno;
+   for (i = 0; i < *nsectors; i++)
+diff --git a/grub-core/partmap/msdos.c b/grub-core/partmap/msdos.c
+index 7b8e45076..ee3f24982 100644
+--- a/grub-core/partmap/msdos.c
++++ b/grub-core/partmap/msdos.c
+@@ -337,7 +337,7 @@ pc_partition_map_embed (struct grub_disk *disk, unsigned int *nsectors,
+       avail_nsectors = *nsectors;
+       if (*nsectors > max_nsectors)
+ 	*nsectors = max_nsectors;
+-      *sectors = grub_malloc (*nsectors * sizeof (**sectors));
++      *sectors = grub_calloc (*nsectors, sizeof (**sectors));
+       if (!*sectors)
+ 	return grub_errno;
+       for (i = 0; i < *nsectors; i++)
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index ee299fd0e..c8d6806fe 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -553,7 +553,7 @@ gettext_append (struct grub_script_argv *result, const char *orig_str)
+   for (iptr = orig_str; *iptr; iptr++)
+     if (*iptr == '$')
+       dollar_cnt++;
+-  ctx.allowed_strings = grub_malloc (sizeof (ctx.allowed_strings[0]) * dollar_cnt);
++  ctx.allowed_strings = grub_calloc (dollar_cnt, sizeof (ctx.allowed_strings[0]));
+ 
+   if (parse_string (orig_str, gettext_save_allow, &ctx, 0))
+     goto fail;
+diff --git a/grub-core/tests/fake_input.c b/grub-core/tests/fake_input.c
+index 2d6085298..b5eb516be 100644
+--- a/grub-core/tests/fake_input.c
++++ b/grub-core/tests/fake_input.c
+@@ -49,7 +49,7 @@ grub_terminal_input_fake_sequence (int *seq_in, int nseq_in)
+     saved = grub_term_inputs;
+   if (seq)
+     grub_free (seq);
+-  seq = grub_malloc (nseq_in * sizeof (seq[0]));
++  seq = grub_calloc (nseq_in, sizeof (seq[0]));
+   if (!seq)
+     return;
+ 
+diff --git a/grub-core/tests/video_checksum.c b/grub-core/tests/video_checksum.c
+index 74d5b65e5..44d081069 100644
+--- a/grub-core/tests/video_checksum.c
++++ b/grub-core/tests/video_checksum.c
+@@ -336,7 +336,7 @@ grub_video_capture_write_bmp (const char *fname,
+     {
+     case 4:
+       {
+-	grub_uint8_t *buffer = xmalloc (mode_info->width * 3);
++	grub_uint8_t *buffer = xcalloc (3, mode_info->width);
+ 	grub_uint32_t rmask = ((1 << mode_info->red_mask_size) - 1);
+ 	grub_uint32_t gmask = ((1 << mode_info->green_mask_size) - 1);
+ 	grub_uint32_t bmask = ((1 << mode_info->blue_mask_size) - 1);
+@@ -367,7 +367,7 @@ grub_video_capture_write_bmp (const char *fname,
+       }
+     case 3:
+       {
+-	grub_uint8_t *buffer = xmalloc (mode_info->width * 3);
++	grub_uint8_t *buffer = xcalloc (3, mode_info->width);
+ 	grub_uint32_t rmask = ((1 << mode_info->red_mask_size) - 1);
+ 	grub_uint32_t gmask = ((1 << mode_info->green_mask_size) - 1);
+ 	grub_uint32_t bmask = ((1 << mode_info->blue_mask_size) - 1);
+@@ -407,7 +407,7 @@ grub_video_capture_write_bmp (const char *fname,
+       }
+     case 2:
+       {
+-	grub_uint8_t *buffer = xmalloc (mode_info->width * 3);
++	grub_uint8_t *buffer = xcalloc (3, mode_info->width);
+ 	grub_uint16_t rmask = ((1 << mode_info->red_mask_size) - 1);
+ 	grub_uint16_t gmask = ((1 << mode_info->green_mask_size) - 1);
+ 	grub_uint16_t bmask = ((1 << mode_info->blue_mask_size) - 1);
+diff --git a/grub-core/video/capture.c b/grub-core/video/capture.c
+index 4f83c7441..4d3195e01 100644
+--- a/grub-core/video/capture.c
++++ b/grub-core/video/capture.c
+@@ -89,7 +89,7 @@ grub_video_capture_start (const struct grub_video_mode_info *mode_info,
+   framebuffer.mode_info = *mode_info;
+   framebuffer.mode_info.blit_format = grub_video_get_blit_format (&framebuffer.mode_info);
+ 
+-  framebuffer.ptr = grub_malloc (framebuffer.mode_info.height * framebuffer.mode_info.pitch);
++  framebuffer.ptr = grub_calloc (framebuffer.mode_info.height, framebuffer.mode_info.pitch);
+   if (!framebuffer.ptr)
+     return grub_errno;
+   
+diff --git a/grub-core/video/emu/sdl.c b/grub-core/video/emu/sdl.c
+index a2f639f66..0ebab6f57 100644
+--- a/grub-core/video/emu/sdl.c
++++ b/grub-core/video/emu/sdl.c
+@@ -172,7 +172,7 @@ grub_video_sdl_set_palette (unsigned int start, unsigned int count,
+       if (start + count > mode_info.number_of_colors)
+ 	count = mode_info.number_of_colors - start;
+ 
+-      tmp = grub_malloc (count * sizeof (tmp[0]));
++      tmp = grub_calloc (count, sizeof (tmp[0]));
+       for (i = 0; i < count; i++)
+ 	{
+ 	  tmp[i].r = palette_data[i].r;
+diff --git a/grub-core/video/i386/pc/vga.c b/grub-core/video/i386/pc/vga.c
+index 01f47112d..b2f776c99 100644
+--- a/grub-core/video/i386/pc/vga.c
++++ b/grub-core/video/i386/pc/vga.c
+@@ -127,7 +127,7 @@ grub_video_vga_setup (unsigned int width, unsigned int height,
+ 
+   vga_height = height ? : 480;
+ 
+-  framebuffer.temporary_buffer = grub_malloc (vga_height * VGA_WIDTH);
++  framebuffer.temporary_buffer = grub_calloc (vga_height, VGA_WIDTH);
+   framebuffer.front_page = 0;
+   framebuffer.back_page = 0;
+   if (!framebuffer.temporary_buffer)
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 777e71334..61bd64537 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -309,7 +309,7 @@ grub_png_decode_image_header (struct grub_png_data *data)
+   if (data->is_16bit || data->is_gray || data->is_palette)
+ #endif
+     {
+-      data->image_data = grub_malloc (data->image_height * data->row_bytes);
++      data->image_data = grub_calloc (data->image_height, data->row_bytes);
+       if (grub_errno)
+         return grub_errno;
+ 
+diff --git a/include/grub/unicode.h b/include/grub/unicode.h
+index a0403e91f..4de986a85 100644
+--- a/include/grub/unicode.h
++++ b/include/grub/unicode.h
+@@ -293,7 +293,7 @@ grub_unicode_glyph_dup (const struct grub_unicode_glyph *in)
+   grub_memcpy (out, in, sizeof (*in));
+   if (in->ncomb > ARRAY_SIZE (out->combining_inline))
+     {
+-      out->combining_ptr = grub_malloc (in->ncomb * sizeof (out->combining_ptr[0]));
++      out->combining_ptr = grub_calloc (in->ncomb, sizeof (out->combining_ptr[0]));
+       if (!out->combining_ptr)
+ 	{
+ 	  grub_free (out);
+@@ -315,7 +315,7 @@ grub_unicode_set_glyph (struct grub_unicode_glyph *out,
+   grub_memcpy (out, in, sizeof (*in));
+   if (in->ncomb > ARRAY_SIZE (out->combining_inline))
+     {
+-      out->combining_ptr = grub_malloc (in->ncomb * sizeof (out->combining_ptr[0]));
++      out->combining_ptr = grub_calloc (in->ncomb, sizeof (out->combining_ptr[0]));
+       if (!out->combining_ptr)
+ 	return;
+       grub_memcpy (out->combining_ptr, in->combining_ptr,
+diff --git a/util/getroot.c b/util/getroot.c
+index 847406fba..a5eaa64fd 100644
+--- a/util/getroot.c
++++ b/util/getroot.c
+@@ -200,7 +200,7 @@ make_device_name (const char *drive)
+   char *ret, *ptr;
+   const char *iptr;
+ 
+-  ret = xmalloc (strlen (drive) * 2);
++  ret = xcalloc (2, strlen (drive));
+   ptr = ret;
+   for (iptr = drive; *iptr; iptr++)
+     {
+diff --git a/util/grub-file.c b/util/grub-file.c
+index 50c18b683..b2e7dd69f 100644
+--- a/util/grub-file.c
++++ b/util/grub-file.c
+@@ -54,7 +54,7 @@ main (int argc, char *argv[])
+ 
+   grub_util_host_init (&argc, &argv);
+ 
+-  argv2 = xmalloc (argc * sizeof (argv2[0]));
++  argv2 = xcalloc (argc, sizeof (argv2[0]));
+ 
+   if (argc == 2 && strcmp (argv[1], "--version") == 0)
+     {
+diff --git a/util/grub-fstest.c b/util/grub-fstest.c
+index f14e02d97..57246af7c 100644
+--- a/util/grub-fstest.c
++++ b/util/grub-fstest.c
+@@ -650,7 +650,7 @@ argp_parser (int key, char *arg, struct argp_state *state)
+   if (args_count < num_disks)
+     {
+       if (args_count == 0)
+-	images = xmalloc (num_disks * sizeof (images[0]));
++	images = xcalloc (num_disks, sizeof (images[0]));
+       images[args_count] = grub_canonicalize_file_name (arg);
+       args_count++;
+       return 0;
+@@ -734,7 +734,7 @@ main (int argc, char *argv[])
+ 
+   grub_util_host_init (&argc, &argv);
+ 
+-  args = xmalloc (argc * sizeof (args[0]));
++  args = xcalloc (argc, sizeof (args[0]));
+ 
+   argp_parse (&argp, argc, argv, 0, 0, 0);
+ 
+diff --git a/util/grub-install-common.c b/util/grub-install-common.c
+index ca0ac612a..0295d40f5 100644
+--- a/util/grub-install-common.c
++++ b/util/grub-install-common.c
+@@ -286,7 +286,7 @@ handle_install_list (struct install_list *il, const char *val,
+       il->n_entries++;
+     }
+   il->n_alloc = il->n_entries + 1;
+-  il->entries = xmalloc (il->n_alloc * sizeof (il->entries[0]));
++  il->entries = xcalloc (il->n_alloc, sizeof (il->entries[0]));
+   ptr = val;
+   for (ce = il->entries; ; ce++)
+     {
+diff --git a/util/grub-install.c b/util/grub-install.c
+index 8a55ad4b8..a82725f29 100644
+--- a/util/grub-install.c
++++ b/util/grub-install.c
+@@ -626,7 +626,7 @@ device_map_check_duplicates (const char *dev_map)
+   if (! fp)
+     return;
+ 
+-  d = xmalloc (alloced * sizeof (d[0]));
++  d = xcalloc (alloced, sizeof (d[0]));
+ 
+   while (fgets (buf, sizeof (buf), fp))
+     {
+@@ -1260,7 +1260,7 @@ main (int argc, char *argv[])
+       ndev++;
+     }
+ 
+-  grub_drives = xmalloc (sizeof (grub_drives[0]) * (ndev + 1)); 
++  grub_drives = xcalloc (ndev + 1, sizeof (grub_drives[0]));
+ 
+   for (curdev = grub_devices, curdrive = grub_drives; *curdev; curdev++,
+        curdrive++)
+diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
+index bc087c2b5..d97d0e7be 100644
+--- a/util/grub-mkimagexx.c
++++ b/util/grub-mkimagexx.c
+@@ -2294,10 +2294,8 @@ SUFFIX (grub_mkimage_load_image) (const char *kernel_path,
+ 		      + grub_host_to_target16 (e->e_shstrndx) * smd.section_entsize);
+   smd.strtab = (char *) e + grub_host_to_target_addr (s->sh_offset);
+ 
+-  smd.addrs = xmalloc (sizeof (*smd.addrs) * smd.num_sections);
+-  memset (smd.addrs, 0, sizeof (*smd.addrs) * smd.num_sections);
+-  smd.vaddrs = xmalloc (sizeof (*smd.vaddrs) * smd.num_sections);
+-  memset (smd.vaddrs, 0, sizeof (*smd.vaddrs) * smd.num_sections);
++  smd.addrs = xcalloc (smd.num_sections, sizeof (*smd.addrs));
++  smd.vaddrs = xcalloc (smd.num_sections, sizeof (*smd.vaddrs));
+ 
+   SUFFIX (locate_sections) (e, kernel_path, &smd, layout, image_target);
+ 
+diff --git a/util/grub-mkrescue.c b/util/grub-mkrescue.c
+index ce2cbc4f1..51831027f 100644
+--- a/util/grub-mkrescue.c
++++ b/util/grub-mkrescue.c
+@@ -441,8 +441,8 @@ main (int argc, char *argv[])
+   xorriso = xstrdup ("xorriso");
+   label_font = grub_util_path_concat (2, pkgdatadir, "unicode.pf2");
+ 
+-  argp_argv = xmalloc (sizeof (argp_argv[0]) * argc);
+-  xorriso_tail_argv = xmalloc (sizeof (argp_argv[0]) * argc);
++  argp_argv = xcalloc (argc, sizeof (argp_argv[0]));
++  xorriso_tail_argv = xcalloc (argc, sizeof (argp_argv[0]));
+ 
+   xorriso_tail_argc = 0;
+   /* Program name */
+diff --git a/util/grub-mkstandalone.c b/util/grub-mkstandalone.c
+index 4907d44c0..edf309717 100644
+--- a/util/grub-mkstandalone.c
++++ b/util/grub-mkstandalone.c
+@@ -296,7 +296,7 @@ main (int argc, char *argv[])
+   grub_util_host_init (&argc, &argv);
+   grub_util_disable_fd_syncs ();
+ 
+-  files = xmalloc ((argc + 1) * sizeof (files[0]));
++  files = xcalloc (argc + 1, sizeof (files[0]));
+ 
+   argp_parse (&argp, argc, argv, 0, 0, 0);
+ 
+diff --git a/util/grub-pe2elf.c b/util/grub-pe2elf.c
+index 0d4084a10..11331294f 100644
+--- a/util/grub-pe2elf.c
++++ b/util/grub-pe2elf.c
+@@ -100,9 +100,9 @@ write_section_data (FILE* fp, const char *name, char *image,
+   char *pe_strtab = (image + pe_chdr->symtab_offset
+ 		     + pe_chdr->num_symbols * sizeof (struct grub_pe32_symbol));
+ 
+-  section_map = xmalloc ((2 * pe_chdr->num_sections + 5) * sizeof (int));
++  section_map = xcalloc (2 * pe_chdr->num_sections + 5, sizeof (int));
+   section_map[0] = 0;
+-  shdr = xmalloc ((2 * pe_chdr->num_sections + 5) * sizeof (shdr[0]));
++  shdr = xcalloc (2 * pe_chdr->num_sections + 5, sizeof (shdr[0]));
+   idx = 1;
+   idx_reloc = pe_chdr->num_sections + 1;
+ 
+@@ -233,7 +233,7 @@ write_reloc_section (FILE* fp, const char *name, char *image,
+ 
+       pe_sec = pe_shdr + shdr[i].sh_link;
+       pe_rel = (struct grub_pe32_reloc *) (image + pe_sec->relocations_offset);
+-      rel = (elf_reloc_t *) xmalloc (pe_sec->num_relocations * sizeof (elf_reloc_t));
++      rel = (elf_reloc_t *) xcalloc (pe_sec->num_relocations, sizeof (elf_reloc_t));
+       num_rels = 0;
+       modified = 0;
+ 
+@@ -365,12 +365,10 @@ write_symbol_table (FILE* fp, const char *name, char *image,
+   pe_symtab = (struct grub_pe32_symbol *) (image + pe_chdr->symtab_offset);
+   pe_strtab = (char *) (pe_symtab + pe_chdr->num_symbols);
+ 
+-  symtab = (Elf_Sym *) xmalloc ((pe_chdr->num_symbols + 1) *
+-				sizeof (Elf_Sym));
+-  memset (symtab, 0, (pe_chdr->num_symbols + 1) * sizeof (Elf_Sym));
++  symtab = (Elf_Sym *) xcalloc (pe_chdr->num_symbols + 1, sizeof (Elf_Sym));
+   num_syms = 1;
+ 
+-  symtab_map = (int *) xmalloc (pe_chdr->num_symbols * sizeof (int));
++  symtab_map = (int *) xcalloc (pe_chdr->num_symbols, sizeof (int));
+ 
+   for (i = 0; i < (int) pe_chdr->num_symbols;
+        i += pe_symtab->num_aux + 1, pe_symtab += pe_symtab->num_aux + 1)
+diff --git a/util/grub-probe.c b/util/grub-probe.c
+index 81d27eead..cbe6ed94c 100644
+--- a/util/grub-probe.c
++++ b/util/grub-probe.c
+@@ -361,8 +361,8 @@ probe (const char *path, char **device_names, char delim)
+       grub_util_pull_device (*curdev);
+       ndev++;
+     }
+-  
+-  drives_names = xmalloc (sizeof (drives_names[0]) * (ndev + 1)); 
++
++  drives_names = xcalloc (ndev + 1, sizeof (drives_names[0]));
+ 
+   for (curdev = device_names, curdrive = drives_names; *curdev; curdev++,
+        curdrive++)
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0006-malloc-Use-overflow-checking-primitives-where-we-do-.patch b/buildroot/boot/grub2/0006-malloc-Use-overflow-checking-primitives-where-we-do-.patch
new file mode 100644
index 000000000..aaad72563
--- /dev/null
+++ b/buildroot/boot/grub2/0006-malloc-Use-overflow-checking-primitives-where-we-do-.patch
@@ -0,0 +1,1326 @@
+From 4ad7e85adc3803788d65707a9db11fd681aebe4a Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 15 Jun 2020 12:28:27 -0400
+Subject: [PATCH] malloc: Use overflow checking primitives where we do
+ complex allocations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This attempts to fix the places where we do the following where
+arithmetic_expr may include unvalidated data:
+
+  X = grub_malloc(arithmetic_expr);
+
+It accomplishes this by doing the arithmetic ahead of time using grub_add(),
+grub_sub(), grub_mul() and testing for overflow before proceeding.
+
+Among other issues, this fixes:
+  - allocation of integer overflow in grub_video_bitmap_create()
+    reported by Chris Coulson,
+  - allocation of integer overflow in grub_png_decode_image_header()
+    reported by Chris Coulson,
+  - allocation of integer overflow in grub_squash_read_symlink()
+    reported by Chris Coulson,
+  - allocation of integer overflow in grub_ext2_read_symlink()
+    reported by Chris Coulson,
+  - allocation of integer overflow in read_section_as_string()
+    reported by Chris Coulson.
+
+Fixes: CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/commands/legacycfg.c | 29 +++++++++++++++----
+ grub-core/commands/wildcard.c  | 36 ++++++++++++++++++++----
+ grub-core/disk/ldm.c           | 32 +++++++++++++++------
+ grub-core/font/font.c          |  7 ++++-
+ grub-core/fs/btrfs.c           | 28 +++++++++++++------
+ grub-core/fs/ext2.c            | 10 ++++++-
+ grub-core/fs/iso9660.c         | 51 ++++++++++++++++++++++++----------
+ grub-core/fs/sfs.c             | 27 ++++++++++++++----
+ grub-core/fs/squash4.c         | 45 ++++++++++++++++++++++--------
+ grub-core/fs/udf.c             | 41 +++++++++++++++++----------
+ grub-core/fs/xfs.c             | 11 +++++---
+ grub-core/fs/zfs/zfs.c         | 22 ++++++++++-----
+ grub-core/fs/zfs/zfscrypt.c    |  7 ++++-
+ grub-core/lib/arg.c            | 20 +++++++++++--
+ grub-core/loader/i386/bsd.c    |  8 +++++-
+ grub-core/net/dns.c            |  9 +++++-
+ grub-core/normal/charset.c     | 10 +++++--
+ grub-core/normal/cmdline.c     | 14 ++++++++--
+ grub-core/normal/menu_entry.c  | 13 +++++++--
+ grub-core/script/argv.c        | 16 +++++++++--
+ grub-core/script/lexer.c       | 21 ++++++++++++--
+ grub-core/video/bitmap.c       | 25 +++++++++++------
+ grub-core/video/readers/png.c  | 13 +++++++--
+ 23 files changed, 382 insertions(+), 113 deletions(-)
+
+diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
+index 5e3ec0d5e..cc5971f4d 100644
+--- a/grub-core/commands/legacycfg.c
++++ b/grub-core/commands/legacycfg.c
+@@ -32,6 +32,7 @@
+ #include <grub/auth.h>
+ #include <grub/disk.h>
+ #include <grub/partition.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -104,13 +105,22 @@ legacy_file (const char *filename)
+ 	if (newsuffix)
+ 	  {
+ 	    char *t;
+-	    
++	    grub_size_t sz;
++
++	    if (grub_add (grub_strlen (suffix), grub_strlen (newsuffix), &sz) ||
++		grub_add (sz, 1, &sz))
++	      {
++		grub_errno = GRUB_ERR_OUT_OF_RANGE;
++		goto fail_0;
++	      }
++
+ 	    t = suffix;
+-	    suffix = grub_realloc (suffix, grub_strlen (suffix)
+-				   + grub_strlen (newsuffix) + 1);
++	    suffix = grub_realloc (suffix, sz);
+ 	    if (!suffix)
+ 	      {
+ 		grub_free (t);
++
++ fail_0:
+ 		grub_free (entrysrc);
+ 		grub_free (parsed);
+ 		grub_free (newsuffix);
+@@ -154,13 +164,22 @@ legacy_file (const char *filename)
+ 	  else
+ 	    {
+ 	      char *t;
++	      grub_size_t sz;
++
++	      if (grub_add (grub_strlen (entrysrc), grub_strlen (parsed), &sz) ||
++		  grub_add (sz, 1, &sz))
++		{
++		  grub_errno = GRUB_ERR_OUT_OF_RANGE;
++		  goto fail_1;
++		}
+ 
+ 	      t = entrysrc;
+-	      entrysrc = grub_realloc (entrysrc, grub_strlen (entrysrc)
+-				       + grub_strlen (parsed) + 1);
++	      entrysrc = grub_realloc (entrysrc, sz);
+ 	      if (!entrysrc)
+ 		{
+ 		  grub_free (t);
++
++ fail_1:
+ 		  grub_free (parsed);
+ 		  grub_free (suffix);
+ 		  return grub_errno;
+diff --git a/grub-core/commands/wildcard.c b/grub-core/commands/wildcard.c
+index 4a106ca04..cc3290311 100644
+--- a/grub-core/commands/wildcard.c
++++ b/grub-core/commands/wildcard.c
+@@ -23,6 +23,7 @@
+ #include <grub/file.h>
+ #include <grub/device.h>
+ #include <grub/script_sh.h>
++#include <grub/safemath.h>
+ 
+ #include <regex.h>
+ 
+@@ -48,6 +49,7 @@ merge (char **dest, char **ps)
+   int i;
+   int j;
+   char **p;
++  grub_size_t sz;
+ 
+   if (! dest)
+     return ps;
+@@ -60,7 +62,12 @@ merge (char **dest, char **ps)
+   for (j = 0; ps[j]; j++)
+     ;
+ 
+-  p = grub_realloc (dest, sizeof (char*) * (i + j + 1));
++  if (grub_add (i, j, &sz) ||
++      grub_add (sz, 1, &sz) ||
++      grub_mul (sz, sizeof (char *), &sz))
++    return dest;
++
++  p = grub_realloc (dest, sz);
+   if (! p)
+     {
+       grub_free (dest);
+@@ -115,8 +122,15 @@ make_regex (const char *start, const char *end, regex_t *regexp)
+   char ch;
+   int i = 0;
+   unsigned len = end - start;
+-  char *buffer = grub_malloc (len * 2 + 2 + 1); /* worst case size. */
++  char *buffer;
++  grub_size_t sz;
+ 
++  /* Worst case size is (len * 2 + 2 + 1). */
++  if (grub_mul (len, 2, &sz) ||
++      grub_add (sz, 3, &sz))
++    return 1;
++
++  buffer = grub_malloc (sz);
+   if (! buffer)
+     return 1;
+ 
+@@ -226,6 +240,7 @@ match_devices_iter (const char *name, void *data)
+   struct match_devices_ctx *ctx = data;
+   char **t;
+   char *buffer;
++  grub_size_t sz;
+ 
+   /* skip partitions if asked to. */
+   if (ctx->noparts && grub_strchr (name, ','))
+@@ -239,11 +254,16 @@ match_devices_iter (const char *name, void *data)
+   if (regexec (ctx->regexp, buffer, 0, 0, 0))
+     {
+       grub_dprintf ("expand", "not matched\n");
++ fail:
+       grub_free (buffer);
+       return 0;
+     }
+ 
+-  t = grub_realloc (ctx->devs, sizeof (char*) * (ctx->ndev + 2));
++  if (grub_add (ctx->ndev, 2, &sz) ||
++      grub_mul (sz, sizeof (char *), &sz))
++    goto fail;
++
++  t = grub_realloc (ctx->devs, sz);
+   if (! t)
+     {
+       grub_free (buffer);
+@@ -300,6 +320,7 @@ match_files_iter (const char *name,
+   struct match_files_ctx *ctx = data;
+   char **t;
+   char *buffer;
++  grub_size_t sz;
+ 
+   /* skip . and .. names */
+   if (grub_strcmp(".", name) == 0 || grub_strcmp("..", name) == 0)
+@@ -315,9 +336,14 @@ match_files_iter (const char *name,
+   if (! buffer)
+     return 1;
+ 
+-  t = grub_realloc (ctx->files, sizeof (char*) * (ctx->nfile + 2));
+-  if (! t)
++  if (grub_add (ctx->nfile, 2, &sz) ||
++      grub_mul (sz, sizeof (char *), &sz))
++    goto fail;
++
++  t = grub_realloc (ctx->files, sz);
++  if (!t)
+     {
++ fail:
+       grub_free (buffer);
+       return 1;
+     }
+diff --git a/grub-core/disk/ldm.c b/grub-core/disk/ldm.c
+index e6323701a..58f8a53e1 100644
+--- a/grub-core/disk/ldm.c
++++ b/grub-core/disk/ldm.c
+@@ -25,6 +25,7 @@
+ #include <grub/msdos_partition.h>
+ #include <grub/gpt_partition.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+ 
+ #ifdef GRUB_UTIL
+ #include <grub/emu/misc.h>
+@@ -289,6 +290,7 @@ make_vg (grub_disk_t disk,
+       struct grub_ldm_vblk vblk[GRUB_DISK_SECTOR_SIZE
+ 				/ sizeof (struct grub_ldm_vblk)];
+       unsigned i;
++      grub_size_t sz;
+       err = grub_disk_read (disk, cursec, 0,
+ 			    sizeof(vblk), &vblk);
+       if (err)
+@@ -350,7 +352,13 @@ make_vg (grub_disk_t disk,
+ 	      grub_free (lv);
+ 	      goto fail2;
+ 	    }
+-	  lv->name = grub_malloc (*ptr + 1);
++	  if (grub_add (*ptr, 1, &sz))
++	    {
++	      grub_free (lv->internal_id);
++	      grub_free (lv);
++	      goto fail2;
++	    }
++	  lv->name = grub_malloc (sz);
+ 	  if (!lv->name)
+ 	    {
+ 	      grub_free (lv->internal_id);
+@@ -599,10 +607,13 @@ make_vg (grub_disk_t disk,
+ 	  if (lv->segments->node_alloc == lv->segments->node_count)
+ 	    {
+ 	      void *t;
+-	      lv->segments->node_alloc *= 2; 
+-	      t = grub_realloc (lv->segments->nodes,
+-				sizeof (*lv->segments->nodes)
+-				* lv->segments->node_alloc);
++	      grub_size_t sz;
++
++	      if (grub_mul (lv->segments->node_alloc, 2, &lv->segments->node_alloc) ||
++		  grub_mul (lv->segments->node_alloc, sizeof (*lv->segments->nodes), &sz))
++		goto fail2;
++
++	      t = grub_realloc (lv->segments->nodes, sz);
+ 	      if (!t)
+ 		goto fail2;
+ 	      lv->segments->nodes = t;
+@@ -723,10 +734,13 @@ make_vg (grub_disk_t disk,
+ 	      if (comp->segment_alloc == comp->segment_count)
+ 		{
+ 		  void *t;
+-		  comp->segment_alloc *= 2;
+-		  t = grub_realloc (comp->segments,
+-				    comp->segment_alloc
+-				    * sizeof (*comp->segments));
++		  grub_size_t sz;
++
++		  if (grub_mul (comp->segment_alloc, 2, &comp->segment_alloc) ||
++		      grub_mul (comp->segment_alloc, sizeof (*comp->segments), &sz))
++		    goto fail2;
++
++		  t = grub_realloc (comp->segments, sz);
+ 		  if (!t)
+ 		    goto fail2;
+ 		  comp->segments = t;
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 8e118b315..5edb477ac 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -30,6 +30,7 @@
+ #include <grub/unicode.h>
+ #include <grub/fontformat.h>
+ #include <grub/env.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -360,9 +361,13 @@ static char *
+ read_section_as_string (struct font_file_section *section)
+ {
+   char *str;
++  grub_size_t sz;
+   grub_ssize_t ret;
+ 
+-  str = grub_malloc (section->length + 1);
++  if (grub_add (section->length, 1, &sz))
++    return NULL;
++
++  str = grub_malloc (sz);
+   if (!str)
+     return 0;
+ 
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 11272efc1..2b65bd56a 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -40,6 +40,7 @@
+ #include <grub/btrfs.h>
+ #include <grub/crypto.h>
+ #include <grub/diskfilter.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -329,9 +330,13 @@ save_ref (struct grub_btrfs_leaf_descriptor *desc,
+   if (desc->allocated < desc->depth)
+     {
+       void *newdata;
+-      desc->allocated *= 2;
+-      newdata = grub_realloc (desc->data, sizeof (desc->data[0])
+-			      * desc->allocated);
++      grub_size_t sz;
++
++      if (grub_mul (desc->allocated, 2, &desc->allocated) ||
++	  grub_mul (desc->allocated, sizeof (desc->data[0]), &sz))
++	return GRUB_ERR_OUT_OF_RANGE;
++
++      newdata = grub_realloc (desc->data, sz);
+       if (!newdata)
+ 	return grub_errno;
+       desc->data = newdata;
+@@ -622,16 +627,21 @@ find_device (struct grub_btrfs_data *data, grub_uint64_t id)
+   if (data->n_devices_attached > data->n_devices_allocated)
+     {
+       void *tmp;
+-      data->n_devices_allocated = 2 * data->n_devices_attached + 1;
+-      data->devices_attached
+-	= grub_realloc (tmp = data->devices_attached,
+-			data->n_devices_allocated
+-			* sizeof (data->devices_attached[0]));
++      grub_size_t sz;
++
++      if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
++	  grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
++	  grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
++	goto fail;
++
++      data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
+       if (!data->devices_attached)
+ 	{
++	  data->devices_attached = tmp;
++
++ fail:
+ 	  if (ctx.dev_found)
+ 	    grub_device_close (ctx.dev_found);
+-	  data->devices_attached = tmp;
+ 	  return NULL;
+ 	}
+     }
+diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
+index 9b389802a..ac33bcd68 100644
+--- a/grub-core/fs/ext2.c
++++ b/grub-core/fs/ext2.c
+@@ -46,6 +46,7 @@
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -703,6 +704,7 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
+ {
+   char *symlink;
+   struct grub_fshelp_node *diro = node;
++  grub_size_t sz;
+ 
+   if (! diro->inode_read)
+     {
+@@ -717,7 +719,13 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
+        }
+     }
+ 
+-  symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1);
++  if (grub_add (grub_le_to_cpu32 (diro->inode.size), 1, &sz))
++    {
++      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++      return NULL;
++    }
++
++  symlink = grub_malloc (sz);
+   if (! symlink)
+     return 0;
+ 
+diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
+index 4f1b52a55..7ba5b300b 100644
+--- a/grub-core/fs/iso9660.c
++++ b/grub-core/fs/iso9660.c
+@@ -28,6 +28,7 @@
+ #include <grub/fshelp.h>
+ #include <grub/charset.h>
+ #include <grub/datetime.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -531,8 +532,13 @@ add_part (struct iterate_dir_ctx *ctx,
+ 	  int len2)
+ {
+   int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
++  grub_size_t sz;
+ 
+-  ctx->symlink = grub_realloc (ctx->symlink, size + len2 + 1);
++  if (grub_add (size, len2, &sz) ||
++      grub_add (sz, 1, &sz))
++    return;
++
++  ctx->symlink = grub_realloc (ctx->symlink, sz);
+   if (! ctx->symlink)
+     return;
+ 
+@@ -560,17 +566,24 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
+ 	{
+ 	  grub_size_t off = 0, csize = 1;
+ 	  char *old;
++	  grub_size_t sz;
++
+ 	  csize = entry->len - 5;
+ 	  old = ctx->filename;
+ 	  if (ctx->filename_alloc)
+ 	    {
+ 	      off = grub_strlen (ctx->filename);
+-	      ctx->filename = grub_realloc (ctx->filename, csize + off + 1);
++	      if (grub_add (csize, off, &sz) ||
++		  grub_add (sz, 1, &sz))
++		return GRUB_ERR_OUT_OF_RANGE;
++	      ctx->filename = grub_realloc (ctx->filename, sz);
+ 	    }
+ 	  else
+ 	    {
+ 	      off = 0;
+-	      ctx->filename = grub_zalloc (csize + 1);
++	      if (grub_add (csize, 1, &sz))
++		return GRUB_ERR_OUT_OF_RANGE;
++	      ctx->filename = grub_zalloc (sz);
+ 	    }
+ 	  if (!ctx->filename)
+ 	    {
+@@ -776,14 +789,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
+ 	    if (node->have_dirents >= node->alloc_dirents)
+ 	      {
+ 		struct grub_fshelp_node *new_node;
+-		node->alloc_dirents *= 2;
+-		new_node = grub_realloc (node, 
+-					 sizeof (struct grub_fshelp_node)
+-					 + ((node->alloc_dirents
+-					     - ARRAY_SIZE (node->dirents))
+-					    * sizeof (node->dirents[0])));
++		grub_size_t sz;
++
++		if (grub_mul (node->alloc_dirents, 2, &node->alloc_dirents) ||
++		    grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
++		    grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
++		    grub_add (sz, sizeof (struct grub_fshelp_node), &sz))
++		  goto fail_0;
++
++		new_node = grub_realloc (node, sz);
+ 		if (!new_node)
+ 		  {
++ fail_0:
+ 		    if (ctx.filename_alloc)
+ 		      grub_free (ctx.filename);
+ 		    grub_free (node);
+@@ -799,14 +816,18 @@ grub_iso9660_iterate_dir (grub_fshelp_node_t dir,
+ 		* sizeof (node->dirents[0]) < grub_strlen (ctx.symlink) + 1)
+ 	      {
+ 		struct grub_fshelp_node *new_node;
+-		new_node = grub_realloc (node,
+-					 sizeof (struct grub_fshelp_node)
+-					 + ((node->alloc_dirents
+-					     - ARRAY_SIZE (node->dirents))
+-					    * sizeof (node->dirents[0]))
+-					 + grub_strlen (ctx.symlink) + 1);
++		grub_size_t sz;
++
++		if (grub_sub (node->alloc_dirents, ARRAY_SIZE (node->dirents), &sz) ||
++		    grub_mul (sz, sizeof (node->dirents[0]), &sz) ||
++		    grub_add (sz, sizeof (struct grub_fshelp_node) + 1, &sz) ||
++		    grub_add (sz, grub_strlen (ctx.symlink), &sz))
++		  goto fail_1;
++
++		new_node = grub_realloc (node, sz);
+ 		if (!new_node)
+ 		  {
++ fail_1:
+ 		    if (ctx.filename_alloc)
+ 		      grub_free (ctx.filename);
+ 		    grub_free (node);
+diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
+index 90f7fb379..de2b107a4 100644
+--- a/grub-core/fs/sfs.c
++++ b/grub-core/fs/sfs.c
+@@ -26,6 +26,7 @@
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+ #include <grub/charset.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -307,10 +308,15 @@ grub_sfs_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
+       if (node->cache && node->cache_size >= node->cache_allocated)
+ 	{
+ 	  struct cache_entry *e = node->cache;
+-	  e = grub_realloc (node->cache,node->cache_allocated * 2
+-			    * sizeof (e[0]));
++	  grub_size_t sz;
++
++	  if (grub_mul (node->cache_allocated, 2 * sizeof (e[0]), &sz))
++	    goto fail;
++
++	  e = grub_realloc (node->cache, sz);
+ 	  if (!e)
+ 	    {
++ fail:
+ 	      grub_errno = 0;
+ 	      grub_free (node->cache);
+ 	      node->cache = 0;
+@@ -477,10 +483,16 @@ grub_sfs_create_node (struct grub_fshelp_node **node,
+   grub_size_t len = grub_strlen (name);
+   grub_uint8_t *name_u8;
+   int ret;
++  grub_size_t sz;
++
++  if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
++      grub_add (sz, 1, &sz))
++    return 1;
++
+   *node = grub_malloc (sizeof (**node));
+   if (!*node)
+     return 1;
+-  name_u8 = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
++  name_u8 = grub_malloc (sz);
+   if (!name_u8)
+     {
+       grub_free (*node);
+@@ -724,8 +736,13 @@ grub_sfs_label (grub_device_t device, char **label)
+   data = grub_sfs_mount (disk);
+   if (data)
+     {
+-      grub_size_t len = grub_strlen (data->label);
+-      *label = grub_malloc (len * GRUB_MAX_UTF8_PER_LATIN1 + 1);
++      grub_size_t sz, len = grub_strlen (data->label);
++
++      if (grub_mul (len, GRUB_MAX_UTF8_PER_LATIN1, &sz) ||
++	  grub_add (sz, 1, &sz))
++	return GRUB_ERR_OUT_OF_RANGE;
++
++      *label = grub_malloc (sz);
+       if (*label)
+ 	*grub_latin1_to_utf8 ((grub_uint8_t *) *label,
+ 			      (const grub_uint8_t *) data->label,
+diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
+index 95d5c1e1f..785123894 100644
+--- a/grub-core/fs/squash4.c
++++ b/grub-core/fs/squash4.c
+@@ -26,6 +26,7 @@
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+ #include <grub/deflate.h>
++#include <grub/safemath.h>
+ #include <minilzo.h>
+ 
+ #include "xz.h"
+@@ -459,7 +460,17 @@ grub_squash_read_symlink (grub_fshelp_node_t node)
+ {
+   char *ret;
+   grub_err_t err;
+-  ret = grub_malloc (grub_le_to_cpu32 (node->ino.symlink.namelen) + 1);
++  grub_size_t sz;
++
++  if (grub_add (grub_le_to_cpu32 (node->ino.symlink.namelen), 1, &sz))
++    {
++      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++      return NULL;
++    }
++
++  ret = grub_malloc (sz);
++  if (!ret)
++    return NULL;
+ 
+   err = read_chunk (node->data, ret,
+ 		    grub_le_to_cpu32 (node->ino.symlink.namelen),
+@@ -506,11 +517,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ 
+   {
+     grub_fshelp_node_t node;
+-    node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++    grub_size_t sz;
++
++    if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
++	grub_add (sz, sizeof (*node), &sz))
++      return 0;
++
++    node = grub_malloc (sz);
+     if (!node)
+       return 0;
+-    grub_memcpy (node, dir,
+-		 sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++    grub_memcpy (node, dir, sz);
+     if (hook (".", GRUB_FSHELP_DIR, node, hook_data))
+       return 1;
+ 
+@@ -518,12 +534,15 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+       {
+ 	grub_err_t err;
+ 
+-	node = grub_malloc (sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++	if (grub_mul (dir->stsize, sizeof (dir->stack[0]), &sz) ||
++	    grub_add (sz, sizeof (*node), &sz))
++	  return 0;
++
++	node = grub_malloc (sz);
+ 	if (!node)
+ 	  return 0;
+ 
+-	grub_memcpy (node, dir,
+-		     sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++	grub_memcpy (node, dir, sz);
+ 
+ 	node->stsize--;
+ 	err = read_chunk (dir->data, &node->ino, sizeof (node->ino),
+@@ -557,6 +576,7 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ 	  enum grub_fshelp_filetype filetype = GRUB_FSHELP_REG;
+ 	  struct grub_squash_dirent di;
+ 	  struct grub_squash_inode ino;
++	  grub_size_t sz;
+ 
+ 	  err = read_chunk (dir->data, &di, sizeof (di),
+ 			    grub_le_to_cpu64 (dir->data->sb.diroffset)
+@@ -589,13 +609,16 @@ grub_squash_iterate_dir (grub_fshelp_node_t dir,
+ 	  if (grub_le_to_cpu16 (di.type) == SQUASH_TYPE_SYMLINK)
+ 	    filetype = GRUB_FSHELP_SYMLINK;
+ 
+-	  node = grub_malloc (sizeof (*node)
+-			      + (dir->stsize + 1) * sizeof (dir->stack[0]));
++	  if (grub_add (dir->stsize, 1, &sz) ||
++	      grub_mul (sz, sizeof (dir->stack[0]), &sz) ||
++	      grub_add (sz, sizeof (*node), &sz))
++	    return 0;
++
++	  node = grub_malloc (sz);
+ 	  if (! node)
+ 	    return 0;
+ 
+-	  grub_memcpy (node, dir,
+-		       sizeof (*node) + dir->stsize * sizeof (dir->stack[0]));
++	  grub_memcpy (node, dir, sz - sizeof(dir->stack[0]));
+ 
+ 	  node->ino = ino;
+ 	  node->stack[node->stsize].ino_chunk = grub_le_to_cpu32 (dh.ino_chunk);
+diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
+index a83761674..21ac7f446 100644
+--- a/grub-core/fs/udf.c
++++ b/grub-core/fs/udf.c
+@@ -28,6 +28,7 @@
+ #include <grub/charset.h>
+ #include <grub/datetime.h>
+ #include <grub/udf.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -890,9 +891,19 @@ read_string (const grub_uint8_t *raw, grub_size_t sz, char *outbuf)
+ 	utf16[i] = (raw[2 * i + 1] << 8) | raw[2*i + 2];
+     }
+   if (!outbuf)
+-    outbuf = grub_malloc (utf16len * GRUB_MAX_UTF8_PER_UTF16 + 1);
++    {
++      grub_size_t size;
++
++      if (grub_mul (utf16len, GRUB_MAX_UTF8_PER_UTF16, &size) ||
++	  grub_add (size, 1, &size))
++	goto fail;
++
++      outbuf = grub_malloc (size);
++    }
+   if (outbuf)
+     *grub_utf16_to_utf8 ((grub_uint8_t *) outbuf, utf16, utf16len) = '\0';
++
++ fail:
+   grub_free (utf16);
+   return outbuf;
+ }
+@@ -1005,7 +1016,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+   grub_size_t sz = U64 (node->block.fe.file_size);
+   grub_uint8_t *raw;
+   const grub_uint8_t *ptr;
+-  char *out, *optr;
++  char *out = NULL, *optr;
+ 
+   if (sz < 4)
+     return NULL;
+@@ -1013,14 +1024,16 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+   if (!raw)
+     return NULL;
+   if (grub_udf_read_file (node, NULL, NULL, 0, sz, (char *) raw) < 0)
+-    {
+-      grub_free (raw);
+-      return NULL;
+-    }
++    goto fail_1;
+ 
+-  out = grub_malloc (sz * 2 + 1);
++  if (grub_mul (sz, 2, &sz) ||
++      grub_add (sz, 1, &sz))
++    goto fail_0;
++
++  out = grub_malloc (sz);
+   if (!out)
+     {
++ fail_0:
+       grub_free (raw);
+       return NULL;
+     }
+@@ -1031,17 +1044,17 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+     {
+       grub_size_t s;
+       if ((grub_size_t) (ptr - raw + 4) > sz)
+-	goto fail;
++	goto fail_1;
+       if (!(ptr[2] == 0 && ptr[3] == 0))
+-	goto fail;
++	goto fail_1;
+       s = 4 + ptr[1];
+       if ((grub_size_t) (ptr - raw + s) > sz)
+-	goto fail;
++	goto fail_1;
+       switch (*ptr)
+ 	{
+ 	case 1:
+ 	  if (ptr[1])
+-	    goto fail;
++	    goto fail_1;
+ 	  /* Fallthrough.  */
+ 	case 2:
+ 	  /* in 4 bytes. out: 1 byte.  */
+@@ -1066,11 +1079,11 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+ 	  if (optr != out)
+ 	    *optr++ = '/';
+ 	  if (!read_string (ptr + 4, s - 4, optr))
+-	    goto fail;
++	    goto fail_1;
+ 	  optr += grub_strlen (optr);
+ 	  break;
+ 	default:
+-	  goto fail;
++	  goto fail_1;
+ 	}
+       ptr += s;
+     }
+@@ -1078,7 +1091,7 @@ grub_udf_read_symlink (grub_fshelp_node_t node)
+   grub_free (raw);
+   return out;
+ 
+- fail:
++ fail_1:
+   grub_free (raw);
+   grub_free (out);
+   grub_error (GRUB_ERR_BAD_FS, "invalid symlink");
+diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
+index 96ffecbfc..ea6590290 100644
+--- a/grub-core/fs/xfs.c
++++ b/grub-core/fs/xfs.c
+@@ -25,6 +25,7 @@
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -899,6 +900,7 @@ static struct grub_xfs_data *
+ grub_xfs_mount (grub_disk_t disk)
+ {
+   struct grub_xfs_data *data = 0;
++  grub_size_t sz;
+ 
+   data = grub_zalloc (sizeof (struct grub_xfs_data));
+   if (!data)
+@@ -913,10 +915,11 @@ grub_xfs_mount (grub_disk_t disk)
+   if (!grub_xfs_sb_valid(data))
+     goto fail;
+ 
+-  data = grub_realloc (data,
+-		       sizeof (struct grub_xfs_data)
+-		       - sizeof (struct grub_xfs_inode)
+-		       + grub_xfs_inode_size(data) + 1);
++  if (grub_add (grub_xfs_inode_size (data),
++      sizeof (struct grub_xfs_data) - sizeof (struct grub_xfs_inode) + 1, &sz))
++    goto fail;
++
++  data = grub_realloc (data, sz);
+ 
+   if (! data)
+     goto fail;
+diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
+index 381dde556..36d0373a6 100644
+--- a/grub-core/fs/zfs/zfs.c
++++ b/grub-core/fs/zfs/zfs.c
+@@ -55,6 +55,7 @@
+ #include <grub/deflate.h>
+ #include <grub/crypto.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -773,11 +774,14 @@ fill_vdev_info (struct grub_zfs_data *data,
+   if (data->n_devices_attached > data->n_devices_allocated)
+     {
+       void *tmp;
+-      data->n_devices_allocated = 2 * data->n_devices_attached + 1;
+-      data->devices_attached
+-	= grub_realloc (tmp = data->devices_attached,
+-			data->n_devices_allocated
+-			* sizeof (data->devices_attached[0]));
++      grub_size_t sz;
++
++      if (grub_mul (data->n_devices_attached, 2, &data->n_devices_allocated) ||
++	  grub_add (data->n_devices_allocated, 1, &data->n_devices_allocated) ||
++	  grub_mul (data->n_devices_allocated, sizeof (data->devices_attached[0]), &sz))
++	return GRUB_ERR_OUT_OF_RANGE;
++
++      data->devices_attached = grub_realloc (tmp = data->devices_attached, sz);
+       if (!data->devices_attached)
+ 	{
+ 	  data->devices_attached = tmp;
+@@ -3468,14 +3472,18 @@ grub_zfs_nvlist_lookup_nvlist (const char *nvlist, const char *name)
+ {
+   char *nvpair;
+   char *ret;
+-  grub_size_t size;
++  grub_size_t size, sz;
+   int found;
+ 
+   found = nvlist_find_value (nvlist, name, DATA_TYPE_NVLIST, &nvpair,
+ 			     &size, 0);
+   if (!found)
+     return 0;
+-  ret = grub_zalloc (size + 3 * sizeof (grub_uint32_t));
++
++  if (grub_add (size, 3 * sizeof (grub_uint32_t), &sz))
++      return 0;
++
++  ret = grub_zalloc (sz);
+   if (!ret)
+     return 0;
+   grub_memcpy (ret, nvlist, sizeof (grub_uint32_t));
+diff --git a/grub-core/fs/zfs/zfscrypt.c b/grub-core/fs/zfs/zfscrypt.c
+index 1402e0bc2..de3b015f5 100644
+--- a/grub-core/fs/zfs/zfscrypt.c
++++ b/grub-core/fs/zfs/zfscrypt.c
+@@ -22,6 +22,7 @@
+ #include <grub/misc.h>
+ #include <grub/disk.h>
+ #include <grub/partition.h>
++#include <grub/safemath.h>
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/zfs/zfs.h>
+@@ -82,9 +83,13 @@ grub_zfs_add_key (grub_uint8_t *key_in,
+ 		  int passphrase)
+ {
+   struct grub_zfs_wrap_key *key;
++  grub_size_t sz;
++
+   if (!passphrase && keylen > 32)
+     keylen = 32;
+-  key = grub_malloc (sizeof (*key) + keylen);
++  if (grub_add (sizeof (*key), keylen, &sz))
++    return GRUB_ERR_OUT_OF_RANGE;
++  key = grub_malloc (sz);
+   if (!key)
+     return grub_errno;
+   key->is_passphrase = passphrase;
+diff --git a/grub-core/lib/arg.c b/grub-core/lib/arg.c
+index fd7744a6f..3288609a5 100644
+--- a/grub-core/lib/arg.c
++++ b/grub-core/lib/arg.c
+@@ -23,6 +23,7 @@
+ #include <grub/term.h>
+ #include <grub/extcmd.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+ 
+ /* Built-in parser for default options.  */
+ static const struct grub_arg_option help_options[] =
+@@ -216,7 +217,13 @@ static inline grub_err_t
+ add_arg (char ***argl, int *num, char *s)
+ {
+   char **p = *argl;
+-  *argl = grub_realloc (*argl, (++(*num) + 1) * sizeof (char *));
++  grub_size_t sz;
++
++  if (grub_add (++(*num), 1, &sz) ||
++      grub_mul (sz, sizeof (char *), &sz))
++    return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
++  *argl = grub_realloc (*argl, sz);
+   if (! *argl)
+     {
+       grub_free (p);
+@@ -431,6 +438,7 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc,
+   grub_size_t argcnt;
+   struct grub_arg_list *list;
+   const struct grub_arg_option *options;
++  grub_size_t sz0, sz1;
+ 
+   options = extcmd->options;
+   if (! options)
+@@ -443,7 +451,15 @@ grub_arg_list_alloc(grub_extcmd_t extcmd, int argc,
+ 	argcnt += ((grub_size_t) argc + 1) / 2 + 1; /* max possible for any option */
+     }
+ 
+-  list = grub_zalloc (sizeof (*list) * i + sizeof (char*) * argcnt);
++  if (grub_mul (sizeof (*list), i, &sz0) ||
++      grub_mul (sizeof (char *), argcnt, &sz1) ||
++      grub_add (sz0, sz1, &sz0))
++    {
++      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++      return 0;
++    }
++
++  list = grub_zalloc (sz0);
+   if (! list)
+     return 0;
+ 
+diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
+index 3730ed382..b92cbe98d 100644
+--- a/grub-core/loader/i386/bsd.c
++++ b/grub-core/loader/i386/bsd.c
+@@ -35,6 +35,7 @@
+ #include <grub/ns8250.h>
+ #include <grub/bsdlabel.h>
+ #include <grub/crypto.h>
++#include <grub/safemath.h>
+ #include <grub/verify.h>
+ #ifdef GRUB_MACHINE_PCBIOS
+ #include <grub/machine/int.h>
+@@ -1012,11 +1013,16 @@ grub_netbsd_add_modules (void)
+   struct grub_netbsd_btinfo_modules *mods;
+   unsigned i;
+   grub_err_t err;
++  grub_size_t sz;
+ 
+   for (mod = netbsd_mods; mod; mod = mod->next)
+     modcnt++;
+ 
+-  mods = grub_malloc (sizeof (*mods) + sizeof (mods->mods[0]) * modcnt);
++  if (grub_mul (modcnt, sizeof (mods->mods[0]), &sz) ||
++      grub_add (sz, sizeof (*mods), &sz))
++    return GRUB_ERR_OUT_OF_RANGE;
++
++  mods = grub_malloc (sz);
+   if (!mods)
+     return grub_errno;
+ 
+diff --git a/grub-core/net/dns.c b/grub-core/net/dns.c
+index e332d5eb4..906ec7d67 100644
+--- a/grub-core/net/dns.c
++++ b/grub-core/net/dns.c
+@@ -22,6 +22,7 @@
+ #include <grub/i18n.h>
+ #include <grub/err.h>
+ #include <grub/time.h>
++#include <grub/safemath.h>
+ 
+ struct dns_cache_element
+ {
+@@ -51,9 +52,15 @@ grub_net_add_dns_server (const struct grub_net_network_level_address *s)
+     {
+       int na = dns_servers_alloc * 2;
+       struct grub_net_network_level_address *ns;
++      grub_size_t sz;
++
+       if (na < 8)
+ 	na = 8;
+-      ns = grub_realloc (dns_servers, na * sizeof (ns[0]));
++
++      if (grub_mul (na, sizeof (ns[0]), &sz))
++	return GRUB_ERR_OUT_OF_RANGE;
++
++      ns = grub_realloc (dns_servers, sz);
+       if (!ns)
+ 	return grub_errno;
+       dns_servers_alloc = na;
+diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c
+index d57fb72fa..4dfcc3107 100644
+--- a/grub-core/normal/charset.c
++++ b/grub-core/normal/charset.c
+@@ -48,6 +48,7 @@
+ #include <grub/unicode.h>
+ #include <grub/term.h>
+ #include <grub/normal.h>
++#include <grub/safemath.h>
+ 
+ #if HAVE_FONT_SOURCE
+ #include "widthspec.h"
+@@ -464,6 +465,7 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
+ 	{
+ 	  struct grub_unicode_combining *n;
+ 	  unsigned j;
++	  grub_size_t sz;
+ 
+ 	  if (!haveout)
+ 	    continue;
+@@ -477,10 +479,14 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen,
+ 	    n = out->combining_inline;
+ 	  else if (out->ncomb > (int) ARRAY_SIZE (out->combining_inline))
+ 	    {
+-	      n = grub_realloc (out->combining_ptr,
+-				sizeof (n[0]) * (out->ncomb + 1));
++	      if (grub_add (out->ncomb, 1, &sz) ||
++		  grub_mul (sz, sizeof (n[0]), &sz))
++		goto fail;
++
++	      n = grub_realloc (out->combining_ptr, sz);
+ 	      if (!n)
+ 		{
++ fail:
+ 		  grub_errno = GRUB_ERR_NONE;
+ 		  continue;
+ 		}
+diff --git a/grub-core/normal/cmdline.c b/grub-core/normal/cmdline.c
+index c57242e2e..de03fe63b 100644
+--- a/grub-core/normal/cmdline.c
++++ b/grub-core/normal/cmdline.c
+@@ -28,6 +28,7 @@
+ #include <grub/env.h>
+ #include <grub/i18n.h>
+ #include <grub/charset.h>
++#include <grub/safemath.h>
+ 
+ static grub_uint32_t *kill_buf;
+ 
+@@ -307,12 +308,21 @@ cl_insert (struct cmdline_term *cl_terms, unsigned nterms,
+   if (len + (*llen) >= (*max_len))
+     {
+       grub_uint32_t *nbuf;
+-      (*max_len) *= 2;
+-      nbuf = grub_realloc ((*buf), sizeof (grub_uint32_t) * (*max_len));
++      grub_size_t sz;
++
++      if (grub_mul (*max_len, 2, max_len) ||
++	  grub_mul (*max_len, sizeof (grub_uint32_t), &sz))
++	{
++	  grub_errno = GRUB_ERR_OUT_OF_RANGE;
++	  goto fail;
++	}
++
++      nbuf = grub_realloc ((*buf), sz);
+       if (nbuf)
+ 	(*buf) = nbuf;
+       else
+ 	{
++ fail:
+ 	  grub_print_error ();
+ 	  grub_errno = GRUB_ERR_NONE;
+ 	  (*max_len) /= 2;
+diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
+index 1993995be..50eef918c 100644
+--- a/grub-core/normal/menu_entry.c
++++ b/grub-core/normal/menu_entry.c
+@@ -27,6 +27,7 @@
+ #include <grub/auth.h>
+ #include <grub/i18n.h>
+ #include <grub/charset.h>
++#include <grub/safemath.h>
+ 
+ enum update_mode
+   {
+@@ -113,10 +114,18 @@ ensure_space (struct line *linep, int extra)
+ {
+   if (linep->max_len < linep->len + extra)
+     {
+-      linep->max_len = 2 * (linep->len + extra);
+-      linep->buf = grub_realloc (linep->buf, (linep->max_len + 1) * sizeof (linep->buf[0]));
++      grub_size_t sz0, sz1;
++
++      if (grub_add (linep->len, extra, &sz0) ||
++	  grub_mul (sz0, 2, &sz0) ||
++	  grub_add (sz0, 1, &sz1) ||
++	  grub_mul (sz1, sizeof (linep->buf[0]), &sz1))
++	return 0;
++
++      linep->buf = grub_realloc (linep->buf, sz1);
+       if (! linep->buf)
+ 	return 0;
++      linep->max_len = sz0;
+     }
+ 
+   return 1;
+diff --git a/grub-core/script/argv.c b/grub-core/script/argv.c
+index 217ec5d1e..5751fdd57 100644
+--- a/grub-core/script/argv.c
++++ b/grub-core/script/argv.c
+@@ -20,6 +20,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/script_sh.h>
++#include <grub/safemath.h>
+ 
+ /* Return nearest power of two that is >= v.  */
+ static unsigned
+@@ -81,11 +82,16 @@ int
+ grub_script_argv_next (struct grub_script_argv *argv)
+ {
+   char **p = argv->args;
++  grub_size_t sz;
+ 
+   if (argv->args && argv->argc && argv->args[argv->argc - 1] == 0)
+     return 0;
+ 
+-  p = grub_realloc (p, round_up_exp ((argv->argc + 2) * sizeof (char *)));
++  if (grub_add (argv->argc, 2, &sz) ||
++      grub_mul (sz, sizeof (char *), &sz))
++    return 1;
++
++  p = grub_realloc (p, round_up_exp (sz));
+   if (! p)
+     return 1;
+ 
+@@ -105,13 +111,19 @@ grub_script_argv_append (struct grub_script_argv *argv, const char *s,
+ {
+   grub_size_t a;
+   char *p = argv->args[argv->argc - 1];
++  grub_size_t sz;
+ 
+   if (! s)
+     return 0;
+ 
+   a = p ? grub_strlen (p) : 0;
+ 
+-  p = grub_realloc (p, round_up_exp ((a + slen + 1) * sizeof (char)));
++  if (grub_add (a, slen, &sz) ||
++      grub_add (sz, 1, &sz) ||
++      grub_mul (sz, sizeof (char), &sz))
++    return 1;
++
++  p = grub_realloc (p, round_up_exp (sz));
+   if (! p)
+     return 1;
+ 
+diff --git a/grub-core/script/lexer.c b/grub-core/script/lexer.c
+index c6bd3172f..5fb0cbd0b 100644
+--- a/grub-core/script/lexer.c
++++ b/grub-core/script/lexer.c
+@@ -24,6 +24,7 @@
+ #include <grub/mm.h>
+ #include <grub/script_sh.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+ 
+ #define yytext_ptr char *
+ #include "grub_script.tab.h"
+@@ -110,10 +111,14 @@ grub_script_lexer_record (struct grub_parser_param *parser, char *str)
+       old = lexer->recording;
+       if (lexer->recordlen < len)
+ 	lexer->recordlen = len;
+-      lexer->recordlen *= 2;
++
++      if (grub_mul (lexer->recordlen, 2, &lexer->recordlen))
++	goto fail;
++
+       lexer->recording = grub_realloc (lexer->recording, lexer->recordlen);
+       if (!lexer->recording)
+ 	{
++ fail:
+ 	  grub_free (old);
+ 	  lexer->recordpos = 0;
+ 	  lexer->recordlen = 0;
+@@ -130,7 +135,7 @@ int
+ grub_script_lexer_yywrap (struct grub_parser_param *parserstate,
+ 			  const char *input)
+ {
+-  grub_size_t len = 0;
++  grub_size_t len = 0, sz;
+   char *p = 0;
+   char *line = 0;
+   YY_BUFFER_STATE buffer;
+@@ -168,12 +173,22 @@ grub_script_lexer_yywrap (struct grub_parser_param *parserstate,
+     }
+   else if (len && line[len - 1] != '\n')
+     {
+-      p = grub_realloc (line, len + 2);
++      if (grub_add (len, 2, &sz))
++	{
++	  grub_free (line);
++	  grub_script_yyerror (parserstate, N_("overflow is detected"));
++	  return 1;
++	}
++
++      p = grub_realloc (line, sz);
+       if (p)
+ 	{
+ 	  p[len++] = '\n';
+ 	  p[len] = '\0';
+ 	}
++      else
++	grub_free (line);
++
+       line = p;
+     }
+ 
+diff --git a/grub-core/video/bitmap.c b/grub-core/video/bitmap.c
+index b2e031566..6256e209a 100644
+--- a/grub-core/video/bitmap.c
++++ b/grub-core/video/bitmap.c
+@@ -23,6 +23,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -58,7 +59,7 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap,
+                           enum grub_video_blit_format blit_format)
+ {
+   struct grub_video_mode_info *mode_info;
+-  unsigned int size;
++  grub_size_t size;
+ 
+   if (!bitmap)
+     return grub_error (GRUB_ERR_BUG, "invalid argument");
+@@ -137,19 +138,25 @@ grub_video_bitmap_create (struct grub_video_bitmap **bitmap,
+ 
+   mode_info->pitch = width * mode_info->bytes_per_pixel;
+ 
+-  /* Calculate size needed for the data.  */
+-  size = (width * mode_info->bytes_per_pixel) * height;
++  /* Calculate size needed for the data. */
++  if (grub_mul (width, mode_info->bytes_per_pixel, &size) ||
++      grub_mul (size, height, &size))
++    {
++      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++      goto fail;
++    }
+ 
+   (*bitmap)->data = grub_zalloc (size);
+   if (! (*bitmap)->data)
+-    {
+-      grub_free (*bitmap);
+-      *bitmap = 0;
+-
+-      return grub_errno;
+-    }
++    goto fail;
+ 
+   return GRUB_ERR_NONE;
++
++ fail:
++  grub_free (*bitmap);
++  *bitmap = NULL;
++
++  return grub_errno;
+ }
+ 
+ /* Frees all resources allocated by bitmap.  */
+diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c
+index 61bd64537..0157ff742 100644
+--- a/grub-core/video/readers/png.c
++++ b/grub-core/video/readers/png.c
+@@ -23,6 +23,7 @@
+ #include <grub/mm.h>
+ #include <grub/misc.h>
+ #include <grub/bufio.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -301,9 +302,17 @@ grub_png_decode_image_header (struct grub_png_data *data)
+       data->bpp <<= 1;
+ 
+   data->color_bits = color_bits;
+-  data->row_bytes = data->image_width * data->bpp;
++
++  if (grub_mul (data->image_width, data->bpp, &data->row_bytes))
++    return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
+   if (data->color_bits <= 4)
+-    data->row_bytes = (data->image_width * data->color_bits + 7) / 8;
++    {
++      if (grub_mul (data->image_width, data->color_bits + 7, &data->row_bytes))
++	return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++
++      data->row_bytes >>= 3;
++    }
+ 
+ #ifndef GRUB_CPU_WORDS_BIGENDIAN
+   if (data->is_16bit || data->is_gray || data->is_palette)
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0007-iso9660-Don-t-leak-memory-on-realloc-failures.patch b/buildroot/boot/grub2/0007-iso9660-Don-t-leak-memory-on-realloc-failures.patch
new file mode 100644
index 000000000..6b0aee080
--- /dev/null
+++ b/buildroot/boot/grub2/0007-iso9660-Don-t-leak-memory-on-realloc-failures.patch
@@ -0,0 +1,72 @@
+From e0dd17a3ce79c6622dc78c96e1f2ef1b20e2bf7b Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Sat, 4 Jul 2020 12:25:09 -0400
+Subject: [PATCH] iso9660: Don't leak memory on realloc() failures
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/fs/iso9660.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
+index 7ba5b300b..5ec4433b8 100644
+--- a/grub-core/fs/iso9660.c
++++ b/grub-core/fs/iso9660.c
+@@ -533,14 +533,20 @@ add_part (struct iterate_dir_ctx *ctx,
+ {
+   int size = ctx->symlink ? grub_strlen (ctx->symlink) : 0;
+   grub_size_t sz;
++  char *new;
+ 
+   if (grub_add (size, len2, &sz) ||
+       grub_add (sz, 1, &sz))
+     return;
+ 
+-  ctx->symlink = grub_realloc (ctx->symlink, sz);
+-  if (! ctx->symlink)
+-    return;
++  new = grub_realloc (ctx->symlink, sz);
++  if (!new)
++    {
++      grub_free (ctx->symlink);
++      ctx->symlink = NULL;
++      return;
++    }
++  ctx->symlink = new;
+ 
+   grub_memcpy (ctx->symlink + size, part, len2);
+   ctx->symlink[size + len2] = 0;  
+@@ -634,7 +640,12 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
+ 		   is the length.  Both are part of the `Component
+ 		   Record'.  */
+ 		if (ctx->symlink && !ctx->was_continue)
+-		  add_part (ctx, "/", 1);
++		  {
++		    add_part (ctx, "/", 1);
++		    if (grub_errno)
++		      return grub_errno;
++		  }
++
+ 		add_part (ctx, (char *) &entry->data[pos + 2],
+ 			  entry->data[pos + 1]);
+ 		ctx->was_continue = (entry->data[pos] & 1);
+@@ -653,6 +664,11 @@ susp_iterate_dir (struct grub_iso9660_susp_entry *entry,
+ 	      add_part (ctx, "/", 1);
+ 	      break;
+ 	    }
++
++	  /* Check if grub_realloc() failed in add_part(). */
++	  if (grub_errno)
++	    return grub_errno;
++
+ 	  /* In pos + 1 the length of the `Component Record' is
+ 	     stored.  */
+ 	  pos += entry->data[pos + 1] + 2;
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0008-font-Do-not-load-more-than-one-NAME-section.patch b/buildroot/boot/grub2/0008-font-Do-not-load-more-than-one-NAME-section.patch
new file mode 100644
index 000000000..f4616292f
--- /dev/null
+++ b/buildroot/boot/grub2/0008-font-Do-not-load-more-than-one-NAME-section.patch
@@ -0,0 +1,41 @@
+From 73bc7a964c9496d5b0f00dbd69959dacf5adcebe Mon Sep 17 00:00:00 2001
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Tue, 7 Jul 2020 15:36:26 +0200
+Subject: [PATCH] font: Do not load more than one NAME section
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The GRUB font file can have one NAME section only. Though if somebody
+crafts a broken font file with many NAME sections and loads it then the
+GRUB leaks memory. So, prevent against that by loading first NAME
+section and failing in controlled way on following one.
+
+Reported-by: Chris Coulson <chris.coulson@canonical.com>
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/font/font.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/grub-core/font/font.c b/grub-core/font/font.c
+index 5edb477ac..d09bb38d8 100644
+--- a/grub-core/font/font.c
++++ b/grub-core/font/font.c
+@@ -532,6 +532,12 @@ grub_font_load (const char *filename)
+       if (grub_memcmp (section.name, FONT_FORMAT_SECTION_NAMES_FONT_NAME,
+ 		       sizeof (FONT_FORMAT_SECTION_NAMES_FONT_NAME) - 1) == 0)
+ 	{
++	  if (font->name != NULL)
++	    {
++	      grub_error (GRUB_ERR_BAD_FONT, "invalid font file: too many NAME sections");
++	      goto fail;
++	    }
++
+ 	  font->name = read_section_as_string (&section);
+ 	  if (!font->name)
+ 	    goto fail;
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0009-gfxmenu-Fix-double-free-in-load_image.patch b/buildroot/boot/grub2/0009-gfxmenu-Fix-double-free-in-load_image.patch
new file mode 100644
index 000000000..732d16664
--- /dev/null
+++ b/buildroot/boot/grub2/0009-gfxmenu-Fix-double-free-in-load_image.patch
@@ -0,0 +1,39 @@
+From 9ff609f0e7798bc5fb04f791131c98e7693bdd9b Mon Sep 17 00:00:00 2001
+From: Alexey Makhalov <amakhalov@vmware.com>
+Date: Wed, 8 Jul 2020 20:41:56 +0000
+Subject: [PATCH] gfxmenu: Fix double free in load_image()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+self->bitmap should be zeroed after free. Otherwise, there is a chance
+to double free (USE_AFTER_FREE) it later in rescale_image().
+
+Fixes: CID 292472
+
+Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/gfxmenu/gui_image.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/gfxmenu/gui_image.c b/grub-core/gfxmenu/gui_image.c
+index 29784ed2d..6b2e976f1 100644
+--- a/grub-core/gfxmenu/gui_image.c
++++ b/grub-core/gfxmenu/gui_image.c
+@@ -195,7 +195,10 @@ load_image (grub_gui_image_t self, const char *path)
+     return grub_errno;
+ 
+   if (self->bitmap && (self->bitmap != self->raw_bitmap))
+-    grub_video_bitmap_destroy (self->bitmap);
++    {
++      grub_video_bitmap_destroy (self->bitmap);
++      self->bitmap = 0;
++    }
+   if (self->raw_bitmap)
+     grub_video_bitmap_destroy (self->raw_bitmap);
+ 
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0010-xnu-Fix-double-free-in-grub_xnu_devprop_add_property.patch b/buildroot/boot/grub2/0010-xnu-Fix-double-free-in-grub_xnu_devprop_add_property.patch
new file mode 100644
index 000000000..72cf58d44
--- /dev/null
+++ b/buildroot/boot/grub2/0010-xnu-Fix-double-free-in-grub_xnu_devprop_add_property.patch
@@ -0,0 +1,58 @@
+From dc9777dc17697b196c415c53187a55861d41fd2a Mon Sep 17 00:00:00 2001
+From: Alexey Makhalov <amakhalov@vmware.com>
+Date: Wed, 8 Jul 2020 21:30:43 +0000
+Subject: [PATCH] xnu: Fix double free in grub_xnu_devprop_add_property()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+grub_xnu_devprop_add_property() should not free utf8 and utf16 as it get
+allocated and freed in the caller.
+
+Minor improvement: do prop fields initialization after memory allocations.
+
+Fixes: CID 292442, CID 292457, CID 292460, CID 292466
+
+Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/loader/i386/xnu.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c
+index b7d176b5d..e9e119259 100644
+--- a/grub-core/loader/i386/xnu.c
++++ b/grub-core/loader/i386/xnu.c
+@@ -262,20 +262,19 @@ grub_xnu_devprop_add_property (struct grub_xnu_devprop_device_descriptor *dev,
+   if (!prop)
+     return grub_errno;
+ 
+-  prop->name = utf8;
+-  prop->name16 = utf16;
+-  prop->name16len = utf16len;
+-
+-  prop->length = datalen;
+-  prop->data = grub_malloc (prop->length);
++  prop->data = grub_malloc (datalen);
+   if (!prop->data)
+     {
+-      grub_free (prop->name);
+-      grub_free (prop->name16);
+       grub_free (prop);
+       return grub_errno;
+     }
+-  grub_memcpy (prop->data, data, prop->length);
++  grub_memcpy (prop->data, data, datalen);
++
++  prop->name = utf8;
++  prop->name16 = utf16;
++  prop->name16len = utf16len;
++  prop->length = datalen;
++
+   grub_list_push (GRUB_AS_LIST_P (&dev->properties),
+ 		  GRUB_AS_LIST (prop));
+   return GRUB_ERR_NONE;
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0011-lzma-Make-sure-we-don-t-dereference-past-array.patch b/buildroot/boot/grub2/0011-lzma-Make-sure-we-don-t-dereference-past-array.patch
new file mode 100644
index 000000000..a7d5a48e5
--- /dev/null
+++ b/buildroot/boot/grub2/0011-lzma-Make-sure-we-don-t-dereference-past-array.patch
@@ -0,0 +1,55 @@
+From 78829f0c230680e386fff9f420bb1631bc20f761 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Thu, 9 Jul 2020 03:05:23 +0000
+Subject: [PATCH] lzma: Make sure we don't dereference past array
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The two dimensional array p->posSlotEncoder[4][64] is being dereferenced
+using the GetLenToPosState() macro which checks if len is less than 5,
+and if so subtracts 2 from it. If len = 0, that is 0 - 2 = 4294967294.
+Obviously we don't want to dereference that far out so we check if the
+position found is greater or equal kNumLenToPosStates (4) and bail out.
+
+N.B.: Upstream LZMA 18.05 and later has this function completely rewritten
+without any history.
+
+Fixes: CID 51526
+
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/lib/LzmaEnc.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/lib/LzmaEnc.c b/grub-core/lib/LzmaEnc.c
+index f2ec04a8c..753e56a95 100644
+--- a/grub-core/lib/LzmaEnc.c
++++ b/grub-core/lib/LzmaEnc.c
+@@ -1877,13 +1877,19 @@ static SRes LzmaEnc_CodeOneBlock(CLzmaEnc *p, Bool useLimits, UInt32 maxPackSize
+       }
+       else
+       {
+-        UInt32 posSlot;
++        UInt32 posSlot, lenToPosState;
+         RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0);
+         p->state = kMatchNextStates[p->state];
+         LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, posState, !p->fastMode, p->ProbPrices);
+         pos -= LZMA_NUM_REPS;
+         GetPosSlot(pos, posSlot);
+-        RcTree_Encode(&p->rc, p->posSlotEncoder[GetLenToPosState(len)], kNumPosSlotBits, posSlot);
++        lenToPosState = GetLenToPosState(len);
++        if (lenToPosState >= kNumLenToPosStates)
++        {
++          p->result = SZ_ERROR_DATA;
++          return CheckErrors(p);
++        }
++        RcTree_Encode(&p->rc, p->posSlotEncoder[lenToPosState], kNumPosSlotBits, posSlot);
+ 
+         if (posSlot >= kStartPosModelIndex)
+         {
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0012-term-Fix-overflow-on-user-inputs.patch b/buildroot/boot/grub2/0012-term-Fix-overflow-on-user-inputs.patch
new file mode 100644
index 000000000..77b01a481
--- /dev/null
+++ b/buildroot/boot/grub2/0012-term-Fix-overflow-on-user-inputs.patch
@@ -0,0 +1,69 @@
+From 8d3b6f9da468f666e3a7976657f2ab5c52762a21 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Tue, 7 Jul 2020 15:12:25 -0400
+Subject: [PATCH] term: Fix overflow on user inputs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This requires a very weird input from the serial interface but can cause
+an overflow in input_buf (keys) overwriting the next variable (npending)
+with the user choice:
+
+(pahole output)
+
+struct grub_terminfo_input_state {
+        int                        input_buf[6];         /*     0    24 */
+        int                        npending;             /*    24     4 */ <- CORRUPT
+        ...snip...
+
+The magic string requires causing this is "ESC,O,],0,1,2,q" and we overflow
+npending with "q" (aka increase npending to 161). The simplest fix is to
+just to disallow overwrites input_buf, which exactly what this patch does.
+
+Fixes: CID 292449
+
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/term/terminfo.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/term/terminfo.c b/grub-core/term/terminfo.c
+index d317efa36..5fa94c0c3 100644
+--- a/grub-core/term/terminfo.c
++++ b/grub-core/term/terminfo.c
+@@ -398,7 +398,7 @@ grub_terminfo_getwh (struct grub_term_output *term)
+ }
+ 
+ static void
+-grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len,
++grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len, int max_len,
+ 		       int (*readkey) (struct grub_term_input *term))
+ {
+   int c;
+@@ -414,6 +414,9 @@ grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len,
+     if (c == -1)						\
+       return;							\
+ 								\
++    if (*len >= max_len)                                       \
++      return;                                                   \
++                                                                \
+     keys[*len] = c;						\
+     (*len)++;							\
+   }
+@@ -602,8 +605,8 @@ grub_terminfo_getkey (struct grub_term_input *termi)
+       return ret;
+     }
+ 
+-  grub_terminfo_readkey (termi, data->input_buf,
+-			 &data->npending, data->readkey);
++  grub_terminfo_readkey (termi, data->input_buf, &data->npending,
++			 GRUB_TERMINFO_READKEY_MAX_LEN, data->readkey);
+ 
+ #if defined(__powerpc__) && defined(GRUB_MACHINE_IEEE1275)
+   if (data->npending == 1 && data->input_buf[0] == GRUB_TERM_ESC
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0013-udf-Fix-memory-leak.patch b/buildroot/boot/grub2/0013-udf-Fix-memory-leak.patch
new file mode 100644
index 000000000..d79de9059
--- /dev/null
+++ b/buildroot/boot/grub2/0013-udf-Fix-memory-leak.patch
@@ -0,0 +1,59 @@
+From 748b691761d31bfff7e9d0d210caa606294c2b52 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Tue, 7 Jul 2020 22:02:31 -0400
+Subject: [PATCH] udf: Fix memory leak
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CID 73796
+
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/fs/udf.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
+index 21ac7f446..2ac5c1d00 100644
+--- a/grub-core/fs/udf.c
++++ b/grub-core/fs/udf.c
+@@ -965,8 +965,10 @@ grub_udf_iterate_dir (grub_fshelp_node_t dir,
+ 	    return 0;
+ 
+           if (grub_udf_read_icb (dir->data, &dirent.icb, child))
+-	    return 0;
+-
++	    {
++	      grub_free (child);
++	      return 0;
++	    }
+           if (dirent.characteristics & GRUB_UDF_FID_CHAR_PARENT)
+ 	    {
+ 	      /* This is the parent directory.  */
+@@ -988,11 +990,18 @@ grub_udf_iterate_dir (grub_fshelp_node_t dir,
+ 				       dirent.file_ident_length,
+ 				       (char *) raw))
+ 		  != dirent.file_ident_length)
+-		return 0;
++		{
++		  grub_free (child);
++		  return 0;
++		}
+ 
+ 	      filename = read_string (raw, dirent.file_ident_length, 0);
+ 	      if (!filename)
+-		grub_print_error ();
++		{
++		  /* As the hook won't get called. */
++		  grub_free (child);
++		  grub_print_error ();
++		}
+ 
+ 	      if (filename && hook (filename, type, child, hook_data))
+ 		{
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0014-multiboot2-Fix-memory-leak-if-grub_create_loader_cmd.patch b/buildroot/boot/grub2/0014-multiboot2-Fix-memory-leak-if-grub_create_loader_cmd.patch
new file mode 100644
index 000000000..f3e2a0414
--- /dev/null
+++ b/buildroot/boot/grub2/0014-multiboot2-Fix-memory-leak-if-grub_create_loader_cmd.patch
@@ -0,0 +1,38 @@
+From 49bf3faa106498e151306fc780c63194a14751e3 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Fri, 26 Jun 2020 10:51:43 -0400
+Subject: [PATCH] multiboot2: Fix memory leak if
+ grub_create_loader_cmdline() fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: CID 292468
+
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/loader/multiboot_mbi2.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/loader/multiboot_mbi2.c b/grub-core/loader/multiboot_mbi2.c
+index 53da78615..0efc66062 100644
+--- a/grub-core/loader/multiboot_mbi2.c
++++ b/grub-core/loader/multiboot_mbi2.c
+@@ -1070,7 +1070,11 @@ grub_multiboot2_add_module (grub_addr_t start, grub_size_t size,
+   err = grub_create_loader_cmdline (argc, argv, newmod->cmdline,
+ 				    newmod->cmdline_size, GRUB_VERIFY_MODULE_CMDLINE);
+   if (err)
+-    return err;
++    {
++      grub_free (newmod->cmdline);
++      grub_free (newmod);
++      return err;
++    }
+ 
+   if (modules_last)
+     modules_last->next = newmod;
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0015-tftp-Do-not-use-priority-queue.patch b/buildroot/boot/grub2/0015-tftp-Do-not-use-priority-queue.patch
new file mode 100644
index 000000000..833606bef
--- /dev/null
+++ b/buildroot/boot/grub2/0015-tftp-Do-not-use-priority-queue.patch
@@ -0,0 +1,283 @@
+From b6c4a1b204740fe52b32e7f530831a59f4038e20 Mon Sep 17 00:00:00 2001
+From: Alexey Makhalov <amakhalov@vmware.com>
+Date: Thu, 9 Jul 2020 08:10:40 +0000
+Subject: [PATCH] tftp: Do not use priority queue
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There is not need to reassemble the order of blocks. Per RFC 1350,
+server must wait for the ACK, before sending next block. Data packets
+can be served immediately without putting them to priority queue.
+
+Logic to handle incoming packet is this:
+  - if packet block id equal to expected block id, then
+    process the packet,
+  - if packet block id is less than expected - this is retransmit
+    of old packet, then ACK it and drop the packet,
+  - if packet block id is more than expected - that shouldn't
+    happen, just drop the packet.
+
+It makes the tftp receive path code simpler, smaller and faster.
+As a benefit, this change fixes CID# 73624 and CID# 96690, caused
+by following while loop:
+
+  while (cmp_block (grub_be_to_cpu16 (tftph->u.data.block), data->block + 1) == 0)
+
+where tftph pointer is not moving from one iteration to another, causing
+to serve same packet again. Luckily, double serving didn't happen due to
+data->block++ during the first iteration.
+
+Fixes: CID 73624, CID 96690
+
+Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/net/tftp.c | 168 ++++++++++++++-----------------------------
+ 1 file changed, 53 insertions(+), 115 deletions(-)
+
+diff --git a/grub-core/net/tftp.c b/grub-core/net/tftp.c
+index 7d90bf66e..b4297bc8d 100644
+--- a/grub-core/net/tftp.c
++++ b/grub-core/net/tftp.c
+@@ -25,7 +25,6 @@
+ #include <grub/mm.h>
+ #include <grub/dl.h>
+ #include <grub/file.h>
+-#include <grub/priority_queue.h>
+ #include <grub/i18n.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+@@ -106,31 +105,8 @@ typedef struct tftp_data
+   int have_oack;
+   struct grub_error_saved save_err;
+   grub_net_udp_socket_t sock;
+-  grub_priority_queue_t pq;
+ } *tftp_data_t;
+ 
+-static int
+-cmp_block (grub_uint16_t a, grub_uint16_t b)
+-{
+-  grub_int16_t i = (grub_int16_t) (a - b);
+-  if (i > 0)
+-    return +1;
+-  if (i < 0)
+-    return -1;
+-  return 0;
+-}
+-
+-static int
+-cmp (const void *a__, const void *b__)
+-{
+-  struct grub_net_buff *a_ = *(struct grub_net_buff **) a__;
+-  struct grub_net_buff *b_ = *(struct grub_net_buff **) b__;
+-  struct tftphdr *a = (struct tftphdr *) a_->data;
+-  struct tftphdr *b = (struct tftphdr *) b_->data;
+-  /* We want the first elements to be on top.  */
+-  return -cmp_block (grub_be_to_cpu16 (a->u.data.block), grub_be_to_cpu16 (b->u.data.block));
+-}
+-
+ static grub_err_t
+ ack (tftp_data_t data, grub_uint64_t block)
+ {
+@@ -207,73 +183,60 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
+ 	  return GRUB_ERR_NONE;
+ 	}
+ 
+-      err = grub_priority_queue_push (data->pq, &nb);
+-      if (err)
+-	return err;
+-
+-      {
+-	struct grub_net_buff **nb_top_p, *nb_top;
+-	while (1)
+-	  {
+-	    nb_top_p = grub_priority_queue_top (data->pq);
+-	    if (!nb_top_p)
+-	      return GRUB_ERR_NONE;
+-	    nb_top = *nb_top_p;
+-	    tftph = (struct tftphdr *) nb_top->data;
+-	    if (cmp_block (grub_be_to_cpu16 (tftph->u.data.block), data->block + 1) >= 0)
+-	      break;
+-	    ack (data, grub_be_to_cpu16 (tftph->u.data.block));
+-	    grub_netbuff_free (nb_top);
+-	    grub_priority_queue_pop (data->pq);
+-	  }
+-	while (cmp_block (grub_be_to_cpu16 (tftph->u.data.block), data->block + 1) == 0)
+-	  {
+-	    unsigned size;
+-
+-	    grub_priority_queue_pop (data->pq);
+-
+-	    if (file->device->net->packs.count < 50)
++      /* Ack old/retransmitted block. */
++      if (grub_be_to_cpu16 (tftph->u.data.block) < data->block + 1)
++	ack (data, grub_be_to_cpu16 (tftph->u.data.block));
++      /* Ignore unexpected block. */
++      else if (grub_be_to_cpu16 (tftph->u.data.block) > data->block + 1)
++	grub_dprintf ("tftp", "TFTP unexpected block # %d\n", tftph->u.data.block);
++      else
++	{
++	  unsigned size;
++
++	  if (file->device->net->packs.count < 50)
++	    {
+ 	      err = ack (data, data->block + 1);
+-	    else
+-	      {
+-		file->device->net->stall = 1;
+-		err = 0;
+-	      }
+-	    if (err)
+-	      return err;
+-
+-	    err = grub_netbuff_pull (nb_top, sizeof (tftph->opcode) +
+-				     sizeof (tftph->u.data.block));
+-	    if (err)
+-	      return err;
+-	    size = nb_top->tail - nb_top->data;
+-
+-	    data->block++;
+-	    if (size < data->block_size)
+-	      {
+-		if (data->ack_sent < data->block)
+-		  ack (data, data->block);
+-		file->device->net->eof = 1;
+-		file->device->net->stall = 1;
+-		grub_net_udp_close (data->sock);
+-		data->sock = NULL;
+-	      }
+-	    /* Prevent garbage in broken cards. Is it still necessary
+-	       given that IP implementation has been fixed?
+-	     */
+-	    if (size > data->block_size)
+-	      {
+-		err = grub_netbuff_unput (nb_top, size - data->block_size);
+-		if (err)
+-		  return err;
+-	      }
+-	    /* If there is data, puts packet in socket list. */
+-	    if ((nb_top->tail - nb_top->data) > 0)
+-	      grub_net_put_packet (&file->device->net->packs, nb_top);
+-	    else
+-	      grub_netbuff_free (nb_top);
+-	  }
+-      }
++	      if (err)
++		return err;
++	    }
++	  else
++	    file->device->net->stall = 1;
++
++	  err = grub_netbuff_pull (nb, sizeof (tftph->opcode) +
++				   sizeof (tftph->u.data.block));
++	  if (err)
++	    return err;
++	  size = nb->tail - nb->data;
++
++	  data->block++;
++	  if (size < data->block_size)
++	    {
++	      if (data->ack_sent < data->block)
++		ack (data, data->block);
++	      file->device->net->eof = 1;
++	      file->device->net->stall = 1;
++	      grub_net_udp_close (data->sock);
++	      data->sock = NULL;
++	    }
++	  /*
++	   * Prevent garbage in broken cards. Is it still necessary
++	   * given that IP implementation has been fixed?
++	   */
++	  if (size > data->block_size)
++	    {
++	      err = grub_netbuff_unput (nb, size - data->block_size);
++	      if (err)
++		return err;
++	    }
++	  /* If there is data, puts packet in socket list. */
++	  if ((nb->tail - nb->data) > 0)
++	    {
++	      grub_net_put_packet (&file->device->net->packs, nb);
++	      /* Do not free nb. */
++	      return GRUB_ERR_NONE;
++	    }
++	}
++      grub_netbuff_free (nb);
+       return GRUB_ERR_NONE;
+     case TFTP_ERROR:
+       data->have_oack = 1;
+@@ -287,19 +250,6 @@ tftp_receive (grub_net_udp_socket_t sock __attribute__ ((unused)),
+     }
+ }
+ 
+-static void
+-destroy_pq (tftp_data_t data)
+-{
+-  struct grub_net_buff **nb_p;
+-  while ((nb_p = grub_priority_queue_top (data->pq)))
+-    {
+-      grub_netbuff_free (*nb_p);
+-      grub_priority_queue_pop (data->pq);
+-    }
+-
+-  grub_priority_queue_destroy (data->pq);
+-}
+-
+ static grub_err_t
+ tftp_open (struct grub_file *file, const char *filename)
+ {
+@@ -372,17 +322,9 @@ tftp_open (struct grub_file *file, const char *filename)
+   file->not_easily_seekable = 1;
+   file->data = data;
+ 
+-  data->pq = grub_priority_queue_new (sizeof (struct grub_net_buff *), cmp);
+-  if (!data->pq)
+-    {
+-      grub_free (data);
+-      return grub_errno;
+-    }
+-
+   err = grub_net_resolve_address (file->device->net->server, &addr);
+   if (err)
+     {
+-      destroy_pq (data);
+       grub_free (data);
+       return err;
+     }
+@@ -392,7 +334,6 @@ tftp_open (struct grub_file *file, const char *filename)
+ 				  file);
+   if (!data->sock)
+     {
+-      destroy_pq (data);
+       grub_free (data);
+       return grub_errno;
+     }
+@@ -406,7 +347,6 @@ tftp_open (struct grub_file *file, const char *filename)
+       if (err)
+ 	{
+ 	  grub_net_udp_close (data->sock);
+-	  destroy_pq (data);
+ 	  grub_free (data);
+ 	  return err;
+ 	}
+@@ -423,7 +363,6 @@ tftp_open (struct grub_file *file, const char *filename)
+   if (grub_errno)
+     {
+       grub_net_udp_close (data->sock);
+-      destroy_pq (data);
+       grub_free (data);
+       return grub_errno;
+     }
+@@ -466,7 +405,6 @@ tftp_close (struct grub_file *file)
+ 	grub_print_error ();
+       grub_net_udp_close (data->sock);
+     }
+-  destroy_pq (data);
+   grub_free (data);
+   return GRUB_ERR_NONE;
+ }
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0016-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch b/buildroot/boot/grub2/0016-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch
new file mode 100644
index 000000000..293b9f89b
--- /dev/null
+++ b/buildroot/boot/grub2/0016-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch
@@ -0,0 +1,153 @@
+From 1c7b619c84f229c1602c1958bcd054b6d9937562 Mon Sep 17 00:00:00 2001
+From: Alexey Makhalov <amakhalov@vmware.com>
+Date: Wed, 15 Jul 2020 06:42:37 +0000
+Subject: [PATCH] relocator: Protect grub_relocator_alloc_chunk_addr()
+ input args against integer underflow/overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use arithmetic macros from safemath.h to accomplish it. In this commit,
+I didn't want to be too paranoid to check every possible math equation
+for overflow/underflow. Only obvious places (with non zero chance of
+overflow/underflow) were refactored.
+
+Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/loader/i386/linux.c    |  9 +++++++--
+ grub-core/loader/i386/pc/linux.c |  9 +++++++--
+ grub-core/loader/i386/xen.c      | 12 ++++++++++--
+ grub-core/loader/xnu.c           | 11 +++++++----
+ 4 files changed, 31 insertions(+), 10 deletions(-)
+
+diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
+index d0501e229..02a73463a 100644
+--- a/grub-core/loader/i386/linux.c
++++ b/grub-core/loader/i386/linux.c
+@@ -36,6 +36,7 @@
+ #include <grub/lib/cmdline.h>
+ #include <grub/linux.h>
+ #include <grub/machine/kernel.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -547,9 +548,13 @@ grub_linux_boot (void)
+ 
+   {
+     grub_relocator_chunk_t ch;
++    grub_size_t sz;
++
++    if (grub_add (ctx.real_size, efi_mmap_size, &sz))
++      return GRUB_ERR_OUT_OF_RANGE;
++
+     err = grub_relocator_alloc_chunk_addr (relocator, &ch,
+-					   ctx.real_mode_target,
+-					   (ctx.real_size + efi_mmap_size));
++					   ctx.real_mode_target, sz);
+     if (err)
+      return err;
+     real_mode_mem = get_virtual_current_address (ch);
+diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
+index 47ea2945e..31f09922b 100644
+--- a/grub-core/loader/i386/pc/linux.c
++++ b/grub-core/loader/i386/pc/linux.c
+@@ -35,6 +35,7 @@
+ #include <grub/i386/floppy.h>
+ #include <grub/lib/cmdline.h>
+ #include <grub/linux.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -218,8 +219,12 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+     setup_sects = GRUB_LINUX_DEFAULT_SETUP_SECTS;
+ 
+   real_size = setup_sects << GRUB_DISK_SECTOR_BITS;
+-  grub_linux16_prot_size = grub_file_size (file)
+-    - real_size - GRUB_DISK_SECTOR_SIZE;
++  if (grub_sub (grub_file_size (file), real_size, &grub_linux16_prot_size) ||
++      grub_sub (grub_linux16_prot_size, GRUB_DISK_SECTOR_SIZE, &grub_linux16_prot_size))
++    {
++      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++      goto fail;
++    }
+ 
+   if (! grub_linux_is_bzimage
+       && GRUB_LINUX_ZIMAGE_ADDR + grub_linux16_prot_size
+diff --git a/grub-core/loader/i386/xen.c b/grub-core/loader/i386/xen.c
+index 8f662c8ac..cd24874ca 100644
+--- a/grub-core/loader/i386/xen.c
++++ b/grub-core/loader/i386/xen.c
+@@ -41,6 +41,7 @@
+ #include <grub/linux.h>
+ #include <grub/i386/memory.h>
+ #include <grub/verify.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -636,6 +637,7 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)),
+   grub_relocator_chunk_t ch;
+   grub_addr_t kern_start;
+   grub_addr_t kern_end;
++  grub_size_t sz;
+ 
+   if (argc == 0)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+@@ -703,8 +705,14 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)),
+ 
+   xen_state.max_addr = ALIGN_UP (kern_end, PAGE_SIZE);
+ 
+-  err = grub_relocator_alloc_chunk_addr (xen_state.relocator, &ch, kern_start,
+-					 kern_end - kern_start);
++
++  if (grub_sub (kern_end, kern_start, &sz))
++    {
++      err = GRUB_ERR_OUT_OF_RANGE;
++      goto fail;
++    }
++
++  err = grub_relocator_alloc_chunk_addr (xen_state.relocator, &ch, kern_start, sz);
+   if (err)
+     goto fail;
+   kern_chunk_src = get_virtual_current_address (ch);
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 77d7060e1..9ae4ceb35 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -34,6 +34,7 @@
+ #include <grub/env.h>
+ #include <grub/i18n.h>
+ #include <grub/verify.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -59,15 +60,17 @@ grub_xnu_heap_malloc (int size, void **src, grub_addr_t *target)
+ {
+   grub_err_t err;
+   grub_relocator_chunk_t ch;
++  grub_addr_t tgt;
++
++  if (grub_add (grub_xnu_heap_target_start, grub_xnu_heap_size, &tgt))
++    return GRUB_ERR_OUT_OF_RANGE;
+   
+-  err = grub_relocator_alloc_chunk_addr (grub_xnu_relocator, &ch,
+-					 grub_xnu_heap_target_start
+-					 + grub_xnu_heap_size, size);
++  err = grub_relocator_alloc_chunk_addr (grub_xnu_relocator, &ch, tgt, size);
+   if (err)
+     return err;
+ 
+   *src = get_virtual_current_address (ch);
+-  *target = grub_xnu_heap_target_start + grub_xnu_heap_size;
++  *target = tgt;
+   grub_xnu_heap_size += size;
+   grub_dprintf ("xnu", "val=%p\n", *src);
+   return GRUB_ERR_NONE;
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0017-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch b/buildroot/boot/grub2/0017-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch
new file mode 100644
index 000000000..e04e72aba
--- /dev/null
+++ b/buildroot/boot/grub2/0017-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch
@@ -0,0 +1,341 @@
+From 0cfbbca3ccd84d36ffb1bcd6644ada7c73b19fc0 Mon Sep 17 00:00:00 2001
+From: Alexey Makhalov <amakhalov@vmware.com>
+Date: Wed, 8 Jul 2020 01:44:38 +0000
+Subject: [PATCH] relocator: Protect grub_relocator_alloc_chunk_align()
+ max_addr against integer underflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This commit introduces integer underflow mitigation in max_addr calculation
+in grub_relocator_alloc_chunk_align() invocation.
+
+It consists of 2 fixes:
+  1. Introduced grub_relocator_alloc_chunk_align_safe() wrapper function to perform
+     sanity check for min/max and size values, and to make safe invocation of
+     grub_relocator_alloc_chunk_align() with validated max_addr value. Replace all
+     invocations such as grub_relocator_alloc_chunk_align(..., min_addr, max_addr - size, size, ...)
+     by grub_relocator_alloc_chunk_align_safe(..., min_addr, max_addr, size, ...).
+  2. Introduced UP_TO_TOP32(s) macro for the cases where max_addr is 32-bit top
+     address (0xffffffff - size + 1) or similar.
+
+Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/lib/i386/relocator.c        | 28 ++++++++++----------------
+ grub-core/lib/mips/relocator.c        |  6 ++----
+ grub-core/lib/powerpc/relocator.c     |  6 ++----
+ grub-core/lib/x86_64/efi/relocator.c  |  7 +++----
+ grub-core/loader/i386/linux.c         |  5 ++---
+ grub-core/loader/i386/multiboot_mbi.c |  7 +++----
+ grub-core/loader/i386/pc/linux.c      |  6 ++----
+ grub-core/loader/mips/linux.c         |  9 +++------
+ grub-core/loader/multiboot.c          |  2 +-
+ grub-core/loader/multiboot_elfxx.c    | 10 ++++-----
+ grub-core/loader/multiboot_mbi2.c     | 10 ++++-----
+ grub-core/loader/xnu_resume.c         |  2 +-
+ include/grub/relocator.h              | 29 +++++++++++++++++++++++++++
+ 13 files changed, 69 insertions(+), 58 deletions(-)
+
+diff --git a/grub-core/lib/i386/relocator.c b/grub-core/lib/i386/relocator.c
+index 71dd4f0ab..34cbe834f 100644
+--- a/grub-core/lib/i386/relocator.c
++++ b/grub-core/lib/i386/relocator.c
+@@ -83,11 +83,10 @@ grub_relocator32_boot (struct grub_relocator *rel,
+   /* Specific memory range due to Global Descriptor Table for use by payload
+      that we will store in returned chunk.  The address range and preference
+      are based on "THE LINUX/x86 BOOT PROTOCOL" specification.  */
+-  err = grub_relocator_alloc_chunk_align (rel, &ch, 0x1000,
+-					  0x9a000 - RELOCATOR_SIZEOF (32),
+-					  RELOCATOR_SIZEOF (32), 16,
+-					  GRUB_RELOCATOR_PREFERENCE_LOW,
+-					  avoid_efi_bootservices);
++  err = grub_relocator_alloc_chunk_align_safe (rel, &ch, 0x1000, 0x9a000,
++					       RELOCATOR_SIZEOF (32), 16,
++					       GRUB_RELOCATOR_PREFERENCE_LOW,
++					       avoid_efi_bootservices);
+   if (err)
+     return err;
+ 
+@@ -125,13 +124,10 @@ grub_relocator16_boot (struct grub_relocator *rel,
+   grub_relocator_chunk_t ch;
+ 
+   /* Put it higher than the byte it checks for A20 check.  */
+-  err = grub_relocator_alloc_chunk_align (rel, &ch, 0x8010,
+-					  0xa0000 - RELOCATOR_SIZEOF (16)
+-					  - GRUB_RELOCATOR16_STACK_SIZE,
+-					  RELOCATOR_SIZEOF (16)
+-					  + GRUB_RELOCATOR16_STACK_SIZE, 16,
+-					  GRUB_RELOCATOR_PREFERENCE_NONE,
+-					  0);
++  err = grub_relocator_alloc_chunk_align_safe (rel, &ch, 0x8010, 0xa0000,
++					       RELOCATOR_SIZEOF (16) +
++					       GRUB_RELOCATOR16_STACK_SIZE, 16,
++					       GRUB_RELOCATOR_PREFERENCE_NONE, 0);
+   if (err)
+     return err;
+ 
+@@ -183,11 +179,9 @@ grub_relocator64_boot (struct grub_relocator *rel,
+   void *relst;
+   grub_relocator_chunk_t ch;
+ 
+-  err = grub_relocator_alloc_chunk_align (rel, &ch, min_addr,
+-					  max_addr - RELOCATOR_SIZEOF (64),
+-					  RELOCATOR_SIZEOF (64), 16,
+-					  GRUB_RELOCATOR_PREFERENCE_NONE,
+-					  0);
++  err = grub_relocator_alloc_chunk_align_safe (rel, &ch, min_addr, max_addr,
++					       RELOCATOR_SIZEOF (64), 16,
++					       GRUB_RELOCATOR_PREFERENCE_NONE, 0);
+   if (err)
+     return err;
+ 
+diff --git a/grub-core/lib/mips/relocator.c b/grub-core/lib/mips/relocator.c
+index 9d5f49cb9..743b213e6 100644
+--- a/grub-core/lib/mips/relocator.c
++++ b/grub-core/lib/mips/relocator.c
+@@ -120,10 +120,8 @@ grub_relocator32_boot (struct grub_relocator *rel,
+   unsigned i;
+   grub_addr_t vtarget;
+ 
+-  err = grub_relocator_alloc_chunk_align (rel, &ch, 0,
+-					  (0xffffffff - stateset_size)
+-					  + 1, stateset_size,
+-					  sizeof (grub_uint32_t),
++  err = grub_relocator_alloc_chunk_align (rel, &ch, 0, UP_TO_TOP32 (stateset_size),
++					  stateset_size, sizeof (grub_uint32_t),
+ 					  GRUB_RELOCATOR_PREFERENCE_NONE, 0);
+   if (err)
+     return err;
+diff --git a/grub-core/lib/powerpc/relocator.c b/grub-core/lib/powerpc/relocator.c
+index bdf2b111b..8ffb8b686 100644
+--- a/grub-core/lib/powerpc/relocator.c
++++ b/grub-core/lib/powerpc/relocator.c
+@@ -115,10 +115,8 @@ grub_relocator32_boot (struct grub_relocator *rel,
+   unsigned i;
+   grub_relocator_chunk_t ch;
+ 
+-  err = grub_relocator_alloc_chunk_align (rel, &ch, 0,
+-					  (0xffffffff - stateset_size)
+-					  + 1, stateset_size,
+-					  sizeof (grub_uint32_t),
++  err = grub_relocator_alloc_chunk_align (rel, &ch, 0, UP_TO_TOP32 (stateset_size),
++					  stateset_size, sizeof (grub_uint32_t),
+ 					  GRUB_RELOCATOR_PREFERENCE_NONE, 0);
+   if (err)
+     return err;
+diff --git a/grub-core/lib/x86_64/efi/relocator.c b/grub-core/lib/x86_64/efi/relocator.c
+index 3caef7a40..7d200a125 100644
+--- a/grub-core/lib/x86_64/efi/relocator.c
++++ b/grub-core/lib/x86_64/efi/relocator.c
+@@ -50,10 +50,9 @@ grub_relocator64_efi_boot (struct grub_relocator *rel,
+    * 64-bit relocator code may live above 4 GiB quite well.
+    * However, I do not want ask for problems. Just in case.
+    */
+-  err = grub_relocator_alloc_chunk_align (rel, &ch, 0,
+-					  0x100000000 - RELOCATOR_SIZEOF (64_efi),
+-					  RELOCATOR_SIZEOF (64_efi), 16,
+-					  GRUB_RELOCATOR_PREFERENCE_NONE, 1);
++  err = grub_relocator_alloc_chunk_align_safe (rel, &ch, 0, 0x100000000,
++					       RELOCATOR_SIZEOF (64_efi), 16,
++					       GRUB_RELOCATOR_PREFERENCE_NONE, 1);
+   if (err)
+     return err;
+ 
+diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
+index 02a73463a..efbb99307 100644
+--- a/grub-core/loader/i386/linux.c
++++ b/grub-core/loader/i386/linux.c
+@@ -181,9 +181,8 @@ allocate_pages (grub_size_t prot_size, grub_size_t *align,
+ 	for (; err && *align + 1 > min_align; (*align)--)
+ 	  {
+ 	    grub_errno = GRUB_ERR_NONE;
+-	    err = grub_relocator_alloc_chunk_align (relocator, &ch,
+-						    0x1000000,
+-						    0xffffffff & ~prot_size,
++	    err = grub_relocator_alloc_chunk_align (relocator, &ch, 0x1000000,
++						    UP_TO_TOP32 (prot_size),
+ 						    prot_size, 1 << *align,
+ 						    GRUB_RELOCATOR_PREFERENCE_LOW,
+ 						    1);
+diff --git a/grub-core/loader/i386/multiboot_mbi.c b/grub-core/loader/i386/multiboot_mbi.c
+index ad3cc292f..a67d9d0a8 100644
+--- a/grub-core/loader/i386/multiboot_mbi.c
++++ b/grub-core/loader/i386/multiboot_mbi.c
+@@ -466,10 +466,9 @@ grub_multiboot_make_mbi (grub_uint32_t *target)
+ 
+   bufsize = grub_multiboot_get_mbi_size ();
+ 
+-  err = grub_relocator_alloc_chunk_align (grub_multiboot_relocator, &ch,
+-					  0x10000, 0xa0000 - bufsize,
+-					  bufsize, 4,
+-					  GRUB_RELOCATOR_PREFERENCE_NONE, 0);
++  err = grub_relocator_alloc_chunk_align_safe (grub_multiboot_relocator, &ch,
++					       0x10000, 0xa0000, bufsize, 4,
++					       GRUB_RELOCATOR_PREFERENCE_NONE, 0);
+   if (err)
+     return err;
+   ptrorig = get_virtual_current_address (ch);
+diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
+index 31f09922b..5fed5ffdf 100644
+--- a/grub-core/loader/i386/pc/linux.c
++++ b/grub-core/loader/i386/pc/linux.c
+@@ -453,10 +453,8 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
+ 
+   {
+     grub_relocator_chunk_t ch;
+-    err = grub_relocator_alloc_chunk_align (relocator, &ch,
+-					    addr_min, addr_max - size,
+-					    size, 0x1000,
+-					    GRUB_RELOCATOR_PREFERENCE_HIGH, 0);
++    err = grub_relocator_alloc_chunk_align_safe (relocator, &ch, addr_min, addr_max, size,
++						 0x1000, GRUB_RELOCATOR_PREFERENCE_HIGH, 0);
+     if (err)
+       return err;
+     initrd_chunk = get_virtual_current_address (ch);
+diff --git a/grub-core/loader/mips/linux.c b/grub-core/loader/mips/linux.c
+index 7b723bf18..e4ed95921 100644
+--- a/grub-core/loader/mips/linux.c
++++ b/grub-core/loader/mips/linux.c
+@@ -442,12 +442,9 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
+   {
+     grub_relocator_chunk_t ch;
+ 
+-    err = grub_relocator_alloc_chunk_align (relocator, &ch,
+-					    (target_addr & 0x1fffffff)
+-					    + linux_size + 0x10000,
+-					    (0x10000000 - size),
+-					    size, 0x10000,
+-					    GRUB_RELOCATOR_PREFERENCE_NONE, 0);
++    err = grub_relocator_alloc_chunk_align_safe (relocator, &ch, (target_addr & 0x1fffffff) +
++						 linux_size + 0x10000, 0x10000000, size,
++						 0x10000, GRUB_RELOCATOR_PREFERENCE_NONE, 0);
+ 
+     if (err)
+       goto fail;
+diff --git a/grub-core/loader/multiboot.c b/grub-core/loader/multiboot.c
+index 4a98d7082..facb13f3d 100644
+--- a/grub-core/loader/multiboot.c
++++ b/grub-core/loader/multiboot.c
+@@ -403,7 +403,7 @@ grub_cmd_module (grub_command_t cmd __attribute__ ((unused)),
+   {
+     grub_relocator_chunk_t ch;
+     err = grub_relocator_alloc_chunk_align (GRUB_MULTIBOOT (relocator), &ch,
+-					    lowest_addr, (0xffffffff - size) + 1,
++					    lowest_addr, UP_TO_TOP32 (size),
+ 					    size, MULTIBOOT_MOD_ALIGN,
+ 					    GRUB_RELOCATOR_PREFERENCE_NONE, 1);
+     if (err)
+diff --git a/grub-core/loader/multiboot_elfxx.c b/grub-core/loader/multiboot_elfxx.c
+index cc6853692..f2318e0d1 100644
+--- a/grub-core/loader/multiboot_elfxx.c
++++ b/grub-core/loader/multiboot_elfxx.c
+@@ -109,10 +109,10 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
+       if (load_size > mld->max_addr || mld->min_addr > mld->max_addr - load_size)
+ 	return grub_error (GRUB_ERR_BAD_OS, "invalid min/max address and/or load size");
+ 
+-      err = grub_relocator_alloc_chunk_align (GRUB_MULTIBOOT (relocator), &ch,
+-					      mld->min_addr, mld->max_addr - load_size,
+-					      load_size, mld->align ? mld->align : 1,
+-					      mld->preference, mld->avoid_efi_boot_services);
++      err = grub_relocator_alloc_chunk_align_safe (GRUB_MULTIBOOT (relocator), &ch,
++						   mld->min_addr, mld->max_addr,
++						   load_size, mld->align ? mld->align : 1,
++						   mld->preference, mld->avoid_efi_boot_services);
+ 
+       if (err)
+         {
+@@ -256,7 +256,7 @@ CONCAT(grub_multiboot_load_elf, XX) (mbi_load_data_t *mld)
+ 	    continue;
+ 
+ 	  err = grub_relocator_alloc_chunk_align (GRUB_MULTIBOOT (relocator), &ch, 0,
+-						  (0xffffffff - sh->sh_size) + 1,
++						  UP_TO_TOP32 (sh->sh_size),
+ 						  sh->sh_size, sh->sh_addralign,
+ 						  GRUB_RELOCATOR_PREFERENCE_NONE,
+ 						  mld->avoid_efi_boot_services);
+diff --git a/grub-core/loader/multiboot_mbi2.c b/grub-core/loader/multiboot_mbi2.c
+index 0efc66062..03967839c 100644
+--- a/grub-core/loader/multiboot_mbi2.c
++++ b/grub-core/loader/multiboot_mbi2.c
+@@ -295,10 +295,10 @@ grub_multiboot2_load (grub_file_t file, const char *filename)
+ 	      return grub_error (GRUB_ERR_BAD_OS, "invalid min/max address and/or load size");
+ 	    }
+ 
+-	  err = grub_relocator_alloc_chunk_align (grub_multiboot2_relocator, &ch,
+-						  mld.min_addr, mld.max_addr - code_size,
+-						  code_size, mld.align ? mld.align : 1,
+-						  mld.preference, keep_bs);
++	  err = grub_relocator_alloc_chunk_align_safe (grub_multiboot2_relocator, &ch,
++						       mld.min_addr, mld.max_addr,
++						       code_size, mld.align ? mld.align : 1,
++						       mld.preference, keep_bs);
+ 	}
+       else
+ 	err = grub_relocator_alloc_chunk_addr (grub_multiboot2_relocator,
+@@ -708,7 +708,7 @@ grub_multiboot2_make_mbi (grub_uint32_t *target)
+   COMPILE_TIME_ASSERT (MULTIBOOT_TAG_ALIGN % sizeof (grub_properly_aligned_t) == 0);
+ 
+   err = grub_relocator_alloc_chunk_align (grub_multiboot2_relocator, &ch,
+-					  0, 0xffffffff - bufsize,
++					  0, UP_TO_TOP32 (bufsize),
+ 					  bufsize, MULTIBOOT_TAG_ALIGN,
+ 					  GRUB_RELOCATOR_PREFERENCE_NONE, 1);
+   if (err)
+diff --git a/grub-core/loader/xnu_resume.c b/grub-core/loader/xnu_resume.c
+index 8089804d4..d648ef0cd 100644
+--- a/grub-core/loader/xnu_resume.c
++++ b/grub-core/loader/xnu_resume.c
+@@ -129,7 +129,7 @@ grub_xnu_resume (char *imagename)
+   {
+     grub_relocator_chunk_t ch;
+     err = grub_relocator_alloc_chunk_align (grub_xnu_relocator, &ch, 0,
+-					    (0xffffffff - hibhead.image_size) + 1,
++					    UP_TO_TOP32 (hibhead.image_size),
+ 					    hibhead.image_size,
+ 					    GRUB_XNU_PAGESIZE,
+ 					    GRUB_RELOCATOR_PREFERENCE_NONE, 0);
+diff --git a/include/grub/relocator.h b/include/grub/relocator.h
+index 24d8672d2..1b3bdd92a 100644
+--- a/include/grub/relocator.h
++++ b/include/grub/relocator.h
+@@ -49,6 +49,35 @@ grub_relocator_alloc_chunk_align (struct grub_relocator *rel,
+ 				  int preference,
+ 				  int avoid_efi_boot_services);
+ 
++/*
++ * Wrapper for grub_relocator_alloc_chunk_align() with purpose of
++ * protecting against integer underflow.
++ *
++ * Compare to its callee, max_addr has different meaning here.
++ * It covers entire chunk and not just start address of the chunk.
++ */
++static inline grub_err_t
++grub_relocator_alloc_chunk_align_safe (struct grub_relocator *rel,
++				       grub_relocator_chunk_t *out,
++				       grub_phys_addr_t min_addr,
++				       grub_phys_addr_t max_addr,
++				       grub_size_t size, grub_size_t align,
++				       int preference,
++				       int avoid_efi_boot_services)
++{
++  /* Sanity check and ensure following equation (max_addr - size) is safe. */
++  if (max_addr < size || (max_addr - size) < min_addr)
++    return GRUB_ERR_OUT_OF_RANGE;
++
++  return grub_relocator_alloc_chunk_align (rel, out, min_addr,
++					   max_addr - size,
++					   size, align, preference,
++					   avoid_efi_boot_services);
++}
++
++/* Top 32-bit address minus s bytes and plus 1 byte. */
++#define UP_TO_TOP32(s)	((~(s) & 0xffffffff) + 1)
++
+ #define GRUB_RELOCATOR_PREFERENCE_NONE 0
+ #define GRUB_RELOCATOR_PREFERENCE_LOW 1
+ #define GRUB_RELOCATOR_PREFERENCE_HIGH 2
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0018-script-Remove-unused-fields-from-grub_script_functio.patch b/buildroot/boot/grub2/0018-script-Remove-unused-fields-from-grub_script_functio.patch
new file mode 100644
index 000000000..7b0a5e514
--- /dev/null
+++ b/buildroot/boot/grub2/0018-script-Remove-unused-fields-from-grub_script_functio.patch
@@ -0,0 +1,37 @@
+From 73aa0776457066ee6ebc93486c3cf0e6b755d1b8 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Fri, 10 Jul 2020 11:21:14 +0100
+Subject: [PATCH] script: Remove unused fields from grub_script_function
+ struct
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ include/grub/script_sh.h | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
+index 360c2be1f..b382bcf09 100644
+--- a/include/grub/script_sh.h
++++ b/include/grub/script_sh.h
+@@ -359,13 +359,8 @@ struct grub_script_function
+   /* The script function.  */
+   struct grub_script *func;
+ 
+-  /* The flags.  */
+-  unsigned flags;
+-
+   /* The next element.  */
+   struct grub_script_function *next;
+-
+-  int references;
+ };
+ typedef struct grub_script_function *grub_script_function_t;
+ 
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0019-script-Avoid-a-use-after-free-when-redefining-a-func.patch b/buildroot/boot/grub2/0019-script-Avoid-a-use-after-free-when-redefining-a-func.patch
new file mode 100644
index 000000000..0fd60357d
--- /dev/null
+++ b/buildroot/boot/grub2/0019-script-Avoid-a-use-after-free-when-redefining-a-func.patch
@@ -0,0 +1,113 @@
+From 26349fcf80982b4d0120b73b2836e88bcf16853c Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Fri, 10 Jul 2020 14:41:45 +0100
+Subject: [PATCH] script: Avoid a use-after-free when redefining a
+ function during execution
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Defining a new function with the same name as a previously defined
+function causes the grub_script and associated resources for the
+previous function to be freed. If the previous function is currently
+executing when a function with the same name is defined, this results
+in use-after-frees when processing subsequent commands in the original
+function.
+
+Instead, reject a new function definition if it has the same name as
+a previously defined function, and that function is currently being
+executed. Although a behavioural change, this should be backwards
+compatible with existing configurations because they can't be
+dependent on the current behaviour without being broken.
+
+Fixes: CVE-2020-15706
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/script/execute.c  |  2 ++
+ grub-core/script/function.c | 16 +++++++++++++---
+ grub-core/script/parser.y   |  3 ++-
+ include/grub/script_sh.h    |  2 ++
+ 4 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
+index c8d6806fe..7e028e135 100644
+--- a/grub-core/script/execute.c
++++ b/grub-core/script/execute.c
+@@ -838,7 +838,9 @@ grub_script_function_call (grub_script_function_t func, int argc, char **args)
+   old_scope = scope;
+   scope = &new_scope;
+ 
++  func->executing++;
+   ret = grub_script_execute (func->func);
++  func->executing--;
+ 
+   function_return = 0;
+   active_loops = loops;
+diff --git a/grub-core/script/function.c b/grub-core/script/function.c
+index d36655e51..3aad04bf9 100644
+--- a/grub-core/script/function.c
++++ b/grub-core/script/function.c
+@@ -34,6 +34,7 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
+   func = (grub_script_function_t) grub_malloc (sizeof (*func));
+   if (! func)
+     return 0;
++  func->executing = 0;
+ 
+   func->name = grub_strdup (functionname_arg->str);
+   if (! func->name)
+@@ -60,10 +61,19 @@ grub_script_function_create (struct grub_script_arg *functionname_arg,
+       grub_script_function_t q;
+ 
+       q = *p;
+-      grub_script_free (q->func);
+-      q->func = cmd;
+       grub_free (func);
+-      func = q;
++      if (q->executing > 0)
++        {
++          grub_error (GRUB_ERR_BAD_ARGUMENT,
++		      N_("attempt to redefine a function being executed"));
++          func = NULL;
++        }
++      else
++        {
++          grub_script_free (q->func);
++          q->func = cmd;
++          func = q;
++        }
+     }
+   else
+     {
+diff --git a/grub-core/script/parser.y b/grub-core/script/parser.y
+index 4f0ab8319..f80b86b6f 100644
+--- a/grub-core/script/parser.y
++++ b/grub-core/script/parser.y
+@@ -289,7 +289,8 @@ function: "function" "name"
+ 	      grub_script_mem_free (state->func_mem);
+ 	    else {
+ 	      script->children = state->scripts;
+-	      grub_script_function_create ($2, script);
++	      if (!grub_script_function_create ($2, script))
++		grub_script_free (script);
+ 	    }
+ 
+ 	    state->scripts = $<scripts>3;
+diff --git a/include/grub/script_sh.h b/include/grub/script_sh.h
+index b382bcf09..6c48e0751 100644
+--- a/include/grub/script_sh.h
++++ b/include/grub/script_sh.h
+@@ -361,6 +361,8 @@ struct grub_script_function
+ 
+   /* The next element.  */
+   struct grub_script_function *next;
++
++  unsigned executing;
+ };
+ typedef struct grub_script_function *grub_script_function_t;
+ 
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0020-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch b/buildroot/boot/grub2/0020-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch
new file mode 100644
index 000000000..fc518c5f3
--- /dev/null
+++ b/buildroot/boot/grub2/0020-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch
@@ -0,0 +1,49 @@
+From 06aa91f79f902752cb7e5d22ac0ea8e13bffd056 Mon Sep 17 00:00:00 2001
+From: Alexey Makhalov <amakhalov@vmware.com>
+Date: Fri, 17 Jul 2020 05:17:26 +0000
+Subject: [PATCH] relocator: Fix grub_relocator_alloc_chunk_align() top
+ memory allocation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Current implementation of grub_relocator_alloc_chunk_align()
+does not allow allocation of the top byte.
+
+Assuming input args are:
+  max_addr = 0xfffff000;
+  size = 0x1000;
+
+And this is valid. But following overflow protection will
+unnecessarily move max_addr one byte down (to 0xffffefff):
+  if (max_addr > ~size)
+    max_addr = ~size;
+
+~size + 1 will fix the situation. In addition, check size
+for non zero to do not zero max_addr.
+
+Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/lib/relocator.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/lib/relocator.c b/grub-core/lib/relocator.c
+index 5847aac36..f2c1944c2 100644
+--- a/grub-core/lib/relocator.c
++++ b/grub-core/lib/relocator.c
+@@ -1386,8 +1386,8 @@ grub_relocator_alloc_chunk_align (struct grub_relocator *rel,
+   };
+   grub_addr_t min_addr2 = 0, max_addr2;
+ 
+-  if (max_addr > ~size)
+-    max_addr = ~size;
++  if (size && (max_addr > ~size))
++    max_addr = ~size + 1;
+ 
+ #ifdef GRUB_MACHINE_PCBIOS
+   if (min_addr < 0x1000)
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0021-hfsplus-Fix-two-more-overflows.patch b/buildroot/boot/grub2/0021-hfsplus-Fix-two-more-overflows.patch
new file mode 100644
index 000000000..9ea678021
--- /dev/null
+++ b/buildroot/boot/grub2/0021-hfsplus-Fix-two-more-overflows.patch
@@ -0,0 +1,61 @@
+From feec993673d8e13fcf22fe2389ac29222b6daebd Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Sun, 19 Jul 2020 14:43:31 -0400
+Subject: [PATCH] hfsplus: Fix two more overflows
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Both node->size and node->namelen come from the supplied filesystem,
+which may be user-supplied. We can't trust them for the math unless we
+know they don't overflow. Making sure they go through grub_add() or
+grub_calloc() first will give us that.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/fs/hfsplus.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
+index dae43becc..9c4e4c88c 100644
+--- a/grub-core/fs/hfsplus.c
++++ b/grub-core/fs/hfsplus.c
+@@ -31,6 +31,7 @@
+ #include <grub/hfs.h>
+ #include <grub/charset.h>
+ #include <grub/hfsplus.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -475,8 +476,12 @@ grub_hfsplus_read_symlink (grub_fshelp_node_t node)
+ {
+   char *symlink;
+   grub_ssize_t numread;
++  grub_size_t sz = node->size;
+ 
+-  symlink = grub_malloc (node->size + 1);
++  if (grub_add (sz, 1, &sz))
++    return NULL;
++
++  symlink = grub_malloc (sz);
+   if (!symlink)
+     return 0;
+ 
+@@ -715,8 +720,8 @@ list_nodes (void *record, void *hook_arg)
+   if (type == GRUB_FSHELP_UNKNOWN)
+     return 0;
+ 
+-  filename = grub_malloc (grub_be_to_cpu16 (catkey->namelen)
+-			  * GRUB_MAX_UTF8_PER_UTF16 + 1);
++  filename = grub_calloc (grub_be_to_cpu16 (catkey->namelen),
++			  GRUB_MAX_UTF8_PER_UTF16 + 1);
+   if (! filename)
+     return 0;
+ 
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0022-lvm-Fix-two-more-potential-data-dependent-alloc-over.patch b/buildroot/boot/grub2/0022-lvm-Fix-two-more-potential-data-dependent-alloc-over.patch
new file mode 100644
index 000000000..ad97ad0b1
--- /dev/null
+++ b/buildroot/boot/grub2/0022-lvm-Fix-two-more-potential-data-dependent-alloc-over.patch
@@ -0,0 +1,116 @@
+From a1845e90fc19fb5e904091bad8a378f458798e4a Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Sun, 19 Jul 2020 15:48:20 -0400
+Subject: [PATCH] lvm: Fix two more potential data-dependent alloc
+ overflows
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It appears to be possible to make a (possibly invalid) lvm PV with
+a metadata size field that overflows our type when adding it to the
+address we've allocated. Even if it doesn't, it may be possible to do so
+with the math using the outcome of that as an operand. Check them both.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/disk/lvm.c | 48 ++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 40 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/disk/lvm.c b/grub-core/disk/lvm.c
+index d1df640b3..139fafd47 100644
+--- a/grub-core/disk/lvm.c
++++ b/grub-core/disk/lvm.c
+@@ -25,6 +25,7 @@
+ #include <grub/lvm.h>
+ #include <grub/partition.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+ 
+ #ifdef GRUB_UTIL
+ #include <grub/emu/misc.h>
+@@ -102,10 +103,11 @@ grub_lvm_detect (grub_disk_t disk,
+ {
+   grub_err_t err;
+   grub_uint64_t mda_offset, mda_size;
++  grub_size_t ptr;
+   char buf[GRUB_LVM_LABEL_SIZE];
+   char vg_id[GRUB_LVM_ID_STRLEN+1];
+   char pv_id[GRUB_LVM_ID_STRLEN+1];
+-  char *metadatabuf, *p, *q, *vgname;
++  char *metadatabuf, *p, *q, *mda_end, *vgname;
+   struct grub_lvm_label_header *lh = (struct grub_lvm_label_header *) buf;
+   struct grub_lvm_pv_header *pvh;
+   struct grub_lvm_disk_locn *dlocn;
+@@ -205,19 +207,31 @@ grub_lvm_detect (grub_disk_t disk,
+ 		   grub_le_to_cpu64 (rlocn->size) -
+ 		   grub_le_to_cpu64 (mdah->size));
+     }
+-  p = q = metadatabuf + grub_le_to_cpu64 (rlocn->offset);
+ 
+-  while (*q != ' ' && q < metadatabuf + mda_size)
+-    q++;
+-
+-  if (q == metadatabuf + mda_size)
++  if (grub_add ((grub_size_t)metadatabuf,
++		(grub_size_t)grub_le_to_cpu64 (rlocn->offset),
++		&ptr))
+     {
++ error_parsing_metadata:
+ #ifdef GRUB_UTIL
+       grub_util_info ("error parsing metadata");
+ #endif
+       goto fail2;
+     }
+ 
++  p = q = (char *)ptr;
++
++  if (grub_add ((grub_size_t)metadatabuf, (grub_size_t)mda_size, &ptr))
++    goto error_parsing_metadata;
++
++  mda_end = (char *)ptr;
++
++  while (*q != ' ' && q < mda_end)
++    q++;
++
++  if (q == mda_end)
++    goto error_parsing_metadata;
++
+   vgname_len = q - p;
+   vgname = grub_malloc (vgname_len + 1);
+   if (!vgname)
+@@ -367,8 +381,26 @@ grub_lvm_detect (grub_disk_t disk,
+ 	      {
+ 		const char *iptr;
+ 		char *optr;
+-		lv->fullname = grub_malloc (sizeof ("lvm/") - 1 + 2 * vgname_len
+-					    + 1 + 2 * s + 1);
++
++		/*
++		 * This is kind of hard to read with our safe (but rather
++		 * baroque) math primatives, but it boils down to:
++		 *
++		 *   sz0 = vgname_len * 2 + 1 +
++		 *         s * 2 + 1 +
++		 *         sizeof ("lvm/") - 1;
++		 */
++		grub_size_t sz0 = vgname_len, sz1 = s;
++
++		if (grub_mul (sz0, 2, &sz0) ||
++		    grub_add (sz0, 1, &sz0) ||
++		    grub_mul (sz1, 2, &sz1) ||
++		    grub_add (sz1, 1, &sz1) ||
++		    grub_add (sz0, sz1, &sz0) ||
++		    grub_add (sz0, sizeof ("lvm/") - 1, &sz0))
++		  goto lvs_fail;
++
++		lv->fullname = grub_malloc (sz0);
+ 		if (!lv->fullname)
+ 		  goto lvs_fail;
+ 
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0023-emu-Make-grub_free-NULL-safe.patch b/buildroot/boot/grub2/0023-emu-Make-grub_free-NULL-safe.patch
new file mode 100644
index 000000000..f30e56a8b
--- /dev/null
+++ b/buildroot/boot/grub2/0023-emu-Make-grub_free-NULL-safe.patch
@@ -0,0 +1,38 @@
+From 320e86747a32e4d46d24ee4b64493741c161da50 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Sun, 19 Jul 2020 16:08:08 -0400
+Subject: [PATCH] emu: Make grub_free(NULL) safe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The grub_free() implementation in grub-core/kern/mm.c safely handles
+NULL pointers, and code at many places depends on this. We don't know
+that the same is true on all host OSes, so we need to handle the same
+behavior in grub-emu's implementation.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/kern/emu/mm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/emu/mm.c b/grub-core/kern/emu/mm.c
+index 145b01d37..4d1046a21 100644
+--- a/grub-core/kern/emu/mm.c
++++ b/grub-core/kern/emu/mm.c
+@@ -60,7 +60,8 @@ grub_zalloc (grub_size_t size)
+ void
+ grub_free (void *ptr)
+ {
+-  free (ptr);
++  if (ptr)
++    free (ptr);
+ }
+ 
+ void *
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0024-efi-Fix-some-malformed-device-path-arithmetic-errors.patch b/buildroot/boot/grub2/0024-efi-Fix-some-malformed-device-path-arithmetic-errors.patch
new file mode 100644
index 000000000..48b5b8912
--- /dev/null
+++ b/buildroot/boot/grub2/0024-efi-Fix-some-malformed-device-path-arithmetic-errors.patch
@@ -0,0 +1,239 @@
+From c330aa099a38bc5c4d3066954fe35767cc06adb1 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Sun, 19 Jul 2020 16:53:27 -0400
+Subject: [PATCH] efi: Fix some malformed device path arithmetic errors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Several places we take the length of a device path and subtract 4 from
+it, without ever checking that it's >= 4. There are also cases where
+this kind of malformation will result in unpredictable iteration,
+including treating the length from one dp node as the type in the next
+node. These are all errors, no matter where the data comes from.
+
+This patch adds a checking macro, GRUB_EFI_DEVICE_PATH_VALID(), which
+can be used in several places, and makes GRUB_EFI_NEXT_DEVICE_PATH()
+return NULL and GRUB_EFI_END_ENTIRE_DEVICE_PATH() evaluate as true when
+the length is too small. Additionally, it makes several places in the
+code check for and return errors in these cases.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/kern/efi/efi.c           | 64 +++++++++++++++++++++++++-----
+ grub-core/loader/efi/chainloader.c | 13 +++++-
+ grub-core/loader/i386/xnu.c        |  9 +++--
+ include/grub/efi/api.h             | 14 ++++---
+ 4 files changed, 79 insertions(+), 21 deletions(-)
+
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index dc31caa21..c97969a65 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -332,7 +332,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+ 
+   dp = dp0;
+ 
+-  while (1)
++  while (dp)
+     {
+       grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
+       grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
+@@ -342,9 +342,15 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+       if (type == GRUB_EFI_MEDIA_DEVICE_PATH_TYPE
+ 	       && subtype == GRUB_EFI_FILE_PATH_DEVICE_PATH_SUBTYPE)
+ 	{
+-	  grub_efi_uint16_t len;
+-	  len = ((GRUB_EFI_DEVICE_PATH_LENGTH (dp) - 4)
+-		 / sizeof (grub_efi_char16_t));
++	  grub_efi_uint16_t len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
++
++	  if (len < 4)
++	    {
++	      grub_error (GRUB_ERR_OUT_OF_RANGE,
++			  "malformed EFI Device Path node has length=%d", len);
++	      return NULL;
++	    }
++	  len = (len - 4) / sizeof (grub_efi_char16_t);
+ 	  filesize += GRUB_MAX_UTF8_PER_UTF16 * len + 2;
+ 	}
+ 
+@@ -360,7 +366,7 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+   if (!name)
+     return NULL;
+ 
+-  while (1)
++  while (dp)
+     {
+       grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
+       grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
+@@ -376,8 +382,15 @@ grub_efi_get_filename (grub_efi_device_path_t *dp0)
+ 
+ 	  *p++ = '/';
+ 
+-	  len = ((GRUB_EFI_DEVICE_PATH_LENGTH (dp) - 4)
+-		 / sizeof (grub_efi_char16_t));
++	  len = GRUB_EFI_DEVICE_PATH_LENGTH (dp);
++	  if (len < 4)
++	    {
++	      grub_error (GRUB_ERR_OUT_OF_RANGE,
++			  "malformed EFI Device Path node has length=%d", len);
++	      return NULL;
++	    }
++
++	  len = (len - 4) / sizeof (grub_efi_char16_t);
+ 	  fp = (grub_efi_file_path_device_path_t *) dp;
+ 	  /* According to EFI spec Path Name is NULL terminated */
+ 	  while (len > 0 && fp->path_name[len - 1] == 0)
+@@ -452,7 +465,26 @@ grub_efi_duplicate_device_path (const grub_efi_device_path_t *dp)
+        ;
+        p = GRUB_EFI_NEXT_DEVICE_PATH (p))
+     {
+-      total_size += GRUB_EFI_DEVICE_PATH_LENGTH (p);
++      grub_size_t len = GRUB_EFI_DEVICE_PATH_LENGTH (p);
++
++      /*
++       * In the event that we find a node that's completely garbage, for
++       * example if we get to 0x7f 0x01 0x02 0x00 ... (EndInstance with a size
++       * of 2), GRUB_EFI_END_ENTIRE_DEVICE_PATH() will be true and
++       * GRUB_EFI_NEXT_DEVICE_PATH() will return NULL, so we won't continue,
++       * and neither should our consumers, but there won't be any error raised
++       * even though the device path is junk.
++       *
++       * This keeps us from passing junk down back to our caller.
++       */
++      if (len < 4)
++	{
++	  grub_error (GRUB_ERR_OUT_OF_RANGE,
++		      "malformed EFI Device Path node has length=%d", len);
++	  return NULL;
++	}
++
++      total_size += len;
+       if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (p))
+ 	break;
+     }
+@@ -497,7 +529,7 @@ dump_vendor_path (const char *type, grub_efi_vendor_device_path_t *vendor)
+ void
+ grub_efi_print_device_path (grub_efi_device_path_t *dp)
+ {
+-  while (1)
++  while (GRUB_EFI_DEVICE_PATH_VALID (dp))
+     {
+       grub_efi_uint8_t type = GRUB_EFI_DEVICE_PATH_TYPE (dp);
+       grub_efi_uint8_t subtype = GRUB_EFI_DEVICE_PATH_SUBTYPE (dp);
+@@ -909,7 +941,10 @@ grub_efi_compare_device_paths (const grub_efi_device_path_t *dp1,
+     /* Return non-zero.  */
+     return 1;
+ 
+-  while (1)
++  if (dp1 == dp2)
++    return 0;
++
++  while (GRUB_EFI_DEVICE_PATH_VALID (dp1) && GRUB_EFI_DEVICE_PATH_VALID (dp2))
+     {
+       grub_efi_uint8_t type1, type2;
+       grub_efi_uint8_t subtype1, subtype2;
+@@ -945,5 +980,14 @@ grub_efi_compare_device_paths (const grub_efi_device_path_t *dp1,
+       dp2 = (grub_efi_device_path_t *) ((char *) dp2 + len2);
+     }
+ 
++  /*
++   * There's no "right" answer here, but we probably don't want to call a valid
++   * dp and an invalid dp equal, so pick one way or the other.
++   */
++  if (GRUB_EFI_DEVICE_PATH_VALID (dp1) && !GRUB_EFI_DEVICE_PATH_VALID (dp2))
++    return 1;
++  else if (!GRUB_EFI_DEVICE_PATH_VALID (dp1) && GRUB_EFI_DEVICE_PATH_VALID (dp2))
++    return -1;
++
+   return 0;
+ }
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index daf8c6b54..a8d7b9155 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -156,9 +156,18 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
+ 
+   size = 0;
+   d = dp;
+-  while (1)
++  while (d)
+     {
+-      size += GRUB_EFI_DEVICE_PATH_LENGTH (d);
++      grub_size_t len = GRUB_EFI_DEVICE_PATH_LENGTH (d);
++
++      if (len < 4)
++	{
++	  grub_error (GRUB_ERR_OUT_OF_RANGE,
++		      "malformed EFI Device Path node has length=%d", len);
++	  return NULL;
++	}
++
++      size += len;
+       if ((GRUB_EFI_END_ENTIRE_DEVICE_PATH (d)))
+ 	break;
+       d = GRUB_EFI_NEXT_DEVICE_PATH (d);
+diff --git a/grub-core/loader/i386/xnu.c b/grub-core/loader/i386/xnu.c
+index e9e119259..a70093607 100644
+--- a/grub-core/loader/i386/xnu.c
++++ b/grub-core/loader/i386/xnu.c
+@@ -515,14 +515,15 @@ grub_cmd_devprop_load (grub_command_t cmd __attribute__ ((unused)),
+ 
+       devhead = buf;
+       buf = devhead + 1;
+-      dpstart = buf;
++      dp = dpstart = buf;
+ 
+-      do
++      while (GRUB_EFI_DEVICE_PATH_VALID (dp) && buf < bufend)
+ 	{
+-	  dp = buf;
+ 	  buf = (char *) buf + GRUB_EFI_DEVICE_PATH_LENGTH (dp);
++	  if (GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp))
++	    break;
++	  dp = buf;
+ 	}
+-      while (!GRUB_EFI_END_ENTIRE_DEVICE_PATH (dp) && buf < bufend);
+ 
+       dev = grub_xnu_devprop_add_device (dpstart, (char *) buf
+ 					 - (char *) dpstart);
+diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
+index addcbfa8f..cf1355a8c 100644
+--- a/include/grub/efi/api.h
++++ b/include/grub/efi/api.h
+@@ -625,6 +625,7 @@ typedef struct grub_efi_device_path grub_efi_device_path_protocol_t;
+ #define GRUB_EFI_DEVICE_PATH_TYPE(dp)		((dp)->type & 0x7f)
+ #define GRUB_EFI_DEVICE_PATH_SUBTYPE(dp)	((dp)->subtype)
+ #define GRUB_EFI_DEVICE_PATH_LENGTH(dp)		((dp)->length)
++#define GRUB_EFI_DEVICE_PATH_VALID(dp)		((dp) != NULL && GRUB_EFI_DEVICE_PATH_LENGTH (dp) >= 4)
+ 
+ /* The End of Device Path nodes.  */
+ #define GRUB_EFI_END_DEVICE_PATH_TYPE			(0xff & 0x7f)
+@@ -633,13 +634,16 @@ typedef struct grub_efi_device_path grub_efi_device_path_protocol_t;
+ #define GRUB_EFI_END_THIS_DEVICE_PATH_SUBTYPE		0x01
+ 
+ #define GRUB_EFI_END_ENTIRE_DEVICE_PATH(dp)	\
+-  (GRUB_EFI_DEVICE_PATH_TYPE (dp) == GRUB_EFI_END_DEVICE_PATH_TYPE \
+-   && (GRUB_EFI_DEVICE_PATH_SUBTYPE (dp) \
+-       == GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE))
++  (!GRUB_EFI_DEVICE_PATH_VALID (dp) || \
++   (GRUB_EFI_DEVICE_PATH_TYPE (dp) == GRUB_EFI_END_DEVICE_PATH_TYPE \
++    && (GRUB_EFI_DEVICE_PATH_SUBTYPE (dp) \
++	== GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE)))
+ 
+ #define GRUB_EFI_NEXT_DEVICE_PATH(dp)	\
+-  ((grub_efi_device_path_t *) ((char *) (dp) \
+-                               + GRUB_EFI_DEVICE_PATH_LENGTH (dp)))
++  (GRUB_EFI_DEVICE_PATH_VALID (dp) \
++   ? ((grub_efi_device_path_t *) \
++      ((char *) (dp) + GRUB_EFI_DEVICE_PATH_LENGTH (dp))) \
++   : NULL)
+ 
+ /* Hardware Device Path.  */
+ #define GRUB_EFI_HARDWARE_DEVICE_PATH_TYPE		1
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0025-efi-chainloader-Propagate-errors-from-copy_file_path.patch b/buildroot/boot/grub2/0025-efi-chainloader-Propagate-errors-from-copy_file_path.patch
new file mode 100644
index 000000000..eb3e0f0e2
--- /dev/null
+++ b/buildroot/boot/grub2/0025-efi-chainloader-Propagate-errors-from-copy_file_path.patch
@@ -0,0 +1,78 @@
+From fb55bc37dd510911df4eaf649da939f5fafdc7ce Mon Sep 17 00:00:00 2001
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Wed, 29 Jul 2020 13:38:31 +0200
+Subject: [PATCH] efi/chainloader: Propagate errors from copy_file_path()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Without any error propagated to the caller, make_file_path()
+would then try to advance the invalid device path node with
+GRUB_EFI_NEXT_DEVICE_PATH(), which would fail, returning a NULL
+pointer that would subsequently be dereferenced. Hence, propagate
+errors from copy_file_path().
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/loader/efi/chainloader.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
+index a8d7b9155..7b31c3fb9 100644
+--- a/grub-core/loader/efi/chainloader.c
++++ b/grub-core/loader/efi/chainloader.c
+@@ -106,7 +106,7 @@ grub_chainloader_boot (void)
+   return grub_errno;
+ }
+ 
+-static void
++static grub_err_t
+ copy_file_path (grub_efi_file_path_device_path_t *fp,
+ 		const char *str, grub_efi_uint16_t len)
+ {
+@@ -118,7 +118,7 @@ copy_file_path (grub_efi_file_path_device_path_t *fp,
+ 
+   path_name = grub_calloc (len, GRUB_MAX_UTF16_PER_UTF8 * sizeof (*path_name));
+   if (!path_name)
+-    return;
++    return grub_error (GRUB_ERR_OUT_OF_MEMORY, "failed to allocate path buffer");
+ 
+   size = grub_utf8_to_utf16 (path_name, len * GRUB_MAX_UTF16_PER_UTF8,
+ 			     (const grub_uint8_t *) str, len, 0);
+@@ -131,6 +131,7 @@ copy_file_path (grub_efi_file_path_device_path_t *fp,
+   fp->path_name[size++] = '\0';
+   fp->header.length = size * sizeof (grub_efi_char16_t) + sizeof (*fp);
+   grub_free (path_name);
++  return GRUB_ERR_NONE;
+ }
+ 
+ static grub_efi_device_path_t *
+@@ -189,13 +190,19 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
+   d = (grub_efi_device_path_t *) ((char *) file_path
+ 				  + ((char *) d - (char *) dp));
+   grub_efi_print_device_path (d);
+-  copy_file_path ((grub_efi_file_path_device_path_t *) d,
+-		  dir_start, dir_end - dir_start);
++  if (copy_file_path ((grub_efi_file_path_device_path_t *) d,
++		      dir_start, dir_end - dir_start) != GRUB_ERR_NONE)
++    {
++ fail:
++      grub_free (file_path);
++      return 0;
++    }
+ 
+   /* Fill the file path for the file.  */
+   d = GRUB_EFI_NEXT_DEVICE_PATH (d);
+-  copy_file_path ((grub_efi_file_path_device_path_t *) d,
+-		  dir_end + 1, grub_strlen (dir_end + 1));
++  if (copy_file_path ((grub_efi_file_path_device_path_t *) d,
++		      dir_end + 1, grub_strlen (dir_end + 1)) != GRUB_ERR_NONE)
++    goto fail;
+ 
+   /* Fill the end of device path nodes.  */
+   d = GRUB_EFI_NEXT_DEVICE_PATH (d);
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0026-efi-Fix-use-after-free-in-halt-reboot-path.patch b/buildroot/boot/grub2/0026-efi-Fix-use-after-free-in-halt-reboot-path.patch
new file mode 100644
index 000000000..75dd05d48
--- /dev/null
+++ b/buildroot/boot/grub2/0026-efi-Fix-use-after-free-in-halt-reboot-path.patch
@@ -0,0 +1,183 @@
+From 8a6d6299efcffd14c1130942195e6c0d9b50cacd Mon Sep 17 00:00:00 2001
+From: Alexey Makhalov <amakhalov@vmware.com>
+Date: Mon, 20 Jul 2020 23:03:05 +0000
+Subject: [PATCH] efi: Fix use-after-free in halt/reboot path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+commit 92bfc33db984 ("efi: Free malloc regions on exit")
+introduced memory freeing in grub_efi_fini(), which is
+used not only by exit path but by halt/reboot one as well.
+As result of memory freeing, code and data regions used by
+modules, such as halt, reboot, acpi (used by halt) also got
+freed. After return to module code, CPU executes, filled
+by UEFI firmware (tested with edk2), 0xAFAFAFAF pattern as
+a code. Which leads to #UD exception later.
+
+grub> halt
+!!!! X64 Exception Type - 06(#UD - Invalid Opcode)  CPU Apic ID - 00000000 !!!!
+RIP  - 0000000003F4EC28, CS  - 0000000000000038, RFLAGS - 0000000000200246
+RAX  - 0000000000000000, RCX - 00000000061DA188, RDX - 0A74C0854DC35D41
+RBX  - 0000000003E10E08, RSP - 0000000007F0F860, RBP - 0000000000000000
+RSI  - 00000000064DB768, RDI - 000000000832C5C3
+R8   - 0000000000000002, R9  - 0000000000000000, R10 - 00000000061E2E52
+R11  - 0000000000000020, R12 - 0000000003EE5C1F, R13 - 00000000061E0FF4
+R14  - 0000000003E10D80, R15 - 00000000061E2F60
+DS   - 0000000000000030, ES  - 0000000000000030, FS  - 0000000000000030
+GS   - 0000000000000030, SS  - 0000000000000030
+CR0  - 0000000080010033, CR2 - 0000000000000000, CR3 - 0000000007C01000
+CR4  - 0000000000000668, CR8 - 0000000000000000
+DR0  - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000
+DR3  - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400
+GDTR - 00000000079EEA98 0000000000000047, LDTR - 0000000000000000
+IDTR - 0000000007598018 0000000000000FFF,   TR - 0000000000000000
+FXSAVE_STATE - 0000000007F0F4C0
+
+Proposal here is to continue to free allocated memory for
+exit boot services path but keep it for halt/reboot path
+as it won't be much security concern here.
+Introduced GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY
+loader flag to be used by efi halt/reboot path.
+
+Signed-off-by: Alexey Makhalov <amakhalov@vmware.com>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/kern/arm/efi/init.c   | 3 +++
+ grub-core/kern/arm64/efi/init.c | 3 +++
+ grub-core/kern/efi/efi.c        | 3 ++-
+ grub-core/kern/efi/init.c       | 1 -
+ grub-core/kern/i386/efi/init.c  | 9 +++++++--
+ grub-core/kern/ia64/efi/init.c  | 9 +++++++--
+ grub-core/kern/riscv/efi/init.c | 3 +++
+ grub-core/lib/efi/halt.c        | 3 ++-
+ include/grub/loader.h           | 1 +
+ 9 files changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/kern/arm/efi/init.c b/grub-core/kern/arm/efi/init.c
+index 06df60e2f..40c3b467f 100644
+--- a/grub-core/kern/arm/efi/init.c
++++ b/grub-core/kern/arm/efi/init.c
+@@ -71,4 +71,7 @@ grub_machine_fini (int flags)
+   efi_call_1 (b->close_event, tmr_evt);
+ 
+   grub_efi_fini ();
++
++  if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY))
++    grub_efi_memory_fini ();
+ }
+diff --git a/grub-core/kern/arm64/efi/init.c b/grub-core/kern/arm64/efi/init.c
+index 6224999ec..5010caefd 100644
+--- a/grub-core/kern/arm64/efi/init.c
++++ b/grub-core/kern/arm64/efi/init.c
+@@ -57,4 +57,7 @@ grub_machine_fini (int flags)
+     return;
+ 
+   grub_efi_fini ();
++
++  if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY))
++    grub_efi_memory_fini ();
+ }
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index c97969a65..9cfd88d77 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -157,7 +157,8 @@ grub_efi_get_loaded_image (grub_efi_handle_t image_handle)
+ void
+ grub_reboot (void)
+ {
+-  grub_machine_fini (GRUB_LOADER_FLAG_NORETURN);
++  grub_machine_fini (GRUB_LOADER_FLAG_NORETURN |
++		     GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY);
+   efi_call_4 (grub_efi_system_table->runtime_services->reset_system,
+               GRUB_EFI_RESET_COLD, GRUB_EFI_SUCCESS, 0, NULL);
+   for (;;) ;
+diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
+index 3dfdf2d22..2c31847bf 100644
+--- a/grub-core/kern/efi/init.c
++++ b/grub-core/kern/efi/init.c
+@@ -80,5 +80,4 @@ grub_efi_fini (void)
+ {
+   grub_efidisk_fini ();
+   grub_console_fini ();
+-  grub_efi_memory_fini ();
+ }
+diff --git a/grub-core/kern/i386/efi/init.c b/grub-core/kern/i386/efi/init.c
+index da499aba0..deb2eacd8 100644
+--- a/grub-core/kern/i386/efi/init.c
++++ b/grub-core/kern/i386/efi/init.c
+@@ -39,6 +39,11 @@ grub_machine_init (void)
+ void
+ grub_machine_fini (int flags)
+ {
+-  if (flags & GRUB_LOADER_FLAG_NORETURN)
+-    grub_efi_fini ();
++  if (!(flags & GRUB_LOADER_FLAG_NORETURN))
++    return;
++
++  grub_efi_fini ();
++
++  if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY))
++    grub_efi_memory_fini ();
+ }
+diff --git a/grub-core/kern/ia64/efi/init.c b/grub-core/kern/ia64/efi/init.c
+index b5ecbd091..f1965571b 100644
+--- a/grub-core/kern/ia64/efi/init.c
++++ b/grub-core/kern/ia64/efi/init.c
+@@ -70,6 +70,11 @@ grub_machine_init (void)
+ void
+ grub_machine_fini (int flags)
+ {
+-  if (flags & GRUB_LOADER_FLAG_NORETURN)
+-    grub_efi_fini ();
++  if (!(flags & GRUB_LOADER_FLAG_NORETURN))
++    return;
++
++  grub_efi_fini ();
++
++  if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY))
++    grub_efi_memory_fini ();
+ }
+diff --git a/grub-core/kern/riscv/efi/init.c b/grub-core/kern/riscv/efi/init.c
+index 7eb1969d0..38795fe67 100644
+--- a/grub-core/kern/riscv/efi/init.c
++++ b/grub-core/kern/riscv/efi/init.c
+@@ -73,4 +73,7 @@ grub_machine_fini (int flags)
+     return;
+ 
+   grub_efi_fini ();
++
++  if (!(flags & GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY))
++    grub_efi_memory_fini ();
+ }
+diff --git a/grub-core/lib/efi/halt.c b/grub-core/lib/efi/halt.c
+index 5859f0498..29d413641 100644
+--- a/grub-core/lib/efi/halt.c
++++ b/grub-core/lib/efi/halt.c
+@@ -28,7 +28,8 @@
+ void
+ grub_halt (void)
+ {
+-  grub_machine_fini (GRUB_LOADER_FLAG_NORETURN);
++  grub_machine_fini (GRUB_LOADER_FLAG_NORETURN |
++		     GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY);
+ #if !defined(__ia64__) && !defined(__arm__) && !defined(__aarch64__) && \
+     !defined(__riscv)
+   grub_acpi_halt ();
+diff --git a/include/grub/loader.h b/include/grub/loader.h
+index 7f82a499f..b20864282 100644
+--- a/include/grub/loader.h
++++ b/include/grub/loader.h
+@@ -33,6 +33,7 @@ enum
+ {
+   GRUB_LOADER_FLAG_NORETURN = 1,
+   GRUB_LOADER_FLAG_PXE_NOT_UNLOAD = 2,
++  GRUB_LOADER_FLAG_EFI_KEEP_ALLOCATED_MEMORY = 4,
+ };
+ 
+ void EXPORT_FUNC (grub_loader_set) (grub_err_t (*boot) (void),
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0027-loader-linux-Avoid-overflow-on-initrd-size-calculati.patch b/buildroot/boot/grub2/0027-loader-linux-Avoid-overflow-on-initrd-size-calculati.patch
new file mode 100644
index 000000000..823f20556
--- /dev/null
+++ b/buildroot/boot/grub2/0027-loader-linux-Avoid-overflow-on-initrd-size-calculati.patch
@@ -0,0 +1,32 @@
+From a2a7464e9f10a677d6f91e1c4fa527d084c22e7c Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 24 Jul 2020 13:57:27 -0400
+Subject: [PATCH] loader/linux: Avoid overflow on initrd size calculation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/loader/linux.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
+index 471b214d6..4cd8c20c7 100644
+--- a/grub-core/loader/linux.c
++++ b/grub-core/loader/linux.c
+@@ -151,8 +151,7 @@ grub_initrd_init (int argc, char *argv[],
+   initrd_ctx->nfiles = 0;
+   initrd_ctx->components = 0;
+ 
+-  initrd_ctx->components = grub_zalloc (argc
+-					* sizeof (initrd_ctx->components[0]));
++  initrd_ctx->components = grub_calloc (argc, sizeof (initrd_ctx->components[0]));
+   if (!initrd_ctx->components)
+     return grub_errno;
+ 
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/0028-linux-Fix-integer-overflows-in-initrd-size-handling.patch b/buildroot/boot/grub2/0028-linux-Fix-integer-overflows-in-initrd-size-handling.patch
new file mode 100644
index 000000000..bf6590d8e
--- /dev/null
+++ b/buildroot/boot/grub2/0028-linux-Fix-integer-overflows-in-initrd-size-handling.patch
@@ -0,0 +1,173 @@
+From 0367e7d1b9bac3a78608a672bf6e4ace6a28b964 Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Sat, 25 Jul 2020 12:15:37 +0100
+Subject: [PATCH] linux: Fix integer overflows in initrd size handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+These could be triggered by a crafted filesystem with very large files.
+
+Fixes: CVE-2020-15707
+
+Signed-off-by: Colin Watson <cjwatson@debian.org>
+Reviewed-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
+---
+ grub-core/loader/linux.c | 74 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 54 insertions(+), 20 deletions(-)
+
+diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
+index 4cd8c20c7..3fe390f17 100644
+--- a/grub-core/loader/linux.c
++++ b/grub-core/loader/linux.c
+@@ -4,6 +4,7 @@
+ #include <grub/misc.h>
+ #include <grub/file.h>
+ #include <grub/mm.h>
++#include <grub/safemath.h>
+ 
+ struct newc_head
+ {
+@@ -98,13 +99,13 @@ free_dir (struct dir *root)
+   grub_free (root);
+ }
+ 
+-static grub_size_t
++static grub_err_t
+ insert_dir (const char *name, struct dir **root,
+-	    grub_uint8_t *ptr)
++	    grub_uint8_t *ptr, grub_size_t *size)
+ {
+   struct dir *cur, **head = root;
+   const char *cb, *ce = name;
+-  grub_size_t size = 0;
++  *size = 0;
+   while (1)
+     {
+       for (cb = ce; *cb == '/'; cb++);
+@@ -130,14 +131,22 @@ insert_dir (const char *name, struct dir **root,
+ 	      ptr = make_header (ptr, name, ce - name,
+ 				 040777, 0);
+ 	    }
+-	  size += ALIGN_UP ((ce - (char *) name)
+-			    + sizeof (struct newc_head), 4);
++	  if (grub_add (*size,
++		        ALIGN_UP ((ce - (char *) name)
++				  + sizeof (struct newc_head), 4),
++			size))
++	    {
++	      grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++	      grub_free (n->name);
++	      grub_free (n);
++	      return grub_errno;
++	    }
+ 	  *head = n;
+ 	  cur = n;
+ 	}
+       root = &cur->next;
+     }
+-  return size;
++  return GRUB_ERR_NONE;
+ }
+ 
+ grub_err_t
+@@ -172,26 +181,33 @@ grub_initrd_init (int argc, char *argv[],
+ 	  eptr = grub_strchr (ptr, ':');
+ 	  if (eptr)
+ 	    {
++	      grub_size_t dir_size, name_len;
++
+ 	      initrd_ctx->components[i].newc_name = grub_strndup (ptr, eptr - ptr);
+-	      if (!initrd_ctx->components[i].newc_name)
++	      if (!initrd_ctx->components[i].newc_name ||
++		  insert_dir (initrd_ctx->components[i].newc_name, &root, 0,
++			      &dir_size))
+ 		{
+ 		  grub_initrd_close (initrd_ctx);
+ 		  return grub_errno;
+ 		}
+-	      initrd_ctx->size
+-		+= ALIGN_UP (sizeof (struct newc_head)
+-			    + grub_strlen (initrd_ctx->components[i].newc_name),
+-			     4);
+-	      initrd_ctx->size += insert_dir (initrd_ctx->components[i].newc_name,
+-					      &root, 0);
++	      name_len = grub_strlen (initrd_ctx->components[i].newc_name);
++	      if (grub_add (initrd_ctx->size,
++			    ALIGN_UP (sizeof (struct newc_head) + name_len, 4),
++			    &initrd_ctx->size) ||
++		  grub_add (initrd_ctx->size, dir_size, &initrd_ctx->size))
++		goto overflow;
+ 	      newc = 1;
+ 	      fname = eptr + 1;
+ 	    }
+ 	}
+       else if (newc)
+ 	{
+-	  initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
+-					+ sizeof ("TRAILER!!!") - 1, 4);
++	  if (grub_add (initrd_ctx->size,
++			ALIGN_UP (sizeof (struct newc_head)
++				  + sizeof ("TRAILER!!!") - 1, 4),
++			&initrd_ctx->size))
++	    goto overflow;
+ 	  free_dir (root);
+ 	  root = 0;
+ 	  newc = 0;
+@@ -207,19 +223,29 @@ grub_initrd_init (int argc, char *argv[],
+       initrd_ctx->nfiles++;
+       initrd_ctx->components[i].size
+ 	= grub_file_size (initrd_ctx->components[i].file);
+-      initrd_ctx->size += initrd_ctx->components[i].size;
++      if (grub_add (initrd_ctx->size, initrd_ctx->components[i].size,
++		    &initrd_ctx->size))
++	goto overflow;
+     }
+ 
+   if (newc)
+     {
+       initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
+-      initrd_ctx->size += ALIGN_UP (sizeof (struct newc_head)
+-				    + sizeof ("TRAILER!!!") - 1, 4);
++      if (grub_add (initrd_ctx->size,
++		    ALIGN_UP (sizeof (struct newc_head)
++			      + sizeof ("TRAILER!!!") - 1, 4),
++		    &initrd_ctx->size))
++	goto overflow;
+       free_dir (root);
+       root = 0;
+     }
+   
+   return GRUB_ERR_NONE;
++
++ overflow:
++  free_dir (root);
++  grub_initrd_close (initrd_ctx);
++  return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+ }
+ 
+ grub_size_t
+@@ -260,8 +286,16 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+ 
+       if (initrd_ctx->components[i].newc_name)
+ 	{
+-	  ptr += insert_dir (initrd_ctx->components[i].newc_name,
+-			     &root, ptr);
++	  grub_size_t dir_size;
++
++	  if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr,
++			  &dir_size))
++	    {
++	      free_dir (root);
++	      grub_initrd_close (initrd_ctx);
++	      return grub_errno;
++	    }
++	  ptr += dir_size;
+ 	  ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
+ 			     grub_strlen (initrd_ctx->components[i].newc_name),
+ 			     0100777,
+-- 
+2.26.2
+
diff --git a/buildroot/boot/grub2/grub2.mk b/buildroot/boot/grub2/grub2.mk
index f77dc0f9d..5fca2315e 100644
--- a/buildroot/boot/grub2/grub2.mk
+++ b/buildroot/boot/grub2/grub2.mk
@@ -21,6 +21,17 @@ endef
 GRUB2_POST_PATCH_HOOKS += GRUB2_AVOID_AUTORECONF
 HOST_GRUB2_POST_PATCH_HOOKS += GRUB2_AVOID_AUTORECONF
 
+# 0002-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch
+GRUB2_IGNORE_CVES += CVE-2020-10713
+# 0005-calloc-Use-calloc-at-most-places.patch
+GRUB2_IGNORE_CVES += CVE-2020-14308
+# 0006-malloc-Use-overflow-checking-primitives-where-we-do-.patch
+GRUB2_IGNORE_CVES += CVE-2020-14309 CVE-2020-14310 CVE-2020-14311
+# 0019-script-Avoid-a-use-after-free-when-redefining-a-func.patch
+GRUB2_IGNORE_CVES += CVE-2020-15706
+# 0028-linux-Fix-integer-overflows-in-initrd-size-handling.patch
+GRUB2_IGNORE_CVES += CVE-2020-15707
+
 ifeq ($(BR2_TARGET_GRUB2_INSTALL_TOOLS),y)
 GRUB2_INSTALL_TARGET = YES
 else
diff --git a/buildroot/boot/uboot/uboot.mk b/buildroot/boot/uboot/uboot.mk
index 2bfa50779..9cbd81b05 100644
--- a/buildroot/boot/uboot/uboot.mk
+++ b/buildroot/boot/uboot/uboot.mk
@@ -16,6 +16,7 @@ UBOOT_INSTALL_IMAGES = YES
 
 # u-boot 2020.01+ needs make 4.0+
 UBOOT_DEPENDENCIES = $(BR2_MAKE_HOST_DEPENDENCY)
+UBOOT_MAKE = $(BR2_MAKE)
 
 ifeq ($(UBOOT_VERSION),custom)
 # Handle custom U-Boot tarballs as specified by the configuration
@@ -247,7 +248,7 @@ UBOOT_POST_PATCH_HOOKS += UBOOT_FIXUP_LIBFDT_INCLUDE
 ifeq ($(BR2_TARGET_UBOOT_BUILD_SYSTEM_LEGACY),y)
 define UBOOT_CONFIGURE_CMDS
 	$(TARGET_CONFIGURE_OPTS) \
-		$(BR2_MAKE) -C $(@D) $(UBOOT_MAKE_OPTS) \
+		$(UBOOT_MAKE) -C $(@D) $(UBOOT_MAKE_OPTS) \
 		$(UBOOT_BOARD_NAME)_config
 endef
 else ifeq ($(BR2_TARGET_UBOOT_BUILD_SYSTEM_KCONFIG),y)
@@ -284,7 +285,7 @@ define UBOOT_BUILD_CMDS
 		cp -f $(UBOOT_CUSTOM_DTS_PATH) $(@D)/arch/$(UBOOT_ARCH)/dts/
 	)
 	$(TARGET_CONFIGURE_OPTS) \
-		$(BR2_MAKE) -C $(@D) $(UBOOT_MAKE_OPTS) \
+		$(UBOOT_MAKE) -C $(@D) $(UBOOT_MAKE_OPTS) \
 		$(UBOOT_MAKE_TARGET)
 	$(if $(BR2_TARGET_UBOOT_FORMAT_SD),
 		$(@D)/tools/mxsboot sd $(@D)/u-boot.sb $(@D)/u-boot.sd)
diff --git a/buildroot/docs/manual/adding-board-support.txt b/buildroot/docs/manual/adding-board-support.txt
index f6d74ae1f..33ed70953 100644
--- a/buildroot/docs/manual/adding-board-support.txt
+++ b/buildroot/docs/manual/adding-board-support.txt
@@ -10,9 +10,9 @@ that is known to work. You are welcome to add support for other boards
 to Buildroot too.
 
 To do so, you need to create a normal Buildroot configuration that
-builds a basic system for the hardware: toolchain, kernel, bootloader,
-filesystem and a simple BusyBox-only userspace. No specific package
-should be selected: the configuration should be as minimal as
+builds a basic system for the hardware: (internal) toolchain, kernel,
+bootloader, filesystem and a simple BusyBox-only userspace. No specific
+package should be selected: the configuration should be as minimal as
 possible, and should only build a working basic BusyBox system for the
 target platform. You can of course use more complicated configurations
 for your internal projects, but the Buildroot project will only
@@ -22,7 +22,17 @@ selections are highly application-specific.
 Once you have a known working configuration, run +make
 savedefconfig+. This will generate a minimal +defconfig+ file at the
 root of the Buildroot source tree. Move this file into the +configs/+
-directory, and rename it +<boardname>_defconfig+.
+directory, and rename it +<boardname>_defconfig+. If the configuration
+is a bit more complicated, it is nice to manually reformat it and
+separate it into sections, with a comment before each section. Typical
+sections are _Architecture_, _Toolchain options_ (typically just linux
+headers version), _Firmware_, _Bootloader_, _Kernel_, and _Filesystem_.
+
+Always use fixed versions or commit hashes for the different
+components, not the "latest" version. For example, set
++BR2_LINUX_KERNEL_CUSTOM_VERSION=y+ and
++BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE+ to the kernel version you tested
+with.
 
 It is recommended to use as much as possible upstream versions of the
 Linux kernel and bootloaders, and to use as much as possible default
diff --git a/buildroot/docs/manual/adding-packages-cargo.txt b/buildroot/docs/manual/adding-packages-cargo.txt
index b6029e1ee..edf698e70 100644
--- a/buildroot/docs/manual/adding-packages-cargo.txt
+++ b/buildroot/docs/manual/adding-packages-cargo.txt
@@ -47,32 +47,31 @@ package. Let's start with an example:
 13: FOO_DEPENDENCIES = host-cargo
 14:
 15: FOO_CARGO_ENV = CARGO_HOME=$(HOST_DIR)/share/cargo
-16: FOO_CARGO_MODE = $(if $(BR2_ENABLE_DEBUG),debug,release)
-17:
-18: FOO_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(FOO_CARGO_MODE)
-19:
-20: FOO_CARGO_OPTS = \
-21:   --$(FOO_CARGO_MODE) \
-22: 	--target=$(RUSTC_TARGET_NAME) \
-23: 	--manifest-path=$(@D)/Cargo.toml
-24:
-25: define FOO_BUILD_CMDS
-26: 	$(TARGET_MAKE_ENV) $(FOO_CARGO_ENV) \
-27: 		cargo build $(FOO_CARGO_OPTS)
-28: endef
-29:
-30: define FOO_INSTALL_TARGET_CMDS
-31: 	$(INSTALL) -D -m 0755 $(@D)/$(FOO_BIN_DIR)/foo \
-32: 		$(TARGET_DIR)/usr/bin/foo
-33: endef
-34:
-35: $(eval $(generic-package))
+16:
+17: FOO_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(FOO_CARGO_MODE)
+18:
+19: FOO_CARGO_OPTS = \
+20: 	$(if $(BR2_ENABLE_DEBUG),,--release) \
+21: 	--target=$(RUSTC_TARGET_NAME) \
+22: 	--manifest-path=$(@D)/Cargo.toml
+23:
+24: define FOO_BUILD_CMDS
+25: 	$(TARGET_MAKE_ENV) $(FOO_CARGO_ENV) \
+26: 		cargo build $(FOO_CARGO_OPTS)
+27: endef
+28:
+29: define FOO_INSTALL_TARGET_CMDS
+30: 	$(INSTALL) -D -m 0755 $(@D)/$(FOO_BIN_DIR)/foo \
+31: 		$(TARGET_DIR)/usr/bin/foo
+32: endef
+33:
+34: $(eval $(generic-package))
 --------------------------------
 
 The Makefile starts with the definition of the standard variables for package
 declaration (lines 7 to 11).
 
-As seen in line 35, it is based on the
+As seen in line 34, it is based on the
 xref:generic-package-tutorial[+generic-package+ infrastructure]. So, it defines
 the variables required by this particular infrastructure, where Cargo is
 invoked:
diff --git a/buildroot/docs/manual/adding-packages-waf.txt b/buildroot/docs/manual/adding-packages-waf.txt
index ffc004c29..101cddf1f 100644
--- a/buildroot/docs/manual/adding-packages-waf.txt
+++ b/buildroot/docs/manual/adding-packages-waf.txt
@@ -34,7 +34,7 @@ will automatically download the tarball from this location.
 
 On line 10, we tell Buildroot what options to enable for libfoo.
 
-On line 11, we tell Buildroot the depednencies of libfoo.
+On line 11, we tell Buildroot the dependencies of libfoo.
 
 Finally, on line line 13, we invoke the +waf-package+
 macro that generates all the Makefile rules that actually allows the
diff --git a/buildroot/docs/manual/contribute.txt b/buildroot/docs/manual/contribute.txt
index bde7543c2..70d178d00 100644
--- a/buildroot/docs/manual/contribute.txt
+++ b/buildroot/docs/manual/contribute.txt
@@ -371,6 +371,37 @@ in the following cases:
 * whenever you feel it will help presenting your work, your choices,
   the review process, etc.
 
+==== Patches for maintenance branches
+
+When fixing bugs on a maintenance branch, bugs should be fixed on the
+master branch first. The commit log for such a patch may then contain a
+post-commit note specifying what branches are affected:
+
+----
+package/foo: fix stuff
+
+Signed-off-by: Your Real Name <your@email.address>
+---
+Backport to: 2020.02.x, 2020.05.x
+(2020.08.x not affected as the version was bumped)
+----
+
+Those changes will then be backported by a maintainer to the affected
+branches.
+
+However, some bugs may apply only to a specific release, for example
+because it is using an older version of a package. In that case, patches
+should be based off the maintenance branch, and the patch subject prefix
+must include the maintenance branch name (for example "[PATCH 2020.02.x]").
+This can be done with the +git format-patch+ flag +--subject-prefix+:
+
+---------------------
+$ git format-patch --subject-prefix "PATCH 2020.02.x" \
+    -M -s -o outgoing origin/2020.02.x
+---------------------
+
+Then send the patches with +git send-email+, as described above.
+
 ==== Patch revision changelog
 
 When improvements are requested, the new revision of each commit
diff --git a/buildroot/docs/manual/manual.html b/buildroot/docs/manual/manual.html
index aca28363f..87aaa4f27 100644
--- a/buildroot/docs/manual/manual.html
+++ b/buildroot/docs/manual/manual.html
@@ -1,8 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Buildroot user manual</title><link rel="stylesheet" type="text/css" href="docbook-xsl.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /></head><body><div xml:lang="en" class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="idm1"></a>The Buildroot user manual</h1></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="preface"><a href="#idm4"></a></span></dt><dt><span class="part"><a href="#_getting_started">I. Getting started</a></span></dt><dd><dl><dt><span class="chapter"><a href="#_about_buildroot">1. About Buildroot</a></span></dt><dt><span class="chapter"><a href="#requirement">2. System requirements</a></span></dt><dd><dl><dt><span class="section"><a href="#requirement-mandatory">2.1. Mandatory packages</a></span></dt><dt><span class="section"><a href="#requirement-optional">2.2. Optional packages</a></span></dt></dl></dd><dt><span class="chapter"><a href="#getting-buildroot">3. Getting Buildroot</a></span></dt><dt><span class="chapter"><a href="#_buildroot_quick_start">4. Buildroot quick start</a></span></dt><dt><span class="chapter"><a href="#community-resources">5. Community resources</a></span></dt></dl></dd><dt><span class="part"><a href="#_user_guide">II. User guide</a></span></dt><dd><dl><dt><span class="chapter"><a href="#configure">6. Buildroot configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#_cross_compilation_toolchain">6.1. Cross-compilation toolchain</a></span></dt><dt><span class="section"><a href="#_dev_management">6.2. /dev management</a></span></dt><dt><span class="section"><a href="#_init_system">6.3. init system</a></span></dt></dl></dd><dt><span class="chapter"><a href="#_configuration_of_other_components">7. Configuration of other components</a></span></dt><dt><span class="chapter"><a href="#_general_buildroot_usage">8. General Buildroot usage</a></span></dt><dd><dl><dt><span class="section"><a href="#make-tips">8.1. <span class="emphasis"><em>make</em></span> tips</a></span></dt><dt><span class="section"><a href="#full-rebuild">8.2. Understanding when a full rebuild is necessary</a></span></dt><dt><span class="section"><a href="#rebuild-pkg">8.3. Understanding how to rebuild packages</a></span></dt><dt><span class="section"><a href="#_offline_builds">8.4. Offline builds</a></span></dt><dt><span class="section"><a href="#_building_out_of_tree">8.5. Building out-of-tree</a></span></dt><dt><span class="section"><a href="#env-vars">8.6. Environment variables</a></span></dt><dt><span class="section"><a href="#_dealing_efficiently_with_filesystem_images">8.7. Dealing efficiently with filesystem images</a></span></dt><dt><span class="section"><a href="#_graphing_the_dependencies_between_packages">8.8. Graphing the dependencies between packages</a></span></dt><dt><span class="section"><a href="#_graphing_the_build_duration">8.9. Graphing the build duration</a></span></dt><dt><span class="section"><a href="#graph-size">8.10. Graphing the filesystem size contribution of packages</a></span></dt><dt><span class="section"><a href="#top-level-parallel-build">8.11. Top-level parallel build</a></span></dt><dt><span class="section"><a href="#_integration_with_eclipse">8.12. Integration with Eclipse</a></span></dt><dt><span class="section"><a href="#_advanced_usage">8.13. Advanced usage</a></span></dt></dl></dd><dt><span class="chapter"><a href="#customize">9. Project-specific customization</a></span></dt><dd><dl><dt><span class="section"><a href="#customize-dir-structure">9.1. Recommended directory structure</a></span></dt><dt><span class="section"><a href="#outside-br-custom">9.2. Keeping customizations outside of Buildroot</a></span></dt><dt><span class="section"><a href="#customize-store-buildroot-config">9.3. Storing the Buildroot configuration</a></span></dt><dt><span class="section"><a href="#customize-store-package-config">9.4. Storing the configuration of other components</a></span></dt><dt><span class="section"><a href="#rootfs-custom">9.5. Customizing the generated target filesystem</a></span></dt><dt><span class="section"><a href="#customize-users">9.6. Adding custom user accounts</a></span></dt><dt><span class="section"><a href="#_customization_emphasis_after_emphasis_the_images_have_been_created">9.7. Customization <span class="emphasis"><em>after</em></span> the images have been created</a></span></dt><dt><span class="section"><a href="#customize-patches">9.8. Adding project-specific patches</a></span></dt><dt><span class="section"><a href="#customize-packages">9.9. Adding project-specific packages</a></span></dt><dt><span class="section"><a href="#_quick_guide_to_storing_your_project_specific_customizations">9.10. Quick guide to storing your project-specific customizations</a></span></dt></dl></dd><dt><span class="chapter"><a href="#_frequently_asked_questions_amp_troubleshooting">10. Frequently Asked Questions &amp; Troubleshooting</a></span></dt><dd><dl><dt><span class="section"><a href="#faq-boot-hang-after-starting">10.1. The boot hangs after <span class="emphasis"><em>Starting network…</em></span></a></span></dt><dt><span class="section"><a href="#faq-no-compiler-on-target">10.2. Why is there no compiler on the target?</a></span></dt><dt><span class="section"><a href="#faq-no-dev-files-on-target">10.3. Why are there no development files on the target?</a></span></dt><dt><span class="section"><a href="#faq-no-doc-on-target">10.4. Why is there no documentation on the target?</a></span></dt><dt><span class="section"><a href="#faq-why-not-visible-package">10.5. Why are some packages not visible in the Buildroot config menu?</a></span></dt><dt><span class="section"><a href="#faq-why-not-use-target-as-chroot">10.6. Why not use the target directory as a chroot directory?</a></span></dt><dt><span class="section"><a href="#faq-no-binary-packages">10.7. Why doesn’t Buildroot generate binary packages (.deb, .ipkg…)?</a></span></dt><dt><span class="section"><a href="#faq-speeding-up-build">10.8. How to speed-up the build process?</a></span></dt></dl></dd><dt><span class="chapter"><a href="#_known_issues">11. Known issues</a></span></dt><dt><span class="chapter"><a href="#legal-info">12. Legal notice and licensing</a></span></dt><dd><dl><dt><span class="section"><a href="#_complying_with_open_source_licenses">12.1. Complying with open source licenses</a></span></dt><dt><span class="section"><a href="#legal-info-buildroot">12.2. Complying with the Buildroot license</a></span></dt></dl></dd><dt><span class="chapter"><a href="#_beyond_buildroot">13. Beyond Buildroot</a></span></dt><dd><dl><dt><span class="section"><a href="#_boot_the_generated_images">13.1. Boot the generated images</a></span></dt><dt><span class="section"><a href="#_chroot">13.2. Chroot</a></span></dt></dl></dd></dl></dd><dt><span class="part"><a href="#_developer_guide">III. Developer guide</a></span></dt><dd><dl><dt><span class="chapter"><a href="#_how_buildroot_works">14. How Buildroot works</a></span></dt><dt><span class="chapter"><a href="#_coding_style">15. Coding style</a></span></dt><dd><dl><dt><span class="section"><a href="#writing-rules-config-in">15.1. <code class="literal">Config.in</code> file</a></span></dt><dt><span class="section"><a href="#writing-rules-mk">15.2. The <code class="literal">.mk</code> file</a></span></dt><dt><span class="section"><a href="#_the_documentation">15.3. The documentation</a></span></dt><dt><span class="section"><a href="#_support_scripts">15.4. Support scripts</a></span></dt></dl></dd><dt><span class="chapter"><a href="#adding-board-support">16. Adding support for a particular board</a></span></dt><dt><span class="chapter"><a href="#adding-packages">17. Adding new packages to Buildroot</a></span></dt><dd><dl><dt><span class="section"><a href="#_package_directory">17.1. Package directory</a></span></dt><dt><span class="section"><a href="#_config_files">17.2. Config files</a></span></dt><dt><span class="section"><a href="#_the_literal_mk_literal_file">17.3. The <code class="literal">.mk</code> file</a></span></dt><dt><span class="section"><a href="#adding-packages-hash">17.4. The <code class="literal">.hash</code> file</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_packages_with_specific_build_systems">17.5. Infrastructure for packages with specific build systems</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_autotools_based_packages">17.6. Infrastructure for autotools-based packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_cmake_based_packages">17.7. Infrastructure for CMake-based packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_python_packages">17.8. Infrastructure for Python packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_luarocks_based_packages">17.9. Infrastructure for LuaRocks-based packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_perl_cpan_packages">17.10. Infrastructure for Perl/CPAN packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_virtual_packages">17.11. Infrastructure for virtual packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_packages_using_kconfig_for_configuration_files">17.12. Infrastructure for packages using kconfig for configuration files</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_rebar_based_packages">17.13. Infrastructure for rebar-based packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_waf_based_packages">17.14. Infrastructure for Waf-based packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_meson_based_packages">17.15. Infrastructure for Meson-based packages</a></span></dt><dt><span class="section"><a href="#_integration_of_cargo_based_packages">17.16. Integration of Cargo-based packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_go_packages">17.17. Infrastructure for Go packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_packages_building_kernel_modules">17.18. Infrastructure for packages building kernel modules</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_asciidoc_documents">17.19. Infrastructure for asciidoc documents</a></span></dt><dt><span class="section"><a href="#linux-kernel-specific-infra">17.20. Infrastructure specific to the Linux kernel package</a></span></dt><dt><span class="section"><a href="#hooks">17.21. Hooks available in the various build steps</a></span></dt><dt><span class="section"><a href="#_gettext_integration_and_interaction_with_packages">17.22. Gettext integration and interaction with packages</a></span></dt><dt><span class="section"><a href="#_tips_and_tricks">17.23. Tips and tricks</a></span></dt><dt><span class="section"><a href="#_conclusion">17.24. Conclusion</a></span></dt></dl></dd><dt><span class="chapter"><a href="#patch-policy">18. Patching a package</a></span></dt><dd><dl><dt><span class="section"><a href="#_providing_patches">18.1. Providing patches</a></span></dt><dt><span class="section"><a href="#patch-apply-order">18.2. How patches are applied</a></span></dt><dt><span class="section"><a href="#_format_and_licensing_of_the_package_patches">18.3. Format and licensing of the package patches</a></span></dt><dt><span class="section"><a href="#_integrating_patches_found_on_the_web">18.4. Integrating patches found on the Web</a></span></dt></dl></dd><dt><span class="chapter"><a href="#download-infra">19. Download infrastructure</a></span></dt><dt><span class="chapter"><a href="#debugging-buildroot">20. Debugging Buildroot</a></span></dt><dt><span class="chapter"><a href="#_contributing_to_buildroot">21. Contributing to Buildroot</a></span></dt><dd><dl><dt><span class="section"><a href="#_reproducing_analyzing_and_fixing_bugs">21.1. Reproducing, analyzing and fixing bugs</a></span></dt><dt><span class="section"><a href="#_analyzing_and_fixing_autobuild_failures">21.2. Analyzing and fixing autobuild failures</a></span></dt><dt><span class="section"><a href="#_reviewing_and_testing_patches">21.3. Reviewing and testing patches</a></span></dt><dt><span class="section"><a href="#_work_on_items_from_the_todo_list">21.4. Work on items from the TODO list</a></span></dt><dt><span class="section"><a href="#submitting-patches">21.5. Submitting patches</a></span></dt><dt><span class="section"><a href="#reporting-bugs">21.6. Reporting issues/bugs or getting help</a></span></dt><dt><span class="section"><a href="#_using_the_run_tests_framework">21.7. Using the run-tests framework</a></span></dt></dl></dd><dt><span class="chapter"><a href="#DEVELOPERS">22. DEVELOPERS file and get-developers</a></span></dt><dt><span class="chapter"><a href="#RELENG">23. Release Engineering</a></span></dt><dd><dl><dt><span class="section"><a href="#_releases">23.1. Releases</a></span></dt><dt><span class="section"><a href="#_development">23.2. Development</a></span></dt></dl></dd></dl></dd><dt><span class="part"><a href="#_appendix">IV. Appendix</a></span></dt><dd><dl><dt><span class="chapter"><a href="#makedev-syntax">24. Makedev syntax documentation</a></span></dt><dt><span class="chapter"><a href="#makeuser-syntax">25. Makeusers syntax documentation</a></span></dt><dt><span class="chapter"><a href="#migrating-from-ol-versions">26. Migrating from older Buildroot versions</a></span></dt><dd><dl><dt><span class="section"><a href="#br2-external-converting">26.1. Migrating to 2016.11</a></span></dt><dt><span class="section"><a href="#migrating-host-usr">26.2. Migrating to 2017.08</a></span></dt></dl></dd></dl></dd></dl></div><div class="list-of-examples"><p><strong>List of Examples</strong></p><dl><dt>17.1. <a href="#idm3080">Config script: <span class="emphasis"><em>divine</em></span> package</a></dt><dt>17.2. <a href="#idm3087">Config script: <span class="emphasis"><em>imagemagick</em></span> package:</a></dt></dl></div><div class="preface"><div class="titlepage"><div><div><h1 class="title"><a id="idm4"></a></h1></div></div></div><p>Buildroot 2020.02.4 manual generated on 2020-07-26
-08:11:28 UTC from git revision dee53013da</p><p>The Buildroot manual is written by the Buildroot developers.
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>The Buildroot user manual</title><link rel="stylesheet" type="text/css" href="docbook-xsl.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /></head><body><div xml:lang="en" class="book" lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="idm1"></a>The Buildroot user manual</h1></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="preface"><a href="#idm4"></a></span></dt><dt><span class="part"><a href="#_getting_started">I. Getting started</a></span></dt><dd><dl><dt><span class="chapter"><a href="#_about_buildroot">1. About Buildroot</a></span></dt><dt><span class="chapter"><a href="#requirement">2. System requirements</a></span></dt><dd><dl><dt><span class="section"><a href="#requirement-mandatory">2.1. Mandatory packages</a></span></dt><dt><span class="section"><a href="#requirement-optional">2.2. Optional packages</a></span></dt></dl></dd><dt><span class="chapter"><a href="#getting-buildroot">3. Getting Buildroot</a></span></dt><dt><span class="chapter"><a href="#_buildroot_quick_start">4. Buildroot quick start</a></span></dt><dt><span class="chapter"><a href="#community-resources">5. Community resources</a></span></dt></dl></dd><dt><span class="part"><a href="#_user_guide">II. User guide</a></span></dt><dd><dl><dt><span class="chapter"><a href="#configure">6. Buildroot configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#_cross_compilation_toolchain">6.1. Cross-compilation toolchain</a></span></dt><dt><span class="section"><a href="#_dev_management">6.2. /dev management</a></span></dt><dt><span class="section"><a href="#_init_system">6.3. init system</a></span></dt></dl></dd><dt><span class="chapter"><a href="#_configuration_of_other_components">7. Configuration of other components</a></span></dt><dt><span class="chapter"><a href="#_general_buildroot_usage">8. General Buildroot usage</a></span></dt><dd><dl><dt><span class="section"><a href="#make-tips">8.1. <span class="emphasis"><em>make</em></span> tips</a></span></dt><dt><span class="section"><a href="#full-rebuild">8.2. Understanding when a full rebuild is necessary</a></span></dt><dt><span class="section"><a href="#rebuild-pkg">8.3. Understanding how to rebuild packages</a></span></dt><dt><span class="section"><a href="#_offline_builds">8.4. Offline builds</a></span></dt><dt><span class="section"><a href="#_building_out_of_tree">8.5. Building out-of-tree</a></span></dt><dt><span class="section"><a href="#env-vars">8.6. Environment variables</a></span></dt><dt><span class="section"><a href="#_dealing_efficiently_with_filesystem_images">8.7. Dealing efficiently with filesystem images</a></span></dt><dt><span class="section"><a href="#_graphing_the_dependencies_between_packages">8.8. Graphing the dependencies between packages</a></span></dt><dt><span class="section"><a href="#_graphing_the_build_duration">8.9. Graphing the build duration</a></span></dt><dt><span class="section"><a href="#graph-size">8.10. Graphing the filesystem size contribution of packages</a></span></dt><dt><span class="section"><a href="#top-level-parallel-build">8.11. Top-level parallel build</a></span></dt><dt><span class="section"><a href="#_integration_with_eclipse">8.12. Integration with Eclipse</a></span></dt><dt><span class="section"><a href="#_advanced_usage">8.13. Advanced usage</a></span></dt></dl></dd><dt><span class="chapter"><a href="#customize">9. Project-specific customization</a></span></dt><dd><dl><dt><span class="section"><a href="#customize-dir-structure">9.1. Recommended directory structure</a></span></dt><dt><span class="section"><a href="#outside-br-custom">9.2. Keeping customizations outside of Buildroot</a></span></dt><dt><span class="section"><a href="#customize-store-buildroot-config">9.3. Storing the Buildroot configuration</a></span></dt><dt><span class="section"><a href="#customize-store-package-config">9.4. Storing the configuration of other components</a></span></dt><dt><span class="section"><a href="#rootfs-custom">9.5. Customizing the generated target filesystem</a></span></dt><dt><span class="section"><a href="#customize-users">9.6. Adding custom user accounts</a></span></dt><dt><span class="section"><a href="#_customization_emphasis_after_emphasis_the_images_have_been_created">9.7. Customization <span class="emphasis"><em>after</em></span> the images have been created</a></span></dt><dt><span class="section"><a href="#customize-patches">9.8. Adding project-specific patches</a></span></dt><dt><span class="section"><a href="#customize-packages">9.9. Adding project-specific packages</a></span></dt><dt><span class="section"><a href="#_quick_guide_to_storing_your_project_specific_customizations">9.10. Quick guide to storing your project-specific customizations</a></span></dt></dl></dd><dt><span class="chapter"><a href="#_frequently_asked_questions_amp_troubleshooting">10. Frequently Asked Questions &amp; Troubleshooting</a></span></dt><dd><dl><dt><span class="section"><a href="#faq-boot-hang-after-starting">10.1. The boot hangs after <span class="emphasis"><em>Starting network…</em></span></a></span></dt><dt><span class="section"><a href="#faq-no-compiler-on-target">10.2. Why is there no compiler on the target?</a></span></dt><dt><span class="section"><a href="#faq-no-dev-files-on-target">10.3. Why are there no development files on the target?</a></span></dt><dt><span class="section"><a href="#faq-no-doc-on-target">10.4. Why is there no documentation on the target?</a></span></dt><dt><span class="section"><a href="#faq-why-not-visible-package">10.5. Why are some packages not visible in the Buildroot config menu?</a></span></dt><dt><span class="section"><a href="#faq-why-not-use-target-as-chroot">10.6. Why not use the target directory as a chroot directory?</a></span></dt><dt><span class="section"><a href="#faq-no-binary-packages">10.7. Why doesn’t Buildroot generate binary packages (.deb, .ipkg…)?</a></span></dt><dt><span class="section"><a href="#faq-speeding-up-build">10.8. How to speed-up the build process?</a></span></dt></dl></dd><dt><span class="chapter"><a href="#_known_issues">11. Known issues</a></span></dt><dt><span class="chapter"><a href="#legal-info">12. Legal notice and licensing</a></span></dt><dd><dl><dt><span class="section"><a href="#_complying_with_open_source_licenses">12.1. Complying with open source licenses</a></span></dt><dt><span class="section"><a href="#legal-info-buildroot">12.2. Complying with the Buildroot license</a></span></dt></dl></dd><dt><span class="chapter"><a href="#_beyond_buildroot">13. Beyond Buildroot</a></span></dt><dd><dl><dt><span class="section"><a href="#_boot_the_generated_images">13.1. Boot the generated images</a></span></dt><dt><span class="section"><a href="#_chroot">13.2. Chroot</a></span></dt></dl></dd></dl></dd><dt><span class="part"><a href="#_developer_guide">III. Developer guide</a></span></dt><dd><dl><dt><span class="chapter"><a href="#_how_buildroot_works">14. How Buildroot works</a></span></dt><dt><span class="chapter"><a href="#_coding_style">15. Coding style</a></span></dt><dd><dl><dt><span class="section"><a href="#writing-rules-config-in">15.1. <code class="literal">Config.in</code> file</a></span></dt><dt><span class="section"><a href="#writing-rules-mk">15.2. The <code class="literal">.mk</code> file</a></span></dt><dt><span class="section"><a href="#_the_documentation">15.3. The documentation</a></span></dt><dt><span class="section"><a href="#_support_scripts">15.4. Support scripts</a></span></dt></dl></dd><dt><span class="chapter"><a href="#adding-board-support">16. Adding support for a particular board</a></span></dt><dt><span class="chapter"><a href="#adding-packages">17. Adding new packages to Buildroot</a></span></dt><dd><dl><dt><span class="section"><a href="#_package_directory">17.1. Package directory</a></span></dt><dt><span class="section"><a href="#_config_files">17.2. Config files</a></span></dt><dt><span class="section"><a href="#_the_literal_mk_literal_file">17.3. The <code class="literal">.mk</code> file</a></span></dt><dt><span class="section"><a href="#adding-packages-hash">17.4. The <code class="literal">.hash</code> file</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_packages_with_specific_build_systems">17.5. Infrastructure for packages with specific build systems</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_autotools_based_packages">17.6. Infrastructure for autotools-based packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_cmake_based_packages">17.7. Infrastructure for CMake-based packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_python_packages">17.8. Infrastructure for Python packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_luarocks_based_packages">17.9. Infrastructure for LuaRocks-based packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_perl_cpan_packages">17.10. Infrastructure for Perl/CPAN packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_virtual_packages">17.11. Infrastructure for virtual packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_packages_using_kconfig_for_configuration_files">17.12. Infrastructure for packages using kconfig for configuration files</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_rebar_based_packages">17.13. Infrastructure for rebar-based packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_waf_based_packages">17.14. Infrastructure for Waf-based packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_meson_based_packages">17.15. Infrastructure for Meson-based packages</a></span></dt><dt><span class="section"><a href="#_integration_of_cargo_based_packages">17.16. Integration of Cargo-based packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_go_packages">17.17. Infrastructure for Go packages</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_packages_building_kernel_modules">17.18. Infrastructure for packages building kernel modules</a></span></dt><dt><span class="section"><a href="#_infrastructure_for_asciidoc_documents">17.19. Infrastructure for asciidoc documents</a></span></dt><dt><span class="section"><a href="#linux-kernel-specific-infra">17.20. Infrastructure specific to the Linux kernel package</a></span></dt><dt><span class="section"><a href="#hooks">17.21. Hooks available in the various build steps</a></span></dt><dt><span class="section"><a href="#_gettext_integration_and_interaction_with_packages">17.22. Gettext integration and interaction with packages</a></span></dt><dt><span class="section"><a href="#_tips_and_tricks">17.23. Tips and tricks</a></span></dt><dt><span class="section"><a href="#_conclusion">17.24. Conclusion</a></span></dt></dl></dd><dt><span class="chapter"><a href="#patch-policy">18. Patching a package</a></span></dt><dd><dl><dt><span class="section"><a href="#_providing_patches">18.1. Providing patches</a></span></dt><dt><span class="section"><a href="#patch-apply-order">18.2. How patches are applied</a></span></dt><dt><span class="section"><a href="#_format_and_licensing_of_the_package_patches">18.3. Format and licensing of the package patches</a></span></dt><dt><span class="section"><a href="#_integrating_patches_found_on_the_web">18.4. Integrating patches found on the Web</a></span></dt></dl></dd><dt><span class="chapter"><a href="#download-infra">19. Download infrastructure</a></span></dt><dt><span class="chapter"><a href="#debugging-buildroot">20. Debugging Buildroot</a></span></dt><dt><span class="chapter"><a href="#_contributing_to_buildroot">21. Contributing to Buildroot</a></span></dt><dd><dl><dt><span class="section"><a href="#_reproducing_analyzing_and_fixing_bugs">21.1. Reproducing, analyzing and fixing bugs</a></span></dt><dt><span class="section"><a href="#_analyzing_and_fixing_autobuild_failures">21.2. Analyzing and fixing autobuild failures</a></span></dt><dt><span class="section"><a href="#_reviewing_and_testing_patches">21.3. Reviewing and testing patches</a></span></dt><dt><span class="section"><a href="#_work_on_items_from_the_todo_list">21.4. Work on items from the TODO list</a></span></dt><dt><span class="section"><a href="#submitting-patches">21.5. Submitting patches</a></span></dt><dt><span class="section"><a href="#reporting-bugs">21.6. Reporting issues/bugs or getting help</a></span></dt><dt><span class="section"><a href="#_using_the_run_tests_framework">21.7. Using the run-tests framework</a></span></dt></dl></dd><dt><span class="chapter"><a href="#DEVELOPERS">22. DEVELOPERS file and get-developers</a></span></dt><dt><span class="chapter"><a href="#RELENG">23. Release Engineering</a></span></dt><dd><dl><dt><span class="section"><a href="#_releases">23.1. Releases</a></span></dt><dt><span class="section"><a href="#_development">23.2. Development</a></span></dt></dl></dd></dl></dd><dt><span class="part"><a href="#_appendix">IV. Appendix</a></span></dt><dd><dl><dt><span class="chapter"><a href="#makedev-syntax">24. Makedev syntax documentation</a></span></dt><dt><span class="chapter"><a href="#makeuser-syntax">25. Makeusers syntax documentation</a></span></dt><dt><span class="chapter"><a href="#migrating-from-ol-versions">26. Migrating from older Buildroot versions</a></span></dt><dd><dl><dt><span class="section"><a href="#br2-external-converting">26.1. Migrating to 2016.11</a></span></dt><dt><span class="section"><a href="#migrating-host-usr">26.2. Migrating to 2017.08</a></span></dt></dl></dd></dl></dd></dl></div><div class="list-of-examples"><p><strong>List of Examples</strong></p><dl><dt>17.1. <a href="#idm3089">Config script: <span class="emphasis"><em>divine</em></span> package</a></dt><dt>17.2. <a href="#idm3096">Config script: <span class="emphasis"><em>imagemagick</em></span> package:</a></dt></dl></div><div class="preface"><div class="titlepage"><div><div><h1 class="title"><a id="idm4"></a></h1></div></div></div><p>Buildroot 2020.02.7 manual generated on 2020-10-12
+21:37:29 UTC from git revision d8082db677</p><p>The Buildroot manual is written by the Buildroot developers.
 It is licensed under the GNU General Public License, version 2. Refer to the
-<a class="ulink" href="http://git.buildroot.org/buildroot/tree/COPYING?id=dee53013da87dfa4bcb3433bdef79ec43b5a5c24" target="_top">COPYING</a>
+<a class="ulink" href="http://git.buildroot.org/buildroot/tree/COPYING?id=d8082db677046e004a6537828b3e4f4b9a818a4f" target="_top">COPYING</a>
 file in the Buildroot sources for the full text of this license.</p><p>Copyright © 2004-2020 The Buildroot developers</p><div class="informalfigure"><div class="mediaobject"><img src="logo.png" alt="logo.png" /></div></div></div><div class="part"><div class="titlepage"><div><div><h1 class="title"><a id="_getting_started"></a>Part I. Getting started</h1></div></div></div><div class="chapter"><div class="titlepage"><div><div><h2 class="title"><a id="_about_buildroot"></a>Chapter 1. About Buildroot</h2></div></div></div><p>Buildroot is a tool that simplifies and automates the process of
 building a complete Linux system for an embedded system, using
 cross-compilation.</p><p>In order to achieve this, Buildroot is able to generate a
@@ -2346,9 +2346,9 @@ Python and should follow the
 hardware boards, so that users of such a board can easily build a system
 that is known to work. You are welcome to add support for other boards
 to Buildroot too.</p><p>To do so, you need to create a normal Buildroot configuration that
-builds a basic system for the hardware: toolchain, kernel, bootloader,
-filesystem and a simple BusyBox-only userspace. No specific package
-should be selected: the configuration should be as minimal as
+builds a basic system for the hardware: (internal) toolchain, kernel,
+bootloader, filesystem and a simple BusyBox-only userspace. No specific
+package should be selected: the configuration should be as minimal as
 possible, and should only build a working basic BusyBox system for the
 target platform. You can of course use more complicated configurations
 for your internal projects, but the Buildroot project will only
@@ -2356,7 +2356,15 @@ integrate basic board configurations. This is because package
 selections are highly application-specific.</p><p>Once you have a known working configuration, run <code class="literal">make
 savedefconfig</code>. This will generate a minimal <code class="literal">defconfig</code> file at the
 root of the Buildroot source tree. Move this file into the <code class="literal">configs/</code>
-directory, and rename it <code class="literal">&lt;boardname&gt;_defconfig</code>.</p><p>It is recommended to use as much as possible upstream versions of the
+directory, and rename it <code class="literal">&lt;boardname&gt;_defconfig</code>. If the configuration
+is a bit more complicated, it is nice to manually reformat it and
+separate it into sections, with a comment before each section. Typical
+sections are <span class="emphasis"><em>Architecture</em></span>, <span class="emphasis"><em>Toolchain options</em></span> (typically just linux
+headers version), <span class="emphasis"><em>Firmware</em></span>, <span class="emphasis"><em>Bootloader</em></span>, <span class="emphasis"><em>Kernel</em></span>, and <span class="emphasis"><em>Filesystem</em></span>.</p><p>Always use fixed versions or commit hashes for the different
+components, not the "latest" version. For example, set
+<code class="literal">BR2_LINUX_KERNEL_CUSTOM_VERSION=y</code> and
+<code class="literal">BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE</code> to the kernel version you tested
+with.</p><p>It is recommended to use as much as possible upstream versions of the
 Linux kernel and bootloaders, and to use as much as possible default
 kernel and bootloader configurations. If they are incorrect for your
 board, or no default exists, we encourage you to send fixes to the
@@ -2849,7 +2857,7 @@ flags.
 The argument to be given to <code class="literal">LIBFOO_CONFIG_SCRIPTS</code> is the file name(s)
 of the shell script(s) needing fixing. All these names are relative to
 <span class="emphasis"><em>$(STAGING_DIR)/usr/bin</em></span> and if needed multiple names can be given.</p><p>In addition, the scripts listed in <code class="literal">LIBFOO_CONFIG_SCRIPTS</code> are removed
-from <code class="literal">$(TARGET_DIR)/usr/bin</code>, since they are not needed on the target.</p><div class="example"><a id="idm3080"></a><p class="title"><strong>Example 17.1. Config script: <span class="emphasis"><em>divine</em></span> package</strong></p><div class="example-contents"><p>Package divine installs shell script <span class="emphasis"><em>$(STAGING_DIR)/usr/bin/divine-config</em></span>.</p><p>So its fixup would be:</p><pre class="screen">DIVINE_CONFIG_SCRIPTS = divine-config</pre></div></div><br class="example-break" /><div class="example"><a id="idm3087"></a><p class="title"><strong>Example 17.2. Config script: <span class="emphasis"><em>imagemagick</em></span> package:</strong></p><div class="example-contents"><p>Package imagemagick installs the following scripts:
+from <code class="literal">$(TARGET_DIR)/usr/bin</code>, since they are not needed on the target.</p><div class="example"><a id="idm3089"></a><p class="title"><strong>Example 17.1. Config script: <span class="emphasis"><em>divine</em></span> package</strong></p><div class="example-contents"><p>Package divine installs shell script <span class="emphasis"><em>$(STAGING_DIR)/usr/bin/divine-config</em></span>.</p><p>So its fixup would be:</p><pre class="screen">DIVINE_CONFIG_SCRIPTS = divine-config</pre></div></div><br class="example-break" /><div class="example"><a id="idm3096"></a><p class="title"><strong>Example 17.2. Config script: <span class="emphasis"><em>imagemagick</em></span> package:</strong></p><div class="example-contents"><p>Package imagemagick installs the following scripts:
 <span class="emphasis"><em>$(STAGING_DIR)/usr/bin/{Magick,Magick++,MagickCore,MagickWand,Wand}-config</em></span></p><p>So it’s fixup would be:</p><pre class="screen">IMAGEMAGICK_CONFIG_SCRIPTS = \
    Magick-config Magick++-config \
    MagickCore-config MagickWand-config Wand-config</pre></div></div><br class="example-break" /><p>On line 14, we specify the list of dependencies this package relies
@@ -4073,7 +4081,7 @@ an example :</p><pre class="screen">01: ########################################
 12:
 13: $(eval $(waf-package))</pre><p>On line 7, we declare the version of the package.</p><p>On line 8 and 9, we declare the name of the tarball (xz-ed tarball
 recommended) and the location of the tarball on the Web. Buildroot
-will automatically download the tarball from this location.</p><p>On line 10, we tell Buildroot what options to enable for libfoo.</p><p>On line 11, we tell Buildroot the depednencies of libfoo.</p><p>Finally, on line line 13, we invoke the <code class="literal">waf-package</code>
+will automatically download the tarball from this location.</p><p>On line 10, we tell Buildroot what options to enable for libfoo.</p><p>On line 11, we tell Buildroot the dependencies of libfoo.</p><p>Finally, on line line 13, we invoke the <code class="literal">waf-package</code>
 macro that generates all the Makefile rules that actually allows the
 package to be built.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="waf-package-reference"></a>17.14.2. <code class="literal">waf-package</code> reference</h3></div></div></div><p>The main macro of the Waf package infrastructure is <code class="literal">waf-package</code>.
 It is similar to the <code class="literal">generic-package</code> macro.</p><p>Just like the generic infrastructure, the Waf infrastructure works
@@ -4224,27 +4232,26 @@ package. Let’s start with an example:</p><pre class="screen">01: #############
 13: FOO_DEPENDENCIES = host-cargo
 14:
 15: FOO_CARGO_ENV = CARGO_HOME=$(HOST_DIR)/share/cargo
-16: FOO_CARGO_MODE = $(if $(BR2_ENABLE_DEBUG),debug,release)
-17:
-18: FOO_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(FOO_CARGO_MODE)
-19:
-20: FOO_CARGO_OPTS = \
-21:   --$(FOO_CARGO_MODE) \
-22:     --target=$(RUSTC_TARGET_NAME) \
-23:     --manifest-path=$(@D)/Cargo.toml
-24:
-25: define FOO_BUILD_CMDS
-26:     $(TARGET_MAKE_ENV) $(FOO_CARGO_ENV) \
-27:             cargo build $(FOO_CARGO_OPTS)
-28: endef
-29:
-30: define FOO_INSTALL_TARGET_CMDS
-31:     $(INSTALL) -D -m 0755 $(@D)/$(FOO_BIN_DIR)/foo \
-32:             $(TARGET_DIR)/usr/bin/foo
-33: endef
-34:
-35: $(eval $(generic-package))</pre><p>The Makefile starts with the definition of the standard variables for package
-declaration (lines 7 to 11).</p><p>As seen in line 35, it is based on the
+16:
+17: FOO_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(FOO_CARGO_MODE)
+18:
+19: FOO_CARGO_OPTS = \
+20:     $(if $(BR2_ENABLE_DEBUG),,--release) \
+21:     --target=$(RUSTC_TARGET_NAME) \
+22:     --manifest-path=$(@D)/Cargo.toml
+23:
+24: define FOO_BUILD_CMDS
+25:     $(TARGET_MAKE_ENV) $(FOO_CARGO_ENV) \
+26:             cargo build $(FOO_CARGO_OPTS)
+27: endef
+28:
+29: define FOO_INSTALL_TARGET_CMDS
+30:     $(INSTALL) -D -m 0755 $(@D)/$(FOO_BIN_DIR)/foo \
+31:             $(TARGET_DIR)/usr/bin/foo
+32: endef
+33:
+34: $(eval $(generic-package))</pre><p>The Makefile starts with the definition of the standard variables for package
+declaration (lines 7 to 11).</p><p>As seen in line 34, it is based on the
 <a class="link" href="#generic-package-tutorial" title="17.5.1. generic-package tutorial"><code class="literal">generic-package</code> infrastructure</a>. So, it defines
 the variables required by this particular infrastructure, where Cargo is
 invoked:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
@@ -5212,11 +5219,24 @@ large number of commits in the series;
 </li><li class="listitem">
 deep impact of the changes in the rest of the project;
 </li><li class="listitem">
-RFC <a href="#ftn.idm5511" class="footnote" id="idm5511"><sup class="footnote">[4]</sup></a>;
+RFC <a href="#ftn.idm5520" class="footnote" id="idm5520"><sup class="footnote">[4]</sup></a>;
 </li><li class="listitem">
 whenever you feel it will help presenting your work, your choices,
   the review process, etc.
-</li></ul></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="_patch_revision_changelog"></a>21.5.4. Patch revision changelog</h3></div></div></div><p>When improvements are requested, the new revision of each commit
+</li></ul></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="_patches_for_maintenance_branches"></a>21.5.4. Patches for maintenance branches</h3></div></div></div><p>When fixing bugs on a maintenance branch, bugs should be fixed on the
+master branch first. The commit log for such a patch may then contain a
+post-commit note specifying what branches are affected:</p><pre class="screen">package/foo: fix stuff
+
+Signed-off-by: Your Real Name &lt;your@email.address&gt;
+---
+Backport to: 2020.02.x, 2020.05.x
+(2020.08.x not affected as the version was bumped)</pre><p>Those changes will then be backported by a maintainer to the affected
+branches.</p><p>However, some bugs may apply only to a specific release, for example
+because it is using an older version of a package. In that case, patches
+should be based off the maintenance branch, and the patch subject prefix
+must include the maintenance branch name (for example "[PATCH 2020.02.x]").
+This can be done with the <code class="literal">git format-patch</code> flag <code class="literal">--subject-prefix</code>:</p><pre class="screen">$ git format-patch --subject-prefix "PATCH 2020.02.x" \
+    -M -s -o outgoing origin/2020.02.x</pre><p>Then send the patches with <code class="literal">git send-email</code>, as described above.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="_patch_revision_changelog"></a>21.5.5. Patch revision changelog</h3></div></div></div><p>When improvements are requested, the new revision of each commit
 should include a changelog of the modifications between each
 submission. Note that when your patch series is introduced by a cover
 letter, an overall changelog may be added to the cover letter in
@@ -5416,7 +5436,7 @@ to trigger all run-test test case jobs:
 </li></ul></div><pre class="screen"> $ git push gitlab HEAD:&lt;name&gt;-runtime-tests</pre><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
 to trigger one test case job, a specific branch naming string is used that
 includes the full test case name.
-</li></ul></div><pre class="screen"> $ git push gitlab HEAD:&lt;name&gt;-&lt;test case name&gt;</pre></div></div><div class="footnotes"><br /><hr style="width:100; text-align:left;margin-left: 0" /><div id="ftn.idm5511" class="footnote"><p><a href="#idm5511" class="simpara"><sup class="simpara">[4] </sup></a>RFC: (Request for comments) change proposal</p></div></div></div><div class="chapter"><div class="titlepage"><div><div><h2 class="title"><a id="DEVELOPERS"></a>Chapter 22. DEVELOPERS file and get-developers</h2></div></div></div><p>The main Buildroot directory contains a file named <code class="literal">DEVELOPERS</code> that
+</li></ul></div><pre class="screen"> $ git push gitlab HEAD:&lt;name&gt;-&lt;test case name&gt;</pre></div></div><div class="footnotes"><br /><hr style="width:100; text-align:left;margin-left: 0" /><div id="ftn.idm5520" class="footnote"><p><a href="#idm5520" class="simpara"><sup class="simpara">[4] </sup></a>RFC: (Request for comments) change proposal</p></div></div></div><div class="chapter"><div class="titlepage"><div><div><h2 class="title"><a id="DEVELOPERS"></a>Chapter 22. DEVELOPERS file and get-developers</h2></div></div></div><p>The main Buildroot directory contains a file named <code class="literal">DEVELOPERS</code> that
 lists the developers involved with various areas of Buildroot. Thanks
 to this file, the <code class="literal">get-developers</code> tool allows to:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem">
 Calculate the list of developers to whom patches should be sent, by
diff --git a/buildroot/docs/manual/manual.pdf b/buildroot/docs/manual/manual.pdf
index d37de3d278bbb23dcbf23b49d7187ec06268896b..a085d4b98e2f3f2e8cd135679d3b3e0d48fa979d 100644
GIT binary patch
delta 100901
zcmb5Ubx<8k)b7p3A-F?ucXxLS?(XjHFt|%_w?L5K?(Pl=?(Po312^ZKukKgxy?@=R
zo?UBpP50E)^sM!Jp6-_((u5h(T5G!WLTL~>1Pcpyx(EX}4RDdA?^?u(5q|ZDuC>t;
zevT@M(G%UVl<$IEe*HqC9eXg1z=EX}oKptyrx=VtbT*-~wz+aLWggBUBh1x2k_Mmd
z2Tjj}BqaBZQBmUWz!5!9n_Vhx-9dR|%t}G$j!m`^DmWaBN?;%e9U8N%$|SASc+;i|
z=t4UaiWk)+12a_l+)k|lISDZ%pktQs#=2dZt%2Efb{s`$0J)$W9)CGQoN#15lM!ag
zFo^9}kH1Ht6r|^6G+#PWSg+Xf(ov!-$CE$UxW)2OnZ$GNM7{A_UAXcwoJm)Z$-W9$
zxaAmZ@Qyw{Mc-sIRqPS1G+U}-gI*jl(RlyGc%B#}@cV07HdGKb;P|@Jx=_VvLWn*8
z4hs5N--%1|hZH-8*`Tt=)bv;95ml9FZIOCUBYf4uFY;+MD+bG^9r~3mQ0q{TMyU%N
z3?b#ZGszvKWGY{tvvhW63SH{tZTZ6i)tNX7%-n!blcR`U@bf1yH$y{4Lxc8{gQkf{
z9G~VY0LFuO_v5<qw@>6%P2C!n=!=!}4jy)WtKc~#)o8;Y_|HFM23gtMpZcja>jx0#
z#LOSW3I^1R<4_h@_3$s-Vc9Y{qif;oPwdk%V9sl02;d~{@g+j}K{D9i6Xi?tUyYlh
z32k(+$)qDFSU%g+YBvY8vw<?o90?*?w?bCo0eB&p@eSey1jj+>jeIhPEgukB)C4|R
z@&r<OrEC+W1(=`^U(41v<|*E8<4u@NV4#66e?F;m+%e7gp;DApHbIjF8F^Qic;nmm
z#-Bgihcl^ca4Sg^4i8Y;Bs-HkuJd*~q>9HR5!*gdXa?D+WV$O1l~=0_IK;wB`dZW&
z1Ck!*;foo@6X)zKxMQAo%JL-QtP}U%6Bt9anm;{<WDU`xixGwt;Irn@#f@{uxFbuy
zPi|8CzmLwIJZ2uFJH4g%7BX;S1=7;>u~(w~Jh4Y%GE1S4FW}{7EWdxGBgXRz5D-c$
zqojcQ#h!j5Bk*c|m%{oJ%Z0(aEp_h41%M`qCL>T#Yx;`pKAH4NW`C$zfuMR&XM3o9
zy33@sdXm8~#Dm^SbhH^r3K+-r{=nN&8zZ)*$_h6t&ljQPd;TQs|Ks+MeCU0ExMDm^
zDoxLWGz#YwwVSAa@iaFkbA-mR>RX`;rv01w+u8Hb)9nxKh)6SA3*Cg6OSv?27y###
z-;zR|>d)Y8>8e1Zz463-WgG>EoqlUdB71HLGe^ApR#JVLOun9w*s=PVWvjLjU8Sdv
z*fFw>00EF2HrtICUUAUEmfeOu)NncU1=sU1oJT@nZ@^M75<fJr00Yw*DT*p`S~wEU
z)41>B)_h;oD9sn)VL^7d;kvtu4j3H(<7y9XIUO(gp#iL?sGEHLt$SUiG%m|=VYVuk
z1NHdemnP@>>(x!A*mkruHU7L!J;>q3s5z^+=B{_kH74B92ZeE7XOXLgk8J!Pi#$vH
zPBVLrGWv^0fpSUzB@(-^)3>hOjyN#&k!2;wo}V9S2@48HkOkdP9wk~hr&Lhe{*ZxJ
zbhiN%w`+;4$k&7?eZ);8Bb<$>`U>E;Nq_7<z`auM&C-K@LZT=0GIN2LlR;rLfUbT5
zK?|aPPmgHAg_yg9$~W>}*sp_5x&=@Oe8|>_Lfq5eIPlJ)AMm6<{AV)fc;mCpLd_u0
zMcG^}y?Drn62uJ3(Nw<v5UDh2D&R1kB8f3&D8$fn<ncP9Ewn(?@v&OD=DAdM<nE2o
z{wYDLAd9MZBGS2+2mLZ7tmX853BXXhVH$HLexec>>e>0C=4_}O5Q^@ZV-2^e(nekL
zFqvReJO8Bosd=MJAcIG+9;1@n&kSvnjgSLTLw6_$>dZ?N@hWXJJoPKbv&58G^WW=7
z+uU!_>gn=NNi;WeR7dr_hzrR#5xQgCIzf=i2x=ThN={rz#GFfR%C)*bfV~43#P3v_
zzk*9AeSMs)w`+^HB|*YAc>=0neYv;JdMgKUrB7JU0iE96R&`3Lm1zj6+wM&%N?#84
z2yHM8$_qLD9N=uua!r2CLSET_RaQM7?^O-Ka8eS5_=P=y-IC??JzSDOY`O6FA@_0N
zCrAeraZMNzKlzAF=Ym4)P9P^L>=GqL2B{0zkr8BwG~QT7-v5O;UHo0nh-r*h>zj8m
zI3~_=kaw>G0yJs)ScxURduLIfIAla8^cPIpK_hZf=7N|$S#fxI$Pdy>KkzM(Z)jq#
zk~r_ZeJ#eEIGnJ@w?>(eD%e;M7KACtSTG1XFih1f^RW+$5&8_p9`IsVMvX7i93U`h
zgu@|?uT;@~nujMhUFND^DQdDW-B~y4Ga*PS*!iNMhH(yBD|<bdE1LLS@eu%^SLbhS
zZf+P>&ujs%J-HtjQx^c^64T{ofbZRdME{{YQw`Ae{`=+N(~1J)k|kHo)j&+vx8#E)
z)57g8$*d}`s3+)k;KAGLo?0(I;w=BFyZzJB$PV(=^>%j08a2l_(ST*X{<S9|*<syv
zZo{BX+hT^UfQk5wX|XPSSoqJPq@YU{Q*6<o);u6D@o~#<aw5~jdz(_G_(~}uyDL&$
zGt=bIZ;m}Km9e~E!)Unmv`YTQgy`;;yAx&E8-Aw$_Zjd8u)V=CNl2~RKx_~?YypoO
z6A{_@>l>Sn`}xEsjeiQMmS6wupb)mknzmwk%{y1FzpcSh>*sfO`Tlu>u0g9-BocyK
zs&NQtMP>qMb4zR9-Cf%PqL@0{x&W9**(m-Zgw2gE;PvHj<It+*3()iYFjc{H833C-
zFU!P?`y>G@JM3+Gznn5ihyHnG>R8^|>A*!9L*3iyZmzqm888}6t#i_K&#8!2AF(l=
zGG#FRUAI`*T!-YtdAw3!8Ip(iKZA6bF8<>K5hi3G@7d3^KMM(mJNyamZwoY`yI7A?
zb2lecr&<rOTC6g8&*O~iq(X}U8nNk8#~(ImP%a`k(dBG9wsPjtnJ$8C!I*`FB6OtO
zq!FVmrGi6o`O|Txh9ub{c2%gI6bTDQZ}I{Hf+Sm!>jp}gorGSt0;J<aLsWeEs1duF
zuqolL`~IxxRCmvQy$XEjcyq9hmqR8K0fQsYlxI37OAPMul0n3Yv*n0@8rGn#A_Hwq
z0ytZcrUVjE%n^;ly&FMcNhDkyWE(d)x=lz5F&&@E&u6|iwHP>aXcHSV$^<!Nlb>*P
zPv8_gL?z%B1=)*AF__Y}@tIJ(tY)gz-PBpZnCfT}?!`qu-D()aD%u;QHxlxi2<^9U
z<@1=dvXM>0th`bw&D7t4o%!#I&aU0@E)$6bFt_B#utP%N=+OgY1Wmt&lIjwnp!m_M
ztf<@ARBr6tMd|H>l9UJwz1EqdkNKrY)jR%n4RB9Nlx8tzhm_oJ!6gkYE6J$4%S^=2
zl&7PQ)b`L=TrrQ%zB6s=GdMB%N~cD}xKp>_XV(44tsIB8(*PFGI*{%i{3>p&C@=k;
ziP_L~ei5?&t1?eUkelohjm5MlOByPP=Qb1PH@(qPA07mVq-pFJAGvYvucV1$V*G&_
zl>4OCVQF8LwaH$hf5Zh6@Aly{9no3S#YA!sEND^e(qJqUCQYYDlNKha37K_`^3Z(8
z?HdKBa27-VWFad7ys0LtEa)9A^9W&3yU@zp;St9e{Q_4>+IKzAAws~&#PlV%iA-2|
z%snuV&%Hy1ksqct(rv4226srxzB}WBrL4c|uaY3fD}+x!Y~|@uLbcq0K7!$tHHrC@
zs@=@vF)c*^8NRkMQ2@eznD#lBK_-Z2>^-VulcivX0R^!Dai=3YV_4gFqXg$8tP)?f
zpXKJUbhn>)C%=DamGq7g&z-ui=hToFYp%fWsAGJgAnph*MsiOP0v)Y%|AEbsy0@&j
zY6-mSAqs7I1Bg3Ut{`?+K5z6LfE3dIYXmtKx^9N<m7I(Gi>w+%X9KSGl^r<Ch#N~H
zj?$q()$HF7#B4TML=jp5_g+%9_y47B+o5!ibpC!cwP^6c3mJJxha&FmZ#VyfL%T17
zLg<raYS||UtsYNPkTg|gNA1@#;3JO}SV0gq5AAn8-CQz$#s;`(2UlxgNOk!+wM-Wm
zzToq<gGHBCkle=(j`D<n&Q2m~ztSJ4?01r}ph)krD?F!izAHjCfE&4+2fDT|W^8xk
zH|dVMt{;QT5n6k$#GpONNpW7f;)XCCZ>1nDiDsl`2pzej6<&+U8DN2RHxawmBO94m
zLyaAzWTgprUjrU?I6?(cVb`61Z~e*XIp>?ho_w$k+)<eS>VRZ+BUCSc^jTGwKiHvt
zJu0m|9J`_E=HwwLYlPF<KRy>~ncr8>dl1qy$MY#?Z+zd+jcwpha!3TFrUQLy3H}tk
z7u&!yt<-0!?7v@ds)_44{cJL72xa(iu&CHHWZ}e4Ah7fdW+@3qjel)pN3(;Gd91c1
zs=1ww`)&x&X57rQ%ri@^a<r@+D8>~N$5A}7*jt-tD!@qU4#kh`Ibwjl3ldeY)j4`e
zYzN<ApQno&=$H)TNtGcl8T<P*^Jdo!x!kF}xDEbbTggZbu=>4lH#i&6GCb(<KhU>a
zv?`9lffUU6?~YT|;q2ji`W(&t95PMdxGM9sL!RfEuKIFQcWP&%_E6-P?WVJ`;&Uy~
zqFLFSjhJ7(EEL3=UpOTOWecYfvsQwk%UPk%T^Gw5&lc_avG^Ky(RqTvo<76N=dkT1
zkeloxgNqvp2r;EEeFXge^Ji*JRdpJsF}<ie2QWC&;s$#Aw6}_iZ6xYtpquMF`xD}X
zM4TUfAzwgtR&GNVQY+JUiIcTPC4HAKR@=AeD{g0D9@mg5p<O%ntNtguoavBsD`bA{
znCH?HbQfaHyn{fCkPH)2Gr3aalJ1rj*d165y18~cR5f~|Y9LA&_|y>av*1li>up38
zxa&bppDFi`o;V_a$samsC{_&g{;Yb$Su$-emwR`_^2!@{!ue0T<jk|(YkRm}2Wwvg
zYk&RQ3YK8H1do4<)FAu#&z^-C5Z%8hFqN`v;8w&h3}=n#Ohe8}6_i~|#0fe7Kv3@{
zIljO?gccHy4)E#xF^&rR9taC(4Op*n`+kJotif<jSDrwBMyerehGD$yf;_rAtDn6C
z2KF&UvT2B1jgb}jr+|&S9Nh~3Yvof)ga?~C?DZ4Iaa5vD*Uo3mJPJ5o^y9eB7_%@N
zw)!lAJAML|&6&>CZzARxLX(_h6Y#&uEs)<5<uQu8yW`+r64eC7!#_Yp3}RJ1@a7I?
zu5K>o#`gb2jwUwn?CfmB%*6jh{QU4ta^?<}ZdSw`%$&)@-L!zJuHqUqM!-zXwJ9mX
zaQbq*cQGEOor&EiWYwKQ`y3;NI6f-ey{(xj{q{7{VwtpQo(G<-Hh;+iXxPc37*gI2
z3^ZwKo}Gd+u)VKe;6vS1jFeK0P_YweW#Ghah6=KO;{Eb<Jx=+(YO#VeLFr9hJ;Ue<
z=>juy0-G)aClL?m*TbE(Ec)C>3u4XHSanK*UAdxVs6sDhTipZ-pKMlxf-@)ke(kq`
z5XhvdJ$)d$r3}gL4T$iSshJ;F62_?_i6db#U<BlRs&vfLyJ)+tSN+AKH%R)1kJNI0
zt?POYP12=uWCs?BF;<}U>%Hb~8mID%%e3u^#zHvj7i$5+GABJ`>AM9MmfaXM-j#g7
zqnZ0w#p34*OD13B-UN`Wp>(izC0>JibBIh93%=p+h_X0?iso#}?aD%iQvIt$3I3k8
zJCZwVow%MZ0u9FbvwVT!2=edL$TIdgLB5pN-`x=?OuK(O{#c#+!6nk3LS`#jA1nR@
z=doG}OHT=;ucWULX>#3dA8MoKU80i88`U~IMwU`<WcF37V?S7(Cwg+Q2a$B)bv&c@
z%Qd;qlW@i&=jmKd+M&npT2`EmfH^7RY&s*DpGdPicK?1fxVkC$-9k>RCY)wYOaTs$
z0dFH`zujDgOswEP7b_f9|M6T1fRZ}#uKt}U$p6Po`PT+&coE<Lr3b}<&>KXBo*+T2
z4SeDRkRYDqL~!&5JLxc(^qmGM^ae<!XebcpzkhyHhkyaGCWB_s8`|{5;6ZH3L2noh
zsFpdfe|y!TQz3D){qLE_%F30z15E==>DW7d=0ba~Htb87if|d*L5Sdg@{vYwMRa14
zOai}vdL~}`tXW3(Z1$Y={_1Pd<Uyd@tg%?aO^j5&p?$m4Idfi;r0-N-79+!qCG`WR
zVoyu|N1seQPSG!6oH0xVoa73d$CV+R8zW3?8Mh>xVc7)-V;PxP8D|#D4i$ZXo`esn
zZz$TFTU<)SUNoK>LoTUke#1nn(nA9OfEpbMb2-$B!Zi3G^G2<1gopb_U~lXnYLidU
zl>Fgvv!zBYPL+^2lY#xwx~;@4iWzK_Jlt40^i=!|Mo|{o%PT=q5(r6iIPbxRfmm=8
zaDn0wB(0*TJ&>ApkD-Wm{UXaiU~zD1Ll8r&9Wt5~+Zy~_)CMFOk0;P-ABcgl8|(fF
zXArs!P0<PWz5v7<)!fa1f~c$^M@+tWUd-2=gw6*IK`I{gCpDKk%_!2qrrth!qA&&S
zI=Ek&mU0&2{EQVfj}aAp0Q#CIvsku&P(cd^Ju<g1)$W^76C5L(c#;J0E3{Bk`=V2+
zQm>X@tbu*mphO3?)tSAN2G4Q6Tn24d$v3c2gqFa52(lFtuQ+p8yq6eO)(J|HPEDMc
z0g8h%R))jGS!dZRhlNHmmVg$QMWforx1J94mX4zzRf4H>BdUbh_l;tQ9sCfpF#ae*
z7%!MY_R=eUgsv86+~yP@(W*cbhe32*m{%^qQ>T?jLZX~n+hWpL;?JMKu8_GqJoQ@m
z^Zsi0zE=DkP{(hdeg%Hc+UXczXTZU<IdnNv?7fj!xz2|uxaJ-0wVa<s#pg9eI1c^o
z=yJQ4!%^>UVE3Y*gK2{+-OH{y!#CO>ukETkdwc7h+2$6!<7*|biIGs|Qy*e;BeQ2g
ztU1zB_rxuTSG~E8g!*jOKi)U+09{ykGgrJnl~q*FrAaPF_`(e<k4GerQ3H9E8Pq?Y
zE>P);f<s7vkQ1WGtxNj5F00GJ>Nhbn*{PGGY~^Xp5Mg-dWE*CUNXv=}AyI@{f>tcb
zp(`gBVdtqv_Tmi?HZZpoYDQc;qc2Bhm;o&<)e|hwhQXmlh_X^@QkUY7=#G+wYOgbB
zIfy>U`^4jwQ7owIfZ}AaY9~q6qrjwb@$;8vVB(HNqLesGOUzbu;`ko(&ttq8jNVd6
z9Jl~15a+?MY2t`FXIwe?k}z7;bKeklG2SStfXphinO`5E6t+ph9NK9f6FH`|+KD<c
z<kp7wtI2?DG`2{6qRL-_HMntQq*a2W8$32Nb`Sx|m`a3nR>kTVODyrmI5c?qli~0-
zyoyZp!ZtsWsoxTz?QssaEU}|ERoJn0cHw@F5p^0fo=|nrU=n|&*XOTH2nXMNVOk;<
z3_A{w4Bsz+?zl9+A9SOCz}X!G+yma<v!0w-4BhF7NN<?VB9N4|=g-P9#WwJf*`+3i
z#<H=T^j+_7XE_|#X6PQ@zaZhu&#cPafuA+sEl_+@uOGR{Nsp;Gknvqv@Zb0jG?q4;
zJjTpa@5K_I5YJ0e!}!&Kxv=Y-z^OSI%WvL1pk?a<B&J{g3gbVN7DZ+5H{mNRMpW|#
zM$MGL>G64}E8mHOl-Js@4XL^gpZi2wMD9BGJnu@LPkz(Az8)?u{51jPT{(51_bOJN
zPh9G>o`-HL+nyIH)9lwepO)sBYTlm*wk%2k0fxfa6K6?*!8XL8Qtc!x+L7`DWIw%9
ziZmJk@Ot>puPncnM3sVG%Qb$-SVyca0$zIkra^Z_{7N;^v7YW35Z&pRZ&k*-MRA$H
z6wC@MGoD}h(*LMM(pY*rq4T@S{<;?K{5)XUhQ#)RIGfDG%z2^Ww<rpw%?f^Qz#ACU
zh{r`nz*i1$+kka2k;9ZKHa6H%0U>H@n2t6;{w-r8R+tXgG-<?IIo(2Sj0JL@fISlH
zL>}zX<Cm))>f_HlxyO6{2myJ)5dyh)&Kpi^y8?eDyw6s+?usIZtdUrz{y&%<_zDhd
zN#!I~6=i>Sr?@FPrrc#1P;00yulRUT)4+`pKeTicK}E6(Wnm2aEZw`V^xZq6JE|7|
zh>g@frn7SraYTz|n_td<JPuaZCojirVs=#TXm9xl-1^Xa_jFFyZ<xUw`4Cgj{J6?$
zFEix0%FFQ2Ovz;woSMP@^=smA1!B$yOjN{saxtfw5CMKHI#{D}Os<=J1969fIN;@e
z?8DQiIcHi^6Z_rl#u?dZk!?~(uYQvRh^Dc9*8u;VT#!+axZDEM-OU4TV7_0L)z!r=
zO?@AB_jEj|!EuEm;ehVw3jW!OD3<iIRbqEx?|e{W8B|1{{P$j?pTau7!)}>%Mt|%Z
zJE>yTR`PFP$D^FubRXT(UY*>@p7^ihHFS~dCe#sGGi||0kv^m~{!pydu8?Wy0;mz7
zyss~-XWqsgFI+bBJP+$4M#MxFc94xA&nT`<h>S)w(|d@R1Yf;7d{9;{Qy~Vrh^>X~
zi8@;PA;U|m^@;k^;(wO;=cH5>nmK=SLp1W8u<Clb7ACS>c|Wpgwi6P)>eko8St>c&
z1JP3Nm$hdoZ&PSCXflr&c+2cc0hvixlxpf8(q(@i@b3F(D+V`;RFTF914(agdm{qz
zY@;N4cj78iu|nfU839P<uUH}~5j#x^E;R1URsJ!|p;)|R*2FX@<nKVa7x`wz7m9F!
z0b%{p&WD4($W-LQTaq|xauln+bBs?oI!cQbU6KBcAG&_{b)aO}Gt@U~pgx{nn((5E
zTb3~Rcl5ly^d&c9lykA<J%suktUa$9_Tzl$cz}%wQLdX!l8<}T&xAIjCZaDw)iY5l
zEkve5DnbuuN<ECf&y;%zPYhNf7TC-TNl79QALir?d5Qb(nqCdeTBrfR4n6%%>u4Zn
zdRj=~XrpW8ZD2P6;r(O<kbyf}>I{DQyo&0KaCYY+$@37pzdsY4`%N^lvI{<0StkPT
zwIl{Lk3Avy)x=|t5%CQt5Z6G2W&^C5+XnYW6_g)TRMoc*k)%_T>_}`*Bd9&`67^NV
z@(Tb_0Tb!-)}KEU|7QX2UFgP>=UGS^Rw4C&pm}nh9yEyUACkgsp!a6}m$xt)oP2!X
z|6wqUhWAiOgnuH;2JJ*c#N-=A^oEH%a)kfT3%mjr{h!W`e-VwaTLj`iY;)<ehWQWM
zE=N(J)3=)-FdEQj_FzHm|1elG;W8qKBiWhxKlEB}MSbt?2^Q{I_h*)Hd19qsr%U?u
zldk|Om>Z@M@y*x}!<XqSweDwL?)!@%*~Ikf+49eE7|2L6Sw3>9flSLh5=?r!qTs1<
zNxfX<P^v!d1JmJ!avbpLVik{8pVTgX<ngSW*~syB>bT;{77Mgd+RsVqeWuc%)ro-!
zNj`46?AQ@>H<J)!IK_GqM}%~UVJd4gx7*?znOkzYBQrh66f(*;v(!(a3WC&faW{Ty
zj60aYdPR}s2U^3awkY~Iak03Cof9~0UJ=m0$c4jW<#4Yr8MhDSf;xxRXCuLjG>IkP
z;2}FPoY8g)I-S3HYY?7NyWQiU@ZtamV;xa%!U%J)x;{zMsEBje54S;cxa}|E$2qf6
zYgA7wkpZZ``lYS5!$;}rh`;l<)iGdEiq|ENj%AP-JFsZ6qF`X+S|GuhvKB?W<<!~D
zQkvninIl-sNYK~8S)(y)H%f}%%=Wi}R!0^|afp4ic_d4Fe+t(u&TA!R=<@+Fve$57
z5o7%dB%j$?6$gXI`ZhBRDbPIoVaH-@aN}S*LhaOLS$T43DclgXs#44`T{P@!9hecb
z>BE_$8H|l8@pR_~znV~G^_FKa6IJ$`+*uKmaz<2b!^XnIO1@6xXao%N6`}4QFyO5y
zl3E-<ZpAVqQ)Tv=ICzl82Jrw<%+Ql2f)G0hRMC;Sc3Srhw0!rG8BFM%G$u_boB=L=
z{4|1oZS?9lHeJ<OGB@q3^y5=fAvo-%Lrg<8Lo=-+khu!cj|ZK~M5x%S10<2Tl$8)B
z!c^S+=0C6PM|15g5r^sD+w=fN0|KHJHjJ9Xsd^o3sv*ZKAhm}mEgN_?jM@EFLcg@|
zZT_sD=ACtoQ8PwfokQsT{uks2((H_RDVxc=h7f55n}&65z>&Nw98}Ht%A4QnvAzWI
z(zNR$q*T#%Q@WAdEE=ISi`95YYIclh!-b7^RmIfGjtwdn$H0c(1K!U0$|;x-DLT8J
zeTELleU|-<jekqVw`_o4hv7_eW+n~jSyzj>=zLylnAni7SoJ0XP}ersyQM7{l#gql
zWQ5o2IY%)AwFp9%A5(b+HHM;S-<AE#)NUmID5YQMT3NckDHGU<a_aPNLKWfO*c<mp
zLV3)crg&YCr&S#ItX13Gyg&u_TROk<UFeNpfF~?nI^}M=AON%VV>a1?PEG=WB-g6h
zDbN-7ua^3M9653qs;0J$drZ^XTXQ(??ka5V+PqkZTv6*{_Duy)psXj&D`YNjpl9Em
zsn(`F-eMaGcC5|nB8kx#!P&kd@Plp&V7!pAc#xXcbE7V$&f~i_%M$v`t?mslKi+46
zg~X=SL~@EyY`~?@r$Z+<;0w1n0h<f69s`;1%V@C7G3=?k;)8vYgHA^`l<Ic2pkp8E
ztvxzteT%(Q?rc-yJ_B0Wx>51&MoCtF3Ud+dW|wzGH1dIak-`<zP{)Zj4^6;u=s|mV
z*rBv%9iVT|byx2YW&C<<cwoZgudiR>F(iz(jh3`q1y}@Sd;UTU2P@c&t-V_%7UO$}
zy)L-7_q~MQTBRoU+EMzvv2viK>eXWje}%*{6xXwqp-0_RMjrce=+h8e3Ns874b9LP
z?ZnY<Sj3FAuf@tcvSZ}w?*4sdaScoJ^i<U~44Xz{Vx{wsVm=pk#egz1@qmT#TP1_r
zv`h@oC}3e<$tS&Vp*PQ~livj2gMZ3Xj52G5VtFmF<8Pu);}5PP<Aw1%;2Dy>&+U7O
zekXc@q`(4^f=5_>NOEF*Ss02&c{+V$S96)L@0brW`fIG+E$_FVO~b;R1V{ki*ND$F
zxrX%b5LZJ$q}Z;ZO)kt0QF|+Lb4UB7?8buU62J_Pog-FRharhH8B(kvRa+=X?zG7+
zxF|W>K>jJO$0i(a7~*cE?4gtdD-(g@BDY?}NSkI<irTlXN>i%JL2=oc*^FhI9P~&~
z2tEl*S87fc)tkN?K@|g9bbu6d6)c3NU}i-&vgHa|wV45Di%3(=4HIrH&9*U1jj*AH
z2RPkqylJjt35ph>MB7)7z1@{lup3<JsIjFy2|YtlvYDjh)vHcxT2z{*$A7<df|-mi
zbG+5lB(!(zg6<Hk!Bkf<FAK1r)h!PL>RD`8L{7-)DDo8l3^xTej=53m`huN2*1jWc
zB8T0#BA+<Z7mpydtHNB=g<RuEs_<o?1N#u=;1o(7uI1+FsCd#h+<qTsstZkCM^>;`
zUihP*Ys1uC819LiPB7N<OO}kJ?fTYe#tZrdTb3C<$81K@9UaLom0kE#a$y82EsYsG
zUECAW46baP7*5KeMX(@lXE+O4tyN9seJdM74G-ymU8BF4lYN-IRxoDjM2|zb0`~J@
z_jVLc$OTx@*kQG?YRoSBV$2^IaeU_gj{R$*WZmkBNCRsOSsJ^e-}9v3DqBxTds@fi
z?sZgF`&31Uz>jij?jec7NPd4-F)bAQ&NDOI3rG$dkQO?q{<iH95!5jrY^{dZp9F!k
z-}tvkF3XDvgYfdgr_<u{?9Z5hhSPQdn3GkB2AT;I<*Bn>6Xo~9>@!r|-Z@)3OV?1G
z0p7LHTYZHCrF5T?D;0AWgxuVmHyh~O2N&txUR_-6)NoC_106#KAtt7w?A2B2%jm6w
zBUpkkz6l3dT5g_*d+Hq!AyPM-w6AtU+S0F>33YAkiQo0sB@Hkq@q2-Q+sIAg1wwhc
zpO7{RbMjAE;*~MaEwEIvAo5>?U(NWiq~EA}iRmn2T+S=Cr!z(T_W42~uVn0yX}k7?
zU6dE|vrlg;*z(sG3=B_8I<@$n63=}Oheg)S`K88QDWnN?gZHnK@Q3P`w7YYN=coI|
zHAyZ6Nxb0U`2sB1NCe3N8gE#Rsq&AsL$dm<6>C{`Uny7>XJoB&E26xT(J@=cpPq_O
zxW0mvuVn&;qF6&XBLVf&8>{B0G@n<+ZVc+v8goW}C%a2eG^f+ckl_0}YNM+%X~(FL
z4CZ}<JN!N{&^tb2NhvTAEyZTc1MY=G%t?esY&fUX{4D<6>iIjJ3K#VL;4%Bk0~?2Y
z*}4fS#)G0`T{~5?R>S}s*2-sxy{U1oKsg3z$U(Rj%bEQ?HtVZcS-}Dy!r~9)wHAS`
z|G{zpTCAMu1^<v*){ZIie<+4><NWFWGsIHg2>&s}{(56ABhVm`Pw7s<keDq5XrOy|
z5No=#3Iuu!1p$Zv;V+y0rL=S#8W7??Xy*y>m(#Q+90<4&HfA)fRv3Sv(j=yUkqHz2
zvz;NBJEmC@%Ucga1Y)ZnnfT8uVf^0yD&f+->0By1o77L-+sNW#Jyn@;hNf^yl`AWD
zW%I_gQ4D*<$#}dd%vv24hF*19^+1Sbq};~E`O{uDi!;nB@;-bWjwn=}dzo32N^S>o
zfUdVGsd7iR$PD6)U7@R4Mpu3#5UQz9t5gOLUJ&sOo(BaoCQ$k87$G8FJoE<MK%5{(
zMt;z!x))V9Hzlw<)Eja@H#rO;ifuM{y4UHu__QJBU72yK31LW+8%wk)iy_rpTA%`U
z=DZLhf4S`L?j$CbDfBQr?=*qO_UXDY@auFwZqE5MkkiruGxu^fP0J>8o;i0r3N}9_
zFidl~oTkK#4$O0M?UPj|1>w7@7Lma%7nyo^1g2p5g4FLc8#+!J1hwoyqQwe(BMfLY
zXDU%x_4OEn0c;u+Ngg09;YS-;hv#}Sv-SmZUi_iTwhW6V-Lxe&Z}%Xxn;+a8U{`b+
z4<7Cp#iFuj4i|VM^i?7#rM3W5REn1uAqp!`kEKckocFpM5yq5o$acVIDj(t0j`AIj
z?Xxtl9Fn{Vp;x85)&wj%67{Ch0;ijtcv|uHSZysv*#MvdtA{WcngxJ|8<ErX_9l;Q
z8<a1DL+i_ge9@;MRX~u$F0)z%*0K+=Pn7DSWPMT(w*o#Oi0YB#%2HrjiE{m4?k#+7
z_l4?6GwX20mKRyYR8i^4Q~kw8YSS<|V~xUCm?rTDUOLeR&~(llP@1JZP9$n)wX4xW
zgR2MEHL_b6!mE-P#)EV@V=@a>rgDQVsB=07_j`4=cZoG57c=lsz#2w?ZIou6hhvof
zdJ9{Y7M4CtfkSvk2G97m;1o8PBMNbt6PCNAlye&1&?+YhImF256><v$TIQ?BOiyXa
zq#lHgEyCQAzjFGD%<}gg$*VN$-WN|Vm7^FKNSCf&;>n40LGK^Qx4*|?5Owlu$KP(f
zUf+#evygth-3|q089E9A`6V@w1|N5i&_tW>ZJCEh#0@;W0)5wE<Lo`FId(JgTaF58
zIX#^(?sq$TYnE#>C$rcXZy2Uh50Y&OTv`_wEG5?kZM~lKqz_Z1Ld1FM`-~WTZS$DO
zm%&WCe0-d+P3Lg5q3*PcCR(A3%~<uCwPkUvaX2vZscp3a!g$iamH3jGi{ay$`{P;H
zx{#0n@2bi0z;{tMSxpUtZpFL4m5yHr&*=$Lfc#y<#ZAQ2O}(f$+XwpxzmQPzK_5@o
z$cz^!>BG6m%BRBB&-9U5mCk7<y#o4no?j1%T54M0(mpQt&o|(pfpx-zyhMV1U#{7B
z%ljlz8a8sbB2jl>D9+SO8PUY|a@AC8aBv)LfVCcoGp>MXM;&m95QsHh)?rJfPGkFV
zfReWT3F-Z_NTR{fyJ551k*)5JbQlL3z7Kn$$DEcumKGd^Sn5fq(c4w@d$^`=J|f1_
zvv{k<_MU%7kuM7G;+WRn_FDJa4_1<k7Fc@W&8^XU*+T`&a~rmhQR4WOkoQ8<VgjWZ
z%1AD-NY$#La}_+LV>-6i;#F;zv*T6iv~nz68>q3|y-QIv@JK!9h&530P4J6zK9L67
zL)#lL;9p_kdyLmO2JLqD8PD7H8P7sYRP}jETl^ivttq@qMw3o!Db?~4r@2oNZQvUL
zMWlI)6fB@aLf5kpX@pyEa+(lN@w--7q>>(L&h)5De{4(jFu>MR;xM4p4JPyRZ#ve;
zjvA+@PRMSF!;0n4X5HcLQB8QESmZiL#<uBtn%~xWo6W!D==ao>lW{YpHf`JqQ<DKY
zXU3IVwSqsDUkY#5o^+fo^)AWI9fxwassv3~mg=a<<ec<&4;G;pys;=-2}Y<YJj?Ue
zDdcX}UEur*y^<#$y*|L<sQPo#`%FN8_4q#`y~TzJgo5yI6vqcbM+9-EqY{8HTAHLm
z?EjqnoA3XqgO(BgCi#C)PE0_L2>;6VmODofF$9R^pT(0FYFAJ<?BC^;f9l4IFK7TB
zoQ>t*0&y4)LQ3Be{kJ@9IigFU1UwqnsTghtb>(j4=C06+!V~KhYlw!*+M|lbyOLw|
z#oI~Qf4l~`hHjI?RGOBbitV;_Tv=H3<Qn>-tw2c?Gg?yBajU;Y7Gc~}#20V3wBv*%
zW9ZRCe`18%R`K9L3n(%zi84!`xYjJPuByfw=C}`2A`v#;1|SPX%ZBE_CT4SCm<sqQ
z*2Bz$#8T?Zp%^VY<WVO35W)~Dz(kp`+1RmFv4ZFh$@fGjzYOd4YazW$8>wxB<ietu
z<;rl)J=CVC2Q)APjhUcXnXwd~sCa^*!g_a2nwzj#1t;qe`ta#`1LLDGIvEdf^rCF`
zgCffgwP+YM0M|-kMUIhZQJiHX6kEF#8-x&Q&_d`R6cSib^nOAL?od9|V4mSq6?o|3
zvlTlTm#CeZ$W}E-9FXL8$u?=Gh-y|!pmK&1BYGl2A$aB70ZIYPycvABF|3h(qi~s4
z2mFIzA0j=U6dTCK1^kZ+1Z1U3AcW#}o2W7LiVAut5Z$C{MaW+{J85HN#Tdz4KC3r)
zFWi6<+h1yDM&~z<H%ZNIyBKA%(ni{S&Il8l8V(MMw?!EV6;P)SgtMa&{aSQF;*t|>
zpTj%7{D~~M0SeY6*OdYNduYM10W~38w&>Sss7)F_6Ia<pPA`*$>$G6FHS6j~If+Ua
z2{39=pb?T^Q%O}+COITT=5ewMl{nb<pndD(3EjsZ#3iu|<J8v5F9h&;zddCylM|M#
z)&}`a*=xnGuwAwoCu@qUe@YX5P*-Kc8goH^^=n&h4S`q^fDwB+$vuMI^r0Xfg<bP<
zCz4UjCnDAwKYE3wAT+bOFsM#zC<@ryY`r`H8jh-cH$J+Ym!J(lT<7-s?i=&n6pcF#
z?H0=v2hNf&)q4yKsxAKbP-_oV8NMbz-;dooK2mbWKs?Nm5+^UcU@ex=l{tyNzy-8w
z(HGuKDG5(e&=oxRPK1ECPV(qAss7j~5o~%0c`~(^w)XOFWwEhUk}jM!XlZFGj#@AR
zyL2}2@bvw%L457}o5Gfl6Mi>^eEi%v^llLiQ+{p7@$Fj%U9~+hmf2H7FC*1_xsKC}
z34iRK>t4P1H!3><JOq2R9uwl3j*h4*4qPCton1CPfhnO$qW-g2p6PRjx>;uE;aM`j
z-f9v70r(f-xMhf}ebt>`@Y^mrd{i{xQ^DvN?D^Rbv$IUCJA6J|eg*x$#YnqI3a}2w
z5?0pMtv!YoEJWfoR{c#g=iuFz8*TXWN~1eqZ0_~YygNJn*}%I^LZllNe!oclp(adp
zlLX@ysj!xblQ;_RkNFvTA-i!yK_1sj;K?9Nb=>l?Y9Xbacwr0&hY9ANdV70d5uoQ>
zs~t1tYzGw9M<GN#WU9$>C&DNDcV1+jC49~0;5=Ew-DeciYIt!i_WgNR)Wv!SPcfZ~
zR@Qo>HqThJuNIMKkt`Zc&MP0!XtII~s}-)c%E*11cXVd87&O?boy%l?5KDSEs<jB5
z2`XTx|8fPIpS|7(`0i_Bo}U3f=NE@=FHctBqnm4$q-uN8h2v_eMF)F{Kxc{b$@jMn
zLX1(Za}U%+hOKFAoL07w>*r?jnXt9m*gS5Hwc%PV-LaqH@_pF$dt8{;v(1g6Hvx@}
zaYoKacNEHGSmu09&%)n*_y#$Qt2p-s#<#1+J&UN3EU8y2mSx&h&&h!+?Q?SfqEUTy
zaITc#n^n<)p`%r_FE`x#OZyiP65sZVavj8OM5-F`k>m*5E=v#2z7GiUbL-19O%vwc
zWB=JT`!l;y3DwUx$+)(CwGhlguNz>C&Y8CDZWm85K-!|ReuUG?;TQnd{5t%#gpZ}T
z@e6`=!5Ue~FoEm?r`H*vCcGX^kv~#KG$4D;-~7i^>)Va;HQjPu%_q}Y6u*5=yLu+n
zxD?zpm(Pf(`XO{2CiX3^=!^0D<&DbWCmSuIEc@_HZC}VYyQ4UbmBWggB_K=;RX543
z9|b?zjJBXJ2!daxmOXs0Ys=dNGt3`2mz#?o$|Swidg^v*?q-Ux#kh1Sdv$3Y@biIq
z%gtjCZ%QzH0QEq{NS+m`pr_52G+ck&e2)B?OCm*c)n?f^fbR_P)+JE%z+-}u-H`Bo
zE+XY^)Q=xNZjQ=fFgRYV<>$TOd!2H^|1EF0IsX$aX>lObPk&eR|EW)%86eqD|LK~v
zRS;c^L@`M8)4$@UC94KB0uRplU%85I2O%c^B%}qZ{)d>MyCF#oL?uRUWtasQNs`bd
z`!v#K6$0HIL?rz3DA4IW?=cMb*^**v5>+BG0y!=*MI*K`(g<e=VSqjtt|(RTCb|;^
zG*mSU7VEpi$)aL>fzwudW<oEqe1l*;j3cECzfR8!VQKC*bZk!T^mE*98IbbH4E7Hl
zcRMGm)4=+aN_mgUpb+$VNNT&l@C+0hEFXk6GFX?|{F84V_x^OFHdEy!6y42g%lg)2
z-0K*GB_|o!<Yo;b%n;6?X-0`4jAlrIKtQztLmtIt&TywEf_Onh<a;)O@Xa)R-WEk1
zX<_;F8xApu?DU2vHtLGg7?5}9?PVWSTBkJLb+)3%)|#kI8nmh_4`W}40KQIxiQOJw
z(Tj^gAdEGLh=uIK72(c*w|4fB>zB7!CQZY86I1YK8Nd<*ue`Pi3Fl;<15=daS0D*9
zCholH$H>RWFv^(1$Nw6x$c**H3jxN6MR$@!DMSjT4^KQe!Yfdw4`3t|p=jxE=o{`U
zEC&r^v2jA7^HA>=!1BfKE=&6C4SkM;{$i{y=L8;c7uu&8ArfXR4I?7Kivw{&O1AHX
zI-~;QE*>H-qBf-5`A8b#4kBRwyDddEQKk=LG}Ecb6S~5;4CJIV+(+W9H7{aw;X8&j
z9FiI@M%zcu?5up)2H@k<XG<N7g4rL)th_zE5=lrA^iD4R*nTTbuQ3!dyxe%j_sGx$
z(Wxw3tKSHQ5j4<B=l7eaaWjTtRzc*+8f%|QM^jXzm&hCQEkupV8SB<8x>PGUa;T`m
z^L0rEey<()K{l_dmAjD439)B8=m|ej)Lh(N+~hrtx%yr594M`gv(4wxj8y%e=L%)g
znshi#*`Q87g0Im<I_s)c7fqf%a9f$gmN{F->Qeo+T3uJgA^As=D-@q*Qx2Vy9x<1t
zLGYSSk_Ew`{aEoYR7`rAwn+HqoGIRZa1PoC39ZplWwhVO0TU|-%Bbd-c=t}8KFUZ)
z<A*434W3_+<^blWSDI6AsSDo^!K^Z5qHp4tM_(Jg{hIl_+q<Zx%<rD&j92*Ay1S@}
zxV#@`vKa*NKic#;k?VFI?sxI^2Lqn#z3T<G^z(A<W**~)-WO`t(re<0&NtJF!m&?v
zXkMU1I3JFdFP;!cqnqB50zU5DV4|cbc&n9Y@Tzeft$^AQhV0UGCdP-Eo=)CBzAOC8
zxn1jd7oIjVTtfB%oBaHzuMx8skP+VmPa$bY-*K(8arVWy8fOT6<1Vl4pBn7~)&<ru
zxwku9EB%`IstjHqjlVg5lg^JOkAzla3Ae?kK#R(RzHLaDp$#^3l20ZcYZXl*avJsj
zEaVuKRtNn2f$(Fl@O$lQ#TO*nD#?iSewT_k>WB-2wQc-n?Kncl5CTD4!!LTaTAzI{
zi))>@5)W#{ws&*r!d(t>yd#w2zUV_&gx^~6Bul^)r?KJc9LvhIM9CYux{y_B+HTTn
z%)!~f$9yu$<^Q!zKEbOu=O8)sF~0S2aDLXdzDo(XmFityB<ndmaJ0Qe!%fyuQkku`
z@@=N&R0j)DQjzC09r`0yw1}_5dvLqFWcg~=X;7433C@$3Lriil_PZdiF}o-@gw{^u
zW3{~UmLArI@?A__{;BXycmi04mbCsPjtM6c|7z;E<~?=|S$Z!#8NFHUSU*<YZ5iS^
zmv04%9tx^yvs^?yM<6}=Ia^Pbs{NZNxS!9SriLC6ss`i2iQlV=KL^`xGYziOVwK#c
zetE_7DA;p3WKZ+juid7Y%IyE4Bmd*`qtiu7|8BU(cU`0j9hig3-t$)H{q^D8L{jpw
zI6^f6OI8$A_2hTMWq|UhBZGw}gVE+ivhbDiUVPB|JN!cxBT2L*wz(xNFLdf3MD73{
zNwy=Kv#yVW7~~6~pW;q`EPBO++eZx`0GjQkTCSM$o`x0o!2i1@@NlK?H2w9iGJ8Qn
z@F4DgqzN()$N%2t#lp(QnXD{M4aB9-+2nAcgk3$-+=DO3vf)`n%Q3EQcZf>6&Mofu
zlYgOs?BGT!cHB}tYvnN4Jv4bf`glB+&SFc77cFi?`(_^db0LOl(_{Hr;$*_Bg;c<6
znpD-h`kVb;XPJARGW$8o>Ue?ttOqxDs)><U(=vEz(Iis7PG+-nLuIpb1yEV%Y@lJM
zhoSi-Y0AAVDU`q*o|3U0p0>$L^q7&22u=n|mGS*CE~LgYAJU+mxgKXya*;c<NkE{t
z`G^~oog#>56ygnrApHva!k!Ta3h%R1D22Wwr!Z!oY3t)t)JJAnQ^47VYvAgw^|b61
z*=)bsSIF=TH|fXc>q>5H267D#Deb9R@4jE%RBDJr9#TlSdA6qn&eTaJ&SmmpuzHln
zXf*TbUoS5kQ8{Idk&gGBqbR&1TabQvA;CW!(gGhE{A?7lA|t~+Nr(`_KdwQR5qSPF
z@OLKy(5t`z7O&CBb}cM&(Lg|2T*ltJuWbGaKg5U*Uqg*1Bv9Yo7QmmMUnVX37GLEu
zSj~vGf;ZnBW;Ln6uqzDtEN(@*OhrZ>96-W>`eu7^N*r?<DKCyJIKyyEy4p6>=HeNn
zK;-Lp)Q=~R?e9i%D-b;Wa$GMZJS-*UMoK64(uP4b#~8DSO;?bs%RSdduk2BFh1LIp
z)2<8aAKQeasTr|%2DqR%+8)^RyuVG<3|Zuw*~KY`#b0*&z1+WFpDuiusMArT1}U`s
zpr6F>Xy&y@($v9ZA2(tsj+ZuxP-~Dj@!fzgtzETI;-#@mXn)MYX!hRtL={4?(^OYp
zQrm4~s$E=byQq*@TKkKZPalb|QMTSATsAdzf@vc1cIv?M9?;;>wxmD)kvLJ)zEs%u
zR^K#V=kmP3L-#v*AWQuVQu>B*^ZHM-(kj>eVx>f00V=39fBmGCZ%yqM4h}gy3%UyM
z+6Mmn#oOBzmpn9~misEhJG!O^#VAef38@$wk{gGVVHY~OE>fwKm}|-X564Y4IT$#3
zw0{SpqArzC0O0jBr)cIze(<`;ehvDOry88x<KURo|InA2srrqpYSBg3$!zs09cAg!
zGvVO$2Y!vS();{AUIg}*D1z42?Zx-KQ!0(4=PB>A8G9#sMV84CF62j|0A7K#Y!|<~
zmv;QE+-||N9zOraBO<Ez);||+-0!_$3Z4o16V*T#5fJaFn19v7@5g;(J^ZVbNRbHW
z`Sbp6+qROci*wXZ-#v5crRdm#thDVtg8NSTsp3y^*cGo!9ToRk*GX8vH(Y>+gz7PA
zRMRwSeh5-d$Rj>h`kc6nmfo<(2Ms-AQOmlQCB4E^<^b<>pC(d=k_vxB?uW4jlkr7;
zW*6iTK5+Tj3ceyEc2uTr>YVeG#_rRkumb$RwRQ_W)_`SNazC@5(@`x>ccz|*MQbcM
z!{*mlGo%<UJvOSa9mKAKV&=}mgd7YA$K$+YlWjyX7rIDY{W!Df*26`AD0yS==6xp?
zat0R_C#fNXzb^@P@Sor2SX^n@xtD{AJt%tJ#|PTPWKrw~LsvR!DoWD>Gu46jBb5?U
zgKiPS{$0c>3h$e6P8SvG%~^h`uwBH`{bH2Pog5w-NXJ$k1^DTxc1Z>JzR!#^Rm6P+
zKDS1w>xDJgI&V-jD7nSyJ2>Fz5X^rQ-9IJ`^(<%*?mqzjSOGbH`p?n{Isj=Rr#q=Y
zV6>dygJ_ZeUe1<|ssT=o#Qgu~N>0xIa%GpcuA?p&Lcn9q?B0VCL1GFu94!2OupI<v
zfz|6Q!?D;Zp4i+pp$qOR(34P~OIe=F8nwp1%zN)C9?g}AKymmLoFeUOga6TNmVdf%
zfAg%cy1g>QU0`!BZ>@kdYi%*{PyibI&pU)qNZLBbt6~n#aVbhVO%jN!V^|DoxIhZw
zY41KpR^69O(Teafd|t$8Bc}dgu~ByEugs}I^&^5-%L%syB8)a6ix71gZj_`;Q?{%~
zs=Zonv*g<gkc3eDF1YM|DeO+mKPt6?rA|Vi32FZxtFa|dWhI@(+sbDJK~hB`5D6v2
z0~pJ{3U-Q+FKE2(1+8YA$|2~e0X_~scC|6cRMq|xxdkgFG&V#$Q;td%itSbcelTO2
z5RKYX3)+k%w#Fz-uYKb)ctQziM1ENgJfwkfN!#s0UaM_o>)GC-G-yJUI9)uf=2Tqb
zzUlRqr)F?u7KmbK!$J$okkim1J4h}R!tMp0$m;?)4PGmr(Q!hhC<NbqV8_zh+#dHZ
zu+H2(&LE_+64WqJ3mpot(jgN&Fu(=_v=$S<_mq6ibb^<K^jr|3i-h=vp~r-M$7w}K
zH=2NHMJri^<-#%7$FT3fIXGR2gVR%@w44&#qg2eIg%Y7M+KGloZ$k*7DWSCN4ZEq_
zE&<U;w?HrIWjNL-trUv}Oe&&CWkN^Qu_}^_^2_Y5^!3^K;KlRikcAx?`}{sKG(yKL
zwPdUdIoo~P8(C_IKz1Bdi6;=;>!*x5tRbX#kCK^>u*aVg&|j9FtK8|giH6lD;(Qzx
zEN&ci62nfj-9K!A)ML@HXb%?9W1Q~q6UjhA{bB!mnnbUwCLNX>xNBSp@lHr{yP3Zh
z--GLr|7#sM8cxpiD`(^h2q65LcrI;l>N`F-0*;<`p01wle85ZYhE~d<+E!m1PM+V~
zyaR4M0@~r<L|#qbFaO-^9h5qm(SKo@3+^zFuIhpA*+aJr_UjG?c-~s^85KSPsadNN
zG;|v)cG`bbe_Lt?evBLKLSaV>@YV4QZH~gFVO$9Q4l0-GK=#|7Cv{*Y((;W<S%7oE
zD_5s#?Jrr+F`7zTutsM<8!ES$!vF5oC#u~3i*lUC!g*C(HKC2yUd1OSEE;{?hJMI8
zS%t&IlPUv6ZIhcu%~U~QA+>n!6ds$KjBEc;jUceDR@J=?kflGp{}cNfGfL;Wn=#hb
z;1<1ND`I`kTLUHGOTXDj4P|h&!Mzl@+Yg83SMiGj@<2*nf#cI@LRM}y3A2&C!qRr^
z{=t-6S)!@4O{T;*pJZ${sVapjmdpNAcO?ay#oc-QCPG_Jn|LQoF6VYZ>$oc31-Ylo
z{dqQ@`sFSaKst(ME;pu>4_mtGe^K?$(UEN5ALzukZQHi(OzdQ0TOHfU#I|kQ$;7se
ziT!f#{l2$;?~kgkK3!dF)mgP_pS?fWKDvZ#T{8Zxd|I^0D|hCL5^1W-sR+H+o(`W!
z*1TVzzPE<#e0tfP89A`%rw{k%_v`luVZ(t^59r52GLfX=s=$W@6%=f`yKViB!hU?%
zTAoP7`pFC_K+>P5s0`iu^hUAw4OGYVuShB><s8uoXK;(_0MmQ1hmZhktAG`7`VPxD
zo1M-I@Kx|+JhoAG+Us(mW`B#HaP?r7{i7DsSyQ2sSv&<A;b&@2=sFN(TLo`|BbgIs
zHdPPcL3-NPXeR1V`UuSDQ`cA~J}&u8M3^u*h?N+P%g-V$`7?53GcI*hN{yP3()>w2
zFYLE11YFDmfLojFMs!k`{NiQ;iZC_EC|df`9-AAAV3NElRMhLT3&ex>DRK0LGIs!A
z?_fASG5VgH9=HAl{sL4aPti)tc0s0tIxILvF7N&F679YP`9PhqQlce#g9fObCIV`;
z?&wnucb$PfLi)kiQ10Wrw%9YHHe|z*ui8eqC1y_!pfgWiz5J_q%45XdwrezFNbh<p
z;K&7bNaaAskY!?wT{uXa(r02`>Ft{3iZicUv?{qNFO#8^1I?{s6BY8hdRy{G`v_=m
z7%k4MmIS!|WR$FE0hZupgIWwAMqqM#>dVXi)x*K{-6B?ssl?p)ah87NnIPIP`j3)p
z(mI+1;7L~4WD!eNS<xJ{ajA}oKh-c#*KP1=A}s2vTSHtlA3xC7q{eptSJJBPnLJ2V
z&a^^zMlj-vk~MY@I}%c7>itOCsM(>*`xCX<N?3f9s+OP?*_@qS{<k)DGe5OEpgUD%
z1(xQmS2;d9!s*up`dOfsjNw;ltJj13i|eWn9E49>vu(HYCxjzU+}l6V4fPwO_!qvQ
z1qJ>C2g1bqKg<Fe3z+y{b|OlP02%NF#D8IrpAOgt@}IDW+S0=YtOofn3PQmTY=iK9
zgw|3f2W$-n#MOeX0{ja64=$n(%nZWJ$e4ILN)6Cbvcu(o_ubad8#&r#MW%{SHbk|@
zIjHVMgUrOWcN4<L^{T#QTV-3a;{14eQtHT9U$fG-Qn;JZn0O&oLVbzPw1`sGwPzZ>
zAcg@?!lN?moh?$-mEB8NK_RCAT1m<(BsZW~BzJOblN%Oj3&K*Tk{=@t*Fn;bSr|f0
z^am^)EQ${St&*>ao3sXjiA6;Jm_}1TAvcd8?`NRH!VwJDXdSz0G;c;SQ;W!0v|>*K
zl^{xA0t<A7564tnCx}p5Cx<pxO{e7|HnRp|jAxf)3=F?4<CdPiPdbzQ2DFS}#vWNg
zQUa$&HMnFF4G(oPU}>x@nJX)c3=mEvg8|=PQ<}9yikmKz>m;Vg6E8SL6U&SiDy#dL
znjToW<@3fy>%#DKR_j6{_!_zC!4wQFs!b4XBWcWr5*)_r!Y|qzuxjFDm{QfCjTdao
zNuw+i`|!dtV4cbeu_~{TRZvzX;X+`fQvH>Ni2LP2#8_9*DAB1d4T^fp*0TCu0Y>UW
zQ9D89Y0cuT*v65N0=;cF3*-mpk*d#z)2{TBIyI3}`K^DOgO<pFzn`L2ts*X*D?REA
zNPJy2vv`9}+)-LcP54&A(VfLvTTpn=FZOel-ua{q+K$XiKTiGWbEva=tx-ik*<C55
ztKcw6Yi-pO8s`vNP8)m$CSutIz)^omBNzHEyXpmO5T4o+3!=QH9MDOrrSvXyW1J1p
zIT88U#fdq4=f{Vm^T7GM{>bXhyiqsyaRm)bjUS;v8XU#`;-04mdpa!9nn_R8F-D01
zeRr!Hcmj2{y$6|?{@EMWl9mzDz#TS#H;1A2q=U^uu#p@Nr!(i{W*`O|0LO*1r327t
z+6MHbezD{D>d^ifF<qzaB=}^1=Y7AYZzd?-ULEfmP<w&ho-fT_*<<(Grz+Z$f^0Q*
zb3O>+uzf!N)|<dFY`XnS^{7jIJ39;xL{FsbNB-u=VB9j+?d$j)T5s$*`6$Lhs=1+g
zgd112Jr2Tsy)XA{>KhFLc6(#Ay!}`vYXp2e0SsE!A{wL;`nx(l2J-y<6dk=~<T(!4
zJ_btqh|szQ(+A(CJTS6Fue2@BzF-ozA--VLH0NA3f`%?UtgkCkNbq6$oA1JtC7ohw
zCtbf=q85A&Vs{@L9UjdFgGrqAx*Z4BZzs;0S+>K=2HlLQhklI!P*2H=pU-oxAzWA_
z4ae<`S2{7XKvm}d`ZEyvM2B(9d3C*C?4KT5>g>HZ_l4}gSUab!QdFRmdXQ+!WpnW(
z-#c*g3D)WDrfcRajFt@U(HWXPGg<kHBBjp|wnF+ZAN?3;ydT$7tTLgboZP-J3Jd%r
z*#-MFC3%o!fM{X>Ko7t_L=0@KRcM?DSY_#d@I~Jc6BrM8>wT)<!LRj8sxmqUg~+MD
z_eUYiQS5LIShXr)Qe=JZUw|-EZdE2ormn^V6DQyV)AzJ7L{j&{5JwDJX=9AgsEN<c
z<|`hBQNB6?8&epE=@>!dD|B5EvjYKIoX6YWfS4vCvKZk9FrGQsH5m}3_CnG6>;wtR
zw5c2?CAR1_AWW7@H{SVGo>d8*fuQsm^DGLgK)_3ddR(CDm3wun-ZfNUz-1td?Yj!D
z0|_WLUQ7s^`|G@?2ivzTaTL)0J&&Ox;gL8$kH3(ulGC%Yu;JwAw#0!Qp+kVP3jt)l
zTYvdHIW)Bc-hDA`ZEfH895Z8c1fq_Q_uKSo0X_~2!xul{;b6u=e=5FfH^4T_oiZ*~
zv$ubAb86Gkr$l}keONfd0C~)O5=&183JV3zC&F_0@)HQ?WKL5kRT4%D=Ztsv<|#%p
zFAvx}=G=PM@oqA$*gM^>57~F}zPZ;0oOp8Sb+xJi!b<U#zc<CO6aM6&W9bi;-kth6
z2stoug#{RKvg|^X${=70w*W&<qDxS1jBK9ovbXJY77fc;B`K?B%L_nn%Z4v!ayB=P
z2Uqv>1vjfXiZ(-N)iu?0-EfI6c9|2*ibg{#a*f99-g!~aY8QB~?|@|*$3kCMKbme>
zp8=3uF|V*qkn{f68e3Uh?)MUuc;$zf7|z-5yF2voi!)Qtr(^s3JE8#oRx!k5(&C|s
zzq)poVa-TG?eRE5Pc(EQd+|;%@feh{6umj597|BJsJo%;wjxTnfmM(Nv}9*1tFbVV
zkcw*O=m0yFN;hk-S!>cTe;MmzwPGNfCq3X4kqui-jlXbdTg-0asa)?jPaouPZOYM;
zUlA~E8H#m{taJ%B)Q4Gk9SW?M)e=7=%e%9kaV>-_qb^;RW$xBPtt15|tcq<5E`&=7
zU~63#+L2;;<!6+LBV4c}&+<x2VzR`=z?jqDu+?gx!htSrKZ#buK7C*>3hvJL9$mmI
zg2EpH)YSsr&u=fGcCwp!)sD3j*9M(U^@)w~ZmEZqN`RnU7UF84XB|=C^6A*rY4sET
zD$_pxNE8a^QSn?|tV2fMk{XHJi)+>eorUNcJrXSrp2Y)|nIfxaDCwKiz(Z)(z280m
zE(Kk!b%N10{W?#E34`Z_48{19V62`=In;w+kH=egbmir`o0G}K!#W^IR}){!q#qd=
zKM*;8<!f%{j6VQF%3MFguv9`OjAv}U`}vXV+U_Pj)Myih@3rvcWdLh}h_x}&x6)|~
zA~~w3qXza1B9lQdIAz!Ado98I?}9*H57-v^KRjvH9GDCyF%B5D1=<<d3jDuSM3^Tq
zF35kYh*lq9UZDR*AppP||12m_Tb@FJlOg{7Q(i1^7eoq=9x!YQt~xLt?ElHAzjY3t
z)ZhF$Z3XRr2og0bBM1I`JRK}vWs0N;ls1Lx5rn_ji1EW5p!)0L>we#FKV?7_+A<nN
zuNNbPa5;5ny-i->N2u!9qmp#2-2+?~Fa;dqFU1_{pfOjAOrp+|k;u~bOL1$ta45L)
z7=a}+S<zBP(d4B?mkFUkv%{>@_|GPa0YMfDi%Qbvdf`U2@4M#2y~jF4*<<kst_{2x
zx_%`_ON`mjli@%Li>yph75TKZ)_odBCD>D9KXGb+<4sUSK$W5wbqY%vp>iYs2I)kZ
z@a`C~>p4OO-eM+UB0#IKplM8?%L%atL-9kB{?Y)7Ce#{~k&GD1C*Dc1<n63d18n|G
z(NaTMEz0c+;|i#!JlsPLKNHqKCKUpS5*t<x^z&OZK%z83W-Lrxbw{K~UIlj0ytnCF
zFUN-<vlj9X2?1lGRBE6ujS*qSq6}6<4Jl<3J5&Sy9gU$xY0?Qg&Z_E~8E^}Vio+0C
zFT1dp8V{v7)2BuUM3fAr3LR;h4-nL8mSv@+IT8h_A>S7gt11VU+A02xw+r23)VW6*
z*Y2;CXrL*Il;>N=o+lo}8fjTz&fym!UrB-JqqyjPF}Nn2$gqTg?N~P~Xe(&i8gI}A
ziG{!|%JTb$QZtf?h&`dn7DY&6NnH{YkL>#gX(oK<1#{k$(pC4FS<2`~z>~y4#f$an
z<J0C1^i4!JKWO+)lQwe9JX{qTgw5;C#j3e`Luza+xs2OI2nU0H+wSGT{9IPljWk%#
z$G&9%M#*vF><zFqdBb7TW5>zstUYI2b`ARe*uycFL1zy6FN~5u$2l7gKSa{qtIEd@
zta$vp=fQ%05KK;Mi!p500j7u>Zd3FDPF|vVp%Qe95R(C`mfU=87<8+@PzA>ha1s{4
zlB2#TQvpDkJJwgACH;C7niQNbAu;bb&pp$=<8BQ(&q}KV-w-`l5I$gwd4YDF*%p$f
ztmd+gtYG)W+kss(HQk>1ov{;NZwIJ4yVTV9IVkxqU<&&3l*xh-K$%}tS*7VC4c1z)
z*g<9jFQ7L`9~$`KGtY<{m4b1%YR~%a{j3F0*kVZexeYfk5=-#$VtsfVd1vU!ls#EZ
zvHT4!H$NTjzFW3q_}pBl5ELsI-tS)|WBM?Ajs2R8)$tY?afsHV29Pw^IdiMDufo)a
zYBNygngm|yQfi_CbRSZ`QZu^2A9j1GA4lP~|7=g=L4S@tf1EBl*59b+wD&~S%1hSs
zW7aPNd3_mZNNl^B%qvP$Xsn!%UILd$`|b~}2K_!^nQ-0gSgLdHbxpZ$d??^a+uxKw
zs=dSgwPqGmQ$UcpkJI}Udz97pG<}=ZcLE~x*xt(t@giOYAiy=g04Yg`Pg;XI+G}to
z2OBXXC{tmUU&ma?n$3-{*s=m&yns29C*U-qsIJ0@s#`J-&2q2${S~gOdA6yS+^Ng(
zt9^b#xf!eL`~<?w1BJ7$MDbHVY08_Uoa+jAF|#=>?)-$o3$>lly6yK0nB|DOb!mO4
z*YCrsa#}kTfN4j-!!sH-V4cKm)qa=yRLM|Zz%iwD9*8GoC&O2t(zCkElj5nedig+X
zZ;4`YV$6s=ZB6LGnjc?pdZYrO_G4it<yswMzG2sqH|N9Gp__v*E2{>Pyyv~q`*qQw
z&e|oGc71~c#*Q`)nVXEoRR?Mg>Szb#nBTr%J%z&-@Q%|LzyszM;2>htHh+|~8d^i~
z++`qTU+Wrx<(9ODbsRL0=|avpv{R-?ftfNcnPnIQ7s_<X8d$jZV>QjDA1_|S_g$6v
zP57;sY=8Ey+@@8dvG$IA);z-|-^Qs<1LD^$=%tu}R%MofS<SY=TQAja$ZGgv4bU9S
zaH9+z;1P^ue<dsbUTWBT#QhXjT)vh1U^+95)sF`cl~rnD11e;S$eFuTKb#$5U2Z2V
zQiaY3o;i=TUt|Y(EOk_Ng-7HZG&C%_86gAP!(sud8ff`o0c!d(n;|u$SJHs!G&0kd
zeq5D@3}R!{hyWb~+O!cpN&u+vl%Doqyej1g6Br)&yWaXQP<5CE%n16Ad=3?aiHkjv
zsGACascE;tez(~pe3FPBW*X5R=?k{kZ?Rbnb!HvmD+v=w<Iq*^Vl8Hq`SFys8$~Yx
z7r`Hn4S(D%xy#Gh|MI!#>E-Z1J(f8+VT8rA-i0!xmkB1H(8qC`WwZP3fCJIhmK1Ma
zqhPA$Y_mRpJ$4eK-ef6XzV=@CaeJmlorww<9Rf;#NgR{`ftsW(q6B#-b*VYopFsVi
zvtiBf*?t2g#ra9<ACwrMxQs#Yi6{@`CBWSe)3D%CpW1}-(w`^<dp_>rb~_QAYW4dy
zCdX3={f(tbkW3*22<mQA2+ykmC<3|RzMG^7BTRLVX;())KE=d3EM;gI!&ZqM!Fd#r
z88d<o1=&I|>I-t7Y(f2si&l{IQl{M5Vr2-{8?Zv}{X@t2RLoFT=UDv@Fo#`+-tXwX
zo|#Q5m81RPYvIvQm6F$bJj6$J>=kxT5|XF=;aHtb{|4F{_cb+By)3Aod7=bJa=(AC
zsinukm(ye`IxSipLC;|v4IMEf=2>Y0gwGMmOKf0aMS5Ko2%W|eK$Y(6NX;33!u7FI
zg4Fwo&471bn<|O2ujHASLqu?h5je4TRa;DL7^-2v^0U*G|6O1dmeH?}TIcg5<g5Jb
zxxM`w4B~-*pwK<EsY;Ph>w6!&os6Z0jcgWxg%SeS%Jxm>^I7*SC=X8o!%bcX$UztW
zpn%&9=qdK`M^Cs~g-!>zEpQR?;@dySQtv8m%2$|o{m#B|Q=KF(Olujb>WK_uAK767
zL>luX122IxXbqrhf852rV8dpSUR@I-n}R?smqIUn68dN#LWCV-SlI$Zk?n<lmI8?T
zs%`X}%75^L_BRP`i-}S5L8DRtsx4<YnTiPCGwS)*%tIa?#xiTx6;f=B2k;5mbz-TP
zF_G(>w;R3BO7D=vk40e>@fSf7nL-~;29TCIfQo6dp4tVY2g0g=ZjOibW}OKkevc#!
z)G$BGZM0iUpN~L6_BReE#pS04DJKj==AaOx(T!07Xpx9{3j^rP(WBo1kuvNkD5mRs
zYuq>r+7F0xB2;%OPeM<$T1B3{<$ak%q7c7Uj=seh&U56QX!bp3k)3=l!{7-IaP-P8
zwmjfMdiZ(fLbVu;P0G(dq63+SGEX5{g9!R!b>ApjCsr0BRz>+P9SA8V8nOP&Y^i86
zQN@s%`I9~7?VHG!6iT%MPO8c~RsAF99~n^_c01<Vh%<WspvGw=THn-t-YL6M62PnT
zg5r-k`?+!jKUv~=t{+GW7V0<~IP8G?(*+Sm@ZTxJ^hCA__p&_9?D<}}mV~tHlmFUO
zh?s#<24G@YK0tOF0YR6?w$FIwHZc&WuN5;OUpx&6#cqs~i<XT7bb(2lW-oH2LWw5$
zQ$|zzVGKMC`t=ilii26P5X<P961Ubck%@z$OisO_+0$Baf7RC8s1(mH@xt#e3(6jM
zF1oF$(<8MCw47wj3bjg|O_(HzuTk2B`g9!y68<%qK{mDzXg;!()87qe#idhmMGUZU
z+Zv3gn+C!lugJ6osPf%h|4i*4J(bumeU6?&<NbU2fzd@z!jQ0f;9_+IX+#87P?TlY
zSIW<-WTmR(y#(rmDLkXsT6WR^qInqr9cKqoRrez=!N9FQZJOP5ns#RTu`w%-3GTLL
zUV~uKK7va_Ww+lv70bqZZ(FhxD-28Cd4eyf_X+_fO{iB3z#;1r+Ig=vJ3BsYBE^h2
zNICAEE;ubQgLp?4F5w$g*-m8g-bMgi>&_n1KVgd^ST-!lo5YtXpy{V~YXG?n29RCH
zplKvwNJVVMQG_l5m%$;2NGRt^2+NsQ5LS?<!V1q;Z6HH}|MXzyt17SO^2t9G+K)1n
z^vO<>3*SWsyjUR%?|2F^itkpyHGb7s<SYnS;+bSa1^}ua9$23%H5fDX>zB+Oga>hd
zcsD#-pop^SRU!VaOBq}hO?s73sZ>nqP7yy<esLhwM*8XLdm%8fBI_=d?g*2BD~iUB
zoKEtGy$KW!w6%Bg!-P)-(cp-DcnIo8Pbxx^*bLln0GIjJHUgv$(v5A)h<Nid-f=9S
zw>8dlk#pdI?c1-C?f`#@jL(Wc2jAeCpV$xPoBI7eieL~b6jskF+z>=%V$3OLABt=J
z?QV~+^$!IOH#=LsZ`Z}o&Bx0>Pd!^3T^&AeM}T8A5q)@8biEw!R&z%t=jsD}$BwUu
z!}BK&fRzvl2t&3vkB-mlE|?+q$tl2$1~@Y`0~1^I&IJYrH#8hJ7z6Cj-T^wqAHNXN
zcVUcrv|2%6|H(?+R>MFDj0h$xFFLU#Am+(M?;Z2puJZKHWTX(pi}~a}e}v9r?0|{3
z>f{o<SrDe4!RP8OF^Psv7fpYN3F)}sj{H*e03aOC;;9Uk#d*p)Mm}oUXs)bCV~!;=
zr4xsihIr6PdoyahJDQBnOYZb&vTbC<>G_sI3WRmWz+ODpj7NgPB3ddqQ@l)fBmVZj
zb0E2{1he@zx;@h!tWA4Zxx>BHChsUYnjU|hV~A|?D_<VlyI?~udMDUVL6n>Kc+=K=
zKuDQYhw7*sIp~5GTyFhRlvrPE$C+$~>RT-;(MklY;{3cRrT3BAN__}i4i}rO`qdlD
zLBW}mHY(liOO@Mj5*`-)wO1?4=94-v6YnojgOq@tM=p}@1ZfJ`Kf+-c%dtrOWd^0d
zVYn8^<pC~6-76R+<f>aY3$e(C&WIWSa0)qUd_(?2`T%?i2tQo3R@F7mdC8UyTm)j%
zGrPG*KScOr)asYJi^hYWasZzRBXLcX`fJqwP&sPGk=P=2CfB>HtWOLD4pXHL>By5;
zb>4Ej=>d|2%93p+TUSjT^ma*l8IM`3`0$21@_OK&af9y$=63T5V;Ukd>6X2V_>I}#
zJ9eJ}L<6n;r>R&tPkv1o_kejq_)QNl_ZM8KoxsPx5Hm0f+rODJTp92d<bRaQmajVC
zJ*fY(=*JG=6=)!~e^KR>4|@<85Dw;VNIIAbNHc|D1egXO*`ceILo1!hH+YoSL!wOj
z5U%WfKg79TP!oc=-IqrFr*B^bt?xNM-Td3KCoL`y>W4T(`U&g{sQ}qPSqz~`qA{u*
z)1q;hq`PA<X!J-gHB|rDjuQU&ES1xXMoGS6vJ~owQ4c#2YJ|B5(Rsk_9PB0ys2HjB
zy<Oz~eWn8>mK(7Bbb*Q$1CIcOL8}%{Sl09{3TTnW0=s6~j@Cy@NDmDaI*Ogy0h_aD
zw9gzggh$5wU`tb^G$t*L&@$y+qzv4j(jqSI9TLS59YU-Z?<6jSH0{+Ntjz778I2Id
zh-Ioh11>CYH_w;nAP-Pg4c(>m)R4psu6IwX_y5L<Oas*9&$zbakn>WR^d9%fiLoOG
z+0B>_SVb`XGN%P7NVSf08VYrkvm%MoP)QdQXPyfTC@o1NLJOfNft1yBSwWE!2MG(=
z{1NtY88P=OxiMw*WKnmNmGPoXDcWclli7?Z(NRNBsH4!nhkoaCV^(BX>@26Njf7;G
zfdO15g=`kAHTEJ7aLCz|#MV+v;|4+Vw9<w^xe&@q>2uEt&WH;uxtTKq&kSfwcmskK
zl}wlj)8jPCu|rz97yHD?W{JpjDozvw$1EQ9n+_t*@}>AoV+c(b>!iYtPIe3yx|k_6
z((x-^t4@92J`mhZ5@nms&TA`womW)M&jRj_2X+S4C#uP5g15lwt&2|9debUJ^Wie{
z$p#DICi{p_qYeJ5Lto+C%z8I7LqHVs2vem@@ko>&wxf|zNDe*%9VT@fB=Lz2OKxTi
zc{^^@OopFsb#gOrc6`o{d$aw$x^syo7(V_e^@0lgux>&%Qz4MpT=(VDXCVJ@8~~`6
zzZD5&#OO~7q@nyOWM2WV91NgJ@`U!<2LlHxE55`GZCJ$(%(lkV+)x(Zf;OeejSzdD
zX7X`c=t^anehpr8D%n)nJij8tM{H4Xa0nPPd?=`f9-mwNfejr~dE?}`=;@DFvt7ez
z@^t6yx{8O7Tk3yhU!OkxYt!NBd>yd-_vyf>sr@tWoZt7|T;RSU@?~{S{>b&wjYChq
zc)sDK&<h%Z;K*2VO#OmGXU7;E#l$YSqSf=<$yb(QdEz_o%FcdxG<w)Q+oe|-b`&FC
zg`l~B;;%!)feSSk*?nv4+<5i=z~cXN;q9=M^#E{L{&-O4&*nNF$KN#-2Lt$xD*^=x
z-;MGb;?+Kt27N87XfDsWdFw9!F+lZdplZ{=IH!m44%~7ylHXE~djtfwB*imrB1)5_
zLRRFn2N*Zbau|V}1!(srK-H?_Xv|^a1ja)<W|h%RhR5T;M;rWE`n>^eMtc*7U6)6#
z#FzQE4!3JN_K50w?%nL%ycqB@Y8!eq+p{%&xNd6hj0az1RfC{k#uxW{iQJFfDd7q)
zgDfE?8g(Pdk7pqjFXL+DrK3$~G)I<xc)7yY@Lc6?llr4x##Wu`71~*#rDiVUgy-k!
z4-IN!v2Ok3FS(1VjQ2p6>COy?7_VQMAFepZH>qV3=P{@xQQd0++3<kq5>r(S394Z3
z)Yrq;kNTg=BgN3j&9`Q77sm=hStb_CFs=fbKX%kjSB)a*ve!1Cc*w?_bE5ajU#Amr
ze;_0u*cg<raMs&_?sv@YhsA8Y%|V*o+vm-Ohf&I~tb)QznjeaD2v@3?Rw3zF=Py9Q
zuNL>onL)zNjps2<_kEXPqCvb4+MkCR-;iyvHbg^vxis3`+;P!Czi`^bRwE&tHV*qP
zo{sudpSXuaGqsS-rm#L_;{thKasE0|jsS6Pz6IH@GMIfV76XRLb{4(sKYwhGM09)i
zWb0+Qq$Ivv{5gGTsJOlGj%Hk4ELnW2vVnhEWwpz{HYp`y%rggAS%5;^>xhK@6=F;l
zDH@Jfky;9#fdsGkmfnMh^^L1Zp`;>RBVPeMig1vL7zl$~*@6{V6$>Hb|0qDKpDy9)
zT|dIZEBTGH&2B%~*6m_&(d@{y1TJnRgo@n<-$z*ohg<93#zx_2*SEmgw<FkpZ@w(f
z0r{lF*<7p}Q`HFI7%_WFr6Xq!lrJ2QE^-+aD453MP7G2JFIt$J*IctWrQR+n>Im;n
zWDM<v%y^e5gsS|>u>mVSFtq_WEZSBq&N%%<b;QoN>&?KiYGW|y5vLPcOSMn9i_`Z^
zU+rR2tCcs*h@w%2Y6(i>?+CFB4qmmmkc#5i$Gx1Is9}oR$9g0R?^w;c#NSSNZfvZ4
zfKIqoIRp6d^D5lwzX11*EC17fq6KamSmqyr!MD+1i}fn7GQ@YZ`{#IW2Ur~Zf5HR0
zV_^1g5%oWeD!0GDFK{V{>cCWR|EKoL&h?*qy6OM2sSq^_MRomh1sO)!4L~BA5Y_|u
z-K#UOq%Qj%Y9F_+3*<A;H78haMXd2(dFCh*h^c~+O)+rEsOiIfe=ff|IiaF}4y#yD
z#~EK?yJmKfw@d0K>LgVor3j}Bj?x!Z_qA3TmnW{UO-V%~8rfrMK^`~)PO)8s+sWG#
z^1|JlLaM2%#rj5(Xhq1?3|Yy^GH&`3)cO&aPHMtkfOMB3&bY~tJLH$O-a6b-mqt_x
zfBSJEn@ujbq>>!_ff=_VtCCqFen<*irdJQtu({xoS2Ue7YDVgYj;OcO^T02VXMsWJ
z8YP^i)-%t0fKNy};PL<gCMPzrpb*hD(r?iNOUgkNKwt-`6eQizM47~fdqI?<#-x*6
zqWmegj{Sf6>qBINIl=MnMq{>~@2thWp@Q1EIV~R%qZmdc=;Fd^K?~>d)Tv^?xIwjQ
z%^94cdfuoyhBf6Q^Kf>)5fN*E>o{uEb;DR<vKYlgC|VA53`tP}xN$nEq9hF&QLcuq
zqMo7UrhW*uQ(KOfT_TF-Z~fAcND@$WSIHl?6f=nkX(gO9(13&VCY0P&>x(EVYYIjz
z_P_sWB-wVJKT&8%v;t`_whUFc<bs8iji?lG8LV;Le&!g3w@g^p29`YSQ(&kR=eTSL
zpM{Hjgm}t5883nf0A@e_X9AbGxp*^W_1la^+YLm%u8INgFDZ!^ES0@<&rzvbx|vyB
z8N6PPF7_7B)#CQm_}LAHMbE%r>%CNO&^Rl-O5Q`wwf<Z$=#`mNui!lEz5YHTt?9iB
zD-i6jLDVmC(fmT$e}l3NKxFPrbO@RwAZ$oD(f`bzpzHxIR<R{S_X^USB>Bhja&W7D
zYP-3g6ici;y0{-ha+P0-lDf7hK`oXQZZc@_89wRr6Q&$)(#V~cjHepEdNySDXj*U9
zWpw+x92DDO<g{E_zP9M|)7=bQm@uVvgZ>_}^r{XnV@Z<*=x5e2u-^^6C|0&#wG6!-
zUJSi9@W2D)Q4)G}Ru@IPo840Fn)?WA+k$|;yqmO)XN;F&is#x{ydY$Y?dU(Z9*^}?
zD(1)Thdl3m>rS15+~#vidSvzSRRD@wPPC9<2)6+XRX7Bi(JBEMN(XFKj6hGF+K<s0
zpN+m9uJ)4%U$)8Xhi3-{P7ckS0;x4W36d!wCKds)mgP8C^VopHZjf>QkUh&X{=s;I
z?%-}`SMaoi1Uy{j@6dLihfb2Zit>{rbu`gs2ay-L29CDLgB4bsaWaa&7jk-N#GJKZ
zN4p{uDoTBf<9zgl&Zi+g2FgKZ6}nn4gB}HwkAzySJ}^8wQ~MD)8eUYq)D7;biq(xK
zZ4)r*u^fKck(k!_HYPjnM%Iu)lj6xDhNz4XTM}kh{9NJfGXh_#?GAnDFd@O>X!nwa
z-}tV2u=STkfK+5lR6j&YbUA*c{4XV^F-MG991~;WGD<uWt~U}19P5i-09K|qoDt~A
zjz~jHlzc!UQl*WWlr==C$$>1<>)iL<X#qU)s~ob3yS?-q?E(4=uexu0X0a+E){C)u
zDZ-mjm&&Dv6f^QWS%_}JYf$wlt|ZHU3vEyX$_!hQ{5<_g$T(uvYjUrGa3wNIojO}|
zYG!D1V>Yd`@TEu-m%XrrI`k|!lSRGvlPW(pDSsypS=MPzBk)fhmDu0(JsNdv(E@(`
zQW%MdUw7Q0QIF~tjO{=$Y|`}BAT&CPq$vEIzq}r{AQuE8b8SsZsQeYW09(BJ&3!t4
zV^t@qp-95339D3Zyz@k?@kymYoCZyo1MVD^Y`H)|=AtI*OqB?q5}209_&!<Ki2g8L
zrRrqs1Ss>-kkY++XD}vv{v1us1aSMI4x3%b>|6SJZ~FGfvq?f`$d;;`yePT9?hUB$
z(SUj!i}rOWpJCFo?yQJ|9j%W2s;40m%X0Bl?}@NIC&IJ7V2JB^_}gFajdA(VfzM1l
zRi;OMUglC`M$DcCcUd5Ni>GAS%)0+Nk6}F_U}{O6=i5sf+iz5y@zXwr3_zmM({>4j
zt5mYK5`0dXikWH3@Kd$LvrQuBjC4a_QHnCwX8XSR1Iml0I<RDBkjVcOz+8`z?}GEH
z+`Xl%_Q!2s_lwRzz-3eT+LpQznSzGh1B=Hj%AcfPx7^`C!{O1GDImUgCKJ0)i&~j2
z0E<tTlmzprIyl-OwJm<unO@5&15<8<?R6=t*!W;g@q15ne<wcgAbg5uJi|1NDn4-P
zgR#w9^$B4t{Lc7aAY@}n$;|>mYe|CuS^77~p|u2|fV9K^oBt^hgK!}NvA0Arg9v_q
z{wE*b76yq!_{Zz*`%Gn!J9rQ_X0CrzK{(d`LojAb0jmFQ>olaHtB}P3+kO1=z_H7G
zi_>AxMEJKkO|x`{>TmhAkk;J$Qn3ooFsHb0g7FByH|`E<T0k>QZ;gY|i0{QpUOHK!
zAlp+f8Xz$!Z#!7HI8PLc%xSbLl=zVVUKTA1snx%)AUNIGrYvu%5ezuf5Em-iMhT$`
z=NBl|IFPm|7eF@e*Z#pwhJ!Sw2`+pAHbjr|TveMtvy7&o3tPMwVSr}tjZ}VT!~+*i
z4RWbjCvIunEp(|RueT#JKD#OYj8aB+Ii-SnbKso*rn|;cz3<s+24#&<XxweCNc!zf
z1;xJMn_e^oo)4rm>j@?&6Xgk}E?VCZ7ur6YVm@yxFJPZg+Cnt_)^XH;T1_x5J^=Bz
zs5B9KFpje%2wM_F>@WH=Hh*|0`O6))JKK?IBP$+PbeB4Own(Bp<6~PZq~48=+uFNP
zG;RZT{E$d^Khit;0ObS^3>;ME>pe#Mu3Jn$W*7r4s{FMddCFsxKk^{<{K4o<OBtmL
zbRkq5^8gS8-^zK6rXaKc6u*8~zIE4LYmEIx#o-x311ywYSUsrBp(Sa9=|(W<Tr(G2
zkVZ`sAp9S;8a6*j+=3MYquHodaNhO9)gXTR(OODN{cvwkhLv{45X6B1uEf6aw?ESw
zM6q4WVp)2uw(?h7sd_UloUQ$^$87C&mn>ZPZtLVx+wTsd%BC%7S~&9fxOC5bK@!Q6
z@T!~o`F?(_sBLWzd4q~HV(<8QIMKHhiSYzIZ?4qv8FF*=Zi3a^GSC<a+o90_!x<&x
zXbz=0i%sf&vKOdGMQ`3;4L95K-ft0?`wB)kzuxdNyJd~_IB@^?V4J%2r<;D@H_&xY
z)->QIc0i$_>J%+1EsGWd+IGHytt*4>==hgJ!w~e%@SD%$?eopyyVc51@CfAvNtfc4
z5ukg#Y(tb>xyc(GTPo+v<YQ4L5rq_d6zLURifS2sP9%s(D9v3I@))QXN2mheLE#~)
zNwSy=R*+6kMg7cvHb)oF0<#!44+KfFGatYXiagiS)jc>u#3g%u56y;(b?GYqE_;6A
z5o$Fbv}L+NDp>@Eq>k3bDi-QAn`;f4;0fU`SxzA5MXW?-N8AA{lqC1UTo!V%xPZMV
zsOpTct3IkplD%Rl=oEYlPGe<e=%!_?1;vFdsbC%~u}!RAUe3KG7w9KsE-vE)rA~nT
zGIubJ*dsBju2|)kbm%mtWzHeWG#`6O28+}J&lE-GeGLnF(78+mOIfMY0{A)wEt#w1
zFld&<#Ud6;x#uFcaezE8{Plyhhv?HVYd*U&|89^>H<vLpsWLT!Rgx{M#9I4Yu{hLt
z(8#_P36`5SNxVdh_}sEKNn?b0VGm#%du;Pl8C7_I1{Tt$6OVngJ~t%x40ZbCj6L7C
zfH4AwOKw;dWq$bFE|GDu^;U0_aw5LrCuRyGM+sW$@l4JwNnB^l*16_RXdTa)?nVDJ
zLElxQlOyv;@mocn%2a#NCTMeU*Bye)+vnx;K~B}_;WumSV$!)V@O1ff>K<U3b0P9A
znDn2Cg7q<=#I-?<;yb<3GM0wT!*klwOZ83b$$@zOESVoToIO4+xnmfS*v>9<S{eXO
z5->Q>Na-G@DU_y`H*BpiDY3UQHx%vcN7l?_=XkGLrO<|6lO`%*JZn{-4TY<-I&|*>
z-L76cZ@5Cc0-&B_US1pM<^V{)y+)g{_w9^)Osn}kc!^FL_HbOpoEIoxO%@b$vAX*+
zmDj{K7^VeiYoFbHfiZzr;+JQ?IK3cUHuSbN7>s=``tCU|To6_@`5qMu*H=sJB)YY)
z44*#ci9^{5L-C_=ecrT)Lg&bYQU=LNPo#u~)Qt9Gfbdpf1RN!f^#KnSn$GRpxP#}A
z$b5L&(COS8S?s#Mlb9xBQkl+IO_JI7-%jp!PaR!D#x74UM|H0geN83ANtwdGe!1TC
z-UqTuXhAJ1LS@BuGjj|pvR-i%_%27ud8!D$bny#7dx+1OQXVV;JH>+00mR$Uxmvly
z@l4iMx7fkvWBiTQG60|MPvQXI*G`>mdf)8gq0^BX2j54F{zD!f%}Mn625l;ZMGv5_
z*l4ARMxw)!0+sAnm0~9{oo+VCIdF?0t(la9Txi1?>qEUs#cq`dC(qtq2NBOpB{71C
ztbWg$I+fIWs4DK@#O^${9DDrNkfp4CF_DXuBBksDmoHz`FEAJ}VtdjQp&*cdh{gXH
z%(p}tf`}skv$Osi;I`aA-2ZbpZLtUfd4mP|S7V6U;t>x*@vlV+YD;4lNIwiP2jf4q
zWVDv(G7#1O&q(E=3FHv&+fwTvb<MwZP~h)q`k#-MrmmeT2cplm{_e<MzZ$;mIzF`^
zR6&b)EhsWoOPoXh5IWJ^O>-#Z_qXiZ;#wk@G;6^<f77cC<3H~Fd>n1b$jYNlJ0)RA
zT#7W}k~_S5i@nOx=0eKs`4GE(vxJto@_qJ%j-`BmZX$#W`gUi^u#^G=WauDlHZga|
zsdoT~VbJI_zK-m-)=99bA+lrcz%F4tt{9MHc)XQ#L-qk9a}cq0XmI#3gZrGWz+-_B
zb;=Nb@DoqTJ=@f(Tur_kaS;{V?(CMh46N4k!yAfP6*DJOV@37Na~rTJS~ja33L0Q9
zg8Vkzqs|S9|3QS$nd(=#D>e`yZKe{ITQ?6d_*F|v=2gE5yA;ZDVMDNG-ut)<PYHgm
zn)st^4MIUg%H*#XFk9iCnE&r+V#WQ7T7x`RcUWm~1;NvuMMY=?J&;8(W>19RG1?WP
zKsmNjWzvc=SR`PYofUV@#J-)@x%xENwSLnh@C&^K`5&8Ha9;h^ndNQ5P<5?(x&9Ua
z&@kYih<<HCpbhC3+{BChipc0;cpX@3bci^@VOBW2@Ed=3h(@)8X|w`rv%wK?+^{$=
zmR)WL)mPmmp+w7WcaWq^Zy-_Mf0Tm?)nX6jp6y5>jzcjMDocVRl&Q}35~V<AgvQH&
zmH7Q#36dx*CDY=-ge5lW+cZ$CQ`;#5e77O&MhZ<=&bqvuD*i<<{jH{XeLwVO=hLF6
zKZ=ZONiL7#708qey=$3ptC)Y;nN5Fsdmmc83!Qk{<@6__p2c0^8mXpWxoGMqPp0;X
z-q!yXW!$^#a`b8~!;#3FA>dn=GQ~BVo@@$W?7y@$44tpu+qZc#>BAYGn!LIIJem2p
zr@#GCc)B1*5?IZ|77mbEkkv~^;?V|~7GXDhSJq+Xl~R2*`L#n%9iC6=)U)X@>P9lJ
z!AfuCSo8Xo;vcId?x4cO2W?NDYfgSXjMB}aiQ$LtcUHHA8ou7u^bCAtlJr60Wl#kD
z-P_FIpwJhUi9VmCn(d#5o2Co}@Y|DN>Sh`+ZC0R6QfV2z^@6Sw_ty9!AdU^pL5wDL
z>pA&N&d4C6^+OLHf<Oy@5Cl&C7BVh5J+<`kWDV7hCyGVrzqkJU+`CKdO6ER)_^A>)
zAz#+u;e0eDS&GE=LK9yb-pz^%{Zkbch5*wcQ{@eRM>U>k5kedzY<v>|P+XPQ4M)p|
z+}{gv6!Pwp4$pyez{}G|8sEU#msYS@<-MayTrp3Tk6Ofe86}T36lr6jYD9p!IA^QC
z&-k>`xl3C#G%TM3xwz6kPm%B)5??{l7?HW;B%sDV+FI<WtzE;%Qk=yTZ90n%E_K%I
zwY${U$~Rur6<@UVz+3MDlyM1O!RF0xI;tJrR7Qet@N%u{zfiX7E-x-(lUtre?2ZxS
zmbK($S}fQyPH?oR*l#d8MzZ?M+2lqcny=!Mx_0m*)hRTv=>z4nn4ZLK<#~+HVy^CX
z>1o+``dTHI4>q}!8gXJ^XwwU#BlztV>f$;3><ud9a}2m6HgO~X0gu})Tf)u$k-zaM
z&^PrX=P3fNYNk$6j3Qx6#)Ilp(tHc$3$%|Ein6HJ%}Qq9`MBYrNPzg+vCC`u?%<=v
z?bt3)9}FpJsI$!|Fqf+yJ%&2eVBT2iY=#G_<?X0!96WnE=GR-CxzmY`FreBLWn0^v
zq#V4b4DUW4vAzxg-c0&gSz7|%Z+`61?w<57p3v@+yK|)67K^Tb?)RFVaq{OVjC_>P
zdIflKtn>j0Nkf4T&4WLa&k6+>0p`Ahu|ohIfu~CVlkZBX<v#;8n^42gd1DsG5w{{;
z$AKVfS^P+*pjq=2b1;s*rzjSvPOfKBI5Lxa_u-Ne0L?7^`25nE@A-I+)yd+)807y@
zylhlzQ`f{f>`+&KYvtuXUTZnLp8JWU{;2t7Y}{q4(v?5V-bU4Xk;A{m+{yc?9wenC
zi!UY=J26wTlo(5a1(Ejn^cdo20g%jzDHedwS?S5q)78oB`S3`e7RbyQx<kOI$z6AR
z_`9_Tr)5WQYIpVc1yncA_diID<DV8KXe}1wAoS4xdTO_nFMw#lCi;C3V(o%}ep{RT
zmtQemfVjc`&y%a`6@&pQ#ZLr`6_}OjKPT;PQxlzUhsHOWMr({kG^&Us=x>KcM(kX$
z2vV>$Y`xZLLZ<X-%xO@`&+bsiwO1yK6HcLy8x5x;o%lVOgF`)KDU*!^)-MH%$!n6?
z((YPSDE&%hWT!$$OAJXlxgm^%M%h9#oBGgTa=c9>8FDs<5)&U_z6b6Wtg;LeWx$+)
z1Zcerac1dE(2dgCAYqvF&{j3Y*dS^}S&;^DHOc_QQ@BvUcnn)+DfU|gGE`d4jheF&
zVGA?UsChKe0D+aUQJmqB+@9tAoIN`4q7Q`?;%sO!mAxRqI*3pFDYTK4e$hf&V|9>|
ziAgA+pRy1oaZolfbgHcl=LTe%3ZMp8af+Q9a_$@xGpLNmG8%W4DkQ!iE+pOnjAf5O
zBL~a8(8Lx9>qG_zU569S<J-9VE2pGF-m3d75quakrZ4oH%J~!`<^;tEmOnrw_xm`J
zQS9)Al;83&eAnL+1w`SSFAkbKc_XB=z`kFCP`LpU;<UsLE($BDmWCN*0dT|j*5f-H
zU97GqR*#$YFp8UXF^Xd{|K5s$>`|#Oz)v)wOz!)oMoIc76KdrYWRS~h8NR!pUbo#9
z5s4UJ(K-vKi*9=0A(5_;AEhaigKK7?A`8Yd5rDDos0xl21RxA+8oodg6_mQW3!REH
z*BzZ6b;K7BFOm@kWR#!+)cKmm+go~iT6m>H!*s;?1*9ha^t?x0OrD)Gd7^8$d>k!S
z6m)q#eP&rF;Q&8EzZf)Z6@Pp*;`T0l?4^MOZMyda{R(?#!1bJcV<Y<H8-B-m)bi!s
z&g9j#nK#t(^>&U+{#DVke&3S%>v~%KTXs2QY3BhMU-9tR^b?u^prr7aOi{6%!EsDM
zGt#PWAW)f|gD<esDHkelSzsDc(XM#45BWFdPn{Go-t|*!kDgua>8_ZmQ&Y86PEglj
z-_iTanYXQ0O!9T|$b^V@-&l-JEJ~)J)*rZsG0A%L);uNjAQEW{+rb?^pSyK*FZ%7A
zYJmRL^|b=j#7E*K;MA;(SJ&6`@5)!VXWM3W*QcxI^j22ZQG?rhN`}i;X3sOWrS9$G
z^T^NbxT6R^5uhnB&6a_N{g7WuA%7{^ByDR+qi~5^l<ow7gpO4T(OdH<^7fnjnMBl_
ztXGFl&>rg-n#g-L#U_z%-iW(lV(z>`!XUv2GEBitGvw}Z`R=GiEL5@sK3N2@DHq7%
zz!;<W#%wXO+1meIM^UlA`vsqk5G{Fx6h*>HgvDVLH#zD6<C#%vx?v#Xh_nIm3ZTB7
zvQ2hxB+OCXV<5l}?Nnu<Vu||NP4`Iqm`!hs)FD%;V-TWG?=psqSCgO@$v?<GpCN41
zOvYZ&6l>6!0ZeNtRplQWx2@)R$H}6#I5{8pYm%K@vQt_iq_;gJ*!+@P6$=6J0S=3w
z4Y@bRWvkmLf*4baH~hY4wo)K}T1z{aPk=x58!aX=OG+iK>VO?i^`)!njmYn7E&su2
zLeG|j6*uQD*N*Czlnk<2+ePuU81@R-dlRPW)F;nNfJ~f{uJ?Uxe4b+y5}Dfp+sLR3
z=3nko@Q}HSdEY2&y0=~|k_y6_?}=u6vK6Yg$H#Sct7@fVGd~^=8Z0JElcuLTLB;n4
z0?!HvCsKjq4rXG@O$Hq+Pop|Pee^hgg?z|)G{Lj^^8kEM!_HsyLl?i}($<)R<v7OD
z*1Yo=z(acA%7lv{*8$)DvGOru>E-R{%KPi;aBb$2A!HBk0PV48xELF3jFPXh;%h~$
zIL55#kr3-}ZnzcXrD1UIxD}J<H=cvXapdgw;t<0y%|+}KG|!k~nPXfOJIbMMfC=kq
zb49_nlsH3|mG#C{6(&vrHOikBLng<(4NJvnSaxY!*Hdo*aJEbsW=b6jC@K)^e@N0Z
z6zDY6|63zlLjhI!pT(jeAt?60_KYCRoE-la#ahy6LC+w8v|7U0K;?l!TxDASy$~=f
zYl^=J7-b3uCn(&%4Xc{I-}Sg^h~I9!8)UStKIabl320OZSaE_83A8_GA_uXEBF({H
zh=O~LRaYIrOF#}ut=C#6O3ppn%RS9!WXWcC5*o>~lZv;MiOXCKbaaTrSIN>_I||8(
zQW{C8$oMSEaB#sJ+f2x_ic?h7P$Z>XRz!r$!euy{s$Jt2b^&nk>7Gtfas{o0MM`K9
zMI}tS%yX(EldPdqvOfOsnLFO61M)Z7E2gcAESi16W2SgQ_4~PkV(h#`%eH5eALC|u
z!n!u}f$id90O76j$QwZh_<^E|2}J!IdaGspJy3094M;R_iVoP6(>xL{9Yh}OYH5~Z
zY%=mY7uMmjb^t6}?kO{8-x)J+-+(Dy9U){Uw|w>w(aAF?!5@{`KTu;UC~^nHtLOux
z)$P+1=V+M<1~f9%eS<3_Ck$XU{h%l!GfwbW8M|ROpxH*INM#>sTS>g}c*)|8n1g8Z
zlhcW$7CgY^!<ay&9Wdd@LuR2_4Ml0Ic<{e2Y+;aO>;UwERYK$-PKVrwxpk9!%)?_g
zd5z3j8<f%LOxeVnTA5p6+G8(p5J{OkwG|hz5Qj<8dks5$@kV_jq>Exf^Y?_DW#tnF
z`OV#ZQ1xbw>0snhk4D_IHi&&ogEZuX<?=AU@(-Hg&Qm$DQpjy-&=QHJrH9|bFVs1k
zxwzM86##QktC7lc4UO-A&+W>Zt=X+|+LRPJDq8IHZSi@Z-RyDN{9&2w%i1u){hKn5
zutBY+!2S|yu#94WMw*l<<)pEMp@5>87C6A_NUPU!fhIGtjN^im{AmJLq1d<v3i*S!
z0ps76JSj9+N8F8H2?gUW+Lz9_2a^~x_6cs)KMe4J0+&>Ay6yuuQa8aFWwJl!4WKu+
zG(A^gVm#wudsdF0<dvu;A7sJkR!Q9dxMIe`D>}qfG1d`qipu8QCYT*QJ(4xgVK=V1
zo;jRdwVUQY{Q&n&DLH<dKVF}3PDn0Mh?)Ou^mfI(neKhNoTL4|zj(bq^%wJ~rDFmn
z!wF#P)4;o~cTqE~(1Nkt@W)iZZacHfvk{OY4-M*~u81oWu8e<2cG1Nhio8xAv5$b_
zZ{e8{c0EIdiGyHfN?)&jDsnHk*8Wo=z@U{B7qmsne4hoLzGBK1j+SoVny@vBwrjXo
zLt`%;PA46_Z;j=5DGp>@BUqmf%VRcSDl5Ra2qqx1l4BjMlD$>7&yptH#-{JN5QohS
zRi}4`Ft%_yijEO-DZUA`f^Lo_Ihrt4dkJX@d{L)BEIxnKsdnv|e~j+6`>%m)FCjWu
zqp1Ms@UmjHA){gcHeQwf%$>mf%K*^LDql}atQUW`0)NRd1A<!zUs5*d7cX<ml?K4A
z*UZEB;dSmBz`g!ar-^_0XWRPErnpDjd+q!83YMscsYM<MvD?y7<jveZ&-iU5MS7S+
z`K-t=n|%l0lRc;8@a-egN0_O*t<}@VKlIOIhwREdGr&rUn^wIh^xF)-Z+W!jc#i1R
zXMOmQPksH7qPMXfvdX`%oJDN2w;VA2M7pwEJUbI>!TKEe6T+Kd+t`Iu^y~Pn792gP
z^!^J3Hve&)$=+%O`KLgadY=ZKI>!^6z1T!b?jO0?zg~=g<SGv#>a6i{0u1V72o`l_
zZrL<0BV4MZ4bsmk+nnG6lzO)U*y`YHL_JJ!(yLC1YV)t<;M$2m<o;eo{#^u&pyH>U
zntgW&uSqNNU9h@9>rtplt8|k{{!n~ClSr<KHQo6jy~u=v+Tp!z*{x{0c^!OZtWLd>
zr+E{j<FESk@AlzhRMCp{uY0MkUeu2g)1rlAvKJbuQJQ*0kyEUT2`?5Fs{QbEdv@yG
zzKqu1`~RCxrCehIg8_5>+gh+?gAcR><{u6DKi;~jQlQ&#|1$f5IleV!qu)4(j*Z<q
zC-P^uKG6nVEqk@ub9o9djLsgXh3h;gMh6UTd!%5KsdlNcscF&brhZQnC0Vi2S^~wz
zL!@djZgloB5f=-3a8_GjR%F5a?d)wE1}6}-&KdW98i~#U_~b3H$9)(}Hg^uszSzR0
zl0Q#L?5$%uxm5AzTWgH6iz|Sj8h^m_spVE-<e1;p+hW?ZjqA!|^q1;ZWi6`W>ee04
z$eCbi&J!1QRIIN6aXpgjXe5N{BkJ_Q=gI#=)i;J$(lzZ)Y#S5Xw(U%8+cx&ZwmGqF
z+qP{?GBGE~+0XmD-*?XW(S7x9tnRMbtEyM6yY9MoSj(8`{Wvll0^9YX(ca+=G!)CA
zolToLJL{Ef^QGx}bro<jWmN><ID`oVt??xxAYmX0Ayrd6b%`^K=KWy0LY)U>P<Au!
z^JLQ05)MeG9n7rO$vRr>q|o!uBk5sztiXO7IHE81BewLHJ%9{1=?%>LRb_sQKU|4Q
zKh3`?8VIGfXuw=DDb>6vbunI=`o!-wfZ}ovCojJF)4nMs4(nyf@tNmwsdl$3k29m(
z1SG5%CajBU{{?rZQYUFz2Q3ufJ4F-KNVe{*L4sU7`&o@Oe%QdqC#|l9UAseTesq6w
zbQBhqX^4Ht<grC0RP$f}OVP_fR-Wt_HZh8n&E{;L1v_75*ZcMc*%Qa7zOLaey@PG7
zZ>7v>VAVN}z#%WKH}~zgHM4V3bY#F3CuA(GBsoP730zWQ*1`4pmJ%hPb@;`}sXtFO
zi=!dhPSN3fds_PIG%2co`_-|`V?(hg+k%hVK#Nqe70DFpqAG*n7ZF`GmG>E<x28b1
zpLC*`-_B(FOIW=DdpM`JYW1@V8R0JF5`kogACcq_i)nl>>=Za!^LOk_38Z=J4ttK^
zM78()CnGN0-EDu|n0F7rVbW$)Kakj?<!j&m;rzthlb4|Rd#DJJfo3+T+q+O?{!At{
zCJ0FvNyZ;iukZAQ((Xhae&gDg>xnK$lP{yV^1wUE1MkG<M2ONGom;mixk#cd&;*gm
zj6O!$3fW{&2+g*n#X2{YBuqdX;O_Blx*XiQD;#geQ+_jKIujtD`2KFW>_}!FRcADL
z78h0wZ;JQ!wzOvNM{f_CL<YjH*I1q$aJr6GXHQ6FSk`C`qLLxkW;PJsJwgqmG~dAf
z;QB7~kT;V#pTtctSRgjL%lQ{e>*>ep<@@1b4)ZxrhMA%fE{<zYwMOF1Wp$j+aQCP@
zu$(|JH5D^E{xkprabKyuDPkHH>O&s`(e=ws$1cd3Z0vIZ66T18%&aVhg9A>H;Yu#a
zvU*1S0yO~=;*)jaD4?vDuSojSaQDEfh#}Z)*AiE8pvrTpOG~SpDtf3=3%926!6}iy
z#H>{-u_9@8I4<qlX6cHVfv50D&tK0qcVb8J*13G9U<-iPj9dm6RU~UB>UK&;y;<s{
z-bWH}K^=|(x}Ulbi{Gj&>9)kqMJ<utV8{ObQTNXDgG;Nd@dxeMQ5;!BZ)5{uhluNn
z*(IIa<lU}Hw%T`%i?UqiE`X+le5q6bKevTW)y7R<QsL|ddR11~bl(q+7__=RO@%%@
zwJZ{vms0@Vm(3X0vtF>CPjP0Z9})Qvi<oRjL7`}eWNUOvdEp0e5)QNKO{hR<w-xw;
zQ&P+>bQKO}TYUCEP@BgrIjtJYW$RFZ2*86am&7w16}VUEv~gZy#t35D0?1-Obs--o
z_~5aJeO;<fl}}AxrBGTw1!N25u)7R|z{_7A10p`om`RdEeA=C+1(5lH7d)iH{}$)x
z<e2U`9o*k$4BDJOzVY5<L=vpH6+*U`0aeS7VMhh(92KZ@={$H0uazD2P7))wzpk5v
zwx@Z^Z`2NJtf$jo6|K`~>@F^ie0Q;?l01y}iJ0SGe`{Nqzp3wMvge#X1@Hv%*sK6>
z^2f~d%Nz3|W*A1p%BtK@&d$%vA-;ACP1)pg)hEfaTU2r3BGXq==UnfZa)kBRC*jeK
zyv+t=9Kka5^q!zr3q_ONom?KR1x%p7I`=_`d@(R|4rN=B$lx!k5|}X!j}llgNQ<~l
zJWkUzg62WG9>X}lI=gx-flSaC03ARf@YEtWV9#b?6w=3GK;B?GFsp%0t_~;#3LOe4
z*W61|!n6n`BZMY@jy4?KUkEktX;9LB2~~}l%&TN_r*<~@a%EIIxXr+h*bMB5ORz|<
zU2?N94tz{)u)Wp!z;+6N?L-rJB>YK>U_(KGl(>DG*xq|f6UF>l0QeKOKl)bDTWGTB
zTjV)>^83zRhoyn^L5HygJayE8&o~2ixY|mg6=?~7NvrWBJ>H{i=h$Ai%Scr`ePwR(
z3Tz%IMTt0Puk%-r14z=Rhdb}dpO!58W}yOc4VZ-m$C}GK#$5tl{Pe$ZnxK+tme3!Z
zJX;?1<%^|M&urx*0UdsM=s+7&EX6g@Mn{j_doENWj559fs>q2nh<H(f!$XIru3tPU
zeCX!k$x3ilHt;Ef?JyBoD`ITJcJ>s&2mC9c3g2I$_-8<<bp450NM%*vvw7+;kZpXW
z9S*uoTC5D1Qc)1pv(1{=>At*@;##o83Awbq#9z~v&W-E?R8vd0BB`PRUoO!%u;N#d
z<>!b5ak?Ivt${w^Z_lKSPlsL#i)Nt?P)m3~EnWMnNHy;!E>QUHhE;lEHq*fK1+Nd}
z3Vph)u<Tv*PI$Yg?KU3yud_%Oh?qgG92IXuO#rp4rB5Q1oNR_Lfjg?M3*7&|k^{uO
zheukoocIh>TCqiGC^e>ZNR<ib>E~=e3g$L%+lptvrdQV&ZbCJHxvfko^t2akOvw-9
zjp`nIKi?jm_NTHeOJqJv^sm(vtOd~0sf`D)X8^^*62N1V3gd=iVpbe<y%BWu`l_C{
ziouOGXmFRdSS@zK%i7FA4k@Fm4=|Po1F8TL*qPYl9mLB0p9<b9^yXz0j_rVz?SijX
z99O2mj37I#C2(AZDjmS*MndpW%aGSF-PzxnZu(|$=O>?gZ>-@25q7xN+PVm06l-cK
z*sgz;1$ojWH%TPf6H1{0&A+^W__6W8PREQ&qN)CeN0Fz+=7m>h!<Zf5s-AKvOM<;x
zWe^N=;!05Ncjx?NE6(PK#*o^2Kr=}GCKMucS>p-FJ_=cd0|8S5V-F7<yu<9DLms=^
zsKqo-h&8kgAzG1Rnw6%4O(<&!psZ;bBnsYcKnpPsm<H6E91tvlrpOX#S@OJoZe0w*
zRXJ^kF=0^Zh$^-si2;x<s&M#ENLx1^XP=h+v}Y{mTOF;)t+FL6sbVOrCkAE>94lw5
z=$+*TsEm8QLN~W!3@FKhyKD=*KY8{?Z)|!D_&2tWb!|2DSD$Gu)Y7cxJuxht8WsfI
zp0~ubHRT7J{!(nW`p&wikL;(JHPzS^`LE09Yv$4oviUM+CjnZL>%G?}X&sWvNQq}R
z@gj3}^@*<zUKLD{P7-E#BGoVG7-HL!vQ#v%0jpO|bYICS@)HWj>W^J+%1<+x^Nr|I
z<Pgdsl?}qwc{}&_Wj@wAhXxo|J~fidPtWq4GQNe)&iUWid-a2udy^%41xL!A)!#lW
zmJ7WTp`=auyx4Us><AvOZaaMb$P8d9;V$>+mVM%-(Mgec30DM5Mp(S*`?S~@lpHB9
zq!Zp5P4t3PlIgbp2LS}e&GK(12mJr7n9a<Vv<LYQn}Oax?0|kic0iMNWW9)@p3pp@
z4HBII1gb>%HOwPox9BMwYphr>*DwFDrcE<D^|~v9C*<_BXQ||we5#$J1n#1E$y6e7
zfGqZtuBf?7Q+%hFHxbJ$^wN?jHPcA{Sit0upg^*WdPihtsObFoq5L{8iLznH<+%<o
zZEV0(q{|r0yw;6?iyBt{MY=wgq^gA@b5-gixnVX!XshmYn56W{;6QPD?I7-nXgbLS
znr)uz<GG31J+Y=8F4*O4%v2b5^+k&t1pj3Z#2|2bY_U3{_7CyklO294Iu%ZYCM3B@
z{f|632xi#93RuYRViIJ)l<kws0IrPM{tZ9^48+<Rc(AFZqiv=&334#VvbqvV0b(eS
zl3`6Ze3|D`YHEJm7uzs7jwV2*e%;$p2BNXt=*TEUPJ)2Vg5$1Fz(u1VQ=&y0chEX?
z&~<psCcRu$k4fKAz9VAAPz#i8s0?h;#ARzp*IG;YC*3t2bpFM&xd1p`5tnU9m=j<%
zp>@3N5<-1GM_7Ga+G7)sj<ncAbI_L*8iy8Hx{TF08b3HDB>?`Uq%EI2dpZmoRNaVJ
zLV5xnJ3$%v=EF_c;Y!24;YujksEMMui}0AnP38haXIwOO$c2^2Fv^o-nG|^ja-YF$
z3_S4aLF6Zwb)l~kRNhil#ME%gE&z8=uB_ZJ7t^9WxnIHOKwbg3;*koSa(eZ-mX6N$
z_H=%)J1-`Gyzr-hVljSV0VdhsYcWW2_`FN^0j$G_c7A)whmMK;q~g<_gl(niEZqHW
zL#o-6LLuSFIi`I$I`2|RhmY2Hh)9F3(ThtSCb3R4BRlxoHs>E;4b45HdjPuA?wCNl
z%-^AgJLkvd{6OnJ=#{Q7Ac(lQez48q3+?rEx(T7LtIue@$Qo==)zYdRniTs>o-%6l
zaofD7Z5xC0{-dc)TVFu07w#06rcg}e_AJqa5G&lHy`L;H?fa)C5SzMiza3LB*?=b=
z6PIc<w*KJS-L7qG`{c^}0buG*&)o;n>6(L>u1`@GD#*P+hj}diqpWTn+s>J%@JHW{
z`S9V;`O%w)hp*|iwD8rvU0=R*ah8(t;m`b^&8y8nCFckn?cQ#!UG0(gk6ELd3#-)?
zE=>nZg=!T`h3c?43F$qyO0Am9*6nYHcZRK1k0)<C4RocJe{)ozxB)iNb9f?mqLjY{
zynh9RxX_g;FfeHcYj&{$aInpgJerZFOok@5;jWc@pa|Pq%U08nwzTDj6dbFW)tmwo
z*15gbkt4LSVOdx`pOhuhBeG!|%ne+ORU-S|`<5idejR|5K6`Po6O(;s;Gx9sUC7Qv
zzTQa8$;`8fF6JsH-2yb5aj^?S;dOI|J%PuBsi1YXj+IN>g8?^_ba^Y<T&COE*a&u=
z{XS1M%>DKz=nOo}c6NPVC39*MoaR4#au|Opt3A?j-UUnwiLO>6Wj`9iGjbvQ9Q~51
ze=0Y&OzLeOFTcy!G2aCTzXT<)r)l8ta-g9SMe*I(+Y)y21uO-Kf51vke+OMkxb?s-
z`Lk+q`R$ERk5N5p+S&i+$@vpkM__HoZZ+%pc>3^02~O!UtqJ*g-bWq}m*Jx~015s&
zy=!l%p5r!<`a+`;P8TZw>yLut?Ad;{?NX|-yU1kU^c95c=(M~76X({JLMrXD)bhA<
zzg@KGZ*Wpp8Gu`ZZoJQ6H@y7P1$w7tXF~QQvK{A8yKuexU_`V1V0nvX>%OW^)uv+w
z{fZrz73L*J1zOcMBrp3s<NHQ-=2@xVJ;isO&ix_n*8Qd6>P<)M0cEEU9(E%Jr+5`K
ziipGhuR}iY8B`T#>jA1(>FmsS^||Y%;2*->Ff!UgSqv&@A~40jfjdOXJ=5~ZU4gnv
z2J$6=pQ5g3<tLLxJ{L@!Z61A!KVn@CSjndaEP$hdGBN)fj-Imw--b=<Cqr-TcLA>j
z*6#t*5VQsdf}i}C2?r1Ze)CTbA28y~3d;UJbBq6rT9NeZTQ!LjEQyQ<rJ`4+B?eXA
zq(VAxC`Pfwvg1Jgc;;u7CL-gs1m$}GVez<bC-6CW@$BM82|;%*z;8R-MID*z#V<=1
zTCmQu&n0NU786N8k&zF`*dJqp%uW%Z@A?TQp&^M#j|VD&#x8SaN`Tm%SqcbEm|7e#
zynkS#`#~Ta89IY%iVm-<Oyo95qN%4u4n@L3cp^LPo9?G@GWg)qY{jW*EC4eUu@qQ)
zAgIaz1MfRCHYt)^$sR2({~<YPu;E8>gZYpykLkr*F{0LVSU_31;-Yf`-H6V}bFn(M
ziRCxC228&Q_!H}K@eAk4V`o6o%2e1WuyM!kOr*kSQ=lQX6%fNOK>HDnt`}UQ9{Q#Y
zE3N_?Ww`EL7bs%d13HPh#FcCdCo(MC0>N%d9Q9iFGH@b#97PTbL9fde^PRcP2A9`r
zdAiib{zNod0=TFHjr6w6&siCZdtwQ!d*Tr$3hF2c4R!b-WYR@|5Ii%7Q9yRILSY|^
z00N?%M46HiPNBp<hB=^74W91Qwg}X%9lIP{j6s5Cq}3J&RkQhQBEi^R9ik{$QaR9M
zFP~kS2vc?;hYVXG`CG7LDlweq8nTRxCQd3t_>W<kbzk_(j9N(3SziQoc7xFxnG?K@
zUbd=^Azf6Ow0gkWrjFd~0Ls{UU5-KM`Lp0BeDg4c%mKcQ=C57=pv&{`%jKLxy)oEJ
zAN_D7>PsJ;63i#W3vhxlq`RBxI}z#OK^7Rgc8#2^ct;bA+@<fMgzMsIC6tKK)JWT6
z)Rnnc+eSzsQ@5u(a*0M|T;~n-Q6)gI>gM3+%9@#9`~|S=?NM@IIFGeBxx9Yj+o_wQ
z2OawAuhY%V@73^%9gB*uW<90X9C;9LGQ_)XjC=-aUH&o~!8H9hIb3py<jDZrPb?)b
z%jzA~FQa9IRJm4xN&5F7x3fHb1y4uc78Am_f+J2n+bJ8DH2QBXthNVyVtIY004HEQ
zw6rXbnKeLAeG*!f>B9xYDM2Ua^xPGfj8mXWOd;=Lc1U47>-5|l)toRPHUzrU3OJPU
z(&92y4Z51fpJGOXvN1j5`{~Sq^Oln2Tlq|utJ+mOcyHJF#<Qj>Go`~3Hu&~*#M!Tn
z_50e=OOL4Yar1Zc=4Qil&o?t~0e*fGpSf51dKN$-TI^`5%MxM`x3Jt?YYM8*Mc<VU
z4btGl{mC*#9xBpK%}V9f`Q3b2(lKw<=e+ylGc1}x4T1HF|5%f%T!p*ymN6tHP7yK{
z>syHwS>qzlU|MMwdobEB-CvOjrDJaLCFxFWyVc{X^J%J=F$F~j;Dtrxy!~vd+*xSw
zBfEgabwbwyYgyIaq>m4dcgB&22EuCeZDYavI5K`1saU!E+9=BkSSPVR_;ZsI*S`<`
zUi-GL=jL|x4zt=nbHBH52U)o6@p^GUDe&a{hFD!wehk2ijUAbW8JQ2@O+$+=EIi!@
zCw1%QzTdKr49Z?3aZ+XEisKr}IDu?V98dsOsioT1N}@S?7}HAPv0lO}M%v=Om>z|)
zCr?a!FNS3xS%#CyUFSy7Rdt&2DpiWNI4uz|iOl3GSAw>ppk#M^k9x!V371_g*4^~h
z*M_U?q)b|vUvga}At9PGu9XxWs?FFbP^ZtB{o`RVB!_&wVt!ByH5)ad+gTP_Jevui
zz$Av^!Agl;pt-Jv8c4OWPX{B6uH&8xzRAP!hmI&RC!3u(+_-io6Ira@$Ai{8)=9<g
zOK>`=X>&U1#)DHav3G%Q+D(?)aQs&-G>g!iy&x3^YUkM{Qa1SbcsoA8y07Xh69^)q
z8)$O4dU56I_J7s=;(xJdeZN^`%gF}ND=O~VraCqH@$z@g3rKe>X8C{jTW;MW%~)>1
zscRu=eyejM3qNrT>=esQ$>Vku4YVM)M2yD!kpuk2RHN8jkEVNl@p97lS`+JlDCgnk
z>$2ynG0F)x(hQT+#fpbB+QB(Z#+4-?`UU1loge%Ehr1op;upZdL7AEV^%aM?;4Hw3
zqG?Wn;OMP172rt!O@Whd2498;Vg3j7NSP)x01k95|CENS*3@xO`Iq@j(sL}gd+K-b
z|M(7(;uaJn3T|+?3$%4gAmY)Vl{o=K5?7fZF`BaRecIn;U8@v32#z5{A+|x58565L
zf}|6_&@z!!fy8uFkNt=S3MKP$&YbRSOMG4rJ^+)t<XePT8VQ*#5;eDNK?i(!c`QEQ
zp~6H;&FzNR#6b!}8Kqa*B|!uXlPJ7VD12#{&X~IL9mg;vQtD?J-L<*UlD>GL9x1mh
zq?k<wnAj|EsjUbSBqleEcT^FR<YgclXT*dLkQ4qCzTu^2U?wY;7C5Qmv5n8V*kd4H
z1_`nT5B)K&<a)qBn;_x|BLWFlNCilUjuVeCHB=>6-YSzJ11qFXK<z0Jn^5O>H$*pd
zC2tT*6GdK;2^^{rg%4uUf>zR?fD^SQ!k1;8A+7)|kA(FRqO5=|XA}OJTX4Zc=0u`S
zcTCg~i6K`Ziz=F52ik19k2zzEwhYot5d*TaLX!<+ObddIf%rfn*Sse+00W>FQMRuK
zAwO<0lj>-Z)~0QZA;wt7kVIG2AhwF#%M<JVR_IpL3E2r2gn_VMlt_NK&y_;cR)$m|
z?bcT&?$&3i1YD|k3?K4%3|);4T@77r<Bnhu!LJs=!D3;lxl>^Sf+Nw4i4zXd)kfnr
z-G-eIMMyABmDNI)?hjr(0nB_Jr)9<xZoSTf27s@_winRafa@fkUEjYi=C?-?nYjv=
z>)#1G_nX{T?KQFk4|>o#(e2*~BqN4%=pNP2qcW6BS)RV@+m}Q&I=P?Pd%pf%LZ}^8
zZ0rp3{dn~r5=_-NH1>piapHF<?yIOWfUh07a&2tKZf#wz?hqWA1T5d3KaA(dP9Dq%
z5EJ8y@4n&f(Q~ee@o0243u@I;+IstMP7PH*9HVbcxr3J9#F%urGiPsi<via1seB9@
zzH!~qjl~N=atPfG#Tsn9FC!c}gv(|>y}mt^QS6aL4L%_i(Gh(*IEq;CJqa}^T}={=
zCXna6cX#6^=-$TH18muzp6`wh>?k@>9A9KL#SZBw)sy`yQan1KC3LrlN~yHEGI^xl
zxtt)jW%I@QQ^(zCVYPvio>)F6VAW>HAP~8J&E}oHfApdW5{f2HI1?&p&>jCv^3Un(
zTbfau?(}4F?{tL6;)(Ucr4s=VaMLZK&x2n>&4jAwKrpRo5BMH;@@BGQx4-jv`ufr2
zFKBmqyD->o)b88b(Xk%=&LAT^@!_ozFIoQ*ooLtm`m^Y@f}*!^C&j_&1vhb?OD&>l
zIvs9INN+8=-ABS~Bf8v+?B_hT*5p|V$6;`<`o&%?<4O$JYvlZ}sT}{ib~JN-sxO>G
zrqk^!ZuIFOKH%h7`!j#XAHchN`G$0T%I&v1>*D!Ca97Yb_FWC#4|L`O7{lo<tT@>-
zv#!G_y@p8&p5`K1MZ=2$bM8jZayoyBayMeNA9J&oIFzA+Cv__(T5p_BO-du4F{ew2
zTggG`8yQJYUQ19JNk`XR=f^V{==SzvU5nOvB*rxv05re!jifsoIhbbPXaExjk6Y}=
zE$KA;SVoW*s}zT^QDZ@{ikZpMtNbWTq{{NmIDl()#c^y@n&GT&LwMPFY&4PqGwW!W
z<LJpHY_zUi#|&JX$T@e}<`FV*gTjQE=zX~zF`y`{$qQ#;=4<-XUCYIORm+o3SZ+^^
z%r^qq&q<&Rs-&@Q|58b0lBQR#6b%l-2Nf}&8~4o_%k${IUu|al?D;(OtH@mKDpEIp
z?rN0!>fNIKN^SOeWg&JWLpu4A^8C?1j-Oci15x0lX5_I=OAlX<kx^i8O7ec1&rW?Z
z?)?u>jI5pD9nE@cPv=>b;<jz{I+<7@^M+p9+bB4@{myAOP!?m|$Vu~DjcK(wb|Wy|
zy+BE!EJ|~XfU_T(u#W`)Fr~&d5s~i^V;TvDEkP?R=Q|z4MlFaG9>GSPNS9Asjv300
ztS_N5=7JfC|Iz0tG7^83d)>~4gnh}WyYfN~|CjrZ(lcQIa(<H2J{mX+3p2~VrKZQg
zXMy;a|7=$*fO|myLlE-MWGTlccrtLZ^q<l_+h^dQu>ZpF@9w~b;6b=joWNMq+^Iom
z0nNZ*ld2><5Himkchk3Z>&Zv>KahD8n&y~0<bg;Du};gz^0VGQ^=O7ETj*g;ND*B-
ztSzU}qffRaD<ZJmXb>{s#0Y<FD)#%DD}IRNR|N)>JgFfh$}I+>1K}8hY^198QShSq
z?#rgI)9@$w+A3HXqLj_qvS-TxHdF}~c?40p#R2S+bLgscYoQC!&1_H<o3-e=@(3C3
zc%I`4<ce~l`m3<IpT%VgpcwTIIz;8>;0zV*7HwrBj!Ja}+TU*Er$MP4=R3{~+Z)ee
zi`4fq2gXVQqm<MjI3wgj#HFXe0>8~)80j)cOoI(*TD!Wa)qqdwB{0AP#x+-8hG(P>
z(+UXk(u`>6s;epx^DDvhmKs9fwlN+%c6X*2Tuoe;kNegHQ)BzqJ->z78kyNfHQxT*
zX2L`2;Jn6Q*!vZA`>j<sbKg)rIvg^qz!0MXW!^PS0zB~Nj;rHJ<oRCJy1Qf1me#Cx
z`;}fCOvVK1B{2sV-ZH8iAUILV?PoGs#bvOse8u3X$cW47kB4kx;s}&R84P8@n|U3o
zkZGB)C0mG<NH4rPx)X%_6ziS%%i_#dkjd#Tgsmj=R--=2#>;OfGOh1Sdxe`J-_Fg}
zVz6(RAK19ax2U!#q`;-)z*S+$Rm`M}nL^p*Gy*L}L{O!;V!FGB0j_oWc7wo_9K^b?
z*r*R&l60I^5@Qn6<z{`47p)Z^)4RpesPkoWKkv4!P~afK+X=aZb5e2Bv8zwx;%Iu8
zFzw~w=);+rKWy;W+9$u<)*Wl{@_6{o*`=eat;3__-R$-H_tE;B3YRjlKDc*H_mAI)
z*q;g<Oo6m4XRy7!0PSj{hqDR-D^1QWJVWO1`aRnlr@v;^2{9KNA5XTOO#~Kh9~K{+
zz5T_Wga>(sL&c0C0Atl<X5pd!D@~E*AWaTO-$TzwAG6%j^@Ak|Q?r)u{*D_^W;G_Y
zo=!%M%FMY@F%BePC=}kb?tVclh8JKK?0CzSkylRM-yibM1C;l(z!E7@+xzk1V9Vij
z>#GARfk5EMz^c0doyfqW+W<4MezW@k**FaLU5L<Ss^zGZwQf@>S|`u(_zB<&dHkQP
zz%H@kn}7`C3jGsjkp=F0D=}2cwrGNRsGPl>0(UFIw&k+#0}v97QR_G?tZi)>61!DJ
z8?fe;7l1)p>ebB@^zCzj6t*<;m+k7t-|7{(IMc`1GR;w+zM#$;q0@mXO9Uri_u)L(
zFMaK!B)`E`qRh}Kx$<-CUi#p#i`gkPkzHyOm{1!yPa&E6OoH?s`_&Xaa?5+Nb~?Sj
z*q2Me2GG|gJT(twJ91u%1-Wi(2c28a^d3%YbO10{KXVKv1Qn;DQv2)8C^7vY#dn}a
zbaC7WJOY>>@u(Rbug_xIKM4)tVPDOoKGof?DfYjMzjof&FI@R1-|D@#@h-@Gr6suA
zhYsto&86XBBJHFzWv?Mel@h5HvE)MW#d{Xa)Q%cwMV5Ya^WQUF{j#53sXTXldwi7r
z@BuuWy1(CsS@E=Q)$Ho$=JZBA0UGrk4uKi!-o7Ra)#m~qCRiWSHf&IkN!dAjk?R&W
z{CyiHdWL*|NtX8^3MXcty146_s2celAa&yn%-lz^A=1`lJObIHfk#=3m3<BQvP~+N
zkrecEZ-4*#rGHu{ZG5o}$1tBY9lW5o2Ec)E;~UPruPfiDmQYBAS@fb_21fQeAD%VV
zzVa%boI5L?{_ZjCz6$91V|^S$L_>}I=C#0#K39xHi#{cL0*>XTSJ&^@phjF8W)SmT
z4CmI$fT;o(@?A^w;rg9Y!r7%rbm_(qlB|T-r=`6}Z+-FyWizA+k+_N3l7Ur1bTO_3
z(ko93V{j`^0}4zX_&#WCl(GE0UL}d7D))iZ>a|8iy4Ad<f59-zz0+<BLD0ZhSb;-@
zf6Tfb1VldMe?|>yg7l!Yt^Dv1!vEG{NI-{31ft#lIf;W10v6)m*pvzxggnT<ZlIAI
z0_ERJTi0kIfXH|tD+fj^9tVUOLK@2#I8|DiC<Fq~ll+ram9{GifeiSO%w_t00dpPJ
zR%qU}uZ0Ndm1)6H7=LY5==qOF*_xH|Zb^qb({JJkIl>5ZFEM4A@Yonu;$%ar4CHQB
z0StJ2e+*@q9+;h>=-zBKWcfg3WM*nL7`zz;sNth*3T8<arqM>Y5+)NCoLhYqW3qB0
z9Fzbeq5Q&cFeX1-xpM&Lh1NGPg}P>@zGG&fI1=D^L~wN}7bNME>39K;+$)T3$#7!B
zFQ^q#l2uu7#$8MNVr6L^5zzP9aC3PT-_>wRxXZcP1|*li`DrSO-)KN%j9{B>>+80I
zkuDFah2k8kO5C83BVhzHN>#wil81-|HmK?;ybR}0<OR8;fMf&wQiLVVQ_gE5A!#V8
z=oEV89gFY5zf&6z;iif~1}xu{1S`2^K=wz~1a6xY(*$*12j&h9Y0~$BDh*=6L8>D3
z)fmQB7*ffq(Ti%y@L;4Gd8Y{DsIU`EI+Zuz7G2<t$wY+qMNz3?aiJGqV`dYdLeL12
zI~TMJ_M-=SqaOi?mqjP!?>fZm!l=|VA(Qk{Frt?#Q##AbRt6@FV^Be*Lz0!&aHJ8e
zZu44J)oz%@HO%sOoxUeX>v}~LD+i2E45~Wk{2U}AVh#8uttoy0&-;fW7-L=Sa0u^d
znX4|+kKY+$*SoyImaDEoq+q`@hFC0HN<IuN{g0z@8x<!2MmFG?WqtRTtHU(&jMI?Q
zr(uWS=U=!H?GcfksOhzd>ASZ#)4K~b2*MeA@5Ww-4$+tVt!eIHQd9O|FM=Jtaq*-<
z>#8sp1QD^e*m~<{e*s>>%%_tz*FU=inb(I8E)Lfi{(n#1BN-JKOOvh<k`*1^LUL0&
zR*K%4^rlh)_xI-q47IB34vSHhi$GN3$(nFHnbyq?`d!Ny%tOvhJ+uM=qS!Fu*49+r
z*{$A_a%0beK1kBFrPs>pY_I<IU;cCb*%PcqujPG(4ucMl?JN@m!7{DWwI9?g)Tg@j
z!rw0%<Q=JAjT5xK@s`!_v24#a#<2!Tb!i$NEdL$>KsqeSy3I}?BP3F+zY|?~walBT
zuq5xH3q&qJdSfgc6+j4X^bNg4nY8)+?Hzj6(Onbx^kV%Ku*3M0wBHLOc*1PIqei+9
zU1ag0WoQXV^2R>SgONiu0@#Be*76Cmg^MfLfE6ZckLM%cgVUz*#oELvPcZ#yInj{H
z`U~p>K<_0<iTN8yR%^aYaD;<~P-YABNc3)qQ%pkzH=lllY?nxh7PEH8H2d3JG8t5)
zP?gn}q}ZING=#qqfq~BoS`G;hhjA`F`Wg9S`<@G20-Ak7-f%>p^;DuRlek*bLWu^q
zA6?1Bmy`=Ui<&J^iB|WB!%-w+ais`G&JgS!Ad!_Kf+O#Qh8>fhB9YWDSvmcKb*+^L
zOar{KHIBp4iRvll{hp4aNP=Krz#OmjG(nJrT>{*{ZsW8iK(t}WyQqs&7RaEmXW<+J
zEC@XCC`iL-mFGvkUeU$3<>hR$k#+>RK#myF6o{sP$8J2XMcspfpW{Z%7U(4Jgpbz`
z7*p9{-<V3QCbabk?F*@9Y)6T{r`WQF1kKPfNemZCTZ0`znJ7n)8>^POuQs%pT&4Ek
z0<wbff~HN2j&$7<AM%w@dWC=5E3$ke=pt<@t*OpQvs(1x{=N0h;w#(F!F6Uul6%2F
z=^}^p%tcRRncBZ?S2uUNHM=bii7kg45IbJL9SeQ)jmxR#+6EL&&OY=&pY!SU1drXp
z1~VnV##_3xQA&Na>|h0~mmv6&s0QjGJNX_Y*zlnaMIZ8B1Vm8k7dSo7iSS4cfT#Pa
z^nMhHhqs3=V)`u>+sVq9d4MCxA=vl&eo<n`0hhUG83*}b(n+?>TqI8a&r)wNz$ESP
z!dv5R{6peGpd;wxqavTTY_yv9!vE_=0if@D@xD2Xr03DnrMuR6y!<%q%W-*S>t9}Q
zSt;%?%UJ8*ku%GXdioLf9G<3=bsgm%^;QChbw1fF8do#>yDTksR10xXG3}#D`*H2<
z>MBa^(ahe?0M?s+&!VMP=b`iiFtFp_vAv`Gz>QdsWvV|%_)&27rMag-wm0vtum6a5
zYv8wWSsK-IdAexT`n$FUYkS?-L7=;E$hCGr-#?`dF0OpaZ0b^PzkjG2>94$D_lR;4
zN1eWj>|KoE5}%)o6)2Rhyq-1NVBuOD>gWB6DC8T*eoj<q6<lBy;XWC^_9baH5j82!
zskUe1XV#SWI0dQDS%@V6^B>JZe9$vg`|{w9zP5UsJJE!R@jH)BlC?nm2j7(+3)UdC
zdswH<ss)z$FgGCncV=DODYc2CY*q_%AzyGa%AC$=0cH^B|4sb5l7X0kO<TwTQc=yQ
zL40EW<3rIwnK}Lqwr%U`)NXR1`V01oKtJ_El1LO?_ZL_u>Mx+%HC};WMv);kiEmn)
zj;9>CtQ+(WX4#HEaW5Gq>-`obiJ%B8+~*v8mAdep*|^OntkpL#=zbwq$U!egiO9Z8
zL6e}8@uO7O$2B?SaS@oR;k3O@oXhIoITcseP@^S$MyNdA2BfC?Xio|1_4?e39&p2i
zNBJ@^gu}=LV)LLSGR5WzXHV&m!BN0CxITV7E*ofITYDi2lzo%`nA5Va74W^whWGb5
z^`w$QJ5^uW;vs%Qz9nsA%oeQqbUH3yy^A$q>_=3M8f<#@Czh}xN+H1xp+fdP3!Q<&
z^2z1&5q$2(0obLv{GR5hN|32N8Ol;?_FY@(velBFBu|2f!o7C$Gm6jk;~ymlxm)=0
z^f8M-ds>5}=l8(poR((u+O+5QdldmN&?vK<f46X{vUK8SpF0Tl<Rjm$)mZ){UQ$tC
zSaZUaU0=o6yUnyMx_DR54=vbKm4!LIO*DXt)#a&W2Wa)8{S#$PA5ud@p0|E^BJ=fK
z({<2pusXnqNW?6LzB|p+Iz;PbyMac>Q}0#i*i3`Hy7K)9!fcr)n1i=vO5=GT_V25^
zsM_~eTx0n5B5n3Orp$fY;Z*ubeHr+l0{D=B?+(9Z2t;=GMI?fUeB%|OU_^2XhDO8>
zTp)9^J^@t4=C38W_dGNOaY-0upCJ|*PT6cuq@59tt=gL|4Axgc7n6N}PQV5{ZX|H_
z()P+nM3eR>Y)V9gB}(O+Nv8ce&qTn-5{aV2h7I|puEt*Vac6AD30hWj*Qp;Bg^}gn
ztNmCh5KCHT7`%8M+RnJ^oKC5tjzbEsgf4Fpl?(8cRavXx0lgtc@Bd5v?Mt$Uf!GuY
z`M3Uv5Btxf!Dg&y(wsws<sOdv*xigNM1tB^+HFLB?c}eIhMniUkydz$VdFBvj;(NW
zt?5kjwFA6GY9i>p$kHGigC25yyOeJDSt85<a6Y|N_U2rq)t_<}-95gtms+&E1KS_i
zUOfP|Q=9Z1ceU-zS9u?Eb2LHZIL|Rsq_%<Wy5sx9)O;t|ASX)j;RwO)w&!D=*v{&P
zG|3FHvBjf{LM-ovg^2cI#{6%nMvalK<SP1u8!^PtoKsZ?2$fm*nqf-EI*Zp>?^oBZ
z{@`FHi*3Ow=wS3sQom=J=Ul*f<y6r3gwO!LE0laq+w+gL8<RJ?s6vA+^Jy4VJ@@bx
z_;#PU68FMy6j@!vk+kQiZ_ioDmXsQ?7w}2ce06RwTBE-Jq-`erNPGk|QqdOj&Bw-t
zFX4W7l+tH=q1Qn6wrXJKb3G88h}yHyHext-nTD0XE9pRXO~hi|dH=qB4ZBUQvjFfb
zBmgHr(kSllNzje=P@#c{jHcGQkO#-iCkl)%FHJ1K?(^{5>lCC0p{Go-IJ;D~z6`4`
zYV*bR6XbDp6imj)pTPXVnbews5A#Yy&87M~$#<uK^pzNpX8Xe+(RzK?|CTbk(sylH
z?#_?eZMW>MOBeG!`mso?Yn3}U=MwO;1()VpIX6_8j!*1)7Ke<^_kQD_o48)dJ>u#9
zaZ*jU%(}Q;YOy8Ro=^|f6HoiVc>e89OO53U`|9MUMg0V5z|)>7nL@&DHBU7+6?j(V
z1-;$2{fE(Brd42_qAP7(rsAqaaF7nTe_3UF4NEIrs=BKa71o)^PdBhdwNSv^^N)D4
z#cGyd<SP-D?;rSMtywWwDeSWYBI&PaRZ^?FQzrzm%!QGtL8O*iVJpPs&V-glqJ81^
zJP(NPUheJl?;2ZKvrS$iE3a~IXOh36N(exyRj?Jqc5^*tU$iT{BbT`X9EF7FqZ65w
z>dzY50o+k}P~X@Z{LMl?t#<)6v;w4A%Qg3I`nhyBF%W4mi6ZC}FE(WU!l)z%-`&-h
z@K@_t@JucB5a*{oElx;4NWM%<4iC2M<xTUX4+^OwT(eGT2vxtERcWoficp5QD&4N@
zQpl89tn9BuMlF65_rDNY`5DN?x1k3^xT}}YN!dL1-QGDRK{(=X${iU1(H?tOpJ_{t
zn7Sxn6KL8%b<|t_@-IqVeJkRd{%bRfI~M3=eM~;_c_T`lxUHkrotjar4)2dyPNIu*
z?1fdkXeTXHKJ)77m1ccQSk^VhXJDIpL!+&^`r0yK${?q6rgYwActvk=+^#BT6<|W}
z*6KC*DAuLM^R9LsyC(&ps3};eZbII=U1oi)oFEE;S3d>y(llF0?-ke4Sof!n2RROO
zG<+3F@BNDp^_?AA9KvQ3Or9uUs&7B65T(34kE_iArK%h(*7RxgeVk>xnFvv{xVqq~
ze#qrSsiKYS*20(*riO^g;n;B?DSo_GgklT-(q*aQou9E$*O&xw=<}-~Mo4Jzc~p$1
zvVsA7w!_RuS~8ZW3S){X&f`~#^<9A^xP2$eK7VB;Hb_297oJ|rYe2Tuybx>NV44NV
zXrGWC@Jltl%j5o43Ew~89YS#%NfP_jDh;(#?h|3p-JmI`tYsz3-FjAY%VWt%=RBsp
zD>);vkC{+O<9PvaSUj=Z@4zn52IsQqU4DTMt1tpPv82hr`U6!xL}K)CCX0jez@bwB
zNAgFxb;ZttDE`j@dK=tvqIR%e$abExGR#s^v=?yYZ805{nzznn>*EQGw}4wcy<W~-
z1XF+^&-bmy-*S?~2CgJfB!{^Ph^%%(9j_r5(lX*P_WhuMsbUH0C*-M;4`FY$CS=6b
zERc1+2DZ}@=VnnR1+{>%P4Rq!BmX-mpYKV<U?4GR&TXZL(sub#))K7K`564YW*r9J
z@kFPz85F+m58Jc8*QiyQKIW&5l$WIzkQiZ95rc;jZ_)M4fz*nt+-pJCn~|LZsDa1b
zY%Y7F(1Sw&MkxM7`ft>Gf`7^TUZc8}TB8u%OC!noz`WtXu_<0-`($3;c`)C?gpMf#
zR<s{zYIVYKxH77>AoY<w(04TwswkzZyr3ly8!&A}U%eOP^_Lk>?Xe}pGDr8$$smj&
zR3Bwz-6jVEfOH$EV^4uI?%td@@S_)aesm(@#XH`Bv`ASbdcGnQ8L5XcDwi}^*Y9=W
zI?L9#3Pm8@_;od0af>L(*^%(Rm-Jv#wHx+1img>RNTL(zU3qzXP1WZYU=hSNSvTQe
z5kwl<j$n2~yRqHtv^G62LIv35-m+I8FwebRPr0oSzyv!u>5B7D)Xq(eCiKPIbw`i(
z<J4S$o?7_$;B;T_r8!v)sbfsw`BNI?9lbDnM#BU)2uLQDoJBOyVVP(G9oAqVa<TXO
zRSM2ukEW8#%xk$EC(+RtHGO{|GAx~w$Y~?iRV{Z1Ct_E%)f_`!Lp%Wfh}KX#rhF|F
zgZBQApkQ9nWYz+O@Qwgg;Z)e~HI=}$`ZoX?=}z>>DCMW7(cK+19tlWdwqF0W1n4$;
zYKivWr~4!YD_!@YsW}t~0|Ko6%mn-U3aTn^rW@9=@I#o{PlO|#w~Xcn(!bG+)}a^i
zKed(Ecwvm7BXzKAa&D>PpUS=P^;)WWf;&g|_lv1+OEyn&##)0%O($eb_Sl4_nYID*
zHvzu9CTqag)8GrNBm6M1a64GUYqV0z4rksp)$z;Oy05n~m%pE1x-)(9VN2f=Teuwm
zTgte*0H{h~e<sW}4nEX8bzQn~BoItw4XNd4zQ<**-ouXO+twB~=psifQC8C;NeuR6
zQF%Dl*%;7XM-f0N4iC1bzYgnKngskI6-llKs6J{;y!388JcX>nes+pAlt*SQ4i1j=
zlO;!cvS3|Iwz?AAm`S$%NGEy}9`q=c9VO%!?D35pMUKH+Iij~)Pb=OlWb(JiI3O;%
zI?hLA{f2iDU;lJR`6CXDD_+%w<s0zh0o0SlEQQ(E0G}dr3L7Z?kvetvU;yVk${pHW
z?<@B~r?tr$&F;t3$Cv~B7yg9*%jH0o@h*!S=uVf~_(rLJTzG_OZxV3}<1T7_5_M&C
z0C`Hre;ZPJYG^$82JvR%bsxuC4^<mPscQs$=%!qtY65?q7S5^A$~i1~Xq*4)OlT}E
z@Acx!-G0FW-76FYq)TnEEJHsHZzAMXSCkfF3?Dcu%KRu3%=RFBB}GaxQfSM292Yh}
z7_a?B@P=v9jR_Tvz}wDQ`5c=%b)YkvetN7ze5Bd-UEudpS9mOVA(M3U95em{lz`yJ
zb6!DL?)#wxNLLgV-?0PU2h?_spyU6K6i6f72l8k${f7)5gzZ1H6j!)<ahq+oet?j=
zvmp4P1}VSNVT|#7k9PD`eMTL0ac3m$sFvjvv0nl!x4nPh!;<ONcifC^=fVUs3PM>2
zUvm@mZ0y=s;y4}t*kcNcMWk>^kBMH|n?dBGQRHHf-{3J{GBgToc;GQ--S;)`x_c!o
zE4MtXu@{u6WvJ_E1E%~teR^Mr-K(+ZLI?`(Nw0_e!H3W(Mo74jho1udvEy#%rVXy`
z{d<kR9c$Yfg2Z|UG}Ac<e4c3Ibon^6$Nm~xQ4mg5@6!$QA+CbE9Gn)k*Y%@cl?K&4
zn2ifd=cjb`qrEesgy%9I@w+B-GG-1|sM6M~Y)sD`uH_~?1aRu=i|iw7oRRT)37a=F
zbwQ^;87N?z{MCRxv^K{W@V1*j(6|DHq0D+j((4OrtalIi!)euw8N;%2-&PfOKj(HO
z$q~5NdH?6(x?RQBdBR^FuP`c_U%WCtOhGL7j)eyQuva-`mBpv3j>-A&H~MKe-5F`4
z`_hmc%uRXk3;@TU%LgR|j0vu;*CWVlEf)91>V9MG1U)Hp0M3?AdwEGHXmp*dT?m8%
zdI+NhE%3oMCYq;mTQO3(7)r|EY|YxGFAqenObaY2-Q5CY+R%pQi5lkir&e3LnJQuc
zvn7vAMhf_lu2-DP(GX7rEKUQz?KT)Vo2rJRp`J{307nf4Ip(CDB!ld&_tsjj8F^S&
z5{v{WDP>`#Y8pGDZph#*tXc25rBTpAj)<z&_Yx{olXm%9Iup*ccnR}Kx-n8Noyc}@
zqiR<m6$ID6-{B8HSer*l1EPmed71faex}gDMriEfXg_BLHSq-aU%%fNPUC=?StgvQ
z(XNDM08q$xJ@{rhi&mPYbX54HKWP0&ab@Ur$^jm%kl!AD?o)Vxk1YmGZyK08zH+jT
zr29R8@Pc|Bwboj?y)}Et!u9pX`ZGmxjq&KqJMmg1BzfkRgQhrtbIee0YFl;7m&($$
zf?J8FY7~J%CUE!a<R<2!ddFwHt{iYfgdq2x1<0(JZOn{g#+juLA>OxfyY+IaS?X6e
zx5?$xw9;p;G9ObpVYl^4F#qD*{s0W2O05{D00hKY9YuOu^JQ6`&t7Bk?rn76&MWAT
zatGU<jg5Q*zdD%w`5V(T?D9B9Ejp~<2hD`>uKth+HOyK)@&6L|y^|Oh+5f5%64Wrx
z2q0e6`I9_z^(xxi)!*i*C48xv(M}%rF~s+!oc5D$bRg}LmExtgY0V~szh#yx6uA$?
z<r~CUqj<%~y>zA5fMpM|zJ7_<db3T$?IX(>kHM+r^7#QDmf6PH)(6C+@|g&7T%dyz
zBLuT0{f)E^Vcx_1tGF3mijw3oysePmF@Py2=(!<_Y^ur9RFIcD1zYs`rcF^X?#K*K
z(ZidN!8evKY-w1}wPq()jWa}QZRG6!3pb9d<PI+Bt9YFrT8}8FOV=GPufe-rih00a
zFS{*ue)3)$*^x3h@f^Tkn<MCwESAfA^M&lW1LjxZ+#?Qs6kqqPlBEk^7aWPZ1sLM6
z#J7n+IcC=2C+?EA>Q&Y|ihZIGmh^A}t7|CLXlka<%b9DNaE1Ih1LHqK9<eL;RvJ>q
z$waVY+r}&lkA6e4Rc|(w_D4$9`oMTxRw-eCJCj=~(XQ_M<aAZCggP;X<aM(GM)2(w
zTnZS|8PXamlNCW)l#-}^8BO>l0?LCv;~x<;y$!;hPBno@=qt&3!lA_yyHYezD<N{~
zZ2(P0fl`|J)2^w_5Bml8<hix@Ia9N@p5n}Sg~Vy0_(yQ|4C%<=g4QV=e)=pKcrRPA
zdQiCAfw>(!=WI349)~oNYFu4!F?6f~x%<FWtJLL!`EQY!1c78Q+IpuGfZL_Y(kpP{
zTvZs*bR3u(S=<t$>Rej0N+?^;3h*CMDOE6SC~75{>$wF?X-R|RiqOywTOR!ox>M)*
zh&(U-vHT|qi2NgNN`X2=3>yok6w5H^qW0ME(=PhcHudyRE=LL&H002{dQo1vITf0k
z$h@NW)jqD`o}~w{$}8?d0A-<6OP#n<N6840`!bHV$wLM`|7%KS`D{nVS!iVXn?3iH
zY*B0kB07R`)IBaz8GI;XYfQH`@qxpmfR|2ChgnM)I5Q1hq;f~6cUI}pT>lCC$9Grx
zs8SP95k9Ok&>9O{=xp;iY`?{dD<FN~`TbT|Xf$6~=Z7a429HTSz%JR_I2uCSVgaj6
zQ+I)#Sp?suyv5y1>8u>pg6MjDjP6Ps<};CTaUeL6r8pjdEY)I8MJ@lAr@}<u7iZ=y
zfnsEIL<}d1FgpQSm~JXCm(hr>&nECt$SdcJ17Qs@PT*Uc;h)~fYTO+VrMn&~$PBg|
zOU!51wW}2bI~uAN00cI2j3v}f3{?x|5j?!3A<+VU7X~uvjW)5QO>(mYvUj@U13K0Y
z^+CEMvCNYf`cI;GI^raOITgaIxiMGn0at_|O{u{B0E>MF?^FscM$UHSu!Vl5Ku|+R
z%RXf^Us74&a@-x;WCmne5G&SALVX!>b+=O6d@)D|fp&&3K-F1#TGQ^4nSRk@xg|6?
z%+cVTDZFnfWf$1H^&S419C*~RgbX>SW~D7`?+`&X5*wVNGNA$72QEgW*93xHf(_1I
zd3We;WTY4@(m6CK|4|A>H;SUAm3Kw;;xSmqc2V+D-B7WhuPIMZqoNShmJ%OdawtJJ
zRJULDTtGuAKswobnYYYJWzpYhEh_ed8;w5RYUFsj=)zUn);c{G2OLtp9Xkir*#?&U
zhZTL}jO&9{N(Oc3<g~WS@>qe*JJ;guiF~$_g2%$zwK>7sjK4QSEy0KpwSjy^z8+(K
z%MQ}vRUsTgZivcD0SW+L)`V(16&bGSug3=kg!Nk!z(tBcc1tjhq3Cd~GnbK7gNbA#
z9&mPdh>O6H6R|ONe_4-Wqzj)tv<&(=<i*td{0;P80+(O{-8dxy8BzN4(?|&p12?R;
z1ZoXu$Pm6?(MT}MJM?QbTMUmcrbS-uu2>4SO%*e7z?n30=WOiVrLY6TS{dfmhRT81
zQz-u@;J_+bwTJnG;8Ho&>`z3{E#lf}PiAXL#`%Wbs(%Vg*xz#7cnRWebDuP>n~i{4
zmhCvf;CwSB^Zbj+m%04up792Jm@;ol_}}Msbzf_doYM`$*OVh61Re$Zm&uLE%QOap
z?~f>=x=wqj60?#<XZeYKXmJYSNMN())VW(@fQZ5#*|DJuIt{KV>`3YF9k}`2??kC5
zq&peG5JC}$Id81NpV8;SC|IwzT%jLL1ru;4lr<#I25TV1l|x9A#HRf|6Uxv;<n*wI
z6;$DCt*qS!<-H^24K?FBxUgj|!DXyxDsSrtzfbic1Uxsx-<S<5{&WJ<${dE(Hx%X$
z0h&crQ<<F`dwE0!!hPT#wvLx@kL2yr8~N1P;GoKCQ1LY%vov3P4jbJAxD?1+v_K+|
zQ<mBVbzt`q8i&$Vdx%e{Rt=GJ69&n0i%j<jmcA_wMYy>E>p2tbeTG8(vq!K45^Gru
zFHw=7T($o(7rb|^yu!YwQV)pnb6tp&f>3PINfI$%Y}q_{G!8ffwLrko^ANn(duVoc
zvSwoi*tZ2igX}7s59Cv6AN~3+4cVM7hjaeCv`gxDrmp*C^ZEVNpuhij)_-E~piDrX
z2Oy{C|6AjMi}OE}Jj1{e5C6biXKOXf86SWZej9mx$_pxf)S#*<C92zzszRKi(*-J;
z{`&Fq{9$gVl7!tc(&Ps{g##o<cfU4qaWu`|-&+Hp|LUfG<i@@;1{D`=XStz1oK3Uj
zQd3|S@F7n`;d3NnVJ;358Yf#(44048f^lF`Q()4fkt7-ehzfC#t4gpH$HV-F=O#=^
z5;8MOAU^Q?rVf%K6=E(b2W#?Ur%|~tLWOxM)VLe^A@Bb%^^VbzL<_ifY)@?4nb@`_
zwrx8d+qP{d6Wg}UiS6X(ob!Em-QQi^yH@R5y?51%N4s{oug-~j`~V0>(8IG**#m77
z@{KyQqA7=}C>Gx=g0%QX)j2s-&8UpW99jBkkLirxKY4r{7Ad7Nn*;lr@&FsZghUZM
zfIX)X8}SX`UK<Kwe(uBS`I9^!0TSdJjF=dPU2=1XP&SHS;aiS`^@pJr##Aon8I|bX
zCp0Qg77z<buq4P;G7(fKQo&~r&aAwf20KZ@5Jay069=VL!43rd&xh4Ufl0rwIKQk4
zDko@M7+12U)7-C&rxUGm&){EO6uLG8?Ev^K8WIBl30N;wn+_3AxI9HZPB9>2sIM5C
z4?IYp)f+|OF@g%)z4i_%Px%@uy#Fz#+%EzQxvt5*G(JfE*QzQNgbMWxPB|YO7PC+d
z&nS|fM;uZ49U+P1k)T-AKf)K41e!R1g(PLX7^GC?#drm6$LJq-?~`KAZuFl*_}35)
zrEF;cV|?X1jC(gWM#WI^xwOzUQ5gavV!PKd>T7!3ta!=$(aKI<=n|3y(HdA^V`XHd
z8RU-dyG0#EW-&5uaJ4uiTfmrDku^?Q=VS4$vE&$YDq<gE$eK9<qU<wJ_w<Ate(#!z
zX#ZCkwN-aY8mmqddW}F>kGe(HI&U^&;(;&VcWH^2=e7Tt+*@m*2gA+bmPst)wC)4s
z)-%%f%y4iDQ|UE<v-qcBTZa7GP=lw+Hsa^&!^PFjau&5jgu2-8BOr_<vp6@l5h6`4
zRkO|XDF|H8_Nw-ZW!5t^``InL<CD)${C_zvvF#&U&+ff=x#jr3HvI-S0`_U>HGar0
zb(PT>s7cjkLwI_;1P-Rp##~-YTbw*qDDB*d4qTJ%2Un$qBX4f!M;yAo3of5S&aRKk
z2=^FUTa{-+uilu$wQ?c%d(V+)h9B5cwl4}^BVGjCCFZ=giApWgshRlSKwUBO5~}aw
zIG9fln@}<FHiG-Cf$72|n72Q>R#|<3q_q;sVkBMpoIRzZs^P(yxfEOID#TMlzE~k$
zryHAikJhj)`5EMzbhCicm!sswk?FkSI=6*Kxi6lAYLMP91JRdf%r%+;rv~H&9T8{u
zIS)$p-&2?cCgB}N&mhoWhFsgaGP)aMH|<`0aJB8e%Uyd{M5`17_VsN(i{G4p+?a*6
z$c@;z+kuZQvH9yVuJ$4mcP6eryxDKu0<uC1k;voin)ma@vmp-edj$HAniWVdS6{ws
zjK~?aXr(%?5D8k<P-?h_7BHKm>ET}Pm8ttLSpbvvQ&{~g$EOh&C(gU3D1XWRKX;{>
zof@X4(B@%G73+R|e`w?k!;dfkG&sV&o=`6Y@RgiwyU_wKt{g;QR+r25*UWS7$IHXl
z-0jNo#F_u3JXfbChI5x6OJPcM!(`^S7_1|u0A>wO{!V^I+>Gi72c3lSr<+pj(9*rA
z-lrLKU`T6cxjdai7CR1h0mj6@2+lgWrw&rS+MSKMHF`=Ic3)J3%sc|Xba9TY4qF)e
zS{z@Iq8`uthg*95w@0hjbmQg173sy48_M?E6={XF$Gc$hI>$l~@-pBr#YRyiG__wI
zOCd~eXA|o%1;Y&eh;NL=@x+lPdSwSnvVOC0VVU?AHS$@~f+`*Ur++<izbB4uk$Rqv
z>9FjBC)}Vky(A5$4NEbA%|6JVx7iSD`qoCj@3W}M@E38-<1VJnZ9eh^BgF6`Ldj|w
zi>lsYrWh@{5==MRh4m`eUt8e!x~LL1MvM0kifksb(^lZ5ER&OG4H@>7ImF|gPqR%4
z_Q;H+uE>nTu3=S~!8BOLn$!6ZD0ob@hj;oP8%Kr33Gn%ybyg?f!zrz&VP?gvd|GXV
zeg4$dVmI>?uqn~%&)*(z3p~=V+9I~8%BbDsLb3%h-5xASg89qNp&q$vLSG_!*Dq;2
z+BGH(UUQ08*Dc4C@%V7jo!_7(9s3$XpVRgcdOVD5#T-s<NGeX%ez-Rmr%$3|^WQJp
zq?X?qSm6CBi<nb@sG}uh_5e<GifB{QyX9on3C@;Pwe{X0xS~Z&>>#*JK6^V*D_qG!
zc_^&aQxu`E{7tri`qtOYQxwA}ziO8lsI_&?=+S)HCRGx;yp_l~GvBp`zgwy<UE4NH
z)R$W}6K__9#8!q~%2nNzW}m#KqO=T<eYT=i-7KJ?%V4#7&^>Ad&&7+!<;n9TZgs->
zqYM+Yp@978>oUDT1Ul;=-2T5`y<whl4<|$u8ef1<4kI*i*1%`$&$HP=h(7;)n2Xo%
z^ONi!V}7<6jYg<BZK?xnZSqSn+6U|g6gzt=@*X%U2s6unT*M&1+5Y=#=_pIfX@d>j
zZ|9TdrH&=pj2a5)+GoQ(!Fs-FgWOgxK_-;gAlxcq_YOt$+ZPyD0o{0wEbvb@URN3+
z6fQ2V_sOmy&Z-9Is)x_x{*&b`byPOy5HNh!2KNY}0#b(@W~7-!*2d&3M~6=1Ip^c;
zg=i{<#*_zat<Hd@giS&NKsw@lrqvFkmiR(MNPAbxL03ZYFt~t;EIdv^8LDs%1V2cu
zVSZ_1qw-r9SrLZ&P!L>k=`q{c>G77umHGCvIxrqXd|EYmlY_4>tleJ%V>+}_ueR<A
zo$o?d1XoB=CJeC3&mbn$@+SfXm74C&a(aZb4|B%X>dp~7qGcQmK&<F?)M+BS(R;3w
zZN18RYqnt(Vb<9ViGxW#G@S(#8HAd_%~*i5uc2Eanp!W`9j^hBUXiRVp=#H_TO97~
zk6vyaFA!N_n1KpDfnXUJbLT>(@+-PUp`p?pn!tCh`J8X7$VHd8DIp0f>Fe=GzUQ)-
zudL|pL*+}~V&%9KAkuKqP#KiB`ux1RIB$!eO%`WwMt2JT_p&B|H&xQNv<G&Gh(b2w
z>wwK}#iJays(DmA<wf_{i$(Vd+#O!U6V|w0WeNW0exVvK!>5szrq3vg72$~rQ<NuN
z314>09yRTzEHqEQ5nQ_o@?ci2XErjSuDqxL1%w2-i0VB75L)*o=LG(&iSulHZ9pR#
zvth1Njz$Jl1{k^n7$sA!-zbOa%^$-5e6ON;N5O-Rv+dTKhys^K`Shoy$N=O$sCLwJ
zvL)E?StWy<6uw`{J;*9yDv}MlA^Y?<xq3GGyaw3Y6IG^YR9iW{#<j(Dc6GE|E-j`4
zPFN?JPqjk<eVt5Ijsg*g-B#<`B1HqINJI=_gOpJ85^Z)I92JIOsOgUHaqXL-2fDd(
zjKv3z^4m($GlGj*P!K$K@YRvi__0B*`n`k`Xh1jqx%eWNf{5taM+vHwCFk4qMVFop
zUV+cM6J=yuR&qg1ItB41p^2$C{R5+P15hWT*RAV-<X<nurp=pCQpyWum8LwGY*p6j
zF_^K$iAkSZ&DS$cNvt%~X_$tN`jXg+sP4XY6R&TBheW1raqd3IO!5L*DZp-5`}R-3
z7xbF)ucn1EHWkwESS8omu!{JG7@z}lt7r=bRRf8~{DFCj=saUj@gfCBd)oxh+r?XF
z&gEVJPPr(R*(;^)GFV|;Rl~O-QMD!y6`o<~X~g#B7&jkNL{h6*XYco`qicp8JZLk?
zcHguPA=HkHOhCQSrso*rGg)SrRK!40+x14JN2_M0fkdy`RYz{tKj^oT-VdpNKeTs4
zGBrNq)9PaL*ZHQZ1h#%>RmSWU);AoZxK(NZqB60uNGh}mYqEY9WjR^VlY2RJ^Q;b1
zQEByvO9r2YkYTwrnn$6w#L?xhM^g>Z2)eB>qIQ2YZ+*skhwOq1TJ1)#E*TyEhj#v@
z81S8g`E=*~ep00%FrDg~8tw!itK}KSHN|IHsmvjj*H~6DJs2=k!g)Jfzj}^~CAtzI
zx3LBSuHf@!Li-8n21a*m6-4yPvU@I?CV~V_8Aq3~SogOV(K2-$VkLfgLQUpr1S6Vg
zmsxmK2pX*oVnEfrT#9)U6rNlkp_qa?bQ?{gO|;Vj-7{Znu21pU?=_(iV>Lcq0=gF+
zRKuBD?|@CpBv{|{>qH<$<hQ|fok<M<tJ4*N+Dk~&!rxe&o53f4F&|LEw9)yNI|C&L
z(w?1cIEy_6Rl*d)TfMw06!ltMiO!V`qCF`~uVcK65FUBVuv6r(P-HWFY2<i{-Zr<6
z!aPzo*SOoZWnUbY&JgF4!uk7?BlZ!&KNW8>+5Hz6xhzsf^}3Oz!lOxc;c?A?1`;Gk
zDj1(GKOYL>cg6^jJWS=Q+f@WintI%aF=t_uuvT0uEfsONB%Z4<5==^qWqy3Gbmmuz
zivx#gwjXo~MxqB(N#{JRPUFK@EVblyA{vh3tEzH$ybFL+N5wfBE<4FS?1PGm`AEy~
zN8Eyn3ECWuek6~CcX97JdbtM#=p}HS=&)4Xu&uEI9Nz2ZuvJy*AtBMU8}dPxEVlC+
zUVB>-{XeIdhE3C$JXo7{%b@~i7x>^B2R=vRu7?fl8O*cCwPFu9JSw{y2D((NO%$A;
z@)%|W=Uoy~jX?R|*BjbpBI238i)&mrT08iyzRRs55*vG!3B~wewA}z)NV2afgqk$m
zAcGRdijIFtUD-vuWoE_=PxA>MN{!}{?8XXyBpY=&VUHIl2iomT(zA?gv_2pNOmgAb
zpG%nc^C1$PP|&;ZwzN<kotjy0q7O$w8k~?)H(Ai~c#NL{PyLAwZqW4|bNMU(`IH9L
z!|sO(GtAGZs6V3u0)%G7Ibi5x`Vl)Tl~k|6LiIWu6Hfb~r;SN7?&u_&R9(TsYeJ#m
z88Sq^t4L8?xR|iQLfoYhY*g_4iCmDO3nGUZd1yi~r^(3=e$EHFpt?ccNu07kJ@*3O
z?Rk^ITpJU5a^I_0Ig8n{t(5*I(Vbm>nT)shke2r)Pcj2Ix%WtKHQMT0W2M_LCh7W&
zHa`ojfaY&}{!mfNav_i)S#^>h&Y{{#;I%RdZ4@`kw~(QS>1KD+Nxrr5Pz4fRwUdX)
zquN0c_z~lPFo#E7&P0J<Sgcw*yJx0h^ntW4$AEtS2yNy+Qx6mf^*7&363BLj@AIv$
zBL|L8sT)A%{hy08gBUN~85wYGm+s5Es`mf<;wkv(J%i<a{ijxm9tPWLBCz>*E7<Ih
zVhGgEcej7@4cu$8a*^_J&JOwl@~`K_3_P}CAb6~eWl+n|tnwe!zp_wo_IApDBCFgq
z?qG80<RmjcbM_w%Zk2@oZr~;1Cl#Obiw9*OykB`2Z>$w`Mt2Q)*B}DKQ*kq!^Ee)A
z8iic=KVR849=9|Ks%y=j#4P!r_PdEF85Hc_MA9uU_eOX-aI(g8yW;@*ttE0|7)0f9
z%<f|}hp11&xn`buM<?#ZY|_l+y}Br43a8Xv%v6<(=ig0`&p3Yq(E0vypf%zX<%_ZY
z()w7mQ7ok&Af^}e{Z6%Lwc6GTtm{E8@44UI69dx`&@rp~7g0nnr)zKT{n^*IrEvG?
zvW-55GS6<eo1W_CGT-EqIu5J&u!QiQi8~8Z;ZFQ_<Fo_!kpC;tp)cfFF857w%Y`hW
zYNN%{SDhB2qSU*QepPRg$VI5Ln|#i?IW4z+a+I<?jp1t`RlWv}@L;i6F9(zV!e=5|
z?;CV@PVDx-JGlQC_8Y-}fw3^LF{Z|I15*L8HyjUI9=G)JL-|It(L~~QZAur?FI?Cp
zDW+-`_%2MD8NtVJm4f;wxUN>7adG|Fm0~(8N)fUBfgG+l*!#6E(6{$Lhbk*0A3Hd7
zifE%h%pIC_f{-KU^^r?&2=0fLOm96rTng#cd{620nmy{vn`}?(t5rk`yJ)pEw7&qJ
zkDqTk`*bKk7~oKHgM88=aHDXf(@LvI6cenU4*Y$x7<RSvzCF7)DXqJ_&~>a(7;8W9
ziP~*LP^%pV9`bo(2ea)>2B9k^{xE%QT0Wf*?>&u{P9iU8y<RJaw3ruIPHAxDBPVng
z+f#cSj9j(N`_7|tsWEZ}H<9Y19x=cYd^EELjiD#0uwDHfIBbDEAzzN?gjFN5xLfL`
z*0`6a`R~u`B%Q5{B_G|xhKB2tDfnpHhhl>MueoWsu_lQkoqzUN#8Z^DBO5T)c9$il
zO&*mH5)aE)|5oE%a^`L#PhNwwYp&15E+uix`H{rqM502&8~xjPah;c{;)MW6)vvWH
z8=kx*W62vG`+2pqFv=-7zdQ8PQ$1KhXU&+N2}VM-P8jbf^{EgyO)IT>Rm@a;%`IL3
z!nlKQEj1T_gCd50Ii?nFcI)2RTVS|pYH6ZPe-S;03N8H(3>eZ$z^_)Hx|t7M05^-q
zr|bE0&Zz<sSJ5J7ASCB$^)&|^p=pp`A%@`EDmoUd)e+C~&~(sl2?RFK{P;Cn+g~Ft
z#+a2-@PAjY3w6fBN3U!Cr9x`ep}*7mZQ1b$#M6(dkP}fml;MX~MFS}QGFMjNI$@qy
zq1}COt62YMSV%1%Q}Qibtazn&A1$i$3oqEx*`hgQpS2%00Vs+t2Xg~pn#lfF3?{0Q
zd-Ou}3RME}xmWRoN!mZczcfnpghYgb1XFkC0MNEc$+c%=utOBzC$Nq|qx>MH`o7dc
z7qO&wX;mBf!KD??4T7tQu@*fk-Law$?PrIJ94ZA*2VolaTA>WiYv;l$1c%uZa=!Y<
z*L+SSLI1UHK3z+UI{6Inshf=Rry#yxz*y|X!hB5%Pt@Y~9uI55sB^fjv6&uOU*G6d
zYqH4e0%>-E3?4R!yIbMKxL4AY=gu-XFV6I?-n^b9z3kdrJRuN*Mz;rpk_%ns`vj#n
z$h%O`gxd4NA1x)yQ%)EHM-hAr>IBUK;!&1GV~N56xGUD34N5COY{z4pseV@+JZ`&7
zrt!upZx}_QsDr$c2edeQYpwL#`Cpxt=q;H2ia6Pb!%!VEcJ$2Tvp7GdRH9&%^)~;}
zMvp_rAl>V=kSqmt;@z?n=2lHM9&MN;bSMc7IrGAoC?YoFax+Dr+fRG!-T``F?z+QI
zuJR=M@o4BqCYuOAOyJJ#z{p%zeHJFo8FI79m)E;MvIf!l8_t}c^yUd~j`zFS8+I;>
zvyrHlJk>m8lFH?SQL$@vyS3fD?4fUO8sv5X*630Gc`PXUNH&W&glfF_;wQx3Wh91Y
zGj+?&jNbH+4T3+zzksh6x<=hwRCwILPmOXM4c1EoVxDGz9qihvr6V>)zVUX7;3z7+
zwRi7i81$&2`0?9#TfJ9w9_Ta`fMp)KO+IM%H&HK@6rXNyAi;sB$xhss-}Z#F7v%-2
zCigTvDCV^ADeodeqV>fgJSSRKm+L9nYxI17V4FO{=6OnqErf2hR)snIuc|EjH#~|?
z>2v}Pi2))2*XAn846?gFXJqmk4C1NN4MB7GcP}P964g2cU$`yS(97(kJ8DCa+t_Jl
z>$m6of&91k`|U!MtZ1BgNxaw6QM)ioR2fn!i96z6n?J!YmN%Oe<DkSuFdBH20;*Do
zRdT$F^T!ihd@UXmr0Ed_?Y?2wP1j7OkZz)A_m=?R``IhAS6l0#RKe0YwR!l>v<O_m
zr-xg`%cJsCy&+q$e%vv{?_}Djx4&)TaCMYPCX#tq2ve~(z>my6;=O$`w|ZiGb<i{v
zqW%3CWGdo(2h+w;Moq9S9{#G1tIExx`wyhf$u5?RqhBeLOGPZDQ$7nEcWd(I#!Ucl
zM|&~AElP?cF-riszGKju>l?9Tp-qyF<b!b*Qj<zqPaPFqnKP9?lqpiwv+5xoSu}&0
ze^001N4~d18#_J_o`0|j#Si9V?G!2S($>uWMg0#aDubzCuuM?)`HVEuHXLfzKcM)P
z6+f0I7>Hjn5v`svIZ0%a^O?s|FMW3%AT#2CgjJ3>XVWB7ou9TbL+yPsCXwgpG3v`@
ztO5}G&%LsOtbD3~o75;PED$MRD9GfW>F~5)TLiw57u8HYUryM>5W4|l(=Km^9hT&=
zCu1sOPEX=bw?35X;F&W~7#*~pelE29Cs;xqsfD3Uvvp;wErI7rsD#pJCw1+cAM{gY
zmF>Q?{Jipp==tIYA7J3NZ*Es~UAKx46?8cDhQMs`4$|&#!&|7!FB5fwhmALIIwEuB
zDEm-H<1XOHhb2UtOmI!^>#+H0pC>QX*e#rjLC3_fnQ4e7)u+k&+X@xKNU?cmLkPJO
zW{?V7vY`yUu_<G_Nkt$^G}EPJdQJ>*Xx?E6Pi_r?8d?Ygj(*2XvmVWj?tNG(M7h%e
zRlhzdhK&9&mDZ8T(?L`RneCR8ae;75`OJu_^>oPua{Xl(0))UsD9L?F!z=Gc@zz**
zRurbp7%PthUVNF|G?m}n6-NZTD15fL9G5_9%yUX>?!qk&RTQtwML6hJ2qp`_!?jOT
zl^X+cQJ=42WsQ2d18N@0ung+dPb&J$c-qds&gy8bbJI^()*UWV*s;kWkEv3T9|ESD
zwyqInl4XvW(v{Z7#yJ-sU#nX+9~VrF3)?E+-9ZeJ@I1W4=&1=L8*xq_o=eKRFm7M6
zUqU;T#s08we|U5KS!4n~6iERftP_v})evpz>3v1AL?LiwA=tERFIzO^zEF(Ko0{Ph
zK@vW_GYs_ua`JxHepy7%?REQnRAPiP5Z$ew|H1e`=r?Q4?iSjd20pVAU=HTxUQ+<y
z|FNP4VEr8lRp>P^M6hZs3}?`(xf~qO(TQ+-L)b{e>+bTz_2qrMl=ufA@nS1w>Y&Pj
zQp<%%-JG;rp5uidy0oA?E}BO}WzpYK^Z%tsAa=H9bMA&j1wl?h$a?FphYmB-l?=BX
zksj93Z{bn_8jg}8@bzVV;sy6TdGEtkPmy(v2^H$N73=ehxV+w7h}tEfD&J2sM{$wl
z#!Tu>=1*+LR2U2X$kPG9`ehzg_ib*j&`|C`vOjlYvJ0#Q(4Vrg7@Ctu3!DJ;a&KV;
z_bua+Eq&qO6D)v%8=BvpV78QM;qM*TU3U!r{cQb)J;1M|cY@-jttUACQKqJLm+;NM
z=<=Itw%D`6Q1%8kN50<Z#f<t%+c1`9SzdkjHsAE~MT7OdU7-QMqtSS|SMGVFFdwr2
z`oI+eDAAoEdur45m;~92%~%G|bH_%+nk8;wex)~XXRcBxo9GS(46@zwjXT!x?Z)O}
zuh4%wCC-@j4G@`RF+aRM^!V-z?opW(%oJZhf7~a1dJk$EkS6i-Wik%m%%Bdh4d&Rs
z@*vB!!TRxk-Y5fbB7Y5s4h<~4ONf8P>b@L;;O0``+cEVF45zoqs(MXPUU>HSq-x9?
zZJD~Kn{KSTTCXGx$QkYvd<wy`O?0T91VRi1eGM8BU$l=VUOAOWZ^T}dzh$0lhEDvs
zTH3K_dEXD9v$hOC@W9>n4t}Mg@ac%}E&>a1u$%9vZF&W;nQP?>9vV2Ai>~<EV=u2A
zQKNj_4Wukzy7el~pc3fps1m*P`ZV;T?Y1r-leiqZ;OT2)j)JHDyTYcTcilMusarBV
zWBW6MS9)g}k&|;~8S+=$zqZ=ULf4J<03LzO4SYA6tIW};R#0Jq>*kLeUjO+`%keyD
z6{h1<G1MHOXK7Ez=z2=V-`Hv$xIphb!Zeh?&A>u}VIS+UcnarOEK1Pe_Qb?TL8EXJ
z{mtI)ICI=vx-V0aCcdcX&%`9$Ie*XR2!p;PF{4-UUkiWv;y;-gAtgr)r{ln17!7od
zIQO@RIj6+AP{S)|qPv<Y=B52QTE7A#(M+A(kYV<0j*A;8ryS4)dn(!0@5!-$BQSfI
zNBw~VMW<}ug#0y77=A8lU}Jy97Ur6|cgI{gc|_#)-S9qX%g5X=xpYM%UaTsh?{P>j
zoYlYx9qWU|o`v_SJt;aa5;v`9lGgE;zE{y}UyHux8^cT6yYqj~AngB57=tpgar}?T
zc%&hnxWNY3{jPR88_1J*bVu|re$2SUBJp?n7}40%tRyp*Mu81$!{O;%^tTUiz@4V<
z^)Svz*MkTWm;e%CJ|f#QI{ve+T#k+`y`D&TY8`1(z8mYa^Ju?_ha!j(X=ml;`>r0{
z)Ps=a75{l8v)#Y;LW`Y@kTMm`M+?qRfb-+qo#<p2=43F;6nMO`15%&qazY#~YQbtx
zk>Dt1GWkp`xgG^bQ5%J=Hjqkjmo@9_O}H0lRo4>-Y{F_sO9G8N>~s-~KYiD8V(YJ~
zn4umo9y)cDIC+BN#pQ6piFf;a&gbt8n7+?;Ncn-;nfZvYCTpt#)w5J82~74%!2LeS
z3A1!ZL5-%Nt6Y;7S9z5kwvx+li}UWWs9$syEu&M>ZP6ygZr-Usd=!`v^<|&dtB#rb
z_DLdmRd46TG?wB-!8ekX%{uT*T}r(7`}X{7N0v;f(Zhg}^KOlmY70TlwgXj8<Y<dG
z%flSEe2^)TvMyNQy~PYyOYT`o0FHu^rL&2>=P#Bl7Yi1&`W{9dX}E`mvN&|#t=+#8
zH6`^-O8J7F%(Cn7Y$-9L|CZW+gLbGF!;0%-Y&nwBe2mK!Kh<W-A56}zIrQahov8#u
zvcUv0MS&0y^sv}KDk2m;?D*}ymXtBJIb6^S;$9x&wRy~?Rne68?;r)*0<a^hqsPKm
zYQvjlR}8JtVzb#uG3SCoZ8J{5)4-(r^=9X}E*r?=-Ph-vV)au*ka8bw2+myp>QqOv
zlH0PtH(x(6@<4(Bz1ndxm+6es0Xq;;>&P_cqN5e6L1w(%*t`E#gF=mT-wjrrEDEbb
zBGijSD)Fb#K%vkz>U_PL01#+!Pj+<)VltH<7=SX<D!eJbE89F>AgY|F;knub)5ed<
z+b?5VqvIoAYo`bOF`96#Qz9P-W5H|d{9>j~Xss4lgUh#0xpZ)B9bb|A44xT?R|CaO
zmUQf%jK0iG`<s~UBXI28?~L1i&Cb)MrZU&H)0C~jd%iJM_4Rc11_%vAP|*WFiF_UX
z2q)rST7nee3DclFfE4}cXR_r-288TP`FOatdTTHYUthgjC<80ibLjmn9`Z7WW7B+u
ziPVM$X&+TG#QGd|_~1(RF~9g?-J;z3&B}IU?q7UAtUDm$?IGR5$PWd7Hz9H=hH2W<
zBK1|%^0i!;%%PY#0CrkYQ@0XCf2odyPo8%>9{XV;-C_!aGQl=s5;|<uuDC4d6wvk3
zxLPy7O0<yi&rq&ecX9gFkU1ma@(oO*lL%A+L){8Q0na7#hA3Nlc^2)xtDz^0`b%-8
zfnA_o^aQAm%Q>>l{DWymA3RO55LXUSUxh^7M4*`l0v4gf2ZYTlpZ55C9m|*Q%REMd
zx69R*)XTh&_YdfpL1@{^N0x8-E@Et2(?a@%;uK#BnrF4lGHOO$_Jf~686k2BqEigC
zT4IB;_3{~6F$FoP4(59)G$H7Ptdh-+qtB5zDI^_66xYF0QfmS<oK3h$zU*r8Ig5)e
zvZ|&qY^4{H0cR;LS5KMT@s`;3-vn?9pF<ubl7fVeGiAlA{G-+fAC@wnPEf5gwqEc`
z=JVaNo{D%dC-yKy!fr=&fBjEFP=Ow31H}zGkWZV>u!(nEF)6uNe$x|W;t<!CFA3V1
z6YZ)P*GX(a(3k!eknK2)NLDI6$d|kH?rj8YsI9wZ08|^Ws~@WyMWKbEn<BvbD{LXo
zKpol~OgGK)s9IFQ)C*9lI{Ul!S`@e`1Gnzx=jSJrSam4>xhdyCI9&3V&nJ6G{ch27
zF_A{s>=!zo3Ev){$yn^BD^g5Ofo)Zh64pc0^J-mmg$GA`!TA91ziO&FUxr={!E_fz
z;1-VM1Z0I;LlnY>(EwH&h2t~RZE{T+ipJL35&}CHY4`qp{jrOL8t$e-kKAL=Z=wya
zdtEa%$s#D|?RvV6KV?yffbK;$JBP@3G9!+d4vBoa$PI~<b9;i)MwJ>San=^@Lcm{y
zr;oVe=yTbjk7Wxtxu#s>&-s3P=X>$|IJA8*0qC9Nd@Q`zXIJx#6biyJ<A>dV#4{p~
ze3SJnIZUD=`tGg?Gj%@a^E)p2hs>p-91E9=U?<em$qS2$tovp^`VpLomn_<-C~K^p
zlx)4<T5KZ@oyMu9JsJU`{$w-~au~fTQX2?*ci%OdeK*}XwKtBW5}-+-i@trU`Q~iu
zk;=w6ne-m+r1G2&*4GLLKOtu1>XjpSivg#C@!ws~_8`AX|Dc3_^iN=p|J7vRm4e?v
zf^agoBG-b?fB|zR%%HYDHiEMPgD`Ra-}*f`5H^<o%B26lGwHc@Roq>FW_tRf`u{87
z6AhBGQN(ww57^iZyfA|P^66O<{!_}?yDmtG%xw1IVd{G2wO?#}5S97|E*z5pH^&iJ
za1BZgAw4buWt+4DmyOeuEP?1mvK)?D6_phE6^oQZfvAF(`7nEbG%#V@NTK*{5DDO<
zK<zg!R}SUn&A6W|kqmAU;RoYQBm#+szi+5agg^dAu@5*mr6?)19#t6%4(Cz0h~QDU
zj^OdUbTT<q*rA4}4X8aoV2M}KL#EImkLRn>GCew0F8Yt&P+rJCMZ<C)zeHtx=OS&7
z+4#SAc_gJkcraAD9w7N-)N-8$C%*wG{doag_{fH8)C`#TpdkZ{OJS1C7gnRBfl|q8
zaE%zJeij@>cOY2kZ3L*!60;Hzr?YMQhcC+Devo5@PQZJpB)HJTi8*{f{&Z+sq#=t=
zlHaJ3g;s4z|48iy9gdjFv^@-iypM?3lBnf_m5$0MD_AWdxE|Rj(GkG#M!^7kOp`A)
zWgS8RhYCuh{uqg#h_|WAEWgTWEV(I1CzL(nQmssh*NPS=1y+m0#Bjw5@Tp_rv;H`M
zRG30cilVFOGD~njVu3_vDeMp<g-Iw6$j(|n2lx%B^J>OG$o)|h<U%Okhfy})hG~G+
zT*LrxXAXj$hs#w%M@8j@zJmv#P}2ldps8hrD+dM`#*E&t_4QSGecpa<I)_e}@K3fU
zPQ5DR0(5A<(_LoXmX5q1hw~q{ES{yG8@#?k{tZ-lvG!n2;>=8=C=*_=^?^#zW?D`r
zMuV*8b8;|lg`fFe={=Wt8Q|+YTyNW?MD86VE_rX+sbbte8r?sf!F>bpZ4pcLhpgJg
zGUK!JY(!w}CF&*sfWRNQ2+i9F>24YQ8x$U<Z#V#<*N`QF8a-1HlhQ6z>W%43kYeH3
zhSi5GK~};JX04!|9A5JvGt$>0@@NK|xfrW@XZ9OUklvh7U%=lG4kuzX&E3;0#WU&Z
zW;c)e6ru9!s_6Z5NgD9!@!*QNT?_cvUOD7hrxv+)dA!+gvUSi!H!$0PfcHB5o8cz>
z&75FCe@zs?*?N+BJ_NZ@ThjvX<qv~^DLviEyhQ-`GRYADH_|>ysuuo9H>|9b=86tX
zhv7=ik)&$&`O|W#;izWOotD_>Hxb)-$nK7E5VRYTaA?>Ly#dUFv1NzD8foWYOq&*0
zA%?Z<<FUz{{EaUh+<L`79m|s4f~e9)u5k_EQsha8TM!cEz2U~~g-Mdj=i?UfYTqIg
zITO~MM;Kyco;|+|7)#w?4_+=T`Ob5M_q;i)Tw3)%yHf^AeOaz>lAkv|937sjzV$7^
z^G(!aiE<Q)H2@t$w`(v$&Qwk$-KtyIZ|7H~rb|om;S0RyN?s|p&WCe_X?9**Ok60X
zKAI!;K5VYh_fz|Cj!VzNbW0nhSCY?efNtN9UE9z%bXpFPAsAQ43$>KSZ$9#sk9*&a
zjkrg3ZN43wmbum~2zan_WgJYS7;Q^X*sQ^^)_|dZ2!J&R^eRzQoW6^>CoP*NE*wXa
zw5+LW-(gc*r$YT{EHr`W-5|&CXj{|86su^ql|HIy{VE=M_F<6~vaZM`|9UVbYZp9^
za~&%gT$mE36K@Aqh8mmQqUuT}az4{VNh2BiU;P5sQP4G;=qjsFrWbF;Oyq4-T3t%5
z{^8ZSUx4*q1hpu!8AYN>wIeorSGK>ZV-DJSZW(*u(f>L~a5Vx&54N**ymAWDw=z$N
zE`HAlW1oDt;0SG+IBbalT#{t`4N#~%;Az9~q%FbDrFhbXe(CFhE%>kZy-Ah9XLXXr
zMC<>swhn;nT{Pu?N<ZkvTQ&XR;dtwjWma8^mH<--uSqzCvZ6a&qhCXAX6f5Cd;!Wn
zTJHBrw-3EXTw|YxGGBc|Y3`|Awm3dcPUBoqJ~U}n-8(j*6lRaI<~SUvIOHn<RCUG=
zUz-r<+9Vc^k{Mt|C~~fu(2PbHOBjLC`WFS0UOP`ua-CV%6uL29WZO^G^q~ye$F6|<
za0@hz>(PMA*0Aok);CMm(_`AZp%ul|!GWjuGHkyr*L1~=)7t4WX#232slCkK1ziW)
zAD<i;&$|#x=BW^k(O(r56upT#A8h)=21X=l^{Eqwzq3FhTi@JL2yi}`kw2U49=^d5
zu``hV*E9Yj?D$9jwEOWlgUdjHvN5qF#{YCx2oL@=L4mORuMzNd99#<;gyqLeTl>>J
zZn+3v4fc~3yOl?6rCkGmflQ?v1V>24{qfm?u(GBq>Vi-Ky41AfHzZJh+_h=q?x*fo
zsc01<XY-=#mX-5T9g(x+q!6?L+0EJDU!T5a39~?Qj7|T9&u(A1cm5K{C;bY5Hf=H(
zW-=)>Q)E60GM)E8p;gk2-%U#amY8T7&??U(2I;z;RF?(O9bpVWN@p!11#cvpqda!z
zQk=8`ksb&Dkh@rDK!t#f6hx5rLg&hXBnp)jLXBbB(*SP-OeX~yLzki!rA_aqGoMWg
zz?@Aom%DH|#d&kx%U~y4`wek$EyPth7?b>YIHcE32KE*cW)*3Wbw<|cmF5{Hl;|&n
zO5%t%H?b!r;z%}J)>q4!*9Tgb>I(u^FNI4q6GMpse6WojiQbJus0?X=L;5|&qnHwc
z7dix$BF!Uz4JN6AKAx6CsWQ@`W@|u?AtQ)rO8tpOvgVqXp^2YN6gfnY6z!kaQr7Wu
z9Q2f6lAL87?+*%uHX02At-qB7iIn6Bm8*|<!Bw~355!n6Ng_JR$dKn`C@)L^L%+j8
z;jtG4^g={gF_iro&3h`3!KdB+lOR~^L)bCOCnY^LP>4_-KdZ{6eg}>=N902MbxN5C
zhFDOXBc$UZLyMe_9>EhfnviGB1r{hqVKv7@!kUZ~%*Z?hn@D~%0}CDgaqlh?Fps4P
zIfN|;5?S!(k%3X2AaZ{wAv_N^OzJ-r2buE^V2lE5I+O;EfS)G8OJwm6PL{%SK>b?W
z%d7B$m%9%MGU~xB<@0rA=OWr!d%*C<A6B_5L%y`Mu+{E;ZrK55^M@jg>kGtJRT*=6
zS$~1_t7(x_<m*6+lsy41_(Dl3Ha0RQyY6D)T{y*u%9h)8=JCi@byw6^F{%Od23=(Z
zFrUI$#6Ql5VZ&=TEZVV(dv;;OM0M}>NXMNYY*KhM&W#>*NR-pByX^;t1Ggpe(hOyh
zUVS9&m@yvx>h7m|Jit9hG7aEa<@%_-WUO;WHn|n<^C!U=s4Hu27492$h~@OqaGI^r
z9glBmesj<vd0eQ`z{J^Pl?$fOX>@b|%%buN@NYo*=)<n;4iPe@;HmW^fWz7jDVSol
zF*#CV+89AVm^U51Si^zCUQPA_MMq_!e-PHOrEpix`|A%B;*3|pV{|R7L8@jftQ?67
zH?eWl;-gpRAVi|qVy9U5R9MF4)Hxdwx8iHa`zb!v*piDTN(@;%X}Koh?E>Qf_L4p@
zNkBFi+lr)<P<VDViL>|lcGEM+!FFR#%<woGcP9Q(Z|rPHqc?mys4c6wX8C-2i+sD%
zci1j}C76f~*^O5^iXq>&{~bN0dRK@#f6BdYNRxBjJN1li@*ZP1#QVHxdiL{L`KolI
zw7qB}_tn#C%V}ZU=@M@C8AH$ki1X*Fya(W||NNiaAzj$l!R?*Ip6_qG)X|Fpp4+gS
zO|(-Bhv%yv<!faSE6<jM?15?8g6|~w*^2fajCyxr0?yg(->KwBXx|k8<yiBb3+NWk
z9*35xycwcKy3CR1r)C``ke#nE%aFs{PX>gmV4F!om=MdVb}uruf!RlZdC51Op}?ep
zv}AT3p3G=67XMpmFU-a$dn0{slmV=Oud|imP#gA%%$SKq2X65T;W-x*m%ep`ks;$}
zXm9WInf3w=i;LW)`<SlG)CEbUl`Yecf>O7b>-Cy8Q`y_=PU{G(jI&a%N=XG88iISv
z1UDC_5!2Tf7#xGj`T0cv0gLB!sg|?q^jYvQ^$YM`TJSJ$0#VNG60uEY^M%lPUUzqn
znu%K|4{hqIEkGwF9~ZB_)@H6Q(u0$VZJ}dCF8cgmXJ;Bar-`A{_$KuXr0iCU-SFdM
zRTeqk^3o&fgGuhwhjsLBcW_-9&iGpwIk)gvq~#s$0Q0Jzo!%56Zw00IE&@%y+;;rR
zQOiI47Ws_234g>k!<+2~ep;?0mMk0bz3QTyk6eD<YC&5_IY(3_d*AT)(057ED%kXq
zv$8|_0am4<<}K8E2uZa|4-MY%eVOMTz1#MQrE1<WTMw;@#_W>qf*Dqi#+!qQbSdcg
z;<%wqeR{h7n-QA8tlZLMq5=eT?s#g8O=wHpU1KMY<5_zL;u|0VBDVYAl?Rland!fr
zWQ5-^3^FFRX3pk>Oswo|iHahWfMhk<AFn7<*Sp$9^{tFeA{cZ4OS<tqsVvK_OyYXB
zuD8F0gpepQE&l~aPq&@me8R8b28Lyr#crRDcUNd}3seOGMQmskWWX@0*$0(m@JIR|
z%t32oR2XPsFjOhmzUzS~pP)R6B5P9Au?w&eQsjnI1yaN7<amj-FyRPLKn#*N>O>Gc
zLiwr$W%!4rl;plVDp`blf}e4jUse!lFh4S>QlFU2Bz{PdGV=*(v9d!IDG3@A{EZ5<
zQZjOR)R^>-3z9NlMob_jp<yzYvgjg`DBg)M-5R@pyfe5;`1^OXf#j3KFLl0P)T0QV
z9#qPBiZTU8WKt;qh!A1}K!jB9pNo7y6mc2oqycs21`w&LwgMQqgs_7Emoy1J;i)+w
z00b&knji!Ob8=WbFc~~1c#sf1J#Ajmq%ydE9>^HFf->zY2<VWCDzF0clL|1ValaQ3
zne;0y*cf4$ygpGd;jI}E6zX@(M)dDB5bseLl`wwAix~m-JIbsIzzq}e2QnW-tGqkJ
z<`;(yGAKxtVNG&`LWw$)61@n@ekF=~+)L>u%-C;KVaaJVc&-Okt{-s+dmWQXe)I(S
zy;d7uFYLDwtZjN4zHztZY$22o00Ik=@8_I_=%Ha@4bA+5LMeB5$e?NanDV5EK(75Y
zkYpqTQyE|2JkcBgz3GLw{pSKiMVQQ?Y@$^kSeT@I(q&3;>81K{WiN+E((P>pk%(98
zb3@#oa~YkDHC$>Zw^Uu8E_eGgM-5HM`J#3c1-#h~5)h#~FQF}(@#h^Ztvu)0M#r0n
zyHDNi&C!)DCI3!U*;N^&Sa9g^KDM!R9Dg@zuW$Bube3`hHmWTwfbDl&O{HBc)$a8z
zf!=3NJ*UjK))fpamC#B+ETv%=wy=~GtM8|n>MnrN7zogO3SY&YwhioieHhZ0eOZz^
zDy%LF%m^GODCS@WfM3>^%!>cAl67M1q%iVyXzZBZe5$*cvK}%jzxwE|w`befQ$p;p
z4^`JVDk<y$0{#KV`qp1N^UZ&DWJlC7Ckt8=I!`CRYHmb`F0c2;sp%YOyWz60kLaMm
zf=se(4t0Cwoa0XBgfhx47f(Dc_VjP56fb}~W?CG%aUAse;NwoOuOFfd3utvQEuNX0
zv{U4betP3K=$GFK_6a$##va8gm<w*Do1%Q241dA`4)NkU?YLW;cVf)>GBrO_$F^K2
zghLhU;qg0;bJlCl?rZFh$w1?vj}Kbt;aQHsq<rkKcX{{cr{l36Z^zQsTVLW20(WPd
zN}F;0e$`9+AiB9OHJKN%+@md3I!p4e#RI(}m<hFqoRVMP_c#6BL6Q#)b49Y#X>O`?
z8dXyR3?bNeV4+Vh+zcWxJiA{G)p-3J;D+RKV5_)uVidJ-!!6~};ykr{JsQ}+dq`J`
zr=rd$Do<~-1Sp254geo3E?>{3JOSE#arFFFX++luGXKar9VXT#+OgQWG<BdnpK}vu
zTXG;cif53X*=y>%ZE-~#XW@o1lHG|RvDXJ6ztc57dvY<ujFIlrEWF+t%U8%YHdiy$
zVi2d~TdX%%f3oYKc5ogB8#{Hz(Ws?qTzTPbc|6lOu6SI%k))T#vJh01reY%L`R|Dd
zTKPn(aqqz14ciMI6E2YmJw8t~EaT~tH5N4(L5<J@uMJ%8OWWPUS9|K3WDmsPp@IU^
z+4w;SHnJDI^g%}8zE%*`>e(+Lm|y2JUDb2hfo+FZqR(GFTSMBAA5Xjo^Z|Qx?&!<y
zn$161Ktlf70+?2o6>Hl9fysdA%In-m-nA5*HB6{6L{R5dB+tn$JmpVMbg7HH-wOD3
zPr7LX>O7FY`6g@aJ!bq4;P~+vJY)b3E?W0_C_o1#Hd>K#H{i#!<3u8tC&HsTP!NND
zm-QQ7kygK>?;h=2)8tO_7x0|-WVAl#FOjock?5?8{lDXur(ipgFnZ?yR<qNn4o;nU
zr#aAn+q?OqSQ<q%c5iny8{yYEtgo>26R5nE_x}?*U*DdL9-|zPZtVAhP#Itry3ec$
zQf$8eb!(sQ4m+3fT;&Tuc6%`chrhznhv#sL1Y(>MOdFxb^p}(Wf*eF7vi;wh!okj*
zI)?+r49djJ`ro%{KgkN)4GE;qcbd1BF(T%ZDc}I0dU!K<V^9+4C%HtD$T|@e@72nl
zoqux!^|XrfqSWxE6&>wfAqnNblHz2t$&>F|iEseicL6<0C;=GrK|!i;V9+D6e?Fvm
zKxO|7^QII@G63O9PB@lRB;T0k#zk=HCj5!<CpJmDf~O+*5ew#pm?b1f)VCAaW^ZR_
zb+v&cm?gF6jGOfJM=>XQ;{|#AQ1LMd^Oh3)2`5@Q6^z$XF*33udJ`H^#{1*%W7K$x
zBiIL&EQ#Y#w>-<k5<wXc(IAskI>TfC+$m~!qJ-~~okkAYFH3=lf)^{wkG&@W?-P3@
z36BOX&4LgC3JszirDv=dsZiNKsR&1?v8gp1L~Z;Hzp$y->w%-;;4n5wybMTdv5fT%
zq2sFS0*o+?^^MMM{FT+Q`hp{0^V$0?VhsKsP>s|nNRm0xF-y=n(J8lu3XJyBsQT0G
z(UFA0c|Y{AB;G`Mw8XWwg^VHd5aa-0j*tWC2<dbI!uH4$(R+!^%Y>rbCRM<tG`uIN
z`+`|iGoWR0*huDFd)xOC<^$Tcu}?5ej6pw<vD?*7Y=RbjBYGb2p9leDYh7^y7#2qq
zHc|^m6EYMCf~tRB0y(lE_0kncSSW6Z|8iqkVq6tA;$ZojI~VHEl)wiNJorB12;wYd
zu)hHyXv&-sX}wV4BXTD9><&Z6w-T`8>>*6hzLyW{p|`vwG8&#07W;5CF%<e<HDi`v
z*j++Ck=rmb>*GB#Wu~zZ>PoyA;f$8zqB6UrFdf-a^Zp!VL)i@N9PG0=1Hv0Z-K0SP
zLyhr1@R?5if)h;8+H-0EXu=E7M($3X@vi~ci8X53b>&<>&l%hBYjkvXbQEUZ;2yjD
z()7d~Cyq*zs+9n&Fx0vfq_+EDSJrBnDPfpAO6c@tg~ne@l`yZku+kAwn20XiK^a{>
zvtu)9@Zjy#>ONz*@X-n_nSEF%H9dV<nP;?LmQQRnoQ-&IpzT@J-*p|!o~JPHqbC7g
z8D}(|`K=<6v7W_BU>G*ik6-yrw71UxhKW#*qtE<v<&;VQJQ1Nkj;eR8{Bm#d;Qswr
zICJt}4S#$k+k);2UTPVXY*|FizX*kM`pNp&w(<5Z_ITWiPB_K<ne~xbrI5`0+H=l!
z5P6q@&R-P<Pm!h%T~#69r&LWUX$znL&((zi<^bWTO~sb?<WORs1u_6_15EYt93TDh
zQ>3i$G9sP*!tzWTCd~BhU+Z_G%vkLzfJ9{@LdnK&qN`k!tqTq#oxKjrbyJ-k1Wq$t
z#I>iS&ZN(%cJjlcrb#u{65F*$1Ba%-jS0%_Ym+YvI;l^;10~b@0}#g^0h|&*zG(T#
z)>_~dGifjAnvdrwm$PXRo*ha9j(9D|iDv_j{56@J(-A^@`xk{5j2YMZw(V=c*h%}^
zwv*jiDW@bN*I&IS7TkO#*&>`@vWMB1#9M8vd$DV)$m+REc9j5T@A!SzM^&5kW!S21
zhU@FR&E0n18<e&9WiO|W?yfG&LdcKaVirvkK;8IG=!ID}f3_FYN6Gp<krm1JrsunC
z*A7({8wW8b4`+V1p6(9d)1d(`-ntZWv$4yM{&`mZH!%V>=br2>TkK`-KI^?V#Rg#P
zyF2<*P5k7O#6N+n=;4k0oxrf!?{DfHGvqH&MrM}(q2O5l7rIJT-Ld=GNc+y{IoMhG
zlc7n*C;1ihF6*E9HN&RB4f%D=GG9Wahzj#3m;ye#3yTLWjI?|iy-{9$+;+BZMUo{X
zq02=q|8RceFsFR8poANcQ20Y8QwkE(Q%N%Kby1V050l9<r&{alWUyemXP3Gsk|&9|
zQ&ToyP^lD=@Bm~bE89lmS|Z@3xniX`v4-rN1MCZk#$cdLt4I3@;AEGXwQ(9aJ7%#=
zA_itTO&rFc#=!@oi?WQQWTgI@pot0VqpZ-<n)KPIH<>t!PzUM5z^)11^9>S-BthE}
znQWTrr?(-}GM_|g7|T$lWcZ6>4Vxy2WY~XTskdN_Apr!jSu*^|qR+;W{I_cYM9nVf
zP6nm>(A8ze`RX*%qDV&j3`Mm?!Pu5={H>uTDitJ%6REWH$J8O4`VH}jfu-pSgP|Nr
zQBp)*MEg|{V3QR<ViS}=V4Fw!v1q}6QqmW_%nrFkRGd~q#&rek!073>+!Aq8cie4B
z5iU?c<N%f7Nr_UKzn((G0gHK&ZP&B<QKDSMG3rhEi%g!s!+yI5fukGkQxn%oYJ*26
z<D$K3Y9^`XgOIY+a8d(BTG7wOFfZT=MnE-0y&`2ylEAKO9V?Qd5IIeyh=F-b(`HNz
zl!}}>Z_L)UQ8J<17_ILKH#&{I!*S2!CL4&?ivc<{V7B|CQ9C3tty4IE*#}ah)%#KT
zqH4pSk<^6|CZDanKR;ZBZ0iJX2wc;j$!^SO>N%T~F$8rX?GyV*6Yynq{k84);e4Kw
zr}Ke(EYQ|XVx=1&@8Olp2jsP>*OmlKp?{D$cNZ%xY}$GAGMtm~bF?#L*0`bBXxBSV
zPyvFT7!5jZMgLO5uEXth3;i9SXtnNHi5za$S-{ZQan}qojVdedHn~$lUO-Q6G2P)P
z2@f|%^iuTd`t5t1ai4DW`7w4dM_LA3PqtYAiR<Enkuk6G>*kKt`v9Z+)@2VdQt~<C
z^&fhvl%zNnVs8#DDPHhJ0mb;Nmx=e2O&LHQtw5aUJd95x0>8L(P#)Dtj44|W!3GQc
zVUBgez5<B_#sl2v?SZkdYGsWa5ygoqD__qv|N4{}-}A6|5cu=LvaZ@^3s3H+eet%E
zk(b|fa)w#CMmI;-g1h99J0QGxI!3-qLr>L#xW-%QJ!08lTkThoNnsP+m3L%j4J`mC
zx$9@tlxwu(^#a<He8LaUntKPTS4xw?oY>Vf$2-O8Slk8Du|pL}`P?#k1-Fy4*oLc~
z=;n+UqNFj(I>U$8xLf+5ifq5+TK&(~=@q&s+^@8;zUxvXRl2`kYO1y&)JDX0X<jQy
z`2?PE>(h2IBP3#UfDw7R1?_JSC%`+yl_Oy5<Nk<bt8WD?MR18uEc$vH!{oB!j=u-7
z3lz^!t@}I<T*3ptuqJ2ZWO(TELBZ86G-L?joUz_^LKerOy@XbEr1AE_r3W8E_;UH{
zWN%*ZwELK;J0i=f^^QltXxj)6TW@G|qr;J<FBP})wf9ne^VJXyRw0N(5U_rA`{E1{
z?I{>osUaSlZ%5wRh|N#|8kjlbkd7mMPylV!PTe8@d0{^eiQ-)pQE{UC<>2LT!bW+r
zK-lG~<1q4P>;EwIkI|KMUE44mTOHfZj%{~r+jctEj;)TZj&0kv)v;}Kk}v0VKjR(W
zkD7a}nsZ^)u3DNn0t_Xv6wsW#am-gkZ%0Du9Lerj_!iY1e+ddA;Y8kJ@Q3X`(h-$W
z248VGQje%%nBO|bpjhd1tfFR&Xa&8wy%{O~L}Hz=<4}9G9-W!(J9Ws{>R@oQP{ZU?
zezETk*JH<Y0nX=~&R<`#&9n_m<U@O}%4gO1x#f+&PE_s#uBZ1tdY#-1-n4pj>+iE4
zzK{)8XF~oPZZW?7BS>1I&|8{cA(imJI5__=M}Pr^h!4iW{a+5FMVJ}Nh!c$S+XDN)
zT$?47xkBn*7#LbAP6RYci%2U}ATAi^|LVbL*_ekSW(E6ppZ%XKDim}qekwc-3}Pyv
z6$-YcnG~841&r%|HKDh>vp_eYfpM|^pX|s_Xh9J$uK(3T(n1pf9i<G$_5bRb*nox*
z0^?-+Z)N=d9}9z(nd$#5sxGy495z}}zmMy8_8FcE(P_3J(Bav-%rn{6$mQlSedFzh
z=gI(W37f_5=Q9X2WsL+CPPhQ1X+nr^)vfta<||hrU`Td^oRoP1?$f9&Lbg^`vOk~g
zhmlh>hJ0GTFeN1)i{|fO_$(9j-SwD0^JZ`i6cX}H^4Xd?j9}PMpb4sQun>0yxrkMz
z|M(~(hgbmvp}3fJC<fFrcIBYhkTo=IAoXcGx>9MVM200pZ30SFulY1-fgaZWpyLWE
z+I|N)a~?J=+>KQwb^<kQ0uJ#{kSx}I(&}2MG%_3`IiaaMeFj*Q$(RL2w9+uVQtluV
zN33-i_V~cFJWNqJAhzO<AoQz?aE!&Q7-q=`GBE<G6YDIx*;BY<xLRWQSxiu6h!LC}
zO-giaNIz2+5l=8cJaa!tP+F2DQEP-00!S*826GaiFA!qCmqLtjuNrDMD*JCyXoe#z
z!eXI~49qj3MDlO{8)wLtgf<Qsn?l9R$cXr98#q$i)^jy6V7uWjY*Mx8eYU~nLCdZq
zF>$2dp?S_&h<W*_%x56W)EHzOd3h|%vEWE&qbm?l1pE*O3;p7tfhEa<I5!G-OsJO}
zbt#Gw;lFpx5XoY|AQ9T~5uuP^Oi^8E$zVmbg+&8L{ZYX9AjqL(C7HmXC~*IQx4=50
zZxM;_5Qp-C0-G;j@(82+BX>Z<ZOD5OmANrNQ_%-FAW7LJA-Z~L(MUEBYH5u|nH3R2
zdr@j95@F>`M^RmPU100(Uzqbtg1Z4T(jvLP4Te`vJL{Inru`^-zPj%x7V0g_Z5u7?
zjioaZF6irhl#|Ww&({~%V>2rOhG&1=?jo`^4o#Uufo)%;R=<z_eu^+#F_UPlA*xG6
zS@BaxcuOhRXJ#>EI0rw)SFlZBB@<v`xc~GWyI7G|HL-!V%i-8R*MS85%#TJ|PkiP3
z3Pp?i5OY>bW(D3iRSF>Dl6Ho}V@r$&n#N=|-Dld!OvmOB{N}3&;|Fv_FAQ0xux}8@
z69lr(0$tVA8x|E9Yb4Li{%MNfCGC$-FN}N6&yY7&)pw+!xF5V3(<N*`VL$InRc&~M
zrDCKPY0a&Y(hsLZ(^6j@fZ)K8V$9};GJs7o7IQF`1o>(3H%yGb(pQ{^RMDWO`-`ib
zZ+Y6?zvdBNLUvVc^#^LIMj2zRg{w+hxPeEd0P{{5QWWSiIRsFs1EUw#KRulBhQA?U
zaz7p2a&g+NW@d7U@CgJ3xkDb)bXqb%KE8t@f-+9qsUeS^tQgx1<9O=(``P@K0hf>J
zImY0uBE;YL^Xq8R)@dRT?2Ut<=4l2NV67utp9wm!(HC|~1urD^QDr%g$3im#zZhR|
z2Mk!dd%u9JO!nG%rGH0iusYnotpAy=V2JaWp59v^@)NmD!nOJz16%?xenMUl;`DyY
z%t9RL{rNQXrp+ygKZQQ3JcN7O+ifl0bLybnk7<6mX*Un6)t4LR=h`9bH2-INQrm*n
z*hB>Eo#FNvgXjG>Pdok}1*tKY**`pBlYt%shPDpWgp}Yx?>y`N`*}n%i#>2C*?Vsv
zopHQG=-U6Db%8a_U&-fW^IC!|iv4Q{3MO_NZi{ZmM$vvkcBVRDVPmm#L6cB8)p2#+
ztQ|TDT?C*(b%FpVgyjK@xfsrythq;54cmkw&uM+T&zZI_RHTl|kcT0v0}fVKU0^TW
z-EVM?w~Nr*ix*V8mtP+@@qI-#@K>%ohg`U$*DOTVC&MOdW|!Ycw)jbNdaF79+c{B}
zNON26Hsfn6)nWGTFe7eesape0%eQU!QTKRB1yfH19G!|18lkIi1Vwf$mzxwmC->@p
zRN!`lsEj2GV+oqZsyY?zrF$ojr9kPJxij)DnsQ4!JPH~!hx`eDN*F6-0@Z)Eno2)`
zMw+`$O)_RJ#lsv3T+K2eX?Jgn*oBIz>tNhSlGHBTob`vT{iawe%?KOs+<NvGZXY{I
zvqKC>Z~ZSFpAa6Pe8b9jOqep=$i7E->sjaa{XKq#E)<k|Zc-1XRx0msT0ldS@V6pI
zs`|m=RI<hsqkWD!I|F_LCjFoB?>Q)6`5TrVFP$U1`?+q__FIi91P)Z4XE4B(i|`(!
zXK#H|zt-dY(09ra0T<#w9kbKHz-O1%I9G`4r_NTr;Mg0xE}8JHf3dZC2DxGzo+P_^
z2kV0<-@*L};aSujymeMuc7Rv52)^|hc#v;+=ZeyO>ds`b*wZoLywOHIx#PqQd%c5V
zz6C$Y9BUaxHTgS*a@B=eN8;R1)>_&q9>lfSW^DPZ>pfM}d9Oa@c!F|*7FtH$y?gli
z`8F+nxE!1|QufEKZqPZ5hHa%K>J`F9LA=NY8om`0ZWNHv2K-i7cm>jB%GKcg`{5l{
zfP1lFw%Yc$(38VYS@st^{jB5q>KeEIYJTb^;2-;DnRh_X%AoG<?`u<N!sBb>uer~|
zwLZvI;G2Eo2OmjCMC6Tzxvc(O#|Oxf-&2%juU}Wp#|%;~Q5WCar5pzy{n<c0*XkDC
z{n(|D7(zfV0Qwm8j}{OGnlOy3@PGuVI>kwh08X-nB-#|`XFW!AL&@<76-hK2uihq7
z5J|4_<zKB@3T$VbP$VOmF3?aICE`_(5c7>Z5BG<=kD)`_$UjOsTd`uyabg2B`&9A%
z5?+8?kQ5I*z%ipj?j^rfT~=|>V844|hf^@41L-IaDQpVNF$oaWeS>V*Rz+458y)A~
zj991Y<|Ar?vxf2etYulwkS$Q^UsR3Q@G~S@a0o0nh(!e?@agRC<ir=o!mtRW#;xr)
zHdZrO2)(G$gyJ5e6Eg|YBrZv8mHNLmB8M+7kG4n?Y5-In3_{c^4nSBldM$d`w&hO2
zz<}_o#ZrEJEfdJXy~^L1hzOrc0}{lTu%(_|TEy?<snEA^ZCGHs9|+rm-qcx?R;B)#
z`TTzDz^Gn}5HH)->!R5TQ)}4}EM8yKTgn?RyMu`*vSxkRv+;hvG_kLfhj4?yQLX0#
zi`=n6i=PbW>)SBwFxXGOh@%6Y3D%65qObV!WM-h!Vg^Fqt}P{3*)lh?zxJN0{j70D
zm2lB6G5~yZQsYI{tSc(ZUQTf-SaiFxj9b;E#oQE)HRdI<%q&Ds+l4I8yM#K_&l~SS
zYgpoBm*i2mXxL407PGsp<eu;uEV}4Uo6~fCa`ZGq!cC0BR^2yt7X#PI3(btI?wbmy
zT+QgaXn|N5nh0*oYlu~sSZVt{LQx1%u@jwuJkOL@ZTs_#^_eI(XcrF1CPV!0k<jkO
ze1#K2U+LVr;|EAzDT6uRH)vlu<P#EK(YO=lkHnl=6|bLv=YM$#GoJFk<;0e|{2Svy
zT7W6vUTj|44H6T<8iL4TW}t(Q+hQvs<0(didjc-dbQR-#aDIsW;`swff12f2j8SDJ
ziuC~hA?<L&`Iee!sY9RKbKc20T~9edg^6h?A`!*cg4i?!ap6DG3X#S1brkBSTf$ar
z!EC)r&jDulG{0^<^H%3=1^I$36R-9luD&$2aNbDT3QkbiHzm$tRc-U-IZ-8JE%|j;
z=LwYS(OQbj)UOeY75(t?{=kdtst9e(h2!K6bi&l$OO)yP{FlnIf!A`%)M1WqaIf5G
zngtglLpa#l$9k3#V7%08+Uvb1jIil(qswX^v+py;LAYA{612+Uk)qq+V222UfjgQo
z>v{B_2#+rNw3r~%bntc*(Qs=%+24!+ppA`aI0d-tNmm%N;|Y3;c`mjo5ur}^dmMkb
zrzms-`+X=@7+hNkq51CTNo|vP0gispE@4ptZ@Nd8yd9!NqjSJW6G3aujU(o-1<IL~
zH3%f-So*<_JGa1G^tXA|*v1IVCu$A9&Qz!$RyCqG&9>KO6&osG()Vc6K2YSO-@y<t
z`xxc*#`wW--u-Cy-syh(c~dGk75zmEXREpiZYk>SLB;TFp?)rg8CNf}PNw~0gHjOv
z_bKgiuvOTGRcsO`7S(JEUh{Dc@2-|0CL^tlnU49}YRxQ7!(LS<<KR;|VU$iP&0S$n
zf&0a*%9if4uHTp38_0jfYtL9*#EWi1pO2H64Yj3~kgF6z6vE5=0@YpBIDWhDY;d~c
z)Z=ztQO?@6wOTvhbRw@dZyv@K>!tPux;K5S^WQcI9gO?`V5E__xc)y?E(;Uq|7|Xc
zH2cZ{ZHQaX8ZXfOiMBG$M%Xam4N{V!@p_}i#HlxiX~EA|!3Wo5YFbP68*0guTV?Hf
z5)$>XzU|CEAYjtqA%jul^Fzb60-;F65i~(XV%ZI&xD^Xf@{M-zMWfq-6Li99Rum&d
zCx3|SKZL6)f|7_WyVs!$SI`@prbq&Nnd|(P3(OU8i~LoU$fgX~foR$x^<w>KbY~q2
z=r%FP5vF>Hi>UdtqzTkCUxnvM*1@H}9pz@pBc+>9+DmO4%%f<;))n`DYOEOjF8zHF
zuRqw|jzl40rdPsmt+f&$1WKDj8A$0_H-@FtRT}rZ{HJnW?V{xPxYmlAmPj3tk34~~
z^n{1LM{)pCh%idv8*xGFwy>nEt{*-Iq3}FSWVrC0OM20TfPJkFQQ?W4$~qxPd6YZB
zkMdnA4*`NrB?9*_zKy!Rkz7NO@6@!qU4lA$lAa>Qm{{oBxKV5tU4chxl$yIR5xt^1
zQC`_tk1D$`E2*sWr{{URO9D19IoBmYb3)>jJh_VWlzgeaNyV8hzm7cx^iH$@T~kFG
z0+s!{$U)T%v0|2sbKY6Bb*?aOUvRrT&sbLdPv)Cti+H!YZ_<ZOTTj%RU~<mN6bvTC
znQpqM^bW=nD<1ZfG^zBA2PZed<&!v3QpBA|jD)4VouNrl^BCEb2`D2qPZ#edt!+jz
zMWf~pUvOYqcy6jnYkEkPon)4w!K3xeoG8Ei-F$YX6xENyL=pWJDJr_6yO*QPkrKhL
z<6MW`1!Td`kIVD@1^2I)!{g^(WY5n#$~j6=7@(KW+tzW9FCwsy{3F5QckyB?^n59Q
zeARYfmNatVF6zHW;O%A0mr6NT;rM1i!-E4nj5V@p#&g~(6+Ms`L$qYtQaG4!l;J}7
z3X=6+LKy?x9%|FelZ6FymFnTQYLQDC+#J|D`7?ca5tgpan@~Aa7xz@@dHhx1HUqa$
z-2-uxK`yNbN2h>;^VyR^ZJhX^0H%_{!55VpuJY+e?ZCk@5ImId;xeHEtPku{h?f7=
z9h-&k>QZ`0c}d^G`VhR#nJBPS<B9NKyT$fU2}`Wdml9}3TQHqg3B}#)Jv$pX9k}ZT
zcJE2ceajn-2)c3QdZ-Utk{`}D`4pS^E^w?5^0*N3u8LJjBw4UhR={?_Gauy)Uy$vo
zoS)r!^V_)|NRxw@j<<RXQoLu2+p(ljS<=Sw+@fIHtQ5szG}KJ9&4JXEL*V=?{4Hlo
zb_CQZdNBB5#9$lv_OBt(_v>{+V|PM~ckJ)i%cC!6z{a1Lw62fWj}lIHi&o%=&SSh?
zT%6ahn&&V^hp%<t5&?M_?@NLJ1(eU5r|ajffohadAW0!?-wR&Yw0q4rR?N~9MA!P?
z!Bo|`qQG<2GNes!8Z<*|g<e&85Jb>am<yD<;8{KjoY*q2KdTij_RnVvGUW%#yGgWn
ziXVOpUBta;B+F>Q`u34@!J7DBh%hs6(W1B$mszoMu`8Jb4Kf&vDn>Xh<*6*-Jasz&
zO#GohpiEsJ8vGq>pp#}KWVWUw>V#5=Q`#`3MBO0Xf1G|Z+Q#?tUn51Dy%CU<b@(vZ
z?|$Mv#9Vbk-NNDEMIQnlpe_j@oe+b|KYQ5+N<?ax@OqV)YEcoI_dre|93_}SSw-An
zZq12|Hb<NSk%oN(y%g*MPbltHm^3$Bk1~KG%Jbz(+5|g=M51X1B+t_AyZ&U**cCNF
zez7C^{N1Lp4EHg9<Bn@tNy<5Ib6*<E{-ORd5N<H1N0NiLT)4>lK~6-F_}4ji32W?s
zdR@&4GnLdu&<vg-4xACW)=?^Kp<KFlUu|)!Q0|n=v+%+6$z~nXPI@%ygxu2<yP$w<
zRHptip$AB48OUg&OrbK63B0n@+r$WAu&9inTR6<Tvu&m96vskNZh801IvaM8F~+Gb
zB_2n4vs!ACsc#X862j|>I!AMD>mZs({}R?tEu5=oRJ*Qao&%@L_iWXiT!3jQ`zMvO
z)9R0qMy<ZgOB8u%leUr;y<Bid!TCV6$qNOihmzKZl9PWl)1MDTGy9jk9~^yi)!Oj#
z?yGBRS(j&7o{f=Icvly+({30N9g#8}k<-<Cwi*Upy{LV#=Jgef;(gR<ul+b%bla^O
zE>{=^n{=}2sSBqUwB4&q5del7bPElq`iftVOc{NDI@I|QR;mtptF~XYvwVS<zsFe^
z_5QHdGvTeJU(B}!{;Hm>E`o67JE`jE^7>=BH1NnM=opJ-KH^<ie`YlHQAUuKeJ+NX
zqK=WJ7BW`ett!~w^QS}Nae%_?RldUg|4DZ5CwRNSI0nv+F;vlVRlp^x`IhB)LI6x2
z&BwhT*$p(V0Srl}2|Pe$t-q<ibP_~+Z6FBkDKxd!sO6<~6+jS;q$0ADUVcim$y?y~
zj`X#*G|U$5gSsj2X-Tt5N2DqnQ&Ct`!DIs%i^SxmUC4^~<f#;t_mrf4$S9nZ3$&y?
zlThjZV?q2UL|>GYopcwIG|v^wCKd6MW-cbFK2bTR$g~Vtc|FlKB`=MmfWouZxhU_p
zF7;UarX=l|;nOhN^(MQrL{-w}@`oGWk50#oH7`*)qbQgwr9Mg7Svm6Zdl^42En_BL
zQaQ@$?+KyH5-rbkTRhD5kB_aNHIEL*L3+6EpfxG+zR{nPA`TNP1rsZ4DCCuB&66pG
z120Prvh$PP4tl>QV`OwA8gE}<pGNPK4t#pA-_|KkHN~?`!NSStQ^Jk%y>aae(j?U_
z^ZzX;{uj2F3W<y3|65Kle=jlqXIdPR_P6|i17Y}jM&$)^TswuHMiEmwU!y2#9&0tK
zOOu-3wxuY}z=|@5j7Hx1m*X^7?x$wYL1v$}PFa!NhI$^mjw0v}9Yd=>8wHrA^C6C>
zTThaVfAZ<`6r1<~A*(JP=-ca=4BEeqcp8(d)(Djk*X6=%LHucymM}J&`yhd}8NpDH
z<QtrMLJ}J*MZF%T3lgCH`9Ih&3~PN$#~M}z8ZX9_MPuq*JHXW%oAWD%i-ena0VK0t
zE|5h{M(+N_0k-c#Uk^yQ0}1%1w61h9?Y`Dv2!?cBaurR<!zjx#YcJ{X)n0wlhIG_0
zn7WM(tD$x&O5fTmmn9doHF%%{WJgLl9WB?eN2E3Dg^C?Hizb3y?6x7THf>~lmGx=U
zde{1x{t(M-sH<J(@T~k(XtTm0Z{T6Ukjv%;(xvIOt-Ix(Z#>QUk^ENuio9F3TbNtD
zOoOksZ0gkAg8WlV71HHF>A;f}6?7hr4V46VhbS+1MohRR6}0w>7%!0f?T^j+*e#dA
zoIFzfx+X7oYhabj_Jhw~mm+4u<B9*VmgVR7ee57g?cKsKMTwggc%?KiRS*k<Ou|a6
z6oI8ESh&lA%c7LHn4)pf*q18V2B@{zUg!^{sbRyb2+&tLyViWQNbEuSXK?VGcwARa
zOzTNZ_0^U7!}^-Q^CfJU5TZxt#QuzwD)j6TzJ|b2_3qeoKiXmFpa6D2sGG8N3--E{
z=OpVnk(C=uWj1>7+tbIh1Cig?-DTViPw-ohwx9R=O;FWt+vnrL$_&uY8|nR?$UyMx
zeel!ib>jG|`_yf<<?G?_{I8qd^OhjcOMm?SZlvc^sqPxMzA+NV?412uO-uOz$NFdS
zh?(N-SG@{06<nMt5prF!h&$Y6yH|>$uU+?>M&!(y!L5Ax%FHf*y)DfhLX!lh{vpF2
z`pM7y5%a~O9mhZqG8o|-@_{3W^N1bQ6FSK4ZH%;<nXqO}vf=x5oSFNwU7t4+mbOuT
z@tpi4(?&Dk)d~8Jn2|!th;rW#5oZ<Om_XEuzbaWv*SGQ|iTGMcV;TA8rn-mnu>fl-
zIPdz#!c2S;la6Y?L8q*(?4@g(>9c2#k|kt`<x$gbz|}iv`!G?forwON3(a~~eBM9$
z8h^>88#)@^_=mJU2(KI8uF}pqCm(;v1gOz$<uASin+&7AF_tC*V=HsUtZ#iBUpKE~
z0ZDj}ku>y163_^-czrMC+7{ulM7ErPKd5x~f{{v^_24;T17-R%{}j%}82Wte+<h$I
zvmq)#xQ8?c7js*#BeJ37rzi5|Tm8uRSfpahA`1$Fn$AmaW26C<fF+kUjk*jzs)CU%
zHNR>AHkSMdiWr6Xyr~8sLF+ZMT-&qky&Hl=s-e}27o~UQu3EZP9f=V+C}Z#}k1biZ
zhagj+!s)&z-*6-4!cYepqm&P@Unc|&G!?KIes5g9oZlSf&^6_Y_=mtQGX^(BBQ{@a
z7r<tG?OJO@eyO(pOIs(3(c+^$L1cp0niQ5DnBHvXfLCKK9GoTcGbX47%}NH+1<tXc
zmQ!(9d6(da5qFs}tr#okuXP1)C@$}O_y+i7%>q>h@s)q&W}yk0id!M$zWIknT#0mR
z2i^1OYf9q`FYPOb_}Td5ZQ5hiPZ-wMuRL1E))XD<qI3f)2d>4e?r?vxEIJpac{l-U
zK*ZzGG-)jX->k7@TW15fj-B~~NY=Ilxhr830o9ZojjZG33(p3_hfXRS9y+?UaY6_Q
z^x&dAZ)a0FZxmZ$M=P@-Ev+$i4tQgq>W9N$L)<!J(@(_MM65Cvbkl3nZq1(aDeCH3
z$rzoXq1+;g-Q%4s+xb!kW(O#1!ioIXK)S{4=%PR97S0rzn?WLRQ>8M(&~hAY(0wpd
zQlUs0|JOF_F8N7i<$o<kvv#{Q?`2itXVC+~rn!~JV%d%r$uQ&fQ<(Zkdt3b^xXx+U
z+6hS|{FaNjsOZ+lD23&xjZRI6xV6UQQ%cy=a2PCRwKS%e*=ZbI>g!#A^%q$H3##vm
zlK`xy7K+?>i$R8Y!Kr@9*#?JI`tXrreHauMy3`g}UMToVC@Fyl5bqH?)x`CxLM4v=
zl%M2J<5nXDdxy_DZf?n1_QhP?=(I(neO=uQ3jU_Y`sv9303&m4ibrk<7u(~TSV#_O
zD~DEYNEGeOW?6));WWT+D^bmw9%yFn6Kc^F6HD!BChl<<2Xs=i#=>ZPGu0YMi9*}#
zUB@KE?jO-fa|!jk)Oa61nM62KW)Y#c{L%W#m{Q=7s&eManTv8Xaeq@p`h`1}UTL1~
zQ>x~9q$EHRSaof|{Ji0zha^yF)q^LM=sRoxA)t`t4CIGnFpvYD<Oz5Fh@Ra+#dVoA
z?83DDfvYR>{WZlnK#;Mu{`WO$_k6P(DcGij7wn~Db6hF2AhIpYT4}gHae2|E1FKEH
zlNmedj+ibKMEG_-tW1?QE;A7qvdA^Kk&JCG>}SchpQ|UgEzrIA>z<m`D?P+Y^|Ug`
z6Vn6EPqj&Kn+qMH|A<(qr2eM?{oeX>Cf1=*qA)YDa{hmlH9N;QzU?>AJFtq+&f%UT
z;qN=$KPO-Rjy+yj04CSwlfHjJ%L(Dtgpm<-Y{JW)W*Okv>h0XYoO(Qot+9T{*ODlG
zz>^5cLXu`)ZK-%&5^r-D{-1_JaKZ~nkE%cPHK+6*x&z0!j!!%u0Xko6Z5>8n))rTU
zro3I&^WQ$vrd!Opstt&sUqFCjHN>6{r~+XLUeAyE`4`h2*!Uy_rsAxDlG-1`!7<9c
zVq8Wyu#R15fBVo-N>xKlh@*s<F%p#5cN5nn!9hIgl^DL2G2h3QN+n##qj(fMQXpk{
zYyuH6DeEA}pc%M9Ng-g_bYAm#f5?r}Vw?<rc+}(30q#)jO=9wxdw_M@^PRO$BKd@d
z5*B-jtF6R*Hy|CJWr~<(z2@?JiQ6xE@i}an#O%@(my{>r@RUu1qHl5_EHCIBB$|yV
z-|p}LrvedCI=cY)7gg0|Vy8U1@>2Lxx?o~aYDfQBC{J4WIC)~Nc$sjab=rqyVpm}}
z681G|@Rq(#+}1H-HlX7|FJg3{C2ngU;Gmefd3NCjW>d9P5g&20ah949hEz!0G(RA-
zIpYM3^OAo$L<sd~JQq|ejv3t!ls2r%*cx#U)3%{1_Ktalf4h;Rmbf}w?-VXeI;j0J
zT@u3ntQtAaV5TGLK63cL9}*H~Qvw8VPWVk-Vwu2^5G*GKN8mlrG^G8u^kP34=QW~p
zP%B!#^XL><OP-{@CMhX)Jvl@VOf2Bk@KQ}JB*g{$FkuskSd%XHNF+;xm`Ok+Pb0u3
zNR3(?9r}|>ypg9isoy#YVVTY&UeiM}L3tKJ_qo>k!5#Rv;12v(V*<41s6~Y=49V?z
z-xoBYg}HsL0lKbay{Ccf39a}H4hjhZt^F>4sLjm?esNP-8fpE7S;r9`<-v~}Q(V-A
zV*O2maQAs$*YUudJ9kZVJ~jiis`2kagI8xUQQNXO^sTlRb|bQf=%PcBMTd~-Ge>vn
z10OqBQhg^kp4V4s)PPr~HK8!C)J?0eXH}=PNX{}a2dZspatj(ka@$&4vN9*;c5tl`
zJ3md!bG>t09J5TD7Z;{GyV=6<W-G<hp_fNQLGK<xG>DrI_y(%W!q%g%+x}jAC6z%(
z73Q$FYd)%^Rm3)}jV+3&r_kBb7?({=$PBq9Hik3d)f;r4UNg0sZUs9g=j}L>Z9a--
z5VJt#0Lq52FR*jMOC)N3sP?d@PJR8`Wfc7P{C%8qYyf<Db=W|>C<^X;9WYoQxN`8_
zdem9{vp?G-*klK^e?RiB3$Y%Yk)VhTeJx$LkJgX2KERN>caMK~al1IKmo@+LWq1TW
zOyQ01CiFVxfjNn@S>d9xk>8U@iP91&vlZTx0Odr@8BF&0rfEmbVYZIY=@Hv}M(1Y5
zpcO<(h~RVp;&L41N{_u0=FR)$`W#w6x^y{cn(Nl5Ldg*i>!rRCHEdC*3Vo81ad1&9
zT}HjL)KQQxO)FrfBt+XxC|0GU6TOw7aL2nO{nQeFM^fJUi7)T7>GMFQBxoL)lT#p-
z0d)<FEUB?Ht#HT5lyGpzT@_P8+30d`_mPS*27iSUQR>brdl@TWe9Of3>m4!|(`6(j
z7UXdxU`^YNXm#46f1$-Gy(r-SoO5ty2CE7ae#-^E+=k_TBQLTT^{%fVUpD;})Qu|{
zL1KY2CmDeY@79~tm*koBu-(qQH~A$1#Lt}gtP)t6nZhglORwIiw)gMF<09^|P2f^t
z<o<Ex!)75nbAj;A`Byi{PW@1^Rn~`6F7nj=rx&PktzVN2O5V-u#_c}@g}C>U{h9}l
zOC8i-U#dh3E7fiBCgS~`60fm6{drZP$(=w;0iC?~H4(!Z4%Xp}P=xHFWI{s^;NKp$
z_v52Y7guC2g1`QQAs!jzD9S>1@kZ~B*Bwx7Ez?Ji2en^^UVNQbj7}4CMx#9MqFeke
z?_qCX4}Z@G=p0wQX*NH>D6a!<t-hXk1Ox~agb3SH<7W*LaFjtVk?CPwP6e&1U7`%z
zN;VLHR;i-zPkwKMIDcb5Cb}W<fY*$dO}uQxhoJqW+LEzw&Bp_$k$r(z7-t;+Tzn`)
z9J^VJz*+-U{R1iOglA({n=KrPCJ9xj<gYsR2bv^2-#CyF%KpV1Kr3>w^JD*hGV7=v
zO>N9jGPYe{XOB?6em|NI`o)OIaG2?==iP?Vuuns~+H!e%qf9iT`7@fM1E~M@boru_
zHQ(9QvzWSXW*`W<v7z8%=(6$o9ek3wRM-+V-?LDclbk~n<`K5YIwvQ#7JK^Rl(k%H
z`Kwdt3j0IwAussR(bvzs5r@pKzE^10D}!PdCq6=eYC??>J~nX85BZ}==7=rFALA(F
z!+XUKpNQlxpm(J1yr#A@6bKm(S{4Mb^z^kAczQ9&Q4V(FtdJERwunE1$X~k5t?Bi`
zL*ApTC4tP0M;$eJzx1&_mvAXlWoA`~e&)r<Qq<3=dTk1Y1nn~bikJ@oa#;wEK9Ssm
znVp~i^2jdNHcqCc=B!^;UD0ffJc@GPMHq7wwLP~Bb`DnNHXnYV0S^>Jii_liVN9k$
zb{JQ%yB`lR*n$kObV+O3wzo;1n^&M=PO!ou48vp$*?eVPN&rO2nTxe8va&oH-O=4_
zo2*Bn2Jas~3W0<P*xH~#_s0Ogh4qd$ut;|9$hBwY*M5!w1|nySK>15>Pn76pAfMY*
zzC(usTx8=ESkE&Sa6H)Xu(e45DFWTiB)`on@y65g%^^+9zP^olsk`wn%VST|7Tuv|
zOKBi54%XvN=A3YjvGu2-kE6nZFuH6#1<HLH7<jA#0b9h@qrVK;J{;JwBcDJsG|bn)
zBmEVXvg$4p)FKV`dFm-c%=$)MztIhn!=uf>PAl)cFirdrP@F>C^XydH{c<<?_jtPa
z-v{=A4^bcNW591vuxWis?BS}2KB;^Arlt7nzw0CCG`K%27<UY4PCJXG!Sz_m=#?*b
zw=_zX2KBcy2YztO8MzL1p;@IZ2G+4<Tr~=It{g|C{^Q5<d1AaYeRE9Wbv@HS{G=c>
zaJF3GTilw@2X1fFvrJx{Rq)>TEGfv2s<srlT|iF^#G;iud5m)G+#6YdT5F8*YMKcb
zf4kQiHa8l_qD;sZqfm9<Vw+7}b?S8w2ebY|jM}T_&WgRpIx9=)uCZ9{c^;WK<U!w*
zs%f<$Y4Q4+9kU%M-X4srlCY-5q;U#%nL;CnJ2_>N02ZSKFz!6YvvipFim)+D;4PCa
zA~IeU<+gB)+YE10{PKx8o9~sWY{NGBoe9!FZSI1hKl%gq>~?^xDN^d|ejx;x5m$CM
zZUm^>Jmi~JP7ZJx5o1+#B1j+-Z3$*i{NXgo;<J+U#q&{Qv{6D;Iu~{Zz7fIPLfK(f
z6s33?4|JurX+PQz&n9hbdVIw>+qJM=$(p8`s}B{^Fj39A?FB8s|BOg3Y_{fTn`u!c
zQF9*gUg=!XyWk;xmRTSm`_aS&qD}1<);mu-7I8n_jqN9p-Grf(8V2Tpleupi5zlj7
z=)o7BhXfJxtM4YHES`;L@SnlWH2uFLia-=fNTAV5Rz}8~v8Bc&7YsRJO_;~>K-Qa(
z0?v$QO7^6nby1D8&KvlC<!j23@eDV6N_B!j>iN6(Mu0HV)@@fwB3w2m_u`4-85rG;
z&%dgG!G&&Pc0mUF@|v(sF4bKy#%qV!Rmw-vUu=Uv;F!GNEs_y`yjQ&N9ldH<?%?P(
z*#g@&Y;V2>Jgwd+mNNe|ETRM(A~3Od*)oJ_vAy)B+qTKNC{A{gJi*mR6Nc$gWmE*Q
zqwBOBT$~>+ui$k7mb*(|f@kM_>WaJArDy-{_8vU+#^^a@Ww-JP3PjKBj9sV>r_&5S
zSl%q3i0V1@HU9n+8>Y^=c;!{>A1J#OumfD3G)lmZLpjnpO>NloK&=%CkcxF)EAbmj
z`C_Ulny58S&(JBa(-hs<+4dR~0GnLu{tfy5R0r9fn&aGuV(ftn^xNidbbW5cLq#)7
zVhXV6$YzO!ywpFNfUkla82GCX+YT5?8Fy@jCtJL}E}7Yi*WK$8RXu5JRc3F)!vo%L
zeQ%0LT`q>v2K3Ym14r}O=qnb67u>1i+-XWKh%W>(7;^BXGW#>wwqj%q!=P5p&N2@{
zC6(6Ljo}-VI(n^8<{wXY6~VDILr=l5VS0i@zQo*Dy*NTSS5ME3u?s!@I8>FmnO7>l
zgYta8KYcf!>?b&6odJly0&b*PUx7~egB?TG0%#6cDpcG^+Hk2MH|hAVoAtf1896vk
zJzJ%!^RYpovT08hY~jT@r~aG+Uh+S#i<%V0ownRqTBsTH&CgZYV}szJj}xr$v(iy(
z8k;iGQ5mC}oEL<B{tBlIiqq7mi(3gpur?I*+5O^yxR{b9X9~-n0!v*@=Ky;A!DY<j
zB6;M<9UEQ6*LOF8r!cdoIT4DJ<E7MNQz$WoUoQN$_&sU5@e{o(5TkqpQd&l#V+?>|
zETN3uh{DFQ#~K0ze{*DZsR9DrYKI7ri7gho2pDgz<-;4P%obv|?D>v_uB-*fHf#pd
zG+9m*W#RHMOIO|5S`J#G%7ObET&Gti0-WjWnQg7>ofZ4IL%f&+1<~lggGz=s>b6Wx
z6tH?;>)seR;Iy_K{;Kd6sT^YbVCZ=2d~dyAnAIV${H36y)?T$Xw~JO+ZXU1VEot$=
zk%Y)v+P_2p;4n?p5!e35rY~T_krONe)*Z>HQ#)D)x5dh5Ro`J<&>y%Ytf9LpI?BJ)
zb8%y78fNzuTg~n60+~?lRPTB0_6$Ox@th8wTZwsjAoqm2F0y5$-<bpXqZez=l{_eO
z6lAyQ51|DQ-H?3-<l`iIj#2<+NB;cj8(~m5`WU5;_bUV`zZYOg(RVFI<8z-feP#$e
zDNN<p1PqhiZ`f;UuT<dbyz$BcEb1C@mt0x8SJ-~OVga|`e4$W-6%zZ%EAGN+>@7}Y
z$@zdi!oE#dNP%?CJzq=7n|jI->8Ld0{E6ysmb-qihIFkl?IKm-XS)ugfc@l*v}g-X
z7fNVd>O)@cG%y9M(tX*oBq+D7!+W1Rl`!!xb#%MH_Sx|2(?}qln<V(Hv^iFdY4NZe
zjtvh5rz~xBC{C?(+@omcS|8RStebU?FodKVJ%N44>xumxQoMHX3qQRF3%uy;1XPEx
z<fw_|VIv<^t&29t(a~+w=os6X1WZP_uGhsaac{oMr=P{?VS@{O5;z42{Tc}%0M0)a
zDH*F{R~a1YR~hix7OuOFazTI{TDi=O9Nq;3^byq(g!<%->qcl()RfwAUM6EAdS-Mg
zZ(9wkWcEELc~5I0GuI?~+W&+!8S@tZ1V*!03@xrk>PYDMLtfSLXT=4-FLWRGW(VB2
zTY|<~cdy=jQ4@pE99DG#B=!1y8R{ZRqu3hiL-n$h7ZT7@&rSkCB!Itt@H9b&=_0$z
zgZgo18Vmi8{Av`c>bzC5uG)s3)`416S=Un;jjj-T(<enKiKUc_OsXoR!$RiHHbz0T
zKHT$mO<BzRuhDaB=yov%k4$}R<RZmF_mLpF?=%^5H-wrh9QvN*ut|)y+GVZTZ;hpt
z+wej3RiMs#t<28|Dq@PEn<5(}Hm$sv>K!{TaXo-R-f`h^yv9<o`>L5$%-s3Ke#k3W
zdFeQ9MD?j;p4b}7B4%Dno{^m0P!Zc>NYc;iVHpk0fQO7umk`Z7&LcCL=u<V%Q}{@$
zH`6@Y-T4*pWNo!f87nXTBJMY@!Mm%62b%C>IpE&uACwuL!G&Xz?{Kc{l17IfvIW{{
z7$F1=r5|q@PietTM=_W51hnY3yD+22q}Q;Twc>di?w-$Kk^VMq8>~^>l{JUNCzsm#
ze~4j6ZO~^Wexft6cQp-F;2{tg-9+(eg0*9~f;WT@yx}69kfGtv;QE@vXG+09nBJv~
zxB}68R_Y+BecK1@wjhdXJSz1UJi7g$H@#^m;Erdhgzd{3&|zF%$ZFse-<~9r@*Z&F
zX@wAdzXn#xMVQO1d=<`>ypUe2*V!acgHXN26%G7{krBi}tzpXH6=fL5lk!aM-5neV
zi;m-0mMG(xHxz>lMxx{S7S$o>ceI69CV`Ma+EPS}=(6T>o5O2rO&=-Z`f3~BGK_Vc
z5N2R%WQ+3}iq#<Eaaz;V5RVY_yHJ6l>`j-IZL*{8OT*kAP{i~qHsYnk)M$}V`6tX1
zs>VOcPjcMakfoy(<z^NA3)-sM@D9FTwAY+<xZ<7cGi4_K9eM(lXb{HEa+5Pyp#P4U
z76li~b~<y!4`L5j^({J~f+YA#@5nxgFw@k02=!YJjPBqaOc0L7Nrq_R0OFxQ@<0T5
zFcrj1L*X{+Q`E~Gw?-`zqlr5<m^%QBtz9}R62z`6#jk#U;?Cwpz8Zgt(`T=K;bn^L
z$iUSj?cz9bl=eXGLt&Km{(E8<V2DLi@3Py=JvKZFE^FF5+_?3`P8CgfH;gT|G3Nw<
zD#<8WI2QX(8=noct#P&?tTFg;u%6PaJx(VEWSy&P!XxBUm3;j-KHM2OUf60K&p@@j
ztwy$y23525bft&l7=2JnG4Wgfo$MTz&x5h|8UDHOg<Q4;8Z1X~EV2>+n5u_D2lw_Z
zRY07w&QJ?yoP7z#Nc&>^&(avK-?lHy22#k`!|GZqe&o9F!S~|<Fe29J{kDq`Kf;<x
z<X^k}BpVa-{Zs}5$-6gcwBkkL&4qD=pHp^-&ru!3g#p#z`*09i5Ov+X^*oZ>0779t
z;fqt+f&N-d%;e-}H8!C61aWm~ct~R@{y7cc&uvXc9n+f)dInbN=cmZ>OjeBpvK;h=
zx(}or0CeeDm8jCvGK|MOaG1s;Qz$s!+8tpga@%0EVj8~~22(Sw*d{451SimmCz3kq
zNctvyP-gJmI`V}wmp$iLCR%PMz!XyFR){5tzEsq0^c&4Xhy@s|=AInm%vx%5mM|Hb
znl8rCIZ9r)OF<dXpvM$8_t$A`{R00da5iL%)B=_9$I4=%N*;jbfQbi!Mb~fw+fr+v
zKR~I_V+tI00gGwuY`fa>tOftbSM3nRsyh$)b;_GiGWI?Ia+p_cqCfo4J~yi9@pU<F
zh`w=kne-ixzCI9+&7h76j*Y{29GgbJo+%Q22C}(8(kWScZowAkyZ7bTmY!RDpr|HF
zDAK5k_d@OAn4!?~{EfAI@zwbu9Tk<v$_d&EQna6P04lzT4D@o3ki8+E8ssvS+p~C%
zWD_HDnZp&fCLO3>a!T!THDD8|SM%aS{U?-qj=L2m*g#qa+)0rA3lr$o42i82;m#U!
zpVPUzOdp@yZ`v7kwWz!J9#DK_)Tq1qF@ii1Lcedp!kYHX{usm&YKGrb2Z#<-;l=#f
zH@4&t@@Ho;AVkTrZsmYAA~oE`TG_VVH6X5TY#EY-Cx$+te}_%uR;b?vQntQ5kuHOQ
zW1+TNAw85tf@kO#We@ih_?VOJDM~2%$W<}P&)<h~l6#elfdOlB1JBlK8uP<<>+vip
z8lf(Aoebz9%ij-;>|9IJM~k}hq^t#jwCoi~RCkU1pLQ56RZa<p>pQffF#UI+sSw?c
zYWfbR$r%mV6AVe*Z;w);SuAX%Bse%zp#TsA=#+n7loeFBIohVqOwY^q2}?r~4c^P8
z#k$W$8Ez40UN;j3HDRsB2VN&D@pXiE*7P?k`_?=@0x|E_By~CKOY^CR@iJHVJx7Vt
z>SkKeYuz1HR6T`Mwk2!ycKmXzKqoDQ1__yeTNm{c_z7DL0YB{cn<mz6tp&!+C_ilk
zPVs9Q8#WjwmXfyoJXH)7oZ8$pA13~cd5upj81u)_UFp)dyu(4RuVdI(B){g)HB1R)
z=zsi|R=_g&W9{dPR~u8|9w6TH)~l(lzgC=iw9q=Ag1jt<GXc#ZWf2QpiX3Ins1~4H
z$|nF?tb}{V=>NklvngB{y6grY_7#Bh7*{=bdJCc%+j_TFDWN=%TiHi1im2{UOOIQ=
zURy$MZ<4b7FvyG(#kxJMp`@SfzmP+Z&1secyKs4;g!O8t>_znB@K(`N>9u_-j>Y^Y
zzN;5g<_;<~LnG!6i9o_ha|iRb7kQea-gVsR2k!=>3X{w(PZ>52@B2eG_S`N{?l}vG
z97`klY|I6khL*Ca1H+e%H60IwuGb6tV&ZeBr)7r`qRH*{15!b)CV}HgudJ@eSmw#G
z?YEP2WMjE&jvFrT%!IQGJ7+tb=2kg7?IUf%Up)GDn`y4h-oVTXi$@L(H9RCO<0lSl
z=aCCL1ihfFy$Sxcsu2z%4C|++44;DwyU%A`&H7;`yi_-njHkA|jE5!hxK~ST)9d>>
zlb_F7ao~xDJfel|X|ajitjk1`7{q&uzj#E+uU{TV1V7&ffd4LAdcN-8CVD<r1iv2t
ze!Xu1KR<weU%-xKzrO++lV*+v!0t~$XU5X1Cb>HAfc+>EzzCKMC^o*Tzi$BW<1q~Q
zHRAB~f<?f}{O`O*@Z*$s?v*OEInn(B1R9cg?|^LBzd;3ofbtsU<8T$Vin)hgK^9!s
ze%%3jnL4F6*cdzw6~SwA=>Q$g&}j#U$hfs+ZRgE48|Y@!n_!G&t7zNC5Yi?eSxh}7
zq+%<BM&^fiWhFg_Ua}Qf4Do%7XDHHKxf0yuYR)-eJf*nPieZ3Xu8M%7>eg?r4i<XX
zM+FW{CAP1@8a>EjsYTXi)?orojrx!9dkD)q4U`!hO-gU8HTb7d;<~g_D!9TI%6D;K
zhB+E=MFtZ&QW*0ZJqVD49;D-|h+rS%Ewk_!dV*zhA-Vv^Hgt%!tV0n+0Ok+24~jhV
z3vr<Fjqt_HjK_WSei>>Ue4<-aI!=&rTKY#Zwz;{5O?RrndmgrK>T|%+x$5c2WpnCr
zA|j2ABsUjSnU%-ynNRj^O$LtrZW@?klbJ?fkNYMc%akz>m&znFE}ZGqe?$%y7t{Qk
zV3^A#)FGoK%uSNXP1f}_CxQw~ba1<Y<KqVx`P2pH&2yE4916Mmq#fp*_uAsbxJUbC
zDo*;-4B@9K0sOg#cxt-}v2QnS#8~IpQe8mECKS)AMW5u#I;Itmu_*&_ppC46etGFc
z=52>GGkR95sU)I`=lH<|Dfq#K99%GRA4kMukIg3U(V1z4ry?3y+w8%vMa2IKHx<BM
zvnHtGXWDK8&H3eRBU(u%n!!G@&Y@+wp{$Z+;LVch;EiJ7;q@*HD^9{RbHYW`_RB?7
zG23PI=%C?|3agWYhSZdw`{z7?nKydhNLHzNm*`91ObPdOdfmT4#*V(<f5<scVte(U
zAV^yHfvmq_i0r1uZB(=~DV*I82xgiGwL+2uB4Lmsc$mBZlx?%V0kGX|--nz3>nky)
z5C8=(h7r!lt)Wzb)`ThH-O5hOxgp#!0MU@Q?vlvd%lLbbxb_B2b)pff&c*(|xV|rl
z-W@~eRb&@&fyoC+&N-eH1t_6vqGD%f4eAFQUBM8)7)GLy_sp!-qp<XxRoVv|11Q7~
z+!bUSR_@TEbY1Pr$%AoYy+bL@CFD9j=An9720C?$jv-i7UFRq#gz|db1l3UMKm$Pj
znLws$5M_!tuzb{UZ0as35MgC7&^SKx5E}9|CxT+ARx_jn*+%VoB(~ew4?D-wIN$ou
zmT@-iMnfg~<1jNdE+@1RjsalzF&=y&wZKh%(NT7KIQbc2OLN^a5IgyoM4r-dOo807
zoiW3U-_>&3-xR9iG#LOQ7xN?qE}@PbR0>oUHYK<W5Il0l)Ud1}#E9hqZ7x@;sD2ae
z(SqfXkzbSp7wnA{#}eUW#`MHsRHUtw8)oHLAkq<)^_AP)8G@*yb*v-Q>*2&@P!^31
zZn<FJuRJY+Q1o+97Kf_&V?b8Hmd<>faX-*+?6D$^rp*t76|vgD?nmd+I>~Ur1+Vel
zKK+Odkn_YxHck1V|EMX0Hy0%hIeP|LHf*{We13KQ>b>{gbu2>VQY1bzSB`VN3Jfh0
zhp8wHd|wqTO{EfiV`j^PsN9K9_4hZsA!1{q0}w&ewMizz+!~fFMFsUddsCk3J&4R^
zKxHjR$lBE@Gmxjhjd2Cm8Wt+7b(N1ZP!0){{PW+BtfN9>&rCX>1wus%6CUz5YvDJy
z@=xI!Ry|6XIYL8h!cW#vEh=GNQ-nlQg!?S!NgiojM34IK`(!zlIF*|UT+$i8ULBLz
zj{En?EyJRX5~7WAzKcjm{i-I4O*qmO#HW~Q^K12M*?HT2+p<K@a`m<kqvirit)mo6
zw9hiO`Z<O;YwWyj1)hhUyTex#`IK&kIp)Wrt=y8NP?an8wt}Jbwu0RB+@2y|&n=#n
zPDL%*m@ST<JO>=xc;l8t{)tA7fr9y?s{kIXRDGQVrz`Pa!h}Xk_rc_=TR!I5tobm!
z!>)Fsb^Fi-6YcyX3mZ^U4t)M)9L<<A8+EAq=;!vY?(nrc?)=r4rz;oS#Ag?7Y*ok4
zOAs1rqV((o9~<ze{JG(8Lv*=%h~&4a5UpoPwXA~6?$Lq$Z~zIX1~PQ$rY=7|wlmO5
z9TXQDF^^~!)oy6olpyBUD^p2A9NaI`*R0+o$!$t=u{)dqSS74d0-(|t$^@FyWXZuj
zEFN`-AC0xj`I1hgu(G;^`eHHVG7XgQM#S;VtZ-Ztjd;EV2ft;@#AE-qsUl4VV0xvT
zIifZ?OTEf0a1#}&9Is!a;Ce5K&>%&X=Bpk)RQfgbYDyW&m=hv-L^#`+KvNkIU<VH6
z+XH|dK$E+08E30N2R7HD)~Z))MsM`F0;XrjG2o+E8=Z%Yz4BgJ0fD<Y=0zDHdVd=4
z+WY&t9-+_CgWxsy#OU&g0d4soeNSwU7?^#I3JvxP{UX>?B^!B~Yp#*Paw+VKk<K9$
zh)txTYbB62gAN1qauwlG2+LO`3yj#!IG9qaXgFgp#;{+tK*|1`QORL9*Y$I8DPD=6
z>iL1>*H~Ni;3H=@=x#fj1UdbCq7?%wnjV&}9^<R>I^GhnZhX8|)AB}-UKI^0nzoj%
zZnW?zvV@b=l)YKTZ~!DWU`{sE=0fF%>YCg_PC{P2OB6qaa1&#S;Xnc!JOn|Czh)lj
zCX^q$t+6LL@Z9nrd_Krah$3_vzN~*xkWD@HgrH`&X1OQnIgzm^DLf+`5qg%bkL=A4
zUYe>{fEiVhnyYGz3=(uYfyY_c_t4beHM}gBT`;Z;I6@x2I4e|j>(tCn`nlprV6iOE
z284qDuQLm?nv(Xe<v4WHI)}W`6wY0-m3{H9Qx?EmEI8Kujr)e-H<pdN`}bWT%-od}
zYgyw|XcM<L!yw}u_=z(wIlPT8>%yP^I5rm=OLSPswsP%prZRqG;)`ZhUYx5<F=Nts
zsr>>pXDY<J*tM2u4H28*aMc*c*D)>T4h_wl>N^$Iv84;b#|{1dOris{P)Q@EYhFbN
z93lZH82L>`0eAN$x<-K5yZ>nX|7gO0)TBc!*9mQbY%6v-#626Nhr02}s)u_kA>|!*
zjjE@OF5dUfEqC<^nU%jz{B3-#!&YAd<va^{@!V$=g|W?JmcbKv<1-#`T5*B+{gT6^
z>b8PL<1^?($2DMGbs`a3TyFr4SmB=vv=;kJpkoF1H@P51l}1t;2<=GvPz)q3Bmu$H
zM9=#_mh}lt7&bV;_A$Ww>}RT%FpuAgbRJ~V8`lf660DlUx#3B$S}EHau$=?G!;Zo8
z?^Aw{DFNSo-U6kCM$2<T(Ls-5Ett<?*i>i|*UDNQ{%`hLCbZD)0j?KZOtj|ZI(@_&
zxgWogh+bWE^+Wc5yuX~_a5D4HhxkoDf|Kk9_eyXR%__-5+a@VcMvFfVHUh&BBdCiD
z?#jZ`B{?f2J@|u-(-1HE(UQd+)j49N3B6yw$EE#b6>98cZ#T^BpNBcw;w4IL78dD~
zrJD^6H!QTC7l6)aU^|M(-|O#Cj}ZHs*fH%2T=38Z_IuO)0i~I(4UWWTgnN~RxSxiy
zQ|*AkF2sv{J*=4hOcN#d7{flzMZN!DZ*Lt`$MUs}27<do2n2U`w;;g@?iSqLWpH;0
z?gV#tcP9`mxVyXGopa7lzPH}G-(UCER84h1z4}>e?^)BcdW|&6!X$VuxX0sB-w?Dx
zMJWu4+5?nKkQGU%YbS@ZwAxlCD(#D}OQ&B3x9b(nLahH?hhGMVD<t)T{>)kMjkCX(
z2~e!xxTi9_q*qyab9;S=LDQOz<7m=+rjw>z1(Q2(9^n-+wKlxutrgj>B3o5k{^XDP
zp|(KD1cqFc86y50qoGXL3)SKp*FCRQagz`P4}l#3lc?Iy4R@Q0zIm-z2)l|5Yo93i
zYp>xvQtfqFWQPzpir#s=tJ&zsu8x2O5^&ie^U}mTl*V+^+M`!K%fqs?b~H5EOj%g0
zCNKqKA6?ma<B#EeIKD<0nBi_wA3slZ7&tC_yW{?`q;Z8hex5c#u^WEX{t~^z9knQ)
zN55TVYIq4uIrPkMuh`v&Lf_@P_|xqmXC<|7CbOfm)`_7*(WMzhcxhN+1_owH2e2qH
zq&zz=d+DaUbX?skwSS~YU-cWU*ZP-4QNCJ9284z({fVKkdhy$>0wxa+tWyc&Tw|wv
zkx)mOa~lE$`qO81<t1))cV!C$U6j%mv?npOS+oW0jgq*jMuEw4`Hr%NzBZ^u^<ayj
zn3wMJC79b3j@~nfxUzX_XHqwb4nPurGO4cv^$NRM(Wm}ZPbX<{uNkYZh4ii!ay&Cm
z>kR7$yg5b<By3=!RD(;aNtsP6dbb+g$CEmSA*uv;IJihi`N%}o0CyuJGJ8!;&!EQ!
zo^wqOk6X41$npyuf=PwpB1szT?hc?KJ0A_U9J_A0jgFe%z-uW3hW>j*2~ej4CznTE
zo|HFJBpKfF_3+5*l(hwCu65aLtE&<SS@B(a#CPUaHhUrD%0PB1-d4&Fgb_{j{Jf)i
zI4s2HWyA30BGLJCz2-FRcWbII){M&2M!IgbB{bEQ9_q@fnP<6Pd$)>BTMT+-)RGeB
zdMY<RNGsLVmE&t1(4+_yIDy&{QlmXtb^g<(@|~AFY@XNM{*s_R{%{p#qgxq1;l93(
zB9jn`g}ZA6A>^mj%nh{qx5UhLU=zIdef>^twt;%Of0WU<RNQDus=!lJnyTq-CX{m3
zL>*r>LHx8FS76Bm1(grCUnXgey7I{)$6Sf=WJj)wvfFJ=Ep>YIi6#Z>^Nq5$0Hj{j
zlyQuok@D7}%WR3yIDe$d&XG`q_}~WP5SF^pNi`kL1I@dunNd<X(R434xT(hmq$f16
zE~u}Zl<(sG;cRVfy@0LN-OEgQbSc{x0Z3~q_`j1K`rlw^;s5hi9cvO38aNFo?J;VP
z*BrI-L}SiXA7gU~%e*=8;uoqu=DbO7*xI7`vtgS`BI;rd*)~~Ol3dRCQ~^S0ef=D)
zMm$ih$Ba8rZF)G^lHdV@Y%w_9u;f-=mQCcTh+;2pUo}IP9%H8Tbo<iqrc|JLQzj=U
zK1<>GhwjC8I|j|n?F_~-O;#J=T1QNw8{f!Kz8O}_V9{l!o?7>SNAaW}G~D0uOeL$*
zpBmOZO7Rj_n2dHv=A`ZCMHQlvLsYokUR!A|$t3nvQkYQd9<%HynZG`oQR6TdhC4~5
zMnj)&FR5<T<T^rZJWm!mV))wZiFOw6W%lD6t3^dRX}G$>4QajxpFjo>=3p$mLP=!&
zbXgczQ@__+EY60<pLw`VBvW`u^5a1%FB_9<R%;yec3Fuq-;RO(PdI-xX2@R%BSQ&a
z*(k{rh0@@}H^3t757MCzV<O}^3%5&?1W`o<O4n=C)9(f};mpUsuojeYuGxy!@0K>U
z$d^MVjoT_&;0jmHv2G#(N=Jnn@LV4uaUo9x=QI_REOJ!pO6PKGKgD8ngzML|jFgA}
zeAJdSr!zkKE@9D3X-ZqncH$kcA!RPZ)i@BRF>{{EBT-)bHdn#E6<42^WllG2SV2*r
z2-hN#StjgZ!J)b4+}~wVpZMP0K*d7cBS}N?NcKWdrrZc@tZdE@@az1Y8^1o4tPvlO
zS=7ganh>TD&#kVFScn7`pkYbLcK$m<`zL?JoJculwSKIlPm2QeVM%=n=~AIa=_-_s
z!lhQ^FnIpT-0bd;C^c0nMgqsG2Q%=ik|T<<^1yE-s_&l<vfiGrqu<=0?cDfYCIL^t
z%ftKaV#ogFIcCHJI1w>9Q6716d_0>W97A!Z$AEc{jRix3tpbCN*-|?p_bnFy9tQ#b
z7gzVCb9bfZyF%c_0=YCzkHeuA>GQ^CWc`hvcltX$rk_u)l|t4jTzux9$xDK5yLC2?
zxvG*lJ&=ycCNkf9gx2mw@_j1M%XNof%L?5@Rfx2U<n0><MA}?T&@c8wLR~GxLR}3@
zLZ`ucT*=*`-_ez1ip|Oy$KRUTkc8fu*dSi69!HX|Cbb7P-)viXzDoa!TK^ys8n+!u
zx*FIX+s9MI5$Ae$BZhX?7PL&@_*FobH+Y2w=S!$PMns+n7u<k+E*|6+t9+E7UBbav
z7_1#n#`yp{paeFUMTRksnT!fYA|(zZ;)k>ZoR~rZ>4y%%3sHE73F!NQ2hkg(b5R2-
z#l+ldQVd<z#DLB4pwFEA1`?(wp;*RTYPjR`@@FvF)ueTmq99N=d_W;b3nxSn+L1XC
z4qH7rT%e1>B-h1<;e%9QO+rNeXLU)C1TEQnHA+BgSdF@_mK5HB>gnAKr+>*Rs-Qvf
z*TlGLB`T?1v+Q2>k5b=j5+d_Q>S@Q=@YZSm;`s-YR38~o$fq^x)uEDFR4Z|0G=z8H
zQzIVxV+~;(=&v+<h4}3T340>qhPGXcP9_;MA=@TnSgXkUPJL43;@uBIY#@_T)lbPa
z*AR4THME9o$bdpJi7+x_zX}Cn8Q+kF+1SE9xm=wBwyqNEe1}pO(vxdM6-+nkQn@Q>
z>lVe<B_=NFeGOiLC8Q&lq$-$p)U>i-Ql2B`)DERKq@x=*zoj4i7o5SilbAuc24165
zKRUU^61`Ey2I_^&gmMrB;D5rrxP@Mn!LMy}Pi|M9+M&|Mbi6440;!!jtt^B+I&)|u
z61CHI!vda!gf-M6yCH3ZZSWFNR2$LkEjGn+gTXXO^0vrG%B;FmoI?Uz89J3^$kFXv
znz#Cix7@cWR!KutP*%YVlWiMARG3~mU^NaNJ*RfNeW&_?y9mDv5dIP$nj#{A{yEk{
zI_7yvM9+^jfZSgv$33L>hnG+30fu?&J8hCs(iduQ31Vr8IPtj(;uw({XG~wxxcX8U
zJ9-bEzTKm2=Xc1Y-|Z^KI$}l8WH5;qzMB*2urZ=;iZY90f=Va7nmcS?mjbbUx?}wl
z@l526i2e75n)PG>nedy5Uv+AG(lB8(t>^1U*$wavM7dGNPRs>Dd&9I@`JqFoiu5uf
zQ6Bagq9pcaET^j@Q@q+VC;IVb4IC3u(*?+K1EF<hUGaQnb+N}1s!8l|eEQ12#cz!m
zcC0&)%v;ZYv#!GjQlJ=-Q=`D5D~E`w<VPCH-Re(^)l_-_%~DrRAj9Shz~tENrVGGy
zi}PTd@dtm@#o`S)ONxFX{%o0E@4R?*WQGo++O%Y5iU-Rb6G0_LOJL>ENP%fs?h~on
zxm5`S{Rs{5mE$zN$1X|<gmBUcM7R`!X0`H!nrN78uB4RA7AItM%oDW1is7vBhP}DO
zA_>PdN<ct%j8$M53Pw%oS5&{x?3mN!ODN7fg$T#rNnG>0;X_j(+G0{*&ixos*JHDy
zez3acFvrRm5S^ZE=A*biQ5Dt&QpS*2nWZHNGJBdWMF@hH!v3#4CYakQ&!rXUZ-72W
zVUO#}>m-d+Ol(krs`19;2xmqo0yGSnsI1BnS_gB+XN0VfwannH2!nI->FRv(g8m4`
zg(f!CLB?4pHhdGYw=~Ixt!Yom=i)g$0Y|V3N5gMCByv!~BD_+<BHAKEH;f(Dv;M7#
zZyXHW{yyg1DYv6%Hnas!j^fZPh>|H*Fd?N#ko4)k$4!aHNA)ND2U9vAE5s0=1@#ew
zi<tStHShd;neB){!;m_LCluAE+=9k%rU|dGbd(eX>DYGvVL{A?mm$OTuxE39<`~ha
z5h<yH+@&2RB!LOxvv-Cc6%&Toe^7d6-(m1|dBA;I;Oj@)=Re+p-;+Oi_vw*Jf=*J3
zf}~kfUW5C?@JiV9^sx9TppuY?Iv{REq|@p`lUnKjo4zekR?HswEDFQEI9CeOO`fI+
za$v(jT@7#CVeKH|T2lroi@)4zWSQP~o;h7S>Yi}e(5`r<jK!~%4l;z<uhbjs#E<5P
z6w2IV-CWZHU48tp?UtN5<gm@1eDa3Z(02sfFm{C4(Bq{R2?%D8IfF6$Jes009s~Ow
z)-Z7R-L!m6*FL3~pyL;m8Mj|NJ}?1M#1MjCz`(Qe?%_nfhf?Q$=62C^Rvdb|pF59g
zxNy>`MQ=V)+hgO2eJGr;a3)6onlXPYVw}xg*%B%(<fP*?bBbTFxFvr9L*7I@=<cLb
zho16y*k(#$zYCZ!Pl?jo&o*Qi3g&I0UL+uW-DQ#I6+949%MEaAN@$WIq?PaCg^@~N
zMDAfesrrPv*8Y>tgO~bKH-vr)+OCjVL4X@dB9(rKU^XfYA?*wi8p_3rhjwjm-X_?{
zyB=mT+OCzc6-baQmSFPN9&i|RZV_<ej;F2l<BK9!2mn0*mW<YiF(&}bD4UW523=AO
zLjQBHxJciqP!i&fGzRilF%%WkBuI)_dvHnOe255<--N`tW+JFlICrQ6wx4dC!5SQS
zVtb!cP2}}+vCc<CU~sq)is=Ysw(r{-9LDQBpi4j_-ARu{vAOZ0GLOZW;f&^zx`FYc
zJg7_yaFx`SYkplNsASN6^Y*%bxW73Y6ktG}A0<dS+IcwYkCAOH9ZGMsZe;Y+nfLMl
zJev9Wyo0MhyhaapDxY6pDYINGeenJ6)%xu2`ttI8dk@^ErR)Ck2HLffa=FyZuXa+v
zTi51KN@?3t&eENx8Z*|+O<=mB3k52pZR92afFJZe$-~9@<;%wW&g0|tWtpB=M?Mch
z{j0m1mxn9Ro_d`~*4Eb9&hORA>)Fij=>>{k9_;wPFAa6NotNEy^5!c+*X{UtefE2K
zw6<Z>hUQwX-1vE=(V|?iuz~fI^=`R?21(DP+tAns_D*ZJjMlM2`qOE11+AL;t+qN)
zSF@zVm~?=*x0j`u=nc4@%iE2PN03X-m#HmU`HUO&k0_ie)YmLSPDjNl>VETu*@6s1
zej>o+NUu}zqRfa-1g)y!p@`M^#I>(wY}cB_HEsl|xb<ln`-ZrYByx_msV>{kY$g^&
z>5MwQc)jOJQeQrG)2C5nEsp*{RtLOxEKe9=g}510$d0(l+x1FFsd<&)J4-2fWwzj`
z`yF2WN^5K~n)j^^__a6HNI{8yTHyAVjeaRPNB-U31^be}27kH0-!RTjbX$^X8}=J7
zM829jpUtv+&QLG9kO;w!Ygej<Fwq&9SnfvYZ80YqEz>eKi=8g4Fr0A!&&*i)M_vOt
z_Y(mFUwW8>2C^LO*l$T0pkpCL17^%r&g$9mX3oXc<8rx~7+z||1rNB>tiU8W66lcW
ztwSd-Z{j$fOZK8QmKmfDq)wz4b}ovqew{|NlG(Vf5KBGATF9-`efoVv!T)vqv>n$)
z#zI6r>I>;wML3GR^<Jw6&_s=q7!yO>+SG?(*GgfxciPe4w3B8uC!5GrtxC;Z?zFm5
zGhBD9hMFX;r5Z3wh96`&1%F4EarV8*=5|_SNi$Xaq-Q!VBVd$j<vGi?^2f(s*gJ_!
zG^HNCxG|EX(<7_jj>t(4EnKujvMZjJm1J5lqx8ne+*%={#j<H(fK%wms!dZ2v&(76
z#BR9}`xb?q`fWmluDu5h=P2^1pi%n99$DxIle=aM_`%az`MXOmuW`*$3+rGY1JiQ2
zr5@UbT0wnIq5ap6zN=8|VH_lH`Ve}S<fWJP_i`i5Xc~JCE{UZATJ=875WGY_I61;c
zCnN>}dmZ~oXk>L)z@GT-MyVl@mN#r@<-Si7CM8iZP(^ZO*|!jWnvB7<n$U}`mp&9(
zy}44;$YQ0(0E$XG9;;|trq9)LiUG#e;cJV?CppA0TDLBEe}#K@-P2OlMUD1zxEyD6
z^?E_Nhwf6}-=dJwkmijMn~{PiA@zk|-u9lKsqV<itm*V`0ne^A-OI+@fZU0&9aBY)
zh?BTZ7wuIWmnWy*8ayiJ{IynQ`MX1};v&t_g?Res@ZHSoGwV688npS?$7}c>^pf60
z2U=J~3L&1vZrp&<CjW~cw&Dq{$l@Ten^*5Ac`QKFFB1#!Z_4+hTlA%{VRS1MZF7Hm
zobTP5%vu8gfi|s9?TQ7jl@z9p$)qzmUBDo$Wt<}E$fafQZ74U94NKFrc`qG!dpO^D
zIe2Oeo^K4t=NaNFeR#Q@|EBwP6D^SWsbilYY0n1d#jpq&#rfk0gDKThIRo&U5+30c
z{7#(?UY&=ZgH{DcrL?$Ijqp+$@8y5qoAT4&6#yN8mK`XteUam75Z~(ev%;{rA$m7I
z`qm+!%^*NOX_NSIFzu(uL2vZno=x=OiA{W={Ocv?^-ToHwhVS%U7gie*LH#=(^t;P
zZ<V?PS-|V-L%@NT_0i4cEbbH?SJcQz%oj)c+gWH%_~O9`-US$#hp!Q#ok;z#7)bpM
z@0QVkd(mn-a3?idkF3W>k9Tmpx8GxLLH-@AhG7t;+uJ|c<((SzZ7D+Ts6nxmj_2Ko
zn=<fG&|GXp4}wJvKg>$h&O*+P``Cu(&8Rv<A%Qhf^W`E__iR>D|D*r9PapCI79QL^
z(W+mbFC!|>@EnpKi6)oXmnQ|BH}%nx+V2AZeatsRH0YA=(MUMf90T(c=$}7bEEe~?
z<Q~>6Yr3uW%1>BC^5Hd{A*bA1_;$*qhTG#YMLusNm{~$X%NS8M@QU3Ib(x72Rt0z4
z6MiVJ;uROmqQ$1R(7R_MM2K9!3nv5#6-lfJ5$-9!SiQS%CP`4HI6qk&Yni%Cnw16)
z?EEPzzSIvwt~Q-IeoAuL;|crac0V(}=D50rb^L;~lDlyG=8YR>)p~UGl~$!~bHt#f
zeGOX+<734IcGPNN$1A(fazq)}wy_~wWy5@44Sn5vflm5gl$Fqo?u)nkRvnJ@953`I
z)+5~KCt0>!s=?pVze@`<O-L=bEW8^ATBhDvRX~hqRoq6M{gf4-KiT3n55bB0vDu<z
zdtFaoPqw<_WY*6$->`MDJimJF;l0&h-!{SFG1}6^r=_0M(E9Ue+IhuM`?qzfwVO`s
zs=}iF@8Bx!M6Hiqe8YA0{g}gT^!+D8nuV@!xf6uQ1DP9_VY-(5KSrfX^3{w!>IY?*
zMRJoQi(+QrYB=wR#ghwHY=21^bGvwXSSDm0CstaJUY+?}k5W8dHAt?*GOJxz<c~0H
zwa{?W_=uQO-g7tRLRVLRe=9XgSoi(LdASa)K`VJm^4YlM-SZnKVVdG!$*1@1>?}!2
zPB1YPOpHv-%uFmCtZW)oa11gwh9dfoMue0i+{}#3jQ?p&f_H|g!{q>_tHjLg9UKWc
z{uKXN+J~8go$>FbeKcfjK60Ufmi9SM<`TD#Qx-*oL7;WESF?0xPEJ`F)gv5o9wZS-
zY<m=EfAbEv<QueBC?6&(Dr&hu#4LSiX*uDFJBZk$9EcqkW5m#A&xK_-CQ0cl6FZEk
z53MnZB*U)RiNGADA+@pm1^go3DyvmBueQs)s*#wV#4g1IBEq%4IXNATxDUIUU<z|<
zk7y1j2FZ8GawDSK)aH*u(<cV?FK8F%>r;J)VKUV2Xi`KAjB@-Llk|;D7z0DW(uA_G
zG?5MCy3@Q_ny2zxdya@3rc@9QQdmxLH6qz(1fKE`jc!IKGGg4_F=0z)TF7~)AmQOv
z^*qt>>eN(bVBB=#<2do4dGhNiW^XmBKwlW@W_od=nrld;7-`~KTx>EtQ3p$$C2klx
zch>xstV^U+cN?s%eE<cz=dTx(N%F5FPIKYH^r0Hv0qY~~En7d6LJU90jfHTdw<gz4
z|H_Tz@}QG-Byu3J$+Z@57!rY#U<#2L)Bcf|jMD;I5lK3NOfgI>jnp8fL3!`WX*tD^
z%OqPfO>1bLDsX$WqJ*THPKQ|nJ_qM_6jcJ>Hzq0t9l7ufw4@MI%Xv%`S#ymM%HKa4
zW~|2w8f^C9J?s{*Zx2tFN{_M<qhD5^UyXsbl{=T<S!b3;ee0Ly7rpdbQxk6{1B&qz
z<ljZ75x|U5p$)fN$TrIa8kI~TLM#){TT_d7r@I#Z#Li0C%hutpaaa|?`T;_dYT>E+
z=m$yT;|b2In&k>HJmQClT9FaRo@wHA0|r#t_pX+Hg<x&!h)M4=zBe#5Mt(w<$(rm~
zxQ%`6(<aokw+_%*Kio}My|XeL<~M)(e9LwRdL}mC+g-ChquG1<7}g|MJe6EC&N@(s
z*aG_4dCt2l$|RkPIm2$(gV50=Jt1TKTY|?bVyWy@eWcj#sN-nP#&5IlEWMEPx8IwL
z<pPMJmO9Ypk6$_av^n#dgjjXRaiQ0LK}|HO9RKd{wCLZROL!U<UAr}ETWDfpU7Qvb
z_MHIGBSGu#*~gi7kh<uX_AIKVR`KiBc}ZHtTRlo5$JJV8jq=amJ{(^uipYK7ATA6^
zl%iyiwbGm5w|?jmByaEvlwKiYw$#{aOCka?TZCe*@HzVBgI?lV7z|X*Wd_+tKFLvA
zXV^S>-pVh1Ssb(?Fj-5;%)GRMkgcXo64wD*t=n0ZRvs%h?EOdCwDNUNMuUsw6BpkU
zJj9NWXyoeYYWUGtNO?PGZQ=^AB(@_jJy)|hMn~O%RYrn|Cx@S2yl2RZYnDe)@hmh-
zft=S*z2;Yp9vZ7&8vNJpV%+<y`cJHycUe#M+%BUx8j(v|=3a096T}p_S*oqQcFlm;
z^|39lrAz6K22141K`O&&^yI7dTlLya8c%;UEJxocybf(liy~deu?kuLirvbYiObUX
z;B2pDJr$issAB(~rK@t-JT|}g$h+zi7cb?PnXBnHtrd$17qje5CO_9TCq`NX=sfdl
zg0+{ul_z9@&Ziw!(Wk*2Al;)_&=dHg=A#c2@s6aYC<O7yJic9h`A+U-SLe=b_6&Pz
z{9ChHCHvqT9sf<MOsCE^JtwVoC)SpC<I1N)L)v@w^V)S2J_J%rnuBtM`vnH%!HnN>
zttWf4UO?7`+({#+)h+*C$8WsH;1y<<mv2vYc8$w?me`G>?P9#TDkkBd)iHpP+^<+X
zyIrPJE1<{cAzo^@pPTp3=1L2_tULSd*3Phyzl=8zI2DBo%ix)BR)r!pBSK%&EN|&N
zoi4G{o<_Gm_j+|$G|EN4>}G#herfjPzUEPG7X!~e5S;NZ7#wgTRnO|0l-fhz+q&$m
z9d~wa{Y~qlYqA%9BJ|Tg7g`jEzVz5uCUB)lZavwWF<&_|UK&5nPFpr9IeO7=r-l~H
z>@?|~--q!2vjxZy8j33$M4_4n;O??~AB3W%MEkQzPKrmKU|9NAkt`Pppv^ZS*#Frg
zE?Mli7=23>vp)}6Xr)f#QlR?d`ltG&W*_?X^~w1hK5nq(0%-XI4RC6(e>Q4*@zTsy
zv3G^qD|iGp^{pliGr=KZcJI|7tKjr7zn=Q^eJ)MXA#P$a_0BD35~A@@c~|aZ{$(5U
zgtQ<ln8`S`5SPVI86qWw`pXaWSlI~0<Q?_X8-~{%nrIVoTZ#3!uUi3@Xy)mrXf?bv
zov&0A29YU%AhoX&I2BA&u+I$Px(QR>+yz^~sz6Q;>5zcXYw;B$3{-Cnl{93Cfi%Zm
z1sHCXUI3WJl$D=#yi<I3*!p16W1B94FT@JPKEFDO|LeC^WrLb<=ANc#tz?Jy7=46m
zIB9&whH@xtGw1GDtYbzIDZ7!EpIcz3WsvH!8<WidWe4&naj=2en+Cg1lwYaYbKBi;
z?ov~lm+@ZPR!*H?3$K*lW7HAOZ-dr0mx@u(9p=xi;C|bmwIJ2|`~#L)20~*>&2Ior
z#u>FAF5cjXDU|RhL?}5F9Sp6IUMNK?B}s(5DDvB55d{pZP<E&g0-V%WwYXva5tyx7
ze#i1h;Bz)CxD5EWKO}L|><UG<zZB8Y$_S@O^&kVuC}{(W*)Mq$u}3N^EyRadgfgjo
z&><2Dt1t>$DBnjg83;GQ9!h^T30sHo$`7gA{MGAMA@Ezuih9Xakf?}7D1$1u4@J$d
zOCi-=jS@y7M<K6a%EXUf@pEiW6+~b@Mu8A8tdbmA=<dglex1Uk$AXcVQ?>kHHpb}w
z9AA-dg5YJm&tkA@3_~ld*DQsetgu3vW0%EPmy$Cck&>EIj$mcPGb^++2O#34g%Cn$
z8;|uP=o`V%v=+a@&Z>X(+WHVdG=d;+EZv8oZZt&QTD<%7=1a8Ra6RYexDRn-IKCf%
z+z}MzTgCGD=cbZS4QL+W*biZ2$vz+AMq-q16*J<&M$~P!P8(dZZX-FYFu8xE5RFH`
zCKFX4*zF8J@CH5JPMnU%zXH}D;YOy6gV<Sib%UCi`@SDN+|^aR52`H02ts2?NM<@@
zPDsf4p%vX?qzx`;YU{JlERw`D$E*|&<fLjv*Y~zeV(?d*Lr~HR>wi$B6(;>aJbZ)U
zq2cmf_ifVysnPvY%}9*$!1~Bnu^?vqt=@&k{uTJL=h+fpNT?~rfv%AlkswlgzN!v2
z&+Gny7PqUQpj75x2}}*l*D*Q4coYIQj~h$9+b%~YYB9dq%;YLT#LO76=w4@cz}7|K
z$F9!`pdXB*!PVb+*}uKHWD!&V$EuuN3@(EyT|WJDd+Dh2KJM#Zb<+|-MM&Y&g;O3~
zG#%G!5)?JxE;tAk!YaQF<ucE`@Qhm}`YAQv0XSBb>}n9U>>{@_ZYN1t3!Z{GR3>N)
zIaAtnhF6%1+ykD0xnCv-m_TyV;OO+vxbVSn5Ewu()5NIzj=>qKFgC+EB@q}*n8gSx
zK*mwWDEa<?+f^pwDis1Yx=<;LwH{e&X7ueZ#IPx=1w$bXDg?D4H>r8O@^qImOlt(=
z1ABKybjiWKCqBx((;;*9&L?<k*U@=h{fgaH+3DqVIDWI16ujfE`DE+#;=tc{iQTRc
zRC<Iw*y~>Z!FzL~aHIFzgF*l08{TE*i5Kv4<`q3U8hw`3_~QO{dvYT;IQVjwf!nEb
zW^MhA$-AxjL0GZr_57F3tIF*!we1_=U9uqmzoKT=q#|z^Vt}1Z8;(KI%-x8Pg`J%Z
zjzN`BlZlXpkO_n;*w{G!L752|2^HWNB&>~X{#051sfrM4@(Q!CvWT*AiZOEviLo=W
zGYYY?i3u?>3UP{X3b8P8vhWlBUqnzqG9Xp|#NV8t1<@{sr~tAhm$E!v?|HkdCBBXs
zlhf<f(G2&(B%b!W)lnN_hUa(XWbD~1D89Lzw8Y`Us1mf$p7E68>O?Vwa1t0cFkwuk
zgf=KqqIla!f+3$JFzU(}Y5ObBUa#idp6|`}UbqG)9WuA1$>SdY;gqqj<VJ~aTM-J9
zDUKYHBvkS0ctCzm&Y0mV7jHFZ*)@!g2A;oNvJWk-51w?-XElg$eOTH+qbfX=F3Ds+
z<tp5{E)6y4BYk+wK&vWz_HNS=gzuZ_99?1*4+uI4^cN=VUCs;8GqxBLJsCOO)ecn<
zD!m#Du&o=6>3%G>kf+@SuH1rV(9*p^CROj9d*~MsJpet1WB(UML})^G9*E!#7`(s_
zoKS-s5a|Jmwzv~r>YUJf`dIW`qD>G<8*s}$X}0jzz4%S=^Lh>=5ig}hGo|L2z7{-i
z*c(_yEz_l7+_2<AWX>u*)N1d|YaHH1b(y&$`4b{`uDmN;CtnT<J_pz7P6NXgW@JwI
zFsu`tb`HR-_6~x<&0!7beGmyc?e=nghrEHx8zg?K=n6Ht0Vy(|+il_c-ev>8Eg1P6
zmET|PeVvjTO*aZcFN`TEUF47a*gDp@M6u~GXGcCGtk>BE=U<@&fd;l%S~lG`Sk}GT
zO~{jaw&$^rj0+7NIEg(NWkK~-sJC5Uwh@n1obLgDg9ur<Zu12g9);bh@Q7*ph4)YE
zXhp+`<g3$tnyIc*=r(4XbTV!Ep^dB;{{{Y>`FC??d1SVJBfG!x+Vrtzs+Ux)jhP-D
zVp+a#J!@4W)ZBEJ2CkaadyBt8(fYcgM6B8ATn!B+sXPlHvT$rb7Z%Jvh*M(~0a_2r
zy2lFVhgqEf+!mv$v_Td_Kz|kFZI3r6^2K*e#*j%hy7%$xqxDv{coSV*t_X4)YzXWh
zvp)DqEWl{$6Ql=}+Tv&WRy8<c(BX?pefc>pU-$n~JfhwQkTvFoI)6^v)Lnn1dl8fR
ztH@fPSTHyJO9K@}raZs6{$JHp4Jk#7{sVJOI;+zBpY=$EW4F5S1Pt0g_4-}yz-R+^
zY+<5&xG9k)+}e1M)Q7ss7r<KucO0R|jlMa9C-zEkBC05<cC#;ld2A5k1)<x5LE#Gm
z&aN0(U8J;rWL0o;U05M4^G0=!ALz8jq>_F<ZbJ`Eo==kE`03;L%H#a6XGZQryKIV=
zZb)AFR9>gOdC~?suRpe)s5gX`rnlXQ=SA9w{QN3B_8vP<Xy>VhhIU-p?hmd=HtYBZ
z^gwqegaJ_Xp#Wr!gL$bQopk<Kif-79Hll?dNtsm26-o6sKFc7ws*mjXW5*e4t(Xnn
zNT9Q6o$y#9g=TWg!$V&H&!-n<&z{oA+7s~Hff?(9<%BI<hr^RgfezpFFj>b-4_0q_
zhrNNO6*L3UrqTj6zX7!zpm`3r`MP61!u#TW47{>02YT2NeCiT*g^1pO<qb4B$J;cu
z*)SSud$?Ix`{;^Hu)%V_ok{-Q`&VI*9*&qE#(*9kIUzi1j|<gRV14xoc!;C7c*^Zt
z=wxC~Zo<RmfSMM<s6J$qN%HS^qYAq;S(`M9>-^tFy!w7|t0AZ9u~_<+S0Og^>MSHP
z3jog))!28&imiIl=0IK@!E&55J_HB5;*-Lz&1w`Kl5cA>6$h>2;5y#ekFm8UG0z>&
zbf5V3Oyfh^F+YzV#ZtEKE4m*N9v;s68j?1^wIJ^l6#aR8eow1;pl??E;+y|<lJKzi
zpk{}C+WW;78CkL5!lU{YmDkSKPW2IC*$|Lv_eok;u{vZE!EXz6X$YA%Io)NaMoeHE
zG$`y@A8;=sMIh6sgcX*+k?i@378J*r5Re0cZlz9(rA}d`;Pp{$b?n2{(1NC!QGDZI
z5=655+(NJ7G%wID^6O<UKNb1M;U#Qm*AeCOF>F2G(;@!$J}dkt&n{Ub9~T*C2_zWi
zZR^z4L95Z7$fgLWqiVv)m=O$#Nw7=Wf3?5Ujq{&Iu+`aY+YZg{Gcub3^Sq<@#$f;T
zGU1OcQwbCPY6+YSp`r&wS`uc*Y1Jus2|s=~;s+FvLgz1`V4wKr^?6fS_b)Q=Nt!Jd
zEP(ChQ=mkX949R>RO^206!8oN?$K8AQQl-FQn~fdg(W{a555v39J|muhn%6T5p@WA
zn$YGGJgAiIwDlU95a;^?-24We!k)qRNEi4MJT*Tz@`U9~+$2rBSsPG%k)ASUWykZK
zc|)A`Pp4LX@;Qps<-OmJS=O)bl{T@E<am`hmJB}=7a6?L3_eBb#P{X_o}KGXqZ-zT
znuYDZFiicd;@NhJ%D=t_246YPY*#nhdTl5s&a@=6UW7aYw~>bN<9N7zkY@0~4qOe7
zW0wDP3;qM+3kDxV8L#EEqMK1P_nPksN$NhI*%1yOm>z@dEOX8*xZZOa(AeZjciHTw
z%4}QxasB>{WeyEk+h{}gczvgzbvi+zX-Me1SKipm2%g6XwZ#aguJ(>AIUukK2CElM
z4Q^DAtIX#+BV?%_TbXZt71CU<*aAe_KNmyiAJ?P05$J1(9_!%8k_Q$5iOO-HR~13Q
z#yh+KVOyN2F8O3%16w@VF3>P!vQC@sf5iyzvhfX&6u5x5Tb8o@P|>B_^w;_6$74&d
z+TEVu?d*2E4#w*@cn*=-!{Ul`f$@U73O5c-X4+@eE_XoilCd!R<sKo~`o65&(SIAN
z6VdzQGyA>O`O<o0w~hbW{~ZV#d;_3{5#v6Ra)?{UEE6^h*&9F~2WWRW`X4~mBbtBw
z#a?9fb%`^1n&VAzU|lf%Wh23xjyhM!9;EI+{TM&})N28mZ~!%fSnyGrgS5;J^<RAd
z2nMm^N^?Zmu<l!jNN#;XS<`FLU(XYA@jnHiRuEf0I&$n=<6xQDu1@uR?Bn?6vrQKw
zx5Xy{!D(Z=djEqsmmLkkSKi+ep%{mI2$yR(su#jgUkDeM3nwkZe>kC|o&gKHhnR6Q
zMjJc`za~hh1~mMXK?tKRD(mqQw?ZLE8qRmSFT5L|tohIA^JgU0<G=xChfe=GPTk^P
zZVB=HdTk*hybVpd7^QCi3^aObq#n2tk%ovph9=$jQn#Lxoh*1xwqW!<WK9UF>(pBQ
zA8p|gmJH8)tJ99(yMntYJidH8J|p6t3&}HdrFg>A>5_7VtlU6sV*|(d+<UejyuJkB
zwYozStg}2l?SokWc)!eiUwTMseWY<mtZLPTh~b!^$e<y)C=tM~EG<CiU6-5h75E-x
z16(s}oiT9-F*xKc{4w?dLzS*xXP39{J@^IWCVU@u2*bI`LVA#MdbD<bO3mMGFW^uA
zE&Mmp1iT1l2z7e!0V}H)eH1{10MZpAC<FmV{1wI54+cXdoA4Pj4xSWSoIXa2u!J!!
zDC))hIQowb6YwrRSKupwgCLuxdh%Euy-h4{F}@Y8nCkd$gAapx5iL@hY#8CTJULWD
zcHU5Wi3>-&h*Av*3gqVyyjfr!{kGxD&vAKB+it6<p0B^+?gX5?kGN2RxI3LL5B-hb
z3SSA?^I9hywR<Z{pB}?luk-1u6W6%wovd0W%rj=WOPv;rEQX!vkF@5R%N*4AYGl>D
zRB<0A*>1m>dR2zS>~TllyqN7nr&X(@RajKr2%GIQ*n~~qm(QpbR!``ysF}UE;yxbc
z-oxd9NHpv-fYBDbU-btqmcNYhCTud+K!$i91<cvtoJGL3eh-p-qjfH!DZ0{}uR0=~
zXFKMeajGu*m{H-Nv)3kTuMN^M<AhoS+O-@x&L33FXd`!~&$DfE*WchAyliWI`^x@T
zq==K6{z*zWQXrzzP#<g?bfy21ll53x?My@q`1MyoB=#_?A<^iOmHDwT!X9-q9$dGu
zUe7=q03Y?%J!{azHT6H@`O}&0AJG`}JA?dIpW!&zjPaP;3d8vk1uuxi79(O%Hp}P9
z78|PI?Lh7Lfi&H3#ujR#hl>-r_K&j~HG!*c;P$Dxa&nyWc)>@!%C0d%;C%;us|$EJ
zblHkQUPt8(qBzIM>~?SkW7xoK3*tD(TJ83@e+Rnw>$M!?7!{04C#BG{XdAciLW$*$
zq6@mDoHDN%<&KahNzlh@kvF%oA`Tk7n5L{T!|&{v?Q2?Wvb2oqKqhc8co2Lg@1W)1
zaq99;IjzBl+>xn*<YaKr0rh#G4A6V{f4#lTZlgeSdi{nMa?dQkBZU6e4iIF83UUps
zFEZ5X8h4I)tH+EC3PFrGCdt8S{X&`fFME#jMgKCTWz-S$*{K;d{`jERbHj9~C!@{L
z4Xv>e@OjnAm(rlCq%M`@AoV81vxwg|!JHC{`@wC&X8XXB07fhJ_nM*v(R^BJBYCQD
zNp+=>Tm`KE4eH>#Q^b9}j+a-^f7xJ7e_2$+NbP95&i}zc=0$ZNC7~<%s4$%r*O74T
z1nFgVb_DmBJDn8SVR>zo$MDf>aeq`ym;JHk=RZ(o-afoIpey(YK8+pI;d2f7gMrXX
z;@D&I7f7J(`Ub(PdjIIdf8^!t0dmC3h_82l=>rF;ny0!pDz8-B50}(c0;$6O4q{0;
zwK#qWH*<YzUC5fc7R_g%1}O&7G$JH@Asg@@`f#`=(aR!0khX#?z4?R+fK5E5-*KHe
ztQNMuF(T?dFjNP^T!)?oPbHb%4@dXIaqW)^=^{PaPbK+x;9c)zzoqPx;rKzuNc3j4
z*5W;R{yQK{3j(&Hw>(zAcx6iU>SjiZGL-P^LP+U<pbf^XLMzb2EDK_*!kYUt5P#H1
zw+zCsf^R6?00<sf?CLUX!JG>>I$yruTOuF(zqds}>elB3|Dq2S<=beMmE{v}3n%N(
zVVRW`=rAVoUCYmcaq8s`AVPBckQ=(@b7#v3@?(qYTk>V!R$JuL-uJFB(OsHtlUY8h
zZdn5Ud!Sig56yYh*%ik*s%cqZH?rA1b|-r9^LA|lASTxN(FWP9ta##gw$t10UB5}$
zoLYIchCzKIBv;W+m&FKf65AQIMN1`aDVvJLzZwV3BWM2$Q0%XlF}rVk6H14wXY=|N
zxrUp=7H84wJDNJ5$M)G`HFoYggU#IH*IZG#yk=g5m{sI&+<LZpO+{d_UeWAcpe#aI
zLDQgq*U3VLLn}V#x9EDKnCZC30!T%R#k}tyItEh<_cKr@bBmyLZu!N8*-t+<1X81f
zFF||*<|oY@3Gxj7P){qmVU=G&R9Kx*%t}x1NasIaQluFXb~8qFQAYUAr?8-}XY58`
zXS3*7PS6I30#!JPJ{);0qg_WoQ~q<D*dx;)W$~VA(}QlzNbe{v7NO2B9gSIB{kdyF
zkvr(xxmq%D9K=_JecQ{5=i|Swd@`ng-r>AUIo8F*iA1rEq2<S7X1LQC>cI8S1l|=a
zX=Z3n@uHo^7SXy(rU|lf0|_+q0RDUGQS~^Iw&Qy8${dL|H0Y}%+?D_!6ReYXLX{ob
z4~CavwKp;-X#Qvrw~GBuTrX-K{tL^YhCNlR<4mfW?oZvkrin3f>{X>quSMKGc8$1G
z)I0nc>w)f4Qw#n`j}JwI)ggPxJa(42R1_UH>=zd3gL1%s^O56WJkZ6d^2Uf+19TH%
z+aLn-@Brs6_vrlCB!H}=$0l|yw+wUAXCLzq>2~AL9{>+Soi26t>yHN0DB=G@>EG@D
zWd-YpY;k+}n6QEm7{VN#{Tzb!OhCaWMs35EA;;JQ;u-DvIU~?8=E517FxhVc;RyX%
z;O(e-$Svu#LTnkc7_|G-ob(%1*l8?9b&)uYTPACkvQOHkAJ#T+{pI}OxI&6#?Ja53
zR2tNHxnxvdiqx_+GlZNKT^R%FGisBxM&GIJ-KsD@>kX2xUjsnZlSV0fRfv|~HXM#u
zOKhll{}9HtlKz(lYv~oee}-7?f>!CjhyVWo$ZR=9dlUr@2*Sy3>0*);Te+cU_NzN>
zqi#u8^n2P9t?4dY{{VOKFGkZto#%#pOg!KKDAK0Ur;Jp3vo6CA{-22_@QN-a+=s`r
zfr>Hllt1%gx-$QpDlqmQ@&yD<J(}bp=2rYM<CK*@q1-VTi<a?Sw|8>Td%d~QV<N^I
zqg$B2(@EXw$%~5rx*qBcj2(+MK_qRYs<Ybp0;)4Z492;R`2XdT|8hy9K7l{8;eUs4
zfiCBt_`AN`Cy24U^};F#3)ZVbyXdYx!(XImDKA#m=o)oOy3D5MQtv5Gl%}h4Rod(9
zw2ioZzxoR>CQ=Tq9Qo=5w_ky#jQ=eAwv=S2H39rj!In~<`an*ak&@P#p|e--<G?HG
z73G#vN7aK0W^J-&Nh{?@Rg>u<;8nwNz;RZon0iL}D!=4U^R#w;tE9{K0}xVBda2b8
zw~@Y0J**s8N~&t(5hW?<GBeZ&a3c*n{v#r-no_|GXdAVR{2$2Q0I26|^2yDx9gErZ
zq3BgwP_RB;(Dc45JwFSwxhsN77jv?B9(*UNMQs%dmOs_kUYZR;TDd&M+KYB7Mh<h=
zzYo+{0q!bjibP}SfAX({-@o#GAz5Er-UUws`@3&ACjXir>0!;EgHjl~)`)4XY@S%s
zXSn>J00xu3;AaMvvpZ}>mlG)UH@y#9Rq__9kHr4I{r%kr7;nIrbDYdB&88%=!tiSU
zLOr;}b17Fu@_59-<5uMJpVzfhSM-sY_es@@CW2P{#^q!<;NDkxX4j>K-vR-1&;v9C
za(OPVDxPAd{Lls0JH_K^^GTr9_BzM9>S{;QgyusT(vFe}*=>4sGuL?Q-5M^pcM7NX
zuNeAI4<>4}3VGyQRx!GH_uM9~(i_KnM_DrVNIF>}y*Ip%eeQWL+%~WJ_ChBK-W87$
zfVW&Z?j20bWEApDI%Xd54wC~uhF66%rbOnvlWv)(yen=WMsy(xuE^nc4<<&1UU5;f
zOt}9NoiRQ%9A6wx9gbxKc#q0e=5%3db}5Zs$_by^4_P0kbP;PFn(SK)ymPti)ma+;
zw6!ly?DldEuc8_*f!-LfPup&QT4HCZrNcT&uDIuqd|i*d&jjXH$U9_omLLY%SFBo=
z92*a;EhelcmNYy)I3r(2Ci{@K^UKHURDb-Oev6zG$sYGkdtvXiLN%RPnfqIOW~HE2
z#)ZdGN<tIe23{uZo_)ruU`e_$#hPWsxMkci?cl$FxxKmrvn=sEfrqtC=}?<2D4<|T
z!zJzX-^%}HdrBSp5*Rz*5i16qg7Pp-Pw_A8Pgb`}$Bm0NwQI(me_63-6}Kcey)W>b
zvk(qbr*73Lnb&zfdmr(_eqlw|fzQAse7R2XnDjzRzreEJ{<g0B#S9H9*ZW1PniDj?
z|7&uuh77>Z>~jD-9c};X9A9>)FO#E3Wg$ikIQn96m!^koDV5iGwQ_ICbL^8*1@GL;
z&k5!+V|w@TV&}#7-M^!j-mWu4hKenWWaHoA7Ci4w=;)QWq4(&-%Ex;k!|h<PH{$w>
zszz=5zbOHm$|ylPO2<x3`b;_uYXO>A24QDbO$JO#%aB{t?Nbf}pVaVF++kkze|=PN
zM=)l+{Wfy0cwU*QqcrS*bBz^$m6ZSrZo;#u+JiW-NLX#UBN`u){hmMZt3@by_FG&&
zxJce|a16~7@D1OOH8@P@O%UYnu2FKWG^2(ivF-uCcL!)Y6ckV$(6KUR(>2mG^)3SA
zs58^*_R)6llQj)5QqbHSq-a}Kxg^rBYFXYyB=Gj0Z^ug0xl+>8YVO4)826+z(^TUf
zrnyWGx1ZnVJ5{abnrAJ&d!=Fn<RnD)*fqCJt>G=}UB8%pv}_dLPhXg59!&4dCvA0T
zrK<r1DE1vzHzwA;#_ct~V2K({c%E@JQeDj_j6G-a7|K`dl6stm^wUUg@^Ki*!|X+M
z+l413u*Px4W+g3vcIXce@RGy=6qi?<d=!@s!~%d06+Z}6L*+qvc&L@MV~x#<Ztp7&
zeSS8}Z$bi9ga<^!pPwc2i-<s#D<J$3<H3#2k^WF;dvEL8=Y*k2i#`W^Wl&{=1e{o)
zvU*Zfhxk%n2DKujO;(>i4ktF6J90s6`{tvAA3t_1G8nM{cI<rp7$R{N4_C-@;~OP$
z=j1oPkY}BI{g9zEdECH|XX|`BP*Gvzvxs-00uu2hPXZRG*gE|!WC*ZP)PO^MD3=^1
z0tE_YWFp%fH07Y)<oRqUv1>(jAnA_@;HVEblGUOj{2kb>(L<HWVGf}~gR)zFB$uV%
zH>pW3?V#kzP#>uBi#kI*(@$ANwpA(d142BtmOvITC~|}Ni$V-gVs&#J!9hR8qL7fd
zQ~UryWIHcx5)cycRxraNzTDU%7TLz8)D8;q9BKvifXzQbiAA2_AR-nhaQsMoi5lLD
z5=$W8f{gkwG$kA|giOT;5`{RW64_>voD|yTLH(ITcxha=E877T%Ms4za!D7`mQvmv
ze+Fuk533Am`%u*!e>;yS@(O5UxhWbr$e2uFJOC3P$qJV++-fZyWaj5E+#D<%WH5hX
zxB&)ZY_l4Q+cKTwY|3_u+b=Ur^V@k;m&W_MsoQL#9b4{c(j20zhHF}iw5b;XIrgC2
ztr%`I-VQRp7GZ70UCjlK?4li4f)WX7#5R8R6;zipu^c&^^B4~WLurQT7Ga(sZr%wt
zK(vGElAL5Om3S>8Hb7I7cn!lXKG8uY)+Veibga2x2&80tS4(j_?Sj!=Mq(SphUWM;
z8x!~6Y_u7Fvt>_!>;jP~{~^P0LoffEWqAH?mVjd|7LaGkmWAMlw85@68{^4r^Hc*#
zob^qkeB~JPM3)(yhFWz)X)u`<Vu+!h6cY?3EIK&&s$nhI53*X)A!u&svkv1`)R!4e
zmmxkwPac*PAKXHRzOacl5nl!;5Ql;e^Gt}9$g59WHV4Tik>GY3>cfj<7H@~~bl;o-
z>Vp>+y2!S{obvN94>7^p_YZ*~ycfX3zg$yCl9yd>m*j8f)cJ844su8tGtlAPnd}@P
z@4Wlk{+D|O&a&JZ@)O%Q$3mYBdy4SC9-OT55X7!!V}uMn(GqBiY;So~KZSTc7n4qq
z5fku4qDK!60x17>Q@6sz=*RG(!2?-gP-h*$1%>$1&MKIQn7|+Ai;yR8s+>D()-})~
zF}W9?IZ46yAh){}{mn#h;AP2r`s%^Zn?2HK%q?|HSKQ#}RV#tMpc-8OD__d&I2>KR
zC4IoWpHf@G;LX}5p`zeoI9k3Xap2C=hGBl@zIaK#C3fIUR`kFam*HiRaz%2hvymN;
zY}EcNu9HlT^lS`4MS8Ua+bK2E7ux8b+`o2C?!kZbbH!nYul}c^Fkk(gVmx2{lHwL0
zmiyTC!XeWFN!=II=+RF}e7GL0w>ZZjpz@1ObmJ!*z7h9?n}tKr+Uq4>l%n%Kec^L=
zzrIdBh@B?M{~{Tkpu?*fI~_hqt>6w^h=@uud@3*|%FLtx%==k8$kqK);8BN{Q#;tz
zxCQp2>Bl#Ziyw~In?%D1aXP#NZp}Z#zmUxMdt4}8V{G~kjs47|&$~mr#%iC>&f9-b
z6_g|R>4Dr5y!vH|<r*rZrw9GLrd%XCJ#VZYOprc=m_EXQK6p*lJ9|c0(7g*<Ac(9A
zBeC0F4U9$~PNmyi?Y)IQepxVL6)JnT@d7v~^JE!}Uxn`6ZN2c`L!SVYcj9~pz43R_
z$#@+HFBshxO}5*N^S#N&f8A`NvBj+Dc4`9S*uYv2;<3g4&wbVZnPdX~m1QFAU`Ba^
z1X$J8h&n!d2HwM6U~ba%sfJXd=>C5R0RKOzF(UMq#|?P{LpR0BhY)5&AYp_vU_?TX
z351OCN0m^63D;wy_06wBNbH4EgH=p|&V(TqmF@-Ogb7|}#PiK#d_TDUCl?LMf%Jah
zgx_1|9qWN?f=OCu*77a2MXcyWY=UiEX9wjz%r-|mnZ90-+%dlq=*rgsNk6k-KEZRc
Ob1=e@k%`KQ!TmoI%zkeG

delta 98933
zcmb6Ab8se67e0#Sjm<Z<ZQGo9V%yflZ|sR}I}_WsZ5tDFk~#Bz-|yaA_nf~@)#|RN
zyI1Y*>e{u}v!1nf+$`C9FIk;6eVS+pBnBiaD<^vznlFGBlsWBM#0Bj8{YB4{nIZNF
zx8Te@?$NQRxG=O$v>;g5a>Wwek69=CzN#q(YZrmRpH=#dj2+Cn;&V{;QUc?Ih3w={
z)SVZjC={}_FNC7JCx3#B^e4cS`se~j%#zL3VI)a+-#a4c?t@Lyf^8E1p?NBl!*Y^_
zv1sU1;LY<M6bJ~f*az1`g2^WilYy&}ddC`lFP(ogdwhYdtm+G_kvU?Q&pCH-d%)#k
zf7+CWc@1Gd{ng=mt_<rN0^y#^vs$z(ou3<qE6sEPsJ)1+AElBin2nr=c3CX~i<xD^
z4!YCNG@GBAqE<X*n?TT3j8^T4|0!A0l5&cw=r@!FvKH;T-0k${$?aYiFPP=w1c~IQ
zGW4{`2#yVtDPmvFYE3T9zR6agUeR!tmxz%+aePC-#UGa>ZyS5o1anZyZ!8xW2#AAo
z6~K8XAg_w8#Z)D$9g?$Xbg6WE8>c}lQMtcWD$-3}G5P`r+vZNY3{P{k@j46*iSuJ$
zh2Td8eSxf2yaXs<SJv#=N!>ZxoPrT>^?rK<VWdb}fK@!1F-<q;NII*^&6|du6|jAf
z&KcWUGZjuCX@++S4Tv4pNNY(BKei}E1>V-l62eJ75=e&lBFhq&cw`mey=>d02yiqp
z>C23AvYOhn>3aBgEJCM`*9wMeu>@?u!wbWJCN@cy!?;aiZj{n8$_)C)7WhVKh8m<R
z>nc_xVD_RL5gr&L9}3IxErRzyxdlFMlJF8&kJHTc1TIO%<>FSwiHL?)MLLGlR4>0}
z;aTR6n>U5=WUZ3A{Pbl0VGJ?M-71sw)5axDwVG_bl<hLR^1FJ;h#&qjDPg)F3VQ=R
zh`nh95#ORLV@9Uu9HlcfKB7?hlu!jY*q_uxtMQKhouZj`Ltv34#l1dZl<PEON9tUR
zV*LOXeeSSf#Hg2`ITV{imnFll$RPW)WK1a&2@3<>_Pc&W^Q$L)qPixfFNKDW2(NWp
z?|Nw17O_`nsAUq4c4;otan?JTPG%Gc^z9SdMWAh=HNUMy8POikn@&>A%@tRn;W<x*
z$(s~CpA@f$PxcwyrwR9*yz`wuL4p(ywTDRT3voa(cx<p>mgcfaUU|Em_pjU6<?!*_
zvU}%pPQ=VfMO5^T{89!ZPL+TqrCIH5A4|TRU{lSHLd_MaT3CF{UlL@Gg%uJxpfVeK
zIF%GZr4}nxZ<XkgUp8AUR&?jx>!|O+RA-}k6XZ>fp<(vnr&DG(>VBmfcdEtR*V0n+
zeXqB;nu^F`dEcYx_``=zCCo`AviQ08KyOFhsAsW3BRx8iZdkiNKH=|K`)UmPbw4Lc
zHJd?OZdF6_7p-Tu$Fw!893Px0AZxVktOso_#;1$#vI&)>dCzWUvqS>hOQOBg@t{2D
z{#-oBX6QSyU*>+Ui@vq|;M#1Bx)fPCZx@Mh9IBdYpCS-E<Z|>ax{!4Urh|WBR{s8Q
zYhp$q0b6FQqvwO2-viqj0bJ#jL$8cGO5?o;AjzOWSMUlw&j3}9DM*;TV9YNJ6HyAh
z(h@qMFp{)cxYG)np=d$Py83b3Eogqdy+Lu;;$FPj`|*%5V6up<P&$1w_wg&Y!G{bw
zMg0y&wSkYjF9ea7b_+vf=xA$Dl={{j1jwg{Q!<qyz~U1U9afvMWfmP4=NQW5pv&o?
zAF=3_$MN4#rh&bOxmQRquk#f8#RtW}{uH7i{u}H3U0?{5rZ-4|)bh_a7XsKXS>{8-
zyToi~!|^|G)Hghnlt-x(ln*xCUuwanBY8S=*CSiOm50;{qTdFT=tQ?~%TMx~)d{TT
zVyPQU93t(k;8K$e8@yRK|M_cQ9#N)S3M~h#@7U35VH3&FL~;lJCL?4IAc+dH;X;7=
zaR_Gekj;d9l?u8@&t6vcJ`iN|WZPK`{ss|F38e`Srt0ci1Qx`9eAw17iLd001@GV0
zuJ1Ch%&yHCM%nM?N?VXRF)Fx3*QF|M|EiCXTJs}{F`O#BRZNP}v<4`^DFc9^<Y4hr
z>1taZqUYrJ#TG)S;}{!E)FHA5FZy^z60z!5&5!JI1_es`K0iljqEbJXb$^0>>!MsL
zMTuq*)Io7y2JR=j(T~1Nj>!-hL|6{<C{;j`m}z$zQxwZfrzYVvW;>_0A4HQZ0SWJ>
zVihS<5VdDGl%upqI44a52b3%}?Z(U`<5dBV&oR3w7Sn{B0Q(u(5Wtex2bsSQ%(xRe
z8;~p@Oa$SVnn%9Rx~p%I%54Xc9mwR&20@gQ|1#c<;5%Ju$qDl-oimz8PEfrYMt74e
zKv|Qj(a#lV*Xw=%{ldNfetvzu{dxR;{NZ@h`q10m{yBU6zP`Qb=(y7(v(|Nf{KUN4
zYak3F-5fuDAD+JaxGgL_Gi%pk0Cug)G-EQ)7lRI4lm?Ti_utLizTR%CI-UIRzHX6G
zdfGdGsuulW^}Qd50-drJ5+R)0q4R?3@oJXIrS83A+<ulQt9VbD<@<14i7}A;+GJ+G
z|H>Ne%BD?)aY&Tdh`n-N#7;QVE=}h(<X{|?OHwPKS2opqS}FCMAMFxAVutk29l+jy
ze*y`A;eLh4&ZD+&h_r@pzU=zF-0z=Q{%C!{f3v*Bu?L;uKKp}sLZFxqaV(%Z%?K<V
zzOEsYf6eahbbsALe}`K=Rmuy!)Z`Z43QrSGnR(Fs+tIEkJc{7x@O!tvOO?z}8T$9l
zPOqQeg9CfhW=Zd^@5jlq<qzQy1)CD=azxM-nOm##ZvoH~7RA8V*Cf;P4^M7FGTuVr
ztx>KKKR&lGf^&pc*0=`-(<##>)(xCV9KRU%82gyuTx4&)v-AA2{~K7(w+zlj^5!~Q
z&*x61i90Un-5eF2h3;lMOA)QTdNjzb99h=c>N3BW<L($H+6N_;0@oFH)zm5BfBJ+y
z|M0#f_?}@>nmrq16jBww808cjLCT<W@qO#{e2eE9vk>=n1+QQCUdwN0XKC>h<KXAm
zb!bV@GK6D|wC5Z7-{MpD11(Qz@REH3=e(&`S^hkfGwV@*X)A2w>252#6KUV<+J@Y3
zS6&D?MXDsQ6!)MdXgY*H&1G2ZNpawuf$EZo#L=5T?zcxyF-0^CUpNzI9;zc~T2T$}
zCYjUUN2;7u#kjW>2?+vZf)TVz5yRLF=wAhNM$op4crNwe*3+zwMn8e`z(nS#QX`2}
z2^GQ`6+uHf+zHi;ZL(WQMNOdXF@|adeJV}=D&3-0v<%2TL2j`8Ti(IRAI=7ggnXC-
zifXh(5DyhaxU}t(B6hSfIRd&Tq>f603%;21A|GjLi%~*65vkV}OVpWwG>LkrlC!J7
zhY4&k4htOt`GIb51W6^W#iOsq5LwYVB9ck6eTJ7u#=(iNVa=RoCe9H2GPfRCi;eWf
zrczoI*&ygLG$2J1oGOY0-p59a&M)x2lDw4)H7sJHAF=qmcdp5aFGdkGN;?Fo9t}=R
zV0p3tKi;iJt6?<x97dJGrTi8KbumPbqDG5SLTw|Whs>6o1Qx_HI{6meR3a&nZEVwo
zeg}-Ya7vg-lamsmtniQUMsrn_V-HGziXK8zU;w3)V&2Wh#8>L%n4bD-#-n{d9x4PB
z!eTL!P|6C8&b-Z#kT;n8q@e#(^w!hZHC68_bP%7!hOj2(P|X;ab#(IQ4^mKMb*Gap
zT0~gYKnbtIjFQ?=Mr;3T;7_qvB7g?#f5u%B&2P(TMx=8xzOEk4y)Wn=N4WL6icy7|
z28oIoF^pb~-pFF_Jwy;bj&ew%YQM#-V(A;b@-3D8O)u>mBbmE!-OBEjfvuHC*jK0c
zMoH2URE)ej<_|s7==%Yi9sXij@w+wPp_e#B^FtWb;OQmsw)*GI-aS~^<o^s=v5}!8
z&MSsb3f~mBDDG~*oohrNu{!ML5R}hNF`#-TgzU|BHl9x%oQvpPM3evj#+<ldcZ=+w
zKCKuuluU2ez8b(nX6GE%!NcIa&_hP~rt2Gxh=b`if$`%y^!V_*Pb`K>P<uAgB+UTg
z&iWcq#r=DXUTS_7=C}$o@l*}FRk_fpq5;_O;u5O2l+n>uf57vjxRwl-n%tBJ1vI$z
z)d(#y?crZF7J4v^SvM!eMLdkDH1Z$cxJDHW0>;U&n0!>hv(6(%{FqE`p`Nl9jCEie
z(H|^(70H195#y8KeXUp$ithk<h8mK#Y@JdNWju2=A;JiXl?kapo?mPZR9ja`dh0Wl
zXiLb$0N=H7fx-s35z+Wl>a-Bp1D`f*N(*FW?L1erSHMZVf=-^PC4g%dFAXVgFZKaB
z%QZVAJI(=bN|@J^#zot-lEd6eqc02kFl&8-XF~4;Ry}Iw-|xst#^GS)paSxyqlJK&
z!jTM4A+n)il-Kr_wNwXa$>u96B@F@{@veG-QUeTzbuRHmGCBX=gS^ebbrR2{3lQ%d
z_Rf|#!MqiiBDB@Ng>h0BwauxLKEZ@7BQun>+cAe^7&`U2QaD-Du9Jt~T!{P*7sEOU
zQzv-N5;cavLrRp?Dy8}yLVh`<iwts2=>jtkH9ps^uOf{x_R;(~UCLLXK_ZUZE_X-h
zV_}Fb?wUoXZ>A53^x0uOlb4up1sBV_+*!hmZ(}Vb)%Ck1GbvR*#hZ2$4dhsax$;{X
zYr5318^GdUI>6u!1bao2RJ>w8ltyR03kE~8nq{6me(E*!1A!i%m*O7)*C6vM=I6N;
ztQi!ZwM!qMS`94Mc;Cvi;%ogK2GCOQQ(38R65e4i3VnFtn_5tojP{0vjHCmWTO~bV
zkzIyaWkd6fF5~yD?7UU@JNJo@t&*Po`-+c*iR|C;YaDcclp~vayF~BRFVKiPkYmD2
zzUP4-f>u86IJ%UtsW~Tv2S5kJKc@dm>Fs#beXue)@)HR~Pi`W|34@=wyX9P-@vY9g
z&&--WJA*CS|HroN1y)B~ulL&lZmj^fmwzT&i{kA!cNuIz{P>=~3ezog_LP%b!Xbrg
zN>mhkr?%(I69JFE^lJURB>EnS*Rgkj`L$pCaq&}a+Rkq;TpR=|@ojTs?W4A7Td2<2
zf{A<0Neh2|+t_)Q5+^5ak}U7<b)qJZZJ2jVpdgPk$KSSLUT$fxy`m)roa%WKl(t3r
zWO5;_y@QPcmn()_EjFLQ1Ri3wnun+ngww}tmC}8I2k{9Se;o6~G|b5)9M0RrOd41(
zKU=g%@(SNu*uTsWJa5%1@a7I?u5K>o#`ga~jwUwn92~49EF}Ly0s`>N^5zbfZdN3m
zESyR6{PZ9N*G&@C?n_OlWDB~6093M3Pduds#mtt8g2SUdtu<ph1Z-J_hu_hVQMRiY
zGmk?;YknV3U`?U{C-aiHIr{LC6sf$^D(zANqwQugGC$yhCg2$l?qw-yk5LUDJAPHO
z=7jrIRkyZGmKv^%i+lNbXoJxa=+8iR$jdRnA0&c)$_qEI1ZzI_#P~}La*{O6$~yP+
z=-3wxL*!3%>y!6oFw8xiwM%A$l`{PB_}L?sNB*iw%*(<cbJIwiq7(=Y9n~02B;`|t
zXP%Z*DZnu;L<W_xuw_a!1IIfXA^qcc3g6bYB~UtCPlGbK^I2EWSzXQ<Iz)ZanB-S<
zGAsiK_rvu_m0;;=&o+TA&i(RtZp{tfvghsV!R!pi(I{jJGX<%DM)NxD<^jbtPh@R}
z_=--g+F~q*Q@LZM^Qw;p+N|S^@0f44#<ip4hcx!ZbzJVDej*!<m@2;1UM{V_eU8z1
zyW?lHj#9&gJdgf_C}*%1G^ww2(i5pz^t?If`TTivd0L>&OFg8_2TTVB>e6D?Q*NQ=
z{93NrIBtZ<tM-GBrue%!cduBwwo)wLP}tr6_sN_LeK8XMdhZ7y><uk-(g?{nm;$fY
zmE8}YIGCDVcd`k{6YVfny1D>mWqU5@-<i{Z;R@zV6$a9eJmPnJ4`O`5|1(XH{{QAl
z8Ywye*oY^@0Z57m2R51rzd!<58g(QHA^$4?HAcyV!K9%@{Ch;990>*BNJ;?5XzW*q
zfB~>1k$Pb?uIY)x1K83;DgWJOw#<PA@Fdk^P^Z0z0T3YB*m${<>i^J#9Pvjn{ZDIg
z@|nlQEi7lunF2Eh>i364HgH-HI5_`^B-n;W$X5c@`TzFpYX8F2E*vUpLxx|=B=zz*
z$#NC8O#SB4?>x@bV8RgVGNP3;bkPP~Mr#to1T!M@%c+0tm&Kf>GwVo5WQU9nl^%vh
zrBoDUN}UEHQz=Ed8uqsckfNAVJ)1E)VQ4ZdsWk8k-(x771x-2;7ehpjRi1)|s#1{x
zjKY+Vq@XY#&4r-BDCj4700M-s{4<6!x={oeJcfTmeGwEzq&Zm>gj}<uQ-cIo|03=w
z76Y;YP##fOgF6x4Arb%wEr!J4NgCzY+0AK`2#atC0VrNmMO-rhjlo-C;GSK?H1U^+
zE?Zr0SUelaJrnl^yC)(L$-GvK2mlN!TErTlg63(dTCiqHw(Hp;NBb4=b2f;_Ayv>*
zY4XQWn~si};J^0LbPgp*-hlbgYsg7<N}6e8>-7*+&=nGCG$!;Ua*!=D#_}=JJkll+
zVkBP_Blt9$3xyaUz^JMP0m?_I>UA0XPqHg0%t=;!$0hSH<bcx*Qp#*JjG|CFb5^}I
zN_?t7I&;e0z1MV+U|=O=<bItNX;vnU8f}>k1A5wBS3PW!$&gli-8I}n;x#pcmI8g9
zVWeoCi$|yv-f&@PW6gIxwDNFkcNL>mSl2Ps)PuU=C2?{PB00Jz-mp6I^Un?&IzW3{
zW;!)Bb<)Z5@6#GvBF40;>0&Q0ua0w}zfD?ST-H5?HK*6_?g9E?+|zN>jVE`PYkuh*
z%p2<?-822v{VLJkYlc)x0kxc7$l!(2H%CL9%=!<57t0fzN?V%Po_6&*-cbg<9=m?r
z{k@0AYR@*H7{zr22@y5H{;hnyT-Pn6qx(lbEaFjV@@4u#FH|oo7FsBjEc}qL5$VAz
z3?PNYoe3Gnz4D-_m8UNUn$;f19*Q6V3sAeuf+$34M0~M|8F9z5%^N+R&La8MJMX>p
z&iLpmIy5KZbGj<^z;)~+;Ap-i*lB-1n<hdD3oZbJ;$R!#bdSwKPE%EjWmx3Ngmp4D
z_=Y6LUWi-quEzK)DlS5CXq{Y)w6YQ<)1xrslTUEB$yVuba4%6H5Lab-QQHP$<+o^m
z5j}$`g~a37tzCp!go4nBOYgvaI^R89L>MD~@vBLOL6i{IHp~&i7^PY|Q!x1vBeChj
zXZ;Nb(nUz$am39+5RwiONfHacp?2&R)&t0~Q;Tm176$JIA;d}MFG3-c?zd%0!zY9&
zm$OO&AfT|fXl;TSe$CARM@Ks{rs3<NbOai=d>~T#0mLIY-LBfe(a8{{UjT1Y%DHW;
z7FYe<PSd^qZ>=9xIvwE>z;z9g=Eg1oejm_7<m<Uj`?-dHR9CYdv3C@($3IgiWnubG
z<iWQ)v)c}^$~l`S;67dTd^pnmmJKmm_IpG20q3%1aym2=#%F8BtG+{Tb|d=N(M8X@
z55J-OKMvwXXbDu=;b<Vq2eOZ!E^?-dOfMz<=<4n}(U`$4=H~b6jb5iA*Y7g%Km@J9
zz46`e#~iTPJZk)~5`9m!KQ-{pdCZiirrw60E{ffqo;=B8&Rzdo>%VO`(`%pkBl@Rs
zw_f)2YSr>c?aJ@WDy3<Q?Uw1oyu82nSH!}9>{<U_cG;`gOXezl%k9mXIKN5`eRJFC
z`KQ6c<z1***1gOg)9!Z&6ky1A9(#e3v=S=S=p9ju(U4K%KZB2R9LDjV9w3hVJ|*~+
za~#oMMl~h(12b=wH2jh$xwQ-SWtP(zRc!^f?7?9=iR&*0-yy~x#^3Su{8nZ6LP(l7
z(Y{`>;A5{hSU>a4o>vgtz!O^mJ~;8Z{>p~{57(Smp-$XD4GgK34{H@TswGefE2P;6
zM?{MhabNe~BZ2Nv(W5}<rnf;XhgS_u`XBd$?uBv~nM1A`5`B6ZJ?MFpY81>7cbFxC
z8rbg%u}P{ulqJQ|-bECq-UV7Jt2)vQuSR|bICha2$>0)RAXS`8g+--vu*F`*E~P+^
zdA7=#cxh}-q5OPB=}5s##(I#Ykj#~&W0asHJK`ml<0zw^Ee>%?8s_uL!m5>bzJ7D*
zN{0An=Hh<j`l;-??~}1tOXdu7X6^3?4G2`a3DbJyT24V_X$@dgW=-!U!s#HY0oXw}
z3h^IM+3%Ib<CFWXS&iRuV3rCU$p}$8cTqYM8#O6?QW`)E4)l-MzE#lb-kv)8Ww+1e
z3_HAE3WpG1<1zz`M8f6JM|L0b27l2Qvd)mhlDiiPqfNiDQ#%j`5v6##M;T8FK|6&5
zk%<~=a$?YLAGYAv1Y@4&xlEp>>hD7r;pa%t_1u1kve-L6CkilAZmnG7MvWw@P7eeq
zuiO1!vwtQWuf5lE-A_QyA*14Aiu))=ke4N@vEUxwUUwho7e$6GS^Nov2E4Fa(ap=i
zg7i+VrWN}}p{@Di-V2(a8>9PXegx4NC6|9U+;f{Rf^Qt6YB&GtF|AztoNaSgxgKsj
z+6jn2g%YS^W55e|aC&v-w0@&9Z%?B=w-8f*3kbR3yAv|(2wnk+VOtVP*tU{thb=;n
z2V3D%(dxh~SeVgp#H2QcgF!El$($H_(pE8-Aea7h$1ymIxff9-F?s`4cq&V8AwsNt
z7i2<QV$|q-B(A?FRTJ{~o<#Z^+`^T?$m#_-c-wbp^Dm=N>{@{FfH$OYRP~@itWjsU
z;&v9NLGz8c%b+#Ls+^p&@OOEXl+_|_imr{=IS=PNQDyhd{Lh3Bm3Ng7)+f`O(S^88
z*P_SkQGddV)e?Wfi&b(#x{o^Vuq%7gqq^tJ<+26Q_}Aqdq@RO@f7TC7T%C((zx+FR
ze1!EqdKpt4H9=;#D6@)kYdiOJ7mjrT2RJLIDIqRbfbnrq9#ocT7@4+Dv)hkA{qphW
z3*3S4ibZ=uhS{yQ5W>(#ftq8_9-1g?2j%8{C{TZp3G9(h(Bd1O_>SRK7Y^2SR!~AX
z468petBFW1?p#4FJWpxte{$Z?cyRZ{JANP|*fR?OgrmE$$3GQzMb@I95X*OeZF;n4
zw(2u|re(cCf5D`AXniHAcw+$AllpTp8ri+r0BNe0P{2knZ*Tbja4?KU=um0I{~@CU
zW27`dJQPObQZ5BznlS|guo1Be1_Qv_2<%aV_@9$czctK%DckE9Ds<Z2<3AQhFnb95
z4?$5UQLQ1TsgOa^fu?or9XEN<zitfs<2s4O5(s(_QQ8HYbRRte`SYzh`ff1a_OLnc
zM(V-8^%TEc{>ELG&Ea8AOo4)LLSy_nw(oS3VJQQZm8{a=&=BZ69VM^Pk9+Lew_GWM
ztXYOW>8F~3{>wnywiqqh9U$0NUES&dyd4TJ2gh}@K9ZFf1o>?B7oE-1?<?MW;xm`U
z+(aguZz1i_Wz}rSPT-!WY4M&~0cq%^;h4QtnY13mh4f+P=;*MK_N7F`--jnzb+`JG
zByiBU_2p2Xq<BXdz(+hX$R5oz*iLR(e_*q4g;B;uh8kf)g`u~78yD*piQ<Vmk@ZTN
zN1=BtFtx&u0kt;X&lK#oBpjL73Pkp>(!}XnX&s9XOrkNDJjZ^|mF$h^gkC{mgN-RJ
z)S8>XU<J7qp$;cQUr<s*53XgY+)|Izz<HNGvog$m_4VPPvx{Pzh>mcunCvmMh{3Fz
z?xRbv9ZIIE43jC-@M-fZ(s@%O6`9!Dgqc#zClp2Df=YuASS`_vQ)0A2;E=)w*2~R?
zvy5^joZ137m4u|{MJTl&14d~F%)#w46RW}9zQvrTJ4`qco`sD_=?;&yt8i%451T|u
zUDcVS(?m}f1xBn1Na@vc%;)d_6elkL^hSiukCA0zMmtK`&dCTwVSP%q`G!!tND$AP
z1caQTf&5(1ANm{Xjp`7v0vgw-EK?NX{R<~<P1a^ebc!vjAqS}9V&kNT%W5@C=yn*=
z)Y<8FG^(`Q-|bL?Pnup!UYlQWg;62PiVjS9?UyXma%Lc<&C1|3s2g;y<TIKM!P=9a
zibeB=dru~#52o*&`Ni%mHm0h~omKxl-)X-61r2&F>V4MG{F)qp^xZmRu4>TJXjEmM
zJQ>aN$J^fpY<SJ+1SJNo<_@psQ;J2K%q9EKb7O{5T@L?|(yVG6TrMPV8=>pC;@sM3
zT#ld{@|x4?_qSP|vuzNnDp>Vp)m2v~?-;Kc?s9m1wEK#yQs>lF%Ie*f6)1W0&{~fD
z0KH1seH?m_Ww?uEgEhFJH#Jow5fF`)n4*64sEm$Q@~8|8S1F~??Nkt7G~|SOXp9ms
z_fwe_QC0_BX9DQ4sA3pIY~AIye9R|@ecK&0n>{}gQ}`f5XAl1T*l17Qgd+O2z0cQw
zye4PTxIx8ApofAJoSm;A*RB5kAg1|O7ZgM7Zp-eumWNZq^lN1L@lS`2KCt%0R3>8s
zUv^UjxK}l)k@RN-G5_;Wu_gEF71x@-Z*j~74KTR^&K^%D0JzH!cSnmR@X@`Qk$55Z
z7&Z94bh;Pv;;T0N8}vt-P`irI3Yj_t+jGRFTPs_LlAtg)v3So07qB47C7~xO4!Rld
zsZCX|U44;h?D9GlytnPKACP)(L1IE{u|HCb?xGN$`+jGvuAn5Bu7XLt)2%sNc3-Me
z_L6om_*zYXDQw#3vc6=5VsB{jw?n74)O?$*?s=tma^3e&ONYvJ6e;5%C55}rG&nc$
z2)!FXWc#s>-M+Y;&_~Ks*?S|m6Ex7u1rKMiwkq|*gLetIbDc4eB`#lo_ktIU@B=d?
zq{HDCzPl1i3`)E+qg|*IXZ>-)hACWR%uK!Tn!cgoW#e(ja7xGff}Sbau!&Gc3+U0y
zwVj6m3WAM63k`P#i|@49{N1dPYlX1*!kf;9ka1Qg)DY!~Koxc^^FgM@2$UZ?RH;D+
zUz~VLbMbi(r4_U<r_kw1O>}LK!n2O)52pw{QAi-7RifB1B&y4@uGl~{HPl0r)rECo
z`!mpvkKoIL1Vy;-^q^`O6ybA6?3?$BGA|GV>iy}{n-RT~lvTBDu>C9->;!;9p~0m?
zJ?#_d<0*v1hi3&pRTwn22Z0HGYuJ0svM4tenD`*A{4|dUJs_6b;5RSnYf#-mR(^KT
zXO7j`&aF3f95d;IgZFU>foCDF&Q3+b12;4w&Siww>I5K8zlGo>_l*ezC_Jl~=w53Z
zS?s#l*pi~&+*RUf9T(t51tIA+cP0NAK~}j$C)KZcZ0cZ`n3Uzs0;Mz-@yBhF3|(BR
zd{>Wt-&Cs5p+0u;HUMKS{*C9qo-Dm-I1F)uD~3|qMBf!^aHN@&(K$YXnAE1&pnCAO
zRAY!QGx@w4Xm<@L-W`1B_Y?*$910bW7Q_>^&JniG5w)TcS(7ve^O}Fqi$E+o?3^?3
z$IZ*$t%3fUsV_Hsf=-QKckg-Pxs4F2j&#mM=@x0*dgW_(;@5&&zbA`^n*YUG%Mt19
zM$?>OPWh#>`62&{8LZ$}QqA$^zMyJEW9MLRW(Eba=~+MPq5mA8Ne*9BA(b@FGyLx|
z?Tw<8tAhO;E9R~wLY$p(0gRE)oCR5LGYTuz1_p!i4Ii5yzd=C-(%mlJLOnJUDIQ<O
z<_UUnZuRuOX-qLK<L*hvh@($AW+e>n6<NqaNft&{*xKML63E+TvNSB9H0y{LZte82
z_w$y*y=!C$M|y;o;04rFf<BT_NA1a-sa6h1VE&i&ncdFWc*hrCg~O3&!CFhSg?j36
zb>_<OarK{C2ap4_9YDI)KDkk12xrO!W8w$zm6-lTM$fmDaaK1ECk6_}Icw%{3goVo
z1oa9~i3-!x(;pLm%AKVZsr#x|ByZ$7mA1yKu>7FI=NNTq$lPE@@CAd_>f`CxdmELN
zVP9Uy%)2Ae4%1!o?Rt<IzxV~^t^yY1R51sbjK}>p1}NW!Cf=+Qg~E#@z78J}$86XR
zt!d6S6~i1gPsF7I-_68F`J56av9Y1Ys<O&)#@9vD$FC;q-sQPZvf(@(-^V#^pMdgr
z8i|(`T;e$=Z<Kj$qi?uKc}}ped%~ul*ewv~@n^t7%vVO$h1e!j{DpB^+N`&65lCB0
z%+TUX0GczcFY@!uB<sY<k=+&C$G&<?zbbn6MbZYE5_FD}x!a~y6xms!4D*lcEZkeG
za%+b-+3}Aj0te=Qq;j&lCpObyie1rU8X52jAXfYCn+$xb_GH0`<@yaJ^RcY`8*E*2
za60BlH%s%^)=^P8P7W1LR6cBhOLV02nsD#%g?R3|$u-KXmYHMQPi}hRIo4(zR8(p+
zLxCii+2U??x;NDdc9~rae|WVo6#ZM=%m1g6%EkFVy4A36hVmZ-Y^1w$Lij)8*RMZB
z@Br5T=wPjT&;U^c07qKFPXMr$3mxzXpB7&Qf!Qid2p~ZG$NK(>Vo2O9|6eVZl_QM=
z7o0B502&e&G^=T~&Qys;D@4%;8xOOEWfe#=URaYLNfb<GwMT0QBlEW>Jc$Q)a~0`R
z%Z-(MyNW!DEKcSE&((Uk4I7O^bws2nl&`2+%)zRg1;z&05-`1h@6?_0tIwUz?_z>Q
z`hAGK_-Cv}l*uo5#)}ZF2ATPT9B2oiV_?=Wl<7hgNU54!O)4z~E^S{++B;)zG5?^c
zPqbGG5E7(Nkif%-p==)t`=9`q6F8ht!pgw~9+sn7n$E<?;#pJ>fb3>=)kKzq!!`!j
zJxwx7uo&o`J{~hjQx8GQK~opc4Hr~{?XcEloIW1Nsud&do^=*-<2f(x?syh*fpb>C
zi#QYnBFtjvgHR6Vxwe-C62f2!bAhiFngT}LMmtV)JV#3R>UJo0JkL4mmI8ddr|@DF
z1NO6-rZu@B3DYNxDwr@nh6nTqBOw+sMbaA|^8*6$1eZ8oi+y;|XD)*CFG7xRzsbww
zu4r<V$k?Vs6)c!UTA%GjvV5mWO^=;%fJ5vD33#&41zOuFD#OwH*q&LThKkHX)1x55
z2@o%#g^qTK8u3iv9}VT18aq4ni+;bub+K?-h#q`pGeQr)G=p9iMa<yRRMczgUyIG-
z3MH`0N9q`INHJ1(?3;t-#W)I+C0JA^S<Z;Ep@9y!t)qD@G@8HIGivr%jU8~W5um>W
z?fU<PfZ(h?u1s;Rixuty{dIZT>j#-g(gm~NGVCn#6!TVV2J^CMUA24Q(1jzlXAYw4
zqzi=F>jVqnGPHf~q$*I>^g*VdmqXrc_SS$&y~t%3FEfCloSth#o}Le^S&qP_t)8*r
z<svCx<|(1Id%=@t3^lJ};%#N^$0R=m!8@qJoa%{=q$IhFmtTx!V4qh=bto9~>m`^%
zh#9y~XQbgx@w=Yn=p?i;i=niRS|0D^SED3U2`TYP=w#+~$`DHUeg&l4o#IH?eQr_5
zQV915NUGe*f@x?A3$FKg_3+Y5n}0rz8*BHj`3le*0zL0$ckvOs-d!7Ygu~cCS%-~_
z=mpS=nwOSYi`U^v+*ynIV!Pe%?hnt~RnnVr$L0H>Cf{Z1&0&{W4NaOgsZr~z%)omr
z(Uxnm-T-&i<VXbp6*bJBPQ<=MyS#O><*Pfq;YjLwE?OZP+VJZLTFJaA7K$)S5zY0x
zfq3Nb9rPUSH6PcNAJ-Z;hQb0Mp&hXUmB@Q$wT`BH2j6D@ul=X>o42$dqoA6VxE5+h
zZt70Vjmama%e>XNII9;_zV3btGJG`Y=X@I@Nn&t>!Wr~m8w73P{F{Qzm&C2iEl{a{
zZypCPzsvi#3jQi0<3D>b&KI0rg9=kUo>^sI!rJ1oRBxp4STZILmz2K(Rr4~Cf4mU1
zNattqGN7yt@`hh`t4^A<7lJDq!}aVP?Kn+Ws8oCz#x7ZD#wN${6Vd){x^7$YwfPi^
z!`ZjuWvV4;re=~3(P6!Dim2gZa33)H8?vo{Pujnpnb*{(uIae~ofN-6HLj&`8qIY0
z1w0S7-Fk|&$SDtZzN};fF-><DggrXah+VtP-FXE!wV?>j%EBVM(lRp{*LEs08aZ>;
z9B4CK+>6py!;}4Jq*y^EaN*md>L8bZrbl)#U?OnDB6yyttqnYA={H_T*<(2&oUB=Q
zh@X1y-#u7Hf95k_Gz!*CXm`~L%;N}`<kv-?G>!u{1#8SC4zO8)hB<BszhM~%CTeYC
zO1$K}Jkx@{W%?vda>VIgAz8)he4<YuvTO4B8i0X<Pomdst$IR`qGXlC@X;B|>in#(
z5mX#->6dBB9DM7~*=f@@7S7wrlM{sXrSR|#6@H)7`K`WQ`<Ar1;<b`KuO2W7W$&1>
zayyYJGaaaQeb@w3UUbo6Y{gzCy=18=?W1SDZMgt^XFOMje|xSPXZ;@k#QwM#)JZFl
z0sKqf|C^V$`ZEJi5&s7Z_yHJ5X(E*1z}7Jt04LIaVn7uHMk|^IU=0z#`oD`$6Tk~1
zfUWh(5x@okVEJ#kq?O+l&<p#oqVk{cf$R$yga>Ei{r?nC{-y8d;IyD=txX4fZdAWj
zP1Lh*_oz(agOhbE;5=|!(EnnDVqi-c+SvUF7TLEjilXt|m#L9R_w}J<NTA<8<(&vQ
z+?AJIkBoK3j94DlQ-VB5nr(<^){cf+VAvA{SSJJs`;pC_J0npxYodA=Jk<|-D=`dI
zN{=foj-WotrpFP<j|T0a7AMf7PJ?>}*ij)u4g~iw#lwe2e8WYRP*Hvo8v=t*grTYo
z10)tXoUbdZ5<(bItFr-VemiAGbhB|yqq#IVRN~1v1ryZExh+O?!^dVouu#(T;448M
z7i7Pz@s3&vRGHM{5F-o?+SI|MQX3`eFeTiv%#u*Y1#U3a-+>CFM5&o8aTpGw=~B_5
zb2#0kFu$$W1#`NhBZjcjgvow_<*}IK9bF;%s56*Ad#7iwvs@ZvAcljF^WrJi_1N^u
z*70u*Uzn#1(+OGHk%lB4G%>IuvpMOJa7J_YOB&^ilE82p6^Q^W(;`Fz9Vs*R+!4lc
z%*q2FV8SdLfFMMtHa&vEC?iV-SOC`yR3bkT0)=!NAGS<vp^=Otk&978yi+NnZn*p!
z5Fsd&%QTAwS>=R886E|4A~dLk51-JNlF5W5O4JSAmkxIRj8qymC_$Ex8mA9itPipb
zEmRZGgGz=d7j$H1q82zrMI{l{ccxM#0$Z!rC1RDF4{{+<HUbNL)I!a;xYyc)5q+cz
zw+^&U{3gJ|hsRMnr9G0(?x^r^Y6vog$TCVCS~qFW*ioQ54L+R(MYx-ND<701W{_8o
zG^dY9#$#wVigx0}f~$)a%uq->IUD1kcB=8!b`9d`GV~AfBpo{Y>{1<C#fA-dbSF|l
z>trqF0y&;E&RchKSeAM{Tnusi-cb7XU_baH&r!Dv$Dld*gp$j#Y!YfL-2E-zYm>?1
z$Ae1e*=u>$dv`Yhis6({2D{}_$-Fm33S@)oO#P-4GFtw~Bb2{D&J4-FMO#{3c3dS7
zAJ45#^udIy*X}gO>c`HXjV=d+1C$xBUlTD-@F13aq%mlT@{$-5rFE=YiL>fS@U8Rh
zVRW{v-I2w(>AQKAR&iGWomk7olcu-BYuiu3b^|6yY+>%{Wlt}^AI8#+StlnZZF(Hn
zR%|``O|wilBT18Qb}d6z-n`aXpb_FxrGh8_s8QHfOGfCN;l7WRe%moYgqAOqrxj1L
zzaZ4OSsHC<Y8k95vrf#es=bdrsE@USHsr~E^rKayBF|`56)1&(pmUo#BhN{ab~*;^
z$$x_Xu??M2@vc;l(9v0s7jDY~+f_;$Jr%5NfyfHIE{GX8fLws;0UIh_k1VTJ;kd-N
zuZqcKcI#DwY^7EmU4nkeNL@MLjhe%(2a3d8n(Sz_{+wT{9&C{8Z3HP+9|K4`*)q$n
zCrSv-;P0>V_6&JxObhMI<>g^C8k`KrO$5plx3MAJ3N%o;(W{?h+bFa+#ygiGl7r{1
zcsd-eO(IN;EFY>q5!9c#Y!Gr(v^X^&z8bkk!3U4F5td6Wrl*~}xwF?UkEf5yKriKn
zt%u{D-cSAlejwhj+XD4QQ;u-9#<w<oyX0T#KWOx;_C{YTQKF5E48tYq?Ydu5w62B4
z3AySed-cPAmPh(+t%MJ+tB$#Ad2q?*`0@55yGsu;*5qw?*R|=c52-~$*}LW-Cr2%R
zXklu!lM;vo<4?6pMQyvE)wK{_gKnwT%|RsV=I?;<ZT7(P^87sA@{flUU0*q@wEF>#
zUQU+!CvQ{taXu9r-Wvuln@mHC-xkpRo-UlkI|jm?c8;6p#|IVKr$JNvk4*nQwJje7
zpR>0F{xYd?VRiJ`I6?Ocr5*a$V-`w(iz6bO{iyOfZJ6A;9qaJ5$a>WtC`A`Ati!NA
zXZbE<=fU;d-iz{WX&2rfX7k0p0Ocb4sUCUqow9JjEUHA=5<0FD4ME*xd9wh%O4CKr
zol5-0!M4E4g?+i=TXK#6PW3=gs7pmO^iYoz4~aEO4?@&KR%B(~9<rR;XN=Z#neCqA
z3rqL+B@^eeTYmK2A2%yLj+@FY_UXvY`^cZ?c&`bWOX16LhOw%cSfMN41#}Dr^5F!3
z<90<tS~3YpLHV;*;X)=zf6`~md*aT9!;JhYmjc(HA4j{DfB)+tWti$8UNu&k0<TTq
zHw+z6iT;1)Iy`Cfe&Cp`#XkY)2mqe{1*wU2z&C{d<v3}08vy!NwPJu6!hbWN*2-GI
z2s}9F|AJOV2LK7cnU+BNZ?8yA`Zq@cZp6{wAGB_ED9ce~v<U%dBq(i+bKs(h;=1H8
zquNcP5RQ8=@%|rQyk1KlBXEna9F2{=q_jN}Ki!#Xw9?3eqOsWZq)2btX2e|gY)W48
zyB_<8+b|t4H0i2CY?-e*SWn2VUXiS^vazoFe-^U0X+w)b>Egl*8d-vZiLA}xA7N9@
z=g0-k?Bq#IgMzJhf)@|SdDd2GL~z!C$v6%Kl|u+<N9kN!=_aIY=XF~~v`^#si?L;p
zIF9IX0VVMqTBV+%6h`H!;bx)m#{mUmNG$tLfN)$rQFcA9eDGQa#D+1#RAfd$4*aQW
zj^K=2Qqg-@%UGj51qYDUj9pt`H#D)khfHp_TVR?Un?tpuo!t2bM3`9)K>R*GfYhsR
z%1J#B2}@BX7u`0z&sy0=8Ev1HA%7I#LU})jD@??l7|l~uO}8%!9|-|%^+egG(aG@Z
zen4J1kcD+n_GAoTT?aF15lIoWsx`$GmQp80#0z=ho2Di}mINY69t~JE#+VIDA@dXv
zuh_4R{7WddKKS4O)$c5DE(secm0(1ueTam+YTU*xV0=_T9yM^AH`qu9bfI#P>WeR8
zG(nb1;E$z@G=UlmA`5mu9HYa%B^Irh2ZozAvq`4|)@~;g24s-V$e1?7*b-&=<(=5J
zNI(P$E67Sb8lb8vS68RHbs;)wDHTVhiRaeczchRoVC+*>Bz<LRwT8mGTb(c39y;nc
z@g}3yQA0BIZFB@VCX$yT*QHvie2FIftLwC*s<jyB87BDZ;%n^H-c|Dss#lMA&50)A
z>e6qeS~<%}LgHAf<?F!7qL$)zecJ~;n&e_B<Fd7p6p#fI@SxjcA{5+RyYpm)s!^Sz
zi=fItrHfaiy3qMpD_7lxDM_d@Mvo?>$>!UHy{fuPfe8LDn|5WR!GNu7AN~QUaSrmf
zR>~~o0y?ck7Zpr9-aNDkG4C16bTQOcJvsCVaD3S)N%f%>cO=2BJcH!m;08g7uk}t%
z<oe@}50I|ibV$YVr>otM$9<G5d(-yt;_Ji4&+)}=NnX0m(KzJE=k=Rw$+z;Obzw)3
z*TdJ@ZHo_7_#b81r#NU72D^57S2HhZmeidO<~CYHpB+AL7q9(a_PjQp`M;WH&Bv-v
zW(%%g5y@C?-}wK0ou3n-$E7;c$wyh!{o-cOY6DF_pC3m@AHOiyD*oNEBfgq7xS7FH
zxPE&syPn+)mu~t4yQx@Lu2`g4Q1XRq-^rec5<I=Yj}?8xEaa=xB7Bo~jR1bT&Aa2<
zEL>x7{^2yAgA?S8s({*<d4N~oY?oj)<(Dt~@mfu41-;4;Nr9`Gcm%`Xf;)Z6xXdOr
zO#`|r;tb0IR;lT`ls8>S@uuq9cb{tAZ$O`}S)}O9?Cdu#=p5>p+B38#nV{Y5FpeUN
zMz|K>Or*Hp5H8pfEU{JNwMb94Gf<H<XHT+Vt>z+TtwClb;hT4NoYpi%$tr(mK=yOL
zmv0<rAP*_ru8yj`*!}x-b=kdj!0@2Zy#=~TGH^Kj`*=^!B$A+Kt$5btOw?7ws~;-N
zMa_}jyzlpOS(nZ}lrT282Wv-trIO-WUrr&BtIyB0hGBIrjQ;dU3hr{Mo~M45mvi(v
z%$06;{tAtlx^$|!`YU}rzoSp-nbGU|r_lH%inugWZO;2N?(j8}B?i@%;F>0;xECnx
zbuH)$IJyo`9<*>F<8;4zmleH@D;0?kA?nK`ivqd2$Go&fhoJd3QQ-HJFug6CciMx9
z7t3q?RKC7aBk5#>SFfT>D|@ao{#a{;&wB=GDi%YU$xc27i<FkjLis6sGCpFB^J6vT
z(~|CUW%^2&o2AUTaW3a*6MlP_xL@Gr0<{pw?U23A$V6FNvG4AQC5%^7H}8|#&==?L
zJQdlhBbI=*e^NIzsA6w*O_yt3UBe-!@h^BjmfLe0pcsGw&c*xRw4|~RAOsKK`mcJ$
z%klqHuh`N^$HD19Khyf7^te$aUp_J41ItS)6V;%Cu_H6|`*;i}SPc*rF~BXTregZv
zJ_rOyW8oCaB^RG|Iy(|C<SMJ;4Rp>ghMPiU?uNhLUJBTp+uk}#dfy61O(A7TZXSRz
z3Gq)QO|!+ov79!dczJlB)0JsW1HUsi4wh-0thK3VY_@5GQth|s=(%R1>3yBvz%8$F
zzTxar@gyzio>H3L*y9AEg<!-i@b3;%1uB74QFQbx)?EQT<WX+d*z*E1Bw9ztpr=M&
za9DKbsIUB3>Tp<4EFmFIXz>vrvi}_y-tbhC17J$&nzz;iSNzRxi`y^M=|3z?1_=1O
zlbTv`b`?Rnn?$p2=slJ_I%s$P@C(#(JEm}eT2pJZOBQCG^&21)F474n+?YhQ<X+Zj
zs|!8>WEXO{7u=M*ES5NI_&UC|D4#PM8ge5{4&PKbJcZixr4iMJS+HMiC{k=;H$<!y
z%O-8Ss`(|pSRE8q0iEuCU18K8v|yvzWQV1eF#xF1J|!V(xw)SuF6V0{pJ<<&tnIWO
z8Sf~`8LhuZITQB1`8iWW&Ao}L5F$?+!8^jEi3jUuK1k^KHrCx-0o!k`m2*LyVz}c9
zE#B$UO3`e%n3xfI-T?9Ec~(o&Fj+&<@Q#julaWvQ4VD;j%gXu5iJQOn4m4s-7t?7T
z=nd2yqfHH=U74cp^7n2q{NM7${Ds2jr)C~kQrD=SC2L@<KIQ|>FIFjuZmSBTOBsIc
zUX?mvQ`Ju<W9+l!XH#4^eYpdUTOGPOBBWsKw>%=JWV~9PbDTLaqr%(eqP0jj-fT*z
zuEEr6hm`8b)Vrd)e8gv(r14YFf4MvJ<Q_EXtYUwBU*)Q?qJ+#ZML52nxxDV8n>5&{
zI4N5|=I*TsuXx)*K`UwNKE1U?L%yu52(N9h?V_qYS?Qw)zc1`UTa>$^@A6%X&>cGh
zs8Q|En>gT6!{}8gmlTyGYwYv5p{W>kqZW{x6jUkGJSH2MP{~W#QB#@vJqS_lDI0{Y
z_Rw)H1;6<-Gvj+9cTLf8a=sbzM;vM^%D?`flhSNQR>`mSaYh5iFSvTuoZ;uU0@JCo
zw^i!Xa|EZ4RR1BCJVQaDuD|E^dON8PRcWoqe@^bt+kLMerwu^{uTC!?$8KMN0KJ>M
zJeC5O<?}!9_m8)Ccb~`SEW4vs#LS@HPv@7<!Ls|7JCmV&rm2HYjZuE@PM;8PVIRcD
zO$PbD+z7kwM+fpw&pwOv2&cNY*qR)nOo?mrw0FGa`vhI5b!{<JiGv4h8%qROY4f@c
zUF=wx{wH;@uD2<JOv%7m<1+OOUfPp32a8%!*6<J2i~%|-au-!Q_Ri@a@SC82HOi!*
zOIQn|qdJ@(Ru@%7MB*)8hA>B}A9FZuF%*nD@$@Fh(cF6M)Wd!F-jlMdw_y&vw1|#p
zxk&@JVWjPZLkcxgY?fPkmp$^Ob$?oqoLDIsT~wWZ4<Q~E=R=x6|HBX?h!iDOpYO|e
z@Tr}iDPyt)2p_fWgvA(1^(rn6=Y3zNs-;}DyZN=ocVR`8UUy-GE~+#;PM(VJ!}yBh
zvZS7aysoOSJ5J5nz@^9z2I|l~q_k6y_&sDnZ7s+jXY^&Ed&otgqT$^%iQLSzyLA8%
zoc%wV46s#v4loG!Kc@SS`8pu{YjgdtvXgxb&_GEWK!U<(g?a+eqkyyium81`7Xf?@
z>7TkY9|oXF(}n~`2K=90irw0}j>-RIoL$5H(dR(z*<n-NsQ9*s7FBxEy#o6o@c{ME
z{B^oC_%FX%o-C0uCZ4qW#2m-x>e1bdD#DooTIw0HaRwpIW~@9<Ww-*0UqnIF34j_|
zUnAWGfu0N5Z@wkG)~%8+newK%%WCrCG~+d4d*dH-OKP($jLTT1pr$ga!1`<*q@T_g
z0vw4Qli*^1I8fB>3J`%U=^t~(+;-yO(hl{!!AL5|72<fm(X-Uy^!th3cNxs5>Qsyd
zC+7O4#vx$vhr^ITa>RUVPK11Gw_I*@DwJ->_|0K6cV&0~JRa)y>*is+M9rE1xpt!v
zwjpDY1YT_&Ky`yCjR`xDE5d$RyqfVqg-Q6HQS7_3+o^>DYvZd#F9eGdhoId_#Hx`9
z?STJ=rg1+r8YG8x2}XLE+lMN-|2H-x5*I4@f(y^TPLvfBW(72C-sc4y)p$H~lTh7P
zSSocXD|d<LrMW;wbzHtcjz57U^ZO{b`Ia|lSk5E+)F9YF{B9Av9jjLt&)~p0yqOu2
z?;p3s1A}BoB+X`ehm0Z-w5w451rc9H@b#vYr&>cKl4hh^Bu{hw;Toowx1tS10LW5R
zT>oKY)qN6N`m#c_O;ohM%SJ)Gn5SBClqq<>2V<_R5)fgRk9hS0UZ3*`Ds!{RKlT_;
z@#s7^&_ED(lnb(C7pQaN%_+k>J0@>D*FQpJ6=xUjUxdFxM5FXDxGp?92Nz#{8#3MO
z{-xuhcaP@_KK=!K`=|1Yp;>)jn*heh8w+AAI3wHUm?2mEgcRipO_2+V&l@-qyD+T#
zF!S?Fe12ZIhf8#L$fAY~>_PK^OtT}x;XPkr$_1fvdq5A_OqNMsuFh&wTMIMh3Hc|c
zGHVbkE`%0f6aUrTj}GqDh(0FA(I?C$kX~<o{WN*AbMF!o^zO#v<6Zo0@qT#T+kY3|
zm{m?Tpn<nyFI_Pl*y%^Z68$L@4Dx<cd1K!BB4U@EXx*Tx{FA1pFXh-)$;85jz$Cv-
zRS!z7;Le4#EwzeuHM#+&_#tQGOQvLi`_vAdB<-C5n>~>A_P<*v8F8cMJw{?v<`l0h
z$V@V5Wi%<h4^bwa7b^+;5NpqcNZToQ%7AQ@E0KRMR->*Kg0rAlw#x<nGV@C0d*o!x
zDxOisuU1fnA;HWjMrKTlQW_D;6p%E`fdnDoD*dX?8MhEDM^fRw6n#=OZ(*<zU7BXH
zOJQM=55mk7!o{NtwaG2UB_~nOLPQFMu>E&t1=g<1g}0|oP)rue3F&sR1SPG?o<Mfj
z%|MqQ$v4Zhjn;g>PMTuXab6ssv#edZpqP%Cok<cn%$D@?z}BI$?76#jJN&=6I?JHO
zwrE>Ja2j`acXxO9#-VX{_u%gC?(XhR<L*vF<Jvg%<D7GE-KzI1shwo+U6oYEnsa_*
zEKry+;5aRqN>dh`)Ff0`n00jr&`l;%&)3ig1Y`1~tWII{zRn(Tmp&D7RnlHva!Aat
z<K6RR@@`%rE^KYtx*IXJf+~@UoJeqHjzD+6W6=4hKR*^7zv5)x3gZe4*<Xif!d^W>
z70OTM@t15rvOV*~tfYhVCU37dJYVJ>L!wP>AW>_;WG%J{?wZ>)(Pn?AG30t^iXQ7Y
z2h(+?aI3!_1iP)%uW;hWi4^AQ_}K-UNVoWNdIdtRE*<W)!v}AK0~5b0vO_wJL^_3?
zHn~Q>)+)!(UFb{Q-|m?}t{Sd(YRKBdpVcZ`Rt85yYv!vHeO>EeFaSY2ZVp^#@s*`V
z;0Ff^YM{kHar`{*L9ax(<B}TOb;rfp_-WOBkAcF-^|c-EN-&u_+GuPjn1I(aOzdF(
zO1Do+nwuwSg1+Mz8?d`4_)|S#3pVuWxiiC?TG-u`xrj%-O5={JH-dIa*Dh^Ex2}{u
z?Yx-%ar(!x>sDV39fAsn2ruTV#GVfW@TP<4WH9G(Cvb=sCy_WATn!^Ga|_7``rC=U
zIFH%it|{J$bVlZ?49@6#i2Kr_Hi<GJFZaI^pf|j9AhA<twr~&8nry=42aZ@m&KsR^
zeTX|XJJp{(?(erZM|(r~7~+$|3$wA`4oUK4bc2mAs8(@f?X-fqN?F^B4d$e{fZD1<
z`E&rp%QNJ^Kg7|puVmH4(9YVy#N6`<{x0;VZ?{~z%$?qz{RZA6Eu^zu4RA6TNuV_W
z1u;kTJjLOmuuE_IP)51y$?<B`-u~#Z!ScMZhn~v*j`EIdA8O>TS63@y>2Ol}mKQXd
z0JzvP@_O&?y0{X~+gORoifyivN0EGAkq@(76c`q0iTewZq*cL~hWrhH24MSlJb~8s
zHHs$wk3DQtBL`eS{VRHDEASAsZ9sZ}F!a~tVt^fB0sY^^gHHfpi}>HuZh3$m#D7xA
zuL}4LNJ|8OQKu=W17N|Kxj8x0gz>++L0WqDI-DrJt95(E_x0UJ4rWpq5}<9u8vuF(
zGA)BmBE(qVHpeWfP_m)ZzFpSjrSCTDr8eY3s&U7;yk8dmB+k)shIXt7J-PMpGpa+V
zC|MIl6$fbuI9EJeQXUNE!0g~rX@xbeVg;*oAqxj?4#xwT+R%Y}{}CbTPs&SvAW=CM
z9Xg#53|dlDp~ufXYbLs&I+U2fH|=E%|MsaEC@BW`FisgOzHr+0WJu*r4lEh9U&{+<
zfv4aZXvMeCYV;E1lA6e}WSS(Yqo|U}@`@9&D#S&Rq@|B&Tr;J-OB4~Ks!|xXd{QfO
z9`V%+9&nWy)u2Oz8!=`18&;9*Kp7SSwII*vupT8_iPZxY-H9qLV&05&M=`n9TRc4!
z-d<=|RkMuYz@VuX{^6>TYDDW26`XG@G#R(BCTi?ed!Tg+u(-d7V$v>daN~qCm>uo#
zXpK=dLCwvXs^PM*;J!Ik#y}A#UP2p?u1#=2LbNxt2BE<$fn!pd(JL*(09)LvxYY-7
z9^<26DlWwKzQea9>WoB4)LVfR#6U<+4QL{ZIk!fpII&}FwK^CJTT$05dp8X(l0rD)
zY(xlwv1bKfW>ctU8vsl<iP(m;S~0<sGqOcoDv`ZZgX8fws@5&%xj?_`A{6Y?1P-AQ
z4XfJ4LZmr6m^0G^2LAO|0j7<RfZ6?S%v4$PU0F!=kI$CF+xf}8Ix#<Q;_>nH>v!nk
zsY`1%TwU!B{pObdmICENug&l89X~0Ec7`_h%l1$9!#Ep0(%~4#no7LEtUX7RNnQB2
z@Q4d`P((@(q@ml5-Cd4CHSC@pAH9x4Pp+~ccDmE$egE7|`95uf1OM{tC6En7t=EOO
zttn{xvd`9>wd_<$23KxI@{P5Un1%ySL;t=%cD-ptui+8XqZ976ELI^B?(9Th=pbRt
z|F)LO*&7x(*z4-oUAJCQs5kksSD?37d_-^V5>TOr$oYx)Zp5L-A=)RDOI78rPXv1&
z+Kkp%N~*Ot{+brj2eeZ{_p*P+*j@57h}kz0;Pqxd=-+m@dk?|YkIPHFx;znZae5u&
z!uIp0Idti$m)l8Y)6kl#JvJ}8Rnfck!=GhT=*#nUn(iu&q+Dxtco^9_K5{`IE*;dC
zaGrx$u}}HAWR+qi|2uRX*T^)u4eHKmty@zJN_8=@meHmI6sVl$S(cX9^JQp=b><V)
ztsn5vPXMYVng0%GJXCgPZ&IWdKzg`!@Ir#fOR!Zs<1eyOLa`4~+#jPp2aB8og%1ou
z@~DBt3e~<pfT#%*5tcr!!iOu_Tdw5W(nvUqFhnwWBLnCEDFA6{IBUrJtx|DZ+1-4=
z_8~~i0rPo=4%iMxC-rlM$Tcv?JVk&B)%yXbXYa_ljF~HuG2*p9f<?CiQ5JnHHnkja
zY9LKtM>BX?e*iiVi5H^C{DFJnuxgC>Eb#YbC((O(XMK-eg0EMY?E?kU9RD`UjGn<m
zF4aZ@VstGgj4<y&aCUq#;*>?R)7er+if@9xgNQ~VFOW0c>5(JuAs}L}A;*fWo%3O5
z));ZW#4{|-%+Kkm&~&@dLJyVOCfq}Dv9Su)kj3#fk0yAig&AEQsks4ETsfyGW`)YF
zbfvSlrI7=V5WfW?^iVx4RAZ>`$EVHTUe7*VeLr5f)zwu$H*SToxa-mT``fMAV<2Bw
zk<lY<7%%|BHjvihvuavwo%OnG!>DF+x2fsZg_FP=>K$T{4s?0YBc`$u0U9hxHi2pT
z?cvMw)q#r_(g<uN)kDPurVK)lg^VjO>%*NdZ(6YpjzjmyyDKx^?Cj1Dx`EEjxF~Z@
zoCLZzHWIBz3$eReI+)p%SMvUG(-Op=5EABR5Wpf-^HXqhk)Wa+11tq9_dr|N)fsq-
zkgPI=2^e3DZ}>JF??C+>0)E1rBHHbld3HW-N%IYpqh^YqW`lHDFikdh9u;BZ8`xSr
zoA9(|75)qH5Tx=k-jsQc8;OqxR?Mwff*I3kWrV%_elO=qi%JT=D?Gj%43GYBX)d_R
zBLpfYI11>>)d}Rx2=1g2J`pa8-W9J?>*O!5m|L{y^c|_nKkZ6{1R<1;e}kZ}$xpTz
z5VFW5rXw5tMhX;{CnM1zmE+F8IhdnE-Ke1pVsz@0|4GaUUyp@QVoLblaG^KB&|Rb$
z@}yi;Qi=0)`loF^>#@fy&-o0T6l-XPtq%xBhi<U1P_LJftiX<SZx+#j3g>M;?Yoz}
zSH=q!gm3UQzB^R|+pY-{=NTAh`gJ_su<G*q%Z?R!u+1vQS8A<nMQKi_rL=Yo<jw6i
zna8NrdUx32>aywER{b6$u{Z1G?&q$}N7&dZV&sIe?x!UCprfo*oT_cZ%B5FtcLgxD
zBgGfv%w9`S)IJ+&ImoL)IAQg4e(1FINnnHd5MeA@(M|4+sMT$%k(i?vXNcH-b;3@%
z$k#7wym4N+Hn)gG+}O=vT@SZ*$2J8j`3cN#K_u0b`Z1(_d%a%oVeLe$`8t50Tn%a|
zD6mBjeOvC&B`Z74<JlvjZQ4(;NIdcS5dX3KkoxP+g;#+<Oc-r1VWgWO`r(=b`2?P*
zCyn;wf^>JWI6fLLfz6_;q|nxRMERMn{=#SP`=2*ay62yWkOs`-|5V1PX_09Fgd{po
z=r&({fGzC*;%<K}0Oa422FcLcxLg3%kpHY6P}^F)0C-@aEdRC<k9`4rp#N3U96-S4
z|Ewd(!U1Xj*hs$|rERlufF7u?nbZ6U1lt#6@&CaOH_V<)X>HhvA;|sGdmKXFz};Y*
z+28lZb;jxo*-c=i|Mr?oNLP+lWj1OTgC4~<nV$#@?Y|;*JC24S#kiaJjKp;#p>S09
z#U~3<prt}&VWlL>Psun^KoksHjCa9MEi;i9aH$$4K;(9@Lz8s#Rb%r~E&z)hq)GJi
zze{^y6*WR@{-U9Mmll7Hl2AK>h}Ue9_GeyFj@2S3$4b$XT0^fRbD(<=&sNP$&j7~=
zF2MZ6?rKqos4A?t3Pcnk4f~FPqYHsZLvJu569sAZ4L)>8yJWx<2C2F~gG#Y~2Yi$;
z9^{ZLb%-{gYObI9h~}8p0Rm_S85Z`vdDL37A}t+GEP_sgX@$p;8Tm{YKmdtRpo`2x
zd379|LX#L2Ax)Z<6ES?pMj1gRCi<cI5CTUb9zDc>0gs)HXASG13R#0uf}W(S){9<6
z*Bsa^L^J-=xCBKeUQJnhI5Ig^E)oYuj7=OS%tSj98p6k3WkE_vK?aBelMZ7}13#!4
zQ=V_?+ae-XO9IH16GwsZ8>*y&C$Un(5nH005B+|`7CA2Hgd^^OR{^IjCXlca{98&J
z4LL(3GZ-0}tR^b_IUYkI_)wZwbiv=?dN}Hdx?zDRsQZ8j>~H;D{6JzmGGchr*O96P
zB2vi`VF?DAplA|t9AE(#dTr9sko41W+~$r;9b@gQ^pjCK<J-%f0xVnpxFW^2G?23z
zWAW2YuUY1;qOZHxL%@g4TqIvc9iW@oR+6jOZw*SJQeORRKC3n->wLW0b2#kM_x_s2
zeX}D|k*ZrQS}>#0wEm*b){w#{S-TF4$Po~6E7*NQ=uaB`3n<|*HNgT~f{bS?&ioGV
z6WyOaB)W)Sr2g|Y#~8fDPoIQSpn)fq?-7STsI6-?%Ft_raT+`D{cg?0{xweaKIAs_
zcTv<%lpkDNq@O!m9-@JlS@T$w_Qs(g{faiQB(9g`G#4>y(yzd1%kxR}snR<DUXCAg
zy0jkVj{%IXGLRR;7UVmgjkF5q$Y^>1uU?N{p!w6`pZ8K;9zHdg?RghZ{;96TtCJ*+
zJMTNYj_!}za{-@cgSul{Ub@=O^*_ydyMNrbnY#F%8#_94@WIb7x_-T_t5SV%^-zQ3
ze*a-V?=vrBJ7Sq3Q?Itbsq&U2S0pl4bJO`^1Cg0y>H=hNk&hBx#*8vXk)Ot(<iN8W
z&CR@e+n+Xwzfml`X0S{97<|23dM^o92ORsyjP|Q{?mmvzM||ogeAktZF_2MzHALmY
zu$SbW!AcEG(eGCMW2Z*P!Iko?uO---n1ow#)aXta=b9$a8{t<U7w6yBcHA?d^Y*-B
zuoRHJE)O)2qi%iOKuEpsfQc>u2vf)GCDW@KD={r@?BQ}7qe&FmJ%lp;KCZEP9^@#x
zZVmubI8f0Uu&`dfc0{pHzUy<OLEWu0mFZe$S@v#;c616`>H4}*>R3Os*7e=ru_`{6
z)5guss_w<&Nm5dZ0@$rs$%rjG3q@eG3HEiKDX?2L^_D@al~Hq)QDd<Uzr(rv`tgGB
z*W+{oZ&wfG#a?!eQ_?ic>YfpN-&stjm@JxGuA2SpNO#_8z8AM#SK5%vAA-&wRIkUE
zXI^gW+j3zq*Q**(O;In)uy&1;ag${~VxqV&RP?fbL!p|0)4?R_k)8yjrs1&%CN(iQ
z;sUu2$`9v*fM{~<s>KpacI7F!uCdwGZ=FH*5URleCCJ$hlGHJNvFW2e#vsNH>H@AU
z0ge^Phzjz1O3cy9ML4;zkmI8khn>-%vvJol1Zn5dlQ)9;ECkziXX7J<$vtrqD(>7A
zKN&Ei<e8HGa5=LIw<zHZP;0#~Y(T~$a{{L%s(s+|)tNf=stcyEqZ@c3tq!9<V;>iO
z!^O7KI2g-?)AYwcqC^%uS%Hh1pWwhJ*NGiYyTRc(IMQ@X_a7zTToF4!n!6kwIl6Uj
zK)ZoL+2V4j+gH3wI5@Ubj7c!9(*Ix@>xVXYTsr1{(H-t(b8>4>2;s0P2emxfY=*l*
z&uH-E|3Gc5Bscn3e!y720J(%OLIENdKo6caxC?;>#=-T4<XL{9a+<Pn*%C;-vvqsp
zQu?V+LydH%MQaTyVFy#>PSxd5UXYDKs5sqSe+9nlEyFcYc#lUEc6RQ3xCUHj<L`R*
zb@5)<?V5(DdWhqc&g>tNRit4gB%$9-0Zx>-^R`9lpEwN<y4;-?)r(Y6duFs_#as*X
z#Jm1FJ$t+{Jmuhhd2Ep@qnf5Bi;$wR<)uOIw61m*NTHp#n%?&7-^?-n<FCOn5k=NA
zxJ=vL-bdVNG~a$d>+2rP1SMQ#lil<%$pqNt?7H_|zPqY<?tyotp;^|$eiOMH<RUTe
zts7y=fSyZ9?m^6EdLR)*bj-TmB8x~v&knz?^xf<FzL;m31k4Q+E&%N2ggbA5)o7OG
zj}d7WQ=h2cY$$_5Ohr!VFN0K<7NiYRYw4Nygm0<*NwV;Yv2XB3>!eN#5%d-0n=MMm
zF@;bV#noJKBBZ!l^^I?L3O2$%W+L1ywaJrG&zJn6EXP*E)tVS=#jK8q)qzE>1946J
zVFg5eX{bVv0Lr(dTVUggqN?VEmz*?G#O8-73tN}`j-VvQx`AK`<c0>+Num54K;|Ff
zQ|g29`c26{5o^(kpjLG1xl0T8tH2yoToE+_=bHb9pj_|~w0E}J<47GCZ(G6R+4Eh^
zCJ%P@k!nb&yrLB<5XGhEZT&PO`7Tw7wJyA!9`OxN4HzI7-+?aJ5~v$ycqD)=8L%iD
z(F;yp0j0n#!z^70@vWkPH3hPv#WlIt4#UU^Awc`C#*&k^c{`M0eG5z;Tj+<Co540q
zT?c=%)g%tjYA{OIQ#;+5ek<N4a(34`jbD`*L_~})Ci&r-_^eKc2MFH0F^AC^gU9bu
zT)8)ZFOc)RjQ5X6k=No$Kl2B7xQY?tbH`iMfnE?DuA2S=Z}?UeYt?*9rcSF<GvE48
zr^IFJr6k8^$L56Xze+?8>iv3)oN8R*S_UwMgZRlS@Y&KyLGh%JpW^h*@L|7y;A0`7
z47c<sLPPrK%&oOq8kNY}*#gG|!l0^94K(7r%z@nVgL9EE#XLzfF22PE2@0GSEK2@x
z>~Y#C{MPF0)Lfpp75<`JAR@x%qGZbHw)uEYF>zA;pv-D#9Q^*?aav-ZOqG2FYLHC_
z$&0M>nGxS2ma(-i3(~?$O}{6b6wiSloO-fRBGx#GIHn-mO<LO1E{WPEObWy`q9qf1
zbO6~%0r8f65-;p_%hMfSr<@8<fimJuTiF56`SFH=-mgUz3|e@+33C1I0NShC5naE|
z8y0Ie&{uqpX@+0VRlL3POhoXpkgxt;nDS~s{Y=#VpsM-^#w927eiR@38C(C#ttbpD
zX#=fLqf}Qa$CR-`pbF~(=53{j=%EK%0tli0o`}eVbCiKjCTB#NG;u4ReZpj?tC4|#
z`~Ysu%z;J_&D2L%)4(J4kT;f?R;r9*C4MyvYu$u4&ejM+SU!S#reeDKOC7#&IH=-h
z8x%s(a+}WWYi{0{tXU?qwo;7Z8yj;!o|e+!o(Ut5HE@Fo_TDs}&Uqi#S>0iB6WFI;
z?Un8!t*KjSw~#HwXyWL!Jx_SECE=2K12a=uo8&7lq>}E9ia7-;DpGG^E`g5LfcLGZ
z+i*?^VtyVMQ7y9pnoCo`IR6-4kp1Ib>gd;kaaKAL+0C8x6R7?>D4Qin3@1*#jJn7s
zLlCuF1{dy}6ATf!<#>HZ=80S3C{V{c1fV;b-Cel3O6L=0T#71Kjf2&AJFG3yy82Lp
zBN<doCH@3+15-7Dki7e#bhNRo&;Nwc$bvkZ?rGCJ;Jo$FUuqK9_HDpK%Ahp?fj7Z&
z{az?cnLkrT0C$7p?b29eF6hkjU2!GG;3mU9UEb#-fykLZknvs)0cP-o1t<u@CvB)D
zPpK6dkF7C+O1}`itT@cU0H&d6Wx}r!5<=cNk+;mglL@IY7?l2V;|L<<M~oC^k*@5~
zSElc}71vtly~kP%5hJ?bbUp4q+SeIaASUVZn*z3k55y+|6-&$PcK6CorIQ!=e%@YE
z6bI|4GTum<Um7XRj-}a{0Xr~524pGhHP%{9d;J*~_%_6vA9ys<8ffYX<)wrcnMOh+
z6MrJ_VdmBlG|Ib}J#ng{Ib}u3Oh?+>#IQ+DD>Cp%cqaPam*{f1iseWw)AQXGqN+cg
z*=;(QG)W5-6r3Ad_HEx@gMM&e&A$KLTYSs8Ux!BTmIFehclgw};{TkHO9@6iOGUUM
z>HVWfg3vP<_ji^t0tk9V-URcnd;wV5|LK~dwb4}pwxR!J>d@K<ngRPT|653*^#ayl
zzsjGlDu@c6<Nt6APL{L+I4EjBi)Nbq1b`Me?vb;Y&Eb^IzgFrg5P>G`TNoQBfNSpa
zFoHB`&;I=r>IFsoW)yQ792LM;fQH&=6&bM}B@}ua&`*)V5*RNhjg2$tj7eJ@PCQTn
zu4j<J2kFC|K`Q}Tr9h!VI4p3wn@(hkA0=)0jlw7(xpJO6Nh4hfE@kZILQI@Q8F?4T
z#G=6-1XU7lIhdK9RF=#XNz%(FP%;Q&N~bv;B~b1;>YwfcGF6{+x|R_yg)tdC-v4J0
zl=i@7m<5?B19jF)30-daLUN!fLIM8-P8wg4!pk)qSy$1jNu;t+c4jz#K#o8~S&s?2
z=!~Senui6t`-pe|ocxx>&}^lIWt0UNg`fp4;v-UPv=VPJrP1`;iR~!x3_7utwTbxp
zdm52rXiPRdL>Uj7@|+ZrX7Dc&k;`~9dJ<SPL(=@C@W4tyaWxZ`aUBoVVKEPutb!aG
zmMmR~IupltM?_Pp3^gd@j^eDw0+L_ow9)8#kTStmN_uSL>1UCKbsRLf62B9GaOH)W
z{TF!4V$-40@@jk~xTwoS9&^ZNsakUJ_mBit3_>!MK@D`SQc{%W$H-(@v<j~E%Eem~
z0}>ULK{1u=agoO~S+PvQPL1bCu2NdA17z3VF^S2S6Qn^Wxwx=g>!x5hEJs@XtUJG~
zK|^G%Yeb`~CZ<(0D;gSQMPF=pA0mTIiPuJdMm1dpe0HJu0`34F9r2>A!Ch(tx?Mor
zaZ?I67t=PfRpVAPw}=hrP+YMT^87TRn*1xKY6!CUsN8neh>z1&-BiTsPB#zBcGu_P
zPao#Ht9#ctsKa}|rJmpczgBJ7U*!qPPpv;@R->f*x(kSxKNj-j#~6<d@}?q!0%<q>
zwP`d(D$43P^$k$=C#Lbjn%41>a<}Gc+DlxzkQXF`8X|8}jCtIadeRwZUPCsV%eED_
z&#%ZoiR{V_4#1=CD>j0)6=&8#HlSmxk!+ooy#ny-cI%i-)AXhQm_Sdb25r5+bFPGf
ze$9lh%OmeLmXyxCZ(X>Il#8e9J`4OIL5TOv#U``}2p43*aLoxl=x)ExYGz-Ub95Qs
zMqa$URyL!S!>Yo%<ha*^0j7l2b3|n}w25QH8%iFWX=%85b%H}D899tIT}_{LSDk(O
zKUZ19z-;4gSc(As(!g?%#6#E&$_ubZf|Q%TUNmoCIna!6uh`L$#hph+B@yjIfVR14
zqM!rkyVgM8uc43<q{n*b*AiN64ZQ^!uV{pMJ`}$En;nEKMZdPKfwZv=oCM9dYiTRf
zAy;dFDCt_0D|uUhqd&=1%$ib4If25<TI|lX<UQxuux+N~B(VM4v?PtYMed+`yH68*
z%+=7o@8zFaOe;haY)a}4;YocR-^m3Dr`Ds9G|`y#hEu=nzON9Y_lYATpPn<!Rsr@O
zmnwyqdXc>V+o?A9Q;ydiJsyzMNT~$($va>~Ps%NndB)*3UDK}Mq^q+_llPQM(e-FT
z(A<laY+^0HCh(zg;bJ2@bg@Ub@5iIe5to#3H;3JcuOJZC3M>t3OQ?EBXHVUfTRoCK
zcVi32{b&3TL)ggIRao#q5L5Tt`qdmYO?IJ2?Tg0RGxE`CV+<sAF>rFi!y9kZQL)mr
z$?E6fx3p?5&LtcgB2-AZOtK&mQ;C_vX~IUi4mnJnfrrEGIYp7ULl?5mrZ;<dfD;hd
zh`2$YZDcM&dAXf9sHVQjpo**MAnI#Z=ZN--J@x1;4zF~gHirkcc6dkE_J`6Odx*3T
zqm>`q57q53-I<CjgnMtA^J&+si&afmPAqvJ-26Z{_S~F0WQwlW=GV@gX}h!_CtP1f
zQTPBDptz1KDOdh1PG>k`U;{o4`%Jb><K1yNJe;~~%RD?17(&o!2KFt3Ayhq~7cUDq
zg-QLfIunm64%t3veY5#YnRkCyD1J^^3TLbBUU-+!`7oF5uNrk+tQrVq3vgcWqG1k)
z{^MUO+2dWXrK1p#P$;F6-rt+W+v5fsQm&kAfbeh5Hl9-$s2RePD)O*9JV$xTCkQ#x
zgVTj7R;Q<Q+m@$RTO}o%61%eLq6We6BRh~QtL$5F5<}Bl(4!(9r4me657fsTO#2FX
zPL|-LGeJi@!SdLcF#mifjy0@7%dqUB8U0ozN~BmY$xn8+26Ni-G2FzM)y^^85#Kq8
z<ct-LNKRyoFN=_y1UM+j`(xI$3q(dD+Ay9GFG#{v{u4De*8duNOmhI4Z~tb-wZ&`#
zRG~nb+x8CtT9E$>k}I47IREGM^asEz{69e@RB1$@5O80x;eQRk7OhD;9Z9(Db6T@?
z20k38(0h<*5YK+w01W6%x(yty@|hUgwFH2cL{i`NzSP}4M}e_*LU<atyGQ6zd^WBO
z83UJ0vL4C@eJ#gFO{|d$sG>MK9$u4GI^IdGA!dbjVblWqL`gga(s0QVyJnlKoFhsV
z?6PzW4O^NPJ99fwR}FO{#jd@9w!<3SCHcp&YJPNyv7?w)$C;B{F^XJ+i4@EpmRg#W
z`<!dFtlPGmywuN%v!9)|`?X-2GX62(xY)V-(HhQIOjxu9LrbKEJRenT%P{J773Vi!
zxzkX_^ltdkErl5SDhO(Z0Gk0lJu>vz%UpELqeA<BvawGfB$k5+2-fEw{49g5fu@3|
zh)QFQ#poarENX`kKvI1z)I78XUQsNbldl2A-UCCdHKkV60?hpiUd7#=9@<?!EKoC8
z)DW;o#UD=Il`fm+UscUJWNgFld81J{j+;jc;qpsnJR!C!`sn<cgxR1=R;olB$Hu=n
zxO`vK43-$EiscjBbsvwn@C0RqBC3H*=ISYeBW-iWOSVgKL@#oNt$!ORMpgwb#XaO7
zeAHi59!zI@W;>9%5cx?<tQh2_6Ys)Z-WIZE3af`nEWJuDRdWtbog1$lcpqYN-Fe^?
zjjutRQahwP2No(83=dC1wx*O6Zy;KHZa^AV8x#YqKCPxsaIX34`As~e@Jf_QX8+#Z
zeuxwNJJ{<p%32t=dxnvAa&k>Eo9m08{WZX|)uiqvisx|n*=xkg;ehrd;go}kayKxA
zReaas%yzH8m-xG!fz<^VY!1BcM3_x9j7%J*Ng+Jlbdn>G3yPpQW>1q(@~e%}WNuA>
z91#aJn<0LoayN2n)~(*&FUTS&SXr9pl`Lnqr91#%RHv|IE5FU6yvTKkZbPJ!@qCh5
z%q?fJk^51XN@*Y3!t1uUS{J+ZaCzf-Sv%GDac9{tIHeFa@jzY<7xgD(<*j$c<n_&=
zp<6cx4l|2j&b1Hz`lJbSa`uW#h**BF_QDEC@?(>CEvu$J{IR}sK=21$s^){oB7DjU
z{y9EVMsLTv_jVreORXptF(;Sb43}+#-52x9`s98Pr~;L=Dc6v^u<jt(H4z1VqLu|S
zVX7Ia!Bgzzy3h7HF6O1$ry&Hq?C&o7@c+mrsAiZAiwa8mbuje)V9@)ltmjJVvta|Q
z8*~?1AM*z-QX@Q&V%Zh356TfPEjED)OODyY@+}{MHhUaihNieP(c=QI6OD$UYw?5w
zm0;S69<>8MIWT7H)VisPnFJqIJIr!5jgIKm(hGy>H%4m?tXef(0UyN*S4g=qFd{uk
z?GZBuQAR$~8}qH2+NLq%wBB(we7gb~QT*~_Mt!L@a&taOv`>W=Io-cSxt&G<ey_WJ
z4tUKW=4(tf$65FDo_kb{cxufX5~Vqkf8daJ(7E%hri}|^RXDVOzy@RW?AgE?7{Fv+
z=m)=MUeXzuSS6BhfD>Rl|Cvt4g+0Kdo-*v_ASE$_R>(-dK2VTC$%C^>e$WM+6|Z@k
z6`$U9Ww4v!Dv6V>-DPeQ*?}>oT*{ei6@ljsa06Tix1+kzYIrU%!%i$YXv+u*_OoYX
zjXi73xr@XWi7r9xWHDl<qtA`m#VW*+CBn!<uBu0$r*Nz$N_`wu-EUK+EE+ObA5%i*
znNgZU-weDu_2^EUpD2z+DsKXv_Gs0kJBUcB2?wp%eX!!0DTh!OWagjj)wadk>mMd0
z04#riQqy~xf1Eu18WhdhMQSWHx=AXv=O@mEyC3&!h1yXq*kQs+inbaRsg8cfh8q!(
zyWKguaa=5F!GvJ5??<ZEr0@I&&3@dc5~~IOxClw$$846o{kX><kv0XstNb~ge9il1
z6qg&ht?DB$!yjV(1SWMk@I9GTldYb*m+8Dsh0(XZV!Y+{Ip@dBT-D5@7bNqCnoAr$
z{mj5Q<p9+DMp#$t>YsFMONNi8Ouyt<2vu;-A=i(?^&W38`cdL{0x#ZFG`v<0p81#n
zW)Lxsz+0#%O_snvX`2MV{`SuN9!%17tZY-pymGr~r?}o_>2_dM5>Xuf?t|(p>WsQB
zXTsokC;;P6ADIu*<>p-4-JjD+uimWd*Xdoq^UjbR--<bf?CP~6(~C@I$XF@&iqRC~
zk?pt<XbI3E2P<&vDyd~?vniK^XoL1H435D4V+n~>%UN3^7yMQF-#V<FvC7t>%$>0z
zOtZLpV=y%u(b8k>s#y4CyIovb1MQ9dgsXdhL4>Q`w*Ko#va|jhgWA>w1Gf4<>Q;gd
z){T&a+KbxeLI%c-1j^P{%LXR&_4pq>3J?d2NBk$R3%#vO4eTBPjDz)mxl$`IaYQh7
z7S4a`zck!Yux|hkj{h80BU(C&x{`2yCmK`6_wn3^lUp=s5oCoiOESt*C9UC5BI+<!
z!z6AAiNM|2CS8m*vE#x=;yq(N<G7C(7Sx}*BCyG-2${E8-uab8!GKkQ_GTg*ATojq
zDi%LgK!IKmh7K)?4L>wIcNskr_mKb>IT}6-dol+Xy&85lffYLt;d5t=OQs-YV1Lfi
zf$V{gi;0?ibE8`BF{8!bYP%dK+~fwQoX6vNz@|GoXUa+mP0Hd1OO1eUKzU(rKg=p9
zmM@lal$JJ0SXk07C~S5xC=6bPJ@=&`@fOx)iN#}X{_AZ`89#ONi~hjkyUo=GLE-nT
zKbAl$uz0|$;qw89L7+fQXTo@jkZ_q|jFg6?(gza9sUS)qcnrv7IVD$6JkX0^^|5F0
z=kcv^-D-_(o5~T1*jk^<mJ2#2_6$!}AQ_>qvI~j~PXxN7Nc%zVO~A|+ZWsV`Y~7on
zgajBwCL~51{zO>Xa-Q)vP%8Nn>b)G5WTBDzLZ^Ge;-^5j8wB+4Q_r!NR=AtW@sNC~
z(kR6`Caeni6<Wg%0;bM(%+<2^PIzkAJg_h~vqs&pnz(A;jLN2o)KHjq=|_({vO8<Y
zVKs#$Krf9z>9_z))?Faq*6%>oV4#`vbwHfBw%yFCZLO@4wb~~igYLG*{FEY+5cCo1
z9dF{LD&T+wED;uKM#+XP2H5JSE02#W4?Gv7IrLS#A*Zu_pP`SMa8o^E11pp#KYH<O
zdOVne-A^bd>wEA^_3{g9RxU^eKN2t0G1Qx1@S(b&{W%$3E>PU)H)?xvdew1-CLbPc
z{F*s+LO+;#e0y+9pPK3>9ZdV*?8{i+_iq+$ti6B`#%7e0Atkzve{>eR){Xr9+}KzN
z+R(3`*2fNq((daFcZ2<t#vL%Wuyq9edxuzU093@Ja-Sme4&R=v+xRFWL&MZ{<ftS#
z-<>312P4Q;*|=VUrHuoNbO)t=Q3(|&YLdITWd^7a@WO_ua!F1r*qf}RCq4O-&C_%#
zaybH<2M<wJ6dJZ99^FH9A|XarDRsT7$I0^?>>3K?UV>Xj&ma<IB4Tocm1i0}Yd}PJ
zxs3~9@+W7~rB2qmSSiXkq=e1oib)`<SSfxJA%g{|YI=)#JHg6EE#)vH*Uo=aDnRMr
zPJ*??5Z}fYy26>4${Ca|q%fDm8j)SbMvVp%D)&H-ETJ^DEf}sva4@|DcZ?jku&TyT
zeJJdk^yM%UH`me36c?7xo0;V~q^ym9eFnY3)Lf2Ar^<B{e8}};=TT;>$lLgA-i$QQ
zK_rQBCj9}2dg24J1a~MwzNpz!X)xOi|3JA&xyD_xD3g#MXSq=T$53q;@BL%GeCJE{
ztAxwFLqH2+whe=-)t7E^a|WX;>`2czVT;=17frUXj5gLjIbc*{ao^4)v|@hh8?qVF
zE6_TK5BZeF3ElB{)m;M+NA1$O)-E52E);kvDV=RP`#O~~wc45y18OX<--n!h{<`_x
z&8|E+`8|GVhD&kK>FVk9gH_&W7*>XBFqk3M>0yb`Vf*$-s2b5UGkM6|j6+(i1sE1E
z!+B+B;YC0r*7dZiTcncA5q3y#P+?z%X>jQby;iwu@i=fd!?%$Hi<Xu<M0u<xa_1VQ
zOFec~_U5v($8WV~@I$mgKi<8q!R{LVX~0WM@6g_$Cob#ujQ<cucsA62DaA?yzM(BI
z5KwbWJ4I<qdWCsHh@t7jCkPr1a#0RE{|(IM59SddSX#<#;4j>NTpJ6*Z)EkpD3EGv
znkNYL(Yx~d__RzA#f=w@lZfTF(IYDRsuKe9WtHZW0%e?Iq_cW*MgW3VLq~bv?4FkG
zp0a{G@P!M@hLQ}*lbSpABKY4*2)Nspr|E1*pXN`77Jps9akiDU1!et7ax(=&ktViB
z{55y87`ueBjBT!b^pj2xW)gQ&){T6Pn;zd~H%{6?Q}U~ujT4y>A`va%|EO%G!g|3z
zrTMdWMs`TFIP>_Z#B>R#B<H<Ic)hdMmnXoORu+|4X6g8PYn`3vn>puWP8qds<mE>D
zOFA3=8Hg9XcLz`XgD~e#Etlm-4r{^7u~HJe6u-%UZtjhIy9LGzv03<avXRwOyTewz
zzPDP#-xMcUogb=YOzWuHZm^WzqO<~rSC649*@H&JkCQ5Cl%Cr_rpS=%!sk2kzsOX_
zlYS%C&YykYYLQU?6?z<O|1qDBo?squUn!PoZGoX+um4tWU$zLew!|bbim!}|e}Rvw
zJg~tp@#6l^LtIn^rv7gfhAcQ*8$vtS(Z42%FVf@R3?$(67a*#}4d<KpBSF%Gh|}@H
zr<$f1aK^AutEQ~Jv0aI{&GHT1qBIi$<^7G{?OU@8h&wEb3h(rD?r^NH4P{%03L^E9
z4C&DVGZncKD!v0%vMW)+Qe_YhS5`3uM$!Y(1Q{uG78wM#XDY2~c@U8yf-M_erszo_
z0H((snhFSKG0A6zCGUC;8v(b-R7o);IYSW?p~bU;p(!VA3iwqVPctVzWb#baifOo=
zJW)?dkt7Vo$u5^K>a>VVAjOXDvb2<6R5~ecy$rvBP_Hu7Yrt&QQmcxM=*^6k98;J(
zB$I4|u_cl0QUcqS=n36br~*!-4LckiH;U!r3k{@9NVXv+va~t}>D4AOVE-N^wn(H!
z<zm&O`8(Qfpr7qb_d8himFS<LJ{LnhTrAg={US0ItywJgBxS0b##mU1<B(c8DGD%j
zDLHj!95{RjQR;9(Vfw8Zt2^kB6y=r!;voqxB%0!iNuFGeD1yNdm`<Jk&KGB)RVLuz
z1q(1U6tHt_0*;N6o=DFLz!Xa%3PWtL4amz_9+{R<3Ri|yjhcWivTH<XPn^Iif^6lu
zh}Gf1mfES@&u^tn5|+eF61F9znVe%r>aKPaiWid%cA=u6{klCzq<D0mz3-qUYU)8s
zEB&OlQXLgqWFzT;%O&-L&>h1vSCFZZRKNrsiP2N2ToEmeUKiO8j?MK9`PtpP>7nK>
zO}f>l)4j_+>$lIh(}O=YUd_5a>2(OGcl`MBee#NBV`1yPQ>EtjNv>SUY(^5`@%GH5
z{J~yqXULLBIPKf@O{k?oOdp*-y>N?34%c|BifK`6#xqYtLt(7%TiYl!cu-EIe}Lgk
zr05cK+Cn#F(RCXMI>pwZd@x~DvYqcuOdo%q1owq!5`-FJM^MANJl>9{=P~D1if)@z
z%F!HxSR>;Qbzu}RDK(cK&%m7{GqnYn2HJ>L*l%{68aNcM11dg@W(b}+7{avogkL8a
z$Aex$gZPkfjY}+nEqvVRq}7HSKwu+g>B+tOxr0j%_1hTZNz*Aa+6?Bob4|7Q2`%wV
zn!N_){e6^`b)(=hqe2`Z{Vv2|JY0mfuab<BhT8>UU46K^Q`5=DN=7Y9fy7cz9n(I|
z>w+>Bf@6N@bN`;B!lk6Ys(7dxVfzX)l)GR$hl($%rWe^<Kh$yPyK5)H7!dx5k9UA9
zp^0lCqbT=>&z@T0qc^4|q&T&LU=gnPt&vWn%mrAH_8IXo)G<L;+Kh^}%|&#CQcMl6
zF^QHDrMa9EC~3l?YjXTnp5&WOh&&=}8oLu?kv0dOlznn{jjT>eR!L22jm)Na7=M@_
zuY0AI<Zc;+^Qp4K-9(Q_3otjC3W1*l-ofC3K9fmdyqBWebaP#Rz*v-T<MLqsEk<4S
z%~pH*`va%WG{p^O*I3Sg1-tw>)XG%?r1t=Ss&bBjB^Mlz?Wi7$lk+RK#@6p0!kIyp
zCe-L47x|qORB`@4?fqQ0l0E4!{rn>m2jHasH9W?FI?@;V1TY)GU7!c-Iyi&2Tehal
zU*&9OWS775+04Z1W?b?V$vsmKtge~DoV1%#I^SEXa!TU}=PjkMU~U@bl|rsF+AP=(
z)!TX;?^%+eXm-XGm|}G<?<3u-Fdk1^T~ZJ?p?d70y?UJI!hB})i?9zqNr*8cVJO`h
zs5fv?SAN^~9`<E39s{culc3DUDC-(dp{ibh&THN*eG~p}Su5V?AJZ#cFmO-kcY&yf
zg_rDLZE-S3V5FNxxum`ZTLKRd>4?$ilE#jK?1WyffsP-)m$D6X1-&j6m}&`0xj%Fr
zKd^Q_i2aSZj7frodA`;^m`DDs6bn?x7tPp|sp%uws0nEI4!}{dpF+N0tCY0A<I5dR
zpiie|R%J1FF+Vr%+O18OSG%lId$vD_ebJjmz@C>h?bp@nG8&}qVIAJe(%Pb_Hi2di
zs%XoS%AFrUFn>;eA1c_8E?&*VQm4Dgzqv4dyj)a#?s&K8=jHrmkvG4dRXALK`$N0d
zs@u~I>{&Utc0vKR^@V<}UGiS^B)a_tQ=29C`A=}Zre6PSE79gP1;zyXui*5qfN8;f
znd<&MOnV3h@s&)`#(V`9iSWOfO0(}^O#h72{+Xbq>3{>ieR&*`_96dCQqr;hvMT#M
z)y)~dDdA5?OOT?YjzcU8eIu7HsJRU~r;D)cw7!5R``UtHywvpq9(xStGHBKL*k@r&
zvPg6^QHG=_q4Gdbr*I=@Zdg61AJ;85S&dSXiu#6#%Q6d3x<*bxUfvWjxRk@|Kw+Zt
zIV-h#)|SpSBRjWKentuyl%pz(GtHfXf}TkSS&|ecNz>~dGA>K5XNrTmiqarQK({C0
z>4C;MPUC_)q+ZI@ns|@KVwJ`BZsAB^jQKqjE+o423K?QnJAm5%&w(PW&Dbk-DdG>c
z8>jY-<DanthNO<jo!a^~cER6=!C{c5mnalbSUu6cwppca8Te2EQq%=xHdsPh$r14B
znBEZ;xt(B}Q1Q+ZiPi`~${kA(5C=t<5|9MP*L*>-`?>RhX&iW^2NLpF!SFe<l8Fbc
zF7kl}{ty8ot{2P~XqmLg7W*A2eki+m$z;g6-LO^^arP?akIx%Ci)A_}IWIwQ$T=#!
z#b;Pd01Vmt^i6+Y^a?&F(NGdRnn`=)5v0_~L{Rh&1tQC+OTT}#<EekDRR9>0oCzDc
zvm|xmR#PKs{P%n^(F$#TFZ`<t^eU{4@4qH0^Z7jRKg(nI#=$}sT<+?Zia=ny?ciep
z%xkRB0kuP-FkQ`aCI$IF<!Jb5QYKK9a+mSXine?>7mDeCNvlGCCYp)|ZS8?Td(T9K
zgdqrs4?6n3&qv-$);2AIWb}+SzkmMTcY>f$ed@LB7eD>95%zlgI*vgC@HNPE<&;h$
z5tUuUlRV@%eFpU>XHT+{PO5Bq<R)ho5f<)@{@7)GBHtf;tiv+K{-}9O9YgBSwrA{K
zC>`$kwSERPx_^8(adp)4O?p~9`*nI-G~MO$yY%<m)Qw+V@*7uR_o1^*;N69WH=k}D
z=i0+fqjiTiXYm&sdS~JM>EtTFNiR8xIJx+XnZRH@;oK4Mt@5$jf=z<GZ6S%~S7i5K
zuU15W_vd3A{iCiQpWfdNzOCInl+-ZF&BbXi&)#?7-9^P;-+Qkv{;p>~t(l#?oa3ga
z&DAW|o$S6>3@bfLH*DHBPW4^o$-pUL#VLr82jP0Vf;y5YzeK1zR!DUZlvu<7S1E$=
z2_~%hD8v2D0Km7Po(mC!FY}d%aD8fYVqC!dEK3YBgwEqV5v0Tt|Dn-dAe$I1d;oUs
z{UIw5j)5Hu4bQ6M!JysJfdb(ec|%J=4{AW2CCxxdO7b}0H=Uj(&VazMcAV=d&_E(a
zhiOABlUCf7f&EbIRj|cld6QoMSCjU;>mf6~?s-Ns_RL?8+3wg+li4kZ)J$d)A9x4L
zb;((z_LhXna%G2E7Hy>J)GBaSyOv*8!h)PY;kL+)u|JQ&cgjpK3Map3LY%7xEY9<{
zyym7iWLtCiO);@RACv_kN3j-)Jd2l|>iD5kLt(!eF+ae;jGE-0VMIq1YQ6kn05@ak
za8!a9wAFmDv%N9Sxt0hTj!@eC&@Q}8_qw!Gt&7>DpTA<0*obAWf}1j7wqeiv^I+`{
zoY#BjAOsUNZ9s-_Ut%BYXQ9J|TJGm(eQV)|<e2s|j1JHd*J~rvB!99KcKF4|g=L4F
zol5`P+)%_&6-ka96CN@ojL?4|e{VEiI#Aef3ujI?aBqc0m5J)&sU}OK{I3hed59fn
zKC?g-s9vAj=11-JR5tIINnwv)5VD{Z7&V{^cWFDfUAGOaX&s|9AG@FF*=l!r)5v=U
zc>#UhFd&r>X3|Ey%oKDBs4&({AOJ7Y+rWAP0Ve3aqd*xmwjoOVUGka@nl~?h9(V?Q
zRdo-^F(@a)12>)$^R5$S3U%3JpT7n-PTg^}-HJii#Vw*iovkxub||PuQ4^I!ny?an
zTbe`vt*!Hco9+|-KQ#px+ke9&XgKice<_H6B2&-N!Ii%XiGSK<Xl-99_E`TW?V$m<
zxc;Re+R7Qg&!8d1P!y8Y+mblJ6#!s1vhDv$#@DRrb_9$XfrI7$*a=pyG-B*8KCtBr
z5Jcnr2N1kr<{rMJNt<kK7C9)8Cm}}xAdt}_@JS%UW=1>`Cjj&6tT3@c5h@^@P91^w
zE$63|XQjfVDZ@#L&0;}jnGk)^vh4man37z~yeg>fl4ReVic2bEEfN<vG+k`WH=Pns
zlM^zzOiMZ7D#)qr>hp{BYz8WTNu=zqu3`&RvCV9m28WfFa*|$|2iXb7SgjzsH&pPb
zYMq9F%LsVd$P^yPQ@-p~L$cgo5xf<xeg4GT;Lr>)@&LGkQdG7rYVKg)7VH|wLVdg;
z3O&3b+q~Eo+!2YOcV;=UprzAPPUtMAoP81olb?o)3|2n}3gkwZ$g4Af#^IpyV@Ti_
zV>f(VU}#-S+QcI0wC?_o!v_fdmvmPktR)GC(4?HdhfonM41<W|rkTNZOmkv|*QjE@
zJEunc4);7YLt{u;^TelRCos{V7^6_1W>#pykS!C|^vooNTSf_{B(OaIl2mQX!4J(;
zE)!2Orm+)MdCMU1%`GznZy>oLwN_(CkC6<pP`VTpZPQiCWX0P{)FxHIr6bEYlacP;
zLm7kl1`3kv&AD8VTf>Q-iZQ}$mbbzKQ%qlip-M7n%|J_8I5dUDID6n5@u0x9uIL&L
z4UgrD%jEv>ds&4<);O5SIKzdNYHldL&yU~v4IV(!b5K%d{SxK@l73T?j$62UXxmj?
ztgdf79gn2j)a&uQw{bq1IhiQ=rEe7tmsIckEwSVm05{NNV!Vu~V?|d-&HOl87dkP5
z<p7r~EfE3+hh&wRl?0P)XtoAIPorZu5H1HdkxJ}XoyE#4nzp_U%6JgnQ*0oe>EatD
ze$oe|@nGs3y9JRvaH0naEc`C7rfPIN=N`H;S|Pb+cw{_$H+iq1kmnw6ARTE|_nC^K
z>}}hWhg*7*`sd$vzhg90r(PXxon9?e8K1PQ7)4uzd3Wp9<4evpcTbOA;ERWM#>~Rq
z&48tLuFbA~=@Uub`^PE<kngW?m)4c&yPLbGA^argCS6=B5c93-K5aAVeDrv&Zd0Q!
zZ+Ej#-W)<G3!XamR)i|<1@104&lvUm$ZkL~R!G$II-F368p{=5o-wTx<5cu9X0ubW
z4st@N!YRHwNomwPTUR~m5~sr|bVt|;yW<gqw2k9{7q_Dvd}4t$r5uMTUM$GO4qH?{
zUM`Wj1Y)8DSc|!dUQ4A`YS0WZ(rP)^yFt%xmaH3JFu+%7YbNI=+!#$qj&-T+Jz9@U
z)?|jQY_Bv)kCUto?uQ_Od+)OH+w<4JZ+~G1fW^Iccr<4A)}V<<n4n$F59NEorI#Vd
zn-TWD$ujo7d(7qcUsrZ*W2NS+*8-(02`-d2sbd<9K!%UcwAC&_&dHvSm#WK-Nvhe@
zywtq3H}fOT(iK^(V9b<iDneLv9v&2Z0Tz946~;)v%Drt@djW;XxHrnTU;`g_$3F)E
z#J-(t7Q=<f_a5$3Ce0p#NAhV8@i)02JSKg#o9Vq{R_mXbEHwxs)+W(sa?0#XmG|_h
z7dmD0z&*u9i{v^2e8_Dx7cP^(C%@|@YN3@+|3YC$Y~YTKSEi$A{OD1iz`|Fjd}4PJ
zov0Je`L1;5JvXaea|G34gPs>?(ilm&-I0GF%d`Q1m>rv+wMo_S^?OC`uN_EV3+5>F
zG(pYub^De8;c73V6vLxL7Kiwg(_YoXq%@1-1z6HD8hh_p)8O8<xs*BKv(<P(yToau
zB_NO*a4((CjgGL#cU$FQP2auKAka)(dT3{wH+isqM*8?R6p&lUFEM)5#iI^n$FyVS
z93F>2?-O@#Rb(58F_l9@hfTaZ-`+U!|K8|^mJ($AfOx>CWAp#T%cX9Bf&;k!XGMP^
z2wwi}zs%GkS@1phfA&NHXW`^zO-f**0*>hFeeGF-;X7N0<c5g_rNjDOs%GFXkIy+R
zhhuK+?msd`q+~;mai)o_Woh=f%1EvfQIXzi61v?h^?iJ(%9&xpyN-NdkHLT7bRcYE
zU|td#0y&)Pc;JY`0PiLooFq{)AaH{2xrH->GR$|%;CjfoGyRvAdih_0+C<%)ZQ$7C
zn1|!@+fi9j95I{-%$PKcWC#fHfKxpz^<ZNUw72A$zk}u@H<kjzCzntoGTdAggyy5k
zz{BU>>aHPE67Y@M-(SM;My;hA5i1Y`m0=ch;CXKsN@*8ex33EcqA|lD!O<HoAe<&E
z9wZ!04O`_2&hL^G+Rz^9BrN>T6|nJBzFWrZ=UJGCSGeJ|wNJRg^_5cV1-T%e)0z%7
z04YIK#%I)lo9qBNpQ)M}%Vcu%0ijrSI@OQ>(|^9)?iDxKBca?aRLa+L73D`VB}!KJ
zxLQlhjkb=bw{kdr5ogJmq4SN*&V@QYEzh7U&yl$F*y?jF0Zt8K3^a6!D-h?FW0E5}
z6084ty?2?<Ti0UGvX$<@<wc*G^tuhLj4zu5FBAmSl86X0S_45<-&{p4+QR?WrKE5!
zc-uLFQNC^Os}%?VaX)b#lv01W&1Ga=c4NQ~Z}%+Zm4;&Tz47fet2-&h%3~J2EMC4s
zqH0P+G3{Kd=XVArN{wZ-17JOhGEX*hN42e>?*94Y;lS)z+0c1hQNp@q*(YDHzv{js
z0qU+YfrjzrT`;(q)3(~(9{pXsQ%KiDqqy@aZOe03%MbpzRj;KQcWbg$5r*rfED4I<
zB8l434R#b1IfokL^^$oyPpQ<V?_JW#^j(Uribc0auV<4UEbX~?KY%$1l&fPJL5iz~
zjA>~_RTJ&!VkX2$!+E3skEw5rjx6Zbj*W?J+qP|IVsqk&)6vAXCq~D%CU!FM#J0`(
zdfxZm_1zzJ`kY=>byn@FuIjz_v!4yqRWuk^`UmR}SCq2pmwWoJN{d9rXrUhjvSa)#
zX_{bUdjd}6na^?b?fCZTa>GFhKlG_v6iU4typH9YViv?hKhPX^1<)_-s&Z`*f~KiS
zx5PPyk`BiN9otu$9dTOixu-6#k^z<z-nx@}X-vr?B-rc;j<#nS_Unhz>uJ<<5H_8r
z<}l)iE^ItEL>tSCx}9&kaHRSIbvD^a&c))EPUoPvpM&0Rjrs#@j8L;4=Q8W_uF%Wo
z_3W*vs2co)zLP0$SFry1rPN3-VA;Wcf$mty?gAQ4a+Z#*neYM{g&K+!fM!(dynUs$
z1NLOhv&hW~jda26m@j+CLc36coNHBslgE2G)nHLFopy?z6o~Yhig_EjU`%{l)m86w
z!l;I0w!xEGGT&DIt=XZp5(i7RqibqUD^Wx_dc?r9bIR4@w&VHcw?8z>TWG^3udj}g
zbvMn%8=WEJf}Xm55jTVfz%-A@Y*jVZz@o!H4;zaqsl2C9m+gxa?Zv1!!$<j8hZs#*
zpjksjY0;%ZUKMefn+G-lbnb0h@%541%>bEscj`C8!FJ}qLM2igE){X7#CvbyQop}P
zGFn6KuNW_eiNSoiZw=wP-dHlRHm|m44Jk1AGOMsyih%U_Is8{Y3ZP6u->Lz4GlSex
z!T{CCnw15UzgDP_w*8$pm@sOX`a&@`=t()Zs4Eaj2CJEnu0PHnSxs@Y;ed$5`l$2n
zxGm7|Z;BoJ_nDQAPw_Vl(kKGkd(j;sw-O~mi<Z(A4`GqOSI^_Qw`K?lf;@!BDJ$bS
zE~^dSep&Lj8Z-bX9cjknO9>JB%3#BDO|<I9wKPpU6o@f58t+(nH8OYnn!dC6?BHI1
zQWj3K=qC!+f(2f=GMo(uTI6t`MJ`1O=Zw}O+h~tAT*RUivSWqJfAQ0`uSdx9Q>M`|
zvuZVaZKLQsqNVtro##XqtnJNd85gX=YbyIEX!Qgf0_>_bW-Qd{REs|t?e?s#ll{A@
z+{lhkPAWn^w~8D%C-Tyw8S^|IILm|eo${=91$?q9>%Xgnpp^rtL9wPqxj&J^aQ6H`
zELOMgi&4^G@75Dc5t8)Gk5sxKiL!zu8k|TAMOHNtSKe*5OfoYaz9-~P5X1b}?Yqk#
zmw-fos?_%8KKl*Pfh*S%vktAOtjA@H^ICp792SGG`OKiF#SBRFzQG}^RX@oonQ}fX
zy!g6!@r;nBA8#MLTj=>i4d;1#&-4#T4WMr~i@9!yN<2UvF<HAp<rYx<@iAk?3i?0&
z#H6Kj`c@4MmJ^${6C1rZ%m7eSA3iu=*Vi9g-Osa<G-p<Gats~EWm+Twl`ml{x5u&8
zj9PPTJU=;Zi2SEPzrh(b1kwd8xWTV)>qm2A!aHU%f90Ikgv#g8TKq5_yj<RQ{AgR#
zP>q#&+K)P!#^hY@p6N4Je+#Q%%XP_f$Nv5vG^izdHKl{>C8OiPxd^zd0A+{ftO8^?
zb+?jY>HF?YgO=NW#*7Pzd%6p0r?LO){Jq}v<QvBrVml#?RQN;Z-aS`dTQ_e&chJR(
z(PMd~9!|G%BQCJ1Kbs-zIj-gyG^bc-5ar5wg)MiuGW7P>Qbv$lv4Ym-7yDvxsvp64
zVbxD(a|ae(2Qq+=tuF<jj1O8dS4wc8jTTPFyjpyl6$1Ap37MG$NvwdfVe4<+nX>go
z=s0Vat@W;e-H~0Dp#U1hq&qZ3I%<Mue1+5ex4XQ@y{C=&j<YE(_bVkQP)AOn#qZ+=
z?p!>9p3yY-CTvvNDp%GqCt)!8!8h8g%rDIsq9b?n2q3YEIuDp*3m;bevA?-KG3e>e
z0&00l6(4%sf&9(z;g=@p`xTJ%|NG0Z41_Zb>gxm=HSTj8QeOZew6O0E&foWau3w7J
z*1R$_)qp%MNM16Igi6f{614fUW$PJNK2w!@QKdYcGb19XJSnWp=#@OcR|kfS%l2-7
z8CHz18#>0;oPt4YbEn+PIQV=sbk_wPwHk<F0ocs_!)g2prz-`l)k@kh$p=Y`czX&~
z(NBiNnQQ415-x<l?~j(De3~oPRU2WE?2q#vn{V5lbLS3KxmFQimB!@*)zLJxn&5Rj
zkDx}6pjR}6lf&tLh!X`l5!&S##sFwWj*dLgTV*DLLJ=st$1HXQ#`i%2rbYvg^Z1dF
z&x0b+r1%JCq7dcTP!Za~6urJcj4-^(S$C3ye_5~d?UT!7S+w@2=LNnQSxp0^lg6(>
z&m45nzEB2*3V!4hLgl3s(QHh)X}C3_wYg)Rm+gLXedvs6Y)Wr<bI3s511PEmZADL5
z)RaUWgkll#CNaRkErL1f9*Q|oCy}Lua6kr}Vvh~jM0U-`;SK%{3b$`zf4nJ>B2?3{
zMr)!}Mw%I4uvxk+Vm!y#$L4Lzg0JszKC|rY!l5vB;8;U9uQ}kBYIVrzuI|1@%^26d
z69SletrMzxp^dwzd+d4uGe!%BR$6<O`o*ii-!XUHFe2-6hT1=^c3N+9KY3O5vZWgA
zx@`X5Rs<n<cSPJhL$_f%lI^)~C>)!zdq^I?ET*4Mfc>sNBT<RBL?u^sN~KirNYj>C
zVc1!~`n5^)NS6Wt8CgNW!{hl5xhI=Lg5KYuH9H}IkXoyv0;+#)UIG>}hRZOFQqSHD
zOdh;LJvcaf$K*3r6ZMUpW_69mlSPQ<4e%H)J}WQPw#Gs**>i=N7Z^mRW@s`FyXS*v
zk_B!3R@Fav7U^ZFZK;68GJG@V-7ZeqJqGe63KAVN;R=6YNjIm){)-^uWB+fw2g?7U
z*W}~^C5(9o#WX7Yqfzd@s-0!y)1^o(6h@#3Ozv|G#D;Ugv9W*NuEM$Gp8i&61bNbX
zMX~(Na0EG{7}}>U{O&MTHZkSi>TVQMeU!qDws09eY-0}uMkn)>&?jXth6PH*qT#*^
z(n4deV<IJuBZ;Dv&{Fl|O4}AtOO=OeBPGsy#)HuSc&&fTj|SqRaOj9SXLO1^%V@Ik
zVpLh-Qph4Zvl<=P;cn87vA#2y>4tD2oslW9AsLl0Xm3}YUQ3WHlnNvGasIY7S8mtJ
zZ4Fy)G;O;u%Ros$vIkj`g5pi(BoS!!u&MeRILS%Ji{;RREh90d?U<6)Img1}NR`um
zB1|*@=xD|I?dw<@w$sqS7DI7mencZ|#mK6XguzmVW+{8a*;ErC6L(B?s&A)wG({;|
zcg?)=>)p~1Q!5y0O(uowW^#Qk3Ysw7hVT$wMW*nmPIip>Ubo*2F_9DwTOM!ftj%Vg
zi@sbi$Hi-(bv(CS<uP#G)Hn@cySIrcL2*qAIPl<|A2qR^u^d2PWK$F$OT$!bvS5&P
zstYp}!fdFz2d}I|O{rwHg`Wfb$hNZllEq5^LsEhdLz09Pf?BUn$|DtKdaV`>DxId+
zbG$RO1xoS*=cfHKBltnkB;BBj6rcv$bt#k)Nv2x5Lv=9rxJw}xoWfP$m9eXzfKLY>
zJmtB>j`H|l_wzHoP!;v3P|l9JewEpkm5r;7)<3CnBLCbAv!}11rNt`}3LxxKSVs{_
z-6m?pwY9YgsxK@(B>F~mDEsa6o1t6d>fR?daNvQN+oRgKwi!7Nd<JBo)Em8C=1MST
zxY!qlyOnklG#Pg9nb;nECGe$v1ngUR;(GdY>&?XDtU2SCF0-HxxHml4Ap<%DUp_t{
zP^VdN8c(3tS+v*eH%cbo9QgGOYMr?6h915hv7d(z4c)%Kyh`vYfmz5>R)rY3p6?-j
zPV?YOzBKKTRB78I`E&>{b217rFL-?kW3!&WdpI<!ub-P=z2CUE^9dqQ1l%Y>W|`BI
z%bLv(5x^5jZ8bYo@EvaU@%MN)4n@pAO)RdRm;knhf1(_&9r$n&sfZAF|L&#f{nmQb
zn_23av41)>b$d!ay?m8NUd$2=bXzbC^R?J#DT~{jOXfhIKZ5p%E!Un{bUO0wtXs;S
z@HN#_QG2T_dvw(%0e`bo1iY^xbk6i#i0%+VmjR<=%t`idj1%l7<_2XB*~|_ush-No
z`(!SePWkpJTCp+elMU<@n|a5M&vUv~X{io(t4KL0W;Pelq{ywI^*U?$+UcaO{Vh%@
z#C<@O{E4TtzGR`m<|fD3+fHYR&Pk1du5i+e{=)3j`goxG6o9nT3|icuKe=4>ZqYeh
zK~X{1&P$Zbafa)7ZfP((H(Vn}y#W^E6f&iLtBKx#+uK(E9_eARr<u1dzZ@XYzCAIX
z5i+<&hlKC!7p{>jF=_l?jUk|)0h{~Ta#W7|&spwPa?%V0F9S`B&UOr}6g4!YNRN@%
zp`}DAN(lQjX#n_H->oNMsnaseS>U}$yFnFp_JQBk$IClYX;*9aY7NiCU1ix$P-yvq
z8|9$?qoWc5)Uxb3C55M=kt=WouiGHfFb7h{2IHgPmyEX5$TX{6QTfjSVOJ`@ADlFL
zt_v!rB<;l+xtjR1sLBnOND1u9?3^n0(}VCk(N(-|WPlav`&Jkdz6xq*<vOHAsC`P$
zMX2e#5U)UL=SPDIAbd^*11JznFGW2cekJoLxHjZZj*yOOe_E~-ot#uqd?k7hjkS{I
zuczHA_|~Y9X+4Y@^oQg{nKblp&w}z$l`%bx)awdf`$BYKkAL;7oeoKN+}xPyQ?FBU
zp*7*TRCcQ(<-PEyv&uuQzb{Er3HDs)Sjavn<#MUP8xQ_#y?G*r9N|f!1I_Z(>;4xk
zEXYPAJ+TuS1LTkFM~22~EwqDLM}XkqO9y!=F<VnSpsG>+S-i1YwL_r}{y8-<T9xCW
zZvRoKh-E=>{V(x}k`sXpQumq8BpaW_cV3BU8B-`{^fqJ=eSQvvBQlABl+q6<b<zpZ
z*Q+;Kfk+}bx;vNSe)jY?P~9HyfsGv6ADFJ>2#l{H;ik(}s)?dSzm5+p$WTM>`{;g<
z)3NG!#Po%1=aZI9yN=Vz>d2sQF_3GN$1aQ(Bznu+02T!aec0nenGY)pzUHt0GC|Ju
z#Wi%_Mx({@*a=tH&@2#5nMya+x-<QqIXO}{SQ@*SV$nk!p`nH-+)q`7U;Y?`8zD=C
z7JWQUut!ZX*he2-XEkVmCt`b?j4Wa%99jSr9^PIaGh4T`5{zOXmV+eC!|a5w(sfOo
zFlc<`1VA@uqLSffq7F1?ecQda5Po-OBWYL;R~G%^fN2;?I(&RM(8T4$XBwE~ASCNY
z#%>&Di71|{&;q^FVDa^ftKKcEF>*=W3qGTQrc_*;4SxOMFQxgF6dXN&r8DEHaNN|%
za9k}=nUW90Pa8gzh~Wl3Y-EIrDO`<5h2a7QMngkWO&xwAa~qZBnd1HQfmf8KW&AmY
zy9m7m>N+P@qr0D7-Q&6)w}L;yAVyP{zR?mc(vq&jRW+wl3tYm5<|`@Eln*}cH%h9Z
zKIehQp;>=68yIRc3ECkO)A-{q(*x3!DIF88JC_8-Lk!(TKdesr%-Vi*<jP@I9aI1a
z3MeDfcp}Hk;aYkvsM!1QDU*QDa4Y9H7?o93v)RS>Q^@bx+xeot@KU(0X@!-GB*Wfe
z1;w+E=4_Fhkm$z=)WgN{Oiq5^UUx<I+c5RHJJI&5-Lcio6-yJRmHGO~s+Ew4p~HY)
zMxGEK{CxCKr{nXN+aVDroHmymJ2pTzF~z%CbGN2<T@Ywj9y)ln<1jWbQV4qq(CacV
z64dWSw5CsEr!*4?o5p<OmFbE`h6!S~$eyW|%&-fP9fSm;39#NTnbVuoIC{?U*jBDn
zaJdBA4ld<VC;-*4W}&UFArRez72-?y%ld64Q|WQqnh431jaY-8r{HVg2LYbb?X0(o
z%8W^KgNV~Bpd{}S?dB{)@XF{9oNhsP+q|QhhwBQ2>bWME&Pdiu&Xm$Z)&3?0<z<67
zClf?ie3abA)pVBUcJj8yC3N#QcFn{2*2{*`$`e`GT*8@QWY+U1i$A}1etNh22xSvj
z^RVC$Af`>1{VXk;-{WXN%mr)_GH~$k=vMKK#BsnMAq+w>8PKV|z^vDo+;S?4)EHMm
z(z{$Onl-O59-(d;O&Xg&pmIm|VrM-2xfnM-8kUxr1yf*bXvE^>SR|Mo<3$d@Dot+M
z8t#rA_(1OrQnZ$t?bCg<P-{%u5Te@OI^H8M&bALHMq$JxrJX}*=l~9?lv#0mDH^v<
zBp0=1dtyJ9X>JW4IRNl)bK)gLk43GYam8ieNfa6eRE5>_gJ?o-+u9U7-(3QHn+=`P
zaGbt-eNPrWS_Ke%{1jY+6&`K$-!7gXGpZZR8icLk<)_!7!IhD@n1Uakn{)LHPVCUm
z^{z=WqoHYuSs6l{CIW<hFKrjEmNuoqg(jTR!@xVfAJxM+L4Q#C4f~DoA$A0|hAJuj
zO-dRQn+4a~>WK3i809uC5F0Egz=MT9&zqHu|0BW5RlSI^STAQ`v?!l?dh#Go4TFY@
z9pBDQ+0KG<Av1?-%%;4N*FNdt;TOD=h~bJ}QWgG2E>%Ar+A4sd6-sUYlo4JGlZsD4
z{EL*SwH#a_?S>wDFzwPgBYcZT)ux^(CIO$l_?IDS&?zce@9oLp6Zcv1=M#`sM%Fns
zPrJ1)i2SN}*Hrse9$ew`If|8EcIzI}mhp8JM?kID8l95n$n~=Tyz$eXUzooEZoa;G
zZ~o-|?5^w;lr;3};_(7?-ra@InAy1I$fetxYvXURKmI$F<Lk=DE>x0OXC-P?bwmUz
zgOC_!C&s$;em8m(szKuRzmFIm(p3hrw>~fbq;X|uzJ;3$$Ri1&En!xo)91&a`GPnn
zRNPvn<Ne&#QQoC)+tQ%M6N-D|wdex+|FxK>XLdp(La?#@*EL$555*3Gx%^8kiPid0
z355a*Gx&#!!ES|GLINE#raW-8=`)}fkX+m#WQ@i?Dil!CFc~EOWl*fZ?e=PWf*V~7
zm@-5wxISr}Mt*f7?9e8!xOz2Nb<qBmuWV&l)+pHCVL!W+%aJn*%fKq8glB)rY-7>6
zddxXFj~ZpVIi`~Ppj_yFTP1bpxELs_e2<0TY<qNJJ1zthsfR3O2PUZpIvu}YWd~G6
z1+#!3K!ZpO2n<2RQxKz1h<Z*1Mq}dF)v>z3NJ8Lxutj^NEPf!>iAzz6YGQkGklNLf
z_tzwzQ$ZGTErJ(XgNn`~JUAV=L>ID@JLV;AAZ2ue$*4Nrs1CSFl){RbdRBztILLT5
zs^p;?m2?^?#swjvyGzSYmYOQ-(gj5(Q4U~{r-Uq`O^k^LO0u&8(dkgQsFH%_Qe@#R
z;)!q@Y;?#KocW+kt0iTt_y_rElUc_)@ao_yf}Fj<-o9W-01JO5&qe}8>5<_`=`=Kn
z7$ZEI<Gi5fv>1Oi9OxDes(Mw4GU>Hdi!v#Bh*rzFugKSE@k+?LGJxY^q1;m|f($sa
z!5L<V2`OLwRMo%LV^aCI$muh*l12`?$eu?8pCV9Bp%p`@vGnz&MRE-y<5t-a;Zi9;
zkk)Aex6KeWlTQQHqE7?o3PDBJqwiP@R0jLN78g2CJ0Qi91X*{$T)7H#Pa)9hm5)PH
zh|0?Og9m};BYbcktP{mRhzh{b(9MmR*9mjdf}ykZx97c?UP2t>Z3b3<*RwU1pPS5i
zLK^e)wnCkI<~%vU%io^{=^`!!>J{2c0T1d!0(h3E^sYWn(O*j0mxzp<N+<4IzT<rJ
z`nX*{b{d{(><st2JFpr=oj7x0>jHak%WG9Pk;*ehvflgNv0)Im)_Drh-f-Gmw0rS;
zJ!gi%Twg8IHz+#(3P9{SfQgnpLhyW~IeQ3|V!6!9Y%7^^pjo$XKrrSjona2UTk~uT
z`0LU9*@l~^l3nRibiH$NJ#lU4<%0GQ?d2EQeYh_4X>c;;3GZ(sOrFnW!J?c;J9YH!
z+1rPMZ}51`UBF34XKxPBIW>21@jdS|fd2gBi?w=9kKCE;ITxP7tz3r$bI+}*XA3An
zRJDJV@DQvaUuf*~*{%?`^&=w@KcvQQ^i>*UoT(uhwzUgs9*!JB5{5qK!sCIL>$g>g
z7vEdcJf{Hsu*$_QgV)X+FA>KYnO@?fos*&shW(P<9cKuNxral*T+G43jZMYY(FXSA
zhF_+L;u-4vcj8*Xb%L~sr^>UnskW;^%;KEdCuncX=$V2J?QB%ptiKEUJWHLoOi0EO
z?D%E$i7j|;;CQsK*=(LOvuiOG-jsoJxOx-E3EX?3f3;7yYgv|lK)yr;4Ou7(z3IoW
z6{PtgN@uxTzu?CJ-UbK{4|G3kHb0#Ow$5JTFOT>F)@C#Snj%|UekgBRnEt=Oo}95R
zzFw6B`MmIO9fm7>f4!S<#Em`-O78_4unbul@P8H=uEY?y=4Q>cp(6~)8q&!=Iy4>Z
zTSheEDeM<{SVGm+vr$uh-%nwqhL-t0Go0aEYjlaky{GLDhyXn>3D>bv8>|rMSq;z0
zXq)p@e`Uv?Q2QBkGr)PK!4?*3-X~^@1W#=b`d5W+XOlUFiw<1WU=ItGzp-M$9Z=^S
z4vlcmz&97?+hgS#hH9lDEFI1wZ`x3=W`plvwy~fv=S>z!oZ>CeA3JsvZ?b2lHl&}k
zwx5q+*XIE=y4*V`b&U4o*#DL?5Q$1WggXRsotUMF{myV_GqI_sCW`xb^q3a96@ERY
zD`{~mOVR(ls@5>ldGD*Vyf88%D~{Xme<y**q4(xOPbyPIF*>Xnd1%u!B;H_T5iy&Q
zxw{Z_)Sggzd*Y8(sNQm8SZ(bQIgVD@aEMu@lq^c`9)sd_x;*N}H~%%-{Uv#hw=sP=
z1~hM*Td{0A5hs)c=D}Gv^`ODgHeklG6;QLFf#xsxWYC6wnGYm_a<c@GfY_~)Ej%dd
z%gn0iqHvXi*(fnta}wAn+sj~4rXYu3!zS>1LxV()gib%fadHb{|D$z4va|imMvT=O
zKMumv{71WRT7dF`gW%*#Py7eI|5%4g27&Ke6HlQq5&jG3Z@Y&Q{fDXi59bKm|HsX6
za;68dfY_UxbwTKS&}lMLn<3+6a_J?Q7f&yakl!R*9SWEFN7@_CREna|uxVBEe(Pz4
z;F!Ce4#k$l_25Cs^PKN-CC|c+t2lw9L^P7LI8H`G3B{life;};l(rzEJBf6RlS`IO
z36WiKUgDqy)-?2wR<edoi%IEhR@Nw=`|nhaa3g?{#xL2@MAku0t{BrSn31Ro{$gfb
zfq2ouQ*L5OCCx%nyJ!Z9^3rke@`CJNu#8e3RH|scUm@k1rA!L5yu%{tp)g`tfPAVZ
zg_)3Es%NDG<GD((_C$oPL%%4p<x7C{8FCi%se_EpV9Ry|_e?=6962U_cJ6LkH7OxX
zC&7S`G>`r=Gq&HkvTBI46RcQ_n%Y=t)rQFB-Dy*XeJu-!E5}nyKfWP7fTNk5ll+Y9
zTlFfB=za<0BEv&nA#J<~^k;iQ!04DT6YRrao^lqd!$s@Jqb)w!l@67YhFTBWbZ1?P
zIx(qQ{f-~wv7}4Uw%!>gr$?+8vSQ+(iR=J4E1+cG2rOQk0K+McxkPiS$Y2gHocj?<
z88$-?Uo30_$;PA#tP!(&gzmv=T&i!#XbwuP)C);2$>Or`x3zNI&fye5hUCs73I`|H
zn1<wK+&~!&j5Vc!xKB5o!-b?l2#15uC8hgIDodLwPX$_91sM3Hd!$)m2?&&u<^T{{
zlHY)d#}pu<7``Gg(jS0~<`-j+CXCi_s$cu|%1F^XwqK_5RH}2fxH@Ns5jSvuI%Jx$
z$tdjjYmC^aB9R9WV6Z)O@;0=2PY8oEF;!C9;NQ#BZDdeWvt%7Tana7Pp%U$RR5qji
z^OsAoc$j3Y6$?nI2<o2a!tO`Ivjs$p=rZeo0-?XgFH{pOA=mK`8Fp{1T#?MAlRTDM
zS3YzO{c$KxJ_$cLxPQ+$5AW~@LyjCo_)Pe!R*8!IQEiK*0eRdvDu6KmRLN7x+6@;k
z%(yf$G?Xl&ynIyV#Dbk3pPFy4V-#x6kR!dr())>>_eH9jzxyFWRV+;h2M0joSy=Lm
z8<tXq(lvw+dqD-K&Fm{Q><a89CUpBgWGg20*dF9WL@>o6WI8beeK%r^R*@!)w%Jn>
zS@qx!l?43==tBALf^dtT`U}=7s=_C80$%QDuoO)$XPezelEgjOH~J5n|F(9~BQy?f
zH=|YA#N_s_6~2FSk{u)<qZ)`>Tg=$XK&RWGLN)dE=(FB~vn^L%i=wD~-LT^O+)oNp
zPs<fXUa1RHVb=Kay*ShyU&dd`tj)U8F2NY5@X@G~+eZ3s!O+4-AWB>^U$<`wS>I+6
znR&-6wm23&=Y4su{whD5B(OrCUf<;pvh01|bz1gQ-AxbpiQOFy_+0m3C?KlCm^?nJ
zc<E#3Z8;w-oXH=3>&sv$n%-k(Ee)U;f*yt<lBxL%iyI=|vs&1jmfI=kC8PFv=vQ^}
zU0D8asoy%0ZOO-ktN_ozE)4$h1X47jlVXKKxbFH}IeDs!(00%u23LR(_L`<3(fL*O
zkCSZ&w;p|EnfaMofbr>8(H2j3{FV|(ZL@lKJbm9aY&!C3{xi7v`f>j}T+Fa1{9%ss
zv1rZ-3zM9ayB)P^eJ#}I^X3`kaucl?juS&KvUYda_q%ZNu?x>xEFg6i&kftaj9~*_
zn<oq>W;#XwCdkDwu3B4!*V}v85)j~%J3t*-;mOh_>BNlzkoPn#!&z{_vY$557|@Ez
zVZ<oCQwQR#C*tjaV?BzL19P2p7L`#iZ-utXCawy5*8^SpGrEr^gV{dhT!LM42aR$}
znqK(7<{kF6DKD*(xuYQA6L^3$u<pooe*C#kX7w*O_d(DaF`x63u+s1Me?x?wlX-z0
zl<H~{NgR|cqX-MK*0K#P>C#4ZEjZtU=MGk~^Z8uPSI0O~2{W^B6zhF(q{kOKB!-Qz
z7kvf)dk%20{g+mk92PqNKYYBHtspjkhyTqstc?wwhyecIDsQCF@X-HwJFr^usG$|W
z|9dKU(m<pAPs1E0Xl8`}5_@d$KwBe&bN@3{aX|8L^Zdt2@gI7BB>(>a>%SQKC!}y%
z5dFqpMQ{+EbMI>*MSWpaHy0yZSr&b|@}ym}Ro^OYAVTt$C7+ksMUzWRK`%7lQ-oV3
zFvBQh7<O9{V<*FaA>M*=GD8TXtRTf5MkQTk)qy9FQ-&QY9xTcz9Lv}n;!Bod%~b3c
z7q!sP1wcE<)6oZt%YdWzlb*Tu<6RZmU5Bax8*Kb!y`k`=LyZ%}Ad{KVaXVOfAkH+Z
zjLq6p*d<q=34w6NR&!I(qw*UPfv@U3X!YPn5S)@<JTxr>+X{IN=Vcbb{B>2N>XhNI
zU?zSPuSFMDJ?Jd36p!a88l;*s*M}nnv(wX407P|rBUr_^?OcP|;kClzlYmJ4Nww^X
z3WW`Uc&jI23kX9etw=h2Dzp8pKnxE=8H{d?Cw5a!rQsO0Ijsev0`@?n-QOp0LAVT%
z%(y{flhc7!QIax+^mV<XTGgU>jmlWGd#C!&gDO<<2b4OQuflYeyyS<3$li=PK<1zt
zfVwAx!{`eH7XJ4dT2D#bANknOq3#~PR~BBx_97z~6u*qsjH652O=NI(G}=v7sa5rW
z!;crEL8q%%Fb@&0`WiwX1r=4YhYH9MNe!s)p%)C}rO3^QD|<koNQmv**|;Xs(@W=g
zQi$V5SMEn~>@u|PvH@jKU~r6qiZM`gfO65vF;{acd{gyP=d@Au^w@p;gF24go){EV
znT@Y*QEr6JIU*UCAQ}${J&=RdzaIW;yW#qJPOMQkaC`5>(Fp}r$unl-=pe`3p|>iG
zblYEdBAPmU5jT7qge$IGVAH<XoGDGG+1t#?y8Ku(pZ6yOTu%L?S6h$08F~RccrA1X
z-QGBgEI01Df0n<o=BeN`PTcrq>HyDMZx;98AMP9Zw7%f9MEE9;tr<+`U-^YeIp3xc
zN^i_vTwq4$F*m0FewFuyj_F7qk}?+g%isRtyU?9CT{GMW9LV+Pb-(K1DeDPP)lXkh
zonEpHY<CF3U!a;`rG0To)B^(u080hgHfHAIH6T^GGR$`^eC$J7-_@rY$qSW#Q~F*N
zL$YX}970j?{)q2t3NmU>F>H#6=Vpcf+{L}T{L2#Xsm*wP30S=siJM^l1lYjLpfa5^
zxgKC(2Sga*F-5ix4RNzp{!oL;>eD2DE|X^cOgjn>GfSNR(?^@#QalTQL4jsCYBH=6
zlBXMRX?631{u5LCr6sCX)|R4|bc~_;PlzBW7CMEoK$422$^sK2R=kOVPIBU4Oj5%k
zAjA4`F9;zdP@0Fd4jve5#b0(H7>Ud*C<nDLAU%xek{$E(<zwTH7b*-<YZD6loJ-CQ
ziXrxQlm~W6A(|o@*DwztSfVacoC3G`my|6ehkOn<iIRypXN1#!6<NwG0#DFf!0K;V
zyc?TlJUf^-ZS(CYlZVGSm}!)u9v6U76!JQ*Ok4cw@P+q&ylgCS5K-0lRuFSbntpuB
zlZ9LxTFkS>@^KQnYTKvG!4KF!I^zPV>EQxp4N7m~mZXNeswvt4*1aY*inJW2Ri5CY
zM&?jy)*3oxGYVYq@lNS!^`wW8i|H@C(GPrF!7iIoO}_&vG%8gx;C9fz_VbEIuJwhk
zM{#Z;eCGz_?zVOcTmobgn!HCtpM)*Q*X}7%=e927VERHlLmwBK8*kLtIgM_8dHTkL
zthWeq8z1Q6nzo7oK1Xn`vLogEtEf-e(a~>d7*97rr5ryT8*C81@_K<yCIMfv`k=<A
zRM*d1{Ci%cr`GtQZu_`|=0DX^be79Ov61IXkiEpA52V7@qc4GhU+(MBw59id#5|Mw
zqc<IAz*1b^&c7In<Ov1LuHIQztQ22GprupOl}0E<@Q4coo=$AhZ?Y-Fn)pKkpIz5+
zmlcoa&T_L-ozK+`46j`IJGW#vWIWxybh+GR9@;!;Hm*oEPiCT3K$N9_3(lCam)(5p
zGu92JO6NC~t(WOLGADg~y@g&*zHxW!8$60^QW#w-ZdhMnKb&At|9-LyCpP@Ks>YJ*
zFhV#ugY(e@Xz-Z~@C;BZ@0qNAahbIb66EOpw)ykP&G+f#n`h~<8=;?Zf;ZadF^&Q$
z=bjP9^^#yM%}3Z@ou4SLH(gh+t6u9&uVYhPof$-v!xIU(B$_J|wdkIQj`VJuhY!qm
zCc8_ppVW0m=5*==y0!J0{uH=eDq99wec(D8Be9%<fT-As9T6v?anUVpud70}CFp`G
zk{tx0GYSJSb!m3x=4<K?p3H|8h2W4`M5l-KUh7y_=luD<x@f1t+ru?us8aOxsaM~n
zwu1@p{Tw2i^#h^Lce~Q$F_}WMQR|Xt*5)g2^ewWft2y0w{z4Qs^R)f1ozB$p-(C98
zPH1RIPF9eH6$_5p3RHxi0-cusEOb#i(4V*<CG20G9Z(D!J%G?KevSLqAMgWhJp@@Y
zM)s70HcCO{H@8%6`x!*I#BbO?rH;)F`|`Kn9s@p*`HCIJZfh{5+IO8<u%!|QcASN6
zQ8re;A5QmlzMMWD4xO>)4N;=#vUYAvz6V0F{rtfuD8b)pII}tB<mtM@x|Iv?Q2gzY
zc!bqMte|IN%K~U9lEvxW?D4+gceO?fL~MgN`Vk{(1Q%i}n*uXS7IVmQEv8q@zv1WW
zdpCmoL;Er&Pc^V+{b%(f&sBhjwf*y>)gd}doYhmuLBOF#IxDd#U+#zN-4nsG;)Kvo
zBT4I7#{0eDcRzVE)I_tC=fQcemAFPv6c0ns&+q*k?d1S%#M5cd2v;(kg`ZngmPyvS
zA;wZIhN5Ndig!%tg<?9Mhpftiq(6x7ehO6hjO+-ml0+GVXo|S9Gy*k^gWG8-x#{*v
zWc0LMKm2x_d9ri_?#Pl64`;6Gy$g)(2DjaM`pYmYiCXjy-u%@~9or}3Pw>x@9a4#x
zVSs%j@=5@?8EKySzSI7v7k=-n4hJfF+_~+pl*R7Q3UKg+6gt(_Czo*;L<9<w^tWP7
zFZ4x*yuVDfn5y_-?rNq*zQtcsh;Pk<j8W?_vBMbA_00I_ZrqZzq<VyF_VLfsQJ*oN
zy`e20kus6{Kq_L2kS9v9<z#j=l1NUqEZJ|&og9D$l+n{JH~~uuo^^MNgid>I{7Vae
z_=*&9NYns13PwK-m?FJ_ve!K8qQ*ezFFs-G?$ax|7Ucw*C3*h(_`^VSxGV6+%|E3I
z+bnAWV=YtQhyzx$WGn$Z<vRm4aF}OUY82UJM&PmVlS)<ek}??m!A4Q&Fn*Eb7>%W)
zHV^=4+5Bp=b+AzNr$pWF=zfP%4N46-zG~XCn`zH;f#}3<+Nk~ae3OUv+iT`_O?sBi
zImE|`l_$5<tw3fL#ZJnQ@$SQbLY;;BB3@2P<_G*j6j%EfiO4$gYJzOBf?c!f{OPJi
zw+Z<y;OvRthSu^e#Jj&xsU~4cW|~#gb1?um-<4%T-GNFB{1ahYzr@VPpeAMn??%s}
z;zglhYX8p|4*@Lpd(v~9<Ce*@dJX1D9t9itOI(m&dK+5f9&g+{cy5rA$$AUgDn2-V
zHF!yufmNz_`g4sTWyoY@6NE<_wD#e;Y&Ct3T9zBBe4%F0YaJ(YN{3<Tq12shQ7>R|
zj8?RP7A-DmLAtYBR{g7%Yynm`DniNNxUcO977d(D?X1nGaAOHc>V-N}v&9no8t1qC
z3x4d>S4sqXG&S{EF$ej+{Z(!np9u3*1~uKF20u}DUqQ-+qbVs^W$+iZWUw8T<Voyw
zt~En)Y!~zn6*h2aL>2ok&NsJ8#20{^+RbRA?wQ(6J8Z64(TjGC7=m~;4n|0Z|59KI
z{X|nfovuPV2IAo_^rNAPAA8~b6$gBG3khA`rRy|=S{9|{3qfLVSdoata@pTuNpl!g
zeQWHiDOKp3>wHd%XPGPD;|vFbX|(ksQ>@p(n1EegqWOQ2d6(0+yWe4w9Jm0aa9H+Z
zOHb&!J{o%Wr+Gg#?MA<7Xca?*w)jL&BHU@e1Bthq-zA1nHz!fe(V@nLG#7=D;UH5d
zWC@2F#izNCK20EXJuj%<NrP#cAxTYu`td*FnQahz9xUHtoKYA^*`h_j8}Lo)b4_<h
zhP`2y=BB$m4+Y-HSS>Mkc6$Jet{yc;%w$2*>f9ajK+P7eM7;}p|2{b;V8Hf4xCA}B
zW1PU^#zUU(O~J)S<!OS@Ch|T3rVnImS>_U|+;RO$1`r-Vsi72BMHYsWz`8q+Rs?!x
zlco?5{gtw1UUa4NvGSJ`p`K~5pq3RVTG?wrrMHSxa~|oG7_!$y0-yzscb`EAq;Eah
zXWUalLP3tf6c#tItf-e}Kc0{7HNKg0Xy!U!ulA{{P>U%&Q&8D(Hb7EFjD)I(p>syj
z)YdwyD1*@)C5)p&;&ropeH_|7BJmw}+N{luT=p4_byW+ut#i#^>5`vUqqtAtI83Cy
zE=z8teou7e#$N?@1q_oD?VC!*3q*CNnXM+%U7EI|G|<eZ$q{UiL~2n*+xtCn`l>3M
z@npmaWnIfOj984~o3(-cMl7R{#`u&qi;?~wSk?BW(Dg6iPvtxS<$)u5SN9Pr%Skx?
z>Ln#}HOj)-#@qBGPm|gxX6Hfkc0O1{IbfJ#%{ZWIg@zHS3ZO#Mkhh*ZCTDR$Ayf-)
zH55(j5;U6ZA`a?YIRi;gBIb+v?pVZJs7MlSQ6dp3HW|%2&zehZ^5kV7>a2RV6eWvr
z^8DWu#&w!a=I5*7B+I<b=A0d}*TIo|FLpG$UnF$m|JsRzQwYYXh4!?siv(QVUIU?~
zd~f%Z)8qhD^e?u1*J1{n%~&_MwL~`-G9uWQkpueLr!&*>mZqqCQ)9YqpczF}`8UI_
z;aqv&o@$~0XNL2H(!J0GL~>`Xc#k>+kFuu%mnOo40Jhy@o<dRw**|+P{>(h@^0W6g
zn~LBsPA<2<SH6>`sN>EuBwskDy`=jO0n$z31o1|=cjEU~#uB&&^KoYsrDH(TGl&~~
z?qOPjb^}@K(ouxU&`!ML-r-n^{hqi$5PJ@Ga1=)AJjFe~{E8&6f)Oy%u@HNAu=jc%
zXRH>e!b}#==9*~-|Mhx=X~)Kb1&0ytfsCYPTHn{oc)&YnCA+K4xD9h?DAEcB@Ni|g
z)m`&vV()vU3jPz}et~f(4|#IBaI?zWtz78ki-q5BknB~4$$fKG$bUkqtwgK*nE-U}
z+-yNU(Rj;7^5o91LW#ICm5MK_l8f@Vv8!|L#1{|QSiEJE5`zT=KbtFl`JlxZ6#fI{
z&33cueq(|7IZ8zc8r<S82l^bqC`+n1JomWbD}qb<-^eOe8E4Kx1ebda8uL_;6sp*<
zSI??;)zDu)yre!F^Mvm=aO4@-7BF3YJ{O1_B01{}>*|OT!mi}a+0?Rotm_j+#M$P8
zLk@k1!4{gRH#_3fUa(SA^L2e&pc1%DZ_s`2kypRr<>BK8+t$}GT#^Hj+6_V#dWU5F
zxtvh&@4(+=4XPy0T8$}+Qv_4_NY(gR+Iz-JMw|$@sT87=mo@+Py{e=i>~E2Mkf-3R
zxeEgeY2|(khucWVXymf>T<Z_a2RYa5B#OV~^X~3Ou|8&pkUg}H$zN=f0`j^I`}U2Q
zXiM(aYI{ehJ<l`cBu_p8lRr(tO=hFR)yWUvJNsK)K8cdy-KnEkW$w}s;kqy_ld_T@
zOsJPDgb)BfH9Jv$t6`%N|2QgpQqs*wPs|AsirFYMB}5xPLy9^GQQ8_D%)jG!dFjvl
z`7M@k*oUD}`4?@xg2(w5AEs-v-!VQ$j#lkqLC<3b^maY8dxypcfK_g{bN<DF>3Of|
z*~{YX%|Q`ul(wz+USoBwCmb_T2-X2e%-n!bMRP28$ZeBG$gVimb>Wg{cy<4ns*d>4
zwfbF~t#6TJQ{(a>6%IvtEA&Pi@l!U8DEgerHw?`NjN3eK90u_FBIEDE7*{;&RNtde
ztMRRQ^Hi$O#Y<}kVBE;@Zan%-H|N#>)=QzTYVb)Ux^=Mcb5--nxbMc+dWqW*uN>@W
z((IAPq1A*zRMX@c18m2nS>Grf(PFy<*&F#=!vJ%T`Q!)xU!``KCjnaxA1$280*0?)
zHxTCTJt-$w_G>msEwRcrYc^11JtDb|_WdMf^q@Uxt3@ppAb$FB;<)x8j1#tBf$~=;
zWO;}cY6J6nrU0e_b(}f|{|W4QlAf2pl?On{&lt)Aai;R*^L$Y^!xOY#QGZx=r0XGD
z(t|IS`eX)9c5?M>c8{BV#80TD$}V6PiFI%TRwSDoJCP^LRx8t!W>!<g1o&iuE5;;Q
ziPSsBEf<Rc03rE9A~W-Kt8dM<JvNdOMS@b^Xw|LB$g9m+3+|p~LS#G|#|{fj!2$(S
z%i}CL;9uQG0*STKe10!%TJLr~3MVIP7130tS##eHDBh$E@gd8eflskA2~=EZR7?iw
zWt$<$q(+t2V8R8zd@#>>U+0zG&1fliSU0W}kWMK9pz?bBiW5p~^GDQkuV1qr3!zm2
zKD+b~@ghBxz@QCkwS#WCh46a2D$d%xg8pWbd_*shNs8IBW$DI2sIVz{LM8c}G$G4{
z2(FBkO}&*LaaYA}l5T`+KLu|_QmZ1A)^IWRJBidF^1H@+j)gKA>PbjZ-TY=$d-#Cd
zlHoT%v^rJU^IGVMkBQqVc#Oj{ScT{V5fku_k-sQ19a3CJVO|$-XiUI}aHljGsIau6
z>ax9hZiRB!m%ZSb+hhZOfjg9#@dsmmP3=faRxk{`JdYsZkqf&Z|0OEZpI*!B5knnj
zD?nF-V`~T-G5!o{ahFc&fTMA$6hHbQ_jk`X^2$>-Ht?OHv+^C;upHLb%^g)lAai0}
z^q=}<=wZ^DZcTrp(7e*$U($6?>HW2!zcE&P1@11@=-n+LyICUx--nTrt&G`QU(bGJ
zc6TlIpWD%Y=;||>UqIR>)SX>2!!4ODzhzW*enQ?s!BqdVgkpjK68|XoA=r5T!vfN+
zr;xlhiu^B243lQ6)D2zIG#Qr8>MC#cNX>!4xsa-bf*JCd_H$hofFwWYo3P}J_F=+A
z`6_b$oXs}m?4G{$MDyqE{pEGj+m|x!(_&wM6OpoZljozY$q?Q9aGnQk70creIrmo)
z*9%VxJ*?^!A%B!y8(U55sRXU;EdUCMCkgtpyy&{HsEg^jfE@0Cm3-3CP~R7t$G8AN
z5wX&;r|`1Bg5IJB`kUntbufvk%PPhJZq*P=!umBBrI8*QDa}~kHG8nWxH?N^WyX01
z!f66RM!R}>SH*caN;5d6D5Ki)FL{kR`ZnBW6H9J}%b!{XRK&B*Zw-9O!vM==<ia%~
z9#(-Ifh<kUYeddG`{)45-iT9qt4zJs<`!XGx<|PX&t1x|O*fmZU)NKh&mjfuxs5Eg
zY?T~8VMcu4^dqY<BvYIO-ynR~AYfiNl+ut%5FG#Ht+w?7_X_Ghf316HYj^#0(y?5=
zn|2JK;|Z_;NFWdX7MJzwgaah}M)#+&CnFFZqB_%+UyQ11Q<<Sg@NY6JV}xZeHeCK&
z^EemHxs~dnXUX&}PWn!eCieMHO|_tQ;rB`X^I|bkdl5O!cWUVem!FtObg=mQICQBm
zChH2XR1Y?S?IzDjlL6RWF;56MXl=e<Qyd`oJ2*bHI4#tlN3GCLAejN-Ej<x9-)zSg
zTk+PJJ9OWiiKHjKG<&I8(PWub5b^h~<L{Gnh3+$W=66}vM1F*kg2(=<OUwlS;FR!R
z7$sA={~AHua+0C*o5g_5XtTA!1bp0KbP-!Wuv9Bi+CW^~c^0>(DRn5p9y%)+=Ge(+
zQs1Ki|5csat-gC$7|Rz>IsJVFYFprm%6L_<(N9=wOooaiw0}ys-08}ltP&QV0#R6U
zF;Zl@dd`?#dY_Oq=mNlz%yW;+r#WQyCLOV>(g?{$_+fER-`O6?j7h?3k>mA%{9Pgd
z&jZA(L>@XaDrd-jt+N%M_DKvbY+SrlFb!7O^rNRE@oh$>Q=1kL8p?7d)&Z*;Bm17@
zJ{&vU7Akz40j)D6%@Tb9KGhYP2vwYGQOQ!ZK+UEsGiQ8SDX^nNPtj|2#1JU+T{@&K
zw_*IRH-LgG-NTXG#eGxlRZx2(&w78>IQ&y9ov&2wAjJ8YpCDu-bdb_cru#JJB@RZD
zewy)`#@>fWLgOdk!%Z!vO-x(sX-fEaxy|=rRd%#YtRWjuEym){V%=+qtw;%#WmRS7
zYz=Rt3i@BO@WHC{WP@7C3A0b{U=lOPmI`4+pST{=OYW}bG?5hDI%LWs3-ky%xOUv7
z7RRSh_K$M=r^Ep{b%Ahp&6a6mu+*HJFk%poa)-E&%NSSylZag2C^|n=n3yVb5hR(>
zV2^QiSyC!wdLp1r1Z5Lqo|7hc6|l4Bym9k7F<&ft=J+Vfqnnq0J4CBIvp1E`BFQlU
z=24`0hZ;aI6e6uv0{z15OQ0z+A}@%b++-p=Rb2&q0Lqb)rMior{P~%E`_^)HC4VXm
zZQ<lqg5wA<<kn+Zi%ZMjw701sWwE8tbfE)Jb__FflB`TQyUw`20mre>LQ6NzAnwa0
z2Gf1!mwvLKx3pZ4vTT0Lv~pW**_K=UU~<4MeN6lK;S*)85dZmTf%GfF<>bx&>3gey
zgt*(Z>ICwL(y>{}VrMuxqTdblm}DS?m=QDL&X)jy_JOBN62p|#>6T?O1bwhdnUNiS
zidVDP%X+4CNFNr=#jHdBwNNW{8FvVn>hf-KcR()zUS}7nbkk&IL7zRm8LB@%%_1{Z
zn07v4Nl_fMh>gq-ve&Q#Hdv?O-A(7@xaW#SMU|8REEhbSPme1WpY;PrZz4~%RqzUc
z_unVLjPz-F5<iCrW;^{^PO}ZKb0Yrhxs$2MQ!&rf<5Q)pEH3?fpGN@@C8K}*2aXd}
zDGGI4-6*UAX<TT5QZpests+dCZQhXKBHKcQ6FU+wNnt72mjxF^sTdyiy*sYD(3KRl
zIOp^51<U^6hMg#H1aN;vvaFmWnqsIJYu;#pHyZDR;*q@}aVBT)E?na`6UrR&fiwAj
zse+^vh_7Vj^vYU8EC_}{oX`Hme;kthKU<T;jdX4WaAFTmgwrld(R&bV&WGYBn|XgJ
z3{78Q>hlkzf7oG(+@wU9d46*fEu!P6RBj93M<7k{iCp#SHOT}=h=a(zi9hU?J>%d6
zl={x+Jrzy0Qrevbp@!D35Keb=!NnQhLeT#{6q>k28Ieyw_R15CX1$WL_^3P2YT7zG
z^gat>f^@o^gN?=3*p|jjZ1`<Dk(e`wus`OCA}=gJ(TL4XVmCJ{fygKfhB5v*Kpo|f
z#@?e|vN@O(uq*I3i|M^KA%A&oK=b$uP>*7fA>FkB^UVQ3-Z^lo`@o<vv-sc<JQqG+
zYh6%#X3DCI&nuR~JZq~Sf=enk6MX++g=Rpgbf$S<OkPt8ZHzp`6Wub%sr;b&P~z>9
z(S}nRZn^Q(`VW~0q>cOg^W7Vu_pdjZfv9!o=itLiaifL2zn-I}dO(I&X}#?Mz`18q
z4KAmaZDeLidAAE8z2Z8g(W@dUS|p;2DQXy%7VL&>%G19SU69AUD@+Lj<(Nq#QdD##
zs38j<j)`99s(_dMvP4&(vE?JBafw2uEF2j*PVt8dA+EUHrE+g{Lm^-7y|fs<IGg3K
zQi7W2s<u6HTb^M)50<gb$aSwvz@IfcriBR6)}R&9VlQet9`)oqj0;Ov879eJ-5^gH
zDYfnr7L>UqTRCNET66&wkL={f-uXURbCS*=HaTB&!{Jma4h@2)fSwv4dF3i!v%s6)
zN0sVuDkG6yt&jq-l>fN4fFbAH+d3*viZv%m%qmSF#Lf7qr<$ZTtSFKXH`#B_!fnRr
zO-B;0q@AGWPz3ESw2Vwj#DBfEoUB~`f#D$i9~cf_dIB9d13+)?+kbMX>wH;Bf9&rf
zMB$@EELtg+%YtCyuIrB8Ko0&vu|+NJU?|b?E%{#-^>4rhd4<)@ZzSmP(&0Hf&Q@Ns
zFWWgT!>}^ck{@SE6+c(M$Y9Xok87dDJc&B@11jtqb|&c~B5OoRttm_NNZH2DcqFOi
zwEMFawFamGBS3i8LDmFCcr7#~y6fO5vXMgkpp=5!=`Y@yVyR?Q>P2G-G(Ws$Cyl7K
z3pF_MkmL*_o^(YGvwZe*vdsL%$jX&<QZ<hhpl966Q5S8)Fy&~LR?QXZP0?Mn!VA!W
zD2)mg{Ljg{9!4cq9f5kTu^7Kb;@H#r;fSO>Nb5`iKNq>*O_wSlK*zEes+n%Mn0!L<
zE-SY>(O1$%6KQMR(_a)~2zC@cvL&Y`6fQ&k!^4$u1bB(_&(6wP(B?lDysJ{8HIH(|
z!pfB)T81k%3|Q%Xxe}4rYs?GQcu8>+Pj&mJQ?p<S;UOA3pyA4W$l=v@mCB3CfD8$e
z9;3B@QDvQ=?l{8AX$ksMgs`F5RZP+YU^Mk`78Lxj8IXVFi?K%?nYu?^;%OdvAKMTV
zfoy%oS>CUaj1X!pZpOpHiUiZ51;5EUHP^*RF?3DCU`-5mYYI&a^ffw4pae{mXI5K=
zyx+n#ncAQ|8ni>4b9o0C-C5o);_5y*1X%|_H0Bpv8<1a?ZmIq{zm1<eb6-4%h-9XN
z=8y_OQ+1A}^zEqkGgj;CR1jv8lC!C|oA-;|<HK?<vQ+~gcQBRD#OSaztDa;jnxaEH
z=X4BmE3xSt)VqUj+~M<z`%K-LH^(7fOSgm6In<x=VwsVAIp#k|t)vz=!^Bn>Mpa>e
z7h936^itoO{mhf;*QcTvo9pudk9d~pt^3AH0^F<gJ^im*T)bz>uMf_RSx;w5Z@><c
z*XW^_y`66F3V+@-8zFRFSO+n0Xx}3S#lmi9fsvvE*S=yF9!H&x*VG4u43GHmMX6q3
za)-{w-DT$`fnOiKaRrH6RUr9Va7Q$NS?}UkL?spz>UdiBuCkL+d`9D2K)v6x5WjE@
zc8AQJ3mYRS73vku)=4kRX58L`j^VN~a~jXpMV-&QP>-GgXbh(B6RXZ_??<ln#J!=(
z0>0(pBO^kB<n=Lu`zh6XuD&B8Vk&y{77t*ykQ9061pWVysc($VYzfwmHL-2mwmGrw
zOl&7_Y?~8Kj5oHE2`9EWvF$JCocpbNf9xN<S68j(uHDsD&qKP2*%)g9d@MkTc>_G6
zuJy8bW#bm$+sVWRigh$7<627kw5%d$_u{jyTg5;&G-y8oqc#|36)V#3QWog_fra<a
z?lazP9y8vW8x`>8bWbwd)xAV4I|dj(zlbGyMckQ}L1cjWD5!%k)Zq({xR4(fEQHmE
zn(l&nZnfb%`b$h5dA^Sf^OggSZ2&>uV}Jp}@1dJNGcIaxz!#wE9dvu#?X0%|oBklK
zBQLL6G$GKWk9^gyhu2UqZa|X=7z#MQ4;JWY)w(~u-_XCM$-fSumaZGC5Z1GUmBr5)
zn(=eo>O2CRFomBI@-*XO2{HaXG&SrvI@DYL?r`!2wOjIHe1knWLdndo1Q7Rxt0#j+
zK!ji>F&2ZkP-bXXo%7?%L4e|T9ZD|!^n7{WGT;~Bd7tIaAu4+-K3m`g>YLb>SglcK
zw?CV95{E<W1HJpb!tF(Ks!@6Eq}3iTn~6@dmrlDc@+goIn*EpZR(E|@1*Q|ah>P-s
zrrl>$#X<}t*MO}$TBOzx0G~$lsB<IpJv$==Nn1T4mU>26zNf_r=<7DaxPT4Qy~$yb
ztCslS?F#_@VEN(UmeqZ@rjAmfey>lxLTjNFbOd+i3?#C_YWCi3%i)q~4_LNWtIqh$
zNp++w&|9>qJlX&u@i=A9fa&Ka%qom&7eb3H{WM9A6PCb?FuXGjpgG9Nwqza(6C$G=
z<Ft-v9V$-CkiL33B*rFJYY-DL)(9Gxx|~3M_K1zK?}#f_OHZE0k#2bfnBH~)>auL6
zikETs^d^wkhbnGZkkqhw?Z;Tcmp-HTbotIxGq|Rp@U*EAJKkJA#1ES+Noh^z%4Gem
z9{xf}*kT3B&qr1Rur){y<;TXI5v-pVf7>F2RO#_>@9L%w=kAd-@@u|Xe4GEpHtKdD
zEye{wU8?)-lK>qVrVEYO|HWT+lUIpN^o{x*cK49YN?I*0BAV~mr>sQ{S#fY?E|1th
zCR#@H0xLX3?6bFx)^RBjA?_3UV&Q{y2RW`S`eQ>X*>8IaAeeOqIy}+(KB&Q5LGlk9
zEe*w?Bs1o6dpCCOLg^YOGghTQ8^T#ryUs?hlj!Rv&ts5CE<aZok8QR)9(R$O%HGcq
zh;}r*NAd`%Sau7m-UDWKC~%1NlVm@<Wh^}11|DRs^v3obl`bXDz_x7%t93LeK-zjM
z75wi+-@TszAW&iUtI(f?cRDEd27kW#Eo{7C=38wocC41@-_t3GSR<t-6~ZHm8?1JB
zO`Vb+qmQgK38}{tb5;R%dw@{65P>>Ldwf=8T`H^J0pX3w$$cW^LvlC%5n9R?zXHX1
zhW{tov~O#ByEfx*B&kXoVk8f-gAm{Q&HM>^mv=&edD$3AI2h@Cq0NGPp@kj(Jp3%e
z(~F~N0H}CELb|c$7ZoiB%fH~)UzD`W>2)QLGyuIXX9FkdKh6eYq}fF{QsJQZ_1(yG
z=Uv<Shj{~AO}IkhNIvxPD;CrDSIB8%3P*NR7MN7oV<T{g>DY_kOR>W+j=4>HybcZq
z8ygc_A$4d)+{A${EzVW}LCY@vTE!&p7hj1>qZ?t0mLcuQnhIGA<Ar5A4dtG&Z4Bdh
zfHZ}k^>=OnTHAN>Wyqgqhv5(s{?xpxIm~eoBG?Ll6O2%03bU6yxO%pXX2#sEL?A>?
zl&MxWeP4EY<&+<b_DF@|a-<fVPnFI{cOgmhc!(T6T=uM+^w3o^Q%BcKCkf&7w_s@`
z>zHuHO`^cXftSeWQgy1%miP3fF3+!p0Lp$l=w9sc#pbsrbNP>IjLGAj49x%&)KA!c
z+OUJwzzOKsiVP6=H&eA|K~fQTt*3C@=fgJcJd427?-dp;bYrVl^ks+b+cXQsf7NsU
zo`RyACqL>=8T>W8U!_wv%pa9EM-a=}UP8Xn+ec+343YmxL$1ek2MOUv^5SLe0w`9#
z@FQbX-mVG|tg?l{4Ub^V*f$oiKI<Z;HUYuIqLBBM1vF;sdj#&;%<rcd-NM_}AOyC$
z%jayReJHf+cSheG_|n!JIEaLOsUjRG&TC6$LanjKx?{<>M3?V}2NFlOP^A|85qnX7
zkDy@yF?SAMe7klIIed-Gb=ViY0I@_X-7m?nwMncSx#ep8H@CQqPi^oGF-%i7**{mf
z_*5@lJH{u`8yMXWIr%Y+k-ay=je}Z=u<wJp#g~yJZx;yxd=5=m?g1_BCb1V@>2WV^
z%4VZszn-T@rg|1TC$u@4k9ro(JnVWlHjfTV#=d_CHzi?#LyqgePO!RZ0f-ki0T0Po
zB24zfKkiBE+WyRbLDJKQp`)P2hD#*(P+(Sv5(Eq}i=xj}4(y&Y$Z@_EBExUT7_-A<
zy)lqjF`R+GK#>%(cM8HRKELd`u&S4$7a30*IlzkODnk=16|=|HAO>E}<)jWh9y}Bx
z-|gI)v%`Ohiu@yr{sKUUH1Kt!e$!$%?;r2#-3bOLlY2Y*v*DsDe56S?eoYjr0MS=o
z4S1pfdIUrqr6hRa*MLTR4JZgH3KZ#6MIyEVdL$#hLQI(WS8Gx2Lj4FmGV+<Hsb2Gb
z5_Qrldc5yEJO9m79}H4G?;K`zi|@%TKMy6?zGIY3^tlcOtg<Vf7JL|-S7te+gKxa&
z9vv4IhJ2<IMR6&(&-f9?8chk{K7B2k?FP&T->aEriNs4ojHk`&tc`ll2`0E+<mUAv
z(CK{#SYaDuXb|QYW%QX!u<ahNcdeAi@n|sSfQ<($5cX$XuxXuTP!M?W#J4{O_aIl-
zyK_wHcxN*Jpe3*+<Y#pmc!HFeGP*v-%|}w(Qn>!T)fL;b?(Wn-LU&^O?bqs{S4^2c
z0?P*RP{Lmw1^Jp55Md_ai!GD$7ORT)!l#$;>qodFA#|)Eg23d^8Ar>TmciVwCG03g
z?QH6+-isD^S-3pl2xP{6`0CDb!`IM00OJ8bsTx?H_;iS$L<52STD_;&E#N=9fZzd#
z-Z0^t>Y$hXB2)3(^v3LGnQshrTv@<XY!X`sDYmfDty%2F{-2i-{vjv@-Yc(xxpyM+
z1L<{MyJ72@OA@Z-owN~#PpVr=N6^4@e7nZ4=`0fXM_ldPMzSHaZ*vyCxe&1zAP}2)
zcuds&aWkhB5IK(k{9|`*@N)Lc$Iv#=>2<uZLqYla7=E~>^QT^^?mH-AS$&l)-W5$r
zvRiT;>zY_1?KAD?o{Z`(MGB+q`HY1B^D}2PTXVqMIiK{LuX=q2V|KB<>__c!OskoS
z(*~IicqCK(t6j;#=-M6vaHney@Yg?SlPTNw#9PykD~~9VYRJ7i1Jz@8EF{V~s%X@^
z=0f$`3C{2SLS9E4g~NvD&#0k>aWLwPo=D)JhP0`<UElPr()`DT@Y$zm$ZG*y2dTzJ
zT26W8{z)AeR3tvg2u0QI)!#sttRSK5L@WrYS}N*2I?+s@91~*(0Zcbgz;V{;YHGzs
ziT0T6hF~>U!Wz1&C}fvNrZkHi)mZ?l{-_T2uT+^d43h#-@g|YZU8!7jI)#Puz6$oh
zGs`84OvbQeR_5@l{$L({uY+*Ob2Q`^!B4%dS<N3DhU&LyX*o@eP+;T}79rjnsI^-p
zA|#Ydk5n>>_YvSoL(4XifP1az?(HOt&=NL9BUQfAs_Bof82>8OA1%-au1al;a13-$
zWXW8FbkvDqscP_oP1@?sq1?XKelk7yN+d4cA`BDcdFRCQjhbCsG)}+^)ZhtO48#70
z`Gu-K=q5n95&P&G_h;e-Q?LFeepH>*zpcg``&m&f68-D#ymFTmfHF4)#`dphz4t_y
zgV||^>K^LRv!_ynt~xkBmQPo)Cfa%mCS4~uX%BOf^N$2Zw<U~`#OwBv`?BLQiattC
zTK2O*yEggL#st)|^zU~V*KlriGW6T4r*T(GvPT{){g<}n^{h`x3E$K3`8!8l@t8A5
zm^Xka-~y%x?#<Tq0NV$}4SD^;ED`RTcz*%tMmUNfzYVxLx@Q&>aad}@zx=_M>dLqT
zY|qgXUS$+p9H^v;TwbLI@=c@^SS&u{w-oRuLZWng!)lcnEvQ2xinm&sq%_Vrl8fy$
z*x&b8Z%WK&Ka^k$Qm*t7;EA~OmO4|LGaU{DknXG5(P)Cn0pSV1-O7z&`k)hPS1CFx
zwA%8Z)a1$7wn~#VeXQoym@)9#3l%wnBIdbdhW3Sp&B{Qe!`Py)DkwcO=Pqi<YQ~PJ
zi>cxYe?)4jV(A(adPVvmN&H~c<68KGLk?|ss9r4-+9q30$-m#An{Hd~Gsh`_**l-q
zuLc$($8t+=2ylctAtYU^qhw|Pb>W%xs*ut?CdPt7niZB<#Ql?zcYrRZy#C>R&PMW1
zggRx#1!%D)d2!PiUDKXKm!JCaegTZ&3+Z0pK+-`AO%jt*`1!HPk26MYs_xdFy{)?u
zk<hAu^j=))5SxB%$r@v>u#jH1ETgM_{$y3j;Q6>b2e?7fKFH0v6>ltyKf7VS3pZ&Z
zaPQNjownmT@Ji&ztMF`2Dy81a&1xB{=Z9&R0W9o~8gCnOT4C@%$*MQh+q(<wT~}*K
zElI50{@zq`#vSh;Vb(u-7O9CzxKu`~sa3;X!%AujXQ|psapRX4M%IQW7$Md2jo@gN
z64f?50bo{*3wIP-?MK5^NEhm-5hxnf>&bU@RGddHv^#=}NTe~YUf>MI>fNH<3bHR_
zA)wpE73yfJi{|PX{hFpaX7AfbdX@=L!yOC2Ye(kcUsCPXqE)#jF^!Wyuo_dNhQe7X
z9}IiD>9Br(lSH!M&Zq9*Fu4m~`t<vP8Z|To0G>R-R0Fl7ev7O%>Yoxu=gU*P+Cpwd
z9k*hB?(>uNED%#0XDo_li|!ZGyufMlgQ~f{5TXZZ*-%p%NsyvPoR=9-xbsn=(6oG+
z-fZ@RDcrZeP|7{&3oU8eveJj@y6#i=D3oVg7BUs?fYP@aG4?YJ=f7cR^EM9M%Sr=2
zaI9iPKCePQgcch9y9@glY#9xVjU}CB8jKb&gl7}K*L?l@0q1uFjmJG#NPXf21Gn$i
z_X{D491nd+AKA)$RYNfiU%=ks^^|Xb#9W5%az%OFA5{V|{C3xhTdZwz(kb`yqPx9E
zw+Ggg%ED<Ia`JsK5%inMPRLg<;>Ef{jz{!smrf1;F=MxNgRg3;xmc}THLW#4QlSFi
z=Aia*t9DDg1`V`bn3z}SPHR6LnDKki3m&cCs;&h3ku=Bk@%(+`(gQzVFFa2=pj?#q
zc;{lHwx%Jl?vfz=*=e8OdL)>vZJZxPn9sw%`}KN~!?w-uf%F1Ii+T?fkkqhDRmeXn
z`u7L#nfT#GR7Xw6lcWH>fRSs<{)Gu39fOaQuRyBkBuwXr3f-<hvHX&@mmpeTap*_e
z-G;>CS%XPi(4<7LGls}?I^BcjiPoaFs)nMRrw?RqokQR+19jCPwib0~B{@Y#!o>di
z7hz^?g{gX-8>>3qF$op3Pi4HU6!zfz0%gJ<<V&rBjBR>l>-n@1b<3wLlx8CUQK4q*
z>b1SPs;njwI{}g?ZVQ9K^N?^V(Qby@*a~Z%&h_tAjW@<Ln%s1VaLJMhKeTPB7Ox<p
zJ17hkh?6JMe?pGHA%6vB?*!ICVA9fXqD63H$Dm_Et<;nrMQWo<U`8=$c2i**{w3C8
zijsb57qLK3#95f1Xh^06Qt34Uh9n)h*xZ7sNkqi`3QMfuw6NXT6W?HIoMmIjs-D)p
z9kHvizRYHC@z~g6!a5C_VQ(0ndS#G2MjcL}v0O<07&SXBLX2!O<x0Vj4FIepKW_wL
zuEB^daN2YS<!MV@6)l4Ejr`My@~pCc<NTO{=BQjLDlch(MbozRk5e!pXu7wXeev-p
z)v&*C5Z=?TMZK$KifZG%%4UCWYN46&HBy^0b)kh=UTm#uE!!WT`MUAI&+^piB9&2#
zcP;Z+P+=}$HP!s-sC0CtgDZV-C=MsUhuC{rpp%$K$VL=CRY(AF8FyuHtPl!J>kN|V
z+n$`OSKls(91&{cff6IYdO@jH1K+jyU`H4VGS^Fk+M2>l`5Y9!h;n4Oi`L4~G`HHV
z5tK(~g=e)FMrCRavG&g&T<yfa=fCa030|qA3ZizWu359y(e<K2UOwFJ3CcZ&JZM=E
z{8EtdQ#9Abi9&d_zzg&MaEO3}I|!qDENdRHgVq36J1EZ4g&r~i;{ye^WR-t=eOzqu
ztRG>g38-2YO39OAq9=nih)Q4rnX2#}VP=j5^MR?nI{U2!KYyDA@WTH<GH)ndWGO$r
z*KnAjheo1qUGjs1EnG?0`4w@pY-X<9Qx9IUW<{hEpXvT{x<W14%);mJR}=OC_e{PW
z&G;W16%L%4#H3nxfJU7es+l12MICKo%U1}#Q3$~Xxq@!|TT*NURAsBX+o^No<9FTt
zlL_B(yf&D<-0A3nw1HudqG@U1^gRJi8@wnLd@RuLCctamgWs{TPL;-TEj|=#xx^=r
z33)IEx=ud;*(Ky>bY6cgia*}4e!VD>Cdel32U^4eOl7VZAU02a8)j1zy5673J_UK|
z<sth%J<!KD4ieu21aVGWip;QGD?9G6p&j}121i{tra+TvuXebbK*rB_@-M3e*K?}p
z`1n;)_VXX^_S3W{#}!mn6>Z?H)%BVWq~|A{0FT`}R5!Xn@+}FwQ-|k6*J%eP?TJVz
z{G?W{T+e(Upci^;uVrl${Ep4zQBQ?wd7UKT51Cfd=^h1vH&a9rBXVOrRVbdUcLboM
z>=4yw(@r*B1|^$3!1p|A$-vRQ@@T^|@vW57g)8V-i0f&H=z03v9mTdP9R9kzq1YSS
zJxBWT?F%YP@{F+ljKab%He!IV{x)eSa*OH`@~6BT;19(^XM1M^B%#nTo%f$lq8DB~
z^pwzcjfQng(mRLJ6_St4tX#P>uRk{lkbz4}Ral#94TgubG>nV3KAjr1HAaHzEpw+|
zs=6k>G#PAw43gMdT-BHTi9fz_qFaf*no8dAHDMA;eRfPi@=Kolq@gL9gnm2FH=X;H
z$Mp=bMeTCr*+VZ-4F9}O#T$yJ#_r0j4}Y?xeYF_GH4Z@++LXus>PIL`_A(v45ITK5
z&KltDTnF!)DCI#8`)uanN_!y^i4C$Z<-i-%t;Mg=I+Y4|)iKI@A6ZtaJDrvv6(`<n
zS+=(6$phjh`?-~A5QKZ3<F10^Ofg6CdRG7oeN?X$-|yr7#bk<Ve#Xg*&dTJ__nIf?
zaEuv!CHPi(!~TI7FT*)G^|5NwD1v)6_?Rj;D(O%Plxh%+f5S8s+?D1L_H5hWd>yXc
z<@QS8xur9AD;3sg^$eDyFycUZ+%oC1?9qC;r<1=SF1#jLCwl|44Y)=p<-eba%eDbb
zH5X&jOCKL=Tx}K_rNDF*XFD&npd9^a3GP)ox5|oWsk`X752`}(@J{jvYSv6};HB8x
zsKKU$MBGkmSnf+YgzGu}fXvj+_}8@<u7wr|cC}6tGgOnz4sQD}pIS=zsr@KAL$B66
zaiG<gRmP)dlw>KNXJ+eriQoFT`lba)V!B%|md5D9khQb6K8X?HCz??D*(lMz)FkA&
zcA^g(Yt}HzTwVQ5m^+p=&8oDUhTiniXX&1{3&F9TMh$JVO36Z|D;Fg^*Ns&RArdM!
zmYs)Fhb9X&IED41EAC@)@S2~Clba;Ioj-%$SED#pRM|RA-lUrjbo)DlU1AYHg^qYS
zY-9><z|%495N<E4fo;L$Vt4}Ux?GR{Du#|k^l8w$M3TzzA^%gynE^7N8)l>sn7HpI
zQ!OS+L2#>K&#I=Lbp!_Q#tD@&A7r&!0R}rGr{Anz0Z*-^+N?}<6}d~{TiQ9@)4v9X
zlc$n5s}8@BmXKK2m#@iGykrW{B^cLPXuU@0Smn%Drs<OL*$?FR8}(#%{@F^yDHDn(
z58qPb=)*eD@_U}ujRco3LDsK9%<;+d2UG2ithYuxd82A*Mbhux<!nhE6Q@;oOX!>U
z{<LTxAU<d1eYy0UlFJ|;VnTYpSLm+*y;Kp-I-;`m?i&GzYjEOC!OUHNpNBTd*)f4P
zmo{V^jiIwX{5%#m9JssMLpKPo?HO*m2MYf3cUmy`(e0}b&?ih`*o>$Cbpme6*qRYh
zw6;H~jHtg!Mh>5He%FvkR$8OVspWJj1mDX0-DQdawFg|(+r_uSMxx~6Z3%PaJ@MCT
zR1PHsLn?OuknW*;cqLu~zV>E(jL5URj*yq}FUHzKtRmagi`$X{{oQj!PqH^Q4z90_
z$BqRhzslB6u~KCdf~efH-NGjwcQu9nVrx>1>`kn_9i|EU9-4F-EbvQD3xA0Cvb~`a
zdPhL~tz~Zi>&u`pN%;V$Ae#s2e`oo_dDo&ZuTo0Lg!JwsT?PgaFGfuu!4y9I_)thB
z!9QQJ9lUB68yMYvs5#3vKzxxeX4Xy{vE*2{&=J7hjbkO!Y_5y#>N?{>8iq*vSI+;!
zwqOdwrZWXds0YI@sGtuH8SHA#&TY$0S6*9iZ7lCwyK)tB)H=-R3wDn3-IG!!=whx~
z*mI@KP6w0QMv4INhj8k3S(XJqY_6x`JVJz7+AE@$P}?a=WI-dcO^IT{NqyP$Bmz5n
zysCV_x`B`Y;rllq&ff!}6Xq9Ajv4b!6|Na}gODdMq@7b^h0DF`Ok^-fS7kHC^X1ql
zBzz-hqpaI02SJI9Wy9b3W*T^ytOT-r_P9Uv7xzcO?*Z?Cht$kQ&D6k!mwxl(`~2;@
zc9v5+1nI!^E5X8mF{CiucuGh3O;uj?7@R(zwX7Oh3M$G8-uHcsPWyX1SNzhLXRVyH
zZ#z&A_H3NT?!O#KBo$Sc(O-m7C4a-$<)M;;$igNW)j`_{Dks|~pRC|bTvw@L7lT71
zQr#Vy4{pZ-mIru#6@Yquvj3bX;N&o4!M3ppjz$kdj!-YPbv#K9y%_I1t2JmgeG%P$
zy13QVTWeT)6zIA93fb^h;yg9>Ck7s4;J@|nlhwsi0qdt3zp)gM>Ds=QGm2|acsm&5
zmCia^q{$x5V6I$N<5Xlvg+RY6W`s=Boy+;ns1`APFK1fYhP*ycJ_vVw0S6yU1f(OW
zV&3Jq7iDou%Ll(Fo^H5~WBgQaURyELNm@4xvYoV$6`BXTIavZ9RQ+stx{`5u7rNma
z2Y{;JGt>Te#Q4e$4uL@Xhr~E}hK~ktprPQf#th%}s(A$zgQJI|ICY_hs?u63XmRWQ
zCBPlG=joU;NwmC`hfbrLJegZZUz#gD8Xun`Er4AB60&wg8)?Bc7C<7&3OfoHLOwf~
zAJY^iS|9REu6>B5O6lmlkiJmAV$auew$^#QNm>2c*zPHRVZntfqRWfJ$6Euyp3z$|
z<D(p#hN2e8^b*T-7nyNG^@}c(AelC#Sf17rZjSsL4<q+_j+o$BwDXGC1}c&W)Y9n*
zVwyRG8K_IZ-qEwP&tn@FCxITKVUgvrXkjWNk8w5{v;tQ^tQ4uJgEf&&$npbIlqYym
z`*7q4e|xpTPTt{3ClAX6D4hY~fHb{)kH%H-w=TUK_|lR}ZT&ov$}h&A4L0x0-zG{?
zom5gbxVKfeYNS*(j!p0%=I+Dep`~@7JH~;xtQIPz*>BjN{=6{`FYR=OVV$Tm2X;$@
zn1Jc@fnjvYq#r@oG-yIb&=}&l64Xf5{zmfnxsJ4F2kyGHMEa_jLk0l(X14@952Z`<
zA9xSl_E-*G>E3gK2ing8Bdk3J>_2j=yBvI!7bSXE@O^r00dUK##X6-V>e`m-Jris1
z{v#bHmDa7aORl>}Ps1A0#xQd)z9(dDlq`ICFZkDaC4!|`d<K5S`Qo#mN`8!nSjkSm
z&Px2yZ(1Z`{0Q_CGV)MF$_!#yT8c+L|32<QkAyyL{<liF{(-haYssjFynzPe{x1(b
z?+arY;)}rNYyF_NIJQG_fP(R`q>C_sp|`~JL(0K`b1-xN2U5cIzaS+X|3mIG^nW0)
zZWC789J$#-QF>*zIfcJrJHa(_ylqEsm$@|tHi9MfT#{h$)px{6sZ4{VNjOa*^6-;~
zcaZRKPC`@+c}9_{p~10_@`xph6DP}ZqK`Pn6iSD=1d?Xrt0gM@B@N;l8kUjX%*NGX
zU+^3zM1|Y~9~~0}^rzL5qL6<lrPxbes)VO0XT+QO?sgR?lhbGSQ!X@eJ7(&{=qjPU
z3d^VnVxdpc`0Kf^2#(ECgI>x})ejTj_30JTH0J|FCi-S8j{PX%ilPexCc`2;Rx!|X
zq#pi@v=T8cS(U(6369h}(gw4<3LI2sof?OeoSZ(IG6(@MiTYzbE4Tt^VF6n_SmKF5
zF0Y30%^ZzjIiFZ`HX2eT6|XESf_XsHIU(u@BvPa~X<KV>j8p>6REa=Dg%kNhdQ8&f
z>j{c2wm`Ej!-DOLDd$}_S~gno1zSnv2*&1gRwA(7uVNgKysj7+Q|FO5Ng#uTfg#g8
zpzYn~&;`_otD)NN2joiXYd=<TODh+_%SO~gXo-#(5Nl;nJj0+Xxz}&VC$OuHVAEO`
z_KN>vCt;2UONge(*cT@0GjNtrpCKm_KOiwvFJKQ^GXF;Y#{~jcJAYi1s*Vi!4K*Yx
zi8ygxsg99u7(=sR-&pja&+8046S6enju57bIuoF7Txo4VBK%Z_*j!<O`B7KI%)_1G
zdMOC_N*Q+)ybPD|sBg!<dt_>O-b%hO?`h3q{7w+Hnd>Ix;n1#G`n6BmTjs|5a!Sm!
zHO5CJ#RDrD93#K2DPfn1xi}iNqs_g~_nay`uD&_00G@zZQ(;q6Saaq*I(pyJrzWDY
z(7t|)FA=$$Kwpbhs>C|`s{T-uxYFy&;ka2v@>#yGYv2*NnN6_rMqML;i-hDBu?whU
zL-Ek)DjuKNGqtB)Tx|;@xQ1JI@E!a6yh;iRbrOZej}vuVcsJvp-P?Nhv;$$ZA8jqC
zd`;*eT~2WYIpt#9oe+NNKWM7@)U|&RD+Atlz31wd{-O);_olX#yuQZ^{c)M%EZj<m
z=baw>TbZ5RAT@K9oH&n@qmG5wmsk}ZO35rcE~{$~Hk?)E+T*ib<S%FiMo>VMaxWld
zWq7Y4zWt7clNuG(*%k0qy7tYAxQbQdJPzyqU=*D{^Wy0~@pw}~2;uLU;L`Bn(i}kM
z5$<>Ctuf8J{t`x5Ps()rVdcfr@xs}g`RAyW3i%3@jtA)Jub{KNTS&}A`ZAkN%30Kh
z`!|f1yLpry+u@XC))a6g0Sxo-=7E((;;!nN+~s!cu<Tnm0=+5=F3sp}BKGGCf48ZQ
zo|ou@hOW~kOS1}~7Q-<<_>}33gC1Z}t@BTw+q>t!(Uau6ZDC$j9t-n>fB~wh5h-5l
zLM-<Az>OC=UQlc~Mohjqx+dN-4;{1_8g@}31^%<0kt1oa6&^MuF`F_T_EtHkbAQO7
zodSYn%l=}hSR)U+bHCv7L~IUFjLup?NuH%yiHs^^)|MtV$0(`sW_bqcw=qClS1eq4
zjdy7TRuXWkqmMY+zB&T?GrcPQtCDY%r?54+>JZNf9#26KVHz%1M4j$o3n!3l4fh}d
zltT#qR<-o`9qsMHYU_F4An)Z-(XRM`v($Z;!{4Q&C0Jr@uqo32W)K^EfPx>hIq-VI
zw95fXO0I~&4IV!4N25$!ARxJ+oC6nRb-tY$3ZKv}$<$~9lYf<bxHm2l7@J5|Ecfp_
z$0Rw^46*7(tSvZ3>@3_37)U7-D>t$|X)}8Wwz$FYDF{Br3&Ya;i;;0%23n6EIRAxr
zZ?HqaBgA)~M~J_6B_j%V`k7Sto^=E<Wi5f3MF>32LBXj@oE?CN^IWe{vM%1s#Y(O`
zAn<aSsH)k21BL%3t8-Q?RfCmeTh4&UD>t+IxtYu}o72#P8q}*YncTr8X}=CL?lPlW
zF85->#fgkRz3Y@|$?n7f?cJ5!Mwh$?iQA-M9VQOD=Z9+{A-F2=2JZgT98mn4_TJ&J
zV|P+^b+iX%_hsq*{e~M|_$!Dar8f8o7wl9KvX7`LjSa8%7MQ^vVjzh8*0|vqIbS8|
zpC-#O<gpRB3<KW4$Dy>_|1n5t>63?$h{-u%FfHd}kOfd+tjzziSQpJe>cWDtvL`2g
zWpksgLDoQkvi%2-vakjD3=Ph~^FJ1e^M5T8Crf%k)7Ra9m*$%Nnl$Pc2;;ozO#<cX
zrT{aPW0K5bFT4dZRqqAV@1QgtPUFn^1U3B6_Z({(!fJ+5`TFH>>Y>H*IX6BD?G@y5
z@`JG?Gny5pV%gy^N^=anFts~dty#)E?pcyNPgdSM2v)&7@p@T>lw=C+VJelR<e0wj
zhG+3)rrSsWiNj4K1(B19X>tCoOmRf5u_uHDw>X6iZ8@bR9yVt}ifr;cep#~TJS8){
z<!|w3dKsHcah{|cQu=8g)0Lp`=x6$*JKj7Rtpf3<5!o>OYDsgGZ9Ye)3#LR?;H*>P
zvdYM`6+caO{8fPq4G)Ul4G!2GOCAYxfD`zk8CVCvn~{A09(mD4TBoKmh%IGk{EeaJ
zF${d?scRh5*KY!|1}15P9wsQUwSSkzEN4h6Vq*9{A~U`yw#_WZ(sf1DlcoMZRupqZ
z1;~o1)_%9n6Rw;<@rYwSt>Tm@l22iHtQV4+eMwQp&+j-V>qNiVTaO<N9Syf~Q+&;#
zYcvDMq#y<(0J{)QZA_d960}Oz#qBjAZQ&sXv#E#HTD%`nJLMl+H$F$tGwy91M~e;m
zk^UN<WQEm6fI=@g#X7sRY5o;YOY9Qwf6`0O-^$B8DTc+%Z4dX2%%sAYBq(DIT;gb?
z&5OD(WmeIsV2wgC5qdcVKX5o98+GR|B_2G0TQ?zff<6Hh^^o#*ou(#XI9yo|Jl+|1
zh~o;|t*9v{Cr3WY!;Wow6c*!>e;&dO5D;ndyBd~YG&VL%SYnOIG4s#El#pVSP`kVL
zPpB99AtHw@<!cr{f+Lfl+NY%W$MF!Rib{5x&F%hqc!6;tG{q>SatF-~_IsPJyUZ=X
zY*mdxi{Y_LBsgAmFESdXdWdJ>YXu@X{{!P57gpD=DKEYQ<j?0?z#QE%L`gyrQej9=
z)`E$X6S7_Iw!06N#9$#dbTbUXsWCeC01Y~n5qT?mGyXVzFmuLfq7joPPYf6y1Ej-E
z;<n1wZye|}WgxLsV1d~Vaekr^Ss@-^yegKOg>0`^HhPvHxA;)Jku2vDGnzIpB6Q1i
zi!5!o@rO==zd;WRPnA@QWpA<PhI_-j`Rq;Mla!N2XCF9cKjbir1e6LS$*oT{df-<5
zci5@um~cvn?McmaaPDZs)4wI$0z9K!=%sT7_Sw6gPj@>ppIxnlVdkHz%Egj^^#!i`
zBsNq#5A`e6Ye9vz520IL1`8&XBl~!>b#=b|P&Xf~^Nu6Sg>GnDf{&$#wN-#)_%4OR
zI#OJy7cZvl`xWBQ_%5FN5#!5B#RWLgdVx=`XM8mBnI{l_=aWgZI`2VZoG7i5F@D62
zjAKk^t=1rusQF~UoJMwjLyHMecwlHKi5*|j2Ew7c{oN&ZvfOja-xk)~f2NdPA0^aV
zCcd$3p~cDx>-}v04D@ngSA_YY8Hucql6yxC8+uWL$W!4mC>LY4pkD*_V@DtgM`&BZ
zvl$o90&09V)-(;pIA#I~@WuP{DMjb-Hud|Hu)}--LG*8=kCWu(9P>Qj55_%s+}zm#
z+S6UT4r2M5caA}GWuQUr$xxNe+77e7z#P-$<txdCO8ST1f_}TXg3$d6t%#k&bG5a_
z!nFHiV^s;)GK^F%r{;V2{-L$gpe0_8fsbu6QDU674?i*Nv%JHiIp3N2l7YkO+M2p5
z(qq|xMP%3dR=NVMrR5!<T#-P(`b3*o{*n-y!!Fy)ujz!gW^gB|%`SJ#)o!aNtGQ*|
zJJHX|Y7O$})NiwLoFFJ1rN8i^^#tjsYvfC*#RL5S<%(gqKUeT34Tw6zuTnLSdq=;j
zzKN#@*X-4wy%+7)ZSos+v-b707RTQ<G!UQ?OFuG(DWh@GMEw>4<2z}u=i=w=S*tuv
z0~~)t`BpezC7R7))>a%;!q-0tf2zl8Ar0d+o3~Zlqaxhb3x#c{?WhK0QHjq^XjytJ
zl@~<)T?Q!in_uW`s3sFfbe~+rqn!AKES(c%-S*zU)x+qLd<y0<olq*f^Pd=bSj1co
ze)ud*8Y1ZP>Qu$5a{_*J&+D&U!Az%DR921;T|aRm_-9u@Zl(Rb_0}2iaq1yF@InZ>
zSE+W$lXG9Qkw52XFqXDTOH0tO?p>WT$Gt$!Vl8oYLRx9RXb6wJ#Ztwg(fZd|fpf8b
z;rwPnP$T@`gAm8R`E9A13NAU^$X$n;cXr7YO$ex9%BixnTiH=IblN^POx?`HQ@{aY
z%)s2y+N~v%jCiw&<!&weqovvoL#}#hae2^4@nUic|M39Vu^z}!(JK)ZY_I4-B_BC?
z(kn~_(i_aTU(2YW<g@!Yh(Ts4Knl`w3?g(15~(1bD0U)t2>>h*6(a$TOfaPQjf_I(
z$0v0m_gz|s2?n?}1$yZOIw)FSIQLh?VQ{|q?RXve`RH&|BNgVbboBFJmdXwT%`aFq
zIZ?P^B@kYbNs&SEBp511klK)^9o3-Z-GIp7H0IfeN)(1%2<Qdet&)9ay_wee(tXqc
zaOPDgV&D?qNdRgWY#DzhNLh5Y4s`gGS_T#P)JKIrVXu93YTA2F=7`W1P>R2_Cm`@i
zAS|vR=r#D?jS`qu2^=3y9KgYIy^->Z@x_W*jK^5mOL3XO2}r90@G9E4K$m30J$c}#
zjR=D5NB%647$Cl@2AYM)KZQV(TJT>az`w)RN)LJBs{l$i2k1tGAZ1fPgylL5!6LDz
z^Od5ul8y3Pt#N75>+U!qqWs_&jr(hlBF0Bk=YMjC&!b>l<>9q(-p`OSOYb4GXchlB
zvC9Yu_+fRV>`h<=iG!3`bd9>Zo!mca2|F`N;?gUJ!VEW02^oCCJt#vr7{Ewjv>f&$
zL0(fVQw2clAm=E{<3dhGW=MxFDp~ad!A-UnAvYipjvIGAQuGB4+sNc+m#++#rt9^n
zfo{8};#BTv$L!+a3qQQUbfxChPk?oUh4P}y31*o6_*iSx=|q&?^MI25X$^y=z-vO+
zFUs-smGxFE)!rQtU%TvvvGq(i13L|M?unOrT1tT5(DrNF#YE>H-{seO-Rba7T0Bci
zzk}`9lGgE)b@X{YC4t?UsfXN2F4s?YQ<T3YoDm2ildH6bW)#kse43bHo6b<xO&dS-
z>f-sBEFdzdTF3n!`KO$jeQ-tDiS<_b@m@8TU)$@o1J@~ap3&lP9lH?`Eo)f3ymbFI
zj->&@+N*N2FHoqj{RP+P%Z_w8(dp6Gs^tC1SsL??<$ZqIM>IYd5?@B_cb%S9yzR{S
zYLOl<pY+JvYr+hfQ;%WB+jUSbHTiAcpEsI;u=e{JaHJal&Jj+nR`}Kl&S)PsAxUHy
z^TRh93BM&sY>sfr86<9yv4LZKg`-HDZgK+Pp;kLdd!lnI>@KtuBfW&YapY%!o&Jh&
z%?(o*>}h$r=IoF7Y~fZ1uE!7_ddtn<HZU&mvt!xq(g}G6vGB(^!O5#@%pZ1NahfT6
zyN(;an=;#Yui?EoTG{48s&w-WKq&=n&=;F(`3CqH4_G?9BT=_yl>{aUt`J4L0!l3)
z;j;C@y@5NW$w6^a`HpTZkV$T;f3?5U+BWt^KCZu{<dT!j(G2C4q2bYsmj%um{VMhN
z&9k10qeMS-GJWYA%J_7ny)x%VExf?WBneY7D_5MgZidW-55b1lBVwDSm;Ec+7i(rF
z(!#hs3voBtL6jytLp`4uo2m7f?f@hpGiV+<Br7l7JlX9jMLtPZktC-bqIhj>sHJ-%
zo&C}))eV!+T?yW7^#jh=+9Pf&5Cxy@$q>m--Nt(_En&1}v(?yd6QXrgzoj`(gymZV
zo-)y2JgC=i4!;|KBPVTZuDftIx3m=s9u8{<u`v7O%NF<V4O*(lt%=ov32)2*;c$k6
z;q?uXg<7hDeMDODF-)7wV4j#ERpFw&H@NIa_}0vw;k|OPq{*5I4GNHpqZ(HV-af1h
zQ@U{EraVNHOHpQGDBJjrO-+8WIch_AkLVd*gxs_IZ#H`Gx-C+U>muxQr|?f}jrKqH
zg1KLFC&w*#EG5=EGY}gx$A!)SU3nqDGj^*Sd@(-^CT;^__Y4$a07bJ*92!_Uhu&-)
zlz2D>Sv=irWw@AGTdo+0P1!#q&dqlT#C5B+-#<w0@oY)LuOSx$*qUHK$m06(D~!O|
z+vahs_wU@6jrE4Z(`TCDvr)Wl7BNQ^H%fjhtpVURSvv+4XMjni<zpKJ2q#nVn*Iej
z?${mbCQCg&LZkLo$0j3tfR+y^mH(^<H`kYs?H}v$f0B$?IsW6w&i%(-`>*+!uv-&D
zyVeDZ0^2}8hdRO((LK{oJJte{;ijb6e!O=V*it#!u59AxpzvJ&>C7yk&g7HA8RZ|2
z-}?-5?fb+y_@SRXLXMXfqGHR9%4=Cf4C;}Ig%cU13CB(A1PUIvdJ_f8aEswdo0OQW
zA|F9zj$Akb0igLygDf>}W;H8WZ!Aql2rngRfyM01nx#xiw)b^>m;c#NFd~ac#;%>)
zOusTnkKaaLjlR!bI})Q8Bq!4*JQ*5dGQdAOoxnH(m#g7Sd()`m$dO;J1eRtF7J&lR
z2~?s>ywQM4I~c^MpkSNSI{-q|k^o4OU5iQ8ev>5B0+jUXMS~@N&0kSBZrgG!={do(
zOIZ!G2ouK`(Tl>F(wkrdGjeX(MtWr}Sd8i@wMTj>383h|vo4Z?TYCKo8p6Q;LmI5-
z%>FHHotbDbf`1BSAn2DghvWLA8aS0F7<ONzCBIDQ95BY>+a1o7WT0`fC>4E<#H1D>
z8%+`<79a+}<SI<Q4TzoUyfc_;Y;n=NJ1R@kw2ysOrTWU9z?c+@P=wt#`J2@+P%8VS
zj}ensEsX>`I;l4(I`kX8*>=j;p#_oF_*&dl+W1;oc{JW~wJvWYEHIQp6_3g2*DkYY
zF+!ivSycwoAJr9L^fs7jCF?{FYM2L0hHSAOF+gcYuMQGZP%=uc>dNE#noR$_u+m}2
zBfpaA&R+fZg-TbcVjkn>#`^j+*5`J*@d4S!{r!9o0KDw)LB;L0$`R<Drf0Fxt2a+9
ziR&HqZXp3^Ca5bxiJOa*-DBfATH(FAW;oPly2;+w#7W0^dx5qe1PS!uWn1a^>yQ)R
z9&jdvpbogquG#NWp4NG-^>2c!D{79qufUu83M4-~&i9GU4wa^G`gT%bn3hOc5Hp8@
z`xsSn9S@=zeKXlIA9~0cvwy)!(M1rzUQPBO>Wd3Gn(ikpu~F1~PQ^q*#pM7^>0y+9
zJMB(ovb53pGkn@Pvc&%&`-fZs$$b009Dtk1QoH3*4(zq0!q4Pr%=3_sHk+n`Angc_
zJrrZ_ds*0uqR#AN`|;<m(D+!xSqOnMtDBS<u|Mm^&99lS<$!#;k2WT}#w@8<?#wks
z&Rg>(spU#+!Yh*u=Qt#{vlr(!g8ms46-xs7mLH-wdFkhG+$Q=v*%p}N&Cz~CIDk^I
zW&w(LH?C6mgGz4=O|jT=KWjb!pfPwYeJ0nzx2h7!M&-mCKd)VnkSgI7wlMEGLM6Vk
z0eT@-Ism%<otZ}0)uNc77PTHvVhZBWx*ku#f#$pF0b)h_M~B`M8;0GM{enR7lzM~T
zR99GD3As?&{zG~89!xGR=~jdm1z>%J_9ixp;4LGDAn0EE{daKG8ZwiLo@(ui1<ShW
z{loDC)C66pJ(3<N-@Lbj{gPqN<}?J7=W&ci8@JZMrQb7~TC@w2NL~3uJ(FpFp6;cI
z>LnL^DMH)`qGDY9_!sp3l+gDyvikEo5T9nu-UGs?NYO!&FPI_p+FN8i96Ou+XW2o?
zQK4GX&zV^-LvkaP@C-@&di}Wj?JdMd%QvAP8C>X=gN9o~LZV#jM+2oOdFOW+^>YPi
zFdN)E4{7=Umci?l#9^jOLBCmsihC*QW~hev<LLKo%j0P36Qh(PDs$i4izg)S(a!Jb
zEH984pgjM54F8V@=ZmcAUk^^I#y>RF$iA1g%Pls6lo&M1=z)d8wSB*!^_WDm#T<LP
zrdjRK(j>%)WabP34UH-BoXx4wR5nR$IV<|rIh6JJA+zKdDYzd@G*eFiNm3aeC33U%
z8S<M}m4p~wZBf=_e3+!RU1G+berS9n$pqD`VYaOLkW4l)ZT?c!F@UpR5qY_|OG1+D
zUK(lYaB9v?NTxcd{zMi00c74N<d4yb{H3TV;Z{yx$VPP5Lt)j#27z@|Y{}yg`7vsS
z5$bOJQnMJS28;2eYhJ0wwU8eqyI#T4Byuu|#Iy2-()*HE3ttVw^x!e%tqG*qILC}Y
zuVm^?l6;m-7%B7z2c*dl!NAoAWg=*){T@R=r~U)UY&42i1^XsK121JX%5$$rpNMx0
zhoZ%fB}}fA|I8V97bQB#K~0Tb3kyU)3r2t=%g_!Oa_rj1NQ~^@IU%SEqN`O|CxMsg
zJJ}&Zu}-|vq~RVNfso1ktsg2~r&5m62Sy4k*0V?~3{<IM1Kfm^89^=!lR{nye;cE(
zFIGyBNVgKr#9#>mqsR<hQ~Fhf{)al%;+GY(9-c=5@!<ugm4xdLerQOqzBW-d**_e+
zv$DB$f+?cE1w|pHF_Z2Kddw2pG(<#<cX74k)dDb+C0W2C6Da?(3(~^A$e#VA>L#1=
zsE&}nlnop?3jvghHoOOEvv<q(NloXJPdvf2q|kp!0{@_twbpL-lzMC(ZFsf9-Ce{O
zw7gfjnIDSz(cYCyD-PkkT<t8J{{Ca@Qr~p2%1GemhlT4<$u)d^!{fV$S>xn({FB5p
z<O>Nx=v2aVt>$>V#sQx}RBXxJiM63Rdro+TFf}Pw17IKMSC?qZeuFJA6Siuz7i}Z<
zu0m$bULSdcrK?<&TKW`eaWf--m==3r4)^WFEZf|(Jkgi^2L7cbO)%7ZC%v@0B(!!N
zg3~MF+_mB7Sn`FZ;H2o*Oy*j<cU-6E(kzy4u-)Ftg=5m)W>jAI@$-zSe_BEP{mnt@
zqN%JuDIi1Z#H2QQ2JDZw;UB-Q;wBqw%^AvxSL>iAlg8$O+%w0yT#TZIuV(z7FfeUq
z=*kOEx;k!~9Inoo8H*6Wshc~`n3=4_pQ9h$*Ooh9O!eQ9I{|Z}lL9=qe+n*IQ}41k
zvEm?T#0cWBZiXr~p#g7js$MtS+J`b9faN=zfGLtH-FmJ?P4_TbQ&M0i-rCbNl7O_`
zVe^-xaAsVH!GmE=&%n3i1*r$I+yC|PQn9gLA59BNQxlt`hEMxxRpTRkE!-c1AmFg(
zGyzh}3%jWK=kR50?C|lTN2S=nF3Kr$UCmo_EW7^R`2Dr*dd~(^c%RZ*tdE>IerL!9
zz~*9CWq*CSX%7_lmhg1Cm6p~))1PmLkw@b;ZLLnP&6(hvQW&?$>cz#AE0n@ZNQsM`
zlt+OBWs8e<mVhzvmS+V;A)3<mXx$_4b!8_7iQH2rReh@K?eyB&yoLJkow%z}zs;ob
zAz=AB>J`>&B?OO%t<n6gZU=5Xg8y3!zzySU{ZG7D*sfmD;g#q6WV{-hs0TiG%3dcN
zo9;RJ>^c`WYF0<^2jTs|b_~5m+J-&dXVpIRk>fE@!OAkDyXAo#A<YP?f2^ZsEaXOB
zBXs*&=@vUu+i$r7XrE<;92+h^CG%VMQ_nP_sonQpC-=NI?H;|G1L#=*66)hSAUxb}
zQEKMsuUIM`ybyd}t^L~ekT%#Wrgr1PM*Q+m$Ih!Qo{+)^;yI<k_^Ch!13<@4XYY|D
zBBJWAqB6WodnsD~?$QTAmzYJt!srWZPae!9qO+$1PWIDa(J=Sc-#j&)m+Kb2E@*oC
zIr{k<I%ZD*Bfn1F|BtSk&hzrcX~fFGobH4Nh1o<5rHBW{!P@dwAi)RYVE^YWdP^A>
zlnECY2j_n!Vh1Qo#q>h&FK>NTH&hZX80Wvj=q;ivP$X<%oUH#<^MZ$t$4{T}14BzU
z;(>-}A)<k1L<ZyhA0?(d&`oIRB!Dj^bPCX7qF`MADM`=mhC*mbjE9a^0pt1~O{}}n
zkiuUV*#FoNs&t(DuLiSyIcG?4zDStPb+sM7E&%+OYLA8ypuRU;+7n|FPaa1SSehJ4
z5?Ylr*pNlyCXJEbp0-pVWhU9KB*pfbSQ;a5oE24cSDaK7N`JG!r-?91Ln8rVh|Abw
zIN|FmU?Y8_Hy$$?M#;gLVCm<%2n^NRPDu{I+XzOSz%m{K(T*j^;F{i%5HSPn00$yc
z;Q4~2(Im;0A&29jNZ`(}3mXUH$i~WlZdVcOY~%ipTm<6_vPubOlYnnno*8r`hw+dM
zABxN9&1ExDW}f7!n=q0>rDIU~8?{Uf#Wl#XKgr;PiWMEi9c%(4snwT&OdXAZn*I$|
zAXpEC+7vPhY}F{Hh#stwq74-A0un(JNDs=<z<S4hg6aW6H0_2BPQgm>8-0g%5^Ovu
zoRD7Gik^{yn$-$+FhMlm9sOwj2fnJ2REZ-2vXW@w9b98M7%}7tyU24^pb3Qvl(}_S
z3^((V=ngNkbmg*(INm`(xUqOgz89JB4zJY!G8w!rxN;06(hPAfgK!@J3ZfYvJ3uf3
z5?NV7BM1gQrl7Bl9WlVqJ5CF_SXjg;2&_}45DN^19U@p)AqT8RcnoKnlQ*fs2qg02
z1cDgys*2j^doW)>b;xmG%(PfGHnjXVP);Xdu(NPZWBk|(VKI1ucnsXe5hV#DjVn(|
zkZ*MKR-rOx2HZf-ISC+u(-VHqlM_3m7P^#1YqO7a7^M;d0DUPT2-lfeM1un^F^~wl
zz-$p903vCpb%h=GF^O#gx)w4(H4_CjWD2GL<!#}3<#{<nCaMVIr<|)1B1rLR?b}13
zJ{O)NpoTP3+w<_@#wwH@v+B-Hkfgoxz~p;t<hS%z)p1P{t*Z!N;^(P7k-=%vJS>i3
zw=d}>3*~CcOXaZt&L^{XI%6k}oY<Ru(os9Q+)`cZut|=#)LZ_rC50fL_#weV@Z!Yb
z3zX64z3@A=R43Su%d)t@^X4StEUp-xmSWI*y0#@FL4)nGadi7eTXi_swa8^BHhJp2
z`&o73z$L=60-*@7Hf&Y~NC(}G|K954`SDo}y%WxL0rfs1+=b+|`Ed5$FtEopwfQsQ
zc4j%*nOFGE2mF(uk^9!IAuw#j8sEoA@~1*z&*KpoUJ51adSmrUt9u}01l#qTyC09I
ze)h)BwtyFZ_VcmPooVp)k89=UKj2EUZ#m5eNUUWqF8fLV(p!X%g@X&8R?mj>k9|L>
zB4dJcKLbrPm00NQ_t)DQPbE!txo!G<DF>DK$%;<$1r20>Y<Xbp>(j#P#6Z8`k>3uK
z3XU1S?X`;R)`?D4%gv1nwkZj>jXa|xPDHY2sE;%(6z8_zGRzFxuv0Q5Xul3N((7#d
zQ1`qC@+cd?4u48?n}Q@3vd`#TRB3w#!*fOo=L>Jjksd4HlU7(wHY5JE`=Q$^<>|8R
z!@&NNZb{SC@^)JETc~Im=I*k4O>7#{;$<tRcXseuj(~TOB^|*b5N36z;WklkWaio^
z=d!sK>U9GxaVb2A;m?7bR!bw(h|Srj-$l=0xY#^E^l`{C3_Y`+X<J=<Jdo@6QP{)8
zhl<`U*55i-^*Sc6{XosD8N_$|=L9i>c)PgOmNr&`;zTBVk0<#AKNj-{-@GZc1g6~Z
z9D;Tmm+T^+$0~Ecq&KX0uttehUfoV8zw_Eq^9c2i_2MqMC#Azk|B^sflW5It94i{z
znF<*|g{`_?m%Y0Av`*%1byd_XCEX6%LBCIw*{XU2X>>;x#t(W%b~=8^LnU`}D|w6F
zCLVN?5#5mA-(e66s>P^4j{hG~?--^z7jz5Hv~AnAZJX1!ZR4J{ZQHhO+t##gpMKu+
zo%j2Zit5@)D%m@gO4V9OI?++qYt^-!tE^31w?o-D*iOsWDv)cg`OGU#fYgy4p_>q7
zbJXi~L&;~ItRX)Xrvce#yE>&HG++lVBmlITWS-B^50D8;M1eiE8KSG8I9A)=C<~&J
znxLNCu1b=QKcU~VEbFv<ZWMf97A`JI3!2WI>w7M)FB@Xwrt|?>G#62v@SGP|IOxT|
zSg%5yxIK%`>@g<bGo12;!WcMwk4^%U?+pY0+C&j#-`nBvX;OfM*;i=y)yWNMjREpL
zPM}vbMr!00b&C1jb?{a3)}(Cv;Zt>p4sJHBqb23Y8V-34LqrM%2(28=I_l8wxV~Zm
z1H7J#1tt7u*|Wz>jXq}?zP#y8s$0;{H4~7NIN6<EPPN|?2?Yhfe|iU7ao9wLQQzN}
z;O|W2?dwBq`=KDYlm$}xY~Os>kpP$aM+uHk^D)8b_Ew@XMA(@dMjRfq$p?zxx6T|-
z3_!r-RXLsD2)u8Mm+}6ht~0mKSbmvMcg^5G_yTd?FF(u-d*HF(hYK!uPU25D;wHm4
zAua`UN8k({WAqWQclS1j0MCbum!Vtw8u5e%4<{8__~)mJ+g(cnrN4v>;{ZWkec1C=
zzX&?GB6oD~l?jgUNT7Zj^kA)E!WMsrx5Lkj799+`PkUchnBXsxn-mWSMQg}l&0vFe
zhQc<m;EQ~LS{)QmY?Pd6J@2m@2h^e4HFsxLq$wgKVAWyV*uP?E>Vsf3uGlo!dYL?1
zfXv#=L~Ps$%o`fT)SI*4{eY@-9K`7kiT+C<NVAo-K$oa|5Ivy$7Op*Te7<hqM*~y{
z$1b=?K?b_cEdsePoj&Ku{=)TNW);AIx4VPe+he*+SaQ%0%NQ+hM3q`p3TsR#tze?+
zx`@mD-qN|Dx*wFb&&w^l5c)q3)=UwiG%t=2Qi<I9r>R5hu;$I&uK@BIK0I6!7Q2eE
z^KslO+}A!<@EnU@#5cSY#g-*0j{A;seH+pYK^;%M&dTAsa+IDG3Eyw`eeZ5ReBjph
zOt>%!b@pq0h8IX^L&-1&c6-K1%GTiFYiAdL_3zK42zE7rwOum>geyYqQQHdpMlJt<
zmMrI<e`c17)y^L>;{cP5RBE~J28$l7$YNmvelGs!rkp1q;ck0RzWie&A}FrPiR<hy
z#v09-n)TTD+%Iu}w%q>7uC+|b{TOC93#Qy@E>_G$`m}e{{Jf*TUH$ke0bR8s6Bo7L
z+-gpVE)ETLrfv7!n)~*wFKb%j!~XF_zkJ+kDb}p1HXHf_JwQ*bG2L_hOJnXS|0z3L
z?H-E+j5A{ne*NXTmi*+eoOo@mUQ`7ojJ#MK`;)BjC;q)7%!xOowIIjNE;g2C^8@2n
ziTsK3TO?lz{fV@v0HC1egpfDC=9JM#7*Jw&3dvh^ed6`z=UbR_V&?fL<<qVkHg!4|
zTU55-H$Dgw7a#{t0Q0l_>1I_{+EeV^SwPU2s}S8;<Xg69jxlSNvg#!AOVDb4HhKEg
z?T!3X5HQ~ZB%0H@cuQwh!;jTeaN9fZ+vUNU5AQws?ey2--w_UQsnkyx>7MEi7WbKt
zO4t?-2-^ldHaxTCiK`-Hf&LJL6V->;QrmTMbQ4(yU;u7%Rt9{5px4~s3}ZEqQpQV7
z@|4xb5EVei6Z%WY`St$tRZr`w8Zw`a%HLr*i3BWV=ruym)tY|OW#}T^-c(k4DBixE
zI<pgfk8Qcs3aDN6_txV&@|7+~XY-9Vs$9)0hhBV?Taww8XmeE4VY;`KnZQ}~-$@rx
zlxL#dCcx5Oy8Rj0p0yf>7k|GE)$1~dHaE5s9i(}CwHrT>?GLWzp%Zo&{6w<!=cyN>
zow7kQRrZ=U$3y(})=Xbl*{UY8qBUQSG^f;-)FAuOEW1L1suRtMr@fw$0~#Mb^t)aZ
zn1Tf8Fv&mOk8IjzwnM^re>_CSY@e;L02=2*M1V3>BULjaBXU~m=u2uHae}*aVZ>h*
zq5Rgcs?hse_F>$#(p15)`LZZbE6*CBDr%()SF`+xQnV>+Yh>lDR7>Qz(@|@7vf@xn
zCK@DWA|ghnCPrLjWZe5@nMEXI>?H$aA}x{pWYK?rN|w{N(prg_9B9f%hQK>-Y|PG9
zIRL=$6V`5gd+0L~WNj$EvuRvZP7G}aSN-AWb5Jln)^b^cI6a!tSuinn9&BprCUeS=
zepx(*Oimg3{<}|bl_Hhve<P&=gCwC)P8XRdk(|n!p}{=Ek`}{i8^``off5$G0~N^N
zIefrXI&(?NG>DRW<f2Iyab-~zA6yG{)C0z=t8~aNkaz|nHpht1=qe*6jjg$KY4CMT
zm0wJkNqU#-xoaKQ)^yOe$~ME!p!8^qqiZ`F_C=Ah4xSJ529y?eWl+izVx2yo{cY6K
zNdNF0VP`{$ofNW+c*s=~9Z}GwwgXd3e1}C&J~%6-Fr=x5`ytRg;HvLo&k2Z;X&E@A
zQGu79Bk8LiuKU$-*D9_3p$bqWiz$Q|O`1|>KNj-frOxuk5z;5BY>;YdWn>E_MR4V8
zA5JG((^%K$L!lg~NDO?$P2J^Z8Uz`2@*R)k8R@+6+}lBCD*65e(pggfU;GR?1)LHb
zF2$N10vDF`f0Lk?7?}R&Z*-7`Y{kVW?ACKlDL+EC3h5F!3@~A=tPqlrD`AA6b};w=
z$z%s|JOF>}vYymst*fncYe}4oD(kMzb*zd^g0v+Wp&g9Z#2m?4qOAZVNI5TGP!2@c
zp9hI`IhX88BOu;#i4{|6;y{t9c~LrvTEgOQwV+IaCDd3z?I#`wA)vlG9yPUrW`L38
zOs62d7G}AWgrrP`NMbY*AGAY7o3utGvG%t`AQJ0dz<3G#kk#GgPv^)}m}r+9k8MY(
zag1-2Eufj3b>UGWGae%>GQnz(mLA`9#+BA9e-fsWYO`?{nWvtWl5}*IRH>DS?$h*R
zLr}m({Y-VyS>{tp0N~6I5bd0>zACTJN>C`M;>{2D7rM`nD7ly^U}>ZSS#vKdu2|f4
zyGVHPN__owj?bMJ&QFJcK4~I~V*)xQL9K!+Oi(EdLsBF%)FICzu?;5z7Hm4<T4P#&
zgSi8Bp~WdbjOCM#rs4!U=fVUDuBH(3YvBWK8Pv-0lO(!i1~8E26;I{S#lc}CkeklC
z2>Dg?qEiq%P}k!tIByHAppG#%8W1$PJL`~xs_G9dI4mN@LMTmXsm_mSI=2XLX+Sp1
z3Wl{WlV??GoA3*CmpUre9H}(Tcu0_2B}gVpIKueFOE^aAvc#u>&%4ZzHAk(*$~9{{
zXU$qF6^YD`0mRbqk?KT*S0u?Zo;cz2*2|;+QwR<x&$8ALx0E2?_%)Ou$ChOlM&Ytr
z9xvxw*)9ilJ%2pnw!_=~aS8bTlF<9Q8;HT*!PE17uF(U0B|>_R2I=v!sFVr6ogYm6
zKug?fy>&!7&CTRfm3qy-Gn*U12TP~~R2~rb@#6t@0DvUw=Lv1j1!hsY`V}n#<yV;2
zdFE2}og#sw`@lq$nH|Yq=2B*J=tBPQx7UT09Mp?vJ;3YJtIFe_Lwvx?(<{$JbIgpk
z^T*ryu{^#f&hqg}&r)jkZ6ABgXFomuw+CL<8zT`)z+ZF-z}w69@jZ$zVQ*Nhm&h+Q
z;cdXVPd%??y7e;%_r}g)DiwP|_)Z~J^;4D<2nld1{V#GM9irW^zr+O2TJf1<0}V3<
zH6ccNhEx}1s<34UxL$>-b)#T;+5{KQb+m}}KSiYWcN<oJuTHO6W!t^{C#HfOiv3+P
zr0g=QUA33s#Apx(^IN>t-j!(d2Z7xEYF7Zir0aSq(QpK5z$3C2Aq;=hqqU+(V8A7W
zUn{$`JSY5j8W@9)1e5CqVfNvonRC2CcHM>bKo?uTmf8Ov{!T%4W&3*sWG{YV6J}2Z
zve9bi1&#9=jE~CC?%k|!>)wf}&pc)RDEm*qgcQTN7?YN*pbB8PHsAx>)PZHnOa^%W
zw>A^Q?G>4J?xC%3W5?7m(^;rg@w*VZ7uTQ!2{Bx-_Z>NM;B;?hx?rCZ>g&&(E>nh4
z@O#GOlCnmY_vk+cgKlt|ZuU+dnN=Jz9QcI&mWUK36Q|VKR&fG)7F|3t;|JkKyxJE?
zO*IKIew0UMMAM)NOcG*pf3Lv(BM|^KIKlTs_TM6%UvhyalEaRMjhPPTloFoFt@4a>
zReOR5vUQth<nR=}!u^VxoxU$qik3XIVDetY>+ju-n&y>MVijBfCd4~OoGA986Infk
zOx2+xRZ$~VM$ILNP+f*|s3^iAa|!s~uv(Q+#zG93Q>&a$T52z5AC=DQn-75efn`Wk
z+z&p#k?D<c*S5Wp8e)EZZw{WcUFdMmegr=(YwumK(FY|M086s(#y@Q<>k@=M)q}sC
zDPwp==%GoxJk5hOOaFpOqysBFsE8l*K%Ver0sW~DX8P*t!Yqv23!-J?BmPwdO+?SD
zFg;DJ8Zk01$lO@CuGYC)KNCRx;6*8D1h3BXzRly+YG#K+|6rfMr8G5J(H7)t39i{8
zuo|JGscODNF#E$H%uC?$G__S|+AaN5l{&cx=qFy9?9ALSZB%{-?bo%|YGW=H<4(F>
zYrrpF+Zyv-Kgs%hxL3QVnA3)3FC$(u?#bM+Y#cbi^V`yaJUgofu?7?lJ_6Yj(MTH-
zlll^q-YsZ!U2{-vZ)i+Z9sFif+NU7BQ_3$&9F+)L|2Y5+eUXTm)PtDRkUTj!Wn2nU
zPaF~^rDCGetrC?qWn7%nDLRB#U1OpWqY{-}VIr`8?9ZNjb|oq?DN-p)@TZA3S~00x
zNo$&BnkFM{>O;2+z$b58;8+ftr<vY3uh)Sq;m&qviy9%@{rsiBLkGg<RamXE2H!b|
zksaach8hT<nr4d*qXnAYmK}(z#Y;7hlTKI0`d8r9Z#6Qs$grT7$w$yxe6k6%YJDEs
zUtPbQ(a@98&?AR}&?B(Hj4T@V8q4njzD(zP?W`E2zQSl;04c1uWs$k837q9te`h*p
zOSDM?V(Af@4O><MsX=%U-&)PCv)!_{w)9k|ka8|!ywRc18*Q1yIor&dHYz4WFH44|
z4u<xF4b|ARs!aoaJzr$qb9Hd9b%ZpC|J<aKp(GBfiM7GYrHlNhg?%X*JB0cQpQHAB
zj;xA7cX;&>0JyfAd7|n&=&r~pb)Y4Rqn&X}%B=0c+;t3dy*M;oHu$JxK_ylatMZg-
zZ@p^)4c>nib}6%EgWB_)$!-U)^yB4tYTA@1$2RHW*iN&2!cA$yHevi3k%sP+wv17P
zF0*}Z4@RdNa>Sg>W*)}BzM1d&aQ<Ha*C2)K4HPOxhV#ck@M-^z4bREJ^1m(uBPUZz
z9OVzaa8T+*`KA~`@bfX{1JK?>6&;WfgkPl)1R?!y5PERz-^)NA-*VH%^l~N1^;KT8
z!X7#uz&Uo4ORrLLb96Jo__vRarCochJcILG%C;c738rd|MI+3z)w=qx4!SdcVfyM$
zg#dPq-hNT~Y8wMGjYJm>LHcC=6`^wVH>LAZKs%MR4FyzZJPCp1m?h1f$&zZ)5*1>a
zN14E<?4MedL~E0!WU11XIFgz8tjfa;)bQ%V=6nn0@gdQB)2c?eAIE)Bpde3sQ?UmW
z5ku9;{Bu?XR0L05^?{AbvxZEv5;JndraT{#S99b}o?g{y4lG&qIu`Cp$}@yy4IAwz
zPn-8b$E$aKkS~0jQ0HRyfy=@uL^Y`>23InvC@zad(#HO{dVGGY`%jlJ*P2><rX&~V
z`1-antMPH^`OX;=-iFlt*jy7^yj-+md3AbaqcDkN^vH62AWlpdDI!LFTYJ2uLYY`;
zLGL_u{8WI_gVq`p1wk6p4bWpA(UjjXAf~4Yw2(t1%EfQ)al;Q<U<spOLh8Io(YU!$
z_pI?3Y*m3YO!9^?DWfw1Hmh#!Nn)%sQiL4jDF@$qlH7iS?kNf1ztqBn7YyTgx&2tS
zF(`Bp!!W`u5s;`KA^T$){}>CgQ<Ca-W{M-_vbQSd_;AzkdC4&0cFTR>EF?gpoK$lz
zb>dREUHw_a;^u>$3E^y?$SDc$ndoWZgWh$L98v|f0+*zvszzB|x-Plwp?H_l08v7|
zn*_Or>F(t~NXs*SxA*sbgC_RSUQbWgcj@`9_V?52`EgG-|L51oz{<=wU(D~%m)ioh
z6S2H(ijTKf{?8W<`Dm!4A_4&LIjWQ!r}KmV#t}c@_3iSVdgxh?&xiST8}RmykNBQ9
zG|I$VGis0A)-kGOqG*rN=Sr*YZPz@WukQod%nJ4PX^}|D!UpADz~C)KiV8x!Y6nt*
z%rjPt+2=^Bz6KpFQ(H~nC&li+3u;AWuB|i@rSIgg)vq|4TD*+hR|bepFUDF(#9lzL
zOXnP0U|GsA-FURX3Xh9ml;vceLMtz%qZ}qBZ57E`pnEn1@yaSrZ=0FNYkTIRWrF30
z%hU7Scj<zuLfNxCm89*gM}&D=M`i1CDTLBTd5iMDPq<ScTaDCjLo<HzxA=joN!Zt<
z<3P16|0`y&*|>#m4hQIMKJXfzvB;uL<>rHn>j=}9C$ei}E^O<`96qeLw()(P)WKgg
z)zpe;(<*sn%j!AOm4=Zmwn5nlo<1C}lDsn>FHz^qS5sF8Rpz@3>t7ZahwzJw1j<xl
zMD2C6p0K!jLfgIYtLAxtLX}JQacXwV3syK0?vtf(iWlIKBml6Ir8WTVYcMXPtwqJ^
zIIQLI7oHO)a;oI!1g?Af##eHR=4!V%z9@ry0-M&DOyHihHw@sg2UHWcC`fs}VT>L@
zv~~2;km4Eux8V@7Q@Q^;O7vJ`pcntg3*nh?go%}S6j~21c-@9#vX)CDp2!P<MxTl&
z3TDEYZ;fJo2ntvbuOZZmHugfm(XB1?A7+WOJ}4}rm;f_r)5!?#%^>?oTw~srLG~TD
zkF-urA-=!LYc?$u83S|V6uJ`Z<1OF}(q@aDKy)m~HQR20`3W!H<AHQpSXyEQ)Z-{V
z5uBLukZQ3RPk`6cp3Y(t6-g8lf@^lsnnpPplX=?_GXwaud5A}IsYRW6MV`JSr3r=W
zQ6$-*xRlnZBmAczz_<}PABd(+V`18rL{<WTUJ@;-LdEPiA-Ga9O;)4yyU-pwr6_CS
z_f(0x5k=@z+X6!)2{s|x#V2Gqpx}sC<v>b+ilK&CFl3p<tr~{17Z%W*^k#f_kg&9N
zqiAd2;sBV0^#RSF2Wf<JFW?0L23&C#xIV}Di)5V(=yvkSuUi^!hClvRGz0buO;|)~
zZVFQ=TxLB15Rs<@>D3`4mRtk++F*~G2JR_>XG{!q*xtk^I>}}nkrQB>5S}SfizWlD
z){WSLcI|QLwipYKk0SO|#)D#8>J{Ktm&^@Ci-3TX;AbRvynbPdgQ9IaArJKD2aUz3
z1<y7#>uq;luL_~5m$EIEfrIm(3rdgQkR8i5HT&s3iJP`kPxPjgK8(^}N|Zupg0uWl
z3+N5TsYyf)cp#q(943F5CZ*yues0Sjsk9`R1|{R=fLwlZB~#LYN|dxmf|HrBM2#^9
z0JW$oFT|Tue&KN-p=P8Ab~a36w~DB6F~-=#P3i6OuWx3{8Fy~BcEGd3J0VNz>?c>F
zII0XL8tj0fvHHV9ASGeGfqEniHYyLmV7%5G1C4mVaQv@11uAjTm7p11#RgEO_UESm
z=K-Wy?w(rYhbP1lj#GTce~Vby$v^;VEd3#fN(ZP__}%RN%I%&$p2-|Stw`f@J^CIo
z0Q`{vI`9de5a#UAul5l14dTvXSS^{oOXD7I4L>kvM*k~3%Wfrk@l|_zv8yO3ya2=o
zab&FaA>b`ALHJN|Of1u((aMhgNro(~fl7=t)_<`=R9F&25M?3xok{(iT*_#f4WKJ_
zBXhGfV(G90f%M*=_yR?ObpP{h55&Zga{B;Ej>yQs%KX1?ZZ-zSA5ImEpFf=1T6Pz$
zalScvb1|o&p8fBj5I{6+4e0s|*fMDE^$=K&TFp(iEj*S@Gw!}V<>B#~NYe4l@M)tT
z>c(5@l|*aeoCR)%C91RBlsvwvSx|`l7t<IK__oJ^gYZ4~(Oe-qiNE=Yln6CYxXT)c
z>Dv;-POf*QFAF0A`%f4j1NHz(19SOXl*cf>ZCT-XCHd38#iMWVOHQe;B5MWmf>tr9
zaec?KAQAt~3SCw*Ef%{ii=COdvO)a>*^U!eUO<I7ByD_;^GU;N@7F;-!U@ub*(hE4
zu!8g)(F-9MLR32bp8ciof(BE~Em{LDDa+XkA_!f+%(q{hxz1->gjWHW06P*K(18I1
zS%S7BDH(`^{?IJDr;7SD2P%VU&0+Yx1osprrt{HyTgEt1f#=96>A~mxW`#-z#{Na<
zE5;HsM9HE#3`w%UfQ`Y?Z{6DtQWs}~fkVc?;UB!#2s_#uyypC?cyA$3ls3A;fURIb
zpCO|zn5)-%ctM|_v9TXO(8G}5xQoGnO`)P$5eq|L!8>KD&xVZ~*Jmvk|Ja*4kIBSr
zF6|$oKt1_S=nT5SL(qqI@*nHzZypiP3PrY`4cD>E&<(E`ituQr&{74~x#*Ctg@00M
zISjY@t#?%xp&CRb8#GdBu^s@h!6|bVEQBXo!@INGnd_8<MALwOEZ&xPQ1;fOmBPHe
zJW?R@n2``*`IMO<@}kPEzjFR4>_Ft~Cf=NadW#v(ORKZoz&7~3CNcd`;eG!tI<(i0
zsep1Hkx!K+KfYtYmW0S*z?KM-@l2HsAi6;|1s*U2uWe%rPsGw^Q#ZTq;Qu`B;Qx|e
z%9d6y)u*m|f9(M9e^L8ZJbbR?Q_|B`tH)vaQUPon6yG0?d(@^-zriBrclgmBO3s7d
zTHe4G!QZ!XzGaj@RXUSaw!T02==ndc;rYLQKKEZ<?Y#6w7W6y#KZ^Kpzn0NtJ3^Y`
z(!cJ@syC#!l6NL}MZnnYR9DZAt2}!e$gEg7)XqNKb{hen73-Yz3EO}ir%yeb*I;k=
zt=l*(kXmRtKHK=!!@*Wb#RMF73rnQ~GGSTIX(RsoA97rF=|fYV`~os=+q*@UI6{R4
ze0EWDA@ELiN|dep&b80kuwz+BEW62!_(hg~vXqus_r)x%Q69>{>HV!^O3KD<18pI;
z&=+~x)|mj9(=rQdbx=>G@o3p%BG#x!5!a;yIZXxf0jJ}qXImaOES4gMmzZFcpQhxj
ztmlnd7J}1<ZA)lbWmlaR2RpLxKH%DEYmejj<V+zKSq$J=O$JkW9o=}Bvk(_8cu+W-
zP<fnu`5*Q@h`(D7Zbv`K*+{N)QW=z_ORjSOFM!*SoG;*)`n&=zv>(VrUcSxpdm~^(
z;DT5aOpy)KE@rt7yqF^|4-XpplJZWxop9+}?QX%BptPXK&&ik=Rjs9zeQzGMl#QB^
zmHM{CW8%T1J4evn_8n2yo7WdbZMma^Ti2jI{ZFh7Vut=>yQL${ZoC-zrJ4s1D=WkM
z7l4Y&v6iy#Sa^Pkhxk{yo+4_U^2%-AN2Nhv99^N*#)vwm7829Jp{D2Ge@5?0csUc&
zYbdm%s$G2uYUxh;5aI$B_Wf_Ct8AnaS8uaUIeRY?Ra{+oH5L<$brD=6%5yv`BO&`x
z2R-N|YN>k|`ZIjGf=9G6-hAC%a5?fzn1JAt%@$(7>C!Cs?5zs2@XAxd8&wYHM7lNe
zn>KyP+vVp+7;m@g<wPAAE`H5p6=zcK5#%P3g~Xa)*2Jl|u-Te2nS-5gdA20MMNL)C
zFZNw1356n7hV|LTN6<;|u8`TVtc_yN)}~Q;tr%S3_;{}x_#Zrq=3J5W6rJKYdVnM=
zcG#S(GTNY&gY|?J^l(@5Nl!pWX8N0F(O9_?Qf<}w{b^AtU8)$2oI^+Rqt>I=nNoLG
z56a4!Cr!5g`g@LfuW|E%^sS=5GVsEn(5pmUwVqUriGx`6cu5Hq+CUL6fQ(V{Jx47R
zH{kP!H@6JWc4j7%#o&ZdQ@_`o5fFuB4ihSplW=5t7ic7C(_{9rNpjDatxpxnI`Uln
zRf^YlZ}2y!+`_K5vmG=P&LUqu_U=jD7v~mm5DVnE)x;E3iBEWhsa?Uzx1(>VO=cVH
zLbw{t_m^jRhwixDT_k~uwjuN28HxjwQ%&pD>Nhk{X3tCDXs}|pn?d9!EZ_<v;25um
z6{8XxrO7S3q}_vB6YAOGQz6ouDCcru(`znUS7~vjt5qI>KP)wwjgnZ(102vs`b=A0
zLxB0=GDHd_eQ=3uXy@bgE5!G={NGc1NSJbYzbl^bku9<#kz@*!e)@#taIfLj8!NBM
zzwgI%p?PRG*To!jJB?3Q#el!+l;CU|Y@m9pWV46EPw5_fEAYmG3hTFZmgCA=>^X@k
zj|Ra1ya0I;5SnsY=SJuf2JCo3*M%E{K6v9#*kEzocD4{r^p7oZFFR-dlJ+|%c<<aw
z|Kjtl*ao@wvHD*Gc#MN}>Lbw_)H0MdwDYhkkg&BN(?LE^+h;1P@&cC0?Y|c;X)np0
zN9$yMdqBOtxwK0cJlKxfW3(@5-D)zi_y%!HfQtDNCaPa~cB9Jrc$&1{d2GG14t*-$
zGYpS~{r+uah9lNRq`q^Vt>tq2Rpr~6m0%e82J{)_KW&v`kt<2oCYs|F$Ql7t5I3T`
zGocKcVcya{za3_z-US#|T+56pdERHLQ&L~(GkaH(Z|_JQDWj+UkaqGO%awgqU}+N^
zsMTX+nY_Xpl=`+CLOx*H?_Ml#Uf{Xl*z0!eFb8J4c16Ru1akmypb2%}83&I{mYalB
zN*^QHXR+fFTbt*uNvV<Tr~Hx=^;OHBUg9Pb)qTF}*46*!`vX`xrzPDKo=bM6&8*_!
zW3g;BP_{t|o-d%Ms*mL$kbMR51G40bjQb4hML*GmNRw5~jFXujYk!3B7?Ad{IWCHV
z3!i(A=jvv&tlrJEoDR-v;Jr5#`-AzGAo7b4pPyH$Y_&urrGy$)cX73YAMaanJ^9IC
zJf2|=7f3c`h!w!$4Y+ENU_FR4cYNML`Z_;24zJ3|CJ?`_ho8g`UR^)8No<$c!moF=
zkX80oQKuBr(9+H(#P=O`tm3D_Np|7hCM}u=-cGz0O@Inx*=@3>T4#*JdpSYjs;NiU
zAtV{eDYd8j$IokB-B$Gb?u;J>R6QS4l&2iglO>Bop$y<h)sdegq!tPXtMtX6x_4!E
zuPq=1`r|w&9@pmrsqZZ*??4FiY|EW0gm7;A?Z>S`J{$0r-)ZeYLw8Xg1dk2&R3=vK
zIr-?>U0=HZV{x!9c}bfg6zg@z`UoRI3kT>g*^ve&zM<Yf5N;JrwncdA_|o34pG6k~
zm0pf#PXq83$NP9zt=6QKjuN{=Ao!56<#z&gajvSX=h7pH<X4$hy<Hl$D~#IxE=TS>
z)7PkBMqrG>H&<i<v)rdEZJ_kK2!UFw#PQ55wFpXiOV~HAU21!-p~I9$ohgJ0yaoe>
zY|nh~;Ce}K(#(favLc@fGcoW3>>QIP_CxS~gaAbu`IoClu0n7%7%1eQ>K3*Z=qlpT
z0xW${D<+uV`7N8?;vbFzxKM9Vh^e#e#+<3(GDT{dCdW^De{h-gZNV3R*#@GLedZ><
zMLjGo$FRb9*;shE;RTByryLIm>#)Rx*!n3(-XeQ9##mTsoZKjB>zPxU;{m)#8>t1t
zp8?PJ$9WN6r{CNYm}$pA8$`5lsi!3~;PAp0J{aWw`OI4i^3O;(VishhdnxTvOjUay
zI7pkqJ^OIG4)`Vs)4qx4^m1eQA${-g<|hNA56do*ijLD$XgYrsYR21Hl#1&X%6=7H
zonp!u?iIO%8+--X=1x_@Ugx|g99GA@1pzb?ay#voLsxP<AlH}~u2P)VjNJ9Gj)4zA
zjRB8rEc>##sn3HQ0(+)W(UyT41tp%uMy`V+t=CKg20hreNg=}!R0+yH36^F|yS&wD
zPQfjs#rzW3SaDqPNF&;j?{xJMDKlbIYrj;ncoTlp=SHzLh=oKk7ag1jVs<d(E&-$`
ziQo&eBRVxV*-8$$w51lvY6~(RflOL4W8A;Xz{u(3YeMpT6~}4Y{kCR0jyLxaH-%D9
zA9+rhAQ^e3A2&8Gm6~!G1lp1MsY|~=D)^Q1dGgUKCyE$nFnOx%xO;W=vh>I6Jp#^n
zkD{6QSM?5kTuQY;pQlxwFyLronE{-~){U5BgtL*ebjm48W`*k7iO;2;5|(`}taCR$
zUSnds$7kI7$zsSq6x8|Jm>$LPdxqx>V|Z^Zga^pC!sQ@h9pazc=n}>7ongD4rSu^&
z=X+2~^I^?zzA<O?nsCmxB4!E>!I|gE0GS=Nj-#W48^zogI^((^)IGWQFu>-Pxj^F}
zuJHOSru|}d>DI&LR<bAh$L|YJ!>e0W<Ff~q5652MC}6a6@b*le*&$KDE7O@<89cm#
zENc!j`FV=^3h`D%KSl0Xq5B0&{rh<t3-w|eUVC+|Eu4ygtl61P(>3VEJ4%Zi4%Bh{
zeC>u;{ckWv#<QEtBV;g(IRK;=JymtcUbpU($8;-wwl7cSgx5!aZ5A@`*0fnD(3T1v
ze1uiLY#DQvLX<)l8juP3LgxaBN_scEYNt^N%V*LqbD>U4$iVJh3s{5DR!_G_^~?}&
z8E!*v;NE*=ymVguqN`}>ke}n!uIgHz)~-ADa+~uCU%U2#(XLe84xmDg*4<m+$P6GU
z02}h}&4Y8UPG}{DZWK*T2Mxq@vMSEZzlb_XxLqmDvcqlCBBieWy?5pDZ>%yZ{Hdwf
z)6!m>H<%p3{?Y^1;G`CO0y~dSwcPW2h^;n+P$_O)*Rr}XU&#ze&clg(Pw*%Yk8Y-O
z0aM^?_LNn`5MnErF<@f{AEyiJ{Mu<a7icyP2tx`sw`4(oBEYYA@~VP}A>fcJ)g=#P
z5-J&z9zuoF{CDC*@8~_j6$KTYf+Y|z{Ct9R9IZvLU9hvN_JvRld(c6NnANE->x`iM
zE|5tsvp`zF*Lwg;sn|-%1t!%g(^?hero;4HwUmqxiVjaj5MXT%O*a%2C2H>x$r4fr
zYYnlTq=|g7Msmw(2GK4eitN^Oj3n-A95_Y^^>V;pUqueQEs(06O<e&~by9Fhwr(Js
zbQ>iD&o!hwdrCoi1X#MVV8~y~aBIP(O-lfH3xqx|&enmwDr(bdFvD=6;JWoN{Nanc
z9n@+;`Q{`=0U%2`JU{BZT32YBB*#0My!v3BNw|%+F<0C*$c0-pO8W0+@8O1wOPKi5
zBU}75jkDtvF+658X)(jFgIBtfl8skVP1-6_w*($N0Mqis*g(+Qv!OauM*ueu`mA{5
zbbNxgjun0W0bK}-*G0{jFn_+n?FhY6c4kXe9bqzd2(XVt`w1j)Bi*|&!+v2ZvLGXJ
zzd_ACTf>RQLpyuT1!OlN&~p<Co%o;?Gx{#ki(z@#UyC6W1&4hHW-1wSiHeJZOLr3t
zf#DZ*)Y6Cmp{>s~Pp!J`lur-~zom%OYO>u+bJW@uPrN?ruA3jqR`0(e%JOg%j?S*h
zHM5J$2AGGpNBbir!#`Aqy)R}8IdX}LGbbiT8;T8SJc(crTb#4G3YzHab8rYG#Xo2u
zl#LWRZ|B&#f#lKb>$T3BmNdwhef8{QM8YzAw1_0tb2tZGT9k9cz$HmB%wjYNR1Tq&
z;JKSkyp6J9nNC0>ljBQFfvzBZf^;5@H%t>H12~J8CQfKCSVO{YI}U9b5{uAi>upDV
z!1izbn?DqcJPacm0sHKN8GhC*L!t<#DBMG`j^_18^=YueP#M2571`6kQ@m71fH%+g
zH*DZAD9X}h>k%+%!Qh*Y%MaA{MYdP8yQ=jWu?5gDDsFywwc#gFIpow&-8Y`ydTJmJ
z0-)2@sQz~>5dG}FW)P!&CSvs%B<>Ab^jOrdz6=IJP7wM*47Xo{#PJ<Kr6jvC6pkRm
zt-bivl{WohQ<>JXEEm7e?3L=Br~+A_{i@q+BH6G5VW2evaiIO$GtsE;Tsr?bYXR-E
zk{tL$?70-~X+*gzV{$-Pu^ziaB#q%T5&#0nC-qwX{itCB8Ty<7QG=qD(A7eXj4z5V
zx2h+#jkXh_C2ndU3jHQ*q06233bvK*4JB@X8ev+LPR6ek>@r^Re@s!UOsjQ%2v5R2
z7pwUQ{_8L^YXcF=T4MGj64;BjT@MXgA#0}rZCG}MD<3p|*o96la?MUtdYPTK0YE^g
zkj7X4Q`h*=8DThl4qSmI<K|-wI;g#J9~~8Di(slFkN}R^fN9L2$?)z5q8XEN865=l
zr72m50E3bG2~RNTAskCXf;fMEH-*CzR}~h*i_*P@a*>He_y<D9L70Wc_?DImo-<Hg
z$Iuk}NON!NHhsYc65~cZnulLK2>>}^m^vl3r#_@lM;&Aa8<bXw;@4DD09fctg{2(G
zCftmjpX2w}znXS$>*7s>z2JU`w{~`9`L*vg4i6H50AkT%!r1OK8$HBg;Hx9FV#2H}
zB-if%FDwl1sws^@UMQ1~F=OQHWrPclRHTzjLaRP)WG2I$c%DE0@HD*!3h<CXl)E9Y
zFl^+H6f|4|K`X$7<tLUkA1W^mJI!>IR@q;<`{3$FiSX!WiI|g|G}nk><O;3JG^#kH
z)U_M6c!t?)Pc3(9%zg2&*w6Kdtwe)?k6-Ke=P+*Bb&o~C|0u5w`xzXiH=Sw6?qz7a
zvQ73^?{Sa^wi_@!!r^Je0NMKo!MT<*2)1F8(P$vtw49o|I9dq>9(8}`K7UGoUG7lm
z(J4^<EQRN5k119}m&O)47e6MQlW1V!=Vj{~c_h%s=IaQ?h*2VnDlQ+J%F|K{+1;>Y
zbx%O)VIhg#4J6R|CWO@X`x`K}Oe1;?ol|J{gELKM5UL|A;?XUq0V&oY4$H2%!)3j0
z>iUdK<Q<al#&QkaLkJ_BKUYRrXUstlwPk43k~2%oHlZBPAl9IcG+c}Enp{`mAFMrF
z+m;l3n63>4fzd{m0TOhWZmo$BZ&hz0C{b<ECV-kSZ?lQOydib)?++GtMqBTUG;+si
zfH6x?FQdkkG#*I<z+)(&@Fl8~kV(s8b6d&?op7y-g^b?0Q-CDq;E2!xhaOJyfF%Nv
z{vsoUbAt0IIrlJly8b>Mn`^}IFgV)5CJhQlY+U7CVx~wtG%iH6iLiLbDY3%P5Ivof
zZc+v;Dj0k$f9{STjfD%3BtvY*pT$JI$zsG+u8ow&0mnTW5VqILEb{@Dt#{XlpdRT>
zA%aGXA8sft*JTFLGDw0RIjJPgM**C|KBf{2N@o*aMgXn7Ork7^)><f8>`x`pLuk6m
z9C&V6>`5abcVFfTB~`EP$y%aL)0MVBBW6f7U`SG|xh0PLKh`Wug&40}nCIpk;xrvU
z3qa!$>j7*X#N)4-JoeEj#6Lx9C#f98+nPNxnXLLr|27$~4fsPNmb^DFoW^vR3mXw<
z*|w-y48v*OLRB(-#zM4-l(0>2xosK8FkPk`jMEAuz7F?uRLdhcf?vc<njM7yIwgqv
zT^McZq1;kI)je^}G$JbvIZ+FZ`Rz483=bEz`2e5<r@d8Id0|JH_BwJYDx)S8f8*dX
z4H)Ntrx^T7&K}`HBc3s4hDp($sKNs#i+1X#WgKH}Q)zy$Q`?0TZpZfqy<!k4=AyPQ
z>0?5b^4oIm5Gs2|5B_sF*_>3Hh2#?SCls1FfrGJ@z`$=rVzD<uN*4(<A}(d{(H%S0
zn*v~MOIrqmtydPwc*n#>FJq#vztFD|49Z6Rvv??nW~?SY6eUA=h%LRzW}y}$+Qz`l
zJDwZ|e(H8CRZD;fl^uIRB5wwv)nZ|6jny)4n|4+-`UkU2H{ALz<t%HI3{bWm7T-e2
z+j1PwpLB-XKzP)7vdz=|r%W?^)3>JGl8n+3oJQ*5o2T!m9x{QOLQ$s)IqFD|sZ;}2
zJj^CIKJXJ9tHKKA|EB33sX}l7v9c$`F;D=4w0{7@JEA6!DY-V0FIq+8h(IxX{fEHh
zV8J{70t0)o-^{#g(KIKVaw#n{Kh_l)Dk6!N$zKz$_&nlyN<MqnN_QO(w0<mm-&na$
zgtThjC(GYkuFu<Ut6`@HH|Wq3!4_-J7k;bD`*bbc0M0*~b!)RP;?0?JhL`NHUmF3s
z1b!`*{ETtlnt*+yrs8Ky^MCx0wkcBAuOumFv-sy_dR)uWD+#(>CWi?+%fW{Wtu#~1
z33_avhsxS$a1kC+uE!bZX?0&&@|Rd_JUNG04lzq&=cmw9-wP9J&-Y_=Ey*^GN0ciU
zs`nEmX7HNYgzVc)H42T?&!|SmR`Y=B(6H|WtLAK;ANt9di=-3QDuoWyLYj8-ruQdn
zId9%4?u~?^Q5#-vGU@mY+MVqbvgb_6VtU1NiSE1!Pnr~3_-3}<Ig^d`ix;hq^v1ZZ
z>k3v$`s$ITbeO4N^sr`?{)s<UU3u^m7FBLzJxfcPEh;K0g6DYMnp)Ww(*A(M2JKa}
zE^Bo)D`~-xOG_KcRM|=iORl`o>g8m>+@R%@6z&fk1gk*>>wTnZ)6)8#dgZcp6B~$*
zo?nY0bAY5x6B`(ccC!tLaqUw2j``{zt8MJbKUTI1)|JbfwBK%`hWD6jA*kv$VH<y}
zjGEA(Y<~oBUz>`yaNkW!1)#~ptGU_G(xd&$wTZ22yF)XBuffb$&vA#7#W{+p4V1Bo
zCB;jlav4pnZ9=hoc!5{TvW`e2xqfXOir2!YcXEYTEYq`cM4+@fI&?F%R8&-iLE;b3
zgc9l0vU6>}=;6pU;QPSs`;))t^XPgd=j-76>nrB_``GULJ*DUK129AOJY$-(bWFPB
z^Lgv(2dr;D`&$l9%zwfPCG!_HC}|z)81(yn%+BYE9^n0)zuWoU=Jog|8*d=Ga?@Ph
zeE?Sfn4sNcybo@c0;1AM#xDwZ<>GPUZV<KIwVK-aQu|NodRsYyYFp{7N?P$HIS=<g
zzhminmdyogR65@UQ^20*v5x<_4h7hXM+t`Zu@qzLw2d?}uP=7CdH+41M1#`y;~1le
zHwd@^rXJ1SnuilYb=IW-E8nE!jLRovV_LsfFh_$E!kNqw!C~64AcwoJ1B0R0Te8h#
zMr!s+|4iSfHuCb}-BKWHn>VLH73j%?6?gBjASeZR^PNGmIG{c_#p%`f*Wq0l@Zp{0
z&wLEz1Vw~EoI9=wzK$pEk{#>c*&|qN#Y&#;!I?|xN~<UC87rSVSLe=~pG^<{<bw$M
z0Gs;+MpK{3NG@zO*RZwy9HVi7RWu@Y38FOEg+=F6&a5m(QuGfhwQ;|o`V)P!LMJt-
zALIxEOue2nVD_|SFN{)163hlIjzo?T#t1Up0A->O1I(d^GMI65!>`ykbT7L&IhRFs
zNn9ZVC-CUS5OPlJfItPiU+~4}LcFY-H0UUd#?z!z?IiJ5E>E6?b2%I|9ouRMNH(g;
zuy5F}#5;5^j7(@OlPyAl2`&3i9Yds1C}{fo8Zz`3U<gU~8F@ji9b|%6)yr@!s|9B3
z16l(@oLO9$j+A{$8m4U#2pfFwW0f3X$<ENT5c>5*$q;qR$o?nkHAS94&;FGvC7iw{
z=p9~K*5$|KtACi#w0oqA{m<2yVPeA5^<SiKr~7uoVoRr%gUe4s)U#8G@-xLzfWmE;
zE5(=rTa{5*Q!Ijb5J_V92fufkI&j_JLNKl@;99%4gfdw5Gsk}wqd4h{)%_Y4TG`8P
zy4{|~xn^C8*>I%4mMWO)@Aygh^fGrmI>Ji_^=K21G_;SoAlC!XGy7_rc6LfP<WgME
z2hv$mTC8(INPika&XhYKR4*Yft#Bb9+juMjl;$6xHA01{gA}DD3zGUviwfr+sDIR1
zbiy<t(=S)j2sZ9G>?R6`TAlcfC@qGM29)L_Cqjw}*HTu5_^@#T->2ZMj|OOBj0tlb
zUTbOXel(gpVd?Ojk8JG!TW0}}PA7&-n)_+z#RJaRdSYYu%s^`!Obs5%nGXoC+c(V%
z0q%Mw@FIT=yzrdN6TP6k_)xg{dDG2wJ(J#U?#p1MJ^P`bY}tsxJ>j+u$D^mbz?0l=
z*0#-w+L~Pq-k?2m=W&q&u9aVlj&JRE=GJzpAe~;r#17Mfa!-%YP>Gd6fR!B;fDrk^
z0TXC=4~;7^TweC+OZL%L#mxiwBr6tgkBv$)djG7%Sl|pzHA7wS<);RdhIrTU!`+lm
zy*cWZw;l;e%U(4cip@9=K^4BD|2+HE=Bv(l`0veN7(JQgsbkpT0a(id-_V07A{T0#
za!}=lkC4b;90Z8SU4Q`3e+0On@Sk7Fe@`-5bf@uDO`%5SFWN~8FhRgZF2;kk9OLMk
zzaj8ywyD=rf_`fWrD(#@Yu9wPh&pf0%Gv@@8!3)Ri5?~R9HjcVU_CE)HD3>`yvUwj
zbKi;5mx;@KG*C0d2B9-bEjk)XM(?VODyn&zijnYr)AYjumvWNnX{UyJcGlMu6)N-u
zi)T`JkO@|o)KLGEU>D%5p6SW*Nv$7xfLGQ_cM7EfE55d05<dplN&d1p$b_(~d7!^O
z7B6PYm$1ogb~w(IX9{keX3<!6K-Z(XHs7FTQ$bxrf!cydSmb)dGGpfX`JZS^SsY(k
z+$8;FzCp6YNdgw6G|7WxR3IsmW}80<d!UZBcuD-AL`+1<@;-pFa<`<(9cluh2~FMr
zGJkoWl7@d#lP9PsL^Gm9hWBO>o^f-ba;TwUJ##$3B^;8WNF97QzmRNk8+?SRv)y*2
zq+4yKeiPXz8l=P50@HcbL&kr1Knel!tmMj4Y4(@z?clFg+*0|Tu+zBegUjg*xW9dU
zkoHOlzGoj*_R4@``k<6I9*4)D!A>zKVa>3t>BOa3-7+i2^(cKnaGW#*pgyHwMR+L;
z#{-x`e`t*@=dCfFS~gr;gDPlJr@|d-BCtG2{bh8yG+yY_VKw(G1U0}rMde9RaimG>
zIgOwK<xj|qh&18KPcj;)&q{k{K$c!3x){B3B9pDgj0O1YBOBVq_|w@0#ci^Xa%v>b
z!sd0+%yOAEG+-~^Af%-6m8>rJFkYVxVsNTQ(-(Xs0_plUDger!o26o7@J?d+=5AUG
z?^jX)+$;yiFK}>jff9nvMt(l;_RnUXIME=nfQk^Hh@ajDik79#8+xqGV?Ki9TT#IC
z=$rf2z6OAvKvtzV*5-sb*5)|*r_DY({Lj+spJg(Erj508w)>YRTEJfRzXq7v#%;^;
zmM72&2?kfWR05i#h@xLOI2XTKj_H@I4BL*mtne7x)hDq=#8x6S4p!CUNCm-Hf6gc<
z0C`t;^_5SHdI4GIrOkogh(PQ3&fxzO-+(*K(UJH;ki9P-(V@|Ct{5|`SMt~zr&s%C
z)A6H$wRFl9c<-MuGFOy1vS$N57+;pJR(7d>q&?FvQ6@BzqB{u@g2qqb(7t|ORFbJP
zr~QY^A1*p(bvUsSpE;34!sJj!V-lf$7ZogXni?!sZ-xy#=DZTS4&Dwb9gK-pF+dVt
zq=|Kb6#Q^=#(&cFKWVxN92)lN;P&`p<DMTDYluCi$k|+XaG~hpWmK|OaP~9|*C4)h
z8I{EzBh_h>gRB~}6YQ1#>A`xgbo6f+ZAG!ItuB78lsbQy%Cz9_sjr;gh-bCAl3}|g
z(V(^DbfzLLJxLhGHOhDK55Tcj>%oZ6HOtVX1m(Q9Su5r2cEetJ!K#{=r0ZY%SZrq1
z>b$?zpMWarR%2H6*WYTD!M4c$?9BYQgdVak&fu4qeHd+6oSUSmZ;4z&hPCI)5TSKF
z+^StZX*QT*W4o0@iGAku%3!XSkZzJ-8Tp8f0ji@2^+wjmsqRyS_W%)?IlfV62#eKd
zbWlxF@r%;w`mFLFden>6^NRku9m6R-4P1W8%9&HJb15At!i@d)2>#LH7P>@u$Dn+=
z5;&%b<t~|>ZN4P6*8_LT209Y1SE%x<caB#i$jBrdzeOE%@&vOiV(zu{rM`*@IR=l*
zoHvWSiUS4mjAkxDXFz>f`2h<#aZU6~W@HW5?hgj@B4W1PdBtZ_Gw#gw8ONmLx<ZH>
zpSc<fqERTR(5A{=0wLJ<+SB~R`{b1hOLc<)c~LNzh=WqRQlYL~ux=JOC#I(h)?p!m
z$}umWTjvAo-1+H4=h=na8HuX1D-$$D_@LY!gJ|69*hg+_H{hBCTv>bjxou<k?7V~U
z$4xbm0paAT;PQ=?H7Byd$2V3dOZ?McMUt1RAaCB{u%uShIN5xGBN|D7nixovCzcl%
zt1yauh7ul_D8!tnbM^A@XyZnZ%4f4!qG25-CpxYq?M$VFrkQ__UMxX^ElaW0*>zH0
zqxE9qnx8^M2|%Tspw3e%q^S;6io08Pq(J@29|@Vyi=Aw7Nh+zJZvgJ<e8ZMv9iJG_
zQz`iH=SZ|n+<^~Kin=@BW8gwTiVN`U*;Wc(^V1C{SLs}oD|MyJQaDxO%o{JVFTBz^
zjxz9>xlr4Zt7utf$LmY}p%)<@<+Z4~=Jv<oF!$L)1Q_$zJVpt}zKd$=nFd~0Tk!b!
zY-B+c3ry>zL&X(<RmpSt(|${k`je=Kdy_{t2mZwccRjdg<BpZC!Mrr7CmSLjQvJe6
zbauphu)$0|EcU@Q3z^|<&>OgOPPR#!?=mWt%MQ4hI@{!w&@`2p@GmrR;lV!aSHvYB
zc^W)%0f^a^Y*xT!1RN^5Wb)XBOAy(0o%OoJ$1C9mPqAUf+il3jK8<%pAL|F3n8d%<
zMW>Uc%~b~9lW2hDen=udf%5hKH-qF8_}z+ay`*Q@N}2|kzqLJvrS9F${r%BT4$#_P
zruW7nc)rB_<(Bc2I+u}(cPiJ}wNR|QGVKBwnt9zEPx?>34I%Bvu>cWt*7y=}|L54E
z^&C4<r@;R|IpCZAo8XX{4&Qes<TLrVfIFb$@VjGY@Ii$A*l+qX)96(?(n@GkG#SBd
z_HO0_X)9ZSTOkp?jvF!3oB8=dCRB{oRQxPyGe8D!z70H$C)Wv{sRgjKUQ%J#0o=3M
zUyDE3@CN2|Conzfd&e*>J9;RXnGriC%)w5$0CykLS%S|w&DR!U(BovL7y(<9UB>(V
z$z35&wpO!4nn;D2#OwB>rySjBmg$>m?}*GCRi4QImnEuvQMpJ^^{i|@m+Dc)VzzH~
zVd{Wk?BN+_Ax2r|4uCu^|KI+36$^zV7FEZeHPVs~mX1AeUpvooaZk#4C#3&7EhsFY
zj9I8#g&!`atVP(got~aeTnNl45tlHUmnqI-G%iw<iX~%#E{!S`<O*-a>z!ohY~dTa
z5v3A=qK+vQ<`QXyqo|Nb$N7gR%HBG=6lNUc=0pL0>~n)%Hh&mZER|5sqEsZQid8mW
zNEM}GF<-|J|NaELSyE%yf!wEJp_C+6&Qc~tteUP;<gHhtd;6o(w<}@RG6FBJw-XHR
zA8q{dk5`D!TR9IW?Ls!mk))nIX*_OZ+gXBRe)T<e?1fwT-l+JWguh*RGBJ2}nRb~&
zi2xkL1;1^%nm~=%h-mNLWo+~tw@!pnJKAi;?UhiC*dx@*QmO9mF03W$T(yD%;@ulp
z3CsPg#-W79PiO;FT>g~bW)S>v|3COG3p+FO{{%Lov}NrMd7`_YYi=BzO7YGUkQh=I
zx<iIwT+thPb<qNH<5k{ho#V$<RGAjOeaFO`jWimq=wL%)DDDVN!s1mgy&ZLSICF%|
zY?4D(Um+k}821QW+Me%Xxs7Hip0gYTjn|yX5XKTNWzIwiJEotOeGbTHx;z^XzI;SF
zR@VTjbJ1KGQ3)lBoCo<l4$pKq{DSRJW8(>@+GhbgYtzqc;|b@TkFVJLuhU*qM9^8}
zU@u{k#u2)u&|)uvd@g;Y5AhucUULjS=<&>V#_g-%b*9$nv|)4|Xc|#A7(1d=|EIRM
zjH+Yl+C_uA1_<u%?h>4Z1$TD{?%qgncMtAPa0nV)LV~+P2rj|pEcV{7oNt^v&i!%k
z=pMDIpD8t0*X-_D)zwwUV(&N}IqE4W1cUNpI|CWru!OuPiKwnj9+)$TKL90iidwKA
zJFupr-1G~~7DN9KT2QoeyDnnKESQs=OX$Z+rcDR(!cnKY?EHcqy8DGfxC6+4H%^hB
zlsWwh{f*BbnXiFp|1M#p2<b81r!gjbS@^wdq6PIpTm%VG?<Y#b`_0ZTTyK+FcNa53
z1_i$tGmp*lpt(ngB>Lxg?*;*Wh7)H7)34Df8;hAtu7bK>lE1M&eCr>}htPEyjEW#N
zozMj-7=2{suOBRDXV!KSs^eNG_&(<;gYV#TKvu_fny}k5=L_;Q`Y8OzB)zR65c#cb
zj0+8lXBq1l<&zZN62y-<4Jog9e+pfs#gXCdDGm_Bi9|C_4n}4|^}rio-m5c92A3kC
z`g}p6+ct&~fz0G1R-Tk?419vwu#(~yWqp%bwM60<(uCAoOkFv)2!U^NDpC!+4b)jb
zp>)SkS<vD{`-3I$&z5c3TjHgsK{aKaCaHxqJ8unElDnVIU)OEReVFere&_~#+Vs|i
z4M<S;PdnnfN_}a>na+Wt^LhI~w&Wbu1Y#ZSfoLN^G0t&F4*I<S?cV3>V>E!Ti@3JE
zyLxNA>*?SF0p%CzdH$3)<CR*_IBL-WlGt)RG6U$2S<TjwL)BZ<6OTlJXpt><0$aod
zuw+Mpobbj-pkVZ-DbxU3gJHrhQMAv@Db1||U5-)5Js9x83Elt-)TtF0d}rY_=~=8n
zaF0MJiub^x)G@3`bR#ZT60TJOC;T=eHA)|Alx&cE1eG?n7-Q1n-n&z*uL?mckQzxg
z*xKZ!qQjV8C}OF!R_F~9%E9PX1x!I;C8w~WMG=V>Z>`C>-pQz{4AwAN%W4Os*Hzh&
z87<mg7ItXZB>|tAeoSg`L|9o;`Job;A$%kid0!-o6OTEn)Yv>k<7+p=eGp=zLXZQ2
z!8KwX4_6eeC?7mXFZaF((#zbn1Y%V8YU5*JGpLpkg}ZT@Cgq_0PsqJ!>8^q~Z2hQK
z=>@Z{d6lYHnjPNZ$DPb#2pip<GI?ljya}^6W?Zz8DhB`tX{{)N(o`NYt^E`Ocvw%?
z)u^CR%6t?!{W4DqEdYli*6BP$`i-HbFm+{PaBhn6FD63X)~=kfGI@-e7JRkFY*@bc
z2El@)RJ6u*O-;;Lh6GIt-o}oc*3?mj+QA!T2VAso*zvI-=+5b<F&uiDe{sD<TCEss
zh4=;FQ5A5eQ=-u8fa?j%+_D!vsKAyHS4`<>u0iRqf3F--rcSO?VzaLXf0dl`Ry=RN
z6E^TO5<axIy^Br0xjHPksPZY7q72ISvXP@ETPC%lMm5O?YS(y*bOYr_9C~yE^S_Ei
zKbP74WXQrQojFGi^g_mm-jk(^O@=E5D&)<pT}LsK$KTj>d7U*XFO#Q@iXA4W(58gU
z6_<&^yOE=aHLCn1m5`&81b<<<V)0e`FSFY64F?D`x#_xSusM2Mg^(C4)4z=~aMTzP
zFHlRj=-o%IF(pC>=}ypJWT{(jeyjyAR_s$KS~pwSOit<%Y}ESkk3Bl2>k+_}_1D>#
z!Rs!jJR7V;4-Ii1rNF(aTDNFjz`_2i5bBSsHj0;EB$GTFL8>|mE6Q3lN{uaEW2?dT
zY1vMFAsFoUOqnui9GTh@J!KfQ4k`En7b@kCW4if2;e3)DSmiyc*HD7sb5!(Lp?_->
z$0k(Fz?EYqubHEW_4w8TqVVZF%a5tsoGS|y#VShPwfvD*KBc1J%{Ta;Jm~~{LeW{w
zfid*0-Ij`@t-m}ixkZ>3qZmRZy%a*_R|@_R!ykzFvMQD~5?Ah#fn9cpCMM@LHFN{M
z^>OzA9p^U2JW=hbi@E^V;^E1DNc^fA%RsxB$u0ZJ7Lb#cKM*_{;c28e0LfZwf}y3v
z28qLkOv$79(7Oq~d_azz^wLV4^pdQc^y288^rB}R^xe?m&38>#KbgGop6DH<w3~t(
z4oCVch>{Oz&??=}+KGP_$-no~@(7Mw#(HO%7`aA0WIT&HT5e9PalG;84XL_tC9ZR^
zyn&aNd$6-34S)+t+$@}qLfjI`V@2Mq7*j3T6_m*m<qN}Qh~o$Q^}~+bogfu1Ik8n%
z@mJL=`vi&qknbXGx)?98XMMGI<Q5_JRcJycP@Xp&3q691#M=upnZsNqx%5#FB5m3U
zJ7d7fPwd%u-^e!D?7m>d=?>^}Ce)Vg0b^u_MSK5AkQj4De^PAi*w;mSL~fy^5+hJ>
z8NViw#0YXW(D83eyP(6%RedC6{JJN8WOZnq!b<M+SKhtnPsZd<(-EMxyyHVvnjw{t
z=R-0sgFYIR(LZ9(1K%I83Pt(6zwgR((n_DU&6F!M#EvSP&e#Bj&NH}8Kg$TYq&og!
zcib+4FO#w0LW;1sr@O1$%Lboyk>`~c-lNH|{r<bNYfto&>BXmp*+1Lf{3JIlR-BIh
zt1o67xBdxB0{$bPQFA-SYFiGUb1%pyCv^Zl)P26jJO0#KMY*O>h8G`i)x{kruClE0
zvK^<xNAE|cHA5iILB#$0{`BF=Rl|c|Hp|d7fy);sJ(q5sC;xUm50bPmdD}it_pJu8
zAHr7qy>4!u+CCecwsUr^79R7sd*8HKUZSyV9U*ymcyAlnTBT;Fo3wa;6uX*?p-T5>
zOo$99{Z{^sfbwfAJ5GP_c=-5$ti`6Y;YjwdiE4h_V0R`^eLL@SVD#9-Gwey;IPH-l
zibGae9zQ&&KR_x+j?`q2qusIK=XEygIH161kDB6yP~@h@$2@W5S|l(`X)}FrK$=vh
zK$9IT56MPI-K6Lrq9QOth>nm|>%uTl^QV5a5UY**s%amy*?OL1n9??%SV*3_arrmP
zgX$M-l43KUiA>{1yvi(W#j(tcSjA7;;&PPoxs<XHy%_!S3EQLUlVVSB;S&l7x{Xa<
zK~?y6DyA3m${{~T(jsL0gcZjO66(T&rz3;UPbwE90p+X8fCTv=_4|b;t4gxLyXaZc
zJ<<nO&BTpwO^=HHi~a*FBW6{J)Lzl*-jq=@-wOd+z9Ra$MA3=@dQq}d^`WCH=Y`fi
z+_11gCW!<`&v1GkUcuzOnub#0$)`kbUUlWvcA-D_atu<X8tsNEOEetdj--1mhKMvO
z^OFv&)3#c{-LoAV=VVy{)mnaPjZzJU*v-$$m5;PHg?mz+&{ogF1smMzpOk0`RGa!x
za#MhEMaB;kuKP;j1R`hwLw|B@9DV3Y6}YNB=?WEUR{CL*Y}l__wM?#hshdkJ7)~~?
zK?CXf=bX6^VsQc>mk*HkZfay`t!i8Q;;b9&peaM;dO@z~9Hdq!OoskeYs~#X#MT7W
z2@{CG(G(U0l9GKFdGwPSp_2?-aH%&7HNf{vbP0rHB$p55UD7`VpXz<{E3uq>Pxq?G
z71x3d;N-vP>ggI$DDIn@zbn0%9mA_9Iow~2TL86r{W4jcn$)fT>^#G#O-yjmh2h@r
zMNHj?nwM#fpqp&dmEXXXu^(SY<#b6VCMHxf-pyHE*4S*6@QqHx93GTSt{zIISPys$
z(TQ`SvGO1`W5Rnh+&jyv8cZ)$q#$2aGE*sG?LAW?U@6baLZ(zi@WO;wX!HqrJ;f+Y
zFQv@Q)lde?&Z?wPD$z|qg^-}_*btk7%IG~G)krlZ&XEEMugZB9khBbRd(Iew^r$ra
z1&tnT?vog<1cxSFm^_~B46)Ok2Y~hKw%>9#%%)chyViJPA8SKao?8YdI4IMetIIDu
zcS3+?niqZbAJPfwHX_cC5-M)pCD_rr2mXGti@c|&Nld(ka^GTXi0?j8Jb&C2Fs$z_
zTwGVlgPX1X-ccU0g*BGIBXTI0dQ-cgPXeqTudf^WA1m&c_T%ZYWCov>rUBdAEb{!O
zC20Ha+>)NvB_?#ouYV;cXVl%c7EC+e-<jT=Ir(}m>DR#V)#O<>+_^pZHIMlF`U{^B
z-^TSXC#8R0%V^j3Gc%dto(&u^I`;Kk$o)ebeW|l*HV2ZmV@_+FYs?C86!_(Yrk6au
zv-WThy&V%4NAm6nxj+2zX&dkq?j&9VFEhI+)$X&}Ep)uN!qTfBmAkfUC6<1BE_mz9
zub;~@t&Q+5YC=x!u1(2GMxXe`;k0`#F1-)#9dnp;{n&$7c2JCNZN`F$tlc+MGKX*J
zdoC2H=}u{D0H0cmozRPzc?d2;Wkx!yKF`)Cj;fGWUtqEx!!*c1WdNYDUT&Gx6rMev
zN7xXkK2Bo}G5Lhgrc){veMiG%qAf63m<WodP%f6L^{ZH}eM?FhrQk8L@60xhjL;_<
zZdahN@U%?5@`)qhz~YY{vDunosj{H1l`Uq(&-|@7Xe9?)w#*;MZ>j~OI*+BntB5H&
zJF>2b>u+P6rsC@gnyCV(1s_qg6Iue(Okv((15{^b1Z_K@11VTtpXd6sN{t1Rz@#$w
zE17(8JLaN=d~R%&ex)(_-|3B%p=enB<vWPMjxAQ*if`6A35y5Ap|hMRQngA4NLzL-
zndI_k=%V1YRy5BCtNC*)(v~ur_L*wh6>r{Jn()nOqZ&sYwoU^?tr=R)C)7M9i)BmA
z4wz0_6iU9Yf3%14c$M8XeX-;aNa9VMtH&t(6Qp@(ZAFpX&)@Oew@p(3+yf)fwZyb;
z5IwOgkTzQVHVL0?GRB!=FhOQL+=<a-&NocN?NWW6Z8((!A=KA4`^ve!4Qp$qd^5I?
zraKukwt8-*1{m^L!e>G-540}Ga)Q^83tP|Im5S8uu%=_~M%R`d8`yXIKCQp%J$osr
zC!&u}`_3Wlr!$H(-2lpPUGmn2sh+IUsgqk|7?1kl+<6?FhS*4S%=gWpTE4>kxG=9j
z>Z1)aCXd`H_rt$%BPo|nIFp;W2e6emRppe<b*5*3X#g<FY@gM)2aeC@>rleChN}V^
zt}HqrN5%MOJLQy8r;o7vV%9TH?D`s*<1C|)>ac$5_*+*+eIce_`R1}#6VPzxo#RNG
zxk+u@uIlE1fjZDC+-bu0S>wIc9=1|NXkHx3%q8;zwo*IF3GC)YA)n+8&ZY_{j8K0u
zETT83^AA9tfs}LBYM}v$;14CwvY%2I4QOsz+}bajo{yjky`TS$8>wAtdTa384S8K*
zc0*^}tmdn5UTanPT0vynRP`C#K(ir4e!0(aq=gPdeun0IwaF)xuCMHg`94vs_ACM_
zr3(#2^F$0j&MNB)o#&}lv7#S{u*{<rc}mK+8VUgKV4KB=#CynM6TSo7tA^N-$^>ts
zBu$F)gb8y{C!0t@;*4*W74u;myS!>SDIp9|{~FV8+)y&E^rP5OYDOE}(5bVrY_|e0
zkn7Y6c_ej%YP}Q>V;1*EH+gsaIcr?(u)^401A<RlTTA{lYL9k*nzaTKvCTo@R5bNO
zKGpy&dvu>L3RkG|0#tv^@FA`+w8Ph&;FicO9BEEE!(_LP-D&6G-P8V47atgW|79C&
zt4Fu_ca7on?m4;)<G;=$8)V%#SI&@JC&GeE(RSyZ9_4wfws$QT4|)Ar<qtjYX6taE
zLq=rLUQ|fWqK=Jy4bjq!y8}PGb^hU?XHo-{-mH#oUXqeHPd=o*^Y6*;UU|UlJM$7W
z6uJIApU>%Ea69y@-3`sJNO1{!$&lywsA)n5)3_x5HWJ8=%kzHr<kNGHD{a}|j$1uP
z5%-hPUETRZ^Bk2}GOT-CHk+G$dwCwAzIrQC*6P&cxE;|<z!PO(M~gOLb$he^eA5DS
zKh6U$*YhvNA77k=I!Bud=46QZaoxS_SAMiP-RuqKWU9KG7aJlRJxy;uon3#!6Ch^3
zDQ$UpdKx=F-p;)dLECTXANv{|cKFoKA}BawnKzdqcrixNEqFn2ZDzj$@Xh<5Sm}8R
zAJvjr`umII3dem2qp24`{`O#uHQYsd_k8Ovw4uYwkn{PJ<Yu3w^damigsa5j?D_=)
zXUA*(uc0_l+??ELBVO?FG^{-A+^oE8Y+P(Qbciep4rUU@uI8k)68zx#vsnK_ObhUa
zZ^Y#WFV`Vu?d;-8%Eia`?~ifW_|oF(An1XV3<ZZ3ZuHR82L?}h)DDJ34slF)WGn?m
zg`@(*G*Z^N<}G;bQ~R4j$rryco$d%GcGnzn)*rII`$Vx<R#@K?<ShlI*-~lYdRx(*
z(PKU&2AeH-p{Q7X(nGC6V27Rjmd^5Ft>}D5V(@ovhLmlUix<^X@4eGGmYSq(Y(YIh
zXcC)PUqIt?z;9aU#@8@No#wm~eJJC+6Z3`rSyt*@EJw@&Z*3xegp+LtVL61;Hnwv0
zl&2&+bHg6FccdIyt|eCt^WMiVMGD#z6$%bRruXmKitsg5O-Jt*JFO-Ss+h6Go=eq{
z*kTT;#P!p@yX24^Ua(oB@QDz+gmy*)2|N;oXwsot{Iia>GQ4}HCbZFa)(5nM=bcux
zG59)|T;-t1Q&&~J=ULr;Q?~(ueol=EpMH5Sp%0-{@itcYgesG3Q9r(p&z|*Kg$$_|
zDBmn5e30T88<M$McA2B96ga(Xx({ZJ8R|^P&Xh8vbXDYPl*c5TF!-9u1mN2PsC&UT
z?P)o8>W3A&UL>B-p8_ysP=zN`9l|;`%jUbmQ*{nKyLa=WE>G-=^q*gv17E?zzMqS|
zoV@svvzEsyr|Y^F9a@IQvZjSeS`S`M=9gFXyZO2vc{^G?vp)oANW`B&*~LD*;nUUJ
zahcOY8}jegF<e{I^NR_aXi?(?Iu5^A<~-Lq*2wo2K;ux=(FS5e%ghW~V;ZJiS6o{E
znfLvY1OCj%y}y0^drQ`xQ&aab!x~dIKd+nP?>Yh0a=y&bH3n<1{am%*XYWTlwMb$Q
zHyvlT7#Ugi0>NL+#i0@t3G&;9ibr;3jefxPEWpQcIkclY-2BmB7$zNe0r(W{6;lbw
zwhpz|Ob1h9>!)9`?i<G{0b=$$`0bMx5ocOFzw2w%s5~iNx8$67yn#>~oVpN;3A)~Q
z{ot)|FS;{*Df57_jc--oI;v8-qwET^AM151T#0Thnv+9=@vJy_S3ZN4j`_M_>BgtY
zs3zgK7g%>l0(K%W&CuWtvVtgH%aQ3vl~UQgB&{TrFU&3C8Me}Cz&A15$a~3bo05v@
zH-;Ep<i3(vg5<fw3P05NXS2#K9K-A08q*X^V%$;gB-zTT!K|oFGYO^@Ah=`x&fZ|i
zpG1f#p2BkT_K=tGGG-VDou!=k9ULM;M)i=LDJZK0XR5PG)|8N22;rrQ=+Mv@qBfDC
z1qpf;g81;bG)CEswt*ecCy92~35fC}C~M3`1qhmX+}f>>t_V|9^R^VHk<w6ZNQO3$
zi_m6C!3^=K?{%Cfm{kI;-zitDFheW8<y9cA3DAbL7~#p1fhlQ03X@!Hg_e0s`U-17
zngAm_KH;Xyx(7CyZ#W^QBphLSFyF|{9FdJ=-Dq)WP#Gh-QU}qUrSxcSSs)FRlh0mb
zT2bd^;Ksh!gw&7FeJVWWpkoNp844PQW>4xtUywCo09E>2+^?E~uDO!la6pVx)<HL5
z4$J<uA!d%x=_tP#he}1zDtYr^gFdhlO9%Lx1Y?pvf(`P7Os4C3TPB-FFS(q$QxhMZ
z;t!KV*QX{C0ih15MmN}Ok<D4Pu*3ifF#=7gDi+hL2B}J?EY5)>-^{TvDn|k_3{9#U
zM2DX8UhPDOB{Sc%E)2gLm(yY@osEsdakPidqk4W^X@fzf+8mG3qAr~ci^FO(j}BO#
zle54{Z?wHg86tujK*r*bGJ=)IV>Ms4A<+kZ3Psq|>LX)v$c*Cxc#P(C$@-N(4FP3)
z_HIw+Zp+_!Dm(n2Z)`-WYUZAN*K3DPvCUyO*n`KS5z<99V71$_13W6YuBZ6Qw4guX
zp<9f%BS*8dj_y|Z7-;6buP+Gr6bR@Is*MFuLuKkIHtoB;#WL|q;&?OmhS4<0oHemm
zhM8vJvfVW0{>eL*iT`t~?rN@^B-&kYP4q!ZpbRW|Teg9Rq5b~0NABI`!YOKn&#&6c
z>;3OAO+t`*c#h`LHOTMT-;C`3x_5N*%A;=TK-MxhN?~hYA08&9NTWDxX}Sc6+<End
zuxh`;bL5Q%(3|R+J0|o>G7rs)kz=*z2YJD2;Tf4DS0Qt=FAVSY@T)uCRIH;Oj{PpM
z!S&r;nAOOsiGO<hLUJ(_d-t3yQn2br_ikWgEPxTJ0elW1v||S<7Y})WF0Y5@G@kC~
z>#Eb>=pSjl+OU>*+2)R^NdRzi(|b)rG>AO@o*AkQd51lIj85n>Nzo7M-FOe=Z^SZ&
zyqbXapXVIX=fBaZa06i$u#GeW^dZ~_miAGUXXlN2p&5H>-gH17A=WW)3m$T{-s4cD
z128k#N}BKWA>0P;O4m)gq$zu681gCuY9QMYf6+7h<;r{zv4ozk@q7S)&txCg4j>hg
zc$qdD1EzzVG<_cw0p||^wh#>=?WIUBjR<E3vTGu;XAcZtPtd&YZ@XpN-^4yYpVsh<
zk!TLhdix0IJ{JfS)3jY)`ZW6j{54?{p1&T?a+uZ+q82tE0hR6UODYiuhx=WUFyhiU
zxb>Qv`#+nrmAf6&tDB_arM(VgPXm&K!SnClk#L3VKInJf8Lz0ACd>mQ3baE1dh+w6
zsf5Cl1Dw42h%Bns-sYqn+?>3KESjXcY@{5dY+zKy!NK(v<sxMzRY7C{*;_cg9&-P4
zC_$<#$i>OVDayts#x2Ij&dR|n#Vx_Z!6V8gA<E0i!z;nTBTV{#VZi|NfQynhx3_e)
zBIRZ0`TO-5)rwbD<+{QAx$x@of!E}k<(lQ^eXph0<n#XGD9gE0w5F0M=|Yr*i8wqp
zcm9n=g3>36_rapHp`wSoI#s0?@A2jPB@u8fNx>5xU;p`&>oGUIi8uG~WzN5S&fA?i
zZS2WQIBje{ab+ual8y?*+(uL^mN+&Mry`u2bq}}_)huKywL|mRO$K3(hhpvZP|Ek}
zrNdnsLoj}ltivraMqmsvuOrmxk=25!G={SMq)>-9C(1Um3y@BFp;Wmg&TkCfVghDd
zwm~^{1Qr{V(Ja&=LU4Qi>{<}IMg&J;rjC%zeRiI2;s(p?LRahN@oWRD>rk5eQ5O(8
zi~ydaz}rFL1vEG#Skyi;US#PFTEgIMM@Yp!I$jjZ4aV%?OGgOiKB`vO`AyhQQ@V}>
zVmJ4cJcsiIiY%2QNHun_lf7<AZcY29$j+<?^iHfOa>jgRBfZ4DZ-zDz1jqKN4QfJ7
z9Z~Figgg<yZ|>seKo62JCfD?EwW2v}tOB^$ry7xU=;SgU8_X-g4`*+P`zSn-KWxwm
z2JfFi8uT%EqBv|Ybq3#@K?uhtl-Dr^3d+BS;7pXK82Kk*T>3Ff$#e6t)!}r_;Rvr7
zbXeWGHj2^;<FUaO{XK7LLL6eR7g7sy%m}6`@VE|+u+RrtvF8?dKwr)X52y;90NKBs
zXaCe#Ko!^&ESr>n`<?Ur{~<{q`46da-ImE}VbOc)h+{%{`mdyi9ffiF|CAK4Gtp1~
zlf*DHP_;F6qeBj&)N2_6a6TKPdcg#&_9O$!5Ei|yk`wnPh<m->3lJR}oZqBt`WbLb
z%`|*4eOtd`p!Os1!k}$nbOxNy%W@#d_u((R5!j^F3t~9KrR1JgHsg<!mrgjKWhas>
zDI9ji%7`WZpCEJaGie9-<6!yjgaaP-Cn=z0efWwXqa@YZM%zqWb&Rt~{(mIPqm9+_
z%cGp_NADAtALTZ;+Zgb>bt_8h-r)2K^S=3=$1i;TvkqFAM@_TeEw3hYc>^JO`S%gW
z7h^U;@R+QaJ@y4?T_c*KU?@kd$=+5dnM=uZC{<Q8oF1@)5&)#X4bl=0*xB`^O2&qT
z@1b_SpT$wehau3u$FLAZun<RdF~Te{Vjd5^0~gpw9=><OK5~3t!aHS>bH`-qhEdc1
z))RKS{lgfHqxS9{=tS3_y|fV>r(cH`a=Wug-))MiS8)N3XOmbkK>Cbu(0|`HClsX)
z!JW6VxDGOv5@<^jA+&5qPVL9n%GgnSG3cyEoCBYI*pEpoi$doounX{6#z?jyU+aWM
z^!ageqqa|igz898d%Gw-jzPXVZwNn8IAX>2O7dp!oIHQOT>;ln=_Yb^h>IgJbB~i7
zpnJfs7g*_tQq%9^iI|qSvfWM45to&&i@yF9%43rlSP6qWLnrPv^@L>Ez!sEqu6<TM
zI;H9i^f)6H?vZZccuxL6^IxZ9=hQ9nAqv1Tlp_ne;~sgMBN_ULWMrTCKp<!0Ld+O6
zu%T$|&BZA1y#7os+yK2IB;VnaZh%l}#8eghrw)R<k9q;(W8zBM3+eS%tgSZ#V5@oT
zk?bBwkZ|yI!`;H$GV!4o={&}7gV=t_ZuE+b7X~hAMf1hWcZZcQuy8}s;+`@a!b56$
zf0JG>bQ*L*^X%h0Pc(C--3on@S5iya2Ji{2eT8*m@qTAd*=FcZ<ggON``~c~dqUM#
zJ0LWF<>&bea@#7dw|e$U)f3hpm?|;sk@JM9^`k(&S`%8qFRpI@ZUEC#lJ~ea+#mat
z-iBtf&V0(JM&>duLl9TMwK<w!0nM)<%z>T4(ZI!2>uu<g7<ynP{ES52pjXUgCczp0
zc@wtc1z}lJCgIFZUNb+)Jv&NuyM^2SVg1(Gc2r7%+onM|DJIi)W+f1qYlf<9vICs}
zk|rO;RF@I{q7crkT+Z+0xuf&eIvHFF<l%VqZ=-I!_<9^kqT2WqyxPOrG);=r#OqUE
zwi+A-Vn4Lp`sl2*UF{C@se~G?iQv8O#P?|Y2d-wYy(csy1={sc-6A$<Wd5J(3{ATS
z{bQc+&$+ffego#ke6vG2QTjHPDYZF7uHP9Obq_uV+(Mi~ZNYs*iv(S?EIW04zY7=>
zr2}0H#m+B~po@_Dzkdw4475eQ#hv2NN~WZF@%9ymhCM<{<>Q*=JiGk({wClg@Whz3
z0E(ywJg03Xlm#q7;*Ji7d+`7orOAfoa=-~hH<UlzBP!5%64)$4>h=EOJqznp9o!BI
zD%HsLdfbzf@P=>CUBEg7cCaewVpHUsv<z{)AgNa#c=lW>_~9P30f-T(L^w*cS9l5n
zIi1+*8mb+xWj2so$jHr+2h?Sb3s+!^?%*hF<aS02>T0B2qw?>$BlTw<IIT_tT@bzS
zfdSwQ|C{9*PM`29SeV3*3C`dA>v%sjRv!G9Jm@cEA$+U|s;uw!dVRItAQ@vYhFWVu
z${FJ^hGExXYV_i3AsreC*#^YaA#l@-eD98OS%Y2PWVBUCT=Ezq5CGqFf>!I`uKWJS
z<1Os1Bc@`nH7``lh8~bO12D$=fUi}_R_L@%M7@wh$G0avA6s)MMRdZ6Rzm*$L?ZPU
z=nl{ndz<TXNaL(GmqmG3ej20y_4UD&e&Sgu?i{v`+D+sy@aTSfe73yV((mwp2ZrK+
zXVej*L;*?<nUnYxvNmyNOAhekxyLo^0JVw8MqtLh>{w}eF^kghWg?p_koVyUbRlOL
zdq@T54BPp)C~n9v)>Y&7{#UVSq7nhjIX<}msQil&3LlJ1aq+u)NEEvegrBmmvaS5c
z?*PP2!%k3FiP{BRJ&;3Pc~7mjh_(dS7%vdNm0rS<LuPyMo;t4Gm2nryVzO!|MFwI)
z!BSD67Hca7Eyh#dg#h^Lyf8_ii_>?5dsyQz+sMUtMs@jSJ;jaiIQ^Ws0kljoh3Lh*
zMzjTu;0m*0WmneuPo4GSEC7hhJz7%Ma7Ul?>j<J9lK-x(o^<I0Qd~VcqEPV76*)9H
zHW(uzF+c4m9_w!v{v68S7fd%toXK9V);I4qG4(<#9f^?VlI?>rvVQ7&!t*5U+&rrs
zoe~R9g`2X#y2<`mFtIIszKX{BEPghmZQB*va<&FM6W{;%Ggr$<Pk*FIP4*`t4%D?#
z(y5dX9?7b<lSdAhvIu$}S@BG}MBK-oWXRTBs2B%bjJ?nblS5)(GaP9y)P5sdtgSO7
z>k{(~xkWt3-eTxfpQE~C5-`zxrPdi5clY^+JRv^(!(L~&+1ck6@~W?ZUII{8>_4IG
zw)7zs$E9~x!U&9nSChyC>&7Sxe=m8<K&dHHGo?z_CZ@eBpD6OUT`%%#1TT1ryGaID
zP2xBE*kTMfNsk#;@+s11pUP+x^uWB%RFnkERf2LCEdXm*uY;sZO{c;I+Pi^|Y!`HJ
z`U)*sau*JdeN3(gCpN&of6=@48TTQfo^=54bP~e&*Tphbt$_Wt;bW9%+6nWtK1xUB
zNk>%DW15&p+B$QSzFqs6P1-DTrT*eCn-P8H4n6m_Bj?54pIV~%9b6;8gJHxI#?op&
z`KN9<QxDC=mq`Hk)CR1kxr1c{n16|#zdioBP+UJ|G!Jim12`tWbgf6kp)c(=R8o1g
z9gT`=W}S>mX>zwey5AjNEbq3+S>049PnI<uf}Y{JMBFPFSi6*e*(~TMcHq0GS(_4v
z)Ua7Yk%TbsONk(^wldnaGeGLwErrYE%Xxt9U)A@INyKVg5=&dMk3J1uk5i-_G<`eV
z4~-kYq7ELHm;(@;PQHfSh`3QNvMg&kL2ayPd;O4F@KHu=^8G4Ws7ZB*$gw9n89RWP
z@{t4Ax8$+6#VB<csJ-`;FWZH;E7S{+%SLeETa8hj+q?nmn~skngaLT0h#iOUD}lPK
z+)o?;x{om8&<1aIK$0V(Vm}@)(*6dd-X}RnJQDy~Fq`0H)r~0n?xfv%gNJ_KJ@F;P
znDB!6Ux7h*Bsgx~;Oh)XJ3}<+C-6i%-4OD9Q*wx^X4yXJnsdNE{f8VEs7VVr;a_!Y
zKa`jS)g<ZBv?)6KiLxg=>@CoByW#wfN_?yh`wV7y`^IhZ&;sK3xA}q6F3g2mU|OF?
zNXZcCFz}Lp-!1VlEAXJ*E4ZC5`2O1Lk%J0V!Z)Yvo_DbO66qZLh+V85Ium$syFNUc
zhbi~RmB>@{cuMan-{PNkD>;;(&#2+hw`{ksC{Xms`P&-TdF!fNnTzgjPQ~CS{_{VM
z%oc8e1m*ibsJ3q|jiHW00S-qf1A@wRXs5&mHbk$R#7B~@sMRQ0eYM{OD(_O-%VxIu
zC5oBp-IUA!8<hM98l_E>f86~Z%cf#n=*zBr|9Jr`GodrO$c&PTf({QfA|orM!k(Cz
zkR0s_Lt#yFfGAbKo*0v08*OGvNkFlPI|2;Ka7#6?{eu-1;vx*oyqAJx$Ba)1h=w+!
zB&7fmX6WOO49XZtd50!wMPDJmiv2A`?&Zpwq4h||to~XIxe>U~oIaU3DgKazvS<l&
zN_q-qJcQx!gM>k0{xo@8LA-~znSWCVD1`cH2geJa0TXVSP${0Ih>X*y+EomBW@!wF
zN$Ko3UJ@ta0v}hFjMlTJ+fexEa1soD?^Joga0~v#-~__x9V1FO3O?MCUKv!WQ%M#$
zgiq^nBi|kzqUJAHAz*0x7-@Tt%(gTE24PEZ?emR%Gknmo&HQ|C!ps;DQulgqW(+K@
zLrw+y5w#F1jku};o9a-x`!yDl<$dpr3GI-wL+nPrq4|f;H}@+pK=~Mx9ECx#LcwjK
zr;9&q!4rm<Iuedo`Z-}LvR&#O2<nB_pVazNp?X0SL>PwfI8tTY4z1&#8U$xKBH8y7
zwIbbY2&Z>EY>}n+JZ!NE29};7Zy}E#`JDrpYY;KVthd}5w~Jt}51w}h8TZx3YTMy2
zS9}q&Up4F|sjXkKXqvFen!UD_F-A?#wsl$L7GIq6Ytpv+@(+c((oSQ!s`)=aGrfJS
z0=574>43G;@*GX`o!#3d>b9>at+rWM;4C-C(ws+gxt;1VP|~bmm$k&*WM{KH(>!ah
zYu*w^^>%%Dh^!o}oqJ?y4yDDs%n$YURq6p;oPx&#;@L8Fqn%E3^^Lvia!E6hxFg%S
ztoDOF`}w-YAlV&Qt3{I?yA$<q^A)3)tD!B58L(wThERAm-7tyEWPDZrSF40O#*m0g
zpR@rZY8MOc^vUcDaGU5g&S53t|AH<bIr(3q4ruci5VQUH({>#_T~RkdZFOjq(VDA;
z&|h5v%{>~d`TSpq+<TZ8P<)J7((`f_(JZVjEjCCAgZdqzV|%@L6R>bzY_iAx)u1nR
zB%`ZZ$II=2Pum3O^@0x_q3rvZT2cP11rA?Xl3mHR_{>Om<c|;M4Z#MUT5_#Vz!Qxm
zV73BHb7D@jyjn%KxLMXNWr@B?-KNsT?ATo8_N@P$%cgQhW7f=#o-X@&{v38%J+bmp
z<F5KbceiEKA!YsdtGfkERs4Ze*Ql)0&<3hAF>C)fO*0zh)jAeRyDhQ?ZXZ-ypM{(>
zC^hfErBS)!rg_uS2|iVxWB7xWnpb;6O4Pn8rSDdM1$OgBZDtEX!S*l^RQz|L|Iq(q
zMa3Tsuw6lFey~7(*7|Qb(l&e~)btv5ee?EF*OUYLY5s$s@dsqn{Sie<FIcr0tc=tl
zEdIjWd?Y`GX2Qep&tHk+Hm{lWd?`UnFPV$@9kLPe#4t)U5V49tk^At5<4Sn<Rgx2D
z2^hO0YT#Fc>z@E^I{3Nxe%c}H7WWT(M7<-D1y+?Fh*Sh-UJskr!74CtZMyrXCQhd=
zqW-Ng@xM!`Hwu0&yd+E>ErXa{$jp2A>Mv{l1$5RDopbw|Q4K+V$_NAHUn@BM_=d(u
z;w-%5JA4;^Y3!SJNwzOO8I}zO{TqSqbHgn|?KD+-aC^HKbC@Qi)_r>wvxpUr+8A-K
zPcR(~$%u?G$hs9;E~)PWW2C-zw6g_YRX|D|qDDXdzv6Erl(CEnBeJoKzdM%dT6f3)
z_C~EUXA2RnKh75abT0Kcr*jN#Qf3EDJHk!|4X|4Rll?HQ@S2Qy5lEfcSpL^C$u)gk
zt*AU3)GI;Dj&LV^Lak_M8)Tnuht8ls_i=clvTRUw2F;(r{_TxPeYvMDViSU8*A|Ib
zUDwm+nR;A{4h`#O-5`%?=K|_|g~_aJ9zF->wVlopucXVr031@T2!~N67rLocN}!^R
zo$d;tjUD?J^<V5D50}d34alryt`?e*_1Fb&K8K&HMI9iIq!a3Cg~TlIcok2Vm5`U-
z?uc5p)kfKh5!Y#za_Uuu_AFPP1N)z=X6+-cNe3l@JS^h8G;JW~q#f!Jg^wW@5kHTM
z&ca^UP+!RaSXW7wJWqx_`#%Ez1w=<0wZF<)FkapNYHcg>JQt{TXlUhY%H*5aPck{T
z>9in9HlHk4A1#+0v-Wpa$$tFe$rIAXO2Qc55YN|?$TPvB7&*O;k*kY1W=vHTG+PH-
zRnid3H&Gk*+GhGY{x%Xgdh@ZGkwTH_pZ)XwmDB;@(TB*xxgk7oD8maMw!x}3U@q!p
z^Y_l=Wb@xUwqvG9E*4L2Y>q*IoFle<e@ap7F2nf=S1ZIO&s^3jOl4nHuR`^|_iBYp
zkHoDS!&oB0P@vRkGo7oooU7GZ7-tRKnwrZC`OE`4AC~YvhEmdvRsV>v6S(foM(2Ne
z>}kqfr_M|@K+ug>i=p!wy7F#xCY9-cLHDPoL6N(@jhD`dbu!Z>gQ{-xT<y3+#uB@(
z`NgPQ($;ov)atapMYp_1#!16$p!wujb{Zc~O?GMqGoY$WUEIk<mkQ8c_xWc$u|Jq!
zj~%7m1pP|6f!hC@lf}iLqysFw!#-l3I7XRPsJOkPNI5WCJ3v-kF7L4z*~`9fZcJ+!
zSccg?7AiRkR?afy7A|>*T4!j{J^nAP;Hg~18C?vTaq8uL`EV#3z%)iGz#NZ-L*HVF
zQ`+Xq#ioYhICRhhbncL;BU2rrsNh$$x<J^nZut02%VuXoc037+Y=S$--^WoZEfH3!
zEK|KCDPK%z{CHPb9yc@kd*)Hv#>>qHld@@$pX+U6CIV>UQ&Fm3X^FVXG+FsU{ERDj
z#sx|)qD1%pwldcy7Y?#=KyvAoFeATYzN99(w3>u<Sh+2Kz>ScY2@PV}Qv@s61N~&4
z-jh&CA}v>6E6<3ZQ91p$qD)kfLYTbY&#H0nqE#n>mmefiP#6v-lw53ynYf^8><=BT
zSuZjj^NA*vSR@wfoYG4~EjziH1hp6rij>ELwv@oMh0xEF>7v{3q2~#f7PN&|>~zmZ
z*R((E_`!5-gc4AE;{&+%O;sm(aNZ|kz0960{2%)V+|CTFF&INaK<9_x9yUYdk4D-m
zk1=rPOU_yl493`1p>B0ZbJPR9iMMCo|McnE)e*S^eY{DkPq%}_Q`Nw8StHu@@?)Os
z8w=Y(K9W!3-0QC`P;S%b8(LhB7s8K@asA+Np(%<%oAuvolfi*}7E8)xkeg?&A#F|=
z5_c|xK6D(6A8Jh6X5>VvtY&W^Z*DHFei#8a3B&3qU2YP(RoLy)ToU@#5Fc(5+Euve
zom`+0i^R+9^0Ug(cfH^Hw>pH68507sP9-e1gKS$3j9GWSa&*5pVkUU=%j!J19cU$w
z{p;{7KS+M`-9CG;z$+Ct{E`tcR4m-FmWtkt$X!bdGWnRQkTQ)qG-sQYmTcBwPP*|W
z(-y(v<LDj?)q(BAm+~duOXI)^7g?lU!;<d+VUtAT?)T|^4p}*)as@HnF{8E#Raui|
z9qXj0)T3sNWx;&PUrb5fxst_H->d&{$I)qjU0t$Lt<jltYT;fMETCLuYRS(HsiRtB
z`sgS^qOt@bU?*!UM`0cDxQ|Db;2^m(&_Q)k9scNF?8!t<;_wZX{K6+?%L?OeK`vVd
zknnF&(UX=CM#XzalraBGM_C->j<>sPGQ87$F|s{wcxd2LS$OC5GGZmhUF${odkF&p
z2LuHMa*|m}<LdCvnmnr5>Tutg@}p+*3-74ZycY5cviCc>7<Wyw<m-{cVN9<UxQYJt
zBVIiWCbw6lzWyXYy;1-->%T}8oZG`6Vu2T&7im87?imY6j5{jXx9ADE8uVfk{`D#d
z<QGxND&fN{YMGzHA0dm|z@%EN@Zs;Okq#0&+b;DF;g88G*>V!X?(N9r7cR*f?<IsM
zjj$zlEE%c;!+o<)_`%F7OK-scqFDhwfrZu%jH-PDxWk9{Q{2JKHg@kMc3fnA-tYJ*
ze}4d{B*~}&!#8UTM9>MRUsd^$$=7`<U9lv(Zln%)!+lSieuB{N))<PXNiV*p$y$o;
z_^>2T1`pqS276(`sgNqzjCG$1S8T9=!~s88p#G-<Sb(B<87vSc>j4%(OFjX>5(QW!
z7<X$z#S6K^H(MW_91~7gl_NQ@?+gejnB{hST9OM;CA!|xU|~~Vd?k=o?jT=}`cg_x
zApIQYue{?kZ=1MZ-&Owk@Q>|!k>x{)w`TIUzJ6a-p_HVN_^{^^@3ds-$s|Bki0k0I
z8x;4V@Q0Z;qM`IxiFd_np(~I?T%7egM-|iS`?SIz-V3GGqOjj3-j>M{Ye{aZLSjM&
zJO}6P<!f|Q2{+NJYH@yOOA6jo_7xstpdBGQp4qq9aVrYmJ77Q_40!O&CNZF`D|p|6
z0SPb=2<8xr+f?vIcBt@>0RvHB4lT4D1#eP^3Z6pB3qV`Kpi{`1Cqr`QhGF0%#+@gH
zJ9@%;C6;v5@Q}gQ4EaSz$`(KQh0}2Bukc63;<9{jT^g!cO89rE%=k$NGgC`Q?zGT{
z%!d2wc}b9xcWZ;J8o(8s^vN9KE=G1MU2>;T(VQo0xK<PMijkZIQbHJ<SI4{q=bOQK
zV7OM}uLB#&SAyDKc|LS7xmypk^CjH((_Z27x*ogFY_0T;<Zso#{PG;$Q$pAu`W+cL
z$%m8_QgRZJRMmf6v(pU7L<0NRF{;GQ*K4{ijD)!F11A(0?q_t9ROBQAF>r9?7i_th
zaWP=8Mb;1nB-YCPbfCc3+^QRTf(KD9H`o<x?A}W3=wFpGkqYOU#M=>k>zAx|Rag=^
zh7^5igfo%1APK)Ig#w*_=&EoRnV|fVid6`12)h~iB%@M&>AHne=Fc9#Z{t$tPaOaK
zBAXmbUA&bmaiFELbo+ASEJ!!;SW25CBdhrgN>&7@i@R0Bf0h?rEx&NemIfYtpuFj0
zY5MBR?jwz#^>*Y43NW^Pxz)|`JH3uLby@Sc^Hcw+so<wRubJbgzM^^TM}L2HMRz#8
zVA=HDCU;6W-;eo0@7nqZ4Agx$%Iy^P@>{#_{6lxBI%iq=T_d+lSlKW3p777X0mrl@
z`2HuKn<32MXK{bN9Qk)<{0c2VxD-Hl<$3DQD?K2A$&p{D@b!C=d!hWLb8pkag5%d+
z@W7w^>@}5k#S&y+bjo+%MO*}6yAu1o806Qk|5}IEms&@5HFWsVjl>_>g%{f;TySb!
z+jWxvf_sJhRGO#yO9bvo^o8md;=S1CyMsfRdk0atsTRRj7K|q+@;zdrsBVCvH2FO-
zb>17vbQmh|%zER2p!EN}X9`mbam?s75>I<7fu|(=SDXfZOXG+f3w}|EP`bgH9r(o&
zb+SM0eJMN+;D~n859J9TxAAxT`*S~%CqnH8S7%_$8R}X;9BCID&P(rBV;jmA!8e|8
z2lRE)E>Yj$TiEmeZvf!`7p?!Vln!p~Q<(zi>w9q%os@sQKaONYl4T`ONry^eg>f+^
z9uI@5L&xbgNe`u}!%FS_SIEFshx7U_@C||STiZ~kI_&0N_XP+6<9A1)LUr%1d;NLe
za5$o)_8Rj-N^jy4{`Fdc>Pz>Zwbr?=Lur>6w0OmgrvEGq=1>Zcjl|8v%8N)vCHX-L
G@qYn1#Hh*u

diff --git a/buildroot/docs/manual/manual.text b/buildroot/docs/manual/manual.text
index eb20b407c..1f0e94811 100644
--- a/buildroot/docs/manual/manual.text
+++ b/buildroot/docs/manual/manual.text
@@ -167,13 +167,13 @@ List of Examples
 
 ---------------------------------------------------------------------
 
-Buildroot 2020.02.4 manual generated on 2020-07-26 08:11:34 UTC from
-git revision dee53013da
+Buildroot 2020.02.7 manual generated on 2020-10-12 21:37:33 UTC from
+git revision d8082db677
 
 The Buildroot manual is written by the Buildroot developers. It is
 licensed under the GNU General Public License, version 2. Refer to
 the COPYING [http://git.buildroot.org/buildroot/tree/COPYING?id=
-dee53013da87dfa4bcb3433bdef79ec43b5a5c24] file in the Buildroot
+d8082db677046e004a6537828b3e4f4b9a818a4f] file in the Buildroot
 sources for the full text of this license.
 
 Copyright © 2004-2020 The Buildroot developers
@@ -3670,7 +3670,7 @@ build a system that is known to work. You are welcome to add support
 for other boards to Buildroot too.
 
 To do so, you need to create a normal Buildroot configuration that
-builds a basic system for the hardware: toolchain, kernel,
+builds a basic system for the hardware: (internal) toolchain, kernel,
 bootloader, filesystem and a simple BusyBox-only userspace. No
 specific package should be selected: the configuration should be as
 minimal as possible, and should only build a working basic BusyBox
@@ -3682,7 +3682,17 @@ This is because package selections are highly application-specific.
 Once you have a known working configuration, run make savedefconfig.
 This will generate a minimal defconfig file at the root of the
 Buildroot source tree. Move this file into the configs/ directory,
-and rename it <boardname>_defconfig.
+and rename it <boardname>_defconfig. If the configuration is a bit
+more complicated, it is nice to manually reformat it and separate it
+into sections, with a comment before each section. Typical sections
+are Architecture, Toolchain options (typically just linux headers
+version), Firmware, Bootloader, Kernel, and Filesystem.
+
+Always use fixed versions or commit hashes for the different
+components, not the "latest" version. For example, set
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y and
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE to the kernel version you
+tested with.
 
 It is recommended to use as much as possible upstream versions of the
 Linux kernel and bootloaders, and to use as much as possible default
@@ -5877,7 +5887,7 @@ will automatically download the tarball from this location.
 
 On line 10, we tell Buildroot what options to enable for libfoo.
 
-On line 11, we tell Buildroot the depednencies of libfoo.
+On line 11, we tell Buildroot the dependencies of libfoo.
 
 Finally, on line line 13, we invoke the waf-package macro that
 generates all the Makefile rules that actually allows the package to
@@ -6080,31 +6090,30 @@ for such a package. Let’s start with an example:
 13: FOO_DEPENDENCIES = host-cargo
 14:
 15: FOO_CARGO_ENV = CARGO_HOME=$(HOST_DIR)/share/cargo
-16: FOO_CARGO_MODE = $(if $(BR2_ENABLE_DEBUG),debug,release)
-17:
-18: FOO_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(FOO_CARGO_MODE)
-19:
-20: FOO_CARGO_OPTS = \
-21:   --$(FOO_CARGO_MODE) \
-22:     --target=$(RUSTC_TARGET_NAME) \
-23:     --manifest-path=$(@D)/Cargo.toml
-24:
-25: define FOO_BUILD_CMDS
-26:     $(TARGET_MAKE_ENV) $(FOO_CARGO_ENV) \
-27:             cargo build $(FOO_CARGO_OPTS)
-28: endef
-29:
-30: define FOO_INSTALL_TARGET_CMDS
-31:     $(INSTALL) -D -m 0755 $(@D)/$(FOO_BIN_DIR)/foo \
-32:             $(TARGET_DIR)/usr/bin/foo
-33: endef
-34:
-35: $(eval $(generic-package))
+16:
+17: FOO_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(FOO_CARGO_MODE)
+18:
+19: FOO_CARGO_OPTS = \
+20:     $(if $(BR2_ENABLE_DEBUG),,--release) \
+21:     --target=$(RUSTC_TARGET_NAME) \
+22:     --manifest-path=$(@D)/Cargo.toml
+23:
+24: define FOO_BUILD_CMDS
+25:     $(TARGET_MAKE_ENV) $(FOO_CARGO_ENV) \
+26:             cargo build $(FOO_CARGO_OPTS)
+27: endef
+28:
+29: define FOO_INSTALL_TARGET_CMDS
+30:     $(INSTALL) -D -m 0755 $(@D)/$(FOO_BIN_DIR)/foo \
+31:             $(TARGET_DIR)/usr/bin/foo
+32: endef
+33:
+34: $(eval $(generic-package))
 
 The Makefile starts with the definition of the standard variables for
 package declaration (lines 7 to 11).
 
-As seen in line 35, it is based on the generic-package infrastructure
+As seen in line 34, it is based on the generic-package infrastructure
 . So, it defines the variables required by this particular
 infrastructure, where Cargo is invoked:
 
@@ -7499,7 +7508,35 @@ the following cases:
   * whenever you feel it will help presenting your work, your
     choices, the review process, etc.
 
-21.5.4. Patch revision changelog
+21.5.4. Patches for maintenance branches
+
+When fixing bugs on a maintenance branch, bugs should be fixed on the
+master branch first. The commit log for such a patch may then contain
+a post-commit note specifying what branches are affected:
+
+package/foo: fix stuff
+
+Signed-off-by: Your Real Name <your@email.address>
+---
+Backport to: 2020.02.x, 2020.05.x
+(2020.08.x not affected as the version was bumped)
+
+Those changes will then be backported by a maintainer to the affected
+branches.
+
+However, some bugs may apply only to a specific release, for example
+because it is using an older version of a package. In that case,
+patches should be based off the maintenance branch, and the patch
+subject prefix must include the maintenance branch name (for example
+"[PATCH 2020.02.x]"). This can be done with the git format-patch flag
+--subject-prefix:
+
+$ git format-patch --subject-prefix "PATCH 2020.02.x" \
+    -M -s -o outgoing origin/2020.02.x
+
+Then send the patches with git send-email, as described above.
+
+21.5.5. Patch revision changelog
 
 When improvements are requested, the new revision of each commit
 should include a changelog of the modifications between each
diff --git a/buildroot/fs/cpio/init b/buildroot/fs/cpio/init
index b0af18b67..f74ef7e15 100755
--- a/buildroot/fs/cpio/init
+++ b/buildroot/fs/cpio/init
@@ -1,4 +1,15 @@
 #!/bin/sh
 # devtmpfs does not get automounted for initramfs
 /bin/mount -t devtmpfs devtmpfs /dev
+
+# use the /dev/console device node from devtmpfs if possible to not
+# confuse glibc's ttyname_r().
+# This may fail (E.G. booted with console=), and errors from exec will
+# terminate the shell, so use a subshell for the test
+if (exec 0</dev/console) 2>/dev/null; then
+    exec 0</dev/console
+    exec 1>/dev/console
+    exec 2>/dev/console
+fi
+
 exec /sbin/init "$@"
diff --git a/buildroot/linux/Config.in b/buildroot/linux/Config.in
index c19ccb70a..f83474e1e 100644
--- a/buildroot/linux/Config.in
+++ b/buildroot/linux/Config.in
@@ -30,7 +30,7 @@ config BR2_LINUX_KERNEL_LATEST_VERSION
 	bool "Latest version (5.4)"
 
 config BR2_LINUX_KERNEL_LATEST_CIP_VERSION
-	bool "Latest CIP SLTS version (4.19.118-cip25)"
+	bool "Latest CIP SLTS version (4.19.132-cip30)"
 	help
 	  CIP launched in the spring of 2016 to address the needs of
 	  organizations in industries such as power generation and
@@ -49,7 +49,7 @@ config BR2_LINUX_KERNEL_LATEST_CIP_VERSION
 	  https://www.cip-project.org
 
 config BR2_LINUX_KERNEL_LATEST_CIP_RT_VERSION
-	bool "Latest CIP RT SLTS version (4.19.115-cip24-rt9)"
+	bool "Latest CIP RT SLTS version (4.19.132-cip30-rt12)"
 	help
 	  Same as the CIP version, but this is the PREEMPT_RT realtime
 	  variant.
@@ -128,9 +128,9 @@ endif
 
 config BR2_LINUX_KERNEL_VERSION
 	string
-	default "5.4.45" if BR2_LINUX_KERNEL_LATEST_VERSION
-	default "4.19.118-cip25" if BR2_LINUX_KERNEL_LATEST_CIP_VERSION
-	default "4.19.115-cip24-rt9" if BR2_LINUX_KERNEL_LATEST_CIP_RT_VERSION
+	default "5.4.70" if BR2_LINUX_KERNEL_LATEST_VERSION
+	default "4.19.132-cip30" if BR2_LINUX_KERNEL_LATEST_CIP_VERSION
+	default "4.19.132-cip30-rt12" if BR2_LINUX_KERNEL_LATEST_CIP_RT_VERSION
 	default BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE \
 		if BR2_LINUX_KERNEL_CUSTOM_VERSION
 	default "custom" if BR2_LINUX_KERNEL_CUSTOM_TARBALL
diff --git a/buildroot/linux/linux.hash b/buildroot/linux/linux.hash
index 39a75711d..b2eccb38e 100644
--- a/buildroot/linux/linux.hash
+++ b/buildroot/linux/linux.hash
@@ -1,13 +1,13 @@
 # From https://www.kernel.org/pub/linux/kernel/v5.x/sha256sums.asc
-sha256  103f039f34a9009c42ea643b4f473bda6bb9607d5ad7f63b56b3e2351615fe2e  linux-5.4.45.tar.xz
+sha256  c0b3d8085c5ba235df38b00b740e053659709e8a5ca21957a239f6bc22c45007  linux-5.4.70.tar.xz
 # From https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc
-sha256  418299385195f09b27e371a35f305f3aff148e7557a341b53460091303aa9bb7  linux-4.4.226.tar.xz
-sha256  460a8c168fe5c60ce5b30015a4e4bf348d93a89f8b949de1f90779567ef345ca  linux-4.9.226.tar.xz
-sha256  4265afef56819b04656107a5abecde205c5bc5fb04b2e81447955e7e45db8085  linux-4.14.183.tar.xz
-sha256  82af886bc588b5c8d7474beb2bac13810ee3ed07da356a2553c81ae8e52e586f  linux-4.19.127.tar.xz
+sha256  067814035c17e77dee84076dcc06a95eb675344cd926b7b79a16b80fee593364  linux-4.4.238.tar.xz
+sha256  b1eaf60b771ec4df0546d2b7539e164355008ea2f680a0642ae430e9cb134a3f  linux-4.9.238.tar.xz
+sha256  5d404a0224a34b5379f1871cc46825487d557c2660459d2b5c3cd4871d699a38  linux-4.14.200.tar.xz
+sha256  f2f709ef086a4d8cb3c15a857daa44dfecf1b88d7d7c53c980fb180f6dccbace  linux-4.19.150.tar.xz
 # Locally computed
-sha256  ea53913813cb5a9069608532b327de7a7ed0fdc8fed8c6f10cd55d1ac6a58ffb  linux-cip-4.19.118-cip25.tar.gz
-sha256  7f0a0db0e1cfb14053523f4432f1ad1468b5bd42305b44905c4b103466c8d655  linux-cip-4.19.115-cip24-rt9.tar.gz
+sha256  c20f9014b89ea3e27f55f1d407aa5a4724ed38ac520c197291e9d644f164c43a  linux-cip-4.19.132-cip30.tar.gz
+sha256  81dd791d9ad6c3fddaeaffc6d7d8df0e13831283a5fe494c437ac7820d79ca39  linux-cip-4.19.132-cip30-rt12.tar.gz
 
 # Licenses hashes
 sha256  ee5808b032a67f587d3541099d46de34f5bec8cd5976114ba07f1299ee6001ff  COPYING
diff --git a/buildroot/linux/linux.mk b/buildroot/linux/linux.mk
index 5a1cb42eb..fd44f0f0e 100644
--- a/buildroot/linux/linux.mk
+++ b/buildroot/linux/linux.mk
@@ -160,7 +160,8 @@ endif
 
 # Get the real Linux version, which tells us where kernel modules are
 # going to be installed in the target filesystem.
-LINUX_VERSION_PROBED = `$(MAKE) $(LINUX_MAKE_FLAGS) -C $(LINUX_DIR) --no-print-directory -s kernelrelease 2>/dev/null`
+# Filter out 'w' from MAKEFLAGS, to workaround a bug in make 4.1 (#13141)
+LINUX_VERSION_PROBED = `MAKEFLAGS='$(filter-out w,$(MAKEFLAGS))' $(MAKE) $(LINUX_MAKE_FLAGS) -C $(LINUX_DIR) --no-print-directory -s kernelrelease 2>/dev/null`
 
 LINUX_DTS_NAME += $(call qstrip,$(BR2_LINUX_KERNEL_INTREE_DTS_NAME))
 
@@ -535,7 +536,8 @@ endef
 # Run depmod in a target-finalize hook, to encompass modules installed by
 # packages.
 define LINUX_RUN_DEPMOD
-	if grep -q "CONFIG_MODULES=y" $(LINUX_DIR)/.config; then \
+	if test -d $(TARGET_DIR)/lib/modules/$(LINUX_VERSION_PROBED) \
+		&& grep -q "CONFIG_MODULES=y" $(LINUX_DIR)/.config; then \
 		$(HOST_DIR)/sbin/depmod -a -b $(TARGET_DIR) $(LINUX_VERSION_PROBED); \
 	fi
 endef
diff --git a/buildroot/package/alsa-utils/alsa-utils.mk b/buildroot/package/alsa-utils/alsa-utils.mk
index 2cd3c4a33..7af46e239 100644
--- a/buildroot/package/alsa-utils/alsa-utils.mk
+++ b/buildroot/package/alsa-utils/alsa-utils.mk
@@ -90,10 +90,10 @@ define ALSA_UTILS_INSTALL_INIT_SYSTEMD
 		$(TARGET_DIR)/usr/lib/systemd/system/alsa-restore.service
 	$(INSTALL) -D -m 0644 $(@D)/alsactl/alsa-state.service \
 		$(TARGET_DIR)/usr/lib/systemd/system/alsa-state.service
-	mkdir $(TARGET_DIR)/usr/lib/systemd/system/alsa-restore.service.d
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/usr/lib/systemd/system/alsa-restore.service.d
 	printf '[Install]\nWantedBy=multi-user.target\n' \
 		>$(TARGET_DIR)/usr/lib/systemd/system/alsa-restore.service.d/buildroot-enable.conf
-	mkdir $(TARGET_DIR)/usr/lib/systemd/system/alsa-state.service.d
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/usr/lib/systemd/system/alsa-state.service.d
 	printf '[Install]\nWantedBy=multi-user.target\n' \
 		>$(TARGET_DIR)/usr/lib/systemd/system/alsa-state.service.d/buildroot-enable.conf;
 endef
diff --git a/buildroot/package/apache/apache.hash b/buildroot/package/apache/apache.hash
index 7b0e4ad8e..bd3f6ac7b 100644
--- a/buildroot/package/apache/apache.hash
+++ b/buildroot/package/apache/apache.hash
@@ -1,4 +1,5 @@
-# From http://archive.apache.org/dist/httpd/httpd-2.4.43.tar.bz2.sha256
-sha256  a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43  httpd-2.4.43.tar.bz2
+# From http://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2.{sha256,sha512}
+sha256  740eddf6e1c641992b22359cabc66e6325868c3c5e2e3f98faf349b61ecf41ea  httpd-2.4.46.tar.bz2
+sha512  5936784bb662e9d8a4f7fe38b70c043b468114d931cd10ea831bfe74461ea5856b64f88f42c567ab791fc8907640a99884ba4b6a600f86d661781812735b6f13  httpd-2.4.46.tar.bz2
 # Locally computed
 sha256  47b8c2b6c3309282a99d4a3001575c790fead690cc14734628c4667d2bbffc43  LICENSE
diff --git a/buildroot/package/apache/apache.mk b/buildroot/package/apache/apache.mk
index 068f36e32..203d637fb 100644
--- a/buildroot/package/apache/apache.mk
+++ b/buildroot/package/apache/apache.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-APACHE_VERSION = 2.4.43
+APACHE_VERSION = 2.4.46
 APACHE_SOURCE = httpd-$(APACHE_VERSION).tar.bz2
 APACHE_SITE = http://archive.apache.org/dist/httpd
 APACHE_LICENSE = Apache-2.0
diff --git a/buildroot/package/avahi/avahi.mk b/buildroot/package/avahi/avahi.mk
index 53021f6b6..8d451c179 100644
--- a/buildroot/package/avahi/avahi.mk
+++ b/buildroot/package/avahi/avahi.mk
@@ -81,6 +81,7 @@ AVAHI_CONF_OPTS = \
 	--disable-mono \
 	--disable-monodoc \
 	--disable-stack-protector \
+	--disable-introspection \
 	--with-distro=none \
 	--disable-manpages \
 	$(if $(BR2_PACKAGE_AVAHI_AUTOIPD),--enable,--disable)-autoipd \
diff --git a/buildroot/package/bandwidthd/bandwidthd.service b/buildroot/package/bandwidthd/bandwidthd.service
index 9c03d4294..ab7f05a2e 100644
--- a/buildroot/package/bandwidthd/bandwidthd.service
+++ b/buildroot/package/bandwidthd/bandwidthd.service
@@ -5,7 +5,7 @@ After=network.target
 [Service]
 Type=forking
 ExecStart=/usr/bin/bandwidthd
-PIDFile=/var/run/bandwidthd.pid
+PIDFile=/run/bandwidthd.pid
 
 [Install]
 WantedBy=multi-user.target
diff --git a/buildroot/package/bash/0017-bash50-017.patch b/buildroot/package/bash/0017-bash50-017.patch
new file mode 100644
index 000000000..6758b203f
--- /dev/null
+++ b/buildroot/package/bash/0017-bash50-017.patch
@@ -0,0 +1,293 @@
+From https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash55-017
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	5.0
+Patch-ID:	bash50-017
+
+Bug-Reported-by:	Valentin Lab <valentin.lab@kalysto.org>
+Bug-Reference-ID:	<ab981b9c-60a5-46d0-b7e6-a6d88b80df50@kalysto.org>
+Bug-Reference-URL:	https://lists.gnu.org/archive/html/bug-bash/2020-03/msg00062.html
+
+Bug-Description:
+
+There were cases where patch 16 reaped process substitution file descriptors
+(or FIFOs) and processes to early. This is a better fix for the problem that
+bash50-016 attempted to solve.
+
+Patch (apply with `patch -p0'):
+
+*** bash-5.0-patched/subst.c	2019-08-29 11:16:49.000000000 -0400
+--- b/subst.c	2020-04-02 16:24:19.000000000 -0400
+***************
+*** 5337,5341 ****
+  }
+  
+! char *
+  copy_fifo_list (sizep)
+       int *sizep;
+--- b/5337,5341 ----
+  }
+  
+! void *
+  copy_fifo_list (sizep)
+       int *sizep;
+***************
+*** 5343,5347 ****
+    if (sizep)
+      *sizep = 0;
+!   return (char *)NULL;
+  }
+  
+--- b/5343,5347 ----
+    if (sizep)
+      *sizep = 0;
+!   return (void *)NULL;
+  }
+  
+***************
+*** 5409,5414 ****
+  	if (fifo_list[i].file)
+  	  {
+! 	    fifo_list[j].file = fifo_list[i].file;
+! 	    fifo_list[j].proc = fifo_list[i].proc;
+  	    j++;
+  	  }
+--- b/5409,5419 ----
+  	if (fifo_list[i].file)
+  	  {
+! 	    if (i != j)
+! 	      {
+! 		fifo_list[j].file = fifo_list[i].file;
+! 		fifo_list[j].proc = fifo_list[i].proc;
+! 		fifo_list[i].file = (char *)NULL;
+! 		fifo_list[i].proc = 0;
+! 	      }
+  	    j++;
+  	  }
+***************
+*** 5426,5433 ****
+  void
+  close_new_fifos (list, lsize)
+!      char *list;
+       int lsize;
+  {
+    int i;
+  
+    if (list == 0)
+--- b/5431,5439 ----
+  void
+  close_new_fifos (list, lsize)
+!      void *list;
+       int lsize;
+  {
+    int i;
++   char *plist;
+  
+    if (list == 0)
+***************
+*** 5437,5442 ****
+      }
+  
+!   for (i = 0; i < lsize; i++)
+!     if (list[i] == 0 && i < fifo_list_size && fifo_list[i].proc != -1)
+        unlink_fifo (i);
+  
+--- b/5443,5448 ----
+      }
+  
+!   for (plist = (char *)list, i = 0; i < lsize; i++)
+!     if (plist[i] == 0 && i < fifo_list_size && fifo_list[i].proc != -1)
+        unlink_fifo (i);
+  
+***************
+*** 5560,5568 ****
+  }
+  
+! char *
+  copy_fifo_list (sizep)
+       int *sizep;
+  {
+!   char *ret;
+  
+    if (nfds == 0 || totfds == 0)
+--- b/5566,5574 ----
+  }
+  
+! void *
+  copy_fifo_list (sizep)
+       int *sizep;
+  {
+!   void *ret;
+  
+    if (nfds == 0 || totfds == 0)
+***************
+*** 5570,5579 ****
+        if (sizep)
+  	*sizep = 0;
+!       return (char *)NULL;
+      }
+  
+    if (sizep)
+      *sizep = totfds;
+!   ret = (char *)xmalloc (totfds * sizeof (pid_t));
+    return (memcpy (ret, dev_fd_list, totfds * sizeof (pid_t)));
+  }
+--- b/5576,5585 ----
+        if (sizep)
+  	*sizep = 0;
+!       return (void *)NULL;
+      }
+  
+    if (sizep)
+      *sizep = totfds;
+!   ret = xmalloc (totfds * sizeof (pid_t));
+    return (memcpy (ret, dev_fd_list, totfds * sizeof (pid_t)));
+  }
+***************
+*** 5648,5655 ****
+  void
+  close_new_fifos (list, lsize)
+!      char *list;
+       int lsize;
+  {
+    int i;
+  
+    if (list == 0)
+--- b/5654,5662 ----
+  void
+  close_new_fifos (list, lsize)
+!      void *list;
+       int lsize;
+  {
+    int i;
++   pid_t *plist;
+  
+    if (list == 0)
+***************
+*** 5659,5664 ****
+      }
+  
+!   for (i = 0; i < lsize; i++)
+!     if (list[i] == 0 && i < totfds && dev_fd_list[i])
+        unlink_fifo (i);
+  
+--- b/5666,5671 ----
+      }
+  
+!   for (plist = (pid_t *)list, i = 0; i < lsize; i++)
+!     if (plist[i] == 0 && i < totfds && dev_fd_list[i])
+        unlink_fifo (i);
+  
+*** bash-5.0-patched/subst.h	2018-10-21 18:46:09.000000000 -0400
+--- b/subst.h	2020-04-02 16:29:28.000000000 -0400
+***************
+*** 274,280 ****
+  extern void unlink_fifo __P((int));
+  
+! extern char *copy_fifo_list __P((int *));
+! extern void unlink_new_fifos __P((char *, int));
+! extern void close_new_fifos __P((char *, int));
+  
+  extern void clear_fifo_list __P((void));
+--- b/274,279 ----
+  extern void unlink_fifo __P((int));
+  
+! extern void *copy_fifo_list __P((int *));
+! extern void close_new_fifos __P((void *, int));
+  
+  extern void clear_fifo_list __P((void));
+*** bash-5.0-patched/execute_cmd.c	2020-02-06 20:16:48.000000000 -0500
+--- b/execute_cmd.c	2020-04-02 17:00:10.000000000 -0400
+***************
+*** 565,569 ****
+  #if defined (PROCESS_SUBSTITUTION)
+    volatile int ofifo, nfifo, osize, saved_fifo;
+!   volatile char *ofifo_list;
+  #endif
+  
+--- b/565,569 ----
+  #if defined (PROCESS_SUBSTITUTION)
+    volatile int ofifo, nfifo, osize, saved_fifo;
+!   volatile void *ofifo_list;
+  #endif
+  
+***************
+*** 751,760 ****
+  #  endif
+  
+!   if (variable_context != 0)	/* XXX - also if sourcelevel != 0? */
+      {
+        ofifo = num_fifos ();
+        ofifo_list = copy_fifo_list ((int *)&osize);
+        begin_unwind_frame ("internal_fifos");
+!       add_unwind_protect (xfree, ofifo_list);
+        saved_fifo = 1;
+      }
+--- b/751,762 ----
+  #  endif
+  
+!   /* XXX - also if sourcelevel != 0? */
+!   if (variable_context != 0)
+      {
+        ofifo = num_fifos ();
+        ofifo_list = copy_fifo_list ((int *)&osize);
+        begin_unwind_frame ("internal_fifos");
+!       if (ofifo_list)
+! 	add_unwind_protect (xfree, ofifo_list);
+        saved_fifo = 1;
+      }
+***************
+*** 1100,1123 ****
+        nfifo = num_fifos ();
+        if (nfifo > ofifo)
+! 	close_new_fifos ((char *)ofifo_list, osize);
+        free ((void *)ofifo_list);
+        discard_unwind_frame ("internal_fifos");
+      }
+- # if defined (HAVE_DEV_FD)
+-   /* Reap process substitutions at the end of loops */
+-   switch (command->type)
+-     {
+-     case cm_while:
+-     case cm_until:
+-     case cm_for:
+-     case cm_group:
+- #    if defined (ARITH_FOR_COMMAND)
+-     case cm_arith_for:
+- #    endif
+-       reap_procsubs ();
+-     default:
+-       break;
+-     }
+- #  endif /* HAVE_DEV_FD */
+  #endif
+  
+--- b/1102,1109 ----
+        nfifo = num_fifos ();
+        if (nfifo > ofifo)
+! 	close_new_fifos ((void *)ofifo_list, osize);
+        free ((void *)ofifo_list);
+        discard_unwind_frame ("internal_fifos");
+      }
+  #endif
+  
+
+*** bash-5.0/patchlevel.h	2016-06-22 14:51:03.000000000 -0400
+--- b/patchlevel.h	2016-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 16
+  
+  #endif /* _PATCHLEVEL_H_ */
+--- b/26,30 ----
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 17
+  
+  #endif /* _PATCHLEVEL_H_ */
diff --git a/buildroot/package/bash/0018-bash50-018.patch b/buildroot/package/bash/0018-bash50-018.patch
new file mode 100644
index 000000000..efecb1897
--- /dev/null
+++ b/buildroot/package/bash/0018-bash50-018.patch
@@ -0,0 +1,49 @@
+From https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash55-018
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+
+			     BASH PATCH REPORT
+			     =================
+
+Bash-Release:	5.0
+Patch-ID:	bash50-018
+
+Bug-Reported-by:	oguzismailuysal@gmail.com
+Bug-Reference-ID:
+Bug-Reference-URL:	https://lists.gnu.org/archive/html/bug-bash/2019-10/msg00098.html
+
+Bug-Description:
+
+In certain cases, bash does not perform quoted null removal on patterns
+that are used as part of word expansions such as ${parameter##pattern}, so
+empty patterns are treated as non-empty.
+
+Patch (apply with `patch -p0'):
+
+*** bash-5.0.17/subst.c	2020-04-02 17:14:58.000000000 -0400
+--- b/subst.c	2020-07-09 15:28:19.000000000 -0400
+***************
+*** 5113,5116 ****
+--- b/5113,5118 ----
+  				      (int *)NULL, (int *)NULL)
+  	     : (WORD_LIST *)0;
++   if (l)
++     word_list_remove_quoted_nulls (l);
+    pat = string_list (l);
+    dispose_words (l);
+
+*** bash-5.0/patchlevel.h	2016-06-22 14:51:03.000000000 -0400
+--- b/patchlevel.h	2016-10-01 11:01:28.000000000 -0400
+***************
+*** 26,30 ****
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 17
+  
+  #endif /* _PATCHLEVEL_H_ */
+--- b/26,30 ----
+     looks for to find the patch level (for the sccs version string). */
+  
+! #define PATCHLEVEL 18
+  
+  #endif /* _PATCHLEVEL_H_ */
diff --git a/buildroot/package/bash/0017-input.h-add-missing-include-on-stdio.h.patch b/buildroot/package/bash/0019-input.h-add-missing-include-on-stdio.h.patch
similarity index 100%
rename from buildroot/package/bash/0017-input.h-add-missing-include-on-stdio.h.patch
rename to buildroot/package/bash/0019-input.h-add-missing-include-on-stdio.h.patch
diff --git a/buildroot/package/bash/0018-locale.c-fix-build-without-wchar.patch b/buildroot/package/bash/0020-locale.c-fix-build-without-wchar.patch
similarity index 100%
rename from buildroot/package/bash/0018-locale.c-fix-build-without-wchar.patch
rename to buildroot/package/bash/0020-locale.c-fix-build-without-wchar.patch
diff --git a/buildroot/package/bind/bind.hash b/buildroot/package/bind/bind.hash
index 282b2aeba..4ba0182b1 100644
--- a/buildroot/package/bind/bind.hash
+++ b/buildroot/package/bind/bind.hash
@@ -1,4 +1,4 @@
-# Verified from https://ftp.isc.org/isc/bind9/9.11.20/bind-9.11.20.tar.gz.asc
+# Verified from https://ftp.isc.org/isc/bind9/9.11.22/bind-9.11.22.tar.gz.asc
 # with key AE3FAC796711EC59FC007AA474BB6B9A4CBB3D38
-sha256  306831a738a275693bbe1d6839a09b34a2c8b5c26f8a42ea57ef000a6a99c2b6  bind-9.11.20.tar.gz
+sha256  afc6d8015006f1cabf699ff19f517bb8fd9c1811e5231f26baf51c3550262ac9  bind-9.11.22.tar.gz
 sha256  da2aec2b7f6f0feb16bcb080e2c587375fd3195145f047e4d92d112f5b9db501  COPYRIGHT
diff --git a/buildroot/package/bind/bind.mk b/buildroot/package/bind/bind.mk
index 80f8defca..18fc4845f 100644
--- a/buildroot/package/bind/bind.mk
+++ b/buildroot/package/bind/bind.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-BIND_VERSION = 9.11.20
+BIND_VERSION = 9.11.22
 BIND_SITE = https://ftp.isc.org/isc/bind9/$(BIND_VERSION)
 # bind does not support parallel builds.
 BIND_MAKE = $(MAKE1)
diff --git a/buildroot/package/bison/bison.mk b/buildroot/package/bison/bison.mk
index 4cc635c44..738052096 100644
--- a/buildroot/package/bison/bison.mk
+++ b/buildroot/package/bison/bison.mk
@@ -13,5 +13,6 @@ BISON_LICENSE_FILES = COPYING
 BISON_MAKE = $(MAKE1)
 HOST_BISON_DEPENDENCIES = host-m4
 HOST_BISON_CONF_OPTS = --enable-relocatable
+HOST_BISON_CONF_ENV = ac_cv_libtextstyle=no
 
 $(eval $(host-autotools-package))
diff --git a/buildroot/package/boost/boost.mk b/buildroot/package/boost/boost.mk
index 2daf7f5a9..8e47a90c3 100644
--- a/buildroot/package/boost/boost.mk
+++ b/buildroot/package/boost/boost.mk
@@ -134,6 +134,7 @@ define BOOST_CONFIGURE_CMDS
 	(cd $(@D) && ./bootstrap.sh $(BOOST_FLAGS))
 	echo "using gcc : `$(TARGET_CC) -dumpversion` : $(TARGET_CXX) : <cxxflags>\"$(BOOST_TARGET_CXXFLAGS)\" <linkflags>\"$(TARGET_LDFLAGS)\" ;" > $(@D)/user-config.jam
 	echo "" >> $(@D)/user-config.jam
+	sed -i "s/: -O.* ;/: $(TARGET_OPTIMIZATION) ;/" $(@D)/tools/build/src/tools/gcc.jam
 endef
 
 define BOOST_BUILD_CMDS
diff --git a/buildroot/package/brotli/0001-CMake-Allow-using-BUILD_SHARED_LIBS-to-choose-static.patch b/buildroot/package/brotli/0001-CMake-Allow-using-BUILD_SHARED_LIBS-to-choose-static.patch
index ae5386b1c..2a3204fc3 100644
--- a/buildroot/package/brotli/0001-CMake-Allow-using-BUILD_SHARED_LIBS-to-choose-static.patch
+++ b/buildroot/package/brotli/0001-CMake-Allow-using-BUILD_SHARED_LIBS-to-choose-static.patch
@@ -1,6 +1,6 @@
-From 7289e5a378ba13801996a84d89d8fe95c3fc4c11 Mon Sep 17 00:00:00 2001
+From 6cb16322decd643fed9de332d9cda77f7738b7af Mon Sep 17 00:00:00 2001
 From: Adrian Perez de Castro <aperez@igalia.com>
-Date: Mon, 26 Mar 2018 19:08:31 +0100
+Date: Mon, 7 Sep 2020 12:14:22 +0300
 Subject: [PATCH] CMake: Allow using BUILD_SHARED_LIBS to choose static/shared
  libs
 
@@ -18,16 +18,16 @@ This way, the following will both work as expected:
 
 This is helpful for distributions which need (or want) to build only
 static libraries.
----
- CMakeLists.txt        | 42 ++++++++++++++----------------------------
- c/fuzz/test_fuzzer.sh |  6 +++---
- 2 files changed, 17 insertions(+), 31 deletions(-)
 
 Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
-Upstream-Status: Submitted [https://github.com/google/brotli/pull/655]
+[Upstream status: https://github.com/google/brotli/pull/655]
+---
+ CMakeLists.txt        | 46 ++++++++++++++-----------------------------
+ c/fuzz/test_fuzzer.sh |  6 +++---
+ 2 files changed, 18 insertions(+), 34 deletions(-)
 
 diff --git a/CMakeLists.txt b/CMakeLists.txt
-index fc45f80..3f87f13 100644
+index 4ff3401..f889311 100644
 --- a/CMakeLists.txt
 +++ b/CMakeLists.txt
 @@ -6,6 +6,8 @@ cmake_minimum_required(VERSION 2.8.6)
@@ -36,10 +36,10 @@ index fc45f80..3f87f13 100644
  
 +option(BUILD_SHARED_LIBS "Build shared libraries" ON)
 +
- # If Brotli is being bundled in another project, we don't want to
- # install anything.  However, we want to let people override this, so
- # we'll use the BROTLI_BUNDLED_MODE variable to let them do that; just
-@@ -114,10 +116,6 @@ set(BROTLI_LIBRARIES_CORE brotlienc brotlidec brotlicommon)
+ if(NOT CMAKE_BUILD_TYPE AND NOT CMAKE_CONFIGURATION_TYPES)
+   message(STATUS "Setting build type to Release as none was specified.")
+   set(CMAKE_BUILD_TYPE "Release" CACHE STRING "Choose the type of build." FORCE)
+@@ -137,10 +139,6 @@ set(BROTLI_LIBRARIES_CORE brotlienc brotlidec brotlicommon)
  set(BROTLI_LIBRARIES ${BROTLI_LIBRARIES_CORE} ${LIBM_LIBRARY})
  mark_as_advanced(BROTLI_LIBRARIES)
  
@@ -50,14 +50,20 @@ index fc45f80..3f87f13 100644
  if(${CMAKE_SYSTEM_NAME} MATCHES "Linux")
    add_definitions(-DOS_LINUX)
  elseif(${CMAKE_SYSTEM_NAME} MATCHES "FreeBSD")
-@@ -137,24 +135,22 @@ endfunction()
- transform_sources_list("scripts/sources.lst" "${CMAKE_CURRENT_BINARY_DIR}/sources.lst.cmake")
+@@ -161,29 +159,25 @@ transform_sources_list("scripts/sources.lst" "${CMAKE_CURRENT_BINARY_DIR}/source
  include("${CMAKE_CURRENT_BINARY_DIR}/sources.lst.cmake")
  
--add_library(brotlicommon SHARED ${BROTLI_COMMON_C})
--add_library(brotlidec SHARED ${BROTLI_DEC_C})
--add_library(brotlienc SHARED ${BROTLI_ENC_C})
--
+ if(BROTLI_EMSCRIPTEN)
+-  set(BROTLI_SHARED_LIBS "")
+-else()
+-  set(BROTLI_SHARED_LIBS brotlicommon brotlidec brotlienc)
+-  add_library(brotlicommon SHARED ${BROTLI_COMMON_C})
+-  add_library(brotlidec SHARED ${BROTLI_DEC_C})
+-  add_library(brotlienc SHARED ${BROTLI_ENC_C})
++  set(BUILD_SHARED_LIBS OFF)
+ endif()
+ 
+-set(BROTLI_STATIC_LIBS brotlicommon-static brotlidec-static brotlienc-static)
 -add_library(brotlicommon-static STATIC ${BROTLI_COMMON_C})
 -add_library(brotlidec-static STATIC ${BROTLI_DEC_C})
 -add_library(brotlienc-static STATIC ${BROTLI_ENC_C})
@@ -68,27 +74,27 @@ index fc45f80..3f87f13 100644
  # Older CMake versions does not understand INCLUDE_DIRECTORIES property.
  include_directories(${BROTLI_INCLUDE_DIRS})
  
+-foreach(lib IN LISTS BROTLI_SHARED_LIBS)
+-  target_compile_definitions(${lib} PUBLIC "BROTLI_SHARED_COMPILATION" )
+-  string(TOUPPER "${lib}" LIB)
+-  set_target_properties (${lib} PROPERTIES DEFINE_SYMBOL "${LIB}_SHARED_COMPILATION")
+-endforeach()
 +if(BUILD_SHARED_LIBS)
 +  foreach(lib brotlicommon brotlidec brotlienc)
 +    target_compile_definitions(${lib} PUBLIC "BROTLI_SHARED_COMPILATION" )
 +    string(TOUPPER "${lib}" LIB)
-+    set_target_properties (${lib} PROPERTIES DEFINE_SYMBOL "${LIB}_SHARED_COMPILATION" )
++    set_target_properties (${lib} PROPERTIES DEFINE_SYMBOL "${LIB}_SHARED_COMPILATION")
 +  endforeach()
 +endif()
-+
- foreach(lib brotlicommon brotlidec brotlienc)
--  target_compile_definitions(${lib} PUBLIC "BROTLI_SHARED_COMPILATION" )
--  string(TOUPPER "${lib}" LIB)
--  set_target_properties (${lib} PROPERTIES DEFINE_SYMBOL "${LIB}_SHARED_COMPILATION" )
--endforeach()
--
--foreach(lib brotlicommon brotlidec brotlienc brotlicommon-static brotlidec-static brotlienc-static)
+ 
+-foreach(lib IN LISTS BROTLI_SHARED_LIBS BROTLI_STATIC_LIBS)
++foreach(lib brotlicommon brotlidec brotlienc)
    target_link_libraries(${lib} ${LIBM_LIBRARY})
    set_property(TARGET ${lib} APPEND PROPERTY INCLUDE_DIRECTORIES ${BROTLI_INCLUDE_DIRS})
    set_target_properties(${lib} PROPERTIES
-@@ -167,9 +163,6 @@ endforeach()
- target_link_libraries(brotlidec brotlicommon)
+@@ -200,9 +194,6 @@ target_link_libraries(brotlidec brotlicommon)
  target_link_libraries(brotlienc brotlicommon)
+ endif()
  
 -target_link_libraries(brotlidec-static brotlicommon-static)
 -target_link_libraries(brotlienc-static brotlicommon-static)
@@ -96,7 +102,7 @@ index fc45f80..3f87f13 100644
  # For projects stuck on older versions of CMake, this will set the
  # BROTLI_INCLUDE_DIRS and BROTLI_LIBRARIES variables so they still
  # have a relatively easy way to use Brotli:
-@@ -183,7 +176,7 @@ endif()
+@@ -216,7 +207,7 @@ endif()
  
  # Build the brotli executable
  add_executable(brotli ${BROTLI_CLI_C})
@@ -104,8 +110,8 @@ index fc45f80..3f87f13 100644
 +target_link_libraries(brotli ${BROTLI_LIBRARIES})
  
  # Installation
- if(NOT BROTLI_BUNDLED_MODE)
-@@ -199,13 +192,6 @@ if(NOT BROTLI_BUNDLED_MODE)
+ if(NOT BROTLI_EMSCRIPTEN)
+@@ -233,13 +224,6 @@ if(NOT BROTLI_BUNDLED_MODE)
      RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}"
    )
  
@@ -119,26 +125,6 @@ index fc45f80..3f87f13 100644
    install(
      DIRECTORY ${BROTLI_INCLUDE_DIRS}/brotli
      DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}"
-diff --git a/c/fuzz/test_fuzzer.sh b/c/fuzz/test_fuzzer.sh
-index 9985194..4b99947 100755
---- a/c/fuzz/test_fuzzer.sh
-+++ b/c/fuzz/test_fuzzer.sh
-@@ -13,12 +13,12 @@ mkdir bin
- cd bin
- 
- cmake $BROTLI -DCMAKE_C_COMPILER="$CC" \
--    -DBUILD_TESTING=OFF -DENABLE_SANITIZER=address
--make -j$(nproc) brotlidec-static
-+    -DBUILD_TESTING=OFF -DBUILD_SHARED_LIBS=OFF -DENABLE_SANITIZER=address
-+make -j$(nproc) brotlidec
- 
- ${CC} -o run_decode_fuzzer -std=c99 -fsanitize=address -I$SRC/include \
-     $SRC/fuzz/decode_fuzzer.c $SRC/fuzz/run_decode_fuzzer.c \
--    ./libbrotlidec-static.a ./libbrotlicommon-static.a
-+    ./libbrotlidec.a ./libbrotlicommon.a
- 
- mkdir decode_corpora
- unzip $BROTLI/java/org/brotli/integration/fuzz_data.zip -d decode_corpora
 -- 
-2.19.1
+2.28.0
 
diff --git a/buildroot/package/brotli/0002-Revert-Add-runtime-linker-path-to-pkg-config-files.patch b/buildroot/package/brotli/0002-Revert-Add-runtime-linker-path-to-pkg-config-files.patch
new file mode 100644
index 000000000..892aa1da1
--- /dev/null
+++ b/buildroot/package/brotli/0002-Revert-Add-runtime-linker-path-to-pkg-config-files.patch
@@ -0,0 +1,51 @@
+From 09b0992b6acb7faa6fd3b23f9bc036ea117230fc Mon Sep 17 00:00:00 2001
+From: Eugene Kliuchnikov <eustas.ru@gmail.com>
+Date: Wed, 2 Sep 2020 11:38:26 +0200
+Subject: [PATCH] Revert "Add runtime linker path to pkg-config files (#740)"
+ (#838)
+
+This reverts commit 31754d4ffce14153b5c2addf7a11019ec23f51c1.
+[Retrieved from:
+https://github.com/google/brotli/commit/09b0992b6acb7faa6fd3b23f9bc036ea117230fc]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ scripts/libbrotlicommon.pc.in | 2 +-
+ scripts/libbrotlidec.pc.in    | 2 +-
+ scripts/libbrotlienc.pc.in    | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/scripts/libbrotlicommon.pc.in b/scripts/libbrotlicommon.pc.in
+index 10ca969e..2a8cf7a3 100644
+--- a/scripts/libbrotlicommon.pc.in
++++ b/scripts/libbrotlicommon.pc.in
+@@ -7,5 +7,5 @@ Name: libbrotlicommon
+ URL: https://github.com/google/brotli
+ Description: Brotli common dictionary library
+ Version: @PACKAGE_VERSION@
+-Libs: -L${libdir} -R${libdir} -lbrotlicommon
++Libs: -L${libdir} -lbrotlicommon
+ Cflags: -I${includedir}
+diff --git a/scripts/libbrotlidec.pc.in b/scripts/libbrotlidec.pc.in
+index e7c3124f..6f8ef2e4 100644
+--- a/scripts/libbrotlidec.pc.in
++++ b/scripts/libbrotlidec.pc.in
+@@ -7,6 +7,6 @@ Name: libbrotlidec
+ URL: https://github.com/google/brotli
+ Description: Brotli decoder library
+ Version: @PACKAGE_VERSION@
+-Libs: -L${libdir} -R${libdir} -lbrotlidec
++Libs: -L${libdir} -lbrotlidec
+ Requires.private: libbrotlicommon >= 1.0.2
+ Cflags: -I${includedir}
+diff --git a/scripts/libbrotlienc.pc.in b/scripts/libbrotlienc.pc.in
+index 4dd0811b..2098afe2 100644
+--- a/scripts/libbrotlienc.pc.in
++++ b/scripts/libbrotlienc.pc.in
+@@ -7,6 +7,6 @@ Name: libbrotlienc
+ URL: https://github.com/google/brotli
+ Description: Brotli encoder library
+ Version: @PACKAGE_VERSION@
+-Libs: -L${libdir} -R${libdir} -lbrotlienc
++Libs: -L${libdir} -lbrotlienc
+ Requires.private: libbrotlicommon >= 1.0.2
+ Cflags: -I${includedir}
diff --git a/buildroot/package/brotli/brotli.hash b/buildroot/package/brotli/brotli.hash
index 82163040d..22f894c40 100644
--- a/buildroot/package/brotli/brotli.hash
+++ b/buildroot/package/brotli/brotli.hash
@@ -1,5 +1,5 @@
 # Locally generated:
-sha512  a82362aa36d2f2094bca0b2808d9de0d57291fb3a4c29d7c0ca0a37e73087ec5ac4df299c8c363e61106fccf2fe7f58b5cf76eb97729e2696058ef43b1d3930a  v1.0.7.tar.gz
+sha512  b8e2df955e8796ac1f022eb4ebad29532cb7e3aa6a4b6aee91dbd2c7d637eee84d9a144d3e878895bb5e62800875c2c01c8f737a1261020c54feacf9f676b5f5  v1.0.9.tar.gz
 
 # Hash for license files:
 sha512  bae78184c2f50f86d8c727826d3982c469454c42b9af81f4ef007e39036434fa894cf5be3bf5fc65b7de2301f0a72d067a8186e303327db8a96bd14867e0a3a8  LICENSE
diff --git a/buildroot/package/brotli/brotli.mk b/buildroot/package/brotli/brotli.mk
index 134f48089..5209d3186 100644
--- a/buildroot/package/brotli/brotli.mk
+++ b/buildroot/package/brotli/brotli.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-BROTLI_VERSION = 1.0.7
+BROTLI_VERSION = 1.0.9
 BROTLI_SOURCE = v$(BROTLI_VERSION).tar.gz
 BROTLI_SITE = https://github.com/google/brotli/archive
 BROTLI_LICENSE = MIT
diff --git a/buildroot/package/busybox/busybox.mk b/buildroot/package/busybox/busybox.mk
index b9d82ed71..55aa9b0bb 100644
--- a/buildroot/package/busybox/busybox.mk
+++ b/buildroot/package/busybox/busybox.mk
@@ -237,6 +237,18 @@ define BUSYBOX_SET_SELINUX
 endef
 endif
 
+# enable relevant options to allow the Busybox less applet to be used
+# as a systemd pager
+ifeq ($(BR2_PACKAGE_SYSTEMD):$(BR2_PACKAGE_LESS),y:)
+define BUSYBOX_SET_LESS_FLAGS
+	$(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_LESS_DASHCMD)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_LESS_RAW)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_LESS_TRUNCATE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_LESS_FLAGS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_LESS_ENV)
+endef
+endif
+
 ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
 define BUSYBOX_SET_INDIVIDUAL_BINARIES
 	$(call KCONFIG_ENABLE_OPT,CONFIG_BUILD_LIBBUSYBOX,$(BUSYBOX_BUILD_CONFIG))
@@ -338,6 +350,7 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
 	$(BUSYBOX_SET_SELINUX)
+	$(BUSYBOX_SET_LESS_FLAGS)
 	$(BUSYBOX_SET_INDIVIDUAL_BINARIES)
 endef
 
diff --git a/buildroot/package/busybox/udhcpc.script b/buildroot/package/busybox/udhcpc.script
index 711963f97..0196351cd 100755
--- a/buildroot/package/busybox/udhcpc.script
+++ b/buildroot/package/busybox/udhcpc.script
@@ -42,19 +42,19 @@ case "$1" in
 		rm -f $TMPFILE
 
 		if [ -x /usr/sbin/avahi-autoipd ]; then
-			/usr/sbin/avahi-autoipd -k $interface
+			/usr/sbin/avahi-autoipd -c $interface && /usr/sbin/avahi-autoipd -k $interface
 		fi
 		;;
 
 	leasefail|nak)
 		if [ -x /usr/sbin/avahi-autoipd ]; then
-			/usr/sbin/avahi-autoipd -wD $interface --no-chroot
+			/usr/sbin/avahi-autoipd -c $interface || /usr/sbin/avahi-autoipd -wD $interface --no-chroot
 		fi
 		;;
 
 	renew|bound)
 		if [ -x /usr/sbin/avahi-autoipd ]; then
-			/usr/sbin/avahi-autoipd -k $interface
+			/usr/sbin/avahi-autoipd -c $interface && /usr/sbin/avahi-autoipd -k $interface
 		fi
 		/sbin/ifconfig $interface $ip $BROADCAST $NETMASK
 		if [ -n "$ipv6" ] ; then
diff --git a/buildroot/package/capnproto/capnproto.mk b/buildroot/package/capnproto/capnproto.mk
index 34fb88591..2afeb8ffa 100644
--- a/buildroot/package/capnproto/capnproto.mk
+++ b/buildroot/package/capnproto/capnproto.mk
@@ -21,5 +21,12 @@ endif
 # The actual source to be compiled is within a 'c++' subdirectory
 CAPNPROTO_SUBDIR = c++
 
+ifeq ($(BR2_PACKAGE_OPENSSL),y)
+CAPNPROTO_CONF_OPTS += --with-openssl
+CAPNPROTO_DEPENDENCIES += openssl
+else
+CAPNPROTO_CONF_OPTS += --without-openssl
+endif
+
 $(eval $(autotools-package))
 $(eval $(host-autotools-package))
diff --git a/buildroot/package/chrony/chrony.hash b/buildroot/package/chrony/chrony.hash
index c31c6893a..57ce91ac8 100644
--- a/buildroot/package/chrony/chrony.hash
+++ b/buildroot/package/chrony/chrony.hash
@@ -1,5 +1,4 @@
-# From https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2019/05/msg00001.html
-md5 5f66338bc940a9b51eede8f391e7bed3  chrony-3.5.tar.gz
-sha1 79e9aeace143550300387a99f17bff04b45673f7  chrony-3.5.tar.gz
+# From https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2020/08/msg00000.html
+sha256  1ba82f70db85d414cd7420c39858e3ceca4b9eb8b028cbe869512c3a14a2dca7  chrony-3.5.1.tar.gz
 # Locally calculated
-sha256 ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6  COPYING
+sha256  ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6  COPYING
diff --git a/buildroot/package/chrony/chrony.mk b/buildroot/package/chrony/chrony.mk
index d7f5c0518..f8938a80f 100644
--- a/buildroot/package/chrony/chrony.mk
+++ b/buildroot/package/chrony/chrony.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CHRONY_VERSION = 3.5
+CHRONY_VERSION = 3.5.1
 CHRONY_SITE = http://download.tuxfamily.org/chrony
 CHRONY_LICENSE = GPL-2.0
 CHRONY_LICENSE_FILES = COPYING
diff --git a/buildroot/package/cifs-utils/0001-Use-DESTDIR-when-installing-mount.smb3-and-optionall.patch b/buildroot/package/cifs-utils/0001-Use-DESTDIR-when-installing-mount.smb3-and-optionall.patch
new file mode 100644
index 000000000..e36ec5b5d
--- /dev/null
+++ b/buildroot/package/cifs-utils/0001-Use-DESTDIR-when-installing-mount.smb3-and-optionall.patch
@@ -0,0 +1,41 @@
+From dbb4452787cb966cc74b2015689961875fd5d668 Mon Sep 17 00:00:00 2001
+From: Ryan Barnett <ryanbarnett3@gmail.com>
+Date: Mon, 27 Apr 2020 22:03:25 -0500
+Subject: [PATCH] Use DESTDIR when installing mount.smb3 and optionally install
+ man page
+
+Properly create mount.smb3 symlink by using DESTDIR. Also use
+CONFIG_MAN to optionally install manpage for mount.smb3.
+
+Signed-off-by: Ryan Barnett <ryanbarnett3@gmail.com>
+---
+Upstream: https://marc.info/?l=linux-cifs&m=158804444725745&w=2
+---
+ Makefile.am | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index fe9cd34..e0587f1 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -119,11 +119,13 @@ endif
+ SUBDIRS = contrib
+ 
+ install-exec-hook:
+-	(cd $(ROOTSBINDIR) && ln -sf mount.cifs mount.smb3)
++	(cd $(DESTDIR)$(ROOTSBINDIR) && ln -sf mount.cifs mount.smb3)
+ 
++if CONFIG_MAN
+ install-data-hook:
+-	(cd $(man8dir) && ln -sf mount.cifs.8 mount.smb3.8)
++	(cd $(DESTDIR)$(man8dir) && ln -sf mount.cifs.8 mount.smb3.8)
++endif
+ 
+ uninstall-hook:
+-	(cd $(ROOTSBINDIR) && rm -f $(ROOTSBINDIR)/mount.smb3)
+-	(cd $(man8dir) && rm -f $(man8dir)/mount.smb3.8)
++	rm -f $(DESTDIR)$(ROOTSBINDIR)/mount.smb3
++	rm -f $(DESTDIR)$(man8dir)/mount.smb3.8
+-- 
+2.17.1
+
diff --git a/buildroot/package/cifs-utils/cifs-utils.hash b/buildroot/package/cifs-utils/cifs-utils.hash
index bbfbc1d8f..ca97eb8e5 100644
--- a/buildroot/package/cifs-utils/cifs-utils.hash
+++ b/buildroot/package/cifs-utils/cifs-utils.hash
@@ -1,5 +1,5 @@
 # Locally calculated after checking pgp signature
-sha256	18d8f1bf92c13c4d611502dbd6759e3a766ddc8467ec8a2eda3f589e40b9ac9c	cifs-utils-6.9.tar.bz2
+sha256  b859239a3f204f8220d3e54ed43bf8109e1ef202042dd87ba87492f8878728d9  cifs-utils-6.11.tar.bz2
 
 # Hash for license file:
-sha256	8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903	COPYING
+sha256  8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903  COPYING
diff --git a/buildroot/package/cifs-utils/cifs-utils.mk b/buildroot/package/cifs-utils/cifs-utils.mk
index 511e9ccc0..b06ce7ddd 100644
--- a/buildroot/package/cifs-utils/cifs-utils.mk
+++ b/buildroot/package/cifs-utils/cifs-utils.mk
@@ -4,12 +4,12 @@
 #
 ################################################################################
 
-CIFS_UTILS_VERSION = 6.9
+CIFS_UTILS_VERSION = 6.11
 CIFS_UTILS_SOURCE = cifs-utils-$(CIFS_UTILS_VERSION).tar.bz2
 CIFS_UTILS_SITE = http://ftp.samba.org/pub/linux-cifs/cifs-utils
 CIFS_UTILS_LICENSE = GPL-3.0+
 CIFS_UTILS_LICENSE_FILES = COPYING
-# Missing install-sh in release tarball
+# Missing install-sh in release tarball and patching Makefile.am
 CIFS_UTILS_AUTORECONF = YES
 CIFS_UTILS_DEPENDENCIES = host-pkgconf
 
@@ -17,6 +17,9 @@ CIFS_UTILS_DEPENDENCIES = host-pkgconf
 # the global BR2_RELRO_FULL option.
 CIFS_UTILS_CONF_OPTS = --disable-pie --disable-man
 
+# uses C11 code in smbinfo.c and mtab.c
+CIFS_UTILS_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -std=gnu11"
+
 ifeq ($(BR2_PACKAGE_KEYUTILS),y)
 CIFS_UTILS_DEPENDENCIES += keyutils
 endif
diff --git a/buildroot/package/collectd/Config.in b/buildroot/package/collectd/Config.in
index 303b5dc01..5b194e943 100644
--- a/buildroot/package/collectd/Config.in
+++ b/buildroot/package/collectd/Config.in
@@ -593,7 +593,6 @@ comment "grpc needs a toolchain w/ C++, gcc >= 4.8"
 
 config BR2_PACKAGE_COLLECTD_MQTT
 	bool "mqtt"
-	depends on BR2_TOOLCHAIN_HAS_SYNC_4 # mosquitto
 	select BR2_PACKAGE_MOSQUITTO
 	help
 	  Sends metrics to and/or receives metrics from an MQTT broker.
diff --git a/buildroot/package/cpio/0001-Minor-fix.patch b/buildroot/package/cpio/0001-Minor-fix.patch
new file mode 100644
index 000000000..429df7d5f
--- /dev/null
+++ b/buildroot/package/cpio/0001-Minor-fix.patch
@@ -0,0 +1,30 @@
+From 641d3f489cf6238bb916368d4ba0d9325a235afb Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org>
+Date: Mon, 20 Jan 2020 07:45:39 +0200
+Subject: Minor fix * src/global.c: Remove superfluous declaration of
+ program_name
+
+[Retrieved from:
+https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=641d3f489cf6238bb916368d4ba0d9325a235afb]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/global.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/global.c b/src/global.c
+index fb3abe9..acf92bc 100644
+--- a/src/global.c
++++ b/src/global.c
+@@ -184,9 +184,6 @@ unsigned int warn_option = 0;
+ /* Extract to standard output? */
+ bool to_stdout_option = false;
+ 
+-/* The name this program was run with.  */
+-char *program_name;
+-
+ /* A pointer to either lstat or stat, depending on whether
+    dereferencing of symlinks is done for input files.  */
+ int (*xstat) ();
+-- 
+cgit v1.2.1
+
diff --git a/buildroot/package/cryptsetup/0002-Add-support-for-upcoming-json-c-0.14.0.patch b/buildroot/package/cryptsetup/0002-Add-support-for-upcoming-json-c-0.14.0.patch
new file mode 100644
index 000000000..6a7313903
--- /dev/null
+++ b/buildroot/package/cryptsetup/0002-Add-support-for-upcoming-json-c-0.14.0.patch
@@ -0,0 +1,179 @@
+From 604abec333a0efb44fd8bc610aa0b1151dd0f612 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
+Date: Mon, 13 Apr 2020 11:48:17 +0200
+Subject: [PATCH] Add support for upcoming json-c 0.14.0.
+
+  * TRUE/FALSE are not defined anymore.  1 and 0 are used instead.
+  * json_object_get_uint64() and json_object_new_uint64() are part
+    of the upstream API now.
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ lib/luks2/luks2_internal.h      |  4 +++-
+ lib/luks2/luks2_json_metadata.c | 38 +++++++++++++++++----------------
+ 2 files changed, 23 insertions(+), 19 deletions(-)
+
+diff --git a/lib/luks2/luks2_internal.h b/lib/luks2/luks2_internal.h
+index b9fec6b5..939101d6 100644
+--- a/lib/luks2/luks2_internal.h
++++ b/lib/luks2/luks2_internal.h
+@@ -58,9 +58,11 @@ json_object *LUKS2_get_segments_jobj(struct luks2_hdr *hdr);
+ void hexprint_base64(struct crypt_device *cd, json_object *jobj,
+ 		     const char *sep, const char *line_sep);
+ 
++#if !(defined JSON_C_VERSION_NUM && JSON_C_VERSION_NUM >= ((13 << 8) | 99))
+ uint64_t json_object_get_uint64(json_object *jobj);
+-uint32_t json_object_get_uint32(json_object *jobj);
+ json_object *json_object_new_uint64(uint64_t value);
++#endif
++uint32_t json_object_get_uint32(json_object *jobj);
+ 
+ int json_object_object_add_by_uint(json_object *jobj, unsigned key, json_object *jobj_val);
+ void json_object_object_del_by_uint(json_object *jobj, unsigned key);
+diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c
+index 781280c2..712c2bbd 100644
+--- a/lib/luks2/luks2_json_metadata.c
++++ b/lib/luks2/luks2_json_metadata.c
+@@ -234,13 +234,14 @@ static json_bool json_str_to_uint64(json_object *jobj, uint64_t *value)
+ 	tmp = strtoull(json_object_get_string(jobj), &endptr, 10);
+ 	if (*endptr || errno) {
+ 		*value = 0;
+-		return FALSE;
++		return 0;
+ 	}
+ 
+ 	*value = tmp;
+-	return TRUE;
++	return 1;
+ }
+ 
++#if !(defined JSON_C_VERSION_NUM && JSON_C_VERSION_NUM >= ((13 << 8) | 99))
+ uint64_t json_object_get_uint64(json_object *jobj)
+ {
+ 	uint64_t r;
+@@ -262,6 +263,7 @@ json_object *json_object_new_uint64(uint64_t value)
+ 	jobj = json_object_new_string(num);
+ 	return jobj;
+ }
++#endif
+ 
+ /*
+  * Validate helpers
+@@ -273,9 +275,9 @@ static json_bool numbered(struct crypt_device *cd, const char *name, const char
+ 	for (i = 0; key[i]; i++)
+ 		if (!isdigit(key[i])) {
+ 			log_dbg(cd, "%s \"%s\" is not in numbered form.", name, key);
+-			return FALSE;
++			return 0;
+ 		}
+-	return TRUE;
++	return 1;
+ }
+ 
+ json_object *json_contains(struct crypt_device *cd, json_object *jobj, const char *name,
+@@ -300,7 +302,7 @@ json_bool validate_json_uint32(json_object *jobj)
+ 	errno = 0;
+ 	tmp = json_object_get_int64(jobj);
+ 
+-	return (errno || tmp < 0 || tmp > UINT32_MAX) ? FALSE : TRUE;
++	return (errno || tmp < 0 || tmp > UINT32_MAX) ? 0 : 1;
+ }
+ 
+ static json_bool validate_keyslots_array(struct crypt_device *cd,
+@@ -313,17 +315,17 @@ static json_bool validate_keyslots_array(struct crypt_device *cd,
+ 		jobj = json_object_array_get_idx(jarr, i);
+ 		if (!json_object_is_type(jobj, json_type_string)) {
+ 			log_dbg(cd, "Illegal value type in keyslots array at index %d.", i);
+-			return FALSE;
++			return 0;
+ 		}
+ 
+ 		if (!json_contains(cd, jobj_keys, "", "Keyslots section",
+ 				   json_object_get_string(jobj), json_type_object))
+-			return FALSE;
++			return 0;
+ 
+ 		i++;
+ 	}
+ 
+-	return TRUE;
++	return 1;
+ }
+ 
+ static json_bool validate_segments_array(struct crypt_device *cd,
+@@ -336,17 +338,17 @@ static json_bool validate_segments_array(struct crypt_device *cd,
+ 		jobj = json_object_array_get_idx(jarr, i);
+ 		if (!json_object_is_type(jobj, json_type_string)) {
+ 			log_dbg(cd, "Illegal value type in segments array at index %d.", i);
+-			return FALSE;
++			return 0;
+ 		}
+ 
+ 		if (!json_contains(cd, jobj_segments, "", "Segments section",
+ 				   json_object_get_string(jobj), json_type_object))
+-			return FALSE;
++			return 0;
+ 
+ 		i++;
+ 	}
+ 
+-	return TRUE;
++	return 1;
+ }
+ 
+ static json_bool segment_has_digest(const char *segment_name, json_object *jobj_digests)
+@@ -357,10 +359,10 @@ static json_bool segment_has_digest(const char *segment_name, json_object *jobj_
+ 		UNUSED(key);
+ 		json_object_object_get_ex(val, "segments", &jobj_segments);
+ 		if (LUKS2_array_jobj(jobj_segments, segment_name))
+-			return TRUE;
++			return 1;
+ 	}
+ 
+-	return FALSE;
++	return 0;
+ }
+ 
+ static json_bool validate_intervals(struct crypt_device *cd,
+@@ -372,18 +374,18 @@ static json_bool validate_intervals(struct crypt_device *cd,
+ 	while (i < length) {
+ 		if (ix[i].offset < 2 * metadata_size) {
+ 			log_dbg(cd, "Illegal area offset: %" PRIu64 ".", ix[i].offset);
+-			return FALSE;
++			return 0;
+ 		}
+ 
+ 		if (!ix[i].length) {
+ 			log_dbg(cd, "Area length must be greater than zero.");
+-			return FALSE;
++			return 0;
+ 		}
+ 
+ 		if ((ix[i].offset + ix[i].length) > keyslots_area_end) {
+ 			log_dbg(cd, "Area [%" PRIu64 ", %" PRIu64 "] overflows binary keyslots area (ends at offset: %" PRIu64 ").",
+ 				ix[i].offset, ix[i].offset + ix[i].length, keyslots_area_end);
+-			return FALSE;
++			return 0;
+ 		}
+ 
+ 		for (j = 0; j < length; j++) {
+@@ -393,14 +395,14 @@ static json_bool validate_intervals(struct crypt_device *cd,
+ 				log_dbg(cd, "Overlapping areas [%" PRIu64 ",%" PRIu64 "] and [%" PRIu64 ",%" PRIu64 "].",
+ 					ix[i].offset, ix[i].offset + ix[i].length,
+ 					ix[j].offset, ix[j].offset + ix[j].length);
+-				return FALSE;
++				return 0;
+ 			}
+ 		}
+ 
+ 		i++;
+ 	}
+ 
+-	return TRUE;
++	return 1;
+ }
+ 
+ static int LUKS2_keyslot_validate(struct crypt_device *cd, json_object *hdr_jobj, json_object *hdr_keyslot, const char *key)
+-- 
+2.20.1
+
diff --git a/buildroot/package/cryptsetup/0003-Avoid-name-clash-with-newer-json-c-library.patch b/buildroot/package/cryptsetup/0003-Avoid-name-clash-with-newer-json-c-library.patch
new file mode 100644
index 000000000..83ce71c6f
--- /dev/null
+++ b/buildroot/package/cryptsetup/0003-Avoid-name-clash-with-newer-json-c-library.patch
@@ -0,0 +1,512 @@
+From 55cf272d275c561459f2c9c3dc943ef7a69c9d4c Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Tue, 14 Apr 2020 17:24:54 +0200
+Subject: [PATCH] Avoid name clash with newer json-c library.
+
+This is partial revert of previous commit and also
+fixes wrong decision to name our internal helpers with
+json_object prefix.
+
+(cherry picked from commit e6a356974330e3ae21579a5737976e9a2aad1b51)
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ lib/luks2/luks2_internal.h      |  8 +++-----
+ lib/luks2/luks2_json_format.c   |  6 +++---
+ lib/luks2/luks2_json_metadata.c | 18 ++++++++----------
+ lib/luks2/luks2_keyslot.c       |  8 ++++----
+ lib/luks2/luks2_keyslot_luks2.c | 16 ++++++++--------
+ lib/luks2/luks2_keyslot_reenc.c | 20 ++++++++++----------
+ lib/luks2/luks2_luks1_convert.c | 22 +++++++++++-----------
+ lib/luks2/luks2_reencrypt.c     | 16 ++++++++--------
+ lib/luks2/luks2_segment.c       | 12 ++++++------
+ 9 files changed, 61 insertions(+), 65 deletions(-)
+
+diff --git a/lib/luks2/luks2_internal.h b/lib/luks2/luks2_internal.h
+index 6a8b8f2a..d2222e84 100644
+--- a/lib/luks2/luks2_internal.h
++++ b/lib/luks2/luks2_internal.h
+@@ -59,11 +59,9 @@ json_object *LUKS2_get_segments_jobj(struct luks2_hdr *hdr);
+ void hexprint_base64(struct crypt_device *cd, json_object *jobj,
+ 		     const char *sep, const char *line_sep);
+ 
+-#if !(defined JSON_C_VERSION_NUM && JSON_C_VERSION_NUM >= ((13 << 8) | 99))
+-uint64_t json_object_get_uint64(json_object *jobj);
+-json_object *json_object_new_uint64(uint64_t value);
+-#endif
+-uint32_t json_object_get_uint32(json_object *jobj);
++uint64_t crypt_jobj_get_uint64(json_object *jobj);
++uint32_t crypt_jobj_get_uint32(json_object *jobj);
++json_object *crypt_jobj_new_uint64(uint64_t value);
+ 
+ int json_object_object_add_by_uint(json_object *jobj, unsigned key, json_object *jobj_val);
+ void json_object_object_del_by_uint(json_object *jobj, unsigned key);
+diff --git a/lib/luks2/luks2_json_format.c b/lib/luks2/luks2_json_format.c
+index d4f36247..32ea0ea4 100644
+--- a/lib/luks2/luks2_json_format.c
++++ b/lib/luks2/luks2_json_format.c
+@@ -325,8 +325,8 @@ int LUKS2_generate_hdr(
+ 
+ 	json_object_object_add_by_uint(jobj_segments, 0, jobj_segment);
+ 
+-	json_object_object_add(jobj_config, "json_size", json_object_new_uint64(metadata_size - LUKS2_HDR_BIN_LEN));
+-	json_object_object_add(jobj_config, "keyslots_size", json_object_new_uint64(keyslots_size));
++	json_object_object_add(jobj_config, "json_size", crypt_jobj_new_uint64(metadata_size - LUKS2_HDR_BIN_LEN));
++	json_object_object_add(jobj_config, "keyslots_size", crypt_jobj_new_uint64(keyslots_size));
+ 
+ 	JSON_DBG(cd, hdr->jobj, "Header JSON:");
+ 	return 0;
+@@ -400,6 +400,6 @@ int LUKS2_set_keyslots_size(struct crypt_device *cd,
+ 	if (!json_object_object_get_ex(hdr->jobj, "config", &jobj_config))
+ 		return 1;
+ 
+-	json_object_object_add(jobj_config, "keyslots_size", json_object_new_uint64(keyslots_size));
++	json_object_object_add(jobj_config, "keyslots_size", crypt_jobj_new_uint64(keyslots_size));
+ 	return 0;
+ }
+diff --git a/lib/luks2/luks2_json_metadata.c b/lib/luks2/luks2_json_metadata.c
+index 52421fac..19fb9588 100644
+--- a/lib/luks2/luks2_json_metadata.c
++++ b/lib/luks2/luks2_json_metadata.c
+@@ -219,7 +219,7 @@ int LUKS2_get_default_segment(struct luks2_hdr *hdr)
+  * json_type_int needs to be validated first.
+  * See validate_json_uint32()
+  */
+-uint32_t json_object_get_uint32(json_object *jobj)
++uint32_t crypt_jobj_get_uint32(json_object *jobj)
+ {
+ 	return json_object_get_int64(jobj);
+ }
+@@ -241,15 +241,14 @@ static json_bool json_str_to_uint64(json_object *jobj, uint64_t *value)
+ 	return 1;
+ }
+ 
+-#if !(defined JSON_C_VERSION_NUM && JSON_C_VERSION_NUM >= ((13 << 8) | 99))
+-uint64_t json_object_get_uint64(json_object *jobj)
++uint64_t crypt_jobj_get_uint64(json_object *jobj)
+ {
+ 	uint64_t r;
+ 	json_str_to_uint64(jobj, &r);
+ 	return r;
+ }
+ 
+-json_object *json_object_new_uint64(uint64_t value)
++json_object *crypt_jobj_new_uint64(uint64_t value)
+ {
+ 	/* 18446744073709551615 */
+ 	char num[21];
+@@ -263,7 +262,6 @@ json_object *json_object_new_uint64(uint64_t value)
+ 	jobj = json_object_new_string(num);
+ 	return jobj;
+ }
+-#endif
+ 
+ /*
+  * Validate helpers
+@@ -457,7 +455,7 @@ static int hdr_validate_json_size(struct crypt_device *cd, json_object *hdr_jobj
+ 
+ 	json = json_object_to_json_string_ext(hdr_jobj,
+ 		JSON_C_TO_STRING_PLAIN | JSON_C_TO_STRING_NOSLASHESCAPE);
+-	json_area_size = json_object_get_uint64(jobj1);
++	json_area_size = crypt_jobj_get_uint64(jobj1);
+ 	json_size = (uint64_t)strlen(json);
+ 
+ 	if (hdr_json_size != json_area_size) {
+@@ -545,7 +543,7 @@ static int hdr_validate_crypt_segment(struct crypt_device *cd,
+ 		return 1;
+ 	}
+ 
+-	sector_size = json_object_get_uint32(jobj_sector_size);
++	sector_size = crypt_jobj_get_uint32(jobj_sector_size);
+ 	if (!sector_size || MISALIGNED_512(sector_size)) {
+ 		log_dbg(cd, "Illegal sector size: %" PRIu32, sector_size);
+ 		return 1;
+@@ -1569,7 +1567,7 @@ static void hdr_dump_keyslots(struct crypt_device *cd, json_object *hdr_jobj)
+ 		log_std(cd, "  %s: %s%s\n", slot, tmps, r == -ENOENT ? " (unbound)" : "");
+ 
+ 		if (json_object_object_get_ex(val, "key_size", &jobj2))
+-			log_std(cd, "\tKey:        %u bits\n", json_object_get_uint32(jobj2) * 8);
++			log_std(cd, "\tKey:        %u bits\n", crypt_jobj_get_uint32(jobj2) * 8);
+ 
+ 		log_std(cd, "\tPriority:   %s\n", get_priority_desc(val));
+ 
+@@ -1652,7 +1650,7 @@ static void hdr_dump_segments(struct crypt_device *cd, json_object *hdr_jobj)
+ 			log_std(cd, "\tcipher: %s\n", json_object_get_string(jobj1));
+ 
+ 		if (json_object_object_get_ex(jobj_segment, "sector_size", &jobj1))
+-			log_std(cd, "\tsector: %" PRIu32 " [bytes]\n", json_object_get_uint32(jobj1));
++			log_std(cd, "\tsector: %" PRIu32 " [bytes]\n", crypt_jobj_get_uint32(jobj1));
+ 
+ 		if (json_object_object_get_ex(jobj_segment, "integrity", &jobj1) &&
+ 		    json_object_object_get_ex(jobj1, "type", &jobj2))
+@@ -1749,7 +1747,7 @@ int LUKS2_get_data_size(struct luks2_hdr *hdr, uint64_t *size, bool *dynamic)
+ 			return 0;
+ 		}
+ 
+-		tmp += json_object_get_uint64(jobj_size);
++		tmp += crypt_jobj_get_uint64(jobj_size);
+ 	}
+ 
+ 	/* impossible, real device size must not be zero */
+diff --git a/lib/luks2/luks2_keyslot.c b/lib/luks2/luks2_keyslot.c
+index 7d06df80..d853fc8e 100644
+--- a/lib/luks2/luks2_keyslot.c
++++ b/lib/luks2/luks2_keyslot.c
+@@ -301,11 +301,11 @@ int LUKS2_keyslot_area(struct luks2_hdr *hdr,
+ 
+ 	if (!json_object_object_get_ex(jobj_area, "offset", &jobj))
+ 		return -EINVAL;
+-	*offset = json_object_get_uint64(jobj);
++	*offset = crypt_jobj_get_uint64(jobj);
+ 
+ 	if (!json_object_object_get_ex(jobj_area, "size", &jobj))
+ 		return -EINVAL;
+-	*length = json_object_get_uint64(jobj);
++	*length = crypt_jobj_get_uint64(jobj);
+ 
+ 	return 0;
+ }
+@@ -840,8 +840,8 @@ int placeholder_keyslot_alloc(struct crypt_device *cd,
+ 
+ 	/* Area object */
+ 	jobj_area = json_object_new_object();
+-	json_object_object_add(jobj_area, "offset", json_object_new_uint64(area_offset));
+-	json_object_object_add(jobj_area, "size", json_object_new_uint64(area_length));
++	json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset));
++	json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length));
+ 	json_object_object_add(jobj_keyslot, "area", jobj_area);
+ 
+ 	json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot);
+diff --git a/lib/luks2/luks2_keyslot_luks2.c b/lib/luks2/luks2_keyslot_luks2.c
+index 7b438a8b..953ba168 100644
+--- a/lib/luks2/luks2_keyslot_luks2.c
++++ b/lib/luks2/luks2_keyslot_luks2.c
+@@ -220,7 +220,7 @@ static int luks2_keyslot_set_key(struct crypt_device *cd,
+ 
+ 	if (!json_object_object_get_ex(jobj_area, "offset", &jobj2))
+ 		return -EINVAL;
+-	area_offset = json_object_get_uint64(jobj2);
++	area_offset = crypt_jobj_get_uint64(jobj2);
+ 
+ 	if (!json_object_object_get_ex(jobj_area, "encryption", &jobj2))
+ 		return -EINVAL;
+@@ -313,7 +313,7 @@ static int luks2_keyslot_get_key(struct crypt_device *cd,
+ 
+ 	if (!json_object_object_get_ex(jobj_area, "offset", &jobj2))
+ 		return -EINVAL;
+-	area_offset = json_object_get_uint64(jobj2);
++	area_offset = crypt_jobj_get_uint64(jobj2);
+ 
+ 	if (!json_object_object_get_ex(jobj_area, "encryption", &jobj2))
+ 		return -EINVAL;
+@@ -494,8 +494,8 @@ static int luks2_keyslot_alloc(struct crypt_device *cd,
+ 	/* Area object */
+ 	jobj_area = json_object_new_object();
+ 	json_object_object_add(jobj_area, "type", json_object_new_string("raw"));
+-	json_object_object_add(jobj_area, "offset", json_object_new_uint64(area_offset));
+-	json_object_object_add(jobj_area, "size", json_object_new_uint64(area_length));
++	json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset));
++	json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length));
+ 	json_object_object_add(jobj_keyslot, "area", jobj_area);
+ 
+ 	json_object_object_add_by_uint(jobj_keyslots, keyslot, jobj_keyslot);
+@@ -607,7 +607,7 @@ static int luks2_keyslot_dump(struct crypt_device *cd, int keyslot)
+ 	log_std(cd, "\tCipher:     %s\n", json_object_get_string(jobj1));
+ 
+ 	json_object_object_get_ex(jobj_area, "key_size", &jobj1);
+-	log_std(cd, "\tCipher key: %u bits\n", json_object_get_uint32(jobj1) * 8);
++	log_std(cd, "\tCipher key: %u bits\n", crypt_jobj_get_uint32(jobj1) * 8);
+ 
+ 	json_object_object_get_ex(jobj_kdf, "type", &jobj1);
+ 	log_std(cd, "\tPBKDF:      %s\n", json_object_get_string(jobj1));
+@@ -617,7 +617,7 @@ static int luks2_keyslot_dump(struct crypt_device *cd, int keyslot)
+ 		log_std(cd, "\tHash:       %s\n", json_object_get_string(jobj1));
+ 
+ 		json_object_object_get_ex(jobj_kdf, "iterations", &jobj1);
+-		log_std(cd, "\tIterations: %" PRIu64 "\n", json_object_get_uint64(jobj1));
++		log_std(cd, "\tIterations: %" PRIu64 "\n", crypt_jobj_get_uint64(jobj1));
+ 	} else {
+ 		json_object_object_get_ex(jobj_kdf, "time", &jobj1);
+ 		log_std(cd, "\tTime cost:  %" PRIu64 "\n", json_object_get_int64(jobj1));
+@@ -640,10 +640,10 @@ static int luks2_keyslot_dump(struct crypt_device *cd, int keyslot)
+ 	log_std(cd, "\tAF hash:    %s\n", json_object_get_string(jobj1));
+ 
+ 	json_object_object_get_ex(jobj_area, "offset", &jobj1);
+-	log_std(cd, "\tArea offset:%" PRIu64 " [bytes]\n", json_object_get_uint64(jobj1));
++	log_std(cd, "\tArea offset:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1));
+ 
+ 	json_object_object_get_ex(jobj_area, "size", &jobj1);
+-	log_std(cd, "\tArea length:%" PRIu64 " [bytes]\n", json_object_get_uint64(jobj1));
++	log_std(cd, "\tArea length:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1));
+ 
+ 	return 0;
+ }
+diff --git a/lib/luks2/luks2_keyslot_reenc.c b/lib/luks2/luks2_keyslot_reenc.c
+index 64b8d274..c6b92db3 100644
+--- a/lib/luks2/luks2_keyslot_reenc.c
++++ b/lib/luks2/luks2_keyslot_reenc.c
+@@ -67,13 +67,13 @@ int reenc_keyslot_alloc(struct crypt_device *cd,
+ 
+ 	if (params->data_shift) {
+ 		json_object_object_add(jobj_area, "type", json_object_new_string("datashift"));
+-		json_object_object_add(jobj_area, "shift_size", json_object_new_uint64(params->data_shift << SECTOR_SHIFT));
++		json_object_object_add(jobj_area, "shift_size", crypt_jobj_new_uint64(params->data_shift << SECTOR_SHIFT));
+ 	} else
+ 		/* except data shift protection, initial setting is irrelevant. Type can be changed during reencryption */
+ 		json_object_object_add(jobj_area, "type", json_object_new_string("none"));
+ 
+-	json_object_object_add(jobj_area, "offset", json_object_new_uint64(area_offset));
+-	json_object_object_add(jobj_area, "size", json_object_new_uint64(area_length));
++	json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(area_offset));
++	json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_length));
+ 
+ 	json_object_object_add(jobj_keyslot, "type", json_object_new_string("reencrypt"));
+ 	json_object_object_add(jobj_keyslot, "key_size", json_object_new_int(1)); /* useless but mandatory */
+@@ -113,8 +113,8 @@ static int reenc_keyslot_store_data(struct crypt_device *cd,
+ 	    !json_object_object_get_ex(jobj_area, "size", &jobj_length))
+ 		return -EINVAL;
+ 
+-	area_offset = json_object_get_uint64(jobj_offset);
+-	area_length = json_object_get_uint64(jobj_length);
++	area_offset = crypt_jobj_get_uint64(jobj_offset);
++	area_length = crypt_jobj_get_uint64(jobj_length);
+ 
+ 	if (!area_offset || !area_length || ((uint64_t)buffer_len > area_length))
+ 		return -EINVAL;
+@@ -242,14 +242,14 @@ static int reenc_keyslot_dump(struct crypt_device *cd, int keyslot)
+ 		log_std(cd, "\t%-12s%d [bytes]\n", "Hash data:", json_object_get_int(jobj1));
+ 	} else if (!strcmp(json_object_get_string(jobj_resilience), "datashift")) {
+ 		json_object_object_get_ex(jobj_area, "shift_size", &jobj1);
+-		log_std(cd, "\t%-12s%" PRIu64 "[bytes]\n", "Shift size:", json_object_get_uint64(jobj1));
++		log_std(cd, "\t%-12s%" PRIu64 "[bytes]\n", "Shift size:", crypt_jobj_get_uint64(jobj1));
+ 	}
+ 
+ 	json_object_object_get_ex(jobj_area, "offset", &jobj1);
+-	log_std(cd, "\tArea offset:%" PRIu64 " [bytes]\n", json_object_get_uint64(jobj1));
++	log_std(cd, "\tArea offset:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1));
+ 
+ 	json_object_object_get_ex(jobj_area, "size", &jobj1);
+-	log_std(cd, "\tArea length:%" PRIu64 " [bytes]\n", json_object_get_uint64(jobj1));
++	log_std(cd, "\tArea length:%" PRIu64 " [bytes]\n", crypt_jobj_get_uint64(jobj1));
+ 
+ 	return 0;
+ }
+@@ -304,7 +304,7 @@ static int reenc_keyslot_validate(struct crypt_device *cd, json_object *jobj_key
+ 			return -EINVAL;
+ 		if (!validate_json_uint32(jobj_sector_size))
+ 			return -EINVAL;
+-		sector_size = json_object_get_uint32(jobj_sector_size);
++		sector_size = crypt_jobj_get_uint32(jobj_sector_size);
+ 		if (sector_size < SECTOR_SIZE || NOTPOW2(sector_size)) {
+ 			log_dbg(cd, "Invalid sector_size (%" PRIu32 ") for checksum resilience mode.", sector_size);
+ 			return -EINVAL;
+@@ -313,7 +313,7 @@ static int reenc_keyslot_validate(struct crypt_device *cd, json_object *jobj_key
+ 		if (!(jobj_shift_size = json_contains(cd, jobj_area, "type:datashift", "Keyslot area", "shift_size", json_type_string)))
+ 			return -EINVAL;
+ 
+-		shift_size = json_object_get_uint64(jobj_shift_size);
++		shift_size = crypt_jobj_get_uint64(jobj_shift_size);
+ 		if (!shift_size)
+ 			return -EINVAL;
+ 
+diff --git a/lib/luks2/luks2_luks1_convert.c b/lib/luks2/luks2_luks1_convert.c
+index 7f5f26b7..cbaa8603 100644
+--- a/lib/luks2/luks2_luks1_convert.c
++++ b/lib/luks2/luks2_luks1_convert.c
+@@ -91,8 +91,8 @@ static int json_luks1_keyslot(const struct luks_phdr *hdr_v1, int keyslot, struc
+ 	}
+ 	area_size = offs_b - offs_a;
+ 	json_object_object_add(jobj_area, "key_size", json_object_new_int(hdr_v1->keyBytes));
+-	json_object_object_add(jobj_area, "offset", json_object_new_uint64(offset));
+-	json_object_object_add(jobj_area, "size", json_object_new_uint64(area_size));
++	json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(offset));
++	json_object_object_add(jobj_area, "size", crypt_jobj_new_uint64(area_size));
+ 	json_object_object_add(keyslot_obj, "area", jobj_area);
+ 
+ 	*keyslot_object = keyslot_obj;
+@@ -145,7 +145,7 @@ static int json_luks1_segment(const struct luks_phdr *hdr_v1, struct json_object
+ 	/* offset field */
+ 	number = (uint64_t)hdr_v1->payloadOffset * SECTOR_SIZE;
+ 
+-	field = json_object_new_uint64(number);
++	field = crypt_jobj_new_uint64(number);
+ 	if (!field) {
+ 		json_object_put(segment_obj);
+ 		return -ENOMEM;
+@@ -401,8 +401,8 @@ static int json_luks1_object(struct luks_phdr *hdr_v1, struct json_object **luks
+ 	json_object_object_add(luks1_obj, "config", field);
+ 
+ 	json_size = LUKS2_HDR_16K_LEN - LUKS2_HDR_BIN_LEN;
+-	json_object_object_add(field, "json_size", json_object_new_uint64(json_size));
+-	json_object_object_add(field, "keyslots_size", json_object_new_uint64(keyslots_size));
++	json_object_object_add(field, "json_size", crypt_jobj_new_uint64(json_size));
++	json_object_object_add(field, "keyslots_size", crypt_jobj_new_uint64(keyslots_size));
+ 
+ 	*luks1_object = luks1_obj;
+ 	return 0;
+@@ -418,8 +418,8 @@ static void move_keyslot_offset(json_object *jobj, int offset_add)
+ 		UNUSED(key);
+ 		json_object_object_get_ex(val, "area", &jobj_area);
+ 		json_object_object_get_ex(jobj_area, "offset", &jobj2);
+-		offset = json_object_get_uint64(jobj2) + offset_add;
+-		json_object_object_add(jobj_area, "offset", json_object_new_uint64(offset));
++		offset = crypt_jobj_get_uint64(jobj2) + offset_add;
++		json_object_object_add(jobj_area, "offset", crypt_jobj_new_uint64(offset));
+ 	}
+ }
+ 
+@@ -749,7 +749,7 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct
+ 				return -EINVAL;
+ 			if (!json_object_object_get_ex(jobj_area, "offset", &jobj1))
+ 				return -EINVAL;
+-			offset = json_object_get_uint64(jobj1);
++			offset = crypt_jobj_get_uint64(jobj1);
+ 		} else {
+ 			if (LUKS2_find_area_gap(cd, hdr2, key_size, &offset, &area_length))
+ 				return -EINVAL;
+@@ -781,7 +781,7 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct
+ 
+ 		if (!json_object_object_get_ex(jobj_kdf, "iterations", &jobj1))
+ 			continue;
+-		hdr1->keyblock[i].passwordIterations = json_object_get_uint32(jobj1);
++		hdr1->keyblock[i].passwordIterations = crypt_jobj_get_uint32(jobj1);
+ 
+ 		if (!json_object_object_get_ex(jobj_kdf, "salt", &jobj1))
+ 			continue;
+@@ -822,7 +822,7 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct
+ 
+ 	if (!json_object_object_get_ex(jobj_digest, "iterations", &jobj1))
+ 		return -EINVAL;
+-	hdr1->mkDigestIterations = json_object_get_uint32(jobj1);
++	hdr1->mkDigestIterations = crypt_jobj_get_uint32(jobj1);
+ 
+ 	if (!json_object_object_get_ex(jobj_digest, "digest", &jobj1))
+ 		return -EINVAL;
+@@ -847,7 +847,7 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct
+ 
+ 	if (!json_object_object_get_ex(jobj_segment, "offset", &jobj1))
+ 		return -EINVAL;
+-	offset = json_object_get_uint64(jobj1) / SECTOR_SIZE;
++	offset = crypt_jobj_get_uint64(jobj1) / SECTOR_SIZE;
+ 	if (offset > UINT32_MAX)
+ 		return -EINVAL;
+ 	/* FIXME: LUKS1 requires offset == 0 || offset >= luks1_hdr_size */
+diff --git a/lib/luks2/luks2_reencrypt.c b/lib/luks2/luks2_reencrypt.c
+index 6bac4420..c99577cc 100644
+--- a/lib/luks2/luks2_reencrypt.c
++++ b/lib/luks2/luks2_reencrypt.c
+@@ -165,7 +165,7 @@ static uint32_t reencrypt_alignment(struct luks2_hdr *hdr)
+ 	if (!json_object_object_get_ex(jobj_area, "sector_size", &jobj_sector_size))
+ 		return 0;
+ 
+-	return json_object_get_uint32(jobj_sector_size);
++	return crypt_jobj_get_uint32(jobj_sector_size);
+ }
+ 
+ static json_object *_enc_create_segments_shift_after(struct crypt_device *cd,
+@@ -200,13 +200,13 @@ static json_object *_enc_create_segments_shift_after(struct crypt_device *cd,
+ 		json_segment_remove_flag(jobj_seg_new, "in-reencryption");
+ 		tmp = rh->length;
+ 	} else {
+-		json_object_object_add(jobj_seg_new, "offset", json_object_new_uint64(rh->offset + data_offset));
+-		json_object_object_add(jobj_seg_new, "iv_tweak", json_object_new_uint64(rh->offset >> SECTOR_SHIFT));
++		json_object_object_add(jobj_seg_new, "offset", crypt_jobj_new_uint64(rh->offset + data_offset));
++		json_object_object_add(jobj_seg_new, "iv_tweak", crypt_jobj_new_uint64(rh->offset >> SECTOR_SHIFT));
+ 		tmp = json_segment_get_size(jobj_seg_new, 0) + rh->length;
+ 	}
+ 
+ 	/* alter size of new segment, reenc_seg == 0 we're finished */
+-	json_object_object_add(jobj_seg_new, "size", reenc_seg > 0 ? json_object_new_uint64(tmp) : json_object_new_string("dynamic"));
++	json_object_object_add(jobj_seg_new, "size", reenc_seg > 0 ? crypt_jobj_new_uint64(tmp) : json_object_new_string("dynamic"));
+ 	json_object_object_add_by_uint(jobj_segs_post, reenc_seg, jobj_seg_new);
+ 
+ 	return jobj_segs_post;
+@@ -256,7 +256,7 @@ static json_object *reencrypt_make_hot_segments_encrypt_shift(struct crypt_devic
+ 		jobj_seg_shrunk = NULL;
+ 		if (json_object_copy(LUKS2_get_segment_jobj(hdr, sg), &jobj_seg_shrunk))
+ 			goto err;
+-		json_object_object_add(jobj_seg_shrunk, "size", json_object_new_uint64(segment_size - rh->length));
++		json_object_object_add(jobj_seg_shrunk, "size", crypt_jobj_new_uint64(segment_size - rh->length));
+ 		json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_seg_shrunk);
+ 	}
+ 
+@@ -336,7 +336,7 @@ static json_object *reencrypt_make_post_segments_forward(struct crypt_device *cd
+ 				goto err;
+ 			jobj_old_seg = jobj_old_seg_copy;
+ 			fixed_length = rh->device_size - fixed_length;
+-			json_object_object_add(jobj_old_seg, "size", json_object_new_uint64(fixed_length));
++			json_object_object_add(jobj_old_seg, "size", crypt_jobj_new_uint64(fixed_length));
+ 		} else
+ 			json_object_get(jobj_old_seg);
+ 		json_object_object_add_by_uint(jobj_segs_post, 1, jobj_old_seg);
+@@ -491,7 +491,7 @@ static json_object *reencrypt_make_hot_segments_backward(struct crypt_device *cd
+ 	if (rh->offset) {
+ 		if (json_object_copy(LUKS2_get_segment_jobj(hdr, 0), &jobj_old_seg))
+ 			goto err;
+-		json_object_object_add(jobj_old_seg, "size", json_object_new_uint64(rh->offset));
++		json_object_object_add(jobj_old_seg, "size", crypt_jobj_new_uint64(rh->offset));
+ 
+ 		json_object_object_add_by_uint(jobj_segs_hot, sg++, jobj_old_seg);
+ 	}
+@@ -575,7 +575,7 @@ static uint64_t reencrypt_data_shift(struct luks2_hdr *hdr)
+ 	if (!json_object_object_get_ex(jobj_area, "shift_size", &jobj_data_shift))
+ 		return 0;
+ 
+-	return json_object_get_uint64(jobj_data_shift);
++	return crypt_jobj_get_uint64(jobj_data_shift);
+ }
+ 
+ static crypt_reencrypt_mode_info reencrypt_mode(struct luks2_hdr *hdr)
+diff --git a/lib/luks2/luks2_segment.c b/lib/luks2/luks2_segment.c
+index 6ece2fdd..cd5108e8 100644
+--- a/lib/luks2/luks2_segment.c
++++ b/lib/luks2/luks2_segment.c
+@@ -55,7 +55,7 @@ uint64_t json_segment_get_offset(json_object *jobj_segment, unsigned blockwise)
+ 	    !json_object_object_get_ex(jobj_segment, "offset", &jobj))
+ 		return 0;
+ 
+-	return blockwise ? json_object_get_uint64(jobj) >> SECTOR_SHIFT : json_object_get_uint64(jobj);
++	return blockwise ? crypt_jobj_get_uint64(jobj) >> SECTOR_SHIFT : crypt_jobj_get_uint64(jobj);
+ }
+ 
+ const char *json_segment_type(json_object *jobj_segment)
+@@ -77,7 +77,7 @@ uint64_t json_segment_get_iv_offset(json_object *jobj_segment)
+ 	    !json_object_object_get_ex(jobj_segment, "iv_tweak", &jobj))
+ 		return 0;
+ 
+-	return json_object_get_uint64(jobj);
++	return crypt_jobj_get_uint64(jobj);
+ }
+ 
+ uint64_t json_segment_get_size(json_object *jobj_segment, unsigned blockwise)
+@@ -88,7 +88,7 @@ uint64_t json_segment_get_size(json_object *jobj_segment, unsigned blockwise)
+ 	    !json_object_object_get_ex(jobj_segment, "size", &jobj))
+ 		return 0;
+ 
+-	return blockwise ? json_object_get_uint64(jobj) >> SECTOR_SHIFT : json_object_get_uint64(jobj);
++	return blockwise ? crypt_jobj_get_uint64(jobj) >> SECTOR_SHIFT : crypt_jobj_get_uint64(jobj);
+ }
+ 
+ const char *json_segment_get_cipher(json_object *jobj_segment)
+@@ -229,8 +229,8 @@ static json_object *_segment_create_generic(const char *type, uint64_t offset, c
+ 		return NULL;
+ 
+ 	json_object_object_add(jobj, "type",		json_object_new_string(type));
+-	json_object_object_add(jobj, "offset",		json_object_new_uint64(offset));
+-	json_object_object_add(jobj, "size",		length ? json_object_new_uint64(*length) : json_object_new_string("dynamic"));
++	json_object_object_add(jobj, "offset",		crypt_jobj_new_uint64(offset));
++	json_object_object_add(jobj, "size",		length ? crypt_jobj_new_uint64(*length) : json_object_new_string("dynamic"));
+ 
+ 	return jobj;
+ }
+@@ -252,7 +252,7 @@ json_object *json_segment_create_crypt(uint64_t offset,
+ 	if (!jobj)
+ 		return NULL;
+ 
+-	json_object_object_add(jobj, "iv_tweak",	json_object_new_uint64(iv_offset));
++	json_object_object_add(jobj, "iv_tweak",	crypt_jobj_new_uint64(iv_offset));
+ 	json_object_object_add(jobj, "encryption",	json_object_new_string(cipher));
+ 	json_object_object_add(jobj, "sector_size",	json_object_new_int(sector_size));
+ 	if (reencryption)
+-- 
+2.20.1
+
diff --git a/buildroot/package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch b/buildroot/package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch
index b1ab7cbac..7fcf7133c 100644
--- a/buildroot/package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch
+++ b/buildroot/package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch
@@ -6,15 +6,17 @@ Subject: [PATCH] Remove man from BUILDDIRS in configure
 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
 [Fabrice: updated for 2.3.0]
 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Michael: updated for 2.3.3]
+Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
 ---
  config-scripts/cups-common.m4 | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/config-scripts/cups-common.m4 b/config-scripts/cups-common.m4
-index fbba715..77d0f5c 100644
+index a460a73..d427acb 100644
 --- a/config-scripts/cups-common.m4
 +++ b/config-scripts/cups-common.m4
-@@ -446,7 +446,7 @@ AC_ARG_WITH(components, [  --with-components       set components to build:
+@@ -434,7 +434,7 @@ LIBHEADERSPRIV="\$(COREHEADERSPRIV) \$(DRIVERHEADERSPRIV)"
  
  case "$COMPONENTS" in
  	all)
@@ -24,5 +26,5 @@ index fbba715..77d0f5c 100644
  
  	core)
 -- 
-2.8.1
+2.17.1
 
diff --git a/buildroot/package/cups/0002-Do-not-use-genstrings.patch b/buildroot/package/cups/0002-Do-not-use-genstrings.patch
index b3566b8b1..c7d6735b5 100644
--- a/buildroot/package/cups/0002-Do-not-use-genstrings.patch
+++ b/buildroot/package/cups/0002-Do-not-use-genstrings.patch
@@ -16,23 +16,25 @@ genstrings call.]
 Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
 [Fabrice: updated for 2.3.0]
 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Michael: updated for 2.3.3]
+Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
 ---
  ppdc/Makefile | 2 --
  1 file changed, 2 deletions(-)
 
 diff --git a/ppdc/Makefile b/ppdc/Makefile
-index 68bf6b2..d57a0c9 100644
+index 32e2e0b..7b18879 100644
 --- a/ppdc/Makefile
 +++ b/ppdc/Makefile
-@@ -242,8 +242,6 @@ genstrings:		genstrings.o libcupsppdc.a ../cups/$(LIBCUPSSTATIC) \
-	$(LD_CXX) $(ARCHFLAGS) $(ALL_LDFLAGS) -o genstrings genstrings.o \
-		libcupsppdc.a $(LINKCUPSSTATIC)
-	$(CODE_SIGN) -s "$(CODE_SIGN_IDENTITY)" $@
+@@ -186,8 +186,6 @@ genstrings:		genstrings.o libcupsppdc.a ../cups/$(LIBCUPSSTATIC) \
+ 	$(LD_CXX) $(ARCHFLAGS) $(ALL_LDFLAGS) -o genstrings genstrings.o \
+ 		libcupsppdc.a $(LINKCUPSSTATIC)
+ 	$(CODE_SIGN) -s "$(CODE_SIGN_IDENTITY)" $@
 -	echo Generating localization strings...
 -	./genstrings >sample.c
  
  
  #
 -- 
-2.6.4
+2.17.1
 
diff --git a/buildroot/package/cups/0004-Remove-PIE-flags-from-the-build.patch b/buildroot/package/cups/0004-Remove-PIE-flags-from-the-build.patch
index 8401e133e..c2765dff0 100644
--- a/buildroot/package/cups/0004-Remove-PIE-flags-from-the-build.patch
+++ b/buildroot/package/cups/0004-Remove-PIE-flags-from-the-build.patch
@@ -13,15 +13,17 @@ Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
 Signed-off-by: Olivier Schonken <olivier.schonken@gmail.com>
 [Fabrice: updated for 2.3.0]
 Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Michael: updated for 2.3.3]
+Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
 ---
  Makedefs.in | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/Makedefs.in b/Makedefs.in
-index 3afef0a..299b297 100644
+index 5f1d32f..d669ea8 100644
 --- a/Makedefs.in
 +++ b/Makedefs.in
-@@ -148,7 +148,7 @@ IPPFIND_BIN	=	@IPPFIND_BIN@
+@@ -155,7 +155,7 @@ ALL_CXXFLAGS	=	-I.. -D_CUPS_SOURCE $(CXXFLAGS) \
  			$(ONDEMANDFLAGS) $(OPTIONS)
  ALL_DSOFLAGS	=	-L../cups @ARCHFLAGS@ @RELROFLAGS@ $(DSOFLAGS) $(OPTIM)
  ALL_LDFLAGS	=	-L../cups @LDARCHFLAGS@ @RELROFLAGS@ $(LDFLAGS)  \
@@ -31,5 +33,5 @@ index 3afef0a..299b297 100644
  ARFLAGS		=	@ARFLAGS@
  BACKLIBS	=	@BACKLIBS@
 -- 
-2.7.4
+2.17.1
 
diff --git a/buildroot/package/cups/70-usb-printers.rules b/buildroot/package/cups/70-usb-printers.rules
new file mode 100644
index 000000000..67e7f5e93
--- /dev/null
+++ b/buildroot/package/cups/70-usb-printers.rules
@@ -0,0 +1,3 @@
+# Allow USB printers in the lp group
+# Match rules converted from usblp.c driver's usblp_ids
+ACTION=="add", SUBSYSTEM=="usb", ATTR{bInterfaceClass}=="07", ATTR{bInterfaceSubClass}=="01", GROUP="lp"
diff --git a/buildroot/package/cups/S81cupsd b/buildroot/package/cups/S81cupsd
new file mode 100644
index 000000000..45d0cbcc2
--- /dev/null
+++ b/buildroot/package/cups/S81cupsd
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+DAEMON="cupsd"
+PIDFILE="/var/run/$DAEMON.pid"
+
+start() {
+	printf 'Starting %s: ' "$DAEMON"
+	# shellcheck disable=SC2086 # we need the word splitting
+	start-stop-daemon -b -m -S -q -p "$PIDFILE" -x "/usr/sbin/$DAEMON" \
+		-- -C /etc/cups/cupsd.conf -s /etc/cups/cups-files
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+stop() {
+	printf 'Stopping %s: ' "$DAEMON"
+	start-stop-daemon -K -q -p "$PIDFILE"
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		rm -f "$PIDFILE"
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+restart() {
+	stop
+	sleep 1
+	start
+}
+
+case "$1" in
+	start|stop|restart)
+		"$1";;
+	reload)
+		# Restart, since there is no true "reload" feature.
+		restart;;
+	*)
+		echo "Usage: $0 {start|stop|restart|reload}"
+		exit 1
+esac
diff --git a/buildroot/package/cups/cups.hash b/buildroot/package/cups/cups.hash
index 8f037c642..2eb289e20 100644
--- a/buildroot/package/cups/cups.hash
+++ b/buildroot/package/cups/cups.hash
@@ -1,4 +1,4 @@
 # Locally calculated:
-sha256 1bca9d89507e3f68cbc84482fe46ae8d5333af5bc2b9061347b2007182ac77ce  cups-2.3.1-source.tar.gz
+sha256 261fd948bce8647b6d5cb2a1784f0c24cc52b5c4e827b71d726020bcc502f3ee  cups-2.3.3-source.tar.gz
 sha256 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30  LICENSE
 sha256 a5d616e6322a9cb1a971e18765025edfca4f3cd9c0eafc32d6d2eb4b8c8787b5  NOTICE
diff --git a/buildroot/package/cups/cups.mk b/buildroot/package/cups/cups.mk
index 18f01d848..2f4385671 100644
--- a/buildroot/package/cups/cups.mk
+++ b/buildroot/package/cups/cups.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CUPS_VERSION = 2.3.1
+CUPS_VERSION = 2.3.3
 CUPS_SOURCE = cups-$(CUPS_VERSION)-source.tar.gz
 CUPS_SITE = https://github.com/apple/cups/releases/download/v$(CUPS_VERSION)
 CUPS_LICENSE = Apache-2.0 with GPL-2.0/LGPL-2.0 exception
@@ -21,7 +21,11 @@ CUPS_CONF_OPTS = \
 	--with-docdir=/usr/share/cups/doc-root \
 	--disable-gssapi \
 	--disable-pam \
-	--libdir=/usr/lib
+	--libdir=/usr/lib \
+	--with-cups-user=lp \
+	--with-cups-group=lp \
+	--with-system-groups="lpadmin sys root" \
+	--without-rcdir
 CUPS_CONFIG_SCRIPTS = cups-config
 CUPS_DEPENDENCIES = \
 	host-autoconf \
@@ -71,4 +75,25 @@ else
 CUPS_CONF_OPTS += --disable-avahi
 endif
 
+ifeq ($(BR2_PACKAGE_HAS_UDEV),y)
+define CUPS_INSTALL_UDEV_RULES
+	$(INSTALL) -D -m 0644 package/cups/70-usb-printers.rules \
+		$(TARGET_DIR)/lib/udev/rules.d/70-usb-printers.rules
+endef
+
+CUPS_POST_INSTALL_TARGET_HOOKS += CUPS_INSTALL_UDEV_RULES
+endif
+
+define CUPS_INSTALL_INIT_SYSV
+	$(INSTALL) -D -m 0755 package/cups/S81cupsd \
+		$(TARGET_DIR)/etc/init.d/S81cupsd
+endef
+
+# lp user is needed to run cups spooler
+# lpadmin group membership grants administrative privileges
+define CUPS_USERS
+	lp -1 lp -1 * /var/spool/lpd /bin/false - lp
+	- - lpadmin -1 * - - - Printers admin group.
+endef
+
 $(eval $(autotools-package))
diff --git a/buildroot/package/cvs/cvs.mk b/buildroot/package/cvs/cvs.mk
index 563802cc9..6f83ca640 100644
--- a/buildroot/package/cvs/cvs.mk
+++ b/buildroot/package/cvs/cvs.mk
@@ -12,7 +12,9 @@ CVS_LICENSE = GPL-1.0+, LGPL-2.0+, LGPL-2.1+ (glob)
 CVS_LICENSE_FILES = COPYING COPYING.LIB lib/glob-libc.h
 CVS_DEPENDENCIES = ncurses
 
-CVS_CONF_ENV = cvs_cv_func_printf_ptr=yes
+CVS_CONF_ENV = \
+	ac_cv_func_working_mktime=yes \
+	cvs_cv_func_printf_ptr=yes
 
 CVS_CONFIGURE_ARGS = --disable-old-info-format-support
 ifeq ($(BR2_PACKAGE_CVS_SERVER),y)
diff --git a/buildroot/package/dbus/dbus.mk b/buildroot/package/dbus/dbus.mk
index 5c2a5fb2c..952eff1fc 100644
--- a/buildroot/package/dbus/dbus.mk
+++ b/buildroot/package/dbus/dbus.mk
@@ -107,6 +107,7 @@ HOST_DBUS_CONF_OPTS = \
 	--disable-selinux \
 	--disable-xml-docs \
 	--disable-doxygen-docs \
+	--disable-systemd \
 	--without-x \
 	--with-xml=expat
 
diff --git a/buildroot/package/dhcpcd/dhcpcd.service b/buildroot/package/dhcpcd/dhcpcd.service
index 0552b5c73..e648092c9 100644
--- a/buildroot/package/dhcpcd/dhcpcd.service
+++ b/buildroot/package/dhcpcd/dhcpcd.service
@@ -5,7 +5,7 @@ After=network.target
 [Service]
 Type=forking
 EnvironmentFile=-/etc/default/dhcpcd
-PIDFile=/var/run/dhcpcd.pid
+PIDFile=/run/dhcpcd.pid
 ExecStart=/sbin/dhcpcd $DAEMON_ARGS
 Restart=always
 
diff --git a/buildroot/package/dhcpdump/dhcpdump.mk b/buildroot/package/dhcpdump/dhcpdump.mk
index 241381288..ec9571c0a 100644
--- a/buildroot/package/dhcpdump/dhcpdump.mk
+++ b/buildroot/package/dhcpdump/dhcpdump.mk
@@ -20,7 +20,7 @@ DHCPDUMP_CFLAGS = $(TARGET_CFLAGS) -DHAVE_STRSEP
 
 define DHCPDUMP_BUILD_CMDS
 	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) CC="$(TARGET_CC) $(DHCPDUMP_CFLAGS) \
-		-D_GNU_SOURCE" LIBS="$(DHCPDUMP_LIBS)"
+		-D_GNU_SOURCE" LIBS="$(DHCPDUMP_LIBS)" dhcpdump
 endef
 
 define DHCPDUMP_INSTALL_TARGET_CMDS
diff --git a/buildroot/package/docker-cli/docker-cli.hash b/buildroot/package/docker-cli/docker-cli.hash
index 8868a60e3..8f9e69e59 100644
--- a/buildroot/package/docker-cli/docker-cli.hash
+++ b/buildroot/package/docker-cli/docker-cli.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256	a5b1d6c5766f77896273e864a448a7f0ea4055bb52f50f884f14ad6ef0d5fdb4  docker-cli-19.03.11.tar.gz
+sha256	00801d6b7e9777cf2cf54255ca5afb7b58b3d35c14bb0f60bb9f07d031883223  docker-cli-19.03.12.tar.gz
 sha256	2d81ea060825006fc8f3fe28aa5dc0ffeb80faf325b612c955229157b8c10dc0  LICENSE
diff --git a/buildroot/package/docker-cli/docker-cli.mk b/buildroot/package/docker-cli/docker-cli.mk
index 1466b0afb..49abefcaf 100644
--- a/buildroot/package/docker-cli/docker-cli.mk
+++ b/buildroot/package/docker-cli/docker-cli.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-DOCKER_CLI_VERSION = 19.03.11
+DOCKER_CLI_VERSION = 19.03.12
 DOCKER_CLI_SITE = $(call github,docker,cli,v$(DOCKER_CLI_VERSION))
 DOCKER_CLI_WORKSPACE = gopath
 
@@ -17,8 +17,8 @@ DOCKER_CLI_TAGS = autogen
 DOCKER_CLI_BUILD_TARGETS = cmd/docker
 
 DOCKER_CLI_LDFLAGS = \
-	-X github.com/docker/cli/cli.GitCommit=$(DOCKER_CLI_VERSION) \
-	-X github.com/docker/cli/cli.Version=$(DOCKER_CLI_VERSION)
+	-X github.com/docker/cli/cli/version.GitCommit=$(DOCKER_CLI_VERSION) \
+	-X github.com/docker/cli/cli/version.Version=$(DOCKER_CLI_VERSION)
 
 ifeq ($(BR2_PACKAGE_DOCKER_CLI_STATIC),y)
 DOCKER_CLI_LDFLAGS += -extldflags '-static'
diff --git a/buildroot/package/docker-engine/Config.in b/buildroot/package/docker-engine/Config.in
index 1fd229fcb..4fe6956ab 100644
--- a/buildroot/package/docker-engine/Config.in
+++ b/buildroot/package/docker-engine/Config.in
@@ -5,6 +5,7 @@ config BR2_PACKAGE_DOCKER_ENGINE
 	depends on BR2_TOOLCHAIN_HAS_THREADS
 	depends on !BR2_TOOLCHAIN_USES_UCLIBC # docker-containerd -> runc
 	depends on BR2_USE_MMU # docker-containerd
+	select BR2_PACKAGE_CGROUPFS_MOUNT if !BR2_PACKAGE_SYSTEMD # runtime dependency
 	select BR2_PACKAGE_DOCKER_CONTAINERD # runtime dependency
 	select BR2_PACKAGE_DOCKER_PROXY # runtime dependency
 	select BR2_PACKAGE_IPTABLES # runtime dependency
diff --git a/buildroot/package/docker-engine/docker-engine.hash b/buildroot/package/docker-engine/docker-engine.hash
index 99159f937..3283e4eb4 100644
--- a/buildroot/package/docker-engine/docker-engine.hash
+++ b/buildroot/package/docker-engine/docker-engine.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256	5ff62d7b3638a275b2c459e53a4d1a7a8fb03dde8305defcd55e05e059e5618d  docker-engine-19.03.11.tar.gz
+sha256	858e4e74ee0097bcbdb71d737e268dfcfd1970efa4a1600354253b02fd403e39  docker-engine-19.03.12.tar.gz
 sha256	7c87873291f289713ac5df48b1f2010eb6963752bbd6b530416ab99fc37914a8  LICENSE
diff --git a/buildroot/package/docker-engine/docker-engine.mk b/buildroot/package/docker-engine/docker-engine.mk
index fa30d9a22..c12013221 100644
--- a/buildroot/package/docker-engine/docker-engine.mk
+++ b/buildroot/package/docker-engine/docker-engine.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-DOCKER_ENGINE_VERSION = 19.03.11
+DOCKER_ENGINE_VERSION = 19.03.12
 DOCKER_ENGINE_SITE = $(call github,docker,engine,v$(DOCKER_ENGINE_VERSION))
 
 DOCKER_ENGINE_LICENSE = Apache-2.0
diff --git a/buildroot/package/domoticz/Config.in b/buildroot/package/domoticz/Config.in
index b99e54801..0639718c2 100644
--- a/buildroot/package/domoticz/Config.in
+++ b/buildroot/package/domoticz/Config.in
@@ -1,11 +1,10 @@
 config BR2_PACKAGE_DOMOTICZ
 	bool "domoticz"
-	depends on BR2_USE_MMU # mosquitto
-	depends on BR2_TOOLCHAIN_HAS_SYNC_4 # mosquitto
-	depends on !BR2_STATIC_LIBS # mosquitto
+	depends on BR2_USE_MMU # fork()
+	depends on !BR2_STATIC_LIBS
 	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_8 # sleep_for
 	# pthread_condattr_setclock
-	depends on BR2_TOOLCHAIN_HAS_THREADS_NPTL
+	depends on BR2_TOOLCHAIN_HAS_THREADS_NPTL # mosquitto
 	depends on BR2_INSTALL_LIBSTDCPP
 	depends on BR2_USE_WCHAR
 	depends on BR2_PACKAGE_LUA_5_3
@@ -30,7 +29,6 @@ config BR2_PACKAGE_DOMOTICZ
 
 comment "domoticz needs lua 5.3 and a toolchain w/ C++, gcc >= 4.8, NPTL, wchar, dynamic library"
 	depends on BR2_USE_MMU
-	depends on BR2_TOOLCHAIN_HAS_SYNC_4
 	depends on !BR2_INSTALL_LIBSTDCPP || \
 		!BR2_TOOLCHAIN_GCC_AT_LEAST_4_8 || \
 		!BR2_TOOLCHAIN_HAS_THREADS_NPTL || \
diff --git a/buildroot/package/dovecot-pigeonhole/dovecot-pigeonhole.hash b/buildroot/package/dovecot-pigeonhole/dovecot-pigeonhole.hash
index 28a49b13d..7f4b8579c 100644
--- a/buildroot/package/dovecot-pigeonhole/dovecot-pigeonhole.hash
+++ b/buildroot/package/dovecot-pigeonhole/dovecot-pigeonhole.hash
@@ -1,3 +1,3 @@
 # Locally computed after checking signature
-sha256 36da68aae5157b83e21383f711b8977e5b6f5477f369f71e7e22e76a738bbd05  dovecot-2.3-pigeonhole-0.5.9.tar.gz
-sha256 fc9e9522216f2a9a28b31300e3c73c1df56acc27dfae951bf516e7995366b51a  COPYING
+sha256  0b972a441f680545ddfacd2f41fb2a705fb03249d46ed5ce7e01fe68b6cfb5f0  dovecot-2.3-pigeonhole-0.5.11.tar.gz
+sha256  fc9e9522216f2a9a28b31300e3c73c1df56acc27dfae951bf516e7995366b51a  COPYING
diff --git a/buildroot/package/dovecot-pigeonhole/dovecot-pigeonhole.mk b/buildroot/package/dovecot-pigeonhole/dovecot-pigeonhole.mk
index 95bfa6fc4..d7068cd87 100644
--- a/buildroot/package/dovecot-pigeonhole/dovecot-pigeonhole.mk
+++ b/buildroot/package/dovecot-pigeonhole/dovecot-pigeonhole.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-DOVECOT_PIGEONHOLE_VERSION = 0.5.9
+DOVECOT_PIGEONHOLE_VERSION = 0.5.11
 DOVECOT_PIGEONHOLE_SOURCE = dovecot-2.3-pigeonhole-$(DOVECOT_PIGEONHOLE_VERSION).tar.gz
 DOVECOT_PIGEONHOLE_SITE = https://pigeonhole.dovecot.org/releases/2.3
 DOVECOT_PIGEONHOLE_LICENSE = LGPL-2.1
diff --git a/buildroot/package/dovecot/dovecot.hash b/buildroot/package/dovecot/dovecot.hash
index 09295816d..e5c2ab6f4 100644
--- a/buildroot/package/dovecot/dovecot.hash
+++ b/buildroot/package/dovecot/dovecot.hash
@@ -1,5 +1,5 @@
 # Locally computed after checking signature
-sha256  6642e62f23b1b23cfac235007ca6e21cb67460cca834689fad450724456eb10c  dovecot-2.3.10.1.tar.gz
+sha256  d3d9ea9010277f57eb5b9f4166a5d2ba539b172bd6d5a2b2529a6db524baafdc  dovecot-2.3.11.3.tar.gz
 sha256  a363b132e494f662d98c820d1481297e6ae72f194c2c91b6c39e1518b86240a8  COPYING
 sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING.LGPL
 sha256  52b8c95fabb19575281874b661ef7968ea47e8f5d74ba0dd40ce512e52b3fc97  COPYING.MIT
diff --git a/buildroot/package/dovecot/dovecot.mk b/buildroot/package/dovecot/dovecot.mk
index 59b52a3f8..f0508753a 100644
--- a/buildroot/package/dovecot/dovecot.mk
+++ b/buildroot/package/dovecot/dovecot.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 DOVECOT_VERSION_MAJOR = 2.3
-DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).10.1
+DOVECOT_VERSION = $(DOVECOT_VERSION_MAJOR).11.3
 DOVECOT_SITE = https://dovecot.org/releases/$(DOVECOT_VERSION_MAJOR)
 DOVECOT_INSTALL_STAGING = YES
 DOVECOT_LICENSE = LGPL-2.1, MIT, Public Domain, BSD-3-Clause, Unicode-DFS-2015
diff --git a/buildroot/package/dropbear/0001-scp-Port-OpenSSH-CVE-2018-20685-fix.patch b/buildroot/package/dropbear/0001-scp-Port-OpenSSH-CVE-2018-20685-fix.patch
new file mode 100644
index 000000000..4372d615d
--- /dev/null
+++ b/buildroot/package/dropbear/0001-scp-Port-OpenSSH-CVE-2018-20685-fix.patch
@@ -0,0 +1,24 @@
+# HG changeset patch
+# User Haelwenn Monnier <contact+github.com@hacktivis.me>
+# Date 1590411269 -7200
+#      Mon May 25 14:54:29 2020 +0200
+# Node ID 087c2804147074c95b6a3f35137b4f4b726b1452
+# Parent  009d52ae26d35f3381c801e02318fa9be34be93c
+scp.c: Port OpenSSH CVE-2018-20685 fix (#80)
+
+[backport from 2020.79 to 2019.78 for Buildroot 2020.02.x]
+Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
+
+diff --git a/scp.c b/scp.c
+--- a/scp.c
++++ b/scp.c
+@@ -935,7 +935,8 @@ sink(int argc, char **argv)
+ 			size = size * 10 + (*cp++ - '0');
+ 		if (*cp++ != ' ')
+ 			SCREWUP("size not delimited");
+-		if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
++		if (*cp == '\0' || strchr(cp, '/') != NULL ||
++		    strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
+ 			run_err("error: unexpected filename: %s", cp);
+ 			exit(1);
+ 		}
diff --git a/buildroot/package/ecryptfs-utils/ecryptfs-utils.mk b/buildroot/package/ecryptfs-utils/ecryptfs-utils.mk
index 326ff4f2d..3a3253a36 100644
--- a/buildroot/package/ecryptfs-utils/ecryptfs-utils.mk
+++ b/buildroot/package/ecryptfs-utils/ecryptfs-utils.mk
@@ -15,6 +15,7 @@ ECRYPTFS_UTILS_CONF_OPTS = --disable-pywrap
 
 #Needed for build system to find pk11func.h and libnss3.so
 ECRYPTFS_UTILS_CONF_ENV = \
+	ac_cv_path_POD2MAN=true \
 	NSS_CFLAGS="-I$(STAGING_DIR)/usr/include/nss -I$(STAGING_DIR)/usr/include/nspr" \
 	NSS_LIBS="-lnss3"
 
diff --git a/buildroot/package/efl/Config.in b/buildroot/package/efl/Config.in
index ff4916116..ce1e51e2f 100644
--- a/buildroot/package/efl/Config.in
+++ b/buildroot/package/efl/Config.in
@@ -1,19 +1,18 @@
 config BR2_PACKAGE_EFL
 	bool "efl"
-	 # g++ issue with 4.4.5, tested with g++ 4.7.2
-	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_7
+	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # C++11
+	depends on BR2_HOST_GCC_AT_LEAST_4_9 # host-efl
 	depends on BR2_INSTALL_LIBSTDCPP
-	depends on BR2_PACKAGE_LUAJIT_ARCH_SUPPORTS # luajit
 	depends on BR2_TOOLCHAIN_HAS_THREADS # untested without threads
 	depends on BR2_USE_MMU
 	depends on BR2_USE_WCHAR # use wchar_t
 	depends on !BR2_STATIC_LIBS # dlfcn.h
+	# https://phab.enlightenment.org/T2728
+	depends on BR2_PACKAGE_LUAJIT
 	select BR2_PACKAGE_DBUS
 	select BR2_PACKAGE_FREETYPE
 	select BR2_PACKAGE_JPEG # Emile needs libjpeg
 	select BR2_PACKAGE_LIBCURL # Ecore_con_url, runtime dependency
-	# https://phab.enlightenment.org/T2728
-	select BR2_PACKAGE_LUAJIT # Lua support broken
 	select BR2_PACKAGE_LZ4
 	select BR2_PACKAGE_ZLIB
 	help
@@ -302,9 +301,9 @@ comment "SVG loader needs a toolchain w/ gcc >= 4.8"
 
 endif # BR2_PACKAGE_EFL
 
-comment "efl needs a toolchain w/ C++, dynamic library, gcc >= 4.7, threads, wchar"
+comment "efl needs a toolchain w/ C++, dynamic library, gcc >= 4.9, host gcc >= 4.9, threads, wchar"
 	depends on !BR2_INSTALL_LIBSTDCPP \
-		|| !BR2_TOOLCHAIN_GCC_AT_LEAST_4_7 \
-		|| BR2_STATIC_LIBS || !BR2_TOOLCHAIN_HAS_THREADS || !BR2_USE_WCHAR
-	depends on BR2_PACKAGE_LUAJIT_ARCH_SUPPORTS
+		|| !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 \
+		|| !BR2_HOST_GCC_AT_LEAST_4_9 || BR2_STATIC_LIBS \
+		|| !BR2_TOOLCHAIN_HAS_THREADS || !BR2_USE_WCHAR
 	depends on BR2_USE_MMU
diff --git a/buildroot/package/elixir/elixir.mk b/buildroot/package/elixir/elixir.mk
index 7a545d43b..6d935516f 100644
--- a/buildroot/package/elixir/elixir.mk
+++ b/buildroot/package/elixir/elixir.mk
@@ -8,7 +8,7 @@ ELIXIR_VERSION = 1.9.4
 ELIXIR_SITE = $(call github,elixir-lang,elixir,v$(ELIXIR_VERSION))
 ELIXIR_LICENSE = Apache-2.0
 ELIXIR_LICENSE_FILES = LICENSE
-ELIXIR_DEPENDENCIES = host-erlang
+HOST_ELIXIR_DEPENDENCIES = host-erlang
 
 define HOST_ELIXIR_BUILD_CMDS
 	$(HOST_MAKE_ENV) $(HOST_CONFIGURE_OPTS) $(MAKE) -C $(@D) compile
diff --git a/buildroot/package/f2fs-tools/0002-fsck.f2fs-correct-return-value.patch b/buildroot/package/f2fs-tools/0002-fsck.f2fs-correct-return-value.patch
new file mode 100644
index 000000000..b420e27a0
--- /dev/null
+++ b/buildroot/package/f2fs-tools/0002-fsck.f2fs-correct-return-value.patch
@@ -0,0 +1,195 @@
+From eee12fe5e2e6c5f71bc7cbe25a608b730fd5362e Mon Sep 17 00:00:00 2001
+From: Chao Yu <yuchao0@huawei.com>
+Date: Fri, 7 Aug 2020 10:02:31 +0800
+Subject: [PATCH] fsck.f2fs: correct return value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+As Norbert Lange reported:
+
+"
+$ fsck.f2fs -a /dev/mmcblk0p5; echo $?
+Info: Fix the reported corruption.
+Info: Mounted device!
+Info: Check FS only on RO mounted device
+Error: Failed to open the device!
+255
+"
+
+Michael Laß reminds:
+
+"
+I think the return value is exactly the problem here. See fsck(8) (
+https://linux.die.net/man/8/fsck) which specifies the return values.
+Systemd looks at these and decides how to proceed:
+
+https://github.com/systemd/systemd/blob/a859abf062cef1511e4879c4ee39c6036ebeaec8/src/fsck/fsck.c#L407
+
+That means, if fsck.f2fs returns 255, then
+the FSCK_SYSTEM_SHOULD_REBOOT bit is set and systemd will reboot.
+"
+
+So the problem here is fsck.f2fs didn't return correct value to userspace
+apps, result in later unexpected behavior of rebooting, let's fix this.
+
+Reported-by: Norbert Lange <nolange79@gmail.com>
+Reported-by: Michael Laß <bevan@bi-co.net>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Norbert Lange <nolange79@gmail.com>
+---
+ fsck/fsck.h | 11 +++++++++++
+ fsck/main.c | 45 +++++++++++++++++++++++++++++++--------------
+ 2 files changed, 42 insertions(+), 14 deletions(-)
+
+diff --git a/fsck/fsck.h b/fsck/fsck.h
+index ccf4a39..c8aeb06 100644
+--- a/fsck/fsck.h
++++ b/fsck/fsck.h
+@@ -13,6 +13,17 @@
+ 
+ #include "f2fs.h"
+ 
++enum {
++	FSCK_SUCCESS                 = 0,
++	FSCK_ERROR_CORRECTED         = 1 << 0,
++	FSCK_SYSTEM_SHOULD_REBOOT    = 1 << 1,
++	FSCK_ERRORS_LEFT_UNCORRECTED = 1 << 2,
++	FSCK_OPERATIONAL_ERROR       = 1 << 3,
++	FSCK_USAGE_OR_SYNTAX_ERROR   = 1 << 4,
++	FSCK_USER_CANCELLED          = 1 << 5,
++	FSCK_SHARED_LIB_ERROR        = 1 << 7,
++};
++
+ struct quota_ctx;
+ 
+ #define FSCK_UNMATCHED_EXTENT		0x00000001
+diff --git a/fsck/main.c b/fsck/main.c
+index 8c62a14..b0f2ec3 100644
+--- a/fsck/main.c
++++ b/fsck/main.c
+@@ -591,7 +591,7 @@ void f2fs_parse_options(int argc, char *argv[])
+ 	error_out(prog);
+ }
+ 
+-static void do_fsck(struct f2fs_sb_info *sbi)
++static int do_fsck(struct f2fs_sb_info *sbi)
+ {
+ 	struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi);
+ 	u32 flag = le32_to_cpu(ckpt->ckpt_flags);
+@@ -614,7 +614,7 @@ static void do_fsck(struct f2fs_sb_info *sbi)
+ 			} else {
+ 				MSG(0, "[FSCK] F2FS metadata   [Ok..]");
+ 				fsck_free(sbi);
+-				return;
++				return FSCK_SUCCESS;
+ 			}
+ 
+ 			if (!c.ro)
+@@ -646,7 +646,7 @@ static void do_fsck(struct f2fs_sb_info *sbi)
+ 		ret = quota_init_context(sbi);
+ 		if (ret) {
+ 			ASSERT_MSG("quota_init_context failure: %d", ret);
+-			return;
++			return FSCK_OPERATIONAL_ERROR;
+ 		}
+ 	}
+ 	fsck_chk_orphan_node(sbi);
+@@ -654,8 +654,14 @@ static void do_fsck(struct f2fs_sb_info *sbi)
+ 			F2FS_FT_DIR, TYPE_INODE, &blk_cnt, NULL);
+ 	fsck_chk_quota_files(sbi);
+ 
+-	fsck_verify(sbi);
++	ret = fsck_verify(sbi);
+ 	fsck_free(sbi);
++
++	if (!c.bug_on)
++		return FSCK_SUCCESS;
++	if (!ret)
++		return FSCK_ERROR_CORRECTED;
++	return FSCK_ERRORS_LEFT_UNCORRECTED;
+ }
+ 
+ static void do_dump(struct f2fs_sb_info *sbi)
+@@ -763,7 +769,7 @@ static int do_sload(struct f2fs_sb_info *sbi)
+ int main(int argc, char **argv)
+ {
+ 	struct f2fs_sb_info *sbi;
+-	int ret = 0;
++	int ret = 0, ret2;
+ 	clock_t start = clock();
+ 
+ 	f2fs_init_configuration();
+@@ -771,10 +777,15 @@ int main(int argc, char **argv)
+ 	f2fs_parse_options(argc, argv);
+ 
+ 	if (c.func != DUMP && f2fs_devs_are_umounted() < 0) {
+-		if (errno == EBUSY)
++		if (errno == EBUSY) {
++			if (c.func == FSCK)
++				return FSCK_OPERATIONAL_ERROR;
+ 			return -1;
++		}
+ 		if (!c.ro || c.func == DEFRAG) {
+ 			MSG(0, "\tError: Not available on mounted device!\n");
++			if (c.func == FSCK)
++				return FSCK_OPERATIONAL_ERROR;
+ 			return -1;
+ 		}
+ 
+@@ -789,8 +800,11 @@ int main(int argc, char **argv)
+ 	}
+ 
+ 	/* Get device */
+-	if (f2fs_get_device_info() < 0)
++	if (f2fs_get_device_info() < 0) {
++		if (c.func == FSCK)
++			return FSCK_OPERATIONAL_ERROR;
+ 		return -1;
++	}
+ 
+ fsck_again:
+ 	memset(&gfsck, 0, sizeof(gfsck));
+@@ -808,7 +822,7 @@ fsck_again:
+ 
+ 	switch (c.func) {
+ 	case FSCK:
+-		do_fsck(sbi);
++		ret = do_fsck(sbi);
+ 		break;
+ #ifdef WITH_DUMP
+ 	case DUMP:
+@@ -856,8 +870,8 @@ fsck_again:
+ 			char ans[255] = {0};
+ retry:
+ 			printf("Do you want to fix this partition? [Y/N] ");
+-			ret = scanf("%s", ans);
+-			ASSERT(ret >= 0);
++			ret2 = scanf("%s", ans);
++			ASSERT(ret2 >= 0);
+ 			if (!strcasecmp(ans, "y"))
+ 				c.fix_on = 1;
+ 			else if (!strcasecmp(ans, "n"))
+@@ -869,12 +883,15 @@ retry:
+ 				goto fsck_again;
+ 		}
+ 	}
+-	ret = f2fs_finalize_device();
+-	if (ret < 0)
+-		return ret;
++	ret2 = f2fs_finalize_device();
++	if (ret2) {
++		if (c.func == FSCK)
++			return FSCK_OPERATIONAL_ERROR;
++		return ret2;
++	}
+ 
+ 	printf("\nDone: %lf secs\n", (clock() - start) / (double)CLOCKS_PER_SEC);
+-	return 0;
++	return ret;
+ 
+ out_err:
+ 	if (sbi->ckpt)
+-- 
+2.27.0
+
diff --git a/buildroot/package/fail2ban/fail2ban.mk b/buildroot/package/fail2ban/fail2ban.mk
index a0a2dc704..a4ee0852c 100644
--- a/buildroot/package/fail2ban/fail2ban.mk
+++ b/buildroot/package/fail2ban/fail2ban.mk
@@ -27,6 +27,13 @@ define FAIL2BAN_FIX_DEFAULT_CONFIG
 endef
 FAIL2BAN_POST_INSTALL_TARGET_HOOKS += FAIL2BAN_FIX_DEFAULT_CONFIG
 
+# fail2ban-python points to host python
+define FAIL2BAN_FIX_FAIL2BAN_PYTHON_SYMLINK
+	ln -snf $(if $(BR2_PACKAGE_PYTHON),python,python3) \
+		$(TARGET_DIR)/usr/bin/fail2ban-python
+endef
+FAIL2BAN_POST_INSTALL_TARGET_HOOKS += FAIL2BAN_FIX_FAIL2BAN_PYTHON_SYMLINK
+
 define FAIL2BAN_INSTALL_INIT_SYSV
 	$(INSTALL) -D -m 755 package/fail2ban/S60fail2ban \
 		$(TARGET_DIR)/etc/init.d/S60fail2ban
diff --git a/buildroot/package/ffmpeg/ffmpeg.hash b/buildroot/package/ffmpeg/ffmpeg.hash
index 35bd68132..752372619 100644
--- a/buildroot/package/ffmpeg/ffmpeg.hash
+++ b/buildroot/package/ffmpeg/ffmpeg.hash
@@ -1,5 +1,5 @@
 # Locally calculated
-sha256  9df6c90aed1337634c1fb026fb01c154c29c82a64ea71291ff2da9aacb9aad31  ffmpeg-4.2.3.tar.xz
+sha256  0d5da81feba073ee78e0f18e0966bcaf91464ae75e18e9a0135186249e3d2a0b  ffmpeg-4.2.4.tar.xz
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING.GPLv2
 sha256  b634ab5640e258563c536e658cad87080553df6f34f62269a21d554844e58bfe  COPYING.LGPLv2.1
 sha256  cad1218c22121b169fb1380178ab7a0b33cb38a3ff6d3915b8533d1d954f3ce7  LICENSE.md
diff --git a/buildroot/package/ffmpeg/ffmpeg.mk b/buildroot/package/ffmpeg/ffmpeg.mk
index 736aa5b4b..ca90242f9 100644
--- a/buildroot/package/ffmpeg/ffmpeg.mk
+++ b/buildroot/package/ffmpeg/ffmpeg.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-FFMPEG_VERSION = 4.2.3
+FFMPEG_VERSION = 4.2.4
 FFMPEG_SOURCE = ffmpeg-$(FFMPEG_VERSION).tar.xz
 FFMPEG_SITE = http://ffmpeg.org/releases
 FFMPEG_INSTALL_STAGING = YES
diff --git a/buildroot/package/freetype/freetype.mk b/buildroot/package/freetype/freetype.mk
index 8b3a4ca09..9cf75d162 100644
--- a/buildroot/package/freetype/freetype.mk
+++ b/buildroot/package/freetype/freetype.mk
@@ -14,8 +14,16 @@ FREETYPE_LICENSE_FILES = docs/LICENSE.TXT docs/FTL.TXT docs/GPLv2.TXT
 FREETYPE_DEPENDENCIES = host-pkgconf
 FREETYPE_CONFIG_SCRIPTS = freetype-config
 
+# harfbuzz already depends on freetype so disable harfbuzz in freetype to avoid
+# a circular dependency
+FREETYPE_CONF_OPTS = --without-harfbuzz
+
 HOST_FREETYPE_DEPENDENCIES = host-pkgconf
-HOST_FREETYPE_CONF_OPTS = --without-zlib --without-bzip2 --without-png
+HOST_FREETYPE_CONF_OPTS = \
+	--without-bzip2 \
+	--without-harfbuzz \
+	--without-png \
+	--without-zlib
 
 # since 2.9.1 needed for freetype-config install
 FREETYPE_CONF_OPTS += --enable-freetype-config
@@ -37,9 +45,7 @@ endif
 
 ifeq ($(BR2_PACKAGE_LIBPNG),y)
 FREETYPE_DEPENDENCIES += libpng
-FREETYPE_CONF_OPTS += LIBPNG_CFLAGS="`$(STAGING_DIR)/usr/bin/libpng-config --cflags`" \
-	LIBPNG_LDFLAGS="`$(STAGING_DIR)/usr/bin/libpng-config --ldflags`"
-FREETYPE_LIBPNG_LIBS = "`$(STAGING_DIR)/usr/bin/libpng-config --libs`"
+FREETYPE_CONF_OPTS += --with-png
 else
 FREETYPE_CONF_OPTS += --without-png
 endif
@@ -52,14 +58,5 @@ define FREETYPE_FIX_CONFIG_FILE
 endef
 FREETYPE_POST_INSTALL_STAGING_HOOKS += FREETYPE_FIX_CONFIG_FILE
 
-# libpng isn't included in freetype-config & freetype2.pc :-/
-define FREETYPE_FIX_CONFIG_FILE_LIBS
-	$(SED) "s,^Libs.private:,& $(FREETYPE_LIBPNG_LIBS)," \
-		$(STAGING_DIR)/usr/lib/pkgconfig/freetype2.pc
-	$(SED) "s,-lfreetype,& $(FREETYPE_LIBPNG_LIBS)," \
-		$(STAGING_DIR)/usr/bin/freetype-config
-endef
-FREETYPE_POST_INSTALL_STAGING_HOOKS += FREETYPE_FIX_CONFIG_FILE_LIBS
-
 $(eval $(autotools-package))
 $(eval $(host-autotools-package))
diff --git a/buildroot/package/gcc/gcc.mk b/buildroot/package/gcc/gcc.mk
index 50f2a3fcb..b58f17575 100644
--- a/buildroot/package/gcc/gcc.mk
+++ b/buildroot/package/gcc/gcc.mk
@@ -138,6 +138,14 @@ ifeq ($(BR2_sparc)$(BR2_sparc64),y)
 HOST_GCC_COMMON_CONF_OPTS += --disable-libsanitizer
 endif
 
+# The logic in libbacktrace/configure.ac to detect if __sync builtins
+# are available assumes they are as soon as target_subdir is not
+# empty, i.e when cross-compiling. However, some platforms do not have
+# __sync builtins, so help the configure script a bit.
+ifeq ($(BR2_TOOLCHAIN_HAS_SYNC_4),)
+HOST_GCC_COMMON_CONF_ENV += target_configargs="libbacktrace_cv_sys_sync=no"
+endif
+
 # TLS support is not needed on uClibc/no-thread and
 # uClibc/linux-threads, otherwise, for all other situations (glibc,
 # musl and uClibc/NPTL), we need it.
@@ -220,6 +228,13 @@ HOST_GCC_COMMON_CONF_OPTS += \
 	--with-long-double-128
 endif
 
+# Set default to Secure-PLT to prevent run-time
+# generation of PLT stubs (supports RELRO and
+# SELinux non-exemem capabilities)
+ifeq ($(BR2_powerpc),y)
+HOST_GCC_COMMON_CONF_OPTS += --enable-secureplt
+endif
+
 # PowerPC64 big endian by default uses the elfv1 ABI, and PowerPC 64
 # little endian by default uses the elfv2 ABI. However, musl has
 # decided to use the elfv2 ABI for both, so we force the elfv2 ABI for
diff --git a/buildroot/package/gd/0005-Fix-potential-NULL-pointer-dereference-in-gdImageClone.patch b/buildroot/package/gd/0005-Fix-potential-NULL-pointer-dereference-in-gdImageClone.patch
new file mode 100644
index 000000000..8234de45a
--- /dev/null
+++ b/buildroot/package/gd/0005-Fix-potential-NULL-pointer-dereference-in-gdImageClone.patch
@@ -0,0 +1,44 @@
+From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= <fcabralpacheco@gmail.com>
+Date: Fri, 20 Dec 2019 12:03:33 -0300
+Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone()
+
+[Retrieved (and updated to remove .gitignore and tests) from:
+https://github.com/libgd/libgd/commit/a93eac0e843148dc2d631c3ba80af17e9c8c860f]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/gd.c                          |  9 +--------
+ tests/gdimageclone/.gitignore     |  1 +
+ tests/gdimageclone/CMakeLists.txt |  1 +
+ tests/gdimageclone/Makemodule.am  |  3 ++-
+ tests/gdimageclone/style.c        | 30 ++++++++++++++++++++++++++++++
+ 5 files changed, 35 insertions(+), 9 deletions(-)
+ create mode 100644 tests/gdimageclone/style.c
+
+diff --git a/src/gd.c b/src/gd.c
+index 592a0286..d564d1f9 100644
+--- a/src/gd.c
++++ b/src/gd.c
+@@ -2865,14 +2865,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+ 		}
+ 	}
+ 
+-	if (src->styleLength > 0) {
+-		dst->styleLength = src->styleLength;
+-		dst->stylePos    = src->stylePos;
+-		for (i = 0; i < src->styleLength; i++) {
+-			dst->style[i] = src->style[i];
+-		}
+-	}
+-
+ 	dst->interlace   = src->interlace;
+ 
+ 	dst->alphaBlendingFlag = src->alphaBlendingFlag;
+@@ -2907,6 +2899,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gdImagePtr src) {
+ 
+ 	if (src->style) {
+ 		gdImageSetStyle(dst, src->style, src->styleLength);
++		dst->stylePos = src->stylePos;
+ 	}
+ 
+ 	for (i = 0; i < gdMaxColors; i++) {
diff --git a/buildroot/package/gd/0006-Fix-497-gdImageColorMatch-Out-Of-Bounds-Write-on-Heap-CVE-2019-6977.patch b/buildroot/package/gd/0006-Fix-497-gdImageColorMatch-Out-Of-Bounds-Write-on-Heap-CVE-2019-6977.patch
new file mode 100644
index 000000000..11c7575dd
--- /dev/null
+++ b/buildroot/package/gd/0006-Fix-497-gdImageColorMatch-Out-Of-Bounds-Write-on-Heap-CVE-2019-6977.patch
@@ -0,0 +1,39 @@
+From 2e886046f86d0d6bfc14aab94a881259a081e3f4 Mon Sep 17 00:00:00 2001
+From: wilson chen <willson.chenwx@gmail.com>
+Date: Fri, 20 Dec 2019 10:12:04 +0800
+Subject: [PATCH] Fix #497: gdImageColorMatch Out Of Bounds Write on Heap
+ (CVE-2019-6977)
+
+Fixed CVE-2019-6977 and add corresponding testcase.
+
+Original patch by Christoph M. Bechker <cmbecker69@gmx.de>
+https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
+
+[Retrieved (and updated to remove .gitignore and tests) from:
+https://github.com/libgd/libgd/commit/2e886046f86d0d6bfc14aab94a881259a081e3f4]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/gd_color_match.c                    |  5 ++---
+ tests/gdimagecolormatch/.gitignore      |  1 +
+ tests/gdimagecolormatch/CMakeLists.txt  |  1 +
+ tests/gdimagecolormatch/Makemodule.am   |  1 +
+ tests/gdimagecolormatch/cve_2019_6977.c | 25 +++++++++++++++++++++++++
+ 5 files changed, 30 insertions(+), 3 deletions(-)
+ create mode 100644 tests/gdimagecolormatch/cve_2019_6977.c
+
+diff --git a/src/gd_color_match.c b/src/gd_color_match.c
+index f0842b69..f0194302 100644
+--- a/src/gd_color_match.c
++++ b/src/gd_color_match.c
+@@ -31,9 +31,8 @@ BGD_DECLARE(int) gdImageColorMatch (gdImagePtr im1, gdImagePtr im2)
+ 		return -4; /* At least 1 color must be allocated */
+ 	}
+ 
+-	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * im2->colorsTotal);
+-	memset (buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal );
+-
++	buf = (unsigned long *)gdMalloc(sizeof(unsigned long) * 5 * gdMaxColors);
++	memset (buf, 0, sizeof(unsigned long) * 5 * gdMaxColors );
+ 	for (x=0; x < im1->sx; x++) {
+ 		for( y=0; y<im1->sy; y++ ) {
+ 			color = im2->pixels[y][x];
diff --git a/buildroot/package/gd/gd.mk b/buildroot/package/gd/gd.mk
index e2a46dca3..419d9a638 100644
--- a/buildroot/package/gd/gd.mk
+++ b/buildroot/package/gd/gd.mk
@@ -14,6 +14,19 @@ GD_CONFIG_SCRIPTS = gdlib-config
 GD_CONF_OPTS = --without-x --disable-rpath --disable-werror
 GD_DEPENDENCIES = host-pkgconf
 
+# 0001-bmp-check-return-value-in-gdImageBmpPtr.patch
+GD_IGNORE_CVES += CVE-2018-1000222
+# 0002-Fix-420-Potential-infinite-loop-in-gdImageCreateFrom.patch
+GD_IGNORE_CVES += CVE-2018-5711
+# 0003-Fix-501-Uninitialized-read-in-gdImageCreateFromXbm-C.patch
+GD_IGNORE_CVES += CVE-2019-11038
+# 0004-Fix-492-Potential-double-free-in-gdImage-Ptr.patch
+GD_IGNORE_CVES += CVE-2019-6978
+# 0005-Fix-potential-NULL-pointer-dereference-in-gdImageClone.patch
+GD_IGNORE_CVES += CVE-2018-14553
+# 0006-Fix-497-gdImageColorMatch-Out-Of-Bounds-Write-on-Heap-CVE-2019-6977.patch
+GD_IGNORE_CVES += CVE-2019-6977
+
 # gd forgets to link utilities with -pthread even though it uses
 # pthreads, causing linking errors with static linking
 ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
diff --git a/buildroot/package/gdb/gdb.mk b/buildroot/package/gdb/gdb.mk
index 46d745a89..469f25ff9 100644
--- a/buildroot/package/gdb/gdb.mk
+++ b/buildroot/package/gdb/gdb.mk
@@ -67,7 +67,8 @@ GDB_DISABLE_BINUTILS_CONF_OPTS = \
 	--disable-binutils \
 	--disable-install-libbfd \
 	--disable-ld \
-	--disable-gas
+	--disable-gas \
+	--disable-gprof
 
 GDB_CONF_ENV = \
 	ac_cv_type_uintptr_t=yes \
diff --git a/buildroot/package/gdk-pixbuf/gdk-pixbuf.hash b/buildroot/package/gdk-pixbuf/gdk-pixbuf.hash
index 9cb947f19..8fa178b55 100644
--- a/buildroot/package/gdk-pixbuf/gdk-pixbuf.hash
+++ b/buildroot/package/gdk-pixbuf/gdk-pixbuf.hash
@@ -1,4 +1,4 @@
-# From http://ftp.gnome.org/pub/gnome/sources/gdk-pixbuf/2.36/gdk-pixbuf-2.36.10.sha256sum
-sha256 f8f6fa896b89475c73b6e9e8d2a2b062fc359c4b4ccb8e96470d6ab5da949ace  gdk-pixbuf-2.36.10.tar.xz
+# From http://ftp.gnome.org/pub/gnome/sources/gdk-pixbuf/2.36/gdk-pixbuf-2.36.12.sha256sum
+sha256  fff85cf48223ab60e3c3c8318e2087131b590fd6f1737e42cb3759a3b427a334  gdk-pixbuf-2.36.12.tar.xz
 # Locally calculated
-sha256 d245807f90032872d1438d741ed21e2490e1175dc8aa3afa5ddb6c8e529b58e5  COPYING
+sha256  d245807f90032872d1438d741ed21e2490e1175dc8aa3afa5ddb6c8e529b58e5  COPYING
diff --git a/buildroot/package/gdk-pixbuf/gdk-pixbuf.mk b/buildroot/package/gdk-pixbuf/gdk-pixbuf.mk
index 33de2e3d3..3320827d0 100644
--- a/buildroot/package/gdk-pixbuf/gdk-pixbuf.mk
+++ b/buildroot/package/gdk-pixbuf/gdk-pixbuf.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 GDK_PIXBUF_VERSION_MAJOR = 2.36
-GDK_PIXBUF_VERSION = $(GDK_PIXBUF_VERSION_MAJOR).10
+GDK_PIXBUF_VERSION = $(GDK_PIXBUF_VERSION_MAJOR).12
 GDK_PIXBUF_SOURCE = gdk-pixbuf-$(GDK_PIXBUF_VERSION).tar.xz
 GDK_PIXBUF_SITE = http://ftp.gnome.org/pub/gnome/sources/gdk-pixbuf/$(GDK_PIXBUF_VERSION_MAJOR)
 GDK_PIXBUF_LICENSE = LGPL-2.0+
diff --git a/buildroot/package/ghostscript/0001-Fix-cross-compilation-issue.patch b/buildroot/package/ghostscript/0001-Fix-cross-compilation-issue.patch
deleted file mode 100644
index a13c7f838..000000000
--- a/buildroot/package/ghostscript/0001-Fix-cross-compilation-issue.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 5fed765abb8ff07c381cc3ebb9367e9560f7a658 Mon Sep 17 00:00:00 2001
-From: Bernd Kuhls <bernd.kuhls@t-online.de>
-Date: Mon, 20 Mar 2017 23:43:03 +0100
-Subject: [PATCH] Fix cross compilation issue
-
-Without this patch unsafe paths are used:
-x86_64-linux-gcc: ERROR: unsafe header/library path used in cross-compilation: '/libtiff'
-
-Downloaded from
-http://bugs.ghostscript.com/show_bug.cgi?id=696508#c3
-
-Slightly updated to work with 9.23
-
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index d0f62d7..0d49344 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1173,7 +1173,7 @@ XPSWRITEDEVICE=''
- 
- 
- LIBTIFFDIR='src'
--LIBTIFFCONFDIR=''
-+LIBTIFFCONFDIR='src'
- TIFFCFLAGS=''
- 
- TIFFDEVS_ALL='tiffs tiff12nc tiff24nc tiff48nc tiff32nc tiff64nc tiffcrle tifflzw tiffpack tiffgray tiffsep tiffsep1 tiffscaled tiffscaled4 tiffscaled8 tiffscaled24 tiffscaled32'
- FAX_DEVS_ALL='cfax dfaxlow dfaxhigh fax faxg3 faxg32d faxg4 tiffg3 tiffg32d tiffg4 tfax'
--- 
-2.7.4
-
diff --git a/buildroot/package/ghostscript/ghostscript.hash b/buildroot/package/ghostscript/ghostscript.hash
index 51b3a2a09..143b28014 100644
--- a/buildroot/package/ghostscript/ghostscript.hash
+++ b/buildroot/package/ghostscript/ghostscript.hash
@@ -1,5 +1,5 @@
-# From https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs950/SHA512SUMS
-sha512 3c1e5db519a427f4b6bfb8d93f3c3dfb67d5ec9ccd19c7afa7670deb768515f3fc617c5588e54934bbfbedfdf8609ce2ffa36dd7da3cb618937fe034f64f43ee  ghostscript-9.50.tar.xz
+# From https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9532/SHA512SUMS
+sha512  73aa6013aeecbd1345317a40349089a2f19a2205fc11b8ca0b619df1e91f2ca8b03efc09be9e079cb5ab8e1b838aa2236349cd1c177217c14308242f99138ae4  ghostscript-9.53.2.tar.gz
 
 # Hash for license file:
-sha256 6f852249f975287b3efd43a5883875e47fa9f3125e2f1b18b5c09517ac30ecf2  LICENSE
+sha256  6f852249f975287b3efd43a5883875e47fa9f3125e2f1b18b5c09517ac30ecf2  LICENSE
diff --git a/buildroot/package/ghostscript/ghostscript.mk b/buildroot/package/ghostscript/ghostscript.mk
index a6e85d989..31d23fd20 100644
--- a/buildroot/package/ghostscript/ghostscript.mk
+++ b/buildroot/package/ghostscript/ghostscript.mk
@@ -4,13 +4,10 @@
 #
 ################################################################################
 
-GHOSTSCRIPT_VERSION = 9.50
+GHOSTSCRIPT_VERSION = 9.53.2
 GHOSTSCRIPT_SITE = https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs$(subst .,,$(GHOSTSCRIPT_VERSION))
-GHOSTSCRIPT_SOURCE = ghostscript-$(GHOSTSCRIPT_VERSION).tar.xz
 GHOSTSCRIPT_LICENSE = AGPL-3.0
 GHOSTSCRIPT_LICENSE_FILES = LICENSE
-# 0001-Fix-cross-compilation-issue.patch
-GHOSTSCRIPT_AUTORECONF = YES
 GHOSTSCRIPT_DEPENDENCIES = \
 	host-lcms2 \
 	host-libjpeg \
@@ -34,7 +31,8 @@ GHOSTSCRIPT_POST_PATCH_HOOKS += GHOSTSCRIPT_REMOVE_LIBS
 
 GHOSTSCRIPT_CONF_ENV = \
 	CCAUX="$(HOSTCC)" \
-	CFLAGSAUX="$(HOST_CFLAGS) $(HOST_LDFLAGS)"
+	CFLAGSAUX="$(HOST_CFLAGS) $(HOST_LDFLAGS)" \
+	PKGCONFIG="$(PKG_CONFIG_HOST_BINARY)"
 
 GHOSTSCRIPT_CONF_OPTS = \
 	--disable-compile-inits \
diff --git a/buildroot/package/glibc/2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427/glibc.hash b/buildroot/package/glibc/2.30-73-gd59630f9959b0bb8991964758ab854ff4378b20d/glibc.hash
similarity index 70%
rename from buildroot/package/glibc/2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427/glibc.hash
rename to buildroot/package/glibc/2.30-73-gd59630f9959b0bb8991964758ab854ff4378b20d/glibc.hash
index 6677d32db..21ee1faea 100644
--- a/buildroot/package/glibc/2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427/glibc.hash
+++ b/buildroot/package/glibc/2.30-73-gd59630f9959b0bb8991964758ab854ff4378b20d/glibc.hash
@@ -1,5 +1,5 @@
 # Locally calculated (fetched from Github)
-sha256  4462f56696332efbc5b0c2f86d7aa75a2a02c3d44bc4345fa42b5bab1225de5c  glibc-2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427.tar.gz
+sha256  ce788d30851a215d58ff94c972d9cff5956725cc5ee906298711ddc63078c315  glibc-2.30-73-gd59630f9959b0bb8991964758ab854ff4378b20d.tar.gz
 
 # Hashes for license files
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/buildroot/package/glibc/glibc.mk b/buildroot/package/glibc/glibc.mk
index 4621c9c2f..08170fbbc 100644
--- a/buildroot/package/glibc/glibc.mk
+++ b/buildroot/package/glibc/glibc.mk
@@ -17,7 +17,7 @@ else
 # Generate version string using:
 #   git describe --match 'glibc-*' --abbrev=40 origin/release/MAJOR.MINOR/master | cut -d '-' -f 2-
 # When updating the version, please also update localedef
-GLIBC_VERSION = 2.30-67-g4748829f86a458b76642f3e98b1d80f7b868e427
+GLIBC_VERSION = 2.30-73-gd59630f9959b0bb8991964758ab854ff4378b20d
 # Upstream doesn't officially provide an https download link.
 # There is one (https://sourceware.org/git/glibc.git) but it's not reliable,
 # sometimes the connection times out. So use an unofficial github mirror.
diff --git a/buildroot/package/gnutls/gnutls.hash b/buildroot/package/gnutls/gnutls.hash
index 6a4203f3a..c360a56f9 100644
--- a/buildroot/package/gnutls/gnutls.hash
+++ b/buildroot/package/gnutls/gnutls.hash
@@ -1,6 +1,6 @@
 # Locally calculated after checking pgp signature
-# https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.14.tar.xz.sig
-sha256  5630751adec7025b8ef955af4d141d00d252a985769f51b4059e5affa3d39d63  gnutls-3.6.14.tar.xz
+# https://www.gnupg.org/ftp/gcrypt/gnutls/v3.6/gnutls-3.6.15.tar.xz.sig
+sha256  0ea8c3283de8d8335d7ae338ef27c53a916f15f382753b174c18b45ffd481558  gnutls-3.6.15.tar.xz
 # Locally calculated
 sha256  e79e9c8a0c85d735ff98185918ec94ed7d175efc377012787aebcf3b80f0d90b  doc/COPYING
 sha256  6095e9ffa777dd22839f7801aa845b31c9ed07f3d6bf8a26dc5d2dec8ccc0ef3  doc/COPYING.LESSER
diff --git a/buildroot/package/gnutls/gnutls.mk b/buildroot/package/gnutls/gnutls.mk
index 34878e97b..9f5315000 100644
--- a/buildroot/package/gnutls/gnutls.mk
+++ b/buildroot/package/gnutls/gnutls.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 GNUTLS_VERSION_MAJOR = 3.6
-GNUTLS_VERSION = $(GNUTLS_VERSION_MAJOR).14
+GNUTLS_VERSION = $(GNUTLS_VERSION_MAJOR).15
 GNUTLS_SOURCE = gnutls-$(GNUTLS_VERSION).tar.xz
 GNUTLS_SITE = https://www.gnupg.org/ftp/gcrypt/gnutls/v$(GNUTLS_VERSION_MAJOR)
 GNUTLS_LICENSE = LGPL-2.1+ (core library)
diff --git a/buildroot/package/go/go.hash b/buildroot/package/go/go.hash
index f58449d07..ce8e27c97 100644
--- a/buildroot/package/go/go.hash
+++ b/buildroot/package/go/go.hash
@@ -1,3 +1,3 @@
 # From https://golang.org/dl/
-sha256	197333e97290e9ea8796f738d61019dcba1c377c2f3961fd6a114918ecc7ab06  go1.13.14.src.tar.gz
+sha256	5fb43171046cf8784325e67913d55f88a683435071eef8e9da1aa8a1588fcf5d  go1.13.15.src.tar.gz
 sha256	2d36597f7117c38b006835ae7f537487207d8ec407aa9d9980794b2030cbc067  LICENSE
diff --git a/buildroot/package/go/go.mk b/buildroot/package/go/go.mk
index 72604a250..1f95bec82 100644
--- a/buildroot/package/go/go.mk
+++ b/buildroot/package/go/go.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-GO_VERSION = 1.13.14
+GO_VERSION = 1.13.15
 GO_SITE = https://storage.googleapis.com/golang
 GO_SOURCE = go$(GO_VERSION).src.tar.gz
 
diff --git a/buildroot/package/graphite2/0001-don-t-install-a-libtool-file-with-static-library.patch b/buildroot/package/graphite2/0001-don-t-install-a-libtool-file-with-static-library.patch
new file mode 100644
index 000000000..ac150622d
--- /dev/null
+++ b/buildroot/package/graphite2/0001-don-t-install-a-libtool-file-with-static-library.patch
@@ -0,0 +1,67 @@
+From 3edb88b55c0870989778c670d555aa159a2c3abc Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Date: Mon, 31 Aug 2020 20:56:43 +0200
+Subject: [PATCH] don't install a libtool file with static library
+
+Static library is supported since version 1.3.11 and
+https://github.com/silnrsi/graphite/commit/2f143c04da5caa43ddf4dba437b2f2bc26bf4238
+
+However, graphite2 is still installing libgraphite2.la which contains
+incorrect information (i.e. dlname set to libgraphite2.so and
+old_library set to ''):
+
+dlname='libgraphite2.so'
+
+library_names='libgraphite2.so.3.2.1 libgraphite2.so.3 libgraphite2.so'
+
+old_library=''
+
+dependency_libs=''
+
+This will result in the following build failure with any applications
+using this file such as harfbuzz:
+
+arm-linux-g++.br_real: error: /home/buildroot/autobuild/run/instance-3/output-1/host/arm-buildroot-linux-uclibcgnueabi/sysroot/usr/lib/libgraphite2.so: No such file or directory
+make[5]: *** [main] Error 1
+
+Instead of trying to fix this libtool file, just disable it when
+building a static library as it is not needed
+
+Fixes:
+ - http://autobuild.buildroot.org/results/9ebe1d11e80755d59190ef2aae82bbba5cc45e44
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Upstream status: https://github.com/silnrsi/graphite/pull/65]
+---
+ src/CMakeLists.txt | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
+index b6ac26bf..a7ace040 100644
+--- a/src/CMakeLists.txt
++++ b/src/CMakeLists.txt
+@@ -131,7 +131,9 @@ if  (${CMAKE_SYSTEM_NAME} STREQUAL "Linux")
+         nolib_test(stdc++ $<TARGET_SONAME_FILE:graphite2>)
+     endif ()
+     set(CMAKE_CXX_IMPLICIT_LINK_LIBRARIES "")
+-    CREATE_LIBTOOL_FILE(graphite2 "/lib${LIB_SUFFIX}")
++    if (BUILD_SHARED_LIBS)
++        CREATE_LIBTOOL_FILE(graphite2 "/lib${LIB_SUFFIX}")
++    endif()
+ endif()
+ 
+ if  (${CMAKE_SYSTEM_NAME} STREQUAL "Darwin")
+@@ -146,7 +148,9 @@ if  (${CMAKE_SYSTEM_NAME} STREQUAL "Darwin")
+     include(Graphite)
+     nolib_test(stdc++ $<TARGET_SONAME_FILE:graphite2>)
+     set(CMAKE_CXX_IMPLICIT_LINK_LIBRARIES "")
+-    CREATE_LIBTOOL_FILE(graphite2 "/lib${LIB_SUFFIX}")
++    if (BUILD_SHARED_LIBS)
++        CREATE_LIBTOOL_FILE(graphite2 "/lib${LIB_SUFFIX}")
++    endif()
+ endif()
+ 
+ if  (${CMAKE_SYSTEM_NAME} STREQUAL "Windows")
+-- 
+2.28.0
+
diff --git a/buildroot/package/graphite2/Config.in b/buildroot/package/graphite2/Config.in
index 5499e17e2..ec92ff7be 100644
--- a/buildroot/package/graphite2/Config.in
+++ b/buildroot/package/graphite2/Config.in
@@ -1,13 +1,12 @@
 config BR2_PACKAGE_GRAPHITE2
 	bool "graphite2"
 	depends on BR2_INSTALL_LIBSTDCPP
-	depends on !BR2_STATIC_LIBS
 	help
 	  Graphite is a project within SIL's scripts and software dev
 	  groups to provide cross-platform rendering for complex
 	  writing systems.
 
-	  http://graphite.sil.org/
+	  https://github.com/silnrsi/graphite
 
-comment "graphite2 needs a toolchain w/ C++, dynamic library"
-	depends on !BR2_INSTALL_LIBSTDCPP || BR2_STATIC_LIBS
+comment "graphite2 needs a toolchain w/ C++"
+	depends on !BR2_INSTALL_LIBSTDCPP
diff --git a/buildroot/package/graphite2/graphite2.hash b/buildroot/package/graphite2/graphite2.hash
index e0c1aae67..e005375f8 100644
--- a/buildroot/package/graphite2/graphite2.hash
+++ b/buildroot/package/graphite2/graphite2.hash
@@ -1,6 +1,4 @@
-# From http://sourceforge.net/projects/silgraphite/files/graphite2
-md5 b39d5ed21195f8b709bcee548c87e2b5  graphite2-1.3.10.tgz
-sha1 668f3bce96fc02d90ea875b401ed36b2e8957d2f  graphite2-1.3.10.tgz
+# From https://github.com/silnrsi/graphite/releases/download/1.3.14/graphite2-1.3.14.sha256sum
+sha256  f99d1c13aa5fa296898a181dff9b82fb25f6cc0933dbaa7a475d8109bd54209d  graphite2-1.3.14.tgz
 # Locally computed
-sha256  90fde3b2f9ea95d68ffb19278d07d9b8a7efa5ba0e413bebcea802ce05cda1ae  graphite2-1.3.10.tgz
 sha256  a9bdde5616ecdd1e980b44f360600ee8783b1f99b8cc83a2beb163a0a390e861  LICENSE
diff --git a/buildroot/package/graphite2/graphite2.mk b/buildroot/package/graphite2/graphite2.mk
index 2bb4f463b..40206bf0f 100644
--- a/buildroot/package/graphite2/graphite2.mk
+++ b/buildroot/package/graphite2/graphite2.mk
@@ -4,9 +4,10 @@
 #
 ################################################################################
 
-GRAPHITE2_VERSION = 1.3.10
+GRAPHITE2_VERSION = 1.3.14
 GRAPHITE2_SOURCE = graphite2-$(GRAPHITE2_VERSION).tgz
-GRAPHITE2_SITE = http://downloads.sourceforge.net/project/silgraphite/graphite2
+GRAPHITE2_SITE = \
+	https://github.com/silnrsi/graphite/releases/download/$(GRAPHITE2_VERSION)
 GRAPHITE2_INSTALL_STAGING = YES
 GRAPHITE2_LICENSE = LGPL-2.1+
 GRAPHITE2_LICENSE_FILES = LICENSE
diff --git a/buildroot/package/gstreamer1/gst1-plugins-bad/0002-meson-allow-the-user-to-disable-opencv.patch b/buildroot/package/gstreamer1/gst1-plugins-bad/0002-meson-allow-the-user-to-disable-opencv.patch
new file mode 100644
index 000000000..02e91e33e
--- /dev/null
+++ b/buildroot/package/gstreamer1/gst1-plugins-bad/0002-meson-allow-the-user-to-disable-opencv.patch
@@ -0,0 +1,31 @@
+From 1bc387f8feaab9020be72e88cf26ccc1a67a6a10 Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Date: Sat, 22 Aug 2020 23:33:48 +0200
+Subject: [PATCH] meson: allow the user to disable opencv
+
+Allow the user to really disable opencv through meson (i.e.
+-Dopencv=disabled).
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Upstream status:
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/1533]
+---
+ gst-libs/gst/opencv/meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gst-libs/gst/opencv/meson.build b/gst-libs/gst/opencv/meson.build
+index 6cc4602f3..fb6c46e40 100644
+--- a/gst-libs/gst/opencv/meson.build
++++ b/gst-libs/gst/opencv/meson.build
+@@ -13,7 +13,7 @@ opencv_dep = dependency('opencv', version : '>= 3.0.0', required : false)
+ if not opencv_dep.found()
+   opencv_dep = dependency('opencv4', version : '>= 4.0.0', required : false)
+ endif
+-if opencv_dep.found()
++if not get_option('opencv').disabled() and opencv_dep.found()
+   gstopencv = library('gstopencv-' + api_version,
+     opencv_sources,
+     c_args : gst_plugins_bad_args + ['-DBUILDING_GST_OPENCV'],
+-- 
+2.28.0
+
diff --git a/buildroot/package/gstreamer1/gst1-plugins-base/gst1-plugins-base.mk b/buildroot/package/gstreamer1/gst1-plugins-base/gst1-plugins-base.mk
index 1781a5d46..42fe09bf5 100644
--- a/buildroot/package/gstreamer1/gst1-plugins-base/gst1-plugins-base.mk
+++ b/buildroot/package/gstreamer1/gst1-plugins-base/gst1-plugins-base.mk
@@ -38,19 +38,22 @@ else
 GST1_PLUGINS_BASE_CONF_OPTS += -Dorc=disabled
 endif
 
-ifeq ($(BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL_HAS_API),y)
+ifeq ($(BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL_HAS_API)$(BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL_HAS_PLATFORM)$(BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL_HAS_WINDOW),yyy)
 GST1_PLUGINS_BASE_CONF_OPTS += -Dgl=enabled
+else
+GST1_PLUGINS_BASE_CONF_OPTS += -Dgl=disabled
+endif
+
 ifeq ($(BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL_OPENGL),y)
 GST1_PLUGINS_BASE_GL_API_LIST = opengl
 GST1_PLUGINS_BASE_DEPENDENCIES += libgl libglu
 endif
+
 ifeq ($(BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL_GLES2),y)
 GST1_PLUGINS_BASE_GL_API_LIST += gles2
 GST1_PLUGINS_BASE_DEPENDENCIES += libgles
 endif
-else
-GST1_PLUGINS_BASE_CONF_OPTS += -Dgl=disabled
-endif
+
 GST1_PLUGINS_BASE_CONF_OPTS += -Dgl_api='$(subst $(space),$(comma),$(GST1_PLUGINS_BASE_GL_API_LIST))'
 
 ifeq ($(BR2_PACKAGE_GST1_PLUGINS_BASE_LIB_OPENGL_GLX),y)
diff --git a/buildroot/package/gstreamer1/gst1-plugins-ugly/gst1-plugins-ugly.mk b/buildroot/package/gstreamer1/gst1-plugins-ugly/gst1-plugins-ugly.mk
index 9f8b1d335..0261dc323 100644
--- a/buildroot/package/gstreamer1/gst1-plugins-ugly/gst1-plugins-ugly.mk
+++ b/buildroot/package/gstreamer1/gst1-plugins-ugly/gst1-plugins-ugly.mk
@@ -89,7 +89,7 @@ endif
 
 # Add GPL license if GPL plugins enabled.
 ifeq ($(GST1_PLUGINS_UGLY_HAS_GPL_LICENSE),y)
-GST1_PLUGINS_UGLY_LICENSE += GPL-2.0
+GST1_PLUGINS_UGLY_LICENSE += , GPL-2.0
 endif
 
 # Use the following command to extract license info for plugins.
diff --git a/buildroot/package/hostapd/hostapd.hash b/buildroot/package/hostapd/hostapd.hash
index bf5016acc..e2f76c12d 100644
--- a/buildroot/package/hostapd/hostapd.hash
+++ b/buildroot/package/hostapd/hostapd.hash
@@ -1,3 +1,6 @@
 # Locally calculated
 sha256  881d7d6a90b2428479288d64233151448f8990ab4958e0ecaca7eeb3c9db2bd7  hostapd-2.9.tar.gz
+sha256  2d9a5b9d616f1b4aa4a22b967cee866e2f69b798b0b46803a7928c8559842bd7  0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
+sha256  49feb35a5276279b465f6836d6fa2c6b34d94dc979e8b840d1918865c04260de  0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
+sha256  a8212a2d89a5bab2824d22b6047e7740553df163114fcec94832bfa9c5c5d78a  0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
 sha256  9da5dd0776da266b180b915e460ff75c6ff729aca1196ab396529510f24f3761  README
diff --git a/buildroot/package/hostapd/hostapd.mk b/buildroot/package/hostapd/hostapd.mk
index b94a0e457..676e36d8b 100644
--- a/buildroot/package/hostapd/hostapd.mk
+++ b/buildroot/package/hostapd/hostapd.mk
@@ -8,6 +8,10 @@ HOSTAPD_VERSION = 2.9
 HOSTAPD_SITE = http://w1.fi/releases
 HOSTAPD_SUBDIR = hostapd
 HOSTAPD_CONFIG = $(HOSTAPD_DIR)/$(HOSTAPD_SUBDIR)/.config
+HOSTAPD_PATCH = \
+	https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \
+	https://w1.fi/security/2020-1/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \
+	https://w1.fi/security/2020-1/0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch
 HOSTAPD_DEPENDENCIES = host-pkgconf
 HOSTAPD_CFLAGS = $(TARGET_CFLAGS)
 HOSTAPD_LICENSE = BSD-3-Clause
@@ -16,6 +20,9 @@ HOSTAPD_LICENSE_FILES = README
 # 0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
 HOSTAPD_IGNORE_CVES += CVE-2019-16275
 
+# 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
+HOSTAPD_IGNORE_CVES += CVE-2020-12695
+
 HOSTAPD_CONFIG_SET =
 
 HOSTAPD_CONFIG_ENABLE = \
diff --git a/buildroot/package/imagemagick/imagemagick.hash b/buildroot/package/imagemagick/imagemagick.hash
index f95fa275d..3380378fd 100644
--- a/buildroot/package/imagemagick/imagemagick.hash
+++ b/buildroot/package/imagemagick/imagemagick.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256 238ee17196fcb80bb58485910aaefc12d48f99e4043c2a28f06ff9588161c4e3  7.0.8-59.tar.gz
-sha256 5b47db932754743460eba7a226aea85b63e3408d3c7affb4d0117f70c9594ded  LICENSE
+sha256  9f2b8b131222354b196c640fca4e53eb0bbf62246621b9d467f223366272d7a7  imagemagick-7.0.10-28.tar.gz
+sha256  e2d364de83dd9e7c866bd99ee7dac2fe92071fb70e9b187293353fb285cf09ac  LICENSE
diff --git a/buildroot/package/imagemagick/imagemagick.mk b/buildroot/package/imagemagick/imagemagick.mk
index 5ef04973a..d44b7d1d1 100644
--- a/buildroot/package/imagemagick/imagemagick.mk
+++ b/buildroot/package/imagemagick/imagemagick.mk
@@ -4,9 +4,8 @@
 #
 ################################################################################
 
-IMAGEMAGICK_VERSION = 7.0.8-59
-IMAGEMAGICK_SOURCE = $(IMAGEMAGICK_VERSION).tar.gz
-IMAGEMAGICK_SITE = https://github.com/ImageMagick/ImageMagick/archive
+IMAGEMAGICK_VERSION = 7.0.10-28
+IMAGEMAGICK_SITE = $(call github,ImageMagick,ImageMagick,$(IMAGEMAGICK_VERSION))
 IMAGEMAGICK_LICENSE = Apache-2.0
 IMAGEMAGICK_LICENSE_FILES = LICENSE
 
diff --git a/buildroot/package/ipmitool/0008-fru-Fix-buffer-overflow-vulnerabilities.patch b/buildroot/package/ipmitool/0008-fru-Fix-buffer-overflow-vulnerabilities.patch
new file mode 100644
index 000000000..a39713fdb
--- /dev/null
+++ b/buildroot/package/ipmitool/0008-fru-Fix-buffer-overflow-vulnerabilities.patch
@@ -0,0 +1,132 @@
+From d615cb6c39d401a569941be2a615176191afa7ac Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:33:59 +0000
+Subject: [PATCH] fru: Fix buffer overflow vulnerabilities
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `read_fru_area_section` function only performs size validation of
+requested read size, and falsely assumes that the IPMI message will not
+respond with more than the requested amount of data; it uses the
+unvalidated response size to copy into `frubuf`. If the response is
+larger than the request, this can result in overflowing the buffer.
+
+The same issue affects the `read_fru_area` function.
+
+[Retrieve from
+https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2]
+Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
+---
+ lib/ipmi_fru.c | 33 +++++++++++++++++++++++++++++++--
+ 1 file changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
+index cf00eff..af99aa9 100644
+--- a/lib/ipmi_fru.c
++++ b/lib/ipmi_fru.c
+@@ -615,7 +615,10 @@ int
+ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 			uint32_t offset, uint32_t length, uint8_t *frubuf)
+ {
+-	uint32_t off = offset, tmp, finish;
++	uint32_t off = offset;
++	uint32_t tmp;
++	uint32_t finish;
++	uint32_t size_left_in_buffer;
+ 	struct ipmi_rs * rsp;
+ 	struct ipmi_rq req;
+ 	uint8_t msg_data[4];
+@@ -628,10 +631,12 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 
+ 	finish = offset + length;
+ 	if (finish > fru->size) {
++		memset(frubuf + fru->size, 0, length - fru->size);
+ 		finish = fru->size;
+ 		lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
+ 			"Adjusting to %d",
+ 			offset + length, finish - offset);
++		length = finish - offset;
+ 	}
+ 
+ 	memset(&req, 0, sizeof(req));
+@@ -667,6 +672,7 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 		}
+ 	}
+ 
++	size_left_in_buffer = length;
+ 	do {
+ 		tmp = fru->access ? off >> 1 : off;
+ 		msg_data[0] = id;
+@@ -707,9 +713,18 @@ read_fru_area(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 		}
+ 
+ 		tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
++		if(rsp->data_len < 1
++		   || tmp > rsp->data_len - 1
++		   || tmp > size_left_in_buffer)
++		{
++			printf(" Not enough buffer size");
++			return -1;
++		}
++
+ 		memcpy(frubuf, rsp->data + 1, tmp);
+ 		off += tmp;
+ 		frubuf += tmp;
++		size_left_in_buffer -= tmp;
+ 		/* sometimes the size returned in the Info command
+ 		* is too large.  return 0 so higher level function
+ 		* still attempts to parse what was returned */
+@@ -742,7 +757,9 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 			uint32_t offset, uint32_t length, uint8_t *frubuf)
+ {
+ 	static uint32_t fru_data_rqst_size = 20;
+-	uint32_t off = offset, tmp, finish;
++	uint32_t off = offset;
++	uint32_t tmp, finish;
++	uint32_t size_left_in_buffer;
+ 	struct ipmi_rs * rsp;
+ 	struct ipmi_rq req;
+ 	uint8_t msg_data[4];
+@@ -755,10 +772,12 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 
+ 	finish = offset + length;
+ 	if (finish > fru->size) {
++		memset(frubuf + fru->size, 0, length - fru->size);
+ 		finish = fru->size;
+ 		lprintf(LOG_NOTICE, "Read FRU Area length %d too large, "
+ 			"Adjusting to %d",
+ 			offset + length, finish - offset);
++		length = finish - offset;
+ 	}
+ 
+ 	memset(&req, 0, sizeof(req));
+@@ -773,6 +792,8 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 	if (fru->access && fru_data_rqst_size > 16)
+ #endif
+ 		fru_data_rqst_size = 16;
++
++	size_left_in_buffer = length;
+ 	do {
+ 		tmp = fru->access ? off >> 1 : off;
+ 		msg_data[0] = id;
+@@ -804,8 +825,16 @@ read_fru_area_section(struct ipmi_intf * intf, struct fru_info *fru, uint8_t id,
+ 		}
+ 
+ 		tmp = fru->access ? rsp->data[0] << 1 : rsp->data[0];
++		if(rsp->data_len < 1
++		   || tmp > rsp->data_len - 1
++		   || tmp > size_left_in_buffer)
++		{
++			printf(" Not enough buffer size");
++			return -1;
++		}
+ 		memcpy((frubuf + off)-offset, rsp->data + 1, tmp);
+ 		off += tmp;
++		size_left_in_buffer -= tmp;
+ 
+ 		/* sometimes the size returned in the Info command
+ 		* is too large.  return 0 so higher level function
+-- 
+2.20.1
+
diff --git a/buildroot/package/ipmitool/0009-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch b/buildroot/package/ipmitool/0009-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
new file mode 100644
index 000000000..213a2ad7b
--- /dev/null
+++ b/buildroot/package/ipmitool/0009-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
@@ -0,0 +1,52 @@
+From 879f57c3b1ff17b1ca0dbdc8aac9c7a814e876fc Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:44:18 +0000
+Subject: [PATCH] fru: Fix buffer overflow in ipmi_spd_print_fru
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `ipmi_spd_print_fru` function has a similar issue as the one fixed
+by the previous commit in `read_fru_area_section`. An initial request is
+made to get the `fru.size`, which is used as the size for the allocation
+of `spd_data`. Inside a loop, further requests are performed to get the
+copy sizes which are not checked before being used as the size for a
+copy into the buffer.
+
+[Retrieve from:
+https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10]
+Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
+---
+ lib/dimm_spd.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/dimm_spd.c b/lib/dimm_spd.c
+index 41e30db..68f3b4f 100644
+--- a/lib/dimm_spd.c
++++ b/lib/dimm_spd.c
+@@ -1621,7 +1621,7 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
+ 	struct ipmi_rq req;
+ 	struct fru_info fru;
+ 	uint8_t *spd_data, msg_data[4];
+-	int len, offset;
++	uint32_t len, offset;
+ 
+ 	msg_data[0] = id;
+ 
+@@ -1697,6 +1697,13 @@ ipmi_spd_print_fru(struct ipmi_intf * intf, uint8_t id)
+ 		}
+ 
+ 		len = rsp->data[0];
++		if(rsp->data_len < 1
++		   || len > rsp->data_len - 1
++		   || len > fru.size - offset)
++		{
++			printf(" Not enough buffer size");
++			return -1;
++		}
+ 		memcpy(&spd_data[offset], rsp->data + 1, len);
+ 		offset += len;
+ 	} while (offset < fru.size);
+-- 
+2.20.1
+
diff --git a/buildroot/package/ipmitool/0010-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch b/buildroot/package/ipmitool/0010-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
new file mode 100644
index 000000000..94a5ce650
--- /dev/null
+++ b/buildroot/package/ipmitool/0010-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
@@ -0,0 +1,52 @@
+From cd785a7fe4f42ab59bcefcf01b9175f039af29b5 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:51:49 +0000
+Subject: [PATCH] session: Fix buffer overflow in ipmi_get_session_info
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `ipmi_get_session_info` function does not properly check the
+response `data_len`, which is used as a copy size, allowing stack buffer
+overflow.
+
+[Retrieve from:
+https://github.com/ipmitool/ipmitool/commit/41d7026946fafbd4d1ec0bcaca3ea30a6e8eed22]
+Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
+---
+ lib/ipmi_session.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/ipmi_session.c b/lib/ipmi_session.c
+index 141f0f4..b9af1fd 100644
+--- a/lib/ipmi_session.c
++++ b/lib/ipmi_session.c
+@@ -309,8 +309,10 @@ ipmi_get_session_info(struct ipmi_intf         * intf,
+ 		}
+ 		else
+ 		{
+-			memcpy(&session_info,  rsp->data, rsp->data_len);
+-			print_session_info(&session_info, rsp->data_len);
++			memcpy(&session_info,  rsp->data,
++			       __min(rsp->data_len, sizeof(session_info)));
++			print_session_info(&session_info,
++			                   __min(rsp->data_len, sizeof(session_info)));
+ 		}
+ 		break;
+ 		
+@@ -341,8 +343,10 @@ ipmi_get_session_info(struct ipmi_intf         * intf,
+ 				break;
+ 			}
+ 
+-			memcpy(&session_info,  rsp->data, rsp->data_len);
+-			print_session_info(&session_info, rsp->data_len);
++			memcpy(&session_info,  rsp->data,
++			       __min(rsp->data_len, sizeof(session_info)));
++			print_session_info(&session_info,
++			                   __min(rsp->data_len, sizeof(session_info)));
+ 			
+ 		} while (i <= session_info.session_slot_count);
+ 		break;
+-- 
+2.20.1
+
diff --git a/buildroot/package/ipmitool/0011-channel-Fix-buffer-overflow.patch b/buildroot/package/ipmitool/0011-channel-Fix-buffer-overflow.patch
new file mode 100644
index 000000000..62e04c3e2
--- /dev/null
+++ b/buildroot/package/ipmitool/0011-channel-Fix-buffer-overflow.patch
@@ -0,0 +1,46 @@
+From 1d479fc61feacc64adea64da9601f3dfcf6f74b3 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 16:56:38 +0000
+Subject: [PATCH] channel: Fix buffer overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `ipmi_get_channel_cipher_suites` function does not properly check
+the final response’s `data_len`, which can lead to stack buffer overflow
+on the final copy.
+
+[Retrieve from:
+https://github.com/ipmitool/ipmitool/commit/9452be87181a6e83cfcc768b3ed8321763db50e4
+
+The patch is slightly modified manually. The define
+(MAX_CIPHER_SUITE_DATA_LEN) was introduced upstream in another patch.
+Replace the define by the value 0x10.]
+
+Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
+---
+ lib/ipmi_channel.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/ipmi_channel.c b/lib/ipmi_channel.c
+index fab2e54..59ac227 100644
+--- a/lib/ipmi_channel.c
++++ b/lib/ipmi_channel.c
+@@ -413,7 +413,10 @@ ipmi_get_channel_cipher_suites(struct ipmi_intf *intf, const char *payload_type,
+ 			lprintf(LOG_ERR, "Unable to Get Channel Cipher Suites");
+ 			return -1;
+ 		}
+-		if (rsp->ccode > 0) {
++		if (rsp->ccode
++		    || rsp->data_len < 1
++		    || rsp->data_len > sizeof(uint8_t) + 0x10)
++		{
+ 			lprintf(LOG_ERR, "Get Channel Cipher Suites failed: %s",
+ 					val2str(rsp->ccode, completion_code_vals));
+ 			return -1;
+-- 
+2.20.1
+
diff --git a/buildroot/package/ipmitool/0012-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch b/buildroot/package/ipmitool/0012-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
new file mode 100644
index 000000000..aba9ad2c7
--- /dev/null
+++ b/buildroot/package/ipmitool/0012-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
@@ -0,0 +1,92 @@
+From ceebf5998b71e11c81133680560b498977d3d3cd Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 17:06:39 +0000
+Subject: [PATCH] lanp: Fix buffer overflows in get_lan_param_select
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Partial fix for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+The `get_lan_param_select` function is missing a validation check on the
+response’s `data_len`, which it then returns to caller functions, where
+stack buffer overflow can occur.
+
+[Retrieve from:
+https://github.com/ipmitool/ipmitool/commit/d45572d71e70840e0d4c50bf48218492b79c1a10]
+Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
+---
+ lib/ipmi_lanp.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/lib/ipmi_lanp.c b/lib/ipmi_lanp.c
+index 65d881b..022c7f1 100644
+--- a/lib/ipmi_lanp.c
++++ b/lib/ipmi_lanp.c
+@@ -1809,7 +1809,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 		/* set new ipaddr */
+ 		memcpy(data+3, temp, 4);
+ 		printf("Setting LAN Alert %d IP Address to %d.%d.%d.%d\n", alert,
+@@ -1824,7 +1824,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 		/* set new macaddr */
+ 		memcpy(data+7, temp, 6);
+ 		printf("Setting LAN Alert %d MAC Address to "
+@@ -1838,7 +1838,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 
+ 		if (strncasecmp(argv[1], "def", 3) == 0 ||
+ 		    strncasecmp(argv[1], "default", 7) == 0) {
+@@ -1864,7 +1864,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 
+ 		if (strncasecmp(argv[1], "on", 2) == 0 ||
+ 		    strncasecmp(argv[1], "yes", 3) == 0) {
+@@ -1889,7 +1889,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 
+ 		if (strncasecmp(argv[1], "pet", 3) == 0) {
+ 			printf("Setting LAN Alert %d destination to PET Trap\n", alert);
+@@ -1917,7 +1917,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 
+ 		if (str2uchar(argv[1], &data[2]) != 0) {
+ 			lprintf(LOG_ERR, "Invalid time: %s", argv[1]);
+@@ -1933,7 +1933,7 @@ ipmi_lan_alert_set(struct ipmi_intf * intf, uint8_t chan, uint8_t alert,
+ 		if (p == NULL) {
+ 			return (-1);
+ 		}
+-		memcpy(data, p->data, p->data_len);
++		memcpy(data, p->data, __min(p->data_len, sizeof(data)));
+ 
+ 		if (str2uchar(argv[1], &data[3]) != 0) {
+ 			lprintf(LOG_ERR, "Invalid retry: %s", argv[1]);
+-- 
+2.20.1
+
diff --git a/buildroot/package/ipmitool/0013-fru-sdr-Fix-id_string-buffer-overflows.patch b/buildroot/package/ipmitool/0013-fru-sdr-Fix-id_string-buffer-overflows.patch
new file mode 100644
index 000000000..2a519f3c7
--- /dev/null
+++ b/buildroot/package/ipmitool/0013-fru-sdr-Fix-id_string-buffer-overflows.patch
@@ -0,0 +1,141 @@
+From bf3ded3a474d85da99eb717acdcd8ff4f89f9879 Mon Sep 17 00:00:00 2001
+From: Chrostoper Ertl <chertl@microsoft.com>
+Date: Thu, 28 Nov 2019 17:13:45 +0000
+Subject: [PATCH] fru, sdr: Fix id_string buffer overflows
+
+Final part of the fixes for CVE-2020-5208, see
+https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
+
+9 variants of stack buffer overflow when parsing `id_string` field of
+SDR records returned from `CMD_GET_SDR` command.
+
+SDR record structs have an `id_code` field, and an `id_string` `char`
+array.
+
+The length of `id_string` is calculated as `(id_code & 0x1f) + 1`,
+which can be larger than expected 16 characters (if `id_code = 0xff`,
+then length will be `(0xff & 0x1f) + 1 = 32`).
+
+In numerous places, this can cause stack buffer overflow when copying
+into fixed buffer of size `17` bytes from this calculated length.
+
+[Retrieve from:
+https://github.com/ipmitool/ipmitool/commit/7ccea283dd62a05a320c1921e3d8d71a87772637]
+Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
+---
+ lib/ipmi_fru.c |  2 +-
+ lib/ipmi_sdr.c | 40 ++++++++++++++++++++++++----------------
+ 2 files changed, 25 insertions(+), 17 deletions(-)
+
+diff --git a/lib/ipmi_fru.c b/lib/ipmi_fru.c
+index af99aa9..98bc984 100644
+--- a/lib/ipmi_fru.c
++++ b/lib/ipmi_fru.c
+@@ -3062,7 +3062,7 @@ ipmi_fru_print(struct ipmi_intf * intf, struct sdr_record_fru_locator * fru)
+ 		return 0;
+ 
+ 	memset(desc, 0, sizeof(desc));
+-	memcpy(desc, fru->id_string, fru->id_code & 0x01f);
++	memcpy(desc, fru->id_string, __min(fru->id_code & 0x01f, sizeof(desc)));
+ 	desc[fru->id_code & 0x01f] = 0;
+ 	printf("FRU Device Description : %s (ID %d)\n", desc, fru->device_id);
+ 
+diff --git a/lib/ipmi_sdr.c b/lib/ipmi_sdr.c
+index 2a9cbe3..62aac08 100644
+--- a/lib/ipmi_sdr.c
++++ b/lib/ipmi_sdr.c
+@@ -2084,7 +2084,7 @@ ipmi_sdr_print_sensor_eventonly(struct ipmi_intf *intf,
+ 		return -1;
+ 
+ 	memset(desc, 0, sizeof (desc));
+-	snprintf(desc, (sensor->id_code & 0x1f) + 1, "%s", sensor->id_string);
++	snprintf(desc, sizeof(desc), "%.*s", (sensor->id_code & 0x1f) + 1, sensor->id_string);
+ 
+ 	if (verbose) {
+ 		printf("Sensor ID              : %s (0x%x)\n",
+@@ -2135,7 +2135,7 @@ ipmi_sdr_print_sensor_mc_locator(struct ipmi_intf *intf,
+ 		return -1;
+ 
+ 	memset(desc, 0, sizeof (desc));
+-	snprintf(desc, (mc->id_code & 0x1f) + 1, "%s", mc->id_string);
++	snprintf(desc, sizeof(desc), "%.*s", (mc->id_code & 0x1f) + 1, mc->id_string);
+ 
+ 	if (verbose == 0) {
+ 		if (csv_output)
+@@ -2228,7 +2228,7 @@ ipmi_sdr_print_sensor_generic_locator(struct ipmi_intf *intf,
+ 	char desc[17];
+ 
+ 	memset(desc, 0, sizeof (desc));
+-	snprintf(desc, (dev->id_code & 0x1f) + 1, "%s", dev->id_string);
++	snprintf(desc, sizeof(desc), "%.*s", (dev->id_code & 0x1f) + 1, dev->id_string);
+ 
+ 	if (!verbose) {
+ 		if (csv_output)
+@@ -2285,7 +2285,7 @@ ipmi_sdr_print_sensor_fru_locator(struct ipmi_intf *intf,
+ 	char desc[17];
+ 
+ 	memset(desc, 0, sizeof (desc));
+-	snprintf(desc, (fru->id_code & 0x1f) + 1, "%s", fru->id_string);
++	snprintf(desc, sizeof(desc), "%.*s", (fru->id_code & 0x1f) + 1, fru->id_string);
+ 
+ 	if (!verbose) {
+ 		if (csv_output)
+@@ -2489,35 +2489,43 @@ ipmi_sdr_print_name_from_rawentry(struct ipmi_intf *intf, uint16_t id,
+ 
+    int rc =0;
+    char desc[17];
++   const char *id_string;
++   uint8_t id_code;
+    memset(desc, ' ', sizeof (desc));
+ 
+    switch ( type) {
+       case SDR_RECORD_TYPE_FULL_SENSOR:
+       record.full = (struct sdr_record_full_sensor *) raw;
+-      snprintf(desc, (record.full->id_code & 0x1f) +1, "%s",
+-               (const char *)record.full->id_string);
++      id_code = record.full->id_code;
++      id_string = record.full->id_string;
+       break;
++
+       case SDR_RECORD_TYPE_COMPACT_SENSOR:
+       record.compact = (struct sdr_record_compact_sensor *) raw	;
+-      snprintf(desc, (record.compact->id_code & 0x1f)  +1, "%s",
+-               (const char *)record.compact->id_string);
++      id_code = record.compact->id_code;
++      id_string = record.compact->id_string;
+       break;
++
+       case SDR_RECORD_TYPE_EVENTONLY_SENSOR:
+       record.eventonly  = (struct sdr_record_eventonly_sensor *) raw ;
+-      snprintf(desc, (record.eventonly->id_code & 0x1f)  +1, "%s",
+-               (const char *)record.eventonly->id_string);
+-      break;            
++      id_code = record.eventonly->id_code;
++      id_string = record.eventonly->id_string;
++      break;
++
+       case SDR_RECORD_TYPE_MC_DEVICE_LOCATOR:
+       record.mcloc  = (struct sdr_record_mc_locator *) raw ;
+-      snprintf(desc, (record.mcloc->id_code & 0x1f)  +1, "%s",
+-               (const char *)record.mcloc->id_string);		
++      id_code = record.mcloc->id_code;
++      id_string = record.mcloc->id_string;
+       break;
++
+       default:
+       rc = -1;
+-      break;
+-   }   
++   }
++   if (!rc) {
++       snprintf(desc, sizeof(desc), "%.*s", (id_code & 0x1f) + 1, id_string);
++   }
+ 
+-      lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc);
++   lprintf(LOG_INFO, "ID: 0x%04x , NAME: %-16s", id, desc);
+    return rc;
+ }
+ 
+-- 
+2.20.1
+
diff --git a/buildroot/package/ipmitool/ipmitool.mk b/buildroot/package/ipmitool/ipmitool.mk
index 525466887..123dd274f 100644
--- a/buildroot/package/ipmitool/ipmitool.mk
+++ b/buildroot/package/ipmitool/ipmitool.mk
@@ -10,6 +10,14 @@ IPMITOOL_SITE = http://downloads.sourceforge.net/project/ipmitool/ipmitool/$(IPM
 IPMITOOL_LICENSE = BSD-3-Clause
 IPMITOOL_LICENSE_FILES = COPYING
 
+# 0008-fru-Fix-buffer-overflow-vulnerabilities.patch
+# 0009-fru-Fix-buffer-overflow-in-ipmi_spd_print_fru.patch
+# 0010-session-Fix-buffer-overflow-in-ipmi_get_session_info.patch
+# 0011-channel-Fix-buffer-overflow.patch
+# 0012-lanp-Fix-buffer-overflows-in-get_lan_param_select.patch
+# 0013-fru-sdr-Fix-id_string-buffer-overflows.patch
+IPMITOOL_IGNORE_CVES += CVE-2020-5208
+
 ifeq ($(BR2_PACKAGE_IPMITOOL_LANPLUS),y)
 IPMITOOL_DEPENDENCIES += openssl
 IPMITOOL_CONF_OPTS += --enable-intf-lanplus
diff --git a/buildroot/package/iputils/iputils.mk b/buildroot/package/iputils/iputils.mk
index 0d260891e..d09bc58b3 100644
--- a/buildroot/package/iputils/iputils.mk
+++ b/buildroot/package/iputils/iputils.mk
@@ -40,13 +40,8 @@ IPUTILS_DEPENDENCIES += libgcrypt
 else ifeq ($(BR2_PACKAGE_OPENSSL),y)
 IPUTILS_CONF_OPTS += -DUSE_CRYPTO=openssl
 IPUTILS_DEPENDENCIES += openssl
-else ifeq ($(BR2_PACKAGE_LINUX_HEADERS),y)
-IPUTILS_CONF_OPTS += -DUSE_CRYPTO=kernel
-IPUTILS_DEPENDENCIES += linux-headers
 else
-IPUTILS_CONF_OPTS += -DUSE_CRYPTO=none
-# BUILD_NINFOD=true and USE_CRYPTO=none cannot be combined
-IPUTILS_NINFOD = n
+IPUTILS_CONF_OPTS += -DUSE_CRYPTO=kernel
 endif
 
 ifeq ($(BR2_PACKAGE_SYSTEMD),y)
diff --git a/buildroot/package/janus-gateway/Config.in b/buildroot/package/janus-gateway/Config.in
index 9b70fa0ca..45990b633 100644
--- a/buildroot/package/janus-gateway/Config.in
+++ b/buildroot/package/janus-gateway/Config.in
@@ -59,12 +59,11 @@ comment "transports"
 
 config BR2_PACKAGE_JANUS_GATEWAY_MQTT
 	bool "MQTT"
-	depends on !BR2_STATIC_LIBS
 	depends on BR2_TOOLCHAIN_HAS_THREADS
 	select BR2_PACKAGE_PAHO_MQTT_C
 
-comment "MQTT transport needs a toolchain w/ threads and dynamic library support"
-	depends on BR2_STATIC_LIBS || !BR2_TOOLCHAIN_HAS_THREADS
+comment "MQTT transport needs a toolchain w/ threads"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS
 
 config BR2_PACKAGE_JANUS_GATEWAY_RABBITMQ
 	bool "RabbitMQ"
@@ -89,7 +88,6 @@ config BR2_PACKAGE_JANUS_GATEWAY_UNIX_SOCKETS
 
 config BR2_PACKAGE_JANUS_GATEWAY_WEBSOCKETS
 	bool "WebSockets"
-	depends on BR2_USE_MMU
 	select BR2_PACKAGE_LIBWEBSOCKETS
 
 endif
diff --git a/buildroot/package/jasper/0001-verify-data-range-CVE-2018-19541.patch b/buildroot/package/jasper/0001-verify-data-range-CVE-2018-19541.patch
deleted file mode 100644
index 35b4299dc..000000000
--- a/buildroot/package/jasper/0001-verify-data-range-CVE-2018-19541.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 24fc4d6f01d2d4c8297d1bebec02360f796e01c2 Mon Sep 17 00:00:00 2001
-From: Michael Vetter <jubalh@iodoru.org>
-Date: Mon, 4 Nov 2019 18:17:44 +0100
-Subject: [PATCH] Verify range data in jp2_pclr_getdata
-
-This fixes CVE-2018-19541.
-We need to verify the data is in the expected range. Otherwise we get
-problems later.
-
-This is a better fix for https://github.com/mdadams/jasper/pull/199
-which caused segfaults under certain circumstances.
-
-Patch by Adam Majer <adam.majer@suse.de>
-Signed-off-by: Michael Vetter <jubalh@iodoru.org>
----
- src/libjasper/jp2/jp2_cod.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/libjasper/jp2/jp2_cod.c b/src/libjasper/jp2/jp2_cod.c
-index 890e6ad..0f8d804 100644
---- a/src/libjasper/jp2/jp2_cod.c
-+++ b/src/libjasper/jp2/jp2_cod.c
-@@ -855,6 +855,12 @@ static int jp2_pclr_getdata(jp2_box_t *box, jas_stream_t *in)
- 	  jp2_getuint8(in, &pclr->numchans)) {
- 		return -1;
- 	}
-+
-+    // verify in range data as per I.5.3.4 - Palette box
-+    if (pclr->numchans < 1 || pclr->numlutents < 1 || pclr->numlutents > 1024) {
-+        return -1;
-+    }
-+
- 	lutsize = pclr->numlutents * pclr->numchans;
- 	if (!(pclr->lutdata = jas_alloc2(lutsize, sizeof(int_fast32_t)))) {
- 		return -1;
diff --git a/buildroot/package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch b/buildroot/package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch
deleted file mode 100644
index 515a6162c..000000000
--- a/buildroot/package/jasper/0002-check-null-in-jp2_decode-CVE-2018-19542.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From fc62d1b7164ded2405fd6a0604548b34a5a77462 Mon Sep 17 00:00:00 2001
-From: Timothy Lyanguzov <timothy.lyanguzov@sap.com>
-Date: Mon, 18 Mar 2019 16:46:24 +1300
-Subject: [PATCH] Fix CVE-2018-19542: Check for NULL pointer in jp2_decode
-
-Signed-off-by: Michael Vetter <jubalh@iodoru.org>
----
- src/libjasper/jp2/jp2_dec.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/libjasper/jp2/jp2_dec.c b/src/libjasper/jp2/jp2_dec.c
-index 03b0eaf..a535c19 100644
---- a/src/libjasper/jp2/jp2_dec.c
-+++ b/src/libjasper/jp2/jp2_dec.c
-@@ -388,6 +388,9 @@ jas_image_t *jp2_decode(jas_stream_t *in, const char *optstr)
- 				jas_image_setcmpttype(dec->image, newcmptno, jp2_getct(jas_image_clrspc(dec->image), 0, channo + 1));
- 				}
- #endif
-+			} else {
-+				jas_eprintf("error: invalid MTYP in CMAP box\n");
-+				goto error;
- 			}
- 		}
- 	}
diff --git a/buildroot/package/jasper/0003-test-asclen-CVE-2018-19540.patch b/buildroot/package/jasper/0003-test-asclen-CVE-2018-19540.patch
deleted file mode 100644
index 9401da511..000000000
--- a/buildroot/package/jasper/0003-test-asclen-CVE-2018-19540.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From e38454aa1a15b78c028a778fc8bfba3587e25c25 Mon Sep 17 00:00:00 2001
-From: Michael Vetter <jubalh@iodoru.org>
-Date: Fri, 15 Mar 2019 11:01:02 +0100
-Subject: [PATCH] Make sure asclen is at least 1
-
-If txtdesc->asclen is < 1, the array index of txtdesc->ascdata will be negative which causes the heap based overflow.
-
-Regards CVE-2018-19540.
-Regards https://github.com/mdadams/jasper/issues/182 bug#3
-Fix by Markus Koschany <apo@debian.org>.
-From https://gist.github.com/apoleon/13598a45bf6522f6a79b77a629205823
-Signed-off-by: Michael Vetter <jubalh@iodoru.org>
----
- src/libjasper/base/jas_icc.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/libjasper/base/jas_icc.c b/src/libjasper/base/jas_icc.c
-index 4607930..762c0e8 100644
---- a/src/libjasper/base/jas_icc.c
-+++ b/src/libjasper/base/jas_icc.c
-@@ -1104,6 +1104,8 @@ static int jas_icctxtdesc_input(jas_iccattrval_t *attrval, jas_stream_t *in,
- 	if (jas_stream_read(in, txtdesc->ascdata, txtdesc->asclen) !=
- 	  JAS_CAST(int, txtdesc->asclen))
- 		goto error;
-+	if (txtdesc->asclen < 1)
-+		goto error;
- 	txtdesc->ascdata[txtdesc->asclen - 1] = '\0';
- 	if (jas_iccgetuint32(in, &txtdesc->uclangcode) ||
- 	  jas_iccgetuint32(in, &txtdesc->uclen))
diff --git a/buildroot/package/jasper/jasper.hash b/buildroot/package/jasper/jasper.hash
index 7e9ce0ea9..67ad90d73 100644
--- a/buildroot/package/jasper/jasper.hash
+++ b/buildroot/package/jasper/jasper.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256 f1d8b90f231184d99968f361884e2054a1714fdbbd9944ba1ae4ebdcc9bbfdb1  jasper-2.0.16.tar.gz
+sha256 b9d16162a088617ada36450f2374d72165377cb64b33ed197c200bcfb73ec76c  jasper-2.0.19.tar.gz
 sha256 4ad1bb42aff888c4403d792e6e2c5f1716d6c279fea70b296333c9d577d30b81  LICENSE
diff --git a/buildroot/package/jasper/jasper.mk b/buildroot/package/jasper/jasper.mk
index 287c35888..f6ae2ead7 100644
--- a/buildroot/package/jasper/jasper.mk
+++ b/buildroot/package/jasper/jasper.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-JASPER_VERSION = 2.0.16
-JASPER_SITE = $(call github,mdadams,jasper,version-$(JASPER_VERSION))
+JASPER_VERSION = 2.0.19
+JASPER_SITE = $(call github,jasper-software,jasper,version-$(JASPER_VERSION))
 JASPER_INSTALL_STAGING = YES
 JASPER_LICENSE = JasPer-2.0
 JASPER_LICENSE_FILES = LICENSE
diff --git a/buildroot/package/json-c/json-c.hash b/buildroot/package/json-c/json-c.hash
index 0e0300747..a20d370eb 100644
--- a/buildroot/package/json-c/json-c.hash
+++ b/buildroot/package/json-c/json-c.hash
@@ -1,4 +1,4 @@
 # From https://github.com/json-c/json-c/wiki
-sha256 b87e608d4d3f7bfdd36ef78d56d53c74e66ab278d318b71e6002a369d36f4873  json-c-0.13.1.tar.gz
+sha256  b8d80a1ddb718b3ba7492916237bbf86609e9709fb007e7f7d4322f02341a4c6  json-c-0.15.tar.gz
 # Locally calculated
-sha256 74c1e6ca5eba76b54d0ad00d4815c8315c1b3bc45ff99de61d103dc92486284c  COPYING
+sha256  74c1e6ca5eba76b54d0ad00d4815c8315c1b3bc45ff99de61d103dc92486284c  COPYING
diff --git a/buildroot/package/json-c/json-c.mk b/buildroot/package/json-c/json-c.mk
index 2788fe563..5e27c9b23 100644
--- a/buildroot/package/json-c/json-c.mk
+++ b/buildroot/package/json-c/json-c.mk
@@ -4,19 +4,11 @@
 #
 ################################################################################
 
-JSON_C_VERSION = 0.13.1
+JSON_C_VERSION = 0.15
 JSON_C_SITE = https://s3.amazonaws.com/json-c_releases/releases
 JSON_C_INSTALL_STAGING = YES
 JSON_C_LICENSE = MIT
 JSON_C_LICENSE_FILES = COPYING
 
-# update config.h.in timestamp to avoid autoheader run
-define JSON_C_UPDATE_CONFIG_TIMESTAMP
-	touch $(@D)/config.h.in
-endef
-
-JSON_C_POST_EXTRACT_HOOKS += JSON_C_UPDATE_CONFIG_TIMESTAMP
-HOST_JSON_C_POST_EXTRACT_HOOKS += JSON_C_UPDATE_CONFIG_TIMESTAMP
-
-$(eval $(autotools-package))
-$(eval $(host-autotools-package))
+$(eval $(cmake-package))
+$(eval $(host-cmake-package))
diff --git a/buildroot/package/libcurl/0001-bearssl-fix-build-with-disabled-proxy-support.patch b/buildroot/package/libcurl/0001-bearssl-fix-build-with-disabled-proxy-support.patch
deleted file mode 100644
index b6d89859b..000000000
--- a/buildroot/package/libcurl/0001-bearssl-fix-build-with-disabled-proxy-support.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 3a46be47cad5a3498b5f6d6007b7d1fe5b8dff78 Mon Sep 17 00:00:00 2001
-Message-Id: <3a46be47cad5a3498b5f6d6007b7d1fe5b8dff78.1594274321.git.baruch@tkos.co.il>
-From: Baruch Siach <baruch@tkos.co.il>
-Date: Thu, 9 Jul 2020 08:14:49 +0300
-Subject: [PATCH] bearssl: fix build with disabled proxy support
-
-Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
-defined.
-
-Signed-off-by: Baruch Siach <baruch@tkos.co.il>
----
-Upstream status: https://github.com/curl/curl/pull/5666
-
- lib/vtls/bearssl.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
-index 628e16a124a9..44e7406e8e39 100644
---- a/lib/vtls/bearssl.c
-+++ b/lib/vtls/bearssl.c
-@@ -300,8 +300,12 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex)
-   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
-   struct ssl_backend_data *backend = connssl->backend;
-   const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
-+#ifndef CURL_DISABLE_PROXY
-   const char *hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
-     conn->host.name;
-+#else
-+  const char *hostname = conn->host.name;
-+#endif
-   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
-   const bool verifyhost = SSL_CONN_CONFIG(verifyhost);
-   CURLcode ret;
-@@ -386,8 +390,11 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex)
-      */
- 
- #ifdef USE_NGHTTP2
--    if(data->set.httpversion >= CURL_HTTP_VERSION_2 &&
--       (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) {
-+    if(data->set.httpversion >= CURL_HTTP_VERSION_2
-+#ifndef CURL_DISABLE_PROXY
-+      && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
-+#endif
-+      ) {
-       backend->protocols[cur++] = NGHTTP2_PROTO_VERSION_ID;
-       infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
-     }
--- 
-2.27.0
-
diff --git a/buildroot/package/libcurl/0002-nss-fix-build-with-disabled-proxy-support.patch b/buildroot/package/libcurl/0002-nss-fix-build-with-disabled-proxy-support.patch
deleted file mode 100644
index 0d1286338..000000000
--- a/buildroot/package/libcurl/0002-nss-fix-build-with-disabled-proxy-support.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-From d040da28f57d0b3fcd6f63809a8c85a600f87a62 Mon Sep 17 00:00:00 2001
-Message-Id: <d040da28f57d0b3fcd6f63809a8c85a600f87a62.1594274337.git.baruch@tkos.co.il>
-From: Baruch Siach <baruch@tkos.co.il>
-Date: Thu, 9 Jul 2020 08:14:49 +0300
-Subject: [PATCH] nss: fix build with disabled proxy support
-
-Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
-defined.
-
-Signed-off-by: Baruch Siach <baruch@tkos.co.il>
----
-Upstream status: https://github.com/curl/curl/pull/5667
-
- lib/vtls/nss.c | 44 +++++++++++++++++++++++++++++++++++---------
- 1 file changed, 35 insertions(+), 9 deletions(-)
-
-diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
-index fca292613815..0f0d1ee6c80f 100644
---- a/lib/vtls/nss.c
-+++ b/lib/vtls/nss.c
-@@ -1027,9 +1027,11 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
-   CERTCertificate *cert;
- 
-   /* remember the cert verification result */
-+#ifndef CURL_DISABLE_PROXY
-   if(SSL_IS_PROXY())
-     data->set.proxy_ssl.certverifyresult = err;
-   else
-+#endif
-     data->set.ssl.certverifyresult = err;
- 
-   if(err == SSL_ERROR_BAD_CERT_DOMAIN && !SSL_CONN_CONFIG(verifyhost))
-@@ -1553,24 +1555,32 @@ static void nss_close(struct ssl_connect_data *connssl)
- static void Curl_nss_close(struct connectdata *conn, int sockindex)
- {
-   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
-+#ifndef CURL_DISABLE_PROXY
-   struct ssl_connect_data *connssl_proxy = &conn->proxy_ssl[sockindex];
-+#endif
-   struct ssl_backend_data *backend = connssl->backend;
- 
--  if(backend->handle || connssl_proxy->backend->handle) {
-+  if(backend->handle
-+#ifndef CURL_DISABLE_PROXY
-+    || connssl_proxy->backend->handle
-+#endif
-+    ) {
-     /* NSS closes the socket we previously handed to it, so we must mark it
-        as closed to avoid double close */
-     fake_sclose(conn->sock[sockindex]);
-     conn->sock[sockindex] = CURL_SOCKET_BAD;
-   }
- 
-+#ifndef CURL_DISABLE_PROXY
-   if(backend->handle)
-     /* nss_close(connssl) will transitively close also
-        connssl_proxy->backend->handle if both are used. Clear it to avoid
-        a double close leading to crash. */
-     connssl_proxy->backend->handle = NULL;
- 
--  nss_close(connssl);
-   nss_close(connssl_proxy);
-+#endif
-+  nss_close(connssl);
- }
- 
- /* return true if NSS can provide error code (and possibly msg) for the
-@@ -1828,6 +1838,12 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
-   CURLcode result;
-   bool second_layer = FALSE;
-   SSLVersionRange sslver_supported;
-+#ifndef CURL_DISABLE_PROXY
-+  const char *hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
-+    conn->host.name;
-+#else
-+  const char *hostname = conn->host.name;
-+#endif
- 
-   SSLVersionRange sslver = {
-     SSL_LIBRARY_VERSION_TLS_1_0,  /* min */
-@@ -1932,9 +1948,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
-     goto error;
- 
-   /* not checked yet */
-+#ifndef CURL_DISABLE_PROXY
-   if(SSL_IS_PROXY())
-     data->set.proxy_ssl.certverifyresult = 0;
-   else
-+#endif
-     data->set.ssl.certverifyresult = 0;
- 
-   if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess)
-@@ -1991,12 +2009,14 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
-     goto error;
-   }
- 
-+#ifndef CURL_DISABLE_PROXY
-   if(conn->proxy_ssl[sockindex].use) {
-     DEBUGASSERT(ssl_connection_complete == conn->proxy_ssl[sockindex].state);
-     DEBUGASSERT(conn->proxy_ssl[sockindex].backend->handle != NULL);
-     nspr_io = conn->proxy_ssl[sockindex].backend->handle;
-     second_layer = TRUE;
-   }
-+#endif
-   else {
-     /* wrap OS file descriptor by NSPR's file descriptor abstraction */
-     nspr_io = PR_ImportTCPSocket(sockfd);
-@@ -2077,8 +2097,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
-     unsigned char protocols[128];
- 
- #ifdef USE_NGHTTP2
--    if(data->set.httpversion >= CURL_HTTP_VERSION_2 &&
--       (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) {
-+    if(data->set.httpversion >= CURL_HTTP_VERSION_2
-+#ifndef CURL_DISABLE_PROXY
-+      && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
-+#endif
-+      ) {
-       protocols[cur++] = NGHTTP2_PROTO_VERSION_ID_LEN;
-       memcpy(&protocols[cur], NGHTTP2_PROTO_VERSION_ID,
-           NGHTTP2_PROTO_VERSION_ID_LEN);
-@@ -2101,14 +2124,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
-     goto error;
- 
-   /* propagate hostname to the TLS layer */
--  if(SSL_SetURL(backend->handle, SSL_IS_PROXY() ? conn->http_proxy.host.name :
--                conn->host.name) != SECSuccess)
-+  if(SSL_SetURL(backend->handle, hostname) != SECSuccess)
-     goto error;
- 
-   /* prevent NSS from re-using the session for a different hostname */
--  if(SSL_SetSockPeerID(backend->handle, SSL_IS_PROXY() ?
--                       conn->http_proxy.host.name : conn->host.name)
--     != SECSuccess)
-+  if(SSL_SetSockPeerID(backend->handle, hostname) != SECSuccess)
-     goto error;
- 
-   return CURLE_OK;
-@@ -2127,11 +2147,17 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
-   struct Curl_easy *data = conn->data;
-   CURLcode result = CURLE_SSL_CONNECT_ERROR;
-   PRUint32 timeout;
-+#ifndef CURL_DISABLE_PROXY
-   long * const certverifyresult = SSL_IS_PROXY() ?
-     &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
-   const char * const pinnedpubkey = SSL_IS_PROXY() ?
-               data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
-               data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+#else
-+  long * const certverifyresult = &data->set.ssl.certverifyresult;
-+  const char * const pinnedpubkey =
-+              data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+#endif
- 
- 
-   /* check timeout situation */
--- 
-2.27.0
-
diff --git a/buildroot/package/libcurl/libcurl.hash b/buildroot/package/libcurl/libcurl.hash
index 46f72c1ea..2bd1890ca 100644
--- a/buildroot/package/libcurl/libcurl.hash
+++ b/buildroot/package/libcurl/libcurl.hash
@@ -1,5 +1,5 @@
 # Locally calculated after checking pgp signature
-# https://curl.haxx.se/download/curl-7.71.1.tar.xz.asc
+# https://curl.haxx.se/download/curl-7.72.0.tar.xz.asc
 # signed with key 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2
-sha256  40f83eda27cdbeb25cd4da48cefb639af1b9395d6026d2da1825bf059239658c  curl-7.71.1.tar.xz
+sha256  0ded0808c4d85f2ee0db86980ae610cc9d165e9ca9da466196cc73c346513713  curl-7.72.0.tar.xz
 sha256  db3c4a3b3695a0f317a0c5176acd2f656d18abc45b3ee78e50935a78eb1e132e  COPYING
diff --git a/buildroot/package/libcurl/libcurl.mk b/buildroot/package/libcurl/libcurl.mk
index 2581207b0..e233926cb 100644
--- a/buildroot/package/libcurl/libcurl.mk
+++ b/buildroot/package/libcurl/libcurl.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBCURL_VERSION = 7.71.1
+LIBCURL_VERSION = 7.72.0
 LIBCURL_SOURCE = curl-$(LIBCURL_VERSION).tar.xz
 LIBCURL_SITE = https://curl.haxx.se/download
 LIBCURL_DEPENDENCIES = host-pkgconf \
diff --git a/buildroot/package/libeXosip2/Config.in b/buildroot/package/libeXosip2/Config.in
index 4cb8218f2..9fbe9789f 100644
--- a/buildroot/package/libeXosip2/Config.in
+++ b/buildroot/package/libeXosip2/Config.in
@@ -4,10 +4,10 @@ config BR2_PACKAGE_LIBEXOSIP2
 	select BR2_PACKAGE_LIBOSIP2
 	help
 	  eXosip is a library that hides the complexity of using the
-	  SIP protocol for mutlimedia session establishement.
+	  SIP protocol for multimedia session establishment.
 	  This protocol is mainly to be used by VoIP telephony
 	  applications (endpoints or conference server) but might be
-	  also usefull for any application that wish to establish
+	  also useful for any application that wish to establish
 	  sessions like multiplayer games.
 	  eXosip is based in libosip.
 
diff --git a/buildroot/package/libhtp/0001-htp.pc.in-add-lz-to-Libs.private.patch b/buildroot/package/libhtp/0001-htp.pc.in-add-lz-to-Libs.private.patch
deleted file mode 100644
index b21ea6053..000000000
--- a/buildroot/package/libhtp/0001-htp.pc.in-add-lz-to-Libs.private.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 39e534ab696157b244ec226d649c789dcf423e42 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Wed, 24 Apr 2019 20:48:57 +0200
-Subject: [PATCH] htp.pc.in: add -lz to Libs.private
-
-zlib is a mandatory dependency so add it to Libs.private otherwise
-static linking of packages linking with htp (e.g. suricata) will fail.
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-[Upstream status: https://github.com/OISF/libhtp/pull/294]
----
- htp.pc.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/htp.pc.in b/htp.pc.in
-index 2fec995..9b1a6cc 100644
---- a/htp.pc.in
-+++ b/htp.pc.in
-@@ -7,6 +7,6 @@ Name: @PACKAGE_NAME@
- Description: A security-aware HTTP parser, designed for use in IDS/IPS and WAF products.
- Version: @PACKAGE_VERSION@
- Libs: -L${libdir} -lhtp
--Libs.private: @LIBICONV@
-+Libs.private: -lz @LIBICONV@
- Cflags: -I${includedir} -I${libdir}/htp/include
- 
--- 
-2.20.1
-
diff --git a/buildroot/package/libhtp/libhtp.hash b/buildroot/package/libhtp/libhtp.hash
index 765acd5bf..df75336df 100644
--- a/buildroot/package/libhtp/libhtp.hash
+++ b/buildroot/package/libhtp/libhtp.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256  953651fdfe828805bb82dc1aa8b56187b0e2f80781727343e68ccf8afd6a9122  libhtp-0.5.33.tar.gz
+sha256  4c3ac4c6027710455ffe725f24ac6a83b2c13fe0afc83b74df2cca78ba46976a  libhtp-0.5.35.tar.gz
 sha256  87c93904e5434c81622ea690c2b90097b9f162aaa92a96542649a157dbf98d15  LICENSE
diff --git a/buildroot/package/libhtp/libhtp.mk b/buildroot/package/libhtp/libhtp.mk
index b77d8715f..c402cf750 100644
--- a/buildroot/package/libhtp/libhtp.mk
+++ b/buildroot/package/libhtp/libhtp.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-LIBHTP_VERSION = 0.5.33
+LIBHTP_VERSION = 0.5.35
 LIBHTP_SITE = $(call github,OISF,libhtp,$(LIBHTP_VERSION))
 LIBHTP_LICENSE = BSD-3-Clause
 LIBHTP_LICENSE_FILES = LICENSE
diff --git a/buildroot/package/libraw/libraw.hash b/buildroot/package/libraw/libraw.hash
index 3337396f5..e8117cd1f 100644
--- a/buildroot/package/libraw/libraw.hash
+++ b/buildroot/package/libraw/libraw.hash
@@ -1,5 +1,5 @@
 # Locally calculated
-sha256	40a262d7cc71702711a0faec106118ee004f86c86cc228281d12d16da03e02f5	LibRaw-0.19.5.tar.gz
-sha256	eea173a556abac0370461e57e12aab266894ea6be3874c2be05fd87871f75449	LICENSE.LGPL
-sha256	0e3098d2d54a12434715f6679ea408d57da5e8d613c385c58ecc6fe5d30cc81f	LICENSE.CDDL
-sha256	ed971b7f1f57fd8e7d28419ff7749cfe0f296e701687756e798a69555fd76646	README.md
+sha256  1f0a383da2ce9f409087facd28261decbf6be72cc90c78cd003b0766e4d694a3  LibRaw-0.20.0.tar.gz
+sha256  eea173a556abac0370461e57e12aab266894ea6be3874c2be05fd87871f75449  LICENSE.LGPL
+sha256  0e3098d2d54a12434715f6679ea408d57da5e8d613c385c58ecc6fe5d30cc81f  LICENSE.CDDL
+sha256  313415f7f48f6cd3cc78856626aab4bbe97dbb1e9a11db9c25396ca8d0e76cd9  README.md
diff --git a/buildroot/package/libraw/libraw.mk b/buildroot/package/libraw/libraw.mk
index 9a647f8d5..e33674e6f 100644
--- a/buildroot/package/libraw/libraw.mk
+++ b/buildroot/package/libraw/libraw.mk
@@ -4,15 +4,13 @@
 #
 ################################################################################
 
-LIBRAW_VERSION = 0.19.5
+LIBRAW_VERSION = 0.20.0
 LIBRAW_SOURCE = LibRaw-$(LIBRAW_VERSION).tar.gz
 LIBRAW_SITE = http://www.libraw.org/data
 LIBRAW_INSTALL_STAGING = YES
 LIBRAW_CONF_OPTS += \
 	--disable-examples \
-	--disable-openmp \
-	--disable-demosaic-pack-gpl2 \
-	--disable-demosaic-pack-gpl3
+	--disable-openmp
 LIBRAW_LICENSE = LGPL-2.1 or CDDL-1.0
 LIBRAW_LICENSE_FILES = LICENSE.LGPL LICENSE.CDDL README.md
 LIBRAW_DEPENDENCIES = host-pkgconf
@@ -43,4 +41,11 @@ else
 LIBRAW_CONF_OPTS += --disable-lcms
 endif
 
+ifeq ($(BR2_PACKAGE_ZLIB),y)
+LIBRAW_CONF_OPTS += --enable-zlib
+LIBRAW_DEPENDENCIES += zlib
+else
+LIBRAW_CONF_OPTS += --disable-zlib
+endif
+
 $(eval $(autotools-package))
diff --git a/buildroot/package/libssh/0001-libssh.h-bump-to-version-0.9.4.patch b/buildroot/package/libssh/0001-libssh.h-bump-to-version-0.9.4.patch
deleted file mode 100644
index d6ec50509..000000000
--- a/buildroot/package/libssh/0001-libssh.h-bump-to-version-0.9.4.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 8d8428cbbc2c00d078cfbc967e4e6fee7ff7bf0b Mon Sep 17 00:00:00 2001
-From: Heiko Thiery <heiko.thiery@gmail.com>
-Date: Wed, 15 Apr 2020 11:57:29 +0200
-Subject: [PATCH] libssh.h: bump to version 0.9.4
-
-In the released version of libssh the version bump was not done
-properly. Therefore the current release 0.9.4 reports 0.9.3.
-
-Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
----
- include/libssh/libssh.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/libssh/libssh.h b/include/libssh/libssh.h
-index 79030131..e2a8d991 100644
---- a/include/libssh/libssh.h
-+++ b/include/libssh/libssh.h
-@@ -79,7 +79,7 @@
- /* libssh version */
- #define LIBSSH_VERSION_MAJOR  0
- #define LIBSSH_VERSION_MINOR  9
--#define LIBSSH_VERSION_MICRO  3
-+#define LIBSSH_VERSION_MICRO  4
- 
- #define LIBSSH_VERSION_INT SSH_VERSION_INT(LIBSSH_VERSION_MAJOR, \
-                                            LIBSSH_VERSION_MINOR, \
--- 
-2.20.1
-
diff --git a/buildroot/package/libssh/0002-channels-Avoid-returning-SSH_AGAIN-from-ssh_channel_.patch b/buildroot/package/libssh/0002-channels-Avoid-returning-SSH_AGAIN-from-ssh_channel_.patch
deleted file mode 100644
index 9cc938947..000000000
--- a/buildroot/package/libssh/0002-channels-Avoid-returning-SSH_AGAIN-from-ssh_channel_.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 6417f5a3cac8537ac6f6ff7fc1642dfaa0917fb4 Mon Sep 17 00:00:00 2001
-From: Jakub Jelen <jjelen@redhat.com>
-Date: Thu, 16 Apr 2020 11:13:34 +0200
-Subject: [PATCH] channels: Avoid returning SSH_AGAIN from
- ssh_channel_poll_timeout()
-
-This addresses a regression introduced in 3bad0607, partially fixed in 022409e9,
-but the function was still able to return SSH_AGAIN, which was not expected by
-callers.
-
-Based on discussion in [1] and [2]
-
-[1] https://gitlab.com/libssh/libssh-mirror/-/merge_requests/101
-[2] https://www.libssh.org/archive/libssh/2020-03/0000029.html
-
-Signed-off-by: Jakub Jelen <jjelen@redhat.com>
-Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-
-[Backport from upstream commit:
-6417f5a3cac8537ac6f6ff7fc1642dfaa0917fb4]
-Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
----
- src/channels.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/channels.c b/src/channels.c
-index bcc1c207..9fe309d0 100644
---- a/src/channels.c
-+++ b/src/channels.c
-@@ -3116,6 +3116,12 @@ int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr)
-         session->session_state == SSH_SESSION_STATE_ERROR) {
-         rc = SSH_ERROR;
-         goto out;
-+    } else if (rc == SSH_AGAIN) {
-+        /* If the above timeout expired, it is ok and we do not need to
-+         * attempt to check the read buffer. The calling functions do not
-+         * expect us to return SSH_AGAIN either here. */
-+        rc = SSH_OK;
-+        goto out;
-     }
-     len = ssh_buffer_get_len(stdbuf);
-     if (len > 0) {
--- 
-2.20.1
-
diff --git a/buildroot/package/libssh/libssh.hash b/buildroot/package/libssh/libssh.hash
index 62b860300..bc6fa3f1f 100644
--- a/buildroot/package/libssh/libssh.hash
+++ b/buildroot/package/libssh/libssh.hash
@@ -1,5 +1,5 @@
 # Locally calculated after checking pgp signature
-# https://www.libssh.org/files/0.9/libssh-0.9.3.tar.xz.asc
+# https://www.libssh.org/files/0.9/libssh-0.9.5.tar.xz.asc
 # with key 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
-sha256  150897a569852ac05aac831dc417a7ba8e610c86ca2e0154a99c6ade2486226b  libssh-0.9.4.tar.xz
+sha256  acffef2da98e761fc1fd9c4fddde0f3af60ab44c4f5af05cd1b2d60a3fa08718  libssh-0.9.5.tar.xz
 sha256  1656186e951db1c010a8485481fa94587f7e53a26d24976bef97945ad0c4df5a  COPYING
diff --git a/buildroot/package/libssh/libssh.mk b/buildroot/package/libssh/libssh.mk
index abc9aec9a..67e3ad9f9 100644
--- a/buildroot/package/libssh/libssh.mk
+++ b/buildroot/package/libssh/libssh.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 LIBSSH_VERSION_MAJOR = 0.9
-LIBSSH_VERSION = $(LIBSSH_VERSION_MAJOR).4
+LIBSSH_VERSION = $(LIBSSH_VERSION_MAJOR).5
 LIBSSH_SOURCE = libssh-$(LIBSSH_VERSION).tar.xz
 LIBSSH_SITE = https://www.libssh.org/files/$(LIBSSH_VERSION_MAJOR)
 LIBSSH_LICENSE = LGPL-2.1
diff --git a/buildroot/package/libwebsockets/Config.in b/buildroot/package/libwebsockets/Config.in
index 2b350bf38..1d927bb4e 100644
--- a/buildroot/package/libwebsockets/Config.in
+++ b/buildroot/package/libwebsockets/Config.in
@@ -1,6 +1,5 @@
 config BR2_PACKAGE_LIBWEBSOCKETS
 	bool "libwebsockets"
-	depends on BR2_USE_MMU # fork()
 	select BR2_PACKAGE_ZLIB
 	help
 	  Libwebsockets is a lightweight pure C library built to use
diff --git a/buildroot/package/libxml-parser-perl/libxml-parser-perl.mk b/buildroot/package/libxml-parser-perl/libxml-parser-perl.mk
index fcde5fc93..37cef2e41 100644
--- a/buildroot/package/libxml-parser-perl/libxml-parser-perl.mk
+++ b/buildroot/package/libxml-parser-perl/libxml-parser-perl.mk
@@ -12,9 +12,14 @@ LIBXML_PARSER_PERL_LICENSE = Artistic or GPL-1.0+
 LIBXML_PARSER_PERL_LICENSE_FILES = README
 LIBXML_PARSER_PERL_RUN_PERL = `which perl`
 
+HOST_LIBXML_PARSER_PERL_CONFIGURE_OPTS = \
+	$(HOST_CONFIGURE_OPTS) \
+	LD="$(HOSTCC)"
+
 define HOST_LIBXML_PARSER_PERL_CONFIGURE_CMDS
 	(cd $(@D) ; \
-		$(HOST_CONFIGURE_OPTS) $(LIBXML_PARSER_PERL_RUN_PERL) Makefile.PL \
+		$(HOST_LIBXML_PARSER_PERL_CONFIGURE_OPTS) \
+			$(LIBXML_PARSER_PERL_RUN_PERL) Makefile.PL \
 			PREFIX=$(HOST_DIR) \
 			EXPATLIBPATH=$(HOST_DIR)/lib \
 			EXPATINCPATH=$(HOST_DIR)/include \
@@ -25,7 +30,7 @@ define HOST_LIBXML_PARSER_PERL_CONFIGURE_CMDS
 endef
 
 define HOST_LIBXML_PARSER_PERL_BUILD_CMDS
-	$(HOST_MAKE_ENV) $(MAKE) -C $(@D)
+	$(HOST_MAKE_ENV) $(MAKE) $(HOST_LIBXML_PARSER_PERL_CONFIGURE_OPTS) -C $(@D)
 endef
 
 define HOST_LIBXML_PARSER_PERL_INSTALL_CMDS
diff --git a/buildroot/package/libxml2/0003-Fix-out-of-bounds-read-with-xmllint--htmlout.patch b/buildroot/package/libxml2/0003-Fix-out-of-bounds-read-with-xmllint--htmlout.patch
new file mode 100644
index 000000000..460f2a3ae
--- /dev/null
+++ b/buildroot/package/libxml2/0003-Fix-out-of-bounds-read-with-xmllint--htmlout.patch
@@ -0,0 +1,40 @@
+From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Fri, 7 Aug 2020 21:54:27 +0200
+Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
+
+Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
+array access.
+
+Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
+the report.
+
+Fixes #178.
+
+[Retrieved from:
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ xmllint.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/xmllint.c b/xmllint.c
+index f6a8e4636..c647486f3 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -528,6 +528,12 @@ static void
+ xmlHTMLEncodeSend(void) {
+     char *result;
+ 
++    /*
++     * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
++     * end with a truncated UTF-8 sequence. This is a hack to at least avoid
++     * an out-of-bounds read.
++     */
++    memset(&buffer[sizeof(buffer)-4], 0, 4);
+     result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
+     if (result) {
+ 	xmlGenericError(xmlGenericErrorContext, "%s", result);
+-- 
+GitLab
+
diff --git a/buildroot/package/libxml2/libxml2.mk b/buildroot/package/libxml2/libxml2.mk
index acbdfb772..e9379b05a 100644
--- a/buildroot/package/libxml2/libxml2.mk
+++ b/buildroot/package/libxml2/libxml2.mk
@@ -13,6 +13,8 @@ LIBXML2_LICENSE_FILES = COPYING
 LIBXML2_IGNORE_CVES += CVE-2020-7595
 # 0002-Fix-memory-leak-in-xmlSchemaValidateStream.patch
 LIBXML2_IGNORE_CVES += CVE-2019-20388
+# 0003-Fix-out-of-bounds-read-with-xmllint--htmlout.patch
+LIBXML2_IGNORE_CVES += CVE-2020-24977
 LIBXML2_CONFIG_SCRIPTS = xml2-config
 
 # relocation truncated to fit: R_68K_GOT16O
diff --git a/buildroot/package/linux-headers/Config.in.host b/buildroot/package/linux-headers/Config.in.host
index 7fbd07015..87a72af6e 100644
--- a/buildroot/package/linux-headers/Config.in.host
+++ b/buildroot/package/linux-headers/Config.in.host
@@ -318,11 +318,11 @@ endchoice
 
 config BR2_DEFAULT_KERNEL_HEADERS
 	string
-	default "4.4.226"	if BR2_KERNEL_HEADERS_4_4
-	default "4.9.226"	if BR2_KERNEL_HEADERS_4_9
-	default "4.14.183"	if BR2_KERNEL_HEADERS_4_14
-	default "4.19.127"	if BR2_KERNEL_HEADERS_4_19
-	default "5.4.45"	if BR2_KERNEL_HEADERS_5_4
+	default "4.4.238"	if BR2_KERNEL_HEADERS_4_4
+	default "4.9.238"	if BR2_KERNEL_HEADERS_4_9
+	default "4.14.200"	if BR2_KERNEL_HEADERS_4_14
+	default "4.19.150"	if BR2_KERNEL_HEADERS_4_19
+	default "5.4.70"	if BR2_KERNEL_HEADERS_5_4
 	default BR2_DEFAULT_KERNEL_VERSION if BR2_KERNEL_HEADERS_VERSION
 	default "custom"	if BR2_KERNEL_HEADERS_CUSTOM_TARBALL
 	default BR2_KERNEL_HEADERS_CUSTOM_REPO_VERSION \
diff --git a/buildroot/package/live555/live555.hash b/buildroot/package/live555/live555.hash
index f5df69f24..2072b0ddf 100644
--- a/buildroot/package/live555/live555.hash
+++ b/buildroot/package/live555/live555.hash
@@ -1,5 +1,5 @@
 # From http://www.live555.com/liveMedia/public/live555-latest-md5.txt
 md5 12e105c8fef9d34658d68367dc26a3d9 live.2019.09.30.tar.gz
 # Locally generated
-sha256 ef44f48a84324525cebc2081dd2d0f1e908f2d0a79d9d30dd41967e142dfb06b  live.2019.09.30.tar.gz
-sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903  COPYING
+sha256  ef44f48a84324525cebc2081dd2d0f1e908f2d0a79d9d30dd41967e142dfb06b  live.2019.09.30.tar.gz
+sha256  da7eabb7bafdf7d3ae5e9f223aa5bdc1eece45ac569dc21b3b037520b4464768  COPYING.LESSER
diff --git a/buildroot/package/live555/live555.mk b/buildroot/package/live555/live555.mk
index cbe1c1bc0..81c8b3de8 100644
--- a/buildroot/package/live555/live555.mk
+++ b/buildroot/package/live555/live555.mk
@@ -7,8 +7,12 @@
 LIVE555_VERSION = 2019.09.30
 LIVE555_SOURCE = live.$(LIVE555_VERSION).tar.gz
 LIVE555_SITE = http://www.live555.com/liveMedia/public
-LIVE555_LICENSE = LGPL-2.1+
-LIVE555_LICENSE_FILES = COPYING
+# There is a COPYING file with the GPL-3.0 license text, but none of
+# the source files appear to be released under GPL-3.0, and the
+# project web site says it's licensed under the LGPL:
+# http://live555.com/liveMedia/faq.html#copyright-and-license
+LIVE555_LICENSE = LGPL-3.0+
+LIVE555_LICENSE_FILES = COPYING.LESSER
 LIVE555_INSTALL_STAGING = YES
 
 LIVE555_CFLAGS = $(TARGET_CFLAGS)
diff --git a/buildroot/package/localedef/localedef.mk b/buildroot/package/localedef/localedef.mk
index f6e26b566..d6f1625e3 100644
--- a/buildroot/package/localedef/localedef.mk
+++ b/buildroot/package/localedef/localedef.mk
@@ -14,6 +14,7 @@ HOST_LOCALEDEF_DL_SUBDIR = glibc
 
 HOST_LOCALEDEF_DEPENDENCIES = \
 	$(BR2_MAKE_HOST_DEPENDENCY) \
+	$(BR2_PYTHON3_HOST_DEPENDENCY) \
 	host-bison \
 	host-gawk
 
diff --git a/buildroot/package/lua/5.1.5/lua.hash b/buildroot/package/lua/5.1.5/lua.hash
new file mode 100644
index 000000000..22ff8b7da
--- /dev/null
+++ b/buildroot/package/lua/5.1.5/lua.hash
@@ -0,0 +1,6 @@
+# Hashes from: http://www.lua.org/ftp/
+md5  2e115fe26e435e33b0d5c022e4490567  lua-5.1.5.tar.gz
+sha1  b3882111ad02ecc6b972f8c1241647905cb2e3fc  lua-5.1.5.tar.gz
+
+# Locally computed
+sha256  ee5e3e82af1e1b543c4f216e399d7c8cfee797711913f349e385101c4ae60a79  COPYRIGHT
diff --git a/buildroot/package/lua/5.3.5/0003-fix-revision-number.patch b/buildroot/package/lua/5.3.5/0003-fix-revision-number.patch
deleted file mode 100644
index ed2e0460e..000000000
--- a/buildroot/package/lua/5.3.5/0003-fix-revision-number.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Fix revision number
-
-In 0002-shared-libs-for-lua.patch, revision number is used to set 
-library name:
-TO_SOLIB = liblua.so.$(R)
-
-However, library is built using PKG_VERSION which is passed only during
-build step:
-$(CC) -o $@.$(PKG_VERSION) -shared -Wl,-soname="$@.$(PKG_VERSION)" $?
-
-As a result, dynamic library is not installed in staging or target paths
-since bump to lua 5.3.5
-
-So, instead of replacing R by PKG_VERSION and passing this variable in
-all steps, simply update R to 5
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-
-Index: b/Makefile
-===================================================================
---- a/Makefile
-+++ b/Makefile
-@@ -47,6 +47,6 @@
-
- # Lua version and release.
- V= 5.3
--R= $V.4
-+R= $V.5
-
- # Targets start here.
- all:    $(PLAT)
diff --git a/buildroot/package/lua/5.3.5/0001-root-path.patch b/buildroot/package/lua/5.3.6/0001-root-path.patch
similarity index 100%
rename from buildroot/package/lua/5.3.5/0001-root-path.patch
rename to buildroot/package/lua/5.3.6/0001-root-path.patch
diff --git a/buildroot/package/lua/5.3.5/0002-shared-libs-for-lua.patch b/buildroot/package/lua/5.3.6/0002-shared-libs-for-lua.patch
similarity index 100%
rename from buildroot/package/lua/5.3.5/0002-shared-libs-for-lua.patch
rename to buildroot/package/lua/5.3.6/0002-shared-libs-for-lua.patch
diff --git a/buildroot/package/lua/5.3.5/0011-linenoise.patch b/buildroot/package/lua/5.3.6/0003-linenoise.patch
similarity index 100%
rename from buildroot/package/lua/5.3.5/0011-linenoise.patch
rename to buildroot/package/lua/5.3.6/0003-linenoise.patch
diff --git a/buildroot/package/lua/5.3.6/lua.hash b/buildroot/package/lua/5.3.6/lua.hash
new file mode 100644
index 000000000..74849b310
--- /dev/null
+++ b/buildroot/package/lua/5.3.6/lua.hash
@@ -0,0 +1,6 @@
+# Hashes from: http://www.lua.org/ftp/
+md5  83f23dbd5230140a3770d5f54076948d  lua-5.3.6.tar.gz
+sha1  f27d20d6c81292149bc4308525a9d6733c224fa5  lua-5.3.6.tar.gz
+
+# Locally computed
+sha256  2ddff2161e0c4487d744943565538743c0721485873092f6809d072a983b06ef  doc/readme.html
diff --git a/buildroot/package/lua/lua.hash b/buildroot/package/lua/lua.hash
deleted file mode 100644
index 3e7812b7d..000000000
--- a/buildroot/package/lua/lua.hash
+++ /dev/null
@@ -1,8 +0,0 @@
-# Hashes from: http://www.lua.org/ftp/
-md5 4f4b4f323fd3514a68e0ab3da8ce3455           lua-5.3.5.tar.gz
-sha1 112eb10ff04d1b4c9898e121d6bdf54a81482447  lua-5.3.5.tar.gz
-
-md5 2e115fe26e435e33b0d5c022e4490567           lua-5.1.5.tar.gz
-sha1 b3882111ad02ecc6b972f8c1241647905cb2e3fc  lua-5.1.5.tar.gz
-# Locally computed
-sha256  ee5e3e82af1e1b543c4f216e399d7c8cfee797711913f349e385101c4ae60a79  COPYRIGHT
diff --git a/buildroot/package/lua/lua.mk b/buildroot/package/lua/lua.mk
index 8a5f9258a..83637caf0 100644
--- a/buildroot/package/lua/lua.mk
+++ b/buildroot/package/lua/lua.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 ifeq ($(BR2_PACKAGE_LUA_5_3),y)
-LUA_VERSION = 5.3.5
+LUA_VERSION = 5.3.6
 else
 LUA_VERSION = 5.1.5
 endif
diff --git a/buildroot/package/mbedtls/mbedtls.hash b/buildroot/package/mbedtls/mbedtls.hash
index b75a8fa80..0082eee4a 100644
--- a/buildroot/package/mbedtls/mbedtls.hash
+++ b/buildroot/package/mbedtls/mbedtls.hash
@@ -1,3 +1,4 @@
+# From https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8:
+sha256  fe9e3b15c3375943bdfebbbb20dd6b4f1147b3b5d926248bd835d73247407430  mbedtls-2.16.8.tar.gz
 # Locally calculated
-sha256  4786b7d1676f5e4d248f3a7f2d28446876d64962634f060ff21b92c690cfbe86  mbedtls-2.16.7.tar.gz
 sha256  cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30  apache-2.0.txt
diff --git a/buildroot/package/mbedtls/mbedtls.mk b/buildroot/package/mbedtls/mbedtls.mk
index 4ae8291c1..5094434e6 100644
--- a/buildroot/package/mbedtls/mbedtls.mk
+++ b/buildroot/package/mbedtls/mbedtls.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-MBEDTLS_VERSION = 2.16.7
-MBEDTLS_SITE = $(call github,ARMmbed,mbedtls,mbedtls-$(MBEDTLS_VERSION))
+MBEDTLS_VERSION = 2.16.8
+MBEDTLS_SITE = $(call github,ARMmbed,mbedtls,v$(MBEDTLS_VERSION))
 MBEDTLS_CONF_OPTS = \
 	-DENABLE_PROGRAMS=$(if $(BR2_PACKAGE_MBEDTLS_PROGRAMS),ON,OFF) \
 	-DENABLE_TESTING=OFF
diff --git a/buildroot/package/memcached/0001-configure-Fix-cross-compilation-errors.patch b/buildroot/package/memcached/0001-configure-Fix-cross-compilation-errors.patch
deleted file mode 100644
index 5c5d94832..000000000
--- a/buildroot/package/memcached/0001-configure-Fix-cross-compilation-errors.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-From 1146bf07624b5820b942b84b68e66f0d3dd25914 Mon Sep 17 00:00:00 2001
-From: Ola Jeppsson <ola.jeppsson@gmail.com>
-Date: Mon, 7 Oct 2019 18:07:30 -0400
-Subject: [PATCH] configure: Fix cross-compilation errors
-
-AC_RUN_IFELSE does not work when cross-compiling so we need to provide
-fallback methods for those cases.
-
-I tried to use constructs that work with Autoconf 2.52.
-Alas, I wasn't able to generate a working build system with that version.
-
-Autoconf 2.58 / Automake 1.7.9 is the earliest combo that I could get
-to work (with and without this patch).
-Perhaps it's time for a slight bump for the required version numbers?
-
-Cross-compiles sucessfully against:
-riscv64-unknown-linux-gnu
-
-Downloaded from upstream PR:
-https://github.com/memcached/memcached/pull/552
-
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
----
- configure.ac | 80 +++++++++++++++++++++++++++-------------------------
- 1 file changed, 41 insertions(+), 39 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index fb78fc5..27dc939 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -264,23 +264,42 @@ return sizeof(void*) == 8 ? 0 : 1;
-     ],[
-       CFLAGS="-m64 $org_cflags"
-     ],[
--    AC_MSG_ERROR([Don't know how to build a 64-bit object.])
-+      AC_MSG_ERROR([Don't know how to build a 64-bit object.])
-+    ],[
-+       dnl cross compile
-+       AC_MSG_WARN([Assuming no extra CFLAGS are required for cross-compiling 64bit version.])
-     ])
- fi
- 
- dnl If data pointer is 64bit or not.
--AC_RUN_IFELSE(
--  [AC_LANG_PROGRAM([], [dnl
--return sizeof(void*) == 8 ? 0 : 1;
--  ])
--],[
--  have_64bit_ptr=yes
--],[
-+AC_CHECK_HEADERS([stdint.h])
-+AS_IF([test -z "$have_64bit_ptr"],
-+  [AC_RUN_IFELSE(
-+     [AC_LANG_PROGRAM([], [return sizeof(void*) == 8 ? 0 : 1;])],
-+     [have_64bit_ptr=yes ],
-+     [have_64bit_ptr=no],
-+     [dnl cross compile (this test requires C99)
-+      AS_IF([test "x$ac_cv_header_stdint_h" = xyes],
-+        [AC_COMPILE_IFELSE(
-+           [AC_LANG_PROGRAM([
-+              #include <stdint.h>
-+              #if UINTPTR_MAX == 0xFFFFFFFFFFFFFFFFUL
-+              /* 64 bit pointer */
-+              #else
-+              #error 32 bit pointer
-+              #endif
-+            ], [])],
-+            [have_64bit_ptr=yes],
-+            [have_64bit_ptr=no])],
-+        [have_64bit_ptr=unknown])
-+     ])
- ])
--
--if test $have_64bit_ptr = yes; then
-+AS_IF([test "$have_64bit_ptr" = "unknown" ],[
-+  AC_MSG_ERROR([Cannot detect pointer size. Must pass have_64bit_ptr={yes,no} to configure.])
-+])
-+AS_IF([test "$have_64bit_ptr" = yes],[
-   AC_DEFINE(HAVE_64BIT_PTR, 1, [data pointer is 64bit])
--fi
-+])
- 
- # Issue 213: Search for clock_gettime to help people linking
- #            with a static version of libevent
-@@ -570,30 +589,10 @@ fi
- AC_C_SOCKLEN_T
- 
- dnl Check if we're a little-endian or a big-endian system, needed by hash code
--AC_DEFUN([AC_C_ENDIAN],
--[AC_CACHE_CHECK(for endianness, ac_cv_c_endian,
--[
--  AC_RUN_IFELSE(
--    [AC_LANG_PROGRAM([], [dnl
--        long val = 1;
--        char *c = (char *) &val;
--        exit(*c == 1);
--    ])
--  ],[
--    ac_cv_c_endian=big
--  ],[
--    ac_cv_c_endian=little
--  ])
--])
--if test $ac_cv_c_endian = big; then
--  AC_DEFINE(ENDIAN_BIG, 1, [machine is bigendian])
--fi
--if test $ac_cv_c_endian = little; then
--  AC_DEFINE(ENDIAN_LITTLE, 1, [machine is littleendian])
--fi
--])
--
--AC_C_ENDIAN
-+AC_C_BIGENDIAN(
-+  [AC_DEFINE(ENDIAN_BIG, 1, [machine is bigendian])],
-+  [AC_DEFINE(ENDIAN_LITTLE, 1, [machine is littleendian])],
-+  [AC_MSG_ERROR([Cannot detect endianness. Must pass ac_cv_c_bigendian={yes,no} to configure.])])
- 
- AC_DEFUN([AC_C_HTONLL],
- [
-@@ -670,12 +669,15 @@ AC_DEFUN([AC_C_ALIGNMENT],
-   ],[
-     ac_cv_c_alignment=need
-   ],[
--    ac_cv_c_alignment=need
-+    dnl cross compile
-+    ac_cv_c_alignment=maybe
-   ])
- ])
--if test $ac_cv_c_alignment = need; then
--  AC_DEFINE(NEED_ALIGN, 1, [Machine need alignment])
--fi
-+AS_IF([test $ac_cv_c_alignment = need],
-+  [AC_DEFINE(NEED_ALIGN, 1, [Machine need alignment])])
-+AS_IF([test $ac_cv_c_alignment = maybe],
-+  [AC_MSG_WARN([Assuming aligned access is required when cross-compiling])
-+   AC_DEFINE(NEED_ALIGN, 1, [Machine need alignment])])
- ])
- 
- AC_C_ALIGNMENT
--- 
-2.20.1
-
diff --git a/buildroot/package/memcached/0002-configure-Simplify-pointer-size-check.patch b/buildroot/package/memcached/0002-configure-Simplify-pointer-size-check.patch
deleted file mode 100644
index 1a5dc3196..000000000
--- a/buildroot/package/memcached/0002-configure-Simplify-pointer-size-check.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From ec7f3bc97c53578d5ca332b9e86c4d08d155c5a0 Mon Sep 17 00:00:00 2001
-From: Ola Jeppsson <ola.jeppsson@gmail.com>
-Date: Mon, 7 Oct 2019 19:57:46 -0400
-Subject: [PATCH] configure: Simplify pointer size check
-
-Tested with:
-Autoconf 2.59 / Automake 1.7.9
-Autoconf 2.69 / Automake 1.16.1
-
-Downloaded from upstream PR:
-https://github.com/memcached/memcached/pull/552
-
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
----
- configure.ac | 31 ++-----------------------------
- restart.h    |  2 +-
- 2 files changed, 3 insertions(+), 30 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 27dc939..7e5bd5d 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -271,35 +271,8 @@ return sizeof(void*) == 8 ? 0 : 1;
-     ])
- fi
- 
--dnl If data pointer is 64bit or not.
--AC_CHECK_HEADERS([stdint.h])
--AS_IF([test -z "$have_64bit_ptr"],
--  [AC_RUN_IFELSE(
--     [AC_LANG_PROGRAM([], [return sizeof(void*) == 8 ? 0 : 1;])],
--     [have_64bit_ptr=yes ],
--     [have_64bit_ptr=no],
--     [dnl cross compile (this test requires C99)
--      AS_IF([test "x$ac_cv_header_stdint_h" = xyes],
--        [AC_COMPILE_IFELSE(
--           [AC_LANG_PROGRAM([
--              #include <stdint.h>
--              #if UINTPTR_MAX == 0xFFFFFFFFFFFFFFFFUL
--              /* 64 bit pointer */
--              #else
--              #error 32 bit pointer
--              #endif
--            ], [])],
--            [have_64bit_ptr=yes],
--            [have_64bit_ptr=no])],
--        [have_64bit_ptr=unknown])
--     ])
--])
--AS_IF([test "$have_64bit_ptr" = "unknown" ],[
--  AC_MSG_ERROR([Cannot detect pointer size. Must pass have_64bit_ptr={yes,no} to configure.])
--])
--AS_IF([test "$have_64bit_ptr" = yes],[
--  AC_DEFINE(HAVE_64BIT_PTR, 1, [data pointer is 64bit])
--])
-+dnl Check if data pointer is 64bit or not
-+AC_CHECK_SIZEOF([void *])
- 
- # Issue 213: Search for clock_gettime to help people linking
- #            with a static version of libevent
-diff --git a/restart.h b/restart.h
-index 76cd0a8..9de5096 100644
---- a/restart.h
-+++ b/restart.h
-@@ -4,7 +4,7 @@
- #define RESTART_TAG_MAXLEN 255
- 
- // Track the pointer size for restart fiddling.
--#ifdef HAVE_64BIT_PTR
-+#if SIZEOF_VOID_P == 8
-     typedef uint64_t mc_ptr_t;
- #else
-     typedef uint32_t mc_ptr_t;
--- 
-2.20.1
-
diff --git a/buildroot/package/memcached/memcached.hash b/buildroot/package/memcached/memcached.hash
index 98e47d6c0..e599cd2fa 100644
--- a/buildroot/package/memcached/memcached.hash
+++ b/buildroot/package/memcached/memcached.hash
@@ -1,6 +1,6 @@
-# From http://www.memcached.org/files/memcached-1.5.19.tar.gz.sha1
-sha1 14e6a02e743838696fcb620edf6a2fd7e60cabec  memcached-1.5.19.tar.gz
+# From http://www.memcached.org/files/memcached-1.5.22.tar.gz.sha1
+sha1  3fe5d3929130e860efcfde18d4d396a29db006b7  memcached-1.5.22.tar.gz
 
 # Locally computed
-sha256 3ddcdaa2d14d215f3111a7448b79c889c57618a26e97ad989581f1880a5a4be0  memcached-1.5.19.tar.gz
-sha256 bc887c4ad8051fe690ace9528fe37a2e0bb362e6d963331d82e845ca9b585a0c  COPYING
+sha256  c2b47e9d20575a2367087c229636ffc3fb699a6c3a7f3a22f44402f25f5f1f93  memcached-1.5.22.tar.gz
+sha256  bc887c4ad8051fe690ace9528fe37a2e0bb362e6d963331d82e845ca9b585a0c  COPYING
diff --git a/buildroot/package/memcached/memcached.mk b/buildroot/package/memcached/memcached.mk
index 9b362d2a3..8a980677c 100644
--- a/buildroot/package/memcached/memcached.mk
+++ b/buildroot/package/memcached/memcached.mk
@@ -4,16 +4,13 @@
 #
 ################################################################################
 
-MEMCACHED_VERSION = 1.5.19
+MEMCACHED_VERSION = 1.5.22
 MEMCACHED_SITE = http://www.memcached.org/files
 MEMCACHED_DEPENDENCIES = libevent
 MEMCACHED_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
 MEMCACHED_CONF_OPTS = --disable-coverage
 MEMCACHED_LICENSE = BSD-3-Clause
 MEMCACHED_LICENSE_FILES = COPYING
-# 0001-configure-Fix-cross-compilation-errors.patch
-# 0002-configure-Simplify-pointer-size-check.patch
-MEMCACHED_AUTORECONF = YES
 
 ifeq ($(BR2_ENDIAN),"BIG")
 MEMCACHED_CONF_ENV += ac_cv_c_endian=big
diff --git a/buildroot/package/mesa3d/Config.in b/buildroot/package/mesa3d/Config.in
index ade13ec03..f65ccbb1f 100644
--- a/buildroot/package/mesa3d/Config.in
+++ b/buildroot/package/mesa3d/Config.in
@@ -320,6 +320,7 @@ config BR2_PACKAGE_MESA3D_XVMC
 	depends on BR2_PACKAGE_XORG7
 	depends on BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_NOUVEAU \
 		|| BR2_PACKAGE_MESA3D_GALLIUM_DRIVER_R600
+	select BR2_PACKAGE_MESA3D_NEEDS_X11
 	select BR2_PACKAGE_XLIB_LIBXV
 	select BR2_PACKAGE_XLIB_LIBXVMC
 	help
@@ -369,7 +370,13 @@ config BR2_PACKAGE_MESA3D_DRI_DRIVER_NOUVEAU
 	  Support for Nvidia-based GPUs.
 
 config BR2_PACKAGE_MESA3D_DRI_DRIVER_RADEON
-	bool "DRI radeon driver"
+	bool "DRI radeon r100 driver"
+	depends on BR2_i386 || BR2_x86_64
+	# libdrm's radeon option depends on LIBDRM_HAS_ATOMIC. Propagating
+	# that dependency here causes a circular dependency that Kconfig
+	# can't see is just spurious. However, that dependency is about
+	# the toolchain having sync4 primitives, which is always a given
+	# for i386 and x86_64.
 	select BR2_PACKAGE_MESA3D_DRI_DRIVER
 	select BR2_PACKAGE_LIBDRM_RADEON
 	help
diff --git a/buildroot/package/meson/meson.mk b/buildroot/package/meson/meson.mk
index d782ee086..aa4ef5cd0 100644
--- a/buildroot/package/meson/meson.mk
+++ b/buildroot/package/meson/meson.mk
@@ -25,6 +25,10 @@ else ifeq ($(BR2_aarch64)$(BR2_aarch64_be),y)
 HOST_MESON_TARGET_CPU_FAMILY = aarch64
 else ifeq ($(BR2_i386),y)
 HOST_MESON_TARGET_CPU_FAMILY = x86
+else ifeq ($(BR2_m68k),y)
+HOST_MESON_TARGET_CPU_FAMILY = m68k
+else ifeq ($(BR2_microblazeel)$(BR2_microblazebe),y)
+HOST_MESON_TARGET_CPU_FAMILY = microblaze
 else ifeq ($(BR2_mips)$(BR2_mipsel),y)
 HOST_MESON_TARGET_CPU_FAMILY = mips
 else ifeq ($(BR2_mips64)$(BR2_mips64el),y)
@@ -35,6 +39,8 @@ else ifeq ($(BR2_powerpc64)$(BR2_powerpc64le),y)
 HOST_MESON_TARGET_CPU_FAMILY = ppc64
 else ifeq ($(BR2_riscv),y)
 HOST_MESON_TARGET_CPU_FAMILY = riscv64
+else ifeq ($(BR2_sh4)$(BR2_sh4eb)$(BR2_sh4a)$(BR2_sh4aeb),y)
+HOST_MESON_TARGET_CPU_FAMILY = sh4
 else ifeq ($(BR2_sparc),y)
 HOST_MESON_TARGET_CPU_FAMILY = sparc
 else ifeq ($(BR2_sparc64),y)
diff --git a/buildroot/package/minidlna/0001-fix-build-with-gcc-10.patch b/buildroot/package/minidlna/0001-fix-build-with-gcc-10.patch
new file mode 100644
index 000000000..521d17f0c
--- /dev/null
+++ b/buildroot/package/minidlna/0001-fix-build-with-gcc-10.patch
@@ -0,0 +1,49 @@
+From 90e88764f0fb3d981cd0c3cfd07d63323cc64090 Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Date: Tue, 1 Sep 2020 22:55:24 +0200
+Subject: [PATCH] fix build with gcc 10
+
+Define setjmp_buffer as static to avoid the following build failure with
+gcc 10 (which defaults to -fno-common):
+
+/home/buildroot/autobuild/instance-1/output-1/host/lib/gcc/arm-buildroot-linux-gnueabihf/10.2.0/../../../../arm-buildroot-linux-gnueabihf/bin/ld: image_utils.o:(.bss+0x0): multiple definition of `setjmp_buffer'; metadata.o:(.bss+0x0): first defined here
+collect2: error: ld returned 1 exit status
+
+Fixes:
+ - http://autobuild.buildroot.org/results/8754bb4f7d749f999d5f8ddfec587470ceec4476
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ image_utils.c | 2 +-
+ metadata.c    | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/image_utils.c b/image_utils.c
+index 24cfd08..e8d9635 100644
+--- a/image_utils.c
++++ b/image_utils.c
+@@ -190,7 +190,7 @@ jpeg_memory_src(j_decompress_ptr cinfo, const unsigned char * buffer, size_t buf
+ 	src->pub.bytes_in_buffer = bufsize;
+ }
+ 
+-jmp_buf setjmp_buffer;
++static jmp_buf setjmp_buffer;
+ /* Don't exit on error like libjpeg likes to do */
+ static void
+ libjpeg_error_handler(j_common_ptr cinfo)
+diff --git a/metadata.c b/metadata.c
+index 9cd86dc..4781db7 100644
+--- a/metadata.c
++++ b/metadata.c
+@@ -502,7 +502,7 @@ GetAudioMetadata(const char *path, const char *name)
+ }
+ 
+ /* For libjpeg error handling */
+-jmp_buf setjmp_buffer;
++static jmp_buf setjmp_buffer;
+ static void
+ libjpeg_error_handler(j_common_ptr cinfo)
+ {
+-- 
+2.28.0
+
diff --git a/buildroot/package/minidlna/0002-upnphttp.c-fix-CallStranger-a.k.a.-CVE-2020-12695.patch b/buildroot/package/minidlna/0002-upnphttp.c-fix-CallStranger-a.k.a.-CVE-2020-12695.patch
new file mode 100644
index 000000000..7406ce2e9
--- /dev/null
+++ b/buildroot/package/minidlna/0002-upnphttp.c-fix-CallStranger-a.k.a.-CVE-2020-12695.patch
@@ -0,0 +1,133 @@
+From 51bfbee51fd0376b5a66c944134af3e9972d8592 Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+Date: Sun, 6 Sep 2020 11:22:48 +0200
+Subject: [PATCH] upnphttp.c: fix CallStranger a.k.a. CVE-2020-12695
+
+Import CheckCallback function from miniupnpd source code:
+https://github.com/miniupnp/miniupnp/commit/0d9634658860c3c8c209e466cc0ef7002bad3b0a
+
+IPv6 code was kept even if minidlna does not support it currently.
+
+This code is licensed under BSD-3-Clause like minidlna.
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Upstream status:
+https://sourceforge.net/p/minidlna/support-requests/71]
+---
+ upnphttp.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 82 insertions(+), 10 deletions(-)
+
+diff --git a/upnphttp.c b/upnphttp.c
+index 974434e..3be793e 100644
+--- a/upnphttp.c
++++ b/upnphttp.c
+@@ -742,6 +742,70 @@ check_event(struct upnphttp *h)
+ 	return type;
+ }
+ 
++/**
++ * returns 0 if the callback header value is not valid
++ * 1 if it is valid.
++ */
++static int
++checkCallbackURL(struct upnphttp * h)
++{
++	char addrstr[48];
++	int ipv6;
++	const char * p;
++	int i;
++
++	if(!h->req_Callback || h->req_CallbackLen < 8)
++		return 0;
++	if(memcmp(h->req_Callback, "http://", 7) != 0)
++		return 0;
++	ipv6 = 0;
++	i = 0;
++	p = h->req_Callback + 7;
++	if(*p == '[') {
++		p++;
++		ipv6 = 1;
++		while(*p != ']' && i < (sizeof(addrstr)-1)
++		      && p < (h->req_Callback + h->req_CallbackLen))
++			addrstr[i++] = *(p++);
++	} else {
++		while(*p != '/' && *p != ':' && i < (sizeof(addrstr)-1)
++		      && p < (h->req_Callback + h->req_CallbackLen))
++			addrstr[i++] = *(p++);
++	}
++	addrstr[i] = '\0';
++	if(ipv6) {
++		struct in6_addr addr;
++		if(inet_pton(AF_INET6, addrstr, &addr) <= 0)
++			return 0;
++#ifdef ENABLE_IPV6
++		if(!h->ipv6
++		  || (0!=memcmp(&addr, &(h->clientaddr_v6), sizeof(struct in6_addr))))
++			return 0;
++#else
++		return 0;
++#endif
++	} else {
++		struct in_addr addr;
++		if(inet_pton(AF_INET, addrstr, &addr) <= 0)
++			return 0;
++#ifdef ENABLE_IPV6
++		if(h->ipv6) {
++			if(!IN6_IS_ADDR_V4MAPPED(&(h->clientaddr_v6)))
++				return 0;
++			if(0!=memcmp(&addr, ((const char *)&(h->clientaddr_v6) + 12), 4))
++				return 0;
++		} else {
++			if(0!=memcmp(&addr, &(h->clientaddr), sizeof(struct in_addr)))
++				return 0;
++		}
++#else
++		if(0!=memcmp(&addr, &(h->clientaddr), sizeof(struct in_addr)))
++			return 0;
++#endif
++	}
++	return 1;
++}
++
+ static void
+ ProcessHTTPSubscribe_upnphttp(struct upnphttp * h, const char * path)
+ {
+@@ -759,17 +823,25 @@ ProcessHTTPSubscribe_upnphttp(struct upnphttp * h, const char * path)
+ 		 * - respond HTTP/x.x 200 OK 
+ 		 * - Send the initial event message */
+ 		/* Server:, SID:; Timeout: Second-(xx|infinite) */
+-		sid = upnpevents_addSubscriber(path, h->req_Callback,
+-		                               h->req_CallbackLen, h->req_Timeout);
+-		h->respflags = FLAG_TIMEOUT;
+-		if (sid)
+-		{
+-			DPRINTF(E_DEBUG, L_HTTP, "generated sid=%s\n", sid);
+-			h->respflags |= FLAG_SID;
+-			h->req_SID = sid;
+-			h->req_SIDLen = strlen(sid);
++		/* Check that the callback URL is on the same IP as
++		 * the request, and not on the internet, nor on ourself (DOS attack ?) */
++		if(checkCallbackURL(h)) {
++			sid = upnpevents_addSubscriber(path, h->req_Callback,
++				                       h->req_CallbackLen, h->req_Timeout);
++			h->respflags = FLAG_TIMEOUT;
++			if (sid)
++			{
++				DPRINTF(E_DEBUG, L_HTTP, "generated sid=%s\n", sid);
++				h->respflags |= FLAG_SID;
++				h->req_SID = sid;
++				h->req_SIDLen = strlen(sid);
++			}
++			BuildResp_upnphttp(h, 0, 0);
++		} else {
++			DPRINTF(E_WARN, L_HTTP, "Invalid Callback in SUBSCRIBE %.*s",
++	       		       h->req_CallbackLen, h->req_Callback);
++			BuildResp2_upnphttp(h, 412, "Precondition Failed", 0, 0);
+ 		}
+-		BuildResp_upnphttp(h, 0, 0);
+ 	}
+ 	else if (type == E_RENEW)
+ 	{
+-- 
+2.28.0
+
diff --git a/buildroot/package/minidlna/minidlnad.service b/buildroot/package/minidlna/minidlnad.service
index f69476b30..4e968d385 100644
--- a/buildroot/package/minidlna/minidlnad.service
+++ b/buildroot/package/minidlna/minidlnad.service
@@ -5,7 +5,7 @@ After=network.target
 [Service]
 Type=forking
 ExecStart=/usr/sbin/minidlnad
-PIDFile=/var/run/minidlna/minidlna.pid
+PIDFile=/run/minidlna/minidlna.pid
 
 [Install]
 WantedBy=multi-user.target
diff --git a/buildroot/package/mosquitto/mosquitto.hash b/buildroot/package/mosquitto/mosquitto.hash
index ab3f7aeb2..13f0c8de2 100644
--- a/buildroot/package/mosquitto/mosquitto.hash
+++ b/buildroot/package/mosquitto/mosquitto.hash
@@ -1,6 +1,6 @@
 # Locally calculated after checking gpg signature
-# from https://mosquitto.org/files/source/mosquitto-1.6.9.tar.gz.asc
-sha256  412979b2db0a0020bd02fa64f0a0de9e7000b84462586e32b67f29bb1f6c1685  mosquitto-1.6.9.tar.gz
+# from https://mosquitto.org/files/source/mosquitto-1.6.12.tar.gz.asc
+sha256  548d73d19fb787dd0530334e398fd256ef3a581181678488a741a995c4f007fb  mosquitto-1.6.12.tar.gz
 
 # License files
 sha256  cc77e25bafd40637b7084f04086d606f0a200051b61806f97c93405926670bc1  LICENSE.txt
diff --git a/buildroot/package/mosquitto/mosquitto.mk b/buildroot/package/mosquitto/mosquitto.mk
index ea57d7693..8cee0d7b0 100644
--- a/buildroot/package/mosquitto/mosquitto.mk
+++ b/buildroot/package/mosquitto/mosquitto.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-MOSQUITTO_VERSION = 1.6.9
+MOSQUITTO_VERSION = 1.6.12
 MOSQUITTO_SITE = https://mosquitto.org/files/source
 MOSQUITTO_LICENSE = EPL-1.0 or EDLv1.0
 MOSQUITTO_LICENSE_FILES = LICENSE.txt epl-v10 edl-v10
@@ -41,7 +41,8 @@ else
 MOSQUITTO_MAKE_OPTS += WITH_ADNS=no
 endif
 
-ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
+# threaded API uses pthread_setname_np
+ifeq ($(BR2_TOOLCHAIN_HAS_THREADS_NPTL),y)
 MOSQUITTO_MAKE_OPTS += WITH_THREADING=yes
 else
 MOSQUITTO_MAKE_OPTS += WITH_THREADING=no
diff --git a/buildroot/package/mpv/Config.in b/buildroot/package/mpv/Config.in
index 32910f224..697ad57ba 100644
--- a/buildroot/package/mpv/Config.in
+++ b/buildroot/package/mpv/Config.in
@@ -3,7 +3,7 @@ config BR2_PACKAGE_MPV
 	depends on BR2_TOOLCHAIN_HAS_THREADS
 	depends on BR2_PACKAGE_FFMPEG_ARCH_SUPPORTS
 	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_5
-	depends on BR2_TOOLCHAIN_HAS_ATOMIC || BR2_TOOLCHAIN_HAS_SYNC_8
+	depends on BR2_TOOLCHAIN_HAS_ATOMIC
 	select BR2_PACKAGE_LIBICONV if !BR2_ENABLE_LOCALE
 	select BR2_PACKAGE_FFMPEG
 	select BR2_PACKAGE_FFMPEG_SWSCALE
@@ -25,6 +25,6 @@ config BR2_PACKAGE_MPV
 
 comment "mpv needs a toolchain w/ threads, gcc >= 4.5"
 	depends on BR2_PACKAGE_FFMPEG_ARCH_SUPPORTS
-	depends on BR2_TOOLCHAIN_HAS_ATOMIC || BR2_TOOLCHAIN_HAS_SYNC_8
+	depends on BR2_TOOLCHAIN_HAS_ATOMIC
 	depends on !BR2_TOOLCHAIN_HAS_THREADS || \
 		!BR2_TOOLCHAIN_GCC_AT_LEAST_4_5
diff --git a/buildroot/package/mpv/mpv.mk b/buildroot/package/mpv/mpv.mk
index 8619de5a8..6801a0468 100644
--- a/buildroot/package/mpv/mpv.mk
+++ b/buildroot/package/mpv/mpv.mk
@@ -235,4 +235,8 @@ else
 MPV_CONF_OPTS += --disable-x11
 endif
 
+ifeq ($(BR2_TOOLCHAIN_HAS_LIBATOMIC),y)
+MPV_CONF_ENV += LDFLAGS="$(TARGET_LDFLAGS) -latomic"
+endif
+
 $(eval $(waf-package))
diff --git a/buildroot/package/nginx/nginx.service b/buildroot/package/nginx/nginx.service
index 320df9a80..9fd215fd3 100644
--- a/buildroot/package/nginx/nginx.service
+++ b/buildroot/package/nginx/nginx.service
@@ -4,7 +4,7 @@ After=syslog.target network.target
 
 [Service]
 Type=forking
-PIDFile=/var/run/nginx.pid
+PIDFile=/run/nginx.pid
 ExecStartPre=/usr/bin/mkdir -p /var/log/nginx /var/tmp/nginx
 ExecStartPre=/usr/sbin/nginx -t -q -g 'pid /var/run/nginx.pid; daemon on; master_process on;'
 ExecStart=/usr/sbin/nginx -g 'pid /var/run/nginx.pid; daemon on; master_process on;'
diff --git a/buildroot/package/nodejs/nodejs.hash b/buildroot/package/nodejs/nodejs.hash
index 60d69a863..33fb40788 100644
--- a/buildroot/package/nodejs/nodejs.hash
+++ b/buildroot/package/nodejs/nodejs.hash
@@ -1,5 +1,5 @@
-# From https://nodejs.org/dist/v12.18.0/SHASUMS256.txt
-sha256  d4688636a378367f5157f02bd5c13902f5c193356f8f7a35c99dfa383b03b13f  node-v12.18.0.tar.xz
+# From https://nodejs.org/dist/v12.18.4/SHASUMS256.txt
+sha256  25f03cb18e53b6d0959d0c219e701a85eb4693f526bdda7c72bc6199b364f609  node-v12.18.4.tar.xz
 
 # Hash for license file
-sha256  cd2e5817a25d7d28efba927b01056cae04a616b673014159f9eafeb008a0e747  LICENSE
+sha256  0dc03af08b95ea0c1e27f8fd591dee4383eb6f2c304db6eb6cdfb6751f7da87b  LICENSE
diff --git a/buildroot/package/nodejs/nodejs.mk b/buildroot/package/nodejs/nodejs.mk
index 3f35ac7c3..b159b1025 100644
--- a/buildroot/package/nodejs/nodejs.mk
+++ b/buildroot/package/nodejs/nodejs.mk
@@ -4,13 +4,13 @@
 #
 ################################################################################
 
-NODEJS_VERSION = 12.18.0
+NODEJS_VERSION = 12.18.4
 NODEJS_SOURCE = node-v$(NODEJS_VERSION).tar.xz
 NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION)
 NODEJS_DEPENDENCIES = host-python host-nodejs c-ares \
 	libuv zlib nghttp2 \
 	$(call qstrip,$(BR2_PACKAGE_NODEJS_MODULES_ADDITIONAL_DEPS))
-HOST_NODEJS_DEPENDENCIES = host-libopenssl host-python host-zlib
+HOST_NODEJS_DEPENDENCIES = host-icu host-libopenssl host-python host-zlib
 NODEJS_INSTALL_STAGING = YES
 NODEJS_LICENSE = MIT (core code); MIT, Apache and BSD family licenses (Bundled components)
 NODEJS_LICENSE_FILES = LICENSE
@@ -66,7 +66,7 @@ define HOST_NODEJS_CONFIGURE_CMDS
 		--shared-openssl-libpath=$(HOST_DIR)/lib \
 		--shared-zlib \
 		--no-cross-compiling \
-		--with-intl=small-icu \
+		--with-intl=system-icu \
 	)
 endef
 
@@ -77,10 +77,13 @@ NODEJS_HOST_TOOLS_V8 = \
 NODEJS_HOST_TOOLS_NODE = mkcodecache
 NODEJS_HOST_TOOLS = $(NODEJS_HOST_TOOLS_V8) $(NODEJS_HOST_TOOLS_NODE)
 
+HOST_NODEJS_CXXFLAGS = $(HOST_CXXFLAGS) -DU_DISABLE_RENAMING=1
+
 define HOST_NODEJS_BUILD_CMDS
 	$(HOST_MAKE_ENV) PYTHON=$(HOST_DIR)/bin/python2 \
 		$(MAKE) -C $(@D) \
 		$(HOST_CONFIGURE_OPTS) \
+		CXXFLAGS="$(HOST_NODEJS_CXXFLAGS)" \
 		LDFLAGS.host="$(HOST_LDFLAGS)" \
 		NO_LOAD=cctest.target.mk \
 		PATH=$(@D)/bin:$(BR_PATH)
@@ -90,6 +93,7 @@ define HOST_NODEJS_INSTALL_CMDS
 	$(HOST_MAKE_ENV) PYTHON=$(HOST_DIR)/bin/python2 \
 		$(MAKE) -C $(@D) install \
 		$(HOST_CONFIGURE_OPTS) \
+		CXXFLAGS="$(HOST_NODEJS_CXXFLAGS)" \
 		LDFLAGS.host="$(HOST_LDFLAGS)" \
 		NO_LOAD=cctest.target.mk \
 		PATH=$(@D)/bin:$(BR_PATH)
diff --git a/buildroot/package/nss-pam-ldapd/nslcd.service b/buildroot/package/nss-pam-ldapd/nslcd.service
index 6c0d71b24..5a000a8e4 100644
--- a/buildroot/package/nss-pam-ldapd/nslcd.service
+++ b/buildroot/package/nss-pam-ldapd/nslcd.service
@@ -4,7 +4,7 @@ After=syslog.target network.target
 
 [Service]
 Type=forking
-PIDFile=/var/run/nslcd/nslcd.pid
+PIDFile=/run/nslcd/nslcd.pid
 ExecStart=/usr/sbin/nslcd
 
 [Install]
diff --git a/buildroot/package/nvidia-driver/nvidia-driver.mk b/buildroot/package/nvidia-driver/nvidia-driver.mk
index baf2ba2be..44e34cb7b 100644
--- a/buildroot/package/nvidia-driver/nvidia-driver.mk
+++ b/buildroot/package/nvidia-driver/nvidia-driver.mk
@@ -35,7 +35,7 @@ NVIDIA_DRIVER_PROVIDES += libgl libegl libgles
 # NVidia extensions (which is deemed bad now), while the former follows
 # the newly-introduced vendor-neutral "dispatching" API/ABI:
 #   https://github.com/aritger/linux-opengl-abi-proposal/blob/master/linux-opengl-abi-proposal.txt
-# However, this is not very usefull to us, as we don't support multiple
+# However, this is not very useful to us, as we don't support multiple
 # GL providers at the same time on the system, which this proposal is
 # aimed at supporting.
 #
@@ -84,7 +84,7 @@ endef
 # Those libraries are 'private' libraries requiring an agreement with
 # NVidia to develop code for those libs. There seems to be no restriction
 # on using those libraries (e.g. if the user has such an agreement, or
-# wants to run a third-party program developped under such an agreement).
+# wants to run a third-party program developed under such an agreement).
 ifeq ($(BR2_PACKAGE_NVIDIA_DRIVER_PRIVATE_LIBS),y)
 NVIDIA_DRIVER_LIBS += \
 	libnvidia-ifr.so.$(NVIDIA_DRIVER_VERSION) \
diff --git a/buildroot/package/opencv/0001-Fix-build-of-grfmt_jpeg2000-cpp.patch b/buildroot/package/opencv/0001-Fix-build-of-grfmt_jpeg2000-cpp.patch
new file mode 100644
index 000000000..683dd95d9
--- /dev/null
+++ b/buildroot/package/opencv/0001-Fix-build-of-grfmt_jpeg2000-cpp.patch
@@ -0,0 +1,37 @@
+From f66fc199a20882c546fa31142e9c0f5a8b3cf983 Mon Sep 17 00:00:00 2001
+From: Florian Jung <flo@windfis.ch>
+Date: Wed, 29 Jul 2020 18:51:55 +0200
+Subject: [PATCH] Fix build of grfmt_jpeg2000.cpp
+
+libjasper has recently changed `jas_matrix_get` from a macro to an inline function
+(389951d071 in https://github.com/jasper-software/jasper), causing the build to fail.
+
+[Retrieved (and backported) from:
+https://github.com/opencv/opencv/commit/f66fc199a20882c546fa31142e9c0f5a8b3cf983]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ modules/imgcodecs/src/grfmt_jpeg2000.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/modules/highgui/src/grfmt_jpeg2000.cpp b/modules/highgui/src/grfmt_jpeg2000.cpp
+index fe69f80c86f..0f4d28d6f4d 100644
+--- a/modules/highgui/src/grfmt_jpeg2000.cpp
++++ b/modules/highgui/src/grfmt_jpeg2000.cpp
+@@ -377,7 +377,7 @@ bool  Jpeg2KDecoder::readComponent8u( uchar *data, void *_buffer,
+ 
+     for( y = 0; y < yend - ystart; )
+     {
+-        jas_seqent_t* pix_row = &jas_matrix_get( buffer, y / ystep, 0 );
++        jas_seqent_t* pix_row = jas_matrix_getref( buffer, y / ystep, 0 );
+         uchar* dst = data + (y - yoffset) * step - xoffset;
+ 
+         if( xstep == 1 )
+@@ -443,7 +443,7 @@ bool  Jpeg2KDecoder::readComponent16u( unsigned short *data, void *_buffer,
+ 
+     for( y = 0; y < yend - ystart; )
+     {
+-        jas_seqent_t* pix_row = &jas_matrix_get( buffer, y / ystep, 0 );
++        jas_seqent_t* pix_row = jas_matrix_getref( buffer, y / ystep, 0 );
+         ushort* dst = data + (y - yoffset) * step - xoffset;
+ 
+         if( xstep == 1 )
diff --git a/buildroot/package/opencv3/0001-Fix-build-of-grfmt_jpeg2000-cpp.patch b/buildroot/package/opencv3/0001-Fix-build-of-grfmt_jpeg2000-cpp.patch
new file mode 100644
index 000000000..e54fab852
--- /dev/null
+++ b/buildroot/package/opencv3/0001-Fix-build-of-grfmt_jpeg2000-cpp.patch
@@ -0,0 +1,37 @@
+From f66fc199a20882c546fa31142e9c0f5a8b3cf983 Mon Sep 17 00:00:00 2001
+From: Florian Jung <flo@windfis.ch>
+Date: Wed, 29 Jul 2020 18:51:55 +0200
+Subject: [PATCH] Fix build of grfmt_jpeg2000.cpp
+
+libjasper has recently changed `jas_matrix_get` from a macro to an inline function
+(389951d071 in https://github.com/jasper-software/jasper), causing the build to fail.
+
+[Retrieved from:
+https://github.com/opencv/opencv/commit/f66fc199a20882c546fa31142e9c0f5a8b3cf983]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ modules/imgcodecs/src/grfmt_jpeg2000.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/modules/imgcodecs/src/grfmt_jpeg2000.cpp b/modules/imgcodecs/src/grfmt_jpeg2000.cpp
+index fe69f80c86f..0f4d28d6f4d 100644
+--- a/modules/imgcodecs/src/grfmt_jpeg2000.cpp
++++ b/modules/imgcodecs/src/grfmt_jpeg2000.cpp
+@@ -377,7 +377,7 @@ bool  Jpeg2KDecoder::readComponent8u( uchar *data, void *_buffer,
+ 
+     for( y = 0; y < yend - ystart; )
+     {
+-        jas_seqent_t* pix_row = &jas_matrix_get( buffer, y / ystep, 0 );
++        jas_seqent_t* pix_row = jas_matrix_getref( buffer, y / ystep, 0 );
+         uchar* dst = data + (y - yoffset) * step - xoffset;
+ 
+         if( xstep == 1 )
+@@ -443,7 +443,7 @@ bool  Jpeg2KDecoder::readComponent16u( unsigned short *data, void *_buffer,
+ 
+     for( y = 0; y < yend - ystart; )
+     {
+-        jas_seqent_t* pix_row = &jas_matrix_get( buffer, y / ystep, 0 );
++        jas_seqent_t* pix_row = jas_matrix_getref( buffer, y / ystep, 0 );
+         ushort* dst = data + (y - yoffset) * step - xoffset;
+ 
+         if( xstep == 1 )
diff --git a/buildroot/package/openjpeg/0008-opj_decompress-fix-double-free-on-input-directory-with-mix-of-valid.patch b/buildroot/package/openjpeg/0008-opj_decompress-fix-double-free-on-input-directory-with-mix-of-valid.patch
new file mode 100644
index 000000000..4c1b3eb2a
--- /dev/null
+++ b/buildroot/package/openjpeg/0008-opj_decompress-fix-double-free-on-input-directory-with-mix-of-valid.patch
@@ -0,0 +1,43 @@
+From e8e258ab049240c2dd1f1051b4e773b21e2d3dc0 Mon Sep 17 00:00:00 2001
+From: Even Rouault <even.rouault@spatialys.com>
+Date: Sun, 28 Jun 2020 14:19:59 +0200
+Subject: [PATCH] opj_decompress: fix double-free on input directory with mix
+ of valid and invalid images (CVE-2020-15389)
+
+Fixes #1261
+
+Credits to @Ruia-ruia for reporting and analysis.
+
+[Retrieved from:
+https://github.com/uclouvain/openjpeg/commit/e8e258ab049240c2dd1f1051b4e773b21e2d3dc0]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/bin/jp2/opj_decompress.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/bin/jp2/opj_decompress.c b/src/bin/jp2/opj_decompress.c
+index 7eeb0952f..2634907f0 100644
+--- a/src/bin/jp2/opj_decompress.c
++++ b/src/bin/jp2/opj_decompress.c
+@@ -1316,10 +1316,6 @@ static opj_image_t* upsample_image_components(opj_image_t* original)
+ int main(int argc, char **argv)
+ {
+     opj_decompress_parameters parameters;           /* decompression parameters */
+-    opj_image_t* image = NULL;
+-    opj_stream_t *l_stream = NULL;              /* Stream */
+-    opj_codec_t* l_codec = NULL;                /* Handle to a decompressor */
+-    opj_codestream_index_t* cstr_index = NULL;
+ 
+     OPJ_INT32 num_images, imageno;
+     img_fol_t img_fol;
+@@ -1393,6 +1389,10 @@ int main(int argc, char **argv)
+ 
+     /*Decoding image one by one*/
+     for (imageno = 0; imageno < num_images ; imageno++)  {
++        opj_image_t* image = NULL;
++        opj_stream_t *l_stream = NULL;              /* Stream */
++        opj_codec_t* l_codec = NULL;                /* Handle to a decompressor */
++        opj_codestream_index_t* cstr_index = NULL;
+ 
+         if (!parameters.quiet) {
+             fprintf(stderr, "\n");
diff --git a/buildroot/package/openjpeg/openjpeg.mk b/buildroot/package/openjpeg/openjpeg.mk
index 1ff3111d6..b65dbce80 100644
--- a/buildroot/package/openjpeg/openjpeg.mk
+++ b/buildroot/package/openjpeg/openjpeg.mk
@@ -20,6 +20,9 @@ OPENJPEG_IGNORE_CVES += CVE-2020-6851
 # 0007-opj_tcd_init_tile-avoid-integer-overflow.patch
 OPENJPEG_IGNORE_CVES += CVE-2020-8112
 
+# 0008-opj_decompress-fix-double-free-on-input-directory-with-mix-of-valid.patch
+OPENJPEG_IGNORE_CVES += CVE-2020-15389
+
 OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_ZLIB),zlib)
 OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_LIBPNG),libpng)
 OPENJPEG_DEPENDENCIES += $(if $(BR2_PACKAGE_TIFF),tiff)
diff --git a/buildroot/package/openvmtools/vmtoolsd.service b/buildroot/package/openvmtools/vmtoolsd.service
index cb97357ec..1d2a3566c 100644
--- a/buildroot/package/openvmtools/vmtoolsd.service
+++ b/buildroot/package/openvmtools/vmtoolsd.service
@@ -5,8 +5,8 @@ ConditionVirtualization=vmware
 
 [Service]
 Type=forking
-PIDFile=/var/run/vmtoolsd.pid
-ExecStart=/usr/bin/vmtoolsd -b /var/run/vmtoolsd.pid
+PIDFile=/run/vmtoolsd.pid
+ExecStart=/usr/bin/vmtoolsd -b /run/vmtoolsd.pid
 Restart=on-failure
 KillMode=process
 KillSignal=SIGKILL
diff --git a/buildroot/package/paho-mqtt-c/Config.in b/buildroot/package/paho-mqtt-c/Config.in
index 3560d8c08..0f4b2a29b 100644
--- a/buildroot/package/paho-mqtt-c/Config.in
+++ b/buildroot/package/paho-mqtt-c/Config.in
@@ -1,11 +1,10 @@
 config BR2_PACKAGE_PAHO_MQTT_C
 	bool "paho-mqtt-c"
-	depends on !BR2_STATIC_LIBS  # dlopen()
 	depends on BR2_TOOLCHAIN_HAS_THREADS
 	help
 	  MQTT client C library
 
 	  https://eclipse.org/paho/clients/c/
 
-comment "paho-mqtt-c needs a toolchain w/ threads and dynamic library support"
-	depends on BR2_STATIC_LIBS || !BR2_TOOLCHAIN_HAS_THREADS
+comment "paho-mqtt-c needs a toolchain w/ threads"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS
diff --git a/buildroot/package/paho-mqtt-c/paho-mqtt-c.hash b/buildroot/package/paho-mqtt-c/paho-mqtt-c.hash
index bbfa2da38..3c1a27084 100644
--- a/buildroot/package/paho-mqtt-c/paho-mqtt-c.hash
+++ b/buildroot/package/paho-mqtt-c/paho-mqtt-c.hash
@@ -1,5 +1,5 @@
 # Locally computed:
-sha256  1ae9b657b693254ed0710350df3dcf5232d1f479409a52861b5e5bb5cc3da046  paho-mqtt-c-1.3.4.tar.gz
+sha256  996eef9e498519da79108f58a887a34abc50cd76770b19b0300b27783706c71f  paho-mqtt-c-1.3.5.tar.gz
 sha256  83bbba033dc985487e321b6dfde111772affb73460be48726299fed3da684b1c  edl-v10
 sha256  0becf16567beb77fa252b7664631dd177c8f9a1889e48995b45379c7130e5303  epl-v20
 sha256  99d3a5c5cc2812f0593a85ec7c1b6dd83e8477b5090c01d9de0d49d49f367a4a  LICENSE
diff --git a/buildroot/package/paho-mqtt-c/paho-mqtt-c.mk b/buildroot/package/paho-mqtt-c/paho-mqtt-c.mk
index aa2a0b026..e11f0687d 100644
--- a/buildroot/package/paho-mqtt-c/paho-mqtt-c.mk
+++ b/buildroot/package/paho-mqtt-c/paho-mqtt-c.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-PAHO_MQTT_C_VERSION = 1.3.4
+PAHO_MQTT_C_VERSION = 1.3.5
 PAHO_MQTT_C_SITE = $(call github,eclipse,paho.mqtt.c,v$(PAHO_MQTT_C_VERSION))
 PAHO_MQTT_C_LICENSE = EPL-2.0 or BSD-3-Clause
 PAHO_MQTT_C_LICENSE_FILES = epl-v20 edl-v10 LICENSE
@@ -22,4 +22,18 @@ else
 PAHO_MQTT_C_CONF_OPTS += -DPAHO_WITH_SSL=FALSE
 endif
 
+ifeq ($(BR2_SHARED_LIBS),y)
+PAHO_MQTT_C_CONF_OPTS += \
+	-DPAHO_BUILD_SHARED=TRUE \
+	-DPAHO_BUILD_STATIC=FALSE
+else ifeq ($(BR2_STATIC_LIBS),y)
+PAHO_MQTT_C_CONF_OPTS += \
+	-DPAHO_BUILD_SHARED=FALSE \
+	-DPAHO_BUILD_STATIC=TRUE
+else ifeq ($(BR2_SHARED_STATIC_LIBS),y)
+PAHO_MQTT_C_CONF_OPTS += \
+	-DPAHO_BUILD_SHARED=TRUE \
+	-DPAHO_BUILD_STATIC=TRUE
+endif
+
 $(eval $(cmake-package))
diff --git a/buildroot/package/patchelf/0003-Add-option-to-make-the-rpath-relative-under-a-specif.patch b/buildroot/package/patchelf/0003-Add-option-to-make-the-rpath-relative-under-a-specif.patch
index feec62768..f9f2537a6 100644
--- a/buildroot/package/patchelf/0003-Add-option-to-make-the-rpath-relative-under-a-specif.patch
+++ b/buildroot/package/patchelf/0003-Add-option-to-make-the-rpath-relative-under-a-specif.patch
@@ -167,7 +167,7 @@ index 1d9a772..35b4a33 100644
      if (op == rpShrink && !rpath) {
          debug("no RPATH to shrink\n");
          return;
-@@ -1120,26 +1196,86 @@ void ElfFile<ElfFileParamNames>::modifyRPath(RPathOp op, string newRPath)
+@@ -1120,26 +1196,80 @@ void ElfFile<ElfFileParamNames>::modifyRPath(RPathOp op, string newRPath)
                  continue;
              }
  
@@ -250,12 +250,6 @@ index 1d9a772..35b4a33 100644
 +                }
 +            }
 +
-+            if (!libFoundInRPath(canonicalPath, neededLibs, neededLibFound)) {
-+                debug("removing directory '%s' from RPATH because it does not contain needed libs\n",
-+                      dirName.c_str());
-+                continue;
-+            }
-+
 +            /* Finally make "canonicalPath" relative to "filedir" in "rootDir" */
 +            if (relativeToFile)
 +                concatToRPath(newRPath, makePathRelative(canonicalPath, fileDir));
@@ -268,7 +262,7 @@ index 1d9a772..35b4a33 100644
      if (op == rpRemove) {
          if (!rpath) {
              debug("no RPATH to delete\n");
-@@ -1413,7 +1549,9 @@ static bool shrinkRPath = false;
+@@ -1413,7 +1543,9 @@ static bool shrinkRPath = false;
  static bool removeRPath = false;
  static bool setRPath = false;
  static bool printRPath = false;
@@ -278,7 +272,7 @@ index 1d9a772..35b4a33 100644
  static set<string> neededLibsToRemove;
  static map<string, string> neededLibsToReplace;
  static set<string> neededLibsToAdd;
-@@ -1438,14 +1576,16 @@ static void patchElf2(ElfFile & elfFile)
+@@ -1438,14 +1570,16 @@ static void patchElf2(ElfFile & elfFile)
          elfFile.setInterpreter(newInterpreter);
  
      if (printRPath)
@@ -299,7 +293,7 @@ index 1d9a772..35b4a33 100644
  
      if (printNeeded) elfFile.printNeededLibs();
  
-@@ -1508,6 +1648,9 @@ void showHelp(const string & progName)
+@@ -1508,6 +1642,9 @@ void showHelp(const string & progName)
    [--set-rpath RPATH]\n\
    [--remove-rpath]\n\
    [--shrink-rpath]\n\
@@ -309,7 +303,7 @@ index 1d9a772..35b4a33 100644
    [--print-rpath]\n\
    [--force-rpath]\n\
    [--add-needed LIBRARY]\n\
-@@ -1564,6 +1707,17 @@ int main(int argc, char * * argv)
+@@ -1564,6 +1701,17 @@ int main(int argc, char * * argv)
              setRPath = true;
              newRPath = argv[i];
          }
diff --git a/buildroot/package/perl/perl.hash b/buildroot/package/perl/perl.hash
index 7c153fedb..ba3a39d43 100644
--- a/buildroot/package/perl/perl.hash
+++ b/buildroot/package/perl/perl.hash
@@ -1,10 +1,10 @@
-# Hashes from: http://www.cpan.org/src/5.0/perl-5.30.2.tar.xz.{md5,sha1,sha256}.txt
-md5  4bfa12b528522a50de0470b8b70b9b3b  perl-5.30.2.tar.xz
-sha1  d82cdaa610a3e749e821fc77004b1b4bfd5ebd28  perl-5.30.2.tar.xz
-sha256  a1aa88bd6fbbdc2e82938afbb76c408b0ea847317737b712dc196cc7907a5259  perl-5.30.2.tar.xz
+# Hashes from: http://www.cpan.org/src/5.0/perl-5.30.3.tar.xz.{md5,sha1,sha256}.txt
+md5  0af2ab0f01ec13e37cc13a27de930936  perl-5.30.3.tar.xz
+sha1  1003c6aa71d8966501038178459a9fa4e9aba747  perl-5.30.3.tar.xz
+sha256  6967595f2e3f3a94544c35152f9a25e0cb8ea24ae45f4bf1882f2e33f4a400f4  perl-5.30.3.tar.xz
 
-# Hashes from: https://github.com/arsv/perl-cross/releases/download/1.3.2/perl-cross-1.3.2.hash
-sha256  defa12f0ad7be0b6c48b4f76e2fb5b37c1b37fbeb6e9ebe938279cd539a0c20c  perl-cross-1.3.2.tar.gz
+# Hashes from: https://github.com/arsv/perl-cross/releases/download/1.3.4/perl-cross-1.3.4.hash
+sha256  755aa0ca8141a942188a269564f86c3c82349f82c346ed5c992495d7f35138ba  perl-cross-1.3.4.tar.gz
 
 # Locally calculated
 sha256  dd90d4f42e4dcadf5a7c09eea0189d93c7b37ae560c91f0f6d5233ed3b9292a2  Artistic
diff --git a/buildroot/package/perl/perl.mk b/buildroot/package/perl/perl.mk
index c865fc768..2f82e1d6d 100644
--- a/buildroot/package/perl/perl.mk
+++ b/buildroot/package/perl/perl.mk
@@ -6,14 +6,14 @@
 
 # When updating the version here, also update utils/scancpan
 PERL_VERSION_MAJOR = 30
-PERL_VERSION = 5.$(PERL_VERSION_MAJOR).2
+PERL_VERSION = 5.$(PERL_VERSION_MAJOR).3
 PERL_SITE = http://www.cpan.org/src/5.0
 PERL_SOURCE = perl-$(PERL_VERSION).tar.xz
 PERL_LICENSE = Artistic or GPL-1.0+
 PERL_LICENSE_FILES = Artistic Copying README
 PERL_INSTALL_STAGING = YES
 
-PERL_CROSS_VERSION = 1.3.2
+PERL_CROSS_VERSION = 1.3.4
 # DO NOT refactor with the github helper (the result is not the same)
 PERL_CROSS_SITE = https://github.com/arsv/perl-cross/releases/download/$(PERL_CROSS_VERSION)
 PERL_CROSS_SOURCE = perl-cross-$(PERL_CROSS_VERSION).tar.gz
diff --git a/buildroot/package/php/0002-iconv-tweak-iconv-detection.patch b/buildroot/package/php/0002-iconv-tweak-iconv-detection.patch
index 1aa840013..a12041603 100644
--- a/buildroot/package/php/0002-iconv-tweak-iconv-detection.patch
+++ b/buildroot/package/php/0002-iconv-tweak-iconv-detection.patch
@@ -15,6 +15,8 @@ Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
 [Gustavo: update for 5.6.10]
 Signed-off-by: Adam Duskett <aduskett@gmail.com>
 [aduskett@gmail.com: Update for 7.3.0]
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+[Bernd: rebased for 7.4.10]
 ---
  build/php.m4        |  2 +-
  ext/iconv/config.m4 | 22 ----------------------
@@ -24,7 +26,7 @@ diff --git a/build/php.m4 b/build/php.m4
 index 9586c490..8b3d47ed 100644
 --- a/build/php.m4
 +++ b/build/php.m4
-@@ -1971,7 +1971,7 @@ AC_DEFUN([PHP_SETUP_ICONV], [
+@@ -1965,7 +1965,7 @@ AC_DEFUN([PHP_SETUP_ICONV], [
    dnl Check external libs for iconv funcs.
    if test "$found_iconv" = "no"; then
  
diff --git a/buildroot/package/php/0003-configure-disable-the-phar-tool.patch b/buildroot/package/php/0003-configure-disable-the-phar-tool.patch
index 7cc363797..aface92d7 100644
--- a/buildroot/package/php/0003-configure-disable-the-phar-tool.patch
+++ b/buildroot/package/php/0003-configure-disable-the-phar-tool.patch
@@ -12,6 +12,8 @@ Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
 [Gustavo: update for autoreconf/configure.in]
 Signed-off-by: Adam Duskett <aduskett@gmail.com>
 [Aduskett: update for 7.3.0]
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+[Bernd: rebased for 7.4.10]
 ---
  configure.ac | 9 ++-------
  1 file changed, 2 insertions(+), 7 deletions(-)
@@ -20,7 +22,7 @@ diff --git a/configure.ac b/configure.ac
 index 0dfab302..6026fb66 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1430,13 +1430,8 @@ CFLAGS="\$(CFLAGS_CLEAN) $standard_libtool_flag"
+@@ -1453,13 +1453,8 @@ CFLAGS="\$(CFLAGS_CLEAN) $standard_libtool_flag"
  INLINE_CFLAGS="$INLINE_CFLAGS $standard_libtool_flag"
  CXXFLAGS="$CXXFLAGS $standard_libtool_flag \$(PROF_FLAGS)"
  
diff --git a/buildroot/package/php/php.hash b/buildroot/package/php/php.hash
index 47879eecc..77a0feb55 100644
--- a/buildroot/package/php/php.hash
+++ b/buildroot/package/php/php.hash
@@ -1,5 +1,5 @@
 # From https://www.php.net/downloads.php
-sha256  642843890b732e8af01cb661e823ae01472af1402f211c83009c9b3abd073245  php-7.4.8.tar.xz
+sha256  5d31675a9b9c21b5bd03389418218c30b26558246870caba8eb54f5856e2d6ce  php-7.4.11.tar.xz
 
 # License file
 sha256  0967ad6cf4b7fe81d38709d7aaef3fecb3bd685be7eebb37b864aa34c991baa7  LICENSE
diff --git a/buildroot/package/php/php.mk b/buildroot/package/php/php.mk
index 48af0f6fd..011c9019c 100644
--- a/buildroot/package/php/php.mk
+++ b/buildroot/package/php/php.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-PHP_VERSION = 7.4.8
+PHP_VERSION = 7.4.11
 PHP_SITE = http://www.php.net/distributions
 PHP_SOURCE = php-$(PHP_VERSION).tar.xz
 PHP_INSTALL_STAGING = YES
diff --git a/buildroot/package/pkg-kconfig.mk b/buildroot/package/pkg-kconfig.mk
index e2d52ee8e..2aecf2e20 100644
--- a/buildroot/package/pkg-kconfig.mk
+++ b/buildroot/package/pkg-kconfig.mk
@@ -28,12 +28,12 @@ define kconfig-package-update-config
 endef
 
 PKG_KCONFIG_COMMON_OPTS = \
-	HOSTCC=$(HOSTCC_NOCCACHE)
+	HOSTCC="$(HOSTCC_NOCCACHE)"
 
 # Macro to save the defconfig file
 # $(1): the name of the package in upper-case letters
 define kconfig-package-savedefconfig
-	$($(1)_MAKE_ENV) $(MAKE) -C $($(1)_DIR) \
+	$($(1)_MAKE_ENV) $($(1)_MAKE) -C $($(1)_DIR) \
 		$(PKG_KCONFIG_COMMON_OPTS) $($(1)_KCONFIG_OPTS) savedefconfig
 endef
 
@@ -89,6 +89,7 @@ $(2)_DEPENDENCIES += $$($(2)_KCONFIG_DEPENDENCIES)
 $(call inner-generic-package,$(1),$(2),$(3),$(4))
 
 # Default values
+$(2)_MAKE ?= $$(MAKE)
 $(2)_KCONFIG_EDITORS ?= menuconfig
 $(2)_KCONFIG_OPTS ?=
 $(2)_KCONFIG_FIXUP_CMDS ?=
@@ -122,7 +123,7 @@ $$($(2)_KCONFIG_FILE) $$($(2)_KCONFIG_FRAGMENT_FILES): | $(1)-patch
 	done
 
 $(2)_KCONFIG_MAKE = \
-	$$($(2)_MAKE_ENV) $$(MAKE) -C $$($(2)_DIR) \
+	$$($(2)_MAKE_ENV) $$($(2)_MAKE) -C $$($(2)_DIR) \
 		$$(PKG_KCONFIG_COMMON_OPTS) $$($(2)_KCONFIG_OPTS)
 
 # $(2)_KCONFIG_MAKE may already rely on shell expansion. As the $() syntax
@@ -166,6 +167,7 @@ define $(2)_FIXUP_DOT_CONFIG
 	$$(Q)touch $$($(2)_DIR)/.stamp_kconfig_fixup_done
 endef
 
+$$($(2)_DIR)/.stamp_kconfig_fixup_done: PKG=$(2)
 $$($(2)_DIR)/.stamp_kconfig_fixup_done: $$($(2)_DIR)/$$($(2)_KCONFIG_STAMP_DOTCONFIG)
 	$$($(2)_FIXUP_DOT_CONFIG)
 
@@ -223,8 +225,9 @@ $(2)_CONFIGURATOR_MAKE_ENV = \
 # end up having a valid @D.
 #
 $$(addprefix $(1)-,$$($(2)_KCONFIG_EDITORS)): $(1)-%: $$($(2)_DIR)/.kconfig_editor_%
+$$($(2)_DIR)/.kconfig_editor_%: PKG=$(2)
 $$($(2)_DIR)/.kconfig_editor_%: $$($(2)_DIR)/.stamp_kconfig_fixup_done
-	$$($(2)_CONFIGURATOR_MAKE_ENV) $$(MAKE) -C $$($(2)_DIR) \
+	$$($(2)_CONFIGURATOR_MAKE_ENV) $$($(2)_MAKE) -C $$($(2)_DIR) \
 		$$(PKG_KCONFIG_COMMON_OPTS) $$($(2)_KCONFIG_OPTS) $$(*)
 	rm -f $$($(2)_DIR)/.stamp_{kconfig_fixup_done,configured,built}
 	rm -f $$($(2)_DIR)/.stamp_{target,staging,images}_installed
diff --git a/buildroot/package/pkg-meson.mk b/buildroot/package/pkg-meson.mk
index 97129d808..185832bd0 100644
--- a/buildroot/package/pkg-meson.mk
+++ b/buildroot/package/pkg-meson.mk
@@ -193,7 +193,7 @@ define PKG_MESON_INSTALL_CROSS_CONF
 	    -e 's%@TARGET_CXXFLAGS@%$(call make-comma-list,$(TARGET_CXXFLAGS))@PKG_TARGET_CFLAGS@%g' \
 	    -e 's%@HOST_DIR@%$(HOST_DIR)%g' \
 	    -e 's%@STAGING_DIR@%$(STAGING_DIR)%g' \
-	    -e 's%@STATIC@%$$(if $$(BR2_STATIC_LIBS),true,false)%g' \
+	    -e 's%@STATIC@%$(if $(BR2_STATIC_LIBS),true,false)%g' \
 	    $(HOST_MESON_PKGDIR)/cross-compilation.conf.in \
 	    > $(HOST_DIR)/etc/meson/cross-compilation.conf.in
 	sed -e 's%@PKG_TARGET_CFLAGS@%%g' \
@@ -203,4 +203,4 @@ define PKG_MESON_INSTALL_CROSS_CONF
 	    > $(HOST_DIR)/etc/meson/cross-compilation.conf
 endef
 
-TOOLCHAIN_POST_INSTALL_STAGING_HOOKS += PKG_MESON_INSTALL_CROSS_CONF
+TOOLCHAIN_TARGET_FINALIZE_HOOKS += PKG_MESON_INSTALL_CROSS_CONF
diff --git a/buildroot/package/pkg-utils.mk b/buildroot/package/pkg-utils.mk
index d324934db..c4cafeeee 100644
--- a/buildroot/package/pkg-utils.mk
+++ b/buildroot/package/pkg-utils.mk
@@ -11,20 +11,27 @@
 # package, and more.
 #
 
-define KCONFIG_ENABLE_OPT # (option, file)
-	$(SED) "/\\<$(1)\\>/d" $(2)
-	echo '$(1)=y' >> $(2)
+# KCONFIG_DOT_CONFIG ([file])
+# Returns the path to the .config file that should be used, which will
+# be $(1) if provided, or the current package .config file otherwise.
+KCONFIG_DOT_CONFIG = $(strip \
+	$(if $(strip $(1)), $(1), \
+		$($(PKG)_BUILDDIR)/$($(PKG)_KCONFIG_DOTCONFIG) \
+	) \
+)
+
+# KCONFIG_MUNGE_DOT_CONFIG (option, newline [, file])
+define KCONFIG_MUNGE_DOT_CONFIG
+	$(SED) "/\\<$(strip $(1))\\>/d" $(call KCONFIG_DOT_CONFIG,$(3))
+	echo '$(strip $(2))' >> $(call KCONFIG_DOT_CONFIG,$(3))
 endef
 
-define KCONFIG_SET_OPT # (option, value, file)
-	$(SED) "/\\<$(1)\\>/d" $(3)
-	echo '$(1)=$(2)' >> $(3)
-endef
-
-define KCONFIG_DISABLE_OPT # (option, file)
-	$(SED) "/\\<$(1)\\>/d" $(2)
-	echo '# $(1) is not set' >> $(2)
-endef
+# KCONFIG_ENABLE_OPT (option [, file])
+KCONFIG_ENABLE_OPT  = $(call KCONFIG_MUNGE_DOT_CONFIG, $(1), $(1)=y, $(2))
+# KCONFIG_SET_OPT (option, value [, file])
+KCONFIG_SET_OPT     = $(call KCONFIG_MUNGE_DOT_CONFIG, $(1), $(1)=$(2), $(3))
+# KCONFIG_DISABLE_OPT  (option [, file])
+KCONFIG_DISABLE_OPT = $(call KCONFIG_MUNGE_DOT_CONFIG, $(1), $(SHARP_SIGN) $(1) is not set, $(2))
 
 # Helper functions to determine the name of a package and its
 # directory from its makefile directory, using the $(MAKEFILE_LIST)
diff --git a/buildroot/package/postgresql/pg_config b/buildroot/package/postgresql/pg_config
index 642252f27..59a9e6cfa 100644
--- a/buildroot/package/postgresql/pg_config
+++ b/buildroot/package/postgresql/pg_config
@@ -11,12 +11,18 @@ case "$1" in
   --includedir)
 	echo "$prefix/include"
 	;;
+  --includedir-server)
+	echo "$prefix/include/postgresql/server"
+	;;
   --libdir)
 	echo "$prefix/lib"
 	;;
   --version)
 	echo "PostgreSQL @POSTGRESQL_VERSION@"
 	;;
+  --configure)
+	echo "@POSTGRESQL_CONF_OPTIONS@"
+	;;
   *)
-	echo "Usage: $0 {--includedir|--libdir|--version}"
+	echo "Usage: $0 {--includedir|--includedir-server|--libdir|--version|--configure}"
 esac
diff --git a/buildroot/package/postgresql/postgresql.hash b/buildroot/package/postgresql/postgresql.hash
index 7cb0c67d6..4e410d187 100644
--- a/buildroot/package/postgresql/postgresql.hash
+++ b/buildroot/package/postgresql/postgresql.hash
@@ -1,7 +1,7 @@
-# From https://ftp.postgresql.org/pub/source/v12.2/postgresql-12.2.tar.bz2.md5
-md5  a88ceea8ecf2741307f663e4539b58b7  postgresql-12.2.tar.bz2
-# From https://ftp.postgresql.org/pub/source/v12.2/postgresql-12.2.tar.bz2.sha256
-sha256  ad1dcc4c4fc500786b745635a9e1eba950195ce20b8913f50345bb7d5369b5de  postgresql-12.2.tar.bz2
+# From https://ftp.postgresql.org/pub/source/v12.4/postgresql-12.4.tar.bz2.md5
+md5  80ebbf0e55193b123760e5f8e48c6cff  postgresql-12.4.tar.bz2
+# From https://ftp.postgresql.org/pub/source/v12.4/postgresql-12.4.tar.bz2.sha256
+sha256  bee93fbe2c32f59419cb162bcc0145c58da9a8644ee154a30b9a5ce47de606cc  postgresql-12.4.tar.bz2
 
 # License file, Locally calculated
-sha256	739e5d454d81d31a482469338b7c856f1f5c6b4cdda1551cea6f0f6d18eef62c  COPYRIGHT
+sha256  739e5d454d81d31a482469338b7c856f1f5c6b4cdda1551cea6f0f6d18eef62c  COPYRIGHT
diff --git a/buildroot/package/postgresql/postgresql.mk b/buildroot/package/postgresql/postgresql.mk
index 378197d33..3630b5a38 100644
--- a/buildroot/package/postgresql/postgresql.mk
+++ b/buildroot/package/postgresql/postgresql.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-POSTGRESQL_VERSION = 12.2
+POSTGRESQL_VERSION = 12.4
 POSTGRESQL_SOURCE = postgresql-$(POSTGRESQL_VERSION).tar.bz2
 POSTGRESQL_SITE = https://ftp.postgresql.org/pub/source/v$(POSTGRESQL_VERSION)
 POSTGRESQL_LICENSE = PostgreSQL
@@ -115,6 +115,7 @@ POSTGRESQL_POST_INSTALL_TARGET_HOOKS += POSTGRESQL_INSTALL_TARGET_FIXUP
 define POSTGRESQL_INSTALL_CUSTOM_PG_CONFIG
 	$(INSTALL) -m 0755 -D package/postgresql/pg_config \
 		$(STAGING_DIR)/usr/bin/pg_config
+	$(SED) "s|@POSTGRESQL_CONF_OPTIONS@|$(POSTGRESQL_CONF_OPTS)|g" $(STAGING_DIR)/usr/bin/pg_config
 	$(SED) "s|@POSTGRESQL_VERSION@|$(POSTGRESQL_VERSION)|g" $(STAGING_DIR)/usr/bin/pg_config
 endef
 
diff --git a/buildroot/package/postgresql/postgresql.service b/buildroot/package/postgresql/postgresql.service
index 53e6f84f0..539eea896 100644
--- a/buildroot/package/postgresql/postgresql.service
+++ b/buildroot/package/postgresql/postgresql.service
@@ -15,7 +15,6 @@ Group=postgres
 StandardOutput=syslog
 StandardError=syslog
 SyslogIdentifier=postgres
-PIDFile=/var/lib/pgsql/postmaster.pid
 
 ExecStartPre=/bin/sh -c "if [ ! -f /var/lib/pgsql/PG_VERSION ]; then /usr/bin/pg_ctl initdb -D /var/lib/pgsql; fi"
 ExecStart=/usr/bin/postgres -D /var/lib/pgsql
diff --git a/buildroot/package/python-aenum/python-aenum.mk b/buildroot/package/python-aenum/python-aenum.mk
index 1d5322ef4..97fcbb5e8 100644
--- a/buildroot/package/python-aenum/python-aenum.mk
+++ b/buildroot/package/python-aenum/python-aenum.mk
@@ -11,4 +11,13 @@ PYTHON_AENUM_SETUP_TYPE = setuptools
 PYTHON_AENUM_LICENSE = BSD-3-Clause
 PYTHON_AENUM_LICENSE_FILES = aenum/LICENSE
 
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+# only needed/valid for python 3.x
+define PYTHON_AENUM_RM_PY3_FILE
+	rm -f $(TARGET_DIR)/usr/lib/python*/site-packages/aenum/test_v3.py
+endef
+
+PYTHON_AENUM_POST_INSTALL_TARGET_HOOKS += PYTHON_AENUM_RM_PY3_FILE
+endif
+
 $(eval $(python-package))
diff --git a/buildroot/package/python-autobahn/python-autobahn.mk b/buildroot/package/python-autobahn/python-autobahn.mk
index 6c5c608b9..4b367177a 100644
--- a/buildroot/package/python-autobahn/python-autobahn.mk
+++ b/buildroot/package/python-autobahn/python-autobahn.mk
@@ -11,4 +11,15 @@ PYTHON_AUTOBAHN_LICENSE = MIT
 PYTHON_AUTOBAHN_LICENSE_FILES = LICENSE
 PYTHON_AUTOBAHN_SETUP_TYPE = setuptools
 
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+# only needed/valid for python 3.x
+define PYTHON_AUTOBAHN_RM_PY3_FILES
+	rm -rf $(TARGET_DIR)/usr/lib/python*/site-packages/autobahn/asyncio \
+		$(TARGET_DIR)/usr/lib/python*/site-packages/autobahn/xbr \
+		$(TARGET_DIR)/usr/lib/python*/site-packages/autobahn/twisted/xbr.py
+endef
+
+PYTHON_AUTOBAHN_POST_INSTALL_TARGET_HOOKS += PYTHON_AUTOBAHN_RM_PY3_FILES
+endif
+
 $(eval $(python-package))
diff --git a/buildroot/package/python-cycler/Config.in b/buildroot/package/python-cycler/Config.in
index 854873c96..813bc69dd 100644
--- a/buildroot/package/python-cycler/Config.in
+++ b/buildroot/package/python-cycler/Config.in
@@ -1,6 +1,5 @@
 config BR2_PACKAGE_PYTHON_CYCLER
 	bool "python-cycler"
-	depends on BR2_PACKAGE_PYTHON || BR2_PACKAGE_PYTHON3
 	help
 	  Creates a Cycler objects much like cycler, but
 	  includes input validation.
diff --git a/buildroot/package/python-django/python-django.hash b/buildroot/package/python-django/python-django.hash
index af5e4bb6e..8aebe6216 100644
--- a/buildroot/package/python-django/python-django.hash
+++ b/buildroot/package/python-django/python-django.hash
@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/django/json
-md5	0b0299419770eaff86ff3a4af519cd6a  Django-3.0.4.tar.gz
-sha256	50b781f6cbeb98f673aa76ed8e572a019a45e52bdd4ad09001072dfd91ab07c8  Django-3.0.4.tar.gz
+md5	deec48e8713727e443a7cee6b54baaeb  Django-3.0.10.tar.gz
+sha256	2d14be521c3ae24960e5e83d4575e156a8c479a75c935224b671b1c6e66eddaf  Django-3.0.10.tar.gz
 # Locally computed sha256 checksums
 sha256	b846415d1b514e9c1dff14a22deb906d794bc546ca6129f950a18cd091e2a669  LICENSE
diff --git a/buildroot/package/python-django/python-django.mk b/buildroot/package/python-django/python-django.mk
index 0cc5749a9..97bf75320 100644
--- a/buildroot/package/python-django/python-django.mk
+++ b/buildroot/package/python-django/python-django.mk
@@ -4,10 +4,10 @@
 #
 ################################################################################
 
-PYTHON_DJANGO_VERSION = 3.0.4
+PYTHON_DJANGO_VERSION = 3.0.10
 PYTHON_DJANGO_SOURCE = Django-$(PYTHON_DJANGO_VERSION).tar.gz
 # The official Django site has an unpractical URL
-PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/1d/38/89ea18b5aeb9b56fff7430388946e8e9dfd7a451f3e6ddb8a9b637f442c1
+PYTHON_DJANGO_SITE = https://files.pythonhosted.org/packages/f4/09/d7c995b128bec61233cfea0e5fa40e442cae54c127b4b2b0881e1fdd0023
 PYTHON_DJANGO_LICENSE = BSD-3-Clause
 PYTHON_DJANGO_LICENSE_FILES = LICENSE
 PYTHON_DJANGO_SETUP_TYPE = setuptools
diff --git a/buildroot/package/python-engineio/python-engineio.mk b/buildroot/package/python-engineio/python-engineio.mk
index 62036a9c7..507a0f27f 100644
--- a/buildroot/package/python-engineio/python-engineio.mk
+++ b/buildroot/package/python-engineio/python-engineio.mk
@@ -10,4 +10,14 @@ PYTHON_ENGINEIO_SETUP_TYPE = setuptools
 PYTHON_ENGINEIO_LICENSE = MIT
 PYTHON_ENGINEIO_LICENSE_FILES = LICENSE
 
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+# only needed/valid for python 3.x
+define PYTHON_ENGINEIO_RM_PY3_FILES
+	rm -rf $(TARGET_DIR)/usr/lib/python*/site-packages/engineio/async_drivers \
+		$(TARGET_DIR)/usr/lib/python*/site-packages/engineio/asyncio_*.py
+endef
+
+PYTHON_ENGINEIO_POST_INSTALL_TARGET_HOOKS += PYTHON_ENGINEIO_RM_PY3_FILES
+endif
+
 $(eval $(python-package))
diff --git a/buildroot/package/python-fire/python-fire.mk b/buildroot/package/python-fire/python-fire.mk
index 6471a4d14..5f41a83f7 100644
--- a/buildroot/package/python-fire/python-fire.mk
+++ b/buildroot/package/python-fire/python-fire.mk
@@ -11,4 +11,13 @@ PYTHON_FIRE_SETUP_TYPE = setuptools
 PYTHON_FIRE_LICENSE = Apache-2.0
 PYTHON_FIRE_LICENSE_FILES = LICENSE
 
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+# only needed/valid for python 3.x
+define PYTHON_FIRE_RM_PY3_FILE
+	rm -f $(TARGET_DIR)/usr/lib/python*/site-packages/fire/test_components_py3.py
+endef
+
+PYTHON_FIRE_POST_INSTALL_TARGET_HOOKS += PYTHON_FIRE_RM_PY3_FILE
+endif
+
 $(eval $(python-package))
diff --git a/buildroot/package/python-gunicorn/Config.in b/buildroot/package/python-gunicorn/Config.in
index 518157bf9..b3d11cf19 100644
--- a/buildroot/package/python-gunicorn/Config.in
+++ b/buildroot/package/python-gunicorn/Config.in
@@ -1,5 +1,6 @@
 config BR2_PACKAGE_PYTHON_GUNICORN
 	bool "python-gunicorn"
+	select BR2_PACKAGE_PYTHON_SETUPTOOLS # runtime
 	select BR2_PACKAGE_PYTHON_SSL if BR2_PACKAGE_PYTHON # runtime
 	select BR2_PACKAGE_PYTHON3_SSL if BR2_PACKAGE_PYTHON3 # runtime
 	help
diff --git a/buildroot/package/python-matplotlib/0002-Merge-pull-request-11983-from-anntzer-builddepchecks.patch b/buildroot/package/python-matplotlib/0002-Merge-pull-request-11983-from-anntzer-builddepchecks.patch
new file mode 100644
index 000000000..b3a22acbb
--- /dev/null
+++ b/buildroot/package/python-matplotlib/0002-Merge-pull-request-11983-from-anntzer-builddepchecks.patch
@@ -0,0 +1,170 @@
+From 923ce72409f184bd8e8c61b196260891036ba87e Mon Sep 17 00:00:00 2001
+From: Antony Lee <anntzer.lee@gmail.com>
+Date: Thu, 30 Aug 2018 15:27:55 +0200
+Subject: [PATCH] Simplify version checks for freetype and libpng.
+
+Currently, setupext.py replicates a lot of work done by the compiler to
+check whether header files are present, and whether freetype and libpng
+have sufficiently recent versions.
+
+Instead, we can just add a small stub source file at the top of the
+extension sources which just tries to include the header and checks the
+version macros.  If the header is not found, compilation will
+immediately abort with `foo.h: No such file or directory`; if the
+version is too old, we can emit an appropriate error message (`#pragma
+message` is supported by all major compilers and allows expanding of
+macros in the error message).
+
+[Retrieved from:
+https://github.com/matplotlib/matplotlib/commit/d1060a885309ec7ac19ca912d3011a5eb1673bd5]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ setupext.py              | 83 +++++-----------------------------------
+ src/checkdep_freetype2.c | 13 +++++++
+ src/checkdep_libpng.c    |  5 +++
+ 3 files changed, 28 insertions(+), 73 deletions(-)
+ create mode 100644 src/checkdep_freetype2.c
+ create mode 100644 src/checkdep_libpng.c
+
+diff --git a/setupext.py b/setupext.py
+index d5f4b81f562..a5163e39288 100644
+--- a/setupext.py
++++ b/setupext.py
+@@ -814,6 +814,13 @@ def add_flags(self, ext, add_sources=True):
+                                for x in agg_sources)
+ 
+ 
++# For FreeType2 and libpng, we add a separate checkdep_foo.c source to at the
++# top of the extension sources.  This file is compiled first and immediately
++# aborts the compilation either with "foo.h: No such file or directory" if the
++# header is not found, or an appropriate error message if the header indicates
++# a too-old version.
++
++
+ class FreeType(SetupPackage):
+     name = "freetype"
+     pkg_names = {
+@@ -825,59 +832,8 @@ class FreeType(SetupPackage):
+         "windows_url": "http://gnuwin32.sourceforge.net/packages/freetype.htm"
+         }
+ 
+-    def check(self):
+-        if options.get('local_freetype'):
+-            return "Using local version for testing"
+-
+-        if sys.platform == 'win32':
+-            try:
+-                check_include_file(get_include_dirs(), 'ft2build.h', 'freetype')
+-            except CheckFailed:
+-                check_include_file(get_include_dirs(), os.path.join('freetype2', 'ft2build.h'), 'freetype')
+-            return 'Using unknown version found on system.'
+-
+-        status, output = subprocess.getstatusoutput(
+-            "freetype-config --ftversion")
+-        if status == 0:
+-            version = output
+-        else:
+-            version = None
+-
+-        # Early versions of freetype grep badly inside freetype-config,
+-        # so catch those cases. (tested with 2.5.3).
+-        if version is None or 'No such file or directory\ngrep:' in version:
+-            version = self.version_from_header()
+-
+-        # pkg_config returns the libtool version rather than the
+-        # freetype version so we need to explicitly pass the version
+-        # to _check_for_pkg_config
+-        return self._check_for_pkg_config(
+-            'freetype2', 'ft2build.h',
+-            min_version='2.3', version=version)
+-
+-    def version_from_header(self):
+-        version = 'unknown'
+-        ext = self.get_extension()
+-        if ext is None:
+-            return version
+-        # Return the first version found in the include dirs.
+-        for include_dir in ext.include_dirs:
+-            header_fname = os.path.join(include_dir, 'freetype.h')
+-            if os.path.exists(header_fname):
+-                major, minor, patch = 0, 0, 0
+-                with open(header_fname, 'r') as fh:
+-                    for line in fh:
+-                        if line.startswith('#define FREETYPE_'):
+-                            value = line.rsplit(' ', 1)[1].strip()
+-                            if 'MAJOR' in line:
+-                                major = value
+-                            elif 'MINOR' in line:
+-                                minor = value
+-                            else:
+-                                patch = value
+-                return '.'.join([major, minor, patch])
+-
+     def add_flags(self, ext):
++        ext.sources.insert(0, 'src/checkdep_freetype2.c')
+         if options.get('local_freetype'):
+             src_path = os.path.join(
+                 'build', 'freetype-{0}'.format(LOCAL_FREETYPE_VERSION))
+@@ -1058,30 +1014,11 @@ class Png(SetupPackage):
+         "windows_url": "http://gnuwin32.sourceforge.net/packages/libpng.htm"
+         }
+ 
+-    def check(self):
+-        if sys.platform == 'win32':
+-            check_include_file(get_include_dirs(), 'png.h', 'png')
+-            return 'Using unknown version found on system.'
+-
+-        status, output = subprocess.getstatusoutput("libpng-config --version")
+-        if status == 0:
+-            version = output
+-        else:
+-            version = None
+-
+-        try:
+-            return self._check_for_pkg_config(
+-                'libpng', 'png.h',
+-                min_version='1.2', version=version)
+-        except CheckFailed as e:
+-            if has_include_file(get_include_dirs(), 'png.h'):
+-                return str(e) + ' Using unknown version found on system.'
+-            raise
+-
+     def get_extension(self):
+         sources = [
++            'src/checkdep_libpng.c',
+             'src/_png.cpp',
+-            'src/mplutils.cpp'
++            'src/mplutils.cpp',
+             ]
+         ext = make_extension('matplotlib._png', sources)
+         pkg_config.setup_extension(
+diff --git a/src/checkdep_freetype2.c b/src/checkdep_freetype2.c
+new file mode 100644
+index 00000000000..bf9a8c94e38
+--- /dev/null
++++ b/src/checkdep_freetype2.c
+@@ -0,0 +1,13 @@
++#include <ft2build.h>
++#include FT_FREETYPE_H
++
++#define XSTR(x) STR(x)
++#define STR(x) #x
++
++#pragma message("Compiling with FreeType version " \
++  XSTR(FREETYPE_MAJOR) "." XSTR(FREETYPE_MINOR) "." XSTR(FREETYPE_PATCH) ".")
++#if FREETYPE_MAJOR << 16 + FREETYPE_MINOR << 8 + FREETYPE_PATCH < 0x020300
++    #error "FreeType version 2.3 or higher is required." \
++      "Consider setting the MPLLOCALFREETYPE environment variable to 1."
++  #error
++#endif
+diff --git a/src/checkdep_libpng.c b/src/checkdep_libpng.c
+new file mode 100644
+index 00000000000..5ebe5cbe4d7
+--- /dev/null
++++ b/src/checkdep_libpng.c
+@@ -0,0 +1,5 @@
++#include <png.h>
++#pragma message("Compiling with libpng version " PNG_LIBPNG_VER_STRING ".")
++#if PNG_LIBPNG_VER < 10200
++  #error "libpng version 1.2 or higher is required."
++#endif
diff --git a/buildroot/package/python-pymodbus/python-pymodbus.mk b/buildroot/package/python-pymodbus/python-pymodbus.mk
index d96e21a55..9135a4d0c 100644
--- a/buildroot/package/python-pymodbus/python-pymodbus.mk
+++ b/buildroot/package/python-pymodbus/python-pymodbus.mk
@@ -11,4 +11,13 @@ PYTHON_PYMODBUS_SETUP_TYPE = setuptools
 PYTHON_PYMODBUS_LICENSE = BSD-3-Clause
 PYTHON_PYMODBUS_LICENSE_FILES = doc/LICENSE
 
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+# only needed/valid for python 3.x
+define PYTHON_PYMODBUS_RM_PY3_FILES
+	rm -rf $(TARGET_DIR)/usr/lib/python*/site-packages/pymodbus/client/asynchronous/asyncio
+endef
+
+PYTHON_PYMODBUS_POST_INSTALL_TARGET_HOOKS += PYTHON_PYMODBUS_RM_PY3_FILES
+endif
+
 $(eval $(python-package))
diff --git a/buildroot/package/python-scapy/0001-Small-Python-2-fix.patch b/buildroot/package/python-scapy/0001-Small-Python-2-fix.patch
new file mode 100644
index 000000000..562838d53
--- /dev/null
+++ b/buildroot/package/python-scapy/0001-Small-Python-2-fix.patch
@@ -0,0 +1,26 @@
+From 0c3d5e417bbd923c4729d15572c3d693d58aff81 Mon Sep 17 00:00:00 2001
+From: Gabriel <gabriel@potter.fr>
+Date: Wed, 21 Aug 2019 18:18:14 +0800
+Subject: [PATCH] Small Python 2 fix
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ scapy/tools/generate_ethertypes.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scapy/tools/generate_ethertypes.py b/scapy/tools/generate_ethertypes.py
+index 5bc5cdf9..47c38c4f 100644
+--- a/scapy/tools/generate_ethertypes.py
++++ b/scapy/tools/generate_ethertypes.py
+@@ -20,7 +20,7 @@ URL = "https://raw.githubusercontent.com/openbsd/src/master/sys/net/ethertypes.h
+ with urllib.request.urlopen(URL) as stream:
+     DATA = stream.read()
+ 
+-reg = rb".*ETHERTYPE_([^\s]+)\s.0x([0-9A-Fa-f]+).*\/\*(.*)\*\/"
++reg = br".*ETHERTYPE_([^\s]+)\s.0x([0-9A-Fa-f]+).*\/\*(.*)\*\/"
+ COMPILED = b"""#
+ # Ethernet frame types
+ #       This file describes some of the various Ethernet
+-- 
+2.20.1
+
diff --git a/buildroot/package/python-semver/python-semver.hash b/buildroot/package/python-semver/python-semver.hash
index 60aaa6b8c..5c13764e5 100644
--- a/buildroot/package/python-semver/python-semver.hash
+++ b/buildroot/package/python-semver/python-semver.hash
@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/semver/json
-md5	a411b305a3f6714bca126a0b59dc4429  semver-2.9.0.tar.gz
-sha256	ed1edeaa0c27f68feb74f09f715077fd07b728446dc2bb7fc470fc0f737873a0  semver-2.9.0.tar.gz
+md5  3e11ae9782121e8ffe9f8a8b763a8cb5  semver-2.10.2.tar.gz
+sha256  c0a4a9d1e45557297a722ee9bac3de2ec2ea79016b6ffcaca609b0bc62cf4276  semver-2.10.2.tar.gz
 # Locally computed
-sha256	cda490c32e61d3884dc17791fc8078f2a3e564fba98dd18b4dc64eb2720b2b6f  LICENSE.txt
+sha256  cda490c32e61d3884dc17791fc8078f2a3e564fba98dd18b4dc64eb2720b2b6f  LICENSE.txt
diff --git a/buildroot/package/python-semver/python-semver.mk b/buildroot/package/python-semver/python-semver.mk
index 6e1faef12..32ed6b971 100644
--- a/buildroot/package/python-semver/python-semver.mk
+++ b/buildroot/package/python-semver/python-semver.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-PYTHON_SEMVER_VERSION = 2.9.0
+PYTHON_SEMVER_VERSION = 2.10.2
 PYTHON_SEMVER_SOURCE = semver-$(PYTHON_SEMVER_VERSION).tar.gz
-PYTHON_SEMVER_SITE = https://files.pythonhosted.org/packages/be/c8/392e3c1c4080202b99e8b3b5d0ab6cbcfc4b25d50031c2c21d130871bf88
+PYTHON_SEMVER_SITE = https://files.pythonhosted.org/packages/aa/e8/cb894f70a52887f001aff5f264f68272c21fa58268495aca17df396c161f
 PYTHON_SEMVER_SETUP_TYPE = setuptools
 PYTHON_SEMVER_LICENSE = BSD-3-Clause
 PYTHON_SEMVER_LICENSE_FILES = LICENSE.txt
diff --git a/buildroot/package/python-sentry-sdk/python-sentry-sdk.mk b/buildroot/package/python-sentry-sdk/python-sentry-sdk.mk
index dd47e7c0c..2dcf4bce0 100644
--- a/buildroot/package/python-sentry-sdk/python-sentry-sdk.mk
+++ b/buildroot/package/python-sentry-sdk/python-sentry-sdk.mk
@@ -11,4 +11,14 @@ PYTHON_SENTRY_SDK_SETUP_TYPE = setuptools
 PYTHON_SENTRY_SDK_LICENSE = BSD-2-Clause
 PYTHON_SENTRY_SDK_LICENSE_FILES = LICENSE
 
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+# only needed/valid for python 3.x
+define PYTHON_SENTRY_SDK_RM_PY3_FILES
+	rm -f $(addprefix $(TARGET_DIR)/usr/lib/python*/site-packages/sentry_sdk/integrations/,\
+		aiohttp.py asgi.py django/asgi.py sanic.py tornado.py)
+endef
+
+PYTHON_SENTRY_SDK_POST_INSTALL_TARGET_HOOKS += PYTHON_SENTRY_SDK_RM_PY3_FILES
+endif
+
 $(eval $(python-package))
diff --git a/buildroot/package/python-socketio/python-socketio.mk b/buildroot/package/python-socketio/python-socketio.mk
index ece4f65b7..73dab26f3 100644
--- a/buildroot/package/python-socketio/python-socketio.mk
+++ b/buildroot/package/python-socketio/python-socketio.mk
@@ -10,4 +10,14 @@ PYTHON_SOCKETIO_SETUP_TYPE = setuptools
 PYTHON_SOCKETIO_LICENSE = MIT
 PYTHON_SOCKETIO_LICENSE_FILES = LICENSE
 
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+# only needed/valid for python 3.x
+define PYTHON_SOCKETIO_RM_PY3_FILES
+	rm -f $(TARGET_DIR)/usr/lib/python*/site-packages/socketio/asgi.py \
+		$(TARGET_DIR)/usr/lib/python*/site-packages/socketio/asyncio_*.py
+endef
+
+PYTHON_SOCKETIO_POST_INSTALL_TARGET_HOOKS += PYTHON_SOCKETIO_RM_PY3_FILES
+endif
+
 $(eval $(python-package))
diff --git a/buildroot/package/python-texttable/python-texttable.hash b/buildroot/package/python-texttable/python-texttable.hash
index 367eb8d60..a69e8ed46 100644
--- a/buildroot/package/python-texttable/python-texttable.hash
+++ b/buildroot/package/python-texttable/python-texttable.hash
@@ -1,5 +1,5 @@
 # md5, sha256 from https://pypi.org/pypi/texttable/json
-md5	763141f0bdf598cdc5cf780ed4d2eb94  texttable-1.6.2.tar.gz
-sha256	eff3703781fbc7750125f50e10f001195174f13825a92a45e9403037d539b4f4  texttable-1.6.2.tar.gz
+md5  68e6b31d36f5c20221da7d5db3eca772  texttable-1.6.3.tar.gz
+sha256  ce0faf21aa77d806bbff22b107cc22cce68dc9438f97a2df32c93e9afa4ce436  texttable-1.6.3.tar.gz
 # Locally computed sha256 checksums
-sha256	181d0c3366cc36fd6ae7d023b23a743581003fd42974c8983ea40f7161faeaf3  LICENSE
+sha256	4ba7bdab54504a3bc44eb33ecca873a26a63ab902822101a87bb46235da63594  LICENSE
diff --git a/buildroot/package/python-texttable/python-texttable.mk b/buildroot/package/python-texttable/python-texttable.mk
index 3b173a35e..6af23917b 100644
--- a/buildroot/package/python-texttable/python-texttable.mk
+++ b/buildroot/package/python-texttable/python-texttable.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-PYTHON_TEXTTABLE_VERSION = 1.6.2
+PYTHON_TEXTTABLE_VERSION = 1.6.3
 PYTHON_TEXTTABLE_SOURCE = texttable-$(PYTHON_TEXTTABLE_VERSION).tar.gz
-PYTHON_TEXTTABLE_SITE = https://files.pythonhosted.org/packages/82/a8/60df592e3a100a1f83928795aca210414d72cebdc6e4e0c95a6d8ac632fe
+PYTHON_TEXTTABLE_SITE = https://files.pythonhosted.org/packages/f5/be/716342325d6d6e05608e3a10e15f192f3723e454a25ce14bc9b9d1332772
 PYTHON_TEXTTABLE_SETUP_TYPE = setuptools
 PYTHON_TEXTTABLE_LICENSE = MIT
 PYTHON_TEXTTABLE_LICENSE_FILES = LICENSE
diff --git a/buildroot/package/python-tinyrpc/Config.in b/buildroot/package/python-tinyrpc/Config.in
index 3c643c754..3194b7825 100644
--- a/buildroot/package/python-tinyrpc/Config.in
+++ b/buildroot/package/python-tinyrpc/Config.in
@@ -1,5 +1,6 @@
 config BR2_PACKAGE_PYTHON_TINYRPC
 	bool "python-tinyrpc"
+	depends on BR2_PACKAGE_PYTHON3
 	select BR2_PACKAGE_PYTHON_SIX # runtime
 	help
 	  A small, modular, transport and protocol neutral RPC
diff --git a/buildroot/package/python-txtorcon/python-txtorcon.mk b/buildroot/package/python-txtorcon/python-txtorcon.mk
index a01c0b251..4df400c3e 100644
--- a/buildroot/package/python-txtorcon/python-txtorcon.mk
+++ b/buildroot/package/python-txtorcon/python-txtorcon.mk
@@ -11,4 +11,13 @@ PYTHON_TXTORCON_SETUP_TYPE = setuptools
 PYTHON_TXTORCON_LICENSE = MIT
 PYTHON_TXTORCON_LICENSE_FILES = LICENSE
 
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+# only needed/valid for python 3.x
+define PYTHON_TXTORCON_RM_PY3_FILE
+	rm -f $(TARGET_DIR)/usr/lib/python*/site-packages/txtorcon/controller_py3.py
+endef
+
+PYTHON_TXTORCON_POST_INSTALL_TARGET_HOOKS += PYTHON_TXTORCON_RM_PY3_FILE
+endif
+
 $(eval $(python-package))
diff --git a/buildroot/package/python/python.mk b/buildroot/package/python/python.mk
index 532c372de..e8cad54f9 100644
--- a/buildroot/package/python/python.mk
+++ b/buildroot/package/python/python.mk
@@ -194,6 +194,7 @@ define PYTHON_REMOVE_USELESS_FILES
 	rm -f $(TARGET_DIR)/usr/bin/python2-config
 	rm -f $(TARGET_DIR)/usr/bin/python-config
 	rm -f $(TARGET_DIR)/usr/bin/smtpd.py
+	rm -f $(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/distutils/command/wininst*.exe
 	for i in `find $(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/config/ \
 		-type f -not -name pyconfig.h -a -not -name Makefile` ; do \
 		rm -f $$i ; \
@@ -255,10 +256,10 @@ endif
 define PYTHON_CREATE_PYC_FILES
 	$(PYTHON_FIX_TIME)
 	PYTHONPATH="$(PYTHON_PATH)" \
-	cd $(TARGET_DIR) && $(HOST_DIR)/bin/python$(PYTHON_VERSION_MAJOR) \
+	$(HOST_DIR)/bin/python$(PYTHON_VERSION_MAJOR) \
 		$(TOPDIR)/support/scripts/pycompile.py \
-		$(if $(BR2_REPRODUCIBLE),--force) \
-		usr/lib/python$(PYTHON_VERSION_MAJOR)
+		--strip-root $(TARGET_DIR) \
+		$(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)
 endef
 
 ifeq ($(BR2_PACKAGE_PYTHON_PYC_ONLY)$(BR2_PACKAGE_PYTHON_PY_PYC),y)
diff --git a/buildroot/package/python3/python3.hash b/buildroot/package/python3/python3.hash
index 0a08d04b3..4c03293dd 100644
--- a/buildroot/package/python3/python3.hash
+++ b/buildroot/package/python3/python3.hash
@@ -1,5 +1,5 @@
-# From https://www.python.org/downloads/release/python-385/
-md5  35b5a3d0254c1c59be9736373d429db7  Python-3.8.5.tar.xz
+# From https://www.python.org/downloads/release/python-386/
+md5  69e73c49eeb1a853cefd26d18c9d069d  Python-3.8.6.tar.xz
 # Locally computed
-sha256  e3003ed57db17e617acb382b0cade29a248c6026b1bd8aad1f976e9af66a83b0  Python-3.8.5.tar.xz
-sha256  de4d1f2d2ad5ad0cfd1657a106476b31cb5db5ef9d1ff842b237c0c81f0c8a23  LICENSE
+sha256  a9e0b79d27aa056eb9cce8d63a427b5f9bab1465dee3f942dcfdb25a82f4ab8a  Python-3.8.6.tar.xz
+sha256  1dceef1677a39befa8bf0285ab2db441ba117520bb2de839547ace006a17750d  LICENSE
diff --git a/buildroot/package/python3/python3.mk b/buildroot/package/python3/python3.mk
index 31e7ca3d3..1a2edc647 100644
--- a/buildroot/package/python3/python3.mk
+++ b/buildroot/package/python3/python3.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 PYTHON3_VERSION_MAJOR = 3.8
-PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).5
+PYTHON3_VERSION = $(PYTHON3_VERSION_MAJOR).6
 PYTHON3_SOURCE = Python-$(PYTHON3_VERSION).tar.xz
 PYTHON3_SITE = https://python.org/ftp/python/$(PYTHON3_VERSION)
 PYTHON3_LICENSE = Python-2.0, others
@@ -212,6 +212,7 @@ define PYTHON3_REMOVE_USELESS_FILES
 	rm -f $(TARGET_DIR)/usr/bin/python$(PYTHON3_VERSION_MAJOR)m-config
 	rm -f $(TARGET_DIR)/usr/bin/python3-config
 	rm -f $(TARGET_DIR)/usr/bin/smtpd.py.3
+	rm -f $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/distutils/command/wininst*.exe
 	for i in `find $(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/config-$(PYTHON3_VERSION_MAJOR)m-*/ \
 		-type f -not -name Makefile` ; do \
 		rm -f $$i ; \
@@ -277,10 +278,10 @@ endif
 define PYTHON3_CREATE_PYC_FILES
 	$(PYTHON3_FIX_TIME)
 	PYTHONPATH="$(PYTHON3_PATH)" \
-	cd $(TARGET_DIR) && $(HOST_DIR)/bin/python$(PYTHON3_VERSION_MAJOR) \
+	$(HOST_DIR)/bin/python$(PYTHON3_VERSION_MAJOR) \
 		$(TOPDIR)/support/scripts/pycompile.py \
-		$(if $(BR2_REPRODUCIBLE),--force) \
-		usr/lib/python$(PYTHON3_VERSION_MAJOR)
+		--strip-root $(TARGET_DIR) \
+		$(TARGET_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)
 endef
 
 ifeq ($(BR2_PACKAGE_PYTHON3_PYC_ONLY)$(BR2_PACKAGE_PYTHON3_PY_PYC),y)
diff --git a/buildroot/package/qt5/qt5base/qt5base.mk b/buildroot/package/qt5/qt5base/qt5base.mk
index 774c771bc..f8f50530b 100644
--- a/buildroot/package/qt5/qt5base/qt5base.mk
+++ b/buildroot/package/qt5/qt5base/qt5base.mk
@@ -84,6 +84,9 @@ QT5BASE_DEPENDENCIES += gcnano-binaries
 else ifeq ($(BR2_PACKAGE_TI_SGX_LIBGBM),y)
 QT5BASE_CONFIGURE_OPTS += -gbm
 QT5BASE_DEPENDENCIES += ti-sgx-libgbm
+else ifeq ($(BR2_PACKAGE_IMX_GPU_VIV),y)
+QT5BASE_CONFIGURE_OPTS += -gbm
+QT5BASE_DEPENDENCIES += imx-gpu-viv
 else
 QT5BASE_CONFIGURE_OPTS += -no-gbm
 endif
diff --git a/buildroot/package/ripgrep/ripgrep.mk b/buildroot/package/ripgrep/ripgrep.mk
index 0bb7017a9..1500733d0 100644
--- a/buildroot/package/ripgrep/ripgrep.mk
+++ b/buildroot/package/ripgrep/ripgrep.mk
@@ -11,15 +11,20 @@ RIPGREP_LICENSE_FILES = LICENSE-MIT
 
 RIPGREP_DEPENDENCIES = host-cargo
 RIPGREP_CARGO_ENV = CARGO_HOME=$(HOST_DIR)/share/cargo
-RIPGREP_CARGO_MODE = $(if $(BR2_ENABLE_DEBUG),debug,release)
 
-RIPGREP_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(RIPGREP_CARGO_MODE)
+RIPGREP_BIN_DIR = target/$(RUSTC_TARGET_NAME)/$(RIPGREP_CARGO_BIN_SUBDIR)
 
 RIPGREP_CARGO_OPTS = \
-	--$(RIPGREP_CARGO_MODE) \
 	--target=$(RUSTC_TARGET_NAME) \
 	--manifest-path=$(@D)/Cargo.toml
 
+ifeq ($(BR2_ENABLE_DEBUG),y)
+RIPGREP_CARGO_BIN_SUBDIR = debug
+else
+RIPGREP_CARGO_OPTS += --release
+RIPGREP_CARGO_BIN_SUBDIR = release
+endif
+
 define RIPGREP_BUILD_CMDS
 	$(TARGET_MAKE_ENV) $(RIPGREP_CARGO_ENV) \
 		cargo build $(RIPGREP_CARGO_OPTS)
diff --git a/buildroot/package/rtl8188eu/rtl8188eu.hash b/buildroot/package/rtl8188eu/rtl8188eu.hash
index 88c128aa3..b16986176 100644
--- a/buildroot/package/rtl8188eu/rtl8188eu.hash
+++ b/buildroot/package/rtl8188eu/rtl8188eu.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256  cc872aa0991c044d35abfcc81543bad950c6aae487e37d5a09d1cbf8c4cb3058  rtl8188eu-4b0ecca485b9f11f58670b69aa9f90ecad7da02f.tar.gz
+sha256  24656123468506760974edf4a9087f6c77d13228fa6b6ce899c12c359a5dc1e7  rtl8188eu-0924dc8fe0845358ed5b3c4c673126069469b3fc.tar.gz
 sha256  af8067302947c01fd9eee72befa54c7e3ef8a48fecde7fd71277f2290b2bf0f7  COPYING
diff --git a/buildroot/package/rtl8188eu/rtl8188eu.mk b/buildroot/package/rtl8188eu/rtl8188eu.mk
index f292bba13..686b2ea9d 100644
--- a/buildroot/package/rtl8188eu/rtl8188eu.mk
+++ b/buildroot/package/rtl8188eu/rtl8188eu.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-RTL8188EU_VERSION = 4b0ecca485b9f11f58670b69aa9f90ecad7da02f
+RTL8188EU_VERSION = 0924dc8fe0845358ed5b3c4c673126069469b3fc
 RTL8188EU_SITE = $(call github,lwfinger,rtl8188eu,$(RTL8188EU_VERSION))
 RTL8188EU_LICENSE = GPL-2.0, proprietary (rtl8188eufw.bin firmware blob)
 RTL8188EU_LICENSE_FILES = COPYING
diff --git a/buildroot/package/rtl8821au/0001-Fix-implicit-fallthrough-comments-for-kernel-5.3.patch b/buildroot/package/rtl8821au/0001-Fix-implicit-fallthrough-comments-for-kernel-5.3.patch
index d323e8f93..00e801b6b 100644
--- a/buildroot/package/rtl8821au/0001-Fix-implicit-fallthrough-comments-for-kernel-5.3.patch
+++ b/buildroot/package/rtl8821au/0001-Fix-implicit-fallthrough-comments-for-kernel-5.3.patch
@@ -1,10 +1,11 @@
-From f41695e4069404639690d98c7aadfe72117965a6 Mon Sep 17 00:00:00 2001
+From 99f1e8bd7172ddf9613db3531a8b37921ed73351 Mon Sep 17 00:00:00 2001
 From: Jesper Skov <jb1811@jyskebank.dk>
 Date: Fri, 25 Oct 2019 10:05:41 +0200
 Subject: [PATCH] Fix implicit fallthrough comments for kernel 5.3
 
-[Upstram: https://github.com/abperiasamy/rtl8812AU_8821AU_linux/commit/e8a30a4c5a80efbbd5b1dbfe11b22916df4492f9.patch]
+[Upstream: https://github.com/abperiasamy/rtl8812AU_8821AU_linux/commit/e8a30a4c5a80efbbd5b1dbfe11b22916df4492f9.patch]
 Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+Signed-off-by: Christian Stewart <christian@paral.in>
 ---
  core/rtw_mlme_ext.c | 2 ++
  1 file changed, 2 insertions(+)
@@ -24,5 +25,5 @@ index 24565ea..380f507 100644
  		_mgt_dispatcher(padapter, ptable, precv_frame);
  #ifdef CONFIG_HOSTAPD_MLME
 -- 
-2.26.0
+2.28.0
 
diff --git a/buildroot/package/rtl8821au/0002-Fix-kernel-5.3-driver-crashes-from-aircrack-ng-rtl88.patch b/buildroot/package/rtl8821au/0002-Fix-kernel-5.3-driver-crashes-from-aircrack-ng-rtl88.patch
index 6b1b70270..213ea806b 100644
--- a/buildroot/package/rtl8821au/0002-Fix-kernel-5.3-driver-crashes-from-aircrack-ng-rtl88.patch
+++ b/buildroot/package/rtl8821au/0002-Fix-kernel-5.3-driver-crashes-from-aircrack-ng-rtl88.patch
@@ -1,10 +1,11 @@
-From b7f8f8572d5abca6e1f0163a583628c0207d0be4 Mon Sep 17 00:00:00 2001
+From cde2dbf6e94e00fcf198422b03de01d3090675d9 Mon Sep 17 00:00:00 2001
 From: Jesper Skov <jb1811@jyskebank.dk>
 Date: Fri, 25 Oct 2019 10:10:29 +0200
 Subject: [PATCH] Fix kernel 5.3 driver crashes, from aircrack-ng/rtl8812au#421
 
 [Upstream: https://github.com/abperiasamy/rtl8812AU_8821AU_linux/commit/822b485d36d6f72304a219c3be228f40968b542b.patch]
 Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+Signed-off-by: Christian Stewart <christian@paral.in>
 ---
  os_dep/linux/rtw_cfgvendor.c | 45 ++++++++++++++++++++++++++++++++++++
  1 file changed, 45 insertions(+)
@@ -164,5 +165,5 @@ index e7ba90a..81fc8af 100644
  	}
  };
 -- 
-2.26.0
+2.28.0
 
diff --git a/buildroot/package/rtl8821au/0003-Fix-using-sprintf-for-extending-string-which-causes-.patch b/buildroot/package/rtl8821au/0003-Fix-using-sprintf-for-extending-string-which-causes-.patch
new file mode 100644
index 000000000..2c4b595c3
--- /dev/null
+++ b/buildroot/package/rtl8821au/0003-Fix-using-sprintf-for-extending-string-which-causes-.patch
@@ -0,0 +1,339 @@
+From 5b6641978e8fa68bca05d224a61f8513b010eda8 Mon Sep 17 00:00:00 2001
+From: Coleman <omegacoleman@gmail.com>
+Date: Fri, 17 Jul 2020 08:53:00 +0800
+Subject: [PATCH] Fix using sprintf for extending string, which causes
+ undefined behavior
+
+[Upstream: https://github.com/abperiasamy/rtl8812AU_8821AU_linux/commit/be57045a0933d64e958878696883e9cf998e1bf3.patch]
+Signed-off-by: Coleman <omegacoleman@gmail.com>
+Signed-off-by: Christian Stewart <christian@paral.in>
+---
+ core/rtw_mp.c              |   2 +-
+ os_dep/linux/ioctl_linux.c | 108 ++++++++++++++++++-------------------
+ 2 files changed, 55 insertions(+), 55 deletions(-)
+
+diff --git a/core/rtw_mp.c b/core/rtw_mp.c
+index c2e400d..989bb3e 100644
+--- a/core/rtw_mp.c
++++ b/core/rtw_mp.c
+@@ -1871,7 +1871,7 @@ u32 mp_query_psd(PADAPTER pAdapter, u8 *data)
+ 		} else {
+ 			psd_data = rtw_GetPSDData(pAdapter, i);
+ 		}
+-		sprintf(data, "%s%x ", data, psd_data);
++		sprintf(data + strlen(data), "%x ", psd_data);
+ 		i++;
+ 	}
+ 
+diff --git a/os_dep/linux/ioctl_linux.c b/os_dep/linux/ioctl_linux.c
+index c74a153..9543fa3 100644
+--- a/os_dep/linux/ioctl_linux.c
++++ b/os_dep/linux/ioctl_linux.c
+@@ -9080,19 +9080,19 @@ static int rtw_mp_efuse_get(struct net_device *dev,
+ 		sprintf(extra, "\n");
+ 		for (i = 0; i < EFUSE_MAP_SIZE; i += 16) {
+ //			DBG_871X("0x%02x\t", i);
+-			sprintf(extra, "%s0x%02x\t", extra, i);
++			sprintf(extra + strlen(extra), "0x%02x\t", i);
+ 			for (j=0; j<8; j++) {
+ //				DBG_871X("%02X ", data[i+j]);
+-				sprintf(extra, "%s%02X ", extra, PROMContent[i+j]);
++				sprintf(extra + strlen(extra), "%02X ", PROMContent[i+j]);
+ 			}
+ //			DBG_871X("\t");
+-			sprintf(extra, "%s\t", extra);
++			sprintf(extra + strlen(extra), "\t");
+ 			for (; j<16; j++) {
+ //				DBG_871X("%02X ", data[i+j]);
+-				sprintf(extra, "%s%02X ", extra, PROMContent[i+j]);
++				sprintf(extra + strlen(extra), "%02X ", PROMContent[i+j]);
+ 			}
+ //			DBG_871X("\n");
+-			sprintf(extra,"%s\n",extra);
++			sprintf(extra + strlen(extra), "\n");
+ 		}
+ //		DBG_871X("\n");
+ 	} else if (strcmp(tmp[0], "realmap") == 0) {
+@@ -9107,19 +9107,19 @@ static int rtw_mp_efuse_get(struct net_device *dev,
+ 		sprintf(extra, "\n");
+ 		for (i = 0; i < EFUSE_MAP_SIZE; i += 16) {
+ //			DBG_871X("0x%02x\t", i);
+-			sprintf(extra, "%s0x%02x\t", extra, i);
++			sprintf(extra + strlen(extra), "0x%02x\t", i);
+ 			for (j=0; j<8; j++) {
+ //				DBG_871X("%02X ", data[i+j]);
+-				sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeEfuseInitMap[i+j]);
++				sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeEfuseInitMap[i+j]);
+ 			}
+ //			DBG_871X("\t");
+-			sprintf(extra, "%s\t", extra);
++			sprintf(extra + strlen(extra), "\t");
+ 			for (; j<16; j++) {
+ //				DBG_871X("%02X ", data[i+j]);
+-				sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeEfuseInitMap[i+j]);
++				sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeEfuseInitMap[i+j]);
+ 			}
+ //			DBG_871X("\n");
+-			sprintf(extra,"%s\n",extra);
++			sprintf(extra + strlen(extra), "\n");
+ 		}
+ //		DBG_871X("\n");
+ 	} else if (strcmp(tmp[0], "rmap") == 0) {
+@@ -9158,7 +9158,7 @@ static int rtw_mp_efuse_get(struct net_device *dev,
+ 		*extra = 0;
+ 		for (i=0; i<cnts; i++) {
+ //			DBG_871X("0x%02x ", data[i]);
+-			sprintf(extra, "%s0x%02X ", extra, data[i]);
++			sprintf(extra + strlen(extra), "0x%02X ", data[i]);
+ 		}
+ //		DBG_871X("}\n");
+ 	} else if (strcmp(tmp[0], "realraw") == 0) {
+@@ -9174,17 +9174,17 @@ static int rtw_mp_efuse_get(struct net_device *dev,
+ 		sprintf(extra, "\n0x00\t");
+ 		for (i=0; i< mapLen; i++) {
+ 			//			DBG_871X("%02X", rawdata[i]);
+-			sprintf(extra, "%s%02X", extra, rawdata[i]);
++			sprintf(extra + strlen(extra), "%02X", rawdata[i]);
+ 			if ((i & 0xF) == 0xF) {
+ 				//				DBG_871X("\n");
+-				sprintf(extra, "%s\n", extra);
+-				sprintf(extra, "%s0x%02x\t", extra, i+1);
++				sprintf(extra + strlen(extra), "\n");
++				sprintf(extra + strlen(extra), "0x%02x\t", i+1);
+ 			} else if ((i & 0x7) == 0x7) {
+ 				//				DBG_871X("\t");
+-				sprintf(extra, "%s \t", extra);
++				sprintf(extra + strlen(extra), " \t");
+ 			} else {
+ 				//				DBG_871X(" ");
+-				sprintf(extra, "%s ", extra);
++				sprintf(extra + strlen(extra), " ");
+ 			}
+ 		}
+ 		//		DBG_871X("}\n");
+@@ -9269,10 +9269,10 @@ static int rtw_mp_efuse_get(struct net_device *dev,
+ 		*extra = 0;
+ 		for (i=0; i<cnts; i++) {
+ //			DBG_871X("%02X", data[i]);
+-			sprintf(extra, "%s%02X", extra, data[i]);
++			sprintf(extra + strlen(extra), "%02X", data[i]);
+ 			if (i != (cnts-1)) {
+ //				DBG_871X(":");
+-				sprintf(extra,"%s:",extra);
++				sprintf(extra + strlen(extra), ":");
+ 			}
+ 		}
+ //		DBG_871X("}\n");
+@@ -9330,10 +9330,10 @@ static int rtw_mp_efuse_get(struct net_device *dev,
+ 		*extra = 0;
+ 		for (i=0; i<cnts; i++) {
+ //			DBG_871X("0x%02x", data[i]);
+-			sprintf(extra, "%s0x%02X", extra, data[i]);
++			sprintf(extra + strlen(extra), "0x%02X", data[i]);
+ 			if (i != (cnts-1)) {
+ //				DBG_871X(",");
+-				sprintf(extra,"%s,",extra);
++				sprintf(extra + strlen(extra), ",");
+ 			}
+ 		}
+ //		DBG_871X("}\n");
+@@ -9355,19 +9355,19 @@ static int rtw_mp_efuse_get(struct net_device *dev,
+ 		sprintf(extra, "\n");
+ 		for (i=0; i<512; i+=16) { // set 512 because the iwpriv's extra size have limit 0x7FF
+ //			DBG_871X("0x%03x\t", i);
+-			sprintf(extra, "%s0x%03x\t", extra, i);
++			sprintf(extra + strlen(extra), "0x%03x\t", i);
+ 			for (j=0; j<8; j++) {
+ //				DBG_871X("%02X ", pEfuseHal->BTEfuseInitMap[i+j]);
+-				sprintf(extra, "%s%02X ", extra, pEfuseHal->BTEfuseInitMap[i+j]);
++				sprintf(extra + strlen(extra), "%02X ", pEfuseHal->BTEfuseInitMap[i+j]);
+ 			}
+ //			DBG_871X("\t");
+-			sprintf(extra,"%s\t",extra);
++			sprintf(extra + strlen(extra), "\t");
+ 			for (; j<16; j++) {
+ //				DBG_871X("%02X ", pEfuseHal->BTEfuseInitMap[i+j]);
+-				sprintf(extra, "%s%02X ", extra, pEfuseHal->BTEfuseInitMap[i+j]);
++				sprintf(extra + strlen(extra), "%02X ", pEfuseHal->BTEfuseInitMap[i+j]);
+ 			}
+ //			DBG_871X("\n");
+-			sprintf(extra, "%s\n", extra);
++			sprintf(extra + strlen(extra), "\n");
+ 		}
+ //		DBG_871X("\n");
+ 	} else if (strcmp(tmp[0],"btbmap") == 0) {
+@@ -9384,19 +9384,19 @@ static int rtw_mp_efuse_get(struct net_device *dev,
+ 		sprintf(extra, "\n");
+ 		for (i=512; i<1024 ; i+=16) {
+ //			DBG_871X("0x%03x\t", i);
+-			sprintf(extra, "%s0x%03x\t", extra, i);
++			sprintf(extra + strlen(extra), "0x%03x\t", i);
+ 			for (j=0; j<8; j++) {
+ //				DBG_871X("%02X ", data[i+j]);
+-				sprintf(extra, "%s%02X ", extra, pEfuseHal->BTEfuseInitMap[i+j]);
++				sprintf(extra + strlen(extra), "%02X ", pEfuseHal->BTEfuseInitMap[i+j]);
+ 			}
+ //			DBG_871X("\t");
+-			sprintf(extra,"%s\t",extra);
++			sprintf(extra + strlen(extra), "\t");
+ 			for (; j<16; j++) {
+ //				DBG_871X("%02X ", data[i+j]);
+-				sprintf(extra, "%s%02X ", extra, pEfuseHal->BTEfuseInitMap[i+j]);
++				sprintf(extra + strlen(extra), "%02X ", pEfuseHal->BTEfuseInitMap[i+j]);
+ 			}
+ //			DBG_871X("\n");
+-			sprintf(extra, "%s\n", extra);
++			sprintf(extra + strlen(extra), "\n");
+ 		}
+ //		DBG_871X("\n");
+ 	} else if (strcmp(tmp[0],"btrmap") == 0) {
+@@ -9436,7 +9436,7 @@ static int rtw_mp_efuse_get(struct net_device *dev,
+ //		DBG_871X("%s: bt efuse data={", __FUNCTION__);
+ 		for (i=0; i<cnts; i++) {
+ //			DBG_871X("0x%02x ", data[i]);
+-			sprintf(extra, "%s 0x%02X ", extra, data[i]);
++			sprintf(extra + strlen(extra), " 0x%02X ", data[i]);
+ 		}
+ //		DBG_871X("}\n");
+ 		DBG_871X(FUNC_ADPT_FMT ": BT MAC=[%s]\n", FUNC_ADPT_ARG(padapter), extra);
+@@ -9445,19 +9445,19 @@ static int rtw_mp_efuse_get(struct net_device *dev,
+ 		sprintf(extra, "\n");
+ 		for (i=0; i<512; i+=16) {
+ //			DBG_871X("0x%03x\t", i);
+-			sprintf(extra, "%s0x%03x\t", extra, i);
++			sprintf(extra + strlen(extra), "0x%03x\t", i);
+ 			for (j=0; j<8; j++) {
+ //				DBG_871X("%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
+-				sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
++				sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
+ 			}
+ //			DBG_871X("\t");
+-			sprintf(extra, "%s\t", extra);
++			sprintf(extra + strlen(extra), "\t");
+ 			for (; j<16; j++) {
+ //				DBG_871X("%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
+-				sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
++				sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
+ 			}
+ //			DBG_871X("\n");
+-			sprintf(extra, "%s\n", extra);
++			sprintf(extra + strlen(extra), "\n");
+ 		}
+ //		DBG_871X("\n");
+ 	} else if (strcmp(tmp[0],"btbfake") == 0) {
+@@ -9465,19 +9465,19 @@ static int rtw_mp_efuse_get(struct net_device *dev,
+ 		sprintf(extra, "\n");
+ 		for (i=512; i<1024; i+=16) {
+ //			DBG_871X("0x%03x\t", i);
+-			sprintf(extra, "%s0x%03x\t", extra, i);
++			sprintf(extra + strlen(extra), "0x%03x\t", i);
+ 			for (j=0; j<8; j++) {
+ //				DBG_871X("%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
+-				sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
++				sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
+ 			}
+ //			DBG_871X("\t");
+-			sprintf(extra, "%s\t", extra);
++			sprintf(extra + strlen(extra), "\t");
+ 			for (; j<16; j++) {
+ //				DBG_871X("%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
+-				sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
++				sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
+ 			}
+ //			DBG_871X("\n");
+-			sprintf(extra, "%s\n", extra);
++			sprintf(extra + strlen(extra), "\n");
+ 		}
+ //		DBG_871X("\n");
+ 	} else if (strcmp(tmp[0],"wlrfkmap")== 0) {
+@@ -9485,19 +9485,19 @@ static int rtw_mp_efuse_get(struct net_device *dev,
+ 		sprintf(extra, "\n");
+ 		for (i=0; i<EFUSE_MAP_SIZE; i+=16) {
+ //			DBG_871X("\t0x%02x\t", i);
+-			sprintf(extra, "%s0x%02x\t", extra, i);
++			sprintf(extra + strlen(extra), "0x%02x\t", i);
+ 			for (j=0; j<8; j++) {
+ //				DBG_871X("%02X ", pEfuseHal->fakeEfuseModifiedMap[i+j]);
+-				sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeEfuseModifiedMap[i+j]);
++				sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeEfuseModifiedMap[i+j]);
+ 			}
+ //			DBG_871X("\t");
+-			sprintf(extra, "%s\t", extra);
++			sprintf(extra + strlen(extra), "\t");
+ 			for (; j<16; j++) {
+ //				DBG_871X("%02X ", pEfuseHal->fakeEfuseModifiedMap[i+j]);
+-				sprintf(extra, "%s %02X", extra, pEfuseHal->fakeEfuseModifiedMap[i+j]);
++				sprintf(extra + strlen(extra), " %02X", pEfuseHal->fakeEfuseModifiedMap[i+j]);
+ 			}
+ //			DBG_871X("\n");
+-			sprintf(extra, "%s\n", extra);
++			sprintf(extra + strlen(extra), "\n");
+ 		}
+ //		DBG_871X("\n");
+ 
+@@ -9523,7 +9523,7 @@ static int rtw_mp_efuse_get(struct net_device *dev,
+ 		*extra = 0;
+ 		for (i=0; i<cnts; i++) {
+ 			DBG_871X("wlrfkrmap = 0x%02x \n", pEfuseHal->fakeEfuseModifiedMap[addr+i]);
+-			sprintf(extra, "%s0x%02X ", extra, pEfuseHal->fakeEfuseModifiedMap[addr+i]);
++			sprintf(extra + strlen(extra), "0x%02X ", pEfuseHal->fakeEfuseModifiedMap[addr+i]);
+ 		}
+ 	} else if (strcmp(tmp[0],"btrfkrmap")== 0) {
+ 		if ((tmp[1]==NULL) || (tmp[2]==NULL)) {
+@@ -9547,7 +9547,7 @@ static int rtw_mp_efuse_get(struct net_device *dev,
+ 		*extra = 0;
+ 		for (i=0; i<cnts; i++) {
+ 			DBG_871X("wlrfkrmap = 0x%02x \n", pEfuseHal->fakeBTEfuseModifiedMap[addr+i]);
+-			sprintf(extra, "%s0x%02X ", extra, pEfuseHal->fakeBTEfuseModifiedMap[addr+i]);
++			sprintf(extra + strlen(extra), "0x%02X ", pEfuseHal->fakeBTEfuseModifiedMap[addr+i]);
+ 		}
+ 	} else {
+ 		sprintf(extra, "Command not found!");
+@@ -10409,7 +10409,7 @@ static int rtw_mp_read_reg(struct net_device *dev,
+ 			pnext++;
+ 			if ( *pnext != '\0' ) {
+ 				strtout = simple_strtoul (pnext , &ptmp, 16);
+-				sprintf( extra, "%s %d" ,extra ,strtout );
++				sprintf(extra + strlen(extra), " %d"  ,strtout );
+ 			} else {
+ 				break;
+ 			}
+@@ -10443,7 +10443,7 @@ static int rtw_mp_read_reg(struct net_device *dev,
+ 			pnext++;
+ 			if ( *pnext != '\0' ) {
+ 				strtout = simple_strtoul (pnext , &ptmp, 16);
+-				sprintf( extra, "%s %d" ,extra ,strtout );
++				sprintf(extra + strlen(extra), " %d"  ,strtout );
+ 			} else {
+ 				break;
+ 			}
+@@ -10566,7 +10566,7 @@ static int rtw_mp_read_rf(struct net_device *dev,
+ 		pnext++;
+ 		if ( *pnext != '\0' ) {
+ 			strtou = simple_strtoul (pnext , &ptmp, 16);
+-			sprintf( extra, "%s %d" ,extra ,strtou );
++			sprintf(extra + strlen(extra), " %d"  ,strtou );
+ 		} else {
+ 			break;
+ 		}
+@@ -12155,14 +12155,14 @@ todo:
+ 				goto exit;
+ 
+ #ifdef CONFIG_RTL8723A
+-			sprintf(extra, "%s %d ", extra, (pMptCtx->mptOutBuf[i]& 0x3f));
++			sprintf(extra + strlen(extra), " %d ", (pMptCtx->mptOutBuf[i]& 0x3f));
+ #else
+-			sprintf(extra, "%s %d ", extra, (pMptCtx->mptOutBuf[i]& 0x1f));
++			sprintf(extra + strlen(extra), " %d ", (pMptCtx->mptOutBuf[i]& 0x1f));
+ #endif
+ 		}
+ 	} else {
+ 		for (i=4; i<pMptCtx->mptOutLen; i++) {
+-			sprintf(extra, "%s 0x%x ", extra, pMptCtx->mptOutBuf[i]);
++			sprintf(extra + strlen(extra), " 0x%x ", pMptCtx->mptOutBuf[i]);
+ 		}
+ 	}
+ 
+-- 
+2.28.0
+
diff --git a/buildroot/package/ruby/ruby.hash b/buildroot/package/ruby/ruby.hash
index d0aac6387..89cab3fcd 100644
--- a/buildroot/package/ruby/ruby.hash
+++ b/buildroot/package/ruby/ruby.hash
@@ -1,5 +1,5 @@
-# https://www.ruby-lang.org/en/news/2019/10/02/ruby-2-4-9-released/
-sha256 0c4e000253ef7187feeb940a01a1c7594f28d63aa16f978e892a0e2864f58614  ruby-2.4.9.tar.xz
+# https://www.ruby-lang.org/en/news/2020/03/31/ruby-2-4-10-released/
+sha256 d5668ed11544db034f70aec37d11e157538d639ed0d0a968e2f587191fc530df  ruby-2.4.10.tar.xz
 # License files, Locally calculated
 sha256 609292a6d848ab223073944fc2d844449391a5ba2055a8b5baf1726bc13b39cb  LEGAL
 sha256 f5eb1b2956d5f7a67b2e5722a3749bc2fe86f9c580f2e3f5a08519cf073b5864  COPYING
diff --git a/buildroot/package/ruby/ruby.mk b/buildroot/package/ruby/ruby.mk
index 0ac116433..6f8cb319c 100644
--- a/buildroot/package/ruby/ruby.mk
+++ b/buildroot/package/ruby/ruby.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 RUBY_VERSION_MAJOR = 2.4
-RUBY_VERSION = $(RUBY_VERSION_MAJOR).9
+RUBY_VERSION = $(RUBY_VERSION_MAJOR).10
 RUBY_VERSION_EXT = 2.4.0
 RUBY_SITE = http://cache.ruby-lang.org/pub/ruby/$(RUBY_VERSION_MAJOR)
 RUBY_SOURCE = ruby-$(RUBY_VERSION).tar.xz
diff --git a/buildroot/package/runc/runc.hash b/buildroot/package/runc/runc.hash
index b895f6fcc..d792947d5 100644
--- a/buildroot/package/runc/runc.hash
+++ b/buildroot/package/runc/runc.hash
@@ -1,3 +1,3 @@
 # Locally computed
-sha256	6b44985023347fb9c5a2cc6f761df8c41cc2c84a7a68a6e6acf834dff6653a9a  runc-1.0.0-rc10.tar.gz
+sha256	28378df983a3c586ed3ec8c76a774a9b10f36a0c323590a284b801cce95cc61f  runc-1.0.0-rc92.tar.gz
 sha256  552a739c3b25792263f731542238b92f6f8d07e9a488eae27e6c4690038a8243  LICENSE
diff --git a/buildroot/package/runc/runc.mk b/buildroot/package/runc/runc.mk
index 5982f62c4..2e0c332fc 100644
--- a/buildroot/package/runc/runc.mk
+++ b/buildroot/package/runc/runc.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-RUNC_VERSION = 1.0.0-rc10
+RUNC_VERSION = 1.0.0-rc92
 RUNC_SITE = $(call github,opencontainers,runc,v$(RUNC_VERSION))
 RUNC_LICENSE = Apache-2.0
 RUNC_LICENSE_FILES = LICENSE
diff --git a/buildroot/package/samba4/0001-libreplace-disable-libbsd-support.patch b/buildroot/package/samba4/0001-libreplace-disable-libbsd-support.patch
index a303fa666..79216860d 100644
--- a/buildroot/package/samba4/0001-libreplace-disable-libbsd-support.patch
+++ b/buildroot/package/samba4/0001-libreplace-disable-libbsd-support.patch
@@ -9,7 +9,7 @@ This causes redefinition conflicts for link(2) when both standard
 unistd.h and bsd/unistd.h get included.
 
 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
-[Bernd: rebased for versions 4.7.3, 4.8.0 & 4.8.5]
+[Bernd: rebased for versions 4.7.3, 4.8.0, 4.8.5 & 4.11.13]
 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
 ---
  lib/replace/wscript | 15 ---------------
@@ -19,7 +19,7 @@ diff --git a/lib/replace/wscript b/lib/replace/wscript
 index 240d730cbee..c6d8df43c74 100644
 --- a/lib/replace/wscript
 +++ b/lib/replace/wscript
-@@ -381,21 +381,6 @@ def configure(conf):
+@@ -406,21 +406,6 @@ def configure(conf):
  
      strlcpy_in_bsd = False
  
diff --git a/buildroot/package/samba4/0002-build-find-pre-built-heimdal-build-tools-in-case-of-.patch b/buildroot/package/samba4/0002-build-find-pre-built-heimdal-build-tools-in-case-of-.patch
index 563b274d5..b8636958e 100644
--- a/buildroot/package/samba4/0002-build-find-pre-built-heimdal-build-tools-in-case-of-.patch
+++ b/buildroot/package/samba4/0002-build-find-pre-built-heimdal-build-tools-in-case-of-.patch
@@ -33,6 +33,7 @@ BUG: https://bugzilla.samba.org/show_bug.cgi?id=14164
 
 Signed-off-by: Uri Simchoni <uri@samba.org>
 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+[Bernd: rebased for version 4.11.13]
 ---
  wscript_configure_embedded_heimdal | 11 +++++++++++
  wscript_configure_system_heimdal   | 11 -----------
@@ -59,7 +60,7 @@ diff --git a/wscript_configure_system_heimdal b/wscript_configure_system_heimdal
 index 0ff6dad2f55..f77c177442f 100644
 --- a/wscript_configure_system_heimdal
 +++ b/wscript_configure_system_heimdal
-@@ -36,14 +36,6 @@ def check_system_heimdal_lib(name, functions='', headers='', onlyif=None):
+@@ -37,14 +37,6 @@ def check_system_heimdal_lib(name, functions='', headers='', onlyif=None):
      conf.define('USING_SYSTEM_%s' % name.upper(), 1)
      return True
  
@@ -74,7 +75,7 @@ index 0ff6dad2f55..f77c177442f 100644
  check_system_heimdal_lib("com_err", "com_right_r com_err", "com_err.h")
  
  if check_system_heimdal_lib("roken", "rk_socket_set_reuseaddr", "roken.h"):
-@@ -88,7 +88,4 @@
+@@ -96,7 +96,4 @@
  #if conf.CHECK_BUNDLED_SYSTEM('tommath', checkfunctions='mp_init', headers='tommath.h'):
  #    conf.define('USING_SYSTEM_TOMMATH', 1)
  
diff --git a/buildroot/package/samba4/samba4.hash b/buildroot/package/samba4/samba4.hash
index 34ae6f84b..4d47871fc 100644
--- a/buildroot/package/samba4/samba4.hash
+++ b/buildroot/package/samba4/samba4.hash
@@ -1,4 +1,4 @@
 # Locally calculated after checking pgp signature
-# https://download.samba.org/pub/samba/stable/samba-4.11.10.tar.asc
-sha256  4346ed80c90132a4117fe2dd3e846954f44f006f4d057de3a3544116364e012f  samba-4.11.10.tar.gz
+# https://download.samba.org/pub/samba/stable/samba-4.11.13.tar.asc
+sha256  e71ed29ae01c5ce7be8cee1f53e0530db86dd19b911accb08fae60224e686ba1  samba-4.11.13.tar.gz
 sha256  8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903  COPYING
diff --git a/buildroot/package/samba4/samba4.mk b/buildroot/package/samba4/samba4.mk
index b6fe1a827..48ac48c18 100644
--- a/buildroot/package/samba4/samba4.mk
+++ b/buildroot/package/samba4/samba4.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SAMBA4_VERSION = 4.11.10
+SAMBA4_VERSION = 4.11.13
 SAMBA4_SITE = https://download.samba.org/pub/samba/stable
 SAMBA4_SOURCE = samba-$(SAMBA4_VERSION).tar.gz
 SAMBA4_INSTALL_STAGING = YES
diff --git a/buildroot/package/shadowsocks-libev/shadowsocks-libev.hash b/buildroot/package/shadowsocks-libev/shadowsocks-libev.hash
index 76928ebb4..cc7993a54 100644
--- a/buildroot/package/shadowsocks-libev/shadowsocks-libev.hash
+++ b/buildroot/package/shadowsocks-libev/shadowsocks-libev.hash
@@ -1,7 +1,7 @@
 # Locally computed
-sha256 677356a5ed6b5ae9e32a898061db2587158ff27e245db03f4bde9b006ef12dc9 shadowsocks-libev-3.3.3.tar.gz
+sha256  fce47a956fad0c30def9c71821bcec450a40d3f881548e31e66cedf262b89eb1  shadowsocks-libev-3.3.4.tar.gz
 
 # License files, locally calculated
-sha256 736883f97d44dbec288bb82819f18f4f86d02ae3192f6a9abefa00db76bace41  COPYING
-sha256 c41a4bc2c4c43e4daa3051e77e31b2d5c8500498afaeac6d831d55a4bb8de3fb  libbloom/LICENSE
-sha256 4fa2ada54f8c0410ec243265378242ffe862386d5ac517f8dd30a1911d25ae93  libcork/COPYING
+sha256  736883f97d44dbec288bb82819f18f4f86d02ae3192f6a9abefa00db76bace41  COPYING
+sha256  c41a4bc2c4c43e4daa3051e77e31b2d5c8500498afaeac6d831d55a4bb8de3fb  libbloom/LICENSE
+sha256  4fa2ada54f8c0410ec243265378242ffe862386d5ac517f8dd30a1911d25ae93  libcork/COPYING
diff --git a/buildroot/package/shadowsocks-libev/shadowsocks-libev.mk b/buildroot/package/shadowsocks-libev/shadowsocks-libev.mk
index 4b0b963ee..3ba4cb875 100644
--- a/buildroot/package/shadowsocks-libev/shadowsocks-libev.mk
+++ b/buildroot/package/shadowsocks-libev/shadowsocks-libev.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SHADOWSOCKS_LIBEV_VERSION = 3.3.3
+SHADOWSOCKS_LIBEV_VERSION = 3.3.4
 SHADOWSOCKS_LIBEV_SITE = https://github.com/shadowsocks/shadowsocks-libev/releases/download/v$(SHADOWSOCKS_LIBEV_VERSION)
 SHADOWSOCKS_LIBEV_LICENSE = GPL-3.0+, BSD-2-Clause (libbloom), BSD-3-Clause (libcork, libipset)
 SHADOWSOCKS_LIBEV_LICENSE_FILES = COPYING libbloom/LICENSE libcork/COPYING
diff --git a/buildroot/package/squid/squid.hash b/buildroot/package/squid/squid.hash
index a3ef65518..b7e051960 100644
--- a/buildroot/package/squid/squid.hash
+++ b/buildroot/package/squid/squid.hash
@@ -1,6 +1,6 @@
-# From http://www.squid-cache.org/Versions/v4/squid-4.12.tar.xz.asc
-md5  ad7a4a8a0031cae3435717a759173829  squid-4.12.tar.xz
-sha1  316b8a343aa542b5e7469d33b9d726bee00679c6  squid-4.12.tar.xz
+# From http://www.squid-cache.org/Versions/v4/squid-4.13.tar.xz.asc
+md5  492e54afc15821141ff1d1d9903854d6  squid-4.13.tar.xz
+sha1  cac95c18789e9ecd6620c2f278fc3900498c065b  squid-4.13.tar.xz
 # Locally calculated
-sha256  f42a03c8b3dc020722c88bf1a87da8cb0c087b2f66b41d8256c77ee1b527e317  squid-4.12.tar.xz
+sha256  6891a0f540e60779b4f24f1802a302f813c6f473ec7336a474ed68c3e2e53ee0  squid-4.13.tar.xz
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/buildroot/package/squid/squid.mk b/buildroot/package/squid/squid.mk
index 6bce74b7d..1ba375e54 100644
--- a/buildroot/package/squid/squid.mk
+++ b/buildroot/package/squid/squid.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SQUID_VERSION = 4.12
+SQUID_VERSION = 4.13
 SQUID_SOURCE = squid-$(SQUID_VERSION).tar.xz
 SQUID_SITE = http://www.squid-cache.org/Versions/v4
 SQUID_LICENSE = GPL-2.0+
diff --git a/buildroot/package/strace/strace.mk b/buildroot/package/strace/strace.mk
index 5ad249b13..3dd650f01 100644
--- a/buildroot/package/strace/strace.mk
+++ b/buildroot/package/strace/strace.mk
@@ -9,15 +9,7 @@ STRACE_SOURCE = strace-$(STRACE_VERSION).tar.xz
 STRACE_SITE = https://strace.io/files/$(STRACE_VERSION)
 STRACE_LICENSE = LGPL-2.1+
 STRACE_LICENSE_FILES = COPYING LGPL-2.1-or-later
-STRACE_CONF_OPTS = --enable-mpers=check
-
-# strace bundle some kernel headers to build libmpers, this mixes userspace
-# headers and kernel headers which break the build with musl.
-# The stddef.h from gcc is used instead of the one from musl.
-ifeq ($(BR2_TOOLCHAIN_USES_MUSL),y)
-STRACE_CONF_OPTS += st_cv_m32_mpers=no \
-	st_cv_mx32_mpers=no
-endif
+STRACE_CONF_OPTS = --enable-mpers=no
 
 ifeq ($(BR2_PACKAGE_LIBUNWIND),y)
 STRACE_DEPENDENCIES += libunwind
diff --git a/buildroot/package/supertux/0001-CMakeLists.txt-compile-squirrel-with-fPIC.patch b/buildroot/package/supertux/0001-CMakeLists.txt-compile-squirrel-with-fPIC.patch
new file mode 100644
index 000000000..9fac20a3f
--- /dev/null
+++ b/buildroot/package/supertux/0001-CMakeLists.txt-compile-squirrel-with-fPIC.patch
@@ -0,0 +1,35 @@
+From 23d0bb0ef0fde52d1cffe235edead09287326fb4 Mon Sep 17 00:00:00 2001
+From: Romain Naour <romain.naour@gmail.com>
+Date: Sun, 4 Oct 2020 01:11:30 +0200
+Subject: [PATCH] CMakeLists.txt: compile squirrel with -fPIC
+
+Ensure that squirrel is compiled with -fPIC to allow linking the static
+libraries with dynamically linked programs. This is not a requirement
+for most architectures but is mandatory for ARM.
+
+Fixes:
+x86_64-buildroot-linux-musl/bin/ld: CMakeFiles/sq_static.dir/sq.c.o: relocation R_X86_64_32 against `.rodata.str1.8' can not be used when making a PIE object; recompile with -fPIC
+x86_64-buildroot-linux-musl/bin/ld: final link failed: nonrepresentable section on output
+
+Signed-off-by: Romain Naour <romain.naour@gmail.com>
+---
+ CMakeLists.txt | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 8b1dafa1e..07c603cce 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -412,7 +412,8 @@ ExternalProject_Add(squirrel
+   -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
+   -DCMAKE_CXX_FLAGS=${CMAKE_CXX_FLAGS}
+   -DCMAKE_INSTALL_PREFIX=${SQUIRREL_PREFIX}
+-  -DINSTALL_INC_DIR=include)
++  -DINSTALL_INC_DIR=include
++  -DCMAKE_POSITION_INDEPENDENT_CODE=ON)
+ 
+ if(WIN32)
+   add_library(squirrel_lib SHARED IMPORTED)
+-- 
+2.25.4
+
diff --git a/buildroot/package/suricata/suricata.hash b/buildroot/package/suricata/suricata.hash
index 05e3593c3..9e79f3a96 100644
--- a/buildroot/package/suricata/suricata.hash
+++ b/buildroot/package/suricata/suricata.hash
@@ -1,5 +1,5 @@
 # Locally computed:
-sha256  c8a83a05f57cedc0ef81d833ddcfdbbfdcdb6f459a91b1b15dc2d5671f1aecbb  suricata-4.1.8.tar.gz
+sha256  3440cd1065b1b3999dc101a37c49321fab2791b38f16e2f7fe27369dd007eea7  suricata-4.1.9.tar.gz
 
 # Hash for license files:
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/buildroot/package/suricata/suricata.mk b/buildroot/package/suricata/suricata.mk
index 8dd23bf2f..d6ae48c1f 100644
--- a/buildroot/package/suricata/suricata.mk
+++ b/buildroot/package/suricata/suricata.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SURICATA_VERSION = 4.1.8
+SURICATA_VERSION = 4.1.9
 SURICATA_SITE = https://www.openinfosecfoundation.org/download
 SURICATA_LICENSE = GPL-2.0
 SURICATA_LICENSE_FILES = COPYING LICENSE
diff --git a/buildroot/package/systemd/0001-Fix-build-with-libmicrohttpd-0.9.71.patch b/buildroot/package/systemd/0001-Fix-build-with-libmicrohttpd-0.9.71.patch
deleted file mode 100644
index 7c1cfe939..000000000
--- a/buildroot/package/systemd/0001-Fix-build-with-libmicrohttpd-0.9.71.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From d17eabb1052e7c8c432331a7a782845e36164f01 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Tue, 30 Jun 2020 09:56:10 +0200
-Subject: [PATCH] =?UTF-8?q?Fix=20build=20with=20=C2=B5httpd=200.9.71?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The return type of callbacks was changed from int to an enum.
-
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
-[downloaded from upstream commit
- https://github.com/systemd/systemd/commit/d17eabb1052e7c8c432331a7a782845e36164f01]
----
- src/journal-remote/journal-gatewayd.c    | 4 ++--
- src/journal-remote/journal-remote-main.c | 2 +-
- src/journal-remote/microhttpd-util.h     | 6 ++++++
- 3 files changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/src/journal-remote/journal-gatewayd.c b/src/journal-remote/journal-gatewayd.c
-index 5177e0d1577..3ab7c98b0b5 100644
---- a/src/journal-remote/journal-gatewayd.c
-+++ b/src/journal-remote/journal-gatewayd.c
-@@ -349,7 +349,7 @@ static int request_parse_range(
-         return 0;
- }
- 
--static int request_parse_arguments_iterator(
-+static mhd_result request_parse_arguments_iterator(
-                 void *cls,
-                 enum MHD_ValueKind kind,
-                 const char *key,
-@@ -796,7 +796,7 @@ static int request_handler_machine(
-         return MHD_queue_response(connection, MHD_HTTP_OK, response);
- }
- 
--static int request_handler(
-+static mhd_result request_handler(
-                 void *cls,
-                 struct MHD_Connection *connection,
-                 const char *url,
-diff --git a/src/journal-remote/journal-remote-main.c b/src/journal-remote/journal-remote-main.c
-index 69a111afead..f82d188a8c6 100644
---- a/src/journal-remote/journal-remote-main.c
-+++ b/src/journal-remote/journal-remote-main.c
-@@ -253,7 +253,7 @@ static int process_http_upload(
-         return mhd_respond(connection, MHD_HTTP_ACCEPTED, "OK.");
- };
- 
--static int request_handler(
-+static mhd_result request_handler(
-                 void *cls,
-                 struct MHD_Connection *connection,
-                 const char *url,
-diff --git a/src/journal-remote/microhttpd-util.h b/src/journal-remote/microhttpd-util.h
-index d90c6bbd4f1..4ca9a5c4f16 100644
---- a/src/journal-remote/microhttpd-util.h
-+++ b/src/journal-remote/microhttpd-util.h
-@@ -47,6 +47,12 @@
- #  define MHD_create_response_from_fd_at_offset64 MHD_create_response_from_fd_at_offset
- #endif
- 
-+#if MHD_VERSION >= 0x00097002
-+#  define mhd_result enum MHD_Result
-+#else
-+#  define mhd_result int
-+#endif
-+
- void microhttpd_logger(void *arg, const char *fmt, va_list ap) _printf_(2, 0);
- 
- /* respond_oom() must be usable with return, hence this form. */
diff --git a/buildroot/package/systemd/0001-random-seed-add-missing-header-for-GRND_NONBLOCK.patch b/buildroot/package/systemd/0001-random-seed-add-missing-header-for-GRND_NONBLOCK.patch
deleted file mode 100644
index e74df10e9..000000000
--- a/buildroot/package/systemd/0001-random-seed-add-missing-header-for-GRND_NONBLOCK.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 806e2011a0ea684b10a07b74c4ee0f817437e8c6 Mon Sep 17 00:00:00 2001
-From: Romain Naour <romain.naour@smile.fr>
-Date: Sun, 1 Mar 2020 15:19:01 +0100
-Subject: [PATCH] random-seed: add missing header for GRND_NONBLOCK
-
-GRND_NONBLOCK has been introduced with the 3.17 kernel version [1]
-while adding getrandom(2) system call.
-
-The header missing_random.h is needed for random-seed.c when building
-with old toolchain, such Sourcery CodeBench ARM 2014.05.
-
-Fixes:
-https://gitlab.com/buildroot.org/buildroot/-/jobs/454255917
-
-[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=c6e9d6f38894798696f23c8084ca7edbf16ee895
-
-Upstream status:
-https://github.com/systemd/systemd/pull/14988
-
-Signed-off-by: Romain Naour <romain.naour@smile.fr>
----
- src/random-seed/random-seed.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/random-seed/random-seed.c b/src/random-seed/random-seed.c
-index 2fcbcb281a..596bff98f1 100644
---- a/src/random-seed/random-seed.c
-+++ b/src/random-seed/random-seed.c
-@@ -19,6 +19,7 @@
- #include "io-util.h"
- #include "log.h"
- #include "main-func.h"
-+#include "missing_random.h"
- #include "missing_syscall.h"
- #include "mkdir.h"
- #include "parse-util.h"
--- 
-2.24.1
-
diff --git a/buildroot/package/systemd/systemd.hash b/buildroot/package/systemd/systemd.hash
index 4ab514d67..db8f0193b 100644
--- a/buildroot/package/systemd/systemd.hash
+++ b/buildroot/package/systemd/systemd.hash
@@ -1,5 +1,5 @@
 # sha256 locally computed
-sha256	e6b463733da5eb37075352a64112d030b8612935a54e5b3468279a4f15a4cec4	systemd-244.3.tar.gz
+sha256	d526f217450f98c695d0a20285436e48f1f1b3f31fe76aa4d6211ec60fee33c4	systemd-244.5.tar.gz
 sha256	ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6	LICENSE.GPL2
 sha256	dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551	LICENSE.LGPL2.1
 sha256	f7299f5f5e8bdffd347dce1bed888b1cea6ddaf27de521c307265098bcbeae92	README
diff --git a/buildroot/package/systemd/systemd.mk b/buildroot/package/systemd/systemd.mk
index d9ebd5db7..c01e8c9a3 100644
--- a/buildroot/package/systemd/systemd.mk
+++ b/buildroot/package/systemd/systemd.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SYSTEMD_VERSION = 244.3
+SYSTEMD_VERSION = 244.5
 SYSTEMD_SITE = $(call github,systemd,systemd-stable,v$(SYSTEMD_VERSION))
 SYSTEMD_LICENSE = LGPL-2.1+, GPL-2.0+ (udev), Public Domain (few source files, see README), BSD-3-Clause (tools/chromiumos)
 SYSTEMD_LICENSE_FILES = LICENSE.GPL2 LICENSE.LGPL2.1 README tools/chromiumos/LICENSE
@@ -498,7 +498,7 @@ endef
 define SYSTEMD_PRESET_ALL
 	$(HOST_DIR)/bin/systemctl --root=$(TARGET_DIR) preset-all
 endef
-SYSTEMD_TARGET_FINALIZE_HOOKS += SYSTEMD_PRESET_ALL
+SYSTEMD_ROOTFS_PRE_CMD_HOOKS += SYSTEMD_PRESET_ALL
 
 SYSTEMD_CONF_ENV = $(HOST_UTF8_LOCALE_ENV)
 SYSTEMD_NINJA_ENV = $(HOST_UTF8_LOCALE_ENV)
diff --git a/buildroot/package/tovid/Config.in b/buildroot/package/tovid/Config.in
index d5b7a2831..f4ddcfa4a 100644
--- a/buildroot/package/tovid/Config.in
+++ b/buildroot/package/tovid/Config.in
@@ -7,7 +7,7 @@ config BR2_PACKAGE_TOVID
 	depends on BR2_PACKAGE_PYTHON || BR2_PACKAGE_PYTHON3
 	depends on BR2_PACKAGE_FFMPEG_ARCH_SUPPORTS
 	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_5 # mpv
-	depends on BR2_TOOLCHAIN_HAS_ATOMIC || BR2_TOOLCHAIN_HAS_SYNC_8 # mpv
+	depends on BR2_TOOLCHAIN_HAS_ATOMIC # mpv
 	depends on !BR2_TOOLCHAIN_EXTERNAL_SYNOPSYS_ARC # mpv
 	# The below dependencies are runtime dependencies only
 	select BR2_PACKAGE_BUSYBOX_SHOW_OTHERS # procps_ng
@@ -31,7 +31,7 @@ config BR2_PACKAGE_TOVID
 comment "tovid needs a toolchain w/ threads, C++, wchar, gcc >= 4.5"
 	depends on BR2_USE_MMU
 	depends on BR2_PACKAGE_FFMPEG_ARCH_SUPPORTS
-	depends on BR2_TOOLCHAIN_HAS_ATOMIC || BR2_TOOLCHAIN_HAS_SYNC_8
+	depends on BR2_TOOLCHAIN_HAS_ATOMIC
 	depends on !BR2_TOOLCHAIN_HAS_THREADS \
 		|| !BR2_TOOLCHAIN_GCC_AT_LEAST_4_5 \
 		|| !BR2_INSTALL_LIBSTDCPP \
@@ -41,7 +41,7 @@ comment "tovid needs a toolchain w/ threads, C++, wchar, gcc >= 4.5"
 comment "tovid depends on python or python3"
 	depends on !BR2_PACKAGE_PYTHON && !BR2_PACKAGE_PYTHON3
 	depends on BR2_PACKAGE_FFMPEG_ARCH_SUPPORTS
-	depends on BR2_TOOLCHAIN_HAS_ATOMIC || BR2_TOOLCHAIN_HAS_SYNC_8
+	depends on BR2_TOOLCHAIN_HAS_ATOMIC
 	depends on !BR2_TOOLCHAIN_HAS_THREADS || \
 		!BR2_TOOLCHAIN_GCC_AT_LEAST_4_5
 	depends on !BR2_TOOLCHAIN_EXTERNAL_SYNOPSYS_ARC
diff --git a/buildroot/package/tpm2-abrmd/tpm2-abrmd.hash b/buildroot/package/tpm2-abrmd/tpm2-abrmd.hash
index cff3266bc..1c6e73905 100644
--- a/buildroot/package/tpm2-abrmd/tpm2-abrmd.hash
+++ b/buildroot/package/tpm2-abrmd/tpm2-abrmd.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256 63cb59be1fd21e6ae233c37a0aa4a59883a4885a7bfd2c7e69979c5048518d50  tpm2-abrmd-2.3.0.tar.gz
-sha256 18c1bf4b1ba1fb2c4ffa7398c234d83c0d55475298e470ae1e5e3a8a8bd2e448  LICENSE
+sha256  1e587808c6739079d59f124d9c1a0058f8d34dd84f1f656c946667fa0a181c48  tpm2-abrmd-2.3.3.tar.gz
+sha256  18c1bf4b1ba1fb2c4ffa7398c234d83c0d55475298e470ae1e5e3a8a8bd2e448  LICENSE
diff --git a/buildroot/package/tpm2-abrmd/tpm2-abrmd.mk b/buildroot/package/tpm2-abrmd/tpm2-abrmd.mk
index e92fda252..0584ba928 100644
--- a/buildroot/package/tpm2-abrmd/tpm2-abrmd.mk
+++ b/buildroot/package/tpm2-abrmd/tpm2-abrmd.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-TPM2_ABRMD_VERSION = 2.3.0
+TPM2_ABRMD_VERSION = 2.3.3
 TPM2_ABRMD_SITE = https://github.com/tpm2-software/tpm2-abrmd/releases/download/$(TPM2_ABRMD_VERSION)
 TPM2_ABRMD_LICENSE = BSD-2-Clause
 TPM2_ABRMD_LICENSE_FILES = LICENSE
diff --git a/buildroot/package/tpm2-tools/tpm2-tools.hash b/buildroot/package/tpm2-tools/tpm2-tools.hash
index 16059627a..dd5583482 100644
--- a/buildroot/package/tpm2-tools/tpm2-tools.hash
+++ b/buildroot/package/tpm2-tools/tpm2-tools.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256 40b9263d8b949bd2bc03a3cd60fa242e27116727467f9bbdd0b5f2539a25a7b1  tpm2-tools-4.1.1.tar.gz
-sha256 e10dce74279166bf7bc463eb6e462c2025bceb3e50cadfe865d92c1c3dc0bb21  LICENSE
+sha256  175472b63d1e047c2ad38314d06c36bd734ae37e0c6abfa2a804c0d6eb3f2936  tpm2-tools-4.1.2.tar.gz
+sha256  e10dce74279166bf7bc463eb6e462c2025bceb3e50cadfe865d92c1c3dc0bb21  LICENSE
diff --git a/buildroot/package/tpm2-tools/tpm2-tools.mk b/buildroot/package/tpm2-tools/tpm2-tools.mk
index 4ebca0f90..83be53d54 100644
--- a/buildroot/package/tpm2-tools/tpm2-tools.mk
+++ b/buildroot/package/tpm2-tools/tpm2-tools.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-TPM2_TOOLS_VERSION = 4.1.1
+TPM2_TOOLS_VERSION = 4.1.2
 TPM2_TOOLS_SITE = https://github.com/tpm2-software/tpm2-tools/releases/download/$(TPM2_TOOLS_VERSION)
 TPM2_TOOLS_LICENSE = BSD-3-Clause
 TPM2_TOOLS_LICENSE_FILES = LICENSE
diff --git a/buildroot/package/trousers/0003-Correct-multiple-security-issues-that-are-present-if.patch b/buildroot/package/trousers/0003-Correct-multiple-security-issues-that-are-present-if.patch
new file mode 100644
index 000000000..609245dad
--- /dev/null
+++ b/buildroot/package/trousers/0003-Correct-multiple-security-issues-that-are-present-if.patch
@@ -0,0 +1,90 @@
+From e74dd1d96753b0538192143adf58d04fcd3b242b Mon Sep 17 00:00:00 2001
+From: Matthias Gerstner <mgerstner@suse.de>
+Date: Fri, 14 Aug 2020 22:14:36 -0700
+Subject: [PATCH] Correct multiple security issues that are present if the tcsd
+ is started by root instead of the tss user.
+
+Patch fixes the following 3 CVEs:
+
+CVE-2020-24332
+If the tcsd daemon is started with root privileges,
+the creation of the system.data file is prone to symlink attacks
+
+CVE-2020-24330
+If the tcsd daemon is started with root privileges,
+it fails to drop the root gid after it is no longer needed
+
+CVE-2020-24331
+If the tcsd daemon is started with root privileges,
+the tss user has read and write access to the /etc/tcsd.conf file
+
+Authored-by: Matthias Gerstner <mgerstner@suse.de>
+Signed-off-by: Debora Velarde Babb <debora@linux.ibm.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/tcs/ps/tcsps.c   |  2 +-
+ src/tcsd/svrside.c   |  1 +
+ src/tcsd/tcsd_conf.c | 10 +++++-----
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/src/tcs/ps/tcsps.c b/src/tcs/ps/tcsps.c
+index e47154b..85d45a9 100644
+--- a/src/tcs/ps/tcsps.c
++++ b/src/tcs/ps/tcsps.c
+@@ -72,7 +72,7 @@ get_file()
+ 	}
+ 
+ 	/* open and lock the file */
+-	system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR, 0600);
++	system_ps_fd = open(tcsd_options.system_ps_file, O_CREAT|O_RDWR|O_NOFOLLOW, 0600);
+ 	if (system_ps_fd < 0) {
+ 		LogError("system PS: open() of %s failed: %s",
+ 				tcsd_options.system_ps_file, strerror(errno));
+diff --git a/src/tcsd/svrside.c b/src/tcsd/svrside.c
+index 1ae1636..1c12ff3 100644
+--- a/src/tcsd/svrside.c
++++ b/src/tcsd/svrside.c
+@@ -473,6 +473,7 @@ main(int argc, char **argv)
+ 		}
+ 		return TCSERR(TSS_E_INTERNAL_ERROR);
+ 	}
++	setgid(pwd->pw_gid);
+ 	setuid(pwd->pw_uid);
+ #endif
+ #endif
+diff --git a/src/tcsd/tcsd_conf.c b/src/tcsd/tcsd_conf.c
+index a31503d..ea8ea13 100644
+--- a/src/tcsd/tcsd_conf.c
++++ b/src/tcsd/tcsd_conf.c
+@@ -743,7 +743,7 @@ conf_file_init(struct tcsd_config *conf)
+ #ifndef SOLARIS
+ 	struct group *grp;
+ 	struct passwd *pw;
+-	mode_t mode = (S_IRUSR|S_IWUSR);
++	mode_t mode = (S_IRUSR|S_IWUSR|S_IRGRP);
+ #endif /* SOLARIS */
+ 	TSS_RESULT result;
+ 
+@@ -798,15 +798,15 @@ conf_file_init(struct tcsd_config *conf)
+ 	}
+ 
+ 	/* make sure user/group TSS owns the conf file */
+-	if (pw->pw_uid != stat_buf.st_uid || grp->gr_gid != stat_buf.st_gid) {
++	if (stat_buf.st_uid != 0 || grp->gr_gid != stat_buf.st_gid) {
+ 		LogError("TCSD config file (%s) must be user/group %s/%s", tcsd_config_file,
+-				TSS_USER_NAME, TSS_GROUP_NAME);
++				"root", TSS_GROUP_NAME);
+ 		return TCSERR(TSS_E_INTERNAL_ERROR);
+ 	}
+ 
+-	/* make sure only the tss user can manipulate the config file */
++	/* make sure only the tss user can read (but not manipulate) the config file */
+ 	if (((stat_buf.st_mode & 0777) ^ mode) != 0) {
+-		LogError("TCSD config file (%s) must be mode 0600", tcsd_config_file);
++		LogError("TCSD config file (%s) must be mode 0640", tcsd_config_file);
+ 		return TCSERR(TSS_E_INTERNAL_ERROR);
+ 	}
+ #endif /* SOLARIS */
+-- 
+2.20.1
+
diff --git a/buildroot/package/trousers/trousers.mk b/buildroot/package/trousers/trousers.mk
index 1d5364959..5e6161ce4 100644
--- a/buildroot/package/trousers/trousers.mk
+++ b/buildroot/package/trousers/trousers.mk
@@ -13,6 +13,9 @@ TROUSERS_INSTALL_STAGING = YES
 TROUSERS_AUTORECONF = YES
 TROUSERS_DEPENDENCIES = host-pkgconf openssl
 
+# 0003-Correct-multiple-security-issues-that-are-present-if.patch
+TROUSERS_IGNORE_CVES += CVE-2020-24330 CVE-2020-24331 CVE-2020-24332
+
 ifeq ($(BR2_PACKAGE_LIBICONV),y)
 TROUSERS_DEPENDENCIES += libiconv
 endif
diff --git a/buildroot/package/uacme/Config.in b/buildroot/package/uacme/Config.in
index ea9babfda..d69343611 100644
--- a/buildroot/package/uacme/Config.in
+++ b/buildroot/package/uacme/Config.in
@@ -5,7 +5,7 @@ config BR2_PACKAGE_UACME
 	select BR2_PACKAGE_LIBCURL
 	help
 	  uacme is a client for the ACMEv2 protocol described in
-	  RFC8555, written in plain C code with minimal dependencies
+	  RFC8555, written in plain C with minimal dependencies
 	  (libcurl and either of GnuTLS, OpenSSL or mbedTLS). The
 	  ACMEv2 protocol allows a Certificate Authority
 	  (https://letsencrypt.org is a popular one) and an applicant
@@ -13,3 +13,22 @@ config BR2_PACKAGE_UACME
 	  issuance.
 
 	  https://github.com/ndilieto/uacme
+
+if BR2_PACKAGE_UACME
+
+config BR2_PACKAGE_UACME_UALPN
+	bool "enable ualpn"
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on BR2_PACKAGE_OPENSSL || BR2_PACKAGE_GNUTLS
+	select BR2_PACKAGE_LIBEV
+	help
+	  Build and install ualpn, the transparent proxying tls-alpn-01
+	  challenge responder.
+
+comment "ualpn needs a toolchain w/ threads"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS
+
+comment "ualpn needs either OpenSSL or GnuTLS"
+	depends on !(BR2_PACKAGE_OPENSSL || BR2_PACKAGE_GNUTLS)
+
+endif
diff --git a/buildroot/package/uacme/uacme.hash b/buildroot/package/uacme/uacme.hash
index b8d631d50..b3ec7ed6f 100644
--- a/buildroot/package/uacme/uacme.hash
+++ b/buildroot/package/uacme/uacme.hash
@@ -1,3 +1,3 @@
 # Locally computed:
-sha256	c80bbee3c2ac3a64f70abe23be3b7768039785863170ac062625407a0b61e635        uacme-1.0.21.tar.gz
-sha256	8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903	COPYING
+sha256  7757883ffc305018d3d181a26d0b82a8a0c1f1d5eea21a14979b2c69750b595e  uacme-1.2.4.tar.gz
+sha256  8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903  COPYING
diff --git a/buildroot/package/uacme/uacme.mk b/buildroot/package/uacme/uacme.mk
index 5813399c5..be2aa6081 100644
--- a/buildroot/package/uacme/uacme.mk
+++ b/buildroot/package/uacme/uacme.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-UACME_VERSION = 1.0.21
+UACME_VERSION = 1.2.4
 # Released versions are on branch upstream/latest, tagged as
 # upstream/X.Y.Z Do not use vX.Y.Z tags from master, as they do not
 # include .tarball-version
@@ -18,12 +18,19 @@ UACME_CONF_ENV = ac_cv_prog_cc_c99='-std=gnu99'
 ifeq ($(BR2_PACKAGE_GNUTLS),y)
 UACME_CONF_OPTS += --with-gnutls
 UACME_DEPENDENCIES += gnutls
-else ifeq ($(BR2_PACKAGE_MBEDTLS),y)
-UACME_CONF_OPTS += --with-mbedtls
-UACME_DEPENDENCIES += mbedtls
 else ifeq ($(BR2_PACKAGE_OPENSSL),y)
 UACME_CONF_OPTS += --with-openssl
 UACME_DEPENDENCIES += openssl
+else ifeq ($(BR2_PACKAGE_MBEDTLS),y)
+UACME_CONF_OPTS += --with-mbedtls
+UACME_DEPENDENCIES += mbedtls
+endif
+
+ifeq ($(BR2_PACKAGE_UACME_UALPN),y)
+UACME_DEPENDENCIES += libev
+UACME_CONF_OPTS += --with-ualpn
+else
+UACME_CONF_OPTS += --without-ualpn
 endif
 
 $(eval $(autotools-package))
diff --git a/buildroot/package/uclibc/uclibc.mk b/buildroot/package/uclibc/uclibc.mk
index 2af666c20..7df446194 100644
--- a/buildroot/package/uclibc/uclibc.mk
+++ b/buildroot/package/uclibc/uclibc.mk
@@ -31,8 +31,13 @@ endif
 UCLIBC_KCONFIG_FILE = $(UCLIBC_CONFIG_FILE)
 UCLIBC_KCONFIG_FRAGMENT_FILES = $(call qstrip,$(BR2_UCLIBC_CONFIG_FRAGMENT_FILES))
 
+# UCLIBC_MAKE_FLAGS set HOSTCC to the default HOSTCC, which may be
+# wrapped with ccache. However, host-ccache may not already be built
+# and installed when we apply the configuration, so we override that
+# to use the non-ccached host compiler.
 UCLIBC_KCONFIG_OPTS = \
 	$(UCLIBC_MAKE_FLAGS) \
+	HOSTCC="$(HOSTCC_NOCCACHE)" \
 	PREFIX=$(STAGING_DIR) \
 	DEVEL_PREFIX=/usr/ \
 	RUNTIME_PREFIX=$(STAGING_DIR)/
diff --git a/buildroot/package/usb_modeswitch/usb_modeswitch.mk b/buildroot/package/usb_modeswitch/usb_modeswitch.mk
index 7e9ed422b..064e1960b 100644
--- a/buildroot/package/usb_modeswitch/usb_modeswitch.mk
+++ b/buildroot/package/usb_modeswitch/usb_modeswitch.mk
@@ -17,12 +17,11 @@ USB_MODESWITCH_BUILD_TARGETS = all
 USB_MODESWITCH_INSTALL_TARGETS = install-script
 else
 USB_MODESWITCH_DEPENDENCIES += jimtcl
+USB_MODESWITCH_INSTALL_TARGETS = install-common
 ifeq ($(BR2_STATIC_LIBS),y)
 USB_MODESWITCH_BUILD_TARGETS = all-with-statlink-dispatcher
-USB_MODESWITCH_INSTALL_TARGETS = install-statlink
 else
 USB_MODESWITCH_BUILD_TARGETS = all-with-dynlink-dispatcher
-USB_MODESWITCH_INSTALL_TARGETS = install-dynlink
 endif
 endif
 
diff --git a/buildroot/package/vlc/vlc.mk b/buildroot/package/vlc/vlc.mk
index 38d975169..ccaaa6cd6 100644
--- a/buildroot/package/vlc/vlc.mk
+++ b/buildroot/package/vlc/vlc.mk
@@ -440,6 +440,9 @@ endif
 ifeq ($(BR2_PACKAGE_LIVE555),y)
 VLC_CONF_OPTS += --enable-live555
 VLC_DEPENDENCIES += live555
+ifneq ($(BR2_PACKAGE_OPENSSL),y)
+VLC_CONF_ENV += CXXFLAGS="$(TARGET_CXXFLAGS) -DNO_OPENSSL"
+endif
 else
 VLC_CONF_OPTS += --disable-live555
 endif
diff --git a/buildroot/package/vsftpd/0003-fix-CVE-2015-1419.patch b/buildroot/package/vsftpd/0002-fix-CVE-2015-1419.patch
similarity index 100%
rename from buildroot/package/vsftpd/0003-fix-CVE-2015-1419.patch
rename to buildroot/package/vsftpd/0002-fix-CVE-2015-1419.patch
diff --git a/buildroot/package/vsftpd/0004-Prevent-hang-in-SIGCHLD-handler.patch b/buildroot/package/vsftpd/0003-Prevent-hang-in-SIGCHLD-handler.patch
similarity index 100%
rename from buildroot/package/vsftpd/0004-Prevent-hang-in-SIGCHLD-handler.patch
rename to buildroot/package/vsftpd/0003-Prevent-hang-in-SIGCHLD-handler.patch
diff --git a/buildroot/package/wayland-protocols/wayland-protocols.mk b/buildroot/package/wayland-protocols/wayland-protocols.mk
index fbfa99558..20a933087 100644
--- a/buildroot/package/wayland-protocols/wayland-protocols.mk
+++ b/buildroot/package/wayland-protocols/wayland-protocols.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 WAYLAND_PROTOCOLS_VERSION = 1.18
-WAYLAND_PROTOCOLS_SITE = http://wayland.freedesktop.org/releases
+WAYLAND_PROTOCOLS_SITE = https://wayland.freedesktop.org/releases
 WAYLAND_PROTOCOLS_SOURCE = wayland-protocols-$(WAYLAND_PROTOCOLS_VERSION).tar.xz
 WAYLAND_PROTOCOLS_LICENSE = MIT
 WAYLAND_PROTOCOLS_LICENSE_FILES = COPYING
diff --git a/buildroot/package/webkitgtk/webkitgtk.hash b/buildroot/package/webkitgtk/webkitgtk.hash
index 44263745e..cdca65a5a 100644
--- a/buildroot/package/webkitgtk/webkitgtk.hash
+++ b/buildroot/package/webkitgtk/webkitgtk.hash
@@ -1,7 +1,7 @@
-# From https://webkitgtk.org/releases/webkitgtk-2.28.3.tar.xz.sums
-md5  a03a4dcd2819baca14fdec5af68b4356  webkitgtk-2.28.3.tar.xz
-sha1  af1d845d373e67fd666105e798a44e2cadaef83c  webkitgtk-2.28.3.tar.xz
-sha256  f0898ac072c220e13a4aee819408421a6cb56a6eb89170ceafe52468b0903522  webkitgtk-2.28.3.tar.xz
+# From https://webkitgtk.org/releases/webkitgtk-2.28.4.tar.xz.sums
+md5  10e0cce27208dfbd4cf63dd68a9a47d7  webkitgtk-2.28.4.tar.xz
+sha1  70e9dd80647b30eaaf8a7f5b30d8869cd1254056  webkitgtk-2.28.4.tar.xz
+sha256  821952e8c9303ed752f1fb1d4283f612c25249d00d705d2b79c2db1bc49c9464  webkitgtk-2.28.4.tar.xz
 
 # Hashes for license files:
 sha256  0b5d3a7cc325942567373b0ecd757d07c132e0ebd7c97bfc63f7e1a76094edb4  Source/WebCore/LICENSE-APPLE
diff --git a/buildroot/package/webkitgtk/webkitgtk.mk b/buildroot/package/webkitgtk/webkitgtk.mk
index f38ea5d20..65a443983 100644
--- a/buildroot/package/webkitgtk/webkitgtk.mk
+++ b/buildroot/package/webkitgtk/webkitgtk.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-WEBKITGTK_VERSION = 2.28.3
+WEBKITGTK_VERSION = 2.28.4
 WEBKITGTK_SITE = https://www.webkitgtk.org/releases
 WEBKITGTK_SOURCE = webkitgtk-$(WEBKITGTK_VERSION).tar.xz
 WEBKITGTK_INSTALL_STAGING = YES
diff --git a/buildroot/package/wireguard-linux-compat/wireguard-linux-compat.hash b/buildroot/package/wireguard-linux-compat/wireguard-linux-compat.hash
index ac160cdf9..833e1af2f 100644
--- a/buildroot/package/wireguard-linux-compat/wireguard-linux-compat.hash
+++ b/buildroot/package/wireguard-linux-compat/wireguard-linux-compat.hash
@@ -1,4 +1,4 @@
-# https://lists.zx2c4.com/pipermail/wireguard/2020-June/005597.html
-sha256  130937724515799edf05ff8216bc837df8acda879428f3a7f96a3287758f9445  wireguard-linux-compat-1.0.20200623.tar.xz
+# https://lists.zx2c4.com/pipermail/wireguard/2020-September/005817.html
+sha256  ad33b2d2267a37e0f65c97e65e7d4d926d5aef7d530c251b63fbf919048eead9  wireguard-linux-compat-1.0.20200908.tar.xz
 # Locally calculated
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
diff --git a/buildroot/package/wireguard-linux-compat/wireguard-linux-compat.mk b/buildroot/package/wireguard-linux-compat/wireguard-linux-compat.mk
index bc155a1aa..7239da6d8 100644
--- a/buildroot/package/wireguard-linux-compat/wireguard-linux-compat.mk
+++ b/buildroot/package/wireguard-linux-compat/wireguard-linux-compat.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-WIREGUARD_LINUX_COMPAT_VERSION = 1.0.20200623
+WIREGUARD_LINUX_COMPAT_VERSION = 1.0.20200908
 WIREGUARD_LINUX_COMPAT_SITE = https://git.zx2c4.com/wireguard-linux-compat/snapshot
 WIREGUARD_LINUX_COMPAT_SOURCE = wireguard-linux-compat-$(WIREGUARD_LINUX_COMPAT_VERSION).tar.xz
 WIREGUARD_LINUX_COMPAT_LICENSE = GPL-2.0
diff --git a/buildroot/package/wireshark/wireshark.hash b/buildroot/package/wireshark/wireshark.hash
index b74b69244..16866d96b 100644
--- a/buildroot/package/wireshark/wireshark.hash
+++ b/buildroot/package/wireshark/wireshark.hash
@@ -1,6 +1,6 @@
-# From https://www.wireshark.org/download/src/all-versions/SIGNATURES-3.2.5.txt
-sha1  468c547ad13df805322e0979b348dcc602904017  wireshark-3.2.5.tar.xz
-sha256  bd89052a5766cce08b1090df49628567e48cdd24bbaa47667c851bac6aaac940  wireshark-3.2.5.tar.xz
+# From https://www.wireshark.org/download/src/all-versions/SIGNATURES-3.2.7.txt
+sha1  b564c2e729066cb7c952463fef6163e23a5fea1e  wireshark-3.2.7.tar.xz
+sha256  be832fb86d9c455c5be8b225a755cdc77cb0e92356bdfc1fe4b000d93f7d70da  wireshark-3.2.7.tar.xz
 
 # Locally calculated
 sha256  7cdbed2b697efaa45576a033f1ac0e73cd045644a91c79bbf41d4a7d81dac7bf  COPYING
diff --git a/buildroot/package/wireshark/wireshark.mk b/buildroot/package/wireshark/wireshark.mk
index 638a8a249..354f00825 100644
--- a/buildroot/package/wireshark/wireshark.mk
+++ b/buildroot/package/wireshark/wireshark.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-WIRESHARK_VERSION = 3.2.5
+WIRESHARK_VERSION = 3.2.7
 WIRESHARK_SOURCE = wireshark-$(WIRESHARK_VERSION).tar.xz
 WIRESHARK_SITE = https://www.wireshark.org/download/src/all-versions
 WIRESHARK_LICENSE = wireshark license
diff --git a/buildroot/package/wolfssl/0001-Make-ByteReverseWords-available-for-big-and-little-endian.patch b/buildroot/package/wolfssl/0001-Make-ByteReverseWords-available-for-big-and-little-endian.patch
new file mode 100644
index 000000000..48a318d53
--- /dev/null
+++ b/buildroot/package/wolfssl/0001-Make-ByteReverseWords-available-for-big-and-little-endian.patch
@@ -0,0 +1,32 @@
+From b90acc91d0cd276befe7f08f87ba2dc5ee7122ff Mon Sep 17 00:00:00 2001
+From: Tesfa Mael <tesfa@wolfssl.com>
+Date: Wed, 26 Aug 2020 10:13:06 -0700
+Subject: [PATCH] Make ByteReverseWords available for big and little endian
+
+[Retrieved from:
+https://github.com/wolfSSL/wolfssl/pull/3255/commits/b90acc91d0cd276befe7f08f87ba2dc5ee7122ff]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ wolfcrypt/src/misc.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/wolfcrypt/src/misc.c b/wolfcrypt/src/misc.c
+index fe66ee0a1a..23bfa1adc5 100644
+--- a/wolfcrypt/src/misc.c
++++ b/wolfcrypt/src/misc.c
+@@ -120,7 +120,6 @@ WC_STATIC WC_INLINE word32 ByteReverseWord32(word32 value)
+     return rotlFixed(value, 16U);
+ #endif
+ }
+-#if defined(LITTLE_ENDIAN_ORDER)
+ /* This routine performs a byte swap of words array of a given count. */
+ WC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in,
+                                     word32 byteCount)
+@@ -131,7 +130,6 @@ WC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in,
+         out[i] = ByteReverseWord32(in[i]);
+ 
+ }
+-#endif /* LITTLE_ENDIAN_ORDER */
+ 
+ #if defined(WORD64_AVAILABLE) && !defined(WOLFSSL_NO_WORD64_OPS)
+ 
diff --git a/buildroot/package/wolfssl/wolfssl.hash b/buildroot/package/wolfssl/wolfssl.hash
index 5509552ca..0ee55276d 100644
--- a/buildroot/package/wolfssl/wolfssl.hash
+++ b/buildroot/package/wolfssl/wolfssl.hash
@@ -1,6 +1,6 @@
 # Locally computed:
-sha256 6896f8ad6c44aff3e583006eeee839600848a0e37118ebbb7514eca9409ae08b  wolfssl-4.3.0-stable.tar.gz
+sha256  7de62300ce14daa0051bfefc7c4d6302f96cabc768b6ae49eda77523b118250c  wolfssl-4.5.0-stable.tar.gz
 
 # Hash for license files:
-sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
-sha256 74adaaef40b96c71378b6daa3feb8ccd4a1bfd9b76debf3f3f29cf3a0e86c9a0  LICENSING
+sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  COPYING
+sha256  b23c1da1f85d699d3288d73c952b4cd02760d23dc1ddc1b221cbb8be82387189  LICENSING
diff --git a/buildroot/package/wolfssl/wolfssl.mk b/buildroot/package/wolfssl/wolfssl.mk
index 8834a0f46..e2833144f 100644
--- a/buildroot/package/wolfssl/wolfssl.mk
+++ b/buildroot/package/wolfssl/wolfssl.mk
@@ -4,11 +4,11 @@
 #
 ################################################################################
 
-WOLFSSL_VERSION = 4.3.0-stable
+WOLFSSL_VERSION = 4.5.0-stable
 WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION))
 WOLFSSL_INSTALL_STAGING = YES
 
-WOLFSSL_LICENSE = GPL-2.0
+WOLFSSL_LICENSE = GPL-2.0+
 WOLFSSL_LICENSE_FILES = COPYING LICENSING
 
 WOLFSSL_DEPENDENCIES = host-pkgconf
@@ -17,6 +17,8 @@ WOLFSSL_DEPENDENCIES = host-pkgconf
 # script, so we need autoreconf
 WOLFSSL_AUTORECONF = YES
 
+WOLFSSL_CONF_OPTS = --disable-examples --disable-crypttests
+
 ifeq ($(BR2_PACKAGE_WOLFSSL_ALL),y)
 WOLFSSL_CONF_OPTS += --enable-all
 else
diff --git a/buildroot/package/wpa_supplicant/wpa_supplicant.mk b/buildroot/package/wpa_supplicant/wpa_supplicant.mk
index 8e7b9c3a6..7170db0d0 100644
--- a/buildroot/package/wpa_supplicant/wpa_supplicant.mk
+++ b/buildroot/package/wpa_supplicant/wpa_supplicant.mk
@@ -115,7 +115,7 @@ WPA_SUPPLICANT_DEPENDENCIES += host-pkgconf libopenssl
 WPA_SUPPLICANT_LIBS += `$(PKG_CONFIG_HOST_BINARY) --libs openssl`
 WPA_SUPPLICANT_CONFIG_EDITS += 's/\#\(CONFIG_TLS=openssl\)/\1/'
 else
-WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_EAP_PWD
+WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_EAP_PWD CONFIG_EAP_TEAP
 WPA_SUPPLICANT_CONFIG_EDITS += 's/\#\(CONFIG_TLS=\).*/\1internal/'
 endif
 
diff --git a/buildroot/package/wpewebkit/wpewebkit.hash b/buildroot/package/wpewebkit/wpewebkit.hash
index fcc35c502..1a6fbc8b9 100644
--- a/buildroot/package/wpewebkit/wpewebkit.hash
+++ b/buildroot/package/wpewebkit/wpewebkit.hash
@@ -1,7 +1,7 @@
-# From https://wpewebkit.org/releases/wpewebkit-2.28.3.tar.xz.sums
-md5  0b3655598f340a5c83cc26423fefcf36  wpewebkit-2.28.3.tar.xz
-sha1  ea03d365584ef5e86ca28cec6ca072a4674e9312  wpewebkit-2.28.3.tar.xz
-sha256  2539263a4d73c00abfe0205f54770dc1f6d2b635edbe41e748b507254f21e98b  wpewebkit-2.28.3.tar.xz
+# From https://wpewebkit.org/releases/wpewebkit-2.28.4.tar.xz.sums
+md5  6ab041f6ebdb2e053981de5980c864e7  wpewebkit-2.28.4.tar.xz
+sha1  b31739a86a269eac4ddd5e537cdf954224672450  wpewebkit-2.28.4.tar.xz
+sha256  785d83b99cd45cedb7c4f1f697db773a5a81eb0a42aeeafa3c623053f6fde87a  wpewebkit-2.28.4.tar.xz
 
 # Hashes for license files:
 sha256  0b5d3a7cc325942567373b0ecd757d07c132e0ebd7c97bfc63f7e1a76094edb4  Source/WebCore/LICENSE-APPLE
diff --git a/buildroot/package/wpewebkit/wpewebkit.mk b/buildroot/package/wpewebkit/wpewebkit.mk
index 22c3d9646..646bdd938 100644
--- a/buildroot/package/wpewebkit/wpewebkit.mk
+++ b/buildroot/package/wpewebkit/wpewebkit.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-WPEWEBKIT_VERSION = 2.28.3
+WPEWEBKIT_VERSION = 2.28.4
 WPEWEBKIT_SITE = http://www.wpewebkit.org/releases
 WPEWEBKIT_SOURCE = wpewebkit-$(WPEWEBKIT_VERSION).tar.xz
 WPEWEBKIT_INSTALL_STAGING = YES
diff --git a/buildroot/package/x11r7/xlib_libX11/xlib_libX11.hash b/buildroot/package/x11r7/xlib_libX11/xlib_libX11.hash
index defaa4c98..142e4505d 100644
--- a/buildroot/package/x11r7/xlib_libX11/xlib_libX11.hash
+++ b/buildroot/package/x11r7/xlib_libX11/xlib_libX11.hash
@@ -1,7 +1,6 @@
-# From https://lists.x.org/archives/xorg-announce/2019-October/003025.html
-md5 55adbfb6d4370ecac5e70598c4e7eed2  libX11-1.6.9.tar.bz2
-sha1 62456536411f2540fbd4a3f59ed8af94967124c2  libX11-1.6.9.tar.bz2
-sha256 9cc7e8d000d6193fa5af580d50d689380b8287052270f5bb26a5fb6b58b2bed1  libX11-1.6.9.tar.bz2
-sha512 fc18f0dc17ade1fc37402179f52e1f2b9c7b7d3a1a9590fea13046eb0c5193b4796289431cd99388eac01e8e59de77db45d2c9675d4f05ef8cf3ba6382c3dd31  libX11-1.6.9.tar.bz2
+# From https://lists.x.org/archives/xorg-announce/2020-August/003057.html
+sha256  f108227469419ac04d196df0f3b80ce1f7f65059bb54c0de811f4d8e03fd6ec7  libX11-1.6.12.tar.bz2
+sha512  79df7d61d9009b0dd3b65f67a62189aa0a43799c01026b3d2d534092596a0b67f246af5e398a89eb1ccc61a27335f81be8262b8a39768a76f62d862cd7415a47  libX11-1.6.12.tar.bz2
+
 # Locally computed
-sha256 2daec087a88e7c9b8082557cdeebad5bbb8155a4137472f0b22e269cd99d0c1e  COPYING
+sha256  2daec087a88e7c9b8082557cdeebad5bbb8155a4137472f0b22e269cd99d0c1e  COPYING
diff --git a/buildroot/package/x11r7/xlib_libX11/xlib_libX11.mk b/buildroot/package/x11r7/xlib_libX11/xlib_libX11.mk
index 18949c604..ba9fcef25 100644
--- a/buildroot/package/x11r7/xlib_libX11/xlib_libX11.mk
+++ b/buildroot/package/x11r7/xlib_libX11/xlib_libX11.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-XLIB_LIBX11_VERSION = 1.6.9
+XLIB_LIBX11_VERSION = 1.6.12
 XLIB_LIBX11_SOURCE = libX11-$(XLIB_LIBX11_VERSION).tar.bz2
 XLIB_LIBX11_SITE = https://xorg.freedesktop.org/archive/individual/lib
 XLIB_LIBX11_LICENSE = MIT
diff --git a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0002-configure.ac-Fix-check-for-CLOCK_MONOTONIC.patch b/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0002-configure.ac-Fix-check-for-CLOCK_MONOTONIC.patch
deleted file mode 100644
index c5f04bf25..000000000
--- a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0002-configure.ac-Fix-check-for-CLOCK_MONOTONIC.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-Discover monotonic clock using compile-time check
-
-monotonic clock check does not work when cross-compiling.
-
-Upstream-Status: Denied [Does not work on OpenBSD]
-Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
-
-
-
-Original patch follows:
-
-When xorg-xserver is being cross-compiled, there is currently no way
-for us to detect whether the monotonic clock is available on the
-target system, because we aren't able to run a test program on the host
-system. Currently, in this situation, we default to not use the
-monotonic clock. One problem with this situation is that the user will
-be treated as idle when the date is updated.
-
-To fix this situation, we now use a compile-time check to detect whether the
-monotonic clock is available. This check can run just fine when we are
-cross-compiling.
-
-Signed-off-by: David James <davidjames at google.com>
-
-Downloaded from
-https://github.com/openembedded/openembedded-core/blob/master/meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-configure.ac-Fix-check-for-CLOCK_MONOTONIC.patch
-
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
----
- configure.ac | 17 +++++++----------
- 1 file changed, 7 insertions(+), 10 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index f7ab48c..26e85cd 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1048,19 +1048,16 @@ if ! test "x$have_clock_gettime" = xno; then
-         CPPFLAGS="$CPPFLAGS -D_POSIX_C_SOURCE=200112L"
-     fi
- 
--    AC_RUN_IFELSE([AC_LANG_SOURCE([
-+    AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
- #include <time.h>
--
--int main(int argc, char *argv[[]]) {
--    struct timespec tp;
--
--    if (clock_gettime(CLOCK_MONOTONIC, &tp) == 0)
-+#include <unistd.h>
-+int main() {
-+#if !(defined(_POSIX_MONOTONIC_CLOCK) && _POSIX_MONOTONIC_CLOCK >= 0 && defined(CLOCK_MONOTONIC))
-+        #error No monotonic clock
-+#endif
-         return 0;
--    else
--        return 1;
- }
--    ])], [MONOTONIC_CLOCK=yes], [MONOTONIC_CLOCK=no],
--       [MONOTONIC_CLOCK="cross compiling"])
-+]])],[MONOTONIC_CLOCK=yes], [MONOTONIC_CLOCK=no])
- 
-     LIBS="$LIBS_SAVE"
-     CPPFLAGS="$CPPFLAGS_SAVE"
--- 
-2.1.4
-
diff --git a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0001-modesettings-needs-dri2.patch b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0001-modesettings-needs-dri2.patch
similarity index 97%
rename from buildroot/package/x11r7/xserver_xorg-server/1.20.8/0001-modesettings-needs-dri2.patch
rename to buildroot/package/x11r7/xserver_xorg-server/1.20.9/0001-modesettings-needs-dri2.patch
index 97ec29d04..74917720c 100644
--- a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0001-modesettings-needs-dri2.patch
+++ b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0001-modesettings-needs-dri2.patch
@@ -9,7 +9,7 @@ Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
 diff -uNr xorg-server-1.17.2.org/configure.ac xorg-server-1.17.2/configure.ac
 --- xorg-server-1.17.2.org/configure.ac	2015-06-16 17:42:40.000000000 +0200
 +++ xorg-server-1.17.2/configure.ac	2015-08-08 10:44:59.702382624 +0200
-@@ -2036,7 +2036,7 @@
+@@ -1962,7 +1962,7 @@
  	        XORG_SYS_LIBS="$XORG_SYS_LIBS $XORG_MODULES_LIBS"
  	fi
  
diff --git a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0003-Remove-check-for-useSIGIO-option.patch b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0002-Remove-check-for-useSIGIO-option.patch
similarity index 96%
rename from buildroot/package/x11r7/xserver_xorg-server/1.20.8/0003-Remove-check-for-useSIGIO-option.patch
rename to buildroot/package/x11r7/xserver_xorg-server/1.20.9/0002-Remove-check-for-useSIGIO-option.patch
index d4f0cca67..68a9d7fc7 100644
--- a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0003-Remove-check-for-useSIGIO-option.patch
+++ b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0002-Remove-check-for-useSIGIO-option.patch
@@ -38,7 +38,7 @@ index 884a71c..be76498 100644
      for (i = 0; i < MAX_FUNCS; i++) {
          if (!xf86SigIOFuncs[i].f) {
              if (xf86IsPipe(fd))
-@@ -256,9 +253,6 @@ xf86RemoveSIGIOHandler(int fd)
+@@ -257,9 +256,6 @@ xf86RemoveSIGIOHandler(int fd)
      int max;
      int ret;
  
diff --git a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0004-include-misc.h-fix-uClibc-build.patch b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0003-include-misc.h-fix-uClibc-build.patch
similarity index 100%
rename from buildroot/package/x11r7/xserver_xorg-server/1.20.8/0004-include-misc.h-fix-uClibc-build.patch
rename to buildroot/package/x11r7/xserver_xorg-server/1.20.9/0003-include-misc.h-fix-uClibc-build.patch
diff --git a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0005-hw-xwayland-Makefile.am-fix-build-without-glx.patch b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0004-hw-xwayland-Makefile.am-fix-build-without-glx.patch
similarity index 100%
rename from buildroot/package/x11r7/xserver_xorg-server/1.20.8/0005-hw-xwayland-Makefile.am-fix-build-without-glx.patch
rename to buildroot/package/x11r7/xserver_xorg-server/1.20.9/0004-hw-xwayland-Makefile.am-fix-build-without-glx.patch
diff --git a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0006-hw-xfree86-common-xf86Init.c-fix-build-without-glx.patch b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0005-hw-xfree86-common-xf86Init.c-fix-build-without-glx.patch
similarity index 97%
rename from buildroot/package/x11r7/xserver_xorg-server/1.20.8/0006-hw-xfree86-common-xf86Init.c-fix-build-without-glx.patch
rename to buildroot/package/x11r7/xserver_xorg-server/1.20.9/0005-hw-xfree86-common-xf86Init.c-fix-build-without-glx.patch
index f1fdfe3e3..de086fb66 100644
--- a/buildroot/package/x11r7/xserver_xorg-server/1.20.8/0006-hw-xfree86-common-xf86Init.c-fix-build-without-glx.patch
+++ b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0005-hw-xfree86-common-xf86Init.c-fix-build-without-glx.patch
@@ -32,8 +32,8 @@ diff --git a/hw/xfree86/common/xf86Init.c b/hw/xfree86/common/xf86Init.c
 index 0631c7237..e6fb11398 100644
 --- a/hw/xfree86/common/xf86Init.c
 +++ b/hw/xfree86/common/xf86Init.c
-@@ -74,7 +74,6 @@
- #include "xf86Crtc.h"
+@@ -78,7 +78,6 @@
+ #include "xf86InPriv.h"
  #include "picturestr.h"
  #include "randrstr.h"
 -#include "glxvndabi.h"
diff --git a/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0006-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0006-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch
new file mode 100644
index 000000000..7802fd96c
--- /dev/null
+++ b/buildroot/package/x11r7/xserver_xorg-server/1.20.9/0006-Fix-segfault-on-probing-a-non-PCI-platform-device-on.patch
@@ -0,0 +1,33 @@
+From e50c85f4ebf559a3bac4817b41074c43d4691779 Mon Sep 17 00:00:00 2001
+From: Eric Anholt <eric@anholt.net>
+Date: Fri, 26 Oct 2018 17:47:30 -0700
+Subject: [PATCH] Fix segfault on probing a non-PCI platform device on a system
+ with PCI.
+
+Some Broadcom set-top-box boards have PCI busses, but the GPU is still
+probed through DT.  We would dereference a null busid here in that
+case.
+
+Signed-off-by: Eric Anholt <eric@anholt.net>
+Backported from: e50c85f4ebf559a3bac4817b41074c43d4691779
+Signed-off-by: Joseph Kogut <joseph.kogut@gmail.com>
+---
+ hw/xfree86/common/xf86platformBus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/xfree86/common/xf86platformBus.c b/hw/xfree86/common/xf86platformBus.c
+index cef47da03..dadbac6c8 100644
+--- a/hw/xfree86/common/xf86platformBus.c
++++ b/hw/xfree86/common/xf86platformBus.c
+@@ -289,7 +289,7 @@ xf86platformProbe(void)
+     for (i = 0; i < xf86_num_platform_devices; i++) {
+         char *busid = xf86_platform_odev_attributes(i)->busid;
+
+-        if (pci && (strncmp(busid, "pci:", 4) == 0)) {
++        if (pci && busid && (strncmp(busid, "pci:", 4) == 0)) {
+             platform_find_pci_info(&xf86_platform_devices[i], busid);
+         }
+
+--
+2.24.1
+
diff --git a/buildroot/package/x11r7/xserver_xorg-server/Config.in b/buildroot/package/x11r7/xserver_xorg-server/Config.in
index 79968ea97..87f1b37da 100644
--- a/buildroot/package/x11r7/xserver_xorg-server/Config.in
+++ b/buildroot/package/x11r7/xserver_xorg-server/Config.in
@@ -61,7 +61,7 @@ choice
 	bool "X Window System server version"
 
 config BR2_PACKAGE_XSERVER_XORG_SERVER_V_1_20
-	bool "1.20.8"
+	bool "1.20.9"
 	select BR2_PACKAGE_XSERVER_XORG_SERVER_VIDEODRV_ABI_24
 	select BR2_PACKAGE_XLIB_LIBXFONT2
 
@@ -79,7 +79,7 @@ endchoice
 
 config BR2_PACKAGE_XSERVER_XORG_SERVER_VERSION
 	string
-	default "1.20.8" if BR2_PACKAGE_XSERVER_XORG_SERVER_V_1_20
+	default "1.20.9" if BR2_PACKAGE_XSERVER_XORG_SERVER_V_1_20
 	default "1.17.4" if BR2_PACKAGE_XSERVER_XORG_SERVER_V_1_17
 	default "1.14.7" if BR2_PACKAGE_XSERVER_XORG_SERVER_V_1_14
 
diff --git a/buildroot/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash b/buildroot/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash
index f7b1bc14b..930900c5e 100644
--- a/buildroot/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash
+++ b/buildroot/package/x11r7/xserver_xorg-server/xserver_xorg-server.hash
@@ -1,11 +1,11 @@
 # From http://lists.x.org/archives/xorg-announce/2014-June/002440.html
-sha1   7a95765e56b124758fcd7b609589e65b8870880b                                xorg-server-1.14.7.tar.bz2
-sha256 fcf66fa6ad86227613d2d3e8ae13ded297e2a1e947e9060a083eaf80d323451f        xorg-server-1.14.7.tar.bz2
+sha1  7a95765e56b124758fcd7b609589e65b8870880b  xorg-server-1.14.7.tar.bz2
+sha256  fcf66fa6ad86227613d2d3e8ae13ded297e2a1e947e9060a083eaf80d323451f  xorg-server-1.14.7.tar.bz2
 # From https://lists.x.org/archives/xorg-announce/2015-October/002650.html
-sha256 0c4b45c116a812a996eb432d8508cf26c2ec8c3916ff2a50781796882f8d6457        xorg-server-1.17.4.tar.bz2
-# From https://lists.x.org/archives/xorg-announce/2020-March/003041.html
-sha256 d17b646bee4ba0fb7850c1cc55b18e3e8513ed5c02bdf38da7e107f84e2d0146  xorg-server-1.20.8.tar.bz2
-sha512 ab0ec0fcbf490c61558b9297f61b58fd2dedb676c78bef6431dc9166054743b43a0091b88a8b3f4e81d1f539909440ee7e188a298cefabe13ea89159639cd805  xorg-server-1.20.8.tar.bz2
+sha256  0c4b45c116a812a996eb432d8508cf26c2ec8c3916ff2a50781796882f8d6457  xorg-server-1.17.4.tar.bz2
+# From https://lists.x.org/archives/xorg-announce/2020-August/003059.html
+sha256  e219f2e0dfe455467939149d7cd2ee53b79b512cc1d2094ae4f5c9ed9ccd3571  xorg-server-1.20.9.tar.bz2
+sha512  d9b5f93e1b9763a89187d8b272aa7d4ce9709641b8539f4536708af153310e5a4931bffd4229c51a3b0e3b12da7838750aa71b635751fb4c0bb27438cce4e5e6  xorg-server-1.20.9.tar.bz2
 
 # Locally calculated
-sha256 4cc0447a22635c7b2f1a93fec4aa94f1970fadeb72a063de006b51cf4963a06f  COPYING
+sha256  4cc0447a22635c7b2f1a93fec4aa94f1970fadeb72a063de006b51cf4963a06f  COPYING
diff --git a/buildroot/package/xen/xen.hash b/buildroot/package/xen/xen.hash
index ab5f9d908..0dd2f571a 100644
--- a/buildroot/package/xen/xen.hash
+++ b/buildroot/package/xen/xen.hash
@@ -1,3 +1,4 @@
 # Locally computed
 sha256  b97ce363e55b12c992063f4466c43cba0a6386ceb7a747b4dc670311f337ef01  xen-4.13.1.tar.gz
+sha256  1d057695d5b74ce2857204103e943caeaf773bc4fb9d91ea78016e01a9147ed7  xsa327.patch
 sha256  36b91794c6d4a678137c70c41e384c03b552c7efba82c0d73e6be842e41ab3d3  COPYING
diff --git a/buildroot/package/xen/xen.mk b/buildroot/package/xen/xen.mk
index 15742b512..ee5e9847f 100644
--- a/buildroot/package/xen/xen.mk
+++ b/buildroot/package/xen/xen.mk
@@ -6,6 +6,8 @@
 
 XEN_VERSION = 4.13.1
 XEN_SITE = https://downloads.xenproject.org/release/xen/$(XEN_VERSION)
+XEN_PATCH = \
+	https://xenbits.xenproject.org/xsa/xsa327.patch
 XEN_LICENSE = GPL-2.0
 XEN_LICENSE_FILES = COPYING
 XEN_DEPENDENCIES = host-acpica host-python3
diff --git a/buildroot/package/ympd/0002-only-c-language.patch b/buildroot/package/ympd/0001-only-c-language.patch
similarity index 100%
rename from buildroot/package/ympd/0002-only-c-language.patch
rename to buildroot/package/ympd/0001-only-c-language.patch
diff --git a/buildroot/package/zeromq/0001-acinclude.m4-add-latomic-to-PKGCFG_LIBS_PRIVATE.patch b/buildroot/package/zeromq/0001-acinclude.m4-add-latomic-to-PKGCFG_LIBS_PRIVATE.patch
deleted file mode 100644
index 49f753b27..000000000
--- a/buildroot/package/zeromq/0001-acinclude.m4-add-latomic-to-PKGCFG_LIBS_PRIVATE.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From d59dcbcaebd91ca30a0f866403c383177a4843f8 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Sun, 12 Jan 2020 10:10:15 +0100
-Subject: [PATCH] acinclude.m4: add -latomic to PKGCFG_LIBS_PRIVATE
-
-Add -latomic to PKGCFG_LIBS_PRIVATE so applications linking statically
-with libzmq (such czmq) will know that they have to link with -latomic
-and the following build failure will be avoided:
-
-  CCLD     src/czmq_selftest
-/home/buildroot/autobuild/run/instance-3/output-1/host/opt/ext-toolchain/bin/../lib/gcc/sparc-buildroot-linux-uclibc/7.4.0/../../../../sparc-buildroot-linux-uclibc/bin/ld: /home/buildroot/autobuild/run/instance-3/output-1/host/sparc-buildroot-linux-uclibc/sysroot/usr/lib/libzmq.a(src_libzmq_la-ctx.o): in function `zmq::ctx_t::create_socket(int)':
-ctx.cpp:(.text+0x1710): undefined reference to `__atomic_fetch_add_4'
-
-Fixes:
- - http://autobuild.buildroot.org/results/4a12f1ede260cd956a0b5ccb4eec6ca8b44cb04f
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-[Retrieved from:
-https://github.com/zeromq/libzmq/commit/d59dcbcaebd91ca30a0f866403c383177a4843f8]
----
- acinclude.m4 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/acinclude.m4 b/acinclude.m4
-index 8c042ca50..387a3d2a1 100644
---- a/acinclude.m4
-+++ b/acinclude.m4
-@@ -691,7 +691,7 @@ int main (int, char **)
-             return t;
-         }
-         ])],
--        [AC_MSG_RESULT(yes) ; libzmq_cv_has_atomic_instrisics="yes" ; $1],
-+        [AC_MSG_RESULT(yes) ; libzmq_cv_has_atomic_instrisics="yes" PKGCFG_LIBS_PRIVATE="$PKGCFG_LIBS_PRIVATE -latomic" ; $1],
-         [AC_MSG_RESULT(no) ; libzmq_cv_has_atomic_instrisics="no" LIBS=$save_LIBS ; $2])
-     fi
- }])
diff --git a/buildroot/package/zeromq/zeromq.hash b/buildroot/package/zeromq/zeromq.hash
index 689d960b2..17ffff876 100644
--- a/buildroot/package/zeromq/zeromq.hash
+++ b/buildroot/package/zeromq/zeromq.hash
@@ -1,7 +1,7 @@
 # From https://github.com/zeromq/libzmq/releases
-md5  2047e917c2cc93505e2579bcba67a573 zeromq-4.3.2.tar.gz
-sha1 e5253bff214f77621b3d29443f1aa6e5a106ffe5  zeromq-4.3.2.tar.gz
+md5  78acc277d95e10812d71b2b3c3c3c9a9  zeromq-4.3.3.tar.gz
+sha1  d78bc504194d6908df40a2b9e41849b181b02491  zeromq-4.3.3.tar.gz
 # Locally computed
-sha256 ebd7b5c830d6428956b67a0454a7f8cbed1de74b3b01e5c33c5378e22740f763  zeromq-4.3.2.tar.gz
-sha256 4fd86507c9b486764343065a9e035222869a27b5789efeb4fd93edc85412d7a3  COPYING
-sha256 83f32abe61ee58ffb1b007412c08415168c052501dbf56d7a47aaaac52b03ef6  COPYING.LESSER
+sha256  9d9285db37ae942ed0780c016da87060497877af45094ff9e1a1ca736e3875a2  zeromq-4.3.3.tar.gz
+sha256  4fd86507c9b486764343065a9e035222869a27b5789efeb4fd93edc85412d7a3  COPYING
+sha256  83f32abe61ee58ffb1b007412c08415168c052501dbf56d7a47aaaac52b03ef6  COPYING.LESSER
diff --git a/buildroot/package/zeromq/zeromq.mk b/buildroot/package/zeromq/zeromq.mk
index 04f7e7d3f..7840d0362 100644
--- a/buildroot/package/zeromq/zeromq.mk
+++ b/buildroot/package/zeromq/zeromq.mk
@@ -4,15 +4,13 @@
 #
 ################################################################################
 
-ZEROMQ_VERSION = 4.3.2
+ZEROMQ_VERSION = 4.3.3
 ZEROMQ_SITE = https://github.com/zeromq/libzmq/releases/download/v$(ZEROMQ_VERSION)
 ZEROMQ_INSTALL_STAGING = YES
 ZEROMQ_DEPENDENCIES = util-linux
 ZEROMQ_CONF_OPTS = --without-documentation
 ZEROMQ_LICENSE = LGPL-3.0+ with exceptions
 ZEROMQ_LICENSE_FILES = COPYING COPYING.LESSER
-# We're patching acinclude.m4
-ZEROMQ_AUTORECONF = YES
 
 # Assume these flags are always available. It is true, at least for
 # SOCK_CLOEXEC, since linux v2.6.27.
diff --git a/buildroot/package/zstd/zstd.mk b/buildroot/package/zstd/zstd.mk
index e2ba12b05..35002da33 100644
--- a/buildroot/package/zstd/zstd.mk
+++ b/buildroot/package/zstd/zstd.mk
@@ -71,7 +71,7 @@ endef
 # note: no 'HAVE_...' options for host library build only
 define HOST_ZSTD_BUILD_CMDS
 	$(HOST_MAKE_ENV) $(HOST_CONFIGURE_OPTS) $(MAKE) \
-		-C $(@D)/lib
+		-C $(@D)/lib libzstd.a libzstd
 	$(HOST_MAKE_ENV) $(HOST_CONFIGURE_OPTS) $(MAKE) \
 		-C $(@D) zstd
 endef
diff --git a/buildroot/support/dependencies/dependencies.sh b/buildroot/support/dependencies/dependencies.sh
index 98469bd70..891e23404 100755
--- a/buildroot/support/dependencies/dependencies.sh
+++ b/buildroot/support/dependencies/dependencies.sh
@@ -180,6 +180,12 @@ if test "${missing_progs}" = "yes" ; then
 	exit 1
 fi
 
+# apply-patches.sh needs patch with --no-backup-if-mismatch support (GNU, busybox w/DESKTOP)
+if ! patch --no-backup-if-mismatch </dev/null 2>/dev/null; then
+	echo "Your patch program does not support the --no-backup-if-mismatch option. Install GNU patch"
+	exit 1
+fi
+
 if grep ^BR2_NEEDS_HOST_UTF8_LOCALE=y $BR2_CONFIG > /dev/null; then
 	if ! which locale > /dev/null ; then
 		echo
diff --git a/buildroot/support/docker/Dockerfile b/buildroot/support/docker/Dockerfile
index 03acde85d..a9bacca3a 100644
--- a/buildroot/support/docker/Dockerfile
+++ b/buildroot/support/docker/Dockerfile
@@ -36,10 +36,8 @@ RUN apt-get install -y --no-install-recommends \
         libncurses5-dev \
         locales \
         mercurial \
-        python-flake8 \
-        python-nose2 \
-        python-pexpect \
         python3 \
+        python3-flake8 \
         python3-nose2 \
         python3-pexpect \
         qemu-system-arm \
diff --git a/buildroot/support/misc/Vagrantfile b/buildroot/support/misc/Vagrantfile
index bbb66a5c2..f08806df9 100644
--- a/buildroot/support/misc/Vagrantfile
+++ b/buildroot/support/misc/Vagrantfile
@@ -5,7 +5,7 @@
 ################################################################################
 
 # Buildroot version to use
-RELEASE='2020.02'
+RELEASE='2020.02.7'
 
 ### Change here for more memory/cores ###
 VM_MEMORY=2048
diff --git a/buildroot/support/scripts/apply-patches.sh b/buildroot/support/scripts/apply-patches.sh
index 66fef262e..2d39d63da 100755
--- a/buildroot/support/scripts/apply-patches.sh
+++ b/buildroot/support/scripts/apply-patches.sh
@@ -119,7 +119,7 @@ function apply_patch {
         exit 1
     fi
     echo "${path}/${patch}" >> ${builddir}/.applied_patches_list
-    ${uncomp} "${path}/$patch" | patch -g0 -p1 -E -d "${builddir}" -t -N $silent
+    ${uncomp} "${path}/$patch" | patch -g0 -p1 -E --no-backup-if-mismatch -d "${builddir}" -t -N $silent
     if [ $? != 0 ] ; then
         echo "Patch failed!  Please fix ${patch}!"
         exit 1
@@ -168,6 +168,3 @@ if [ "`find $builddir/ '(' -name '*.rej' -o -name '.*.rej' ')' -print`" ] ; then
     echo "Aborting.  Reject files found."
     exit 1
 fi
-
-# Remove backup files
-find $builddir/ '(' -name '*.orig' -o -name '.*.orig' ')' -exec rm -f {} \;
diff --git a/buildroot/support/scripts/pkg-stats b/buildroot/support/scripts/pkg-stats
index 8a67e509e..e642147b9 100755
--- a/buildroot/support/scripts/pkg-stats
+++ b/buildroot/support/scripts/pkg-stats
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 
 # Copyright (C) 2009 by Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
 #
@@ -16,23 +16,25 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 
+import aiohttp
 import argparse
+import asyncio
 import datetime
 import fnmatch
 import os
 from collections import defaultdict
 import re
 import subprocess
-import requests  # URL checking
+import requests  # NVD database download
 import json
 import ijson
-import certifi
 import distutils.version
 import time
 import gzip
-from urllib3 import HTTPSConnectionPool
-from urllib3.exceptions import HTTPError
-from multiprocessing import Pool
+import sys
+
+sys.path.append('utils/')
+from getdeveloperlib import parse_developers  # noqa: E402
 
 NVD_START_YEAR = 2002
 NVD_JSON_VERSION = "1.0"
@@ -46,32 +48,68 @@ RM_API_STATUS_FOUND_BY_DISTRO = 2
 RM_API_STATUS_FOUND_BY_PATTERN = 3
 RM_API_STATUS_NOT_FOUND = 4
 
-# Used to make multiple requests to the same host. It is global
-# because it's used by sub-processes.
-http_pool = None
+CVE_AFFECTS = 1
+CVE_DOESNT_AFFECT = 2
+CVE_UNKNOWN = 3
+
+
+class Defconfig:
+    def __init__(self, name, path):
+        self.name = name
+        self.path = path
+        self.developers = None
+
+    def set_developers(self, developers):
+        """
+        Fills in the .developers field
+        """
+        self.developers = [
+            developer.name
+            for developer in developers
+            if developer.hasfile(self.path)
+        ]
+
+
+def get_defconfig_list():
+    """
+    Builds the list of Buildroot defconfigs, returning a list of Defconfig
+    objects.
+    """
+    return [
+        Defconfig(name[:-len('_defconfig')], os.path.join('configs', name))
+        for name in os.listdir('configs')
+        if name.endswith('_defconfig')
+    ]
 
 
 class Package:
-    all_licenses = list()
+    all_licenses = dict()
     all_license_files = list()
     all_versions = dict()
     all_ignored_cves = dict()
+    # This is the list of all possible checks. Add new checks to this list so
+    # a tool that post-processeds the json output knows the checks before
+    # iterating over the packages.
+    status_checks = ['cve', 'developers', 'hash', 'license',
+                     'license-files', 'patches', 'pkg-check', 'url', 'version']
 
     def __init__(self, name, path):
         self.name = name
         self.path = path
+        self.pkg_path = os.path.dirname(path)
         self.infras = None
+        self.license = None
         self.has_license = False
         self.has_license_files = False
         self.has_hash = False
-        self.patch_count = 0
+        self.patch_files = []
         self.warnings = 0
         self.current_version = None
         self.url = None
-        self.url_status = None
         self.url_worker = None
         self.cves = list()
-        self.latest_version = (RM_API_STATUS_ERROR, None, None)
+        self.latest_version = {'status': RM_API_STATUS_ERROR, 'version': None, 'id': None}
+        self.status = {}
 
     def pkgvar(self):
         return self.name.upper().replace("-", "_")
@@ -80,19 +118,32 @@ class Package:
         """
         Fills in the .url field
         """
-        self.url_status = "No Config.in"
+        self.status['url'] = ("warning", "no Config.in")
         for filename in os.listdir(os.path.dirname(self.path)):
             if fnmatch.fnmatch(filename, 'Config.*'):
                 fp = open(os.path.join(os.path.dirname(self.path), filename), "r")
                 for config_line in fp:
                     if URL_RE.match(config_line):
                         self.url = config_line.strip()
-                        self.url_status = "Found"
+                        self.status['url'] = ("ok", "found")
                         fp.close()
                         return
-                self.url_status = "Missing"
+                self.status['url'] = ("error", "missing")
                 fp.close()
 
+    @property
+    def patch_count(self):
+        return len(self.patch_files)
+
+    @property
+    def has_valid_infra(self):
+        try:
+            if self.infras[0][1] == 'virtual':
+                return False
+        except IndexError:
+            return False
+        return True
+
     def set_infra(self):
         """
         Fills in the .infras field
@@ -112,29 +163,55 @@ class Package:
 
     def set_license(self):
         """
-        Fills in the .has_license and .has_license_files fields
+        Fills in the .status['license'] and .status['license-files'] fields
         """
+        if not self.has_valid_infra:
+            self.status['license'] = ("na", "no valid package infra")
+            self.status['license-files'] = ("na", "no valid package infra")
+            return
+
         var = self.pkgvar()
+        self.status['license'] = ("error", "missing")
+        self.status['license-files'] = ("error", "missing")
         if var in self.all_licenses:
-            self.has_license = True
+            self.license = self.all_licenses[var]
+            self.status['license'] = ("ok", "found")
         if var in self.all_license_files:
-            self.has_license_files = True
+            self.status['license-files'] = ("ok", "found")
 
     def set_hash_info(self):
         """
-        Fills in the .has_hash field
+        Fills in the .status['hash'] field
         """
+        if not self.has_valid_infra:
+            self.status['hash'] = ("na", "no valid package infra")
+            self.status['hash-license'] = ("na", "no valid package infra")
+            return
+
         hashpath = self.path.replace(".mk", ".hash")
-        self.has_hash = os.path.exists(hashpath)
+        if os.path.exists(hashpath):
+            self.status['hash'] = ("ok", "found")
+        else:
+            self.status['hash'] = ("error", "missing")
 
     def set_patch_count(self):
         """
-        Fills in the .patch_count field
+        Fills in the .patch_count, .patch_files and .status['patches'] fields
         """
-        self.patch_count = 0
+        if not self.has_valid_infra:
+            self.status['patches'] = ("na", "no valid package infra")
+            return
+
         pkgdir = os.path.dirname(self.path)
         for subdir, _, _ in os.walk(pkgdir):
-            self.patch_count += len(fnmatch.filter(os.listdir(subdir), '*.patch'))
+            self.patch_files = fnmatch.filter(os.listdir(subdir), '*.patch')
+
+        if self.patch_count == 0:
+            self.status['patches'] = ("ok", "no patches")
+        elif self.patch_count < 5:
+            self.status['patches'] = ("warning", "some patches")
+        else:
+            self.status['patches'] = ("error", "lots of patches")
 
     def set_current_version(self):
         """
@@ -146,10 +223,11 @@ class Package:
 
     def set_check_package_warnings(self):
         """
-        Fills in the .warnings field
+        Fills in the .warnings and .status['pkg-check'] fields
         """
         cmd = ["./utils/check-package"]
         pkgdir = os.path.dirname(self.path)
+        self.status['pkg-check'] = ("error", "Missing")
         for root, dirs, files in os.walk(pkgdir):
             for f in files:
                 if f.endswith(".mk") or f.endswith(".hash") or f == "Config.in" or f == "Config.in.host":
@@ -160,6 +238,10 @@ class Package:
             m = re.match("^([0-9]*) warnings generated", line.decode())
             if m:
                 self.warnings = int(m.group(1))
+                if self.warnings == 0:
+                    self.status['pkg-check'] = ("ok", "no warnings")
+                else:
+                    self.status['pkg-check'] = ("error", "{} warnings".format(self.warnings))
                 return
 
     def is_cve_ignored(self, cve):
@@ -168,6 +250,24 @@ class Package:
         """
         return cve in self.all_ignored_cves.get(self.pkgvar(), [])
 
+    def set_developers(self, developers):
+        """
+        Fills in the .developers and .status['developers'] field
+        """
+        self.developers = [
+            dev.name
+            for dev in developers
+            if dev.hasfile(self.path)
+        ]
+
+        if self.developers:
+            self.status['developers'] = ("ok", "{} developers".format(len(self.developers)))
+        else:
+            self.status['developers'] = ("warning", "no developers")
+
+    def is_status_ok(self, name):
+        return self.status[name][0] == 'ok'
+
     def __eq__(self, other):
         return self.path == other.path
 
@@ -176,7 +276,8 @@ class Package:
 
     def __str__(self):
         return "%s (path='%s', license='%s', license_files='%s', hash='%s', patches=%d)" % \
-            (self.name, self.path, self.has_license, self.has_license_files, self.has_hash, self.patch_count)
+            (self.name, self.path, self.is_status_ok('license'),
+             self.is_status_ok('license-files'), self.status['hash'], self.patch_count)
 
 
 class CVE:
@@ -233,7 +334,7 @@ class CVE:
             filename = CVE.download_nvd_year(nvd_dir, year)
             try:
                 content = ijson.items(gzip.GzipFile(filename), 'CVE_Items.item')
-            except:
+            except:  # noqa: E722
                 print("ERROR: cannot read %s. Please remove the file then rerun this script" % filename)
                 raise
             for cve in content:
@@ -261,7 +362,7 @@ class CVE:
         by this CVE.
         """
         if br_pkg.is_cve_ignored(self.identifier):
-            return False
+            return CVE_DOESNT_AFFECT
 
         for product in self.each_product():
             if product['product_name'] != br_pkg.name:
@@ -270,7 +371,7 @@ class CVE:
             for v in product['version']['version_data']:
                 if v["version_affected"] == "=":
                     if br_pkg.current_version == v["version_value"]:
-                        return True
+                        return CVE_AFFECTS
                 elif v["version_affected"] == "<=":
                     pkg_version = distutils.version.LooseVersion(br_pkg.current_version)
                     if not hasattr(pkg_version, "version"):
@@ -280,10 +381,17 @@ class CVE:
                     if not hasattr(cve_affected_version, "version"):
                         print("Cannot parse CVE affected version '%s'" % v["version_value"])
                         continue
-                    return pkg_version <= cve_affected_version
+                    try:
+                        affected = pkg_version <= cve_affected_version
+                    except TypeError:
+                        return CVE_UNKNOWN
+                    if affected:
+                        return CVE_AFFECTS
+                    else:
+                        return CVE_DOESNT_AFFECT
                 else:
                     print("version_affected: %s" % v['version_affected'])
-        return False
+        return CVE_DOESNT_AFFECT
 
 
 def get_pkglist(npackages, package_list):
@@ -370,7 +478,7 @@ def package_init_make_info():
             if value == "unknown":
                 continue
             pkgvar = pkgvar[:-8]
-            Package.all_licenses.append(pkgvar)
+            Package.all_licenses[pkgvar] = value
 
         elif pkgvar.endswith("_LICENSE_FILES"):
             if pkgvar.endswith("_MANIFEST_LICENSE_FILES"):
@@ -389,82 +497,140 @@ def package_init_make_info():
             Package.all_ignored_cves[pkgvar] = value.split()
 
 
-def check_url_status_worker(url, url_status):
-    if url_status != "Missing" and url_status != "No Config.in":
-        try:
-            url_status_code = requests.head(url, timeout=30).status_code
-            if url_status_code >= 400:
-                return "Invalid(%s)" % str(url_status_code)
-        except requests.exceptions.RequestException:
-            return "Invalid(Err)"
-        return "Ok"
-    return url_status
+check_url_count = 0
 
 
-def check_package_urls(packages):
-    pool = Pool(processes=64)
-    for pkg in packages:
-        pkg.url_worker = pool.apply_async(check_url_status_worker, (pkg.url, pkg.url_status))
-    for pkg in packages:
-        pkg.url_status = pkg.url_worker.get(timeout=3600)
-        del pkg.url_worker
-    pool.terminate()
+async def check_url_status(session, pkg, npkgs, retry=True):
+    global check_url_count
 
-
-def release_monitoring_get_latest_version_by_distro(pool, name):
     try:
-        req = pool.request('GET', "/api/project/Buildroot/%s" % name)
-    except HTTPError:
-        return (RM_API_STATUS_ERROR, None, None)
+        async with session.get(pkg.url) as resp:
+            if resp.status >= 400:
+                pkg.status['url'] = ("error", "invalid {}".format(resp.status))
+                check_url_count += 1
+                print("[%04d/%04d] %s" % (check_url_count, npkgs, pkg.name))
+                return
+    except (aiohttp.ClientError, asyncio.TimeoutError):
+        if retry:
+            return await check_url_status(session, pkg, npkgs, retry=False)
+        else:
+            pkg.status['url'] = ("error", "invalid (err)")
+            check_url_count += 1
+            print("[%04d/%04d] %s" % (check_url_count, npkgs, pkg.name))
+            return
 
-    if req.status != 200:
-        return (RM_API_STATUS_NOT_FOUND, None, None)
+    pkg.status['url'] = ("ok", "valid")
+    check_url_count += 1
+    print("[%04d/%04d] %s" % (check_url_count, npkgs, pkg.name))
 
-    data = json.loads(req.data)
 
-    if 'version' in data:
-        return (RM_API_STATUS_FOUND_BY_DISTRO, data['version'], data['id'])
+async def check_package_urls(packages):
+    tasks = []
+    connector = aiohttp.TCPConnector(limit_per_host=5)
+    async with aiohttp.ClientSession(connector=connector, trust_env=True) as sess:
+        packages = [p for p in packages if p.status['url'][0] == 'ok']
+        for pkg in packages:
+            tasks.append(check_url_status(sess, pkg, len(packages)))
+        await asyncio.wait(tasks)
+
+
+def check_package_latest_version_set_status(pkg, status, version, identifier):
+    pkg.latest_version = {
+        "status": status,
+        "version": version,
+        "id": identifier,
+    }
+
+    if pkg.latest_version['status'] == RM_API_STATUS_ERROR:
+        pkg.status['version'] = ('warning', "Release Monitoring API error")
+    elif pkg.latest_version['status'] == RM_API_STATUS_NOT_FOUND:
+        pkg.status['version'] = ('warning', "Package not found on Release Monitoring")
+
+    if pkg.latest_version['version'] is None:
+        pkg.status['version'] = ('warning', "No upstream version available on Release Monitoring")
+    elif pkg.latest_version['version'] != pkg.current_version:
+        pkg.status['version'] = ('error', "The newer version {} is available upstream".format(pkg.latest_version['version']))
     else:
-        return (RM_API_STATUS_FOUND_BY_DISTRO, None, data['id'])
+        pkg.status['version'] = ('ok', 'up-to-date')
 
 
-def release_monitoring_get_latest_version_by_guess(pool, name):
+async def check_package_get_latest_version_by_distro(session, pkg, retry=True):
+    url = "https://release-monitoring.org//api/project/Buildroot/%s" % pkg.name
     try:
-        req = pool.request('GET', "/api/projects/?pattern=%s" % name)
-    except HTTPError:
-        return (RM_API_STATUS_ERROR, None, None)
+        async with session.get(url) as resp:
+            if resp.status != 200:
+                return False
 
-    if req.status != 200:
-        return (RM_API_STATUS_NOT_FOUND, None, None)
+            data = await resp.json()
+            version = data['version'] if 'version' in data else None
+            check_package_latest_version_set_status(pkg,
+                                                    RM_API_STATUS_FOUND_BY_DISTRO,
+                                                    version,
+                                                    data['id'])
+            return True
 
-    data = json.loads(req.data)
-
-    projects = data['projects']
-    projects.sort(key=lambda x: x['id'])
-
-    for p in projects:
-        if p['name'] == name and 'version' in p:
-            return (RM_API_STATUS_FOUND_BY_PATTERN, p['version'], p['id'])
-
-    return (RM_API_STATUS_NOT_FOUND, None, None)
+    except (aiohttp.ClientError, asyncio.TimeoutError):
+        if retry:
+            return await check_package_get_latest_version_by_distro(session, pkg, retry=False)
+        else:
+            return False
 
 
-def check_package_latest_version_worker(name):
-    """Wrapper to try both by name then by guess"""
-    print(name)
-    res = release_monitoring_get_latest_version_by_distro(http_pool, name)
-    if res[0] == RM_API_STATUS_NOT_FOUND:
-        res = release_monitoring_get_latest_version_by_guess(http_pool, name)
-    return res
+async def check_package_get_latest_version_by_guess(session, pkg, retry=True):
+    url = "https://release-monitoring.org/api/projects/?pattern=%s" % pkg.name
+    try:
+        async with session.get(url) as resp:
+            if resp.status != 200:
+                return False
+
+            data = await resp.json()
+            # filter projects that have the right name and a version defined
+            projects = [p for p in data['projects'] if p['name'] == pkg.name and 'version' in p]
+            projects.sort(key=lambda x: x['id'])
+
+            if len(projects) > 0:
+                check_package_latest_version_set_status(pkg,
+                                                        RM_API_STATUS_FOUND_BY_DISTRO,
+                                                        projects[0]['version'],
+                                                        projects[0]['id'])
+                return True
+
+    except (aiohttp.ClientError, asyncio.TimeoutError):
+        if retry:
+            return await check_package_get_latest_version_by_guess(session, pkg, retry=False)
+        else:
+            return False
 
 
-def check_package_latest_version(packages):
+check_latest_count = 0
+
+
+async def check_package_latest_version_get(session, pkg, npkgs):
+    global check_latest_count
+
+    if await check_package_get_latest_version_by_distro(session, pkg):
+        check_latest_count += 1
+        print("[%04d/%04d] %s" % (check_latest_count, npkgs, pkg.name))
+        return
+
+    if await check_package_get_latest_version_by_guess(session, pkg):
+        check_latest_count += 1
+        print("[%04d/%04d] %s" % (check_latest_count, npkgs, pkg.name))
+        return
+
+    check_package_latest_version_set_status(pkg,
+                                            RM_API_STATUS_NOT_FOUND,
+                                            None, None)
+    check_latest_count += 1
+    print("[%04d/%04d] %s" % (check_latest_count, npkgs, pkg.name))
+
+
+async def check_package_latest_version(packages):
     """
     Fills in the .latest_version field of all Package objects
 
-    This field has a special format:
-      (status, version, id)
-    with:
+    This field is a dict and has the following keys:
+
     - status: one of RM_API_STATUS_ERROR,
       RM_API_STATUS_FOUND_BY_DISTRO, RM_API_STATUS_FOUND_BY_PATTERN,
       RM_API_STATUS_NOT_FOUND
@@ -473,16 +639,17 @@ def check_package_latest_version(packages):
     - id: string containing the id of the project corresponding to this
       package, as known by release-monitoring.org
     """
-    global http_pool
-    http_pool = HTTPSConnectionPool('release-monitoring.org', port=443,
-                                    cert_reqs='CERT_REQUIRED', ca_certs=certifi.where(),
-                                    timeout=30)
-    worker_pool = Pool(processes=64)
-    results = worker_pool.map(check_package_latest_version_worker, (pkg.name for pkg in packages))
-    for pkg, r in zip(packages, results):
-        pkg.latest_version = r
-    worker_pool.terminate()
-    del http_pool
+
+    for pkg in [p for p in packages if not p.has_valid_infra]:
+        pkg.status['version'] = ("na", "no valid package infra")
+
+    tasks = []
+    connector = aiohttp.TCPConnector(limit_per_host=5)
+    async with aiohttp.ClientSession(connector=connector, trust_env=True) as sess:
+        packages = [p for p in packages if p.has_valid_infra]
+        for pkg in packages:
+            tasks.append(check_package_latest_version_get(sess, pkg, len(packages)))
+        await asyncio.wait(tasks)
 
 
 def check_package_cves(nvd_path, packages):
@@ -491,12 +658,13 @@ def check_package_cves(nvd_path, packages):
 
     for cve in CVE.read_nvd_dir(nvd_path):
         for pkg_name in cve.pkg_names:
-            if pkg_name in packages and cve.affects(packages[pkg_name]):
+            if pkg_name in packages and cve.affects(packages[pkg_name]) == CVE_AFFECTS:
                 packages[pkg_name].cves.append(cve.identifier)
 
 
 def calculate_stats(packages):
     stats = defaultdict(int)
+    stats['packages'] = len(packages)
     for pkg in packages:
         # If packages have multiple infra, take the first one. For the
         # vast majority of packages, the target and host infra are the
@@ -507,25 +675,25 @@ def calculate_stats(packages):
             stats["infra-%s" % infra] += 1
         else:
             stats["infra-unknown"] += 1
-        if pkg.has_license:
+        if pkg.is_status_ok('license'):
             stats["license"] += 1
         else:
             stats["no-license"] += 1
-        if pkg.has_license_files:
+        if pkg.is_status_ok('license-files'):
             stats["license-files"] += 1
         else:
             stats["no-license-files"] += 1
-        if pkg.has_hash:
+        if pkg.is_status_ok('hash'):
             stats["hash"] += 1
         else:
             stats["no-hash"] += 1
-        if pkg.latest_version[0] == RM_API_STATUS_FOUND_BY_DISTRO:
+        if pkg.latest_version['status'] == RM_API_STATUS_FOUND_BY_DISTRO:
             stats["rmo-mapping"] += 1
         else:
             stats["rmo-no-mapping"] += 1
-        if not pkg.latest_version[1]:
+        if not pkg.latest_version['version']:
             stats["version-unknown"] += 1
-        elif pkg.latest_version[1] == pkg.current_version:
+        elif pkg.latest_version['version'] == pkg.current_version:
             stats["version-uptodate"] += 1
         else:
             stats["version-not-uptodate"] += 1
@@ -658,30 +826,30 @@ def dump_html_pkg(f, pkg):
 
     # License
     td_class = ["centered"]
-    if pkg.has_license:
+    if pkg.is_status_ok('license'):
         td_class.append("correct")
     else:
         td_class.append("wrong")
     f.write("  <td class=\"%s\">%s</td>\n" %
-            (" ".join(td_class), boolean_str(pkg.has_license)))
+            (" ".join(td_class), boolean_str(pkg.is_status_ok('license'))))
 
     # License files
     td_class = ["centered"]
-    if pkg.has_license_files:
+    if pkg.is_status_ok('license-files'):
         td_class.append("correct")
     else:
         td_class.append("wrong")
     f.write("  <td class=\"%s\">%s</td>\n" %
-            (" ".join(td_class), boolean_str(pkg.has_license_files)))
+            (" ".join(td_class), boolean_str(pkg.is_status_ok('license-files'))))
 
     # Hash
     td_class = ["centered"]
-    if pkg.has_hash:
+    if pkg.is_status_ok('hash'):
         td_class.append("correct")
     else:
         td_class.append("wrong")
     f.write("  <td class=\"%s\">%s</td>\n" %
-            (" ".join(td_class), boolean_str(pkg.has_hash)))
+            (" ".join(td_class), boolean_str(pkg.is_status_ok('hash'))))
 
     # Current version
     if len(pkg.current_version) > 20:
@@ -691,29 +859,29 @@ def dump_html_pkg(f, pkg):
     f.write("  <td class=\"centered\">%s</td>\n" % current_version)
 
     # Latest version
-    if pkg.latest_version[0] == RM_API_STATUS_ERROR:
+    if pkg.latest_version['status'] == RM_API_STATUS_ERROR:
         td_class.append("version-error")
-    if pkg.latest_version[1] is None:
+    if pkg.latest_version['version'] is None:
         td_class.append("version-unknown")
-    elif pkg.latest_version[1] != pkg.current_version:
+    elif pkg.latest_version['version'] != pkg.current_version:
         td_class.append("version-needs-update")
     else:
         td_class.append("version-good")
 
-    if pkg.latest_version[0] == RM_API_STATUS_ERROR:
+    if pkg.latest_version['status'] == RM_API_STATUS_ERROR:
         latest_version_text = "<b>Error</b>"
-    elif pkg.latest_version[0] == RM_API_STATUS_NOT_FOUND:
+    elif pkg.latest_version['status'] == RM_API_STATUS_NOT_FOUND:
         latest_version_text = "<b>Not found</b>"
     else:
-        if pkg.latest_version[1] is None:
+        if pkg.latest_version['version'] is None:
             latest_version_text = "<b>Found, but no version</b>"
         else:
             latest_version_text = "<a href=\"https://release-monitoring.org/project/%s\"><b>%s</b></a>" % \
-                (pkg.latest_version[2], str(pkg.latest_version[1]))
+                (pkg.latest_version['id'], str(pkg.latest_version['version']))
 
         latest_version_text += "<br/>"
 
-        if pkg.latest_version[0] == RM_API_STATUS_FOUND_BY_DISTRO:
+        if pkg.latest_version['status'] == RM_API_STATUS_FOUND_BY_DISTRO:
             latest_version_text += "found by <a href=\"https://release-monitoring.org/distro/Buildroot/\">distro</a>"
         else:
             latest_version_text += "found by guess"
@@ -732,12 +900,12 @@ def dump_html_pkg(f, pkg):
 
     # URL status
     td_class = ["centered"]
-    url_str = pkg.url_status
-    if pkg.url_status == "Missing" or pkg.url_status == "No Config.in":
+    url_str = pkg.status['url'][1]
+    if pkg.status['url'][0] in ("error", "warning"):
         td_class.append("missing_url")
-    elif pkg.url_status.startswith("Invalid"):
+    if pkg.status['url'][0] == "error":
         td_class.append("invalid_url")
-        url_str = "<a href=%s>%s</a>" % (pkg.url, pkg.url_status)
+        url_str = "<a href=%s>%s</a>" % (pkg.url, pkg.status['url'][1])
     else:
         td_class.append("good_url")
         url_str = "<a href=%s>Link</a>" % pkg.url
@@ -832,7 +1000,7 @@ def dump_html(packages, stats, date, commit, output):
         f.write(html_footer)
 
 
-def dump_json(packages, stats, date, commit, output):
+def dump_json(packages, defconfigs, stats, date, commit, output):
     # Format packages as a dictionnary instead of a list
     # Exclude local field that does not contains real date
     excluded_fields = ['url_worker', 'name']
@@ -843,6 +1011,12 @@ def dump_json(packages, stats, date, commit, output):
             if k not in excluded_fields
         } for pkg in packages
     }
+    defconfigs = {
+        d.name: {
+            k: v
+            for k, v in d.__dict__.items()
+        } for d in defconfigs
+    }
     # Aggregate infrastructures into a single dict entry
     statistics = {
         k: v
@@ -853,6 +1027,8 @@ def dump_json(packages, stats, date, commit, output):
     # The actual structure to dump, add commit and date to it
     final = {'packages': pkgs,
              'stats': statistics,
+             'defconfigs': defconfigs,
+             'package_status_checks': Package.status_checks,
              'commit': commit,
              'date': str(date)}
 
@@ -861,12 +1037,16 @@ def dump_json(packages, stats, date, commit, output):
         f.write('\n')
 
 
+def resolvepath(path):
+    return os.path.abspath(os.path.expanduser(path))
+
+
 def parse_args():
     parser = argparse.ArgumentParser()
     output = parser.add_argument_group('output', 'Output file(s)')
-    output.add_argument('--html', dest='html', action='store',
+    output.add_argument('--html', dest='html', type=resolvepath,
                         help='HTML output file')
-    output.add_argument('--json', dest='json', action='store',
+    output.add_argument('--json', dest='json', type=resolvepath,
                         help='JSON output file')
     packages = parser.add_mutually_exclusive_group()
     packages.add_argument('-n', dest='npackages', type=int, action='store',
@@ -874,7 +1054,7 @@ def parse_args():
     packages.add_argument('-p', dest='packages', action='store',
                           help='List of packages (comma separated)')
     parser.add_argument('--nvd-path', dest='nvd_path',
-                        help='Path to the local NVD database')
+                        help='Path to the local NVD database', type=resolvepath)
     args = parser.parse_args()
     if not args.html and not args.json:
         parser.error('at least one of --html or --json (or both) is required')
@@ -892,6 +1072,12 @@ def __main__():
                                       'HEAD']).splitlines()[0].decode()
     print("Build package list ...")
     packages = get_pkglist(args.npackages, package_list)
+    print("Getting developers ...")
+    developers = parse_developers()
+    print("Build defconfig list ...")
+    defconfigs = get_defconfig_list()
+    for d in defconfigs:
+        d.set_developers(developers)
     print("Getting package make info ...")
     package_init_make_info()
     print("Getting package details ...")
@@ -903,10 +1089,13 @@ def __main__():
         pkg.set_check_package_warnings()
         pkg.set_current_version()
         pkg.set_url()
+        pkg.set_developers(developers)
     print("Checking URL status")
-    check_package_urls(packages)
+    loop = asyncio.get_event_loop()
+    loop.run_until_complete(check_package_urls(packages))
     print("Getting latest versions ...")
-    check_package_latest_version(packages)
+    loop = asyncio.get_event_loop()
+    loop.run_until_complete(check_package_latest_version(packages))
     if args.nvd_path:
         print("Checking packages CVEs")
         check_package_cves(args.nvd_path, {p.name: p for p in packages})
@@ -917,7 +1106,7 @@ def __main__():
         dump_html(packages, stats, date, commit, args.html)
     if args.json:
         print("Write JSON")
-        dump_json(packages, stats, date, commit, args.json)
+        dump_json(packages, defconfigs, stats, date, commit, args.json)
 
 
 __main__()
diff --git a/buildroot/support/scripts/pycompile.py b/buildroot/support/scripts/pycompile.py
index 9192a7016..8399d5793 100644
--- a/buildroot/support/scripts/pycompile.py
+++ b/buildroot/support/scripts/pycompile.py
@@ -1,69 +1,85 @@
 #!/usr/bin/env python
 
-'''Wrapper for python2 and python3 around compileall to raise exception
-when a python byte code generation failed.
+"""
+Byte compile all .py files from provided directories. This script is an
+alternative implementation of compileall.compile_dir written with
+cross-compilation in mind.
+"""
 
-Inspired from:
-   http://stackoverflow.com/questions/615632/how-to-detect-errors-from-compileall-compile-dir
-'''
 from __future__ import print_function
-import sys
-import py_compile
-import compileall
+
 import argparse
+import os
+import py_compile
+import re
+import sys
 
 
-def check_for_errors(comparison):
-    '''Wrap comparison operator with code checking for PyCompileError.
-    If PyCompileError was raised, re-raise it again to abort execution,
-    otherwise perform comparison as expected.
-    '''
-    def operator(self, other):
-        exc_type, value, traceback = sys.exc_info()
-        if exc_type is not None and issubclass(exc_type,
-                                               py_compile.PyCompileError):
-            print("Cannot compile %s" % value.file)
-            raise value
+def compile_one(host_path, strip_root=None):
+    """
+    Compile a .py file into a .pyc file located next to it.
 
-        return comparison(self, other)
+    :arg host_path:
+        Absolute path to the file to compile on the host running the build.
+    :arg strip_root:
+        Prefix to remove from the original source paths encoded in compiled
+        files.
+    """
+    if os.path.islink(host_path) or not os.path.isfile(host_path):
+        return  # only compile real files
 
-    return operator
+    if not re.match(r"^[_A-Za-z][_A-Za-z0-9]+\.py$",
+                    os.path.basename(host_path)):
+        return  # only compile "importable" python modules
+
+    if strip_root is not None:
+        # determine the runtime path of the file (i.e.: relative path to root
+        # dir prepended with "/").
+        runtime_path = os.path.join("/", os.path.relpath(host_path, strip_root))
+    else:
+        runtime_path = host_path
+
+    # will raise an error if the file cannot be compiled
+    py_compile.compile(host_path, cfile=host_path + "c",
+                       dfile=runtime_path, doraise=True)
 
 
-class ReportProblem(int):
-    '''Class that pretends to be an int() object but implements all of its
-    comparison operators such that it'd detect being called in
-    PyCompileError handling context and abort execution
-    '''
-    VALUE = 1
-
-    def __new__(cls, *args, **kwargs):
-        return int.__new__(cls, ReportProblem.VALUE, **kwargs)
-
-    @check_for_errors
-    def __lt__(self, other):
-        return ReportProblem.VALUE < other
-
-    @check_for_errors
-    def __eq__(self, other):
-        return ReportProblem.VALUE == other
-
-    def __ge__(self, other):
-        return not self < other
-
-    def __gt__(self, other):
-        return not self < other and not self == other
-
-    def __ne__(self, other):
-        return not self == other
+def existing_dir_abs(arg):
+    """
+    argparse type callback that checks that argument is a directory and returns
+    its absolute path.
+    """
+    if not os.path.isdir(arg):
+        raise argparse.ArgumentTypeError('no such directory: {!r}'.format(arg))
+    return os.path.abspath(arg)
 
 
-parser = argparse.ArgumentParser(description='Compile Python source files in a directory tree.')
-parser.add_argument("target", metavar='DIRECTORY',
-                    help='Directory to scan')
-parser.add_argument("--force", action='store_true',
-                    help="Force compilation even if alread compiled")
+def main():
+    parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument("dirs", metavar="DIR", nargs="+", type=existing_dir_abs,
+                        help="Directory to recursively scan and compile")
+    parser.add_argument("--strip-root", metavar="ROOT", type=existing_dir_abs,
+                        help="""
+                        Prefix to remove from the original source paths encoded
+                        in compiled files
+                        """)
 
-args = parser.parse_args()
+    args = parser.parse_args()
 
-compileall.compile_dir(args.target, force=args.force, quiet=ReportProblem())
+    try:
+        for d in args.dirs:
+            if args.strip_root and ".." in os.path.relpath(d, args.strip_root):
+                parser.error("DIR: not inside ROOT dir: {!r}".format(d))
+            for parent, _, files in os.walk(d):
+                for f in files:
+                    compile_one(os.path.join(parent, f), args.strip_root)
+
+    except Exception as e:
+        print("error: {}".format(e))
+        return 1
+
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())
diff --git a/buildroot/support/scripts/setlocalversion b/buildroot/support/scripts/setlocalversion
index b39b751f0..d492f2db2 100755
--- a/buildroot/support/scripts/setlocalversion
+++ b/buildroot/support/scripts/setlocalversion
@@ -19,19 +19,14 @@ cd "${1:-.}" || usage
 # Check for git and a git repo.
 if head=`git rev-parse --verify --short HEAD 2>/dev/null`; then
 
-	# If we are at a tagged commit (like "v2.6.30-rc6"), we ignore it,
-	# because this version is defined in the top level Makefile.
-	if [ -z "`git describe --exact-match 2>/dev/null`" ]; then
+	atag="`git describe 2>/dev/null`"
 
-		# If we are past a tagged commit (like "v2.6.30-rc5-302-g72357d5"),
-		# we pretty print it.
-		if atag="`git describe 2>/dev/null`"; then
-			echo "$atag" | awk -F- '{printf("-%05d-%s", $(NF-1),$(NF))}'
-
-		# If we don't have a tag at all we print -g{commitish}.
-		else
-			printf '%s%s' -g $head
-		fi
+	# Show -g<commit> if we have no tag, or just the tag
+	# otherwise.
+	if [ -z "${atag}" ] ; then
+		printf "%s%s" -g ${head}
+	else
+		printf ${atag}
 	fi
 
 	# Is this git on svn?
@@ -53,13 +48,29 @@ if head=`git rev-parse --verify --short HEAD 2>/dev/null`; then
 fi
 
 # Check for mercurial and a mercurial repo.
+# In the git case, 'git describe' will show the latest tag, and unless we are
+# exactly on that tag, the number of commits since then, and last commit id.
+# Mimic something similar in the Mercurial case.
 if hgid=`HGRCPATH= hg id --id --tags 2>/dev/null`; then
 	tag=`printf '%s' "$hgid" | cut -d' ' -f2 --only-delimited`
 
 	# Do we have an untagged version?
 	if [ -z "$tag" -o "$tag" = tip ]; then
+		# current revision is not tagged, determine latest tag
+		latesttag=`HGRCPATH= hg log -r. -T '{latesttag}' 2>/dev/null`
+		# In case there is more than one tag on the latest tagged commit,
+		# 'latesttag' will separate them by colon (:). We'll retain this.
+		# In case there is no tag at all, 'null' will be returned.
+		if [ "$latesttag" = "null" ]; then
+			latesttag=''
+		fi
+
+		# add the commit id
 		id=`printf '%s' "$hgid" | sed 's/[+ ].*//'`
-		printf '%s%s' -hg "$id"
+		printf '%s%s%s' "${latesttag}" -hg "$id"
+	else
+		# current revision is tagged, just print the tag
+		printf ${tag}
 	fi
 
 	# Are there uncommitted changes?
diff --git a/buildroot/support/testing/infra/__init__.py b/buildroot/support/testing/infra/__init__.py
index 6392aa679..6522a265f 100644
--- a/buildroot/support/testing/infra/__init__.py
+++ b/buildroot/support/testing/infra/__init__.py
@@ -78,7 +78,7 @@ def get_elf_arch_tag(builddir, prefix, fpath, tag):
     cmd = ["host/bin/{}-readelf".format(prefix),
            "-A", os.path.join("target", fpath)]
     out = run_cmd_on_host(builddir, cmd)
-    regexp = re.compile("^  {}: (.*)$".format(tag))
+    regexp = re.compile(r"^  {}: (.*)$".format(tag))
     for line in out.splitlines():
         m = regexp.match(line)
         if not m:
@@ -105,7 +105,7 @@ def get_elf_prog_interpreter(builddir, prefix, fpath):
     cmd = ["host/bin/{}-readelf".format(prefix),
            "-l", os.path.join("target", fpath)]
     out = run_cmd_on_host(builddir, cmd)
-    regexp = re.compile("^ *\[Requesting program interpreter: (.*)\]$")
+    regexp = re.compile(r"^ *\[Requesting program interpreter: (.*)\]$")
     for line in out.splitlines():
         m = regexp.match(line)
         if not m:
diff --git a/buildroot/support/testing/tests/core/test_timezone.py b/buildroot/support/testing/tests/core/test_timezone.py
index 050624e0a..f66151919 100644
--- a/buildroot/support/testing/tests/core/test_timezone.py
+++ b/buildroot/support/testing/tests/core/test_timezone.py
@@ -4,10 +4,10 @@ import infra.basetest
 
 
 def boot_armv5_cpio(emulator, builddir):
-        img = os.path.join(builddir, "images", "rootfs.cpio")
-        emulator.boot(arch="armv5", kernel="builtin",
-                      options=["-initrd", img])
-        emulator.login()
+    img = os.path.join(builddir, "images", "rootfs.cpio")
+    emulator.boot(arch="armv5", kernel="builtin",
+                  options=["-initrd", img])
+    emulator.login()
 
 
 class TestNoTimezone(infra.basetest.BRTest):
diff --git a/buildroot/support/testing/tests/package/test_docker_compose.py b/buildroot/support/testing/tests/package/test_docker_compose.py
index f12e2a6a3..67ee795f2 100644
--- a/buildroot/support/testing/tests/package/test_docker_compose.py
+++ b/buildroot/support/testing/tests/package/test_docker_compose.py
@@ -20,7 +20,6 @@ class TestDockerCompose(infra.basetest.BRTest):
         BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
         BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="{}"
         BR2_PACKAGE_CA_CERTIFICATES=y
-        BR2_PACKAGE_CGROUPFS_MOUNT=y
         BR2_PACKAGE_DOCKER_CLI=y
         BR2_PACKAGE_DOCKER_COMPOSE=y
         BR2_PACKAGE_DOCKER_ENGINE=y
diff --git a/buildroot/utils/check-package b/buildroot/utils/check-package
index 52317e02f..dd18d19c2 100755
--- a/buildroot/utils/check-package
+++ b/buildroot/utils/check-package
@@ -46,24 +46,24 @@ def parse_args():
     return parser.parse_args()
 
 
-CONFIG_IN_FILENAME = re.compile("Config\.\S*$")
-DO_CHECK_INTREE = re.compile("|".join([
-    "Config.in",
-    "arch/",
-    "boot/",
-    "fs/",
-    "linux/",
-    "package/",
-    "system/",
-    "toolchain/",
+CONFIG_IN_FILENAME = re.compile(r"Config\.\S*$")
+DO_CHECK_INTREE = re.compile(r"|".join([
+    r"Config.in",
+    r"arch/",
+    r"boot/",
+    r"fs/",
+    r"linux/",
+    r"package/",
+    r"system/",
+    r"toolchain/",
     ]))
-DO_NOT_CHECK_INTREE = re.compile("|".join([
-    "boot/barebox/barebox\.mk$",
-    "fs/common\.mk$",
-    "package/doc-asciidoc\.mk$",
-    "package/pkg-\S*\.mk$",
-    "toolchain/helpers\.mk$",
-    "toolchain/toolchain-external/pkg-toolchain-external\.mk$",
+DO_NOT_CHECK_INTREE = re.compile(r"|".join([
+    r"boot/barebox/barebox\.mk$",
+    r"fs/common\.mk$",
+    r"package/doc-asciidoc\.mk$",
+    r"package/pkg-\S*\.mk$",
+    r"toolchain/helpers\.mk$",
+    r"toolchain/toolchain-external/pkg-toolchain-external\.mk$",
     ]))
 
 
diff --git a/buildroot/utils/checkpackagelib/lib_config.py b/buildroot/utils/checkpackagelib/lib_config.py
index 55c8589d7..c348eec39 100644
--- a/buildroot/utils/checkpackagelib/lib_config.py
+++ b/buildroot/utils/checkpackagelib/lib_config.py
@@ -152,8 +152,8 @@ class CommentsMenusPackagesOrder(_CheckFunction):
 
 
 class HelpText(_CheckFunction):
-    HELP_TEXT_FORMAT = re.compile("^\t  .{,62}$")
-    URL_ONLY = re.compile("^(http|https|git)://\S*$")
+    HELP_TEXT_FORMAT = re.compile(r"^\t  .{,62}$")
+    URL_ONLY = re.compile(r"^(http|https|git)://\S*$")
 
     def before(self):
         self.help_text = False
diff --git a/buildroot/utils/checkpackagelib/lib_mk.py b/buildroot/utils/checkpackagelib/lib_mk.py
index a0caf8463..45e37e459 100644
--- a/buildroot/utils/checkpackagelib/lib_mk.py
+++ b/buildroot/utils/checkpackagelib/lib_mk.py
@@ -20,12 +20,12 @@ end_conditional = ["endif"]
 
 
 class Indent(_CheckFunction):
-    COMMENT = re.compile("^\s*#")
-    CONDITIONAL = re.compile("^\s*({})\s".format("|".join(start_conditional + end_conditional)))
+    COMMENT = re.compile(r"^\s*#")
+    CONDITIONAL = re.compile(r"^\s*({})\s".format("|".join(start_conditional + end_conditional)))
     ENDS_WITH_BACKSLASH = re.compile(r"^[^#].*\\$")
-    END_DEFINE = re.compile("^\s*endef\s")
-    MAKEFILE_TARGET = re.compile("^[^# \t]+:\s")
-    START_DEFINE = re.compile("^\s*define\s")
+    END_DEFINE = re.compile(r"^\s*endef\s")
+    MAKEFILE_TARGET = re.compile(r"^[^# \t]+:\s")
+    START_DEFINE = re.compile(r"^\s*define\s")
 
     def before(self):
         self.define = False
@@ -76,17 +76,17 @@ class Indent(_CheckFunction):
 
 
 class OverriddenVariable(_CheckFunction):
-    CONCATENATING = re.compile("^([A-Z0-9_]+)\s*(\+|:|)=\s*\$\(\\1\)")
-    END_CONDITIONAL = re.compile("^\s*({})".format("|".join(end_conditional)))
+    CONCATENATING = re.compile(r"^([A-Z0-9_]+)\s*(\+|:|)=\s*\$\(\\1\)")
+    END_CONDITIONAL = re.compile(r"^\s*({})".format("|".join(end_conditional)))
     OVERRIDING_ASSIGNMENTS = [':=', "="]
-    START_CONDITIONAL = re.compile("^\s*({})".format("|".join(start_conditional)))
-    VARIABLE = re.compile("^([A-Z0-9_]+)\s*((\+|:|)=)")
-    USUALLY_OVERRIDDEN = re.compile("^[A-Z0-9_]+({})".format("|".join([
-        "_ARCH\s*=\s*",
-        "_CPU\s*=\s*",
-        "_SITE\s*=\s*",
-        "_SOURCE\s*=\s*",
-        "_VERSION\s*=\s*"])))
+    START_CONDITIONAL = re.compile(r"^\s*({})".format("|".join(start_conditional)))
+    VARIABLE = re.compile(r"^([A-Z0-9_]+)\s*((\+|:|)=)")
+    USUALLY_OVERRIDDEN = re.compile(r"^[A-Z0-9_]+({})".format("|".join([
+        r"_ARCH\s*=\s*",
+        r"_CPU\s*=\s*",
+        r"_SITE\s*=\s*",
+        r"_SOURCE\s*=\s*",
+        r"_VERSION\s*=\s*"])))
 
     def before(self):
         self.conditional = 0
@@ -174,7 +174,7 @@ class RemoveDefaultPackageSourceVariable(_CheckFunction):
         package_upper = package.replace("-", "_").upper()
         self.package = package
         self.FIND_SOURCE = re.compile(
-            "^{}_SOURCE\s*=\s*{}-\$\({}_VERSION\)\.tar\.gz"
+            r"^{}_SOURCE\s*=\s*{}-\$\({}_VERSION\)\.tar\.gz"
             .format(package_upper, package, package_upper))
 
     def check_line(self, lineno, text):
@@ -222,7 +222,7 @@ class TrailingBackslash(_CheckFunction):
 
 
 class TypoInPackageVariable(_CheckFunction):
-    ALLOWED = re.compile("|".join([
+    ALLOWED = re.compile(r"|".join([
         "ACLOCAL_DIR",
         "ACLOCAL_HOST_DIR",
         "ACLOCAL_PATH",
@@ -241,7 +241,7 @@ class TypoInPackageVariable(_CheckFunction):
         "TARGET_FINALIZE_HOOKS",
         "TARGETS_ROOTFS",
         "XTENSA_CORE_NAME"]))
-    VARIABLE = re.compile("^([A-Z0-9_]+_[A-Z0-9_]+)\s*(\+|)=")
+    VARIABLE = re.compile(r"^([A-Z0-9_]+_[A-Z0-9_]+)\s*(\+|)=")
 
     def before(self):
         package, _ = os.path.splitext(os.path.basename(self.filename))
@@ -251,9 +251,9 @@ class TypoInPackageVariable(_CheckFunction):
         # linux extensions do not use LINUX_EXT_ prefix for variables
         package = package.replace("LINUX_EXT_", "")
         self.package = package
-        self.REGEX = re.compile("^(HOST_|ROOTFS_)?({}_[A-Z0-9_]+)".format(package))
+        self.REGEX = re.compile(r"^(HOST_|ROOTFS_)?({}_[A-Z0-9_]+)".format(package))
         self.FIND_VIRTUAL = re.compile(
-            "^{}_PROVIDES\s*(\+|)=\s*(.*)".format(package))
+            r"^{}_PROVIDES\s*(\+|)=\s*(.*)".format(package))
         self.virtual = []
 
     def check_line(self, lineno, text):
@@ -281,16 +281,16 @@ class TypoInPackageVariable(_CheckFunction):
 
 
 class UselessFlag(_CheckFunction):
-    DEFAULT_AUTOTOOLS_FLAG = re.compile("^.*{}".format("|".join([
-        "_AUTORECONF\s*=\s*NO",
-        "_LIBTOOL_PATCH\s*=\s*YES"])))
-    DEFAULT_GENERIC_FLAG = re.compile("^.*{}".format("|".join([
-        "_INSTALL_IMAGES\s*=\s*NO",
-        "_INSTALL_REDISTRIBUTE\s*=\s*YES",
-        "_INSTALL_STAGING\s*=\s*NO",
-        "_INSTALL_TARGET\s*=\s*YES"])))
-    END_CONDITIONAL = re.compile("^\s*({})".format("|".join(end_conditional)))
-    START_CONDITIONAL = re.compile("^\s*({})".format("|".join(start_conditional)))
+    DEFAULT_AUTOTOOLS_FLAG = re.compile(r"^.*{}".format("|".join([
+        r"_AUTORECONF\s*=\s*NO",
+        r"_LIBTOOL_PATCH\s*=\s*YES"])))
+    DEFAULT_GENERIC_FLAG = re.compile(r"^.*{}".format("|".join([
+        r"_INSTALL_IMAGES\s*=\s*NO",
+        r"_INSTALL_REDISTRIBUTE\s*=\s*YES",
+        r"_INSTALL_STAGING\s*=\s*NO",
+        r"_INSTALL_TARGET\s*=\s*YES"])))
+    END_CONDITIONAL = re.compile(r"^\s*({})".format("|".join(end_conditional)))
+    START_CONDITIONAL = re.compile(r"^\s*({})".format("|".join(start_conditional)))
 
     def before(self):
         self.conditional = 0
diff --git a/buildroot/utils/checkpackagelib/lib_patch.py b/buildroot/utils/checkpackagelib/lib_patch.py
index 438353ad3..e4e914b7f 100644
--- a/buildroot/utils/checkpackagelib/lib_patch.py
+++ b/buildroot/utils/checkpackagelib/lib_patch.py
@@ -11,7 +11,7 @@ from checkpackagelib.lib import NewlineAtEof           # noqa: F401
 
 
 class ApplyOrder(_CheckFunction):
-    APPLY_ORDER = re.compile("\d{1,4}-[^/]*$")
+    APPLY_ORDER = re.compile(r"\d{1,4}-[^/]*$")
 
     def before(self):
         if not self.APPLY_ORDER.match(os.path.basename(self.filename)):
@@ -21,7 +21,7 @@ class ApplyOrder(_CheckFunction):
 
 
 class NumberedSubject(_CheckFunction):
-    NUMBERED_PATCH = re.compile("Subject:\s*\[PATCH\s*\d+/\d+\]")
+    NUMBERED_PATCH = re.compile(r"Subject:\s*\[PATCH\s*\d+/\d+\]")
 
     def before(self):
         self.git_patch = False
@@ -44,7 +44,7 @@ class NumberedSubject(_CheckFunction):
 
 
 class Sob(_CheckFunction):
-    SOB_ENTRY = re.compile("^Signed-off-by: .*$")
+    SOB_ENTRY = re.compile(r"^Signed-off-by: .*$")
 
     def before(self):
         self.found = False
diff --git a/buildroot/utils/getdeveloperlib.py b/buildroot/utils/getdeveloperlib.py
index 239ffa340..dc0cc07cc 100644
--- a/buildroot/utils/getdeveloperlib.py
+++ b/buildroot/utils/getdeveloperlib.py
@@ -10,7 +10,7 @@ import unittest
 # Patch parsing functions
 #
 
-FIND_INFRA_IN_PATCH = re.compile("^\+\$\(eval \$\((host-)?([^-]*)-package\)\)$")
+FIND_INFRA_IN_PATCH = re.compile(r"^\+\$\(eval \$\((host-)?([^-]*)-package\)\)$")
 
 
 def analyze_patch(patch):
@@ -33,7 +33,7 @@ def analyze_patch(patch):
     return (files, infras)
 
 
-FIND_INFRA_IN_MK = re.compile("^\$\(eval \$\((host-)?([^-]*)-package\)\)$")
+FIND_INFRA_IN_MK = re.compile(r"^\$\(eval \$\((host-)?([^-]*)-package\)\)$")
 
 
 def fname_get_package_infra(fname):
@@ -178,7 +178,7 @@ def parse_arches_from_config_in(fname):
                 parsing_arches = True
                 continue
             if parsing_arches:
-                m = re.match("^\s*default \"([^\"]*)\".*", line)
+                m = re.match(r"^\s*default \"([^\"]*)\".*", line)
                 if m:
                     arches.add(m.group(1))
                 else:
@@ -192,7 +192,7 @@ def parse_developer_architectures(fnames):
     developer is working on."""
     arches = set()
     for fname in fnames:
-        if not re.match("^.*/arch/Config\.in\..*$", fname):
+        if not re.match(r"^.*/arch/Config\.in\..*$", fname):
             continue
         arches = arches | parse_arches_from_config_in(fname)
     return arches
@@ -201,7 +201,7 @@ def parse_developer_architectures(fnames):
 def parse_developer_infras(fnames):
     infras = set()
     for fname in fnames:
-        m = re.match("^package/pkg-([^.]*).mk$", fname)
+        m = re.match(r"^package/pkg-([^.]*).mk$", fname)
         if m:
             infras.add(m.group(1))
     return infras
diff --git a/buildroot/utils/scanpypi b/buildroot/utils/scanpypi
index 387755bbb..dfbf8131c 100755
--- a/buildroot/utils/scanpypi
+++ b/buildroot/utils/scanpypi
@@ -96,10 +96,10 @@ def pkg_buildroot_name(pkg_name):
     Keyword arguments:
     pkg_name -- String to rename
     """
-    name = re.sub('[^\w-]', '', pkg_name.lower())
+    name = re.sub(r'[^\w-]', '', pkg_name.lower())
     name = name.replace('_', '-')
     prefix = 'python-'
-    pattern = re.compile('^(?!' + prefix + ')(.+?)$')
+    pattern = re.compile(r'^(?!' + prefix + ')(.+?)$')
     name = pattern.sub(r'python-\1', name)
     return name
 
@@ -337,7 +337,7 @@ class BuildrootPackage():
             self.pkg_req = None
             return set()
         self.pkg_req = self.setup_metadata['install_requires']
-        self.pkg_req = [re.sub('([-.\w]+).*', r'\1', req)
+        self.pkg_req = [re.sub(r'([-.\w]+).*', r'\1', req)
                         for req in self.pkg_req]
 
         # get rid of commented lines and also strip the package strings
@@ -451,7 +451,7 @@ class BuildrootPackage():
                 "Mozilla Public License 2.0": "MPL-2.0",
                 "Zope Public License": "ZPL"
                 }
-            regexp = re.compile('^License :* *.* *:+ (.*)( \(.*\))?$')
+            regexp = re.compile(r'^License :* *.* *:+ (.*)( \(.*\))?$')
             classifiers_licenses = [regexp.sub(r"\1", lic)
                                     for lic in self.metadata['info']['classifiers']
                                     if regexp.match(lic)]