Merge pull request #2388 from flatcar/buildbot/weekly-portage-stable-package-updates-2024-10-21

Weekly portage-stable package updates 2024-10-21

Author: krnowak

.github/workflows/portage-stable-packages-list

@@ -624,7 +624,7 @@ sys-devel/gnuconfig
 sys-devel/m4
 sys-devel/patch
 
-sys-firmware/edk2-ovmf-bin
+sys-firmware/edk2-bin
 sys-firmware/intel-microcode
 sys-firmware/ipxe
 sys-firmware/seabios-bin

changelog/security/2024-10-28-weekly-updates.md

@@ -0,0 +1,3 @@
+- containers-common ([CVE-2024-9341](https://nvd.nist.gov/vuln/detail/CVE-2024-9341))
+- containers-image ([CVE-2024-3727](https://nvd.nist.gov/vuln/detail/CVE-2024-3727))
+- podman ([CVE-2024-9407](https://nvd.nist.gov/vuln/detail/CVE-2024-9407))

changelog/updates/2024-10-28-weekly-updates.md

@@ -0,0 +1,30 @@
+- SDK: catalyst ([4.0.0](https://gitweb.gentoo.org/proj/catalyst.git/log/?h=4.0.0))
+- SDK: crossdev ([20240921](https://gitweb.gentoo.org/proj/crossdev.git/log/?h=20240921))
+- SDK: edk2-bin ([202408](https://github.com/tianocore/edk2/releases/tag/edk2-stable202408) (includes [202405](https://github.com/tianocore/edk2/releases/tag/edk2-stable202405), [202402](https://github.com/tianocore/edk2/releases/tag/edk2-stable202402), [202311](https://github.com/tianocore/edk2/releases/tag/edk2-stable202311), [202308](https://github.com/tianocore/edk2/releases/tag/edk2-stable202308), [202305](https://github.com/tianocore/edk2/releases/tag/edk2-stable202305), [202302](https://github.com/tianocore/edk2/releases/tag/edk2-stable202302), [202211](https://github.com/tianocore/edk2/releases/tag/edk2-stable202211), [202208](https://github.com/tianocore/edk2/releases/tag/edk2-stable202208), [202205](https://github.com/tianocore/edk2/releases/tag/edk2-stable202205)))
+- SDK: meson ([1.5.2](https://github.com/mesonbuild/meson/commits/1.5.2/))
+- SDK: rust ([1.81.0](https://blog.rust-lang.org/2024/09/05/Rust-1.81.0.html))
+- base, dev: ldb ([2.8.1](https://gitlab.com/samba-team/samba/-/commit/6ca4df6374136d1d205de689618dc8fce5177d14) (includes [2.8.0](https://gitlab.com/samba-team/samba/-/commit/94f11c3c21bc3b8a34d376ab99becd2c6260af62)))
+- base, dev: libgcrypt ([1.11.0](https://dev.gnupg.org/T7165))
+- base, dev: samba ([4.19.7](https://gitlab.com/samba-team/samba/-/blob/bce5c475d12fb75619bc85d176bfd40420b4fce8/WHATSNEW.txt))
+- base, dev: selinux-base ([2.20240916](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20240916))
+- base, dev: selinux-base-policy ([2.20240916](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20240916))
+- base, dev: selinux-container ([2.20240916](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20240916))
+- base, dev: selinux-dbus ([2.20240916](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20240916))
+- base, dev: selinux-policykit ([2.20240916](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20240916))
+- base, dev: selinux-sssd ([2.20240916](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20240916))
+- base, dev: selinux-unconfined ([2.20240916](https://github.com/SELinuxProject/refpolicy/releases/tag/RELEASE_2_20240916))
+- base, dev: socat ([1.8.0.0](https://repo.or.cz/socat.git/blob/2da070164d454971d5c970b5278e645051f0d0f7:/CHANGES))
+- base, dev: talloc ([2.4.2](https://gitlab.com/samba-team/samba/-/commit/f28966c1638806a5af1fa4e451b668af638491ce))
+- base, dev: tdb ([1.4.10](https://gitlab.com/samba-team/samba/-/commit/5032ab712c6e9d6562cd10b1d840d2ee052d1d16))
+- base, dev: tevent ([0.16.1](https://gitlab.com/samba-team/samba/-/commit/0ba05d5bbb1788b0b8cee26748bcda0c90c48baa) (includes [0.16.0](https://gitlab.com/samba-team/samba/-/commit/acd9248b13cba06d5b748f17aa9bc5d62079d9cc)))
+- dev: gdb ([15.2](https://lists.gnu.org/archive/html/info-gnu/2024-09/msg00011.html))
+- sysext-podman: aardvark-dns ([1.12.2](https://github.com/containers/aardvark-dns/releases/tag/v1.12.2) (includes [1.12.1](https://github.com/containers/aardvark-dns/releases/tag/v1.12.1), [1.12.0](https://github.com/containers/aardvark-dns/releases/tag/v1.12.0)))
+- sysext-podman: containers-common ([0.60.4](https://github.com/containers/common/releases/tag/v0.60.4) (includes [0.60.3](https://github.com/containers/common/releases/tag/v0.60.3), [0.60.2](https://github.com/containers/common/releases/tag/v0.60.2), [0.60.1](https://github.com/containers/common/releases/tag/v0.60.1), [0.60.0](https://github.com/containers/common/releases/tag/v0.60.0), [0.59.2](https://github.com/containers/common/releases/tag/v0.59.2)))
+- sysext-podman: containers-image ([5.32.2](https://github.com/containers/image/releases/tag/v5.32.2) (includes [5.32.1](https://github.com/containers/image/releases/tag/v5.32.1), [5.32.0](https://github.com/containers/image/releases/tag/v5.32.0), [5.31.0](https://github.com/containers/image/releases/tag/v5.31.0), [5.30.2](https://github.com/containers/image/releases/tag/v5.30.2), [5.30.1](https://github.com/containers/image/releases/tag/v5.30.1)))
+- sysext-podman: containers-storage ([1.55.0](https://github.com/containers/storage/releases/tag/v1.55.0) (includes [1.54.0](https://github.com/containers/storage/releases/tag/v1.54.0)))
+- sysext-podman: crun ([1.17](https://github.com/containers/crun/releases/tag/1.17) (includes [1.16.1](https://github.com/containers/crun/releases/tag/1.16.1), [1.16](https://github.com/containers/crun/releases/tag/1.16), [1.15](https://github.com/containers/crun/releases/tag/1.15), [1.14.4](https://github.com/containers/crun/releases/tag/1.14.4)))
+- sysext-podman: fuse-overlayfs ([1.14](https://github.com/containers/fuse-overlayfs/releases/tag/v1.14))
+- sysext-podman: netavark ([1.12.2](https://github.com/containers/netavark/releases/tag/v1.12.2) (includes [1.12.1](https://github.com/containers/netavark/releases/tag/v1.12.1), [1.12.0](https://github.com/containers/netavark/releases/tag/v1.12.0), [1.11.0](https://github.com/containers/netavark/releases/tag/v1.11.0)))
+- sysext-podman: passt ([2024.09.06](https://archives.passt.top/passt-user/20240906171530.763b3179@elisabeth/T/#u))
+- sysext-podman: podman ([5.2.4](https://github.com/containers/podman/releases/tag/v5.2.4) (includes [5.2.3](https://github.com/containers/podman/releases/tag/v5.2.3), [5.2.2](https://github.com/containers/podman/releases/tag/v5.2.2), [5.2.1](https://github.com/containers/podman/releases/tag/v5.2.1), [5.2.0](https://github.com/containers/podman/releases/tag/v5.2.0), [5.1.2](https://github.com/containers/podman/releases/tag/v5.1.2), [5.1.1](https://github.com/containers/podman/releases/tag/v5.1.1), [5.1.0](https://github.com/containers/podman/releases/tag/v5.1.0)))
+- sysext-python: setuptools ([74.1.3](https://github.com/pypa/setuptools/blob/v74.1.3/NEWS.rst))

sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1-r50.ebuild renamed to sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1-r51.ebuild

@@ -43,7 +43,7 @@ DEPEND="
 	sys-apps/seismograph
 	sys-boot/grub
 	amd64? ( sys-boot/shim )
-	sys-firmware/edk2-ovmf-bin
+	sys-firmware/edk2-bin
 	sys-fs/btrfs-progs
 	sys-fs/cryptsetup
 	dev-perl/Parse-Yapp

sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild

@@ -1,4 +1,4 @@
-From 07cf1b05c8b3b9460b4afc2998a9f170881faa16 Mon Sep 17 00:00:00 2001
+From b4725fecc9298279266ecfd842536b1b1c03cdb0 Mon Sep 17 00:00:00 2001
 From: Krzesimir Nowak <[email protected]>
 Date: Mon, 4 Dec 2023 12:17:25 +0100
 Subject: [PATCH] Flatcar modifications
@@ -8,16 +8,16 @@ Subject: [PATCH] Flatcar modifications
  policy/modules/kernel/corenetwork.if.in |  26 ++++
  policy/modules/kernel/corenetwork.te.in |  12 +-
  policy/modules/kernel/files.if          |  45 +++++++
- policy/modules/kernel/kernel.te         |  84 ++++++++++++
+ policy/modules/kernel/kernel.te         | 125 +++++++++++++++++
  policy/modules/services/container.fc    |   6 +
  policy/modules/services/container.te    | 170 +++++++++++++++++++++++-
  policy/modules/system/init.te           |   8 ++
  policy/modules/system/locallogin.te     |   9 +-
  policy/modules/system/logging.te        |   9 ++
- 10 files changed, 386 insertions(+), 3 deletions(-)
+ 10 files changed, 427 insertions(+), 3 deletions(-)
 
 diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
-index 3c43a1d84..429c67220 100644
+index 63d2f9cb8..62dff5f94 100644
 --- a/refpolicy/policy/modules/admin/netutils.te
 +++ b/refpolicy/policy/modules/admin/netutils.te
 @@ -128,6 +128,16 @@ corenet_raw_sendrecv_generic_if(ping_t)
@@ -37,7 +37,7 @@ index 3c43a1d84..429c67220 100644
 
  dev_read_urand(ping_t)
 
-@@ -212,6 +222,16 @@ corenet_udp_bind_traceroute_port(traceroute_t)
+@@ -213,6 +223,16 @@ corenet_udp_bind_traceroute_port(traceroute_t)
  corenet_tcp_connect_all_ports(traceroute_t)
  corenet_sendrecv_all_client_packets(traceroute_t)
  corenet_sendrecv_traceroute_server_packets(traceroute_t)
@@ -55,7 +55,7 @@ index 3c43a1d84..429c67220 100644
  dev_read_rand(traceroute_t)
  dev_read_urand(traceroute_t)
 diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
-index d1038d742..a675c8e28 100644
+index bc1535469..d057c4031 100644
 --- a/refpolicy/policy/modules/kernel/corenetwork.if.in
 +++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
 @@ -877,6 +877,32 @@ interface(`corenet_sctp_bind_generic_node',`
@@ -92,7 +92,7 @@ index d1038d742..a675c8e28 100644
  ## <summary>
  ##	Bind TCP sockets to generic nodes.
 diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
-index 53bf7849c..9edac05e8 100644
+index b1649ec3a..ca612de44 100644
 --- a/refpolicy/policy/modules/kernel/corenetwork.te.in
 +++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
 @@ -381,7 +381,17 @@ allow corenet_unconfined_type port_type:sctp_socket { name_connect };
@@ -115,10 +115,10 @@ index 53bf7849c..9edac05e8 100644
  # Infiniband
  corenet_ib_access_all_pkeys(corenet_unconfined_type)
 diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
-index b9c451321..104dc1e3e 100644
+index 778e82713..d1bd353e0 100644
 --- a/refpolicy/policy/modules/kernel/files.if
 +++ b/refpolicy/policy/modules/kernel/files.if
-@@ -8023,3 +8023,48 @@ interface(`files_relabel_all_pidfiles',`
+@@ -8065,3 +8065,48 @@ interface(`files_relabel_all_pidfiles',`
  	relabel_files_pattern($1, pidfile, pidfile)
  	relabel_lnk_files_pattern($1, pidfile, pidfile)
  ')
@@ -168,10 +168,10 @@ index b9c451321..104dc1e3e 100644
 +	relabelfrom_chr_files_pattern($1, { file_type -policy_config_t $2 }, { file_type -policy_config_t $2 })
 +')
 diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
-index a3dbeeeda..69d6bc9f0 100644
+index b791ebc71..c80159473 100644
 --- a/refpolicy/policy/modules/kernel/kernel.te
 +++ b/refpolicy/policy/modules/kernel/kernel.te
-@@ -376,6 +376,90 @@ files_mounton_default(kernel_t)
+@@ -377,6 +377,131 @@ files_mounton_default(kernel_t)
 
  mcs_process_set_categories(kernel_t)
 
@@ -258,6 +258,47 @@ index a3dbeeeda..69d6bc9f0 100644
 +optional_policy(`
 +	mount_watch_reads_runtime_files(kernel_t)
 +')
++
++#
++# FLATCAR:
++#
++# This one happens in cl.update.docker-btrfs-compat, cl.update.oem and cl.update.payload.
++#
++# avc:  denied  { perfmon } for  pid=[0-9]* comm="systemd" capability=38  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
++# avc:  denied  { perfmon } for  pid=[0-9]* comm="systemd" capability=38  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0
++# avc:  denied  { perfmon } for  pid=[0-9]* comm="runc" capability=38  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0
++#
++allow kernel_t self:capability2 { perfmon };
++
++#
++# FLATCAR:
++#
++# This one happens in sysext.zfs.reboot. The kernel module is a part
++# of sysext, and it probably is labeled wrong.
++#
++# avc:  denied  { module_load } for  pid=[0-9]* comm="modprobe" path="/usr/lib/modules/6.6.56-flatcar/extra/spl.ko" dev="overlay" ino=[0-9]* scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=system permissive=1
++#
++allow kernel_t unlabeled_t:system { module_load };
++
++#
++# FLATCAR:
++#
++# This one happens in cl.update.docker-btrfs-compat, cl.update.oem and cl.update.payload.
++#
++# avc:  denied  { confidentiality } for  pid=[0-9]* comm="systemd-udevd" lockdown_reason="use of tracefs" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=lockdown permissive=1
++#
++allow kernel_t self:lockdown { confidentiality };
++
++#
++# FLATCAR:
++#
++# This one happens in cl.update.docker-btrfs-compat, cl.update.oem and cl.update.payload.
++#
++# avc:  denied  { bpf } for  pid=[0-9]* comm="systemd" capability=39  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=1
++# avc:  denied  { bpf } for  pid=[0-9]* comm="systemd" capability=39  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0
++# avc:  denied  { bpf } for  pid=[0-9]* comm="runc" capability=39  scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=capability2 permissive=0
++#
++allow kernel_t self:capability2 { bpf };
 +
  mls_process_read_all_levels(kernel_t)
  mls_process_write_all_levels(kernel_t)
@@ -280,7 +321,7 @@ index f98e68ba0..045b1b5b2 100644
  /run/containers(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)
  /run/crun(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)
 diff --git a/refpolicy/policy/modules/services/container.te b/refpolicy/policy/modules/services/container.te
-index 095308a13..7cd6e45e4 100644
+index 8fcd88e1e..ab16ff8b7 100644
 --- a/refpolicy/policy/modules/services/container.te
 +++ b/refpolicy/policy/modules/services/container.te
 @@ -58,6 +58,52 @@ gen_tunable(container_use_dri, false)
@@ -345,7 +386,7 @@ index 095308a13..7cd6e45e4 100644
 
  ## <desc>
  ##	<p>
-@@ -1192,3 +1238,125 @@ optional_policy(`
+@@ -1247,3 +1293,125 @@ optional_policy(`
         unconfined_domain_noaudit(spc_user_t)
         domain_ptrace_all_domains(spc_user_t)
  ')
@@ -472,10 +513,10 @@ index 095308a13..7cd6e45e4 100644
 +#
 +allow container_t tmp_t:file { read };
 diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
-index 03d0de8ed..16b75d04d 100644
+index 796426508..e1761f8fd 100644
 --- a/refpolicy/policy/modules/system/init.te
 +++ b/refpolicy/policy/modules/system/init.te
-@@ -1678,3 +1678,11 @@ optional_policy(`
+@@ -1686,3 +1686,11 @@ optional_policy(`
  	userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
  	userdom_dontaudit_write_user_tmp_files(systemprocess)
  ')
@@ -488,12 +529,12 @@ index 03d0de8ed..16b75d04d 100644
 +require { type unconfined_t; }
 +allow init_t unconfined_t:file exec_file_perms;
 diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
-index 4dc9981bc..ee68ba624 100644
+index 9534db006..e60eb7b59 100644
 --- a/refpolicy/policy/modules/system/locallogin.te
 +++ b/refpolicy/policy/modules/system/locallogin.te
 @@ -34,7 +34,14 @@ role system_r types sulogin_t;
 
- allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+ allow local_login_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
  dontaudit local_login_t self:capability net_admin;
 -allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
 +#
@@ -508,7 +549,7 @@ index 4dc9981bc..ee68ba624 100644
  allow local_login_t self:fifo_file rw_fifo_file_perms;
  allow local_login_t self:sock_file read_sock_file_perms;
 diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
-index a7b6173d8..343ef1abc 100644
+index ed01f0e4a..9504b6e72 100644
 --- a/refpolicy/policy/modules/system/logging.te
 +++ b/refpolicy/policy/modules/system/logging.te
 @@ -507,6 +507,15 @@ userdom_dontaudit_search_user_home_dirs(syslogd_t)

sdk_container/src/third_party/coreos-overlay/coreos/user-patches/sec-policy/flatcar-selinux-patches/0001-Flatcar-modifications.patch

@@ -1 +1 @@
-DIST samba-4.18.9.tar.gz 41332779 BLAKE2B 8a0769c73d42b941b6f69d62243dd2b93d66748231465b853320cf1bf4b3dd8a912ac7bddfaa9c8b1941788951c2ccd630dabb23cf94965bc1d1e4cb5d74d123 SHA512 93a6c878bca583f59208df2a7865bbd453f7a65dc2f39a863797ef807bdeced4d632c5edd4579e341f8cf3b0b2fbe41e68a815a1510518bdd43e9a25a973c94c
+DIST samba-4.19.7.tar.gz 41851647 BLAKE2B 9bd58363d4cd30f900b286be7c7e172ed0308c4527308d15309a5f3881ba9b1d4c3dd2a37f19d63fdf80a36bd89c9b6001ab2a5aefb724f10721e3a0dc09fa94 SHA512 a837a6255be6268a48c9f41ccad5db040c69b596936a37b011a4c8e3ec68f27ebd1947b86d26b544a7b546ed426dadc450353dff9553698ca4e6e0a3af162ad3

sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest

@@ -16,8 +16,9 @@
 		<flag name="cluster">Enable support for clustering</flag>
 		<flag name="glusterfs">Enable support for Glusterfs filesystem via <pkg>sys-cluster/glusterfs</pkg></flag>
 		<flag name="gpg">Use <pkg>app-crypt/gpgme</pkg> for AD DC</flag>
-		<flag name="json">Enable json audit support through <pkg>dev-libs/jansson</pkg></flag>
 		<flag name="iprint">Enabling iPrint technology by Novell</flag>
+		<flag name="json">Enable json audit support through <pkg>dev-libs/jansson</pkg></flag>
+		<flag name="lmdb">Enable LMDB backend for bundled ldb</flag>
 		<flag name="profiling-data">Enables support for collecting profiling data</flag>
 		<flag name="quota">Enables support for user quotas</flag>
 		<flag name="regedit">Enable support for regedit command-line tool</flag>

sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml

@@ -3,7 +3,7 @@
 
 EAPI=8
 
-PYTHON_COMPAT=( python3_{10..11} )
+PYTHON_COMPAT=( python3_{10..12} )
 PYTHON_REQ_USE="threads(+),xml(+)"
 TMPFILES_OPTIONAL=1
 inherit python-single-r1 flag-o-matic waf-utils multilib-minimal linux-info systemd pam tmpfiles
@@ -17,13 +17,13 @@ if [[ ${PV} == *_rc* ]]; then
 	SRC_URI="https://download.samba.org/pub/samba/rc/${MY_P}.tar.gz"
 else
 	SRC_URI="https://download.samba.org/pub/samba/stable/${MY_P}.tar.gz"
-	KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ppc ppc64 ~riscv sparc x86"
+	KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ppc ppc64 ~riscv sparc x86"
 fi
 S="${WORKDIR}/${MY_P}"
 
 LICENSE="GPL-3"
 SLOT="0"
-IUSE="acl addc ads ceph client cluster cpu_flags_x86_aes cups debug fam glusterfs gpg"
+IUSE="acl addc ads ceph client cluster cups debug fam glusterfs gpg"
 IUSE+=" iprint json ldap llvm-libunwind pam profiling-data python quota +regedit selinux"
 IUSE+=" snapper spotlight syslog system-heimdal +system-mitkrb5 systemd test unwind winbind"
 IUSE+=" zeroconf"
@@ -57,9 +57,9 @@ MULTILIB_WRAPPED_HEADERS=(
 	/usr/include/samba-4.0/ctdb_version.h
 )
 
-TALLOC_VERSION="2.4.0"
-TDB_VERSION="1.4.8"
-TEVENT_VERSION="0.14.1"
+TALLOC_VERSION="2.4.1"
+TDB_VERSION="1.4.9"
+TEVENT_VERSION="0.15.0"
 
 # Flatcar: exclude perl, icu, libtasn1, Parse-Yapp from DEPEND
 COMMON_DEPEND="
@@ -70,8 +70,8 @@ COMMON_DEPEND="
 	dev-libs/popt[${MULTILIB_USEDEP}]
 	>=net-libs/gnutls-3.4.7:=[${MULTILIB_USEDEP}]
 	>=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}]
-	>=sys-libs/ldb-2.7.2:=[ldap(+)?,${MULTILIB_USEDEP}]
-	<sys-libs/ldb-2.8.0:=[ldap(+)?,${MULTILIB_USEDEP}]
+	>=sys-libs/ldb-2.8.1:=[ldap(+)?,${MULTILIB_USEDEP}]
+	<sys-libs/ldb-2.9.0:=[ldap(+)?,${MULTILIB_USEDEP}]
 	sys-libs/libcap[${MULTILIB_USEDEP}]
 	sys-libs/liburing:=[${MULTILIB_USEDEP}]
 	sys-libs/ncurses:=
@@ -111,6 +111,7 @@ COMMON_DEPEND="
 	snapper? ( sys-apps/dbus )
 	system-heimdal? ( >=app-crypt/heimdal-1.5[-ssl(-),${MULTILIB_USEDEP}] )
 	system-mitkrb5? ( >=app-crypt/mit-krb5-1.19[${MULTILIB_USEDEP}] )
+	!system-heimdal? ( !system-mitkrb5? ( sys-apps/keyutils[${MULTILIB_USEDEP}] ) )
 	systemd? ( sys-apps/systemd:= )
 	unwind? (
 		llvm-libunwind? ( sys-libs/llvm-libunwind:= )
@@ -269,7 +270,6 @@ multilib_src_configure() {
 		--nopyc
 		--nopyo
 		--without-winexe
-		--accel-aes=$(usex cpu_flags_x86_aes intelaesni none)
 		$(multilib_native_use_with acl acl-support)
 		$(multilib_native_usex addc '' '--without-ad-dc')
 		$(multilib_native_use_with ads)
@@ -377,6 +377,8 @@ multilib_src_install() {
 		dosym nmb.service "$(systemd_get_systemunitdir)/nmbd.service"
 		dosym smb.service "$(systemd_get_systemunitdir)/smbd.service"
 		dosym winbind.service "$(systemd_get_systemunitdir)/winbindd.service"
+
+		use python && python_optimize
 	fi
 
 	if use pam && use winbind ; then