From 98a178f6e3b08d19c87430df5d027d2aa6070d2c Mon Sep 17 00:00:00 2001
From: Hua Liu <58683130+liuh-80@users.noreply.github.com>
Date: Wed, 5 Feb 2025 00:59:14 +0800
Subject: [PATCH 1/5] Update sonic_debian_extension.j2 (#21610)

---
 .../build_templates/sonic_debian_extension.j2 | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2
index a0651c2efb03..97e803093bbb 100644
--- a/files/build_templates/sonic_debian_extension.j2
+++ b/files/build_templates/sonic_debian_extension.j2
@@ -747,6 +747,26 @@ sudo dpkg --root=$FILESYSTEM_ROOT -i {{deb}} || sudo LANG=C DEBIAN_FRONTEND=noni
 {% endfor %}
 {% endif %}
 
+{% if installer_debs.strip() -%}
+{% for deb in installer_debs.strip().split(' ') -%}
+
+# For some SONiC patch packages, Debian offcial version may higher than SONiC version
+# When install SONiC packages, fix broken install by 'apt-get -y install -f' may upgrade some installed SONiC packages to Debian offical version
+# Check and install upgraded SONiC package again, if install failed, need manually check and fix SONiC package version issue
+PACKAGE_NAME=$(dpkg-deb -f {{deb}} Package)
+PACKAGE_VERSION=$(dpkg-deb -f {{deb}} Version)
+INSTALLED_VERSION=$(dpkg-query --showformat='${Version}' --show $PACKAGE_NAME || true)
+if [ "$INSTALLED_VERSION" != "" ] && [ "$INSTALLED_VERSION" != "$PACKAGE_VERSION" ]; then
+    sudo dpkg --root=$FILESYSTEM_ROOT -i {{deb}}
+fi
+
+## SONiC packages may have lower version than Debian offical package, install offical Debian package will break feature
+## Hold installed packages to prevent these packages be upgrade by apt commands in this file
+sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-mark hold $PACKAGE_NAME
+
+{% endfor %}
+{% endif %}
+
 ## Run depmod command for target kernel modules
 sudo LANG=C chroot $FILESYSTEM_ROOT depmod -a {{kversion}}
 
@@ -1133,3 +1153,11 @@ sudo rm -rf $FILESYSTEM_ROOT/tmp/mask_disabled_services.py
 
 
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install python3-dbus
+
+{% if installer_debs.strip() -%}
+{% for deb in installer_debs.strip().split(' ') -%}
+## Unhold installed packages to allow these packages be upgrade after SONiC installed
+PACKAGE_NAME=$(dpkg-deb -f {{deb}} Package)
+sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-mark unhold $PACKAGE_NAME
+{% endfor %}
+{% endif %}

From b413e89f8db46ab48d96486ac4b0a67b4b72a820 Mon Sep 17 00:00:00 2001
From: bingwang-ms <66248323+bingwang-ms@users.noreply.github.com>
Date: Tue, 4 Feb 2025 11:52:26 -0800
Subject: [PATCH 2/5] Revert "Update cisco-8000.ini to 202405.1.1.4 release
 (#21601)" (#21607)

This reverts commit c99c123ef238053065d08f92d66a2b8275d00a98.
---
 platform/checkout/cisco-8000.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/platform/checkout/cisco-8000.ini b/platform/checkout/cisco-8000.ini
index ade0d40998a4..8cbdb2491f16 100644
--- a/platform/checkout/cisco-8000.ini
+++ b/platform/checkout/cisco-8000.ini
@@ -1,3 +1,3 @@
 [module]
 repo=git@github.com:Cisco-8000-sonic/platform-cisco-8000.git
-ref=202405.1.1.4
+ref=202405.1.1.3

From 1985b327c4e9346811cdf8740592aff7274771d6 Mon Sep 17 00:00:00 2001
From: bingwang-ms <66248323+bingwang-ms@users.noreply.github.com>
Date: Tue, 4 Feb 2025 14:33:51 -0800
Subject: [PATCH 3/5] Update submodule sonic-utility to the latest HEAD
 (#21608)

---
 src/sonic-utilities | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/sonic-utilities b/src/sonic-utilities
index 6a959e6842e6..01a9ddeed2c7 160000
--- a/src/sonic-utilities
+++ b/src/sonic-utilities
@@ -1 +1 @@
-Subproject commit 6a959e6842e667fbf4a22a1940ededa3a79bce79
+Subproject commit 01a9ddeed2c7a58f1146c068b2abdb1571a32109

From 250b6d2663558b16be62924f38a17a62cab0dd89 Mon Sep 17 00:00:00 2001
From: mssonicbld <79238446+mssonicbld@users.noreply.github.com>
Date: Wed, 5 Feb 2025 07:45:08 +0800
Subject: [PATCH 4/5] [sonic-py-common] Strip the MAC before returning from
 get_system_mac() (#21602)

<!--
     Please make sure you've read and understood our contributing guidelines:
     https://github.com/Azure/SONiC/blob/gh-pages/CONTRIBUTING.md

     ** Make sure all your commits include a signature generated with `git commit -s` **

     If this is a bug fix, make sure your description includes "fixes #xxxx", or
     "closes #xxxx" or "resolves #xxxx"

     Please provide the following information:
-->

#### Why I did it
There is a corner case where the MAC address includes a trailing "\n" character in the config_db.json file, leading to switch configuration failure.

##### Work item tracking
- Microsoft ADO **(number only)**: 28355624

#### How I did it
To prevent this issue, the final return statement now explicitly strips the MAC in all cases from get_system_mac().

#### How to verify it

<!--
If PR needs to be backported, then the PR must be tested against the base branch and the earliest backport release branch and provide tested image version on these two branches. For example, if the PR is requested for master, 202211 and 202012, then the requester needs to provide test results on master and 202012.
-->
Load the new image to verify the mac does not contain any trailing unnecessary characters in the config_db.json file/

#### Which release branch to backport (provide reason below if selected)

<!--
- Note we only backport fixes to a release branch, *not* features!
- Please also provide a reason for the backporting below.
- e.g.
- [x] 202006
-->

- [ ] 201811
- [ ] 201911
- [ ] 202006
- [ ] 202012
- [ ] 202106
- [ ] 202111
- [ ] 202205
- [ ] 202211
- [ ] 202305
- [x] 202311
- [x] 202405
- [x] 202411

#### Tested branch (Please provide the tested image version)

<!--
- Please provide tested image version
- e.g.
- [x] 20201231.100
-->

- [ ] <!-- image version 1 -->
- [ ] <!-- image version 2 -->

#### Description for the changelog
<!--
Write a short (one line) summary that describes the changes in this
pull request for inclusion in the changelog:
-->

<!--
 Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.
-->

#### Link to config_db schema for YANG module changes
<!--
Provide a link to config_db schema for the table for which YANG model
is defined
Link should point to correct section on https://github.com/Azure/sonic-buildimage/blob/master/src/sonic-yang-models/doc/Configuration.md
-->

#### A picture of a cute animal (not mandatory but encouraged)
---
 src/sonic-py-common/sonic_py_common/device_info.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/sonic-py-common/sonic_py_common/device_info.py b/src/sonic-py-common/sonic_py_common/device_info.py
index a5f982130484..e9b55d7622db 100644
--- a/src/sonic-py-common/sonic_py_common/device_info.py
+++ b/src/sonic-py-common/sonic_py_common/device_info.py
@@ -803,7 +803,7 @@ def get_system_mac(namespace=None, hostname=None):
         mac_tmp = "{:012x}".format(int(mac_tmp, 16) + 1)
         mac_tmp = re.sub("(.{2})", "\\1:", mac_tmp, 0, re.DOTALL)
         mac = mac_tmp[:-1]
-    return mac
+    return mac.strip() if mac else None
 
 
 def get_system_routing_stack():

From 882c527ef508d2219543fdb203c239ba39375e26 Mon Sep 17 00:00:00 2001
From: mssonicbld <79238446+mssonicbld@users.noreply.github.com>
Date: Wed, 5 Feb 2025 07:46:22 +0800
Subject: [PATCH 5/5] Upgrade SymCrypt version to 1.5.2 (#21622)

Upgrade SymCrypt version to 1.5.2

#### Why I did it
SymCrypt release new version:

upstream SymCrypt upgrade to v103.8.0
upstream SymCrypt-Openssl upgrade to1.7.0

##### Work item tracking
- Microsoft ADO: 31063369

#### How I did it
Upgrade SymCrypt and SymCrypt-Openssl to latest version

#### How to verify it
Pass all UT.

<!--
If PR needs to be backported, then the PR must be tested against the base branch and the earliest backport release branch and provide tested image version on these two branches. For example, if the PR is requested for master, 202211 and 202012, then the requester needs to provide test results on master and 202012.
-->

#### Which release branch to backport (provide reason below if selected)

<!--
- Note we only backport fixes to a release branch, *not* features!
- Please also provide a reason for the backporting below.
- e.g.
- [x] 202006
-->

- [ ] 201811
- [ ] 201911
- [ ] 202006
- [ ] 202012
- [ ] 202106
- [ ] 202111
- [ ] 202205
- [ ] 202211
- [ ] 202305

#### Tested branch (Please provide the tested image version)

<!--
- Please provide tested image version
- e.g.
- [x] 20201231.100
-->

- []

#### Description for the changelog
Upgrade SymCrypt version to 1.5.2

#### Link to config_db schema for YANG module changes
<!--
Provide a link to config_db schema for the table for which YANG model
is defined
Link should point to correct section on https://github.com/Azure/sonic-buildimage/blob/master/src/sonic-yang-models/doc/Configuration.md
-->

#### A picture of a cute animal (not mandatory but encouraged)
---
 rules/sonic-fips.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/sonic-fips.mk b/rules/sonic-fips.mk
index 5ab8f1a64063..6adb95c57dc0 100644
--- a/rules/sonic-fips.mk
+++ b/rules/sonic-fips.mk
@@ -1,7 +1,7 @@
 # fips packages
 
 ifeq ($(BLDENV), bookworm)
-FIPS_VERSION = 1.4.3-1
+FIPS_VERSION = 1.5.2
 FIPS_OPENSSL_VERSION = 3.0.11-1~deb12u2+fips
 FIPS_OPENSSH_VERSION = 9.2p1-2+deb12u3+fips
 FIPS_PYTHON_MAIN_VERSION = 3.11