diff --git a/debian/changelog b/debian/changelog
index 906493178cc338d5fb4136895e243baffb3617cd..3c8178420b32a9d22f12220513b1602cd976194a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,34 @@
+systemd (241-7~deb10u6co1) UNRELEASED; urgency=medium
+
+ * PLEASE SUMMARIZE remaining Apertis changes
+
+ -- Apertis CI <devel@lists.apertis.org> Fri, 19 Feb 2021 14:34:31 +0000
+
+systemd (241-7~deb10u6) buster; urgency=medium
+
+ * journal: do not trigger assertion when journal_file_close() get NULL
+ (Closes: #975561)
+ * test-bpf: skip test when run inside containers.
+ The test reliably fails inside LXC and Docker when run on a new enough
+ kernel. It's unclear whether this is a kernel, LXC/Docker or systemd
+ issue and apparently there is no real interest to get this fixed, so
+ let's skip this test.
+ * autopkgtest: mark networkd-test.py as flaky.
+ See https://github.com/systemd/systemd/issues/18357
+ and https://github.com/systemd/systemd/issues/18196
+
+ -- Michael Biebl <biebl@debian.org> Fri, 29 Jan 2021 15:16:06 +0100
+
+systemd (241-7~deb10u5) buster; urgency=medium
+
+ * basic/cap-list: parse/print numerical capabilities (Closes: #964926)
+ * missing: add new Linux capabilities.
+ Linux kernel v5.8 adds two new capabilities. Make sure we can recognize
+ them even when built with an older kernel.
+ * networkd: do not generate MAC for bridge device (Closes: #963488)
+
+ -- Michael Biebl <biebl@debian.org> Sat, 24 Oct 2020 20:44:48 +0200
+
systemd (241-7~deb10u4co5) apertis; urgency=medium
* Force the call of systemd-journal-flush before `/var` unmount.
diff --git a/debian/patches/basic-cap-list-parse-print-numerical-capabilities.patch b/debian/patches/basic-cap-list-parse-print-numerical-capabilities.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3b9eb09a73cab6d8c954ac947ac828bee810ce25
--- /dev/null
+++ b/debian/patches/basic-cap-list-parse-print-numerical-capabilities.patch
@@ -0,0 +1,87 @@
+From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Thu, 9 Jul 2020 23:15:47 +0200
+Subject: basic/cap-list: parse/print numerical capabilities
+
+We would refuse to print capabilities which were didn't have a name
+for. The kernel adds new capabilities from time to time, most recently
+cap_bpf. 'systmectl show -p CapabilityBoundingSet ...' would fail with
+"Failed to parse bus message: Invalid argument" because
+capability_set_to_string_alloc() would fail with -EINVAL. So let's
+print such capabilities in hexadecimal:
+
+CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search
+ cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap
+ cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin
+ cap_net_raw cap_ipc_lock cap_ipc_owner 0x10 0x11 0x12 0x13 0x14 0x15 0x16
+ 0x17 0x18 0x19 0x1a ...
+
+For symmetry, also allow capabilities that we don't know to be specified.
+
+Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1853736.
+
+(cherry picked from commit 417770f3033c426ca848b158d0bf057cd8ad1329)
+---
+ src/basic/cap-list.c | 10 +++++++---
+ src/test/test-cap-list.c | 4 +++-
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/basic/cap-list.c b/src/basic/cap-list.c
+index 29a17d9..b72b037 100644
+--- a/src/basic/cap-list.c
++++ b/src/basic/cap-list.c
+@@ -10,6 +10,7 @@
+ #include "macro.h"
+ #include "missing.h"
+ #include "parse-util.h"
++#include "stdio-util.h"
+ #include "util.h"
+
+ static const struct capability_name* lookup_capability(register const char *str, register GPERF_LEN_TYPE len);
+@@ -37,7 +38,7 @@ int capability_from_name(const char *name) {
+ /* Try to parse numeric capability */
+ r = safe_atoi(name, &i);
+ if (r >= 0) {
+- if (i >= 0 && (size_t) i < ELEMENTSOF(capability_names))
++ if (i >= 0 && i < 64)
+ return i;
+ else
+ return -EINVAL;
+@@ -65,11 +66,14 @@ int capability_set_to_string_alloc(uint64_t set, char **s) {
+ for (i = 0; i < cap_last_cap(); i++)
+ if (set & (UINT64_C(1) << i)) {
+ const char *p;
++ char buf[2 + 16 + 1];
+ size_t add;
+
+ p = capability_to_name(i);
+- if (!p)
+- return -EINVAL;
++ if (!p) {
++ xsprintf(buf, "0x%lx", i);
++ p = buf;
++ }
+
+ add = strlen(p);
+
+diff --git a/src/test/test-cap-list.c b/src/test/test-cap-list.c
+index de5fa72..84bbb7b 100644
+--- a/src/test/test-cap-list.c
++++ b/src/test/test-cap-list.c
+@@ -30,6 +30,8 @@ static void test_cap_list(void) {
+ assert_se(capability_from_name("cAp_aUdIt_rEAd") == CAP_AUDIT_READ);
+ assert_se(capability_from_name("0") == 0);
+ assert_se(capability_from_name("15") == 15);
++ assert_se(capability_from_name("63") == 63);
++ assert_se(capability_from_name("64") == -EINVAL);
+ assert_se(capability_from_name("-1") == -EINVAL);
+
+ for (i = 0; i < capability_list_length(); i++) {
+@@ -64,7 +66,7 @@ static void test_capability_set_one(uint64_t c, const char *t) {
+
+ free(t1);
+ assert_se(t1 = strjoin("'cap_chown cap_dac_override' \"cap_setgid cap_setuid\"", t,
+- " hogehoge foobar 12345 3.14 -3 ", t));
++ " hogehoge foobar 18446744073709551616 3.14 -3 ", t));
+ assert_se(capability_set_from_string(t1, &c1) == 0);
+ assert_se(c1 == c_masked);
+ }
diff --git a/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch b/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch
index 231158c078f9881380583665f10eb6c32064e76f..78c2d011d7929bcbe00876dd4202015d26734126 100644
--- a/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch
+++ b/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch
@@ -30,7 +30,7 @@ index 2791678..3a9e20a 100644
<literal>systemd.journald.forward_to_syslog</literal>,
<literal>systemd.journald.forward_to_kmsg</literal>,
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
-index 2a960eb..7fe0f82 100644
+index ba0b35d..cd45212 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -1835,6 +1835,7 @@ int server_init(Server *s) {
diff --git a/debian/patches/journal-do-not-trigger-assertion-when-journal_file_close-.patch b/debian/patches/journal-do-not-trigger-assertion-when-journal_file_close-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9cb536b773c08be78e14002c23ce74e494b6ce66
--- /dev/null
+++ b/debian/patches/journal-do-not-trigger-assertion-when-journal_file_close-.patch
@@ -0,0 +1,46 @@
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Tue, 28 May 2019 12:40:17 +0900
+Subject: journal: do not trigger assertion when journal_file_close() get NULL
+
+We generally expect destructors to not complain if a NULL argument is passed.
+
+Closes #12400.
+
+(cherry picked from commit c377a6f3ad3d9bed4ce7e873e8e9ec6b1650c57d)
+---
+ src/journal/journal-file.c | 3 ++-
+ src/journal/journald-server.c | 7 ++-----
+ 2 files changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c
+index 56827f9..04cf1ef 100644
+--- a/src/journal/journal-file.c
++++ b/src/journal/journal-file.c
+@@ -335,7 +335,8 @@ bool journal_file_is_offlining(JournalFile *f) {
+ }
+
+ JournalFile* journal_file_close(JournalFile *f) {
+- assert(f);
++ if (!f)
++ return NULL;
+
+ #if HAVE_GCRYPT
+ /* Write the final tag */
+diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
+index 2a960eb..ba0b35d 100644
+--- a/src/journal/journald-server.c
++++ b/src/journal/journald-server.c
+@@ -2037,11 +2037,8 @@ void server_done(Server *s) {
+
+ client_context_flush_all(s);
+
+- if (s->system_journal)
+- (void) journal_file_close(s->system_journal);
+-
+- if (s->runtime_journal)
+- (void) journal_file_close(s->runtime_journal);
++ (void) journal_file_close(s->system_journal);
++ (void) journal_file_close(s->runtime_journal);
+
+ ordered_hashmap_free_with_destructor(s->user_journals, journal_file_close);
+
diff --git a/debian/patches/missing-Add-new-Linux-capabilities.patch b/debian/patches/missing-Add-new-Linux-capabilities.patch
new file mode 100644
index 0000000000000000000000000000000000000000..324e0247ece953ee4e1398151d6dc5677ab1bfa8
--- /dev/null
+++ b/debian/patches/missing-Add-new-Linux-capabilities.patch
@@ -0,0 +1,36 @@
+From: =?utf-8?q?Michal_Koutn=C3=BD?= <mkoutny@suse.com>
+Date: Wed, 24 Jun 2020 12:43:22 +0200
+Subject: missing: Add new Linux capabilities
+
+Linux kernel v5.8 adds two new capabilities. Make sure we can recognize
+them even when built with an older kernel.
+
+(cherry picked from commit e41de5e491942b5391b1efb71c82ffd329b3d23d)
+---
+ src/basic/missing_capability.h | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/basic/missing_capability.h b/src/basic/missing_capability.h
+index 1308a3d..dd6bccd 100644
+--- a/src/basic/missing_capability.h
++++ b/src/basic/missing_capability.h
+@@ -10,3 +10,19 @@
+ #undef CAP_LAST_CAP
+ #define CAP_LAST_CAP CAP_AUDIT_READ
+ #endif
++
++/* 980737282232b752bb14dab96d77665c15889c36 (5.8) */
++#ifndef CAP_PERFMON
++#define CAP_PERFMON 38
++
++#undef CAP_LAST_CAP
++#define CAP_LAST_CAP CAP_PERFMON
++#endif
++
++/* a17b53c4a4b55ec322c132b6670743612229ee9c (5.8) */
++#ifndef CAP_BPF
++#define CAP_BPF 39
++
++#undef CAP_LAST_CAP
++#define CAP_LAST_CAP CAP_BPF
++#endif
diff --git a/debian/patches/networkd-do-not-generate-MAC-for-bridge-device.patch b/debian/patches/networkd-do-not-generate-MAC-for-bridge-device.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b8788fbdc388fef5933e4fbb22d7522befcaaefd
--- /dev/null
+++ b/debian/patches/networkd-do-not-generate-MAC-for-bridge-device.patch
@@ -0,0 +1,24 @@
+From: Susant Sahani <ssahani@gmail.com>
+Date: Tue, 14 May 2019 11:45:23 +0200
+Subject: networkd: do not generate MAC for bridge device.
+
+closes https://github.com/systemd/systemd/issues/12558
+
+(cherry picked from commit deb2cfa4c6885d448eb1f17e5ef1b139106b7e86)
+---
+ src/network/netdev/netdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/netdev/netdev.c b/src/network/netdev/netdev.c
+index ecd6cf4..6ef1631 100644
+--- a/src/network/netdev/netdev.c
++++ b/src/network/netdev/netdev.c
+@@ -720,7 +720,7 @@ int netdev_load_one(Manager *manager, const char *filename) {
+ if (!netdev->filename)
+ return log_oom();
+
+- if (!netdev->mac && netdev->kind != NETDEV_KIND_VLAN) {
++ if (!netdev->mac && !IN_SET(netdev->kind, NETDEV_KIND_VLAN, NETDEV_KIND_BRIDGE)) {
+ r = netdev_get_mac(netdev->ifname, &netdev->mac);
+ if (r < 0)
+ return log_error_errno(r, "Failed to generate predictable MAC address for %s: %m", netdev->ifname);
diff --git a/debian/patches/series b/debian/patches/series
index 0df46ac3e5fb9c58f0bc3ce92c647f22c5ad0df7..ead655095d9d89e50504beaae77000f148ab7ccb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -52,6 +52,12 @@ polkit-use-structured-initialization.patch
sd-bus-introduce-API-for-re-enqueuing-incoming-messages.patch
polkit-when-authorizing-via-PK-let-s-re-resolve-callback-.patch
Fix-typo-in-function-name.patch
+basic-cap-list-parse-print-numerical-capabilities.patch
+missing-Add-new-Linux-capabilities.patch
+networkd-do-not-generate-MAC-for-bridge-device.patch
+journal-do-not-trigger-assertion-when-journal_file_close-.patch
+test-bpf-skip-test-when-run-inside-containers.patch
+tests-skip-test-bpf-only-when-we-re-100-sure-it-s-run-in-.patch
debian/Use-Debian-specific-config-files.patch
debian/Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch
debian/Make-run-lock-tmpfs-an-API-fs.patch
diff --git a/debian/patches/test-bpf-skip-test-when-run-inside-containers.patch b/debian/patches/test-bpf-skip-test-when-run-inside-containers.patch
new file mode 100644
index 0000000000000000000000000000000000000000..874daa2c4c1497b4233844d5cc8fb9c5a89e60e8
--- /dev/null
+++ b/debian/patches/test-bpf-skip-test-when-run-inside-containers.patch
@@ -0,0 +1,41 @@
+From: Michael Biebl <biebl@debian.org>
+Date: Sun, 19 May 2019 20:57:07 +0200
+Subject: test-bpf: skip test when run inside containers
+
+The test reliably fails inside LXC and Docker when run on a new enough
+kernel. It's unclear whether this is a kernel, LXC/Docker or systemd
+issue and apparently there is no real interest to get this fixed, so
+let's skip this test.
+As this also covers Travis CI, there is no need for this additional
+check anymore.
+
+See https://github.com/systemd/systemd/issues/9666
+
+(cherry picked from commit 98a3c188a1511caae422b2c891f3cc016824eb81)
+---
+ src/test/test-bpf.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/test/test-bpf.c b/src/test/test-bpf.c
+index cd8d68f..eb1d8d7 100644
+--- a/src/test/test-bpf.c
++++ b/src/test/test-bpf.c
+@@ -14,6 +14,7 @@
+ #include "test-helper.h"
+ #include "tests.h"
+ #include "unit.h"
++#include "virt.h"
+
+ /* We use the same limit here that PID 1 bumps RLIMIT_MEMLOCK to if it can */
+ #define CAN_MEMLOCK_SIZE (64U*1024U*1024U)
+@@ -56,8 +57,8 @@ int main(int argc, char *argv[]) {
+
+ test_setup_logging(LOG_DEBUG);
+
+- if (is_run_on_travis_ci())
+- return log_tests_skipped("test-bpf fails on Travis CI: https://github.com/systemd/systemd/issues/9666");
++ if (detect_container())
++ return log_tests_skipped("test-bpf fails inside LXC and Docker containers: https://github.com/systemd/systemd/issues/9666");
+
+ assert_se(getrlimit(RLIMIT_MEMLOCK, &rl) >= 0);
+ rl.rlim_cur = rl.rlim_max = MAX3(rl.rlim_cur, rl.rlim_max, CAN_MEMLOCK_SIZE);
diff --git a/debian/patches/tests-skip-test-bpf-only-when-we-re-100-sure-it-s-run-in-.patch b/debian/patches/tests-skip-test-bpf-only-when-we-re-100-sure-it-s-run-in-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c7a9bc829297a26e60a5b159b7a644069ece16f5
--- /dev/null
+++ b/debian/patches/tests-skip-test-bpf-only-when-we-re-100-sure-it-s-run-in-.patch
@@ -0,0 +1,25 @@
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Thu, 30 May 2019 03:29:50 +0200
+Subject: tests: skip test-bpf only when we're 100% sure it's run in
+ containers
+
+This is just a follow-up to https://github.com/systemd/systemd/pull/12617.
+
+(cherry picked from commit 6bd1457afe396864cc4b9884157a6126027ed85e)
+---
+ src/test/test-bpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/test/test-bpf.c b/src/test/test-bpf.c
+index eb1d8d7..9252c60 100644
+--- a/src/test/test-bpf.c
++++ b/src/test/test-bpf.c
+@@ -57,7 +57,7 @@ int main(int argc, char *argv[]) {
+
+ test_setup_logging(LOG_DEBUG);
+
+- if (detect_container())
++ if (detect_container() > 0)
+ return log_tests_skipped("test-bpf fails inside LXC and Docker containers: https://github.com/systemd/systemd/issues/9666");
+
+ assert_se(getrlimit(RLIMIT_MEMLOCK, &rl) >= 0);
diff --git a/debian/tests/control b/debian/tests/control
index 0ae1c8be2c16b4aee3a770e46fd269db02f147f6..f7ea7cd1edaab55f292f0828a1f96635e8aae0c0 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -52,7 +52,7 @@ Depends: systemd,
systemd-sysv,
policykit-1,
dnsmasq-base
-Restrictions: needs-root, isolation-container
+Restrictions: needs-root, isolation-container, flaky
Tests: build-login
Depends: systemd,