Chapter 4. New features

The aide package, which provides the Advanced Intrusion Detection Environment (AIDE) utility, has been rebased to upstream version 0.19.2. This version provides important fixes and enhancements, most notably the following:

For more information on all detailed changes, including other bug fixes and improvements, see the installed documentation file at /usr/share/doc/aide/NEWS.

Jira:RHEL-83776

The p11-kit-client.so module moves from the p11-kit-server subpackage to the new p11-kit-client subpackage. With the separated subpackages, you can install only the required parts and avoid redundant content on host systems or in containers.

Jira:RHEL-91952

RHEL 9.8 provides OpenSSH in version 9.9, which introduces many fixes and improvements over OpenSSH 8.7, which was provided in RHEL 9.7. For the complete list of changes, see the openssh-9.9p1/ChangeLog file. The most important changes are as follows:

Jira:RHEL-108912^[1]

Before this update, Valkey processes did not use the redis_t SELinux type. This caused behavioral inconsistencies with Redis in RHEL 9. With this update, the SELinux policy has been enhanced to run Valkey as redis_t. As a result, Valkey processes align with Redis behavior, providing a consistent security context for these services in RHEL 9 environments.

Jira:RHEL-108982^[1]

The fapolicyd packages are rebased to upstream version 1.4.3 and provide many enhancements and bug fixes over the previous version. Most notably:

Jira:RHEL-118363

This update of the openssh packages introduces the CanonicalMatchUser directive for the sshd_config configuration file. With the new directive, you can configure Match User blocks so that sshd first attempts to obtain the username from a password database instead of using an alias. As a result, Active Directory (AD) users can no longer bypass chroot restrictions when using capital letters in their usernames, which might lead to privilege escalation.

Jira:RHEL-118372^[1]

The gnutls package is rebased to upstream version 3.8.10. This update introduces several enhancements and bug fixes. Most notably:

Jira:RHEL-125971

This update of the system-wide cryptographic policies adds support for hybrid ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) and pure ML-DSA (Module-Lattice-Based Digital Signature) post-quantum (PQ) algorithms in GnuTLS. As a result, you can use GnuTLS in RHEL 9.8 to negotiate TLS connections that use hybrid ML-KEM or pure ML-DSA as long as the other side supports them, and the PQ system-wide cryptographic subpolicy is applied.

Jira:RHEL-127829

With this update of the selinux-policy packages, the following devices have more specific SELinux labels:

This aligns with the addition of new character device interfaces to the kernel, providing user-space application binary interface (ABI) access to the Power Architecture Platform Reference (PAPR) system parameters, in addition to the existing kernel-internal API.

As a result, the SELinux policy assigns distinct labels to these devices so that different permissions can apply to various services accessing them.

Jira:RHEL-129879

The p11-kit packages have been upgraded to upstream version 0.26.1. The new version provides many enhancements and bug fixes, most notably:

Jira:RHEL-139075^[1]

The clevis-pin-trustee package provides a new Clevis pin trustee that enables automated encryption and decryption of LUKS-encrypted volumes by using remote attestation through the Trustee Key Broker Service (KBS). The trustee pin integrates with the standard Clevis framework through the clevis-encrypt-trustee and clevis-decrypt-trustee commands, and it includes a Dracut module 60clevis-pin-trustee for automated root volume unlocking during early boot.

In scenarios such as confidential clusters for OpenShift and confidential virtual machines with OpenShift Virtualization, the Trustee server acts as the policy enforcement point, releasing the disk encryption key only when the requesting platform’s attestation evidence validates against a set of reference values.

As a result, you can bind LUKS-encrypted volumes to one or more Trustee servers by using a clevis luks bind -d <device> trustee '<config>' command. You can also combine the trustee pin with other Clevis pins, such as tang and tpm2, for multi-factor or multi-policy unlock configurations.

Jira:RHEL-139790^[1]

This update of the system-wide cryptographic policies adds support for the ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) post-quantum (PQ) key exchange mlkem768x25519-sha256 algorithm for OpenSSH. This aligns with support for ML-KEM in OpenSSH, providing a quantum-resistant key exchange method for your SSH sessions when you use the PQ system-wide cryptographic policy.

Jira:RHEL-151499

The OpenSCAP packages have been rebased to upstream version 1.4.3. This version provides bug fixes and various enhancements. For additional information, see the OpenSCAP release notes.

Jira:RHEL-133976

For additional information, see the SCAP Security Guide release notes.

Jira:RHEL-136121

The librepo packages are rebased to upstream version 1.19.0. This version provides the following important fixes and enhancements:

Jira:RHEL-62033

The openwsman package has been updated to version 2.8.1 with the following improvements:

Jira:RHEL-97643^[1]

The openCryptoki packages are updated to upstream version 3.26.0. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-100059^[1]

With this update, the snmpcmd man page documents the supported privProtocol for SNMPv3 messages. As a result, administrators have access to the necessary reference details to create SNMPv3 users with specific authentication and privacy protocols.

Jira:RHEL-101614^[1]

The --help output and manual page for the net-snmp-create-v3-user script have been updated to include the complete list of supported authentication and encryption algorithms. This update improves clarity when configuring authentication and encryption passwords.

Jira:RHEL-103557^[1]

This update enables post-quantum key exchange by default in the tog-pegasus packages if the peer supports it. Two new files, /etc/pki/Pegasus/server-fallback.pem and /etc/pki/Pegasus/file-fallback.pem, for tog-pegasus servers provide a mechanism to support a classic certificate chain and an ML-DSA certificate at the same time. . As a result, you can use these new files to enable the loading of a classic certificate and key when you need to use an ML-DSA certificate and a classic certificate chain simultaneously.

Jira:RHEL-127514^[1]

This update enables post-quantum key exchange by default in the sblim-sfcb package if the peer supports it. This update also introduces two new configuration options, sslKeyFallbackFilePath and sslCertificateFallbackFilePath, in the sblim-sfcb server configuration file.

Before this update, there was no mechanism to support a classic certificate chain and an ML-DSA certificate at the same time. As a result, you can use these new options to enable the loading of a classic certificate and key when you need to use an ML-DSA certificate and a classic certificate chain simultaneously.

Jira:RHEL-127515^[1]

Previously, the package did not use post-quantum key exchange by default if the peer supports it. Also, there was no mechanism to support a classic certificate chain and the ML-DSA certificate at the same time.

With this update, two new configuration options ssl_cert_fallback_file and ssl_key_fallback_file are introduced in openwsman server configuration file. These options are disabled by default, but can be used to enable loading of classic certificate and key when there is a requirement to use an ML-DSA certificate and classic certificate chain at the same time.

As a result, the outdated SSL initialization which prevents post-quantum key exchange by default was removed from the openwsman server.

Jira:RHEL-127516^[1]

Red Hat build of OpenJDK 25 and the maven-openjdk25 subpackages are available in Red Hat Enterprise Linux 9. This version provides the latest long-term support (LTS) release of the Open Java Development Kit (OpenJDK). As a result, you can leverage the latest Java features and performance improvements for your applications.

Jira:RHEL-127952^[1]

The chrony packages are rebased to upstream version 4.8, which includes the following notable enhancements and bug fixes:

Jira:RHEL-112598

The upgrade to the upstream version 3.26.0 provides the following notable enhancements:

Jira:RHEL-120965

SystemTap is rebased to version 5.4. The notable changes in this update include:

Jira:RHEL-121662

The upgrade to the upstream version 0.194 provides the following notable enhancements:

Jira:RHEL-121664

The sscg packages are rebased to upstream version 4.0.3. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-124447

With this update, Apache’s ErrorLogFormat supports millisecond timestamps. Millisecond-level timestamps in error logs improve log filtering, troubleshooting efficiency, and cross-system traceability. You can configure this, for example, by using the %{m}t format specifier. As a result, you can correlate and filter logs across systems with millisecond precision.

Jira:RHEL-129692^[1]

The iproute package has been updated to upstream version 6.17.0.

Notable enhancements:

Jira:RHEL-98272

With this enhancement, you can configure High-availability Seamless Redundancy (HSR) interfaces as a Redundancy Box (RedBox). This mode provides a communication path between standard Ethernet devices and an HSR ring. By designating an interlink port on the HSR interface, external devices connected to the interlink port reside within the same layer-2 domain as the ring participants. The interlink port operates in High-availability Seamless Redundancy to Singly Attached Node (HSR-SAN) mode, which handles the insertion and removal of HSR tags as traffic passes between the redundant network and the connected devices.

Jira:RHEL-100940^[1]

The hsr kernel module provides the following protocols:

Jira:RHEL-100941^[1]

With this enhancement, you can use the Nmstate API to set alternative names on network interfaces to simplify configuration management and support processes. For example, to assign LAN as an alternative name to enp1s0 and remove the name internal-LAN, use:

interfaces:
  - name: enp1s0
    alt-names:
      - name: LAN
      - name: internal-LAN
        state: absent

Jira:RHEL-110781^[1]

With this enhancement, NetworkManager can enable and disable IPv4 forwarding per network interface. This enables granular control directly in NetworkManager connection profiles, and updating sysctl kernel settings is no longer required. If you enable the ipv4.forwarding parameter in a profile, the corresponding interface acts as a router and forwards IPv4 packets. With the default value auto, NetworkManager enables IPv4 forwarding if any shared connection is active and, in other cases, it uses the kernel default value.

This feature is also available in Nmstate.

Jira:RHEL-110793^[1]

With this enhancement, you can set a lower maximum TCP retransmission timeout value than the default 120000 ms to reduce network latency. Note that changing this setting can require tuning other kernel settings as well.

You can configure this limit either through the tcp_rto_max_ms kernel sysctl setting or the TCP_RTO_MAX_MS socket option. If you set both, the socket option has a higher priority.

Jira:RHEL-115191^[1]

With this update, users can now set the DHCP client ID as a kernel argument. Certain DHCP servers require this ID to identify a client correctly. By setting the rd.net.dhcp.client-id kernel argument, the client ID is already available during early boot operations.

Jira:RHEL-122166^[1]

With this update, RHEL users can configure an interlink interface for High-availability Seamless Redundancy (HSR) connections. Users can now use the hsr.interlink property to specify the interlink interface name. As a result, you can configure RHEL as a Redundancy Box (RedBox).

Jira:RHEL-122175^[1]

This update enhances the NetworkManager Libreswan client plugin to configure multiple subnets in IPsec policies. This corresponds to the use of multiple subnets in the leftsubnets and rightsubnets parameters in the Libreswan configuration. As a result, users can connect to multiple subnets by using a single IPsec tunnel.

Jira:RHEL-124258^[1]

A new package, frr10, is available in the RHEL 9 AppStream repository. This package provides FRRouting (FRR) version 10 alongside the existing frr version 8 package. You can now access newer routing features without replacing the earlier version. By introducing frr10 as a separate package, this update enables flexible adoption and testing of the latest FRR capabilities while maintaining compatibility with existing deployments.

Jira:RHEL-125957

On certain hardware platforms with onboard Intel E8xx network controllers, the BIOS lists all ports of the network controllers as the same device because they have the same Type Instance value in the desktop management interface (DMI) tables. Consequently, the udev service fails to rename the interfaces when RHEL boots. On these platforms, the phys_port_name sysfs attribute is the only attribute to distinguish the ports from each other.

With this enhancement, the ice and i40e drivers can make the phys_port_name sysfs attribute available to udev. By default, this behavior is disabled on RHEL 9 to not break existing configurations. To enable the feature, add ice.rh_phys_port_name=1 i40e.rh_phys_port_name=1 to the kernel command line. As a result, the drivers make the phys_port_name attribute available, and udev correctly renames the interfaces. The interfaces have the np_<number_> suffix.

Jira:RHEL-126034^[1]

With this enhancement, you can create VLAN interfaces on top of High-availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) interfaces to enable network traffic segmentation. When configured, the kernel adds a VLAN tag to all packets transmitted through the VLAN interface. This provides greater control over traffic isolation. Note that supervision frames remain unaffected by this configuration and are always transmitted without a VLAN tag.

Jira:RHEL-130476^[1]

With this update, the iproute package includes the dpll utility which you can use to manage and monitor digital phase-locked loop (DPLL) devices. The utility uses libmnl to communicate with the kernel through the netlink interface, providing a configuration tool for DPLL devices and pins.

Jira:RHEL-131661

The Unbound packages have been rebased to version 1.24.2. This update provides several enhancements and a security fix:

Jira:RHEL-132717^[1]

The K1 state reduces power consumption on ICH-family network interface controllers (NIC) during idle periods. However, on Intel Meteor Lake and later platforms, enabling K1 state on NICs that use the e1000e driver can cause packet loss due to firmware misconfiguration, interoperability with certain link partners, and other conditions.

Default:

Jira:RHEL-134986^[1]

This update adds the fou and fou6 modules to the kernel-modules-extra package. With these modules, you can configure connections that use the following protocols:

Jira:RHEL-138741^[1]

Due to missing upstream support for passing Qualcomm wireless cards to VMs by using the PCI pass through feature, these cards do not work correctly in VMs. With this update, the ath11k and ath12k drivers use certain kernel parameters to work around the problem. As a result, Qualcomm wireless cards that use these drivers work if you pass the devices to VMs. Note that the solution is only an unsupported workaround.

Jira:RHEL-141399^[1]

By default, the NMstate API uses NetworkManager to send configurations to Libreswan service. In this case, NetworkManager defines default values, which are different from Libreswan’s defaults. With this enhancement, you can set nm-auto-defaults: false in the YAML file and Nmstate does not inject any extra settings. In this case, Libreswan uses this configuration and also its own default values.

For backward compatibility, the default value of nm-auto-defaults is true.

Jira:RHEL-141605^[1]

Before this update, BPF trampoline and associated functionality, including BPF STRUCT_OPS features such as sched_ext, were not available on the IBM PowerPC (ppc64le) architecture in Red Hat Enterprise Linux 9.

With this update, Red Hat Enterprise Linux 9.8 running on ppc64le can use BPF trampoline and BPF STRUCT_OPS-based features, such as sched_ext, for advanced tracing and scheduling use cases.

Jira:RHEL-14156^[1]

With this update, PerfMon support is added for Clearwater Forest, a hardware or software platform, on the CentOS Stream kernel. This enhancement enables performance monitoring for the Clearwater Forest platform, improving overall system efficiency and stability.

Jira:RHEL-45067^[1]

The EDAC driver is updated to add platform support for Intel Clearwater Forest (CWF) servers, enhancing RAS capabilities for this hardware. This change improves error detection and correction functionality specific to the Intel platform.

Jira:RHEL-45085^[1]

With this update, you can use uncore events counters on the Panther Lake platform to monitor system performance.

Jira:RHEL-47456^[1]

The perf tool now provides full support for Intel Core Ultra Series 2 and Intel Core Ultra Series 3 processors. This update enables the complete range of perf functionality, including performance counters and C-state events. As a result, you can perform comprehensive hardware profiling, power-management analysis, and performance tuning on these Intel platforms.

Jira:RHEL-74193^[1]

The Intel QAT crypto device driver is updated to support QAT GEN6 devices through the new qat_6xxx driver. GEN6 devices enable concurrent use of symmetric encryption, asymmetric encryption, and data compression. This was not available in earlier generations.

Jira:RHEL-94929^[1]

The tpm2-tools package is updated to ensure compatibility with modern TPM 2.0 hardware and improve security tooling support. This update enables enhanced TPM-based operations and aligns with upstream security and feature developments.

Jira:RHEL-94933^[1]

With this update, the IAA is now moved from a Technology Preview to the supported state and the device IDs are added for In-memory Analytics Accelerator (IAA). As a result, devices on the Wildcat Lake platform are now supported.

Jira:RHEL-95629^[1]

With this update, Perfmon drivers now support the Wildcat Lake CPU platform, enhancing performance monitoring on compatible hardware.

Jira:RHEL-95671^[1]

With this update, you can use uncore events counter for the Intel Wildcat Lake platform to monitor system performance. As a result, you can analyze performance on Intel-based systems.

Jira:RHEL-95673^[1]

kpatch reports which kernel CVEs are patched by live patches for the currently running base kernel. With this update, administrators can verify that specific CVEs are remediated, even if the on-disk kernel version appears vulnerable.

By listing CVEs that are patched only by kpatch, this enhancement improves security reporting and supports compliance workflows and external scanners that must account for live-patched vulnerabilities.

Jira:RHEL-103845^[1]

With this update, you can pass the LUKS volume key to the kdump kernel, to save vmcore data to a LUKS-encrypted disk volume. This enhancement secures vmcore data on RHEL systems, as sensitive data remains protected in the event of system crashes. To activate this optional feature, you must use the kdumpctl setup-crypttab command. This update is available for the x86_64 architecture in RHEL 9.8.

Jira:RHEL-104939^[1]

With this update, the Perf tool now supports Load Latency (LdLat) filtering for 5th Generation AMD EPYC processors (also known as Turin). This enhances Instruction-Based Sampling (IBS) capabilities of perf. This improvement aims to provide more accurate and efficient performance analysis on AMD systems.

Jira:RHEL-106898^[1]

This update adds support for the AMD Venice CCP crypto device with PCI device ID 0x17D8 (PCIID 1002:17D8) in the kernel CCP driver. With this change, systems equipped with Venice CCP hardware can use the device’s enhanced cryptographic offload capabilities.

Jira:RHEL-106910^[1]

With this update, the rtla tool now supports triggering userspace actions either when a latency threshold is reached or when tracing concludes. This allows you to execute diagnostic commands immediately or extract trace data before the instance is removed, regardless of whether a threshold violation occurred.

Jira:RHEL-113482^[1]

The crash package, which provides a kernel analysis utility for live systems and various types of dump files, is rebased to upstream version 9.0.1. This version provides a number of fixes and enhancements, most notably the following:

Jira:RHEL-114658

With this update, you can select the measurement module for the rteval utility. This overrides the default setting in the rteval.conf file. This new feature, 'measurement-module', provides greater flexibility and control over performance testing, which enhances the precision and customization.

Jira:RHEL-114928^[1]

With this update, advanced performance analysis is enabled using the perf utility with debuginfod client support in RHEL-9. This enhancement enables debugging and probing performance issues. The feature introduces new runtime dependencies and is currently limited to probing.

Jira:RHEL-124984^[1]

The cryptsetup package has been upgraded to version 2.8.0. This update provides the following feature enhancements:

Jira:RHEL-100089^[1]

The io_uring interface supports asynchronous I/O operations. With this update, applications use this interface to submit multiple I/O requests without blocking the calling process. io_uring uses shared ring buffers between user space and kernel space to reduce system call overhead and avoid buffer copying. This interface is more efficient and supports more asynchronous system calls than Linux AIO.

Jira:RHEL-120699^[1]

The snapm package has been rebased to upstream version 0.7.0. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-137377^[1]

Before this update, multipath devices remained in the system if you did not remove SCSI devices before disconnecting a LUN. This sometimes resulted in queued I/O or incorrect writes if the LUN was repurposed.

With this update, the purge_disconnected option is available in the defaults, devices, and multipaths sections of the multipath.conf file. When you set this option to yes, the multipathd daemon automatically removes disconnected SCSI devices from the system.

Jira:RHEL-141291

The HAProxy package has been rebased to the upstream Long-Term Support (LTS) version 2.8. The notable changes in this update include:

For a complete list of changes, see the HAProxy webpage.

Jira:RHEL-74039^[1]

RHEL 9.8 introduces PostgreSQL 18 as the postgresql:18 module stream.

Notable changes:

Jira:RHEL-90852^[1]

MariaDB 11.8 is available as a new module stream, mariadb:11.8.

Notable changes over the previously available version 10.11 include:

Notable breaking differences:

For more information about MariaDB, see Using MariaDB.

To install the mariadb:11.8 stream, enter:

# dnf module install mariadb:11.8

If you want to upgrade from MariaDB 10.11, see Upgrading from a RHEL 9 version of MariaDB 10.11 to MariaDB 11.8.

For information about the length of support for the mariadb module streams, see Red Hat Enterprise Linux Application Streams Life Cycle.

Jira:RHEL-96956^[1]

The ruby module provides a new Ruby 4.0 runtime, including database connector support. As a result, Red Hat Enterprise Linux 9.8 users can use Ruby 4.0 alongside existing Ruby streams to develop and run Ruby applications with supported database connectivity.

Jira:RHEL-142278^[1]

This update adds the perl-DBD-MySQL package to the mysql:8.4 module. Starting with Red Hat Enterprise Linux (RHEL) 9.7, the perl-DBD-MySQL package is linked against libmysqlclient instead of libmariadb. To ensure compatibility, perl-DBD-MySQL is included within mysql:8.4. As a result, the perl-DBD-MySQL package is fully compatible with the mysql:8.4 module, which resolves dependency conflicts and installation failures.

Jira:RHEL-144470

Red Hat Enterprise Linux 9.8 now includes the python3.14 stack. This new alternative stack provides Python 3.14 for developing and running applications.

Jira:RHEL-120823^[1]

On x86-64 systems that support the x86-64-v3 microarchitecture level, the glibc math library now provides additional IFUNC-optimized implementations of selected functions. The functions atanh, expm1, log1p, log2, sincos, sinh, and tanh now have optimized variants that use x86-64-v3 instructions, improving execution efficiency for workloads that rely on these operations.

As a result, the execution time for workloads that perform large volumes of these mathematical computations might be reduced.

Jira:RHEL-1063

The glibc memstream documentation describes the implementation behavior of open_memstream when you use SEEK_END to change the file position. This clarification aligns the documentation with the new requirement to document glibc behavior, introduced in POSIX.1-2024, and helps you understand how seeking affects the current position and buffer contents.

Jira:RHEL-61087

Before this update, gcov function summaries only reported the number of lines executed and did not include details about branch or call coverage within the function.

With this enhancement, requesting function summaries using the -f option now includes data on branches taken and function calls made within the profiled function. This provides a more comprehensive view of function-level test coverage.

Jira:RHEL-105416^[1]

This enhancement adds the GLIBC_ABI_DT_X86_64_PLT symbol version to glibc on x86_64 systems, so programs that require this symbol at startup no longer fail to start and instead run as expected.

Jira:RHEL-109622^[1]

In RHEL 9.8, rust-toolset is rebased to version 1.92.0 from version 1.88.0. This update delivers multiple improvements to debugging, systems programming features, memory safety diagnostics, and Rust workflow tooling for RHEL developers.

Notable enhancements include:

Jira:RHEL-111847

With this update, the Red Hat Build of OpenJDK 25 for RHEL integrates with the RHEL crypto-policies package. This enhancement ensures secure system property handling and improves the security of Java applications running on RHEL by loading additional configuration files based on Red Hat system properties. This change also adds FIPS support using NSS.

Jira:RHEL-128412^[1]

The glibc package now uses the euro currency symbol for the bg_BG locale, reflecting Bulgaria’s adoption of the euro as of 2026-01-01.

As a result, applications using the bg_BG locale display currency values with the updated euro symbol, ensuring consistency with the current official currency.

Jira:RHEL-137186

The llvm toolset has been rebased to version 21 in RHEL 9.8. This rebase provides updated compiler and tooling features for building and optimizing applications that depend on llvm.

As part of this change, dependent packages in RHEL 9 have been rebuilt against llvm 21 to ensure compatibility with the updated toolset.

The notable changes are:

Jira:RHEL-100898

With this enhancement, the glibc package optimizes the trylock implementation for workloads with high thread counts on multi-core systems, improving trylock throughput under heavy contention.

Jira:RHEL-141072

With this enhancement, glibc adds tracing support for Thread-Local Storage (TLS) and Thread Control Block (TCB) operations through the tls category of the LD_DEBUG environment variable. You can use LD_DEBUG=tls to track TLS and TCB related events in the dynamic linker and improve analysis of complex runtime issues.

LD_DEBUG also supports excluding specific debug categories by prefixing the category name with a dash, for example, LD_DEBUG=all, -tls, so that you can refine the debug output.

Jira:RHEL-49785^[1]

The glibc package now uses the euro currency symbol for the hr_HR locale in RHEL. This change aligns Croatian locale data with the country’s current official currency.

As a result, applications that rely on glibc locale information for the hr_HR locale now display the up-to-date euro currency symbol instead of the former Croatian kuna.

Jira:RHEL-140105^[1]

The RTLD_DI_ORIGIN_PATH dlinfo request type in glibc accepts the size of the destination buffer when retrieving the shared object origin path. This request type helps avoid buffer overflows when obtaining the shared object origin path.

The behavior of the existing RTLD_DI_ORIGIN request type remains unchanged.

Jira:RHEL-54450

Identity Management (IdM) password policies support four new options (--dcredit, --ucredit, --lcredit, and --ocredit) based on the libpwquality credit system. A negative value sets the minimum number of characters of that type required in a password; a positive value provides a credit toward the minimum password length. These options are mutually exclusive with --minclasses and offer a more granular way to enforce per-class character requirements. As a result, administrators can configure specific character type minimums in IdM password policies, for example, to satisfy DISA STIG compliance requirements.

For more information, see Additional password policy options in IdM.

Jira:RHEL-73399^[1]

The samba packages, which provide file and print services using the SMB protocol, have been rebased to upstream version 4.23.0. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-114548

The ipa packages have been rebased to upstream version 4.13.0. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-120954

The cepces package, which provides a certificate enrollment client for Microsoft Active Directory Certificate Services (AD CS), has been rebased to upstream version 0.3.12. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-121787^[1]

The dsctl dbverify command, used to verify the integrity of a Directory Server database, provides explicit feedback depending on the database backend type. For Berkeley Database (BDB) backends, the command now returns an error when the specified backend does not exist, instead of incorrectly reporting a successful verification. For LMDB backends, the command displays a warning that the verification is always reported as successful because LMDB has built-in integrity protection. As a result, administrators can distinguish between a missing backend and a genuinely successful verification when running dsctl dbverify.

Jira:RHEL-123893^[1]

When integrating Identity Management (IdM) with a third-party application that does not support Kerberos authentication, you can define a dedicated system account for the application to securely reset user passwords. Notably, these resets do not trigger the "password change required" flag, ensuring a seamless login experience for the end user. The system account authenticates by using LDAP.

As a result, organizations can integrate their own secure password management solutions directly with IdM.

Jira:RHEL-126515^[1]

For installations using a hardware security module (HSM), Lightweight CA (LWCA) certificates and private keys are now generated on the HSM. This provides the same hardware-level security for the private keys as the root CA private key. The LWCA private key is generated on the HSM with the HSM token name as the prefix, for example mytoken:lwca.

Jira:RHEL-128238^[1]

The pki packages have been rebased to upstream version 11.7.1. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-129092

This update ensures that automated services like crond and systemd-user are prevented from unlocking accounts locked by faillock. Previously, these services would automatically clear the "failed login" counter when they ran, which could allow a malicious actor to keep guessing passwords without being permanently locked out. With this release, once an account is locked by a security policy, it remains locked until the timeout expires or an administrator intervenes, regardless of any background system activity.

Jira:RHEL-130875

The ansible-freeipa packages, which provide Ansible modules and roles for Identity Management (IdM), have been rebased to upstream version 1.16.0. This version provides important fixes and enhancements, most notably the following:

The sysaccount module (ipasysaccount) creates and manages system accounts in IdM. The role module (iparole) supports system accounts as role members, so you can assign privileges such as user password management to those accounts in playbooks. You can, for example, use system accounts to integrate IdM with an external password reset management solution. For more information, refer to the sysaccount and role module READMEs.

The ipapasskeyconfig module is available in the ansible-freeipa collection. You can use this module to configure whether passkey authentication in IdM requires user verification, such as a PIN, when users authenticate with a passkey device. Additionally, the ipauser module supports passkey as a user authentication type, and the ipaservice and ipahost modules support passkey as an authentication indicator.

Jira:RHEL-139144

With this update, the ipaconfig, ipahost, ipaservice, and ipauser modules support the passkey authentication type for IdM resources. This enables you to manage Passkey device authentication directly through your Ansible playbooks by setting the authentication type to passkey.

Jira:RHEL-139257

The 389-ds-base package, which provides an enterprise-class LDAP server, has been rebased to upstream version 2.8.0.

Jira:RHEL-139825

With this update, the ipa-certupdate tool includes a new --force-server <server_fqdn> option. Before this update, an Identity Management (IdM) client only connected to its default IdM server, specified in the /etc/ipa/default.conf file, when updating the local CA trust store. If this default server was down or unreachable, the ipa-certupdate command failed. As a result, administrators can ensure successful trust store updates and maintain service continuity, even if the primary server is unavailable.

Jira:RHEL-141446^[1]

The sudo packages have been rebased to upstream version 1.9.17p2, which includes the following notable bug fixes and enhancements:

Jira:RHEL-128623

The adcli delete-computer command supports the --recursive option to delete computer objects from Active Directory, including their child objects. Previously, attempting to delete a computer object that contained child objects, such as metadata for BitLocker drive recovery, failed with a CANT_ON_NON_LEAF error in AD. With this update, users can cleanly delete computer objects that contain child objects using adcli.

Jira:RHEL-134951^[1]

The cockpit packages have been rebased to version 356, which provides many improvements and fixes compared to version 344 in RHEL 9.7, most notably:

Jira:RHEL-112866

With this update, you can manage disk partitions by using the storage role, streamlining storage management. With this unified approach you can add, remove, resize, and format partitions, ensuring consistent and repeatable results.

Jira:RHEL-112772^[1]

With this update, you can create bootable snapshot sets on platforms that support snapm, such as RHEL 9.6 and Fedora 41 or later. You can now set a bootable flag when requesting snapshots and boot the system directly from a snapshot.

Jira:RHEL-120325^[1]

The postgresql RHEL system role, which installs, configures, manages, and starts the PostgreSQL server, now supports PostgreSQL 18.

For more information about this system role, see Installing and configuring PostgreSQL by using the postgresql RHEL system role.

Jira:RHEL-122958^[1]

With this enhancement, you can now use IPv6 addresses within the ipset_entries variable when utilizing hash:ip or hash:net types in playbooks that use the firewall RHEL system role. You can also specify additional <key>:<value> pairs of options for ipset by using the ipset_options variable. pairs

Due to a limitation of the underlying firewalld implementation, you cannot mix IPv4, IPv6, and MAC addresses in the same ipset_entries list.

Jira:RHEL-123040^[1]

Previously, the ha_cluster RHEL System Role provided limited visibility into the current cluster configuration.

With this update, the ha_cluster role has been expanded to include cluster properties and resource defaults.

As a result, the following variables are now exported, allowing for easier auditing and configuration mirroring:

Jira:RHEL-123041^[1]

To provide more granular control over conditional configurations, the sshd system role supports the sshd_CanonicalMatchUser variable. You can specify whether to evaluate OpenSSH Match blocks against a user’s initial login name or their final canonical username after the server rewrites it.

As a result, you can consistently apply security policies in environments where external identity providers or local configuration rules modify usernames. This ensures that Match blocks accurately reflect the user’s identity once the server determines the final canonical username.

Jira:RHEL-127973^[1]

Previously, the ha_cluster RHEL System Role did not include detailed constraint information in its exported data.

With this enhancement, the ha_cluster role now includes variables for location, colocation, order, and ticket constraints.

As a result, the following variables are now available in the module output, facilitating better configuration management and role-based automation:

Jira:RHEL-128436^[1]

Before this update, the high-availability stack primarily supported the stonith-watchdog-timeout property for managing watchdog-based fencing. However, future Pacemaker versions replace this property with fencing-watchdog-timeout.

With this update, the role handles both the legacy and new property names consistently.

As a result, the role supports future Pacemaker versions and ensures that watchdog-related cluster properties remain functional regardless of which property name you use. The role preserves both stonith-watchdog-timeout and fencing-watchdog-timeout when creating or pushing CIB configurations.

Jira:RHEL-136599^[1]

With this update, you can configure the VersionAddendum option in SSH settings for match blocks, host blocks, and global client configurations. This enhancement ensures compatibility with the latest OpenSSH versions and provides granular control over your SSH connections.

Jira:RHEL-138279^[1]

The new GSSAPIDelegateCredentials parameter provides Generic Security Services Application Programming Interface (GSSAPI) credential delegation in Kerberos environments and enables a seamless single sign-on experience.

As a result, you can automate the configuration of GSSAPI credential delegation to simplify network authentication.

Jira:RHEL-144496^[1]

With this enhancement, you can use the metrics RHEL system role to configure TLS-encrypted connections to Grafana. To use this feature, specify the following variables in your playbook:

Jira:RHEL-144592^[1]

With this update, you can manage SELinux port types for Datagram Congestion Control Protocol (DCCP) and Stream Control Transmission Protocol (SCTP). By configuring SELinux port labels for these protocols, you can apply granular access controls and improve system security.

Jira:RHEL-145215^[1]

You can use RHEL system roles to build and manage immutable operating systems. This provides a consistent management interface across different backend technologies, including ostree.

As a result, you can deploy and configure immutable systems using the same roles used for traditional systems, ensuring environment consistency. Note: This feature is currently not compatible with the nbde_client role.

Jira:RHELDOCS-21216

With this release, you can use the analysis, remediate, and upgrade Ansible roles to automate the pre-upgrade and upgrade phases of the in-place upgrade. By using these Ansible roles, you can quickly and efficiently upgrade large numbers of systems, saving you time.

For more information, see Upgrading large deployments by using Ansible roles.

Jira:RHEL-117252

This update introduces the virt-secrets-init-encryption service, which encrypts libvirt secrets, such as keys for the virtual Trusted Platform Module (vTPM). By default, this encryption uses systemd credentials sealing. However, you can use the new /etc/libvirt/secret.conf file to specify a custom key for encrypting secrets, as well as to disable automatic encryption of secrets. As a result, critical vTPM metadata is protected from unauthorized access on the host file system. This also hardens the overall security of the virtualization environment.

Jira:RHEL-7125^[1]

After using the virsh nodedev-update command to update a cryptograpic coprocessor (vfio-ap) device on an IBM Z host, the new configuration now takes effect significantly faster.

Jira:RHEL-73001^[1]

Virtual machines (VMs) on RHEL 9 hosts that use IBM Z hardware can now use the control program identification (CPI) feature. By using CPI, you can obtain system information about VMs without accessing them. For more information about CPI, see IBM documentation.

Note that on VMs that use IBM Secure Execution, CPI is disabled by default to ensure confidentiality, and must be enabled manually. For instructions, see Setting up IBM Secure Execution on IBM Z.

Jira:RHEL-73009^[1]

With this update, you can enable both multifd (multiple file descriptor) precopy and postcopy virtual machine live migration strategies. multifd uses multiple parallel TCP channels during the precopy phase to maximize network bandwidth usage and reduce migration time. As a result, you can configure both migration strategies and switch from precopy to postcopy live migration without disruption. Note that, postcopy migration does not use multifd.

Jira:RHEL-97465^[1]

The updated qemu-kvm package provides a new s390-ccw-virtio-rhel9.8.0 machine type for IBM Z virtual machines (VMs). This machine type enables Control Program Identification (CPI) and performance-enhanced PCI translation for passthrough PCI devices by default. As a result, IBM Z VMs that use the s390-ccw-virtio-rhel9.8.0 machine type benefit from improved performance with passthrough PCI devices and CPI without additional configuration.

Jira:RHEL-104005^[1]

The libvirt package provides a new host-model mode for Hyper-V Enlightenments, which automatically enables all Hyper-V enlightenments supported on the host. This mode eliminates the need for separate configuration templates for Intel and AMD hosts. As a result, you can configure <hyperv mode='host-model'/> in the XML definition of a virtual machine to automatically apply all host-supported Hyper-V Enlightenments without maintaining separate configurations for each vendor.

Jira:RHEL-114003

With this update, the QEMU emulator no longer needs to emulate the Forced Unit Access (FUA) I/O method, and instead can use FUA natively. This can improve the overall performance of virtual storage, particularly in database workloads.

Jira:RHEL-118197

This update introduces the Provisioning Caching Certification Service (PCCS) for Intel Trust Domain Extensions (TDX). This provides the local caching required to use Intel hosted Provisioning Certification Services (PCS) at scale, and also makes it possible to perform TDX attestation on host systems that are isolated from the public internet.

Jira:RHEL-127046

With this update, RHEL now supports SCSI passthrough for virtual machines (VMs). With this feature, VMs can directly access host SCSI devices, such as tape drives and Storage Area Network (SAN) Logical Unit Numbers (LUNs).

As a result, you can configure VMs to use specialized storage devices that require direct SCSI access, including support for both single-path and multipathed vDisks.

Note that for SCSI passthrough to work, the host must use a supported RHEL and kernel version. For details, see: Required RHEL versions for SGIO support in Virtual Machines

Jira:RHELDOCS-21410^[1]

With this update, RHEL supports SCSI3 Persistent Reservation (S3-PR) for virtual machines (VMs). This feature makes it possible for multiple VMs to coordinate access to shared storage devices, which is essential for Linux clustering solutions, such as Pacemaker, and for Windows Server Failover Clustering.

As a result, VMs can register and manage persistent reservations on storage devices, which prevent conflicts when multiple VMs access the same storage. S3-PR support is available for both single-path and multipathed vDisks.

Note that for S3-PR to work, the host must use a supported RHEL and kernel version. For details, see: Required RHEL versions for SGIO support in Virtual Machines

Jira:RHELDOCS-21467

Before this update, the sos report was collected on AAP. With this update, the notable enhancements to the following AAP plugins are:

Jira:RHEL-121524

With this update, you can manage SSL/TLS certificates that contain sensitive data during the SOS clean process. The new --treat-certificates option provides the option to remove, obfuscate, or maintain the original binary format of these certificates ensuring that no sensitive data persists.

As a result, you can enhance data security and privacy by selecting the treatment for SSL/TLS certificates during the SOS clean process.

Jira:RHEL-142619

With this update, the sos utility automatically detects the user running containers for Ansible Application Platform (AAP) deployments. This eliminates the need for manual specification, ensuring the collection of all necessary AAP data.

Jira:RHEL-140738

You can specify a custom log-location option in the containers.conf file for per-user configurations using podman-kube systemd. Previously, logs were restricted to a default location and could not be customized. With this release, you can define custom log paths directly in the configuration file, reducing the need to specify them manually in the podman run command.

Jira:RHEL-3114^[1]

With this update, the Aardvark-DNS process now dynamically reloads DNS configurations in the Podman 5.x stack on Red Hat Enterprise Linux (RHEL). This eliminates the need to stop and restart the entire process when changes are made to the DNS configuration file, resulting in improved efficiency and reduced downtime for end users.

Jira:RHEL-85839^[1]

The container-selinux package, which provides necessary SELinux policies, types, and rules to confine and secure container runtimes, has been rebased to version 2.244.0-1. This version provides important enhancements, most notably, it streamlines the process, enhances data protection, and ensures confidentiality in deployments, while reducing potential security risks associated with public storage endpoints.

Jira:RHEL-112187

The runc package, which serves as the low-level, CLI tool for spawning and running containers, is rebased to upstream version 1.3.3. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-124800

With this update, a unified system-wide configuration file is introduced for rootless Podman, enabling centralized policy management, a consistent security baseline, and operational standardization across all users.

As a result, you can inherit sensible defaults without manual configuration, while still maintaining the flexibility to override system settings through personal configuration files. Additionally, this update ensures backward compatibility, meaning existing user workflows and configurations remain unchanged.

Jira:RHEL-126643

The updated Container Tools RPM meta-package, which includes the Podman, Buildah, Skopeo, crun, and runc tools, is available. The Buildah package has been updated to version 1.43.1, and Skopeo has been updated to version 1.22.2. Podman release 5.8.2 contains the following notable bug fixes and enhancements over the previous version:

Jira:RHEL-127908

This update introduces air-gapped and disconnected updates for RHEL deployments, enabling edge deployments to perform updates without internet connectivity. As a result, you can benefit from greater flexibility and reliability for offline updates, improving deployment management in remote or secure environments.

Jira:RHELDOCS-20708^[1]

The rhel9/ruby-40, rhel9/postgresql-18, rhel9/python-314-minimal, rhel9/mariadb-118 and rhel9/python-314 container images are now available in the Red Hat Container Registry. The notable enhancements for each image are:

Jira:RHELDOCS-22067^[1]

With this update, the command-line assistant supports color output by default, aligning its appearance with other RHEL command-line tools. This update improves output readability through increased visual contrast.

You can disable color output by using the --plain option or by setting the NO_COLOR=1 environment variable.

Jira:RHELDOCS-21814^[1]

With this enhancement, RHEL Lightspeed includes the Red Hat Enterprise Linux for SAP Solutions documentation set in its knowledge base. You can now ask RHEL Lightspeed technical questions specific to SAP deployments on RHEL. This update provides more accurate and context-aware responses for SAP-related administrative and configuration tasks.

Jira:RHELDOCS-21815^[1]