9.8 Release Notes

The aide package, which provides the Advanced Intrusion Detection Environment (AIDE) utility, has been rebased to upstream version 0.19.2. This version provides important fixes and enhancements, most notably the following:

For more information on all detailed changes, including other bug fixes and improvements, see the installed documentation file at /usr/share/doc/aide/NEWS.

Jira:RHEL-83776

The p11-kit-client.so module moves from the p11-kit-server subpackage to the new p11-kit-client subpackage. With the separated subpackages, you can install only the required parts and avoid redundant content on host systems or in containers.

Jira:RHEL-91952

RHEL 9.8 provides OpenSSH in version 9.9, which introduces many fixes and improvements over OpenSSH 8.7, which was provided in RHEL 9.7. For the complete list of changes, see the openssh-9.9p1/ChangeLog file. The most important changes are as follows:

Jira:RHEL-108912^[1]

Before this update, Valkey processes did not use the redis_t SELinux type. This caused behavioral inconsistencies with Redis in RHEL 9. With this update, the SELinux policy has been enhanced to run Valkey as redis_t. As a result, Valkey processes align with Redis behavior, providing a consistent security context for these services in RHEL 9 environments.

Jira:RHEL-108982^[1]

The fapolicyd packages are rebased to upstream version 1.4.3 and provide many enhancements and bug fixes over the previous version. Most notably:

Jira:RHEL-118363

This update of the openssh packages introduces the CanonicalMatchUser directive for the sshd_config configuration file. With the new directive, you can configure Match User blocks so that sshd first attempts to obtain the username from a password database instead of using an alias. As a result, Active Directory (AD) users can no longer bypass chroot restrictions when using capital letters in their usernames, which might lead to privilege escalation.

Jira:RHEL-118372^[1]

The gnutls package is rebased to upstream version 3.8.10. This update introduces several enhancements and bug fixes. Most notably:

Jira:RHEL-125971

This update of the system-wide cryptographic policies adds support for hybrid ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) and pure ML-DSA (Module-Lattice-Based Digital Signature) post-quantum (PQ) algorithms in GnuTLS. As a result, you can use GnuTLS in RHEL 9.8 to negotiate TLS connections that use hybrid ML-KEM or pure ML-DSA as long as the other side supports them, and the PQ system-wide cryptographic subpolicy is applied.

Jira:RHEL-127829

With this update of the selinux-policy packages, the following devices have more specific SELinux labels:

This aligns with the addition of new character device interfaces to the kernel, providing user-space application binary interface (ABI) access to the Power Architecture Platform Reference (PAPR) system parameters, in addition to the existing kernel-internal API.

As a result, the SELinux policy assigns distinct labels to these devices so that different permissions can apply to various services accessing them.

Jira:RHEL-129879

The p11-kit packages have been upgraded to upstream version 0.26.1. The new version provides many enhancements and bug fixes, most notably:

Jira:RHEL-139075^[1]

The clevis-pin-trustee package provides a new Clevis pin trustee that enables automated encryption and decryption of LUKS-encrypted volumes by using remote attestation through the Trustee Key Broker Service (KBS). The trustee pin integrates with the standard Clevis framework through the clevis-encrypt-trustee and clevis-decrypt-trustee commands, and it includes a Dracut module 60clevis-pin-trustee for automated root volume unlocking during early boot.

In scenarios such as confidential clusters for OpenShift and confidential virtual machines with OpenShift Virtualization, the Trustee server acts as the policy enforcement point, releasing the disk encryption key only when the requesting platform’s attestation evidence validates against a set of reference values.

As a result, you can bind LUKS-encrypted volumes to one or more Trustee servers by using a clevis luks bind -d <device> trustee '<config>' command. You can also combine the trustee pin with other Clevis pins, such as tang and tpm2, for multi-factor or multi-policy unlock configurations.

Jira:RHEL-139790^[1]

This update of the system-wide cryptographic policies adds support for the ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) post-quantum (PQ) key exchange mlkem768x25519-sha256 algorithm for OpenSSH. This aligns with support for ML-KEM in OpenSSH, providing a quantum-resistant key exchange method for your SSH sessions when you use the PQ system-wide cryptographic policy.

Jira:RHEL-151499

The OpenSCAP packages have been rebased to upstream version 1.4.3. This version provides bug fixes and various enhancements. For additional information, see the OpenSCAP release notes.

Jira:RHEL-133976

For additional information, see the SCAP Security Guide release notes.

Jira:RHEL-136121

The librepo packages are rebased to upstream version 1.19.0. This version provides the following important fixes and enhancements:

Jira:RHEL-62033

The openwsman package has been updated to version 2.8.1 with the following improvements:

Jira:RHEL-97643^[1]

The openCryptoki packages are updated to upstream version 3.26.0. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-100059^[1]

With this update, the snmpcmd man page documents the supported privProtocol for SNMPv3 messages. As a result, administrators have access to the necessary reference details to create SNMPv3 users with specific authentication and privacy protocols.

Jira:RHEL-101614^[1]

The --help output and manual page for the net-snmp-create-v3-user script have been updated to include the complete list of supported authentication and encryption algorithms. This update improves clarity when configuring authentication and encryption passwords.

Jira:RHEL-103557^[1]

This update enables post-quantum key exchange by default in the tog-pegasus packages if the peer supports it. Two new files, /etc/pki/Pegasus/server-fallback.pem and /etc/pki/Pegasus/file-fallback.pem, for tog-pegasus servers provide a mechanism to support a classic certificate chain and an ML-DSA certificate at the same time. . As a result, you can use these new files to enable the loading of a classic certificate and key when you need to use an ML-DSA certificate and a classic certificate chain simultaneously.

Jira:RHEL-127514^[1]

This update enables post-quantum key exchange by default in the sblim-sfcb package if the peer supports it. This update also introduces two new configuration options, sslKeyFallbackFilePath and sslCertificateFallbackFilePath, in the sblim-sfcb server configuration file.

Before this update, there was no mechanism to support a classic certificate chain and an ML-DSA certificate at the same time. As a result, you can use these new options to enable the loading of a classic certificate and key when you need to use an ML-DSA certificate and a classic certificate chain simultaneously.

Jira:RHEL-127515^[1]

Previously, the package did not use post-quantum key exchange by default if the peer supports it. Also, there was no mechanism to support a classic certificate chain and the ML-DSA certificate at the same time.

With this update, two new configuration options ssl_cert_fallback_file and ssl_key_fallback_file are introduced in openwsman server configuration file. These options are disabled by default, but can be used to enable loading of classic certificate and key when there is a requirement to use an ML-DSA certificate and classic certificate chain at the same time.

As a result, the outdated SSL initialization which prevents post-quantum key exchange by default was removed from the openwsman server.

Jira:RHEL-127516^[1]

Red Hat build of OpenJDK 25 and the maven-openjdk25 subpackages are available in Red Hat Enterprise Linux 9. This version provides the latest long-term support (LTS) release of the Open Java Development Kit (OpenJDK). As a result, you can leverage the latest Java features and performance improvements for your applications.

Jira:RHEL-127952^[1]

The chrony packages are rebased to upstream version 4.8, which includes the following notable enhancements and bug fixes:

Jira:RHEL-112598

The upgrade to the upstream version 3.26.0 provides the following notable enhancements:

Jira:RHEL-120965

SystemTap is rebased to version 5.4. The notable changes in this update include:

Jira:RHEL-121662

The upgrade to the upstream version 0.194 provides the following notable enhancements:

Jira:RHEL-121664

The sscg packages are rebased to upstream version 4.0.3. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-124447

With this update, Apache’s ErrorLogFormat supports millisecond timestamps. Millisecond-level timestamps in error logs improve log filtering, troubleshooting efficiency, and cross-system traceability. You can configure this, for example, by using the %{m}t format specifier. As a result, you can correlate and filter logs across systems with millisecond precision.

Jira:RHEL-129692^[1]

The iproute package has been updated to upstream version 6.17.0.

Notable enhancements:

Jira:RHEL-98272

With this enhancement, you can configure High-availability Seamless Redundancy (HSR) interfaces as a Redundancy Box (RedBox). This mode provides a communication path between standard Ethernet devices and an HSR ring. By designating an interlink port on the HSR interface, external devices connected to the interlink port reside within the same layer-2 domain as the ring participants. The interlink port operates in High-availability Seamless Redundancy to Singly Attached Node (HSR-SAN) mode, which handles the insertion and removal of HSR tags as traffic passes between the redundant network and the connected devices.

Jira:RHEL-100940^[1]

The hsr kernel module provides the following protocols:

Jira:RHEL-100941^[1]

With this enhancement, you can use the Nmstate API to set alternative names on network interfaces to simplify configuration management and support processes. For example, to assign LAN as an alternative name to enp1s0 and remove the name internal-LAN, use:

interfaces:
  - name: enp1s0
    alt-names:
      - name: LAN
      - name: internal-LAN
        state: absent

Jira:RHEL-110781^[1]

With this enhancement, NetworkManager can enable and disable IPv4 forwarding per network interface. This enables granular control directly in NetworkManager connection profiles, and updating sysctl kernel settings is no longer required. If you enable the ipv4.forwarding parameter in a profile, the corresponding interface acts as a router and forwards IPv4 packets. With the default value auto, NetworkManager enables IPv4 forwarding if any shared connection is active and, in other cases, it uses the kernel default value.

This feature is also available in Nmstate.

Jira:RHEL-110793^[1]

With this enhancement, you can set a lower maximum TCP retransmission timeout value than the default 120000 ms to reduce network latency. Note that changing this setting can require tuning other kernel settings as well.

You can configure this limit either through the tcp_rto_max_ms kernel sysctl setting or the TCP_RTO_MAX_MS socket option. If you set both, the socket option has a higher priority.

Jira:RHEL-115191^[1]

With this update, users can now set the DHCP client ID as a kernel argument. Certain DHCP servers require this ID to identify a client correctly. By setting the rd.net.dhcp.client-id kernel argument, the client ID is already available during early boot operations.

Jira:RHEL-122166^[1]

With this update, RHEL users can configure an interlink interface for High-availability Seamless Redundancy (HSR) connections. Users can now use the hsr.interlink property to specify the interlink interface name. As a result, you can configure RHEL as a Redundancy Box (RedBox).

Jira:RHEL-122175^[1]

This update enhances the NetworkManager Libreswan client plugin to configure multiple subnets in IPsec policies. This corresponds to the use of multiple subnets in the leftsubnets and rightsubnets parameters in the Libreswan configuration. As a result, users can connect to multiple subnets by using a single IPsec tunnel.

Jira:RHEL-124258^[1]

A new package, frr10, is available in the RHEL 9 AppStream repository. This package provides FRRouting (FRR) version 10 alongside the existing frr version 8 package. You can now access newer routing features without replacing the earlier version. By introducing frr10 as a separate package, this update enables flexible adoption and testing of the latest FRR capabilities while maintaining compatibility with existing deployments.

Jira:RHEL-125957

On certain hardware platforms with onboard Intel E8xx network controllers, the BIOS lists all ports of the network controllers as the same device because they have the same Type Instance value in the desktop management interface (DMI) tables. Consequently, the udev service fails to rename the interfaces when RHEL boots. On these platforms, the phys_port_name sysfs attribute is the only attribute to distinguish the ports from each other.

With this enhancement, the ice and i40e drivers can make the phys_port_name sysfs attribute available to udev. By default, this behavior is disabled on RHEL 9 to not break existing configurations. To enable the feature, add ice.rh_phys_port_name=1 i40e.rh_phys_port_name=1 to the kernel command line. As a result, the drivers make the phys_port_name attribute available, and udev correctly renames the interfaces. The interfaces have the np_<number_> suffix.

Jira:RHEL-126034^[1]

With this enhancement, you can create VLAN interfaces on top of High-availability Seamless Redundancy (HSR) and Parallel Redundancy Protocol (PRP) interfaces to enable network traffic segmentation. When configured, the kernel adds a VLAN tag to all packets transmitted through the VLAN interface. This provides greater control over traffic isolation. Note that supervision frames remain unaffected by this configuration and are always transmitted without a VLAN tag.

Jira:RHEL-130476^[1]

With this update, the iproute package includes the dpll utility which you can use to manage and monitor digital phase-locked loop (DPLL) devices. The utility uses libmnl to communicate with the kernel through the netlink interface, providing a configuration tool for DPLL devices and pins.

Jira:RHEL-131661

The Unbound packages have been rebased to version 1.24.2. This update provides several enhancements and a security fix:

Jira:RHEL-132717^[1]

The K1 state reduces power consumption on ICH-family network interface controllers (NIC) during idle periods. However, on Intel Meteor Lake and later platforms, enabling K1 state on NICs that use the e1000e driver can cause packet loss due to firmware misconfiguration, interoperability with certain link partners, and other conditions.

Default:

Jira:RHEL-134986^[1]

This update adds the fou and fou6 modules to the kernel-modules-extra package. With these modules, you can configure connections that use the following protocols:

Jira:RHEL-138741^[1]

Due to missing upstream support for passing Qualcomm wireless cards to VMs by using the PCI pass through feature, these cards do not work correctly in VMs. With this update, the ath11k and ath12k drivers use certain kernel parameters to work around the problem. As a result, Qualcomm wireless cards that use these drivers work if you pass the devices to VMs. Note that the solution is only an unsupported workaround.

Jira:RHEL-141399^[1]

By default, the NMstate API uses NetworkManager to send configurations to Libreswan service. In this case, NetworkManager defines default values, which are different from Libreswan’s defaults. With this enhancement, you can set nm-auto-defaults: false in the YAML file and Nmstate does not inject any extra settings. In this case, Libreswan uses this configuration and also its own default values.

For backward compatibility, the default value of nm-auto-defaults is true.

Jira:RHEL-141605^[1]

Before this update, BPF trampoline and associated functionality, including BPF STRUCT_OPS features such as sched_ext, were not available on the IBM PowerPC (ppc64le) architecture in Red Hat Enterprise Linux 9.

With this update, Red Hat Enterprise Linux 9.8 running on ppc64le can use BPF trampoline and BPF STRUCT_OPS-based features, such as sched_ext, for advanced tracing and scheduling use cases.

Jira:RHEL-14156^[1]

With this update, PerfMon support is added for Clearwater Forest, a hardware or software platform, on the CentOS Stream kernel. This enhancement enables performance monitoring for the Clearwater Forest platform, improving overall system efficiency and stability.

Jira:RHEL-45067^[1]

The EDAC driver is updated to add platform support for Intel Clearwater Forest (CWF) servers, enhancing RAS capabilities for this hardware. This change improves error detection and correction functionality specific to the Intel platform.

Jira:RHEL-45085^[1]

With this update, you can use uncore events counters on the Panther Lake platform to monitor system performance.

Jira:RHEL-47456^[1]

The perf tool now provides full support for Intel Core Ultra Series 2 and Intel Core Ultra Series 3 processors. This update enables the complete range of perf functionality, including performance counters and C-state events. As a result, you can perform comprehensive hardware profiling, power-management analysis, and performance tuning on these Intel platforms.

Jira:RHEL-74193^[1]

The Intel QAT crypto device driver is updated to support QAT GEN6 devices through the new qat_6xxx driver. GEN6 devices enable concurrent use of symmetric encryption, asymmetric encryption, and data compression. This was not available in earlier generations.

Jira:RHEL-94929^[1]

The tpm2-tools package is updated to ensure compatibility with modern TPM 2.0 hardware and improve security tooling support. This update enables enhanced TPM-based operations and aligns with upstream security and feature developments.

Jira:RHEL-94933^[1]

With this update, the IAA is now moved from a Technology Preview to the supported state and the device IDs are added for In-memory Analytics Accelerator (IAA). As a result, devices on the Wildcat Lake platform are now supported.

Jira:RHEL-95629^[1]

With this update, Perfmon drivers now support the Wildcat Lake CPU platform, enhancing performance monitoring on compatible hardware.

Jira:RHEL-95671^[1]

With this update, you can use uncore events counter for the Intel Wildcat Lake platform to monitor system performance. As a result, you can analyze performance on Intel-based systems.

Jira:RHEL-95673^[1]

kpatch reports which kernel CVEs are patched by live patches for the currently running base kernel. With this update, administrators can verify that specific CVEs are remediated, even if the on-disk kernel version appears vulnerable.

By listing CVEs that are patched only by kpatch, this enhancement improves security reporting and supports compliance workflows and external scanners that must account for live-patched vulnerabilities.

Jira:RHEL-103845^[1]

With this update, you can pass the LUKS volume key to the kdump kernel, to save vmcore data to a LUKS-encrypted disk volume. This enhancement secures vmcore data on RHEL systems, as sensitive data remains protected in the event of system crashes. To activate this optional feature, you must use the kdumpctl setup-crypttab command. This update is available for the x86_64 architecture in RHEL 9.8.

Jira:RHEL-104939^[1]

With this update, the Perf tool now supports Load Latency (LdLat) filtering for 5th Generation AMD EPYC processors (also known as Turin). This enhances Instruction-Based Sampling (IBS) capabilities of perf. This improvement aims to provide more accurate and efficient performance analysis on AMD systems.

Jira:RHEL-106898^[1]

This update adds support for the AMD Venice CCP crypto device with PCI device ID 0x17D8 (PCIID 1002:17D8) in the kernel CCP driver. With this change, systems equipped with Venice CCP hardware can use the device’s enhanced cryptographic offload capabilities.

Jira:RHEL-106910^[1]

With this update, the rtla tool now supports triggering userspace actions either when a latency threshold is reached or when tracing concludes. This allows you to execute diagnostic commands immediately or extract trace data before the instance is removed, regardless of whether a threshold violation occurred.

Jira:RHEL-113482^[1]

The crash package, which provides a kernel analysis utility for live systems and various types of dump files, is rebased to upstream version 9.0.1. This version provides a number of fixes and enhancements, most notably the following:

Jira:RHEL-114658

With this update, you can select the measurement module for the rteval utility. This overrides the default setting in the rteval.conf file. This new feature, 'measurement-module', provides greater flexibility and control over performance testing, which enhances the precision and customization.

Jira:RHEL-114928^[1]

With this update, advanced performance analysis is enabled using the perf utility with debuginfod client support in RHEL-9. This enhancement enables debugging and probing performance issues. The feature introduces new runtime dependencies and is currently limited to probing.

Jira:RHEL-124984^[1]

The cryptsetup package has been upgraded to version 2.8.0. This update provides the following feature enhancements:

Jira:RHEL-100089^[1]

The io_uring interface supports asynchronous I/O operations. With this update, applications use this interface to submit multiple I/O requests without blocking the calling process. io_uring uses shared ring buffers between user space and kernel space to reduce system call overhead and avoid buffer copying. This interface is more efficient and supports more asynchronous system calls than Linux AIO.

Jira:RHEL-120699^[1]

The snapm package has been rebased to upstream version 0.7.0. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-137377^[1]

Before this update, multipath devices remained in the system if you did not remove SCSI devices before disconnecting a LUN. This sometimes resulted in queued I/O or incorrect writes if the LUN was repurposed.

With this update, the purge_disconnected option is available in the defaults, devices, and multipaths sections of the multipath.conf file. When you set this option to yes, the multipathd daemon automatically removes disconnected SCSI devices from the system.

Jira:RHEL-141291

The HAProxy package has been rebased to the upstream Long-Term Support (LTS) version 2.8. The notable changes in this update include:

For a complete list of changes, see the HAProxy webpage.

Jira:RHEL-74039^[1]

RHEL 9.8 introduces PostgreSQL 18 as the postgresql:18 module stream.

Notable changes:

Jira:RHEL-90852^[1]

MariaDB 11.8 is available as a new module stream, mariadb:11.8.

Notable changes over the previously available version 10.11 include:

Notable breaking differences:

For more information about MariaDB, see Using MariaDB.

To install the mariadb:11.8 stream, enter:

# dnf module install mariadb:11.8

If you want to upgrade from MariaDB 10.11, see Upgrading from a RHEL 9 version of MariaDB 10.11 to MariaDB 11.8.

For information about the length of support for the mariadb module streams, see Red Hat Enterprise Linux Application Streams Life Cycle.

Jira:RHEL-96956^[1]

The ruby module provides a new Ruby 4.0 runtime, including database connector support. As a result, Red Hat Enterprise Linux 9.8 users can use Ruby 4.0 alongside existing Ruby streams to develop and run Ruby applications with supported database connectivity.

Jira:RHEL-142278^[1]

This update adds the perl-DBD-MySQL package to the mysql:8.4 module. Starting with Red Hat Enterprise Linux (RHEL) 9.7, the perl-DBD-MySQL package is linked against libmysqlclient instead of libmariadb. To ensure compatibility, perl-DBD-MySQL is included within mysql:8.4. As a result, the perl-DBD-MySQL package is fully compatible with the mysql:8.4 module, which resolves dependency conflicts and installation failures.

Jira:RHEL-144470

Red Hat Enterprise Linux 9.8 now includes the python3.14 stack. This new alternative stack provides Python 3.14 for developing and running applications.

Jira:RHEL-120823^[1]

On x86-64 systems that support the x86-64-v3 microarchitecture level, the glibc math library now provides additional IFUNC-optimized implementations of selected functions. The functions atanh, expm1, log1p, log2, sincos, sinh, and tanh now have optimized variants that use x86-64-v3 instructions, improving execution efficiency for workloads that rely on these operations.

As a result, the execution time for workloads that perform large volumes of these mathematical computations might be reduced.

Jira:RHEL-1063

The glibc memstream documentation describes the implementation behavior of open_memstream when you use SEEK_END to change the file position. This clarification aligns the documentation with the new requirement to document glibc behavior, introduced in POSIX.1-2024, and helps you understand how seeking affects the current position and buffer contents.

Jira:RHEL-61087

Before this update, gcov function summaries only reported the number of lines executed and did not include details about branch or call coverage within the function.

With this enhancement, requesting function summaries using the -f option now includes data on branches taken and function calls made within the profiled function. This provides a more comprehensive view of function-level test coverage.

Jira:RHEL-105416^[1]

This enhancement adds the GLIBC_ABI_DT_X86_64_PLT symbol version to glibc on x86_64 systems, so programs that require this symbol at startup no longer fail to start and instead run as expected.

Jira:RHEL-109622^[1]

In RHEL 9.8, rust-toolset is rebased to version 1.92.0 from version 1.88.0. This update delivers multiple improvements to debugging, systems programming features, memory safety diagnostics, and Rust workflow tooling for RHEL developers.

Notable enhancements include:

Jira:RHEL-111847

With this update, the Red Hat Build of OpenJDK 25 for RHEL integrates with the RHEL crypto-policies package. This enhancement ensures secure system property handling and improves the security of Java applications running on RHEL by loading additional configuration files based on Red Hat system properties. This change also adds FIPS support using NSS.

Jira:RHEL-128412^[1]

The glibc package now uses the euro currency symbol for the bg_BG locale, reflecting Bulgaria’s adoption of the euro as of 2026-01-01.

As a result, applications using the bg_BG locale display currency values with the updated euro symbol, ensuring consistency with the current official currency.

Jira:RHEL-137186

The llvm toolset has been rebased to version 21 in RHEL 9.8. This rebase provides updated compiler and tooling features for building and optimizing applications that depend on llvm.

As part of this change, dependent packages in RHEL 9 have been rebuilt against llvm 21 to ensure compatibility with the updated toolset.

The notable changes are:

Jira:RHEL-100898

With this enhancement, the glibc package optimizes the trylock implementation for workloads with high thread counts on multi-core systems, improving trylock throughput under heavy contention.

Jira:RHEL-141072

With this enhancement, glibc adds tracing support for Thread-Local Storage (TLS) and Thread Control Block (TCB) operations through the tls category of the LD_DEBUG environment variable. You can use LD_DEBUG=tls to track TLS and TCB related events in the dynamic linker and improve analysis of complex runtime issues.

LD_DEBUG also supports excluding specific debug categories by prefixing the category name with a dash, for example, LD_DEBUG=all, -tls, so that you can refine the debug output.

Jira:RHEL-49785^[1]

The glibc package now uses the euro currency symbol for the hr_HR locale in RHEL. This change aligns Croatian locale data with the country’s current official currency.

As a result, applications that rely on glibc locale information for the hr_HR locale now display the up-to-date euro currency symbol instead of the former Croatian kuna.

Jira:RHEL-140105^[1]

The RTLD_DI_ORIGIN_PATH dlinfo request type in glibc accepts the size of the destination buffer when retrieving the shared object origin path. This request type helps avoid buffer overflows when obtaining the shared object origin path.

The behavior of the existing RTLD_DI_ORIGIN request type remains unchanged.

Jira:RHEL-54450

Identity Management (IdM) password policies support four new options (--dcredit, --ucredit, --lcredit, and --ocredit) based on the libpwquality credit system. A negative value sets the minimum number of characters of that type required in a password; a positive value provides a credit toward the minimum password length. These options are mutually exclusive with --minclasses and offer a more granular way to enforce per-class character requirements. As a result, administrators can configure specific character type minimums in IdM password policies, for example, to satisfy DISA STIG compliance requirements.

For more information, see Additional password policy options in IdM.

Jira:RHEL-73399^[1]

The samba packages, which provide file and print services using the SMB protocol, have been rebased to upstream version 4.23.0. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-114548

The ipa packages have been rebased to upstream version 4.13.0. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-120954

The cepces package, which provides a certificate enrollment client for Microsoft Active Directory Certificate Services (AD CS), has been rebased to upstream version 0.3.12. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-121787^[1]

The dsctl dbverify command, used to verify the integrity of a Directory Server database, provides explicit feedback depending on the database backend type. For Berkeley Database (BDB) backends, the command now returns an error when the specified backend does not exist, instead of incorrectly reporting a successful verification. For LMDB backends, the command displays a warning that the verification is always reported as successful because LMDB has built-in integrity protection. As a result, administrators can distinguish between a missing backend and a genuinely successful verification when running dsctl dbverify.

Jira:RHEL-123893^[1]

When integrating Identity Management (IdM) with a third-party application that does not support Kerberos authentication, you can define a dedicated system account for the application to securely reset user passwords. Notably, these resets do not trigger the "password change required" flag, ensuring a seamless login experience for the end user. The system account authenticates by using LDAP.

As a result, organizations can integrate their own secure password management solutions directly with IdM.

Jira:RHEL-126515^[1]

For installations using a hardware security module (HSM), Lightweight CA (LWCA) certificates and private keys are now generated on the HSM. This provides the same hardware-level security for the private keys as the root CA private key. The LWCA private key is generated on the HSM with the HSM token name as the prefix, for example mytoken:lwca.

Jira:RHEL-128238^[1]

The pki packages have been rebased to upstream version 11.7.1. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-129092

This update ensures that automated services like crond and systemd-user are prevented from unlocking accounts locked by faillock. Previously, these services would automatically clear the "failed login" counter when they ran, which could allow a malicious actor to keep guessing passwords without being permanently locked out. With this release, once an account is locked by a security policy, it remains locked until the timeout expires or an administrator intervenes, regardless of any background system activity.

Jira:RHEL-130875

The ansible-freeipa packages, which provide Ansible modules and roles for Identity Management (IdM), have been rebased to upstream version 1.16.0. This version provides important fixes and enhancements, most notably the following:

The sysaccount module (ipasysaccount) creates and manages system accounts in IdM. The role module (iparole) supports system accounts as role members, so you can assign privileges such as user password management to those accounts in playbooks. You can, for example, use system accounts to integrate IdM with an external password reset management solution. For more information, refer to the sysaccount and role module READMEs.

The ipapasskeyconfig module is available in the ansible-freeipa collection. You can use this module to configure whether passkey authentication in IdM requires user verification, such as a PIN, when users authenticate with a passkey device. Additionally, the ipauser module supports passkey as a user authentication type, and the ipaservice and ipahost modules support passkey as an authentication indicator.

Jira:RHEL-139144

With this update, the ipaconfig, ipahost, ipaservice, and ipauser modules support the passkey authentication type for IdM resources. This enables you to manage Passkey device authentication directly through your Ansible playbooks by setting the authentication type to passkey.

Jira:RHEL-139257

The 389-ds-base package, which provides an enterprise-class LDAP server, has been rebased to upstream version 2.8.0.

Jira:RHEL-139825

With this update, the ipa-certupdate tool includes a new --force-server <server_fqdn> option. Before this update, an Identity Management (IdM) client only connected to its default IdM server, specified in the /etc/ipa/default.conf file, when updating the local CA trust store. If this default server was down or unreachable, the ipa-certupdate command failed. As a result, administrators can ensure successful trust store updates and maintain service continuity, even if the primary server is unavailable.

Jira:RHEL-141446^[1]

The sudo packages have been rebased to upstream version 1.9.17p2, which includes the following notable bug fixes and enhancements:

Jira:RHEL-128623

The adcli delete-computer command supports the --recursive option to delete computer objects from Active Directory, including their child objects. Previously, attempting to delete a computer object that contained child objects, such as metadata for BitLocker drive recovery, failed with a CANT_ON_NON_LEAF error in AD. With this update, users can cleanly delete computer objects that contain child objects using adcli.

Jira:RHEL-134951^[1]

The cockpit packages have been rebased to version 356, which provides many improvements and fixes compared to version 344 in RHEL 9.7, most notably:

Jira:RHEL-112866

With this update, you can manage disk partitions by using the storage role, streamlining storage management. With this unified approach you can add, remove, resize, and format partitions, ensuring consistent and repeatable results.

Jira:RHEL-112772^[1]

With this update, you can create bootable snapshot sets on platforms that support snapm, such as RHEL 9.6 and Fedora 41 or later. You can now set a bootable flag when requesting snapshots and boot the system directly from a snapshot.

Jira:RHEL-120325^[1]

The postgresql RHEL system role, which installs, configures, manages, and starts the PostgreSQL server, now supports PostgreSQL 18.

For more information about this system role, see Installing and configuring PostgreSQL by using the postgresql RHEL system role.

Jira:RHEL-122958^[1]

With this enhancement, you can now use IPv6 addresses within the ipset_entries variable when utilizing hash:ip or hash:net types in playbooks that use the firewall RHEL system role. You can also specify additional <key>:<value> pairs of options for ipset by using the ipset_options variable. pairs

Due to a limitation of the underlying firewalld implementation, you cannot mix IPv4, IPv6, and MAC addresses in the same ipset_entries list.

Jira:RHEL-123040^[1]

Previously, the ha_cluster RHEL System Role provided limited visibility into the current cluster configuration.

With this update, the ha_cluster role has been expanded to include cluster properties and resource defaults.

As a result, the following variables are now exported, allowing for easier auditing and configuration mirroring:

Jira:RHEL-123041^[1]

To provide more granular control over conditional configurations, the sshd system role supports the sshd_CanonicalMatchUser variable. You can specify whether to evaluate OpenSSH Match blocks against a user’s initial login name or their final canonical username after the server rewrites it.

As a result, you can consistently apply security policies in environments where external identity providers or local configuration rules modify usernames. This ensures that Match blocks accurately reflect the user’s identity once the server determines the final canonical username.

Jira:RHEL-127973^[1]

Previously, the ha_cluster RHEL System Role did not include detailed constraint information in its exported data.

With this enhancement, the ha_cluster role now includes variables for location, colocation, order, and ticket constraints.

As a result, the following variables are now available in the module output, facilitating better configuration management and role-based automation:

Jira:RHEL-128436^[1]

Before this update, the high-availability stack primarily supported the stonith-watchdog-timeout property for managing watchdog-based fencing. However, future Pacemaker versions replace this property with fencing-watchdog-timeout.

With this update, the role handles both the legacy and new property names consistently.

As a result, the role supports future Pacemaker versions and ensures that watchdog-related cluster properties remain functional regardless of which property name you use. The role preserves both stonith-watchdog-timeout and fencing-watchdog-timeout when creating or pushing CIB configurations.

Jira:RHEL-136599^[1]

With this update, you can configure the VersionAddendum option in SSH settings for match blocks, host blocks, and global client configurations. This enhancement ensures compatibility with the latest OpenSSH versions and provides granular control over your SSH connections.

Jira:RHEL-138279^[1]

The new GSSAPIDelegateCredentials parameter provides Generic Security Services Application Programming Interface (GSSAPI) credential delegation in Kerberos environments and enables a seamless single sign-on experience.

As a result, you can automate the configuration of GSSAPI credential delegation to simplify network authentication.

Jira:RHEL-144496^[1]

With this enhancement, you can use the metrics RHEL system role to configure TLS-encrypted connections to Grafana. To use this feature, specify the following variables in your playbook:

Jira:RHEL-144592^[1]

With this update, you can manage SELinux port types for Datagram Congestion Control Protocol (DCCP) and Stream Control Transmission Protocol (SCTP). By configuring SELinux port labels for these protocols, you can apply granular access controls and improve system security.

Jira:RHEL-145215^[1]

You can use RHEL system roles to build and manage immutable operating systems. This provides a consistent management interface across different backend technologies, including ostree.

As a result, you can deploy and configure immutable systems using the same roles used for traditional systems, ensuring environment consistency. Note: This feature is currently not compatible with the nbde_client role.

Jira:RHELDOCS-21216

With this release, you can use the analysis, remediate, and upgrade Ansible roles to automate the pre-upgrade and upgrade phases of the in-place upgrade. By using these Ansible roles, you can quickly and efficiently upgrade large numbers of systems, saving you time.

For more information, see Upgrading large deployments by using Ansible roles.

Jira:RHEL-117252

This update introduces the virt-secrets-init-encryption service, which encrypts libvirt secrets, such as keys for the virtual Trusted Platform Module (vTPM). By default, this encryption uses systemd credentials sealing. However, you can use the new /etc/libvirt/secret.conf file to specify a custom key for encrypting secrets, as well as to disable automatic encryption of secrets. As a result, critical vTPM metadata is protected from unauthorized access on the host file system. This also hardens the overall security of the virtualization environment.

Jira:RHEL-7125^[1]

After using the virsh nodedev-update command to update a cryptograpic coprocessor (vfio-ap) device on an IBM Z host, the new configuration now takes effect significantly faster.

Jira:RHEL-73001^[1]

Virtual machines (VMs) on RHEL 9 hosts that use IBM Z hardware can now use the control program identification (CPI) feature. By using CPI, you can obtain system information about VMs without accessing them. For more information about CPI, see IBM documentation.

Note that on VMs that use IBM Secure Execution, CPI is disabled by default to ensure confidentiality, and must be enabled manually. For instructions, see Setting up IBM Secure Execution on IBM Z.

Jira:RHEL-73009^[1]

With this update, you can enable both multifd (multiple file descriptor) precopy and postcopy virtual machine live migration strategies. multifd uses multiple parallel TCP channels during the precopy phase to maximize network bandwidth usage and reduce migration time. As a result, you can configure both migration strategies and switch from precopy to postcopy live migration without disruption. Note that, postcopy migration does not use multifd.

Jira:RHEL-97465^[1]

The updated qemu-kvm package provides a new s390-ccw-virtio-rhel9.8.0 machine type for IBM Z virtual machines (VMs). This machine type enables Control Program Identification (CPI) and performance-enhanced PCI translation for passthrough PCI devices by default. As a result, IBM Z VMs that use the s390-ccw-virtio-rhel9.8.0 machine type benefit from improved performance with passthrough PCI devices and CPI without additional configuration.

Jira:RHEL-104005^[1]

The libvirt package provides a new host-model mode for Hyper-V Enlightenments, which automatically enables all Hyper-V enlightenments supported on the host. This mode eliminates the need for separate configuration templates for Intel and AMD hosts. As a result, you can configure <hyperv mode='host-model'/> in the XML definition of a virtual machine to automatically apply all host-supported Hyper-V Enlightenments without maintaining separate configurations for each vendor.

Jira:RHEL-114003

With this update, the QEMU emulator no longer needs to emulate the Forced Unit Access (FUA) I/O method, and instead can use FUA natively. This can improve the overall performance of virtual storage, particularly in database workloads.

Jira:RHEL-118197

This update introduces the Provisioning Caching Certification Service (PCCS) for Intel Trust Domain Extensions (TDX). This provides the local caching required to use Intel hosted Provisioning Certification Services (PCS) at scale, and also makes it possible to perform TDX attestation on host systems that are isolated from the public internet.

Jira:RHEL-127046

With this update, RHEL now supports SCSI passthrough for virtual machines (VMs). With this feature, VMs can directly access host SCSI devices, such as tape drives and Storage Area Network (SAN) Logical Unit Numbers (LUNs).

As a result, you can configure VMs to use specialized storage devices that require direct SCSI access, including support for both single-path and multipathed vDisks.

Note that for SCSI passthrough to work, the host must use a supported RHEL and kernel version. For details, see: Required RHEL versions for SGIO support in Virtual Machines

Jira:RHELDOCS-21410^[1]

With this update, RHEL supports SCSI3 Persistent Reservation (S3-PR) for virtual machines (VMs). This feature makes it possible for multiple VMs to coordinate access to shared storage devices, which is essential for Linux clustering solutions, such as Pacemaker, and for Windows Server Failover Clustering.

As a result, VMs can register and manage persistent reservations on storage devices, which prevent conflicts when multiple VMs access the same storage. S3-PR support is available for both single-path and multipathed vDisks.

Note that for S3-PR to work, the host must use a supported RHEL and kernel version. For details, see: Required RHEL versions for SGIO support in Virtual Machines

Jira:RHELDOCS-21467

Before this update, the sos report was collected on AAP. With this update, the notable enhancements to the following AAP plugins are:

Jira:RHEL-121524

With this update, you can manage SSL/TLS certificates that contain sensitive data during the SOS clean process. The new --treat-certificates option provides the option to remove, obfuscate, or maintain the original binary format of these certificates ensuring that no sensitive data persists.

As a result, you can enhance data security and privacy by selecting the treatment for SSL/TLS certificates during the SOS clean process.

Jira:RHEL-142619

With this update, the sos utility automatically detects the user running containers for Ansible Application Platform (AAP) deployments. This eliminates the need for manual specification, ensuring the collection of all necessary AAP data.

Jira:RHEL-140738

You can specify a custom log-location option in the containers.conf file for per-user configurations using podman-kube systemd. Previously, logs were restricted to a default location and could not be customized. With this release, you can define custom log paths directly in the configuration file, reducing the need to specify them manually in the podman run command.

Jira:RHEL-3114^[1]

With this update, the Aardvark-DNS process now dynamically reloads DNS configurations in the Podman 5.x stack on Red Hat Enterprise Linux (RHEL). This eliminates the need to stop and restart the entire process when changes are made to the DNS configuration file, resulting in improved efficiency and reduced downtime for end users.

Jira:RHEL-85839^[1]

The container-selinux package, which provides necessary SELinux policies, types, and rules to confine and secure container runtimes, has been rebased to version 2.244.0-1. This version provides important enhancements, most notably, it streamlines the process, enhances data protection, and ensures confidentiality in deployments, while reducing potential security risks associated with public storage endpoints.

Jira:RHEL-112187

The runc package, which serves as the low-level, CLI tool for spawning and running containers, is rebased to upstream version 1.3.3. This version provides important fixes and enhancements, most notably the following:

Jira:RHEL-124800

With this update, a unified system-wide configuration file is introduced for rootless Podman, enabling centralized policy management, a consistent security baseline, and operational standardization across all users.

As a result, you can inherit sensible defaults without manual configuration, while still maintaining the flexibility to override system settings through personal configuration files. Additionally, this update ensures backward compatibility, meaning existing user workflows and configurations remain unchanged.

Jira:RHEL-126643

The updated Container Tools RPM meta-package, which includes the Podman, Buildah, Skopeo, crun, and runc tools, is available. The Buildah package has been updated to version 1.43.1, and Skopeo has been updated to version 1.22.2. Podman release 5.8.2 contains the following notable bug fixes and enhancements over the previous version:

Jira:RHEL-127908

This update introduces air-gapped and disconnected updates for RHEL deployments, enabling edge deployments to perform updates without internet connectivity. As a result, you can benefit from greater flexibility and reliability for offline updates, improving deployment management in remote or secure environments.

Jira:RHELDOCS-20708^[1]

The rhel9/ruby-40, rhel9/postgresql-18, rhel9/python-314-minimal, rhel9/mariadb-118 and rhel9/python-314 container images are now available in the Red Hat Container Registry. The notable enhancements for each image are:

Jira:RHELDOCS-22067^[1]

With this update, the command-line assistant supports color output by default, aligning its appearance with other RHEL command-line tools. This update improves output readability through increased visual contrast.

You can disable color output by using the --plain option or by setting the NO_COLOR=1 environment variable.

Jira:RHELDOCS-21814^[1]

With this enhancement, RHEL Lightspeed includes the Red Hat Enterprise Linux for SAP Solutions documentation set in its knowledge base. You can now ask RHEL Lightspeed technical questions specific to SAP deployments on RHEL. This update provides more accurate and context-aware responses for SAP-related administrative and configuration tasks.

Jira:RHELDOCS-21815^[1]

Before this release, when starting a RHEL installation with the inst.dd kernel command-line option, the console failed to render characters typed by the user. As a consequence, the lack of visual feedback made the application appear unresponsive, even though the input was still being processed in the background. With this update, this display issue has been resolved, and user input is now visible as expected during the driver disk selection process.

Jira:RHEL-4737

Before this release, the installer did not set the display mode (text, graphical, or non-interactive) early enough during startup. As a result, the check to determine whether a selected language is supported in text mode did not run. In text mode installations, languages that are not supported in the text user interface, such as Japanese, could be used, resulting in unreadable output.

With this fix, the installer correctly detects languages that are not supported in the text mode. If an unsupported language is selected, the text user interface falls back to English. The installed system is still configured to use the originally selected language.

Jira:RHEL-144834

Before this update, AIDE terminated with an error if a file was truncated or removed while AIDE was computing its hash. With this update, AIDE detects when a file is truncated or deleted during hash calculation and handles the condition safely. As a result, AIDE successfully completes integrity checks even if a monitored file change size or is removed during processing.

Jira:RHEL-1569

Before this update, the CrackLib website URL in the cracklib and cracklib-dicts packages was outdated. As a consequence, an incorrect download of cracklib-dicts occurred. With this release, the URL in the cracklib and cracklib-dicts RPMs is updated to the new website URL. As a result, the package information is accurate.

Jira:RHEL-5215

Before this update, the clevis-pin-tpm2 command did not validate JSON field names during encryption with TPM2 and silently ignored typos and invalid fields, for example, pcrs_ids instead of pcr_ids. Consequently, users could inadvertently create LUKS bindings with incorrect TPM2 configurations due to typos. This could lead to unlock failures when TPM state changes, potentially making systems unbootable.

This update adds JSON schema validation to reject unknown fields in the TPM2 configuration during encryption. As a result, invalid field names in TPM2 JSON configuration are properly rejected with clear error messages to prevent silent misconfigurations that could cause unlock failures.

Jira:RHEL-68417

Some files, for example, /usr/lib/rpm/redhat/redhat-annobin-cc1 or /etc/selinux/targeted/policy/policy.33, owned by an RPM package, are expected to be changed during and after the installation, but they are still owned by the corresponding package. Consequently, fapolicyd cannot verify such files. With this release, the fapolicyd framework no longer adds files that do not have size or checksum information in the RPM database to the trust database. As a result, the fapolicyd-cli --check-trustdb command does not report the miscompares: size sha256 error message for such files.

Jira:RHEL-94661

Before this update, the Keylime registrar performed an unnecessary data conversion of malformed Endorsement Key (EK) certificates. This process corrupted the certificates and invalidated their signatures. Consequently, it prevented the use of the ek_check_script workaround for Trusted Platform Module (TPM) devices with non-standard certificates.

With this update, the database stores EK certificates without data corruption. As a result, you can validate TPM devices with malformed certificates by using the Keylime registrar and custom verification scripts.

Jira:RHEL-111167^[1]

Before this update, when generating signed Trusted Platform Module (TPM) quotes, the keylime-agent-rust component did not properly support Elliptic Curve Cryptography (ECC) key algorithms. This prevented the agent from generating TPM quote evidence and caused enrollment failures for the ECC key types. With this update, the keylime-agent-rust component correctly handles ECC key algorithms during TPM quote generation. As a result, agents can successfully generate TPM quotes and enroll with verifiers to provide full attestation functionality with ECC keys generated by the TPM.

Jira:RHEL-118148

Before this update, when verifying signed Trusted Platform Module (TPM) quotes from agents, the Keylime verifier component did not properly support Elliptic Curve Cryptography (ECC) key algorithms. This caused attestation failures when agents used the ECC key types ecc521, ecc384, ecc256, ecc224, or ecc192. With this update, the verifier correctly handles and verifies TPM quotes signed with ECC keys. As a result, Keylime provides full attestation functionality for these algorithms.

Jira:RHEL-118150

Before this update, the scp utility did not expand the .. parent directory indicator in a path to the directory name. Consequently, scp incorrectly handled relative paths containing ... This update adds special handling for parent directory indicators. As a result, scp now processes paths containing .. correctly.

Jira:RHEL-119515

Before this update, the ssh-pkcs11-helper binary lacked a specific SELinux security context, which prevented confined users from sending a request to the ssh-agent program. Consequently, confined users, such as user_u or staff_u, were unable to add smart-card-based keys to ssh-agent. With this update, ssh-pkcs11-helper is labeled with the ssh_agent_exec_t type, and additional rules are added to cache results. As a result, confined users can successfully use smart cards with ssh-agent, allowing the agent to correctly access PKCS #11 keys and cache the results in the user’s home cache.

Jira:RHEL-121165

Before this update, when you changed the database password, a bug in how NSS handled database re-encryption prevented the ML-DSA seed attribute from updating. As a result, the seed value was permanently lost, even if you knew the previous password.

With this update, password changes correctly update the ML-DSA seed attribute and no longer cause the permanent loss of seed values. Note that you still cannot recover the seeds lost before this update.

Jira:RHEL-127671^[1]

Before this update, user and group membership updates from package installations were not properly applied when migrating from package mode to image mode. Consequently, the clevis user was not added to the tss security group, preventing Clevis from accessing a trusted platform module (TPM) device and retrieving encryption keys during system boot. With this update, the Clevis package installation process is updated to ensure that the clevis user is properly added to the tss group during image mode updates, even when existing configuration files are preserved. As a result, Clevis can properly access the TPM device and successfully retrieve an encryption key on systems in image mode.

Jira:RHEL-132187

Before this update, the SELinux policy restricted confined users from using the Assistive Technology Service Provider Interface (AT-SPI) services. As a consequence, these services failed to operate in graphical desktop environments. This update adds the required execution and directory access permissions to the SELinux policy.

As a result, assistive technologies, such as the Orca screen reader and on-screen keyboards, function correctly for confined users in SELinux enforcing mode.

Jira:RHEL-133898^[1]

Before this update, the fapolicyd service did not add binaries from /usr/share/*/bin/ directories to the trust database. For example, the /usr/share/Modules/bin/mkroot binary was not added. Consequently, users could not run these binaries when using the trust=1 option in fapolicyd rules. With this fix, the fapolicyd-filter.conf file contains */bin/*. As a result, you can run binaries from /usr/share/*/bin/ with the fapolicyd service active.

Jira:RHEL-141670

Before this update, if you installed a protected package as a dependency required by only one other package and had the clean_requirements_on_remove configuration option enabled, DNF failed to perform any transaction that tried to remove the protected package if this package became an unused dependency. This prevented the removal of the package that depended on it, because DNF would automatically attempt to remove the protected dependency as well. With this update, DNF treats all protected packages as explicitly installed by the user. As a result, DNF no longer attempts to automatically remove protected packages, allowing the removal of the package that depends on it.

Jira:RHEL-76112

Before this update, DNF incorrectly performed comparison of the epoch-version-release (EVR) RPM package information. As a consequence, if you performed two subsequent upgrade transactions for a package that had the same epoch-version but different release, DNF identified the overall transaction as a downgrade. This update fixes the EVR comparison. As a result, DNF identifies two subsequent package upgrades with different release versions as an upgrade.

Jira:RHEL-81779

Before this update, if the dnf-automatic utility used the command_email emitter to send emails to multiple recipients and also used the /usr/bin/mail utility installed with the s-nail package, /usr/bin/mail failed to send an email. With this update, the dnf-automatic utility expands the email_to keyword in the command_format formatting string from a single argument to multiple arguments. As a result, dnf-automatic sends emails to multiple recipients with the default /usr/bin/mail utility.

Jira:RHEL-94321

Before this update, using DNF advisory filters, such as --security, to update certain packages with multiple architectures triggered a logic error in the libsolv dependency solver. As a consequence, updating packages by using advisory filters would sometimes result in a transaction that could not be resolved. This issue affected the libldb and libsmbclient packages. This update fixes the logic error in libsolv. As a result, update transactions involving multiple architectures and the forcebest and implicitobsoleteusescolors solver options resolve.

Jira:RHEL-103995

Before this update, when you verified a package with multiple signatures, pqrpm, the minimal variant of RPM with post quantum cryptography (PQC) support, did not correctly determine the overall verification result when the /usr/lib/pqrpm/bin/rpmkeys utility reported some of the package signatures as NOTTRUSTED. A signature can become NOTTRUSTED if, for example, its certificate is expired or revoked, or if its algorithm is disabled by system-wide cryptographic policies. As a consequence, pqrpm failed to verify the package even if the package had at least one valid and trusted signature.

This update fixes the verification logic in pqrpm to correctly handle packages with NOTTRUSTED signatures. This update also improves error reporting around this functionality.

As a result, pqrpm ignores NOTTRUSTED package signatures and successfully verifies a package with multiple signatures if the package has at least one valid signature and no invalid signatures. Error messages are also clearer and more accurate when verification actually fails.

Jira:RHEL-112700

Before this update, you could not install packages with signatures that used both supported and unsupported RPMv6 package signing algorithms. As a consequence, DNF rejected such packages when verifying their signatures because of the unsupported algorithms. With this update, the DNF multisig plugin ignores signatures classified as NOTTRUSTED in the rpmkeys command output. As a result, multisig can install packages that use both supported and unsupported signing algorithms.

Jira:RHEL-145372

Before this update, the volume_key utility used functions that were incompatible with Federal Information Processing Standards (FIPS) when retrieving a backup passphrase from an escrow packet. Consequently, volume_key failed and reported an error on systems with FIPS mode enabled. This update ensures that the backup passphrase retrieval function is FIPS-compliant. As a result, you can successfully retrieve backup passphrases on FIPS-enabled systems.

Jira:RHEL-113757^[1]

Before this update, RHEL did not automatically disable large receive offload (LRO) on port if you created a VLAN device. As a consequence, this could affect VLAN packet receiving because LRO merges small packets to big ones and ignores the VLAN flag. With this update, RHEL enforces disabling LRO on the port device when you add a VLAN on it. As a result, VLAN packet receiving works correctly.

Jira:RHEL-80409^[1]

Before this update, NetworkManager could not dynamically apply changes if a user changed the sriov.vfs property. As a consequence, NetworkManager connections with Single Root I/O Virtualization (SR-IOV) settings required a restart after modifications. With this release, sriov.vfs now supports the reapply operation if the total number of virtual functions (VFs) does not change. As a result, restarting a connection after modifying SR-IOV settings is no longer required in the mentioned scenario.

Jira:RHEL-113954^[1]

Before this update, if a client, such as the Nmstate API or the GNOME control center application, used the D-Bus API for changes on a global level, it was not possible to set DNS search domains without defining a DNS server. This update fixes the problem, and clients can define only a global-level DNS search domain.

Jira:RHEL-115973^[1]

Before this update, the xdp-trafficgen utility failed on ARM systems with a Missing required option '--interface' error even if you specified the -i <interface> option. As a consequence, it was not possible to probe eXpress Data Path (XDP) support on a specific interface. This update fixes the problem, and the -i <interface> option works correctly on ARM systems.

Jira:RHEL-119860

When you use nftables flowtables, connection tracking entries handled by a flowtable can be marked with an OFFLOAD status to accelerate packet processing. In previous releases, a kernel safeguard prevented the conntrack utility from deleting any entry after it was marked as offloaded. As a consequence, deleting stale entries was not possible. With this update, the kernel was modified to allow the deletion of connection tracking entries regardless of their offload status. As a result, you can use the conntrack utility to remove entries that are handled by an nftables flowtable.

Jira:RHEL-138511^[1]

Before this update, multi-page write operations to GFS2 files sometimes degenerated into page-size (typically 4 KiB) chunks. This happened after an initial multi-page segment was written, particularly when using write(2) with a large buffer that was not resident in memory. This led to reduced write efficiency for large files.

With this release, GFS2 kernel code has been updated to fix the issue. As a result, some large write workloads may see a small improvement in write efficiency.

Jira:RHEL-7971^[1]

Before this update, the libmpathpersist library, which is used by the mpathpersist command, had several issues and corner cases that affected persistent reservation handling for multipath devices. This caused the following problems:

With this release, multiple areas of libmpathpersist have been redesigned and fixed to ensure correct and consistent behavior. As a result, mpathpersist commands on multipath devices now work the same as the equivalent sg_persist commands on SCSI devices. I/O access to multipath devices also consistently reflects the device’s persistent reservation state.

Jira:RHEL-118515

Before this update, starting an operating system installation on a system that used iSCSI storage could cause the Anaconda installer to crash. This occurred when the iSCSI Logical Unit Number (LUN) ID was 256 or higher.

This update includes a fix to the LUN ID parsing logic in the blivet library. As a result, installations on systems that use iSCSI targets with LUN IDs of 256 or greater can now proceed.

Jira:RHEL-122858

Before this update, when a large number of files were deleted on a GFS2 file system, the space occupied by those files remained claimed. As a consequence, the df utility reported much higher disk usage than the du utility, which made the file system appear to have run out of space.

With this release, the logic that manages and updates free disk space counters has been corrected. As a result, disk usage information reported by df and du now remains accurate and consistent, even after mass file deletion operations.

Jira:RHEL-129403^[1]

Before this update, if multipathd started or reconfigured while a path was offline, the daemon did not print regular offline warnings for that path. This made it difficult to identify issues with uninitialized paths.

With this update, multipathd prints offline messages for uninitialized paths. As a result, you can monitor path status consistently.

Jira:RHEL-133814^[1]

Before this update, when a large number of uevents occurred, multipathd delayed processing the events for up to 30 seconds. During this time, multipathd show status incorrectly reported that there was no outstanding work. As a consequence, multipathd did not always react promptly when path devices were added or removed. This could lead to temporary hangs or I/O errors if no active paths were available.

With this update, multipathd processes uevents without delay and reports its status correctly. As a result, multipath devices no longer hang or return I/O errors after a usable path is added.

Jira:RHEL-135904^[1]

Before this update, issuing the nvme subsystem-reset command on the PowerPC platform caused the Non-volatile Memory Express (NVMe) device to enter the resetting state and it failed to recover. As a consequence, the device hung and required a system reboot to recover.

With this release, the NVMe device recovers correctly after a subsystem reset. It is temporarily inaccessible while transitioning from the resetting state to the live state.

Jira:RHEL-137435^[1]

Before this update, pcs automatically wrapped resource and stonith agent descriptions to fit within the terminal window. Consequently, any formatting done by the agents' authors-such as new lines, paragraphs, lists, or tables-was removed, often making the descriptions difficult to read.

With this update, pcs no longer reformats the description text.

As a result, pcs displays resource and stonith agent descriptions exactly as the agents' authors intended, preserving the original structure and improving readability.

Jira:RHEL-113763

Before this update, the db2 resource agent could encounter a race condition when a node was reintegrating into the cluster. Consequently, the reintegrating node could incorrectly attempt to start as a "Primary" instance.

With this update, a "reintegration" attribute has been added to the agent. This allows the agent to correctly identify whether it is expected to join as a "Primary" or not, avoiding the race condition.

As a result, reintegration works correctly. Note that in order to prevent issues during the upgrade, you must disable all db2 resources before applying the update and re-enable them only after the update is complete on all nodes.

Jira:RHEL-118624^[1]

Before this update, the ANSI_X3.110-1983 character set codec was accidentally shipped in the main glibc package. As a consequence, minimal installations and container images were slightly larger, and applications could be exposed to vulnerabilities in the ANSI_X3.110-1983 conversion code even when the glibc-gconv-extra package was not installed.

With this release, the ANSI_X3.110-1983 codec is moved from the main glibc package to the glibc-gconv-extra package. As a result, the amount of conversion code present in minimal installations is reduced, and customers who require ANSI_X3.110-1983 support can obtain it explicitly by installing the glibc-gconv-extra package.

Jira:RHEL-41205

Before this update, the glibc-locale-source package provided character maps in gzip compressed format but did not declare a dependency on the gzip package. As a consequence, using localedef with a character map provided by glibc-locale-source could fail if gzip was not installed on the system because the compressed archive could not be uncompressed.

With this release, glibc-locale-source now depends on the gzip package to ensure that the required compression utility is installed with the character map data. As a result, using localedef with character maps provided by glibc-locale-source now works as expected even on systems where gzip was previously missing.

Jira:RHEL-111005^[1]

Before this update, on systems where Name Service Switch (NSS) merged groups from more than two sources, if merging two groups failed because the internal buffer was too small, glibc skipped that merge result instead of retrying with a larger buffer.

As a consequence, on such systems, running commands like getent group sometimes returned incomplete or empty group lists.

With this update, glibc no longer skips merge failures that are caused by an insufficient internal buffer and instead retries the merge with a larger buffer as intended.

As a result, group membership lookups on systems with multiple group database sources now return complete and correct group membership data.

Jira:RHEL-112149

Before this update, integer deserialization in Boost.JSON was not endian-aware on big-endian systems, and integer fields were interpreted with the wrong byte order. As a consequence, applications that used Boost.JSON to deserialize integer values on big-endian architectures obtained incorrect integer results and could behave unexpectedly.

With this release, the boost package updates Boost.JSON to handle integer deserialization in an endian-aware manner on big-endian systems. As a result, the library returns correct integer values on big-endian systems, ensuring predictable application behavior

Jira:RHEL-116553^[1]

Before this update, missing checks in the __nss_database_get function in the glibc package could cause null pointer dereferences and assertion failures during Name Service Switch (NSS) database lookups. As a consequence, applications relying on NSS could terminate unexpectedly, or the C library could crash under specific lookup conditions.

With this release, additional validation checks are added to the NSS database lookup path in glibc to handle invalid or unexpected internal states safely. As a result, NSS database lookups are more robust, and system stability is improved.

Jira:RHEL-150269

Before this update, when the Domain Name System (DNS) search path in /etc/resolv.conf file contained a single . entry, the glibc DNS stub resolver queried both the original domain name and the same domain name with a trailing dot.

As a consequence, DNS queries for non-existent domains were duplicated, increasing the load on DNS servers.

After this update, the glibc DNS stub resolver no longer appends a trailing dot to domain names when the search path contains only a single . entry.

As a result, DNS queries are no longer duplicated in this configuration, reducing unnecessary DNS traffic and server load.

Jira:RHEL-153056

Before this update, one of the replication functions did not call a required function. As a result, when you ran dsconf <instance_name> replication get-ruv --suffix dc=example,dc=com, an error was displayed. With this update, the command returns a Replica Update Vector (RUV) value as expected.

Jira:RHEL-112727^[1]

Before this update, the numSubordinates and numTombstoneSubordinates attributes were wrongly computed during import. Consequently, when you compared the number of child entries under a specific node, the wrong values were displayed.

With this update, Directory Server computes numSubordinates and numTombstoneSubordinates correctly.

Jira:RHEL-117748^[1]

Before this update, the memberOfDeferredUpdate configuration attribute, which is only effective for a Berkeley DB (BDB) backend, was not ignored on instances with a Lightning Memory-Mapped Database Manager (LMDB) backend. As a consequence, if memberOfDeferredUpdate was enabled on an LMDB instance, the Directory Server could become unresponsive during MemberOf plugin processing of large or complex groups.

With this update, Directory Server ignores the memberOfDeferredUpdate setting on instances with LMDB. As a result, processing large or complex groups no longer causes the server to become unresponsive.

Jira:RHEL-117782^[1]

Before this update, dscreate and dsconf used different functions to parse and display the LMDB database maximum size (nsslapd-mdb-max-size). As a consequence, dscreate create-template displayed the value as a raw floating-point number in bytes, while dsconf backend config set --mdb-max-size accepted values in bytes only, making it difficult to configure consistent values across the two tools.

With this update, both tools use the same parsing functions and accept values with unit suffixes (k, m, g, t), automatically aligning the result to the nearest page boundary. As a result, administrators can use human-readable size values consistently across dscreate and dsconf when setting the LMDB database maximum size.

Jira:RHEL-121170^[1]

Before this update, asynchronous requests that exceeded the maximum number of threads per connection caused server unresponsiveness without identification in the Directory Server access logs. As a consequence, it was difficult to diagnose server unresponsiveness.

With this release, Directory Server uses the new search indicators in the access logs to identify such requests: notes=N defines that the operation is not synchronous. notes=B defines that the operation blocks other new incoming operations: pending operations, not the read operations, are delayed.

In both cases, you might need to increase the nsslapd-maxthreadsperconn attribute value to allow a connection to use more threads.

Jira:RHEL-123231^[1]

Before this update, when the MemberOf plugin completed a global fixup task, the plugin freed its configuration structure before logging the completion message. As a consequence, the completion log message displayed (null) instead of the membership attribute name.

With this update, the MemberOf plugin logs the fixup task completion message before freeing its configuration structure, ensuring the attribute name is available when the message is written. As a result, the completion log message displays the correct membership attribute name, making it easier for administrators to verify fixup operations and troubleshoot issues.

Jira:RHEL-123258^[1]

Before this update, when enabling replication on a consumer, the dsconf utility printed a warning about changelogs to the stdout stream instead of stderr. As a consequence, the textual warning broke JSON parsing in the Directory Server web console, which expects pure JSON on stdout.

With this update, dsconf utility was updated so that the warning about changelogs on consumer replicas is written to stderr. As a result, the Directory Server web console successfully loads the Replication tab after enabling replication on a consumer or changing a role to consumer.

Jira:RHEL-123897^[1]

Before this update, a regression in the handling of filters containing distinguished name (DN) caused LDAP searches with spaces inside DN values in the filter, such as (member=uid=user, ou=people,dc=example,dc=com), to be evaluated incorrectly. As a consequence, applications received incomplete group membership and search results.

With this update, Directory Server normalizes and correctly compares DN values in the filter, accepting filters both with and without spaces in DN components. As a result, LDAP searches that include spaces in DN values return the same, complete results as in earlier RHDS versions, restoring expected application behavior.

Jira:RHEL-126552^[1]

Before this update, the replication agreement could send entries faster than the consumer was able to import during online initialization. In that situation, the consumer responded with an LDAP_BUSY error. As a consequence, the replication agreement did not handle this error and terminated the online initialization.

With this update, the replication agreement handles received LDAP_BUSY responses by retrying the operation after a delay. As a result, online initialization completes successfully even when the consumer temporarily cannot keep up with the rate of incoming entries.

Jira:RHEL-129559^[1]

Before this update, the ipadnsrecord module in ansible-freeipa ignored the create_reverse parameter. As a consequence, when users attempted to add A or AAAA records, the module incorrectly always required an existing reverse DNS zone and the task failed with a "DNS zone not found" error.

With this release, the module logic verifies the status of the create_reverse flag before attempting to validate or locate a reverse zone and skips the check entirely if it is set to false. As a result, the ipadnsrecord module successfully adds A and AAAA records to IdM-managed zones without requiring an existing reverse zone when create_reverse is set to false.

Jira:RHEL-140607

Before this update, when initializing replication with very large databases, especially after major subtree moves, the initialization could appear stalled after sending the initial suffix entry, because it spent excessive time building and checking large internal ID lists. As a consequence, the server experienced long CPU spikes, initialization was delayed or incomplete, and replicas remained outdated for an extended period.

With this update, the internal ID list lookup logic used during online initialization was optimized, making it scalable even with very large datasets. As a result, replication online initialization progresses as expected on large databases.

Jira:RHEL-142980^[1]

Before this update, when access log compression was enabled, the log rotation logic failed to correctly recognize .gz-suffixed rotated access log filenames while rebuilding the internal rotation information, so compressed logs were not associated with their corresponding rotation entries. As a consequence, the nsslapd-accesslog-list did not contain the actual files on disk, and access logs accumulated until manual cleanup was required to prevent disks from filling.

With this update, the log rotation logic was updated to correctly parse and match rotated access log filenames regardless of whether they are compressed (with a .gz suffix) or uncompressed, ensuring compressed logs are included when rebuilding rotation information and validating previous log files. As a result, compressed rotated access logs are properly tracked and removed according to the configured rotation settings.

Jira:RHEL-147212^[1]

Before this update, a defect in the concread dependency used by the Named Data Networking (NDN) cache caused LinCowCell chain drops to incorrectly free shared links when multiple references existed to the same chain. As a consequence, under heavy operations involving the NDN cache, the server could hit a use-after-free condition and fail with a segmentation fault in atomic_compare_exchange(), leading to erratic downtime.

With this update, the 389-ds-base package uses concread version 0.5.10, which correctly stops freeing data when a shared cache link is detected. As a result, NDN cache operations are handled safely, preventing the segmentation fault.

Jira:RHEL-152338^[1]

Before this update, user creation with, for example, a User Principal Name (UPN) format that includes the @ character instead of a sAMAccountName attribute, caused adcli to create user objects with a sAMAccountName which contained invalid characters. As a consequence, Active Directory (AD) operations involving that user could break. With this release, adcli validates the input string for user creation against a list of illegal characters before attempting to create the entry. As a result, adcli terminates user creation if the input is not a valid sAMAccountName value. This prevents the creation of malformed user objects and ensures smoother AD operation.

Jira:RHEL-134945^[1]

Before this update, when connecting to a domain to update a password, adcli always used the Kerberos realm of the first entry in the keytab file. As a consequence, on systems where the keytab contained multiple realms, the renewal process failed with a "no suitable keys" error if the required realm was not listed first. With this release, adcli searches the keytab for a principal that matches the target domain. As a result, machine account password renewals now succeed regardless of the order of entries in the keytab.

Jira:RHEL-134948^[1]

Before this update, the adcli testjoin command unconditionally used the domain or realm from the first entry found in the keytab file to perform its diagnostic test. As a consequence, on systems where the keytab contained principals from multiple domains, adcli testjoin would often attempt to connect to an incorrect domain and fail with a "Realm not local to KDC" error.

With this release, adcli uses the realm from the keytab as the domain name when the domain is not explicitly specified. As a result, users can reliably verify domain connectivity without encountering false authentication failures.

Jira:RHEL-134950^[1]

Before this update, when the nbde_client system role failed to add a required binding to a LUKS-encrypted volume, the rollback mechanism did not always function correctly. This led to idempotence issues, where subsequent attempts to run the role would fail or produce unexpected results because the system was left in a partially modified state.

With this update, the role performs a backup of the LUKS header before initiating any binding operations. If an operation fails, the role uses this backup to restore the header to its original state. As a result, the role correctly maintains idempotence and ensures the system remains in a consistent state even if a binding fails to be added.

Jira:RHEL-84891

The /usr/share/iproute2/rt_tables file contains certain built-in routing table names, such as main. Before this update, if an administrator used the network RHEL system role to modify the routing table and specified a routing table by its name in a playbook, the role failed with the following error:

cannot find route table main in /etc/iproute2/rt_tables or /etc/iproute2/rt_tables.d/

With this update, the network RHEL system role no longer fails to look up routing tables by name in /etc/iproute2/rt_tables and files in the /etc/iproute2/rt_tables.d/ directory.

Jira:RHEL-112805^[1]

Before this update, external configuration files were not loaded first, which prevented overrides of all options in the sshd_config file. Consequently, users experienced incorrect OpenSSH daemon configuration. With this update, external configuration files take priority. As a result, users can override all options in the sshd_config file.

Jira:RHEL-123018^[1]

Before this release, when you used the network RHEL system role with the persistent_state: absent setting to remove undefined profiles, the role attempted to delete the loopback interface profile. Because the system automatically recreates this profile immediately, Ansible incorrectly reported a changed state. This bug fix adds the loopback device to the role-internal black_list_names variable. As a result, the network RHEL system role ignores the loopback interface. This prevents unnecessary changes and the role reports an ok state.

Jira:RHEL-123028^[1]

Before this update, the storage role crashed on systems where /etc/fstab was absent. As a consequence, systems without a file system table configuration experienced failures.

With this update, the storage role checks whether /etc/fstab exists before attempting to parse it. As a result, systems without this file no longer experience a crash when using the storage role.

Jira:RHEL-123044^[1]

Before this update, the aide system role used the deprecated database variable in its templates. On systems running Advanced Intrusion Detection Environment (AIDE) version 0.17 or later, including RHEL 10.2, RHEL 9.8, and CentOS Stream 9, this caused the AIDE service to fail during configuration parsing.

With this update, the role introduces the database_in and aide_version variables to dynamically detect the installed AIDE version and apply the appropriate configuration syntax automatically.

As a result, the aide system role provides consistent file integrity monitoring across different releases without requiring manual configuration changes.

Jira:RHEL-129416^[1]

Before this update, the code failed to check if the disks list was empty before accessing disks[0] in the blivet module. As a consequence, an unhandled IndexError caused playbook failures, leading to poor performance.

With this update, the module checks whether the disk list is empty before accessing it. If no disks are available, a clear error message is displayed instead of triggering an exception.

Jira:RHEL-138058^[1]

Before this update, when you tried to generate an ipsec.conf file for VPN connection between managed and unmanaged hosts, a logic error in the Ansible Playbook caused the task to fail. With this update, the Ansible Playbook references the host and subnet information correctly.

As a result, the vpn system role generates a valid ipsec.conf file for this scenario.

Jira:RHEL-145220^[1]

Before this update, undefined variables, such as module paths, caused the selinux system role to fail during template expansion if the import_role directive was used. This occurred because Ansible attempts to resolve variables in task name fields immediately, even if those tasks are within a block with a when condition that evaluates to false.

With this update, task names use the default, or d, filter to provide a fallback value for potentially undefined variables. This ensures that static imports succeed without error, and dynamic usage with the include_role module still provides detailed task information when variables are present.

As a result, the selinux role functions correctly in playbooks that use the import_role directive even when no specific module path is defined.

Jira:RHEL-145248^[1]

Before this update, creating an LVM volume without specifying a size could cause a ZeroDivisionError. This occurred because the blivet module treated a volume with no specified size as zero.

With this release, if you do not specify size, the volume uses all available space in the pool. As a result, LVM volumes are created successfully even when a size is omitted.

Jira:RHEL-147823^[1]

Previously, if you wanted to look up the interface name by specifying the PCI id for the interface by using the interface_pci_id parameter, and NetworkManager was not installed, the firewall RHEL system role was unable to look up the interface by PCI ID and displayed a warning. As a consequence, the role failed to configure the firewalld service by using the specified interface_pci_id variable. With this update, the role ensures that NetworkManager is installed, and the firewall RHEL system role works as expected.

Jira:RHEL-150782^[1]

Before this update, if you used import_role with modules that had no path set, the role issued undefined variable errors. This occurred because Ansible attempted to expand templates in task names within a block regardless of the when conditions.

With this update, the d filter provides a default value for these variables. As a result, the role no longer errors with import_role and modules without a defined path, and continues to provide additional context in task names when used with include_role.

Jira:RHEL-150789^[1]

Before this update, the blivet module called an undefined function during loop mounts on Red Hat Enterprise Linux 7 because the libblockdev-loop package was missing. As a consequence, the role failed with the "The function 'bd_loop_get_backing_file' called, but not implemented" error.

With this update, the libblockdev-loop package is installed, which prevents blivet errors during loop mounts on RHEL 7.

Jira:RHEL-151438^[1]

Previously, virtual machines (VMs) could not boot on hosts that used a 4th Generation AMD EPYC processor (also known as Genoa) and had the AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) feature enabled. Instead of booting, a kernel panic occurred in the VM. This issue has now been fixed.

Jira:RHEL-32892^[1]

After migrating a virtual machine (VM) between IBM Z hosts by using post-copy migration, the VM previously in some cases lost network connection and required resetting its network interface to reconnect. With this update, the kernel handles post-copy initiation properly, and the problem no longer occurs.

Jira:RHEL-43214^[1]

Before this update, when a virtual Trusted Platform Module (vTPM) data directory was stored on a shared file system, such as NFS, the system failed to create the directory on the destination host during migration, even if it did not exist. This caused virtual machine (VM) migrations to fail. With this update, the system correctly identifies missing vTPM data directories on the destination host and creates them as needed. As a result, virtual machines with a vTPM on shared storage now migrate successfully.

Jira:RHEL-108915

Previously, virtual machines (VMs) could not boot on hosts that used a 4th Generation AMD EPYC processor (also known as Genoa) and had the AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) feature enabled. Instead of booting, a kernel panic occurred in the VM. This issue has now been fixed.

Jira:RHEL-121983^[1]

Previously, after you installed the linux-sgx packages on your host, Intel Trust Domain Extensions (TDX) attestation on your virtual machines (VMs) only worked after you rebooted the host. Now, the /dev/sgx_provision device has correct correct ownership configured after installing linux-sgx, and you can proceed with TDX attestation without rebooting the host.

Jira:RHEL-129059^[1]

Previously, attempting to create a memory dump of a running VM by using the virsh dump --live command on an IBM Z host sometimes caused the VM to become unresponsive. In rare cases, creating a snapshot of a running VM can also caused the VM to become unresponsive. With this update, this issue has been fixed, and VMs on IBM Z work as expected in the described scenarios.

Jira:RHELDOCS-21707^[1]

Before this update, password detection was strict for obfuscating non-alphanumeric characters. With this release, password scrubbing now accepts non-alphanumeric characters. As a result, password detection no longer rejects non-alphanumeric characters, improving password input flexibility.

Jira:RHEL-121515

Before this update, the netmask portion of IPv6 addresses remained visible during the data cleaning process. With this release, both the address and the netmask are properly obfuscated, preventing the accidental exposure of network topology.

Jira:RHEL-121517

Before this update, the obfuscate_file function overwrote the file content with the filename, causing issues with the main archive population in the cleaner. Consequently, incorrectly overwritten file content in sos caused user data corruption. This update introduces the following notable enhancements:

Jira:RHEL-121531

Before this update, the passwords were never scrubbed. With this update, the obfuscation is applied only to the /var/lib/openstack/config/nova directory and obfuscating passwords from transport URLs, not the entire URL.

Jira:RHEL-121534

Before this update, the unscrubbed passwords were collected from containerized AAP deployments because of the improper scrubbing in the aap_containerized plugin. As a consequence, a password leak occurred in these deployments.

With this release, secret obfuscation has been added to the plugin. As a result, sensitive data is properly obfuscated in the containerized AAP deployments, reducing the risk of password leaks.

Jira:RHEL-142618

Before this update, the sos report inadvertently started rhsm.service service even when it was stopped. This caused the service to run in scenarios where there was no internet connection, generating error messages.

With this fix, the sos report no longer starts rhsm.service service when it is disabled, improving system stability in offline environments.

Jira:RHEL-112563

In Podman version 5.8, the container restart policy was not enforced during RHEL system reboot due to an issue in Podman v5.6 and earlier.

With this fix, the issue regarding container restart with -restart=unless-stopped and Podman-restart.service has been addressed. As a result, containers with these settings can start at boot in RHEL 9.8 and later versions.

Jira:RHEL-157746^[1]

Previously, the Buildah and Podman utilities repeatedly requested tokens during each operation. This sometimes caused a race condition in the hosted repository manager.

This update fixes the issue, which improves the performance and stability of the hosted repository manager.

Jira:RHEL-95964

Before this update, the lightspeed keyword was missing from the command-line assistant (CLA) package summary. As a consequence, users could not easily find the package when performing a dnf search. With this update, the keyword is added to the package metadata. As a result, users can now find the package by searching for lightspeed, which makes the CLA easier to install.

Jira:RHEL-129825

With this update, Identity Management (IdM) provides the Modern Web UI as a Technology Preview. This new interface features updated design and is available at the /ipa/modern-ui endpoint. You can access the new interface through a link on the IdM Web UI login screen.

As a Technology Preview, the Modern Web UI is under active development and intended for experimentation in non-production environments. Provide feedback at the FreeIPA Web UI community project to help improve the interface.

Jira:RHEL-134542^[1]

As a Technology Preview, you can now live migrate a virtual machine (VM) with enabled SCSI3-Persistent Reservation (S3-PR), with the reservation state being preserved after the migration. To do this, you must use the following XML configuration for the VM:

<reservations managed="no" migration="yes">

Note, however, that migrating a VM with S3-PR and this configuration to a host that uses a previous version of QEMU fails.

Jira:RHEL-140614^[1]

This Developer Preview introduces the linux-mcp-server for Red Hat Enterprise Linux (RHEL), which is designed to bridge the gap between RHEL systems and large language models (LLMs). By using this Model Context Protocol (MCP) server, you can enable AI applications to perform context-aware troubleshooting on RHEL systems, including log and performance analysis. For more details, see Using the MCP server for RHEL to enable AI assistants to run, discover, and troubleshoot complex issues.

Jira:RHELDOCS-21153^[1]

Previously, the knet transport protocol in Corosync allowed the selection of Stream Control Transmission Protocol (SCTP), although this specific transport was not officially supported in RHEL.

With this update, using SCTP for knet transport is officially deprecated. The option to use SCTP might be removed in a future release.

As a result, users are advised to transition to supported transport protocols. The pcs cluster setup, pcs cluster link add, and pcs cluster link update commands now display a warning if SCTP is specified for knet transport.

Jira:RHEL-126842

The MySQL80, Python 3.11, Node.js 20 and Nodejs 20 Minimal container images are now deprecated and will no longer receive feature updates. To maintain support and receive new features, migrate to the MySQL84 and Python 3.12. Migrate to Node.js22 to stay on a maintained and secure version. Alternatively, migrate to Node.js24 to receive new features for the container images.

Jira:RHELDOCS-22087^[1]