Security

The following features, enhancements, and changes related to security are introduced in this Oracle Linux 9 release.

AIDE rebased to 0.19.2

The aide package, which provides the Advanced Intrusion Detection Environment (AIDE) utility, has been rebased to upstream version 0.19.2.

p11-kit-client.so moved to the separate p11-kit-client subpackage

The p11-kit-client.so module moves from the p11-kit-server subpackage to the new p11-kit-client subpackage. With the separated subpackages, you can install only the required parts and avoid redundant content on host systems or in containers.

OpenSSH provided in version 9.9

Oracle Linux 9.8 provides OpenSSH in version 9.9, which introduces many fixes and improvements over OpenSSH 8.7, the version provided in Oracle Linux 9.7.

Valkey runs with the redis_t SELinux type

Before this update, Valkey processes did not use the redis_t SELinux type. This caused behavioral inconsistencies with Redis in Oracle Linux 9. With this update, the SELinux policy has been enhanced to run Valkey as redis_t. As a result, Valkey processes align with Redis behavior, providing a consistent security context for these services in Oracle Linux 9 environments.

fapolicyd rebased to 1.4.5

The fapolicyd packages are rebased to upstream version 1.4.5 and provide many enhancements and bug fixes over the previous version.

CanonicalMatchUser in sshd_config prevents privilege escalation for capitalized AD usernames

This update of the openssh packages introduces the CanonicalMatchUser directive for the sshd_config configuration file. With the new directive, you can configure Match User blocks so that sshd first resolves the username through the password database instead of matching the alias the client presented. As a result, Active Directory (AD) users can no longer bypass chroot restrictions by logging in with capital letters in their usernames, a bypass that might lead to privilege escalation.
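The following Python model, added here and not part of OpenSSH or this release, illustrates why a literal Match User comparison can be sidestepped by a case-insensitive directory such as AD, and how canonicalizing the login through the password database first (the behavior the CanonicalMatchUser directive enables) closes the gap. The password database, the Match rules and the helper names are constructed for this illustration.

```python
# Added illustration (not OpenSSH's code): comparing the literal login name
# against a "Match User" pattern versus comparing the canonical name obtained
# from a case-insensitive password database (AD/SSSD style).
from fnmatch import fnmatchcase

# Constructed stand-in for an AD-backed password database: lookups are
# case-insensitive, but the stored (canonical) account name is lower-case.
PASSWD_DB = {"alice": {"home": "/home/alice", "uid": 2001}}


def getpwnam(login: str):
    """Case-insensitive lookup; returns (canonical_name, entry) or None."""
    for canonical, entry in PASSWD_DB.items():
        if canonical == login.lower():
            return canonical, entry
    return None


# Constructed sshd_config-style Match blocks: an SFTP chroot jail for alice.
MATCH_RULES = [
    {"pattern": "alice", "ChrootDirectory": "/srv/sftp/alice"},
]


def effective_chroot(login: str, canonical_match_user: bool):
    """Return the ChrootDirectory that applies to this login, or None.

    With canonical_match_user=False the rules see the name exactly as the
    client sent it, so "Alice" does not match the "alice" block and no
    chroot applies. With canonical_match_user=True the name is first
    resolved through the password database, so every spelling that maps
    to the same account is confined by the same block.
    """
    name = login
    if canonical_match_user:
        hit = getpwnam(login)
        if hit is not None:
            name = hit[0]  # use the database's spelling of the account name
    for rule in MATCH_RULES:
        if fnmatchcase(name, rule["pattern"]):
            return rule["ChrootDirectory"]
    return None


if __name__ == "__main__":
    for login in ("alice", "Alice", "ALICE"):
        print(login, effective_chroot(login, False), effective_chroot(login, True))
```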

GnuTLS rebased to 3.8.10

The gnutls package is rebased to upstream version 3.8.10. This update introduces several enhancements and bug fixes.

crypto-policies supports hybrid ML-KEM and pure ML-DSA in GnuTLS

This update of the system-wide cryptographic policies adds support for hybrid ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) and pure ML-DSA (Module-Lattice-Based Digital Signature) post-quantum (PQ) algorithms in GnuTLS. As a result, you can use GnuTLS in Oracle Linux 9.8 to negotiate TLS connections that use hybrid ML-KEM or pure ML-DSA, provided that the peer supports them and the PQ system-wide cryptographic subpolicy is applied.

/dev/papr-* devices have more specific SELinux labels

With this update of the selinux-policy packages, the following devices have more specific SELinux labels:

  • /dev/papr-indices
  • /dev/papr-physical-attestation
  • /dev/papr-platform-dump

This aligns with the addition of new character device interfaces to the kernel, providing user-space application binary interface (ABI) access to the Power Architecture Platform Reference (PAPR) system parameters, in addition to the existing kernel-internal API.

As a result, the SELinux policy assigns distinct labels to these devices so that different permissions can apply to various services accessing them.

p11-kit rebased to 0.26.1

The p11-kit packages have been upgraded to upstream version 0.26.1.

New package: clevis-pin-trustee

The clevis-pin-trustee package provides a new Clevis pin, trustee, that enables automated encryption and decryption of LUKS-encrypted volumes by using remote attestation through the Trustee Key Broker Service (KBS). The trustee pin integrates with the standard Clevis framework through the clevis-encrypt-trustee and clevis-decrypt-trustee commands, and it includes a Dracut module, 60clevis-pin-trustee, for automated root volume unlocking during early boot.

In scenarios such as confidential clusters for OpenShift and confidential virtual machines with OpenShift Virtualization, the Trustee server acts as the policy enforcement point, releasing the disk encryption key only when the requesting platform’s attestation evidence validates against a set of reference values.

As a result, you can bind LUKS-encrypted volumes to one or more Trustee servers by using a clevis luks bind -d <device> trustee '<config>' command. You can also combine the trustee pin with other Clevis pins, such as tang and tpm2, for multi-factor or multi-policy unlock configurations.

crypto-policies enables mlkem768x25519-sha256 for OpenSSH

This update of the system-wide cryptographic policies adds support for the mlkem768x25519-sha256 key exchange algorithm for OpenSSH, which combines the ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) post-quantum (PQ) algorithm with X25519. This aligns with support for ML-KEM in OpenSSH, providing a quantum-resistant key exchange method for your SSH sessions when you use the PQ system-wide cryptographic policy.

OpenSCAP rebased to 1.3.13

The OpenSCAP packages have been rebased to upstream version 1.3.13.

SCAP Security Guide rebased to 0.1.80

For additional information, see the