diff --git a/SOURCES/chrony-cmac.patch b/SOURCES/chrony-cmac.patch
new file mode 100644
index 0000000..b8884d3
--- /dev/null
+++ b/SOURCES/chrony-cmac.patch
@@ -0,0 +1,56 @@
+commit 8eb5dd54efd13aa0209aea38dbad2a7904377f75
+Author: Miroslav Lichvar
+Date: Tue Sep 17 13:00:43 2024 +0200
+
+ configure: enable AES-CMAC using gnutls
+
+ Allow gnutls to be used for AES-CMAC when nettle doesn't support it
+ without switching also hashing.
+
+diff --git a/configure b/configure
+index eefe5de8..0fb3aa38 100755
+--- a/configure
++++ b/configure
+@@ -937,14 +937,26 @@ if [ $feat_sechash = "1" ] && [ "x$HASH_LINK" = "x" ] && [ $try_gnutls = "1" ];
+ HASH_LINK="$test_link"
+ MYCPPFLAGS="$MYCPPFLAGS $test_cflags"
+ add_def FEAT_SECHASH
++ fi
++fi
+
+- if test_code 'CMAC in gnutls' 'gnutls/crypto.h' "$test_cflags" "$test_link" \
+- 'return gnutls_hmac_init((void *)1, GNUTLS_MAC_AES_CMAC_128, (void *)2, 0);'
+- then
+- add_def HAVE_CMAC
+- EXTRA_OBJECTS="$EXTRA_OBJECTS cmac_gnutls.o"
+- EXTRA_CLI_OBJECTS="$EXTRA_CLI_OBJECTS cmac_gnutls.o"
+- fi
++if [ $feat_sechash = "1" ] && [ $try_gnutls = "1" ] &&
++ ! grep '#define HAVE_CMAC' config.h > /dev/null; then
++ if [ "$HASH_OBJ" = "hash_gnutls.o" ]; then
++ test_cflags=""
++ test_link=""
++ else
++ test_cflags="`pkg_config --cflags gnutls`"
++ test_link="`pkg_config --libs gnutls`"
++ fi
++ if test_code 'CMAC in gnutls' 'gnutls/crypto.h' "$test_cflags" "$test_link" \
++ 'return gnutls_hmac_init((void *)1, GNUTLS_MAC_AES_CMAC_128, (void *)2, 0);'
++ then
++ add_def HAVE_CMAC
++ EXTRA_OBJECTS="$EXTRA_OBJECTS cmac_gnutls.o"
++ EXTRA_CLI_OBJECTS="$EXTRA_CLI_OBJECTS cmac_gnutls.o"
++ LIBS="$LIBS $test_link"
++ MYCPPFLAGS="$MYCPPFLAGS $test_cflags"
+ fi
+ fi
+
+@@ -978,7 +990,7 @@ EXTRA_CLI_OBJECTS="$EXTRA_CLI_OBJECTS $HASH_OBJ"
+ LIBS="$LIBS $HASH_LINK"
+
+ if [ $feat_ntp = "1" ] && [ $feat_nts = "1" ] && [ $try_gnutls = "1" ]; then
+- if [ "$HASH_OBJ" = "hash_gnutls.o" ]; then
++ if echo "$HASH_OBJ $EXTRA_OBJECTS" | grep "_gnutls\.o" > /dev/null; then
+ test_cflags=""
+ test_link=""
+ else
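Review bot: In the `hash_gnutls.o` branch of the new CMAC block the probe runs with `test_link=""`, while `$HASH_LINK` is only appended to `LIBS` further down (the `LIBS="$LIBS $HASH_LINK"` context line of the second inner hunk). If `test_code` links with nothing beyond the flags it is passed (its definition is not part of this patch), `gnutls_hmac_init` would not resolve there and `HAVE_CMAC` would stay undefined without any build error, so AES-CMAC keys would silently be unavailable on builds that use gnutls for hashing. Passing `"$test_link $HASH_LINK"` as the link argument of the probe would make the check independent of that ordering. Either way it is worth confirming in the configure output that 'CMAC in gnutls' is detected in both the nettle and the gnutls hashing configurations.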
diff --git a/SOURCES/chrony-reload.patch b/SOURCES/chrony-reload.patch
new file mode 100644
index 0000000..b8ac742
--- /dev/null
+++ b/SOURCES/chrony-reload.patch
@@ -0,0 +1,86 @@
+commit f49be7f06343ee27fff2950937d7f6742f53976f
+Author: Miroslav Lichvar
+Date: Tue Mar 12 14:30:27 2024 +0100
+
+ conf: don't load sourcedir during initstepslew and RTC init
+
+ If the reload sources command was received in the chronyd start-up
+ sequence with initstepslew and/or RTC init (-s option), the sources
+ loaded from sourcedirs caused a crash due to failed assertion after
+ adding sources specified in the config.
+
+ Ignore the reload sources command until chronyd enters the normal
+ operation mode.
+
+ Fixes: 519796de3756 ("conf: add sourcedirs directive")
+
+diff --git a/conf.c b/conf.c
+index 6eae11c9..8849bdce 100644
+--- a/conf.c
++++ b/conf.c
+@@ -298,6 +298,8 @@ static ARR_Instance ntp_sources;
+ static ARR_Instance ntp_source_dirs;
+ /* Array of uint32_t corresponding to ntp_sources (for sourcedirs reload) */
+ static ARR_Instance ntp_source_ids;
++/* Flag indicating ntp_sources and ntp_source_ids are used for sourcedirs */
++static int conf_ntp_sources_added = 0;
+
+ /* Array of RefclockParameters */
+ static ARR_Instance refclock_sources;
+@@ -1689,8 +1691,12 @@ reload_source_dirs(void)
+ NSR_Status s;
+ int d, pass;
+
++ /* Ignore reload command before adding configured sources */
++ if (!conf_ntp_sources_added)
++ return;
++
+ prev_size = ARR_GetSize(ntp_source_ids);
+- if (prev_size > 0 && ARR_GetSize(ntp_sources) != prev_size)
++ if (ARR_GetSize(ntp_sources) != prev_size)
+ assert(0);
+
+ /* Save the current sources and their configuration IDs */
+@@ -1859,7 +1865,10 @@ CNF_AddSources(void)
+ Free(source->params.name);
+ }
+
++ /* The arrays will be used for sourcedir (re)loading */
+ ARR_SetSize(ntp_sources, 0);
++ ARR_SetSize(ntp_source_ids, 0);
++ conf_ntp_sources_added = 1;
+
+ reload_source_dirs();
+ }
+diff --git a/test/simulation/203-initreload b/test/simulation/203-initreload
+new file mode 100755
+index 00000000..cf7924b8
+--- /dev/null
++++ b/test/simulation/203-initreload
+@@ -0,0 +1,26 @@
++#!/usr/bin/env bash
++
++. ./test.common
++
++check_config_h 'FEAT_CMDMON 1' || test_skip
++
++# Test fix "conf: don't load sourcedir during initstepslew and RTC init"
++
++test_start "reload during initstepslew"
++
++client_conf="initstepslew 5 192.168.123.1
++sourcedir tmp"
++client_server_conf="#"
++chronyc_conf="reload sources"
++chronyc_start=4
++
++echo 'server 192.168.123.1' > tmp/sources.sources
++
++run_test || test_fail
++check_chronyd_exit || test_fail
++check_source_selection || test_fail
++check_sync || test_fail
++
++check_log_messages "Added source 192\.168\.123\.1" 1 1 || test_fail
++
++test_pass
diff --git a/SPECS/chrony.spec b/SPECS/chrony.spec
index 1cff070..be64a73 100644
--- a/SPECS/chrony.spec
+++ b/SPECS/chrony.spec
@@ -6,7 +6,7 @@ Name: chrony Version: 4.5 -Release: 1%{?dist}.inferit.1 +Release: 2%{?dist}.inferit Summary: An NTP client/server Group: System Environment/Daemons
@@ -34,6 +34,10 @@ Patch2: chrony-service-helper.patch Patch3: chrony-defconfig.patch # fix serverstats to correctly count authenticated packets Patch4: chrony-serverstats.patch +# fix crash on reload command during start +Patch5: chrony-reload.patch +# enable AES-CMAC support using gnutls (but keep nettle for hashing) +Patch6: chrony-cmac.patch # MSVSphere Patch100: 0001-Synchronize-time-via-Russian-NTP-servers.patch
@@ -62,7 +66,7 @@ can also operate as an NTPv4 (RFC 5905) server and peer to provide a time service to other computers in the network. %if 0%{!?vendorzone:1} -%global vendorzone ru. +%global vendorzone %(source /etc/os-release && echo ${ID}.) %endif %prep
@@ -73,6 +77,8 @@ service to other computers in the network. %patch2 -p1 -b .service-helper %patch3 -p1 -b .defconfig %patch4 -p1 -b .serverstats +%patch5 -p1 +%patch6 -p1 -b .cmac %patch100 -p1 %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
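Review bot: The size check in reload_source_dirs() is now unconditional, `if (ARR_GetSize(ntp_sources) != prev_size) assert(0);`, and the commit message says this function is reached from the reload sources command, so any remaining path that leaves `ntp_sources` and `ntp_source_ids` out of step aborts the daemon on a control request. The invariant rests on CNF_AddSources() emptying both arrays before it sets `conf_ntp_sources_added`, which deserves a comment at the check, e.g. `/* ntp_sources and ntp_source_ids are both emptied in CNF_AddSources() and must stay the same size */`. If the package is ever built with NDEBUG, `assert(0)` compiles away and execution would continue with mismatched arrays, so an explicit fatal-error call may be safer than assert here. Both function bodies start and end outside the quoted inner hunks.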
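Review bot: In the `@@ -62,7 +66,7 @@` hunk the new `%global vendorzone %(source /etc/os-release && echo ${ID}.)` takes its value from the build root's /etc/os-release at build time, so the packaged zone depends on the builder rather than on anything fixed in the spec. If that file is missing the expansion is empty, and if `ID` is unset it is a bare `.`; in both cases the build still succeeds. Assuming vendorzone ends up in the default time-server names (that part of the spec is outside this hunk), a wrong value silently changes which NTP servers a default install trusts. I would add a comment naming the expected value and guard it in %prep with `test -n "%{vendorzone}"`; `. /etc/os-release` would also avoid relying on the non-POSIX `source`.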
@@ -222,6 +228,13 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Nov 06 2024 Sergey Cherevko - 4.5-2.inferit +- Update to 4.5-2 + +* Wed Sep 18 2024 Miroslav Lichvar 4.5-2.el8_10 +- fix crash on reload command during start (RHEL-59112) +- enable AES-CMAC support using gnutls (RHEL-59032) + * Mon Jun 10 2024 Sergey Cherevko - 4.5-1.inferit.1 - Update to 4.5-1 - Use more servers instead of pool
@@ -234,6 +247,9 @@ fi * Wed Jan 10 2024 Miroslav Lichvar 4.5-1 - update to 4.5 (RHEL-21069 RHEL-10701) +* Tue Jul 25 2023 MSVSphere Packaging Team - 4.2-1 +- Rebuilt for MSVSphere 8.8 + * Thu Jul 14 2022 Miroslav Lichvar 4.2-1 - update to 4.2 (#2062356) - fix chrony-helper to delete sources by their original name (#2061660)