diff --git a/chrony-cmac.patch b/chrony-cmac.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b8884d3825f5a82949593c5b400fa764f332bba6
--- /dev/null
+++ b/chrony-cmac.patch
@@ -0,0 +1,56 @@
+commit 8eb5dd54efd13aa0209aea38dbad2a7904377f75
+Author: Miroslav Lichvar
+Date: Tue Sep 17 13:00:43 2024 +0200
+
+ configure: enable AES-CMAC using gnutls
+
+ Allow gnutls to be used for AES-CMAC when nettle doesn't support it
+ without switching also hashing.
+
+diff --git a/configure b/configure
+index eefe5de8..0fb3aa38 100755
+--- a/configure
++++ b/configure
+@@ -937,14 +937,26 @@ if [ $feat_sechash = "1" ] && [ "x$HASH_LINK" = "x" ] && [ $try_gnutls = "1" ];
+ HASH_LINK="$test_link"
+ MYCPPFLAGS="$MYCPPFLAGS $test_cflags"
+ add_def FEAT_SECHASH
++ fi
++fi
+
+- if test_code 'CMAC in gnutls' 'gnutls/crypto.h' "$test_cflags" "$test_link" \
+- 'return gnutls_hmac_init((void *)1, GNUTLS_MAC_AES_CMAC_128, (void *)2, 0);'
+- then
+- add_def HAVE_CMAC
+- EXTRA_OBJECTS="$EXTRA_OBJECTS cmac_gnutls.o"
+- EXTRA_CLI_OBJECTS="$EXTRA_CLI_OBJECTS cmac_gnutls.o"
+- fi
++if [ $feat_sechash = "1" ] && [ $try_gnutls = "1" ] &&
++ ! grep '#define HAVE_CMAC' config.h > /dev/null; then
++ if [ "$HASH_OBJ" = "hash_gnutls.o" ]; then
++ test_cflags=""
++ test_link=""
++ else
++ test_cflags="`pkg_config --cflags gnutls`"
++ test_link="`pkg_config --libs gnutls`"
++ fi
++ if test_code 'CMAC in gnutls' 'gnutls/crypto.h' "$test_cflags" "$test_link" \
++ 'return gnutls_hmac_init((void *)1, GNUTLS_MAC_AES_CMAC_128, (void *)2, 0);'
++ then
++ add_def HAVE_CMAC
++ EXTRA_OBJECTS="$EXTRA_OBJECTS cmac_gnutls.o"
++ EXTRA_CLI_OBJECTS="$EXTRA_CLI_OBJECTS cmac_gnutls.o"
++ LIBS="$LIBS $test_link"
++ MYCPPFLAGS="$MYCPPFLAGS $test_cflags"
+ fi
+ fi
+
+@@ -978,7 +990,7 @@ EXTRA_CLI_OBJECTS="$EXTRA_CLI_OBJECTS $HASH_OBJ"
+ LIBS="$LIBS $HASH_LINK"
+
+ if [ $feat_ntp = "1" ] && [ $feat_nts = "1" ] && [ $try_gnutls = "1" ]; then
+- if [ "$HASH_OBJ" = "hash_gnutls.o" ]; then
++ if echo "$HASH_OBJ $EXTRA_OBJECTS" | grep "_gnutls\.o" > /dev/null; then
+ test_cflags=""
+ test_link=""
+ else
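Review bot: The relocated gnutls CMAC probe still degrades silently: when `pkg_config --libs gnutls` yields nothing or the `test_code 'CMAC in gnutls'` link test fails, `HAVE_CMAC` is simply left undefined and configure carries on, so a build root without the gnutls development files would produce a chronyd without AES-CMAC and no error. Since this package carries the patch specifically to get AES-CMAC, a post-configure guard in the spec such as `grep -q '#define HAVE_CMAC' config.h || exit 1` would turn that into a build failure rather than a binary that lacks the feature. The new NTS condition `grep "_gnutls\.o"` infers "gnutls flags are already in LIBS" from object file names, which is worth stating in a comment above it, e.g. `# gnutls flags were already added by the hash or CMAC check`. The enclosing NTS `if` block continues past the end of the hunk.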
diff --git a/chrony-reload.patch b/chrony-reload.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b8ac742eec45e0ebc89a32814f84975e06b74203
--- /dev/null
+++ b/chrony-reload.patch
@@ -0,0 +1,86 @@
+commit f49be7f06343ee27fff2950937d7f6742f53976f
+Author: Miroslav Lichvar
+Date: Tue Mar 12 14:30:27 2024 +0100
+
+ conf: don't load sourcedir during initstepslew and RTC init
+
+ If the reload sources command was received in the chronyd start-up
+ sequence with initstepslew and/or RTC init (-s option), the sources
+ loaded from sourcedirs caused a crash due to failed assertion after
+ adding sources specified in the config.
+
+ Ignore the reload sources command until chronyd enters the normal
+ operation mode.
+
+ Fixes: 519796de3756 ("conf: add sourcedirs directive")
+
+diff --git a/conf.c b/conf.c
+index 6eae11c9..8849bdce 100644
+--- a/conf.c
++++ b/conf.c
+@@ -298,6 +298,8 @@ static ARR_Instance ntp_sources;
+ static ARR_Instance ntp_source_dirs;
+ /* Array of uint32_t corresponding to ntp_sources (for sourcedirs reload) */
+ static ARR_Instance ntp_source_ids;
++/* Flag indicating ntp_sources and ntp_source_ids are used for sourcedirs */
++static int conf_ntp_sources_added = 0;
+
+ /* Array of RefclockParameters */
+ static ARR_Instance refclock_sources;
+@@ -1689,8 +1691,12 @@ reload_source_dirs(void)
+ NSR_Status s;
+ int d, pass;
+
++ /* Ignore reload command before adding configured sources */
++ if (!conf_ntp_sources_added)
++ return;
++
+ prev_size = ARR_GetSize(ntp_source_ids);
+- if (prev_size > 0 && ARR_GetSize(ntp_sources) != prev_size)
++ if (ARR_GetSize(ntp_sources) != prev_size)
+ assert(0);
+
+ /* Save the current sources and their configuration IDs */
+@@ -1859,7 +1865,10 @@ CNF_AddSources(void)
+ Free(source->params.name);
+ }
+
++ /* The arrays will be used for sourcedir (re)loading */
+ ARR_SetSize(ntp_sources, 0);
++ ARR_SetSize(ntp_source_ids, 0);
++ conf_ntp_sources_added = 1;
+
+ reload_source_dirs();
+ }
+diff --git a/test/simulation/203-initreload b/test/simulation/203-initreload
+new file mode 100755
+index 00000000..cf7924b8
+--- /dev/null
++++ b/test/simulation/203-initreload
+@@ -0,0 +1,26 @@
++#!/usr/bin/env bash
++ ++. ./test.common ++ ++check_config_h 'FEAT_CMDMON 1' || test_skip ++ ++# Test fix "conf: don't load sourcedir during initstepslew and RTC init" ++ ++test_start "reload during initstepslew" ++ ++client_conf="initstepslew 5 192.168.123.1 ++sourcedir tmp" ++client_server_conf="#" ++chronyc_conf="reload sources" ++chronyc_start=4 ++ ++echo 'server 192.168.123.1' > tmp/sources.sources ++ ++run_test || test_fail ++check_chronyd_exit || test_fail ++check_source_selection || test_fail ++check_sync || test_fail ++ ++check_log_messages "Added source 192\.168\.123\.1" 1 1 || test_fail ++ ++test_pass diff --git a/chrony.spec b/chrony.spec index 83e9adb690a71b7f039fc3370bd819aab9e0d4f1..e26db3e7abe9eac74f7e4cd989676197d5b1634c 100644 --- a/chrony.spec +++ b/chrony.spec @@ -1,4 +1,4 @@ -%define anolis_release .0.2 +%define anolis_release .0.1 %global vendorzone ntp.aliyun.com %global _hardened_build 1 %global clknetsim_ver 5d1dc0 @@ -8,7 +8,7 @@ Name: chrony Version: 4.5 -Release: 1%{anolis_release}%{?dist} +Release: 2%{anolis_release}%{?dist} Summary: An NTP client/server Group: System Environment/Daemons @@ -36,6 +36,10 @@ Patch2: chrony-service-helper.patch Patch3: chrony-defconfig.patch # fix serverstats to correctly count authenticated packets Patch4: chrony-serverstats.patch +# fix crash on reload command during start +Patch5: chrony-reload.patch +# enable AES-CMAC support using gnutls (but keep nettle for hashing) +Patch6: chrony-cmac.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel %ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x @@ -73,6 +77,8 @@ service to other computers in the network. %patch2 -p1 -b .service-helper %patch3 -p1 -b .defconfig %patch4 -p1 -b .serverstats +%patch5 -p1 +%patch6 -p1 -b .cmac %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} 
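Review bot: The early `return` added to `reload_source_dirs()` drops a `reload sources` request that arrives during initstepslew/RTC init without leaving any trace; nothing in the hunk logs it or reports a status to the caller, so an operator who pushed new sourcedir files gets no sign that the request was skipped (the directories are read later from `CNF_AddSources()`, as the last conf.c hunk shows). A log line before the return, e.g. `LOG(LOGS_WARN, "Ignored reload of sources before initialisation finished");`, would make that visible. Separately, the size check that follows still ends in `assert(0)` and is now unconditional, so any remaining mismatch between `ntp_sources` and `ntp_source_ids` aborts the daemon on a command-socket request; whether such a state is still reachable cannot be told from the hunk. The added 203-initreload test exercises only the initstepslew path, not RTC init (`-s`), which the commit message names as the second trigger. Both function bodies start and end outside the hunks shown.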
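Review bot: `%patch5 -p1` is the only patch in this hunk applied without a `-b` backup suffix, while the neighbouring `%patch2`–`%patch4` and `%patch6` lines all pass one. If that is deliberate (chrony-reload.patch creates the new script test/simulation/203-initreload, and a backup copy beside it may be unwanted), a comment such as `# no -b: the patch adds a new test script` above the line would keep a later cleanup from changing it; otherwise add `-b .reload` for consistency.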
@@ -224,11 +230,13 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog -* Thu Jul 11 2024 Wenlong Zhang - 4.5-1.0.2 -- skip test error for loongarch64 - -* Tue Jun 25 2024 Weitao Zhou 4.5-1.0.1 +* Mon Nov 11 2024 Weitao Zhou 4.5-2.0.1 - Fix unavailable time server for Anolis OS +- skip test error for loongarch64 (zhangwenlong@loongson.cn) + +* Wed Sep 18 2024 Miroslav Lichvar 4.5-2.el8_10 +- fix crash on reload command during start (RHEL-59112) +- enable AES-CMAC support using gnutls (RHEL-59032) * Wed Jan 10 2024 Miroslav Lichvar 4.5-1 - update to 4.5 (RHEL-21069 RHEL-10701) diff --git a/dist b/dist index 9c0e36ec42a2d9bfefacb21ac6354c9ddd910533..1fe92cf0fdf9c2625d878a2ace258f64c1e8ca44 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8 +an8_10