diff --git a/build-scripts/labels.txt b/build-scripts/labels.txt index 01b45ef52..b6f880e9f 100644 --- a/build-scripts/labels.txt +++ b/build-scripts/labels.txt @@ -4,10 +4,14 @@ PACKAGES_HUB_x86_64_linux_debian_11 PACKAGES_HUB_arm_64_linux_debian_11 PACKAGES_HUB_x86_64_linux_debian_12 PACKAGES_HUB_arm_64_linux_debian_12 +PACKAGES_HUB_x86_64_linux_debian_13 +PACKAGES_HUB_arm_64_linux_debian_13 PACKAGES_HUB_x86_64_linux_redhat_7 PACKAGES_HUB_x86_64_linux_redhat_8 PACKAGES_HUB_x86_64_linux_redhat_9 +PACKAGES_HUB_x86_64_linux_redhat_10 +PACKAGES_HUB_arm_64_linux_redhat_10 PACKAGES_HUB_x86_64_linux_ubuntu_20 PACKAGES_HUB_x86_64_linux_ubuntu_22 @@ -19,11 +23,15 @@ PACKAGES_x86_64_linux_debian_11 PACKAGES_arm_64_linux_debian_11 PACKAGES_x86_64_linux_debian_12 PACKAGES_arm_64_linux_debian_12 +PACKAGES_x86_64_linux_debian_13 +PACKAGES_arm_64_linux_debian_13 PACKAGES_x86_64_linux_redhat_6 PACKAGES_x86_64_linux_redhat_7 PACKAGES_x86_64_linux_redhat_8 PACKAGES_x86_64_linux_redhat_9 +PACKAGES_x86_64_linux_redhat_10 +PACKAGES_arm_64_linux_redhat_10 PACKAGES_x86_64_linux_suse_12 PACKAGES_x86_64_linux_suse_15 diff --git a/build-scripts/package b/build-scripts/package index a026cdaca..a6589179b 100755 --- a/build-scripts/package +++ b/build-scripts/package @@ -178,6 +178,8 @@ case "$PACKAGING" in # - argv[2] = a b # Also note that $RPMBUILD_OPTIONS might have spaces # which must be preserved + # rhel-10 rpmbuild is more picky about /var/cfengine/lib RPATH we need + export QA_RPATHS=2 # this is a set of bit flags, we just want 0x0002 here eval "$RPMBUILD_CMD" -bb \ --define "'_topdir $BASEDIR/$PKG'" \ --define "'buildprefix $BUILDPREFIX'" \ diff --git a/deps-packaging/apache/cfbuild-apache.spec b/deps-packaging/apache/cfbuild-apache.spec index b04405a42..7db73d125 100644 --- a/deps-packaging/apache/cfbuild-apache.spec +++ b/deps-packaging/apache/cfbuild-apache.spec 
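Review bot: `export QA_RPATHS=2` is set unconditionally ahead of the `eval "$RPMBUILD_CMD" -bb` call, so, as far as I can tell, rpmbuild's invalid-RPATH check (0x0002) is waived for every binary in the package rather than only for the /var/cfengine/lib entry the comment is about; an unexpected RPATH introduced later by a dependency or a linker-flag change would then pass the build unnoticed. The comment line above it also stops mid-sentence (`RPATH we need`). I would finish the comment and state the scope, e.g. `# QA_RPATHS=2 (0x0002) waives rpmbuild's invalid-RPATH check for all binaries; only /var/cfengine/lib is expected`, and consider a post-build step that fails when a packaged binary carries any other RPATH. The same export appears in the second hunk of deps-packaging/pkg-build-rpm, where the trailing comment `no &(ands)` presumably means that no other flags are OR-ed in. The enclosing `case` arm starts and ends outside this hunk.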
@@ -8,6 +8,7 @@ Release: 1 Source0: httpd-%{apache_version}.tar.gz Source1: httpd.conf Patch0: apachectl.patch +Patch1: fixed-implicit-decl-gettid.patch License: MIT Group: Other Url: https://cfengine.com @@ -21,7 +22,8 @@ AutoReqProv: no mkdir -p %{_builddir} %setup -q -n httpd-%{apache_version} -%patch0 -p0 +%patch -P 0 +%patch -P 1 -p1 CPPFLAGS=-I%{buildprefix}/include diff --git a/deps-packaging/libyaml/cfbuild-libyaml.spec b/deps-packaging/libyaml/cfbuild-libyaml.spec index b2de6669f..8ad3ebe70 100644 --- a/deps-packaging/libyaml/cfbuild-libyaml.spec +++ b/deps-packaging/libyaml/cfbuild-libyaml.spec @@ -33,6 +33,7 @@ $MAKE %install rm -rf ${RPM_BUILD_ROOT} $MAKE DESTDIR=${RPM_BUILD_ROOT} install +rm -rf ${RPM_BUILD_ROOT}%{prefix}/lib/libyaml.la %clean rm -rf $RPM_BUILD_ROOT @@ -65,7 +66,6 @@ CFEngine Build Automation -- lmdb -- development files %dir %{prefix}/lib %{prefix}/lib/pkgconfig %{prefix}/lib/*.a -%{prefix}/lib/*.la %changelog diff --git a/deps-packaging/openssl/0010-Update-sha512-x86_64-pl.patch b/deps-packaging/openssl/0010-Update-sha512-x86_64-pl.patch new file mode 100644 index 000000000..bb86d6074 --- /dev/null +++ b/deps-packaging/openssl/0010-Update-sha512-x86_64-pl.patch 
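Review bot: `%patch -P 0` no longer carries the explicit `-p0` that the removed `%patch0 -p0` had, while the new line next to it spells out `-p1`. As far as I know rpm's default strip level is 0, so the two should be equivalent, but writing `%patch -P 0 -p0` keeps the strip level visible and independent of that default. Separately, `Patch1: fixed-implicit-decl-gettid.patch` in the first hunk is a locally carried change to the httpd sources and the patch file is not among the sections shown here; a comment above the `Patch1:` line giving its origin (upstream commit or bug reference) would help when httpd is next upgraded.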
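Review bot: The added `rm -rf ${RPM_BUILD_ROOT}%{prefix}/lib/libyaml.la` removes one regular file, so `-r` is not needed and the expansion is better quoted; `rm -f "${RPM_BUILD_ROOT}%{prefix}/lib/libyaml.la"` does the same job. A one-line comment saying why the libtool archive is dropped (it is also removed from the `%files` list in the next hunk) would save the next reader the lookup.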
@@ -0,0 +1,44 @@ +commit 241d4826f8ee39c92d9b3233146c3e12314871ec +Author: rainerjung +Date: Tue Sep 9 00:10:40 2025 +0200 + + Update sha512-x86_64.pl + + Do not use new assembler code for CPUs with SHA512 support in case the assembler only supports avx but not avx2. + + Reviewed-by: Shane Lontis + Reviewed-by: Paul Dale + (Merged from https://github.com/openssl/openssl/pull/28488) + +diff --git a/crypto/sha/asm/sha512-x86_64.pl b/crypto/sha/asm/sha512-x86_64.pl +index cdc585c..029468d 100755 +--- a/crypto/sha/asm/sha512-x86_64.pl ++++ b/crypto/sha/asm/sha512-x86_64.pl +@@ -574,7 +574,9 @@ $TABLE: + .quad 0x0001020304050607,0x08090a0b0c0d0e0f + .quad 0x0001020304050607,0x08090a0b0c0d0e0f + .asciz "SHA512 block transform for x86_64, CRYPTOGAMS by " ++___ + ++$code.=<<___ if ($avx>1); + # $K512 duplicates data every 16 bytes. + # The Intel(R) SHA512 implementation requires reads of 32 consecutive bytes. + .align 64 +@@ -620,6 +622,8 @@ ${TABLE}_single: + .quad 0x3c9ebe0a15c9bebc, 0x431d67c49c100d4c + .quad 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a + .quad 0x5fcb6fab3ad6faec, 0x6c44198c4a475817 ++___ ++$code.=<<___; + .previous + ___ + } +@@ -2379,7 +2383,7 @@ ___ + }} + }}}}} + +-if ($SZ==8) { ++if ($SZ==8 && $avx>1) { + $code.=<<___; + .type ${func}_sha512ext,\@function,3 + .align 64 diff --git a/deps-packaging/openssl/cfbuild-openssl.spec b/deps-packaging/openssl/cfbuild-openssl.spec index 2cce6d7ab..25b818f64 100644 --- a/deps-packaging/openssl/cfbuild-openssl.spec +++ b/deps-packaging/openssl/cfbuild-openssl.spec @@ -7,6 +7,7 @@ Release: 1 Source0: openssl-%{openssl_version}.tar.gz Patch0: 0006-Add-latomic-on-AIX-7.patch Patch1: 0008-Define-_XOPEN_SOURCE_EXTENDED-as-1.patch +Patch2: 0010-Update-sha512-x86_64-pl.patch License: MIT Group: Other Url: https://cfengine.com @@ -22,6 +23,7 @@ mkdir -p %{_builddir} %patch0 -p1 %patch1 -p1 +%patch2 -p1 %build diff --git a/deps-packaging/pkg-build-rpm b/deps-packaging/pkg-build-rpm index 6dba9a512..6f55e0317 100755 
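Review bot: `%patch2 -p1` adds another use of the numbered `%patchN` form, while the apache spec in this same change moves to `%patch -P N`; the numbered form is deprecated in newer rpm releases, so this spec is likely to need the same conversion for the new build targets. I would write the new line as `%patch -P 2 -p1` and convert `%patch0 -p1` and `%patch1 -p1` alongside it. Since Patch2 touches OpenSSL's SHA-512 assembler generator, a comment next to `Patch2:` naming the upstream pull request quoted in the patch header, and stating that the patch can be dropped once `openssl_version` includes it, would keep the carried change easy to audit.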
--- a/deps-packaging/pkg-build-rpm +++ b/deps-packaging/pkg-build-rpm @@ -76,11 +76,15 @@ if [ $TARGET != native ]; then exit 42 fi +# deps packages may result in binaries without debug symbols even when debugsym=yes aka BUILD_TYPE=DEBUG +# to avoid rpmbuild errors when this occurs, allow empties +RPMBUILD_OPTIONS="$RPMBUILD_OPTIONS --define '_empty_manifest_terminate_build 0'" + case "$TESTS" in no) - RPMBUILD_OPTIONS="--define 'with_testsuite 0'";; + RPMBUILD_OPTIONS="$RPMBUILD_OPTIONS --define 'with_testsuite 0'";; yes) - RPMBUILD_OPTIONS="--define 'with_testsuite 1'";; + RPMBUILD_OPTIONS="$RPMBUILD_OPTIONS --define 'with_testsuite 1'";; *) fatal "Unknown tests option: $TESTS";; esac @@ -112,6 +116,12 @@ fi # example cmd --define 'a b': # - argv[1] = --define # - argv[2] = a b + +# We have /var/cfengine/lib in RPATHS which should be OK +# We asked in https://github.com/rpm-software-management/rpm/issues/3982, and it seems allowing this is OK +# 0x0002 - contains an invalid RPATH - in our case /var/cfengine/lib is OK so allow it as an exception +# Here we only want to specify this one flag: 0x0002. Sadly these scripts run on POSIX shell (especially e.g. aix71 runs as /bin/sh which is ksh) so no bitwise operators. Add them together manually to a decimal integer. +export QA_RPATHS=2 # 0x0002 all by itself, no &(ands) eval $RPMBUILD_CMD -bb \ --define "'_system_ssl $SYSTEM_SSL'" \ --define "'_topdir $BASEDIR/$PKGNAME'" \
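Review bot: The first new assignment, `RPMBUILD_OPTIONS="$RPMBUILD_OPTIONS --define '_empty_manifest_terminate_build 0'"`, reads `RPMBUILD_OPTIONS` before anything in this hunk has set it, whereas the removed case arms assigned it from scratch. Unless the variable is initialised above the hunk, whatever the calling environment exported under that name is now kept and, presumably, expanded by the `eval $RPMBUILD_CMD` call further down. Starting from a known value avoids that: `RPMBUILD_OPTIONS="--define '_empty_manifest_terminate_build 0'"`, with the case arms appending as they now do. The macro also applies to every dependency package, so a package that unexpectedly ships no debug symbols will no longer fail the build; the comment could say that this is accepted.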