diff --git a/moby.spec b/moby.spec
index 5a94f4dbc4b3f09b72751706f29154a108066c64..92d7cad368f59e1c71e01c451efd6994e0db8730 100644
--- a/moby.spec
+++ b/moby.spec
@@ -2,15 +2,17 @@
 %bcond_with fish
 
 %global tini_version 0.19.0
-%global __bindir %_builddir/%{name}-%{version}
-%global goipath github.com/docker
+%global __bindir %_builddir/%{name}-docker-v%{version}
+%global goipath github.com/moby/moby/v2
 %global mobycommit a98f8012
 %global clicommit ab35867b
 
+%global debug_package %{nil}
+
 Summary:       The open-source application container engine
 Name:          moby
-Version:       28.4.0
-Release:       3%{?dist}
+Version:       29.3.1
+Release:       1%{?dist}
 License:       ASL 2.0
 URL:           https://mobyproject.org
 Source0:       https://github.com/%{name}/%{name}/archive/refs/tags/v%{version}.tar.gz
@@ -24,9 +26,9 @@ Source6:       generate-docs.sh
 
 Patch0001: bridge-Reapply-endpoint-iptables-rules-on-firewalld-.patch
 
-BuildRequires: pkgconfig(systemd) golang >= 1.19-1 btrfs-progs-devel device-mapper-devel glibc-static
+BuildRequires: pkgconfig(systemd) golang >= 1.25 btrfs-progs-devel device-mapper-devel glibc-static
 BuildRequires: libselinux-devel libtool-ltdl-devel pkgconfig selinux-policy selinux-policy-devel sqlite-devel
-BuildRequires: systemd-devel libseccomp-devel tar git cmake firewalld-filesystem go-md2man go-rpm-macros
+BuildRequires: systemd-devel libseccomp-devel tar git cmake firewalld-filesystem go-md2man go-rpm-macros nftables-devel
 
 Requires: container-selinux containerd runc systemd pigz iptables tar xz
 Requires: systemd-units shadow-utils device-mapper-libs
@@ -76,7 +78,7 @@ Requires:      nano
 This package installs the open-source application container engine.
 
 %prep
-%setup -q -a 1 -a 2 -n %{name}-%{version}
+%setup -q -a 1 -a 2 -n %{name}-docker-v%{version}
 
 # correct rpmlint errors for bash completion
 sed -i '/env bash/d' cli-%{version}/contrib/completion/bash/docker
@@ -93,10 +95,7 @@ mkdir -p %{__bindir}
 
 # build docker-proxy
 (
-    export GOPATH="$PWD/.gopath"
-    mkdir -p $GOPATH/src/%{goipath}
-    ln -sfn $PWD $GOPATH/src/%{goipath}/docker
-    %gobuild -o %{__bindir}/docker-proxy %{goipath}/docker/cmd/docker-proxy
+    go build -mod=vendor -buildmode=pie -o %{__bindir}/docker-proxy ./cmd/docker-proxy
 )
 
 # build docker-init
@@ -107,26 +106,22 @@ popd
 
 # build docker engine
 (
-    export GOPATH="$PWD/.gopath"
-    mkdir -p $GOPATH/src/%{goipath}
-    ln -sfn $PWD $GOPATH/src/%{goipath}/docker
     export LDFLAGS="-w"
-    export LDFLAGS+=" -X github.com/docker/docker/dockerversion.Version=%{version}"
-    export LDFLAGS+=" -X github.com/docker/docker/dockerversion.GitCommit=%{mobycommit}"
-    export LDFLAGS+=" -X github.com/docker/docker/dockerversion.BuildTime=$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
-    export LDFLAGS+=" -X github.com/docker/docker/dockerversion.IAmStatic=false"
+    export LDFLAGS+=" -X %{goipath}/dockerversion.Version=%{version}"
+    export LDFLAGS+=" -X %{goipath}/dockerversion.GitCommit=%{mobycommit}"
+    export LDFLAGS+=" -X %{goipath}/dockerversion.BuildTime=$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+    export LDFLAGS+=" -X %{goipath}/dockerversion.IAmStatic=false"
     export DOCKER_BUILDTAGS="seccomp selinux journald"
     export BUILDTAGS="${DOCKER_BUILDTAGS}"
     export GOBUILDTAGS="${BUILDTAGS}"
-    export GO111MODULE=off
-    go build -buildmode=pie -tags "${GOBUILDTAGS}" -ldflags "${LDFLAGS}" -o %{__bindir}/dockerd %{goipath}/docker/cmd/dockerd
+    go build -mod=vendor -buildmode=pie -tags "${GOBUILDTAGS}" -ldflags "${LDFLAGS}" -o %{__bindir}/dockerd ./cmd/dockerd
 )
 
-# buid docker cli
+# build docker cli
 pushd cli-%{version}
     export GOPATH="$PWD/.gopath"
-    mkdir -p $GOPATH/src/%{goipath}
-    ln -sfn $PWD $GOPATH/src/%{goipath}/cli
+    mkdir -p $GOPATH/src/github.com/docker
+    ln -sfn $PWD $GOPATH/src/github.com/docker/cli
     export LDFLAGS="-w"
     export LDFLAGS+=" -X github.com/docker/cli/cli/version.Version=%{version}"
     export LDFLAGS+=" -X github.com/docker/cli/cli/version.GitCommit=%{clicommit}"
@@ -134,7 +129,7 @@ pushd cli-%{version}
     export BUILDTAGS="pkcs11"
     export GOBUILDTAGS="${BUILDTAGS}"
     export GO111MODULE=off
-    go build -buildmode=pie -tags "${GOBUILDTAGS}" -ldflags "${LDFLAGS}" -o %{__bindir}/docker %{goipath}/cli/cmd/docker
+    go build -buildmode=pie -tags "${GOBUILDTAGS}" -ldflags "${LDFLAGS}" -o %{__bindir}/docker github.com/docker/cli/cmd/docker
     scripts/docs/generate-man.sh
 popd
 
@@ -151,9 +146,6 @@ install -Dpm 755 %{__bindir}/docker-proxy -t %{buildroot}%{_libexecdir}/docker/
 # install docker-init
 install -Dpm 755 tini-%{tini_version}/%{__cmake_builddir}/tini-static %{buildroot}%{_libexecdir}/docker/docker-init
 
-# install udev rules
-install -Dpm 644 contrib/udev/80-docker.rules -t %{buildroot}%{_usr}/lib/udev/rules.d/
-
 # add init scripts
 install -Dpm 644 contrib/init/systemd/docker.socket -t %{buildroot}%{_unitdir}/
 install -p -m 644 %{SOURCE3} %{buildroot}/%{_unitdir}/docker.service
@@ -171,10 +163,6 @@ install -Dpm 644 cli-%{version}/contrib/completion/zsh/_docker -t %{buildroot}%{
 install -Dpm 644 cli-%{version}/contrib/completion/fish/docker.fish -t %{buildroot}%{_datadir}/fish/vendor_completions.d/
 %endif
 
-# add nano
-install -d %{buildroot}/usr/share/nano
-install -p -m 644 contrib/syntax/nano/Dockerfile.nanorc %{buildroot}/usr/share/nano/Dockerfile.nanorc
-
 # install manpages
 install -Dpm 644 cli-%{version}/man/man1/*.1 -t %{buildroot}%{_mandir}/man1/
 install -Dpm 644 cli-%{version}/man/man5/*.5 -t %{buildroot}%{_mandir}/man5/
@@ -203,7 +191,6 @@ install -Dpm 644 man/man8/*.8 -t %{buildroot}%{_mandir}/man8/
 %dir %{_libexecdir}/docker/
 %{_libexecdir}/docker/docker-proxy
 %{_libexecdir}/docker/docker-init
-%{_usr}/lib/udev/rules.d/80-docker.rules
 %{_unitdir}/docker.service
 %{_unitdir}/docker.socket
 %{_sysusersdir}/moby-engine.conf
@@ -221,10 +208,14 @@ install -Dpm 644 man/man8/*.8 -t %{buildroot}%{_mandir}/man8/
 %endif
 
 %files nano
-%dir %{_datadir}/nano
-%{_datadir}/nano/Dockerfile.nanorc
+%license LICENSE
+%license NOTICE
 
 %changelog
+* Thu Apr 02 2026 hudsonzhu <hudsonzhu@tencent.com> - 29.3.1-1
+- [Type] security
+- [DESC] Fix CVE-2026-34040
+
 * Wed Feb 04 2026 hudsonzhu <hudsonzhu@tencent.com> - 28.4.0-3
 - [Type] bugfix
 - [DESC] pass -ldflags to gobuild to fix docker version showing as unknown
diff --git a/sources b/sources
index 334ce62be8aa59f036a1274247cc80cc32ed9fc8..bfe260c24da3c2ad0eb59c33d7ef62a05ee67c5f 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (v28.4.0.tar.gz) = a98f8012547dc1e61e6a4f420355d29fbd6f6ddb5642601d8762099768e0b284fcf129ee31af155049731f61f43ff4efe42313467055dae32337dc5cc8c8cf78
-SHA512 (cli-28.4.0.tar.gz) = ab35867bdcaa07909cfd24e9bc4f5cde10b6930fa42e87d61d4544bb20b365fff146713239483169ef989cacfae7d7493d7f42d269b0f37f86c0c14a9373b445
+SHA512 (v29.3.1.tar.gz) = 0e2cb5ad394301324a0cc83011504181ceeddd2eb2d952627d431a0ced3796c4fcb114097b0832d6b66bf72faa9ec61405c7eaebcc014c9abb9d6ed97d0128c4
+SHA512 (cli-29.3.1.tar.gz) = c4db794c51bdfafb41eab7edd0d64a25745932d08dceea22083407c5e2d5be790df7a6d4e9b0ffb87ae8a34806e524b1d87c719de3d19516e19f9395319d1af6
 SHA512 (v0.19.0.tar.gz) = 1fa85b56e2c6085ea474f251928e7a40510d92aeef60b3c145b0496969c1b5df86835d143cb91ef5b4bf4da63fa8a56947cc39a4276e4b72faa57276d432b292