Alibaba Cloud regularly updates the Alibaba Cloud Linux 4 image to provide the latest OS features and security patches. This document lists the updates for each available image version.
Background
Unless otherwise specified, these updates apply to ECS in all regions.
2026
Alibaba Cloud Linux 4.0.2
Version number | Image ID | Release date | Description |
Alibaba Cloud Linux 4.0.2 | aliyun_4_x64_20G_alibase_20260120.vhd | 2026-01-20 | For more information, see Updates. |
Alibaba Cloud Linux 4.0.2 | aliyun_4_arm64_20G_alibase_20260120.vhd | 2026-01-20 | For more information, see Updates. |
Alibaba Cloud Linux 4.0.2 | aliyun_4_x64_20G_container_optimized_alibase_20260120.vhd | 2026-01-20 | For more information, see Updates. |
Alibaba Cloud Linux 4.0.2 | aliyun_4_arm64_20G_container_optimized_alibase_20260120.vhd | 2026-01-20 | For more information, see Updates. |
Updates
Important updates
Kernel
The kernel is updated to kernel-6.6.102-5.2.alnx4.
Memory
Fixes the tmpfs Large Page allocation policy to ensure compatibility with previous versions.
Adds an atomic mode for RSS stats collection.
Optimizes maple tree copying and VMA (virtual memory area) replacement in dup_mmap() to improve fork() performance.
Backports optimization patches for vfs and ext4 block allocation from the upstream community to enhance performance in specific scenarios.
Other BaseOS updates
Breaking changes with controlled impact:
The default root file system for images continues to be ext4. After a comprehensive evaluation, Alinux 4, starting with version 4.0.2, will continue to use ext4 as the default root file system, consistent with Alinux 3, and will no longer use xfs. This decision is based on several key factors: ext4 has demonstrated higher stability in long-term production environments and through maintenance in the community's stable branch, delivered better performance in certain key scenarios, and provided a smoother migration path for users of Alinux 3 and earlier versions. Additionally, with the latest ANCK-6.6 Kernel's native support for ext4 Large folio, ext4's capabilities for Large Page memory usage are now comparable to those of xfs. This change is transparent to most users and does not affect daily use or O&M experience.
The auditd service starts automatically on boot. The alinux-base-setup package is updated from alinux-base-setup-4.1-6.alnx4 to alinux-base-setup-4.1-7.alnx4, adding a configuration to enable the auditd service at boot. This provides continuous security monitoring and reliable data support for troubleshooting, compliance auditing, and security protection. The configuration uses -a task,never, which prevents the recording of audit events related to process creation or execution. This conserves system resources, prevents system overload, and ensures a controlled impact.
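An added example, not part of the Alibaba Cloud release notes or the alinux-base-setup package: a Python check that reads audit rules in auditctl rule syntax and reports which syscall and watch rules produce no records for tasks started while an unconditional -a task,never rule is loaded. The sample rule set, function names and result keys are constructed for illustration.

```python
import shlex

# Constructed sample in the style of /etc/audit/rules.d/*.rules.
# It is NOT the rule set shipped in the image.
SAMPLE_RULES = """\
## constructed sample
-D
-b 8192
-a task,never
-w /etc/sudoers -p wa -k sudoers_change
-a always,exit -F arch=b64 -S execve -k exec_log
-a exit,always -F arch=b64 -S connect -F success=0
"""


def parse_rules(text):
    """Return [(lineno, tokens)] for each rule line, skipping blanks and comments."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            tokens = shlex.split(stripped)
        except ValueError:
            # Unbalanced quote in the rule: fall back to whitespace splitting.
            tokens = stripped.split()
        rules.append((lineno, tokens))
    return rules


def option_values(tokens, flag):
    """Values that follow each occurrence of `flag`, e.g. every -F field."""
    return [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == flag]


def list_and_action(tokens):
    """Return the {list, action} pair of an -a/-A rule, or None.

    auditctl accepts both 'list,action' and 'action,list', so the pair is
    compared as a set rather than by position.
    """
    for flag in ("-a", "-A"):
        values = option_values(tokens, flag)
        if values:
            return frozenset(part.strip() for part in values[0].split(","))
    return None


def analyse(text):
    """Report whether syscall auditing is suppressed and which rules depend on it.

    Only an unconditional task,never rule (no -F fields) is treated as a
    global suppressor. A rule with -F conditions affects only matching tasks
    and is left for manual review.
    """
    suppressor_line = None
    dependent = []
    for lineno, tokens in parse_rules(text):
        pair = list_and_action(tokens)
        if pair == {"task", "never"} and not option_values(tokens, "-F"):
            if suppressor_line is None:
                suppressor_line = lineno
        elif pair == {"exit", "always"} or "-w" in tokens:
            # Syscall rules and file watches are both evaluated on the
            # syscall exit path, which needs a per-task audit context.
            keys = option_values(tokens, "-k")
            dependent.append((lineno, keys[0] if keys else " ".join(tokens)))
    suppressed = suppressor_line is not None
    return {
        "syscall_audit_suppressed": suppressed,
        "suppressor_line": suppressor_line,
        "silenced_rules": dependent if suppressed else [],
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_RULES)
    print("syscall auditing suppressed:", result["syscall_audit_suppressed"])
    for lineno, label in result["silenced_rules"]:
        print(f"  line {lineno}: {label} will not produce records")
```

On a host, the same function can be fed the concatenated rule files or the output of auditctl -l; a non-empty silenced_rules list means those rules need the task,never line removed before they record anything.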
New features:
New distributed middleware components. Adds the rabbitmq-server component (rabbitmq-server-3.13.0-1.alnx4) and its runtime dependencies (erlang-26.2.5.15-2.alnx4, wxGTK3-3.2.4-1.alnx4, erlang-rpm-macros-0.3.6-1.alnx4, elixir-1.16.1-1.alnx4, erlang-rebar-2.6.1-1.alnx4, python-httpbin-0.7.0-1.alnx4, and python-raven-6.10.0-1.alnx4). These components provide a distributed message queue service to enhance ecosystem support.
Enhancements:
The qemu component is updated from qemu-8.2.0-34.alnx4 to qemu-8.2.0-36.alnx4. This update fixes an initialization issue in the VFIO HCT module, updates ACPI tables for RISC-V virtual machines to support new hardware features (such as SRAT, SLIT, PLIC, APLIC, and IMSIC), optimizes memory management, enhances security to prevent ROP attacks, and improves code reusability.
erofs-utils is updated from erofs-utils-1.8.4-1.alnx4 to erofs-utils-1.8.10-1.alnx4. This update optimizes build performance for -Efragments and -Eall-fragments and further enhances mkfs.erofs metadata build performance. dump.erofs supports outputting file content with the --cat option, and tarerofs adds support for pre-1970 timestamps. Several stability bug fixes are also included.
glibc is updated from glibc-2.38-13.alnx4 to glibc-2.38-16.alnx4, enhancing system performance by changing the memory allocation policy and adjusting default thresholds.
alinux-release is updated from alinux-release-4-11.alnx4 to alinux-release-4-12.alnx4 to mark the release of Alinux 4.0.2.
Security fixes
CVE ID | Severity | Affected component |
CVE-2025-10230 | Critical | samba |
CVE-2025-9640 | High | samba |
CVE-2025-8677 | High | bind |
CVE-2025-8067 | High | udisks2 |
CVE-2025-66293 | High | libpng |
CVE-2025-64459 | High | python-django |
CVE-2025-64458 | High | python-django |
CVE-2025-6395 | High | gnutls |
CVE-2025-62168 | High | squid |
CVE-2025-6020 | High | pam |
CVE-2025-5994 | High | unbound |
CVE-2025-59682 | High | python-django |
CVE-2025-59681 | High | python-django |
CVE-2025-59088 | High | python-kdcproxy |
CVE-2025-58098 | High | httpd |
CVE-2025-57833 | High | python-django |
CVE-2025-57803 | High | ImageMagick |
CVE-2025-55780 | High | mupdf |
CVE-2025-55753 | High | httpd |
CVE-2025-55752 | High | tomcat |
CVE-2025-55298 | High | ImageMagick |
CVE-2025-55154 | High | ImageMagick |
CVE-2025-52881 | High | runc |
CVE-2025-50420 | High | poppler |
CVE-2025-49844 | High | redis |
CVE-2025-49809 | High | mtr |
CVE-2025-48989 | High | tomcat |
CVE-2025-40908 | High | perl-YAML-LibYAML |
CVE-2025-40780 | High | bind |
CVE-2025-40778 | High | bind |
CVE-2025-31133 | High | runc |
CVE-2025-26625 | High | git-lfs |
CVE-2025-13699 | High | mariadb |
CVE-2025-13016 | High | firefox |
CVE-2025-13012 | High | firefox |
CVE-2025-11715 | High | firefox |
CVE-2025-11714 | High | firefox |
CVE-2025-11711 | High | firefox |
CVE-2025-11710 | High | firefox |
CVE-2025-11709 | High | firefox |
CVE-2025-11708 | High | firefox |
CVE-2025-11561 | High | sssd |
CVE-2025-11230 | High | haproxy |
CVE-2025-11021 | High | libsoup3 |
CVE-2025-11021 | High | libsoup |
CVE-2025-0686 | High | grub2 |
CVE-2025-0624 | High | grub2 |
CVE-2024-45779 | High | grub2 |
CVE-2024-4467 | High | qemu |
CVE-2024-31082 | High | tigervnc |
CVE-2024-31082 | High | xorg-x11-server |
CVE-2024-25621 | High | containerd |
CVE-2024-10963 | High | pam |
CVE-2023-50387 | High | systemd |
CVE-2025-14330 | High | firefox |
CVE-2025-14324 | High | firefox |
CVE-2025-14321 | High | firefox |
CVE-2025-9230 | Medium | openssl |
CVE-2025-8291 | Medium | python3.11 |
CVE-2025-8114 | Medium | libssh |
CVE-2025-7462 | Medium | ghostscript |
CVE-2025-7345 | Medium | gdk-pixbuf2 |
CVE-2025-66004 | Medium | usbmuxd |
CVE-2025-65018 | Medium | libpng |
CVE-2025-64506 | Medium | libpng |
CVE-2025-64505 | Medium | libpng |
CVE-2025-64329 | Medium | containerd |
CVE-2025-64181 | Medium | OpenEXR |
CVE-2025-62689 | Medium | libmicrohttpd |
CVE-2025-62594 | Medium | ImageMagick |
CVE-2025-62231 | Medium | xorg-x11-server-Xwayland |
CVE-2025-62231 | Medium | tigervnc |
CVE-2025-62231 | Medium | xorg-x11-server |
CVE-2025-62230 | Medium | xorg-x11-server-Xwayland |
CVE-2025-62230 | Medium | tigervnc |
CVE-2025-62230 | Medium | xorg-x11-server |
CVE-2025-62229 | Medium | xorg-x11-server-Xwayland |
CVE-2025-62229 | Medium | tigervnc |
CVE-2025-62229 | Medium | xorg-x11-server |
CVE-2025-62171 | Medium | ImageMagick |
CVE-2025-61985 | Medium | openssh |
CVE-2025-61984 | Medium | openssh |
CVE-2025-61915 | Medium | cups |
CVE-2025-61723 | Medium | golang |
CVE-2025-61664 | Medium | grub2 |
CVE-2025-61663 | Medium | grub2 |
CVE-2025-61662 | Medium | grub2 |
CVE-2025-61661 | Medium | grub2 |
CVE-2025-60753 | Medium | libarchive |
CVE-2025-59800 | Medium | ghostscript |
CVE-2025-59799 | Medium | ghostscript |
CVE-2025-59798 | Medium | ghostscript |
CVE-2025-59777 | Medium | libmicrohttpd |
CVE-2025-59362 | Medium | squid |
CVE-2025-59089 | Medium | python-kdcproxy |
CVE-2025-58436 | Medium | cups |
CVE-2025-58189 | Medium | golang |
CVE-2025-58188 | Medium | golang |
CVE-2025-58185 | Medium | golang |
CVE-2025-58183 | Medium | golang |
CVE-2025-58068 | Medium | python-eventlet |
CVE-2025-57812 | Medium | libcupsfilters |
CVE-2025-57807 | Medium | ImageMagick |
CVE-2025-54771 | Medium | grub2 |
CVE-2025-54770 | Medium | grub2 |
CVE-2025-5455 | Medium | qt5-qtbase |
CVE-2025-53101 | Medium | ImageMagick |
CVE-2025-53069 | Medium | mysql |
CVE-2025-53062 | Medium | mysql |
CVE-2025-53054 | Medium | mysql |
CVE-2025-53053 | Medium | mysql |
CVE-2025-53045 | Medium | mysql |
CVE-2025-53044 | Medium | mysql |
CVE-2025-53042 | Medium | mysql |
CVE-2025-53040 | Medium | mysql |
CVE-2025-52886 | Medium | poppler |
CVE-2025-52885 | Medium | poppler |
CVE-2025-5222 | Medium | icu |
CVE-2025-5187 | Medium | kubernetes |
CVE-2025-50949 | Medium | fontforge |
CVE-2025-47906 | Medium | golang |
CVE-2025-47219 | Medium | gstreamer1-plugins-good |
CVE-2025-47183 | Medium | gstreamer1-plugins-good |
CVE-2025-46819 | Medium | redis |
CVE-2025-46818 | Medium | redis |
CVE-2025-46817 | Medium | redis |
CVE-2025-4673 | Medium | golang |
CVE-2025-46400 | Medium | transfig |
CVE-2025-4432 | Medium | rust |
CVE-2025-40929 | Medium | perl-Cpanel-JSON-XS |
CVE-2025-32990 | Medium | gnutls |
CVE-2025-32989 | Medium | gnutls |
CVE-2025-32988 | Medium | gnutls |
CVE-2025-32464 | Medium | haproxy |
CVE-2025-24495 | Medium | microcode_ctl |
CVE-2025-23050 | Medium | qt5-qtconnectivity |
CVE-2025-21490 | Medium | mysql |
CVE-2025-20623 | Medium | microcode_ctl |
CVE-2025-20103 | Medium | microcode_ctl |
CVE-2025-20054 | Medium | microcode_ctl |
CVE-2025-20012 | Medium | microcode_ctl |
CVE-2025-14104 | Medium | util-linux |
CVE-2025-13946 | Medium | wireshark |
CVE-2025-13601 | Medium | glib2 |
CVE-2025-13499 | Medium | wireshark |
CVE-2025-13193 | Medium | libvirt |
CVE-2025-13020 | Medium | firefox |
CVE-2025-13019 | Medium | firefox |
CVE-2025-13018 | Medium | firefox |
CVE-2025-13017 | Medium | firefox |
CVE-2025-13014 | Medium | firefox |
CVE-2025-13013 | Medium | firefox |
CVE-2025-12818 | Medium | postgresql |
CVE-2025-12818 | Medium | libpq |
CVE-2025-12748 | Medium | libvirt |
CVE-2025-11712 | Medium | firefox |
CVE-2025-11683 | Medium | perl-YAML-Syck |
CVE-2025-11626 | Medium | wireshark |
CVE-2025-11568 | Medium | luksmeta |
CVE-2025-11411 | Medium | unbound |
CVE-2025-1125 | Medium | grub2 |
CVE-2025-1118 | Medium | grub2 |
CVE-2025-11082 | Medium | gdb |
CVE-2025-10911 | Medium | libxslt |
CVE-2025-10158 | Medium | rsync |
CVE-2025-0838 | Medium | abseil-cpp |
CVE-2025-0690 | Medium | grub2 |
CVE-2025-0689 | Medium | grub2 |
CVE-2025-0685 | Medium | grub2 |
CVE-2025-0678 | Medium | grub2 |
CVE-2025-0677 | Medium | grub2 |
CVE-2025-0622 | Medium | grub2 |
CVE-2024-8176 | Medium | xmlrpc-c |
CVE-2024-56738 | Medium | grub2 |
CVE-2024-56737 | Medium | grub2 |
CVE-2024-47081 | Medium | python-pip |
CVE-2024-45783 | Medium | grub2 |
CVE-2024-45782 | Medium | grub2 |
CVE-2024-45781 | Medium | grub2 |
CVE-2024-45780 | Medium | grub2 |
CVE-2024-45778 | Medium | grub2 |
CVE-2024-45777 | Medium | grub2 |
CVE-2024-45776 | Medium | grub2 |
CVE-2024-45775 | Medium | grub2 |
CVE-2024-45774 | Medium | grub2 |
CVE-2024-45332 | Medium | microcode_ctl |
CVE-2024-43420 | Medium | microcode_ctl |
CVE-2024-38805 | Medium | edk2 |
CVE-2024-28956 | Medium | microcode_ctl |
CVE-2024-22365 | Medium | pam |
CVE-2024-12243 | Medium | gnutls |
CVE-2024-12133 | Medium | libtasn1 |
CVE-2024-0567 | Medium | gnutls |
CVE-2024-0553 | Medium | gnutls |
CVE-2023-46048 | Medium | texlive-base |
CVE-2018-17828 | Medium | zziplib |
CVE-2025-9403 | Low | jq |
CVE-2025-9230 | Low | openssl1.1 |
CVE-2025-8277 | Low | libssh |
CVE-2025-66418 | Low | python-urllib3 |
CVE-2025-64720 | Low | libpng |
CVE-2025-64524 | Low | cups-filters |
CVE-2025-6199 | Low | gdk-pixbuf2 |
CVE-2025-6075 | Low | python3.10 |
CVE-2025-6075 | Low | python3.11 |
CVE-2025-55212 | Low | ImageMagick |
CVE-2025-53019 | Low | ImageMagick |
CVE-2025-53014 | Low | ImageMagick |
CVE-2025-4945 | Low | libsoup3 |
CVE-2025-4945 | Low | libsoup |
CVE-2025-46394 | Low | busybox |
CVE-2025-46393 | Low | ImageMagick |
CVE-2025-43965 | Low | ImageMagick |
CVE-2025-30258 | Low | gnupg2 |
CVE-2025-13015 | Low | firefox |
CVE-2025-11731 | Low | libxslt |
CVE-2025-0684 | Low | grub2 |
CVE-2024-58251 | Low | busybox |
CVE-2024-57360 | Low | binutils |
CVE-2024-25177 | Low | luajit |
CVE-2024-13176 | Low | openssl |
Bug fixes
Key fixes
Updated glibc from glibc-2.38-13.alnx4 to glibc-2.38-15.alnx4 to resolve a MySQL performance regression.
Updated kexec-tools from kexec-tools-2.0.26-10.alnx4 to kexec-tools-2.0.26-12.alnx4 to fix a vmcore generation failure on the x86 architecture for the ecs.ebmg8i.48xlarge instance type.
Updated python-blivet from python-blivet-3.10.0-2.alnx4 to python-blivet-3.10.0-3.alnx4 to fix a UUID error during ISO installation when multiple NVMe disks are present.
Updated systemd from systemd-255-9.alnx4 to systemd-255-12.alnx4, resolving a device recognition issue after hot-plugging and fixing a load failure of the sg driver module.
General fixes:
Updated python-rtslib from python-rtslib-2.1.75-2.alnx4 to python-rtslib-2.1.75-3.alnx4, fixing an error in targetcli.
Updated libcgroup from libcgroup-3.0.0-2.alnx4 to libcgroup-3.1.0-2.alnx4 to align the package with its upstream version.
Updated gdm from gdm-44.1-3.alnx4 to gdm-44.1-4.alnx4, fixing a screen corruption issue on Inspur systems caused by a conflict between Inspur's proprietary HAM chip and Wayland.
Miscellaneous updates and fixes:
Updated junit5 from junit5-5.10.2-1.alnx4 to junit5-5.10.2-2.alnx4, fixing an inconsistent source MD5 checksum.
Updated mariadb-connector-c from mariadb-connector-c-3.4.4-1.alnx4 to mariadb-connector-c-3.4.4-2.alnx4, fixing an inconsistent source MD5 checksum.
Updated inkscape from inkscape-1.4.2-1.alnx4 to inkscape-1.4.2-2.alnx4, rebuilt after an update to poppler.
Updated vala from vala-0.56.9-1.alnx4 to vala-0.56.17-1.alnx4, fixing a gtksourceview5 build failure.
Updated qemu from qemu-8.2.0-34.alnx4 to qemu-8.2.0-37.alnx4, adjusting the Obsoletes declaration to resolve upgrade errors caused by the removal of certain binary packages in newer versions.
Updated cups-filters from cups-filters-2.0.0-1.alnx4 to cups-filters-2.0.1-2.alnx4, adjusting the Obsoletes declaration to resolve upgrade errors caused by the removal of certain binary packages in newer versions.
Known issues
2025
Alibaba Cloud Linux 4 LTS 64 bit Deb Edition
Version number | Image ID | Release date | Release details |
4.2404.0 | alinux_4_deb_x64_20G_alibase_20251223.vhd | 2025-12-30 | For more information, see Updates. |
Updates
Alibaba Cloud Linux 4 LTS 64 bit Deb Edition provides improved training and inference performance compared to Ubuntu 24.04. The following results are from benchmarks that use the openclip and bevformer models:
Bevformer_base training
The average throughput per step increases by ~6% at FP32 precision and by ~4% at FP16 precision.
Openclip (RN50) training and inference
The average training throughput per step increases by ~13%, and the average inference throughput increases by ~30%.
Important updates
Kernel 6.8.0-1036-aiext_6.8.0-1036.39.100
New features
This update adds support for the large folio feature to address performance bottlenecks in CPFS-fuse.
Compatibility
Based on nvidia-ubuntu version 1036.39.
Changes virtio-related kconfig options to m to simplify future stability fixes for virtio module issues.
Stability
Fixed a virtio net hdrlen issue in DPU scenarios.
Fixed a vblk iohang issue in DPU scenarios.
Packages
Pre-installed kmod-fuse_6.8.0-1036-aiext-1.0.5.2-2 enhances support for fuse over io_uring mode and large folio, delivering performance of up to 1 million IOPS and 40 GB/s for cache read/write bandwidth.
Keentune 3.4.1-1, a proprietary Alibaba Cloud product that uses expert knowledge and AI algorithms to optimize performance for AI workloads, is pre-installed.
Memboost, a user mode memory optimization component available from the apt repository, uses configurable policies to balance memory performance, cost, and stability to help AI and high-concurrency workloads run efficiently.
Alibaba Cloud Linux 4.0.1
Version | Image ID | Release date | Description |
Alibaba Cloud Linux 4.0.1 | aliyun_4_x64_20G_alibase_20251011.vhd | 2025-10-11 | For details, see Updates. |
Alibaba Cloud Linux 4.0.1 | aliyun_4_arm64_20G_alibase_20251011.vhd | 2025-10-11 | For details, see Updates. |
Alibaba Cloud Linux 4.0.1 | aliyun_4_x64_20G_container_optimized_alibase_20251106.vhd | 2025-11-24 | For details, see Updates. |
Alibaba Cloud Linux 4.0.1 | aliyun_4_arm64_20G_container_optimized_alibase_20251106.vhd | 2025-11-24 | For details, see Updates. |
Updates
Important updates
Kernel
The kernel has been updated to kernel-6.6.102-5.alnx4.
Memory
Enabled huge page optimization for code by default in the cmdline.
Optimized the mremap() system call.
Optimized the folio move system call.
Optimized contiguous PTE operations.
Optimized the creation of tmpfs huge page mappings.
Optimized the mincore() system call.
Fixed the check for shmem large-order support.
Enabled creation of the entire large mapping on a tmpfs fault.
Fixed a performance issue caused by a semantic change in huge=always.
Optimized the batch size for 64K kernel memory statistics.
Backported mTHP support for madvise_free.
Ported the low-power container feature.
Architecture
X86
Added support for EDAC, ISST, PMU-Core, PMU-Uncore, and PMU-CWF-events for the Intel CFW architecture.
Added support for AMD Fire Range CPUs.
RISC-V
Added support for the rva23 mandatory instruction set.
Added support for multi-level page tables: SV32 (32-bit), SV39, SV48, and SV57 (64-bit).
Added support for HugeTLB and huge pages (NAPOT extension).
Added support for CPU hot-plug management through the SBI Hart State Management (HSM) extension.
Added support for atomic operation extensions (Zabha and Zacas).
Added support for the performance monitoring unit (PMU).
CVE fixes
CVE-2024-56775: The AMD display driver failed to correctly maintain plane reference counts when backing up and restoring plane state. This failure can cause a memory leak or illegal memory access, affecting display system stability and performance.
CVE-2024-21927: The nvme driver did not validate the NVMe-over-TCP PDU header length.
CVE-2024-38264: The nvme-tcp driver did not validate the request list, potentially causing a request-processing loop.
CVE-2024-39702: The ipv6/sr module did not use constant-time comparison for MAC addresses.
CVE-2024-39711: A missing mei_cldev_disable call can cause a use-after-free vulnerability.
CVE-2024-39746: Improper handling of unreliable hardware conditions can cause a system crash.
CVE-2024-39790: Failure to detect an event pointing to an unexpected TRE can cause a buffer double-free.
CVE-2024-39833: Deleting an uninitialized timer could cause debug warnings and system instability.
CVE-2024-39866: The __mark_inode_dirty function contained a use-after-free vulnerability.
Package updates
The BaseOS baseline for Alibaba Cloud Linux 4.0.1 is an updated release of Anolis OS 23.3.
Switched the default file system in ECS environments from ext4 to xfs, which significantly improves performance with the 6.6 kernel.
Switched the Docker provider to moby. The legacy docker component will no longer be updated but is retained in the repository. Its configuration prevents simultaneous installation with moby.
Disabled the rpcbind service by default to reduce open ports and enhance the security of public images.
Added the ossfs-1.91.7 component, a command-line interface (CLI) for Alibaba Cloud OSS. This tool mounts OSS buckets to your local file system, which simplifies object management and data sharing.
Added vtoa-2.1.1, which lets an instance retrieve the client's real IP address in FullNAT scenarios.
Added idlemd-2.5.2, a tool for monitoring and scheduling memory to manage idle resources.
Added fuse317-3.17, which provides the latest community support for FUSE over io_uring. This version also introduces the usrbio engine to support interfaces similar to DeepSeek-3FS.
Added tongsuo3-8.5.0 to support post-quantum cryptography and Guomi (Chinese commercial cryptographic algorithms).
Security updates
Package name | CVE ID | Updated version |
tigervnc | CVE-2024-21885, CVE-2025-49175, CVE-2025-49176, CVE-2025-49178, CVE-2025-49179, CVE-2025-49180 | tigervnc-1.13.1-5.alnx4 |
systemd | CVE-2025-4598 | systemd-255-9.alnx4 |
redis | CVE-2025-27151, CVE-2025-32023, CVE-2025-48367 | redis-7.2.10-1.alnx4 |
qemu | CVE-2024-26327 CVE-2024-26328 CVE-2024-3446 CVE-2024-3567 CVE-2024-7409 | qemu-8.2.0-34.alnx4 |
python-paramiko | CVE-2023-48795 | python-paramiko-3.4.0-1.alnx4 |
postgresql | CVE-2025-4207, CVE-2025-8713, CVE-2025-8714, CVE-2025-8715 | postgresql-15.14-1.alnx4 |
openssl1.1 | CVE-2022-4450 CVE-2023-0215 | openssl1.1-1.1.1q-7.alnx4 |
openssh | CVE-2024-39894, CVE-2024-6387, CVE-2025-26466 | openssh-9.6p1-3.alnx4 |
openjpeg2 | CVE-2023-39327, CVE-2023-39328, CVE-2025-54874 | openjpeg2-2.5.3-2.alnx4 |
nginx | CVE-2025-23419, CVE-2025-53859 | nginx-1.26.2-3.alnx4 |
libxml2 | CVE-2025-24928, CVE-2025-49794, CVE-2025-49795, CVE-2025-49796, CVE-2025-6021, CVE-2025-6170, CVE-2025-7425 | libxml2-2.11.5-15.alnx4 |
libssh2 | CVE-2023-48795 | libssh2-1.11.0-3.alnx4 |
libssh | CVE-2025-5318, CVE-2025-5351, CVE-2025-5372, CVE-2025-5987 | libssh-0.10.5-10.alnx4 |
krb5 | CVE-2025-24528 | krb5-1.21.2-5.alnx4 |
jupyterlab | CVE-2024-43805 | jupyterlab-4.3.2-1.alnx4 |
httpd | CVE-2024-42516, CVE-2024-43204, CVE-2024-47252, CVE-2025-49630, CVE-2025-49812, CVE-2025-53020 | httpd-2.4.64-1.alnx4 |
firefox | CVE-2025-0247, CVE-2025-1943, CVE-2025-4918, CVE-2025-5283, CVE-2025-6965, CVE-2025-8027, CVE-2025-8028, CVE-2025-8034, CVE-2025-8035, CVE-2025-9179, CVE-2025-9180, CVE-2025-9181, CVE-2025-9185 | firefox-140.3.0-1.alnx4 |
expat | CVE-2024-28757, CVE-2024-45490, CVE-2024-45491, CVE-2024-45492, CVE-2024-50602, CVE-2024-8176 | expat-2.5.0-6.alnx4 |
aide | CVE-2025-54389 | aide-0.19.2-1.alnx4 |
NetworkManager | CVE-2024-3661 CVE-2024-6501 | NetworkManager-1.44.2-4.alnx4 |
yasm | CVE-2023-31975, CVE-2024-22653 | yasm-1.3.0-11.alnx4 |
xorg-x11-server-Xwayland | CVE-2025-49175 CVE-2025-49176 CVE-2025-49177 CVE-2025-49178 CVE-2025-49179 CVE-2025-49180 | xorg-x11-server-Xwayland-23.2.5-4.alnx4 |
xorg-x11-server | CVE-2025-49175 CVE-2025-49176 CVE-2025-49178 CVE-2025-49179 CVE-2025-49180 | xorg-x11-server-1.20.14-15.alnx4 |
unbound | CVE-2024-43167 | unbound-1.17.1-7.alnx4 |
tomcat | CVE-2025-46701, CVE-2025-48988, CVE-2025-49125, CVE-2025-52434, CVE-2025-52520, CVE-2025-53506 | tomcat-9.0.107-1.alnx4 |
sqlite | CVE-2025-6965 | sqlite-3.42.0-5.alnx4 |
ruby | CVE-2025-25186 CVE-2025-27219 CVE-2025-27221 | ruby-3.3.9-5.alnx4 |
python3.11 | CVE-2023-27043 CVE-2024-0397 CVE-2024-0450 CVE-2024-3219 CVE-2024-4032 CVE-2024-6232 CVE-2024-6923 CVE-2024-7592 CVE-2024-8088 CVE-2024-9287 CVE-2025-4516 CVE-2025-4517 CVE-2025-6069 CVE-2025-8194 | python3.11-3.11.6-9.alnx4 |
python-virtualenv | CVE-2024-53899 | python-virtualenv-20.28.0-1.alnx4 |
python-setuptools | CVE-2024-6345 CVE-2025-47273 | python-setuptools-68.0.0-3.alnx4 |
python-black | CVE-2024-21503 | python-black-24.3.0-1.alnx4 |
protobuf | CVE-2025-4565 | protobuf-3.19.6-7.alnx4 |
polkit | CVE-2025-7519 | polkit-123-2.alnx4 |
php | CVE-2024-11235, CVE-2025-1735, CVE-2025-6491 | php-8.3.19-2.alnx4 |
perl | CVE-2024-56406, CVE-2025-40909 | perl-5.36.3-18.alnx4 |
nodejs | CVE-2025-23084 | nodejs-22.16.0-1.alnx4 |
ncurses | CVE-2025-6141 | ncurses-6.4-5.20240127.alnx4 |
mercurial | CVE-2025-2361 | mercurial-6.9.4-1.alnx4 |
libtiff | CVE-2025-8534 | libtiff-4.7.1-1.alnx4 |
libsoup | CVE-2025-32052 CVE-2025-4476 CVE-2025-46421 CVE-2025-4948 | libsoup-2.74.3-18.alnx4 |
libpq | CVE-2025-4207 | libpq-15.13-1.alnx4 |
libarchive | CVE-2025-5914, CVE-2025-5915, CVE-2025-5916, CVE-2025-5917, CVE-2025-5918 | libarchive-3.7.1-8.alnx4 |
keepalived | CVE-2024-41184 | keepalived-2.3.2-1.alnx4 |
iputils | CVE-2025-47268 CVE-2025-48964 | iputils-20221126-3.alnx4 |
iperf3 | CVE-2025-54349 CVE-2025-54350 | iperf3-3.19.1-1.alnx4 |
gstreamer1-plugins-bad-free | CVE-2025-3887 CVE-2025-6663 | gstreamer1-plugins-bad-free-1.26.4-1.alnx4 |
gstreamer1 | CVE-2025-6663 | gstreamer1-1.26.4-1.alnx4 |
gnome-remote-desktop | CVE-2025-5024 | gnome-remote-desktop-47.3-2.alnx4 |
gnome-control-center | CVE-2023-5616 | gnome-control-center-47.3-1.alnx4 |
glibc | CVE-2025-8058 | glibc-2.38-13.alnx4 |
glib2 | CVE-2024-34397 CVE-2025-4056 CVE-2025-6052 | glib2-2.78.3-8.alnx4 |
edk2 | CVE-2024-1298, CVE-2024-38796, CVE-2024-38797 | edk2-202402-19.alnx4 |
dpkg | CVE-2025-6297 | dpkg-1.22.21-1.alnx4 |
djvulibre | CVE-2025-53367 | djvulibre-3.5.28-4.alnx4 |
dav1d | CVE-2024-1580 | dav1d-1.4.0-1.alnx4 |
coreutils | CVE-2024-0684 CVE-2025-5278 | coreutils-9.4-6.alnx4 |
containerd | CVE-2024-40635 | containerd-1.6.38-1.alnx4 |
ceph | CVE-2025-52555 | ceph-18.2.1-5.alnx4 |
binutils | CVE-2024-53589 CVE-2025-3198 CVE-2025-5244 CVE-2025-5245 CVE-2025-7545 CVE-2025-7546 | binutils-2.41-12.alnx4 |
augeas | CVE-2025-2588 | augeas-1.14.2-2.alnx4 |
python-requests | CVE-2024-47081 | python-requests-2.32.3-2.alnx4 |
fish | CVE-2023-49284 | fish-3.6.0-3.alnx4 |
git | CVE-2024-52005 CVE-2025-48384 CVE-2025-48385 CVE-2025-48386 | git-2.47.3-1.alnx4 |
jq | CVE-2025-49014 | jq-1.8.1-1.alnx4 |
vim | CVE-2024-43374 CVE-2024-43802 | vim-9.0.2092-8.alnx4 |
sudo | CVE-2025-32462 CVE-2025-32463 | sudo-1.9.15p5-3.alnx4 |
perl-Module-ScanDeps | CVE-2024-10224 | perl-Module-ScanDeps-1.31-3.alnx4 |
exiv2 | CVE-2025-26623 | exiv2-0.28.7-1.alnx4 |
apache-commons-io | CVE-2024-47554 | apache-commons-io-2.16.1-1.alnx4 |
taglib | CVE-2023-47466 | taglib-1.13-2.alnx4 |
iniparser | CVE-2025-0633 | iniparser-4.1-6.alnx4 |
ppp | CVE-2024-58250 | ppp-2.5.2-1.alnx4 |
transfig | CVE-2025-31162 CVE-2025-31163 CVE-2025-31164 CVE-2025-46397 CVE-2025-46398 CVE-2025-46399 | transfig-3.2.9-3.alnx4 |
net-tools | CVE-2025-46836 | net-tools-2.10-4.alnx4 |
yelp | CVE-2025-3155 | yelp-42.2-5.alnx4 |
perl-Mojolicious | CVE-2024-58134 | perl-Mojolicious-9.40-1.alnx4 |
Bug fixes
Fixed errors that occurred when running the mvn command after installing Maven.
Resolved warnings in the environment log about a missing pam_fprintd.so file.
Corrected an inconsistency between the version of the lcov package reported by rpm -qi and its actual version.
Ensured cmdline settings configured in alinux-base-setup take effect.
Fixed an incorrect time zone path in the tzdata package.
Fixed failures that occurred when installing the nvidia-driver package.
Known issues
On an ECS instance of the ebmhfr7.48xlarge instance type, the NetworkManager-wait-online service fails to start during boot. This instance type includes a USB network device that increases the startup time for the NetworkManager service. As a result, the NetworkManager-wait-online service times out and fails to start. If you do not use the USB network device, you can configure NetworkManager not to manage usb0. To do so, edit the /etc/NetworkManager/conf.d/99-unmanaged-device.conf file and add the following content:
    [device-usb0-unmanaged]
    match-device=interface-name:usb0
    managed=0
After you edit the file, restart the NetworkManager service for the changes to take effect. NetworkManager will no longer manage the usb0 device. Restart the system and verify that the NetworkManager-wait-online service starts normally.
After installing a desktop environment from an ISO, the Sharing Settings menu is missing. This issue occurs because of a change in version 47 of gnome-control-center. The Sharing Settings menu now requires gnome-remote-desktop to enable the remote desktop protocol. This feature is currently unsupported but is planned for a future release.
After installing a desktop environment from an ISO, setting the time zone to Automatic in Date & Time Settings fails to disable manual region selection.
After installing a desktop environment from an ISO, changing the user avatar in User Settings fails.
On the x86 architecture, after installing a desktop environment from an ISO, changing the Display Orientation in Display Settings fails.
Alibaba Cloud Linux 4.0
Version | Image ID | Release date | Details |
Alibaba Cloud Linux 4.0 | aliyun_4_x64_20G_alibase_20250728.vhd | 2025-07-28 | |
Updates
Security updates
Package | CVE ID | Updated version |
udisks2 libblockdev | CVE-2025-6019 | udisks2-2.10.90-2.alnx4 |
python-tornado | CVE-2025-47287 | python-tornado-6.4.2-2.alnx4 |
libsoup | CVE-2025-2784 CVE-2025-46420 CVE-2025-32914 CVE-2025-32913 CVE-2025-32912 CVE-2025-32911 CVE-2025-32910 CVE-2025-32909 CVE-2025-32907 CVE-2025-32906 CVE-2025-32053 CVE-2025-32050 CVE-2025-32049 | libsoup-2.74.3-14.alnx4 |
xz | CVE-2025-31115 | xz-5.4.7-3.alnx4 |
python-jinja2 | CVE-2025-27516 CVE-2024-34064 | python-jinja2-3.1.3-4.alnx4 |
wireshark | CVE-2025-1492 | wireshark-4.4.2-3.alnx4 |
emacs | CVE-2025-1244 CVE-2024-53920 | emacs-29.4-5.alnx4 |
curl | CVE-2025-0725 CVE-2025-0665 CVE-2025-0167 CVE-2024-11053 CVE-2024-9681 CVE-2024-8096 CVE-2024-7264 CVE-2024-2398 CVE-2024-2004 CVE-2023-46218 CVE-2023-46219 | curl-8.4.0-11.alnx4 |
openssl | CVE-2024-13176 CVE-2024-9143 CVE-2024-6119 CVE-2024-4741 CVE-2024-4603 CVE-2024-2511 CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678 | openssl-3.0.12-13.alnx4 |
docker | CVE-2024-41110 CVE-2024-36623 | docker-24.0.9-6.alnx4 |
libxml2 | CVE-2025-49794 CVE-2025-49796 CVE-2025-32415 CVE-2025-32414 CVE-2025-27113 CVE-2025-24928 CVE-2025-7425 CVE-2025-6170 CVE-2025-6021 CVE-2024-56171 CVE-2024-40896 CVE-2024-34459 CVE-2024-25062 | libxml2-2.11.5-11.alnx4 |
krb5 | CVE-2024-37371 CVE-2024-37370 CVE-2024-26462 CVE-2024-26461 CVE-2024-26458 | krb5-1.21.2-4.alnx4 |
libcdio | CVE-2024-36600 | libcdio-2.1.0-2.alnx4 |
unbound | CVE-2024-43168 CVE-2024-33655 CVE-2024-8508 CVE-2023-50868 CVE-2023-50387 | unbound-1.17.1-6.alnx4 |
kubernetes | CVE-2024-10220 CVE-2024-3177 | kubernetes-1.27.8-4.alnx4 |
libtiff | CVE-2024-7006 CVE-2023-52356 CVE-2023-52355 | libtiff-4.6.0-2.alnx4 |
libsass | CVE-2022-43358 | libsass-3.6.4-2.alnx4 |
uboot-tools | CVE-2022-34835 CVE-2022-33967 CVE-2022-2347 | uboot-tools-2022.04-5.alnx4 |
djvulibre | CVE-2021-46312 CVE-2021-46310 CVE-2021-32493 CVE-2021-32491 CVE-2021-32490 | djvulibre-3.5.28-3.alnx4 |
Important updates
Kernel
This release is based on the long-term support (LTS) Linux kernel 6.6: kernel-6.6.88-4.2.alnx4.x86_64.
Scheduling
Adds support for the sched_ext feature.
Supports the jbd2 lock handoff feature.
Improved EEVDF stability.
Memory
Supports the fast Out-of-Memory (OOM) feature.
Supports the page table page reclaim feature.
Supports the slab lockless shrink feature to improve the concurrent performance of slab shrinkers.
Supports the async fork feature to optimize the performance of the fork system call.
Supports the duptext feature, which is extended to support large folio.
The mmap() system call supports the THP align feature to increase the success rate of Transparent Huge Pages (THP) allocations.
Network
Maintains compatibility with numerous features from earlier 5.10-based kernels, including eRDMA, SMCv2, completion queue (CQ) optimization, sysctl optimizations, various stability fixes, the Write-with-Imm feature, link/lgr count optimization, packet capture, and memory watermark limits.
Supports the virtio-net XDP zerocopy feature.
BPF
Supports creating bpf timers with BPF_F_TIMER_CPU_PIN.
Supports __nullable configuration for struct_ops input parameters.
Allows bpf skel to directly access members of struct_ops maps.
Supports calling subroutines while holding a spinlock or rculock.
Supports bits iterators.
Storage
Supports the experimental ext4 large folio feature. This feature significantly improves buffered I/O performance. It is marked as EXPERIMENTAL and is disabled by default. To use this feature, enable it with the -o buffered_iomap option.
Addresses an issue with d2c latency statistics. Due to an upstream evolution, QUEUE_FLAG_STATS is no longer set by default, which disables d2c latency statistics by default. Because calling ktime_get_ns() can degrade performance on high-speed devices, a new sysfs interface is available to control these statistics.
Driver
The NVMe driver now supports Reservation and cloud disk activation.
Upgrades the hct driver module to support HCT version 2.1.
Userspace components
Core component updates
GCC toolchain: 12.3.0
binutils: 2.41
systemd: 255
grub2: 2.12
glibc: 2.38
util-linux: 2.39
LLVM: 17.0.6 (default). An llvm18 compatibility package is also available (requires the devel repository to be enabled).
OpenSSH: 9.6p1
python3: 3.11.6
glib2: 2.78.3
OpenSSL: 3.0.12 (default)
Common application component updates
qemu: 8.2.0 (default)
libvirt: 9.10.0 (default)
MySQL: 8.0.42 (default)
mariadb: 10.6.22 (default)
postgresql: 15.12 (default)
sqlite: 3.42.0
Rust version 1.84 is available.
Golang version 1.24
Nginx provides version 1.26.
Apache (httpd) provides version 2.4.62.
bind provides version 9.18.34.
php version 8.3.19 is available.
rpm provides version 4.18.
The dnf package manager offers version 4.16.
xfsprogs provides version 6.6.0.
Docker defaults to version 24.09, and Podman is no longer supported.
Kubernetes supports version 1.27.8.
Ruby provides version 3.3.7.
Samba version 4.19.5 is available.
Provides gcc-toolset-14 compilation tools (the devel repository must be enabled).
Core configuration changes
Alibaba Cloud Linux 4 enables cgroup v2 by default. To switch to cgroup v1, see How to switch to cgroup v1 in Alibaba Cloud Linux 4.
The system disk for Alibaba Cloud Linux 4 uses the xfs file system by default. Because of newer features in xfs, systems with older kernel versions may not be able to read the disk's contents.
Notes
The current kernel version does not support Group Identity co-location technology.