Alibaba Cloud regularly releases updated versions of the Alibaba Cloud Linux 3 image to provide users with the latest operating system features, capabilities, and security patches. This topic details the latest available versions and updates for the Alibaba Cloud Linux 3 image.
Background information
Unless otherwise specified, updates apply to all available regions for Elastic Compute Service (ECS) instances.
Most instance families are compatible with Alibaba Cloud Linux 3 images. However, some instance families can only use specific public images, as detailed below:
ARM images with _arm64_ in their image IDs are compatible with all ARM instances on Alibaba Cloud.
2025
Alibaba Cloud Linux 3.2104 U12.1
Version | Image ID | Release date | Release content |
Alibaba Cloud Linux 3.2104 U12.1 | aliyun_3_x64_20G_alibase_20251030.vhd | 2025-11-30 | |
Alibaba Cloud Linux 3.2104 U12.1 | aliyun_3_x64_20G_dengbao_alibase_20251030.vhd | 2025-11-30 | |
Alibaba Cloud Linux 3.2104 U12.1 | aliyun_3_x64_20G_container_optimized_alibase_202510309.vhd | 2025-11-30 | |
Alibaba Cloud Linux 3.2104 U12.1 | aliyun_3_arm64_20G_alibase_20251030.vhd | 2025-11-30 | |
Alibaba Cloud Linux 3.2104 U12.1 | aliyun_3_arm64_20G_dengbao_alibase_20251030.vhd | 2025-11-30 | |
Alibaba Cloud Linux 3.2104 U12.1 | aliyun_3_arm64_20G_container_optimized_alibase_20251030.vhd | 2025-11-30 | |
Content updates
Important updates
This update replaces the kernel with the kernel-5.10.134-19.2.al8 package and fixes the following issues:
Fixed an issue where microcode hot upgrades incorrectly attempted to address Zenbleed vulnerabilities on non-Zen2 architectures.
Added the `swiotlb_any` cmdline parameter to allow the system to allocate high addresses as bounce buffers for confidential computing.
Fixed an issue where memory was not correctly accepted during the EFI stub phase when booting TDX virtual machines (VMs) through EFI.
Fixed an issue where downstream devices might be used before initialization is complete after a PCIe secondary bus reset, which caused errors or put devices in an offline state.
Fixed several DWC_PMU driver issues to prevent kernel boot failures on Yitian instances during hardware link anomalies.
Fixed a potential crash issue in Group Balancer.
Fixed unexpected packet loss in specific scenarios with virtio_net and vhost.
For more information, see https://openanolis.cn/sig/Cloud-Kernel/doc/1388258453605187661
Package updates
New features
Updated secure CAI series components to support remote device attestation and Hygon CSV. These capabilities are delivered through yum repo updates:
Updated trustee to trustee-1.7.0-1.al8.
Updated trustiflux to trustiflux-1.4.4-1.al8.
Updated cryptpilot to cryptpilot-0.2.7-1.al8.
Updated trusted-network-gateway to trusted-network-gateway-2.2.6-1.al8.
Released gocryptfs-2.4.0-2.al8.
Updated tee-primitives to tee-primitives-1.0-2.al8.
Enhanced system operations and maintenance (O&M):
Updated sysak to sysak-3.8.0-1 to provide improved system O&M capabilities through yum repo updates.
Enhanced OS-level foundational capabilities:
Updated alinux-base-setup to alinux-release-3.2104.12-2.al8. For security reasons, the rpcbind service is disabled by default. This component is updated in the image.
Updated alinux-release to alinux-release-3.2104.12-2.al8, which represents the release of Alibaba Cloud Linux 3.12.1. This component is updated in the image.
Updated NetworkManager to NetworkManager-1.40.16-19.0.1.1.al8 to enable the ipvlan capability. This component is updated in the image.
Updated systemd to systemd-239-82.0.4.3.al8.5 to support the NetworkNamespacePath feature of Systemd. This new feature is included in the image.
Updated logrotate to logrotate-3.14.0-6.0.1.1.al8 to optimize system memory usage by compressing system logs. This component is updated in the image.
Updated tpm2-tss to tpm2-tss-2.4.6-1.0.2.al8 to provide runtime dependency libraries for confidential computing through yum repo updates.
Updated tpm2-tools to tpm2-tools-4.1.1-5.0.6.al8 to provide runtime dependency libraries for confidential computing through yum repo updates.
Updated tengine to tengine-3.1.0-3.al8 to integrate the nginx-module-vts plugin for better performance on Yitian 710 processors. This component is updated through yum repo updates.
Updated gcc-toolset-12-gcc to gcc-toolset-12-gcc-12.3.0-1.2.al8 to provide new GCC capabilities through yum repo updates.
Updated rasdaemon to rasdaemon-0.6.7-16.5.al8 to provide RAS diagnostic self-healing solutions through yum repo updates.
Updated tracker to tracker-3.1.2-3.0.1.1.al8 to modify compilation options and disable SQLite version checks. This component is updated through yum repo updates.
Updated ostree to ostree-2022.2-11.al8 to implement secure updates in ContainerOS. This component is updated in the yum repo.
Enhanced system tuning capabilities:
Released keentuned and keentune-target version 3.2.0 through yum repo updates.
Updated kernel companion components:
Updated smc-tools to smc-tools-1.8.3-1.0.4.al8. This minor version provides monitoring and packet capture capabilities and is delivered through yum repo updates.
Updated vtoa to vtoa-2.1.1-1.al8 to provide backward and forward compatibility through yum repo updates.
Updated erofs-utils to erofs-utils-1.8.10-1.al8. This is a bugfix version delivered through yum repo updates.
Updated cloud application components:
Updated aliyun-cli to aliyun-cli-3.0.305-1.al8. This component is updated in the image.
Updated ossfs to ossfs-1.91.8-1.al8 to fix foundational functionality issues. This component is updated through yum repo updates.
Updated the OS intelligent assistant:
Updated os-copilot to os-copilot-0.9.1-1.al8 through yum repo updates.
Synchronized feature updates from Anolis OS 8, including 11 components. 3 components are updated in the image and 8 are updated through the yum repo. The following table lists the components and the reasons for the updates.
Component name | Previous version | New version | Update reason | Update method |
libsemanage | libsemanage-2.9-10.0.1.al8 | libsemanage-2.9-12.0.1.al8 | Feature enhancement improves storage and rebuild performance in semanage, with forward compatibility. Optimization adds detection conditions to reduce function call frequency during reuse phases, achieving performance gains. | Updated in image |
tzdata | tzdata-2024b-1.0.1.2.al8 | tzdata-2025b-1.0.1.1.al8 | Feature update includes regular timezone updates. | Updated in image |
linux-firmware | linux-firmware-20241014-125.git06bad2f1.al8 | linux-firmware-20250325-129.git710a336b.al8 | Feature addition supports more hardware types. | Updated in image |
gnome-control-center | gnome-control-center-40.0-31.1.al8 | gnome-control-center-40.0-32.1.al8 | Feature addition enables API-based querying of device group information. | Updated via yum repo |
java-1.8.0-openjdk-portable | java-1.8.0-openjdk-portable-1.8.0.432.b06-1.0.2.1.al8 | java-1.8.0-openjdk-portable-1.8.0.462.b08-1.0.1.1.al8 | Feature update enhances Java component functionality for building and installing higher-version Java components. | Updated via yum repo |
java-17-openjdk-portable | java-17-openjdk-portable-17.0.13.0.11-1.0.2.1.al8 | java-17-openjdk-portable-17.0.16.0.8-1.0.1.1.al8 | Feature update enhances Java component functionality for building and installing higher-version Java components. | Updated via yum repo |
motif | motif-2.3.4-20.al8 | motif-2.3.4-21.al8 | Feature enhancement adds multi-screen support. | Updated via yum repo |
mysql-selinux | mysql-selinux-1.0.10-1.al8 | mysql-selinux-1.0.13-1.al8 | Feature addition includes new functional features and bug fixes. | Updated via yum repo |
scap-security-guide | scap-security-guide-0.1.75-1.0.1.al8 | scap-security-guide-0.1.77-1.0.1.al8 | Feature enhancement adds user namespace rules. | Updated via yum repo |
sos | sos-4.8.1-1.0.1.1.al8 | sos-4.8.2-1.0.1.1.al8 | Feature enhancement adds support for the walrus operator (:=) in Python 3.6 environments. | Updated via yum repo |
xorg-x11-drv-libinput | xorg-x11-drv-libinput-1.0.1-3.al8 | xorg-x11-drv-libinput-1.0.1-4.al8 | Feature addition maps specific high keycodes to the FK20-FK23 range. | Updated via yum repo |
Synchronized bug fixes from Anolis OS 8, including 27 components. 12 components are updated in the image and 15 are updated through the yum repo. The following table lists the components and the reasons for the updates.
Component name | Previous version | New version | Fix reason | Update method |
device-mapper-multipath | device-mapper-multipath-0.8.4-41.0.1.al8 | device-mapper-multipath-0.8.4-42.0.1.al8 | Fixed memory leak in NVMe external handler. | Updated in image |
dnf | dnf-4.7.0-20.0.1.1.al8 | dnf-4.7.0-21.0.1.1.al8 | Fixed dnf-automatic functionality and dnf execution issues. | Updated in image |
firewalld | firewalld-0.9.11-9.0.1.al8 | firewalld-0.9.11-10.0.1.al8 | Updated Ceph port numbers in service to prevent port conflicts. | Updated in image |
libdnf | libdnf-0.63.0-20.0.1.2.al8 | libdnf-0.63.0-21.0.1.1.al8 | Fixed invalid memory access issues. | Updated in image |
libselinux | libselinux-2.9-9.1.al8 | libselinux-2.9-10.1.al8 | Fixed null pointer usage issues. | Updated in image |
lvm2 | lvm2-2.03.14-14.0.1.al8 | lvm2-2.03.14-15.0.1.al8 | Fixed thread blocking issues in dmeventd module during shutdown and added pre-check capability to force exit when /run/nologin parameter is detected. | Updated in image |
nfs-utils | nfs-utils-2.3.3-59.0.4.al8 | nfs-utils-2.3.3-64.0.1.al8 | Introduced multiple patches to fix and improve GSSD authentication, READDIRPLUS functionality, and mountstats tool behavior, along with related documentation adjustments. | Updated in image |
nftables | nftables-1.0.4-4.al8 | nftables-1.0.4-7.al8 | Fixed and optimized how nftables handles compatibility expressions, such as iptables-nft rules. The fixes include correcting translation error paths, improving the fallback printing mechanism, enhancing warning messages for unsupported expressions, and optimizing memory management. | Updated in image |
openldap | openldap-2.4.46-20.al8 | openldap-2.4.46-21.al8 | Fixed file descriptor leaks during LDAP over SSL connection failures and duplicate file closure issues during initial TLS connection failures. | Updated in image |
sssd | sssd-2.9.4-5.al8.1 | sssd-2.9.4-5.al8.2 | Fixed a memory leak in sssd_kcm. Resolved issues when handling large databases in the disk cache. Improved the use of correct names when updating cache groups to prevent failures from case mismatches. Added support for the `ignore_group_members` configuration option to determine whether to add group members. | Updated in image |
tar | tar-1.30-9.0.2.al8 | tar-1.30-11.0.1.al8 | Fixed regression issues in --no-overwrite-dir option (1.30-7 upstream commit), reduced frequency of "file changed as we read it" warnings, and added downstream patches to fix related failures in filerem01 tests. | Updated in image |
tuned | tuned-2.22.1-5.0.1.1.al8 | tuned-2.22.1-6.0.1.1.al8 | Made hdparm device checks lazy-loaded and disabled the amd.scheduler plugin instance in PostgreSQL configurations. | Updated in image |
389-ds-base | 389-ds-base-1.4.3.39-9.0.1.al8 | 389-ds-base-1.4.3.39-15.0.1.al8 | Fixed two functional issues in str2filter and uiduniq modules. | Updated via yum repo |
autofs | autofs-5.1.4-114.0.1.al8.1 | autofs-5.1.4-114.0.1.al8.2 | Fixed deadlock issues. | Updated via yum repo |
cups-filters | cups-filters-1.20.0-35.0.1.al8 | cups-filters-1.20.0-36.0.1.al8 | Fixed image rotation by 90 degrees during printing. | Updated via yum repo |
curl | curl-7.61.1-35.0.2.al8 | curl-7.61.1-35.0.2.al8.3 | Follow-up update for CVE-2023-28321 and created a waiting opportunity in asynchronous threads to resolve asynchronous issues. | Updated via yum repo |
haproxy | haproxy-2.4.22-3.0.1.al8 | haproxy-2.4.22-3.0.1.al8.1 | Cleared retry flags in read/write functions to prevent CPU usage spikes and resolved certificate loading issues from files. | Updated via yum repo |
jasper | jasper-2.0.14-5.0.1.al8 | jasper-2.0.14-6.0.1.al8 | Modified configuration items in jasper's configuration file. | Updated via yum repo |
libisoburn | libisoburn-1.5.4-4.al8 | libisoburn-1.5.4-5.al8 | Modified post scripts to resolve script error issues during upgrades. | Updated via yum repo |
mod_security_crs | mod_security_crs-3.3.4-3.al8 | mod_security_crs-3.3.4-3.al8.2 | Bug fix resolves issues where specific city and street names in forms were blocked. | Updated via yum repo |
mutter | mutter-40.9-22.0.1.al8 | mutter-40.9-23.0.1.al8 | Fixed issues caused by rapid and repeated window switching. | Updated via yum repo |
portreserve | portreserve-0.0.5-19.2.al8 | portreserve-0.0.5-20.0.1.al8 | Updated tmpfiles.d configuration to fix issues where systemd temporary files for portreserve referenced the outdated directory /var/run/ instead of /run. | Updated via yum repo |
samba | samba-4.19.4-6.1.al8 | samba-4.19.4-9.1.al8 | Fixed domain controller discovery after Windows netlogon hardening, resolved winbind memory leaks, and fixed potential kernel panics in smbd_smb2_close() due to fd_handle_destructor(). | Updated via yum repo |
squid | squid-4.15-13.al8.3 | squid-4.15-13.al8.5 | Fixed issue where squid caches DNS entries even when TTL is set to 0. | Updated via yum repo |
strace | strace-5.18-2.0.4.al8 | strace-5.18-2.1.0.1.al8 | Added support for loongarch64 architecture. Fixed incorrect system call name reporting for restart_syscall() when attaching processes using PTRACE_GET_SYSCALL_INFO. Updated net-yy-inet*, linkat--secontext_mismatch, and prctl-sve test cases. | Updated via yum repo |
traceroute | traceroute-2.1.0-6.2.0.3.al8 | traceroute-2.1.0-9.0.1.al8 | Fixed polling handling logic in poll.c to improve robustness. | Updated via yum repo |
unzip | unzip-6.0-47.0.1.al8 | unzip-6.0-48.0.1.al8 | Fixed issues where specific ZIP files couldn't be decompressed properly. | Updated via yum repo |
Addressed 116 CVEs. The following table lists the CVEs.
Component | Previous version | New version | Fixed CVE-ID |
aide | aide-0.16-102.al8 | aide-0.16-103.al8.2 | CVE-2025-54389 |
bind | bind-9.11.36-16.0.1.al8 | bind-9.11.36-16.0.1.al8.4 | CVE-2024-11187 |
bind-dyndb-ldap | bind-dyndb-ldap-11.6-5.al8 | bind-dyndb-ldap-11.6-6.al8 | CVE-2025-4404 |
bluez | bluez-5.63-3.0.1.al8 | bluez-5.63-5.0.1.al8 | CVE-2023-27349 CVE-2023-51589 |
buildah | buildah-1.33.11-1.al8 | buildah-1.33.12-2.al8 | CVE-2025-22871 CVE-2025-6032 |
bzip2 | bzip2-1.0.6-27.al8 | bzip2-1.0.6-28.al8 | CVE-2019-12900 |
compat-libtiff3 | compat-libtiff3-3.9.4-13.2.al8 | compat-libtiff3-3.9.4-14.0.1.al8 | CVE-2025-9900 |
compat-openssl10 | compat-openssl10-1.0.2o-4.0.1.al8 | compat-openssl10-1.0.2o-4.0.1.al8.1 | CVE-2023-0286 |
containernetworking-plugins | containernetworking-plugins-1.4.0-5.0.1.al8 | containernetworking-plugins-1.4.0-6.0.1.al8 | CVE-2025-22871 CVE-2025-6032 |
corosync | corosync-3.1.8-2.al8 | corosync-3.1.9-2.al8 | CVE-2025-30472 |
cups | cups-2.2.6-62.0.1.al8 | cups-2.2.6-63.0.1.al8 | CVE-2025-58060 |
delve | delve-1.22.1-1.0.2.al8 | delve-1.24.1-1.0.2.al8 | CVE-2025-22871 CVE-2025-4673 |
doxygen | doxygen-1.8.14-12.1.al8 | doxygen-1.8.14-13.al8 | CVE-2020-11023 |
emacs | emacs-27.2-10.0.1.al8 | emacs-27.2-14.0.1.al8.2 | CVE-2024-53920 |
expat | expat-2.2.5-16.al8 | expat-2.2.5-17.al8 | CVE-2024-8176 |
fence-agents | fence-agents-4.10.0-76.0.1.al8.1 | fence-agents-4.10.0-86.0.1.al8.7 | CVE-2025-47273 |
freetype | freetype-2.10.4-9.al8 | freetype-2.10.4-10.al8 | CVE-2025-27363 |
galera | galera-26.4.14-1.al8 | galera-26.4.20-1.al8 | CVE-2023-22084 CVE-2024-21096 |
gcc-toolset-13-gcc | gcc-toolset-13-gcc-13.3.1-2.1.0.1.1.al8 | gcc-toolset-13-gcc-13.3.1-2.2.0.1.1.al8 | CVE-2020-11023 |
gdk-pixbuf2 | gdk-pixbuf2-2.42.6-4.0.1.al8 | gdk-pixbuf2-2.42.6-6.0.1.al8 | CVE-2025-7345 |
ghostscript | ghostscript-9.54.0-18.al8 | ghostscript-9.54.0-19.al8 | CVE-2025-27832 |
gimp | gimp-2.8.22-25.al8 | gimp-2.8.22-26.al8.2 | CVE-2025-48797 CVE-2025-48798 CVE-2025-5473 |
git | git-2.43.5-2.0.1.al8 | git-2.43.7-1.0.1.al8 | CVE-2024-50349 CVE-2024-52006 CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 |
git-lfs | git-lfs-3.4.1-3.0.1.al8 | git-lfs-3.4.1-5.0.1.al8 | CVE-2025-22871 |
glib2 | glib2-2.68.4-14.0.2.al8 | glib2-2.68.4-16.0.1.al8.2 | CVE-2024-52533 CVE-2025-4373 |
glibc | glibc-2.32-1.16.al8 | glibc-2.32-1.21.al8 | CVE-2025-0395 CVE-2025-4802 CVE-2025-8058 |
gnome-remote-desktop | gnome-remote-desktop-0.1.8-3.1.al8 | gnome-remote-desktop-0.1.8-4.0.1.al8 | CVE-2025-5024 |
gnutls | gnutls-3.6.16-8.0.2.al8.3 | gnutls-3.6.16-8.0.2.al8.4 | CVE-2025-32988 CVE-2025-32990 CVE-2025-6395 |
go-toolset | go-toolset-1.22.9-1.al8 | go-toolset-1.24.6-1.al8 | CVE-2025-4674 |
golang | golang-1.22.9-1.0.1.al8 | golang-1.24.6-1.0.1.al8 | CVE-2025-4674 |
grafana | grafana-9.2.10-20.0.1.al8 | grafana-9.2.10-25.0.1.al8 | CVE-2025-22871 |
grafana-pcp | grafana-pcp-5.1.1-9.0.1.al8 | grafana-pcp-5.1.1-10.al8 | CVE-2025-22871 |
gstreamer1 | gstreamer1-1.22.1-2.0.1.al8 | gstreamer1-1.22.12-3.0.1.al8 | CVE-2024-0444 CVE-2024-4453 |
gstreamer1-plugins-bad-free | gstreamer1-plugins-bad-free-1.22.1-4.0.1.al8 | gstreamer1-plugins-bad-free-1.16.1-1.1.al8 | #N/A |
gstreamer1-plugins-base | gstreamer1-plugins-base-1.22.1-3.0.1.al8 | gstreamer1-plugins-base-1.22.12-4.0.1.al8 | CVE-2024-47541 CVE-2024-47542 CVE-2024-47600 CVE-2024-47835 |
httpd | httpd-2.4.37-65.0.1.al8.2 | httpd-2.4.37-655.0.1.al8.5 | CVE-2024-47252 CVE-2025-23048 CVE-2025-49630 CVE-2025-49812 |
ipa | ipa-4.9.13-14.0.1.1.al8 | ipa-4.9.13-20.0.1.1.al8 | CVE-2025-7493 |
ipa-healthcheck | ipa-healthcheck-0.12-4.al8 | ipa-healthcheck-0.12-6.al8 | CVE-2025-7493 |
jackson-annotations | jackson-annotations-2.14.2-1.al8 | jackson-annotations-2.19.1-1.al8 | CVE-2025-52999 |
jackson-core | jackson-core-2.14.2-1.al8 | jackson-core-2.19.1-1.al8 | CVE-2025-52999 |
jackson-databind | jackson-databind-2.14.2-1.al8 | jackson-databind-2.19.1-1.al8 | CVE-2025-52999 |
jackson-jaxrs-providers | jackson-jaxrs-providers-2.14.2-1.al8 | jackson-jaxrs-providers-2.19.1-1.al8 | CVE-2025-52999 |
java-1.8.0-openjdk | java-1.8.0-openjdk-1.8.0.432.b06-2.0.2.1.al8 | java-1.8.0-openjdk-1.8.0.462.b08-2.0.1.1.al8 | CVE-2025-30749 CVE-2025-30754 CVE-2025-30761 CVE-2025-50106 |
java-17-openjdk | java-17-openjdk-17.0.13.0.11-3.0.2.1.al8 | java-17-openjdk-17.0.16.0.8-2.0.1.1.al8 | CVE-2025-30749 CVE-2025-30754 CVE-2025-50059 CVE-2025-50106 |
jq | jq-1.6-17.al8 | jq-1.6-17.al8.2 | CVE-2024-23337 CVE-2025-48060 |
keepalived | keepalived-2.2.8-3.al8 | keepalived-2.2.8-4.al8 | CVE-2024-41184 |
krb5 | krb5-1.18.2-30.0.1.al8 | krb5-1.18.2-32.0.1.al8 | CVE-2025-3576 |
libarchive | libarchive-3.5.3-4.al8 | libarchive-3.5.3-6.al8 | CVE-2025-5914 |
libblockdev | libblockdev-2.28-6.al8 | libblockdev-2.28-7.al8 | CVE-2025-6019 |
libcap | libcap-2.48-6.0.1.al8 | libcap-2.48-6.0.2.al8 | CVE-2025-1390 |
libpq | libpq-13.11-1.0.1.al8 | libpq-13.20-1.0.1.al8 | CVE-2025-1094 |
libreoffice | libreoffice-7.1.8.1-12.0.2.1.al8.1 | libreoffice-7.1.8.1-15.0.1.1.al8.1 | CVE-2025-1080 |
libsoup | libsoup-2.62.3-6.0.1.al8 | libsoup-2.62.3-9.0.1.al8 | CVE-2025-2784 CVE-2025-4948 CVE-2025-32049 CVE-2025-32914 |
libtasn1 | libtasn1-4.13-4.0.1.al8 | libtasn1-4.13-5.0.1.al8 | CVE-2024-12133 |
libtpms | libtpms-0.9.1-2.20211126git1ff6fe1f43.al8 | libtpms-0.9.1-3.20211126git1ff6fe1f43.al8 | CVE-2025-49133 |
libvirt | libvirt-8.0.0-23.3.0.2.al8 | libvirt-8.0.0-23.4.0.1.al8 | CVE-2025-49133 |
libvpx | libvpx-1.7.0-11.0.1.al8 | libvpx-1.7.0-12.0.1.al8 | CVE-2025-5283 |
libxml2 | libxml2-2.9.7-18.0.3.1.al8 | libxml2-2.9.7-21.0.1.1.al8.3 | CVE-2025-32415 |
libxslt | libxslt-1.1.32-6.1.al8 | libxslt-1.1.32-6.2.0.1.al8 | CVE-2023-40403 |
mariadb | mariadb-10.5.22-1.0.1.al8 | mariadb-10.5.27-1.0.1.al8 | CVE-2023-22084 CVE-2024-21096 |
mecab-ipadic | mecab-ipadic-2.7.0.20070801-16.2.al8 | mecab-ipadic-2.7.0.20070801-17.0.1.al8 | CVE-2024-11053 CVE-2024-21193 CVE-2024-21194 CVE-2024-21196 CVE-2024-21197 CVE-2024-21198 CVE-2024-21199 CVE-2024-21201 CVE-2024-21203 CVE-2024-21212 CVE-2024-21213 CVE-2024-21218 CVE-2024-21219 CVE-2024-21230 CVE-2024-21231 CVE-2024-21236 CVE-2024-21237 CVE-2024-21238 CVE-2024-21239 CVE-2024-21241 CVE-2024-21247 CVE-2024-37371 CVE-2024-5535 CVE-2024-7264 CVE-2025-21490 CVE-2025-21491 CVE-2025-21494 CVE-2025-21497 CVE-2025-21500 CVE-2025-21501 CVE-2025-21503 CVE-2025-21504 CVE-2025-21505 CVE-2025-21518 CVE-2025-21519 CVE-2025-21520 CVE-2025-21521 CVE-2025-21522 CVE-2025-21523 CVE-2025-21525 CVE-2025-21529 CVE-2025-21531 CVE-2025-21534 CVE-2025-21536 CVE-2025-21540 CVE-2025-21543 CVE-2025-21546 CVE-2025-21555 CVE-2025-21559 |
microcode_ctl | microcode_ctl-20240910-1.0.1.al8 | microcode_ctl-20250512-1.0.1.al8 | CVE-2024-28956 CVE-2024-43420 CVE-2024-45332 CVE-2025-20012 CVE-2025-20623 CVE-2025-24495 |
mingw-freetype | mingw-freetype-2.8-3.1.al8 | mingw-freetype-2.8-3.1.al8.1 | CVE-2025-27363 CVE-2025-32050 CVE-2025-32052 CVE-2025-32053 CVE-2025-32906 CVE-2025-32907 CVE-2025-32909 CVE-2025-32910 CVE-2025-32911 CVE-2025-32913 |
mingw-sqlite | mingw-sqlite-3.26.0.0-1.1.al8 | mingw-sqlite-3.26.0.0-2.al8 | CVE-2025-6965 |
mod_auth_openidc | mod_auth_openidc-2.4.9.4-6.al8 | mod_auth_openidc-2.4.9.4-8.al8 | CVE-2025-3891 |
mod_http2 | mod_http2-1.15.7-10.al8.1 | mod_http2-1.15.7-10.al8.4 | CVE-2024-47252 CVE-2025-23048 CVE-2025-49630 CVE-2025-49812 |
mod_security | mod_security-2.9.6-1.al8 | mod_security-2.9.6-2.al8 | CVE-2025-47947 |
mysql | mysql-8.0.36-1.0.1.1.al8 | mysql-8.0.43-1.0.1.1.al8 | CVE-2025-21574 CVE-2025-21575 CVE-2025-21577 CVE-2025-21579 CVE-2025-21580 CVE-2025-21581 CVE-2025-21584 CVE-2025-21585 CVE-2025-30681 CVE-2025-30682 CVE-2025-30683 CVE-2025-30684 CVE-2025-30685 CVE-2025-30687 CVE-2025-30688 CVE-2025-30689 CVE-2025-30693 CVE-2025-30695 CVE-2025-30696 CVE-2025-30699 CVE-2025-30703 CVE-2025-30704 CVE-2025-30705 CVE-2025-30715 CVE-2025-30721 CVE-2025-30722 CVE-2025-50077 CVE-2025-50078 CVE-2025-50079 CVE-2025-50080 CVE-2025-50081 CVE-2025-50082 CVE-2025-50083 CVE-2025-50084 CVE-2025-50085 CVE-2025-50086 CVE-2025-50087 CVE-2025-50088 CVE-2025-50091 CVE-2025-50092 CVE-2025-50093 CVE-2025-50094 CVE-2025-50096 CVE-2025-50097 CVE-2025-50098 CVE-2025-50099 CVE-2025-50100 CVE-2025-50101 CVE-2025-50102 CVE-2025-50104 CVE-2025-53023 |
nodejs | nodejs-20.16.0-1.1.al8 | nodejs-20.19.2-1.1.al8 | CVE-2025-23165 CVE-2025-23166 CVE-2025-23167 |
nodejs-nodemon | nodejs-nodemon-2.0.20-3.al8 | nodejs-nodemon-3.0.1-1.al8 | CVE-2025-22150 CVE-2025-23083 CVE-2025-23085 |
nodejs-packaging | nodejs-packaging-23-3.1.al8 | nodejs-packaging-2021.06-4.al8 | CVE-2025-22150 CVE-2025-23083 CVE-2025-23085 |
open-vm-tools | open-vm-tools-12.3.5-2.al8 | open-vm-tools-12.3.5-2.al8.1 | CVE-2025-41244 |
opendnssec | opendnssec-2.1.7-1.1.al8 | opendnssec-2.1.7-2.al8 | CVE-2025-4404 |
openssh | openssh-8.0p1-25.0.1.1.al8 | openssh-8.0p1-26.0.1.1.al8 | CVE-2025-26465 |
osbuild | osbuild-126-1.0.1.al8 | osbuild-141.2-1.0.1.al8 | CVE-2024-34158 CVE-2024-9355 CVE-2024-1394 |
osbuild-composer | osbuild-composer-118-2.0.1.al8 | osbuild-composer-132.2-2.0.1.al8 | CVE-2025-22871 |
pam | pam-1.3.1-36.al8 | pam-1.3.1-38.al8 | CVE-2025-6020 |
pcs | pcs-0.10.18-2.0.1.1.al8.3 | pcs-0.10.18-2.0.1.1.al8.6 | CVE-2024-49761 |
perl | perl-5.26.3-422.0.1.al8 | perl-5.26.3-423.0.1.al8 | CVE-2025-40909 |
perl-CPAN | perl-CPAN-2.18-397.1.0.2.al8 | perl-CPAN-2.18-402.0.1.al8 | CVE-2020-16156 |
perl-FCGI | perl-FCGI-0.78-11.2.al8 | perl-FCGI-0.78-12.al8 | CVE-2025-40907 |
perl-File-Find-Rule | perl-File-Find-Rule-0.34-8.1.al8 | perl-File-Find-Rule-0.34-9.al8 | CVE-2011-10007 |
perl-JSON-XS | perl-JSON-XS-3.04-3.2.al8 | perl-JSON-XS-3.04-4.al8 | CVE-2025-40928 |
perl-YAML-LibYAML | perl-YAML-LibYAML-0.70-1.1.al8 | perl-YAML-LibYAML-0.70-2.al8 | CVE-2025-40908 |
podman | podman-4.9.4-18.0.1.al8 | podman-4.9.4-23.0.1.al8 | CVE-2025-9566 |
postgresql | postgresql-13.18-1.0.1.al8 | postgresql-13.22-1.0.1.al8 | CVE-2025-8714 CVE-2025-8715 |
python-cryptography | python-cryptography-3.2.1-7.al8 | python-cryptography-3.2.1-8.al8 | CVE-2023-49083 |
python-jinja2 | python-jinja2-2.10.1-3.0.3.al8 | python-jinja2-2.10.1-7.0.1.al8 | CVE-2025-27516 |
python-requests | python-requests-2.20.0-5.al8 | python-requests-2.20.0-6.al8 | CVE-2024-47081 |
python-setuptools | python-setuptools-39.2.0-8.al8.1 | python-setuptools-39.2.0-9.al8 | CVE-2025-47273 |
python3 | python3-3.6.8-69.0.1.1.al8 | python3-3.6.8-71.0.1.1.al8 | CVE-2025-8194 |
python3.11 | python3.11-3.11.11-1.0.1.al8 | python3.11-3.11.13-2.0.1.al8 | CVE-2025-8194 |
python3.11-setuptools | python3.11-setuptools-65.5.1-3.al8 | python3.11-setuptools-65.5.1-4.al8 | CVE-2025-47273 |
qemu-kvm | qemu-kvm-6.2.0-53.0.1.al8.2 | qemu-kvm-6.2.0-53.0.8.al8.4 | CVE-2025-49133 |
redis | redis-6.2.7-1.0.3.al8 | redis-6.2.19-1.0.1.1.al8 | CVE-2025-32023 CVE-2025-48367 |
resource-agents | resource-agents-4.9.0-54.al8.6 | resource-agents-4.9.0-54.al8.16 | CVE-2024-47081 |
rsync | rsync-3.1.3-20.0.1.al8 | rsync-3.1.3-23.0.1.al8 | CVE-2016-9840 |
runc | runc-1.1.12-5.0.1.al8 | runc-1.1.12-6.0.1.al8 | CVE-2025-22869 |
skopeo | skopeo-1.14.5-3.0.1.al8 | skopeo-1.14.5-4.0.1.al8 | CVE-2025-22871 CVE-2025-6032 |
socat | socat-1.7.4.1-1.0.1.al8 | socat-1.7.4.1-2.0.1.al8 | CVE-2024-54661 |
spice-client-win | spice-client-win-8.8-1.al8 | spice-client-win-8.10-1.al8 | CVE-2025-27363 CVE-2025-32050 CVE-2025-32052 CVE-2025-32053 CVE-2025-32906 CVE-2025-32907 CVE-2025-32909 CVE-2025-32910 CVE-2025-32911 CVE-2025-32913 |
sqlite | sqlite-3.26.0-19.al8 | sqlite-3.26.0-20.al8 | CVE-2025-6965 |
sudo | sudo-1.9.5p2-1.0.2.al8 | sudo-1.9.5p2-1.0.2.al8.1 | CVE-2025-32462 |
tbb | tbb-2018.2-9.2.al8 | tbb-2018.2-10.al8.1 | CVE-2020-11023 |
tigervnc | tigervnc-1.13.1-14.al8 | tigervnc-1.15.0-7.al8 | CVE-2025-49175 CVE-2025-49176 CVE-2025-49178 CVE-2025-49179 CVE-2025-49180 |
tomcat | tomcat-9.0.87-1.al8.2 | tomcat-9.0.87-1.al8.6 | CVE-2025-48976 CVE-2025-48988 CVE-2025-48989 CVE-2025-49125 CVE-2025-52434 CVE-2025-52520 CVE-2025-53506 |
udisks2 | udisks2-2.9.0-16.0.1.1.al8 | udisks2-2.9.0-16.0.4.al8.1 | CVE-2025-8067 |
unbound | unbound-1.16.2-7.al8 | unbound-1.16.2-9.al8 | CVE-2025-5994 |
varnish | varnish-6.0.13-1.0.1.1.al8 | varnish-6.0.13-1.1.al8.1 | CVE-2025-47905 |
vim | vim-8.0.1763-19.0.2.al8.5 | vim-8.0.1763-21.0.1.al8 | CVE-2025-53905 CVE-2025-53906 |
webkit2gtk3 | webkit2gtk3-2.46.5-1.0.1.al8 | webkit2gtk3-2.46.6-2.0.1.al8 | CVE-2025-24201 |
xdg-utils | xdg-utils-1.1.3-11.al8 | xdg-utils-1.1.3-13.al8 | CVE-2022-4055 |
xmlrpc-c | xmlrpc-c-1.51.0-10.0.1.al8 | xmlrpc-c-1.51.0-11.0.1.al8 | CVE-2024-8176 |
xorg-x11-server | xorg-x11-server-1.20.11-25.0.1.al8 | xorg-x11-server-1.20.11-26.0.1.al8 | CVE-2025-49175 CVE-2025-49176 CVE-2025-49178 CVE-2025-49179 CVE-2025-49180 |
xorg-x11-server-Xwayland | xorg-x11-server-Xwayland-23.2.7-1.al8 | xorg-x11-server-Xwayland-23.2.7-4.al8 | CVE-2025-49175 CVE-2025-49176 CVE-2025-49178 CVE-2025-49179 CVE-2025-49180 |
yelp | yelp-40.3-2.al8 | yelp-40.3-2.al8.1 | CVE-2025-3155 |
yelp-xsl | yelp-xsl-40.2-1.0.1.al8 | yelp-xsl-40.2-1.0.1.al8.1 | CVE-2025-3155 |
Bug fixes
Fixed an issue in qemu-kvm version qemu-kvm-6.2.0-53.0.8.al8.4 where spice was not supported on arm64.
In anaconda version anaconda-33.16.7.12-1.0.7.4.al8, changed /etc/timezone from a symbolic link to a text file.
Fixed an issue in cloud-init version cloud-init-23.2.2-9.0.1.1.al8 where a symbolic link remained after uninstallation.
Fixed an issue in kexec-tools version kexec-tools-2.0.26-14.0.1.7.al8.2 where Normal memory was not reserved on Node0 for c9i instances.
Fixed an issue in fuse version fuse-2.9.7-19.1.al8 where the ossfs mount point was lost.
Fixed an issue in gcc-toolset-12 version gcc-toolset-12-12.0-6.1.al8 where installing the pcp software would rebuild into the gcc-toolset-12 directory and affect functionality.
Resolved an invalid parameter issue in util-linux version util-linux-2.32.1-46.0.4.1.al8 when setting the hardware clock.
Known issues
The NetworkManager-wait-online service fails to start on ebmhfr7.48xlarge16 ECS Bare Metal instances. This is because the instance type has a usb0 interface that is not managed by NetworkManager, which causes the service to fail. To resolve this issue, you must manually configure and restart the service.
Solution
Create the /etc/NetworkManager/conf.d/99-unmanaged-device.conf file with the following content:
```
[device-usb0-unmanaged]
match-device=interface-name:usb0
managed=0
```
After you edit the file, reboot the system. The NetworkManager-wait-online service will start normally.
Alibaba Cloud Linux 3 AI Extension Edition 0.5.4
Version | Image ID | Release date | Release content |
Alibaba Cloud Linux 3 AI Extension ARM Edition 0.5.4 | aliyun_3_0_arm64_20G_alibase_aiext_0.5.4_20251031.vhd | 2025-11-30 | |
Content updates
Important updates
Upgraded the kernel to 5.10.134-19.2.al8.aarch64.
Kernel updates:
Fixed an issue where microcode hot upgrades incorrectly attempted to address Zenbleed vulnerabilities on non-Zen2 architectures.
Added the swiotlb_any cmdline parameter, which allows the system to allocate high addresses (> 2 GB) as bounce buffers for confidential computing.
Fixed an issue where memory was not correctly accepted during the EFI stub phase when booting TDX VMs through EFI.
Fixed an issue where downstream devices might be used before initialization is complete after a PCIe secondary bus reset, which caused errors or put devices in an offline state.
Fixed several DWC_PMU driver issues to prevent kernel boot failures on Yitian instances during hardware link anomalies.
Fixed a potential crash issue in Group Balancer.
Fixed unexpected packet loss in specific scenarios with virtio_net and vhost.
Image updates
Provided and installed `python3.12-3.12.7-1.al8` by default and set it as the default Python 3 version.
Provided intelligent tuning for AI scenarios through `keentuned-3.4.1-1.al8`.
Installed `kmod-fuse-5.10.134~19.2-1.2.5~1.al8` by default to enhance support for fuse over io_uring mode. This achieves a dual improvement of millions of IOPS and 40 GB/s cache read/write bandwidth.
Alibaba Cloud Linux 3 AI Extension Edition 0.5.3
Version | Image ID | Release date | Release content |
Alibaba Cloud Linux 3 AI Extension Edition 0.5.3 | aliyun_3_0_x64_20G_alibase_aiext_0.5.3_20251011.vhd | 2025-10-11 | |
Content updates
Important updates
Kernel
Upgraded the kernel to version `5.10.134-19.103.al8.x86_64`.
New features
Added support for five-level page tables to enable petabyte-level memory management. For compatibility, user mode must explicitly specify a high address as a hint during mmap to enable five-level page table space allocation.
Added the PCIe Resize Bar feature, which lets you adjust the PCIe device BAR size without modifying BIOS settings.
Enabled page table page reclamation by default by adding reclaim_pt to the cmdline. This reclaims page table pages in the MADV_DONTNEED path to save memory and prevent premature out of memory (OOM) issues.
Enhanced mixed deployment: Optimized load balancing policies for mixed deployment scenarios. Refactored absolute suppression policies in mixed deployment scenarios to achieve absolute suppression of offline tasks by online tasks. This effectively prevents offline tasks from preempting online tasks.
Compatibility
This patch merges back UPI support for GNR.
The kernel kABI is consistent with previous versions.
Modified the cmdline: pci_quirk is on by default and can be disabled by adding pci_quirk=disable. drv_quirk is off by default and can be enabled by adding drv_quirk=enable.
Stability
Fixed checksum error issues in virtio-net for both large and small packets.
Fixed a use-after-free issue in the group balancer.
Fixed a null pointer dereference issue in the NVMe drive during reboot or shutdown.
Fixed vhost thread anomalies.
Image
Added the `update-grubenv` service. This service automatically detects the current boot mode (UEFI or Legacy BIOS) at system startup and dynamically updates the `/boot/grub2/grubenv` configuration file to ensure that GRand Unified Bootloader (GRUB) environment variables are consistent with the actual boot method. This service is enabled by default and runs automatically at system startup.
Upgraded keentuned to the latest version `keentuned-3.4.0-1.al8.x86_64`.
Upgraded kmod-fuse to `kmod-fuse-5.10.134~19.103-1.2.4.5~2.al8.x86_64`.
Removed `drv_quirk=disable` and `drv_link_quirk=disable` from the cmdline and added `reclaim_pt`.
Security updates
Package name | CVE ID | New version |
bind-export-libs | CVE-2024-11187 | 9.11.36-16.0.1.al8.4 |
bzip2 | CVE-2019-12900 | 1.0.6-28.al8 |
bzip2-libs | CVE-2019-12900 | 1.0.6-28.al8 |
cups-client | CVE-2025-58060 | 2.2.6-63.0.1.al8 |
cups-libs | CVE-2025-58060 | 2.2.6-63.0.1.al8 |
expat | CVE-2024-8176 | 2.2.5-17.al8 |
freetype | CVE-2025-27363 | 2.10.4-10.al8 |
glib2 | CVE-2024-52533 CVE-2025-4373 | 2.68.4-16.0.1.al8.2 |
glibc | CVE-2025-0395 CVE-2025-4802 CVE-2025-8058 | 2.32-1.21.al8 |
glibc-all-langpacks | CVE-2025-0395 CVE-2025-4802 CVE-2025-8058 | 2.32-1.21.al8 |
glibc-common | CVE-2025-0395 CVE-2025-4802 CVE-2025-8058 | 2.32-1.21.al8 |
glibc-devel | CVE-2025-0395 CVE-2025-4802 CVE-2025-8058 | 2.32-1.21.al8 |
glibc-headers-x86 | CVE-2025-0395 CVE-2025-4802 CVE-2025-8058 | 2.32-1.21.al8 |
grub2-common | CVE-2025-0624 | 2.02-165.0.1.al8 |
grub2-efi-x64 | CVE-2025-0624 | 2.02-165.0.1.al8 |
grub2-pc | CVE-2025-0624 | 2.02-165.0.1.al8 |
grub2-pc-modules | CVE-2025-0624 | 2.02-165.0.1.al8 |
grub2-tools | CVE-2025-0624 | 2.02-165.0.1.al8 |
grub2-tools-efi | CVE-2025-0624 | 2.02-165.0.1.al8 |
grub2-tools-extra | CVE-2025-0624 | 2.02-165.0.1.al8 |
grub2-tools-minimal | CVE-2025-0624 | 2.02-165.0.1.al8 |
krb5-libs | CVE-2025-3576 | 1.18.2-32.0.1.al8 |
libarchive | CVE-2025-5914 | 3.5.3-6.al8 |
libblockdev | CVE-2025-6019 | 2.28-7.al8 |
libblockdev-crypto | CVE-2025-6019 | 2.28-7.al8 |
libblockdev-fs | CVE-2025-6019 | 2.28-7.al8 |
libblockdev-loop | CVE-2025-6019 | 2.28-7.al8 |
libblockdev-mdraid | CVE-2025-6019 | 2.28-7.al8 |
libblockdev-part | CVE-2025-6019 | 2.28-7.al8 |
libblockdev-swap | CVE-2025-6019 | 2.28-7.al8 |
libblockdev-utils | CVE-2025-6019 | 2.28-7.al8 |
libcap | CVE-2025-1390 | 2.48-6.0.2.al8 |
libtasn1 | CVE-2024-12133 | 4.13-5.0.1.al8 |
libudisks2 | CVE-2025-8067 | 2.9.0-16.0.4.al8.1 |
libxml2 | CVE-2025-32415 | 2.9.7-21.0.1.1.al8.3 |
nscd | CVE-2025-0395 CVE-2025-4802 CVE-2025-8058 | 2.32-1.21.al8 |
pam | CVE-2025-6020 CVE-2025-8941 | 1.3.1-38.al8 |
perl-Errno | CVE-2025-40909 | 1.28-423.0.1.al8 |
perl-interpreter | CVE-2025-40909 | 5.26.3-423.0.1.al8 |
perl-IO | CVE-2025-40909 | 1.38-423.0.1.al8 |
perl-libs | CVE-2025-40909 | 5.26.3-423.0.1.al8 |
perl-macros | CVE-2025-40909 | 5.26.3-423.0.1.al8 |
platform-python | CVE-2025-8194 | 3.6.8-71.0.1.1.al8 |
platform-python-devel | CVE-2025-8194 | 3.6.8-71.0.1.1.al8 |
platform-python-setuptools | CVE-2025-47273 | 39.2.0-9.al8 |
python3-cryptography | CVE-2023-49083 | 3.2.1-8.al8 |
python3-libs | CVE-2025-8194 | 3.6.8-71.0.1.1.al8 |
python3-libxml2 | CVE-2025-32415 | 2.9.7-21.0.1.1.al8.3 |
python3-requests | CVE-2024-47081 | 2.20.0-6.al8 |
python3-setuptools | CVE-2025-47273 | 39.2.0-9.al8 |
python3-setuptools-wheel | CVE-2025-47273 | 39.2.0-9.al8 |
python3-unbound | CVE-2025-5994 | 1.16.2-9.al8 |
socat | CVE-2024-54661 | 1.7.4.1-2.0.1.al8 |
sqlite | CVE-2025-6965 | 3.26.0-20.al8 |
sqlite-libs | CVE-2025-6965 | 3.26.0-20.al8 |
tuned | CVE-2024-52337 | 2.22.1-5.0.1.1.al8 |
udisks2 | CVE-2025-8067 | 2.9.0-16.0.4.al8.1 |
unbound-libs | CVE-2025-5994 | 1.16.2-9.al8 |
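To check a host against the "New version" column above, installed versions have to be compared segment by segment the way RPM does, because a plain string comparison ranks release 9 above release 17. The following is an added example, not Alibaba Cloud's tooling: the comparison is a compact re-implementation of RPM's version ordering written for this page, the function names are hypothetical, and the installed inventory is constructed sample data in the shape produced by `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`.

```python
import re

# One token per comparable segment: a digit run, a letter run, '~' or '^'.
# Any other character ('.', '_', '+', ...) only separates segments.
_TOKEN = re.compile(r"\d+|[A-Za-z]+|[~^]", re.ASCII)


def rpmvercmp(a, b):
    """Compare two version (or release) strings; return -1, 0 or 1."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for i in range(max(len(ta), len(tb))):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == "~" or y == "~":        # '~' sorts before everything, even end of string
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x == "^" or y == "^":        # '^' sorts after end of string, before any segment
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            continue
        if x is None or y is None:      # the side with segments left over is newer
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():  # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():                 # numbers compare by value, not as text
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return 0


def split_evr(evr):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        head, evr = evr.split(":", 1)
        epoch = int(head)
    version, sep, release = evr.rpartition("-")
    return (epoch, version, release) if sep else (epoch, evr, "")


def evr_cmp(a, b):
    """Order two epoch/version/release strings; return -1, 0 or 1."""
    (ea, va, ra), (eb, vb, rb) = split_evr(a), split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# Fixed versions copied from rows of the table above.
FIXED = {
    "bzip2": ("CVE-2019-12900", "1.0.6-28.al8"),
    "expat": ("CVE-2024-8176", "2.2.5-17.al8"),
    "glibc": ("CVE-2025-0395 CVE-2025-4802 CVE-2025-8058", "2.32-1.21.al8"),
    "libxml2": ("CVE-2025-32415", "2.9.7-21.0.1.1.al8.3"),
    "pam": ("CVE-2025-6020 CVE-2025-8941", "1.3.1-38.al8"),
}

# Constructed inventory for the example (not taken from a real host).
SAMPLE_INSTALLED = """\
bzip2 1.0.6-27.al8
expat 2.2.5-9.al8
glibc 2.32-1.21.al8
libxml2 2.9.7-21.0.1.1.al8.3
pam 1.3.1-36.1.al8
zlib 1.2.11-25.al8
"""


def audit(installed_text, fixed):
    """Return (package, installed, fixed, cves) for packages older than the fix."""
    behind = []
    for line in installed_text.splitlines():
        name, _, evr = line.strip().partition(" ")
        if name in fixed and evr_cmp(evr, fixed[name][1]) < 0:
            cves, want = fixed[name]
            behind.append((name, evr, want, cves))
    return behind


if __name__ == "__main__":
    for name, have, want, cves in audit(SAMPLE_INSTALLED, FIXED):
        print(f"{name}: installed {have} < fixed {want} ({cves})")
```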
Alibaba Cloud Linux 3 AI Extension Edition 0.5.2
Version | Image ID | Release date | Release content |
Alibaba Cloud Linux 3 AI Extension Edition 0.5.2 | aliyun_3_0_x64_20G_alibase_aiext_0.5.2_20250714.vhd | 2025-07-14 |
Content updates
Important updates
Compared with Ubuntu 22.04, Alibaba Cloud Linux 3 AI Extension Edition 0.5.2 shows performance improvements in training and inference when used with standard community openclip/bevformer AI container images (AC2):
bevformer_base training: The average throughput per step increased by 13% for FP32 precision and 12% to 18% for FP6 precision.
openclip (RN50) training: The average throughput per step increased by 26%. The average inference throughput increased by 26%.
By replacing the community openclip/bevformer AI container images with Alibaba Cloud's optimized openclip/bevformer AI container images, the following final performance improvements are achieved:
bevformer_base training: The average throughput per step increased by 22% for FP32 precision and 17% to 20% for FP16 precision.
openclip (RN50) training: The average throughput per step increased by 46%. The average inference throughput increased by 26%.
Kernel
Upgraded the kernel to version 5.10.134-19.101.al8.x86_64.
Scheduling
Round-robin scheduling attribute for clusters.
Added support for configuring bvt for non-movable threads in the root group.
Core sched supports independent configuration of special attributes for each cookie.
Allows sharing a core with normal tasks that do not have a cookie.
Prevents load balancing from automatically grouping tasks with the same cookie. This results in tasks being spread across different cores.
Memory
mmap() supports THP-aligned address space allocation.
virtio-mem supports the memmap_on_memory feature, which helps with rapid container memory scaling.
Added a temporary file optimization feature, which is expected to improve performance in model training scenarios.
Added the pagecache limit smooth reclamation feature to improve memory usage efficiency. This is expected to improve performance in model training scenarios.
Added a page table page reclamation feature to improve memory usage efficiency. This feature requires you to add reclaim_pt to the cmdline to enable it and is expected to improve performance in model training scenarios.
Added a switch to control the delayed release of shmem file pages.
Fixed various bugs, such as kfence stability issues and code huge page THP counting issues.
Network
Fixed various smc bugs, such as link group and link use-after-free issues, and smc-r device lookup failures in container scenarios.
Storage
erofs:
Reverted several mainline erofs file system fixes.
Added file backup mount and 48-bit layout support.
Added sub-page block support for compressed files.
Reverted mainline stable branch patches for ext4, block, blk-mq, and io_uring.
Added the virtio-blk passthrough feature, which adds passthrough capability support for virtio-blk devices.
Driver
The NVMe driver supports batch processing of completed polled I/O commands.
Added support for differentiated configuration of NVMe drive-related parameters for cloud disks and local disks.
Merged PCIe driver bugfix patches to fix issues such as incorrect space size calculation and root bus allocation.
BPF
Merged stable community bugfix and CVE fix patches.
Packages
Provided and installed python3.12-3.12.7-1.al8.x86_64 by default and set it as the default Python 3 version.
Provided intelligent tuning for AI scenarios through keentuned-3.2.4-2.al8.x86_64.
Known issues
The NetworkManager-wait-online service fails to start during the startup process of ecs.ebmgn8t.32xlarge instances.
The instance includes a USB network device, which extends the startup time of the NetworkManager service. This causes the NetworkManager-wait-online service to time out and fail to start. If the USB network device is not used, you can configure NetworkManager to not manage usb0. To do this, edit the /etc/NetworkManager/conf.d/99-unmanaged-device.conf file and add the following content:
    [device-usb0-unmanaged]
    match-device=interface-name:usb0
    managed=0
After you edit the file, restart the NetworkManager service for the changes to take effect immediately. NetworkManager will no longer manage the usb0 device. Reboot the system to verify that the NetworkManager-wait-online service starts normally.
Using vhost-net may intermittently trigger high CPU usage and network unavailability. You can resolve this by installing the following hotfix:
    yum install kernel-hotfix-22577883-5.10.134-19.101 -y
After an NVMe hardware exception, executing a reboot may cause a null pointer dereference. You can resolve this by installing the following hotfix:
    yum install kernel-hotfix-22584571-5.10.134-19.101 -y
Alibaba Cloud Linux 3.2104 U12
Version | Image ID | Release date | Release content |
Alibaba Cloud Linux 3.2104 U12 | aliyun_3_x64_20G_alibase_20250629.vhd | 2025-06-29 |
aliyun_3_x64_20G_dengbao_alibase_20250629.vhd | 2025-06-29 |
aliyun_3_x64_20G_container_optimized_alibase_20250629.vhd | 2025-06-29 |
aliyun_3_arm64_20G_alibase_20250629.vhd | 2025-06-29 |
aliyun_3_arm64_20G_dengbao_alibase_20250629.vhd | 2025-06-29 |
aliyun_3_arm64_20G_container_optimized_alibase_20250629.vhd | 2025-06-29 |
Content updates
Security updates
Package name | CVE ID | New version |
buildah | CVE-2023-45290 CVE-2024-1394 CVE-2024-3727 CVE-2024-6104 CVE-2024-24783 CVE-2024-24784 CVE-2024-24789 CVE-2024-37298 | buildah-1.33.8-4.al8 |
containernetworking-plugins | CVE-2023-45290 CVE-2024-1394 CVE-2024-3727 CVE-2024-6104 CVE-2024-24783 CVE-2024-24784 CVE-2024-24789 CVE-2024-37298 | containernetworking-plugins-1.4.0-5.0.1.al8 |
containers-common | CVE-2023-45290 CVE-2024-1394 CVE-2024-3727 CVE-2024-6104 CVE-2024-24783 CVE-2024-24784 CVE-2024-24789 CVE-2024-37298 | containers-common-1-82.0.1.al8 |
podman | CVE-2023-45290 CVE-2024-1394 CVE-2024-3727 CVE-2024-6104 CVE-2024-24783 CVE-2024-24784 CVE-2024-24789 CVE-2024-37298 | podman-4.9.4-12.0.1.al8 |
python-podman | CVE-2023-45290 CVE-2024-1394 CVE-2024-3727 CVE-2024-6104 CVE-2024-24783 CVE-2024-24784 CVE-2024-24789 CVE-2024-37298 | python-podman-4.9.0-2.al8 |
runc | CVE-2023-45290 CVE-2024-1394 CVE-2024-3727 CVE-2024-6104 CVE-2024-24783 CVE-2024-24784 CVE-2024-24789 CVE-2024-37298 | runc-1.1.12-4.0.1.al8 |
skopeo | CVE-2023-45290 CVE-2024-1394 CVE-2024-3727 CVE-2024-6104 CVE-2024-24783 CVE-2024-24784 CVE-2024-24789 CVE-2024-37298 | skopeo-1.14.5-3.0.1.al8 |
httpd | CVE-2023-27522 | httpd-2.4.37-65.0.1.al8.2 |
git-lfs | CVE-2023-45288 CVE-2023-45289 CVE-2023-45290 CVE-2024-24783 | git-lfs-3.4.1-2.0.1.al8 |
bind | CVE-2024-1975 CVE-2024-1737 | bind-9.11.36-16.0.1.al8 |
python-setuptools | CVE-2024-6345 | python-setuptools-39.2.0-8.al8.1 |
less | CVE-2022-48624 CVE-2024-32487 | less-530-3.0.1.al8 |
java-17-openjdk | CVE-2024-21131 CVE-2024-21138 CVE-2024-21140 CVE-2024-21144 CVE-2024-21145 CVE-2024-21147 | java-17-openjdk-17.0.12.0.7-2.0.2.1.al8 |
java-11-openjdk | CVE-2024-21131 CVE-2024-21138 CVE-2024-21140 CVE-2024-21144 CVE-2024-21145 CVE-2024-21147 | java-11-openjdk-11.0.24.0.8-3.0.2.1.al8 |
postgresql | CVE-2024-7348 | postgresql-13.16-1.0.1.al8 |
flatpak | CVE-2024-42472 | flatpak-1.12.9-3.al8 |
bubblewrap | CVE-2024-42472 | bubblewrap-0.4.0-2.2.al8 |
java-1.8.0-openjdk | CVE-2024-21131 CVE-2024-21138 CVE-2024-21140 CVE-2024-21144 CVE-2024-21145 CVE-2024-21147 | java-1.8.0-openjdk-1.8.0.422.b05-2.0.2.1.al8 |
fence-agents | CVE-2024-6345 | fence-agents-4.10.0-62.0.2.al8.4 |
pcp | CVE-2024-45769 CVE-2024-45770 | pcp-5.3.7-22.0.1.al8 |
delve | CVE-2024-24791 CVE-2024-34155 CVE-2024-34156 CVE-2024-34158 | delve-1.21.2-4.0.1.al8 |
golang | CVE-2024-24791 CVE-2024-34155 CVE-2024-34156 CVE-2024-34158 | golang-1.21.13-2.0.1.al8 |
go-toolset | CVE-2024-24791 CVE-2024-34155 CVE-2024-34156 CVE-2024-34158 | go-toolset-1.21.13-1.al8 |
edk2 | CVE-2023-45236 CVE-2023-45237 CVE-2024-1298 | edk2-20220126gitbb1bba3d77-13.0.1.al8.2 |
curl | CVE-2024-2398 | curl-7.61.1-35.0.2.al8 |
libvpx | CVE-2023-6349 CVE-2024-5197 | libvpx-1.7.0-11.0.1.al8 |
resource-agents | CVE-2024-37891 CVE-2024-6345 | resource-agents-4.9.0-54.al8.4 |
389-ds-base | CVE-2024-5953 | 389-ds-base-1.4.3.39-8.0.1.al8 |
python-urllib3 | CVE-2024-37891 | python-urllib3-1.24.2-8.al8 |
pcs | CVE-2024-41123 CVE-2024-41946 CVE-2024-43398 | pcs-0.10.18-2.0.1.1.al8.2 |
grafana | CVE-2024-24788 CVE-2024-24789 CVE-2024-24790 | grafana-9.2.10-17.0.1.al8 |
libuv | CVE-2024-24806 | libuv-1.42.0-2.al8 |
c-ares | CVE-2024-25629 | c-ares-1.13.0-11.al8 |
xmlrpc-c | CVE-2023-52425 | xmlrpc-c-1.51.0-9.0.1.al8 |
yajl | CVE-2022-24795 CVE-2023-33460 | yajl-2.1.0-13.0.1.al8 |
wpa_supplicant | CVE-2023-52160 | wpa_supplicant-2.10-2.al8 |
cups | CVE-2024-35235 | cups-2.2.6-60.0.1.al8 |
linux-firmware | CVE-2023-31346 | linux-firmware-20240610-122.git90df68d2.al8 |
wget | CVE-2024-38428 | wget-1.19.5-12.0.1.al8 |
poppler | CVE-2024-6239 | poppler-20.11.0-12.0.1.al8 |
krb5 | CVE-2024-37370 CVE-2024-37371 | krb5-1.18.2-29.0.1.al8 |
git-lfs | CVE-2024-34156 | git-lfs-3.4.1-3.0.1.al8 |
libreoffice | CVE-2024-3044 CVE-2024-6472 | libreoffice-7.1.8.1-12.0.2.1.al8.1 |
orc | CVE-2024-40897 | orc-0.4.28-4.al8 |
jose | CVE-2023-50967 CVE-2024-28176 | jose-10-2.3.al8.3 |
openssh | CVE-2020-15778 CVE-2023-48795 CVE-2023-51385 | openssh-8.0p1-25.0.1.1.al8 |
libnbd | CVE-2024-3446 CVE-2024-7383 CVE-2024-7409 | libnbd-1.6.0-6.0.1.al8 |
qemu-kvm | CVE-2024-3446 CVE-2024-7383 CVE-2024-7409 | qemu-kvm-6.2.0-53.0.1.al8 |
libvirt | CVE-2024-3446 CVE-2024-7383 CVE-2024-7409 | libvirt-8.0.0-23.2.0.2.al8 |
osbuild-composer | CVE-2024-34156 | osbuild-composer-101-2.0.1.al8 |
libreswan | CVE-2024-3652 | libreswan-4.12-2.0.2.al8.4 |
mod_auth_openidc | CVE-2024-24814 | mod_auth_openidc-2.4.9.4-6.al8 |
podman | CVE-2023-45290 CVE-2024-24783 CVE-2024-24784 CVE-2024-24788 CVE-2024-24791 | podman-4.9.4-13.0.1.al8 |
ghostscript | CVE-2024-29510 CVE-2024-33869 CVE-2024-33870 | ghostscript-9.54.0-18.al8 |
emacs | CVE-2024-39331 | emacs-27.2-9.0.3.al8 |
dovecot | CVE-2024-23184 CVE-2024-23185 | dovecot-2.3.16-5.0.1.al8 |
expat | CVE-2024-45490 CVE-2024-45491 CVE-2024-45492 | expat-2.2.5-13.0.1.al8 |
glib2 | CVE-2024-34397 | glib2-2.68.4-14.0.2.al8 |
python-idna | CVE-2024-3651 | python-idna-2.5-7.al8 |
openldap | CVE-2023-2953 | openldap-2.4.46-19.al8 |
python-pillow | CVE-2024-28219 | python-pillow-5.1.1-21.al8 |
nghttp2 | CVE-2024-28182 | nghttp2-1.33.0-6.0.1.al8.1 |
python-jinja2 | CVE-2024-34064 | python-jinja2-2.10.1-3.0.3.al8 |
opencryptoki | CVE-2024-0914 | opencryptoki-3.22.0-3.al8 |
gdk-pixbuf2 | CVE-2021-44648 CVE-2021-46829 CVE-2022-48622 | gdk-pixbuf2-2.42.6-4.0.1.al8 |
rear | CVE-2024-23301 | rear-2.6-13.0.1.al8 |
grub2 | CVE-2023-4692 CVE-2023-4693 CVE-2024-1048 | grub2-2.02-150.0.2.al8 |
nss | CVE-2023-5388 CVE-2023-6135 | nss-3.101.0-7.0.1.al8 |
gnutls | CVE-2024-0553 CVE-2024-28834 | gnutls-3.6.16-8.0.1.al8.3 |
python3 | CVE-2024-4032 CVE-2024-6232 CVE-2024-6923 | python3-3.6.8-67.0.1.2.al8 |
grafana | CVE-2024-24791 | grafana-9.2.10-18.0.1.al8 |
cups-filters | CVE-2024-47076 CVE-2024-47175 CVE-2024-47176 CVE-2024-47850 | cups-filters-1.20.0-35.0.1.al8 |
linux-firmware | CVE-2023-20584 CVE-2023-31315 CVE-2023-31356 | linux-firmware-20240827-124.git3cff7109.al8 |
golang | CVE-2024-9355 | golang-1.21.13-3.0.1.al8 |
openssl | CVE-2024-5535 | openssl-1.1.1k-14.0.1.al8 |
nano | CVE-2024-5742 | nano-2.9.8-2.0.1.al8 |
runc | CVE-2023-45290 CVE-2024-34155 CVE-2024-34156 CVE-2024-34158 | runc-1.1.12-5.0.1.al8 |
OpenIPMI | CVE-2024-42934 | OpenIPMI-2.0.32-5.0.1.al8 |
grafana | CVE-2024-47875 CVE-2024-9355 | grafana-9.2.10-20.0.1.al8 |
java-11-openjdk | CVE-2023-48161 CVE-2024-21208 CVE-2024-21210 CVE-2024-21217 CVE-2024-21235 | java-11-openjdk-11.0.25.0.9-2.0.1.1.al8 |
java-1.8.0-openjdk | CVE-2023-48161 CVE-2024-21208 CVE-2024-21210 CVE-2024-21217 CVE-2024-21235 | java-1.8.0-openjdk-1.8.0.432.b06-2.0.2.1.al8 |
java-17-openjdk | CVE-2023-48161 CVE-2024-21208 CVE-2024-21210 CVE-2024-21217 CVE-2024-21235 | java-17-openjdk-17.0.13.0.11-3.0.2.1.al8 |
NetworkManager-libreswan | CVE-2024-9050 | NetworkManager-libreswan-1.2.10-7.0.1.al8 |
ansible-core | CVE-2024-0690 | ansible-core-2.16.3-2.0.1.al8 |
libtiff | CVE-2023-52356 | libtiff-4.4.0-12.0.2.al8 |
krb5 | CVE-2024-3596 | krb5-1.18.2-30.0.1.al8 |
xorg-x11-server | CVE-2024-9632 | xorg-x11-server-1.20.11-25.0.1.al8 |
xmlrpc-c | CVE-2024-45491 | xmlrpc-c-1.51.0-10.0.1.al8 |
bzip2 | CVE-2019-12900 | bzip2-1.0.6-27.al8 |
bcc | CVE-2024-2314 | bcc-0.25.0-9.0.1.al8 |
python3.11 | CVE-2024-6232 | python3.11-3.11.10-1.0.1.al8 |
buildah | CVE-2024-9341 CVE-2024-9407 CVE-2024-9675 | buildah-1.33.10-1.al8 |
podman | CVE-2024-9341 CVE-2024-9407 CVE-2024-9675 | podman-4.9.4-15.0.1.al8 |
libtiff | CVE-2024-7006 | libtiff-4.4.0-12.0.3.al8 |
libsoup | CVE-2024-52530 CVE-2024-52532 | libsoup-2.62.3-6.0.1.al8 |
gtk3 | CVE-2024-6655 | gtk3-3.24.31-5.0.2.1.al8 |
tigervnc | CVE-2024-9632 | tigervnc-1.13.1-14.al8 |
emacs | CVE-2024-30203 CVE-2024-30204 CVE-2024-30205 | emacs-27.2-10.0.1.al8 |
squid | CVE-2024-23638 CVE-2024-45802 | squid-4.15-13.al8.3 |
gnome-shell-extensions | CVE-2024-36472 | gnome-shell-extensions-40.7-19.0.1.al8 |
gnome-shell | CVE-2024-36472 | gnome-shell-40.10-21.al8 |
osbuild-composer | CVE-2024-34156 | osbuild-composer-118-2.0.1.al8 |
expat | CVE-2024-50602 | expat-2.2.5-16.al8 |
iperf3 | CVE-2023-7250 CVE-2024-26306 | iperf3-3.9-13.al8 |
lldpd | CVE-2020-27827 CVE-2021-43612 CVE-2023-41910 | lldpd-1.0.18-4.0.1.al8 |
xorg-x11-server-Xwayland | CVE-2024-31080 CVE-2024-31081 CVE-2024-31083 | xorg-x11-server-Xwayland-23.2.7-1.al8 |
bpftrace | CVE-2024-2313 | bpftrace-0.16.0-8.al8 |
perl-Convert-ASN1 | CVE-2013-7488 | perl-Convert-ASN1-0.27-17.1.0.1.al8 |
podman | CVE-2021-33198 CVE-2021-4024 CVE-2024-9676 | podman-4.9.4-18.0.1.al8 |
grafana-pcp | CVE-2024-9355 | grafana-pcp-5.1.1-9.0.1.al8 |
buildah | CVE-2021-33198 CVE-2021-4024 CVE-2024-9676 | buildah-1.33.11-1.al8 |
python-podman | CVE-2021-33198 CVE-2021-4024 CVE-2024-9676 | python-podman-4.9.0-3.al8 |
golang | CVE-2024-24790 | golang-1.22.7-1.0.2.al8 |
delve | CVE-2024-24790 | delve-1.22.1-1.0.2.al8 |
go-toolset | CVE-2024-24790 | go-toolset-1.22.7-1.al8 |
pam | CVE-2024-10041 CVE-2024-10963 | pam-1.3.1-36.al8 |
perl-App-cpanminus | CVE-2024-45321 | perl-App-cpanminus-1.7044-6.al8 |
postgresql | CVE-2024-10976 CVE-2024-10978 CVE-2024-10979 | postgresql-13.18-1.0.1.al8 |
python3 | CVE-2024-11168 CVE-2024-9287 | python3-3.6.8-69.0.1.1.al8 |
python3.11-cryptography | CVE-2023-49083 | python3.11-cryptography-37.0.2-6.0.1.al8 |
python3.11-setuptools | CVE-2024-6345 | python3.11-setuptools-65.5.1-3.al8 |
python3.11-pip | CVE-2007-4559 | python3.11-pip-22.3.1-5.al8 |
python3.11 | CVE-2024-9287 | python3.11-3.11.11-1.0.1.al8 |
php | CVE-2023-0567 CVE-2023-0568 CVE-2023-3247 CVE-2023-3823 CVE-2023-3824 CVE-2024-2756 CVE-2024-3096 CVE-2024-5458 CVE-2024-8925 CVE-2024-8927 CVE-2024-9026 | php-7.4.33-2.0.1.al8 |
pcs | CVE-2024-21510 | pcs-0.10.18-2.0.1.1.al8.3 |
gstreamer1-plugins-good | CVE-2024-47537 CVE-2024-47539 CVE-2024-47540 CVE-2024-47606 CVE-2024-47613 | gstreamer1-plugins-good-1.16.1-5.al8 |
gstreamer1-plugins-base | CVE-2024-47538 CVE-2024-47607 CVE-2024-47615 | gstreamer1-plugins-base-1.22.1-3.0.1.al8 |
libsndfile | CVE-2024-50612 | libsndfile-1.0.28-16.0.1.al8 |
tuned | CVE-2024-52337 | tuned-2.22.1-5.0.1.1.al8 |
edk2 | CVE-2024-38796 | edk2-20220126gitbb1bba3d77-13.0.1.al8.4 |
bluez | CVE-2023-45866 | bluez-5.63-3.0.1.al8 |
fontforge | CVE-2024-25081 CVE-2024-25082 | fontforge-20200314-6.0.1.al8 |
mpg123 | CVE-2024-10573 | mpg123-1.32.9-1.al8 |
webkit2gtk3 | CVE-2024-23271 CVE-2024-27820 CVE-2024-27838 CVE-2024-27851 CVE-2024-40779 CVE-2024-40780 CVE-2024-40782 CVE-2024-40789 CVE-2024-40866 CVE-2024-44185 CVE-2024-44187 CVE-2024-44244 CVE-2024-44296 CVE-2024-4558 | webkit2gtk3-2.46.3-2.0.1.al8 |
python-requests | CVE-2024-35195 | python-requests-2.20.0-5.al8 |
cups-filters | CVE-2024-47076 CVE-2024-47175 CVE-2024-47176 CVE-2024-47850 | cups-filters-1.20.0-35.0.2.al8 |
openssh | CVE-2020-15778 CVE-2023-48795 CVE-2023-51385 | openssh-8.0p1-25.0.1.2.al8 |
pam | CVE-2024-10041 CVE-2024-10963 | pam-1.3.1-36.1.al8 |
webkit2gtk3 | CVE-2024-23271 CVE-2024-27820 CVE-2024-27838 CVE-2024-27851 CVE-2024-40779 CVE-2024-40780 CVE-2024-40782 CVE-2024-40789 CVE-2024-40866 CVE-2024-44185 CVE-2024-44187 CVE-2024-44244 CVE-2024-44296 CVE-2024-44309 CVE-2024-4558 | webkit2gtk3-2.46.5-1.0.1.al8 |
dpdk | CVE-2024-11614 | dpdk-23.11-2.al8 |
cups | CVE-2024-47175 | cups-2.2.6-62.0.1.al8 |
iperf3 | CVE-2024-53580 | iperf3-3.9-13.al8.1 |
cups | CVE-2024-47175 | cups-2.2.6-62.0.2.al8 |
NetworkManager | CVE-2024-3661 | NetworkManager-1.40.16-18.0.1.al8 |
raptor2 | CVE-2024-57823 | raptor2-2.0.15-17.0.1.al8 |
rsync | CVE-2024-12085 | rsync-3.1.3-20.0.1.al8 |
fence-agents | CVE-2024-56201 CVE-2024-56326 | fence-agents-4.10.0-76.0.1.al8.4 |
glibc | CVE-2022-23218 CVE-2022-23219 | glibc-2.32-1.19.al8 |
glibc | CVE-2024-33602 CVE-2024-33601 CVE-2024-33600 CVE-2024-33599 | glibc-2.32-1.20.al8 |
grafana | CVE-2025-21613 CVE-2025-21614 | grafana-9.2.10-21.0.1.al8 |
redis | CVE-2022-24834 CVE-2022-35977 CVE-2022-36021 CVE-2023-22458 CVE-2023-25155 CVE-2023-28856 CVE-2023-45145 CVE-2024-31228 CVE-2024-31449 CVE-2024-46981 | redis-6.2.17-1.0.1.1.al8 |
python-jinja2 | CVE-2024-56326 | python-jinja2-2.10.1-3.0.4.al8 |
bzip2 | CVE-2019-12900 | bzip2-1.0.6-28.al8 |
libsoup | CVE-2024-52531 | libsoup-2.62.3-7.0.1.al8 |
git-lfs | CVE-2024-53263 | git-lfs-3.4.1-4.0.1.al8 |
keepalived | CVE-2024-41184 | keepalived-2.2.8-4.al8 |
unbound | CVE-2024-1488 CVE-2024-8508 | unbound-1.16.2-8.al8 |
java-17-openjdk | CVE-2025-21502 | java-17-openjdk-17.0.14.0.7-3.0.1.1.al8 |
galera | CVE-2023-22084 CVE-2024-21096 | galera-26.4.20-1.al8 |
mariadb | CVE-2023-22084 CVE-2024-21096 | mariadb-10.5.27-1.0.1.al8 |
doxygen | CVE-2020-11023 | doxygen-1.8.14-13.al8 |
tbb | CVE-2020-11023 | tbb-2018.2-10.al8.1 |
gcc-toolset-13-gcc | CVE-2020-11023 | gcc-toolset-13-gcc-13.3.1-2.2.0.1.1.al8 |
nodejs | CVE-2025-22150 CVE-2025-23083 CVE-2025-23085 | nodejs-20.18.2-1.1.al8 |
nodejs-packaging | CVE-2025-22150 CVE-2025-23083 CVE-2025-23085 | nodejs-packaging-2021.06-4.al8 |
nodejs-nodemon | CVE-2025-22150 CVE-2025-23083 CVE-2025-23085 | nodejs-nodemon-3.0.1-1.al8 |
podman | CVE-2024-11218 | podman-4.9.4-19.0.1.al8 |
buildah | CVE-2024-11218 | buildah-1.33.12-1.al8 |
libcap | CVE-2025-1390 | libcap-2.48-6.0.2.al8 |
libxml2 | CVE-2022-49043 | libxml2-2.9.7-18.0.4.1.al8 |
bind | CVE-2024-11187 | bind-9.11.36-16.0.1.al8.4 |
postgresql | CVE-2025-1094 | postgresql-13.20-1.0.1.al8 |
libpq | CVE-2025-1094 | libpq-13.20-1.0.1.al8 |
mecab-ipadic | CVE-2024-11053 CVE-2024-21193 CVE-2024-21194 CVE-2024-21196 CVE-2024-21197 CVE-2024-21198 CVE-2024-21199 CVE-2024-21201 CVE-2024-21203 CVE-2024-21212 CVE-2024-21213 CVE-2024-21218 CVE-2024-21219 CVE-2024-21230 CVE-2024-21231 CVE-2024-21236 CVE-2024-21237 CVE-2024-21238 CVE-2024-21239 CVE-2024-21241 CVE-2024-21247 CVE-2024-37371 CVE-2024-5535 CVE-2024-7264 CVE-2025-21490 CVE-2025-21491 CVE-2025-21494 CVE-2025-21497 CVE-2025-21500 CVE-2025-21501 CVE-2025-21503 CVE-2025-21504 CVE-2025-21505 CVE-2025-21518 CVE-2025-21519 CVE-2025-21520 CVE-2025-21521 CVE-2025-21522 CVE-2025-21523 CVE-2025-21525 CVE-2025-21529 CVE-2025-21531 CVE-2025-21534 CVE-2025-21536 CVE-2025-21540 CVE-2025-21543 CVE-2025-21546 CVE-2025-21555 CVE-2025-21559 | mecab-ipadic-2.7.0.20070801-17.0.1.al8 |
mysql | CVE-2024-11053 CVE-2024-21193 CVE-2024-21194 CVE-2024-21196 CVE-2024-21197 CVE-2024-21198 CVE-2024-21199 CVE-2024-21201 CVE-2024-21203 CVE-2024-21212 CVE-2024-21213 CVE-2024-21218 CVE-2024-21219 CVE-2024-21230 CVE-2024-21231 CVE-2024-21236 CVE-2024-21237 CVE-2024-21238 CVE-2024-21239 CVE-2024-21241 CVE-2024-21247 CVE-2024-37371 CVE-2024-5535 CVE-2024-7264 CVE-2025-21490 CVE-2025-21491 CVE-2025-21494 CVE-2025-21497 CVE-2025-21500 CVE-2025-21501 CVE-2025-21503 CVE-2025-21504 CVE-2025-21505 CVE-2025-21518 CVE-2025-21519 CVE-2025-21520 CVE-2025-21521 CVE-2025-21522 CVE-2025-21523 CVE-2025-21525 CVE-2025-21529 CVE-2025-21531 CVE-2025-21534 CVE-2025-21536 CVE-2025-21540 CVE-2025-21543 CVE-2025-21546 CVE-2025-21555 CVE-2025-21559 | mysql-8.0.41-1.0.1.1.al8 |
emacs | CVE-2025-1244 | emacs-27.2-11.0.1.al8.1 |
webkit2gtk3 | CVE-2024-54543 CVE-2025-24143 CVE-2025-24150 CVE-2025-24158 CVE-2025-24162 | webkit2gtk3-2.46.6-1.0.1.al8 |
tigervnc | CVE-2025-26594 CVE-2025-26595 CVE-2025-26596 CVE-2025-26597 CVE-2025-26598 CVE-2025-26599 CVE-2025-26600 CVE-2025-26601 | tigervnc-1.13.1-15.al8 |
rsync | CVE-2024-12087 CVE-2024-12088 CVE-2024-12747 | rsync-3.1.3-21.0.1.al8 |
libxml2 | CVE-2024-56171 CVE-2025-24928 | libxml2-2.9.7-19.0.1.1.al8 |
krb5 | CVE-2025-24528 | krb5-1.18.2-31.0.1.al8 |
pcs | CVE-2024-52804 | pcs-0.10.18-2.0.1.1.al8.4 |
webkit2gtk3 | CVE-2025-24201 | webkit2gtk3-2.46.6-2.0.1.al8 |
fence-agents | CVE-2025-27516 | fence-agents-4.10.0-76.0.1.al8.6 |
podman | CVE-2025-22869 | podman-4.9.4-20.0.1.al8 |
runc | CVE-2025-22869 | runc-1.1.12-6.0.1.al8 |
grub2 | CVE-2025-0624 | libreoffice-7.1.8.1-15.0.1.1.al8.1 |
libreoffice | CVE-2025-1080 | libreoffice-7.1.8.1-15.0.1.1.al8.1 |
freetype | CVE-2025-27363 | freetype-2.10.4-10.al8 |
python-jinja2 | CVE-2025-27516 | python-jinja2-2.10.1-7.0.1.al8 |
libxslt | CVE-2024-55549 CVE-2025-24855 | libxslt-1.1.32-6.1.0.1.al8 |
tomcat | CVE-2024-50379 CVE-2025-24813 | tomcat-9.0.87-1.al8.3 |
expat | CVE-2024-8176 | expat-2.2.5-17.al8 |
mod_auth_openidc | CVE-2025-31492 | mod_auth_openidc-2.4.9.4-7.al8 |
xmlrpc-c | CVE-2024-8176 | xmlrpc-c-1.51.0-11.0.1.al8 |
libtasn1 | CVE-2024-12133 | libtasn1-4.13-5.0.1.al8 |
bluez | CVE-2023-27349 CVE-2023-51589 | bluez-5.63-5.0.1.al8 |
Package updates
New features
Added Confidential AI, which provides enhanced data security for AI model training and inference scenarios based on confidential computing.
Added support for PCIe fault injection through ras-tools.
Added 26 external device drivers to meet hardware support needs. By default, these drivers are not installed.
kmod-ast-5.10.134~19-1.14.4~1.al8.src.rpm
kmod-bnxt-5.10.134~19-1.10.3_231.0.162.0~2.al8.src.rpm
kmod-fic2-5.10.134~19-1.2.6~1.al8.src.rpm
kmod-hinic-5.10.134~19-1.0~1.al8.src.rpm
kmod-hns3-5.10.134~19-1.0~1.al8.src.rpm
kmod-i40e-5.10.134~19-2.23.17~1.al8.src.rpm
kmod-iavf-5.10.134~19-4.9.4~1.al8.src.rpm
kmod-ice-5.10.134~19-1.12.13.4~2.al8.src.rpm
kmod-igb-5.10.134~19-5.14.16~1.al8.src.rpm
kmod-intel-QAT20-5.10.134~19-L.0.9.4__00004~1.al8.src.rpm
kmod-irdma-5.10.134~19-1.13.43~1.al8.src.rpm
kmod-ixgbe-5.10.134~19-5.19.6~1.al8.src.rpm
kmod-ixgbevf-5.10.134~19-4.18.7~1.al8.src.rpm
kmod-kvdo-6.2.8.7-94.0.1.al8.src.rpm
kmod-lpfc-5.10.134~19-14.2.673.37~1.al8.src.rpm
kmod-mellanox-5.10.134~19-23.10~2.al8.src.rpm
kmod-mpi3mr-5.10.134~19-8.11.1.0.0~1.al8.src.rpm
kmod-mpt3sas-5.10.134~19-47.00.00.00~1.al8.src.rpm
kmod-ngbevf-5.10.134~19-1.2.2~2.al8.src.rpm
kmod-ps3stor-5.10.134~19-2.3.1.24~1.al8.src.rpm
kmod-qla2xxx-5.10.134~19-10.02.09.00_k~1.al8.src.rpm
kmod-sfc-5.10.134~19-5.3.16.1004~2.al8.src.rpm
kmod-smartpqi-5.10.134~19-2.1.22_040~1.al8.src.rpm
kmod-sxe-5.10.134~19-1.3.1.1~1.al8.src.rpm
kmod-txgbevf-5.10.134~19-1.3.1~2.al8.src.rpm
kmod-xscale-5.10.134~19-1.2.0_367~2.al8.src.rpm
Important updates
Kernel
Upgraded the kernel to version kernel-5.10.134-19.1.al8.
Scheduling
Merged the cluster scheduling feature.
Added support for configuring bvt for non-movable threads in the root group.
Core sched supports independent configuration of special properties for each cookie.
Lets you share a core with normal tasks that do not have a cookie.
Prevents load balancing from automatically grouping tasks with the same cookie. This spreads tasks across different cores.
Memory
Fixed kfence stability issues.
Fixed Transparent Huge Page (THP) counting issues for code.
mmap() supports THP-aligned address space allocation.
virtio-mem supports the memmap_on_memory feature to enable rapid container memory scaling.
Merged other memory-related CVE patches.
Network
Fixed link group and link use-after-free issues.
Fixed smc-r device lookup failures in container scenarios.
Storage
erofs
Merged several mainline fixes for the erofs file system.
Added support for file backup mount and 48-bit layout.
Added sub-page block support for compressed files.
Merged mainline stable branch patches for components such as ext4, block, blk-mq, and io_uring.
Added the virtio-blk passthrough feature to support passthrough for virtio-blk devices.
Added a generic character device named /dev/vdXc0 for each virtio-blk block device. This device lets you use the uring_cmd method from the io_uring framework to send read and write commands directly to the virtio-blk driver layer.
Added bidirectional command support for virtio-blk devices. On the same sector base address, you can specify the number of write and read buffers in vector-like read and write operations. This completes read and write operations with a single I/O instruction. Currently, only write-then-read is supported.
Introduced a virtio_ring extension for virtio-blk named ring_pair. In this mode, each virtio-blk request hardware queue corresponds to two virtio_ring queues: a submission queue (SQ) and a completion queue (CQ). After a request is sent, the driver can actively reclaim the slots that are occupied by the sent I/O commands to send other requests. When the I/O operation is complete, the backend fills the CQ, and the driver reaps the responses. This feature requires the backend to support the ring_pair operation mode. Currently, only the vring split_queue+Indirect descriptor mode is supported.
Drivers
The NVMe driver supports batch processing of completed polled I/O commands.
Fixed numerous issues in the SCSI HiSilicon SAS driver and libsas.
Merged PCIe driver bugfix patches to fix issues such as incorrect space size calculation and root bus allocation.
BPF
Merged stable community bugfix and CVE fix patches.
Architecture
Fixed CVEs related to the x86 architecture.
Bug fixes
Updated alinux-base-setup to version alinux-base-setup-3.2-8.al8 to fix issues where Kdump could not be generated and grubby parameters were not effective on the ARM architecture.
Updated gdm to version gdm-40.0-27.0.1.1.al8 to fix an issue where the desktop could not be woken up after the screen was locked.
Updated alinux-release to version alinux-release-3.2104.12-1.al8 to update the EULA file for Alibaba Cloud Linux.
Updated dump to version dump-0.4-0.36.b46.3.al8 to fix an issue where a restore operation would fail after an incremental dump backup.
Updated maven to version maven-3.6.2-9.1.al8 to fix an issue where the mvn command could not be used out-of-the-box on Alibaba Cloud Linux 3.
Updated grub2 to version grub2-2.02-165.0.2.al8 to fix a grub2 error that occurred in tdx scenarios on Alibaba Cloud Linux 3.
Known issues
Because virtio-blk passthrough introduces a generic character device for virtio-blk devices, it can cause device detection errors in user components.
For a device such as /dev/vda, partitions are numbered starting from 1. Therefore, /dev/vdac0 represents the character device for /dev/vda and is not associated with /dev/vdac. Additionally, /dev/vdac0 is a character device, not a block device. This is another way to tell them apart. If you do not need this character channel, upgrade the kernel to version kernel-5.10.134-19.1.al8. This prevents the interface from being exposed for virtio-blk disks.
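A user component can apply both rules from this known issue (partition numbers start at 1, and the passthrough node is a character device) instead of inferring the parent disk from the name alone. This is an added example, not Alibaba Cloud's code: the function names and regular expressions are hypothetical, the naming pattern is assumed from the /dev/vdXc0 description on this page, and the sample modes are constructed.

```python
import os
import re
import stat

# Naming assumed from this page: a whole disk is vd<letters>, a partition
# appends a number starting at 1, the passthrough node appends "c0".
_CHAR = re.compile(r"(vd[a-z]+)c0")
_PART = re.compile(r"(vd[a-z]+)([1-9][0-9]*)")
_DISK = re.compile(r"vd[a-z]+")


def naive_parent(name):
    """Name-only parsing that misreads the new node: letters = disk, digits = partition."""
    m = re.fullmatch(r"(vd[a-z]+)[0-9]*", name)
    return m.group(1) if m else None


def classify(name, mode):
    """Return (kind, disk) for a /dev entry name and its st_mode.

    The name decides what the node should be; the file type reported by the
    kernel must agree, otherwise the entry is flagged as a mismatch.
    """
    m = _CHAR.fullmatch(name)
    if m:
        ok = stat.S_ISCHR(mode)
        return ("passthrough-char", m.group(1)) if ok else ("mismatch", None)
    m = _PART.fullmatch(name)
    if m:
        ok = stat.S_ISBLK(mode)
        return ("partition", m.group(1)) if ok else ("mismatch", None)
    if _DISK.fullmatch(name):
        ok = stat.S_ISBLK(mode)
        return ("disk", name) if ok else ("mismatch", None)
    return ("not-virtio-blk", None)


def classify_all(modes):
    """Classify a {name: st_mode} mapping."""
    return {name: classify(name, mode) for name, mode in sorted(modes.items())}


def scan(dev_dir="/dev"):
    """Classify the vd* entries of a live system."""
    modes = {}
    for name in os.listdir(dev_dir):
        if name.startswith("vd"):
            modes[name] = os.stat(os.path.join(dev_dir, name)).st_mode
    return classify_all(modes)


# Constructed sample: 29 disks would give vda .. vdac, so "vdac" is a real disk
# name and "vdac0" collides with it when only the name is inspected.
BLK, CHR = stat.S_IFBLK | 0o660, stat.S_IFCHR | 0o600
SAMPLE = {
    "vda": BLK, "vda1": BLK, "vdac0": CHR,     # disk vda and its passthrough node
    "vdac": BLK, "vdac1": BLK, "vdacc0": CHR,  # disk vdac and its passthrough node
}

if __name__ == "__main__":
    for name, (kind, disk) in classify_all(SAMPLE).items():
        print(f"/dev/{name}: {kind} of {disk} (name-only guess: {naive_parent(name)})")
```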
Alibaba Cloud Linux 3.2104 U11.1
Version | Image ID | Release date | Release content |
Alibaba Cloud Linux 3.2104 U11.1 | aliyun_3_x64_20G_alibase_20250117.vhd | 2025-01-17 |
aliyun_3_x64_20G_dengbao_alibase_20250117.vhd | 2025-01-17 |
aliyun_3_arm64_20G_alibase_20250117.vhd | 2025-01-17 |
aliyun_3_arm64_20G_dengbao_alibase_20250117.vhd | 2025-01-17 |
aliyun_3_x64_20G_container_optimized_20250117.vhd | 2025-01-17 |
Content updates
Security updates
Package name | CVE ID |
python-requests | CVE-2024-35195 |
cups | CVE-2024-47175 |
NetworkManager | CVE-2024-3661 |
Image
Enabled the loadmodules service by default.
Enabled the timedatex service by default.
2024
Alibaba Cloud Linux 3.2104 U11
Version | Image ID | Release date | Release content |
Alibaba Cloud Linux 3.2104 U11 | aliyun_3_x64_20G_alibase_20241218.vhd | 2024-12-18 |
aliyun_3_x64_20G_dengbao_alibase_20241218.vhd | 2024-12-18 |
aliyun_3_arm64_20G_alibase_20241218.vhd | 2024-12-18 |
aliyun_3_arm64_20G_dengbao_alibase_20241218.vhd | 2024-12-18 |
aliyun_3_x64_20G_container_optimized_20241226.vhd | 2024-12-26 |
Content updates
Security updates
Package name | CVE ID | Version |
grafana | CVE-2024-47875 CVE-2024-9355 | grafana-9.2.10-20.0.1.al8 |
java-11-openjdk | CVE-2023-48161 CVE-2024-21208 CVE-2024-21210 CVE-2024-21217 CVE-2024-21235 | java-11-openjdk-11.0.25.0.9-2.0.1.1.al8 |
java-1.8.0-openjdk | CVE-2023-48161 CVE-2024-21208 CVE-2024-21210 CVE-2024-21217 CVE-2024-21235 | java-1.8.0-openjdk-1.8.0.432.b06-2.0.2.1.al8 |
java-17-openjdk | CVE-2023-48161 CVE-2024-21208 CVE-2024-21210 CVE-2024-21217 CVE-2024-21235 | java-17-openjdk-17.0.13.0.11-3.0.2.1.al8 |
NetworkManager-libreswan | CVE-2024-9050 | NetworkManager-libreswan-1.2.10-7.0.1.al8 |
ansible-core | CVE-2024-0690 | ansible-core-2.16.3-2.0.1.al8 |
krb5 | CVE-2024-3596 | krb5-1.18.2-30.0.1.al8 |
xorg-x11-server | CVE-2024-9632 | xorg-x11-server-1.20.11-25.0.1.al8 |
xmlrpc-c | CVE-2024-45491 | xmlrpc-c-1.51.0-10.0.1.al8 |
bzip2 | CVE-2019-12900 | bzip2-1.0.6-27.al8 |
bcc | CVE-2024-2314 | bcc-0.25.0-9.0.1.al8 |
buildah | CVE-2024-9341 CVE-2024-9407 CVE-2024-9675 | buildah-1.33.10-1.al8 |
libtiff | CVE-2024-7006 | libtiff-4.4.0-12.0.3.al8 |
libsoup | CVE-2024-52530 CVE-2024-52532 | libsoup-2.62.3-6.0.1.al8 |
gtk3 | CVE-2024-6655 | gtk3-3.24.31-5.0.2.1.al8 |
tigervnc | CVE-2024-9632 | tigervnc-1.13.1-14.al8 |
emacs | CVE-2024-30203 CVE-2024-30204 CVE-2024-30205 | emacs-27.2-10.0.1.al8 |
squid | CVE-2024-23638 CVE-2024-45802 | squid-4.15-13.al8.3 |
gnome-shell-extensions | CVE-2024-36472 | gnome-shell-extensions-40.7-19.0.1.al8 |
gnome-shell | CVE-2024-36472 | gnome-shell-40.10-21.al8 |
osbuild-composer | CVE-2024-34156 | osbuild-composer-118-2.0.1.al8 |
expat | CVE-2024-50602 | expat-2.2.5-16.al8 |
iperf3 | CVE-2023-7250 CVE-2024-26306 | iperf3-3.9-13.al8 |
lldpd | CVE-2020-27827 CVE-2021-43612 CVE-2023-41910 | lldpd-1.0.18-4.0.1.al8 |
xorg-x11-server-Xwayland | CVE-2024-31080 CVE-2024-31081 CVE-2024-31083 | xorg-x11-server-Xwayland-23.2.7-1.al8 |
bpftrace | CVE-2024-2313 | bpftrace-0.16.0-8.al8 |
perl-Convert-ASN1 | CVE-2013-7488 | perl-Convert-ASN1-0.27-17.1.0.1.al8 |
podman | CVE-2021-33198 CVE-2021-4024 CVE-2024-9676 | podman-4.9.4-18.0.1.al8 |
grafana-pcp | CVE-2024-9355 | grafana-pcp-5.1.1-9.0.1.al8 |
buildah | CVE-2021-33198 CVE-2021-4024 CVE-2024-9676 | buildah-1.33.11-1.al8 |
python-podman | CVE-2021-33198 CVE-2021-4024 CVE-2024-9676 | python-podman-4.9.0-3.al8 |
golang | CVE-2024-24790 | golang-1.22.7-1.0.2.al8 |
delve | CVE-2024-24790 | delve-1.22.1-1.0.2.al8 |
go-toolset | CVE-2024-24790 | go-toolset-1.22.7-1.al8 |
pam | CVE-2024-10041 CVE-2024-10963 | pam-1.3.1-36.al8 |
perl-App-cpanminus | CVE-2024-45321 | perl-App-cpanminus-1.7044-6.al8 |
postgresql | CVE-2024-10976 CVE-2024-10978 CVE-2024-10979 | postgresql-13.18-1.0.1.al8 |
python3 | CVE-2024-11168 CVE-2024-9287 | python3-3.6.8-69.0.1.1.al8 |
python3.11-cryptography | CVE-2023-49083 | python3.11-cryptography-37.0.2-6.0.1.al8 |
python3.11-setuptools | CVE-2024-6345 | python3.11-setuptools-65.5.1-3.al8 |
python3.11-pip | CVE-2007-4559 | python3.11-pip-22.3.1-5.al8 |
python3.11 | CVE-2024-9287 | python3.11-3.11.11-1.0.1.al8 |
php | CVE-2023-0567 CVE-2023-0568 CVE-2023-3247 CVE-2023-3823 CVE-2023-3824 CVE-2024-2756 CVE-2024-3096 CVE-2024-5458 CVE-2024-8925 CVE-2024-8927 CVE-2024-9026 | php-7.4.33-2.0.1.al8 |
pcs | CVE-2024-21510 | pcs-0.10.18-2.0.1.1.al8.3 |
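Checking a host against the security-update table above, as an added example (not Alibaba Cloud's code): it parses the table rows, orders builds the way rpm does, and reports which listed CVEs are still open for a constructed list of installed source RPMs. It assumes the table's package names are source-package names (matched against `%{SOURCERPM}`), ignores epochs because the table does not list them, and does not implement rpm's caret (`^`) ordering.

```python
import re

# Rows copied from the U11 "Security updates" table on this page
# (Package name | CVE ID | Version). buildah is listed twice there.
ADVISORY_ROWS = """\
Package name | CVE ID | Version |
krb5 | CVE-2024-3596 | krb5-1.18.2-30.0.1.al8 |
expat | CVE-2024-50602 | expat-2.2.5-16.al8 |
pam | CVE-2024-10041 CVE-2024-10963 | pam-1.3.1-36.al8 |
buildah | CVE-2024-9341 CVE-2024-9407 CVE-2024-9675 | buildah-1.33.10-1.al8 |
buildah | CVE-2021-33198 CVE-2021-4024 CVE-2024-9676 | buildah-1.33.11-1.al8 |
"""

# Constructed sample of what `rpm -qa --qf '%{SOURCERPM}\n' | sort -u`
# could print on a host; these builds are made up for the example.
INSTALLED_SRPMS = """\
krb5-1.18.2-29.0.1.al8.src.rpm
expat-2.2.5-16.al8.1.src.rpm
pam-1.3.1-36.al8.src.rpm
buildah-1.33.10-1.al8.src.rpm
zlib-1.2.11-25.al8.src.rpm
(none)
"""

_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Order two version or release strings like rpm does: -1, 0 or 1."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":              # tilde sorts before anything
            if x == y:
                continue
            return -1 if x == "~" else 1
        if x.isdigit() != y.isdigit():        # numeric segment beats alphabetic
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)             # 10 > 9, not a string compare
        if x != y:
            return -1 if x < y else 1
    if len(ta) == len(tb):
        return 0
    rest = ta[len(tb):] or tb[len(ta):]
    longer_wins = rest[0] != "~"              # "1.0~rc1" is older than "1.0"
    return 1 if (len(ta) > len(tb)) == longer_wins else -1


def cmp_vr(a, b):
    """Compare (version, release) pairs; release only breaks version ties."""
    return rpmvercmp(a[0], b[0]) or rpmvercmp(a[1], b[1])


def parse_advisories(table):
    """Return {name: [((version, release), [cve, ...]), ...]} from table rows."""
    rows = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 3:
            continue
        name, cves, build = cells[0], cells[1].split(), cells[2]
        if build.startswith(name + "-"):      # U11 rows repeat the name in the build
            build = build[len(name) + 1:]
        if "-" not in build:
            continue                          # header row or malformed build
        rows.setdefault(name, []).append((tuple(build.rsplit("-", 1)), cves))
    return rows


def parse_installed(text):
    """Return {source_name: (version, release)} from %{SOURCERPM} lines."""
    installed = {}
    for line in text.split():
        if not line.endswith(".src.rpm"):
            continue                          # e.g. "(none)" for gpg-pubkey
        parts = line[: -len(".src.rpm")].rsplit("-", 2)
        if len(parts) == 3:
            installed[parts[0]] = (parts[1], parts[2])
    return installed


def audit(advisory_table, installed_text):
    """Return {name: sorted CVE IDs} for packages older than a fixed build."""
    installed = parse_installed(installed_text)
    findings = {}
    for name, rows in parse_advisories(advisory_table).items():
        have = installed.get(name)
        if have is None:
            continue                          # not installed, nothing to patch
        missing = {cve for fixed, cves in rows
                   if cmp_vr(have, fixed) < 0 for cve in cves}
        if missing:
            findings[name] = sorted(missing)
    return findings


if __name__ == "__main__":
    for name, cves in audit(ADVISORY_ROWS, INSTALLED_SRPMS).items():
        print(f"{name}: update needed for {', '.join(cves)}")
```

The same parser accepts the older table layout on this page, where the Version column holds only `version-release` without the package name.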
Package updates
New features
Added support for AMD GPU and NVIDIA GPU-based confidential computing features.
Optimized the performance of the `lscpu` command on ultra-large-scale `pcie` devices in `util-linux-2.32.1-46.0.3.al8`.
Container storage is implemented using `erofs-utils-1.8.2-1.al8`.
Updated `java-11-alibaba-dragonwell-11.0.24.21.21-1.1.al8` to optimize the BigDecimal class, improving performance in big data scenarios.
Updated `java-21-alibaba-dragonwell-21.0.4.0.4-1.1.al8` to improve Java performance.
Added the `system-rpm-config-129-1.0.2.1.al8` component to provide system macro variable configuration.
Important updates
Kernel
Upgraded the kernel to version 5.10.134-18.al8.
New hardware support
Officially supports the Intel GNR platform.
Officially supports the AMD Turin platform.
Scheduling
Supports `cpu sli` on `cgroup v2`, including container-granularity data such as `cpuusage` and `loadavg`.
Memory
Fixed multiple memory-related issues and backported several memory `bugfixes` from the `kernel-5.10 stable` branch.
The `pgtable_share` feature is disabled by default.
Code segment huge pages support the `direct collapse` mode, which allows for rapid consolidation into huge pages during a `page fault`.
Backported the `percpu chunk` release optimization patch set to prevent `chunk` release failures due to `percpu` fragmentation.
Network
Optimized the RSS logic of `virtio_net` to align RSS configuration with the device and update it correctly with the number of queues.
Added support for 200 G and 400 G speeds for bond 3ad mode.
Storage
io_uring
Fixed a `race` condition during the concurrent creation of `percpu sqthread`.
Checks the validity of the CPU configuration for enabling `percpu sqthread`.
Backported community `stable` branch patches to enhance code quality.
fuse/virtio-fs
Supports `resend pending` requests.
Supports multiple queues to optimize `fuse` performance.
Optimized read/write splitting to prevent many write requests from blocking read requests.
Supports the `failover` feature. This feature allows the `fuse daemon` to reconnect to the original `fuse connection` through an `attach` operation after an abnormal recovery and resend requests to complete fault recovery.
Supports 4 MB write alignment to optimize performance.
Fixed an `IO hang` issue when loading modules larger than 4 MB in `virtio-fs`.
Added `tag` and `queue mapping sysfs` interfaces to `virtio-fs`.
Backported community `stable` branch patches to enhance code quality.
erofs
Fixed a UUID issue in `erofs_statfs()` and optimized the DEFLATE stream allocation logic.
Backported community `stable` branch patches to enhance code quality.
ext4
Optimized the clearing logic for EXT4_GROUP_INFO_WAS_TRIMMED_BIT.
Backported community `stable` branch patches to enhance code quality.
xfs
Optimized `reflink` performance fluctuations caused by potential tens of milliseconds of blocking in `xfs_log_force()`.
Fixed a compilation error caused by disabling CONFIG_FS_DAX.
Correctly checks `i_blocks` when the atomic write feature is enabled.
block
Fixed an `IO hang` in the `mq-deadline` scheduler on devices with multiple hardware queues.
Fixed an issue where updating `block` throttling configurations could lead to unexpected throttling behavior due to negative values when calculating `bps` limits.
Removed the `blk-mq "running from the wrong CPU"` warning.
Backported community `stable` branch patches to enhance code quality.
misc
Backported community `stable` branch patches for modules such as `vfs`, `quota`, `overlayfs`, `nfs`, `cifs`, `ceph`, `dm/md`, `null_blk`, `nbd`, `loop`, and `virtio-blk` to enhance code quality.
Driver
Backported `watchdog` driver-related fix patches from `kernel-5.10 LTS` to enhance stability.
The NVMe driver supports the latest Alibaba Cloud disk activation solution.
Backported NVMe driver-related fix patches from `kernel-5.10 LTS` to enhance stability.
Backported SCSI-related fix patches from `kernel-5.10 LTS` to enhance stability.
Backported ATA-related fix patches from `kernel-5.10 LTS` to enhance stability.
Introduced the `sig_enforce_subsys` parameter to support mandatory signature verification for modules in the `block`, `net`, and GPU domains.
Merged many patches for the NetXen network interface card driver to fix `txgbe` and `txgbevf`, which enhances code quality and stability.
Perf
Fixed a pointer memory leak issue in the `perf` tool caused by backporting `stable` branch patches. This resolves `coredump` failures.
BPF
Added support for using atomic operations in Berkeley Packet Filter (BPF) programs.
Backported community `stable` and `bugfix` patches.
Architecture x86
Added support for C-state for the Intel GNR platform.
Added support for p-state for the EMR and GNR platform.
Updated `intel-speed-select` to version `v1.20` to support new platforms.
Added support for passing PEBS functionality to virtual machines.
Applied `x86` `bugfix` for ACPI, APIC, power consumption, and PMU to other architectures or systems.
Upgraded `turbostat` to version `2023.11.07` to support more features.
Added support for SPR and EMR CXL PMON.
Added support for AMD c2c.
Added support for AMD HSMP.
Added AMD IBRS enhancement.
Added support for AMD ABMC.
Bug fixes
Packages
Fixed an issue where PODs exited abnormally and non-`device cgroup` subgroups were reclaimed by `systemd` within 20 seconds when `Delegate=yes`. This issue, which caused deployment failures, was fixed through `systemd-239-82.0.3.4.al8.2`.
Fixed a memory leak issue through `ledmon-0.97-1.0.2.al8`.
Improved data access efficiency on the Yitian platform through `tuned-2.22.1-5.0.1.1.al8`.
Fixed several component installation failures on the `mirror`.
Image
Modified the `crashkernel` value for the `x86` image to resolve the issue where `vmcore` could not be generated.
Changed the default parameter in `/sys/kernel/mm/transparent_hugepage/defrag` to `defer` to improve memory reclamation speed in Transparent Huge Pages scenarios.
Alibaba Cloud Linux 3.2104 U10.1
Version | Image ID | Release date | Release content |
Alibaba Cloud Linux 3.2104 U10.1 | aliyun_3_x64_20G_alibase_20241103.vhd | 2024-11-03 | |
| aliyun_3_x64_20G_dengbao_alibase_20241103.vhd | 2024-11-03 | |
| aliyun_3_arm64_20G_alibase_20241103.vhd | 2024-11-03 | |
| aliyun_3_arm64_20G_dengbao_alibase_20241103.vhd | 2024-11-03 | |
Content updates
Security updates
Package name | CVE ID | Version |
buildah | CVE-2023-45290 CVE-2024-1394 CVE-2024-3727 CVE-2024-6104 CVE-2024-24783 CVE-2024-24784 CVE-2024-24789 CVE-2024-37298 | buildah-1.33.8-4.al8 |
containernetworking-plugins | CVE-2023-45290 CVE-2024-1394 CVE-2024-3727 CVE-2024-6104 CVE-2024-24783 CVE-2024-24784 CVE-2024-24789 CVE-2024-37298 | containernetworking-plugins-1.4.0-5.0.1.al8 |
containers-common | CVE-2023-45290 CVE-2024-1394 CVE-2024-3727 CVE-2024-6104 CVE-2024-24783 CVE-2024-24784 CVE-2024-24789 CVE-2024-37298 | containers-common-1-82.0.1.al8 |
podman | CVE-2023-45290 CVE-2024-1394 CVE-2024-3727 CVE-2024-6104 CVE-2024-24783 CVE-2024-24784 CVE-2024-24789 CVE-2024-37298 | podman-4.9.4-12.0.1.al8 |
python-podman | CVE-2023-45290 CVE-2024-1394 CVE-2024-3727 CVE-2024-6104 CVE-2024-24783 CVE-2024-24784 CVE-2024-24789 CVE-2024-37298 | python-podman-4.9.0-2.al8 |
runc | CVE-2023-45290 CVE-2024-1394 CVE-2024-3727 CVE-2024-6104 CVE-2024-24783 CVE-2024-24784 CVE-2024-24789 CVE-2024-37298 | runc-1.1.12-4.0.1.al8 |
skopeo | CVE-2023-45290 CVE-2024-1394 CVE-2024-3727 CVE-2024-6104 CVE-2024-24783 CVE-2024-24784 CVE-2024-24789 CVE-2024-37298 | skopeo-1.14.5-3.0.1.al8 |
httpd | CVE-2023-27522 | httpd-2.4.37-65.0.1.al8.2 |
git-lfs | CVE-2023-45288 CVE-2023-45289 CVE-2023-45290 CVE-2024-24783 | git-lfs-3.4.1-2.0.1.al8 |
bind | CVE-2024-1975 CVE-2024-1737 | bind-9.11.36-16.0.1.al8 |
python-setuptools | CVE-2024-6345 | python-setuptools-39.2.0-8.al8.1 |
less | CVE-2022-48624 CVE-2024-32487 | less-530-3.0.1.al8 |
java-17-openjdk | CVE-2024-21131 CVE-2024-21138 CVE-2024-21140 CVE-2024-21144 CVE-2024-21145 CVE-2024-21147 | java-17-openjdk-17.0.12.0.7-2.0.2.1.al8 |
java-11-openjdk | CVE-2024-21131 CVE-2024-21138 CVE-2024-21140 CVE-2024-21144 CVE-2024-21145 CVE-2024-21147 | java-11-openjdk-11.0.24.0.8-3.0.2.1.al8 |
postgresql | CVE-2024-7348 | postgresql-13.16-1.0.1.al8 |
flatpak | CVE-2024-42472 | flatpak-1.12.9-3.al8 |
bubblewrap | CVE-2024-42472 | bubblewrap-0.4.0-2.2.al8 |
java-1.8.0-openjdk | CVE-2024-21131 CVE-2024-21138 CVE-2024-21140 CVE-2024-21144 CVE-2024-21145 CVE-2024-21147 | java-1.8.0-openjdk-1.8.0.422.b05-2.0.2.1.al8 |
fence-agents | CVE-2024-6345 | fence-agents-4.10.0-62.0.2.al8.4 |
pcp | CVE-2024-45769 CVE-2024-45770 | pcp-5.3.7-22.0.1.al8 |
delve | CVE-2024-24791 CVE-2024-34155 CVE-2024-34156 CVE-2024-34158 | delve-1.21.2-4.0.1.al8 |
golang | CVE-2024-24791 CVE-2024-34155 CVE-2024-34156 CVE-2024-34158 | golang-1.21.13-2.0.1.al8 |
go-toolset | CVE-2024-24791 CVE-2024-34155 CVE-2024-34156 CVE-2024-34158 | go-toolset-1.21.13-1.al8 |
edk2 | CVE-2023-45236 CVE-2023-45237 CVE-2024-1298 | edk2-20220126gitbb1bba3d77-13.0.1.al8.2 |
curl | CVE-2024-2398 | curl-7.61.1-35.0.2.al8 |
libvpx | CVE-2023-6349 CVE-2024-5197 | libvpx-1.7.0-11.0.1.al8 |
resource-agents | CVE-2024-37891 CVE-2024-6345 | resource-agents-4.9.0-54.al8.4 |
389-ds-base | CVE-2024-5953 | 389-ds-base-1.4.3.39-8.0.1.al8 |
python-urllib3 | CVE-2024-37891 | python-urllib3-1.24.2-8.al8 |
pcs | CVE-2024-41123 CVE-2024-41946 CVE-2024-43398 | pcs-0.10.18-2.0.1.1.al8.2 |
grafana | CVE-2024-24788 CVE-2024-24789 CVE-2024-24790 | grafana-9.2.10-17.0.1.al8 |
libuv | CVE-2024-24806 | libuv-1.42.0-2.al8 |
c-ares | CVE-2024-25629 | c-ares-1.13.0-11.al8 |
xmlrpc-c | CVE-2023-52425 | xmlrpc-c-1.51.0-9.0.1.al8 |
yajl | CVE-2022-24795 CVE-2023-33460 | yajl-2.1.0-13.0.1.al8 |
wpa_supplicant | CVE-2023-52160 | wpa_supplicant-2.10-2.al8 |
cups | CVE-2024-35235 | cups-2.2.6-60.0.1.al8 |
linux-firmware | CVE-2023-31346 | linux-firmware-20240610-122.git90df68d2.al8 |
wget | CVE-2024-38428 | wget-1.19.5-12.0.1.al8 |
poppler | CVE-2024-6239 | poppler-20.11.0-12.0.1.al8 |
krb5 | CVE-2024-37370 CVE-2024-37371 | krb5-1.18.2-29.0.1.al8 |
git-lfs | CVE-2024-34156 | git-lfs-3.4.1-3.0.1.al8 |
libreoffice | CVE-2024-3044 CVE-2024-6472 | libreoffice-7.1.8.1-12.0.2.1.al8.1 |
orc | CVE-2024-40897 | orc-0.4.28-4.al8 |
jose | CVE-2023-50967 CVE-2024-28176 | jose-10-2.3.al8.3 |
openssh | CVE-2020-15778 CVE-2023-48795 CVE-2023-51385 | openssh-8.0p1-25.0.1.1.al8 |
libnbd | CVE-2024-3446 CVE-2024-7383 CVE-2024-7409 | libnbd-1.6.0-6.0.1.al8 |
qemu-kvm | CVE-2024-3446 CVE-2024-7383 CVE-2024-7409 | qemu-kvm-6.2.0-53.0.1.al8 |
libvirt | CVE-2024-3446 CVE-2024-7383 CVE-2024-7409 | libvirt-8.0.0-23.2.0.2.al8 |
osbuild-composer | CVE-2024-34156 | osbuild-composer-101-2.0.1.al8 |
libreswan | CVE-2024-3652 | libreswan-4.12-2.0.2.al8.4 |
mod_auth_openidc | CVE-2024-24814 | mod_auth_openidc-2.4.9.4-6.al8 |
podman | CVE-2023-45290 CVE-2024-24783 CVE-2024-24784 CVE-2024-24788 CVE-2024-24791 | podman-4.9.4-13.0.1.al8 |
ghostscript | CVE-2024-29510 CVE-2024-33869 CVE-2024-33870 | ghostscript-9.54.0-18.al8 |
emacs | CVE-2024-39331 | emacs-27.2-9.0.3.al8 |
dovecot | CVE-2024-23184 CVE-2024-23185 | dovecot-2.3.16-5.0.1.al8 |
expat | CVE-2024-45490 CVE-2024-45491 CVE-2024-45492 | expat-2.2.5-13.0.1.al8 |
glib2 | CVE-2024-34397 | glib2-2.68.4-14.0.2.al8 |
python-idna | CVE-2024-3651 | python-idna-2.5-7.al8 |
openldap | CVE-2023-2953 | openldap-2.4.46-19.al8 |
python-pillow | CVE-2024-28219 | python-pillow-5.1.1-21.al8 |
nghttp2 | CVE-2024-28182 | nghttp2-1.33.0-6.0.1.al8.1 |
python-jinja2 | CVE-2024-34064 | python-jinja2-2.10.1-3.0.3.al8 |
opencryptoki | CVE-2024-0914 | opencryptoki-3.22.0-3.al8 |
gdk-pixbuf2 | CVE-2021-44648 CVE-2021-46829 CVE-2022-48622 | gdk-pixbuf2-2.42.6-4.0.1.al8 |
rear | CVE-2024-23301 | rear-2.6-13.0.1.al8 |
grub2 | CVE-2023-4692 CVE-2023-4693 CVE-2024-1048 | grub2-2.02-150.0.2.al8 |
nss | CVE-2023-5388 CVE-2023-6135 | nss-3.101.0-7.0.1.al8 |
gnutls | CVE-2024-0553 CVE-2024-28834 | gnutls-3.6.16-8.0.1.al8.3 |
python3 | CVE-2024-4032 CVE-2024-6232 CVE-2024-6923 | python3-3.6.8-67.0.1.2.al8 |
grafana | CVE-2024-24791 | grafana-9.2.10-18.0.1.al8 |
cups-filters | CVE-2024-47076 CVE-2024-47175 CVE-2024-47176 CVE-2024-47850 | cups-filters-1.20.0-35.0.1.al8 |
linux-firmware | CVE-2023-20584 CVE-2023-31315 CVE-2023-31356 | linux-firmware-20240827-124.git3cff7109.al8 |
golang | CVE-2024-9355 | golang-1.21.13-3.0.1.al8 |
openssl | CVE-2024-5535 | openssl-1.1.1k-14.0.1.al8 |
nano | CVE-2024-5742 | nano-2.9.8-2.0.1.al8 |
runc | CVE-2023-45290 CVE-2024-34155 CVE-2024-34156 CVE-2024-34158 | runc-1.1.12-5.0.1.al8 |
OpenIPMI | CVE-2024-42934 | OpenIPMI-2.0.32-5.0.1.al8 |
Software package updates
What's new
Added the `libyang2` component.
`keentuned` and `keentune-target` updated to version 3.1.1.
Added a tuning option to modify the number of network interface card queues.
Added a tuning option to modify priority control.
Removed the `file-max` and `scheduler` tuning options.
Removed the execution of unsafe commands.
Added four API components for `keentuned`: `keentune-bench`, `keentune-brain`, `keentune-ui`, and `keenopt`.
Updated `tcprt` to version 1.1.0 to enhance TCP monitoring capabilities.
Updated `Node.js` to 20.16 to provide version 20 baseline capabilities for ACR.
Upgraded `erofs-utils` to 1.8.2. This version fixes some issues and provides a better EROFS.
Important updates
Kernel
Upgraded the kernel to version 5.10.134-17.3.al8.
Anolis-developed features
SMC
Introduced the `AutoSplit` feature to optimize the transmission delay for large packets.
Allowed connections in an SMC Link Group to exclusively occupy an RDMA QP.
Introduced shared memory water level control.
Introduced data `dump` at the SMC layer.
swiotlb
Introduced `swiotlb=any cmdline` to support reserving `swiotlb` in the entire memory space.
Community features
`sysctl` parameters for SMC Limited Handshake.
Backported shared memory usage statistics broken down by the SMC LGR and net namespace dimensions.
TDX
Introduced the TDX Guest RTMR update interface. You can add custom measurement values for remote attestation.
Introduced the ECDSA algorithm module.
Bug fixes
Fixed an issue in `util-linux-2.32.1-46.0.3.al8` where the `lscpu` command took a long time to run when searching for many `pci` devices in a cluster.
Fixed an issue in `tzdata-2024a-1.0.1.6.al8` where some time zone files were missing during migration.
Fixed division-by-zero errors, memory leaks, and other issues in the SMC module.
Fixed a bug in the `ftrace` subsystem that could cause the system to crash when multiple security software products coexist.
Fixed a potential out-of-bounds memory access issue when using `uprobe`.
Alibaba Cloud Linux 3.2104 U10
Version | Image ID | Release date | Release content |
Alibaba Cloud Linux 3.2104 U10 | aliyun_3_x64_20G_alibase_20240819.vhd | 2024-08-19 | |
| aliyun_3_x64_20G_dengbao_alibase_20240819.vhd | 2024-08-19 | |
| aliyun_3_arm64_20G_alibase_20240819.vhd | 2024-08-19 | |
| aliyun_3_arm64_20G_dengbao_alibase_20240819.vhd | 2024-08-19 | |
Content updates
Security updates
Package name | CVE ID | Version |
adwaita-qt | | 1.4.2-1.al8 |
apr | CVE-2022-24963 | 1.7.0-12.al8 |
avahi | | 0.7-21.0.1.al8.1 |
bind | | 9.11.36-14.0.1.al8 |
c-ares | | 1.13.0-9.al8.1 |
cockpit | CVE-2024-2947 | 310.4-1.al8 |
cups | | 2.2.6-54.0.1.al8 |
cups-filters | CVE-2023-24805 | 1.20.0-32.0.1.al8 |
curl | CVE-2023-38546 | 7.61.1-34.0.1.al8 |
device-mapper-multipath | CVE-2022-41973 | 0.8.4-39.0.2.al8 |
dhcp | | 4.3.6-50.0.1.al8 |
dnsmasq | | 2.79-32.0.1.al8 |
edk2 | | 20220126gitbb1bba3d77-13.0.1.al8 |
expat | CVE-2023-52425 | 2.2.5-13.al8 |
evolution-mapi | | 3.40.1-6.al8 |
flatpak | | 1.12.9-1.al8 |
frr | | 7.5.1-16.0.4.al8 |
fwupd | CVE-2022-3287 | 1.7.8-2.0.1.al8 |
ghostscript | CVE-2024-33871 | 9.54.0-16.al8 |
git | | 2.43.5-1.0.1.al8 |
glib2 | | 2.68.4-11.al8 |
gmp | CVE-2021-43618 | 6.2.0-13.0.1.al8 |
gnutls | CVE-2023-5981 | 3.6.16-8.0.2.al8 |
grafana | | 9.2.10-16.0.1.al8 |
grafana-pcp | CVE-2024-1394 | 5.1.1-2.0.1.al8 |
gstreamer1-plugins-bad-free | | 1.22.1-4.0.1.al8 |
gstreamer1-plugins-base | CVE-2023-37328 | 1.22.1-2.0.1.al8 |
gstreamer1-plugins-good | CVE-2023-37327 | 1.16.1-4.al8 |
harfbuzz | CVE-2023-25193 | 2.7.4-10.0.1.al8 |
httpd | | 2.4.37-64.0.1.al8 |
mod_http2 | | 1.15.7-10.al8 |
java-1.8.0-openjdk | | 1.8.0.412.b08-2.0.1.1.al8 |
java-11-openjdk | | 11.0.23.0.9-3.0.1.1.al8 |
libfastjson | CVE-2020-12762 | 0.99.9-5.al8 |
libjpeg-turbo | CVE-2021-29390 | 2.0.90-7.0.1.al8 |
liblouis | | 3.16.1-5.al8 |
libmicrohttpd | CVE-2023-27371 | 0.9.59-3.al8 |
libpq | CVE-2022-41862 | 13.11-1.0.1.al8 |
librabbitmq | CVE-2023-35789 | 0.11.0-7.0.1.al8 |
libreoffice | | 7.1.8.1-12.0.1.1.al8.1 |
libreswan | | 4.12-2.0.2.al8 |
libsndfile | CVE-2022-33065 | 1.0.28-13.0.2.al8 |
libssh | | 0.9.6-12.al8 |
libtiff | | 4.4.0-12.0.1.al8 |
libvirt | | 8.0.0-23.1.0.1.al8 |
qemu-kvm | | 6.2.0-49.0.1.al8 |
libX11 | | 1.7.0-9.al8 |
libxml2 | | 2.9.7-18.0.3.al8 |
libXpm | | 3.5.13-10.0.1.al8 |
linux-firmware | | 20240111-121.gitb3132c18.al8 |
motif | | 2.3.4-20.al8 |
openchange | | 2.3-32.0.1.al8 |
opensc | | 0.20.0-7.0.1.al8 |
openssh | CVE-2023-51385 | 8.0p1-20.0.1.al8 |
openssl | | 1.1.1k-12.0.1.al8 |
pam | CVE-2024-22365 | 1.3.1-28.al8 |
pcp | CVE-2024-3019 | 5.3.7-20.0.1.al8 |
perl-HTTP-Tiny | CVE-2023-31486 | 0.074-2.0.1.al8.1 |
pixman | CVE-2022-44638 | 0.40.0-6.al8 |
pmix | CVE-2023-41915 | 3.2.3-5.al8 |
poppler | CVE-2020-36024 | 20.11.0-10.0.2.al8 |
postgresql-jdbc | CVE-2024-1597 | 42.2.14-3.al8 |
procps-ng | CVE-2023-4016 | 3.3.15-14.0.1.al8 |
protobuf-c | CVE-2022-48468 | 1.3.0-7.al8 |
python-cryptography | CVE-2023-23931 | 3.2.1-7.al8 |
python-dns | CVE-2023-29483 | 1.15.0-12.al8 |
python-pillow | | 5.1.1-20.al8 |
python-pip | CVE-2007-4559 | 9.0.3-23.0.1.al8.1 |
python3 | | 3.6.8-62.0.1.2.al8 |
qt5-qtbase | | 5.15.3-5.0.3.al8 |
qt5-qtsvg | CVE-2023-32573 | 5.15.3-2.al8 |
rpm | | 4.14.3-27.0.5.2.al8 |
samba | | 4.18.6-3.0.1.1.al8 |
shadow-utils | CVE-2023-4641 | 4.6-19.0.1.al8 |
shim | | 15.8-2.0.1.1.al8 |
sqlite | CVE-2023-7104 | 3.26.0-19.al8 |
squashfs-tools | | 4.3-20.1.0.3.al8 |
sssd | CVE-2023-3758 | 2.9.4-3.al8 |
sudo | | 1.9.5p2-1.0.1.al8 |
sysstat | CVE-2023-33204 | 11.7.3-11.0.1.al8 |
tang | CVE-2023-1672 | 7-8.al8 |
tcpdump | CVE-2021-41043 | 4.9.3-4.0.1.al8 |
tigervnc | | 1.13.1-10.0.1.al8 |
tpm2-tss | CVE-2023-22745 | 2.3.2-5.0.2.al8 |
traceroute | CVE-2023-46316 | 2.1.0-6.2.0.3.al8 |
unbound | CVE-2024-1488 | 1.16.2-7.al8 |
util-linux | CVE-2024-28085 | 2.32.1-45.0.1.1.al8.1 |
webkit2gtk3 | | 2.42.5-1.0.1.al8 |
wireshark | | 2.6.2-17.al8 |
xorg-x11-server | | 1.20.11-16.0.4.al8 |
xorg-x11-server-Xwayland | | 22.1.9-5.al8 |
yajl | CVE-2023-33460 | 2.1.0-12.0.1.al8 |
zziplib | CVE-2020-18770 | 0.13.71-11.al8 |
buildah | | 1.33.7-2.al8 |
cockpit-podman | | 84.1-1.al8 |
conmon | | 2.1.10-1.al8 |
container-selinux | | 2.229.0-2.al8 |
containernetworking-plugins | | 1.4.0-2.0.1.al8 |
containers-common | | 1-81.0.1.al8 |
criu | | 3.18-5.0.1.al8 |
fuse-overlayfs | | 1.13-1.0.1.al8 |
podman | | 4.9.4-3.0.1.al8 |
runc | | 1.1.12-1.0.1.al8 |
slirp4netns | | 1.2.3-1.al8 |
libslirp | | 4.4.0-2.al8 |
Package updates
New features
rdma-core enables the eRDMA feature.
rasdaemon supports memory CE error isolation.
nginx uses OpenSSL 3.
aliyun-cli is upgraded to 3.0.210.
Important updates
Kernel
Upgraded the kernel to version 5.10.134-17.2.al8.
New features
Added support for fuse failover. This feature provides native kernel-level fuse fault recovery to ensure uninterrupted file access services.
Added support for the dynamic kernel preemption feature. This backports the upstream community's dynamic kernel preemption design, which lets you switch preemption models through cmdline or sysfs: none or voluntary. The full mode is not yet supported.
Enhanced perf functionality to support perf metrics for CMN and DDR PMU.
New BPF features
Added new BPF helpers.
bpf_for_each_map_elem: A helper to traverse BPF maps.
bpf_snprintf: A string formatting helper.
bpf_timer: A timer that triggers a callback function after a specified time.
bpf_loop: Removes the limitation of constant finite loops to let you write loops freely.
bpf_strncmp: A string comparison helper.
bpf_ktime_get_tai_ns: Obtains time of the CLOCK_TAI type.
bpf_skb_load_bytes: Added support for the raw_tp type. This lets you read skb data, including data in non-linear areas, in raw_tp type programs.
The arm64 architecture now supports attaching trampoline-related features, such as fentry, fexit, fmod_ret, and bpf_lsm. This provides more powerful tracing, diagnostics, and security capabilities.
bpf_trampoline now supports coexistence with livepatch.
Added support for virtio-net features.
Added support for virtio-net device statistics. This implements kernel-level acquisition of device statistics to improve fault localization and diagnostics capabilities.
Introduced a queue reset feature. This feature lets you adjust the size of virtual machine queues to reduce packet loss and optimize latency.
Added support for dynamic interrupt moderation (netdim). This feature intelligently adjusts interrupt aggregation parameters based on real-time traffic to optimize data reception performance.
Optimized the virtio checksum. This fixes checksum verification issues on virtio network interface cards (NICs) under specific feature controls. In XDP application scenarios, you do not need to re-verify the checksum in the guest operating system. This significantly reduces CPU usage.
Added support for failover in erofs on-demand loading mode.
Fixed an O_DIRECT + O_SYNC semantics issue in ext4. This issue has existed since the iomap framework was introduced. It was caused by generic_write_sync() being called within the iomap framework, while i_disksize is updated after iomap_dio_rw(). In append-write scenarios, this prevented the on-disk file length from being updated promptly. As a result, the written data could not be read after an abnormal power loss.
The XFS file system now supports the delayed inode invalidation feature. This feature moves the reclamation operation to a background kworker process. This reduces stuttering in foreground applications caused by delete operations.
Added fuse-related support.
Added support for shared memory mapping (mmap) in `cache=none` mode.
Added a dynamic switch for the strict limit feature. The fuse module sets a strict limit, which can cause very slow write-back or stuttering in specific scenarios. This sysfs knob lets you dynamically resolve such issues.
Optimized kernfs global lock contention to reduce the higher load average caused by concurrent access from monitoring programs.
Added GroupIdentity-related features.
Added the Group Identity 2.0 fine-grained priority feature.
Added support for the smc_pnet feature in SMC-R and elastic Remote Direct Memory Access (eRDMA) application scenarios.
Optimized reachability checks in SMC and eRDMA scenarios to fix a low-probability kernel crash issue.
Calibrated the Group Identity 2.0 CPU share ratio.
Added the Group Identity 2.0 force idled time metric.
Optimized Group Identity to enhance load control for tasks with different priorities.
Added basic Group Balancer features.
Added support for passing a zero-length iovec in `rafsv6` mode.
In `rafsv6` mode, you can now reclaim dax mappings to avoid potential out-of-memory (OOM) and fuse hang issues caused by pinning.
Restricted `rafsv6` to secure container scenarios through kconfig.
Added SMC-related optimizations and support.
virtio now supports a timeout mechanism for the control vq. This prevents high CPU polling load on the virtual machine when a device is unresponsive. The default timeout is 7 days.
Added a feature to isolate slab memory used by out-of-tree (OOT) modules. This helps isolate problems when OOT module memory corruption occurs.
Added a fast OOM feature. This feature prevents long periods of machine unresponsiveness due to memory pressure in multi-core, large-memory environments. It helps you increase memory deployment density and improve the stability of online services during high-load periods.
Added erofs-related support and optimizations.
xfs now supports fsdax reflink and dedupe, with targeted optimizations for Tair PMEM instances. The optimizations include improving the continuity of snapshot source files, enhancing dirty page write-back efficiency, and removing the dependency on the reverse map btree to optimize page fault latency.
Added support for cgroup writeback. This fixes an issue where memory cgroups are not released for a long time when lazytime is enabled. This issue can cause the number of memory cgroups in containerized deployment environments to remain high. This occupies memory and causes high sys CPU usage when traversing cgroups.
Added I/O Service Level Indicators (SLIs) for cgroup v2. This adds SLIs for blkio cgroup v2, including wait time, service time, complete time, I/O queued, and bytes queued.
In extreme cases, when supporting 2 MB I/O, each bio_vec contains only one 4 KB page. Therefore, the current 5.10 kernel supports only up to 1 MB I/O. The extra processing and splitting logic can affect performance in some scenarios.
Fixed an ABBA deadlock issue caused by a race condition when setting blk-iocost qos rules.
The tcmu_loop device now supports configurable parameters, including `can_queue`, `nr_hw_queues`, `cmd_per_lun`, and `sg_tablesize`. If the backend device is powerful enough, increasing these parameters can significantly improve performance.
Image updates
Operating system image
Added the spec_rstack_overflow=off boot parameter.
Added the kfence.sample_interval=100 kfence.booting_max=0-2G:0,2G-32G:2M,32G-:32M boot parameter.
Changed net.ipv4.tcp_retries2 to 8.
Changed net.ipv4.tcp_syn_retries to 4.
Removed the NTP server configuration for classic networks.
Container image
alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.2104U10
Bug fixes
Kernel
Fixed a linked list corruption issue caused by incorrect scheduling of the credits_announce_work work element in the smc kernel module.
Fixed a perf_cgroup_switch race condition.
Fixed an issue where Group Identity 2.0 Queue other time statistics could be negative.
Fixed a cfs_rq runtime statistics issue.
Fixed an issue where cfs_rq->core could be NULL.
Enabled sound card related drivers (CONFIG_SND).
Fixed a kernel crash issue caused by kfence when cgroup kmem statistics counting is enabled.
Fixed Loongson architecture related issues.
Fixed erofs compression mode stability issues.
Fixed erofs over fscache stability issues.
Fixed SMC related stability issues.
Fixed a write back performance degradation issue when BDI uses the STRICTLIMIT attribute and the BDI share is 0.
Fixed a seccomp memory leak.
Fixed an issue where user operations could lead to an incorrect ZERO_PAGE reference count.
Fixed a potential recursive memory revoke issue in TCMU.
Fixed a kernel crash issue when migrating kernel threads in the ioasids subsystem.
Fixed an I/O repeat statistics issue when no throttling rules are configured.
Fixed an unexpected hardware signal hang issue when Phytium S2500 and some BMC chips communicate frequently in a short period.
Fixed a kernel panic issue when Group Identity and core scheduling are enabled simultaneously.
Changed the CFS bandwidth control throttling mechanism from synchronous mode to asynchronous mode to optimize bandwidth control efficiency in scenarios with many CPUs.
Fixed a potential race condition when disabling the core sched master switch.
Fixed inaccurate SIB Idle statistics in high interrupt request (IRQ) payload scenarios.
Backported fix patches for higher versions of NVMe over RDMA to improve system stability.
Fixed a deadlock hang issue when nvme_reset and nvme_rescan are executed concurrently.
Fixed a kernel crash caused by a UAF issue triggered by the PCIe driver ASPM.
Fixed a display corruption issue on the Phytium S5000C with an AST2600 graphics card device.
Fixed a warning caused by asynchronous unthrottle, preventing potential scheduling deadlocks.
CVE-2023-52445
CVE-2023-6817
CVE-2024-0646
CVE-2023-20569
CVE-2023-51042
CVE-2023-6915
CVE-2023-6546
CVE-2022-38096
CVE-2024-0565
CVE-2024-26589
CVE-2024-23307
CVE-2024-22099
CVE-2024-24860
CVE-2024-1086
CVE-2023-51779
CVE-2024-26597
CVE-2024-24855
CVE-2023-52438
CVE-2023-4622
CVE-2023-6932
CVE-2023-20588
CVE-2023-5717
CVE-2023-6931
CVE-2023-28464
CVE-2023-39192
CVE-2023-6176
CVE-2023-45863
CVE-2023-5178
CVE-2023-45871
CVE-2023-4155
CVE-2023-20593
CVE-2023-3567
CVE-2023-3358
CVE-2023-0615
CVE-2023-31083
CVE-2023-4015
CVE-2023-42753
CVE-2023-4623
CVE-2023-4921
CVE-2023-2860
CVE-2023-1206
CVE-2023-3772
CVE-2023-42755
CVE-2023-3863
CVE-2022-3114
CVE-2023-31085
CVE-2023-4132
CVE-2022-3424
CVE-2022-3903
CVE-2022-45887
CVE-2023-3006
CVE-2023-42754
CVE-2023-0160
Image
Unified the debuginfo repository name. Use the `dnf debuginfo-install <package_name>` command to install the corresponding debuginfo.
The dnf-makecache service's active interval has been extended from 1 hour to 1 day to reduce its impact on the disk and network.
Because virtio_blk is in-tree in the kernel, the related configuration for the virtio_blk module has been removed from initramfs.
Packages
Fixed a bug where dnf-plugin-releasever-adapter could cause the dnf command to fail.
Alibaba Cloud Linux 3.2104 U9.1
Version number | Image ID | Release date | Release content |
Alibaba Cloud Linux 3.2104 U9.1 | aliyun_3_x64_20G_alibase_20240528.vhd | 2024-05-28 | |
| aliyun_3_arm64_20G_alibase_20240528.vhd | 2024-05-28 | |
Content updates
Security updates
Package name | CVE ID | Package version |
kernel | | 5.10.134-16.3.al8 |
bind | CVE-2022-3094 | 9.11.36-11.0.1.al8 |
buildah | | 1.31.3-1.al8 |
dnsmasq | CVE-2023-28450 | 2.79-31.0.1.al8 |
edk2-20220126gitbb1bba3d77 | CVE-2019-14560 | 6.0.2.al8 |
frr | | 7.5.1-16.0.2.al8 |
grafana | | 9.2.10-7.0.1.al8 |
grafana | CVE-2024-1394 | 9.2.10-7.0.1.al8 |
grafana-pcp | | 5.1.1-1.0.1.al8 |
gstreamer1-plugins-bad-free | CVE-2023-44429 | 1.22.1-2.0.1.al8 |
tigervnc | CVE-2023-44446 | 1.13.1-2.al8 |
unbound | | 1.16.2-6.al8 |
webkit2gtk3 | CVE-2023-42917 | 2.40.5-1.0.2.al8.1 |
glibc | CVE-2024-2961 | 2.32-1.16.al8 |
python2-setuptools | CVE-2022-40897 | 39.0.1-13.1.module+al8+9+77049424 |
Package updates
Package name | Release version |
cloud-init | 23.2.2 |
container-selinux | 2.229.0 |
ethtool | 6.6 |
iproute | 6.2.0 |
iptables | 1.8.5 |
keentuned | 2.4.0 |
keentune-target | 2.4.0 |
rng-tools | 6.16 |
sssd | 2.9.1 |
sudo | 1.9.5p2 |
sysak | 2.4.0 |
Important updates
Kernel updates
The kernel is upgraded to 5.10.134-16.3.al8.
Added support for the smc_pnet feature in SMC-R and elastic Remote Direct Memory Access (eRDMA) scenarios.
Added support for HWDRC, a dynamic memory bandwidth control technology based on Resource Director Technology (RDT), for more precise control over resources such as memory bandwidth and cache.
Optimized Group Identity for enhanced load control of tasks with different priorities.
New package features
aliyun-cli is upgraded to 3.0.204 and can now be installed and updated using yum or dnf commands.
cloud-init is upgraded to 23.2.2 and supports instance metadata access in hardened mode.
ethtool is upgraded to 6.6 and supports the CMIS protocol.
sysak is upgraded to 2.4.0. This version optimizes diagnostic functions, provides node monitoring, adapts to sysom observability features on the node side, and includes some bug fixes.
keentune is upgraded to 2.4.0.
Image updates
Container images
alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.9.1
alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest
Note: After the new version is released, the latest tag can no longer be used to obtain the 3.9.1 version of the image.
Virtual machine images
The image boot mode is switched to UEFI-Preferred and now supports both UEFI and Legacy boot modes.
Bug fixes
Kernel
Fixed erofs compression mode stability issues.
Fixed erofs over fscache stability issues.
Fixed SMC-related stability issues.
Fixed a write-back performance degradation issue that occurs when BDI uses the STRICTLIMIT feature and the BDI share is 0.
Fixed a seccomp memory leak.
Fixed an issue where user operations could lead to an incorrect ZERO_PAGE reference count.
Fixed a potential recursive memory reclamation issue in TCMU.
Fixed a kernel crash issue that occurs when kernel threads are migrated in the ioasids subsystem.
Fixed an I/O repeat statistics issue that occurs when no throttling rules are configured.
Fixed an unexpected hardware signal hang issue that occurs when Phytium S2500 and some BMC chips communicate frequently in a short period.
Fixed a kernel panic issue that occurs when Group Identity and core scheduling are enabled at the same time.
Changed the CFS bandwidth control unthrottling from synchronous to asynchronous to optimize bandwidth control efficiency in scenarios with many CPUs.
Fixed a potential race condition that occurs when the core sched master switch is disabled.
Fixed inaccurate sibidle statistics in high irq scenarios.
Image
Fixed an issue where installing other kernel versions does not take effect after a restart.
2023
Alibaba Cloud Linux 3.2104 U9
Version | Image ID | Release date | Release content |
Alibaba Cloud Linux 3.2104 U9 | aliyun_3_9_x64_20G_alibase_20231219.vhd | 2023-12-19 | |
Alibaba Cloud Linux 3.2104 U9 | aliyun_3_9_arm64_20G_alibase_20231219.vhd | 2023-12-19 | |
Alibaba Cloud Linux 3.2104 U9 | aliyun_3_9_x64_20G_uefi_alibase_20231219.vhd | 2023-12-19 | |
Content updates
Security updates
Package name | CVE ID | Package version |
kernel | | 5.10.134-16.1.al8 |
java-1.8.0-openjdk | | 1.8.0.392.b08-4.0.3.al8 |
java-11-openjdk | CVE-2023-22081 | 11.0.21.0.9-2.0.3.al8 |
mariadb | | 10.5.22-1.0.1.al8 |
open-vm-tools | | 12.2.5-3.al8.1 |
bind | CVE-2023-3341 | 9.11.36-8.al8.2 |
dmidecode-doc | CVE-2023-30630 | 3.3-5.0.2.al8 |
frr | CVE-2023-38802 | 7.5.1-8.0.1.al8 |
ghostscript | | 9.54.0-14.al8 |
glibc | CVE-2023-4911 | 2.32-1.12.al8 |
grafana | | 7.5.15-5.0.1 |
libvpx | | 1.7.0-10.0.1.al8 |
linux-firmware | CVE-2023-20593 | 20230404-117.git2e92a49f.al8 |
ncurses | CVE-2023-29491 | 6.1-10.20180224.0.1.al8 |
nghttp2 | CVE-2023-44487 | 1.33.0-4.0.1.al8.1 |
tracker-miners | CVE-2023-5557 | 3.1.2-4.0.1.al8 |
Package updates
Package name | Release version |
ca-certificates | 2023.2.60_v7.0.306 |
firewalld | 0.9.11 |
java-1.8.0-openjdk | 1.8.0.392.b08 |
java-11-openjdk | 11.0.21.0.9 |
libbpf | 0.6.0 |
lz4 | 1.9.4 |
mariadb | 10.5.22 |
nmstate | 2.2.15 |
nspr | 4.35.0 |
nss | 3.90.0 |
open-vm-tools | 12.2.5 |
openscap | 1.3.8 |
scap-security-guide | 0.1.69 |
sos | 4.6.0 |
xz | 5.4.4 |
Important updates
Kernel
New features
Supports core scheduling
Backports the core scheduling security feature from the upstream community. This feature allows only trusted processes from the same group to run simultaneously on the hyper-threads of the same physical core. This feature is incompatible with group identity. Do not enable them at the same time. This feature is disabled by default. To enable it, run the `sysctl -w kernel.sched_core=1` command.
Supports the eBPF trampoline feature in Arm64
Backports the eBPF trampoline feature on Arm64 to support the bpf struct ops feature. Note that because the Arm64 ftrace-related features are not backported, the bpf fentry series of features are still unavailable.
Supports the mglru feature
Supports mglru, which improves memory page reclamation. This feature enhances the rate and accuracy of memory reclamation in big data scenarios and improves end-to-end performance.
Supports batch TLB flushing
The Batch migration feature implements batch TLB flushing and page copy operations during memory page migration, which improves the performance of kernel page migration operations.
This version refactors and optimizes the original batch migration feature in the previous kernel based on upstream code. The main changes after refactoring include removing the `batch_migrate` cmdline parameter, removing the `/sys/kernel/mm/migrate/batch_migrate_enabled` interface, and making batch migration the default configuration for page migration.
Added the `/sys/kernel/mm/migrate/dma_migration_min_pages` interface, with a default value of 32. This interface is only for scenarios where the DMA page copy feature is enabled. The DMA page copy feature is used only when `/sys/kernel/mm/migrate/dma_migrate_enabled` is enabled and the number of migrated pages reaches the value of `/sys/kernel/mm/migrate/dma_migration_min_pages`.
Backports the cachestat feature
Introduced the `cachestat` system call in the kernel. You can use this system call to view detailed page cache statistics for a specified file.
Enhanced RAS event triggering in Arm64 kernel mode
Added error recovery capabilities for RAS issues in different scenarios, such as `copy_{from/to}_user`, `{get/put}_user`, Copy on Write (COW), and pagecache reading.
Supports SMC-D loopback feature (self-developed)
Introduced the SMC-D loopback feature to accelerate inter-process TCP communication and inter-container TCP communication on the local machine.
Supports page table core affinity and provides cross-die page table statistics (self-developed)
The page table core affinity feature can, under memory pressure, allocate the page tables of QoS-sensitive services to the current NUMA node. This reduces memory access latency and achieves faster and more effective memory access.
Enhanced code multi-copy (self-developed)
Uses an asynchronous task to retry cases where code multi-copy did not take effect during process startup. Added the `memory.duptext_nodes` kernel interface to limit the memory allocation nodes for duptext.
kfence enhancement (self-developed)
Added a self-developed kfence enhancement for the Arm64 architecture. This allows for flexible dynamic enabling and disabling of kfence and full capture of memory corruption issues, which accommodates both online detection and offline debugging.
Added a feature to immediately crash the system when a memory issue is captured to help developers better analyze problems in a debugging environment. Enable it by setting the boot cmdline to `kfence.fault=panic` or running `echo panic > /sys/module/kfence/parameters/fault`. The default value is `report`, which only outputs logs without crashing the system.
Provides memcg THP control interface (self-developed)
Provides a memcg THP control interface to prohibit THP allocation for a specified memcg.
Supports ACPU (Assess CPU) (self-developed)
ACPU can count the idle time of the HT peer during task execution and provide per-cgroup statistics. This can be used to evaluate hardware resource competition on shared CPU cores during task execution.
Supports HT-aware-quota feature (self-developed)
A computing power stability solution based on CFS bandwidth control and core scheduling. In mixed deployment scenarios, it calibrates the quota by sensing whether the HT peer is idle so that tasks can obtain relatively stable computing power in each scheduling cycle. It is suitable for compute-intensive tasks.
Supports group identity 2.0 (self-developed)
Introduced a cgroup-level SCHED_IDLE feature. By setting the `cpu.idle` attribute of the target cgroup, you can set the scheduling policy of that cgroup to SCHED_IDLE. This is suitable for batch management of offline tasks.
Behavior changes
Module signing
Added signing for kernel modules to make it easier for developers to identify and reject unsigned kernel modules.
Spectre-BHB and Variant 4 vulnerability fixes disabled by default on Arm64
After analysis, the Spectre-BHB and Variant 4 vulnerabilities have been addressed by fixing the Spectre v2 security vulnerability, disabling unprivileged eBPF, using Site-Isolation technology, and disabling SharedArrayBuffer. No additional fixes for Spectre-BHB and Variant 4 are needed. Therefore, the Arm64 default cmdline adds the `nospectre_bhb ssbd=force-off` parameters to reduce unnecessary overhead and improve performance while ensuring security.
Enabled TDX guest-related configurations to support TDX confidential virtual machine scenarios.
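The following shell script is an added example, not part of the Alibaba Cloud documentation or tooling. It audits an instance against the Spectre-BHB and Variant 4 item above: it reports whether `nospectre_bhb` and `ssbd=force-off` are on the boot cmdline and whether unprivileged eBPF, the one compensating control named there that can be checked on the host, is actually disabled. The function names and the sample cmdline are constructed for illustration, and the script assumes the standard upstream `kernel.unprivileged_bpf_disabled` sysctl is present on this kernel.

```shell
#!/bin/sh
# Added example: audit the Arm64 speculative-execution defaults described in
# the release note (nospectre_bhb, ssbd=force-off) against the host-side
# premise they rely on (unprivileged eBPF disabled). Site isolation and
# SharedArrayBuffer are browser-side controls and cannot be checked here.

# cmdline_has_flag CMDLINE FLAG
# Succeeds if FLAG appears as a whole whitespace-separated token.
cmdline_has_flag() {
    _chf_found=1
    set -f                          # no glob expansion while word-splitting
    for _chf_tok in $1; do
        if [ "$_chf_tok" = "$2" ]; then _chf_found=0; fi
    done
    set +f
    return "$_chf_found"
}

# cmdline_last_value CMDLINE KEY
# Prints the value of the last KEY=value token, or an empty line if absent.
# Limitation: quoted values containing spaces are not handled.
cmdline_last_value() {
    _clv_val=""
    set -f
    for _clv_tok in $1; do
        case "$_clv_tok" in
            "$2="*) _clv_val=${_clv_tok#*=} ;;
        esac
    done
    set +f
    printf '%s\n' "$_clv_val"
}

# audit_spec_mitigations CMDLINE BPF_SYSCTL
#   CMDLINE     contents of /proc/cmdline
#   BPF_SYSCTL  value of kernel.unprivileged_bpf_disabled (0, 1 or 2;
#               empty if it could not be read)
# Prints one finding per line. Returns 1 when a mitigation is switched off
# on the cmdline while unprivileged eBPF is allowed or its state is unknown.
audit_spec_mitigations() {
    _asm_relaxed=0
    if cmdline_has_flag "$1" nospectre_bhb; then
        echo "spectre-bhb: mitigation off (nospectre_bhb)"
        _asm_relaxed=1
    else
        echo "spectre-bhb: kernel default"
    fi

    _asm_ssbd=$(cmdline_last_value "$1" ssbd)
    case "$_asm_ssbd" in
        force-off) echo "ssbd: mitigation off (ssbd=force-off)"; _asm_relaxed=1 ;;
        "")        echo "ssbd: kernel default" ;;
        *)         echo "ssbd: $_asm_ssbd" ;;
    esac

    case "$2" in
        1|2) echo "unprivileged-bpf: disabled ($2)"; _asm_bpf_ok=1 ;;
        0)   echo "unprivileged-bpf: ALLOWED";       _asm_bpf_ok=0 ;;
        *)   echo "unprivileged-bpf: unknown";       _asm_bpf_ok=0 ;;
    esac

    if [ "$_asm_relaxed" -eq 1 ] && [ "$_asm_bpf_ok" -eq 0 ]; then
        echo "result: REVIEW"
        return 1
    fi
    echo "result: ok"
    return 0
}

# audit_live: run the same audit against the running system.
audit_live() {
    _al_cmdline=$(cat /proc/cmdline)
    _al_bpf=$(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || true)
    audit_spec_mitigations "$_al_cmdline" "$_al_bpf"
}

# Constructed sample: a cmdline carrying the Arm64 defaults from the release
# note, on a host where unprivileged eBPF has been re-enabled (sysctl = 0).
SAMPLE_CMDLINE='root=/dev/vda1 ro console=ttyAMA0 nospectre_bhb ssbd=force-off'
if audit_spec_mitigations "$SAMPLE_CMDLINE" 0; then
    echo "sample: premise holds"
else
    echo "sample: mitigations are off but unprivileged eBPF is not disabled"
fi
```

Call `audit_live` on an instance to apply the same check to `/proc/cmdline` and the live sysctl value.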
New package features
Provided erofs-utils-1.7.1 through the software repository.
erofs-utils is a tool for creating, checking, and compressing EROFS. It supports compression algorithms such as LZ4, LZMA, and DEFLATE, and supports converting the tar format to the erofs format.
Provided stress-ng-0.15.00 through the software repository.
Provided alibaba-cloud-compiler-13.0.1.4 through the software repository.
Alibaba Cloud Compiler is a C/C++ compiler created by Alibaba Cloud. It is developed based on the open source Clang/LLVM-13 community version and inherits all options and parameters supported by the open source version. In addition, Alibaba Cloud Compiler is deeply optimized based on Alibaba Cloud infrastructure to provide unique features and optimizations. This gives Alibaba Cloud users a better C/C++ compiler experience.
glibc adds a patch to support GB18030-2022 encoding.
dragonwell17 updated to 17.0.9.0.10.9: The JIT compiler improves inline performance by removing the logic that determines inlining based on the absolute number of calls.
dragonwell8 updated to 8.15.16.372: Supports multiple coroutines waiting for the read and write events of the same socket, and fixes a bug in the okhttp scenario.
Provided plugsched-1.3 through the software repository.
plugsched is an SDK for hot-upgrading the scheduler, aimed at kernel scheduler developers. You can install this tool to develop scheduler modules.
sysak updated to 2.2.0: Added an application observation feature that supports metric observation and diagnosis for MySQL and Java applications. Added monitoring metrics related to container monitoring and cluster monitoring. Added a local monitoring feature.
keentune updated to 2.3.0: Updated x264/265 related scripts to support the latest ffmpeg. Resolved XPS and RPS core affinity error issues. Updated the default settings for eRDMA in the profile.
Intel QAT/DLB/IAA accelerator software chain update: QAT driver bug fixes, DLB driver upgrade, QAT and IAA user-space bug fixes, and a new unified management solution for cross-architecture accelerator user-space DMA memory.
smc-tools update: Added the `smc-ebpf` command, which supports port-granularity control of the `smc_run` effective scope. The control mode supports whitelist and blacklist modes, and intelligent scheduling.
Bug fixes
Fixed an issue where netfilter-related features were unavailable because RPM packages such as `kernel-modules-extra` and `kernel-modules-internal` were not automatically installed when the kernel was updated.
Fixed an issue where the `/proc/sys/kernel/sched_group_identity_enabled` interface could not be disabled sometimes due to incorrect reference counting of group identity during cgroup creation or deletion.
Image updates
Container images
alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.9
alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest
Note: After the new version is released, you can no longer use `latest` to obtain the 3.9 version of the image.
Virtual machine images
The rpmdb format is switched to sqlite by default.
The keentune service is installed but not enabled by default.
The nfs-server service is not enabled by default.
Known issues
The kdump service may not work properly on ecs.g6r.large instances due to memory size. Adjust the crash parameters, such as `0M-2G:0M,2G-128G:256M,128G-:384M`, to avoid this issue.
On the nfsv3 file system, after you add S permission to a file, the group's S permission is lost after you change the file's owner in special cases.
The fix for this issue is the patch `2d8ae8c417db ("nfsd: use vfs setgid helper")`, but the helper function required for the fix has significant code changes from the 5.10 kernel version. This is a known issue and the fix is temporarily postponed.
After you replace TCP with SMC, netperf tests may exit prematurely.
Because SMC uses a fixed-size ring buffer, the remaining buffer space may be smaller than the data size specified by `send()` during transmission. In this case, SMC returns the number of bytes that can be sent, which is usually less than the amount specified by the user in `send()`. In netperf, this behavior is judged as an exception and causes an exit. The upstream maintainer strongly recommends keeping the current design to avoid connection stalled issues. Therefore, this issue will not be fixed.
Alibaba Cloud Linux 3.2104 U8
Version | Image ID | Release date | Release content |
Alibaba Cloud Linux 3.2104 U8 | aliyun_3_arm64_20G_alibase_20230731.vhd | 2023-07-31 | |
Alibaba Cloud Linux 3.2104 U8 | aliyun_3_x64_20G_alibase_20230727.vhd | 2023-07-27 | |
Alibaba Cloud Linux 3.2104 U8 | aliyun_3_x64_20G_qboot_alibase_20230727.vhd | 2023-07-27 | |
Alibaba Cloud Linux 3.2104 U8 | aliyun_3_x64_20G_uefi_alibase_20230727.vhd | 2023-07-27 | |
Content updates
Security updates
Package name | CVE ID | Package version |
ctags | CVE-2022-4515 | 5.8-23.0.1.al8 |
gssntlmssp | | 1.2.0-1.0.1.al8 |
libtar | | 1.2.20-17.0.1.al8 |
device-mapper-multipath | CVE-2022-41973 | 0.8.4-37.0.1.al8 |
postgresql-jdbc | CVE-2022-41946 | 42.2.14-2.al8 |
freerdp | | 2.2.0-10.0.1.al8 |
tigervnc | | 1.12.0-15.al8 |
xorg-x11-server | | 1.20.11-15.0.1.al8 |
poppler | CVE-2022-38784 | 20.11.0-6.0.1.al8 |
wayland | CVE-2021-3782 | 1.21.0-1.al8 |
net-snmp | | 5.8-27.0.1.al8 |
dhcp | | 4.3.6-49.0.1.al8 |
python-mako | CVE-2022-40023 | 1.0.6-14.al8 |
curl | CVE-2023-27535 | 7.61.1-30.0.2.al8.2 |
dnsmasq | CVE-2023-28450 | 2.79-27.al8 |
qt5 | CVE-2022-25255 | 5.15.3-1.0.1.al8 |
autotrace | CVE-2022-32323 | 0.31.1-55.al8 |
bind | CVE-2023-2828 | 9.11.36-8.al8.1 |
mysql | | 8.0.32-1.0.2.al8 |
ruby | | 2.7.8-139.0.1.al8 |
kernel | | 5.10.134-15.al8 |
webkit2gtk3 | | 2.38.5-1.0.1.al8.5 |
libssh | | 0.9.6-7.al8 |
open-vm-tools | CVE-2023-20867 | 12.1.5-2.al8 |
grafana | | 7.5.15-4.0.2.al8 |
grafana-pcp | CVE-2022-27664 | 3.2.0-3.0.1.al8 |
frr | CVE-2022-37032 | 7.5.1-7.0.1.al8 |
sqlite | CVE-2020-24736 | 3.26.0-18.al8 |
git-lfs | | 3.2.0-2.0.1.al8 |
sysstat | CVE-2022-39377 | 11.7.3-9.0.1.al8 |
python3 | CVE-2023-24329 | 3.6.8-51.0.1.al8.1 |
c-ares | CVE-2023-32067 | 1.13.0-6.al8.2 |
cups-filters | CVE-2023-24805 | 1.20.0-29.0.1.al8.2 |
webkit2gtk3 | | 2.38.5-1.0.1.al8.4 |
delve go-toolset golang | CVE-2023-24540 | delve-1.9.1-1.0.1.al8 go-toolset-1.19.9-1.al8 golang-1.19.9-1.0.1.al8 |
kernel | | 5.10.134-14.1.al8 |
git | | 2.39.3-1.1.al8 |
apr-util | CVE-2022-25147 | 1.6.1-6.2.al8.1 |
webkit2gtk3 | CVE-2023-2203 | 2.38.5-1.0.1.al8.3 |
edk2 | | 20220126gitbb1bba3d77-4.al8 |
mingw-expat | CVE-2022-40674 | 2.4.8-2.al8 |
Package updates
Package name | Release version |
at | at-3.1.20-12.0.1.al8 |
audit | audit-3.0.7-2.0.1.al8.2 |
authselect | authselect-1.2.6-1.al8 |
bind | bind-9.11.36-8.al8.1 |
checkpolicy | checkpolicy-2.9-1.2.al8 |
cloud-utils-growpart | cloud-utils-growpart-0.33-0.0.1.al8 |
container-selinux | container-selinux-2.189.0-1.al8 |
coreutils | coreutils-8.30-13.al8 |
crypto-policies | crypto-policies-20221215-1.gitece0092.al8 |
cups | cups-2.2.6-51.0.1.al8 |
dbus | dbus-1.12.8-24.0.1.al8 |
ding-libs | ding-libs-0.6.1-40.al8 |
dnf | dnf-4.7.0-16.0.1.al8 |
dnf-plugins-core | dnf-plugins-core-4.0.21-14.1.al8 |
dracut | dracut-049-223.git20230119.al8 |
elfutils | elfutils-0.188-3.0.1.al8 |
emacs | emacs-27.2-8.0.3.al8.1 |
expat | expat-2.2.5-11.al8 |
file | file-5.33-24.al8 |
freetype | freetype-2.10.4-9.al8 |
fuse | fuse-2.9.7-16.al8 |
gmp | gmp-6.2.0-10.0.1.al8 |
gnupg2 | gnupg2-2.2.20-3.al8 |
graphite2 | graphite2-1.3.10-10.2.al8 |
grub2 | grub2-2.02-148.0.1.al8 |
harfbuzz | harfbuzz-1.7.5-3.2.al8 |
hwdata | hwdata-0.314-8.16.al8 |
iproute | iproute-5.18.0-1.al8 |
iptables | iptables-1.8.4-24.0.1.al8 |
kernel | kernel-5.10.134-15.al8 |
kernel-hotfix-13383560-5.10.134-15 | kernel-hotfix-13383560-5.10.134-15-1.0-20230724161633.al8 |
kexec-tools | kexec-tools-2.0.25-5.0.1.al8 |
kmod | kmod-25-19.0.2.al8 |
kpatch | kpatch-0.9.7-2.0.1.al8 |
libarchive | libarchive-3.5.3-4.al8 |
libffi | libffi-3.1-24.0.1.al8 |
libteam | libteam-1.31-4.0.1.al8 |
libuser | libuser-0.62-25.0.1.al8 |
libxml2 | libxml2-2.9.7-16.0.1.al8 |
linux-firmware | linux-firmware-20230404-114.git2e92a49f.al8 |
logrotate | logrotate-3.14.0-6.0.1.al8 |
NetworkManager | NetworkManager-1.40.16-1.0.1.al8 |
nfs-utils | nfs-utils-2.3.3-59.0.2.al8 |
nftables | nftables-0.9.3-26.al8 |
oddjob | oddjob-0.34.7-3.0.1.al8 |
openssh | openssh-8.0p1-17.0.2.al8 |
openssl-pkcs11 | openssl-pkcs11-0.4.10-3.0.1.al8 |
pam | pam-1.3.1-25.0.1.al8 |
pciutils | pciutils-3.7.0-3.0.1.al8 |
python-linux-procfs | python-linux-procfs-0.7.1-1.al8 |
python-rpm-generators | python-rpm-generators-5-8.al8 |
python-slip | python-slip-0.6.4-13.al8 |
rng-tools | rng-tools-6.15-3.0.1.al8 |
rpcbind | rpcbind-1.2.5-10.0.1.al8 |
rpm | rpm-4.14.3-26.0.1.al8 |
rsyslog | rsyslog-8.2102.0-13.al8 |
selinux-policy | selinux-policy-3.14.3-117.0.1.al8 |
setools | setools-4.3.0-3.al8 |
setup | setup-2.12.2-9.0.1.al8 |
sg3_utils | sg3_utils-1.44-6.0.1.al8 |
shared-mime-info | shared-mime-info-2.1-5.0.1.al8 |
sssd | sssd-2.8.2-2.0.1.al8 |
tpm2-tss | tpm2-tss-2.3.2-4.0.2.al8 |
unbound | unbound-1.16.2-5.al8 |
util-linux | util-linux-2.32.1-42.0.1.al8 |
virt-what | virt-what-1.25-3.al8 |
wget | wget-1.19.5-11.0.1.al8 |
which | which-2.21-18.0.1.al8 |
xfsprogs | xfsprogs-5.0.0-10.0.6.al8 |
Important updates
Kernel updates
Community tracking
devlink supports subfunction management.
A subfunction is a lightweight function. Compared to a PCIe virtual function, a subfunction is more lightweight. Unlike a virtual function, a subfunction is not an independent PCI device but shares the resources of its parent PCI device. However, a subfunction has all the resources related to network card communication, such as send queues, receive queues, and completion queues. A subfunction is presented as a complete network card device in the Linux system. This update supports managing subfunctions on a network card through devlink. By coordinating with the driver, you can create, destroy, and query subfunctions on network cards that support subfunctions.
io_uring supports NVMe passthrough.
In the storage device access process, the overhead of the complex storage stack has a significant impact on latency and IOPS. As the speed of storage devices increases, this software stack overhead becomes a larger proportion. Accessing NVMe disks requires passing through multiple layers of abstraction, such as the file system, block layer, and NVMe driver, to finally reach the target device. This update backports the io_uring uring_cmd feature from the mainline v5.19, which passes the actual file operation to the kernel through io_uring. This operation is not parsed at the io_uring layer but is directly submitted to the NVMe driver layer, which bypasses the file system and block layers. In addition, to support this feature, io_uring support for the CQE32 data structure and the creation of NVMe character devices are introduced.
Supports fine-grained NVMe/SCSI Persistent Reservation permission control.
Previously, processes that performed Persistent Reservation operations had to have CAP_SYS_ADMIN privileges, which prevented their use in some non-privileged scenarios such as containers. This feature allows non-privileged processes without CAP_SYS_ADMIN privileges to perform Persistent Reservation operations as long as they have write permissions to the block device. This expands its use cases.
Optimized IOPS throttling for large block I/O.
The IOPS throttling capability of the current 5.10 kernel does not work well in large block I/O scenarios, such as 1 M. The main reason is that large block I/O may be split, and the block throttle's IOPS throttling logic did not handle this well. This phenomenon is particularly evident in buffer I/O scenarios because buffer I/O first writes to the page cache and then writes back after a period of time. This process usually merges into large block I/O. The mainline community refactored and optimized this issue in v5.18. This update optimizes the IOPS throttling for large block I/O by backporting the mainline community's patches and also fixes a BPS repeat statistics bug.
bpf backports community support for lookup_and_delete_elem for hashmaps and the bloom filter feature.
Previously, the bpf lookup_and_delete_elem (find and delete) operation supported only queue and stack type maps. It now supports hash type maps.
Added a new map type, bloom filter, which is an efficient set lookup tool.
Supports CPU and memory hot-plug for QEMU Arm64 virtual machine Guest OS.
Supports hot-upgrading the number of vCPUs in the Guest OS using the virsh setvcpus command.
By enabling the CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE configuration by default, it avoids the "memhp_default_online_type" being in an offline state. This way, when memory is hot-plugged, it can be used automatically. This avoids memory hot-plug failure issues caused by insufficient memory when creating corresponding Page descriptors for newly inserted memory.
Enables Intel HWP boost for all Intel chips.
HWP I/O boost technology can improve I/O performance, but the previous kernel enabled this feature only for some Skylake platforms and enterprise servers. This patch removes the CPU type check and enables HWP boost for all CPUs by default.
Backports the HVO feature from the community.
HVO, which stands for HugeTLB Vmemmap Optimization, can reduce the vmemmap memory footprint that corresponds to huge pages. Its principle is to map the virtual addresses of all struct pages in a huge page in vmemmap to the same physical address, which releases the physical memory occupied by the struct pages.
Backports the memcg lru lock optimization feature.
This feature optimizes scenarios in the kernel that require operating on the global lru lock by instead operating on the lock of the page's memcg. These scenarios include page movement, memcg movement, and swap-in and swap-out. This feature significantly reduces the contention introduced by the global lru lock. In multi-memcg test scenarios, performance is improved by about 50%.
Intel TDX guest kernel support
Supports running the Linux kernel in an Intel tdx guest, which provides memory encryption, memory integrity protection, CPU register protection, and remote attestation for the trusted environment.
EMR platform adaptation.
Adds the EMR CPU ID to the PMU driver to enable PMU capabilities on the EMR platform.
Enables IFS Array BIST capability. IFS is used to capture CPU errors that are difficult to detect with ECC and can check each core during operation.
Self-developed features
Supports the ability to transparently accelerate TCP with the kernel network protocol stack SMC.
SMC is a high-performance kernel network protocol stack contributed by IBM to the Linux upstream, which can be used with various shared memory operation technologies, such as RDMA, to transparently accelerate TCP. ANCK has fixed many stability issues on top of the upstream version, supports SMCv2 by default, supports SMCv2.1 protocol negotiation, supports max_link/max_conn/Alibaba vendor ID features, optimizes the number of link connections, supports RQ flow control, supports RDMA Write With Immediate operations, adds various diagnostic information, supports using the SMC protocol stack through the PF_INET protocol family, and supports transparent replacement through BPF and other key features.
Enhances the fuse cache consistency model and adds statistical interfaces.
Adds a debugging interface under sysfs to print all requests sent to the user-space daemon for a specific fuse file system that are waiting to be processed.
Adds a data statistics interface under sysfs to count and output the number of requests of each type and their processing time for a specific fuse file system.
Enhances cache consistency in cache (cache=always|auto) mode to be suitable for distributed file system backends that rely on strong consistency, such as NFS.
The user-space daemon can notify the fuse client to invalidate all direct dentries in a directory.
Implements the Close-To-Open (CTO) cache consistency model, including flush-on-close and invalidate-on-open semantics for data and metadata.
Enhances the cache consistency model in fuse failover mode.
EROFS supports direct mounting of tar files and uses 4k block size EROFS non-compressed images on arm64 platforms with 16k/64k page configurations.
Supports mounting 4k block size EROFS non-compressed images on arm64 platforms with 16k/64k page configurations.
Supports directly using tar files as a data source and using EROFS metadata to mount and access the tar data.
Supports passing fuse mount points across namespaces.
Supports propagating fuse mount points from a non-privileged sidecar container to an app container, which provides a solution for fuse-based remote storage in cloud-native scenarios.
Resolves memory bloat issues caused by Transparent Huge Pages (THP).
While THP brings performance improvements, it can also cause memory bloat, which may lead to OOM. For example, an application may actually need to use 2 small pages, or 8 KiB of memory, but the kernel allocates 1 transparent huge page. In this case, excluding the memory actually needed by the application (2 small pages), the remaining memory of the transparent huge page (510 small pages) is all zero. This can eventually lead to OOM due to increased RSS memory usage.
THP ZSR is designed to solve this memory bloat issue. When the kernel reclaims memory, this feature splits the transparent huge page into small pages and reclaims the all-zero pages (zero subpage). This prevents rapid memory bloat from causing OOM.
System configuration updates
The tcp_max_tw_buckets value is changed to 5000.
The default mount character set for the vfat file system is changed to iso8859-1.
Package feature updates
aliyun_cli is integrated by default.
container-selinux is integrated by default.
Added the anolis-epao-release package, which allows Alibaba Cloud Linux 3 to use the Anolis OS epao source to install AI and other applications.
Bug fixes
Fixed the issue where the rngd.service failed to start on Alibaba Cloud Linux 3 arm64 images.
Backported a bugfix from the mainline community for a cgroup leak that occurred when a process fork failed.
Fixed a permission issue in overlayfs. When all upperdir and lowerdir are on the same file system and the accessed file or directory does not have read permission, due to a logic error in a previous performance optimization of overlayfs, ovl_override_creds() was not executed correctly, so the actual execution permission was not elevated to that of the mounter. This resulted in a permission denied error when copy up required read permission.
Backported several bugfixes for fuse from the mainline community to further enhance the stability of fuse.
Backported several bugfixes for ext4 with the bigalloc feature enabled and significantly optimized the time taken for online resizing in this scenario.
Backported community fixes for potential data consistency issues with CONT-PTE/PMD.
Fixed an issue where resctrl could not be used normally on AMD models.
Fixed stability issues with the IAX hardware compression/decompression accelerator.
Fixed a CRC check failure issue with the IAX hardware compression/decompression accelerator.
Fixed a memory corruption issue caused by improper use of the swap_info_struct lock during concurrent swapoff-swapon operations. The bugfix for this issue has been merged into the community.
Fixed an issue where the self-developed zombie memcg reaper feature did not take effect in one-shot mode.
Fixed a potential stability issue with the Yitian 710 MPAM memory bandwidth monitoring feature.
Image updates
Container images
alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.8
alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest
Note: After the new version is released, you can no longer use latest to obtain the 3.8 version of the image.
Known issues
Due to ANCK 5.10-015 synchronizing a scheduling wakeup optimization with the upstream community's implementation, performance may regress in some extreme scenarios. This scenario occurs only in benchmarks with extremely high load pressure and will not affect normal user scenarios.
Alibaba Cloud Linux 3.2104 U7
Version | Image ID | Release date | Release content |
Alibaba Cloud Linux 3.2104 U7 | aliyun_3_x64_20G_alibase_20230516.vhd | 2023-05-16 | |
Alibaba Cloud Linux 3.2104 U7 | aliyun_3_arm64_20G_alibase_20230515.vhd | 2023-05-15 | |
Content updates
Fixed kernel bugs (Bugfix) and important security vulnerabilities (CVE).
Supports the multi-pcp feature, which bypasses the buddy system's large lock to improve network packet reception capability.
multi-pcp supports reserving memory pages with an order greater than 0 in the per-core list. This avoids allocation through the zone buddy system when allocating high-order memory pages. This bypasses the buddy system's large lock and improves network packet reception capability.
Enabled the Intel IAA accelerator driver to improve compression and decompression performance.
The In-Memory Analytics Accelerator (IAA) is a hardware accelerator that combines basic data analytics functions and provides high-throughput compression and decompression. The driver code is from the Intel code repository and has been adapted and bug-fixed for the ANCK kernel.
Fixed silent data loss in shmem/hugetlb file systems due to page cache truncation.
Faulty shmem and hugetlb pages are removed from the page cache, so subsequent access to the faulty page offset in the file results in the allocation of a new zero page, which leads to silent data loss. This feature fixes the silent data loss issue in shmem/tmpfs and hugetlb file systems caused by page faults.
Added support for the coresight ETE driver and tools/perf tool.
Enhanced the KVM module signal handling mechanism on the ARM64 platform, which fixes crash issues in scenarios such as RAS.
If the TIF_NOTIFY_RESUME flag is not handled before the CPU enters Guest mode, frequent RAS event triggers can cause a crash. Therefore, a complete generic entry infrastructure is supported on the ARM64 platform to correctly handle pending task work.
Synchronized Linux community CMN/DRW drivers, added debugfs support, and fixed related bugs.
The CMN/DRW drivers in versions before 5.10-014 deviated from the Linux community. To reduce future maintenance costs, version 5.10-014 synchronized the Linux community's CMN/DRW drivers and is compatible with Yitian 710's CMN700. At the same time, debugfs support and fixes were added, which allows users to view the CMN topology in user mode.
Supports X86 kernel-mode Copy on Write triggering MCE error recovery.
If an uncorrectable error is triggered during kernel-mode Copy on Write (COW), the system will crash because there is no recovery handler for kernel consumption of uncorrectable errors. This feature adds support for a recovery handler by sending SIGBUS to the application to avoid a system crash.
Supports top-down analysis of performance issues in the form of perf metrics, which improves the usability of CPU PMU.
Versions before 5.10-014 did not support perf metric functionality and lacked top-down performance analysis tools. To improve the usability of CPU PMU and help users locate CPU performance bottlenecks, version 5.10-014 added perf metric functionality and supports top-down metrics for platforms such as Yitian 710, Kunpeng, and x86.
virtio-net supports USO offloading.
Starting from version 5.10-014, virtio-net supports UDP segment offloading (USO). Compared to UDP fragment offloading (UFO), USO can improve packet reception performance and the forwarding performance of forwarding components in complex network environments. In business scenarios with unstable network conditions, incast, and significant bursts, USO can effectively reduce the packet loss rate caused by fragment reassembly and reduce the overhead of fragment reassembly on the receiving side. Packet loss and out-of-order packets can also cause fragment reassembly in forwarding components, which reduces their efficiency, and USO can effectively alleviate this problem.
Fixed an issue on the aarch64 architecture where the virtual address space was exhausted because pci_iounmap was not implemented.
In versions before 5.10-014, because CONFIG_GENERIC_IOMAP was not configured for pci_iounmap, the pci_iounmap function was implemented as empty. This prevented the normal release of mapped memory and caused the virtual address space to be exhausted. Version 5.10-014 fixed this issue by properly implementing the pci_iounmap function.
Supports high-performance ublk.
ublk is a high-performance user-space block device based on the io_uring passthrough mechanism, which can be used for efficient access by agents in distributed storage.
Supports the following self-developed Alibaba Cloud technologies:
Supports code segment locking at the whole-machine/memcg level.
When the memory watermark is low, memory reclamation is triggered. During reclamation, the memory that holds the code segments of core business programs may be reclaimed. As the business programs run, this memory is read from the disk and loaded back into memory. The resulting frequent I/O operations delay the response of core business, which causes performance fluctuations. This feature prevents code segment memory from being frequently swapped in and out: you select the cgroup that contains the core business program, and the code segment memory of that cgroup is locked so that it cannot be reclaimed. In addition, this feature adds a quota limit, which sets the proportion of code segment memory to lock as a percentage.
Provides a page cache usage limit feature to resolve OOM issues caused by the page cache reclamation speed being slower than the production speed.
For container scenarios, the available memory of a container is limited. When the pagecache occupies a large amount of memory and triggers memory reclamation, if the pagecache reclamation speed is slower than the increasing memory demand of the business, it is easy to encounter OOM issues, which seriously affects business performance. To address this type of issue, ANCK introduces this feature, which limits the usage size of the container's pagecache and performs early memory reclamation for pagecache that exceeds the limit to solve the problem of memory shortage and OOM. This solution supports cgroup-granularity and global pagecache usage limits, and also supports synchronous and asynchronous reclamation methods, which provides high flexibility.
Supports dynamic CPU isolation.
CPU isolation can assign different CPU cores or CPU sets to different tasks to avoid competition for CPU resources between different tasks, which improves overall system performance and stability. CPU isolation technology can isolate a part of the CPU for use by critical tasks, while non-critical tasks share the non-isolated CPUs. This ensures that the operation of critical tasks is not affected. However, the number of critical tasks in the system is not fixed during operation. Isolating too many CPUs will lead to a waste of CPU resources and increase resource costs. Therefore, it is necessary to dynamically isolate CPU resources and modify the CPU isolation range at any time to better utilize CPU resources, save costs, and improve overall business performance.
Supports CPU Burst and memory minimum watermark classification on cgroup v2.
To promote the use of cgroup v2, it is necessary to complete the interfaces of various self-developed ANCK technologies on the cgroup v2 version, including CPU Burst and memory minimum watermark classification functions.
xdp socket supports allocating virtual memory for queues to avoid xdp socket allocation failure due to memory fragmentation.
By default, xdp socket uses __get_free_pages() to allocate contiguous physical memory. If the machine's memory is severely fragmented, it is easy for the allocation to fail, which causes the xdp socket creation to fail. This feature uses vmalloc() to allocate memory, which reduces the possibility of xdp socket creation failure.
Alibaba Cloud Linux 3.2104 U6.1
Version | Image ID | Release date | Release content |
Alibaba Cloud Linux 3.2104 U6.1 | aliyun_3_x64_20G_alibase_20230424.vhd | 2023-04-24 | |
| aliyun_3_arm64_20G_alibase_20230424.vhd | 2023-04-24 | |
| aliyun_3_x64_20G_alibase_20230327.vhd | 2023-03-27 | |
| aliyun_3_arm64_20G_alibase_20230327.vhd | 2023-03-27 | |
Alibaba Cloud Linux 3.2104 U6
Version | Image ID | Release date | Release content |
Alibaba Cloud Linux 3.2104 U6 | aliyun_3_x64_20G_qboot_alibase_20230214.vhd | 2023-02-14 | |
| aliyun_3_x64_20G_uefi_alibase_20230214.vhd | 2023-02-14 | |
| aliyun_3_x64_20G_alibase_20230110.vhd | 2023-01-10 | |
| aliyun_3_arm64_20G_alibase_20230110.vhd | 2023-01-10 | |
2022
Version | Image ID | Release date | Release notes |
Alibaba Cloud Linux 3.5.2 | aliyun_3_x64_20G_alibase_20221118.vhd | 2022-11-18 | Updated the |
| aliyun_3_arm64_20G_alibase_20221118.vhd | 2022-11-18 | Updated the |
| aliyun_3_x64_20G_alibase_20221102.vhd | 2022-11-02 | |
| aliyun_3_arm64_20G_alibase_20221102.vhd | 2022-11-02 | |
Alibaba Cloud Linux 3.5 | aliyun_3_x64_20G_alibase_20220907.vhd | 2022-09-07 | |
| aliyun_3_arm64_20G_alibase_20220907.vhd | 2022-09-07 | |
| aliyun_3_x64_20G_qboot_alibase_20220907.vhd | 2022-09-07 | |
| aliyun_3_x64_20G_uefi_alibase_20220907.vhd | 2022-09-07 | |
Alibaba Cloud Linux 3.4.2 | aliyun_3_arm64_20G_alibase_20220819.vhd | 2022-08-19 | |
| aliyun_3_x64_20G_alibase_20220815.vhd | 2022-08-15 | |
Alibaba Cloud Linux 3.4.1 | aliyun_3_x64_20G_alibase_20220728.vhd | 2022-07-28 | |
| aliyun_3_arm64_20G_alibase_20220728.vhd | 2022-07-28 | |
Alibaba Cloud Linux 3.4 | aliyun_3_x64_20G_alibase_20220527.vhd | 2022-05-27 | |
| aliyun_3_x64_20G_qboot_alibase_20220527.vhd | 2022-05-27 | |
| aliyun_3_x64_20G_uefi_alibase_20220527.vhd | 2022-05-27 | |
| aliyun_3_arm64_20G_alibase_20220526.vhd | 2022-05-26 | |
Alibaba Cloud Linux 3.3.4 | aliyun_3_x64_20G_alibase_20220413.vhd | 2022-04-13 | |
| aliyun_3_arm64_20G_alibase_20220413.vhd | 2022-04-13 | |
Alibaba Cloud Linux 3.3.3 | aliyun_3_x64_20G_alibase_20220315.vhd | 2022-03-15 | |
| aliyun_3_arm64_20G_alibase_20220315.vhd | 2022-03-15 | |
Alibaba Cloud Linux 3.3.2 | aliyun_3_x64_20G_alibase_20220225.vhd | 2022-02-25 | |
| aliyun_3_x64_20G_qboot_alibase_20220225.vhd | 2022-02-25 | |
| aliyun_3_arm64_20G_alibase_20220225.vhd | 2022-02-25 | |
| aliyun_3_x64_20G_uefi_alibase_20220225.vhd | 2022-02-25 | |
2021
Version | Image ID | Release date | Release content |
Alibaba Cloud Linux 3.2 | aliyun_3_x64_20G_qboot_alibase_20211214.vhd | 2021-12-14 | |
| aliyun_3_x64_20G_alibase_20210910.vhd | 2021-09-10 | |
| aliyun_3_arm64_20G_alibase_20210910.vhd | 2021-09-10 | |
| aliyun_3_x64_20G_uefi_alibase_20210910.vhd | 2021-09-10 | |
Alibaba Cloud Linux 3.1 | aliyun_3_arm64_20G_alibase_20210709.vhd | 2021-07-09 | |
| aliyun_3_x64_20G_alibase_20210425.vhd | 2021-04-25 | |
| aliyun_3_x64_20G_uefi_alibase_20210425.vhd | 2021-04-25 | |
Alibaba Cloud Linux 3.0 | aliyun_3_x64_20G_alibase_20210415.vhd | 2021-04-15 | |
References
For more information, see the Alibaba Cloud Linux 2 image release notes.
For more information, see the third-party and open source public image release notes.
Use the latest Alibaba Cloud Linux 3 image to create an instance.