
Alibaba Cloud Linux: Alibaba Cloud Linux 3 image release notes

Last Updated: Feb 12, 2026

Alibaba Cloud regularly releases updated versions of the Alibaba Cloud Linux 3 image to ensure users have access to the latest operating system (OS) features, capabilities, and security patches. This topic lists the latest versions of the Alibaba Cloud Linux 3 image and their updates.

Background information

  • Unless otherwise specified, updates apply to Elastic Compute Service (ECS) in all available regions.

  • Alibaba Cloud Linux 3 images are compatible with most instance families. However, some images support only specific instance families that require designated public images, as follows:

    ARM images (image IDs that contain _arm64_) are compatible with all ARM-based instances on Alibaba Cloud.

2026

Alibaba Cloud Linux 3.2104 U12.3

| Version | Image ID | Release date | Published content |
| --- | --- | --- | --- |
| Alibaba Cloud Linux 3.2104 U12.2 | aliyun_3_x64_20G_alibase_20260122.vhd | 2026-01-22 | Updates the Alibaba Cloud Linux 3.2104 LTS 64-bit base image with the latest packages. |
| | aliyun_3_x64_20G_dengbao_alibase_20260122.vhd | 2026-01-22 | Updates the Alibaba Cloud Linux 3.2104 LTS 64-bit MLPS 2.0 Level 3 base image with the latest packages. |
| | aliyun_3_x64_20G_container_optimized_alibase_20260122.vhd | 2026-01-22 | Updates the Alibaba Cloud Linux 3 64-bit Container Optimized Edition base image with the latest packages. |
| | aliyun_3_arm64_20G_alibase_20260122.vhd | 2026-01-22 | Updates the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM base image with the latest packages. |
| | aliyun_3_arm64_20G_dengbao_alibase_20260122.vhd | 2026-01-22 | Updates the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM MLPS 2.0 Level 3 base image with the latest packages. |
| | aliyun_3_arm64_20G_container_optimized_alibase_20260122.vhd | 2026-01-22 | Updates the Alibaba Cloud Linux 3 64-bit Container Optimized Edition for ARM base image with the latest packages. |

Package updates

New features

  • Cloud application component updates:

    • Upgraded the aliyun-cli component from aliyun-cli-3.1.3-1.al8 to aliyun-cli-3.2.0-1.al8.

  • OS-level capability enhancements:

    • Upgraded the alinux-release component from alinux-release-3.2104.12.2-4.al8 to alinux-release-3.2104.12.3-1.al8, which marks the release of Alibaba Cloud Linux 3.2104 U12.3.

Bug Fixes

Compatibility changes:

  • Upgraded the kexec-tools component from kexec-tools-2.0.26-14.0.1.7.al8.2 to kexec-tools-2.0.26-14.0.1.9.al8.2. This update adds pcie_ports=compat to the kdump cmdline configuration on x86 to resolve an issue where kdump hangs on 8th-generation instances.

  • Upgraded the alinux-base-setup component from alinux-base-setup-3.2-9.al8 to alinux-base-setup-3.2-10.al8. This update adds UUID support to /boot/efi/EFI/alinux/grub.cfg to bind the initial boot disk, which resolves boot issues on Bare Metal systems.

| Component | Previous version | Updated version | Update method |
| --- | --- | --- | --- |
| glibc | glibc-2.32-1.21.al8 | glibc-2.32-1.22.al8 | Updated in image |
| alinux-base-setup | alinux-base-setup-3.2-9.al8 | alinux-base-setup-3.2-10.al8 | Updated in image |
| grub2 | grub2-2.02-165.0.2.al8 | grub2-2.02-165.0.2.1.al8 | Updated in image |
| kexec-tools | kexec-tools-2.0.26-14.0.1.7.al8.2 | kexec-tools-2.0.26-14.0.1.9.al8.2 | Updated in image |
| systemd | systemd-239-82.0.4.4.al8.5 | systemd-239-82.0.4.5.al8.5 | Updated in image |
| grubby | grubby-8.40-49.0.1.al8 | grubby-8.40-49.0.1.1.al8 | Updated in image |
| kpatch | kpatch-0.9.7-2.0.1.al8 | kpatch-0.9.7-2.0.4.al8 | Updated through yum repository |

The following bug fixes are synchronized from Anolis OS 8:

| Component | Previous version | Updated version | Reason | Update method |
| --- | --- | --- | --- | --- |
| quota | quota-4.09-2.0.1.al8 | quota-4.09-4.0.1.al8 | Fixes a memory leak. | Updated in image |
| intel-ipp-crypto-mb | intel-ipp-crypto-mb-1.0.6-4.al8 | intel-ipp-crypto-mb-1.0.6-5.al8 | Fixes a qatengine installation failure when an EPEL repository is configured. | Updated through yum repository |
| qatengine | qatengine-1.2.0-3.al8 | qatengine-1.2.0-4.al8 | | Updated through yum repository |
| gnome-shell-extensions | gnome-shell-extensions-40.7-19.0.1.al8 | gnome-shell-extensions-40.7-29.0.1.al8 | Fixes an error in the window list reordering backport, resolves an issue with the application grid and the dash-to-panel extension, and makes workspace names more prominent. | Updated through yum repository |
| geoclue2 | geoclue2-2.6.0-7.al8 | geoclue2-2.6.0-8.al8.1 | Migrates user and group management for geoclue2 from manual scripts to a sysusers.d file. | Updated through yum repository |
| evolution-data-server | evolution-data-server-3.40.4-9.0.1.al8 | evolution-data-server-3.40.4-10.0.1.al8 | Prevents runtime warnings about assertion failures when the signal handler runs. | Updated through yum repository |
| gsettings-desktop-schemas | gsettings-desktop-schemas-40.0-7.0.1.al8 | gsettings-desktop-schemas-40.0-8.0.1.al8 | Adds an option to disable the password input display on the login or lock screen. | Updated through yum repository |
| pulseaudio | pulseaudio-15.0-2.0.1.al8 | pulseaudio-15.0-3.0.1.al8 | Fixes an auto-start issue. | Updated through yum repository |

The following table lists the CVEs fixed in this release.

| Component | Previous version | Updated version | Fixed CVE ID | Update method |
| --- | --- | --- | --- | --- |
| cups | cups-2.2.6-63.0.2.al8 | cups-2.2.6-64.0.1.al8 | CVE-2025-58364 | Updated in image |
| curl | curl-7.61.1-35.0.2.al8.3 | curl-7.61.1-35.0.2.al8.9 | CVE-2025-9086 | Updated in image |
| openssh | openssh-8.0p1-26.0.1.1.al8 | openssh-8.0p1-27.0.1.1.al8 | CVE-2025-61984, CVE-2025-61985 | Updated in image |
| gimp | gimp-2.8.22-26.al8.2 | gimp-2.8.22-26.al8.3 | CVE-2025-10920, CVE-2025-10921, CVE-2025-10922, CVE-2025-10923, CVE-2025-10924, CVE-2025-10925, CVE-2025-10934 | Updated through yum repository |
| abrt | abrt-2.10.9-24.0.1.al8 | abrt-2.10.9-25.0.1.1.al8 | CVE-2025-12744 | Updated through yum repository |
| tomcat | tomcat-9.0.87-1.al8.6 | tomcat-9.0.87-1.al8.7 | CVE-2025-31651, CVE-2025-55752 | Updated through yum repository |
| luksmeta | luksmeta-9-4.1.al8 | luksmeta-9-4.2.al8.1 | CVE-2025-11568 | Updated through yum repository |
| webkit2gtk3 | webkit2gtk3-2.46.6-2.0.1.al8 | webkit2gtk3-2.50.4-1.0.1.al8 | CVE-2025-43501, CVE-2025-43529, CVE-2025-43531, CVE-2025-43535, CVE-2025-43536, CVE-2025-43541, CVE-2024-44192, CVE-2024-54467, CVE-2024-54551, CVE-2025-13502, CVE-2025-13947, CVE-2025-24189, CVE-2025-24208, CVE-2025-24209, CVE-2025-24216, CVE-2025-30427, CVE-2025-31205, CVE-2025-31257, CVE-2025-31273, CVE-2025-31278, CVE-2025-43211, CVE-2025-43212, CVE-2025-43216, CVE-2025-43227, CVE-2025-43240, CVE-2025-43265, CVE-2025-43272, CVE-2025-43342, CVE-2025-43343, CVE-2025-43356, CVE-2025-43368, CVE-2025-43392, CVE-2025-43419, CVE-2025-43421, CVE-2025-43425, CVE-2025-43427, CVE-2025-43429, CVE-2025-43430, CVE-2025-43431, CVE-2025-43432, CVE-2025-43434, CVE-2025-43440, CVE-2025-43443, CVE-2025-43458, CVE-2025-6558, CVE-2025-66287 | Updated through yum repository |
| golang | golang-1.24.6-1.0.1.al8 | golang-1.25.3-2.0.2.al8 | CVE-2025-47906, CVE-2025-58183 | Updated through yum repository |
| delve | delve-1.24.1-1.0.2.al8 | delve-1.25.2-1.0.2.al8 | CVE-2025-47906, CVE-2025-58183 | Updated through yum repository |
| httpd | httpd-2.4.37-655.0.1.al8.5 | httpd-2.4.37-655.0.1.al8.6 | CVE-2025-55753, CVE-2025-58098, CVE-2025-65082, CVE-2025-66200 | Updated through yum repository |
| mysql | mysql-8.0.43-1.0.1.1.al8 | mysql-8.0.44-1.0.1.1.al8 | CVE-2025-53040, CVE-2025-53042, CVE-2025-53044, CVE-2025-53045, CVE-2025-53053, CVE-2025-53054, CVE-2025-53062, CVE-2025-53069 | Updated through yum repository |

Known Issues

Refer to the Known issues for Alibaba Cloud Linux 3.2104 U12.1.

2025

Alibaba Cloud Linux 3.2104 U12.2

| Version | Image ID | Release date | Release summary |
| --- | --- | --- | --- |
| Alibaba Cloud Linux 3.2104 U12.2 | aliyun_3_x64_20G_alibase_20251215.vhd | 2026-01-05 | Updates the Alibaba Cloud Linux 3.2104 LTS 64-bit base image to the latest software version. |
| | aliyun_3_x64_20G_dengbao_alibase_20251215.vhd | 2026-01-05 | Updates the Alibaba Cloud Linux 3.2104 LTS 64-bit MLPS 2.0 Level 3 base image to the latest software version. |
| | aliyun_3_x64_20G_container_optimized_alibase_20251215.vhd | 2026-01-05 | Updates the Alibaba Cloud Linux 3 64-bit Container Optimized Edition base image to the latest software version. |
| | aliyun_3_arm64_20G_alibase_20251215.vhd | 2026-01-05 | Updates the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM base image to the latest software version. |
| | aliyun_3_arm64_20G_dengbao_alibase_20251215.vhd | 2026-01-05 | Updates the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM MLPS 2.0 Level 3 base image to the latest software version. |
| | aliyun_3_arm64_20G_container_optimized_alibase_20251215.vhd | 2026-01-05 | Updates the Alibaba Cloud Linux 3 64-bit Container Optimized Edition for ARM base image to the latest software version. |

Updates

Major updates

  • Kernel: No changes. This release uses the kernel-5.10.134-19.2.al8 package.

  • Driver: The kmod-udma driver is updated to kmod-udma-5.10.134~19.2-0.1.0~1.al8 for compatibility with kmod-intel-QAT20-5.10.134~19.2-L.0.9.4__00004~1.al8.

Package updates

New features

  • Updates to cloud application components:

    • aliyun-cli is updated from aliyun-cli-3.0.305-1.al8 to aliyun-cli-3.1.3-1.al8. This component is updated in the image.

  • Core OS enhancements:

    • alinux-release is updated to alinux-release-3.2104.12-4.al8 to mark the release of Alibaba Cloud Linux 3.2104.12.2. This component is updated in the image.

    • intel-QAT20 is updated to intel-QAT20-L.0.9.4-00004.15.al8 to recognize the QAT VF device ID of 9th-generation GNR instances. This component is updated in the yum repository.

Bug fixes

  • Fixes for Alibaba Cloud Linux 3:

    • systemd is updated from systemd-239-82.0.4.3.al8.5 to systemd-239-82.0.4.4.al8.5. This update backports a fix for a race condition between mount and reload operations. This component is updated in the image.

    • glibc is updated from glibc-2.32-1.21.al8 to glibc-2.32-1.22.al8. This update resolves an issue where pthread_cond_wait could miss a wakeup signal. This component is updated in the image.

    • tee-primitives is updated from tee-primitives-1.0-2.al8 to tee-primitives-1.0-3.al8. This update resolves an issue caused by a source code md5sum change. This component is updated in the yum repository.

    • qt5-qtmultimedia is updated from qt5-qtmultimedia-5.15.3-1.al8 to qt5-qtmultimedia-5.15.3-1.1.al8. This update resolves a dependency issue. This component is updated in the yum repository.

    • dracut is updated from dracut-049-233.git20240115.0.2.al8 to dracut-049-233.git20240115.0.2.1.al8. This update fixes an error that occurs when installing a 6.x kernel on Alibaba Cloud Linux 3. This component is updated in the yum repository.

    • intel-QAT20 is updated from intel-QAT20-L.0.9.4-00004.12.al8 to intel-QAT20-L.0.9.4-00004.15.al8. This update resolves an installation dependency issue with OpenSSL 3.0 that caused TLS v1.0 and v1.1 to be unsupported. This component is updated in the yum repository.

    • qatengine is updated from qatengine-1.2.0-3.al8 to qatengine-1.2.0-4.al8. This update resolves an installation dependency issue with OpenSSL 3.0 that caused TLS v1.0 and v1.1 to be unsupported. This component is updated in the yum repository.

    • intel-ipp-crypto-mb is updated from intel-ipp-crypto-mb-1.0.6-4.al8 to intel-ipp-crypto-mb-1.0.6-5.al8. This update resolves an installation dependency issue with OpenSSL 3.0 that caused TLS v1.0 and v1.1 to be unsupported. This component is updated in the yum repository.

  • This release incorporates bug fixes from Anolis OS 8, updating 12 components. One is updated in the image and 11 in the yum repository, as detailed in the table below:

    | Component | Previous version | New version | Description | Update method |
    | --- | --- | --- | --- | --- |
    | which | which-2.21-20.0.1.al8 | which-2.21-21.0.1.al8 | Adds a check to ensure /proc/$$/exe is readable. | Updated in the image |
    | dnsmasq | dnsmasq-2.79-33.al8 | dnsmasq-2.79-35.al8 | Changes the behavior of repeated DNS queries. | Updated in the yum repository |
    | gnome-session | gnome-session-40.1.1-9.0.1.al8 | gnome-session-40.1.1-10.0.1.al8 | Reduces excessive logging during debugging to improve efficiency. | Updated in the yum repository |
    | gnome-settings-daemon | gnome-settings-daemon-40.0.1-17.0.1.al8 | gnome-settings-daemon-40.0.1-19.0.1.al8 | Fixes the default power button action for servers. Fixes an issue where smart cards only worked on cold plug. | Updated in the yum repository |
    | java-1.8.0-openjdk-portable | java-1.8.0-openjdk-portable-1.8.0.462.b08-1.0.1.1.al8 | java-1.8.0-openjdk-portable-1.8.0.472.b08-1.0.1.1.al8 | Fixes the JDK-8202369 issue. | Updated in the yum repository |
    | ksh | ksh-20120801-267.0.1.al8 | ksh-20120801-269.0.1.al8 | Fixes an issue with pasting long multi-byte characters via SSH. | Updated in the yum repository |
    | libdrm | libdrm-2.4.121-1.0.1.al8 | libdrm-2.4.123-2.0.1.al8 | Fixes an issue where the libpciaccess library was unavailable for the aarch64, ppc64le, and s390x architectures on RHEL 9. | Updated in the yum repository |
    | motif | motif-2.3.4-21.al8 | motif-2.3.4-24.al8 | Fixes a memory leak related to UTF-8 strings. | Updated in the yum repository |
    | mysql-selinux | mysql-selinux-1.0.13-1.al8 | mysql-selinux-1.0.14-1.al8 | Resolves Red Hat Bugzilla issue rhbz#2380217 by upgrading the package and updating its hash and release information. | Updated in the yum repository |
    | net-snmp | net-snmp-5.8-30.0.1.al8 | net-snmp-5.8-31.0.1.al8 | Fixes a use-after-free vulnerability in a callback function. | Updated in the yum repository |
    | intel-ipp-crypto-mb | intel-ipp-crypto-mb-1.0.6-4.al8 | intel-ipp-crypto-mb-1.0.6-5.al8 | Resolves an installation dependency issue with OpenSSL 3.0 that caused TLS v1.0 and v1.1 to be unsupported. | Updated in the yum repository |
    | qatengine | qatengine-1.2.0-3.al8 | qatengine-1.2.0-4.al8 | Resolves an installation dependency issue with OpenSSL 3.0 that caused TLS v1.0 and v1.1 to be unsupported. | Updated in the yum repository |

  • This release addresses 24 CVEs. 4 are patched in the image and 20 are available in the yum repository, as detailed in the table below:

    | Component | Previous version | New version | CVE ID | Update method |
    | --- | --- | --- | --- | --- |
    | bind | bind-9.11.36-16.0.1.al8.4 | bind-9.11.36-16.0.1.al8.6 | CVE-2025-40778 | Updated in the image |
    | expat | expat-2.2.5-17.al8 | expat-2.5.0-1.al8 | CVE-2025-59375 | Updated in the image |
    | libssh | libssh-0.9.6-12.al8 | libssh-0.9.6-16.0.1.al8 | CVE-2025-5318 | Updated in the image |
    | sssd | sssd-2.9.4-5.al8.2 | sssd-2.9.4-5.al8.3 | CVE-2025-11561 | Updated in the image |
    | galera | galera-26.4.20-1.al8 | galera-26.4.22-1.al8 | CVE-2023-52969, CVE-2023-52970, CVE-2025-21490, CVE-2025-30693, CVE-2025-30722 | Updated in the yum repository |
    | haproxy | haproxy-2.4.22-3.0.1.al8.1 | haproxy-2.8.14-1.0.1.al8.1 | CVE-2025-11230 | Updated in the yum repository |
    | java-1.8.0-openjdk | java-1.8.0-openjdk-1.8.0.462.b08-2.0.1.1.al8 | java-1.8.0-openjdk-1.8.0.472.b08-1.0.1.1.al8 | CVE-2025-53057, CVE-2025-53066 | Updated in the yum repository |
    | java-17-openjdk | java-17-openjdk-17.0.16.0.8-2.0.1.1.al8 | java-17-openjdk-17.0.17.0.10-1.0.2.1.al8 | CVE-2025-53057, CVE-2025-53066 | Updated in the yum repository |
    | lasso | lasso-2.6.0-13.0.1.al8 | lasso-2.6.0-14.0.1.al8 | CVE-2025-47151 | Updated in the yum repository |
    | libsoup | libsoup-2.62.3-9.0.1.al8 | libsoup-2.62.3-10.0.1.al8 | CVE-2025-11021, CVE-2025-4945 | Updated in the yum repository |
    | libtiff | libtiff-4.4.0-12.0.3.al8 | libtiff-4.4.0-15.0.1.al8 | CVE-2025-8176, CVE-2025-9900 | Updated in the yum repository |
    | mariadb | mariadb-10.5.27-1.0.1.al8 | mariadb-10.5.29-2.0.1.al8 | CVE-2023-52969, CVE-2023-52970, CVE-2025-21490, CVE-2025-30693, CVE-2025-30722 | Updated in the yum repository |
    | mingw-expat | mingw-expat-2.4.8-2.al8 | mingw-expat-2.5.0-1.al8 | CVE-2025-59375 | Updated in the yum repository |
    | mingw-libtiff | mingw-libtiff-4.0.9-2.1.al8 | mingw-libtiff-4.0.9-3.al8 | CVE-2025-8176, CVE-2025-9900 | Updated in the yum repository |
    | osbuild-composer | osbuild-composer-132.2-2.0.1.al8 | osbuild-composer-132.2-3.0.1.al8 | CVE-2025-27144 | Updated in the yum repository |
    | pcs | pcs-0.10.18-2.0.1.1.al8.6 | pcs-0.10.18-2.0.1.1.al8.7 | CVE-2025-59830, CVE-2025-61770, CVE-2025-61771, CVE-2025-61772, CVE-2025-61919 | Updated in the yum repository |
    | python-kdcproxy | python-kdcproxy-0.4-5.3.al8.1 | python-kdcproxy-0.4-5.3.al8.2 | CVE-2025-59088, CVE-2025-59089 | Updated in the yum repository |
    | redis | redis-6.2.19-1.0.1.1.al8 | redis-6.2.20-1.0.1.1.al8 | CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, CVE-2025-49844 | Updated in the yum repository |
    | runc | runc-1.1.12-6.0.1.al8 | runc-1.2.5-2.al8 | CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 | Updated in the yum repository |
    | squid | squid-4.15-13.al8.5 | squid-4.15-13.al8.6 | CVE-2025-62168 | Updated in the yum repository |
    | tigervnc | tigervnc-1.15.0-7.al8 | tigervnc-1.15.0-8.al8 | CVE-2025-62229, CVE-2025-62230, CVE-2025-62231 | Updated in the yum repository |
    | xorg-x11-server | xorg-x11-server-1.20.11-26.0.1.al8 | xorg-x11-server-1.20.11-27.0.1.al8 | CVE-2025-62229, CVE-2025-62230, CVE-2025-62231 | Updated in the yum repository |
    | xorg-x11-server-Xwayland | xorg-x11-server-Xwayland-23.2.7-4.al8 | xorg-x11-server-Xwayland-23.2.7-5.al8 | CVE-2025-62229, CVE-2025-62230, CVE-2025-62231 | Updated in the yum repository |
    | zziplib | zziplib-0.13.71-11.0.1.al8 | zziplib-0.13.71-12.0.1.al8 | CVE-2018-17828 | Updated in the yum repository |

Known issues

See the Known issues for Alibaba Cloud Linux 3.2104 U12.1.

Alibaba Cloud Linux (Alinux) 3.2104 U12.1

| Version | Image ID | Release date | Updates |
| --- | --- | --- | --- |
| Alibaba Cloud Linux 3.2104 U12.1 | aliyun_3_x64_20G_alibase_20251030.vhd | 2025-11-30 | Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit base image with the latest packages. Updated the kernel to kernel-5.10.134-19.2.al8.x86_64. |
| | aliyun_3_x64_20G_dengbao_alibase_20251030.vhd | 2025-11-30 | Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit MLPS 2.0 Level 3 base image with the latest packages. Updated the kernel to kernel-5.10.134-19.2.al8.x86_64. |
| | aliyun_3_x64_20G_container_optimized_alibase_20251030.vhd | 2025-11-30 | Updated the Alibaba Cloud Linux 3 64-bit Container Optimized Edition base image with the latest packages. Updated the kernel to kernel-5.10.134-19.2.al8.x86_64. |
| | aliyun_3_arm64_20G_alibase_20251030.vhd | 2025-11-30 | Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM base image with the latest packages. Updated the kernel to kernel-5.10.134-19.2.al8.aarch64. |
| | aliyun_3_arm64_20G_dengbao_alibase_20251030.vhd | 2025-11-30 | Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM MLPS 2.0 Level 3 base image with the latest packages. Updated the kernel to kernel-5.10.134-19.2.al8.aarch64. |
| | aliyun_3_arm64_20G_container_optimized_alibase_20251030.vhd | 2025-11-30 | Updated the Alibaba Cloud Linux 3 64-bit Container Optimized Edition for ARM base image with the latest packages. Updated the kernel to kernel-5.10.134-19.2.al8.aarch64. |

Updates

Important updates

This release updates the kernel to kernel-5.10.134-19.2.al8 and resolves the following issues:

  • Fixed an issue that incorrectly applied the Zenbleed vulnerability patch to non-Zen2 architectures during a microcode hot-upgrade.

  • Added the swiotlb_any cmdline parameter, enabling the system to allocate high-memory addresses as bounce buffers for Confidential Computing scenarios.

  • Fixed an issue where memory was not correctly accepted during the EFI stub phase when booting a TDX VM.

  • Fixed a race condition following a PCIe secondary bus reset that allowed a downstream device to be used before its initialization was complete, potentially causing errors or taking the device offline.

  • Fixed issues in the DWC_PMU driver that caused kernel startup failures on Yitian-based instance models when hardware link anomalies occur.

  • Fixed a potential crash in the Group Balancer.

  • Fixed unexpected packet loss that occurred when using virtio_net with vhost under certain conditions.

For more information, see https://openanolis.cn/sig/Cloud-Kernel/doc/1388258453605187661

Package updates

New features

  • Updated Confidential Computing CAI components to support Remote Device Attestation and Hygon CSV. These components are available from the yum repository.

    • Updated trustee to trustee-1.7.0-1.al8.

    • Updated trustiflux to trustiflux-1.4.4-1.al8.

    • Updated cryptpilot to cryptpilot-0.2.7-1.al8.

    • Updated trusted-network-gateway to trusted-network-gateway-2.2.6-1.al8.

    • Released gocryptfs-2.4.0-2.al8.

    • Updated tee-primitives to tee-primitives-1.0-2.al8.

  • System O&M enhancements:

    • Updated sysak to sysak-3.8.0-1 to enhance system O&M capabilities. This update is available from the yum repository.

  • Base OS enhancements:

    • Updated alinux-base-setup to alinux-release-3.2104.12-2.al8. For security reasons, this update disables the rpcbind service by default. This update is included in the image.

    • Updated alinux-release to alinux-release-3.2104.12-2.al8, introducing Alibaba Cloud Linux (Alinux) 3.12.1. This update is included in the image.

    • Updated NetworkManager to NetworkManager-1.40.16-19.0.1.1.al8 to enable ipvlan support. This update is included in the image.

    • Updated systemd to systemd-239-82.0.4.3.al8.5 to support the systemd NetworkNamespacePath feature. This update is included in the image.

    • Updated logrotate to logrotate-3.14.0-6.0.1.1.al8. This update optimizes memory usage by compressing system logs. This update is included in the image.

    • Updated tpm2-tss to tpm2-tss-2.4.6-1.0.2.al8 to provide runtime dependencies for Confidential Computing. This update is available from the yum repository.

    • Updated tpm2-tools to tpm2-tools-4.1.1-5.0.6.al8 to provide runtime dependencies for Confidential Computing. This update is available from the yum repository.

    • Updated tengine to tengine-3.1.0-3.al8. This version integrates the nginx-module-vts plugin and improves performance on the Yitian processor. This update is available from the yum repository.

    • Updated gcc-toolset-12-gcc to gcc-toolset-12-gcc-12.3.0-1.2.al8 to provide a newer version of the GCC toolset. This update is available from the yum repository.

    • Updated rasdaemon to rasdaemon-0.6.7-16.5.al8 for RAS diagnostic and self-healing capabilities. This update is available from the yum repository.

    • Updated tracker to tracker-3.1.2-3.0.1.1.al8, modifying compilation options to disable the SQLite version check. This update is available from the yum repository.

    • Updated ostree to ostree-2022.2-11.al8 to apply security updates in ContainerOS. This update is available from the yum repository.

  • System Tuning Enhancements:

    • Released keentuned and keentune-target version 3.2.0. These updates are available from the yum repository.

  • Kernel-related component updates:

    • Updated smc-tools to smc-tools-1.8.3-1.0.4.al8. This minor version adds monitoring and packet capture capabilities. This update is available from the yum repository.

    • Updated vtoa to vtoa-2.1.1-1.al8 to provide forward and backward compatibility. This update is available from the yum repository.

    • Updated erofs-utils to erofs-utils-1.8.10-1.al8. This is a bug-fix release and is available from the yum repository.

  • Cloud application component updates:

    • Updated aliyun-cli to aliyun-cli-3.0.305-1.al8. This update is included in the image.

    • Updated ossfs to ossfs-1.91.8-1.al8. This version resolves basic functionality issues and is available from the yum repository.

  • OS Copilot updates:

    • Updated os-copilot to os-copilot-0.9.1-1.al8. This update is available from the yum repository.

  • In total, this release updates 11 components synchronized from Anolis OS 8: three in the Image and eight in the yum repository.

| Component | Previous version | Updated version | Description | Update method |
| --- | --- | --- | --- | --- |
| libsemanage | libsemanage-2.9-10.0.1.al8 | libsemanage-2.9-12.0.1.al8 | Feature Enhancement. Improves storage and rebuild performance in semanage by adding detection conditions to reduce function calls during the reuse phase. This update is forward-compatible. | Updated via the image |
| tzdata | tzdata-2024b-1.0.1.2.al8 | tzdata-2025b-1.0.1.1.al8 | Feature Update. Routine time zone data update. | Updated via the image |
| linux-firmware | linux-firmware-20241014-125.git06bad2f1.al8 | linux-firmware-20250325-129.git710a336b.al8 | New Feature. Adds support for additional hardware types. | Updated via the image |
| gnome-control-center | gnome-control-center-40.0-31.1.al8 | gnome-control-center-40.0-32.1.al8 | New Feature. Adds an API to query device group information. | Updated through the yum repository |
| java-1.8.0-openjdk-portable | java-1.8.0-openjdk-portable-1.8.0.432.b06-1.0.2.1.al8 | java-1.8.0-openjdk-portable-1.8.0.462.b08-1.0.1.1.al8 | Feature Update. The component now serves as a build and installation dependency for newer Java components. | Updated through the yum repository |
| java-17-openjdk-portable | java-17-openjdk-portable-17.0.13.0.11-1.0.2.1.al8 | java-17-openjdk-portable-17.0.16.0.8-1.0.1.1.al8 | Feature Update. The component now serves as a build and installation dependency for newer Java components. | Updated through the yum repository |
| motif | motif-2.3.4-20.al8 | motif-2.3.4-21.al8 | Feature Enhancement. Adds multi-screen support. | Updated through the yum repository |
| mysql-selinux | mysql-selinux-1.0.10-1.al8 | mysql-selinux-1.0.13-1.al8 | New Feature. Introduces new features and bug fixes. | Updated through the yum repository |
| scap-security-guide | scap-security-guide-0.1.75-1.0.1.al8 | scap-security-guide-0.1.77-1.0.1.al8 | Feature Enhancement. Adds rules for User Namespaces. | Updated through the yum repository |
| sos | sos-4.8.1-1.0.1.1.al8 | sos-4.8.2-1.0.1.1.al8 | Feature Enhancement. Adds support for the walrus operator (:=) in Python 3.8 environments. | Updated through the yum repository |
| xorg-x11-drv-libinput | xorg-x11-drv-libinput-1.0.1-3.al8 | xorg-x11-drv-libinput-1.0.1-4.al8 | New Feature. Adds a mapping for specific high keycodes to the FK20–FK23 range. | Updated through the yum repository |

  • This release includes bug fixes synchronized from Anolis OS 8 and updates a total of 27 components: 12 are updated in the image, and 15 are available through the yum repository. The following list details the updated components and the reason for each update:

| Component | Previous version | New version | Description | Update method |
| --- | --- | --- | --- | --- |
| device-mapper-multipath | device-mapper-multipath-0.8.4-41.0.1.al8 | device-mapper-multipath-0.8.4-42.0.1.al8 | Fixed a memory leak in the external NVMe handler. | Updated in the image |
| dnf | dnf-4.7.0-20.0.1.1.al8 | dnf-4.7.0-21.0.1.1.al8 | Fixed functional and runtime issues in dnf-automatic and dnf. | Updated in the image |
| firewalld | firewalld-0.9.11-9.0.1.al8 | firewalld-0.9.11-10.0.1.al8 | Updated the Ceph port number in the service definition to prevent port conflicts. | Updated in the image |
| libdnf | libdnf-0.63.0-20.0.1.2.al8 | libdnf-0.63.0-21.0.1.1.al8 | Fixed an invalid memory access issue. | Updated in the image |
| libselinux | libselinux-2.9-9.1.al8 | libselinux-2.9-10.1.al8 | Fixed a null pointer dereference issue. | Updated in the image |
| lvm2 | lvm2-2.03.14-14.0.1.al8 | lvm2-2.03.14-15.0.1.al8 | Fixed a thread-blocking issue in the dmeventd module during system shutdown. This update also adds a pre-check that forces an exit if the /run/nologin file is detected. | Updated in the image |
| nfs-utils | nfs-utils-2.3.3-59.0.4.al8 | nfs-utils-2.3.3-64.0.1.al8 | Applied patches to fix and improve GSSD authentication, READDIRPLUS functionality, and mountstats tool behavior. Related documentation has also been updated. | Updated in the image |
| nftables | nftables-1.0.4-4.al8 | nftables-1.0.4-7.al8 | This update optimizes the handling of compatibility expressions (such as iptables-nft rules) by fixing incorrect translation paths, improving the fallback printing mechanism, enhancing warnings for unsupported expressions, and optimizing memory management. | Updated in the image |
| openldap | openldap-2.4.46-20.al8 | openldap-2.4.46-21.al8 | Fixed a file descriptor leak on failed LDAP over SSL connections and resolved an error where a file was closed multiple times after an initial TLS connection failure. | Updated in the image |
| sssd | sssd-2.9.4-5.al8.1 | sssd-2.9.4-5.al8.2 | Fixed a memory leak in sssd_kcm, improved large database handling in the disk cache, and now ensures correct names are used when updating cache groups to prevent case-mismatch failures. This update also adds support for the ignore_group_members option to control whether group members are added. | Updated in the image |
| tar | tar-1.30-9.0.2.al8 | tar-1.30-11.0.1.al8 | Fixed a regression introduced by a previous fix for the --no-overwrite-dir option from an upstream commit (1.30-7). Reduced the frequency of the "file changed as we read it" warning. Added a downstream patch to fix a related failure in the filerem01 test. | Updated in the image |
| tuned | tuned-2.22.1-5.0.1.1.al8 | tuned-2.22.1-6.0.1.1.al8 | This update enables lazy loading for the hdparm device check and disables the amd.scheduler plugin instance in the PostgreSQL configuration. | Updated in the image |
| 389-ds-base | 389-ds-base-1.4.3.39-9.0.1.al8 | 389-ds-base-1.4.3.39-15.0.1.al8 | Fixed functional issues in the str2filter and uiduniq modules. | Updated in the yum repository |
| autofs | autofs-5.1.4-114.0.1.al8.1 | autofs-5.1.4-114.0.1.al8.2 | Fixed a deadlock issue. | Updated in the yum repository |
| cups-filters | cups-filters-1.20.0-35.0.1.al8 | cups-filters-1.20.0-36.0.1.al8 | Fixed an issue that incorrectly rotated images 90 degrees during printing. | Updated in the yum repository |
| curl | curl-7.61.1-35.0.2.al8 | curl-7.61.1-35.0.2.al8.3 | Applied a follow-up fix for CVE-2023-28321. This update resolves an asynchronous timing issue by creating a wait condition in the thread. | Updated in the yum repository |
| haproxy | haproxy-2.4.22-3.0.1.al8 | haproxy-2.4.22-3.0.1.al8.1 | Cleared the retry flag in read and write functions to prevent CPU usage spikes. Fixed an error that prevented certificates from loading from a file. | Updated in the yum repository |
| jasper | jasper-2.0.14-5.0.1.al8 | jasper-2.0.14-6.0.1.al8 | Updated settings in the jasper configuration file. | Updated in the yum repository |
| libisoburn | libisoburn-1.5.4-4.al8 | libisoburn-1.5.4-5.al8 | Modified the post-installation script to fix an upgrade error. | Updated in the yum repository |
| mod_security_crs | mod_security_crs-3.3.4-3.al8 | mod_security_crs-3.3.4-3.al8.2 | Fixed rules that incorrectly blocked certain city and street names in forms. | Updated in the yum repository |
| mutter | mutter-40.9-22.0.1.al8 | mutter-40.9-23.0.1.al8 | Fixed an issue caused by rapidly and repeatedly switching windows. | Updated in the yum repository |
| portreserve | portreserve-0.0.5-19.2.al8 | portreserve-0.0.5-20.0.1.al8 | Updated the tmpfiles.d configuration to correct the systemd temporary file path for portreserve from the obsolete /var/run/ to /run. | Updated in the yum repository |
| samba | samba-4.19.4-6.1.al8 | samba-4.19.4-9.1.al8 | Fixed domain controller discovery after Windows netlogon hardening, resolved a memory leak in winbind, and addressed a potential kernel panic in fd_handle_destructor() within smbd_smb2_close(). | Updated in the yum repository |
| squid | squid-4.15-13.al8.3 | squid-4.15-13.al8.5 | Fixed an issue that caused squid to add DNS entries to the cache even when the TTL was set to 0. | Updated in the yum repository |
| strace | strace-5.18-2.0.4.al8 | strace-5.18-2.1.0.1.al8 | Added support for the loongarch64 architecture. Fixed incorrect system call name reporting in restart_syscall() when attaching to a process with PTRACE_GET_SYSCALL_INFO (RHEL-8570). Updated net-yy-inet*, linkat--secontext_mismatch, and prctl-sve test cases. | Updated in the yum repository |
| traceroute | traceroute-2.1.0-6.2.0.3.al8 | traceroute-2.1.0-9.0.1.al8 | Fixed the polling logic in poll.c to improve robustness. | Updated in the yum repository |
| unzip | unzip-6.0-47.0.1.al8 | unzip-6.0-48.0.1.al8 | Fixed an extraction error affecting certain ZIP files. | Updated in the yum repository |

  • This update addresses the following 116 CVEs.

Component

Previous version

Updated version

Addressed CVEs

aide

aide-0.16-102.al8

aide-0.16-103.al8.2

CVE-2025-54389

bind

bind-9.11.36-16.0.1.al8

bind-9.11.36-16.0.1.al8.4

CVE-2024-11187

bind-dyndb-ldap

bind-dyndb-ldap-11.6-5.al8

bind-dyndb-ldap-11.6-6.al8

CVE-2025-4404

bluez

bluez-5.63-3.0.1.al8

bluez-5.63-5.0.1.al8

CVE-2023-27349

CVE-2023-51589

buildah

buildah-1.33.11-1.al8

buildah-1.33.12-2.al8

CVE-2025-22871

CVE-2025-6032

bzip2

bzip2-1.0.6-27.al8

bzip2-1.0.6-28.al8

CVE-2019-12900

compat-libtiff3

compat-libtiff3-3.9.4-13.2.al8

compat-libtiff3-3.9.4-14.0.1.al8

CVE-2025-9900

compat-openssl10

compat-openssl10-1.0.2o-4.0.1.al8

compat-openssl10-1.0.2o-4.0.1.al8.1

CVE-2023-0286

containernetworking-plugins

containernetworking-plugins-1.4.0-5.0.1.al8

containernetworking-plugins-1.4.0-6.0.1.al8

CVE-2025-22871

CVE-2025-6032

corosync

corosync-3.1.8-2.al8

corosync-3.1.9-2.al8

CVE-2025-30472

cups

cups-2.2.6-62.0.1.al8

cups-2.2.6-63.0.1.al8

CVE-2025-58060

delve

delve-1.22.1-1.0.2.al8

delve-1.24.1-1.0.2.al8

CVE-2025-22871

CVE-2025-4673

doxygen

doxygen-1.8.14-12.1.al8

doxygen-1.8.14-13.al8

CVE-2020-11023

emacs

emacs-27.2-10.0.1.al8

emacs-27.2-14.0.1.al8.2

CVE-2024-53920

expat

expat-2.2.5-16.al8

expat-2.2.5-17.al8

CVE-2024-8176

fence-agents

fence-agents-4.10.0-76.0.1.al8.1

fence-agents-4.10.0-86.0.1.al8.7

CVE-2025-47273

freetype

freetype-2.10.4-9.al8

freetype-2.10.4-10.al8

CVE-2025-27363

galera

galera-26.4.14-1.al8

galera-26.4.20-1.al8

CVE-2023-22084

CVE-2024-21096

gcc-toolset-13-gcc

gcc-toolset-13-gcc-13.3.1-2.1.0.1.1.al8

gcc-toolset-13-gcc-13.3.1-2.2.0.1.1.al8

CVE-2020-11023

gdk-pixbuf2

gdk-pixbuf2-2.42.6-4.0.1.al8

gdk-pixbuf2-2.42.6-6.0.1.al8

CVE-2025-7345

ghostscript

ghostscript-9.54.0-18.al8

ghostscript-9.54.0-19.al8

CVE-2025-27832

gimp

gimp-2.8.22-25.al8

gimp-2.8.22-26.al8.2

CVE-2025-48797

CVE-2025-48798

CVE-2025-5473

git

git-2.43.5-2.0.1.al8

git-2.43.7-1.0.1.al8

CVE-2024-50349

CVE-2024-52006

CVE-2025-27613

CVE-2025-27614

CVE-2025-46835

CVE-2025-48384

CVE-2025-48385

git-lfs

git-lfs-3.4.1-3.0.1.al8

git-lfs-3.4.1-5.0.1.al8

CVE-2025-22871

glib2

glib2-2.68.4-14.0.2.al8

glib2-2.68.4-16.0.1.al8.2

CVE-2024-52533

CVE-2025-4373

glibc

glibc-2.32-1.16.al8

glibc-2.32-1.21.al8

CVE-2025-0395

CVE-2025-4802

CVE-2025-8058

gnome-remote-desktop

gnome-remote-desktop-0.1.8-3.1.al8

gnome-remote-desktop-0.1.8-4.0.1.al8

CVE-2025-5024

gnutls

gnutls-3.6.16-8.0.2.al8.3

gnutls-3.6.16-8.0.2.al8.4

CVE-2025-32988

CVE-2025-32990

CVE-2025-6395

go-toolset

go-toolset-1.22.9-1.al8

go-toolset-1.24.6-1.al8

CVE-2025-4674

golang

golang-1.22.9-1.0.1.al8

golang-1.24.6-1.0.1.al8

CVE-2025-4674

grafana

grafana-9.2.10-20.0.1.al8

grafana-9.2.10-25.0.1.al8

CVE-2025-22871

grafana-pcp

grafana-pcp-5.1.1-9.0.1.al8

grafana-pcp-5.1.1-10.al8

CVE-2025-22871

gstreamer1

gstreamer1-1.22.1-2.0.1.al8

gstreamer1-1.22.12-3.0.1.al8

CVE-2024-0444

CVE-2024-4453

gstreamer1-plugins-bad-free

gstreamer1-plugins-bad-free-1.22.1-4.0.1.al8

gstreamer1-plugins-bad-free-1.16.1-1.1.al8

N/A

gstreamer1-plugins-base

gstreamer1-plugins-base-1.22.1-3.0.1.al8

gstreamer1-plugins-base-1.22.12-4.0.1.al8

CVE-2024-47541

CVE-2024-47542

CVE-2024-47600

CVE-2024-47835

httpd

httpd-2.4.37-65.0.1.al8.2

httpd-2.4.37-655.0.1.al8.5

CVE-2024-47252

CVE-2025-23048

CVE-2025-49630

CVE-2025-49812

ipa

ipa-4.9.13-14.0.1.1.al8

ipa-4.9.13-20.0.1.1.al8

CVE-2025-7493

ipa-healthcheck

ipa-healthcheck-0.12-4.al8

ipa-healthcheck-0.12-6.al8

CVE-2025-7493

jackson-annotations

jackson-annotations-2.14.2-1.al8

jackson-annotations-2.19.1-1.al8

CVE-2025-52999

jackson-core

jackson-core-2.14.2-1.al8

jackson-core-2.19.1-1.al8

CVE-2025-52999

jackson-databind

jackson-databind-2.14.2-1.al8

jackson-databind-2.19.1-1.al8

CVE-2025-52999

jackson-jaxrs-providers

jackson-jaxrs-providers-2.14.2-1.al8

jackson-jaxrs-providers-2.19.1-1.al8

CVE-2025-52999

java-1.8.0-openjdk

java-1.8.0-openjdk-1.8.0.432.b06-2.0.2.1.al8

java-1.8.0-openjdk-1.8.0.462.b08-2.0.1.1.al8

CVE-2025-30749

CVE-2025-30754

CVE-2025-30761

CVE-2025-50106

java-17-openjdk

java-17-openjdk-17.0.13.0.11-3.0.2.1.al8

java-17-openjdk-17.0.16.0.8-2.0.1.1.al8

CVE-2025-30749

CVE-2025-30754

CVE-2025-50059

CVE-2025-50106

jq

jq-1.6-17.al8

jq-1.6-17.al8.2

CVE-2024-23337

CVE-2025-48060

keepalived

keepalived-2.2.8-3.al8

keepalived-2.2.8-4.al8

CVE-2024-41184

krb5

krb5-1.18.2-30.0.1.al8

krb5-1.18.2-32.0.1.al8

CVE-2025-3576

libarchive

libarchive-3.5.3-4.al8

libarchive-3.5.3-6.al8

CVE-2025-5914

libblockdev

libblockdev-2.28-6.al8

libblockdev-2.28-7.al8

CVE-2025-6019

libcap

libcap-2.48-6.0.1.al8

libcap-2.48-6.0.2.al8

CVE-2025-1390

libpq

libpq-13.11-1.0.1.al8

libpq-13.20-1.0.1.al8

CVE-2025-1094

libreoffice

libreoffice-7.1.8.1-12.0.2.1.al8.1

libreoffice-7.1.8.1-15.0.1.1.al8.1

CVE-2025-1080

libsoup

libsoup-2.62.3-6.0.1.al8

libsoup-2.62.3-9.0.1.al8

CVE-2025-2784

CVE-2025-4948

CVE-2025-32049

CVE-2025-32914

libtasn1

libtasn1-4.13-4.0.1.al8

libtasn1-4.13-5.0.1.al8

CVE-2024-12133

libtpms

libtpms-0.9.1-2.20211126git1ff6fe1f43.al8

libtpms-0.9.1-3.20211126git1ff6fe1f43.al8

CVE-2025-49133

libvirt

libvirt-8.0.0-23.3.0.2.al8

libvirt-8.0.0-23.4.0.1.al8

CVE-2025-49133

libvpx

libvpx-1.7.0-11.0.1.al8

libvpx-1.7.0-12.0.1.al8

CVE-2025-5283

libxml2

libxml2-2.9.7-18.0.3.1.al8

libxml2-2.9.7-21.0.1.1.al8.3

CVE-2025-32415

libxslt

libxslt-1.1.32-6.1.al8

libxslt-1.1.32-6.2.0.1.al8

CVE-2023-40403

mariadb

mariadb-10.5.22-1.0.1.al8

mariadb-10.5.27-1.0.1.al8

CVE-2023-22084

CVE-2024-21096

mecab-ipadic

mecab-ipadic-2.7.0.20070801-16.2.al8

mecab-ipadic-2.7.0.20070801-17.0.1.al8

CVE-2024-11053

CVE-2024-21193

CVE-2024-21194

CVE-2024-21196

CVE-2024-21197

CVE-2024-21198

CVE-2024-21199

CVE-2024-21201

CVE-2024-21203

CVE-2024-21212

CVE-2024-21213

CVE-2024-21218

CVE-2024-21219

CVE-2024-21230

CVE-2024-21231

CVE-2024-21236

CVE-2024-21237

CVE-2024-21238

CVE-2024-21239

CVE-2024-21241

CVE-2024-21247

CVE-2024-37371

CVE-2024-5535

CVE-2024-7264

CVE-2025-21490

CVE-2025-21491

CVE-2025-21494

CVE-2025-21497

CVE-2025-21500

CVE-2025-21501

CVE-2025-21503

CVE-2025-21504

CVE-2025-21505

CVE-2025-21518

CVE-2025-21519

CVE-2025-21520

CVE-2025-21521

CVE-2025-21522

CVE-2025-21523

CVE-2025-21525

CVE-2025-21529

CVE-2025-21531

CVE-2025-21534

CVE-2025-21536

CVE-2025-21540

CVE-2025-21543

CVE-2025-21546

CVE-2025-21555

CVE-2025-21559

microcode_ctl

microcode_ctl-20240910-1.0.1.al8

microcode_ctl-20250512-1.0.1.al8

CVE-2024-28956

CVE-2024-43420

CVE-2024-45332

CVE-2025-20012

CVE-2025-20623

CVE-2025-24495

mingw-freetype

mingw-freetype-2.8-3.1.al8

mingw-freetype-2.8-3.1.al8.1

CVE-2025-27363

CVE-2025-32050

CVE-2025-32052

CVE-2025-32053

CVE-2025-32906

CVE-2025-32907

CVE-2025-32909

CVE-2025-32910

CVE-2025-32911

CVE-2025-32913

mingw-sqlite

mingw-sqlite-3.26.0.0-1.1.al8

mingw-sqlite-3.26.0.0-2.al8

CVE-2025-6965

mod_auth_openidc

mod_auth_openidc-2.4.9.4-6.al8

mod_auth_openidc-2.4.9.4-8.al8

CVE-2025-3891

mod_http2

mod_http2-1.15.7-10.al8.1

mod_http2-1.15.7-10.al8.4

CVE-2024-47252

CVE-2025-23048

CVE-2025-49630

CVE-2025-49812

mod_security

mod_security-2.9.6-1.al8

mod_security-2.9.6-2.al8

CVE-2025-47947

mysql

mysql-8.0.36-1.0.1.1.al8

mysql-8.0.43-1.0.1.1.al8

CVE-2025-21574

CVE-2025-21575

CVE-2025-21577

CVE-2025-21579

CVE-2025-21580

CVE-2025-21581

CVE-2025-21584

CVE-2025-21585

CVE-2025-30681

CVE-2025-30682

CVE-2025-30683

CVE-2025-30684

CVE-2025-30685

CVE-2025-30687

CVE-2025-30688

CVE-2025-30689

CVE-2025-30693

CVE-2025-30695

CVE-2025-30696

CVE-2025-30699

CVE-2025-30703

CVE-2025-30704

CVE-2025-30705

CVE-2025-30715

CVE-2025-30721

CVE-2025-30722

CVE-2025-50077

CVE-2025-50078

CVE-2025-50079

CVE-2025-50080

CVE-2025-50081

CVE-2025-50082

CVE-2025-50083

CVE-2025-50084

CVE-2025-50085

CVE-2025-50086

CVE-2025-50087

CVE-2025-50088

CVE-2025-50091

CVE-2025-50092

CVE-2025-50093

CVE-2025-50094

CVE-2025-50096

CVE-2025-50097

CVE-2025-50098

CVE-2025-50099

CVE-2025-50100

CVE-2025-50101

CVE-2025-50102

CVE-2025-50104

CVE-2025-53023

nodejs

nodejs-20.16.0-1.1.al8

nodejs-20.19.2-1.1.al8

CVE-2025-23165

CVE-2025-23166

CVE-2025-23167

nodejs-nodemon

nodejs-nodemon-2.0.20-3.al8

nodejs-nodemon-3.0.1-1.al8

CVE-2025-22150

CVE-2025-23083

CVE-2025-23085

nodejs-packaging

nodejs-packaging-23-3.1.al8

nodejs-packaging-2021.06-4.al8

CVE-2025-22150

CVE-2025-23083

CVE-2025-23085

open-vm-tools

open-vm-tools-12.3.5-2.al8

open-vm-tools-12.3.5-2.al8.1

CVE-2025-41244

opendnssec

opendnssec-2.1.7-1.1.al8

opendnssec-2.1.7-2.al8

CVE-2025-4404

openssh

openssh-8.0p1-25.0.1.1.al8

openssh-8.0p1-26.0.1.1.al8

CVE-2025-26465

osbuild

osbuild-126-1.0.1.al8

osbuild-141.2-1.0.1.al8

CVE-2024-34158

CVE-2024-9355

CVE-2024-1394

osbuild-composer

osbuild-composer-118-2.0.1.al8

osbuild-composer-132.2-2.0.1.al8

CVE-2025-22871

pam

pam-1.3.1-36.al8

pam-1.3.1-38.al8

CVE-2025-6020

pcs

pcs-0.10.18-2.0.1.1.al8.3

pcs-0.10.18-2.0.1.1.al8.6

CVE-2024-49761

perl

perl-5.26.3-422.0.1.al8

perl-5.26.3-423.0.1.al8

CVE-2025-40909

perl-CPAN

perl-CPAN-2.18-397.1.0.2.al8

perl-CPAN-2.18-402.0.1.al8

CVE-2020-16156

perl-FCGI

perl-FCGI-0.78-11.2.al8

perl-FCGI-0.78-12.al8

CVE-2025-40907

perl-File-Find-Rule

perl-File-Find-Rule-0.34-8.1.al8

perl-File-Find-Rule-0.34-9.al8

CVE-2011-10007

perl-JSON-XS

perl-JSON-XS-3.04-3.2.al8

perl-JSON-XS-3.04-4.al8

CVE-2025-40928

perl-YAML-LibYAML

perl-YAML-LibYAML-0.70-1.1.al8

perl-YAML-LibYAML-0.70-2.al8

CVE-2025-40908

podman

podman-4.9.4-18.0.1.al8

podman-4.9.4-23.0.1.al8

CVE-2025-9566

postgresql

postgresql-13.18-1.0.1.al8

postgresql-13.22-1.0.1.al8

CVE-2025-8714

CVE-2025-8715

python-cryptography

python-cryptography-3.2.1-7.al8

python-cryptography-3.2.1-8.al8

CVE-2023-49083

python-jinja2

python-jinja2-2.10.1-3.0.3.al8

python-jinja2-2.10.1-7.0.1.al8

CVE-2025-27516

python-requests

python-requests-2.20.0-5.al8

python-requests-2.20.0-6.al8

CVE-2024-47081

python-setuptools

python-setuptools-39.2.0-8.al8.1

python-setuptools-39.2.0-9.al8

CVE-2025-47273

python3

python3-3.6.8-69.0.1.1.al8

python3-3.6.8-71.0.1.1.al8

CVE-2025-8194

python3.11

python3.11-3.11.11-1.0.1.al8

python3.11-3.11.13-2.0.1.al8

CVE-2025-8194

python3.11-setuptools

python3.11-setuptools-65.5.1-3.al8

python3.11-setuptools-65.5.1-4.al8

CVE-2025-47273

qemu-kvm

qemu-kvm-6.2.0-53.0.1.al8.2

qemu-kvm-6.2.0-53.0.8.al8.4

CVE-2025-49133

redis

redis-6.2.7-1.0.3.al8

redis-6.2.19-1.0.1.1.al8

CVE-2025-32023

CVE-2025-48367

resource-agents

resource-agents-4.9.0-54.al8.6

resource-agents-4.9.0-54.al8.16

CVE-2024-47081

rsync

rsync-3.1.3-20.0.1.al8

rsync-3.1.3-23.0.1.al8

CVE-2016-9840

runc

runc-1.1.12-5.0.1.al8

runc-1.1.12-6.0.1.al8

CVE-2025-22869

skopeo

skopeo-1.14.5-3.0.1.al8

skopeo-1.14.5-4.0.1.al8

CVE-2025-22871

CVE-2025-6032

socat

socat-1.7.4.1-1.0.1.al8

socat-1.7.4.1-2.0.1.al8

CVE-2024-54661

spice-client-win

spice-client-win-8.8-1.al8

spice-client-win-8.10-1.al8

CVE-2025-27363

CVE-2025-32050

CVE-2025-32052

CVE-2025-32053

CVE-2025-32906

CVE-2025-32907

CVE-2025-32909

CVE-2025-32910

CVE-2025-32911

CVE-2025-32913

sqlite

sqlite-3.26.0-19.al8

sqlite-3.26.0-20.al8

CVE-2025-6965

sudo

sudo-1.9.5p2-1.0.2.al8

sudo-1.9.5p2-1.0.2.al8.1

CVE-2025-32462

tbb

tbb-2018.2-9.2.al8

tbb-2018.2-10.al8.1

CVE-2020-11023

tigervnc

tigervnc-1.13.1-14.al8

tigervnc-1.15.0-7.al8

CVE-2025-49175

CVE-2025-49176

CVE-2025-49178

CVE-2025-49179

CVE-2025-49180

tomcat

tomcat-9.0.87-1.al8.2

tomcat-9.0.87-1.al8.6

CVE-2025-48976

CVE-2025-48988

CVE-2025-48989

CVE-2025-49125

CVE-2025-52434

CVE-2025-52520

CVE-2025-53506

udisks2

udisks2-2.9.0-16.0.1.1.al8

udisks2-2.9.0-16.0.4.al8.1

CVE-2025-8067

unbound

unbound-1.16.2-7.al8

unbound-1.16.2-9.al8

CVE-2025-5994

varnish

varnish-6.0.13-1.0.1.1.al8

varnish-6.0.13-1.1.al8.1

CVE-2025-47905

vim

vim-8.0.1763-19.0.2.al8.5

vim-8.0.1763-21.0.1.al8

CVE-2025-53905

CVE-2025-53906

webkit2gtk3

webkit2gtk3-2.46.5-1.0.1.al8

webkit2gtk3-2.46.6-2.0.1.al8

CVE-2025-24201

xdg-utils

xdg-utils-1.1.3-11.al8

xdg-utils-1.1.3-13.al8

CVE-2022-4055

xmlrpc-c

xmlrpc-c-1.51.0-10.0.1.al8

xmlrpc-c-1.51.0-11.0.1.al8

CVE-2024-8176

xorg-x11-server

xorg-x11-server-1.20.11-25.0.1.al8

xorg-x11-server-1.20.11-26.0.1.al8

CVE-2025-49175

CVE-2025-49176

CVE-2025-49178

CVE-2025-49179

CVE-2025-49180

xorg-x11-server-Xwayland

xorg-x11-server-Xwayland-23.2.7-1.al8

xorg-x11-server-Xwayland-23.2.7-4.al8

CVE-2025-49175

CVE-2025-49176

CVE-2025-49178

CVE-2025-49179

CVE-2025-49180

yelp

yelp-40.3-2.al8

yelp-40.3-2.al8.1

CVE-2025-3155

yelp-xsl

yelp-xsl-40.2-1.0.1.al8

yelp-xsl-40.2-1.0.1.al8.1

CVE-2025-3155
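To check an inventory against the "Updated version" values in the tables above, compare builds segment by segment rather than as plain strings: a string comparison ranks 9.2.al8 above 10.al8.1 and al8.6 above al8.16. The following C sketch is an added example, not Alibaba Cloud's tooling. It follows RPM's segment ordering without tilde/caret or epoch handling, and the installed builds in it are a constructed inventory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Order two version or release strings the way RPM does: split them into runs
 * of digits or letters, compare digit runs as numbers and letter runs as text.
 * Tilde/caret rules are left out (no build in the tables uses them). */
static int seg_vercmp(const char *a, const char *b)
{
    while (*a || *b) {
        while (*a && !isalnum((unsigned char)*a)) a++;    /* skip separators */
        while (*b && !isalnum((unsigned char)*b)) b++;
        if (!*a || !*b) break;
        const char *sa = a, *sb = b;
        int numeric = isdigit((unsigned char)*a);
        if (numeric) {
            while (isdigit((unsigned char)*a)) a++;
            while (isdigit((unsigned char)*b)) b++;
        } else {
            while (isalpha((unsigned char)*a)) a++;
            while (isalpha((unsigned char)*b)) b++;
        }
        size_t la = (size_t)(a - sa), lb = (size_t)(b - sb);
        if (lb == 0) return numeric ? 1 : -1;   /* digit run outranks letter run */
        if (numeric) {
            while (la && *sa == '0') { sa++; la--; }      /* drop leading zeros */
            while (lb && *sb == '0') { sb++; lb--; }
            if (la != lb) return la > lb ? 1 : -1;        /* more digits = larger */
        }
        int c = memcmp(sa, sb, la < lb ? la : lb);
        if (c == 0 && la != lb) c = la < lb ? -1 : 1;
        if (c) return c < 0 ? -1 : 1;
    }
    if (!*a && !*b) return 0;
    return *a ? 1 : -1;          /* leftover segments make a build newer */
}

struct nvr { char name[96], version[48], release[64]; };

/* Split "name-version-release" at its last two dashes (names may contain dashes). */
static int split_nvr(const char *s, struct nvr *out)
{
    const char *rel = strrchr(s, '-');
    if (!rel || rel == s) return -1;
    const char *ver = rel - 1;
    while (ver > s && *ver != '-') ver--;
    if (ver == s) return -1;                       /* fewer than two dashes */
    size_t nlen = (size_t)(ver - s), vlen = (size_t)(rel - ver - 1);
    size_t rlen = strlen(rel + 1);
    if (!vlen || !rlen || nlen >= sizeof out->name ||
        vlen >= sizeof out->version || rlen >= sizeof out->release) return -1;
    memcpy(out->name, s, nlen);          out->name[nlen] = '\0';
    memcpy(out->version, ver + 1, vlen); out->version[vlen] = '\0';
    memcpy(out->release, rel + 1, rlen); out->release[rlen] = '\0';
    return 0;
}

/* 1: installed build is at or above the fixed build; 0: older;
 * -1: unparsable input or different package names. */
static int is_patched(const char *installed, const char *fixed)
{
    struct nvr i, f;
    if (split_nvr(installed, &i) || split_nvr(fixed, &f)) return -1;
    if (strcmp(i.name, f.name) != 0) return -1;
    int c = seg_vercmp(i.version, f.version);
    if (c == 0) c = seg_vercmp(i.release, f.release);
    return c >= 0;
}

/* Fixed builds are copied from the tables above. The installed builds are a
 * constructed inventory, in the form printed by
 * rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'. */
static const char *const sample[][2] = {
    /* installed (constructed)                   fixed (from the tables) */
    { "tbb-2018.2-9.2.al8",                      "tbb-2018.2-10.al8.1" },
    { "resource-agents-4.9.0-54.al8.6",          "resource-agents-4.9.0-54.al8.16" },
    { "curl-7.61.1-35.0.2.al8",                  "curl-7.61.1-35.0.2.al8.3" },
    { "sudo-1.9.5p2-1.0.2.al8.1",                "sudo-1.9.5p2-1.0.2.al8.1" },
    { "gcc-toolset-13-gcc-13.3.1-2.2.0.1.1.al8", "gcc-toolset-13-gcc-13.3.1-2.2.0.1.1.al8" },
};

static int count_unpatched(void)
{
    int n = 0;
    for (size_t k = 0; k < sizeof sample / sizeof sample[0]; k++)
        n += is_patched(sample[k][0], sample[k][1]) == 0;
    return n;
}

int main(void)
{
    for (size_t k = 0; k < sizeof sample / sizeof sample[0]; k++) {
        int ok = is_patched(sample[k][0], sample[k][1]);
        int naive = strcmp(sample[k][0], sample[k][1]) >= 0;   /* misleading */
        printf("%-42s %-9s (string compare says %s)\n", sample[k][0],
               ok == 1 ? "patched" : ok == 0 ? "OUTDATED" : "skipped",
               naive ? "patched" : "outdated");
    }
    printf("%d package(s) below the fixed build\n", count_unpatched());
    return 0;
}
```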

Bug fixes

  • qemu-kvm version 6.2.0-53.0.8.al8.4 fixes an issue that prevented SPICE support on the arm64 architecture.

  • anaconda version 33.16.7.12-1.0.7.4.al8 changes /etc/timezone from a symbolic link to a regular text file.

  • cloud-init version 23.2.2-9.0.1.1.al8 fixes an issue where symbolic links were left behind after uninstallation.

  • kexec-tools version 2.0.26-14.0.1.7.al8.2 fixes an issue that prevented Normal memory from being reserved for Node0 on c9i instances.

  • fuse version 2.9.7-19.1.al8 fixes an issue where OSS mount points were lost.

  • gcc-toolset-12 version 12.0-6.1.al8 fixes an issue where installing the pcp software incorrectly triggered a rebuild into the gcc-toolset-12 directory, impairing functionality.

  • util-linux version 2.32.1-46.0.4.1.al8 fixes an "invalid parameter" error when setting the hardware clock.

Known issue

The NetworkManager-wait-online service fails to start on ebmhfr7.48xlarge16 ECS Bare Metal Instances. This issue occurs because the instance has a usb0 interface that NetworkManager does not manage. Resolving this issue requires manual configuration.

Resolution

  1. Create the file /etc/NetworkManager/conf.d/99-unmanaged-device.conf with the following content:

    [device-usb0-unmanaged]
    match-device=interface-name:usb0
    managed=0

  2. After saving the file, restart the system and verify that the NetworkManager-wait-online service starts correctly.

Alibaba Cloud Linux 3 AI Extension Edition 0.5.4

Version

Image ID

Release date

Updates

Alibaba Cloud Linux 3 AI Extension ARM Edition 0.5.4

aliyun_3_0_arm64_20G_alibase_aiext_0.5.4_20251031.vhd

2025-11-30

  • Base image: Alibaba Cloud Linux 3 U12.1

  • Updated the kernel to version 5.10.134-19.2.al8

  • For details, see Updates.

Updates

Important updates

Upgraded the kernel to 5.10.134-19.2.al8.aarch64.

  1. Kernel updates:

    • Fixed an issue where a microcode hot patch for the Zenbleed vulnerability was incorrectly applied to non-Zen2 architectures.

    • Added the swiotlb_any command-line parameter. This parameter enables the system to allocate high-memory addresses (> 2 GB) as bounce buffers for Confidential Computing scenarios.

    • Fixed an issue where the EFI stub did not correctly accept memory when booting a TDX VM.

    • Fixed an issue where a downstream device could be used before its initialization was complete after a PCIe secondary bus reset, which could cause errors or force the device offline.

    • Fixed issues in the DWC_PMU driver to prevent kernel boot failures on Yitian-based instance models when hardware links are abnormal.

    • Fixed a potential crash in the Group Balancer.

    • Fixed an issue that caused unexpected packet loss in virtio_net when used with vhost under specific conditions.

  2. Image updates:

    • Installed python3.12-3.12.7-1.al8 by default and configured it as the default Python 3 version.

    • Added keentuned-3.4.1-1.al8 to provide Intelligent Tuning for AI workloads.

    • Installed kmod-fuse-5.10.134~19.2-1.2.5~1.al8 by default, which enhances support for the fuse over io_uring mode and increases performance to millions of IOPS and a cache read/write bandwidth of 40 GB/s.

Alibaba Cloud Linux 3 AI Extension Edition 0.5.3

Version

Image ID

Release date

Published content

Alibaba Cloud Linux 3 AI Extension Edition 0.5.3

aliyun_3_0_x64_20G_alibase_aiext_0.5.3_20251011.vhd

2025-10-11

  • Kernel upgraded to 5.10.134-19.103.al8.x86_64

  • Updates: For details, see Updates.

Updates

Important updates

  1. Kernel

    1. Upgraded the kernel to version 5.10.134-19.103.al8.x86_64.

    2. New features

      1. Supports five-level page tables, enabling petabyte-scale memory management. For compatibility reasons, user-mode applications must explicitly specify a high address as a hint during the mmap phase to enable allocation from the five-level page table space.

      2. Introduces the PCIe Resizable BAR feature, which lets you adjust the BAR size of PCIe devices without modifying BIOS settings.

      3. Enables the page table page reclaim feature by default by adding reclaim_pt to the kernel command line. This feature reclaims page table pages in the MADV_DONTNEED path to save memory and prevent premature out-of-memory (OOM) errors.

      4. Hybrid deployment enhancement: This update optimizes the load balancing policy for hybrid deployment scenarios and refactors the absolute preemption policy to ensure that online tasks have absolute priority over offline tasks, preventing offline tasks from preempting the resources of online tasks.

    3. Compatibility

      1. Backports patches for GNR to support UPI.

      2. The kernel kABI remains consistent with previous versions.

      3. Kernel command-line changes: pci_quirk is enabled by default and can be disabled by adding pci_quirk=disable. drv_quirk is disabled by default and can be enabled by adding drv_quirk=enable.

    4. Stability improvements

      1. Fixes a checksum error issue in virtio-net that occurred with both large and small packets.

      2. Fixes a use-after-free issue in the group balancer.

      3. Fixes a null pointer dereference issue in the nvme driver during system reboot or shutdown.

      4. Fixes a vhost thread exception issue.

  2. Image

    1. Introduces the update-grubenv service, which automatically detects the current boot mode (UEFI or Legacy BIOS) at system startup. This service dynamically updates the /boot/grub2/grubenv configuration file to ensure the GRUB environment variable matches the actual boot mode. This service runs automatically at startup by default.

    2. Upgraded keentuned to the latest version: keentuned-3.4.0-1.al8.x86_64.

    3. Upgraded kmod-fuse to kmod-fuse-5.10.134~19.103-1.2.4.5~2.al8.x86_64.

    4. Removed drv_quirk=disable and drv_link_quirk=disable from the kernel command line and added reclaim_pt.
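The mmap hint described in the five-level page table item above, as an added C example (not Alibaba Cloud's code): it requests an anonymous mapping with a hint above the 47-bit boundary, reports where the kernel placed it, and includes a guard for code that packs tags into upper pointer bits, which such addresses would break. The 1 << 48 hint, the 2 MiB length and all helper names are assumptions; on a CPU or kernel without five-level paging the hint is ignored and the mapping lands in the 47-bit window.

```c
#define _DEFAULT_SOURCE            /* MAP_ANONYMOUS under strict -std= modes */
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>

/* First user address outside the 47-bit (four-level) window on x86-64. */
#define VA47_END ((uint64_t)1 << 47)

/* 1 if the address lies outside the 47-bit window, else 0. */
static int above_47bit(const void *p)
{
    return (uint64_t)(uintptr_t)p >= VA47_END;
}

/* Anonymous private mapping with a placement hint. MAP_FIXED is not used, so
 * the hint is advisory and the kernel may place the mapping elsewhere. */
static void *map_with_hint(void *hint, size_t len)
{
    void *p = mmap(hint, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Map 2 MiB with the given hint, touch both ends, unmap.
 * Returns 1 if the mapping was placed above the 47-bit window,
 * 0 if inside it, -1 if mmap failed. */
static int probe(void *hint)
{
    size_t len = (size_t)1 << 21;
    unsigned char *p = map_with_hint(hint, len);
    if (!p) return -1;
    p[0] = 0xA5;                   /* prove the range is usable */
    p[len - 1] = 0x5A;
    int high = above_47bit(p);
    munmap(p, len);
    return high;
}

/* Guard for pointer tagging: pack a 16-bit tag into bits 48..63 only when the
 * address leaves those bits (and bit 47) free. Returns 0 on success, -1 if the
 * pointer is a wide address and must not be tagged this way. */
static int pack_tag(const void *p, uint16_t tag, uint64_t *out)
{
    uint64_t v = (uint64_t)(uintptr_t)p;
    if (v >= VA47_END) return -1;
    *out = v | ((uint64_t)tag << 48);
    return 0;
}

static void *unpack_ptr(uint64_t packed)
{
    return (void *)(uintptr_t)(packed & (((uint64_t)1 << 48) - 1));
}

static uint16_t unpack_tag(uint64_t packed)
{
    return (uint16_t)(packed >> 48);
}

int main(void)
{
    void *high_hint = (void *)(uintptr_t)((uint64_t)1 << 48);   /* assumed hint */
    int low = probe(NULL), high = probe(high_hint);
    printf("no hint   -> %s\n", low < 0 ? "mmap failed" :
           low ? "above 47-bit window" : "inside 47-bit window");
    printf("high hint -> %s\n", high < 0 ? "mmap failed" :
           high ? "above 47-bit window" : "inside 47-bit window (hint ignored)");

    /* A tagging allocator must refuse wide addresses instead of corrupting them. */
    unsigned char *p = map_with_hint(high_hint, 4096);
    if (p) {
        uint64_t packed;
        if (pack_tag(p, 0x1234, &packed) == 0)
            printf("%p tagged safely, tag=0x%x\n", unpack_ptr(packed),
                   (unsigned)unpack_tag(packed));
        else
            printf("%p is a wide address: tagging refused\n", (void *)p);
        munmap(p, 4096);
    }
    return 0;
}
```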

Security updates

Package name

CVE ID

Updated version

bind-export-libs

CVE-2024-11187

9.11.36-16.0.1.al8.4

bzip2

CVE-2019-12900

1.0.6-28.al8

bzip2-libs

1.0.6-28.al8

cups-client

CVE-2025-58060

2.2.6-63.0.1.al8

cups-libs

2.2.6-63.0.1.al8

expat

CVE-2024-8176

2.2.5-17.al8

freetype

CVE-2025-27363

2.10.4-10.al8

glib2

CVE-2024-52533

CVE-2025-4373

2.68.4-16.0.1.al8.2

glibc

CVE-2025-0395

CVE-2025-4802

CVE-2025-8058

2.32-1.21.al8

glibc-all-langpacks

2.32-1.21.al8

glibc-common

2.32-1.21.al8

glibc-devel

2.32-1.21.al8

glibc-headers-x86

2.32-1.21.al8

grub2-common

CVE-2025-0624

2.02-165.0.1.al8

grub2-efi-x64

2.02-165.0.1.al8

grub2-pc

2.02-165.0.1.al8

grub2-pc-modules

2.02-165.0.1.al8

grub2-tools

2.02-165.0.1.al8

grub2-tools-efi

2.02-165.0.1.al8

grub2-tools-extra

2.02-165.0.1.al8

grub2-tools-minimal

2.02-165.0.1.al8

krb5-libs

CVE-2025-3576

1.18.2-32.0.1.al8

libarchive

CVE-2025-5914

3.5.3-6.al8

libblockdev

CVE-2025-6019

2.28-7.al8

libblockdev-crypto

2.28-7.al8

libblockdev-fs

2.28-7.al8

libblockdev-loop

2.28-7.al8

libblockdev-mdraid

2.28-7.al8

libblockdev-part

2.28-7.al8

libblockdev-swap

2.28-7.al8

libblockdev-utils

2.28-7.al8

libcap

CVE-2025-1390

2.48-6.0.2.al8

libtasn1

CVE-2024-12133

4.13-5.0.1.al8

libudisks2

CVE-2025-8067

2.9.0-16.0.4.al8.1

libxml2

CVE-2025-32415

2.9.7-21.0.1.1.al8.3

nscd

CVE-2025-0395

CVE-2025-4802

CVE-2025-8058

2.32-1.21.al8

pam

CVE-2025-6020

CVE-2025-8941

1.3.1-38.al8

perl-Errno

CVE-2025-40909

1.28-423.0.1.al8

perl-interpreter

5.26.3-423.0.1.al8

perl-IO

1.38-423.0.1.al8

perl-libs

5.26.3-423.0.1.al8

perl-macros

5.26.3-423.0.1.al8

platform-python

CVE-2025-8194

3.6.8-71.0.1.1.al8

platform-python-devel

3.6.8-71.0.1.1.al8

platform-python-setuptools

CVE-2025-47273

39.2.0-9.al8

python3-cryptography

CVE-2023-49083

3.2.1-8.al8

python3-libs

CVE-2025-8194

3.6.8-71.0.1.1.al8

python3-libxml2

CVE-2025-32415

2.9.7-21.0.1.1.al8.3

python3-requests

CVE-2024-47081

2.20.0-6.al8

python3-setuptools

CVE-2025-47273

39.2.0-9.al8

python3-setuptools-wheel

39.2.0-9.al8

python3-unbound

CVE-2025-5994

1.16.2-9.al8

socat

CVE-2024-54661

1.7.4.1-2.0.1.al8

sqlite

CVE-2025-6965

3.26.0-20.al8

sqlite-libs

3.26.0-20.al8

tuned

CVE-2024-52337

2.22.1-5.0.1.1.al8

udisks2

CVE-2025-8067

2.9.0-16.0.4.al8.1

unbound-libs

CVE-2025-5994

1.16.2-9.al8

Alibaba Cloud Linux 3 AI Extension Edition 0.5.2

Version

Image ID

Release date

Description

Alibaba Cloud Linux 3 AI Extension Edition 0.5.2

aliyun_3_0_x64_20G_alibase_aiext_0.5.2_20250714.vhd

2025-07-14

  • Base image: Alibaba Cloud Linux 3 U11.1

  • Kernel upgraded to 5.10.134-19.101.al8.x86_64

  • Updates: For more information, see Updates.

Updates

Major updates

  • When used with standard community openclip/bevformer AI container images (AC2), Alibaba Cloud Linux 3 AI Extension Edition 0.5.2 provides improved training and inference performance compared to Ubuntu 22.04:

    • For bevformer_base training, the average throughput per step is 13% higher with FP32 precision and 12% to 18% higher with FP16 precision.

    • For openclip (RN50), the average throughput per step for training is 26% higher, and the average throughput for inference is 26% higher.

  • Replacing the community openclip/bevformer AI container images with Alibaba Cloud's optimized versions yields the following performance gains:

    • For bevformer_base training, the average throughput per step is 22% higher with FP32 precision and 17% to 20% higher with FP16 precision.

    • For openclip (RN50), the average throughput per step for training is 46% higher, and the average throughput for inference is 26% higher.

The kernel is upgraded to version 5.10.134-19.101.al8.x86_64.

  • Scheduling

    • Backported cluster scheduling features.

    • Added support for configuring BVT for non-movable threads in the root group.

    • Added support in Core Scheduling for independently configuring special properties for each cookie.

      • Allows sharing a core with normal tasks that do not have a cookie.

      • Prevents load balancing from packing tasks with the same cookie, ensuring they are distributed across different cores.

  • Memory

    • Enabled Transparent Huge Pages (THP)-aligned address space allocation for mmap().

    • Added support for the memmap_on_memory feature in virtio-mem for rapid container memory scaling.

    • Introduced a temporary file optimization feature to improve performance in model training scenarios.

    • Introduced a smooth reclamation feature for the pagecache limit to improve memory efficiency and performance in model training scenarios.

    • Introduced a page table page reclamation feature to improve memory efficiency. Enabled by adding reclaim_pt to the cmdline, this feature is expected to improve performance in model training scenarios.

    • Added a switch to control the delayed release of shmem file pages.

    • Fixed various issues, including a stability issue in kfence and a THP counting issue for large code pages.

  • Network

    • Fixed various SMC issues, including link group and link use-after-free problems, and resolved smc-r device lookup failures in container scenarios.

  • Storage

    • erofs:

      • Backported several fixes for the erofs file system from the mainline branch.

      • Added support for file-backed mounting and a 48-bit layout.

      • Added support for sub-page blocks for compressed files.

    • Backported patches from the mainline stable branches for components such as ext4, block, blk-mq, and io_uring.

    • Introduced the virtio-blk passthrough feature for virtio-blk devices.

  • Drivers

    • The NVMe driver supports batch processing of completed polled I/O commands.

    • Added support for differential configuration of NVMe driver parameters for cloud disks and local disks.

    • Merged PCIe driver bugfix patches to resolve issues such as incorrect space size calculation and root bus allocation.

  • BPF

    • Merged bugfix and CVE fix patches from the stable community.

Packages

  • Provides and installs python3.12-3.12.7-1.al8.x86_64 by default, setting it as the default Python 3 version.

  • Includes keentuned-3.2.4-2.al8.x86_64 to provide intelligent tuning for AI scenarios.

Known issues

  1. The NetworkManager-wait-online service fails to start during the startup of ecs.ebmgn8t.32xlarge instances.

    The instance includes a USB network device, which extends the startup time of the NetworkManager service. This causes the NetworkManager-wait-online service to time out and fail. If you do not use the USB network device, you can configure NetworkManager to not manage usb0. To do this, edit the /etc/NetworkManager/conf.d/99-unmanaged-device.conf file and add the following content:

    [device-usb0-unmanaged]
    match-device=interface-name:usb0
    managed=0

    After editing the file, restart the NetworkManager service to apply the changes. NetworkManager will no longer manage the usb0 device. After rebooting the system, the NetworkManager-wait-online service will start normally.

  2. Using vhost-net may occasionally cause high CPU usage and network outages. To resolve this issue, install the following hotfix:

    yum install kernel-hotfix-22577883-5.10.134-19.101 -y

  3. When an NVMe device encounters a hardware exception, rebooting the system may trigger a null pointer error. To resolve this issue, install the following hotfix:

    yum install kernel-hotfix-22584571-5.10.134-19.101 -y

Alibaba Cloud Linux 3.2104 U12

Version

Image ID

Release date

Updates

Alibaba Cloud Linux (Alinux) 3.2104 U12

aliyun_3_x64_20G_alibase_20250629.vhd

2025-06-29

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image with the latest software.

  • Updated the kernel version to kernel-5.10.134-19.1.al8.x86_64.

  • For details, see Updates.

aliyun_3_x64_20G_dengbao_alibase_20250629.vhd

2025-06-29

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit MLPS 2.0 Level 3 Base Image with the latest software.

  • Updated the kernel version to kernel-5.10.134-19.1.al8.x86_64.

  • For details, see Updates.

aliyun_3_x64_20G_container_optimized_alibase_20250629.vhd

2025-06-29

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit Container Optimized Edition Base Image with the latest software.

  • Updated the kernel version to kernel-5.10.134-19.1.al8.x86_64.

  • For details, see Updates.

aliyun_3_arm64_20G_alibase_20250629.vhd

2025-06-29

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM Base Image with the latest software.

  • Updated the kernel version to kernel-5.10.134-19.1.al8.aarch64.

  • For details, see Updates.

aliyun_3_arm64_20G_dengbao_alibase_20250629.vhd

2025-06-29

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM MLPS 2.0 Level 3 Base Image with the latest software.

  • Updated the kernel version to kernel-5.10.134-19.1.al8.aarch64.

  • For details, see Updates.

aliyun_3_arm64_20G_container_optimized_alibase_20250629.vhd

2025-06-29

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit Container Optimized Edition for ARM Base Image with the latest software.

  • Updated the kernel version to kernel-5.10.134-19.1.al8.aarch64.

  • For details, see Updates.

Content updates

Security updates

Package name

CVE ID

Updated version

buildah

CVE-2023-45290

CVE-2024-1394

CVE-2024-3727

CVE-2024-6104

CVE-2024-24783

CVE-2024-24784

CVE-2024-24789

CVE-2024-37298

buildah-1.33.8-4.al8

containernetworking-plugins

CVE-2023-45290

CVE-2024-1394

CVE-2024-3727

CVE-2024-6104

CVE-2024-24783

CVE-2024-24784

CVE-2024-24789

CVE-2024-37298

containernetworking-plugins-1.4.0-5.0.1.al8

containers-common

CVE-2023-45290

CVE-2024-1394

CVE-2024-3727

CVE-2024-6104

CVE-2024-24783

CVE-2024-24784

CVE-2024-24789

CVE-2024-37298

containers-common-1-82.0.1.al8

podman

CVE-2023-45290

CVE-2024-1394

CVE-2024-3727

CVE-2024-6104

CVE-2024-24783

CVE-2024-24784

CVE-2024-24789

CVE-2024-37298

podman-4.9.4-12.0.1.al8

python-podman

CVE-2023-45290

CVE-2024-1394

CVE-2024-3727

CVE-2024-6104

CVE-2024-24783

CVE-2024-24784

CVE-2024-24789

CVE-2024-37298

python-podman-4.9.0-2.al8

runc

CVE-2023-45290

CVE-2024-1394

CVE-2024-3727

CVE-2024-6104

CVE-2024-24783

CVE-2024-24784

CVE-2024-24789

CVE-2024-37298

runc-1.1.12-4.0.1.al8

skopeo

CVE-2023-45290

CVE-2024-1394

CVE-2024-3727

CVE-2024-6104

CVE-2024-24783

CVE-2024-24784

CVE-2024-24789

CVE-2024-37298

skopeo-1.14.5-3.0.1.al8

httpd

CVE-2023-27522

httpd-2.4.37-65.0.1.al8.2

git-lfs

CVE-2023-45288

CVE-2023-45289

CVE-2023-45290

CVE-2024-24783

git-lfs-3.4.1-2.0.1.al8

bind

CVE-2024-1975

CVE-2024-1737

bind-9.11.36-16.0.1.al8

python-setuptools

CVE-2024-6345

python-setuptools-39.2.0-8.al8.1

less

CVE-2022-48624

CVE-2024-32487

less-530-3.0.1.al8

java-17-openjdk

CVE-2024-21131

CVE-2024-21138

CVE-2024-21140

CVE-2024-21144

CVE-2024-21145

CVE-2024-21147

java-17-openjdk-17.0.12.0.7-2.0.2.1.al8

java-11-openjdk

CVE-2024-21131

CVE-2024-21138

CVE-2024-21140

CVE-2024-21144

CVE-2024-21145

CVE-2024-21147

java-11-openjdk-11.0.24.0.8-3.0.2.1.al8

postgresql

CVE-2024-7348

postgresql-13.16-1.0.1.al8

flatpak

CVE-2024-42472

flatpak-1.12.9-3.al8

bubblewrap

CVE-2024-42472

bubblewrap-0.4.0-2.2.al8

java-1.8.0-openjdk

CVE-2024-21131

CVE-2024-21138

CVE-2024-21140

CVE-2024-21144

CVE-2024-21145

CVE-2024-21147

java-1.8.0-openjdk-1.8.0.422.b05-2.0.2.1.al8

fence-agents

CVE-2024-6345

fence-agents-4.10.0-62.0.2.al8.4

pcp

CVE-2024-45769

CVE-2024-45770

pcp-5.3.7-22.0.1.al8

delve

CVE-2024-24791

CVE-2024-34155

CVE-2024-34156

CVE-2024-34158

delve-1.21.2-4.0.1.al8

golang

CVE-2024-24791

CVE-2024-34155

CVE-2024-34156

CVE-2024-34158

golang-1.21.13-2.0.1.al8

go-toolset

CVE-2024-24791

CVE-2024-34155

CVE-2024-34156

CVE-2024-34158

go-toolset-1.21.13-1.al8

edk2

CVE-2023-45236

CVE-2023-45237

CVE-2024-1298

edk2-20220126gitbb1bba3d77-13.0.1.al8.2

curl

CVE-2024-2398

curl-7.61.1-35.0.2.al8

libvpx

CVE-2023-6349

CVE-2024-5197

libvpx-1.7.0-11.0.1.al8

resource-agents

CVE-2024-37891

CVE-2024-6345

resource-agents-4.9.0-54.al8.4

389-ds-base

CVE-2024-5953

389-ds-base-1.4.3.39-8.0.1.al8

python-urllib3

CVE-2024-37891

python-urllib3-1.24.2-8.al8

pcs

CVE-2024-41123

CVE-2024-41946

CVE-2024-43398

pcs-0.10.18-2.0.1.1.al8.2

grafana

CVE-2024-24788

CVE-2024-24789

CVE-2024-24790

grafana-9.2.10-17.0.1.al8

libuv

CVE-2024-24806

libuv-1.42.0-2.al8

c-ares

CVE-2024-25629

c-ares-1.13.0-11.al8

xmlrpc-c

CVE-2023-52425

xmlrpc-c-1.51.0-9.0.1.al8

yajl

CVE-2022-24795

CVE-2023-33460

yajl-2.1.0-13.0.1.al8

wpa_supplicant

CVE-2023-52160

wpa_supplicant-2.10-2.al8

cups

CVE-2024-35235

cups-2.2.6-60.0.1.al8

linux-firmware

CVE-2023-31346

linux-firmware-20240610-122.git90df68d2.al8

wget

CVE-2024-38428

wget-1.19.5-12.0.1.al8

poppler

CVE-2024-6239

poppler-20.11.0-12.0.1.al8

krb5

CVE-2024-37370

CVE-2024-37371

krb5-1.18.2-29.0.1.al8

git-lfs

CVE-2024-34156

git-lfs-3.4.1-3.0.1.al8

libreoffice

CVE-2024-3044

CVE-2024-6472

libreoffice-7.1.8.1-12.0.2.1.al8.1

orc

CVE-2024-40897

orc-0.4.28-4.al8

jose

CVE-2023-50967

CVE-2024-28176

jose-10-2.3.al8.3

openssh

CVE-2020-15778

CVE-2023-48795

CVE-2023-51385

openssh-8.0p1-25.0.1.1.al8

libnbd

CVE-2024-3446

CVE-2024-7383

CVE-2024-7409

libnbd-1.6.0-6.0.1.al8

qemu-kvm

CVE-2024-3446

CVE-2024-7383

CVE-2024-7409

qemu-kvm-6.2.0-53.0.1.al8

libvirt

CVE-2024-3446

CVE-2024-7383

CVE-2024-7409

libvirt-8.0.0-23.2.0.2.al8

osbuild-composer

CVE-2024-34156

osbuild-composer-101-2.0.1.al8

libreswan

CVE-2024-3652

libreswan-4.12-2.0.2.al8.4

mod_auth_openidc

CVE-2024-24814

mod_auth_openidc-2.4.9.4-6.al8

podman

CVE-2023-45290

CVE-2024-24783

CVE-2024-24784

CVE-2024-24788

CVE-2024-24791

podman-4.9.4-13.0.1.al8

ghostscript

CVE-2024-29510

CVE-2024-33869

CVE-2024-33870

ghostscript-9.54.0-18.al8

emacs

CVE-2024-39331

emacs-27.2-9.0.3.al8

dovecot

CVE-2024-23184

CVE-2024-23185

dovecot-2.3.16-5.0.1.al8

expat

CVE-2024-45490

CVE-2024-45491

CVE-2024-45492

expat-2.2.5-13.0.1.al8

glib2

CVE-2024-34397

glib2-2.68.4-14.0.2.al8

python-idna

CVE-2024-3651

python-idna-2.5-7.al8

openldap

CVE-2023-2953

openldap-2.4.46-19.al8

python-pillow

CVE-2024-28219

python-pillow-5.1.1-21.al8

nghttp2

CVE-2024-28182

nghttp2-1.33.0-6.0.1.al8.1

python-jinja2

CVE-2024-34064

python-jinja2-2.10.1-3.0.3.al8

opencryptoki

CVE-2024-0914

opencryptoki-3.22.0-3.al8

gdk-pixbuf2

CVE-2021-44648

CVE-2021-46829

CVE-2022-48622

gdk-pixbuf2-2.42.6-4.0.1.al8

rear

CVE-2024-23301

rear-2.6-13.0.1.al8

grub2

CVE-2023-4692

CVE-2023-4693

CVE-2024-1048

grub2-2.02-150.0.2.al8

nss

CVE-2023-5388

CVE-2023-6135

nss-3.101.0-7.0.1.al8

gnutls

CVE-2024-0553

CVE-2024-28834

gnutls-3.6.16-8.0.1.al8.3

python3

CVE-2024-4032

CVE-2024-6232

CVE-2024-6923

python3-3.6.8-67.0.1.2.al8

grafana

CVE-2024-24791

grafana-9.2.10-18.0.1.al8

cups-filters

CVE-2024-47076

CVE-2024-47175

CVE-2024-47176

CVE-2024-47850

cups-filters-1.20.0-35.0.1.al8

linux-firmware

CVE-2023-20584

CVE-2023-31315

CVE-2023-31356

linux-firmware-20240827-124.git3cff7109.al8

golang

CVE-2024-9355

golang-1.21.13-3.0.1.al8

openssl

CVE-2024-5535

openssl-1.1.1k-14.0.1.al8

nano

CVE-2024-5742

nano-2.9.8-2.0.1.al8

runc

CVE-2023-45290

CVE-2024-34155

CVE-2024-34156

CVE-2024-34158

runc-1.1.12-5.0.1.al8

OpenIPMI

CVE-2024-42934

OpenIPMI-2.0.32-5.0.1.al8

grafana

CVE-2024-47875

CVE-2024-9355

grafana-9.2.10-20.0.1.al8

java-11-openjdk

CVE-2023-48161

CVE-2024-21208

CVE-2024-21210

CVE-2024-21217

CVE-2024-21235

java-11-openjdk-11.0.25.0.9-2.0.1.1.al8

java-1.8.0-openjdk

CVE-2023-48161

CVE-2024-21208

CVE-2024-21210

CVE-2024-21217

CVE-2024-21235

java-1.8.0-openjdk-1.8.0.432.b06-2.0.2.1.al8

java-17-openjdk

CVE-2023-48161

CVE-2024-21208

CVE-2024-21210

CVE-2024-21217

CVE-2024-21235

java-17-openjdk-17.0.13.0.11-3.0.2.1.al8

NetworkManager-libreswan

CVE-2024-9050

NetworkManager-libreswan-1.2.10-7.0.1.al8

ansible-core

CVE-2024-0690

ansible-core-2.16.3-2.0.1.al8

libtiff

CVE-2023-52356

libtiff-4.4.0-12.0.2.al8

krb5

CVE-2024-3596

krb5-1.18.2-30.0.1.al8

xorg-x11-server

CVE-2024-9632

xorg-x11-server-1.20.11-25.0.1.al8

xmlrpc-c

CVE-2024-45491

xmlrpc-c-1.51.0-10.0.1.al8

bzip2

CVE-2019-12900

bzip2-1.0.6-27.al8

bcc

CVE-2024-2314

bcc-0.25.0-9.0.1.al8

python3.11

CVE-2024-6232

python3.11-3.11.10-1.0.1.al8

buildah

CVE-2024-9341

CVE-2024-9407

CVE-2024-9675

buildah-1.33.10-1.al8

podman

CVE-2024-9341

CVE-2024-9407

CVE-2024-9675

podman-4.9.4-15.0.1.al8

libtiff

CVE-2024-7006

libtiff-4.4.0-12.0.3.al8

libsoup

CVE-2024-52530

CVE-2024-52532

libsoup-2.62.3-6.0.1.al8

gtk3

CVE-2024-6655

gtk3-3.24.31-5.0.2.1.al8

tigervnc

CVE-2024-9632

tigervnc-1.13.1-14.al8

emacs

CVE-2024-30203

CVE-2024-30204

CVE-2024-30205

emacs-27.2-10.0.1.al8

squid

CVE-2024-23638

CVE-2024-45802

squid-4.15-13.al8.3

gnome-shell-extensions

CVE-2024-36472

gnome-shell-extensions-40.7-19.0.1.al8

gnome-shell

CVE-2024-36472

gnome-shell-40.10-21.al8

osbuild-composer

CVE-2024-34156

osbuild-composer-118-2.0.1.al8

expat

CVE-2024-50602

expat-2.2.5-16.al8

iperf3

CVE-2023-7250

CVE-2024-26306

iperf3-3.9-13.al8

lldpd

CVE-2020-27827

CVE-2021-43612

CVE-2023-41910

lldpd-1.0.18-4.0.1.al8

xorg-x11-server-Xwayland

CVE-2024-31080

CVE-2024-31081

CVE-2024-31083

xorg-x11-server-Xwayland-23.2.7-1.al8

bpftrace

CVE-2024-2313

bpftrace-0.16.0-8.al8

perl-Convert-ASN1

CVE-2013-7488

perl-Convert-ASN1-0.27-17.1.0.1.al8

podman

CVE-2021-33198

CVE-2021-4024

CVE-2024-9676

podman-4.9.4-18.0.1.al8

grafana-pcp

CVE-2024-9355

grafana-pcp-5.1.1-9.0.1.al8

buildah

CVE-2021-33198

CVE-2021-4024

CVE-2024-9676

buildah-1.33.11-1.al8

python-podman

CVE-2021-33198

CVE-2021-4024

CVE-2024-9676

python-podman-4.9.0-3.al8

golang

CVE-2024-24790

golang-1.22.7-1.0.2.al8

delve

CVE-2024-24790

delve-1.22.1-1.0.2.al8

go-toolset

CVE-2024-24790

go-toolset-1.22.7-1.al8

pam

CVE-2024-10041

CVE-2024-10963

pam-1.3.1-36.al8

perl-App-cpanminus

CVE-2024-45321

perl-App-cpanminus-1.7044-6.al8

postgresql

CVE-2024-10976

CVE-2024-10978

CVE-2024-10979

postgresql-13.18-1.0.1.al8

python3

CVE-2024-11168

CVE-2024-9287

python3-3.6.8-69.0.1.1.al8

python3.11-cryptography

CVE-2023-49083

python3.11-cryptography-37.0.2-6.0.1.al8

python3.11-setuptools

CVE-2024-6345

python3.11-setuptools-65.5.1-3.al8

python3.11-pip

CVE-2007-4559

python3.11-pip-22.3.1-5.al8

python3.11

CVE-2024-9287

python3.11-3.11.11-1.0.1.al8

php

CVE-2023-0567

CVE-2023-0568

CVE-2023-3247

CVE-2023-3823

CVE-2023-3824

CVE-2024-2756

CVE-2024-3096

CVE-2024-5458

CVE-2024-8925

CVE-2024-8927

CVE-2024-9026

php-7.4.33-2.0.1.al8

pcs

CVE-2024-21510

pcs-0.10.18-2.0.1.1.al8.3

gstreamer1-plugins-good

CVE-2024-47537

CVE-2024-47539

CVE-2024-47540

CVE-2024-47606

CVE-2024-47613

gstreamer1-plugins-good-1.16.1-5.al8

gstreamer1-plugins-base

CVE-2024-47538

CVE-2024-47607

CVE-2024-47615

gstreamer1-plugins-base-1.22.1-3.0.1.al8

libsndfile

CVE-2024-50612

libsndfile-1.0.28-16.0.1.al8

tuned

CVE-2024-52337

tuned-2.22.1-5.0.1.1.al8

edk2

CVE-2024-38796

edk2-20220126gitbb1bba3d77-13.0.1.al8.4

bluez

CVE-2023-45866

bluez-5.63-3.0.1.al8

fontforge

CVE-2024-25081

CVE-2024-25082

fontforge-20200314-6.0.1.al8

mpg123

CVE-2024-10573

mpg123-1.32.9-1.al8

webkit2gtk3

CVE-2024-23271

CVE-2024-27820

CVE-2024-27838

CVE-2024-27851

CVE-2024-40779

CVE-2024-40780

CVE-2024-40782

CVE-2024-40789

CVE-2024-40866

CVE-2024-44185

CVE-2024-44187

CVE-2024-44244

CVE-2024-44296

CVE-2024-4558

webkit2gtk3-2.46.3-2.0.1.al8

python-requests

CVE-2024-35195

python-requests-2.20.0-5.al8

cups-filters

CVE-2024-47076

CVE-2024-47175

CVE-2024-47176

CVE-2024-47850

cups-filters-1.20.0-35.0.2.al8

openssh

CVE-2020-15778

CVE-2023-48795

CVE-2023-51385

openssh-8.0p1-25.0.1.2.al8

pam

CVE-2024-10041

CVE-2024-10963

pam-1.3.1-36.1.al8

webkit2gtk3

CVE-2024-23271

CVE-2024-27820

CVE-2024-27838

CVE-2024-27851

CVE-2024-40779

CVE-2024-40780

CVE-2024-40782

CVE-2024-40789

CVE-2024-40866

CVE-2024-44185

CVE-2024-44187

CVE-2024-44244

CVE-2024-44296

CVE-2024-44309

CVE-2024-4558

webkit2gtk3-2.46.5-1.0.1.al8

dpdk

CVE-2024-11614

dpdk-23.11-2.al8

cups

CVE-2024-47175

cups-2.2.6-62.0.1.al8

iperf3

CVE-2024-53580

iperf3-3.9-13.al8.1

cups

CVE-2024-47175

cups-2.2.6-62.0.2.al8

NetworkManager

CVE-2024-3661

NetworkManager-1.40.16-18.0.1.al8

raptor2

CVE-2024-57823

raptor2-2.0.15-17.0.1.al8

rsync

CVE-2024-12085

rsync-3.1.3-20.0.1.al8

fence-agents

CVE-2024-56201

CVE-2024-56326

fence-agents-4.10.0-76.0.1.al8.4

glibc

CVE-2022-23218

CVE-2022-23219

glibc-2.32-1.19.al8

glibc

CVE-2024-33602

CVE-2024-33601

CVE-2024-33600

CVE-2024-33599

glibc-2.32-1.20.al8

grafana

CVE-2025-21613

CVE-2025-21614

grafana-9.2.10-21.0.1.al8

redis

CVE-2022-24834

CVE-2022-35977

CVE-2022-36021

CVE-2023-22458

CVE-2023-25155

CVE-2023-28856

CVE-2023-45145

CVE-2024-31228

CVE-2024-31449

CVE-2024-46981

redis-6.2.17-1.0.1.1.al8

python-jinja2

CVE-2024-56326

python-jinja2-2.10.1-3.0.4.al8

bzip2

CVE-2019-12900

bzip2-1.0.6-28.al8

libsoup

CVE-2024-52531

libsoup-2.62.3-7.0.1.al8

git-lfs

CVE-2024-53263

git-lfs-3.4.1-4.0.1.al8

keepalived

CVE-2024-41184

keepalived-2.2.8-4.al8

unbound

CVE-2024-1488

CVE-2024-8508

unbound-1.16.2-8.al8

java-17-openjdk

CVE-2025-21502

java-17-openjdk-17.0.14.0.7-3.0.1.1.al8

galera

CVE-2023-22084

CVE-2024-21096

galera-26.4.20-1.al8

mariadb

CVE-2023-22084

CVE-2024-21096

mariadb-10.5.27-1.0.1.al8

doxygen

CVE-2020-11023

doxygen-1.8.14-13.al8

tbb

CVE-2020-11023

tbb-2018.2-10.al8.1

gcc-toolset-13-gcc

CVE-2020-11023

gcc-toolset-13-gcc-13.3.1-2.2.0.1.1.al8

nodejs

CVE-2025-22150

CVE-2025-23083

CVE-2025-23085

nodejs-20.18.2-1.1.al8

nodejs-packaging

CVE-2025-22150

CVE-2025-23083

CVE-2025-23085

nodejs-packaging-2021.06-4.al8

nodejs-nodemon

CVE-2025-22150

CVE-2025-23083

CVE-2025-23085

nodejs-nodemon-3.0.1-1.al8

podman

CVE-2024-11218

podman-4.9.4-19.0.1.al8

buildah

CVE-2024-11218

buildah-1.33.12-1.al8

libcap

CVE-2025-1390

libcap-2.48-6.0.2.al8

libxml2

CVE-2022-49043

libxml2-2.9.7-18.0.4.1.al8

bind

CVE-2024-11187

bind-9.11.36-16.0.1.al8.4

postgresql

CVE-2025-1094

postgresql-13.20-1.0.1.al8

libpq

CVE-2025-1094

libpq-13.20-1.0.1.al8

mecab-ipadic

CVE-2024-11053

CVE-2024-21193

CVE-2024-21194

CVE-2024-21196

CVE-2024-21197

CVE-2024-21198

CVE-2024-21199

CVE-2024-21201

CVE-2024-21203

CVE-2024-21212

CVE-2024-21213

CVE-2024-21218

CVE-2024-21219

CVE-2024-21230

CVE-2024-21231

CVE-2024-21236

CVE-2024-21237

CVE-2024-21238

CVE-2024-21239

CVE-2024-21241

CVE-2024-21247

CVE-2024-37371

CVE-2024-5535

CVE-2024-7264

CVE-2025-21490

CVE-2025-21491

CVE-2025-21494

CVE-2025-21497

CVE-2025-21500

CVE-2025-21501

CVE-2025-21503

CVE-2025-21504

CVE-2025-21505

CVE-2025-21518

CVE-2025-21519

CVE-2025-21520

CVE-2025-21521

CVE-2025-21522

CVE-2025-21523

CVE-2025-21525

CVE-2025-21529

CVE-2025-21531

CVE-2025-21534

CVE-2025-21536

CVE-2025-21540

CVE-2025-21543

CVE-2025-21546

CVE-2025-21555

CVE-2025-21559

mecab-ipadic-2.7.0.20070801-17.0.1.al8

mysql

CVE-2024-11053

CVE-2024-21193

CVE-2024-21194

CVE-2024-21196

CVE-2024-21197

CVE-2024-21198

CVE-2024-21199

CVE-2024-21201

CVE-2024-21203

CVE-2024-21212

CVE-2024-21213

CVE-2024-21218

CVE-2024-21219

CVE-2024-21230

CVE-2024-21231

CVE-2024-21236

CVE-2024-21237

CVE-2024-21238

CVE-2024-21239

CVE-2024-21241

CVE-2024-21247

CVE-2024-37371

CVE-2024-5535

CVE-2024-7264

CVE-2025-21490

CVE-2025-21491

CVE-2025-21494

CVE-2025-21497

CVE-2025-21500

CVE-2025-21501

CVE-2025-21503

CVE-2025-21504

CVE-2025-21505

CVE-2025-21520

CVE-2025-21521

CVE-2025-21522

CVE-2025-21523

CVE-2025-21525

CVE-2025-21529

CVE-2025-21531

CVE-2025-21534

CVE-2025-21536

CVE-2025-21540

CVE-2025-21543

CVE-2025-21546

CVE-2025-21555

CVE-2025-21559

mysql-8.0.41-1.0.1.1.al8

emacs

CVE-2025-1244

emacs-27.2-11.0.1.al8.1

webkit2gtk3

CVE-2024-54543

CVE-2025-24143

CVE-2025-24150

CVE-2025-24158

CVE-2025-24162

webkit2gtk3-2.46.6-1.0.1.al8

tigervnc

CVE-2025-26594

CVE-2025-26595

CVE-2025-26596

CVE-2025-26597

CVE-2025-26598

CVE-2025-26599

CVE-2025-26600

CVE-2025-26601

tigervnc-1.13.1-15.al8

rsync

CVE-2024-12087

CVE-2024-12088

CVE-2024-12747

rsync-3.1.3-21.0.1.al8

libxml2

CVE-2024-56171

CVE-2025-24928

libxml2-2.9.7-19.0.1.1.al8

krb5

CVE-2025-24528

krb5-1.18.2-31.0.1.al8

pcs

CVE-2024-52804

pcs-0.10.18-2.0.1.1.al8.4

webkit2gtk3

CVE-2025-24201

webkit2gtk3-2.46.6-2.0.1.al8

fence-agents

CVE-2025-27516

fence-agents-4.10.0-76.0.1.al8.6

podman

CVE-2025-22869

podman-4.9.4-20.0.1.al8

runc

CVE-2025-22869

runc-1.1.12-6.0.1.al8

grub2

CVE-2025-0624

grub2-2.02-150.0.3.al8

libreoffice

CVE-2025-1080

libreoffice-7.1.8.1-15.0.1.1.al8.1

freetype

CVE-2025-27363

freetype-2.10.4-10.al8

python-jinja2

CVE-2025-27516

python-jinja2-2.10.1-7.0.1.al8

libxslt

CVE-2024-55549

CVE-2025-24855

libxslt-1.1.32-6.1.0.1.al8

tomcat

CVE-2024-50379

CVE-2025-24813

tomcat-9.0.87-1.al8.3

expat

CVE-2024-8176

expat-2.2.5-17.al8

mod_auth_openidc

CVE-2025-31492

mod_auth_openidc-2.4.9.4-7.al8

xmlrpc-c

CVE-2024-8176

xmlrpc-c-1.51.0-11.0.1.al8

libtasn1

CVE-2024-12133

libtasn1-4.13-5.0.1.al8

bluez

CVE-2023-27349

CVE-2023-51589

bluez-5.63-5.0.1.al8

Package updates

New features

  • This release introduces Confidential AI, which uses Confidential Computing to provide enhanced data security for AI model training and inference.

  • Adds support for PCIe error injection through ras-tools.

  • Adds 26 new external device drivers to expand hardware compatibility. These drivers are not installed by default.

    • kmod-ast-5.10.134~19-1.14.4~1.al8.src.rpm

    • kmod-bnxt-5.10.134~19-1.10.3_231.0.162.0~2.al8.src.rpm

    • kmod-fic2-5.10.134~19-1.2.6~1.al8.src.rpm

    • kmod-hinic-5.10.134~19-1.0~1.al8.src.rpm

    • kmod-hns3-5.10.134~19-1.0~1.al8.src.rpm

    • kmod-i40e-5.10.134~19-2.23.17~1.al8.src.rpm

    • kmod-iavf-5.10.134~19-4.9.4~1.al8.src.rpm

    • kmod-ice-5.10.134~19-1.12.13.4~2.al8.src.rpm

    • kmod-igb-5.10.134~19-5.14.16~1.al8.src.rpm

    • kmod-intel-QAT20-5.10.134~19-L.0.9.4__00004~1.al8.src.rpm

    • kmod-irdma-5.10.134~19-1.13.43~1.al8.src.rpm

    • kmod-ixgbe-5.10.134~19-5.19.6~1.al8.src.rpm

    • kmod-ixgbevf-5.10.134~19-4.18.7~1.al8.src.rpm

    • kmod-kvdo-6.2.8.7-94.0.1.al8.src.rpm

    • kmod-lpfc-5.10.134~19-14.2.673.37~1.al8.src.rpm

    • kmod-mellanox-5.10.134~19-23.10~2.al8.src.rpm

    • kmod-mpi3mr-5.10.134~19-8.11.1.0.0~1.al8.src.rpm

    • kmod-mpt3sas-5.10.134~19-47.00.00.00~1.al8.src.rpm

    • kmod-ngbevf-5.10.134~19-1.2.2~2.al8.src.rpm

    • kmod-ps3stor-5.10.134~19-2.3.1.24~1.al8.src.rpm

    • kmod-qla2xxx-5.10.134~19-10.02.09.00_k~1.al8.src.rpm

    • kmod-sfc-5.10.134~19-5.3.16.1004~2.al8.src.rpm

    • kmod-smartpqi-5.10.134~19-2.1.22_040~1.al8.src.rpm

    • kmod-sxe-5.10.134~19-1.3.1.1~1.al8.src.rpm

    • kmod-txgbevf-5.10.134~19-1.3.1~2.al8.src.rpm

    • kmod-xscale-5.10.134~19-1.2.0_367~2.al8.src.rpm

Important updates

Kernel

The kernel has been updated to kernel-5.10.134-19.1.al8.

  • Scheduling

    • Merged the cluster scheduling feature.

    • Added support for configuring BVT for non-migratable threads in the root cgroup.

    • Core sched now supports independent configuration of special properties for each cookie.

      • Cores can now be shared with regular tasks that do not have a cookie.

      • Prevents load balancing from automatically grouping tasks with the same cookie, ensuring they are distributed across different cores.

  • Memory

    • Fixed stability issues in kfence.

    • Fixed a Transparent Huge Page (THP) accounting issue.

    • mmap() now supports THP-aligned address space allocation.

    • virtio-mem now supports the memmap_on_memory feature, which enables fast memory scaling (scale-out and scale-in) for containers.

    • Merged several memory-related CVE patches.

  • Network

    • Fixed link group and link use-after-free issues.

    • Fixed an smc-r device lookup failure in container environments.

  • Storage

    • erofs

      • Merged several upstream fixes for the erofs file system.

      • Adds support for file-backed mounting and a 48-bit layout.

      • Adds sub-page block support for compressed files.

    • Merged upstream stable branch patches for components including ext4, block, blk-mq, and io_uring.

    • Added the virtio-blk passthrough feature, which provides passthrough capabilities for virtio-blk devices.

      • Added a generic character device, named /dev/vdXc0, for each virtio-blk block device. This allows users to send read/write commands directly to the virtio-blk driver layer by using the uring_cmd method provided by the io_uring framework.

      • Added support for bidirectional commands for virtio-blk devices. In a single vectored read/write operation on the same base sector address, you can specify the number of both write and read buffers. This allows a single I/O command to complete both a write and a subsequent read operation. Currently, only the write-then-read sequence is supported.

      • Introduced a virtio_ring extension for virtio-blk called 'ring_pair'. In this model, each hardware request queue of a virtio-blk device maps to two virtio_ring queues: a Submission Queue (SQ) and a Completion Queue (CQ). After a request is submitted, the driver can proactively reclaim the slots occupied by the submitted I/O command and use them to issue new requests. When the I/O operation is complete, the backend populates the CQ, and the driver harvests the completions. This feature requires backend support for the 'ring_pair' mode and currently supports only the vring split_queue+Indirect descriptor mode.

  • Drivers

    • The NVMe driver now supports batch completion handling for polled I/O commands.

    • Fixed multiple issues in the HiSilicon SAS driver for SCSI and in libsas.

    • Merged PCIe driver bugfix patches, addressing issues such as incorrect space size calculation and root bus assignment.

  • BPF

    Merged bugfix and CVE patches from the stable community.

  • Architecture

    Includes CVE-related fixes for the x86 architecture.

Bug fixes

  • Updated alinux-base-setup to alinux-base-setup-3.2-8.al8 to fix an issue where Kdump failed to generate dumps and grubby parameters had no effect on the ARM architecture.

  • Updated gdm to gdm-40.0-27.0.1.1.al8 to fix an issue where the desktop failed to wake up after the screen was locked.

  • Updated alinux-release to alinux-release-3.2104.12-1.al8 to update the End-User License Agreement (EULA) file for Alibaba Cloud Linux (Alinux).

  • Updated dump to dump-0.4-0.36.b46.3.al8 to fix an issue where the restore command failed after an incremental backup with dump.

  • Updated maven to maven-3.6.2-9.1.al8 to fix an issue where the mvn command could not be used immediately after installation on Alibaba Cloud Linux (Alinux) 3.

  • Updated grub2 to grub2-2.02-165.0.2.al8 to fix an issue where grub2 reported errors in TDX scenarios on Alibaba Cloud Linux (Alinux) 3.

Known issue

The virtio-blk passthrough feature introduces a generic character device for virtio-blk devices, which can cause detection issues in some user-space components.

Note

For a device such as /dev/vda, partitions start at 1. Therefore, /dev/vdac0 represents the character device for /dev/vda and is distinct from /dev/vdac. Additionally, /dev/vdac0 is a character device, not a block device. If you do not need this character channel, you can upgrade the kernel to kernel-5.10.134-19.1.al8 or later to prevent this interface from being exposed for virtio-blk cloud disks.

Alibaba Cloud Linux (Alinux) 3.2104 U11.1

Version

Image ID

Release date

Updates

Alibaba Cloud Linux (Alinux) 3.2104 U11.1

aliyun_3_x64_20G_alibase_20250117.vhd

2025-01-17

  • Updated the Alibaba Cloud Linux (Alinux) 3.2104 LTS 64-bit Base Image.

  • For details, see Updates.

aliyun_3_x64_20G_dengbao_alibase_20250117.vhd

2025-01-17

  • Updated the Alibaba Cloud Linux (Alinux) 3.2104 LTS 64-bit MLPS 2.0 Level 3 Edition Base Image.

  • For details, see Updates.

aliyun_3_arm64_20G_alibase_20250117.vhd

2025-01-17

  • Updated the Alibaba Cloud Linux (Alinux) 3.2104 LTS 64-bit for ARM Base Image.

  • For details, see Updates.

aliyun_3_arm64_20G_dengbao_alibase_20250117.vhd

2025-01-17

  • Updated the Alibaba Cloud Linux (Alinux) 3.2104 LTS 64-bit for ARM MLPS 2.0 Level 3 Edition Base Image.

  • For details, see Updates.

aliyun_3_x64_20G_container_optimized_20250117.vhd

2025-01-17

  • Updated the Alibaba Cloud Linux (Alinux) 3.2104 64-bit Container Optimized Edition Base Image.

  • For details, see Updates.

Updates

Security Updates

Package name

CVE ID

python-requests

CVE-2024-35195

cups

CVE-2024-47175

NetworkManager

CVE-2024-3661

Image

  • The loadmodules service is enabled by default.

  • The timedatex service is enabled by default.

2024

Alibaba Cloud Linux 3.2104 U11

Version

Image ID

Release date

Release highlights

Alibaba Cloud Linux 3.2104 U11

aliyun_3_x64_20G_alibase_20241218.vhd

2024-12-18

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit base image with the latest packages.

  • Kernel updated to 5.10.134-18.al8.x86_64.

  • For more information, see Updates.

aliyun_3_x64_20G_dengbao_alibase_20241218.vhd

2024-12-18

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit MLPS 2.0 Level 3 Edition base image with the latest packages.

  • Kernel updated to 5.10.134-18.al8.x86_64.

  • For more information, see Updates.

aliyun_3_arm64_20G_alibase_20241218.vhd

2024-12-18

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM base image with the latest packages.

  • Kernel updated to 5.10.134-18.al8.aarch64.

  • For more information, see Updates.

aliyun_3_arm64_20G_dengbao_alibase_20241218.vhd

2024-12-18

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM MLPS 2.0 Level 3 Edition base image with the latest packages.

  • Kernel updated to 5.10.134-18.al8.aarch64.

  • For more information, see Updates.

aliyun_3_x64_20G_container_optimized_20241226.vhd

2024-12-26

  • Added the Alibaba Cloud Linux 3.2104 LTS 64-bit Container Optimized Edition image.

  • Kernel updated to 5.10.134-18.al8.x86_64.

  • For more information, see Updates.

Updates

Security updates

Package name

CVE ID

Version

grafana

CVE-2024-47875

CVE-2024-9355

grafana-9.2.10-20.0.1.al8

java-11-openjdk

CVE-2023-48161

CVE-2024-21208

CVE-2024-21210

CVE-2024-21217

CVE-2024-21235

java-11-openjdk-11.0.25.0.9-2.0.1.1.al8

java-1.8.0-openjdk

CVE-2023-48161

CVE-2024-21208

CVE-2024-21210

CVE-2024-21217

CVE-2024-21235

java-1.8.0-openjdk-1.8.0.432.b06-2.0.2.1.al8

java-17-openjdk

CVE-2023-48161

CVE-2024-21208

CVE-2024-21210

CVE-2024-21217

CVE-2024-21235

java-17-openjdk-17.0.13.0.11-3.0.2.1.al8

NetworkManager-libreswan

CVE-2024-9050

NetworkManager-libreswan-1.2.10-7.0.1.al8

ansible-core

CVE-2024-0690

ansible-core-2.16.3-2.0.1.al8

krb5

CVE-2024-3596

krb5-1.18.2-30.0.1.al8

xorg-x11-server

CVE-2024-9632

xorg-x11-server-1.20.11-25.0.1.al8

xmlrpc-c

CVE-2024-45491

xmlrpc-c-1.51.0-10.0.1.al8

bzip2

CVE-2019-12900

bzip2-1.0.6-27.al8

bcc

CVE-2024-2314

bcc-0.25.0-9.0.1.al8

buildah

CVE-2024-9341

CVE-2024-9407

CVE-2024-9675

buildah-1.33.10-1.al8

libtiff

CVE-2024-7006

libtiff-4.4.0-12.0.3.al8

libsoup

CVE-2024-52530

CVE-2024-52532

libsoup-2.62.3-6.0.1.al8

gtk3

CVE-2024-6655

gtk3-3.24.31-5.0.2.1.al8

tigervnc

CVE-2024-9632

tigervnc-1.13.1-14.al8

emacs

CVE-2024-30203

CVE-2024-30204

CVE-2024-30205

emacs-27.2-10.0.1.al8

squid

CVE-2024-23638

CVE-2024-45802

squid-4.15-13.al8.3

gnome-shell-extensions

CVE-2024-36472

gnome-shell-extensions-40.7-19.0.1.al8

gnome-shell

CVE-2024-36472

gnome-shell-40.10-21.al8

osbuild-composer

CVE-2024-34156

osbuild-composer-118-2.0.1.al8

expat

CVE-2024-50602

expat-2.2.5-16.al8

iperf3

CVE-2023-7250

CVE-2024-26306

iperf3-3.9-13.al8

lldpd

CVE-2020-27827

CVE-2021-43612

CVE-2023-41910

lldpd-1.0.18-4.0.1.al8

xorg-x11-server-Xwayland

CVE-2024-31080

CVE-2024-31081

CVE-2024-31083

xorg-x11-server-Xwayland-23.2.7-1.al8

bpftrace

CVE-2024-2313

bpftrace-0.16.0-8.al8

perl-Convert-ASN1

CVE-2013-7488

perl-Convert-ASN1-0.27-17.1.0.1.al8

podman

CVE-2021-33198

CVE-2021-4024

CVE-2024-9676

podman-4.9.4-18.0.1.al8

grafana-pcp

CVE-2024-9355

grafana-pcp-5.1.1-9.0.1.al8

buildah

CVE-2021-33198

CVE-2021-4024

CVE-2024-9676

buildah-1.33.11-1.al8

python-podman

CVE-2021-33198

CVE-2021-4024

CVE-2024-9676

python-podman-4.9.0-3.al8

golang

CVE-2024-24790

golang-1.22.7-1.0.2.al8

delve

CVE-2024-24790

delve-1.22.1-1.0.2.al8

go-toolset

CVE-2024-24790

go-toolset-1.22.7-1.al8

pam

CVE-2024-10041

CVE-2024-10963

pam-1.3.1-36.al8

perl-App-cpanminus

CVE-2024-45321

perl-App-cpanminus-1.7044-6.al8

postgresql

CVE-2024-10976

CVE-2024-10978

CVE-2024-10979

postgresql-13.18-1.0.1.al8

python3

CVE-2024-11168

CVE-2024-9287

python3-3.6.8-69.0.1.1.al8

python3.11-cryptography

CVE-2023-49083

python3.11-cryptography-37.0.2-6.0.1.al8

python3.11-setuptools

CVE-2024-6345

python3.11-setuptools-65.5.1-3.al8

python3.11-pip

CVE-2007-4559

python3.11-pip-22.3.1-5.al8

python3.11

CVE-2024-9287

python3.11-3.11.11-1.0.1.al8

php

CVE-2023-0567

CVE-2023-0568

CVE-2023-3247

CVE-2023-3823

CVE-2023-3824

CVE-2024-2756

CVE-2024-3096

CVE-2024-5458

CVE-2024-8925

CVE-2024-8927

CVE-2024-9026

php-7.4.33-2.0.1.al8

pcs

CVE-2024-21510

pcs-0.10.18-2.0.1.1.al8.3

Package updates

New features

  • Support for confidential computing on AMD and NVIDIA GPUs.

  • Optimized the performance of the lscpu command on large-scale PCIe devices by using util-linux-2.32.1-46.0.3.al8.

  • Implemented container storage by using erofs-utils-1.8.2-1.al8.

  • Updated java-11-alibaba-dragonwell-11.0.24.21.21-1.1.al8 to optimize the BigDecimal class for better performance in big data scenarios.

  • Updated java-21-alibaba-dragonwell-21.0.4.0.4-1.1.al8 to improve Java performance.

  • Added the system-rpm-config-129-1.0.2.1.al8 component to provide system macro variable configurations.

Important updates

Kernel

The kernel is updated to 5.10.134-18.al8.

  • New hardware support

    • Official support for the Intel GNR platform.

    • Official support for the AMD Turin platform.

  • Scheduling

    Added support for CPU SLI on cgroup v2, which includes container-level data such as cpuusage and loadavg.

  • Memory

    • Fixed multiple memory-related issues and backported memory bugfixes from multiple kernel-5.10 stable branches.

    • The pgtable_share feature is disabled by default.

    • Added support for the direct collapse mode for huge pages in the code segment to quickly consolidate huge pages upon a page fault.

    • Backported the percpu chunk release optimization patch set to prevent chunk release failures caused by percpu fragmentation.

  • Network

    • Optimized the RSS logic of virtio_net to align the RSS configuration with the device and ensure correct updates as the number of queues changes.

    • Added support for 200 G and 400 G rates for the bond 3ad mode.

  • Storage

    • io_uring

      • Fixed a race condition that occurs when percpu sqthreads are created concurrently.

      • Added a validity check for the CPU configured when enabling percpu sqthread.

      • Backported patches from the community stable branch to improve code quality.

    • fuse/virtio-fs

      • Added support for resending pending requests.

      • Added support for multiple queues to optimize fuse performance.

      • Optimized read/write separation to prevent a large number of write requests from blocking read requests.

      • Added support for the failover feature. After an exception is rectified, a fuse daemon can reconnect to the original fuse connection by performing an attach operation and then resend requests to complete fault recovery.

      • Added support for 4 MB write alignment to optimize performance.

      • Fixed an IO hang issue that occurs when virtio-fs loads a module that is larger than 4 MB.

      • Added tag and queue mapping sysfs interfaces to virtio-fs.

      • Backported patches from the community stable branch to improve code quality.

    • erofs

      • Fixed the UUID issue in erofs_statfs() and optimized the DEFLATE stream allocation logic.

      • Backported patches from the community stable branch to improve code quality.

    • ext4

      • Optimized the cleanup logic for EXT4_GROUP_INFO_WAS_TRIMMED_BIT.

      • Backported patches from the community stable branch to improve code quality.

    • xfs

      • Optimized the reflink performance jitter caused by a potential blockage of tens of milliseconds in xfs_log_force().

      • Fixed a compilation error caused by disabling CONFIG_FS_DAX.

      • i_blocks is now checked correctly when the atomic write feature is enabled.

    • block

      • Fixed an IO hang issue that occurs on the mq-deadline scheduler in a multi-hardware queue device.

      • Fixed an issue where block throttling did not work as expected because the bps throttling calculation produced a negative value when the block throttling configuration was updated.

      • Removed the blk-mq "running from the wrong CPU" alert.

      • Backported patches from the community stable branch to improve code quality.

    • misc

      Backported patches from the community stable branch for modules such as vfs, quota, overlayfs, nfs, cifs, ceph, dm/md, null_blk, nbd, loop, and virtio-blk to improve code quality.

  • Drivers

    • Backported watchdog driver-related fixes from kernel-5.10 LTS to improve stability.

    • The NVMe driver supports the latest activation solution for Alibaba Cloud disks.

    • Backported NVMe driver-related fixes from kernel-5.10 LTS to improve stability.

    • Backported SCSI-related fixes from kernel-5.10 LTS to improve stability.

    • Backported ATA-related fixes from kernel-5.10 LTS to improve stability.

    • Introduced the sig_enforce_subsys parameter to support mandatory verification of module signatures in the block, net, and GPU subsystems.

    • Merged a large number of txgbe and txgbevf fixes into the network card driver to improve code quality and stability.

  • Perf

    Fixed a pointer memory leak issue in the perf tool caused by backporting patches from the stable branch to resolve a coredump failure.

  • BPF

    • Added support for atomic operations in Berkeley Packet Filter (BPF) programs.

    • Backported community stable and bugfix patches.

  • Architecture x86

    • Added support for C-states on the Intel GNR platform.

    • Added support for P-states on the EMR and GNR platforms.

    • Updated intel-speed-select to v1.20 to support new platforms.

    • Added support for passing through the PEBS feature to virtual machines.

    • Applied x86 bugfix for ACPI, APIC, power consumption, and PMU to other architectures or systems.

    • Upgraded turbostat to 2023.11.07 to support more features.

    • Added support for SPR and EMR CXL PMON.

    • Added support for AMD c2c.

    • Added support for AMD HSMP.

    • Added AMD IBRS enhancements.

    • Added support for AMD ABMC.

Bug fixes

Packages

  • systemd-239-82.0.3.4.al8.2 fixes an issue where, with Delegate=yes set, systemd reclaimed a non-device cgroup subgroup within 20 seconds, causing a pod to exit unexpectedly and the deployment to fail.

  • Fixed a memory leak issue by using ledmon-0.97-1.0.2.al8.

  • Improved data access efficiency on the Yitian platform by using tuned-2.22.1-5.0.1.1.al8.

  • Fixed an issue where some components failed to be installed on the mirror.

Images

  • Modified the crashkernel value of the x86 image to resolve an issue where vmcore cannot be generated.

  • Changed the default value of /sys/kernel/mm/transparent_hugepage/defrag to defer to improve the memory reclamation speed in transparent huge page scenarios.

Alibaba Cloud Linux 3.2104 U10.1

| Version | Image ID | Release date | Release highlights |
| --- | --- | --- | --- |
| Alibaba Cloud Linux 3.2104 U10.1 | aliyun_3_x64_20G_alibase_20241103.vhd | 2024-11-03 | Updates the Alibaba Cloud Linux 3.2104 LTS 64-bit base image with the latest packages. Upgrades the Kernel to 5.10.134-17.3.al8.x86_64. For more information, see Update details. |
| Alibaba Cloud Linux 3.2104 U10.1 | aliyun_3_x64_20G_dengbao_alibase_20241103.vhd | 2024-11-03 | Updates the Alibaba Cloud Linux 3.2104 LTS 64-bit MLPS 2.0 Level 3 Edition base image with the latest packages. Upgrades the Kernel to 5.10.134-17.3.al8.x86_64. For more information, see Update details. |
| Alibaba Cloud Linux 3.2104 U10.1 | aliyun_3_arm64_20G_alibase_20241103.vhd | 2024-11-03 | Updates the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM base image with the latest packages. Upgrades the Kernel to 5.10.134-17.3.al8.aarch64. For more information, see Update details. |
| Alibaba Cloud Linux 3.2104 U10.1 | aliyun_3_arm64_20G_dengbao_alibase_20241103.vhd | 2024-11-03 | Updates the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM MLPS 2.0 Level 3 Edition base image with the latest packages. Upgrades the Kernel to 5.10.134-17.3.al8.aarch64. For more information, see Update details. |

Update details

Security updates

| Package name | CVE ID | Version |
| --- | --- | --- |
| buildah | CVE-2023-45290, CVE-2024-1394, CVE-2024-3727, CVE-2024-6104, CVE-2024-24783, CVE-2024-24784, CVE-2024-24789, CVE-2024-37298 | buildah-1.33.8-4.al8 |
| containernetworking-plugins | CVE-2023-45290, CVE-2024-1394, CVE-2024-3727, CVE-2024-6104, CVE-2024-24783, CVE-2024-24784, CVE-2024-24789, CVE-2024-37298 | containernetworking-plugins-1.4.0-5.0.1.al8 |
| containers-common | CVE-2023-45290, CVE-2024-1394, CVE-2024-3727, CVE-2024-6104, CVE-2024-24783, CVE-2024-24784, CVE-2024-24789, CVE-2024-37298 | containers-common-1-82.0.1.al8 |
| podman | CVE-2023-45290, CVE-2024-1394, CVE-2024-3727, CVE-2024-6104, CVE-2024-24783, CVE-2024-24784, CVE-2024-24789, CVE-2024-37298 | podman-4.9.4-12.0.1.al8 |
| python-podman | CVE-2023-45290, CVE-2024-1394, CVE-2024-3727, CVE-2024-6104, CVE-2024-24783, CVE-2024-24784, CVE-2024-24789, CVE-2024-37298 | python-podman-4.9.0-2.al8 |
| runc | CVE-2023-45290, CVE-2024-1394, CVE-2024-3727, CVE-2024-6104, CVE-2024-24783, CVE-2024-24784, CVE-2024-24789, CVE-2024-37298 | runc-1.1.12-4.0.1.al8 |
| skopeo | CVE-2023-45290, CVE-2024-1394, CVE-2024-3727, CVE-2024-6104, CVE-2024-24783, CVE-2024-24784, CVE-2024-24789, CVE-2024-37298 | skopeo-1.14.5-3.0.1.al8 |
| httpd | CVE-2023-27522 | httpd-2.4.37-65.0.1.al8.2 |
| git-lfs | CVE-2023-45288, CVE-2023-45289, CVE-2023-45290, CVE-2024-24783 | git-lfs-3.4.1-2.0.1.al8 |
| bind | CVE-2024-1975, CVE-2024-1737 | bind-9.11.36-16.0.1.al8 |
| python-setuptools | CVE-2024-6345 | python-setuptools-39.2.0-8.al8.1 |
| less | CVE-2022-48624, CVE-2024-32487 | less-530-3.0.1.al8 |
| java-17-openjdk | CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21144, CVE-2024-21145, CVE-2024-21147 | java-17-openjdk-17.0.12.0.7-2.0.2.1.al8 |
| java-11-openjdk | CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21144, CVE-2024-21145, CVE-2024-21147 | java-11-openjdk-11.0.24.0.8-3.0.2.1.al8 |
| postgresql | CVE-2024-7348 | postgresql-13.16-1.0.1.al8 |
| flatpak | CVE-2024-42472 | flatpak-1.12.9-3.al8 |
| bubblewrap | CVE-2024-42472 | bubblewrap-0.4.0-2.2.al8 |
| java-1.8.0-openjdk | CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21144, CVE-2024-21145, CVE-2024-21147 | java-1.8.0-openjdk-1.8.0.422.b05-2.0.2.1.al8 |
| fence-agents | CVE-2024-6345 | fence-agents-4.10.0-62.0.2.al8.4 |
| pcp | CVE-2024-45769, CVE-2024-45770 | pcp-5.3.7-22.0.1.al8 |
| delve | CVE-2024-24791, CVE-2024-34155, CVE-2024-34156, CVE-2024-34158 | delve-1.21.2-4.0.1.al8 |
| golang | CVE-2024-24791, CVE-2024-34155, CVE-2024-34156, CVE-2024-34158 | golang-1.21.13-2.0.1.al8 |
| go-toolset | CVE-2024-24791, CVE-2024-34155, CVE-2024-34156, CVE-2024-34158 | go-toolset-1.21.13-1.al8 |
| edk2 | CVE-2023-45236, CVE-2023-45237, CVE-2024-1298 | edk2-20220126gitbb1bba3d77-13.0.1.al8.2 |
| curl | CVE-2024-2398 | curl-7.61.1-35.0.2.al8 |
| libvpx | CVE-2023-6349, CVE-2024-5197 | libvpx-1.7.0-11.0.1.al8 |
| resource-agents | CVE-2024-37891, CVE-2024-6345 | resource-agents-4.9.0-54.al8.4 |
| 389-ds-base | CVE-2024-5953 | 389-ds-base-1.4.3.39-8.0.1.al8 |
| python-urllib3 | CVE-2024-37891 | python-urllib3-1.24.2-8.al8 |
| pcs | CVE-2024-41123, CVE-2024-41946, CVE-2024-43398 | pcs-0.10.18-2.0.1.1.al8.2 |
| grafana | CVE-2024-24788, CVE-2024-24789, CVE-2024-24790 | grafana-9.2.10-17.0.1.al8 |
| libuv | CVE-2024-24806 | libuv-1.42.0-2.al8 |
| c-ares | CVE-2024-25629 | c-ares-1.13.0-11.al8 |
| xmlrpc-c | CVE-2023-52425 | xmlrpc-c-1.51.0-9.0.1.al8 |
| yajl | CVE-2022-24795, CVE-2023-33460 | yajl-2.1.0-13.0.1.al8 |
| wpa_supplicant | CVE-2023-52160 | wpa_supplicant-2.10-2.al8 |
| cups | CVE-2024-35235 | cups-2.2.6-60.0.1.al8 |
| linux-firmware | CVE-2023-31346 | linux-firmware-20240610-122.git90df68d2.al8 |
| wget | CVE-2024-38428 | wget-1.19.5-12.0.1.al8 |
| poppler | CVE-2024-6239 | poppler-20.11.0-12.0.1.al8 |
| krb5 | CVE-2024-37370, CVE-2024-37371 | krb5-1.18.2-29.0.1.al8 |
| git-lfs | CVE-2024-34156 | git-lfs-3.4.1-3.0.1.al8 |
| libreoffice | CVE-2024-3044, CVE-2024-6472 | libreoffice-7.1.8.1-12.0.2.1.al8.1 |
| orc | CVE-2024-40897 | orc-0.4.28-4.al8 |
| jose | CVE-2023-50967, CVE-2024-28176 | jose-10-2.3.al8.3 |
| openssh | CVE-2020-15778, CVE-2023-48795, CVE-2023-51385 | openssh-8.0p1-25.0.1.1.al8 |
| libnbd | CVE-2024-3446, CVE-2024-7383, CVE-2024-7409 | libnbd-1.6.0-6.0.1.al8 |
| qemu-kvm | CVE-2024-3446, CVE-2024-7383, CVE-2024-7409 | qemu-kvm-6.2.0-53.0.1.al8 |
| libvirt | CVE-2024-3446, CVE-2024-7383, CVE-2024-7409 | libvirt-8.0.0-23.2.0.2.al8 |
| osbuild-composer | CVE-2024-34156 | osbuild-composer-101-2.0.1.al8 |
| libreswan | CVE-2024-3652 | libreswan-4.12-2.0.2.al8.4 |
| mod_auth_openidc | CVE-2024-24814 | mod_auth_openidc-2.4.9.4-6.al8 |
| podman | CVE-2023-45290, CVE-2024-24783, CVE-2024-24784, CVE-2024-24788, CVE-2024-24791 | podman-4.9.4-13.0.1.al8 |
| ghostscript | CVE-2024-29510, CVE-2024-33869, CVE-2024-33870 | ghostscript-9.54.0-18.al8 |
| emacs | CVE-2024-39331 | emacs-27.2-9.0.3.al8 |
| dovecot | CVE-2024-23184, CVE-2024-23185 | dovecot-2.3.16-5.0.1.al8 |
| expat | CVE-2024-45490, CVE-2024-45491, CVE-2024-45492 | expat-2.2.5-13.0.1.al8 |
| glib2 | CVE-2024-34397 | glib2-2.68.4-14.0.2.al8 |
| python-idna | CVE-2024-3651 | python-idna-2.5-7.al8 |
| openldap | CVE-2023-2953 | openldap-2.4.46-19.al8 |
| python-pillow | CVE-2024-28219 | python-pillow-5.1.1-21.al8 |
| nghttp2 | CVE-2024-28182 | nghttp2-1.33.0-6.0.1.al8.1 |
| python-jinja2 | CVE-2024-34064 | python-jinja2-2.10.1-3.0.3.al8 |
| opencryptoki | CVE-2024-0914 | opencryptoki-3.22.0-3.al8 |
| gdk-pixbuf2 | CVE-2021-44648, CVE-2021-46829, CVE-2022-48622 | gdk-pixbuf2-2.42.6-4.0.1.al8 |
| rear | CVE-2024-23301 | rear-2.6-13.0.1.al8 |
| grub2 | CVE-2023-4692, CVE-2023-4693, CVE-2024-1048 | grub2-2.02-150.0.2.al8 |
| nss | CVE-2023-5388, CVE-2023-6135 | nss-3.101.0-7.0.1.al8 |
| gnutls | CVE-2024-0553, CVE-2024-28834 | gnutls-3.6.16-8.0.1.al8.3 |
| python3 | CVE-2024-4032, CVE-2024-6232, CVE-2024-6923 | python3-3.6.8-67.0.1.2.al8 |
| grafana | CVE-2024-24791 | grafana-9.2.10-18.0.1.al8 |
| cups-filters | CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47850 | cups-filters-1.20.0-35.0.1.al8 |
| linux-firmware | CVE-2023-20584, CVE-2023-31315, CVE-2023-31356 | linux-firmware-20240827-124.git3cff7109.al8 |
| golang | CVE-2024-9355 | golang-1.21.13-3.0.1.al8 |
| openssl | CVE-2024-5535 | openssl-1.1.1k-14.0.1.al8 |
| nano | CVE-2024-5742 | nano-2.9.8-2.0.1.al8 |
| runc | CVE-2023-45290, CVE-2024-34155, CVE-2024-34156, CVE-2024-34158 | runc-1.1.12-5.0.1.al8 |
| OpenIPMI | CVE-2024-42934 | OpenIPMI-2.0.32-5.0.1.al8 |
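The Version column of the security updates table above gives the fixed build for each package, so an instance can be checked by comparing its installed builds against that column using RPM's version ordering. The following is an added example, not code from Alibaba Cloud: the function names are illustrative, the installed inventory is constructed, only a subset of the table rows is embedded, and epochs are assumed equal because the table does not list them.

```python
import re

# rpmvercmp segments: a run of digits, a run of ASCII letters, or a tilde.
# Every other character is a separator and is skipped.
TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|~")

# Fixed builds copied from the Version column above (a subset of the rows).
# podman and runc appear twice in the table; the newest fixed build wins.
FIXED = [
    "openssh-8.0p1-25.0.1.1.al8",
    "podman-4.9.4-12.0.1.al8",
    "podman-4.9.4-13.0.1.al8",
    "runc-1.1.12-4.0.1.al8",
    "runc-1.1.12-5.0.1.al8",
    "edk2-20220126gitbb1bba3d77-13.0.1.al8.2",
    "java-1.8.0-openjdk-1.8.0.422.b05-2.0.2.1.al8",
    "openssl-1.1.1k-14.0.1.al8",
    "curl-7.61.1-35.0.2.al8",
]

# Constructed inventory, in the form printed by:
#   rpm -qa --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\n'
INSTALLED = [
    "openssh-8.0p1-20.0.1.al8",
    "podman-4.9.4-12.0.1.al8",
    "runc-1.1.12-5.0.1.al8",
    "edk2-20220126gitbb1bba3d77-13.0.1.al8",
    "java-1.8.0-openjdk-1.8.0.422.b05-2.0.2.1.al8",
    "openssl-1.1.1k-14.0.1.al8",
    "curl-7.61.1-35.0.3.al8",
    "bash-4.4.20-5.al8",
]


def rpmvercmp(a, b):
    """Return 1 if a is newer than b, -1 if older, 0 if equal.

    Implements the segment rules of RPM's rpmvercmp, including tilde
    (pre-release) ordering; caret ordering is not implemented.
    """
    if a == b:
        return 0
    ta, tb = TOKEN.findall(a), TOKEN.findall(b)
    k = 0
    while True:
        x = ta[k] if k < len(ta) else None
        y = tb[k] if k < len(tb) else None
        # A tilde sorts before everything, including the end of the string.
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            k += 1
            continue
        if x is None or y is None:
            break
        if x.isdigit() != y.isdigit():
            # Mixed segment types: the numeric segment is the newer one.
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)  # numeric compare, so 10 sorts after 9
        if x != y:
            return 1 if x > y else -1
        k += 1
    if x is None and y is None:
        return 0
    # Whichever string still has segments left is the newer one.
    return 1 if x is not None else -1


def split_nvr(nvr):
    """Split name-version-release; the name itself may contain dashes."""
    name, version, release = nvr.strip().rsplit("-", 2)
    return name, version, release


def cmp_vr(a, b):
    """Compare (version, release) pairs: version first, then release."""
    return rpmvercmp(a[0], b[0]) or rpmvercmp(a[1], b[1])


def audit(installed_nvrs, fixed_nvrs):
    """Return (name, installed, fixed) for builds older than the fixed build."""
    best = {}
    for nvr in fixed_nvrs:
        name, v, r = split_nvr(nvr)
        if name not in best or cmp_vr((v, r), best[name]) > 0:
            best[name] = (v, r)
    stale = []
    for nvr in installed_nvrs:
        name, v, r = split_nvr(nvr)
        if name in best and cmp_vr((v, r), best[name]) < 0:
            stale.append((name, f"{v}-{r}", "-".join(best[name])))
    return sorted(stale)


if __name__ == "__main__":
    for name, have, want in audit(INSTALLED, FIXED):
        print(f"{name}: installed {have} is older than fixed build {want}")
```

Packages that are not in the embedded baseline are ignored, so a clean result only covers the rows that were copied into FIXED.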

Package updates

New features

  • Adds the libyang2 component.

  • Updates keentuned and keentune-target to version 3.1.1.

    • Adds a tuning option to modify the number of network interface queues.

    • Adds a tuning option to modify priority control.

    • Removes the file-max and scheduler tuning options.

    • Removes insecure command execution.

  • Adds four API components for keentuned: keentune-bench, keentune-brain, keentune-ui, and keenopt.

  • Updates tcprt to version 1.1.0 to enhance TCP monitoring capabilities.

  • Updates Node.js to 20.16, providing a version 20 baseline for the ACR Artifacts Center.

  • Upgrades erofs-utils to 1.8.2, fixing bugs and enhancing EROFS support.

Important updates

Kernel

The Kernel is upgraded to version 5.10.134-17.3.al8.

  • Anolis-specific features

    • Shared Memory Communications (SMC)

      • Introduces the AutoSplit feature to optimize large-packet transmission delay.

      • Allows connections in an SMC Link Group to exclusively use an RDMA QP.

      • Introduces shared memory watermark control.

      • Introduces data dump capabilities at the SMC layer.

    • swiotlb

      Introduces the swiotlb=any Kernel command-line parameter to support reserving swiotlb in the entire memory space.

  • Upstream features

    • Backports sysctl settings related to SMC Limited Handshake.

    • Backports Shared Memory usage statistics for SMC LGR and net namespaces.

  • TDX

    • Introduces a TDX Guest RTMR update interface to add custom measurements for Remote Attestation.

    • Introduces the ECDSA algorithm module.

Bug fixes

  • Addresses slow lscpu command execution on clusters with a large number of PCI devices by updating to util-linux-2.32.1-46.0.3.al8.

  • Resolves an issue with missing time zone files during migration by updating tzdata to 2024a-1.0.1.6.al8.

  • Fixes issues in the SMC module, including division-by-zero errors and memory leaks.

  • Fixes a bug in the ftrace subsystem that could cause a system crash when multiple security software products were running concurrently.

  • Fixes a potential out-of-bounds memory access issue when using uprobe.

Alibaba Cloud Linux (Alinux) 3.2104 U10

| Version | Image ID | Release date | Updates |
| --- | --- | --- | --- |
| Alibaba Cloud Linux 3.2104 U10 | aliyun_3_x64_20G_alibase_20240819.vhd | 2024-08-19 | Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit base image to the latest software version. Updated the kernel to 5.10.134-17.2.al8.x86_64. For details, see Updates. |
| Alibaba Cloud Linux 3.2104 U10 | aliyun_3_x64_20G_dengbao_alibase_20240819.vhd | 2024-08-19 | Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit MLPS 2.0 Level 3 base image to the latest software version. Updated the kernel to 5.10.134-17.2.al8.x86_64. For details, see Updates. |
| Alibaba Cloud Linux 3.2104 U10 | aliyun_3_arm64_20G_alibase_20240819.vhd | 2024-08-19 | Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM base image to the latest software version. Updated the kernel to 5.10.134-17.2.al8.aarch64. For details, see Updates. |
| Alibaba Cloud Linux 3.2104 U10 | aliyun_3_arm64_20G_dengbao_alibase_20240819.vhd | 2024-08-19 | Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM MLPS 2.0 Level 3 base image to the latest software version. Updated the kernel to 5.10.134-17.2.al8.aarch64. For details, see Updates. |

Updates

This topic describes the updates in the 20240527 version of the Alibaba Cloud Linux 3.2104 LTS 64-bit public image.

Updates

The 20240527 version of the Alibaba Cloud Linux 3.2104 LTS 64-bit public image includes the following updates:

Security updates

  • The Linux Kernel has been upgraded to version 5.10.134-16.

  • Software packages have been updated to fix security vulnerabilities and enhance system stability.

Bug fixes

This version contains no bug fixes.

Known issues

An issue persists where Alibaba Cloud Message Queue for Apache RocketMQ 5.x clients fail to start on confidential computing virtual machines (VMs) of the g8y, c8y, and r8y Instance Families running Alibaba Cloud Linux 3. To work around this, create an Elastic Compute Service (ECS) instance from a non-confidential computing Instance Family when using the client in an aarch64 environment.

| Package | CVE ID | Version |
| --- | --- | --- |
| adwaita-qt | CVE-2023-32573, CVE-2023-33285, CVE-2023-34410, CVE-2023-37369, CVE-2023-38197 | 1.4.2-1.al8 |
| apr | CVE-2022-24963 | 1.7.0-12.al8 |
| avahi | CVE-2021-3468, CVE-2023-1981, CVE-2023-38469, CVE-2023-38470, CVE-2023-38471, CVE-2023-38472, CVE-2023-38473 | 0.7-21.0.1.al8.1 |
| bind | CVE-2023-4408, CVE-2023-50387, CVE-2023-50868 | 9.11.36-14.0.1.al8 |
| c-ares | CVE-2020-22217, CVE-2023-31130 | 1.13.0-9.al8.1 |
| cockpit | CVE-2024-2947 | 310.4-1.al8 |
| cups | CVE-2023-32324, CVE-2023-34241 | 2.2.6-54.0.1.al8 |
| cups-filters | CVE-2023-24805 | 1.20.0-32.0.1.al8 |
| curl | CVE-2023-38546 | 7.61.1-34.0.1.al8 |
| device-mapper-multipath | CVE-2022-41973 | 0.8.4-39.0.2.al8 |
| dhcp | CVE-2023-4408, CVE-2023-50387, CVE-2023-50868 | 4.3.6-50.0.1.al8 |
| dnsmasq | CVE-2023-50387, CVE-2023-50868 | 2.79-32.0.1.al8 |
| edk2 | CVE-2022-36763, CVE-2022-36764, CVE-2022-36765, CVE-2023-3446, CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235 | 20220126gitbb1bba3d77-13.0.1.al8 |
| expat | CVE-2023-52425 | 2.2.5-13.al8 |
| evolution-mapi | CVE-2022-1615, CVE-2022-2127, CVE-2023-34966, CVE-2023-34967, CVE-2023-34968 | 3.40.1-6.al8 |
| flatpak | CVE-2023-28100, CVE-2023-28101, CVE-2024-32462 | 1.12.9-1.al8 |
| frr | CVE-2023-31490, CVE-2023-41358, CVE-2023-41909, CVE-2023-46752, CVE-2023-46753 | 7.5.1-16.0.4.al8 |
| fwupd | CVE-2022-3287 | 1.7.8-2.0.1.al8 |
| ghostscript | CVE-2024-33871 | 9.54.0-16.al8 |
| git | CVE-2024-32002, CVE-2024-32004, CVE-2024-32020, CVE-2024-32021, CVE-2024-32465 | 2.43.5-1.0.1.al8 |
| glib2 | CVE-2023-29499, CVE-2023-32611, CVE-2023-32665 | 2.68.4-11.al8 |
| gmp | CVE-2021-43618 | 6.2.0-13.0.1.al8 |
| gnutls | CVE-2023-5981 | 3.6.16-8.0.2.al8 |
| grafana | CVE-2024-1313, CVE-2024-1394 | 9.2.10-16.0.1.al8 |
| grafana-pcp | CVE-2024-1394 | 5.1.1-2.0.1.al8 |
| gstreamer1-plugins-bad-free | CVE-2023-40474, CVE-2023-40475, CVE-2023-40476, CVE-2023-50186 | 1.22.1-4.0.1.al8 |
| gstreamer1-plugins-base | CVE-2023-37328 | 1.22.1-2.0.1.al8 |
| gstreamer1-plugins-good | CVE-2023-37327 | 1.16.1-4.al8 |
| harfbuzz | CVE-2023-25193 | 2.7.4-10.0.1.al8 |
| httpd | CVE-2023-31122, CVE-2023-45802, CVE-2024-27316 | 2.4.37-64.0.1.al8 |
| mod_http2 | CVE-2023-31122, CVE-2023-45802, CVE-2024-27316 | 1.15.7-10.al8 |
| java-1.8.0-openjdk | CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20926, CVE-2024-20945, CVE-2024-20952, CVE-2024-21011, CVE-2024-21068, CVE-2024-21085, CVE-2024-21094 | 1.8.0.412.b08-2.0.1.1.al8 |
| java-11-openjdk | CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20926, CVE-2024-20945, CVE-2024-20952, CVE-2024-21011, CVE-2024-21012, CVE-2024-21068, CVE-2024-21085, CVE-2024-21094 | 11.0.23.0.9-3.0.1.1.al8 |
| libfastjson | CVE-2020-12762 | 0.99.9-5.al8 |
| libjpeg-turbo | CVE-2021-29390 | 2.0.90-7.0.1.al8 |
| liblouis | CVE-2023-26767, CVE-2023-26768, CVE-2023-26769 | 3.16.1-5.al8 |
| libmicrohttpd | CVE-2023-27371 | 0.9.59-3.al8 |
| libpq | CVE-2022-41862 | 13.11-1.0.1.al8 |
| librabbitmq | CVE-2023-35789 | 0.11.0-7.0.1.al8 |
| libreoffice | CVE-2022-26305, CVE-2022-26306, CVE-2022-26307, CVE-2022-3140, CVE-2022-38745, CVE-2023-0950, CVE-2023-1183, CVE-2023-2255, CVE-2023-6185, CVE-2023-6186 | 7.1.8.1-12.0.1.1.al8.1 |
| libreswan | CVE-2023-2295, CVE-2023-30570, CVE-2023-38710, CVE-2023-38711, CVE-2023-38712 | 4.12-2.0.2.al8 |
| libsndfile | CVE-2022-33065 | 1.0.28-13.0.2.al8 |
| libssh | CVE-2023-48795, CVE-2023-6004, CVE-2023-6918 | 0.9.6-12.al8 |
| libtiff | CVE-2022-2056, CVE-2022-2057, CVE-2022-2058, CVE-2022-2519, CVE-2022-2520, CVE-2022-2521, CVE-2022-2867, CVE-2022-2868, CVE-2022-2953, CVE-2022-3627, CVE-2022-3970, CVE-2022-48281, CVE-2023-0795, CVE-2023-0796, CVE-2023-0797, CVE-2023-0798, CVE-2023-0799, CVE-2023-0800, CVE-2023-0801, CVE-2023-0802, CVE-2023-0803, CVE-2023-0804, CVE-2023-26965, CVE-2023-26966, CVE-2023-2731, CVE-2023-3316, CVE-2023-3576, CVE-2022-40090, CVE-2023-3618, CVE-2023-40745, CVE-2023-41175, CVE-2023-6228 | 4.4.0-12.0.1.al8 |
| libvirt | CVE-2021-3750, CVE-2023-3019, CVE-2023-3301, CVE-2023-3255, CVE-2023-5088, CVE-2023-6683, CVE-2023-6693, CVE-2024-2494 | 8.0.0-23.1.0.1.al8 |
| qemu-kvm | CVE-2021-3750, CVE-2023-3019, CVE-2023-3301, CVE-2023-3255, CVE-2023-5088, CVE-2023-6683, CVE-2023-6693, CVE-2024-2494 | 6.2.0-49.0.1.al8 |
| libX11 | CVE-2023-43785, CVE-2023-43786, CVE-2023-43787, CVE-2023-3138 | 1.7.0-9.al8 |
| libxml2 | CVE-2023-39615, CVE-2024-25062 | 2.9.7-18.0.3.al8 |
| libXpm | CVE-2023-43788, CVE-2023-43789 | 3.5.13-10.0.1.al8 |
| linux-firmware | CVE-2022-46329, CVE-2023-20569, CVE-2023-20592 | 20240111-121.gitb3132c18.al8 |
| motif | CVE-2023-43788, CVE-2023-43789 | 2.3.4-20.al8 |
| openchange | CVE-2022-2127, CVE-2023-34966, CVE-2023-34967, CVE-2023-34968 | 2.3-32.0.1.al8 |
| opensc | CVE-2023-40660, CVE-2023-40661, CVE-2023-5992, CVE-2023-2977 | 0.20.0-7.0.1.al8 |
| openssh | CVE-2023-51385 | 8.0p1-20.0.1.al8 |
| openssl | CVE-2023-3446, CVE-2023-3817, CVE-2023-5678 | 1.1.1k-12.0.1.al8 |
| pam | CVE-2024-22365 | 1.3.1-28.al8 |
| pcp | CVE-2024-3019 | 5.3.7-20.0.1.al8 |
| perl-HTTP-Tiny | CVE-2023-31486 | 0.074-2.0.1.al8.1 |
| pixman | CVE-2022-44638 | 0.40.0-6.al8 |
| pmix | CVE-2023-41915 | 3.2.3-5.al8 |
| poppler | CVE-2020-36024 | 20.11.0-10.0.2.al8 |
| postgresql-jdbc | CVE-2024-1597 | 42.2.14-3.al8 |
| procps-ng | CVE-2023-4016 | 3.3.15-14.0.1.al8 |
| protobuf-c | CVE-2022-48468 | 1.3.0-7.al8 |
| python-cryptography | CVE-2023-23931 | 3.2.1-7.al8 |
| python-dns | CVE-2023-29483 | 1.15.0-12.al8 |
| python-pillow | CVE-2023-50447, CVE-2023-44271 | 5.1.1-20.al8 |
| python-pip | CVE-2007-4559 | 9.0.3-23.0.1.al8.1 |
| python3 | CVE-2007-4559, CVE-2022-48560, CVE-2022-48564, CVE-2023-27043, CVE-2023-40217, CVE-2023-6597, CVE-2024-0450 | 3.6.8-62.0.1.2.al8 |
| qt5-qtbase | CVE-2023-33285, CVE-2023-34410, CVE-2023-37369, CVE-2023-38197, CVE-2023-51714, CVE-2024-25580 | 5.15.3-5.0.3.al8 |
| qt5-qtsvg | CVE-2023-32573 | 5.15.3-2.al8 |
| rpm | CVE-2021-35937, CVE-2021-35938, CVE-2021-35939 | 4.14.3-27.0.5.2.al8 |
| samba | CVE-2023-3961, CVE-2023-4091, CVE-2023-42669 | 4.18.6-3.0.1.1.al8 |
| shadow-utils | CVE-2023-4641 | 4.6-19.0.1.al8 |
| shim | CVE-2023-40546, CVE-2023-40547, CVE-2023-40548, CVE-2023-40549, CVE-2023-40550, CVE-2023-40551 | 15.8-2.0.1.1.al8 |
| sqlite | CVE-2023-7104 | 3.26.0-19.al8 |
| squashfs-tools | CVE-2021-40153, CVE-2021-41072 | 4.3-20.1.0.3.al8 |
| sssd | CVE-2023-3758 | 2.9.4-3.al8 |
| sudo | CVE-2023-28486, CVE-2023-28487, CVE-2023-42465 | 1.9.5p2-1.0.1.al8 |
| sysstat | CVE-2023-33204 | 11.7.3-11.0.1.al8 |
| tang | CVE-2023-1672 | 7-8.al8 |
| tcpdump | CVE-2021-41043 | 4.9.3-4.0.1.al8 |
| tigervnc | CVE-2023-5380, CVE-2023-6816, CVE-2024-0229, CVE-2024-21885, CVE-2024-21886, CVE-2024-31080, CVE-2024-31081, CVE-2024-31083 | 1.13.1-10.0.1.al8 |
| tpm2-tss | CVE-2023-22745 | 2.3.2-5.0.2.al8 |
| traceroute | CVE-2023-46316 | 2.1.0-6.2.0.3.al8 |
| unbound | CVE-2024-1488 | 1.16.2-7.al8 |
| util-linux | CVE-2024-28085 | 2.32.1-45.0.1.1.al8.1 |
| webkit2gtk3 | CVE-2014-1745, CVE-2023-32359, CVE-2023-39928, CVE-2023-40414, CVE-2023-41983, CVE-2023-42852, CVE-2023-42883, CVE-2023-42890, CVE-2024-23206, CVE-2024-23213 | 2.42.5-1.0.1.al8 |
| wireshark | CVE-2023-0666, CVE-2023-2856, CVE-2023-2858, CVE-2023-2952 | 2.6.2-17.al8 |
| xorg-x11-server | CVE-2023-1393, CVE-2024-31080, CVE-2024-31081, CVE-2024-31083 | 1.20.11-16.0.4.al8 |
| xorg-x11-server-Xwayland | CVE-2022-3550, CVE-2022-3551, CVE-2022-4283, CVE-2022-46340, CVE-2022-46341, CVE-2022-46342, CVE-2022-46343, CVE-2022-46344, CVE-2023-0494, CVE-2023-1393, CVE-2023-5367, CVE-2023-6377, CVE-2023-6478, CVE-2023-6816, CVE-2024-0229, CVE-2024-0408, CVE-2024-0409, CVE-2024-21885, CVE-2024-21886 | 22.1.9-5.al8 |
| yajl | CVE-2023-33460 | 2.1.0-12.0.1.al8 |
| zziplib | CVE-2020-18770 | 0.13.71-11.al8 |
| buildah | CVE-2018-25091, CVE-2021-33198, CVE-2021-34558, CVE-2022-2879, CVE-2022-2880, CVE-2022-41715, CVE-2023-29409, CVE-2023-39318, CVE-2023-39319, CVE-2023-39321, CVE-2023-39322, CVE-2023-39326, CVE-2023-45287, CVE-2023-45803, CVE-2023-48795, CVE-2024-1753, CVE-2024-23650, CVE-2024-24786, CVE-2024-28180, CVE-2024-28176 | 1.33.7-2.al8 |
| cockpit-podman | CVE-2022-27191, CVE-2022-2989, CVE-2022-3064, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-25173, CVE-2023-25809, CVE-2023-27561, CVE-2023-28642, CVE-2023-29400, CVE-2023-29406, CVE-2023-3978, CVE-2024-21626, CVE-2018-25091, CVE-2021-33198, CVE-2021-34558, CVE-2022-2879, CVE-2022-2880, CVE-2022-41715, CVE-2023-29409, CVE-2023-39318, CVE-2023-39319, CVE-2023-39321, CVE-2023-39322, CVE-2023-39326, CVE-2023-45287, CVE-2023-45803, CVE-2023-48795, CVE-2024-1753, CVE-2024-23650, CVE-2024-24786, CVE-2024-28180 | 84.1-1.al8 |
| conmon | CVE-2022-27191, CVE-2022-2989, CVE-2022-3064, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-25173, CVE-2023-25809, CVE-2023-27561, CVE-2023-28642, CVE-2023-29400, CVE-2023-29406, CVE-2023-3978, CVE-2024-21626, CVE-2018-25091, CVE-2021-33198, CVE-2021-34558, CVE-2022-2879, CVE-2022-2880, CVE-2022-41715, CVE-2023-29409, CVE-2023-39318, CVE-2023-39319, CVE-2023-39321, CVE-2023-39322, CVE-2023-39326, CVE-2023-45287, CVE-2023-45803, CVE-2023-48795, CVE-2024-1753, CVE-2024-23650, CVE-2024-24786, CVE-2024-28180 | 2.1.10-1.al8 |
| container-selinux | CVE-2022-27191, CVE-2022-2989, CVE-2022-3064, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-25173, CVE-2023-25809, CVE-2023-27561, CVE-2023-28642, CVE-2023-29400, CVE-2023-29406, CVE-2023-3978, CVE-2024-21626, CVE-2018-25091, CVE-2021-33198, CVE-2021-34558, CVE-2022-2879, CVE-2022-2880, CVE-2022-41715, CVE-2023-29409, CVE-2023-39318, CVE-2023-39319, CVE-2023-39321, CVE-2023-39322, CVE-2023-39326, CVE-2023-45287, CVE-2023-45803, CVE-2023-48795, CVE-2024-1753, CVE-2024-23650, CVE-2024-24786, CVE-2024-28180 | 2.229.0-2.al8 |
| containernetworking-plugins | CVE-2022-27191, CVE-2022-2989, CVE-2022-3064, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-25173, CVE-2023-25809, CVE-2023-27561, CVE-2023-28642, CVE-2023-29400, CVE-2023-29406, CVE-2023-3978, CVE-2024-21626, CVE-2018-25091, CVE-2021-33198, CVE-2021-34558, CVE-2022-2879, CVE-2022-2880, CVE-2022-41715, CVE-2023-29409, CVE-2023-39318, CVE-2023-39319, CVE-2023-39321, CVE-2023-39322, CVE-2023-39326, CVE-2023-45287, CVE-2023-45803, CVE-2023-48795, CVE-2024-1753, CVE-2024-23650, CVE-2024-24786, CVE-2024-28180 | 1.4.0-2.0.1.al8 |
| containers-common | CVE-2022-27191, CVE-2022-2989, CVE-2022-3064, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-25173, CVE-2023-25809, CVE-2023-27561, CVE-2023-28642, CVE-2023-29400, CVE-2023-29406, CVE-2023-3978, CVE-2024-21626, CVE-2018-25091, CVE-2021-33198, CVE-2021-34558, CVE-2022-2879, CVE-2022-2880, CVE-2022-41715, CVE-2023-29409, CVE-2023-39318, CVE-2023-39319, CVE-2023-39321, CVE-2023-39322, CVE-2023-39326, CVE-2023-45287, CVE-2023-45803, CVE-2023-48795, CVE-2024-1753, CVE-2024-23650, CVE-2024-24786, CVE-2024-28180 | 1-81.0.1.al8 |
| criu | CVE-2022-27191, CVE-2022-2989, CVE-2022-3064, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-25173, CVE-2023-25809, CVE-2023-27561, CVE-2023-28642, CVE-2023-29400, CVE-2023-29406, CVE-2023-3978, CVE-2024-21626, CVE-2018-25091, CVE-2021-33198, CVE-2021-34558, CVE-2022-2879, CVE-2022-2880, CVE-2022-41715, CVE-2023-29409, CVE-2023-39318, CVE-2023-39319, CVE-2023-39321, CVE-2023-39322, CVE-2023-39326, CVE-2023-45287, CVE-2023-45803, CVE-2023-48795, CVE-2024-1753, CVE-2024-23650, CVE-2024-24786, CVE-2024-28180 | 3.18-5.0.1.al8 |
| fuse-overlayfs | CVE-2022-27191, CVE-2022-2989, CVE-2022-3064, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-25173, CVE-2023-25809, CVE-2023-27561, CVE-2023-28642, CVE-2023-29400, CVE-2023-29406, CVE-2023-3978, CVE-2024-21626, CVE-2018-25091, CVE-2021-33198, CVE-2021-34558, CVE-2022-2879, CVE-2022-2880, CVE-2022-41715, CVE-2023-29409, CVE-2023-39318, CVE-2023-39319, CVE-2023-39321, CVE-2023-39322, CVE-2023-39326, CVE-2023-45287, CVE-2023-45803, CVE-2023-48795, CVE-2024-1753, CVE-2024-23650, CVE-2024-24786, CVE-2024-28180 | 1.13-1.0.1.al8 |
| podman | CVE-2022-27191, CVE-2022-2989, CVE-2022-3064, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-25173, CVE-2023-25809, CVE-2023-27561, CVE-2023-28642, CVE-2023-29400, CVE-2023-29406, CVE-2023-3978, CVE-2024-21626, CVE-2018-25091, CVE-2021-33198, CVE-2021-34558, CVE-2022-2879, CVE-2022-2880, CVE-2022-41715, CVE-2023-29409, CVE-2023-39318, CVE-2023-39319, CVE-2023-39321, CVE-2023-39322, CVE-2023-39326, CVE-2023-45287, CVE-2023-45803, CVE-2023-48795, CVE-2024-1753, CVE-2024-23650, CVE-2024-24786, CVE-2024-28180, CVE-2024-28176 | 4.9.4-3.0.1.al8 |
| runc | CVE-2022-27191, CVE-2022-2989, CVE-2022-3064, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-25173, CVE-2023-25809, CVE-2023-27561, CVE-2023-28642, CVE-2023-29400, CVE-2023-29406, CVE-2023-3978, CVE-2024-21626, CVE-2018-25091, CVE-2021-33198, CVE-2021-34558, CVE-2022-2879, CVE-2022-2880, CVE-2022-41715, CVE-2023-29409, CVE-2023-39318, CVE-2023-39319, CVE-2023-39321, CVE-2023-39322, CVE-2023-39326, CVE-2023-45287, CVE-2023-45803, CVE-2023-48795, CVE-2024-1753, CVE-2024-23650, CVE-2024-24786, CVE-2024-28180 | 1.1.12-1.0.1.al8 |
| slirp4netns | CVE-2022-27191, CVE-2022-2989, CVE-2022-3064, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-25173, CVE-2023-25809, CVE-2023-27561, CVE-2023-28642, CVE-2023-29400, CVE-2023-29406, CVE-2023-3978, CVE-2024-21626, CVE-2018-25091, CVE-2021-33198, CVE-2021-34558, CVE-2022-2879, CVE-2022-2880, CVE-2022-41715, CVE-2023-29409, CVE-2023-39318, CVE-2023-39319, CVE-2023-39321, CVE-2023-39322, CVE-2023-39326, CVE-2023-45287, CVE-2023-45803, CVE-2023-48795, CVE-2024-1753, CVE-2024-23650, CVE-2024-24786, CVE-2024-28180 | 1.2.3-1.al8 |
| libslirp | CVE-2018-25091, CVE-2021-33198, CVE-2021-34558, CVE-2022-2879, CVE-2022-2880, CVE-2022-41715, CVE-2023-29409, CVE-2023-39318, CVE-2023-39319, CVE-2023-39321, CVE-2023-39322, CVE-2023-39326, CVE-2023-45287, CVE-2023-45803, CVE-2023-48795, CVE-2024-1753, CVE-2024-23650, CVE-2024-24786, CVE-2024-28180 | 4.4.0-2.al8 |

Package updates

New features

  • rdma-core adds support for eRDMA.

  • rasdaemon supports Memory CE Error Isolation.

  • Nginx uses OpenSSL 3.

  • aliyun-cli is now version 3.0.210.

Important updates

Kernel

The Kernel is upgraded to version 5.10.134-17.2.al8.

New features

  • Adds native Kernel-level failover for FUSE, ensuring uninterrupted file access.

  • Adds support for dynamic Kernel preemption. This feature aligns with the upstream community's design and lets you switch the preemption model through the kernel command line or sysfs. The supported models are none and voluntary. The full model is not yet supported.

  • Enhances perf to support performance metrics for CMN and DDR PMUs.

  • New BPF features

    • Adds new BPF helpers.

      • bpf_for_each_map_elem: Iterates over BPF map elements.

      • bpf_snprintf: Formats strings.

      • bpf_timer: Triggers a callback function after a specified time.

      • bpf_loop: Removes the limitation of constant-bounded loops, enabling flexible loop implementation.

      • bpf_strncmp: Compares strings.

      • bpf_ktime_get_tai_ns: Gets the time based on the CLOCK_TAI clock source.

      • bpf_skb_load_bytes: Adds support for the raw_tp type, enabling programs of this type to read skb data, including non-linear data.

    • Adds support on the arm64 architecture for attaching BPF trampoline features, including fentry, fexit, fmod_ret, and bpf_lsm, providing more powerful tracing, diagnostics, and security.

    • Allows bpf_trampoline to coexist with livepatch.

  • Adds support for virtio-net features.

    • Supports virtio-net device statistics. This feature allows the Kernel to retrieve device statistics, improving troubleshooting and diagnostics.

    • Introduces a queue reset feature. This feature resizes virtual machine queues to reduce packet loss and optimize latency.

    • Supports dynamic interrupt moderation (netdim). This feature intelligently adjusts interrupt coalescing parameters based on real-time traffic to optimize data reception performance.

    • Optimizes virtio checksum handling. This update fixes a checksum verification issue on virtio network interface controllers (NICs) under specific feature controls. In XDP application scenarios, the checksum no longer needs to be re-verified in the guest operating system, which significantly reduces CPU usage.

  • Enables failover support for the EROFS on-demand loading mode.

  • Fixes a semantic issue with O_DIRECT and O_SYNC in the ext4 file system. This issue has existed since the introduction of the iomap framework. The problem occurred because generic_write_sync() was called within the iomap framework, but the file size (i_disksize) was updated after iomap_dio_rw() completed. In append-write scenarios, the system did not update the on-disk file size in time. As a result, written data could become unreadable after a power failure.

  • Adds support for delayed inode invalidation to the XFS file system. This feature offloads inode reclamation to a background kworker process, which reduces application stuttering caused by foreground delete operations.

  • Adds new features and optimizations for FUSE.

    • Adds support for Shared Memory Mapping (mmap) in cache=none mode.

    • Adds a dynamic switch for the strict limit feature. In certain scenarios, the FUSE module's strict limit setting can cause slow write-backs or stuttering. This new sysfs switch resolves these issues dynamically.

  • Optimizes kernfs global lock contention to reduce load spikes caused by concurrent access from monitoring programs.

  • Adds features related to Group Identity.

  • Introduces fine-grained priority features for Group Identity 2.0.

    • Adds support for the smc_pnet feature in Shared Memory Communications over RDMA (SMC-R) and elastic Remote Direct Memory Access (eRDMA) use cases.

    • Improves reachability checks in Shared Memory Communications (SMC) and eRDMA scenarios to fix a rare kernel crash.

  • Calibrates the CPU share ratio for Group Identity 2.0.

  • Adds the force_idled_time metric for Group Identity 2.0.

  • Optimizes Group Identity to enhance load control for tasks with different priorities.

  • Provides the basic functionality of Group Balancer.

    • Adds support for passing zero-length iovec in rafsv6 mode.

    • Allows reclamation of dax mappings in rafsv6 mode. This prevents Out of Memory (OOM) errors and FUSE hangs caused by pinned memory.

    • Uses kconfig to restrict rafsv6 for use only in Secure Container scenarios.

  • Adds optimizations and support for SMC.

  • Adds a timeout mechanism for the control vq in virtio. This prevents continuous polling from consuming a virtual machine's CPU when a device becomes unresponsive. The default timeout is 7 days.

  • Adds a feature to isolate slab memory used by Out-of-Tree (OOT) modules. This helps isolate problems when an OOT module causes memory corruption.

  • Introduces a fast OOM feature. This feature prevents long periods of unresponsiveness in multi-core, large-memory environments when memory is low. This increases memory deployment density and improves the stability and performance of online services under high watermarks.

  • Adds support and optimizations for EROFS.

  • XFS adds support for fsdax reflink and dedupe, with specific optimizations for Tair PMEM instances. These optimizations include ensuring the contiguity of snapshot source files, improving dirty page write-back efficiency, and removing the dependency on the reverse-map B-tree to reduce page fault latency.

  • Adds support for cgroup writeback to fix an issue where memory cgroups were not released for long periods when lazytime was enabled. This issue could cause the number of memory cgroups to remain high in containerized deployment environments, consuming memory and causing high sys usage when iterating through cgroups.

  • Extends the cgroup v2 IO SLI by adding blkio cgroup v2 metrics, including wait time, service time, complete time, io queued, and bytes queued.

  • In extreme cases where each bio_vec contains only a single 4 KB page, the 5.10 kernel supports a maximum I/O size of 1 MB. The additional logic for splitting I/O operations can impact performance in some scenarios.

  • Fixes an ABBA deadlock caused by a race condition when setting blk-iocost qos parameters.

  • Allows configuration of tcmu_loop device parameters, including can_queue, nr_hw_queues, cmd_per_lun, and sg_tablesize. On powerful backend devices, increasing these parameters can significantly improve performance.

Image update

  • Operating system image

    • Added the spec_rstack_overflow=off boot parameter.

    • Added the kfence.sample_interval=100 and kfence.booting_max=0-2G:0,2G-32G:2M,32G-:32M boot parameters.

    • Set the net.ipv4.tcp_retries2 parameter to 8.

    • Set the net.ipv4.tcp_syn_retries parameter to 4.

    • Removed the NTP server configuration for Classic Network.

  • Container image

    alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.2104U10

Bug fixes

  • Kernel

    • Fixed a linked list corruption issue caused by incorrect scheduling of the credits_announce_work work item in the smc kernel module.

    • Fixed a race condition in perf_cgroup_switch.

    • Fixed an issue where the Group Identity 2.0 Queue other time statistic could become a negative value.

    • Fixed incorrect cfs_rq runtime statistics.

    • Fixed an issue where cfs_rq->core could be NULL.

    • Enabled sound card-related drivers (CONFIG_SND).

    • Fixed a kernel panic caused by kfence when cgroup kmem accounting was enabled.

    • Added LoongArch architecture fixes.

    • Improved the stability of erofs compression mode.

    • Improved stability for erofs over fscache.

    • Improved SMC-related stability.

    • Fixed a writeback performance regression when a backing device info (BDI) with its share set to 0 used the STRICTLIMIT feature.

    • Fixed a memory leak in seccomp.

    • Fixed an issue where certain user operations could lead to an incorrect reference count for ZERO_PAGE.

    • Fixed a potential recursive memory reclamation issue in TCMU.

    • Fixed a kernel crash caused by the ioasids subsystem when it migrated kernel threads.

    • Fixed multiple I/O counting when no rate-limiting rules were configured.

    • Fixed a hardware signal hang during frequent communication between Phytium S2500 CPUs and certain BMC chips.

    • Fixed a kernel panic that occurred when Group Identity and core scheduling were enabled simultaneously.

    • Changed the throttling mechanism for Completely Fair Scheduler (CFS) bandwidth control from synchronous to asynchronous mode to optimize bandwidth control efficiency on systems with a large number of CPUs.

    • Fixed a potential race condition when disabling the global switch for core scheduling.

    • Fixed inaccurate SIB Idle statistics under high Interrupt Request (IRQ) loads.

    • Backported fixes for NVMe over RDMA from newer versions to improve system stability.

    • Fixed a deadlock during the concurrent execution of nvme_reset and nvme_rescan.

    • Fixed a kernel crash caused by a use-after-free (UAF) issue related to Active State Power Management (ASPM) in the PCIe driver.

    • Fixed a screen corruption issue on Phytium S5000C devices equipped with an AST2600 graphics card.

    • Fixed a warning, caused by asynchronous unthrottle, that could lead to a scheduling deadlock.

    • CVE-2023-52445

    • CVE-2023-6817

    • CVE-2024-0646

    • CVE-2023-20569

    • CVE-2023-51042

    • CVE-2023-6915

    • CVE-2023-6546

    • CVE-2022-38096

    • CVE-2024-0565

    • CVE-2024-26589

    • CVE-2024-23307

    • CVE-2024-22099

    • CVE-2024-24860

    • CVE-2024-1086

    • CVE-2023-51779

    • CVE-2024-26597

    • CVE-2024-24855

    • CVE-2023-52438

    • CVE-2023-4622

    • CVE-2023-6932

    • CVE-2023-20588

    • CVE-2023-5717

    • CVE-2023-6931

    • CVE-2023-28464

    • CVE-2023-39192

    • CVE-2023-6176

    • CVE-2023-45863

    • CVE-2023-5178

    • CVE-2023-45871

    • CVE-2023-4155

    • CVE-2023-20593

    • CVE-2023-3567

    • CVE-2023-3358

    • CVE-2023-0615

    • CVE-2023-31083

    • CVE-2023-4015

    • CVE-2023-42753

    • CVE-2023-4623

    • CVE-2023-4921

    • CVE-2023-2860

    • CVE-2023-1206

    • CVE-2023-3772

    • CVE-2023-42755

    • CVE-2023-3863

    • CVE-2022-3114

    • CVE-2023-31085

    • CVE-2023-4132

    • CVE-2022-3424

    • CVE-2022-3903

    • CVE-2022-45887

    • CVE-2023-3006

    • CVE-2023-42754

    • CVE-2023-0160

  • Image

    • Standardized the debuginfo repository names. Users can now install the corresponding debuginfo packages by running the command dnf debuginfo-install <package_name>.

    • Extended the dnf-makecache service interval from 1 hour to 1 day to reduce its impact on disk and network usage.

    • Removed the virtio_blk module configuration from initramfs as the module is now included in the kernel.

  • Package

    Fixed a bug in dnf-plugin-releasever-adapter that could cause the dnf command to fail.

Alibaba Cloud Linux (Alinux) 3.2104 U9.1

Version

Image ID

Release date

Updates

Alibaba Cloud Linux (Alinux) 3.2104 U9.1

aliyun_3_x64_20G_alibase_20240528.vhd

2024-05-28

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit base image to the latest version.

  • Updated the kernel version to 5.10.134-16.3.al8.x86_64.

  • For details, see Updates.

aliyun_3_arm64_20G_alibase_20240528.vhd

2024-05-28

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM base image to the latest version.

  • Updated the kernel version to 5.10.134-16.3.al8.aarch64.

  • For details, see Updates.

Updates

Security updates

Package name

CVE ID

Package version

kernel

  • CVE-2024-22099

  • CVE-2024-24860

  • CVE-2024-1086

  • CVE-2023-51779

  • CVE-2024-26597

  • CVE-2024-24855

  • CVE-2023-52438

  • CVE-2023-4622

  • CVE-2023-6932

  • CVE-2023-20588

  • CVE-2023-5717

  • CVE-2023-6931

  • CVE-2023-28464

  • CVE-2023-39192

  • CVE-2023-6176

  • CVE-2023-45863

  • CVE-2023-5178

  • CVE-2023-45871

5.10.134-16.3.al8

bind

CVE-2022-3094

9.11.36-11.0.1.al8

buildah

  • CVE-2023-25173

  • CVE-2022-41724

  • CVE-2022-41725

  • CVE-2023-24537

  • CVE-2023-24538

  • CVE-2023-24534

  • CVE-2023-24536

  • CVE-2022-41723

  • CVE-2023-24539

  • CVE-2023-24540

  • CVE-2023-29400

1.31.3-1.al8

dnsmasq

CVE-2023-28450

2.79-31.0.1.al8

edk2-20220126gitbb1bba3d77

CVE-2019-14560

6.0.2.al8

frr

  • CVE-2023-38406

  • CVE-2023-38407

  • CVE-2023-47235

  • CVE-2023-47234

7.5.1-16.0.2.al8

grafana

  • CVE-2023-3128

  • CVE-2023-39325

  • CVE-2023-44487

9.2.10-7.0.1.al8

grafana

CVE-2024-1394

9.2.10-7.0.1.al8

grafana-pcp

5.1.1-1.0.1.al8

gstreamer1-plugins-bad-free

CVE-2023-44429

1.22.1-2.0.1.al8

tigervnc

CVE-2023-44446

1.13.1-2.al8

unbound

  • CVE-2023-50387

  • CVE-2023-50868

1.16.2-6.al8

webkit2gtk3

CVE-2023-42917

2.40.5-1.0.2.al8.1

glibc

CVE-2024-2961

2.32-1.16.al8

python2-setuptools

CVE-2022-40897

39.0.1-13.1.module+al8+9+77049424

Package updates

Package name

Release version

cloud-init

23.2.2

container-selinux

2.229.0

ethtool

6.6

iproute

6.2.0

iptables

1.8.5

keentuned

2.4.0

keentune-target

2.4.0

rng-tools

6.16

sssd

2.9.1

sudo

1.9.5p2

sysak

2.4.0

Important updates

  • Kernel updates

    • Upgraded the kernel to 5.10.134-16.3.al8.

    • Added support for the smc_pnet feature in SMC-R and elastic Remote Direct Memory Access (eRDMA) scenarios.

    • Added support for HWDRC, an RDT-based dynamic memory bandwidth control technology. This technology enables more precise control over resources such as memory bandwidth and cache.

    • Optimized Group Identity to enhance workload control for tasks with different priorities.

  • New features

    • Upgraded aliyun-cli to 3.0.204. You can now install and update aliyun-cli using yum or dnf.

    • Upgraded cloud-init to 23.2.2, which now supports accessing Instance Metadata in Hardened Mode.

    • Upgraded ethtool to 6.6 to support the CMIS Protocol.

    • Upgraded sysak to 2.4.0. This upgrade optimizes diagnostic capabilities, adds node monitoring, provides node-side support for sysom observability, and includes several bug fixes.

    • Upgraded keentune to 2.4.0.

Image updates

  • Container images

    • alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.9.1

    • alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest

      Note

      After this release, the latest tag will no longer point to the 3.9.1 image.

  • Virtual machine images

    Switched the image type to UEFI-Preferred. The image now supports Dual-boot Mode (UEFI + Legacy).

Bug fixes

  • Kernel

    • Fixed stability issues in EROFS compression mode.

    • Fixed stability issues with EROFS over fscache.

    • Fixed stability issues related to SMC.

    • Fixed degraded writeback performance when BDI uses the STRICTLIMIT feature and the BDI share is 0.

    • Fixed a memory leak in seccomp.

    • Fixed an issue where user operations could cause an incorrect reference count for ZERO_PAGE.

    • Fixed a potential recursive memory reclamation issue in TCMU.

    • Fixed a kernel crash that occurred when the ioasids subsystem migrated a kernel thread.

    • Fixed an issue with duplicate I/O statistics when no throttling rules were configured.

    • Fixed a hardware signal hang that occurred when Phytium S2500 and some BMC chips communicated frequently over a short period.

    • Fixed a kernel panic that occurred when Group Identity and core scheduling were enabled concurrently.

    • Changed CFS bandwidth control to lift throttling asynchronously instead of synchronously, improving efficiency in scenarios with many CPUs.

    • Fixed a potential race condition when disabling the main core sched switch.

    • Fixed inaccurate sibidle statistics in high-IRQ scenarios.

  • Image

    Fixed an issue that prevented the system from using a newly installed kernel after a reboot.

2023

Alibaba Cloud Linux 3.2104 U9

Version

Image ID

Release date

Updates

Alibaba Cloud Linux 3.2104 U9

aliyun_3_9_x64_20G_alibase_20231219.vhd

2023-12-19

  • Updates the base image for Alibaba Cloud Linux 3.2104 LTS 64-bit to the latest version.

  • Updates the kernel to version 5.10.134-16.1.al8.x86_64.

  • For more information, see Content updates.

aliyun_3_9_arm64_20G_alibase_20231219.vhd

2023-12-19

  • Updates the base image for Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM to the latest version.

  • Updates the kernel to version 5.10.134-16.1.al8.aarch64.

  • For more information, see Content updates.

aliyun_3_9_x64_20G_uefi_alibase_20231219.vhd

2023-12-19

  • Updates the base image for Alibaba Cloud Linux 3.2104 LTS 64-bit UEFI Edition to the latest version.

  • Updates the kernel to version 5.10.134-16.1.al8.x86_64.

  • For more information, see Content updates.

Content updates

Security updates

Package name

CVE ID

Package version

kernel

  • CVE-2022-3108

  • CVE-2022-3114

  • CVE-2022-3424

  • CVE-2022-36280

  • CVE-2022-3903

  • CVE-2022-39188

  • CVE-2022-41850

  • CVE-2022-42432

  • CVE-2022-4379

  • CVE-2022-4382

  • CVE-2022-45887

  • CVE-2023-0045

  • CVE-2023-0160

  • CVE-2023-0458

  • CVE-2023-0459

  • CVE-2023-0615

  • CVE-2023-1078

  • CVE-2023-1206

  • CVE-2023-1382

  • CVE-2023-1670

  • CVE-2023-1829

  • CVE-2023-1855

  • CVE-2023-1859

  • CVE-2023-1989

  • CVE-2023-1990

  • CVE-2023-2002

  • CVE-2023-2006

  • CVE-2023-20569

  • CVE-2023-20593

  • CVE-2023-20928

  • CVE-2023-20938

  • CVE-2023-2124

  • CVE-2023-2156

  • CVE-2023-2162

  • CVE-2023-2177

  • CVE-2023-2194

  • CVE-2023-22995

  • CVE-2023-2483

  • CVE-2023-26607

  • CVE-2023-28327

  • CVE-2023-2860

  • CVE-2023-2985

  • CVE-2023-3006

  • CVE-2023-30772

  • CVE-2023-3090

  • CVE-2023-31083

  • CVE-2023-31084

  • CVE-2023-31085

  • CVE-2023-3111

  • CVE-2023-3117

  • CVE-2023-31248

  • CVE-2023-3161

  • CVE-2023-3212

  • CVE-2023-3220

  • CVE-2023-32269

  • CVE-2023-3268

  • CVE-2023-33288

  • CVE-2023-3358

  • CVE-2023-35001

  • CVE-2023-3567

  • CVE-2023-35788

  • CVE-2023-35823

  • CVE-2023-35824

  • CVE-2023-35825

  • CVE-2023-35828

  • CVE-2023-35829

  • CVE-2023-3609

  • CVE-2023-3610

  • CVE-2023-3611

  • CVE-2023-3772

  • CVE-2023-3773

  • CVE-2023-3776

  • CVE-2023-3812

  • CVE-2023-3863

  • CVE-2023-4004

  • CVE-2023-4015

  • CVE-2023-40283

  • CVE-2023-4128

  • CVE-2023-4132

  • CVE-2023-4147

  • CVE-2023-4155

  • CVE-2023-42753

  • CVE-2023-42754

  • CVE-2023-42755

  • CVE-2023-4563

  • CVE-2023-4623

  • CVE-2023-4921

5.10.134-16.1.al8

java-1.8.0-openjdk

  • CVE-2022-40433

  • CVE-2023-22067

  • CVE-2023-22081

1.8.0.392.b08-4.0.3.al8

java-11-openjdk

CVE-2023-22081

11.0.21.0.9-2.0.3.al8

mariadb

  • CVE-2022-32081

  • CVE-2022-32082

  • CVE-2022-32084

  • CVE-2022-32089

  • CVE-2022-32091

  • CVE-2022-38791

  • CVE-2022-47015

  • CVE-2023-5157

10.5.22-1.0.1.al8

open-vm-tools

  • CVE-2023-34058

  • CVE-2023-34059

12.2.5-3.al8.1

bind

CVE-2023-3341

9.11.36-8.al8.2

dmidecode-doc

CVE-2023-30630

3.3-5.0.2.al8

frr

CVE-2023-38802

7.5.1-8.0.1.al8

ghostscript

  • CVE-2023-28879

  • CVE-2023-38559

  • CVE-2023-4042

  • CVE-2023-43115

9.54.0-14.al8

glibc

CVE-2023-4911

2.32-1.12.al8

grafana

  • CVE-2023-39325

  • CVE-2023-44487

7.5.15-5.0.1

libvpx

  • CVE-2023-44488

  • CVE-2023-5217

1.7.0-10.0.1.al8

linux-firmware

CVE-2023-20593

20230404-117.git2e92a49f.al8

ncurses

CVE-2023-29491

6.1-10.20180224.0.1.al8

nghttp2

CVE-2023-44487

1.33.0-4.0.1.al8.1

  • qemu-kvm

  • seabios

  • CVE-2022-40284

  • CVE-2023-3354

  • 6.2.0-33.0.2.al8

  • 1.16.0-4.al8

tracker-miners

CVE-2023-5557

3.1.2-4.0.1.al8

Package updates

Package name

Release version

ca-certificates

2023.2.60_v7.0.306

firewalld

0.9.11

java-1.8.0-openjdk

1.8.0.392.b08

java-11-openjdk

11.0.21.0.9

libbpf

0.6.0

lz4

1.9.4

mariadb

10.5.22

nmstate

2.2.15

nspr

4.35.0

nss

3.90.0

open-vm-tools

12.2.5

openscap

1.3.8

scap-security-guide

0.1.69

sos

4.6.0

xz

5.4.4

Important updates

Kernel

  • New features

    • Added support for core scheduling.

      This release backports the core scheduling security feature from the upstream community. This feature restricts hyper-threads on the same physical core to running only trusted processes from the same group simultaneously. This feature is incompatible with group identity and the two features must not be enabled at the same time. The feature is disabled by default. To enable it, run the sysctl -w kernel.sched_core=1 command.

    • Added support for the eBPF trampoline feature on Arm64.

      This release backports the eBPF trampoline feature on Arm64 to support the bpf struct ops feature. Note that bpf fentry-related features are still unavailable because the required Arm64 ftrace-related features have not been backported.

    • Added support for the Multi-Generational LRU (MGLRU) feature.

      This feature improves the speed and accuracy of memory page reclaim, which enhances end-to-end performance in big data scenarios.

    • Added support for batch TLB flushing.

      The batch migration feature improves the performance of kernel page migration by implementing batch TLB flushing and page copy operations.

      This version refactors and optimizes the original batch migration feature from the previous kernel based on upstream code. Key changes include removing the batch_migrate cmdline parameter and the /sys/kernel/mm/migrate/batch_migrate_enabled interface. Batch migration is now the default page migration behavior.

      This update adds the /sys/kernel/mm/migrate/dma_migration_min_pages interface, which has a default value of 32. This interface applies only when the DMA page copy feature is enabled. The DMA page copy feature is used only if /sys/kernel/mm/migrate/dma_migrate_enabled is enabled and the number of migrated pages reaches the value set in /sys/kernel/mm/migrate/dma_migration_min_pages.

    • Backported the cachestat feature.

      This introduces the cachestat system call, allowing you to view detailed page cache statistics for a specified file.

    • Enhanced kernel-mode RAS event triggering on Arm64.

      This adds error recovery capabilities for RAS issues in various scenarios, such as copy_{from/to}_user, {get/put}_user, Copy On Write (COW), and page cache reading.

    • Added support for the proprietary SMC-D loopback feature.

      This introduces the SMC-D loopback feature to accelerate local inter-process and inter-container TCP communication.

    • Added support for proprietary page table core binding and cross-die page table statistics.

      The page table core binding feature allocates page tables for QoS-sensitive services to the current NUMA node when memory is tight. This reduces memory access latency and enables faster, more efficient memory access.

    • Enhanced the proprietary multi-copy code.

      An asynchronous task now retries if the multi-copy code fails to apply during process startup. Additionally, the new memory.duptext_nodes kernel interface restricts memory allocation nodes for duptext.

    • Enhanced the proprietary kfence feature.

      • The enhanced kfence feature on Arm64 can be dynamically enabled or disabled. It fully captures memory corruption issues to facilitate both online detection and offline debugging.

      • You can now trigger an immediate system crash when a memory issue is detected, helping developers analyze problems in a debugging environment. To enable this, set the boot cmdline to "kfence.fault=panic" or run echo panic > /sys/module/kfence/parameters/fault. The default value is report, which only outputs logs without triggering a crash.

    • Added a proprietary memcg THP control interface.

      This interface lets you disable THP requests for a specified memcg.

    • Added support for the proprietary ACPU (Assess CPU) feature.

      ACPU calculates the idle time of the hyper-threading sibling during task execution and provides per-cgroup statistics. It can be used to evaluate hardware resource contention on shared CPU cores during task runtime.

    • Added support for the proprietary HT-aware quota feature.

      This feature stabilizes computing power by using CFS bandwidth control and core scheduling. In mixed-deployment scenarios, it calibrates the quota by detecting whether the hyper-threading sibling is idle. This process ensures that a task receives consistent computing power in each scheduling period, making the feature ideal for compute-intensive tasks.

    • Added support for the proprietary group identity 2.0 feature.

      This introduces a cgroup-level SCHED_IDLE feature. By setting the cpu.idle property of a target cgroup, you change its scheduling policy to SCHED_IDLE. This is ideal for managing offline tasks in batches.

  • Behavioral changes

    • Module signing

      Kernel modules are now signed to help you identify and reject unsigned modules.

    • Disabled Spectre-BHB and Variant 4 vulnerability mitigations by default on Arm64.

      Spectre-BHB and Variant 4 vulnerabilities are already addressed by other mitigations, such as the Spectre v2 fix, disabling unprivileged eBPF, Site-Isolation technology, and disabling SharedArrayBuffer, making separate fixes unnecessary. Therefore, the nospectre_bhb and ssbd=force-off parameters are added to the default cmdline for Arm64 to improve performance by reducing unnecessary overhead while maintaining security.

    • Enabled TDX guest configurations to support TDX confidential virtual machine scenarios.
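The following is an added example, not Alibaba Cloud tooling or code from these release notes. It flags the mitigation-related boot parameters these notes name (spec_rstack_overflow=off, nospectre_bhb, ssbd=force-off, kfence.fault=panic) on a kernel command line, and checks that core scheduling and Group Identity are not enabled together. The function names are hypothetical, the sample command lines in the comments are constructed, and treating any non-zero value of the two scheduler switches as "enabled" is an assumption.

```shell
#!/bin/sh
# Added example, not Alibaba Cloud tooling. Flags the mitigation-related boot
# parameters named in these release notes and the core scheduling / Group
# Identity conflict. Function names are hypothetical.

# audit_cmdline "<kernel command line>"
# Prints one "parameter: effect" line for each parameter of interest.
# Constructed sample input: "ro nospectre_bhb ssbd=force-off"
audit_cmdline() {
    # One parameter per line; values that contain spaces are not handled.
    printf '%s\n' "$1" | tr -s '[:space:]' '\n' | while read -r param; do
        case "$param" in
            spec_rstack_overflow=off)
                echo "$param: SRSO mitigation (CVE-2023-20569) disabled" ;;
            nospectre_bhb)
                echo "$param: Spectre-BHB mitigation disabled (arm64)" ;;
            ssbd=force-off)
                echo "$param: Variant 4 (speculative store bypass) mitigation disabled (arm64)" ;;
            kfence.fault=panic)
                echo "$param: KFENCE panics instead of only reporting" ;;
        esac
    done
}

# check_sched_conflict <kernel.sched_core> <sched_group_identity_enabled>
# Returns 1 when both are enabled, which the release notes say must not happen.
# Assumption: any value other than 0 means "enabled".
check_sched_conflict() {
    if [ "${1:-0}" != 0 ] && [ "${2:-0}" != 0 ]; then
        echo "core scheduling and Group Identity are both enabled" >&2
        return 1
    fi
    return 0
}

# audit_host: run both checks against the running system.
audit_host() {
    audit_cmdline "$(cat /proc/cmdline)"
    # The kernel's own view of each mitigation (standard sysfs location).
    for f in spec_rstack_overflow spectre_v2 spec_store_bypass; do
        p=/sys/devices/system/cpu/vulnerabilities/$f
        if [ -r "$p" ]; then
            printf '%s: %s\n' "$f" "$(cat "$p")"
        fi
    done
    core=$(cat /proc/sys/kernel/sched_core 2>/dev/null || echo 0)
    gi=$(cat /proc/sys/kernel/sched_group_identity_enabled 2>/dev/null || echo 0)
    check_sched_conflict "$core" "$gi"
}

# Touch the live host only when asked to: sh audit.sh --host
if [ "${1:-}" = "--host" ]; then
    audit_host
fi
```

Run with --host on an instance to compare the shipped defaults against your own hardening baseline; the exit status is non-zero when the two scheduler features are enabled together.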

New features in packages

  • Added erofs-utils-1.7.1 to the software repository.

    erofs-utils is a tool for creating, checking, and compressing EROFS file systems. It supports compression algorithms such as LZ4, LZMA, and DEFLATE, and can convert TAR archives to the EROFS format.

  • Added stress-ng-0.15.00 to the software repository.

  • Added alibaba-cloud-compiler-13.0.1.4 to the software repository.

    Alibaba Cloud Compiler is a C/C++ compiler from Alibaba Cloud, based on the open-source Clang/LLVM 13. It supports all options and parameters of the community version and is deeply optimized for Alibaba Cloud infrastructure, offering unique features and optimizations for Alibaba Cloud users.

  • Added a patch to glibc to support GB18030-2022 encoding.

  • Updated Dragonwell 17 to 17.0.9.0.10.9: The JIT compiler improves inlining performance by no longer basing inlining decisions on absolute call counts.

  • Updated Dragonwell 8 to 8.15.16.372: Supports multiple coroutines waiting for read/write events on the same socket and fixes a bug in okhttp scenarios.

  • Added plugsched-1.3 to the software repository.

    plugsched is an SDK for scheduler hot-swapping, designed for kernel scheduler developers. You can install this tool to develop scheduler modules.

  • Updated sysak to 2.2.0: Adds application observability for MySQL and Java applications (including metric monitoring and diagnostics), new monitoring metrics for containers and clusters, and local monitoring capabilities.

  • Updated keentune to 2.3.0: Updates x264/265 scripts to support the latest ffmpeg. Resolves core binding errors for XPS and RPS. Updates the default eRDMA settings in profiles.

  • Updated the software stack for Intel QAT, DLB, and IAA accelerators: Includes bug fixes for the QAT driver, an upgrade for the DLB driver, user-space bug fixes for QAT and IAA, and a new unified DMA memory management solution for cross-architecture accelerators in user space.

  • Updated smc-tools: Adds the smc-ebpf command to control the scope of smc_run at the port level. Control modes include allowlist/blocklist and intelligent scheduling.

Fixed issues

  • Fixed an issue where netfilter-related functions were unavailable because RPM packages such as kernel-modules-extra and kernel-modules-internal were not automatically installed during a kernel update.

  • Fixed an issue where the /proc/sys/kernel/sched_group_identity_enabled interface could not be disabled due to incorrect reference counting for group identity during cgroup creation and deletion operations.

Image updates

  • Container images

    • alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.9

    • alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest

      Note

      After this release, the latest tag no longer points to the 3.9 image version.

  • Virtual machine (VM) images

    • The default rpmdb format is now SQLite.

    • The keentune service is installed but not enabled by default.

    • The nfs-server service is not enabled by default.

Known issues

  • The kdump service may fail on ecs.g6r.large instances due to memory constraints. To work around this issue, adjust the crash parameter, for example, to 0M-2G:0M,2G-128G:256M,128G-:384M.

  • On an NFSv3 file system, if you add an S permission to a file, the S permission for the group is lost after you change the file owner under certain conditions.

    The patch to fix this issue is 2d8ae8c417db ("nfsd: use vfs setgid helper"). However, applying this fix is deferred because the required helper functions differ significantly from the 5.10 kernel code base. This remains a known issue.

  • When using SMC to replace TCP, netperf tests may exit prematurely.

    SMC uses a fixed-size ring buffer. During transmission, the remaining buffer space may be smaller than the amount of data requested in a send() call. In this case, SMC returns the number of bytes that can be sent, which is typically less than the requested amount. In netperf, this behavior is treated as an anomaly, causing it to exit. Because the upstream maintainer recommends this design to prevent connection stalls, this issue will not be fixed.

Alibaba Cloud Linux (Alinux) 3.2104 U8

Version

Image ID

Release date

Updates

Alibaba Cloud Linux (Alinux) 3.2104 U8

aliyun_3_arm64_20G_alibase_20230731.vhd

2023-07-31

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM Base Image with the latest software packages.

  • Kernel updated to 5.10.134-15.al8.aarch64.

  • For details, see Updates.

aliyun_3_x64_20G_alibase_20230727.vhd

2023-07-27

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image with the latest software packages.

  • Kernel updated to 5.10.134-15.al8.x86_64.

  • For details, see Updates.

aliyun_3_x64_20G_qboot_alibase_20230727.vhd

2023-07-27

  • Added the Alibaba Cloud Linux 3.2104 64-bit Quick Launch Edition Image.

  • Built on the Alibaba Cloud Linux 3.2104 64-bit Base Image, aliyun_3_x64_20G_alibase_20230727.vhd.

  • Kernel updated to 5.10.134-15.al8.x86_64.

aliyun_3_x64_20G_uefi_alibase_20230727.vhd

2023-07-27

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit UEFI Edition Image with the latest software packages.

  • Built on the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image, aliyun_3_x64_20G_alibase_20230727.vhd.

  • This image boots in UEFI mode only.

  • Kernel updated to 5.10.134-15.al8.x86_64.

Updates

Security updates

Package name

CVE ID

Package version

ctags

CVE-2022-4515

5.8-23.0.1.al8

gssntlmssp

  • CVE-2023-25563

  • CVE-2023-25564

  • CVE-2023-25565

  • CVE-2023-25566

  • CVE-2023-25567

1.2.0-1.0.1.al8

libtar

  • CVE-2021-33643

  • CVE-2021-33644

  • CVE-2021-33645

  • CVE-2021-33646

1.2.20-17.0.1.al8

device-mapper-multipath

CVE-2022-41973

0.8.4-37.0.1.al8

postgresql-jdbc

CVE-2022-41946

42.2.14-2.al8

freerdp

  • CVE-2022-39282

  • CVE-2022-39283

  • CVE-2022-39316

  • CVE-2022-39317

  • CVE-2022-39318

  • CVE-2022-39319

  • CVE-2022-39320

  • CVE-2022-39347

  • CVE-2022-41877

2.2.0-10.0.1.al8

tigervnc

  • CVE-2022-4283

  • CVE-2022-46340

  • CVE-2022-46341

  • CVE-2022-46342

  • CVE-2022-46343

  • CVE-2022-46344

1.12.0-15.al8

xorg-x11-server

  • CVE-2022-3550

  • CVE-2022-3551

  • CVE-2022-4283

  • CVE-2022-46340

  • CVE-2022-46341

  • CVE-2022-46342

  • CVE-2022-46343

  • CVE-2022-46344

  • CVE-2023-0494

1.20.11-15.0.1.al8

poppler

CVE-2022-38784

20.11.0-6.0.1.al8

wayland

CVE-2021-3782

1.21.0-1.al8

net-snmp

  • CVE-2022-44792

  • CVE-2022-44793

5.8-27.0.1.al8

dhcp

  • CVE-2022-2928

  • CVE-2022-2929

4.3.6-49.0.1.al8

python-mako

CVE-2022-40023

1.0.6-14.al8

curl

CVE-2023-27535

7.61.1-30.0.2.al8.2

  • go-toolset

  • golang

  • CVE-2023-29402

  • CVE-2023-29403

  • CVE-2023-29404

  • CVE-2023-29405

  • 1.19.10-1.al8

  • 1.19.10-1.0.1.al8

dnsmasq

CVE-2023-28450

2.79-27.al8

qt5

CVE-2022-25255

5.15.3-1.0.1.al8

autotrace

CVE-2022-32323

0.31.1-55.al8

bind

CVE-2023-2828

9.11.36-8.al8.1

  • libnbd

  • libtpms

  • libvirt

  • nbdkit

  • qemu-kvm

  • supermin

  • virt-v2v

  • CVE-2021-46790

  • CVE-2022-3165

  • CVE-2022-30784

  • CVE-2022-30786

  • CVE-2022-30788

  • CVE-2022-30789

  • CVE-2023-1018

  • libnbd-1.6.0-5.0.1.al8

  • libtpms-0.9.1-2.20211126git1ff6fe1f43.al8

  • libvirt-8.0.0-20.al8

  • nbdkit-1.24.0-5.al8

  • qemu-kvm-6.2.0-32.0.1.al8

  • supermin-5.2.1-2.0.2.al8

  • virt-v2v-1.42.0-22.al8

mysql

  • CVE-2022-21594

  • CVE-2022-21599

  • CVE-2022-21604

  • CVE-2022-21608

  • CVE-2022-21611

  • CVE-2022-21617

  • CVE-2022-21625

  • CVE-2022-21632

  • CVE-2022-21633

  • CVE-2022-21637

  • CVE-2022-21640

  • CVE-2022-39400

  • CVE-2022-39408

  • CVE-2022-39410

  • CVE-2023-21836

  • CVE-2023-21863

  • CVE-2023-21864

  • CVE-2023-21865

  • CVE-2023-21867

  • CVE-2023-21868

  • CVE-2023-21869

  • CVE-2023-21870

  • CVE-2023-21871

  • CVE-2023-21873

  • CVE-2023-21874

  • CVE-2023-21875

  • CVE-2023-21876

  • CVE-2023-21877

  • CVE-2023-21878

  • CVE-2023-21879

  • CVE-2023-21880

  • CVE-2023-21881

  • CVE-2023-21882

  • CVE-2023-21883

  • CVE-2023-21887

  • CVE-2023-21912

  • CVE-2023-21917

8.0.32-1.0.2.al8

ruby

  • CVE-2021-33621

  • CVE-2023-28755

  • CVE-2023-28756

2.7.8-139.0.1.al8

Kernel

  • CVE-2021-33061

  • CVE-2021-3759

  • CVE-2022-3606

  • CVE-2022-36280

  • CVE-2022-3707

  • CVE-2022-39188

  • CVE-2022-4095

  • CVE-2022-41849

  • CVE-2022-42432

  • CVE-2022-4379

  • CVE-2022-4382

  • CVE-2022-4662

  • CVE-2022-4744

  • CVE-2022-47521

  • CVE-2022-47929

  • CVE-2023-0045

  • CVE-2023-0386

  • CVE-2023-0458

  • CVE-2023-0459

  • CVE-2023-0461

  • CVE-2023-0590

  • CVE-2023-0597

  • CVE-2023-1073

  • CVE-2023-1074

  • CVE-2023-1075

  • CVE-2023-1076

  • CVE-2023-1077

  • CVE-2023-1078

  • CVE-2023-1079

  • CVE-2023-1095

  • CVE-2023-1118

  • CVE-2023-1281

  • CVE-2023-1380

  • CVE-2023-1382

  • CVE-2023-1611

  • CVE-2023-1670

  • CVE-2023-1829

  • CVE-2023-1855

  • CVE-2023-1859

  • CVE-2023-1989

  • CVE-2023-1990

  • CVE-2023-2002

  • CVE-2023-20928

  • CVE-2023-20938

  • CVE-2023-2124

  • CVE-2023-2162

  • CVE-2023-2177

  • CVE-2023-2194

  • CVE-2023-2269

  • CVE-2023-22995

  • CVE-2023-23000

  • CVE-2023-23004

  • CVE-2023-2483

  • CVE-2023-25012

  • CVE-2023-26545

  • CVE-2023-26607

  • CVE-2023-28327

  • CVE-2023-28466

  • CVE-2023-2985

  • CVE-2023-30456

  • CVE-2023-30772

  • CVE-2023-3117

  • CVE-2023-31248

  • CVE-2023-31436

  • CVE-2023-3220

  • CVE-2023-32233

  • CVE-2023-32269

  • CVE-2023-3268

  • CVE-2023-33288

  • CVE-2023-35001

  • CVE-2023-35788

  • CVE-2023-35825

5.10.134-15.al8

webkit2gtk3

  • CVE-2023-32435

  • CVE-2023-32439

2.38.5-1.0.1.al8.5

libssh

  • CVE-2023-1667

  • CVE-2023-2283

0.9.6-7.al8

open-vm-tools

CVE-2023-20867

12.1.5-2.al8

grafana

  • CVE-2022-2880

  • CVE-2022-27664

  • CVE-2022-39229

  • CVE-2022-41715

7.5.15-4.0.2.al8

grafana-pcp

CVE-2022-27664

3.2.0-3.0.1.al8

frr

CVE-2022-37032

7.5.1-7.0.1.al8

sqlite

CVE-2020-24736

3.26.0-18.al8

git-lfs

  • CVE-2022-2880

  • CVE-2022-41715

  • CVE-2022-41717

3.2.0-2.0.1.al8

sysstat

CVE-2022-39377

11.7.3-9.0.1.al8

python3

CVE-2023-24329

3.6.8-51.0.1.al8.1

c-ares

CVE-2023-32067

1.13.0-6.al8.2

cups-filters

CVE-2023-24805

1.20.0-29.0.1.al8.2

webkit2gtk3

  • CVE-2023-28204

  • CVE-2023-32373

2.38.5-1.0.1.al8.4

delve

go-toolset

golang

CVE-2023-24540

delve-1.9.1-1.0.1.al8

go-toolset-1.19.9-1.al8

golang-1.19.9-1.0.1.al8

Kernel

  • CVE-2022-47929

  • CVE-2023-0386

  • CVE-2023-1075

  • CVE-2023-1380

  • CVE-2023-26545

  • CVE-2023-28466

  • CVE-2023-30456

  • CVE-2023-32233

5.10.134-14.1.al8

git

  • CVE-2023-22490

  • CVE-2023-23946

  • CVE-2023-25652

  • CVE-2023-25815

  • CVE-2023-29007

2.39.3-1.1.al8

apr-util

CVE-2022-25147

1.6.1-6.2.al8.1

webkit2gtk3

CVE-2023-2203

2.38.5-1.0.1.al8.3

edk2

  • CVE-2022-4304

  • CVE-2022-4450

  • CVE-2023-0215

  • CVE-2023-0286

20220126gitbb1bba3d77-4.al8

mingw-expat

CVE-2022-40674

2.4.8-2.al8

Package updates

Package

Release version

at

at-3.1.20-12.0.1.al8

audit

audit-3.0.7-2.0.1.al8.2

authselect

authselect-1.2.6-1.al8

bind

bind-9.11.36-8.al8.1

checkpolicy

checkpolicy-2.9-1.2.al8

cloud-utils-growpart

cloud-utils-growpart-0.33-0.0.1.al8

container-selinux

container-selinux-2.189.0-1.al8

coreutils

coreutils-8.30-13.al8

crypto-policies

crypto-policies-20221215-1.gitece0092.al8

cups

cups-2.2.6-51.0.1.al8

dbus

dbus-1.12.8-24.0.1.al8

ding-libs

ding-libs-0.6.1-40.al8

dnf

dnf-4.7.0-16.0.1.al8

dnf-plugins-core

dnf-plugins-core-4.0.21-14.1.al8

dracut

dracut-049-223.git20230119.al8

elfutils

elfutils-0.188-3.0.1.al8

emacs

emacs-27.2-8.0.3.al8.1

expat

expat-2.2.5-11.al8

file

file-5.33-24.al8

freetype

freetype-2.10.4-9.al8

fuse

fuse-2.9.7-16.al8

gmp

gmp-6.2.0-10.0.1.al8

gnupg2

gnupg2-2.2.20-3.al8

graphite2

graphite2-1.3.10-10.2.al8

grub2

grub2-2.02-148.0.1.al8

harfbuzz

harfbuzz-1.7.5-3.2.al8

hwdata

hwdata-0.314-8.16.al8

iproute

iproute-5.18.0-1.al8

iptables

iptables-1.8.4-24.0.1.al8

kernel

kernel-5.10.134-15.al8

kernel-hotfix-13383560-5.10.134-15

kernel-hotfix-13383560-5.10.134-15-1.0-20230724161633.al8

kexec-tools

kexec-tools-2.0.25-5.0.1.al8

kmod

kmod-25-19.0.2.al8

kpatch

kpatch-0.9.7-2.0.1.al8

libarchive

libarchive-3.5.3-4.al8

libffi

libffi-3.1-24.0.1.al8

libteam

libteam-1.31-4.0.1.al8

libuser

libuser-0.62-25.0.1.al8

libxml2

libxml2-2.9.7-16.0.1.al8

linux-firmware

linux-firmware-20230404-114.git2e92a49f.al8

logrotate

logrotate-3.14.0-6.0.1.al8

NetworkManager

NetworkManager-1.40.16-1.0.1.al8

nfs-utils

nfs-utils-2.3.3-59.0.2.al8

nftables

nftables-0.9.3-26.al8

oddjob

oddjob-0.34.7-3.0.1.al8

openssh

openssh-8.0p1-17.0.2.al8

openssl-pkcs11

openssl-pkcs11-0.4.10-3.0.1.al8

pam

pam-1.3.1-25.0.1.al8

pciutils

pciutils-3.7.0-3.0.1.al8

python-linux-procfs

python-linux-procfs-0.7.1-1.al8

python-rpm-generators

python-rpm-generators-5-8.al8

python-slip

python-slip-0.6.4-13.al8

rng-tools

rng-tools-6.15-3.0.1.al8

rpcbind

rpcbind-1.2.5-10.0.1.al8

rpm

rpm-4.14.3-26.0.1.al8

rsyslog

rsyslog-8.2102.0-13.al8

selinux-policy

selinux-policy-3.14.3-117.0.1.al8

setools

setools-4.3.0-3.al8

setup

setup-2.12.2-9.0.1.al8

sg3_utils

sg3_utils-1.44-6.0.1.al8

shared-mime-info

shared-mime-info-2.1-5.0.1.al8

sssd

sssd-2.8.2-2.0.1.al8

tpm2-tss

tpm2-tss-2.3.2-4.0.2.al8

unbound

unbound-1.16.2-5.al8

util-linux

util-linux-2.32.1-42.0.1.al8

virt-what

virt-what-1.25-3.al8

wget

wget-1.19.5-11.0.1.al8

which

which-2.21-18.0.1.al8

xfsprogs

xfsprogs-5.0.0-10.0.6.al8

Important updates

  • Kernel updates

    • Upstream backports

      • Devlink subfunction management

        A subfunction is a more lightweight function than a PCIe virtual function. Unlike a virtual function, a subfunction is not an independent PCI device and shares the resources of its parent PCI device. However, a subfunction has its own resources for network communication, including a send queue, receive queue, and completion queue. In Linux, a subfunction appears as a complete network adapter. This update lets you manage subfunctions on a network adapter using devlink. In conjunction with the driver, you can create, delete, and query subfunctions on supported network adapters.

      • NVMe passthrough for io_uring

        The overhead from complex storage stacks significantly impacts latency and IOPS, especially as storage devices become faster. Accessing an NVMe disk typically requires data to pass through multiple layers, including the file system, block layer, and NVMe driver. This update backports the uring_cmd feature from the upstream community's v5.19 kernel. It allows io_uring to pass file operations directly to the NVMe driver layer for processing, bypassing the file system and block layers. To support this feature, io_uring now also supports the CQE32 data structure and the creation of NVMe character devices.

      • Fine-grained access control for NVMe/SCSI Persistent Reservations

        Previously, a process needed the CAP_SYS_ADMIN privilege to perform Persistent Reservation operations, which limited their use in non-privileged environments such as containers. With this feature, any non-privileged process that has write permission on the block device can perform these operations, which expands where Persistent Reservations can be used.

      • IOPS throttling for large block I/O

        IOPS throttling in the 5.10 kernel does not work effectively for large block I/O scenarios, such as 1 MB requests. This is mainly because large I/O requests may be split, and the block throttle logic does not handle this well. This issue is particularly noticeable with buffered I/O, where data is first written to the page cache and later written back to disk in merged, large blocks. The upstream community refactored this in kernel v5.18. This update backports those patches to optimize IOPS throttling for large block I/O and also fixes a bug that caused BPS to be counted twice.

      • BPF enhancements

        • Hash map support for lookup_and_delete_elem

        • Bloom filter map type

      • CPU and memory hot-plugging

        • vCPU hot-add

        • Default online for hot-plugged memory

      • Intel HWP boost

        The HWP I/O boost technology improves I/O performance. Previously, the kernel enabled this feature only for some Skylake platforms and enterprise servers. This patch removes the CPU type check, enabling HWP boost by default for all CPUs.

      • HugeTLB Vmemmap Optimization (HVO)

        HVO reduces the memory footprint of vmemmap for Huge Pages. It works by mapping the virtual addresses of all struct page instances within a Huge Page to the same physical address, which frees the physical memory occupied by those struct page instances.

      • Memcg LRU lock optimization

        This feature optimizes scenarios that previously required a global LRU lock. Operations like page migration, memcg moves, swap-in, and swap-out now use a per-memcg lock instead. This significantly reduces contention on the global LRU lock, improving performance by approximately 50% in tests with multiple memcgs.

      • Kernel support for Intel TDX guests

        You can now run the Linux kernel in an Intel TDX guest. This provides the guest with features like memory encryption, memory integrity protection, CPU register protection, and remote attestation in a trusted environment.

      • EMR platform enhancements

        • PMU support for EMR platform

        • In-Field Scan (IFS) support

    • Custom enhancements

      • Transparent TCP acceleration with SMC

        Shared Memory Communications (SMC) is a high-performance kernel network protocol stack contributed by IBM to the upstream Linux kernel. It can transparently accelerate TCP connections using shared memory technologies like RDMA. Building on the upstream version, Alibaba Cloud Kernel (ANCK) includes numerous stability fixes and adds several key features: SMCv2 is used by default; SMCv2.1 protocol negotiation is supported; the max_link/max_conn and Alibaba vendor ID features are added; link connection counts are optimized; RQ flow control and RDMA Write With Immediate operations are supported; various diagnostic information is available; the SMC stack can be used via the PF_INET protocol family; and transparent replacement via BPF is supported.

      • FUSE cache consistency and statistics

        • FUSE pending requests debugging interface

        • FUSE request statistics interface

        • Enhanced cache consistency

          1. Dentry invalidation notification

          2. Close-to-Open (CTO) consistency model

          3. Cache consistency in failover mode

      • EROFS enhancements

        • Support for 4k block size on Arm64

        • Direct mounting of tar files

      • Passing FUSE mount points across namespaces

        This allows a non-privileged sidecar container to propagate its FUSE mount point into an application container, providing a FUSE-based solution for remote storage in cloud-native scenarios.

      • THP memory bloat mitigation

        While THP can improve performance, it can also cause memory bloat, which may lead to Out of Memory (OOM) errors. For example, an application might only need 8 KiB of memory (two small pages), but the kernel allocates a single THP. In this case, the remaining 510 small pages are unused, increasing the Resident Set Size (RSS) memory usage and potentially triggering an OOM error.

        THP Zero Subpage Reclaim (ZSR) solves this problem. When the kernel reclaims memory, this feature splits the THP into small pages and reclaims any zero subpages, which prevents rapid memory bloat and OOM errors.

  • System configuration updates

    • The value of tcp_max_tw_buckets is now 5000.

    • The default character set for mounting the vfat file system is now iso8859-1.

  • Package updates

    • The aliyun-cli is now included by default.

    • The container-selinux package is now included by default.

    • Adds the anolis-epao-release package, which enables Alibaba Cloud Linux 3 to use the Anolis OS epao repository to install applications such as AI tools.

Bug fixes

  • Fixed an issue that prevented the rngd.service from starting on Alibaba Cloud Linux 3 arm64 images.

  • Backported a fix from the community mainline for a cgroup leak caused by a failed process fork.

  • Fixed a permission issue in overlayfs. This issue occurred when upperdir and lowerdir were on the same filesystem and a file or directory was accessed without read permission. A logic error in a previous performance optimization caused ovl_override_creds() to fail, preventing permissions from being elevated to those of the mounter. As a result, a copy-up operation would fail with an Insufficient Permissions error.

  • Backported multiple bug fixes for fuse from the community mainline to improve its stability.

  • Backported multiple bug fixes from the community for ext4 when the bigalloc feature is enabled. This update also significantly reduces the duration of online resizing in this scenario.

  • Backported a community fix to resolve a potential data consistency issue caused by CONT-PTE/PMD.

  • Fixed an issue that prevented resctrl from being used correctly on instances with AMD processors.

  • Resolved a stability issue with the IAX hardware compression/decompression accelerator.

  • Fixed CRC validation failures in the IAX hardware compression/decompression accelerator.

  • Fixed a memory corruption issue caused by the improper use of the swap_info_struct lock during concurrent swapoff and swapon operations. This fix has been merged into the upstream community.

  • Fixed an issue that made the in-house zombie memcg reaper feature ineffective in one-shot mode.

  • Addressed a potential stability issue in the MPAM memory bandwidth monitoring feature on Yitian 710 processors.

Image updates

  • Container Image

    • alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:3.8

    • alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest

      Note

      After a new version is released, the latest tag will no longer point to version 3.8.

  • Virtual Machine Image

Known issues

An update in ANCK 5.10-015 aligns a scheduler wakeup optimization with the upstream implementation. This change can cause a performance regression in certain edge cases, such as benchmarks under extremely high load. However, this regression does not affect typical user workloads.

Alibaba Cloud Linux 3.2104 U7

Version

Image ID

Release date

Updates

Alibaba Cloud Linux 3.2104 U7

aliyun_3_x64_20G_alibase_20230516.vhd

2023-05-16

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • Upgraded the kernel to version 5.10.134-14.al8.x86_64.

  • For more information, see Updates.

aliyun_3_arm64_20G_alibase_20230515.vhd

2023-05-15

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM base image.

  • Upgraded the kernel to version 5.10.134-14.al8.aarch64.

  • For more information, see Updates.

Updates

  • Fixed kernel bugs and addressed critical security vulnerabilities (CVEs).

  • Added support for the multi-pcp feature to improve network packet reception performance by bypassing the buddy system's global lock.

    Multi-pcp reserves higher-order (order > 0) memory pages on a per-core basis. This avoids allocations from the zone buddy system for these pages, bypassing the global lock and improving network packet reception performance.

  • Enabled the Intel IAA accelerator driver, improving compression and decompression performance.

    The In-Memory Analytics Accelerator (IAA) is a hardware accelerator that combines basic data analysis functions with high-throughput compression/decompression. The driver code was adapted from the Intel repository for the ANCK kernel and includes bug fixes.

  • Fixed silent data loss in shmem and hugetlb file systems caused by Page Cache truncation.

    Previously, the kernel removed faulted pages in shmem and hugetlb from the Page Cache. Subsequent access to the offset of the faulted page would allocate a new zero page, leading to silent data loss. This feature prevents this issue in shmem/tmpfs and hugetlb file systems.

  • Added support for the CoreSight ETE driver and the tools/perf utility.

  • Enhanced the signal handling mechanism in the KVM module on ARM64 platforms, fixing a system crash issue in scenarios such as RAS events.

    If the TIF_NOTIFY_RESUME flag was not processed before the CPU entered Guest mode, frequent RAS events could trigger an exception and cause a system crash. This update implements the full generic entry infrastructure on ARM64 platforms to correctly handle pending work for a task.

  • This update synchronizes the CMN/DRW driver with the mainline Linux community version, adds debugfs support, and fixes related defects.

    Before version 5.10-014, the CMN/DRW driver diverged from the community version. To reduce future maintenance costs, version 5.10-014 synchronizes with the community driver and adds compatibility for the CMN700 in Yitian 710 processors. This update also adds debugfs support and fixes, allowing you to view the CMN topology in user mode.

  • Added support for MCE error recovery during Copy on Write (COW) operations in kernel mode on x86 platforms.

    Previously, if an uncorrectable error occurred during a kernel Copy on Write (COW) operation, the system would crash because there was no recovery handler for such errors. This feature adds a recovery handler that sends a SIGBUS signal to the application, preventing a system crash.

  • Added support for the perf metric feature and top-down performance analysis tools.

    To improve CPU PMU usability and help users identify CPU performance bottlenecks, version 5.10-014 adds the perf metric feature and supports top-down metrics for Yitian 710, Kunpeng, and x86 platforms.

  • virtio-net now supports USO offloading.

    Compared to UFO offloading, USO improves packet reception performance and the forwarding performance of network components in a complex network environment. In network conditions with instability, incast traffic, or significant bursts, USO effectively reduces the packet loss rate caused by fragment reassembly and lowers the overhead of reassembly at the receiving end. At the same time, packet loss and out-of-order delivery can also degrade the efficiency of forwarding components due to fragment reassembly. USO helps mitigate this problem.

  • Fixed an issue on the aarch64 architecture where the virtual address space was exhausted because pci_iounmap was not implemented.

    Before version 5.10-014, the pci_iounmap function was empty because CONFIG_GENERIC_IOMAP was not configured. This prevented the system from releasing mapped memory, leading to virtual address space exhaustion. Version 5.10-014 fixes this issue by correctly implementing the pci_iounmap function.

  • Added support for high-performance ublk.

    ublk is a high-performance user-space block device based on the io_uring passthrough mechanism. It provides efficient agent access in distributed storage.

  • Added support for the following self-developed Alibaba Cloud technologies:

    • Added a feature to lock code segments at the system-wide or memcg level.

      When memory usage is high, memory reclaim is triggered. During this process, the system can reclaim the memory that holds the code segments of core business applications. As the application continues to run, these code segments are reloaded from disk into memory. Frequent I/O operations can cause response delays and performance fluctuations. To prevent this issue, this feature lets you lock the code segments of core applications within a specified cgroup, making them non-reclaimable. It also includes a quota limit, which can be set as a percentage to control the amount of locked code segment memory.

    • Introduced a Page Cache usage limit to resolve Out of Memory (OOM) issues that occur when the cache grows faster than the system can reclaim it.

      In containerized environments, available memory is limited. If the Page Cache consumes too much memory and triggers memory reclaim, an OOM error can occur if the reclamation rate is slower than the application's growing memory demand, which severely impacts performance. This feature addresses the problem by limiting the Page Cache size for a container and proactively reclaiming memory that exceeds the limit. The solution supports both cgroup-level and global Page Cache usage limits and offers both synchronous and asynchronous reclamation methods for flexibility.

    • Added support for dynamic CPU Isolation.

      CPU Isolation allows you to assign different CPU cores or sets of cores to different tasks, preventing them from competing for CPU resources and thereby improving overall system performance and stability. You can isolate a subset of CPUs for key tasks, while non-critical tasks share the remaining CPUs. However, the number of key tasks can change during runtime. Isolating too many CPUs wastes resources and increases costs. This feature enables dynamic CPU Isolation, which lets you modify the isolation scope at any time to better utilize CPU resources, save costs, and improve overall business performance.

    • Added support for CPU Burst and tiered memory-low watermarks in cgroup v2.

      To promote the adoption of cgroup v2, we have ported interfaces for various self-developed ANCK technologies to cgroup v2, including CPU Burst and tiered memory-low watermarks.

    • Enabled xdp sockets to allocate virtual memory for queues, preventing allocation failures caused by memory fragmentation.

      By default, xdp sockets use __get_free_pages() to allocate contiguous physical memory. If the machine's memory is highly fragmented, this allocation can easily fail, preventing xdp socket creation. This feature uses vmalloc() to allocate memory, reducing the likelihood of xdp socket creation failure.

Alibaba Cloud Linux 3.2104 U6.1

Version

Image ID

Release date

Updates

Alibaba Cloud Linux 3.2104 U6.1

aliyun_3_x64_20G_alibase_20230424.vhd

2023-04-24

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • Kernel updated to 5.10.134-13.1.al8.x86_64.

aliyun_3_arm64_20G_alibase_20230424.vhd

2023-04-24

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM base image.

  • Kernel updated to 5.10.134-13.1.al8.aarch64.

aliyun_3_x64_20G_alibase_20230327.vhd

2023-03-27

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • Kernel updated to 5.10.134-13.1.al8.x86_64.

aliyun_3_arm64_20G_alibase_20230327.vhd

2023-03-27

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM base image.

  • Kernel updated to 5.10.134-13.1.al8.aarch64.

Alibaba Cloud Linux 3.2104 U6

Version number

Image ID

Release date

Release notes

Alibaba Cloud Linux 3.2104 U6

aliyun_3_x64_20G_qboot_alibase_20230214.vhd

2023-02-14

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit Quick Launch Edition image.

  • This image is built from the aliyun_3_x64_20G_alibase_20230110.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

aliyun_3_x64_20G_uefi_alibase_20230214.vhd

2023-02-14

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit UEFI Edition image to the latest software version.

  • This image is built from the aliyun_3_x64_20G_alibase_20230110.vhd version of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • The image now boots exclusively in UEFI mode.

aliyun_3_x64_20G_alibase_20230110.vhd

2023-01-10

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit base image to the latest software version.

  • Added the Plus debug repository configuration.

  • Kernel updates:

    • Upgraded the kernel to version 5.10.134-13.al8.x86_64.

    • Fixed kernel bugs and addressed critical security vulnerabilities (CVEs).

    • Added support for user-space /dev/ioasid.

      Previously, user-space pass-through frameworks like VFIO and vDPA required custom logic to isolate DMA from devices assigned directly to user space because these DMA requests are often untrusted. ANCK 5.10-013 introduces /dev/ioasid, which provides a unified interface for managing I/O page tables and simplifies VFIO and vDPA implementation.

    • Optimized SWIOTLB performance.

      Prior to ANCK 5.10-013, the SWIOTLB mechanism used a single lock for memory allocation when communicating with peripherals. ANCK 5.10-013 splits this lock into multiple, user-configurable locks. This primarily benefits confidential virtual machines (VMs) on large-scale instances (for example, with more than 32 CPUs). For Redis and MySQL, tests show this change can increase I/O performance by up to 8x.

    • Enabled napi_tx in virtio-net to optimize TCP Small Queue performance.

      In commit 3bedc5bca69d ('ck: Revert "virtio_net: enable napi_tx by default"'), this feature was disabled due to performance degradation from high softirq usage in some scenarios. However, this prevented TCP Small Queue from working correctly, so this release re-enables it.

    • Added support for the AST2600 PCIe 2D VGA driver.

      Versions prior to ANCK 5.10-013 did not support the ASPEED AST2600 graphics card. ANCK 5.10-013 adds support for the ASPEED AST2600 graphics card, enabling proper display output on external monitors.

    • Added support for dynamically enabling the Group Identity feature.

      ANCK 5.10-013 adds a global sysctl toggle for the Group Identity feature. It is disabled by default to reduce scheduling overhead for normal processes. To enable it, run the command: echo 1 > /proc/sys/kernel/sched_group_identity_enabled.

    • Adjusted the default kernel boot cmdline on the ARM64 platform.

      Starting from version 5.10.134-013, the following parameters are added to the boot cmdline on the ARM64 platform to improve performance.

      cgroup.memory=nokmem iommu.passthrough=1 iommu.strict=0

      • cgroup.memory=nokmem: Enabling cgroup.memory adds extra processing logic to the slab-managed page allocation and deallocation path, which affects performance. Disabling this feature improves performance.

      • iommu.passthrough=1: This enables IOMMU pass-through mode. If not specified, the setting is controlled by CONFIG_IOMMU_DEFAULT_PASSTHROUGH. This mode reduces page table mapping overhead and is effective on physical machines.

      • iommu.strict=0: This sets TLB invalidation to a lazy mode. When a DMA mapping is unmapped, the kernel postpones the corresponding TLB invalidation to improve throughput and speed up the unmap process. If the IOMMU driver does not support this mode, it automatically falls back to strict mode (strict=1), where the TLB is invalidated at the same time as the DMA unmap operation.

    • Added support for the Compact NUMA-Aware (CNA) spinlock feature.

      Starting from version 5.10.134-013, NUMA-aware functionality has been added to qspinlock. You can enable this feature by adding numa_spinlock=on or numa_spinlock=auto to the boot cmdline.

      When enabled, this feature allows qspinlock to prioritize granting the lock to a CPU on the same NUMA node when CPUs from different NUMA nodes are competing for a spinlock. This reduces cross-NUMA traffic and improves performance. In benchmark tests for use cases like sysbench and LevelDB, this feature has shown performance gains of over 10%.

    • Enhanced perf mem and perf c2c features on ARM64.

      Starting from version 5.10.134-013, you can use these tools to display the data source of a sample, such as an L1 hit. Enhancements to perf mem include support for synthetic memory events, synthetic instruction events, and displaying total instruction latency. Enhancements to perf c2c include node information for better localization.

    • fsck.xfs now supports log recovery.

      A system crash can leave the file system in an inconsistent state with an unrecovered log. In xfsprogs versions 5.0.0-10.0.4 and earlier, fsck.xfs did not support log recovery, which could cause the system to enter rescue mode upon reboot, requiring manual intervention from a system administrator. Starting from xfsprogs version 5.0.0-10.0.5, log recovery is supported. To enable this capability, system administrators must set the boot parameters fsck.mode=force and fsck.repair=yes. Note that this capability is currently effective only for the system disk.

    • Introduced adaptive on-demand huge pages for hugetext.

      Version 5.10.134-013 introduces an adaptive processing feature for code huge pages to address a limitation on the x86 platform where the number of 2 MB iTLB entries is very small. This feature controls the use of code huge pages by consolidating them based on the 'heat' of PTE scans in 2 MB regions, prioritizing hotter regions. In short, this feature primarily controls the number of code huge pages used by each application to prevent performance degradation from iTLB misses. This feature mainly targets Java-based applications and applications with large code segments, such as OceanBase and MySQL.

    • Added support for SGX dynamic memory management.

      Versions prior to ANCK 5.10 did not support SGX dynamic memory management. ANCK 5.10 adds support for the SGX EDMM feature, enabling dynamic memory management for SGX.

    • Enabled the wireguard module.

      The wireguard module was disabled in versions prior to ANCK 5.10-013. Starting from ANCK 5.10, the wireguard module is enabled. WireGuard is a secure, efficient, and easy-to-use alternative to IPSec. It is designed to be very general and sufficiently abstract, suitable for most scenarios, and easy to configure.

aliyun_3_arm64_20G_alibase_20230110.vhd

2023-01-10

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit ARM Edition base image to the latest software version.

  • Added the Plus debug repository configuration.

  • Kernel updates:

    • Upgraded the kernel to version 5.10.134-13.al8.aarch64.

    • Fixed kernel bugs and addressed critical security vulnerabilities (CVEs).
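
To check which of the boot parameters documented above for 5.10.134-13 are in effect on an instance (the ARM64 defaults cgroup.memory=nokmem, iommu.passthrough=1 and iommu.strict=0, plus numa_spinlock and the fsck.mode/fsck.repair pair), the following added example parses a kernel command line and reports them; it is not Alibaba Cloud's own tooling. The function names and the sample command line are constructed, and it assumes that the last occurrence of a repeated parameter wins and that values contain no quoted spaces.

```shell
#!/bin/sh
# Audit a kernel command line for the boot parameters named in these release
# notes. Added example: function names and sample strings are constructed.
# Assumptions: last occurrence of a parameter wins; no quoted spaces in values.

# Constructed sample carrying the ARM64 defaults from the 5.10.134-13 note.
# On a live system use: CMDLINE=$(cat /proc/cmdline)
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-constructed ro cgroup.memory=nokmem iommu.passthrough=1 iommu.strict=0'

# cmdline_get NAME CMDLINE
# Print the value of the last NAME=VALUE token; status 1 if NAME is absent.
# The body is a subshell so that set -f and the variables stay local.
cmdline_get() (
    name=$1
    value=
    found=1
    set -f                       # no pathname expansion while word-splitting
    for tok in $2; do
        case $tok in
            "$name"=*) value=${tok#*=}; found=0 ;;
        esac
    done
    [ "$found" -eq 0 ] && printf '%s\n' "$value"
)

# iommu_dma_posture CMDLINE
# Classify device DMA isolation from the two iommu.* parameters. Only the
# 0/1 spellings used on this page are recognised.
iommu_dma_posture() {
    _pt=$(cmdline_get iommu.passthrough "$1") || _pt=unset
    _st=$(cmdline_get iommu.strict "$1") || _st=unset
    case $_pt in
        1) echo passthrough ;;       # DMA API mappings bypass IOMMU translation
        0) case $_st in
               # Lazy mode: the kernel documents it as more throughput at the
               # cost of reduced device isolation (stale TLB entries linger).
               0) echo translated-lazy ;;
               1) echo translated-strict ;;
               *) echo translated-default ;;
           esac ;;
        unset) echo build-default ;; # CONFIG_IOMMU_DEFAULT_PASSTHROUGH decides
        *) echo unrecognised ;;
    esac
}

# xfs_log_recovery_enabled CMDLINE
# Succeeds only when both parameters the fsck.xfs note requires are present.
xfs_log_recovery_enabled() {
    [ "$(cmdline_get fsck.mode "$1")" = force ] &&
        [ "$(cmdline_get fsck.repair "$1")" = yes ]
}

# audit_cmdline CMDLINE: one line per documented parameter.
audit_cmdline() {
    echo "iommu DMA posture : $(iommu_dma_posture "$1")"
    echo "cgroup.memory     : $(cmdline_get cgroup.memory "$1" || echo unset)"
    echo "numa_spinlock     : $(cmdline_get numa_spinlock "$1" || echo unset)"
    if xfs_log_recovery_enabled "$1"; then
        echo "fsck.xfs recovery : requested"
    else
        echo "fsck.xfs recovery : not requested"
    fi
}

audit_cmdline "$SAMPLE_CMDLINE"
```

A result of passthrough or translated-lazy on a host that attaches untrusted or pass-through devices is worth reviewing against that host's threat model, since both settings trade DMA isolation for performance.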

2022

Version

Image ID

Release date

Updates

Alibaba Cloud Linux 3.5.2

aliyun_3_x64_20G_alibase_20221118.vhd

2022-11-18

Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image with the latest software.

aliyun_3_arm64_20G_alibase_20221118.vhd

2022-11-18

Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM Base Image with the latest software.

aliyun_3_x64_20G_alibase_20221102.vhd

2022-11-02

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image with the latest software.

  • Updated the kernel version to 5.10.134-12.2.al8.x86_64.

aliyun_3_arm64_20G_alibase_20221102.vhd

2022-11-02

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM Base Image with the latest software.

  • Updated the kernel version to 5.10.134-12.2.al8.aarch64.

Alibaba Cloud Linux 3.5

aliyun_3_x64_20G_alibase_20220907.vhd

2022-09-07

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image with the latest software.

  • Kernel updates:

    • Updated the version to 5.10.134-12.al8.x86_64.

    • Fixed kernel bugs and patched critical security vulnerabilities (CVEs).

    • Added support for the Yitian 710 processor.

    • Added support for Panjiu M physical machines.

    • Optimized base performance on the Yitian platform.

    • Enabled Memory Partitioning and Monitoring (MPAM) on the ARM 64-bit architecture.

    • Enabled datop to monitor cross-node Non-Uniform Memory Access (NUMA) access and identify hot or cold memory at the process level.

    • Enabled crashkernel to reserve more than 4 GB of memory on the ARM 64-bit architecture.

    • Added support for hotfixing kernel modules on the ARM 64-bit architecture.

    • Added support for the ftrace osnoise tracer.

    • Added support for the ext4 fast commit feature. This feature significantly improves performance for workloads with frequent fsync operations, such as MySQL and PostgreSQL. The corresponding e2fsprogs version is updated to 1.46.0.

    • Added support for the following proprietary technologies from Alibaba Cloud:

      • Padded the unaligned 2 MB at the end of executable binary files to improve performance by up to 2% in some scenarios.

      • Enabled the XFS 16k atomic write feature, which improves performance by up to 50% and significantly reduces disk I/O compared to the default double-write buffer. The corresponding xfsprogs and MariaDB packages are also updated in the OpenAnolis yum repository. This software-based solution provides the following benefits over hardware-based atomic write solutions:

        • It uses a Copy-on-Write (CoW) mechanism.

        • It does not depend on specific hardware.

        • It has no runtime I/O path configuration dependencies.

        Additionally, this optimization can be combined with the large page feature for code segments.

      • Added support for container image acceleration by using nydus+erofs over fscache. This feature, contributed by the OpenAnolis Community, was merged into the mainline Linux kernel in version 5.19, becoming the first natively supported container image acceleration solution in the Linux community.

      • Added support for enhanced fd passthrough and fd attach features. The fd passthrough feature reduces I/O latency by 90% in common use cases. The fd attach feature supports lossless recovery of FUSE mount point connections, improving stability in production environments.

      • Enabled kidled to scan anonymous pages, file pages, and slab objects.

      • Added the memory.use_priority_swap interface to support memory swapping based on cgroup priority.

      • Enhanced SMC with support for 1-RTT and RDMA DIM. Optimized the CQ interrupt handling logic, which improves the data path QPS by 40%. Introduced SMC automated testing capabilities and fixed dozens of stability issues.

aliyun_3_arm64_20G_alibase_20220907.vhd

2022-09-07

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM Base Image with the latest software.

  • Kernel updates:

    • Updated the version to 5.10.134-12.al8.aarch64.

    • Fixed kernel bugs and patched critical security vulnerabilities (CVEs).

    • Added support for the Yitian 710 processor.

    • Added support for Panjiu M physical machines.

    • Optimized base performance on the Yitian platform.

    • Enabled Memory Partitioning and Monitoring (MPAM) on the ARM 64-bit architecture.

    • Enabled datop to monitor cross-node Non-Uniform Memory Access (NUMA) access and identify hot or cold memory at the process level.

    • Enabled crashkernel to reserve more than 4 GB of memory on the ARM 64-bit architecture.

    • Added support for hotfixing kernel modules on the ARM 64-bit architecture.

    • Added support for the ftrace osnoise tracer.

    • Added support for the ext4 fast commit feature. This feature significantly improves performance for workloads with frequent fsync operations, such as MySQL and PostgreSQL. The corresponding e2fsprogs version is updated to 1.46.0.

    • Added support for the following proprietary technologies from Alibaba Cloud:

      • Padded the unaligned 2 MB at the end of executable binary files to improve performance by up to 2% in some scenarios.

      • Enabled the XFS 16k atomic write feature, which improves performance by up to 50% and significantly reduces disk I/O compared to the default double-write buffer. The corresponding xfsprogs and MariaDB packages are also updated in the OpenAnolis yum repository. This software-based solution provides the following benefits over hardware-based atomic write solutions:

        • It uses a Copy-on-Write (CoW) mechanism.

        • It does not depend on specific hardware.

        • It has no runtime I/O path configuration dependencies.

        Additionally, this optimization can be combined with the large page feature for code segments.

      • Added support for container image acceleration by using nydus+erofs over fscache. This feature, contributed by the OpenAnolis Community, was merged into the mainline Linux kernel in version 5.19, becoming the first natively supported container image acceleration solution in the Linux community.

      • Added support for enhanced fd passthrough and fd attach features. The fd passthrough feature reduces I/O latency by 90% in common use cases. The fd attach feature supports lossless recovery of FUSE mount point connections, improving stability in production environments.

      • Enabled kidled to scan anonymous pages, file pages, and slab objects.

      • Added the memory.use_priority_swap interface to support memory swapping based on cgroup priority.

      • Enhanced SMC with support for 1-RTT and RDMA DIM. Optimized the CQ interrupt handling logic, which improves the data path QPS by 40%. Introduced SMC automated testing capabilities and fixed dozens of stability issues.

aliyun_3_x64_20G_qboot_alibase_20220907.vhd

2022-09-07

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit Quick Launch Edition image.

  • This image is based on version aliyun_3_x64_20G_alibase_20220907.vhd of the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image.

aliyun_3_x64_20G_uefi_alibase_20220907.vhd

2022-09-07

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit UEFI Edition image with the latest software.

  • This image is based on version aliyun_3_x64_20G_alibase_20220907.vhd of the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image.

  • Only UEFI boot mode is supported.

Alibaba Cloud Linux 3.4.2

aliyun_3_arm64_20G_alibase_20220819.vhd

2022-08-19

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM Base Image with the latest software.

  • Updated the kernel version to 5.10.112-11.2.al8.aarch64.

aliyun_3_x64_20G_alibase_20220815.vhd

2022-08-15

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image with the latest software.

  • Updated the kernel version to 5.10.112-11.2.al8.x86_64.

Alibaba Cloud Linux 3.4.1

aliyun_3_x64_20G_alibase_20220728.vhd

2022-07-28

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image with the latest software.

  • Updated the kernel version to 5.10.112-11.1.al8.x86_64.

aliyun_3_arm64_20G_alibase_20220728.vhd

2022-07-28

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM Base Image with the latest software.

  • Updated the kernel version to 5.10.112-11.1.al8.aarch64.

Alibaba Cloud Linux 3.4

aliyun_3_x64_20G_alibase_20220527.vhd

2022-05-27

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image with the latest software.

  • Kernel updates:

    • Updated the version to 5.10.112-11.al8.x86_64.

    • Fixed kernel bugs and patched critical security vulnerabilities (CVEs).

    • Added support for the following proprietary technologies from Alibaba Cloud:

      • Kernel code multi-copy feature.

      • Enhancements to the kernel code large page feature.

      • Enhanced Kfence to improve detection of issues such as memory out-of-bounds access and Use-After-Free (UAF).

    • Added support for the Hygon CSV2 Confidential Virtual Machine feature.

    • Increased the maximum supported CPUs in the guest OS to 256.

    • Improved SMC throughput and latency in multiple scenarios, accelerated connection establishment, and fixed multiple stability and compatibility issues.

    • Added support for AMX, vAMX, IPI virtualization, UINTER, Intel_idle, and TDX features for Intel SPR.

    • Added support for ptdma, CPU frequency, k10temp, and EDAC features for AMD.

    • Added support for Yitian 710 features: DDR PMU, PCIe PMU driver support, CMN-700, and RAS.

    • Added support for CoreSight features.

    • Added support for ARM SPE perf memory profiling and c2c features.

    • Enabled file-level DAX support for virtiofs.

    • Added support for the SMMU event polling feature.

aliyun_3_x64_20G_qboot_alibase_20220527.vhd

2022-05-27

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit Quick Launch Edition image.

  • This image is based on version aliyun_3_x64_20G_alibase_20220527.vhd of the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image.

aliyun_3_x64_20G_uefi_alibase_20220527.vhd

2022-05-27

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit UEFI Edition image with the latest software.

  • This image is based on version aliyun_3_x64_20G_alibase_20220527.vhd of the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image.

  • Only UEFI boot mode is supported.

aliyun_3_arm64_20G_alibase_20220526.vhd

2022-05-26

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM Base Image with the latest software.

  • Kernel updates:

    • Updated the version to 5.10.112-11.al8.aarch64.

    • Fixed kernel bugs and patched critical security vulnerabilities (CVEs).

    • Added support for the following proprietary technologies from Alibaba Cloud:

      • Kernel code multi-copy feature.

      • Enhancements to the kernel code large page feature.

      • Enhanced Kfence to improve detection of issues such as memory out-of-bounds access and Use-After-Free (UAF).

    • Added support for the Hygon CSV2 Confidential Virtual Machine feature.

    • Increased the maximum supported CPUs in the guest OS to 256.

    • Improved SMC throughput and latency in multiple scenarios, accelerated connection establishment, and fixed multiple stability and compatibility issues.

    • Added support for AMX, vAMX, IPI virtualization, UINTER, Intel_idle, and TDX features for Intel SPR.

    • Added support for ptdma, CPU frequency, k10temp, and EDAC features for AMD.

    • Added support for Yitian 710 features: DDR PMU, PCIe PMU driver support, CMN-700, and RAS.

    • Added support for CoreSight features.

    • Added support for ARM SPE perf memory profiling and c2c features.

    • Enabled file-level DAX support for virtiofs.

    • Added support for the SMMU event polling feature.

Alibaba Cloud Linux 3.3.4

aliyun_3_x64_20G_alibase_20220413.vhd

2022-04-13

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image with the latest software.

  • Kernel updates:

    • Updated the version to 5.10.84-10.4.al8.x86_64.

    • Patched critical security vulnerabilities CVE-2022-1016 and CVE-2022-27666.

aliyun_3_arm64_20G_alibase_20220413.vhd

2022-04-13

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM Base Image with the latest software.

  • Kernel updates:

    • Updated the version to 5.10.84-10.4.al8.aarch64.

    • Patched critical security vulnerabilities CVE-2022-1016 and CVE-2022-27666.

Alibaba Cloud Linux 3.3.3

aliyun_3_x64_20G_alibase_20220315.vhd

2022-03-15

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image with the latest software.

  • Patched software security vulnerabilities.

  • Kernel updates:

    • Updated the version to 5.10.84-10.3.al8.x86_64.

    • Patched vulnerabilities CVE-2022-0435 and CVE-2022-0847.

aliyun_3_arm64_20G_alibase_20220315.vhd

2022-03-15

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit for ARM Base Image with the latest software.

  • Patched software security vulnerabilities.

  • Kernel updates:

    • Updated the version to 5.10.84-10.3.al8.aarch64.

    • Patched vulnerabilities CVE-2022-0435 and CVE-2022-0847.

Alibaba Cloud Linux 3.3.2

aliyun_3_x64_20G_alibase_20220225.vhd

2022-02-25

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image with the latest software and patched its security vulnerabilities.

  • The Real Time Clock (RTC) is set to Coordinated Universal Time (UTC). For more information, see Linux time and time zone.

  • Kernel updates:

    • Updated the version to 5.10.84-10.2.al8.x86_64.

    • Patched vulnerabilities CVE-2022-0492, CVE-2021-4197, CVE-2022-0330, CVE-2022-22942, and CVE-2022-0185.

    • Added support for proprietary technologies from Alibaba Cloud:

      • Kernel code multi-copy feature.

      • Kernel code large page feature.

      • RDMA/SMC-R features.

    • Added support for new features on Intel SPR, including AMX, RAS, RCEC, bus lock detection and rate limiting, and uncore.

    • Added the MCA-R feature for Intel Ice Lake processors.

    • Enabled the Intel Data Streaming Accelerator (DSA).

    • Enabled XDP socket support for virtio-net.

    • Added support for Chinese commercial cryptography in kernel KTLS.

    • Added support for Kfence, a troubleshooting tool for detecting memory out-of-bounds access and Use-After-Free (UAF) issues.

    • Optimized the kernel's SM4 algorithm with AVX/AVX2 instruction sets.

    • Added support for Hygon CSV VM attestation.

    • Added support for the perf c2c feature using the ARM Statistical Profiling Extension (SPE).

    • Added support for the i10nm_edac feature.

    • Backported the unevictable_pid functionality.

    • Added support for adjusting memory watermarks.

    • Added support for adaptive sqpoll mode in io_uring.

    • Added support for huge vmalloc mappings.

aliyun_3_x64_20G_qboot_alibase_20220225.vhd

2022-02-25

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit Quick Launch Edition image.

  • This image is based on version aliyun_3_x64_20G_alibase_20220225.vhd of the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image.

  • The Real Time Clock (RTC) is set to Coordinated Universal Time (UTC). For more information, see Linux time and time zone.

aliyun_3_arm64_20G_alibase_20220225.vhd

2022-02-25

  • The Real Time Clock (RTC) is set to Coordinated Universal Time (UTC). For more information, see Linux time and time zone.

  • Kernel updates:

    • Updated the version to 5.10.84-10.2.al8.aarch64.

    • Patched vulnerabilities CVE-2022-0492, CVE-2021-4197, CVE-2022-0330, CVE-2022-22942, and CVE-2022-0185.

    • Added support for proprietary technologies from Alibaba Cloud:

      • Kernel code multi-copy feature.

      • Kernel code large page feature.

      • RDMA/SMC-R features.

    • Added support for new features on Intel SPR, including AMX, RAS, RCEC, bus lock detection and rate limiting, and uncore.

    • Added the MCA-R feature for Intel Ice Lake processors.

    • Enabled the Intel Data Streaming Accelerator (DSA).

    • Enabled XDP socket support for virtio-net.

    • Added support for Chinese commercial cryptography in kernel KTLS.

    • Added support for Kfence, a troubleshooting tool for detecting memory out-of-bounds access and Use-After-Free (UAF) issues.

    • Optimized the kernel's SM4 algorithm with AVX/AVX2 instruction sets.

    • Added support for Hygon CSV VM attestation.

    • Added support for the perf c2c feature using the ARM Statistical Profiling Extension (SPE).

    • Added support for the i10nm_edac feature.

    • Backported the unevictable_pid functionality.

    • Added support for adjusting memory watermarks.

    • Added support for adaptive sqpoll mode in io_uring.

    • Added support for huge vmalloc mappings.

aliyun_3_x64_20G_uefi_alibase_20220225.vhd

2022-02-25

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit UEFI Edition image with the latest software.

  • This image is based on version aliyun_3_x64_20G_alibase_20220225.vhd of the Alibaba Cloud Linux 3.2104 LTS 64-bit Base Image.

  • The Real Time Clock (RTC) is set to Coordinated Universal Time (UTC). For more information, see Linux time and time zone.

2021

Version

Image ID

Release date

Updates

Alibaba Cloud Linux 3.2

aliyun_3_x64_20G_qboot_alibase_20211214.vhd

2021-12-14

  • Added the Alibaba Cloud Linux 3.2104 LTS 64-bit Quick Launch Edition image.

  • This image is based on the Alibaba Cloud Linux 3.2104 LTS 64-bit base image, version aliyun_3_x64_20G_alibase_20210910.vhd.

aliyun_3_x64_20G_alibase_20210910.vhd

2021-09-10

  • Updated the software packages in the Alibaba Cloud Linux 3.2104 LTS 64-bit base image and fixed security vulnerabilities.

  • Added the update-motd service and enabled it by default.

  • Enabled the Kdump service by default.

  • Enabled the atd service by default.

  • Kernel updates:

    • Upgraded the kernel to the mainline stable version 5.10.60 (current version: 5.10.60-9.al8.x86_64).

    • Fixed kernel bugs and critical security vulnerabilities.

    • Added support for the following Alibaba Cloud proprietary technologies:

      • eRDMA and eRDMA-based SMC-R

      • Resource isolation with OOM priority control

      • Memory KIDLED

      • Resource isolation: memcg zombie reaper

      • Rich container technology

      • Resource isolation: CPU Group Identity

      • UKFEF

    • Added support for Intel SPR CPUs.

    • Added support for AMD Milan cpupower.

    • Added support for the SDEI-based NMI watchdog on the Arm64 architecture.

    • Added support for MPAM on the Arm64 architecture.

    • Added support for memory hot-plugging on the Arm64 architecture.

    • Enhanced the kernel fast boot technology.

    • Added support for x86 SGX2.

    • Optimized virtio-net performance.

    • Added support for eBPF LSM.

    • Improved KVM virtualization with hardware-software co-optimization (supports PV-qspinlock).

aliyun_3_arm64_20G_alibase_20210910.vhd

2021-09-10

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit ARM Edition image to the latest software version.

  • This image is based on the Alibaba Cloud Linux 3.2104 LTS 64-bit ARM Edition base image from a previous release (aliyun_3_arm64_20G_alibase_20210709.vhd).

aliyun_3_x64_20G_uefi_alibase_20210910.vhd

2021-09-10

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit UEFI Edition image to the latest software version.

  • This image is based on the Alibaba Cloud Linux 3.2104 LTS 64-bit base image, version aliyun_3_x64_20G_alibase_20210910.vhd.

  • Available in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Ulanqab), China (Shenzhen), China (Heyuan), and Singapore.

Alibaba Cloud Linux 3.1

aliyun_3_arm64_20G_alibase_20210709.vhd

2021-07-09

  • Added the Alibaba Cloud Linux 3.2104 LTS 64-bit ARM Edition image.

  • Added support for Security Center integration.

  • Available in the China (Hangzhou) region.

aliyun_3_x64_20G_alibase_20210425.vhd

2021-04-25

  • Updated the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • Kernel update: Upgraded the kernel to 5.10.23-5.al8.x86_64.

aliyun_3_x64_20G_uefi_alibase_20210425.vhd

2021-04-25

  • Added the Alibaba Cloud Linux 3.2104 LTS 64-bit UEFI Edition image.

  • This image is based on the Alibaba Cloud Linux 3.2104 LTS 64-bit base image, version aliyun_3_x64_20G_alibase_20210425.vhd.

  • The image boots in UEFI Mode only.

  • Available in the following regions: China (Beijing), China (Hangzhou), China (Shanghai), and China (Shenzhen).

Alibaba Cloud Linux 3

aliyun_3_x64_20G_alibase_20210415.vhd

2021-04-15

  • Initial release of the Alibaba Cloud Linux 3.2104 LTS 64-bit base image.

  • Kernel:

    • Based on the Linux 5.10 LTS kernel. The initial version is 5.10.23-4.al8.x86_64.

    • Added support for the PV-Panic, PV-Unhalt, and PV-Preempt features on the Arm64 architecture.

    • Added support for Kernel Live Patching on the Arm64 architecture.

    • Added support for TCP-RT.

    • Added support for asynchronous background reclaim for memcg.

    • The cgroup v1 interface supports memcg Quality of Service (QoS) and Pressure Stall Information (PSI).

    • Added support for cgroup writeback.

    • Enhanced monitoring and statistics for block I/O throttling.

    • Optimized the JBD2 interface for ext4.

    • Optimized multiple kernel subsystems, including the scheduler, memory, file system, and block layer, and fixed related bugs.

    • Added support for CPU Burst.

  • Image:

    • Compatible with the CentOS 8 and RHEL 8 software ecosystems. This image also addresses various package security vulnerabilities.

    • Supports GCC 10.2.1 and glibc 2.32.

    • Supports Python 3.6 and Python 2.7.

    • Supports the new AppStream mechanism.

  • Available in the China (Hangzhou) region.

Related topics