版本选择
openUBMC 26.03 版本发布说明
2026/03/31
openUBMC 26.03 版本发布说明
版本概览
作为26年第1个创新版本,openUBMC 26.03 采用木兰宽松许可证 2.0(Mulan PSL v2),用户可以自由复制、使用、修改、分发。
版本特性
26.03版本在25.12版本基础上进行开发,特性交付范围包括:
易用性:工具链与开发体验提升
BMC Studio 与可视化配置
- 支持BMC Studio IDE独立发布和升级。
- 支持CSR编码辅助:语法高亮、引用跳转、基础语法检查、表达式计算
- 支持lockfile提交记录可视化查看
版本构建与工具链
- 支持1712芯片构建
- 支持 基于lockfile的产品级构建,解决版本冲突问题
- conan并行化构建,优化构建效率
- qemu升级到8.2.10版本
- 社区基础设施支持签名能力
开发、测试与调试体验提升
新增 社区技术文档、FAQ、接口文档、适配指南,降低新开发者上手成本
丰富度:硬件接入与功能增强
网卡接入能力扩展
- 新增对 182x系列网卡(高低档位) 的全面支持,包括标卡、OCP卡、大板网卡等形态,支持光模块信息采集、告警增强、私有NCSI/SMBUS协议支持
- 支持 Mellanox ConnectX-7网卡的适配
硬盘与存储管理增强
- 支持1880 RAID卡的升级和慢盘检测开关使能,支持1880 RAID管理的SAS/SATA硬盘的固件升级和版本信息展示
- 支持硬盘槽位号动态更新、硬盘插入/拔出日志记录SN/PN
异构与PCIe设备管理
- 支持JBOG管理,包括设备信息查看与状态监测,固件升级。
- 支持 PCIe拓扑高速线缆交叉插法、PCIe卡插入/拔出日志记录SN/PN
带外管理能力提升
- 支持 CPLD/BIOS/VRD/MCU/NPU 等多种固件的整包升级
- 支持 固件升级暂存机制(仅适用于下电生效的固件)
- 支持管理板和节点间的板间通信
- ipmb/bt性能优化
标准:规范建设与质量保障
驱动与硬件接入规范
- 推动 驱动认证规范,完成南向网卡兼容认证工具开发,明确准入用例标准
接口与协议标准化
- 支持 Redfish标准资源PCIeSlots、Assembly、Memory、Chassis 新增新属性
- 完善 Schema管理机制:支持xml/json schema独立加载、版本升级
- 支持 Redfish-Protocol/Interop/Service Validator 工具集成
源代码
26.03版本源代码已发布至社区网站:https://openubmc.cn/download
版本兼容说明
| openUBMC/BMC_SDK | 5.13.0 | 5.12.0 | 5.11.0 | 5.10.0 | 5.9.0 |
|---|---|---|---|---|---|
| 26.03 | Y | Y | N | N | N |
| 25.12 | N | Y | N | N | N |
| 25.09 | N | N | Y | N | N |
| 25.06 | N | N | N | Y | N |
| 25.03 | N | N | N | N | Y |
已知问题
本版本问题清单:
| ISSUE ID | 问题描述 | 关联仓库 |
|---|---|---|
| 3813122 | 进行硬盘暴力热插拔时,系统事件出现错误的硬盘SN信息 | frudata |
| 3812472 | 串口环境下passwd 命令修改用户密码失败, cli命令修改用户报权限不足 | account |
| 3644159 | 电源通讯异常,通过北向接口查询电源功率、电压、温度、电流等动态信息显示为0 | power_mgmt |
已修复问题
本修复问题清单:
| ISSUE ID | 问题描述 | 关联仓库 |
|---|---|---|
| 3783134 | 修复vrd下电升级失败和暂存失败的问题 | general_hardware |
| 3777594 | 修复schemasotre/en接口查询时,响应体中,自定义oem部分无法查询问题 | rackmount |
| 3789480 | 升级CPLD过程中,解除smc告警屏蔽的流程放在内层函数,防止因为fork执行导致时序异常 | general_hardware |
CVE 漏洞
| 漏洞编号 | 漏洞描述 |
|---|---|
| CVE-2022-1941 | A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures. A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3, 3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions for 3.16 and 3.17 are no longer updated. |
| CVE-2024-2410 | The JsonToBinaryStream() function is part of the protocol buffers C++ implementation and is used to parse JSON from a stream. If the input is broken up into separate chunks in a certain way, the parser will attempt to read bytes from a chunk that has already been freed. |
| CVE-2025-55131 | c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a Denial of Service. Use after free will lead to crash / Denial of Service. This issue is fixed in version 1.34.6. |
| CVE-2022-1941 | A vulnerability, which was classified as critical, has been found in Oracle MySQL Connectors up to 8.0.31 (Database Software).Using CWE to declare the problem leads to CWE-404. The program does not release or incorrectly releases a resource before it is made available for re-use.Impacted is availability.A possible mitigation has been published immediately after the disclosure of the vulnerability. |
| CVE-2025-4565 | Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. |
| CVE-2025-53605 | The protobuf crate before version 3.7.2 for Rust contains uncontrolled recursion vulnerability in protobuf::coded_input_stream::CodedInputStream::skip_group when parsing unknown fields in untrusted input. |
| CVE-2024-7254 | Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. |
| CVE-2023-30608 | sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit e75e358. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit c457abd5f. |
OPEN SOURCE SOFTWARE NOTICE
接口 API 变更
资源协作接口变更
| 变更说明 | 变更详情 |
|---|---|
| 资源协作接口方法 bmc.kepler.AccountService 下属性 EmergencyLoginAccountId 权限变更 | >> 变更详细说明 |
北向接口变更
| 变更说明 | 变更详情 |
|---|---|
| 【WebRest】AdvancedSecurity GET请求获取EmergencyLoginUser权限变更 | >> 变更详细说明 |
| 【Redfish】AccountService GET请求获取EmergencyLoginUser权限变更 | >> 变更详细说明 |
| 【Redfish】AccountService/PrivilegeMap 中Oem//EmergencyLoginUser的GET权限变更 | >> 变更详细说明 |
| 【Redfish】PerformanceCollection资源的光模块URI变更 | >> 变更详细说明 |
| 【Redfish】光模块脏污检测资源的Start请求体以及GetResult响应体变更 | >> 变更详细说明 |
| 【Redfish】GPU处理器资源的PCI Ids属性类型变更 | >> 变更详细说明 |
| 【Redfish】Bios资源的GET操作响应体变更 | >> 变更详细说明 |
【版权声明】Copyright © 2026 openUBMC Community。本文由openUBMC社区首发,欢迎遵照CC-BY-SA 4.0协议规定转载。转载时敬请在正文注明并保留原文链接和作者信息。
【免责声明】本文仅代表作者本人观点,与本网站无关。本网站对文中陈述、观点判断保持中立,不对所包含内容的准确性、可靠性或完整性提供任何明示或暗示的保证。本文仅供读者参考,由此产生的所有法律责任均由读者本人承担。