A grave security vulnerability has been found in `apk`, the package
manager used by Adélie Linux. The vulnerability allows any attacker on
the same network as your computer to run malicious code as the superuser
if you are not using HTTPS repositories in /etc/apk/repositories.
This should not affect any standard installation of Adélie Linux, as our
mirrors force HTTPS and our default repositories file uses HTTPS.
However, if you have added your own custom repositories, or replaced
'https' with 'http' for any reason, you are vulnerable. A patch has
been released in apk-tools 2.10.1 and it is critical for you to update
all of your Adélie Linux computers immediately. New ISO and root FS
images for 1.0-BETA1 went live last night.
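As an added check that is not part of this advisory or of apk-tools itself, the following POSIX sh script audits a repositories file for entries that are not served over HTTPS and tests whether an apk-tools version string is at least 2.10.1. The sample file, its URLs and the assumed format of `apk --version` output are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Adélie advisory or from apk-tools.
# Audits an apk repositories file for entries not fetched over HTTPS and
# checks whether an apk-tools version string carries the 2.10.1 fix.

# Prints every remote repository that is not https:// and returns 1 if any
# was found, 0 otherwise. Comment lines, inline comments, blank lines,
# "@tag url" entries and local on-disk repositories ("/path") are handled.
audit_apk_repositories() {
    file="$1"
    bad=0
    while read -r first second _ || [ -n "$first" ]; do
        case "$first" in ''|'#'*) continue ;; esac      # blank or comment line
        case "$first" in @*) url="$second" ;; *) url="$first" ;; esac
        case "$url" in
            ''|'#'*) continue ;;                        # tag with no URL
            https://*) ;;                               # TLS-protected: fine
            /*) ;;                                      # local directory: not network-exposed
            *) printf 'insecure repository: %s\n' "$url"; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# Returns 0 when version "$1" (e.g. "2.10.1" or "2.10.1-r0") is >= 2.10.1.
apk_tools_patched() {
    v="${1%%-*}"                                        # drop an "-rN" package revision
    IFS=. read -r maj min pat <<EOF
$v
EOF
    maj="${maj:-0}"; min="${min:-0}"; pat="${pat:-0}"
    [ "$maj" -gt 2 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -gt 10 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -eq 10 ] && [ "$pat" -ge 1 ] && return 0
    return 1
}

# Constructed sample repositories file for demonstration (URLs are invented).
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# default mirror, served over TLS
https://mirror.example.invalid/adelie/1.0-beta1/system
@testing http://mirror.example.invalid/adelie/testing   # custom entry downgraded to http
/home/user/local-packages
EOF
audit_apk_repositories "$sample" || echo 'Fix the entries above before using apk.'
apk_tools_patched "2.10.0-r0" || echo 'apk-tools 2.10.0-r0 is vulnerable: upgrade to 2.10.1.'
rm -f "$sample"
# On a real host, run audit_apk_repositories /etc/apk/repositories and pass the
# version from "apk --version" (assumed: "apk-tools X.Y.Z, ...") to apk_tools_patched.
```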
This vulnerability was discovered in early September by Max Justicz. A
patch was written on 5 September by Alpine Linux developers and released
on 10 September; the vulnerability was disclosed publicly on 13
September. The Adélie Linux team was not notified of this vulnerability
before the public disclosure. This vulnerability was disclosed
independently to Adélie Linux by Luke Dashjr via the public disclosure
by Max Justicz.
We are deeply troubled by the lack of responsible disclosure by Alpine
Linux, and we are actively investigating steps we may take in the future
to mitigate our continued reliance on Alpine.
Best wishes for updating,
A. Wilcox (awilfox)
Project Lead, Adélie Linux