A grave security vulnerability has been found in apk, the package manager used by Adélie Linux. The vulnerability allows any attacker on the same network as your computer run malicious code as the superuser, if you are not using HTTPS repositories in /etc/apk/repositories.

This should not affect any standard installation of Adélie Linux, as our mirrors force HTTPS and our default repositories file uses HTTPS. However, if you have added your own custom repositories, or replaced ‘https’ with ‘http’ for any reason, you are vulnerable. A patch has been released in apk-tools 2.10.1 and it is critical for you to update all of your Adélie Linux computers immediately. New ISO and root FS images for 1.0-BETA1 went live this morning UTC (around 11 hours ago).

This vulnerability was discovered in early September by Max Justicz. A patch was written on 5 September by Alpine Linux developers and released on 10 September; the vulnerability was disclosed publicly on 13 September. The Adélie Linux team was not notified of this vulnerability before the public disclosure. This vulnerability was disclosed independently to Adélie Linux by Luke Dashjr via the public disclosure by Max Justicz.

We are deeply troubled by the lack of responsible disclosure by Alpine Linux, and we are actively investigating steps we may take in the future to mitigate our continued reliance on Alpine.