A grave security vulnerability has been found in `apk`[1], the package manager used by Adélie Linux. The vulnerability allows any attacker on the same network as your computer run malicious code as the superuser, if you are not using HTTPS repositories /etc/apk/repositories.
This should not affect any standard installation of Adélie Linux, as our mirrors force HTTPS and our default repositories file uses HTTPS. However, if you have added your own custom repositories, or replaced 'https' with 'http' for any reason, you are vulnerable. A patch has been released in apk-tools 2.10.1 and it is critical for you to update all of your Adélie Linux computers immediately. New ISO and root FS images for 1.0-BETA1 went live last night. This vulnerability was discovered in early September by Max Justicz. A patch was written on 5 September by Alpine Linux developers and released on 10 September; the vulnerability was disclosed publicly on 13 September. The Adélie Linux team was not notified of this vulnerability before the public disclosure. This vulnerability was disclosed independently to Adélie Linux by Luke Dashjr via the public disclosure by Max Justicz. We are deeply troubled by the lack of responsible disclosure by Alpine Linux, and we are actively investigating steps we may take in the future to mitigate our continued reliance on Alpine. [1]: https://justi.cz/security/2018/09/13/alpine-apk-rce.html Best wishes for updating, --arw -- A. Wilcox (awilfox) Project Lead, Adélie Linux https://www.adelielinux.org
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Adélie Development mailing list -- adelie-devel@lists.adelielinux.org To unsubscribe send an email to adelie-devel-le...@lists.adelielinux.org
