diff --git a/swift-ci/sdks/static-linux/resources/patches/musl/0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch b/swift-ci/sdks/static-linux/resources/patches/musl/0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch
new file mode 100644
index 00000000..e62d28d4
--- /dev/null
+++ b/swift-ci/sdks/static-linux/resources/patches/musl/0001-iconv-fix-erroneous-input-validation-in-EUC-KR-decod.patch
@@ -0,0 +1,38 @@
+>From e5adcd97b5196e29991b524237381a0202a60659 Mon Sep 17 00:00:00 2001
+From: Rich Felker
+Date: Sun, 9 Feb 2025 10:07:19 -0500
+Subject: [PATCH] iconv: fix erroneous input validation in EUC-KR decoder
+
+as a result of incorrect bounds checking on the lead byte being
+decoded, certain invalid inputs which should produce an encoding
+error, such as "\xc8\x41", instead produced out-of-bounds loads from
+the ksc table.
+
+in a worst case, the loaded value may not be a valid unicode scalar
+value, in which case, if the output encoding was UTF-8, wctomb would
+return (size_t)-1, causing an overflow in the output pointer and
+remaining buffer size which could clobber memory outside of the output
+buffer.
+
+bug report was submitted in private by Nick Wellnhofer on account of
+potential security implications.
+---
+ src/locale/iconv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 9605c8e9..008c93f0 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -502,7 +502,7 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ if (c >= 93 || d >= 94) {
+ c += (0xa1-0x81);
+ d += 0xa1;
+- if (c >= 93 || c>=0xc6-0x81 && d>0x52)
++ if (c > 0xc6-0x81 || c==0xc6-0x81 && d>0x52)
+ goto ilseq;
+ if (d-'A'<26) d = d-'A';
+ else if (d-'a'<26) d = d-'a'+26;
+-- 
+2.21.0
+
diff --git a/swift-ci/sdks/static-linux/resources/patches/musl/0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch b/swift-ci/sdks/static-linux/resources/patches/musl/0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch
new file mode 100644
index 00000000..9b64508c
--- /dev/null
+++ b/swift-ci/sdks/static-linux/resources/patches/musl/0002-iconv-harden-UTF-8-output-code-path-against-input-de.patch
@@ -0,0 +1,38 @@
+>From c47ad25ea3b484e10326f933e927c0bc8cded3da Mon Sep 17 00:00:00 2001
+From: Rich Felker
+Date: Wed, 12 Feb 2025 17:06:30 -0500
+Subject: [PATCH] iconv: harden UTF-8 output code path against input decoder
+ bugs
+
+the UTF-8 output code was written assuming an invariant that iconv's
+decoders only emit valid Unicode Scalar Values which wctomb can encode
+successfully, thereby always returning a value between 1 and 4.
+
+if this invariant is not satisfied, wctomb returns (size_t)-1, and the
+subsequent adjustments to the output buffer pointer and remaining
+output byte count overflow, moving the output position backwards,
+potentially past the beginning of the buffer, without storing any
+bytes.
+---
+ src/locale/iconv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/locale/iconv.c b/src/locale/iconv.c
+index 008c93f0..52178950 100644
+--- a/src/locale/iconv.c
++++ b/src/locale/iconv.c
+@@ -545,6 +545,10 @@ size_t iconv(iconv_t cd, char **restrict in, size_t *restrict inb, char **restri
+ if (*outb < k) goto toobig;
+ memcpy(*out, tmp, k);
+ } else k = wctomb_utf8(*out, c);
++ /* This failure condition should be unreachable, but
++ * is included to prevent decoder bugs from translating
++ * into advancement outside the output buffer range. */
++ if (k>4) goto ilseq;
+ *out += k;
+ *outb -= k;
+ break;
+-- 
+2.21.0
+
+
diff --git a/swift-ci/sdks/static-linux/scripts/build.sh b/swift-ci/sdks/static-linux/scripts/build.sh
index b7da4346..73e8795b 100755
--- a/swift-ci/sdks/static-linux/scripts/build.sh
+++ b/swift-ci/sdks/static-linux/scripts/build.sh @@ -97,7 +97,7 @@ function declare_package } declare_package static_linux_sdk \ - "Swift statically linked SDK for Linux" \ + "Swift Static SDK for Linux" \ "Apache-2.0" "https://swift.org/install/sdk" declare_package swift "swift" "Apache-2.0" "https://swift.org" declare_package musl "musl" "MIT" "https://musl.org" @@ -109,9 +109,13 @@ declare_package curl "curl" "MIT" "https://curl.se" declare_package boringssl "boringssl" "OpenSSL AND ISC AND MIT" \ "https://boringssl.googlesource.com/boringssl/" declare_package zlib "zlib" "Zlib" "https://zlib.net" +declare_package bzip2 "bzip2" "bzip2-1.0.6" "https://sourceware.org/bzip2/" +declare_package xz "XZ Utils" "0BSD" "https://tukaani.org/xz" +declare_package libarchive "libarchive" "BSD-2-Clause" "https://www.libarchive.org" +declare_package mimalloc "mimalloc" "MIT" "https://microsoft.github.io/mimalloc/" # Parse command line arguments -static_linux_sdk_version=0.0.1 +static_linux_sdk_version=0.1.0 sdk_name= archs=x86_64,aarch64 build_type=RelWithDebInfo @@ -208,6 +212,15 @@ boringssl_version=$(describe ${source_dir}/boringssl) zlib_version=$(versionFromTag ${source_dir}/zlib) +bzip2_desc=$(describe ${source_dir}/bzip2) +bzip2_version=${bzip2_desc#bzip2-} + +libarchive_version=$(versionFromTag ${source_dir}/libarchive) + +mimalloc_version=$(versionFromTag ${source_dir}/mimalloc) + +xz_version=$(versionFromTag ${source_dir}/xz) + function quiet_pushd { pushd "$1" >/dev/null 2>&1 } @@ -233,6 +246,10 @@ echo " - libxml2 ${libxml2_version}" echo " - curl ${curl_version}" echo " - BoringSSL ${boringssl_version}" echo " - zlib ${zlib_version}" +echo " - bzip2 ${bzip2_version}" +echo " - xz ${xz_version}" +echo " - libarchive ${libarchive_version}" +echo " - mimalloc ${mimalloc_version}" function run() { echo "$@" 
@@ -268,6 +285,19 @@ else exit 1 fi +echo "Applying Musl security patches... " +for patch in $(realpath "${resource_dir}/patches/musl")/*; do + echo -n " $(basename $patch)..." + if git -C ${source_dir}/musl apply --reverse --check "$patch" >/dev/null 2>&1; then + echo "already patched" + elif git -C ${source_dir}/musl apply "$patch" >/dev/null 2>&1; then + echo "done" + else + echo "failed" + exit 1 + fi +done + for arch in $archs; do # Fix architecture names @@ -299,7 +329,7 @@ for arch in $archs; do cat > $sdk_root/SDKSettings.json < info.json <|--swift-tag |--swift-version ] - [--musl-version ] [--libxml2-version ] - [--curl-version ] [--boringssl-version ] + [--bzip2-version ] + [--curl-version ] + [--libarchive-version ] + [--libxml2-version ] + [--mimalloc-version ] + [--musl-version ] + [--xz-version ] [--zlib-version ] [--clone-with-ssh] [--source-dir ] @@ -72,10 +77,14 @@ SDK for Swift. Options are: If starts with "scheme:" or "tag:", it will select a scheme or tag; otherwise it will be treated as a version number. - --musl-version - --libxml2-version - --curl-version --boringssl-version + --bzip2-version + --curl-version + --libarchive-version + --libxml2-version + --mimalloc-version + --musl-version + --xz-version --zlib-version Select the versions of other dependencies. EOF 
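Review bot: In the musl patch loop the forward `git apply` on the `elif` line sends stderr to `/dev/null`, so when a patch does not apply the script prints only `failed` and exits with no indication of which hunk rejected or why; keep the stdout redirect but let stderr through, `elif git -C "${source_dir}/musl" apply "$patch" >/dev/null; then`. The loop also globs `$(realpath "${resource_dir}/patches/musl")/*` and expands `$patch` and `$(basename $patch)` unquoted; narrowing the glob to `*.patch` and quoting the expansions (`"$(basename "$patch")"`) stops a stray file or a path with spaces from being fed to `git apply`. The reverse `--check` only recognises an exact prior application, so a musl checkout that already carries the upstream fix in a different form falls through to a hard failure; that is a reasonable fail-closed choice but deserves a comment such as `# Fail closed: a patch that neither applies nor reverses cleanly means the musl tree is not the one we expect`.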
@@ -89,17 +98,29 @@ if [[ -z "${MUSL_VERSION}" ]]; then MUSL_VERSION=1.2.5 fi if [[ -z "${LIBXML2_VERSION}" ]]; then - LIBXML2_VERSION=2.12.7 + LIBXML2_VERSION=2.14.5 fi if [[ -z "${CURL_VERSION}" ]]; then - CURL_VERSION=8.7.1 + CURL_VERSION=8.15.0 fi if [[ -z "${BORINGSSL_VERSION}" ]]; then - BORINGSSL_VERSION=fips-20220613 + BORINGSSL_VERSION=817ab07ebb53da35afea409ab9328f578492832d fi if [[ -z "${ZLIB_VERSION}" ]]; then ZLIB_VERSION=1.3.1 fi +if [[ -z "${BZIP2_VERSION}" ]]; then + BZIP2_VERSION=1.0.8 +fi +if [[ -z "${LIBARCHIVE_VERSION}" ]]; then + LIBARCHIVE_VERSION=3.8.1 +fi +if [[ -z "${MIMALLOC_VERSION}" ]]; then + MIMALLOC_VERSION=2.2.4 +fi +if [[ -z "${XZ_VERSION}" ]]; then + XZ_VERSION=5.8.1 +fi clone_with_ssh=false while [ "$#" -gt 0 ]; do @@ -120,6 +141,14 @@ while [ "$#" -gt 0 ]; do BORINGSSL_VERSION="$2"; shift ;; --zlib-version) ZLIB_VERSION="$2"; shift ;; + --bzip2-version) + BZIP2_VERSION="$2"; shift ;; + --libarchive-version) + LIBARCHIVE_VERSION="$2"; shift ;; + --mimalloc-version) + MIMALLOC_VERSION="$2"; shift ;; + --xz-version) + XZ_VERSION="$2"; shift ;; --clone-with-ssh) clone_with_ssh=true ;; --source-dir) 
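Review bot: The new default `BORINGSSL_VERSION=817ab07ebb53da35afea409ab9328f578492832d` replaces the `fips-20220613` tag with a bare commit hash and carries no comment saying what that commit is, when it was taken, or why the FIPS-tagged line was dropped, so the next person bumping it has nothing to go on. Pinning a TLS dependency to an immutable hash is the right direction; record the rationale inline, e.g. `# BoringSSL publishes no release tags; pin an explicit upstream commit and note the date here when bumping`. The other defaults added or changed in this hunk (`LIBXML2_VERSION`, `CURL_VERSION`, `BZIP2_VERSION`, `LIBARCHIVE_VERSION`, `MIMALLOC_VERSION`, `XZ_VERSION`) remain mutable tag names, so the build is only partially pinned; a one-line note acknowledging that difference would help a reader who wonders why BoringSSL is treated differently.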
@@ -208,3 +237,35 @@ header "Fetching zlib"
 pushd zlib >/dev/null 2>&1
 git checkout v${ZLIB_VERSION}
 popd >/dev/null 2>&1
+
+# Fetch bzip2
+header "Fetching bzip2"
+
+[[ -d bzip2 ]] | git clone git://sourceware.org/git/bzip2.git
+pushd bzip2 >/dev/null 2>&1
+git checkout bzip2-${BZIP2_VERSION}
+popd >/dev/null 2>&1
+
+# Fetch libarchive
+header "Fetching libarchive"
+
+[[ -d libarchive ]] | git clone ${github}libarchive/libarchive.git
+pushd libarchive >/dev/null 2>&1
+git checkout v${LIBARCHIVE_VERSION}
+popd >/dev/null 2>&1
+
+# Fetch mimalloc
+header "Fetching mimalloc"
+
+[[ -d mimalloc ]] | git clone ${github}microsoft/mimalloc.git
+pushd mimalloc >/dev/null 2>&1
+git checkout v${MIMALLOC_VERSION}
+popd
+
+# Fetch xz-utils
+header "Fetching xz"
+
+[[ -d xz ]] | git clone ${github}tukaani-project/xz.git
+pushd xz >/dev/null 2>&1
+git checkout v${XZ_VERSION}
+popd
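Review bot: `git clone git://sourceware.org/git/bzip2.git` fetches bzip2 over the unauthenticated, unencrypted git:// transport, so the source that gets compiled into the SDK can be swapped by anyone on the network path; use the HTTPS endpoint instead, `git clone https://sourceware.org/git/bzip2.git`. Every new checkout in this hunk is by tag name (`bzip2-${BZIP2_VERSION}`, `v${LIBARCHIVE_VERSION}`, `v${MIMALLOC_VERSION}`, `v${XZ_VERSION}`) and tags are mutable, so nothing confirms the fetched tree is the one that was reviewed; comparing `git rev-parse HEAD` after each checkout against an expected commit hash would close that gap for these compression and allocator components the way a hash pin does for BoringSSL. As rendered here the guards read `[[ -d bzip2 ]] | git clone ...` with a single `|`, which is a pipe that throws away the test's exit status and runs the clone unconditionally; if the file really contains `|` rather than `||`, each should be `[[ -d bzip2 ]] || git clone https://sourceware.org/git/bzip2.git` and likewise for the other three. The mimalloc and xz `popd` calls also drop the `>/dev/null 2>&1` that the bzip2 and libarchive ones keep.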