CVE-2019-15795

Name: CVE-2019-15795
Description: python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. This allows a man-in-the-middle attack which could potentially be used to install altered packages and has been fixed in versions 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2074-1, DSA-4609-1
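The weakness described above is a download verifier that compares only the MD5sum field of the (signed) package record against the fetched bytes. MD5 is not collision-resistant, so an MD5 match alone does not rule out an altered file. The following is an added example, not python-apt's own code or the patched `fetch_binary()`: it places the MD5-only check beside a hardened check that refuses records carrying no collision-resistant hash and verifies every hash field present. The record fields (`MD5sum`, `SHA1`, `SHA256`, `SHA512`), the sample .deb bytes and the `fetch_check_*` names are constructed for the illustration.

```python
"""Illustrative download-verification checks for the CVE-2019-15795 pattern.

Added example, not python-apt code. Models a fetch routine that trusts only
the MD5sum field of a package record, beside a hardened variant that requires
a collision-resistant hash and checks every hash field the record carries.
"""
import hashlib

# Record field name -> hashlib algorithm, as the fields appear in
# Packages/Sources stanzas (field names are the constructed assumption here).
HASH_FIELDS = {"SHA512": "sha512", "SHA256": "sha256", "SHA1": "sha1", "MD5sum": "md5"}

# Only these count as a usable integrity check on their own; MD5 and SHA-1 do not.
STRONG_HASHES = ("SHA512", "SHA256")


def digest(data: bytes, algo: str) -> str:
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def fetch_check_md5_only(data: bytes, record: dict) -> bool:
    """Vulnerable pattern: accept the download if its MD5 matches the record.

    Ignores stronger hashes even when the record provides them.
    """
    return digest(data, "md5") == record.get("MD5sum")


def fetch_check_strong(data: bytes, record: dict) -> bool:
    """Hardened pattern.

    Refuse outright when the record has no collision-resistant hash, otherwise
    require every hash field present in the record to match the download.
    """
    if not any(field in record for field in STRONG_HASHES):
        raise ValueError("record carries no collision-resistant hash; refusing to verify")
    for field, algo in HASH_FIELDS.items():
        if field in record and digest(data, algo) != record[field]:
            return False
    return True


def make_record(data: bytes, *fields: str) -> dict:
    """Build a constructed package record holding the requested hash fields for data."""
    return {field: digest(data, HASH_FIELDS[field]) for field in fields}


# Constructed sample bytes standing in for a downloaded .deb; not a real archive.
SAMPLE_DEB = b"!<arch>\ndebian-binary   constructed sample, not a real .deb\n"
# The same file after an on-path attacker appended content in transit.
TAMPERED_DEB = SAMPLE_DEB + b"# attacker-inserted payload\n"


def demo() -> dict:
    """Run both verifiers against genuine and tampered downloads; return the outcomes."""
    legacy_record = make_record(SAMPLE_DEB, "MD5sum")
    modern_record = make_record(SAMPLE_DEB, "MD5sum", "SHA256")

    results = {
        "md5_only_accepts_genuine": fetch_check_md5_only(SAMPLE_DEB, legacy_record),
        "md5_only_rejects_tampered": not fetch_check_md5_only(TAMPERED_DEB, legacy_record),
        "strong_accepts_genuine": fetch_check_strong(SAMPLE_DEB, modern_record),
        "strong_rejects_tampered": not fetch_check_strong(TAMPERED_DEB, modern_record),
    }
    # The hardened check must not fall back to MD5 when that is all the record has.
    try:
        fetch_check_strong(SAMPLE_DEB, legacy_record)
        results["strong_refuses_md5_only_record"] = False
    except ValueError:
        results["strong_refuses_md5_only_record"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The design point is the refusal path: a verifier that silently falls back to MD5 when no stronger field is present behaves exactly like the vulnerable one on an old or attacker-stripped record, so the hardened check treats "no strong hash" as an error rather than as a pass.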

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release                     Version   Status
python-apt (PTS)   buster, buster (security)   1.8.4.3   fixed
                   bullseye                    2.2.1     fixed
                   bookworm                    2.6.0     fixed
                   trixie                      2.7.6     fixed
                   sid                         2.8.0     fixed

The information below is based on the following data on fixed versions.

Package      Type     Release      Fixed Version   Urgency   Origin       Debian Bugs
python-apt   source   jessie       0.9.3.13                  DLA-2074-1
python-apt   source   stretch      1.4.1                     DSA-4609-1
python-apt   source   buster       1.8.4.1                   DSA-4609-1
python-apt   source   (unstable)   1.8.5

Notes

https://salsa.debian.org/apt-team/python-apt/commit/e175130e51c2b0424f3dfeb825e3dc598fec1a24 (1.8.5)
