CVE-2019-15796

Name: CVE-2019-15796
Description: Python-apt does not check whether hashes are signed in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py, or in `_fetch_archives()` of apt/cache.py, in version 1.9.3ubuntu2 and earlier. This allows downloads from unsigned repositories, which should not be allowed: the digests in an unsigned Packages index are attacker-controlled, so verifying a download against them proves nothing. Fixed in versions 1.9.5, 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5.
Source: CVE
References: DLA-2074-1, DSA-4609-1
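The following is an added illustration of the flaw described above, not python-apt's own code and not the upstream fix: it models `apt.package.Origin` and `apt.package.Version` with constructed stand-ins (same attribute names `origins[].trusted` and a per-version hash list), shows a fetch routine that checks only integrity (the pre-fix pattern) beside one that first requires a trusted, signed origin, and demonstrates with a constructed rogue repository why hash verification alone is insufficient. The `allow_unauthenticated` parameter name and the scenario data are this example's own assumptions.

```python
"""Why unsigned hashes are worthless: a modelled fetch_binary() before and after
an authenticity check. Origin/Version are constructed stand-ins for the
python-apt classes, not the real apt module."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


class UntrustedOriginError(Exception):
    """Refusing to fetch: no signed repository index vouches for the hashes."""


@dataclass
class Origin:
    # Stand-in for apt.package.Origin (constructed). apt sets `trusted` only
    # after the Release file signature verified against a known key.
    site: str
    trusted: bool


@dataclass
class Version:
    # Stand-in for apt.package.Version (constructed). `hashes` maps a hashlib
    # algorithm name to the hex digest recorded in the repository's Packages index.
    package: str
    version: str
    origins: List[Origin]
    hashes: Dict[str, str] = field(default_factory=dict)


def hashes_match(data: bytes, hashes: Dict[str, str]) -> bool:
    """Integrity check: the downloaded bytes match every digest the index recorded."""
    return bool(hashes) and all(
        hashlib.new(algo, data).hexdigest() == digest for algo, digest in hashes.items()
    )


def fetch_binary_vulnerable(ver: Version, download: bytes) -> bytes:
    # Pre-fix pattern: integrity is verified, but nobody asks whether the
    # hash list itself came from a signed index. An attacker who serves the
    # unsigned repository picks both the payload and its digest.
    if not hashes_match(download, ver.hashes):
        raise ValueError("hash mismatch")
    return download


def fetch_binary_fixed(ver: Version, download: bytes,
                       allow_unauthenticated: bool = False) -> bytes:
    # Post-fix pattern: the digests are only meaningful if at least one origin
    # is trusted (signed). The opt-in flag name is an assumption of this example.
    if not allow_unauthenticated and not any(o.trusted for o in ver.origins):
        sites = [o.site for o in ver.origins]
        raise UntrustedOriginError(f"{ver.package}: no trusted origin among {sites}")
    if not hashes_match(download, ver.hashes):
        raise ValueError("hash mismatch")
    return download


def demo() -> Dict[str, str]:
    """Run both fetchers over a constructed rogue repo and a constructed signed one."""
    results: Dict[str, str] = {}

    # Constructed scenario: attacker-controlled, unsigned repository. The Packages
    # index it serves carries the digest of the malicious .deb, so integrity passes.
    evil_deb = b"malicious control.tar + payload"
    rogue = Version("hello", "2.10-2", [Origin("evil.example", trusted=False)],
                    {"sha256": hashlib.sha256(evil_deb).hexdigest()})

    # Constructed scenario: signed repository, Release signature verified by apt.
    good_deb = b"legitimate package contents"
    good = Version("hello", "2.10-2", [Origin("deb.debian.org", trusted=True)],
                   {"sha256": hashlib.sha256(good_deb).hexdigest()})

    results["vulnerable_rogue"] = "accepted" if fetch_binary_vulnerable(rogue, evil_deb) else "rejected"
    try:
        fetch_binary_fixed(rogue, evil_deb)
        results["fixed_rogue"] = "accepted"
    except UntrustedOriginError:
        results["fixed_rogue"] = "rejected"
    results["fixed_good"] = "accepted" if fetch_binary_fixed(good, good_deb) else "rejected"
    # Explicit opt-in restores the old behaviour, now as a deliberate caller decision.
    results["fixed_rogue_opt_in"] = (
        "accepted" if fetch_binary_fixed(rogue, evil_deb, allow_unauthenticated=True) else "rejected"
    )
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the rogue case makes is that the hash comparison in the vulnerable fetcher succeeds: integrity and authenticity are different properties, and only a signed index (a trusted origin) turns a digest into evidence about what the distribution actually published.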

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      Release                        Version    Status
python-apt (PTS)    jessie                         0.9.3.12   vulnerable
                    jessie (security)              0.9.3.13   fixed
                    stretch, stretch (security)    1.4.1      fixed
                    buster, buster (security)      1.8.4.1    fixed
                    bullseye, sid                  1.9.10     fixed

The information below is based on the following data on fixed versions.

Package      Type     Release      Fixed Version   Urgency   Origin       Debian Bugs
python-apt   source   (unstable)   1.8.5
python-apt   source   buster       1.8.4.1                   DSA-4609-1
python-apt   source   jessie       0.9.3.13                  DLA-2074-1
python-apt   source   stretch      1.4.1                     DSA-4609-1

Notes

https://salsa.debian.org/apt-team/python-apt/commit/b4eef110b7ba4fb21cc0dd92585756f50e0100c9 (1.8.5)
https://salsa.debian.org/apt-team/python-apt/commit/e3321eb9792bf3b4cace4cee47dc6da00fbee929 (1.8.5)
