
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2019-15796 affects python-apt versions 1.9.3ubuntu2 and earlier, where the software fails to verify if hashes are signed in Version.fetch_binary() and Version.fetch_source() of apt/package.py or in _fetch_archives() of apt/cache.py. The vulnerability was discovered in August 2019 and patches were released in January 2020 (CVE MITRE, Ubuntu Security).
The vulnerability has a CVSS 3.1 Base Score of 4.7 (Medium), with the following characteristics: Network attack vector, High attack complexity, No privileges required, User interaction required, Changed scope, Low confidentiality impact, Low integrity impact, and No availability impact. The vector string is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N (Ubuntu Security).
The vulnerability allows downloads from unsigned repositories, which should not be permitted, potentially compromising system security by enabling the installation of packages from untrusted sources (Ubuntu Security Notice).
The vulnerability has been fixed in multiple versions including 1.9.5, 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5. Users are advised to update their systems through standard system updates to apply the necessary patches (Ubuntu Security Notice).
Source: This report was generated using AI