Versions mentioned in the description apply to the upstream
Remediation section below for
Debian:9 relevant versions.
APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package.
apt to version 1.0.9 or higher.