This bug was fixed in the package apt - 1.2.15

---------------
apt (1.2.15) xenial; urgency=medium

  New micro release with bug fixes up to (and including) 1.3.1 (LP: #1638021)

  [ Julian Andres Klode ]
  * methods/ftp: Cope with weird PASV responses.
    Thanks to Lukasz Stelmach for the initial patch (Closes: #420940)
  * Fix buffer overflow in debListParser::VersionHash() (Closes: #828812)
  * cache: Bump minor version to 6
  * indextargets: Check that cache could be built before using it
    (Closes: #829651)
  * gpgv: Unlink the correct temp file in error case
  * fileutl: empty file support: Avoid fstat() on -1 fd and check result
  * Ignore SIGINT and SIGQUIT for Pre-Install hooks
  * install-progress: Call the real ::fork() in our fork() method
  * Accept --autoremove as alias for --auto-remove
  * apt-inst: debfile: Pass comp. Name to ExtractTar, not Binary
  * changelog: Respect Dir setting for local changelog getting
  * Fix segfault and out-of-bounds read in Binary fields
  * Merge translations from 1.3~rc3
  * TagFile: Fix off-by-one errors in comment stripping
  * Base256ToNum: Fix uninitialized value
  * VersionHash: Do not skip too long dependency lines
  * Do not read stderr from proxy autodetection scripts

  [ Nicolas Le Cam ]
  * Use the ConditionACPower feature of systemd in the apt-daily service
    (Closes: #827930)

  [ David Kalnischkies ]
  * close server if parsing of header field failed
  * don't do atomic overrides with failed files (Closes: 828908)
  * if reading of autobit state failed, let write fail
  * write auto-bits before calling dpkg & again after if needed
  * factor out Pkg/DepIterator prettyprinters into own header
  * protect only the latest same-source providers from autoremove
  * reinstalling local deb file is no downgrade
  * do not treat same-version local debs as downgrade
  * avoid 416 response teardown binding to null pointer
  * don't change owner/perms/times through file:// symlinks
  * report all instead of first error up the acquire chain
  * keep trying with next if connection to a SRV host failed
  * call flush on the wrapped writebuffered FileFd
  * verify hash of input file in rred
  * use proper warning for automatic pipeline disable
  * rred: truncate result file before writing to it (Closes: #831762)
  * if the FileFd failed already following calls should fail, too
  * pass --force-remove-essential to dpkg only if needed
  * allow user@host (aka: no password) in URI parsing
  * drop incorrect const attribute from DirectoryExists (LP: 1473674)
  * http(s): allow empty values for header fields (Closes: 834048)
  * don't try pipelining if server closes connections (Closes: #832113)
  * don't loop on pinning pkgs from absolute debs by regex (Closes: 835818)
  * try not to call memcpy with length 0 in hash calculations
  * abort connection on '.' target replies in SRV

  [ Andrew Patterson ]
  * Add kernels with "+" in the package name to APT::NeverAutoRemove
    (Closes: #830159)

  [ Mert Dirik ]
  * Turkish program translation update (Closes: 832039)

  [ Zhou Mo ]
  * zh_CN.po: update simplified chinese translation

 -- Julian Andres Klode <email address hidden>  Mon, 31 Oct 2016 15:29:08 +0100