diff --git a/apt/files/50debconf-exec-tmp b/apt/files/50debconf-exec-tmp
new file mode 100644
index 0000000000000000000000000000000000000000..ed2f4bc0568b6610d7fb0e424175a042dd950b7d
--- /dev/null
+++ b/apt/files/50debconf-exec-tmp
@@ -0,0 +1,4 @@
+# several packages execute scripts written to /tmp
+# this is officially a bug and /tmp is usually noexec on our systems
+DPkg::Pre-Invoke {"mount -o remount,exec /tmp";};
+DPkg::Post-Invoke {"mount -o remount,noexec /tmp";};
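Review bot: The two hook lines lift noexec on /tmp for the whole dpkg run and rely on Post-Invoke to restore it, so an apt run that is killed or stops before Post-Invoke leaves a world-writable directory executable until something remounts it. The header comment should state this, e.g. `# NOTE: /tmp stays exec if apt stops before Post-Invoke runs; re-check mount options after failed runs`. If the affected scripts are the debconf template extractions the filename suggests, `APT::ExtractTemplates::TempDir "<root-only exec-capable dir>";` would avoid changing the /tmp mount flags at all. It is worth confirming which packages actually need the remount before choosing between the two.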
diff --git a/apt/tasks/main.yml b/apt/tasks/main.yml
index 7894c93e01d1716df28ecf2de2c3301323d19fd9..10a384940507a47a4f4878ddaf3539f3c99e0566 100644
--- a/apt/tasks/main.yml
+++ b/apt/tasks/main.yml
@@ -2,3 +2,9 @@
 
 - include: repositories.yml
 - meta: flush_handlers
+
+- name: ensure fix of /tmp script bug
+  copy: src=50debconf-exec-tmp dest=/etc/apt/apt.conf.d/ owner=root group=root mode=0644
+  tags:
+    - config
+    - apt
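Review bot: The copy task has no condition, so the hook is installed on every host the role runs on, including those where /tmp is not a separate noexec mount (the conf file's own comment says "usually"). On such hosts the Pre-Invoke remount would presumably fail and block apt, or the Post-Invoke would change the mount options of a /tmp that was exec before. Gate the task on the mount facts, for example `when: ansible_mounts | selectattr('mount', 'equalto', '/tmp') | list | length > 0`, ideally also checking that the entry's options contain noexec. As a style point, the `key=value` argument string reads better as a YAML mapping under `copy:` with `mode: "0644"` quoted.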