So, Debian and Ubuntu are basically safe. The only attack vector is that if a malicious person controls the mirror you are updating from, he can stop updating his mirror so that you would not get patches, in the hope that an exploitable bug would be found and patched.
Which will fail anyway because security patches are provided via a separate, centralized repository, such as security.debian.org, and the attacker would have to repeatedly intercept HTTP requests to that mirror and replay the old package status to you to prevent you from updating.
Very weak attack vector.
If the attacker has such control over your infrastructure, he could just as well block you from connecting to update sites completely (if you can forge DNS, you can return 0 entries as well), preventing any possible update system from working.
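
As an added example (not part of the original comment): a client-side check on a mirror's signature-verified Release metadata that flags a frozen or replayed index. The sample Release text, the function names and the 7-day `max_age` threshold are assumptions; `Date` and `Valid-Until` are standard Release file fields.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample of a Release file header (not copied from a real mirror).
SAMPLE_RELEASE = """\
Origin: Debian
Suite: stable-security
Date: Sat, 01 Jun 2024 08:00:00 UTC
Valid-Until: Sat, 08 Jun 2024 08:00:00 UTC
Architectures: amd64 arm64
SHA256:
 0000000000000000000000000000000000000000000000000000000000000000 1234 main/binary-amd64/Packages
"""

def _to_utc(value):
    """Parse an RFC 2822 style date; treat a missing zone as UTC."""
    if not value:
        return None
    dt = parsedate_to_datetime(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def parse_release_dates(text):
    """Return (date, valid_until) from Release metadata; either may be None."""
    fields = {}
    for line in text.splitlines():
        # Indented lines are checksum entries continuing a previous field.
        if line[:1] in (" ", "\t") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return _to_utc(fields.get("date")), _to_utc(fields.get("valid-until"))

def freeze_check(text, now, max_age=timedelta(days=7)):
    """Classify already signature-verified Release metadata.

    max_age is a local policy assumption, used when Valid-Until is absent.
    """
    date, valid_until = parse_release_dates(text)
    if date is None:
        return "unknown"
    if valid_until is not None:
        return "expired" if now > valid_until else "fresh"
    return "stale" if now - date > max_age else "fresh"

if __name__ == "__main__":
    print(freeze_check(SAMPLE_RELEASE, datetime.now(timezone.utc)))
```

The result is only meaningful when the Release data has passed signature verification first, since an unsigned `Date` or `Valid-Until` can be rewritten by whoever controls the mirror.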