Which will fail anyway because security patches are provided via a separate, centralized repository, such as security.debian.org and the attacker would have to repeatedly intercept http requests to that mirror and replay you the old package status to prevent you from updating.
Very weak attack vector.
If the attacker has such control over your infrastructure he could just as well block you from connecting to update sites completely (if you can forge DNS, you can return 0 entries as well) preventing any possible update system from working.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds