There is a flaw in the apt package manager which would allow an attacker to get root privileges on a machine.
Here is the mitigation from the Debian Mailing List
https://lists.debian.org/debian-security-announce/2019/msg00010.html
Since you are updating the package manager itself you can use these commands to update without the risk of a redirect.
apt -o Acquire::http::AllowRedirect=false update
apt -o Acquire::http::AllowRedirect=false upgrade
1 Like