Operating System Software and Updates
Using onion sources may or may not protect from this vulnerability.
Debian’s security announcement does not mention Debian onion sources. Redirects might also be used by onion mirrors. Debian has to the knowledge of Whonix not released information where Debian onion sources are hosted. Onion sources are also just a mirror. And mirrors may also be in a position to attempt a man-in-the-middle attack.
Building Whonix is currently not safe. Will elaborate soon.