The attack scenario is as follows:
1. A user creates a new Ubuntu installation with debootstrap.
2. The user assumes that, because they're fetching all the packages online
from the server, they're getting the latest versions and don't need to
upgrade immediately.
3. The user is attacked via
*** This bug is a security vulnerability ***
Public security bug reported:
It doesn't really make sense that when using debootstrap to create an
Ubuntu chroot|container|directory|installation|whatever, old versions
of packages will be installed, rather than the latest versions from the
archives.