I use 2 Olimex A20 Micro with Debian stable as personal servers (Web, Email, Backup). One of them had already installed the toxic update via unattended-upgrades. Fortunately I did not configure automatic reboot. So I had the chance to read about the issue here on Hacker News and reinstall the old version:

$ wget https://snapshot.debian.org/archive/debian/20181028T150508Z/...

$ dpkg -i linux-image-4.9.0-8-armmp-lpae_4.9.130-2_armhf.deb

and set the version on hold:

$ apt-mark hold linux-image-4.9.0-8-armmp-lpae