Debian 13.6 Released: Secure Boot CA Transition Headlines the Sixth “Trixie” Point Update

The Debian project has released Debian 13.6, the sixth point update to the stable “trixie” release, on July 11, 2026. As with all point releases, this isn’t a new version — it rolls up existing security fixes and a handful of corrections for serious problems. Existing installs simply upgrade from a Debian mirror; there’s no need to reinstall or discard old media.

The Headline: Secure Boot CA Expiry

The most consequential change is a fix for an industry-wide UEFI Secure Boot certificate transition. The 2013 UEFI Secure Boot CA — installed by default on most PCs and used to sign bootloaders — has now expired. Left unaddressed, future updates to shim-signed could leave systems unable to boot with Secure Boot enabled.

To handle this, fwupd has been updated to upstream 2.0.20, which can update the Secure Boot certificate authority (CA), Key Exchange Key (KEK), and revocation (DBX) databases. Debian strongly advises users to apply the CA, KEK, and DBX updates from their system OEM, following the official Secure Boot CA guidance. This is the one item every trixie user should act on.

geoip-database Reverted for Licensing

For licensing reasons, geoip-database has been reverted to a version dated roughly December 2019. Newer GeoLite versions are not compatible with the Debian Free Software Guidelines and can’t be distributed. As a result, applications relying on this package may use out-of-date allocation data — Debian encourages consumers to obtain a GeoLite license directly and stop depending on the packaged database.

A Broad Sweep of Security Fixes

The bulk of 13.6 is security hardening across a large set of packages. Some of the more notable corrections:

  • apache2 — use-after-free, XSS, buffer overflow, DoS, and out-of-bounds read fixes (a dozen-plus CVEs).
  • curl — a large batch covering bearer-token redirect leaks, STARTTLS clear-text reuse, SMB use-after-free, and stale cookie/credential leaks.
  • qemu — new stable release with two dozen-plus security fixes.
  • python3.13 — HTTP header injection (CVE-2026-1502), path traversal, SSRF, and multiple DoS fixes.
  • shim / shim-signed — updated for the 2023 Microsoft UEFI CA compatibility and SBAT revocation level, tied to the Secure Boot transition above.
  • sshfs-fuse — new contain_symlinks option to block symlink-escape attacks, plus hostname-injection hardening.
  • mutt, libxml2, protobuf, pyopenssl, rsync, wireshark, samba, postfix — all received stable/security updates.

Separately, the update folds in a long list of Debian Security Advisories (DSA-6250 through DSA-6384) already issued for packages like chromium, the Linux kernel, firefox-esr, thunderbird, openssl, nginx, samba, and many more.

Upgrading

Users who regularly install updates from security.debian.org will already have most of these packages and won’t see many changes. Everyone else can upgrade by pointing their package manager at an up-to-date Debian mirror:

sudo apt update && sudo apt full-upgrade

New installation images will appear at the usual locations shortly. The Debian Installer has also been refreshed to include the point-release fixes.

Bottom Line

Debian 13.6 is a maintenance release, but not a routine one — the expired 2013 Secure Boot CA makes the fwupd and shim updates genuinely important for anyone running Secure Boot. Apply your OEM’s CA/KEK/DBX updates alongside the package upgrade to avoid a future unbootable system.

Related Reading

Avatar photo
David Cao

David is a Cloud & DevOps Enthusiast. He has years of experience as a Linux engineer. He had working experience in AMD, EMC. He likes Linux, Python, bash, and more. He is a technical blogger and a Software Engineer. He enjoys sharing his learning and contributing to open-source.

Articles: 682

Leave a Reply

Your email address will not be published. Required fields are marked *