The Debian project has released Debian 13.6, the sixth point update to the stable “trixie” release, on July 11, 2026. As with all point releases, this isn’t a new version — it rolls up existing security fixes and a handful of corrections for serious problems. Existing installs simply upgrade from a Debian mirror; there’s no need to reinstall or discard old media.
Table of Contents
The Headline: Secure Boot CA Expiry
The most consequential change is a fix for an industry-wide UEFI Secure Boot certificate transition. The 2013 UEFI Secure Boot CA — installed by default on most PCs and used to sign bootloaders — has now expired. Left unaddressed, future updates to shim-signed could leave systems unable to boot with Secure Boot enabled.
To handle this, fwupd has been updated to upstream 2.0.20, which can update the Secure Boot certificate authority (CA), Key Exchange Key (KEK), and revocation (DBX) databases. Debian strongly advises users to apply the CA, KEK, and DBX updates from their system OEM, following the official Secure Boot CA guidance. This is the one item every trixie user should act on.
geoip-database Reverted for Licensing
For licensing reasons, geoip-database has been reverted to a version dated roughly December 2019. Newer GeoLite versions are not compatible with the Debian Free Software Guidelines and can’t be distributed. As a result, applications relying on this package may use out-of-date allocation data — Debian encourages consumers to obtain a GeoLite license directly and stop depending on the packaged database.
A Broad Sweep of Security Fixes
The bulk of 13.6 is security hardening across a large set of packages. Some of the more notable corrections:
- apache2 — use-after-free, XSS, buffer overflow, DoS, and out-of-bounds read fixes (a dozen-plus CVEs).
- curl — a large batch covering bearer-token redirect leaks, STARTTLS clear-text reuse, SMB use-after-free, and stale cookie/credential leaks.
- qemu — new stable release with two dozen-plus security fixes.
- python3.13 — HTTP header injection (CVE-2026-1502), path traversal, SSRF, and multiple DoS fixes.
- shim / shim-signed — updated for the 2023 Microsoft UEFI CA compatibility and SBAT revocation level, tied to the Secure Boot transition above.
- sshfs-fuse — new
contain_symlinksoption to block symlink-escape attacks, plus hostname-injection hardening. - mutt, libxml2, protobuf, pyopenssl, rsync, wireshark, samba, postfix — all received stable/security updates.
Separately, the update folds in a long list of Debian Security Advisories (DSA-6250 through DSA-6384) already issued for packages like chromium, the Linux kernel, firefox-esr, thunderbird, openssl, nginx, samba, and many more.
Upgrading
Users who regularly install updates from security.debian.org will already have most of these packages and won’t see many changes. Everyone else can upgrade by pointing their package manager at an up-to-date Debian mirror:
sudo apt update && sudo apt full-upgrade
New installation images will appear at the usual locations shortly. The Debian Installer has also been refreshed to include the point-release fixes.
Bottom Line
Debian 13.6 is a maintenance release, but not a routine one — the expired 2013 Secure Boot CA makes the fwupd and shim updates genuinely important for anyone running Secure Boot. Apply your OEM’s CA/KEK/DBX updates alongside the package upgrade to avoid a future unbootable system.




