Debian 13.6 Released With Security Fixes and Secure Boot Updates
Debian 13.6 is now available with security patches, important bug fixes, installer updates, and changes that prepare supported computers for the ongoing UEFI Secure Boot certificate transition.
The Debian Project released the sixth update to Debian 13 “trixie” on July 11, 2026. It updates packages included with the stable distribution but does not introduce a new major version of Debian.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Existing Debian 13 users do not need to reinstall the operating system. They can receive the latest packages through Debian’s regular repositories, while the project is also publishing updated installation images for new deployments.
Debian 13.6 focuses on security and stability
The official Debian 13.6 release announcement describes the update as a collection of security corrections and fixes for serious problems.
Users who regularly install packages from Debian’s security repository may already have many of the included patches. The point release combines those previously issued updates with additional package corrections and refreshed installation media.
Debian updated a wide range of packages used on desktops, servers, development systems, and virtualization hosts.
| Update area | Examples |
|---|---|
| Web servers | Apache HTTP Server, nginx, and related components |
| Browsers and email | Chromium, Firefox ESR, and Thunderbird |
| Security and networking | OpenSSL, curl, OpenVPN, Samba, and rsync |
| Virtualization | QEMU and supporting libraries |
| Databases | PostgreSQL and associated packages |
| Media and documents | ImageMagick, FFmpeg, LibreOffice, and PDF tools |
| Operating system | Linux kernel, firmware tools, and Debian Installer |
Apache and curl receive major security fixes
Apache received patches for several classes of vulnerabilities, including use-after-free bugs, buffer overflows, out-of-bounds reads, denial-of-service conditions, cross-site scripting, and unintended file access.
The curl package also received an extensive collection of corrections. These address credential leaks during redirects, stale cookie exposure, unsafe connection reuse, and memory safety problems involving the SMB protocol.
Some curl fixes prevent authentication data from remaining available when a connection changes hosts, proxies, or protocols. Such weaknesses can expose tokens or credentials to an unintended destination.
- Bearer token leaks during redirects
- Credentials retained after host or proxy changes
- Stale cookies sent to the wrong destination
- Unsafe reuse of TLS and authentication connections
- SMB use-after-free and incorrect share reuse
- Improper handling of proxy authentication state
Debian updates browsers, Linux, and server packages
The point release incorporates previously published Debian security advisories for Chromium, Firefox ESR, Thunderbird, OpenSSL, nginx, Linux, ImageMagick, LibreOffice, OpenVPN, and other widely installed software.
Debian also updated packages used in cloud and server environments. These include OpenStack components, networking services, mail servers, web frameworks, and virtualization tools.
The security fixes cover many vulnerability types:
- Memory corruption and use-after-free flaws
- Buffer overflows and out-of-bounds access
- Command and code injection
- Cross-site scripting
- Server-side request forgery
- Path traversal and arbitrary file access
- Credential disclosure
- Authentication and authorization bypasses
- Denial-of-service conditions
Administrators can review the full package history through the Debian 13 errata and point release information.
Secure Boot certificate changes require attention
One of the most important changes in Debian 13.6 concerns the UEFI Secure Boot certificate transition.
The update moves fwupd to upstream version 2.0.20. This version can update the Secure Boot certificate authority database, Key Exchange Key database, and forbidden signature database, commonly called the CA, KEK, and DBX.
The Microsoft UEFI Secure Boot certificate authority introduced in 2013 has expired. Many computers have used this certificate to verify operating system bootloaders.
| Secure Boot component | Purpose |
|---|---|
| CA | Establishes trust for bootloader signing certificates |
| KEK | Authorizes changes to Secure Boot signature databases |
| DB | Stores signatures and certificates trusted by the firmware |
| DBX | Stores revoked or blocked signatures |
Future shim updates could cause boot problems
Debian warns that future shim-signed updates could prevent some computers from starting with Secure Boot enabled when their firmware lacks the necessary replacement certificates.
The risk does not mean that installing Debian 13.6 will automatically make a computer unbootable. It concerns later bootloader changes and devices that have not received updated Secure Boot databases from their manufacturers.
Debian recommends following its Secure Boot certificate transition guidance and installing applicable firmware updates from the computer or motherboard manufacturer.
Users should check for BIOS or UEFI updates and firmware updates delivered through fwupd. Enterprise administrators should test the transition on representative hardware before deploying related changes widely.
fwupd 2.0.20 expands firmware update support
Beyond the certificate transition, the fwupd update corrects UEFI certificate database enumeration and several firmware update regressions.
It also improves hardware support and fixes issues involving Thunderbolt controller deployment. These changes can help compatible systems receive firmware updates more reliably.
Users can check for supported firmware updates with the following commands:
sudo fwupdmgr refresh
sudo fwupdmgr get-updates
sudo fwupdmgr update
Not every computer manufacturer distributes updates through the Linux Vendor Firmware Service. Users may need to obtain firmware directly from their hardware vendor.
Linux kernel and installer packages are refreshed
Debian rebuilt the installer for the point release and increased its Linux application binary interface to 6.12.94+deb13.
The refreshed installer includes fixes accepted into Debian stable since the previous installation images. This makes the new media more suitable for fresh installations because users need fewer immediate updates after setup.
The release also updates wireless-regdb, which provides regulatory information governing wireless frequencies, channels, and transmission limits in different countries.
| Component | Debian 13.6 change |
|---|---|
| Debian Installer | Rebuilt with fixes included in the point release |
| Linux ABI | Updated to 6.12.94+deb13 |
| wireless-regdb | Updated regulatory information for multiple regions |
| fwupd | Updated to version 2.0.20 |
| Installation images | Refreshed for new Debian 13 installations |
GeoIP database rolls back to 2019 data
Debian 13.6 reverts the geoip-database package to a version containing data from approximately December 2019.
This change results from licensing restrictions. Debian says newer GeoLite database releases do not comply with the Debian Free Software Guidelines and therefore cannot ship in the distribution.
Applications that rely on the packaged database may now report outdated locations or network ownership information. IP address allocations and geolocation records can change considerably over several years.
Organizations that need accurate and current GeoIP data should obtain a GeoLite license directly from the provider instead of relying on Debian’s geoip-database package.
Debian 13 users can upgrade without reinstalling
Debian 13.6 does not require users to replace existing installation media or perform a clean installation. A standard system upgrade will install the packages appropriate for the computer.
Users should confirm that their APT configuration points to current Debian 13 repositories and the trixie-security repository. They can then refresh package information and apply the available upgrades.
The basic upgrade commands are:
sudo apt update
sudo apt full-upgrade
Debian’s stable release information confirms that Debian 13.6 became the sixth trixie point release on July 11, 2026.
Administrators should plan the update carefully
Desktop users can generally install the update through their normal package management tools. Server administrators should first review the packages scheduled for replacement and determine whether any services require a restart.
Systems running Apache, nginx, databases, virtualization software, or other business-critical services may need a maintenance window. Administrators should also verify that enough disk space remains in the boot partition before updating kernel packages.
A practical update process includes:
- Back up important data and system configurations.
- Refresh the package index with apt update.
- Review packages held back or scheduled for removal.
- Apply the full upgrade.
- Restart affected services or reboot the system when required.
- Confirm that the expected kernel started successfully.
- Check Secure Boot status and firmware update availability.
- Review logs for failed services or package configuration errors.
Debian 13.6 is a maintenance release, not Debian 14
Point releases package together fixes that Debian has approved for its stable branch. They do not replace the distribution with a new generation or introduce the large software changes normally associated with a major Debian release.
Debian 13 remains the stable distribution, and “trixie” remains its codename. Computers that already run Debian 13 will continue using the same repositories after updating to version 13.6.
The complete Debian 13.6 update details include the package corrections, security advisories, installer changes, removals, and Secure Boot notices included in the release.
For most users, the main action is straightforward: install current package updates. Owners of Secure Boot systems should also check their manufacturer’s firmware guidance before future shim and certificate changes arrive.
Debian provides additional instructions through its UEFI Secure Boot CA change documentation.
FAQ
Debian 13.6 is the sixth maintenance update for Debian 13 “trixie.” It combines security patches, serious bug fixes, installer updates, and selected hardware-related improvements.
No. Existing Debian 13 systems can upgrade through the regular APT repositories. Users do not need to perform a clean installation or download new installation media.
Users can run sudo apt update followed by sudo apt full-upgrade. They should review the proposed package changes and reboot if the update installs a new kernel or requires a restart.
The 2013 UEFI Secure Boot certificate authority has expired. Some computers may eventually fail to load newer signed boot components unless their manufacturers provide updated CA, KEK, and DBX databases.
Debian reverted geoip-database to an approximately December 2019 version because newer GeoLite releases do not meet the Debian Free Software Guidelines. Users who need current data should obtain a separate GeoLite license.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages