Debian 13.6 Released With Security Fixes and Secure Boot Updates


Debian 13.6 is now available with security patches, important bug fixes, installer updates, and changes that prepare supported computers for the ongoing UEFI Secure Boot certificate transition.

The Debian Project released the sixth update to Debian 13 “trixie” on July 11, 2026. It updates packages included with the stable distribution but does not introduce a new major version of Debian.

Existing Debian 13 users do not need to reinstall the operating system. They can receive the latest packages through Debian’s regular repositories, while the project is also publishing updated installation images for new deployments.

Debian 13.6 focuses on security and stability

The official Debian 13.6 release announcement describes the update as a collection of security corrections and fixes for serious problems.

Users who regularly install packages from Debian’s security repository may already have many of the included patches. The point release combines those previously issued updates with additional package corrections and refreshed installation media.

Debian updated a wide range of packages used on desktops, servers, development systems, and virtualization hosts.

Update areaExamples
Web serversApache HTTP Server, nginx, and related components
Browsers and emailChromium, Firefox ESR, and Thunderbird
Security and networkingOpenSSL, curl, OpenVPN, Samba, and rsync
VirtualizationQEMU and supporting libraries
DatabasesPostgreSQL and associated packages
Media and documentsImageMagick, FFmpeg, LibreOffice, and PDF tools
Operating systemLinux kernel, firmware tools, and Debian Installer

Apache and curl receive major security fixes

Apache received patches for several classes of vulnerabilities, including use-after-free bugs, buffer overflows, out-of-bounds reads, denial-of-service conditions, cross-site scripting, and unintended file access.

The curl package also received an extensive collection of corrections. These address credential leaks during redirects, stale cookie exposure, unsafe connection reuse, and memory safety problems involving the SMB protocol.

Some curl fixes prevent authentication data from remaining available when a connection changes hosts, proxies, or protocols. Such weaknesses can expose tokens or credentials to an unintended destination.

  • Bearer token leaks during redirects
  • Credentials retained after host or proxy changes
  • Stale cookies sent to the wrong destination
  • Unsafe reuse of TLS and authentication connections
  • SMB use-after-free and incorrect share reuse
  • Improper handling of proxy authentication state

Debian updates browsers, Linux, and server packages

The point release incorporates previously published Debian security advisories for Chromium, Firefox ESR, Thunderbird, OpenSSL, nginx, Linux, ImageMagick, LibreOffice, OpenVPN, and other widely installed software.

Debian also updated packages used in cloud and server environments. These include OpenStack components, networking services, mail servers, web frameworks, and virtualization tools.

The security fixes cover many vulnerability types:

  • Memory corruption and use-after-free flaws
  • Buffer overflows and out-of-bounds access
  • Command and code injection
  • Cross-site scripting
  • Server-side request forgery
  • Path traversal and arbitrary file access
  • Credential disclosure
  • Authentication and authorization bypasses
  • Denial-of-service conditions

Administrators can review the full package history through the Debian 13 errata and point release information.

Secure Boot certificate changes require attention

One of the most important changes in Debian 13.6 concerns the UEFI Secure Boot certificate transition.

The update moves fwupd to upstream version 2.0.20. This version can update the Secure Boot certificate authority database, Key Exchange Key database, and forbidden signature database, commonly called the CA, KEK, and DBX.

The Microsoft UEFI Secure Boot certificate authority introduced in 2013 has expired. Many computers have used this certificate to verify operating system bootloaders.

Secure Boot componentPurpose
CAEstablishes trust for bootloader signing certificates
KEKAuthorizes changes to Secure Boot signature databases
DBStores signatures and certificates trusted by the firmware
DBXStores revoked or blocked signatures

Future shim updates could cause boot problems

Debian warns that future shim-signed updates could prevent some computers from starting with Secure Boot enabled when their firmware lacks the necessary replacement certificates.

The risk does not mean that installing Debian 13.6 will automatically make a computer unbootable. It concerns later bootloader changes and devices that have not received updated Secure Boot databases from their manufacturers.

Debian recommends following its Secure Boot certificate transition guidance and installing applicable firmware updates from the computer or motherboard manufacturer.

Users should check for BIOS or UEFI updates and firmware updates delivered through fwupd. Enterprise administrators should test the transition on representative hardware before deploying related changes widely.

fwupd 2.0.20 expands firmware update support

Beyond the certificate transition, the fwupd update corrects UEFI certificate database enumeration and several firmware update regressions.

It also improves hardware support and fixes issues involving Thunderbolt controller deployment. These changes can help compatible systems receive firmware updates more reliably.

Users can check for supported firmware updates with the following commands:

sudo fwupdmgr refresh
sudo fwupdmgr get-updates
sudo fwupdmgr update

Not every computer manufacturer distributes updates through the Linux Vendor Firmware Service. Users may need to obtain firmware directly from their hardware vendor.

Linux kernel and installer packages are refreshed

Debian rebuilt the installer for the point release and increased its Linux application binary interface to 6.12.94+deb13.

The refreshed installer includes fixes accepted into Debian stable since the previous installation images. This makes the new media more suitable for fresh installations because users need fewer immediate updates after setup.

The release also updates wireless-regdb, which provides regulatory information governing wireless frequencies, channels, and transmission limits in different countries.

ComponentDebian 13.6 change
Debian InstallerRebuilt with fixes included in the point release
Linux ABIUpdated to 6.12.94+deb13
wireless-regdbUpdated regulatory information for multiple regions
fwupdUpdated to version 2.0.20
Installation imagesRefreshed for new Debian 13 installations

GeoIP database rolls back to 2019 data

Debian 13.6 reverts the geoip-database package to a version containing data from approximately December 2019.

This change results from licensing restrictions. Debian says newer GeoLite database releases do not comply with the Debian Free Software Guidelines and therefore cannot ship in the distribution.

Applications that rely on the packaged database may now report outdated locations or network ownership information. IP address allocations and geolocation records can change considerably over several years.

Organizations that need accurate and current GeoIP data should obtain a GeoLite license directly from the provider instead of relying on Debian’s geoip-database package.

Debian 13 users can upgrade without reinstalling

Debian 13.6 does not require users to replace existing installation media or perform a clean installation. A standard system upgrade will install the packages appropriate for the computer.

Users should confirm that their APT configuration points to current Debian 13 repositories and the trixie-security repository. They can then refresh package information and apply the available upgrades.

The basic upgrade commands are:

sudo apt update
sudo apt full-upgrade

Debian’s stable release information confirms that Debian 13.6 became the sixth trixie point release on July 11, 2026.

Administrators should plan the update carefully

Desktop users can generally install the update through their normal package management tools. Server administrators should first review the packages scheduled for replacement and determine whether any services require a restart.

Systems running Apache, nginx, databases, virtualization software, or other business-critical services may need a maintenance window. Administrators should also verify that enough disk space remains in the boot partition before updating kernel packages.

A practical update process includes:

  1. Back up important data and system configurations.
  2. Refresh the package index with apt update.
  3. Review packages held back or scheduled for removal.
  4. Apply the full upgrade.
  5. Restart affected services or reboot the system when required.
  6. Confirm that the expected kernel started successfully.
  7. Check Secure Boot status and firmware update availability.
  8. Review logs for failed services or package configuration errors.

Debian 13.6 is a maintenance release, not Debian 14

Point releases package together fixes that Debian has approved for its stable branch. They do not replace the distribution with a new generation or introduce the large software changes normally associated with a major Debian release.

Debian 13 remains the stable distribution, and “trixie” remains its codename. Computers that already run Debian 13 will continue using the same repositories after updating to version 13.6.

The complete Debian 13.6 update details include the package corrections, security advisories, installer changes, removals, and Secure Boot notices included in the release.

For most users, the main action is straightforward: install current package updates. Owners of Secure Boot systems should also check their manufacturer’s firmware guidance before future shim and certificate changes arrive.

Debian provides additional instructions through its UEFI Secure Boot CA change documentation.

FAQ

What is Debian 13.6?

Debian 13.6 is the sixth maintenance update for Debian 13 “trixie.” It combines security patches, serious bug fixes, installer updates, and selected hardware-related improvements.

Do Debian 13 users need to reinstall the operating system?

No. Existing Debian 13 systems can upgrade through the regular APT repositories. Users do not need to perform a clean installation or download new installation media.

How can users upgrade to Debian 13.6?

Users can run sudo apt update followed by sudo apt full-upgrade. They should review the proposed package changes and reboot if the update installs a new kernel or requires a restart.

Why is the Secure Boot update important?

The 2013 UEFI Secure Boot certificate authority has expired. Some computers may eventually fail to load newer signed boot components unless their manufacturers provide updated CA, KEK, and DBX databases.

Why does Debian 13.6 include old GeoIP data?

Debian reverted geoip-database to an approximately December 2019 version because newer GeoLite releases do not meet the Debian Free Software Guidelines. Users who need current data should obtain a separate GeoLite license.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages