Debian 13.6 "trixie" released, with a fix for your broken Secure Boot and a GeoIP rollback
The sixth point release for Debian's current stable cycle has dropped, and it carries a firmware-level patch that directly impacts how modern PCs handle Secure Boot. Debian has updated fwupd to version 2.0.20 to address the long-overdue expiration of the 2013 UEFI Secure Boot certificate authority. Without this update, systems relying on that legacy CA could eventually refuse to install shim-signed bootloaders. Point releases for Debian stable do not introduce new features. They are strictly for stacking stability and security fixes. This one lands at a particularly inconvenient time for firmware maintainers.
The 2013 UEFI Secure Boot CA has finally expired, leaving a gap that OEMs and downstream distributors have been slowly patching for years. Debian is closing that loop by updating the CA, KEK, and DBX databases through fwupd. The project has also bumped shim, shim-signed, and shim-helpers-* to stay compatible with Microsoft's 2023 UEFI CA. If you're running an x86 or ARM64 machine with Secure Boot enabled, you will want to pull these updates fast. The Secure Boot compliance headache has been one of those slow-burning operational headaches since UEFI went mainstream. Back in 2023, when Microsoft announced the CA expiry, it gave the industry roughly three years to adjust. Debian is finally catching up.
Keep in mind that the geoip-database package has taken a hit alongside the firmware fixes. Debian has reverted the package to a snapshot from roughly December 2019. Recent upstream versions of GeoIP data violate the Debian Free Software Guidelines. The project cannot legally distribute them. If your software depends on it, you will need to grab a GeoLite license directly and stop treating the Debian package as a permanent dependency. That is after DFSG enforcement.
Security patches and kernel updates
The rest of the release covers a massive surface area. The Linux kernel gets patched through multiple DSA advisories, with the debian-installer bumped to ABI 6.12.94+deb13. Browser and email clients are not spared either. chromium, firefox-esr, and thunderbird all receive security fixes across a dozen separate advisories. Head here to the official Debian news page if you need the full mirror list and advisory breakdown.
If you are managing infrastructure, nginx, apache2, squid, haproxy, and tomcat10/11 are all patched against known RCE and denial-of-service flaws. You are looking at QEMU getting hammered for code execution and memory disclosure vulnerabilities. curl receives fixes for bearer token redirect leaks and stale cookie exposure. Several OpenStack components like keystone and neutron get attention for authorization bypasses. Not exactly the kind of headline-grabbing issues, but the kind that keep compliance audits clean.
It is a dense release for a point update. You will likely notice more in your package manager than in your daily workflow. The Secure Boot fix is the only component that actively breaks things if ignored, and even then, it is mostly a firmware-level nudge. The rest is routine hygiene. Debian does not do flashy rollouts, and this one plays right into that tradition.
How to update
If you are already running trixie, updating is straightforward. Point apt at one of Debian's official mirrors. Run apt update && apt upgrade and let it do its thing. New installation images will show up at the standard download locations shortly. If you are already pulling from security.debian.org, you are probably only a few hundred megabytes behind. The gap is narrower than it was six months ago, but it still exists.
Point releases do not constitute a new version. They only update selected packages. Old trixie installation media remain perfectly valid. You can upgrade to the current package set after installation. Keep in mind that the geoip-database revert will likely trigger dependency warnings for a handful of niche tools. If you see a conflict, switch the backend to a direct GeoLite feed before chasing the package.
Head here for the full announcement.
