Tech News

Debian 13.6 Is Out: Here Are the Key Changes

Debian 13.6 has been available since July 8, 2026. This sixth maintenance update for Debian 13 Trixie brings no new features, but it does include a long list of security patches and bug fixes. It also addresses Secure Boot certificate expiration. Here’s what you need to know.

Debian 13.6: a maintenance release first and foremost

As with all minor Debian updates, 13.6 does not introduce any new features. Its main purpose is to consolidate security fixes and bug fixes. The developers also make it clear that this is not a new Debian 13 release, but a package update.

In fact, if your machine already receives its patches regularly through the security.debian.org repository, you have probably already received most of these fixes. Debian 13.6 simply brings them together. Given the many security flaws disclosed and patched in recent weeks (DirtyClone (CVE-2026-43503) is one example among many), it would not be surprising if you had already visited the security-focused repository mentioned above.

This release consolidates around a hundred security updates and just as many bug fixes across the packages used by Debian. Affected packages include tools such as Apache, Curl, QEMU, Samba, Wireshark, XZ Utils, Postfix, and Python 3.13.

On the installation side, the Debian installer has been rebuilt to rely on Linux kernel 6.12.94. Netinstall images are still available for six architectures: amd64, arm64, armhf, ppc64el, riscv64, and s390x.

If you are already using Debian 13, the update procedure is the usual one. Open a terminal and run:

sudo apt update && sudo apt upgrade

Secure Boot: fwupd prepares the transition to new certificates

Debian 13.6 also comes with an update to the fwupd package, which moves to version 2.0.20. This update now allows it to update the Secure Boot certification authority (CA), the Key Exchange Key (KEK), and the revocation database (DBX).

Why now? Because the historical UEFI Secure Boot certification authority, installed by default on most PCs and used to sign bootloaders, has expired. This refers to Microsoft’s CA, whose certificates expired in June 2026. Future shim-signed updates could prevent some machines from booting when Secure Boot is enabled if the required firmware updates have not been applied.

It is therefore necessary to apply this update to ensure compatibility with the Microsoft UEFI CA 2023 certificate, since it is the one taking over. This issue is not limited to the Linux world by any means. It is part of the broader move toward Secure Boot certificate expiration in 2026, which I have been documenting on the Windows side for several months. We have also seen other ecosystem tools adapt, such as Ventoy with version 1.1.14, which anticipates the UEFI CA 2023 challenge.

geoip-database rolls back: be careful!

If you use GeoIP, you need to be careful with Debian 13.6: the geoip-database package has been rolled back to a version dating back to around December 2019. But why such a change? The reason is purely legal. Newer versions of the GeoLite database are not compatible with the Debian Free Software Guidelines (DFSG) and therefore cannot be distributed.

This is not without consequences: applications relying on this database packaged by Debian may use outdated address allocation information. Debian recommends that users who need up-to-date data obtain a GeoLite license instead of relying on the package included with Debian.

Alongside Debian 13.6, the development team also released Debian 12.15: a release presented as the fifteenth and final minor update for Bookworm. If you have not done so already, users still on Bookworm are encouraged to migrate to Trixie. If that applies to you, our Debian 12 to Debian 13 upgrade guide will walk you through the process step by step.

author avatar
Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.