Debian 13 "Trixie" just picked up its sixth point release, and if you run production servers on it, the short version is this: 120 security advisories and 124 stability fixes are now bundled into one update, plus a Secure Boot fix you genuinely need to pay attention to.
Highlights
| 1 | Debian 13.6 landed on July 11, 2026 as the sixth stable point release for "Trixie," combining 124 stability corrections with 120 previously issued security advisories into a single update. |
| 2 | If you already run automatic updates pointed at security.debian.org, most of these fixes already reached your system. 13.6 is mainly a convenience checkpoint. |
| 3 | fwupd jumps to version 2.0.20, adding the ability to push Secure Boot CA, KEK, and DBX updates to address the Recent Expiration of the 2013 Microsoft UEFI certificate. |
| 4 | geoip-database has been rolled back to a build from around December 2019 for licensing reasons, so anything relying on it for geolocation is working with old data again. |
| 5 | Big-name packages getting patched include Apache, Curl, Samba, QEMU, Python 3.13, Wireshark, and Dolphin, closing off a long list of CVEs across the stack. |
| 6 | Debian 12.15 "Bookworm" shipped the same day as its final scheduled point release, marking its formal transition to Long Term Support (LTS) and signaling users to migrate to Trixie. |
None of this is a new Debian version, so nobody needs to reinstall or throw away existing Trixie media. What matters here is timing: the Secure Boot certificate change is the part with a real deadline attached, and the geoip rollback is the part that quietly changes behavior without anyone asking for it. A few packages still carry open questions about downstream rebuild timing that Debian has not fully detailed yet.
| Release Date | July 11, 2026 |
| Security Fixes | 120 advisories folded in |
| Stability Fixes | 124 packages corrected |
| Secure Boot | fwupd 2.0.20 adds CA / KEK / DBX support |
What Actually Changed in 13.6
This is a point release, not a new Trixie. Debian describes it as adding corrections for security issues along with a handful of fixes for serious bugs, nothing more dramatic than that. You upgrade the same way you always have, by pointing apt at a current Debian mirror and running the normal update commands.
The package list is long, but a few names stand out for anyone running real workloads. Apache picked up fixes for use-after-free bugs, a cross-site scripting issue, and several buffer overflows. Curl closed holes around bearer-token leaks and stale cookie exposure. Samba got a fresh upstream stable release, and if you're running it for file sharing, it's worth checking our Samba 4.24 coverage for what changed underneath.
The Secure Boot Deadline Nobody Can Ignore
Here's the part that actually forces action. The 2013 UEFI Secure Boot certificate authority baked into most PCs has now expired. Future updates to shim-signed, which will target the new 2026 DB certificates, could leave some machines unable to boot at all with Secure Boot switched on if the hardware's onboard databases aren't updated. Debian's fix is an fwupd bump to 2.0.20, which can now push CA, KEK, and DBX updates from your hardware vendor.
This isn't unique to Debian. We covered the broader problem in our piece on the Secure Boot key expiration hitting the whole Linux ecosystem, and the advice is the same here: check for CA, KEK, and DBX updates from your OEM before you find out the hard way during a reboot.
Debian describes 13.6 as "the sixth update of its stable distribution Debian 13."
— Debian Project, July 2026 announcement
Why geoip-database Just Got Older
Debian reverted geoip-database to a build from roughly December 2019. The reason is licensing, not a bug. Newer GeoLite releases no longer fit the Debian Free Software Guidelines, so the project can't ship them. If your scripts or apps lean on this package for location lookups, expect stale allocation data and go get a direct GeoLite license from the source if accuracy matters to you.
Security Patches Worth Knowing About
Past the headline items, this release quietly fixes real attack surface. Dolphin got a sandbox escape patch. GIMP closed integer overflow bugs. Mesa fixed a WebGPU and SPIR-V allocation issue. Python 3.13 alone picked up half a dozen CVE fixes, including a server-side request forgery bug and a path traversal issue. QEMU's list of patched CVEs runs long enough that virtualization admins should treat this as a priority update, not a routine one.
If you've been tracking Linux vulnerability disclosures generally, this fits the pattern we've seen elsewhere this year, including the recent Dirty Frag vulnerability and the Ubuntu desktop vulnerability disclosed earlier this year. Security teams have not been short of work lately, and kernel-level hardening efforts like the ones described in our piece on Rust in kernel security are part of the same broader push.
Debian 12.15 and the End of Bookworm
Debian 12.15 shipped the same day as 13.6, and it's the last scheduled point release for Bookworm from the regular Release, Security, and Backports teams. Some architectures will keep getting patches under Debian's long-term support arrangement, similar to what we outlined when covering extended lifecycle support on RHEL, but the official line now is clear: move to Trixie.
If you're weighing that move alongside a kernel refresh, it's worth reading up on what's landed in Linux kernel 7.1 before you plan the upgrade window, since Debian's installer for 13.6 already bumps its bundled kernel ABI to 6.12.94.
What This Means for Your Update Routine
If your boxes already track security.debian.org closely, 13.6 will feel uneventful, most of the work already happened in the background. The parts that need a deliberate look are the Secure Boot certificate updates and anything reading geoip-database for location data. Everything else is standard apt hygiene: update your package lists, upgrade, and reboot if the kernel or shim packages changed.
For anyone still deciding between distributions before a fresh install, this kind of steady, predictable patch cadence is part of what we weighed in our Ubuntu 26.04 LTS breakdown and our roundup of the best Linux distros for 2026, since a boring, reliable point release is exactly what production systems want.
Sources & References
LinuxTeck - A Complete Learning Blog
Tech News Stay updated with the latest Linux and open-source news, covering new releases, distro updates, security patches, and enterprise developments, delivered in plain language for sysadmins and developers.