Debian 13.6 security update patches over a hundred advisories in trixie
Most PCs still run with a UEFI Secure Boot certificate authority, installed by default since 2013, that has now expired. That certificate signed the bootloaders letting machines start with Secure Boot turned on. Its expiry sits at the center of the sixth update to Debian 13, codenamed “trixie.” The point release carries mostly security corrections along with a few fixes for serious problems.

The Secure Boot problem gets handled through fwupd, updated to upstream version 2.0.20. The new build can update the Secure Boot certificate authority, the Key Exchange Key, and the revocation database on affected machines. Systems that skip these updates risk a specific failure. Future updates to “shim-signed” could leave them unable to boot with Secure Boot enabled. Debian advises users to apply the CA, KEK, and DBX updates supplied by their system OEM.
The shim package received its own attention. It moved to a new upstream release built with the default compiler, and its SBAT revocation level was set to 2025021800. The signed shim binaries were rebuilt to keep Secure Boot working with the 2023 Microsoft UEFI certificate, and the installer now checks for likely boot problems before it proceeds.
Licensing drove a second change. The “geoip-database” package reverted to a build dated around December 2019, because recent GeoLite versions conflict with the Debian Free Software Guidelines and cannot be shipped. Software reading the database may return stale network allocation data as a result. Debian encourages anyone depending on this data to obtain a GeoLite license directly.
Web tooling saw heavy patching. The curl package alone took 13 fixes covering bearer token leaks on redirects, reuse of the wrong cached certificate authority, connection reuse across HTTP Negotiate and proxy sessions, reuse of plaintext STARTTLS connections, a use-after-free in its SMB code, and leaked credentials during redirects. rsync gained a limit on overly long HTTP proxy response lines. python-urllib3, nginx, and squid each received separate advisories from the Security Team.
The apache2 web server received corrections for 13 tracked flaws. These covered use-after-free bugs, a cross-site scripting hole, several buffer overflows, denial-of-service conditions, out-of-bounds reads, and a file read issue. A further advisory, DSA-6323, covered additional apache2 work.
Virtualization users have a large batch to apply. The qemu emulator moved to a new upstream stable release carrying 25 security fixes. The Python interpreter shipped as python3.13 gained fixes for CR/LF injection in proxy tunnel headers, denial-of-service conditions, a path traversal, and a server-side request forgery.
Cryptographic libraries received targeted hardening. The libcrypt-pbkdf2-perl module changed its default hashing to HMAC-SHA256 and raised its default iteration count to 600,000, and it adopted constant-time comparison to close a timing attack. The nss library improved its handling of escape sequences during URI parsing. Separate advisories addressed openssl, gnutls28, libgcrypt20, and krb5.
The Security Team released more than a hundred advisories folded into this revision. Chromium accounted for close to a dozen of them, reflecting the browser’s steady stream of upstream releases. The Linux kernel appeared across several advisories covering its amd64 and arm64 signed builds. Firefox ESR, Thunderbird, Samba, PostgreSQL, and BIND rounded out the roster of widely deployed software with named fixes.
Several fixes targeted media and document handling, a common source of memory-safety bugs. giflib, libvncserver, graphite2, and rlottie all gained corrections for out-of-bounds access and memory corruption. The openslide library received a fix for a possible code execution flaw, and poppler corrected invalid signature creation.
Upgrading an existing installation can be achieved by pointing the package management system at one of Debian’s many mirrors.