VYPR
patchPublished Jul 12, 2026· 1 source

Debian 13.6 Security Update Addresses Expired Secure Boot Certificate and Over 100 Advisories

Debian 13.6 (trixie) has been released, fixing an expired UEFI Secure Boot certificate issue and patching more than a hundred security advisories across various software packages.

Debian 13.6, codenamed "trixie," has been released, bringing a significant security update that addresses over a hundred advisories, including a critical fix for an expired UEFI Secure Boot certificate authority. This expired certificate, installed by default on most PCs since 2013, could prevent systems from booting with Secure Boot enabled, a vital security feature.

The update leverages the fwupd tool, now at version 2.0.20, to manage this crucial component. The new fwupd build can update the Secure Boot certificate authority, the Key Exchange Key (KEK), and the revocation database (DBX) on affected machines. Without these updates, future "shim-signed" package updates could render systems unbootable with Secure Boot active. Debian strongly advises users to apply these CA, KEK, and DBX updates provided by their system's Original Equipment Manufacturer (OEM).

In addition to the Secure Boot fix, the "shim-signed" package itself has been updated. It now uses the default compiler for its build and has its SBAT revocation level set to 2025021800. The signed shim binaries have been rebuilt to ensure compatibility with the 2023 Microsoft UEFI certificate, and the installer now includes checks for potential boot problems before proceeding with installations.

Another notable change addresses licensing concerns with the "geoip-database" package. To comply with Debian Free Software Guidelines, this package has reverted to a build from December 2019. Consequently, recent GeoLite versions cannot be shipped, and software relying on this database may return outdated network allocation data. Debian recommends that users dependent on this data obtain a GeoLite license directly from the provider.

The release also includes extensive patching for web tooling and server software. The curl package alone received 13 fixes, addressing issues such as bearer token leaks, incorrect certificate authority reuse, credential leaks during redirects, and use-after-free vulnerabilities in its SMB code. rsync has been updated with a limit for overly long HTTP proxy response lines, and separate advisories cover fixes for python-urllib3, nginx, and squid.

Web servers also saw significant attention, with the apache2 server receiving corrections for 13 tracked flaws. These included use-after-free bugs, cross-site scripting vulnerabilities, buffer overflows, denial-of-service conditions, out-of-bounds reads, and a file read issue, with additional fixes detailed in advisory DSA-6323.

Virtualization users will benefit from a large batch of updates, including a move to a new upstream stable release for the qemu emulator, which carries 25 security fixes. The python3.13 interpreter has also been updated to address CR/LF injection, denial-of-service conditions, path traversal, and server-side request forgery vulnerabilities.

Cryptographic libraries have received targeted hardening. The libcrypt-pbkdf2-perl module now defaults to HMAC-SHA256 with an increased iteration count of 600,000 and employs constant-time comparison to mitigate timing attacks. The nss library has improved its URI parsing, and separate advisories cover updates for openssl, gnutls28, libgcrypt20, and krb5. The Security Team's efforts have consolidated over a hundred advisories into this release, impacting widely deployed software such as Chromium, the Linux kernel, Firefox ESR, Thunderbird, Samba, PostgreSQL, and BIND, alongside fixes for media and document handling libraries like giflib, libvncserver, and poppler.

Synthesized by Vypr AI