Debian 13.6 "Trixie" was released on July 11, 2026 as the sixth point release of the current Debian stable series. It bundles 120 security updates and 124 bug fixes for packages across the distribution. Alongside it, Debian 12.15 "Bookworm" was also published today – and carries a significant milestone: it is the final point release from the Debian project for the 12.x series.
But the headline number this time is not 120 or 124. It is the Secure Boot CA expiry – a time-sensitive infrastructure issue that affects all Debian systems with Secure Boot enabled, and requires action beyond a standard apt upgrade.
2013 UEFI Secure Boot CA Expiry
Debian 13.6 includes a critical warning about the expiry of the 2013 Microsoft UEFI Secure Boot certificate authority. If you have Secure Boot enabled and do not apply OEM firmware updates, future shim-signed package updates could prevent your system from booting. Read the Secure Boot section below before updating.
What Is a Debian Point Release?
For readers less familiar with Debian's release model: Debian stable does not roll out individual package updates continuously the way rolling distributions do. Instead, security fixes flow through security.debian.org between point releases, while point releases bundle those fixes into updated installation media.
Already running security updates?
If your Debian 13 system is configured to pull from security.debian.org – which is the default – most of the 120 security fixes in Debian 13.6 are already installed on your system. The point release does not add new fixes; it consolidates what has already been published since Debian 13.5. Running sudo apt update && sudo apt upgrade is still recommended to ensure nothing was missed.
The practical value of a point release is twofold: updated installation ISOs for fresh deployments (so you are not downloading months of updates after install), and a clear audit marker showing your system is current.
The Secure Boot CA Expiry – Action Required
This is the most operationally significant change in Debian 13.6, and the one most likely to be glossed over in routine update workflows.
The UEFI Secure Boot certificate authority issued by Microsoft in 2013 – installed by default on most PCs and used to sign Linux bootloaders including Debian's shim – has now expired. As a result, future updates to the shim-signed package could cause systems with Secure Boot enabled to fail to boot.
Risk of unbootable systems after future updates
If your system has Secure Boot enabled and you do not apply the necessary firmware certificate updates from your hardware manufacturer, a future shim-signed update could leave your machine unable to boot. This is not a theoretical risk – Debian has explicitly warned users about it in the release announcement.
Debian 13.6 addresses this by updating fwupd to version 2.0.20, which adds the ability to update the Secure Boot certificate authority (CA), Key Exchange Key (KEK), and DBX revocation databases directly. The shim-signed package has also been updated to ensure compatibility with the 2023 Microsoft UEFI CA.
What you need to do:
-
Check whether your system has Secure Boot enabled:
mokutil --sb-state -
If Secure Boot is enabled, apply any available CA, KEK, and DBX firmware updates from your system's OEM (motherboard or laptop manufacturer). Debian's guidance is here: https://wiki.debian.org/SecureBoot/CAChanges
-
Run the standard update to get the updated
fwupdandshim-signedpackages:
sudo apt update && sudo apt upgrade
Server environments
Many servers run with Secure Boot disabled. Run mokutil --sb-state to confirm your status before acting. If Secure Boot is off, the CA expiry does not affect your boot process, though keeping fwupd updated is still good practice.
Notable Security Fixes in Debian 13.6
Among the 120 security advisories consolidated in this release, several are particularly relevant for server and infrastructure operators:
Apache HTTP Server
The same CVE batch from USN-8516-1 covered in Ubuntu this week has been patched in Debian 13.6 as well. This includes use-after-free issues (CVE-2026-29167, CVE-2026-48913), cross-site scripting (CVE-2026-29170), buffer overflow fixes (CVE-2026-34355, CVE-2026-34356, CVE-2026-42536), and denial-of-service flaws across multiple modules.
curl
Eight CVEs fixed covering bearer token redirect leaks, improper connection reuse, SMB use-after-free, stale cookie exposure, and proxy credential mishandling. If your systems use curl for scripted HTTP operations, webhooks, or API calls, this is directly relevant.
Python 3.13
Several of the same CVEs patched in USN-8509-1 are present here, including CVE-2026-1502 (HTTP header injection), CVE-2026-3276 and CVE-2026-9669 (denial of service), CVE-2026-6019 (JavaScript injection), CVE-2026-7774 (path traversal), and CVE-2026-8328 (SSRF via ftplib).
Linux kernel (DSA-6274, DSA-6295, DSA-6305, DSA-6355)
The kernel received four separate DSA advisories in this cycle. The installer ABI was also bumped to Linux 6.12.94 for fresh installations.
Also added in this point release
OpenSSL (DSA-6335), nginx (DSA-6278, DSA-6326, DSA-6374), PostgreSQL 17 (DSA-6270), OpenVPN (DSA-6289, DSA-6376), Samba (DSA-6297), Exim (DSA-6309), Dovecot (DSA-6313), Varnish (DSA-6303), Bind9 (DSA-6285).
Debian 12.15 – Final Point Release in 12.x Series
Debian 12.15 "Bookworm" was also published today with 88 bug fixes and 97 security updates. More significantly, this marks the end of point releases from the Debian Release Team, Security Team, and Backports Team for Bookworm.
Debian 12 Users: Plan your migration
Debian 12 is not immediately end of life – selected architectures will continue receiving updates through Debian's Long Term Support (LTS) program. However, the primary security team support has ended. If you are running Debian 12 in a production environment, now is the time to plan and schedule your upgrade to Debian 13.
How to Upgrade from Debian 12 to Debian 13
If you are still on Debian 12 "Bookworm" and want to upgrade to Debian 13 "Trixie," the process follows Debian's standard dist-upgrade path.
Before starting, back up your data and configuration files. Then:
# Update your current Debian 12 system fully first
sudo apt update && sudo apt full-upgrade
# Edit your sources.list to point to trixie
sudo sed -i 's/bookworm/trixie/g' /etc/apt/sources.list
sudo sed -i 's/bookworm/trixie/g' /etc/apt/sources.list.d/*.list
# Update and upgrade to Debian 13
sudo apt update
sudo apt full-upgrade
Reboot after the upgrade completes, then verify:
cat /etc/debian_version
uname -r
You should see 13.x and a 6.12.x kernel.
Test before upgrading production systems
Always test Debian major version upgrades on a staging system or VM before applying to production. Configuration file conflicts, deprecated packages, and dependency changes are common across major versions and should be resolved in a controlled environment first.
What Kernel Does Debian 13 Use?
Debian 13 ships with the Linux 6.12 LTS kernel series. The Debian 13.6 installer was updated to Linux ABI 6.12.94. This is an LTS kernel branch supported upstream until December 2028, making it a stable and long-supported foundation for the Debian 13 series.
To check your current kernel version:
uname -r
Output:
6.12.38+deb13-amd64
How to Update to Debian 13.6
For existing Debian 13 users, updating to 13.6 is a standard upgrade:
sudo apt update && sudo apt full-upgrade
This is all that is needed. There is no version number to target manually – Debian stable tracks the current point release automatically through its package repositories.