An expired UEFI Secure Boot certificate authority is the most urgent item in Debian 12.15, released 2026-07-11. The 2013 Secure Boot CA installed on most PCs has now lapsed, and future updates to the shim bootloader could leave systems unable to boot with Secure Boot enabled. To address this, the release ships fwupd 2.0.20, which can update the Secure Boot CA, Key Exchange Key, and revocation databases directly. The Debian project strongly recommends applying CA, KEK, and DBX updates from your system's OEM. This is particularly relevant for anyone running Debian on mini PCs or single-board computers with UEFI firmware, where Secure Boot configurations may not receive automatic vendor updates.
This fifteenth point release is also the last. The Debian Release Team, Security Team, and Backports team are ending their support for Bookworm, with ongoing maintenance for some architectures shifting to the Debian Long Term Support team backed by Freexian. The project is directing users to upgrade to Debian 13 "trixie", which reached stable status in June 2025 and ships with Linux kernel 6.12, GNOME 47, KDE Plasma 6.2, and Python 3.13.
The security payload in 12.15 is substantial. curl received fixes for cache poisoning and data leak vulnerabilities. Apache2 patches address HTTP/2 request denial of service, file handle exhaustion, and a proxy FTP directory listing XSS flaw. MariaDB gets a new upstream stable release closing code execution, SQL injection, and path traversal bugs. Mesa fixes a WebGPU/SPIR-V allocation issue, and xz-utils patches a buffer overflow. Self-hosters running Bookworm should pay particular attention to fixes in OpenVPN, nginx, Samba, Dovecot, and Redis, all of which received dedicated security advisories.
One quirk worth noting for anyone relying on IP geolocation: the geoip-database package has been reverted to data from approximately December 2019. More recent versions of the GeoLite database are incompatible with the Debian Free Software Guidelines, so the project recommends obtaining a GeoLite license directly from MaxMind and dropping the packaged version entirely. Existing Bookworm installations can upgrade to 12.15 through any Debian mirror, and new installation images will be available shortly.