An expired certificate authority is the headline concern in Debian 13.6, released 2026-07-11. The 2013 UEFI Secure Boot CA that ships by default on most PCs has now lapsed, and the Debian project is warning that future updates to shim-signed could leave systems unable to boot with Secure Boot enabled. To get ahead of the problem, this point release updates fwupd to upstream version 2.0.20, which can now write new CA, Key Exchange Key, and revocation database entries directly. Shim itself has been bumped to 16.1 with a new SBAT revocation level, and the signed shim binaries have been rebuilt to ensure compatibility with the 2023 Microsoft UEFI CA. The project is urging users to apply OEM firmware updates alongside the package-level fixes, a step that matters especially for anyone running Debian on mini PCs or custom-built hardware where BIOS updates are less automatic.

The security patch count in this release is substantial. curl alone closes more than ten CVEs spanning bearer token leaks, connection reuse flaws, and credential handling bugs. Apache2 receives fixes for use-after-free, buffer overflow, and denial-of-service issues across thirteen separate CVEs. QEMU ships a new upstream stable release addressing over twenty CVEs, a significant update for anyone running virtual machines or emulating hardware. Python 3.13 patches path traversal, SSRF, and denial-of-service vulnerabilities, while libxml2 plugs recursion and resource exhaustion holes in its RelaxNG and catalog handling.

On the graphics side, Mesa gets a fix for a WebGPU/SPIR-V allocation handling vulnerability (CVE-2026-40393). The qtmir package picks up rendering, scaling, and focus handling fixes for the Lomiri desktop environment, and notably improves rendering provider selection on Asahi Linux, a welcome refinement for anyone running Debian on Apple Silicon hardware. libass, the subtitle rendering library used by mpv and other media players, receives fixes for out-of-bounds read and write issues.

One update highlights the tension between software freedom and practical utility. The geoip-database package has been reverted to a version dated approximately December 2019 because newer GeoLite releases are incompatible with the Debian Free Software Guidelines. Applications relying on the bundled database will now use allocation data that is over six years old. The project recommends obtaining a GeoLite license directly from MaxMind and dropping the packaged version entirely.

The installer has been rebuilt against Linux kernel ABI 6.12.94. Existing Trixie installations can pull the full set of updates from any Debian mirror. Users who have been tracking security.debian.org will find that most of these fixes are already installed, but the Secure Boot certificate situation is worth verifying manually, particularly on systems where the firmware update path is not straightforward.