NewsOpen SourceSecurity

Debian 13.6 Trixie: Secure Boot CA Fix and 120 Patches

Debian 13.6 Trixie secure boot and security fixes illustration

Debian 13.6 dropped on July 11 with 244 fixes. But the number that actually matters is 2013 — the year of the Secure Boot certificate authority that has now expired on most x86 systems. That CA signed the shim bootloader that lets Linux start with Secure Boot enabled. Future shim-signed updates will target the new 2026 UEFI cert chain. If your firmware databases have not been rotated, the next shim update may leave you staring at a boot failure. The patch is here. Run it now.

The Secure Boot Time Bomb

The expired CA is a slow-burn problem, not an immediate one. Nothing breaks on your system today. The failure mode is deferred: the next time shim-signed receives an update targeting the 2026 Microsoft UEFI CA, machines with stale firmware-side databases — the CA store, Key Exchange Key (KEK), and revocation list (DBX) — will fail to boot with Secure Boot active. Developers running Trixie on laptops or bare-metal servers with Secure Boot enabled should treat this as urgent.

Debian 13.6 ships fwupd upgraded to 2.0.20, which can now update all three firmware databases. The shim, shim-signed, and shim-helpers-* packages have been bumped to stay compatible with the 2023 Microsoft UEFI CA. After running apt upgrade, fire off the firmware update:

sudo fwupdmgr refresh
sudo fwupdmgr update

Then apply any available OEM firmware updates for your hardware. Dell, Lenovo, HP, and most major vendors publish fwupd-compatible packages that include the UEFI database updates. The apt upgrade alone is not enough — the firmware-side CA rotation requires this second step.

curl Got 13 CVE Fixes. Check Your Version.

curl is in virtually every container, CI pipeline, and API integration. Debian 13.6 patches 13 curl CVEs, and several are the subtle kind that live undetected in codebases for months.

The most technically interesting is CVE-2026-3805, a use-after-free in the SMB handler. When a second SMB transfer reuses an existing connection, the file path for the new request is a dangling pointer to freed heap memory. curl reads it via strlen() and copies the result — potentially including sensitive heap contents — into the outgoing SMB packet. Affected versions: 8.13.0 through 8.18.0. Fixed in 8.19.0.

Also patched: bearer token leaks across HTTP redirects (Authorization headers forwarded to redirect targets on different hosts), STARTTLS plaintext connection reuse, and credential leakage through proxy authentication state. These are hard to spot in traffic logs but straightforward to exploit with a malicious redirect in place. After updating, verify your curl version:

curl --version

You want 8.19.0 or later.

apache2, QEMU, and 120 More Fixes

Apache2 takes 13 CVE fixes covering use-after-free bugs, a cross-site scripting hole, buffer overflows, denial-of-service conditions, out-of-bounds reads, and a file read vulnerability. If you serve anything over Apache on a Trixie box, reload after upgrading:

sudo systemctl reload apache2

QEMU moved to a new upstream stable release carrying 25 security fixes — relevant for any CI setup running KVM-based runners or local dev VMs. Beyond these headline packages, the release folds in over 130 Debian Security Advisories (DSA-6250 through DSA-6384), covering the Linux kernel, nginx, Redis, OpenSSL, PostgreSQL, Samba, OpenVPN, bind9, Chromium (nine separate advisories), Firefox ESR, Thunderbird, Exim, and Dovecot. If your production stack runs on Trixie, you are touching nearly every layer of it with this update.

The GeoIP Rollback: Silent and Potentially Impactful

One change in 13.6 that will not make noise immediately but may cause quiet breakage: Debian reverted the geoip-database package to a December 2019 snapshot. Newer versions of MaxMind’s GeoLite databases are no longer compatible with the Debian Free Software Guidelines because post-GDPR/CCPA restrictions prevent redistribution under the Creative Commons license Debian requires.

The practical effect: any application using Debian’s packaged GeoIP database now gets seven-year-old IP range data. IP-based geo-blocking rules, log enrichment, analytics, and IP reputation checks will silently use stale mappings. The package upgrades without complaint and there is no error output. You will not know unless you check.

If you need current data, pull it directly from MaxMind via the geoipupdate tool. A free account at maxmind.com is sufficient for GeoLite2 access. Check whether you are affected:

dpkg -l geoip-database

If the package is installed and your application depends on it for live data, set up a direct feed before this creates a silent data quality problem downstream.

How to Update

If you are already tracking security.debian.org, most of these fixes arrived through normal security updates. Debian 13.6 consolidates them onto standard mirrors. The standard upgrade path applies:

sudo apt update && sudo apt upgrade

Then handle the Secure Boot firmware update separately with fwupdmgr as described above. For Docker images based on Debian Trixie, rebuild to pick up updated packages — especially curl and apache2 if your image includes them.

Debian 13.6 is a routine point release with a non-routine headline. The 244 fixes are table stakes. The Secure Boot CA rotation is the one that bites you later if you skip it. The full DSA list is in the Help Net Security breakdown if you want to audit every affected package. Do the apt upgrade, run fwupdmgr update, and check your GeoIP situation. That covers it.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.

    You may also like

    Leave a reply

    Your email address will not be published. Required fields are marked *

    More in:News