Debian 13.6 Released, GeoIP Database Rolled Back to 2019 Version
Debian 13.6 point release is now available, featuring numerous security updates for Linux kernel, Nginx, and more. GeoIP database rolled back due to non-compliance with DFSG, and fwupd 2.0.20 addresses expired UEFI Secure Boot CA.
According to a report by Michael Larabel of Phoronix, the Debian project released Debian 13.6, the sixth point release of Debian 13 “Trixie,” on July 11, 2026. This release incorporates numerous security fixes and maintenance updates, making it a noteworthy update.
Wide-Ranging Security Fixes
Debian 13.6 includes a host of patches addressing the latest security advisories. Notably, several critical security vulnerabilities related to the Linux kernel have been addressed. Given that the kernel is the foundation of the entire system, fixing these vulnerabilities is of utmost importance for all users.
Additionally, updates have been made to widely used packages such as Nginx, Redis, FFmpeg, Thunderbird, Chromium, and PHP. These software packages, including the web server Nginx, the database caching system Redis, the media processing tool FFmpeg, the email client Thunderbird, the browser Chromium, and the scripting language PHP, are all potential targets for attackers. Therefore, prompt upgrades are highly recommended.
As noted in an article explaining the Microsoft Defender privilege escalation vulnerability “RoguePlanet,” the application of security patches to operating systems and middleware is a fundamental practice to reduce the attack surface. Stable distributions like Debian ease this burden by offering bulk updates in point releases.
Rollback of GeoIP Database
One of the significant changes in this release is the rollback of the GeoIP database package (geoip-database) to its December 2019 version.
The GeoIP database is used to derive geographical location information based on IP addresses. Historically, the GeoLite database provided by MaxMind has been widely used for this purpose. However, its newer versions have been deemed non-compliant with the Debian Free Software Guidelines (DFSG). The DFSG is a set of criteria used by Debian to determine whether software qualifies as “free,” and any non-compliant data cannot be included in the main repository.
This decision serves as a prime example of how the Debian community balances open-source licensing policies with practical data quality considerations. Although geolocation data is crucial for various applications like web analytics, access control, and content distribution, licensing restrictions have clashed with the principles of free software, prompting Debian to prioritize its ideals.
UEFI Secure Boot Support with fwupd 2.0.20
Debian 13.6 also updates the firmware update tool fwupd to version 2.0.20. This version introduces updated support for Secure Boot CA (Certificate Authority), KEK (Key Exchange Key), and DBX (Revoked Signature Database).
This comes in response to the expiration of the UEFI Secure Boot CA certificates, which are used by most PCs by default. Secure Boot protects systems against malware and rootkits by allowing only signed code to execute at boot time. The expiration of CA certificates could potentially disrupt the authentication of new hardware or firmware. With fwupd 2.0.20, users can update these databases to maintain the integrity of the Secure Boot trust chain.
Editorial Opinion
In the short term, the security fixes included in Debian 13.6, particularly those addressing vulnerabilities in the Linux kernel, Nginx, and Redis, should be prioritized by system administrators managing servers. Although the rollback of the GeoIP database may reduce the accuracy of location data for some applications, alternatives such as the GeoLite2 free version or third-party repositories provide viable solutions, making the actual impact limited.
From a long-term perspective, the issue of DFSG non-compliance extends beyond a mere licensing debate. As high-quality datasets for AI training and geolocation services increasingly come with proprietary or non-free licenses, Debian’s commitment to its principles strengthens community trust but also risks creating a gap between its values and practical use cases.
The update to fwupd for Secure Boot CA renewal is critical for maintaining the security foundation at the firmware level. Other Linux distributions should follow suit to address this issue promptly.
References
- “Debian 13.6 Released To Ship All The Latest Security Fixes, Reverts GeoIP Database”, by Michael Larabel — Phoronix, 2026-07-11T14:31:23.000Z (ARR)
- Source URL: https://www.phoronix.com/news/Debian-13.6-Released
Frequently Asked Questions
- How can I upgrade to Debian 13.6?
- Existing Debian 13 users can run `sudo apt update && sudo apt upgrade` or use their package manager to get the latest packages. New installations can be performed using the ISO image. It's recommended to back up your data before upgrading.
- What are the implications of rolling back the GeoIP database to the 2019 version?
- The precision of geolocation data might decrease, potentially causing some countries or regions to be incorrectly identified, especially for newer IP allocations. Users can install the free version of GeoLite2 separately or use alternative databases.
- How do I update the Secure Boot CA with fwupd 2.0.20?
- Generally, the `fwupdmgr update` command will automatically apply the update. Secure Boot must be enabled in the UEFI firmware settings. A system reboot may be required after the update. Consult the official fwupd documentation for more details.
Comments