Linux Kernel Updates  Image © DALL-ELinux Kernel Updates (Image © DALL-E)

A key part of this release addresses a potential boot failure for some users. The 2013 UEFI Secure Boot CA, which most PCs use to sign bootloaders, has officially expired. If the system is not updated, future shim-signed updates could prevent computers from booting if Secure Boot is enabled. To address this, Debian has updated fwupd to version 2.0.20. With this tool, users can now directly update the certificate authority and key exchange key databases.

Licensing issues forced a rollback regarding geodata. The geoip-database package now uses a version from December 2019. Newer versions of this data do not comply with Debian’s guidelines for free software. This is a delicate situation. Applications that rely on this package will likely use outdated or incorrect IP assignment data. The project recommends that anyone who needs up-to-date data obtain a GeoLite license on their own.

The list of other bug fixes is long. apache2 has patched several security vulnerabilities, including buffer overflows and cross-site scripting vulnerabilities. Extensive work has also been done on curl to prevent Bearer tokens from expiring during redirects. Even the Linux kernel received several updates for various architectures.

Other notable changes affect the developer toolchain and system utilities. qemu and samba were both updated to new stable upstream versions. Python 3.13 received patches to prevent crashes during SSL callbacks. These aren’t just minor optimizations; many address CVEs related to memory corruption and denial-of-service attacks.

Security considerations are the main reason for this release. The version includes dozens of DSAs. These include critical updates for Chromium, Firefox-ESR, and Nginx. Even though those who regularly download from the security mirror may already have some of these fixes, this point release bundles them all together to provide a cleaner base.