#1140955 trixie-pu: package golang-github-containers-buildah/1.39.3+ds1-1

#1140955#5
Date:
2026-06-28 17:22:14 UTC
[ Reason ]

This is to fix a security vulnerability in the podman package present in Debian
Trixie. The current podman package (version 5.4.2+ds1-2) vendors and compiles
Buildah (prior to v1.43.2, probably v1.39.4) directly into its binary to handle
container builds. Upstream has recently disclosed CVE-2026-44517, a
high-severity flaw affecting buildah. Because podman statically embeds the
vulnerable Buildah (>= v1.38.1) Go modules, the podman package inherits this
vulnerability despite the flaw fundamentally existing within the buildah
codebase.

I've backported the upstream commits and want to upload both buildah and, once
accepted, podman to fix this CVE.

[ Impact ]
CVE-2026-44517 remains open

[ Tests ]
automated e2e autopkgtests

[ Risks ]
Bad code change can lead to other bugs or regressions

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[Attachment (inline, text/x-patch): /tmp/buildah-1.39-3+ds1-1+deb13u1.debdiff]