Package: podman
Version: 5.4.2+ds1-2
Severity: grave
Tags: security

Dear Maintainer,

I am writing to report a security vulnerability in the podman package present 
in Debian Trixie. The current podman package (version 5.4.2+ds1-2) vendors and 
compiles Buildah (prior to v1.43.2, probably v1.39.4) directly into its binary 
to handle container builds. Upstream has recently disclosed CVE-2026-44517, a 
high-severity flaw affecting buildah. Because podman statically embeds the 
vulnerable Buildah (>= v1.38.1) Go modules, the podman package inherits this 
vulnerability despite the flaw fundamentally existing within the buildah 
codebase. Upstream has mitigated this issue in Buildah v1.43.2 (and v1.44), 
which has been integrated into Podman v5.8.3. Could you please look into 
backporting the upstream fix for CVE-2026-44517 into the Trixie package, or 
upgrading the podman package to a secure upstream release?

Thank you for your hard work maintaining these container tools in Debian. 

Regards,
Magus
