Your message dated Sun, 28 Jun 2026 07:53:56 +0000
with message-id <[email protected]>
and subject line Bug#1140619: fixed in golang-github-containers-buildah 
1.43.2+ds1-1
has caused the Debian Bug report #1140619,
regarding podman: CVE-2026-44517 vulnerability via vendored buildah v1.39.4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140619: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140619
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: podman
Version: 5.4.2+ds1-2
Severity: grave
Tags: security

Dear Maintainer,

I am writing to report a security vulnerability in the podman package present 
in Debian Trixie. The current podman package (version 5.4.2+ds1-2) vendors and 
compiles Buildah (prior to v1.43.2, probably v1.39.4) directly into its binary 
to handle container builds. Upstream has recently disclosed CVE-2026-44517, a 
high-severity flaw affecting buildah. Because podman statically embeds the 
vulnerable Buildah (>= v1.38.1) Go modules, the podman package inherits this 
vulnerability despite the flaw fundamentally existing within the buildah 
codebase. Upstream has mitigated this issue in Buildah v1.43.2 (and v1.44), 
which has been integrated into Podman v5.8.3. Could you please look into 
backporting the upstream fix for CVE-2026-44517 into the Trixie package, or 
upgrading the podman package to a secure upstream release?

Thank you for your hard work maintaining these container tools in Debian. 

Regards,
Magus

--- End Message ---
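
The report's point is that the flaw ships inside the podman binary through the embedded Buildah module, so the version to check is the one recorded in the binary, not the buildah package. The script below is an added example, not part of the report or of either package; it assumes the module path github.com/containers/buildah, takes the affected range (>= v1.38.1, fixed in v1.43.2) from the report, and uses hypothetical function names and constructed sample output.

```shell
#!/bin/sh
# Added example: classify the Buildah module embedded in a Go binary from the
# output of `go version -m <binary>`. Range as stated in the bug report.
AFFECTED_FROM="1.38.1"
FIXED_IN="1.43.2"

# ver_lt A B: succeeds when version A sorts strictly before B (GNU sort -V).
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# buildah_version: reads `go version -m` output on stdin and prints the
# embedded buildah version without the leading "v" (empty if not recorded).
buildah_version() {
    awk '$1 == "dep" && $2 == "github.com/containers/buildah" {
             sub(/^v/, "", $3); print $3; exit }'
}

# classify: prints "affected V", "not-affected V" or "unknown".
# "unknown" covers binaries built without module metadata; it is not a pass.
classify() {
    v=$(buildah_version)
    if [ -z "$v" ]; then
        echo "unknown"
    elif ver_lt "$v" "$AFFECTED_FROM" || ! ver_lt "$v" "$FIXED_IN"; then
        echo "not-affected $v"
    else
        echo "affected $v"
    fi
}

# Constructed sample of `go version -m` output (not captured from a real host).
sample_report() {
    printf '/usr/bin/podman: go1.24.2\n'
    printf '\tpath\tgithub.com/containers/podman/v5/cmd/podman\n'
    printf '\tdep\tgithub.com/containers/buildah\tv1.39.4\th1:CONSTRUCTED=\n'
}

# Usage: ./check.sh /usr/bin/podman   (requires the Go toolchain)
if [ "$#" -gt 0 ]; then
    go version -m "$1" | classify
fi
```

Fall back to the distribution's security tracker or the package changelog when the result is "unknown".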
--- Begin Message ---
Source: golang-github-containers-buildah
Source-Version: 1.43.2+ds1-1
Done: Reinhard Tartler <[email protected]>

We believe that the bug you reported is fixed in the latest version of
golang-github-containers-buildah, which is due to be installed in the Debian 
FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <[email protected]> (supplier of updated 
golang-github-containers-buildah package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 28 Jun 2026 03:24:47 -0400
Source: golang-github-containers-buildah
Architecture: source
Version: 1.43.2+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Reinhard Tartler <[email protected]>
Closes: 1140619
Changes:
 golang-github-containers-buildah (1.43.2+ds1-1) unstable; urgency=medium
 .
   * New upstream version
   * Fixes CVE-2026-44517, Closes: #1140619
Git-Tag-Info: tag=812fef693ba6c904961ebc40b91480df03088b35 
fp=30de7d1763ab9452c7e0825049a76977942826cb
Git-Tag-Tagger: Reinhard Tartler <[email protected]>

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
