Your message dated Mon, 29 Jun 2026 06:48:50 +0000
with message-id <[email protected]>
and subject line Bug#1140619: fixed in podman 5.8.3+ds1-1
has caused the Debian Bug report #1140619,
regarding podman: CVE-2026-44517 vulnerability via vendored buildah v1.39.4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140619: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140619
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: podman
Version: 5.4.2+ds1-2
Severity: grave
Tags: security

Dear Maintainer,

I am writing to report a security vulnerability in the podman package present 
in Debian Trixie. The current podman package (version 5.4.2+ds1-2) vendors and 
compiles Buildah (prior to v1.43.2, probably v1.39.4) directly into its binary 
to handle container builds. Upstream has recently disclosed CVE-2026-44517, a 
high-severity flaw affecting buildah. Because podman statically embeds the 
vulnerable Buildah (>= v1.38.1) Go modules, the podman package inherits this 
vulnerability despite the flaw fundamentally existing within the buildah 
codebase. Upstream has mitigated this issue in Buildah v1.43.2 (and v1.44), 
which has been integrated into Podman v5.8.3. Could you please look into 
backporting the upstream fix for CVE-2026-44517 into the Trixie package, or 
upgrading the podman package to a secure upstream release?

Thank you for your hard work maintaining these container tools in Debian. 

Regards,
Magus

--- End Message ---
--- Begin Message ---
Source: podman
Source-Version: 5.8.3+ds1-1
Done: Reinhard Tartler <[email protected]>

We believe that the bug you reported is fixed in the latest version of
podman, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <[email protected]> (supplier of updated podman package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 29 Jun 2026 02:31:35 -0400
Source: podman
Architecture: source
Version: 5.8.3+ds1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Reinhard Tartler <[email protected]>
Closes: 1140115 1140619
Changes:
 podman (5.8.3+ds1-1) unstable; urgency=medium
 .
   * build against buildah 1.42.3, Closes: #1140619
   * This release addresses CVE-2026-44517, GHSA-49p4-px3h-rq49.
   * Fix build failure with opencontainers-cgroups < 0.0.6
   * Bump Standards Version, dropped Priority: optional field
   * normalize with wrap-and-sort
   * build against containerd/platforms 1.0, Closes: #1140115
Git-Tag-Info: tag=7cc9f9d6289b8e21da931c2619c9be30f1d8f55a fp=30de7d1763ab9452c7e0825049a76977942826cb
Git-Tag-Tagger: Reinhard Tartler <[email protected]>

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
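
The report's point, that a Go binary inherits flaws from the modules compiled into it, can be checked against a built binary. The following is an added example, not code from Debian, podman or buildah: it reads the dependency list a Go binary records about itself and applies the version range quoted in the messages above. It assumes the module path `github.com/containers/buildah`, which is not stated on this page, and a module-mode build; a binary built another way may record no dependency versions, in which case it prints nothing. `v1.44` is encoded as 1.44.0.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// Versions as the messages above state them (taken as given, not verified here).
var floor = ver(1, 38, 1)                                      // report: ">= v1.38.1"
var fixed = []int{ver(1, 42, 3), ver(1, 43, 2), ver(1, 44, 0)} // changelog; report

func ver(x, y, z int) int { return x*1000000 + y*1000 + z }

// parse accepts only plain vX.Y.Z; pseudo-versions and suffixes are errors for manual review.
func parse(v string) (int, error) {
	var x, y, z int
	fmt.Sscanf(v, "v%d.%d.%d", &x, &y, &z)
	if fmt.Sprintf("v%d.%d.%d", x, y, z) != v {
		return 0, fmt.Errorf("unsupported version %q", v)
	}
	return ver(x, y, z), nil
}

// Affected: at or above the floor and below the fix that applies to its release branch.
func Affected(v string) (bool, error) {
	n, err := parse(v)
	limit := fixed[len(fixed)-1] // branches without their own fix need the newest one
	for _, f := range fixed {
		if f/1000 == n/1000 {
			limit = f // a fix exists on this release branch
		}
	}
	return err == nil && n >= floor && n < limit, err
}

func main() {
	for _, path := range os.Args[1:] { // each argument is a Go binary to inspect
		info, err := buildinfo.ReadFile(path)
		if err != nil {
			panic(err)
		}
		for _, d := range info.Deps {
			if d.Path == "github.com/containers/buildah" { // assumed module path
				bad, err := Affected(d.Version)
				fmt.Println(path, d.Version, "affected:", bad, err)
			}
		}
	}
}
```

A plain "older than v1.43.2" comparison would report the 1.42.3 build named in the changelog as affected, which is why the check compares per release branch.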
