Package: release.debian.org Severity: normal Tags: trixie X-Debbugs-Cc: [email protected] Control: affects -1 + src:golang-github-containers-buildah User: [email protected] Usertags: pu
[ Reason ] This is to fix a security vulnerability in the podman package present in Debian Trixie. The current podman package (version 5.4.2+ds1-2) vendors and compiles Buildah (prior to v1.43.2, probably v1.39.4) directly into its binary to handle container builds. Upstream has recently disclosed CVE-2026-44517, a high-severity flaw affecting buildah. Because podman statically embeds the vulnerable Buildah (>= v1.38.1) Go modules, the podman package inherits this vulnerability despite the flaw fundamentally existing within the buildah codebase. I've backported the upstream commits and want to upload both buildah, and once accepted, podman to fix this CVE [ Impact ] CVE-2026-44517 remains open [ Tests ] automated e2e autopkgtests [ Risks ] Bad code change can lead to other bugs or regressions [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable <#part type="text/x-patch" filename="/tmp/buildah-1.39-3+ds1-1+deb13u1.debdiff" disposition=inline> <#/part>

