[pkg-go] Bug#1140619: podman: CVE-2026-44517 vulnerability via vendored buildah v1.39.4

magus magus1 at poczta.fm
Tue Jun 23 17:25:24 BST 2026


Package: podman
Version: 5.4.2+ds1-2
Severity: grave
Tags: security

Dear Maintainer,

I am writing to report a security vulnerability in the podman package present in Debian Trixie. The current podman package (version 5.4.2+ds1-2) vendors and compiles Buildah (prior to v1.43.2, probably v1.39.4) directly into its binary to handle container builds. Upstream has recently disclosed CVE-2026-44517, a high-severity flaw affecting buildah. Because podman statically embeds the vulnerable Buildah (>= v1.38.1) Go modules, the podman package inherits this vulnerability despite the flaw fundamentally existing within the buildah codebase. Upstream has mitigated this issue in Buildah v1.43.2 (and v1.44), which has been integrated into Podman v5.8.3.

Could you please look into backporting the upstream fix for CVE-2026-44517 into the Trixie package, or upgrading the podman package to a secure upstream release?

Thank you for your hard work maintaining these container tools in Debian. 

Regards,
Magus
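Anyone triaging this report will want to confirm what their own podman binary actually links before deciding whether it is affected. The Go program below is an added example, not code from the bug report, from Debian, or from the podman or buildah projects: it parses the module list that `go version -m <binary>` prints (honouring replace directives, whose version is what was really compiled in) and tests the embedded buildah version against the affected range as the report states it (>= v1.38.1, fixed in v1.43.2). The embedded sample output is constructed, with placeholder hashes and a hypothetical example.com module to exercise the replace case, and the version range is taken from the report rather than independently verified here.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"slices"
	"strconv"
	"strings"
)

// SampleGoVersionM is a constructed stand-in for `go version -m /usr/bin/podman`
// output (tab-separated fields, placeholder hashes); it is not captured output.
var SampleGoVersionM = strings.Join([]string{
	"/usr/bin/podman: go1.24.1",
	"\tpath\tgithub.com/containers/podman/v5/cmd/podman",
	"\tmod\tgithub.com/containers/podman/v5\t(devel)\t",
	"\tdep\tgithub.com/containers/buildah\tv1.39.4\th1:placeholder=",
	"\tdep\texample.com/replaced\tv0.1.0\th1:placeholder=",
	"\t=>\texample.com/replaced-fork\tv0.1.5\th1:placeholder=",
}, "\n")

// ParseGoVersionM maps module path to linked version from `go version -m` text.
// Module lines are "\tdep\t<path>\t<version>\t<hash>"; a following "\t=>\t..."
// replace line holds the version really compiled in, so it overrides the
// version recorded for the preceding module path.
func ParseGoVersionM(out string) map[string]string {
	deps, last := map[string]string{}, ""
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Split(strings.TrimPrefix(sc.Text(), "\t"), "\t")
		if len(f) < 3 {
			continue
		}
		switch f[0] {
		case "dep", "mod":
			deps[f[1]], last = f[2], f[1]
		case "=>":
			if last != "" {
				deps[last] = f[2]
			}
		}
	}
	return deps
}

// parseVersion turns "vMAJOR.MINOR.PATCH[-pre][+build]" into a sortable key.
// Element 3 is -1 for a pre-release (including Go pseudo-versions such as
// v1.43.2-0.20260101000000-abcdef123456, which semver orders strictly below
// the release they precede) and 0 for a plain release.
func parseVersion(v string) (key [4]int, err error) {
	core := strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(core, "-+"); i >= 0 {
		if core[i] == '-' {
			key[3] = -1
		}
		core = core[:i]
	}
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return key, fmt.Errorf("not a vMAJOR.MINOR.PATCH version: %q", v)
	}
	for i, p := range parts {
		if key[i], err = strconv.Atoi(p); err != nil {
			return key, fmt.Errorf("bad version %q: %w", v, err)
		}
	}
	return key, nil
}

// InRange reports whether introduced <= v < fixed, the usual shape of an
// advisory's affected range.
func InRange(v, introduced, fixed string) (bool, error) {
	var k [3][4]int
	for i, s := range []string{v, introduced, fixed} {
		var err error
		if k[i], err = parseVersion(s); err != nil {
			return false, err
		}
	}
	return slices.Compare(k[0][:], k[1][:]) >= 0 && slices.Compare(k[0][:], k[2][:]) < 0, nil
}

func main() {
	out := SampleGoVersionM
	if len(os.Args) > 1 && os.Args[1] == "-" { // pipe `go version -m <binary>` in
		b, err := io.ReadAll(os.Stdin)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		out = string(b)
	}
	// Affected range as the bug report states it: >= v1.38.1, fixed in v1.43.2.
	v := ParseGoVersionM(out)["github.com/containers/buildah"]
	affected, err := InRange(v, "v1.38.1", "v1.43.2")
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot evaluate buildah version:", err)
		os.Exit(2)
	}
	fmt.Printf("buildah %s affected=%v\n", v, affected)
}
```

Run it against a real package with `go version -m /usr/bin/podman | go run check.go -` (the file name is hypothetical); with no argument it evaluates the constructed sample. A binary in which buildah is absent or carries a non-semver version such as "(devel)" exits with an error rather than silently reporting "not affected", which is the safer failure mode for a triage tool.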
