Missing container images for versions containing fix for CVE-2025-52881

[rutger-gerritsen]

I’m trying to pull a container image of buildah that includes the fix for CVE-2025-52881, but I’m unable to find any corresponding images on Quay:

According to the release notes, the CVE is fixed in the following versions:

• v1.39.5
• v1.41.6
• v1.42.1

[nalind]

The images are built using Fedora's packages, so I would expect a 1.42.1 image once the package update goes live. The package update is tracked at https://bodhi.fedoraproject.org/updates/FEDORA-2025-8a248ee4f4.

[nalind]

Oh, and since it's in Fedora's updates-testing repository, that means it's pulled in by the quay.io/buildah/testing image.

[TomSweeneyRedHat]

@rutger-gerritsen I wouldn't recommend it for a production environment, but only a test environment until the Fedora Images finally get through testing. The upstream image, built nightly from the GitHub repository, includes the fix for CVE-2025-52881 if you want to test sooner.

$ podman run quay.io/podman/upstream:latest podman version
Client:        Podman Engine
Version:       6.0.0-dev
API Version:   6.0.0-dev
Go Version:    go1.25.4 X:nodwarf5
Git Commit:    fb7e99786e8b38f88179b2504f1b55bb5a629d91
Built:         Tue Nov 18 00:00:00 2025
Build Origin:  Copr: rhcontainerbot/podman-next
OS/Arch:       linux/amd64

[rutger-gerritsen]

Thanks for the explanation — that helps a lot!

Good to know that the fix is already available in Fedora’s updates-testing repo. I understand that's not recommended for production use, but it’s very helpful for validating the fix ahead of time.

Also appreciate the pointer about the upstream nightly image being built directly from the GitHub source and already containing the CVE-2025-52881 fix — that will make early testing even easier.

Thanks again for the clarification!