v1.44.0

Please Note!

The Configuration File lookup behavior has changed. Callers of functions in this project that read configuration files should refer to containers-config(5) for details.

What's Changed

Notable changes

• fix(build): make --tag oci-archive:xxx.tar work with simple images by @aeijdenberg in #6284
• RPM: build with sequoia on F43+ by @lsm5 in #6395
• Bump Buildah to v1.42.0, storage v1.61.0, image v5.38.0, common v0.66.0 by @TomSweeneyRedHat in #6439
• Introduce CommitResults(), add --metadata-file by @nalind in #6442
• buildah build: use the same overlay for the context directory for the whole build by @nalind in #5975
• [CVE-2025-52881] vendor: update to github.com/opencontainers/runc@v1.3.3 by @cyphar in #6473
• internal/mkcw/embed: cross-compile using Go by @nalind in #6471
• Update VMs, linter, fix warnings, add a "fmt" target by @nalind in #6502
• Remove Cgroups v1 support (podman6) by @lsm5 in #6424
• vendor: update container-libs, and runtime-spec by @lsm5 in #6527
• vendor: update latest common, image, storage by @Luap99 in #6543
• vendor: Update container-libs with cgv1 removed by @lsm5 in #6564
• build: add --iidfile-raw CLI option by @lsm5 in #6521
• test: do not untar archive into fs when checking file names by @iTrooz in #6548
• Use cached images instead of fedoraproject.org by @IrvingMg in #6634
• Run: don't try to encode SystemContext with json by @nalind in #6650
• Bump go.podman.io/{storage,image/v5,common} to main by @nalind in #6651
• chroot.bats(chroot with overlay root): ensure we can overlay by @nalind in #6636
• feat(build): print error on build flag --output=type=something by @iTrooz in #6476
• Add --source-policy-file flag for BuildKit-compatible source policies by @tinovyatkin in #6647
• feat(build): add --mount option by @aeijdenberg in #6289
• Fix call to chown by @stilwelb in #6683
• copier: drain tar stream to prevent broken pipe errors by @Honny1 in #6678
• Add a test where a default ARG value is a quoted string by @nalind in #6679
• Handle new FROM --after flag for explicit stage dependencies by @jlebon in #6654
• test: Fix the typo in bud test by @ypu in #6685
• tree: replace various nested append calls with slices.Concat by @jlebon in #6686
• ignore ErrLayerUnknown in cache lookup by @Luap99 in #6688
• Enable building Windows container images by @sebsoto in #6592
• Stop using the old github.com/docker/docker package paths by @mtrmac in #6692
• fix: support SHELL during RUN commands in image build by @aeijdenberg in #6695
• imagebuildah.stageExecutor.Run(): pull images for transient mounts by @nalind in #6690
• feat: support --mount=type=secret,id=foo,env=bar by @aeijdenberg in #6285
• chroot: error out on --network != host when $BUILDAH_ISOLATION by @nalind in #6697
• Add a more generic "prepend or append instructions" method by @nalind in #6700
• imagebuildah: avoid empty layer in single-layer build path by @jlebon in #6699
• Add an undocumented general "run with RPC service" by @nalind in #6675
• tests: Adapt tests to run on architectures other than amd64 by @ricardobranco777 in #6701
• Builder.getSecretMount(): don't leak an fd by @nalind in #6702
• tests/from.bats "from cpu-shares test": update cgroupv2 weights by @nalind in #6674
• Do not load config files in re-exec process by @Luap99 in #6711
• Update testing VM images by @nalind in #6715
• tests: Replace cat with bash input redirection by @ricardobranco777 in #6717
• tests: some more storage.conf rewrite prep by @Luap99 in #6714
• tests: remove cgroupsv1 checks and simplify cgroupsv2 conditionals by @lsm5 in #6720
• tests: use jq to validate images --json structure by @ricardobranco777 in #6716
• fix(deps): update module google.golang.org/grpc to v1.79.3 by @renovate[bot] in #6733
• Podman6: remove CNI by @lsm5 in #6453
• feat: add support for preserving and labeling intermediate stage images by @ezopezo in #6556
• Fix COPY/ADD --from= with ARG in stage scope by @Honny1 in #6730
• New images 2026-03-19 by @Luap99 in #6742
• Add /assign command GitHub Action by @timcoding1988 in #6738
• Fix panic in --secret flag parsing when key has no value by @Honny1 in #6746
• Add additional caching diagnostics to stage executor by @celskeggs in #6758
• docs: fix build tool tutorial with correct modules by @btwotch in #6770
• internal/mkcw/embed/entrypoint_amd64.gz: rebuild with native assembler by @lsm5 in #6736
• copier: add RemoveOptions.AllowNotFound by @akca in #6782
• copier: add MkdirOptions.MakeParents by @akca in #6783
• tests/helpers.bash: when determining the OCI runtime, use temporary storage by @nalind in #6772
• Makefile: add some missing dependencies by @nalind in #6785
• Introduce deterministic network ordering - vendor c/common, c/image, c/storage main by @mheon in #6722
• Group global commands in global help output by @nalind in #6773
• CI: remove dependencies on online apt repositories by @nalind in #6791
• internal/mkcw: make errors easier to compare, update tests by @nalind in #6664
• COPY --exclude: make patterns context relative by @Honny1 in #6729
• Fix the copier:get operation to properly gather symlink information by @BenjaminSchubert in #6759
• Update to use shared configfile implementation by @jankaluza in #6787
• RUN-4547: Move buildah import paths by @baude in #6797
• manifest create: add --amend and --replace for non-list images by @c-kruse in #6676
• copier: Fix some log messages by @BenjaminSchubert in #6808
• copier: Fix the bookkeeping of the requested root by @BenjaminSchubert in #6807
• Move registries.conf files to v2 format by @Luap99 in #6801
• vendor registries.conf rework by @Luap99 in #6799
• Makefile: preserve entrypoint_amd64 and .gz in clean target by @lsm5 in #6811
• deps: switch away from runc/libct/devices by @kolyshkin in #6809
• docs: Add note about the ssh mount options for non-root users by @plaes in #6810
• Remove OWNERS file by @baude in #6812
• Remove slirp for Podman6 by @lsm5 in #6443
• Packit: Only create dist-git PRs for rawhide by @lsm5 in #6826
• Add RunOptions.ValidExitCodes and --valid-exit-codes flag by @akca in #6817
• deps: bump selinux to v1.14.1 by @kolyshkin in #6846
• tmt: archive audit and journal logs after test execution by @lsm5 in #6850
• rpm/buildah.spec tests: require xz and /usr/...

v1.39.9

What's Changed

Notable changes

• [release-1.39] CVE-2025-49713 x/crypto v0.43.0, bump to Buildah v1.39.9 by @TomSweeneyRedHat in #6612
• [release-1.39] Bump Go Jose to v4.1.4, CVE-2026-34986 by @TomSweeneyRedHat in #6795

Full Changelog: v1.39.8...v1.39.9

v1.29.8

What's Changed

• [release-1.29] Bump Go Jose to v3.0.5, CVE-2026-34986, Buildah to v1.29.8 by @TomSweeneyRedHat in #6825
• [release-1.29] CVE-2025-49713 x/crypto, Buildah to 1.29.7 by @TomSweeneyRedHat in #6633

Full Changelog: v1.29.7...v1.29.8

v1.33.15

What's Changed

• [release-1.33] Bump Go Jose v3.0.5, CVE-2026-34986 by @TomSweeneyRedHat in #6818
• [release-1.33] CVE-2025-49713 x/crypto, Buildah to 1.33.14 by @TomSweeneyRedHat in #6616

Full Changelog: v1.33.14...v1.33.15

v1.26.11

What's Changed

• [release-1.26] Bump runc up to 1.2.9 for CVE-2025-52881, CVE-2025-31133 and CVE-2025-52565 by @cevich in #6570
• [release-1.26] Fix CVE-2025-47913 with x/crypto + minimum go bump by @cevich in #6813

Full Changelog: v1.26.10...v1.26.11

v1.41.9

What's Changed

Notable changes

• [release-1.41] Bump Jose to v4.1.4, CVE-2026-34986 by @TomSweeneyRedHat in #6792
• [release-1.41] Buildah to 1.41.8 for CVE-2025-47913 by @TomSweeneyRedHat in #6620
• [release-1.41] CI config: post-branch update by @nalind in #6673
• [release-1.41] fix call to chown by @nalind in #6763

Full Changelog: v1.41.8...v1.41.9

v1.43.1

What's Changed

Notable changes

• [release-1.43] Bump to Buildah v1.43.0 by @TomSweeneyRedHat in #6671
• [release-1.43] fix call to chown by @nalind in #6761
• [release-1.43] update module github.com/go-jose/go-jose/v4 to v4.1.4 [security] by @nalind in #6775
• [release-1.43] ignore ErrLayerUnknown in cache lookup by @nalind in #6764
• [release-1.43] Bump c/common v0.67.1, c/image v5.39.2, Buildah v1.43.1 by @TomSweeneyRedHat in #6771

Full Changelog: v1.43.0...v1.43.1

v1.43.0

What's Changed

Notable changes

• [release-1.42] Bump runc to v1.3.4 by @TomSweeneyRedHat in #6560
• [release-1.42] Run: don't try to encode SystemContext with json by @nalind in #6665
• [release-1.42] tests: use cached images instead of fedoraproject.org by @nalind in #6667
• [release-1.42] test: do not untar archive into fs when checking file names by @nalind in #6668
• [release-1.42] chroot.bats(chroot with overlay root): ensure we can overlay by @nalind in #6666
• [release-1.42] fix(build): make --tag oci-archive:xxx.tar work with simple images by @nalind in #6669

Full Changelog: v1.42.2...v1.43.0

v1.21.6

What's Changed

• [release-1.21] Replace registry.centos.org by @cevich in #4854
• [release-1.21] conformance test: ignore file type bits when comparing layers by @cevich in #5265
• [release-1.21] conformance tests: don't break on trailing zeroes in layer blobs by @openshift-cherrypick-robot in #5509
• [release-1.21] tests/conformance/testdata/Dockerfile.add:... by @openshift-cherrypick-robot in #6054
• [release-1.21] Bump runc to v1.2.9 - CVE-2025-52881 by @dashea in #6522

Full Changelog: v1.21.5...v1.21.6

v1.29.7

What's Changed

• [release-1.29] CVE-2025-49713 x/crypto, Buildah to 1.29.7 by @TomSweeneyRedHat in #6633
• [release-1.29] Bump runc up to 1.2.9 for CVE-2025-52881, CVE-2025-31133 and CVE-2025-52565 by @cevich in #6538

Full Changelog: v1.29.6...v1.29.7 #6633