openSUSE-SU-2023:0374-1: moderate: Security update for yt-dlp
openSUSE Security Update: Security update for yt-dlp
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2023:0374-1
Rating:             moderate
References:         #1213124 #1216467
Cross-References:   CVE-2023-35934 CVE-2023-46121
CVSS scores:
                    CVE-2023-35934 (NVD) : 6.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Affected Products:
                    openSUSE Backports SLE-15-SP5
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for yt-dlp fixes the following issues:

   - Update to release 2023.11.14
     * Security: [CVE-2023-46121] Patch Generic Extractor MITM Vulnerability
       via Arbitrary Proxy Injection
     * Disallow smuggling of arbitrary http_headers; extractors now only use
       specific headers
   - Make yt-dlp require the one pythonXX-yt-dlp that /usr/bin/yt-dlp was
     built with.
   - Rework Python build procedure [boo#1216467]
   - Enable Python library [boo#1216467]
   - Update to release 2023.10.13
     * youtube: fix some bug with --extractor-retries inf
   - Update to release 2023.10.07
     * yt: Fix heatmap extraction
     * yt: Raise a warning for Incomplete Data instead of an error
   - Update to release 2023.09.24
     * Extract subtitles from SMIL manifests
     * fb: Add dash manifest URL
     * crunchyroll: Remove initial state extraction
     * youtube: Add player_params extractor arg
   - Remove suggests on brotlicffi; this is only for != cpython
   - Update to release 2023.07.06
     * Prevent Cookie leaks on HTTP redirect [boo#1213124] [CVE-2023-35934]
     * yt: Avoid false DRM detection
     * yt: Process post_live over 2 hours
     * yt: Support shorts-only playlists
   - Update to release 2023.06.22
     * youtube: add IOS to default clients used
   - Update to release 2023.06.21
     * Add option --compat-option playlist-match-filter
     * Add options --no-quiet, --color, --netrc-cmd, --xff
     * Auto-select default format in -f-
     * Improve HTTP redirect handling
     * Support decoding multiple content encodings
   - Use python3.11 on Leap 15.5
     * python3.11 is the only python3 > 3.6 version that will be shipped in
       Leap 15.5
   - Update to release 2023.03.04
     * A bunch of extractor fixes
   - Update to release 2023.03.03
     * youtube: Construct dash formats with range query
     * yt: Detect and break on looping comments
     * yt: Extract channel view_count when /about tab is passed
   - Update to release 2023.02.17
     * Merge youtube-dl: Up to commit/2dd6c6e (Feb 17 2023)
     * Fix --concat-playlist
     * Imply --no-progress when --print
     * Improve default subtitle language selection
     * Make title completely non-fatal
     * Sanitize formats before sorting
     * [hls] Allow extractors to provide AES key
     * [extractor/generic] Avoid catastrophic backtracking in KVS regex
     * [jsinterp] Support if statements
     * [plugins] Fix zip search paths
     * [utils] Don't use Content-length with encoding
     * [utils] Fix time_seconds to use the provided TZ
     * [utils] Fix race condition in make_dir
     * [extractor/anchorfm] Add episode
     * [extractor/boxcast] Add extractor
     * [extractor/ebay] Add extractor
     * [extractor/hypergryph] Add extractor
     * [extractor/NZOnScreen] Add extractor
     * [extractor/rozhlas] Add extractor
     * [extractor/tempo] Add IVXPlayer extractor
     * [extractor/txxx] Add extractors
     * [extractor/vocaroo] Add extractor
     * [extractor/wrestleuniverse] Add extractors
     * [extractor/yappy] Add extractor
     * [extractor/youtube] Fix uploader_id extraction
     * [extractor/youtube] Add hyperpipe instances
     * [extractor/youtube] Handle consent.youtube
     * [extractor/youtube] Support /live/ URL
     * [extractor/youtube] Update invidious and piped instances
     * [extractor/91porn] Fix title and comment extraction
     * [extractor/AbemaTV] Cache user token whenever appropriate
     * [extractor/bfmtv] Support rmc prefix
     * [extractor/biliintl] Add intro and ending chapters
     * [extractor/clyp] Support wav
     * [extractor/crunchyroll] Add intro chapter
     * [extractor/crunchyroll] Better message for premium videos
     * [extractor/crunchyroll] Fix incorrect premium-only error
     * [extractor/DouyuTV] Use new API
     * [extractor/embedly] Embedded links may be for other extractors
     * [extractor/freesound] Workaround invalid URL in webpage
     * [extractor/GoPlay] Use new API
     * [extractor/Hidive] Fix subtitles and age-restriction
     * [extractor/huya] Support HD streams
     * [extractor/moviepilot] Fix extractor
     * [extractor/nbc] Fix NBC and NBCStations extractors
     * [extractor/nbc] Fix XML parsing
     * [extractor/nebula] Remove broken cookie support
     * [extractor/nfl] Add NFLPlus extractor
     * [extractor/niconico] Add support for like history
     * [extractor/nitter] Update instance list by OIRNOIR
     * [extractor/npo] Fix extractor and add HD support
     * [extractor/odkmedia] Add OnDemandChinaEpisodeIE
     * [extractor/pornez] Handle relative URLs in iframe
     * [extractor/radiko] Fix format sorting for Time Free
     * [extractor/rcs] Fix extractors
     * [extractor/reddit] Support user posts
     * [extractor/rumble] Fix format sorting
     * [extractor/servus] Rewrite extractor
     * [extractor/slideslive] Fix slides and chapters/duration
     * [extractor/SportDeutschland] Fix extractor
     * [extractor/Stripchat] Fix extractor
     * [extractor/tnaflix] Fix extractor
     * [extractor/tvp] Support stream.tvp.pl
     * [extractor/twitter] Fix --no-playlist and add media view_count when
       using GraphQL
     * [extractor/twitter] Fix graphql extraction on some tweets
     * [extractor/vimeo] Fix playerConfig extraction
     * [extractor/viu] Add ViuOTTIndonesiaIE extractor
     * [extractor/vk] Fix playlists for new API
     * [extractor/vlive] Replace with VLiveWebArchiveIE
     * [extractor/ximalaya] Update album _VALID_URL
     * [extractor/zdf] Use android API endpoint for UHD downloads
     * [youtube] Improve description extraction
     * [youtube] Prevent excess HTTP 301
     * [bellmedia] Add support for cp24.com clip URLs

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP5:

      zypper in -t patch openSUSE-2023-374=1

Package List:

   - openSUSE Backports SLE-15-SP5 (noarch):

      python311-yt-dlp-2023.11.14-bp155.3.3.1
      yt-dlp-2023.11.14-bp155.3.3.1
      yt-dlp-bash-completion-2023.11.14-bp155.3.3.1
      yt-dlp-fish-completion-2023.11.14-bp155.3.3.1
      yt-dlp-zsh-completion-2023.11.14-bp155.3.3.1

References:

   https://www.suse.com/security/cve/CVE-2023-35934.html
   https://www.suse.com/security/cve/CVE-2023-46121.html
   https://bugzilla.suse.com/1213124
   https://bugzilla.suse.com/1216467
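The two security entries in this advisory describe header-handling rules that any HTTP client following redirects on behalf of a user should enforce: credential-bearing headers (Cookie, Authorization) must not be forwarded when a redirect leaves the original origin (CVE-2023-35934, "Prevent Cookie leaks on HTTP redirect"), and caller-supplied headers must be reduced to an explicit allow-list rather than passed through wholesale (the 2023.11.14 "extractors now only use specific headers" change). The example below is added here to illustrate those two rules in isolation; it is not yt-dlp's code, and the header names, allow-list contents and the redirect chain are constructed for the demonstration. The advisory does not detail the proxy-injection mechanism behind CVE-2023-46121, so the example does not model it.

```python
"""Cookie scoping on redirect and header allow-listing, as a stand-alone example.
Added example; not taken from yt-dlp or the openSUSE package."""
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials and must not follow a redirect to another origin.
SENSITIVE_HEADERS = frozenset({"cookie", "authorization", "proxy-authorization"})

# Constructed allow-list of headers a caller may hand through to the downloader.
# Everything else (including Cookie) is dropped rather than forwarded.
ALLOWED_PASSTHROUGH = frozenset({"user-agent", "referer", "accept-language"})

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """(scheme, host, effective port) so that https://h/ and https://h:443/ compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def redirect_headers(original_url, redirect_url, headers):
    """Return the headers to send with the redirected request.

    Credential-bearing headers are kept only if the redirect stays on the same
    origin. A change of host, port or scheme (including an https -> http
    downgrade) counts as a different origin and strips them.
    """
    if _origin(original_url) == _origin(redirect_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def filter_passthrough_headers(headers):
    """Split caller-supplied headers into (kept, dropped_names) by allow-list."""
    kept, dropped = {}, []
    for name, value in headers.items():
        if name.lower() in ALLOWED_PASSTHROUGH:
            kept[name] = value
        else:
            dropped.append(name)
    return kept, dropped


def follow_redirects(start_url, headers, responses, max_hops=5):
    """Walk a simulated redirect chain, re-deriving headers at every hop.

    `responses` maps a request URL to its Location header (None = final response).
    Returns a list of (url, headers_sent) so the caller can audit what left the
    client at each hop. Hypothetical stand-in for a real HTTP session.
    """
    url, sent = start_url, dict(headers)
    trace = [(url, sent)]
    for _ in range(max_hops):
        location = responses.get(url)
        if location is None:
            return trace
        next_url = urljoin(url, location)  # Location may be relative
        sent = redirect_headers(url, next_url, sent)
        url = next_url
        trace.append((url, sent))
    raise RuntimeError("too many redirects")


# Constructed redirect chain: same-origin hop, then a cross-origin downgrade.
SAMPLE_CHAIN = {
    "https://videos.example/watch?id=1": "/cdn/1.mp4",
    "https://videos.example/cdn/1.mp4": "http://mirror.example/1.mp4",
}
SAMPLE_HEADERS = {
    "Cookie": "session=constructed",
    "Authorization": "Bearer constructed",
    "User-Agent": "example-client/1.0",
}

if __name__ == "__main__":
    for hop_url, hop_headers in follow_redirects(
        "https://videos.example/watch?id=1", SAMPLE_HEADERS, SAMPLE_CHAIN
    ):
        print(hop_url, sorted(hop_headers))
    kept, dropped = filter_passthrough_headers(SAMPLE_HEADERS)
    print("kept:", kept, "dropped:", dropped)
```

Run as a script, the trace shows Cookie and Authorization surviving the first (same-origin) hop and disappearing at the second, where both the host and the scheme change. Comparing effective ports in `_origin` avoids treating `https://host/` and `https://host:443/` as different origins, which would otherwise strip credentials on a harmless redirect.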