A yt-dlp security update has been released for SUSE Linux Enterprise 15 SP5.



openSUSE-SU-2023:0374-1: moderate: Security update for yt-dlp


openSUSE Security Update: Security update for yt-dlp
_______________________________

Announcement ID: openSUSE-SU-2023:0374-1
Rating: moderate
References: #1213124 #1216467
Cross-References: CVE-2023-35934 CVE-2023-46121
CVSS scores:
CVE-2023-35934 (NVD) : 6.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________

An update that fixes two vulnerabilities is now available.

Description:

This update for yt-dlp fixes the following issues:

- Update to release 2023.11.14

* Security: [CVE-2023-46121] Patch Generic Extractor MITM Vulnerability
via Arbitrary Proxy Injection
* Disallow smuggling of arbitrary http_headers; extractors now
only use specific headers

- Make yt-dlp require the one pythonXX-yt-dlp that /usr/bin/yt-dlp was
built with.

- Rework Python build procedure [boo#1216467]
- Enable Python library [boo#1216467]

- Update to release 2023.10.13

* youtube: fix some bug with --extractor-retries inf

- Update to release 2023.10.07

* yt: Fix heatmap extraction
* yt: Raise a warning for Incomplete Data instead of an error

- Update to release 2023.09.24

* Extract subtitles from SMIL manifests
* fb: Add dash manifest URL
* crunchyroll: Remove initial state extraction
* youtube: Add player_params extractor arg

- remove suggests on brotlicffi - this is only for != cpython

- Update to release 2023.07.06

* Prevent Cookie leaks on HTTP redirect [boo#1213124] [CVE-2023-35934]
* yt: Avoid false DRM detection
* yt: Process post_live over 2 hours
* yt: Support shorts-only playlists

- Update to release 2023.06.22

* youtube: add IOS to default clients used

- Update to release 2023.06.21

* Add option --compat-option playlist-match-filter
* Add options --no-quiet, --color, --netrc-cmd, --xff
* Auto-select default format in -f-
* Improve HTTP redirect handling
* Support decoding multiple content encodings

- Use python3.11 on Leap 15.5

* python3.11 is the only python3 > 3.6 version that would be shipped in Leap
15.5

- Update to release 2023.03.04

* A bunch of extractor fixes

- Update to release 2023.03.03

* youtube: Construct dash formats with range query
* yt: Detect and break on looping comments
* yt: Extract channel view_count when /about tab is passed

- Update to release 2023.02.17

* Merge youtube-dl: Up to commit/2dd6c6e (Feb 17 2023)
* Fix --concat-playlist
* Imply --no-progress when --print
* Improve default subtitle language selection
* Make title completely non-fatal
* Sanitize formats before sorting
* [hls] Allow extractors to provide AES key
* [extractor/generic] Avoid catastrophic backtracking in KVS regex
* [jsinterp] Support if statements
* [plugins] Fix zip search paths
* [utils] Don't use Content-length with encoding
* [utils] Fix time_seconds to use the provided TZ
* [utils] Fix race condition in make_dir
* [extractor/anchorfm] Add episode
* [extractor/boxcast] Add extractor
* [extractor/ebay] Add extractor
* [extractor/hypergryph] Add extractor
* [extractor/NZOnScreen] Add extractor
* [extractor/rozhlas] Add extractor
* [extractor/tempo] Add IVXPlayer extractor
* [extractor/txxx] Add extractors
* [extractor/vocaroo] Add extractor
* [extractor/wrestleuniverse] Add extractors
* [extractor/yappy] Add extractor
* [extractor/youtube] Fix uploader_id extraction
* [extractor/youtube] Add hyperpipe instances
* [extractor/youtube] Handle consent.youtube
* [extractor/youtube] Support /live/ URL
* [extractor/youtube] Update invidious and piped instances
* [extractor/91porn] Fix title and comment extraction
* [extractor/AbemaTV] Cache user token whenever appropriate
* [extractor/bfmtv] Support rmc prefix
* [extractor/biliintl] Add intro and ending chapters
* [extractor/clyp] Support wav
* [extractor/crunchyroll] Add intro chapter
* [extractor/crunchyroll] Better message for premium videos
* [extractor/crunchyroll] Fix incorrect premium-only error
* [extractor/DouyuTV] Use new API
* [extractor/embedly] Embedded links may be for other extractors
* [extractor/freesound] Workaround invalid URL in webpage
* [extractor/GoPlay] Use new API
* [extractor/Hidive] Fix subtitles and age-restriction
* [extractor/huya] Support HD streams
* [extractor/moviepilot] Fix extractor
* [extractor/nbc] Fix NBC and NBCStations extractors
* [extractor/nbc] Fix XML parsing
* [extractor/nebula] Remove broken cookie support
* [extractor/nfl] Add NFLPlus extractor
* [extractor/niconico] Add support for like history
* [extractor/nitter] Update instance list by OIRNOIR
* [extractor/npo] Fix extractor and add HD support
* [extractor/odkmedia] Add OnDemandChinaEpisodeIE
* [extractor/pornez] Handle relative URLs in iframe
* [extractor/radiko] Fix format sorting for Time Free
* [extractor/rcs] Fix extractors
* [extractor/reddit] Support user posts
* [extractor/rumble] Fix format sorting
* [extractor/servus] Rewrite extractor
* [extractor/slideslive] Fix slides and chapters/duration
* [extractor/SportDeutschland] Fix extractor
* [extractor/Stripchat] Fix extractor
* [extractor/tnaflix] Fix extractor
* [extractor/tvp] Support stream.tvp.pl
* [extractor/twitter] Fix --no-playlist and add media view_count when
using GraphQL
* [extractor/twitter] Fix graphql extraction on some tweets
* [extractor/vimeo] Fix playerConfig extraction
* [extractor/viu] Add ViuOTTIndonesiaIE extractor
* [extractor/vk] Fix playlists for new API
* [extractor/vlive] Replace with VLiveWebArchiveIE
* [extractor/ximalaya] Update album _VALID_URL
* [extractor/zdf] Use android API endpoint for UHD downloads
* [youtube] Improve description extraction
* [youtube] Prevent excess HTTP 301
* [bellmedia] Add support for cp24.com clip URLs

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2023-374=1

Package List:

- openSUSE Backports SLE-15-SP5 (noarch):

python311-yt-dlp-2023.11.14-bp155.3.3.1
yt-dlp-2023.11.14-bp155.3.3.1
yt-dlp-bash-completion-2023.11.14-bp155.3.3.1
yt-dlp-fish-completion-2023.11.14-bp155.3.3.1
yt-dlp-zsh-completion-2023.11.14-bp155.3.3.1
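
A post-update check, as an added example that is not part of the advisory or of SUSE's tooling: it maps an installed yt-dlp version to the CVEs from this advisory that it still lacks fixes for, using the release thresholds from the changelog above (2023.07.06 and 2023.11.14). The function names and the sample inventory are constructed for illustration; the comparison looks only at the upstream version, so it does not recognise distribution backports, and it relies on `sort -V` from GNU coreutils.

```shell
#!/bin/sh
# Thresholds taken from the changelog in this advisory:
#   2023.07.06 -> CVE-2023-35934 (cookie leak on HTTP redirect)
#   2023.11.14 -> CVE-2023-46121 (generic extractor proxy injection)

# ver_lt A B: succeed when version A sorts strictly before version B.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# unfixed_cves VERSION[-RELEASE]: print the CVE ids VERSION is still missing.
unfixed_cves() {
    ver=${1%%-*}    # drop the RPM release suffix, e.g. "-bp155.3.3.1"
    out=""
    if ver_lt "$ver" 2023.07.06; then out="CVE-2023-35934"; fi
    if ver_lt "$ver" 2023.11.14; then out="${out:+$out }CVE-2023-46121"; fi
    printf '%s' "$out"
}

# check_packages: read "name version-release" lines on stdin, print one
# status line per package, return 1 if any package is behind the fixes.
check_packages() {
    rc=0
    while read -r name vr; do
        [ -n "$name" ] || continue
        missing=$(unfixed_cves "$vr")
        if [ -n "$missing" ]; then
            echo "OUTDATED $name $vr missing: $missing"
            rc=1
        else
            echo "OK $name $vr"
        fi
    done
    return $rc
}

# Constructed sample inventory (not real host data): one patched package,
# one between the two fixes, one older than both.
sample_rpm_output() {
    printf '%s\n' \
        'yt-dlp 2023.11.14-bp155.3.3.1' \
        'python311-yt-dlp 2023.07.06-bp155.2.1' \
        'yt-dlp 2023.03.04-bp155.1.1'
}

# On a real host, feed rpm output instead of the sample:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' yt-dlp python311-yt-dlp | check_packages
sample_rpm_output | check_packages || true
```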

References:

https://www.suse.com/security/cve/CVE-2023-35934.html
https://www.suse.com/security/cve/CVE-2023-46121.html
https://bugzilla.suse.com/1213124
https://bugzilla.suse.com/1216467