SUSE Package Hub - openSUSE-2023-374

Update Info

openSUSE-2023-374

Security update for yt-dlp

Type: security
Severity: moderate
Issued: 2023-11-18
Description:
This update for yt-dlp fixes the following issues:

- Update to release 2023.11.14

  * Security: [CVE-2023-46121] Patch Generic Extractor MITM
    Vulnerability via Arbitrary Proxy Injection
  * Disallow smuggling of arbitrary http_headers; extractors now
    only use specific headers

- Make yt-dlp require the one pythonXX-yt-dlp that /usr/bin/yt-dlp
  was built with.

- Rework Python build procedure [boo#1216467]
- Enable Python library [boo#1216467]

- Update to release 2023.10.13

  * youtube: fix some bug with --extractor-retries inf

- Update to release 2023.10.07

  * yt: Fix heatmap extraction
  * yt: Raise a warning for Incomplete Data instead of an error

- Update to release 2023.09.24

  * Extract subtitles from SMIL manifests
  * fb: Add dash manifest URL
  * crunchyroll: Remove initial state extraction
  * youtube: Add player_params extractor arg

- remove suggests on brotlicffi - this is only for != cpython

- Update to release 2023.07.06

  * Prevent Cookie leaks on HTTP redirect [boo#1213124] [CVE-2023-35934]
  * yt: Avoid false DRM detection
  * yt: Process post_live over 2 hours
  * yt: Support shorts-only playlists

- Update to release 2023.06.22

   * youtube: add IOS to default clients used

- Update to release 2023.06.21

  * Add option --compat-option playlist-match-filter
  * Add options --no-quiet, option --color, --netrc-cmd, --xff
  * Auto-select default format in -f-
  * Improve HTTP redirect handling
  * Support decoding multiple content encodings

- Use python3.11 on Leap 15.5

  * python3.11 is the only python3 > 3.6 version would be shipped
    in Leap 15.5

- Update to release 2023.03.04

  * A bunch of extractor fixes

- Update to release 2023.03.03

  * youtube: Construct dash formats with range query
  * yt: Detect and break on looping comments
  * yt: Extract channel view_count when /about tab is passed

- Update to release 2023.02.17

  * Merge youtube-dl: Upto commit/2dd6c6e (Feb 17 2023)
  * Fix --concat-playlist
  * Imply --no-progress when --print
  * Improve default subtitle language selection
  * Make title completely non-fatal
  * Sanitize formats before sorting
  * [hls] Allow extractors to provide AES key
  * [extractor/generic] Avoid catastrophic backtracking in KVS regex
  * [jsinterp] Support if statements
  * [plugins] Fix zip search paths
  * [utils] Don't use Content-length with encoding
  * [utils] Fix time_seconds to use the provided TZ
  * [utils] Fix race condition in make_dir
  * [extractor/anchorfm] Add episode
  * [extractor/boxcast] Add extractor
  * [extractor/ebay] Add extractor
  * [extractor/hypergryph] Add extractor
  * [extractor/NZOnScreen] Add extractor
  * [extractor/rozhlas] Add extractor
  * [extractor/tempo] Add IVXPlayer extractor
  * [extractor/txxx] Add extractors
  * [extractor/vocaroo] Add extractor
  * [extractor/wrestleuniverse] Add extractors
  * [extractor/yappy] Add extractor
  * [extractor/youtube] Fix uploader_id extraction
  * [extractor/youtube] Add hyperpipe instances
  * [extractor/youtube] Handle consent.youtube
  * [extractor/youtube] Support /live/ URL
  * [extractor/youtube] Update invidious and piped instances
  * [extractor/91porn] Fix title and comment extraction
  * [extractor/AbemaTV] Cache user token whenever appropriate
  * [extractor/bfmtv] Support rmc prefix
  * [extractor/biliintl] Add intro and ending chapters
  * [extractor/clyp] Support wav
  * [extractor/crunchyroll] Add intro chapter
  * [extractor/crunchyroll] Better message for premium videos
  * [extractor/crunchyroll] Fix incorrect premium-only error
  * [extractor/DouyuTV] Use new API
  * [extractor/embedly] Embedded links may be for other extractors
  * [extractor/freesound] Workaround invalid URL in webpage
  * [extractor/GoPlay] Use new API
  * [extractor/Hidive] Fix subtitles and age-restriction
  * [extractor/huya] Support HD streams
  * [extractor/moviepilot] Fix extractor
  * [extractor/nbc] Fix NBC and NBCStations extractors
  * [extractor/nbc] Fix XML parsing
  * [extractor/nebula] Remove broken cookie support
  * [extractor/nfl] Add NFLPlus extractor
  * [extractor/niconico] Add support for like history
  * [extractor/nitter] Update instance list by OIRNOIR
  * [extractor/npo] Fix extractor and add HD support
  * [extractor/odkmedia] Add OnDemandChinaEpisodeIE
  * [extractor/pornez] Handle relative URLs in iframe
  * [extractor/radiko] Fix format sorting for Time Free
  * [extractor/rcs] Fix extractors
  * [extractor/reddit] Support user posts
  * [extractor/rumble] Fix format sorting
  * [extractor/servus] Rewrite extractor
  * [extractor/slideslive] Fix slides and chapters/duration
  * [extractor/SportDeutschland] Fix extractor
  * [extractor/Stripchat] Fix extractor
  * [extractor/tnaflix] Fix extractor
  * [extractor/tvp] Support stream.tvp.pl
  * [extractor/twitter] Fix --no-playlist and add media
    view_count when using GraphQL
  * [extractor/twitter] Fix graphql extraction on some tweets
  * [extractor/vimeo] Fix playerConfig extraction
  * [extractor/viu] Add ViuOTTIndonesiaIE extractor
  * [extractor/vk] Fix playlists for new API
  * [extractor/vlive] Replace with VLiveWebArchiveIE
  * [extractor/ximalaya] Update album _VALID_URL
  * [extractor/zdf] Use android API endpoint for UHD downloads
  * [youtube] Improve description extraction
  * [youtube] Prevent excess HTTP 301
  * [bellmedia] Add support for cp24.com clip URLs
References

CVE: CVE-2023-46121
CVE: CVE-2023-35934
Bugzilla: 1216467 Package "yt-dlp" does not contain the library
Bugzilla: 1213124 VUL-0: CVE-2023-35934: yt-dlp: file Downloader cookie leak
Packages

yt-dlp-2023.11.14-bp155.3.3.1