> During file downloads, yt-dlp or the external downloaders that
> yt-dlp employs may leak cookies on HTTP redirects to a different
> host, or leak them when the host for download fragments differs
> from their parent manifest's host.
>
> This vulnerable behavior is present in all versions of youtube-dl,
> youtube-dlc and yt-dlp released since 2015.01.25. All native and
> external downloaders are affected, except for curl and httpie
> (httpie version 3.1.0 or later).

Summary already <Ver given bump+stable+cleanup getting pushed in a minute, typical for this package to get stabled quickly or sometimes immediately either way.
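
The two leak conditions in the quoted advisory, as an added example that is not code from yt-dlp or from this bug: it assumes the leak comes from a Cookie header computed once for the first URL and reused for later requests, and reports which cookies fall out of scope at each later URL. `JAR`, the URLs and the function names are constructed for illustration, and cookie path matching is left out.

```python
from urllib.parse import urlsplit

# Constructed sample data; the hosts use reserved example domains.
JAR = [
    {"name": "session", "value": "constructed-token", "domain": "video.example.com",
     "host_only": True, "secure": True},
    {"name": "pref", "value": "hd", "domain": "example.com",
     "host_only": False, "secure": False},
]
REDIRECT_CHAIN = [
    "https://video.example.com/watch",
    "https://cdn.example.com/file.mp4",
    "https://mirror.example.net/file.mp4",
]
MANIFEST_THEN_FRAGMENTS = [
    "https://video.example.com/master.m3u8",
    "https://video.example.com/seg1.ts",
    "https://frag.example.org/seg2.ts",
]

def cookies_for(url, jar):
    """Cookies whose scope covers url (RFC 6265 domain and Secure rules; paths ignored)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    allowed = {}
    for c in jar:
        domain = c["domain"].lower().lstrip(".")
        in_scope = host == domain or (not c["host_only"] and host.endswith("." + domain))
        if in_scope and (parts.scheme == "https" or not c["secure"]):
            allowed[c["name"]] = c["value"]
    return allowed

def audit(urls, jar):
    """Report cookies a header fixed at urls[0] would expose at each later URL."""
    fixed = cookies_for(urls[0], jar)
    findings = []
    for url in urls[1:]:
        leaked = sorted(set(fixed) - set(cookies_for(url, jar)))
        if leaked:
            findings.append((url, leaked))
    return findings

if __name__ == "__main__":
    for label, urls in (("redirect", REDIRECT_CHAIN), ("fragments", MANIFEST_THEN_FRAGMENTS)):
        for url, leaked in audit(urls, JAR):
            print(f"{label}: {url} would receive out-of-scope cookies {leaked}")
```

A downloader that calls the equivalent of `cookies_for` for every request, redirect hops and fragments included, sends none of the cookies that `audit` reports.
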
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4961e69bb42ea7aed35e7bdbd09b618c880e3a4

commit b4961e69bb42ea7aed35e7bdbd09b618c880e3a4
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-07-06 21:06:28 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-07-06 21:28:36 +0000

    net-misc/yt-dlp: drop vulnerable <=2023.07.06

    Bug: https://bugs.gentoo.org/909780
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 net-misc/yt-dlp/Manifest                 |  3 --
 net-misc/yt-dlp/yt-dlp-2023.03.04.ebuild | 66 --------------------------------
 net-misc/yt-dlp/yt-dlp-2023.06.21.ebuild | 65 -------------------------------
 net-misc/yt-dlp/yt-dlp-2023.06.22.ebuild | 65 -------------------------------
 4 files changed, 199 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=99ca877a40ce0400c0c1a931c9385e564d2d6c15

commit 99ca877a40ce0400c0c1a931c9385e564d2d6c15
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-07-06 21:05:14 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-07-06 21:28:36 +0000

    net-misc/yt-dlp: stabilize 2023.07.06 for ALLARCHES

    Little reason to wait when there's notable fixes for this package,
    in this case security wrt bug #909780 and twitter access without
    login among other things.

    Bug: https://bugs.gentoo.org/909780
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 net-misc/yt-dlp/yt-dlp-2023.07.06.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f733fa77868c25a3eea687648ae13621d304d36c

commit f733fa77868c25a3eea687648ae13621d304d36c
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-07-06 21:04:41 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-07-06 21:28:36 +0000

    net-misc/yt-dlp: add 2023.07.06

    Bug: https://bugs.gentoo.org/909780
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 net-misc/yt-dlp/Manifest                 |  1 +
 net-misc/yt-dlp/yt-dlp-2023.07.06.ebuild | 65 ++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4ab000f476fab4cc4330333d07bcbee73a37baca

commit 4ab000f476fab4cc4330333d07bcbee73a37baca
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-28 07:39:28 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-28 07:39:43 +0000

    [ GLSA 202409-30 ] yt-dlp: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/909780
    Bug: https://bugs.gentoo.org/917355
    Bug: https://bugs.gentoo.org/935316
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-30.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)