Fixed version already in-tree, pending stable+cleanup.

CVE-2023-46121: The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0523a83f97c3adc1eb9f9ec52a067f4619987593

commit 0523a83f97c3adc1eb9f9ec52a067f4619987593
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-11-20 05:10:18 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-11-20 05:10:21 +0000

    net-misc/yt-dlp: drop vulnerable 2023.10.13

    Bug: https://bugs.gentoo.org/917355
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 net-misc/yt-dlp/Manifest                 |  1 -
 net-misc/yt-dlp/yt-dlp-2023.10.13.ebuild | 71 --------------------------------
 2 files changed, 72 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f2b752c52071b8b4972d27fb468960cad9b1bf79

commit f2b752c52071b8b4972d27fb468960cad9b1bf79
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2023-11-20 05:09:14 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2023-11-20 05:09:51 +0000

    net-misc/yt-dlp: stabilize 2023.11.16 ALLARCHES (amd64)

    Bug: https://bugs.gentoo.org/917355
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 net-misc/yt-dlp/yt-dlp-2023.11.16.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)