python310-yt-dlp-2023.11.16-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13435-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python310-yt-dlp-2023.11.16-1.1 on GA media These are all security issues fixed in the python310-yt-dlp-2023.11.16-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13435 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-46121/ SUSE CVE CVE-2023-46121 page openSUSE Tumbleweed python310-yt-dlp-2023.11.16-1.1 python311-yt-dlp-2023.11.16-1.1 python39-yt-dlp-2023.11.16-1.1 yt-dlp-2023.11.16-1.1 yt-dlp-bash-completion-2023.11.16-1.1 yt-dlp-fish-completion-2023.11.16-1.1 yt-dlp-zsh-completion-2023.11.16-1.1 python310-yt-dlp-2023.11.16-1.1 as a component of openSUSE Tumbleweed python311-yt-dlp-2023.11.16-1.1 as a component of openSUSE Tumbleweed python39-yt-dlp-2023.11.16-1.1 as a component of openSUSE Tumbleweed yt-dlp-2023.11.16-1.1 as a component of openSUSE Tumbleweed yt-dlp-bash-completion-2023.11.16-1.1 as a component of openSUSE Tumbleweed yt-dlp-fish-completion-2023.11.16-1.1 as a component of openSUSE Tumbleweed yt-dlp-zsh-completion-2023.11.16-1.1 as a component of openSUSE Tumbleweed yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using `--no-check-certificate`. CVE-2023-46121 openSUSE Tumbleweed:python310-yt-dlp-2023.11.16-1.1 openSUSE Tumbleweed:python311-yt-dlp-2023.11.16-1.1 openSUSE Tumbleweed:python39-yt-dlp-2023.11.16-1.1 openSUSE Tumbleweed:yt-dlp-2023.11.16-1.1 openSUSE Tumbleweed:yt-dlp-bash-completion-2023.11.16-1.1 openSUSE Tumbleweed:yt-dlp-fish-completion-2023.11.16-1.1 openSUSE Tumbleweed:yt-dlp-zsh-completion-2023.11.16-1.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-46121.html CVE-2023-46121 https://bugzilla.suse.com/1217153 SUSE Bug 1217153