SUSE alert openSUSE-SU-2025:0364-1 (yt-dlp)
From: opensuse-security@opensuse.org
To: security-announce@lists.opensuse.org
Subject: openSUSE-SU-2025:0364-1: moderate: Security update for yt-dlp
Date: Thu, 18 Sep 2025 18:05:07 +0200
Message-ID: <20250918160507.92D37FBA1@maintenance.suse.de>
   openSUSE Security Update: Security update for yt-dlp
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2025:0364-1
Rating:             moderate
References:         #1227305 #1242186
Cross-References:   CVE-2024-38519
Affected Products:
                    openSUSE Leap 15.6
______________________________________________________________________________

   An update that solves one vulnerability and has one errata
   is now available.

Description:

   This update for yt-dlp fixes the following issues:

   - Update to release 2025.08.22
     * cookies: Fix --cookies-from-browser with Firefox 142+
   - Update to release 2025.08.20
     * Warn against use of `-f mp4`
     * yt: Add es5 and es6 player JS variants
     * yt: Default to main player JS variant
     * yt: Extract title and description from initial data
     * yt: Handle required preroll waiting period
   - Update to release 2025.08.11
     * yt: Add player params to mweb client
     * dash: Re-extract if using --load-info-json with
       --live-from-start
   - Update to release 2025.07.21
     * Default behaviour changed from --mtime to --no-mtime
     * yt: Do not require PO Token for premium accounts
     * yt: Extract global nsig helper functions
     * yt: tab: Fix subscriptions feed extraction
   - Update to release 2025.06.30
     * youtube: Fix premium formats extraction
   - Update to release 2025.06.25
     * yt: Check any ios m3u8 formats prior to download
     * yt: Improve player context payloads
   - Update to release 2025.06.09
     * adobepass: add Fubo MSO, fix Philo MSO authentication
     * yt: Add tv_simply player client
     * yt: Extract srt subtitles
     * yt: Rework nsig function name extraction
   - Update to release 2025.05.22
     * yt: Add PO token support for subtitles
     * yt: Add web_embedded client for age-restricted videos
     * yt: Add a PO Token Provider Framework
     * yt: Extract media_type for all videos
     * yt: Fix --live-from-start support for premieres
     * yt: Fix geo-restriction error handling
   - Update to release 2025.04.30 [boo#1242186]
     * New option --preset-alias/-t has been added
   - Update to release 2025.03.31
     * yt: add player_js_variant extractor-arg
     * yt/tab: Fix playlist continuation extraction
   - Update to release 2025.03.27
     * youtube: Make signature and nsig extraction more robust
   - Update to release 2025.03.26
     * youtube: fix signature and nsig extraction for player 4fcd6e4a
   - Update to release 2025.03.21
     * Fix external downloader availability when using
       ``--ffmpeg-location``
     * youtube: fix nsig and signature extraction for player 643afba4.
   - Update to release 2025.02.19
     * NSIG workaround for tce player JS
   - Update to release 2025.01.26
     * bilibili: Support space video list extraction without login
     * crunchyroll: Remove extractors
     * youtube: Download tv client Innertube config
     * youtube: Use different PO token for GVS and Player
   - Update to release 2025.01.15
     * youtube: Do not use web_creator as a default client
   - Update to release 2025.01.12
     * yt: fix DASH formats incorrectly skipped in some situations
     * yt: refactor cookie auth
   - Update to release 2024.12.23
     * yt: add age-gate workaround for some embeddable videos
   - Update to release 2024.12.13
     * yt: fix signature function extraction for 2f1832d2
     * yt: prioritize original language over auto-dubbed audio
   - Update to release 2024.12.06
     * yt: fix ``n`` sig extraction for player 3bb1f723
     * yt: fix signature function extraction
     * yt: player client maintenance
   - Update to release 2024.12.03
     * bilibili: Always try to extract HD formats
     * youtube: Adjust player clients for site changes
   - Update to release 2024.11.18
     * cloudflarestream: Avoid extraction via videodelivery.net
     * youtube: remove broken OAuth support
   - Update to release 2024.11.04
     * Prioritize AV1
     * Remove Python <= 3.8 support
     * youtube: Adjust OAuth refresh token handling
   - Update to release 2024.10.22
     * yt: Remove broken android_producer client
     * yt: Remove broken age-restriction workaround
     * yt: Support logging in with OAuth
   - Update to release 2024.10.07
     * Fix cookie load error handling
     * youtube: Change default player clients to ios,mweb
     * patreon: Extract all m3u8 formats for locked posts
   - Update to release 2024.09.27
     * Support excluding player_clients in extractor-arg
     * clip: Prioritize https formats
   - Update to release 2024.08.06
     * youtube: Fix `n` function name extraction for player `b12cc44b`
   - Merge sh completion packages into main package
   - Add yt-dlp-youtube-dl subpackage
   - Update to release 2024.08.01
     * youtube:
       * Change default player clients to ios,tv
       * Fix n function name extraction for player 20dfca59
       * Fix age-verification workaround
   - Update to release 2024.07.25
     * youtube: Fix n function name extraction for player 3400486c
   - Update to release 2024.07.16
     * Support auto-tty and no_color-tty for --color
     * youtube: Avoid poToken experiment player responses
   - Update to release 2024.07.09
     * youtube: Remove broken n function extraction fallback
   - Update to release 2024.07.01:
     * Properly sanitize file-extension to prevent file system
       modification and RCE. Unsafe extensions are now blocked from
       being downloaded. [CVE-2024-38519 boo#1227305]

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.6:

      zypper in -t patch openSUSE-2025-364=1

Package List:

   - openSUSE Leap 15.6 (noarch):

      python312-yt-dlp-2025.08.22-lp156.2.3.1
      yt-dlp-2025.08.22-lp156.2.3.1
      yt-dlp-youtube-dl-2025.08.22-lp156.2.3.1

References:

   https://www.suse.com/security/cve/CVE-2024-38519.html
   https://bugzilla.suse.com/1227305
   https://bugzilla.suse.com/1242186