File _patchinfo of Package patchinfo.19131

<patchinfo incident="19131">
  <issue tracker="bnc" id="1242186">yt-dlp is outdated</issue>
  <issue tracker="bnc" id="1227305">VUL-0: CVE-2024-38519: yt-dlp: improper file extension limitations lead to arbitrary filenames being created in the download folder</issue>
  <issue tracker="cve" id="2024-38519"/>
  <packager>jengelh</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for yt-dlp</summary>
  <description>This update for yt-dlp fixes the following issues:

- Update to release 2025.08.22
  * cookies: Fix --cookies-from-browser with Firefox 142+

- Update to release 2025.08.20
  * Warn against use of `-f mp4`
  * yt: Add es5 and es6 player JS variants
  * yt: Default to main player JS variant
  * yt: Extract title and description from initial data
  * yt: Handle required preroll waiting period

- Update to release 2025.08.11
  * yt: Add player params to mweb client
  * dash: Re-extract if using --load-info-json with
    --live-from-start

- Update to release 2025.07.21
  * Default behaviour changed from --mtime to --no-mtime
  * yt: Do not require PO Token for premium accounts
  * yt: Extract global nsig helper functions
  * yt: tab: Fix subscriptions feed extraction

- Update to release 2025.06.30
  * youtube: Fix premium formats extraction

- Update to release 2025.06.25
  * yt: Check any ios m3u8 formats prior to download
  * yt: Improve player context payloads

- Update to release 2025.06.09
  * adobepass: add Fubo MSO, fix Philo MSO authentication
  * yt: Add tv_simply player client
  * yt: Extract srt subtitles
  * yt: Rework nsig function name extraction

- Update to release 2025.05.22
  * yt: Add PO token support for subtitles
  * yt: Add web_embedded client for age-restricted videos
  * yt: Add a PO Token Provider Framework
  * yt: Extract media_type for all videos
  * yt: Fix --live-from-start support for premieres
  * yt: Fix geo-restriction error handling

- Update to release 2025.04.30 [boo#1242186]
  * New option --preset-alias/-t has been added

- Update to release 2025.03.31
  * yt: add player_js_variant extractor-arg
  * yt/tab: Fix playlist continuation extraction

- Update to release 2025.03.27
  * youtube: Make signature and nsig extraction more robust

- Update to release 2025.03.26
  * youtube: fix signature and nsig extraction for player 4fcd6e4a

- Update to release 2025.03.21
  * Fix external downloader availability when using
    ``--ffmpeg-location``
  * youtube: fix nsig and signature extraction for player 643afba4.

- Update to release 2025.02.19
  * NSIG workaround for tce player JS

- Update to release 2025.01.26
  * bilibili: Support space video list extraction without login
  * crunchyroll: Remove extractors
  * youtube: Download tv client Innertube config
  * youtube: Use different PO token for GVS and Player

- Update to release 2025.01.15
  * youtube: Do not use web_creator as a default client

- Update to release 2025.01.12
  * yt: fix DASH formats incorrectly skipped in some situations
  * yt: refactor cookie auth

- Update to release 2024.12.23
  * yt: add age-gate workaround for some embeddable videos

- Update to release 2024.12.13
  * yt: fix signature function extraction for 2f1832d2
  * yt: prioritize original language over auto-dubbed audio

- Update to release 2024.12.06
  * yt: fix ``n`` sig extraction for player 3bb1f723
  * yt: fix signature function extraction
  * yt: player client maintenance

- Update to release 2024.12.03
  * bilibili: Always try to extract HD formats
  * youtube: Adjust player clients for site changes

- Update to release 2024.11.18
  * cloudflarestream: Avoid extraction via videodelivery.net
  * youtube: remove broken OAuth support

- Update to release 2024.11.04
  * Prioritize AV1
  * Remove Python &lt;= 3.8 support
  * youtube: Adjust OAuth refresh token handling

- Update to release 2024.10.22
  * yt: Remove broken android_producer client
  * yt: Remove broken age-restriction workaround
  * yt: Support logging in with OAuth

- Update to release 2024.10.07
  * Fix cookie load error handling
  * youtube: Change default player clients to ios,mweb
  * patreon: Extract all m3u8 formats for locked posts

- Update to release 2024.09.27
  * Support excluding player_clients in extractor-arg
  * clip: Prioritize https formats

- Update to release 2024.08.06
  * youtube: Fix `n` function name extraction for player `b12cc44b`

- Merge sh completion packages into main package
- Add yt-dlp-youtube-dl subpackage

- Update to release 2024.08.01
  * youtube: Change default player clients to ios,tv
  * youtube: Fix n function name extraction for player 20dfca59
  * youtube: Fix age-verification workaround

- Update to release 2024.07.25
  * youtube: Fix n function name extraction for player 3400486c

- Update to release 2024.07.16
  * Support auto-tty and no_color-tty for --color
  * youtube: Avoid poToken experiment player responses

- Update to release 2024.07.09
  * youtube: Remove broken n function extraction fallback

- Update to release 2024.07.01
  * Properly sanitize file-extension to prevent file system
    modification and RCE. Unsafe extensions are now blocked from
    being downloaded. [CVE-2024-38519 boo#1227305]
</description>
</patchinfo>