Control: severity -1 important

(CCing: the security team)

Hi,

On 24/08/24 at 02:08, alexvong.rc...@simplelogin.com wrote:
> Subject: youtube-dl: GHSA-22fp-mf44-f2mq GHSA-9jqj-9wwh-r5mg
> Source: youtube-dl
> Version: 2021.12.17-1~bpo11+1
> X-Debbugs-Cc: debian-lts@lists.debian.org
> Severity: grave
> Justification: user security hole
> Tags: security upstream
> 
> Hi,
> 
> The following vulnerabilities were published for youtube-dl.
> 
> GHSA-22fp-mf44-f2mq[0]:
> | File system modification and remote code execution through unchecked file
> | extension

This has been triaged as unimportant since it doesn't impact Linux
users. The issue is only exploitable on Windows.

https://security-tracker.debian.org/tracker/CVE-2024-38519

> GHSA-9jqj-9wwh-r5mg[1]:
> | File Downloader cookie leak in youtube-dl
> 

This has been triaged as a minor issue, and specifically in bullseye as
postponed. So it can be fixed along with other issues in a future
release.

> If you fix the vulnerabilities please also make sure to include the
> GHSA ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://github.com/dirkf/youtube-dl/security/advisories/GHSA-22fp-mf44-f2mq
>     https://github.com/ytdl-org/youtube-dl/issues/32832
>     https://github.com/ytdl-org/youtube-dl/pull/32830
> [1] https://github.com/dirkf/youtube-dl/security/advisories/GHSA-9jqj-9wwh-r5mg
>     https://github.com/ytdl-org/youtube-dl/issues/32832
>     https://github.com/ytdl-org/youtube-dl/pull/32445
> 
> Please adjust the affected versions in the BTS as needed.

Given the above, I am reducing the severity of the issue. It doesn't
warrant being an RC bug (as was the case for
https://bugs.debian.org/1040595). Security team: please let me know if
you think I am not correct.

Best regards,

 -- Santiago

Attachment: signature.asc
Description: PGP signature