Control: severity -1 important

(CCing: the security team)

Hi,

On 24/08/24 at 02:08, alexvong.rc...@simplelogin.com wrote:
> Subject: youtube-dl: GHSA-22fp-mf44-f2mq GHSA-9jqj-9wwh-r5mg
> Source: youtube-dl
> Version: 2021.12.17-1~bpo11+1
> X-Debbugs-Cc: debian-lts@lists.debian.org
> Severity: grave
> Justification: user security hole
> Tags: security upstream
>
> Hi,
>
> The following vulnerabilities were published for youtube-dl.
>
> GHSA-22fp-mf44-f2mq[0]:
> | File system modification and remote code execution through unchecked file
> | extension

This has been triaged as unimportant since it doesn't impact Linux users. The issue is only exploitable in Windows.
https://security-tracker.debian.org/tracker/CVE-2024-38519

> GHSA-9jqj-9wwh-r5mg[1]:
> | File Downloader cookie leak in youtube-dl
>

This has been triaged as a minor issue, and specifically in bullseye as postponed. So it can be fixed along with other issues in a future release.

> If you fix the vulnerabilities please also make sure to include the
> GHSA ids in your changelog entry.
>
> For further information see:
>
> [0]
> https://github.com/dirkf/youtube-dl/security/advisories/GHSA-22fp-mf44-f2mq
> https://github.com/ytdl-org/youtube-dl/issues/32832
> https://github.com/ytdl-org/youtube-dl/pull/32830
> [1]
> https://github.com/dirkf/youtube-dl/security/advisories/GHSA-9jqj-9wwh-r5mg
> https://github.com/ytdl-org/youtube-dl/issues/32832
> https://github.com/ytdl-org/youtube-dl/pull/32445
>
> Please adjust the affected versions in the BTS as needed.

Given the above, I am reducing the severity of the issue. It doesn't warrant being an RC bug. (As was the case for https://bugs.debian.org/1040595).

Security team: please let me know if you think I am not correct.

Best regards,

--
Santiago