From 2898b65c9ebba804a9aa88c2d465620bfb83e1e4 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 10 Apr 2024 08:05:44 +0200
Subject: Add CVE-2024-22423/yt-dlp

---
 data/CVE/list | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'data')

diff --git a/data/CVE/list b/data/CVE/list
index 1995ff5bfb..9594ecc08b 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -544,7 +544,11 @@ CVE-2024-23671 (A improper limitation of a pathname to a restricted directory ('
 CVE-2024-23662 (An exposure of sensitive information to an unauthorized actor in Forti ...)
 	NOT-FOR-US: FortiGuard
 CVE-2024-22423 (yt-dlp is a youtube-dl fork with additional features and fixes. The pa ...)
-	TODO: check
+	- yt-dlp <not-affected> (Windows-specific)
+	NOTE: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p
+	NOTE: Fixed by: https://github.com/yt-dlp/yt-dlp/commit/ff07792676f404ffff6ee61b5638c9dc1a33a37a (2024.04.09)
+	NOTE: https://github.com/yt-dlp/yt-dlp/releases/tag/2024.04.09
+	NOTE: Issue exists because of incomplete fix to address CVE-2023-40581
 CVE-2024-21756 (A improper neutralization of special elements used in an os command (' ...)
 	NOT-FOR-US: FortiGuard
 CVE-2024-21755 (A improper neutralization of special elements used in an os command (' ...)
-- 
cgit v1.2.3