lemmy - Link zum Originalbeitrag

Jellyfin critical security update - This is not a joke

Release 10.11.7 · jellyfin/jellyfin

🚀 Jellyfin Server 10.11.7 We are pleased to announce the latest stable release of Jellyfin, version 10.11.7! This minor release brings several bugfixes to improve your Jellyfin experience. As alway...
GitHub
#selfhosted
Als Antwort auf Mubelotix

lemmy - Link zum Originalbeitrag

varnia

There is a good reason I only have Jellyfin and other services accessible via valid Client Certificate.

Client-Side Certificate Authentication with nginx

Authentication in applications is tough. If you decide to roll your own, security issues are nearly guaranteed. Most anyone who writes software for a living will tell you to use something you didn’t write; that’s battle-tested and in wide use.
fardog.io
Als Antwort auf daniskarma

lemmy - Link zum Originalbeitrag

varnia

No, we only use Jellyfin via browser. Unfortunately even with imported Client Cert, Android apps won't work.

Edit: Client Certs need to be implemented per App. There is a feature request from 2022 features.jellyfin.org/posts/14…

Capability to specify client certificate for android client · Jellyfin Feature Requests

Allow to specify certificate to use when connecting to jellyfin in android client. This will allow to verify client on reverse proxy to ensure only al
features.jellyfin.org
Dieser Beitrag wurde bearbeitet. (1 Tag her)
Als Antwort auf tiz

lemmy - Link zum Originalbeitrag

ohshit604

Pangolin is based off of Traefik if I’m not mistaken, should be able to use Traefiks IPAllowlist middleware to blacklist all IP addresses and only whitelisting the known few, that way you can expose your application to the internet knowing you have that restriction in place for those who connect to your service.

Redirecting...

doc.traefik.io
Dieser Beitrag wurde bearbeitet. (1 Tag her)
Als Antwort auf VeganCheesecake

lemmy - Link zum Originalbeitrag

ohshit604

Oh yeah I’m aware, if people don’t want to use a VPN then I suggest this but give them the advisory warning.

Actually, recently I’ve been using a fork of IPAllowList which accepts DDNS addresses, but that usually is for more technical folk who would probably rather use a VPN then purchase a domain and associate it with their network.

Dieser Beitrag wurde bearbeitet. (20 Stunden her)
Als Antwort auf douglasg14b

lemmy - Link zum Originalbeitrag

ramble81

What? No, you can do a tiny reverse proxy/vpn on a stick with something like a RPi. Configure it and give it to them. Then they point their Jellyfin client on their device to the IP of the RPi instance on their network and that creates the tunnel back to your VPN endpoint and server.

And for VPNs at a router level you can inject routes and leave th default route going out through your ISP, you don’t need to, nor want to, have all traffic going through it.

Als Antwort auf Damarus

lemmy - Link zum Originalbeitrag

WhyJiffie

much of the internet is run on simpler software or by full time employees tasked to deal with all this. but sure, ignorance is bliss, what you don't see does not exist, etc etc, keep running your Jellyfin exposed to the internet. you wouldnt even get to know when your system is compromised. but you know what? you could even remove your password for extra convenience. who would want to log in to a random jellyfin account anyway! surely no one! just don't recommend these practices to anyone, because you are putting them at risk.
Als Antwort auf ugo

lemmy - Link zum Originalbeitrag

douglasg14b

Which doesn't work for The grand majority of devices that would be used to watch said media.

Tvs game consoles rokus so on so forth typically don't support VPN clients.

The Jonathan clients for these devices also typically don't support alternative authentication methods which would allow you to put jellyfin behind a proxy and have the proxy exposed to the internet. Gating all access to jellyfin apis behind a primary authentication layer thus mitigating effectively all security vulnerabilities that are currently open.

Als Antwort auf douglasg14b

lemmy - Link zum Originalbeitrag

WhyJiffie

Tvs game consoles rokus so on so forth typically don't support VPN clients.


and that's why you set up a VPN client box on the location, set it up as a regular VPN client, and install a reverse proxy on it that the dumb clients can connect to.

the VPN box could be as simple as an old android phone no one uses, and termux

Dieser Beitrag wurde bearbeitet. (8 Stunden her)
Als Antwort auf esc

lemmy - Link zum Originalbeitrag

CompactFlax

That’s never made sense to me; why build an authn frontend instead of just clicking your user if the security is just an illusion anyways. “Use a VPN” is fine for a mainframe, but an active project in 2026 should aspire to be better.

Edit: or make note of that on their several pages with reverse proxy configuration.

Examples dating back over six years github.com/jellyfin/jellyfin/i…

Collection of potential security issues in Jellyfin · Issue #5415 · jellyfin/jellyfin

Collection of potential security issues in Jellyfin This is a non exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla...
GermanCoding (GitHub)
Dieser Beitrag wurde bearbeitet. (1 Tag her)
Als Antwort auf CompactFlax

lemmy - Link zum Originalbeitrag

IratePirate

It's not this or that. Security comes in layers. So while I would assume that the Jellyfin developers do their best to secure their application, I acknowledge the fact that bugs do exist and that Jellyfin is developed in and for hobbyist contexts, and thus not scrutinised and pentested for vulnerabilities in the way software meant for professional environments would be. Therefore I'll add an extra layer of security by putting it behind a VPN that only whitelisted clients can access. If a vulnerability is detected, I can be sure it hasn't already been exploited to compromise my server because we're all "among friends" there.
Dieser Beitrag wurde bearbeitet. (1 Tag her)
Als Antwort auf sanzky

lemmy - Link zum Originalbeitrag

FauxLiving

You only have to give them access to a specific port on a specific machine, not your entire LAN.

My VPN has a 'media' usergroup who can only access the, read-only, NFS exports of my media library.

If you're just installing Wireguard and enabling IP forwarding, yeah it would not be secure. But using a mesh VPN, like Tailscale/Headscale, gives you A LOT more tools to control access.

Als Antwort auf FauxLiving

lemmy - Link zum Originalbeitrag

Hammersamatom

Agreed, was more so referring to others. I apologize if it seemed like I was referring to myself

I'm already well and truly deep into this, myself. Two Proxmox nodes running the *Arr stack and Jellyfin in LXC containers. Bare metal TrueNAS, with scheduled LTO backups every two weeks. A few other bits and bobs, like some game servers and home automation for family.

Will need to re-map everything eventually, it's kind of grown out of hand

Dieser Beitrag wurde bearbeitet. (19 Stunden her)
Als Antwort auf WhyJiffie

lemmy - Link zum Originalbeitrag

FauxLiving

I was not actually presenting a scenario where my grandmother would use a VPN.

I was pointing out that this community is full of people who are perfectly capable of learning to use a VPN. In response to this comment:

Unfortunately, not everyone is tech-literate enough nowadays to understand how a VPN works, nor do they want to


That's a true statement about 'everyone' i.e. the entire population of the planet... but true about everyone here in this community.

Als Antwort auf CompactFlax

lemmy - Link zum Originalbeitrag

teawrecks

If I say I custom rolled my own crypto and it's designed to be deployed to the open web, and you inspect it and don't see anything wrong, should you do it?

Jellyfin is young and still in heavy development. As time goes on, more eyes have seen it, and it's been battle hardened, the security naturally gets stronger and the risk lower. I don't agree that no one should ever host a public jellyfin server for all time, but for right now, it should be clear that you're assuming obvious risk.

Technically there's no real problem here. Just like with any vulnerability in any service that's exposed in some way, as long as you update right now you're (probably) fine. I just don't want staying on top of it to be a full time job, so I limit my attack surface by using a VPN.

Dieser Beitrag wurde bearbeitet. (16 Stunden her)
Als Antwort auf CompactFlax

lemmy - Link zum Originalbeitrag

mic_check_one_two

They’ve stated that they have no intention of ever fixing some of the biggest “anyone can access your media without a login” vulnerabilities, because it would require completely divesting from the Kodi branch that they initially used to start the entire project. And they never plan on rebuilding that from scratch, so those vulnerabilities will never be fixed.
Als Antwort auf Lemmchen

piefed - Link zum Originalbeitrag

esc

The problem here - it's not me who requires access to my library, if someone isn't willing or able to do it, I'm sorry but that's just how it is. People should stop infantilize non-technical people, absolute majority of them is capable of navigating our world without much problems and I'm willing to help them if help is asked.

If my 60 y.o. mother with close to zero technical skills can do it with limited help (due to distance and other constraints) I'm pretty sure that majority of people with sound mind can.

Dieser Beitrag wurde bearbeitet. (1 Tag her)
Als Antwort auf esc

lemmy - Link zum Originalbeitrag

Lemmchen

Or you can not be arrogant towards your friends and family who have probably helped you on lots of occasions and will probably keep being there for you in the future.
Idk man, unconditional sharing feels pretty good, tbh. Making them jump through hoops isn't really my jam. To me this kinda all plays into making a stronger bond with people that are close to me, so maybe we have different reasons for why we are sharing our stuff.

Inb4 "we are not the same" meme

Als Antwort auf ohshit604

lemmy - Link zum Originalbeitrag

AllHailTheSheep

you totally can use ldap or oidc it just requires more setup. you just ensure jellyfin and your source of truth talk on their own subnet, docker can manage it all for you. ldap can be setup to be ldaps with ssl and never even leave the docker subnet anyways.

and yes I suppose you could rely on whitelists, but you'd have to manually add to the whitelist for every user, and god forbid if someone is traveling.

Als Antwort auf GatekeeperOnTurdMountain

lemmy - Link zum Originalbeitrag

psycotica0

I know you're gatekeeping from Turd Mountain, but just for completeness, the reason I use Jellyfin besides the "pretty for my wife" reason is that it keeps track of her progress between clients. She sometimes watches things on her laptop, sometimes her phone, sometimes her tablet, and sometimes the TV, and no matter which one she uses it'll remember which episode of her show is the next episode. It also highlights when a new episode of something has been added and cues her to watch the new episode that just came out.

But yeah, if I was alone and only had a pile of anime I'd already seen before, which I only watched from my Linux devices, Samba and VLC would do me fine 😛

Als Antwort auf Mubelotix

lemmy - Link zum Originalbeitrag

Decronym

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer LettersMore Letters
HTTPHypertext Transfer Protocol, the Web
IPInternet Protocol
NFSNetwork File System, a Unix-based file-sharing protocol known for performance and efficiency
PlexBrand of media server package
RPiRaspberry Pi brand of SBC
SBCSingle-Board Computer
SMBServer Message Block protocol for file and printer sharing; Windows-native
SSLSecure Sockets Layer, for transparent encryption
TLSTransport Layer Security, supersedes SSL
VPNVirtual Private Network
nginxPopular HTTP server

[Thread #203 for this comm, first seen 1st Apr 2026, 09:50]
[FAQ] [Full list] [Contact] [Source code]

Decronym: A simple Reddit bot

Decronym: A simple Reddit bot. GitHub Gist: instantly share code, notes, and snippets.
Gist
Dieser Beitrag wurde bearbeitet. (15 Minuten her)
Als Antwort auf rose56

piefed - Link zum Originalbeitrag

gigachad

I depends a bit on your threat model. If you have Jellyfin exposed to the internet I would shut it down immediately. If you are running locally and rely on it, let it run maybe? If behind a tailnet or some other VPN, I would deactivate it as well. If it is an Axios like vulnerability it may be possible your secrets are in danger, dependent on how well they are secured. Not a security expert, but I would handle this a little more conservative...
Als Antwort auf ohulancutash

lemmy - Link zum Originalbeitrag

HereIAm

Yeah this is unfortunate news for me as well. I have a primary container I use for videos, and then a 10.10 server for music. 10.11 is borderline unusable for music for me, and I've tried everything for rescanning to completely redoing the server set up (rip accidentally deleting all my music playlists).

But i shall kill off the 10.10 container and hope a performance fix is in the works.

Als Antwort auf clif

lemmy - Link zum Originalbeitrag

mrbutterscotch

Hi!

So I installed jellyfin on Bazzite as per this video.

But he didn't explain how to update the server. Could you maybe tell me how you did it with your server? Maybe it could help me figure out how to update mine as well.

How to run Plex Media Server & Jellyfin Server on Bazzite using Quadlets

Auf YouTube findest du die angesagtesten Videos und Tracks. Außerdem kannst du eigene Inhalte hochladen und mit Freunden oder gleich der ganzen Welt teilen.
Mike's Tech Tips (YouTube)
Als Antwort auf Evotech

lemmy - Link zum Originalbeitrag

greyscale

Three. Three emojis, used in headings as a bullet point.

It is perfectly plausable for someone whos job is to write technical documentation and promotional material would punch it up with a couple 'mojis.

github.com/jellyfin/jellyfin/r…

Every single release uses the same format with the same 3 emojis. You'd know that if you'd clicked "releases" and had even a modicum of curiosity.

Releases · jellyfin/jellyfin

The Free Software Media System - Server Backend & API - jellyfin/jellyfin
GitHub
Als Antwort auf Mubelotix

lemmy - Link zum Originalbeitrag

FackCurs

Is it standard practice to release the security updates on GitHub?

I am a very amateur self hoster and wouldn't go on the github of projects on my own unless I wanted to read the "read me" for install instructions.
I am realizing that I got aware I needed to update my Jellyfin container ASAP only thanks to this post. I would have never checked the GitHub.

Dieser Beitrag wurde bearbeitet. (20 Stunden her)
Als Antwort auf quick_snail

lemmy - Link zum Originalbeitrag

mic_check_one_two

Implying you have access to some major Docker 0-day exploit, or just talking out of your ass? Because a container is no more or less secure than the machine it runs on. At least if a container gets compromised, it only has access to the volumes you have specifically given it access to. It can’t just run rampant on your entire system, because you haven’t (or at least shouldn’t have) given it access to your entire system.
Dieser Beitrag wurde bearbeitet. (7 Stunden her)
Als Antwort auf quick_snail

lemmy - Link zum Originalbeitrag

SayCyberOnceMore

It's difficult to do security-only updates when the fix is contained within a package update.

Even Microsoft's security updates are a mix with secuirity updates containing feature changes and vice versa.

I usually do an update on 1 random device / VM and if that was ok (inc. watching for any .pacnew files) and then kick Ansible into action for the rest.