this post was submitted on 26 Jun 2025
483 points (97.8% liked)

Selfhosted

60210 readers
1288 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
483
Jellyfin over the internet (startrek.website)
submitted 1 year ago by TribblesBestFriend@startrek.website to c/selfhosted@lemmy.world
286 comments fedilink hide all child comments
 

What’s your go too (secure) method for casting over the internet with a Jellyfin server.

I’m wondering what to use and I’m pretty beginner at this

you are viewing a single comment's thread
view the rest of the comments
[–] lostbit@feddit.nl 5 points 1 year ago (1 children)

show me those “holes” this is just fear mongering

[–] Vanilla_PuddinFudge@infosec.pub -4 points 1 year ago* (last edited 1 year ago) (1 children)

Here, since you can't use a search engine: https://www.cvedetails.com/vulnerability-list/vendor_id-22884/product_id-81332/Jellyfin-Jellyfin.html

More, because I've been around this lap before, you'll ask for more and not believe that one, here's another: https://www.cvedetails.com/vulnerability-list/vendor_id-22884/product_id-81332/Jellyfin-Jellyfin.html

Do what you want. Idgaf about your install, just mine.

[–] offspec@lemmy.world 9 points 1 year ago (2 children)

I don't want to be an asshole but after checking a couple of those out they all appear to be post-authorization vulnerabilities? Like sure if you're just passing out credentials to your jellyfin instance someone could use the device log upload to wreck your container, but shouldn't most people be more worried about vulnerabilities that have surface for unauthorized attackers?

[–] ryan_harg@discuss.tchncs.de 3 points 1 year ago

plus, most of the mentioned cve's state "versions before ...". Exposing a service to the internet always has a risk to it, keeping your service up-to-date is mandatory. Running behind a vpn can protect you, sure. But it also has to be practical. I don't get why Jellyfin especially gets this kind of slaming. You'll find similar records for any other software.

[–] Vanilla_PuddinFudge@infosec.pub 1 points 1 year ago

A while back there was a situation where outsiders could get the name of the contents of your Jellyfin server, which would incriminate anyone. I believe it's patched now, but I don't think Jellyfin is winning any security awards. It's a selfhosted media server. I have no frame of reference for knowing whether or not any of my information was overkill and I'm sure there are even some out there that would say I didn't go far enough, even.