this post was submitted on 01 Apr 2026

705 points (99.0% liked)

Selfhosted

59020 readers

309 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

ruud@lemmy.world

Loki@lemmy.world

CannaVet@lemmy.world

HybridSarcasm@lemmy.world

devve@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

705

Jellyfin critical security update - This is not a joke (github.com)

submitted 1 month ago by Mubelotix@jlai.lu to c/selfhosted@lemmy.world

260 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] Cyber@feddit.uk 5 points 1 month ago (2 children)

Not really.

Depending on how you install things, the package maintainers usually deal with this, so your next apt update / pacman -Syuv or ... whatever Fedora does... would capture it.

If you've installed this as a container... dunno.. whatever the container update process is (I don't use them)

[–] psoul@lemmy.world 4 points 1 month ago (3 children)

I indeed use a container. Wasn’t familiar with the update process for containers but now know how to do it.

[–] ButtDrugs@lemmy.zip 5 points 1 month ago (1 children)

There's a lot of good container management solutions out there that are worth investigating. They do things like monitor availability, resource management, as well as altering on versioning.

[–] hellequin67@piefed.social 1 points 1 month ago

Can highly recommend dockhand happily runs my full docker stack with updates and great overviews of what's happening under the hood.

[–] communism@lemmy.ml 2 points 1 month ago (1 children)

If you haven't already, I recommend Watchtower (nickfedor fork—the original is unmaintained) which automatically pulls updates to Docker containers and restarts them. Make sure to track latest, although for security updates, these should be backported to any supported versions so it's fine to track an older supported version too.

[–] psoul@lemmy.world 1 points 1 month ago

Thank you. Will look into it.

[+] quick_snail@feddit.nl -7 points 1 month ago (2 children)

Lol it's already insecure then. Don't bother.

[–] mic_check_one_two@lemmy.dbzer0.com 4 points 1 month ago* (last edited 1 month ago) (1 children)

Implying you have access to some major Docker 0-day exploit, or just talking out of your ass? Because a container is no more or less secure than the machine it runs on. At least if a container gets compromised, it only has access to the volumes you have specifically given it access to. It can’t just run rampant on your entire system, because you haven’t (or at least shouldn’t have) given it access to your entire system.

[–] quick_snail@feddit.nl -1 points 1 month ago (2 children)

Docker is known insecure. It doesn't verify any layers it pulls cryptography. The devs are aware. The tickets remain open.

[–] def@aussie.zone 1 points 1 month ago (1 children)

If that is indeed true it would only mean that the docker container is vulnerable to a supply chain attack. You are not any more vulnerable to a vulnerability in the codebase.

If you’re using the ghcr image, to post malicious code there, the attack would have already had to compromise their github infra … which would likely result in the attacker being able to push malicious code to git or publish malicious releases. Their linux distro packages are self published via a ppa/install script, which I would assume just pull from their github releases, so a bad github release would immediately be pulled as an update by users just as fast as a container.

[–] quick_snail@feddit.nl 1 points 1 month ago

No, it's also vulnerable to a targeted mitm attack. Github can be unaffected and you can get a malicious version on your server.

[–] psoul@lemmy.world 1 points 1 month ago (1 children)

I don't know if I remember correctly but I could not install Jellyfin on the latest Ubuntu server version. I had to use docker to get Jellyfin running.

[–] quick_snail@feddit.nl 1 points 1 month ago

Jellyfin has a Debian repo. Worked fine on Debian 12 and 13.

[–] mpramann@discuss.tchncs.de 3 points 1 month ago

Insane way of thinking.

[–] quick_snail@feddit.nl 3 points 1 month ago (1 children)

Unattended upgrades set to security only and never worry

[–] Cyber@feddit.uk 6 points 1 month ago (1 children)

It's difficult to do security-only updates when the fix is contained within a package update.

Even Microsoft's security updates are a mix with secuirity updates containing feature changes and vice versa.

I usually do an update on 1 random device / VM and if that was ok (inc. watching for any .pacnew files) and then kick Ansible into action for the rest.

[–] quick_snail@feddit.nl 1 points 1 month ago (1 children)

Why does unattended upgrades with security only setting not fix this?

This is literally why Debian has distinct repos for security updates.

[–] Cyber@feddit.uk 1 points 1 month ago (1 children)

Let me know which repo this update appears in.

[–] quick_snail@feddit.nl 1 points 1 month ago

The jellyfin repo