this post was submitted on 01 Apr 2026

709 points (99.0% liked)

Selfhosted

59999 readers

802 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam.
Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.
Don't duplicate the full text of your blog or git here. Just post the link for folks to click.
Submission headline should match the article title.
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago

MODERATORS

curbstickle@anarchist.nexus

curbstickle_lw@lemmy.world

709

Jellyfin critical security update - This is not a joke (github.com)

submitted 2 months ago by Mubelotix@jlai.lu to c/selfhosted@lemmy.world

260 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] Cyber@feddit.uk 5 points 2 months ago (2 children)

Not really.

Depending on how you install things, the package maintainers usually deal with this, so your next apt update / pacman -Syuv or ... whatever Fedora does... would capture it.

If you've installed this as a container... dunno.. whatever the container update process is (I don't use them)

[–] psoul@lemmy.world 4 points 2 months ago (3 children)

I indeed use a container. Wasn’t familiar with the update process for containers but now know how to do it.

[–] ButtDrugs@lemmy.zip 5 points 2 months ago (1 children)

There's a lot of good container management solutions out there that are worth investigating. They do things like monitor availability, resource management, as well as altering on versioning.

[–] hellequin67@piefed.social 1 points 2 months ago

Can highly recommend dockhand happily runs my full docker stack with updates and great overviews of what's happening under the hood.

[–] communism@lemmy.ml 2 points 2 months ago (1 children)

If you haven't already, I recommend Watchtower (nickfedor fork—the original is unmaintained) which automatically pulls updates to Docker containers and restarts them. Make sure to track latest, although for security updates, these should be backported to any supported versions so it's fine to track an older supported version too.

[–] psoul@lemmy.world 1 points 2 months ago

Thank you. Will look into it.

[+] quick_snail@feddit.nl -7 points 2 months ago (2 children)

Lol it's already insecure then. Don't bother.

[–] mic_check_one_two@lemmy.dbzer0.com 4 points 2 months ago* (last edited 2 months ago) (1 children)

Implying you have access to some major Docker 0-day exploit, or just talking out of your ass? Because a container is no more or less secure than the machine it runs on. At least if a container gets compromised, it only has access to the volumes you have specifically given it access to. It can’t just run rampant on your entire system, because you haven’t (or at least shouldn’t have) given it access to your entire system.

[–] quick_snail@feddit.nl -1 points 2 months ago (2 children)

Docker is known insecure. It doesn't verify any layers it pulls cryptography. The devs are aware. The tickets remain open.

[–] psoul@lemmy.world 1 points 2 months ago (1 children)

I don't know if I remember correctly but I could not install Jellyfin on the latest Ubuntu server version. I had to use docker to get Jellyfin running.

[–] quick_snail@feddit.nl 1 points 2 months ago

Jellyfin has a Debian repo. Worked fine on Debian 12 and 13.

[–] def@aussie.zone 1 points 2 months ago (1 children)

If that is indeed true it would only mean that the docker container is vulnerable to a supply chain attack. You are not any more vulnerable to a vulnerability in the codebase.

If you’re using the ghcr image, to post malicious code there, the attack would have already had to compromise their github infra … which would likely result in the attacker being able to push malicious code to git or publish malicious releases. Their linux distro packages are self published via a ppa/install script, which I would assume just pull from their github releases, so a bad github release would immediately be pulled as an update by users just as fast as a container.

[–] quick_snail@feddit.nl 1 points 2 months ago

No, it's also vulnerable to a targeted mitm attack. Github can be unaffected and you can get a malicious version on your server.

[–] mpramann@discuss.tchncs.de 3 points 2 months ago

Insane way of thinking.

[–] quick_snail@feddit.nl 3 points 2 months ago (1 children)

Unattended upgrades set to security only and never worry

[–] Cyber@feddit.uk 6 points 2 months ago (1 children)

It's difficult to do security-only updates when the fix is contained within a package update.

Even Microsoft's security updates are a mix with secuirity updates containing feature changes and vice versa.

I usually do an update on 1 random device / VM and if that was ok (inc. watching for any .pacnew files) and then kick Ansible into action for the rest.

[–] quick_snail@feddit.nl 1 points 2 months ago (1 children)

Why does unattended upgrades with security only setting not fix this?

This is literally why Debian has distinct repos for security updates.

[–] Cyber@feddit.uk 1 points 2 months ago (1 children)

Let me know which repo this update appears in.

[–] quick_snail@feddit.nl 1 points 2 months ago

The jellyfin repo