this post was submitted on 01 Apr 2026
709 points (99.0% liked)

Selfhosted

60024 readers
808 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
709
Jellyfin critical security update - This is not a joke (github.com)
submitted 2 months ago by Mubelotix@jlai.lu to c/selfhosted@lemmy.world
260 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] quick_snail@feddit.nl -1 points 2 months ago (2 children)

Docker is known insecure. It doesn't verify any layers it pulls cryptography. The devs are aware. The tickets remain open.

[–] def@aussie.zone 1 points 2 months ago (1 children)

If that is indeed true it would only mean that the docker container is vulnerable to a supply chain attack. You are not any more vulnerable to a vulnerability in the codebase.

If you’re using the ghcr image, to post malicious code there, the attack would have already had to compromise their github infra … which would likely result in the attacker being able to push malicious code to git or publish malicious releases. Their linux distro packages are self published via a ppa/install script, which I would assume just pull from their github releases, so a bad github release would immediately be pulled as an update by users just as fast as a container.

[–] quick_snail@feddit.nl 1 points 2 months ago

No, it's also vulnerable to a targeted mitm attack. Github can be unaffected and you can get a malicious version on your server.

[–] psoul@lemmy.world 1 points 2 months ago (1 children)

I don't know if I remember correctly but I could not install Jellyfin on the latest Ubuntu server version. I had to use docker to get Jellyfin running.

[–] quick_snail@feddit.nl 1 points 2 months ago

Jellyfin has a Debian repo. Worked fine on Debian 12 and 13.