this post was submitted on 15 Aug 2025
72 points (92.9% liked)

Selfhosted


Plex has notified some of its users on Thursday to urgently update their media servers due to a recently patched security vulnerability.

The company has yet to assign a CVE-ID to track the flaw and didn't provide additional details regarding the patch, only saying that it impacts Plex Media Server versions 1.41.7.x to 1.42.0.x.

[–] fmstrat@lemmy.nowsci.com 11 points 10 months ago* (last edited 10 months ago) (1 children)

I posted a while back, tested the biggest open endpoints and they were properly secured, the issues just weren't updated.

Note: Plex didn't have SSL, and refused to implement it, until ~6 weeks after I created a POC token exploit. Here's the GitHub repo I posted as a patch before they got their system in order: https://github.com/Fmstrat/plex-ssl. In other words, don't give them too much credit.

[–] rumba@lemmy.zip 1 points 10 months ago (1 children)

I'll go look at it again as well, their (jf) source control still had a lot of ancient open tickets last time I looked at it.

TLS for Plex was a really nice gesture. Company handling the issuing of the cert was pretty nice.

Realistically, I don't mind running a proxy for SSL unwrapping; there are enough projects out there that handle the unwrapping and renew their own keys from Let's Encrypt.

I just want to self-host this thing, maybe run it through a single proxy product, send the URL out to my extended family and forget about it. I wanted to be as secure as reasonably possible, enough that I feel comfortable surfacing it.

Right now I surface Plex for the distant relations and Tailscale Jellyfin for my own, but it kills me; I want Plex gone. But there are random TVs and kids on tablets, and honestly I don't want to be everyone's VPN endpoint or worry about onboarding everyone's new device.

[–] fmstrat@lemmy.nowsci.com 2 points 10 months ago (1 children)

Yea, the catch was we were asking for TLS for a long time, and this was pre-Let's Encrypt, so those patching on their own didn't have a free (minus work) way to handle it. It took a releasable POC to get action.

All our devices just have a permanent WireGuard client since it uses basically no battery, and then allow rules for households. If you don't want to run the client, and don't want to take the time to learn, you don't get access. But I totally get how that's not for everyone.

[–] rumba@lemmy.zip 1 points 10 months ago (1 children)

Yeah, my problem is televisions.

If it was just tablets, phones and desktops I could do SSL client certificates.

For my personal use I'm using Tailscale and it's wonderful.

[–] fmstrat@lemmy.nowsci.com 2 points 10 months ago

Ahhh. I put the WireGuard client on the router, so it's more of a site-to-site setup for TVs.