From a cursory look at just the security commits. Looks like the following:
GHSA-j2hf-x4q5-47j3: Checks if a media shortcut is empty, and checks if it is remote and stores the remote protocol if so. Also prevent strm files (these are meant to contain links to a stream) from referencing local files. Indeed this might have been used to reference files jellyfin couldn't usually see?
GHSA-8fw7-f233-ffr8: Seems to be similar, except for M3U file link validation and limiting allowed protocols. It also changes the default permissions for live TV management to false.
GHSA-v2jv-54xj-h76w: When creating a structure there should be a limit of 200 characters for a string which was not enforced.
GHSA-jh22-fw8w-2v9x: Not really completely sure here. They change regex to regexstr in a lot of places and it looks like some extra validation around choosing transcoding settings.
I'm not really sure how serious any of these are, or how they could be exploited however. Well aside from the local file in stream files one.
sudoMakeUser@sh.itjust.works
on 01 Apr 12:20
collapse
Also interested how this works for mobile apps. I self host a number of services through caddy as my reverse proxy but each application is just dependent on it’s own authentication. If I exposed all my services to the internet, that’s a huge attack vector. If anyone else has some ideas I’d be happy to listen.
daniskarma@lemmy.dbzer0.com
on 01 Apr 17:33
collapse
If you are the only user and don’t need to use those apps in devices you don’t own a vpn is the way to go.
If not. Depending the number of users you could do some heavy ip geoblocking to at least reduce the exposed surface.
There are a few services I have just like 3 IPs allowed to get a response from caddy, any other ip gets 403 error.
Reverse proxy will let anyone connect to it. VPN, you can create keys/logins for your intended users only. Having said that, from what I could see, nothing in the security fixes were to do with authentication. I think (just from a cursory look), they could only be exploited, if at all from an authenticated user session.
But personally, something like jellyfin where the number of people I want to be able to access it is very limited, stays behind a VPN. Better to limit your potential attack surface as much as you can.
ohshit604@sh.itjust.works
on 01 Apr 12:48
collapse
Pangolin is based off of Traefik if I’m not mistaken, should be able to use Traefiks IPAllowlist middleware to blacklist all IP addresses and only whitelisting the known few, that way you can expose your application to the internet knowing you have that restriction in place for those who connect to your service.
VeganCheesecake@lemmy.blahaj.zone
on 01 Apr 16:41
collapse
If the people you want to have access have static, exclusive ip addresses. Which is pretty unusual, these days.
ohshit604@sh.itjust.works
on 01 Apr 17:31
collapse
Oh yeah I’m aware, if people don’t want to use a VPN then I suggest this but give them the advisory warning.
That’s why you do it at your router or gateway and then set a route for the Jellyfin server through the VPN adapter. That way any device on your network will flow through the tunnel to the Jellyfin server including TVs
faercol@lemmy.blahaj.zone
on 01 Apr 13:31
collapse
Which again implies that you have a router that allows you to do so. It’s not always the case. For tech enthusiast people that’s the case. But not for everyone.
I tried to do the same thing at first, but it was a pain, there were tons of issues.
I believe your situation, that said I set up wireguard on my SO’s mac and all that is needed is to flip a switch in an app to connect. For my aunt, I’d likely set that up permanently since it only affects traffic when accessing the lan.
kbobabob@lemmy.dbzer0.com
on 01 Apr 10:43
nextcollapse
The solution is mentioned already - use vpn, it will solve 90% of the problems that you can encounter. Also you can serve multiple other services this way without exposing them.
Tailscale is a super easy vpn that gives you access to your home network from anywhere. And it’s free.
CompactFlax@discuss.tchncs.de
on 01 Apr 11:44
nextcollapse
That’s never made sense to me; why build an authn frontend instead of just clicking your user if the security is just an illusion anyways. “Use a VPN” is fine for a mainframe, but an active project in 2026 should aspire to be better.
Edit: or make note of that on their several pages with reverse proxy configuration.
AHemlocksLie@lemmy.zip
on 01 Apr 13:17
nextcollapse
I mean I’m sure they’d like to just ship safe code in the first place. But if that’s not their expertise and they demonstrate that repeatedly, we gotta take steps ourselves. Secure is obviously best, but I’d rather have insecure Jellyfin behind a VPN than no Jellyfin at all.
IratePirate@feddit.org
on 01 Apr 13:19
nextcollapse
It’s not this or that. Security comes in layers. So while I would assume that the Jellyfin developers do their best to secure their application, I acknowledge the fact that bugs do exist and that Jellyfin is developed in and for hobbyist contexts, and thus not scrutinised and pentested for vulnerabilities in the way software meant for professional environments would be. Therefore I’ll add an extra layer of security by putting it behind a VPN that only whitelisted clients can access. If a vulnerability is detected, I can be sure it hasn’t already been exploited to compromise my server because we’re all “among friends” there.
Hammersamatom@lemmy.dbzer0.com
on 01 Apr 17:18
collapse
Unfortunately, not everyone is tech-literate enough nowadays to understand how a VPN works, nor do they want to
Infernal_pizza@lemmy.dbzer0.com
on 01 Apr 17:21
nextcollapse
Isn’t it easier to set up a VPN than expose it to the internet?
Hammersamatom@lemmy.dbzer0.com
on 01 Apr 17:24
nextcollapse
Oh absolutely, difference being that you only need to expose the service once, versus helping however many people set up VPNs to access the service on your LAN
I know way too many people who won’t remember to toggle it on, or just won’t deal with it
You only have to give them access to a specific port on a specific machine, not your entire LAN.
My VPN has a ‘media’ usergroup who can only access the, read-only, NFS exports of my media library.
If you’re just installing Wireguard and enabling IP forwarding, yeah it would not be secure. But using a mesh VPN, like Tailscale/Headscale, gives you A LOT more tools to control access.
Yes, not everyone. My grandmother would struggle setting up a VPN, for example.
However, a community member of the selfhosted community is perfectly capable of reading a manual and learning the software.
That’s how you become tech literate in the first place, and you’re already on that path if you’re commenting/reading here.
Hammersamatom@lemmy.dbzer0.com
on 01 Apr 18:59
collapse
Agreed, was more so referring to others. I apologize if it seemed like I was referring to myself
I’m already well and truly deep into this, myself. Two Proxmox nodes running the *Arr stack and Jellyfin in LXC containers. Bare metal TrueNAS, with scheduled LTO backups every two weeks. A few other bits and bobs, like some game servers and home automation for family.
Will need to re-map everything eventually, it’s kind of grown out of hand
The thing is, if you have non-technical users, you have to set up the VPN connection on the client site yourself, maybe on multiple machines and more than once, if they decide to upgrade or even just reset their devices.
The problem here - it’s not me who requires access to my library, if someone isn’t willing or able to do it, I’m sorry but that’s just how it is. People should stop infantilize non-technical people, absolute majority of them is capable of navigating our world without much problems and I’m willing to help them if help is asked.
If my 60 y.o. mother with close to zero technical skills can do it with limited help (due to distance and other constraints) I’m pretty sure that majority of people with sound mind can.
IratePirate@feddit.org
on 01 Apr 12:54
nextcollapse
This. And for everyone you just can’t figure it out on their own, there’s RustDesk for remote assistance. It, too, can be self-hosted.
Or you can not be arrogant towards your friends and family who have probably helped you on lots of occasions and will probably keep being there for you in the future.
Idk man, unconditional sharing feels pretty good, tbh. Making them jump through hoops isn’t really my jam. To me this kinda all plays into making a stronger bond with people that are close to me, so maybe we have different reasons for why we are sharing our stuff.
I’m not arrogant, just don’t assume that people are dumb and inept. If they can’t or don’t want to give a bit of time to setup it, well how can someone be forced to use free service that causes momentarily inconvenience once to use. 😔
Pass. Users cause complexities. Complexities cause issues.
DreamlandLividity@lemmy.world
on 01 Apr 12:54
collapse
So use a reverse proxy with authentiacation before access to Jellyfin is allowed. I use Caddy forward_auth with Authelia for this. Unless you also want to use the apps without VPN, this works great.
inclementimmigrant@lemmy.world
on 01 Apr 14:20
nextcollapse
Got instructions or a site to point to on setting something like that up?
DreamlandLividity@lemmy.world
on 01 Apr 14:23
collapse
Honestly, I may have to write one at some point. I just used the documentation of those two tools to set it up.
Does that work for the Android and Android TV apps?
DreamlandLividity@lemmy.world
on 01 Apr 15:43
collapse
No. As I said, apps don’t work. I cobbled together an API key service that let’s you have an API key (password) in the server URL in Rust for myself. This works with Apps, but it is a bit too messy and single purpose for me to open source it right now. Maybe one day.
atzanteol@sh.itjust.works
on 01 Apr 12:28
nextcollapse
Y’all are assuming the security issue is something exploitable without authentication or has something to do with auth.
But it it could be a supply chain issue which a VPN won’t protect you from.
maplesaga@lemmy.world
on 01 Apr 14:19
nextcollapse
AllHailTheSheep@sh.itjust.works
on 01 Apr 18:01
collapse
ldap auth will work on tvs
AllHailTheSheep@sh.itjust.works
on 01 Apr 18:00
collapse
or use the ldap auth plugin with your source of truth, put it behind a reverse proxy, protect it with fail2ban and anubis. there are ways of exposing it safely.
ohshit604@sh.itjust.works
on 01 Apr 18:35
collapse
Do not rely on an OIDC/LDAP provider with Jellyfin, you cannot run these in front of your proxy otherwise Jellyfin applications will not be able to communicate with the server.
Blacklist all IP address and whitelist the known few, no need for Fail2Ban or a WAF.
AllHailTheSheep@sh.itjust.works
on 01 Apr 18:54
collapse
you totally can use ldap or oidc it just requires more setup. you just ensure jellyfin and your source of truth talk on their own subnet, docker can manage it all for you. ldap can be setup to be ldaps with ssl and never even leave the docker subnet anyways.
and yes I suppose you could rely on whitelists, but you’d have to manually add to the whitelist for every user, and god forbid if someone is traveling.
GatekeeperOnTurdMountain@programming.dev
on 01 Apr 09:48
nextcollapse
I know you’re gatekeeping from Turd Mountain, but just for completeness, the reason I use Jellyfin besides the “pretty for my wife” reason is that it keeps track of her progress between clients. She sometimes watches things on her laptop, sometimes her phone, sometimes her tablet, and sometimes the TV, and no matter which one she uses it’ll remember which episode of her show is the next episode. It also highlights when a new episode of something has been added and cues her to watch the new episode that just came out.
But yeah, if I was alone and only had a pile of anime I’d already seen before, which I only watched from my Linux devices, Samba and VLC would do me fine 😛
But yeah, if I was alone and only had a pile of anime I’d already seen before, which I only watched from my Linux devices, Samba and VLC would do me fine 😛
Use NFS for your sanity. Linux samba/CIFS is annoying to deal with.
Also, mpv
Decronym@lemmy.decronym.xyz
on 01 Apr 09:50
nextcollapse
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters
More Letters
HTTP
Hypertext Transfer Protocol, the Web
IP
Internet Protocol
NFS
Network File System, a Unix-based file-sharing protocol known for performance and efficiency
Plex
Brand of media server package
VPN
Virtual Private Network
nginx
Popular HTTP server
5 acronyms in this thread; the most compressed thread commented on today has 12 acronyms.
I depends a bit on your threat model. If you have Jellyfin exposed to the internet I would shut it down immediately. If you are running locally and rely on it, let it run maybe? If behind a tailnet or some other VPN, I would deactivate it as well. If it is an Axios like vulnerability it may be possible your secrets are in danger, dependent on how well they are secured. Not a security expert, but I would handle this a little more conservative…
somehacker@lemmy.world
on 01 Apr 11:22
nextcollapse
No need to shut it down if it’s not exposed to the internet. Tailnet/VPN is fine.
If it’s a supply chain compromise shutting it down wouldn’t matter. The damage is already done.
There was a regression that caused Jellyfin to be a LOT more restrictive regarding the structured filesystem format. But this could be something else
Edit: Maintainers told me they were gonna fix it
entropicdrift@lemmy.sdf.org
on 01 Apr 16:27
collapse
It’s probably database performance related. There’s a massive PR undergoing round after round of reviews that, when merged, will be a change to 10.12 and will resolve all of the new database performance issues experienced in certain edge cases (book libraries, large music libraries, large collections, etc)
Yeah this is unfortunate news for me as well. I have a primary container I use for videos, and then a 10.10 server for music. 10.11 is borderline unusable for music for me, and I’ve tried everything for rescanning to completely redoing the server set up (rip accidentally deleting all my music playlists).
But i shall kill off the 10.10 container and hope a performance fix is in the works.
The update rolled out perfectly for my Kubernetes setup (using the Docker image). 👍
catlover@sh.itjust.works
on 01 Apr 14:21
nextcollapse
I forgot that it’s April first, and was wondering what catasthropic event had happend in order that it had to be stated in the title that its not a joke
Thank you for posting this. I tend to get a lot of my opensource project info from Lemmy so people who take the time to post it are awesome.
Just updated my home instance. Can confirm that 10.11.7 is available in the Debian repos and the update went perfect. I got a new kernel in the same update : D
Is it standard practice to release the security updates on GitHub?
I am a very amateur self hoster and wouldn’t go on the github of projects on my own unless I wanted to read the “read me” for install instructions.
I am realizing that I got aware I needed to update my Jellyfin container ASAP only thanks to this post. I would have never checked the GitHub.
Depending on how you install things, the package maintainers usually deal with this, so your next apt update / pacman -Syuv or … whatever Fedora does…
would capture it.
If you’ve installed this as a container… dunno… whatever the container update process is (I don’t use them)
I don’t run the arr stack, but this is key. You really should do your due diligence before you update anything. Personally, I wait unless it’s a security issue, and use all the early adopters as beta testers.
threaded - newest
Wonder if it’s the Axios one. Sounds like it isn’t from their description though hmm
I don’t think so, the previous release 10.11.6 is a few months old and the axios supply chain attack happened yesterday.
So lets hope this 10.11.7 is not subject to the axios one. :)
Diff agrees, not likely. Might be permisson related, elevation of privileges.
From a cursory look at just the security commits. Looks like the following:
I'm not really sure how serious any of these are, or how they could be exploited however. Well aside from the local file in stream files one.
.
Axios is a Javascript library and Jellyfin is written in C#.
True, but there is a web frontend. Possible it could be using npm and axios.
I still doubt it. But it could happen.
The web server is in C#. It’s open source lol, I’m looking at the code and there’s no JavaScript.
.
Look better github.com/jellyfin/jellyfin-web
That’s awkward. I didn’t know that was in a separate repo.
In the raspian repos, just updated, thanks.
also in the docker repository.
There is a good reason I only have Jellyfin and other services accessible via valid Client Certificate.
Does it work with android and TV apps?
I tried long ago and failed.
No, we only use Jellyfin via browser. Unfortunately even with imported Client Cert, Android apps won’t work.
Edit: Client Certs need to be implemented per App. There is a feature request from 2022 …jellyfin.org/…/capability-to-specify-client-cert…
> No, we only use Jellyfin via browser.
Also interested how this works for mobile apps. I self host a number of services through caddy as my reverse proxy but each application is just dependent on it’s own authentication. If I exposed all my services to the internet, that’s a huge attack vector. If anyone else has some ideas I’d be happy to listen.
If you are the only user and don’t need to use those apps in devices you don’t own a vpn is the way to go.
If not. Depending the number of users you could do some heavy ip geoblocking to at least reduce the exposed surface.
There are a few services I have just like 3 IPs allowed to get a response from caddy, any other ip gets 403 error.
Don’t expose jellyfin to the internet is a golden rule.
Yeah, i have my 30 docker containers behind Headscale (Tailscale).
NetBird is coming for you
I have been planning to check out Netbird for couple of days. Is it a good alternative for headscale and pangolin?
Kinda defeats the purpose of a media server built to be used by multiple people
Use a VPN, it’s not ideal but it’s secure.
Don’t reverse proxies like pangolin just do the job? Does it have to be VPN in this particular concept? VPN isn’t like immune to vulnerabilities.
Reverse proxy doesn’t really get you much security. If there is an application level issue a reverse proxy will not help
I see thanks. I’ll think about it more.
Hmmm, I’m a bit rusty on this but can’t one put an auth gate in front of the application, handled by the reverse proxy?
You can, that would actually give you security. Not sure how many people do that. I assumed a straight reverse proxy without any auth
Reverse proxy will let anyone connect to it. VPN, you can create keys/logins for your intended users only. Having said that, from what I could see, nothing in the security fixes were to do with authentication. I think (just from a cursory look), they could only be exploited, if at all from an authenticated user session.
But personally, something like jellyfin where the number of people I want to be able to access it is very limited, stays behind a VPN. Better to limit your potential attack surface as much as you can.
Pangolin is based off of Traefik if I’m not mistaken, should be able to use Traefiks IPAllowlist middleware to blacklist all IP addresses and only whitelisting the known few, that way you can expose your application to the internet knowing you have that restriction in place for those who connect to your service.
If the people you want to have access have static, exclusive ip addresses. Which is pretty unusual, these days.
Oh yeah I’m aware, if people don’t want to use a VPN then I suggest this but give them the advisory warning.
Actually, recently I’ve been using a fork of IPAllowList which accepts DDNS addresses, but that usually is for more technical folk who would probably rather use a VPN then purchase a domain and associate it with their network.
Yahnlets see a roku use a VPN.
Somehow difficult to install on a TV though.
That’s why you do it at your router or gateway and then set a route for the Jellyfin server through the VPN adapter. That way any device on your network will flow through the tunnel to the Jellyfin server including TVs
Which again implies that you have a router that allows you to do so. It’s not always the case. For tech enthusiast people that’s the case. But not for everyone.
I tried to do the same thing at first, but it was a pain, there were tons of issues.
No need to expose jellyfin to the internet if you selectively allow peers on your lan via wireguard.
I’d rather just not use it at that point
Fair, you do you, I get a lot of value out of it instead.
The difference is that my friends get a lot of value out of my server, as they don’t need to use any technology they’re unfamiliar with.
This attitude is why Plex remains popular.
Easy for me but not my aunts, cousins or father in law to setup and use.
I believe your situation, that said I set up wireguard on my SO’s mac and all that is needed is to flip a switch in an app to connect. For my aunt, I’d likely set that up permanently since it only affects traffic when accessing the lan.
So don’t use it outside your house? Pass
Nothing stops you from using it outside of your house.
It kind of does. Whatever and yes I’m aware of the list people keep posting and I’ve looked at it.
I just love it when people post one sentence rebuttals without actually including any usable information what they are talking about.
The solution is mentioned already - use vpn, it will solve 90% of the problems that you can encounter. Also you can serve multiple other services this way without exposing them.
Tailscale is a super easy vpn that gives you access to your home network from anywhere. And it’s free.
That’s never made sense to me; why build an authn frontend instead of just clicking your user if the security is just an illusion anyways. “Use a VPN” is fine for a mainframe, but an active project in 2026 should aspire to be better.
Edit: or make note of that on their several pages with reverse proxy configuration.
Examples dating back over six years github.com/jellyfin/jellyfin/issues/5415
I mean I’m sure they’d like to just ship safe code in the first place. But if that’s not their expertise and they demonstrate that repeatedly, we gotta take steps ourselves. Secure is obviously best, but I’d rather have insecure Jellyfin behind a VPN than no Jellyfin at all.
It’s not this or that. Security comes in layers. So while I would assume that the Jellyfin developers do their best to secure their application, I acknowledge the fact that bugs do exist and that Jellyfin is developed in and for hobbyist contexts, and thus not scrutinised and pentested for vulnerabilities in the way software meant for professional environments would be. Therefore I’ll add an extra layer of security by putting it behind a VPN that only whitelisted clients can access. If a vulnerability is detected, I can be sure it hasn’t already been exploited to compromise my server because we’re all “among friends” there.
Unfortunately, not everyone is tech-literate enough nowadays to understand how a VPN works, nor do they want to
Isn’t it easier to set up a VPN than expose it to the internet?
Oh absolutely, difference being that you only need to expose the service once, versus helping however many people set up VPNs to access the service on your LAN
I know way too many people who won’t remember to toggle it on, or just won’t deal with it
It’s just not convenient enough
and then you are giving access to your lan to people whose computer you don’t control and might be full of malware.
Tbh I forgot about giving access to others, my homelab is for me only lol
You only have to give them access to a specific port on a specific machine, not your entire LAN.
My VPN has a ‘media’ usergroup who can only access the, read-only, NFS exports of my media library.
If you’re just installing Wireguard and enabling IP forwarding, yeah it would not be secure. But using a mesh VPN, like Tailscale/Headscale, gives you A LOT more tools to control access.
Yes, not everyone. My grandmother would struggle setting up a VPN, for example.
However, a community member of the selfhosted community is perfectly capable of reading a manual and learning the software.
That’s how you become tech literate in the first place, and you’re already on that path if you’re commenting/reading here.
Agreed, was more so referring to others. I apologize if it seemed like I was referring to myself
I’m already well and truly deep into this, myself. Two Proxmox nodes running the *Arr stack and Jellyfin in LXC containers. Bare metal TrueNAS, with scheduled LTO backups every two weeks. A few other bits and bobs, like some game servers and home automation for family.
Will need to re-map everything eventually, it’s kind of grown out of hand
Look at Tailscale (or self-host headscale)
It’s a bit of learning (like all of these other things) but it’s a very powerful tool.
I do agree with the general point that Jellyfin shouldn’t require a VPN.
The thing is, if you have non-technical users, you have to set up the VPN connection on the client site yourself, maybe on multiple machines and more than once, if they decide to upgrade or even just reset their devices.
The problem here - it’s not me who requires access to my library, if someone isn’t willing or able to do it, I’m sorry but that’s just how it is. People should stop infantilize non-technical people, absolute majority of them is capable of navigating our world without much problems and I’m willing to help them if help is asked.
If my 60 y.o. mother with close to zero technical skills can do it with limited help (due to distance and other constraints) I’m pretty sure that majority of people with sound mind can.
This. And for everyone you just can’t figure it out on their own, there’s RustDesk for remote assistance. It, too, can be self-hosted.
Or you can not be arrogant towards your friends and family who have probably helped you on lots of occasions and will probably keep being there for you in the future.
Idk man, unconditional sharing feels pretty good, tbh. Making them jump through hoops isn’t really my jam. To me this kinda all plays into making a stronger bond with people that are close to me, so maybe we have different reasons for why we are sharing our stuff.
Inb4 “we are not the same” meme
I’m not arrogant, just don’t assume that people are dumb and inept. If they can’t or don’t want to give a bit of time to setup it, well how can someone be forced to use free service that causes momentarily inconvenience once to use. 😔
Pass. Users cause complexities. Complexities cause issues.
So use a reverse proxy with authentiacation before access to Jellyfin is allowed. I use Caddy forward_auth with Authelia for this. Unless you also want to use the apps without VPN, this works great.
Got instructions or a site to point to on setting something like that up?
Honestly, I may have to write one at some point. I just used the documentation of those two tools to set it up.
Does that work for the Android and Android TV apps?
No. As I said, apps don’t work. I cobbled together an API key service that let’s you have an API key (password) in the server URL in Rust for myself. This works with Apps, but it is a bit too messy and single purpose for me to open source it right now. Maybe one day.
Y’all are assuming the security issue is something exploitable without authentication or has something to do with auth.
But it it could be a supply chain issue which a VPN won’t protect you from.
Utilize authelia perhaps?
Doesn’t work with TVs
ldap auth will work on tvs
or use the ldap auth plugin with your source of truth, put it behind a reverse proxy, protect it with fail2ban and anubis. there are ways of exposing it safely.
Do not rely on an OIDC/LDAP provider with Jellyfin, you cannot run these in front of your proxy otherwise Jellyfin applications will not be able to communicate with the server.
Blacklist all IP address and whitelist the known few, no need for Fail2Ban or a WAF.
you totally can use ldap or oidc it just requires more setup. you just ensure jellyfin and your source of truth talk on their own subnet, docker can manage it all for you. ldap can be setup to be ldaps with ssl and never even leave the docker subnet anyways.
and yes I suppose you could rely on whitelists, but you’d have to manually add to the whitelist for every user, and god forbid if someone is traveling.
samba vlc solved… you are welcome
Nope? how about fancy stuff GUI and plot?
IMDB on your phone I guess…
Am I having a stroke?
At the time off writing you made a few more comments, so either “no” or “yes but your life is Lemmy”.
I know you’re gatekeeping from Turd Mountain, but just for completeness, the reason I use Jellyfin besides the “pretty for my wife” reason is that it keeps track of her progress between clients. She sometimes watches things on her laptop, sometimes her phone, sometimes her tablet, and sometimes the TV, and no matter which one she uses it’ll remember which episode of her show is the next episode. It also highlights when a new episode of something has been added and cues her to watch the new episode that just came out.
But yeah, if I was alone and only had a pile of anime I’d already seen before, which I only watched from my Linux devices, Samba and VLC would do me fine 😛
Use NFS for your sanity. Linux samba/CIFS is annoying to deal with.
Also, mpv
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
5 acronyms in this thread; the most compressed thread commented on today has 12 acronyms.
[Thread #203 for this comm, first seen 1st Apr 2026, 09:50] [FAQ] [Full list] [Contact] [Source code]
Pretty flawless update from the apt repo on my end.
Im on fedora and I have installed through dnf, no updates with the dnf update… should I wait?
I depends a bit on your threat model. If you have Jellyfin exposed to the internet I would shut it down immediately. If you are running locally and rely on it, let it run maybe? If behind a tailnet or some other VPN, I would deactivate it as well. If it is an Axios like vulnerability it may be possible your secrets are in danger, dependent on how well they are secured. Not a security expert, but I would handle this a little more conservative…
No need to shut it down if it’s not exposed to the internet. Tailnet/VPN is fine.
If it’s a supply chain compromise shutting it down wouldn’t matter. The damage is already done.
It’s on my home, which is not 24/7 open. Will see check later.
If only 10.11 were usable for me at all.
What’s the issue?
There was a regression that caused Jellyfin to be a LOT more restrictive regarding the structured filesystem format. But this could be something else
Edit: Maintainers told me they were gonna fix it
It’s probably database performance related. There’s a massive PR undergoing round after round of reviews that, when merged, will be a change to 10.12 and will resolve all of the new database performance issues experienced in certain edge cases (book libraries, large music libraries, large collections, etc)
In addition to the other comment, it currently has some pretty rough performance issues with big libraries.
Yeah this is unfortunate news for me as well. I have a primary container I use for videos, and then a 10.10 server for music. 10.11 is borderline unusable for music for me, and I’ve tried everything for rescanning to completely redoing the server set up (rip accidentally deleting all my music playlists).
But i shall kill off the 10.10 container and hope a performance fix is in the works.
The update rolled out perfectly for my Kubernetes setup (using the Docker image). 👍
I forgot that it’s April first, and was wondering what catasthropic event had happend in order that it had to be stated in the title that its not a joke
Thank you for posting this. I tend to get a lot of my opensource project info from Lemmy so people who take the time to post it are awesome.
Just updated my home instance. Can confirm that 10.11.7 is available in the Debian repos and the update went perfect. I got a new kernel in the same update : D
Just updated, thanks for the info <3
That changelog just screams AI lol. All the emojis
No worries. We’ve been communicating with pictures since ancient cave men scrawled pictographs on cave walls with a piece of burnt firewood.
Three. Three emojis, used in headings as a bullet point.
It is perfectly plausable for someone whos job is to write technical documentation and promotional material would punch it up with a couple 'mojis.
github.com/jellyfin/jellyfin/releases
Every single release uses the same format with the same 3 emojis. You’d know that if you’d clicked “releases” and had even a modicum of curiosity.
It isn’t, not that I would care anyways
Thanks for this post, i would have updated mine next semester…
thanks for posting this!
Is it standard practice to release the security updates on GitHub?
I am a very amateur self hoster and wouldn’t go on the github of projects on my own unless I wanted to read the “read me” for install instructions. I am realizing that I got aware I needed to update my Jellyfin container ASAP only thanks to this post. I would have never checked the GitHub.
Not really.
Depending on how you install things, the package maintainers usually deal with this, so your next
apt update/pacman -Syuvor … whatever Fedora does… would capture it.If you’ve installed this as a container… dunno… whatever the container update process is (I don’t use them)
I indeed use a container. Wasn’t familiar with the update process for containers but now know how to do it.
Yes.
And then the maintainers of the package on the package repository you use will release the patch there. Completely standard operation.
I recommend younto read up on package repositories on Linux and package maintainers etc.
I don’t run the arr stack, but this is key. You really should do your due diligence before you update anything. Personally, I wait unless it’s a security issue, and use all the early adopters as beta testers.