this post was submitted on 01 Apr 2026

691 points (99.1% liked)

Selfhosted

58148 readers

1131 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

691

Jellyfin critical security update - This is not a joke (github.com)

submitted 2 days ago by Mubelotix@jlai.lu to c/selfhosted@lemmy.world

249 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] Cyber@feddit.uk 5 points 2 days ago (2 children)

Not really.

Depending on how you install things, the package maintainers usually deal with this, so your next apt update / pacman -Syuv or ... whatever Fedora does... would capture it.

If you've installed this as a container... dunno.. whatever the container update process is (I don't use them)

[–] quick_snail@feddit.nl 3 points 1 day ago (1 children)

Unattended upgrades set to security only and never worry

[–] Cyber@feddit.uk 5 points 1 day ago (1 children)

It's difficult to do security-only updates when the fix is contained within a package update.

Even Microsoft's security updates are a mix with secuirity updates containing feature changes and vice versa.

I usually do an update on 1 random device / VM and if that was ok (inc. watching for any .pacnew files) and then kick Ansible into action for the rest.

[–] quick_snail@feddit.nl 1 points 1 day ago (1 children)

Why does unattended upgrades with security only setting not fix this?

This is literally why Debian has distinct repos for security updates.

[–] Cyber@feddit.uk 1 points 20 hours ago

Let me know which repo this update appears in.

[–] psoul@lemmy.world 4 points 2 days ago (3 children)

I indeed use a container. Wasn’t familiar with the update process for containers but now know how to do it.

[–] communism@lemmy.ml 2 points 1 day ago (1 children)

If you haven't already, I recommend Watchtower (nickfedor fork—the original is unmaintained) which automatically pulls updates to Docker containers and restarts them. Make sure to track latest, although for security updates, these should be backported to any supported versions so it's fine to track an older supported version too.

[–] psoul@lemmy.world 1 points 23 hours ago

Thank you. Will look into it.

[–] ButtDrugs@lemmy.zip 5 points 1 day ago

There's a lot of good container management solutions out there that are worth investigating. They do things like monitor availability, resource management, as well as altering on versioning.

[+] quick_snail@feddit.nl -7 points 1 day ago (2 children)

Lol it's already insecure then. Don't bother.

[–] mpramann@discuss.tchncs.de 3 points 1 day ago

Insane way of thinking.

[–] mic_check_one_two@lemmy.dbzer0.com 4 points 1 day ago* (last edited 1 day ago) (1 children)

Implying you have access to some major Docker 0-day exploit, or just talking out of your ass? Because a container is no more or less secure than the machine it runs on. At least if a container gets compromised, it only has access to the volumes you have specifically given it access to. It can’t just run rampant on your entire system, because you haven’t (or at least shouldn’t have) given it access to your entire system.

[–] quick_snail@feddit.nl -1 points 1 day ago (2 children)

Docker is known insecure. It doesn't verify any layers it pulls cryptography. The devs are aware. The tickets remain open.

[–] psoul@lemmy.world 1 points 23 hours ago

I don't know if I remember correctly but I could not install Jellyfin on the latest Ubuntu server version. I had to use docker to get Jellyfin running.

[–] def@aussie.zone 1 points 1 day ago

If that is indeed true it would only mean that the docker container is vulnerable to a supply chain attack. You are not any more vulnerable to a vulnerability in the codebase.

If you’re using the ghcr image, to post malicious code there, the attack would have already had to compromise their github infra … which would likely result in the attacker being able to push malicious code to git or publish malicious releases. Their linux distro packages are self published via a ppa/install script, which I would assume just pull from their github releases, so a bad github release would immediately be pulled as an update by users just as fast as a container.