this post was submitted on 01 Apr 2026
705 points (99.0% liked)

Selfhosted

59343 readers
185 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
705
Jellyfin critical security update - This is not a joke (github.com)
submitted 1 month ago by Mubelotix@jlai.lu to c/selfhosted@lemmy.world
260 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] quick_snail@feddit.nl 3 points 1 month ago (1 children)

If only they would fix the htaccess bug

[–] yannic@lemmy.ca 1 points 1 month ago (1 children)

You've piqued my interest. Where can I read about it?

I did a quick search on their github and came up empty. Maybe no one mentioned "htaccess" in the issue.

[–] quick_snail@feddit.nl 1 points 1 month ago* (last edited 1 month ago) (1 children)

Search for "basic auth"

Its the only software project I know of that you can't put behind http basic auth. They mark this bug as "wontfix" every time someone points it out to them

[–] yannic@lemmy.ca 1 points 1 month ago (1 children)

Basic auth? The insecure authentication method?

Ok, I'll look it up anyway. Under the jellyfin repository, there were eight results, none of which seemed to describe what you meant, and under the jellyfin-web repository, there were none. Using a web crawler search, I was able to find Issue #123 for jellyfin-android

Is that it?

[–] quick_snail@feddit.nl 1 points 1 month ago* (last edited 1 month ago) (1 children)

Basic auth is very secure.

Unlike custom implemented logins. So it's common to use basic auth in front of custom auth implementations. So even when the app has a login vuln, you're safe.

Yes that ticket is one of many.

Try searching the repo. Make sure to backspace out the prefix that ignores closed tickets.

[–] yannic@lemmy.ca 1 points 1 month ago* (last edited 1 month ago)

That's exactly how I searched. If you want security, it's probably best to follow the Unix philosophy of do one thing and do it well. In other words, don't trust someone building a media server to handle auth and instead use the OIDC or LDAP plugins.