Jellyfin Forum
New Server/Web Hotfix Release: 10.8.13 - Printable Version

+--- Thread: New Server/Web Hotfix Release: 10.8.13 (/t-new-server-web-hotfix-release-10-8-13)



RE: New Server/Web Hotfix Release: 10.8.13 - Representing_all_cats - 2023-11-30

I happened to install the update this morning when troubleshooting a separate issue. While it didn't fix the other issue I was having, the Windows installation exe installed without any trouble. Thanks JF team for taking action on this and getting it released ASAP!


RE: New Server/Web Hotfix Release: 10.8.13 - I-G-1-1 - 2023-12-01

(2023-11-29, 04:14 AM)joshuaboniface Wrote: ... with this version, you are now unable to edit the FFmpeg binary path in the Jellyfin WebUI. This has been done for security reasons ...

Can you please explain how to edit the FFmpeg path using the command line in Debian?
I can't find any file containing Jellyfin configuration in either of these directories: "/var/lib/jellyfin/" "/etc/jellyfin"
I found these lines in the file "/etc/default/jellyfin":

Code:
# ffmpeg binary paths, overriding the system values
JELLYFIN_FFMPEG_OPT="--ffmpeg=/usr/lib/jellyfin-ffmpeg/ffmpeg"

But it's not the path that my Jellyfin installation is using at the moment.
Any help would be appreciated, thanks.


RE: New Server/Web Hotfix Release: 10.8.13 - tmsrxzar - 2023-12-01

(2023-12-01, 05:02 PM)I-G-1-1 Wrote:
(2023-11-29, 04:14 AM)joshuaboniface Wrote: ... with this version, you are now unable to edit the FFmpeg binary path in the Jellyfin WebUI. This has been done for security reasons ...

Can you please explain how to edit the FFmpeg path using the command line in Debian?
I can't find any file containing Jellyfin configuration in either of these directories: "/var/lib/jellyfin/" "/etc/jellyfin"
I found these lines in the file "/etc/default/jellyfin":

Code:
# ffmpeg binary paths, overriding the system values
JELLYFIN_FFMPEG_OPT="--ffmpeg=/usr/lib/jellyfin-ffmpeg/ffmpeg"

But it's not the path that my Jellyfin installation is using at the moment.
Any help would be appreciated, thanks.

Per the article linked from the first post, you change it in encoding.xml: https://jellyfin.org/posts/jellyfin-security-and-you
If you cannot locate your Jellyfin config directory, that's a completely different issue unrelated to this topic, and you should start a new thread.

Mine is in Docker and its config is /config, which does not help with the bare-metal install you indicate you have.


RE: New Server/Web Hotfix Release: 10.8.13 - I-G-1-1 - 2023-12-01

My fault, I didn't read the article and just searched the Jellyfin documentation directly for how to change the FFmpeg path.

As you suggested, I found the file encoding.xml in "/etc/jellyfin", thanks.


RE: New Server/Web Hotfix Release: 10.8.13 - pixel24 - 2023-12-05

Hi @all,

Thank you for the update. It was installed on my Ubuntu server without any problems.

Unfortunately, the bug with playlists from multiple users (each user sees all playlists and can also edit them) still exists :-(

Is there a rough idea when this bug will be fixed?

with best
pixel24


RE: New Server/Web Hotfix Release: 10.8.13 - niels - 2023-12-05

(2023-12-05, 10:54 AM)pixel24 Wrote: Unfortunately, the bug with playlists from multiple users (each user sees all playlists and can also edit them) still exists :-(

This was technically intended behavior but obviously not expected behavior for most users. It is already fixed and will be available in 10.9.


RE: New Server/Web Hotfix Release: 10.8.13 - pixel24 - 2023-12-05

OK, too bad. Would love to use Jellyfin with friends & family, which is unfortunately not possible at the moment :-(

I'm waiting for 10.9 :-)


RE: New Server/Web Hotfix Release: 10.8.13 - MegaUltraGigaChad - 2023-12-05

Good thing the exploits are getting patched
And there's me still waiting for 10.9 and lyrics support


RE: New Server/Web Hotfix Release: 10.8.13 - FireSale - 2023-12-05

The new Jellyfin 10.8.13 update is good for keeping things safe, especially with security fixes. But, stopping the edit of the FFmpeg thing might make it tricky for some people who like to change things. It'd be helpful to explain more about why this change happened and how it affects people who manage things. Adding tips or guides for those affected could make it easier to handle. It's good to see a focus on safety, but it'd be great to understand this change better.


RE: New Server/Web Hotfix Release: 10.8.13 - joshuaboniface - 2023-12-06

(2023-12-05, 11:37 PM)FireSale Wrote: The new Jellyfin 10.8.13 update is good for keeping things safe, especially with security fixes. But, stopping the edit of the FFmpeg thing might make it tricky for some people who like to change things. It'd be helpful to explain more about why this change happened and how it affects people who manage things. Adding tips or guides for those affected could make it easier to handle. It's good to see a focus on safety, but it'd be great to understand this change better.

The change really is exactly what it sounds like. Previously, there were 3 ways to set your FFmpeg binary path: in the UI (via the API), in the encoding.xml configuration file, or via the CLI flag --ffmpeg. We've removed the first one because it's possible for a malicious administrator to use it to set any arbitrary binary path on the system as the FFmpeg binary, including a malicious one. Further, using that API endpoint, Jellyfin will immediately *execute* the binary to test if it's FFmpeg. It's hopefully easy to see how a malicious administrator (either explicitly granted or privilege escalated from another user) could abuse that to execute arbitrary code on the host Jellyfin system.

From the blog article, this feature comes from the very old days of Emby 3.x and Jellyfin 10.0 (our first release). Back in those days, every system (and version, for Debian/Ubuntu/other distro packages) used its own FFmpeg, and changing them was something administrators did frequently to get new features, hardware encoding, etc. These days, since at least 10.6.0, we've published our own FFmpeg binary along with the server, to provide full hardware encoding support and the latest features, which means that ultimately most people shouldn't need to be changing this with so much frequency that a UI option is really worth it. You still can of course, but doing so just requires the extra steps of SSH/shell login and a restart.

We ultimately decided, after close to 3 months of discussion, that the risk of this endpoint massively outweighs its potential benefits. Effectively, it was an end stage for multiple other vulnerabilities, and was its own risk from malicious administrators. An administrator can still change their FFmpeg binary if they want using the other 2 options, but it requires (existing) shell access and a server restart to apply, providing some additional safety against malicious remote attackers.
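As an added example (not Jellyfin's code nor posted by anyone in this thread) tying together the encoding.xml question above and the configuration paths joshuaboniface describes: a small audit that resolves which FFmpeg binary the server would execute from the two remaining configuration sources and flags a path other than the packaged one, or a binary a non-root account could overwrite. The <EncoderAppPath> element name and the precedence order (encoding.xml over --ffmpeg over $PATH) are my assumptions from reading Jellyfin, not something this page states.

```python
# Added audit (not Jellyfin project code). Assumption: <EncoderAppPath> in encoding.xml
# holds the path and takes precedence over --ffmpeg from /etc/default/jellyfin, which in
# turn only overrides the ffmpeg found on $PATH (consistent with I-G-1-1's observation).
import shlex
import stat
import xml.etree.ElementTree as ET

PACKAGED_FFMPEG = "/usr/lib/jellyfin-ffmpeg/ffmpeg"  # packaged path quoted in the thread

# Constructed samples standing in for /etc/jellyfin/encoding.xml and /etc/default/jellyfin.
SAMPLE_XML = """<EncodingOptions>
  <EncoderAppPath>/opt/tools/ffmpeg</EncoderAppPath>
</EncodingOptions>"""
SAMPLE_DEFAULTS = """# ffmpeg binary paths, overriding the system values
JELLYFIN_FFMPEG_OPT="--ffmpeg=/usr/lib/jellyfin-ffmpeg/ffmpeg"
"""

def ffmpeg_from_xml(xml_text):
    """Return the <EncoderAppPath> value, or None when the element is absent or empty."""
    el = ET.fromstring(xml_text).find("EncoderAppPath")
    return el.text.strip() if el is not None and el.text and el.text.strip() else None

def ffmpeg_from_defaults(defaults_text):
    """Pull the --ffmpeg=<path> value out of the shell-style JELLYFIN_FFMPEG_OPT line."""
    for line in defaults_text.splitlines():
        if line.strip().startswith("JELLYFIN_FFMPEG_OPT="):
            for tok in shlex.split(line.split("=", 1)[1]):
                if tok.startswith("--ffmpeg="):
                    return tok[len("--ffmpeg="):]
    return None

def effective_ffmpeg(xml_text, defaults_text):
    """Resolve the binary Jellyfin would execute: encoding.xml wins, then the CLI flag."""
    return ffmpeg_from_xml(xml_text) or ffmpeg_from_defaults(defaults_text)

def path_findings(path, allowed=(PACKAGED_FFMPEG,)):
    """Empty list means the resolved path is one the operator expects."""
    if path is None:
        return ["no FFmpeg path configured; Jellyfin falls back to $PATH"]
    return [] if path in allowed else [f"unexpected FFmpeg path: {path}"]

def ownership_findings(st_uid, st_mode):
    """Flag a binary that a non-root account could replace in place (use os.stat results)."""
    findings = []
    if st_uid != 0:
        findings.append("binary not owned by root")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("binary is group- or world-writable")
    return findings
```

On a server, pass in the contents of /etc/jellyfin/encoding.xml and /etc/default/jellyfin, then feed os.stat(path).st_uid and .st_mode of the resolved path to ownership_findings.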