• Login
  • Register
    • Login Register
    Login
    Username/Email:
    Password:
    Or login with a social network below
  • Forum
  • Website
  • GitHub
  • Status
  • Translation
  • Features
  • Team
  • Rules
  • Help
  • Feeds
User Links
  • Login
  • Register
    • Login Register
    Login
    Username/Email:
    Password:
    Or login with a social network below

    Useful Links Forum Website GitHub Status Translation Features Team Rules Help Feeds
    Jellyfin Forum Announcements Project Announcements New Server/Web Hotfix Release: 10.8.13

     
    • 0 Vote(s) - 0 Average

    New Server/Web Hotfix Release: 10.8.13

    Stable 10.8.z hotfix release
    joshuaboniface
    Offline

    Project Leader
    Posts: 110
    Threads: 25
    Joined: 2023 Jun
    Reputation: 13
    Country:Canada
    #20
    2023-12-06, 05:29 AM (This post was last modified: 2023-12-06, 05:51 AM by joshuaboniface. Edited 6 times in total.)
    (2023-12-05, 11:37 PM)FireSale Wrote: The new Jellyfin 10.8.13 update is good for keeping things safe, especially with security fixes. But, stopping the edit of the FFmpeg thing might make it tricky for some people who like to change things. It'd be helpful to explain more about why this change happened and how it affects people who manage things. Adding tips or guides for those affected could make it easier to handle. It's good to see a focus on safety, but it'd be great to understand this change better.

    The change really is exactly what it sounds like. Previously, there were 3 ways to set your FFmpeg binary path: in the UI (via the API), in the encoding.xml configuration file, or via the CLI flag --ffmpeg. We've removed the first one because it's possible for a malicious administrator to use it to set any arbitrary binary path on the system as the FFmpeg binary, including a malicious one. Further using that API endpoint, Jellyfin will immediately *execute* the binary to test if it's FFmpeg. It's hopefully easy to see how a malicious administrator (either explicitly granted or privilege escalated from another user) could abuse that to execute arbitrary code on the host Jellyfin system.

    From the blog article, this feature comes from the very old days of Emby 3.x and Jellyfin 10.0 (our first release). Back in those days, every system (and version, for Debian/Ubuntu/other distro packages) used its own FFmpeg, and changing them was something administrators did frequently to get new features, hardware encoding, etc. These days, since at least 10.6.0, we've published our own FFmpeg binary along with the server, to provide full hardware encoding support and the latest features, which means that ultimately most people shouldn't need to be changing this with so much frequency that a UI option is really worth it. You still can of course, but doing so just requires the extra steps of SSH/shell login and a restart.

    We ultimately decided, after close to 3 months of discussion, that the risk of this endpoint massively outweighs its potential benefits. Effectively, it was an endstage for multiple other vulnerabilities, and was its own risk from malicious Administrators. An administrator can still change their FFmpeg binary if they want using the other 2 options, but it requires (existing) shell access and a server restart to apply, providing some additional safety against malicious remote attackers.
    « Next Oldest | Next Newest »

    Users browsing this thread: 5 Guest(s)


    Messages In This Thread
    New Server/Web Hotfix Release: 10.8.13 - by joshuaboniface - 2023-11-29, 04:14 AM
    RE: New Server/Web Hotfix Release: 10.8.13 - by crobibero - 2023-11-29, 04:40 AM
    RE: New Server/Web Hotfix Release: 10.8.13 - by Connected3809 - 2023-11-29, 05:26 AM
    RE: New Server/Web Hotfix Release: 10.8.13 - by anthonylavado - 2023-11-29, 05:52 AM
    RE: New Server/Web Hotfix Release: 10.8.13 - by paulc - 2023-11-29, 06:11 AM
    RE: New Server/Web Hotfix Release: 10.8.13 - by Connected3809 - 2023-11-29, 02:53 PM
    RE: New Server/Web Hotfix Release: 10.8.13 - by joshuaboniface - 2023-11-29, 09:58 PM
    RE: New Server/Web Hotfix Release: 10.8.13 - by vitalessandro - 2023-11-29, 01:45 PM
    RE: New Server/Web Hotfix Release: 10.8.13 - by TaliaDias - 2023-11-29, 08:59 PM
    RE: New Server/Web Hotfix Release: 10.8.13 - by anthonylavado - 2023-11-29, 10:07 PM
    RE: New Server/Web Hotfix Release: 10.8.13 - by Representing_all_cats - 2023-11-30, 02:05 AM
    RE: New Server/Web Hotfix Release: 10.8.13 - by I-G-1-1 - 2023-12-01, 05:02 PM
    RE: New Server/Web Hotfix Release: 10.8.13 - by tmsrxzar - 2023-12-01, 05:34 PM
    RE: New Server/Web Hotfix Release: 10.8.13 - by I-G-1-1 - 2023-12-01, 06:24 PM
    RE: New Server/Web Hotfix Release: 10.8.13 - by pixel24 - 2023-12-05, 10:54 AM
    RE: New Server/Web Hotfix Release: 10.8.13 - by niels - 2023-12-05, 11:04 AM
    RE: New Server/Web Hotfix Release: 10.8.13 - by pixel24 - 2023-12-05, 11:13 AM
    RE: New Server/Web Hotfix Release: 10.8.13 - by MegaUltraGigaChad - 2023-12-05, 07:54 PM
    RE: New Server/Web Hotfix Release: 10.8.13 - by FireSale - 2023-12-05, 11:37 PM
    RE: New Server/Web Hotfix Release: 10.8.13 - by joshuaboniface - 2023-12-06, 05:29 AM
    RE: New Server/Web Hotfix Release: 10.8.13 - by tmsrxzar - 2023-12-06, 02:30 PM
    RE: New Server/Web Hotfix Release: 10.8.13 - by Perseverant - 2023-12-20, 02:22 AM
    RE: New Server/Web Hotfix Release: 10.8.13 - by JasonThai - 2024-02-15, 01:09 AM
    RE: New Server/Web Hotfix Release: 10.8.13 - by TheDreadPirate - 2024-02-15, 03:15 AM
    RE: New Server/Web Hotfix Release: 10.8.13 - by gzowner - 2024-03-08, 04:01 AM
    RE: New Server/Web Hotfix Release: 10.8.13 - by TheDreadPirate - 2024-03-08, 04:17 AM

    • View a Printable Version
    • Subscribe to this thread
    Forum Jump:

    Home · Team · Help · Contact
    © Designed by D&D - Powered by MyBB
    L


    Jellyfin

    The Free Software Media System

    Linear Mode
    Threaded Mode