2023-11-29, 04:14 AM
(This post was last modified: 2023-12-06, 05:33 AM by joshuaboniface. Edited 6 times in total.)
We're pleased to announce a new hotfix release for the Jellyfin server and web client, 10.8.13!
This release mainly focuses on two major security vulnerabilities found over the previous couple weeks, as well as a few minor bugfixes. We strongly recommend that all users update to this release as soon as possible, as the details of these vulnerabilities will be made public on December 5th 2023 (and one of them is quite a doozie).
This release does make a functional change to Jellyfin: with this version, you are now unable to edit the FFmpeg binary path in the Jellyfin WebUI. This has been done for security reasons, the full reasoning for which as well as some reminders for all Jellyfin administrators can be found in our new blog post over on the main website.
10.8.13 should be a seamless upgrade, but of course if you notice any problems please open a thread in the Troubleshooting forum for assistance!
The release on GitHub, including changelog, is at: https://github.com/jellyfin/jellyfin/rel...g/v10.8.13
Binaries are available in all the usual places: Docker Hub, Our Official OS Repos, and Our Main Repository Page. MacOS and Windows installers are up (someone always asks; they're a manual process that must be done by Anthony after the main builds finish and usually take ~1 hour to complete).
Happy watching!
EDIT 2023-11-29 17:00 EST: Due to a regression in our Jellyfin FFmpeg (https://github.com/jellyfin/jellyfin/issues/10654), we've pushed a new combined Docker image at version 10.8.13-1. All the server and web code is identical, it just has the updated jellyfin-ffmpeg package included. latest has been updated to match.
EDIT 2023-12-06 00:31 EST: The GHSA advisories for the two aforementioned security issues have been published as "Possible Remote Code Execution via custom FFmpeg binary" (CVE-2023-48702) and "Argument Injection in FFmpeg codec parameters" (CVE-2023-49096).