    New Server/Web Hotfix Release: 10.8.13

    Stable 10.8.z hotfix release
    joshuaboniface
    Project Leader
    #1
    2023-11-29, 04:14 AM (This post was last modified: 2023-12-06, 05:33 AM by joshuaboniface. Edited 6 times in total.)
    We're pleased to announce a new hotfix release for the Jellyfin server and web client, 10.8.13!

    This release mainly focuses on two major security vulnerabilities found over the previous couple weeks, as well as a few minor bugfixes. We strongly recommend that all users update to this release as soon as possible, as the details of these vulnerabilities will be made public on December 5th 2023 (and one of them is quite a doozie).

    This release does make a functional change to Jellyfin: with this version, you are now unable to edit the FFmpeg binary path in the Jellyfin WebUI. This has been done for security reasons, the full reasoning for which as well as some reminders for all Jellyfin administrators can be found in our new blog post over on the main website.

    10.8.13 should be a seamless upgrade, but of course if you notice any problems please open a thread in the Troubleshooting forum for assistance!

    The release on GitHub, including changelog, is at: https://github.com/jellyfin/jellyfin/rel...g/v10.8.13

    Binaries are available in all the usual places: Docker Hub, Our Official OS Repos, and Our Main Repository Page. MacOS and Windows installers are up (someone always asks; they're a manual process that must be done by Anthony after the main builds finish and usually take ~1 hour to complete 😉).

    Happy watching!

    EDIT 2023-11-29 17:00 EST: Due to a regression in our Jellyfin FFmpeg (https://github.com/jellyfin/jellyfin/issues/10654), we've pushed a new combined Docker image at version 10.8.13-1. All the server and web code is identical, it just has the updated jellyfin-ffmpeg package included. latest has been updated to match.

    EDIT 2023-12-06 00:31 EST: The GHSA advisories for the two aforementioned security issues have been published as "Possible Remote Code Execution via custom FFmpeg binary" (CVE-2023-48702) and "Argument Injection in FFmpeg codec parameters" (CVE-2023-49096).
    crobibero
    Core Team (Server & Plugins)
    #2
    2023-11-29, 04:40 AM
    cool
    Connected3809
    Junior Member
    #3
    2023-11-29, 05:26 AM
    Microsoft Defender SmartScreen is blocking the installer EXE from running entirely (has not been a problem in the past).
    anthonylavado
    Core Team
    #4
    2023-11-29, 05:52 AM (This post was last modified: 2023-11-29, 05:52 AM by anthonylavado. Edited 1 time in total.)
    Connected3809 Wrote: Microsoft Defender SmartScreen is blocking the installer EXE from running entirely (has not been a problem in the past).

    Does it give you any additional information? The code for the installer part of it is unchanged from previous 10.8.x releases. Just the server code package is updated.
    paulc
    Member
    #5
    2023-11-29, 06:11 AM
    (2023-11-29, 05:52 AM)anthonylavado Wrote:
    Connected3809 Wrote: Microsoft Defender SmartScreen is blocking the installer EXE from running entirely (has not been a problem in the past).

    Does it give you any additional information? The code for the installer part of it is unchanged from previous 10.8.x releases. Just the server code package is updated.

    You can Run Anyway. SmartScreen says
    Code:
    Windows protected your PC
    Microsoft Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.

    App:
    jellyfin_10.8.13_windows-x64.exe
    Publisher: 
    Unknown publisher

    SmartScreen event Log
    Code:
    EventData

      FilePath jellyfin_10.8.13_windows-x64.exe
      FullFileHash REDACTED BY POSTER
      AuthenticodeHash 
      AuthenticodeAlgorithm 
      MarkOfTheWeb {"HostUrl":"https://nyc1.mirror.jellyfin.org/releases/server/windows/versions/stable/installer/10.8.13/jellyfin_10.8.13_windows-x64.exe","ReferrerUrl":"https://repo.jellyfin.org/","ZoneId":"3"}
      CallingProcessId 8776
      CallingProcessCreationTime 133456324145468095
      Sid 
      ActivityId 
      Enforcement warn
      Experience Untrusted



    vitalessandro
    Junior Member
    #6
    2023-11-29, 01:45 PM (This post was last modified: 2023-11-29, 02:10 PM by vitalessandro. Edited 1 time in total.)
    There is an issue in Jellyfin 10.8.12 with the OpenCL drivers used dropping support for older versions of the Linux kernel, affecting Synology users, breaking tone mapping. Any chance that has been fixed?

    Edit: Doesn't seem to be fixed yet. That's a shame, especially considering the security vulnerabilities... seems my only options are disabling tone mapping, or having an unsafe release facing the internet 😕
    Connected3809
    Junior Member
    #7
    2023-11-29, 02:53 PM
    (2023-11-29, 06:11 AM)paulc Wrote: You can Run Anyway. SmartScreen says

    Option not available.

    Besides, there is an undisclosed CVE being patched, no way I'm going to just "Run Anyway" on this, I feel that would be incredibly foolish.
    TaliaDias
    Junior Member
    #8
    2023-11-29, 08:59 PM (This post was last modified: 2023-11-29, 09:00 PM by TaliaDias. Edited 1 time in total.)
    I had the same issue with SmartScreen as the above person, and it was due to being an unknown publisher. Continuing anyway worked fine.

    I also had the install fail near the end, when it started the service. I went to Services and it appeared to be started, but I was unable to get into the server. When I clicked abort on the error in the install the service went away. I ran the install again, and this time clicked Ignore on the service startup error. The install then said it was completed, and the service still looked like it was started. It didn't actually work though. I then set the service to run as a domain administrator account and restarted it, and still wasn't able to get in. I then ran the tray icon, I don't remember why other than I think I saw it in another troubleshooting step I found on this forum, and clicked the link on that to open the console, which defaults to the http port rather than https port. I then noticed the server was running correctly, so I reselected my SSL certificate and clicked Save (not a new certificate, the same one it was using half an hour beforehand). I then tried going to the https site and it is working correctly too.

    I know that is a lot of random steps, I am just not sure which one of those things fixed it. I am sure a lot of them were pointless. I think setting the service to run as a domain user account rather than the built in local Network Service account was the fix in my situation. The rest of it was problems with the cache on my web browser, I think if I cleared it or tried private browsing it would have been fine.

    EDIT: Should also mention that I was updating from 10.8.10, missed a few. All the other updates I have done in the past have been smooth, just run the installer and it takes care of everything.
    joshuaboniface
    Project Leader
    #9
    2023-11-29, 09:58 PM (This post was last modified: 2023-11-29, 10:03 PM by joshuaboniface. Edited 1 time in total.)
    (2023-11-29, 02:53 PM)Connected3809 Wrote: Besides, there is an undisclosed CVE being patched, no way I'm going to just "Run Anyway" on this, I feel that would be incredibly foolish.

    I have to say, that seems like a weird roundabout take. You're concerned about bypassing SmartScreen's very-likely-false-positive warning, because this is a patch to a security issue that isn't public, and therefore the code might be a security issue? You're free to review the patches and code that changed, it's in the release notes linked in the first post.

    What we have not released are the full details of the security threats that necessitated these patches. Those will come on the 5th. And the reason we don't release the details immediately is quite simple: the last time we did so, people got very upset with us because they did not have time to patch their servers before the full details were released into the wild. And frankly, I agree with that; we don't want to be like some (most?) projects that will throw our users to the wolves with zero time between publishing a patch and publishing the full details of the vulnerability. So, for these and all future security issues, we will wait (roughly) one week to give everyone ample time to update before we publicly disclose them. If you disagree with that, then suit yourself; we're damned if we do and damned if we don't, so we'll err on the side of "wait a bit first".
    anthonylavado
    Core Team
    #10
    2023-11-29, 10:07 PM (This post was last modified: 2023-11-29, 10:09 PM by anthonylavado. Edited 1 time in total.)
    I have a comment on the SmartScreen side of things. Basically, it's impossible to easily get things verified unless we spend $300+/year and build + sign only on one dedicated machine for hardware key purposes. The alternative is making the installer a file loader that downloads the package to install from the web. I'd rather continue to ship it as is, with the provided SHA256 hash for reference.

    The short form - SmartScreen is both code sign + reputation based, and unless you're a megacorp or the initial execution file never changes, the reputation starts at 0 for every new build.

    Edit: https://github.com/jellyfin/jellyfin-ser.../issues/42
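
The checks discussed in this thread (the provided SHA256 hash, the missing Authenticode signature, and the MarkOfTheWeb source recorded in the SmartScreen event) can be run together before launching the installer. This is an added example, not code from the Jellyfin project; the function name `Test-InstallerDownload`, the trusted domain default, and the expected-hash placeholder are assumptions.

```powershell
# Added example (not Jellyfin project code). Test-InstallerDownload is a hypothetical helper.
function Test-InstallerDownload {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Placeholder: paste the SHA256 value the project provides for this exact build.
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        # Assumption: official downloads come from hosts under this domain,
        # as in the HostUrl of the SmartScreen event quoted in this thread.
        [string] $TrustedDomain = 'jellyfin.org'
    )

    # 1. Content integrity: the only check that identifies the bytes themselves.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = $actual -eq $ExpectedSha256.Trim()   # string -eq is case-insensitive

    # 2. Authenticode: an unsigned installer reports NotSigned, which is what
    #    SmartScreen surfaces as "Unknown publisher". Recorded for context only.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 3. Mark of the Web: Zone.Identifier alternate data stream written by the browser.
    $motw    = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostUrl = ($motw | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''
    $zoneId  = ($motw | Where-Object { $_ -like 'ZoneId=*' })  -replace '^ZoneId=', ''

    # Accept only an https URL whose host is the trusted domain or a subdomain of it.
    $uri = $null
    $sourceOk = $false
    if ($hostUrl -and [Uri]::TryCreate($hostUrl, [UriKind]::Absolute, [ref]$uri)) {
        $sourceOk = $uri.Scheme -eq 'https' -and
                    ($uri.Host -eq $TrustedDomain -or $uri.Host.EndsWith(".$TrustedDomain"))
    }

    [pscustomobject]@{
        Sha256Matches   = $hashOk
        ActualSha256    = $actual
        SignatureStatus = $sig.Status
        ZoneId          = $zoneId
        HostUrl         = $hostUrl
        SourceTrusted   = $sourceOk
    }
}

Test-InstallerDownload -Path .\jellyfin_10.8.13_windows-x64.exe `
    -ExpectedSha256 '<SHA256 provided by the project for this build>'
```

A matching hash is only as trustworthy as the channel the expected value came from, so take it from a page fetched separately from the download itself.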