ElectricVocalist@jlai.lu to Selfhosted@lemmy.worldEnglish · 2 months agoJellyfin critical security update - This is not a jokegithub.comexternal-linkmessage-square234fedilinkarrow-up10arrow-down10 cross-posted to: jellyfin@lemmy.mljellyfin@lemmy.ml
arrow-up10arrow-down1external-linkJellyfin critical security update - This is not a jokegithub.comElectricVocalist@jlai.lu to Selfhosted@lemmy.worldEnglish · 2 months agomessage-square234fedilink cross-posted to: jellyfin@lemmy.mljellyfin@lemmy.ml
minus-squarerumba@lemmy.ziplinkfedilinkEnglisharrow-up0·2 months agoBiggest worry is someone finding an uncaught RCE. Of course plugins also have surface area. We know they can anon pull video. You can sandbox it to limit exposure. But if they modify the web client with an RCE, then you hit your own server as a trusted site and that delivers a payload…
Biggest worry is someone finding an uncaught RCE.
Of course plugins also have surface area.
We know they can anon pull video. You can sandbox it to limit exposure.
But if they modify the web client with an RCE, then you hit your own server as a trusted site and that delivers a payload…