You can always tell who does real IT work in these threads lol
Just a reminder that you should never expose Jellyfin to the internet
The worst part of enthusiast threads are the “I am very smart” takes like this
You objectively shouldn’t expose Jellyfin to the internet. It has a rather large attack surface and isn’t designed with security in mind.
Pretending everything is fine won’t solve the problem
Sounds like a great reason to use Plex instead!
edit: to add something constructive to my snarky comment, what kind of attack surface are we talkin here? Multiple ports? Lots of separate services running?
Plex has its own set of problems
yeah okay let me just connect grandma’s tv to a vpn.
There are plenty of ways around this
A cheap minipc is only like 20-40 USD and would solve the problem overnight
I can set it up, and you can set it up, but for the average user?
The average user isn’t using Jellyfin
All you need is a little Linux knowledge in order to set up Netbird with Caddy
I’m talking average enough to see an article, or hear about it from a friend/coworker, then follow the insanely easy setup directions for Windows. I know plenty of people who aren’t really “computer people” but know enough to open a port because they had to to get a game working at some point or another. Those people probably wouldn’t notice “hey this thing is going to http, maybe I should rethink this…”

These are going to be the people who think it’s smart to just open up RDP and SSH to the wide web though…they shouldn’t be forwarding ports…they should use a VPN.
I had to explain to one of them why RDP is a bad idea lol. That’s kind of my point - average people tend to only know enough to be dangerous, not to do things safely. Or as Shakespeare said - "The fool doth think he is wise, but the wise man knows himself to be a fool.”
Set up a VPN gateway at Grandma’s house. Works fine for me.
I think you’re missing the point - that’s neither simple nor easy for most people. I’m a network engineer and I don’t wanna deal with setting up and (being responsible for troubleshooting) a bunch of VPNs! Nevermind the additional power/CPU usage from the tunnels. My parents just got fiber and they don’t even have a public address (ipv4 or v6) which just adds another layer of headache. thanks west virginia…
I’d much rather deal with setting up a few VPN gateways which is trivial at most…than securing a public web service. I deal with that crap enough at work.
There are a lot less variables to contend with with a single VPN endpoint which undergoes considerably more security auditing than N public web services. Many of which I don’t have the time to review myself and mitigate if they decide to suck at coding.
Edit: I share my services with less than 5 households though.
Edit2: I’m not sure what public ipv4 or ipv6 has to do with this. My remote sites use starlink ipv4. I haven’t setup ipv6 on those internally at all. They all tunnel via wireguard to my homesite.
also fyi starlink has public ipv6 available if you DO want to set it up. been hosting a minecraft server off a starlink connection lol.
When I set up wireguard it was just more complicated when one side didn’t have a public IP. Whyyyy can’t we adopt ipv6 already.
Are you singling out Jellyfin for a particular reason? Or are you also going to advise just never opening ports in general?
For the vast majority of users? Yes. They shouldn’t forward ports.
Set up a VPN gateway at Grandma’s house.
jellyfin people just always spout this advice as some sort of copium and I don’t even know why. ALL software will have security issues at some point or another. just update and move on with your life.
Definitely.
But I think more than copium it’s them understanding their users. It’s advice for people that will figure out how to run Jellyfin but won’t stay on top of updates, set up a WAF, use a firewall/reverse proxy to limit access, etc. There are surely a lot of those that just one-clicked an installer etc and for them it’s good advice.
that’s fair, does it not have any kind of encryption by default?
Standard TLS, I think, but what else would you need?
None really, just wondering what the issue with opening it up is if it has TLS? In 10+ years I’ve never had my Plex server compromised and it just uses TLS. I do change the default port but that’s it.
Plex logins go through their login server so you’ll also have login throttling and probably other bot protections.
That’s kinda my perspective on it too. I mean, how do they think websites work? Gotta expose ports to make all the internet things happen. Sure commercial stuff will have more devices to protect it, but there are things you can do to mitigate issues at home too.
Is it standard practice to release the security updates on GitHub?
I am a very amateur self hoster and wouldn’t go on the github of projects on my own unless I wanted to read the “read me” for install instructions. I am realizing that I got aware I needed to update my Jellyfin container ASAP only thanks to this post. I would have never checked the GitHub.
I am realizing that I got aware
I don’t run the arr stack, but this is key. You really should do your due diligence before you update anything. Personally, I wait unless it’s a security issue, and use all the early adopters as beta testers.
Is it standard practice to release the security updates on GitHub?
Yes.
And then the maintainers of the package on the package repository you use will release the patch there. Completely standard operation.
I recommend you to read up on package repositories on Linux and package maintainers etc.
Not really.
Depending on how you install things, the package maintainers usually deal with this, so your next apt update / pacman -Syu or … whatever Fedora does … would capture it. If you’ve installed this as a container… dunno… whatever the container update process is (I don’t use them)
Unattended upgrades set to security only and never worry
It’s difficult to do security-only updates when the fix is contained within a package update.
Even Microsoft’s security updates are a mix, with security updates containing feature changes and vice versa.
I usually do an update on 1 random device / VM and if that was ok (inc. watching for any .pacnew files) I then kick Ansible into action for the rest.
I indeed use a container. Wasn’t familiar with the update process for containers but now know how to do it.
If you haven’t already, I recommend Watchtower (nickfedor fork—the original is unmaintained) which automatically pulls updates to Docker containers and restarts them. Make sure to track latest, although for security updates, these should be backported to any supported versions so it’s fine to track an older supported version too.
Lol it’s already insecure then. Don’t bother.
Insane way of thinking.
Implying you have access to some major Docker 0-day exploit, or just talking out of your ass? Because a container is no more or less secure than the machine it runs on. At least if a container gets compromised, it only has access to the volumes you have specifically given it access to. It can’t just run rampant on your entire system, because you haven’t (or at least shouldn’t have) given it access to your entire system.
Docker is known insecure. It doesn’t cryptographically verify any layers it pulls. The devs are aware. The tickets remain open.
If that is indeed true it would only mean that the docker container is vulnerable to a supply chain attack. You are not any more vulnerable to a vulnerability in the codebase.
If you’re using the ghcr image, to post malicious code there, the attack would have already had to compromise their github infra … which would likely result in the attacker being able to push malicious code to git or publish malicious releases. Their linux distro packages are self published via a ppa/install script, which I would assume just pull from their github releases, so a bad github release would immediately be pulled as an update by users just as fast as a container.
There’s a lot of good container management solutions out there that are worth investigating. They do things like monitor availability, resource management, as well as alerting on versioning.
thanks for posting this!
Thanks for this post, i would have updated mine next semester…
That changelog just screams AI lol. All the emojis
It isn’t, not that I would care anyways
Three. Three emojis, used in headings as a bullet point.
It is perfectly plausible that someone whose job is to write technical documentation and promotional material would punch it up with a couple 'mojis.
https://github.com/jellyfin/jellyfin/releases
Every single release uses the same format with the same 3 emojis. You’d know that if you’d clicked “releases” and had even a modicum of curiosity.
No worries. We’ve been communicating with pictures since ancient cave men scrawled pictographs on cave walls with a piece of burnt firewood.
Just updated, thanks for the info <3
Thank you for posting this. I tend to get a lot of my opensource project info from Lemmy so people who take the time to post it are awesome.
Just updated my home instance. Can confirm that 10.11.7 is available in the Debian repos and the update went perfectly. I got a new kernel in the same update :D
Hi!
So I installed jellyfin on Bazzite as per this video.
But he didn’t explain how to update the server. Could you maybe tell me how you did it with your server? Maybe it could help me figure out how to update mine as well.
The video uses quadlets, which afaik, is just using systemd units to run containers via podman. Therefore, you can just run
podman stop jellyfin (podman ps to get the actual name of the jellyfin container)
podman rm jellyfin
podman pull docker.io/jellyfin/jellyfin:latest
systemctl restart jellyfin.container (or whatever you called your unit when you set it up)
Quick google says you can set up auto updates if you want: https://major.io/p/podman-quadlet-automatic-updates/
Caveat: I am a docker compose user, I may have missed something due to lack of familiarity with quadlets/podman
It worked! Thanks so much!
I suppose I’ll start looking into docker/containers/quadlets etc, so I actually understand what I am using lol
Poke around through the dash. I imagine it’s in the GUI there. Probably under a menu like ‘system’ or ‘about’.
Thanks for the reply!
Sadly I can’t find anything, unless I am super blind.
I forgot that it’s April first, and was wondering what catastrophic event had happened in order that it had to be stated in the title that it’s not a joke
The update rolled out perfectly for my Kubernetes setup (using the Docker image). 👍
If only 10.11 were usable for me at all.
Yeah this is unfortunate news for me as well. I have a primary container I use for videos, and then a 10.10 server for music. 10.11 is borderline unusable for music for me, and I’ve tried everything for rescanning to completely redoing the server set up (rip accidentally deleting all my music playlists).
But I shall kill off the 10.10 container and hope a performance fix is in the works.
What’s the issue?
In addition to the other comment, it currently has some pretty rough performance issues with big libraries.
There was a regression that caused Jellyfin to be a LOT more restrictive regarding the structured filesystem format. But this could be something else
It’s probably database performance related. There’s a massive PR undergoing round after round of reviews that, when merged, will be a change to 10.12 and will resolve all of the new database performance issues experienced in certain edge cases (book libraries, large music libraries, large collections, etc)
I don’t have books, moved music to navidrome, and have a relatively small library and it just will not play nice. Library scans lasting for days kind of nasty. RAM and CPU domination.
I’m on Fedora and I have installed through dnf, no updates with the dnf update… should I wait?
It depends a bit on your threat model. If you have Jellyfin exposed to the internet I would shut it down immediately. If you are running locally and rely on it, let it run maybe? If behind a tailnet or some other VPN, I would deactivate it as well. If it is an Axios-like vulnerability it may be possible your secrets are in danger, dependent on how well they are secured. Not a security expert, but I would handle this a little more conservatively…
It’s on my home, which is not 24/7 open. Will check later.
No need to shut it down if it’s not exposed to the internet. Tailnet/VPN is fine.
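The "depends on your threat model" rule of thumb from the two comments above (stop an unpatched instance that is reachable from the internet; VPN- or LAN-only instances can keep running but get updated first), written out as a small triage script. This is an added example, not Jellyfin project code: the fixed version 10.11.7 is the release this thread is about, and the instance names, versions and exposure labels are constructed sample data.

```python
"""Added example for this thread: patch-status triage for Jellyfin instances.
Not Jellyfin project code; the inventory below is constructed sample data."""
from dataclasses import dataclass

FIXED_VERSION = "10.11.7"  # the security release discussed in the thread


@dataclass(frozen=True)
class Instance:
    name: str
    version: str   # version string as shown in the server dashboard
    exposure: str  # "internet", "vpn" (tailnet/WireGuard) or "lan"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.11.7' into (10, 11, 7). Comparing tuples keeps 10.11.10 above
    10.11.7, which a plain string comparison gets wrong."""
    core = text.strip().split("-", 1)[0]  # drop any pre-release suffix
    return tuple(int(part) for part in core.split("."))


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    return parse_version(version) >= parse_version(fixed)


def triage(inst: Instance, fixed: str = FIXED_VERSION) -> str:
    """Rule of thumb from the thread: an unpatched instance reachable from the
    internet is stopped until it is updated; one reachable only over a VPN or
    the LAN keeps running but goes to the front of the update queue."""
    if is_patched(inst.version, fixed):
        return "ok"
    if inst.exposure == "internet":
        return "stop-and-update"
    if inst.exposure in ("vpn", "lan"):
        return "update-soon"
    raise ValueError(f"unknown exposure {inst.exposure!r}")


# Constructed sample inventory; names and versions are made up.
SAMPLE_INVENTORY = [
    Instance("living-room", "10.11.7", "internet"),
    Instance("grandma", "10.11.6", "vpn"),
    Instance("music-box", "10.11.5", "lan"),
    Instance("public-demo", "10.11.10", "internet"),
]


def report(inventory=SAMPLE_INVENTORY, fixed: str = FIXED_VERSION) -> dict[str, str]:
    return {inst.name: triage(inst, fixed) for inst in inventory}


if __name__ == "__main__":
    for name, action in report().items():
        print(f"{name:12} {action}")
```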
If it’s a supply chain compromise shutting it down wouldn’t matter. The damage is already done.
I don’t believe it’s a supply chain compromise
Pretty flawless update from the apt repo on my end.
Server version 10.11.7
Yeah, I think what went wrong and now everything is installed through Docker.
Docker feels like a huge security problem to me.
Why?
Docker makes everything so much easier
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
HTTP: Hypertext Transfer Protocol, the Web
VPN: Virtual Private Network
nginx: Popular HTTP server
[Thread #203 for this comm, first seen 1st Apr 2026, 09:50]
samba vlc solved… you are welcome
I know you’re gatekeeping from Turd Mountain, but just for completeness, the reason I use Jellyfin besides the “pretty for my wife” reason is that it keeps track of her progress between clients. She sometimes watches things on her laptop, sometimes her phone, sometimes her tablet, and sometimes the TV, and no matter which one she uses it’ll remember which episode of her show is the next episode. It also highlights when a new episode of something has been added and cues her to watch the new episode that just came out.
But yeah, if I was alone and only had a pile of anime I’d already seen before, which I only watched from my Linux devices, Samba and VLC would do me fine 😛
Use NFS for your sanity. Linux samba/CIFS is annoying to deal with.
Also, mpv
Honestly, I’m not a big fan of Microsoft generally, but I found NFS to be surprisingly not great for non-permanent infrastructure, whereas SMB took a few minutes and works great, at least in my use cases. Maybe I’m just a loser, though.
Nope? how about fancy stuff GUI and plot?
IMDB on your phone I guess…
Am I having a stroke?
Do you smell burning fish?
At the time of writing you made a few more comments, so either “no” or “yes but your life is Lemmy”.