this post was submitted on 28 Nov 2025
462 points (98.3% liked)

Selfhosted

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.


Plex is starting to enforce its new rules, which prevent users from remotely accessing a personal media server without a subscription fee.

If anyone needs it: https://jellyfin.org/

[–] tyler@programming.dev 17 points 1 day ago (3 children)

Aside from most of those being “potential issues”, which weren’t proven, the rest are GETs of things that do not need to be secret, things like album art and the list of installed plugins. The exception is the one plugin issue, which was an actual security issue and was fixed over a year and a half ago. https://github.com/jellyfin/jellyfin/pull/11436

Contrast that with Plex which has numerous high severity CVEs that include things like remote code execution, directory traversal, and more.

[–] MaggiWuerze@feddit.org 5 points 1 day ago (1 children)

And you think if Jellyfin were a comparable size, there wouldn't be just as many or more?

[–] tyler@programming.dev 0 points 14 hours ago

No… because more people would be working on it.

[–] fartsparkles@lemmy.world 3 points 21 hours ago (2 children)

You’re aware those CVEs are only relevant for ancient versions of Plex and were fixed long ago?

[–] tyler@programming.dev 1 points 14 hours ago (1 children)

They are not marked as resolved.

[–] fartsparkles@lemmy.world 1 points 11 hours ago* (last edited 11 hours ago)

CVEs don’t get issued “resolved” statuses… They are either reserved, published, or rejected (technically NVD have a few extra for published). That’s just junk data in that tool you’re using. Use authoritative sources like cve.org or nvd.nist.gov.

You can see the CPEs on NVD and they’re old versions of Plex (and were old when the vulns were published).
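The check described in that comment, going to the NVD record and reading which CPE versions are actually in the affected range, is easy to do mechanically. The following is an added example and is not code from this thread, from Jellyfin or from Plex. The record embedded below is constructed to have the shape of an NVD API 2.0 response (`vulnerabilities[].cve.configurations[].nodes[].cpeMatch[]`); the CVE id, vendor, product and version bounds in it are placeholders, not a real advisory, and real records have to be fetched from nvd.nist.gov.

```python
"""Check whether an installed version falls inside the affected CPE ranges of
an NVD API 2.0 style CVE record.

Added example, not from the thread or from any project. SAMPLE_RECORD is a
constructed record with placeholder id/vendor/product/version bounds; its only
purpose is to show the layout NVD returns. Fetch real data from nvd.nist.gov.
"""
import re

# Constructed sample in the NVD API 2.0 layout (placeholder identifiers).
SAMPLE_RECORD = {
    "vulnerabilities": [{
        "cve": {
            "id": "CVE-0000-00000",          # placeholder, not a real CVE
            "vulnStatus": "Analyzed",        # NVD status; "Rejected" = withdrawn
            "configurations": [{
                "nodes": [{
                    "operator": "OR",
                    "cpeMatch": [
                        # wildcard version in the CPE, bounds carried alongside
                        {"vulnerable": True,
                         "criteria": "cpe:2.3:a:example:media_server:*:*:*:*:*:*:*:*",
                         "versionStartIncluding": "1.10.0",
                         "versionEndExcluding": "1.12.4"},
                        # exact version pinned inside the CPE string itself
                        {"vulnerable": True,
                         "criteria": "cpe:2.3:a:example:media_server:0.9.9:*:*:*:*:*:*:*"},
                    ],
                }],
            }],
        },
    }],
}


def parse_version(v):
    """'1.12.4' -> ((1,1),(1,12),(1,4)); numeric parts sort above text parts."""
    parts = []
    for piece in re.split(r"[.\-]", v):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(parts)


def split_cpe(criteria):
    """Split a CPE 2.3 formatted string into its 13 colon-separated fields.
    (Escaped colons inside attribute values are not handled here.)"""
    fields = criteria.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 string: %r" % criteria)
    return fields


def match_in_range(version, match):
    """True if `version` satisfies one cpeMatch entry."""
    cpe_version = split_cpe(match["criteria"])[5]
    v = parse_version(version)
    if cpe_version != "*":
        # Version pinned in the CPE: exact comparison.
        return parse_version(cpe_version) == v
    # Wildcard version: the range lives in the sibling bound fields.
    lo_inc = match.get("versionStartIncluding")
    lo_exc = match.get("versionStartExcluding")
    hi_inc = match.get("versionEndIncluding")
    hi_exc = match.get("versionEndExcluding")
    if lo_inc and v < parse_version(lo_inc):
        return False
    if lo_exc and v <= parse_version(lo_exc):
        return False
    if hi_inc and v > parse_version(hi_inc):
        return False
    if hi_exc and v >= parse_version(hi_exc):
        return False
    return True


def affected(record, vendor, product, version):
    """Return ids of CVEs in an NVD API 2.0 response whose vulnerable CPE entries
    cover vendor/product at `version`. Negated entries (vulnerable: False) and
    AND-nodes with platform constraints are skipped for brevity."""
    hits = set()
    for item in record["vulnerabilities"]:
        cve = item["cve"]
        if cve.get("vulnStatus") == "Rejected":
            continue  # the only status meaning "this is not a real CVE"
        for config in cve.get("configurations", []):
            for node in config["nodes"]:
                for m in node["cpeMatch"]:
                    if not m.get("vulnerable", False):
                        continue
                    f = split_cpe(m["criteria"])
                    if (f[3], f[4]) != (vendor, product):
                        continue
                    if match_in_range(version, m):
                        hits.add(cve["id"])
    return sorted(hits)


if __name__ == "__main__":
    for ver in ("0.9.9", "1.9.9", "1.11.0", "1.12.4", "2.0.0"):
        print(ver, affected(SAMPLE_RECORD, "example", "media_server", ver))
```

The point the example makes is the one in the comment: a published CVE says nothing about your deployment until you compare the CPE version bounds against what you actually run, and "published" versus "rejected" is the only status that matters for whether the entry is real.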

[–] Mondez@lemdro.id 1 points 11 hours ago

Those are the ones that someone has managed to find in closed source software...

[–] Cocodapuf@lemmy.world 3 points 21 hours ago (1 children)

list of installed plugins.

Yeah, as you said, that's a pretty serious security issue. That's a data leak that explicitly lays out the shape of your attack surface. It tells the attacker exactly what additional software your server is running and if any of it includes known vulnerabilities, the attacker now knows how to gain access.

[–] tyler@programming.dev 1 points 14 hours ago

That only works if the plugins are somehow accessible through an API controller, which as far as I’m aware, is not how jellyfin plugins work. So no, it wouldn’t increase your attack surface at all.