"CRITICAL SECURITY ADVISORY: GHSA-9p5f-5x8v-x65m and GHSA-89hp-h43h-r5pq can be combined to allow remote code execution for any authenticated Jellyfin user including non-admin users. While the particular execution mechanism of the former dates to the 10.8.0 release, the latter was present for all Jellyfin releases before this point. It is thus absolutely critical for all Jellyfin administrators, regardless of version, to upgrade to this version if they allow any untrusted users and/or expose their instance to the Internet." Please bump to 10.8.0 ASAP.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=716469a223ccf98b568c8bc5f9c041b80b6657d6

commit 716469a223ccf98b568c8bc5f9c041b80b6657d6
Author:     Craig Andrews <candrews@gentoo.org>
AuthorDate: 2023-04-23 18:12:34 +0000
Commit:     Craig Andrews <candrews@gentoo.org>
CommitDate: 2023-04-23 18:14:32 +0000

    www-apps/jellyfin: add 10.8.10

    Bug: https://bugs.gentoo.org/904891
    Signed-off-by: Craig Andrews <candrews@gentoo.org>

 www-apps/jellyfin/Manifest                | 2 +
 www-apps/jellyfin/jellyfin-10.8.10.ebuild | 67 +++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)
New, fixed version added. Old, impacted versions have been cleaned up.
Thanks! All done.