Comment on Plex’s crackdown on free remote streaming access starts this week - Ars Technica
roofuskit@lemmy.world 12 hours ago
Jellyfin is notoriously full of security holes. It’s recommended not to expose it to the Internet. It’s also easier on Plex, at least until this bullshit, to have a random non-techie family member sign in to your Plex server from anywhere. I never liked Plex and never got into it, but I see why people used to prefer it.
I think Emby is a good middle ground for people looking to jump ship from Plex. But I switched to jellyfin from my lifetime Emby sub because the plug-in community there feels dead and Emby development felt dead in the water.
tyler@programming.dev 12 hours ago
Please do explain or link sources to what you think are “security holes”.
roofuskit@lemmy.world 12 hours ago
It has several unsecured endpoints.
github.com/jellyfin/jellyfin/issues/5415
tyler@programming.dev 11 hours ago
Aside from most of those being “potential issues”, which weren’t proven, the rest are GETs of things that do not need to be secret, things like album art and the list of installed plugins. The one exception is the plugin issue, which was an actual security issue and was fixed over a year and a half ago. github.com/jellyfin/jellyfin/pull/11436
Contrast that with Plex which has numerous high severity CVEs that include things like remote code execution, directory traversal, and more.
Cocodapuf@lemmy.world 5 hours ago
Yeah, as you said, that’s a pretty serious security issue. That’s a data leak that explicitly lays out the shape of your attack surface. It tells the attacker exactly what additional software your server is running and if any of it includes known vulnerabilities, the attacker now knows how to gain access.
MaggiWuerze@feddit.org 8 hours ago
And you think if Jellyfin were a comparable size, there wouldn’t be just as many or more?
fartsparkles@lemmy.world 6 hours ago
You’re aware those CVEs are only relevant for ancient versions of Plex and were fixed long ago?
warm@kbin.earth 11 hours ago
Isn't that the point of major version upgrades? To make breaking changes?
MaggiWuerze@feddit.org 8 hours ago
It’s also possible for a webserver to offer two versions of an API. Add a new one that needs authentication, mark the old one as deprecated and add a checkbox to disable it. Then clients can update to use the secure one, and if you use an unmaintained client you can enable the old insecure API.
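The versioning scheme sketched in the comment above, written out as an added example (not code from Jellyfin, Plex, or any commenter): a v2 endpoint that requires a bearer token, a legacy v1 endpoint that is off by default, served only when the admin opts in, and flagged as deprecated when it is. The endpoint paths, the token, and the plugin list are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample data: the kind of inventory an attacker would like to read.
PLUGINS = ["Trakt", "OpenSubtitles"]


@dataclass
class Config:
    # The "checkbox": the unauthenticated legacy API stays disabled unless
    # an admin explicitly turns it on for an unmaintained client.
    legacy_api_enabled: bool = False
    api_tokens: set[str] = field(default_factory=lambda: {"constructed-token-123"})


def handle(method: str, path: str, headers: dict, cfg: Config):
    """Tiny router returning (status, response_headers, body) for one request."""
    if method != "GET":
        return 405, {}, "method not allowed"

    if path == "/api/v2/plugins":
        # New API: every request must carry a valid bearer token.
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if token not in cfg.api_tokens:
            return 401, {"WWW-Authenticate": "Bearer"}, "unauthorized"
        return 200, {}, PLUGINS

    if path == "/api/v1/plugins":
        # Legacy API: refuse outright unless the admin opted in.
        if not cfg.legacy_api_enabled:
            return 410, {}, "legacy API disabled"
        # Still answers, but tells clients it is deprecated and where to go.
        deprecation = {
            "Deprecation": "true",
            "Link": '</api/v2/plugins>; rel="successor-version"',
        }
        return 200, deprecation, PLUGINS

    return 404, {}, "not found"
```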