cross-posted from: aussie.zone/post/19146681
Important Notes
Configurations behind a reverse proxy that did not explicitly configure trusted proxies will not work after this release. This was never a supported configuration, so please ensure you correct your configuration before upgrading. See the updated docs here for more information.
Security
- Fix validation of API parameters to FFmpeg [GHSA-2c3c-r7gp-q32m], by @Shadowghost
- Fix trusting forward headers if none are configured [GHSA-qcmf-gmhm-rfv9], by @JPVenson
Note: GHSAs will be published seven (7) days after this release.
General Changes
- Fix regression where “Search for missing metadata” not handling cast having multiple roles [PR #13720], by @Lampan-git
- Clone fallback audio tags instead of use ATL.Track.set [PR #13694], by @gnattu
- Backport 10.11 API enum changes [PR #13835], by @nielsvanvelzen
- Support more rating formats [PR #13639], by @IDisposable
- Fix stackoverflow in MediaSourceCount [PR #12907], by @JPVenson
- Upgrade LrcParser to 2025.228.1 [PR #13659], by @congerh
- Include Role and SortOrder in MergePeople to fix “Search for missing metadata” [PR #13618], by @Lampan-git
- Delete children from cache on parent delete [PR #13601], by @Bond-009
- Fix overwrite of PremierDate with a year-only value [PR #13598], by @IDisposable
- Wait for ffmpeg to exit on Windows before we try deleting the concat file [PR #13593], by @Bond-009
- Fix 4K filtering when grouping movies into collections [PR #13594], by @theguymadmax
- Remove empty ParentIndexNumber workaround [PR #13611], by @Shadowghost
- Update dependency z440.atl.core to 6.20.0 [PR #13845], by @Shadowghost
General Changes
- Fix parsing minor version of Tizen [PR #6661], by @dmitrylyzo
- Fix re-focusing on pause button when displaying OSD [PR #6510], by @dmitrylyzo
- Fix skip button not displaying correctly with OSD [PR #6583], by @rlauuzo
- Fix catalog plugin page not setting page title [PR #6570], by @nielsvanvelzen
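The second security fix above concerns forwarded headers being honoured when no trusted proxy is configured. The check involved, sketched in Python as an added example (not Jellyfin's code and not part of the release notes); the function names, the `trusted_entries` parameter and the sample addresses are assumptions constructed for illustration:

```python
import ipaddress

def parse_trusted(entries):
    """Parse configured proxy addresses or CIDR ranges into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_trusted(addr, trusted):
    """True if addr falls inside any configured trusted proxy range."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in trusted)

def resolve_client_ip(peer_addr, xff_header, trusted_entries):
    """Return the address to treat as the client.

    peer_addr: source address of the TCP connection (not settable by a header).
    xff_header: raw X-Forwarded-For value, or None.
    trusted_entries: configured trusted proxies (hypothetical setting name).
    """
    trusted = parse_trusted(trusted_entries)
    # No trusted proxies configured, or the peer is not one of them:
    # the header is client-controlled input and is ignored.
    if not trusted or not xff_header or not is_trusted(peer_addr, trusted):
        return peer_addr
    # Walk the chain right to left: each trusted proxy appended the address
    # it saw, so the first untrusted hop is the client.
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:
            # Malformed entry: fall back to the connection address.
            return peer_addr
    # Every hop was a trusted proxy (or the header held no entries).
    return hops[0] if hops else peer_addr
```

With an empty trusted list the header is never consulted, which is why a reverse-proxy setup that never declared its proxy now sees the proxy's own address as the client.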
renegadespork@lemmy.jelliefrontier.net 1 day ago
Well I’m glad I read that before upgrading!
sugar_in_your_tea@sh.itjust.works 1 day ago
It’s odd to throw that into a patch release. I guess we’ll find out if I did it correctly.
jonne@infosec.pub 19 hours ago
I mean, it’s patching a security issue caused by trusting headers it shouldn’t, so I don’t think they should wait for a big number release.
N0x0n@lemmy.ml 23 hours ago
I mean, where else should they show that warning? It’s also posted in the forum. They also edited the documentation page.
Maybe you’re more into mailing lists or the like? I’m genuinely curious about what and how you expected to get this kind of information.
486@lemmy.world 21 hours ago
Thanks for pointing this out! I probably would have missed this, since I didn’t expect such a change for a patch release.
Their documentation mentions:
Does this really mean that the only way to configure this is through the web UI? This is kind of a problem when deploying it, since without the reverse proxy I can’t reach the Jellyfin server. Is there no way of doing this outside the web UI, via a config file or something?
jagged_circle@feddit.nl 14 hours ago
Yeah the lack of info in the docs on how to configure jellyfin in the CLI is pathetic
Lem453@lemmy.ca 10 hours ago
If I have traefik and jellyfin in docker, do I add the docker IP of traefik as the trusted proxy?
slazer2au@lemmy.world 22 hours ago
Do you not normally read patch notes before patching?
kata1yst@sh.itjust.works 16 hours ago
Fuck no, ain’t nobody got time for that! My self hosted stack has 40+ services. I lock them to minor releases (where semvers are used), deploy blind with automation, and fire alerts when breakages occur, which is thankfully rarely.
What you’re suggesting works for small, very carefully curated environments. I grew past that years ago and doubly so when I had kids.