But for complete other reasons than RCEs or similar.
As an FOSS project that inherited lots of shitty code this is basically the best thing they could do.
Not sure why, but you get specific about once RCE but not about other problems and keep vague about them. Is it the lack of understanding or disingenuousness?
It has had a pretty high number of RCE exploits including one recently the architecture of the web service is just very poor and leads to a lot of basic problems.
So they had an RCE that got fixed therefore the software is bad and insecure. Therefore every OS and basically any enterprise software that was ever used is insecure.
Got it.
And Plex doesn’t require any. It’s okay to accept that one product can be more polished than the other, and Plex has a lot of stuff that “just works”
And it is ok to accept that Plex is getting worse and worse. Only reason why ppl use it these days is because they still have an old lifetime pass. As soon as they take it away or introduce a new tier of features or even removing features of it, they will swarming away from Plex.
And they will!
OC never said anything to do with your comment, you seem to be really offended by recommending an alternative to a tool that you use.
AI is the perfectly fine umbrella term for it. It was used forever in terms of ML. Just go back to the first entry in the linked Wikipedia entry and you will find that its literally the first sentence.
Just because you feel to have negative feelings about a scientific term, does not make it ok to claim it does not belong to the same or a related group.
As I said, when you know the exact path of a media item on the server then you can check if the item exists.
If you choose a none standard filepath its not an issue.
Should that be fixed yes.
Whats the scenario? A law firm could brute force check all media items on open jellyfin servers? Highly illegal to exploit something like this in a lot of jurisdiction. And would also not proof the existence of the media on the server, just a file named like it.
Mitigation? Just add another random letter in the docker-compose mount path.
Machine Learning IS AI! You got yourself confused with marketing schemes yourself.
https://en.wikipedia.org/wiki/Machine_learning
And yes it was called AI before. It was just not in everyone’s mouth.
Have you even read the issues and understood them?
Yes, those should be fixed, but unless you are worried about someone hijacking a video stream when you use a generic media path, there is not that much to worry about.
deleted by creator
Sure in the gigantic wall of text. Also it doesn’t tell you why, or what to do about it. All they’d have to do is say “run dist-upgrade to update these packages.”
It is literally in the summary that gets presented in the last few lines before you have to press Y to continue.
Since you are already overwhelmed by the wall of text, you would probably not read the suggestion antways.
Nothing of what you said is on topic. I never said linux is for everyone and so on…
First, its about server administration. Second, I am neither saying that this behavior is good or bad.
I am saying that the behavior is clearly stated in the output. Or what else does “packages were held back” mean.
Blaming ignorance in reading the output prompt on the tools is really childish.
But it is clearly stated in the output that it holds back packages.
When a kernel update requires a change in dependencies, something Proxmox kernels do frequently, apt just quietly “keeps back” the package. It doesn’t fail, it doesn’t break the system, and it doesn’t trigger a rollback. It just waits for me to notice.
This should save a click for hopefully everyone.
Yes obviously, if you do not update the packages then they do not get updated.
If you do not read the output of a command then you will not notuce that.
7.0-rc7 is probably due to the 7.0 release early mid april. So the fix was in the mainline on 1st of April. The commit on 11th from GKH was probably due to the release.
I am not that familiar with the commit and release structure to get more into detail. But to me it clearly looks like the statement on copy.fail is correct, that the fix was in mainline on 1st of April.
From my point of view, I would suggest that maybe the communication downstream to the distros was not handled that well? But who would be to blaim? The researches that would need to communicate this issue to most existing distros? Linux maintainers? Distro maintainers?
Hard to say, without knowing the communication of the related mailinglists and disclousre etc.
Honestly, thats a really bad take. Yes obviously, you should not let attackers access the terminal, but there are linux servers that rely on multiuser operations, like Servers that are meant for terminal access, like HPC.
Then services get hosted via container these days, so even with rootless containers you get root access if you only get RCE on one service. And even if there are additional VMs for more isolation between host, you still get root on the whole VM.
Looking at the CVE on NIST,i found following commit which dates to 30.03
The patches where proposed over a month ago and the patch to the kernel was commited on 1th of April.
Either the Vulnerability was not proper communicated to the distro maintainers or they were the ones sleeping.
This was probably executed as a responsible discllsure where clear timelines and release dates get communicated from the beginning.
I find it hard to blame the security team here when there was 1 month of time between first commited patch and release of the PoC.
I heard the wisdom once that you should self host everything except for email. I’m sure there are great tools to make it manageable but the effort/gain is just very high.
I find it irretating that you speak on the matter with hearsay without having even tried it with modern tools or project.
With projects like Mailcow its a simple setup. Rspamd handles spam better than many professional industry spam filters i have encountered.
Yes there are some pitfalls someone should be aware of and some know how required, but as of right know, it very easy with very little maintenance.
No one ever said that the new model would not be usefull. But Anthropic hyped it up to a 0-Day machine, who finds 0-Days in every project with easy and in places they could not have been found by humans.
I have q xyz Domain as my main Domain. And there are basically no issues here. But in 1 or 2 places i noticed that the domain gets blocked, a couple of free/open wifis or a couple of DNS servers. But nothing major imho.
It absolutely makes sense, otherwise they would have had to throw everything away.
The EFcore refacotring was like 6 years in the making.
And all that from just a few single ppl. Look at the ckntributer list, and how many contribution. Not many active devs are working on jellyfin on their free time. The problems that jellyfin has, is not from a lack of trying but a from a lack of finger and arms.
And you need to take it like it is.