Plex notified some of its users on Thursday to urgently update their media servers due to a recently patched security vulnerability.

The company has yet to assign a CVE-ID to track the flaw and didn’t provide additional details regarding the patch, only saying that it impacts Plex Media Server versions 1.41.7.x to 1.42.0.x.
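With no CVE-ID to search for, the stated version range is the only thing to triage against. The following is an added example, not code from Plex or from the article: it flags servers whose version falls in the 1.41.7.x to 1.42.0.x range. The `MediaContainer` XML shape, host names and build strings are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Affected range as stated in the article: 1.41.7.x through 1.42.0.x (inclusive).
AFFECTED_MIN = (1, 41, 7)
AFFECTED_MAX = (1, 42, 0)

# major.minor.patch, optional build number, optional "-hash" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(?:-[0-9A-Za-z]+)?$")

def parse_version(raw):
    """Return (major, minor, patch); the build number and hash are ignored."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(raw):
    """True when the version lies inside the range given in the article."""
    return AFFECTED_MIN <= parse_version(raw) <= AFFECTED_MAX

def version_from_identity(xml_text):
    """Pull the version attribute out of an identity document (assumed shape)."""
    root = ET.fromstring(xml_text)
    version = root.get("version")
    if root.tag != "MediaContainer" or not version:
        raise ValueError("no MediaContainer version attribute")
    return version

def triage(inventory):
    """Map each host to 'affected', 'not in range' or 'unknown'."""
    report = {}
    for host, xml_text in inventory.items():
        try:
            hit = is_affected(version_from_identity(xml_text))
            report[host] = "affected" if hit else "not in range"
        except (ValueError, ET.ParseError):
            report[host] = "unknown"  # unparseable: check this host by hand
    return report

# Constructed sample data: host names, identifiers and build strings are made up.
SAMPLE = {
    "media-01": '<MediaContainer machineIdentifier="EX1" version="1.41.8.1111-aaaaaaaaa"/>',
    "media-02": '<MediaContainer machineIdentifier="EX2" version="1.41.6.2222-bbbbbbbbb"/>',
    "media-03": '<MediaContainer machineIdentifier="EX3" version="1.42.1.3333-ccccccccc"/>',
    "media-04": '<MediaContainer machineIdentifier="EX4" version="beta"/>',
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

A host reported as "unknown" has to be checked by hand rather than assumed safe.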

    • pHr34kY@lemmy.world (14 upvotes, 6 days ago)

      I did this a few months back.

      Some things aren’t as great, but you get full control and your server idles way better on JellyFin.

      • rumba@lemmy.zip (11 upvotes, 6 days ago)

        Yeah, as long as you have a decently supported client the entire platform is very serviceable. I do wish they would get rid of the unprotected endpoints and officially support 2FA on the server and clients.

        For all their anti-consumer practices Plex does at least take their security very seriously.

          • fmstrat@lemmy.nowsci.com (9 upvotes, edited, 5 days ago)

          I posted a while back, tested the biggest open endpoints and they were properly secured, the issues just weren’t updated.

          Note: Plex didn’t have SSL, and refused to implement it, until ~6 weeks after I created a POC token exploit. Here’s the GitHub repo I posted as a patch before they got their system in order: https://github.com/Fmstrat/plex-ssl. In other words, don’t give them too much credit.

            • rumba@lemmy.zip (1 upvote, 5 days ago)

            I’ll go look at it again as well, their (jf) source control still had a lot of ancient open tickets last time I looked at it.

            TLS for Plex was a really nice gesture. Company handling the issuing of the cert was pretty nice.

            Realistically, I don’t mind running a proxy for SSL unwrapping, there are enough projects out there that handle the unwrapping and renew their own keys from Let’s Encrypt.

            I just want to self-host this thing maybe run it through a single proxy product send the URL out to my extended family and forget about it. I wanted to be as secure as reasonably possible enough that I feel comfortable surfacing it.

            Right now I surface Plex for the distant relations and tailscale jellyfin for my own, but it kills me I want Plex gone. But there are random TVs and kids on tablets, and honestly I don’t want to be everyone’s VPN endpoint or worry about onboarding everyone’s new device.

              • fmstrat@lemmy.nowsci.com (2 upvotes, 5 days ago)

              Yea the catch was we were asking for TLS for a long time, and this was pre-Let’s Encrypt, so those patching on their own didn’t have a free (minus work) way to handle it. It took a releasable POC to get action.

              All our devices just have a permanent Wireguard client since it uses basically no battery, and then allow rules for households. If you don’t want to run the client, and don’t want to take the time to learn, you don’t get access. But I totally get how that’s not for everyone.

                • rumba@lemmy.zip (1 upvote, 5 days ago)

                Yeah, my problem is televisions.

                If it was just tablets, phones and desktops I could do SSL client certificates.

                For my personal use I’m using tailscale and it’s wonderful.

    • bread@sh.itjust.works (1 upvote, 3 days ago)

      I’m still using Plex because Jellyfin refuses to play surround sound on my Nvidia Shield. I do have a Jellyfin server running alongside Plex, with synchronized progress, for the inevitable point where I will have to jump ship.

    • Stillwater@sh.itjust.works (51 upvotes, 2 downvotes, 6 days ago)

      I still use Plex because I have a lifetime pass from many years ago and Jellyfin isn’t yet as feature-rich and accessible on all of my family’s devices.

      I expect to someday migrate fully to Jellyfin once Plex is enshittified to the point of being a worse experience, but that hasn’t happened yet (with the Plex pass anyway)

      • beerclue@lemmy.world (3 upvotes, 6 days ago)

        I’ve never used Plex. What are some of the features that you’re missing in Jellyfin? Genuinely curious.

        • Stillwater@sh.itjust.works (12 upvotes, 1 downvote, 6 days ago)

          Honestly the primary reason is some specific device support, eg. my TV has a built in Plex app but not a Jellyfin app, so switching also probably involves new hardware. I also couldn’t get Jellyfin to work with another TV using Chromecast, but I’m getting rid of that anyway.

          Otherwise, maybe you can update me on these since it’s been a few since I last tried Jellyfin, some of the things that come to mind are:

          • Smart collections & playlists
          • Skip intros and credits
          • Overall slick UI

          • beerclue@lemmy.world (3 upvotes, edited, 3 days ago)

            Client availability is valid. I use an android tv, that’s been easy for me. There are mobile clients for every phone and tablet.

            • I don’t know what smart collections are, but I do get automatic collections for franchises (like all “28 x later”) via a plugin. I don’t have playlists, but I guess I never felt the need for one… What would you use them for, binge watching franchises?
            • skip intro and credits is a thing, built in since a few versions (used to be a plugin)
            • the UI is subjective, and I don’t know any other one… I personally like how it looks, I customized quite a bit, easy to do via CSS.

          • keepee@lemmy.world (1 upvote, 6 days ago)

            Skip intros and credits is available on Jellyfin.

            I think the Plex UI is still better than Jellyfin, but I’ve gotten used to it.

            Never used the smart collections when I was on plex, so can’t speak to that.

        • azron@lemmy.ml (2 upvotes, 6 days ago)

          Plex4kodi there is a jellyfin like one but it is not even close.

    • RipLemmDotEE@lemmy.today (26 upvotes, 3 downvotes, 6 days ago)

      People who bought the lifetime Plex pass, and have a huge group of friends and family already connected to their servers.

            • charles@lemmy.ca (1 upvote, 4 days ago)

              You do realize that Jellyseerr is a fork of Overseerr which was created for Plex. So this is in no way a unique feature or even an advantage of Jellyfin over Plex…

              • ladfrombrad 🇬🇧@lemdro.id (2 upvotes, edited, 5 days ago)

                https://docs.jellyseerr.dev/getting-started

                tldr: searches metadata websites for movies and TV shows, and then adds things to Jellyfin.

                You can even then tell your *arrrr stack

                https://trash-guides.info/

                to report things that succeed/fail to external services like Telegram.

                https://files.catbox.moe/6758vv.jpg

                What I do find weird is actually searching the Plex server I have access to for media

                https://files.catbox.moe/rugpx0.jpg

                Like, I could? But what I like doing is abusing another family member’s fibre connection to request things for both of us, that then appears in their Jellyfin magically.

                • Victor@lemmy.world (3 upvotes, 5 days ago)

                  Neat.

                  I have no issues with downloading stuff as I usually just download boxsets once a season has finished. All that is manual for me and I have no issues with that side of things. I think Jellyseerr honestly wouldn’t really help my issues with Jellyfin. Jellyfin has:

                  • Poor design (by comparison)
                  • Poor/inconsistent UI navigation in certain cases
                  • Seemingly no deduplication/combining duplicates
                  • Maybe something else I’m missing from Plex

                  But since Plex is so bad on my TV, Jellyfin is still better sometimes. 😅

      • katy ✨@piefed.blahaj.zone (5 upvotes, 2 downvotes, 6 days ago)

        if it’s just family and friends you care about, it was pretty easy for me to set up a jellyfin server at home and point a really small virtualhost on a server mapped to a domain name with a reverse proxy to my home ip and then just opening up the jellyfin port on my router. this was literally just for my mum and dad and brother so ymmv.

        • ohshit604@sh.itjust.works (3 upvotes, 6 days ago)

          This really isn’t viable as WireGuard clients are just that, single device per client connection, what if someone started watching/listening content on their phone then all of a sudden wanted to switch over to their TV or streaming device without having to go through a lot of hoops?

          I opted to reverse proxy Jellyfin with Traefik, however I have fail2ban set up blocking every IP and only whitelisting the known users, with the added bonus of hiding Jellyfin’s default login form and requiring Keycloak for SSO.

    • iegod@lemmy.zip (3 upvotes, 3 downvotes, 5 days ago)

      What’s the app/smart device adoption like for jellyfin these days? Plex usage for clients is really smooth. Plex comes preloaded on so many smart devices and the app ecosystem is dead simple. I can’t imagine having to walk my family and friends through setting up jellyfin.

    • themachine@lemmy.world (8 upvotes, 15 downvotes, 6 days ago)

      From what I’ve gathered in other posts regarding Plex and jellyfin, the ones that never learned how to port forward or any other alternative solution for getting external traffic to their internal server. All the complaints I’ve read here regarding jellyfin boiled down to them relying on the Plex relay to handle the traffic for them.