this post was submitted on 25 Mar 2026

Jellyfin: The Free Software Media System

Current stable release: 10.11.11


Strange that there was no comms whatsover from the team about this

top 6 comments
[–] renegadespork@lemmy.jelliefrontier.net 0 points 3 months ago (3 children)

Everyone might want to freeze your Jellyfin versions until this gets sorted. As far as we know, nothing has been hijacked, but it's safer to sit on your local copies for now.

[–] Link@rentadrunk.org 0 points 3 months ago* (last edited 3 months ago)

Hasn’t it already been patched? https://github.com/jellyfin/jellyfin-ios/security/advisories/GHSA-7qhm-2m45-7fmh

Patches

CI workflows have been modified in all affected repositories, and secrets have been rotated.

Furthermore, OP's post seems to link to the patch: https://github.com/jellyfin/jellyfin-ios/commit/109217e75f38394b2f6e46e25dfe5a721203d3c8

[–] slacktoid@lemmy.ml 0 points 3 months ago

This doesn't affect the code or Jellyfin. It's a problem with how GitHub does CI that needs to be fixed.

[–] noodle@aus.social 0 points 3 months ago

@renegadespork @le_throosh

"Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions."

[–] slacktoid@lemmy.ml 0 points 3 months ago* (last edited 3 months ago)

Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions.

From the article

However, maybe it's time to go back to building from source.

[–] le_throosh@lemmy.dbzer0.com 0 points 3 months ago

To clarify: This is about a possible supply chain attack. The possibility of it. Not about unsafe code in the app or anywhere else. It means that an attacker could have gained access to the iOS repo and possibly any other repo. It is fixed now.

I imagine that hostile commits would have been caught by now, as would compromised releases. But the main issue for me is that we are pretty much left in the dark about this. Maybe the team checked everything well and came to the conclusion that this was nothing to worry about and was caught before it could do any harm. Which is the most probable scenario I think. Still leaves a bit of a sour taste.
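The thread and the advisory say only that the weakness was in the GitHub Actions workflows, that the workflows were changed and that secrets were rotated; neither states which workflow pattern was involved. The following is an added example, not Jellyfin's code or its real workflows: a small linter for the workflow weaknesses that most often let an outside contributor's input or unpinned third-party code run with repository secrets (a `pull_request_target` job that checks out the PR head, event fields expanded straight into a `run:` script, actions pinned to a mutable tag rather than a commit SHA, and a missing top-level `permissions:` block). Both sample workflows, the action names and the commit SHA in the hardened one are constructed for this example; the linter is line-based and does not need a YAML parser.

```python
import re

# Constructed sample (not from any Jellyfin repository) showing the weak
# patterns together: fork code checked out under pull_request_target, an
# untrusted PR title expanded into the shell script, an action pinned to a
# mutable tag, no least-privilege permissions block.
RISKY_WORKFLOW = """\
name: pr-build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Building ${{ github.event.pull_request.title }}"
          ./build.sh
        env:
          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
"""

# Hardened equivalent: plain pull_request trigger (forks get no secrets),
# read-only token, action pinned to a commit SHA (placeholder value), and the
# untrusted field passed via an environment variable rather than being
# spliced into the script text.
HARDENED_WORKFLOW = """\
name: pr-build
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: |
          echo "Building $PR_TITLE"
          ./build.sh
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
# Event fields that an outside contributor controls.
UNTRUSTED_RE = re.compile(
    r"\$\{\{\s*github\.event\.(pull_request\.(title|body|head\.ref)"
    r"|issue\.(title|body)|comment\.body|head_commit\.message)"
)


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def lint_workflow(text):
    """Return a list of findings (strings) for one workflow file's text."""
    findings = []
    lines = text.splitlines()
    pr_target = any(l.strip().startswith("pull_request_target") for l in lines)
    if not any(l.startswith("permissions:") for l in lines):
        findings.append("no top-level 'permissions:' block; GITHUB_TOKEN keeps the repository default scope")

    run_col = None  # column of the 'run:' key while inside a multi-line script block
    for n, line in enumerate(lines, 1):
        if run_col is not None:
            if line.strip() and _indent(line) > run_col:
                if UNTRUSTED_RE.search(line):
                    findings.append(f"line {n}: untrusted event field expanded inside a run: script (injection risk)")
                continue
            run_col = None  # dedent ends the script block
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(2)):
            findings.append(f"line {n}: action {m.group(1)} pinned to mutable ref '{m.group(2)}', not a commit SHA")
            continue
        if pr_target and "ref:" in line and PR_HEAD_RE.search(line):
            findings.append(f"line {n}: pull_request_target checks out the PR head, so fork code runs with repository secrets")
            continue
        m = RUN_RE.match(line)
        if m:
            if UNTRUSTED_RE.search(m.group(1)):
                findings.append(f"line {n}: untrusted event field expanded inside a run: script (injection risk)")
            if m.group(1).strip() in ("|", ">", "|-", ">-"):
                run_col = line.index("run:")
    return findings


if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {lint_workflow(wf) or ['no findings']}")
```

Run against the two samples, the risky workflow yields four findings and the hardened one none. The checks are deliberately narrow (a single file, the most common injection-prone event fields, top-level `permissions:` only); a real review of a repository's `.github/workflows/` directory would also cover reusable workflows, composite actions and job-level permissions.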