New Jellyfin Server/Web release: 10.11.10
(forum.jellyfin.org)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 24 May 2026
107 points (98.2% liked)
Jellyfin: The Free Software Media System
8982 readers
1 users here now
Current stable release: 10.11.10
Matrix (General Information & Help)
Matrix (Off-Topic) - Come get to know the team and blow off steam!
Matrix Space - List of all the available rooms on Matrix.
Discord - Bridged to our Matrix rooms
founded 5 years ago
MODERATORS
Should I worry that this is essentially a security update for vulnerabilities that are (intentionally?) not explained?
Why should you? They got fixed?
Often security vulnabilities do not go public the moment the got discovered. There are often wirhheld to only the researcher and the team or only a few ppl of the team the vulnabilitie related to.
This is to give system admins time to update and patch their systems before more details and the research gets released.
Responsible disclosure is one of those procedures.
I would update. In a few months those will be published I’m sure.
It’s disappointing that we’ve come to this because when you deal with pcidss or some other regulation frameworks you need to patch or eliminate vulnerabilities and when patching is not feasible you can generally make tweaks to eliminate the attack. I like to apply the same level of hardening to all of my servers and services anyway.. but without details published I have no idea what the vector is or if the vulnerability even applies in my environment - it’s not uncommon for one to require very specific configuration to either be vulnerable or protected.
Easy enough to smash update in this case but still.
I mean the patches themself are there and visible. The only thing that is not there is the explenation on what the vulnabilitie is/was.