I’ve heard Jellyfin has a lot of security issues, which I don’t know if that’s accurate or not. But the BIGGEST issue is lack of a proper tvOS app. I really don’t feel like using Infuse or some other app just to use my library. Year after year I hear about people switching and yet, the gap is simply still there.
I am also not up to date on Jellyfin security issues but the biggest one I care about is that its clients don’t support OIDC. There’s a neat plugin for OIDC, but without client support it only works with the web client and I’m not a fan of leaving login pages open to the internet.
If you use the OIDC connection and apps that support Quick Connect you can do it. You basically end up doing things like the Plex link process that got implemented when they forced everyone into their authentication service. I almost went that route but opted to leave the password auth from LDAP in. It’s the kind of login process most people are used to and I’ve got a few elderly users. I disabled password reset in authentik though and everyone gets a 3 word 24 char minimum password.
To be fair there is a tvOS app in development but progress is slow because the whole project is maintained by a small handful of volunteers. They’ve put out a call for help and the maintainers post updates here
https://github.com/jellyfin/Swiftfin is available for tvOS. Works great for me with one bug. Since I have HomePods connected to one of my Apple TVs as its speakers, I had to change the setting to use the native video player instead of VLC to avoid an audio delay bug. That cost me the auto play next episode function. I thought not auto playing the next episode would annoy me, but it’s turned out to not be an issue at all. But Infuse doesn’t include that bug if you want both HomePod TV speakers and auto play next episode with Jellyfin. As for security, since Jellyfin is more modifiable it has a lot more room for misconfiguration for sure. Plex had plenty of its own security issues, we just only heard about them when some security blogger discovered it.
I just validated that the latest version of the LDAP privilege escalation issue is not an issue anymore. The curl script is in the ticket.
This was the one where a standard user could get plugin credentials, such as the LDAP bind user, and change the LDAP endpoint. I.e., bad.
I chose this one because after going through all of them, it was the only one that allowed access to something that wasn’t just data in Jellyfin.
So for me, security is less of an issue knowing that, as only family use the service, and the remaining issues all require a logged-in user (hit admin endpoint with user token).
Plus, I tried a few of those and they were also fixed, just not documented yet. I didn’t add to those tickets because I was not as formal with my testing.
Yeah, Samsung TVs don’t have a native Jellyfin app either. You can sideload it, but good luck walking your “you touched my computer six months ago and now it’s broken. This is your fault” grandmother through that over the phone.
Use an LDAP to OIDC bridge?