CHBMB 10 Posted Tuesday at 05:40 PM (edited) With the public announcement of pixelsmash (see CVE report here), could we get some clarity regarding where we stand with Emby and this vulnerability please? It appears Jellyfin have already fixed it and were notified about the vulnerability before it was made public, and Plex isn't vulnerable due to their customisation of ffmpeg. I couldn't find any information regarding where Emby sits with regard to this and would appreciate some clarity. Thanks Edited Tuesday at 05:43 PM by CHBMB Improve title
Pejamas 64 Posted Tuesday at 08:26 PM Came here straight after seeing the Jellyfin post on Reddit expecting to see an update.
CHBMB 10 Author Posted Tuesday at 08:30 PM I've sent a PM to the Emby devs as well, but, whilst it's been read by one of them, no reply as of yet.
CHBMB 10 Author Posted Tuesday at 10:06 PM Reading here it doesn't sound like Emby got a heads up, and it doesn't sound like a remote code execution can happen on Emby either, like it could on Jellyfin, but an Emby server could be crashed. Less than ideal, but far less worrying than an RCE. They also tested v4.8.11 rather than the current release.
cowdoy 0 Posted yesterday at 04:28 AM Yeah I would love to see some sort of communication from the team about this. Doesn't make me feel great about running this on my system.
Luke 42619 Posted yesterday at 05:25 AM Hi, we are currently reviewing this. Thanks.
xe` 47 Posted yesterday at 09:40 AM It would be helpful if we could get as early a notice as possible if we need to shut down Emby in the short term. Please don't wait until you have completed every in-depth review, development, compilation and blog post step before giving that heads up. Let people make early decisions on their own even working with imperfect information.
me@jackbenda.com 12 Posted yesterday at 03:00 PM Just bumping this with some concern. Cheers team Emby!
RanmaCanada 545 Posted 1 hour ago It appears Emby is affected as per all the documentation, but it's "just" a DoS attack, and possible code execution if you have weak memory protections. Jellyfin was full-on remotely exploitable. If you use any of the messaging and social media apps listed, you are at far greater risk as you have no control over those. Hopefully we get an update. Frustrating they told Jellyfin devs and no one else before releasing it.