Plex has notified some of its users on Thursday to urgently update their media servers due to a recently patched security vulnerability.
The company has yet to assign a CVE-ID to track the flaw and didn’t provide additional details regarding the patch, only saying that it impacts Plex Media Server versions 1.41.7.x to 1.42.0.x.
I’ll go look at it again as well, their (jf) source control still had a lot of ancient open tickets last time I looked at it.
TLS for Plex was a really nice guesture. Company handling the issuing of the cert was pretty nice.
Realistically, I don’t mind running a proxy for SSL unwrapping, there are enough projects out there that handle the unwrapping and renew their own keys from lets encrypt.
I just want to self-host this thing maybe run it through a single proxy product send the URL out to my extended family and forget about it. I wanted to be as secure as reasonably possible enough that I feel comfortable surfacing it.
Right now I surface Plex for the distant relations and tailscale jellyfin for my own, but it kills me I want Plex gone. But there are random TVs and kids on tablets, and honestly I don’t want to be everyone’s VPN endpoint or worry about onboarding everyone’s new device.
Yea the catch was we were asking for TLS for a long time, and this was pre- Let’s Encrypt, so those patching on their own didn’t have a free (minus work) way to handle it. It took a releasable POC to get action.
All out devices just have a permanent Wireguard client since it uses basically no battery, and then a allow rules for households. If you don’t want to run the client, and don’t want to take the time to learn, you don’t get access. But I totally get how that’s not for everyone.
Yeah, my problem is televisions.
If it was just tablets phones and desktops I could do SSL client certificates.
For my personal use I’m using tailscale and it’s wonderful.
Ahhh. I put the wireguard client on the router, so it’s more of a site to site setup for TVs.