Consider the 10.y.z simply to be 0.y.z and everything works out.
Jellyfin inherited a lot of shitty code and architecture from emby. They simply cannot guarantee anything across patches until it is sorted out.
imho much better then releasing major version after major version because the break stuff regularly.
Also for internal use. The original emby source used not within the code base standardized database access.
Basically changes to the database were not possible since finding references across the code base which part uses which values was impossible.
Note however that the 10.Y.Z release chain represents the “cleanup” of the codebase, so it should be accepted that 10.Y.Z breaks all compatibility,
Its right there at the link you posted.
Tailscale offers way more then just wireguard. ACLs, NAT traversal etc. etc.
While some use cases can be replaced with traditional wireguard, others not.
Really surprised about this. I am using syncthing now for many years on various devices and never encountered issues with it. And also, file sync is not a backup solution.
cve-2021-3156 heap overflow in sudo. roughly 10 years long in sudo. Allowed privilege escalation. It was huge.
Still the same but afaik they now somewhat support running zfs
There are many ways to harden against it, but “just disable root auth” is not really it, since it in itself does not add much.
No you can alias that command and hijack the password promt via bashrc and then you have the root password as soon as the user enters it.
With aliases in the bashrc you can hijack any command and execute instead of the command any arbitrary commands. So the command can be extracted, as already stated above, this is not a weakness of sudo but a general one.
And how would you not be able to hijack the password when you have control over the user session?
And what do you suggest to use otherwise to maintain a server? I am not aware of a solution that would help here? As an attacker you could easily alias any command or even start a modified shell that logs ever keystroke and simulates the default bash/zsh or whatever.
The scenario OC stated is that if the attacker has access to the user on the server then the attacker would still need the sudo password in order to get root privileges, contrary to direct root login where the attack has direct access to root privileges.
So, now i am looking into this scenario where the attack is on the server with the user privileges: the attacker now modifies for example the bashrc to alias sudo to extract the password once the user runs sudo.
So the sudo password does not have any meaningful protection, other then maybe adding a time variable which is when the user accesses the server and runs sudo
The attacker that is currently with user privileges on the server?
Most comments here suggest 3 things
An actual person from the pen testing world: https://youtu.be/fKuqYQdqRIs
The sudo password can be easily extracted by modifying the bashrc.
Nope, not really. The only reason ppl recommend it is, because “you have then to guess the username too”. Which is just not relevant if you use strong authentication method like keys or only strong passwords.
deleted by creator
Do you want to prevent brute forcing or do you want to prevent the attack getting in?
If you want to prevent brute forcing then software like fail2ban helps a little, but this is only a IP based block, so with IPv6 this is not really helpfull against a real attack, since rotating IP addresses is trivial. But still can slow down the attacker. Also limiting the amount of sessions and auth tries does significantly slow down the attacker.
If you just want to not worry about it set strong passwords, and when it is a multi user system where other ppl might access it, configure Public Key Auth so you can be sure the other users have strong passwords (or keys in this case) to authenticate.
With strong passwords or keys it is basically impossible to brute force your way in with ssh.
If you read through the whole paragraph, it is clear that they mean the compatibility of previous jellyfin versions.
Also, again:
That means that the code is not cleaned up with that release.
If you would release 11 before the code is considered cleaned up, you would basically break your own defined versioning convention. That is best decided by the active maintainers.