There are two CVE-less exploits, which are nevertheless published as critical vulnerabilities, mentioned in the release notes for the latest version of Jellyfin: https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10
Yeah, I saw those as well. I'll have an update ready tomorrow.
^Triage: reporter is committer, assign accordingly.

This will also need entries in security/vuxml.
(In reply to Fernando Apesteguía from comment #2) I'm not a ports committer.
Created attachment 241736: 0001-multimedia-jellyfin-Update-to-10.8.10.patch

poudriere ok
Runs in production on my setup (13.2-RELEASE amd64)
Added vuxml entry as well (first time I did this, hope I did it correctly)
It seems there are a couple of CVEs registered now. I'll modify the vuxml entry accordingly.

CVE-2023-30626
CVE-2023-30627

Thanks!
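For readers who have not written one before, this is what a security/vuxml entry for the two CVEs named above looks like, in the shape that security/vuxml/vuln/2023.xml expects. It is an added illustration, not the entry that was committed in this PR: the vid UUID and the discovery date are placeholders, the affected range follows the 10.8.10 update discussed here, and the two description lines are taken from the vuxml commit summary in this thread as a stand-in for the upstream advisory text.

```xml
<!-- Added example, not the committed entry. Goes inside the <vuxml> root of
     security/vuxml/vuln/2023.xml, newest entries first. -->
<vuln vid="00000000-0000-0000-0000-000000000000">
  <!-- vid is a placeholder: generate a fresh UUID for a real entry -->
  <topic>jellyfin -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>jellyfin</name>
      <!-- every version before the fixed release is affected -->
      <range><lt>10.8.10</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Jellyfin project reports:</p>
      <blockquote cite="https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10">
        <!-- summary lines from the vuxml commit in this PR; a real entry
             quotes the upstream advisory text -->
        <p>CVE-2023-30626: directory traversal vulnerability.</p>
        <p>CVE-2023-30627: XSS vulnerability.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2023-30626</cvename>
    <cvename>CVE-2023-30627</cvename>
    <url>https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10</url>
  </references>
  <dates>
    <!-- discovery is a placeholder: use the upstream advisory date -->
    <discovery>YYYY-MM-DD</discovery>
    <!-- entry is the date the vuxml entry is added; 2023-04-25 is the commit date in this PR -->
    <entry>2023-04-25</entry>
  </dates>
</vuln>
```

Before committing, run `make validate` in security/vuxml so the entry is checked against the schema (a mismatched tag or a missing date fails the build). Once the entry is in the tree, `pkg audit -F` on a host with an older jellyfin package installed will report it as vulnerable, which is the check that the `<range>` was written correctly.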
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c679dca3048800dd1e60f7a81ddcd6b15d20822b

commit c679dca3048800dd1e60f7a81ddcd6b15d20822b
Author:     Michiel van Baak Jansen <michiel@vanbaak.eu>
AuthorDate: 2023-04-25 11:42:59 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-04-25 13:19:53 +0000

    multimedia/jellyfin: update to 10.8.10

    ChangeLog: https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10

    jellyfin:
    * Throw exception on path traversal in WriteDocumentAsync
    * Fix the canvas size for DVBSUB and DVDSUB subtitles
    * Fix the brightness of VPP tonemap and add the tonemap mode
    * Fix nvenc preset order
    * Fix Live TV hardware decoding
    * Fix stream map when using filter_complex with unlabeled output
    * Fix codec checking in CodecProfiles conditions
    * Multiple HLS codec and bitrate fixes (10.8.z)
    * Fix H.264 baseline hwaccel and enable enhanced Nvdec by default
    * Some VAAPI VPP and OpenCL fixes
    * Fix EqualsAny condition check for int and double

    jellyfin-web
    * Escape device id in raw HTML
    * Add the tonemap mode options
    * Fix dead documentation link
    * Fix installed plugin version html
    * Drop progressive transcoding in web client
    * Fix subtitle offset reset when seeking progressive stream
    * Babelify @jellyfin/libass-wasm
    * Fix navigation for some types of INPUT
    * Backport PR #4150 to 10.8.z branch
    * Backport PR #4147 to 10.8.z branch

    PR:           271041
    Reported by:  debdrup@freebsd.org
    MFH:          2023Q2 (security fixes)
    Security:     CVE-2023-30626 CVE-2023-30627

 multimedia/jellyfin/Makefile  |  3 +--
 multimedia/jellyfin/distinfo  |  6 +++---
 multimedia/jellyfin/pkg-plist | 20 ++++++++++----------
 3 files changed, 14 insertions(+), 15 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f06a561fd29c851169fa8aad89494429c6efb9ba

commit f06a561fd29c851169fa8aad89494429c6efb9ba
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2023-04-25 12:20:24 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-04-25 13:20:40 +0000

    security/vuxml: jellyfin multiple vulnerabilities

    CVE-2023-30626 - directory traversal vulnerability
    CVE-2023-30627 - XSS vulnerability

    PR:           271041
    Reported by:  debdrup@

 security/vuxml/vuln/2023.xml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
A commit in branch 2023Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1db2ba82e255607b33159f904fc198fbb71ca79d

commit 1db2ba82e255607b33159f904fc198fbb71ca79d
Author:     Michiel van Baak Jansen <michiel@vanbaak.eu>
AuthorDate: 2023-04-25 11:42:59 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2023-04-25 13:23:08 +0000

    multimedia/jellyfin: update to 10.8.10

    ChangeLog: https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10

    jellyfin:
    * Throw exception on path traversal in WriteDocumentAsync
    * Fix the canvas size for DVBSUB and DVDSUB subtitles
    * Fix the brightness of VPP tonemap and add the tonemap mode
    * Fix nvenc preset order
    * Fix Live TV hardware decoding
    * Fix stream map when using filter_complex with unlabeled output
    * Fix codec checking in CodecProfiles conditions
    * Multiple HLS codec and bitrate fixes (10.8.z)
    * Fix H.264 baseline hwaccel and enable enhanced Nvdec by default
    * Some VAAPI VPP and OpenCL fixes
    * Fix EqualsAny condition check for int and double

    jellyfin-web
    * Escape device id in raw HTML
    * Add the tonemap mode options
    * Fix dead documentation link
    * Fix installed plugin version html
    * Drop progressive transcoding in web client
    * Fix subtitle offset reset when seeking progressive stream
    * Babelify @jellyfin/libass-wasm
    * Fix navigation for some types of INPUT
    * Backport PR #4150 to 10.8.z branch
    * Backport PR #4147 to 10.8.z branch

    PR:           271041
    Reported by:  debdrup@freebsd.org
    MFH:          2023Q2 (security fixes)
    Security:     CVE-2023-30626 CVE-2023-30627

    (cherry picked from commit c679dca3048800dd1e60f7a81ddcd6b15d20822b)

 multimedia/jellyfin/Makefile  |  2 +-
 multimedia/jellyfin/distinfo  |  6 +++---
 multimedia/jellyfin/pkg-plist | 20 ++++++++++----------
 3 files changed, 14 insertions(+), 14 deletions(-)
Committed and merged to 2023Q2, Thanks!
Thank you very much for providing the info, etc., that I did not provide with the patch. Will be more precise the next time. Sorry.