cross-posted from: https://aussie.zone/post/19146681

Jellyfin Server 10.10.7

Important Notes

Configurations behind a reverse proxy that did not explicitly configure trusted proxies will not work after this release. This was never a supported configuration, so please ensure you correct your configuration before upgrading. See the updated docs here for more information.

Security

  • Fix validation of API parameters to FFmpeg [GHSA-2c3c-r7gp-q32m], by @Shadowghost
  • Fix trusting forward headers if none are configured [GHSA-qcmf-gmhm-rfv9], by @JPVenson

Note: GHSAs will be published seven (7) days after this release.

General Changes

  • Fix regression where “Search for missing metadata” not handling cast having multiple roles [PR #13720], by @Lampan-git
  • Clone fallback audio tags instead of use ATL.Track.set [PR #13694], by @gnattu
  • Backport 10.11 API enum changes [PR #13835], by @nielsvanvelzen
  • Support more rating formats [PR #13639], by @IDisposable
  • Fix stackoverflow in MediaSourceCount [PR #12907], by @JPVenson
  • Upgrade LrcParser to 2025.228.1 [PR #13659], by @congerh
  • Include Role and SortOrder in MergePeople to fix “Search for missing metadata” [PR #13618], by @Lampan-git
  • Delete children from cache on parent delete [PR #13601], by @Bond-009
  • Fix overwrite of PremierDate with a year-only value [PR #13598], by @IDisposable
  • Wait for ffmpeg to exit on Windows before we try deleting the concat file [PR #13593], by @Bond-009
  • Fix 4K filtering when grouping movies into collections [PR #13594], by @theguymadmax
  • Remove empty ParentIndexNumber workaround [PR #13611], by @Shadowghost
  • Update dependency z440.atl.core to 6.20.0 [PR #13845], by @Shadowghost

Jellyfin Web 10.10.7

General Changes

  • Fix parsing minor version of Tizen [PR #6661], by @dmitrylyzo
  • Fix re-focusing on pause button when displaying OSD [PR #6510], by @dmitrylyzo
  • Fix skip button not displaying correctly with OSD [PR #6583], by @rlauuzo
  • Fix catalog plugin page not setting page title [PR #6570], by @nielsvanvelzen
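The header-trust problem named in the Security notes above, as an added example (not Jellyfin's code and not part of the release notes): the forwarded header is honoured only when the connecting peer is in an explicitly configured trusted-proxy list. The function names, the plain header dictionary and all addresses are constructed for illustration.

```python
import ipaddress

def _is_trusted(addr, networks):
    """True if addr parses as an IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in networks)

def client_ip_naive(peer, headers):
    """Bug class: believes the header no matter who sent the request."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer

def client_ip(peer, headers, trusted_proxies):
    """Honour X-Forwarded-For only when the peer is a configured proxy."""
    networks = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    # Nothing configured, or the peer is not one of our proxies: ignore the header.
    if not _is_trusted(peer, networks):
        return peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    # Entries are appended left to right, so walk from the right and stop at
    # the first hop that is not one of our own proxies.
    for hop in reversed(hops):
        if _is_trusted(hop, networks):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed entry: fall back to the socket peer
        return hop
    return hops[0] if hops else peer

if __name__ == "__main__":
    # Constructed request: a direct client (documentation address) claiming to be localhost.
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print(client_ip_naive("203.0.113.7", spoofed))            # 127.0.0.1
    print(client_ip("203.0.113.7", spoofed, []))              # 203.0.113.7
    # Constructed request relayed by a configured proxy at 10.0.0.2.
    relayed = {"X-Forwarded-For": "127.0.0.1, 203.0.113.7"}
    print(client_ip("10.0.0.2", relayed, ["10.0.0.0/24"]))    # 203.0.113.7
```

With an empty trusted-proxy list the header is never consulted, which is why a reverse-proxy deployment has to list its proxy explicitly to see real client addresses.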
  • jonne@infosec.pub
    7 months ago

    I mean, it’s patching a security issue caused by trusting headers it shouldn’t, so I don’t think they should wait for a big number release.

    • sugar_in_your_tea@sh.itjust.works
      7 months ago

      Why wait? Just release it as a big number release. The version number doesn’t define the size or cadence of a release, it just says whether there’s a breaking change.

      • mac@lemm.ee
        7 months ago

        At least in my org we use semantic versioning (Major.Minor.patch) where patch must either be a new feature, a fix, or something that is backwards compatible

        Minor can be breaking

        Major is basically something you’re proud of lol

            • Yog-Sothoth@sh.itjust.works
              7 months ago

              everyone does their own thing, but semantic versioning is specifically:

              • Major: Incompatible changes (breaks existing code).
              • Minor: New, compatible features.
              • Patch: Bug fixes, small improvements.
              • mac@lemm.ee
                7 months ago

                Lol, our OLTP repo does semver 99 -> Dev/stg semver 100 -> prod

                No clue why they don’t adopt better branch names