Plex Users Urged To Update Media Server After Security Flaw Exposed

BrianFagioli shares a report from NERDS.xyz: If you run Plex Media Server, it's time to drop everything and update. The company has quietly patched a security issue that affects recent versions of its software, and users are being told to upgrade as soon as possible. According to an email Plex sent to affected customers, versions 1.41.7.x through 1.42.0.x are vulnerable. The newly released build, 1.42.1.10060 or later, contains the fix. Plex says the flaw was found through its bug bounty program, but sadly, it has not publicly shared details about how severe the issue is or whether it could be exploited remotely.

Think I'll stay where I am, thanks.

[SeaFox]

There have been multiple bugs that have cropped up in the 1.41.7.x betas through 1.41.9, and I'm not positive they have all been fixed now. I think I'll continue with 1.41.6.9685 for now, since that would pre-date the venerable versions.

Re: Think I'll stay where I am, thanks.

[BytePusher]

I've noticed across many apps that obvious bugs are making it to production. I think we're witnessing the impact of "AI" coding. Catastrophic software bugs at AI scale! Yay!

Re:

[buck-yar]

Is it that or is it that update-addicted developers now use the general public as beta testers? Look at the version number, it looks like a kernel release nomenclature. Where they release patches to fix their previous patch bugs. Unsure of untested code? Push it out anyway, it can be fixed with yet another update.

Re: Think I'll stay where I am, thanks.

[BytePusher]

Well tested small updates are a good thing. You can quickly roll them back if an unexpected issue arises with little consequence. The key being, well tested, and having a contingency plan.

Re:

[PDXNerd]

How is this any different than in the past, prior to AI? There's always been 'obvious bugs that make it to production', which is why there is always an increasing emphasis on testing and Q/A as the code base grows.

In fact I would posit that LESS obvious bugs are making it to production with AI, but we're trading them for unnecessary complexity and other crap code issues.

Re: Think I'll stay where I am, thanks.

[BytePusher]

That doesn't align with my experience. LLMs don't understand code, they infer it. The best effort at computational bug checking so far is Rust's analyzer. A model written by deep human thought.

Re:

[tlhIngan]

I've noticed across many apps that obvious bugs are making it to production. I think we're witnessing the impact of "AI" coding. Catastrophic software bugs at AI scale! Yay!

I think its a symptom of the Elon Musk development model of "Move quickly and break things". The market simply has no patience - you didn't update your app today? Outdated! You didn't update in a week? Obsolete! If you're not pushing 10 updates daily what are your developers doing?

So basically everyone is forced to update frequently and

quietly patched?

[Vomitgod]

How was it quietly patched, when everyone running an outdated server, received an email?
That is the opposite of quiet.

Re:

[Vomitgod]

https://gifyu.com/image/bNRbh [gifyu.com]

Re:

[SeaFox]

I think the point is they patched it and released a fixed version prior to the venerability becoming public knowledge, instead of users discovering the issue being exploited and then having to wait for a solution from the vendor.

Re:

[plate_o_shrimp]

Not everyone. I get emails from Plex but never got an email about this

Patched

[spacegraysurfer]

Patched, life moves on, next?

Re:

[MachineShedFred]

Exactly.

And if you are running the linuxserver.io container, all you have to do is stop / start the container and it updates itself.

Gee that took me all of 30 seconds. Oh no!

No, thanks

[RUs1729]

I ditched Plex for Jellyfin and couldn't be happier. The Plex Pass is not worth anything to me, and when the Plex executive^H^H^H^H^Hmorons decided that I would have to pay for streaming outside my LAN they crossed the final red line and pushed me to look for alternatives.

Re:

[CRC'99]

Good for you - but make sure you don't have ports forwarded to Jellyfin. There are well known exploits for user enumeration, unauthenticated playback etc etc that have been open for years.

Only use Jellyfin from remote via a VPN.

Re:

[wwphx]

I was looking into Plex, and the more I learned the more I started looking into and liking Jellyfin. Now I just need to commit to some form of SAN and start ripping.

Have stayed on earlier version

[gabrieltss]

I have stayed on version 1.40.x on my NAS for a while now. When I upgraded Plex to 1.41.x it no longer saw all my imported media and wouldn't play them. I was not about to go back and re-do everything I had and re-create all my media in Plex.Thanks but I'll stay were I'm at.

I still don't like that Plex forces you to login to THEIR system before you can access YOUR local server. Total crock of crap!

Anyone know a work around for this that -works-?

Re:

[the_skywise]

https://www.howtogeek.com/3032... [howtogeek.com]

I used this so I could keep playing my content during an extended internet outage