Previously, all configuration and state data was accessible to all
users on the system running jellyfin. This included user passwords in
the Jellyfin database, as well as credentials for LDAP if configured.
The exact set of accessible data depends on system configuration.
Thanks to Sofie Finnes Øvrelid for reporting this issue.
Fixes: CVE-2022-32198
Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de>
Handling of the string length condition in should_update
was broken, as evident with the log message
> leaving systemd-boot 246 in place (250.4 is not newer)
Discussion with @mweinelt came to the conclusion
that Python's "<" operator already does what we need,
so the should_update function can be dropped.
Fixes a30de3b849
Raw logs are stored in a versioned binary format and must be update with
atopconvert(1) upon atop version updates.
Failure to do so results in atop.service startup failure as I found out
the hard way after the "atop: 2.6.0 -> 2.7.1"[0] bump:
```
May 31 01:49:25 <hostname> sh[2269709]: existing file /var/log/atop/atop_20220531 has incompatible header
May 31 01:49:25 <hostname> sh[2269709]: (created by version 2.6 - current version 2.7)
May 31 01:49:25 <hostname> systemd[1]: atop.service: Main process exited, code=exited, status=7/NOTRUNNING
```
Convert logs in `ExecStartPre` and replace them iff updated.
This is to avoid changing original modification times upon every service
start and thus work against atop's log rotation (see existing
`ExecStartPre`).
0: https://github.com/NixOS/nixpkgs/pull/175180#issuecomment-1141546487
systemd-247 provides a mechanism called LoadCredential for secrets and
it is better than environment file. See the section of Environment=
in the manual of systemd.exec for more information.
Some options in config.yaml need values to be strings, which currently
can be used with environmentFile but not loadCredential. But it's
possible to use loadCredential for those options, e.g. we can
substitute their values in ExecStart, but not in ExecStartPre due to
[1].
[1]: https://github.com/systemd/systemd/issues/19604
Prior to this patch:
$ nix-instantiate --eval -E '
> with import ./. {
> localSystem.config = "aarch64-unknown-linux-musl";
> };
> (nixos {}).config.nixpkgs.localSystem.config
> '
"aarch64-unknown-linux-gnu"
Because only the system triple was being passed through, the Musl part
of the system specification was lost. This patch fixes various
occurrences of NixOS evaluation when a Nixpkgs evaluation is already
available, to pass through the full elaborated system attribute set,
to avoid this loss of precision.