le_throoshCVE: Possible Organization/Secret Compromise from dangerous CI implementation
renegadesporkEveryone might want to freeze your Jellyfin versions until this gets sorted. As far as we know, nothing has been hijacked, but safer sit on your local copies for now.
noodle@renegadespork @le_throosh
"Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions."
Edit: This is just for context to save others looking up the CVE. 'wait and see' makes sense, particularly when a major update is potentially in the near future.
I know. My comment stands. Though apparently it was already patched.