C0: review jellyfin, upgrade indri to 10.11.11 (security fixes)

Jellyfin was 5 patch releases behind (10.11.6 -> 10.11.11). 10.11.7 and 10.11.10 contain disclosed CVE/GHSA security fixes. Upgraded via brew upgrade --cask jellyfin on indri; service verified healthy and externally reachable (HTTPS 200). Documented the recurring Gatekeeper gotcha: cask upgrades re-quarantine the .app and the launchd service hangs silently until the first-launch dialog is approved on indri's GUI console (xattr removal over SSH is blocked by macOS TCC). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-08 06:35:23 -07:00 · 2026-06-08 06:35:23 -07:00 · 8072cd21d7
commit 8072cd21d7
parent bc34b601be
3 changed files with 29 additions and 4 deletions
--- a/docs/changelog.d/+jellyfin-10-11-11.bugfix.md
+++ b/docs/changelog.d/+jellyfin-10-11-11.bugfix.md
@ -0,0 +1 @@
+Upgraded Jellyfin on indri from 10.11.6 to 10.11.11, picking up the security fixes in 10.11.7 (disclosed CVEs/GHSAs, flagged "upgrade immediately") and 10.11.10 (three further GHSAs). Noted the recurring gotcha in the service-versions tracking: after a `brew upgrade --cask jellyfin`, the re-quarantined `.app` makes the launchd-spawned process hang silently until the Gatekeeper first-launch dialog is approved on indri's GUI console — removing the quarantine xattr over SSH is blocked by macOS TCC.
--- a/docs/reference/services/jellyfin.md
+++ b/docs/reference/services/jellyfin.md
@ -1,7 +1,7 @@
 ---
 title: Jellyfin
-modified: 2026-02-07
-last-reviewed: 2026-03-23
+modified: 2026-06-08
+last-reviewed: 2026-06-08
 tags:
  - service
  - media
@ -41,6 +41,24 @@ Dashboard > Playback:
 2. Allow hardware encoding: Enabled
 3. VPP Tone mapping: Enabled

+## Upgrades
+
+Installed via Homebrew cask (`state: present`, unpinned), so the Ansible role
+won't bump an already-installed cask. To upgrade, run on indri:
+
+```bash
+brew upgrade --cask jellyfin
+```
+
+**Gatekeeper gotcha:** a cask upgrade replaces `/Applications/Jellyfin.app` and
+re-applies the `com.apple.quarantine` xattr. When launchd respawns the service,
+the new binary hangs silently — process alive but ~0 CPU, no logs, no listening
+socket — because Gatekeeper is holding the first launch pending approval.
+Removing the xattr over SSH fails (`xattr -dr com.apple.quarantine ...` →
+"Operation not permitted", blocked by macOS TCC). Approve the first-launch
+dialog on indri's GUI console (or run the `xattr` removal from a local Terminal
+with Full Disk Access), then reload the LaunchAgent.
+
 ## Observability

 - Metrics: `jellyfin_metrics` ansible role
--- a/service-versions.yaml
+++ b/service-versions.yaml
@ -440,9 +440,15 @@ services:

  - name: jellyfin
    type: ansible
-    last-reviewed: 2026-03-17
-    current-version: "10.11.6"
+    last-reviewed: 2026-06-08
+    current-version: "10.11.11"
    upstream-source: https://github.com/jellyfin/jellyfin/releases
+    notes: >-
+      Homebrew cask (state: present, unpinned). Upgrade with
+      `brew upgrade --cask jellyfin` on indri. After upgrade the .app is
+      re-quarantined; launchd-spawned launch hangs silently until the
+      Gatekeeper first-launch dialog is approved on indri's GUI console
+      (xattr removal over SSH is blocked by TCC).

  - name: automounter
    type: ansible
				`@ -0,0 +1 @@`
				Upgraded Jellyfin on indri from 10.11.6 to 10.11.11, picking up the security fixes in 10.11.7 (disclosed CVEs/GHSAs, flagged "upgrade immediately") and 10.11.10 (three further GHSAs). Noted the recurring gotcha in the service-versions tracking: after a `brew upgrade --cask jellyfin`, the re-quarantined `.app` makes the launchd-spawned process hang silently until the Gatekeeper first-launch dialog is approved on indri's GUI console — removing the quarantine xattr over SSH is blocked by macOS TCC.