Patch for log4j?

Posted: Sun Dec 19, 2021 6:22 pm
by merauder
I've seen some mention of the log4j exploit in other threads; however, does anyone have a patch for Subsonic for it? Will the admin/dev issue a patch?

A lot of us, including myself, are paying for the subscription, but there doesn't seem to be much traction on resolving this issue. I've tried pretty much everything else out there; nothing really compares to Subsonic when it comes to organizing your music.

I think this will officially become abandonware once the next cycle of subscription renewals comes about. You'd think that would be enough to motivate the devs to issue a patch?

Re: Patch for log4j?

Posted: Sun Dec 19, 2021 7:39 pm
by J_T_W
Subsonic is basically abandonware; it isn't open-source and there is no development by the owner. You might consider moving off to a newer implementation. Both suggestions below run on multiple platforms; I'm a Windows guy, so some of my supplemental info isn't as useful to non-Windows users.

If you're looking for a very lateral move, consider Airsonic Advanced https://github.com/airsonic-advanced/airsonic-advanced - it is in active development with frequent snapshot updates https://github.com/airsonic-advanced/airsonic-advanced/releases. Same feature set as Subsonic (API, Sonos, etc.) with updated code. As it is open source, you also get all the features Subsonic Premium gives you, but for free. Minimal effort for installation (latest Java installed, then a command line shortcut to the war file; upgrades are even easier, with just a quick war file change).

If you're really more API focused, and looking just for a music streaming service, you might consider moving off the Subsonic family of servers altogether. Check out Navidrome https://www.navidrome.org/. That product is primarily there to supply the API with a completely new back-end, and refocuses on support for audio only (no video, podcasts, internet radio, etc.). There is not yet built-in support for Sonos, but you can find easy linking with something like Bonob https://github.com/simojenki/bonob. As with Airsonic Advanced, there is no subscription or fee to access the API. Navidrome does have a simplified web UI if desired.

Both products support running as a service with something like NSSM https://nssm.cc/, and IIS works great as a reverse proxy if you wish to run them over SSL.

Re: Patch for log4j?

Posted: Sun Dec 19, 2021 10:44 pm
by merauder
I'll give Airsonic Advanced a try, thanks.

Re: Patch for log4j?

Posted: Mon Dec 20, 2021 1:01 pm
by bushman4
Subsonic is not affected by the Log4j 2 "Log4Shell" vulnerability. It uses Log4j 1, not Log4j 2.

Glenn
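The claim above (Log4j 1, not Log4j 2) is the kind of thing an operator can verify rather than take on trust: open the deployed WAR and look at what the bundled jars actually contain. The script below is an added example written for this thread, not code from the forum, from Subsonic or from any of the projects mentioned. It classifies each jar under WEB-INF/lib by well-known Log4j class entries (the marker class names are real Log4j package paths; JndiLookup is the class Apache's own mitigation note told operators to delete from log4j-core), and it builds two constructed sample WARs in memory so it runs offline. The version strings 1.2.17 and 2.14.1 in the samples are made-up sample values, not a statement about what any Subsonic release ships.

```python
"""Inventory the Log4j jars bundled inside a Java WAR file.

Constructed, self-contained example: it builds two small sample WARs in
memory (no real Subsonic or Airsonic artifacts are used) and classifies
each bundled jar by the classes it actually contains, not by file name.
"""
import io
import re
import sys
import zipfile
from dataclasses import dataclass
from typing import List, Union

# Marker classes taken from the real package layouts of the two Log4j lines.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_API_MARKER = "org/apache/logging/log4j/Logger.class"
LOG4J2_CORE_MARKER = "org/apache/logging/log4j/core/LoggerContext.class"
# The lookup class whose removal was Apache's documented stop-gap for Log4Shell.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

JAR_VERSION_RE = re.compile(r"(log4j(?:-core|-api)?)-(\d+(?:\.\d+)+)\.jar$")


@dataclass
class Finding:
    jar: str                  # path inside the WAR
    family: str               # "log4j1", "log4j2-api", "log4j2-core" or "unknown"
    version: str              # parsed from the file name, "unknown" if absent
    jndi_lookup_present: bool


def classify_jar(path: str, jar_bytes: bytes) -> Finding:
    """Decide which Log4j line a jar belongs to from its class entries."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            names = set(jar.namelist())
    except zipfile.BadZipFile:
        names = set()  # not a readable jar: reported as unknown
    if LOG4J2_CORE_MARKER in names or JNDI_LOOKUP in names:
        family = "log4j2-core"
    elif LOG4J2_API_MARKER in names:
        family = "log4j2-api"
    elif LOG4J1_MARKER in names:
        family = "log4j1"
    else:
        family = "unknown"
    match = JAR_VERSION_RE.search(path.rsplit("/", 1)[-1])
    version = match.group(2) if match else "unknown"
    return Finding(path, family, version, JNDI_LOOKUP in names)


def scan_war(source: Union[bytes, str]) -> List[Finding]:
    """Return a Finding for every jar under WEB-INF/lib that contains Log4j."""
    handle = io.BytesIO(source) if isinstance(source, bytes) else source
    findings = []
    with zipfile.ZipFile(handle) as war:
        for info in war.infolist():
            name = info.filename
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            finding = classify_jar(name, war.read(info))
            if finding.family != "unknown":
                findings.append(finding)
    return findings


def verdict(findings: List[Finding]) -> str:
    """Collapse the findings into one operator-facing status."""
    if any(f.jndi_lookup_present for f in findings):
        return "log4j2-core-with-jndilookup"    # upgrade, or remove the class
    if any(f.family == "log4j2-core" for f in findings):
        return "log4j2-core-jndilookup-removed"
    if any(f.family == "log4j1" for f in findings):
        return "log4j1-only"                    # not reachable by Log4Shell
    return "no-log4j"


# --- constructed sample WARs (stand-ins, not real distributions) -----------
def _jar(entries: List[str]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for entry in entries:
            z.writestr(entry, b"")  # empty class files are enough for a name check
    return buf.getvalue()


def build_sample_war(lib_jars: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        for name, data in lib_jars.items():
            z.writestr("WEB-INF/lib/" + name, data)
    return buf.getvalue()


SAMPLE_LOG4J1_WAR = build_sample_war({"log4j-1.2.17.jar": _jar([LOG4J1_MARKER])})
SAMPLE_LOG4J2_WAR = build_sample_war({
    "log4j-api-2.14.1.jar": _jar([LOG4J2_API_MARKER]),
    "log4j-core-2.14.1.jar": _jar([LOG4J2_CORE_MARKER, JNDI_LOOKUP]),
})

if __name__ == "__main__":
    # Pass a real WAR path as argv[1]; with no argument the Log4j 1 sample is used.
    target = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_LOG4J1_WAR
    found = scan_war(target)
    for f in found:
        print(f"{f.jar}: {f.family} {f.version} jndi_lookup={f.jndi_lookup_present}")
    print("verdict:", verdict(found))
```

Classifying by class entries rather than by jar file name matters because repackaged or shaded jars (and jars with a vendor prefix in the name) would otherwise be missed; the file name is used only to pull out a version string for the report.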

Re: Patch for log4j?

Posted: Sat Dec 25, 2021 9:43 pm
by RemkoM
I'm absolutely no expert in this, but isn't Log4j 1 deprecated because of other vulnerabilities back in 2015? This recent Log4Shell situation does make me look differently at Subsonic and how responsible it is to run abandoned internet-facing applications.