v2.4.3
v2.4.3
Supply-chain + fuzz-testing release. No behavior changes — passkey, TOTP, OIDC, lockout, sessions, audit log all unchanged. In-place upgrade.
Build provenance (SLSA)
Release artifacts now ship with a signed in-toto provenance attestation generated by GitHub's first-party actions/attest-build-provenance action. The attestation cryptographically links each Jellyfin.Plugin.TwoFactorAuthv2.4.3.0.zip to:
- the exact commit SHA it was built from,
- the GitHub Actions workflow run that built it,
- the runner image and time.
Downstream consumers can verify origin without trusting the maintainer's signature alone:
gh attestation verify --owner ZL154 Jellyfin.Plugin.TwoFactorAuthv2.4.3.0.zip
This is the SLSA build-provenance layer on top of the Sigstore zip signing we've shipped since v2.3.1, and brings the OpenSSF Scorecard Signed-Releases check to full credit.
Fuzz testing (ClusterFuzzLite + SharpFuzz)
New tests/Jellyfin.Plugin.TwoFactorAuth.Fuzz/ project drives libFuzzer against BypassEvaluator.PickRealClientIp — the parser that walks X-Forwarded-For headers right-to-left through a trusted-proxy chain. This is the highest-value parser surface in the plugin (attacker-controlled HTTP header + non-trivial logic: IPv6 bracket stripping, :port suffix removal, comma-split, CIDR matching).
Runs in CI on every PR that touches src/, tests/Jellyfin.Plugin.TwoFactorAuth.Fuzz/, or .clusterfuzzlite/ via .github/workflows/cflite_pr.yml (google/clusterfuzzlite/actions/build_fuzzers + run_fuzzers, 5-minute fuzz budget per PR, AddressSanitizer). Crashes surface as SARIF in the Security tab.
Run locally:
dotnet build -c Release
sharpfuzz Jellyfin.Plugin.TwoFactorAuth.dll BypassEvaluator
What downstream users see
- A new
*.intoto.jsonlattestation file on the GitHub Release page alongside*.zip,*.md5,*.sha256,*.sig,*.pem. - Nothing else — the plugin DLL and runtime behavior are identical to v2.4.2.
Upgrade
In-place upgrade. No config or behavior changes.
Package checksums
- MD5: see
Jellyfin.Plugin.TwoFactorAuthv2.4.3.0.md5 - SHA256: see
Jellyfin.Plugin.TwoFactorAuthv2.4.3.0.sha256
Sigstore-signed + SLSA-attested. Verify with cosign verify-blob or gh attestation verify.