Skip to content

v2.4.3

Choose a tag to compare

@github-actions github-actions released this 21 May 01:55

v2.4.3

Supply-chain + fuzz-testing release. No behavior changes — passkey, TOTP, OIDC, lockout, sessions, audit log all unchanged. In-place upgrade.

Build provenance (SLSA)

Release artifacts now ship with a signed in-toto provenance attestation generated by GitHub's first-party actions/attest-build-provenance action. The attestation cryptographically links each Jellyfin.Plugin.TwoFactorAuthv2.4.3.0.zip to:

  • the exact commit SHA it was built from,
  • the GitHub Actions workflow run that built it,
  • the runner image and time.

Downstream consumers can verify origin without trusting the maintainer's signature alone:

gh attestation verify --owner ZL154 Jellyfin.Plugin.TwoFactorAuthv2.4.3.0.zip

This is the SLSA build-provenance layer on top of the Sigstore zip signing we've shipped since v2.3.1, and brings the OpenSSF Scorecard Signed-Releases check to full credit.

Fuzz testing (ClusterFuzzLite + SharpFuzz)

New tests/Jellyfin.Plugin.TwoFactorAuth.Fuzz/ project drives libFuzzer against BypassEvaluator.PickRealClientIp — the parser that walks X-Forwarded-For headers right-to-left through a trusted-proxy chain. This is the highest-value parser surface in the plugin (attacker-controlled HTTP header + non-trivial logic: IPv6 bracket stripping, :port suffix removal, comma-split, CIDR matching).

Runs in CI on every PR that touches src/, tests/Jellyfin.Plugin.TwoFactorAuth.Fuzz/, or .clusterfuzzlite/ via .github/workflows/cflite_pr.yml (google/clusterfuzzlite/actions/build_fuzzers + run_fuzzers, 5-minute fuzz budget per PR, AddressSanitizer). Crashes surface as SARIF in the Security tab.

Run locally:

dotnet build -c Release
sharpfuzz Jellyfin.Plugin.TwoFactorAuth.dll BypassEvaluator

What downstream users see

  • A new *.intoto.jsonl attestation file on the GitHub Release page alongside *.zip, *.md5, *.sha256, *.sig, *.pem.
  • Nothing else — the plugin DLL and runtime behavior are identical to v2.4.2.

Upgrade

In-place upgrade. No config or behavior changes.

Package checksums

  • MD5: see Jellyfin.Plugin.TwoFactorAuthv2.4.3.0.md5
  • SHA256: see Jellyfin.Plugin.TwoFactorAuthv2.4.3.0.sha256

Sigstore-signed + SLSA-attested. Verify with cosign verify-blob or gh attestation verify.