Fixes and improvements
General
- fix authentication failure reason not being displayed (#5007)
- fix reading JWT when it is passed through the password field (#5009) Usernames and passwords must be requested explicitly to clients, but they were not requested when JWT is meant to be passed as password. This fixes the issue.
- stop accepting JWTs from query parameters unless allowed in conf (#5010) This is the first step into removing support for JWTs in query parameters, which is a security flaw.
- docs: explain how to decrease JWT length in Keycloak (#5012) this prevents errors when passing JWT with FFmpeg and GStreamer.
- log authentication errors of API, metrics, pprof (#4641) (#5015)
- allow changing record parameters without disconnecting readers (#4663) (#5018)
API
- fix crash in rtspsessions/list and /rtspsessions/get (#5030) (#5031) sometimes sessions have an empty associated path, and this caused a crash.
RTSP
- log authentication failure reason (#4641) (#5017)
- sdp: fix compatibility with a Uniview camera (#5008) (bluenviron/gortsplib#903)
Dependencies
- code.cloudfoundry.org/bytefmt updated from v0.51.0 to v0.52.0
- github.com/MicahParks/jwkset updated from v0.10.0 to v0.11.0
- github.com/MicahParks/keyfunc/v3 updated from v3.6.1 to v3.6.2
- github.com/bluenviron/gortsplib/v5 updated from v5.0.0 to v5.0.1
- github.com/gin-gonic/gin updated from v1.10.1 to v1.11.0
- github.com/bytedance/sonic updated from v1.13.2 to v1.14.0
- github.com/bytedance/sonic/loader updated from v0.2.4 to v0.3.0
- github.com/cloudwego/base64x updated from v0.1.5 to v0.1.6
- github.com/gin-contrib/sse updated from v1.0.0 to v1.1.0
- github.com/go-playground/validator/v10 updated from v10.26.0 to v10.27.0
- github.com/klauspost/cpuid/v2 updated from v2.2.10 to v2.3.0
- github.com/pelletier/go-toml/v2 updated from v2.2.3 to v2.2.4
- github.com/ugorji/go/codec updated from v1.2.12 to v1.3.0
- golang.org/x/arch updated from v0.16.0 to v0.20.0
- google.golang.org/protobuf updated from v1.36.6 to v1.36.9
- github.com/goccy/go-yaml v1.18.0 added
- github.com/quic-go/qpack v0.5.1 added
- github.com/quic-go/quic-go v0.54.0 added
- go.uber.org/mock v0.5.0 added
- golang.org/x/mod v0.28.0 added
- golang.org/x/sync v0.17.0 added
- golang.org/x/tools v0.37.0 added
- hls.js updated from v1.6.12 to v1.6.13
Security
Binaries are compiled from source through the Release workflow without human intervention, preventing any external interference.
You can verify that binaries have been produced by the workflow by using GitHub Attestations:
ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx
You can verify the binaries checksum by downloading checksums.sha256 and running:
cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check