Matthias Mair

@matmair
30 Followers
89 Following
422 Posts
Open Source, DevOps and civil engineering.
GH: https://github.com/matmair
Backup: https://codeberg.org/matmair
Website: https://mjmair.com

If you want to test out software that recommends to not expose it to the internet:
- do not expose it to the internet without need
- put some rate limiting in front
- disable self-registration
- do not forget to update for 4 years

Unrelated: I just rescanned my known list of public, unsecured instances of a software that is dear to my heart
Unrelated: losing my mind over here

Attention all sysadmins / selfhosters of #inventree instances:
We will publish a critical security vulnerability and patched version on 2026-04-08 21:00 UTC

Read https://inventree.org/blog/2026/03/25/security-release for more details - there are several recommended steps to keep your instance safe in the meantime.

Please prepare to update as soon as we release. #inventreedb #opensource

Action required - Upcoming Security Release

The InvenTree core development team has received a report of a critical security vulnerability affecting a large range of releases since 2024. We will release a disclosure and a fixed release for the 1.2.x release series on 2026-04-08 21:00 UTC. The vulnerability allows for lateral movement and privilege escalation within an InvenTree instance. It has a low attack complexity.


InvenTree 1.2.6 contains fixes for new security advisories

Updating to 1.2.6 is strongly advised. See GHSA-rhc5-7c3r-c769 and GHSA-m8j2-vfmq-p6qg for details.
Every admin should be aware of the assumed trust in our threat model. If you followed it you are not vulnerable; see https://docs.inventree.org/en/latest/concepts/threat_model/

Many thanks to patelhettt (x2) and alonaki for their research and responsible disclosure.

#inventree #inventreedb #opensourcesecurity


"Unfortunately I have to cancel the appointment, since the topic lies outside my defined area of responsibility."

Unfortunately, that was the only person who actually took care of things and gave competent answers.

Welcome to the agile corporation.

As someone who’s been maintaining FOSS projects of various levels of popularity for more than a decade, I need y’all to understand one thing: LLMs didn’t change the median PR quality. (1/6)

That quote is nothing less than grounds for resignation. Quite apart from the abstraction (more risk experiments without safeguards, less data protection), which is insane enough on its own (from the State Secretary for Digitalisation!).

Where are we headed when a government politician personally declares a citizen and civil rights activist like Max Schrems dispensable?

Source: https://www.diepresse.com/20662631?giftcode=5fe619472b55cac4290e30a2561b20869ee5bf1d

One of my nice friends at Hurricane Electric gave me a dead 100G-LR4 optic to tear apart for your entertainment, so for the sake of your entertainment, let's dig into it! 🧵

Deprecate confusing APIs like “os.path.commonprefix()”. After fixing a vulnerability in #pip, I started digging into the confusing API and found more than I expected.

👉 https://sethmlarson.dev/deprecate-confusing-apis-like-os-path-commonprefix

#python #oss #opensource #security

Deprecate confusing APIs like “os.path.commonprefix()”

The os.path.commonprefix() function has been an API in the Python standard library for at least 35 years (since February 1991) and in that time has been confusing users and creating security issues...

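To illustrate the confusion the linked post is about, here is an added example (not code from the post, from pip, or from the Python standard library) contrasting a containment check built on `os.path.commonprefix()` with one built on `os.path.commonpath()`. All paths are constructed samples; `posixpath` is used directly so the results are the same on every platform.

```python
import posixpath

# posixpath is what os.path resolves to on Linux/macOS; using it directly
# keeps the results below identical on every platform.


def inside_by_commonprefix(base: str, candidate: str) -> bool:
    """Naive 'is candidate inside base?' check built on commonprefix().

    commonprefix() compares characters, not path components, so a sibling
    directory whose name merely starts with the base name passes the check.
    """
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(candidate)
    return posixpath.commonprefix([base, candidate]) == base


def inside_by_commonpath(base: str, candidate: str) -> bool:
    """Same check built on commonpath(), which compares whole components."""
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(candidate)
    try:
        return posixpath.commonpath([base, candidate]) == base
    except ValueError:  # raised when absolute and relative paths are mixed
        return False


def compare(base: str, candidate: str) -> tuple:
    """Return (commonprefix verdict, commonpath verdict) for one candidate."""
    return inside_by_commonprefix(base, candidate), inside_by_commonpath(base, candidate)


def raw_prefixes(a: str, b: str) -> tuple:
    """Return what the two functions consider the 'common' part of a and b."""
    return posixpath.commonprefix([a, b]), posixpath.commonpath([a, b])


if __name__ == "__main__":
    BASE = "/srv/app/data"  # constructed sample base directory
    # Constructed candidates: a legitimate child, a look-alike sibling
    # directory, and a traversal back out of the base directory.
    for cand in ("/srv/app/data/report.csv",
                 "/srv/app/data_private/secret.txt",
                 "/srv/app/data/../config.ini"):
        print(cand, compare(BASE, cand))
    # Character-level vs component-level behaviour, side by side:
    print(raw_prefixes("/usr/lib", "/usr/local"))  # ('/usr/l', '/usr')
```

The second candidate is the instructive one: `commonprefix()` accepts the look-alike sibling directory, while `commonpath()` correctly rejects it.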

GitHub: here are immutable releases. Let's make things safer![1]
GH: here we documented recommended usage [2]; use drafts
Also GH: No we don't provide a way in our CI product to trigger for published drafts; yes we will ignore feedback on this [3]

This also landed unfinished in GHES, the pretty expensive enterprise offering.

#github #supplychain #opensourcesecurity

links:
1: https://github.blog/changelog/2025-10-28-immutable-releases-are-now-generally-available/
2: https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases#best-practices-for-publishing-immutable-releases
3: https://github.com/orgs/community/discussions/7118

Immutable releases are now generally available - GitHub Changelog

GitHub releases now support immutability, adding a new layer of supply chain security. With immutable releases, assets and tags are protected from tampering after publication, so the software you publish—and…


A buddy of mine is closing down his workshop and has a lot of stuff that needs to find new hands by March at the latest, or else it goes in the dumpster.

Plasma cutter, welder, sliding table saw approx. 180×180, electrical/electronics odds and ends, miscellaneous stuff.

He would prefer to hand everything over in one go, so rather not picking out individual items. Hackspaces, open workshops maybe?

Location is near #Hennef (Sieg), out in the country; price negotiable but cheap.

Photos:
https://cloud.scy.name/s/H92FcYWeqFgXemE

Contact via me, send me a DM. Boosts welcome.