Monthly Archives: August 2024

Application Development, Potential Risk of CVE

RHSA-2024-4982 -Security Advisory- OpenShift API for Data Protection (OADP) – Security Fix – golang: net/netip – CVE-2024-24790 (2nd Aug 2024)

Leave a comment

Preface: The IPv4-mapped IPv6 address format allows the IPv4 address of an IPv4 node to be represented as an IPv6 address. The IPv4 address is encoded into the low-order 32 bits of the IPv6 address, and the high-order 96 bits hold the fixed prefix 0:0:0:0:0:FFFF.

Background: OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

Package netip defines an IP address type that’s a small value type. Building on that Addr type, the package also defines AddrPort (an IP address and a port) and Prefix (an IP address and a bit length prefix).

Compared to the net.IP type, Addr type takes less memory, is immutable, and is comparable (supports == and being a map key).

Vulnerability details: OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

Security Fixes from Bugzilla: golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses (CVE-2024-24790)

Official announcement: Please refer to the website for details – https://access.redhat.com/errata/RHSA-2024:4982

Potential Risk of CVE

CVE-2024-40782 – Nullptr crash due to `display:ruby block` and continuations. (1st Aug 2024)

Leave a comment

Preface: Apple doesn’t allow third party developers to use any other browser engine other than the WebKit which is the engine developed by Apple.

Background: The browser parses HTML into DOM and css into CSSOM and combines them to create a render tree. Once each node from the DOM has its style assigned, the rendering engine computes the size of each node and its position on the screen.

The process that goes from interpreting HTML, CSS, and Javascript to pixel conversion can be grouped in 4 (four) general steps:

  1. Parsing of the HTML document to DOM (Document Object Model).
  2. CSS file interpretation (CSSOM – Cascading Style Sheets Object Model) for each of the DOM nodes.
  3. Creation of the new tree that includes the DOM, and each node’s style and layout.
  4. A render tree is rendered.

Vulnerability details: A use-after-free issue was addressed with improved memory management. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, Safari 17.6, iOS 17.6 and iPadOS 17.6, watchOS 10.6, tvOS 17.6, visionOS 1.3, macOS Sonoma 14.6. Processing maliciously crafted web content may lead to an unexpected process crash.

Official announcement: Please refer to the official announcement for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-40782