Add CVEs

Author: boreq

moooodotfarm-backend/src/ports/http/mod.rs

@@ -54,6 +54,7 @@ where
             .route("/", get(handle_get_index::<D>))
             .route("/rfc", get(handle_get_rfc))
             .route("/new", get(handle_get_new))
+            .route("/cves", get(handle_get_cves))
             .route("/metrics", get(handle_get_metrics::<D>))
             .route("/api/herd", get(handle_get_herd::<D>))
             .fallback(handle_static)
@@ -92,6 +93,11 @@ async fn handle_get_new() -> std::result::Result<Html<String>, AppError> {
     Ok(Html(template.render()?))
 }
 
+async fn handle_get_cves() -> std::result::Result<Html<String>, AppError> {
+    let template = CvesTemplate {};
+    Ok(Html(template.render()?))
+}
+
 async fn handle_static(uri: axum::http::Uri) -> impl IntoResponse {
     let path = uri.path().trim_start_matches('/');
 
@@ -187,6 +193,10 @@ struct RfcTemplate {}
 #[template(path = "new.html")]
 struct NewTemplate {}
 
+#[derive(Template)]
+#[template(path = "cves.html")]
+struct CvesTemplate {}
+
 struct TemplateCowName {
     name: String,
     kind: TemplateCowNameKind,

moooodotfarm-backend/src/ports/http/templates/base.html

@@ -56,6 +56,30 @@
             pointer-events: none;
         }
 
+        pre {
+            background: rgba(93, 64, 55, 0.05);
+            padding: 1rem;
+            border-radius: 8px;
+            overflow-x: auto;
+            border: 1px solid var(--grass-light);
+            z-index: 0;
+            text-transform: none;
+        }
+
+        pre code {
+            background: transparent;
+            padding: 0;
+        }
+
+        code {
+            background: rgba(161, 136, 127, 0.1);
+            padding: 0.2rem 0.4rem;
+            border-radius: 4px;
+            font-family: monospace;
+            font-size: 0.95em;
+            color: var(--grass-dark);
+        }
+
         .back-link-container {
             text-align: center;
             margin-bottom: 1.5rem;
@@ -81,27 +105,63 @@
             color: white;
         }
 
-        pre {
-            background: rgba(93, 64, 55, 0.05);
-            padding: 1rem;
-            border-radius: 8px;
-            overflow-x: auto;
-            border: 1px solid var(--grass-light);
+        .subpage-header {
+            .cow {
+                text-align: center;
+                margin: 1rem 0;
+            }
+
+            .cow img {
+                width: 120px;
+                height: auto;
+                image-rendering: pixelated;
+            }
+
+            h1 {
+                text-align: center;
+                font-size: 2rem;
+                font-weight: 700;
+                color: var(--text);
+                margin-bottom: 0.8rem;
+            }
+
+            .subtitle {
+                text-align: center;
+                font-size: 1.2rem;
+                color: var(--warm-brown);
+                margin-bottom: 1.8rem;
+                font-weight: 700;
+            }
+        }
+
+        .content {
+            max-width: 760px;
+            margin: 0 auto;
+            padding: 2rem 1.5rem 4rem;
+            position: relative;
+        }
+
+        section {
+            border: 3px solid var(--grass);
+            background: white;
+            border-radius: 16px;
+            padding: 1.5rem 1.8rem;
+            margin: 1.6rem 0;
+            box-shadow: 0 4px 12px rgba(93, 64, 55, 0.08);
             z-index: 0;
-            text-transform: none;
         }
 
-        pre code {
-            background: transparent;
-            padding: 0;
+        p {
+            margin: 0.8rem 0;
+            line-height: 1.6;
         }
 
-        code {
-            background: rgba(161, 136, 127, 0.1);
-            padding: 0.2rem 0.4rem;
-            border-radius: 4px;
-            font-family: monospace;
-            font-size: 0.95em;
+        a {
+            color: var(--grass);
+            text-decoration: underline;
+        }
+
+        a:hover {
             color: var(--grass-dark);
         }
 

moooodotfarm-backend/src/ports/http/templates/common.html

@@ -0,0 +1,12 @@
+{% macro common_header(title, subtitle_text) %}
+<header class="subpage-header">
+    <div class="back-link-container">
+        <a href="/" class="back-link">← go back to admiring all cows</a>
+    </div>
+    <div class="cow">
+        <img src="/cow.png" alt="a very round cow">
+    </div>
+    <h1>{{ title }}</h1>
+    <div class="subtitle">{{ subtitle_text }}</div>
+</header>
+{% endmacro %}

moooodotfarm-backend/src/ports/http/templates/cves.html

@@ -0,0 +1,109 @@
+{% extends "base.html" %}
+
+{% import "common.html" as common %}
+
+{% block title %}Cow Vulnerabilities and Exposures (CVEs){% endblock %}
+
+{% block extra_styles %}
+    .cve-header {
+        display: flex;
+        flex-wrap: wrap;
+        align-items: baseline;
+        gap: 1.2em;
+        margin-bottom: 0.7em;
+    }
+    .cve-id {
+        font-size: 1.5rem;
+        font-weight: bold;
+        color: var(--grass-dark);
+        letter-spacing: 0.04em;
+    }
+    .cve-date {
+        color: #888;
+        font-size: 0.98em;
+    }
+    .cve-title {
+        font-size: 1.5rem;
+        font-weight: 700;
+        margin: 0.5rem 0 1rem 0;
+        color: var(--warm-brown);
+    }
+    .cve-section {
+        margin: 1.2em 0 0.7em 0;
+    }
+    .cve-section-title {
+        font-weight: 600;
+        color: var(--grass-dark);
+        margin-bottom: 0.2em;
+        font-size: 1.08em;
+    }
+
+    .cve-severity, .cve-status {
+        font-weight: bold;
+        border-radius: 6px;
+        padding: 0.2em 0.5em;
+        margin-left: .2em;
+    }
+
+    .cve-severity {
+        color: #b71c1c;
+        background: #ffeaea;
+    }
+
+    .cve-status {
+        color: var(--grass-dark);
+        background: var(--grass-light);
+    }
+{% endblock %}
+
+{% block content %}
+    <main class="content">
+        {{ common::common_header("Cow Vulnerabilities and Exposures (CVEs)", "Security incidents affecting the herd") }}
+
+        <section>
+            <div class="cve-header">
+                <span class="cve-id">CVE-2026-1</span>
+                <span class="cve-date">2026-02-10</span>
+                <span class="cve-severity">Severity: HIGH</span>
+                <span class="cve-status">Status: PATCHED</span>
+            </div>
+            <div class="cve-title">Side Channel Attack on Shy Cows' Censored Names</div>
+            <div class="cve-section">
+                <div class="cve-section-title">Description</div>
+                <p>
+                    A side channel vulnerability in the handling of shy cows' names allowed an attacker to deduce the shy cow's name by submitting crafted names and analyzing the position of the shy cow in the herd. By observing how the position of a newly submitted cow related to other cows in the herd, the attacker could perform a binary search to reveal censored names of shy cows. This could violate the privacy expectations of shy cows in the herd.
+                </p>
+            </div>
+            <div class="cve-section">
+                <div class="cve-section-title">Severity & Impact</div>
+                <p>
+                    Successful exploitation could result in the exposure of shy cows' names that were intended to remain private. No data corruption or denial of service is possible via this vector, but the privacy of the herd is at risk.
+                </p>
+            </div>
+            <div class="cve-section">
+                <div class="cve-section-title">Affected Versions</div>
+                <p>
+                    All versions before the fix commit and after the cow characters were introduced.
+                </p>
+            </div>
+            <div class="cve-section">
+                <div class="cve-section-title">Patched Version</div>
+                <p>
+                    Patched in commit <a href="https://github.com/FREESIDE-HOLDINGS-LTD/moooodotfarm/commit/c23046b80b14eca192e1574b7a97fd2934208e2b"><code>c23046b80b14eca192e1574b7a97fd2934208e2b</code></a>.
+                </p>
+            </div>
+            <div class="cve-section">
+                <div class="cve-section-title">Mitigation</div>
+                <p>
+                    The patch ensures that the sorting logic no longer leaks information about the shy cows' names via the cows' position in the list, making such side channel attacks infeasible. No action is required for existing cows or new cows.
+                </p>
+            </div>
+            <div class="cve-section">
+                <div class="cve-section-title">Exploitation Status</div>
+                <p>
+                    As of the date of this advisory, there is no evidence that this vulnerability was ever exploited in the wild or at the farm. The issue was discovered internally during a routine code review and has only theoretical impact. No user-reported incidents or suspicious activity related to this vulnerability have been observed.
+                </p>
+            </div>
+        </section>
+    </main>
+{% endblock %}

moooodotfarm-backend/src/ports/http/templates/index.html

@@ -61,13 +61,6 @@
             }
         }
 
-        .main-content {
-            max-width: 700px;
-            margin: 0 auto;
-            padding: 2rem 1.5rem 4rem;
-            position: relative;
-        }
-
         .herd-subtitle {
             font-size: 1.5rem;
             font-weight: 700;
@@ -230,7 +223,7 @@
         </ul>
     </header>
 
-    <main class="main-content">
+    <main class="content">
         <p class="herd-subtitle">all known cow.txt files and their status</p>
 
         <div class="legend">