Dwayne C. Litzenberger

**Name of the Vulnerable Software and Affected Versions** PyCrypto versions prior to 2.6.1 **Description** The issue is related to the Crypto.Random.atfork function, which does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it. This makes it easier for attackers to obtain sensitive information by leveraging a race condition in which a child process is created and accesses the PRNG within the same rate-limit period as another process. **Recommendations** For versions prior to 2.6.1, update to version 2.6.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the PRNG in child processes to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DAR versions prior to 2.3.4 **Description** The issue concerns the use of weak Blowfish-CBC cryptography in the blowfish mode. This is due to two main factors: (1) the `blowfish::make ivec` function in `libdar/crypto.cpp` discards random bits, resulting in predictable and repeating IV values, and (2) the direct use of a password for keying, which simplifies the decryption process for context-dependent attackers. **Recommendations** For versions prior to 2.3.4, update to version 2.3.4 or later to resolve the issue.