Richard Kettlewell

**Name of the Vulnerable Software and Affected Versions** Crypt::DSA versions prior to 1.21 **Description** The software reuses the nonce across signatures, which can lead to the recovery of the private key. The `sign()` function in the `Crypt::DSA::sign` module caches the per-signature nonce material within the Key object and fails to clear it. Consequently, the first call to `sign()` on a Key object selects a nonce, and all subsequent calls to `sign()` on that same object reuse it, resulting in an identical "r" value. Any keys used to sign more than once using an affected version are considered compromised. **Recommendations** Update to version 1.21 or later.

**Name of the Vulnerable Software and Affected Versions** zlib version 1.1.4 **Description** The issue is related to a buffer overflow in the gzprintf function in zlib. This can occur when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf. The exploitation of this issue may lead to a denial of service or possibly the execution of arbitrary code. It can also result in the violation of confidentiality, integrity, and availability of protected information. The exploitation can be carried out remotely. **Recommendations** For zlib version 1.1.4, consider updating to a newer version that addresses the buffer overflow issue in the gzprintf function. As a temporary workaround, consider restricting the use of the gzprintf function until a patch is available.