Robrwo

**Name of the Vulnerable Software and Affected Versions** Text::LineFold versions prior to 2019.002 **Description** Text::LineFold splits input strings into segments using specific line break characters, such as Vertical Tab (VT) and Form Feed (FF). However, the break function is applied to the entire string instead of individual segments, causing the full input to be duplicated for every segment identified. This behavior can result in excessive resource consumption and a potential denial of service. **Recommendations** Update to a version later than 2019.001.

**Name of the Vulnerable Software and Affected Versions** Plack::Middleware::Statsd versions prior to 0.9.0 **Description** Plack::Middleware::Statsd for Perl may leak user IP addresses. This occurs if the communication channel to the statsd daemon is not secured, such as when sending UDP packets to a host on another network. **Recommendations** Update to version 0.9.0 or later.

**Name of the Vulnerable Software and Affected Versions** Catalyst::Plugin::Statsd versions prior to 0.10.0 **Description** Catalyst::Plugin::Statsd for Perl may leak session ids. This occurs if the communication channel to the statsd daemon is not secured, such as when sending UDP packets to a host on another network. An attacker could potentially use these leaked session ids as authentication tokens. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Text::Minify::XS versions 0.3.0 through 0.7.7 **Description** A heap overflow occurs when processing certain malformed UTF-8 characters. The `minify()` function and its alias `minify utf8()` mishandle these characters, which leads to heap corruption. **Recommendations** Update to version 0.7.8 or later.

**Name of the Vulnerable Software and Affected Versions** Authen::SASL::Perl::DIGEST MD5 versions 2.04 through 2.1800 **Description** The `cnonce` (client nonce) is generated insecurely from an MD5 hash of the PID, the epoch time, and the built-in `rand` function. The PID originates from a limited set of numbers, and the epoch time may be predictable. The `rand` function is unsuitable for cryptographic purposes. According to RFC 2831, the `cnonce` should contain at least 64 bits of entropy to prevent chosen plaintext attacks and ensure mutual authentication. **Recommendations** Versions prior to 2.1800 are affected. Update to a version later than 2.1800.

Name of the Vulnerable Software and Affected Versions: Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier Description: The software generates nonces using the Perl Data::UUID library, which does not employ a strong cryptographic source for UUID generation. Data::UUID returns v3 UUIDs, which are derived from known information and are unsuitable for security purposes, as defined in RFC 9562. Nonces should be generated using a strong cryptographic source, as specified in RFC 7616. Recommendations: Update Catalyst::Authentication::Credential::HTTP to a version later than 1.018.

Name of the Vulnerable Software and Affected Versions: Mojolicious module versions 1.74 through 8.64 Description: The issue is related to a timing attack vulnerability in the `secure compare()` function of the Mojolicious module for Perl. This vulnerability allows an attacker to manipulate unknown input, leading to a timing discrepancy that can be exploited to guess the length of a secret string. The attacker can act remotely to exploit this issue. Recommendations: For versions 1.74 through 8.64, update to version 8.65 or later to resolve the issue. As a temporary workaround, consider restricting access to the `secure compare()` function until a patch is available.