McSec:
> A Veracode scan reported the following vulnerabilites in postfix 3.0.1:
>
> vulnerability module source
> Buffer Over Flow dnsblog home/.../src/dns/dns_rr.c
> Buffer Over Flow smtpd home/.../src/tls/tls_scache.c
There is no line number information, therefore this information is
not actionable.
> Numeric Errors dnsblog home/.../src/dns/dns_rr.c 262
> Numeric Errors dnsblog home/.../src/dns/dns_rr.c 302
Both are not a vulnerability, because DNS replies don't contain 268
million responses. The DNS reply count is a 16-bit number, and is
therefore limited to 0..65535.
> Numeric Errors dnsblog home/.../src/dns/dns_strtype.c 207
Not a vulnerability, because the dns_type_map[] table with symbolic
names for DNS record types is much smaller than 2 billion. The DNS
record type is a 16-bit number, therefore there can be only 65536
different record types.
> Numeric Errors smtpd home/.../src/tls/tls_dane.c 1291
Not a vulnerability, because the trust anchor file is owned by a
trusted local user (root), and because that file will contain fewer
than 2 billion entries.
Wietse
