Wietse:

Thank you very much for the response. I will look at the remaining two
items to see if they are also false positives based on the information you
provided for the other items. If I can't, I will try to get the line
numbers at least for those two.

Thanks
Mc.

On Wed, Nov 16, 2016 at 7:54 PM, Wietse Venema <wie...@porcupine.org> wrote:

> McSec:
> > A Veracode scan reported the following vulnerabilities in postfix 3.0.1:
> >
> > vulnerability        module    source
> > Buffer Over Flow        dnsblog       home/.../src/dns/dns_rr.c
> > Buffer Over Flow        smtpd         home/.../src/tls/tls_scache.c
>
> There is no line number information, therefore this information is
> not actionable.
>
> > Numeric Errors          dnsblog       home/.../src/dns/dns_rr.c 262
> > Numeric Errors          dnsblog       home/.../src/dns/dns_rr.c 302
>
> Both are not a vulnerability, because DNS replies don't contain 268
> million responses. The DNS reply count is a 16-bit number, and is
> therefore limited to 0..65535.
>
> > Numeric Errors          dnsblog       home/.../src/dns/dns_strtype.c 207
>
> Not a vulnerability, because the dns_type_map[] table with symbolic
> names for DNS record types is much smaller than 2 billion.  The DNS
> record type is a 16-bit number, therefore there can be only 65536
> different record types.
>
> > Numeric Errors          smtpd         home/.../src/tls/tls_dane.c 1291
>
> Not a vulnerability, because the trust anchor file is owned by a
> trusted local user (root), and because that file will contain fewer
> than 2 billion entries.
>
>         Wietse
>
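The 16-bit bound Wietse relies on comes from the DNS header wire format. As an added example (not Postfix code; struct and function names are hypothetical), the following C shows where the answer count comes from and how to make the invariant explicit so a numeric-overflow finding of this shape can be closed with evidence rather than argument:

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical resource-record shape, used only for the size arithmetic
 * (it is not Postfix's DNS_RR). */
struct rr_entry {
    uint16_t type;
    uint16_t rr_class;
    uint32_t ttl;
    uint16_t data_len;
    unsigned char data[512];
};

/* Compile-time record of the invariant: even the largest 16-bit answer
 * count cannot overflow a size_t when multiplied by the record size. */
_Static_assert((size_t)UINT16_MAX * sizeof(struct rr_entry) <= SIZE_MAX / 2,
               "rr table for a full 16-bit count must fit in size_t");

/* Read a big-endian 16-bit field from the DNS header. */
static uint16_t dns_u16(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Extract ANCOUNT (answer record count) from a 12-byte DNS header.
 * Returns -1 if the buffer is too short to hold a header; otherwise the
 * result is necessarily in 0..65535 because the field is 16 bits wide. */
int dns_answer_count(const unsigned char *msg, size_t len) {
    if (len < 12) return -1;
    return dns_u16(msg + 6);   /* ANCOUNT occupies header bytes 6..7 */
}

/* Bytes needed for a table of `count` records. The runtime assert
 * documents the same bound the _Static_assert above already proves. */
size_t rr_table_bytes(int count) {
    assert(count >= 0 && count <= UINT16_MAX);
    return (size_t)count * sizeof(struct rr_entry);
}

int main(void) {
    /* Constructed header: ID 0x1234, flags 0x8180, QD=1, AN=3, NS=0, AR=0 */
    const unsigned char hdr[12] = {0x12, 0x34, 0x81, 0x80, 0x00, 0x01,
                                   0x00, 0x03, 0x00, 0x00, 0x00, 0x00};
    int n = dns_answer_count(hdr, sizeof hdr);
    printf("answer count %d -> table of %zu bytes\n", n, rr_table_bytes(n));
    return 0;
}
```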
