Here are the line numbers for the remaining two items:

1. Buffer overflow     Sourcefile: dns_rr.c, Line: 129, Module: dnsblog

2. Buffer overflow     Sourcefile: tls_scache.c, Line: 208, Module: smtpd

Thanks,

Mc.

On Wed, Nov 16, 2016 at 9:40 PM, Mc Secuirty <mcs...@gmail.com> wrote:

> Wietse:
>
> Thank you very much for the response. I will look at the remaining two
> items to see if they are also false positives based on the information you
> provided for the other items. If I can't, I will try to get the line
> numbers at least for those two.
>
> Thanks
> Mc.
>
> On Wed, Nov 16, 2016 at 7:54 PM, Wietse Venema <wie...@porcupine.org>
> wrote:
>
>> McSec:
>> > A Veracode scan reported the following vulnerabilities in postfix 3.0.1:
>> >
>> > vulnerability        module    source
>> > Buffer Over Flow        dnsblog       home/.../src/dns/dns_rr.c
>> > Buffer Over Flow        smtpd         home/.../src/tls/tls_scache.c
>>
>> There is no line number information, therefore this information is
>> not actionable.
>>
>> > Numeric Errors          dnsblog       home/.../src/dns/dns_rr.c 262
>> > Numeric Errors          dnsblog       home/.../src/dns/dns_rr.c 302
>>
>> Both are not a vulnerability, because DNS replies don't contain 268
>> million responses. The DNS reply count is a 16-bit number, and is
>> therefore limited to 0..65535.
>>
>> > Numeric Errors          dnsblog       home/.../src/dns/dns_strtype.c 207
>>
>> Not a vulnerability, because the dns_type_map[] table with symbolic
>> names for DNS record types is much smaller than 2 billion.  The DNS
>> record type is a 16-bit number, therefore there can be only 65536
>> different record types.
>>
>> > Numeric Errors          smtpd         home/.../src/tls/tls_dane.c 1291
>>
>> Not a vulnerability, because the trust anchor file is owned by a
>> trusted local user (root), and because that file will contain fewer
>> than 2 billion entries.
>>
>>         Wietse
>>
>
>
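The triage argument quoted above (a 16-bit wire count cannot reach the value needed to wrap a size computation), as an added example that is not part of the thread and is not Postfix code. The function names and header bytes are constructed, and the 16-byte element size is an assumption chosen because it yields the 268 million figure in 32-bit arithmetic.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: 12-byte DNS header with ANCOUNT at its maximum. */
static const unsigned char sample_hdr[12] = {
    0x12, 0x34,   /* ID */
    0x81, 0x80,   /* flags: response, recursion available */
    0x00, 0x01,   /* QDCOUNT = 1 */
    0xff, 0xff,   /* ANCOUNT = 65535, the largest value the field can hold */
    0x00, 0x00,   /* NSCOUNT */
    0x00, 0x00    /* ARCOUNT */
};

/* Read ANCOUNT (header bytes 6..7, big-endian). Returns -1 on a short header. */
long dns_ancount(const unsigned char *hdr, size_t len)
{
    if (hdr == NULL || len < 12)
        return -1;
    return ((long) hdr[6] << 8) | hdr[7];
}

/* Smallest element count whose byte size no longer fits in 32 bits. */
uint64_t min_wrapping_count(uint32_t elem_size)
{
    const uint64_t limit = UINT64_C(1) << 32;

    if (elem_size == 0)
        return 0;                       /* a zero-sized element never wraps */
    return limit / elem_size + (limit % elem_size != 0);
}

/* Checked size computation: 0 on success, -1 if the product would wrap. */
int array_bytes32(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

/* Can the worst-case wire count (65535) wrap for this element size? */
int worst_case_wraps(uint32_t elem_size)
{
    uint32_t bytes;

    return array_bytes32(0xffffu, elem_size, &bytes) != 0;
}
```

The same check applies to any scanner finding of this kind: the bound only holds while the count really comes from the 16-bit wire field, so a count accumulated across several replies needs the explicit guard in `array_bytes32`.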
