Mc Security:
> Here are the line numbers for the remaining two items:
>
> 1. Buffer overflow Sourcefile: dns_rr.c, Line: 129, Module: dnsblog
False positive. Veracode does not understand how the code works.
> 2. Buffer overflow Sourcefile: tls_scache.c, Line: 208, Module: smtpd
Same thi
> On Nov 21, 2016, at 5:44 PM, Mc Security wrote:
>
> I see that there is careful memory allocation done for DNS_RR and
> TLS_SCACHE_ENTRY in dns_rr.c and tls_scache.c respectively so that buffer
> overflow is not caused. However, a confirmation would be great.
I think the correct protoco
I see that there is careful memory allocation done for DNS_RR and
TLS_SCACHE_ENTRY in dns_rr.c and tls_scache.c respectively so that
buffer overflow is not caused. However, a confirmation would be great.
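The allocation pattern this message refers to, as an added illustration in constructed code (not Postfix's dns_rr.c or tls_scache.c, whose exact layout is not shown in the thread): a struct ending in a one-element array is allocated with extra room for the whole payload, so the copy that a scanner reports as overflowing `data[1]` stays inside the allocated object. `EXAMPLE_RR` and its functions are hypothetical names; the check a reviewer performs when triaging such a finding is whether the allocation size covers the last byte written.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record type, constructed for this example (not Postfix's DNS_RR
 * or TLS_SCACHE_ENTRY). The one-element trailing array is the pre-C99 idiom for
 * a variable-length payload: the struct is allocated with room after the header,
 * and analyzers that only see the declared size of data[1] report any write
 * past data[0] as a buffer overflow. */
typedef struct {
    size_t data_len;            /* number of payload bytes actually stored */
    char   data[1];             /* placeholder; real payload extends past here */
} EXAMPLE_RR;

/* Allocate a record with room for data_len payload bytes after the header.
 * Returns NULL on allocation failure or if the size computation would wrap. */
EXAMPLE_RR *example_rr_create(const void *data, size_t data_len)
{
    EXAMPLE_RR *rr;
    size_t header = offsetof(EXAMPLE_RR, data);

    /* Guard the size arithmetic: header + data_len must not overflow size_t. */
    if (data_len > SIZE_MAX - header)
        return NULL;
    /* The allocation covers header + data_len bytes, i.e. every byte the
     * memcpy below touches, even though data[] is declared with one element. */
    rr = malloc(header + data_len);
    if (rr == NULL)
        return NULL;
    rr->data_len = data_len;
    memcpy(rr->data, data, data_len);   /* what a naive scanner flags as "overflow of data[1]" */
    return rr;
}

/* Copy the payload out, refusing to write more than the caller's buffer holds.
 * Returns 0 on success, -1 if out_len is too small. */
int example_rr_copy_out(const EXAMPLE_RR *rr, char *out, size_t out_len)
{
    if (rr->data_len > out_len)
        return -1;
    memcpy(out, rr->data, rr->data_len);
    return 0;
}

void example_rr_free(EXAMPLE_RR *rr)
{
    free(rr);
}

/* How many bytes a write of data_len bytes exceeds the *declared* array size.
 * This is the number a declaration-only analysis sees; it is nonzero for every
 * payload longer than one byte, which is why the idiom produces reports even
 * though the allocation above makes the write safe. */
size_t example_rr_declared_overrun(size_t data_len)
{
    size_t declared = sizeof(((EXAMPLE_RR *)0)->data);   /* 1 */
    return data_len > declared ? data_len - declared : 0;
}

int main(void)
{
    const char payload[] = "192.0.2.10";                 /* constructed sample */
    EXAMPLE_RR *rr = example_rr_create(payload, strlen(payload));
    char out[32];

    if (rr == NULL)
        return 1;
    if (example_rr_copy_out(rr, out, sizeof out) == 0)
        printf("stored %zu bytes: %.*s\n", rr->data_len, (int) rr->data_len, out);
    printf("declared-size overrun a scanner would report: %zu bytes\n",
           example_rr_declared_overrun(rr->data_len));
    example_rr_free(rr);
    return 0;
}
```

When triaging a report like the two above, the question is therefore not whether the copy exceeds the declared array but whether every allocation site sizes the object for the payload length that is later written; if all do, the finding is a false positive of the kind Wietse describes.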
On Mon, Nov 21, 2016 at 1:51 PM, Mc Security wrote:
> Here are the line numbers for the
Here are the line numbers for the remaining two items:
1. Buffer overflow Sourcefile: dns_rr.c, Line: 129, Module: dnsblog
2. Buffer overflow Sourcefile: tls_scache.c, Line: 208, Module: smtpd
Thanks,
Mc.
On Wed, Nov 16, 2016 at 9:40 PM, Mc Security wrote:
> Wietse:
>
> Thank you ver
Wietse:
Thank you very much for the response. I will look at the remaining two
items to see if they are also false positives based on the information you
provided for the other items. If I can't, I will try to get the line
numbers at least for those two.
Thanks
Mc.
On Wed, Nov 16, 2016 at 7:54
McSec:
> A Veracode scan reported the following vulnerabilities in postfix 3.0.1:
>
> vulnerability       module    source
> Buffer Over Flow    dnsblog   home/.../src/dns/dns_rr.c
> Buffer Over Flow    smtpd     home/.../src/tls/tls_scache.c
There is no line number information, t
While scanners are a great tool, blindly taking their results as
unquestionably true can lead to disasters. The Debian SSL key
generation disaster is proof of that.
On 16/11/16 13:38, McSec wrote:
A Veracode scan reported the following vulnerabilities in postfix 3.0.1:
vulnerabilit
I checked the source code for the reported Numeric Errors in the latest
release, the source code at the identified lines hasn't changed from 3.0.1.
I also checked the release notes for 3.0.2 and later. The reported
vulnerabilities are not addressed as per the notes.
We will upgrade to the latest
On 16 Nov 2016, at 10:38, McSec wrote:
A Veracode scan reported the following vulnerabilities in postfix
3.0.1:
Just curious: why bother with analyzing an obsolete version? Latest
releases are 3.1.3 and 3.0.7.
Also, have you read the release notes for 3.0.{2..7}?