Re: Veracode reported vulnerabilities

2016-11-21 Thread Wietse Venema
Mc Security: > Here are the line numbers for the remaining two items: > > 1. Buffer overflow Sourcefile: dns_rr.c, Line: 129, Module: dnsblog False positive. Veracode does not understand how the code works. > 2. Buffer overflow Sourcefile: tls_scache.c, Line: 208, Module: smtpd Same thi

Re: Veracode reported vulnerabilities

2016-11-21 Thread Viktor Dukhovni
> On Nov 21, 2016, at 5:44 PM, Mc Security wrote: > > I see that there is careful memory allocation done for DNS_RR and > TLS_SCACHE_ENTRY in dns_rr.c and tls_scache.c respectively so that buffer > overflow is not caused. However, a confirmation would be great. I think the correct protoco

Re: Veracode reported vulnerabilities

2016-11-21 Thread Mc Security
I see that there is careful memory allocation done for DNS_RR and TLS_SCACHE_ENTRY in dns_rr.c and tls_scache.c respectively so that buffer overflow is not caused. However, a confirmation would be great. On Mon, Nov 21, 2016 at 1:51 PM, Mc Security wrote: > Here are the line numbers for the

Re: Veracode reported vulnerabilities

2016-11-21 Thread Mc Security
Here are the line numbers for the remaining two items: 1. Buffer overflow Sourcefile: dns_rr.c, Line: 129, Module: dnsblog 2. Buffer overflow Sourcefile: tls_scache.c, Line: 208, Module: smtpd Thanks, Mc. On Wed, Nov 16, 2016 at 9:40 PM, Mc Secuirty wrote: > Wietse: > > Thank you ver

Re: Veracode reported vulnerabilities

2016-11-16 Thread Mc Secuirty
Wietse: Thank you very much for the response. I will look at the remaining two items to see if they are also false positives based on the information you provided for the other items. If I can't, I will try to get the line numbers at least for those two. Thanks, Mc. On Wed, Nov 16, 2016 at 7:54

Re: Veracode reported vulnerabilities

2016-11-16 Thread Wietse Venema
McSec: > A Veracode scan reported the following vulnerabilities in postfix 3.0.1: > > vulnerability module source > Buffer Over Flow dnsblog home/.../src/dns/dns_rr.c > Buffer Over Flow smtpd home/.../src/tls/tls_scache.c There is no line number information, t

Re: Veracode reported vulnerabilities

2016-11-16 Thread Leonardo Rodrigues
While scanners are a great tool, blindly taking their results as unquestionably true can lead to disasters. The Debian SSL key generation disaster is proof of that. On 16/11/16 13:38, McSec wrote: A Veracode scan reported the following vulnerabilities in postfix 3.0.1: vulnerabilit

Re: Veracode reported vulnerabilities

2016-11-16 Thread McSec
I checked the source code for the reported Numeric Errors in the latest release; the source code at the identified lines hasn't changed from 3.0.1. I also checked the release notes for 3.0.2 and later. The reported vulnerabilities are not addressed as per the notes. We will upgrade to the latest

Re: Veracode reported vulnerabilities

2016-11-16 Thread Bill Cole
On 16 Nov 2016, at 10:38, McSec wrote: A Veracode scan reported the following vulnerabilities in postfix 3.0.1: Just curious: why bother with analyzing an obsolete version? Latest releases are 3.1.3 and 3.0.7. Also, have you read the release notes for 3.0.{2..7}?