Just to not make everybody freak out: we are talking about possible
buffer overflows here (e.g. it flags use of strcpy() instead of strlcpy()).
Such uses are bugfree if used correctly, but they can create bugs and in
the utmost consequence security bugs if used carelessly (most of the
time it will "just" be a occasional segfault, though).
So in order for it to be a security vulnerability, it must be a bug
caused by this and it must be exploitable (e.g. privilege escalation, etc.).
There aren't any such known cases (not even bugs), but please let the
team at
secu...@cfengine.com asap if you know about such a case. If you
can provide the report you're looking at that might also help if you
can't confirm any issue.
--
Eystein