[netCDFJava #SIA-494597]: Java netCDF Security Issues
- Subject: [netCDFJava #SIA-494597]: Java netCDF Security Issues
- Date: Mon, 28 Jan 2013 14:49:34 -0700
Hi Jeff,
Both libpng and zlib are not directly used by the netCDF-Java library but are
libraries already on most systems that are called by one of the java libraries
included with netCDF-Java. From their web pages, it looks like current versions
are libpng 1.5.14 and zlib 1.2.5. Upgrading to the latest versions might clean
up some of the security issues.
Version 4.3 of the netCDF-Java library is now our stable release. Have you
considered upgrading to that version? It contains many bug fixes and new
features. It currently uses Spring Framework 3.1.1 rather than 2.5.4, so it might
also fix the security issue. Though it looks like we are a bit behind in terms
of Spring, which is at 2.5.6 and 3.1.4 (or even 3.2.1).
Let us know if you get any details about the issues your folks are having with
these libraries. I'm not familiar with the Palamida tool it looks like they are
using. However, from the Palamida web site (http://www.palamida.com/) it looks
like it can look for both security and IP/licensing issues and can be
configured according to a particular site's policies.
Hope that helps,
Ethan
Jeffrey Ethridge wrote:
> Greetings,
>
> I have gotten a cry of "Foul" from our Security people on some of
> the libraries used in netCDF.
>
> Jeff - These results show that there are 30 known security
> vulnerabilities in netCDF, specifically these components - libpng 1.2.1
> (28 vulnerabilities), zlib 1.1.4 (1 vulnerability) and springframework
> 2.5.4 (1 vulnerability).
>
> We were trying to get netCDF version 4.2 approved. I am still trying
> to get the details out of them, other than just a count under the red
> shield in the screen capture below.
>
> Now that I look at it, not sure if this was just netCDF or if it was
> the UI tools.
>
> Either way, does the more recent release get rid of some of these issues?
>
> Thanks,
>
> Jeffrey Noel Ethridge
> Advisory Software Engineer
> Undersea Systems
> Northrop Grumman Corporation
Ticket Details
===================
Ticket ID: SIA-494597
Department: Support netCDF Java
Priority: Normal
Status: Closed