
[netCDFJava #SIA-494597]: Java netCDF Security Issues



Hi Jeff,

Both libpng and zlib are not directly used by the netCDF-Java library but are 
libraries already on most systems that are called by one of the java libraries 
included with netCDF-Java. From their web pages, it looks like current versions 
are libpng 1.5.14 and zlib 1.2.5. Upgrading to the latest versions might clean 
up some of the security issues.

Version 4.3 of the netCDF-Java library is now our stable release. Have you 
considered upgrading to that version? It contains many bug fixes and new 
features. It currently uses Spring Framework 3.1.1 rather than 2.5.4 so might 
also fix the security issue. Though it looks like we are a bit behind in terms 
of Spring which is at 2.5.6 and 3.1.4 (or even 3.2.1).

Let us know if you get any details about the issues your folks are having with 
these libraries. I'm not familiar with the Palamida tool it looks like they are 
using. However, from the Palamida web site (http://www.palamida.com/) it looks 
like it can look for both security and IP/licensing issues and can be 
configured according to a particular site's policies.

Hope that helps,

Ethan

Jeffrey Ethridge wrote:
> Greetings,
> 
> I have gotten a cry of "Foul" from our Security people on some of
> the libraries used in netCDF.
> 
> Jeff - These results show that there are 30 known security
> vulnerabilities in netCDF, specifically these components - libpng 1.2.1
> (28 vulnerabilities), zlib 1.1.4 (1 vulnerability) and springframework
> 2.5.4 (1 vulnerability).
> 
> We were trying to get netCDF version 4.2 approved.  I am still trying
> to get the details out of them, other than just a count under the red
> shield in the screen capture below.
> 
> Now that I look at it, not sure if this was just netCDF or if it was
> the UI tools.
> 
> Either way, does the more recent release get rid of some of these issues?
> 
> Thanks,
> 
> Jeffrey Noel Ethridge
> Advisory Software Engineer
> Undersea Systems
> Northrop Grumman Corporation
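
As an added example (not part of this thread or of netCDF-Java itself) of the check Jeff's question needs, here is a small Python script that reads the Maven pom.properties entries inside a jar and flags bundled Spring artifacts below a chosen minimum, so the scanner's count can be confirmed against what the distribution actually ships. The minimum versions in MIN_VERSIONS and the sample jar built by build_sample_jar are constructed for this example.

```python
import io
import re
import zipfile

# Policy minimums for the Spring artifacts the thread discusses (constructed
# thresholds for this example: 3.1.4 is the version the reply calls current).
MIN_VERSIONS = {"spring-core": "3.1.4", "spring-context": "3.1.4"}


def parse_version(text):
    """'2.5.4' or '3.1.1.RELEASE' -> (2, 5, 4) / (3, 1, 1) for tuple comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def bundled_artifacts(jar):
    """Yield (artifactId, version) from each Maven pom.properties inside a jar."""
    # Maven-built jars carry META-INF/maven/<group>/<artifact>/pom.properties,
    # and those entries survive when jars are merged into one distribution jar.
    with zipfile.ZipFile(jar) as zf:  # path or file-like object
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.lstrip().startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if "artifactId" in props and "version" in props:
                yield props["artifactId"], props["version"]


def outdated(jar, minimums=MIN_VERSIONS):
    """Return [(artifactId, version)] for bundled artifacts below the policy minimum."""
    return [(a, v) for a, v in bundled_artifacts(jar)
            if a in minimums and parse_version(v) < parse_version(minimums[a])]


def build_sample_jar(spring_version):
    """Construct an in-memory jar resembling a netCDF-Java bundle with Spring inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for artifact in ("spring-core", "spring-context"):
            zf.writestr(f"META-INF/maven/org.springframework/{artifact}/pom.properties",
                        f"#Generated by Maven\ngroupId=org.springframework\n"
                        f"artifactId={artifact}\nversion={spring_version}\n")
    buf.seek(0)
    return buf
```

Run `outdated("toolsUI.jar")` (or any jar path) against a real distribution; the same function accepts the constructed sample jar for a quick self-check.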


Ticket Details
===================
Ticket ID: SIA-494597
Department: Support netCDF Java
Priority: Normal
Status: Closed