[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[netCDFJava #SIA-494597]: Java netCDF Security Issues

To: address@hidden
Subject: [netCDFJava #SIA-494597]: Java netCDF Security Issues
From: "Unidata netCDF Java Support" <address@hidden>
Date: Mon, 28 Jan 2013 14:49:34 -0700

Hi Jeff,

Both libpng and zlib are not directly used by the netCDF-Java library but are 
libraries already on most systems that are called by one of the java libraries 
included with netCDF-Java. From their web pages, it looks like current versions 
are libpng 1.5.14 and zlib 1.2.5. Upgrading to the latest versions might clean 
up some of the security issues.

Version 4.3 of the netCDF-Java library is now our stable release. Have you 
considered upgrading to that version. It contains many bug fixes and new 
features. It currently uses Spring Framework 3.1.1 rather than 2.5.4 so might 
also fix the security issue. Though it looks like we are a bit behind in terms 
of Spring which is at 2.5.6 and 3.1.4 (or even 3.2.1).

Let us know if you get any details about the issues your folks are having with 
these libraries. I'm not familiar with the Palamida tool it looks like they are 
using. However, from thePalamida web site (http://www.palamida.com/) it looks 
like it can look for both security and IP/licensing issues and can be 
configured according to a particular sites policies.

Hope that helps,

Ethan

Jeffrey Ethridge wrote:
> Greetings,
> 
> I have gotten a cry of "Foul" from our Security people on the some of
> the libraries used in netCDF.
> 
> Jeff - These results show that there are 30 known security
> vulnerabilities in netCDF, specifically these componenets - libpng 1.2.1
> (28 vulnerabilities), zlib 1.1.4 (1 vulnerability) and springframework
> 2.5.4 (1 vulnerability.
> 
> We were trying to get netCDF version 4.2 approved.  I am still trying
> to get the details out of them, other than just a count under the red
> shield in the screen capture below.
> 
> Now that I look at it, not sure if this was just netCDF or if it was
> the UI tools.
> 
> Either way, does the more recent release get rid of some of these issues?
> 
> Thanks,
> 
> Jeffrey Noel Ethridge
> Advisory Software Engineer
> Undersea Systems
> Northrop Grumman Corporation

Ticket Details
===================
Ticket ID: SIA-494597
Department: Support netCDF Java
Priority: Normal
Status: Closed

Prev by Date: [LibCF #WGL-196445]: Plz help for install libcf
Next by Date: [netCDF #PFU-753378]: Error in closing netCDF file (due to presence of user-defined type)
Previous by thread: [LibCF #WGL-196445]: Plz help for install libcf
Next by thread: [netCDFJava #FSL-422087]: Java INFO
Index(es):
- Date
- Thread

NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.