Hi Jeff,

Both libpng and zlib are not directly used by the netCDF-Java library but are libraries already on most systems that are called by one of the Java libraries included with netCDF-Java. From their web pages, it looks like current versions are libpng 1.5.14 and zlib 1.2.5. Upgrading to the latest versions might clean up some of the security issues.

Version 4.3 of the netCDF-Java library is now our stable release. Have you considered upgrading to that version? It contains many bug fixes and new features. It currently uses Spring Framework 3.1.1 rather than 2.5.4 so might also fix the security issue. Though it looks like we are a bit behind in terms of Spring, which is at 2.5.6 and 3.1.4 (or even 3.2.1).

Let us know if you get any details about the issues your folks are having with these libraries.

I'm not familiar with the Palamida tool it looks like they are using. However, from the Palamida web site (http://www.palamida.com/) it looks like it can look for both security and IP/licensing issues and can be configured according to a particular site's policies.

Hope that helps,

Ethan

Jeffrey Ethridge wrote:
> Greetings,
>
> I have gotten a cry of "Foul" from our Security people on some of
> the libraries used in netCDF.
>
> Jeff - These results show that there are 30 known security
> vulnerabilities in netCDF, specifically these components - libpng 1.2.1
> (28 vulnerabilities), zlib 1.1.4 (1 vulnerability) and springframework
> 2.5.4 (1 vulnerability).
>
> We were trying to get netCDF version 4.2 approved. I am still trying
> to get the details out of them, other than just a count under the red
> shield in the screen capture below.
>
> Now that I look at it, not sure if this was just netCDF or if it was
> the UI tools.
>
> Either way, does the more recent release get rid of some of these issues?
>
> Thanks,
>
> Jeffrey Noel Ethridge
> Advisory Software Engineer
> Undersea Systems
> Northrop Grumman Corporation

Ticket Details
===================
Ticket ID: SIA-494597
Department: Support netCDF Java
Priority: Normal
Status: Closed
NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.