Security Vulnerability found in Aspose dependency

@ask4dhananjay,

As I said earlier, of the dependencies you described that were found to have vulnerabilities, Aspose.Words for Java only includes org.bouncycastle:bc-fips and com.fasterxml.woodstox:woodstox-core, which have been updated to versions 1.0.2.4 and 6.5.2 respectively in the latest Aspose.Words for Java 23.6 update.

Relevant updates (tickets WORDSJAVA 2812 and WORDSJAVA 2863) have been posted in the Release Notes.

Hi @alexey.maslov
I understand that tickets WORDSJAVA 2812 and WORDSJAVA 2863 have been addressed in recent versions.

My question from the previous thread was:

I don’t see the details of third party / open source products like org.bouncycastle:bc-fips used by Aspose products.

Where can I see all the third party products, including open source, used in Aspose products? This will help us in populating pom.xml properly.

Can you please help me to populate all the 3rd party libraries with version details, as I cannot list them all from the installation guide? (Like org.bouncycastle:bc-fips, which is confirmed as a vulnerability but not listed in the installation guide.)

Regards
Dhananjay

@ask4dhananjay

We have logged a ticket as PDFJAVA-42901 in our issue management system to address your above concerns. We will let you know as soon as the ticket is resolved. Please spare us some time.

A ticket, OMRJAVA-76, has also been logged to address the above concerns. We will look into its details and let you know as soon as it is resolved. We apologize for the inconvenience.

@ask4dhananjay,

We use the following 3rd party libs in Aspose.Words for Java:

  • org.ow2.asm:asm (version 9.2)
  • org.bouncycastle:bc-fips (version 1.0.2.4)
  • org.hsqldb:hsqldb (version 2.2.8)
  • javax.media:jai_codec (version 1.1.3)
  • javax.media:jai_core (version 1.1.3)
  • javax.media:jai_imageio (version 1.1)
  • org.im4java:im4java (version 1.4.0)
  • org.codehaus.woodstox:stax2-api (version 4.2.1)
  • com.fasterxml.woodstox:woodstox-core (version 6.5.2)

In addition, pngencoder-2.0.2, xmlunit-1.2, opentk-via-jogl-1.0 and jogamp-fat-2.3.2 are used.

These third-party libraries are repackaged and contained inside aspose-words-XX.X-jdkXX.jar, and thus you do not need to additionally write dependencies inside your project’s pom or install additional libraries on your computer (except as described in System Requirements).
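Because the libraries listed above are shaded into the Aspose jar rather than declared in your pom, a dependency scanner only sees them if it looks inside the jar. The following added example (not Aspose's code) shows one way to inventory bundled artifacts: it reads any META-INF/maven/<groupId>/<artifactId>/pom.properties entries that survived repackaging (an assumption; vendors may strip them) and flags those older than the fixed versions named in this thread. The jar it inspects is constructed in memory for illustration.

```python
import io
import zipfile
from typing import Dict, List, Tuple

Coord = Tuple[str, str]  # (groupId, artifactId)

# Fixed versions stated earlier in this thread for the two flagged libraries.
FIXED_VERSIONS: Dict[Coord, str] = {
    ("org.bouncycastle", "bc-fips"): "1.0.2.4",
    ("com.fasterxml.woodstox", "woodstox-core"): "6.5.2",
}

def _version_key(v: str) -> Tuple[int, ...]:
    """Turn '1.0.2.4' into (1, 0, 2, 4); non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def bundled_artifacts(jar_bytes: bytes) -> Dict[Coord, str]:
    """Return {(groupId, artifactId): version} for every pom.properties in the jar."""
    found: Dict[Coord, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if all(k in props for k in ("groupId", "artifactId", "version")):
                found[(props["groupId"], props["artifactId"])] = props["version"]
    return found

def below_minimum(found: Dict[Coord, str], minimums: Dict[Coord, str]) -> List[str]:
    """List bundled libraries whose version is older than the vendor's fixed version."""
    return [f"{g}:{a} {found[(g, a)]} < {min_v}"
            for (g, a), min_v in minimums.items()
            if (g, a) in found and _version_key(found[(g, a)]) < _version_key(min_v)]

def make_sample_jar() -> bytes:
    """Constructed stand-in for a vendor jar (not a real Aspose artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/maven/org.bouncycastle/bc-fips/pom.properties",
                   "#generated\ngroupId=org.bouncycastle\nartifactId=bc-fips\nversion=1.0.2.3\n")
        z.writestr("META-INF/maven/com.fasterxml.woodstox/woodstox-core/pom.properties",
                   "groupId=com.fasterxml.woodstox\nartifactId=woodstox-core\nversion=6.5.2\n")
        z.writestr("com/example/Shaded.class", b"\xca\xfe\xba\xbe")  # placeholder class entry
    return buf.getvalue()

if __name__ == "__main__":
    inventory = bundled_artifacts(make_sample_jar())
    for (g, a), v in sorted(inventory.items()):
        print(f"{g}:{a}:{v}")
    for line in below_minimum(inventory, FIXED_VERSIONS):
        print("OUTDATED", line)
```

Point `bundled_artifacts` at the bytes of a real shaded jar to produce the list for your SBOM; an empty result means the metadata was stripped and you must fall back to the vendor's published list.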

@asad.ali
@alexey.maslov

Hi Everyone. Thank you for the details.

You may close this ticket once the outstanding tickets that are pending are addressed.

@ask4dhananjay,

You are welcome.

Once we have updates on any of the logged tickets, we will let you know here.

@ask4dhananjay

The vulnerability is fixed in the new version of Aspose.OMR for Java, 23.11.
Release notes: Aspose.OMR for Java 23.11.0 - Release Notes

The issues you have found earlier (filed as SLIDESJAVA-39217) have been fixed in this update. This message was posted using the Bugs notification tool.

The issues you have found earlier (filed as PDFJAVA-42406) have been fixed in Aspose.PDF for Java 24.3.