Dyalog and Security-related Vulnerabilities

Last updated 2024-04-02

We occasionally receive enquiries as to the susceptibility of Dyalog, or applications implemented in Dyalog, to security‑related vulnerabilities. This page lists vulnerabilities that we have either responded to or been asked to comment on.

XZ Utils

Last updated 2024-04-02

CVE-2024-3094: No part of Dyalog or its associated features makes use of XZ in any form. We have verified that none of our internal or outward-facing servers are affected.


GnuTLS

Last updated 2022-07-04

Our secure TCP layer, known as Conga, uses GnuTLS to implement secure communications. We monitor security bulletins related to GnuTLS, and re-compile and make new versions of Conga available as required.

CVE-2014-0092: On all platforms, Conga v2.4 and earlier are exposed to the security bug described in CVE-2014-0092. This affects the use of Conga with secure communications (SSL and TLS) only. Conga v2.5 was recompiled in March 2014 against GnuTLS 3.2.12, which contains a fix for this issue.


OpenSSL

Last updated 2022-12-14

The Dyalog interpreter does not make any use of OpenSSL. The Dyalog Cryptographic Library provides APL applications with access to cryptographic functions supplied by OpenSSL, but does not use OpenSSL 3.0 or provide access to the TLS/SSL features of the library.

CVE-2022-3786, CVE-2022-3602 and CVE-2022-3996: No part of Dyalog, nor any library shipped by Dyalog Ltd, makes use of the affected versions of OpenSSL. We have verified that none of our internal or outward-facing servers are affected.


zlib

Last updated 2023-01-20

Both the Dyalog interpreter and Conga make use of zlib.

CVE-2022-37434: Although all currently released versions make use of various versions of zlib up to and including 1.2.12, neither the interpreter nor Conga makes use of the affected function inflateGetHeader, and thus neither is open to the vulnerability.
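
A statement of this kind can be checked against a binary that links zlib dynamically. The following is an added example, not Dyalog code or tooling: it reads the dynamic symbol table of a 64-bit little-endian ELF image and reports whether `inflateGetHeader` is imported. The two images it inspects are constructed in the code, and all function and variable names are illustrative.

```python
import struct

AFFECTED = {b"inflateGetHeader"}  # function the page names for CVE-2022-37434
SHT_DYNSYM, SHN_UNDEF = 11, 0

def undefined_imports(elf: bytes) -> set:
    """Names of dynamic symbols a 64-bit little-endian ELF imports from other libraries."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("expected a 64-bit little-endian ELF image")
    (shoff,) = struct.unpack_from("<Q", elf, 0x28)
    shentsize, shnum = struct.unpack_from("<HH", elf, 0x3A)
    # Elf64_Shdr fields: name, type, flags, addr, offset, size, link, info, align, entsize
    secs = [struct.unpack_from("<IIQQQQIIQQ", elf, shoff + i * shentsize) for i in range(shnum)]
    found = set()
    for _, typ, _, _, off, size, link, _, _, entsize in secs:
        if typ != SHT_DYNSYM or not entsize:
            continue
        str_off = secs[link][4]  # sh_link points at the matching string table
        for pos in range(off, off + size, entsize):
            st_name, _info, _other, st_shndx = struct.unpack_from("<IBBH", elf, pos)
            if st_name and st_shndx == SHN_UNDEF:  # undefined here, resolved at load time
                start = str_off + st_name
                found.add(elf[start:elf.index(b"\0", start)])
    return found

def affected_imports(elf: bytes) -> set:
    return AFFECTED & undefined_imports(elf)

def build_sample(symbols) -> bytes:
    """Constructed test image: ELF header, .dynstr, .dynsym and three section headers only."""
    dynstr, syms = b"\0", [bytes(24)]  # index 0 is the mandatory null symbol
    for name, shndx in symbols:
        syms.append(struct.pack("<IBBHQQ", len(dynstr), 0x12, 0, shndx, 0, 0))
        dynstr += name + b"\0"
    dynsym = b"".join(syms)
    str_at, sym_at = 64, 64 + len(dynstr)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, sym_at + len(dynsym), 0, 64, 0, 0, 64, 3, 0)
    def shdr(typ, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, off, size, link, 0, 1, entsize)
    return (hdr + dynstr + dynsym + bytes(64)
            + shdr(3, str_at, len(dynstr), 0, 0) + shdr(SHT_DYNSYM, sym_at, len(dynsym), 1, 24))

# Constructed samples: one consumer that only inflates, one that also reads gzip headers.
INFLATE_ONLY = build_sample([(b"inflateInit2_", 0), (b"inflate", 0), (b"local_helper", 1)])
READS_HEADER = build_sample([(b"inflate", 0), (b"inflateGetHeader", 0)])

if __name__ == "__main__":
    print(affected_imports(INFLATE_ONLY), affected_imports(READS_HEADER))
```

An empty result covers dynamic imports only. A binary that links zlib statically, or resolves the function at run time, needs a different check.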


Java

Last updated 2022-07-04

Dyalog is not vulnerable to any Java-related security issues: No part of Java is required or included with Dyalog itself. Examples of recent vulnerabilities are:

Dyalog uses the Jenkins automation server internally, to schedule jobs which build Dyalog. Our use of Jenkins only relies on the Java runtime engine.




Andy Shiers
