Cool Solutions

GroupWise: 8.0.2 Ships!

By: Dean Lythgoe

July 14, 2010 5:43 pm

Today, Novell announced immediate availability of GroupWise 8.0.2, the latest update to the GroupWise 8 product line. It not only adds stability, reliability and quality, but also adds specific features and enhancements!

GroupWise 8.0.2 is now available!

Download here.

This support pack includes a number of new features designed to enhance integration with Novell Teaming and the new Novell Conferencing. Please note that GroupWise 8 SP2 is also required to enable full functionality for Novell Data Synchronizer, which was also released to public beta today! See related blog.

Security Alert

Finally, this support pack includes fixes that address recent GroupWise security issues. Details about these security fixes are provided below. GroupWise 8 SP2 is available to all GroupWise customers with current maintenance. Please note that these security fixes are also publicly available in a GroupWise 7.0.4 Field-Test File (FTF) that can be accessed here.

Security Issue Details

  • The memory stack can overflow when passing a long argument to the NWDSLogout functions in netwin32.dll.

    Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1

    Related TID: 7006432
  • The gwcma1.dll GroupWise module is vulnerable to a stack overflow exploit.

    Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1

    Related TID: 7006431
  • The HTTP interfaces for GroupWise agents (Message Transfer Agent, Post Office Agent, Internet Agent, WebAccess Agent, Monitor Agent) are susceptible to cross-site scripting (XSS) attacks, which could potentially be used by an attacker to steal sensitive information from application users, including parameters such as session credentials.

    Affected Versions: GroupWise 7.0 up to 7.03 HP4, GroupWise 8.0 up to 8.01 HP1

    Related TID: 7006371
  • The HTTP interfaces for GroupWise agents (Message Transfer Agent, Post Office Agent, Internet Agent, WebAccess Agent, Monitor Agent) are vulnerable to an HTTP Header Injection attack that may be used to redirect users to arbitrary sites, perform HTTP Request Smuggling, and execute other attacks against the user’s browser.

    Affected Versions: GroupWise 7.0 up to 7.03 HP4, GroupWise 8.0 up to 8.01 HP1

    Related TID: 7006372
  • Under certain circumstances, parameters passed to GroupWise WebAccess could potentially expose authentication information in the user’s web browser.

    Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1

    Related TID: 7006373
  • The GroupWise Internet Agent is vulnerable to an exploit whereby an authenticated user could potentially cause a stack overflow, which would allow them to execute arbitrary code.

    Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1

    Related TID: 7006374
  • GroupWise WebAccess is vulnerable to a JavaScript XSS exploit in which viewing a specially formatted message could cause users to be redirected to a malicious website.

    Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1

    Related TID: 7006375
  • GroupWise WebAccess is vulnerable to a cross-site scripting (XSS) exploit in which replying to a specially formatted message could cause users to be redirected to a malicious website.

    Affected Versions: GroupWise 8.0 up to 8.01 HP1

    Related TID: 7006376
  • GroupWise WebAccess is vulnerable to cross-site scripting (XSS) via header injection into certain form parameters, which could potentially be used to redirect users to a malicious website, perform HTTP request smuggling, and execute other attacks against the user’s browser.

    Affected Versions: GroupWise 7.0 up to 7.03 HP4, GroupWise 8.0 up to 8.01 HP1

    Related TID: 7006377
  • GroupWise WebAccess is vulnerable to a JavaScript/HTML injection cross-site scripting (XSS) exploit which could potentially be used to redirect users to a malicious website.

    Affected Versions: GroupWise 8.0, 8.01x

    Related TID: 7006379
  • The User Proxy feature of GroupWise WebAccess is vulnerable to a stack overflow exploit whereby an authenticated user could potentially trigger a stack overflow and execute arbitrary code.

    Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1

    Related TID: 7006380

We recommend that you deploy the 7.0.4 FTF if you are running 7.0.x code, and the 8.0.2 code if you are running 8.0. This will ensure your system has all currently available fixes.

As stated in previous blog posts:

“Novell and GroupWise take every security report very seriously. We want our community to be well informed and well protected. GroupWise is very reliable and we know that our customers expect it to be the very best.

We do not disclose the exact details of any security defect so that ample time is provided to administrators to update their systems without malicious individuals having all of the knowledge to exploit any affected areas. Even after a patch is provided and sufficient time has been given to update, not every administrator will be able to act immediately. Some may decide not to act at all and simply follow their own update/deployment schedules.

We do stress – All security issues should be taken seriously and patches applied.
Please follow Best Practices guidelines for updating your system when applying this patch.”

GroupWise 6.x customers should upgrade to GroupWise 8.0.2.

Let us know how it goes!

Dean

11 Comments

  1. By:swoc

    Either I’m blind or there is no 8.0.2 available for download from download.novell.com.

    Can you provide a direct link to the download?

  2. By:hardie77

    I am not seeing a download either.

  3. By:johnstonrd

    I am applying an update today (8.0.1) and would like to apply the 8.0.2, provided we get the download link in time.

    Thanks

    • By:rvanherk

      As mentioned above, on the main download page you will need to click on Search Patches if you are searching for a patch. That’s where the GroupWise SP 2 can be found.

  4. By:jmarton

    The 802 patch status says “open” which I’m assuming is because it contains security fixes, so it should be available I believe to everyone and not just those with maintenance. Can anyone verify that it is indeed available to all customers?

    • By:dlythgoe

      In general, support packs do require that customers be on maintenance. However, this particular support pack has several components that contain security fixes. The components that do have security fixes are available to everyone.

      Helpful?

      Dean

  5. By:MrockaSM

    The link is confusing; you have to search for the version you want under patches.
    Search for 8.02 (not the version you have installed but the patch you want to install) and then you will see the links to download.

    http://download.novell.com/patch/finder/#familyId=114&productId=33444&dateRange=&startDate=&endDate=&priority=&distribution=&architecture=&keywords=

  6. By:grimlock

    http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5073911.html#

    7.04 broke SOAP and thus GMS. The new security release says that it’s security patches only, implying that the previous fix is not in there and applying it would in turn break SOAP and GMS again.

    Can we get some clarification as to whether the fixes in the doc provided above are included in the new release?

    • By:probello

      I just had our build manager check the source code for the currently posted 704 patch and the fixes for both defects, 592389 – SOAP requests fail to a 7.0.4 POA and 585899 – POA TCP-Handler Abend, are in there.

      Pam

      • By:grimlock

        Thanks Pam, I appreciate the quick response.

