Novell announces a new Hot Patch for GroupWise 8.0.2. This Hot Patch is the latest update for our flagship product.
The Hot Patch is now available and can be downloaded here!
This Hot Patch, build #96395, includes about 200 fixes that have been reported by customers since we released GroupWise 8.0.2 HP2 in January. These fixes are across all GroupWise components, but are more concentrated in the agents in order to provide greater stability and reliability. The Mac client build is #96219.
The main driver for this release was to make sure we continue to have well-tested solutions available to our customers on a consistent basis. This release contains a few security-related changes. We will continue to disclose and communicate all security issues that are reported to us and that we have fixed in a particular release of our product. Many of the security fixes are related to GWIA and WebAccess. A few of the security fixes were discovered and resolved in the viewer technology that we license from Oracle.
This Hot Patch also contains an updated Mac/Linux client. We discovered that later versions of the Mac OS, including Lion, caused our client some stability issues. Those issues have been resolved and are part of this release of the product.
Novell bugs 586821, 657121, CVE-2011-2218, CVE-2011-2219 – The GroupWise Internet Agent (GWIA) is vulnerable to a DoS exploit whereby an attacker could potentially cause the application to crash by inputting certain data.
Related TID: 7006378
Novell bugs 658401, 671490 – A vulnerability exists in the Oracle “Outside In” technology used by GroupWise to view a Microsoft DOCX file attachment that could potentially allow an unauthenticated attacker to execute arbitrary code.
Related TID: 7009207
See also Oracle’s July 2011 “Critical Patch Update Advisory”
Novell bug 678715, CVE-2011-0333 – The GroupWise Internet Agent (GWIA) has a vulnerability in the way that it parses the time zone description (TZNAME) variable within a received VCALENDAR message, which could potentially allow an unauthenticated remote attacker to execute arbitrary code on vulnerable installations of GWIA.
Related TID: 7009208
Novell bug 678939, CVE-2011-0334 – The HTTP interface of the GroupWise Internet Agent (GWIA) is vulnerable to an exploit whereby an attacker could potentially trigger a stack overflow and execute arbitrary code.
Related TID: 7009210
Novell bug 685304, CVE-2010-4325 – The GroupWise Internet Agent (GWIA) has a vulnerability in the way that it parses a weekday calendar recurrence (RRULE) variable within a received VCALENDAR message, which could potentially allow an unauthenticated remote attacker to execute arbitrary code on vulnerable installations of GWIA.
Related TID: 7009212
Novell bugs 688803, 695166 – Vulnerabilities exist in the Oracle “Outside In” technology used by GroupWise to view Lotus 123 and Microsoft CAB file attachments that could potentially allow an unauthenticated attacker to execute arbitrary code.
Related TID: 7009213
See also Oracle’s April 2011 “Critical Patch Update Advisory”
Novell bug 702786, CVE-2011-2661 – GroupWise WebAccess is vulnerable to a cross-site scripting (XSS) exploit in the “Directory.Item.name” parameter whereby an attacker could potentially insert arbitrary HTML and script code that will be executed in a user’s browser session.
Related TID: 7009214
Novell bug 707527, CVE-2011-2662 – The GroupWise Internet Agent (GWIA) has a vulnerability in the way that it parses a weekly calendar recurrence (RRULE) variable within a received VCALENDAR message. The vulnerability could potentially trigger a write operation beyond the bounds of an allocated heap buffer, which could lead to the corruption of memory and the execution of arbitrary code on vulnerable installations of GWIA.
Related TID: 7009215
Novell bug 705917, CVE-2011-2663 – The GroupWise Internet Agent (GWIA) has a vulnerability in the way that it parses yearly calendar recurrence (RRULE) variables within a received VCALENDAR message. The vulnerability could potentially trigger a write operation beyond the bounds of an allocated heap buffer, which could lead to the corruption of memory and the execution of arbitrary code on vulnerable installations of GWIA.
Related TID: 7009216
Affected versions: GroupWise 8.0x, 8.01x, 8.02HP1, 8.02HP2. Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GWIAs and associated Domains to version 8.02HP3 in order to secure their system.
These vulnerabilities were discovered and reported by the following parties:
- James Ogden with Salford Software.
- Anonymous working with TippingPoint’s Zero Day Initiative, ZDI-CAN-1187
- Carsten Eiram with Secunia Research. Secunia advisory SA43513, SA43513#2 and also by Anonymous working with Verisign’s iDefense Labs, V-njhf06jlo, V-yl5u7zhuzu
- Will Dormann at US-CERT.
- Joshua Tiago, Cirosec, via Secunia (Secunia advisory SA44328).
- Anonymous working with Verisign’s iDefense Labs, V-0r6xx5bqyc, V-t0ml0ufzg6, V-1idu9rzv8d
As stated in previous blog posts:
“Novell and GroupWise take every security report very seriously. We want our community to be well informed and well protected. GroupWise is very reliable and we know that our customers expect it to be the very best.
We do stress – All security issues should be taken seriously and patches applied.
Please follow Best Practices guidelines for updating your system when applying this patch.”
For a list of the issues resolved in this Hot Patch, please refer to the release notes, which can be found as part of the download.
Data Synchronizer Mobility Pack 1.2
I’m sure you are all aware of this thanks to product announcements and Alex Evan’s blog on the topic. However, it never hurts to overcommunicate. Please be aware that the Novell Data Synchronizer Mobility Pack, version 1.2, was released on August 5th. It is now available and ready for deployment. We have had several hundred downloads already and our support department confirms that this release is the best yet.
We want to showcase and highlight two major improvements in this release. First, the availability and support for HTML email on all iOS devices. Second, the increased scalability to 500 users per server.
This is build 579.
There are multiple ways to get the latest update. See this previous blog post for those details.
BrainShare 2011 – October 10-14 in Salt Lake City
I hope you are all coming to BrainShare. We have over 20 sessions dedicated specifically to GroupWise and Mobility. We are very excited to have expert presenters, deep content and great engineering representation. We will be talking a lot about GroupWise… GroupWise Ascot Windows Client, WebAccess and iPad will be the highlights. Installing, troubleshooting and configuring Data Synchronizer are sure to be popular sessions. All good things for sure! However, we will also be spending keynotes, sessions and time talking about the roadmap, quicker release cycles, and the new commitment and focus from Attachmate on GroupWise and Collaboration!
We will be showing demos of the Windermere Administration solution. We will also be listening! We want to meet with you, strategize with you and learn your businesses. It is important to us that we make our products and solutions meet your business objectives.