Novell Cool Solutions

Novell Info: GroupWise Security Alert



By:

September 16, 2009 11:19 am

Reads:6,453

Comments:2

Score:Unrated

Print/PDF

A new Hot Patch for 7.0.3 was released today that contains fixes for security related issues. That Hot Patch is 7.0.3 HP4. The same fixes for 8.0 were provided on August 31st with the 8.0.1 release. We recommend that you deploy the 7.0.3 HP4, if you are running 7.0.x code and we recommend you deploy the 8.0.1 code if you are running 8.0. This will ensure your system has all currently available fixes.

You can download these patches from here:

Here are the details surrounding these latest changes.

There are roughly 35 total fixes/changes available in this Hot Patch. There is just one security related issue to call out. This is a WebAccess security issue that is very similar to the issues that were reported and resolved with in 7.0.3 HP3. We refer to them as cross-scripting vulnerabilities.

See this TID for more details: 7004410

There are a couple other fixes to highlight.

– Merging text from two outbound messages or Mixing pieces of the log file into message files and then marking them as bad – this has been fixed.

– Notify can connect to the wrong mailbox in rare circumstances bypassing authentication, this can only occur in situations where identical userid’s exist in different PO’s AND NGWNAMESERVER is deployed – this has been fixed.

For details on all of the changes, please see the ‘changelog’ that is available with the download image.

Novell communicated Hot Patch availability for both GroupWise 7 and GroupWise 8 via NGWList, NOVTTP, PSE-DSE lists, blog entries, FaceBook Pages and Twitter.

We have sent communications to every PSE/DSE explaining the details associated with this security issue. NTS, Marketing, Technical Sales specialists and Product Management have all been notified and are available to assist and answer questions.

As stated in previous blog posts:

“Novell and GroupWise take every security report very seriously. We want our community to be well informed and well protected. GroupWise is very reliable and we know that our customers expect it to be the very best.

We do not disclose the exact details of any security defect so that ample time is provided to administrators to update their systems without malicious individuals having all of the knowledge to exploit any affected areas. Even after a patch is provided and sufficient time has been given to update, not every administrator will be able to act immediately. Some may decide not to act at all and simply follow their own update/deployment schedules.

We do stress – All security issues should be taken seriously and patches applied.

Please follow Best Practices guidelines for updating your system when applying this patch.”

GroupWise 6.x customers should upgrade to GroupWise 8.0.1.

Dean

0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.
Loading...Loading...

Categories: GroupWise Blog

2

Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

2 Comments

  1. By:mbt

    Dean can you tell us where we might find a document that details the best practices referred to here:

    “Please follow Best Practices guidelines for updating your system when applying this patch.”

    I’d love to know what Novell’s stated best practice procedures are …

  2. By:dlythgoe

    Almost all of the data for best practices can be found in the GroupWise documentation.

    Here is the link to the ‘Install’ area of our documentation.

    https://www.novell.com/documentation/gw8/gw8_install/?page=/documentation/gw8/gw8_install/data/a8sdpxb.html

    In addition, there are links in the documentation to our ‘Best Practices’ WIKI, where you and others can share their own experiences and update this document for the benefit of everyone.

    Hope you find what you are looking for – let me know if you don’t.

    Dean

Comment

Novell Info: GroupWise Security Alert



By:

May 21, 2009 12:00 am

Reads:9,614

Comments:2

Score:5

Print/PDF

Hot Patches were released today for 7.0.3 and 8.0.0. They are 7.0.3 HP3 and 8.0.0 HP2. Included in these hot patches are code changes to address security related problems.

Download Here

Four of the issues are with WebAccess and two of the issues are with GWIA (GroupWise Internet Agent)

For your reference the TIDs are:

7003266
7003267
7003268
7003271
7003272
7003273

On May 29, VUPEN Security S.A. plans to release notice of security vulnerabilities in GWIA. In anticipation of these notices, Novell communicated Hot Patch availability for both GroupWise 7 and GroupWise 8 via NGWList, NOVTTP, PSE-DSE lists, blog entries, FaceBook Pages and Twitter.

We also sent communications to every PSE/DSE yesterday explaining the details associated with each of these security issues. NTS, Marketing, Technical Sales specialists and Product Management have all been notified and are available to assist and answer questions.

These WebAccess security issues are very much like issues that were reported and resolved with the last set of hot patches. The GWIA issues have to do with buffer overflows.

Novell and GroupWise take every security report very seriously. We want our community to be well informed and well protected. GroupWise is very reliable and we know that our customers expect it to be the very best.

We do not disclose the exact details of any security defect so that ample time is provided to administrators to update their systems without malicious individuals having all of the knowledge to exploit any affected areas. Even after a patch is provided and sufficient time has been given to update, not every administrator will be able to act immediately and some may decide not to act at all and simply follow their own update/deployment schedules.

We do stress – All security issues should be taken seriously and patches applied.

Please follow ‘upgrading’ best practices guidelines when applying this patch. The affected components are GWIA and the WebAccess application.

GroupWise 6.x customers will need to upgrade to GroupWise 8 and apply the hot patches to resolve these security related reports.

In addition, the 7.0.3 HP3 code has a total of 64 defect fixes in this release. The GroupWise 8.0.0 HP2 includes 101 defect fixes. Please refer to the corresponding readme for further details on these code changes.

One more thing…an updated IDM driver for GroupWise 8 was also posted this week:
GroupWise 8 IDM Driver

Dean

1 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 51 vote, average: 5.00 out of 5 (1 votes, average: 5.00 out of 5)
You need to be a registered member to rate this post.
Loading...Loading...

Categories: GroupWise Blog

2

Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

2 Comments

  1. By:penguin_roar

    This patch also fixed our problems with international åöä characters in our webaccess. Theres nothing bad that doesnt bring some good with it =)

    One thing i dont understand tough is why updates for Linux installations of Groupwise arent distributed with rpms?

    • By:dlythgoe

      Glad you found some solutions with the patch!

      I am a little confused by your question about rpms…We do distribute the updates for LInux installations as rpms. They are contained within the image tar ball. The tar ball is an image that would be similar to what you would see on a DVD/CD, if we actually shipped media.

      Are you looking for individual rpms?

      Dean

Comment

RSS