A new Hot Patch for 7.0.3 was released today that contains fixes for security related issues. That Hot Patch is 7.0.3 HP4. The same fixes for 8.0 were provided on August 31st with the 8.0.1 release. We recommend that you deploy the 7.0.3 HP4, if you are running 7.0.x code and we recommend you deploy the 8.0.1 code if you are running 8.0. This will ensure your system has all currently available fixes.
Here are the details surrounding these latest changes.
There are roughly 35 total fixes/changes available in this Hot Patch. There is just one security related issue to call out. This is a WebAccess security issue that is very similar to the issues that were reported and resolved with in 7.0.3 HP3. We refer to them as cross-scripting vulnerabilities.
See this TID for more details: 7004410
There are a couple other fixes to highlight.
– Merging text from two outbound messages or Mixing pieces of the log file into message files and then marking them as bad – this has been fixed.
– Notify can connect to the wrong mailbox in rare circumstances bypassing authentication, this can only occur in situations where identical userid’s exist in different PO’s AND NGWNAMESERVER is deployed – this has been fixed.
For details on all of the changes, please see the ‘changelog’ that is available with the download image.
Novell communicated Hot Patch availability for both GroupWise 7 and GroupWise 8 via NGWList, NOVTTP, PSE-DSE lists, blog entries, FaceBook Pages and Twitter.
We have sent communications to every PSE/DSE explaining the details associated with this security issue. NTS, Marketing, Technical Sales specialists and Product Management have all been notified and are available to assist and answer questions.
As stated in previous blog posts:
“Novell and GroupWise take every security report very seriously. We want our community to be well informed and well protected. GroupWise is very reliable and we know that our customers expect it to be the very best.
We do not disclose the exact details of any security defect so that ample time is provided to administrators to update their systems without malicious individuals having all of the knowledge to exploit any affected areas. Even after a patch is provided and sufficient time has been given to update, not every administrator will be able to act immediately. Some may decide not to act at all and simply follow their own update/deployment schedules.
We do stress – All security issues should be taken seriously and patches applied.
Please follow Best Practices guidelines for updating your system when applying this patch.”
GroupWise 6.x customers should upgrade to GroupWise 8.0.1.