Patches & Updates

GW7 SP3 HP2 and GW8 HP1 Hotpatches

30.01.09 | 1 Comment

Patch up !

Hotpatches (client and server) are available for GW7 (GW7 SP3 HP2) and GW8 (GW8 HP1). They contain numerous fixes (see below), including security fixes for a WebAccess vulnerability that, according to Dean Lythgoe’s blog, is a “very low” severity threat/concern. But an issue nonetheless.

Download GW7 SP3 HP2 or GW8 HP1.

For info on the vulnerability, check out TIDs 7002319, 7002320, 7002321, 7002322 and 7002502.

FYI – the fixes for GW7 …

security fixes
Novell GroupWise WebAccess is vulnerable to a Cross-Site Request Forgery attack, where an attacker could compromise a GroupWise account, through a user visiting a malicious web page or clicking on a link containing a forged HTTP request. (bug 436690). This vulnerability was discovered and reported by Adrian Pastor – ProCheckUp, Ltd (http://www.procheckup.com/), CVE-2009-0272.

Novell GroupWise WebAccess is vulnerable to a *persistent* Cross-site Scripting attack, which could allow an attacker to cause execution of malicious scripting code in the browser of an end-user, resulting in a persistent defacement of the target site, or the redirection of confidential information to unauthorized third parties. (bug 436687). This vulnerability was discovered and reported by Adrian Pastor – ProCheckUp, Ltd (http://www.procheckup.com/), CVE-2009-0273

Novell GroupWise WebAccess is vulnerable to Cross-site Scripting (XSS) via POST requests, which could result in non-persistent defacement of the target site, or the redirection of confidential information to unauthorized third parties. (bug 436680). This vulnerability was discovered and reported by Adrian Pastor – ProCheckUp, Ltd (http://www.procheckup.com/), CVE-2009-0273

Novell GroupWise WebAccess is vulnerable to an issue whereby requests submitted as “POST” requests can be converted to “GET” requests, thereby potentially allowing an attacker to gain access to GroupWise information using a specially crafted URL. (bug 436691). This vulnerability was discovered and reported by Adrian Pastor – ProCheckUp, Ltd (http://www.procheckup.com/), CVE-2009-0274

A vulnerability exists in the Novell GroupWise Internet Agent (GWIA) that could potentially allow a remote attacker to use malformed arguments to execute arbitrary code on a server running GWIA. This vulnerability was discovered and reported by Nick DeBaggis working with TippingPoint’s Zero Day Initiative (http://www.zerodayinitiative.com), ZDI-CAN-384
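The CSRF and POST-to-GET items above are related in general terms: if a state-changing action is honoured as a GET, a plain link is enough to carry a forged request. The sketch below is an added example, not Novell's code and not part of the original post, showing a server-side gate that pins such actions to POST and checks a session-bound token; the action names, request layout and token scheme are assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical action names; the page does not list WebAccess's real ones.
STATE_CHANGING = {"send_mail", "add_rule", "delete_item"}
READ_ONLY = {"read_item", "list_folder"}
SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to the browser


def issue_token(session_id):
    """Anti-CSRF token bound to one session; the server embeds it in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(req):
    """Return (allowed, reason) for an already authenticated request dict."""
    method, action = req["method"].upper(), req["action"]
    if action in READ_ONLY:
        return (method in ("GET", "POST"), "read-only action")
    if action not in STATE_CHANGING:
        return (False, "unknown action")
    # Method pinning: never honour a state-changing action sent as GET, so a
    # link or image URL on another site cannot trigger it.
    if method != "POST":
        return (False, "state-changing action requires POST")
    # Read the token from the POST body only; a copy in the query string is
    # ignored, so a crafted URL cannot carry it.
    supplied = str(req.get("form", {}).get("csrf_token", "")).encode()
    expected = issue_token(req["session"]).encode()
    if not hmac.compare_digest(supplied, expected):
        return (False, "missing or invalid CSRF token")
    return (True, "ok")


def demo():
    """Run constructed requests (not captured traffic) through the gate."""
    sid = "session-A"
    good = issue_token(sid)
    requests = {
        "forged link (GET)": {"method": "GET", "action": "add_rule", "session": sid,
                              "query": {"csrf_token": good}},
        "forged form, no token": {"method": "POST", "action": "add_rule", "session": sid,
                                  "form": {}},
        "token from other session": {"method": "POST", "action": "add_rule", "session": sid,
                                     "form": {"csrf_token": issue_token("session-B")}},
        "legitimate form": {"method": "POST", "action": "add_rule", "session": sid,
                            "form": {"csrf_token": good}},
        "mailbox read": {"method": "GET", "action": "list_folder", "session": sid},
    }
    return {name: check_request(r) for name, r in requests.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:26} allowed={allowed} ({reason})")
```

Only the request that is both a POST and carries the token issued for its own session passes; the GET variant is refused even though it carries a valid token in the query string.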

change log

Admin
448797 Locking out old snapins puts an incorrect date in the box
464605 Plain Text global signatures are getting cut off
458466 D105 Directory Services Error when syncing caching mailbox after a mailbox was moved
465046 Setting for CalPub Subscription should always be enabled

Calendar Publisher
463977 Calendar publishing agent throwing an exception when trying to access the published calendar in caching mode
448828 Calendars are not published

Linux Client
458467 Crashing in Linux when doing some things with an IMAP account connected to a GW mailbox through IMAP
463961 Day String in Mail Item is Garbled
447352 Meeting participants change after doing busy search if you have more than one appointment open
464523 When other parts of world have made time adjustments, but the US hasn’t, the additional time zone in Cal is wrong
464674 Folder names missing in Linux Client
464609 Cal – Additional TZs are incorrect – EST and IST should be 10.5 hrs but according to GW midnight EST is 8:30 AM IST
458101 FW of HTML eMails changes font size

Macintosh Client
457796 Newest client fails to load – Cannot launch Java application

Windows Client
457481 Sharing address book with additional users in caching mode revokes and reinvites already shared users
458463 Using the Client LDAP address book more than once crashes the client
463959 Can not add contacts to CC and BCC when selected from Address Book while composing new mail in Chinese version of the client
465066 Address book only shows partial list of names
329880 Mark Holidays in the GW Calendar as non working day
463681 Attaching a vCard from the Address book causes client to crash
463680 Server certificate is not validated when connecting
447234 Users are not seeing the “Subscribe” option when it should be available
464544 Calendar publishing agent throwing an exception when trying to access the published calendar in caching mode
457483 GroupWise crashes when closing with Month or with Month and Calendar view
458458 Version list does not work
458461 GroupWise users moved to a different Post Office does not see new items in the Shared Folders
447853 Shared folder rights modifications does not get synchronized to caching/remote mailboxes
464167 Properties dialog on find results folder moves behind main window when a poll hits causing client to lock up
465052 Broken Hungarian characters in reply
444634 A picture added in a message body is stripped off
464607 Using OpenOffice 3 as the mail editor results in a C++ runtime error
458495 Client crashes after replying to an email with non available image
463956 Crash in Autosave when sending to large distribution list
457476 When sending mail through Mail Merge in MS Office, resending through client will resend to incorrect user
464611 Client hangs when getting a poll in the calendar
463955 Crash printing calendar
464296 Client hangs when replying to certain plain text message with default HTML compose
464264 Deleted signatures reappear after proxying to another mailbox
458469 JPG Images in Signatures get Cut off in the Sig editor and when they are attached to emails
463679 Switching writing tools language causes the client to crash on WTWLE16.DLL
456139 D11B errors using the tasklist
458451 D11B errors using the tasklist

Engine
457686 POA PFPE in gwenn5.nlm processing a file

GWIA
457680 Relayed “Forward as Attachment” messages getting messed up
444224 Core file generated in Linux
458482 General Failure FF01 on GWIA Screen
457683 GWIA abends on incoming messages
429475 GWIA sends undeliverable messages to wrong sender
458456 flatfwd deletes the mail
457797 Multiple abends in GWIA
466232 IMAP on the GWIA does not release memory on a no-op
458470 GWIA.NLM – Memory Leak
465053 Abend freeing memory
457479 GWIA crashes every 10 – 20 minutes truncating logs
447290 GWIA is mixing pieces of the log file into message files and then marking them as bad
457689 Gwia.nlm freeing memory that has the rtag nulled out
446155 GWIA Command Buffer Overflow
463686 GWIA memory leak

Time Stamp Utility
463954 Error 930D in the logger screen running GWTMSTMP.NLM

POA
457473 Page Fault Processor Exception, GWTCP-Monitor Process
458483 Handle new X-GW-CalHost-Ip information from the web publishing host
459635 GWDCA errors when running in a cluster
457468 POA abend GWENN5.NLM
458889 Delegate a recurring appointment crashed
445760 POA CPU Hog Detected by Timer abend
464535 SizeOfAllocBlock detected corrupt trailing redzone, GWTCP–Handle Process
459940 Post office agent keeps randomly dropping
458526 Display queue info from http console crashed
456588 Scheduled Events for Mailbox Statistics produce inaccurate reports
457470 Rules not firing on an IMAP Append command

SOAP and API’s
463958 Invalid object returned in getting a SAB Group
448914 Data corruption doing stubbing
446564 Changed COM methods
456073 Double free crash in getting events
459203 Crash and data corruption using AddressBook.ProviderID

MTA
448358 ABEND in NGWROUTER PROCESS on the MTA
467013 NSS volumes go unresponsive when running GW agents on volume

Webaccess
449822 Can’t drag and drop items to a shared folder
456304 Page Fault Processor Exception, Running Process GWINTER
457451 Security vulnerability report – WebAccess discloses version information
457452 Security report – WebAccess vulnerable to persistent XSS / HTML Injection
457453 Security report – Cross-site Request Forgery on WebAccess allows email theft and other attacks
457661 The Advanced Find template shows an error when loading…
460361 Calendar Tab takes over 3 minutes to load – High Load on POA agent
459571 Autosave does not work
458774 Notes Tab takes you to login page
462065 After clicking Print View button a login page is displayed
462594 Can’t delete items from a shared calendar when you are in Day view
462612 Can’t delete an item from a shared folder
462620 Name completion is not working when selecting “Last, First name sort order” option
463151 Can’t expand or reduce the duration of an appointment in a shared calendar with edit rights
464516 Post Message button doesn’t appear in toolbar when you have a folder with add and edit rights

FYI – the fixes for GW8 …

security fixes
Novell GroupWise WebAccess is vulnerable to a Cross-Site Request Forgery attack, where an attacker could compromise a GroupWise account, through a user visiting a malicious web page or clicking on a link containing a forged HTTP request. (bug 436690). This vulnerability was discovered and reported by Adrian Pastor – ProCheckUp, Ltd (http://www.procheckup.com/), CVE-2009-0272.

Novell GroupWise WebAccess is vulnerable to a *persistent* Cross-site Scripting attack, which could allow an attacker to cause execution of malicious scripting code in the browser of an end-user, resulting in a persistent defacement of the target site, or the redirection of confidential information to unauthorized third parties. (bug 436687). This vulnerability was discovered and reported by Adrian Pastor – ProCheckUp, Ltd (http://www.procheckup.com/), CVE-2009-0273

Novell GroupWise WebAccess is vulnerable to Cross-site Scripting (XSS) via POST requests, which could result in non-persistent defacement of the target site, or the redirection of confidential information to unauthorized third parties. (bug 436680). This vulnerability was discovered and reported by Adrian Pastor – ProCheckUp, Ltd (http://www.procheckup.com/), CVE-2009-0273

Novell GroupWise WebAccess is vulnerable to an issue whereby requests submitted as “POST” requests can be converted to “GET” requests, thereby potentially allowing an attacker to gain access to GroupWise information using a specially crafted URL. (bug 436691). This vulnerability was discovered and reported by Adrian Pastor – ProCheckUp, Ltd (http://www.procheckup.com/), CVE-2009-0274

A vulnerability exists in the Novell GroupWise Internet Agent (GWIA) that could potentially allow a remote attacker to use malformed arguments to execute arbitrary code on a server running GWIA. This vulnerability was discovered and reported by Nick DeBaggis working with TippingPoint’s Zero Day Initiative (http://www.zerodayinitiative.com), ZDI-CAN-384

change log

Admin
448797 Locking out old snapins puts an incorrect date in the box
464605 Plain Text global signatures are getting cut off
458466 D105 Directory Services Error when syncing caching mailbox after a mailbox was moved
465046 Setting for CalPub Subscription should always be enabled

Calendar Publisher
463977 Calendar publishing agent throwing an exception when trying to access the published calendar in caching mode
448828 Calendars are not published

Linux Client
458467 Crashing in Linux when doing some things with an IMAP account connected to a GW mailbox through IMAP
463961 Day String in Mail Item is Garbled
447352 Meeting participants change after doing busy search if you have more than one appointment open
464523 When other parts of world have made time adjustments, but the US hasn’t, the additional time zone in Cal is wrong
464674 Folder names missing in Linux Client
464609 Cal – Additional TZs are incorrect – EST and IST should be 10.5 hrs but according to GW midnight EST is 8:30 AM IST
458101 FW of HTML eMails changes font size

Macintosh Client
457796 Newest client fails to load – Cannot launch Java application

Windows Client
457481 Sharing address book with additional users in caching mode revokes and reinvites already shared users
458463 Using the Client LDAP address book more than once crashes the client
463959 Can not add contacts to CC and BCC when selected from Address Book while composing new mail in Chinese version of the client
465066 Address book only shows partial list of names
329880 Mark Holidays in the GW Calendar as non working day
463681 Attaching a vCard from the Address book causes client to crash
463680 Server certificate is not validated when connecting
447234 Users are not seeing the “Subscribe” option when it should be available
464544 Calendar publishing agent throwing an exception when trying to access the published calendar in caching mode
457483 GroupWise crashes when closing with Month or with Month and Calendar view
458458 Version list does not work
458461 GroupWise users moved to a different Post Office does not see new items in the Shared Folders
447853 Shared folder rights modifications does not get synchronized to caching/remote mailboxes
464167 Properties dialog on find results folder moves behind main window when a poll hits causing client to lock up
465052 Broken Hungarian characters in reply
444634 A picture added in a message body is stripped off
464607 Using OpenOffice 3 as the mail editor results in a C++ runtime error
458495 Client crashes after replying to an email with non available image
463956 Crash in Autosave when sending to large distribution list
457476 When sending mail through Mail Merge in MS Office, resending through client will resend to incorrect user
464611 Client hangs when getting a poll in the calendar
463955 Crash printing calendar
464296 Client hangs when replying to certain plain text message with default HTML compose
464264 Deleted signatures reappear after proxying to another mailbox
458469 JPG Images in Signatures get Cut off in the Sig editor and when they are attached to emails
463679 Switching writing tools language causes the client to crash on WTWLE16.DLL
456139 D11B errors using the tasklist
458451 D11B errors using the tasklist

Engine
457686 POA PFPE in gwenn5.nlm processing a file

GWIA
457680 Relayed “Forward as Attachment” messages getting messed up
444224 Core file generated in Linux
458482 General Failure FF01 on GWIA Screen
457683 GWIA abends on incoming messages
429475 GWIA sends undeliverable messages to wrong sender
458456 flatfwd deletes the mail
457797 Multiple abends in GWIA
466232 IMAP on the GWIA does not release memory on a no-op
458470 GWIA.NLM – Memory Leak
465053 Abend freeing memory
457479 GWIA crashes every 10 – 20 minutes truncating logs
447290 GWIA is mixing pieces of the log file into message files and then marking them as bad
457689 Gwia.nlm freeing memory that has the rtag nulled out
446155 GWIA Command Buffer Overflow
463686 GWIA memory leak

Time Stamp Utility
463954 Error 930D in the logger screen running GWTMSTMP.NLM

POA
457473 Page Fault Processor Exception, GWTCP-Monitor Process
458483 Handle new X-GW-CalHost-Ip information from the web publishing host
459635 GWDCA errors when running in a cluster
457468 POA abend GWENN5.NLM
458889 Delegate a recurring appointment crashed
445760 POA CPU Hog Detected by Timer abend
464535 SizeOfAllocBlock detected corrupt trailing redzone, GWTCP–Handle Process
459940 Post office agent keeps randomly dropping
458526 Display queue info from http console crashed
456588 Scheduled Events for Mailbox Statistics produce inaccurate reports
457470 Rules not firing on an IMAP Append command

SOAP and API’s
463958 Invalid object returned in getting a SAB Group
448914 Data corruption doing stubbing
446564 Changed COM methods
456073 Double free crash in getting events
459203 Crash and data corruption using AddressBook.ProviderID

MTA
448358 ABEND in NGWROUTER PROCESS on the MTA
467013 NSS volumes go unresponsive when running GW agents on volume

Webaccess
449822 Can’t drag and drop items to a shared folder
456304 Page Fault Processor Exception, Running Process GWINTER
457451 Security vulnerability report – WebAccess discloses version information
457452 Security report – WebAccess vulnerable to persistent XSS / HTML Injection
457453 Security report – Cross-site Request Forgery on WebAccess allows email theft and other attacks
457661 The Advanced Find template shows an error when loading…
460361 Calendar Tab takes over 3 minutes to load – High Load on POA agent
459571 Autosave does not work
458774 Notes Tab takes you to login page
462065 After clicking Print View button a login page is displayed
462594 Can’t delete items from a shared calendar when you are in Day view
462612 Can’t delete an item from a shared folder
462620 Name completion is not working when selecting “Last, First name sort order” option
463151 Can’t expand or reduce the duration of an appointment in a shared calendar with edit rights
464516 Post Message button doesn’t appear in toolbar when you have a folder with add and edit rights