
Download GroupWise 8 SP2 Now

15.07.10

GroupWise 8 SP2 is available for download.

Dean Lythgoe published the following on his blog, concerning a security alert that comes with the support pack:

Security Alert

Finally, this support pack includes fixes that address recent GroupWise security issues. Details about these security fixes are provided below. GroupWise 8 SP2 is available to all GroupWise customers with current maintenance. Please note that these security fixes are also publicly available in a GroupWise 7.0.4 Field-Test File (FTF) (…).

Security Issue Details

* The memory stack can overflow when passing a long argument to the NWDSLogout functions in netwin32.dll.
Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1
Related TID: 7006432

* The gwcma1.dll GroupWise module is vulnerable to a stack overflow exploit.
Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1
Related TID: 7006431

* The HTTP interfaces for GroupWise agents (Message Transfer Agent, Post Office Agent, Internet Agent, WebAccess Agent, Monitor Agent) are susceptible to cross-site scripting (XSS) attacks, which could potentially be used by an attacker to steal sensitive information from application users, including parameters such as session credentials.
Affected Versions: GroupWise 7.0 up to 7.03 HP4, GroupWise 8.0 up to 8.01 HP1
Related TID: 7006371

* The HTTP interfaces for GroupWise agents (Message Transfer Agent, Post Office Agent, Internet Agent, WebAccess Agent, Monitor Agent) are vulnerable to an HTTP Header Injection attack that may be used to redirect users to arbitrary sites, perform HTTP Request Smuggling, and execute other attacks against the user’s browser.
Affected Versions: GroupWise 7.0 up to 7.03 HP4, GroupWise 8.0 up to 8.01 HP1
Related TID: 7006372

* Under certain circumstances, parameters passed to GroupWise WebAccess could potentially expose authentication information in the user’s web browser.
Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1
Related TID: 7006373

* The GroupWise Internet Agent is vulnerable to an exploit whereby an authenticated user could potentially cause a stack overflow, which would allow them to execute arbitrary code.
Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1
Related TID: 7006374

* GroupWise WebAccess is vulnerable to a JavaScript XSS exploit in which viewing a specially formatted message could cause users to be redirected to a malicious website.
Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1
Related TID: 7006375

* GroupWise WebAccess is vulnerable to a cross-site scripting (XSS) exploit in which replying to a specially formatted message could cause users to be redirected to a malicious website.
Affected Versions: GroupWise 8.0 up to 8.01 HP1
Related TID: 7006376

* GroupWise WebAccess is vulnerable to cross-site scripting (XSS) via header injection into certain form parameters, which could potentially be used to redirect users to a malicious website, perform HTTP request smuggling, and execute other attacks against the user’s browser.
Affected Versions: GroupWise 7.0 up to 7.03 HP4, GroupWise 8.0 up to 8.01 HP1
Related TID: 7006377

* GroupWise WebAccess is vulnerable to a JavaScript/HTML injection cross-site scripting (XSS) exploit which could potentially be used to redirect users to a malicious website.
Affected Versions: GroupWise 8.0, 8.01x
Related TID: 7006379

* The User Proxy feature of GroupWise WebAccess is vulnerable to a stack overflow exploit whereby an authenticated user could potentially trigger a stack overflow and execute arbitrary code.
Affected Versions: GroupWise 7.0 up to 7.04, GroupWise 8.0 up to 8.01 HP1
Related TID: 7006380

We recommend that you deploy the 7.0.4 FTF if you are running 7.0.x code, and we recommend you deploy the 8.0.2 code if you are running 8.0. This will ensure your system has all currently available fixes.
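For triaging an inventory against the list above, the following added example (not part of the quoted alert or any Novell tooling) maps a reported GroupWise version to the TIDs whose affected range includes it. The version-string parsing, the `ANY_HP` sentinel and the host names are assumptions made for the example; the ranges are transcribed from the "Affected Versions" lines.

```python
import re

ANY_HP = 99  # constructed sentinel: "any hot patch level", for the "8.01x" entry
V7_04, V7_03_HP4, V8_01_HP1 = (7, 4, 0), (7, 3, 4), (8, 1, 1)

def spans(v7_high, v8_high=V8_01_HP1):
    """Inclusive (low, high) ranges; v7_high=None means no 7.x versions listed."""
    v8 = [((8, 0, 0), v8_high)]
    return v8 if v7_high is None else [((7, 0, 0), v7_high)] + v8

# TID -> affected ranges, transcribed from the "Affected Versions" lines above.
ADVISORY = {
    "7006432": spans(V7_04), "7006431": spans(V7_04),
    "7006371": spans(V7_03_HP4), "7006372": spans(V7_03_HP4),
    "7006373": spans(V7_04), "7006374": spans(V7_04),
    "7006375": spans(V7_04), "7006376": spans(None),
    "7006377": spans(V7_03_HP4),
    "7006379": spans(None, (8, 1, ANY_HP)),
    "7006380": spans(V7_04),
}

def parse_version(text):
    """Turn '7.03 HP4', '7.0.4', '8.01' or '8.0' into (major, minor, hot_patch)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HP\s*(\d+))?\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised GroupWise version: {text!r}")
    major, second, third, hp = m.groups()
    # Assumption: '7.0.4' and '7.04' name the same support pack level.
    minor = int(third) if third is not None else int(second)
    return (int(major), minor, int(hp or 0))

def applicable_tids(version_text):
    """Return the sorted TIDs whose affected range includes this version."""
    v = parse_version(version_text)
    return sorted(tid for tid, ranges in ADVISORY.items()
                  if any(low <= v <= high for low, high in ranges))

if __name__ == "__main__":
    # Constructed inventory of reported agent versions, not real hosts.
    for host, version in [("poa-01", "7.03 HP4"), ("gwia-01", "7.04"),
                          ("webacc-01", "8.01 HP1"), ("mta-01", "8.0.2")]:
        print(host, version, applicable_tids(version) or "no listed TIDs")
```

A version string alone cannot show whether the 7.0.4 FTF has been applied, so any host reporting 7.04 is flagged and needs to be checked by hand.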
