GroupWise 7 SP3 Windows Client US and MULTI 703

This document (5008982) is provided subject to the disclaimer at the end of this document.

patches this patch supersedes

File	Product	Status	Patch
gw702cmulti.exe	GroupWise 7.0.2	Obsolete	GroupWise 7 SP2 Windows Client US and MULTI 7.0.2
gw702HP1acmulti.exe	GroupWise 7.0.2	Obsolete	FTF: GroupWise 7.0.2 Hot Patch 2 Windows client Rev 1 702HP1a
gw703cmulti.exe	GroupWise 7.0.3	Obsolete	GroupWise 703 Windows Clients

patches that supersede this patch

This patch is not superseded by any other patches.

patch attributes

Architecture: x86

Security patch: Yes

Priority: Mandatory

Distribution Type: Public

http://download.novell.com/Download?buildid=i_kvYsjao3E~

document

Revision: 4

Document ID: 5008982

Creation Date: 2008-03-14 09:07:34

Modified Date: 2008-03-25 12:56:27

abstract

Service Pack 3 for GW 7.0 has been released. Please view the readme for specific instructions and included bug fixes.

details

Full readme found at:
http://www.novell.com/documentation/gw7/readmeusgw7sp3/readmeusgw7sp3.html

security fixes

Description:

A security vulnerability exists in the GroupWise Windows client API that can allow programmatic access to non-authorized email under certain conditions. The attacker must first authenticate to GroupWise and be a recipient of a shared folder from another user. The attacker could then exploit the vulnerability to gain unauthorized access to non-shared email in the mailbox of the sharer.

Cause: An unspecified error in the Windows client API
CVE-2008-1330

Workaround:

Users that have shared folders with other users can protect their email by removing shared access until remedial steps have been completed. It is not necessary to delete the contents of the shared folders and they can be re-shared after the administrator has locked out older client versions.

To remove shared access to a folder select the shared folder, click File > Sharing, then select Not shared.

Remedy:

For GroupWise 7 - Customers running GroupWise 7.0 clients should immediately upgrade all clients to GroupWise 7 SP3 (dated 09 Mar 2008) and lock out older clients via ConsoleOne.

GroupWise 6.5 Windows - Customers running GroupWise 6.5 Windows clients should immediately upgrade all Windows clients to the GroupWise 6.5 SP6 client Update 3 (dated 11 Mar 2008), or upgrade to GroupWise 7 SP3. Older clients must be locked out via ConsoleOne.

GroupWise 6.5 Linux - Customers running GroupWise 6.5 Linux or Mac clients should immediately upgrade to GroupWise 7 SP3 (dated 09 Mar 2008).

For GroupWise 6.0 and previous - Customers still running unsupported GroupWise client versions (5.x and 6) should immediately upgrade clients and servers to either GroupWise 6.5 SP6 Update 3 or to GroupWise 7 SP3. Older clients must be locked out via ConsoleOne.

If Blackberry Enterprise Server (BES) is installed in a GroupWise 7 environment then upgrade the BES to a version which supports the GroupWise 7 client (BES 4.0 SP 7 or BES 4.1 SP4), and upgrade the GW client installed on the machine to 7.0 SP3 (dated 09 Mar 2008).

If Blackberry Enterprise Server (BES) is installed in a GroupWise 6.5 environment then upgrade the GW client installed on the machine to 6.5 SP6 Client Update 3 (dated 11 Mar 2008).

Special Instructions and Notes:

For instructions on locking out older client versions please refer to GroupWise documentation for your GroupWise version:
GroupWise 7: http://www.novell.com/documentation/gw7/gw7_admin/index.html?page=/documentation/gw7/gw7_admin/data/adqaf1n.html

GroupWise 6.5: http://www.novell.com/documentation/gw65/index.html?page=/documentation/gw65/gw65_admin/data/adqaf1n.html

If running a mixed environment of 6.5 and 7.0 clients then make sure to lock out based on client release date rather than client version. The recommended date should be 08 Mar 2008 in order to ensure the system is not vulnerable.

change log

Included in Readme.

file contents

Files Included	Size	Date
gw703_client_win_us.exe	91.2 MB (95632430)	2008-03-11 13:35:05
gw703_client_win_multi.exe	197.1 MB (206712515)	2008-03-11 13:34:54
readme_5008982.html	N/A	2008-03-25 12:56:28

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

Novell is a registered trademark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE Linux AG, a Novell business. *All third-party trademarks are the property of their respective owners.