Novell

GroupWise 7 SP3 Hot Patch 3 Full for Windows and NLM US and MULTI

This document (5049801) is provided subject to the disclaimer at the end of this document.

patches this patch supersedes

File | Product | Status | Patch
gw703hp2_full_nlmwin_multi.exe | GroupWise 7 | Obsolete | GroupWise 7 SP3 Hot Patch 2 Full for Windows and NLM US and MULTI
gw703hp2_full_nlmwin_multi.exe | GroupWise 7.0.3 | Obsolete | GroupWise 7 SP3 Hot Patch 2 Full for Windows and NLM US and MULTI

patches that supersede this patch

Product | Status | Next Superseded By | Last Superseded By
Novell GroupWise 7.0.3 | Obsolete | GroupWise 7 SP3 Hot Patch 4 Full for Windows and NLM US and MULTI | GroupWise 7 SP3 Hot Patch 4 Full for Windows and NLM US and MULTI
Novell GroupWise 7 | Obsolete | GroupWise 7 SP3 Hot Patch 4 Full for Windows and NLM US and MULTI | GroupWise 7 SP3 Hot Patch 4 Full for Windows and NLM US and MULTI

patch attributes

Architecture: x86
Security patch: Yes
Priority: Mandatory
Distribution Type: Public

document

Revision: 2
Document ID: 5049801
Creation Date: 2009-05-19 10:14:15
Modified Date: 2009-09-16 11:15:16

abstract

Service Pack 3 Hot Patch 3 for GW 7.0 has been released. It includes security fixes in the Windows Client, WebAccess and GWIA components. Please view the security section for additional information on the areas addressed.

details

System Requirements:

# 32-bit/x86 processor or 64-bit/x86 processor in 32-bit mode
# Any of the following server operating systems, plus the latest Support Pack:
  Novell Open Enterprise Server 1 or Open Enterprise Server 2 (NetWare or Linux version)
  NetWare 5.1, NetWare 6, or NetWare 6.5
  Windows Server 2000, Windows Server 2003, or Windows 2003 R2
# eDirectory 8.7 or later, plus the latest Support Pack
# ConsoleOne 1.3.6 or later
# Windows 2000/XP/2003/2003 R2 and the Novell Client on any administrator machine where you run ConsoleOne or the GroupWise Installation program

Installation:

For installation instructions, please see the documentation for installing Support Pack 3 found here:

http://www.novell.com/documentation/gw7/readmeusgw7sp3/readmeusgw7sp3.html#b2xi1dr

NOTE: The filenames in the Readme differ from the filenames for Hot Patch 3. The Hot Patch 3 filenames are:

gw703HP3_client_linux_multi.tar.gz - GroupWise 7.03 Hot Patch 3 Multilingual Linux Client
gw703HP3_client_linux_us.tar.gz - GroupWise 7.03 Hot Patch 3 US Linux Client
gw703HP3_client_mac_intel_multi.dmg - GroupWise 7.03 Hot Patch 3 Multilingual Mac Intel Platform Client
gw703HP3_client_mac_intel_us.dmg - GroupWise 7.03 Hot Patch 3 US Mac Intel Platform Client
gw703HP3_client_mac_ppc_multi.dmg - GroupWise 7.03 Hot Patch 3 Multilingual Power PC Platform Client
gw703HP3_client_mac_ppc_us.dmg - GroupWise 7.03 Hot Patch 3 US Mac Power PC Platform Client
gw703HP3_client_win_multi.exe - GroupWise 7.03 Hot Patch 3 Multilingual Windows Client
gw703HP3_client_win_us.exe - GroupWise 7.03 Hot Patch 3 US Windows Client
gw703HP3_full_linux_multi.tar.gz - GroupWise 7.03 Hot Patch 3 Multilingual Linux Client and Agents
gw703HP3_full_linux_us.tar.gz - GroupWise 7.03 Hot Patch 3 US Linux Client and Agents
gw703HP3_full_nlmwin_multi.exe - GroupWise 7.03 Hot Patch 3 Multilingual Windows and NLM Client and Agents
gw703HP3_full_nlmwin_us.exe - GroupWise 7.03 Hot Patch 3 US Windows and NLM Client and Agents

security fixes

Novell GroupWise WebAccess is vulnerable to weaknesses within the session management mechanisms that could potentially allow an attacker to gain access to an authenticated user's account.
Affected versions:
GroupWise 7.0 up to 7.03 HP2
GroupWise 8.0 up to 8.0.0 HP1
(Novell bug 472979, CVE-2009-1634)

Novell GroupWise WebAccess is vulnerable to a cross-site scripting (XSS) exploit via unfiltered style expressions, which could potentially allow an attacker to send a message with an HTML file that contains malicious scripts, which could redirect a user and/or forward data & requests to a malicious site.
Affected versions:
GroupWise 7.0 up to 7.03 HP2
GroupWise 8.0 up to 8.0.0 HP1
(Novell bug 472987, CVE-2009-1635)

A vulnerability exists in Novell GroupWise WebAccess in the way that it blocks scripting. Exploitation of this vulnerability could potentially allow an attacker to gain access to an authenticated user's mailbox and forward data & requests to a malicious site.
Affected versions:
GroupWise 7.0 up to 7.03 HP2
GroupWise 8.0 up to 8.0.0 HP1
(Novell bug 474500, CVE-2009-1635)

A vulnerability exists in Novell GroupWise WebAccess that could allow an attacker to use JavaScript to deface the login page, which could potentially prevent users from logging in to WebAccess.
Affected versions:
GroupWise 7.0 up to 7.03 HP2
GroupWise 8.0 up to 8.0.0 HP1
(Novell bug 484942, CVE-2009-1635)

A vulnerability exists in Novell GroupWise Internet Agent, in the way it processes certain SMTP requests. Exploitation of this vulnerability could lead to arbitrary code execution with SYSTEM privileges.
Affected versions:
GroupWise 7.0 up to 7.03 HP2
GroupWise 8.0 up to 8.0.0 HP1
(Novell bug 478892, CVE-2009-1636)

A vulnerability exists in the Novell GroupWise Internet Agent, in the way it processes email addresses in the SMTP protocol. Exploitation of this vulnerability could lead to arbitrary code execution with SYSTEM privileges.
Affected versions:
GroupWise 7.0 up to 7.03 HP2
GroupWise 8.0 up to 8.0.0 HP1
(Novell bug 482914, CVE-2009-1636)

Bug 501443 - Notify connects to the wrong mailbox, bypassing authentication in unique configurations

CVE information will be added when received
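
The affected ranges listed above can be checked against a version inventory. The following is an added example, not Novell code: the host names and version strings are constructed, and the parser assumes versions are written in one of the notations this document itself uses ("7.03 HP2", "7.0.3", "7 SP3 Hot Patch 3"). Bug 501443 has no version range listed here, so it is not covered.

```python
import re

# Affected ranges copied from the advisory, as (major, minor, sp, hot_patch).
AFFECTED = {
    7: ((7, 0, 0, 0), (7, 0, 3, 2)),  # GroupWise 7.0 up to 7.03 HP2
    8: ((8, 0, 0, 0), (8, 0, 0, 1)),  # GroupWise 8.0 up to 8.0.0 HP1
}

def parse_version(text):
    """Normalize '7.03 HP2', '7.0.3 HP2' or '7 SP3 Hot Patch 2' to a tuple."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor_s, sp_s = int(m.group(1)), m.group(2), m.group(3)
    if sp_s is None and minor_s and len(minor_s) == 2 and minor_s[0] == "0":
        minor, sp = 0, int(minor_s[1])  # advisory shorthand: 7.03 means 7.0.3
    else:
        minor, sp = int(minor_s or 0), int(sp_s or 0)
    rest = text[m.end():]
    sp_m = re.search(r"\bSP\s*(\d+)", rest, re.I)
    if sp_m:
        sp = int(sp_m.group(1))
    hp_m = re.search(r"\b(?:HP|Hot\s*Patch)\s*(\d+)", rest, re.I)
    return (major, minor, sp, int(hp_m.group(1)) if hp_m else 0)

def is_affected(version_text):
    """True if the version falls inside a range the advisory lists."""
    v = parse_version(version_text)
    bounds = AFFECTED.get(v[0])
    return bounds is not None and bounds[0] <= v <= bounds[1]

def affected_hosts(inventory):
    """Return the sorted host names whose version is in an affected range."""
    return sorted(h for h, ver in inventory.items() if is_affected(ver))

# Constructed sample inventory (hypothetical host names and version strings).
SAMPLE_INVENTORY = {
    "gwia-01": "7.03 HP2",
    "webacc-01": "GroupWise 7 SP3 Hot Patch 3",
    "webacc-02": "8.0.0 HP1",
    "poa-01": "8.0.1",
    "gwia-02": "7.0.2",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is in an affected range")
```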

change log

Windows Client

480457 Un-archiving mail in caching mode changes the status to unread in online mode
437085 When attaching a file to a GW message, screen freezes and client hangs
501443 Notify connects to the wrong mailbox, bypassing authentication
473958 Unable to create caching mailbox if the MailboxID includes ß
489510 No HTML View for the message when using the GroupWise 7/8 Client
396597 Random Crash on GroupWise Multi-user Calendar
472350 Quick correct word list empty and unable to add new words
477869 Reply doesn't show all users on the original message
281728 Deleted signatures reappear after proxying to another mailbox
471070 Unable to save certificate permanently from ActiveID PIV card
502010 GW Client on Citrix loses focus when multiple emails are open
433616 “Work in Progress” email duplicates attachments

Engine

490869 Extended character in the password string caused crash Engine

GWIA

474075 Allow Nicknamed Distribution Lists (Groups) to be expanded
474516 Reply to all causes address in CC to change into the domain used in the from field
475397 Excel Attachment Appears to be Corrupt for Incoming Internet Message
475401 GroupWise server damages SMTP messages
475409 GWIA receiving .txt file with Russian characters incorrectly
478893 GroupWise Internet Agent (GWIA) SMTP Security Issue
482595 GWIA 7.03 HP2 causing a Mailer-daemon Looping issue
484984 Security vulnerability report: GWIA
483519 7.x GWIA sends message in upd@domain.com
489490 Some attachments coming through GWIA 703hp2 or earlier are not shown

GWCheck

484068 Forwarded messages in archived mailboxes are deleted when a contents check is run

Install

495976 GroupWise Client 7.0.3 HP3 client will not auto update
496601 Crash installing windows client on Japanese OS

MTA

490868 Message crashes the Linux GW8 and GW7 gwmta
494109 Allocate larger stack variable size
501122 Linux MTA is only delivering to 8 post offices
495675 MTA is using primary ip address instead of secondary ip address

POA

429982 GW freeing kernel memory in user address space
440338 Post office agent randomly dropping
469264 POA crashes on AMD 64-bit OES2 SP1 after receiving mail from the MTA
471034 GW POA crash on OES 2 Linux
472138 Page Fault abend in GWTCP-CLKL-Handler thread
477468 Abend in GWENN5 on POA
488421 Page Fault Processor Abend
488422 POA's application keeps climbing faster than usual
497779 Server abending in GWTCP-GCS—Handler Process

SOAP

470593 Data corruption getting PAB items
484327 Attribute ItemReference not returned
484982 Can't modify a PAB entry
493189 Problems sending extended characters

SDK

486171 D107 errors attempting to forward an embedded message with C3PO registered.
473052 OAPI does not handle reading attachments that have incorrect size on attachment record
484980 Busy search external users should not be allowed
497036 Call fails with DN longer than 97 characters in length
500569 Crash accessing a phone message

Webaccess

362270 GWDVA not respawning worker threads immediately after they die
482416 All day event is showing two days in the WebAccess week/month view calendar
476498 Unable to Compose Message in Simple Template: "Compile Error: seltime.inc: Line 36: ) was encountered. } was expected. Cannot load file: send.htt"
472990 Security report: WebAccess vulnerable to "Unfiltered style expression"
472991 Security vulnerability report: WebAccess session tokens are "weak"
474501 Security vulnerability report - WebAccess security filters fail to block scripting
474510 Webaccess Abend
475315 GWDVA does not use secondary IP address
475322 Webaccess does not use secondary IP address
488423 Security vulnerability report: Phishing/XSS issue in WebAccess User.lang field on login page
490875 A compile error is displayed in login page of WebAccess
491706 GWDVA is not working on Linux
498855 Special characters (Japanese, Chinese, Korean, Arabic, ) are displayed incorrectly

file contents

Files Included | Size | Date
gw7.0.3HP3_full_nlmwin_multi.zip | 767.7 MB (805058653) | 2009-05-15 08:37:04
gw7.0.3HP3_full_nlmwin_us.zip | 481.0 MB (504375236) | 2009-05-15 08:37:40
readme_5049801.html | N/A | 2009-09-16 11:15:26

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.