
GroupWise 8.0 Hot Patch 2 Full for Windows and NLM US and MULTI

This document (5050000) is provided subject to the disclaimer at the end of this document.

patches this patch supersedes

| File | Product | Status | Patch |
| --- | --- | --- | --- |
| gw800hp1_full_nlmwin_multi.exe | GroupWise 8 | Obsolete | GroupWise 8.0 Hot Patch 1 Full for Windows and NLM US and MULTI |

patches that supersede this patch

| Product | Status | Next Superseded By | Last Superseded By |
| --- | --- | --- | --- |
| Novell GroupWise 8 | Obsolete | GroupWise 8.0 SP1 Full for Windows and NLM US and MULTI | GroupWise 8.0 SP1 Full for Windows and NLM US and MULTI |

patch attributes

Architecture: x86
Security patch: Yes
Priority: Mandatory
Distribution Type: Public

document

Revision: 4
Document ID: 5050000
Creation Date: 2009-05-19 09:22:33
Modified Date: 2009-08-31 15:12:11

abstract

Hot Patch 2 for GW 8.0 has been released. It includes security fixes in the Windows Client, WebAccess and GWIA components. See the security fixes section for additional information on the areas addressed.

details

System Requirements:

GroupWise System Requirements
32-bit/x86 processor or 64-bit/x86 processor in 32-bit mode

Any of the following server operating systems for the GroupWise agents, plus the latest Support Pack:

Novell Open Enterprise Server (OES) 2 (NetWare or Linux version), plus the latest Support Pack

NetWare 6.5, plus the latest Support Pack

SUSE® Linux Enterprise Server (SLES) 10, plus the latest Support Pack

Windows Server* 2003, Windows 2003 R2, or Windows Server 2008, plus the latest Service Pack

eDirectory™ 8.7 or later, plus the latest Support Pack, with LDAP enabled

ConsoleOne® 1.3.6h or later, with the LDAP snap-in installed

GroupWise 8 includes ConsoleOne 1.3.6h for Windows and for Linux on the DVD.

ConsoleOne requires Java* Virtual Machine (JVM*) 1.5.11 or later. On Windows, ConsoleOne also requires the Novell Client™. On Linux, ConsoleOne also requires the X Window System*, version X11R6 or later.

Any of the following environments for running the GroupWise Installation program:

Windows XP, Windows 2003, or Windows 2003 R2, plus the latest Service Pack for your version of Windows, plus the Novell Client

Windows Server 2003, Windows Server 2003 R2, or Windows Server 2008, plus the latest Service Pack, plus the Novell Client

Novell Open Enterprise Server (OES) 2 (Linux version), plus the latest Support Pack

SUSE Linux Enterprise Server (SLES) 10, plus the latest Support Pack

The X Window System is required by the GUI GroupWise Installation program that steps you through the process of creating a new GroupWise system. A text-based Installation program is also available for installing individual components.


Installation:

If upgrading from a previous version of GroupWise, please read the documentation at this link for installation instructions.

http://www.novell.com/documentation/gw8/gw8_install/data/a8t9nzp.html

If updating from GroupWise 8.0 to GroupWise 8.0 Hot Patch 2, update each component individually. Please make backups of your startup files and any configuration files you deem important.

security fixes

Novell GroupWise WebAccess is vulnerable to weaknesses within the session management mechanisms that could potentially allow an attacker to gain access to an authenticated user's account.
Affected versions:
GroupWise 7.0 up to 7.03 HP2
GroupWise 8.0 up to 8.0.0 HP1
(Novell bug 472979, CVE-2009-1634)

Novell GroupWise WebAccess is vulnerable to a cross-site scripting (XSS) exploit via unfiltered style expressions, which could potentially allow an attacker to send a message with an HTML file that contains malicious scripts, which could redirect a user and/or forward data & requests to a malicious site.
Affected versions:
GroupWise 7.0 up to 7.03 HP2
GroupWise 8.0 up to 8.0.0 HP1
(Novell bug 472987, CVE-2009-1635)

A vulnerability exists in Novell GroupWise WebAccess in the way that it blocks scripting. Exploitation of this vulnerability could potentially allow an attacker to gain access to an authenticated user's mailbox and forward data & requests to a malicious site.
Affected versions:
GroupWise 7.0 up to 7.03 HP2
GroupWise 8.0 up to 8.0.0 HP1
(Novell bug 474500, CVE-2009-1635)

A vulnerability exists in Novell GroupWise WebAccess that could allow an attacker to use JavaScript to deface the login page, which could potentially prevent users from logging in to WebAccess.
Affected versions:
GroupWise 7.0 up to 7.03 HP2
GroupWise 8.0 up to 8.0.0 HP1
(Novell bug 484942, CVE-2009-1635)

A vulnerability exists in Novell GroupWise Internet Agent, in the way it processes certain SMTP requests. Exploitation of this vulnerability could lead to arbitrary code execution with SYSTEM privileges.
Affected versions:
GroupWise 7.0 up to 7.03 HP2
GroupWise 8.0 up to 8.0.0 HP1
(Novell bug 478892, CVE-2009-1636)

A vulnerability exists in the Novell GroupWise Internet Agent, in the way it processes email addresses in the SMTP protocol. Exploitation of this vulnerability could lead to arbitrary code execution with SYSTEM privileges.
Affected versions:
GroupWise 7.0 up to 7.03 HP2
GroupWise 8.0 up to 8.0.0 HP1
(Novell bug 482914, CVE-2009-1636)


Bug 501443 - Notify connects to the wrong mailbox, bypassing authentication in unique configurations.

CVE information will be added to this readme once received.

change log

Admin

501986 Cannot restore user's mailbox through Backup/Restore Mailbox option in ConsoleOne  

Linux/Mac Client

447352 Meeting participants change after doing busy search if you have more than one appointment open  
472132 Second instance of GW started when mailing from another application  
472199 GroupWise throws NullPointerException using mailto:  
473056 Notify ignores Options settings on "Notify" and "Alarms" tabs  
473057 Caching mailbox path is not remembered  
480148 GroupWise client crashes when converting Mail to Posted Appointment of a Proxied user  
488428 Linux client does not recognize charset ISO-8859-2 encoding.  
491650 Getting RTF codes in message replies  
493289 Client hangs on "accept certificate" dialog  

Windows Client

479461 Unable to dial contact from addressbook  
484970 Address Book is not accessible when logged in as user without administrative privileges.  
479257 Name completion does not handle the ß character correctly.
495685 GroupWise client hangs up when create new group in address book selector  
481230 Un-archiving mail in caching mode changes the status to unread in online mode  
469642 Can't send attachments with "open view after send" enabled.  
503188 Crash in C3PO on shared folder  
501948 Crash when editing shared folder membership  
493756 Crash if your computer goes into hibernation while on the home folder with web panels  
493284 NNTP items posted with Word 2007 as Editor and in HTML mode to a newsgroup that only displays in Plain Text, will not display any text  
479656 GroupWise Client Integrations Are not Enabled in Excel with NAL application  
480147 Windows Client will not install on Vista Ultimate  
493290 Language setting in setup.cfg being ignored by setup.exe  
489509 No HTML View for the message when using the GroupWise 7/8 Client  
494860 Crashing when opening an existing Note in calendar, editing it and then posting it  
477489 Random crash on GroupWise Multi-user Calendar  
491644 User crashes when clicking on her multi-user calendar
501442 Notify connects to the wrong mailbox, bypassing authentication  
481643 Private items will show up to proxy account when marked as free  
472349 Quick Correct word list empty and unable to add new words  
479255 Reply doesn't show all users on the original message  
497782 If a rule has over 101 conditions, then a crash will occur when editing the conditions of that rule  
474518 Deleted signatures reappear after proxying to another mailbox  
482128 Tasks with more than 122 characters in the subject cause a stack corruption  
502009 GW client on Citrix loses focus when multiple emails are open  

Engine

472136 Prevent handing off .pdf (and other potentially troublesome files) to Stellent to prevent crashes  
490871 Extended character in the password string caused crash

GWIA

474517 Reply to all causes address in CC to change into the domain used in the from field  
475396 GroupWise server damages SMTP messages  
479260 Mails that are forwarded as attachments are not readable  
479324 GroupWise Internet Agent (GWIA) SMTP "AUTH LOGIN" Stack Overflow Vulnerability  
482886 MTA link to GWIA cycling open and closed with error 8209 reported in the MTA log
484977 Security vulnerability report: GWIA SMTP "MAIL FROM" Stack Overflow  
493288 GWIA decodes the same UUencoded attachment twice  
493761 GWIA on w2k3 crash with certain incoming messages  
494092 GWIA core correction
494863 Global signature not working when using HTML signature  
495704 No bounce back for relayed messages  
501949 GWIA Abend on GWIA.NLM

GWCheck

484064 Forwarded messages in archived mailboxes are deleted when a contents check is run  
489506 GWCheck, Expire/Reduce, "items larger than" is disregarded unless it is 1024.  

DBCopy

490874 Added an option for DBCopy to allow in place upgrade option for volumes on shared storage  

Install

499325 Abend error is displayed after Update installation.  
503187 Missing files installing 80 HP2 via Zenworks  

MTA

484975 GWMTA PFPE Abend
490870 Message crashes the Linux GW8 and GW7
494106 Allocating larger stack variable size  
498904 SOAP protocol enabled on MTA by default on 7161 causes port conflict on failover  
501120 Linux MTA is only delivering to 8 post offices.  

Monitor

490876 Monitor Application upgrade on Windows is broken  
490877 Monitor authentication does not work  

POA

472151 GW POA crash on OES 2 Linux
474522 POA crashes on AMD 64-bit OES2 SP1 after receiving mail from the MTA  
479728 Abend in GWTCP handler  
481651 GW freeing kernel memory in user address space
482602 Abend in GWENN5 on POA (8.0.0 HP).  
488430 Page Fault in OpcGetIFP
488431 Abend in WpfGetUserDSInfo
488435 Web calendar component in the POA will break if the application connection exceeds 4096  
488436 POA's application keeps climbing faster than usual  
493280 Core file created
493282 Abend in gwcheck thread in POA  
497780 Server abending in GWTCP-GCS—Handler_7

IMAP POA/GWIA

484116 Any application that connects using IMAP cannot see attachments that were sent using the GroupWise client.  

SOAP/SDK

471952 Can't modify a PAB entry  
493187 Problems sending extended characters  
497032 Call fails with DN longer than 97 characters in length  
486173 D107 errors attempting to forward an embedded message with C3PO registered.  
493768 C3PO command.Validate no longer working in Calendar view  
473055 OAPI does not handle reading attachments that have incorrect size on attachment record  
484972 GroupWise attempts to busy search external users  
495686 "Attempt to use undefined field name on item" error on a AddressBookEntry.fields.add call  

Webaccess

479263 GWDVA not respawning worker threads immediately after they die  
477875 Extended characters are garbled after an Autosave, Save, Attach ...  
472486 Get Error 404 when click on the link sent by “Send Publish Location” button.  
472690 Unable to Compose Message in Simple Template: "Compile Error: seltime.inc: Line 36: ) was encountered. } was expected. Cannot load file: send.htt"  
472944 "Find" returns compile error in Webaccess Simple Templates  
474512 Webaccess Abend  
474521 Security vulnerability report: WebAccess session tokens are "weak"  
477873 Security vulnerability report - WebAccess security filters fail to block scripting  
479264 Security report: WebAccess vulnerable to "Unfiltered style expression"  
484062 Missing Resend option in WebAccess.  
484973 Abend - GWINTER  
488429 IINTL: JP: Frequently received unreadable Japan, Chinese characters in WebAccess  
488432 Core file. Webaccess process dies.  
488434 After upgrade to GroupWise 8.0, POA not updating user databases on login via WebAccess  
488437 GWINTER and DVA Crashing in Linux  
488440 Security vulnerability report: Phishing/XSS issue in WebAccess User.lang field on login page  
498984 GroupWise 8 Webaccess Agent crashes when OPENING documents in Webpublisher  

file contents

| Files Included | Size | Date |
| --- | --- | --- |
| gw800hp2_full_nlmwin_en.zip | 607.3 MB (636890632) | 2009-05-18 17:52:44 |
| gw800hp2_full_nlmwin_multi.zip | 831.8 MB (872231491) | 2009-05-18 17:53:30 |
| readme_5050000.html | N/A | 2009-08-31 15:12:16 |

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

Novell is a registered trademark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE Linux AG, a Novell business. *All third-party trademarks are the property of their respective owners.

© 2007 Novell, Inc. All Rights Reserved.