Novell

This is Your Open EnterpriseTM

GroupWise 2012 SP1 Hot Patch 1 - Windows Client English and Multilingual

This document (5155931) is provided subject to the disclaimer at the end of this document.

patches this patch supersedes

This patch does not supersede any other patches.

patches that supersede this patch

This patch is not superseded by any other patches.

patch attributes

Architecture: x86, x86-64
Security patch: Yes
Priority: Mandatory
Distribution Type: Public

document

Revision: 3
Document ID: 5155931
Creation Date: 2013-01-22 14:40:59
Modified Date: 2013-01-29 15:52:57

abstract

GroupWise 2012 SP1 Hot Patch 1 Windows Client has been released. Please be aware that this release contains only security fixes for the client and does not include any additional bug fixes.  This client is designed to run against  a GroupWise 2012 Service Pack 1 backend.  An agent update is not required.

If you have been provided a Field Test File (FTF) Windows Client code since the release of GW 2012 Service Pack 1, please contact Novell Technical Support for code that will address the security issue and any issues fixed in the FTF.

An updated SetupIP is provided to distribute this release.  Please follow the instructions listed below if using SetupIP to distribute the client.

details

GroupWise System Requirements

GroupWise 2012 system requirements are listed in the "GroupWise 2012 Installation
Guide" (http://www.novell.com/documentation/groupwise2012/).


Windows Client Software Installation Instructions

1. Download the GroupWise 2012 SP1 Hot Patch 1 Windows Client compressed executable file to a temporary directory on your workstation:

gw12.0.1_hp1_client_win_en.exe
gw12.0.1_hp1_client_win_multi.exe

2. In Windows, click Start > Run > Browse, then locate the directory where you downloaded the GroupWise 2012 SP1 Hot Patch 1 Client compressed executable file.

3. Double-click the downloaded file, then click Yes to extract the GroupWise client software and start the GroupWise client Setup program.

4. Follow the on-screen instructions to install the GroupWise 2012 SP1 Hot Patch 1 client software on your workstation.

The GroupWise Setup Progress dialog box displays a green bar during the installation process. Occasionally, long pauses might occur.

You can also check the activity of the GroupWise client Setup program by viewing the Performance tab of the Windows Task Manager to observe CPU usage.

 

Steps for using the provided SetupIP to distribute the client

1.  Download the English or Multilingual version of the SetupIP files and place them in an empty directory

2.  Unzip the file and then copy the SETUPIP.FIL and SETUPIP.XX (language specific file) file to the webserser as directed in the section "Preparing for Windows Client Installation from a Webserver" found at http://www.novell.com/documentation/groupwise2012/gw2012_guide_admin/data/bv4v0uy.html

security fixes

===================
Description: The GroupWise Client for Windows is vulnerable to multiple untrusted pointer dereference vulnerabilities, which could be exploited by a remote attacker to compromise a vulnerable system.

Affected versions:
GroupWise Client for Windows 8.0x up to and including 8.03 HP1
GroupWise Client for Windows 2012 up to and including 12.0 SP1
Previous versions of the GroupWise Client for Windows are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GroupWise clients to version 8.0.3 HP2 or 2012 SP1 Hot Patch 1 in order to secure their system.

Novell would like to thank High-Tech Bridge Security Research Lab (https://www.htbridge.com/advisory/HTB23131) for discovery and responsible disclosure of this vulnerability.

Novell bug 792535, CVE-2013-0804

Related TID:
http://www.novell.com/support/kb/doc.php?id=7011687

===================================================
Description: The GroupWise Client for Windows is vulnerable to an ActiveX Control exploit where by enticing a target user to open a malicious file or visit a malicious page, a remote attacker could execute arbitrary code on vulnerable installations of Novell GroupWise.

Affected versions:
GroupWise Client for Windows 8.0x up to and including 8.03 HP1
GroupWise Client for Windows 2012 up to and including 12.0 SP1
Previous versions of the GroupWise Client for Windows are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GroupWise Windows clients to version 8.0.3 Hot Patch 2 or 2012 SP1 Hot Patch 1 in order to secure their systems.

This vulnerability was discovered by Andrea Micalizzi aka rgod working with HP Enterprise Security's Zero Day Initiative (http://www.zerodayinitiative.com), ZDI-CAN-1329

Novell bugs 712144, 743674, CVE-2012-0439

Related TID:
http://www.novell.com/support/kb/doc.php?id=7011688

change log

743674 - gwcls1.dll ActiveX Control Remote Code Execution Vulnerability
792535 - Untrusted pointer dereference vulnerabilities in GroupWise 12.x client for Windows

file contents

Files IncludedSizeDate
gw12.0.1_hp1_client_win_en.exe65.6 MB (68851133)2013-01-22 14:38:21
gw12.0.1_hp1_client_win_multi.exe110.2 MB (115575571)2013-01-22 14:38:23
gw12.0.1_hp1_setupip_en.zip86.1 MB (90304369)2013-01-24 11:49:36
gw12.0.1_hp1_setupip_multi.zip179.2 MB (187947080)2013-01-24 11:49:37
readme_5155931.htmlN/A2013-01-30 10:48:17

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

Novell is a registered trademark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE Linux AG, a Novell business. *All third-party trademarks are the property of their respective owners.

© 2007 Novell, Inc. All Rights Reserved.