Novell

GroupWise 8.0 SP3 Hot Patch 2 - Windows Client English and Multilingual

This document (5155932) is provided subject to the disclaimer at the end of this document.

patches this patch supersedes

This patch does not supersede any other patches.

patches that supersede this patch

Product | Status | Next Superseded By | Last Superseded By
Novell GroupWise 8.0.3 | Active | GroupWise 8.0 SP3 Hot Patch 3 Windows Client EN and Multi | GroupWise 8.0 SP3 Hot Patch 3 Windows Client EN and Multi
Novell GroupWise 8 | Active | GroupWise 8.0 SP3 Hot Patch 3 Windows Client EN and Multi | GroupWise 8.0 SP3 Hot Patch 3 Windows Client EN and Multi

patch attributes

Architecture: x86, x86-64
Security patch: Yes
Priority: Mandatory
Distribution Type: Public

document

Revision: 4
Document ID: 5155932
Creation Date: 2013-01-22 14:55:58
Modified Date: 2013-04-16 09:32:20

abstract

GroupWise 8.0 SP3 Hot Patch 2 Windows Client has been released. Please be aware that this release contains only security fixes for the client and does not include any additional bug fixes. This client is designed to run against a GroupWise 8.0 Service Pack 3 Hot Patch 1 backend. An agent update is not required.

If you have been provided Field Test File (FTF) Windows Client code since the release of GW 8.0 Service Pack 3 Hot Patch 1, please contact Novell Technical Support for code that will address the security issue and any issues fixed in the FTF.

An updated SetupIP is provided to distribute this release. Please follow the instructions listed below if using SetupIP to distribute the client.

details

GroupWise System Requirements

GroupWise 8 system requirements are listed in the "GroupWise 8 Installation
Guide" (http://www.novell.com/documentation/gw8).

Windows Client Software Installation Instructions

1. Download the GroupWise 8 Support Pack 3 Hot Patch 2 Windows Client compressed
executable file to a temporary directory on your workstation:

gw8.0.3_hp2_client_win_en.exe
gw8.0.3_hp2_client_win_multi.exe


2. In Windows, click Start > Run > Browse, then locate the directory
where you downloaded the GroupWise 8 Support Pack 3 Hot Patch 2 Client
compressed executable file.

3. Double-click the downloaded file, then click Yes to extract the
GroupWise client software and start the GroupWise client Setup
program.


4. Follow the on-screen instructions to install the GroupWise 8
Support Pack 3 Hot Patch 2 client software on your workstation.

The GroupWise Setup Progress dialog box displays a green bar during
the installation process. Occasionally, long pauses might occur.
You can also check the activity of the GroupWise client Setup
program by viewing the Performance tab of the Windows Task Manager
to observe CPU usage.

 

Steps for using the provided SetupIP to distribute the client

1.  Download the English or Multilingual version of the SetupIP files and place them in an empty directory.

2.  Unzip the file, then copy the SETUPIP.FIL file and the language-specific SETUPIP.XX file to the web server as directed in the section "Preparing for Client Software Installation from a Web Server" found at http://www.novell.com/documentation/gw8/gw8_admin/?page=/documentation/gw8/gw8_admin/data/bv4v0uy.html


security fixes

===================
Description: The GroupWise Client for Windows is vulnerable to multiple untrusted pointer dereference vulnerabilities, which could be exploited by a remote attacker to compromise a vulnerable system.

Affected versions:
GroupWise Client for Windows 8.0x up to and including 8.03 HP1
GroupWise Client for Windows 2012 up to and including 12.0 SP1
Previous versions of the GroupWise Client for Windows are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GroupWise clients to version 8.0.3 HP2 or 2012 SP1 Hot Patch 1 in order to secure their system.

Novell would like to thank High-Tech Bridge Security Research Lab (https://www.htbridge.com/advisory/HTB23131) for discovery and responsible disclosure of this vulnerability.

Novell bug 792535, CVE-2013-0804

Related TID:
http://www.novell.com/support/kb/doc.php?id=7011687

===================================================
Description: The GroupWise Client for Windows contains an ActiveX control vulnerability. By enticing a target user to open a malicious file or visit a malicious page, a remote attacker could execute arbitrary code on vulnerable installations of Novell GroupWise.

Affected versions:
GroupWise Client for Windows 8.0x up to and including 8.03 HP1
GroupWise Client for Windows 2012 up to and including 12.0 SP1
Previous versions of the GroupWise Client for Windows are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GroupWise Windows clients to version 8.0.3 Hot Patch 2 or 2012 SP1 Hot Patch 1 in order to secure their systems.

This vulnerability was discovered by Andrea Micalizzi aka rgod working with HP Enterprise Security's Zero Day Initiative (http://www.zerodayinitiative.com), ZDI-CAN-1329.

Novell bugs 712144, 743674, CVE-2012-0439

Related TID:
http://www.novell.com/support/kb/doc.php?id=7011688

change log

743674 - gwcls1.dll ActiveX Control Remote Code Execution Vulnerability
792535 - Untrusted pointer dereference vulnerabilities

file contents

Files Included | Size | Date
gw8.0.3_hp2_client_win_multi.exe | 126.4 MB (132612658) | 2013-01-22 14:45:03
gw8.0.3_hp2_client_win_en.exe | 67.0 MB (70313449) | 2013-01-22 14:44:57
gw8.0.3_hp2_setupip_multi.zip | 196.9 MB (206545096) | 2013-01-24 13:42:55
gw8.0.3_hp2_setupip_en.zip | 99.6 MB (104510342) | 2013-01-24 13:42:54
readme_5155932.html | N/A | 2013-04-16 09:32:20

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

Novell is a registered trademark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE Linux AG, a Novell business. *All third-party trademarks are the property of their respective owners.

© 2007 Novell, Inc. All Rights Reserved.