copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2006.0434 -- [Win][Linux][NetWare] -- Novell Security Announcement Novell-SA:2006:001 - GroupWise

Date: 29 June 2006

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                  ESB-2006.0434 -- [Win][Linux][NetWare]
        Novell Security Announcement Novell-SA:2006:001 - GroupWise
                               29 June 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Novell GroupWise 5.x, 6.0, 6.5 and 7
                      Novell GroupWise 32-bit Client
Publisher:            Novell
Operating System:     Windows
                      Linux variants
                      Novell NetWare
Impact:               Access Confidential Data
Access:               Existing Account
CVE Names:            CVE-2006-3268

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

                   Novell Security Announcement

Product Name:		Novell GroupWise
Announcement ID:        NOVELL-SA:2006:001
Date:                   Wed Jun 28 13:00:00 MDT 2006
Affected Products:	Novell GroupWise 5.x
			Novell GroupWise 6.0
			Novell GroupWise 6.5
			Novell GroupWise 7
			Novell GroupWise 32-bit Client
Vulnerability Type:     Unauthorized access to email
Severity (1-10):        8
Cross-References:       CVE-2006-3268

Content of This Advisory:
        1) Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Patch Location
        5) Authenticity Verification and Additional Information
        6) Disclaimer
        7) Novell Security Public Key


________________________________________________________________________

1) Problem Description and Brief Discussion

   A security vulnerability exists in the GroupWise Windows Client API
   that can allow random programmatic access to non-authorized email
   within the same authenticated post office.

2) Solution or Work-Around

   There is no known workaround.  Please follow the instructions below
   to install the patch.

   For GroupWise 7 - Customers running GroupWise 7.0 Windows Clients
   should immediately upgrade all Windows clients to GroupWise 7 SP1
   (dated 19 Jun 2006) and lock out older Windows clients via
   ConsoleOne.

   For GroupWise 6.5 - Customers running GroupWise 6.5.x Windows Clients
   should immediately upgrade all Windows clients to the GroupWise 6.5
   SP6 Client Update 1 (dated 27 Jun 2006), or upgrade to GroupWise 7
   SP1.  Older Windows clients must be locked out via ConsoleOne.

   For GroupWise 6.0 and previous - Customers still running unsupported
   GroupWise versions (5.x and 6) of the Windows Clients should
   immediately upgrade clients and servers to either GroupWise 6.5 SP6
   Update 1 or to GroupWise 7 SP1.  Older Windows clients must be
   locked out via ConsoleOne.
   
   If Blackberry Enterprise Server (BES) is installed in a GroupWise 7
   environment then make sure to lock out based on client date rather
   than client version, as the recommended BES configuration is still
   to use the GroupWise 6.5 client.  The recommended date should be
   June 13 2006 in order to ensure that the system is not vulnerable.

3) Special Instructions and Notes

   For instructions on locking out older client versions and other
   details please refer to Novell Support TID# 1480
   @ http://www.novell.com/support. (Check box to search by TID ID).
   
4) Patch Location

   GroupWise 6.5
   http://support.novell.com/filefinder/16963/index.html

   GroupWise 7
   http://support.novell.com/filefinder/20641/index.html


________________________________________________________________________

5) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

    Novell security announcements are published via a mailing list and
    on a Novell web site.  The authenticity and integrity of a Novell
    security announcement is guaranteed by a cryptographic signature in
    each announcement.  All Novell security announcements are published
    with a valid signature.

    To verify the signature of the announcement, save it as text into a
    file and run the command

      gpg --verify <file>

    replacing <file> with the name of the file where you saved the
    announcement.  The output for a valid signature looks like:

      gpg: Signature made <DATE> using RSA key ID 6AE6EC98
      gpg: Good signature from "Novell Security (Primary Contact
      Address) <security@novell.com>"

    where <DATE> is replaced by the date the document was signed.

    If the Novell Security key is not contained in your key ring, you
    can import it from 
      http://support.novell.com/security-alerts/keypage.txt.
    The <security@novell.com> public key is also included below.

    To import the key, use the command

      gpg --import keypage.txt

  - Novell publishes security announcements to the mailing list
    security-alerts@lists.novell.com.  Any interested party may
    subscribe at http://www.novell.com/company/subscribe/.

    Novell's security contact is security@novell.com.  

  - The information in this advisory may be distributed or reproduced,
    provided that the advisory is not modified in any way. In
    particular, the clear text signature should show proof of the
    authenticity of the text.
________________________________________________________________________

6) Disclaimer

    The content of this document is believed to be accurate at the time
    of publishing based on currently available information. However, the
    information is provided "AS IS" without any warranty or
    representation.  Your use of the document constitutes acceptance of
    this disclaimer.  Novell disclaims all warranties, express or
    implied, regarding this document, including the warranties of
    merchantability and fitness for a particular purpose. Novell is not
    liable for any direct, indirect, or consequential loss or damage
    arising from use of, or reliance on, this document or any security
    alert, even if Novell has been advised of the possibility of such
    damages and even if such damages are foreseeable.

________________________________________________________________________

7) Novell Security Public Key

Type Bits/KeyID      Date        User ID
pub  4096R/6AE6EC98 2006-04-25  Novell Security <security@novell.com>

- - -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2.2 (MingW32)

mQIMBERONjUBEAC5H4aewrbcL0unOHLVCPGozbenAoRKORyhtWCO81Jup0Qg7B94
Thn5RXECLlKB+vzXhONGlGoBKTcVKsLeNM54Da2WLDkVCEb++fo791LZkfpzLiWw
znp5sStS3kZxgeUrS9aUfdhIhls/rs5i1Rh/YUp3K3/1d0SE0Zfc5qGKsmmpDYzv
hFnbsqHESD9skXkuvcCFdsK6y24myUz6AsNrcMVMcJrJkcew/t/j6I5rUBW08CIu
GBkYJqJ61UsQVZz/lkXeqz8lmIAvyNt8jtQSVqEHbYf54GkP+D4CMxN1+hup1o1J
nMyKCjurDKaN1zThW0GUtWpH1dAkXjbX4IKe4noHPb1413R/Nzc/rhBWh8Rf207f
kxL65z6EVr8SoxGJ3yykAY55mpfXcMFqapsqGpwvxVsT1EigeLShJ2/G1NBm8OO9
mHMHEFUrYcPcM0R9WRwWnuizimRcfIQnbQ1aRxe+C+UULGT/OzEVWHmvedFUitng
zHdP2ygg9IiIl+zqaWiNzsu0SqvCP8V4Sb/Bs2of7O1NxuB/VolP4DIqhjLCEg9s
BpAY6UMZ3IWDxvVBtSNlyZYpNGWKre0ElsA6+xWqnW2RdtI7aM2l6qjpykBADIiI
n0QHHLftZTxL5oTH0Qqk5RxVgrcRRLtI2IUJ5UzP465W5qHU1FWZfuElNQAJAQG0
P05vdmVsbCBTZWN1cml0eSAoUHJpbWFyeSBDb250YWN0IEFkZHJlc3MpIDxzZWN1
cml0eUBub3ZlbGwuY29tPokCNAQTAQIAHgUCRE42NQIbDwYLCQgHAwIDFQIDAxYC
AQIeAQIXgAAKCRAugUlDaubsmAN5D/9E2nfqvfSTDrXuytEN99teCUiayO8UC+kW
cDnY7Xl1fWFjtrQrEowhmFlXryQDBBnLqowMrlpOGe6Tn/PiuCgVYfYZs/mQ/OzM
VfWRtt1hhCRAykPZbSU73qebxwpH56iiYuEelAzfM6g2SWJpNdRj+s3K2qSHaXXN
p7jLWsDEmYMW6v6UYc2OhLnyzS3gwGvKwAZhhswfLiqNygEIbLfxwGdzTUv7xgmr
n/TiAHc9OeHZB3SdXnWQ8nwHb9AfwRner37IDk8G+QxJWDA57h06ECFWTwyHODDc
g4BjxxnAMgMQ8vhXLgo6jYk0FTIoEv6AlZ8bcwBBXOJey0EsNANsYo30zAfBQ6E7
7q11bHNx/FoyU08smySNI2+PWpYJ1hmTZySsIeC0U5aAETxUON10Z6Aqlw0KmXxt
QXCHTgZZM/VgvRZgkPG3a3TFaKaOel6fJhLuF9NGYoS5XG30MmrLH9D6R2NiSIfa
0tBJFp4RSXhHei2ZFJmtAX67fN8PPX9DOmVAo/pAm4ar0Otcvvu1eimpogHkI4JM
/F2MOXqmt+C6cbh51ejYWeA2INa+LJ+fPbPrRYuK7pMzeMtpZBRakWEtWmnT3FJC
WNFbggpk1T+7IU3AMbRpPJllTVqPH0xXZsifO0OEPwWoIZ04D13r+RYAD8OhYSnt
+Rhucrrc3IkBHAQQAQIABgUCRE447gAKCRB3suYAPSXT2fPsB/9vPcZvcJuf0uy0
HsGmHYtlI8m4Pz0b77UqAIxbJUx/DbGUEVmo3xXuSrXMghVLu9l9UTRqSSZAS89Y
BRGC7qKw86VLGZ5VDUHCEhLax3JtaV0wjrmy/1/FSBSeFrDxhZ69bhSXVER7832L
0zs4tAV/vFlODpXNdoOt6LnBWNq9ZgHjeqt4erbRdzKdora27joMfvkvqLUMn53R
KGKMU8hXw9u31J2n0sR5V8T847xfc3wyGWdCyGVA8CPnhkSdhwndqOvscsUOz6fZ
4ONL79vbLPvRWjGiVQNY+sux4alBoWwJqmOxdIg+cF6boeVDdMew7A1gJc/fwjK1
LyG+xCbU
=h2ya
- - -----END PGP PUBLIC KEY BLOCK-----

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iQIVAwUBRKLIIC6BSUNq5uyYAQJqtw/+P/IHemCfiJr5NY8gbZJ/kTYpxlB1aQDv
nGPe+spwz37OBICo8P0yg//7eT6ismFF8TGZTRQf8pHi1nmx8b7XfuDiUpYTSIzO
MkRGcEjpNLmFX+wKjxdwjj37azxWmQkEJDP17fh6/sBKO/Husg8Z7sSglZZ78pIH
YynQeUBqMYOigHZlsUVpbSqErIH6hA5LpqCtW6/YV11CRUvg1pJEow8iuK5KrCYE
PslieQRuOQe6I0SMKs6cGm16b1tJ+hkATIn1d5T5VQ5bfylCQHxI2UAgKUBCgTzA
DStPffypZ1vbH0PriWOELdiNHBSWtwB7mTVt//hvatpws2PW2TQ6I9726+Zr0dBB
0QpYAWqL8p1pkTEpUzq9XRnFLPb4IQ7Lz9n3Bkba4VAGxu9HWbI7j7Y9RgR4wVXL
svR3AnJoKlL7z+8tJy/o7zU2r7kDGPDEsl+yjdcJPCbuwA6mSN/VVX5oA7zW8sEp
cOHiiFVU4uWDbh8XM9IP+xcbTR529ekrIJL7KVkqrm0LxIfHXHdBAd+EQxag010l
aCbxnrr+ilJry2PO2E+lgJI0lbGvWlGqnAYMARPuy1eI+QLT5D5utjiRo4C3li38
6KhlKGBN/HTEXoOKo7KfZN+GuxXrqwE2Jsu5f4K5fE/geDaDVrgE23l9NyGWEXl0
fIXbAAKD8Tk=
=5avL
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRKMvmyh9+71yA2DNAQLMbwP/X9/0engmjt1lJZKpfAXCrZRi4UnYN8fp
zKG71EM2HfzwoEedM0Gv4HIY//+08DYczg6dD1FAIZ62/cAFDVOPZHmX0qUsmrxp
8+XlGYL2Uzo/VCsTfBo86Ngw+KYZrM4/JD3ztd1Nx4CljoCmtPKKzTV8QK4VXhkK
iip0iN8SUhE=
=qAjc
-----END PGP SIGNATURE-----