what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

NOVELL-SA-2006-001.txt

NOVELL-SA-2006-001.txt
Posted Jul 2, 2006
Site novell.com

Novell Security Announcement - A security vulnerability exists in the GroupWise Windows Client API that can allow random programmatic access to non-authorized email within the same authenticated post office. Affected Products: Novell GroupWise 5.x, Novell GroupWise 6.0, Novell GroupWise 6.5, Novell GroupWise 7, Novell GroupWise 32-bit Client.

tags | advisory
systems | windows
advisories | CVE-2006-3268
SHA-256 | 6658eb77abb7d3e6b4e2686bc733dc0e41b332b2f8cc43e5d0387dc1cd8ea2e4

NOVELL-SA-2006-001.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

Novell Security Announcement

Product Name: Novell GroupWise
Announcement ID: NOVELL-SA:2006:001
Date: Wed Jun 28 13:00:00 MDT 2006
Affected Products: Novell GroupWise 5.x
Novell GroupWise 6.0
Novell GroupWise 6.5
Novell GroupWise 7
Novell GroupWise 32-bit Client
Vulnerability Type: Unauthorized access to email
Severity (1-10): 8
Cross-References: CVE-2006-3268

Content of This Advisory:
1) Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Patch Location
5) Authenticity Verification and Additional Information
6) Disclaimer
7) Novell Security Public Key


________________________________________________________________________

1) Problem Description and Brief Discussion

A security vulnerability exists in the GroupWise Windows Client API
that can allow random programmatic access to non-authorized email
within the same authenticated post office.

2) Solution or Work-Around

There is no known workaround. Please follow the instructions below
to install the patch.

For GroupWise 7 - Customers running GroupWise 7.0 Windows Clients
should immediately upgrade all Windows clients to GroupWise 7 SP1
(dated 19 Jun 2006) and lock out older Windows clients via
ConsoleOne.

For GroupWise 6.5 - Customers running GroupWise 6.5.x Windows Clients
should immediately upgrade all Windows clients to the GroupWise 6.5
SP6 Client Update 1 (dated 27 Jun 2006), or upgrade to GroupWise 7
SP1. Older Windows clients must be locked out via ConsoleOne.

For GroupWise 6.0 and previous - Customers still running unsupported
GroupWise versions (5.x and 6) of the Windows Clients should
immediately upgrade clients and servers to either GroupWise 6.5 SP6
Update 1 or to GroupWise 7 SP1. Older Windows clients must be
locked out via ConsoleOne.

If Blackberry Enterprise Server (BES) is installed in a GroupWise 7
environment then make sure to lock out based on client date rather
than client version, as the recommended BES configuration is still
to use the GroupWise 6.5 client. The recommended date should be
June 13 2006 in order to ensure that the system is not vulnerable.

3) Special Instructions and Notes

For instructions on locking out older client versions and other
details please refer to Novell Support TID# 1480
@ http://www.novell.com/support. (Check box to search by TID ID).

4) Patch Location

GroupWise 6.5
http://support.novell.com/filefinder/16963/index.html

GroupWise 7
http://support.novell.com/filefinder/20641/index.html


________________________________________________________________________

5) Authenticity Verification and Additional Information

- Announcement authenticity verification:

Novell security announcements are published via a mailing list and
on a Novell web site. The authenticity and integrity of a Novell
security announcement is guaranteed by a cryptographic signature in
each announcement. All Novell security announcements are published
with a valid signature.

To verify the signature of the announcement, save it as text into a
file and run the command

gpg --verify <file>

replacing <file> with the name of the file where you saved the
announcement. The output for a valid signature looks like:

gpg: Signature made <DATE> using RSA key ID 6AE6EC98
gpg: Good signature from "Novell Security (Primary Contact
Address) <security@novell.com>"

where <DATE> is replaced by the date the document was signed.

If the Novell Security key is not contained in your key ring, you
can import it from
http://support.novell.com/security-alerts/keypage.txt.
The <security@novell.com> public key is also included below.

To import the key, use the command

gpg --import keypage.txt

- Novell publishes security announcements to the mailing list
security-alerts@lists.novell.com. Any interested party may
subscribe at http://www.novell.com/company/subscribe/.

Novell's security contact is security@novell.com.

- The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In
particular, the clear text signature should show proof of the
authenticity of the text.
________________________________________________________________________

6) Disclaimer

The content of this document is believed to be accurate at the time
of publishing based on currently available information. However, the
information is provided "AS IS" without any warranty or
representation. Your use of the document constitutes acceptance of
this disclaimer. Novell disclaims all warranties, express or
implied, regarding this document, including the warranties of
merchantability and fitness for a particular purpose. Novell is not
liable for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this document or any security
alert, even if Novell has been advised of the possibility of such
damages and even if such damages are foreseeable.

________________________________________________________________________

7) Novell Security Public Key

Type Bits/KeyID Date User ID
pub 4096R/6AE6EC98 2006-04-25 Novell Security <security@novell.com>

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2.2 (MingW32)

mQIMBERONjUBEAC5H4aewrbcL0unOHLVCPGozbenAoRKORyhtWCO81Jup0Qg7B94
Thn5RXECLlKB+vzXhONGlGoBKTcVKsLeNM54Da2WLDkVCEb++fo791LZkfpzLiWw
znp5sStS3kZxgeUrS9aUfdhIhls/rs5i1Rh/YUp3K3/1d0SE0Zfc5qGKsmmpDYzv
hFnbsqHESD9skXkuvcCFdsK6y24myUz6AsNrcMVMcJrJkcew/t/j6I5rUBW08CIu
GBkYJqJ61UsQVZz/lkXeqz8lmIAvyNt8jtQSVqEHbYf54GkP+D4CMxN1+hup1o1J
nMyKCjurDKaN1zThW0GUtWpH1dAkXjbX4IKe4noHPb1413R/Nzc/rhBWh8Rf207f
kxL65z6EVr8SoxGJ3yykAY55mpfXcMFqapsqGpwvxVsT1EigeLShJ2/G1NBm8OO9
mHMHEFUrYcPcM0R9WRwWnuizimRcfIQnbQ1aRxe+C+UULGT/OzEVWHmvedFUitng
zHdP2ygg9IiIl+zqaWiNzsu0SqvCP8V4Sb/Bs2of7O1NxuB/VolP4DIqhjLCEg9s
BpAY6UMZ3IWDxvVBtSNlyZYpNGWKre0ElsA6+xWqnW2RdtI7aM2l6qjpykBADIiI
n0QHHLftZTxL5oTH0Qqk5RxVgrcRRLtI2IUJ5UzP465W5qHU1FWZfuElNQAJAQG0
P05vdmVsbCBTZWN1cml0eSAoUHJpbWFyeSBDb250YWN0IEFkZHJlc3MpIDxzZWN1
cml0eUBub3ZlbGwuY29tPokCNAQTAQIAHgUCRE42NQIbDwYLCQgHAwIDFQIDAxYC
AQIeAQIXgAAKCRAugUlDaubsmAN5D/9E2nfqvfSTDrXuytEN99teCUiayO8UC+kW
cDnY7Xl1fWFjtrQrEowhmFlXryQDBBnLqowMrlpOGe6Tn/PiuCgVYfYZs/mQ/OzM
VfWRtt1hhCRAykPZbSU73qebxwpH56iiYuEelAzfM6g2SWJpNdRj+s3K2qSHaXXN
p7jLWsDEmYMW6v6UYc2OhLnyzS3gwGvKwAZhhswfLiqNygEIbLfxwGdzTUv7xgmr
n/TiAHc9OeHZB3SdXnWQ8nwHb9AfwRner37IDk8G+QxJWDA57h06ECFWTwyHODDc
g4BjxxnAMgMQ8vhXLgo6jYk0FTIoEv6AlZ8bcwBBXOJey0EsNANsYo30zAfBQ6E7
7q11bHNx/FoyU08smySNI2+PWpYJ1hmTZySsIeC0U5aAETxUON10Z6Aqlw0KmXxt
QXCHTgZZM/VgvRZgkPG3a3TFaKaOel6fJhLuF9NGYoS5XG30MmrLH9D6R2NiSIfa
0tBJFp4RSXhHei2ZFJmtAX67fN8PPX9DOmVAo/pAm4ar0Otcvvu1eimpogHkI4JM
/F2MOXqmt+C6cbh51ejYWeA2INa+LJ+fPbPrRYuK7pMzeMtpZBRakWEtWmnT3FJC
WNFbggpk1T+7IU3AMbRpPJllTVqPH0xXZsifO0OEPwWoIZ04D13r+RYAD8OhYSnt
+Rhucrrc3IkBHAQQAQIABgUCRE447gAKCRB3suYAPSXT2fPsB/9vPcZvcJuf0uy0
HsGmHYtlI8m4Pz0b77UqAIxbJUx/DbGUEVmo3xXuSrXMghVLu9l9UTRqSSZAS89Y
BRGC7qKw86VLGZ5VDUHCEhLax3JtaV0wjrmy/1/FSBSeFrDxhZ69bhSXVER7832L
0zs4tAV/vFlODpXNdoOt6LnBWNq9ZgHjeqt4erbRdzKdora27joMfvkvqLUMn53R
KGKMU8hXw9u31J2n0sR5V8T847xfc3wyGWdCyGVA8CPnhkSdhwndqOvscsUOz6fZ
4ONL79vbLPvRWjGiVQNY+sux4alBoWwJqmOxdIg+cF6boeVDdMew7A1gJc/fwjK1
LyG+xCbU
=h2ya
- -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iQIVAwUBRKLIIC6BSUNq5uyYAQJqtw/+P/IHemCfiJr5NY8gbZJ/kTYpxlB1aQDv
nGPe+spwz37OBICo8P0yg//7eT6ismFF8TGZTRQf8pHi1nmx8b7XfuDiUpYTSIzO
MkRGcEjpNLmFX+wKjxdwjj37azxWmQkEJDP17fh6/sBKO/Husg8Z7sSglZZ78pIH
YynQeUBqMYOigHZlsUVpbSqErIH6hA5LpqCtW6/YV11CRUvg1pJEow8iuK5KrCYE
PslieQRuOQe6I0SMKs6cGm16b1tJ+hkATIn1d5T5VQ5bfylCQHxI2UAgKUBCgTzA
DStPffypZ1vbH0PriWOELdiNHBSWtwB7mTVt//hvatpws2PW2TQ6I9726+Zr0dBB
0QpYAWqL8p1pkTEpUzq9XRnFLPb4IQ7Lz9n3Bkba4VAGxu9HWbI7j7Y9RgR4wVXL
svR3AnJoKlL7z+8tJy/o7zU2r7kDGPDEsl+yjdcJPCbuwA6mSN/VVX5oA7zW8sEp
cOHiiFVU4uWDbh8XM9IP+xcbTR529ekrIJL7KVkqrm0LxIfHXHdBAd+EQxag010l
aCbxnrr+ilJry2PO2E+lgJI0lbGvWlGqnAYMARPuy1eI+QLT5D5utjiRo4C3li38
6KhlKGBN/HTEXoOKo7KfZN+GuxXrqwE2Jsu5f4K5fE/geDaDVrgE23l9NyGWEXl0
fIXbAAKD8Tk=
=5avL
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close