For Immediate Disclosure

============================== Summary ==============================

Security Alert: NOVL-2005-10098073
Title: GroupWise Password Caching
Date: 16-August-2005
Revision: Original
Product Name: GroupWise 5.x, 6.x
OS/Platform(s): Windows and NetWare
Reference URL: http://support.novell.com/servlet/tidfinder/10098073
Vendor Name: Novell, Inc.
Vendor URL: http://www.novell.com
Security Alerts: http://support.novell.com/security-alerts
Affects: GroupWise Windows Clients & Proxies
Identifiers: Bugtraq:13997, CVE:CAN-2005-2620, SECTRACK:1014247
Credits: securityteam@truedson.com

============================ Description ============================

The GroupWise client sometimes caches the user name and password in
memory while it is running.

============================== Impact ===============================

A hostile user with administrative access to the machine where a user
is logged in may dump memory and find username/password pairs of
logged-in users.

======================== Recommended Actions ========================

GW 7 was released with these fixes already applied, so no further
action is required for GroupWise 7 users.

Until the official release of GroupWise 6.5 SP5 in mid-September,
customers wishing to apply Field Test Files (FTF) can download these
from http://support.novell.com/filefinder/ and locate the latest
GroupWise Agents and GroupWise Client FTFs.

As of August 16, 2005, the filenames are fgw655h.exe for Agents and
f32655f7e.exe for GW Client. Both FTFs will need to be applied to get
the full fix.

See detailed instructions in the referenced Technical Information
Document (TID):
http://support.novell.com/servlet/tidfinder/10098073

============================ DISCLAIMER =============================

The content of this document is believed to be accurate at the time
of publishing based on currently available information. However, the
information is provided "AS IS" without any warranty or
representation. Your use of the document constitutes acceptance of
this disclaimer. Novell disclaims all warranties, express or implied,
regarding this document, including the warranties of merchantability
and fitness for a particular purpose. Novell is not liable for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this document or any security alert, even if
Novell has been advised of the possibility of such damages and even
if such damages are foreseeable.

============================ Appendices =============================

None

================ Contacting Novell Security Alerts ==================

To report suspected security vulnerabilities in Novell products, send
email to secure@novell.com.

PGP users may send signed/encrypted information to us using our PGP
key, available from our website at:
http://support.novell.com/security-alerts

Novell Security Alerts, Novell, Inc.
PGP Key Fingerprint: 3C6B 3F26 4E34 1ADF E27B D6C4 1AC8 9184 34D1 9739

========================= Revision History ==========================

Original: 16-Aug-2005 - Original Publication