Novell Security Announcement NOVELL-SA:2006:001

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

               Novell Security Announcement

Product Name: Novell GroupWise
Announcement ID: NOVELL-SA:2006:001
Date: Wed Jun 28 13:00:00 MDT 2006
Affected Products: Novell GroupWise 5.x
Novell GroupWise 6.0
Novell GroupWise 6.5
Novell GroupWise 7
Novell GroupWise 32-bit Client
Vulnerability Type: Unauthorized access to email
Severity (1-10): 8
Cross-References: CVE-2006-3268

Content of This Advisory:
1) Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Patch Location
5) Authenticity Verification and Additional Information
6) Disclaimer
7) Novell Security Public Key

1) Problem Description and Brief Discussion

A security vulnerability exists in the GroupWise Windows Client API
that can allow random programmatic access to non-authorized email
within the same authenticated post office.

2) Solution or Work-Around

There is no known workaround. Please follow the instructions below
to install the patch.

For GroupWise 7 - Customers running GroupWise 7.0 Windows Clients
should immediately upgrade all Windows clients to GroupWise 7 SP1
(dated 19 Jun 2006) and lock out older Windows clients via
ConsoleOne.

For GroupWise 6.5 - Customers running GroupWise 6.5.x Windows Clients
should immediately upgrade all Windows clients to the GroupWise 6.5
SP6 Client Update 1 (dated 27 Jun 2006), or upgrade to GroupWise 7
SP1. Older Windows clients must be locked out via ConsoleOne.

For GroupWise 6.0 and previous - Customers still running unsupported
GroupWise versions (5.x and 6) of the Windows Clients should
immediately upgrade clients and servers to either GroupWise 6.5 SP6
Update 1 or to GroupWise 7 SP1. Older Windows clients must be
locked out via ConsoleOne.

If Blackberry Enterprise Server (BES) is installed in a GroupWise 7
environment then make sure to lock out based on client date rather
than client version, as the recommended BES configuration is still
to use the GroupWise 6.5 client. The recommended date should be
June 13 2006 in order to ensure that the system is not vulnerable.

3) Special Instructions and Notes

For instructions on locking out older client versions and other
details please refer to Novell Support TID# 1480
@ http://www.novell.com/support. (Check box to search by TID ID).

4) Patch Location

GroupWise 6.5
http://support.novell.com/filefinder/16963/index.html

GroupWise 7
http://support.novell.com/filefinder/20641/index.html

5) Authenticity Verification and Additional Information

• Announcement authenticity verification:

  Novell security announcements are published via a mailing list and
  on a Novell web site. The authenticity and integrity of a Novell
  security announcement is guaranteed by a cryptographic signature in
  each announcement. All Novell security announcements are published
  with a valid signature.

  To verify the signature of the announcement, save it as text into a
  file and run the command

  gpg --verify <file>

  replacing <file> with the name of the file where you saved the
  announcement. The output for a valid signature looks like:

  gpg: Signature made <DATE> using RSA key ID 6AE6EC98
  gpg: Good signature from "Novell Security (Primary Contact
  Address) <[email protected]>"

  where <DATE> is replaced by the date the document was signed.

  If the Novell Security key is not contained in your key ring, you
  can import it from
  http://support.novell.com/security-alerts/keypage.txt.
  The <[email protected]> public key is also included below.

  To import the key, use the command

  gpg --import keypage.txt

• Novell publishes security announcements to the mailing list
  [email protected]. Any interested party may
  subscribe at http://www.novell.com/company/subscribe/.

  Novell's security contact is [email protected].

• The information in this advisory may be distributed or reproduced,
  provided that the advisory is not modified in any way. In
  particular, the clear text signature should show proof of the
  authenticity of the text.

6) Disclaimer

The content of this document is believed to be accurate at the time
of publishing based on currently available information. However, the
information is provided "AS IS" without any warranty or
representation.  Your use of the document constitutes acceptance of
this disclaimer.  Novell disclaims all warranties, express or
implied, regarding this document, including the warranties of
merchantability and fitness for a particular purpose. Novell is not
liable for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this document or any security
alert, even if Novell has been advised of the possibility of such
damages and even if such damages are foreseeable.

7) Novell Security Public Key

Type Bits/KeyID Date User ID
pub 4096R/6AE6EC98 2006-04-25 Novell Security <[email protected]>

• -----BEGIN PGP PUBLIC KEY BLOCK-----
  Version: GnuPG v1.4.2.2 (MingW32)

mQIMBERONjUBEAC5H4aewrbcL0unOHLVCPGozbenAoRKORyhtWCO81Jup0Qg7B94
Thn5RXECLlKB+vzXhONGlGoBKTcVKsLeNM54Da2WLDkVCEb++fo791LZkfpzLiWw
znp5sStS3kZxgeUrS9aUfdhIhls/rs5i1Rh/YUp3K3/1d0SE0Zfc5qGKsmmpDYzv
hFnbsqHESD9skXkuvcCFdsK6y24myUz6AsNrcMVMcJrJkcew/t/j6I5rUBW08CIu
GBkYJqJ61UsQVZz/lkXeqz8lmIAvyNt8jtQSVqEHbYf54GkP+D4CMxN1+hup1o1J
nMyKCjurDKaN1zThW0GUtWpH1dAkXjbX4IKe4noHPb1413R/Nzc/rhBWh8Rf207f
kxL65z6EVr8SoxGJ3yykAY55mpfXcMFqapsqGpwvxVsT1EigeLShJ2/G1NBm8OO9
mHMHEFUrYcPcM0R9WRwWnuizimRcfIQnbQ1aRxe+C+UULGT/OzEVWHmvedFUitng
zHdP2ygg9IiIl+zqaWiNzsu0SqvCP8V4Sb/Bs2of7O1NxuB/VolP4DIqhjLCEg9s
BpAY6UMZ3IWDxvVBtSNlyZYpNGWKre0ElsA6+xWqnW2RdtI7aM2l6qjpykBADIiI
n0QHHLftZTxL5oTH0Qqk5RxVgrcRRLtI2IUJ5UzP465W5qHU1FWZfuElNQAJAQG0
P05vdmVsbCBTZWN1cml0eSAoUHJpbWFyeSBDb250YWN0IEFkZHJlc3MpIDxzZWN1
cml0eUBub3ZlbGwuY29tPokCNAQTAQIAHgUCRE42NQIbDwYLCQgHAwIDFQIDAxYC
AQIeAQIXgAAKCRAugUlDaubsmAN5D/9E2nfqvfSTDrXuytEN99teCUiayO8UC+kW
cDnY7Xl1fWFjtrQrEowhmFlXryQDBBnLqowMrlpOGe6Tn/PiuCgVYfYZs/mQ/OzM
VfWRtt1hhCRAykPZbSU73qebxwpH56iiYuEelAzfM6g2SWJpNdRj+s3K2qSHaXXN
p7jLWsDEmYMW6v6UYc2OhLnyzS3gwGvKwAZhhswfLiqNygEIbLfxwGdzTUv7xgmr
n/TiAHc9OeHZB3SdXnWQ8nwHb9AfwRner37IDk8G+QxJWDA57h06ECFWTwyHODDc
g4BjxxnAMgMQ8vhXLgo6jYk0FTIoEv6AlZ8bcwBBXOJey0EsNANsYo30zAfBQ6E7
7q11bHNx/FoyU08smySNI2+PWpYJ1hmTZySsIeC0U5aAETxUON10Z6Aqlw0KmXxt
QXCHTgZZM/VgvRZgkPG3a3TFaKaOel6fJhLuF9NGYoS5XG30MmrLH9D6R2NiSIfa
0tBJFp4RSXhHei2ZFJmtAX67fN8PPX9DOmVAo/pAm4ar0Otcvvu1eimpogHkI4JM
/F2MOXqmt+C6cbh51ejYWeA2INa+LJ+fPbPrRYuK7pMzeMtpZBRakWEtWmnT3FJC
WNFbggpk1T+7IU3AMbRpPJllTVqPH0xXZsifO0OEPwWoIZ04D13r+RYAD8OhYSnt
+Rhucrrc3IkBHAQQAQIABgUCRE447gAKCRB3suYAPSXT2fPsB/9vPcZvcJuf0uy0
HsGmHYtlI8m4Pz0b77UqAIxbJUx/DbGUEVmo3xXuSrXMghVLu9l9UTRqSSZAS89Y
BRGC7qKw86VLGZ5VDUHCEhLax3JtaV0wjrmy/1/FSBSeFrDxhZ69bhSXVER7832L
0zs4tAV/vFlODpXNdoOt6LnBWNq9ZgHjeqt4erbRdzKdora27joMfvkvqLUMn53R
KGKMU8hXw9u31J2n0sR5V8T847xfc3wyGWdCyGVA8CPnhkSdhwndqOvscsUOz6fZ
4ONL79vbLPvRWjGiVQNY+sux4alBoWwJqmOxdIg+cF6boeVDdMew7A1gJc/fwjK1
LyG+xCbU
=h2ya

• -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iQIVAwUBRKLIIC6BSUNq5uyYAQJqtw/+P/IHemCfiJr5NY8gbZJ/kTYpxlB1aQDv
nGPe+spwz37OBICo8P0yg//7eT6ismFF8TGZTRQf8pHi1nmx8b7XfuDiUpYTSIzO
MkRGcEjpNLmFX+wKjxdwjj37azxWmQkEJDP17fh6/sBKO/Husg8Z7sSglZZ78pIH
YynQeUBqMYOigHZlsUVpbSqErIH6hA5LpqCtW6/YV11CRUvg1pJEow8iuK5KrCYE
PslieQRuOQe6I0SMKs6cGm16b1tJ+hkATIn1d5T5VQ5bfylCQHxI2UAgKUBCgTzA
DStPffypZ1vbH0PriWOELdiNHBSWtwB7mTVt//hvatpws2PW2TQ6I9726+Zr0dBB
0QpYAWqL8p1pkTEpUzq9XRnFLPb4IQ7Lz9n3Bkba4VAGxu9HWbI7j7Y9RgR4wVXL
svR3AnJoKlL7z+8tJy/o7zU2r7kDGPDEsl+yjdcJPCbuwA6mSN/VVX5oA7zW8sEp
cOHiiFVU4uWDbh8XM9IP+xcbTR529ekrIJL7KVkqrm0LxIfHXHdBAd+EQxag010l
aCbxnrr+ilJry2PO2E+lgJI0lbGvWlGqnAYMARPuy1eI+QLT5D5utjiRo4C3li38
6KhlKGBN/HTEXoOKo7KfZN+GuxXrqwE2Jsu5f4K5fE/geDaDVrgE23l9NyGWEXl0
fIXbAAKD8Tk=
=5avL
-----END PGP SIGNATURE-----