Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

OT - Groupwise Protocol(s) (was Re: Operating Systems Security, 'Microsoft Security, baby steps')
From: "Ian Latter" <Ian.Latter () mq edu au>
Date: Sun, 21 Mar 2004 19:34:21 +1000


Hello Daniele,

  I'm catching up on email and saw this -- are you (or anyone else 
here) familiar with the notify protocol running under the fat-client
verison of Groupwise?  If so can you email me off list .. I want to
know if there's a way around the UDP->TCP flip that it does mid-
stream (can be seen on a decent sized Busy Search in the 
Schedule/Calendar) -- or predict the outbound port used to notify
on new email, prior the inbount poll done by the client every 8 
minutes.

  We've been burnt by these oddities in the protocol and aren't
getting anywhere with Novell (apparently they were reporting a
52 hour wait on their support queue last week  ;-)


Thanks,


----- Original Message -----
From: "Daniele Muscetta" <daniele () muscetta com>
To: <todd () hostopia com>
Subject:  Re: [Full-disclosure] Operating Systems Security, 'Microsoft Security, baby steps'
Date: Thu, 18 Mar 2004 11:18:51 +0100

Todd Burroughs said:
Kudos to SuSE, keep up the good work!  We're getting nervous with the
Novell thing, but keep security first.


Yeah..... tell Novell, indeed:

http://support.novell.com/cgi-bin/search/searchtid.cgi?/2968352.htm

for their propreitary Groupwise Webmail interface I have been waiting for
MONTHS for this fix.... it has been in BETA for months now, looks like
forever.... and it says:
[...] This patch also addresses OpenSSL security vulnerabilities described
in CERT® Advisories CAN-2003-0543 (VU#255484), CAN-2003-0544 (VU#380864),
VU#686224, and VU#732952 [...]
.....which is not yesterday's bug. But a much older one.
It's kept very quiet though. Any other distro/vendor has had it fixed for
ages now.
I believe that the known exploits for linux/unix don't work on Netware so
they think it is safe to take that long to fix it.....
Yeah, this BETA fix is there.... but:
[...] Groupwise 6.5 WebAccess SP2 Field Test File revision E. This patch
should be used to verify bug fixes prior to the official release of
GroupWise 6.5 Support Pack 2. Fixes in this FTF are not guaranteed to be
included in the shipping release of Groupwise 6.5 SP2. [...]
So.... is one supposed to install it or not ?

Good that SuSE *still* works indipendently enough.

Daniele



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


--
Ian Latter
Internet and Networking Security Officer
Macquarie University

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • OT - Groupwise Protocol(s) (was Re: Operating Systems Security, 'Microsoft Security, baby steps') Ian Latter (Mar 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]