GroupWise 2014 R2 SP1 HP1 (14.2.1.1) has been released.

Security Fixes
- This Hot Patch updates the Oracle Outside In technology to version 8.5.3, which includes security fixes. For more information on the specific bug fixes included in this release of the Outside In technology, please see http://www.oracle.com/technetwork/se...6-2881720.html

- This Hot Patch updates the version of Java included with GroupWise to 8.0.102, which included some security-related fixes from Oracle. For more information on the specific bug fixes in this release of Java, please see http://www.oracle.com/technetwork/ja...s-3021768.html

- Resolved a vulnerability in the user authorization code in the Linux POA that may allow a user with valid Kerberos credentials to access the mailbox of another user on the same post office if the post office and user were configured to allow Kerberos authentication.

- Resolved a vulnerability in the GroupWise Administration Console that may allow an attacker to execute JavaScript in the context of an authenticated user by tricking the user into clicking on a specially crafted link. This could lead to session compromise or enable other browser-based attacks. The vulnerability was discovered and reported by Wolfgang Ettlinger working with SEC Consult. MicroFocus Bug 987681, CVE-2016-5760. Related TID: http://www.novell.com/support/kb/doc.php?id=7017973

- Resolved a vulnerability in the GroupWise WebAccess message viewer that may allow an attacker to execute JavaScript in the context of an authenticated user by getting the user to interact with a malicious mail message sent by the attacker. This could lead to session compromise or enable other browser-based attacks. Novell Bug 987682, CVE-2016-5761. Related TID: http://www.novell.com/support/kb/doc.php?id=7017974

- Resolved a vulnerability in the GroupWise Post Office Agent that may allow a remote unauthenticated attacker to write past the end of a heap buffer with up to 64K of attacker-controlled data via undisclosed vectors involving an integer overflow. This is likely to affect the availability of the post office agent and could possibly be used to achieve remote code execution if other protection mechanisms are bypassed. This vulnerability was discovered and reported by Wolfgang Ettlinger working with SEC Consult. MicroFocus Bug 987683, CVE-2016-5762. Related TID: http://www.novell.com/support/kb/doc.php?id=7017975


Change Log

990955, 990647, 991264, 991737 - Client hangs when opening large plain text email
988318 - New mail flag on shared folder shows regardless of new mail or not
984925 - GroupWise is unable to index PDF files created with PDF Creator version 1.6
931680 - DVA image conversion too long causing errors in WebAccess
990954, 988979 - Reply to users not in user's address book can generate D027 errors and fail
991528 - Fixed problem with WebAccess authentication timeout
990715 - Fixed problem with viewing SVG attachments