VMware Server 1.0.5 build 80187

VMware has released a new version of VMware Server. The program has reached version number 1.0.5 build 80187 and can be downloaded for Windows and Linux from this page. VMware Server is a virtualization program for servers that allows multiple, different operating systems to run in a virtual environment. More information about this program can be found on the website. The developers have made the following changes in VMware Server 1.0.5:

Security Issues Resolved in VMware Server 1.0.5

  • A security vulnerability in OpenSSL 0.9.7j could make it possible to forge an RSA key signature. VMware Server 1.0.5 upgrades OpenSSL to version 0.9.7l to avoid this vulnerability. (bug 216497), RSA Signature Forgery (CVE-2006-4339)
  • An internal security audit determined that a malicious user could attain and exploit LocalSystem privileges by causing the authd process to connect to a named pipe that is opened and controlled by the malicious user. In this situation, the malicious user could successfully impersonate authd and attain privileges under which authd is executing. bug 235420, (Foundstone CODE-BUG-H-001)
  • An internal security audit determined that a malicious user could exploit an insecurely created named pipe object to escalate privileges or create a denial-of-service attack. bug 235833, (Foundstone CODE-BUG-H-002)
  • This release updates the libpng library to version 1.2.22 to remove various security vulnerabilities. bug 237049
  • A vulnerability in VMware Workstation running on Windows allowed complete access to the host’s file system from a guest machine. This access included the ability to create and modify executable files in sensitive locations. bug 240000, (CORE-2007-0930)
  • The authd process read and honored the vmx.fullpath variable in the user-writable file config.ini, creating a security vulnerability. bug 241648
  • The config.ini file could be modified by a non-administrator to change the VMX launch path. This created a vulnerability that could be exploited to escalate a user’s privileges. bug 241677

In addition, Version 1.0.5 improves Remote Console performance and screen refreshing.

Download http://register.vmware.com/content/download.html

VMware Player 2.0.3 build 80004

The virtualization program VMware Player has been upgraded to version 2.0.3. The new version can be downloaded for Windows and Linux after this page has been filled in. VMware Player makes it possible to run virtual machines created with VMware Workstation, VMware Server and VMware ESX Server. Virtual machines from Microsoft and Symantec LiveState Recovery are also supported.

VMware Player 2.0.3 addresses the following security issues:

  • On Windows hosts, if you have configured and enabled a shared folder, it is possible for an attacker to write arbitrary content from a guest system to arbitrary locations on the host system (CORE-2007-0930). (bug 200360)
  • This release updates the libpng library to version 1.2.22 to remove various security vulnerabilities. (bug 224453)

Download http://www.vmware.com/download/player/player_reg.html

GW7 SP3, GW65 SP6 update 3

GW7 SP3 and GW65 SP6 update 3 are out.

GroupWise 7 SP3 Windows and NLM US and MULTI 703
GroupWise 7 SP3 Linux Full US and MULTI 703
GroupWise 7 SP3 Windows Client US and MULTI 703
GroupWise 7 SP3 Linux Client US and MULTI 703
GroupWise 7 SP3 Mac Client US and Multi 703

GroupWise 6.5.6 Update 3 Windows client 656up3

GW7 SP3 Readme

Read Dean Lythgoe’s blog on this SP.

About the security issue:

Description:

A security vulnerability exists in the GroupWise Windows client API that can allow programmatic access to non-authorized email under certain conditions. The attacker must first authenticate to GroupWise and be a recipient of a shared folder from another user. The attacker could then exploit the vulnerability to gain unauthorized access to non-shared email in the mailbox of the sharer.

Cause: An unspecified error in the Windows client API

Workaround:

Users that have shared folders with other users can protect their email by removing shared access until remedial steps have been completed. It is not necessary to delete the contents of the shared folders and they can be re-shared after the administrator has locked out older client versions.

To remove shared access to a folder select the shared folder, click File > Sharing, then select Not shared.

Remedy:

For GroupWise 7 – Customers running GroupWise 7.0 clients should immediately upgrade all clients to GroupWise 7 SP3 (dated 09 Mar 2008) and lock out older clients via ConsoleOne.

GroupWise 6.5 Windows – Customers running GroupWise 6.5 Windows clients should immediately upgrade all Windows clients to the GroupWise 6.5 SP6 client Update 3 (dated 11 Mar 2008), or upgrade to GroupWise 7 SP3. Older clients must be locked out via ConsoleOne.

GroupWise 6.5 Linux – Customers running GroupWise 6.5 Linux or Mac clients should immediately upgrade to GroupWise 7 SP3 (dated 09 Mar 2008).

For GroupWise 6.0 and previous – Customers still running unsupported GroupWise client versions (5.x and 6) should immediately upgrade clients and servers to either GroupWise 6.5 SP6 Update 3 or to GroupWise 7 SP3. Older clients must be locked out via ConsoleOne.

If Blackberry Enterprise Server (BES) is installed in a GroupWise 7 environment then upgrade the BES to a version which supports the GroupWise 7 client (BES 4.0 SP 7 or BES 4.1 SP4), and upgrade the GW client installed on the machine to 7.0 SP3 (dated 09 Mar 2008).

If Blackberry Enterprise Server (BES) is installed in a GroupWise 6.5 environment then upgrade the GW client installed on the machine to 6.5 SP6 Client Update 3 (dated 11 Mar 2008).

Special Instructions and Notes:

For instructions on locking out older client versions please refer to GroupWise documentation for your GroupWise version:
GroupWise 7: http://www.novell.com/documentation/gw7/gw7_admin/index.html?page=/documentation/gw7/gw7_admin/data/adqaf1n.html

GroupWise 6.5: http://www.novell.com/documentation/gw65/index.html?page=/documentation/gw65/gw65_admin/data/adqaf1n.html

If running a mixed environment of 6.5 and 7.0 clients then make sure to lock out based on client release date rather than client version. The recommended date should be 08 Mar 2008 in order to ensure the system is not vulnerable.

RIM BES 4.1 SP5 for GroupWise

Posted by Jay Parker (NTS) in the NGW List:

I pinged my contacts at RIM and got the following info.

During the last GWAVA one of the presenters from RIM communicated that RIM is targeting SP5 for mid-year. It will include HTML and email rendering support along with some additional features. RIM is targeting feature parity with other platforms around the same time.

In email my RIM contact also mentioned that SP5 for the other platforms has not yet officially shipped. So now that BES for GroupWise 4.1.4 has shipped, all platforms are at the same SP level (at least for a little while). This seems to be confirmed by the link <…> provided from RIM which says that SP5 is “Coming Soon”.

I agree that it’s not good that BES SPs for GroupWise ship behind the Exchange SPs. In RIM’s defense I’ll state that we’re pushing them very hard to move their architecture away from the client API to SOAP. And as they make incremental steps to this effect with each release it can introduce bugs which cause delays.

We work very closely with their dev team. From my interactions with that team and other contacts at RIM, I’m convinced they have a very talented and committed team working on GroupWise. I think you’ll see improvement in quality with each release as well as Exchange SP vs. GroupWise SP availability window shorten.