=====================================================================
                                    CERT-Renater

                         Information Note No. 2011/VULN179
_____________________________________________________________________

DATE                      : 03/03/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Novell Vibe OnPrem version 3.0.

======================================================================
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5088845.html
______________________________________________________________________

Vibe OnPrem 3.0 Hot Patch 1

This document (5088845) is provided subject to the disclaimer at the end
of this document.

patches this patch supersedes
  This patch does not supersede any other patches.
patches that supersede this patch
  This patch is not superseded by any other patches.

patch attributes
Architecture: x86-64
Security patch: Yes
Priority: Mandatory
Distribution Type: Public
http://download.novell.com/Download?buildid=Z_FwQ7nw4uw~

document
Revision: 1
Document ID: 5088845
Creation Date: 2011-02-25 13:43:21

abstract

This patch addresses a security vulnerability as well as a few other
general bug fixes to Novell Vibe OnPrem 3.0.

details

System Requirements:

This patch is provided as a complete Vibe OnPrem 3.0 installer and
can be used for a new Vibe OnPrem 3.0 installation as well as for
updating an existing Vibe OnPrem 3.0 or a Teaming 2.x installation.

Installation:

Scenario I - For a new Novell Vibe OnPrem 3.0 install, please follow
the installation steps listed in the Novell Vibe OnPrem 3.0
installation guide located here.

Scenario II - If you are updating from Novell Teaming 2.x to Vibe OnPrem 3.0,
please follow the installation steps listed in the Novell Vibe OnPrem 3.0
installation update guide located here.

Scenario III - If you are currently running Novell Vibe OnPrem 3.0,
execute the installer for your respective Operating System
(Linux/Windows) and when prompted choose the option to "Update
software and settings".

Please ensure that you have copied the installer.xml file from the
directory where the Novell Vibe OnPrem 3.0 installation is located
to the directory where you have extracted the patch installer. By
default, your site's installer.xml is stored in a folder called
teaming-config located at the same level as your Vibe OnPrem 3.0
install.

You will also need to copy your 'license-key.xml' file to the
directory where you have extracted the patch installer.

Technical Support Information:
If you need help or have questions about this Hot Patch, please
contact Novell Technical Support.

security fixes

A security vulnerability was found in Novell Vibe OnPrem 3.0 which
allows remote attackers to execute arbitrary code on vulnerable
installations of Novell Vibe OnPrem. Authentication is not required
to exploit this vulnerability.

CVE Number:
CVE-2011-0464

Reporter Credits:
anonymous


change log

This patch also addresses the following general product defects:

1. Not possible to log out of Vibe OnPrem on a mobile device.
2. Workflow notifications are not working.
3. Reduce number of audit trail records created from stateless services.

file contents
Files Included	Size	Date
novell-vibe-3.0.0-linux.tar	147.5 MB (154746880)	2011-02-25 13:45:48
novell-vibe-3.0.0-windows.zip	145.4 MB (152545128)	2011-02-25 13:28:28
readme_5088845.html	N/A	2011-02-25 13:52:46

disclaimer

The origin of this information may be internal or external to Novell.
Novell makes all reasonable efforts to verify this information. However,
the information provided in this document is for your information only.
Novell makes no explicit or implied claims to the validity of this
information. Any trademarks referenced in this document are the
property of their respective owners. Consult your product manuals
for complete trademark information.

Novell is a registered trademark of Novell, Inc. in the United States
and other countries. SUSE is a registered trademark of SUSE Linux AG,
a Novell business. *All third-party trademarks are the property of
their respective owners.

© 2007 Novell, Inc. All Rights Reserved.


======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================

