On Aug. 14, Novell issued an urgent request to all users of GroupWise 5.5e prior to SP3a or GroupWise 6.0 prior to SP1 to immediately apply a "padlock" patch (info | download) to their servers and clients. While Novell said that the client side can wait and contains only changes that enhance performance, the server portion is reported to be very important and Novell recommended that users apply it within hours of the notice.
The perplexing part of this issue is that Novell refuses to discuss any reasoning behind this patch or the security problem it solves. In a FAQ issued on Aug. 17, Novell said that it wants to give its customers time to apply this patch before releasing details about the problems surrounding it. The FAQ also indicates that Novell has been working on this patch since finding a security problem on Aug. 6.
Sources inside Novell stated that a departmental meeting was held for all support engineers on Aug. 17 detailing the patch's application. However, while they were told that they were to provide free support (something I can never recall happening at Novell) to any callers for this issue, they were told not to discuss why the patch is needed or offer any speculation about it. The engineers themselves were also apparently kept in the dark about the issue, and it seems that only a handful of people at Novell know the actual issues involved with the patch.
The people at Novell who are privy to this information simply told the support engineers in this meeting that all of the current speculation out on the Web was wrong. However, they went on to say that when the truth does get out, those who have not yet patched their GroupWise servers will be in a big rush to do so once they understand the severity of the problem.
This strange behavior is something new from the usually open Novell. It indicates either a shift toward other companies’ tactics regarding security issues or a problem of such magnitude that Novell feels it’s utterly important to keep the flaw a secret as long as possible. Novell claims that its actions are designed to give administrators time to patch their systems before the security flaw is announced on security sites across the Web, which will open the door for large numbers of hackers to target GroupWise servers.
Whatever the case, it is clear that anyone who has not made this patch should do so immediately. Only time may reveal the ultimate reasoning behind this strange event. However, this situation raises a larger question about how Novell and other vendors interact with their clients in relation to security flaws, software defects, and releasing software patches. Do you feel that Novell is properly protecting its customers by withholding information about the issue? Post a comment in the discussion below and tell us what you think.
Packratt’s Network Tips
David Packman is a longtime member of TechRepublic. He has been well known under his TechRepublic screen name, packratt, for his frequent contributions to discussions in various parts of our site. His posts are renowned for being insightful and candid, so we talked him into doing some formal writing for our site. He now regularly shares his network tips as part of this column.