In association with heise online

20 August 2007, 15:39

Security vulnerability in Mercury Mail [Update]

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

A security vulnerability in Mercury/32, the free mail server program from the developer of Pegasus Mail can be exploited by attackers to inject and execute arbitrary code. Sending a very long string in an AUTH CRAM-MD5 query for authentication to the mail server can cause a buffer overflow to occur in the mercurys.dll file.

The bug affects the current version of the server, version 4.51. Older versions may also be vulnerable. The developer has not yet released a security update. Until a patch becomes available, Mercury mail server administrators should restrict access to trusted persons and computers.

Updates for the Mercury Server are now available. Mercury/32 4.52 replaces the faulty Version 4.51. For users still running Version 4.01b the Update to Version 4.01c fixes the error. The developer has also made a patch available for the Novell-Version of Mercury/32.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit