Last update 05-Dec-2004.

Changes and additions for version 4.01b

This patch version is released on 05-December-2004.

The following changes have been made after the release of the former 4.01a version:

Added between the pre-release and the final release:

  • Get the patch on
  • A user has just pointed out that the SEARCH command is broken in the v4.01b IMAP server - it no longer accepts *any* CHARSET parameter. This is a bug introduced during the frenzy of exploit patching, and it's fixed now.
In the pre-release version (released on 02-Dec-04):
  • The primary change in this code is a general tightening-up of buffer-length conditions in the MercuryI IMAP server. here is now added comprehensive buffer overflow detection to all IMAP commands, not just those executed in the not-logged-in state.
  • You can now set the thread limit in MercuryE. The default value is 10, but you can set it to any value from 1 upwards.
  • There is a new MercuryS transaction processing rule, the "M" command, which can be used to check the MAIL FROM: command. The syntax is the same as the "R" command. I don't know if this is new or not, but there is now also a new "F" action you can take in a transaction filter, which simply fails the command with whatever diagnostic you supply. This is handy for temporarily disabling certain addresses if you come under DDOS attack.
    This command differs from the "R" action in that it does not prevent further commands from succeeding - it simply fails the current command.
  • MercuryS is now much more stringent about checking buffer lengths. There weren't any buffer overflows in the code, but it's tightened up even further so that more abnormal length commands will be regarded as attempted attacks.

Han van den Bogaerde
e-mail  Homepage