---------------------------------------------------------------------
                        Mercury/32 v4, May 2007
                  Patch for MercuryI (IMAP4 server)

                     Mercury Mail Transport System,
       Copyright (c) 1993-2007, David Harris, all rights reserved
---------------------------------------------------------------------


This ZIP file contains a version of MercuryI that addresses a security
vulnerability associated with the use of IMAP4 "literals". While the
vulnerability can (as best we can tell) only be used to crash Mercury,
it does not require authentication and is therefore considered serious.

This build also contains fixes for two serious memory leaks in MercuryI.
These were the most serious leaks found in an extensive memory usage
audit carried out during the development of Mercury/32 v4.5 (also due
for release in May 2007); other leaks were found that could not easily be
corrected without holding up the release of the patch, and we felt that
the security considerations overrode issues of memory efficiency. The
memory leaks remaining in this patched version are not considered major
impediments to normal operation of the server.

All sites running Mercury/32 v4.01b should consider this a mandatory
upgrade. Note that you can only apply this patch to Mercury/32 v4.01b -
you should not attempt to apply it to raw v4.01a or earlier systems.

To install this patch, simply exit from Mercury/32 if it is currently
running, then copy the file MERCURYI.DLL from this archive into the
same directory as MERCURY.EXE, overwriting any existing DLLs there
with the same name. All existing configuration and operating parameters
will be preserved.

David Harris
Author, Mercury/32 Mail Transport System
May 2007.

