A fix is available
Closed as program error.
Ostensibly secure connections with a sendmail server enabled for TLS (i.e. the binary originally shipped and installed on AIX systems as /usr/sbin/sendmail_ssl) are vulnerable as described in Common Vulnerabilities and Exposures report CVE-2009-4565, quoted below. This applies to sendmail versions below 8.14.4.

The version, and whether it was built with TLS support, can be checked with the command /usr/sbin/sendmail -d0.10 < /dev/null: the version is printed first, and "STARTTLS" appears in the "Compiled with" list of modules if TLS support is present.

Whether the running sendmail is the TLS-enabled one can also be checked by looking for a "250 STARTTLS" line in the server's response when a connection to the sendmail server is established in either of the following two ways:
1) send "ehlo <your-domain-name>" followed by "quit" over a connection to the sendmail server host made with: telnet <server-address> smtp
2) echo test | mail -v <username>@<server-address>

CVE-2009-4565 notice: "sendmail before 8.14.4 does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, ..."
The vulnerability does not apply if TLS is not being supported. Switching to sendmail_nonssl would prevent a false assumption of a secure connection.
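The following is an added example, not part of the APAR or of sendmail itself: it parses constructed "sendmail -d0.10" output for the version and STARTTLS checks described above, and contrasts a NUL-truncating CN comparison (the defect behind CVE-2009-4565) with a length-aware one.

```python
# Added example, not from the APAR or from sendmail: reproduces the two
# checks the record describes (version and STARTTLS from "sendmail -d0.10")
# and contrasts a NUL-truncating CN comparison with a length-aware one.
import re

# Constructed sample of "sendmail -d0.10 < /dev/null" output (first lines only).
SAMPLE_D0_OUTPUT = """Version 8.14.3
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
\t\tNAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SCANF
\t\tSTARTTLS TCPWRAPPERS USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
"""

def parse_sendmail_d0(output: str):
    """Return (version, has_starttls) parsed from -d0.10 output."""
    ver = re.search(r"^Version (\d+\.\d+\.\d+)", output, re.M)
    # The "Compiled with:" list runs until the next blank line.
    compiled = re.search(r"Compiled with:(.*?)(?:\n\s*\n|\Z)", output, re.S)
    has_tls = bool(compiled and "STARTTLS" in compiled.group(1).split())
    return (ver.group(1) if ver else None), has_tls

def version_tuple(v: str):
    return tuple(int(p) for p in v.split("."))

def affected(output: str) -> bool:
    """True when STARTTLS is compiled in and the version is below 8.14.4."""
    version, has_tls = parse_sendmail_d0(output)
    return has_tls and version is not None and version_tuple(version) < (8, 14, 4)

# The defect: comparing the CN as a C string stops at the first NUL byte,
# so a CN of "good.example\0anything" compares equal to "good.example".
def c_string_cn_matches(cn: bytes, expected: str) -> bool:
    return cn.split(b"\x00", 1)[0] == expected.encode()

# Fixed handling: use the field's full length and reject an embedded NUL.
def length_aware_cn_matches(cn: bytes, expected: str) -> bool:
    if b"\x00" in cn:
        return False
    return cn == expected.encode()
```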
Secure connections with a sendmail server enabled for TLS (i.e. the binary originally shipped and installed on AIX systems as /usr/sbin/sendmail_ssl) are vulnerable as described in Common Vulnerabilities and Exposures report CVE-2009-4565
Code is modified to correctly handle the '\0' character in the Common Name (CN) field of an X.509 certificate.
5300-08 - use AIX APAR IZ72834
5300-09 - use AIX APAR IZ72835
5300-10 - use AIX APAR IZ72836
5300-11 - use AIX APAR IZ72837
5300-12 - use AIX APAR IZ72526
6100-01 - use AIX APAR IZ72528
6100-02 - use AIX APAR IZ72515
6100-03 - use AIX APAR IZ72510
6100-04 - use AIX APAR IZ70637
6100-05 - use AIX APAR IZ72539
6100-06 - use AIX APAR IZ72602
7100-00 - use AIX APAR IZ89860
Reported component name
AIX 610 STD EDI
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
AIX 610 STD EDI
Fixed component ID
Applicable component levels
R610 PSY U825316
UP10/04/19 I 1000
PTF to Fileset Mapping
U825316 bos.net.tcp.client 126.96.36.199