Launchpad.net

CVE 2009-4565

sendmail before 8.14.4 does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Related bugs and status

CVE-2009-4565 (Candidate) is related to these bugs:

Bug #521760: Please merge sendmail 8.14.3-9.1(main) from debian squeeze(main)

Summary				In	Importance	Status
	521760	Please merge sendmail 8.14.3-9.1(main) from debian squeeze(main)		sendmail (Ubuntu)	Undecided	Fix Released

Bug #604996: Update sendmail due to vulnerability in 8.14.3

Summary				In	Importance	Status
	604996	Update sendmail due to vulnerability in 8.14.3		sendmail (Ubuntu)	Undecided	Invalid

Bug #673814: Sync sendmail 8.14.4-2 (main) from Debian unstable (main)

Summary				In	Importance	Status
	673814	Sync sendmail 8.14.4-2 (main) from Debian unstable (main)		sendmail (Ubuntu)	Wishlist	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://www.sendmail.or...
BID: 37543
SECUNIA: 37998
VUPEN: ADV-2009-3661
DEBIAN: DSA-1985
SECUNIA: 38314
SUSE: SUSE-SR:2010:006
SECUNIA: 38915
SECUNIA: 39088
SUNALERT: 1021797
SECUNIA: 40109
VUPEN: ADV-2010-1386
VUPEN: ADV-2010-0719
REDHAT: RHSA-2011:0262
SECUNIA: 43366
VUPEN: ADV-2011-0415
GENTOO: GLSA-201206-30
HP: HPSBUX02508
HP: SSRT100007
OVAL: oval:org.mitre.oval:de...
OVAL: oval:org.mitre.oval:de...