The security problem occurs because the environment that the "sendmail" program is run with comes from the user (with some potentially dangerous variables removed). It is thus possible for an attacker to influence the mail program via environment variables. This is compounded by the fact that, since Sudo runs the mail program with both real and effective uids set to 0 (root), the mailer cannot tell that it has been invoked from a setuid process and therefore cannot know to treat the environment with suspicion.
Currently, the only sendmail replacement known to be affected is Postfix, but others may be as well. I did a quick check of the current version of Sendmail and it does not appear to trust the environment in any significant manner, so it is probably safe. However, to be on the safe side I recommend that people upgrade to Sudo 1.6.4 or higher, which runs the mail program with a clean environment. Admins wishing to run the mailer as the invoking user rather than as root should use the --disable-root-mailer configure option in Sudo 1.6.5.
import_environment = TZ
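The clean-environment approach adopted in Sudo 1.6.4, shown here as an added example rather than Sudo's own code: a setuid wrapper rebuilds the child's environment from fixed values plus a short allowlist (only TZ here, mirroring the Postfix import_environment line above) and hands that array to execve() explicitly instead of letting the mailer inherit the caller's environ. The allowlist, the PATH value and the sendmail path are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Names a setuid program may pass through from its caller's environment.
 * Assumed allowlist for this example: only TZ, so the mailer keeps the
 * user's time zone and nothing else the caller controls. */
static const char *const allowed[] = { "TZ", NULL };

/* Values the child always gets, regardless of what the caller set. */
static const char *const fixed_env[] = {
    "PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL
};

/* Returns 1 if the "NAME=value" entry has an allowlisted NAME. */
static int env_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL) return 0;           /* malformed entry: drop it */
    size_t n = (size_t)(eq - entry);
    for (int i = 0; allowed[i] != NULL; i++)
        if (strlen(allowed[i]) == n && strncmp(allowed[i], entry, n) == 0)
            return 1;
    return 0;
}

/* Build a NULL-terminated envp for execve(): fixed entries first, then only
 * the allowlisted entries of caller_env. The caller frees the array. */
char **build_clean_env(char *const *caller_env)
{
    size_t cap = 1, n = 0;
    for (int i = 0; fixed_env[i] != NULL; i++) cap++;
    for (int i = 0; caller_env[i] != NULL; i++) cap++;
    char **envp = calloc(cap, sizeof *envp);
    if (envp == NULL) return NULL;
    for (int i = 0; fixed_env[i] != NULL; i++)
        envp[n++] = (char *)fixed_env[i];
    for (int i = 0; caller_env[i] != NULL; i++)
        if (env_allowed(caller_env[i]))
            envp[n++] = caller_env[i];
    envp[n] = NULL;
    return envp;
}

int main(void)
{
    extern char **environ;
    char **envp = build_clean_env(environ);   /* what the mailer would see */
    for (int i = 0; envp != NULL && envp[i] != NULL; i++)
        puts(envp[i]);
    /* In the real wrapper: execve("/usr/sbin/sendmail", argv, envp); */
    free(envp);
    return 0;
}
```

Running it prints only PATH and (if set) TZ; everything else the invoking user placed in the environment is absent from what the child would receive.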