CVE-2005-3539

Name	CVE-2005-3539
Description	Multiple eval injection vulnerabilities in HylaFAX 4.2.3 and earlier allow remote attackers to execute arbitrary commands via (1) the notify script in HylaFAX 4.2.0 to 4.2.3 and (2) crafted CallID parameters to the faxrcvd script in HylaFAX 4.2.2 and 4.2.3.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-933-1
Debian Bugs	347298

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
hylafax (PTS)	jessie, jessie (lts)	3:6.0.6-6+deb8u1	fixed
	stretch (security), stretch (lts), stretch	3:6.0.6-7+deb9u1	fixed
	buster	3:6.0.6-8.1	fixed
	bullseye	3:6.0.7-3.1	fixed
	bookworm	3:6.0.7-5	fixed
	sid, trixie	3:6.0.7-11	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
hylafax	source	woody	4.1.1-4woody1	DSA-933-1
hylafax	source	sarge	1:4.2.1-5sarge3	DSA-933-1
hylafax	source	(unstable)	2:4.2.4-2		347298

First patch had regressions