New turba upstream version 2.2.1 was released to address XSS issue in the contact view. Note in upstream changelog: SECURITY: Escape contact names in the contact display view. Upstream patch: http://cvs.horde.org/diff.php/turba/contact.php?r1=1.11&r2=1.12 2.2.1 announcement: http://lists.horde.org/archives/announce/2008/000414.html http://cvs.horde.org/diff.php/turba/docs/CHANGES?r1=1.181.2.165&r2=1.181.2.170&ty=h Other references: http://secunia.com/advisories/30697/ Rawhide already has 2.2.1 (turba-2.2.1-1.fc10). There's no contact.php in 2.1.7 currently in F8 and F9, and I failed to find this code elsewhere. Double-check is appreciated though.
turba-2.2.1-1.fc9 has been submitted as an update for Fedora 9
turba-2.2.1-1.fc8 has been submitted as an update for Fedora 8
(In reply to comment #0) > Rawhide already has 2.2.1 (turba-2.2.1-1.fc10). There's no contact.php in 2.1.7 > currently in F8 and F9, and I failed to find this code elsewhere. Double-check > is appreciated though. Thanks, my plan was already to update F-8/F-9 to 2.2.1. Feel free to untag the updates as security though. Also EPEL-5 now has an updated version (2.2.1).
turba-2.2.1-1.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update turba'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-5652
(In reply to comment #3) > Thanks, my plan was already to update F-8/F-9 to 2.2.1. Feel free to untag the > updates as security though. Given the information in comment #0, I changed them to enhancement. Feel free to request stable as needed. Sorry for the delay.
No further action needed here, closing.
CVE-2008-6746: Cross-site scripting (XSS) vulnerability in the contact display view in Turba Contact Manager H3 before 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the contact name.