[announce] Turba H3 (2.0.5) (final)

chuck@horde.org chuck at horde.org
Sun Dec 11 11:36:52 PST 2005

The Horde Team is pleased to announce the final release of the Turba Contact
Manager version H3 (2.0.5).

This is a security release that fixes cross site scripting
vulnerabilities in several of the address book name and contact data
fields. None of the vulnerabilities can be exploited by
unauthenticated users; however, we strongly recommend that all users
of Turba 2.0.4 upgrade to 2.0.5 as soon as possible.

Many thanks to Johannes Greil of SEC Consult
(http://www.sec-consult.com/) for reporting these problems and working
with us to test the fixes.

Turba is the Horde contact management application. It is a production level
address book, and makes heavy use of the Horde framework to provide
integration with IMP and other Horde applications.

Major changes compared to the Turba version H3 (2.0.4) are:
    * Close several XSS vulnerabilities with address book and contact data.

The full list of changes (from version H3 (2.0.4)) can be viewed here:


The Turba H3 (2.0.5) distribution is available from the following locations:


Patches against version H3 (2.0.4) are available at:


Or, for quicker access, download from your nearest mirror:


MD5 sums for the packages are as follows:

    6e051d636308f0efcc70addb9a40e651  turba-h3-2.0.5.tar.gz
    b58e976be6a33c0efe83baec3c9919aa  patch-turba-h3-2.0.4-h3-2.0.5.gz

Have fun!

The Horde Team.

More information about the announce mailing list