We are delighted to announce VisualSVN Server patch releases based on Apache HTTP Server 2.2.25. These releases address the following vulnerabilities: CVE-2013-1896, CVE-2013-1862 and CVE-2013-4131. Upgrade to newer VisualSVN Server builds is recommended for all users.
Up-to-date VisualSVN Server installations are partially affected by the CVE-2013-1896 security vulnerability that allows remote attackers to cause a denial of service (segmentation fault). Exploiting this vulnerability does require write access to the repository, so the risks are relatively low. Please choose appropriate patch build that corresponds to your current version.
If you are using VisualSVN Server 2.5, please update to VisualSVN Server 2.5.12 that is available for download at the version 2.5 download page.
If you are using VisualSVN Server 2.1, please update to VisualSVN Server 2.1.15 that is available for download at the version 2.1 download page.
If you have already upgraded to VisualSVN Server 2.6, please update to VisualSVN Server 2.6.2 that is available for download at the main download page.
Comparing to the previous version, there are the following changes in the VisualSVN Server 2.6.2:
- Updated to Apache HTTP Server 2.2.25 with fixes for the following vulnerabilities: CVE-2013-1896, CVE-2013-1862.
- Updated to Apache Subversion 1.8.1 with fix for
For further details please see http://svn.apache.org/repos/asf/subversion/tags/1.8.1/CHANGES
- Updated to zlib 1.2.8.
- Enable SVNAllowBulkUpdates prefer option to force all-inclusive responses to update-style HTTP requests.
- 'svnmucc' command-line tool is included into the installation package.
Nevertheless that VisualSVN Server 2.6 based on the recently released Subversion 1.8 is already available for download, it is still not officially announced in our RSS channel and mailing lists. We recommend upgrading to the version 2.5.12 if you currently use VisualSVN Server 2.5. Please upgrade to version 2.6.2 only if you have already upgraded your production servers to VisualSVN Server 2.6.