We are glad to announce the availability of VisualSVN Server patch releases based on Apache HTTP Server 2.2.27. These releases address the following vulnerabilities: CVE-2013-6438, CVE-2014-0098. Upgrade to newer VisualSVN Server builds is recommended for all users.
Up-to-date VisualSVN Server installations are partially affected by the CVE-2013-6438 security vulnerability that allows remote attackers to cause a denial of service (daemon crash). Exploiting this vulnerability does require write access to the repository, so the risks are relatively low. Please choose appropriate patch build that corresponds to your current version.
If you are using VisualSVN Server 2.5, please update to VisualSVN Server 2.5.18 that is available for download at the version 2.5 download page.
If you are using VisualSVN Server 2.6 or 2.7, please upgrade to VisualSVN Server 2.7.5 that is available for download at the main download page.
Note that VisualSVN Server 2.6 product family is no longer supported and we encourage all VisualSVN Server 2.6 users to upgrade to the version 2.7. The upgrade process from version 2.6 to version 2.7 is straightforward and upgrade issues are not expected.
Comparing to the previous version, there are the following changes in the VisualSVN Server 2.7.5: