Four new vulnerabilities have recently been identified in the OpenSSL library. The most critical among them is CVE-2014-3566, a vulnerability in the SSL 3.0 cryptographic protocol. The vulnerability is known as "POODLE" and can be exploited through a Man-in-the-Middle (MITM) attack.
We have disabled the SSL 3.0 protocol in the new VisualSVN Server and VisualSVN builds in order to mitigate the vulnerability. Please note that very old Subversion clients that do not support TLS 1.0 might be unable to connect to VisualSVN Server after the upgrade.
VisualSVN Server users should choose the appropriate patch build that corresponds to their currently installed version:
- If you are using VisualSVN Server 3.0, please upgrade to VisualSVN Server 3.0.1, which is available from the main download page.
- If you are using VisualSVN Server 2.7, please upgrade to VisualSVN Server 2.7.10, which is available from the version 2.7 download page.
- If you are using VisualSVN Server 2.5, please upgrade to VisualSVN Server 2.5.23, which is available from the version 2.5 download page.
Users of VisualSVN for Visual Studio should update to VisualSVN 4.0.10, which is available on its main download page.