VisualSVN Server 2.5.15 and VisualSVN Server 2.6.5 released

We are delighted to announce that VisualSVN Server 2.5.15 and VisualSVN Server 2.6.5 patch releases are available. These releases are based on Apache Subversion versions 1.7.13 and 1.8.3 respectively and address the following vulnerabilities:

• CVE-2013-4277 is fixed in Subversion 1.7.13;
• CVE-2013-4246, CVE-2013-4262 and CVE-2013-4277 are fixed in Subversion 1.8.3.

Upgrade to newer VisualSVN Server builds is recommended for all users.

If you are using VisualSVN Server 2.5, please update to VisualSVN Server 2.5.15 that is available for download at the version 2.5 download page.

If you are using VisualSVN Server 2.6, please update to VisualSVN Server 2.6.5 that is available for download at the main download page.

Changes in VisualSVN Server 2.5.15

Up-to-date VisualSVN Server 2.5 installations are not affected by CVE-2013-4277. However, it’s recommended to upgrade to VisualSVN Server 2.5.15 because it provides hotfixes for other significant issues. The changelog for VisualSVN Server 2.5.15 is the following:

• Updated to Apache Subversion 1.7.13 with a fix for the following vulnerability: CVE-2013-4277.
  For further details please see http://svn.apache.org/repos/asf/subversion/tags/1.7.13/CHANGES
• Updated to zlib 1.2.8.
• Hotfix: 'svn copy' operation fails if the copied subtree contains locked files.

Changes in VisualSVN Server 2.6.5

Up-to-date VisualSVN Server 2.6 installations are partially affected by CVE-2013-4246 vulnerability that allows remote attackers to corrupt a repository by editing packed revision properties. The risk is relatively low for VisualSVN Server users because of the following facts:

• revision properties packing is currently disabled by default;
• exploiting this vulnerability requires write access to the repository.

VisualSVN Server 2.6.5 also provides the following fixes and improvements:

• Updated to Apache Subversion 1.8.3 with fixes for the following vulnerabilities: CVE-2013-4246, CVE-2013-4262, CVE-2013-4277.
  For further details please see http://svn.apache.org/repos/asf/subversion/tags/1.8.3/CHANGES
• Updated to Serf 1.3.1.
• Hotfix: 'svn copy' operation fails if the copied subtree contains locked files.
• Fixed: migration of authorization settings fails if there are repositories without the 'conf' subdirectory.

Should I upgrade my production server to VisualSVN Server 2.6?

VisualSVN Server 2.6 that is based on the recently released Subversion 1.8 is already available for download. However, it is still not officially announced in our RSS channel and mailing lists. The current version of VisualSVN Server 2.6 works fine for the new customers, but we are currently working to solve technical issues that affect customers who upgrade from VisualSVN Server 2.5 and older versions.

We recommend upgrading to the version 2.5.15 if you currently use VisualSVN Server 2.5. Please upgrade to version 2.6.5 only if you have already upgraded your production servers to VisualSVN Server 2.6.