We are glad to announce the availability of VisualSVN Server patch releases based on Apache HTTP Server 2.4.41. These updates address the following vulnerabilities: CVE-2019-10081, CVE-2019-9517, CVE-2019-10098, CVE-2019-10092, CVE-2019-10097 and CVE-2019-10082.
Up-to-date VisualSVN Server installations are potentially affected by the CVE-2019-10098 vulnerability. This is a low-risk vulnerability and it has no security impact in VisualSVN Server. Nevertheless, upgrading to the newer VisualSVN Server builds is recommended for all users.
Note that the Apache HTTP Server 2.4.41 patch release also addresses the CVE-2019-10092 and CVE-2019-10097 vulnerabilities found in the mod_proxy and mod_remoteip Apache modules, respectively. Both affected modules are shipped with VisualSVN Server, but they are not loaded or enabled by default. Therefore, these vulnerabilities do not affect VisualSVN Server installations unless the modules were manually enabled by an administrator.
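One way to check the condition described above, as an added example that is not VisualSVN's own tooling: it scans Apache configuration text for active `LoadModule` directives naming the two modules and reports the CVE this announcement ties to each. It assumes the standard Apache identifiers `proxy_module` and `remoteip_module`; the sample configuration and its module paths are constructed, the configuration file path is site-specific, and `Include` directives are not followed.

```python
import re
import sys

# Standard Apache module identifiers mapped to the CVEs this announcement
# associates with mod_proxy and mod_remoteip.
MODULE_CVES = {
    "proxy_module": "CVE-2019-10092",
    "remoteip_module": "CVE-2019-10097",
}
# Directive names are case-insensitive; a leading '#' makes the line a comment.
LOADMODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S.*?)\s*$", re.IGNORECASE)

# Constructed sample, not a real VisualSVN Server configuration.
SAMPLE_CONF = """\
LoadModule dav_module bin/mod_dav.so
# Shipped but disabled:
#LoadModule proxy_module bin/mod_proxy.so
loadmodule remoteip_module \\
    bin/mod_remoteip.so
"""

def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:  # file ended in the middle of a continuation
        yield start, buf

def enabled_modules(text):
    """Return [(line_no, module, cve)] for active LoadModule lines of interest."""
    hits = []
    for no, line in logical_lines(text):
        m = LOADMODULE.match(line)
        if m and m.group(1) in MODULE_CVES:
            hits.append((no, m.group(1), MODULE_CVES[m.group(1)]))
    return hits

if __name__ == "__main__":
    # Optional argument: path to the server's Apache configuration file.
    conf = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_CONF
    for no, mod, cve in enabled_modules(conf):
        print(f"line {no}: {mod} is loaded, so {cve} applies until the server is upgraded")
```

Run it against each configuration file that an administrator may have edited, since a module enabled in an included file is not seen when only the main file is scanned.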
Choose an appropriate maintenance patch update if you do not want to perform a significant upgrade right now:
- VisualSVN Server 3.9.7 if you have version 3.9.x installed.
- VisualSVN Server 3.8.9 if you have version 3.8.x installed.
Other version families of VisualSVN Server are not supported and maintenance updates are not available for them. It is strongly recommended to upgrade to VisualSVN Server 4.0.x if you are using any version family older than 3.8.x. Read the KB149: Upgrading to VisualSVN Server 4.0 article before upgrading.