We are glad to announce VisualSVN Server patch releases that contain an update to Apache HTTP Server 2.4.54 and OpenSSL 1.1.1q and fix several issues.
The Apache HTTP Server 2.4.54 patch release addresses the CVE-2022-31813 and CVE-2022-26377 vulnerabilities found in the mod_proxy and mod_proxy_ajp Apache modules, respectively. Both affected modules are shipped with VisualSVN Server, but they are not loaded or enabled by default. Therefore, these vulnerabilities do not affect VisualSVN Server installations unless the modules were manually enabled by an administrator.
Other vulnerabilities fixed in Apache HTTP Server 2.4.54 and OpenSSL 1.1.1q do not affect up-to-date VisualSVN Server installations. Nevertheless, upgrading to the new builds is recommended for all users.
Update for VisualSVN Server
Choose an appropriate maintenance build if you do not want to perform a significant upgrade right now:
- VisualSVN Server 4.3.10 if you have version 4.3.x installed.
- VisualSVN Server 4.2.13 if you have version 4.2.x installed.
Other version families of VisualSVN Server are not supported, and maintenance updates are not available for them. It is strongly recommended to upgrade to VisualSVN Server 5.0.x if you are using any version family older than 4.2.x. Read the article KB174: Upgrading to VisualSVN Server 5.0 before upgrading.