We are glad to announce the new VisualSVN Server 5.1.4 patch release that contains an update to Apache HTTP Server 2.4.57 and to APR Util 1.6.3.
The update to Apache HTTP Server 2.4.57 fixes the critical-level CVE-2023-25690 vulnerability found in the mod_proxy module. Although this module is shipped with VisualSVN Server, it is not loaded or enabled by default. Therefore, this vulnerability does not affect VisualSVN Server installations unless the module was manually enabled by the administrator. Another vulnerability fixed in this update—CVE-2023-27522—is related to the mod_proxy_uwsgi module, which is not shipped with VisualSVN Server.
The update to APR Util 1.6.3 fixes the critical-level CVE-2022-25147 vulnerability. This vulnerability also does not affect non-customized installations of VisualSVN Server, because VisualSVN Server does not use the functions provided by APR Util in a way that would allow this vulnerability to be exploited.
Although these vulnerabilities do not affect non-customized installations of VisualSVN Server, it is nevertheless strongly recommended that you update to the new VisualSVN Server 5.1.4 build.
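To confirm that an installation falls under the "not loaded or enabled by default" case described above for mod_proxy, an administrator can check the server's Apache configuration for active `LoadModule` directives that load proxy modules. The following is an added example, not code from VisualSVN or from the original announcement. It assumes you pass in the text of the configuration file yourself, since the announcement does not give its location; the function names, module paths and sample configuration are constructed for illustration.

```python
import re

# Apache directive names are case-insensitive; arguments may be double-quoted.
LOADMODULE_RE = re.compile(r'^\s*LoadModule\s+(\S+)\s+("[^"]+"|\S+)', re.IGNORECASE)
INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+("[^"]+"|\S+)', re.IGNORECASE)
PROXY_ID_RE = re.compile(r'^proxy(_\w+)?_module$')


def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:
        yield start, buf


def audit_httpd_config(text):
    """Return proxy modules loaded by active directives, plus included files to audit next."""
    findings = {"proxy_modules": [], "includes": []}
    for no, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # commented-out directive: the module is not loaded
        m = LOADMODULE_RE.match(line)
        if m and PROXY_ID_RE.match(m.group(1)):
            findings["proxy_modules"].append((no, m.group(1), m.group(2).strip('"')))
        inc = INCLUDE_RE.match(line)
        if inc:
            findings["includes"].append((no, inc.group(1).strip('"')))
    return findings


# Constructed sample configuration, not taken from a real VisualSVN Server install.
SAMPLE = """\
LoadModule dav_module bin/mod_dav.so
#LoadModule proxy_module bin/mod_proxy.so
  loadmodule proxy_module \\
      "bin/mod_proxy.so"
LoadModule proxy_http_module bin/mod_proxy_http.so
Include conf/extra-settings.conf
"""

if __name__ == "__main__":
    print(audit_httpd_config(SAMPLE))
```

An empty `proxy_modules` list for the main configuration file and for every file it includes means no proxy module is loaded through the configuration that was checked. Any entry marks a customized installation that should be updated without delay.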
Update for VisualSVN Server
You can get this latest VisualSVN Server version from the official download page.
VisualSVN Server version families earlier than 5.1.x are not supported, and maintenance updates are not available for them. If you are using any version family earlier than 5.1.x, it is strongly recommended that you upgrade to VisualSVN Server 5.1.4. When upgrading from a version family earlier than 5.1.x, please read the KB204: Upgrading to VisualSVN Server 5.1 article before the upgrade.