Update to OpenSSL 1.1.1g
We are glad to announce the release of VisualSVN Server updates linked with OpenSSL 1.1.1g. OpenSSL 1.1.1g contains a fix for the high-severity vulnerability CVE-2020-1967, which potentially affects up-to-date VisualSVN Server installations. Updating to the newest builds is therefore recommended for all users.
VisualSVN Server 4.2.2 is available on the official download page. For the full list of changes, see the VisualSVN Server 4.2.2 changelog.
Note that CVE-2020-1967 does not affect the VisualSVN Server 4.0.x family. That is because the previous build in this version family is being updated from OpenSSL 1.1.1c, which is not vulnerable to CVE-2020-1967.
The new builds also include an update to Apache HTTP Server 2.4.43, which fixes two CVEs: CVE-2020-1934 and CVE-2020-1927. Up-to-date VisualSVN Server installations are potentially affected by CVE-2020-1927, which is a medium-severity vulnerability.
Upgrading is also recommended for users of earlier VisualSVN Server version families. Please read the VisualSVN Server 4.2 Release Notes to find out what's new in the latest release. For detailed upgrade instructions, see the knowledge base article KB161: Upgrading to VisualSVN Server 4.2.
If you are not ready to proceed with a significant upgrade, choose an appropriate patch build:
- VisualSVN Server 4.1.4 if you have version 4.1.x installed.
- VisualSVN Server 4.0.5 if you have version 4.0.x installed.
Other version families of VisualSVN Server are not supported, and maintenance updates are not available for them. It is strongly recommended to upgrade to VisualSVN Server 4.2.x if you are using any version family older than 4.0.x. Read the KB161: Upgrading to VisualSVN Server 4.2 article before upgrading.