Update to Apache Subversion 1.14.4
We are pleased to announce the release of new patch updates for all VisualSVN products, now based on Apache Subversion 1.14.4. In addition, relevant products have been updated to Apache HTTP Server 2.4.62, OpenSSL 3.0.15 and Expat XML parser 2.6.2. These updates also include several other fixes.
This update fixes multiple high-severity security vulnerabilities, some of which affect both the VisualSVN plug-in and VisualSVN Server. Therefore, updating to the new builds is strongly recommended for all users.
The update to Apache Subversion 1.14.4 fixes a high-severity vulnerability CVE-2024-45720. This vulnerability affects Windows-based Subversion command-line tools (e.g., svn.exe) and can result in remote code execution via command-line argument injection. Command line tools packaged with VisualSVN Server and with versions 5.x of the VisualSVN plug-in are affected by this vulnerability.
The update to Apache HTTP Server 2.4.62 and OpenSSL 3.0.15 cumulatively fixes 15 vulnerabilities. Most notable among them are CVE-2024-40898, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476 and CVE-2024-5535, which have critical CVSS scores. Default VisualSVN Server installations are not affected by any of these vulnerabilities. VisualSVN for Visual Studio is potentially affected by CVE-2024-6119 which has a high severity score and can lead to a denial of service.
The update to Expat XML parser 2.6.2 cumulatively fixes 3 vulnerabilities, two of which, CVE-2023-52426 and CVE-2023-52425, affect up-to-date installations of VisualSVN Server and VisualSVN for Visual Studio and can potentially lead to a denial of service.
Update for VisualSVN Server
You can get the latest VisualSVN Server 5.4.1 version from the official download page.
For the full list of changes, see the VisualSVN Server 5.4.1 changelog.
Alternatively, choose an appropriate patch build if you do not want to perform a significant upgrade right now:
- VisualSVN Server 5.3.4 if you have version 5.3.x installed.
Version families older than VisualSVN Server 5.3.x are no longer supported, and patch-level updates are not available for them. It is strongly recommended that you upgrade to VisualSVN Server 5.4.1 if you are using any version family older than 5.3.x. Please read the article KB233: Upgrading to VisualSVN Server 5.4 before beginning the upgrade.
Update for VisualSVN (a plug-in for Visual Studio)
On the official download page, please select an appropriate VisualSVN plug-in version with respect to your Visual Studio version:
- If you use Visual Studio 2022, update to VisualSVN 8.3.4
- If you use Visual Studio 2019, update to VisualSVN 7.4.4
- If you use Visual Studio 2017, update to VisualSVN 6.8.4
- If you use Visual Studio 2015 or older, update to VisualSVN 5.7.4
For the full list of changes, see the corresponding changelog entries for these plug-in versions: VisualSVN 8.3.4, VisualSVN 7.4.4, VisualSVN 6.8.4 and VisualSVN 5.7.4.