We are glad to announce the availability of patch releases for VisualSVN products based on Apache Subversion 1.8.11. Besides various client side and server side improvements, the Subversion 1.8.11 patch release addresses the CVE-2014-3580 and CVE-2014-8108 security vulnerabilities. Maintenance builds based on Subversion 1.7.19 with similar fixes are available too.
Up-to-date VisualSVN Server installations are potentially affected by both CVE-2014-3580 and CVE-2014-8108 security vulnerabilities that could lead to a DoS attack. In order to exploit these vulnerabilities an attacker must have read access to a repository so the overall risks for VisualSVN users are relatively low (because VisualSVN Server in its default configuration does not support anonymous access to repositories). Nevertheless, we highly recommend upgrading to the new builds.
Update for VisualSVN Server
Users of VisualSVN Server should upgrade to VisualSVN Server 3.2.2.
It is also recommended to upgrade to version 3.2.2 if you are using an earlier release of VisualSVN Server. Please read VisualSVN Server 3.2 Release Notes to find out what's new in the latest release. For detailed upgrade instructions please consider the KB82: Upgrading to VisualSVN Server 3.2 knowledge base article.
Choose the appropriate patch build if you do not want to perform a significant upgrade right now:
- VisualSVN Server 3.0.2 if you have version 3.0.x installed.
- VisualSVN Server 2.7.11 if you have version 2.7.x installed.
- VisualSVN Server 2.5.24 if you have version 2.5.x installed.
Older releases of VisualSVN Server are not supported and maintenance updates are not available for them. It is strongly recommended to upgrade to VisualSVN Server 3.2.2 if you are using a version earlier than 2.5.x. Cumulative upgrade instructions are given in the KB82: Upgrading to VisualSVN Server 3.2 knowledge base article.
Update for VisualSVN
Users of VisualSVN (for Visual Studio) should update to VisualSVN 4.0.11.