We are glad to announce the availability of patch releases for VisualSVN products based on Apache Subversion 1.8.13. Besides various client side and server side improvements, the Subversion 1.8.13 patch release addresses the CVE-2015-0202, CVE-2015-0248 and CVE-2015-0251 security vulnerabilities.
Up-to-date VisualSVN Server installations are potentially affected by the CVE-2015-0202, CVE-2015-0248 and CVE-2015-0251 security vulnerabilities. Both CVE-2015-0202 and CVE-2015-0248 vulnerabilities could lead to a DoS attack. The CVE-2015-0251 vulnerability allows spoofing svn:author property values for new revisions. At least read access is required to exploit the mentioned vulnerabilities, so the overall risks for VisualSVN Server users are relatively low. Nevertheless, we highly recommend upgrading to the new builds.
There is also an update to OpenSSL 1.0.1m that addresses a further set of security vulnerabilities, but none of them affects up-to-date VisualSVN Server installations.
VisualSVN Server maintenance builds based on Subversion 1.7.20 and OpenSSL 0.9.8zf with similar fixes are available too.
Update for VisualSVN Server
Users of VisualSVN Server should upgrade to VisualSVN Server 3.3.1.
It is also recommended to upgrade to version 3.3.1 if you are using an earlier release of VisualSVN Server. Please read the VisualSVN Server 3.3 Release Notes to find out what's new in the latest release. For detailed upgrade instructions, please see the knowledge base article KB85: Upgrading to VisualSVN Server 3.3.
Choose the appropriate patch build if you do not want to perform a significant upgrade right now:
- VisualSVN Server 3.2.3 if you have version 3.2.x installed.
- VisualSVN Server 2.7.12 if you have version 2.7.x installed.
- VisualSVN Server 2.5.25 if you have version 2.5.x installed.
Other version families of VisualSVN Server are not supported and maintenance updates are not available for them. It is strongly recommended to upgrade to VisualSVN Server 3.3.1 if you are using 3.0.x or any older version.
Update for VisualSVN (a plug-in for Visual Studio)
Installations of VisualSVN (for Visual Studio) are not affected by any of the security vulnerabilities mentioned in this announcement. Nevertheless, we recommend upgrading to the latest VisualSVN 4.0.12 build.