We are glad to announce the availability of patch releases for VisualSVN products based on Apache Subversion 1.8.14. Besides various client-side and server-side improvements, the Subversion 1.8.14 patch release addresses the CVE-2015-3184 and CVE-2015-3187 security vulnerabilities.
Up-to-date VisualSVN Server installations are potentially affected only by the CVE-2015-3187 vulnerability. The vulnerability could reveal hidden repository paths, but not their contents. Moreover, at least read access is required to exploit the vulnerability, so the overall risk for VisualSVN Server users is low. Nevertheless, we highly recommend upgrading to the new builds.
There is also an update to OpenSSL 1.0.1p that addresses the CVE-2015-1793 client-side vulnerability, which affects the Apache Subversion command-line client tools packaged with VisualSVN Server ('svn.exe', 'svnsync.exe', 'svnrdump.exe').
In addition to the above updates, there is an update to Apache HTTP Server 2.2.31 with a fix for the CVE-2015-3183 vulnerability; this vulnerability does not affect VisualSVN Server installations.
A VisualSVN Server 2.5.26 maintenance build based on Subversion 1.7.21, with similar fixes, is available too.
Update for VisualSVN Server
Users of VisualSVN Server should upgrade to VisualSVN Server 3.3.2.
It is also recommended to upgrade to version 3.3.2 if you are using an earlier release of VisualSVN Server. Please read the VisualSVN Server 3.3 Release Notes to find out what's new in the latest release. For detailed upgrade instructions, please see the KB85: Upgrading to VisualSVN Server 3.3 knowledge base article.
Choose the appropriate patch build if you do not want to perform a significant upgrade right now:
- VisualSVN Server 3.2.4 if you have version 3.2.x installed.
- VisualSVN Server 2.7.13 if you have version 2.7.x installed.
- VisualSVN Server 2.5.26 if you have version 2.5.x installed.
Other version families of VisualSVN Server are not supported, and maintenance updates are not available for them. It is strongly recommended to upgrade to VisualSVN Server 3.3.2 if you are using 3.0.x or any older version.
Update for VisualSVN (a plug-in for Visual Studio)
Up-to-date VisualSVN 5.0.x builds are not affected by any of the security vulnerabilities mentioned in this announcement. However, VisualSVN 4.0.x or older builds are potentially affected by the CVE-2015-1793 vulnerability in OpenSSL. Therefore, we recommend upgrading to an up-to-date VisualSVN 5.0.x build.
You can download the latest VisualSVN 5.0.2 build based on Apache Subversion 1.8.14 at the official download page.
Please note that you may be required to purchase an upgrade to VisualSVN 5.0.x if you are using VisualSVN 4.0.x or an older version. The upgrade is free if you are using VisualSVN under the Community License. However, Commercial licenses issued before June 3rd, 2014 have to be upgraded. For further details, please check our online upgrade form.