We are glad to announce the availability of patch releases for VisualSVN products based on Apache Subversion 1.9.3. Besides important client-side and server-side improvements, the Subversion 1.9.3 patch release addresses the CVE-2015-5259 and CVE-2015-5343 security vulnerabilities. Up-to-date VisualSVN Server installations are not affected by any of those vulnerabilities. Nevertheless, we highly recommend upgrading to the new builds.
There is also an update to OpenSSL 1.0.1q that addresses CVE-2015-3194 and CVE-2015-3195. These vulnerabilities partially affect the Apache Subversion client tools packaged with VisualSVN Server ('svn.exe', 'svnsync.exe', 'svnrdump.exe'). Exploiting these vulnerabilities requires the client tools to connect to a malicious server.
VisualSVN Server maintenance builds based on Subversion 1.8.13 and OpenSSL 0.9.8zh with similar fixes are available too. Among the supported version families of VisualSVN Server, only VisualSVN Server 2.7.x is affected by CVE-2015-5343. The vulnerability could lead to a DoS and gives an attacker a way to execute arbitrary code. At least write access is required to exploit the mentioned vulnerabilities, so the overall risks for VisualSVN Server 2.7.x users are relatively low. Nevertheless, we highly recommend upgrading to the new maintenance builds.
Update for VisualSVN Server
Users of VisualSVN Server should upgrade to VisualSVN Server 3.4.3.
It is also recommended to upgrade to version 3.4.3 if you are using an earlier release of VisualSVN Server. Please read the VisualSVN Server 3.4 Release Notes to find out what's new in the latest release. For detailed upgrade instructions, please see the KB89: Upgrading to VisualSVN Server 3.4 knowledge base article.
Choose the appropriate patch build if you do not want to perform a significant upgrade right now:
- VisualSVN Server 3.3.3 if you have version 3.3.x installed.
- VisualSVN Server 2.7.14 if you have version 2.7.x installed.
Other version families of VisualSVN Server are not supported and maintenance updates are not available for them. It is strongly recommended to upgrade to VisualSVN Server 3.4.3 if you are using 3.2.x or any older version.
Update for VisualSVN (a plug-in for Visual Studio)
Up-to-date VisualSVN 5.1.x builds are partially affected by the CVE-2015-3194 and CVE-2015-3195 vulnerabilities fixed in OpenSSL 1.0.1q. Exploiting these vulnerabilities requires the client tools to connect to a malicious server. In any case, we recommend upgrading to an up-to-date VisualSVN 5.1.x build.
You can download the latest VisualSVN 5.1.3 build based on Apache Subversion 1.9.3 at the official download page.
Please note that you may be required to purchase an upgrade to VisualSVN 5.1.x if you are using VisualSVN 4.0.x or an older version. The upgrade is free if you are using VisualSVN under the Community License. However, Commercial licenses issued before June 3rd, 2014 have to be upgraded. For further details, please check our online upgrade form.