Several new vulnerabilities have recently been identified and fixed in the Expat XML parser that is bundled with VisualSVN Server. Some of these vulnerabilities affect up-to-date VisualSVN Server installations. Among those is CVE-2016-0718, a vulnerability with a critical level of severity that potentially allows context-dependent attackers to execute arbitrary code via a malformed input document. Exploiting this vulnerability requires the attacker to be authenticated on the target server.
Upgrading to VisualSVN Server 3.5.4 is strongly recommended for all existing VisualSVN Server users. You can get the latest version of VisualSVN Server at the official download page. See the changelog for the complete list of changes in VisualSVN Server 3.5.4.
Choose the appropriate maintenance build if you do not want to perform a significant upgrade right now:
- VisualSVN Server 3.4.6 if you have version 3.4.x installed.
- VisualSVN Server 3.3.6 if you have version 3.3.x installed.
Other version families of VisualSVN Server are not supported, and maintenance updates are not available for them. It is strongly recommended to upgrade to VisualSVN Server 3.5.4 if you are using 3.2.x or any older version. Read the KB95: Upgrading to VisualSVN Server 3.5 article before upgrading.