We are glad to announce the availability of VisualSVN Server 3.5.6 patch release that incorporates the upgrade to OpenSSL 1.0.2j and Apache Serf 1.3.9.
For the complete list of changes, see the VisualSVN Server 3.5.6 changelog
Comparing to the OpenSSL 1.0.2h that was used in the previous VisualSVN Server 3.5.x build, the OpenSSL 1.0.2j provides fixes for eleven CVEs. Up-to-date VisualSVN Server installations are affected by the CVE-2016-6304 security vulnerability that allows remote attackers to cause a denial of service (unbounded memory usage). Exploiting this vulnerability does not require the attacker to be authenticated on the target server, so upgrade to VisualSVN Server 3.5.6 is highly recommended for all users. You can get the latest version of VisualSVN Server on the official download page.
Choose the appropriate maintenance build if you do not want to perform a significant upgrade right now:
- VisualSVN Server 3.4.7 if you have version 3.4.x installed.
- VisualSVN Server 3.3.7 if you have version 3.3.x installed.
Other version families of VisualSVN Server are not supported and maintenance updates are not available for them. It is strongly recommended to upgrade to VisualSVN Server 3.5.4 if you are using a 3.2.x or any of the older versions. Read the KB95: Upgrading to VisualSVN Server 3.5 article before upgrading.