We are glad to announce the availability of the VisualSVN Server 3.6.3 patch release, which incorporates the upgrade to Apache HTTP Server 2.2.34 with fixes for a number of security vulnerabilities.
For the complete list of changes, see the VisualSVN Server 3.6.3 changelog.
Compared to Apache HTTP Server 2.2.32, which was used in the previous VisualSVN Server 3.6.x build, Apache HTTP Server 2.2.34 provides fixes for five CVEs. Up-to-date VisualSVN Server installations are affected by the CVE-2017-7668 and CVE-2017-7679 security vulnerabilities, which potentially allow remote attackers to achieve remote code execution. Exploiting these vulnerabilities does not require the attacker to be authenticated on the target server, so upgrading to VisualSVN Server 3.6.3 is highly recommended for all users.
You can get the latest version of VisualSVN Server on the official download page.
Choose the appropriate maintenance build if you do not want to perform a significant upgrade right now:
- VisualSVN Server 3.5.11 if you have version 3.5.x installed.
Other version families of VisualSVN Server are not supported, and maintenance updates are not available for them. It is strongly recommended to upgrade to VisualSVN Server 3.6.3 if you are using 3.4.x or any older version. Read the KB103: Upgrading to VisualSVN Server 3.6 article before upgrading.