Update to Apache HTTP Server 2.2.29
We are glad to announce the availability of VisualSVN Server patch releases based on Apache HTTP Server 2.2.29. These releases address the following vulnerabilities: CVE-2014-0118, CVE-2014-0231, CVE-2014-0226, CVE-2013-5704.
Up-to-date VisualSVN Server installations are potentially affected by the CVE-2013-5704 security vulnerability, which allows remote attackers to replace HTTP headers using HTTP trailers. Although CVE-2013-5704 is considered a low-risk vulnerability, upgrading to the newer VisualSVN Server builds is recommended for all users. Please choose the patch build that corresponds to your current version.
If you are using VisualSVN Server 2.7, please upgrade to VisualSVN Server 2.7.9, which is available for download on the main download page.
If you are using VisualSVN Server 2.5, please upgrade to VisualSVN Server 2.5.22, which is available for download on the version 2.5 download page.
Compared to the previous version, VisualSVN Server 2.7.9 includes the following changes:
- Updated to Apache HTTP Server 2.2.29 with fixes for the following vulnerabilities: CVE-2014-0118, CVE-2014-0231, CVE-2014-0226, CVE-2013-5704.
- Disabled the SNI (Server Name Indication) extension to work around non-compliant Subversion clients that incorrectly handle SSL handshake alerts.