The POODLE attack: updates for VisualSVN products are available
Four new vulnerabilities have recently been identified in the OpenSSL library. The most critical among them is CVE-2014-3566 which is a vulnerability in the SSL 3.0 cryptographic protocol. The vulnerability is known as the "POODLE" and can be exploited by a Man-in-the-Middle (MITM) attack.
VisualSVN Server installations are theoretically affected by the POODLE attack. However the risk for VisualSVN Server users is quite low, because the known attack scenario requires an attacker to be able to run JavaScript injection and have MITM access to communication between the client and the server. Nevertheless, we strongly recommend that users of our products update to the new builds.
We disabled SSL 3.0 protocol in the new VisualSVN Server and VisualSVN builds in order to mitigate the vulnerability. Please note that very old Subversion clients that do not support TLS 1.0 might be unable to connect to VisualSVN Server after the upgrade.
VisualSVN Server users should choose the appropriate patch build that corresponds to their currently installed version:
- If you are using VisualSVN Server 3.0, please upgrade to VisualSVN Server 3.0.1 that is available from the main download page.
- If you are using VisualSVN Server 2.7, please upgrade to VisualSVN Server 2.7.10 that is available from the version 2.7 download page.
- If you are using VisualSVN Server 2.5, please upgrade to VisualSVN Server 2.5.23 that is available from the version 2.5 download page.
Users of VisualSVN for Visual Studio should update to VisualSVN 4.0.10 that is available on its main download page.