http://bugzilla.opensuse.org/show_bug.cgi?id=1042644 Bug ID: 1042644 Summary: git: un-bundle sha1 collision detection code Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Development Assignee: tiwai@suse.com Reporter: astieger@suse.com QA Contact: qa-bugs@suse.de Found By: Security Response Team Blocker: --- +++ This bug was initially created as a clone of Bug #1042640 +++ git from 2.13.0 started using a hardened SHA1 implementation with can detect one side of a SHA1 collision generated using cryptanalytic attacks. The implementation was taken from https://github.com/cr-marcstevens/sha1collisiondetection It is currently bundled in the upstream git tree: https://github.com/git/git/commits/master/sha1dc https://github.com/git/git/commit/2281b8a36288a13ba17eb908ee7be366843c84f5 https://github.com/git/git/commit/e6b07da2780f349c29809bd75d3eca6ad3c35d19 https://github.com/git/git/commit/8325e43b82dd0bd00c37abed45861bb8c155b022 It is also the default SHA1 implementation, so git 2.13.0 no longer links against openSSL for SHA1. We have this code in a separate library package in Tumbleweed and from openSUSE Leap 42.3. Should be unbundled in git to use the system library: sha1collisiondetection libsha1detectcoll1 libsha1detectcoll-devel -- You are receiving this mail because: You are on the CC list for the bug.