| Bug ID | 1042644 |
|---|---|
| Summary | git: un-bundle sha1 collision detection code |
| Classification | openSUSE |
| Product | openSUSE Tumbleweed |
| Version | Current |
| Hardware | Other |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Development |
| Assignee | tiwai@suse.com |
| Reporter | astieger@suse.com |
| QA Contact | qa-bugs@suse.de |
| Found By | Security Response Team |
| Blocker | --- |
+++ This bug was initially created as a clone of Bug #1042640 +++ git from 2.13.0 started using a hardened SHA1 implementation with can detect one side of a SHA1 collision generated using cryptanalytic attacks. The implementation was taken from https://github.com/cr-marcstevens/sha1collisiondetection It is currently bundled in the upstream git tree: https://github.com/git/git/commits/master/sha1dc https://github.com/git/git/commit/2281b8a36288a13ba17eb908ee7be366843c84f5 https://github.com/git/git/commit/e6b07da2780f349c29809bd75d3eca6ad3c35d19 https://github.com/git/git/commit/8325e43b82dd0bd00c37abed45861bb8c155b022 It is also the default SHA1 implementation, so git 2.13.0 no longer links against openSSL for SHA1. We have this code in a separate library package in Tumbleweed and from openSUSE Leap 42.3. Should be unbundled in git to use the system library: sha1collisiondetection libsha1detectcoll1 libsha1detectcoll-devel