#864001 git-annex: Possible SHA-1 vulnerability: fixed in newer releases

Package: git-annex
Source: git-annex
Description: manage files with git, without checking their contents into git
Submitter: Philipp Kaluza
Date: 2024-02-19 03:33:02 UTC
Severity: minor
#864001#5
Date: 2017-06-02 23:42:59 UTC
From:
To:
Hi Richi, hi All,

on 2017-02-25, Joey found two corner cases in git-annex where the
newly demonstrated SHA-1 collision weakness (as used in git) could
also impact git-annex, *even when used with signed commits*.

https://git-annex.branchable.com/devblog/day_450__hardening_against_SHA_attacks/

Of course he promptly fixed it. I am keenly aware that it's quite late
in the game, but could you manage to roll a deb of 6.20170301 or newer
for the stretch release?

Stretch is going to be around for a while and the SHA-1 attacks will only
increase in potency during its lifetime. I'll help convince the release
team. ;-)

Cheers,
Philipp

#864001#10
Date: 2024-02-19 03:19:41 UTC
From:
To:
Control: fixed -1 7.20190129-3

Seems to me this should be closed; the fixed version has shipped in
Debian eons ago.