Bug#864001: git-annex: Possible SHA-1 vulnerability: fixed in newer releases

2024-02-18 Thread Antoine Beaupre
Source: git-annex
Followup-For: Bug #864001

Control: fixed -1 7.20190129-3

Seems to me this should be closed; the fixed version has shipped in
Debian eons ago.


-- System Information:
Debian Release: 12.5
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable'), 
(1, 'experimental'), (1, 'unstable'), (1, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-0.deb12.4-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- no debconf information



Bug#864001: git-annex: Possible SHA-1 vulnerability: fixed in newer releases

2017-06-02 Thread Philipp Kaluza
Package: git-annex
Version: 6.20170101-1+b1
Severity: minor

Hi Richi, hi All,

on 2017-02-25, Joey found two corner cases in git-annex where the
newly demonstrated SHA-1 collision weakness (as used in git) could
also impact git-annex, *even when used with signed commits*.

https://git-annex.branchable.com/devblog/day_450__hardening_against_SHA_attacks/

Of course he promptly fixed it. I am keenly aware that it's quite late
in the game, but could you manage to roll a deb of 6.20170301 or newer
for the stretch release?

Stretch is going to be around for a while and the SHA-1 attacks will only
increase in potency during its lifetime. I'll help convince the release
team. ;-)

Cheers,
Philipp