Author: stefan2
Date: Tue May 16 18:55:14 2017
New Revision: 1795354
URL: http://svn.apache.org/viewvc?rev=1795354&view=rev
Log:
Add to website FAQ around SHA-1 vulnerability.
Patch by: Jacek Materna <jacek{_AT_}assembla.com> (with tweaks by me)
* publish/faq.html
(General questions): Add Q about SHA-1 and refer to the answer section.
(shatterd-sha1): New section.
Modified:
subversion/site/publish/faq.html
Modified: subversion/site/publish/faq.html
URL:
http://svn.apache.org/viewvc/subversion/site/publish/faq.html?rev=1795354&r1=1795353&r2=1795354&view=diff
==============================================================================
--- subversion/site/publish/faq.html (original)
+++ subversion/site/publish/faq.html Tue May 16 18:55:14 2017
@@ -61,6 +61,8 @@ For older questions, see <a href="#depre
list?</a></li>
<li><a href="#dst-2007">How is Subversion affected by changes
in Daylight Savings Time (DST)?</a></li>
+<li><a href="#shatterd-sha1">How do I protect my repository from the SHA-1
+ Shattered vulnerability?</a></li>
</ul>
<h4>How-to:</h4>
@@ -743,6 +745,48 @@ for DST.</p>
</div>
+<div class="h3" id="shatterd-sha1">
+<h3>How do I protect my repository from the SHA-1 Shattered vulnerability?
+ <a class="sectionlink" href="#shatterd-sha1"
+ title="Link to this section">¶</a>
+</h3>
+
+<p>Subversion's use of SHA-1 in how it processes content is subject to hashing
+collisions as identified by <a href="https://shattered.io/";>Google</a>. One of
+Subversions's key assumptions in processing content is that SHA-1 is unique
for
+all objects.</p>
+Subversion has two main areas of vulnerability.
+<br/>
+<ul>
+<li>The FS backend (repository) uses SHA-1.</li>
+<li>The Working Copy/RA layers use SHA-1.</li>
+</ul>
+<p>
+The FS layer uses SHA-1 when identifying objects to store in the repository.
+To prevent different content with idential SHA-1 from being stored, upgrade
+to 1.9.6 (which, by default, prevents storing data with such collisions) or
+install the pre-commit hook found <a
href="https://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/reject-known-sha1-collisions.sh";>
+here</a>. As an aside, we welcome Windows developers to submit a pre-commit
+script for the Windows platform. More information on submission can be found
<a
href="https://subversion.apache.org/docs/community-guide/general.html#patches";>
+here</a>.
+</p>
+<p>
+The working copy/RA layer uses SHA-1 for de-duplication of content stored in
+the working copy, and for performance reasons clients using the HTTP protocol
+will avoid fetching content with a SHA-1 checksum which has been fetched
+previously. There is no known workaround for this vector except to prevent
+storage of the colliding objects in the first place, via upgrade to 1.9.6 or
+installation of the aforementioned pre-commit script.
+</p>
+<p>
+Storing content with SHA1 collisions it not a supported use case. If you have
+repositories with colliding SHA-1 content, we suggest you transform it via
+gzip before committing it to avoid the collision altogether. Moreover an
+upgrade to 1.9.6 to prevent future insertion of duplicates is highly
+recommended.</p>
+
+</div>
+
</div>
<div class="h2" id="how-to">
