From e15c234c87b84d0cab29f62a40c8c3efc401aae8 Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Wed, 17 May 2017 19:14:52 -0400 Subject: [PATCH] Use default, collision-detecting SHA1 implementation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Upstream changed the default SHA1 implementation in 2.13.0 to one which detects collisions¹. It may be slightly slower than BLK_SHA1 in some cases, but the added safety it provides in the face of the SHAttered² attack should be worth the cost. We overrode the default SHA1 implementation in b796934 (Update to git-1.6.5.rc2 - Enable Linus' block-sha1 implementation.) The main reason was to avoid linking against openssl's libcrypto for most binaries, which saved a measurable amount of space. Using the new DC_SHA1 default provides the same benefit. ¹ https://github.com/git/git/commit/e6b07da278 ² https://shattered.io/ --- git.spec | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/git.spec b/git.spec index ddba10f..82b81fa 100644 --- a/git.spec +++ b/git.spec @@ -70,7 +70,7 @@ Name: git Version: 2.13.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Fast Version Control System License: GPLv2 Group: Development/Tools @@ -420,7 +420,6 @@ cat << \EOF > config.mak V = 1 CFLAGS = %{optflags} LDFLAGS = %{__global_ldflags} -BLK_SHA1 = 1 NEEDS_CRYPTO_WITH_SSL = 1 USE_LIBPCRE = 1 ETC_GITCONFIG = %{_sysconfdir}/gitconfig @@ -784,6 +783,9 @@ rm -rf %{buildroot} # No files for you! %changelog +* Wed May 17 2017 Todd Zullinger - 2.13.0-2 +- Use default, collision-detecting SHA1 implementation + * Tue May 09 2017 Todd Zullinger - 2.13.0-1 - Update to 2.13.0 (resolves CVE-2017-8386)
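Review bot: In the config.mak hunk (@@ -420,7 +420,6 @@), removing `BLK_SHA1 = 1` leaves the SHA1 selection entirely implicit, so nothing in the spec records that the build now depends on upstream's default being the collision-detecting implementation. Consider stating the choice explicitly with `DC_SHA1 = 1` in the heredoc, or at least adding a spec comment above it that names the intended implementation, so a later change to the upstream default does not silently change what this package ships. Since the commit message gives avoiding libcrypto in most binaries as the reason for the original override, and `NEEDS_CRYPTO_WITH_SSL = 1` stays in place, a build-time check that the main binaries still do not link libcrypto would keep that property from regressing unnoticed.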
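Review bot: The %changelog entry in the last hunk (@@ -784,6 +783,9 @@) repeats the subject line but does not say what changed in the build or why, which is the part a packager or auditor reading the rpm changelog needs. Suggest extending it to name the dropped setting and the motivation, for example "- Use default, collision-detecting SHA1 implementation (drop BLK_SHA1; SHAttered hardening)", so the safety rationale from the commit message is visible in the installed package metadata as well.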