Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Apache Subversion System Affected by SHA-1 Collision

The successful SHA-1 collision attack announced last week by Google and CWI appears to have a serious impact on repositories that use the Apache Subversion (SVN) software versioning and revision control system.

The successful SHA-1 collision attack announced last week by Google and CWI appears to have a serious impact on repositories that use the Apache Subversion (SVN) software versioning and revision control system.

Developers of the WebKit web browser engine noticed severe problems after attempting to add a test for the SHA-1 collision to their project. Uploading the example collision PDF files provided by Google caused their SVN repository to become corrupted and prevent further commits.

Google has posted an update to the SHAttered website to warn SVN users of the risks, and Apache Subversion developers have created a tool designed to prevent PDF files such as the ones provided by Google from being committed.

The search giant has so far only published two PDF documents that prove SHA-1 collisions are possible (i.e. the files have the same SHA-1 hash, but different content). However, after 90 days, the company will release the code that allows anyone to create such PDFs.

Finding SHA-1 collisions still requires significant resources – it would cost an attacker at least $110,000 worth of computing power via Amazon’s cloud services – but it’s still 100,000 times faster compared to a brute-force attack.

The SHAttered attack also impacts the Git distributed version control system, which relies on SHA-1 for identifying and checking the integrity of file objects and commits.

However, “the sky isn’t falling,” according to Linux kernel creator Linus Torvalds. Torvalds pointed out that there is a big difference between using SHA-1 for security and using it for generating identifiers for systems such as Git.

Nevertheless, steps have already been taken to mitigate these types of attacks, and Torvalds says Git will eventually transition to a more secure cryptographic hash function.

“There’s a plan, it doesn’t look all that nasty, and you don’t even have to convert your repository,” Torvalds said in a post on Google+. “There’s a lot of details to this, and it will take time, but because of the issues above, it’s not like this is a critical ‘it has to happen now thing’.”

In addition to version control systems, collision attacks pose a serious threat to digital certificates, email signatures, software updates, vendor signatures, backup systems and ISO checksums. Major vendors have already started moving away from SHA-1, including Google, Facebook, Microsoft and Mozilla.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.