--- faq.html 2017-03-16 17:18:18.000000000 +0100 +++ faq.new.html 2017-05-16 14:47:08.000000000 +0200 @@ -61,6 +61,8 @@ list?
  • How is Subversion affected by changes in Daylight Savings Time (DST)?
  • +
  • How do I protect my repository from the SHA-1 + Shattered vulnerability?
  • How-to:

    @@ -743,6 +745,47 @@ +
    +

    How do I protect my repository from the SHA-1 Shattered vulnerability? + +

    + +

    Subversion's use of SHA-1 in how it processes content is subject to hashing +collisions as identified by Google). One of +Subversions's key assumptions in processing content is that SHA-1 is unique for +all objects.

    +Subversion has two main areas of vulnerability. +
    + +

    +The FS layer uses SHA-1 when identifying objects to store in the repository. To +prevent non duplicate content from being stored that has identical SHA-1, +upgrade to 1.9.6 (where would prevent storage of duplicates) or install the +pre-commit hook found +here. As an aside, we welcome Windows developers to submit a pre-commit +script for the Windows platform. More information on submission can be found +here. +

    +

    +The working copy/RA layer uses SHA-1 for de-duplication of content stored in +the working copy, and for performance reasons clients using the HTTP protocol +will avoid fetching content with a SHA-1 checksum which has been fetched +previously. There is no known workaround for this vector except to prevent +storage of the colliding objects in the first place, via upgrade to 1.9.6 or +installation of the aforementioned pre-commit script. +

    +

    +Storing content with SHA1 collisions it not a supported use case. If you have +repositories with colliding SHA-1 content we suggest you transform it via gzip +before storage to avoid the collision altogether. Moreover an upgrade to 1.9.6 +to prevent future insertion duplicates is highly recommended.

    + +
    +
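Review bot: the explanation of what 1.9.6 actually does is unclear in the FS-layer paragraph: "upgrade to 1.9.6 (where would prevent storage of duplicates)" is both ungrammatical and ambiguous, since the paragraph is about byte-different content that shares a SHA-1, not about duplicates. Suggest stating the mitigation precisely, e.g. "upgrade to 1.9.6, which rejects a commit that adds content whose SHA-1 matches already stored but byte-different content", and using the same wording in the closing paragraph ("prevent future insertion duplicates"). Readers would also benefit from an explicit statement that both the 1.9.6 check and the pre-commit hook act only on new commits at the server, so content that already collides in a repository must be dealt with separately (the gzip advice), and that gzip helps because the compressed byte streams no longer share the colliding SHA-1 of the originals. Smaller points in the same hunk: "hashing collisions as identified by Google)" has a closing parenthesis with no opening one; "Subversions's" should be "Subversion's"; "Storing content with SHA1 collisions it not a supported use case" should read "is not", and "SHA1" should be "SHA-1" as elsewhere; the two "found here" links should carry descriptive link text (the hook script name and the contribution page) rather than "here".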