64,65d63
< <li><a href="#shatterd-sha1">How do I protect my repository from the SHA-1
<     Shattered vulnerability?</a></li>
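Review bot: the table-of-contents link removed here targets `#shatterd-sha1`, an id that is misspelled ("shatterd") and that goes away with the section in the following hunk, so existing deep links to that anchor will stop resolving. If the entry is being pulled for rework, settle the corrected id before it is re-added and keep the TOC href and the section id identical; if the removal is permanent, a short stub entry pointing to wherever the SHA-1 collision guidance now lives would keep those links useful.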
748,772d745
< <div class="h3" id="shatterd-sha1">
< <h3>How do I protect my repository from the SHA-1 Shattered vulnerability?
<   <a class="sectionlink" href="#shatterd-sha1"
<     title="Link to this section">&para;</a>
< </h3>
< 
< <p>Subversion's use of SHA-1 in how it processes content is subject to hashing collisions as identified by <a href="https://shattered.io/">Google</a>). One of it's key assumptions in processing content is that SHA-1 is unique for all objects.</p>
< Subversion has two main areas of vulnerability.
< <br/>
< <ul>
< <li>The FS layer (repository) uses SHA-1.</li>
< <li>The Working Copy/RA layers use SHA-1.</li>
< </ul>
< <p>
< The FS layer uses SHA-1 when identifying objects to store in the repository. To prevent non duplicate content from being stored that has identical SHA-1, upgrade to 1.9.6 (where would prevent storage of duplicates) or install the pre-commit hook found <a href="https://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/reject-known-sha1-collisions.sh">here<a>. As an aside, we welcome Windows developers to submit a pre-commit script for the Windows platform to the <a href="mailto:dev@subversion.apache.org">Developer List<a>.
< </p>
< <p>
< The working copy/RA layer uses SHA-1 for de-duplication of content stored in the working copy, and for performance reasons
< clients using the HTTP protocol will avoid fetching content with a SHA-1 checksum which has been fetched previously. There is no known workaround for this vector except to prevent storage of the colliding objects in the first place, via upgrade to 1.9.6 or installation of the aforementioned pre-commit script.
< </p>
< <p>
< Storing content with SHA1 collisions it not a supported use case. If you have repositories with colliding SHA-1 content we suggest you remove the content from you repository and upgrade to 1.9.6 to prevent future insertion.</p>
< 
< </div>
< 
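Review bot: with this section deleted, nothing in the visible diff still points administrators at the `reject-known-sha1-collisions.sh` pre-commit hook or at the 1.9.6 upgrade as the way to keep colliding content out of the repository, and the working copy/RA paragraph says there is no other workaround for that vector. Please confirm the guidance is published elsewhere before this lands. If the text is being removed so it can be rewritten, the new version should fix the markup and wording visible here: both the hook-script link and the Developer List link are closed with `<a>` instead of `</a>`, there is a stray ")" after the Google link, the "Subversion has two main areas of vulnerability." sentence and the `<br/>` sit outside any `<p>`, and the prose has "One of it's", "where would prevent storage of duplicates", "it not a supported use case" and "from you repository". The heading also writes "SHA1" and "SHA-1" inconsistently within the same section.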
