I haven't put on my curmudgeon's hat in way too long. This isn't going to be a very long post, and if you don't know what a hash function is and what it's used for, all you need to do is make sure you're keeping up with security upgrades. Modern web browsers are already safe, and have been for the last three years or so; if you're still using a browser older than that, you should upgrade it. Some other programs in common use are not safe yet, so watch for security upgrades in the coming months.
If you're still with me, I just wanted to point the people who worry about such things at the latest vulnerability-with-a-catchy-name: SHA-1 is a Shambles. Tl;dr: the cost to construct a pair of different messages with the same SHA-1 hash has dropped to well under $100K worth of rented GPU time. Attacks still aren't exactly practical -- they used 900 GPUs for a couple of months -- but it's only a matter of time.
Section 7 of the paper
[PDF] goes into detail on current usage of SHA-1 and what is being
done about it. SHA-1 has been deprecated since 2011, and is no longer
allowed in digital signatures. There are, however, still some older
programs and protocols where it's an option, and X.509 certificates are
still being issued with SHA-1 signatures (although modern browsers will
reject them). They're being fixed, but you should make sure
ssh, and web browsers are up to date, and
if you're a developer, please stop using or accepting keys or certificates
with SHA-1 signatures.
Git uses SHA-1 hashes to identify objects, and indirectly to sign commits. The developers are working on using longer hashes, and it now includes collision-detection; I'll be particularly interested in that work going forward.