As someone who runs a non-WMF MediaWiki installation and might set up at least one more, it's something that I want to know about. :) More info at https://phabricator.wikimedia.org/T158986, although if I understand the conversation on the Phabricator task correctly, the consensus is that migration off of SHA-1 for MediaWiki software is important but doesn't need to happen overnight because the attack is difficult to execute; however, possible attacks on other software that still runs SHA-1 should be considered. Is that correct, Brian?
Pine On Fri, Feb 24, 2017 at 1:01 PM, Brian Wolff <bawo...@gmail.com> wrote: > Before anyone panics, this is not something that people who run mediawiki > wikis have to worry about. > > -- > Brian > > On Friday, February 24, 2017, Pine W <wiki.p...@gmail.com> wrote: > > Forwarding info that may be of interest. > > > > Pine > > > > > > ---------- Forwarded message ---------- > > From: Brion Vibber <bvib...@wikimedia.org> > > Date: Fri, Feb 24, 2017 at 9:56 AM > > Subject: [Wikitech-l] SHA-1 hash officially broken > > To: Wikimedia-tech list <wikitec...@lists.wikimedia.org> > > > > > > Google security have announced that they have a working collision attack > > against the SHA-1 hash: > > > > > https://security.googleblog.com/2017/02/announcing-first- > sha1-collision.html > > > > It's highly recommended to move to sha-256 where doable. > > > > Note that MediaWiki uses sha-1 in a number of places; in some such as > > revision hashes it's advisory for tools only, but in other places like > > deleted files (filearchive table) we use it for addressing, and should > > consider steps to mitigate attacks swapping in alternate files during > > deletion/undeletion. > > > > -- brion > > _______________________________________________ > > Wikitech-l mailing list > > wikitec...@lists.wikimedia.org > > https://lists.wikimedia.org/mailman/listinfo/wikitech-l > > _______________________________________________ > > MediaWiki-l mailing list > > To unsubscribe, go to: > > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l > > > _______________________________________________ > MediaWiki-l mailing list > To unsubscribe, go to: > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l > _______________________________________________ MediaWiki-l mailing list To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
