https://bugzilla.wikimedia.org/show_bug.cgi?id=35894
--- Comment #26 from Daniel Friesen <mediawiki-b...@nadir-seen-fire.com> ---
(In reply to comment #20)
> I managed to pass this bug by stop the call to mcrypt_create_iv in
> CryptRand.php
> Changae the following line , line no:306
> if ( function_exists( 'mcrypt_create_iv' )) {
> To
> if ( function_exists( 'mcrypt_create_iv' ) && 1==2 ) {
>
> Try to run install proces, It will complate, And you may have to change some
> settings manually
+1 This is a reasonable workaround till this bug is finished. MW will safely
fall back to our clock drift based cryptographic random number generator which
is still relatively ok.
I'm just mentioning it because it looks like in duplicate bug reports people
are picking really bad ways of working around this bug. MCRYPT_DEV_URANDOM
should NEVER EVER EVER be changed to MCRYPT_RAND.
Doing that bypasses every cryptographic fallback we have available (including
our clock drift code which is still more secure than MCRYPT_RAND) replacing
MWCryptRand with an insecure PRNG and directly opening you up to every attack
MWCryptRand was created to protect your wiki from.
Quite frankly MCRYPT_RAND should have NEVER been included in PHP. If you look
up the PHP source code you'll find that MCRYPT_RAND is a plain wrapper right
around PHP's rand().
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
