Incident i20150115.1

History Log

1. Incident Response Team

Internal Auditor

2. Incident Description

During tests with the patch for bug 1345 it was discovered that the CAcert Community Agreement (CCA) version present on the live system was the policy version from 2009 instead of the draft version of 2014.

Further investigations by the Software Team showed that the mistake happened as part of deployment of bug 1131. When bringing the patch for bug 1131 up-to-date (by merging the release branch to include all latest changes of the live system) multiple (4) merge conflicts arose. While 3 of them could be resolved correctly the fourth change (the update of the CCA which should have been moved from .php to .html) was accidentally missed and overwritten by the version present when bug bug 1131 had been branched from the release around 2011.

3. Containment Actions

Due to the time, the incident was reported (Jan 14 21:22 UTC), the internal auditor handling the incident ordered:

Everyone, who registered at CAcert, did an assurance or issued a certificate since the change gone active accepted the wrong CCA. To keep this amount of people small, I hereby order a workaround to fix the situation immediately without following the formal processes.

That means:
1) create a proper diff using CCA version p20141008
Done. Both included the raw document as well as a patch; asked Crit to
use the raw file in case of problems with the diff.
2) let Crit replace the current displayed CCA version p20080109 with the
latest version p20141008.
3) confirm the change after deployment
4) notify me and board about the change done.

The containment action was finished on 15.01.2015 10:48 UTC.

One Software Team member, one Critical Team member, Board and PolO have been informed about the order.

4. Root Causes

The root cause is described in the initial incident description, a merge of a patch has overwritten the current CCA version with an older version during the deployment of a patch to the live system.

5. Permanent Corrective Actions

The containment actions are permanent in this case. There is no further need for permanent corrective actions.

6. Verify Corrective Actions


7. Preventive Actions

The Policy Group respectively the Policy Officer should be enabled to publish the "moved" policies to CAcert's website without using the software publishing process. The process used should be documented.

8. Approval & Closure


by Arbitration a20150114.2

Date closed


Audit/Incidents/i20150115.1 (last edited 2015-02-21 16:43:56 by BenediktHeintel)