- Incident Number: i20150115.1
- Status: closed
- Incident Manager: Benedikt Heintel
- Date of incident opened: 2015-01-15
- Date of incident closed: 2015-01-25
- Incident title: Wrong Version of CCA deployed from 08.01.2015 14:29 UTC - 15.01.2015 10:48 UTC
- 2015-01-15: Incident i20150115.1 created
- 2015-01-18: Incident updated and asked board for authorization of containment and preventive actions
- 2015-02-11: Documented closure
1. Incident Response Team
2. Incident Description
During tests with the patch for bug 1345 it was discovered that the CAcert Community Agreement (CCA) version present on the live system was the policy version from 2009 instead of the draft version of 2014.
Further investigation by the Software Team showed that the mistake happened as part of the deployment of bug 1131. When bringing the patch for bug 1131 up to date (by merging the release branch to include all latest changes of the live system), multiple (4) merge conflicts arose. While 3 of them could be resolved correctly, the fourth change (the update of the CCA, which should have been moved from .php to .html) was accidentally missed and overwritten by the version present when bug 1131 had been branched from the release around 2011.
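The failure above (a file that was moved and updated in one branch silently reverting to the old content at merge time) is the kind of regression a pre-deployment check and a post-deployment check can both catch. The following Python is an added example and not code from the incident report or from CAcert's software; it assumes hypothetical paths `policy/cca.php` and `policy/cca.html` for the moved document, uses constructed HTML around the version identifiers p20080109 and p20141008 named in the report, and assumes the deployed page carries its policy version as a tag of the form `pYYYYMMDD`.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample documents standing in for the deployed CCA page.
# The version tags are the ones named in the incident report; the surrounding
# HTML is invented for this example.
STALE_CCA_HTML = """<html><body>
<h1>CAcert Community Agreement</h1>
<p>Version: p20080109</p>
</body></html>"""

CURRENT_CCA_HTML = """<html><body>
<h1>CAcert Community Agreement</h1>
<p>Version: p20141008</p>
</body></html>"""

# Assumed policy version tag format: the letter p followed by YYYYMMDD.
VERSION_RE = re.compile(r"\bp(\d{8})\b")


def extract_policy_version(document: str) -> Optional[str]:
    """Return the policy version tag (e.g. 'p20141008') found in the document,
    or None if the document carries no recognisable tag."""
    m = VERSION_RE.search(document)
    return "p" + m.group(1) if m else None


def verify_deployed_version(document: str, expected: str) -> bool:
    """Post-deployment check (step 3 of the containment order): does the
    document actually served carry the expected policy version?"""
    return extract_policy_version(document) == expected


def merge_sanity_check(tree: Dict[str, str], moved_from: str,
                       moved_to: str, expected_version: str) -> List[str]:
    """Pre-deployment check for a file that was moved and updated in a branch.

    `tree` maps file paths in the merged tree to their contents. Returns a list
    of human-readable problems; an empty list means the move and the content
    update both survived the merge."""
    problems: List[str] = []
    if moved_to not in tree:
        problems.append(f"expected new path missing after merge: {moved_to}")
    elif not verify_deployed_version(tree[moved_to], expected_version):
        found = extract_policy_version(tree[moved_to])
        problems.append(
            f"{moved_to} carries version {found}, expected {expected_version}")
    if moved_from in tree:
        problems.append(f"old path still present after merge: {moved_from}")
    return problems


def report(problems: Iterable[str]) -> str:
    """Render the check result as a one-line summary for a deployment log."""
    problems = list(problems)
    return "OK" if not problems else "FAIL: " + "; ".join(problems)


if __name__ == "__main__":
    # Hypothetical paths for the moved document (not CAcert's real paths).
    old_path, new_path = "policy/cca.php", "policy/cca.html"
    # A merged tree in which the rename was lost and the 2008 text survived.
    bad_tree = {old_path: STALE_CCA_HTML}
    # A merged tree in which the move and the 2014 update were both kept.
    good_tree = {new_path: CURRENT_CCA_HTML}
    print("bad merge :", report(merge_sanity_check(bad_tree, old_path, new_path, "p20141008")))
    print("good merge:", report(merge_sanity_check(good_tree, old_path, new_path, "p20141008")))
    print("live page :", "OK" if verify_deployed_version(CURRENT_CCA_HTML, "p20141008") else "FAIL")
```

Run the pre-deployment check against the merged working tree before it is pushed to the live system, and the post-deployment check against the page as actually served; the second check is what would have shortened the window described in the incident title, since the stale version was only noticed a week later during unrelated testing.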
3. Containment Actions
Due to the time the incident was reported (Jan 14 21:22 UTC), the internal auditor handling the incident ordered:
Everyone who registered at CAcert, did an assurance or issued a certificate since the change went active accepted the wrong CCA. To keep this number of people small, I hereby order a workaround to fix the situation immediately without following the formal processes. That means:
1) create a proper diff using CCA version p20141008. Done. Both the raw document as well as a patch were included; asked Crit to use the raw file in case of problems with the diff.
2) let Crit replace the currently displayed CCA version p20080109 with the latest version p20141008.
3) confirm the change after deployment.
4) notify me and board about the change done.
The containment action was finished on 15.01.2015 10:48 UTC.
One Software Team member, one Critical Team member, Board and PolO have been informed about the order.
4. Root Causes
The root cause is described in the initial incident description: during the deployment of a patch to the live system, the merge of that patch overwrote the current CCA version with an older version.
5. Permanent Corrective Actions
The containment actions are permanent in this case. There is no further need for permanent corrective actions.
6. Verify Corrective Actions
7. Preventive Actions
The Policy Group, or respectively the Policy Officer, should be enabled to publish the "moved" policies to CAcert's website without going through the software publishing process. The process used should be documented.
8. Approval & Closure
by Arbitration a20150114.2