LinuxQuestions.org
02-12-2016, 07:37 AM   #1
Michael Uplawski
Member
 
Registered: Dec 2015
Location: Normandy, France
Distribution: Debian buster/sid
Posts: 691
Blog Entries: 22

Rep: Reputation: 422
mcrypt: what is the problem?


Hello again.

In my previous posting concerning mcrypt I have not been specific enough. Second attempt, then.

I read in the documentation of the Debian installation package that mcrypt was dysfunctional and the original developers had abandoned the project. “Strong read” but not very informative.

Can you enlighten me or refer me to a web-page that conveys some more insight? After a few attempts to find some, I give up. If you know the details, is the library affected or only the mcrypt executable? And of course... affected by what?

TIA.

The other thread has been moved to “General”. It is here: YAD (ex zenity) front-end for mcrypt and mdecrypt

Last edited by Michael Uplawski; 02-12-2016 at 02:21 PM. Reason: case and orthography
 
02-13-2016, 08:20 AM   #2
titopoquito
Senior Member
 
Registered: Jul 2004
Location: Lower Rhine region, Germany
Distribution: Slackware64 14.2 and current, SlackwareARM current
Posts: 1,603

Rep: Reputation: 128
I just did a short Google search and am stunned that you didn't find anything.

I suggest reading the Wikipedia entry and taking a look at the CVS code base and, for example, the linked diff, where the only active developer removed the reference to his maintainership:

https://en.m.wikipedia.org/wiki/Mcrypt
http://mcrypt.cvs.sourceforge.net/vi...?r1=1.2&r2=1.3

I cannot say anything about how secure it is, but looking at the release history the term "abandonware" seems reasonable to me.
 
02-13-2016, 09:29 AM   #3
Michael Uplawski
Member
 
Registered: Dec 2015
Location: Normandy, France
Distribution: Debian buster/sid
Posts: 691
Blog Entries: 22

Original Poster
Rep: Reputation: 422
Quote:
Originally Posted by titopoquito
I just did a short Google search and am stunned that you didn't find anything.
I do not use Google, but Swisscows, Ixquick and a bunch of other search engines do provide the same results, I guess...

Quote:
I suggest reading the Wikipedia entry and taking a look at the CVS code base and, for example, the linked diff, where the only active developer removed the reference to his maintainership:

https://en.m.wikipedia.org/wiki/Mcrypt
Quote:
The last update to libmcrypt was in 2007,[1] despite years of unmerged patches.[2] These facts have led security experts to declare mcrypt abandonware and discourage its use in new development.
Curiously, they name 1 fact and call it “these facts”. Apart from that, a security risk is not mentioned.
Quote:
http://mcrypt.cvs.sourceforge.net/vi...?r1=1.2&r2=1.3
I cannot say anything about how secure it is, but looking at the release history the term "abandonware" seems reasonable to me.
Okay, let us assume that that is all the information there is.
I might then continue to use mcrypt and not feel bad about it... surely an acceptable result of my enquiry. ;-)

Last edited by Michael Uplawski; 02-22-2016 at 01:45 AM. Reason: odd wording replaced by less odd wording.
 
02-13-2016, 03:53 PM   #4
titopoquito
Senior Member
 
Registered: Jul 2004
Location: Lower Rhine region, Germany
Distribution: Slackware64 14.2 and current, SlackwareARM current
Posts: 1,603

Rep: Reputation: 128
Quote:
Originally Posted by Michael Uplawski
Curiously, they name 1 fact and tell it “these facts”. Apart from that, a security-risk is not mentioned.

Okay, let us assume, that that is all the information there is.
I might then continue to use mcrypt and not feel bad about it... surely an acceptable result of my enquiry. ;-)
Yes, I think so. Although I would at least look at the merge requests at sourceforge.net (mentioned in the Wikipedia article) to see if there might be something security-related. I have not checked that. Otherwise you should of course feel free to use any program you want, however old or maintained it is, as long as it provides the functionality you want (no irony intended).
 
  

