libmcrypt is a dead project, unmaintained for ~8 years: the last version, 2.5.8, was released in February 2007, and despite a lot of open tickets there has been no activity.

Cryptography is a very important part of security management. Given the issues discovered and fixed in various software in the past, the need to keep raising security standards, and the need to drop old algorithms, how can we imagine using 8-year-old software?

Various well-maintained alternative libraries exist:

And for PHP, various other solutions are also available

An RFC was proposed to drop the mcrypt extension from PHP 7 but, shame on us, it didn't pass (15-18), so it will stay available.

Chicken and egg: the extension is used because it is available, and it is kept available because it is used in a lot of projects.

We really need to spread information about this issue. We have been doing so for a long time in Fedora, and most projects understand the issue and agree to fix it and switch to a more secure implementation. Some examples:

Some other frameworks still provide a wrapper to mcrypt (e.g. Zend\Crypt\Symmetric\MCrypt, issue #3), but this is the chicken-and-egg issue again, as applications using such a framework rely on this feature.

This explains why some enterprise distributions, like RHEL, don't provide libmcrypt or php-mcrypt. We should probably discuss with other Linux distributions (Debian, Fedora...) to stop providing this awful library.

Do you use mcrypt? Do you understand that you MUST switch as soon as possible, or at least report this issue to your software provider?