Infineon firmware security issues

Eyal Edri eedri at redhat.com
Tue Oct 17 10:36:44 UTC 2017


On Tue, Oct 17, 2017 at 1:31 PM, Michael Scherer <mscherer at redhat.com>
wrote:

> On Tuesday, 17 October 2017 at 18:56 +0900, Marc Dequènes (Duck) wrote:
> > Quack,
> >
> > So the news (thanks Misc for the alert):
> >
> > https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
> >
> > This affects Yubikeys and other hardware:
> >   https://www.yubico.com/support/security-advisories/ysa-2017-01/
> >
> > There's a nice tool to test if a key is vulnerable:
> >   https://github.com/crocs-muni/roca
> >
> > I tested keys in the oVirt Puppet repository and none are affected.
> >
> > You may check your other keys and ensure keys are checked in other
> > projects.
>
> Ideally, if someone could verify the key in Gerrit, it would be
> helpful. I removed mine, but I suspect I am not the only one who tried
> to follow best practices :)
>

If you run the tool locally on your .ssh/ dir, it should already include
the public key you have on Gerrit, no?
We'll need to check if it's possible to run that tool on Gerrit and if the
keys are even stored on the fs and not inside the Gerrit DB.


>
>
> Debian, GitHub and Fedora did send alerts to people affected, and I am
> in the process of changing my key in the 50 to 60 places where I used
> it and I assume most affected people will be aware somehow, but
> automated removal from vulnerable systems would surely help.
>
> --
> Michael Scherer
> Sysadmin, Community Infrastructure and Platform, OSAS


-- 

Eyal edri


MANAGER

RHV DevOps

EMEA VIRTUALIZATION R&D


Red Hat EMEA <https://www.redhat.com/>
<https://red.ht/sig> TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
phone: +972-9-7692018
irc: eedri (on #tlv #rhev-dev #rhev-integ)
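
Added example, not part of the original thread and not the crocs-muni/roca tool's code: a simplified sketch of the kind of public-key-only check discussed above, applied to `ssh-rsa` lines exported from wherever the keys are stored (filesystem or database). The prime list, function names and sample values are assumptions of this example; the samples are constructed integers, not real keys, and the real tool should be used for an authoritative result.

```python
import base64
import math
import struct

GENERATOR = 65537
# Small primes picked for this example; the real tool's list may differ.
PRIMES = [11, 13, 17, 19, 37, 53, 61, 71, 73, 79, 97, 103, 107, 109, 127, 151, 157]

def _subgroup(p):
    """All residues 65537^i mod p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GENERATOR % p
    return seen

SUBGROUPS = {p: _subgroup(p) for p in PRIMES}

def has_roca_fingerprint(n):
    """True if n mod p is a power of 65537 for every prime in PRIMES."""
    return all(n % p in SUBGROUPS[p] for p in PRIMES)

def rsa_modulus_from_ssh_line(line):
    """Modulus of an 'ssh-rsa <base64> [comment]' line, else None."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        return None
    blob, parts, off = base64.b64decode(fields[1]), [], 0
    while off + 4 <= len(blob):  # length-prefixed fields: type, e, n
        (length,) = struct.unpack(">I", blob[off:off + 4])
        parts.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if off != len(blob) or len(parts) != 3 or parts[0] != b"ssh-rsa":
        return None
    return int.from_bytes(parts[2], "big")

def ssh_rsa_line(n, e=65537, comment="constructed"):
    """Encode a modulus as a public-key line (used only to build samples)."""
    def field(b): return struct.pack(">I", len(b)) + b
    def mpint(v): return field(v.to_bytes(v.bit_length() // 8 + 1, "big"))
    blob = field(b"ssh-rsa") + mpint(e) + mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

def scan(lines):
    """Indexes of lines whose RSA modulus carries the fingerprint."""
    mods = [(i, rsa_modulus_from_ssh_line(l)) for i, l in enumerate(lines)]
    return [i for i, n in mods if n is not None and has_roca_fingerprint(n)]

# Constructed integers, not real keys: both factors are k*M + 65537^a mod M.
M = math.prod(PRIMES)
FLAGGED = (3 * M + pow(GENERATOR, 5, M)) * (7 * M + pow(GENERATOR, 9, M))
SAMPLE = [ssh_rsa_line(FLAGGED), ssh_rsa_line(FLAGGED + 1), "ssh-ed25519 AAAA constructed"]
print(scan(SAMPLE))
```

Lines that begin with `authorized_keys` options rather than the key type are skipped by this parser and would need the options stripped first.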