<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 17, 2017 at 1:31 PM, Michael Scherer <span dir="ltr">&lt;<a href="mailto:mscherer@redhat.com" target="_blank">mscherer@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tuesday, 17 October 2017 at 18:56 +0900, Marc Dequènes (Duck) wrote:<br>
> Quack,<br>
><br>
> So the news (thanks Misc for the alert):<br>
><br>
> <a href="https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background" rel="noreferrer" target="_blank">https://www.infineon.com/cms/<wbr>en/product/promopages/rsa-<wbr>update/rsa-background</a><br>
><br>
> This affects Yubikeys and other hardware:<br>
> <a href="https://www.yubico.com/support/security-advisories/ysa-2017-01/" rel="noreferrer" target="_blank">https://www.yubico.com/<wbr>support/security-advisories/<wbr>ysa-2017-01/</a><br>
><br>
> There's a nice tool to test if a key is vulnerable:<br>
> <a href="https://github.com/crocs-muni/roca" rel="noreferrer" target="_blank">https://github.com/crocs-muni/<wbr>roca</a><br>
><br>
> I tested keys in the oVirt Puppet repository and none are affected.<br>
><br>
> You may check your other keys and ensure keys are checked in other<br>
> projects.<br>
<br>
</span>Ideally, if someone could verify the key in Gerrit, it would be<br>
helpful. I removed mine, but I suspect I am not the only one who tried<br>
to follow best practices :)<br></blockquote><div><br></div><div>If you run the tool locally on your .ssh/ dir, it should already include the public key you have on Gerrit, no?</div><div>We'll need to check if it's possible to run that tool on Gerrit and if the keys are even stored on the fs and not inside the Gerrit DB.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<br>
Debian, Github and Fedora did send alerts to people affected, and I am<br>
in the process of changing my key in the 50 to 60 places where I used<br>
it and I assume most affected people will be aware somehow, but<br>
automated removal from vulnerable systems would surely help.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Michael Scherer<br>
Sysadmin, Community Infrastructure and Platform, OSAS<br>
<br>
</font></span><br>______________________________<wbr>_________________<br>
Infra mailing list<br>
<a href="mailto:Infra@ovirt.org">Infra@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/infra" rel="noreferrer" target="_blank">http://lists.ovirt.org/<wbr>mailman/listinfo/infra</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><p style="font-family:overpass,sans-serif;margin:0px;padding:0px;font-size:14px;text-transform:uppercase;font-weight:bold"><font color="#cc0000">Eyal edri</font></p><p style="color:rgb(0,0,0);font-family:overpass,sans-serif;font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:uppercase"><br></p><p style="color:rgb(0,0,0);font-family:overpass,sans-serif;font-size:10px;margin:0px 0px 4px;text-transform:uppercase">MANAGER</p><p style="color:rgb(0,0,0);font-family:overpass,sans-serif;font-size:10px;margin:0px 0px 4px;text-transform:uppercase">RHV DevOps</p><p style="color:rgb(0,0,0);font-family:overpass,sans-serif;font-size:10px;margin:0px 0px 4px;text-transform:uppercase">EMEA VIRTUALIZATION R&D</p><p style="color:rgb(0,0,0);font-family:overpass,sans-serif;font-size:10px;margin:0px 0px 4px;text-transform:uppercase"><br></p><p style="font-family:overpass,sans-serif;margin:0px;font-size:10px;color:rgb(153,153,153)"><a href="https://www.redhat.com/" style="color:rgb(0,136,206);margin:0px" target="_blank">Red Hat EMEA</a></p><table border="0" style="color:rgb(0,0,0);font-family:overpass,sans-serif;font-size:medium"><tbody><tr><td width="100px"><a href="https://red.ht/sig" style="color:rgb(17,85,204)" target="_blank"><img src="https://www.redhat.com/profiles/rh/themes/redhatdotcom/img/logo-red-hat-black.png" width="90" height="auto"></a></td><td style="font-size:10px"><a href="https://redhat.com/trusted" style="color:rgb(204,0,0);font-weight:bold" target="_blank">TRIED. TESTED. TRUSTED.</a></td></tr></tbody></table></div><div>phone: +972-9-7692018<br>irc: eedri (on #tlv #rhev-dev #rhev-integ)</div></div></div></div></div></div></div></div></div></div></div>
</div></div>
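For the question raised in the thread of checking keys that live in a server's key store rather than in a local .ssh/ directory, here is an added example (not from the thread and not the roca tool's own code) that applies a simplified form of the published ROCA fingerprint check to OpenSSH public key lines: an affected modulus reduces, modulo each small prime, to a power of 65537. It assumes the keys have been exported as `ssh-rsa` lines; the function names and sample values are constructed for illustration, and any match should be confirmed with the roca tool linked above.

```python
import base64
import struct
from math import prod

# Odd primes up to 167: the modulus is examined modulo each of them.
PRIMES = [p for p in range(3, 168) if all(p % d for d in range(2, p))]

def powers_of_65537(p):  # residues mod p that can be written as 65537**k
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * 65537 % p
    return seen

ALLOWED = {p: powers_of_65537(p) for p in PRIMES}

def has_roca_fingerprint(n):
    """True when n mod p is a power of 65537 for every small prime p."""
    return all(n % p in ALLOWED[p] for p in PRIMES)

def rsa_modulus(line):
    """Modulus from an OpenSSH 'ssh-rsa <base64> [comment]' line, else None."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        return None
    try:
        blob, parts = base64.b64decode(fields[1]), []
        while blob:  # wire format: length-prefixed "ssh-rsa", e, n
            (size,) = struct.unpack(">I", blob[:4])
            parts.append(blob[4:4 + size])
            blob = blob[4 + size:]
    except (ValueError, struct.error):
        return None
    return int.from_bytes(parts[2], "big") if len(parts) == 3 else None

def flagged(lines):  # comments of the RSA keys whose modulus matches
    return [line.split()[-1] for line in lines
            if (n := rsa_modulus(line)) is not None and has_roca_fingerprint(n)]

def ssh_rsa_line(n, comment):  # encoder used only to build the sample data
    field = lambda b: struct.pack(">I", len(b)) + b
    mpint = lambda i: field(i.to_bytes(i.bit_length() // 8 + 1, "big"))
    blob = field(b"ssh-rsa") + mpint(65537) + mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

M = prod(PRIMES)  # the sample moduli below are constructed integers, not real keys
SAMPLE = [ssh_rsa_line(pow(65537, 4242, M), "alice@example"),  # built to match
          ssh_rsa_line(M + 2, "bob@example"),                  # fails at p = 11
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 carol@example"]    # not RSA, skipped
print(flagged(SAMPLE))
```

Non-RSA keys are skipped because the fingerprint only concerns RSA moduli.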