Re: Infineon firmware security issues
--=-FuYD2a40/Hlxr4npoJoN
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Le mardi 17 octobre 2017 =C3=A0 18:56 +0900, Marc Dequ=C3=A8nes (Duck) a =
=C3=A9crit=C2=A0:
Quack,
=20
So the news (thanks Misc for the alert):
=20
https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-bac
kground
=20
This affects Yubikeys and other hardware:
=C2=A0 https://www.yubico.com/support/security-advisories/ysa-2017-01/
=20
There's a nice tool to test if a key is vulnerable:
=C2=A0 https://github.com/crocs-muni/roca
=20
I tested keys in the oVirt Puppet repository and none are affected.
=20
You may check your other keys and ensure keys are checked in other
projects.
Ideally, if someone could verify the key in Gerrit, it would be
helpful. I removed mine, but I suspect i am not the only one who tried
to follow best practices :)
Debian, Github and Fedora did sent alert to people affected, and I am
in the process of changing my key from the 50 to 60 place where I used
it and I assume most affected people will be aware somehow, but
automated removal from vulnerable systems would surely help.=20
--=20
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
--=-FuYD2a40/Hlxr4npoJoN
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAABAgAGBQJZ5dv3AAoJEE89Wa+PrSK9Gh8P/jUcyZitOFfiAcUKRvzJ7q2L
6kL6JwoFNCfYfVX5nW2Snsrchjn8ASRf+iVifmoYd+1Au3Z7/3NCGLKmf9fclE5J
B1K+JPYxRraffJ2X9tT27optNHhzwXYPNF8NXNjA34SX6fASxqkClvX9sp/le2q8
VSQ6QXHu00MKnQYBIuEyeOgB0LDbe+Mcd0e9SD6eONB5IVGBcz1h5gMwybVydFvR
v967eN1qmiwHvqao4aadjinouFojw9D6MwUpyklHvYbhbtrh5LEOgZAjgE2nKQqq
GeE09521ujpXIQjSMtn4yQf91CPmqOTc+o7tpTDMWSyHHVvaxnxBbGFH/tvl2SEg
AWAJbjJHwp+LxfgGYcKd+ewup8wpw9e74uWDXIgtKN+TH3OQN81OWa6+UOWVa9wW
XzZzHLC7u398EM86w3xDKrq/wDymCpoOss3lbDkB9b49la7iCG1gkvbSuN5rbiIi
dWD0InzUn6GcG1Nvdyhwr1MGuU0AyUC2KyrxWM4CUJqmJ74jT9ruBlQIAwYlhWOR
BpSEC9LBsJy6hXjkCgbgz+tM5HJMF2c/uoPSkPfq8pZ7eKRLtqRadRDSI1E/jypo
pKUBaML7WIr3YtfL/fAfrOMoLaBboatQ57m/A8TZvNjP2C03IDtzXeBYqYuP1n+5
P6FmokgWtAgGGZkOcbQp
=JyOr
-----END PGP SIGNATURE-----
--=-FuYD2a40/Hlxr4npoJoN--
Attachments:
- attachment.bin (multipart/signed — 2.2 KB)