
On Tue, Oct 17, 2017 at 1:31 PM, Michael Scherer <mscherer@redhat.com> wrote:
On Tuesday, 17 October 2017 at 18:56 +0900, Marc Dequènes (Duck) wrote:
Quack,
So the news (thanks Misc for the alert):
https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
This affects Yubikeys and other hardware: https://www.yubico.com/support/security-advisories/ysa-2017-01/
There's a nice tool to test if a key is vulnerable: https://github.com/crocs-muni/roca
I tested keys in the oVirt Puppet repository and none are affected.
You may check your other keys and ensure keys are checked in other projects.
Ideally, if someone could verify the key in Gerrit, it would be helpful. I removed mine, but I suspect I am not the only one who tried to follow best practices :)
If you run the tool locally on your .ssh/ dir, it should already include the public key you have on Gerrit, no? We'll need to check if it's possible to run that tool on Gerrit and if the keys are even stored on the fs and not inside the Gerrit DB.
Debian, GitHub and Fedora did send alerts to people affected, and I am in the process of changing my key from the 50 to 60 places where I used it and I assume most affected people will be aware somehow, but automated removal from vulnerable systems would surely help.
-- Michael Scherer Sysadmin, Community Infrastructure and Platform, OSAS
_______________________________________________ Infra mailing list Infra@ovirt.org http://lists.ovirt.org/mailman/listinfo/infra
-- Eyal Edri, Manager, RHV DevOps, EMEA Virtualization R&D, Red Hat EMEA
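For the question raised in the thread of checking SSH public keys wherever they are stored, the following added example (not part of the original messages and not the crocs-muni tool's code) applies the publicly documented ROCA fingerprint to `authorized_keys`-style lines, which is the form keys take once exported from a file or a database. The names `make_line` and `flagged` and the sample moduli are constructed for illustration; the sample values satisfy or break the fingerprint by construction and are not real keys.

```python
import base64
import math
import struct

# Public ROCA fingerprint: affected primes have the form k*M + (65537^a mod M),
# M a product of small primes, so N mod p is a power of 65537 (mod p) for each p.
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
          71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
          149, 151, 157, 163, 167]
M = math.prod(PRIMES)

def _subgroup(gen, p):
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * gen % p
    return seen

ALLOWED = {p: _subgroup(65537, p) for p in PRIMES}

def has_roca_fingerprint(n):
    return all(n % p in ALLOWED[p] for p in PRIMES)

def ssh_rsa_modulus(line):
    """Modulus of an '[options] ssh-rsa <base64> [comment]' line, else None."""
    words = line.split()
    if "ssh-rsa" not in words[:-1]:
        return None
    blob = base64.b64decode(words[words.index("ssh-rsa") + 1])
    parts, off = [], 0
    while off + 4 <= len(blob):  # SSH wire format: length-prefixed strings
        (size,) = struct.unpack(">I", blob[off:off + 4])
        parts.append(blob[off + 4:off + 4 + size])
        off += 4 + size
    if len(parts) != 3 or parts[0] != b"ssh-rsa":
        return None
    return int.from_bytes(parts[2], "big")  # fields are: type, e, n

def make_line(n, comment):
    """Constructed ssh-rsa line (e=65537) so the example runs offline."""
    def mpint(v):
        raw = v.to_bytes(v.bit_length() // 8 + 1, "big")
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def flagged(lines):
    """Comments of the ssh-rsa lines whose modulus carries the fingerprint."""
    mods = ((ln.split()[-1], ssh_rsa_modulus(ln)) for ln in lines if ln.strip())
    return [c for c, n in mods if n is not None and has_roca_fingerprint(n)]
```

A match is a fingerprint hit, not a factorisation; confirm any flagged key with the roca tool linked in the thread before replacing it.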