On Tue, Oct 17, 2017 at 1:31 PM, Michael Scherer <mscherer@redhat.com> wrote:
On Tuesday, 17 October 2017 at 18:56 +0900, Marc Dequènes (Duck) wrote:
> Quack,
>
> So the news (thanks Misc for the alert):
>
> https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
>
> This affects Yubikeys and other hardware:
>   https://www.yubico.com/support/security-advisories/ysa-2017-01/
>
> There's a nice tool to test if a key is vulnerable:
>   https://github.com/crocs-muni/roca
>
> I tested keys in the oVirt Puppet repository and none are affected.
>
> You may check your other keys and ensure keys are checked in other
> projects.

Ideally, if someone could verify the key in Gerrit, it would be
helpful. I removed mine, but I suspect I am not the only one who tried
to follow best practices :)

If you run the tool locally on your .ssh/ dir, it should already include the public key you have on Gerrit, no?
We'll need to check if it's possible to run that tool on Gerrit and if the keys are even stored on the fs and not inside the Gerrit DB.
 


Debian, GitHub and Fedora did send alerts to people affected, and I am
in the process of changing my key from the 50 to 60 places where I used
it and I assume most affected people will be aware somehow, but
automated removal from vulnerable systems would surely help.

--
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS


--
Eyal edri
MANAGER
RHV DevOps
EMEA VIRTUALIZATION R&D
Red Hat EMEA
phone: +972-9-7692018
irc: eedri (on #tlv #rhev-dev #rhev-integ)
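
An added example, not part of the original thread and not code from the crocs-muni/roca tool: a check for the published ROCA fingerprint (the public modulus is a power of 65537 modulo each of a set of small primes) over ssh-rsa public key lines, which works the same whether the lines come from files or from a database export. The function names, the choice of primes up to 167 and the sample moduli are assumptions made for this sketch; the sample lines are constructed, not real keys.

```python
import base64
import struct

# Odd primes up to 167; each divides the primorial M of the flawed generator.
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
          71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
          149, 151, 157, 163, 167]

def subgroup(p, g=65537):
    """Set of powers of g modulo p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * g % p
    return seen

SUBGROUPS = {p: subgroup(p) for p in PRIMES}

def has_roca_fingerprint(n):
    """True if n mod p is a power of 65537 mod p for every prime in PRIMES."""
    return all(n % p in SUBGROUPS[p] for p in PRIMES)

def rsa_modulus(line):
    """Modulus of an 'ssh-rsa <base64> [comment]' line, or None."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        return None
    try:
        blob, fields = base64.b64decode(parts[1]), []
        while blob:  # SSH wire format: 4-byte big-endian length, then data
            (size,) = struct.unpack(">I", blob[:4])
            fields.append(blob[4:4 + size])
            blob = blob[4 + size:]
        return int.from_bytes(fields[2], "big")  # fields: key type, e, n
    except (ValueError, struct.error, IndexError):
        return None

def flagged(lines):
    """Lines whose RSA modulus carries the fingerprint."""
    moduli = ((line, rsa_modulus(line)) for line in lines)
    return [l for l, n in moduli if n is not None and has_roca_fingerprint(n)]

def sample_line(n, comment):
    """Constructed ssh-rsa line for modulus n (test data, not a real key)."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (
        b"ssh-rsa", b"\x01\x00\x01", n.to_bytes(n.bit_length() // 8 + 1, "big")))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

if __name__ == "__main__":  # hypothetical input: one flagged, one clean
    print(flagged([sample_line(65537 ** 40, "hit"), sample_line(13, "clean")]))
```

Lines that carry key options before the key type are skipped by this sketch, and a hit is worth confirming with the roca tool itself before a key is removed.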