4:56 a.m.
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--Jo6QvEJXJfQCfDxTQMptqAWL0Ku1cee9q
Content-Type: multipart/mixed; boundary="euwd0OP654GGNcLdW6Guf5oX9JOBAWw2A";
protected-headers="v1"
From: =?UTF-8?B?TWFyYyBEZXF1w6huZXMgKER1Y2sp?= <duck(a)redhat.com>
To: oVirt Infra <infra(a)ovirt.org>
Message-ID: <5ca02ec3-9742-187e-9a93-ca50b03778aa(a)redhat.com>
Subject: Infineon firmware security issues
--euwd0OP654GGNcLdW6Guf5oX9JOBAWw2A
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Quack,
So the news (thanks Misc for the alert):
https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-backgro=
und
This affects Yubikeys and other hardware:
https://www.yubico.com/support/security-advisories/ysa-2017-01/
There's a nice tool to test if a key is vulnerable:
https://github.com/crocs-muni/roca
I tested keys in the oVirt Puppet repository and none are affected.
You may check your other keys and ensure keys are checked in other
projects.
\_o<
--euwd0OP654GGNcLdW6Guf5oX9JOBAWw2A--
--Jo6QvEJXJfQCfDxTQMptqAWL0Ku1cee9q
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEcpcqg+UmRT3yiF+BVen596wcRD8FAlnl08cACgkQVen596wc
RD+oEg/+PFTrAc13zzF6ldhn/U1oq1wzh2HYaGQ62vw2nmC3BHeXVUqAUIUbWsSs
UaQxDZRiuXxCnFgM45rWyiAjZiXg9Lgpt5gcCHOWJ6TsSzJh0j/gQFq75FPKYtrQ
Lob1v8KMv2bF7jEF7QgwaIj/BwEDnZ+XN53/2fg4lQ97wb6WBb3caSjejhPzcR6+
zg14uZHAe9bvMUk7qMn8ybCrb5TjQEeepV40mpRLvtY5tyLBzxs9ho1UmL4w3BL7
9Grdr2r2shKiWYPdUIP/F6OAavKR1MNmW2N8ZIYaHKFaN19YXAc71w4h9nHeD18Q
lM4p3hzT2/cHY/fnsmS5Y7jtUyXgPHJvlyi2AkMht9gfI2xn27yyQuaSh0JjU1M7
2NAW/h2Gssf3rAmmuc3P7Kbq6wEY+krWgJSlefjzeOTYrPMlPtij6DieMVwlyRhG
ct4buRHRlRFku1SFeYSoTNGieCamIVSQ9VH3Iyk0/tNwL9mdrOLv91VT/L8WUpvl
vV4qY8Vbh+8OF3lNhGHFPWhQkFW46yoBrbK4S/jxK+fIsy/h72+ZI8Nc3omw5t80
eKTb6FWLysDG0MJoYhl2zaP9wq86e9fIwXPfF75uO1z4w/5T0qbITnnCGReFgvVK
rq5gs4J4/S3qCQVZ45aaz0DNdvfNnOKBLN89x5gwtaXDYq/+8wE=
=+KxX
-----END PGP SIGNATURE-----
--Jo6QvEJXJfQCfDxTQMptqAWL0Ku1cee9q--
5:31 a.m.
--=-FuYD2a40/Hlxr4npoJoN
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Le mardi 17 octobre 2017 =C3=A0 18:56 +0900, Marc Dequ=C3=A8nes (Duck) a =
=C3=A9crit=C2=A0:
Quack,
=20
So the news (thanks Misc for the alert):
=20
https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-bac
kground
=20
This affects Yubikeys and other hardware:
=C2=A0 https://www.yubico.com/support/security-advisories/ysa-2017-01/
=20
There's a nice tool to test if a key is vulnerable:
=C2=A0 https://github.com/crocs-muni/roca
=20
I tested keys in the oVirt Puppet repository and none are affected.
=20
You may check your other keys and ensure keys are checked in other
projects.
Ideally, if someone could verify the key in Gerrit, it would be
helpful. I removed mine, but I suspect i am not the only one who tried
to follow best practices :)
Debian, Github and Fedora did sent alert to people affected, and I am
in the process of changing my key from the 50 to 60 place where I used
it and I assume most affected people will be aware somehow, but
automated removal from vulnerable systems would surely help.=20
--=20
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
--=-FuYD2a40/Hlxr4npoJoN
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAABAgAGBQJZ5dv3AAoJEE89Wa+PrSK9Gh8P/jUcyZitOFfiAcUKRvzJ7q2L
6kL6JwoFNCfYfVX5nW2Snsrchjn8ASRf+iVifmoYd+1Au3Z7/3NCGLKmf9fclE5J
B1K+JPYxRraffJ2X9tT27optNHhzwXYPNF8NXNjA34SX6fASxqkClvX9sp/le2q8
VSQ6QXHu00MKnQYBIuEyeOgB0LDbe+Mcd0e9SD6eONB5IVGBcz1h5gMwybVydFvR
v967eN1qmiwHvqao4aadjinouFojw9D6MwUpyklHvYbhbtrh5LEOgZAjgE2nKQqq
GeE09521ujpXIQjSMtn4yQf91CPmqOTc+o7tpTDMWSyHHVvaxnxBbGFH/tvl2SEg
AWAJbjJHwp+LxfgGYcKd+ewup8wpw9e74uWDXIgtKN+TH3OQN81OWa6+UOWVa9wW
XzZzHLC7u398EM86w3xDKrq/wDymCpoOss3lbDkB9b49la7iCG1gkvbSuN5rbiIi
dWD0InzUn6GcG1Nvdyhwr1MGuU0AyUC2KyrxWM4CUJqmJ74jT9ruBlQIAwYlhWOR
BpSEC9LBsJy6hXjkCgbgz+tM5HJMF2c/uoPSkPfq8pZ7eKRLtqRadRDSI1E/jypo
pKUBaML7WIr3YtfL/fAfrOMoLaBboatQ57m/A8TZvNjP2C03IDtzXeBYqYuP1n+5
P6FmokgWtAgGGZkOcbQp
=JyOr
-----END PGP SIGNATURE-----
--=-FuYD2a40/Hlxr4npoJoN--
5:36 a.m.
On Tue, Oct 17, 2017 at 1:31 PM, Michael Scherer <mscherer(a)redhat.com>
wrote:
Le mardi 17 octobre 2017 à 18:56 +0900, Marc Dequènes (Duck) a écrit
:
> Quack,
>
> So the news (thanks Misc for the alert):
>
> https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-bac
> kground
>
> This affects Yubikeys and other hardware:
> https://www.yubico.com/support/security-advisories/ysa-2017-01/
>
> There's a nice tool to test if a key is vulnerable:
> https://github.com/crocs-muni/roca
>
> I tested keys in the oVirt Puppet repository and none are affected.
>
> You may check your other keys and ensure keys are checked in other
> projects.
Ideally, if someone could verify the key in Gerrit, it would be
helpful. I removed mine, but I suspect i am not the only one who tried
to follow best practices :)
If you run the tool locally on your .ssh/ dir, it should include already
the public key you have on Gerrit no?
We'll need to check if its possible to run that tool on Gerrit and if the
keys are even stored on the fs and not inside the Gerrit DB.
Debian, Github and Fedora did sent alert to people affected, and I am
in the process of changing my key from the 50 to 60 place where I used
it and I assume most affected people will be aware somehow, but
automated removal from vulnerable systems would surely help.
--
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
_______________________________________________
Infra mailing list
Infra(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/infra
--
Eyal edri
MANAGER
RHV DevOps
EMEA VIRTUALIZATION R&D
Red Hat EMEA <https://www.redhat.com/>
<https://red.ht/sig> TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
phone: +972-9-7692018
irc: eedri (on #tlv #rhev-dev #rhev-integ)
5:43 a.m.
--=-qS1V/lnImcC+8p0p3+ll
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Le mardi 17 octobre 2017 =C3=A0 13:36 +0300, Eyal Edri a =C3=A9crit=C2=A0:
On Tue, Oct 17, 2017 at 1:31 PM, Michael Scherer
<mscherer(a)redhat.com
>
wrote:
=20
> Le mardi 17 octobre 2017 =C3=A0 18:56 +0900, Marc Dequ=C3=A8nes (Duck) =
a
> =C3=A9crit :
> > Quack,
> >=20
> > So the news (thanks Misc for the alert):
> >=20
> > https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa
> > -bac
> > kground
> >=20
> > This affects Yubikeys and other hardware:
> > =C2=A0 https://www.yubico.com/support/security-advisories/ysa-2017-01=
/
> >=20
> > There's a nice tool to test if a key is vulnerable:
> > =C2=A0 https://github.com/crocs-muni/roca
> >=20
> > I tested keys in the oVirt Puppet repository and none are
> > affected.
> >=20
> > You may check your other keys and ensure keys are checked in
> > other
> > projects.
>=20
> Ideally, if someone could verify the key in Gerrit, it would be
> helpful. I removed mine, but I suspect i am not the only one who
> tried
> to follow best practices :)
>=20
=20
If you run the tool locally on your .ssh/ dir, it should include
already
the public key you have on Gerrit no?
Well, I know my key is vulnerable, got notified by Fedora and Github.
But I just do not know where I used it exactly, because I have account
everywhere, and that's likely that I may forget it in some place.
We'll need to check if its possible to run that tool on Gerrit
and if
the
keys are even stored on the fs and not inside the Gerrit DB.
If they are in the DB, we can extract it with a sql request ILMHO.
I plan to look at Gluster's gerrit instance once I finish my own
cleanup and key generation, which is a rather tedious task (cause I
also found out that my backup key is not working anymore for a unknown
reason).
--=20
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
--=-qS1V/lnImcC+8p0p3+ll
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAABAgAGBQJZ5d7yAAoJEE89Wa+PrSK9QMsQAJhB3Dr8eQTOco4huKrFCDr8
YFTC3wEEQj4ZNPSBcuwQ7Kf/SZOEsHsWUSL3xlPZxq7kWPk1dduu2146Pzw7drZf
xHzn/jscRs5UPnSgy9KbaCpZUdQ+vS1EMtSwd+2HSO2Uq98ZiSSuQ5gbXvOMQO8h
aEuXiWkdc8wRsKfi9nwheiCTohLqWVb+aCKxjJGfB2ycKXRVhd4LRsotGS+3Jq5x
8Th4/axJlBawUdr+5rLBZ1OE9tdrYIZ/thVI6NhGuOPI9frLNO+qITsxMcNERm0I
TT6zdEmZBpt6eXNSJYEttqf49js9cxI7B2CZHTe+xqX+/KSWEEjCkkSoKmN8iHi4
dCD1QM/uSZaGv9q6IcbQmO0wKwavRVJnvC9dRdSEHm3Icf3eXWqsz+tnFemTjkB8
kvlBB0/Tx8nEfc38wPnl4tPYNJtb56CxPd0QiAqIDjSUe+n01LcS1LOk5xqR2L44
vqMhZXOAsBEcoc50GkZRlnT2LiBpkGZsL5kv/Mx6bY7aP0bYMoLvATEezh7G1EVn
+gGnvZdhBMURDBQctgMlPd0qUrrU4hcEy0lY9uK4x1tkF0lUqqcq3OYax3jyjk6+
e50TW4bX+igGaehqz52sWWRMOcy+aQFJ3NAnNIjtho3YBlL9al/jhPcVY49GX0UT
XKr3VHZ270XVg4Ndklui
=BmGJ
-----END PGP SIGNATURE-----
--=-qS1V/lnImcC+8p0p3+ll--
5:33 a.m.
Thanks,
So if I have an old YubiKey ( 2.43 ) I shouldn't be affected right? only V4
is ?
On Tue, Oct 17, 2017 at 12:56 PM, Marc Dequènes (Duck) <duck(a)redhat.com>
wrote:
Quack,
So the news (thanks Misc for the alert):
https://www.infineon.com/cms/en/product/promopages/rsa-
update/rsa-background
This affects Yubikeys and other hardware:
https://www.yubico.com/support/security-advisories/ysa-2017-01/
There's a nice tool to test if a key is vulnerable:
https://github.com/crocs-muni/roca
I tested keys in the oVirt Puppet repository and none are affected.
You may check your other keys and ensure keys are checked in other
projects.
\_o<
_______________________________________________
Infra mailing list
Infra(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/infra
--
Eyal edri
MANAGER
RHV DevOps
EMEA VIRTUALIZATION R&D
Red Hat EMEA <https://www.redhat.com/>
<https://red.ht/sig> TRIED. TESTED. TRUSTED. <https://redhat.com/trusted>
phone: +972-9-7692018
irc: eedri (on #tlv #rhev-dev #rhev-integ)
5:53 a.m.
--=-MN1YiBFHlv1TjrbX85/D
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Le mardi 17 octobre 2017 =C3=A0 13:33 +0300, Eyal Edri a =C3=A9crit=C2=A0:
Thanks,
=20
So if I have an old YubiKey ( 2.43 ) I shouldn't be affected right?
only V4
is ?
That's what the post on yubico.com seems to imply. We do not know what
chipset is used in the key, so I can't give a educated guess. But I
hear people using yubikey neo weren't affected.
Now, only the CCID function is problematic, and only if you did
generate the ssh key on the chip (e.g., followed official doc on https
://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html and
used "yubico-piv-tool -s 9a -a generate -o public.pem" )
If you imported the key, then that should be ok.
If you use the yubikey for non smartcard use (e.g. U2F, 2FA for RH VPN
or similar system ), that's ok too.
On Tue, Oct 17, 2017 at 12:56 PM, Marc Dequ=C3=A8nes (Duck)
<duck(a)redhat.com>
wrote:
=20
> Quack,
>=20
> So the news (thanks Misc for the alert):
>=20
> https://www.infineon.com/cms/en/product/promopages/rsa-
> update/rsa-background
>=20
> This affects Yubikeys and other hardware:
> =C2=A0 https://www.yubico.com/support/security-advisories/ysa-2017-01/
>=20
> There's a nice tool to test if a key is vulnerable:
> =C2=A0 https://github.com/crocs-muni/roca
>=20
> I tested keys in the oVirt Puppet repository and none are affected.
>=20
> You may check your other keys and ensure keys are checked in other
> projects.
>=20
> \_o<
>=20
>=20
> _______________________________________________
> Infra mailing list
> Infra(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/infra
>=20
>=20
=20
=20
_______________________________________________
Infra mailing list
Infra(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/infra
--=20
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
--=-MN1YiBFHlv1TjrbX85/D
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAABAgAGBQJZ5eENAAoJEE89Wa+PrSK9PvAP/2/FVqtHxod/zaLsmiKDANam
BZbEAVN/wlggHkVDot6lexDqu386om21lp0ctcv0GbECbJ7sSY2+IIgyCUR/iofP
7xYQ+swKO0H2k3Rnl7Ur5tU1Rk/tiy8MI3ikJObULUDzawQ3icSHYSspo4EaiS75
n5ov3rrmIR//jk/3ZnZ+IZYZfGjjqq6FuyKa453/KF1vaJqy0STdqbm7h6HkY7Oc
aSaFMQDYnmlYlziKrxwlhV1tqkL032ppWnshVi8Y90gr17WdIAFLFZLyfS0X1UZD
bccBt4940Y1RxEVWfsORetp3C2iSNWLyGrlJzaI9hOmpB62if7EEH6CowphPq9dQ
O04pvph//vyNogTVCFXv0dJcJaveWN12nUftpcrQ1kDje66P3Zda+zlLuuscM5y3
3F2QYZt9qKlQzBOM97XFxSDJbLZA9/rxfXYH3LHP/iuQ1cCk6MIUwaKPQfmss933
FinMxzsuEbYxGQAA8a+a6bAYoBOJEZmkZ+G9IPuCOhlZSVoAdQ9tAE0/mG9KtdRw
DD1WJXKgEB75POxZYhZ8gM+bnlh5C95jD+js4EjS+gtwnFbpxDtV5TDq68A2m5v2
qWH0oXn31l4DaSEabuJ5XO6RzKjhveAzWzcYHNpL+7iu0rJ3svQ5uE7jZzxA/V3n
4qOyDkm7YruevKz6sB6N
=LCGh
-----END PGP SIGNATURE-----
--=-MN1YiBFHlv1TjrbX85/D--
2648
days inactive
2648
days old
5 comments
3 participants
participants (3)
-
Eyal Edri -
Marc Dequènes (Duck) -
Michael Scherer