Infineon firmware security issues

Michael Scherer mscherer at redhat.com
Tue Oct 17 10:43:54 UTC 2017


On Tuesday, 17 October 2017 at 13:36 +0300, Eyal Edri wrote:
> On Tue, Oct 17, 2017 at 1:31 PM, Michael Scherer <mscherer at redhat.com> wrote:
> 
> > On Tuesday, 17 October 2017 at 18:56 +0900, Marc Dequènes (Duck) wrote:
> > > Quack,
> > > 
> > > So the news (thanks Misc for the alert):
> > > 
> > > https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
> > > 
> > > This affects Yubikeys and other hardware:
> > >   https://www.yubico.com/support/security-advisories/ysa-2017-01/
> > > 
> > > There's a nice tool to test if a key is vulnerable:
> > >   https://github.com/crocs-muni/roca
> > > 
> > > I tested keys in the oVirt Puppet repository and none are
> > > affected.
> > > 
> > > You may check your other keys and ensure keys are checked in other
> > > projects.
> > 
> > Ideally, if someone could verify the key in Gerrit, it would be
> > helpful. I removed mine, but I suspect I am not the only one who tried
> > to follow best practices :)
> > 
> 
> If you run the tool locally on your .ssh/ dir, it should include already
> the public key you have on Gerrit, no?

Well, I know my key is vulnerable, got notified by Fedora and GitHub.
But I just do not know where I used it exactly, because I have accounts
everywhere, and it's likely that I may forget it in some place.

> We'll need to check if it's possible to run that tool on Gerrit and if the
> keys are even stored on the fs and not inside the Gerrit DB.

If they are in the DB, we can extract it with a SQL request ILMHO.

I plan to look at Gluster's Gerrit instance once I finish my own
cleanup and key generation, which is a rather tedious task (cause I
also found out that my backup key is not working anymore for an unknown
reason).

-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
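
The check discussed in this thread, as an added example that is not part of the original message and is not the crocs-muni/roca code: it reads `ssh-rsa` public key lines (for instance a dump of the keys stored for a Gerrit instance) and flags moduli that carry the published fingerprint of the affected library, whose primes have the form k*M + (65537^a mod M). All function names are hypothetical, the sample moduli are constructed rather than real keys, and lines are assumed to be plain `ssh-rsa <base64> [comment]` without authorized_keys option prefixes.

```python
import base64
import math

# Odd primes up to 167; each divides the generator modulus M of affected keys.
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
          71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
          149, 151, 157, 163, 167]

def powers_of_65537(p):  # residues mod p that are powers of 65537
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * 65537 % p
    return seen
SUBGROUPS = {p: powers_of_65537(p) for p in PRIMES}

def has_roca_fingerprint(n):
    """True when n mod p is a power of 65537 for every prime in PRIMES."""
    return all(n % p in SUBGROUPS[p] for p in PRIMES)

def rsa_modulus(line):
    """Modulus of an 'ssh-rsa <base64> [comment]' line, or None."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        return None
    blob, parts = base64.b64decode(fields[1]), []
    while len(blob) >= 4:  # wire format: 4-byte length, then the value
        size = int.from_bytes(blob[:4], "big")
        parts.append(blob[4:4 + size])
        blob = blob[4 + size:]
    return int.from_bytes(parts[2], "big") if len(parts) == 3 else None

def make_line(n, comment):  # builds constructed sample lines only
    field = lambda b: len(b).to_bytes(4, "big") + b
    mpint = lambda v: field(v.to_bytes(v.bit_length() // 8 + 1, "big"))
    blob = base64.b64encode(field(b"ssh-rsa") + mpint(65537) + mpint(n))
    return "ssh-rsa " + blob.decode() + " " + comment

def flagged_comments(lines):
    """Comments of the ssh-rsa lines whose modulus carries the fingerprint."""
    keys = ((l.split()[-1], rsa_modulus(l)) for l in lines if l.strip())
    return [c for c, n in keys if n is not None and has_roca_fingerprint(n)]

# Constructed moduli, not real keys: SHAPED multiplies two factors of the
# form k*M + (65537^a mod M); PLAIN is 2 mod 11, which no power of 65537 is.
M = math.prod(PRIMES)
SHAPED = (5 * M + pow(65537, 1234, M)) * (7 * M + pow(65537, 777, M))
PLAIN = 11 * 2**512 + 13
SAMPLE = [make_line(SHAPED, "shaped@example"), make_line(PLAIN, "plain@example")]
```

A flagged key matches the fingerprint and should be replaced with one generated elsewhere; keys of other types (such as `ssh-ed25519`) are skipped rather than reported as clean.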
