On Tue, Apr 21, 2015 at 1:49 PM Jose Castillo <jose.casti...@gmail.com> wrote:
> I haven’t seen this posted to the list yet, and thought it would be
> important for people who use the Yubikey NEO's OpenPGP functionality with
> GnuPG. It regards a vulnerability in the Yubikey NEO implementation of the
> OpenPGP smart card application:
>
> https://developers.yubico.com/ykneo-openpgp/SecurityAdvisory%202015-04-14.html
>
> Yubikeys running the vulnerable software will generate signatures and
> decrypt session keys unconditionally, i.e. without verifying the user’s
> PIN. I reported this vulnerability to Yubico on 4/11, and to their credit
> it was quickly fixed. Still, if you are using a Yubikey that you obtained
> prior to the fix being issued, you should be aware that this vulnerability
> could affect your security.
>
> This issue also affected the upstream javacardopenpgp project [1], which
> has been updated with a fix as well.
>
> [1]: http://sourceforge.net/projects/javacardopenpgp/
>
> --
>
> Joey Castillo
> www.joeycastillo.com

Thanks for the notice and the fix! :)
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users