Yubikey NEO OpenPGP advisory

Thomas Harning Jr. harningt at gmail.com
Tue Apr 21 20:15:25 CEST 2015

On Tue, Apr 21, 2015 at 1:49 PM Jose Castillo <jose.castillo at gmail.com>

> I haven’t seen this posted to the list yet, and thought it would be
> important for people who use the Yubikey NEO's OpenPGP functionality with
> GnuPG. It regards a vulnerability in the Yubikey NEO implementation of the
> OpenPGP smart card application:
> https://developers.yubico.com/ykneo-openpgp/SecurityAdvisory%202015-04-14.html
> Yubikeys running the vulnerable software will generate signatures and
> decrypt session keys unconditionally, i.e. without verifying the user’s
> PIN. I reported this vulnerability to Yubico on 4/11, and to their credit
> it was quickly fixed. Still, if you are using a Yubikey that you obtained
> prior to the fix being issued, you should be aware that this vulnerability
> could affect your security.
> This issue also affected the upstream javacardopenpgp project [1], which
> has been updated with a fix as well.
> [1]: http://sourceforge.net/projects/javacardopenpgp/
> --
> Joey Castillo
> www.joeycastillo.com

Thanks for the notice and the fix! :)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20150421/d1ab4c6b/attachment-0001.html>

More information about the Gnupg-users mailing list