{"id":564796,"date":"2023-01-18T18:52:30","date_gmt":"2023-01-18T20:52:30","guid":{"rendered":"https:\/\/teknomers.com\/fr\/les-utilisateurs-de-git-sont-invites-a-mettre-a-jour-le-logiciel-pour-empecher-les-attaques-dexecution-de-code-a-distance\/"},"modified":"2023-01-18T18:52:31","modified_gmt":"2023-01-18T20:52:31","slug":"les-utilisateurs-de-git-sont-invites-a-mettre-a-jour-le-logiciel-pour-empecher-les-attaques-dexecution-de-code-a-distance","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/les-utilisateurs-de-git-sont-invites-a-mettre-a-jour-le-logiciel-pour-empecher-les-attaques-dexecution-de-code-a-distance\/","title":{"rendered":"Les utilisateurs de Git sont invit\u00e9s \u00e0 mettre \u00e0 jour le logiciel pour emp\u00eacher les attaques d&#8217;ex\u00e9cution de code \u00e0 distance"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">18 janvier 2023<\/span><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><\/span><span class=\"p-tags\">DevOpsSec \/ S\u00e9curit\u00e9 logicielle<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><\/div>\n<p>Les mainteneurs de la <a rel=\"nofollow noopener\" href=\"https:\/\/git-scm.com\/\" target=\"_blank\">Gite<\/a> Le syst\u00e8me de contr\u00f4le de version du code source a publi\u00e9 des mises \u00e0 jour pour rem\u00e9dier \u00e0 deux vuln\u00e9rabilit\u00e9s critiques qui pourraient \u00eatre exploit\u00e9es par un acteur malveillant pour r\u00e9aliser l&#8217;ex\u00e9cution de code \u00e0 distance.<\/p>\n<p>Les d\u00e9fauts, suivis comme <a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/git\/git\/security\/advisories\/GHSA-c738-c5qq-xg89\" target=\"_blank\"><strong>CVE-2022-23521<\/strong><\/a>  et <a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/git\/git\/security\/advisories\/GHSA-475x-2q3q-hvwq\" target=\"_blank\"><strong>CVE-2022-41903<\/strong><\/a>affecte les versions suivantes de Git\u00a0: v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2 et v2.39.0.<\/p>\n<p>Les versions corrig\u00e9es incluent v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3 et v2.39.1.  Les chercheurs en s\u00e9curit\u00e9 X41 D-Sec Markus Vervier et Eric Sesterhenn ainsi que Joern Schneeweisz de GitLab ont \u00e9t\u00e9 cr\u00e9dit\u00e9s d&#8217;avoir signal\u00e9 les bogues.<\/p>\n<p>&#8220;Le probl\u00e8me le plus grave d\u00e9couvert permet \u00e0 un attaquant de d\u00e9clencher une corruption de m\u00e9moire bas\u00e9e sur le tas lors d&#8217;op\u00e9rations de clonage ou d&#8217;extraction, ce qui peut entra\u00eener l&#8217;ex\u00e9cution de code&#8221;, a d\u00e9clar\u00e9 la soci\u00e9t\u00e9 allemande de cybers\u00e9curit\u00e9. <a rel=\"nofollow noopener\" href=\"https:\/\/x41-dsec.de\/security\/research\/news\/2023\/01\/17\/git-security-audit-ostif\/\" target=\"_blank\">m&#8217;a dit<\/a> de CVE-2022-23521.<\/p>\n<p>CVE-2022-41903, \u00e9galement une vuln\u00e9rabilit\u00e9 critique, est d\u00e9clench\u00e9e lors d&#8217;une op\u00e9ration d&#8217;archivage, entra\u00eenant l&#8217;ex\u00e9cution de code via une faille de d\u00e9bordement d&#8217;entier qui survient lors du formatage des journaux de validation.<\/p>\n<p>&#8220;En outre, un grand nombre de probl\u00e8mes li\u00e9s aux nombres entiers ont \u00e9t\u00e9 identifi\u00e9s, ce qui peut entra\u00eener des situations de d\u00e9ni de service, des lectures hors limites ou simplement des cas d&#8217;angle mal g\u00e9r\u00e9s sur des entr\u00e9es volumineuses&#8221;, a not\u00e9 X41 D-Sec.<\/p>\n<p>Bien qu&#8217;il n&#8217;y ait pas de solution de contournement pour CVE-2022-23521, Git recommande aux utilisateurs de d\u00e9sactiver &#8220;git archive&#8221; dans les r\u00e9f\u00e9rentiels non approuv\u00e9s comme att\u00e9nuation pour CVE-2022-41903 dans les sc\u00e9narios o\u00f9 la mise \u00e0 jour vers la derni\u00e8re version n&#8217;est pas une option.<\/p>\n<p>GitLab, dans un conseil coordonn\u00e9, <a rel=\"nofollow noopener\" href=\"https:\/\/about.gitlab.com\/releases\/2023\/01\/17\/critical-security-release-gitlab-15-7-5-released\/\" target=\"_blank\">m&#8217;a dit<\/a> il a publi\u00e9 les versions 15.7.5, 15.6.6 et 15.5.9 pour GitLab Community Edition (CE) et Enterprise Edition (EE) pour rem\u00e9dier aux lacunes, exhortant les clients \u00e0 appliquer les correctifs avec effet imm\u00e9diat.<\/p>\n<p><\/p>\n<div class=\"cf note-b\">Vous avez trouv\u00e9 cet article int\u00e9ressant ?  Suivez-nous sur <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/thehackersnews\" target=\"_blank\">Twitter <i class=\"icon-font icon-twitter\">\uf099<\/i><\/a>  et <a rel=\"nofollow noopener\" href=\"https:\/\/www.linkedin.com\/company\/thehackernews\/\" target=\"_blank\">LinkedIn<\/a> pour lire plus de contenu exclusif que nous publions.<\/div>\n<\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><br \/>\n<br \/><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2023\/01\/git-users-urged-to-update-software-to.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\ue80218 janvier 2023\ue804Ravie LakshmananDevOpsSec \/ S\u00e9curit\u00e9 logicielle Les mainteneurs de la Gite Le syst\u00e8me de contr\u00f4le de version du code source a publi\u00e9 des mises \u00e0 jour pour rem\u00e9dier \u00e0 deux vuln\u00e9rabilit\u00e9s critiques qui pourraient \u00eatre exploit\u00e9es par un acteur malveillant pour r\u00e9aliser l&#8217;ex\u00e9cution de code \u00e0 distance. Les d\u00e9fauts, suivis comme CVE-2022-23521 et CVE-2022-41903affecte [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":564797,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[8074,5597,4168,4158,4165,4161,28640,2526,5017,67531,23629,3995,4157,4159,4171,4170,65,6816,4167,6454,4160,4163,4162,185,4172,4169,317,7529,4166,4164],"class_list":["post-564796","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-attaques","tag-code","tag-comment-pirater","tag-cyber-actualites","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-dexecution","tag-distance","tag-empecher","tag-git","tag-invites","tag-jour","tag-lactualite-de-la-cybersecurite","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-la-securite-des-informations","tag-les","tag-logiciel","tag-logiciel-malveillant-de-ransomware","tag-mettre","tag-mises-a-jour-de-la-cybersecurite","tag-nouvelles-de-piratage","tag-nouvelles-de-pirates","tag-pour","tag-securite-informatique","tag-securite-internet","tag-sont","tag-utilisateurs","tag-violation-de-donnees","tag-vulnerabilite-logicielle"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/564796","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=564796"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/564796\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/564797"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=564796"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=564796"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=564796"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}