

Technical Analysis Of The GnuTLS Hello Vulnerability - xvilka
http://radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/

======
ElliotRodger
> Two weeks ago, an interesting commit appeared in the GnuTLS repository.

This statement gives the impression that the code was quietly fixed without
disclosing the vulnerability. In reality, the fix was done on 5/23, but it was
not rebased and committed to the public repo until the bug was formally
announced and the updated releases were ready:

    
    
    commit 688ea6428a432c39203d00acd1af0e7684e5ddfd
    Author:     Nikos Mavrogiannopoulos <nmav@gnutls.org>
    AuthorDate: Fri May 23 19:50:31 2014 +0200
    Commit:     Nikos Mavrogiannopoulos <nmav@gnutls.org>
    CommitDate: Thu May 29 19:00:01 2014 +0200

    Prevent memory corruption due to server hello parsing.

~~~
kcbanner
Thanks for the clarification, I was wondering about this!

------
jmgrosen
I hope to someday reach the level of expertise the author of this post has...
for now, though, I think I'll stick to playing CTFs.

Fantastic work, even if (s)he didn't find the vulnerability her-/himself.

------
gwern
404 not found now?

------
jvoisin
Awesome!

