> Two weeks ago, an interesting commit appeared in the GnuTLS repository.
This statement gives the impression that the code was quietly fixed without disclosing the vulnerability. In reality, the fix was done on 5/23, but it was not rebased and committed to the public repo until the bug was formally announced and the updated releases were ready:
commit 688ea6428a432c39203d00acd1af0e7684e5ddfd
Author: Nikos Mavrogiannopoulos <nmav@gnutls.org>
AuthorDate: Fri May 23 19:50:31 2014 +0200
Commit: Nikos Mavrogiannopoulos <nmav@gnutls.org>
CommitDate: Thu May 29 19:00:01 2014 +0200
Prevent memory corruption due to server hello parsing.
5 comments
[ 4.2 ms ] story [ 19.1 ms ] threadFantastic work, even if (s)he didn't find the vulnerability her-/himself.
This statement gives the impression that the code was quietly fixed without disclosing the vulnerability. In reality, the fix was done on 5/23, but it was not rebased and committed to the public repo until the bug was formally announced and the updated releases were ready: