"Fossies" - the Fresh Open Source Software Archive

Member "incubator-pagespeed-mod-1.14.36.1/html/doc/CVE-2012-4001.html" (28 Feb 2020, 2368 Bytes) of package /linux/www/apache_httpd_modules/incubator-pagespeed-mod-1.14.36.1.tar.gz:



mod_pagespeed Security Advisory: Insufficient Hostname Verification

CVE Identifier:
CVE-2012-4001
Disclosed:
September 12, 2012
Versions Affected:
All versions of mod_pagespeed up to and including 0.10.22.4.
Summary:
mod_pagespeed performs insufficient verification of its own host name, which makes it possible to trick it into doing HTTP fetches and resource processing from arbitrary host names, including potentially bypassing firewalls.
Solution:
mod_pagespeed 0.10.22.6 has been released with a fix.
Workaround:
If you are unable to upgrade to the new version, you can avoid this issue by changing your Apache httpd configuration. Give any virtual host that enables mod_pagespeed (and the global configuration, if it also enables mod_pagespeed) an accurate explicit ServerName, and set the options UseCanonicalName and UseCanonicalPhysicalPort to On in each. Please be aware, however, that depending on the version, CVE-2012-4360 may also apply.
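As an added example (not part of the advisory or of mod_pagespeed), the following script checks an httpd configuration for the workaround above: every scope that sets `ModPagespeed on` must carry an explicit ServerName plus UseCanonicalName On and UseCanonicalPhysicalPort On. It assumes a single configuration text; it does not follow Include directives or model directive inheritance, and the sample configuration and its host names are constructed.

```python
import re

# Constructed sample httpd configuration (not taken from the advisory).
SAMPLE_CONF = """\
ServerName www.example.com
UseCanonicalName On
UseCanonicalPhysicalPort On
ModPagespeed on

<VirtualHost *:80>
    ServerName shop.example.com
    UseCanonicalName Off
    ModPagespeed on
</VirtualHost>

<VirtualHost *:8080>
    ServerName static.example.com
    UseCanonicalName On
    UseCanonicalPhysicalPort On
    ModPagespeed on
</VirtualHost>
"""

def audit(conf_text):
    """Return [(scope, [missing settings])] for scopes that set 'ModPagespeed on'."""
    scopes = [("global", {})]
    current = scopes[0][1]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # httpd comments are whole lines
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:                                # start a new per-vhost scope
            current = {}
            scopes.append(("VirtualHost " + opened.group(1).strip(), current))
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            current = scopes[0][1]                # back to the global scope
        else:                                     # directive names are case-insensitive
            name, value = (line.split(None, 1) + [""])[:2]
            current[name.lower()] = value.strip().strip('"').lower()
    findings = []
    for scope, d in scopes:
        if d.get("modpagespeed") != "on":
            continue                              # only scopes that enable the module
        missing = [] if d.get("servername") else ["ServerName"]
        missing += [f"{k} On" for k in ("UseCanonicalName", "UseCanonicalPhysicalPort")
                    if d.get(k.lower()) != "on"]
        if missing:
            findings.append((scope, missing))
    return findings

if __name__ == "__main__":
    for scope, missing in audit(SAMPLE_CONF):
        print(f"{scope}: missing {', '.join(missing)}")
```

An empty result means every scope that explicitly enables the module has the three settings; it says nothing about whether the ServerName values are accurate, which the advisory also requires.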