"Fossies" - the Fresh Open Source Software Archive

Member "incubator-pagespeed-mod-1.14.36.1/html/doc/announce-sec-update-201601.html" (28 Feb 2020, 4338 Bytes) of package /linux/www/apache_httpd_modules/incubator-pagespeed-mod-1.14.36.1.tar.gz:


Caution: In this restricted "Fossies" environment the current HTML page may not be correctly presentated and may have some non-functional links. You can here alternatively try to browse the pure source code or just view or download the uninterpreted raw source code. If the rendering is insufficient you may try to find and view the page on the incubator-pagespeed-mod-1.14.36.1.tar.gz project site itself.

January 2016 PageSpeed Security Update.

Overview

All released versions of PageSpeed are subject to HTTPS-fetching vulnerability, CVE-2016-2092. This permits a hostile third party who can man-in-the-middle the connection between PageSpeed and an HTTPS server to substitute arbitrary content in responses. This could allow the attacker to execute JavaScript in users' browsers in context of the domain running PageSpeed, which could permit theft of users' cookies or data on the site.

To be notified of further security updates subscribe to the announcements mailing list.

Affected versions

Affected configurations

Sites using the default configuration are not vulnerable, because by default PageSpeed will only use HTTPS to fetch from itself. To be vulnerable a site needs to have configured either:

Solution

You can resolve this problem by updating to the latest version of either stable or beta channels.

Upgrading to the latest version

The easiest way to resolve the vulnerability is to update to the latest versions on whatever channel (stable or beta) are you currently using.

If you installed the .rpm package, you can update with:

sudo yum update
sudo /etc/init.d/httpd restart

If you installed the .deb package, you can update with:

sudo apt-get update
sudo apt-get upgrade
sudo /etc/init.d/apache2 restart
It is also possible to build from source.

Package signing information

All of the packages above are signed with the Google Linux Package Signing Key, as described on http://www.google.com/linuxrepositories/

Workaround

If you are unable to upgrade to the new version, you can work around this vulnerability by either explicitly disabling fetching of resources over HTTPS or by removing the configuration directives that enable fetching over HTTPS from other hosts.