"Fossies" - the Fresh Open Source Software Archive

Member "incubator-pagespeed-mod-1.14.36.1/html/doc/announce-sec-update-201603.html" (28 Feb 2020, 5327 Bytes) of package /linux/www/apache_httpd_modules/incubator-pagespeed-mod-1.14.36.1.tar.gz:



March 2016 PageSpeed Security Update.

Overview

All previously released versions of PageSpeed are vulnerable to CVE-2016-3626. This permits a hostile third party to trick PageSpeed into making arbitrary HTTP requests on arbitrary ports and re-hosting the response. If the machine running PageSpeed has access to services that are not otherwise available, this can reveal those resources. Additionally, this can be exploited for cross-site scripting.

Users are strongly encouraged to update immediately.

To be notified of further security updates subscribe to the announcements mailing list.

Affected versions

Affected configurations

All configurations are affected.

Solution

You can resolve this problem by updating to the latest version on either the stable or the beta channel. If that is not possible, a workaround is available.

Upgrading to the latest version

If you installed the .rpm package, you can update with:

sudo yum update
sudo /etc/init.d/httpd restart

If you installed the .deb package, you can update with:

sudo apt-get update
sudo apt-get upgrade
sudo /etc/init.d/apache2 restart

It is also possible to build from source.

Package signing information

All of the packages above are signed with the Google Linux Package Signing Key, as described on http://www.google.com/linuxrepositories/

Workaround

You can work around this issue by making two changes to your server configuration: