"Fossies" - the Fresh Open Source Software Archive

Member "incubator-pagespeed-mod-1.14.36.1/html/doc/openssl-1.0.1h-fixes.html" (28 Feb 2020, 2762 Bytes) of package /linux/www/apache_httpd_modules/incubator-pagespeed-mod-1.14.36.1.tar.gz:


mod_pagespeed and ngx_pagespeed Security Advisory: SSL fetching man-in-the-middle attack.

Disclosed:

June 17th, 2014

Versions Affected:
  • mod_pagespeed 1.7.30.1 through 1.7.30.4 (fixed in 1.7.30.5)
  • mod_pagespeed and ngx_pagespeed 1.8.31.1 through 1.8.31.3 (fixed in 1.8.31.4)

Summary:

To support fetching of HTTPS content, some versions of mod_pagespeed and ngx_pagespeed link in versions of OpenSSL that are vulnerable to a man-in-the-middle attack. The attack lets an adversary who can monitor and alter traffic between a client (mod_pagespeed or ngx_pagespeed in this case) and a server decrypt and modify encrypted transfers, as long as both the client and the server are running vulnerable versions of OpenSSL (see CVE-2014-0224 for more detail).

mod_pagespeed and ngx_pagespeed users are vulnerable only if they turn on the optional FetchHttps feature.

Solution:

For mod_pagespeed, update to one of versions 1.7.30.5-stable, 1.8.31.4-beta or newer.

For ngx_pagespeed, update to 1.8.31.4-beta or newer.

Workaround:

Use a method other than FetchHttps to fetch HTTPS content, as described in the HTTP Support documentation.
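
The two conditions in this advisory (an affected release and FetchHttps turned on) can be checked together. The following is an added example, not code from the PageSpeed project: the function names and the sample configuration are constructed for illustration, and it assumes the directive spellings `ModPagespeedFetchHttps <value>` (Apache) and `pagespeed FetchHttps <value>;` (nginx), that the last uncommented directive in the text wins, and that an absent directive means the optional feature is off.

```python
import re

# Affected ranges copied from the advisory: (first affected, last affected, fixed in).
AFFECTED = [
    ((1, 7, 30, 1), (1, 7, 30, 4), "1.7.30.5"),
    ((1, 8, 31, 1), (1, 8, 31, 3), "1.8.31.4"),
]

# Assumed directive syntax for Apache and nginx; commented-out lines do not match.
FETCH_HTTPS = re.compile(
    r"^\s*(?:ModPagespeedFetchHttps|pagespeed\s+FetchHttps)\s+([^\s;#]+)",
    re.IGNORECASE | re.MULTILINE)

def parse_version(text):
    """Turn '1.8.31.2-beta' into (1, 8, 31, 2); the channel suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a pagespeed version: {text!r}")
    return tuple(int(p) for p in m.groups())

def fixed_in(version):
    """Return the fixed release if `version` is in an affected range, else None."""
    v = parse_version(version)
    for first, last, fix in AFFECTED:
        if first <= v <= last:
            return fix
    return None

def fetch_https_enabled(config_text):
    """True if the last uncommented FetchHttps directive does not disable it."""
    values = FETCH_HTTPS.findall(config_text)
    return bool(values) and not values[-1].lower().startswith("disable")

def assess(version, config_text):
    """Combine both conditions into a one-line verdict for an inventory report."""
    fix = fixed_in(version)
    if fix is None:
        return "not affected"
    if not fetch_https_enabled(config_text):
        return f"affected build, FetchHttps off: update to {fix} or newer"
    return f"EXPOSED: FetchHttps on, update to {fix} or newer"

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_NGINX = """
pagespeed on;
# pagespeed FetchHttps disable;
pagespeed FetchHttps enable;
"""

if __name__ == "__main__":
    print(assess("1.8.31.2-beta", SAMPLE_NGINX))
```

The check reads one flat block of configuration text; directives overridden inside virtual hosts or location blocks need to be assessed per scope.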