Announcing mod_pagespeed security release 1.9.32.4


Jeffrey Crowell

Jun 17, 2015, 2:43:29 PM
to mod-pagespe...@googlegroups.com

Release 1.9.32.4-stable/beta security release.


Release 1.9.32.4 fixes two security issues. It is otherwise identical to the previous release (1.9.32.3). We recommend that all users upgrade to receive these fixes.


In versions between 1.7 and 1.9.32.3,  PageSpeed was built with a version of OpenSSL that was vulnerable to the issues detailed in the June 11, 2015 security advisory (http://openssl.org/news/secadv_20150611.txt).  We have updated our crypto library to fix these issues. PageSpeed now builds with Google’s BoringSSL, an OpenSSL fork which includes this fix, and is expected to be more stable in future.

In versions between 1.8.31.2 and 1.9.32.3 it was possible to cause a crash by requesting JavaScript source maps when source mapping had been turned off.

We recommend that all users upgrade. If this is not possible, however, the following workarounds are available:

  • The OpenSSL vulnerability only applies if you have FetchHttps enabled and have configured PageSpeed to fetch HTTPS content over the open internet.  Disabling FetchHttps will prevent these crashes, but will also disable PageSpeed's optimizations for any content that must be fetched over HTTPS.

  • Set a “Request Option Override” token, and explicitly enable Include Javascript Source Maps. This makes it impossible for attackers to disable source maps and cause these crashes.

We expect to have a bug-fix release soon after this security release.

Installation Instructions (stable channel)

If you are currently on the stable channel, you should update via the usual method:

If you installed the .rpm package, update with:

sudo yum update mod-pagespeed-stable

sudo /etc/init.d/httpd restart


If you installed the .deb package, update with:

sudo apt-get update

sudo apt-get upgrade

sudo /etc/init.d/apache2 restart


If you are currently on the beta channel and would like to switch to the stable channel, you must first uninstall mod_pagespeed and then install the stable package from: https://developers.google.com/speed/docs/mod_pagespeed/download

Instructions for building from source are available at: https://developers.google.com/speed/pagespeed/module/build_mod_pagespeed_from_source

Installation Instructions (beta channel)

If you are currently on the beta channel, you should update via the usual method:

If you installed the .rpm package, update with:

sudo yum update mod-pagespeed-beta

sudo /etc/init.d/httpd restart


If you installed the .deb package, update with:

sudo apt-get update

sudo apt-get upgrade

sudo /etc/init.d/apache2 restart


If you are currently on the stable channel and would like to switch to the beta channel, you must first uninstall mod_pagespeed and then install the beta package from: https://developers.google.com/speed/docs/mod_pagespeed/download

Instructions for building from source are available at: https://developers.google.com/speed/pagespeed/module/build_mod_pagespeed_from_source

Issues Resolved since 1.9.32.3


Jeff Crowell

mod_pagespeed team

Google

Robert Munteanu

Jul 30, 2015, 5:48:30 AM
to mod-pagespeed-discuss, mod-pagespe...@googlegroups.com, jcro...@google.com
Hi,

Does the OpenSSL fix change anything when building against system libraries?

Thanks,

Robert

Jeff Kaufman

Jul 30, 2015, 7:13:29 AM
to mod-pagespeed-discuss, mod-pagespe...@googlegroups.com, Jeffrey Crowell
In 1.9.32.4 we switched from a dependency on OpenSSL to BoringSSL.  You should still be able to compile PSOL against OpenSSL, but as BoringSSL gets older its API may move away from OpenSSL's.  (Among other things, BoringSSL doesn't attempt binary compatibility between releases.)

(In direct answer to your question: that's something we didn't test but should have -- it's something we want to keep working.)


Jeffrey Crowell

Jul 30, 2015, 10:37:45 AM
to Jeff Kaufman, mod-pagespeed-discuss, mod-pagespe...@googlegroups.com
before releasing, we run the generate.sh script and build/test the unit tests.

generate.sh builds with use_system_libs=1, so at least building, running mod_pagespeed_test, and running pagespeed_automatic_test are tested.

The code uses #ifdef OPENSSL_IS_BORINGSSL in places where behavior between the two differ. If you do come across any issues, please let us know.

Robert Munteanu

Jul 31, 2015, 10:58:14 AM
to mod-pagespeed-discuss, Jeff Kaufman
On Thu, Jul 30, 2015 at 5:37 PM, 'Jeffrey Crowell' via
mod-pagespeed-discuss <mod-pagesp...@googlegroups.com> wrote:
> before releasing, we run the generate.sh script and build/test the unit
> tests.
>
> generate.sh builds with use_system_libs=1, so at least building, running
> mod_pagespeed_test, and running pagespeed_automatic_test are tested.
>
> The code uses #ifdef OPENSSL_IS_BORINGSSL in places where behavior between
> the two differ. If you do come across any issues, please let us know.

Good to know, thanks. I get a build error with 1.9.32.4 (1.9.32.3 would work):

[ 12s] + build/gyp_chromium -Duse_system_libs=1 -Duse_system_icu=1 -Dsystem_include_path_apr=/usr/include/apr-1 -Dsystem_include_path_httpd=/usr/include/apache2 -Dsystem_include_path_aprutil=/usr/include/apr-1
[ 12s] Updating projects from gyp files...
[ 15s] Running build/landmines.py...
(snip...)
[ 15s] + cd modpagespeed-1.9.32.4/src
[ 15s] + make -j8 BUILDTYPE=Release
(snip...)
[ 266s] SOLINK_MODULE(target) out/Release/obj.target/net/instaweb/libmod_pagespeed.so
[ 266s] LINK(target) out/Release/mod_pagespeed_test
[ 266s] LINK(target) out/Release/mod_pagespeed_speed_test
[ 267s] LINK(target) out/Release/pagespeed_automatic_test
[ 268s] SOLINK_MODULE(target) out/Release/obj.target/net/instaweb/libmod_pagespeed.so: Finished
[ 268s] COPY out/Release/libmod_pagespeed.so
[ 268s] TOUCH out/Release/obj.target/build/mod_pagespeed.stamp
[ 270s] out/Release/obj.target/third_party/serf/../../serf/third_party/serf/instaweb_ssl_buckets.o: In function `serf_bucket_ssl_create':
[ 270s] instaweb_ssl_buckets.c:(.text.serf_bucket_ssl_create+0x24e): undefined reference to `CRYPTO_set_mem_functions'
[ 270s] instaweb_ssl_buckets.c:(.text.serf_bucket_ssl_create+0x262): undefined reference to `OPENSSL_add_all_algorithms_conf'
[ 270s] collect2: error: ld returned 1 exit status
[ 270s] net/instaweb/mod_pagespeed_test.target.mk:416: recipe for target 'out/Release/mod_pagespeed_test' failed
[ 270s] make: *** [out/Release/mod_pagespeed_test] Error 1
[ 270s] make: *** Waiting for unfinished jobs....
[ 272s] LINK(target) out/Release/mod_pagespeed_speed_test: Finished
[ 280s] LINK(target) out/Release/pagespeed_automatic_test: Finished
[ 280s] error: Bad exit status from /var/tmp/rpm-tmp.vOgXtQ (%build)
[ 280s]
[ 280s]
[ 280s] RPM build errors:
[ 280s] Bad exit status from /var/tmp/rpm-tmp.vOgXtQ (%build)

Does that ring any bells?

Thanks,

Robert



--
http://robert.muntea.nu/

Jeffrey Crowell

Jul 31, 2015, 11:10:23 AM
to mod-pagespeed-discuss, Jeff Kaufman
can't say that looks familiar to me.

I just tested building like this, which works for me on Ubuntu.

Ubuntu ships OpenSSL 1.0.1f; is it possible that openSUSE is using an incompatible SSL implementation?

What is the script that you're using to build?

jcrowell0 modpagespeed-1.9.32.4/src » build/gyp_chromium -Duse_system_libs=1
Updating projects from gyp files...
Running build/landmines.py...
jcrowell0 modpagespeed-1.9.32.4/src » make -j8 BUILDTYPE=Release
<snip>
  SOLINK_MODULE(target) out/Release/obj.target/net/instaweb/libmod_pagespeed.so
  LINK(target) out/Release/mod_pagespeed_test
  LINK(target) out/Release/mod_pagespeed_speed_test
  SOLINK_MODULE(target) out/Release/obj.target/net/instaweb/libmod_pagespeed.so: Finished
  COPY out/Release/libmod_pagespeed.so
  TOUCH out/Release/obj.target/build/mod_pagespeed.stamp
  LINK(target) out/Release/pagespeed_automatic_test
  LINK(target) out/Release/mod_pagespeed_test: Finished
  LINK(target) out/Release/mod_pagespeed_speed_test: Finished
  TOUCH out/Release/obj.target/build/test.stamp
  LINK(target) out/Release/pagespeed_automatic_test: Finished
  TOUCH out/Release/obj.target/build/pagespeed_automatic.stamp
  TOUCH out/Release/obj.target/build/All.stamp




Robert Munteanu

Jul 31, 2015, 11:19:50 AM
to mod-pagespeed-discuss, Jeff Kaufman
On Fri, Jul 31, 2015 at 6:10 PM, 'Jeffrey Crowell' via
mod-pagespeed-discuss <mod-pagesp...@googlegroups.com> wrote:
> can't say that looks familiar to me.
>
> I just tested building like this, which works for me on ubuntu.
>
> Ubuntu ships OpenSSL 1.0.1f, is it possible that OpenSuSE is using an
> incompatible SSL implementation?

$ openssl version
OpenSSL 1.0.2d-fips 9 Jul 2015


> What is the script that you're using to build?

The complete specfile ( for the .3 version ) is at

https://build.opensuse.org/package/view_file/Apache:Modules/apache2-mod_pagespeed/apache2-mod_pagespeed.spec?expand=1

but the relevant stuff is

%prep
%setup -q -n modpagespeed-%{version}/src
%patch2
build/gyp_chromium -Duse_system_libs=%{use_system_libs} -Duse_system_icu=%{use_system_icu} -Dsystem_include_path_apr=${BUILD_ROOT}%{_includedir}/apr-1 -Dsystem_include_path_httpd=${BUILD_ROOT}%{apache_includedir} -Dsystem_include_path_aprutil=${BUILD_ROOT}%{_includedir}/apr-1
%patch1

%build
make %{?_smp_mflags} BUILDTYPE=Release

Thanks,

Robert
--
http://robert.muntea.nu/

Jeffrey Crowell

Jul 31, 2015, 1:52:19 PM
to mod-pagespeed-discuss, Jeff Kaufman
Robert, I just spun up a vm on ec2 of SuSE 12, which I built with the following command to generate the Makefile

./build/gyp_chromium -Duse_system_libs=1 -Dsystem_include_path_apr=/usr/include/apr-1

$ cat /etc/SuSE-release
SUSE Linux Enterprise Server 12 (x86_64)
VERSION = 12
PATCHLEVEL = 0
# This file is deprecated and will be removed in a future service pack or release.
# Please check /etc/os-release for details about this release.

As you can see, it's successfully linked against the system crypto libraries.

$ ldd out/Debug/libmod_pagespeed.so 
        linux-vdso.so.1 (0x00007fffe71fe000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007ff7edcf0000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007ff7edaec000)
        libicui18n.so.52.1 => /usr/lib64/libicui18n.so.52.1 (0x00007ff7ed6d7000)
        libicuuc.so.52.1 => /usr/lib64/libicuuc.so.52.1 (0x00007ff7ed358000)
        libicudata.so.52.1 => /usr/lib64/libicudata.so.52.1 (0x00007ff7ed157000)
        libm.so.6 => /lib64/libm.so.6 (0x00007ff7ece55000)
        librt.so.1 => /lib64/librt.so.1 (0x00007ff7ecc4d000)
        libssl.so.1.0.0 => /lib64/libssl.so.1.0.0 (0x00007ff7ec9e5000)
        libcrypto.so.1.0.0 => /lib64/libcrypto.so.1.0.0 (0x00007ff7ec5f1000)
        libz.so.1 => /lib64/libz.so.1 (0x00007ff7ec3db000)
        libpng12.so.0 => /usr/lib64/libpng12.so.0 (0x00007ff7ec1b0000)
        libjpeg.so.8 => /usr/lib64/libjpeg.so.8 (0x00007ff7ebf5a000)
        libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00007ff7ebc52000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007ff7eba3b000)
        libc.so.6 => /lib64/libc.so.6 (0x00007ff7eb692000)
        /lib64/ld-linux-x86-64.so.2 (0x00007ff7eec17000)

Let me know if there's anything else that I can do to help you debug this!

Jeff



Jeffrey Crowell

Jul 31, 2015, 1:58:33 PM
to mod-pagespeed-discuss, Jeff Kaufman
this is also running OpenSSL 1.0.1i-fips 6 Aug 2014.

I'm not very familiar with SuSE, so I'm not sure what version comes with 1.0.2 (tumbleweed, 13, others?), but I wouldn't imagine that 1.0.2 has any breaking change there (the functions are still there that it's complaining about).

Robert Munteanu

Jul 31, 2015, 4:16:47 PM
to mod-pagespeed-discuss, Jeff Kaufman
On Fri, Jul 31, 2015 at 8:58 PM, 'Jeffrey Crowell' via
mod-pagespeed-discuss <mod-pagesp...@googlegroups.com> wrote:
> this is also running OpenSSL 1.0.1i-fips 6 Aug 2014.
>
> I'm not very familiar with SuSE, so I'm not sure what version comes with
> 1.0.2 (tumbleweed, 13, others?), but I wouldn't imagine that 1.0.2 has any
> breaking change there (the functions are still there that it's complaining
> about).

Argh, I should've been more precise :-) In the openSUSE open build service instance we build this module for SLE 11 SP3, 12 and openSUSE 12.3, 13.1, 13.2 and Tumbleweed (for all practical purposes Factory is the same as Tumbleweed so I'll just ignore it). In my branch I have committed the latest version of the mod_pagespeed [1] and I can see that openSUSE 12.x, 13.x and SLE 12 build just fine (ignore SLE 11 SP3, it's too old).

Tumbleweed is the only one that fails (logs for i586 build [2], logs for x86_64 [3]).

For TW one difference is the openssl version. Another one is gcc; it's running gcc 5.1.1 at the moment, and 13.2 for instance uses gcc 4.8.

Thanks,

Robert

[1]: https://build.opensuse.org/package/show/home:robert_munteanu:branches:Apache:Modules/apache2-mod_pagespeed
[2]: https://build.opensuse.org/package/live_build_log/home:robert_munteanu:branches:Apache:Modules/apache2-mod_pagespeed/openSUSE_Tumbleweed/i586
[3]: https://build.opensuse.org/package/live_build_log/home:robert_munteanu:branches:Apache:Modules/apache2-mod_pagespeed/openSUSE_Tumbleweed/x86_64



--
http://robert.muntea.nu/

Jeffrey Crowell

Jul 31, 2015, 5:08:14 PM
to mod-pagespeed-discuss, Jeff Kaufman
I think it probably has to do with running pkg-config against libssl instead of openssl. 

Just verifying something quickly first.

on suse tumbleweed

$ pkg-config --libs libssl
-lssl 
$ pkg-config --libs openssl
-lssl -lcrypto 

and on ubuntu 14.04

$ pkg-config --libs libssl
-lssl -lcrypto  
$ pkg-config --libs openssl
-lssl -lcrypto

I'll work on a patch for you.

Jeff
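An added check for the diagnosis in this message (example code, not mod_pagespeed's own build scripts or the gist patch): it pulls the unresolved libcrypto symbols out of a linker log like Robert's, then picks link flags that really include -lcrypto, preferring the `openssl` pkg-config module over `libssl` as Jeff describes. The symbol-prefix list, the function names and the log excerpt are constructed for the example.

```shell
#!/bin/sh
# Added example, not mod_pagespeed's own build code: two checks for the
# link failure above, where `pkg-config --libs libssl` on Tumbleweed
# returned only -lssl and libcrypto symbols stayed unresolved.

# undefined_crypto_syms LOG
#   Print, one per line, the undefined symbols in a linker log that live in
#   libcrypto's namespace (CRYPTO_*, OPENSSL_*, EVP_*, RAND_*, BIO_*, X509_*).
undefined_crypto_syms() {
    printf '%s\n' "$1" \
      | sed -n 's/.*undefined reference to .\([A-Za-z0-9_]*\)..*/\1/p' \
      | grep -E '^(CRYPTO|OPENSSL|EVP|RAND|BIO|X509)_' || true
}

# ssl_link_flags LIBSSL_FLAGS OPENSSL_FLAGS
#   Given the output of `pkg-config --libs libssl` and `pkg-config --libs
#   openssl`, return a flag set that is guaranteed to pull in libcrypto:
#   prefer whichever module already lists it, else append it explicitly.
ssl_link_flags() {
    for flags in "$1" "$2"; do
        case " $flags " in
            *" -lcrypto "*)
                set -- $flags            # re-split to drop stray whitespace
                printf '%s\n' "$*"; return 0 ;;
        esac
    done
    set -- $1 -lcrypto
    printf '%s\n' "$*"
}

# Same decision made against the host's real pkg-config (needs pkg-config).
system_ssl_link_flags() {
    ssl_link_flags "$(pkg-config --libs libssl 2>/dev/null)" \
                   "$(pkg-config --libs openssl 2>/dev/null)"
}

# Constructed excerpt modelled on the Tumbleweed build log in the thread.
SAMPLE_LOG=$(cat <<'EOF'
[ 270s] instaweb_ssl_buckets.c:(.text.serf_bucket_ssl_create+0x24e): undefined reference to `CRYPTO_set_mem_functions'
[ 270s] instaweb_ssl_buckets.c:(.text.serf_bucket_ssl_create+0x262): undefined reference to `OPENSSL_add_all_algorithms_conf'
[ 270s] collect2: error: ld returned 1 exit status
EOF
)

# Demo: name the unresolved libcrypto symbols and the corrected link line,
# using the two pkg-config outputs quoted above for Tumbleweed.
syms=$(undefined_crypto_syms "$SAMPLE_LOG")
if [ -n "$syms" ]; then
    echo "unresolved libcrypto symbols:"
    echo "$syms"
    echo "link with: $(ssl_link_flags '-lssl' '-lssl -lcrypto')"
fi
```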



Jeffrey Crowell

Jul 31, 2015, 5:13:23 PM
to mod-pagespeed-discuss, Jeff Kaufman
Robert,

Try out this patch, I'll make sure to include this on the next release if it works for you.

Jeff

Jeffrey Crowell

Jul 31, 2015, 5:13:40 PM
to mod-pagespeed-discuss

Robert Munteanu

Aug 1, 2015, 12:33:09 AM
to mod-pagespeed-discuss


On Sat, Aug 1, 2015 at 12:13 AM, 'Jeffrey Crowell' via mod-pagespeed-discuss <mod-pagesp...@googlegroups.com> wrote:
> https://gist.github.com/crowell/c9608c9265b040cb8deb
>
> and of course the patch ^^

That works perfectly! The package builds for Tumbleweed as well, thanks a lot for the patch.

Robert

--
http://robert.muntea.nu/

Jeffrey Crowell

Aug 3, 2015, 11:02:18 AM
to mod-pagespeed-discuss
issue here, with links to fixes on master and branch 32 (the 1.9.32.x release branch).

The next releases (stable/beta) will include the patch.

Thanks for reporting.


Robert Munteanu

Aug 4, 2015, 10:10:21 AM
to mod-pagespeed-discuss
For reference, (I assume that) the issue is

https://github.com/pagespeed/mod_pagespeed/issues/1117

Thanks again,

Robert




--
http://robert.muntea.nu/

Jeffrey Crowell

Aug 4, 2015, 10:30:20 AM
to mod-pagespeed-discuss