Release 1.11.33.2 fixes a security issue. It is otherwise identical to the previous release (1.11.33.1). We recommend that all users upgrade to receive these fixes.
In versions between 1.7 and 1.11.33.1, PageSpeed was built with an SSL library that was vulnerable to the issues detailed in the May 3, 2016 security advisory ( https://www.openssl.org/news/secadv/20160503.txt ). We have updated our crypto library to fix these issues.
We recommend that all users upgrade. If this is not possible, however, the following workaround is available:
The OpenSSL vulnerability only applies if you have FetchHttps enabled and have configured PageSpeed to fetch HTTPS content over the open internet. Disabling FetchHttps will prevent these issues, but will also disable PageSpeed's optimizations for any content that must be fetched over HTTPS.
If you are currently on the stable channel, you should update via the usual method:
If you installed the .rpm package, update with:
sudo yum update mod-pagespeed-stable
sudo /etc/init.d/httpd restart
If you installed the .deb package, update with:
sudo apt-get update
sudo apt-get upgrade
sudo /etc/init.d/apache2 restart
If you are currently on the beta channel and would like to switch to the stable channel, you must first uninstall mod_pagespeed and then install the stable package from: https://developers.google.com/speed/docs/mod_pagespeed/download
Instructions for building from source are available at: https://developers.google.com/speed/pagespeed/module/build_mod_pagespeed_from_source
If you are currently on the beta channel, you should update via the usual method:
If you installed the .rpm package, update with:
sudo yum update mod-pagespeed-beta
sudo /etc/init.d/httpd restart
If you installed the .deb package, update with:
sudo apt-get update
sudo apt-get upgrade
sudo /etc/init.d/apache2 restart
If you are currently on the stable channel and would like to switch to the beta channel, you must first uninstall mod_pagespeed and then install the beta package from: https://developers.google.com/speed/docs/mod_pagespeed/download
Instructions for building from source are available at: https://developers.google.com/speed/pagespeed/module/build_mod_pagespeed_from_source
https://www.openssl.org/news/secadv/20160503.txt Update BoringSSL to pull in OpenSSL changes.
Jeff Crowell
mod_pagespeed team