Announcing PageSpeed Security release 1.11.33.2


Jeffrey Crowell

May 12, 2016, 1:12:38 PM
to mod-pagespe...@googlegroups.com

Release 1.11.33.2 fixes a security issue. It is otherwise identical to the previous release (1.11.33.1). We recommend that all users upgrade to receive these fixes.


In versions between 1.7 and 1.11.33.1, PageSpeed was built with an SSL library that was vulnerable to the issues detailed in the May 3, 2016 security advisory (https://www.openssl.org/news/secadv/20160503.txt). We have updated our crypto library to fix these issues.

We recommend that all users upgrade. If this is not possible, however, the following workaround is available:

  • The OpenSSL vulnerability only applies if you have FetchHttps enabled and have configured PageSpeed to fetch HTTPS content over the open internet. Disabling FetchHttps will prevent these issues, but will also disable PageSpeed's optimizations for any content that must be fetched over HTTPS.


Installation Instructions (stable channel)

If you are currently on the stable channel, you should update via the usual method:

If you installed the .rpm package, update with:

sudo yum update mod-pagespeed-stable

sudo /etc/init.d/httpd restart


If you installed the .deb package, update with:

sudo apt-get update

sudo apt-get upgrade

sudo /etc/init.d/apache2 restart


If you are currently on the beta channel and would like to switch to the stable channel, you must first uninstall mod_pagespeed and then install the stable package from: https://developers.google.com/speed/docs/mod_pagespeed/download

Instructions for building from source are available at: https://developers.google.com/speed/pagespeed/module/build_mod_pagespeed_from_source

Installation Instructions (beta channel)

If you are currently on the beta channel, you should update via the usual method:

If you installed the .rpm package, update with:

sudo yum update mod-pagespeed-beta

sudo /etc/init.d/httpd restart


If you installed the .deb package, update with:

sudo apt-get update

sudo apt-get upgrade

sudo /etc/init.d/apache2 restart


If you are currently on the stable channel and would like to switch to the beta channel, you must first uninstall mod_pagespeed and then install the beta package from: https://developers.google.com/speed/docs/mod_pagespeed/download

Instructions for building from source are available at: https://developers.google.com/speed/pagespeed/module/build_mod_pagespeed_from_source

Issues Resolved since 1.11.33.1



Jeff Crowell

mod_pagespeed team

Google
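
A triage check for the version range and workaround described in the announcement above, as an added example that is not part of the original post or of PageSpeed's own tooling. It assumes the affected range is inclusive at both ends and that the setting appears as `ModPagespeedFetchHttps <value>` (Apache) or `pagespeed FetchHttps <value>;` (nginx) with `disable` as the off value; the function names and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added triage example; not part of the PageSpeed release or its tooling.

# version_le A B: succeed when dotted version A <= B (numeric, field by field).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# is_affected VERSION: range from the announcement, read as inclusive
# (assumption). A package suffix such as "-0" is dropped first.
is_affected() {
    v=${1%%-*}
    version_le 1.7 "$v" && version_le "$v" 1.11.33.1
}

# fetch_https_setting FILE: last explicit FetchHttps value, or "unset".
# Directive spellings (Apache and nginx forms) are assumptions from the
# PageSpeed docs, not from the announcement.
fetch_https_setting() {
    awk '
        /^[[:space:]]*#/ { next }
        { for (i = 1; i < NF; i++)
              if ($i == "ModPagespeedFetchHttps" || $i == "FetchHttps") {
                  v = $(i + 1); sub(/;$/, "", v)
              } }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# triage VERSION FILE: "unset" is treated as not mitigated, because the
# build default then applies and this script does not know it.
triage() {
    if ! is_affected "$1"; then echo "not-affected"
    elif [ "$(fetch_https_setting "$2")" = "disable" ]; then
        echo "affected-workaround-applied"
    else echo "affected-upgrade-needed"
    fi
}

# Constructed sample config, for demonstration only.
conf=$(mktemp)
printf 'ModPagespeed on\n# ModPagespeedFetchHttps disable\nModPagespeedFetchHttps enable\n' > "$conf"
triage 1.11.33.1 "$conf"
rm -f "$conf"
```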

