Announcing ngx_pagespeed security release 1.11.33.2


Jeffrey Crowell

May 12, 2016, 1:25:33 PM
to ngx-pagespe...@googlegroups.com

Release 1.11.33.2-beta security release.


Release 1.11.33.2 fixes one security issue. It is otherwise identical to the previous release (1.11.33.1). We recommend that all users upgrade to receive these fixes.


In versions between 1.8.31.2 and 1.11.33.1, PageSpeed was built with an SSL library that was vulnerable to the issues detailed in the May 3, 2016 security advisory (https://www.openssl.org/news/secadv/20160503.txt). We have updated our crypto library to fix these issues.


We recommend that all users upgrade. If this is not possible, however, the following workaround is available:

  • The OpenSSL vulnerability only applies if you have FetchHttps enabled and have configured PageSpeed to fetch HTTPS content over the open internet. Disabling FetchHttps will prevent these issues, but will also disable PageSpeed's optimizations for any content that must be fetched over HTTPS.

Issues Resolved since 1.11.33.1


Installation Instructions

To install this update, see: https://developers.google.com/speed/pagespeed/module/build_ngx_pagespeed_from_source

The installation process remains the same, even if you've already installed a previous version.


Jeff Crowell

PageSpeed Team

Google
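
An added example, not part of the original announcement or PageSpeed's own code: a Python check of whether a given ngx_pagespeed version falls in the affected range and whether the FetchHttps workaround is in place in an nginx config. It assumes the range is inclusive, that the workaround is written `pagespeed FetchHttps disable;`, and that an unset directive counts as not mitigated; the function names and sample config are constructed.

```python
import re

# Affected range from the announcement, treated as inclusive (assumption).
FIRST_AFFECTED = (1, 8, 31, 2)
LAST_AFFECTED = (1, 11, 33, 1)

# Constructed nginx config for the demo, not taken from a real deployment.
SAMPLE_CONF = """
pagespeed on;
# pagespeed FetchHttps enable;   (commented out, must be ignored)
pagespeed FetchHttps disable;
"""

def parse_version(text):
    """Turn '1.11.33.1-beta' into a comparable tuple of four ints."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"not a PageSpeed version: {text!r}")
    return tuple(int(g) for g in m.groups())

def is_affected(version_text):
    return FIRST_AFFECTED <= parse_version(version_text) <= LAST_AFFECTED

def fetch_https_settings(nginx_conf):
    """Return each FetchHttps value set in the config text, skipping comments."""
    values = []
    for line in nginx_conf.splitlines():
        line = line.split("#", 1)[0]
        m = re.search(r"\bpagespeed\s+FetchHttps\s+([^;]+);", line, re.IGNORECASE)
        if m:
            values.append(m.group(1).strip().strip("\"'").lower())
    return values

def assess(version_text, nginx_conf):
    """Classify a host as not-affected, workaround-applied, or needs-action."""
    if not is_affected(version_text):
        return "not-affected"
    settings = fetch_https_settings(nginx_conf)
    # Unset is treated as unmitigated: the page does not state the default.
    if settings and all(v == "disable" for v in settings):
        return "workaround-applied"
    return "needs-action"

if __name__ == "__main__":
    for version in ("1.11.33.1", "1.11.33.2"):
        print(version, assess(version, SAMPLE_CONF))
```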


