ngx_pagespeed security update release 1.8.31.4-beta

Jeffrey Crowell

unread,

Jun 17, 2014, 4:51:56 PM6/17/14

to ngx-pagesp...@googlegroups.com

ngx_pagespeed version 1.8.31.4-beta fixes a major security vulnerability in HTTPS fetching. All versions of ngx_pagespeed since 1.8.31.2-beta are affected. The vulnerability only affects users that have enabled the FetchHttps feature; users that have not explicitly enabled FetchHttps are not affected.

All users running a vulnerable version of PageSpeed with FetchHttps enabled should update their pagespeed packages.

A vulnerability was found in the version of OpenSSL used by PageSpeed. CVE-2014-0224 ( http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 ) which allowed a malicious user to perform a man-in-the middle attack on encrypted traffic.

The previous release of ngx_pagespeed (1.8.31-3-beta) used OpenSSL 1.0.1 and is impacted by CVE-2014-0224. Latest version 1.8.31.4-beta uses a version of OpenSSL in which the vulnerability has been fixed.

Upgrade instructions:

Follow the installation instructions here: https://github.com/pagespeed/ngx_pagespeed#readme

Matthew Jacobi

unread,

Jun 18, 2014, 5:45:16 AM6/18/14

to ngx-pagesp...@googlegroups.com, ngx-pagesp...@googlegroups.com

Readme still references v1.8.31.3-beta shouldn't that be v1.8.31.4-beta?

Jeff Kaufman

unread,

Jun 18, 2014, 8:45:51 AM6/18/14

to ngx-pagesp...@googlegroups.com

Fixed; thanks!

> --
> You received this message because you are subscribed to the Google Groups
> "ngx-pagespeed-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ngx-pagespeed-di...@googlegroups.com.
> Visit this group at http://groups.google.com/group/ngx-pagespeed-discuss.
> For more options, visit https://groups.google.com/d/optout.

joostv...@gmail.com

unread,

Jun 18, 2014, 9:42:32 AM6/18/14

to ngx-pagesp...@googlegroups.com

It seems to be not fixed.
Can't download v1.8.31.4-beta.zip and 1.8.31.4.tar.gz via error: Not Found
Please fix.

Thanks,

Op woensdag 18 juni 2014 14:45:51 UTC+2 schreef Jeff Kaufman:

> email to ngx-pagespeed-discuss+unsub...@googlegroups.com.

Jeff Kaufman

unread,

Jun 18, 2014, 10:22:03 AM6/18/14

to ngx-pagesp...@googlegroups.com

Sorry, now it's really fixed.

(Neither the PSOL binaries nor the release code were properly serving,
now they are.)

>> > email to ngx-pagespeed-di...@googlegroups.com.

>> > Visit this group at
>> > http://groups.google.com/group/ngx-pagespeed-discuss.
>> > For more options, visit https://groups.google.com/d/optout.
>

> --
> You received this message because you are subscribed to the Google Groups
> "ngx-pagespeed-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an

> email to ngx-pagespeed-di...@googlegroups.com.

Reply all

Reply to author

Forward