ngx_pagespeed version 1.8.31.4-beta fixes a major security vulnerability in HTTPS fetching. All versions of ngx_pagespeed since 1.8.31.2-beta are affected. The vulnerability only affects users that have enabled the FetchHttps feature; users that have not explicitly enabled FetchHttps are not affected.
All users running a vulnerable version of PageSpeed with FetchHttps enabled should update their pagespeed packages.
A vulnerability, CVE-2014-0224 ( http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224 ), was found in the version of OpenSSL used by PageSpeed. It allowed a malicious user to perform a man-in-the-middle attack on encrypted traffic.
The previous release of ngx_pagespeed (1.8.31.3-beta) used OpenSSL 1.0.1 and is impacted by CVE-2014-0224. The latest version, 1.8.31.4-beta, uses a version of OpenSSL in which the vulnerability has been fixed.
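The two conditions above (a version in the affected range and FetchHttps explicitly enabled) can be checked mechanically. The following is an added example, not code from the ngx_pagespeed project; it assumes the nginx directive form `pagespeed FetchHttps enable;` with optional comma-separated options, and the sample configuration is constructed.

```python
import re

# Affected range as stated in the announcement: from 1.8.31.2-beta up to,
# but not including, the fixed release 1.8.31.4-beta.
FIRST_AFFECTED = (1, 8, 31, 2)
FIXED = (1, 8, 31, 4)

# Assumed directive syntax: "pagespeed FetchHttps <opt>[,<opt>...];"
# Matched case-insensitively to stay on the conservative side.
_FETCH_HTTPS = re.compile(
    r"(?:^|[;{}])\s*pagespeed\s+FetchHttps\s+([^;]+);",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample configuration (not taken from a real deployment).
SAMPLE_CONF = """
server {
    pagespeed on;
    # pagespeed FetchHttps disable;
    pagespeed FetchHttps enable,allow_self_signed;
}
"""


def parse_version(text):
    """Turn '1.8.31.3-beta' into (1, 8, 31, 3); reject anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-\w+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def fetch_https_enabled(conf_text):
    """True if any active (uncommented) directive turns FetchHttps on.

    One enabling directive in any block counts, because a per-server
    setting is enough to expose that server's HTTPS fetches.
    """
    active = re.sub(r"#[^\n]*", "", conf_text)  # drop nginx comments
    for m in _FETCH_HTTPS.finditer(active):
        options = [o.strip().lower() for o in m.group(1).split(",")]
        if "enable" in options:
            return True
    return False


def needs_update(version_text, conf_text):
    """Apply both conditions from the announcement."""
    in_range = FIRST_AFFECTED <= parse_version(version_text) < FIXED
    return in_range and fetch_https_enabled(conf_text)
```

Configuration spread across `include` files has to be concatenated before it is passed to `needs_update`.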
Upgrade instructions: