Announcing PageSpeed Security releases 1.9.32.13 and 1.10.33.4

Jeff Kaufman

Feb 3, 2016, 3:17:13 PM
to mod-pagespeed-discuss

Releases 1.9.32.13 and 1.10.33.4 fix two security issues and one major
compatibility issue. They are otherwise identical to the previous
releases, 1.9.32.11 and 1.10.33.2. We recommend that all users
upgrade to receive these fixes.

* All previously released versions of PageSpeed are vulnerable to
HTTPS-fetching vulnerability CVE-2016-2092. This permits a hostile
third party who can man-in-the-middle the connection between PageSpeed
and an HTTPS server to substitute arbitrary content in responses.
PageSpeed is not vulnerable in its default configuration, but several
filters and options can enable this vulnerability. For more details
and workarounds, see:
https://developers.google.com/speed/pagespeed/module/announce-sec-update-201601

* LibPNG has been updated to 1.2.56. Previous versions had an
out-of-bounds read (CVE-2015-8540) which a hostile third party could
trigger if they were in a position to supply images for PageSpeed to
optimize.

* The latest version of Chrome for iOS (M48) switched to the WKWebView
for rendering, dropping support for WebP images. Prior versions of
PageSpeed will send WebP to Chrome on iOS, giving broken images to
these users. While this isn't a security vulnerability, this is a
serious enough breakage that we're including it in this security release.

If you installed the beta or stable .deb package, update with:
sudo apt-get update
sudo apt-get upgrade
sudo /etc/init.d/apache2 restart

If you installed the beta .rpm package, update with:
sudo yum update mod-pagespeed-beta
sudo /etc/init.d/httpd restart

If you installed the stable .rpm package, update with:
sudo yum update mod-pagespeed-stable
sudo /etc/init.d/httpd restart

Full release notes:
https://developers.google.com/speed/pagespeed/module/release_notes#release_1.9.32.13-stable

Jeff Kaufman
PageSpeed Team, Google
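
Added example, not part of the original announcement or the PageSpeed project: a POSIX shell check that classifies an installed PageSpeed version string against the two fixed releases named above. It compares within the release branch, because a plain ">= 1.9.32.13" test would wrongly pass 1.10.33.2. The function names, the status words, and the "unknown" result for branches the announcement does not cover are assumptions of this example.

```shell
#!/bin/sh
# Fixed releases named in the announcement, one per release branch.
FIXED_1_9="1.9.32.13"
FIXED_1_10="1.10.33.4"

# ver_ge A B: succeed if dotted version A >= B, comparing fields as numbers.
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# pagespeed_status VERSION: print patched, unpatched or unknown (hypothetical helper).
pagespeed_status() {
    v=${1%%-*}    # drop a package revision suffix such as "-0"
    case $v in
        ''|*[!0-9.]*) echo unknown; return ;;
    esac
    case $v in
        1.9.*)  fixed=$FIXED_1_9 ;;
        1.10.*) fixed=$FIXED_1_10 ;;
        *)
            # Before 1.9: the announcement says all previous releases are affected.
            # 1.11 and later: not covered by the announcement (assumption: unknown).
            if ver_ge "$v" "1.11"; then echo unknown; else echo unpatched; fi
            return ;;
    esac
    if ver_ge "$v" "$fixed"; then echo patched; else echo unpatched; fi
}

# Constructed sample version strings; feed the real one from your package manager.
for v in 1.9.32.11 1.9.32.13 1.10.33.2 1.10.33.4-0 1.8.31.4; do
    printf '%s\t%s\n' "$v" "$(pagespeed_status "$v")"
done
```

"unpatched" means the release lacks these fixes; per the announcement, CVE-2016-2092 is only exposed when certain filters and options are enabled.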