Release 1.9.32.4-stable/beta security release.
Release 1.9.32.4 fixes two security issues. It is otherwise identical to the previous release (1.9.32.3). We recommend that all users upgrade to receive these fixes.
In versions between 1.7 and 1.9.32.3, PageSpeed was built with a version of OpenSSL that was vulnerable to the issues detailed in the June 11, 2015 security advisory (http://openssl.org/news/secadv_20150611.txt). We have updated our crypto library to fix these issues. PageSpeed now builds with Google’s BoringSSL, an OpenSSL fork which includes this fix, and is expected to be more stable in future.
In versions between 1.8.31.2 and 1.9.32.3 it was possible to cause a crash by requesting JavaScript source maps when source mapping had been turned off.
We recommend that all users upgrade. If this is not possible, however, the following workarounds are available:
The OpenSSL vulnerability only applies if you have FetchHttps enabled and have configured PageSpeed to fetch HTTPS content over the open internet. Disabling FetchHttps will prevent these crashes, but will also disable PageSpeed's optimizations for any content that must be fetched over HTTPS.
Set a “Request Option Override” token, and explicitly enable Include Javascript Source Maps. This makes it impossible for attackers to disable source maps and cause these crashes.
We expect to have a bug-fix release soon after this security release.
If you are currently on the stable channel, you should update via the usual method:
If you installed the .rpm package, update with:
sudo yum update mod-pagespeed-stable
sudo /etc/init.d/httpd restart
If you installed the .deb package, update with:
sudo apt-get update
sudo apt-get upgrade
sudo /etc/init.d/apache2 restart
If you are currently on the beta channel and would like to switch to the stable channel, you must first uninstall mod_pagespeed and then install the stable package from: https://developers.google.com/speed/docs/mod_pagespeed/download
Instructions for building from source are available at: https://developers.google.com/speed/pagespeed/module/build_mod_pagespeed_from_source
If you are currently on the beta channel, you should update via the usual method:
If you installed the .rpm package, update with:
sudo yum update mod-pagespeed-beta
sudo /etc/init.d/httpd restart
If you installed the .deb package, update with:
sudo apt-get update
sudo apt-get upgrade
sudo /etc/init.d/apache2 restart
If you are currently on the stable channel and would like to switch to the beta channel, you must first uninstall mod_pagespeed and then install the beta package from: https://developers.google.com/speed/docs/mod_pagespeed/download
Instructions for building from source are available at: https://developers.google.com/speed/pagespeed/module/build_mod_pagespeed_from_source
OpenSSL Security Advisory: Replace OpenSSL with BoringSSL.
Issue 1094: Source map can be requested with option disabled.
Jeff Crowell
mod_pagespeed team
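The affected version ranges stated in the announcement above, as an added triage helper (not part of the original message and not mod_pagespeed code). The function names and output tokens are hypothetical; the version string is passed in as an argument.

```shell
#!/bin/sh
# Added example: report which issues from this announcement apply to a
# given mod_pagespeed version. Ranges come from the announcement text:
#   OpenSSL advisory:      1.7      .. 1.9.32.3
#   source map crash:      1.8.31.2 .. 1.9.32.3
# Function names and output tokens are hypothetical.

# ver_cmp A B: print -1, 0 or 1 for dotted numeric versions.
# Missing fields count as 0, so "1.7" compares as 1.7.0.0.
ver_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo -1; return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo 1; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo 0
}

# in_range V LO HI: succeed when LO <= V <= HI.
in_range() {
    [ "$(ver_cmp "$1" "$2")" != -1 ] && [ "$(ver_cmp "$1" "$3")" != 1 ]
}

# pagespeed_issues VERSION: print the applicable issues, or "none".
pagespeed_issues() {
    v=${1%%-*}   # drop a suffix such as "-stable" or a package build number
    case $v in
        ''|*[!0-9.]*) echo invalid; return 2 ;;
    esac
    out=
    if in_range "$v" 1.7 1.9.32.3; then out="openssl"; fi
    if in_range "$v" 1.8.31.2 1.9.32.3; then out="$out sourcemap-crash"; fi
    echo "${out:-none}"
}

# Constructed sample versions, one per boundary of interest.
for sample in 1.6.29.7 1.7.30.1 1.8.31.2 1.9.32.3 1.9.32.4-stable; do
    printf '%-16s %s\n' "$sample" "$(pagespeed_issues "$sample")"
done
```

A result of "openssl" only matters operationally if FetchHttps is enabled, and "sourcemap-crash" is the case the Request Option Override workaround addresses.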
Hi,
Does the OpenSSL fix change anything when building against system libraries?
Thanks,
Robert