Various versions of mod_pagespeed are subject to a critical cross-site scripting (XSS) vulnerability, CVE-2013-6111. This permits a hostile third party to execute JavaScript in users' browsers in the context of the domain running mod_pagespeed, which could permit theft of users' cookies or data on the site.
Because of the severity of the problem, users of affected versions are strongly encouraged to update immediately.
To be notified of further security updates, subscribe to the Google Webmaster Tools and mod-pagespeed-announce.
Affected versions
If you installed the .rpm package, you can update with:
    sudo yum update
    sudo /etc/init.d/httpd restart
If you installed the .deb package, you can update with:
    sudo apt-get update
    sudo apt-get upgrade
    sudo /etc/init.d/apache2 restart
It is also possible to build from source.
    sudo apt-get update
    sudo apt-get install mod-pagespeed-stable=1.0.22.8-r3546
On RPM-based systems that use the yum command, you can update from older versions by using:
    yum install mod-pagespeed-stable-1.0.22.8
Note that this command will not switch you to a lower version number (for example, it will not switch from a 1.2 version with the vulnerability to a fixed version of 1.0); it is recommended that you resolve this security vulnerability by upgrading to the patched release of whatever version you are currently using, or the latest beta or stable version.
You can also download binaries directly:
Debian/Ubuntu: 32-bit .deb [Signature] | 64-bit .deb [Signature]
CentOS/Fedora: 32-bit .rpm | 64-bit .rpm
    sudo apt-get update
    sudo apt-get install mod-pagespeed-stable=1.2.24.2-r3534
On RPM-based systems that use the yum command, you can update from older versions by using:
    yum install mod-pagespeed-stable-1.2.24.2
Note that this command will not switch you to a lower version number (for example, it will not switch from a 1.3 version with the vulnerability to a fixed version of 1.2); it is recommended that you resolve this security vulnerability by upgrading to the patched release of whatever version you are currently using, or the latest beta or stable version.
You can also download binaries directly:
Debian/Ubuntu: 32-bit .deb [Signature] | 64-bit .deb [Signature]
CentOS/Fedora: 32-bit .rpm | 64-bit .rpm
    sudo apt-get update
    sudo apt-get install mod-pagespeed-stable=1.3.25.5-r3534
On RPM-based systems that use the yum command, you can update from older versions by using:
    yum install mod-pagespeed-stable-1.3.25.5
Note that this command will not switch you to a lower version number (for example, it will not switch from a 1.4 version with the vulnerability to a fixed version of 1.3); it is recommended that you resolve this security vulnerability by upgrading to the patched release of whatever version you are currently using, or the latest beta or stable version.
You can also download binaries directly:
Debian/Ubuntu: 32-bit .deb [Signature] | 64-bit .deb [Signature]
CentOS/Fedora: 32-bit .rpm | 64-bit .rpm
On Debian-based systems (including Ubuntu), you can update to the patched 1.4 version by running:
    sudo apt-get update
    sudo apt-get install mod-pagespeed-stable=1.4.26.5-r3533
On RPM-based systems that use the yum command, you can update from older versions by using:
    yum install mod-pagespeed-stable-1.4.26.5
Note that this command will not switch you to a lower version number (for example, it will not switch from a 1.5 version with the vulnerability to a fixed version of 1.4); it is recommended that you resolve this security vulnerability by upgrading to the patched release of whatever version you are currently using, or the latest beta or stable version.
You can also download binaries directly:
Debian/Ubuntu: 32-bit .deb [Signature] | 64-bit .deb [Signature]
CentOS/Fedora: 32-bit .rpm | 64-bit .rpm
    sudo apt-get update
    sudo apt-get install mod-pagespeed-beta=1.5.27.4-r3533
On RPM-based systems that use the yum command, you can update from older versions by using:
    yum install mod-pagespeed-beta-1.5.27.4
Note that this command will not switch you to a lower version number (for example, it will not switch from a 1.6 version with the vulnerability to a fixed version of 1.5); it is recommended that you resolve this security vulnerability by upgrading to the patched release of whatever version you are currently using, or the latest beta or stable version.
You can also download binaries directly:
Debian/Ubuntu: 32-bit .deb [Signature] | 64-bit .deb [Signature]
CentOS/Fedora: 32-bit .rpm | 64-bit .rpm
On Debian-based systems (including Ubuntu), you can update to the patched 1.6 version by running:
    sudo apt-get update
    sudo apt-get install mod-pagespeed-beta=1.6.29.7-r3343
On RPM-based systems that use the yum command, you can update from older versions by using:
    yum install mod-pagespeed-beta-1.6.29.7
You can also download binaries directly:
Debian/Ubuntu: 32-bit .deb [Signature] | 64-bit .deb [Signature]
CentOS/Fedora: 32-bit .rpm | 64-bit .rpm
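
To check an installed package version against the patched releases named in the commands above, the following script can be used. It is an added example, not part of the original advisory or the mod_pagespeed project. It assumes that any build below the patched release of its own branch still needs the update and reports branches not listed on this page as unknown; the function names are hypothetical.

```shell
#!/bin/sh
# Patched release for each branch, taken from the install commands in this advisory.
patched_for_branch() {
  case "$1" in
    1.0) echo 1.0.22.8 ;;
    1.2) echo 1.2.24.2 ;;
    1.3) echo 1.3.25.5 ;;
    1.4) echo 1.4.26.5 ;;
    1.5) echo 1.5.27.4 ;;
    1.6) echo 1.6.29.7 ;;
    *)   return 1 ;;
  esac
}

# pagespeed_status VERSION  (hypothetical helper)
# VERSION is a package version such as "1.4.26.2-r3000"; the package revision is ignored.
# Prints "patched", "upgrade <branch> <patched-release>", or "unknown".
pagespeed_status() {
  ver="${1%%-*}"
  # Expect four numeric components, e.g. 1.4.26.5
  if ! printf '%s\n' "$ver" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
    echo unknown; return 0
  fi
  branch="$(printf '%s\n' "$ver" | cut -d. -f1,2)"
  # Branches the advisory does not list cannot be judged from this page.
  if ! fixed="$(patched_for_branch "$branch")"; then
    echo unknown; return 0
  fi
  # sort -V (GNU coreutils) orders version strings numerically per component.
  lowest="$(printf '%s\n%s\n' "$ver" "$fixed" | sort -V | head -n 1)"
  if [ "$lowest" = "$fixed" ]; then
    echo patched
  else
    echo "upgrade $branch $fixed"
  fi
}

# Installed version from dpkg or rpm; prints nothing if neither package is found.
installed_pagespeed_version() {
  for pkg in mod-pagespeed-stable mod-pagespeed-beta; do
    v="$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null)" && [ -n "$v" ] && { echo "$v"; return 0; }
    v="$(rpm -q --qf '%{VERSION}' "$pkg" 2>/dev/null)" && { echo "$v"; return 0; }
  done
  return 0
}

# Check the version given as an argument, e.g.: sh check.sh "$(installed_pagespeed_version)"
if [ $# -gt 0 ]; then pagespeed_status "$1"; fi
```

An "upgrade" result names the patched release in the same branch, matching the advisory's recommendation to stay on the branch already in use or move to the latest beta or stable version.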