March 2016 PageSpeed Security Update.

Overview

All previously released versions of PageSpeed are vulnerable to CVE-2016-3626. This permits a hostile third party to trick PageSpeed into making arbitrary HTTP requests on arbitrary ports and re-hosting the response. If the machine running PageSpeed has access to services that are not otherwise available, this can reveal those resources. Additionally, this can be exploited for cross-site scripting.

Users are strongly encouraged to update immediately.

To be notified of further security updates, subscribe to the announcements mailing list.

Affected versions

  • All versions earlier than 1.9.
  • Versions 1.9.32.0 – 1.9.33.13 (fixed in 1.9.32.14).
  • Versions 1.10.33.0 – 1.10.33.6 (fixed in 1.10.33.7).

Affected configurations

All configurations are affected.

Solution

You can resolve this problem by updating to the latest version of either stable or beta channels. If that is not possible, a workaround is available.

Upgrading to the latest version

If you installed the .rpm package, you can update with:

sudo yum update
sudo /etc/init.d/httpd restart

If you installed the .deb package, you can update with:

sudo apt-get update
sudo apt-get upgrade
sudo /etc/init.d/apache2 restart

It is also possible to build from source.

Package signing information

All of the packages above are signed with the Google Linux Package Signing Key, as described on http://www.google.com/linuxrepositories/

Workaround

You can work around this issue by making two changes to your server configuration:
  • Set the Domain directive for each domain that resolves to this server. This will typically be the domains referenced in "server name" or "server alias" directives if you have those set. Set them both alone and with a wildcard port number, and for both http and https:
    Apache:

    ModPagespeedDomain http://www.example.com
    ModPagespeedDomain http://www.example.com:*
    ModPagespeedDomain https://www.example.com
    ModPagespeedDomain https://www.example.com:*

    Nginx:

    pagespeed Domain http://www.example.com;
    pagespeed Domain http://www.example.com:*;
    pagespeed Domain https://www.example.com;
    pagespeed Domain https://www.example.com:*;

    This is sufficient to prevent XSS on the referenced domains.

    There is no downside to including the https versions of the domains, even if your site is only served over http.

  • Filter requests by Host header so PageSpeed doesn't receive requests intended for unknown hosts. Combined with setting Domain, this keeps PageSpeed from being able to request arbitrary resources.

    In Apache, turn on UseCanonicalName and UseCanonicalPhysicalPort:

    UseCanonicalName on
    UseCanonicalPhysicalPort on

    in all of your VirtualHost segments, and make sure they all have accurate ServerNames.

    In Nginx, set up an empty catch-all virtual host. It needs to be at the top of your config, to get highest priority:

    server {
      listen 80;
      pagespeed off;
    }

    Depending on the configuration of your system, it may make sense to put Host header filtering at an earlier stage.
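
To check an Apache configuration against both parts of the workaround, the following added example (not part of the advisory or of PageSpeed) reports which of the four Domain entries are missing for each ServerName/ServerAlias and which VirtualHost blocks do not turn on the two canonical-name directives. The function names and the sample configuration are constructed for illustration, and only settings made inside a VirtualHost block are counted, as the workaround asks.

```python
import re

# Constructed sample config (not from the advisory): www.example.com lacks its
# https wildcard-port entry and blog.example.com has no Domain entries at all.
SAMPLE_CONF = """\
ModPagespeedDomain http://www.example.com
ModPagespeedDomain http://www.example.com:*
ModPagespeedDomain https://www.example.com
<VirtualHost *:80>
  ServerName www.example.com
  ServerAlias blog.example.com
  UseCanonicalName on
</VirtualHost>
"""

CANONICAL = ("usecanonicalname", "usecanonicalphysicalport")

def required_domains(host):
    """The four Domain values the workaround lists for one hostname."""
    return [f"{scheme}://{host}{port}"
            for scheme in ("http", "https") for port in ("", ":*")]

def audit_apache(conf):
    """Return (missing Domain values, [(vhost, directive not set to on)])."""
    hosts, domains, not_on = [], set(), []
    label, on = None, set()
    for raw in conf.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        key = tokens[0].lower()
        if key == "<virtualhost":
            label, on = raw.strip(), set()
        elif key == "</virtualhost>":
            not_on += [(label, d) for d in CANONICAL if d not in on]
            label = None
        elif key in ("servername", "serveralias"):
            # ServerName may carry a scheme and port; keep only the hostname.
            hosts += [re.sub(r"^\w+://|:\d+$", "", t.lower()) for t in tokens[1:]]
        elif key == "modpagespeeddomain" and len(tokens) > 1:
            domains.add(tokens[1].lower())
        elif key in CANONICAL and label and tokens[1:] and tokens[1].lower() == "on":
            on.add(key)
    missing = [d for h in dict.fromkeys(hosts)
               for d in required_domains(h) if d not in domains]
    return missing, not_on

if __name__ == "__main__":
    for item in audit_apache(SAMPLE_CONF):
        print(item)
```

An empty result for both lists means every named host has all four Domain entries and every VirtualHost sets both directives to on.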
