Announcing mod_pagespeed Security releases 1.9.32.14 and 1.10.33.7
Jeff Kaufman
Mar 28, 2016, 1:15:57 PM
to mod-pagespeed-discuss
Releases 1.9.32.14 and 1.10.33.7 fix a major security issue. We recommend that all users update immediately or, if that isn't possible, apply the workaround below.
All previously released versions of PageSpeed are vulnerable to CVE-2016-3626. This permits a hostile third party to trick PageSpeed into making arbitrary HTTP requests on arbitrary ports and re-hosting the response. If the machine running PageSpeed has access to services that are not otherwise available, this can reveal those resources. Additionally, this can be exploited for cross-site scripting.
Affected versions:
* All versions earlier than 1.9
* Versions 1.9.32.0 - 1.9.32.13 (fixed in 1.9.32.14)
* Versions 1.10.33.0 - 1.10.33.6 (fixed in 1.10.33.7)
If you installed the beta or stable .deb package, update with:

sudo apt-get update
sudo apt-get upgrade
sudo /etc/init.d/apache2 restart

If you installed the beta .rpm package, update with:

sudo yum update mod-pagespeed-beta
sudo /etc/init.d/httpd restart

If you installed the stable .rpm package, update with:

sudo yum update mod-pagespeed-stable
sudo /etc/init.d/httpd restart
Workaround
While we strongly recommend upgrading, we do believe this workaround is sufficient.
1) Set the Domain directive for each domain that resolves to the server. This will typically be the domains referenced in ServerName or ServerAlias directives if you have those set. Set them both alone and with a wildcard port number, and for both http and https:
This is sufficient to prevent XSS on the referenced domain.
There is no downside to including the https versions of the domains, even if your site is served only over http.
2) Filter requests by Host header so PageSpeed doesn't receive requests intended for unknown hosts. Combined with setting Domain, this keeps PageSpeed from being able to request arbitrary resources. To do this, set:
UseCanonicalName on
UseCanonicalPhysicalPort on
in all of your VirtualHost segments, and make sure they all have accurate ServerName settings.
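Both workaround steps applied to a single Apache VirtualHost, as an added example that is not part of the announcement. The hostnames are placeholders; the directive spelling ModPagespeedDomain (the Apache form of the Domain directive the post refers to) and the ":*" suffix as the wildcard-port form are assumptions, so check them against the PageSpeed documentation for your version before relying on them.

```apache
# Added example, not from the announcement. Hostnames are placeholders;
# ModPagespeedDomain and the ":*" wildcard-port form are assumptions.

<VirtualHost *:80>
    # Step 2 prerequisite: an accurate ServerName (and any ServerAlias)
    # for every name that resolves to this server.
    ServerName www.example.com
    ServerAlias example.com

    # Step 2: build self-referential URLs only from the configured
    # ServerName and physical port, so requests carrying an unknown
    # Host header are not handed to PageSpeed under that name.
    UseCanonicalName on
    UseCanonicalPhysicalPort on

    # Step 1: one Domain entry per name, alone and with a wildcard port,
    # for both http and https. The https entries cost nothing even if
    # this site is served only over http.
    ModPagespeedDomain http://www.example.com
    ModPagespeedDomain http://www.example.com:*
    ModPagespeedDomain https://www.example.com
    ModPagespeedDomain https://www.example.com:*
    ModPagespeedDomain http://example.com
    ModPagespeedDomain http://example.com:*
    ModPagespeedDomain https://example.com
    ModPagespeedDomain https://example.com:*
</VirtualHost>
```

Repeat the same block for every VirtualHost on the server; a vhost without a ServerName, or one that omits the Domain entries, leaves the gap the workaround is meant to close. Running apachectl -S after the change lists each configured vhost with its ServerName, which is a quick way to confirm none was missed before restarting.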