January 2016 PageSpeed Security Update.
Overview
All released versions of PageSpeed are subject to HTTPS-fetching vulnerability, CVE-2016-2092. This permits a hostile third party who can man-in-the-middle the connection between PageSpeed and an HTTPS server to substitute arbitrary content in responses. This could allow the attacker to execute JavaScript in users' browsers in context of the domain running PageSpeed, which could permit theft of users' cookies or data on the site.
To be notified of further security updates subscribe to the announcements mailing list.
Affected versions
- All versions earlier than 1.9.
- Versions 1.9.32.0 – 1.9.33.12 (fixed in 1.9.32.13).
- Versions 1.10.33.0 – 1.10.33.3 (fixed in 1.10.33.4).
Affected configurations
Sites using the default configuration are not vulnerable, because by default PageSpeed will only use HTTPS to fetch from itself. To be vulnerable a site needs to have configured either:
- Any of the following directives with an HTTPS target on another server:
DomainMapOriginDomainMapProxyDomainFetchProxy(experimental and undocumented)
- Or any of the following directives:
Solution
You can resolve this problem by updating to the latest version of either stable or beta channels.
Upgrading to the latest version
The easiest way to resolve the vulnerability is to update to the latest versions on whatever channel (stable or beta) are you currently using.
If you installed the .rpm package, you can update with:
sudo yum update sudo /etc/init.d/httpd restart
If you installed the .deb package, you can update with:
sudo apt-get update sudo apt-get upgrade sudo /etc/init.d/apache2 restartIt is also possible to build from source.