March 2016 PageSpeed Security Update.
Overview
All previously released versions of PageSpeed are vulnerable to CVE-2016-3626. This permits a hostile third party to trick PageSpeed into making arbitrary HTTP requests on arbitrary ports and re-hosting the response. If the machine running PageSpeed has access to services that are not otherwise available, this can reveal those resources. Additionally, this can be exploited for cross-site scripting.
Users are strongly encouraged to update immediately.
To be notified of further security updates subscribe to the announcements mailing list.
Affected versions
- All versions earlier than 1.9.
- Versions 1.9.32.0 – 1.9.33.13 (fixed in 1.9.32.14).
- Versions 1.10.33.0 – 1.10.33.6 (fixed in 1.10.33.7).
Affected configurations
All configurations are affected.
Solution
You can resolve this problem by updating to the latest version of either stable or beta channels. If that is not possible, a workaround is available.
Upgrading to the latest version
If you installed the .rpm package, you can update with:
    sudo yum update
    sudo /etc/init.d/httpd restart
If you installed the .deb package, you can update with:
    sudo apt-get update
    sudo apt-get upgrade
    sudo /etc/init.d/apache2 restart
It is also possible to build from source.
Package signing information
All of the packages above are signed with the Google Linux Package Signing Key, as described on http://www.google.com/linuxrepositories/
Workaround
You can work around this issue by making two changes to your server configuration:
- Set the Domain directive for each domain that resolves to this server. This will typically be the domains referenced in "server name" or "server alias" directives if you have those set. Set them both alone and with a wildcard port number, and for both http and https:
  - Apache:
        ModPagespeedDomain http://www.example.com
        ModPagespeedDomain http://www.example.com:*
        ModPagespeedDomain https://www.example.com
        ModPagespeedDomain https://www.example.com:*
  - Nginx:
        pagespeed Domain http://www.example.com;
        pagespeed Domain http://www.example.com:*;
        pagespeed Domain https://www.example.com;
        pagespeed Domain https://www.example.com:*;
  There is no downside to including the https versions of the domains, even if your site is only served over http.
- Filter requests by Host header so PageSpeed doesn't receive requests intended for unknown hosts. Combined with setting Domain, this keeps PageSpeed from being able to request arbitrary resources.
  In Apache, turn on UseCanonicalName and UseCanonicalPhysicalPort:
        UseCanonicalName on
        UseCanonicalPhysicalPort on
  in all of your VirtualHost segments, and make sure they all have accurate ServerNames.
  In Nginx, set up an empty catch-all virtual host. It needs to be at the top of your config, to get highest priority:
        server {
          listen 80;
          pagespeed off;
        }
  Depending on the configuration of your system, it may make sense to put Host header filtering at an earlier stage.
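An added example, not part of the original advisory or PageSpeed's own tooling: a Python audit that checks each Apache VirtualHost block for the workaround lines described above and reports the ones that are missing. It assumes the workaround lines are placed inside each VirtualHost block and that ServerName/ServerAlias hold bare hostnames; SAMPLE_CONF, required_lines and audit are names made up for this example.

```python
import re

# Constructed sample (not from the advisory): the first vhost has the full
# workaround, the second has none of it.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName www.example.com
    UseCanonicalName on
    UseCanonicalPhysicalPort on
    ModPagespeedDomain http://www.example.com
    ModPagespeedDomain http://www.example.com:*
    ModPagespeedDomain https://www.example.com
    ModPagespeedDomain https://www.example.com:*
</VirtualHost>
<VirtualHost *:80>
    ServerName blog.example.com
    ServerAlias blog.example.org
</VirtualHost>
"""

def required_lines(hosts):
    """Directive lines the workaround asks for, given a vhost's hostnames."""
    lines = ["UseCanonicalName on", "UseCanonicalPhysicalPort on"]
    for host in hosts:
        for scheme in ("http", "https"):
            for port in ("", ":*"):  # alone, then with a wildcard port
                lines.append(f"ModPagespeedDomain {scheme}://{host}{port}")
    return lines

def audit(conf):
    """Map each VirtualHost's first hostname to the workaround lines it lacks."""
    findings = {}
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        present, hosts = set(), []
        for raw in block.splitlines():
            parts = raw.split()
            if not parts or parts[0].startswith("#"):
                continue
            name, args = parts[0].lower(), parts[1:]  # names are case-insensitive
            if name in ("servername", "serveralias"):
                hosts.extend(args)
            present.add(f"{name} {' '.join(args)}".lower())
        missing = [l for l in required_lines(hosts) if l.lower() not in present]
        findings[hosts[0] if hosts else "(no ServerName)"] = missing
    return findings

if __name__ == "__main__":
    for vhost, missing in audit(SAMPLE_CONF).items():
        print(vhost, "OK" if not missing else "missing: " + "; ".join(missing))
```

A block reported under "(no ServerName)" also needs an accurate ServerName added before the other lines can be generated for it.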