January 2016 PageSpeed Security Update.
To be notified of further security updates, subscribe to the announcements mailing list.
- All versions earlier than 1.9.
- Versions 184.108.40.206 – 220.127.116.11 (fixed in 18.104.22.168).
- Versions 22.214.171.124 – 126.96.36.199 (fixed in 188.8.131.52).
Sites using the default configuration are not vulnerable, because by default PageSpeed will only use HTTPS to fetch from itself. To be vulnerable a site needs to have configured either:
- Any of the following directives with an HTTPS target on another server:
- Or any of the following directives:
You can resolve this problem by updating to the latest version of either the stable or beta channel.
Upgrading to the latest version
The easiest way to resolve the vulnerability is to update to the latest version on whichever channel (stable or beta) you are currently using.
If you installed the .rpm package, you can update with:
    sudo yum update
    sudo /etc/init.d/httpd restart
If you installed the .deb package, you can update with:
    sudo apt-get update
    sudo apt-get upgrade
    sudo /etc/init.d/apache2 restart
It is also possible to build from source.