March 2016 PageSpeed Security Update.

Overview

All previously released versions of PageSpeed are vulnerable to CVE-2016-3626. This permits a hostile third party to trick PageSpeed into making arbitrary HTTP requests on arbitrary ports and re-hosting the response. If the machine running PageSpeed has access to services that are not otherwise available, this can reveal those resources. Additionally, this can be exploited for cross-site scripting.

Users are strongly encouraged to update immediately.

To be notified of further security updates, subscribe to the announcements mailing list.

Affected versions

Affected configurations

All configurations are affected.

Solution

You can resolve this problem by updating to the latest version of either the stable or the beta channel. If that is not possible, a workaround is available.

Upgrading to the latest version

If you installed the .rpm package, you can update with:

sudo yum update
sudo /etc/init.d/httpd restart

If you installed the .deb package, you can update with:

sudo apt-get update
sudo apt-get upgrade
sudo /etc/init.d/apache2 restart

It is also possible to build from source.

Package signing information

All of the packages above are signed with the Google Linux Package Signing Key, as described on http://www.google.com/linuxrepositories/

Workaround

You can work around this issue by making two changes to your server configuration: