mod_pagespeed and ngx_pagespeed Security Advisory: SSL fetching man-in-the-middle attack.

Disclosed:

June 17th, 2014

Versions Affected:

  • mod_pagespeed 1.7.30.1 through 1.7.30.4 (fixed in 1.7.30.5)
  • mod_pagespeed and ngx_pagespeed 1.8.31.1 through 1.8.31.3 (fixed in 1.8.31.4)

Summary:

Some versions of mod_pagespeed and ngx_pagespeed, in order to support fetching of HTTPS content, link in versions of OpenSSL that are vulnerable to a man-in-the-middle attack. This attack permits an adversary who can monitor and alter traffic between a client (mod_pagespeed or ngx_pagespeed in this case) and a server to decrypt and modify encrypted transfers, as long as both are running vulnerable versions of OpenSSL (see CVE-2014-0224 for more detail).

mod_pagespeed and ngx_pagespeed users are only vulnerable if they turn on the optional FetchHttps feature.
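A triage check for the two conditions above, as an added example that is not part of the original advisory or the PageSpeed code base: it tests an installed version against the affected ranges listed here and scans configuration text for an enabled FetchHttps directive. The directive spellings (`ModPagespeedFetchHttps` for Apache, `pagespeed FetchHttps` for nginx), the "last directive wins" rule and the sample configs are assumptions, not taken from this page.

```python
import re

# Affected ranges from the advisory, inclusive: (first affected, last affected).
AFFECTED = {
    "mod_pagespeed": [((1, 7, 30, 1), (1, 7, 30, 4)), ((1, 8, 31, 1), (1, 8, 31, 3))],
    "ngx_pagespeed": [((1, 8, 31, 1), (1, 8, 31, 3))],
}

# Assumed directive syntax (not shown in the advisory):
#   Apache: ModPagespeedFetchHttps enable[,option...]
#   nginx:  pagespeed FetchHttps enable[,option...];
# Anchoring at line start means commented-out ('#') directives never match.
FETCH_HTTPS = re.compile(
    r'^\s*(?:ModPagespeedFetchHttps|pagespeed\s+FetchHttps)\s+"?([^\s;"]+)',
    re.IGNORECASE,
)

def parse_version(text):
    """'1.8.31.3-beta' -> (1, 8, 31, 3); the channel suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised PageSpeed version: {text!r}")
    return tuple(int(part) for part in m.groups())

def version_affected(product, version):
    """True when the version falls inside a range the advisory lists."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED[product])

def fetch_https_enabled(config_text):
    """Simplification: the last FetchHttps directive in the text wins,
    and a config with no directive counts as off (the feature is optional)."""
    enabled = False
    for line in config_text.splitlines():
        m = FETCH_HTTPS.match(line)
        if m:
            enabled = m.group(1).lower().split(",")[0] == "enable"
    return enabled

def exposed(product, version, config_text):
    """Exposed only when the version is affected AND FetchHttps is on."""
    return version_affected(product, version) and fetch_https_enabled(config_text)

# Constructed sample configs, not taken from a real deployment.
APACHE_CONF = "ModPagespeed on\n# ModPagespeedFetchHttps disable\nModPagespeedFetchHttps enable\n"
NGINX_CONF = "pagespeed on;\npagespeed FetchHttps enable,allow_self_signed;\n"

if __name__ == "__main__":
    print(exposed("mod_pagespeed", "1.7.30.4-stable", APACHE_CONF))
    print(exposed("ngx_pagespeed", "1.8.31.4-beta", NGINX_CONF))
```

The scan ignores virtual-host and server-block scoping, so a hit should be confirmed against the effective configuration of each site.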

Solution:

For mod_pagespeed, update to one of versions 1.7.30.5-stable, 1.8.31.4-beta or newer.

For ngx_pagespeed, update to 1.8.31.4-beta or newer.

Workaround:

Use a method other than FetchHttps to fetch HTTPS content, as described in the HTTP Support documentation.