mod_pagespeed and ngx_pagespeed Security Advisory: SSL fetching man-in-the-middle attack.
June 17th, 2014
Versions Affected:
- mod_pagespeed 126.96.36.199 through 188.8.131.52 (fixed in 184.108.40.206)
- mod_pagespeed and ngx_pagespeed 220.127.116.11 through 18.104.22.168 (fixed in 22.214.171.124)
Some versions of mod_pagespeed and ngx_pagespeed, in order to support fetching of HTTPS content, link in versions of OpenSSL that are vulnerable to a man-in-the-middle attack. This attack permits an adversary that can monitor and alter traffic between a client (mod_pagespeed or ngx_pagespeed in this case) and a server to decrypt and modify encrypted transfers, as long as both are running vulnerable versions (see CVE-2014-0224 for more detail).
mod_pagespeed and ngx_pagespeed users are only vulnerable if they turn on the optional
For mod_pagespeed, update to one of versions 126.96.36.199-stable, 188.8.131.52-beta or newer.
For ngx_pagespeed, update to 184.108.40.206-beta or newer.
Use a method other than FetchHttps to fetch https content, as described in HTTP Support documentation.