mod_pagespeed and ngx_pagespeed Security Advisory: SSL fetching man-in-the-middle attack.
June 17th, 2014
- Versions Affected:
  - mod_pagespeed 18.104.22.168 through 22.214.171.124 (fixed in 126.96.36.199)
  - mod_pagespeed and ngx_pagespeed 188.8.131.52 through 184.108.40.206 (fixed in 220.127.116.11)
Some versions of mod_pagespeed and ngx_pagespeed, in order to support fetching of HTTPS content, link in versions of OpenSSL that are vulnerable to a man-in-the-middle attack. This attack permits an adversary that can monitor and alter traffic between a client (mod_pagespeed or ngx_pagespeed in this case) and a server to decrypt and modify encrypted transfers, as long as both are running vulnerable versions (see CVE-2014-0224 for more detail).
mod_pagespeed and ngx_pagespeed users are only vulnerable if they turn on the optional
For mod_pagespeed, update to one of versions 18.104.22.168-stable, 22.214.171.124-beta or newer.
For ngx_pagespeed, update to 126.96.36.199-beta or newer.
Use a method other than FetchHttps to fetch https content, as described in HTTP Support documentation.
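To find out whether a deployment has the FetchHttps option switched on, the configuration can be audited with a short script. The following is an added example, not part of the original advisory or of the PageSpeed project; it assumes the Apache spelling `ModPagespeedFetchHttps <value>` and the nginx spelling `pagespeed FetchHttps <value>;`, with `enable` optionally followed by comma-separated options, and the sample configurations are constructed.

```python
import re

# Apache form: ModPagespeedFetchHttps <value>
# nginx form:  pagespeed FetchHttps <value>;
# (directive spellings are an assumption, see the lead-in)
DIRECTIVE = re.compile(
    r'^\s*(?:ModPagespeedFetchHttps|pagespeed\s+FetchHttps)'
    r'\s+"?([^\s;"]+)"?\s*;?\s*$',
    re.IGNORECASE,
)

def fetch_https_findings(config_text):
    """Return (line_number, value) for every active directive that enables FetchHttps.

    Commented-out directives and "disable" are ignored. Scoping (virtual hosts,
    server blocks, later overrides) is not resolved: each hit needs a manual look.
    """
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        active = raw.split("#", 1)[0]          # drop trailing or full-line comments
        match = DIRECTIVE.match(active)
        if not match:
            continue
        options = [opt.strip().lower() for opt in match.group(1).split(",")]
        if "enable" in options:                # e.g. "enable,allow_self_signed"
            findings.append((number, match.group(1)))
    return findings

# Constructed sample configurations, not taken from a real deployment.
SAMPLE_APACHE = """\
# pagespeed.conf (constructed)
ModPagespeed on
# ModPagespeedFetchHttps enable
ModPagespeedFetchHttps enable,allow_self_signed
"""

SAMPLE_NGINX = """\
pagespeed on;
pagespeed FetchHttps enable;  # constructed sample
pagespeed FetchHttps disable;
"""

if __name__ == "__main__":
    for name, text in (("apache", SAMPLE_APACHE), ("nginx", SAMPLE_NGINX)):
        for line_number, value in fetch_https_findings(text):
            print(f"{name}: line {line_number}: FetchHttps is on ({value})")
```

A hit means the server fetches HTTPS content through the linked-in OpenSSL and should be upgraded or switched to another fetch method as described above.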