mod_pagespeed and ngx_pagespeed Security Advisory: SSL fetching man-in-the-middle attack.
June 17th, 2014
- Versions Affected:
- mod_pagespeed 22.214.171.124 through 126.96.36.199 (fixed in 188.8.131.52)
- mod_pagespeed and ngx_pagespeed 184.108.40.206 through 220.127.116.11 (fixed in 18.104.22.168)
Some versions of mod_pagespeed and ngx_pagespeed, in order to support fetching of HTTPS content, link in versions of OpenSSL that are vulnerable to a man-in-the-middle attack. This attack permits an adversary that can monitor and alter traffic between a client (mod_pagespeed or ngx_pagespeed in this case) and a server to decrypt and modify encrypted transfers, as long as both are running vulnerable versions (see CVE-2014-0224 for more detail).
mod_pagespeed and ngx_pagespeed users are only vulnerable if they turn on the optional
For mod_pagespeed, update to one of versions 22.214.171.124-stable, 126.96.36.199-beta or newer.
For ngx_pagespeed, update to 188.8.131.52-beta or newer.
Use a method other than
FetchHttpsto fetch https content, as described in HTTP Support documentation.