html/doc/CVE-2012-4001.html - incubator-pagespeed-mod - Git at Google

 <html>
   <head>
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <title>mod_pagespeed Security Advisory: Insufficient Hostname Verification</title>
     <link rel="stylesheet" href="doc.css">
   </head>
   <body>
 <!--#include virtual="_header.html" -->


   <div id=content>
 <h1>mod_pagespeed Security Advisory: Insufficient Hostname Verification</h1>
 <dl>
   <dt>CVE Identifier:</dt>
     <dd>CVE-2012-4001</dd>
   <dt>Disclosed:</dt>
     <dd>September 12, 2012</dd>
   <dt>Versions Affected:</dt>
     <dd>All versions of mod_pagespeed up to and including 0.10.22.4.</dd>
   <dt>Summary:</dt>
     <dd>mod_pagespeed performs insufficient verification of its own host name,
     which makes it possible to trick it into doing HTTP fetches and resource
     processing from arbitrary host names, including potentially bypassing
     firewalls.</dd>
   <dt>Solution:</dt>
     <dd>mod_pagespeed 0.10.22.6 has been released with a fix.</dd>
   <dt>Workaround:</dt>
     <dd>If you are unable to upgrade to the new version, you can avoid this
     issue by changing your Apache httpd configuration. Give any virtual host
     that enables mod_pagespeed (and the global configuration, if it also enables
     mod_pagespeed) an accurate explicit <code>ServerName</code>, and set the
     options <code>UseCanonicalName</code> and
     <code>UseCanonicalPhysicalPort</code> to <code>On</code> in each. Please be
     aware, however, that depending on the version,
     <a href="CVE-2012-4360">CVE-2012-4360</a> may also apply.
     </dd>
   </div>
   <!--#include virtual="_footer.html" -->
   </body>
 </html>
	<html>
	<head>
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<title>mod_pagespeed Security Advisory: Insufficient Hostname Verification</title>
	<link rel="stylesheet" href="doc.css">
	</head>
	<body>
	<!--#include virtual="_header.html" -->


	<div id=content>
	<h1>mod_pagespeed Security Advisory: Insufficient Hostname Verification</h1>
	<dl>
	<dt>CVE Identifier:</dt>
	<dd>CVE-2012-4001</dd>
	<dt>Disclosed:</dt>
	<dd>September 12, 2012</dd>
	<dt>Versions Affected:</dt>
	<dd>All versions of mod_pagespeed up to and including 0.10.22.4.</dd>
	<dt>Summary:</dt>
	<dd>mod_pagespeed performs insufficient verification of its own host name,
	which makes it possible to trick it into doing HTTP fetches and resource
	processing from arbitrary host names, including potentially bypassing
	firewalls.</dd>
	<dt>Solution:</dt>
	<dd>mod_pagespeed 0.10.22.6 has been released with a fix.</dd>
	<dt>Workaround:</dt>
	<dd>If you are unable to upgrade to the new version, you can avoid this
	issue by changing your Apache httpd configuration. Give any virtual host
	that enables mod_pagespeed (and the global configuration, if it also enables
	mod_pagespeed) an accurate explicit <code>ServerName</code>, and set the
	options <code>UseCanonicalName</code> and
	<code>UseCanonicalPhysicalPort</code> to <code>On</code> in each. Please be
	aware, however, that depending on the version,
	<a href="CVE-2012-4360">CVE-2012-4360</a> may also apply.
	</dd>
	</div>
	<!--#include virtual="_footer.html" -->
	</body>
	</html>