| <html> |
| <head> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| <title>mod_pagespeed Security Advisory: Insufficient Hostname Verification</title> |
| <link rel="stylesheet" href="doc.css"> |
| </head> |
| <body> |
| <!--#include virtual="_header.html" --> |
| |
| |
| <div id=content> |
| <h1>mod_pagespeed Security Advisory: Insufficient Hostname Verification</h1> |
| <dl> |
| <dt>CVE Identifier:</dt> |
| <dd>CVE-2012-4001</dd> |
| <dt>Disclosed:</dt> |
| <dd>September 12, 2012</dd> |
| <dt>Versions Affected:</dt> |
| <dd>All versions of mod_pagespeed up to and including 0.10.22.4.</dd> |
| <dt>Summary:</dt> |
| <dd>mod_pagespeed performs insufficient verification of its own host name, |
| which makes it possible to trick it into doing HTTP fetches and resource |
| processing from arbitrary host names, including potentially bypassing |
| firewalls.</dd> |
| <dt>Solution:</dt> |
| <dd>mod_pagespeed 0.10.22.6 has been released with a fix.</dd> |
| <dt>Workaround:</dt> |
<dd>If you are unable to upgrade to the new version, you can avoid this
issue by changing your Apache httpd configuration. Give every virtual host
that enables mod_pagespeed (and the global configuration, if it also enables
mod_pagespeed) an accurate, explicit <code>ServerName</code>, and set
<code>UseCanonicalName On</code> and
<code>UseCanonicalPhysicalPort On</code> in each. With these settings Apache
derives its self-referential host name and port from <code>ServerName</code>
and the listening port rather than from the client-supplied
<code>Host</code> header, so the host name mod_pagespeed sees is the
configured one and not one chosen by the client. Be aware, however, that
depending on your version,
<a href="CVE-2012-4360">CVE-2012-4360</a> may also apply.
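The workaround as a concrete httpd configuration, added here as an example and not taken from the advisory or from the mod_pagespeed project. The host name <code>www.example.com</code>, the document root and the port are assumptions. The commented-out block is the weak form (no <code>ServerName</code>, default <code>UseCanonicalName Off</code>); the uncommented block is the hardened form applied both globally and in the virtual host:

```apache
# Added example, not from the advisory. Host name, paths and port are assumptions.

# Weak configuration: no ServerName, and the default UseCanonicalName Off
# makes Apache build self-referential host names from the client-supplied
# Host: header, which is what the workaround above tells you to stop.
#<VirtualHost *:80>
#    DocumentRoot /var/www/example
#    ModPagespeed on
#</VirtualHost>

# Hardened global configuration. Needed here because mod_pagespeed is also
# enabled at the global level in this example.
ServerName www.example.com:80
UseCanonicalName On
UseCanonicalPhysicalPort On
ModPagespeed on

# Hardened virtual host: accurate explicit ServerName, plus both directives
# repeated so the vhost does not inherit a weaker setting by accident.
<VirtualHost *:80>
    ServerName www.example.com
    UseCanonicalName On          # self-referential name comes from ServerName
    UseCanonicalPhysicalPort On  # self-referential port comes from the listener
    DocumentRoot /var/www/example
    ModPagespeed on
</VirtualHost>
```

After editing, run <code>apachectl configtest</code> to check the syntax and <code>apachectl -S</code> to list every virtual host; confirm that each one which loads mod_pagespeed shows an explicit <code>ServerName</code>, since a vhost without one still falls back to the request's <code>Host</code> header whenever <code>UseCanonicalName</code> is <code>Off</code>.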
| </dd> |
</dl>
</div>
| <!--#include virtual="_footer.html" --> |
| </body> |
| </html> |