| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| --> |
| |
| <html> |
| <head> |
| <meta name="viewport" content="width=device-width, initial-scale=1"> |
| <title>mod_pagespeed Security Advisory: Insufficient Hostname Verification</title> |
| <link rel="stylesheet" href="doc.css"> |
| </head> |
| <body> |
| <!--#include virtual="_header.html" --> |
| |
| |
| <div id=content> |
| <h1>mod_pagespeed Security Advisory: Insufficient Hostname Verification</h1> |
| <dl> |
| <dt>CVE Identifier:</dt> |
| <dd>CVE-2012-4001</dd> |
| <dt>Disclosed:</dt> |
| <dd>September 12, 2012</dd> |
| <dt>Versions Affected:</dt> |
| <dd>All versions of mod_pagespeed up to and including 0.10.22.4.</dd> |
| <dt>Summary:</dt> |
| <dd>mod_pagespeed performs insufficient verification of its own host name, |
| which makes it possible to trick it into doing HTTP fetches and resource |
| processing from arbitrary host names, including potentially bypassing |
| firewalls.</dd> |
| <dt>Solution:</dt> |
| <dd>mod_pagespeed 0.10.22.6 has been released with a fix.</dd> |
| <dt>Workaround:</dt> |
| <dd>If you are unable to upgrade to the new version, you can avoid this |
| issue by changing your Apache httpd configuration. Give any virtual host |
| that enables mod_pagespeed (and the global configuration, if it also enables |
| mod_pagespeed) an accurate explicit <code>ServerName</code>, and set the |
| options <code>UseCanonicalName</code> and |
| <code>UseCanonicalPhysicalPort</code> to <code>On</code> in each. Please be |
| aware, however, that depending on the version, |
| <a href="CVE-2012-4360">CVE-2012-4360</a> may also apply. |
</dd>
</dl>
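<p>The workaround above, written out as an httpd configuration fragment. This is an added illustration, not configuration shipped with mod_pagespeed or taken from the advisory; the host name and listener are placeholders, and <code>ModPagespeed on</code> is the module's own enabling directive. The first block shows the defaults that leave the host name under the client's control, the second the pinned settings the advisory recommends.</p>

```apache
# Added example (not from the advisory). Host name and port are placeholders.

# --- Weak: the defaults the advisory warns about ---
# No explicit ServerName, and UseCanonicalName is Off by default, so httpd
# builds its notion of "this server" (name and port) from the client-supplied
# Host header. mod_pagespeed therefore cannot reliably tell its own host from
# an arbitrary one when deciding what to fetch and rewrite.
<VirtualHost *:80>
    ModPagespeed on
</VirtualHost>

# --- Workaround: pin the canonical name and physical port explicitly ---
# Global scope: needed only if mod_pagespeed is also enabled outside a vhost.
ServerName www.example.com
UseCanonicalName On
UseCanonicalPhysicalPort On

# Every virtual host that enables mod_pagespeed gets the same three settings
# with its own accurate ServerName.
<VirtualHost *:80>
    ServerName www.example.com
    UseCanonicalName On
    UseCanonicalPhysicalPort On
    ModPagespeed on
</VirtualHost>
```

<p>After editing, <code>apachectl -S</code> lists the parsed virtual hosts with the <code>ServerName</code> each one resolved to, which is a quick way to confirm that no mod_pagespeed-enabled host is still falling back to a derived name.</p>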
| </div> |
| <!--#include virtual="_footer.html" --> |
| </body> |
| </html> |