doc/announce-sec-update-201603.html - incubator-pagespeed-website - Git at Google

 <!--
 Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements.  See the NOTICE file
 distributed with this work for additional information
 regarding copyright ownership.  The ASF licenses this file
 to you under the Apache License, Version 2.0 (the
 "License"); you may not use this file except in compliance
 with the License.  You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing,
 software distributed under the License is distributed on an
 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 KIND, either express or implied.  See the License for the
 specific language governing permissions and limitations
 under the License.
 -->

 <html>
   <head>
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <title>March 2016 PageSpeed Security Update.</title>
     <link rel="stylesheet" href="doc.css">
   </head>
   <body>
 <!--#include virtual="_header.html" -->


   <div id=content>
 <h1>March 2016 PageSpeed Security Update.</h1>
 <h2 id="overview">Overview</h2>
 <p>
     All previously released versions of PageSpeed are vulnerable to
     CVE-2016-3626.  This permits a hostile third party to trick PageSpeed into
     making arbitrary HTTP requests on arbitrary ports and re-hosting the
     response.  If the machine running PageSpeed has access to services that are
     not otherwise available, this can reveal those resources.  Additionally,
     this can be exploited for cross-site scripting.
 </p>
 <p>
     Users are <b>strongly</b> encouraged to update immediately.
 </p>

 <p>To be notified of further security updates subscribe to the
 <a href="mailing-lists#announcements">announcements mailing list</a>.

 <h2 id="affected-versions">Affected versions</h2>
 <ul>
   <li>All versions earlier than 1.9.</li>
   <li>Versions 1.9.32.0 &ndash; 1.9.33.13 (fixed in 1.9.32.14).</li>
   <li>Versions 1.10.33.0 &ndash; 1.10.33.6 (fixed in 1.10.33.7).</li>
 </ul>

 <h2 id="affected-configurations">Affected configurations</h2>

 <p>
   All configurations are affected.
 </p>

 <h2 id="solution">Solution</h2>

 <p>
 You can resolve this problem by updating to the latest version of either stable
 or beta channels.  If that is not possible,
 a <a href="#workaround">workaround</a> is available.

 </p>

 <h3 id="latest">Upgrading to the latest version</h3>

 <p>If you installed the .rpm package, you can update with:
 <pre>
 sudo yum update
 sudo /etc/init.d/httpd restart
 </pre>

 <p>If you installed the .deb package, you can update with:
 <pre>
 sudo apt-get update
 sudo apt-get upgrade
 sudo /etc/init.d/apache2 restart
 </pre>

 It is also possible to <a href="build_mod_pagespeed_from_source">
 build from source. </a>

 <h2 id="sig">Package signing information</h2>
 All of the packages above are signed with the Google Linux Package Signing Key,
 as described on <a href="http://www.google.com/linuxrepositories/">
 http://www.google.com/linuxrepositories/</a>

 <h3 id="workaround">Workaround</h3>

 You can work around this issue by making two changes to your server
 configuration:

 <ul>
   <li>Set the <code>Domain</code> directive for each domain that resolves to
       this server.  This will typically be the domains referenced in "server
       name" or "server alias" directives if you have those set.  Set them both
       alone and with a wildcard port number, and for both http and https:
       <dl>
         <dt>Apache:<dd><pre class="prettyprint"
 >ModPagespeedDomain http://www.example.com
 ModPagespeedDomain http://www.example.com:*
 ModPagespeedDomain https://www.example.com
 ModPagespeedDomain https://www.example.com:*
 </pre>
         <dt>Nginx:<dd><pre class="prettyprint"
 >pagespeed Domain http://www.example.com;
 pagespeed Domain http://www.example.com:*;
 pagespeed Domain https://www.example.com;
 pagespeed Domain https://www.example.com:*;</pre>
       </dl>

       This is sufficient to prevent XSS on the referenced domains.

       <p>

       There is no downside to including the https versions of the domains, even
       if your site is only served over http.
   </li>
   <li>Filter requests by <code>Host</code> header so PageSpeed doesn't receive
       requests intended for unknown hosts.  Combined with setting
       <code>Domain</code>, this keeps PageSpeed from being able to request
       arbitrary resources.

       <p>

       In Apache, turn on <a
       href="http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalname"
       ><code>UseCanonicalName</code></a> and <a
       href="http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalphysicalport"
       ><code>UseCanonicalPhysicalPort</code></a>:

       <pre class="prettyprint"
 >UseCanonicalName on
 UseCanonicalPhysicalPort on</pre>

       in all of your <code>VirtualHost</code> segments, and make sure they all
       have accurate <code>ServerName</code>s.

       <p>

       In Nginx, set up an empty catch-all virtual host.  It needs to be at the
       top of your config, to get highest priority:

       <pre class="prettyprint"
 >server {
   listen 80;
   pagespeed off;
 }</pre>
       <p>

       Depending on the configuration of your system, it may make sense to put
       <code>Host</code> header filtering at an earlier stage.
   </li>
 </ul>


   </div>
   <!--#include virtual="_footer.html" -->
   </body>
 </html>
	<!--
	Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.
	-->

	<html>
	<head>
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<title>March 2016 PageSpeed Security Update.</title>
	<link rel="stylesheet" href="doc.css">
	</head>
	<body>
	<!--#include virtual="_header.html" -->


	<div id=content>
	<h1>March 2016 PageSpeed Security Update.</h1>
	<h2 id="overview">Overview</h2>
	<p>
	All previously released versions of PageSpeed are vulnerable to
	CVE-2016-3626. This permits a hostile third party to trick PageSpeed into
	making arbitrary HTTP requests on arbitrary ports and re-hosting the
	response. If the machine running PageSpeed has access to services that are
	not otherwise available, this can reveal those resources. Additionally,
	this can be exploited for cross-site scripting.
	</p>
	<p>
	Users are <b>strongly</b> encouraged to update immediately.
	</p>

	<p>To be notified of further security updates subscribe to the
	<a href="mailing-lists#announcements">announcements mailing list</a>.

	<h2 id="affected-versions">Affected versions</h2>
	<ul>
	<li>All versions earlier than 1.9.</li>
	<li>Versions 1.9.32.0 – 1.9.33.13 (fixed in 1.9.32.14).</li>
	<li>Versions 1.10.33.0 – 1.10.33.6 (fixed in 1.10.33.7).</li>
	</ul>

	<h2 id="affected-configurations">Affected configurations</h2>

	<p>
	All configurations are affected.
	</p>

	<h2 id="solution">Solution</h2>

	<p>
	You can resolve this problem by updating to the latest version of either stable
	or beta channels. If that is not possible,
	a <a href="#workaround">workaround</a> is available.

	</p>

	<h3 id="latest">Upgrading to the latest version</h3>

	<p>If you installed the .rpm package, you can update with:
	<pre>
	sudo yum update
	sudo /etc/init.d/httpd restart
	</pre>

	<p>If you installed the .deb package, you can update with:
	<pre>
	sudo apt-get update
	sudo apt-get upgrade
	sudo /etc/init.d/apache2 restart
	</pre>

	It is also possible to <a href="build_mod_pagespeed_from_source">
	build from source. </a>

	<h2 id="sig">Package signing information</h2>
	All of the packages above are signed with the Google Linux Package Signing Key,
	as described on <a href="http://www.google.com/linuxrepositories/">
	http://www.google.com/linuxrepositories/</a>

	<h3 id="workaround">Workaround</h3>

	You can work around this issue by making two changes to your server
	configuration:

	<ul>
	<li>Set the <code>Domain</code> directive for each domain that resolves to
	this server. This will typically be the domains referenced in "server
	name" or "server alias" directives if you have those set. Set them both
	alone and with a wildcard port number, and for both http and https:
	<dl>
	<dt>Apache:<dd><pre class="prettyprint"
	>ModPagespeedDomain http://www.example.com
	ModPagespeedDomain http://www.example.com:*
	ModPagespeedDomain https://www.example.com
	ModPagespeedDomain https://www.example.com:*
	</pre>
	<dt>Nginx:<dd><pre class="prettyprint"
	>pagespeed Domain http://www.example.com;
	pagespeed Domain http://www.example.com:*;
	pagespeed Domain https://www.example.com;
	pagespeed Domain https://www.example.com:*;</pre>
	</dl>

	This is sufficient to prevent XSS on the referenced domains.

	<p>

	There is no downside to including the https versions of the domains, even
	if your site is only served over http.
	</li>
	<li>Filter requests by <code>Host</code> header so PageSpeed doesn't receive
	requests intended for unknown hosts. Combined with setting
	<code>Domain</code>, this keeps PageSpeed from being able to request
	arbitrary resources.

	<p>

	In Apache, turn on <a
	href="http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalname"
	><code>UseCanonicalName</code></a> and <a
	href="http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalphysicalport"
	><code>UseCanonicalPhysicalPort</code></a>:

	<pre class="prettyprint"
	>UseCanonicalName on
	UseCanonicalPhysicalPort on</pre>

	in all of your <code>VirtualHost</code> segments, and make sure they all
	have accurate <code>ServerName</code>s.

	<p>

	In Nginx, set up an empty catch-all virtual host. It needs to be at the
	top of your config, to get highest priority:

	<pre class="prettyprint"
	>server {
	listen 80;
	pagespeed off;
	}</pre>
	<p>

	Depending on the configuration of your system, it may make sense to put
	<code>Host</code> header filtering at an earlier stage.
	</li>
	</ul>





	</div>
	<!--#include virtual="_footer.html" -->
	</body>
	</html>