Skip to content

Mirrored documentation

This page is a faithful mirror of the original Apache mod_pagespeed documentation (Apache License 2.0). The upstream project was retired and the modpagespeed.com domain is now operated by an unrelated commercial vendor; we host the original reference so users of nginx-module-pagespeed from GetPageSpeed can rely on a stable copy.

October 2013 mod_pagespeed Security Update.

Overview

Various versions of mod_pagespeed are subject to critical cross-site scripting (XSS) vulnerability, CVE-2013-6111. This permits a hostile third party to execute JavaScript in users' browsers in context of the domain running mod_pagespeed, which could permit theft of users' cookies or data on the site.

Because of the severity of the problem, users of affected versions are strongly encouraged to update immediately.

To be notified of further security updates subscribe to the announcements mailing list.

Affected versions

  • Versions earlier than 1.0.
  • 1.0.22.7 (fixed in 1.0.22.8).
  • All 1.1 versions
  • 1.2.24.1 (fixed in 1.2.24.2)
  • 1.3.25.1 – 1.3.25.4 (fixed in 1.3.25.5)
  • 1.4.26.1 – 1.4.26.4 (fixed in 1.4.26.5)
  • 1.5.27.1 – 1.5.27.3 (fixed in 1.5.27.4)
  • 1.6.29.1 – 1.6.29.6 (fixed in 1.6.29.7)

Solution

You can resolve this problem by updating to the latest version of either stable or beta channels. If for some reason you are unable to update to a new version, patched versions to resolve the vulnerability are also available for releases 1.0 as well as 1.2 through 1.6.

Upgrading to the latest version

The easiest way to resolve the vulnerability is to update to the latest versions on whatever channel (stable or beta) are you currently using.

If you installed the .rpm package, you can update with:

sudo yum update
sudo /etc/init.d/httpd restart

If you installed the .deb package, you can update with:

sudo apt-get update
sudo apt-get upgrade
sudo /etc/init.d/apache2 restart

It is also possible to build from source.

Updating while keeping version 1.0

On Debian-based systems (including Ubuntu), you can update to the patched 1.0 version by running:

sudo apt-get update
sudo apt-get install mod-pagespeed-stable=1.0.22.8-r3546

On RPM based systems that use the yum command, you can update from older versions by using:

yum install mod-pagespeed-stable-1.0.22.8

Note that this command will not switch you to a lower version number (for example, it will not switch from a 1.2 version with the vulnerability to a fixed version of 1.0); it is recommended that you resolve this security vulnerability by upgrading to the patched release of whatever version you are currently using, or the latest beta or stable version.

You can also download binaries directly:

Debian/Ubuntu

CentOS/Fedora

32-bit .deb [Signature]

64-bit .deb [Signature]

32-bit .rpm

64-bit .rpm

Updating while keeping version 1.2

On Debian-based systems (including Ubuntu), you can update to the patched 1.2 version by running:

sudo apt-get update
sudo apt-get install mod-pagespeed-stable=1.2.24.2-r3534

On RPM based systems that use the yum command, you can update from older versions by using:

yum install mod-pagespeed-stable-1.2.24.2

Note that this command will not switch you to a lower version number (for example, it will not switch from a 1.3 version with the vulnerability to a fixed version of 1.2); it is recommended that you resolve this security vulnerability by upgrading to the patched release of whatever version you are currently using, or the latest beta or stable version.

You can also download binaries directly:

Debian/Ubuntu

CentOS/Fedora

32-bit .deb [Signature]

64-bit .deb [Signature]

32-bit .rpm

64-bit .rpm

Updating while keeping version 1.3

On Debian-based systems (including Ubuntu), you can update to the patched 1.3 version by running:

sudo apt-get update
sudo apt-get install mod-pagespeed-stable=1.3.25.5-r3534

On RPM based systems that use the yum command, you can update from older versions by using:

yum install mod-pagespeed-stable-1.3.25.5

Note that this command will not switch you to a lower version number (for example, it will not switch from a 1.4 version with the vulnerability to a fixed version of 1.3); it is recommended that you resolve this security vulnerability by upgrading to the patched release of whatever version you are currently using, or the latest beta or stable version.

You can also download binaries directly:

Debian/Ubuntu

CentOS/Fedora

32-bit .deb [Signature]

64-bit .deb [Signature]

32-bit .rpm

64-bit .rpm

Updating while keeping version 1.4

As of October 2013, 1.4 is the latest on the stable channel, so you may be able to just follow the latest version update instructions.

On Debian-based systems (including Ubuntu), you can update to the patched 1.4 version by running:

sudo apt-get update
sudo apt-get install mod-pagespeed-stable=1.4.26.5-r3533

On RPM based systems that use the yum command, you can update from older versions by using:

yum install mod-pagespeed-stable-1.4.26.5

Note that this command will not switch you to a lower version number (for example, it will not switch from a 1.5 version with the vulnerability to a fixed version of 1.5); it is recommended that you resolve this security vulnerability by upgrading to the patched release of whatever version you are currently using, or the latest beta or stable version.

You can also download binaries directly:

Debian/Ubuntu

CentOS/Fedora

32-bit .deb [Signature]

64-bit .deb [Signature]

32-bit .rpm

64-bit .rpm

Updating while keeping version 1.5

On Debian-based systems (including Ubuntu), you can update to the patched 1.5 version by running:

sudo apt-get update
sudo apt-get install mod-pagespeed-beta=1.5.27.4-r3533

On RPM based systems that use the yum command, you can update from older versions by using:

yum install mod-pagespeed-beta-1.5.27.4

Note that this command will not switch you to a lower version number (for example, it will not switch from a 1.6 version with the vulnerability to a fixed version of 1.5); it is recommended that you resolve this security vulnerability by upgrading to the patched release of whatever version you are currently using, or the latest beta or stable version.

You can also download binaries directly:

Debian/Ubuntu

CentOS/Fedora

32-bit .deb [Signature]

64-bit .deb [Signature]

32-bit .rpm

64-bit .rpm

Updating while keeping version 1.6

As of October 2013, 1.6 is the latest on the beta channel, so you may be able to just follow the latest version update instructions.

On Debian-based systems (including Ubuntu), you can update to the patched 1.6 version by running:

sudo apt-get update
sudo apt-get install mod-pagespeed-beta=1.6.29.7-r3343

On RPM based systems that use the yum command, you can update from older versions by using:

yum install mod-pagespeed-beta-1.6.29.7

You can also download binaries directly:

Debian/Ubuntu

CentOS/Fedora

32-bit .deb [Signature]

64-bit .deb [Signature]

32-bit .rpm

64-bit .rpm

Package signing information

All of the packages above are signed with the Google Linux Package Signing Key, as described on http://www.google.com/linuxrepositories/