Nginx PageSpeed ngx_pagespeed 1.9.32.13 beta security update !

eva2000 · Feb 7, 2016

ngx_pagespeed 1.9.32.13-beta security fix update has been released. Read below for instructions for updating your Centmin Mod Nginx's ngx_pagespeed module integration.

Release 1.9.32.13-stable
This security update release was made February 3rd, 2016.

All previously released versions of PageSpeed are vulnerable to HTTPS-fetching vulnerability CVE-2016-2092. This permits a hostile third party who can man-in-the-middle the connection between PageSpeed and an HTTPS server to substitute arbitrary content in responses. PageSpeed is not vulnerable in its default configuration, but several filters and options can enable this vulnerability. See our CVE-2016-2092 announcement for more details and workarounds.

LibPNG has been updated to 1.2.56. Previous versions had an out-of-bounds read (CVE-2015-8540) which a hostile third party could trigger if they were in a position to supply images for PageSpeed to optimize.

The latest version of Chrome for iOS (M48) switched to the WKWebView for rendering, dropping support for WebP images. Prior versions of PageSpeed will send WebP to Chrome on iOS, giving broken images to these users. While this isn't a security vulnerability, this is a serious enough breakage that we're including it in this security release.

Issues Resolved
Issues Affecting both Nginx and Apache

announce-sec-update-201601 HTTPS fetching vulnerability. ( 4af5e65)

CVE-2015-8540 LibPNG out-of-bounds read in png_check_keyword(). (79aaa94)

Issue 1139 Link SSL library correctly. (5b8253)

Issue 1256 Don't send WebP to Chrome on iOS (23947d)

Issues Affecting Apache

Issue 1248 Crash on very long urls (befa494)

Click to expand...

How to Update ngx_pagespeed

Best way is to also keep your Centmin Mod code updated as outlined at Upgrade Centmin Mod - CentminMod.com LEMP Nginx web stack for CentOS via centmin.sh menu option 23 if possible then you won't need to play with changing version numbers if I already updated the code for the new versions. However, if I have not updated the versions, you can do that yourself using instructions below.

To update, add these variables to to persistent config at /etc/centminmod/custom_config.inc (create it if it doesn't exist)
Code (Text):
NGXPGSPEED_VER='1.9.32.13-beta'
NGINX_PAGESPEEDPSOL_VER='1.9.32.13'
or edit centmin.sh and prior to recompiling nginx via centmin.sh menu option 4

change variables

from
Code (Text):
NGXPGSPEED_VER='1.9.32.11-beta'
NGINX_PAGESPEEDPSOL_VER='1.9.32.11'
to
Code (Text):
NGXPGSPEED_VER='1.9.32.13-beta'
NGINX_PAGESPEEDPSOL_VER='1.9.32.13'
then recompile nginx via centmin.sh menu option 4

Quick sed replacement, update commands for existing Centmin Mod are outlined on official page here and below.

change to centmin mod install directory, sed replace the version numbers and grep to make sure they were replaced
Code (Text):
cmdir
sed -i 's|1.9.32.11|1.9.32.13|g' centmin.sh
grep 1.9.32 centmin.sh
i.e.
Code (Text):
grep 1.9.32 centmin.sh
NGXPGSPEED_VER='1.9.32.13-beta'
NGINX_PAGESPEEDPSOL_VER='1.9.32.13'
then run centmin.sh menu option 4 to recompile Nginx with new version.

check that ngx_pagespeed-release-1.9.32.13-beta was compiled via nginx -V command

ngx_pagespeed 1.9.32.13-beta security update

Updated both Centmin Mod 123.08stable and 123.09beta01 builds to default to ngx_pagespeed 1.9.32.13-beta for security update. You can update Centmin Mod code via centmin.sh menu option 23 submenu option 1 and then 2 and then recompile Nginx via centmin.sh menu option 4 as outlined above.

Discussion thread at Nginx PageSpeed - ngx_pagespeed 1.9.32.13 beta security update ! | Centmin Mod Community

To update your Centmin Mod builds follow instructions at centminmod.com/upgrade.html and respective version threads below:

Centmin Mod 1.2.3-eva2000.08 stable install & update thread

Centmin Mod 123.09beta thread

eva2000 · Feb 7, 2016

more info at January 2016 PageSpeed Security Update. | PageSpeed Module | Google Developers

Overview
All released versions of PageSpeed are subject to HTTPS-fetching vulnerability, CVE-2016-2092. This permits a hostile third party who can man-in-the-middle the connection between PageSpeed and an HTTPS server to substitute arbitrary content in responses. This could allow the attacker to execute JavaScript in users' browsers in context of the domain running PageSpeed, which could permit theft of users' cookies or data on the site.

To be notified of further security updates subscribe to the announcements mailing list.

Affected versions

All versions earlier than 1.9.

Versions 1.9.32.0 – 1.9.33.12 (fixed in 1.9.32.13).

Versions 1.10.33.0 – 1.10.33.3 (fixed in 1.10.33.4).

Affected configurations
Sites using the default configuration are not vulnerable, because by default PageSpeed will only use HTTPS to fetch from itself. To be vulnerable a site needs to have configured either:

Any of the following directives with an HTTPS target on another server:

Domain

MapOriginDomain

MapProxyDomain

FetchProxy (experimental and undocumented)

Or any of the following directives:

DangerPermitFetchFromUnknownHosts

InlineResourcesWithoutExplicitAuthorization

EnableFilters inline_google_font_css

Click to expand...

eva2000 · Feb 7, 2016

Disable ngx_pagespeed integration

If you do not use ngx_pagespeed and have not enabled it as per instructions outlined at centminmod.com/nginx_ngx_pagespeed.html, you can in fact totally remove ngx_pagespeed integration from Nginx server using steps outlined on official site Nginx PageSpeed - CentminMod.com LEMP Nginx web stack for CentOS and below:

The best way is to use persistent config file created or appended to at /etc/centminmod/custom_config.inc and add setting:
Code:
NGINX_PAGESPEED=n
Then run centmin.sh menu option 4 to recompile Nginx without ngx_pagespeed module integration.

eva2000 · Feb 7, 2016

ngx_pagespeed 1.10 branch also got the same security fix in 1.10.33.4 but 1.10 branch only works with Centmin Mod 123.09beta01 and not 123.08stable. So stick with 1.9.32.13 for Centmin Mod 123.08stable https://community.centminmod.com/posts/25764/

Matt · Feb 7, 2016

Upgraded

Oxide · Feb 7, 2016

i dont need to do this if i dont use pagespeed.. or dont use HTTPS?

eva2000 · Feb 7, 2016

Oxide said: ↑

i dont need to do this if i dont use pagespeed.. or dont use HTTPS?
Click to expand...

yes but then if you don't use ngx_pagespeed you can totally disable and remove the integration https://community.centminmod.com/posts/25771/

Matt said: ↑

Upgraded
Click to expand...

nice

Matt · Feb 7, 2016

eva2000 said: ↑

nice
Click to expand...

Tried the 1.10 version, but was breaking a few things, and I don't have time to figure what is going wrong, so downgraded again.

eva2000 · Feb 7, 2016

Matt said: ↑

Tried the 1.10 version, but was breaking a few things, and I don't have time to figure what is going wrong, so downgraded again.
Click to expand...

On centmin mod 123.08stable or 123.09beta01 ? ngx_pagespeed 1.10 only works on 123.09beta01 right now. It's what this forum and centminmod.com VPS clusters are on (123.09beta01 + ngxPagespeed 1.10 branch).

Actually, been thinking about it according to Centmin Mod 2106 survey Centmin Mod Survey 2016 ~45% of users are not actively using ngx_pagespeed with it enabled so wondering if disabling ngx_pagespeed integration out of box is better. And let folks enable integration if they want it as per instructions outlined at centminmod.com/nginx_ngx_pagespeed.html

Matt · Feb 7, 2016

eva2000 said: ↑

123.09beta01
Click to expand...

It was just an issue with some CSS not being displayed correctly. I probably just needed to change something in the pagespeed config, but don't have time at the minute to figure which rule it is.

eva2000 · Feb 7, 2016

Matt said: ↑

It was just an issue with some CSS not being displayed correctly. I probably just needed to change something in the pagespeed config, but don't have time at the minute to figure which rule it is.
Click to expand...

yeah might want to read up on ngx_pagespeed 1.10 branch changes and tweaks at Nginx PageSpeed - Nginx Pagespeed 1.10.x betas coming | Centmin Mod Community whenever you have the time..

dorobo · Feb 7, 2016

I really love this
Code:
/etc/centminmod/custom_config.inc

eva2000 · Feb 7, 2016

dorobo said: ↑
I really love this
Code:
/etc/centminmod/custom_config.inc
Click to expand...
yes it's outlined in Centmin Mod upgrade guide page under the section for persistent configuration settings Upgrade Centmin Mod - CentminMod.com LEMP Nginx web stack for CentOS

Persistent Settings via custom_config.inc
With auto cron updates for Centmin Mod code in place, you'll ask what about custom settings changes made in centmin.sh - will they be lost on auto updates ? Centmin Mod 1.2.3-eva2000.08+ added support for a separate and persistent custom_config.inc file to place custom centmin.sh settings/variables in which override centmin.sh defaults. This comes in handy when updating Centmin Mod but wanting your custom settings incentmin.sh to be untouched.
Click to expand...

dorobo · Feb 7, 2016

Yeah I used to maintain a fork of centminmod but these days I just use the custom config and download a new beta whenever a new version comes out.

eva2000 · Feb 7, 2016

dorobo said: ↑

Yeah I used to maintain a fork of centminmod but these days I just use the custom config and download a new beta everytime
Click to expand...

exactly what persistent config file /etc/centminmod/custom_config.inc is for

Log in / Register

Forums

Learn about Centmin Mod LEMP Stack today

Nginx PageSpeed ngx_pagespeed 1.9.32.13 beta security update !

eva2000 Administrator Staff Member

How to Update ngx_pagespeed

ngx_pagespeed 1.9.32.13-beta security update

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Disable ngx_pagespeed integration

eva2000 Administrator Staff Member

Matt Well-Known Member

Oxide Active Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

dorobo Active Member

eva2000 Administrator Staff Member

dorobo Active Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Learn about Centmin Mod LEMP Stack today

Nginx PageSpeed ngx_pagespeed 1.9.32.13 beta security update !

eva2000 Administrator Staff Member

How to Update ngx_pagespeed

ngx_pagespeed 1.9.32.13-beta security update

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Disable ngx_pagespeed integration

eva2000 Administrator Staff Member

Matt Well-Known Member

Oxide Active Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

dorobo Active Member

eva2000 Administrator Staff Member

dorobo Active Member

eva2000 Administrator Staff Member

.