gplessis/dotdeb-nginx

ngx_pagespeed Release 1.9.32.4-beta security release

Closed this issue · 1 comments

ngx_pagespeed has a security update. From their email:

Release 1.9.32.4 fixes two security issues. It is otherwise identical to the previous release (1.9.32.3). We recommend that all users upgrade to receive these fixes.

In versions between 1.8.31.2 and 1.9.32.3, PageSpeed was built with a version of OpenSSL that was vulnerable to the issues detailed in the June 11, 2015 security advisory (http://openssl.org/news/secadv_20150611.txt). We have updated our crypto library to fix these issues. PageSpeed now builds with Google’s BoringSSL, an OpenSSL fork which includes this fix and is expected to be more stable in future.

In versions between 1.8.31.2 and 1.9.32.3 it was possible to cause a crash by requesting JavaScript source maps when source mapping had been turned off.

We recommend that all users upgrade. If this is not possible, however, the following workarounds are available:

  • The OpenSSL vulnerability only applies if you have FetchHttps enabled and have configured PageSpeed to fetch HTTPS content over the open internet. Disabling FetchHttps will prevent these crashes, but will also disable PageSpeed's optimizations for any content that must be fetched over HTTPS.
  • Set a “Request Option Override” token, and explicitly enable Include Javascript Source Maps. This makes it impossible for attackers to disable source maps and cause these crashes.

We expect to have a bug-fix release soon after this security release.

No idea how soon "soon" is; it may be worth asking and waiting for a day or two if it means a more stable build.

Thank you.
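For anyone who cannot rebuild right away, the two workarounds from the quoted advisory map onto `pagespeed` directives in the nginx config. The fragment below is an added illustration, not part of this issue or of the ngx_pagespeed project; it assumes the `FetchHttps`, `RequestOptionOverride` and `EnableFilters` directives and the `include_js_source_maps` filter as named in the PageSpeed documentation, and the override token value is a placeholder you must replace with your own random secret.

```nginx
# Constructed nginx.conf fragment for an affected ngx_pagespeed build
# (1.8.31.2 through 1.9.32.3). Upgrading to 1.9.32.4 is the real fix;
# these settings only reduce exposure until then.

http {
    pagespeed on;
    pagespeed FileCachePath /var/ngx_pagespeed_cache;

    # Exposed configuration (what the advisory warns about):
    #   pagespeed FetchHttps enable;
    # lets PageSpeed fetch HTTPS resources from the open internet with
    # the vulnerable bundled OpenSSL, so any such fetch can crash the worker.

    # Workaround 1: stop HTTPS fetches entirely. Resources that can only
    # be reached over HTTPS will no longer be optimised.
    pagespeed FetchHttps disable;

    # Workaround 2: require a secret token before per-request option
    # overrides (query parameters / headers) are honoured, so a client
    # cannot turn source maps off on a request and trigger the crash.
    # REPLACE_WITH_LONG_RANDOM_SECRET is a placeholder, not a real value.
    pagespeed RequestOptionOverride "REPLACE_WITH_LONG_RANDOM_SECRET";

    # ...and explicitly keep JavaScript source maps enabled server-side,
    # so the crash path (source-map request while mapping is off)
    # cannot be reached.
    pagespeed EnableFilters rewrite_javascript,include_js_source_maps;

    server {
        listen 80;
        root /var/www/html;
        # Required for PageSpeed's own beacon/admin endpoints
        location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" { }
        location ~ "^/pagespeed_static/" { }
        location ~ "^/ngx_pagespeed_beacon$" { }
    }
}
```

After editing, run `nginx -t` before reloading; an unknown directive name means the build predates the option and the upgrade path is the only fix.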