All,
Cyrus uses libnghttp2 for its HTTP/2 support. Recently, a vulnerability that can cause excessive CPU usage was found in that library.
Cyrus installations that compile with HTTP/2 support should upgrade to libnghttp2 v1.61 immediately, or recompile Cyrus with the --without-nghttp2 option until libnghttp2 can be upgraded.
I have verified that Cyrus compiles cleanly against v1.61+ and interoperates fine with both iOS and Thunderbird.
--
Kenneth Murchison
Senior Software Developer
Fastmail US LLC
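
One way to check a build host against the v1.61 minimum named in the message above. This is an added example, not part of the original announcement or the Cyrus project; the function names are hypothetical, and it assumes pkg-config reports the same libnghttp2 that Cyrus is compiled against.

```shell
#!/bin/sh
# Added example (not from the announcement). Function names are hypothetical.
# Assumption: pkg-config reports the same libnghttp2 that Cyrus is built against.

MIN_MAJOR=1    # the announcement names v1.61 as the version to upgrade to
MIN_MINOR=61

# nghttp2_is_fixed VERSION
# Returns 0 if VERSION >= 1.61, 1 if older, 2 if VERSION cannot be parsed.
nghttp2_is_fixed() {
    ver=${1#v}          # accept "v1.61.0" as well as "1.61.0"
    ver=${ver%%-*}      # drop a suffix such as "-DEV"
    case $ver in
        ''|*[!0-9.]*) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then rest=0; fi   # no dot: treat minor as 0
    minor=${rest%%.*}
    if [ -z "$major" ] || [ -z "$minor" ]; then return 2; fi
    # Compare numerically so that 1.9 sorts below 1.61
    if [ "$major" -gt "$MIN_MAJOR" ]; then return 0; fi
    if [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; then return 0; fi
    return 1
}

# Query the installed library and report; exit status mirrors nghttp2_is_fixed.
check_installed() {
    if ! found=$(pkg-config --modversion libnghttp2 2>/dev/null); then
        echo "libnghttp2 not visible to pkg-config; cannot determine version" >&2
        return 2
    fi
    rc=0
    nghttp2_is_fixed "$found" || rc=$?
    case $rc in
        0) echo "libnghttp2 $found: at or above v1.61" ;;
        1) echo "libnghttp2 $found: older than v1.61; upgrade it or rebuild Cyrus with --without-nghttp2" ;;
        *) echo "libnghttp2 version '$found' not understood" >&2 ;;
    esac
    return "$rc"
}

# Run the live check only when this script is invoked with --check
if [ "${1:-}" = "--check" ]; then check_installed; fi
```

A Cyrus binary that was already built keeps using whatever libnghttp2 the dynamic linker resolves at run time, so run the check on the hosts that serve HTTP/2, not only on the build machine.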