All,
Cyrus uses libnghttp2 <https://nghttp2.org/> for its HTTP/2 support.
Recently, a vulnerability
<https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q>
that can cause excessive CPU usage was found in that library.
Cyrus installations that compile with HTTP/2 support should upgrade to
libnghttp2 v1.61 immediately, or recompile Cyrus with the
--without-nghttp2 option until libnghttp2 can be upgraded.
I have verified that Cyrus compiles cleanly against v1.61+ and
interoperates fine with both iOS and Thunderbird.
--
Kenneth Murchison
Senior Software Developer
Fastmail US LLC
------------------------------------------
Cyrus: Info
Permalink:
https://cyrus.topicbox.com/groups/info/T9dd887f5dd64c203-M0c2b5e14d60dc9119c71c9a2
Delivery options: https://cyrus.topicbox.com/groups/info/subscription
