We just released HHVM versions 3.3.7, 3.6.5, and 3.7.3 which fix CVE-2015-4663, a serious issue affecting SSL/TLS certificate validation. Note that the issue affects
file_get_contents, the stream API, etc, but does not affect anything using the cURL API directly.
Release packages are available for all supported OSes; debug packages are building and should be available shortly. Please make sure you are running one of those supported versions.
As a reminder, most HHVM releases are supported for 8 weeks, before moving on to the next stable release. For example, version 3.7.x is the current stable release, which will shortly be supplanted by 3.8.x and no longer receive updates. LTS releases are supported for a year; 3.3.x and 3.6.x are the current LTS branches. This means that if you are running 3.4.x or 3.5.x, then you are running an unsupported version of HHVM which is vulnerable to this issue and will not be receiving updates!
Thanks to Anthony Ferrara for reporting this issue.