A security update has been released for all supported HHVM versions. Please update to one of the following versions to get the update:
This security update addresses a HTTP/2 Deny-of-Service vulnerability in the Proxygen library bundled with HHVM.
More information can be found in the respective CVEs:
Note that these vulnerabilities are not specific to HHVM or Proxygen, so keep an eye out for updates to other HTTP/2 server and client packages.