If http2 is enabled in your server, you will surely need to update it:
"In an advisory today, Netflix says that all the attack vectors are variations of the same theme, where a client triggers a response from a vulnerable server and then refuses to read it. [...] The list includes big names like Amazon, Apache, Apple, Facebook, Microsoft, nginx, Node.js, and Ubuntu."
"I appreciate SDF but it's a general-purpose server and the name doesn't make it obvious that it's about art." - Eugen Rochko