There was a vulnerability in hyper where hyper would not escape newlines from header values when writing to stream. Releases now exist as 0.9.16 and 0.10.2, please cargo update immediately.
It appears there was an issue in crates.io when I published 0.9.16, such that it failed to update the index. I've published 0.9.17 which is the exact same source code, so that people can update.