An issue has been identified whereby httpd(8) could be subject to a denial of service attack. Repeated crafted requests could be made from a client using file-range requests, making the server consume excessive amounts of memory.
This issue has been fixed in current. For 5.9 and 6.0 the following errata will disable range header processing in httpd(8) to prevent the problem. Thanks to Pierre Kim <pierre.kim....@gmail.com> for reporting the issue. https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/017_httpd.patch.sig https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/034_httpd.patch.sig