Looks like we have patched versions of 2.8, but on the mainstream of it (cvs), the included apache version (usr.sbin/httpd) IS VULN to the following bug: http://www.securityfocus.com/vdb/bottom.html?vid=2503 Just GO and get the latest version of Apache, nomatter (I assume) what OpenBSD ver you have, at least on the ones it is included by default. Just got confirmed on the [EMAIL PROTECTED], thath only the CURRENT is PATCHED(updated to 1.3.19). Sure, I see that the OpenBSD is the best in terms of security, I understand, that they are maybe short on people, I know that they work for free, but still, maybe the patch policy in not one of the best of it. Regards Zvz
