untrusted comment: signature from openbsd 6.0 base secret key
RWSho3oKSqgLQ3eNwKs/S5yXsFP65nKdFo1W++cCqhctN4sF1gSAws62g1SLUOm1KcCYlKzasUPxcrI4Xk4uAekDH+e/jQGpHws=

OpenBSD 6.0 errata 17, Jan 31, 2017

A bug in the processing of range headers in httpd can lead to memory
exhaustion. This patch disables range header processing.

Apply by doing:
    signify -Vep /etc/signify/openbsd-60-base.pub -x 017_httpd.patch.sig \
        -m - | (cd /usr/src && patch -p0)

And then rebuild and install httpd:
    cd /usr/src/usr.sbin/httpd
    make obj
    make depend
    make
    make install

Index: usr.sbin/httpd/server_file.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_file.c,v
retrieving revision 1.62
diff -u -p -r1.62 server_file.c
--- usr.sbin/httpd/server_file.c	17 May 2016 03:12:39 -0000	1.62
+++ usr.sbin/httpd/server_file.c	31 Jan 2017 15:04:37 -0000
@@ -65,7 +65,6 @@ server_file_access(struct httpd *env, st
 	struct http_descriptor	*desc = clt->clt_descreq;
 	struct server_config	*srv_conf = clt->clt_srv_conf;
 	struct stat		 st;
-	struct kv		*r, key;
 	char			*newpath, *encodedpath;
 	int			 ret;
 
@@ -145,13 +144,7 @@ server_file_access(struct httpd *env, st
 		goto fail;
 	}
 
-	key.kv_key = "Range";
-	r = kv_find(&desc->http_headers, &key);
-	if (r != NULL)
-		return (server_partial_file_request(env, clt, path, &st,
-		    r->kv_value));
-	else
-		return (server_file_request(env, clt, path, &st));
+	return (server_file_request(env, clt, path, &st));
 
  fail:
 	switch (errno) {