BSDSec

deadsimple BSD Security Advisories and Announcements

OpenBSD errata, Jan 31, 2017

An issue has been identified whereby httpd(8) could be subject to a denial
of service attack. Repeated crafted requests could be made from a client
using file-range requests, making the server consume excessive amounts of
memory.

This issue has been fixed in current. For 5.9 and 6.0 the following errata
will disable range header processing in httpd(8) to prevent the problem.

Thanks to Pierre Kim <pierre.kim.sec@gmail.com> for reporting
the issue.

https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/017_httpd.patch.sig

https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/034_httpd.patch.sig