untrusted comment: signature from openbsd 6.2 base secret key
RWRVWzAMgtyg7muXnnH4b4wF8m2Nk6cTN+IJpH3FdrAHXKaCqqWl/urPPwC8GZfsyR40d0UAvAOvv3i3GoiKJlnXgHcSXNw5HAM=

OpenBSD 6.2 errata 012, April 21, 2018:

httpd can leak file descriptors when servicing range requests.

Apply by doing:
    signify -Vep /etc/signify/openbsd-62-base.pub -x 012_httpd.patch.sig \
	-m - | (cd /usr/src && patch -p0)

And then rebuild and install httpd:
    cd /usr/src/usr.sbin/httpd
    make obj
    make depend
    make
    make install

Index: usr.sbin/httpd/server_http.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
retrieving revision 1.117
diff -u -p -r1.117 server_http.c
--- usr.sbin/httpd/server_http.c	15 May 2017 10:40:47 -0000	1.117
+++ usr.sbin/httpd/server_http.c	18 Apr 2018 09:47:29 -0000
@@ -701,6 +701,7 @@ server_read_httprange(struct bufferevent
 		r->range_index++;
 		break;
 	case TOREAD_HTTP_NONE:
+		goto done;
 	case 0:
 		break;
 	}