untrusted comment: signature from openbsd 6.3 base secret key
RWRxzbLwAd76Zem1eMqTeUCAWTwGZCkcng677S+slSJ9uLlFB5xdZCfw2vOXudduM/CZhkjJQlatQ4xeLsCzUTAlWpb3X3tI1g4=

OpenBSD 6.3 errata 005, April 21, 2018:

httpd can leak file descriptors when servicing range requests.

Apply by doing:
    signify -Vep /etc/signify/openbsd-63-base.pub -x 005_httpd.patch.sig \
	-m - | (cd /usr/src && patch -p0)

And then rebuild and install httpd:
    cd /usr/src/usr.sbin/httpd
    make obj
    make
    make install

Index: usr.sbin/httpd/server_http.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
retrieving revision 1.118
diff -u -p -r1.118 server_http.c
--- usr.sbin/httpd/server_http.c	14 Dec 2017 21:19:47 -0000	1.118
+++ usr.sbin/httpd/server_http.c	18 Apr 2018 09:47:49 -0000
@@ -701,6 +701,7 @@ server_read_httprange(struct bufferevent
 		r->range_index++;
 		break;
 	case TOREAD_HTTP_NONE:
+		goto done;
 	case 0:
 		break;
 	}