I can see from the OpenBSD CVS logs that the OpenBSD port was updated to 1.4.18 (fixing a security issue) on Fri Oct 5 14:56:50 2007 UTC.
The 4.2 lighttpd package is 1.4.16, so did the fix occur after the 4.2 freeze? Also, I didn't see any posts on ports-security for this issue. Is the gmane listing [1] incomplete, or do some issues not make it to ports-security?

Thanks,
m

[1] http://news.gmane.org/group/gmane.os.openbsd.ports.security/last=/force_load=t