I am a new FreeBSD developer and user. I have root access to my VM running in AWS cloud. How do I update packages and apply security upgrades on FreeBSD? What is the procedure for applying security updates on FreeBSD?

FreeBSD separates the base system from packages supplied by other vendors. You apply security updates to the base system with the freebsd-update command, and you upgrade FreeBSD packages with the pkg command. Let us see step-by-step instructions for applying security updates to your FreeBSD server or desktop system and updating its packages.
Tutorial details
Difficulty level Easy
Root privileges Yes
Requirements Unix terminal
Category Package Manager
Prerequisites FreeBSD
OS compatibility FreeBSD Jai
Est. reading time 3 minutes

FreeBSD Applying Security Updates

The procedure is as follows:

  1. First, log in as an ordinary user and switch to the root user using the sudo command or su command.
  2. Capture a list of currently installed FreeBSD software, run:
    pkg list > file
  3. Apply all base FreeBSD OS security updates to your system, run:
    freebsd-update fetch install
  4. Install FreeBSD package security upgrades, type:
    pkg update && pkg upgrade
  5. Reboot the FreeBSD machine to apply kernel updates, run:
    reboot

Let us see all commands and examples for FreeBSD to update packages.

Save software list

Login as the root user, type:
$ su -
OR
$ sudo -i
Note down the FreeBSD version and patch level, run:
# freebsd-version
From FreeBSD 12.x or 13.x:

12.0-RELEASE-p1
## OR ## 
13.2-RELEASE-p1

Type the following command to list the installed packages and save the list in a file named /root/pre-pkg-update-YYYYMMDD:
# pkg info > "/root/pre-pkg-update-`date +%Y%m%d`"
The bash/sh users can type the following command:
# pkg info > "/root/pre-pkg-update-$(date +%Y%m%d)"
Use the cat command or less command/more command to view the file:
# ls -l /root/pre-pkg-update-*
# cat /root/pre-pkg-update-`date +%Y%m%d`
# less /root/pre-pkg-update-`date +%Y%m%d`


Fetch FreeBSD base OS updates from server

Simply run the following FreeBSD update command:
# freebsd-update fetch
Here is what I see from my FreeBSD 13 server (it is a list of files that FreeBSD will update to patch the system):

src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 2 mirrors found.
Fetching metadata signature for 13.0-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata patches.. done.
Applying metadata patches... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 15 patches.....10.. done.
Applying patches... done.
The following files will be updated as part of updating to
13.0-RELEASE-p6:
/bin/freebsd-version
/boot/kernel/kernel
/boot/kernel/libalias.ko
/lib/libalias.so.7
/rescue/[
....
..
....
/rescue/gzip
/rescue/halt

Install downloaded updates on FreeBSD machine

Next, apply all outstanding base OS security updates to your system. In other words, to update the FreeBSD base OS, run:
# freebsd-update install
Sample outputs from FreeBSD 13.x server:

src component not installed, skipped
Installing updates...Scanning //usr/share/certs/blacklisted for certificates...
Scanning //usr/share/certs/trusted for certificates...
Scanning //usr/local/share/certs for certificates...
 done.

How to see reports about vulnerable software packages

Execute one of the following commands (the short and long option forms are equivalent):
# pkg audit -F
# pkg audit --fetch

The -F/--fetch option fetches the vulnerability database before checking. To see a list of vulnerable packages, run:
# pkg audit
Sample outputs indicating that I need to patch the git package on FreeBSD to fix a privilege escalation:

git-2.37.0 is vulnerable:
  git -- privilege escalation
  CVE: CVE-2022-29187
  WWW: https://vuxml.FreeBSD.org/freebsd/b99f99f6-021e-11ed-8c6f-000c29ffbb6c.html

1 problem(s) in 1 installed package(s) found.
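
When many packages are flagged, a one-line-per-package summary is easier to review or mail from cron. The following sh/awk filter is an added example, not part of the original tutorial; `audit_summary` and `sample_audit` are hypothetical names, and the second sample entry is constructed with placeholder identifiers.

```shell
#!/bin/sh
# Added example (not from the original page): condense `pkg audit` output
# into one tab-separated line per vulnerable package.

# audit_summary: reads `pkg audit` text on stdin and prints
#   package<TAB>comma-separated CVEs (or "-")<TAB>first description line
audit_summary() {
    awk '
        function emit() {
            if (pkg != "")
                printf "%s\t%s\t%s\n", pkg, (cves == "" ? "-" : cves), desc
            pkg = ""
        }
        # Finding header, e.g. "git-2.37.0 is vulnerable:"
        / is vulnerable:$/ { emit(); pkg = $1; cves = ""; desc = ""; next }
        # Indented "name -- description" line: keep the first one per package
        pkg != "" && desc == "" && / -- / { sub(/^[ \t]+/, ""); desc = $0; next }
        # Indented "CVE: <id>" lines: a finding may list several
        pkg != "" && $1 == "CVE:" { cves = (cves == "" ? $2 : cves "," $2) }
        END { emit() }
    '
}

# sample_audit: the output shown on this page plus one constructed entry
# (examplepkg, its CVE ids and URL are placeholders, not real advisories).
sample_audit() {
    cat <<'EOF'
git-2.37.0 is vulnerable:
  git -- privilege escalation
  CVE: CVE-2022-29187
  WWW: https://vuxml.FreeBSD.org/freebsd/b99f99f6-021e-11ed-8c6f-000c29ffbb6c.html

examplepkg-1.0 is vulnerable:
  examplepkg -- constructed sample entry
  CVE: CVE-0000-00001
  CVE: CVE-0000-00002
  WWW: https://example.invalid/placeholder

2 problem(s) in 2 installed package(s) found.
EOF
}

# On a FreeBSD host, feed it live data instead: pkg audit -F | audit_summary
sample_audit | audit_summary
```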

Backup package database

You can dump the local package database to a file specified on the command-line:
# pkg backup -d pkg-db-`date +%Y%m%d`
Sample outputs:

Dumping database:
Backing up: 100%

By default, the package database is stored in the /var/db/pkg/ directory:
# ls -l /var/db/pkg/pkg-db-*
You can use the /var/db/pkg/pkg-db-* file to restore the local package database. This is very useful after a database crash or loss. To restore your database from a previous backup, use the following syntax:
# pkg backup -r pkg-db-20190912

Update all FreeBSD packages database

Type:
# pkg update
Here is how to print a list of packages needing upgrade:
$ pkg version -vRL=
It seems three packages need an upgrade:

git-2.37.0                         <   needs updating (remote has 2.37.1)
libgit2-1.3.1                      <   needs updating (remote has 1.3.2)
py38-dateutil-2.8.1                ?   orphaned: devel/py-dateutil
py38-magic-5.41                    ?   orphaned: devel/py-magic
py38-s3cmd-2.2.0                   ?   orphaned: net/py-s3cmd
py38-six-1.16.0                    ?   orphaned: devel/py-six
wayland-1.20.0_3                   <   needs updating (remote has 1.21.0)

Apply all outstanding package security upgrades

Run:
# pkg upgrade

How to reboot the FreeBSD system

Simply run:
# reboot
OR
# shutdown -r now
After rebooting the machine verify FreeBSD version, run:
# freebsd-version
Sample outputs:

12.0-RELEASE-p10

Here is what I saw from FreeBSD 13.x machine:

13.2-RELEASE
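
Run without options, freebsd-version reports the installed userland; its -r and -k options report the running and the installed kernel, and comparing those two tells you whether a reboot is still pending. The sh helper below is an added example, not part of the original tutorial; the function names are hypothetical and the fallback version strings are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): decide whether a reboot is
# still pending after `freebsd-update install`.

# patch_level VERSION: "13.0-RELEASE-p6" -> 6, "13.2-RELEASE" -> 0
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# release_of VERSION: strip the patch suffix, "13.0-RELEASE-p6" -> "13.0-RELEASE"
release_of() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1%-p*}" ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# reboot_state RUNNING_KERNEL INSTALLED_KERNEL
# Prints "up-to-date" or a "reboot-required: ..." reason.
reboot_state() {
    running=$1
    installed=$2
    if [ "$(release_of "$running")" != "$(release_of "$installed")" ]; then
        echo "reboot-required: release changed"
    elif [ "$(patch_level "$running")" -lt "$(patch_level "$installed")" ]; then
        echo "reboot-required: kernel patch pending"
    else
        echo "up-to-date"
    fi
}

if command -v freebsd-version >/dev/null 2>&1; then
    # -r = running kernel, -k = installed kernel
    reboot_state "$(freebsd-version -r)" "$(freebsd-version -k)"
else
    # Constructed values so the example also runs off a FreeBSD host
    reboot_state "13.0-RELEASE-p5" "13.0-RELEASE-p6"
fi
```

The userland patch level can be higher than the kernel's, because not every security patch touches the kernel.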

Conclusion

This page explained how to upgrade your production FreeBSD machine using various commands for applying security updates. Read the pkg and freebsd-update man pages on your FreeBSD machine using the man command:
$ man pkg
$ man freebsd-update


3 comments
  • Christoph Apr 12, 2023 @ 3:10

    Thank you for sharing all these commands. It was useful for my EC2 FreeBSD 13 server.

  • Nigel Horne Jul 22, 2023 @ 15:33

    I got “pkg-update: command not found”. Yes I was as root.

    Also, freebsd-update only works on Tier 1 platforms.

    • Vivek Gite (Author and Admin) Jul 22, 2023 @ 17:28

      It is “pkg update” and not “pkg-update”
