How to apply patches on OpenBSD system/kernel and packages easily

Last updated August 23, 2017

I am a regular Linux system user. In Linux (especially CentOS), I am used to applying updates a few times a week using the yum command, but how do I do that on my OpenBSD server? How do I apply updates on the OpenBSD operating system?

OpenBSD is just like Linux in this respect, but it does not use the yum command. It relies on a tool called pkg_add. You can use pkg_add to apply updates or install new packages in binary format. There are three ways to keep your OpenBSD packages, kernel and base system up to date. The first method requires applying source patches and recompiling the affected software. The second method depends on a 3rd party to supply kernel and binary package patches. The third method uses the syspatch command. I recommend the third method for users of OpenBSD version 6.1 and above.

Method #1: Keeping your OpenBSD 6.1 up to date using source code

First, download the source code for OpenBSD 6.1. Change into /usr/src with the cd command:

Step 1: Grab the source code

# cd /usr/src
Set the OpenBSD mirror and version number as shell variables for ease of use:
# BASE="http://mirror.esc7.net/pub/OpenBSD"
# VER="6.1"

Now grab the source code for both the OpenBSD userland/base system and the kernel, together with the signed checksum file, using the ftp command:
# ftp ${BASE}/${VER}/src.tar.gz \
${BASE}/${VER}/sys.tar.gz \
${BASE}/${VER}/SHA256.sig

Sample outputs:

Fig.01: Grab the source code in /usr/src

Step 2: Verify downloaded files:

Use the signify command:
# signify -C -p /etc/signify/openbsd-61-base.pub -x SHA256.sig src.tar.gz
# signify -C -p /etc/signify/openbsd-61-base.pub -x SHA256.sig sys.tar.gz

Sample outputs:

Fig.02: Verify downloaded files

Untar the tarballs (note that both commands extract; `tar zcf` would create an archive instead):
# tar zxf src.tar.gz
# tar zxf sys.tar.gz
# rm SHA256.sig *.tar.gz
# ls

Sample outputs:
Fig.03: Untar the tarballs

Step 3: Grab the errata for OpenBSD stable 6.1

Download the 6.1 errata patches and apply them. In this example, I’m going to fetch a tar.gz file containing all the patches for the 6.1 release:
# cd /tmp
# ftp https://ftp.openbsd.org/pub/OpenBSD/patches/6.1.tar.gz

Again untar all patches:
# tar -zxf 6.1.tar.gz
See all patches:
# cd /tmp/6.1/common/
# ls

Sample outputs:

Fig.04. Download the OpenBSD 5.9 errata patch

So I have a total of 25 patches for my freshly installed OpenBSD 6.1 server.

Step 4: Apply the patch (kernel and base system) one-by-one:

Let us start with the 001_sshd.patch.sig patch file. Type the following command to read the errata/patch info embedded at the top of the signed file:
# more 001_sshd.patch.sig
Sample outputs:

Fig.05: Finding more info about the patch and how to apply it on OpenBSD

You can verify the signature and apply the patch in one step by doing:
# signify -Vep /etc/signify/openbsd-59-base.pub -x 001_sshd.patch.sig \
-m - | (cd /usr/src && patch -p0)

Sample outputs:

Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Signature Verified
|
|OpenBSD 5.9 errata 1, Mar 10, 2016:
|
|Lack of credential sanitization allows injection of commands to xauth(1).
|More information: http://www.openssh.com/txt/x11fwd.adv
|
|Prevent this problem immediately by not using the "X11Forwarding" feature
|(which is disabled by default).
|
|Apply by doing:
|    signify -Vep /etc/signify/openbsd-59-base.pub -x 001_sshd.patch.sig \
|        -m - | (cd /usr/src && patch -p0)
|
|And then rebuild and install sshd:
|    cd /usr/src/usr.bin/ssh
|    make obj
|    make depend
|    make
|    make install
|
|Index: usr.bin/ssh/session.c
|===================================================================
|RCS file: /cvs/src/usr.bin/ssh/session.c,v
|retrieving revision 1.280
|diff -u -p -u -r1.280 session.c
|--- usr.bin/ssh/session.c      16 Feb 2016 03:37:48 -0000      1.280
|+++ usr.bin/ssh/session.c      9 Mar 2016 17:02:44 -0000
--------------------------
Patching file usr.bin/ssh/session.c using Plan A...
Hunk #1 succeeded at 40.
Hunk #2 succeeded at 257.
Hunk #3 succeeded at 346.
Hunk #4 succeeded at 1826.
done

And then rebuild and install patched sshd:
# cd /usr/src/usr.bin/ssh
# make obj && make depend && make && make install

You may have to reboot the system for kernel updates. Please note that each errata patch carries its own instructions on how to apply and install it (which directory to rebuild, whether a reboot is needed), so read each one carefully with the more command before applying it. Repeat this procedure for the rest of the downloaded patches. I also suggest subscribing to the OpenBSD announce mailing list to be notified of new errata.
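As an added example (my own helper, not a script from the original post), here is a POSIX sh wrapper for the repeat-for-every-patch step above. It assumes the errata header layout shown in the sample output (an "Apply by doing:" section, an "And then rebuild ...:" section with indented commands, then the "Index:" line that starts the diff), picks the signify key that matches the release, refuses to patch anything whose signature does not verify, and prints the rebuild steps each verified patch documents:

```shell
#!/bin/sh
# Added example helper for Method #1 step 4; not part of the original post.
set -eu

# Map a release string such as "6.1" to the signify key OpenBSD ships for it,
# e.g. /etc/signify/openbsd-61-base.pub, so the key always matches the
# release whose errata are being verified (6.1 patches, 6.1 key).
signify_key_for() {
    echo "/etc/signify/openbsd-$(echo "$1" | tr -d .)-base.pub"
}

# Print the rebuild/install commands documented in a verified errata file:
# the indented lines after "And then rebuild ..." up to the first "Index:"
# line (where the unified diff begins). Assumes the header format shown above.
rebuild_steps() {
    awk '/^Index:/ {exit}
         /^And then rebuild/ {grab=1; next}
         grab && /^[[:blank:]]+[^[:blank:]]/ {sub(/^[[:blank:]]+/, ""); print}' "$1"
}

# For release $1, verify every NNN_name.patch.sig in directory $2, write the
# verified message next to it as NNN_name.patch, apply it under /usr/src and
# show the rebuild steps. A file whose signature fails is skipped, never patched.
apply_all_errata() {
    key=$(signify_key_for "$1")
    for sig in "$2"/[0-9][0-9][0-9]_*.patch.sig; do
        msg="${sig%.sig}"
        if ! signify -Vep "$key" -x "$sig" -m "$msg" >/dev/null 2>&1; then
            echo "SKIP (signature did not verify): $sig" >&2
            continue
        fi
        (cd /usr/src && patch -p0 < "$msg")
        echo "== rebuild steps documented in $msg =="
        rebuild_steps "$msg"
    done
}
```

Run it as `apply_all_errata "$(uname -r)" /tmp/6.1/common` after sourcing the file; the printed rebuild steps still have to be executed by hand, exactly as the errata text instructs.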

Step 5: Upgrade all 3rd party packages

Simply type the following command:
# export PKG_PATH=ftp://mirror.planetunix.net/pub/OpenBSD/`uname -r`/packages/`machine -a`/
# pkg_add -Uuv

See this page for more info.

Method #2: Keeping your OpenBSD 5.9 up to date using binary patches mode (3rd party)

Here is some info on M:Tier:

Keeping your installed OpenBSD packages up to date is hard and time-consuming. Nobody wants to read the mailing lists to spot security fixes and/or updates never mind wanting to build new packages from their ports tree and manually install them on each of their servers and/or desktops.

For this reason M:Tier is launching a new package repository which includes the latest security fixes and critical updates for OpenBSD since 5.3.

It’s easy to set up and even easier to maintain…you don’t need to do anything anymore. M:Tier will even notify you by e-mail if there’s an update available (unless you opt-out).

Say hello to openup from mtier

You can use the openup command. It is a small utility for OpenBSD that can be run standalone and that checks for security updates in both packages and the base system. openup uses the regular pkg tools; it does not implement anything on top of them. Be aware that you are placing trust in M:Tier and the openup maintainers when you use it. The command acts like ‘yum update’ or ‘apt-get upgrade’. The first step is to grab openup:
# cd /root
# ftp https://stable.mtier.org/openup
# chmod +x openup

Run it to update your system including packages:
# ./openup
Sample outputs from a freshly installed OpenBSD 5.9 system:

Fig.05: Use M:Tier's OpenBSD packages and binpatches updates to keep your system up to date including 3rd party packages

Here is another example. In this case I’m running openup on a system freshly upgraded from OpenBSD 5.9 to 6.0:
# /root/openup
===> Checking for openup update
===> Downloading and installing public key
===> Removing old release binpatch entries
===> Installing/updating binpatch(es)
quirks-2.241 signed on 2016-07-26T16:56:10Z
binpatch60-amd64-kernel-1.0: ok
binpatch60-amd64-perl-1.0: ok
binpatch60-amd64-relayd-1.0: ok
binpatch60-amd64-smtpd-1.0: ok
===> Updating package(s)
quirks-2.241 signed on 2016-07-26T16:56:10Z
!!!
!!! System must be rebooted after the last kernel update
!!!
#

Please note that M:Tier offers two service levels:

  1. LTS: binpatches, LTS package updates and support for the two most recent releases
  2. free: binpatches and stable packages for the most recent release

See this page for more info on openup and its paid and free services.

Method #3: Keeping your OpenBSD 6.1 server up to date using syspatch method on amd64/i386

OpenBSD version 6.1 comes with the syspatch command to fetch, verify, install and revert OpenBSD binary patches for the base system. This is now the recommended method for all OpenBSD users.

Apply all patches

Type the following command:
$ doas syspatch
Sample outputs:

Get/Verify syspatch61-007_freetyp... 100% |*************************|   732 KB    00:01    
Installing patch 007_freetype
Missing set, skipping patch 007_freetype
Get/Verify syspatch61-025_ieee802... 100% |*************************|  9356 KB    00:14    
Installing patch 025_ieee80211

To see available patches, run:

$ doas syspatch -c
Sample outputs:

007_freetype

To see all installed patches, run:

$ doas syspatch -l
Sample outputs:

001_dhcpd
002_vmmfpu
003_libressl
004_softraid_concat
005_pf_src_tracking
006_libssl
008_exec_subr
009_icmp_opts
010_perl
012_wsmux
013_icmp6_linklocal
014_libcrypto
015_sigio
016_sendsyslog
017_fuse
018_recv
019_tcp_usrreq
020_sockaddr
021_ptrace
022_fcntl
023_wsdisplay
024_sosplice
025_ieee80211

To revert the most recently installed patch, run:

$ doas syspatch -r
Sample outputs:

Reverting patch 025_ieee80211

How to update all apps

Type the following command:
$ doas pkg_add -Uuv
Sample outputs:

Update candidates: quirks-2.304 -> quirks-2.304
quirks-2.304 signed on 2017-04-02T15:01:33Z
Update candidates: bash-4.4.12 -> bash-4.4.12
Update candidates: curl-7.53.1 -> curl-7.53.1
Update candidates: gettext-0.19.8.1 -> gettext-0.19.8.1
Update candidates: libiconv-1.14p3 -> libiconv-1.14p3
Update candidates: libidn2-0.16 -> libidn2-0.16
Update candidates: libpsl-0.17.0 -> libpsl-0.17.0
Update candidates: libunistring-0.9.7 -> libunistring-0.9.7
Update candidates: nghttp2-1.21.0 -> nghttp2-1.21.0
Update candidates: pcre-8.38p0 -> pcre-8.38p0
Update candidates: pftop-0.7p15 -> pftop-0.7p15
Update candidates: wget-1.19.1 -> wget-1.19.1

For more info, see the syspatch and pkg_add man pages:
$ man syspatch
$ man pkg_add

Posted by: Vivek Gite
