How to patch Meltdown vulnerability on OpenBSD Unix

I read that OpenBSD is the first operating system in the BSD family to release updates for its stable releases to mitigate the Meltdown vulnerability. How do I patch Meltdown on the OpenBSD Unix operating system?

OpenBSD is an open-source Unix-like computer operating system descended from Berkeley Software Distribution (BSD). Theo de Raadt forked it from NetBSD. A very serious security problem has been found and patched in the OpenBSD kernel.


A very serious security problem has been found in Intel CPUs. The Meltdown CPU vulnerability (CVE-2017-5754) breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. It was announced on 3rd January 2018. It was independently discovered and reported by various teams, including Google Project Zero. This page shows how to patch the Meltdown vulnerability on OpenBSD Unix.

Patch Meltdown vulnerability on OpenBSD

The Meltdown mitigation has been backported to the OpenBSD 6.1 and 6.2 (amd64) releases, and the syspatch update for version 6.2 is now available. First, log in to your OpenBSD box using the ssh command or the system console:
$ ssh vivek@192.168.122.124

Find current kernel version

Type the following uname command:
$ uname -r
Sample outputs:

6.2

Become the root user using the su command or the doas command:
$ su -

Apply patch

OpenBSD uses a command called syspatch. It is a utility to fetch, verify, install and revert OpenBSD binary patches. It must be run as the root user. When run without any options, the syspatch command installs all missing patches, including the Meltdown patch. Type the following syspatch command:
# syspatch
You can verify installed patches with the following command:
# syspatch -l
Sample outputs:

001_tcb_invalid
002_fktrace
003_mpls
004_libssl
005_ahopts
006_prevhdr
007_etherip
008_unbound
009_meltdown

See “How to apply patches on OpenBSD system/kernel and packages easily” for more info.

Reboot the box

Type the following reboot command:
# reboot
Verify it:
# dmesg | grep -i meltdown
Sample outputs:

cpu0: FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,OSXSAVE,AVX,HV,NXE,RDTSCP,LONG,LAHF,3DNOWP,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,RDSEED,ADX,SMAP,MELTDOWN
cpu1: FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,OSXSAVE,AVX,HV,NXE,RDTSCP,LONG,LAHF,3DNOWP,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,RDSEED,ADX,SMAP,MELTDOWN
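
The two checks above (`syspatch -l` and `dmesg | grep -i meltdown`) can be combined so that a host with the patch installed but not yet rebooted is reported separately. The script below is an added example, not part of the original tutorial; the function names, status words and sample data are hypothetical, and it assumes the output formats shown on this page.

```sh
# Added example, not from the original page. Input formats are assumed to
# match the `syspatch -l` and `dmesg` samples shown on this page.
# Succeeds if stdin (syspatch -l output) lists a NNN_meltdown patch.
patch_listed() {
    grep -Eq '^[0-9]{3}_meltdown$'
}

# Reads dmesg text on stdin, prints "<flagged> <total>" CPU feature lines.
# The message buffer may still hold an earlier boot, so counters restart at
# every "OpenBSD ..." boot banner and only the latest boot is counted.
# Assumption: feature lines look like "cpuN: FPU,..." as in the sample.
cpu_flag_counts() {
    awk '
        /^OpenBSD / { total = 0; flagged = 0; next }
        /^cpu[0-9]+: FPU,/ {
            total++
            if ($0 ~ /,MELTDOWN$/ || $0 ~ /,MELTDOWN,/) flagged++
        }
        END { print flagged + 0, total + 0 }
    '
}

# classify "<syspatch -l output>" "<dmesg output>" -> prints one status word
classify() {
    if ! printf '%s\n' "$1" | patch_listed; then
        echo "patch-missing"; return 0
    fi
    counts=$(printf '%s\n' "$2" | cpu_flag_counts)
    flagged=${counts% *}
    total=${counts#* }
    if [ "$total" -eq 0 ]; then
        echo "no-cpu-lines"
    elif [ "$flagged" -eq "$total" ]; then
        echo "patched-kernel-running"
    else
        echo "marker-missing"   # e.g. patch installed but reboot pending
    fi
}

# Constructed, abbreviated sample data (not captured from a real host).
SAMPLE_PATCHES='008_unbound
009_meltdown'
SAMPLE_DMESG='OpenBSD 6.2 (GENERIC.MP) #0: constructed older boot
cpu0: FPU,DE,PSE,SMEP,SMAP
OpenBSD 6.2 (GENERIC.MP) #1: constructed latest boot
cpu0: FPU,DE,PSE,SMEP,SMAP,MELTDOWN
cpu1: FPU,DE,PSE,SMEP,SMAP,MELTDOWN'
classify "$SAMPLE_PATCHES" "$SAMPLE_DMESG"
```

On a live host, run it as root with `classify "$(syspatch -l)" "$(dmesg)"` in place of the sample variables.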

You may want to upgrade packages too using the pkg_add command:
# pkg_add -Uuv
Sample outputs:

Update candidates: quirks-2.367 -> quirks-2.367
quirks-2.367 signed on 2017-10-03T11:21:28Z
Update candidates: gettext-0.19.8.1p1 -> gettext-0.19.8.1p1
Update candidates: lftp-4.7.8 -> lftp-4.7.8
Update candidates: libiconv-1.14p3 -> libiconv-1.14p3
Update candidates: libidn-1.33 -> libidn-1.33
Update candidates: readline-6.3 -> readline-6.3
Update candidates: rsync-3.1.2p0 -> rsync-3.1.2p0

See OpenBSD commit message regarding Meltdown vulnerability on OpenBSD.
