Applying binary errata patches on OpenBSD
Keeping OpenBSD up to date is quite easy using the Errata Patches, but this requires using cvs and make to download, compile and apply those patches. In some cases, this is also true for ports. There is a way to deal with binary objects only: openup by M:Tier. This is how to do it.
Log on to your OpenBSD server and download openup:
    # ftp https://stable.mtier.org/openup
    # chmod 0755 openup
Check what would be done. This command can be run by crontab every night to let you know updates are available.
    # ./openup -c
    --- binpatch59-amd64-crypto ---
    Available update(s):
    OpenBSD erratum 012: Correct a problem that could result in incorrect parsing/encoding of times in OCSP messages.
    --- binpatch59-amd64-kernel ---
    Available update(s):
    OpenBSD erratum 020: Unchecked parameters and integer overflows in the amap allocation routines could cause malloc(9) to either not allocate enough memory, leading to memory corruption, or to trigger a "malloc: allocation too large" panic.
    --- binpatch59-amd64-libexpat ---
    Available update(s):
    OpenBSD erratum 010: Fix issues in libepxat to prevent multiple integer and buffer overflows.
    --- binpatch59-amd64-smtpd ---
    Available update(s):
    OpenBSD erratum 006: Addresses multiple issues in smtpd: Fix logic issue in smtp state machine that can lead to invalid state and result in crash and plug file pointer leak that can lead to resources exhaustion and result in crash.
    --- binpatch59-amd64-sshd ---
    Available update(s):
    OpenBSD erratum 001: Lack of credential sanitization allows injection of commands to xauth(1). Prevent this problem immediately by not using the "X11Forwarding" feature (which is disabled by default).
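The nightly check mentioned above, as an added example that is not part of the original post or of openup itself: a cron wrapper that parses the `openup -c` output and prints a report only when binpatches are pending, so cron sends mail only when there is something to apply. The install path `/usr/local/sbin/openup`, the `check` argument, the script name and the function names are assumptions, and the sample input is constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not part of openup. Assumes `openup -c` prints a
# "--- <binpatch-name> ---" header per pending update, as shown above.
OPENUP="${OPENUP:-/usr/local/sbin/openup}"   # assumed install path

# stdin: `openup -c` output; stdout: one pending binpatch name per line.
pending_patches() {
    sed -n 's/^--- \(.*\) ---$/\1/p'
}

# stdin: pending names; succeeds if a kernel binpatch (reboot) is among them.
needs_reboot() {
    grep -q -- '-kernel$'
}

# $1: `openup -c` output. Prints a report, or nothing when no update is pending.
build_report() {
    names=$(printf '%s\n' "$1" | pending_patches)
    [ -n "$names" ] || return 0
    count=$(printf '%s\n' "$names" | wc -l | tr -d ' ')
    echo "$count binpatch update(s) pending on $(hostname):"
    printf '%s\n' "$names" | sed 's/^/  /'
    if printf '%s\n' "$names" | needs_reboot; then
        echo "Kernel binpatch pending: plan a reboot after applying."
    fi
    echo
    printf '%s\n' "$1"   # full erratum text for the reader of the mail
}

# Constructed sample input, shortened from the output shown above.
SAMPLE='--- binpatch59-amd64-kernel ---
Available update(s):
OpenBSD erratum 020: (description shortened)
--- binpatch59-amd64-sshd ---
Available update(s):
OpenBSD erratum 001: (description shortened)'

# Called from root's crontab as: sh openup-check.sh check
# (script name is hypothetical). cron mails whatever is printed.
if [ "${1:-}" = "check" ]; then
    build_report "$("$OPENUP" -c 2>&1)"
fi
```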
If you want to apply the patches, you simply have to run:
    # ./openup
    ===> Checking for openup update
    ===> Downloading and installing public key
    ===> Installing/updating binpatch(es)
    quirks-2.197 signed on 2016-02-26T22:06:23Z
    binpatch59-amd64-crypto-4.0: ok
    Multiprocessor machine; using bsd.mp instead of bsd.
    binpatch59-amd64-kernel-13.0: ok
    binpatch59-amd64-libexpat-1.0: ok
    binpatch59-amd64-smtpd-1.0: ok
    binpatch59-amd64-sshd-1.0: ok
    ===> Updating package(s)
    quirks-2.197 signed on 2016-02-26T22:06:23Z
    !!!
    !!! System must be rebooted after the last kernel update
    !!!
When this is done, simply reboot the server, as required by the kernel update.
M:Tier also provides updates for ports. I thought those were available from the OpenBSD FTP server. But according to the listing for 5.9 packages, M:Tier provides some more up-to-date binary packages.
Before using it, I was wondering how trustworthy this company could be. Then I found an article on the Journal where Antoine Jacoutot (ajacoutot@) writes about this stuff and M:Tier, the company he works for.