September 3rd, 2002, 11:23
Patching your OpenBSD:

This is a little how-to to hopefully clarify all your options when it comes to
patching your OpenBSD box to the latest lists from openbsd.org. In this sample
we are going to use 3.1 as our example.

Obviously, the first thing you want to do is keep your eye on the errata and
patch list for your particular version of OBSD here:


You may also want to join security-announce mailing list offered @ openbsd.org

So, once you've determined that there are patches to be installed on your system
you've got a few choices:

1) Do nothing. (bad choice!!!)
2) Download the src.tar.gz file and each individual patch
3) Use CVS to update your src to the stable branch of your particular release
4) Use CVS to update and run -current

1) Do Nothing:

Nuff said.

2) Download src.tar.gz and patch:

I would say that this is likely the most popular method, and likely the easiest
for most scenarios.

For 3.1, grab the src.tar.gz file via ftp from /pub/OpenBSD/3.1. This will be
the src files as of the release of 3.1. Download it and then:

cd /usr/src/; tar xvfpz /path/to/src.tar.gz

Once you've got it unpacked, check for patches. If a patch is released, grab it

via ftp, the file may be in the "common" dir or in your particular architecture
(i386). Whichever, the base of these are found in /pub/OpenBSD/patches/3.1/

Download the patch and move it into /usr/src then do something like this:

rev31# head -20 001_sshafs.patch
Fix buffer overflow in AFS/Kerberos token handling.

This is the 3rd revision of the patch.

Apply by doing:
cd /usr/src
patch -p0 < 001_sshafs.patch
cd usr.bin/ssh
make obj
make cleandir
make depend
make && make install

Index: usr.bin/ssh/radix.c
================================================== =================
RCS file: /cvs/src/usr.bin/ssh/radix.c,v
retrieving revision 1.17
retrieving revision 1.20
diff -u -r1.17 -r1.20
--- usr.bin/ssh/radix.c 19 Nov 2001 19:02:16 -0000 1.17

This will show you the top 20 lines of the patch and provide you with the
instructions you need to correctly install the patch. Simply follow those
instructions and you're patched up! Depending on the patch you may need/want to
restart the patched daemon or rebuild a kernel etc, this should be obvious to
you from the patch.

3) Use CVS to update your src

This is my personal choice of method to update because it doesn't require you to
pull down each patch and apply it. If you CVS the stable branch it will provide
you with already patched src files from which you can simply rebuild the src in
question or redo the enitre build if you so desire. If you combine this option
with make release (see my other how-to) it provides you with a quick, convenient
and simple means by which you can update one or multiple boxes.

CVS can use a number of different methods of grabbing src, all of which is
detailed @ openbsd.org. The method shown below will use ssh to do it securely.

NOTE: If you're using older versions of OBSD, ssh may not be the default method
as it is in 3.1... I dunno and you need to check ;-)

First, we need to go out and grab the latest stable src. If you're doing this
for the first time the src will be patched up to that specific date so until
another patch is released you will not need to update your src. I tend to use a
small shell script like this to suit my needs:

rev31# cat /usr/CVS_get_src

rm -rf /usr/obj/*
rm -rf /usr/src
cvs -q -d anoncvs@anoncvs1.ca.openbsd.org:/cvs get -rOPENBSD_3_1 -P src

This will remove any cruft you may have in /usr/obj and remove any src you
currently have in /usr/src. It then contacts an anoncvs server (see here for a
list of mirrors: http://www.openbsd.org/anoncvs.html#CVSROOT ... be sure to
choose one which supports ssh and is updated frequently). Once you're connected
you will begin to download the current src. This can and will take a while so
be patient!

Once this is done, if there aren't to many items to patch you can do them one by
one. So, take our patch example from Method 2 above, the patch for the buffer
overflow in AFS/Kerberos. You would just:

# cd /usr/src/usr.bin/ssh
# make obj
# make cleandir
# make depend
# make && make install

Say you've got a wack of patches to install you may just want to rebuild your
kernel (always the safest bet!!!), reboot it and then:

# cd /usr/src
# rm -r /usr/obj/*
# make obj && make build

This will rebuild all binaries to the fully patched -stable branch you just
download via CVS.

When new patches are released, you can update your src via CVS by using another
shell script such as the following:

rev31# cat /usr/CVS_up_src

cd /usr/src
cvs -q up -rOPENBSD_3_1 -Pd

This will contact the the CVS server you specified/used in the CVS_get_src,
compare your src tree to it's and download anything new or that has changed.
You can then apply patches in either method desribed above. The above is also
easy to put in a cron job to automate this task for you.

4) Use CVS to update and run -current:

I would suggest that this method is not for the novice or faint of heart.
Running -current can be tricky... things change often here and aren't documented
nearly as clearly and available as actual releases.... so be forewarned :-)

That being said, I run -current on my home box and love it ;-)

Furthermore, the FAQ on openbsd.org is far more clear and detailed and precise
than I could ever be so if this is the avenue you want... have a look-see:



As I mentioned somewhere above, the patching can be used in conjunction with
"make release" to provide you with a brilliant means by which you can update
multiple boxes or build new boxes that are already fully patched. See my other
How-To for more.

If you find you're doing a lot of patching and buidling, you may find it very
beneficial to build your disks with /usr/obj and /usr/src as their own
partitions. This way, if you want to quickly remove /usr/obj/* or /usr/src/*,
instead of issuing the painfully slow rm -r you can unmount the filesystem,
issue a newfs command and then remount.

Finally, to steal a line referring to my How-To from my old mentor Bruce Walker:

"Enjoy! (No warranty; code is packed by weight, contents may settle...)"