Applying binary errata patches on OpenBSD


Keeping OpenBSD up to date is quite easy using the errata patches. But this requires using cvs and make to download, compile and apply those patches. In some cases, this is also true for ports. There is a way to deal with binary objects only: openup by M:Tier. This is how to do it.

Log on to your OpenBSD server and download openup:

# ftp
# chmod 0755 openup

Check what would be done. This command can be run from crontab every night to let you know when updates are available.

# ./openup -c
--- binpatch59-amd64-crypto ---
Available update(s): OpenBSD erratum 012: Correct a problem that
could result in incorrect parsing/encoding of times in OCSP messages.
--- binpatch59-amd64-kernel ---
Available update(s): OpenBSD erratum 020: Unchecked parameters and
integer overflows in the amap allocation routines could cause
malloc(9) to either not allocate enough memory, leading to memory
corruption, or to trigger a "malloc: allocation too large" panic.
--- binpatch59-amd64-libexpat ---
Available update(s): OpenBSD erratum 010: Fix issues in libepxat
to prevent multiple integer and buffer overflows.
--- binpatch59-amd64-smtpd ---
Available update(s): OpenBSD erratum 006: Addresses multiple issues
in smtpd: Fix logic issue in smtp state machine that can lead to
invalid state and result in crash and plug file pointer leak that
can lead to resources exhaustion and result in crash.
--- binpatch59-amd64-sshd ---
Available update(s): OpenBSD erratum 001: Lack of credential
sanitization allows injection of commands to xauth(1). Prevent this
problem immediately by not using the "X11Forwarding" feature (which
is disabled by default).
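
For the nightly cron check, the report above can be condensed into a short mail body that stays empty when nothing is pending and flags kernel patches, since those need a reboot. This is an added example, not part of openup or of the original post; the function names are hypothetical and it assumes the `openup -c` report format shown above.

```shell
#!/bin/sh
# Added example, not part of openup. Assumes the "openup -c" report
# format shown above.

# Print "<binpatch> <erratum number>" for each pending patch on stdin.
pending_patches() {
    awk '
        /^--- .* ---$/ { pkg = $2; next }
        /^Available update\(s\): OpenBSD erratum [0-9]+:/ {
            num = $5; sub(/:$/, "", num)
            if (pkg != "") print pkg, num
        }'
}

# Exit 0 when the pending list (stdin) contains a kernel binpatch,
# which means a reboot will be required after applying.
kernel_pending() {
    grep -q -- '-kernel '
}

# Build the mail body. Prints nothing when no patch is pending, so cron
# stays silent on quiet nights.
nightly_report() {
    list=$(pending_patches)
    [ -n "$list" ] || return 0
    count=$(printf '%s\n' "$list" | wc -l | tr -d ' ')
    printf '%s binary patch(es) pending:\n' "$count"
    printf '%s\n' "$list" | sed 's/^/  /'
    if printf '%s\n' "$list" | kernel_pending; then
        printf 'Kernel patch pending: schedule a reboot.\n'
    fi
}

# Constructed sample, shortened from the report shown above.
sample_output() {
    cat <<'EOF'
--- binpatch59-amd64-kernel ---
Available update(s): OpenBSD erratum 020: Unchecked parameters and
integer overflows in the amap allocation routines could cause
--- binpatch59-amd64-sshd ---
Available update(s): OpenBSD erratum 001: Lack of credential
sanitization allows injection of commands to xauth(1).
EOF
}

# Demo run. From cron, pipe the real check instead:
#   ./openup -c | nightly_report
sample_output | nightly_report
```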

If you want to apply the patches, you simply have to run:

# ./openup
===> Checking for openup update
===> Downloading and installing public key
===> Installing/updating binpatch(es)
quirks-2.197 signed on 2016-02-26T22:06:23Z
binpatch59-amd64-crypto-4.0: ok
Multiprocessor machine; using instead of bsd.
binpatch59-amd64-kernel-13.0: ok
binpatch59-amd64-libexpat-1.0: ok
binpatch59-amd64-smtpd-1.0: ok
binpatch59-amd64-sshd-1.0: ok
===> Updating package(s)
quirks-2.197 signed on 2016-02-26T22:06:23Z
!!! System must be rebooted after the last kernel update

When this is done, simply reboot the server, as required by the kernel update.

M:Tier also provides updates for ports. I thought those were available from the OpenBSD FTP server. But according to the listing for 5.9 packages, M:Tier provides some more up-to-date binary packages.

Before using it, I was wondering how trustworthy this company could be. Then I found an article on the Journal where Antoine Jacoutot (ajacoutot@) writes about this stuff and M:Tier, the company he works for.