Patches for the OpenBSD base system are distributed as unified diffs.
Each patch is cryptographically signed with the
signify(1) tool and contains
usage instructions.
All the following patches are also available in one
tar.gz file
for convenience.
Alternatively, the syspatch(8)
utility can be used to apply binary updates on the following architectures:
amd64, i386, arm64.
Patches for supported releases are also incorporated into the
-stable branch.
001: RELIABILITY FIX: May 3, 2019 All architectures
If a userland program sets the IPv6 checksum offset on a raw socket,
an incoming packet could crash the kernel. ospf6d is such a program.
A source code patch exists which remedies this problem.
004: RELIABILITY FIX: June 10, 2019 All architectures
Several issues were corrected in bgpd: "network" statements with no fixed
prefix were incorrectly removed when configuration was reloaded, "export
default-route" did not work, and "network 0.0.0.0/0" could not be used
in some cases.
A source code patch exists which remedies these problems.
005: RELIABILITY FIX: June 10, 2019 All architectures
TLS handshakes fail if a client supporting TLS 1.3 tries to connect to
an OpenBSD server and sends a key share extension that does not include
X25519.
A source code patch exists which remedies this problem.
010: RELIABILITY FIX: September 2, 2019 All architectures
When processing ECN bits on incoming IPv6 fragments, the kernel
could crash. By default, pf fragment reassembly prevents the crash.
A source code patch exists which remedies this problem.
018: SECURITY FIX: November 22, 2019 i386 and amd64
A local user could cause the system to hang by reading specific
registers when Intel Gen8/Gen9 graphics hardware is in a low power state.
A local user could perform writes to memory that should be blocked with
Intel Gen9 graphics hardware.
A source code patch exists which remedies this problem.
024: SECURITY FIX: December 11, 2019 All architectures
ld.so may fail to remove the LD_LIBRARY_PATH environment variable for
set-user-ID and set-group-ID executables in low memory conditions.
A source code patch exists which remedies this problem.
030: SECURITY FIX: January 30, 2020 All architectures
An incorrect check allows an attacker to trick mbox delivery into executing
arbitrary commands as root and lmtp delivery into executing arbitrary commands
as an unprivileged user.
A source code patch exists which remedies this problem.
031: SECURITY FIX: February 24, 2020 All architectures
An out of bounds read in smtpd allows an attacker to inject arbitrary
commands into the envelope file which are then executed as root.
Separately, missing privilege revocation in smtpctl allows arbitrary
commands to be run with the _smtpq group.
A source code patch exists which remedies this problem.