Patching OpenBSD
Patches
Patches for OpenBSD are applied to the source code; there are no binary patches available. Recompilation of the kernel or other parts of the operating system is necessary. Patches may be downloaded from the OpenBSD errata page. The following example shows patching of OpenBSD 4.4 i386 as of 03/28/2009.
To get the system ready to be patched, the OpenBSD source code must be unpacked. You can find it on the third CD-ROM or on the Internet:
# mkdir -p /home/openbsd/src
# cd /home/openbsd/
# ftp -4 -V ftp://openbsd.informatik.uni-erlangen.de/pub/OpenBSD/4.4/src.tar.gz
# ftp -4 -V ftp://openbsd.informatik.uni-erlangen.de/pub/OpenBSD/4.4/sys.tar.gz
# ftp -4 -V ftp://openbsd.informatik.uni-erlangen.de/pub/OpenBSD/4.4/xenocara.tar.gz
# cd src
# tar xfz ../src.tar.gz
# tar xfz ../sys.tar.gz
# tar xfz ../xenocara.tar.gz
# rm -rf /usr/src
# ln -s /home/openbsd/src /usr/src
As of today there are 11 patches available: 4 security fixes and 7 reliability fixes.
# cd /home/openbsd
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/001_ndp.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/002_vr.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/003_tcpinput.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/004_httpd.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/005_pglistalloc.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/006_dhcpd.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/007_openssl.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/008_bind.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/009_bgpd.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/010_bgpd.patch
# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/011_sudo.patch
It is important to read the patch instructions carefully. There are three types of patches: kernel, userland and X11. But special instructions may occur in any patch.
# cd /home/openbsd
# head -6 001*
Apply by doing:
cd /usr/src
patch -p0 < 001_ndp.patch
Then build and install a new kernel.
# head -6 002*
Apply by doing:
cd /usr/src
patch -p0 < 002_vr.patch
Then build and install a new kernel.
# head -6 003*
Apply by doing:
cd /usr/src
patch -p0 < 003_tcpinput.patch
Then build and install a new kernel.
# head -18 004*
Apply by doing:
cd /usr/src
patch -p0 < 004_httpd.patch
And then rebuild and install httpd and its modules:
cd usr.sbin/httpd
make -f Makefile.bsd-wrapper obj
make -f Makefile.bsd-wrapper cleandir
make -f Makefile.bsd-wrapper depend
make -f Makefile.bsd-wrapper
make -f Makefile.bsd-wrapper install
If httpd had been started, you might want to run
apachectl stop
before running "make install", and
apachectl start
afterwards.
# head -6 005*
Apply by doing:
cd /usr/src
patch -p0 < 005_pglistalloc.patch
Then build and install a new kernel.
# head -9 006*
Apply by doing:
cd /usr/src
patch -p0 < 006_dhcpd.patch
And then rebuild and install file:
cd usr.sbin/dhcpd
make
make install
# head -9 007*
Apply by doing:
cd /usr/src
patch -p0 < 007_openssl.patch
And then rebuild and install the library:
cd lib/libssl
make
make install
# head -9 008*
Apply by doing:
cd /usr/src
patch -p0 < 008_bind.patch
And then rebuild and install bind:
cd usr.sbin/bind
make -f Makefile.bsd-wrapper
make -f Makefile.bsd-wrapper install
# head -10 009*
Apply by doing:
cd /usr/src
patch -p0 < 009_bgpd.patch
And then rebuild and install bgpd:
cd usr.sbin/bgpd
make depend
make
make install
# head -10 010*
Apply by doing:
cd /usr/src
patch -p0 < 010_bgpd.patch
And then rebuild and install bgpd:
cd usr.sbin/bgpd
make depend
make
make install
# head -10 011*
Apply by doing:
cd /usr/src
patch -p0 < 011_sudo.patch
And then rebuild and install sudo:
cd usr.bin/sudo
make depend
make
make install
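Rather than guessing a line count for head, the instruction header of each patch can be printed up to the first diff line and classified by the rebuild it asks for. This is an added example, not part of the original page: the header-end rule, the xenocara test for X11 patches and the function names are assumptions, and the sample patch files are constructed from the header text shown above.

```shell
#!/bin/sh
# Added example: print each errata patch's instruction header and classify it.
# Assumption: the header ends at the first diff line (Index:, diff, ---, ***).

patch_header() {    # $1 = patch file; prints everything before the diff body
    sed -n -e '/^Index: /q' -e '/^diff /q' -e '/^--- /q' \
           -e '/^\*\*\* /q' -e p "$1"
}

patch_kind() {      # $1 = patch file; prints kernel, x11 or userland
    hdr=$(patch_header "$1")
    case $hdr in
        *"install a new kernel"*) echo kernel ;;
        *xenocara*)               echo x11 ;;   # assumption: X11 headers name the xenocara tree
        *)                        echo userland ;;
    esac
}

make_samples() {    # $1 = directory; writes constructed sample patches
    printf '%s\n' 'Apply by doing:' '    cd /usr/src' \
        '    patch -p0 < 001_ndp.patch' '' \
        'Then build and install a new kernel.' '' \
        'Index: placeholder/file.c' > "$1/001_ndp.patch"
    printf '%s\n' 'Apply by doing:' '    cd /usr/src' \
        '    patch -p0 < 006_dhcpd.patch' '' \
        'And then rebuild and install file:' '    cd usr.sbin/dhcpd' \
        '    make' '    make install' '' \
        'Index: placeholder/file.c' > "$1/006_dhcpd.patch"
}

review_patches() {  # $1 = directory; one line per patch, then the reboot verdict
    reboot=no
    for p in "$1"/[0-9][0-9][0-9]_*.patch; do
        kind=$(patch_kind "$p")
        if [ "$kind" = kernel ]; then reboot=yes; fi
        echo "$(basename "$p"): $kind"
    done
    echo "reboot needed: $reboot"
}

# Demo on the constructed samples; point review_patches at /home/openbsd instead.
tmp=$(mktemp -d)
make_samples "$tmp"
review_patches "$tmp"
rm -rf "$tmp"
```

Running patch_header on every downloaded file before applying anything also surfaces the special instructions that a fixed head count can cut off.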
All patches are applied in one go:
# cd /usr/src
# patch -p0 < /home/openbsd/001*
# patch -p0 < /home/openbsd/002*
# patch -p0 < /home/openbsd/003*
# patch -p0 < /home/openbsd/004*
# patch -p0 < /home/openbsd/005*
# patch -p0 < /home/openbsd/006*
# patch -p0 < /home/openbsd/007*
# patch -p0 < /home/openbsd/008*
# patch -p0 < /home/openbsd/009*
# patch -p0 < /home/openbsd/010*
# patch -p0 < /home/openbsd/011*
A new kernel is made and installed:
# cd /usr/src/sys/arch/i386/conf
# config GENERIC
Don't forget to run "make depend"
# cd ../compile/GENERIC
# make clean && make depend && make
...
# make install
rm -f /obsd
ln /bsd /obsd
cp bsd /nbsd
mv /nbsd /bsd
Some OS components and userland programs are recompiled:
# cd /usr/src/usr.sbin/httpd
# make -f Makefile.bsd-wrapper obj
# make -f Makefile.bsd-wrapper cleandir
# make -f Makefile.bsd-wrapper depend
# make -f Makefile.bsd-wrapper
# make -f Makefile.bsd-wrapper install
# cd /usr/src/usr.sbin/dhcpd
# make
# make install
# cd /usr/src/lib/libssl
# make
# make install
# cd /usr/src/usr.sbin/bind
# make -f Makefile.bsd-wrapper
# make -f Makefile.bsd-wrapper install
# cd /usr/src/usr.sbin/bgpd
# make depend
# make
# make install
# cd /usr/src/usr.bin/sudo
# make depend
# make
# make install
Finally the system is restarted to load the new kernel:
# reboot