For errata on a certain release, click below:
2.0,
2.1,
2.2,
2.3,
2.4,
2.5,
2.6,
2.7,
2.8,
2.9,
3.0,
3.1,
3.2,
3.3,
3.4,
3.5,
3.6,
3.7,
3.8,
3.9,
4.0,
4.1,
4.2,
4.3,
4.4,
4.5,
4.6,
4.7,
4.8,
4.9,
5.0,
5.1,
5.2,
5.3,
5.4,
5.5,
5.6,
5.7,
5.8,
5.9,
6.0,
6.1,
6.2,
6.3,
6.4,
6.5,
6.6,
6.7,
6.8,
6.9,
7.0,
7.2,
7.3,
7.4.
Patches for the OpenBSD base system are distributed as unified diffs.
Each patch is cryptographically signed with the
signify(1) tool and contains
usage instructions.
All the following patches are also available in one
tar.gz file
for convenience.
Alternatively, the syspatch(8)
utility can be used to apply binary updates on the following architectures:
amd64, i386, arm64.
Patches for supported releases are also incorporated into the
-stable branch.
-
001: RELIABILITY FIX: April 22, 2022
All architectures
Many wireless network drivers could not scan access points correctly.
A source code patch exists which remedies this problem.
Notice:
Some users will have installed a broken version of the
syspatch71-001_wifi.tgz file (which prevents future syspatch files
from installing), and must manually perform the following step to force
deletion of the old file, and then syspatch forward:
# sed -i /release/d /usr/sbin/syspatch && syspatch -R && syspatch
-
002: RELIABILITY FIX: May 5, 2022
All architectures
When using IPsec, the kernel could crash.
A source code patch exists which remedies this problem.
-
003: RELIABILITY FIX: May 16, 2022
All architectures
The kernel could crash due to a race in kqueue.
A source code patch exists which remedies this problem.
-
004: RELIABILITY FIX: May 16, 2022
All architectures
libcrypto would incorrectly decode certain ASN.1 objects.
A source code patch exists which remedies this problem.
-
005: SECURITY FIX: May 16, 2022
All architectures
Malicious PPPoE packets could corrupt kernel memory.
A source code patch exists which remedies this problem.
-
006: SECURITY FIX: July 24, 2022
All architectures
Input validation failures in the X server request parsing code can
lead to out of bounds memory accesses for authorized clients.
A source code patch exists which remedies this problem.
-
007: RELIABILITY FIX: July 24, 2022
All architectures
cron(8) aborted due to strange poll timevals.
A source code patch exists which remedies this problem.
-
008: RELIABILITY FIX: August 2, 2022
All architectures
bgpd(8) could fail to invalidate nexthops and incorrectly leave them in
the FIB or Adj-RIB-Out.
A source code patch exists which remedies this problem.
-
009: SECURITY FIX: August 12, 2022
All architectures
A missing length check in zlib could lead to a heap buffer overflow.
A source code patch exists which remedies this problem.
-
010: SECURITY FIX: September 23, 2022
All architectures
In libexpat fix heap use-after-free vulnerability CVE-2022-40674.
A source code patch exists which remedies this problem.
-
011: SECURITY FIX: September 26, 2022
All architectures
In smtpd(8), possible use-after-free if TLS handshake fails for
outbound connections.
A source code patch exists which remedies this problem.
-
012: SECURITY FIX: November 1, 2022
All architectures
In libexpat fix heap use-after-free vulnerability CVE-2022-43680.
A source code patch exists which remedies this problem.
-
013: SECURITY FIX: November 14, 2022
All architectures
CVE-2022-44638: An integer overflow in pixman may lead to an out-of-bounds
write.
A source code patch exists which remedies this problem.
-
014: SECURITY FIX: November 26, 2022
All architectures
A crafted TCP query from localhost could crash the unwind(8) daemon.
A source code patch exists which remedies this problem.
-
015: SECURITY FIX: December 14, 2022
All architectures
In X11 server fix local privileges elevation and remote code
execution for ssh X forwarding sessions. This addresses CVE-2022-46340
CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344.
A source code patch exists which remedies this problem.
-
016: RELIABILITY FIX: December 14, 2022
amd64 i386
TLB entries were not invalidated for all types of engine on
12th generation Intel graphics (Tiger Lake, Rocket Lake, Alder Lake).
A source code patch exists which remedies this problem.
-
017: RELIABILITY FIX: December 16, 2022
All architectures
Removing a domain can result in an out-of-bounds write in acme-client(8).
A source code patch exists which remedies this problem.
-
018: SECURITY FIX: January 13, 2023
All architectures
A TCP packet with destination port 0 that matches a pf divert-to
rule could crash the kernel.
A source code patch exists which remedies this problem.
-
019: SECURITY FIX: January 17, 2023
All architectures
Input validation issues and path validation issues in libXpm can lead
to infinite loops, memory corruption or arbitrary command execution.
CVE-2022-46285, CVE-2022-44617 and CVE-2022-4883
A source code patch exists which remedies this problem.
-
020: SECURITY FIX: January 21, 2023
amd64
vmm(4) exposed unsupported cpuid feature flags to guests.
A source code patch exists which remedies this problem.
-
021: SECURITY FIX: January 21, 2023
amd64
vmd(8) exposed unsupported cpuid feature flags to guests.
A source code patch exists which remedies this problem.
-
022: SECURITY FIX: February 7, 2023
All architectures
A malicious certificate revocation list or timestamp response token would
allow an attacker to read arbitrary memory.
A source code patch exists which remedies this problem.
-
023: SECURITY FIX: February 7, 2023
All architectures
CVE-2023-0494: use after free in the Xinput X server extension.
A source code patch exists which remedies this problem.
-
024: SECURITY FIX: February 7, 2023
All architectures
smtpd(8) could abort due to a connection from a local, scoped ipv6 address.
A source code patch exists which remedies this problem.
-
025: RELIABILITY FIX: February 26, 2023
All architectures
Missing bounds check in console terminal emulation could cause a kernel
crash after receiving specially crafted escape sequences.
A source code patch exists which remedies this problem.
-
026: SECURITY FIX: March 16, 2023
All architectures
Out of bounds accesses in libc resolver.
A source code patch exists which remedies this problem.
-
027: RELIABILITY FIX: March 23, 2023
All architectures
Incorrect length checks allow an out-of-bounds read in bgpd(8).
A source code patch exists which remedies this problem.
-
028: SECURITY FIX: March 29, 2023
All architectures
Xserver, CVE-2023-1393: use after free bug in the Composite server extension.
A source code patch exists which remedies this problem.