Patches for the OpenBSD base system are distributed as unified diffs. Each patch is cryptographically signed with the signify(1) tool and contains usage instructions. All the following patches are also available in one tar.gz file for convenience.
Alternatively, the syspatch(8) utility can be used to apply binary updates on the following architectures: amd64, i386, arm64.
Patches for supported releases are also incorporated into the -stable branch.
-
001: SECURITY FIX: October 25, 2023
All architectures
Fix several input validation errors in the X server.
CVE-2023-5367 CVE-2023-5380 CVE-2023-5574
A source code patch exists which remedies this problem.
-
002: SECURITY FIX: October 25, 2023
All architectures
A network buffer that had to be split at a certain length could crash
the kernel.
A source code patch exists which remedies this problem.
-
003: RELIABILITY FIX: November 21, 2023
All architectures
patch(1) with explicit patchfile did not work in 7.4 due to overeager
unveil(2) restrictions.
A source code patch exists which remedies this problem.
-
004: RELIABILITY FIX: November 21, 2023
All architectures
Simple passwords which were 8 characters long caused ospfd(8) to
send out packets with an invalid checksum.
A source code patch exists which remedies this problem.
-
005: RELIABILITY FIX: November 21, 2023
All architectures
Overlong sequences of UTF-8 combining characters could crash tmux(1).
A source code patch exists which remedies this problem.
-
006: RELIABILITY FIX: November 21, 2023
All architectures
httpd(8): Avoid a NULL dereference when handling a malformed fastcgi request.
A source code patch exists which remedies this problem.
-
007: SECURITY FIX: November 29, 2023
All architectures
A crafted regular expression, when compiled by perl, can cause a
one-byte attacker-controlled buffer overflow in a heap-allocated
buffer. CVE-2023-47038
A source code patch exists which remedies this problem.
-
008: RELIABILITY FIX: December 10, 2023
amd64
vmm(4) restored stale GDTR & TR values on vm exit which could lead to
memory corruption or kernel deadlocks.
A source code patch exists which remedies this problem.
-
009: RELIABILITY FIX: December 10, 2023
All architectures
A race condition between pf(4)'s processing of packets and expiration of
packet states may cause a kernel panic.
A source code patch exists which remedies this problem.
-
010: SECURITY FIX: December 14, 2023
All architectures
Fix out of bounds memory accesses in XRandR and XKB X server extensions.
CVE-2023-6377 CVE-2023-6478
A source code patch exists which remedies this problem.
-
011: SECURITY FIX: December 18, 2023
All architectures
An SSH protocol weakness (the Terrapin Attack) exists that allows an
on-path adversary to disable keystroke timing obfuscation.
A source code patch exists which remedies this problem.
-
012: SECURITY FIX: January 16, 2024
All architectures
Fix multiple xserver heap buffer overflows, out of bounds memory accesses and
memory corruption.
CVE-2023-6816 CVE-2024-0229 CVE-2024-21885 CVE-2024-21886
CVE-2024-0408 CVE-2024-0409
A source code patch exists which remedies this problem.
-
013: SECURITY FIX: February 13, 2024
All architectures
DNSSEC protocol vulnerabilities have been discovered that render
various DNSSEC validators victims of Denial Of Service while trying
to validate specially crafted DNSSEC responses.
Fix CVE-2023-50387 and CVE-2023-50868 in unwind(8) and unbound(8).
A source code patch exists which remedies this problem.
-
014: SECURITY FIX: February 29, 2024
amd64
vmm(4) did not restore GDTR limits properly on Intel (VMX) CPUs.
A source code patch exists which remedies this problem.
-
015: SECURITY FIX: March 18, 2024
All architectures
In libexpat fix billion laughs attack vulnerability CVE-2024-28757.
A source code patch exists which remedies this problem.
-
016: SECURITY FIX: April 8, 2024
All architectures
Fix multiple heap buffer overreads and data leakage in the X11 server
Xi extension and a use after free in the Render extension.
CVE-2024-31080 CVE-2024-31081 CVE-2024-31083
A source code patch exists which remedies this problem.
-
017: RELIABILITY FIX: June 26, 2024
All architectures
Repair a withdraw desynchronization problem in bgpd(8).
A source code patch exists which remedies this problem.
-
018: SECURITY FIX: August 2, 2024
All architectures
sndiod(8) main process could crash due to buffer overread.
A source code patch exists which remedies this problem.
-
019: SECURITY FIX: August 19, 2024
All architectures
cron(8) and crontab(1) can crash due to incorrect /step values.
CVE-2024-43688
A source code patch exists which remedies this problem.
-
020: SECURITY FIX: September 17, 2024
All architectures
In libexpat add integer range checks.
CVE-2024-45490 CVE-2024-45491 CVE-2024-45492
A source code patch exists which remedies this problem.
-
021: SECURITY FIX: September 17, 2024
All architectures
Avoid possible mbuf double free in NFS client and server implementation.
Do not use uninitialized variable in error handling of NFS server.
A source code patch exists which remedies this problem.
-
022: SECURITY FIX: September 17, 2024
All architectures
In readdir name validation exclude any '/' to avoid unexpected
directory traversal on untrusted file systems.
A source code patch exists which remedies this problem.