Security Updates

There are no regular updates for a specific OpenBSD release. However, sometimes when a critical bug is found, updates are released as so-called binary patches.


For supported versions of OpenBSD, the easiest way to get the latest security patches is to use the syspatch utility. By default, a cron will be run executing the syspatch -c command which will retrieve a list of available patches. The list will be mailed to the root user.

# syspatch -c

To apply the patches, rerun the command but without the -c option.


# syspatch
Get/Verify syspatch66-004_net8021... 100% |*****************************************************| 64839       00:00
Installing patch 004_net80211
Get/Verify syspatch66-005_sysupgr... 100% |*****************************************************|  3023       00:00
Installing patch 005_sysupgrade
Get/Verify syspatch66-006_ifioctl... 100% |*****************************************************|   381 KB    00:00
Installing patch 006_ifioctl
Relinking to create unique kernel... done; reboot to load the new kernel
Errata can be reviewed under /var/syspatch

In case the kernel has been patched, the system needs to be rebooted in order to make the changes active. As visible in the above example, if this is the case, you’ll be notified as above.


In order to update packages outside of Base, so often that would be packages in the ports collection, you can use the pkg_add tool.

The following command will update all packages that have a newer version in ports.

pkg_add -u

It’s also possible to add a specific package name to the command.

pkg_add -u nginx