Rodolfo Bandeira

Rodolfo Bandeira

software, electronics, security, devops, thoughts

How to Apply Security Patches in OpenBSD using Mtier

Are you an OpenBSD 5.9 user? Are you using LetsEncrypt Free SSL?

Guess what!? After my latest certificate renew, My server started getting this error:

This server is vulnerable to the OpenSSL Padding Oracle 
vulnerability (CVE-2016-2107) and insecure. Grade set to F.

After some research, I went to #openbsd channel at irc.freenode.net and found some nice guys there that helped to solve it so I’d like to share with you some nice lessons I learned.

This problem is generated because of a missing security patch. Ok, in ubuntu it’s easy to upgrade your system. apt-get update and apt-get upgrade and that’s it right?

In OpenBSD you can follow the security patches at this url:

http://www.openbsd.org/errata59.html

You can apply the patch using the source code diff directly in the source of the files. In this case should be LibreSSL.

Since I don’t have the source code of all my installed packages, I’m gonna show you how to apply binpatches using Mtier.

https://stable.mtier.org/

As you can see the instructions on this website is here:

1) Download M:Tier public key:

doas -s

cd /etc/signify

ftp https://stable.mtier.org/mtier-59-pkg.pub

2) Update your PKG_PATH:

PKG_PATH=https://stable.mtier.org/updates/$(uname -r)/$(arch -s):${PKG_PATH}

export PKG_PATH

And then let’s apply the patches. In my case I applied the security patch for Crypto:

pkg_add binpatch59-amd64-crypto

3) You can also upgrade all packages in your system using:

pkg_add -u

If you want to apply the security patch for SSHD, you can just replace the last word in the command for what you want to patch:

pkg_add binpatch59-amd64-sshd

I don’t need to mention that in my case the arquitecture is amd64, but in your case could be different, so keep your eyes on it.

That’s it for today! Thanks!

Last modified:

LinkedIn
WhatsApp