Security Patches
Complete list of security fixes published by OpenBSD for 2025. All these patches are applied in SecBSD by default.
Complete list of security fixes published by OpenBSD for 2025. All these patches are applied in SecBSD by default.
syspatch(8) is confused by aliased /dev/*rootdisk nodes in the database generated by dev_mkdb(8). If syspatch fails (probably because /usr is not a separate filesystem).
Use-after-free and integer overflow in the Xkb and Present X server extensions. CVE-2025-62229 CVE-2025-62230 CVE-2025-62231.
DNS cache poisoning vulnerabilities in unbound could lead to domain hijacking. CVE-2025-11411.
Ensure the group selected by a TLSv1.3 server for a HelloRetryRequest is not one for which the client has already sent a key share.
smtpd(8) can die if a malformed imsg is sent on the local socket. CVE-2025-62875.
Missing modifications to libunwind after the LLVM 19.1.7 update can cause performance regressions and missing endbr instructions.
Fix drm(4) to avoid spurious sleep errors leading to crashes.
Fix buffer overflow vulnerabilities in libpng which is part of libfreetype. CVE-2025-64505 CVE-2025-64506 CVE-2025-64720 CVE-2025-65018.
Fix incorrect handling of invalid inputs to xkbcomp(1). CVE-2018-15853 CVE-2018-15859 CVE-2018-15861 CVE-2018-15863.
Fix incomplete mitigation of DNS cache poisoning vulnerabilities in unbound. CVE-2025-11411.
Due to a race, the kernel could crash when adding IPv6 neighbor discovery entries.
Proactive tracking of OpenBSD vulnerabilities ensures fixes are incorporated into SecBSD within 24 hours of the vulnerability notification.
To update your system with the latest security fixes, run:
$ doas sysupgrade -s and then $ doas pkg_add -Dsnap -u