Do a search and you'll find very little official comprehensive tutorial-type documentation on how to apply one or more patches to OpenBSD. The information is spread among different manual pages and such. As described in [Security updates FAQ](https://www.openbsd.org/faq/faq10.html#Patches): While applying fixes from the errata page typically requires less time than a CVS checkout/update and rebuild, there is no universal set of instructions to follow. Sometimes you must patch and recompile one application, sometimes more. Here's how *I* patched an OpenBSD 6.3 system running on [Cubox i4-pro](https://www.openbsd.org/armv7.html) with 32GB MicroSD card in July of 2018. # Allow non-root user to use CVS It's not a good idea to use root to work with CVS. Add your user to the *wsrc* group. # user mod -G wsrc 'YOUR_USER_NAME' Create directories for ports and xenocara. # cd /usr # mkdir -p xenocara ports # chgrp wsrc xenocara ports # chmod 775 xenocara ports Logout and log back in to make effective your group membership. Source: https://www.openbsd.org/faq/faq5.html#wsrc # Install packages Make sure *[/etc/installurl](https://man.openbsd.org/installurl)* is configured. $ more /etc/installurl http://cloudflare.cdn.openbsd.org/pub/OpenBSD Install packages. $ su - # pkg_add curl # Download and unpack source code $ curl -O https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.3/ports.tar.gz $ curl -O https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.3/src.tar.gz $ curl -O https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.3/sys.tar.gz $ curl -O https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.3/xenocara.tar.gz $ tar xzf src.tar.gz -C /usr/src $ tar xzf sys.tar.gz -C /usr/src $ tar xzf ports.tar.gz -C /usr $ tar xzf xenocara.tar.gz -C /usr/xenocara Source: [https://www.openbsd.org/anoncvs.html#starting](https://www.openbsd.org/anoncvs.html#starting) # Download and unpack errata (patches) Patches are available from the release's errata page. For example, for 6.3, the latest release when this guide was written, the errata is available from [https://www.openbsd.org/errata63.html](https://www.openbsd.org/errata63.html). The patches are in individual files or a single tarball that contains all patches. I chose to download and unpack the single tarball. $ curl -O https://cloudflare.cdn.openbsd.org/pub/OpenBSD/patches/6.3.tar.gz $ tar xzf 6.3.tar.gz # Apply patches Follow the instructions of each individual patch on how to apply it. For example, for release 6.3, the first patch was *001_perl.patch.sig*. $ head -n 19 6.3/common/001_perl.patch.sig untrusted comment: signature from openbsd 6.3 base secret key RWRxzbLwAd76ZTObQY7HOmQ+VKZdvmQb1cF7qN9gqYqmrbzeLyZtd+NLMdegPgXay3/j5cn2wu4CfSvXPHNkdUzth/2N9E6IIgM= OpenBSD 6.3 errata 001, April 14, 2018: Heap overflows exist in perl which can lead to segmentation faults, crashes, and reading memory past the buffer. Embargoed by perl for 53 days. Apply by doing: signify -Vep /etc/signify/openbsd-63-base.pub -x 001_perl.patch.sig \ -m - | (cd /usr/src && patch -p0) And then rebuild and install perl: cd /usr/src/gnu/usr.bin/perl/ make -f Makefile.bsd-wrapper obj make -f Makefile.bsd-wrapper depend make -f Makefile.bsd-wrapper make -f Makefile.bsd-wrapper install Let's follow these instructions. $ cd 6.3/common/ $ signify -Vep /etc/signify/openbsd-63-base.pub -x 001_perl.patch.sig -m - | (cd /usr/src && patch -p0) $ su - # cd /usr/src/gnu/usr.bin/perl/ # make -f Makefile.bsd-wrapper obj # make -f Makefile.bsd-wrapper depend # make -f Makefile.bsd-wrapper # make -f Makefile.bsd-wrapper install I found that I had to build and install as the root user. I'm still not sure if this is expected or I'm doing something wrong. Once I have applied all patches, I keep track of new patches by subscribing to the announce@ openbsd.org mailing list or by periodically browsing to the errata page for the release as described above.