diff --git a/.gitignore b/.gitignore
index 649e583..00c3753 100644
--- a/.gitignore
+++ b/.gitignore
@@ -219,3 +219,4 @@
 /389-ds-base-2.4.4.tar.bz2
 /389-ds-base-2.4.5.tar.bz2
 /389-ds-base-2.5.1.tar.bz2
+/389-ds-base-2.5.2.tar.bz2
diff --git a/0001-CVE-2024-3657.patch b/0001-CVE-2024-3657.patch
deleted file mode 100644
index dba55ff..0000000
--- a/0001-CVE-2024-3657.patch
+++ /dev/null
@@ -1,213 +0,0 @@
-From 5cfa136c48c477765cb20b007ad441ed21534e86 Mon Sep 17 00:00:00 2001
-From: Pierre Rogier <progier@redhat.com>
-Date: Wed, 17 Apr 2024 18:18:04 +0200
-Subject: [PATCH] CVE-2024-3657
-
----
- .../tests/suites/filter/large_filter_test.py  |  34 +++++-
- ldap/servers/slapd/back-ldbm/index.c          | 111 ++++++++++--------
- 2 files changed, 92 insertions(+), 53 deletions(-)
-
-diff --git a/dirsrvtests/tests/suites/filter/large_filter_test.py b/dirsrvtests/tests/suites/filter/large_filter_test.py
-index 964facae5..5390a0f9c 100644
---- a/dirsrvtests/tests/suites/filter/large_filter_test.py
-+++ b/dirsrvtests/tests/suites/filter/large_filter_test.py
-@@ -13,19 +13,29 @@ verify and testing  Filter from a search
- 
- import os
- import pytest
-+import ldap
- 
--from lib389._constants import PW_DM
-+from lib389._constants import PW_DM, DEFAULT_SUFFIX, ErrorLog
- from lib389.topologies import topology_st as topo
- from lib389.idm.user import UserAccounts, UserAccount
- from lib389.idm.account import Accounts
- from lib389.backend import Backends
- from lib389.idm.domain import Domain
-+from lib389.utils import get_ldapurl_from_serverid
- 
- SUFFIX = 'dc=anuj,dc=com'
- 
- pytestmark = pytest.mark.tier1
- 
- 
-+def open_new_ldapi_conn(dsinstance):
-+    ldapurl, certdir = get_ldapurl_from_serverid(dsinstance)
-+    assert 'ldapi://' in ldapurl
-+    conn = ldap.initialize(ldapurl)
-+    conn.sasl_interactive_bind_s("", ldap.sasl.external())
-+    return conn
-+
-+
- @pytest.fixture(scope="module")
- def _create_entries(request, topo):
-     """
-@@ -159,6 +169,28 @@ def test_large_filter(topo, _create_entries, real_value):
-     assert len(Accounts(conn, SUFFIX).filter(real_value)) == 3
- 
- 
-+def test_long_filter_value(topo):
-+    """Exercise large eq filter with dn syntax attributes
-+
-+        :id: b069ef72-fcc3-11ee-981c-482ae39447e5
-+        :setup: Standalone
-+        :steps:
-+            1. Try to pass filter rules as per the condition.
-+        :expectedresults:
-+            1. Pass
-+    """
-+    inst = topo.standalone
-+    conn = open_new_ldapi_conn(inst.serverid)
-+    inst.config.loglevel(vals=(ErrorLog.DEFAULT,ErrorLog.TRACE,ErrorLog.SEARCH_FILTER))
-+    filter_value = "a\x1Edmin" * 1025
-+    conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})')
-+    filter_value = "aAdmin" * 1025
-+    conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})')
-+    filter_value = "*"
-+    conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})')
-+    inst.config.loglevel(vals=(ErrorLog.DEFAULT,))
-+
-+
- if __name__ == '__main__':
-     CURRENT_FILE = os.path.realpath(__file__)
-     pytest.main("-s -v %s" % CURRENT_FILE)
-diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
-index 86bc825fe..bdac0a616 100644
---- a/ldap/servers/slapd/back-ldbm/index.c
-+++ b/ldap/servers/slapd/back-ldbm/index.c
-@@ -74,6 +74,32 @@ typedef struct _index_buffer_handle index_buffer_handle;
- #define INDEX_BUFFER_FLAG_SERIALIZE 1
- #define INDEX_BUFFER_FLAG_STATS 2
- 
-+/*
-+ * space needed to encode a byte:
-+ *  0x00-0x31 and 0x7f-0xff requires 3 bytes: \xx
-+ *  0x22 and 0x5C requires 2 bytes: \" and \\
-+ *  other requires 1 byte: c
-+ */
-+static char encode_size[] = {
-+    /* 0x00 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
-+    /* 0x10 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
-+    /* 0x20 */   1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
-+    /* 0x30 */   1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
-+    /* 0x40 */   1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
-+    /* 0x50 */   1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1,
-+    /* 0x60 */   1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
-+    /* 0x70 */   1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3,
-+    /* 0x80 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
-+    /* 0x90 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
-+    /* 0xA0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
-+    /* 0xB0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
-+    /* 0xC0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
-+    /* 0xD0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
-+    /* 0xE0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
-+    /* 0xF0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
-+};
-+
-+
- /* Index buffering functions */
- 
- static int
-@@ -802,65 +828,46 @@ index_add_mods(
- 
- /*
-  * Convert a 'struct berval' into a displayable ASCII string
-+ * returns the printable string
-  */
--
--#define SPECIAL(c) (c < 32 || c > 126 || c == '\\' || c == '"')
--
- const char *
- encode(const struct berval *data, char buf[BUFSIZ])
- {
--    char *s;
--    char *last;
--    if (data == NULL || data->bv_len == 0)
--        return "";
--    last = data->bv_val + data->bv_len - 1;
--    for (s = data->bv_val; s < last; ++s) {
--        if (SPECIAL(*s)) {
--            char *first = data->bv_val;
--            char *bufNext = buf;
--            size_t bufSpace = BUFSIZ - 4;
--            while (1) {
--                /* printf ("%lu bytes ASCII\n", (unsigned long)(s - first)); */
--                if (bufSpace < (size_t)(s - first))
--                    s = first + bufSpace - 1;
--                if (s != first) {
--                    memcpy(bufNext, first, s - first);
--                    bufNext += (s - first);
--                    bufSpace -= (s - first);
--                }
--                do {
--                    if (bufSpace) {
--                        *bufNext++ = '\\';
--                        --bufSpace;
--                    }
--                    if (bufSpace < 2) {
--                        memcpy(bufNext, "..", 2);
--                        bufNext += 2;
--                        goto bail;
--                    }
--                    if (*s == '\\' || *s == '"') {
--                        *bufNext++ = *s;
--                        --bufSpace;
--                    } else {
--                        sprintf(bufNext, "%02x", (unsigned)*(unsigned char *)s);
--                        bufNext += 2;
--                        bufSpace -= 2;
--                    }
--                } while (++s <= last && SPECIAL(*s));
--                if (s > last)
--                    break;
--                first = s;
--                while (!SPECIAL(*s) && s <= last)
--                    ++s;
--            }
--        bail:
--            *bufNext = '\0';
--            /* printf ("%lu chars in buffer\n", (unsigned long)(bufNext - buf)); */
-+    if (!data || !data->bv_val) {
-+        strcpy(buf, "<NULL>");
-+        return buf;
-+    }
-+    char *endbuff = &buf[BUFSIZ-4];  /* Reserve space to append "...\0" */
-+    char *ptout = buf;
-+    unsigned char *ptin = (unsigned char*) data->bv_val;
-+    unsigned char *endptin = ptin+data->bv_len;
-+
-+    while (ptin < endptin) {
-+        if (ptout >= endbuff) {
-+            /*
-+             * BUFSIZ(8K) > SLAPI_LOG_BUFSIZ(2K) so the error log message will be
-+             * truncated anyway. So there is no real interrest to test if the original
-+             * data contains no special characters and return it as is.
-+             */
-+            strcpy(endbuff, "...");
-             return buf;
-         }
-+        switch (encode_size[*ptin]) {
-+            case 1:
-+                *ptout++ = *ptin++;
-+                break;
-+            case 2:
-+                *ptout++ = '\\';
-+                *ptout++ = *ptin++;
-+                break;
-+            case 3:
-+                sprintf(ptout, "\\%02x", *ptin++);
-+                ptout += 3;
-+                break;
-+        }
-     }
--    /* printf ("%lu bytes, all ASCII\n", (unsigned long)(s - data->bv_val)); */
--    return data->bv_val;
-+    *ptout = 0;
-+    return buf;
- }
- 
- static const char *
--- 
-2.44.0
-
diff --git a/0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch b/0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
deleted file mode 100644
index a8232ca..0000000
--- a/0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From fcdeec3b876a28e06bb53a60fe502cb702403931 Mon Sep 17 00:00:00 2001
-From: Simon Pichugin <spichugi@redhat.com>
-Date: Tue, 27 Feb 2024 16:30:47 -0800
-Subject: [PATCH] Issue 3527 - Support HAProxy and Instance on the same machine
- configuration (#6107)
-
-Description: Improve how we handle HAProxy connections to work better when
-the DS and HAProxy are on the same machine.
-Ensure the client and header destination IPs are checked against the trusted IP list.
-
-Additionally, this change will also allow configuration having
-HAProxy is listening on a different subnet than the one used to forward the request.
-
-Related: https://github.com/389ds/389-ds-base/issues/3527
-
-Reviewed by: @progier389, @jchapma (Thanks!)
----
- ldap/servers/slapd/connection.c | 35 +++++++++++++++++++++++++--------
- 1 file changed, 27 insertions(+), 8 deletions(-)
-
-diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
-index a30511c97..07d629475 100644
---- a/ldap/servers/slapd/connection.c
-+++ b/ldap/servers/slapd/connection.c
-@@ -1187,6 +1187,8 @@ connection_read_operation(Connection *conn, Operation *op, ber_tag_t *tag, int *
-     char str_ip[INET6_ADDRSTRLEN + 1] = {0};
-     char str_haproxy_ip[INET6_ADDRSTRLEN + 1] = {0};
-     char str_haproxy_destip[INET6_ADDRSTRLEN + 1] = {0};
-+    int trusted_matches_ip_found = 0;
-+    int trusted_matches_destip_found = 0;
-     struct berval **bvals = NULL;
-     int proxy_connection = 0;
- 
-@@ -1245,21 +1247,38 @@ connection_read_operation(Connection *conn, Operation *op, ber_tag_t *tag, int *
-                         normalize_IPv4(conn->cin_addr, buf_ip, sizeof(buf_ip), str_ip, sizeof(str_ip));
-                         normalize_IPv4(&pr_netaddr_dest, buf_haproxy_destip, sizeof(buf_haproxy_destip),
-                                        str_haproxy_destip, sizeof(str_haproxy_destip));
-+                        size_t ip_len = strlen(buf_ip);
-+                        size_t destip_len = strlen(buf_haproxy_destip);
- 
-                         /* Now, reset RC and set it to 0 only if a match is found */
-                         haproxy_rc = -1;
- 
--                        /* Allow only:
--                        * Trusted IP == Original Client IP == HAProxy Header Destination IP */
-+                        /* 
-+                         * We need to allow a configuration where DS instance and HAProxy are on the same machine.
-+                         * In this case, we need to check if
-+                         * the HAProxy client IP (which will be a loopback address) matches one of the the trusted IP addresses,
-+                         * while still checking that
-+                         * the HAProxy header destination IP address matches one of the trusted IP addresses.
-+                         * Additionally, this change will also allow configuration having
-+                         * HAProxy listening on a different subnet than one used to forward the request.
-+                         */
-                         for (size_t i = 0; bvals[i] != NULL; ++i) {
--                            if ((strlen(bvals[i]->bv_val) == strlen(buf_ip)) &&
--                                (strlen(bvals[i]->bv_val) == strlen(buf_haproxy_destip)) &&
--                                (strncasecmp(bvals[i]->bv_val, buf_ip, strlen(buf_ip)) == 0) &&
--                                (strncasecmp(bvals[i]->bv_val, buf_haproxy_destip, strlen(buf_haproxy_destip)) == 0)) {
--                                haproxy_rc = 0;
--                                break;
-+                            size_t bval_len = strlen(bvals[i]->bv_val);
-+
-+                            /* Check if the Client IP (HAProxy's machine IP) address matches the trusted IP address */
-+                            if (!trusted_matches_ip_found) {
-+                                trusted_matches_ip_found = (bval_len == ip_len) && (strncasecmp(bvals[i]->bv_val, buf_ip, ip_len) == 0);
-+                            }
-+                            /* Check if the HAProxy header destination IP address matches the trusted IP address */
-+                            if (!trusted_matches_destip_found) {
-+                                trusted_matches_destip_found = (bval_len == destip_len) && (strncasecmp(bvals[i]->bv_val, buf_haproxy_destip, destip_len) == 0);
-                             }
-                         }
-+
-+                        if (trusted_matches_ip_found && trusted_matches_destip_found) {
-+                            haproxy_rc = 0;
-+                        }
-+
-                         if (haproxy_rc == -1) {
-                             slapi_log_err(SLAPI_LOG_CONNS, "connection_read_operation", "HAProxy header received from unknown source.\n");
-                             disconnect_server_nomutex(conn, conn->c_connid, -1, SLAPD_DISCONNECT_PROXY_UNKNOWN, EPROTO);
--- 
-2.43.0
-
diff --git a/0002-CVE-2024-2199.patch b/0002-CVE-2024-2199.patch
deleted file mode 100644
index d980f8c..0000000
--- a/0002-CVE-2024-2199.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 23956cfb86a312318667fb9376322574fa8ec7f4 Mon Sep 17 00:00:00 2001
-From: James Chapman <jachapma@redhat.com>
-Date: Wed, 1 May 2024 15:01:33 +0100
-Subject: [PATCH] CVE-2024-2199
-
----
- .../tests/suites/password/password_test.py    | 56 +++++++++++++++++++
- ldap/servers/slapd/modify.c                   |  8 ++-
- 2 files changed, 62 insertions(+), 2 deletions(-)
-
-diff --git a/dirsrvtests/tests/suites/password/password_test.py b/dirsrvtests/tests/suites/password/password_test.py
-index 1245feb31..e4abd9907 100644
---- a/dirsrvtests/tests/suites/password/password_test.py
-+++ b/dirsrvtests/tests/suites/password/password_test.py
-@@ -63,6 +63,62 @@ def test_password_delete_specific_password(topology_st):
-     log.info('test_password_delete_specific_password: PASSED')
- 
- 
-+def test_password_modify_non_utf8(topology_st):
-+    """Attempt a modify of the userPassword attribute with
-+    an invalid non utf8 value
-+
-+    :id: a31af9d5-d665-42b9-8d6e-fea3d0837d36
-+    :setup: Standalone instance
-+    :steps:
-+        1. Add a user if it doesnt exist and set its password
-+        2. Verify password with a bind
-+        3. Modify userPassword attr with invalid value
-+        4. Attempt a bind with invalid password value
-+        5. Verify original password with a bind
-+    :expectedresults:
-+        1. The user with userPassword should be added successfully
-+        2. Operation should be successful
-+        3. Server returns ldap.UNWILLING_TO_PERFORM
-+        4. Server returns ldap.INVALID_CREDENTIALS
-+        5. Operation should be successful
-+     """
-+
-+    log.info('Running test_password_modify_non_utf8...')
-+
-+    # Create user and set password
-+    standalone = topology_st.standalone
-+    users = UserAccounts(standalone, DEFAULT_SUFFIX)
-+    if not users.exists(TEST_USER_PROPERTIES['uid'][0]):
-+        user = users.create(properties=TEST_USER_PROPERTIES)
-+    else:
-+        user = users.get(TEST_USER_PROPERTIES['uid'][0])
-+    user.set('userpassword', PASSWORD)
-+
-+    # Verify password
-+    try:
-+        user.bind(PASSWORD)
-+    except ldap.LDAPError as e:
-+        log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc'])
-+        assert False
-+
-+    # Modify userPassword with an invalid value
-+    password = b'tes\x82t-password' # A non UTF-8 encoded password
-+    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
-+        user.replace('userpassword', password)
-+
-+    # Verify a bind fails with invalid pasword
-+    with pytest.raises(ldap.INVALID_CREDENTIALS):
-+        user.bind(password)
-+
-+    # Verify we can still bind with original password
-+    try:
-+        user.bind(PASSWORD)
-+    except ldap.LDAPError as e:
-+        log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc'])
-+        assert False
-+
-+    log.info('test_password_modify_non_utf8: PASSED')
-+
- if __name__ == '__main__':
-     # Run isolated
-     # -s for DEBUG mode
-diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
-index a20984e0b..fb65d58b3 100644
---- a/ldap/servers/slapd/modify.c
-+++ b/ldap/servers/slapd/modify.c
-@@ -762,8 +762,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
-      * flagged - leave mod attributes alone */
-     if (!repl_op && !skip_modified_attrs && lastmod) {
-         modify_update_last_modified_attr(pb, &smods);
-+        slapi_pblock_set(pb, SLAPI_MODIFY_MODS, slapi_mods_get_ldapmods_byref(&smods));
-     }
- 
-+
-     if (0 == slapi_mods_get_num_mods(&smods)) {
-         /* nothing to do - no mods - this is not an error - just
-            send back LDAP_SUCCESS */
-@@ -930,8 +932,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
- 
-             /* encode password */
-             if (pw_encodevals_ext(pb, sdn, va)) {
--                slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s.\n", slapi_entry_get_dn_const(e));
--                send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to store attribute \"userPassword\" correctly\n", 0, NULL);
-+                slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s, "
-+                    "check value is utf8 string.\n", slapi_entry_get_dn_const(e));
-+                send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to hash \"userPassword\" attribute, "
-+                    "check value is utf8 string.\n", 0, NULL);
-                 valuearray_free(&va);
-                 goto free_and_return;
-             }
--- 
-2.41.0
-
diff --git a/0002-Issue-6112-RFE-add-new-operation-note-for-MFA-authen.patch b/0002-Issue-6112-RFE-add-new-operation-note-for-MFA-authen.patch
deleted file mode 100644
index ad60607..0000000
--- a/0002-Issue-6112-RFE-add-new-operation-note-for-MFA-authen.patch
+++ /dev/null
@@ -1,237 +0,0 @@
-From 3cd7d30628007f839436c417af6dd8a056c6a165 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Fri, 1 Mar 2024 11:28:17 -0500
-Subject: [PATCH 2/3] Issue 6112 - RFE - add new operation note for MFA
- authentications
-
-Add a new operation note to indicate that a MFA plugin performed the
-BIND.  This implies that the plugin must set the note itself as there is
-no other way to detect this:
-
-    slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH);
-
-The purpose for this is for auditing needs
-
-Fixes: https://github.com/389ds/389-ds-base/issues/6112
-
-Reviewed by: spichugi(Thanks!)
----
- ldap/admin/src/logconv.pl         | 37 ++++++++++++++++++-------------
- ldap/servers/slapd/log.c          |  6 ++++-
- ldap/servers/slapd/result.c       |  2 +-
- ldap/servers/slapd/slapi-plugin.h |  1 +
- 4 files changed, 28 insertions(+), 18 deletions(-)
-
-diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
-index 5ba91e99c..10bd5d2aa 100755
---- a/ldap/admin/src/logconv.pl
-+++ b/ldap/admin/src/logconv.pl
-@@ -2,11 +2,11 @@
- #
- # BEGIN COPYRIGHT BLOCK
- # Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
--# Copyright (C) 2022 Red Hat, Inc.
-+# Copyright (C) 2010-2024 Red Hat, Inc.
- # All rights reserved.
- #
- # License: GPL (version 3 or any later version).
--# See LICENSE for details. 
-+# See LICENSE for details.
- # END COPYRIGHT BLOCK
- #
- 
-@@ -218,6 +218,7 @@ my $sslClientFailedCount = 0;
- my $objectclassTopCount= 0;
- my $pagedSearchCount = 0;
- my $invalidFilterCount = 0;
-+my $mfaCount = 0;
- my $bindCount = 0;
- my $filterCount = 0;
- my $baseCount = 0;
-@@ -407,7 +408,7 @@ sub statusreport {
- ##########################################
- #                                        #
- #         Parse Access Logs              #
--#                                        # 
-+#                                        #
- ##########################################
- 
- if ($files[$#files] =~ m/access.rotationinfo/) {
-@@ -709,7 +710,7 @@ if($endTime){
- 
- #
- # Get the start time in seconds
--#  
-+#
- my $logStart = $start;
- my $startTotal = convertTimeToNanoseconds($logStart);
- 
-@@ -890,6 +891,7 @@ $etimeAvg = $totalEtime / $etimeCount;
- print sprintf "Average etime (elapsed time):  %.9f\n", $etimeAvg;
- 
- print "\n";
-+print "Multi-factor Authentications:  $mfaCount\n";
- print "Proxied Auth Operations:       $proxiedAuthCount\n";
- print "Persistent Searches:           $persistentSrchCount\n";
- print "Internal Operations:           $internalOpCount\n";
-@@ -1758,7 +1760,7 @@ if ($usage =~ /j/i || $verb eq "yes"){
- 		$recCount++;
- 	}
- 	if ($objectclassTopCount > ($srchCount *.25)){
--		print "\n $recCount.  You have a high number of searches that query the entire search base.  Although this is not necessarily bad, it could be resource intensive if the search base contains many entries.\n"; 
-+		print "\n $recCount.  You have a high number of searches that query the entire search base.  Although this is not necessarily bad, it could be resource intensive if the search base contains many entries.\n";
- 		$recCount++;
- 	}
- 	if ($recCount == 1){
-@@ -1792,7 +1794,7 @@ sub displayUsage {
- 
- 	print "         -h, --help         help/usage\n";
- 	print "         -d, --rootDN       <Directory Managers DN>  default is \"cn=directory manager\"\n";
--	print "         -D, --data         <Location for temporary data files>  default is \"/tmp\"\n";    
-+	print "         -D, --data         <Location for temporary data files>  default is \"/tmp\"\n";
- 	print "         -s, --sizeLimit    <Number of results to return per catagory>  default is 20\n";
- 	print "         -X, --excludeIP    <IP address to exclude from connection stats>  E.g. Load balancers\n";
- 	print "         -v, --version      show version of tool\n";
-@@ -1800,8 +1802,8 @@ sub displayUsage {
- 	print "             E.g. \"[28/Mar/2002:13:14:22 -0800]\"\n";
- 	print "         -E, --endTime      <time to stop analyzing logfile>\n";
- 	print "             E.g. \"[28/Mar/2002:13:24:62 -0800]\"\n";
--	print "         -m, --reportFileSecs  <CSV output file - per second stats>\n"; 
--	print "         -M, --reportFileMins  <CSV output file - per minute stats>\n";	
-+	print "         -m, --reportFileSecs  <CSV output file - per second stats>\n";
-+	print "         -M, --reportFileMins  <CSV output file - per minute stats>\n";
- 	print "         -B, --bind         <ALL | ANONYMOUS | \"Actual Bind DN\">\n";
- 	print "	        -T, --minEtime     <minimum etime to report unindexed searches>\n";
- 	print "         -V, --verbose      <enable verbose output - includes all stats listed below>\n";
-@@ -2288,6 +2290,9 @@ sub parseLineNormal
- 	if (m/ RESULT err=/ && m/ notes=[A-Z,]*P/){
- 		$pagedSearchCount++;
- 	}
-+	if (m/ RESULT err=/ && m/ notes=[A-Z,]*M/){
-+		$mfaCount++;
-+	}
- 	if (m/ RESULT err=/ && m/ notes=[A-Z,]*F/){
- 		$invalidFilterCount++;
- 		$con = "";
-@@ -2318,7 +2323,7 @@ sub parseLineNormal
- 			if ($vlvconn[$i] eq $con && $vlvop[$i] eq $op){ $vlvNotesACount++; $isVlvNotes="1";}
- 		}
- 		if($isVlvNotes == 0){
--			#  We don't want to record vlv unindexed searches for our regular "bad" 
-+			#  We don't want to record vlv unindexed searches for our regular "bad"
- 			#  unindexed search stat, as VLV unindexed searches aren't that bad
- 			$unindexedSrchCountNotesA++;
- 			if($reportStats){ inc_stats('notesA',$s_stats,$m_stats); }
-@@ -2345,7 +2350,7 @@ sub parseLineNormal
- 			if ($vlvconn[$i] eq $con && $vlvop[$i] eq $op){ $vlvNotesUCount++; $isVlvNotes="1";}
- 		}
- 		if($isVlvNotes == 0){
--			#  We don't want to record vlv unindexed searches for our regular "bad" 
-+			#  We don't want to record vlv unindexed searches for our regular "bad"
- 			#  unindexed search stat, as VLV unindexed searches aren't that bad
- 			$unindexedSrchCountNotesU++;
- 			if($reportStats){ inc_stats('notesU',$s_stats,$m_stats); }
-@@ -2586,7 +2591,7 @@ sub parseLineNormal
- 		if ($errcode ne "0"){ $errorCount++;}
- 		else { $successCount++;}
- 	}
--	if ($_ =~ /etime= *([0-9.]+)/ ) { 
-+	if ($_ =~ /etime= *([0-9.]+)/ ) {
- 		my $etime_val = $1;
- 		$totalEtime = $totalEtime + $1;
- 		$etimeCount++;
-@@ -2608,10 +2613,10 @@ sub parseLineNormal
- 		if ($reportStats){ inc_stats_val('optime',$optime_val,$s_stats,$m_stats); }
- 	}
- 	if ($_ =~ / tag=101 / || $_ =~ / tag=111 / || $_ =~ / tag=100 / || $_ =~ / tag=115 /){
--		if ($_ =~ / nentries= *([0-9]+)/i ){ 
-+		if ($_ =~ / nentries= *([0-9]+)/i ){
- 			my $nents = $1;
--			if ($usage =~ /n/i || $verb eq "yes"){ 
--				$hashes->{nentries}->{$nents}++; 
-+			if ($usage =~ /n/i || $verb eq "yes"){
-+				$hashes->{nentries}->{$nents}++;
- 			}
- 		}
- 	}
-@@ -2621,7 +2626,7 @@ sub parseLineNormal
- 	if (m/ EXT oid=/){
- 		$extopCount++;
- 		my $oid;
--		if ($_ =~ /oid=\" *([0-9\.]+)/i ){ 
-+		if ($_ =~ /oid=\" *([0-9\.]+)/i ){
- 			$oid = $1;
- 			if ($usage =~ /x/i || $verb eq "yes"){$hashes->{oid}->{$oid}++; }
- 		}
-@@ -2921,7 +2926,7 @@ printClients
- 	my $IPcount = "1";
- 
- 	foreach my $ip ( keys %connList ){   # Loop over all the IP addresses
--		foreach my $bc (@bindConns){ # Loop over each bind conn number and compare it 
-+		foreach my $bc (@bindConns){ # Loop over each bind conn number and compare it
- 			if($connList{$ip} =~ / $bc /){
- 				print("        [$IPcount]  $ip\n");
- 				$IPcount++;
-diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
-index 4aa905576..2c7bd933b 100644
---- a/ldap/servers/slapd/log.c
-+++ b/ldap/servers/slapd/log.c
-@@ -3892,6 +3892,7 @@ slapi_log_security(Slapi_PBlock *pb, const char *event_type, const char *msg)
-     int isroot = 0;
-     int rc = 0;
-     uint64_t conn_id = 0;
-+    uint32_t operation_notes = 0;
-     int32_t op_id = 0;
-     json_object *log_json = NULL;
- 
-@@ -3916,6 +3917,8 @@ slapi_log_security(Slapi_PBlock *pb, const char *event_type, const char *msg)
-     client_ip = pb_conn->c_ipaddr;
-     server_ip = pb_conn->c_serveripaddr;
-     ldap_version = pb_conn->c_ldapversion;
-+    operation_notes = slapi_pblock_get_operation_notes(pb);
-+
-     if (saslmech) {
-         external_bind = !strcasecmp(saslmech, LDAP_SASL_EXTERNAL);
-     }
-@@ -3982,7 +3985,8 @@ slapi_log_security(Slapi_PBlock *pb, const char *event_type, const char *msg)
-         break;
-     default:
-         /* Simple auth */
--        PR_snprintf(method_and_mech, sizeof(method_and_mech), "SIMPLE");
-+        PR_snprintf(method_and_mech, sizeof(method_and_mech), "%s",
-+                    (operation_notes & SLAPI_OP_NOTE_MFA_AUTH) ? "SIMPLE/MFA" : "SIMPLE");
-     }
- 
-     /* Get the time */
-diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c
-index 56ba6db8b..97af5a2b8 100644
---- a/ldap/servers/slapd/result.c
-+++ b/ldap/servers/slapd/result.c
-@@ -1946,11 +1946,11 @@ static struct slapi_note_map notemap[] = {
-     {SLAPI_OP_NOTE_SIMPLEPAGED, "P", "Paged Search"},
-     {SLAPI_OP_NOTE_FULL_UNINDEXED, "A", "Fully Unindexed Filter"},
-     {SLAPI_OP_NOTE_FILTER_INVALID, "F", "Filter Element Missing From Schema"},
-+    {SLAPI_OP_NOTE_MFA_AUTH, "M", "Multi-factor Authentication"},
- };
- 
- #define SLAPI_NOTEMAP_COUNT (sizeof(notemap) / sizeof(struct slapi_note_map))
- 
--
- /*
-  * fill buf with a string representation of the bits present in notes.
-  *
-diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
-index 4853e143b..12bc1f0aa 100644
---- a/ldap/servers/slapd/slapi-plugin.h
-+++ b/ldap/servers/slapd/slapi-plugin.h
-@@ -7323,6 +7323,7 @@ typedef enum _slapi_op_note_t {
-     SLAPI_OP_NOTE_SIMPLEPAGED = 0x02,
-     SLAPI_OP_NOTE_FULL_UNINDEXED = 0x04,
-     SLAPI_OP_NOTE_FILTER_INVALID = 0x08,
-+    SLAPI_OP_NOTE_MFA_AUTH = 0x10,
- } slapi_op_note_t;
- 
- 
--- 
-2.44.0
-
diff --git a/0003-Issue-6133-Move-slapi_pblock_set_flag_operation_note.patch b/0003-Issue-6133-Move-slapi_pblock_set_flag_operation_note.patch
deleted file mode 100644
index f17f51b..0000000
--- a/0003-Issue-6133-Move-slapi_pblock_set_flag_operation_note.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 189e078f574f586f6cff6f80081eded2c22c8868 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Tue, 26 Mar 2024 11:19:10 -0400
-Subject: [PATCH 3/3] Issue 6133 - Move slapi_pblock_set_flag_operation_notes()
- to slapi-plugin.h
-
-Description:
-
-slapi_pblock_set_flag_operation_notes() is currently only available in slapi-private.h, but with the latest changes at add "notes=M" it needs to be available to plugins.
-
-relates: https://github.com/389ds/389-ds-base/issues/6133
-
-Reviewed by: spichugi(Thanks!)
----
- ldap/servers/slapd/slapi-plugin.h  | 10 ++++++++++
- ldap/servers/slapd/slapi-private.h |  1 -
- 2 files changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
-index 12bc1f0aa..5d4af7c20 100644
---- a/ldap/servers/slapd/slapi-plugin.h
-+++ b/ldap/servers/slapd/slapi-plugin.h
-@@ -7326,6 +7326,16 @@ typedef enum _slapi_op_note_t {
-     SLAPI_OP_NOTE_MFA_AUTH = 0x10,
- } slapi_op_note_t;
- 
-+/**
-+ * Set an operation note on an operation.  This will append a notes keyword
-+ * in the access log result line for this operation
-+ *
-+ * \param pb - The slapi_pblock structure
-+ * \param opnotes
-+ * \return void
-+ */
-+void slapi_pblock_set_operation_notes(Slapi_PBlock *pb, uint32_t opnotes);
-+
- 
- /* Allows controls to be passed before operation object is created */
- #define SLAPI_CONTROLS_ARG 58
-diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
-index 17eedc2de..ee7659ac0 100644
---- a/ldap/servers/slapd/slapi-private.h
-+++ b/ldap/servers/slapd/slapi-private.h
-@@ -1510,7 +1510,6 @@ struct slapi_entry *slapi_pblock_get_pw_entry(Slapi_PBlock *pb);
- void slapi_pblock_set_pw_entry(Slapi_PBlock *pb, struct slapi_entry *entry);
- 
- uint32_t slapi_pblock_get_operation_notes(Slapi_PBlock *pb);
--void slapi_pblock_set_operation_notes(Slapi_PBlock *pb, uint32_t opnotes);
- void slapi_pblock_set_flag_operation_notes(Slapi_PBlock *pb, uint32_t opflag);
- void slapi_pblock_set_result_text_if_empty(Slapi_PBlock *pb, char *text);
- 
--- 
-2.44.0
-
diff --git a/0003-Issue-6188-Add-nsslapd-haproxy-trusted-ip-to-cn-sche.patch b/0003-Issue-6188-Add-nsslapd-haproxy-trusted-ip-to-cn-sche.patch
deleted file mode 100644
index 061bc56..0000000
--- a/0003-Issue-6188-Add-nsslapd-haproxy-trusted-ip-to-cn-sche.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 6c7047ad75016a7b767d70813a86b9a7b03ea49b Mon Sep 17 00:00:00 2001
-From: Simon Pichugin <spichugi@redhat.com>
-Date: Wed, 5 Jun 2024 17:24:00 -0700
-Subject: [PATCH] Issue 6188 - Add nsslapd-haproxy-trusted-ip to cn=schema
- (#6201)
-
-Description: Add HAProxy trusted IP address multi-valued attribute
-to cn=schema in 01core389.ldif
-
-Related: https://github.com/389ds/389-ds-base/issues/6188
-
-Reviewed by: @progier389 (Thanks!)
----
- ldap/schema/01core389.ldif | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
-index fad8bc2f9..c98e5b34b 100644
---- a/ldap/schema/01core389.ldif
-+++ b/ldap/schema/01core389.ldif
-@@ -331,6 +331,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2390 NAME 'nsds5ReplicaKeepAliveUpdateIn
- attributeTypes: ( 2.16.840.1.113730.3.1.2391 NAME 'dsEntryDN' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFICATION SINGLE-VALUE USAGE directoryOperation X-ORIGIN '389 Directory Server' )
- attributeTypes: ( 2.16.840.1.113730.3.1.2392 NAME 'nsslapd-return-original-entrydn' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
- attributeTypes: ( 2.16.840.1.113730.3.1.2393 NAME 'nsslapd-auditlog-display-attrs' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
-+attributeTypes: ( 2.16.840.1.113730.3.1.2398 NAME 'nsslapd-haproxy-trusted-ip' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN '389 Directory Server' )
- #
- # objectclasses
- #
--- 
-2.45.2
-
diff --git a/0004-CVE-2024-5953.patch b/0004-CVE-2024-5953.patch
deleted file mode 100644
index 37c2179..0000000
--- a/0004-CVE-2024-5953.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From 52a9ee6556a0467f5134fb6392ff1681a38f3252 Mon Sep 17 00:00:00 2001
-From: Pierre Rogier <progier@redhat.com>
-Date: Fri, 14 Jun 2024 13:27:10 +0200
-Subject: [PATCH] CVE-2024-5953
-
----
- .../tests/suites/password/regression_test.py  | 51 ++++++++++++++++++-
- ldap/servers/plugins/pwdstorage/md5_pwd.c     |  9 +++-
- ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c  |  6 +++
- 3 files changed, 64 insertions(+), 2 deletions(-)
-
-diff --git a/dirsrvtests/tests/suites/password/regression_test.py b/dirsrvtests/tests/suites/password/regression_test.py
-index 4876ff435..160d6f01d 100644
---- a/dirsrvtests/tests/suites/password/regression_test.py
-+++ b/dirsrvtests/tests/suites/password/regression_test.py
-@@ -8,11 +8,12 @@
- import pytest
- import time
- import glob
-+import base64
- from lib389._constants import PASSWORD, DN_DM, DEFAULT_SUFFIX
- from lib389._constants import SUFFIX, PASSWORD, DN_DM, DN_CONFIG, PLUGIN_RETRO_CHANGELOG, DEFAULT_SUFFIX, DEFAULT_CHANGELOG_DB, DEFAULT_BENAME
- from lib389 import Entry
- from lib389.topologies import topology_m1 as topo_supplier
--from lib389.idm.user import UserAccounts
-+from lib389.idm.user import UserAccounts, UserAccount
- from lib389.utils import ldap, os, logging, ensure_bytes, ds_is_newer, ds_supports_new_changelog
- from lib389.topologies import topology_st as topo
- from lib389.idm.organizationalunit import OrganizationalUnits
-@@ -40,6 +41,13 @@ TEST_PASSWORDS += ['CNpwtest1ZZZZ', 'ZZZZZCNpwtest1',
- TEST_PASSWORDS2 = (
-     'CN12pwtest31', 'SN3pwtest231', 'UID1pwtest123', 'MAIL2pwtest12@redhat.com', '2GN1pwtest123', 'People123')
- 
-+SUPPORTED_SCHEMES = (
-+    "{SHA}", "{SSHA}", "{SHA256}", "{SSHA256}",
-+    "{SHA384}", "{SSHA384}", "{SHA512}", "{SSHA512}",
-+    "{crypt}", "{NS-MTA-MD5}", "{clear}", "{MD5}",
-+    "{SMD5}", "{PBKDF2_SHA256}", "{PBKDF2_SHA512}",
-+    "{GOST_YESCRYPT}", "{PBKDF2-SHA256}", "{PBKDF2-SHA512}" )
-+
- def _check_unhashed_userpw(inst, user_dn, is_present=False):
-     """Check if unhashed#user#password attribute is present or not in the changelog"""
-     unhashed_pwd_attribute = 'unhashed#user#password'
-@@ -319,6 +327,47 @@ def test_unhashed_pw_switch(topo_supplier):
-         # Add debugging steps(if any)...
-         pass
- 
-+@pytest.mark.parametrize("scheme", SUPPORTED_SCHEMES )
-+def test_long_hashed_password(topo, create_user, scheme):
-+    """Check that hashed password with very long value does not cause trouble
-+
-+    :id: 252a1f76-114b-11ef-8a7a-482ae39447e5
-+    :setup: standalone Instance
-+    :parametrized: yes
-+    :steps:
-+        1. Add a test user user
-+        2. Set a long password with requested scheme
-+        3. Bind on that user using a wrong password
-+        4. Check that instance is still alive
-+        5. Remove the added user
-+    :expectedresults:
-+        1. Success
-+        2. Success
-+        3. Should get ldap.INVALID_CREDENTIALS exception
-+        4. Success
-+        5. Success
-+    """
-+    inst = topo.standalone
-+    inst.simple_bind_s(DN_DM, PASSWORD)
-+    users = UserAccounts(inst, DEFAULT_SUFFIX)
-+    # Make sure that server is started as this test may crash it
-+    inst.start()
-+    # Adding Test user (It may already exists if previous test failed)
-+    user2 = UserAccount(inst, dn='uid=test_user_1002,ou=People,dc=example,dc=com')
-+    if not user2.exists():
-+        user2 = users.create_test_user(uid=1002, gid=2002)
-+    # Setting hashed password
-+    passwd = 'A'*4000
-+    hashed_passwd = scheme.encode('utf-8') + base64.b64encode(passwd.encode('utf-8'))
-+    user2.replace('userpassword', hashed_passwd)
-+    # Bind on that user using a wrong password
-+    with pytest.raises(ldap.INVALID_CREDENTIALS):
-+        conn = user2.bind(PASSWORD)
-+    # Check that instance is still alive
-+    assert inst.status()
-+    # Remove the added user
-+    user2.delete()
-+
- 
- if __name__ == '__main__':
-     # Run isolated
-diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c
-index 1e2cf58e7..b9a48d5ca 100644
---- a/ldap/servers/plugins/pwdstorage/md5_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c
-@@ -37,6 +37,7 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
-     unsigned char hash_out[MD5_HASH_LEN];
-     unsigned char b2a_out[MD5_HASH_LEN * 2]; /* conservative */
-     SECItem binary_item;
-+    size_t dbpwd_len = strlen(dbpwd);
- 
-     ctx = PK11_CreateDigestContext(SEC_OID_MD5);
-     if (ctx == NULL) {
-@@ -45,6 +46,12 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
-         goto loser;
-     }
- 
-+    if (dbpwd_len >= sizeof b2a_out) {
-+        slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
-+                      "The hashed password stored in the user entry is longer than any valid md5 hash");
-+        goto loser;
-+    }
-+
-     /* create the hash */
-     PK11_DigestBegin(ctx);
-     PK11_DigestOp(ctx, (const unsigned char *)userpwd, strlen(userpwd));
-@@ -57,7 +64,7 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
-     bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item);
-     /* bver points to b2a_out upon success */
-     if (bver) {
--        rc = slapi_ct_memcmp(bver, dbpwd, strlen(dbpwd));
-+        rc = slapi_ct_memcmp(bver, dbpwd, dbpwd_len);
-     } else {
-         slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
-                       "Could not base64 encode hashed value for password compare");
-diff --git a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
-index dcac4fcdd..82b8c9501 100644
---- a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
-@@ -255,6 +255,12 @@ pbkdf2_sha256_pw_cmp(const char *userpwd, const char *dbpwd)
-     passItem.data = (unsigned char *)userpwd;
-     passItem.len = strlen(userpwd);
- 
-+    if (pwdstorage_base64_decode_len(dbpwd, dbpwd_len) > sizeof dbhash) {
-+        /* Hashed value is too long and cannot match any value generated by pbkdf2_sha256_hash */
-+        slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to base64 decode dbpwd value. (hashed value is too long)\n");
-+        return result;
-+    }
-+
-     /* Decode the DBpwd to bytes from b64 */
-     if (PL_Base64Decode(dbpwd, dbpwd_len, dbhash) == NULL) {
-         slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to base64 decode dbpwd value\n");
--- 
-2.44.0
-
diff --git a/0005-CVE-2024-6237.patch b/0005-CVE-2024-6237.patch
deleted file mode 100644
index 780cfa8..0000000
--- a/0005-CVE-2024-6237.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 323f74c69f84a8482413ecd73cf61d09cfc4a0a1 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Mon, 24 Jun 2024 15:51:28 +0200
-Subject: [PATCH] CVE-2024-6237
-
----
- ldap/servers/plugins/syntaxes/inchain.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/servers/plugins/syntaxes/inchain.c b/ldap/servers/plugins/syntaxes/inchain.c
-index df19c973b..0a6a04e9f 100644
---- a/ldap/servers/plugins/syntaxes/inchain.c
-+++ b/ldap/servers/plugins/syntaxes/inchain.c
-@@ -277,7 +277,7 @@ inchain_values2keys(Slapi_PBlock *pb, Slapi_Value **vals, Slapi_Value ***ivals,
-     slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &base_sdn);
- 
-     if (! slapi_attr_is_dn_syntax_type(mrTYPE)) {
--        slapi_log_err(SLAPI_LOG_ERR, "inchain", "Requires distinguishedName syntax. AttributeDescription %s is not distinguishedName\n");
-+        slapi_log_err(SLAPI_LOG_ERR, "inchain", "Requires distinguishedName syntax. AttributeDescription %s is not distinguishedName\n", mrTYPE);
-         result = (Slapi_Value **)slapi_ch_calloc(1, sizeof(Slapi_Value *));
-         *ivals = result;
-         return(0);
--- 
-2.44.0
-
diff --git a/0006-Issue-6227-dsconf-schema-does-not-show-inChain-match.patch b/0006-Issue-6227-dsconf-schema-does-not-show-inChain-match.patch
deleted file mode 100644
index 2486c76..0000000
--- a/0006-Issue-6227-dsconf-schema-does-not-show-inChain-match.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From cf6cdd05b7ddab36a0196d614b7a28b4372cf801 Mon Sep 17 00:00:00 2001
-From: tbordaz <tbordaz@redhat.com>
-Date: Mon, 24 Jun 2024 13:41:35 +0200
-Subject: [PATCH] Issue 6227 - dsconf schema does not show inChain matching
- rule (#6228)
-
-Bug description:
-	The registered inChain MR does defined any matching rule
-	syntax (mr_syntax).
-	When dsconf reads the matching rules (read_schema_dse)
-	it only reports those which have OID and SYNTAX.
-	As a consequence InChain was not reported.
-
-Fix description:
-	The syntax defines that assersion syntax that is
-	distinguished name. Add this syntax to the register
-	struct
-
-relates: #6227
-
-Reviewed by: Pierre Rogier (Thanks !)
----
- .../tests/suites/filter/inchain_test.py       | 19 +++++++++++++++++++
- ldap/servers/plugins/syntaxes/inchain.c       |  4 ++--
- 2 files changed, 21 insertions(+), 2 deletions(-)
-
-diff --git a/dirsrvtests/tests/suites/filter/inchain_test.py b/dirsrvtests/tests/suites/filter/inchain_test.py
-index c650b9374..d1d276edf 100644
---- a/dirsrvtests/tests/suites/filter/inchain_test.py
-+++ b/dirsrvtests/tests/suites/filter/inchain_test.py
-@@ -15,6 +15,7 @@ from lib389._constants import DEFAULT_SUFFIX, PW_DM, PLUGIN_MEMBER_OF
- from lib389.topologies import topology_st as topo
- from lib389.plugins import MemberOfPlugin
- 
-+from lib389.schema import Schema
- from lib389.idm.user import UserAccount, UserAccounts
- from lib389.idm.account import Accounts
- from lib389.idm.account import Anonymous
-@@ -812,6 +813,24 @@ def test_invalid_assertion(topo):
-     memberof = topo.standalone.search_s(DEFAULT_SUFFIX, SCOPE_SUBTREE, "(member:%s:=%s)" % (INCHAIN_OID, user))
-     assert len(memberof) == 0
- 
-+def test_check_dsconf_matchingrule(topo):
-+    """Test that the matching rule 'inchain' is listed by dsconf
-+
-+    :id: b8dd4049-ccec-4316-bc9c-5aa5c5afcfbd
-+    :setup: Standalone Instance
-+    :steps:
-+        1. fetch matching rules from the schema
-+        2. Checks that matching rules contains inchaineMatch matching rule
-+    :expectedresults:
-+        1. Success
-+        2. Success
-+    """
-+    schema = Schema(topo.standalone)
-+    mrs = [ f"{mr.oid} {mr.names[0]}" for mr in schema.get_matchingrules() if len(mr.names) > 0 ]
-+    for mr in mrs:
-+        log.info("retrieved matching rules are: %s", mr)
-+    assert '1.2.840.113556.1.4.1941 inchainMatch' in mrs
-+
- if __name__ == "__main__":
-     CURRENT_FILE = os.path.realpath(__file__)
-     pytest.main("-s -v %s" % CURRENT_FILE)
-diff --git a/ldap/servers/plugins/syntaxes/inchain.c b/ldap/servers/plugins/syntaxes/inchain.c
-index 52d0c4994..df19c973b 100644
---- a/ldap/servers/plugins/syntaxes/inchain.c
-+++ b/ldap/servers/plugins/syntaxes/inchain.c
-@@ -38,7 +38,7 @@ static char *names[] = {"inchain", "inchain", LDAP_MATCHING_RULE_IN_CHAIN_OID, 0
- static Slapi_PluginDesc pdesc = {"inchain-matching-rule", VENDOR, DS_PACKAGE_VERSION,
-                                  "inchain matching rule plugin"};
- 
--static const char *inchainMatch_names[] = {"inchainMatch", "1.2.840.113556.1.4.1941", NULL};
-+static const char *inchainMatch_names[] = {"inchainMatch", LDAP_MATCHING_RULE_IN_CHAIN_OID, NULL};
- 
- static struct mr_plugin_def mr_plugin_table[] = {
-     {
-@@ -64,7 +64,7 @@ static struct mr_plugin_def mr_plugin_table[] = {
-             "the AVA comparisons evaluate to Undefined and the remaining AVA "
-             "comparisons return TRUE then the distinguishedNameMatch rule "
-             "evaluates to Undefined.",
--            NULL,
-+            DN_SYNTAX_OID,
-             0,
-             NULL /* dn only for now */
-         },       /* matching rule desc */
--- 
-2.45.2
-
diff --git a/389-ds-base.spec b/389-ds-base.spec
index 6a60120..458e84e 100644
--- a/389-ds-base.spec
+++ b/389-ds-base.spec
@@ -46,8 +46,8 @@ ExcludeArch: i686
 
 Summary:          389 Directory Server (base)
 Name:             389-ds-base
-Version:          2.5.1
-Release:          2%{?dist}
+Version:          2.5.2
+Release:          1%{?dist}
 License:          GPL-3.0-or-later AND (0BSD OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (CC-BY-4.0 AND MIT) AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (MIT OR CC0-1.0) AND (MIT OR Unlicense) AND 0BSD AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MIT AND ISC AND MPL-2.0 AND PSF-2.0
 URL:              https://www.port389.org
 Conflicts:        selinux-policy-base < 3.9.8
@@ -58,53 +58,53 @@ Obsoletes:        %{name}-legacy-tools-debuginfo < 1.4.4.6
 Provides:         ldif2ldbm >= 0
 
 ##### Bundled cargo crates list - START #####
-Provides:  bundled(crate(addr2line)) = 0.21.0
+Provides:  bundled(crate(addr2line)) = 0.22.0
 Provides:  bundled(crate(adler)) = 1.0.2
 Provides:  bundled(crate(ahash)) = 0.7.8
 Provides:  bundled(crate(atty)) = 0.2.14
 Provides:  bundled(crate(autocfg)) = 1.3.0
-Provides:  bundled(crate(backtrace)) = 0.3.71
+Provides:  bundled(crate(backtrace)) = 0.3.73
 Provides:  bundled(crate(base64)) = 0.13.1
-Provides:  bundled(crate(bitflags)) = 2.5.0
+Provides:  bundled(crate(bitflags)) = 2.6.0
 Provides:  bundled(crate(byteorder)) = 1.5.0
 Provides:  bundled(crate(cbindgen)) = 0.26.0
-Provides:  bundled(crate(cc)) = 1.0.97
+Provides:  bundled(crate(cc)) = 1.1.7
 Provides:  bundled(crate(cfg-if)) = 1.0.0
 Provides:  bundled(crate(clap)) = 3.2.25
 Provides:  bundled(crate(clap_lex)) = 0.2.4
 Provides:  bundled(crate(concread)) = 0.2.21
 Provides:  bundled(crate(crossbeam)) = 0.8.4
-Provides:  bundled(crate(crossbeam-channel)) = 0.5.12
+Provides:  bundled(crate(crossbeam-channel)) = 0.5.13
 Provides:  bundled(crate(crossbeam-deque)) = 0.8.5
 Provides:  bundled(crate(crossbeam-epoch)) = 0.9.18
 Provides:  bundled(crate(crossbeam-queue)) = 0.3.11
-Provides:  bundled(crate(crossbeam-utils)) = 0.8.19
-Provides:  bundled(crate(errno)) = 0.3.8
+Provides:  bundled(crate(crossbeam-utils)) = 0.8.20
+Provides:  bundled(crate(errno)) = 0.3.9
 Provides:  bundled(crate(fastrand)) = 2.1.0
 Provides:  bundled(crate(fernet)) = 0.1.4
 Provides:  bundled(crate(foreign-types)) = 0.3.2
 Provides:  bundled(crate(foreign-types-shared)) = 0.1.1
 Provides:  bundled(crate(getrandom)) = 0.2.15
-Provides:  bundled(crate(gimli)) = 0.28.1
+Provides:  bundled(crate(gimli)) = 0.29.0
 Provides:  bundled(crate(hashbrown)) = 0.12.3
 Provides:  bundled(crate(heck)) = 0.4.1
 Provides:  bundled(crate(hermit-abi)) = 0.1.19
 Provides:  bundled(crate(indexmap)) = 1.9.3
-Provides:  bundled(crate(instant)) = 0.1.12
+Provides:  bundled(crate(instant)) = 0.1.13
 Provides:  bundled(crate(itoa)) = 1.0.11
-Provides:  bundled(crate(jobserver)) = 0.1.31
-Provides:  bundled(crate(libc)) = 0.2.154
-Provides:  bundled(crate(linux-raw-sys)) = 0.4.13
+Provides:  bundled(crate(jobserver)) = 0.1.32
+Provides:  bundled(crate(libc)) = 0.2.155
+Provides:  bundled(crate(linux-raw-sys)) = 0.4.14
 Provides:  bundled(crate(lock_api)) = 0.4.12
-Provides:  bundled(crate(log)) = 0.4.21
+Provides:  bundled(crate(log)) = 0.4.22
 Provides:  bundled(crate(lru)) = 0.7.8
-Provides:  bundled(crate(memchr)) = 2.7.2
-Provides:  bundled(crate(miniz_oxide)) = 0.7.2
-Provides:  bundled(crate(object)) = 0.32.2
+Provides:  bundled(crate(memchr)) = 2.7.4
+Provides:  bundled(crate(miniz_oxide)) = 0.7.4
+Provides:  bundled(crate(object)) = 0.36.2
 Provides:  bundled(crate(once_cell)) = 1.19.0
-Provides:  bundled(crate(openssl)) = 0.10.64
+Provides:  bundled(crate(openssl)) = 0.10.66
 Provides:  bundled(crate(openssl-macros)) = 0.1.1
-Provides:  bundled(crate(openssl-sys)) = 0.9.102
+Provides:  bundled(crate(openssl-sys)) = 0.9.103
 Provides:  bundled(crate(os_str_bytes)) = 6.6.1
 Provides:  bundled(crate(parking_lot)) = 0.11.2
 Provides:  bundled(crate(parking_lot_core)) = 0.8.6
@@ -112,9 +112,9 @@ Provides:  bundled(crate(paste)) = 0.1.18
 Provides:  bundled(crate(paste-impl)) = 0.1.18
 Provides:  bundled(crate(pin-project-lite)) = 0.2.14
 Provides:  bundled(crate(pkg-config)) = 0.3.30
-Provides:  bundled(crate(ppv-lite86)) = 0.2.17
+Provides:  bundled(crate(ppv-lite86)) = 0.2.18
 Provides:  bundled(crate(proc-macro-hack)) = 0.5.20+deprecated
-Provides:  bundled(crate(proc-macro2)) = 1.0.82
+Provides:  bundled(crate(proc-macro2)) = 1.0.86
 Provides:  bundled(crate(quote)) = 1.0.36
 Provides:  bundled(crate(rand)) = 0.8.5
 Provides:  bundled(crate(rand_chacha)) = 0.3.1
@@ -124,38 +124,40 @@ Provides:  bundled(crate(rustc-demangle)) = 0.1.24
 Provides:  bundled(crate(rustix)) = 0.38.34
 Provides:  bundled(crate(ryu)) = 1.0.18
 Provides:  bundled(crate(scopeguard)) = 1.2.0
-Provides:  bundled(crate(serde)) = 1.0.201
-Provides:  bundled(crate(serde_derive)) = 1.0.201
-Provides:  bundled(crate(serde_json)) = 1.0.117
+Provides:  bundled(crate(serde)) = 1.0.204
+Provides:  bundled(crate(serde_derive)) = 1.0.204
+Provides:  bundled(crate(serde_json)) = 1.0.121
 Provides:  bundled(crate(smallvec)) = 1.13.2
 Provides:  bundled(crate(strsim)) = 0.10.0
-Provides:  bundled(crate(syn)) = 2.0.61
+Provides:  bundled(crate(syn)) = 2.0.72
 Provides:  bundled(crate(tempfile)) = 3.10.1
 Provides:  bundled(crate(termcolor)) = 1.4.1
 Provides:  bundled(crate(textwrap)) = 0.16.1
-Provides:  bundled(crate(tokio)) = 1.37.0
-Provides:  bundled(crate(tokio-macros)) = 2.2.0
+Provides:  bundled(crate(tokio)) = 1.39.2
+Provides:  bundled(crate(tokio-macros)) = 2.4.0
 Provides:  bundled(crate(toml)) = 0.5.11
 Provides:  bundled(crate(unicode-ident)) = 1.0.12
 Provides:  bundled(crate(uuid)) = 0.8.2
 Provides:  bundled(crate(vcpkg)) = 0.2.15
-Provides:  bundled(crate(version_check)) = 0.9.4
+Provides:  bundled(crate(version_check)) = 0.9.5
 Provides:  bundled(crate(wasi)) = 0.11.0+wasi_snapshot_preview1
 Provides:  bundled(crate(winapi)) = 0.3.9
 Provides:  bundled(crate(winapi-i686-pc-windows-gnu)) = 0.4.0
 Provides:  bundled(crate(winapi-util)) = 0.1.8
 Provides:  bundled(crate(winapi-x86_64-pc-windows-gnu)) = 0.4.0
 Provides:  bundled(crate(windows-sys)) = 0.52.0
-Provides:  bundled(crate(windows-targets)) = 0.52.5
-Provides:  bundled(crate(windows_aarch64_gnullvm)) = 0.52.5
-Provides:  bundled(crate(windows_aarch64_msvc)) = 0.52.5
-Provides:  bundled(crate(windows_i686_gnu)) = 0.52.5
-Provides:  bundled(crate(windows_i686_gnullvm)) = 0.52.5
-Provides:  bundled(crate(windows_i686_msvc)) = 0.52.5
-Provides:  bundled(crate(windows_x86_64_gnu)) = 0.52.5
-Provides:  bundled(crate(windows_x86_64_gnullvm)) = 0.52.5
-Provides:  bundled(crate(windows_x86_64_msvc)) = 0.52.5
-Provides:  bundled(crate(zeroize)) = 1.7.0
+Provides:  bundled(crate(windows-targets)) = 0.52.6
+Provides:  bundled(crate(windows_aarch64_gnullvm)) = 0.52.6
+Provides:  bundled(crate(windows_aarch64_msvc)) = 0.52.6
+Provides:  bundled(crate(windows_i686_gnu)) = 0.52.6
+Provides:  bundled(crate(windows_i686_gnullvm)) = 0.52.6
+Provides:  bundled(crate(windows_i686_msvc)) = 0.52.6
+Provides:  bundled(crate(windows_x86_64_gnu)) = 0.52.6
+Provides:  bundled(crate(windows_x86_64_gnullvm)) = 0.52.6
+Provides:  bundled(crate(windows_x86_64_msvc)) = 0.52.6
+Provides:  bundled(crate(zerocopy)) = 0.6.6
+Provides:  bundled(crate(zerocopy-derive)) = 0.6.6
+Provides:  bundled(crate(zeroize)) = 1.8.1
 Provides:  bundled(crate(zeroize_derive)) = 1.4.2
 Provides:  bundled(npm(@aashutoshrathi/word-wrap)) = 1.2.6
 Provides:  bundled(npm(@eslint-community/eslint-utils)) = 4.4.0
@@ -466,12 +468,6 @@ Source2:          %{name}-devel.README
 Source3:          https://github.com/jemalloc/%{jemalloc_name}/releases/download/%{jemalloc_ver}/%{jemalloc_name}-%{jemalloc_ver}.tar.bz2
 %endif
 Source4:          389-ds-base.sysusers
-Patch01:          0001-CVE-2024-3657.patch
-Patch02:          0002-CVE-2024-2199.patch
-Patch03:          0003-Issue-6188-Add-nsslapd-haproxy-trusted-ip-to-cn-sche.patch
-Patch04:          0004-CVE-2024-5953.patch
-Patch05:          0005-CVE-2024-6237.patch
-Patch06:          0006-Issue-6227-dsconf-schema-does-not-show-inChain-match.patch
 
 
 %description
@@ -915,6 +911,18 @@ exit 0
 %endif
 
 %changelog
+* Mon Aug 12 2024 Viktor Ashirov <vashirov@redhat.com> - 2.5.2-1
+- Bump version to 2.5.2-1
+- Resolves: RHEL-5108 - ns-slapd crash in referint_get_config
+- Resolves: RHEL-5113 - nsslapd-numlisteners limit is not enforced
+- Resolves: RHEL-5115 - `dscreate ds-root` accepts relative path
+- Resolves: RHEL-5131 - ldif2db can be very slow
+- Resolves: RHEL-5138 - Logconv.pl CSV file contains mismatched header and data columns
+- Resolves: RHEL-14760 - ns-slapd crash in vlvIndex_delete
+- Resolves: RHEL-17511 - nsslapd-idletimeout is ignored
+- Resolves: RHEL-49454 - perf search result investigation for many large static groups and members
+- Resolves: RHEL-49458 - subsuffix are not returned in one level scoped search
+
 * Tue Jul 09 2024 James Chapman <jachapma@redhat.com> - 2.5.1-2
 - Bump version to 2.5.1-2
 - Resolves: RHEL-44324 - unauthenticated user can trigger a DoS by sending a specific extended search request
diff --git a/sources b/sources
index f7ddc58..2dd9212 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (jemalloc-5.3.0.tar.bz2) = 22907bb052096e2caffb6e4e23548aecc5cc9283dce476896a2b1127eee64170e3562fa2e7db9571298814a7a2c7df6e8d1fbe152bd3f3b0c1abec22a2de34b1
-SHA512 (389-ds-base-2.5.1.tar.bz2) = bb3c9b4f08787deccc70a653520438b386f8b45d69ab3a755ed67c6b2896fb1727a8710643e042d68af5126b3183ee6cd501816f476541566bad0727c99de36c
+SHA512 (389-ds-base-2.5.2.tar.bz2) = 20c4208c165b9a2778293f8e3111c9713775d2488e1a5adecaa5a49381768d371ba696a504f5bdac4c513579944f86111f0033818c75b7dd95f7212f7a2f1b47