Bump version to 2.5.2-1

- Resolves: RHEL-5108 - ns-slapd crash in referint_get_config - Resolves: RHEL-5113 - nsslapd-numlisteners limit is not enforced - Resolves: RHEL-5115 - `dscreate ds-root` accepts relative path - Resolves: RHEL-5131 - ldif2db can be very slow - Resolves: RHEL-5138 - Logconv.pl CSV file contains mismatched header and data columns - Resolves: RHEL-14760 - ns-slapd crash in vlvIndex_delete - Resolves: RHEL-17511 - nsslapd-idletimeout is ignored - Resolves: RHEL-49454 - perf search result investigation for many large static groups and members - Resolves: RHEL-49458 - subsuffix are not returned in one level scoped search
2024-08-12 21:14:59 +02:00 · 2024-08-12 21:14:59 +02:00 · d913cc881d
commit d913cc881d
parent c7dc9357ac
12 changed files with 55 additions and 1030 deletions
--- a/.gitignore
+++ b/.gitignore
@ -219,3 +219,4 @@
 /389-ds-base-2.4.4.tar.bz2
 /389-ds-base-2.4.5.tar.bz2
 /389-ds-base-2.5.1.tar.bz2
 /389-ds-base-2.5.2.tar.bz2
--- a/0001-CVE-2024-3657.patch
+++ b/0001-CVE-2024-3657.patch
@ -1,213 +0,0 @@
 From 5cfa136c48c477765cb20b007ad441ed21534e86 Mon Sep 17 00:00:00 2001
 From: Pierre Rogier <progier@redhat.com>
 Date: Wed, 17 Apr 2024 18:18:04 +0200
 Subject: [PATCH] CVE-2024-3657
 ---
 .../tests/suites/filter/large_filter_test.py  |  34 +++++-
 ldap/servers/slapd/back-ldbm/index.c          | 111 ++++++++++--------
 2 files changed, 92 insertions(+), 53 deletions(-)
 diff --git a/dirsrvtests/tests/suites/filter/large_filter_test.py b/dirsrvtests/tests/suites/filter/large_filter_test.py
 index 964facae5..5390a0f9c 100644
 --- a/dirsrvtests/tests/suites/filter/large_filter_test.py
 +++ b/dirsrvtests/tests/suites/filter/large_filter_test.py
@@ -13,19 +13,29 @@ verify and testing  Filter from a search
 import os
 import pytest
 +import ldap
 -from lib389._constants import PW_DM
 +from lib389._constants import PW_DM, DEFAULT_SUFFIX, ErrorLog
 from lib389.topologies import topology_st as topo
 from lib389.idm.user import UserAccounts, UserAccount
 from lib389.idm.account import Accounts
 from lib389.backend import Backends
 from lib389.idm.domain import Domain
 +from lib389.utils import get_ldapurl_from_serverid
 SUFFIX = 'dc=anuj,dc=com'
 pytestmark = pytest.mark.tier1
 +def open_new_ldapi_conn(dsinstance):
 +    ldapurl, certdir = get_ldapurl_from_serverid(dsinstance)
 +    assert 'ldapi://' in ldapurl
 +    conn = ldap.initialize(ldapurl)
 +    conn.sasl_interactive_bind_s("", ldap.sasl.external())
 +    return conn
 +
 +
 @pytest.fixture(scope="module")
 def _create_entries(request, topo):
     """
@@ -159,6 +169,28 @@ def test_large_filter(topo, _create_entries, real_value):
     assert len(Accounts(conn, SUFFIX).filter(real_value)) == 3
 +def test_long_filter_value(topo):
 +    """Exercise large eq filter with dn syntax attributes
 +
 +        :id: b069ef72-fcc3-11ee-981c-482ae39447e5
 +        :setup: Standalone
 +        :steps:
 +            1. Try to pass filter rules as per the condition.
 +        :expectedresults:
 +            1. Pass
 +    """
 +    inst = topo.standalone
 +    conn = open_new_ldapi_conn(inst.serverid)
 +    inst.config.loglevel(vals=(ErrorLog.DEFAULT,ErrorLog.TRACE,ErrorLog.SEARCH_FILTER))
 +    filter_value = "a\x1Edmin" * 1025
 +    conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})')
 +    filter_value = "aAdmin" * 1025
 +    conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})')
 +    filter_value = "*"
 +    conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})')
 +    inst.config.loglevel(vals=(ErrorLog.DEFAULT,))
 +
 +
 if __name__ == '__main__':
     CURRENT_FILE = os.path.realpath(__file__)
     pytest.main("-s -v %s" % CURRENT_FILE)
 diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
 index 86bc825fe..bdac0a616 100644
 --- a/ldap/servers/slapd/back-ldbm/index.c
 +++ b/ldap/servers/slapd/back-ldbm/index.c
@@ -74,6 +74,32 @@ typedef struct _index_buffer_handle index_buffer_handle;
 #define INDEX_BUFFER_FLAG_SERIALIZE 1
 #define INDEX_BUFFER_FLAG_STATS 2
 +/*
 + * space needed to encode a byte:
 + *  0x00-0x31 and 0x7f-0xff requires 3 bytes: \xx
 + *  0x22 and 0x5C requires 2 bytes: \" and \\
 + *  other requires 1 byte: c
 + */
 +static char encode_size[] = {
 +    /* 0x00 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
 +    /* 0x10 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
 +    /* 0x20 */   1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
 +    /* 0x30 */   1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
 +    /* 0x40 */   1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
 +    /* 0x50 */   1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1,
 +    /* 0x60 */   1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
 +    /* 0x70 */   1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3,
 +    /* 0x80 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
 +    /* 0x90 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
 +    /* 0xA0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
 +    /* 0xB0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
 +    /* 0xC0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
 +    /* 0xD0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
 +    /* 0xE0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
 +    /* 0xF0 */   3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
 +};
 +
 +
 /* Index buffering functions */
 static int
@@ -802,65 +828,46 @@ index_add_mods(
 /*
  * Convert a 'struct berval' into a displayable ASCII string
 + * returns the printable string
  */
 -
 -#define SPECIAL(c) (c < 32 || c > 126 || c == '\\' || c == '"')
 -
 const char *
 encode(const struct berval *data, char buf[BUFSIZ])
 {
 -    char *s;
 -    char *last;
 -    if (data == NULL || data->bv_len == 0)
 -        return "";
 -    last = data->bv_val + data->bv_len - 1;
 -    for (s = data->bv_val; s < last; ++s) {
 -        if (SPECIAL(*s)) {
 -            char *first = data->bv_val;
 -            char *bufNext = buf;
 -            size_t bufSpace = BUFSIZ - 4;
 -            while (1) {
 -                /* printf ("%lu bytes ASCII\n", (unsigned long)(s - first)); */
 -                if (bufSpace < (size_t)(s - first))
 -                    s = first + bufSpace - 1;
 -                if (s != first) {
 -                    memcpy(bufNext, first, s - first);
 -                    bufNext += (s - first);
 -                    bufSpace -= (s - first);
 -                }
 -                do {
 -                    if (bufSpace) {
 -                        *bufNext++ = '\\';
 -                        --bufSpace;
 -                    }
 -                    if (bufSpace < 2) {
 -                        memcpy(bufNext, "..", 2);
 -                        bufNext += 2;
 -                        goto bail;
 -                    }
 -                    if (*s == '\\' || *s == '"') {
 -                        *bufNext++ = *s;
 -                        --bufSpace;
 -                    } else {
 -                        sprintf(bufNext, "%02x", (unsigned)*(unsigned char *)s);
 -                        bufNext += 2;
 -                        bufSpace -= 2;
 -                    }
 -                } while (++s <= last && SPECIAL(*s));
 -                if (s > last)
 -                    break;
 -                first = s;
 -                while (!SPECIAL(*s) && s <= last)
 -                    ++s;
 -            }
 -        bail:
 -            *bufNext = '\0';
 -            /* printf ("%lu chars in buffer\n", (unsigned long)(bufNext - buf)); */
 +    if (!data || !data->bv_val) {
 +        strcpy(buf, "<NULL>");
 +        return buf;
 +    }
 +    char *endbuff = &buf[BUFSIZ-4];  /* Reserve space to append "...\0" */
 +    char *ptout = buf;
 +    unsigned char *ptin = (unsigned char*) data->bv_val;
 +    unsigned char *endptin = ptin+data->bv_len;
 +
 +    while (ptin < endptin) {
 +        if (ptout >= endbuff) {
 +            /*
 +             * BUFSIZ(8K) > SLAPI_LOG_BUFSIZ(2K) so the error log message will be
 +             * truncated anyway. So there is no real interrest to test if the original
 +             * data contains no special characters and return it as is.
 +             */
 +            strcpy(endbuff, "...");
             return buf;
         }
 +        switch (encode_size[*ptin]) {
 +            case 1:
 +                *ptout++ = *ptin++;
 +                break;
 +            case 2:
 +                *ptout++ = '\\';
 +                *ptout++ = *ptin++;
 +                break;
 +            case 3:
 +                sprintf(ptout, "\\%02x", *ptin++);
 +                ptout += 3;
 +                break;
 +        }
     }
 -    /* printf ("%lu bytes, all ASCII\n", (unsigned long)(s - data->bv_val)); */
 -    return data->bv_val;
 +    *ptout = 0;
 +    return buf;
 }
 static const char *
 -- 
 2.44.0
--- a/0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
+++ b/0001-Issue-3527-Support-HAProxy-and-Instance-on-the-same-.patch
@ -1,83 +0,0 @@
 From fcdeec3b876a28e06bb53a60fe502cb702403931 Mon Sep 17 00:00:00 2001
 From: Simon Pichugin <spichugi@redhat.com>
 Date: Tue, 27 Feb 2024 16:30:47 -0800
 Subject: [PATCH] Issue 3527 - Support HAProxy and Instance on the same machine
 configuration (#6107)
 Description: Improve how we handle HAProxy connections to work better when
 the DS and HAProxy are on the same machine.
 Ensure the client and header destination IPs are checked against the trusted IP list.
 Additionally, this change will also allow configuration having
 HAProxy is listening on a different subnet than the one used to forward the request.
 Related: https://github.com/389ds/389-ds-base/issues/3527
 Reviewed by: @progier389, @jchapma (Thanks!)
 ---
 ldap/servers/slapd/connection.c | 35 +++++++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 8 deletions(-)
 diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
 index a30511c97..07d629475 100644
 --- a/ldap/servers/slapd/connection.c
 +++ b/ldap/servers/slapd/connection.c
@@ -1187,6 +1187,8 @@ connection_read_operation(Connection *conn, Operation *op, ber_tag_t *tag, int *
     char str_ip[INET6_ADDRSTRLEN + 1] = {0};
     char str_haproxy_ip[INET6_ADDRSTRLEN + 1] = {0};
     char str_haproxy_destip[INET6_ADDRSTRLEN + 1] = {0};
 +    int trusted_matches_ip_found = 0;
 +    int trusted_matches_destip_found = 0;
     struct berval **bvals = NULL;
     int proxy_connection = 0;
@@ -1245,21 +1247,38 @@ connection_read_operation(Connection *conn, Operation *op, ber_tag_t *tag, int *
                         normalize_IPv4(conn->cin_addr, buf_ip, sizeof(buf_ip), str_ip, sizeof(str_ip));
                         normalize_IPv4(&pr_netaddr_dest, buf_haproxy_destip, sizeof(buf_haproxy_destip),
                                        str_haproxy_destip, sizeof(str_haproxy_destip));
 +                        size_t ip_len = strlen(buf_ip);
 +                        size_t destip_len = strlen(buf_haproxy_destip);
                         /* Now, reset RC and set it to 0 only if a match is found */
                         haproxy_rc = -1;
 -                        /* Allow only:
 -                        * Trusted IP == Original Client IP == HAProxy Header Destination IP */
 +                        /* 
 +                         * We need to allow a configuration where DS instance and HAProxy are on the same machine.
 +                         * In this case, we need to check if
 +                         * the HAProxy client IP (which will be a loopback address) matches one of the the trusted IP addresses,
 +                         * while still checking that
 +                         * the HAProxy header destination IP address matches one of the trusted IP addresses.
 +                         * Additionally, this change will also allow configuration having
 +                         * HAProxy listening on a different subnet than one used to forward the request.
 +                         */
                         for (size_t i = 0; bvals[i] != NULL; ++i) {
 -                            if ((strlen(bvals[i]->bv_val) == strlen(buf_ip)) &&
 -                                (strlen(bvals[i]->bv_val) == strlen(buf_haproxy_destip)) &&
 -                                (strncasecmp(bvals[i]->bv_val, buf_ip, strlen(buf_ip)) == 0) &&
 -                                (strncasecmp(bvals[i]->bv_val, buf_haproxy_destip, strlen(buf_haproxy_destip)) == 0)) {
 -                                haproxy_rc = 0;
 -                                break;
 +                            size_t bval_len = strlen(bvals[i]->bv_val);
 +
 +                            /* Check if the Client IP (HAProxy's machine IP) address matches the trusted IP address */
 +                            if (!trusted_matches_ip_found) {
 +                                trusted_matches_ip_found = (bval_len == ip_len) && (strncasecmp(bvals[i]->bv_val, buf_ip, ip_len) == 0);
 +                            }
 +                            /* Check if the HAProxy header destination IP address matches the trusted IP address */
 +                            if (!trusted_matches_destip_found) {
 +                                trusted_matches_destip_found = (bval_len == destip_len) && (strncasecmp(bvals[i]->bv_val, buf_haproxy_destip, destip_len) == 0);
                             }
                         }
 +
 +                        if (trusted_matches_ip_found && trusted_matches_destip_found) {
 +                            haproxy_rc = 0;
 +                        }
 +
                         if (haproxy_rc == -1) {
                             slapi_log_err(SLAPI_LOG_CONNS, "connection_read_operation", "HAProxy header received from unknown source.\n");
                             disconnect_server_nomutex(conn, conn->c_connid, -1, SLAPD_DISCONNECT_PROXY_UNKNOWN, EPROTO);
 -- 
 2.43.0
--- a/0002-CVE-2024-2199.patch
+++ b/0002-CVE-2024-2199.patch
@ -1,108 +0,0 @@
 From 23956cfb86a312318667fb9376322574fa8ec7f4 Mon Sep 17 00:00:00 2001
 From: James Chapman <jachapma@redhat.com>
 Date: Wed, 1 May 2024 15:01:33 +0100
 Subject: [PATCH] CVE-2024-2199
 ---
 .../tests/suites/password/password_test.py    | 56 +++++++++++++++++++
 ldap/servers/slapd/modify.c                   |  8 ++-
 2 files changed, 62 insertions(+), 2 deletions(-)
 diff --git a/dirsrvtests/tests/suites/password/password_test.py b/dirsrvtests/tests/suites/password/password_test.py
 index 1245feb31..e4abd9907 100644
 --- a/dirsrvtests/tests/suites/password/password_test.py
 +++ b/dirsrvtests/tests/suites/password/password_test.py
@@ -63,6 +63,62 @@ def test_password_delete_specific_password(topology_st):
     log.info('test_password_delete_specific_password: PASSED')
 +def test_password_modify_non_utf8(topology_st):
 +    """Attempt a modify of the userPassword attribute with
 +    an invalid non utf8 value
 +
 +    :id: a31af9d5-d665-42b9-8d6e-fea3d0837d36
 +    :setup: Standalone instance
 +    :steps:
 +        1. Add a user if it doesnt exist and set its password
 +        2. Verify password with a bind
 +        3. Modify userPassword attr with invalid value
 +        4. Attempt a bind with invalid password value
 +        5. Verify original password with a bind
 +    :expectedresults:
 +        1. The user with userPassword should be added successfully
 +        2. Operation should be successful
 +        3. Server returns ldap.UNWILLING_TO_PERFORM
 +        4. Server returns ldap.INVALID_CREDENTIALS
 +        5. Operation should be successful
 +     """
 +
 +    log.info('Running test_password_modify_non_utf8...')
 +
 +    # Create user and set password
 +    standalone = topology_st.standalone
 +    users = UserAccounts(standalone, DEFAULT_SUFFIX)
 +    if not users.exists(TEST_USER_PROPERTIES['uid'][0]):
 +        user = users.create(properties=TEST_USER_PROPERTIES)
 +    else:
 +        user = users.get(TEST_USER_PROPERTIES['uid'][0])
 +    user.set('userpassword', PASSWORD)
 +
 +    # Verify password
 +    try:
 +        user.bind(PASSWORD)
 +    except ldap.LDAPError as e:
 +        log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc'])
 +        assert False
 +
 +    # Modify userPassword with an invalid value
 +    password = b'tes\x82t-password' # A non UTF-8 encoded password
 +    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
 +        user.replace('userpassword', password)
 +
 +    # Verify a bind fails with invalid pasword
 +    with pytest.raises(ldap.INVALID_CREDENTIALS):
 +        user.bind(password)
 +
 +    # Verify we can still bind with original password
 +    try:
 +        user.bind(PASSWORD)
 +    except ldap.LDAPError as e:
 +        log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc'])
 +        assert False
 +
 +    log.info('test_password_modify_non_utf8: PASSED')
 +
 if __name__ == '__main__':
     # Run isolated
     # -s for DEBUG mode
 diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
 index a20984e0b..fb65d58b3 100644
 --- a/ldap/servers/slapd/modify.c
 +++ b/ldap/servers/slapd/modify.c
@@ -762,8 +762,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
      * flagged - leave mod attributes alone */
     if (!repl_op && !skip_modified_attrs && lastmod) {
         modify_update_last_modified_attr(pb, &smods);
 +        slapi_pblock_set(pb, SLAPI_MODIFY_MODS, slapi_mods_get_ldapmods_byref(&smods));
     }
 +
     if (0 == slapi_mods_get_num_mods(&smods)) {
         /* nothing to do - no mods - this is not an error - just
            send back LDAP_SUCCESS */
@@ -930,8 +932,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
             /* encode password */
             if (pw_encodevals_ext(pb, sdn, va)) {
 -                slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s.\n", slapi_entry_get_dn_const(e));
 -                send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to store attribute \"userPassword\" correctly\n", 0, NULL);
 +                slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s, "
 +                    "check value is utf8 string.\n", slapi_entry_get_dn_const(e));
 +                send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to hash \"userPassword\" attribute, "
 +                    "check value is utf8 string.\n", 0, NULL);
                 valuearray_free(&va);
                 goto free_and_return;
             }
 -- 
 2.41.0
--- a/0002-Issue-6112-RFE-add-new-operation-note-for-MFA-authen.patch
+++ b/0002-Issue-6112-RFE-add-new-operation-note-for-MFA-authen.patch
@ -1,237 +0,0 @@
 From 3cd7d30628007f839436c417af6dd8a056c6a165 Mon Sep 17 00:00:00 2001
 From: Mark Reynolds <mreynolds@redhat.com>
 Date: Fri, 1 Mar 2024 11:28:17 -0500
 Subject: [PATCH 2/3] Issue 6112 - RFE - add new operation note for MFA
 authentications
 Add a new operation note to indicate that a MFA plugin performed the
 BIND.  This implies that the plugin must set the note itself as there is
 no other way to detect this:
    slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH);
 The purpose for this is for auditing needs
 Fixes: https://github.com/389ds/389-ds-base/issues/6112
 Reviewed by: spichugi(Thanks!)
 ---
 ldap/admin/src/logconv.pl         | 37 ++++++++++++++++++-------------
 ldap/servers/slapd/log.c          |  6 ++++-
 ldap/servers/slapd/result.c       |  2 +-
 ldap/servers/slapd/slapi-plugin.h |  1 +
 4 files changed, 28 insertions(+), 18 deletions(-)
 diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
 index 5ba91e99c..10bd5d2aa 100755
 --- a/ldap/admin/src/logconv.pl
 +++ b/ldap/admin/src/logconv.pl
@@ -2,11 +2,11 @@
 #
 # BEGIN COPYRIGHT BLOCK
 # Copyright (C) 2001 Sun Microsystems, Inc. Used by permission.
 -# Copyright (C) 2022 Red Hat, Inc.
 +# Copyright (C) 2010-2024 Red Hat, Inc.
 # All rights reserved.
 #
 # License: GPL (version 3 or any later version).
 -# See LICENSE for details. 
 +# See LICENSE for details.
 # END COPYRIGHT BLOCK
 #
@@ -218,6 +218,7 @@ my $sslClientFailedCount = 0;
 my $objectclassTopCount= 0;
 my $pagedSearchCount = 0;
 my $invalidFilterCount = 0;
 +my $mfaCount = 0;
 my $bindCount = 0;
 my $filterCount = 0;
 my $baseCount = 0;
@@ -407,7 +408,7 @@ sub statusreport {
 ##########################################
 #                                        #
 #         Parse Access Logs              #
 -#                                        # 
 +#                                        #
 ##########################################
 if ($files[$#files] =~ m/access.rotationinfo/) {
@@ -709,7 +710,7 @@ if($endTime){
 #
 # Get the start time in seconds
 -#  
 +#
 my $logStart = $start;
 my $startTotal = convertTimeToNanoseconds($logStart);
@@ -890,6 +891,7 @@ $etimeAvg = $totalEtime / $etimeCount;
 print sprintf "Average etime (elapsed time):  %.9f\n", $etimeAvg;
 print "\n";
 +print "Multi-factor Authentications:  $mfaCount\n";
 print "Proxied Auth Operations:       $proxiedAuthCount\n";
 print "Persistent Searches:           $persistentSrchCount\n";
 print "Internal Operations:           $internalOpCount\n";
@@ -1758,7 +1760,7 @@ if ($usage =~ /j/i || $verb eq "yes"){
 		$recCount++;
 	}
 	if ($objectclassTopCount > ($srchCount *.25)){
 -		print "\n $recCount.  You have a high number of searches that query the entire search base.  Although this is not necessarily bad, it could be resource intensive if the search base contains many entries.\n"; 
 +		print "\n $recCount.  You have a high number of searches that query the entire search base.  Although this is not necessarily bad, it could be resource intensive if the search base contains many entries.\n";
 		$recCount++;
 	}
 	if ($recCount == 1){
@@ -1792,7 +1794,7 @@ sub displayUsage {
 	print "         -h, --help         help/usage\n";
 	print "         -d, --rootDN       <Directory Managers DN>  default is \"cn=directory manager\"\n";
 -	print "         -D, --data         <Location for temporary data files>  default is \"/tmp\"\n";    
 +	print "         -D, --data         <Location for temporary data files>  default is \"/tmp\"\n";
 	print "         -s, --sizeLimit    <Number of results to return per catagory>  default is 20\n";
 	print "         -X, --excludeIP    <IP address to exclude from connection stats>  E.g. Load balancers\n";
 	print "         -v, --version      show version of tool\n";
@@ -1800,8 +1802,8 @@ sub displayUsage {
 	print "             E.g. \"[28/Mar/2002:13:14:22 -0800]\"\n";
 	print "         -E, --endTime      <time to stop analyzing logfile>\n";
 	print "             E.g. \"[28/Mar/2002:13:24:62 -0800]\"\n";
 -	print "         -m, --reportFileSecs  <CSV output file - per second stats>\n"; 
 -	print "         -M, --reportFileMins  <CSV output file - per minute stats>\n";	
 +	print "         -m, --reportFileSecs  <CSV output file - per second stats>\n";
 +	print "         -M, --reportFileMins  <CSV output file - per minute stats>\n";
 	print "         -B, --bind         <ALL | ANONYMOUS | \"Actual Bind DN\">\n";
 	print "	        -T, --minEtime     <minimum etime to report unindexed searches>\n";
 	print "         -V, --verbose      <enable verbose output - includes all stats listed below>\n";
@@ -2288,6 +2290,9 @@ sub parseLineNormal
 	if (m/ RESULT err=/ && m/ notes=[A-Z,]*P/){
 		$pagedSearchCount++;
 	}
 +	if (m/ RESULT err=/ && m/ notes=[A-Z,]*M/){
 +		$mfaCount++;
 +	}
 	if (m/ RESULT err=/ && m/ notes=[A-Z,]*F/){
 		$invalidFilterCount++;
 		$con = "";
@@ -2318,7 +2323,7 @@ sub parseLineNormal
 			if ($vlvconn[$i] eq $con && $vlvop[$i] eq $op){ $vlvNotesACount++; $isVlvNotes="1";}
 		}
 		if($isVlvNotes == 0){
 -			#  We don't want to record vlv unindexed searches for our regular "bad" 
 +			#  We don't want to record vlv unindexed searches for our regular "bad"
 			#  unindexed search stat, as VLV unindexed searches aren't that bad
 			$unindexedSrchCountNotesA++;
 			if($reportStats){ inc_stats('notesA',$s_stats,$m_stats); }
@@ -2345,7 +2350,7 @@ sub parseLineNormal
 			if ($vlvconn[$i] eq $con && $vlvop[$i] eq $op){ $vlvNotesUCount++; $isVlvNotes="1";}
 		}
 		if($isVlvNotes == 0){
 -			#  We don't want to record vlv unindexed searches for our regular "bad" 
 +			#  We don't want to record vlv unindexed searches for our regular "bad"
 			#  unindexed search stat, as VLV unindexed searches aren't that bad
 			$unindexedSrchCountNotesU++;
 			if($reportStats){ inc_stats('notesU',$s_stats,$m_stats); }
@@ -2586,7 +2591,7 @@ sub parseLineNormal
 		if ($errcode ne "0"){ $errorCount++;}
 		else { $successCount++;}
 	}
 -	if ($_ =~ /etime= *([0-9.]+)/ ) { 
 +	if ($_ =~ /etime= *([0-9.]+)/ ) {
 		my $etime_val = $1;
 		$totalEtime = $totalEtime + $1;
 		$etimeCount++;
@@ -2608,10 +2613,10 @@ sub parseLineNormal
 		if ($reportStats){ inc_stats_val('optime',$optime_val,$s_stats,$m_stats); }
 	}
 	if ($_ =~ / tag=101 / || $_ =~ / tag=111 / || $_ =~ / tag=100 / || $_ =~ / tag=115 /){
 -		if ($_ =~ / nentries= *([0-9]+)/i ){ 
 +		if ($_ =~ / nentries= *([0-9]+)/i ){
 			my $nents = $1;
 -			if ($usage =~ /n/i || $verb eq "yes"){ 
 -				$hashes->{nentries}->{$nents}++; 
 +			if ($usage =~ /n/i || $verb eq "yes"){
 +				$hashes->{nentries}->{$nents}++;
 			}
 		}
 	}
@@ -2621,7 +2626,7 @@ sub parseLineNormal
 	if (m/ EXT oid=/){
 		$extopCount++;
 		my $oid;
 -		if ($_ =~ /oid=\" *([0-9\.]+)/i ){ 
 +		if ($_ =~ /oid=\" *([0-9\.]+)/i ){
 			$oid = $1;
 			if ($usage =~ /x/i || $verb eq "yes"){$hashes->{oid}->{$oid}++; }
 		}
@@ -2921,7 +2926,7 @@ printClients
 	my $IPcount = "1";
 	foreach my $ip ( keys %connList ){   # Loop over all the IP addresses
 -		foreach my $bc (@bindConns){ # Loop over each bind conn number and compare it 
 +		foreach my $bc (@bindConns){ # Loop over each bind conn number and compare it
 			if($connList{$ip} =~ / $bc /){
 				print("        [$IPcount]  $ip\n");
 				$IPcount++;
 diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
 index 4aa905576..2c7bd933b 100644
 --- a/ldap/servers/slapd/log.c
 +++ b/ldap/servers/slapd/log.c
@@ -3892,6 +3892,7 @@ slapi_log_security(Slapi_PBlock *pb, const char *event_type, const char *msg)
     int isroot = 0;
     int rc = 0;
     uint64_t conn_id = 0;
 +    uint32_t operation_notes = 0;
     int32_t op_id = 0;
     json_object *log_json = NULL;
@@ -3916,6 +3917,8 @@ slapi_log_security(Slapi_PBlock *pb, const char *event_type, const char *msg)
     client_ip = pb_conn->c_ipaddr;
     server_ip = pb_conn->c_serveripaddr;
     ldap_version = pb_conn->c_ldapversion;
 +    operation_notes = slapi_pblock_get_operation_notes(pb);
 +
     if (saslmech) {
         external_bind = !strcasecmp(saslmech, LDAP_SASL_EXTERNAL);
     }
@@ -3982,7 +3985,8 @@ slapi_log_security(Slapi_PBlock *pb, const char *event_type, const char *msg)
         break;
     default:
         /* Simple auth */
 -        PR_snprintf(method_and_mech, sizeof(method_and_mech), "SIMPLE");
 +        PR_snprintf(method_and_mech, sizeof(method_and_mech), "%s",
 +                    (operation_notes & SLAPI_OP_NOTE_MFA_AUTH) ? "SIMPLE/MFA" : "SIMPLE");
     }
     /* Get the time */
 diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c
 index 56ba6db8b..97af5a2b8 100644
 --- a/ldap/servers/slapd/result.c
 +++ b/ldap/servers/slapd/result.c
@@ -1946,11 +1946,11 @@ static struct slapi_note_map notemap[] = {
     {SLAPI_OP_NOTE_SIMPLEPAGED, "P", "Paged Search"},
     {SLAPI_OP_NOTE_FULL_UNINDEXED, "A", "Fully Unindexed Filter"},
     {SLAPI_OP_NOTE_FILTER_INVALID, "F", "Filter Element Missing From Schema"},
 +    {SLAPI_OP_NOTE_MFA_AUTH, "M", "Multi-factor Authentication"},
 };
 #define SLAPI_NOTEMAP_COUNT (sizeof(notemap) / sizeof(struct slapi_note_map))
 -
 /*
  * fill buf with a string representation of the bits present in notes.
  *
 diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
 index 4853e143b..12bc1f0aa 100644
 --- a/ldap/servers/slapd/slapi-plugin.h
 +++ b/ldap/servers/slapd/slapi-plugin.h
@@ -7323,6 +7323,7 @@ typedef enum _slapi_op_note_t {
     SLAPI_OP_NOTE_SIMPLEPAGED = 0x02,
     SLAPI_OP_NOTE_FULL_UNINDEXED = 0x04,
     SLAPI_OP_NOTE_FILTER_INVALID = 0x08,
 +    SLAPI_OP_NOTE_MFA_AUTH = 0x10,
 } slapi_op_note_t;
 -- 
 2.44.0
--- a/0003-Issue-6133-Move-slapi_pblock_set_flag_operation_note.patch
+++ b/0003-Issue-6133-Move-slapi_pblock_set_flag_operation_note.patch
@ -1,54 +0,0 @@
 From 189e078f574f586f6cff6f80081eded2c22c8868 Mon Sep 17 00:00:00 2001
 From: Mark Reynolds <mreynolds@redhat.com>
 Date: Tue, 26 Mar 2024 11:19:10 -0400
 Subject: [PATCH 3/3] Issue 6133 - Move slapi_pblock_set_flag_operation_notes()
 to slapi-plugin.h
 Description:
 slapi_pblock_set_flag_operation_notes() is currently only available in slapi-private.h, but with the latest changes at add "notes=M" it needs to be available to plugins.
 relates: https://github.com/389ds/389-ds-base/issues/6133
 Reviewed by: spichugi(Thanks!)
 ---
 ldap/servers/slapd/slapi-plugin.h  | 10 ++++++++++
 ldap/servers/slapd/slapi-private.h |  1 -
 2 files changed, 10 insertions(+), 1 deletion(-)
 diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
 index 12bc1f0aa..5d4af7c20 100644
 --- a/ldap/servers/slapd/slapi-plugin.h
 +++ b/ldap/servers/slapd/slapi-plugin.h
@@ -7326,6 +7326,16 @@ typedef enum _slapi_op_note_t {
     SLAPI_OP_NOTE_MFA_AUTH = 0x10,
 } slapi_op_note_t;
 +/**
 + * Set an operation note on an operation.  This will append a notes keyword
 + * in the access log result line for this operation
 + *
 + * \param pb - The slapi_pblock structure
 + * \param opnotes
 + * \return void
 + */
 +void slapi_pblock_set_operation_notes(Slapi_PBlock *pb, uint32_t opnotes);
 +
 /* Allows controls to be passed before operation object is created */
 #define SLAPI_CONTROLS_ARG 58
 diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
 index 17eedc2de..ee7659ac0 100644
 --- a/ldap/servers/slapd/slapi-private.h
 +++ b/ldap/servers/slapd/slapi-private.h
@@ -1510,7 +1510,6 @@ struct slapi_entry *slapi_pblock_get_pw_entry(Slapi_PBlock *pb);
 void slapi_pblock_set_pw_entry(Slapi_PBlock *pb, struct slapi_entry *entry);
 uint32_t slapi_pblock_get_operation_notes(Slapi_PBlock *pb);
 -void slapi_pblock_set_operation_notes(Slapi_PBlock *pb, uint32_t opnotes);
 void slapi_pblock_set_flag_operation_notes(Slapi_PBlock *pb, uint32_t opflag);
 void slapi_pblock_set_result_text_if_empty(Slapi_PBlock *pb, char *text);
 -- 
 2.44.0
--- a/0003-Issue-6188-Add-nsslapd-haproxy-trusted-ip-to-cn-sche.patch
+++ b/0003-Issue-6188-Add-nsslapd-haproxy-trusted-ip-to-cn-sche.patch
@ -1,31 +0,0 @@
 From 6c7047ad75016a7b767d70813a86b9a7b03ea49b Mon Sep 17 00:00:00 2001
 From: Simon Pichugin <spichugi@redhat.com>
 Date: Wed, 5 Jun 2024 17:24:00 -0700
 Subject: [PATCH] Issue 6188 - Add nsslapd-haproxy-trusted-ip to cn=schema
 (#6201)
 Description: Add HAProxy trusted IP address multi-valued attribute
 to cn=schema in 01core389.ldif
 Related: https://github.com/389ds/389-ds-base/issues/6188
 Reviewed by: @progier389 (Thanks!)
 ---
 ldap/schema/01core389.ldif | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
 index fad8bc2f9..c98e5b34b 100644
 --- a/ldap/schema/01core389.ldif
 +++ b/ldap/schema/01core389.ldif
@@ -331,6 +331,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2390 NAME 'nsds5ReplicaKeepAliveUpdateIn
 attributeTypes: ( 2.16.840.1.113730.3.1.2391 NAME 'dsEntryDN' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFICATION SINGLE-VALUE USAGE directoryOperation X-ORIGIN '389 Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2392 NAME 'nsslapd-return-original-entrydn' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2393 NAME 'nsslapd-auditlog-display-attrs' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
 +attributeTypes: ( 2.16.840.1.113730.3.1.2398 NAME 'nsslapd-haproxy-trusted-ip' DESC '389 Directory Server defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN '389 Directory Server' )
 #
 # objectclasses
 #
 -- 
 2.45.2
--- a/0004-CVE-2024-5953.patch
+++ b/0004-CVE-2024-5953.patch
@ -1,145 +0,0 @@
 From 52a9ee6556a0467f5134fb6392ff1681a38f3252 Mon Sep 17 00:00:00 2001
 From: Pierre Rogier <progier@redhat.com>
 Date: Fri, 14 Jun 2024 13:27:10 +0200
 Subject: [PATCH] CVE-2024-5953
 ---
 .../tests/suites/password/regression_test.py  | 51 ++++++++++++++++++-
 ldap/servers/plugins/pwdstorage/md5_pwd.c     |  9 +++-
 ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c  |  6 +++
 3 files changed, 64 insertions(+), 2 deletions(-)
 diff --git a/dirsrvtests/tests/suites/password/regression_test.py b/dirsrvtests/tests/suites/password/regression_test.py
 index 4876ff435..160d6f01d 100644
 --- a/dirsrvtests/tests/suites/password/regression_test.py
 +++ b/dirsrvtests/tests/suites/password/regression_test.py
@@ -8,11 +8,12 @@
 import pytest
 import time
 import glob
 +import base64
 from lib389._constants import PASSWORD, DN_DM, DEFAULT_SUFFIX
 from lib389._constants import SUFFIX, PASSWORD, DN_DM, DN_CONFIG, PLUGIN_RETRO_CHANGELOG, DEFAULT_SUFFIX, DEFAULT_CHANGELOG_DB, DEFAULT_BENAME
 from lib389 import Entry
 from lib389.topologies import topology_m1 as topo_supplier
 -from lib389.idm.user import UserAccounts
 +from lib389.idm.user import UserAccounts, UserAccount
 from lib389.utils import ldap, os, logging, ensure_bytes, ds_is_newer, ds_supports_new_changelog
 from lib389.topologies import topology_st as topo
 from lib389.idm.organizationalunit import OrganizationalUnits
@@ -40,6 +41,13 @@ TEST_PASSWORDS += ['CNpwtest1ZZZZ', 'ZZZZZCNpwtest1',
 TEST_PASSWORDS2 = (
     'CN12pwtest31', 'SN3pwtest231', 'UID1pwtest123', 'MAIL2pwtest12@redhat.com', '2GN1pwtest123', 'People123')
 +SUPPORTED_SCHEMES = (
 +    "{SHA}", "{SSHA}", "{SHA256}", "{SSHA256}",
 +    "{SHA384}", "{SSHA384}", "{SHA512}", "{SSHA512}",
 +    "{crypt}", "{NS-MTA-MD5}", "{clear}", "{MD5}",
 +    "{SMD5}", "{PBKDF2_SHA256}", "{PBKDF2_SHA512}",
 +    "{GOST_YESCRYPT}", "{PBKDF2-SHA256}", "{PBKDF2-SHA512}" )
 +
 def _check_unhashed_userpw(inst, user_dn, is_present=False):
     """Check if unhashed#user#password attribute is present or not in the changelog"""
     unhashed_pwd_attribute = 'unhashed#user#password'
@@ -319,6 +327,47 @@ def test_unhashed_pw_switch(topo_supplier):
         # Add debugging steps(if any)...
         pass
 +@pytest.mark.parametrize("scheme", SUPPORTED_SCHEMES )
 +def test_long_hashed_password(topo, create_user, scheme):
 +    """Check that hashed password with very long value does not cause trouble
 +
 +    :id: 252a1f76-114b-11ef-8a7a-482ae39447e5
 +    :setup: standalone Instance
 +    :parametrized: yes
 +    :steps:
 +        1. Add a test user user
 +        2. Set a long password with requested scheme
 +        3. Bind on that user using a wrong password
 +        4. Check that instance is still alive
 +        5. Remove the added user
 +    :expectedresults:
 +        1. Success
 +        2. Success
 +        3. Should get ldap.INVALID_CREDENTIALS exception
 +        4. Success
 +        5. Success
 +    """
 +    inst = topo.standalone
 +    inst.simple_bind_s(DN_DM, PASSWORD)
 +    users = UserAccounts(inst, DEFAULT_SUFFIX)
 +    # Make sure that server is started as this test may crash it
 +    inst.start()
 +    # Adding Test user (It may already exists if previous test failed)
 +    user2 = UserAccount(inst, dn='uid=test_user_1002,ou=People,dc=example,dc=com')
 +    if not user2.exists():
 +        user2 = users.create_test_user(uid=1002, gid=2002)
 +    # Setting hashed password
 +    passwd = 'A'*4000
 +    hashed_passwd = scheme.encode('utf-8') + base64.b64encode(passwd.encode('utf-8'))
 +    user2.replace('userpassword', hashed_passwd)
 +    # Bind on that user using a wrong password
 +    with pytest.raises(ldap.INVALID_CREDENTIALS):
 +        conn = user2.bind(PASSWORD)
 +    # Check that instance is still alive
 +    assert inst.status()
 +    # Remove the added user
 +    user2.delete()
 +
 if __name__ == '__main__':
     # Run isolated
 diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c
 index 1e2cf58e7..b9a48d5ca 100644
 --- a/ldap/servers/plugins/pwdstorage/md5_pwd.c
 +++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c
@@ -37,6 +37,7 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
     unsigned char hash_out[MD5_HASH_LEN];
     unsigned char b2a_out[MD5_HASH_LEN * 2]; /* conservative */
     SECItem binary_item;
 +    size_t dbpwd_len = strlen(dbpwd);
     ctx = PK11_CreateDigestContext(SEC_OID_MD5);
     if (ctx == NULL) {
@@ -45,6 +46,12 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
         goto loser;
     }
 +    if (dbpwd_len >= sizeof b2a_out) {
 +        slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
 +                      "The hashed password stored in the user entry is longer than any valid md5 hash");
 +        goto loser;
 +    }
 +
     /* create the hash */
     PK11_DigestBegin(ctx);
     PK11_DigestOp(ctx, (const unsigned char *)userpwd, strlen(userpwd));
@@ -57,7 +64,7 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
     bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item);
     /* bver points to b2a_out upon success */
     if (bver) {
 -        rc = slapi_ct_memcmp(bver, dbpwd, strlen(dbpwd));
 +        rc = slapi_ct_memcmp(bver, dbpwd, dbpwd_len);
     } else {
         slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
                       "Could not base64 encode hashed value for password compare");
 diff --git a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
 index dcac4fcdd..82b8c9501 100644
 --- a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
 +++ b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c
@@ -255,6 +255,12 @@ pbkdf2_sha256_pw_cmp(const char *userpwd, const char *dbpwd)
     passItem.data = (unsigned char *)userpwd;
     passItem.len = strlen(userpwd);
 +    if (pwdstorage_base64_decode_len(dbpwd, dbpwd_len) > sizeof dbhash) {
 +        /* Hashed value is too long and cannot match any value generated by pbkdf2_sha256_hash */
 +        slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to base64 decode dbpwd value. (hashed value is too long)\n");
 +        return result;
 +    }
 +
     /* Decode the DBpwd to bytes from b64 */
     if (PL_Base64Decode(dbpwd, dbpwd_len, dbhash) == NULL) {
         slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Unable to base64 decode dbpwd value\n");
 -- 
 2.44.0
--- a/0005-CVE-2024-6237.patch
+++ b/0005-CVE-2024-6237.patch
@ -1,25 +0,0 @@
 From 323f74c69f84a8482413ecd73cf61d09cfc4a0a1 Mon Sep 17 00:00:00 2001
 From: Thierry Bordaz <tbordaz@redhat.com>
 Date: Mon, 24 Jun 2024 15:51:28 +0200
 Subject: [PATCH] CVE-2024-6237
 ---
 ldap/servers/plugins/syntaxes/inchain.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/ldap/servers/plugins/syntaxes/inchain.c b/ldap/servers/plugins/syntaxes/inchain.c
 index df19c973b..0a6a04e9f 100644
 --- a/ldap/servers/plugins/syntaxes/inchain.c
 +++ b/ldap/servers/plugins/syntaxes/inchain.c
@@ -277,7 +277,7 @@ inchain_values2keys(Slapi_PBlock *pb, Slapi_Value **vals, Slapi_Value ***ivals,
     slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &base_sdn);
     if (! slapi_attr_is_dn_syntax_type(mrTYPE)) {
 -        slapi_log_err(SLAPI_LOG_ERR, "inchain", "Requires distinguishedName syntax. AttributeDescription %s is not distinguishedName\n");
 +        slapi_log_err(SLAPI_LOG_ERR, "inchain", "Requires distinguishedName syntax. AttributeDescription %s is not distinguishedName\n", mrTYPE);
         result = (Slapi_Value **)slapi_ch_calloc(1, sizeof(Slapi_Value *));
         *ivals = result;
         return(0);
 -- 
 2.44.0
--- a/0006-Issue-6227-dsconf-schema-does-not-show-inChain-match.patch
+++ b/0006-Issue-6227-dsconf-schema-does-not-show-inChain-match.patch
@ -1,88 +0,0 @@
 From cf6cdd05b7ddab36a0196d614b7a28b4372cf801 Mon Sep 17 00:00:00 2001
 From: tbordaz <tbordaz@redhat.com>
 Date: Mon, 24 Jun 2024 13:41:35 +0200
 Subject: [PATCH] Issue 6227 - dsconf schema does not show inChain matching
 rule (#6228)
 Bug description:
 	The registered inChain MR does defined any matching rule
 	syntax (mr_syntax).
 	When dsconf reads the matching rules (read_schema_dse)
 	it only reports those which have OID and SYNTAX.
 	As a consequence InChain was not reported.
 Fix description:
 	The syntax defines that assersion syntax that is
 	distinguished name. Add this syntax to the register
 	struct
 relates: #6227
 Reviewed by: Pierre Rogier (Thanks !)
 ---
 .../tests/suites/filter/inchain_test.py       | 19 +++++++++++++++++++
 ldap/servers/plugins/syntaxes/inchain.c       |  4 ++--
 2 files changed, 21 insertions(+), 2 deletions(-)
 diff --git a/dirsrvtests/tests/suites/filter/inchain_test.py b/dirsrvtests/tests/suites/filter/inchain_test.py
 index c650b9374..d1d276edf 100644
 --- a/dirsrvtests/tests/suites/filter/inchain_test.py
 +++ b/dirsrvtests/tests/suites/filter/inchain_test.py
@@ -15,6 +15,7 @@ from lib389._constants import DEFAULT_SUFFIX, PW_DM, PLUGIN_MEMBER_OF
 from lib389.topologies import topology_st as topo
 from lib389.plugins import MemberOfPlugin
 +from lib389.schema import Schema
 from lib389.idm.user import UserAccount, UserAccounts
 from lib389.idm.account import Accounts
 from lib389.idm.account import Anonymous
@@ -812,6 +813,24 @@ def test_invalid_assertion(topo):
     memberof = topo.standalone.search_s(DEFAULT_SUFFIX, SCOPE_SUBTREE, "(member:%s:=%s)" % (INCHAIN_OID, user))
     assert len(memberof) == 0
 +def test_check_dsconf_matchingrule(topo):
 +    """Test that the matching rule 'inchain' is listed by dsconf
 +
 +    :id: b8dd4049-ccec-4316-bc9c-5aa5c5afcfbd
 +    :setup: Standalone Instance
 +    :steps:
 +        1. fetch matching rules from the schema
 +        2. Checks that matching rules contains inchaineMatch matching rule
 +    :expectedresults:
 +        1. Success
 +        2. Success
 +    """
 +    schema = Schema(topo.standalone)
 +    mrs = [ f"{mr.oid} {mr.names[0]}" for mr in schema.get_matchingrules() if len(mr.names) > 0 ]
 +    for mr in mrs:
 +        log.info("retrieved matching rules are: %s", mr)
 +    assert '1.2.840.113556.1.4.1941 inchainMatch' in mrs
 +
 if __name__ == "__main__":
     CURRENT_FILE = os.path.realpath(__file__)
     pytest.main("-s -v %s" % CURRENT_FILE)
 diff --git a/ldap/servers/plugins/syntaxes/inchain.c b/ldap/servers/plugins/syntaxes/inchain.c
 index 52d0c4994..df19c973b 100644
 --- a/ldap/servers/plugins/syntaxes/inchain.c
 +++ b/ldap/servers/plugins/syntaxes/inchain.c
@@ -38,7 +38,7 @@ static char *names[] = {"inchain", "inchain", LDAP_MATCHING_RULE_IN_CHAIN_OID, 0
 static Slapi_PluginDesc pdesc = {"inchain-matching-rule", VENDOR, DS_PACKAGE_VERSION,
                                  "inchain matching rule plugin"};
 -static const char *inchainMatch_names[] = {"inchainMatch", "1.2.840.113556.1.4.1941", NULL};
 +static const char *inchainMatch_names[] = {"inchainMatch", LDAP_MATCHING_RULE_IN_CHAIN_OID, NULL};
 static struct mr_plugin_def mr_plugin_table[] = {
     {
@@ -64,7 +64,7 @@ static struct mr_plugin_def mr_plugin_table[] = {
             "the AVA comparisons evaluate to Undefined and the remaining AVA "
             "comparisons return TRUE then the distinguishedNameMatch rule "
             "evaluates to Undefined.",
 -            NULL,
 +            DN_SYNTAX_OID,
             0,
             NULL /* dn only for now */
         },       /* matching rule desc */
 -- 
 2.45.2
--- a/389-ds-base.spec
+++ b/389-ds-base.spec
@ -46,8 +46,8 @@ ExcludeArch: i686
 Summary:          389 Directory Server (base)
 Name:             389-ds-base
-Version:          2.5.1
+Version:          2.5.2
-Release:          2%{?dist}
+Release:          1%{?dist}
 License:          GPL-3.0-or-later AND (0BSD OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (CC-BY-4.0 AND MIT) AND (MIT OR Apache-2.0) AND Unicode-DFS-2016 AND (MIT OR CC0-1.0) AND (MIT OR Unlicense) AND 0BSD AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND ISC AND MIT AND MIT AND ISC AND MPL-2.0 AND PSF-2.0
 URL:              https://www.port389.org
 Conflicts:        selinux-policy-base < 3.9.8
@ -58,53 +58,53 @@ Obsoletes:        %{name}-legacy-tools-debuginfo < 1.4.4.6
 Provides:         ldif2ldbm >= 0
 ##### Bundled cargo crates list - START #####
-Provides:  bundled(crate(addr2line)) = 0.21.0
+Provides:  bundled(crate(addr2line)) = 0.22.0
 Provides:  bundled(crate(adler)) = 1.0.2
 Provides:  bundled(crate(ahash)) = 0.7.8
 Provides:  bundled(crate(atty)) = 0.2.14
 Provides:  bundled(crate(autocfg)) = 1.3.0
-Provides:  bundled(crate(backtrace)) = 0.3.71
+Provides:  bundled(crate(backtrace)) = 0.3.73
 Provides:  bundled(crate(base64)) = 0.13.1
-Provides:  bundled(crate(bitflags)) = 2.5.0
+Provides:  bundled(crate(bitflags)) = 2.6.0
 Provides:  bundled(crate(byteorder)) = 1.5.0
 Provides:  bundled(crate(cbindgen)) = 0.26.0
-Provides:  bundled(crate(cc)) = 1.0.97
+Provides:  bundled(crate(cc)) = 1.1.7
 Provides:  bundled(crate(cfg-if)) = 1.0.0
 Provides:  bundled(crate(clap)) = 3.2.25
 Provides:  bundled(crate(clap_lex)) = 0.2.4
 Provides:  bundled(crate(concread)) = 0.2.21
 Provides:  bundled(crate(crossbeam)) = 0.8.4
-Provides:  bundled(crate(crossbeam-channel)) = 0.5.12
+Provides:  bundled(crate(crossbeam-channel)) = 0.5.13
 Provides:  bundled(crate(crossbeam-deque)) = 0.8.5
 Provides:  bundled(crate(crossbeam-epoch)) = 0.9.18
 Provides:  bundled(crate(crossbeam-queue)) = 0.3.11
-Provides:  bundled(crate(crossbeam-utils)) = 0.8.19
+Provides:  bundled(crate(crossbeam-utils)) = 0.8.20
-Provides:  bundled(crate(errno)) = 0.3.8
+Provides:  bundled(crate(errno)) = 0.3.9
 Provides:  bundled(crate(fastrand)) = 2.1.0
 Provides:  bundled(crate(fernet)) = 0.1.4
 Provides:  bundled(crate(foreign-types)) = 0.3.2
 Provides:  bundled(crate(foreign-types-shared)) = 0.1.1
 Provides:  bundled(crate(getrandom)) = 0.2.15
-Provides:  bundled(crate(gimli)) = 0.28.1
+Provides:  bundled(crate(gimli)) = 0.29.0
 Provides:  bundled(crate(hashbrown)) = 0.12.3
 Provides:  bundled(crate(heck)) = 0.4.1
 Provides:  bundled(crate(hermit-abi)) = 0.1.19
 Provides:  bundled(crate(indexmap)) = 1.9.3
-Provides:  bundled(crate(instant)) = 0.1.12
+Provides:  bundled(crate(instant)) = 0.1.13
 Provides:  bundled(crate(itoa)) = 1.0.11
-Provides:  bundled(crate(jobserver)) = 0.1.31
+Provides:  bundled(crate(jobserver)) = 0.1.32
-Provides:  bundled(crate(libc)) = 0.2.154
+Provides:  bundled(crate(libc)) = 0.2.155
-Provides:  bundled(crate(linux-raw-sys)) = 0.4.13
+Provides:  bundled(crate(linux-raw-sys)) = 0.4.14
 Provides:  bundled(crate(lock_api)) = 0.4.12
-Provides:  bundled(crate(log)) = 0.4.21
+Provides:  bundled(crate(log)) = 0.4.22
 Provides:  bundled(crate(lru)) = 0.7.8
-Provides:  bundled(crate(memchr)) = 2.7.2
+Provides:  bundled(crate(memchr)) = 2.7.4
-Provides:  bundled(crate(miniz_oxide)) = 0.7.2
+Provides:  bundled(crate(miniz_oxide)) = 0.7.4
-Provides:  bundled(crate(object)) = 0.32.2
+Provides:  bundled(crate(object)) = 0.36.2
 Provides:  bundled(crate(once_cell)) = 1.19.0
-Provides:  bundled(crate(openssl)) = 0.10.64
+Provides:  bundled(crate(openssl)) = 0.10.66
 Provides:  bundled(crate(openssl-macros)) = 0.1.1
-Provides:  bundled(crate(openssl-sys)) = 0.9.102
+Provides:  bundled(crate(openssl-sys)) = 0.9.103
 Provides:  bundled(crate(os_str_bytes)) = 6.6.1
 Provides:  bundled(crate(parking_lot)) = 0.11.2
 Provides:  bundled(crate(parking_lot_core)) = 0.8.6
@ -112,9 +112,9 @@ Provides:  bundled(crate(paste)) = 0.1.18
 Provides:  bundled(crate(paste-impl)) = 0.1.18
 Provides:  bundled(crate(pin-project-lite)) = 0.2.14
 Provides:  bundled(crate(pkg-config)) = 0.3.30
-Provides:  bundled(crate(ppv-lite86)) = 0.2.17
+Provides:  bundled(crate(ppv-lite86)) = 0.2.18
 Provides:  bundled(crate(proc-macro-hack)) = 0.5.20+deprecated
-Provides:  bundled(crate(proc-macro2)) = 1.0.82
+Provides:  bundled(crate(proc-macro2)) = 1.0.86
 Provides:  bundled(crate(quote)) = 1.0.36
 Provides:  bundled(crate(rand)) = 0.8.5
 Provides:  bundled(crate(rand_chacha)) = 0.3.1
@ -124,38 +124,40 @@ Provides:  bundled(crate(rustc-demangle)) = 0.1.24
 Provides:  bundled(crate(rustix)) = 0.38.34
 Provides:  bundled(crate(ryu)) = 1.0.18
 Provides:  bundled(crate(scopeguard)) = 1.2.0
-Provides:  bundled(crate(serde)) = 1.0.201
+Provides:  bundled(crate(serde)) = 1.0.204
-Provides:  bundled(crate(serde_derive)) = 1.0.201
+Provides:  bundled(crate(serde_derive)) = 1.0.204
-Provides:  bundled(crate(serde_json)) = 1.0.117
+Provides:  bundled(crate(serde_json)) = 1.0.121
 Provides:  bundled(crate(smallvec)) = 1.13.2
 Provides:  bundled(crate(strsim)) = 0.10.0
-Provides:  bundled(crate(syn)) = 2.0.61
+Provides:  bundled(crate(syn)) = 2.0.72
 Provides:  bundled(crate(tempfile)) = 3.10.1
 Provides:  bundled(crate(termcolor)) = 1.4.1
 Provides:  bundled(crate(textwrap)) = 0.16.1
-Provides:  bundled(crate(tokio)) = 1.37.0
+Provides:  bundled(crate(tokio)) = 1.39.2
-Provides:  bundled(crate(tokio-macros)) = 2.2.0
+Provides:  bundled(crate(tokio-macros)) = 2.4.0
 Provides:  bundled(crate(toml)) = 0.5.11
 Provides:  bundled(crate(unicode-ident)) = 1.0.12
 Provides:  bundled(crate(uuid)) = 0.8.2
 Provides:  bundled(crate(vcpkg)) = 0.2.15
-Provides:  bundled(crate(version_check)) = 0.9.4
+Provides:  bundled(crate(version_check)) = 0.9.5
 Provides:  bundled(crate(wasi)) = 0.11.0+wasi_snapshot_preview1
 Provides:  bundled(crate(winapi)) = 0.3.9
 Provides:  bundled(crate(winapi-i686-pc-windows-gnu)) = 0.4.0
 Provides:  bundled(crate(winapi-util)) = 0.1.8
 Provides:  bundled(crate(winapi-x86_64-pc-windows-gnu)) = 0.4.0
 Provides:  bundled(crate(windows-sys)) = 0.52.0
-Provides:  bundled(crate(windows-targets)) = 0.52.5
+Provides:  bundled(crate(windows-targets)) = 0.52.6
-Provides:  bundled(crate(windows_aarch64_gnullvm)) = 0.52.5
+Provides:  bundled(crate(windows_aarch64_gnullvm)) = 0.52.6
-Provides:  bundled(crate(windows_aarch64_msvc)) = 0.52.5
+Provides:  bundled(crate(windows_aarch64_msvc)) = 0.52.6
-Provides:  bundled(crate(windows_i686_gnu)) = 0.52.5
+Provides:  bundled(crate(windows_i686_gnu)) = 0.52.6
-Provides:  bundled(crate(windows_i686_gnullvm)) = 0.52.5
+Provides:  bundled(crate(windows_i686_gnullvm)) = 0.52.6
-Provides:  bundled(crate(windows_i686_msvc)) = 0.52.5
+Provides:  bundled(crate(windows_i686_msvc)) = 0.52.6
-Provides:  bundled(crate(windows_x86_64_gnu)) = 0.52.5
+Provides:  bundled(crate(windows_x86_64_gnu)) = 0.52.6
-Provides:  bundled(crate(windows_x86_64_gnullvm)) = 0.52.5
+Provides:  bundled(crate(windows_x86_64_gnullvm)) = 0.52.6
-Provides:  bundled(crate(windows_x86_64_msvc)) = 0.52.5
+Provides:  bundled(crate(windows_x86_64_msvc)) = 0.52.6
-Provides:  bundled(crate(zeroize)) = 1.7.0
+Provides:  bundled(crate(zerocopy)) = 0.6.6
 Provides:  bundled(crate(zerocopy-derive)) = 0.6.6
 Provides:  bundled(crate(zeroize)) = 1.8.1
 Provides:  bundled(crate(zeroize_derive)) = 1.4.2
 Provides:  bundled(npm(@aashutoshrathi/word-wrap)) = 1.2.6
 Provides:  bundled(npm(@eslint-community/eslint-utils)) = 4.4.0
@ -466,12 +468,6 @@ Source2:          %{name}-devel.README
 Source3:          https://github.com/jemalloc/%{jemalloc_name}/releases/download/%{jemalloc_ver}/%{jemalloc_name}-%{jemalloc_ver}.tar.bz2
 %endif
 Source4:          389-ds-base.sysusers
 Patch01:          0001-CVE-2024-3657.patch
 Patch02:          0002-CVE-2024-2199.patch
 Patch03:          0003-Issue-6188-Add-nsslapd-haproxy-trusted-ip-to-cn-sche.patch
 Patch04:          0004-CVE-2024-5953.patch
 Patch05:          0005-CVE-2024-6237.patch
 Patch06:          0006-Issue-6227-dsconf-schema-does-not-show-inChain-match.patch
 %description
@ -915,6 +911,18 @@ exit 0
 %endif
 %changelog
 * Mon Aug 12 2024 Viktor Ashirov <vashirov@redhat.com> - 2.5.2-1
 - Bump version to 2.5.2-1
 - Resolves: RHEL-5108 - ns-slapd crash in referint_get_config
 - Resolves: RHEL-5113 - nsslapd-numlisteners limit is not enforced
 - Resolves: RHEL-5115 - `dscreate ds-root` accepts relative path
 - Resolves: RHEL-5131 - ldif2db can be very slow
 - Resolves: RHEL-5138 - Logconv.pl CSV file contains mismatched header and data columns
 - Resolves: RHEL-14760 - ns-slapd crash in vlvIndex_delete
 - Resolves: RHEL-17511 - nsslapd-idletimeout is ignored
 - Resolves: RHEL-49454 - perf search result investigation for many large static groups and members
 - Resolves: RHEL-49458 - subsuffix are not returned in one level scoped search
 * Tue Jul 09 2024 James Chapman <jachapma@redhat.com> - 2.5.1-2
 - Bump version to 2.5.1-2
 - Resolves: RHEL-44324 - unauthenticated user can trigger a DoS by sending a specific extended search request
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 SHA512 (jemalloc-5.3.0.tar.bz2) = 22907bb052096e2caffb6e4e23548aecc5cc9283dce476896a2b1127eee64170e3562fa2e7db9571298814a7a2c7df6e8d1fbe152bd3f3b0c1abec22a2de34b1
-SHA512 (389-ds-base-2.5.1.tar.bz2) = bb3c9b4f08787deccc70a653520438b386f8b45d69ab3a755ed67c6b2896fb1727a8710643e042d68af5126b3183ee6cd501816f476541566bad0727c99de36c
+SHA512 (389-ds-base-2.5.2.tar.bz2) = 20c4208c165b9a2778293f8e3111c9713775d2488e1a5adecaa5a49381768d371ba696a504f5bdac4c513579944f86111f0033818c75b7dd95f7212f7a2f1b47
`@ -1,2 +1,2 @@`
	`SHA512 (jemalloc-5.3.0.tar.bz2) = 22907bb052096e2caffb6e4e23548aecc5cc9283dce476896a2b1127eee64170e3562fa2e7db9571298814a7a2c7df6e8d1fbe152bd3f3b0c1abec22a2de34b1`	`SHA512 (jemalloc-5.3.0.tar.bz2) = 22907bb052096e2caffb6e4e23548aecc5cc9283dce476896a2b1127eee64170e3562fa2e7db9571298814a7a2c7df6e8d1fbe152bd3f3b0c1abec22a2de34b1`
	`SHA512 (389-ds-base-2.5.1.tar.bz2) = bb3c9b4f08787deccc70a653520438b386f8b45d69ab3a755ed67c6b2896fb1727a8710643e042d68af5126b3183ee6cd501816f476541566bad0727c99de36c`	`SHA512 (389-ds-base-2.5.2.tar.bz2) = 20c4208c165b9a2778293f8e3111c9713775d2488e1a5adecaa5a49381768d371ba696a504f5bdac4c513579944f86111f0033818c75b7dd95f7212f7a2f1b47`