diff --git a/0135-ipa-graceperiod-fix-memory-leaks.patch b/0135-ipa-graceperiod-fix-memory-leaks.patch
new file mode 100644
index 0000000..aca2951
--- /dev/null
+++ b/0135-ipa-graceperiod-fix-memory-leaks.patch
@@ -0,0 +1,41 @@
+From 15170f11de1a8cf9eccf9eef761f46e5f2c8fb7d Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Sat, 8 Nov 2025 00:40:42 +0100
+Subject: [PATCH] ipa-graceperiod: fix memory leaks
+
+Direct return of invalid grace limit bypassed cleanup code.
+`tmpstr` variable was not freed in all code paths.
+
+Related: https://pagure.io/freeipa/issue/9895
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
+---
+ daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+index 7a2d4f2aaea677d1fb3553fe49e6aa17c3e7a38c..bb8559e3e4c665b3aedc0d5ce66f4b9a6bb64bfe 100644
+--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
++++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
+@@ -448,7 +448,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
+         goto done;
+     } else if (grace_limit < -1) {
+         LOG_FATAL("Invalid passwordGraceLimit value %ld\n", grace_limit);
+-        return LDAP_OPERATIONS_ERROR;
++        ret = LDAP_OPERATIONS_ERROR;
++        goto done;
+     }
+ 
+     grace_user_time = slapi_entry_attr_get_int(target_entry, "passwordGraceUserTime");
+@@ -500,6 +501,7 @@ done:
+         slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags);
+     }
+     if (sdn) slapi_sdn_free(&sdn);
++    slapi_ch_free_string(&tmpstr);
+ 
+     LOG("preop returning %d: %s\n", ret, errstr ? errstr : "success\n");
+ 
+-- 
+2.52.0
+
diff --git a/0136-ipa-lockout-fix-memory-leaks.patch b/0136-ipa-lockout-fix-memory-leaks.patch
new file mode 100644
index 0000000..eecdcaf
--- /dev/null
+++ b/0136-ipa-lockout-fix-memory-leaks.patch
@@ -0,0 +1,38 @@
+From a7587b78b4c2c46e2ec9612903b10b75e3adf973 Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Sat, 8 Nov 2025 00:44:35 +0100
+Subject: [PATCH] ipa-lockout: fix memory leaks
+
+Move cleanup of `unlock_time` to `done` label to ensure cleanup in all code paths.
+
+Related: https://pagure.io/freeipa/issue/9895
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
+---
+ daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+index ecb6d6df52b7e3c2239884e173c8498e651dff34..5142c79bcfcfa985a35d45f689a7c1d1ad3f4feb 100644
+--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
++++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+@@ -813,7 +813,6 @@ static int ipalockout_preop(Slapi_PBlock *pb)
+                 goto done;
+             }
+         }
+-        slapi_ch_free_string(&unlock_time);
+     }
+ 
+     max_fail = slapi_entry_attr_get_uint(policy_entry, "krbPwdMaxFailure");
+@@ -840,6 +839,7 @@ static int ipalockout_preop(Slapi_PBlock *pb)
+ 
+ done:
+     if (lastfail) slapi_ch_free_string(&lastfail);
++    if (unlock_time) slapi_ch_free_string(&unlock_time);
+     slapi_entry_free(target_entry);
+     slapi_entry_free(policy_entry);
+     if (values != NULL) {
+-- 
+2.52.0
+
diff --git a/0137-ipa-pwd-extop-fix-memory-leaks.patch b/0137-ipa-pwd-extop-fix-memory-leaks.patch
new file mode 100644
index 0000000..8199566
--- /dev/null
+++ b/0137-ipa-pwd-extop-fix-memory-leaks.patch
@@ -0,0 +1,75 @@
+From 2f32a199b443ede395e9f5f252a4e88394729766 Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Sat, 8 Nov 2025 00:46:35 +0100
+Subject: [PATCH] ipa-pwd-extop: fix memory leaks
+
+`cur_pw` was allocated but not freed after password validation.
+`principal_expire` was allocated but not freed in all code paths.
+
+Related: https://pagure.io/freeipa/issue/9895
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
+---
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 1 +
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c       | 5 +++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+index ca48a12a68ffeca8dcb3f0ed46d789973aab2192..b2aa1c05fef6ccc6b1dfa583c00eba8a02f9cf2b 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+@@ -485,6 +485,7 @@ parse_req_done:
+ 
+             slapi_value_free(&cpw[0]);
+             slapi_value_free(&pw);
++            slapi_ch_free_string(&cur_pw);
+ 
+             if (ret != 0) {
+                 LOG_TRACE("Invalid password for '%s'!\n", dn);
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+index 0fdb7840bbe3d800270f60c58c1438a2d8267ba2..9e376efaf75643326c327d5594fbe1339ab63369 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+@@ -1516,6 +1516,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+ 
+             if (current_time > expire_time && expire_time > 0) {
+                 LOG_FATAL("kerberos principal in %s is expired\n", dn);
++                slapi_ch_free_string(&principal_expire);
+                 slapi_entry_free(entry);
+                 slapi_sdn_free(&sdn);
+                 slapi_send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
+@@ -1535,6 +1536,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+         if (ret != 0) {
+             LOG_FATAL("ipapwd_gen_checks failed for '%s': %s\n",
+                       slapi_sdn_get_dn(sdn), errMesg);
++            slapi_ch_free_string(&principal_expire);
+             slapi_entry_free(entry);
+             slapi_sdn_free(&sdn);
+             return 0;
+@@ -1591,6 +1593,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+     /* Authenticate the user. */
+     ret = ipapwd_authenticate(dn, entry, credentials);
+     if (ret) {
++        slapi_ch_free_string(&principal_expire);
+         slapi_entry_free(entry);
+         slapi_sdn_free(&sdn);
+         return 0;
+@@ -1614,12 +1617,14 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+     }
+ #endif
+ 
++    slapi_ch_free_string(&principal_expire);
+     slapi_entry_free(entry);
+     slapi_sdn_free(&sdn);
+     return 0;
+ 
+ invalid_creds:
+     free_ipapwd_krbcfg(&krbcfg);
++    slapi_ch_free_string(&principal_expire);
+     slapi_entry_free(entry);
+     slapi_sdn_free(&sdn);
+     slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
+-- 
+2.52.0
+
diff --git a/0138-ipa-sidgen-fix-memory-leaks.patch b/0138-ipa-sidgen-fix-memory-leaks.patch
new file mode 100644
index 0000000..1b9518a
--- /dev/null
+++ b/0138-ipa-sidgen-fix-memory-leaks.patch
@@ -0,0 +1,91 @@
+From e13bd8ca5414b7396a1550ebe9e77f605be6ee48 Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Sat, 8 Nov 2025 00:48:33 +0100
+Subject: [PATCH] ipa-sidgen: fix memory leaks
+
+In various code paths the `ctx` structure was freed, but not
+`ctx->base_dn` which may have been allocated.
+
+`sid` was duplicated, but the original memory was never freed.
+
+Related: https://pagure.io/freeipa/issue/9895
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
+---
+ daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c        | 9 ++++++++-
+ daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h        | 2 +-
+ daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c | 3 ++-
+ 3 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
+index 35ecef228d7fac1e7009dbf97983089755aa6768..9c6354e014b55e92c6580720bca18b9b1843f7c5 100644
+--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
+@@ -66,6 +66,8 @@ static int ipa_sidgen_close(Slapi_PBlock *pb)
+     if (ret == 0) {
+         free_ranges(&ctx->ranges);
+         slapi_ch_free_string(&ctx->dom_sid);
++        slapi_ch_free_string(&ctx->base_dn);
++        free(ctx);
+     } else {
+         LOG_FATAL("Missing private plugin context.\n");
+     }
+@@ -202,7 +204,10 @@ static int ipa_sidgen_init_ctx(Slapi_PBlock *pb, struct ipa_sidgen_ctx **_ctx)
+ 
+ done:
+     if (ret != 0) {
+-        free(ctx);
++        if (ctx) {
++            slapi_ch_free_string(&ctx->base_dn);
++            free(ctx);
++        }
+     } else {
+         *_ctx = ctx;
+     }
+@@ -235,6 +240,8 @@ int ipa_sidgen_init(Slapi_PBlock *pb)
+                          (void *) ipa_sidgen_add_post_op) != 0 ||
+         slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, ctx) != 0) {
+         LOG_FATAL("failed to register plugin\n");
++        slapi_ch_free_string(&ctx->base_dn);
++        free(ctx);
+         ret = EFAIL;
+     }
+ 
+diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
+index aec862796a8364de84e26fbca96a270a8fb508fc..fbae87e4d8ae71d9956b7ab97711cdc78f7dc506 100644
+--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
+@@ -74,7 +74,7 @@ struct range_info {
+ 
+ struct ipa_sidgen_ctx {
+     Slapi_ComponentId *plugin_id;
+-    const char *base_dn;
++    char *base_dn;
+     char *dom_sid;
+     struct range_info **ranges;
+ };
+diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
+index 13f4de5416606df1911f14f60ab1af1a8ba0184b..b26c2df52b200be682bd8d39763c5303e9f2afc4 100644
+--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
+@@ -51,7 +51,7 @@ int get_dom_sid(Slapi_ComponentId *plugin_id, const char *base_dn, char **_sid)
+     int search_result;
+     Slapi_Entry **search_entries = NULL;
+     int ret;
+-    const char *sid;
++    char *sid = NULL;
+ 
+     search_pb = slapi_pblock_new();
+     if (search_pb == NULL) {
+@@ -114,6 +114,7 @@ int get_dom_sid(Slapi_ComponentId *plugin_id, const char *base_dn, char **_sid)
+     ret = 0;
+ 
+ done:
++    slapi_ch_free_string(&sid);
+     slapi_free_search_results_internal(search_pb);
+     slapi_pblock_destroy(search_pb);
+ 
+-- 
+2.52.0
+
diff --git a/0139-ipa-range-check-fix-memory-leak.patch b/0139-ipa-range-check-fix-memory-leak.patch
new file mode 100644
index 0000000..2514547
--- /dev/null
+++ b/0139-ipa-range-check-fix-memory-leak.patch
@@ -0,0 +1,70 @@
+From 0fc7c49f4805fa4633b4b816d6edb35633bd975d Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Sat, 8 Nov 2025 00:57:49 +0100
+Subject: [PATCH] ipa-range-check: fix memory leak
+
+`ipa_range_check_close` function didn't do any cleanup.
+The `ctx` structure was freed, but not `ctx->base_dn` which may have
+been allocated.
+
+Related: https://pagure.io/freeipa/issue/9895
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
+---
+ .../ipa-range-check/ipa_range_check.c          | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
+index 5b53a2fe58e1ad0ad6067ea75287f023402bb1c4..37840cd4716741d4d3584a1cac4f447a4a733f9f 100644
+--- a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
++++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
+@@ -76,7 +76,7 @@ Slapi_PluginDesc ipa_range_check_plugin_desc = {
+ 
+ struct ipa_range_check_ctx {
+     Slapi_ComponentId *plugin_id;
+-    const char *base_dn;
++    char *base_dn;
+ };
+ 
+ typedef enum {
+@@ -469,6 +469,15 @@ static int ipa_range_check_start(Slapi_PBlock *pb)
+ 
+ static int ipa_range_check_close(Slapi_PBlock *pb)
+ {
++    int ret;
++    struct ipa_range_check_ctx *ctx;
++
++    ret = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &ctx);
++    if (ret == 0 && ctx != NULL) {
++        slapi_ch_free_string(&ctx->base_dn);
++        free(ctx);
++    }
++
+     return 0;
+ }
+ 
+@@ -752,7 +761,10 @@ static int ipa_range_check_init_ctx(Slapi_PBlock *pb,
+ 
+ done:
+     if (ret != 0) {
+-        free(ctx);
++        if (ctx) {
++            slapi_ch_free_string(&ctx->base_dn);
++            free(ctx);
++        }
+     } else {
+         *_ctx = ctx;
+     }
+@@ -787,6 +799,8 @@ int ipa_range_check_init(Slapi_PBlock *pb)
+                          (void *) ipa_range_check_add_pre_op) != 0 ||
+         slapi_pblock_set(pb, SLAPI_PLUGIN_PRIVATE, rc_ctx) != 0) {
+         LOG_FATAL("failed to register plugin\n");
++        slapi_ch_free_string(&rc_ctx->base_dn);
++        free(rc_ctx);
+         ret = EFAIL;
+     }
+ 
+-- 
+2.52.0
+
diff --git a/0140-ipa-extdom-extop-fix-memory-leaks.patch b/0140-ipa-extdom-extop-fix-memory-leaks.patch
new file mode 100644
index 0000000..8840bce
--- /dev/null
+++ b/0140-ipa-extdom-extop-fix-memory-leaks.patch
@@ -0,0 +1,94 @@
+From c1e1ff6121640d6a07d8c17edd5f15713649182e Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Sat, 8 Nov 2025 00:59:58 +0100
+Subject: [PATCH] ipa-extdom-extop: fix memory leaks
+
+In various code paths the `ctx` structure was freed, but not `ctx`
+resources (`base_dn`, `nss_ctx`, `extdom_instance_counter`) which may
+have been allocated.
+
+Plugin didn't have SLAPI_PLUGIN_CLOSE_FN registered, so context was
+never freed on server shutdown.
+
+Related: https://pagure.io/freeipa/issue/9895
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
+---
+ .../ipa-extdom-extop/ipa_extdom_extop.c       | 39 ++++++++++++++++++-
+ 1 file changed, 38 insertions(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
+index 5d22f9f2d5a107cc265c9d257bdf20918cb74333..a180e3307ce1e9d6b9fb4569c909526f41c01c3d 100644
+--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
+@@ -171,6 +171,26 @@ static int ipa_extdom_start(Slapi_PBlock *pb)
+     return LDAP_SUCCESS;
+ }
+ 
++static int ipa_extdom_close(Slapi_PBlock *pb)
++{
++    int ret;
++    struct ipa_extdom_ctx *ctx;
++
++    ret = slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &ctx);
++    if (ret == 0 && ctx != NULL) {
++        if (ctx->extdom_instance_counter) {
++            slapi_counter_destroy(&ctx->extdom_instance_counter);
++        }
++        if (ctx->nss_ctx) {
++            back_extdom_free_context(&ctx->nss_ctx);
++        }
++        slapi_ch_free_string(&ctx->base_dn);
++        free(ctx);
++    }
++
++    return 0;
++}
++
+ static int ipa_extdom_extop(Slapi_PBlock *pb)
+ {
+     char *oid = NULL;
+@@ -360,7 +380,16 @@ static int ipa_extdom_init_ctx(Slapi_PBlock *pb, struct ipa_extdom_ctx **_ctx)
+ 
+ done:
+     if (ret) {
+-        free(ctx);
++        if (ctx) {
++            if (ctx->extdom_instance_counter) {
++                slapi_counter_destroy(&ctx->extdom_instance_counter);
++            }
++            if (ctx->nss_ctx) {
++                back_extdom_free_context(&ctx->nss_ctx);
++            }
++            slapi_ch_free_string(&ctx->base_dn);
++            free(ctx);
++        }
+     } else {
+         *_ctx = ctx;
+     }
+@@ -388,6 +417,10 @@ int ipa_extdom_init(Slapi_PBlock *pb)
+         ret = slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN,
+                                (void *)ipa_extdom_start);
+     }
++    if (!ret) {
++        ret = slapi_pblock_set(pb, SLAPI_PLUGIN_CLOSE_FN,
++                               (void *)ipa_extdom_close);
++    }
+     if (!ret) {
+         ret = slapi_pblock_set(pb, SLAPI_PLUGIN_EXT_OP_OIDLIST,
+                                ipa_extdom_oid_list);
+@@ -405,6 +438,10 @@ int ipa_extdom_init(Slapi_PBlock *pb)
+     }
+     if (ret) {
+         LOG("Failed to set plug-in version, function, and OID.\n" );
++        slapi_counter_destroy(&extdom_ctx->extdom_instance_counter);
++        back_extdom_free_context(&extdom_ctx->nss_ctx);
++        slapi_ch_free_string(&extdom_ctx->base_dn);
++        free(extdom_ctx);
+         return -1;
+     }
+ 
+-- 
+2.52.0
+
diff --git a/0141-ipa-enrollment-fix-memory-leaks.patch b/0141-ipa-enrollment-fix-memory-leaks.patch
new file mode 100644
index 0000000..fc33326
--- /dev/null
+++ b/0141-ipa-enrollment-fix-memory-leaks.patch
@@ -0,0 +1,45 @@
+From c3c4eeaa81c75cdd04d74d7407c0b7103ac7558e Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Sat, 8 Nov 2025 01:03:52 +0100
+Subject: [PATCH] ipa-enrollment: fix memory leaks
+
+`smods`, `fqdn`, `sdn` were not freed.
+
+Related: https://pagure.io/freeipa/issue/9895
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
+---
+ daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+index b72ad5ef1c81997d89b2f94528da516b5df3d285..3a70dd0a5594fc623e7e808ab8a734349a748a49 100644
+--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
++++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+@@ -137,7 +137,7 @@ ipa_join(Slapi_PBlock *pb)
+     int is_root=0;
+     char *krbLastPwdChange = NULL;
+     char *fqdn = NULL;
+-    Slapi_Mods *smods;
++    Slapi_Mods *smods = NULL;
+     char *attrlist[] = {"fqdn", "krbPrincipalKey", "krbLastPwdChange", "krbPrincipalName", NULL };
+     char * filter;
+ 
+@@ -329,8 +329,13 @@ free_and_return:
+     if (pbtm) {
+         slapi_pblock_destroy(pbtm);
+     }
++    if (smods) {
++        slapi_mods_free(&smods);
++    }
+ 
+     if (krbLastPwdChange) slapi_ch_free_string(&krbLastPwdChange);
++    if (fqdn) slapi_ch_free_string(&fqdn);
++    if (sdn) slapi_sdn_free(&sdn);
+ 
+     LOG("%s", errMesg ? errMesg : "success\n");
+     slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
+-- 
+2.52.0
+
diff --git a/0142-topology-fix-memory-leaks.patch b/0142-topology-fix-memory-leaks.patch
new file mode 100644
index 0000000..002d613
--- /dev/null
+++ b/0142-topology-fix-memory-leaks.patch
@@ -0,0 +1,51 @@
+From 98ad3653ca853932e2c754315540ba18a09c495c Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Sat, 8 Nov 2025 01:05:15 +0100
+Subject: [PATCH] topology: fix memory leaks
+
+`agmt_attr_val`, `targetHost` and internal search results pblock were
+not freed.
+
+Related: https://pagure.io/freeipa/issue/9895
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
+---
+ daemons/ipa-slapi-plugins/topology/topology_util.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-slapi-plugins/topology/topology_util.c b/daemons/ipa-slapi-plugins/topology/topology_util.c
+index 3f9bf137fdcd398e12dfa7bfbcd9ccde3d773c99..cd3e70910d54bb4f1853ef68ea98d69f2f97ba7e 100644
+--- a/daemons/ipa-slapi-plugins/topology/topology_util.c
++++ b/daemons/ipa-slapi-plugins/topology/topology_util.c
+@@ -678,6 +678,7 @@ ipa_topo_util_update_agmt_list(TopoReplica *conf, TopoReplicaSegmentList *repl_s
+                                               mattrs[i],
+                                               segm_attr_val);
+                     }
++                    slapi_ch_free_string(&agmt_attr_val);
+ 
+                 }
+             }
+@@ -711,10 +712,10 @@ ipa_topo_util_update_agmt_list(TopoReplica *conf, TopoReplicaSegmentList *repl_s
+                 ipa_topo_cfg_segment_set_visited(conf, topo_segm);
+             }
+         }
++        slapi_ch_free_string(&targetHost);
+ 
+         repl_agmt = entries[++nentries];
+     }
+-    slapi_free_search_results_internal(pb);
+ 
+ update_only:
+     /* check if segments not covered by agreement exist
+@@ -724,6 +725,7 @@ update_only:
+                                     ipa_topo_get_plugin_hostname());
+ 
+ error_return:
++    slapi_free_search_results_internal(pb);
+     slapi_ch_free_string(&filter);
+     slapi_pblock_destroy(pb);
+     return rc;
+-- 
+2.52.0
+
diff --git a/0143-ipa-pwd-extop-free-krbcfg-in-all-exit-paths.patch b/0143-ipa-pwd-extop-free-krbcfg-in-all-exit-paths.patch
new file mode 100644
index 0000000..01e5032
--- /dev/null
+++ b/0143-ipa-pwd-extop-free-krbcfg-in-all-exit-paths.patch
@@ -0,0 +1,46 @@
+From 99625ed5df97f0921e6c6e03dbfec21aa0488ea9 Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Wed, 19 Nov 2025 22:23:54 +0100
+Subject: [PATCH] ipa-pwd-extop: free krbcfg in all exit paths
+
+Add `free_ipapwd_krbcfg()` calls.
+
+Related: https://pagure.io/freeipa/issue/9895
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
+---
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+index 9e376efaf75643326c327d5594fbe1339ab63369..70f0d7fcc8b8e8966022d5acd7a5089f010100eb 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+@@ -1536,6 +1536,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+         if (ret != 0) {
+             LOG_FATAL("ipapwd_gen_checks failed for '%s': %s\n",
+                       slapi_sdn_get_dn(sdn), errMesg);
++            free_ipapwd_krbcfg(&krbcfg);
+             slapi_ch_free_string(&principal_expire);
+             slapi_entry_free(entry);
+             slapi_sdn_free(&sdn);
+@@ -1593,6 +1594,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+     /* Authenticate the user. */
+     ret = ipapwd_authenticate(dn, entry, credentials);
+     if (ret) {
++        free_ipapwd_krbcfg(&krbcfg);
+         slapi_ch_free_string(&principal_expire);
+         slapi_entry_free(entry);
+         slapi_sdn_free(&sdn);
+@@ -1617,6 +1619,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+     }
+ #endif
+ 
++    free_ipapwd_krbcfg(&krbcfg);
+     slapi_ch_free_string(&principal_expire);
+     slapi_entry_free(entry);
+     slapi_sdn_free(&sdn);
+-- 
+2.52.0
+
diff --git a/0144-ipa-pwd-extop-fix-memory-leaks.patch b/0144-ipa-pwd-extop-fix-memory-leaks.patch
new file mode 100644
index 0000000..9f7e312
--- /dev/null
+++ b/0144-ipa-pwd-extop-fix-memory-leaks.patch
@@ -0,0 +1,43 @@
+From 859990a0b0a3694ee99db398a0ec513e4a02d5de Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Fri, 28 Nov 2025 12:19:05 +0100
+Subject: [PATCH] ipa-pwd-extop: fix memory leaks
+
+In `ipapwd_set_extradata` free `xdata` after it's not longer needed.  It
+was leaked because `slapi_value_new_berval()` makes a copy of the data.
+
+In `ipapwd_free_slapi_value_array` free `svals` (caller's pointer)
+instead of `sv` (local pointer).
+
+Related: https://pagure.io/freeipa/issue/9895
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
+---
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+index 114d20417d053ad7e822bd474eedf794b2c316d6..de60d4e7bf1b8f0e313e5883041d3e28c09022b9 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+@@ -1107,6 +1107,7 @@ int ipapwd_set_extradata(const char *dn,
+ 
+     slapi_value_free(&va[0]);
+     slapi_mods_free(&smods);
++    free(xdata);
+ 
+     return ret;
+ }
+@@ -1121,7 +1122,7 @@ void ipapwd_free_slapi_value_array(Slapi_Value ***svals)
+         }
+     }
+ 
+-    slapi_ch_free((void **)sv);
++    slapi_ch_free((void **)svals);
+ }
+ 
+ void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg)
+-- 
+2.52.0
+
diff --git a/0145-ipa-pwd-extop-fix-memory-leaks-of-bind-DN.patch b/0145-ipa-pwd-extop-fix-memory-leaks-of-bind-DN.patch
new file mode 100644
index 0000000..c5d6121
--- /dev/null
+++ b/0145-ipa-pwd-extop-fix-memory-leaks-of-bind-DN.patch
@@ -0,0 +1,51 @@
+From efd6cc2bd9002c927823880eb77fab66cfb0e6a2 Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Thu, 11 Dec 2025 10:08:35 +0100
+Subject: [PATCH] ipa-pwd-extop: fix memory leaks of bind DN
+
+In `ipapwd_chpwop()`, `ipapwd_setkeytab()`, and `ipapwd_getkeytab()`
+functions, `bindDN`/`bind_dn` is obtained via `slapi_pblock_get()` with
+SLAPI_CONN_DN which returns an allocated string. This string was never
+freed in the cleanup sections of these functions.
+
+Add `slapi_ch_free_string()` calls for the bind DN variables in the
+`free_and_return` sections of all three functions.
+
+Related: https://pagure.io/freeipa/issue/9895
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+index b2aa1c05fef6ccc6b1dfa583c00eba8a02f9cf2b..b50e4d5ca1e8fe89d5f67e22618415469eb5e4b5 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+@@ -650,6 +650,7 @@ free_and_return:
+ 		}
+ 		slapi_pblock_destroy(chpwop_pb);
+ 	}
++	slapi_ch_free_string(&bindDN);
+ 	slapi_ch_free_string(&oldPasswd);
+ 	slapi_ch_free_string(&newPasswd);
+ 	/* Either this is the same pointer that we allocated and set above,
+@@ -1372,6 +1373,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
+ 
+ 	/* Free anything that we allocated above */
+ free_and_return:
++	slapi_ch_free_string(&bindDN);
+ 	free(serviceName);
+ 	if (kset) ipapwd_keyset_free(&kset);
+ 
+@@ -1790,6 +1792,7 @@ free_and_return:
+     slapi_send_ldap_result(pb, rc, NULL, err_msg, 0, NULL);
+ 
+     /* Free anything that we allocated above */
++    slapi_ch_free_string(&bind_dn);
+     if (krbctx) krb5_free_context(krbctx);
+     free(kenctypes);
+     free(service_name);
+-- 
+2.52.0
+
diff --git a/0146-ipa-pwd-extop-fix-memory-leaks-in-ipapwd_pre_add.patch b/0146-ipa-pwd-extop-fix-memory-leaks-in-ipapwd_pre_add.patch
new file mode 100644
index 0000000..9718597
--- /dev/null
+++ b/0146-ipa-pwd-extop-fix-memory-leaks-in-ipapwd_pre_add.patch
@@ -0,0 +1,61 @@
+From 52cf968dc91b557215c303e354bd770f52222390 Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Thu, 11 Dec 2025 11:09:34 +0100
+Subject: [PATCH] ipa-pwd-extop: fix memory leaks in `ipapwd_pre_add()`
+
+In `ipapwd_pre_add()`, when processing password from entry extension,
+`userpw` was reassigned without freeing the previous value.
+Additionally, `enabled` obtained from `ipapwd_getIpaConfigAttr()` was
+never freed, and early returns bypassed the cleanup section causing
+memory leaks.
+
+Free `userpw` before reassigning it.
+Free `enabled` after use.
+Replace early `return 0` statements with `goto done` to ensure proper
+cleanup of all allocated resources.
+
+Related: https://pagure.io/freeipa/issue/9895
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+index 70f0d7fcc8b8e8966022d5acd7a5089f010100eb..b0162c49cd4db9684085c62ada4c30daf657b2e2 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+@@ -291,6 +291,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
+                                   slapi_sdn_get_dn(sdn), errMesg);
+                     goto done;
+                 }
++                slapi_ch_free_string(&userpw);
+                 userpw = slapi_ch_strdup(userpw_clear);
+             }
+ 
+@@ -302,8 +303,11 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
+                 if (NULL == enabled) {
+                     LOG("no ipaMigrationEnabled in config, assuming FALSE\n");
+                 } else if (0 == strcmp(enabled, "TRUE")) {
+-                    return 0;
++                    slapi_ch_free_string(&enabled);
++                    rc = LDAP_SUCCESS;
++                    goto done;
+                 }
++                slapi_ch_free_string(&enabled);
+ 
+                 /* With User Life Cycle, it could be a stage user that is activated.
+                  * The userPassword and krb keys were set while the user was a stage user.
+@@ -315,7 +319,8 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
+                     LOG("User Life Cycle: %s is a activated stage user "
+                         "(with prehashed password and krb keys)\n",
+                         sdn ? slapi_sdn_get_dn(sdn) : "unknown");
+-                    return 0;
++                    rc = LDAP_SUCCESS;
++                    goto done;
+                 }
+ 
+                 LOG("pre-hashed passwords are not valid\n");
+-- 
+2.52.0
+
diff --git a/0147-ipa-pwd-extop-fix-bind-DN-memory-leaks-in-pre-op-han.patch b/0147-ipa-pwd-extop-fix-bind-DN-memory-leaks-in-pre-op-han.patch
new file mode 100644
index 0000000..8b3119e
--- /dev/null
+++ b/0147-ipa-pwd-extop-fix-bind-DN-memory-leaks-in-pre-op-han.patch
@@ -0,0 +1,42 @@
+From c98a006be077c944612a69545463f1d8a66e8b92 Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Thu, 11 Dec 2025 12:02:33 +0100
+Subject: [PATCH] ipa-pwd-extop: fix bind DN memory leaks in pre-op handlers
+
+In `ipapwd_pre_add()` and `ipapwd_pre_mod()`, `binddn` is obtained via
+`slapi_pblock_get()` with SLAPI_CONN_DN which returns an allocated
+string. This string was never freed after use.
+
+Add `slapi_ch_free_string(&binddn)` calls after the bind DN is no longer
+needed in both functions.
+
+Related: https://pagure.io/freeipa/issue/9895
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+index b0162c49cd4db9684085c62ada4c30daf657b2e2..8f8d0a0929105869d9df15339d8c447d890f92bf 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+@@ -379,6 +379,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
+                 break;
+             }
+         }
++        slapi_ch_free_string(&binddn);
+     }
+ 
+     pwdop->pwdata.dn = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
+@@ -880,6 +881,7 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
+ 
+         slapi_sdn_free(&bdn);
+         slapi_sdn_free(&tdn);
++        slapi_ch_free_string(&binddn);
+     }
+ 
+     pwdop->pwdata.dn = slapi_ch_strdup(slapi_sdn_get_dn(sdn));
+-- 
+2.52.0
+
diff --git a/0148-ipa-pwd-extop-fix-NT-hash-string-memory-leak.patch b/0148-ipa-pwd-extop-fix-NT-hash-string-memory-leak.patch
new file mode 100644
index 0000000..d3458ef
--- /dev/null
+++ b/0148-ipa-pwd-extop-fix-NT-hash-string-memory-leak.patch
@@ -0,0 +1,82 @@
+From 301cada8a1b5e7e5ad2c91111f51ef0649932eee Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Thu, 11 Dec 2025 13:13:45 +0100
+Subject: [PATCH] ipa-pwd-extop: fix NT hash string memory leak
+
+In `ipapwd_pre_add()` and `ipapwd_pre_mod()`, the `nt` string returned
+by `ipapwd_gen_hashes()` was only freed when `is_smb` was true.  When NT
+hashes are generated for `is_ipant` entries but `is_smb` is false, the
+`nt` string was leaked.
+
+Free `nt`, `ntvals` and `svals` unconditionally.
+
+Fix the error path in `ipapwd_pre_add()` where `nt` and `ntvals` were
+leaked when `slapi_entry_attr_replace_sv()` failed for `svals`.
+
+Related: https://pagure.io/freeipa/issue/9895
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+index 8f8d0a0929105869d9df15339d8c447d890f92bf..58f6926fe4f9894bc17f5ef34b02b5652cbb477f 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+@@ -422,22 +422,23 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
+                 LOG_FATAL("failed to set encoded values in entry\n");
+                 rc = LDAP_OPERATIONS_ERROR;
+                 ipapwd_free_slapi_value_array(&svals);
++                slapi_ch_free_string(&nt);
++                ipapwd_free_slapi_value_array(&ntvals);
+                 goto done;
+             }
+-
+-            ipapwd_free_slapi_value_array(&svals);
+         }
++        ipapwd_free_slapi_value_array(&svals);
+ 
+         if (nt && is_smb) {
+             /* set value */
+             slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt);
+-            slapi_ch_free_string(&nt);
+         }
++        slapi_ch_free_string(&nt);
+ 
+         if (ntvals && is_ipant) {
+             slapi_entry_attr_replace_sv(e, "ipaNTHash", ntvals);
+-            ipapwd_free_slapi_value_array(&ntvals);
+         }
++        ipapwd_free_slapi_value_array(&ntvals);
+ 
+         if (is_smb) {
+             /* with samba integration we need to also set sambaPwdLastSet or
+@@ -921,21 +922,21 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
+             /* replace values */
+             slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE,
+                                       "krbPrincipalKey", svals);
+-            ipapwd_free_slapi_value_array(&svals);
+         }
++        ipapwd_free_slapi_value_array(&svals);
+ 
+         if (nt && is_smb) {
+             /* replace value */
+             slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
+                                   "sambaNTPassword", nt);
+-            slapi_ch_free_string(&nt);
+         }
++        slapi_ch_free_string(&nt);
+ 
+         if (ntvals && is_ipant) {
+             slapi_mods_add_mod_values(smods, LDAP_MOD_REPLACE,
+                                       "ipaNTHash", ntvals);
+-            ipapwd_free_slapi_value_array(&ntvals);
+         }
++        ipapwd_free_slapi_value_array(&ntvals);
+ 
+         if (is_smb) {
+             /* with samba integration we need to also set sambaPwdLastSet or
+-- 
+2.52.0
+
diff --git a/0149-ipa-pwd-extop-fix-password-history-values-memory-lea.patch b/0149-ipa-pwd-extop-fix-password-history-values-memory-lea.patch
new file mode 100644
index 0000000..c397d74
--- /dev/null
+++ b/0149-ipa-pwd-extop-fix-password-history-values-memory-lea.patch
@@ -0,0 +1,44 @@
+From aa4a3fbd89ddbe2eecb3063a042fd815e6dd49d8 Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Thu, 11 Dec 2025 14:34:47 +0100
+Subject: [PATCH] ipa-pwd-extop: fix password history values memory leak
+
+In `ipapwd_post_modadd()`, the `pwvals` array returned by
+`ipapwd_setPasswordHistory()` was passed to `slapi_mods_add_mod_values()`
+but never freed. The `slapi_mods_add_mod_values()` function makes a copy
+of the values, so the original array still needs to be freed.
+
+Add `ipapwd_free_slapi_value_array()` call in the cleanup section to
+free the array.
+
+Related: https://pagure.io/freeipa/issue/9895
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+index 58f6926fe4f9894bc17f5ef34b02b5652cbb477f..68281868f18c257ab4058fc743f5d67c8f0604f3 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+@@ -1080,7 +1080,7 @@ static int ipapwd_post_modadd(Slapi_PBlock *pb)
+     void *op;
+     struct ipapwd_operation *pwdop = NULL;
+     Slapi_Mods *smods;
+-    Slapi_Value **pwvals;
++    Slapi_Value **pwvals = NULL;
+     int ret;
+     char *errMsg = "Internal operations error\n";
+     struct ipapwd_krbcfg *krbcfg = NULL;
+@@ -1210,6 +1210,7 @@ done:
+     slapi_mods_free(&smods);
+     slapi_ch_free_string(&principal);
+     free_ipapwd_krbcfg(&krbcfg);
++    ipapwd_free_slapi_value_array(&pwvals);
+     return 0;
+ }
+ 
+-- 
+2.52.0
+
diff --git a/0150-ipa-pwd-extop-fix-memory-leaks-in-ipapwd_gen_hashes-.patch b/0150-ipa-pwd-extop-fix-memory-leaks-in-ipapwd_gen_hashes-.patch
new file mode 100644
index 0000000..f628b14
--- /dev/null
+++ b/0150-ipa-pwd-extop-fix-memory-leaks-in-ipapwd_gen_hashes-.patch
@@ -0,0 +1,41 @@
+From 343c9a8ab8f5dd6af4217bf5cd66a2f5f9dcbbbd Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Thu, 11 Dec 2025 15:45:27 +0100
+Subject: [PATCH] ipa-pwd-extop: fix memory leaks in `ipapwd_gen_hashes()`
+ error path
+
+In `ipapwd_gen_hashes()`, when an error occurred after allocating output
+parameters, `*ntvals` was freed but `*nthash` was not.
+
+Add `slapi_ch_free_string(nthash)` to the error cleanup section.
+
+Related: https://pagure.io/freeipa/issue/9895
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
+index 43ae6f0a645c8f3ff0fa2d147891f93efff0eb20..dd73c1f335733c314be8ff08b9d5982130cc75ff 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
+@@ -220,6 +220,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
+ 
+     *svals = NULL;
+     *nthash = NULL;
++    *ntvals = NULL;
+     *errMesg = NULL;
+ 
+     if (is_krb) {
+@@ -282,6 +283,7 @@ done:
+     if (rc) {
+         ipapwd_free_slapi_value_array(svals);
+         ipapwd_free_slapi_value_array(ntvals);
++        slapi_ch_free_string(nthash);
+     }
+ 
+     return rc;
+-- 
+2.52.0
+
diff --git a/0151-ipa-pwd-extop-fix-valueset-memory-leak-in-ipapwd_get.patch b/0151-ipa-pwd-extop-fix-valueset-memory-leak-in-ipapwd_get.patch
new file mode 100644
index 0000000..85cc697
--- /dev/null
+++ b/0151-ipa-pwd-extop-fix-valueset-memory-leak-in-ipapwd_get.patch
@@ -0,0 +1,35 @@
+From 40217032aa201313f8bdfcb22abe0088749574f1 Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Thu, 11 Dec 2025 16:16:02 +0100
+Subject: [PATCH] ipa-pwd-extop: fix valueset memory leak in
+ `ipapwd_get_cur_kvno()`
+
+In `ipapwd_get_cur_kvno()`, the `Slapi_ValueSet` obtained via
+`slapi_attr_get_valueset()` was never freed. This function returns a
+copy of the valueset that must be freed by the caller using
+`slapi_valueset_free()`.
+
+Add `slapi_valueset_free(svs)` before returning from the function.
+
+Related: https://pagure.io/freeipa/issue/9895
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+index de60d4e7bf1b8f0e313e5883041d3e28c09022b9..7179b1dc3847df5c2cd88065a5bfa66d886daa14 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+@@ -786,6 +786,7 @@ next:
+         hint = slapi_valueset_next_value(svs, hint, &sv);
+     }
+ 
++    slapi_valueset_free(svs);
+     return kvno;
+ }
+ 
+-- 
+2.52.0
+
diff --git a/0152-ipa-pwd-extop-Don-t-manipulate-the-config-if-not-ret.patch b/0152-ipa-pwd-extop-Don-t-manipulate-the-config-if-not-ret.patch
new file mode 100644
index 0000000..aae7d03
--- /dev/null
+++ b/0152-ipa-pwd-extop-Don-t-manipulate-the-config-if-not-ret.patch
@@ -0,0 +1,41 @@
+From 53e568b8c5b0cd82568863cf582054244bf734d3 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Tue, 6 Jan 2026 14:44:50 -0500
+Subject: [PATCH] ipa-pwd-extop: Don't manipulate the config if not retrieved
+
+There is a non-zero chance that the Kerberos configuration can't
+be retrieved. If this fails it should report an error which will
+likely fail the operation but otherwise allow the server to
+remain running.
+
+A flag was added to not allow the Master key to be returned
+but since this manipulates *config and that is NULL...SEGV.
+
+Add a goto to skip that block in the case of failure.
+
+Credit to Viktor Ashirov for identifying the fix. All I did
+was write up the patch.
+
+Fixes: https://pagure.io/freeipa/issue/9914
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+index 7179b1dc3847df5c2cd88065a5bfa66d886daa14..0e69f3410737ea1787e611846f1a8801239f4d2f 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+@@ -585,6 +585,7 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg,
+         LOG_FATAL("Error Retrieving Master Key\n");
+         *errMesg = "Fatal Internal Error";
+         rc = LDAP_OPERATIONS_ERROR;
++        goto done;
+     }
+ 
+     /* do not return the master key if asked */
+-- 
+2.52.0
+
diff --git a/0153-ipatests-fix-kdcproxy-tests-against-AD.patch b/0153-ipatests-fix-kdcproxy-tests-against-AD.patch
new file mode 100644
index 0000000..0312580
--- /dev/null
+++ b/0153-ipatests-fix-kdcproxy-tests-against-AD.patch
@@ -0,0 +1,34 @@
+From 368da4f4f5e4d05aecf149a5773d8d0b4f28ff92 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Tue, 18 Nov 2025 11:17:27 +0100
+Subject: [PATCH] ipatests: fix kdcproxy tests against AD
+
+In recent kdcproxy commit 1773f28eeea72ec6efcd433d3b66595c44d1253f, the
+use of DNS discovery has been restricted to declared realms in order to
+mitigate CVE-2025-59088. The present commit update the
+TestHttpKdcProxy::test_ad_user_login_on_client_with_kdcproxy test to
+take this change into account.
+
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipatests/test_integration/test_http_kdc_proxy.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_http_kdc_proxy.py b/ipatests/test_integration/test_http_kdc_proxy.py
+index b5906bc4bf8de7000d2b8ec582cbacf6e2e05be0..d48a5dd953d58a002fe7247d98e27c82a72b6626 100644
+--- a/ipatests/test_integration/test_http_kdc_proxy.py
++++ b/ipatests/test_integration/test_http_kdc_proxy.py
+@@ -131,8 +131,8 @@ class TestHttpKdcProxy(IntegrationTest):
+         with tasks.remote_ini_file(self.master, paths.KDCPROXY_CONFIG) as conf:
+             conf.set('global', 'use_dns', 'true')
+             conf.set('global', 'configs', 'mit')
++            conf.add_section(self.ad.domain.realm)
+             if use_tcp:
+-                conf.add_section(self.ad.domain.realm)
+                 conf.set(self.ad.domain.realm, 'kerberos',
+                          'kerberos+tcp://{}:88'.format(self.ad.hostname))
+                 conf.set(self.ad.domain.realm, 'kpasswd',
+-- 
+2.52.0
+
diff --git a/0154-ipatests-add-extensions-to-server-certificates-for-C.patch b/0154-ipatests-add-extensions-to-server-certificates-for-C.patch
new file mode 100644
index 0000000..f745807
--- /dev/null
+++ b/0154-ipatests-add-extensions-to-server-certificates-for-C.patch
@@ -0,0 +1,81 @@
+From 8cfafeffd1ad5266b35a7eb796976e873278f500 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 14 May 2025 10:44:26 +0200
+Subject: [PATCH] ipatests: add extensions to server certificates for CAless
+ mode
+
+When installing the server in CA less mode, the tests generate
+server certificates but some extensions were missing.
+
+Generate server cert with an Authority Key Identifier extension
+using the CA's subject key identifier.
+
+Without this extension, replica installation fails with
+    certificate verify failed: Missing Authority Key Identifier
+in the step fetching the DM password from the server.
+
+Add KeyUsage and Extended Key Usage.
+
+Fixes: https://pagure.io/freeipa/issue/9787
+Related: https://github.com/dogtagpki/pki/issues/5051
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ .../integration/create_caless_pki.py          | 34 +++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+diff --git a/ipatests/pytest_ipa/integration/create_caless_pki.py b/ipatests/pytest_ipa/integration/create_caless_pki.py
+index 71d804c339cc71bc14e1f819639852e32b54c098..d06f1dd8c328628bd692c2abf3acfc88ba6a7408 100644
+--- a/ipatests/pytest_ipa/integration/create_caless_pki.py
++++ b/ipatests/pytest_ipa/integration/create_caless_pki.py
+@@ -199,6 +199,20 @@ def profile_server(builder, ca_nick, ca,
+             critical=False,
+         )
+ 
++    if ca:
++        try:
++            ski_ext = ca.cert.extensions.get_extension_for_class(
++                x509.SubjectKeyIdentifier)
++            builder = builder.add_extension(
++                x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
++                    ski_ext.value
++                ),
++                critical=False,
++            )
++        except x509.ExtensionNotFound:
++            # if the CA doesn't have a SKI, just ignore
++            pass
++
+     if badusage:
+         builder = builder.add_extension(
+             x509.KeyUsage(
+@@ -214,6 +228,26 @@ def profile_server(builder, ca_nick, ca,
+             ),
+             critical=False
+         )
++    else:
++        builder = builder.add_extension(
++            x509.KeyUsage(
++                digital_signature=True,
++                content_commitment=False,
++                key_encipherment=True,
++                data_encipherment=True,
++                key_agreement=False,
++                key_cert_sign=False,
++                crl_sign=False,
++                encipher_only=False,
++                decipher_only=False
++            ),
++            critical=False
++        )
++
++    builder = builder.add_extension(
++        x509.ExtendedKeyUsage([x509.ObjectIdentifier('1.3.6.1.5.5.7.3.1')]),
++        critical=False,
++    )
+ 
+     if wildcard:
+         names = [x509.DNSName(u'*.' + domain)]
+-- 
+2.52.0
+
diff --git a/0155-ipa-join-initialize-pointer.patch b/0155-ipa-join-initialize-pointer.patch
new file mode 100644
index 0000000..310a396
--- /dev/null
+++ b/0155-ipa-join-initialize-pointer.patch
@@ -0,0 +1,47 @@
+From 0f691463c379861ca5be88f99d02a313941a39d3 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 4 Feb 2026 09:21:14 +0100
+Subject: [PATCH] ipa-join: initialize pointer
+
+OpenScanHub detected an uninitialized pointer in ipa_join:
+Slapi_DN *sdn;
+...
+if (sdn) slapi_sdn_free(&sdn);
+
+Initialize to NULL
+Also initialize Slapi_Backend *be=NULL and char * filter=NULL
+to avoid potential issues.
+
+Fixes: https://pagure.io/freeipa/issue/9936
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+---
+ daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+index 3a70dd0a5594fc623e7e808ab8a734349a748a49..2f8923e10310a8a6e19ac701070d6451915c3be3 100644
+--- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
++++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
+@@ -129,8 +129,8 @@ ipa_join(Slapi_PBlock *pb)
+     Slapi_PBlock *pbte = NULL;
+     Slapi_PBlock *pbtm = NULL;
+     Slapi_Entry *targetEntry=NULL;
+-    Slapi_DN *sdn;
+-    Slapi_Backend *be;
++    Slapi_DN *sdn=NULL;
++    Slapi_Backend *be=NULL;
+     Slapi_Entry **es = NULL;
+     int rc=0, ret=0, res;
+     size_t i;
+@@ -139,7 +139,7 @@ ipa_join(Slapi_PBlock *pb)
+     char *fqdn = NULL;
+     Slapi_Mods *smods = NULL;
+     char *attrlist[] = {"fqdn", "krbPrincipalKey", "krbLastPwdChange", "krbPrincipalName", NULL };
+-    char * filter;
++    char * filter=NULL;
+ 
+     int scope = LDAP_SCOPE_SUBTREE;
+     char *principal = NULL;
+-- 
+2.52.0
+
diff --git a/freeipa.spec b/freeipa.spec
index 2dd53f0..d893646 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -231,7 +231,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        24%{?rc_version:.%rc_version}%{?dist}.1
+Release:        24%{?rc_version:.%rc_version}.0.1%{?dist}.2
 Summary:        The Identity, Policy and Audit system
 
 License:        GPL-3.0-or-later
@@ -395,6 +395,27 @@ Patch0131:      0131-dns-disable-all-previous-Unbound-configuration-befor.patch
 Patch0132:      0132-Enforce-uniqueness-across-krbprincipalname-and-krbca.patch
 Patch0133:      0133-ipa-kdb-enforce-PAC-presence-on-TGT-for-TGS-REQ.patch
 Patch0134:      0134-ipatests-extend-test-for-unique-krbcanonicalname.patch
+Patch0135:      0135-ipa-graceperiod-fix-memory-leaks.patch
+Patch0136:      0136-ipa-lockout-fix-memory-leaks.patch
+Patch0137:      0137-ipa-pwd-extop-fix-memory-leaks.patch
+Patch0138:      0138-ipa-sidgen-fix-memory-leaks.patch
+Patch0139:      0139-ipa-range-check-fix-memory-leak.patch
+Patch0140:      0140-ipa-extdom-extop-fix-memory-leaks.patch
+Patch0141:      0141-ipa-enrollment-fix-memory-leaks.patch
+Patch0142:      0142-topology-fix-memory-leaks.patch
+Patch0143:      0143-ipa-pwd-extop-free-krbcfg-in-all-exit-paths.patch
+Patch0144:      0144-ipa-pwd-extop-fix-memory-leaks.patch
+Patch0145:      0145-ipa-pwd-extop-fix-memory-leaks-of-bind-DN.patch
+Patch0146:      0146-ipa-pwd-extop-fix-memory-leaks-in-ipapwd_pre_add.patch
+Patch0147:      0147-ipa-pwd-extop-fix-bind-DN-memory-leaks-in-pre-op-han.patch
+Patch0148:      0148-ipa-pwd-extop-fix-NT-hash-string-memory-leak.patch
+Patch0149:      0149-ipa-pwd-extop-fix-password-history-values-memory-lea.patch
+Patch0150:      0150-ipa-pwd-extop-fix-memory-leaks-in-ipapwd_gen_hashes-.patch
+Patch0151:      0151-ipa-pwd-extop-fix-valueset-memory-leak-in-ipapwd_get.patch
+Patch0152:      0152-ipa-pwd-extop-Don-t-manipulate-the-config-if-not-ret.patch
+Patch0153:      0153-ipatests-fix-kdcproxy-tests-against-AD.patch
+Patch0154:      0154-ipatests-add-extensions-to-server-certificates-for-C.patch
+Patch0155:      0155-ipa-join-initialize-pointer.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -728,6 +749,7 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= %{httpd_version}
 Requires: systemd-units >= %{systemd_version}
+Requires: bind >= %{bind_version}
 %if 0%{?rhel} >= 8 && ! 0%{?eln}
 Requires: system-logos-ipa >= 80.4
 %endif
@@ -1208,7 +1230,8 @@ autoreconf -ivf
            %{enable_server_option} \
            %{with_ipatests_option} \
            %{with_ipa_join_xml_option} \
-           %{linter_options}
+           %{linter_options} \
+           --with-ipaplatform=rhel
 
 # run build in default dir
 # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
@@ -2057,6 +2080,16 @@ fi
 %endif
 
 %changelog
+* Wed Mar 18 2026 EL Errata <el-errata_ww@oracle.com> - 4.12.2-24.0.1.el10_1.2
+- Set IPAPLATFORM=rhel when build on Oracle Linux [Orabug: 29516674]
+- Add bind to ipa-server-common Requires [Orabug: 36518596]
+
+* Thu Feb 05 2026 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-24.2
+- Resolves: RHEL-141303 AddressSanitizer: SEGV ipa-pwd-extop/common.c:584 in ipapwd_gen_checks
+- Resolves: RHEL-141317 Memory leaks in IPA plugins
+- Resolves: RHEL-129968 Fix ipatests for kdcproxy after CVE-2025-59088 fix
+- Resolves: RHEL-107483 ipa-ca-install fails on CA-less replica due to inadequate key usage in master certificate
+
 * Tue Sep 30 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-24.1
 - Resolves: RHEL-118447 CVE-2025-7493 ipa: Privilege escalation from host to domain admin in FreeIPA