389-ds-base - Debian Package Tracker

general

source: 389-ds-base (main)
version: 3.1.2+vendor1-2
maintainer: Debian FreeIPA Team (archive) (DMD)
uploaders: Timo Aaltonen [DMD]
arch: all any
std-ver: 4.6.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.4.4.11-2
o-o-sec: 1.4.4.11-2+deb11u1
oldstable: 2.3.1+dfsg1-1+deb12u1
stable: 3.1.2+dfsg1-1
unstable: 3.1.2+vendor1-2

versioned links

1.4.4.11-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.4.4.11-2+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.3.1+dfsg1-1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.1.2+dfsg1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.1.2+vendor1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

389-ds (1 bugs: 0, 1, 0, 0)
389-ds-base (4 bugs: 0, 4, 0, 0)
389-ds-base-dev
389-ds-base-libs
cockpit-389-ds (2 bugs: 1, 1, 0, 0)
python3-lib389

action needed

A new upstream version is available: 3.2.0 high

A new upstream version 3.2.0 is available, you should consider packaging it.

Created: 2025-11-26 Last update: 2026-04-25 16:30

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2025-14905: A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file. This occurs because the code incorrectly calculates the buffer size by summing alias string lengths without accounting for additional formatting characters. When a large number of aliases are processed, this oversight can lead to a heap overflow, potentially allowing a remote attacker to cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE).

Created: 2026-02-24 Last update: 2026-04-20 10:30

6 security issues in bullseye high

There are 6 open security issues in bullseye.

1 important issue:

CVE-2025-14905: A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file. This occurs because the code incorrectly calculates the buffer size by summing alias string lengths without accounting for additional formatting characters. When a large number of aliases are processed, this oversight can lead to a heap overflow, potentially allowing a remote attacker to cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE).

4 issues postponed or untriaged:

CVE-2023-1055: (needs triaging) A flaw was found in RHDS 11 and RHDS 12. While browsing entries LDAP tries to decode the userPassword attribute instead of the userCertificate attribute which could lead into sensitive information leaked. An attacker with a local account where the cockpit-389-ds is running can list the processes and display the hashed passwords. The highest threat from this vulnerability is to data confidentiality.
CVE-2024-1062: (needs triaging) A heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr.
CVE-2024-6237: (postponed; to be fixed through a stable update) A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service.
CVE-2025-2487: (postponed; to be fixed through a stable update) A flaw was found in the 389-ds-base LDAP Server. This issue occurs when issuing a Modify DN LDAP operation through the ldap protocol, when the function return value is not tested and a NULL pointer is dereferenced. If a privileged user performs a ldap MODDN operation after a failed operation, it could lead to a Denial of Service (DoS) or system crash.

1 ignored issue:

CVE-2022-1949: An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.

Created: 2026-02-24 Last update: 2026-04-20 10:30

5 security issues in bookworm high

There are 5 open security issues in bookworm.

1 important issue:

CVE-2025-14905: A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file. This occurs because the code incorrectly calculates the buffer size by summing alias string lengths without accounting for additional formatting characters. When a large number of aliases are processed, this oversight can lead to a heap overflow, potentially allowing a remote attacker to cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE).

4 issues left for the package maintainer to handle:

CVE-2023-1055: (needs triaging) A flaw was found in RHDS 11 and RHDS 12. While browsing entries LDAP tries to decode the userPassword attribute instead of the userCertificate attribute which could lead into sensitive information leaked. An attacker with a local account where the cockpit-389-ds is running can list the processes and display the hashed passwords. The highest threat from this vulnerability is to data confidentiality.
CVE-2024-1062: (needs triaging) A heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr.
CVE-2024-6237: (needs triaging) A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service.
CVE-2025-2487: (needs triaging) A flaw was found in the 389-ds-base LDAP Server. This issue occurs when issuing a Modify DN LDAP operation through the ldap protocol, when the function return value is not tested and a NULL pointer is dereferenced. If a privileged user performs a ldap MODDN operation after a failed operation, it could lead to a Denial of Service (DoS) or system crash.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-10 Last update: 2026-04-20 10:30

6 security issues in buster high

There are 6 open security issues in buster.

3 important issues:

CVE-2024-2199: A denial of service vulnerability was found in 389-ds-base ldap server. This issue may allow an authenticated user to cause a server crash while modifying `userPassword` using malformed input.
CVE-2024-3657: A flaw was found in 389-ds-base. A specially-crafted LDAP query can potentially cause a failure on the directory server, leading to a denial of service
CVE-2024-5953: A denial of service vulnerability was found in the 389-ds-base LDAP server. This issue may allow an authenticated user to cause a server denial of service while attempting to log in with a user with a malformed hash in their password.

2 issues postponed or untriaged:

CVE-2023-1055: (needs triaging) A flaw was found in RHDS 11 and RHDS 12. While browsing entries LDAP tries to decode the userPassword attribute instead of the userCertificate attribute which could lead into sensitive information leaked. An attacker with a local account where the cockpit-389-ds is running can list the processes and display the hashed passwords. The highest threat from this vulnerability is to data confidentiality.
CVE-2024-1062: (needs triaging) A heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr.

1 ignored issue:

CVE-2022-1949: An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.

Created: 2024-05-29 Last update: 2024-06-19 07:13

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 2-day delay is over. Check why.

Created: 2026-04-22 Last update: 2026-04-25 17:02

Depends on packages which need a new maintainer normal

The packages that 389-ds-base depends on which need a new maintainer are:

db5.3 (#1055356)
- Depends: libdb5.3t64
db-defaults (#1055344)
- Build-Depends: libdb-dev

Created: 2023-11-04 Last update: 2026-04-25 15:32

lintian reports 53 warnings normal

Lintian reports 53 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-04-18 Last update: 2026-04-20 21:01

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 3.1.4-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit 5f05321422f3abcbdff74e3fdddae1e6a2197751
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Mon Apr 20 21:40:48 2026 +0300

    some archs require libdb-dev still

commit 64132c22285271179e4ed68a4ed41dd446143e97
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Mon Apr 20 20:49:42 2026 +0300

    Drop old vendoring cruft.

commit 28ab1f56dfba7063276f9de45b45c787da67df86
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Mon Apr 20 20:48:07 2026 +0300

    control: Drop unnecessary direct python dependencies from python3- lib389.

commit 1e89f93ffeca97056bda3daa582512907cfd2b45
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Mon Apr 20 20:43:31 2026 +0300

    control: Drop python3-packaging from (build-)depends.

commit d4f6babb5b13158c9b4ea57d3dfa1ff95ca16dc0
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Mon Apr 20 20:42:48 2026 +0300

    rules: Don't clean Cargo.toml.orig-files.

commit 05473d15b3bef30f1a416434240d377ebc757b48
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Mon Apr 20 20:35:03 2026 +0300

    Drop libdb-dev from build-depends, include a read-only implementation derived from rpm (librobdb.so). (Closes: #1119174)

commit 885f34a08f5bd93e534e887588f07fa2f5bbcfbe
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Mon Apr 20 20:31:41 2026 +0300

    patches: Fix nss includes.

commit 6989008f654c68f7ea4e74d7eafd3e449a76947b
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Mon Apr 20 20:29:54 2026 +0300

    Migrate to pybuild.

commit d32406eaf933c6ce08685a3e78f4ab19d68f37ec
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Mon Apr 20 10:37:19 2026 +0300

    watch: Updated.

commit f5d2bf7dcdd42587dce752cd91d260212a1d9e78
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Mon Apr 20 10:35:06 2026 +0300

    patches: Drop upstreamed patches.

commit 97728ef6d55227f1d9bcf495930cbd273b7e26fa
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Mon Apr 20 10:21:14 2026 +0300

    version bump

commit b0916a76e53d629e29b11b27752a2d3f0aca7e0e
Merge: 6143c90 09a3408
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Mon Apr 20 10:20:25 2026 +0300

    Merge branch 'upstream' into m

commit 6143c9025c8b7380618946c06e1ec21f57c6616d
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Mon Apr 20 10:16:56 2026 +0300

    releasing package 389-ds-base version 3.1.2+vendor1-2

commit 6a7ec5c1cb30c34c341cecd7b75bb3b553f9c6f0
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Mon Apr 20 10:02:13 2026 +0300

    patches: Fix CVE-2025-14905. (Closes: #1130910)

commit fd520c4f08190dd2444cd553daa689b6a00ac734
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Mon Apr 20 10:00:33 2026 +0300

    patches: Fix build with python 3.14.

commit 39be79eb0f652a484960d43bf7813d2121905f6c
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Fri Apr 17 16:43:08 2026 +0300

    releasing package 389-ds-base version 3.1.2+vendor1-1

commit 9212e29271c785da100e4345508bb6c44dc3043e
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Fri Apr 17 16:42:41 2026 +0300

    Use the upstream tarball with vendored dependencies. (FTBFS)
    
    * Use the upstream tarball with vendored dependencies. (FTBFS)
    * Add patches to fix with gcc15, current rustc.

commit 09a3408bd3512ea7da0c66231a1dd2b15cc93fbe
Author: Mark Reynolds <mreynolds@redhat.com>
Date:   Tue Dec 16 15:43:53 2025 -0500

    Bump version to 3.1.4

commit 7b2104c2eb21ed899d69757529bd997ea65a5310
Author: progier389 <progier@redhat.com>
Date:   Tue Dec 16 12:37:26 2025 +0100

    Issue: 7147 - entrycache_eviction_test is failing (#7148)
    
    Several reason explain the test failure:
    
    log buffereing is not disabled
    a race condition causing double free in slapi_re_exec_nt when several thread uses the same compiled regex
    The searched done during the test were silently unindexed so some entries were unexpectedly added to the entry cache
    Issue: #7147
    
    Reviewed by: @tbordaz, @droideck (Thanks!)

commit 40527f748240e03410557b04a4cd353942211af1
Author: Mark Reynolds <mreynolds@redhat.com>
Date:   Wed Dec 10 15:48:09 2025 -0500

    Issue 1793 - RFE - Dynamic lists - UI and CLI updates
    
    Description:
    
    Add UI and CLI support for the new dynamic lists configuration
    
    Relates: https://github.com/389ds/389-ds-base/issues/1793
    
    Reviewed by: spichugi(Thanks!)

commit 7ba274f346f7f82b6cd73f24bc9c04be66a8837d
Author: Simon Pichugin <spichugi@redhat.com>
Date:   Wed Dec 10 20:35:35 2025 -0800

    Issue 7119 - Fix DNA shared config replication test (#7143)
    
    Description: Modify test_dna_shared_config_replication to validate shared
    config updates through actual DNA value allocation rather than direct
    modification.
    Creates a user to trigger DNA allocation and verifies the dnaRemainingValues
    decrements and replicates correctly across all suppliers.
    
    Relates: https://github.com/389ds/389-ds-base/issues/7119
    
    Reviewed by: @tbordaz (Thanks!)

commit 97ae7306b75b344608a413c4d4f125f7ba0db3fe
Author: Simon Pichugin <spichugi@redhat.com>
Date:   Wed Dec 10 19:53:35 2025 -0800

    Issue 7081 - Repl Log Analysis - Implement data sampling with performance and timezone fixes (#7086)
    
    Description: Add configurable data sampling to handle large datasets efficiently.
    Implement three precision modes (fast/balanced/full) with uniform sampling on
    backend and client-side fallback sampling when datasets exceed file size limits.
    Track sampling metadata in JSON output and surface to users via UI notices.
    
    Optimize chart rendering with series caching and debounced resize handlers.
    Increase file size limits to 64 MiB and add proper async loading with
    cancellation tokens. Make timezone handling consistent with all timestamps
    timezone-aware throughout the stack. Add tracking for skipped directories,
    accurate end-time reporting, and per-tab loading states.
    
    Fixes: https://github.com/389ds/389-ds-base/issues/7081
    
    Reviewed by: @mreynolds389 (Thanks!)

commit 446f3a485e8c27c11a5647266d5434dffdc6641e
Author: Mark Reynolds <mreynolds@redhat.com>
Date:   Mon Dec 8 11:37:20 2025 -0500

    Issue 1793 - RFE - Implement dynamic lists
    
    Implement a backend feature to build dynamic content based of
    LDAP URI's. Configuration includes an identifying objectclass to mark
    an entry as a dynamic content entry. Another setting for the attribute
    that contains the LDAP URI, and an attribute for storing the dynamic
    content. Attributes specified in the LDAP URI override the content
    attribute and instead write that attribute's value into the dynamic
    content entry.
    
    Design doc: https://www.port389.org/docs/389ds/design/dynamic-lists-design.html
    
    Relates: https://github.com/389ds/389-ds-base/issues/1793
    
    Reviewed by: progier(Thanks!)

commit afffed9ede9fa729a26f482767f0f837faf8323f
Author: progier389 <progier@redhat.com>
Date:   Tue Dec 9 18:02:04 2025 +0100

    Issue 7112 - dsctrl dblib bdb2mdb core dumps and won't allow conversion (#7144)
    
    Avoid a crash we trying to free twice some bdb resources when read-only bdb is used.
    Just by making sure not to dereference NULL pointer.
    
    Issue: #7112
    
    Reviewed by: @mreynolds389 (Thanks!)

commit d9360cb81039ec87356aee01284ecb10f15bf96f
Author: Alex Kulberg <vectinx@yandex.ru>
Date:   Tue Dec 9 17:11:56 2025 +0300

    Issue 7053 - Remove memberof_del_dn_from_groups from MemberOf plugin (#7064)
    
    Bug Description:
    
    The member plugin creates redundant changes to the member attribute
    in groups when deleting a user, although the referential integrity
    of the member attribute should be controlled by the Referential Integrity plugin.
    Furthermore, memberof doesn't take replication of operations into account
    and performs the change on every server instance in the topology.
    
    Fix Description:
    
    Remove the `memberof_del_dn_from_groups` function from the MemberOf plugin,
    completely transferring responsibility for deleting users from groups
    to the Referential Integrity plugin.
    
    Relates: https://github.com/389ds/389-ds-base/issues/7053
    
    Reviewed by: @tbordaz

commit c341731ff1085b43a0816ded471029585857471b
Author: progier389 <progier@redhat.com>
Date:   Mon Dec 8 15:21:54 2025 +0100

    Issue 7138 - test_cleanallruv_repl does not restart supplier3 (#7139)
    
    Fix CI by ensuring that all suppliers are started when completing the test
    
    Issue: #7138
    
    Reviewed by: @droideck (Thanks!)

commit 4db2f3c6b2525e31ef9d4deda6d6f5797fd854e5
Author: Akshay Adhikari <aadhikar@redhat.com>
Date:   Mon Dec 8 16:24:06 2025 +0530

    Issue 6753 - Port ticket47921 test to indirect_cos_test using DSLdapObject (#7134)
    
    Description: The old ticket47921_test.py had compatibility issues.
    This ports the functionality to indirect_cos_test.py using modern DSLdapObject methods.
    
    Relates: https://github.com/389ds/389-ds-base/issues/6753
    
    Reviewed by: @progier389 (Thanks!)

commit f7156790d8e38f86a6495957e4fe4cb44a0bbc81
Author: James Chapman <jachapma@redhat.com>
Date:   Mon Dec 8 10:33:59 2025 +0000

    Issue 7128 - memory corruption in alias entry plugin (#7131)
    
    Description:
    The plugin was freeing the original search base sdn, leading
    to memory corruption during operation teardown.
    
    Fix:
    Track ownership of sdn values in the alias dereference loop, only free
    temp alias sdn's created by the plugin.
    
    Fixes: https://github.com/389ds/389-ds-base/issues/7128
    
    Reviewed by: @vashirov, @tbordaz  (Thank you)

commit 50ef48ad840da49cfacd80f5522db28223cb7c6e
Author: James Chapman <jachapma@redhat.com>
Date:   Mon Dec 8 10:20:42 2025 +0000

    Issue 7091 - Duplicate local password policy entries listed (#7092)
    
    Bug description:
    When listing local password policies, duplicate entries are shown
    if a subtree password policy exists under a sub suffix. The parent
    suffix search also returns the same policy, resulting in duplicates.
    
    Fix description:
    Add a check for duplicate policy entries when iterating over results from multiple suffixes.
    
    Fixes: https://github.com/389ds/389-ds-base/issues/7091
    
    Reviewed by: @droideck  (Thank you)

commit ff26302ec561a47209b5dfcb71a7f286bc304b97
Author: Viktor Ashirov <vashirov@redhat.com>
Date:   Mon Dec 8 08:58:25 2025 +0100

    Issue 7124 - BDB cursor race condition with transaction isolation (#7125)
    
    Bug Description:
    ASAN reported crashes in `__db_ditem_nolog()` with negative-size-param
    errors. Cursor operations without transaction isolation allowed
    concurrent page modifications to corrupt cursor state, leading to
    invalid memory access.
    
    The race condition occurs when:
    1. T1 opens a cursor without transaction protection
    2. T2 modifies the same index page
    3. T1 cursor operates on stale page metadata
    4. `__db_ditem_nolog()` calculates negative size for `memmove()`
    5. Crash: `AddressSanitizer: negative-size-param: (size=-8)`
    
    Reproducer: dirsrvtests/tests/stress/backend/bdb_cursor_race_test.py
    Crash under ASAN usually happens within 10-30 minutes, but sometimes it
    can run for hours without any crash.
    
    Fix Description:
    Implement transaction isolation for cursors in `idl_new_fetch()` and
    `idl_new_range_fetch()` by always calling `dblayer_read_txn_begin()`.
    
    In `bdb_txn_begin()` verify if the environment supports transactions
    (has DB_INIT_TXN flag) before attempting to begin a transaction.
    This prevents errors during offline import which uses a private
    environment without transaction support.
    
    In `bdb_public_new_cursor()` skip transaction usage when the database's
    environment doesn't support transactions.
    
    Fixes: https://github.com/389ds/389-ds-base/issues/7124
    
    Reviewed by: @progier389, @tbordaz (Thanks!)

commit 337e2c905a24c1c3b9e2bc32cb7be62f1908ddac
Author: progier389 <progier@redhat.com>
Date:   Fri Dec 5 17:20:18 2025 +0100

    Issue 6951 - Dynamic Certificate refresh phase 1 - Search support (#7117)
    
    First phase of Dynamic Certificate Refresh
    
    Implement a new backend handling cn=dynamiccertificates suffix
    and the code supporting search request to list and show nss db certificates
    
    issue: #6951
    
    Reviewed by: @vashirov (Thanks!)
    
    * Dynamic Certificate - Phase1- Search
    
    * Fix sourcery-ai remarks
    
    * Minor changes
    
    * Fix broken search and memory leaks
    
    Co-authored-by: Viktor Ashirov <vashirov@redhat.com>

commit 8fe7bfe6ba2a21bcee34c6a383f080b02ecc4683
Author: progier389 <progier@redhat.com>
Date:   Fri Dec 5 11:39:53 2025 +0100

    Issue 7132 - Keep alive entry updated too soon after an offline import (#7133)
    
    * Issue 7132 - Keep alive entry updated too soon after an offline import
    
    Problem: first keep alive update is done 30 seconds after restarting the server which may be before the other replica have the time to replicate local changes after a re-initialization.
    Solution: unify the timer management so that it starts after the keep alive interval (which is configurable) in the 3 following cases:
    
    server starts
    replica is enabled (i.e after bulk import)
    keep alive interval is changed (to avoid having to restart the server after configuration change)
    Also logs a warning if the keep alive interval is smaller than the maximum backoff timer value
    
    Issue: #7132
    
    Reviewed by: @tbordaz , @droideck (Thanks!)

commit 49ed4ad368406c8e1447b440b6115f599b2e9494
Author: Viktor Ashirov <vashirov@redhat.com>
Date:   Fri Dec 5 08:22:48 2025 +0100

    Issue 7135 - Not enough space for tests on GH runner (#7136)
    
    Description:
    Recently healthcheck tests started to fail with DSDSLE0001
    
    > The disk partition used by the server (/), either for the database,
    the configuration files, or the logs is over 90% full.
    
    A fresh runner has 78% free space:
    ```
    Filesystem      Size  Used Avail Use% Mounted on
    /dev/root        73G   57G   17G  78% /
    tmpfs           7.9G  172K  7.9G   1% /dev/shm
    tmpfs           3.2G  1.1M  3.2G   1% /run
    tmpfs           5.0M     0  5.0M   0% /run/lock
    /dev/sdb15      105M  6.1M   99M   6% /boot/efi
    /dev/sda1        74G  4.1G   66G   6% /mnt
    tmpfs           1.6G   12K  1.6G   1% /run/user/1001
    ```
    
    There is preinstalled software that we don't use, like dotnet, GHC,
    CodeQL, docker images. We can remove them as part of the CI job to free
    up disk space.
    
    Fixes: https://github.com/389ds/389-ds-base/issues/7135
    
    Reviewed by: @droideck (Thanks!)

commit 75e0e487545893a7b0d83f94f9264c10f8bb0353
Author: Viktor Ashirov <vashirov@redhat.com>
Date:   Thu Dec 4 22:09:13 2025 +0100

    Issue 7121 - LeakSanitizer: various leaks during replication (#7122)
    
    1. CSN Leaks
    
    In `resolve_attribute_state_deleted_to_present()` we set CSN set pointer
    to NULL without freeing the allocated memory.
    In `valueset_remove_valuearray()` we overwrite `csnset` pointer without
    freeing the existing `csnset`.
    
    2. Leak in replica_add_session_abort_control()
    
    Control's OID and value are allocated but never freed after
    `slapi_pblock_set`, which duplicates the control. Added cleanup to free
    `ctrl.ldctl_oid` and `ctrl.ldctl_value.bv_val` after `slapi_pblock_set`.
    
    3. LDAP controls leak
    
    `ldap_parse_result` allocates controls that are not being freed when not
    transferred to caller or on error paths.  Free `loc_returned_controls`
    in cleanup section and NULL the pointer after the transfer.
    
    `returned_controls` allocated in `conn_read_result_ex` are used to check
    for abort session control, but never freed before the next loop
    iteration.
    
    Fixes: https://github.com/389ds/389-ds-base/issues/7121
    
    Reviewed by: @progier389, @tbordaz (Thanks!)

commit 3dd7d2854a2d8b6e328b44912ec234263e8ef5fc
Author: Viktor Ashirov <vashirov@redhat.com>
Date:   Thu Dec 4 22:03:31 2025 +0100

    Issue 7115 - LeakSanitizer: leak in `slapd_bind_local_user()` (#7116)
    
    Bug Description:
    1. In `slapd_bind_local_user()` when checking LDAPI auth mappings,
    `slapi_search_internal_get_entry()` allocates and returns a duplicated
    entry. This entry was never freed before jumping to the `done:` label,
    causing a memory leak on each BIND operation.
    
    2. When LDAPI mapping points to a locked account or a non-existent entry
    `auth_dn` is allocated but not freed when `slapi_check_account_lock()`
    returns non-zero.
    
    3. When the root DN account is locked, `root_dn` is allocated via
    `config_get_rootdn()` but not freed when the account lock check fails.
    
    Fix Description:
    1. Free the duplicated `e` before jumping to the `done:` label.
    
    2. Free `auth_dn` when acount is locked or doesn't exist.
    
    3. Free `root_dn` when root account is locked.
    
    Fixes: https://github.com/389ds/389-ds-base/issues/7115
    
    Reviewed by: @mreynolds389, @droideck (Thanks!)

commit f697e71121c4d40dce2509bb1a57f8fbd0501cf8
Author: Viktor Ashirov <vashirov@redhat.com>
Date:   Thu Dec 4 21:56:28 2025 +0100

    Issue 7109 - AddressSanitizer: SEGV ldap/servers/slapd/csnset.c:302 in csnset_dup (#7114)
    
    Bug Description:
    In `extensible_candidates` we pass a `berval` struct directly to the
    pblock instead of `Slapi_Value`, which have different memory layouts.
    Reproducible with
    `dirsrvtests/tests/suites/filter/filter_index_match_test.py::test_do_extensible_search`.
    
    Fix Description:
    Convert the `berval` to `Slapi_Value` before passing to the pblock.
    
    Fixes: https://github.com/389ds/389-ds-base/issues/7109
    
    Reviewed by: @progier389 (Thanks!)

commit 764b500cee718bb05c107d592e918159bba6039e
Author: Simon Pichugin <spichugi@redhat.com>
Date:   Wed Dec 3 17:47:34 2025 -0800

    Issue 7119 - Harden DNA plugin locking for shared server list operations (#7120)
    
    Description: Hold dna_server_write_lock() across both the global list
    teardown and full rebuild in dna_load_shared_servers(), eliminating
    rare races where concurrent config updates could free or append entries
    while the list is being reconstructed.
    
    Guard dna_delete_global_servers() at shutdown behind the same lock,
    ensuring teardown doesn't run in parallel with active readers.
    
    Add comprehensive multi-supplier DNA test suite covering basic
    allocation, uniqueness, shared config replication, restart recovery,
    and range exhaustion scenarios.
    
    Fixes: https://github.com/389ds/389-ds-base/issues/7119
    
    Reviewed by: @tbordaz (Thanks!)

commit 1248019a74d8507733b9d03bee768a5f0fcea6db
Author: Mark Reynolds <mreynolds@redhat.com>
Date:   Thu Nov 6 08:31:19 2025 -0500

    Issue 7084 - UI - schema - sorting attributes breaks expanded row
    
    Description:
    
    When sorting attributes the expanded row is not properly set and it crashes
    the browser when trying to see it. The problem is that during sorting we
    are not transfering the "attribute data" to the new sorted row.
    
    Also fixed small issue in VlvIndexes where the wrong function name was
    used.
    
    Relates: https://github.com/389ds/389-ds-base/issues/7084
    
    Reviewed by: spichugi(Thanks!)

commit 12ab69e5d655df4c9db3de31e0ae4885144c7a9e
Author: Akshay Adhikari <aadhikar@redhat.com>
Date:   Thu Nov 27 15:40:40 2025 +0530

    Issue 6753 - Port ticket47910 test to logconv_test using DSLdapObject (#7098)
    
    Description:
    Port ticket47910_test.py(file removed) to logconv_test.py with new tests for logconv
    time filtering (-S/-E options). Fixes dataclass access bug in logconv.py
    and adds proper error exit codes.
    
    Relates: https://github.com/389ds/389-ds-base/issues/6753
    
    Reviewed by: @jchapma (Thanks!)

commit 67d8c649538560ea0e4cea763c46185c4817249a
Author: Akshay Adhikari <aadhikar@redhat.com>
Date:   Wed Nov 26 15:33:53 2025 +0530

    Issue 6753 - Port ticket47920 test to ldap_controls_test using DSLdapObject (#7103)
    
    Description:
    The old ticket47920_test.py had compatibility issues.
    This ports the functionality to ldap_controls_test.py using modern DSLdapObject methods.
    
    Relates: https://github.com/389ds/389-ds-base/issues/6753
    
    Reviewed by: @droideck (Thanks!)

commit 2876e7672dce8307f053b80a4ff412b3993da02e
Author: Mark Reynolds <mreynolds@redhat.com>
Date:   Tue Nov 18 15:04:45 2025 -0500

    Issue 7007 - Improve paged result search locking
    
    Description:
    
    Hold the paged result connection hash mutex while acquiring the global
    connection paged result lock. Otherwise there is a window where the
    mutex could be rmoved and lead to a crash
    
    Relates: https://github.com/389ds/389-ds-base/issues/7007
    
    Reviewed by: progier, spichugi, and tbordaz(Thanks!!!)

commit 9d068856f460d70d9f1ba1bc96b33f56e769cdf4
Author: Akshay Adhikari <aadhikar@redhat.com>
Date:   Tue Nov 25 15:12:07 2025 +0530

    Issue 7041 - Add WebUI test for group member management (#7111)
    
    Description: Added test for group member add/remove functionality via checkboxes,
    testing both single and multiple member deletions.
    
    Relates: https://github.com/389ds/389-ds-base/issues/7041
    
    Reviewed by: @mreynolds389, @droideck

commit 3bd703cf129fef43cff86c21a2cc8ef331794c56
Author: Simon Pichugin <spichugi@redhat.com>
Date:   Thu Nov 20 14:34:50 2025 -0800

    Issue 3555 - UI - Fix audit issue with npm - glob (#7107)
    
    Description: Run npm audit fix to address the vulnerability
    in glob.
    
    Relates: https://github.com/389ds/389-ds-base/issues/3555
    
    Reviewed by: @vashirov (Thanks!)

commit 7df263085999f256caa88f753e79f87d58c1733d
Author: Lenka Doudova <mirielka@users.noreply.github.com>
Date:   Wed Nov 19 07:01:12 2025 +0100

    Issue 7089 - Fix dsconf certificate list (#7090)
    
    Description:
    Fixing regex matching for listing certificates to also match a single
    character certificate name instead of failing the 'dsconf security
    certificate list' command
    
    Relates: #7089
    Author: Lenka Doudova
    Reviewer: James Chapman

commit e86c212878ba692af340c14413b2f8bdcad8f514
Author: Akshay Adhikari <aadhikar@redhat.com>
Date:   Tue Nov 18 21:57:10 2025 +0530

    Issue 7076, 6992, 6784, 6214 - Fix CI test failures (#7077)
    
    - Fixed import test bugs in regression_test.py (cleanup handler, LDIF permissions) -
      https://github.com/389ds/389-ds-base/issues/6992
    - Fixed ModRDN cache corruption on failed operations (parent update check, cache cleanup)
    - Fixed attribute uniqueness test fixture cleanup in attruniq_test.py
    - mproved test stability by fixing race conditions in replication, healthcheck,
      web UI, memberOf, and basic tests.
    - Fixed entrycache_eviction_test.py to track incremental log counts instead of cumulative -
      https://github.com/389ds/389-ds-base/issues/6784
    
    Fixes: https://github.com/389ds/389-ds-base/issues/7076
    Relates: https://github.com/389ds/389-ds-base/issues/6992
    Relates: https://github.com/389ds/389-ds-base/issues/6784
    Fixes: https://github.com/389ds/389-ds-base/issues/6214
    
    Reviewed by: @vashirov, @progier389 (Thanks!)

commit cf277a9420639d9e95fbf14982bcefca2cb0c781
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Nov 17 19:57:18 2025 -0800

    Bump js-yaml from 4.1.0 to 4.1.1 in /src/cockpit/389-console (#7097)
    
    Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.1.1.
    - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
    - [Commits](https://github.com/nodeca/js-yaml/compare/4.1.0...4.1.1)
    
    ---
    updated-dependencies:
    - dependency-name: js-yaml
      dependency-version: 4.1.1
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

commit 8ac17d60030e29c84ced9f0ce61c16504695b3fc
Author: Simon Pichugin <spichugi@redhat.com>
Date:   Thu Nov 13 11:56:45 2025 -0800

    Issue 7069 - Fix error reporting in HAProxy trusted IP parsing (#7094)
    
    Description: Add missing errorbuf population in haproxy_parse_trusted_ips()
    for CIDR validation failures.
    Initialize parse_errorbuf to zero to fix Coverity warning.
    
    Fixes: https://github.com/389ds/389-ds-base/issues/7069
    
    Reviewed by: progier389, mreynolds389 (Thanks!!)

commit dbc4b2ed70526c03bfedb2474c0205cf1ca6c17b
Author: Viktor Ashirov <vashirov@redhat.com>
Date:   Mon Nov 10 13:20:28 2025 +0100

    Issue 7049 - RetroCL plugin generates invalid LDIF
    
    Bug Description:
    When a replicated modification marked with LDAP_MOD_IGNORE is logged,
    `changes` attribute contains invalid LDIF:
    
    ```
    replace: modifiersName
    modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config
    -
    modifyTimestamp: 20250903092211Z
    -
    ```
    Line `replace: modifyTimestamp` is missing.
    
    A similar issue is present in audit log:
    ```
    time: 20251031064114
    dn: ou=tuser,dc=example,dc=com
    result: 0
    changetype: modify
    add: objectClass
    objectClass: nsMemberOf
    -
    replace: modifiersName
    modifiersName: cn=MemberOf Plugin,cn=plugins,cn=config
    -
    -
    ```
    Dash separator is logged, while the operation is not.
    This issue is not present wheh JSON format is used.
    
    Fix Description:
    * retrocl_po.c: add a default case to skip the entire modification if it
      has LDAP_MOD_IGNORE flag.
    * auditlog.c: write the dash separator only if operation type is not
      LDAP_MOD_IGNORE
    
    Fixes: https://github.com/389ds/389-ds-base/issues/7049
    
    Reviewed by: @progier389 (Thanks!)

commit 2a782b8f290a25476d4d5bfd4d976315fe36753c
Author: tbordaz <tbordaz@redhat.com>
Date:   Fri Nov 7 15:41:40 2025 +0100

    Issue 7055 - Online initialization of consumers fails with error -23 (#7075)
    
    Bug description:
            During a total initialization, if the supplier is not able
            to send a new entry because the consumer is LDAP_BUSY,
            then it returns a failure (CONN_OPERATION_FAILED).
            The failure ends the replication session
    
    Fix description:
            Instead of failing it should retry (maxretry=5)
    
    fixes: #7055
    
    Reviewed by: Pierre Rogier (thanks)

commit 717541d198f194ac2df7b5a0e7f81c4bb0e60ada
Author: Lenka Doudova <mirielka@users.noreply.github.com>
Date:   Fri Nov 7 14:46:26 2025 +0100

    Issue 6753 - Remove ticket 47900 test (#7087)
    
    Description:
    Removing ticket 47900 test since the tescases are already covered by
    dirsrvtests/tests/suites/password/pwdAdmin_test.py
    
    Relates: #6753
    Author: Lenka Doudova
    Reviewer: Barbora Simonova

commit 52fa2944b4b27b40aab8b67190d98c7252314e40
Author: Lenka Doudova <mirielka@users.noreply.github.com>
Date:   Fri Nov 7 14:46:00 2025 +0100

    Issue 6753 - Port ticket 49008 test (#7080)
    
    Description:
    Porting ticket 49008 test into
    dirsrvtests/tests/suites/replication/ruvstore_test.py::test_ruv_after_aborted_plugin_operation.
    
    Relates: #6753
    Author: Lenka Doudova
    Assisted by: Cursor
    Reviewer: Pierre Rogier

commit e7c55aa0370664caa7b152ab2dee27e3b3e4facb
Author: James Chapman <jachapma@redhat.com>
Date:   Fri Nov 7 09:57:02 2025 +0000

    Issue 7042 - Enable global_backend_lock when memberofallbackend is enabled (#7043)
    
    Description: When the memberOf plugin is configured with memberOfAllBackends=on
    option, concurrent updates to group memberships across multiple backends can lead
    to deadlock.
    
    Fix: A healthcheck was added to detect this configuration and alert the user to the
    potential deadlock risk.
    
    Fixes: https://github.com/389ds/389-ds-base/issues/7042
    
    Reviewed by: @droideck, @firstyear, @tbordaz, @progier389  (Thank you)

commit 427aebb1ac1e2b45c0caa916964c7a03cc5c5a62
Author: Mark Reynolds <mreynolds@redhat.com>
Date:   Mon Nov 3 16:24:50 2025 -0500

    Issue 7078 - audit json logging does not encode binary values
    
    Description:
    
    Audit log does encode binary values, and this breaks the UI when it tries
    displaying the log contents. When the value is not "printable" base64
    encode it.
    
    Relates: https://github.com/389ds/389-ds-base/issues/7078
    
    Reviewed by: progier & spichugi(Thanks!!)

commit 2df7244effb8b83c86f507dfb56ddf62dc74093a
Author: Simon Pichugin <spichugi@redhat.com>
Date:   Tue Nov 4 17:09:00 2025 -0800

    Issue 7069 - Add Subnet/CIDR Support for HAProxy Trusted IPs (#7070)
    
    Description: nsslapd-haproxy-trusted-ip now supports CIDR notation
    (192.168.0.0/24, 2001:db8::/32) instead of requiring individual IPs
    for each address in a subnet. This makes it practical to trust entire
    HAProxy network ranges without manually adding hundreds of entries.
    
    The implementation includes CIDR parsing with validation, netmask
    precomputation for performance, and support for mixing individual IPs
    and subnets. Added comprehensive tests for subnet matching, edge cases,
    and malformed input validation. Updated Cockpit console UI accordingly.
    
    Fixes: https://github.com/389ds/389-ds-base/issues/7069
    
    Reviewed by: @mreynolds389 (Thanks!)

commit 1d72eeaaa414d64246df5163f802cfba9da65a76
Author: Viktor Ashirov <vashirov@redhat.com>
Date:   Tue Nov 4 12:05:51 2025 +0100

    Issue 7056 - DSBLE0007 doesn't generate remediation steps for missing indexes
    
    Bug Description:
    dsctl healthcheck doesn't generate remediation steps for missing
    indexes, instead it prints an error message:
    
    ```
    - Unable to check index ancestorId: No object exists given the filter criteria: ancestorId (&(&(objectclass=nsIndex))(|(cn=ancestorId)))
    ```
    
    Fix Description:
    Catch `ldap.NO_SUCH_OBJECT` when index is missing and generate
    remediation instructions.
    Update remediation instructions for missing index.
    Fix failing tests due to missing idlistscanlimit.
    
    Fixes: https://github.com/389ds/389-ds-base/issues/7056
    
    Reviewed by: @progier389, @droideck (Thank you!)

commit fcfaad5a0a82eea816b547822b55c369bc9cf649
Author: Timo Aaltonen <tjaalton@debian.org>
Date:   Wed Jun 25 12:34:39 2025 +0300

    control: Add libcrypt-dev to build-depends. (Closes: #1106912)

Created: 2025-06-25 Last update: 2026-04-20 20:01

debian/patches: 8 patches to forward upstream low

Among the 8 debian patches available in version 3.1.2+vendor1-2 of the package, we noticed the following issues:

8 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-04-20 13:00

Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2025-04-11 Last update: 2025-04-11 22:32

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.6.0).

Created: 2022-05-11 Last update: 2026-04-20 09:17

testing migrations

This package will soon be part of the auto-openssl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migration status for 389-ds-base (- to 3.1.2+vendor1-2): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating 389-ds-base would introduce bugs in testing: #1083298, #1111889
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/3/389-ds-base.html
- ∙ ∙ Autopkgtest for 389-ds-base/3.1.2+vendor1-2: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Reproduced on amd64
- ∙ ∙ Reproduced on arm64
- ∙ ∙ Reproduced on armhf
- ∙ ∙ Reproduced on i386
- ∙ ∙ Reproduced on ppc64el
- ∙ ∙ Required age reduced by 3 days because of autopkgtest
- ∙ ∙ 5 days old (needed 2 days)
- Not considered

news

[rss feed]

[2026-04-20] Accepted 389-ds-base 3.1.2+vendor1-2 (source) into unstable (Timo Aaltonen)
[2026-04-17] Accepted 389-ds-base 3.1.2+vendor1-1 (source) into unstable (Timo Aaltonen)
[2025-10-08] 389-ds-base REMOVED from testing (Debian testing watch)
[2025-04-12] 389-ds-base 3.1.2+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2025-04-10] Accepted 389-ds-base 3.1.2+dfsg1-1 (source) into unstable (Timo Aaltonen)
[2025-01-25] Accepted 389-ds-base 2.3.1+dfsg1-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Andrew Shadura)
[2025-01-19] Accepted 389-ds-base 1.4.4.11-2+deb11u1 (source) into oldstable-security (Andrej Shadura) (signed by: Andrew Shadura)
[2025-01-08] Accepted 389-ds-base 3.1.1+dfsg1-3 (source) into unstable (Timo Aaltonen)
[2024-12-10] 389-ds-base REMOVED from testing (Debian testing watch)
[2024-10-04] 389-ds-base 3.1.1+dfsg1-2 MIGRATED to testing (Debian testing watch)
[2024-10-02] Accepted 389-ds-base 3.1.1+dfsg1-2 (source) into unstable (Timo Aaltonen)
[2024-08-09] 389-ds-base 3.1.1+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2024-08-07] Accepted 389-ds-base 3.1.1+dfsg1-1 (source) into unstable (Timo Aaltonen)
[2024-07-17] 389-ds-base REMOVED from testing (Debian testing watch)
[2024-06-08] 389-ds-base 2.4.5+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2024-06-03] 389-ds-base REMOVED from testing (Debian testing watch)
[2024-05-03] 389-ds-base 2.4.5+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2024-04-25] Accepted 389-ds-base 3.0.2+dfsg1-1 (source) into experimental (Timo Aaltonen)
[2024-04-15] Accepted 389-ds-base 2.4.5+dfsg1-1 (source) into unstable (Timo Aaltonen)
[2024-02-13] 389-ds-base 2.4.4+dfsg1-3 MIGRATED to testing (Debian testing watch)
[2024-02-13] 389-ds-base 2.4.4+dfsg1-3 MIGRATED to testing (Debian testing watch)
[2024-02-10] Accepted 389-ds-base 2.4.4+dfsg1-3 (source) into unstable (Timo Aaltonen)
[2024-01-08] Accepted 389-ds-base 2.4.4+dfsg1-1 (source) into unstable (Timo Aaltonen)
[2023-12-30] 389-ds-base 2.3.4+dfsg1-1.1 MIGRATED to testing (Debian testing watch)
[2023-12-28] Accepted 389-ds-base 2.3.4+dfsg1-1.1 (source) into unstable (Bo YU) (signed by: bage@debian.org)
[2023-11-10] 389-ds-base REMOVED from testing (Debian testing watch)
[2023-07-01] 389-ds-base 2.3.4+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2023-07-01] 389-ds-base 2.3.4+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2023-06-19] Accepted 389-ds-base 2.3.4+dfsg1-1 (source) into unstable (Timo Aaltonen)
[2023-04-24] Accepted 389-ds-base 1.4.0.21-1+deb10u1 (source) into oldstable (Anton Gladky)

bugs [bug history graph]

all: 12
RC: 2
I&N: 8
M&W: 2
F&P: 0
patch: 0

links

homepage
lintian (0, 53)
buildd: logs, cross
popcon
browse source code
other distros
security tracker
l10n (-, 100)
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.1.2+vendor1-2
7 bugs