diff --git a/SOURCES/0024-Ticket-50905-intermittent-SSL-hang-with-rhds.patch b/SOURCES/0024-Ticket-50905-intermittent-SSL-hang-with-rhds.patch
new file mode 100644
index 0000000..3af4844
--- /dev/null
+++ b/SOURCES/0024-Ticket-50905-intermittent-SSL-hang-with-rhds.patch
@@ -0,0 +1,60 @@
+From 14e3bea927c33a97ca8aed937b6edd9ce4557d24 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz <tbordaz@redhat.com>
+Date: Fri, 3 Apr 2020 15:23:10 +0200
+Subject: [PATCH] Ticket 50905 - intermittent SSL hang with rhds
+
+Bug Description:
+ On a successfull sasl bind, a new IO layer (sasl_io_enable) is registered on top of
+ the connection. Then sasl bind sends the successful result. Registration is
+ done while sasl bind thread holds c_mutex but result is sent while the c_mutex
+ is released.
+
+ If a new operation comes in just after c_mutex was released it is
+ possible that sasl bind sends the result while the new IO layer is pushed.
+ IO layers is partially initialized at that time. It can create sigseg or
+ deadlock or...
+
+Fix Description:
+ The fix is to protect the send result from IO layer push.
+ i.e. move send_ldap_result into c_mutex
+
+https://pagure.io/389-ds-base/issue/50905
+
+Reviewed by: Mark Reynolds (Thanks !!)
+
+Platforms tested: F29
+
+Flag Day: no
+
+Doc impact: no
+---
+ ldap/servers/slapd/saslbind.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
+index 0907c623f..ef29acf71 100644
+--- a/ldap/servers/slapd/saslbind.c
++++ b/ldap/servers/slapd/saslbind.c
+@@ -1118,12 +1118,16 @@ sasl_check_result:
+ /* Enable SASL I/O on the connection */
+ PR_EnterMonitor(pb_conn->c_mutex);
+ connection_set_io_layer_cb(pb_conn, sasl_io_enable, NULL, NULL);
++
++ /* send successful result before sasl_io_enable can be pushed by another incoming op */
++ send_ldap_result(pb, LDAP_SUCCESS, NULL, NULL, 0, NULL);
++
+ PR_ExitMonitor(pb_conn->c_mutex);
++ } else {
++ /* send successful result */
++ send_ldap_result(pb, LDAP_SUCCESS, NULL, NULL, 0, NULL);
+ }
+
+- /* send successful result */
+- send_ldap_result(pb, LDAP_SUCCESS, NULL, NULL, 0, NULL);
+-
+ /* remove the sasl data from the pblock */
+ slapi_pblock_set(pb, SLAPI_BIND_RET_SASLCREDS, NULL);
+
+--
+2.25.4
+
diff --git a/SOURCES/0026-Ticket-51068-deadlock-when-updating-the-schema.patch b/SOURCES/0026-Ticket-51068-deadlock-when-updating-the-schema.patch
new file mode 100644
index 0000000..2f48907
--- /dev/null
+++ b/SOURCES/0026-Ticket-51068-deadlock-when-updating-the-schema.patch
@@ -0,0 +1,224 @@
+From 3b589a2bfc33f407cf2c23dc6896566bb8e2acdf Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz <tbordaz@redhat.com>
+Date: Tue, 5 May 2020 17:44:01 +0200
+Subject: [PATCH] Ticket 51068 - deadlock when updating the schema
+
+Bug Description:
+ It exists a 3 threads deadlock scenario. It involves state change plugins when it
+ calls schema_changed_callback. So the trigger is a change of schema (direct or via
+ replication). The scenario is
+ MOD(cn=schema) hold StateChange lock wait for vattr lock
+ SRCH hold vattr lock wait for DB page
+ MOD hold DB page wait for StateChange lock
+
+Fix Description:
+ Statechange lock protects the list of registered callbacks.
+ lock is a mutex where actually registration of callback is only done
+ at startup. Later the list is only lookup.
+ Making statechange lock a rwlock suppresses the deadlock scenario
+ as MODs will only acquire in read StateChange lock.
+ It should also improve performance as at the moment all MODs are serialized
+ on that lock
+ In order to prevent writer starvation a new slapi_new_rwlock_prio
+ create rwlock with priority to writers.
+
+https://pagure.io/389-ds-base/issue/51068
+
+Reviewed by: Mark Reynolds, William Brown
+
+Platforms tested: 30
+
+Flag Day: no
+
+Doc impact: no
+---
+ .../servers/plugins/statechange/statechange.c | 24 ++++++++++--------
+ ldap/servers/slapd/slapi-plugin.h | 16 ++++++++++++
+ ldap/servers/slapd/slapi2nspr.c | 25 +++++++++++++++++++
+ ldap/servers/slapd/vattr.c | 2 +-
+ 4 files changed, 55 insertions(+), 12 deletions(-)
+
+diff --git a/ldap/servers/plugins/statechange/statechange.c b/ldap/servers/plugins/statechange/statechange.c
+index f89b394c6..0a3838b5e 100644
+--- a/ldap/servers/plugins/statechange/statechange.c
++++ b/ldap/servers/plugins/statechange/statechange.c
+@@ -40,7 +40,7 @@ static SCNotify *head; /* a place to start in the list */
+ #define SCN_PLUGIN_SUBSYSTEM "statechange-plugin" /* used for logging */
+
+ static void *api[5];
+-static Slapi_Mutex *buffer_lock = 0;
++static Slapi_RWLock *buffer_lock = 0;
+ static PRUint64 g_plugin_started = 0;
+
+ /*
+@@ -140,7 +140,7 @@ statechange_start(Slapi_PBlock *pb __attribute__((unused)))
+ api[3] = (void *)_statechange_unregister_all;
+ api[4] = (void *)_statechange_vattr_cache_invalidator_callback;
+
+- if (0 == (buffer_lock = slapi_new_mutex())) /* we never free this mutex */
++ if (0 == (buffer_lock = slapi_new_rwlock()))
+ {
+ /* badness */
+ slapi_log_err(SLAPI_LOG_ERR, SCN_PLUGIN_SUBSYSTEM, "statechange_start - Failed to create lock\n");
+@@ -180,7 +180,9 @@ statechange_close(Slapi_PBlock *pb __attribute__((unused)))
+ slapi_counter_destroy(&op_counter);
+
+ slapi_apib_unregister(StateChange_v1_0_GUID);
+- slapi_destroy_mutex(buffer_lock);
++ if (buffer_lock) {
++ slapi_destroy_rwlock(buffer_lock);
++ }
+ buffer_lock = NULL;
+
+ slapi_log_err(SLAPI_LOG_TRACE, SCN_PLUGIN_SUBSYSTEM, "<-- statechange_close\n");
+@@ -240,7 +242,7 @@ statechange_post_op(Slapi_PBlock *pb, int modtype)
+ slapi_log_err(SLAPI_LOG_TRACE, SCN_PLUGIN_SUBSYSTEM, "--> statechange_post_op\n");
+
+ /* evaluate this operation against the notification entries */
+- slapi_lock_mutex(buffer_lock);
++ slapi_rwlock_rdlock(buffer_lock);
+ if (head) {
+ slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn);
+ if (NULL == sdn) {
+@@ -290,7 +292,7 @@ statechange_post_op(Slapi_PBlock *pb, int modtype)
+ } while (notify && notify != head);
+ }
+ bail:
+- slapi_unlock_mutex(buffer_lock);
++ slapi_rwlock_unlock(buffer_lock);
+ slapi_log_err(SLAPI_LOG_TRACE, SCN_PLUGIN_SUBSYSTEM, "<-- statechange_post_op\n");
+
+ return SLAPI_PLUGIN_SUCCESS; /* always succeed */
+@@ -338,7 +340,7 @@ _statechange_register(char *caller_id, char *dn, char *filter, void *caller_data
+ }
+ item->func = func;
+
+- slapi_lock_mutex(buffer_lock);
++ slapi_rwlock_wrlock(buffer_lock);
+ if (head == NULL) {
+ head = item;
+ head->next = head;
+@@ -349,7 +351,7 @@ _statechange_register(char *caller_id, char *dn, char *filter, void *caller_data
+ head->prev = item;
+ item->prev->next = item;
+ }
+- slapi_unlock_mutex(buffer_lock);
++ slapi_rwlock_unlock(buffer_lock);
+ slapi_ch_free_string(&writable_filter);
+
+ ret = SLAPI_PLUGIN_SUCCESS;
+@@ -371,7 +373,7 @@ _statechange_unregister(char *dn, char *filter, notify_callback thefunc)
+ return ret;
+ }
+
+- slapi_lock_mutex(buffer_lock);
++ slapi_rwlock_wrlock(buffer_lock);
+
+ if ((func = statechange_find_notify(dn, filter, thefunc))) {
+ func->prev->next = func->next;
+@@ -392,7 +394,7 @@ _statechange_unregister(char *dn, char *filter, notify_callback thefunc)
+ slapi_ch_free((void **)&func);
+ }
+
+- slapi_unlock_mutex(buffer_lock);
++ slapi_rwlock_unlock(buffer_lock);
+ slapi_counter_decrement(op_counter);
+
+ return ret;
+@@ -410,7 +412,7 @@ _statechange_unregister_all(char *caller_id, caller_data_free_callback callback)
+ return;
+ }
+
+- slapi_lock_mutex(buffer_lock);
++ slapi_rwlock_wrlock(buffer_lock);
+
+ if (notify) {
+ do {
+@@ -441,7 +443,7 @@ _statechange_unregister_all(char *caller_id, caller_data_free_callback callback)
+ } while (notify != start_notify && notify != NULL);
+ }
+
+- slapi_unlock_mutex(buffer_lock);
++ slapi_rwlock_unlock(buffer_lock);
+ slapi_counter_decrement(op_counter);
+ }
+
+diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
+index 679bdbb5c..865d83b9b 100644
+--- a/ldap/servers/slapd/slapi-plugin.h
++++ b/ldap/servers/slapd/slapi-plugin.h
+@@ -6126,6 +6126,22 @@ void slapi_destroy_condvar(Slapi_CondVar *cvar);
+ int slapi_wait_condvar(Slapi_CondVar *cvar, struct timeval *timeout);
+ int slapi_notify_condvar(Slapi_CondVar *cvar, int notify_all);
+
++/**
++ * Creates a new read/write lock
++ * If prio_writer the rwlock gives priority on writers
++ * else it give priority on readers (default)
++ *
++ * \return A pointer to a \c Slapi_RWLock
++ *
++ * \note Free the returned lock by calling slapi_destroy_rwlock() when finished
++ *
++ * \see slapi_destroy_rwlock()
++ * \see slapi_rwlock_rdlock()
++ * \see slapi_rwlock_wrlock()
++ * \see slapi_rwlock_unlock()
++ */
++Slapi_RWLock *slapi_new_rwlock_prio(int32_t prio_writer);
++
+ /**
+ * Creates a new read/write lock.
+ *
+diff --git a/ldap/servers/slapd/slapi2nspr.c b/ldap/servers/slapd/slapi2nspr.c
+index b3e6d94c2..232d1599e 100644
+--- a/ldap/servers/slapd/slapi2nspr.c
++++ b/ldap/servers/slapd/slapi2nspr.c
+@@ -181,6 +181,31 @@ slapi_notify_condvar(Slapi_CondVar *cvar, int notify_all)
+ return (prrc == PR_SUCCESS ? 1 : 0);
+ }
+
++Slapi_RWLock *
++slapi_new_rwlock_prio(int32_t prio_writer)
++{
++#ifdef USE_POSIX_RWLOCKS
++ pthread_rwlock_t *rwlock = NULL;
++ pthread_rwlockattr_t attr;
++
++ pthread_rwlockattr_init(&attr);
++ if (prio_writer) {
++ pthread_rwlockattr_setkind_np(&attr, PTHREAD_RWLOCK_PREFER_WRITER_NONRECURSIVE_NP);
++ } else {
++ pthread_rwlockattr_setkind_np(&attr, PTHREAD_RWLOCK_PREFER_READER_NP);
++ }
++
++ rwlock = (pthread_rwlock_t *)slapi_ch_malloc(sizeof(pthread_rwlock_t));
++ if (rwlock) {
++ pthread_rwlock_init(rwlock, &attr);
++ }
++
++ return ((Slapi_RWLock *)rwlock);
++#else
++ return ((Slapi_RWLock *)PR_NewRWLock(PR_RWLOCK_RANK_NONE, "slapi_rwlock"));
++#endif
++}
++
+ Slapi_RWLock *
+ slapi_new_rwlock(void)
+ {
+diff --git a/ldap/servers/slapd/vattr.c b/ldap/servers/slapd/vattr.c
+index 852a887ce..eef444270 100644
+--- a/ldap/servers/slapd/vattr.c
++++ b/ldap/servers/slapd/vattr.c
+@@ -1996,7 +1996,7 @@ vattr_map_create(void)
+ return ENOMEM;
+ }
+
+- the_map->lock = slapi_new_rwlock();
++ the_map->lock = slapi_new_rwlock_prio(1 /* priority on writers */);
+ if (NULL == the_map) {
+ slapd_nasty(sourcefile, 3, 0);
+ return ENOMEM;
+--
+2.26.2
+
diff --git a/SOURCES/0027-Issue-50745-ns-slapd-hangs-during-CleanAllRUV-tests.patch b/SOURCES/0027-Issue-50745-ns-slapd-hangs-during-CleanAllRUV-tests.patch
new file mode 100644
index 0000000..e9ce0d3
--- /dev/null
+++ b/SOURCES/0027-Issue-50745-ns-slapd-hangs-during-CleanAllRUV-tests.patch
@@ -0,0 +1,70 @@
+From b69687377d6afd973a8bc27d8d34bf8069943a9d Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Tue, 19 May 2020 11:25:13 -0400
+Subject: [PATCH] Issue 50745: ns-slapd hangs during CleanAllRUV tests
+
+Bug Description:
+ The hang condition:
+ - is not systematic
+ - occurs in rare case, for example here during the deletion of a replica.
+ - a thread is waiting for a dblock that an other thread "forgot" to
+ release.
+ - have always existed, at least since 1.4.0 but likely since 1.2.x
+
+ When deleting a replica, the replica is retrieved from
+ mapping tree structure (mtnode).
+ The replica is also retrieved through the mapping tree
+ when writing updates to the changelog.
+
+ When deleting the replica, mapping tree structure is cleared
+ after the changelog is deleted (that can take some cycles).
+ There is a window where an update can retrieve the replica,
+ from the not yet cleared MT, while the changelog being removed.
+
+ At the end, the update will update the changelog that is
+ currently removed and keeps an unfree lock in the DB.
+
+Fix description:
+ Ideally mapping tree should be protected by a lock but it
+ is not done systematically (e.g. slapi_get_mapping_tree_node).
+ Using a lock looks an overkill and can probably introduce
+ deadlock and performance hit.
+ The idea of the fix is to reduce the window, moving the
+ mapping tree clear before the changelog removal.
+
+https://pagure.io/389-ds-base/issue/50745
+
+Reviewed by: Mark Reynolds, Ludwig Krispenz
+---
+ ldap/servers/plugins/replication/repl5_replica_config.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
+index 80a079784..95b7fa50e 100644
+--- a/ldap/servers/plugins/replication/repl5_replica_config.c
++++ b/ldap/servers/plugins/replication/repl5_replica_config.c
+@@ -735,18 +735,18 @@ replica_config_delete(Slapi_PBlock *pb __attribute__((unused)),
+ PR_ASSERT(mtnode_ext);
+
+ if (mtnode_ext->replica) {
++ Object *repl_obj = mtnode_ext->replica;
+ /* remove object from the hash */
+ r = (Replica *)object_get_data(mtnode_ext->replica);
++ mtnode_ext->replica = NULL;
+ PR_ASSERT(r);
+ /* The changelog for this replica is no longer valid, so we should remove it. */
+ slapi_log_err(SLAPI_LOG_WARNING, repl_plugin_name, "replica_config_delete - "
+ "The changelog for replica %s is no longer valid since "
+ "the replica config is being deleted. Removing the changelog.\n",
+ slapi_sdn_get_dn(replica_get_root(r)));
+- cl5DeleteDBSync(mtnode_ext->replica);
++ cl5DeleteDBSync(repl_obj);
+ replica_delete_by_name(replica_get_name(r));
+- object_release(mtnode_ext->replica);
+- mtnode_ext->replica = NULL;
+ }
+
+ PR_Unlock(s_configLock);
+--
+2.26.2
+
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index d718cc4..40aa433 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@@ -39,7 +39,7 @@
Summary: 389 Directory Server (%{variant})
Name: 389-ds-base
Version: 1.3.10.1
-Release: %{?relprefix}9%{?prerel}%{?dist}
+Release: %{?relprefix}14%{?prerel}%{?dist}
License: GPLv3+
URL: https://www.port389.org/
Group: System Environment/Daemons
@@ -169,6 +169,10 @@ Patch20: 0020-Ticket-50857-Memory-leak-in-ACI-using-IP-subject.patch
Patch21: 0021-Ticket-50709-cont-Several-memory-leaks-reported-by-V.patch
Patch22: 0022-fix-for-50542-crashes-in-filter-tests.patch
Patch23: 0023-Ticket-49623-cont-cenotaph-errors-on-modrdn-operatio.patch
+Patch24: 0024-Ticket-50905-intermittent-SSL-hang-with-rhds.patch
+# Patch25: 0025-Issue-50940-Permissions-of-some-shipped-directories-.patch
+Patch26: 0026-Ticket-51068-deadlock-when-updating-the-schema.patch
+Patch27: 0027-Issue-50745-ns-slapd-hangs-during-CleanAllRUV-tests.patch
%description
389 Directory Server is an LDAPv3 compliant server. The base package includes
@@ -308,7 +312,7 @@ popd
sed -i -e 's|#{{PERL-EXEC}}|#!/usr/bin/perl|' $RPM_BUILD_ROOT%{_datadir}/%{pkgname}/script-templates/template-*.pl
# exclude 32-bit platforms from running tests
-%if %{_arch} != "s390x" && %{_arch} != "s390" && %{_arch} != "i386" && %{_arch} != "ppc"
+%if %{_arch} == "x86_64"
%check
# This checks the code, if it fails it prints why, then re-raises the fail to shortcircuit the rpm build.
if ! make DESTDIR="$RPM_BUILD_ROOT" check; then cat ./test-suite.log && false; fi
@@ -521,6 +525,27 @@ fi
%{_sysconfdir}/%{pkgname}/dirsrvtests
%changelog
+* Mon Jun 15 2020 Mark Reynolds <mreynolds@redhat.com> - 1.3.10.1-14
+- Bump version to 1.3.10.1-14
+- Resolves: Bug 1814603 - revert patch as it conflicts with 389-admin package
+
+* Thu Jun 4 2020 Mark Reynolds <mreynolds@redhat.com> - 1.3.10.1-13
+- Bump version to 1.3.10.1-13
+- Resolves: Bug 1842469 - ns-slapd hangs during CleanAllRUV tests
+
+* Fri May 29 2020 Mark Reynolds <mreynolds@redhat.com> - 1.3.10.1-12
+- Bump version to 1.3.10.1-12
+- Resolves: Bug 1814603 - 389-base-ds expected file permissions
+
+* Fri May 29 2020 Mark Reynolds <mreynolds@redhat.com> - 1.3.10.1-11
+- Bump version to 1.3.10.1-11
+- Resolves: Bug 1839173 - ipa ns-slapd 3 threads deadlock, db pages, state_change lock, write vattr lock
+
+* Tue May 19 2020 Mark Reynolds <mreynolds@redhat.com> - 1.3.10.1-10
+- Bump version to 1.3.10.1-10
+- Resolves: Bug 1814603 - 389-base-ds expected file permissions in package don't match final runtime permissions
+- Resolves: Bug 1836171 - intermittent SSL hang with rhds
+
* Mon Apr 6 2020 Mark Reynolds <mreynolds@redhat.com> - 1.3.10.1-9
- Bump version to 1.3.10.1-9
- Resolves: Bug 1817933 - cenotaph errors on modrdn operations