diff --git a/SOURCES/0042-Ticket-50736-RetroCL-trimming-may-crash-at-shutdown-.patch b/SOURCES/0042-Ticket-50736-RetroCL-trimming-may-crash-at-shutdown-.patch
new file mode 100644
index 0000000..b0bc6a8
--- /dev/null
+++ b/SOURCES/0042-Ticket-50736-RetroCL-trimming-may-crash-at-shutdown-.patch
@@ -0,0 +1,263 @@
+From 9a8ee0954699da05501ded2900a834584346ef85 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz <tbordaz@redhat.com>
+Date: Mon, 25 Nov 2019 10:59:44 +0100
+Subject: [PATCH] Ticket 50736 - RetroCL trimming may crash at shutdown if
+ trimming configuration is invalid
+
+Bug Description:
+	If config of retroCL trimming contains invalid value for trim-interval
+        and/or maxage, then the trimming initialization is skipped.
+        In such case the trimming structures are not allocated and if they
+        are freed at shutdown it triggers a crash
+
+Fix Description:
+        When trimming mechanism is stopped (at shutdown) check that
+        it was successfully initialized before freeing the structs
+
+https://pagure.io/389-ds-base/issue/50736
+
+Reviewed by: Mark Reynolds
+
+Platforms tested: F30
+
+Flag Day: no
+
+Doc impact: no
+---
+ .../suites/replication/changelog_test.py      | 185 ++++++++++++++++++
+ ldap/servers/plugins/retrocl/retrocl_trim.c   |  17 +-
+ 2 files changed, 196 insertions(+), 6 deletions(-)
+
+diff --git a/dirsrvtests/tests/suites/replication/changelog_test.py b/dirsrvtests/tests/suites/replication/changelog_test.py
+index 0b6b886f3..0d3e85bb2 100755
+--- a/dirsrvtests/tests/suites/replication/changelog_test.py
++++ b/dirsrvtests/tests/suites/replication/changelog_test.py
+@@ -16,6 +16,12 @@ from lib389.replica import Replicas
+ from lib389.idm.user import UserAccounts
+ from lib389.topologies import topology_m2 as topo
+ from lib389._constants import *
++from lib389.plugins import RetroChangelogPlugin
++from lib389.dseldif import DSEldif
++from lib389.tasks import *
++from lib389.utils import *
++
++pytestmark = pytest.mark.tier1
+ 
+ TEST_ENTRY_NAME = 'replusr'
+ NEW_RDN_NAME = 'cl5usr'
+@@ -235,6 +241,185 @@ def test_verify_changelog_offline_backup(topo):
+     _check_changelog_ldif(topo, changelog_ldif)
+ 
+ 
++@pytest.mark.ds47669
++def test_changelog_maxage(topo, changelog_init):
++    """Check nsslapd-changelog max age values
++
++    :id: d284ff27-03b2-412c-ac74-ac4f2d2fae3b
++    :setup: Replication with two master, change nsslapd-changelogdir to
++    '/var/lib/dirsrv/slapd-master1/changelog' and
++    set cn=Retro Changelog Plugin,cn=plugins,cn=config to 'on'
++    :steps:
++        1. Set nsslapd-changelogmaxage in cn=changelog5,cn=config to values - '12345','10s','30M','12h','2D','4w'
++        2. Set nsslapd-changelogmaxage in cn=changelog5,cn=config to values - '-123','xyz'
++
++    :expectedresults:
++        1. Operation should be successful
++        2. Operation should be unsuccessful
++     """
++    log.info('1. Test nsslapd-changelogmaxage in cn=changelog5,cn=config')
++
++    # bind as directory manager
++    topo.ms["master1"].log.info("Bind as %s" % DN_DM)
++    topo.ms["master1"].simple_bind_s(DN_DM, PASSWORD)
++
++    add_and_check(topo, CHANGELOG, MAXAGE, '12345', True)
++    add_and_check(topo, CHANGELOG, MAXAGE, '10s', True)
++    add_and_check(topo, CHANGELOG, MAXAGE, '30M', True)
++    add_and_check(topo, CHANGELOG, MAXAGE, '12h', True)
++    add_and_check(topo, CHANGELOG, MAXAGE, '2D', True)
++    add_and_check(topo, CHANGELOG, MAXAGE, '4w', True)
++    add_and_check(topo, CHANGELOG, MAXAGE, '-123', False)
++    add_and_check(topo, CHANGELOG, MAXAGE, 'xyz', False)
++
++
++@pytest.mark.ds47669
++def test_ticket47669_changelog_triminterval(topo, changelog_init):
++    """Check nsslapd-changelog triminterval values
++
++    :id: 8f850c37-7e7c-49dd-a4e0-9344638616d6
++    :setup: Replication with two master, change nsslapd-changelogdir to
++    '/var/lib/dirsrv/slapd-master1/changelog' and
++    set cn=Retro Changelog Plugin,cn=plugins,cn=config to 'on'
++    :steps:
++        1. Set nsslapd-changelogtrim-interval in cn=changelog5,cn=config to values -
++           '12345','10s','30M','12h','2D','4w'
++        2. Set nsslapd-changelogtrim-interval in cn=changelog5,cn=config to values - '-123','xyz'
++
++    :expectedresults:
++        1. Operation should be successful
++        2. Operation should be unsuccessful
++     """
++    log.info('2. Test nsslapd-changelogtrim-interval in cn=changelog5,cn=config')
++
++    # bind as directory manager
++    topo.ms["master1"].log.info("Bind as %s" % DN_DM)
++    topo.ms["master1"].simple_bind_s(DN_DM, PASSWORD)
++
++    add_and_check(topo, CHANGELOG, TRIMINTERVAL, '12345', True)
++    add_and_check(topo, CHANGELOG, TRIMINTERVAL, '10s', True)
++    add_and_check(topo, CHANGELOG, TRIMINTERVAL, '30M', True)
++    add_and_check(topo, CHANGELOG, TRIMINTERVAL, '12h', True)
++    add_and_check(topo, CHANGELOG, TRIMINTERVAL, '2D', True)
++    add_and_check(topo, CHANGELOG, TRIMINTERVAL, '4w', True)
++    add_and_check(topo, CHANGELOG, TRIMINTERVAL, '-123', False)
++    add_and_check(topo, CHANGELOG, TRIMINTERVAL, 'xyz', False)
++
++
++@pytest.mark.ds47669
++def test_changelog_compactdbinterval(topo, changelog_init):
++    """Check nsslapd-changelog compactdbinterval values
++
++    :id: 0f4b3118-9dfa-4c2a-945c-72847b42a48c
++    :setup: Replication with two master, change nsslapd-changelogdir to
++    '/var/lib/dirsrv/slapd-master1/changelog' and
++    set cn=Retro Changelog Plugin,cn=plugins,cn=config to 'on'
++    :steps:
++        1. Set nsslapd-changelogcompactdb-interval in cn=changelog5,cn=config to values -
++           '12345','10s','30M','12h','2D','4w'
++        2. Set nsslapd-changelogcompactdb-interval in cn=changelog5,cn=config to values -
++           '-123','xyz'
++
++    :expectedresults:
++        1. Operation should be successful
++        2. Operation should be unsuccessful
++     """
++    log.info('3. Test nsslapd-changelogcompactdb-interval in cn=changelog5,cn=config')
++
++    # bind as directory manager
++    topo.ms["master1"].log.info("Bind as %s" % DN_DM)
++    topo.ms["master1"].simple_bind_s(DN_DM, PASSWORD)
++
++    add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '12345', True)
++    add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '10s', True)
++    add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '30M', True)
++    add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '12h', True)
++    add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '2D', True)
++    add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '4w', True)
++    add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '-123', False)
++    add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, 'xyz', False)
++
++
++@pytest.mark.ds47669
++def test_retrochangelog_maxage(topo, changelog_init):
++    """Check nsslapd-retrochangelog max age values
++
++    :id: 0cb84d81-3e86-4dbf-84a2-66aefd8281db
++    :setup: Replication with two master, change nsslapd-changelogdir to
++    '/var/lib/dirsrv/slapd-master1/changelog' and
++    set cn=Retro Changelog Plugin,cn=plugins,cn=config to 'on'
++    :steps:
++        1. Set nsslapd-changelogmaxage in cn=Retro Changelog Plugin,cn=plugins,cn=config to values -
++           '12345','10s','30M','12h','2D','4w'
++        2. Set nsslapd-changelogmaxage in cn=Retro Changelog Plugin,cn=plugins,cn=config to values -
++           '-123','xyz'
++
++    :expectedresults:
++        1. Operation should be successful
++        2. Operation should be unsuccessful
++     """
++    log.info('4. Test nsslapd-changelogmaxage in cn=Retro Changelog Plugin,cn=plugins,cn=config')
++
++    # bind as directory manager
++    topo.ms["master1"].log.info("Bind as %s" % DN_DM)
++    topo.ms["master1"].simple_bind_s(DN_DM, PASSWORD)
++
++    add_and_check(topo, RETROCHANGELOG, MAXAGE, '12345', True)
++    add_and_check(topo, RETROCHANGELOG, MAXAGE, '10s', True)
++    add_and_check(topo, RETROCHANGELOG, MAXAGE, '30M', True)
++    add_and_check(topo, RETROCHANGELOG, MAXAGE, '12h', True)
++    add_and_check(topo, RETROCHANGELOG, MAXAGE, '2D', True)
++    add_and_check(topo, RETROCHANGELOG, MAXAGE, '4w', True)
++    add_and_check(topo, RETROCHANGELOG, MAXAGE, '-123', False)
++    add_and_check(topo, RETROCHANGELOG, MAXAGE, 'xyz', False)
++
++    topo.ms["master1"].log.info("ticket47669 was successfully verified.")
++
++@pytest.mark.ds50736
++def test_retrochangelog_trimming_crash(topo, changelog_init):
++    """Check that when retroCL nsslapd-retrocthangelog contains invalid
++    value, then the instance does not crash at shutdown
++
++    :id: 5d9bd7ca-e9bf-4be9-8fc8-902aa5513052
++    :setup: Replication with two master, change nsslapd-changelogdir to
++    '/var/lib/dirsrv/slapd-master1/changelog' and
++    set cn=Retro Changelog Plugin,cn=plugins,cn=config to 'on'
++    :steps:
++        1. Set nsslapd-changelogmaxage in cn=Retro Changelog Plugin,cn=plugins,cn=config to value '-1'
++           This value is invalid. To disable retroCL trimming it should be set to 0
++        2. Do several restart
++        3. check there is no 'Detected Disorderly Shutdown' message (crash)
++        4. restore valid value for nsslapd-changelogmaxage '1w'
++
++    :expectedresults:
++        1. Operation should be successful
++        2. Operation should be successful
++        3. Operation should be successful
++        4. Operation should be successful
++     """
++    log.info('1. Test retroCL trimming crash in cn=Retro Changelog Plugin,cn=plugins,cn=config')
++
++    # set the nsslapd-changelogmaxage directly on dse.ldif
++    # because the set value is invalid
++    topo.ms["master1"].log.info("ticket50736 start verification")
++    topo.ms["master1"].stop()
++    retroPlugin = RetroChangelogPlugin(topo.ms["master1"])
++    dse_ldif = DSEldif(topo.ms["master1"])
++    dse_ldif.replace(retroPlugin.dn, 'nsslapd-changelogmaxage', '-1')
++    topo.ms["master1"].start()
++
++    # The crash should be systematic, but just in case do several restart
++    # with a delay to let all plugin init
++    for i in range(5):
++        time.sleep(1)
++        topo.ms["master1"].stop()
++        topo.ms["master1"].start()
++
++    assert not topo.ms["master1"].detectDisorderlyShutdown()
++
++    topo.ms["master1"].log.info("ticket 50736 was successfully verified.")
++
++
+ if __name__ == '__main__':
+     # Run isolated
+     # -s for DEBUG mode
+diff --git a/ldap/servers/plugins/retrocl/retrocl_trim.c b/ldap/servers/plugins/retrocl/retrocl_trim.c
+index a46534984..0378eb7f6 100644
+--- a/ldap/servers/plugins/retrocl/retrocl_trim.c
++++ b/ldap/servers/plugins/retrocl/retrocl_trim.c
+@@ -481,11 +481,16 @@ retrocl_init_trimming(void)
+ void
+ retrocl_stop_trimming(void)
+ {
+-    retrocl_trimming = 0;
+-    if (retrocl_trim_ctx) {
+-        slapi_eq_cancel(retrocl_trim_ctx);
+-        retrocl_trim_ctx = NULL;
++    if (retrocl_trimming) {
++        /* RetroCL trimming config was valid and trimming struct allocated
++         * Let's free them
++         */
++        retrocl_trimming = 0;
++        if (retrocl_trim_ctx) {
++            slapi_eq_cancel(retrocl_trim_ctx);
++            retrocl_trim_ctx = NULL;
++        }
++        PR_DestroyLock(ts.ts_s_trim_mutex);
++        ts.ts_s_trim_mutex = NULL;
+     }
+-    PR_DestroyLock(ts.ts_s_trim_mutex);
+-    ts.ts_s_trim_mutex = NULL;
+ }
+-- 
+2.21.1
+
diff --git a/SOURCES/0043-Issue-50529-LDAP-server-returning-PWP-controls-in-di.patch b/SOURCES/0043-Issue-50529-LDAP-server-returning-PWP-controls-in-di.patch
new file mode 100644
index 0000000..0eeb397
--- /dev/null
+++ b/SOURCES/0043-Issue-50529-LDAP-server-returning-PWP-controls-in-di.patch
@@ -0,0 +1,37 @@
+From 37449e509f4a4253bacea57adf6c1d860eaaf1bb Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Fri, 2 Aug 2019 12:07:07 -0400
+Subject: [PATCH] Issue 50529 -  LDAP server returning PWP controls in
+ different sequence
+
+Description:  The server returns password policy controls in different orders
+              depending on the state of grace logins.  The requested control,
+              if any, should be returned first, followed by any controls the
+              server might add.
+
+relates: https://pagure.io/389-ds-base/issue/50529
+
+Reviewed by: mreynolds (one line commit rule)
+---
+ ldap/servers/slapd/pw_mgmt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
+index befac50cd..ca76fc12f 100644
+--- a/ldap/servers/slapd/pw_mgmt.c
++++ b/ldap/servers/slapd/pw_mgmt.c
+@@ -207,10 +207,10 @@ skip:
+ 
+         /* password expired and user exceeded limit of grace attemps.
+          * Send result and also the control */
+-        slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
+         if (pwresponse_req) {
+             slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_PWDEXPIRED);
+         }
++        slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
+         slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL,
+                                "password expired!", 0, NULL);
+ 
+-- 
+2.21.1
+
diff --git a/SOURCES/0044-Issue-50572-After-running-cl-dump-dbdir-cldb-ldif.do.patch b/SOURCES/0044-Issue-50572-After-running-cl-dump-dbdir-cldb-ldif.do.patch
new file mode 100644
index 0000000..4441022
--- /dev/null
+++ b/SOURCES/0044-Issue-50572-After-running-cl-dump-dbdir-cldb-ldif.do.patch
@@ -0,0 +1,153 @@
+From c0f3b0c3c95aad6b67a80643bbf389acf7aa191d Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <spichugi@redhat.com>
+Date: Thu, 29 Aug 2019 15:51:56 +0200
+Subject: [PATCH] Issue 50572 - After running cl-dump dbdir/cldb/*ldif.done are
+ not deleted
+
+Description: By default, remove ldif.done files after running cl-dump.
+Add an option '-l' which allows keep the files.
+Update man files.
+
+https://pagure.io/389-ds-base/issue/50572
+
+Reviewed by: firstyear, mreynolds (Thanks!)
+---
+ ldap/admin/src/scripts/cl-dump.pl | 23 +++++++++++++++--------
+ man/man1/cl-dump.1                | 11 +++++++----
+ 2 files changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/ldap/admin/src/scripts/cl-dump.pl b/ldap/admin/src/scripts/cl-dump.pl
+index f4ad5dd33..2e7f20413 100755
+--- a/ldap/admin/src/scripts/cl-dump.pl
++++ b/ldap/admin/src/scripts/cl-dump.pl
+@@ -5,7 +5,7 @@
+ # All rights reserved.
+ #
+ # License: GPL (version 3 or any later version).
+-# See LICENSE for details. 
++# See LICENSE for details.
+ # END COPYRIGHT BLOCK
+ ###################################################################################
+ #
+@@ -13,7 +13,7 @@
+ #
+ # SYNOPSIS:
+ #  cl-dump.pl [-h host] [-p port] [-D bind-dn] -w bind-password | -P bind-cert
+-#       [-r replica-roots] [-o output-file] [-c] [-v]
++#       [-r replica-roots] [-o output-file] [-c] [-l] [-v]
+ #
+ #  cl-dump.pl -i changelog-ldif-file-with-base64encoding [-o output-file] [-c]
+ #
+@@ -22,7 +22,7 @@
+ #
+ # OPTIONS:
+ #    -c Dump and interpret CSN only. This option can be used with or
+-#       without -i option. 
++#       without -i option.
+ #
+ #    -D bind-dn
+ #       Directory server's bind DN. Default to "cn=Directory Manager" if
+@@ -32,6 +32,8 @@
+ #       Directory server's host. Default to the server where the script
+ #       is running.
+ #
++#    -l Preserve generated ldif.done files from changelogdir
++#
+ #    -i changelog-ldif-file-with-base64encoding
+ #       If you already have a ldif-like changelog, but the changes
+ #       in that file are encoded, you may use this option to
+@@ -68,7 +70,7 @@
+ # all of this nonsense can be omitted if the mozldapsdk and perldap are
+ # installed in the operating system locations (e.g. /usr/lib /usr/lib/perl5)
+ 
+-$usage="Usage: $0 [-h host] [-p port] [-D bind-dn] [-w bind-password | -P bind-cert] [-r replica-roots] [-o output-file] [-c] [-v]\n\n       $0 -i changelog-ldif-file-with-base64encoding [-o output-file] [-c]\n";
++$usage="Usage: $0 [-h host] [-p port] [-D bind-dn] [-w bind-password | -P bind-cert] [-r replica-roots] [-o output-file] [-c] [-l] [-v]\n\n       $0 -i changelog-ldif-file-with-base64encoding [-o output-file] [-c]\n";
+ 
+ use Getopt::Std;			# Parse command line arguments
+ use Mozilla::LDAP::Conn;		# LDAP module for Perl
+@@ -86,7 +88,7 @@ $version = "Directory Server Changelog Dump - Version 1.0";
+ 	$| = 1;
+ 
+ 	# Check for legal options
+-	if (!getopts('h:p:D:w:P:r:o:cvi:')) {
++	if (!getopts('h:p:D:w:P:r:o:clvi:')) {
+ 		print $usage;
+ 		exit -1;
+ 	}
+@@ -123,7 +125,7 @@ sub validateArgs
+ 	if ($opt_o && ! open (OUTPUT, ">$opt_o")) {
+ 		print "Can't create output file $opt_o\n";
+ 		$rc = -1;
+-	} 
++	}
+ 	# Open STDOUT if option -o is missing
+ 	open (OUTPUT, ">-") if !$opt_o;
+ 
+@@ -194,10 +196,15 @@ sub cl_dump_and_decode
+ 			else {
+ 				&cl_decode ($_);
+ 			}
+-			# Test op -M doesn't work well so we use rename
++			# Test op -M doesn't work well so we use rename/remove
+ 			# here to avoid reading the same ldif file more
+ 			# than once.
+-			rename ($ldif, "$ldif.done");
++			if ($opt_l) {
++				rename ($ldif, "$ldif.done");
++			} else {
++				# Remove the file - default behaviou when '-l' is not specified
++				unlink ($ldif)
++			}
+ 		}
+ 		&print_header ($replica, "Not Found") if !$gotldif;
+ 	}
+diff --git a/man/man1/cl-dump.1 b/man/man1/cl-dump.1
+index db736aca9..fbb836a72 100644
+--- a/man/man1/cl-dump.1
++++ b/man/man1/cl-dump.1
+@@ -20,7 +20,7 @@ cl-dump \- Dump and decode Directory Server replication change log
+ .SH SYNOPSIS
+ .B cl\-dump
+ [\fI\-h host\fR] [\fI\-p port\fR] [\fI\-D bind\(hydn\fR] \-w bind\(hypassword | \-P bind\(hycert
+-       [\fI\-r replica\(hyroots\fR] [\fI\-o output\(hyfile\fR] [\fI\-c\fR] [\fI\-v\fR]
++       [\fI\-r replica\(hyroots\fR] [\fI\-o output\(hyfile\fR] [\fI\-c\fR] [\fI\-l\fR] [\fI\-v\fR]
+ 
+ .PP
+ .B cl\-dump
+@@ -30,12 +30,12 @@ cl-dump \- Dump and decode Directory Server replication change log
+ Dump and decode Directory Server replication change log
+ .PP
+ .\" TeX users may be more comfortable with the \fB<whatever>\fP and
+-.\" \fI<whatever>\fP escape sequences to invode bold face and italics, 
++.\" \fI<whatever>\fP escape sequences to invode bold face and italics,
+ .\" respectively.
+ .SH OPTIONS
+ A summary of options is included below.
+ .TP
+-.B \-c 
++.B \-c
+ Dump and interpret CSN only. This option can be used with or
+ without \-i option.
+ .TP
+@@ -47,6 +47,9 @@ the option is omitted.
+ Directory server's host. Default to the server where the script
+ is running.
+ .TP
++.B \-l
++Preserve generated ldif.done files from changelogdir
++.TP
+ .B \-i changelog\(hyldif\(hyfile\(hywith\(hybase64encoding
+ If you already have a ldif-like changelog, but the changes
+ in that file are encoded, you may use this option to
+@@ -66,7 +69,7 @@ Specify replica roots whose changelog you want to dump. The replica
+ roots may be separated by comma. All the replica roots would be
+ dumped if the option is omitted.
+ .TP
+-.B \-v 
++.B \-v
+ Print the version of this script.
+ .TP
+ .B \-w bind\(hypassword
+-- 
+2.21.1
+
diff --git a/SOURCES/0045-Issue-50655-access-log-etime-is-not-properly-formatt.patch b/SOURCES/0045-Issue-50655-access-log-etime-is-not-properly-formatt.patch
new file mode 100644
index 0000000..975ce26
--- /dev/null
+++ b/SOURCES/0045-Issue-50655-access-log-etime-is-not-properly-formatt.patch
@@ -0,0 +1,32 @@
+From c8977a03f2c65978ad7977030d55bc830bc1f852 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Wed, 16 Oct 2019 16:52:59 -0400
+Subject: [PATCH] Issue 50655 - access log etime is not properly formatted
+
+Description:  The wrong printf format was used for displaying the nanosecond etime
+              in the access log.
+
+relates: https://pagure.io/389-ds-base/issue/50655
+
+Reviewed by: firstyear(Thanks!)
+---
+ ldap/servers/slapd/result.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c
+index d9f431cc5..393b3f6cd 100644
+--- a/ldap/servers/slapd/result.c
++++ b/ldap/servers/slapd/result.c
+@@ -1920,7 +1920,8 @@ log_result(Slapi_PBlock *pb, Operation *op, int err, ber_tag_t tag, int nentries
+     struct timespec o_hr_time_end;
+     slapi_operation_time_elapsed(op, &o_hr_time_end);
+ 
+-    snprintf(etime, ETIME_BUFSIZ, "%" PRId64 ".%010" PRId64 "", (int64_t)o_hr_time_end.tv_sec, (int64_t)o_hr_time_end.tv_nsec);
++
++    snprintf(etime, ETIME_BUFSIZ, "%" PRId64 ".%.09" PRId64 "", (int64_t)o_hr_time_end.tv_sec, (int64_t)o_hr_time_end.tv_nsec);
+ 
+     slapi_pblock_get(pb, SLAPI_OPERATION_NOTES, &operation_notes);
+ 
+-- 
+2.21.1
+
diff --git a/SOURCES/0046-Issue-50834-Incorrectly-setting-the-NSS-default-SSL-.patch b/SOURCES/0046-Issue-50834-Incorrectly-setting-the-NSS-default-SSL-.patch
new file mode 100644
index 0000000..27b3324
--- /dev/null
+++ b/SOURCES/0046-Issue-50834-Incorrectly-setting-the-NSS-default-SSL-.patch
@@ -0,0 +1,35 @@
+From 5c4e9f2017ba6c0415fe8352587db61dd9451ee4 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Mon, 20 Jan 2020 13:16:36 -0500
+Subject: [PATCH] Issue 50834 - Incorrectly setting the NSS default SSL version
+ max
+
+Description:  We've been using the wrong function to get the NSS max
+              version We were calling SSL_VersionRangeGetSupported()
+              which gets the versions NSS "can" handle, but
+              SSL_VersionRangeGetDefault() gets the versions that
+              are actually "enabled".
+
+relates: https://pagure.io/389-ds-base/issue/50834
+
+Reviewed by: mreynolds(one line commit rule)
+---
+ ldap/servers/slapd/ssl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
+index ed054db44..c71e3019b 100644
+--- a/ldap/servers/slapd/ssl.c
++++ b/ldap/servers/slapd/ssl.c
+@@ -1164,7 +1164,7 @@ slapd_nss_init(int init_ssl __attribute__((unused)), int config_available __attr
+     char *certdir;
+     char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
+     /* Get the range of the supported SSL version */
+-    SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
++    SSL_VersionRangeGetDefault(ssl_variant_stream, &enabledNSSVersions);
+ 
+     (void)slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
+     (void)slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
+-- 
+2.21.1
+
diff --git a/SOURCES/0047-Ticket-50428-Log-the-actual-base-DN-when-the-search-.patch b/SOURCES/0047-Ticket-50428-Log-the-actual-base-DN-when-the-search-.patch
new file mode 100644
index 0000000..90f1370
--- /dev/null
+++ b/SOURCES/0047-Ticket-50428-Log-the-actual-base-DN-when-the-search-.patch
@@ -0,0 +1,43 @@
+From 572ed29e447141f532f2d84f9ea78c48308ad684 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz <tbordaz@redhat.com>
+Date: Fri, 7 Jun 2019 11:35:46 +0200
+Subject: [PATCH] Ticket 50428 - Log the actual base DN when the search fails
+ with "invalid attribute request"
+
+Bug Description:
+	When a search request contains invalid parameters (attribute list with empty attribute
+	name, unknown scope, invalid filter..) the search is rejected but the access log
+	contains a wrong base search: ... SRCH base="(null)"...
+	This is because it does not use for logging the variable that gather the actual base ('rawbase')
+
+Fix Description:
+	Use 'rawbase' value for logging
+
+https://pagure.io/389-ds-base/issue/50428
+
+Reviewed by: Mark Reynolds
+
+Platforms tested: F28
+
+Flag Day: no
+
+Doc impact: no
+---
+ ldap/servers/slapd/search.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
+index 7e253f535..2a9979552 100644
+--- a/ldap/servers/slapd/search.c
++++ b/ldap/servers/slapd/search.c
+@@ -154,6 +154,7 @@ do_search(Slapi_PBlock *pb)
+             goto free_and_return;
+         }
+     }
++    base = rawbase;
+ 
+     /*
+      * ignore negative time and size limits since they make no sense
+-- 
+2.21.1
+
diff --git a/SOURCES/0048-Issue-50530-Directory-Server-not-RFC-4511-compliant-.patch b/SOURCES/0048-Issue-50530-Directory-Server-not-RFC-4511-compliant-.patch
new file mode 100644
index 0000000..3836923
--- /dev/null
+++ b/SOURCES/0048-Issue-50530-Directory-Server-not-RFC-4511-compliant-.patch
@@ -0,0 +1,146 @@
+From c629c7ffe35bb2a09ad4dfa60d56fb01a51915d0 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Fri, 2 Aug 2019 14:36:24 -0400
+Subject: [PATCH] Issue 50530 - Directory Server not RFC 4511 compliant with
+ requested attr "1.1"
+
+Bug Description:  A regression was introduced some time back that changed the
+                  behavior of how the server handled the "1.1" requested attribute
+                  in a search request.  If "1.1" was requested along with other
+                  attributes then no attibutes were returned, but in this case "1.1"
+                  is expected to be ignroed.
+
+Fix Description:  Only comply with "1.1" if it is the only requested attribute
+
+relates: https://pagure.io/389-ds-base/issue/50530
+
+Reviewed by: firstyear(Thanks!)
+---
+ dirsrvtests/tests/suites/basic/basic_test.py | 57 +++++++++++++++++---
+ ldap/servers/slapd/result.c                  |  7 ++-
+ 2 files changed, 57 insertions(+), 7 deletions(-)
+
+diff --git a/dirsrvtests/tests/suites/basic/basic_test.py b/dirsrvtests/tests/suites/basic/basic_test.py
+index 0f7536b63..cea4f6bfe 100644
+--- a/dirsrvtests/tests/suites/basic/basic_test.py
++++ b/dirsrvtests/tests/suites/basic/basic_test.py
+@@ -28,6 +28,7 @@ log = logging.getLogger(__name__)
+ USER1_DN = 'uid=user1,' + DEFAULT_SUFFIX
+ USER2_DN = 'uid=user2,' + DEFAULT_SUFFIX
+ USER3_DN = 'uid=user3,' + DEFAULT_SUFFIX
++USER4_DN = 'uid=user4,' + DEFAULT_SUFFIX
+ 
+ ROOTDSE_DEF_ATTR_LIST = ('namingContexts',
+                          'supportedLDAPVersion',
+@@ -409,8 +410,8 @@ def test_basic_acl(topology_st, import_example_ldif):
+                                              'uid': 'user1',
+                                              'userpassword': PASSWORD})))
+     except ldap.LDAPError as e:
+-        log.fatal('test_basic_acl: Failed to add test user ' + USER1_DN
+-                  + ': error ' + e.message['desc'])
++        log.fatal('test_basic_acl: Failed to add test user ' + USER1_DN +
++                  ': error ' + e.message['desc'])
+         assert False
+ 
+     try:
+@@ -421,8 +422,8 @@ def test_basic_acl(topology_st, import_example_ldif):
+                                              'uid': 'user2',
+                                              'userpassword': PASSWORD})))
+     except ldap.LDAPError as e:
+-        log.fatal('test_basic_acl: Failed to add test user ' + USER1_DN
+-                  + ': error ' + e.message['desc'])
++        log.fatal('test_basic_acl: Failed to add test user ' + USER1_DN +
++                  ': error ' + e.message['desc'])
+         assert False
+ 
+     #
+@@ -572,6 +573,50 @@ def test_basic_searches(topology_st, import_example_ldif):
+     log.info('test_basic_searches: PASSED')
+ 
+ 
++@pytest.fixture(scope="module")
++def add_test_entry(topology_st, request):
++    # Add test entry
++    topology_st.standalone.add_s(Entry((USER4_DN,
++                                        {'objectclass': "top extensibleObject".split(),
++                                         'cn': 'user1', 'uid': 'user1'})))
++
++
++search_params = [(['1.1'], 'cn', False),
++                 (['1.1', 'cn'], 'cn', True),
++                 (['+'], 'nsUniqueId', True),
++                 (['*'], 'cn', True),
++                 (['cn'], 'cn', True)]
++@pytest.mark.parametrize("attrs, attr, present", search_params)
++def test_search_req_attrs(topology_st, add_test_entry, attrs, attr, present):
++    """Test requested attributes in search operations.
++    :id: 426a59ff-49b8-4a70-b377-0c0634a29b6e
++    :setup: Standalone instance
++    :steps:
++         1. Test "1.1" does not return any attributes.
++         2. Test "1.1" is ignored if there are other requested attributes
++         3. Test "+" returns all operational attributes
++         4. Test "*" returns all attributes
++         5. Test requested attributes
++
++    :expectedresults:
++         1. Success
++         2. Success
++         3. Success
++         4. Success
++         5. Success
++    """
++
++    log.info("Testing attrs: {} attr: {} present: {}".format(attrs, attr, present))
++    entry = topology_st.standalone.search_s(USER4_DN,
++                                            ldap.SCOPE_BASE,
++                                            'objectclass=top',
++                                            attrs)
++    if present:
++        assert entry[0].hasAttr(attr)
++    else:
++        assert not entry[0].hasAttr(attr)
++
++
+ def test_basic_referrals(topology_st, import_example_ldif):
+     """Test LDAP server in referral mode.
+ 
+@@ -716,8 +761,8 @@ def test_basic_systemctl(topology_st, import_example_ldif):
+     log.info('Attempting to start the server with broken dse.ldif...')
+     try:
+         topology_st.standalone.start()
+-    except:
+-        log.info('Server failed to start as expected')
++    except Exception as e:
++        log.info('Server failed to start as expected: ' + str(e))
+     log.info('Check the status...')
+     assert (not topology_st.standalone.status())
+     log.info('Server failed to start as expected')
+diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c
+index 393b3f6cd..61e7a70f9 100644
+--- a/ldap/servers/slapd/result.c
++++ b/ldap/servers/slapd/result.c
+@@ -1546,6 +1546,8 @@ send_ldap_search_entry_ext(
+      * "+" means all operational attributes (rfc3673)
+      * operational attributes are only retrieved if they are named
+      * specifically or when "+" is specified.
++     * In the case of "1.1", if there are other requested attributes
++     * then "1.1" should be ignored.
+      */
+ 
+     /* figure out if we want all user attributes or no attributes at all */
+@@ -1560,7 +1562,10 @@ send_ldap_search_entry_ext(
+             if (strcmp(LDAP_ALL_USER_ATTRS, attrs[i]) == 0) {
+                 alluserattrs = 1;
+             } else if (strcmp(LDAP_NO_ATTRS, attrs[i]) == 0) {
+-                noattrs = 1;
++                /* "1.1" is only valid if it's the only requested attribute */
++                if (i == 0 && attrs[1] == NULL) {
++                    noattrs = 1;
++                }
+             } else if (strcmp(LDAP_ALL_OPERATIONAL_ATTRS, attrs[i]) == 0) {
+                 alloperationalattrs = 1;
+             } else {
+-- 
+2.21.1
+
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index 59c8cef..ac72c06 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@@ -39,7 +39,7 @@
 Summary:          389 Directory Server (%{variant})
 Name:             389-ds-base
 Version:          1.3.9.1
-Release:          %{?relprefix}12%{?prerel}%{?dist}
+Release:          %{?relprefix}13%{?prerel}%{?dist}
 License:          GPLv3+
 URL:              https://www.port389.org/
 Group:            System Environment/Daemons
@@ -187,6 +187,13 @@ Patch38:          0038-Issue-49850-ldbm_get_nonleaf_ids-slow-for-databases-.patc
 Patch39:          0039-Ticket-49850-cont-fix-crash-in-ldbm_non_leaf.patch
 Patch40:          0040-Issue-50538-cleanAllRUV-task-limit-is-not-enforced-f.patch
 Patch41:          0041-Fix-cherry-pick-error-for-cleanAllRUV-issue.patch
+Patch42:          0042-Ticket-50736-RetroCL-trimming-may-crash-at-shutdown-.patch
+Patch43:          0043-Issue-50529-LDAP-server-returning-PWP-controls-in-di.patch
+Patch44:          0044-Issue-50572-After-running-cl-dump-dbdir-cldb-ldif.do.patch
+Patch45:          0045-Issue-50655-access-log-etime-is-not-properly-formatt.patch
+Patch46:          0046-Issue-50834-Incorrectly-setting-the-NSS-default-SSL-.patch
+Patch47:          0047-Ticket-50428-Log-the-actual-base-DN-when-the-search-.patch
+Patch48:          0048-Issue-50530-Directory-Server-not-RFC-4511-compliant-.patch
 
 %description
 389 Directory Server is an LDAPv3 compliant server.  The base package includes
@@ -539,6 +546,17 @@ fi
 %{_sysconfdir}/%{pkgname}/dirsrvtests
 
 %changelog
+* Wed Feb 12 2020 Mark Reynolds <mreynolds@redhat.com> - 1.3.9.1-13
+- Bump version to 1.3.9.1-13
+- Resolves: Bug 1801693 - ns-slapd is crashing while restarting ipactl
+- Resolves: Bug 1801695 - LDAP server returning controltype in different sequence
+- Resolves: Bug 1801700 - After running cl-dump dbdir/cldb/*ldif.done are not deleted
+- Resolves: Bug 1801701 - etime displayed has an order of magnitude 10 times smaller than it should be
+- Resolves: Bug 1801702 - Regression: NSS has interop problems as server when using limited cipher list
+- Resolves: Bug 1801704 - Log the actual base DN when the search fails with "invalid attribute request"
+- Resolves: Bug 1801705 - Directory Server 10 not RFC 4511 compliant
+- Resolves: Bug 1801706 - Replace error by warning in the state machine defined in repl5_inc_run
+
 * Fri Nov 1 2019 Mark Reynolds <mreynolds@redhat.com> - 1.3.9.1-12
 - Bump version to 1.3.9.1-12
 - Resolves: Bug 1767622 - CleanAllRUV task limit not enforced