diff --git a/SOURCES/0083-Ticket-49410-opened-connection-can-remain-no-longer-.patch b/SOURCES/0083-Ticket-49410-opened-connection-can-remain-no-longer-.patch
new file mode 100644
index 0000000..a94aa80
--- /dev/null
+++ b/SOURCES/0083-Ticket-49410-opened-connection-can-remain-no-longer-.patch
@@ -0,0 +1,58 @@
+From 72f541fd317321fbd0395dcaa77830aa8b5d35b6 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz <tbordaz@redhat.com>
+Date: Wed, 15 Nov 2017 16:38:28 +0100
+Subject: [PATCH] Ticket 49410 - opened connection can remain no longer poll,
+ like hanging
+
+Bug Description:
+ Some opened connection are no longer poll.
+ Those connections has 'gettingber' toggle set although there is
+ no more worker thread reading it.
+ The reason they have gettingber set is that the last
+ operation had 'persistent search' flag. With such flag
+ gettingber is not reset.
+ persistent flag is set even when no persistent search/sync_repl
+ was received on the connection.
+ The problem is that the flag is tested on the wrong operation.
+ The tested operation can be
+ - the first operation when the connection entered in turbo mode
+ - the previous operation if several ops PDUs were read on the network
+ - accessing random memory
+
+ In theory testing the flag can lead to sigsev even
+ if it never crash
+
+Fix Description:
+ The fix is to use the operation that is in the pblock
+ In such case pb_op is no longer used, so we can get rid of it.
+ In addition make pb_conn a local variable where it is used
+
+https://pagure.io/389-ds-base/issue/49410
+
+Reviewed by: Ludwig Krispenz, Mark Reynolds
+
+Platforms tested: F26
+
+Flag Day: no
+
+Doc impact: no
+---
+ ldap/servers/slapd/connection.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
+index 359b59a4d..c00c88578 100644
+--- a/ldap/servers/slapd/connection.c
++++ b/ldap/servers/slapd/connection.c
+@@ -1540,6 +1540,8 @@ connection_threadmain()
+ }
+
+ if (!thread_turbo_flag && !more_data) {
++ Connection *pb_conn = NULL;
++
+ /* If more data is left from the previous connection_read_operation,
+ we should finish the op now. Client might be thinking it's
+ done sending the request and wait for the response forever.
+--
+2.13.6
+
diff --git a/SOURCES/0084-Ticket-48118-backport-changelog-can-be-erronously-re.patch b/SOURCES/0084-Ticket-48118-backport-changelog-can-be-erronously-re.patch
new file mode 100644
index 0000000..14787e1
--- /dev/null
+++ b/SOURCES/0084-Ticket-48118-backport-changelog-can-be-erronously-re.patch
@@ -0,0 +1,237 @@
+From b0d593b001d4ef1fb19348335fb39bd45b31764c Mon Sep 17 00:00:00 2001
+From: Ludwig Krispenz <lkrispen@redhat.com>
+Date: Fri, 8 Dec 2017 14:26:06 +0100
+Subject: [PATCH] Ticket 48118 - backport - changelog can be erronously rebuilt
+ at startup
+
+---
+ ldap/servers/plugins/replication/cl5_api.c | 39 ++++++++++++++++++++++
+ ldap/servers/plugins/replication/repl5.h | 1 -
+ ldap/servers/plugins/replication/repl5_replica.c | 39 ++--------------------
+ .../plugins/replication/repl5_replica_config.c | 2 --
+ 4 files changed, 41 insertions(+), 40 deletions(-)
+
+diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
+index 5c2233f82..1ce8d081f 100644
+--- a/ldap/servers/plugins/replication/cl5_api.c
++++ b/ldap/servers/plugins/replication/cl5_api.c
+@@ -304,6 +304,8 @@ static void _cl5ReadBerval (struct berval *bv, char** buff);
+ static void _cl5WriteBerval (struct berval *bv, char** buff);
+ static int _cl5ReadBervals (struct berval ***bv, char** buff, unsigned int size);
+ static int _cl5WriteBervals (struct berval **bv, char** buff, u_int32_t *size);
++static int32_t _cl5CheckMaxRUV(CL5DBFile *file, RUV *maxruv);
++static int32_t _cl5CheckCSNinCL(const ruv_enum_data *element, void *arg);
+
+ /* replay iteration */
+ #ifdef FOR_DEBUGGING
+@@ -2885,6 +2887,36 @@ static int _cl5WriteBervals (struct berval **bv, char** buff, u_int32_t *size)
+ return CL5_SUCCESS;
+ }
+
++static int32_t
++_cl5CheckCSNinCL(const ruv_enum_data *element, void *arg)
++{
++ CL5DBFile *file = (CL5DBFile *)arg;
++ int rc = 0;
++
++ DBT key = {0}, data = {0};
++ char csnStr[CSN_STRSIZE];
++
++ /* construct the key */
++ key.data = csn_as_string(element->csn, PR_FALSE, csnStr);
++ key.size = CSN_STRSIZE;
++
++ data.flags = DB_DBT_MALLOC;
++
++ rc = file->db->get(file->db, NULL /*txn*/, &key, &data, 0);
++
++ slapi_ch_free(&(data.data));
++ return rc;
++}
++
++static int32_t
++_cl5CheckMaxRUV(CL5DBFile *file, RUV *maxruv)
++{
++ int rc = 0;
++
++ rc = ruv_enumerate_elements(maxruv, _cl5CheckCSNinCL, (void *)file);
++
++ return rc;
++}
+ /* upgrade from db33 to db41
+ * 1. Run recovery on the database environment using the DB_ENV->open method
+ * 2. Remove any Berkeley DB environment using the DB_ENV->remove method
+@@ -4248,6 +4280,13 @@ static int _cl5WriteRUV (CL5DBFile *file, PRBool purge)
+ rc = ruv_to_bervals(file->maxRUV, &vals);
+ }
+
++ if (!purge && _cl5CheckMaxRUV(file, file->maxRUV)) {
++ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name_cl,
++ "_cl5WriteRUV - changelog maxRUV not found in changelog for file %s\n",
++ file->name);
++ return CL5_DB_ERROR;
++ }
++
+ key.size = CSN_STRSIZE;
+
+ rc = _cl5WriteBervals (vals, &buff, &data.size);
+diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
+index 718f64ef1..9c4789f9e 100644
+--- a/ldap/servers/plugins/replication/repl5.h
++++ b/ldap/servers/plugins/replication/repl5.h
+@@ -620,7 +620,6 @@ Object *replica_get_for_backend (const char *be_name);
+ void replica_set_purge_delay (Replica *r, PRUint32 purge_delay);
+ void replica_set_tombstone_reap_interval (Replica *r, long interval);
+ void replica_update_ruv_consumer (Replica *r, RUV *supplier_ruv);
+-void replica_set_ruv_dirty (Replica *r);
+ Slapi_Entry *get_in_memory_ruv(Slapi_DN *suffix_sdn);
+ int replica_write_ruv (Replica *r);
+ char *replica_get_dn(Replica *r);
+diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
+index 7927ac30a..3c7281a42 100644
+--- a/ldap/servers/plugins/replication/repl5_replica.c
++++ b/ldap/servers/plugins/replication/repl5_replica.c
+@@ -46,7 +46,6 @@ struct replica {
+ char* legacy_purl; /* partial url of the legacy supplier */
+ ReplicaId repl_rid; /* replicaID */
+ Object *repl_ruv; /* replica update vector */
+- PRBool repl_ruv_dirty; /* Dirty flag for ruv */
+ CSNPL *min_csn_pl; /* Pending list for minimal CSN */
+ void *csn_pl_reg_id; /* registration assignment for csn callbacks */
+ unsigned long repl_state_flags; /* state flags */
+@@ -855,7 +854,6 @@ replica_set_ruv (Replica *r, RUV *ruv)
+ }
+
+ r->repl_ruv = object_new((void*)ruv, (FNFree)ruv_destroy);
+- r->repl_ruv_dirty = PR_TRUE;
+
+ replica_unlock(r->repl_lock);
+ }
+@@ -941,11 +939,6 @@ replica_update_ruv(Replica *r, const CSN *updated_csn, const char *replica_purl)
+ slapi_sdn_get_dn(r->repl_root),
+ csn_as_string(updated_csn, PR_FALSE, csn_str));
+ }
+- else
+- {
+- /* RUV updated - mark as dirty */
+- r->repl_ruv_dirty = PR_TRUE;
+- }
+ }
+ else
+ {
+@@ -1526,8 +1519,6 @@ replica_dump(Replica *r)
+ slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "\tupdate dn: %s\n",
+ updatedn_list? updatedn_list : "not configured");
+ slapi_ch_free_string(&updatedn_list);
+- slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "\truv: %s configured and is %sdirty\n",
+- r->repl_ruv ? "" : "not", r->repl_ruv_dirty ? "" : "not ");
+ slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "\tCSN generator: %s configured\n",
+ r->repl_csngen ? "" : "not");
+ /* JCMREPL - Dump Referrals */
+@@ -1877,7 +1868,6 @@ int replica_check_for_data_reload (Replica *r, void *arg)
+
+ ruv_force_csn_update_from_ruv(upper_bound_ruv, r_ruv,
+ "Force update of database RUV (from CL RUV) -> ", SLAPI_LOG_NOTICE);
+- replica_set_ruv_dirty(r);
+ }
+
+ } else {
+@@ -2994,12 +2984,6 @@ replica_write_ruv (Replica *r)
+
+ replica_lock(r->repl_lock);
+
+- if (!r->repl_ruv_dirty)
+- {
+- replica_unlock(r->repl_lock);
+- return rc;
+- }
+-
+ PR_ASSERT (r->repl_ruv);
+
+ ruv_to_smod ((RUV*)object_get_data(r->repl_ruv), &smod);
+@@ -3034,19 +3018,13 @@ replica_write_ruv (Replica *r)
+ /* ruv does not exist - create one */
+ replica_lock(r->repl_lock);
+
+- if (rc == LDAP_SUCCESS)
+- {
+- r->repl_ruv_dirty = PR_FALSE;
+- }
+- else if (rc == LDAP_NO_SUCH_OBJECT)
++ if (rc == LDAP_NO_SUCH_OBJECT)
+ {
+ /* this includes an internal operation - but since this only happens
+ during server startup - its ok that we have lock around it */
+ rc = _replica_configure_ruv (r, PR_TRUE);
+- if (rc == 0)
+- r->repl_ruv_dirty = PR_FALSE;
+ }
+- else /* error */
++ else if (rc != LDAP_SUCCESS) /* error */
+ {
+ slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name,
+ "replica_write_ruv - Failed to update RUV tombstone for %s; "
+@@ -3570,7 +3548,6 @@ replica_create_ruv_tombstone(Replica *r)
+
+ if (ruv_init_new(csnstr, r->repl_rid, purl, &ruv) == RUV_SUCCESS){
+ r->repl_ruv = object_new((void*)ruv, (FNFree)ruv_destroy);
+- r->repl_ruv_dirty = PR_TRUE;
+ return_value = LDAP_SUCCESS;
+ } else {
+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_create_ruv_tombstone - "
+@@ -3610,8 +3587,6 @@ replica_create_ruv_tombstone(Replica *r)
+ slapi_add_internal_pb(pb);
+ e = NULL; /* add consumes e, upon success or failure */
+ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &return_value);
+- if (return_value == LDAP_SUCCESS)
+- r->repl_ruv_dirty = PR_FALSE;
+
+ done:
+ slapi_entry_free (e);
+@@ -3930,7 +3905,6 @@ replica_strip_cleaned_rids(Replica *r)
+ ruv_get_cleaned_rids(ruv, rid);
+ while(rid[i] != 0){
+ ruv_delete_replica(ruv, rid[i]);
+- replica_set_ruv_dirty(r);
+ if (replica_write_ruv(r)) {
+ slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name,
+ "replica_strip_cleaned_rids - Failed to write RUV\n");
+@@ -4052,15 +4026,6 @@ replica_update_ruv_consumer(Replica *r, RUV *supplier_ruv)
+ }
+ }
+
+-void
+-replica_set_ruv_dirty(Replica *r)
+-{
+- PR_ASSERT(r);
+- replica_lock(r->repl_lock);
+- r->repl_ruv_dirty = PR_TRUE;
+- replica_unlock(r->repl_lock);
+-}
+-
+ PRBool
+ replica_is_state_flag_set(Replica *r, PRInt32 flag)
+ {
+diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
+index 814f1cac0..128c9423a 100644
+--- a/ldap/servers/plugins/replication/repl5_replica_config.c
++++ b/ldap/servers/plugins/replication/repl5_replica_config.c
+@@ -1034,7 +1034,6 @@ replica_config_change_type_and_id (Replica *r, const char *new_type,
+ replica_reset_csn_pl(r);
+ }
+ ruv_delete_replica(ruv, oldrid);
+- replica_set_ruv_dirty(r);
+ cl5CleanRUV(oldrid);
+ replica_set_csn_assigned(r);
+ }
+@@ -1454,7 +1453,6 @@ replica_execute_cleanruv_task (Object *r, ReplicaId rid, char *returntext /* not
+ return LDAP_UNWILLING_TO_PERFORM;
+ }
+ rc = ruv_delete_replica(local_ruv, rid);
+- replica_set_ruv_dirty(replica);
+ if (replica_write_ruv(replica)) {
+ slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "cleanAllRUV_task - Could not write RUV\n");
+ }
+--
+2.13.6
+
diff --git a/SOURCES/0085-Ticket-49495-Fix-memory-management-is-vattr.patch b/SOURCES/0085-Ticket-49495-Fix-memory-management-is-vattr.patch
new file mode 100644
index 0000000..77f8311
--- /dev/null
+++ b/SOURCES/0085-Ticket-49495-Fix-memory-management-is-vattr.patch
@@ -0,0 +1,293 @@
+From d1236b0d3917b024a252b4d6acf823a975182d3b Mon Sep 17 00:00:00 2001
+From: William Brown <firstyear@redhat.com>
+Date: Mon, 11 Dec 2017 15:48:24 +0100
+Subject: [PATCH] Ticket 49495 - Fix memory management is vattr.
+
+Bug Description: During the fix for
+https://pagure.io/389-ds-base/issue/49436 a issue was exposed
+in how registration of attributes to cos work. With the change
+to handle -> attr link, this exposed that cos treats each attribute
+and template pair as a new type for the handle. As aresult, this
+caused the sp_list to create a long linked list of M*N entries
+for each attr - template value. Obviously, this is extremely
+slow to traverse during a search!
+
+Fix Description: Undo part of the SLL next change and convert
+to reference counting. The issue remains that there is a defect
+in how cos handles attribute registration, but this can not be
+resolved without a significant rearchitecture of the code
+related to virtual attributes.
+
+https://pagure.io/389-ds-base/issue/49495
+
+Author: wibrown
+
+Review by: tbordaz, lkrispen (Thanks!)
+
+Note: includes backport of incr and decr for rc
+---
+ ldap/servers/plugins/cos/cos_cache.c | 28 ++++------
+ ldap/servers/slapd/slapi-plugin.h | 21 ++++++++
+ ldap/servers/slapd/slapi_counter.c | 30 +++++++++++
+ ldap/servers/slapd/vattr.c | 100 +++++++++++++++++++++--------------
+ 4 files changed, 122 insertions(+), 57 deletions(-)
+
+diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
+index 0e93183d2..74261af87 100644
+--- a/ldap/servers/plugins/cos/cos_cache.c
++++ b/ldap/servers/plugins/cos/cos_cache.c
+@@ -275,7 +275,7 @@ static Slapi_Mutex *start_lock;
+ static Slapi_Mutex *stop_lock;
+ static Slapi_CondVar *something_changed = NULL;
+ static Slapi_CondVar *start_cond = NULL;
+-
++static vattr_sp_handle *vattr_handle = NULL;
+
+ /*
+ cos_cache_init
+@@ -313,6 +313,15 @@ int cos_cache_init(void)
+ goto out;
+ }
+
++ if (slapi_vattrspi_register((vattr_sp_handle **)&vattr_handle,
++ cos_cache_vattr_get,
++ cos_cache_vattr_compare,
++ cos_cache_vattr_types) != 0) {
++ slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, "cos_cache_init - Cannot register as service provider\n");
++ ret = -1;
++ goto out;
++ }
++
+ /* grab the views interface */
+ if (slapi_apib_get_interface(Views_v1_0_GUID, &views_api)) {
+ /* lets be tolerant if views is disabled */
+@@ -872,22 +881,7 @@ cos_dn_defs_cb (Slapi_Entry* e, void *callback_data)
+ dnVals[valIndex]->bv_val);
+ }
+
+- /*
+- * Each SP_handle is associated to one and only one vattr.
+- * We could consider making this a single function rather
+- * than the double-call.
+- */
+-
+- vattr_sp_handle *vattr_handle = NULL;
+-
+- if (slapi_vattrspi_register((vattr_sp_handle **)&vattr_handle,
+- cos_cache_vattr_get,
+- cos_cache_vattr_compare,
+- cos_cache_vattr_types) != 0) {
+- slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, "cos_cache_init - Cannot register as service provider for %s\n", dnVals[valIndex]->bv_val);
+- } else {
+- slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle, dnVals[valIndex]->bv_val, NULL, NULL);
+- }
++ slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle, dnVals[valIndex]->bv_val, NULL, NULL);
+
+ } /* if(attrType is cosAttribute) */
+
+diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
+index 4084945f4..16aa1b711 100644
+--- a/ldap/servers/slapd/slapi-plugin.h
++++ b/ldap/servers/slapd/slapi-plugin.h
+@@ -8063,6 +8063,27 @@ int slapi_is_special_rdn(const char *rdn, int flag);
+ */
+ void DS_Sleep(PRIntervalTime ticks);
+
++/**
++ * Increment a 64bitintegral atomicly
++ *
++ * \param ptr - pointer to integral to increment
++ * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
++ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
++ * \return - new value of ptr
++ */
++uint64_t slapi_atomic_incr_64(uint64_t *ptr, int memorder);
++
++/**
++ * Decrement a 64bitintegral atomicly
++ *
++ * \param ptr - pointer to integral to decrement
++ * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
++ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
++ * \return - new value of ptr
++ */
++uint64_t slapi_atomic_decr_64(uint64_t *ptr, int memorder);
++
++
+ #ifdef __cplusplus
+ }
+ #endif
+diff --git a/ldap/servers/slapd/slapi_counter.c b/ldap/servers/slapd/slapi_counter.c
+index 9904fe964..59e5223ad 100644
+--- a/ldap/servers/slapd/slapi_counter.c
++++ b/ldap/servers/slapd/slapi_counter.c
+@@ -269,3 +269,33 @@ uint64_t slapi_counter_get_value(Slapi_Counter *counter)
+ return value;
+ }
+
++/*
++ * atomic increment functions (64bit)
++ */
++uint64_t
++slapi_atomic_incr_64(uint64_t *ptr, int memorder)
++{
++#ifdef ATOMIC_64BIT_OPERATIONS
++ return __atomic_add_fetch_8(ptr, 1, memorder);
++#else
++ PRInt32 *pr_ptr = (PRInt32 *)ptr;
++ return PR_AtomicIncrement(pr_ptr);
++#endif
++}
++
++/*
++ * atomic decrement functions (64bit)
++ */
++
++uint64_t
++slapi_atomic_decr_64(uint64_t *ptr, int memorder)
++{
++#ifdef ATOMIC_64BIT_OPERATIONS
++ return __atomic_sub_fetch_8(ptr, 1, memorder);
++#else
++ PRInt32 *pr_ptr = (PRInt32 *)ptr;
++ return PR_AtomicDecrement(pr_ptr);
++#endif
++}
++
++
+diff --git a/ldap/servers/slapd/vattr.c b/ldap/servers/slapd/vattr.c
+index 84e01cd62..adf44b0b6 100644
+--- a/ldap/servers/slapd/vattr.c
++++ b/ldap/servers/slapd/vattr.c
+@@ -1529,10 +1529,12 @@ struct _vattr_sp {
+ typedef struct _vattr_sp vattr_sp;
+
+ /* Service provider handle */
+-struct _vattr_sp_handle {
+- vattr_sp *sp;
+- struct _vattr_sp_handle *next; /* So we can link them together in the map */
+- void *hint; /* Hint to the SP */
++struct _vattr_sp_handle
++{
++ vattr_sp *sp;
++ struct _vattr_sp_handle *next; /* So we can link them together in the map */
++ void *hint; /* Hint to the SP */
++ uint64_t rc;
+ };
+
+ /* Calls made by Service Providers */
+@@ -1758,7 +1760,7 @@ is a separate thing in the insterests of stability.
+
+ */
+
+-#define VARRT_MAP_HASHTABLE_SIZE 10
++#define VARRT_MAP_HASHTABLE_SIZE 32
+
+ /* Attribute map oject */
+ /* Needs to contain: a linked list of pointers to provider handles handles,
+@@ -1849,7 +1851,10 @@ vattr_map_entry_free(vattr_map_entry *vae)
+ vattr_sp_handle *list_entry = vae->sp_list;
+ while (list_entry != NULL) {
+ vattr_sp_handle *next_entry = list_entry->next;
+- slapi_ch_free((void **)&list_entry);
++ if (slapi_atomic_decr_64(&(list_entry->rc), __ATOMIC_RELAXED) == 0) {
++ /* Only free on RC 0 */
++ slapi_ch_free((void **)&list_entry);
++ }
+ list_entry = next_entry;
+ }
+ slapi_ch_free_string(&(vae->type_name));
+@@ -2268,41 +2273,56 @@ to handle the calls on it, but return nothing */
+ *
+ * Better idea, is that regattr should just take the fn pointers
+ * and callers never *see* the sp_handle structure at all.
++ *
++ * This leaves us with some quirks today. First: if you have plugin A
++ * and B, A registers attr 1 and B 1 and 2, it's possible that if you
++ * register A1 first, then B1, you have B->A in next. Then when you
++ * register B2, because we take 0==result from map_lookup, we add sp
++ * "as is" to the map. This means that B2 now has the same next to A1
++ * handle. This won't add a bug, because A1 won't be able to service the
++ * attr, but it could cause some head scratching ...
++ *
++ * Again, to fix this, the whole vattr external interface needs a
++ * redesign ... :(
+ */
+-
+-int vattr_map_sp_insert(char *type_to_add, vattr_sp_handle *sp, void *hint)
+-{
+- int result = 0;
+- vattr_map_entry *map_entry = NULL;
+- /* Is this type already there ? */
+- result = vattr_map_lookup(type_to_add,&map_entry);
+- /* If it is, add this SP to the list, safely even if readers are traversing the list at the same time */
+- if (0 == result) {
+- int found = 0;
+- vattr_sp_handle *list_entry = NULL;
+- /* Walk the list checking that the daft SP isn't already here */
+- for (list_entry = map_entry->sp_list ; list_entry; list_entry = list_entry->next) {
+- if (list_entry == sp) {
+- found = 1;
+- break;
+- }
+- }
+- /* If it is, we do nothing */
+- if(found) {
+- return 0;
+- }
+- /* We insert the SP handle into the linked list at the head */
+- sp->next = map_entry->sp_list;
+- map_entry->sp_list = sp;
+- } else {
+- /* If not, add it */
+- map_entry = vattr_map_entry_new(type_to_add,sp,hint);
+- if (NULL == map_entry) {
+- return ENOMEM;
+- }
+- return vattr_map_insert(map_entry);
+- }
+- return 0;
++int
++vattr_map_sp_insert(char *type_to_add, vattr_sp_handle *sp, void *hint)
++{
++ int result = 0;
++ vattr_map_entry *map_entry = NULL;
++ /* Is this type already there ? */
++ result = vattr_map_lookup(type_to_add, &map_entry);
++ /* If it is, add this SP to the list, safely even if readers are traversing the list at the same time */
++ if (0 == result) {
++ int found = 0;
++ vattr_sp_handle *list_entry = NULL;
++ /* Walk the list checking that the daft SP isn't already here */
++ for (list_entry = map_entry->sp_list; list_entry; list_entry = list_entry->next) {
++ if (list_entry == sp) {
++ found = 1;
++ break;
++ }
++ }
++ /* If it is, we do nothing */
++ if (found) {
++ return 0;
++ }
++ /* Increase the ref count of the sphandle */
++ slapi_atomic_incr_64(&(sp->rc), __ATOMIC_RELAXED);
++ /* We insert the SP handle into the linked list at the head */
++ sp->next = map_entry->sp_list;
++ map_entry->sp_list = sp;
++ } else {
++ /* If not, add it */
++ /* Claim a reference on the sp ... */
++ slapi_atomic_incr_64(&(sp->rc), __ATOMIC_RELAXED);
++ map_entry = vattr_map_entry_new(type_to_add, sp, hint);
++ if (NULL == map_entry) {
++ return ENOMEM;
++ }
++ return vattr_map_insert(map_entry);
++ }
++ return 0;
+ }
+
+ /*
+--
+2.13.6
+
diff --git a/SOURCES/0086-CVE-2017-15134-389-ds-base-Remote-DoS-via-search-fil.patch b/SOURCES/0086-CVE-2017-15134-389-ds-base-Remote-DoS-via-search-fil.patch
new file mode 100644
index 0000000..23d764e
--- /dev/null
+++ b/SOURCES/0086-CVE-2017-15134-389-ds-base-Remote-DoS-via-search-fil.patch
@@ -0,0 +1,117 @@
+From 040c492b4beb0efcd34b8420f682187441767055 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Tue, 16 Jan 2018 09:46:49 -0500
+Subject: [PATCH] CVE-2017-15134 389-ds-base: Remote DoS via search filters in
+ slapi_filter_sprintf
+
+Description: Improper handling of a search filter in slapi_filter_sprintf
+ in slapd/util.c can lead to remote server crash and denial
+ of service.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1529117
+---
+ ldap/servers/slapd/util.c | 36 +++++++++++++++++++++++++++++++-----
+ 1 file changed, 31 insertions(+), 5 deletions(-)
+
+diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
+index 4ff6d4141..ffeeff6f3 100644
+--- a/ldap/servers/slapd/util.c
++++ b/ldap/servers/slapd/util.c
+@@ -224,9 +224,10 @@ escape_string_for_filename(const char *str, char buf[BUFSIZ])
+
+ struct filter_ctx {
+ char *buf;
+- char attr[ATTRSIZE];
++ char *attr;
+ int attr_position;
+ int attr_found;
++ size_t attr_size;
+ int buf_size;
+ int buf_len;
+ int next_arg_needs_esc_norm;
+@@ -265,7 +266,7 @@ filter_stuff_func(void *arg, const char *val, PRUint32 slen)
+ * Start collecting the attribute name so we can use the correct
+ * syntax normalization func.
+ */
+- if(ctx->attr_found == 0 && ctx->attr_position < (ATTRSIZE - 1)){
++ if(ctx->attr_found == 0 && ctx->attr_position < (ctx->attr_size - 1)) {
+ if(ctx->attr[0] == '\0'){
+ if(strstr(val,"=")){
+ /* we have an attr we need to record */
+@@ -279,6 +280,14 @@ filter_stuff_func(void *arg, const char *val, PRUint32 slen)
+ * attr with val. The next pass should be '=', otherwise we will
+ * reset it.
+ */
++ if (slen > ctx->attr_size) {
++ if (ctx->attr_size == ATTRSIZE) {
++ ctx->attr = slapi_ch_calloc(sizeof(char), slen+1);
++ } else {
++ ctx->attr = slapi_ch_realloc(ctx->attr, sizeof(char) * (slen+1));
++ }
++ ctx->attr_size = slen+1;
++ }
+ memcpy(ctx->attr, val, slen);
+ ctx->attr_position = slen;
+ }
+@@ -288,9 +297,20 @@ filter_stuff_func(void *arg, const char *val, PRUint32 slen)
+ } else {
+ if(special_attr_char(val[0])){
+ /* this is not an attribute, we should not be collecting this, reset everything */
+- memset(ctx->attr, '\0', ATTRSIZE);
++ memset(ctx->attr, '\0', ctx->attr_size);
+ ctx->attr_position = 0;
+ } else {
++ /* we can be adding char by char and overrun allocated size */
++ if (ctx->attr_position >= ctx->attr_size) {
++ if (ctx->attr_size == ATTRSIZE) {
++ char *ctxattr = slapi_ch_calloc(sizeof(char), ctx->attr_size + ATTRSIZE);
++ memcpy(ctxattr, ctx->attr, ctx->attr_size);
++ ctx->attr = ctxattr;
++ } else {
++ ctx->attr = slapi_ch_realloc(ctx->attr, sizeof(char) * (ctx->attr_size + ATTRSIZE));
++ }
++ ctx->attr_size = ctx->attr_size + ATTRSIZE;
++ }
+ memcpy(ctx->attr + ctx->attr_position, val, 1);
+ ctx->attr_position++;
+ }
+@@ -363,7 +383,7 @@ filter_stuff_func(void *arg, const char *val, PRUint32 slen)
+ ctx->next_arg_needs_esc_norm = 0;
+ ctx->attr_found = 0;
+ ctx->attr_position = 0;
+- memset(ctx->attr, '\0', ATTRSIZE);
++ memset(ctx->attr, '\0', ctx->attr_size);
+ slapi_ch_free_string(&buf);
+
+ return filter_len;
+@@ -402,13 +422,15 @@ slapi_filter_sprintf(const char *fmt, ...)
+ {
+ struct filter_ctx ctx = {0};
+ va_list args;
++ char attr_static[ATTRSIZE] = {0};
+ char *buf;
+ int rc;
+
+ buf = slapi_ch_calloc(sizeof(char), FILTER_BUF + 1);
+ ctx.buf = buf;
+- memset(ctx.attr,'\0', ATTRSIZE);
+ ctx.attr_position = 0;
++ ctx.attr = attr_static;
++ ctx.attr_size = ATTRSIZE;
+ ctx.attr_found = 0;
+ ctx.buf_len = FILTER_BUF;
+ ctx.buf_size = 0;
+@@ -424,6 +446,10 @@ slapi_filter_sprintf(const char *fmt, ...)
+ }
+ va_end(args);
+
++ if (ctx.attr_size > ATTRSIZE) {
++ slapi_ch_free_string(&ctx.attr);
++ }
++
+ return ctx.buf;
+ }
+
+--
+2.13.6
+
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index ed028d0..61d84f7 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@@ -30,7 +30,7 @@
Summary: 389 Directory Server (base)
Name: 389-ds-base
Version: 1.3.6.1
-Release: %{?relprefix}24%{?prerel}%{?dist}
+Release: %{?relprefix}26%{?prerel}%{?dist}
License: GPLv3+
URL: https://www.port389.org/
Group: System Environment/Daemons
@@ -216,6 +216,10 @@ Patch79: 0079-Ticket-49439-cleanallruv-is-not-logging-information.patch
Patch80: 0080-Ticket-49436-double-free-in-COS-in-some-conditions.patch
Patch81: 0081-Ticket-49441-Import-crashes-with-large-indexed-binar.patch
Patch82: 0082-Ticket-49431-replicated-MODRDN-fails-breaking-replic.patch
+Patch83: 0083-Ticket-49410-opened-connection-can-remain-no-longer-.patch
+Patch84: 0084-Ticket-48118-backport-changelog-can-be-erronously-re.patch
+Patch85: 0085-Ticket-49495-Fix-memory-management-is-vattr.patch
+Patch86: 0086-CVE-2017-15134-389-ds-base-Remote-DoS-via-search-fil.patch
%description
389 Directory Server is an LDAPv3 compliant server. The base package includes
@@ -368,6 +372,10 @@ cp %{SOURCE2} README.devel
%patch80 -p1
%patch81 -p1
%patch82 -p1
+%patch83 -p1
+%patch84 -p1
+%patch85 -p1
+%patch86 -p1
%build
@@ -600,6 +608,16 @@ fi
%{_sysconfdir}/%{pkgname}/dirsrvtests
%changelog
+* Tue Jan 16 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.6.1-26
+- Bump version to 1.3.6.1-25
+- Resolves: Bug 1534430 - crash in slapi_filter_sprintf
+
+* Mon Dec 18 2017 Mark Reynolds <mreynolds@redhat.com> - 1.3.6.1-25
+- Bump version to 1.3.6.1-25
+- Resolves: Bug 1526928 - search with CoS attribute is getting slower after modifying/adding CosTemplate
+- Resolves: Bug 1523505 - opened connection are hanging, no longer poll
+- Resolves: Bug 1523507 - IPA server replication broken, after DS stop-start, due to changelog reset
+
* Fri Nov 10 2017 Mark Reynolds <mreynolds@redhat.com> - 1.3.6.1-24
- Bump version to 1.3.6.1-24
- Resolves: Bug 1508978 - replicated MODRDN fails breaking replication