diff --git a/SOURCES/0073-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch b/SOURCES/0073-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch
new file mode 100644
index 0000000..9543a1b
--- /dev/null
+++ b/SOURCES/0073-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch
@@ -0,0 +1,48 @@
+From 49ca93665ac6c2faf6077d6a8dc33cbea6bd0fc9 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz <tbordaz@redhat.com>
+Date: Tue, 4 Apr 2017 10:44:55 +0200
+Subject: [PATCH] Ticket 49209 - Hang due to omitted replica lock release
+
+Bug Description:
+ When an operation is canceled (failure), its csn is aborted
+ and removed from the pending list.
+ If at that time the pending list is empty or the csn is not found
+ in that list, the cancel callback forgots to release the replica lock
+
+Fix Description:
+ Release replica lock systematically, whether cnsplRemove fails or not
+
+https://pagure.io/389-ds-base/issue/49209
+
+Reviewed by: Mark Reynolds (thanks Mark !!)
+
+Platforms tested: F23
+
+Flag Day: no
+
+Doc impact: no
+
+(cherry picked from commit 7dc991b16b97bacb69ddb334358e27e1220ca27b)
+(cherry picked from commit 071cadabb035fbca354a233adbeba82616be3d19)
+---
+ ldap/servers/plugins/replication/repl5_replica.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
+index 602653a..9b3cec5 100644
+--- a/ldap/servers/plugins/replication/repl5_replica.c
++++ b/ldap/servers/plugins/replication/repl5_replica.c
+@@ -3669,7 +3669,9 @@ abort_csn_callback(const CSN *csn, void *data)
+ {
+ int rc = csnplRemove(r->min_csn_pl, csn);
+ if (rc) {
+- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "csnplRemove failed");
++ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
++ "abort_csn_callback - csnplRemove failed");
++ replica_unlock(r->repl_lock);
+ return;
+ }
+ }
+--
+2.9.3
+
diff --git a/SOURCES/0074-Issue-49221-During-an-upgrade-the-provided-localhost.patch b/SOURCES/0074-Issue-49221-During-an-upgrade-the-provided-localhost.patch
new file mode 100644
index 0000000..e3a6454
--- /dev/null
+++ b/SOURCES/0074-Issue-49221-During-an-upgrade-the-provided-localhost.patch
@@ -0,0 +1,38 @@
+From fea1b0b59b8c3a2bfdb294b274b6572d42075a00 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Mon, 17 Apr 2017 17:06:19 -0400
+Subject: [PATCH] Issue 49221 - During an upgrade the provided localhost name
+ is ignored
+
+Description: If the FullMachine name, or localhost, is provided in an INF
+ it is ignored during the upgrade the value of nsslapd-localhost
+ from the current server is used instead. We should only override
+ the localhost value if it is missing.
+
+https://pagure.io/389-ds-base/issue/49221
+
+Reviewed by: nhosoi(Thanks!)
+
+(cherry picked from commit 8979cc699a7bd0459a9285f66dca472e8108b1ad)
+---
+ ldap/admin/src/scripts/DSUpdate.pm.in | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/admin/src/scripts/DSUpdate.pm.in b/ldap/admin/src/scripts/DSUpdate.pm.in
+index e84a9a9..8b24b47 100644
+--- a/ldap/admin/src/scripts/DSUpdate.pm.in
++++ b/ldap/admin/src/scripts/DSUpdate.pm.in
+@@ -435,7 +435,9 @@ sub initInfFromInst {
+ my $servid = $inst;
+ $servid =~ s/slapd-//;
+
+- $inf->{General}->{FullMachineName} = $entry->getValue("nsslapd-localhost");
++ if (!$inf->{General}->{FullMachineName}) {
++ $inf->{General}->{FullMachineName} = $entry->getValue("nsslapd-localhost");
++ }
+ $inf->{General}->{SuiteSpotUserID} = $entry->getValue("nsslapd-localuser");
+ $inf->{slapd}->{ServerPort} = $entry->getValue("nsslapd-port");
+ $inf->{slapd}->{ldapifilepath} = $entry->getValue("nsslapd-ldapifilepath");
+--
+2.9.3
+
diff --git a/SOURCES/0075-Issue-49188-retrocl-can-crash-server-at-shutdown.patch b/SOURCES/0075-Issue-49188-retrocl-can-crash-server-at-shutdown.patch
new file mode 100644
index 0000000..b7cb112
--- /dev/null
+++ b/SOURCES/0075-Issue-49188-retrocl-can-crash-server-at-shutdown.patch
@@ -0,0 +1,36 @@
+From c101544797e0b563bc0955934a74a4dc25a5b467 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Wed, 22 Mar 2017 10:18:13 -0400
+Subject: [PATCH] Issue 49188 - retrocl can crash server at shutdown
+
+Description: We do not calloc enough elements when processing nsslapd-attribute
+ from the retrocl plugin configuration. This causes invalid memory
+ to be freed at shutdown(via slapi_ch_array_free).
+
+https://pagure.io/389-ds-base/issue/49188
+
+Reviewed by: mreynolds(one line commit rule)
+
+(cherry picked from commit b2f76abe10bfbe621308410a1e7f41287cf2ff9e)
+---
+ ldap/servers/plugins/retrocl/retrocl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
+index 0b336d5..6167e88 100644
+--- a/ldap/servers/plugins/retrocl/retrocl.c
++++ b/ldap/servers/plugins/retrocl/retrocl.c
+@@ -468,8 +468,8 @@ static int retrocl_start (Slapi_PBlock *pb)
+
+ retrocl_nattributes = n;
+
+- retrocl_attributes = (char **)slapi_ch_calloc(n, sizeof(char *));
+- retrocl_aliases = (char **)slapi_ch_calloc(n, sizeof(char *));
++ retrocl_attributes = (char **)slapi_ch_calloc(n + 1, sizeof(char *));
++ retrocl_aliases = (char **)slapi_ch_calloc(n + 1, sizeof(char *));
+
+ slapi_log_error(SLAPI_LOG_PLUGIN, RETROCL_PLUGIN_NAME, "Attributes:\n");
+
+--
+2.9.3
+
diff --git a/SOURCES/0076-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch b/SOURCES/0076-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch
new file mode 100644
index 0000000..0805c10
--- /dev/null
+++ b/SOURCES/0076-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch
@@ -0,0 +1,159 @@
+From 9f1d12e3de174964b02e6507494fe3de1aca1766 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Mon, 20 Mar 2017 15:08:45 -0400
+Subject: [PATCH] Issue 49095 - targetattr wildcard evaluation is incorrectly
+ case sensitive
+
+Description: When processing an aci that uses a wildcard targetattr, the
+ comparision should be done using case insensitive functions.
+
+https://pagure.io/389-ds-base/issue/49095
+
+Reviewed by: firstyear(Thanks!)
+
+(cherry picked from commit fdf78dca6c34b32522443c82ddd4c3c7ef04da80)
+---
+ dirsrvtests/tests/tickets/ticket49095_test.py | 85 +++++++++++++++++++++++++++
+ ldap/servers/plugins/acl/acl.c | 10 ++--
+ 2 files changed, 90 insertions(+), 5 deletions(-)
+ create mode 100644 dirsrvtests/tests/tickets/ticket49095_test.py
+
+diff --git a/dirsrvtests/tests/tickets/ticket49095_test.py b/dirsrvtests/tests/tickets/ticket49095_test.py
+new file mode 100644
+index 0000000..04f92b2
+--- /dev/null
++++ b/dirsrvtests/tests/tickets/ticket49095_test.py
+@@ -0,0 +1,85 @@
++import time
++import ldap
++import logging
++import pytest
++from lib389 import DirSrv, Entry, tools, tasks
++from lib389.tools import DirSrvTools
++from lib389._constants import *
++from lib389.properties import *
++from lib389.tasks import *
++from lib389.utils import *
++from lib389.topologies import topology_st as topo
++
++DEBUGGING = os.getenv("DEBUGGING", default=False)
++if DEBUGGING:
++ logging.getLogger(__name__).setLevel(logging.DEBUG)
++else:
++ logging.getLogger(__name__).setLevel(logging.INFO)
++log = logging.getLogger(__name__)
++
++USER_DN = 'uid=testuser,dc=example,dc=com'
++acis = ['(targetattr != "tele*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
++ '(targetattr != "TELE*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
++ '(targetattr != "telephonenum*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
++ '(targetattr != "TELEPHONENUM*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)']
++
++
++def test_ticket49095(topo):
++ """Check that target attrbiutes with wildcards are case insensitive
++ """
++
++ # Add an entry
++ try:
++ topo.standalone.add_s(Entry((USER_DN, {
++ 'objectclass': 'top extensibleObject'.split(),
++ 'uid': 'testuser',
++ 'telephonenumber': '555-555-5555'
++ })))
++ except ldap.LDAPError as e:
++ log.fatal('Failed to add test user: ' + e.message['desc'])
++ assert False
++
++ for aci in acis:
++ # Add ACI
++ try:
++ topo.standalone.modify_s(DEFAULT_SUFFIX,
++ [(ldap.MOD_REPLACE, 'aci', aci)])
++
++ except ldap.LDAPError as e:
++ log.fatal('Failed to set aci: ' + aci + ': ' + e.message['desc'])
++ assert False
++
++ # Set Anonymous Bind to test aci
++ try:
++ topo.standalone.simple_bind_s("", "")
++ except ldap.LDAPError as e:
++ log.fatal('Failed to bind anonymously: ' + e.message['desc'])
++ assert False
++
++ # Search for entry - should not get any results
++ try:
++ entry = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_BASE,
++ 'telephonenumber=*')
++ if entry:
++ log.fatal('The entry was incorrectly returned')
++ assert False
++ except ldap.LDAPError as e:
++ log.fatal('Failed to search anonymously: ' + e.message['desc'])
++ assert False
++
++ # Set root DN Bind so we can update aci's
++ try:
++ topo.standalone.simple_bind_s(DN_DM, PASSWORD)
++ except ldap.LDAPError as e:
++ log.fatal('Failed to bind anonymously: ' + e.message['desc'])
++ assert False
++
++ log.info("Test Passed")
++
++
++if __name__ == '__main__':
++ # Run isolated
++ # -s for DEBUG mode
++ CURRENT_FILE = os.path.realpath(__file__)
++ pytest.main("-s %s" % CURRENT_FILE)
++
+diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
+index ba6b774..1caa88a 100644
+--- a/ldap/servers/plugins/acl/acl.c
++++ b/ldap/servers/plugins/acl/acl.c
+@@ -3407,19 +3407,19 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
+ }
+
+ /* this assumes that str and the filter components are already
+- * normalized. If not, it shoul be done
++ * normalized. If not, it should be done
+ */
+ if ( initial != NULL) {
+ len = strlen(initial);
+ if (exact_match) {
+- int rc = strncmp(p, initial, len);
++ int rc = strncasecmp(p, initial, len);
+ if (rc) {
+ return ACL_FALSE;
+ } else {
+ p += len;
+ }
+ } else {
+- p = strstr(p, initial);
++ p = strcasestr(p, initial);
+ if (p) {
+ p += len;
+ } else {
+@@ -3430,7 +3430,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
+
+ if ( any != NULL) {
+ for (i = 0; any && any[i] != NULL; i++) {
+- p = strstr(p, any[i]);
++ p = strcasestr(p, any[i]);
+ if (p) {
+ p += strlen(any[i]);
+ } else {
+@@ -3444,7 +3444,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
+ len = strlen(final);
+ tlen = strlen(p);
+ if (len > tlen) return ACL_FALSE;
+- if (strcmp(p+tlen-len, final)) return ACL_FALSE;
++ if (strcasecmp(p+tlen-len, final)) return ACL_FALSE;
+ }
+
+ return ACL_TRUE;
+--
+2.9.3
+
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index 14f5c8e..d73444d 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@@ -34,7 +34,7 @@
Summary: 389 Directory Server (base)
Name: 389-ds-base
Version: 1.3.5.10
-Release: %{?relprefix}20%{?prerel}%{?dist}
+Release: %{?relprefix}21%{?prerel}%{?dist}
License: GPLv3+
URL: https://www.port389.org/
Group: System Environment/Daemons
@@ -208,6 +208,10 @@ Patch69: 0069-fix-for-reg-in-49008-check-if-ruv-element-exists.patch
Patch70: 0070-Ticket-49121-ns-slapd-crashes-in-ldif_sput-due-to-th.patch
Patch71: 0071-Issue-49122-Filtered-nsrole-that-uses-nsrole-crashes.patch
Patch72: 0072-fix-for-cve-2017-2668-simple-return-text-if-suffix-n.patch
+Patch73: 0073-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch
+Patch74: 0074-Issue-49221-During-an-upgrade-the-provided-localhost.patch
+Patch75: 0075-Issue-49188-retrocl-can-crash-server-at-shutdown.patch
+Patch76: 0076-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch
%description
389 Directory Server is an LDAPv3 compliant server. The base package includes
@@ -366,6 +370,10 @@ cp %{SOURCE2} README.devel
%patch70 -p1
%patch71 -p1
%patch72 -p1
+%patch73 -p1
+%patch74 -p1
+%patch75 -p1
+%patch76 -p1
%build
%if %{use_nunc_stans}
@@ -603,6 +611,13 @@ fi
%{_sysconfdir}/%{pkgname}/dirsrvtests
%changelog
+* Mon Apr 24 2017 Mark Reynolds <mreynolds@redhat.com> - 1.3.5.10-21
+- Bump verison to 1.3.5.10-21
+- Resolves: Bug 1440654 - Possible deadlock while installing an ipa replica
+- Resolves: Bug 1445178 - Silent install localhost issue
+- Resolves: Bug 1445177 - retrocl crash at shutdown
+- Resolves: Bug 1445176 - case sensitivity in acl
+
* Mon Apr 3 2017 Mark Reynolds <mreynolds@redhat.com> - 1.3.5.10-20
- Bump version to 1.3.5.10-20
- Resolves: bug 1437005 - CVE-2017-2668 389-ds-base: Remote crash via crafted LDAP messages