diff --git a/SOURCES/0073-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch b/SOURCES/0073-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch
new file mode 100644
index 0000000..9543a1b
--- /dev/null
+++ b/SOURCES/0073-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch
@@ -0,0 +1,48 @@
+From 49ca93665ac6c2faf6077d6a8dc33cbea6bd0fc9 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz <tbordaz@redhat.com>
+Date: Tue, 4 Apr 2017 10:44:55 +0200
+Subject: [PATCH] Ticket 49209 - Hang due to omitted replica lock release
+
+Bug Description:
+    When an operation is canceled (failure), its csn is aborted
+    and removed from the pending list.
+    If at that time the pending list is empty or the csn is not found
+    in that list, the cancel callback forgots to release the replica lock
+
+Fix Description:
+    Release replica lock systematically, whether cnsplRemove fails or not
+
+https://pagure.io/389-ds-base/issue/49209
+
+Reviewed by: Mark Reynolds (thanks Mark !!)
+
+Platforms tested: F23
+
+Flag Day: no
+
+Doc impact: no
+
+(cherry picked from commit 7dc991b16b97bacb69ddb334358e27e1220ca27b)
+(cherry picked from commit 071cadabb035fbca354a233adbeba82616be3d19)
+---
+ ldap/servers/plugins/replication/repl5_replica.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
+index 602653a..9b3cec5 100644
+--- a/ldap/servers/plugins/replication/repl5_replica.c
++++ b/ldap/servers/plugins/replication/repl5_replica.c
+@@ -3669,7 +3669,9 @@ abort_csn_callback(const CSN *csn, void *data)
+     {
+         int rc = csnplRemove(r->min_csn_pl, csn);
+         if (rc) {
+-            slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "csnplRemove failed");
++            slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, 
++                    "abort_csn_callback - csnplRemove failed");
++            replica_unlock(r->repl_lock);
+             return;
+         }
+     }
+-- 
+2.9.3
+
diff --git a/SOURCES/0074-Issue-49221-During-an-upgrade-the-provided-localhost.patch b/SOURCES/0074-Issue-49221-During-an-upgrade-the-provided-localhost.patch
new file mode 100644
index 0000000..e3a6454
--- /dev/null
+++ b/SOURCES/0074-Issue-49221-During-an-upgrade-the-provided-localhost.patch
@@ -0,0 +1,38 @@
+From fea1b0b59b8c3a2bfdb294b274b6572d42075a00 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Mon, 17 Apr 2017 17:06:19 -0400
+Subject: [PATCH] Issue 49221 - During an upgrade the provided localhost name
+ is ignored
+
+Description:  If the FullMachine name, or localhost, is provided in an INF
+              it is ignored during the upgrade the value of nsslapd-localhost
+              from the current server is used instead.  We should only override
+              the localhost value if it is missing.
+
+https://pagure.io/389-ds-base/issue/49221
+
+Reviewed by: nhosoi(Thanks!)
+
+(cherry picked from commit 8979cc699a7bd0459a9285f66dca472e8108b1ad)
+---
+ ldap/admin/src/scripts/DSUpdate.pm.in | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/admin/src/scripts/DSUpdate.pm.in b/ldap/admin/src/scripts/DSUpdate.pm.in
+index e84a9a9..8b24b47 100644
+--- a/ldap/admin/src/scripts/DSUpdate.pm.in
++++ b/ldap/admin/src/scripts/DSUpdate.pm.in
+@@ -435,7 +435,9 @@ sub initInfFromInst {
+     my $servid = $inst;
+     $servid =~ s/slapd-//;
+ 
+-    $inf->{General}->{FullMachineName} = $entry->getValue("nsslapd-localhost");
++    if (!$inf->{General}->{FullMachineName}) {
++        $inf->{General}->{FullMachineName} = $entry->getValue("nsslapd-localhost");
++    }
+     $inf->{General}->{SuiteSpotUserID} = $entry->getValue("nsslapd-localuser");
+     $inf->{slapd}->{ServerPort} = $entry->getValue("nsslapd-port");
+     $inf->{slapd}->{ldapifilepath} = $entry->getValue("nsslapd-ldapifilepath");
+-- 
+2.9.3
+
diff --git a/SOURCES/0075-Issue-49188-retrocl-can-crash-server-at-shutdown.patch b/SOURCES/0075-Issue-49188-retrocl-can-crash-server-at-shutdown.patch
new file mode 100644
index 0000000..b7cb112
--- /dev/null
+++ b/SOURCES/0075-Issue-49188-retrocl-can-crash-server-at-shutdown.patch
@@ -0,0 +1,36 @@
+From c101544797e0b563bc0955934a74a4dc25a5b467 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Wed, 22 Mar 2017 10:18:13 -0400
+Subject: [PATCH] Issue 49188 - retrocl can crash server at shutdown
+
+Description:  We do not calloc enough elements when processing nsslapd-attribute
+              from the retrocl plugin configuration.  This causes invalid memory
+              to be freed at shutdown(via slapi_ch_array_free).
+
+https://pagure.io/389-ds-base/issue/49188
+
+Reviewed by: mreynolds(one line commit rule)
+
+(cherry picked from commit b2f76abe10bfbe621308410a1e7f41287cf2ff9e)
+---
+ ldap/servers/plugins/retrocl/retrocl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
+index 0b336d5..6167e88 100644
+--- a/ldap/servers/plugins/retrocl/retrocl.c
++++ b/ldap/servers/plugins/retrocl/retrocl.c
+@@ -468,8 +468,8 @@ static int retrocl_start (Slapi_PBlock *pb)
+ 
+         retrocl_nattributes = n;
+ 
+-        retrocl_attributes = (char **)slapi_ch_calloc(n, sizeof(char *));
+-        retrocl_aliases = (char **)slapi_ch_calloc(n, sizeof(char *));
++        retrocl_attributes = (char **)slapi_ch_calloc(n + 1, sizeof(char *));
++        retrocl_aliases = (char **)slapi_ch_calloc(n + 1, sizeof(char *));
+ 
+         slapi_log_error(SLAPI_LOG_PLUGIN, RETROCL_PLUGIN_NAME, "Attributes:\n");
+ 
+-- 
+2.9.3
+
diff --git a/SOURCES/0076-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch b/SOURCES/0076-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch
new file mode 100644
index 0000000..0805c10
--- /dev/null
+++ b/SOURCES/0076-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch
@@ -0,0 +1,159 @@
+From 9f1d12e3de174964b02e6507494fe3de1aca1766 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Mon, 20 Mar 2017 15:08:45 -0400
+Subject: [PATCH] Issue 49095 - targetattr wildcard evaluation is incorrectly
+ case sensitive
+
+Description:  When processing an aci that uses a wildcard targetattr, the
+              comparision should be done using case insensitive functions.
+
+https://pagure.io/389-ds-base/issue/49095
+
+Reviewed by: firstyear(Thanks!)
+
+(cherry picked from commit fdf78dca6c34b32522443c82ddd4c3c7ef04da80)
+---
+ dirsrvtests/tests/tickets/ticket49095_test.py | 85 +++++++++++++++++++++++++++
+ ldap/servers/plugins/acl/acl.c                | 10 ++--
+ 2 files changed, 90 insertions(+), 5 deletions(-)
+ create mode 100644 dirsrvtests/tests/tickets/ticket49095_test.py
+
+diff --git a/dirsrvtests/tests/tickets/ticket49095_test.py b/dirsrvtests/tests/tickets/ticket49095_test.py
+new file mode 100644
+index 0000000..04f92b2
+--- /dev/null
++++ b/dirsrvtests/tests/tickets/ticket49095_test.py
+@@ -0,0 +1,85 @@
++import time
++import ldap
++import logging
++import pytest
++from lib389 import DirSrv, Entry, tools, tasks
++from lib389.tools import DirSrvTools
++from lib389._constants import *
++from lib389.properties import *
++from lib389.tasks import *
++from lib389.utils import *
++from lib389.topologies import topology_st as topo
++
++DEBUGGING = os.getenv("DEBUGGING", default=False)
++if DEBUGGING:
++    logging.getLogger(__name__).setLevel(logging.DEBUG)
++else:
++    logging.getLogger(__name__).setLevel(logging.INFO)
++log = logging.getLogger(__name__)
++
++USER_DN = 'uid=testuser,dc=example,dc=com'
++acis = ['(targetattr != "tele*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
++        '(targetattr != "TELE*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
++        '(targetattr != "telephonenum*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)',
++        '(targetattr != "TELEPHONENUM*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)']
++
++
++def test_ticket49095(topo):
++    """Check that target attrbiutes with wildcards are case insensitive
++    """
++
++    # Add an entry
++    try:
++        topo.standalone.add_s(Entry((USER_DN, {
++            'objectclass': 'top extensibleObject'.split(),
++            'uid': 'testuser',
++            'telephonenumber': '555-555-5555'
++        })))
++    except ldap.LDAPError as e:
++            log.fatal('Failed to add test user: ' + e.message['desc'])
++            assert False
++
++    for aci in acis:
++        # Add ACI
++        try:
++            topo.standalone.modify_s(DEFAULT_SUFFIX,
++                          [(ldap.MOD_REPLACE, 'aci', aci)])
++
++        except ldap.LDAPError as e:
++            log.fatal('Failed to set aci: ' + aci + ': ' + e.message['desc'])
++            assert False
++
++        # Set Anonymous Bind to test aci
++        try:
++            topo.standalone.simple_bind_s("", "")
++        except ldap.LDAPError as e:
++            log.fatal('Failed to bind anonymously: ' + e.message['desc'])
++            assert False
++
++        # Search for entry - should not get any results
++        try:
++            entry = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_BASE,
++                                             'telephonenumber=*')
++            if entry:
++                log.fatal('The entry was incorrectly returned')
++                assert False
++        except ldap.LDAPError as e:
++            log.fatal('Failed to search anonymously: ' + e.message['desc'])
++            assert False
++
++        # Set root DN Bind so we can update aci's
++        try:
++            topo.standalone.simple_bind_s(DN_DM, PASSWORD)
++        except ldap.LDAPError as e:
++            log.fatal('Failed to bind anonymously: ' + e.message['desc'])
++            assert False
++
++    log.info("Test Passed")
++
++
++if __name__ == '__main__':
++    # Run isolated
++    # -s for DEBUG mode
++    CURRENT_FILE = os.path.realpath(__file__)
++    pytest.main("-s %s" % CURRENT_FILE)
++
+diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
+index ba6b774..1caa88a 100644
+--- a/ldap/servers/plugins/acl/acl.c
++++ b/ldap/servers/plugins/acl/acl.c
+@@ -3407,19 +3407,19 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
+ 	}
+ 
+ 	/* this assumes that str and the filter components are already
+-	 * normalized. If not, it shoul be done
++	 * normalized. If not, it should be done
+ 	 */
+ 	if ( initial != NULL) {
+ 		len = strlen(initial);
+ 		if (exact_match) {
+-			int rc = strncmp(p, initial, len);
++			int rc = strncasecmp(p, initial, len);
+ 			if (rc) {
+ 				return ACL_FALSE;
+ 			} else {
+ 				p += len;
+ 			}  
+ 		} else {
+-			p = strstr(p, initial);
++			p = strcasestr(p, initial);
+ 			if (p) {
+ 				p += len;
+ 			} else {
+@@ -3430,7 +3430,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
+ 
+ 	if ( any != NULL) {
+ 		for (i = 0;  any && any[i] != NULL; i++) {
+-			p = strstr(p, any[i]);
++			p = strcasestr(p, any[i]);
+ 			if (p) {
+ 				p += strlen(any[i]);
+ 			} else {
+@@ -3444,7 +3444,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match)
+ 		len = strlen(final);
+ 		tlen = strlen(p);
+ 		if (len > tlen) return ACL_FALSE;
+-		if (strcmp(p+tlen-len, final)) return ACL_FALSE;
++		if (strcasecmp(p+tlen-len, final)) return ACL_FALSE;
+ 	}
+ 
+ 	return ACL_TRUE;
+-- 
+2.9.3
+
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index 14f5c8e..d73444d 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@@ -34,7 +34,7 @@
 Summary:          389 Directory Server (base)
 Name:             389-ds-base
 Version:          1.3.5.10
-Release:          %{?relprefix}20%{?prerel}%{?dist}
+Release:          %{?relprefix}21%{?prerel}%{?dist}
 License:          GPLv3+
 URL:              https://www.port389.org/
 Group:            System Environment/Daemons
@@ -208,6 +208,10 @@ Patch69:          0069-fix-for-reg-in-49008-check-if-ruv-element-exists.patch
 Patch70:          0070-Ticket-49121-ns-slapd-crashes-in-ldif_sput-due-to-th.patch
 Patch71:          0071-Issue-49122-Filtered-nsrole-that-uses-nsrole-crashes.patch
 Patch72:          0072-fix-for-cve-2017-2668-simple-return-text-if-suffix-n.patch
+Patch73:          0073-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch
+Patch74:          0074-Issue-49221-During-an-upgrade-the-provided-localhost.patch
+Patch75:          0075-Issue-49188-retrocl-can-crash-server-at-shutdown.patch
+Patch76:          0076-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch
 
 %description
 389 Directory Server is an LDAPv3 compliant server.  The base package includes
@@ -366,6 +370,10 @@ cp %{SOURCE2} README.devel
 %patch70 -p1
 %patch71 -p1
 %patch72 -p1
+%patch73 -p1
+%patch74 -p1
+%patch75 -p1
+%patch76 -p1
 
 %build
 %if %{use_nunc_stans}
@@ -603,6 +611,13 @@ fi
 %{_sysconfdir}/%{pkgname}/dirsrvtests
 
 %changelog
+* Mon Apr 24 2017 Mark Reynolds <mreynolds@redhat.com> - 1.3.5.10-21
+- Bump verison to 1.3.5.10-21
+- Resolves: Bug 1440654 - Possible deadlock while installing an ipa replica
+- Resolves: Bug 1445178 - Silent install localhost issue
+- Resolves: Bug 1445177 - retrocl crash at shutdown
+- Resolves: Bug 1445176 - case sensitivity in acl
+
 * Mon Apr 3 2017 Mark Reynolds <mreynolds@redhat.com> - 1.3.5.10-20
 - Bump version to 1.3.5.10-20
 - Resolves: bug 1437005 - CVE-2017-2668 389-ds-base: Remote crash via crafted LDAP messages