diff --git a/SOURCES/0020-Issue-5418-Sync_repl-may-crash-while-managing-invali.patch b/SOURCES/0020-Issue-5418-Sync_repl-may-crash-while-managing-invali.patch
new file mode 100644
index 0000000..0ee9710
--- /dev/null
+++ b/SOURCES/0020-Issue-5418-Sync_repl-may-crash-while-managing-invali.patch
@@ -0,0 +1,110 @@
+From 2310b48089755fb5b8e3dedf12e8a786b9819c19 Mon Sep 17 00:00:00 2001
+From: tbordaz <tbordaz@redhat.com>
+Date: Thu, 18 Aug 2022 11:17:30 +0200
+Subject: [PATCH] Issue 5418 - Sync_repl may crash while managing invalid
+ cookie (#5420)
+
+Bug description:
+	If the servers receives an invalid cookie without separator '#',
+	it parses it into an empty cookie (Sync_Cookie) instead of a NULL
+	cookie (failure).
+	Later it sigsegv when using the empty cookie.
+
+Fix description:
+	If the parsing fails return NULL
+
+relates: #5418
+
+Reviewed by: Viktor Ashirov, Mark Reynolds, William Brown, Simon
+ Pichugin (thanks !)
+---
+ .../suites/syncrepl_plugin/basic_test.py      | 76 +++++++++++++++++++
+ 1 file changed, 76 insertions(+)
+
+diff --git a/dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py b/dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py
+index 533460e8f..375517693 100644
+--- a/dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py
++++ b/dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py
+@@ -594,3 +594,79 @@ def test_sync_repl_cenotaph(topo_m2, request):
+                 pass
+ 
+     request.addfinalizer(fin)
++
++def test_sync_repl_invalid_cookie(topology, request):
++    """Test sync_repl with invalid cookie
++
++    :id: 8fa4a8f8-acf4-42a5-90f1-6ba1d8080e46
++    :setup: install a standalone instance
++    :steps:
++        1. reset instance to standard (no retroCL, no sync_repl, no dynamic plugin)
++        2. Enable retroCL/content_sync
++        3. Establish a sync_repl connection
++        4. Tests servers results to search with invalid cookie
++        5. Add/delete an user entry to check the server is up and running
++    :expectedresults:
++        1. Should succeeds
++        2. Should succeeds
++        3. Should succeeds
++        4. Should succeeds
++        5. Should succeeds
++    """
++
++    # Reset the instance in a default config
++    # Disable content sync plugin
++    topology.standalone.restart()
++    topology.standalone.plugins.disable(name=PLUGIN_REPL_SYNC)
++
++    # Disable retro changelog
++    topology.standalone.plugins.disable(name=PLUGIN_RETRO_CHANGELOG)
++
++    # Disable dynamic plugins
++    topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-dynamic-plugins', b'off')])
++    topology.standalone.restart()
++
++    # Enable retro changelog
++    topology.standalone.plugins.enable(name=PLUGIN_RETRO_CHANGELOG)
++
++    # Enbale content sync plugin
++    topology.standalone.plugins.enable(name=PLUGIN_REPL_SYNC)
++    topology.standalone.restart()
++
++    # Setup the syncer
++    sync = ISyncRepl(topology.standalone)
++
++    # Test invalid cookies
++    cookies = ('#', '##', 'a#a#a', 'a#a#1', 'foo')
++    for invalid_cookie in cookies:
++        log.info('Testing cookie: %s' % invalid_cookie)
++        try:
++            ldap_search = sync.syncrepl_search(base=DEFAULT_SUFFIX,
++                                               scope=ldap.SCOPE_SUBTREE,
++                                               attrlist=['objectclass', 'cn', 'homedirectory', 'sn','uid'],
++                                               filterstr='(|(objectClass=groupofnames)(objectClass=person))',
++                                               mode='refreshOnly',
++                                               cookie=invalid_cookie)
++            poll_result = sync.syncrepl_poll(all=1)
++
++            log.fatal('Invalid cookie accepted!')
++            assert False
++        except Exception as e:
++            log.info('Invalid cookie correctly rejected: {}'.format(e.args[0]['info']))
++            pass
++
++    # check that the server is still up and running
++    users = UserAccounts(topology.standalone, DEFAULT_SUFFIX)
++    user = users.create_test_user(uid=1000)
++
++    # Success
++    log.info('Test complete')
++
++    def fin():
++        topology.standalone.restart()
++        try:
++            user.delete()
++        except:
++            pass
++
++    request.addfinalizer(fin)
+-- 
+2.37.3
+
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index c3d1ed3..1aa1f64 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@@ -48,7 +48,7 @@ ExcludeArch: i686
 Summary:          389 Directory Server (base)
 Name:             389-ds-base
 Version:          1.4.3.28
-Release:          %{?relprefix}7%{?prerel}%{?dist}
+Release:          %{?relprefix}8%{?prerel}%{?dist}
 License:          GPLv3+
 URL:              https://www.port389.org
 Group:            System Environment/Daemons
@@ -268,6 +268,7 @@ Patch16:          0016-Issue-4775-Add-entryuuid-CLI-and-Fixup-4776.patch
 Patch17:          0017-Issue-4775-Fix-cherry-pick-error.patch
 Patch18:          0018-Issue-5221-User-with-expired-password-can-still-logi.patch
 Patch19:          0019-Issue-5242-Craft-message-may-crash-the-server-5243.patch
+Patch20:          0020-Issue-5418-Sync_repl-may-crash-while-managing-invali.patch
 
 %description
 389 Directory Server is an LDAPv3 compliant server.  The base package includes
@@ -887,6 +888,10 @@ exit 0
 %doc README.md
 
 %changelog
+* Tue Oct 11 2022 Mark Reynolds <mreynolds@redhat.com> - 1.4.3.28-8
+- Bump version to 1.4.3.28-8
+- Resolves: Bug 2131743 - SIGSEGV in sync_repl
+
 * Thu May 19 2022 Thierry Bordaz <tbordaz@redhat.com> - 1.4.3.28-7
 - Bump version to 1.4.3.28-7
 - Resolves: Bug 2081008 - CVE-2022-0996 389-ds:1.4/389-ds-base: expired password was still allowed to access the database