Security update for 389-ds

Announcement ID: SUSE-SU-2026:20927-1
Release Date: 2026-03-24T17:50:31Z
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2025-14905 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • CVE-2025-14905 ( SUSE ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVE-2025-14905 ( NVD ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE Linux Enterprise Server - BCI 16.0

An update that solves one vulnerability can now be installed.

Description:

This update for 389-ds fixes the following issue:

Update to 389-ds 3.0.6~git249.6688af9b2:

  • CVE-2025-14905: heap buffer overflow due to improper size calculation in schema_attr_enum_callback can lead to DoS and RCE (bsc#1258727).

Changelog:

  • Issue 7277 - UI - Fix Japanese translation for "Successfully updated group" in Cockpit UI (#7278)
  • Issue 7275 - UI - Improve password policy field validation in Cockpit UI (#7276)
  • Issue 7279 - UI - Fix typo in export certificate dialog (#7280)
  • Issue 7273 - In a chaining environment binding as remote user causes an invalid error in the logs
  • Issue 7271 - plugins that create threads need to update active thread count
  • Issue 5853 - Update concread to 0.5.10
  • Issue 7053 - Remove memberof_del_dn_from_groups from MemberOf plugin (#7064)
  • Issue 7223 - Remove integerOrderingMatch requirement for parentid (#7264)
  • Issue 7066/7052 - allow password history to be set to zero and remove history
  • Issue 7223 - Use lexicographical order for ancestorid (#7256)
  • Issue 7213 - (2nd) MDB_BAD_VALSIZE error while handling VLV (#7258)
  • Issue 7184 - (2nd) argparse.HelpFormatter _format_actions_usage() is deprecated (#7257)
  • Issue - CLI - dsctl db2index needs some hardening with MBD
  • Issue 7248 - CLI - attribute uniqueness - fix usage for exclude subtree option
  • Issue 7231 - Sync repl tests fail in FIPS mode due to non FIPS compliant crypto (#7232)
  • Issue 7121 - (2nd) LeakSanitizer: various leaks during replication (#7212)
  • Issue 6947 - Fix health_system_indexes_test.py
  • Issue 7076 - Fix revert_cache() never called in modrdn (#7220)
  • Issue 7076, 6992, 6784, 6214 - Fix CI test failures (#7077)
  • Issue 7096 - (2nd) During replication online total init the function idl_id_is_in_idlist is not scaling with large database (#7205)
  • Issue 3555 - UI - Fix audit issue with npm - @isaacs/brace-expansion (#7228)
  • Issue 7223 - Add dsctl index-check command for offline index repair
  • Issue 7223 - Detect and log index ordering mismatch during backend startup
  • Issue 7223 - Add upgrade function to remove ancestorid index config entry
  • Issue 7223 - Add upgrade function to remove nsIndexIDListScanLimit from parentid
  • Issue 7223 - Revert index scan limits for system indexes
  • Issue 6542 - RPM build errors on Fedora 42
  • Issue 7224 - CI Test - Simplify test_reserve_descriptor_validation (#7225)
  • Issue 7194 - Repl Log Analysis - Add CSN propagation details (#7195)
  • Issue 7213 - MDB_BAD_VALSIZE error while handling VLV (#7214)
  • Issue 7027 - (2nd) 389-ds-base OpenScanHub Leaks Detected (#7211)
  • Issue 7184 - argparse.HelpFormatter _format_actions_usage() is deprecated
  • Issue 7198 - Web console doesn't show sub-suffix when parent-suffix points to an entry (#7202)
  • Issue 7189 - DSBLE0007 generates incorrect remediation commands for scan limits
  • Bump lodash from 4.17.21 to 4.17.23 in /src/cockpit/389-console (#7203)
  • Issue 7172 - (2nd) Index ordering mismatch after upgrade (#7180)
  • Issue 7172 - Index ordering mismatch after upgrade (#7173)
  • Issue - Revise paged result search locking
  • Issue 7096 - During replication online total init the function idl_id_is_in_idlist is not scaling with large database (#7145)
  • Revert "Issue 7160 - Add lib389 version sync check to configure (#7165)"
  • Issue 7160 - Add lib389 version sync check to configure (#7165)
  • Issue 7049 - RetroCL plugin generates invalid LDIF
  • Issue 7150 - Compressed access log rotations skipped, accesslog-list out of sync (#7151)
  • Restore definition for slapi_entry_attr_get_valuearray
  • Issue 1793 - RFE - Dynamic lists - UI and CLI updates
  • Issue 7119 - Fix DNA shared config replication test (#7143)
  • Issue 7081 - Repl Log Analysis - Implement data sampling with performance and timezone fixes (#7086)
  • Issue 1793 - RFE - Implement dynamic lists
  • Issue 6753 - Port ticket tests
  • Issue 6753 - Port and fix ticket 47823 tests
  • Issue 6753 - Add 'add_exclude_subtree' and 'remove_exclude_subtree' methods to Attribute uniqueness plugin
  • Issue 6753 - Port ticket test 48026
  • Issue 7128 - memory corruption in alias entry plugin (#7131)
  • Issue 7091 - Duplicate local password policy entries listed (#7092)
  • Issue 7124 - BDB cursor race condition with transaction isolation (#7125)
  • Issue 7132 - Keep alive entry updated too soon after an offline import (#7133)
  • Issue 7121 - LeakSanitizer: various leaks during replication (#7122)
  • Issue 7115 - LeakSanitizer: leak in slapd_bind_local_user() (#7116)
  • Issue 7109 - AddressSanitizer: SEGV ldap/servers/slapd/csnset.c:302 in csnset_dup (#7114)
  • Issue 7056 - DSBLE0007 doesn't generate remediation steps for missing indexes
  • Issue 7119 - Harden DNA plugin locking for shared server list operations (#7120)
  • Issue 7084 - UI - schema - sorting attributes breaks expanded row
  • Issue 7007 - Improve paged result search locking
  • Issue 3555 - UI - Fix audit issue with npm - glob (#7107)
  • Issue 6846 - Attribute uniqueness is not enforced with modrdn (#7026)
  • Issue 6901 - Update changelog trimming logging - fix tests
  • Issue 6901 - Update changelog trimming logging
  • Bump js-yaml from 4.1.0 to 4.1.1 in /src/cockpit/389-console (#7097)
  • Issue 7069 - Fix error reporting in HAProxy trusted IP parsing (#7094)
  • Issue 7055 - Online initialization of consumers fails with error -23 (#7075)
  • Issue 7042 - Enable global_backend_lock when memberofallbackend is enabled (#7043)
  • Issue 7078 - audit json logging does not encode binary values
  • Issue 7069 - Add Subnet/CIDR Support for HAProxy Trusted IPs (#7070)
  • Issue 6660 - CLI, UI - Improve replication log analyzer usability (#7062)
  • Issue 7065 - A search filter containing a non normalized DN assertion does not return matching entries (#7068)
  • Issue 7071 - search filter (&(cn:dn:=groups)) no longer returns results
  • Issue 7073 - Add NDN cache size configuration and enforcement tests (#7074)
  • Issue 7041 - CLI/UI - memberOf - no way to add/remove specific group filters
  • Issue 7061 - CLI/UI - Improve error messages for dsconf localpwp list
  • Issue 7059 - UI - unable to upload pem file
  • Issue 7032 - The new ipahealthcheck test ipahealthcheck.ds.backends.BackendsCheck raises CRITICAL issue (#7036)
  • Issue 7047 - MemberOf plugin logs null attribute name on fixup task completion (#7048)
  • Issue 7044 - RFE - index sudoHost by default (#7046)
  • Issue 6979 - Improve the way to detect asynchronous operations in the access logs (#6980)
  • Issue 7035 - RFE - memberOf - adding scoping for specific groups
  • Issue - CLI/UI - Add option to delete all replication conflict entries
  • Issue 7033 - lib389 - basic plugin status not in JSON
  • Issue 7023 - UI - if first instance that is loaded is stopped it breaks parts of the UI
  • Issue 7027 - 389-ds-base OpenScanHub Leaks Detected (#7028)
  • Issue 6966 - On large DB, unlimited IDL scan limit reduce the SRCH performance (#6967)
  • Issue 6660 - UI - Improve replication log analysis charts and usability (#6968)
  • Issue 6982 - UI - MemberOf shared config does not validate DN properly (#6983)
  • Issue 7021 - Units for changing MDB max size are not consistent across different tools (#7022)
  • Issue 6954 - do not delete referrals on chain_on_update backend
  • Issue 7018 - BUG - prevent stack depth being hit (#7019)
  • Issue 6928 - The parentId attribute is indexed with improper matching rule
  • Issue 6933 - When deferred memberof update is enabled after the server crashed it should not launch memberof fixup task by default (#6935)
  • Issue 6904 - Fix config_test.py::test_lmdb_config
  • Issue 7014 - memberOf - ignored deferred updates with LMDB
  • Issue 7012 - improve dscrl dbverify result when backend does not exists (#7013)
  • Issue 6929 - Compilation failure with rust-1.89 on Fedora ELN
  • Issue 6990 - UI - Replace deprecated Select components with new TypeaheadSelect (#6996)
  • Issue 6990 - UI - Fix typeahead Select fields losing values on Enter keypress (#6991)
  • Issue 6887 - Enhance logconv.py to add support for JSON access logs (#6889)
  • Issue 6985 - Some logconv CI tests fail with BDB (#6986)
  • Issue 6891 - JSON logging - add wrapper function that checks for NULL
  • Issue 6977 - UI - Show error message when trying to use unavailable ports (#6978)
  • Issue 6956 - More UI fixes
  • Issue 6947 - Revise time skew check in healthcheck tool and add option to exclude checks
  • Issue 6805 - RFE - Multiple backend entry cache tuning
  • Issue 6843 - Add CI tests for logconv.py (#6856)
  • Issue - UI - update Radio handlers and LDAP entries last modified time
  • Issue 6660 - UI - Fix minor typo (#6955)
  • Issue 6910 - Fix latest coverity issues
  • Issue 6919 - numSubordinates/tombstoneNumSubordinates are inconsisten... (#6920)
  • Issue 6663 - Fix NULL subsystem crash in JSON error logging (#6883)
  • Issue 6940 - dsconf monitor server fails with ldapi:// due to absent server ID (#6941)
  • Issue 6936 - Make user/subtree policy creation idempotent (#6937)
  • Issue 6865 - AddressSanitizer: leak in agmt_update_init_status
  • Issue 6848 - AddressSanitizer: leak in do_search
  • Issue 6850 - AddressSanitizer: memory leak in mdb_init
  • Issue 6778 - Memory leak in roles_cache_create_object_from_entry part 2
  • Issue 6778 - Memory leak in roles_cache_create_object_from_entry
  • Issue 6181 - RFE - Allow system to manage uid/gid at startup
  • Issues 6913, 6886, 6250 - Adjust xfail marks (#6914)
  • Issue 6768 - ns-slapd crashes when a referral is added (#6780)
  • Issue 6468 - CLI - Fix default error log level
  • Issue 6339 - Address Coverity scan issues in memberof and bdb_layer (#6353)
  • Issue 6897 - Fix disk monitoring test failures and improve test maintainability (#6898)
  • Issue 6884 - Mask password hashes in audit logs (#6885)
  • Issue 6594 - Add test for numSubordinates replication consistency with tombstones (#6862)
  • Issue 6250 - Add test for entryUSN overflow on failed add operations (#6821)
  • Issue 6895 - Crash if repl keep alive entry can not be created
  • Issue 6893 - Log user that is updated during password modify extended operation
  • Issue 6772 - dsconf - Replicas with the "consumer" role allow for viewing and modification of their changelog. (#6773)
  • Issue 6888 - Missing access JSON logging for TLS/Client auth
  • Issue 6680 - instance read-only mode is broken (#6681)
  • Issue 6878 - Prevent repeated disconnect logs during shutdown (#6879)
  • Issue 6872 - compressed log rotation creates files with world readable permission
  • Issue 6859 - str2filter is not fully applying matching rules
  • Issue 6868 - UI - schema attribute table expansion break after moving to a new page
  • Issue 6854 - Refactor for improved data management (#6855)
  • Issue 6756 - CLI, UI - Properly handle disabled NDN cache (#6757)
  • Issue 6857 - uiduniq: allow specifying match rules in the filter
  • Issue 6838 - lib389/replica.py is using nonexistent datetime.UTC in Python 3.9
  • Issue 6822 - Backend creation cleanup and Database UI tab error handling (#6823)
  • Issue 6782 - Improve paged result locking
  • Issue 6825 - RootDN Access Control Plugin with wildcards for IP addre... (#6826)
  • Issue 6736 - Exception thrown by dsconf instance repl get_ruv (#6742)
  • Issue 6819 - Incorrect pwdpolicysubentry returned for an entry with user password policy
  • Issue 6553 - Update concread to 0.5.6 (#6824)
  • Issue 1081 - Add a CI test (#6063)
  • Issue 6761 - Password modify extended operation should skip password policy checks when executed by root DN
  • Issue 6791 - crash in liblmdb during instance shutdown (#6793)
  • Issue 6641 - modrdn fails when a user is member of multiple groups (#6643)
  • Issue 6776 - Enabling audit log makes slapd coredump
  • Issue 6534 - CI fails with Fedora 41 and DNF5
  • Issue 6787 - Improve error message when bulk import connection is closed
  • Issue 6727 - RFE - database compaction interval should be persistent
  • Issue 6438 - Add basic dsidm organizational unit tests
  • Issue 6439 - Fix dsidm service get_dn option
  • Issue 5120 - ns-slapd doesn't start in referral mode (#6763)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Server - BCI 16.0
    zypper in -t patch SUSE-SLES-16.0-434=1

Package List:

  • SUSE Linux Enterprise Server - BCI 16.0 (aarch64 ppc64le s390x x86_64)
    • 389-ds-snmp-debuginfo-3.0.6~git249.6688af9b2-160000.1.1
    • libsvrcore0-debuginfo-3.0.6~git249.6688af9b2-160000.1.1
    • 389-ds-debuginfo-3.0.6~git249.6688af9b2-160000.1.1
    • 389-ds-snmp-3.0.6~git249.6688af9b2-160000.1.1
    • 389-ds-devel-3.0.6~git249.6688af9b2-160000.1.1
    • 389-ds-3.0.6~git249.6688af9b2-160000.1.1
    • 389-ds-debugsource-3.0.6~git249.6688af9b2-160000.1.1
    • lib389-3.0.6~git249.6688af9b2-160000.1.1
    • libsvrcore0-3.0.6~git249.6688af9b2-160000.1.1

References: