<div class="container">
<h1>Security update for 389-ds</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:20927-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-03-24T17:50:31Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1258727">bsc#1258727</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-14905.html">CVE-2025-14905</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-14905</span>
<span class="cvss-source">(SUSE):</span>
<span class="cvss-score">8.6</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-14905</span>
<span class="cvss-source">(SUSE):</span>
<span class="cvss-score">7.2</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-14905</span>
<span class="cvss-source">(NVD):</span>
<span class="cvss-score">7.2</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise Server - BCI 16.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability can now be installed.</p>
<h2>Description:</h2>
<p>This update for 389-ds fixes the following issue:</p>
<p>Update to 389-ds 3.0.6~git249.6688af9b2:</p>
<ul>
<li>CVE-2025-14905: heap buffer overflow due to improper size calculation in <code>schema_attr_enum_callback</code> can lead to DoS
and RCE (bsc#1258727).</li>
</ul>
<p>Changelog:</p>
<ul>
<li>Issue 7277 - UI - Fix Japanese translation for "Successfully updated group" in Cockpit UI (#7278)</li>
<li>Issue 7275 - UI - Improve password policy field validation in Cockpit UI (#7276)</li>
<li>Issue 7279 - UI - Fix typo in export certificate dialog (#7280)</li>
<li>Issue 7273 - In a chaining environment binding as remote user causes an invalid error in the logs</li>
<li>Issue 7271 - plugins that create threads need to update active thread count</li>
<li>Issue 5853 - Update concread to 0.5.10</li>
<li>Issue 7053 - Remove memberof_del_dn_from_groups from MemberOf plugin (#7064)</li>
<li>Issue 7223 - Remove integerOrderingMatch requirement for parentid (#7264)</li>
<li>Issue 7066/7052 - allow password history to be set to zero and remove history</li>
<li>Issue 7223 - Use lexicographical order for ancestorid (#7256)</li>
<li>Issue 7213 - (2nd) MDB_BAD_VALSIZE error while handling VLV (#7258)</li>
<li>Issue 7184 - (2nd) argparse.HelpFormatter _format_actions_usage() is deprecated (#7257)</li>
<li>Issue - CLI - dsctl db2index needs some hardening with MDB</li>
<li>Issue 7248 - CLI - attribute uniqueness - fix usage for exclude subtree option</li>
<li>Issue 7231 - Sync repl tests fail in FIPS mode due to non FIPS compliant crypto (#7232)</li>
<li>Issue 7121 - (2nd) LeakSanitizer: various leaks during replication (#7212)</li>
<li>Issue 6947 - Fix health_system_indexes_test.py</li>
<li>Issue 7076 - Fix revert_cache() never called in modrdn (#7220)</li>
<li>Issue 7076, 6992, 6784, 6214 - Fix CI test failures (#7077)</li>
<li>Issue 7096 - (2nd) During replication online total init the function idl_id_is_in_idlist is not scaling with large
database (#7205)</li>
<li>Issue 3555 - UI - Fix audit issue with npm - @isaacs/brace-expansion (#7228)</li>
<li>Issue 7223 - Add dsctl index-check command for offline index repair</li>
<li>Issue 7223 - Detect and log index ordering mismatch during backend startup</li>
<li>Issue 7223 - Add upgrade function to remove ancestorid index config entry</li>
<li>Issue 7223 - Add upgrade function to remove nsIndexIDListScanLimit from parentid</li>
<li>Issue 7223 - Revert index scan limits for system indexes</li>
<li>Issue 6542 - RPM build errors on Fedora 42</li>
<li>Issue 7224 - CI Test - Simplify test_reserve_descriptor_validation (#7225)</li>
<li>Issue 7194 - Repl Log Analysis - Add CSN propagation details (#7195)</li>
<li>Issue 7213 - MDB_BAD_VALSIZE error while handling VLV (#7214)</li>
<li>Issue 7027 - (2nd) 389-ds-base OpenScanHub Leaks Detected (#7211)</li>
<li>Issue 7184 - argparse.HelpFormatter _format_actions_usage() is deprecated</li>
<li>Issue 7198 - Web console doesn't show sub-suffix when parent-suffix points to an entry (#7202)</li>
<li>Issue 7189 - DSBLE0007 generates incorrect remediation commands for scan limits</li>
<li>Bump lodash from 4.17.21 to 4.17.23 in /src/cockpit/389-console (#7203)</li>
<li>Issue 7172 - (2nd) Index ordering mismatch after upgrade (#7180)</li>
<li>Issue 7172 - Index ordering mismatch after upgrade (#7173)</li>
<li>Issue - Revise paged result search locking</li>
<li>Issue 7096 - During replication online total init the function idl_id_is_in_idlist is not scaling with large
database (#7145)</li>
<li>Revert "Issue 7160 - Add lib389 version sync check to configure (#7165)"</li>
<li>Issue 7160 - Add lib389 version sync check to configure (#7165)</li>
<li>Issue 7049 - RetroCL plugin generates invalid LDIF</li>
<li>Issue 7150 - Compressed access log rotations skipped, accesslog-list out of sync (#7151)</li>
<li>Restore definition for slapi_entry_attr_get_valuearray</li>
<li>Issue 1793 - RFE - Dynamic lists - UI and CLI updates</li>
<li>Issue 7119 - Fix DNA shared config replication test (#7143)</li>
<li>Issue 7081 - Repl Log Analysis - Implement data sampling with performance and timezone fixes (#7086)</li>
<li>Issue 1793 - RFE - Implement dynamic lists</li>
<li>Issue 6753 - Port ticket tests</li>
<li>Issue 6753 - Port and fix ticket 47823 tests</li>
<li>Issue 6753 - Add 'add_exclude_subtree' and 'remove_exclude_subtree' methods to Attribute uniqueness plugin</li>
<li>Issue 6753 - Port ticket test 48026</li>
<li>Issue 7128 - memory corruption in alias entry plugin (#7131)</li>
<li>Issue 7091 - Duplicate local password policy entries listed (#7092)</li>
<li>Issue 7124 - BDB cursor race condition with transaction isolation (#7125)</li>
<li>Issue 7132 - Keep alive entry updated too soon after an offline import (#7133)</li>
<li>Issue 7121 - LeakSanitizer: various leaks during replication (#7122)</li>
<li>Issue 7115 - LeakSanitizer: leak in <code>slapd_bind_local_user()</code> (#7116)</li>
<li>Issue 7109 - AddressSanitizer: SEGV ldap/servers/slapd/csnset.c:302 in csnset_dup (#7114)</li>
<li>Issue 7056 - DSBLE0007 doesn't generate remediation steps for missing indexes</li>
<li>Issue 7119 - Harden DNA plugin locking for shared server list operations (#7120)</li>
<li>Issue 7084 - UI - schema - sorting attributes breaks expanded row</li>
<li>Issue 7007 - Improve paged result search locking</li>
<li>Issue 3555 - UI - Fix audit issue with npm - glob (#7107)</li>
<li>Issue 6846 - Attribute uniqueness is not enforced with modrdn (#7026)</li>
<li>Issue 6901 - Update changelog trimming logging - fix tests</li>
<li>Issue 6901 - Update changelog trimming logging</li>
<li>Bump js-yaml from 4.1.0 to 4.1.1 in /src/cockpit/389-console (#7097)</li>
<li>Issue 7069 - Fix error reporting in HAProxy trusted IP parsing (#7094)</li>
<li>Issue 7055 - Online initialization of consumers fails with error -23 (#7075)</li>
<li>Issue 7042 - Enable global_backend_lock when memberofallbackend is enabled (#7043)</li>
<li>Issue 7078 - audit json logging does not encode binary values</li>
<li>Issue 7069 - Add Subnet/CIDR Support for HAProxy Trusted IPs (#7070)</li>
<li>Issue 6660 - CLI, UI - Improve replication log analyzer usability (#7062)</li>
<li>Issue 7065 - A search filter containing a non normalized DN assertion does not return matching entries (#7068)</li>
<li>Issue 7071 - search filter (&(cn:dn:=groups)) no longer returns results</li>
<li>Issue 7073 - Add NDN cache size configuration and enforcement tests (#7074)</li>
<li>Issue 7041 - CLI/UI - memberOf - no way to add/remove specific group filters</li>
<li>Issue 7061 - CLI/UI - Improve error messages for dsconf localpwp list</li>
<li>Issue 7059 - UI - unable to upload pem file</li>
<li>Issue 7032 - The new ipahealthcheck test ipahealthcheck.ds.backends.BackendsCheck raises CRITICAL issue (#7036)</li>
<li>Issue 7047 - MemberOf plugin logs null attribute name on fixup task completion (#7048)</li>
<li>Issue 7044 - RFE - index sudoHost by default (#7046)</li>
<li>Issue 6979 - Improve the way to detect asynchronous operations in the access logs (#6980)</li>
<li>Issue 7035 - RFE - memberOf - adding scoping for specific groups</li>
<li>Issue - CLI/UI - Add option to delete all replication conflict entries</li>
<li>Issue 7033 - lib389 - basic plugin status not in JSON</li>
<li>Issue 7023 - UI - if first instance that is loaded is stopped it breaks parts of the UI</li>
<li>Issue 7027 - 389-ds-base OpenScanHub Leaks Detected (#7028)</li>
<li>Issue 6966 - On large DB, unlimited IDL scan limit reduce the SRCH performance (#6967)</li>
<li>Issue 6660 - UI - Improve replication log analysis charts and usability (#6968)</li>
<li>Issue 6982 - UI - MemberOf shared config does not validate DN properly (#6983)</li>
<li>Issue 7021 - Units for changing MDB max size are not consistent across different tools (#7022)</li>
<li>Issue 6954 - do not delete referrals on chain_on_update backend</li>
<li>Issue 7018 - BUG - prevent stack depth being hit (#7019)</li>
<li>Issue 6928 - The parentId attribute is indexed with improper matching rule</li>
<li>Issue 6933 - When deferred memberof update is enabled after the server crashed it should not launch memberof fixup
task by default (#6935)</li>
<li>Issue 6904 - Fix config_test.py::test_lmdb_config</li>
<li>Issue 7014 - memberOf - ignored deferred updates with LMDB</li>
<li>Issue 7012 - improve dsctl dbverify result when backend does not exist (#7013)</li>
<li>Issue 6929 - Compilation failure with rust-1.89 on Fedora ELN</li>
<li>Issue 6990 - UI - Replace deprecated Select components with new TypeaheadSelect (#6996)</li>
<li>Issue 6990 - UI - Fix typeahead Select fields losing values on Enter keypress (#6991)</li>
<li>Issue 6887 - Enhance logconv.py to add support for JSON access logs (#6889)</li>
<li>Issue 6985 - Some logconv CI tests fail with BDB (#6986)</li>
<li>Issue 6891 - JSON logging - add wrapper function that checks for NULL</li>
<li>Issue 6977 - UI - Show error message when trying to use unavailable ports (#6978)</li>
<li>Issue 6956 - More UI fixes</li>
<li>Issue 6947 - Revise time skew check in healthcheck tool and add option to exclude checks</li>
<li>Issue 6805 - RFE - Multiple backend entry cache tuning</li>
<li>Issue 6843 - Add CI tests for logconv.py (#6856)</li>
<li>Issue - UI - update Radio handlers and LDAP entries last modified time</li>
<li>Issue 6660 - UI - Fix minor typo (#6955)</li>
<li>Issue 6910 - Fix latest coverity issues</li>
<li>Issue 6919 - numSubordinates/tombstoneNumSubordinates are inconsisten... (#6920)</li>
<li>Issue 6663 - Fix NULL subsystem crash in JSON error logging (#6883)</li>
<li>Issue 6940 - dsconf monitor server fails with ldapi:// due to absent server ID (#6941)</li>
<li>Issue 6936 - Make user/subtree policy creation idempotent (#6937)</li>
<li>Issue 6865 - AddressSanitizer: leak in agmt_update_init_status</li>
<li>Issue 6848 - AddressSanitizer: leak in do_search</li>
<li>Issue 6850 - AddressSanitizer: memory leak in mdb_init</li>
<li>Issue 6778 - Memory leak in roles_cache_create_object_from_entry part 2</li>
<li>Issue 6778 - Memory leak in roles_cache_create_object_from_entry</li>
<li>Issue 6181 - RFE - Allow system to manage uid/gid at startup</li>
<li>Issues 6913, 6886, 6250 - Adjust xfail marks (#6914)</li>
<li>Issue 6768 - ns-slapd crashes when a referral is added (#6780)</li>
<li>Issue 6468 - CLI - Fix default error log level</li>
<li>Issue 6339 - Address Coverity scan issues in memberof and bdb_layer (#6353)</li>
<li>Issue 6897 - Fix disk monitoring test failures and improve test maintainability (#6898)</li>
<li>Issue 6884 - Mask password hashes in audit logs (#6885)</li>
<li>Issue 6594 - Add test for numSubordinates replication consistency with tombstones (#6862)</li>
<li>Issue 6250 - Add test for entryUSN overflow on failed add operations (#6821)</li>
<li>Issue 6895 - Crash if repl keep alive entry can not be created</li>
<li>Issue 6893 - Log user that is updated during password modify extended operation</li>
<li>Issue 6772 - dsconf - Replicas with the "consumer" role allow for viewing and modification of their
changelog. (#6773)</li>
<li>Issue 6888 - Missing access JSON logging for TLS/Client auth</li>
<li>Issue 6680 - instance read-only mode is broken (#6681)</li>
<li>Issue 6878 - Prevent repeated disconnect logs during shutdown (#6879)</li>
<li>Issue 6872 - compressed log rotation creates files with world readable permission</li>
<li>Issue 6859 - str2filter is not fully applying matching rules</li>
<li>Issue 6868 - UI - schema attribute table expansion break after moving to a new page</li>
<li>Issue 6854 - Refactor for improved data management (#6855)</li>
<li>Issue 6756 - CLI, UI - Properly handle disabled NDN cache (#6757)</li>
<li>Issue 6857 - uiduniq: allow specifying match rules in the filter</li>
<li>Issue 6838 - lib389/replica.py is using nonexistent datetime.UTC in Python 3.9</li>
<li>Issue 6822 - Backend creation cleanup and Database UI tab error handling (#6823)</li>
<li>Issue 6782 - Improve paged result locking</li>
<li>Issue 6825 - RootDN Access Control Plugin with wildcards for IP addre... (#6826)</li>
<li>Issue 6736 - Exception thrown by dsconf instance repl get_ruv (#6742)</li>
<li>Issue 6819 - Incorrect pwdpolicysubentry returned for an entry with user password policy</li>
<li>Issue 6553 - Update concread to 0.5.6 (#6824)</li>
<li>Issue 1081 - Add a CI test (#6063)</li>
<li>Issue 6761 - Password modify extended operation should skip password policy checks when executed by root DN</li>
<li>Issue 6791 - crash in liblmdb during instance shutdown (#6793)</li>
<li>Issue 6641 - modrdn fails when a user is member of multiple groups (#6643)</li>
<li>Issue 6776 - Enabling audit log makes slapd coredump</li>
<li>Issue 6534 - CI fails with Fedora 41 and DNF5</li>
<li>Issue 6787 - Improve error message when bulk import connection is closed</li>
<li>Issue 6727 - RFE - database compaction interval should be persistent</li>
<li>Issue 6438 - Add basic dsidm organizational unit tests</li>
<li>Issue 6439 - Fix dsidm service get_dn option</li>
<li>Issue 5120 - ns-slapd doesn't start in referral mode (#6763)</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update, use one of the SUSE recommended
installation methods, such as YaST online_update or "zypper patch".<br/>
Alternatively, you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server - BCI 16.0
<br/>
<code>zypper in -t patch SUSE-SLES-16.0-434=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server - BCI 16.0 (aarch64 ppc64le s390x x86_64)
<ul>
<li>389-ds-snmp-debuginfo-3.0.6~git249.6688af9b2-160000.1.1</li>
<li>libsvrcore0-debuginfo-3.0.6~git249.6688af9b2-160000.1.1</li>
<li>389-ds-debuginfo-3.0.6~git249.6688af9b2-160000.1.1</li>
<li>389-ds-snmp-3.0.6~git249.6688af9b2-160000.1.1</li>
<li>389-ds-devel-3.0.6~git249.6688af9b2-160000.1.1</li>
<li>389-ds-3.0.6~git249.6688af9b2-160000.1.1</li>
<li>389-ds-debugsource-3.0.6~git249.6688af9b2-160000.1.1</li>
<li>lib389-3.0.6~git249.6688af9b2-160000.1.1</li>
<li>libsvrcore0-3.0.6~git249.6688af9b2-160000.1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-14905.html">https://www.suse.com/security/cve/CVE-2025-14905.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1258727">https://bugzilla.suse.com/show_bug.cgi?id=1258727</a>
</li>
</ul>
</div>