SUSE-SU-2026:20927-1: important: Security update for 389-ds
SLE-UPDATES
null at suse.de
Wed Apr 1 12:37:50 UTC 2026
# Security update for 389-ds
Announcement ID: SUSE-SU-2026:20927-1
Release Date: 2026-03-24T17:50:31Z
Rating: important
References:
* bsc#1258727
Cross-References:
* CVE-2025-14905
CVSS scores:
* CVE-2025-14905 ( SUSE ): 8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-14905 ( SUSE ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-14905 ( NVD ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* SUSE Linux Enterprise Server - BCI 16.0
An update that solves one vulnerability can now be installed.
## Description:
This update for 389-ds fixes the following issue:
Update to 389-ds 3.0.6~git249.6688af9b2:
* CVE-2025-14905: heap buffer overflow due to improper size calculation in
`schema_attr_enum_callback` can lead to DoS and RCE (bsc#1258727).
Changelog:
* Issue 7277 - UI - Fix Japanese translation for "Successfully updated group"
in Cockpit UI (#7278)
* Issue 7275 - UI - Improve password policy field validation in Cockpit UI
(#7276)
* Issue 7279 - UI - Fix typo in export certificate dialog (#7280)
* Issue 7273 - In a chaining environment binding as remote user causes an
invalid error in the logs
* Issue 7271 - plugins that create threads need to update active thread count
* Issue 5853 - Update concread to 0.5.10
* Issue 7053 - Remove memberof_del_dn_from_groups from MemberOf plugin (#7064)
* Issue 7223 - Remove integerOrderingMatch requirement for parentid (#7264)
* Issue 7066/7052 - allow password history to be set to zero and remove
history
* Issue 7223 - Use lexicographical order for ancestorid (#7256)
* Issue 7213 - (2nd) MDB_BAD_VALSIZE error while handling VLV (#7258)
* Issue 7184 - (2nd) argparse.HelpFormatter _format_actions_usage() is
deprecated (#7257)
* Issue - CLI - dsctl db2index needs some hardening with MBD
* Issue 7248 - CLI - attribute uniqueness - fix usage for exclude subtree
option
* Issue 7231 - Sync repl tests fail in FIPS mode due to non FIPS compliant
crypto (#7232)
* Issue 7121 - (2nd) LeakSanitizer: various leaks during replication (#7212)
* Issue 6947 - Fix health_system_indexes_test.py
* Issue 7076 - Fix revert_cache() never called in modrdn (#7220)
* Issue 7076, 6992, 6784, 6214 - Fix CI test failures (#7077)
* Issue 7096 - (2nd) During replication online total init the function
idl_id_is_in_idlist is not scaling with large database (#7205)
* Issue 3555 - UI - Fix audit issue with npm - @isaacs/brace-expansion (#7228)
* Issue 7223 - Add dsctl index-check command for offline index repair
* Issue 7223 - Detect and log index ordering mismatch during backend startup
* Issue 7223 - Add upgrade function to remove ancestorid index config entry
* Issue 7223 - Add upgrade function to remove nsIndexIDListScanLimit from
parentid
* Issue 7223 - Revert index scan limits for system indexes
* Issue 6542 - RPM build errors on Fedora 42
* Issue 7224 - CI Test - Simplify test_reserve_descriptor_validation (#7225)
* Issue 7194 - Repl Log Analysis - Add CSN propagation details (#7195)
* Issue 7213 - MDB_BAD_VALSIZE error while handling VLV (#7214)
* Issue 7027 - (2nd) 389-ds-base OpenScanHub Leaks Detected (#7211)
* Issue 7184 - argparse.HelpFormatter _format_actions_usage() is deprecated
* Issue 7198 - Web console doesn't show sub-suffix when parent-suffix points
to an entry (#7202)
* Issue 7189 - DSBLE0007 generates incorrect remediation commands for scan
limits
* Bump lodash from 4.17.21 to 4.17.23 in /src/cockpit/389-console (#7203)
* Issue 7172 - (2nd) Index ordering mismatch after upgrade (#7180)
* Issue 7172 - Index ordering mismatch after upgrade (#7173)
* Issue - Revise paged result search locking
* Issue 7096 - During replication online total init the function
idl_id_is_in_idlist is not scaling with large database (#7145)
* Revert "Issue 7160 - Add lib389 version sync check to configure (#7165)"
* Issue 7160 - Add lib389 version sync check to configure (#7165)
* Issue 7049 - RetroCL plugin generates invalid LDIF
* Issue 7150 - Compressed access log rotations skipped, accesslog-list out of
sync (#7151)
* Restore definition for slapi_entry_attr_get_valuearray
* Issue 1793 - RFE - Dynamic lists - UI and CLI updates
* Issue 7119 - Fix DNA shared config replication test (#7143)
* Issue 7081 - Repl Log Analysis - Implement data sampling with performance
and timezone fixes (#7086)
* Issue 1793 - RFE - Implement dynamic lists
* Issue 6753 - Port ticket tests
* Issue 6753 - Port and fix ticket 47823 tests
* Issue 6753 - Add 'add_exclude_subtree' and 'remove_exclude_subtree' methods
to Attribute uniqueness plugin
* Issue 6753 - Port ticket test 48026
* Issue 7128 - memory corruption in alias entry plugin (#7131)
* Issue 7091 - Duplicate local password policy entries listed (#7092)
* Issue 7124 - BDB cursor race condition with transaction isolation (#7125)
* Issue 7132 - Keep alive entry updated too soon after an offline import
(#7133)
* Issue 7121 - LeakSanitizer: various leaks during replication (#7122)
* Issue 7115 - LeakSanitizer: leak in `slapd_bind_local_user()` (#7116)
* Issue 7109 - AddressSanitizer: SEGV ldap/servers/slapd/csnset.c:302 in
csnset_dup (#7114)
* Issue 7056 - DSBLE0007 doesn't generate remediation steps for missing
indexes
* Issue 7119 - Harden DNA plugin locking for shared server list operations
(#7120)
* Issue 7084 - UI - schema - sorting attributes breaks expanded row
* Issue 7007 - Improve paged result search locking
* Issue 3555 - UI - Fix audit issue with npm - glob (#7107)
* Issue 6846 - Attribute uniqueness is not enforced with modrdn (#7026)
* Issue 6901 - Update changelog trimming logging - fix tests
* Issue 6901 - Update changelog trimming logging
* Bump js-yaml from 4.1.0 to 4.1.1 in /src/cockpit/389-console (#7097)
* Issue 7069 - Fix error reporting in HAProxy trusted IP parsing (#7094)
* Issue 7055 - Online initialization of consumers fails with error -23 (#7075)
* Issue 7042 - Enable global_backend_lock when memberofallbackend is enabled
(#7043)
* Issue 7078 - audit json logging does not encode binary values
* Issue 7069 - Add Subnet/CIDR Support for HAProxy Trusted IPs (#7070)
* Issue 6660 - CLI, UI - Improve replication log analyzer usability (#7062)
* Issue 7065 - A search filter containing a non normalized DN assertion does
not return matching entries (#7068)
* Issue 7071 - search filter (&(cn:dn:=groups)) no longer returns results
* Issue 7073 - Add NDN cache size configuration and enforcement tests (#7074)
* Issue 7041 - CLI/UI - memberOf - no way to add/remove specific group filters
* Issue 7061 - CLI/UI - Improve error messages for dsconf localpwp list
* Issue 7059 - UI - unable to upload pem file
* Issue 7032 - The new ipahealthcheck test
ipahealthcheck.ds.backends.BackendsCheck raises CRITICAL issue (#7036)
* Issue 7047 - MemberOf plugin logs null attribute name on fixup task
completion (#7048)
* Issue 7044 - RFE - index sudoHost by default (#7046)
* Issue 6979 - Improve the way to detect asynchronous operations in the access
logs (#6980)
* Issue 7035 - RFE - memberOf - adding scoping for specific groups
* Issue - CLI/UI - Add option to delete all replication conflict entries
* Issue 7033 - lib389 - basic plugin status not in JSON
* Issue 7023 - UI - if first instance that is loaded is stopped it breaks
parts of the UI
* Issue 7027 - 389-ds-base OpenScanHub Leaks Detected (#7028)
* Issue 6966 - On large DB, unlimited IDL scan limit reduce the SRCH
performance (#6967)
* Issue 6660 - UI - Improve replication log analysis charts and usability
(#6968)
* Issue 6982 - UI - MemberOf shared config does not validate DN properly
(#6983)
* Issue 7021 - Units for changing MDB max size are not consistent across
different tools (#7022)
* Issue 6954 - do not delete referrals on chain_on_update backend
* Issue 7018 - BUG - prevent stack depth being hit (#7019)
* Issue 6928 - The parentId attribute is indexed with improper matching rule
* Issue 6933 - When deferred memberof update is enabled after the server
crashed it should not launch memberof fixup task by default (#6935)
* Issue 6904 - Fix config_test.py::test_lmdb_config
* Issue 7014 - memberOf - ignored deferred updates with LMDB
* Issue 7012 - improve dscrl dbverify result when backend does not exists
(#7013)
* Issue 6929 - Compilation failure with rust-1.89 on Fedora ELN
* Issue 6990 - UI - Replace deprecated Select components with new
TypeaheadSelect (#6996)
* Issue 6990 - UI - Fix typeahead Select fields losing values on Enter
keypress (#6991)
* Issue 6887 - Enhance logconv.py to add support for JSON access logs (#6889)
* Issue 6985 - Some logconv CI tests fail with BDB (#6986)
* Issue 6891 - JSON logging - add wrapper function that checks for NULL
* Issue 6977 - UI - Show error message when trying to use unavailable ports
(#6978)
* Issue 6956 - More UI fixes
* Issue 6947 - Revise time skew check in healthcheck tool and add option to
exclude checks
* Issue 6805 - RFE - Multiple backend entry cache tuning
* Issue 6843 - Add CI tests for logconv.py (#6856)
* Issue - UI - update Radio handlers and LDAP entries last modified time
* Issue 6660 - UI - Fix minor typo (#6955)
* Issue 6910 - Fix latest coverity issues
* Issue 6919 - numSubordinates/tombstoneNumSubordinates are inconsisten...
(#6920)
* Issue 6663 - Fix NULL subsystem crash in JSON error logging (#6883)
* Issue 6940 - dsconf monitor server fails with ldapi:// due to absent server
ID (#6941)
* Issue 6936 - Make user/subtree policy creation idempotent (#6937)
* Issue 6865 - AddressSanitizer: leak in agmt_update_init_status
* Issue 6848 - AddressSanitizer: leak in do_search
* Issue 6850 - AddressSanitizer: memory leak in mdb_init
* Issue 6778 - Memory leak in roles_cache_create_object_from_entry part 2
* Issue 6778 - Memory leak in roles_cache_create_object_from_entry
* Issue 6181 - RFE - Allow system to manage uid/gid at startup
* Issues 6913, 6886, 6250 - Adjust xfail marks (#6914)
* Issue 6768 - ns-slapd crashes when a referral is added (#6780)
* Issue 6468 - CLI - Fix default error log level
* Issue 6339 - Address Coverity scan issues in memberof and bdb_layer (#6353)
* Issue 6897 - Fix disk monitoring test failures and improve test
maintainability (#6898)
* Issue 6884 - Mask password hashes in audit logs (#6885)
* Issue 6594 - Add test for numSubordinates replication consistency with
tombstones (#6862)
* Issue 6250 - Add test for entryUSN overflow on failed add operations (#6821)
* Issue 6895 - Crash if repl keep alive entry can not be created
* Issue 6893 - Log user that is updated during password modify extended
operation
* Issue 6772 - dsconf - Replicas with the "consumer" role allow for viewing
and modification of their changelog. (#6773)
* Issue 6888 - Missing access JSON logging for TLS/Client auth
* Issue 6680 - instance read-only mode is broken (#6681)
* Issue 6878 - Prevent repeated disconnect logs during shutdown (#6879)
* Issue 6872 - compressed log rotation creates files with world readable
permission
* Issue 6859 - str2filter is not fully applying matching rules
* Issue 6868 - UI - schema attribute table expansion break after moving to a
new page
* Issue 6854 - Refactor for improved data management (#6855)
* Issue 6756 - CLI, UI - Properly handle disabled NDN cache (#6757)
* Issue 6857 - uiduniq: allow specifying match rules in the filter
* Issue 6838 - lib389/replica.py is using nonexistent datetime.UTC in Python
3.9
* Issue 6822 - Backend creation cleanup and Database UI tab error handling
(#6823)
* Issue 6782 - Improve paged result locking
* Issue 6825 - RootDN Access Control Plugin with wildcards for IP addre...
(#6826)
* Issue 6736 - Exception thrown by dsconf instance repl get_ruv (#6742)
* Issue 6819 - Incorrect pwdpolicysubentry returned for an entry with user
password policy
* Issue 6553 - Update concread to 0.5.6 (#6824)
* Issue 1081 - Add a CI test (#6063)
* Issue 6761 - Password modify extended operation should skip password policy
checks when executed by root DN
* Issue 6791 - crash in liblmdb during instance shutdown (#6793)
* Issue 6641 - modrdn fails when a user is member of multiple groups (#6643)
* Issue 6776 - Enabling audit log makes slapd coredump
* Issue 6534 - CI fails with Fedora 41 and DNF5
* Issue 6787 - Improve error message when bulk import connection is closed
* Issue 6727 - RFE - database compaction interval should be persistent
* Issue 6438 - Add basic dsidm organizational unit tests
* Issue 6439 - Fix dsidm service get_dn option
* Issue 5120 - ns-slapd doesn't start in referral mode (#6763)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server - BCI 16.0
zypper in -t patch SUSE-SLES-16.0-434=1
## Package List:
* SUSE Linux Enterprise Server - BCI 16.0 (aarch64 ppc64le s390x x86_64)
* 389-ds-snmp-debuginfo-3.0.6~git249.6688af9b2-160000.1.1
* libsvrcore0-debuginfo-3.0.6~git249.6688af9b2-160000.1.1
* 389-ds-debuginfo-3.0.6~git249.6688af9b2-160000.1.1
* 389-ds-snmp-3.0.6~git249.6688af9b2-160000.1.1
* 389-ds-devel-3.0.6~git249.6688af9b2-160000.1.1
* 389-ds-3.0.6~git249.6688af9b2-160000.1.1
* 389-ds-debugsource-3.0.6~git249.6688af9b2-160000.1.1
* lib389-3.0.6~git249.6688af9b2-160000.1.1
* libsvrcore0-3.0.6~git249.6688af9b2-160000.1.1
## References:
* https://www.suse.com/security/cve/CVE-2025-14905.html
* https://bugzilla.suse.com/show_bug.cgi?id=1258727
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20260401/65c44559/attachment.htm>
More information about the sle-updates
mailing list