SUSE alert openSUSE-SU-2026:20415-1 (389-ds)

From:
             
 
null@suse.de
To:
             
 
security-announce@lists.opensuse.org
Subject:
             
 
openSUSE-SU-2026:20415-1: important: Security update for 389-ds
Date:
             
 
Sat, 28 Mar 2026 17:51:57 +0100
Message-ID:
             
 
<20260328165157.54CCCFD57@maintenance.suse.de>
Archive-link:
             
 
Article
openSUSE security update: security update for 389-ds
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20415-1
Rating: important
References:

  * bsc#1258727



Cross-References:

  * CVE-2025-14905



CVSS scores:

  * CVE-2025-14905 ( SUSE ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  * CVE-2025-14905 ( SUSE ): 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products:

         openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves one vulnerability and has one bug fix can now be installed.

Description:

This update for 389-ds fixes the following issue:

Update to 389-ds 3.0.6~git249.6688af9b2:

- CVE-2025-14905: heap buffer overflow due to improper size calculation in
`schema_attr_enum_callback` can lead to DoS
  and RCE (bsc#1258727).

Changelog:

 * Issue 7277 - UI - Fix Japanese translation for "Successfully updated group" in Cockpit UI
(#7278)
 * Issue 7275 - UI - Improve password policy field validation in Cockpit UI (#7276)
 * Issue 7279 - UI - Fix typo in export certificate dialog (#7280)
 * Issue 7273 - In a chaining environment binding as remote user causes an invalid error in the
logs
 * Issue 7271 - plugins that create threads need to update active thread count
 * Issue 5853 - Update concread to 0.5.10
 * Issue 7053 - Remove memberof_del_dn_from_groups from MemberOf plugin (#7064)
 * Issue 7223 - Remove integerOrderingMatch requirement for parentid (#7264)
 * Issue 7066/7052 - allow password history to be set to zero and remove history
 * Issue 7223 - Use lexicographical order for ancestorid (#7256)
 * Issue 7213 - (2nd) MDB_BAD_VALSIZE error while handling VLV (#7258)
 * Issue 7184 - (2nd) argparse.HelpFormatter _format_actions_usage() is deprecated (#7257)
 * Issue - CLI - dsctl db2index needs some hardening with MBD
 * Issue 7248 - CLI - attribute uniqueness - fix usage for exclude subtree option
 * Issue 7231 - Sync repl tests fail in FIPS mode due to non FIPS compliant crypto (#7232)
 * Issue 7121 - (2nd) LeakSanitizer: various leaks during replication (#7212)
 * Issue 6947 - Fix health_system_indexes_test.py
 * Issue 7076 - Fix revert_cache() never called in modrdn (#7220)
 * Issue 7076, 6992, 6784, 6214 - Fix CI test failures (#7077)
 * Issue 7096 - (2nd) During replication online total init the function idl_id_is_in_idlist is not
scaling with large
   database (#7205)
 * Issue 3555 - UI - Fix audit issue with npm - @isaacs/brace-expansion (#7228)
 * Issue 7223 - Add dsctl index-check command for offline index repair
 * Issue 7223 - Detect and log index ordering mismatch during backend startup
 * Issue 7223 - Add upgrade function to remove ancestorid index config entry
 * Issue 7223 - Add upgrade function to remove nsIndexIDListScanLimit from parentid
 * Issue 7223 - Revert index scan limits for system indexes
 * Issue 6542 - RPM build errors on Fedora 42
 * Issue 7224 - CI Test - Simplify test_reserve_descriptor_validation (#7225)
 * Issue 7194 - Repl Log Analysis - Add CSN propagation details (#7195)
 * Issue 7213 - MDB_BAD_VALSIZE error while handling VLV (#7214)
 * Issue 7027 - (2nd) 389-ds-base OpenScanHub Leaks Detected (#7211)
 * Issue 7184 - argparse.HelpFormatter _format_actions_usage() is deprecated
 * Issue 7198 - Web console doesn't show sub-suffix when parent-suffix points to an entry (#7202)
 * Issue 7189 - DSBLE0007 generates incorrect remediation commands for scan limits
 * Bump lodash from 4.17.21 to 4.17.23 in /src/cockpit/389-console (#7203)
 * Issue 7172 - (2nd) Index ordering mismatch after upgrade (#7180)
 * Issue 7172 - Index ordering mismatch after upgrade (#7173)
 * Issue - Revise paged result search locking
 * Issue 7096 - During replication online total init the function idl_id_is_in_idlist is not
scaling with large
   database (#7145)
 * Revert "Issue 7160 - Add lib389 version sync check to configure (#7165)"
 * Issue 7160 - Add lib389 version sync check to configure (#7165)
 * Issue 7049 - RetroCL plugin generates invalid LDIF
 * Issue 7150 - Compressed access log rotations skipped, accesslog-list out of sync (#7151)
 * Restore definition for slapi_entry_attr_get_valuearray
 * Issue 1793 - RFE - Dynamic lists - UI and CLI updates
 * Issue 7119 - Fix DNA shared config replication test (#7143)
 * Issue 7081 - Repl Log Analysis - Implement data sampling with performance and timezone fixes
(#7086)
 * Issue 1793 - RFE - Implement dynamic lists
 * Issue 6753 - Port ticket tests
 * Issue 6753 - Port and fix ticket 47823 tests
 * Issue 6753 - Add 'add_exclude_subtree' and 'remove_exclude_subtree' methods to Attribute
uniqueness plugin
 * Issue 6753 - Port ticket test 48026
 * Issue 7128 - memory corruption in alias entry plugin (#7131)
 * Issue 7091 - Duplicate local password policy entries listed (#7092)
 * Issue 7124 - BDB cursor race condition with transaction isolation (#7125)
 * Issue 7132 - Keep alive entry updated too soon after an offline import (#7133)
 * Issue 7121 - LeakSanitizer: various leaks during replication (#7122)
 * Issue 7115 - LeakSanitizer: leak in `slapd_bind_local_user()` (#7116)
 * Issue 7109 - AddressSanitizer: SEGV ldap/servers/slapd/csnset.c:302 in csnset_dup (#7114)
 * Issue 7056 - DSBLE0007 doesn't generate remediation steps for missing indexes
 * Issue 7119 - Harden DNA plugin locking for shared server list operations (#7120)
 * Issue 7084 - UI - schema - sorting attributes breaks expanded row
 * Issue 7007 - Improve paged result search locking
 * Issue 3555 - UI - Fix audit issue with npm - glob (#7107)
 * Issue 6846 - Attribute uniqueness is not enforced with modrdn (#7026)
 * Issue 6901 - Update changelog trimming logging - fix tests
 * Issue 6901 - Update changelog trimming logging
 * Bump js-yaml from 4.1.0 to 4.1.1 in /src/cockpit/389-console (#7097)
 * Issue 7069 - Fix error reporting in HAProxy trusted IP parsing (#7094)
 * Issue 7055 - Online initialization of consumers fails with error -23 (#7075)
 * Issue 7042 - Enable global_backend_lock when memberofallbackend is enabled (#7043)
 * Issue 7078 - audit json logging does not encode binary values
 * Issue 7069 - Add Subnet/CIDR Support for HAProxy Trusted IPs (#7070)
 * Issue 6660 - CLI, UI - Improve replication log analyzer usability (#7062)
 * Issue 7065 - A search filter containing a non normalized DN assertion does not return matching
entries (#7068)
 * Issue 7071 - search filter (&(cn:dn:=groups)) no longer returns results
 * Issue 7073 - Add NDN cache size configuration and enforcement tests (#7074)
 * Issue 7041 - CLI/UI - memberOf - no way to add/remove specific group filters
 * Issue 7061 - CLI/UI - Improve error messages for dsconf localpwp list
 * Issue 7059 - UI - unable to upload pem file
 * Issue 7032 - The new ipahealthcheck test ipahealthcheck.ds.backends.BackendsCheck raises
CRITICAL issue (#7036)
 * Issue 7047 - MemberOf plugin logs null attribute name on fixup task completion (#7048)
 * Issue 7044 - RFE - index sudoHost by default (#7046)
 * Issue 6979 - Improve the way to detect asynchronous operations in the access logs (#6980)
 * Issue 7035 - RFE - memberOf - adding scoping for specific groups
 * Issue - CLI/UI - Add option to delete all replication conflict entries
 * Issue 7033 - lib389 - basic plugin status not in JSON
 * Issue 7023 - UI - if first instance that is loaded is stopped it breaks parts of the UI
 * Issue 7027 - 389-ds-base OpenScanHub Leaks Detected (#7028)
 * Issue 6966 - On large DB, unlimited IDL scan limit reduce the SRCH performance (#6967)
 * Issue 6660 - UI - Improve replication log analysis charts and usability (#6968)
 * Issue 6982 - UI - MemberOf shared config does not validate DN properly (#6983)
 * Issue 7021 - Units for changing MDB max size are not consistent across different tools (#7022)
 * Issue 6954 - do not delete referrals on chain_on_update backend
 * Issue 7018 - BUG - prevent stack depth being hit (#7019)
 * Issue 6928 - The parentId attribute is indexed with improper matching rule
 * Issue 6933 - When deferred memberof update is enabled after the server crashed it should not
launch memberof fixup
   task by default (#6935)
 * Issue 6904 - Fix config_test.py::test_lmdb_config
 * Issue 7014 - memberOf - ignored deferred updates with LMDB
 * Issue 7012 - improve dscrl dbverify result when backend does not exists (#7013)
 * Issue 6929 - Compilation failure with rust-1.89 on Fedora ELN
 * Issue 6990 - UI - Replace deprecated Select components with new TypeaheadSelect (#6996)
 * Issue 6990 - UI - Fix typeahead Select fields losing values on Enter keypress (#6991)
 * Issue 6887 - Enhance logconv.py to add support for JSON access logs (#6889)
 * Issue 6985 - Some logconv CI tests fail with BDB (#6986)
 * Issue 6891 - JSON logging - add wrapper function that checks for NULL
 * Issue 6977 - UI - Show error message when trying to use unavailable ports (#6978)
 * Issue 6956 - More UI fixes
 * Issue 6947 - Revise time skew check in healthcheck tool and add option to exclude checks
 * Issue 6805 - RFE - Multiple backend entry cache tuning
 * Issue 6843 - Add CI tests for logconv.py (#6856)
 * Issue - UI - update Radio handlers and LDAP entries last modified time
 * Issue 6660 - UI - Fix minor typo (#6955)
 * Issue 6910 - Fix latest coverity issues
 * Issue 6919 - numSubordinates/tombstoneNumSubordinates are inconsisten... (#6920)
 * Issue 6663 - Fix NULL subsystem crash in JSON error logging (#6883)
 * Issue 6940 - dsconf monitor server fails with ldapi:// due to absent server ID (#6941)
 * Issue 6936 - Make user/subtree policy creation idempotent (#6937)
 * Issue 6865 - AddressSanitizer: leak in agmt_update_init_status
 * Issue 6848 - AddressSanitizer: leak in do_search
 * Issue 6850 - AddressSanitizer: memory leak in mdb_init
 * Issue 6778 - Memory leak in roles_cache_create_object_from_entry part 2
 * Issue 6778 - Memory leak in roles_cache_create_object_from_entry
 * Issue 6181 - RFE - Allow system to manage uid/gid at startup
 * Issues 6913, 6886, 6250 - Adjust xfail marks (#6914)
 * Issue 6768 - ns-slapd crashes when a referral is added (#6780)
 * Issue 6468 - CLI - Fix default error log level
 * Issue 6339 - Address Coverity scan issues in memberof and bdb_layer (#6353)
 * Issue 6897 - Fix disk monitoring test failures and improve test maintainability (#6898)
 * Issue 6884 - Mask password hashes in audit logs (#6885)
 * Issue 6594 - Add test for numSubordinates replication consistency with tombstones (#6862)
 * Issue 6250 - Add test for entryUSN overflow on failed add operations (#6821)
 * Issue 6895 - Crash if repl keep alive entry can not be created
 * Issue 6893 - Log user that is updated during password modify extended operation
 * Issue 6772 - dsconf - Replicas with the "consumer" role allow for viewing and modification of
their
   changelog. (#6773)
 * Issue 6888 - Missing access JSON logging for TLS/Client auth
 * Issue 6680 - instance read-only mode is broken (#6681)
 * Issue 6878 - Prevent repeated disconnect logs during shutdown (#6879)
 * Issue 6872 - compressed log rotation creates files with world readable permission
 * Issue 6859 - str2filter is not fully applying matching rules
 * Issue 6868 - UI - schema attribute table expansion break after moving to a new page
 * Issue 6854 - Refactor for improved data management (#6855)
 * Issue 6756 - CLI, UI - Properly handle disabled NDN cache (#6757)
 * Issue 6857 - uiduniq: allow specifying match rules in the filter
 * Issue 6838 - lib389/replica.py is using nonexistent datetime.UTC in Python 3.9
 * Issue 6822 - Backend creation cleanup and Database UI tab error handling (#6823)
 * Issue 6782 - Improve paged result locking
 * Issue 6825 - RootDN Access Control Plugin with wildcards for IP addre... (#6826)
 * Issue 6736 - Exception thrown by dsconf instance repl get_ruv (#6742)
 * Issue 6819 - Incorrect pwdpolicysubentry returned for an entry with user password policy
 * Issue 6553 - Update concread to 0.5.6 (#6824)
 * Issue 1081 - Add a CI test (#6063)
 * Issue 6761 - Password modify extended operation should skip password policy checks when executed
by root DN
 * Issue 6791 - crash in liblmdb during instance shutdown (#6793)
 * Issue 6641 - modrdn fails when a user is member of multiple groups (#6643)
 * Issue 6776 - Enabling audit log makes slapd coredump
 * Issue 6534 - CI fails with Fedora 41 and DNF5
 * Issue 6787 - Improve error message when bulk import connection is closed
 * Issue 6727 - RFE - database compaction interval should be persistent
 * Issue 6438 - Add basic dsidm organizational unit tests
 * Issue 6439 - Fix dsidm service get_dn option
 * Issue 5120 - ns-slapd doesn't start in referral mode (#6763)


Patch instructions:

   To install this openSUSE security update use the suse recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

   zypper in -t patch openSUSE-Leap-16.0-434=1

Package List:

- openSUSE Leap 16.0:

  389-ds-3.0.6~git249.6688af9b2-160000.1.1
  389-ds-devel-3.0.6~git249.6688af9b2-160000.1.1
  389-ds-snmp-3.0.6~git249.6688af9b2-160000.1.1
  lib389-3.0.6~git249.6688af9b2-160000.1.1
  libsvrcore0-3.0.6~git249.6688af9b2-160000.1.1

References:

  * https://www.suse.com/security/cve/CVE-2025-14905.html