RLSA-2026:26456

389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

Security Fix(es):

• 389-ds-base: 389-ds-base: unbounded LDAP controls count in getldapmessagecontrols_ext() causes CPU and heap amplification (remote DoS) (CVE-2026-9064)

Bug Fix(es) and Enhancement(s):

• DS 12 does not handle escape char in bind user [rhel-10.2.z] (JIRA:Rocky Linux-170271)

• dnaSharedConfig: "dnaPortNum: 0" [rhel-10.2.z] (JIRA:Rocky Linux-170276)

• Memory leaks in syncrepl plugin during persistent search operations [rhel-10.2.z] (JIRA:Rocky Linux-170281)

• access log - suspicious wtime optime negative and large values in internal op [rhel-10.2.z] (JIRA:Rocky Linux-170363)

• An online reinitialization with LMDB is terminating the receiving server [rhel-10.2.z] (JIRA:Rocky Linux-170478)

• dsctl healthcheck DSMOLE0001 inaccurate recommendations when there is more than 1 LDAP backend [rhel-10.2.z] (JIRA:Rocky Linux-170481)

• Possible memory leak when using the Retro Changelog plugin. [rhel-10.2.z] (JIRA:Rocky Linux-170515)

• [RFE] Add OS-level thread names to all server threads [rhel-10.2.z] (JIRA:Rocky Linux-174526)

• Online export is failing when using the option "-s" [rhel-10.2.z] (JIRA:Rocky Linux-180718)

• Server shutdown during online reindex may lead to data loss [rhel-10.2.z] (JIRA:Rocky Linux-183897)

• Error: NssSsl.addcert() got an unexpected keyword argument 'inputfile' [rhel-10.2.z] (JIRA:Rocky Linux-183898)

• Replication errors in logs [rhel-10.2.z] (JIRA:Rocky Linux-183899)

• Substring index produces empty results and can crash when non-default nsSubStrBegin/nsSubStrEnd lengths are configured [rhel-10.2.z] (JIRA:Rocky Linux-183900)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.