import 389-ds-base-1.4.3.8-5.module+el8.3.0+7569+08175a8a

2025-02-23 16:22:54 +00:00 · 2020-08-27 18:39:49 +00:00 · 2020-08-27 18:39:49 +00:00 · ab20a93ad1
commit ab20a93ad1
parent 5873faf08d
4 changed files with 606 additions and 1 deletions
--- a/SOURCES/0023-Issue-51086-Fix-instance-name-length-for-interactive.patch
+++ b/SOURCES/0023-Issue-51086-Fix-instance-name-length-for-interactive.patch
@ -0,0 +1,33 @@
 From 5e0a2d34f1c03a7d6a1c8591896a21e122d90d6b Mon Sep 17 00:00:00 2001
 From: Simon Pichugin <spichugi@redhat.com>
 Date: Thu, 23 Jul 2020 23:45:18 +0200
 Subject: [PATCH] Issue 51086 - Fix instance name length for interactive
 install
 Description: Instance name lenght is not properly validated
 during interactive install. Add a check during a user input.
 https://pagure.io/389-ds-base/issue/51086
 Reviewed by: mreynolds (Thanks!)
 ---
 src/lib389/lib389/instance/setup.py | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/src/lib389/lib389/instance/setup.py b/src/lib389/lib389/instance/setup.py
 index f5fc5495d..45c7dfdd4 100644
 --- a/src/lib389/lib389/instance/setup.py
 +++ b/src/lib389/lib389/instance/setup.py
@@ -308,6 +308,9 @@ class SetupDs(object):
             val = input('\nEnter the instance name [{}]: '.format(slapd['instance_name'])).rstrip()
             if val != "":
 +                if len(val) > 80:
 +                    print("Server identifier should not be longer than 80 symbols")
 +                    continue
                 if not all(ord(c) < 128 for c in val):
                     print("Server identifier can not contain non ascii characters")
                     continue
 -- 
 2.26.2
--- a/SOURCES/0024-Issue-51129-SSL-alert-The-value-of-sslVersionMax-TLS.patch
+++ b/SOURCES/0024-Issue-51129-SSL-alert-The-value-of-sslVersionMax-TLS.patch
@ -0,0 +1,360 @@
 From 3e11020fa7a79d335a02c001435aabcf59aaa622 Mon Sep 17 00:00:00 2001
 From: Mark Reynolds <mreynolds@redhat.com>
 Date: Fri, 24 Jul 2020 12:14:44 -0400
 Subject: [PATCH] Issue 51129 - SSL alert: The value of sslVersionMax "TLS1.3"
 is higher than the supported version
 Bug Description:  If you try and set the sslVersionMax higher than the
                  default range, but within the supported range, you
                  would still get an error and the server would reset
                  the max to "default" max value.
 Fix Description:  Keep track of both the supported and default SSL ranges,
                  and correctly use each range for value validation.  If
                  the value is outside the supported range, then use default
                  value, etc, but do not check the requested range against
                  the default range.  We only use the default range if
                  there is no specified min or max in the config, or if
                  a invalid min or max value is set in the config.
                  Also, refactored the range variable names to be more
                  accurate:
                     enabledNSSVersions -->  defaultNSSVersions
                     emin, emax         -->  dmin, dmax
 relates: https://pagure.io/389-ds-base/issue/51129
 Reviewed by: firstyear(Thanks!)
 ---
 ldap/servers/slapd/ssl.c        | 155 ++++++++++++++++----------------
 src/lib389/lib389/dirsrv_log.py |   2 +-
 2 files changed, 81 insertions(+), 76 deletions(-)
 diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
 index 846106b42..7206cafd2 100644
 --- a/ldap/servers/slapd/ssl.c
 +++ b/ldap/servers/slapd/ssl.c
@@ -50,11 +50,11 @@
  ******************************************************************************/
 #define DEFVERSION "TLS1.2"
 -#define CURRENT_DEFAULT_SSL_VERSION SSL_LIBRARY_VERSION_TLS_1_2
 extern char *slapd_SSL3ciphers;
 extern symbol_t supported_ciphers[];
 -static SSLVersionRange enabledNSSVersions;
 +static SSLVersionRange defaultNSSVersions;
 +static SSLVersionRange supportedNSSVersions;
 static SSLVersionRange slapdNSSVersions;
@@ -1014,15 +1014,24 @@ slapd_nss_init(int init_ssl __attribute__((unused)), int config_available __attr
     int create_certdb = 0;
     PRUint32 nssFlags = 0;
     char *certdir;
 -    char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
 -    /* Get the range of the supported SSL version */
 -    SSL_VersionRangeGetDefault(ssl_variant_stream, &enabledNSSVersions);
 +    char dmin[VERSION_STR_LENGTH], dmax[VERSION_STR_LENGTH];
 +    char smin[VERSION_STR_LENGTH], smax[VERSION_STR_LENGTH];
 -    (void)slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
 -    (void)slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
 +    /* Get the range of the supported SSL version */
 +    SSL_VersionRangeGetSupported(ssl_variant_stream, &supportedNSSVersions);
 +    (void)slapi_getSSLVersion_str(supportedNSSVersions.min, smin, sizeof(smin));
 +    (void)slapi_getSSLVersion_str(supportedNSSVersions.max, smax, sizeof(smax));
 +
 +    /* Get the enabled default range */
 +    SSL_VersionRangeGetDefault(ssl_variant_stream, &defaultNSSVersions);
 +    (void)slapi_getSSLVersion_str(defaultNSSVersions.min, dmin, sizeof(dmin));
 +    (void)slapi_getSSLVersion_str(defaultNSSVersions.max, dmax, sizeof(dmax));
     slapi_log_err(SLAPI_LOG_CONFIG, "Security Initialization",
                   "slapd_nss_init - Supported range by NSS: min: %s, max: %s\n",
 -                  emin, emax);
 +                  smin, smax);
 +    slapi_log_err(SLAPI_LOG_CONFIG, "Security Initialization",
 +                  "slapd_nss_init - Enabled default range by NSS: min: %s, max: %s\n",
 +                  dmin, dmax);
     /* set in slapd_bootstrap_config,
        thus certdir is available even if config_available is false
@@ -1344,21 +1353,21 @@ static int
 set_NSS_version(char *val, PRUint16 *rval, int ismin)
 {
     char *vp;
 -    char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
 +    char dmin[VERSION_STR_LENGTH], dmax[VERSION_STR_LENGTH];
     if (NULL == rval) {
         return 1;
     }
 -    (void)slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
 -    (void)slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
 +    (void)slapi_getSSLVersion_str(defaultNSSVersions.min, dmin, sizeof(dmin));
 +    (void)slapi_getSSLVersion_str(defaultNSSVersions.max, dmax, sizeof(dmax));
     if (!strncasecmp(val, SSLSTR, SSLLEN)) { /* ssl# NOT SUPPORTED */
         if (ismin) {
 -            slapd_SSL_warn("SSL3 is no longer supported.  Using NSS default min value: %s\n", emin);
 -            (*rval) = enabledNSSVersions.min;
 +            slapd_SSL_warn("SSL3 is no longer supported.  Using NSS default min value: %s", dmin);
 +            (*rval) = defaultNSSVersions.min;
         } else {
 -            slapd_SSL_warn("SSL3 is no longer supported.  Using NSS default max value: %s\n", emax);
 -            (*rval) = enabledNSSVersions.max;
 +            slapd_SSL_warn("SSL3 is no longer supported.  Using NSS default max value: %s", dmax);
 +            (*rval) = defaultNSSVersions.max;
         }
     } else if (!strncasecmp(val, TLSSTR, TLSLEN)) { /* tls# */
         float tlsv;
@@ -1366,122 +1375,122 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
         sscanf(vp, "%4f", &tlsv);
         if (tlsv < 1.1f) { /* TLS1.0 */
             if (ismin) {
 -                if (enabledNSSVersions.min > CURRENT_DEFAULT_SSL_VERSION) {
 +                if (supportedNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
                     slapd_SSL_warn("The value of sslVersionMin "
                                    "\"%s\" is lower than the supported version; "
                                    "the default value \"%s\" is used.",
 -                                   val, emin);
 -                    (*rval) = enabledNSSVersions.min;
 +                                   val, dmin);
 +                    (*rval) = defaultNSSVersions.min;
                 } else {
                     (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
                 }
             } else {
 -                if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
 +                if (supportedNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_0) {
                     /* never happens */
                     slapd_SSL_warn("The value of sslVersionMax "
                                    "\"%s\" is higher than the supported version; "
                                    "the default value \"%s\" is used.",
 -                                   val, emax);
 -                    (*rval) = enabledNSSVersions.max;
 +                                   val, dmax);
 +                    (*rval) = defaultNSSVersions.max;
                 } else {
                     (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
                 }
             }
         } else if (tlsv < 1.2f) { /* TLS1.1 */
             if (ismin) {
 -                if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_1) {
 +                if (supportedNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_1) {
                     slapd_SSL_warn("The value of sslVersionMin "
                                    "\"%s\" is lower than the supported version; "
                                    "the default value \"%s\" is used.",
 -                                   val, emin);
 -                    (*rval) = enabledNSSVersions.min;
 +                                   val, dmin);
 +                    (*rval) = defaultNSSVersions.min;
                 } else {
                     (*rval) = SSL_LIBRARY_VERSION_TLS_1_1;
                 }
             } else {
 -                if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
 +                if (supportedNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
                     /* never happens */
                     slapd_SSL_warn("The value of sslVersionMax "
                                    "\"%s\" is higher than the supported version; "
                                    "the default value \"%s\" is used.",
 -                                   val, emax);
 -                    (*rval) = enabledNSSVersions.max;
 +                                   val, dmax);
 +                    (*rval) = defaultNSSVersions.max;
                 } else {
                     (*rval) = SSL_LIBRARY_VERSION_TLS_1_1;
                 }
             }
         } else if (tlsv < 1.3f) { /* TLS1.2 */
             if (ismin) {
 -                if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_2) {
 +                if (supportedNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_2) {
                     slapd_SSL_warn("The value of sslVersionMin "
                                    "\"%s\" is lower than the supported version; "
                                    "the default value \"%s\" is used.",
 -                                   val, emin);
 -                    (*rval) = enabledNSSVersions.min;
 +                                   val, dmin);
 +                    (*rval) = defaultNSSVersions.min;
                 } else {
                     (*rval) = SSL_LIBRARY_VERSION_TLS_1_2;
                 }
             } else {
 -                if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_2) {
 +                if (supportedNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_2) {
                     /* never happens */
                     slapd_SSL_warn("The value of sslVersionMax "
                                    "\"%s\" is higher than the supported version; "
                                    "the default value \"%s\" is used.",
 -                                   val, emax);
 -                    (*rval) = enabledNSSVersions.max;
 +                                   val, dmax);
 +                    (*rval) = defaultNSSVersions.max;
                 } else {
                     (*rval) = SSL_LIBRARY_VERSION_TLS_1_2;
                 }
             }
         } else if (tlsv < 1.4f) { /* TLS1.3 */
 -                    if (ismin) {
 -                        if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_3) {
 -                            slapd_SSL_warn("The value of sslVersionMin "
 -                                           "\"%s\" is lower than the supported version; "
 -                                           "the default value \"%s\" is used.",
 -                                           val, emin);
 -                            (*rval) = enabledNSSVersions.min;
 -                        } else {
 -                            (*rval) = SSL_LIBRARY_VERSION_TLS_1_3;
 -                        }
 -                    } else {
 -                        if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_3) {
 -                            /* never happens */
 -                            slapd_SSL_warn("The value of sslVersionMax "
 -                                           "\"%s\" is higher than the supported version; "
 -                                           "the default value \"%s\" is used.",
 -                                           val, emax);
 -                            (*rval) = enabledNSSVersions.max;
 -                        } else {
 -                            (*rval) = SSL_LIBRARY_VERSION_TLS_1_3;
 -                        }
 -                    }
 +            if (ismin) {
 +                if (supportedNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_3) {
 +                    slapd_SSL_warn("The value of sslVersionMin "
 +                                   "\"%s\" is lower than the supported version; "
 +                                   "the default value \"%s\" is used.",
 +                                   val, dmin);
 +                    (*rval) = defaultNSSVersions.min;
 +                } else {
 +                    (*rval) = SSL_LIBRARY_VERSION_TLS_1_3;
 +                }
 +            } else {
 +                if (supportedNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_3) {
 +                    /* never happens */
 +                    slapd_SSL_warn("The value of sslVersionMax "
 +                                   "\"%s\" is higher than the supported version; "
 +                                   "the default value \"%s\" is used.",
 +                                   val, dmax);
 +                    (*rval) = defaultNSSVersions.max;
 +                } else {
 +                    (*rval) = SSL_LIBRARY_VERSION_TLS_1_3;
 +                }
 +            }
         } else { /* Specified TLS is newer than supported */
             if (ismin) {
                 slapd_SSL_warn("The value of sslVersionMin "
                                "\"%s\" is out of the range of the supported version; "
                                "the default value \"%s\" is used.",
 -                               val, emin);
 -                (*rval) = enabledNSSVersions.min;
 +                               val, dmin);
 +                (*rval) = defaultNSSVersions.min;
             } else {
                 slapd_SSL_warn("The value of sslVersionMax "
                                "\"%s\" is out of the range of the supported version; "
                                "the default value \"%s\" is used.",
 -                               val, emax);
 -                (*rval) = enabledNSSVersions.max;
 +                               val, dmax);
 +                (*rval) = defaultNSSVersions.max;
             }
         }
     } else {
         if (ismin) {
             slapd_SSL_warn("The value of sslVersionMin "
                            "\"%s\" is invalid; the default value \"%s\" is used.",
 -                           val, emin);
 -            (*rval) = enabledNSSVersions.min;
 +                           val, dmin);
 +            (*rval) = defaultNSSVersions.min;
         } else {
             slapd_SSL_warn("The value of sslVersionMax "
                            "\"%s\" is invalid; the default value \"%s\" is used.",
 -                           val, emax);
 -            (*rval) = enabledNSSVersions.max;
 +                           val, dmax);
 +            (*rval) = defaultNSSVersions.max;
         }
     }
     return 0;
@@ -1511,10 +1520,9 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
     char *tmpDir;
     Slapi_Entry *e = NULL;
     PRBool fipsMode = PR_FALSE;
 -    PRUint16 NSSVersionMin = enabledNSSVersions.min;
 -    PRUint16 NSSVersionMax = enabledNSSVersions.max;
 +    PRUint16 NSSVersionMin = defaultNSSVersions.min;
 +    PRUint16 NSSVersionMax = defaultNSSVersions.max;
     char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];
 -    char newmax[VERSION_STR_LENGTH];
     int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER;
     int_fast16_t renegotiation = (int_fast16_t)SSL_RENEGOTIATE_REQUIRES_XTN;
@@ -1875,12 +1883,9 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
         if (NSSVersionMin > NSSVersionMax) {
             (void)slapi_getSSLVersion_str(NSSVersionMin, mymin, sizeof(mymin));
             (void)slapi_getSSLVersion_str(NSSVersionMax, mymax, sizeof(mymax));
 -            slapd_SSL_warn("The min value of NSS version range \"%s\" is greater than the max value \"%s\".",
 +            slapd_SSL_warn("The min value of NSS version range \"%s\" is greater than the max value \"%s\".  Adjusting the max to match the miniumum.",
                            mymin, mymax);
 -            (void)slapi_getSSLVersion_str(enabledNSSVersions.max, newmax, sizeof(newmax));
 -            slapd_SSL_warn("Reset the max \"%s\" to supported max \"%s\".",
 -                           mymax, newmax);
 -            NSSVersionMax = enabledNSSVersions.max;
 +            NSSVersionMax = NSSVersionMin;
         }
     }
@@ -1896,7 +1901,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
     if (sslStatus != SECSuccess) {
         errorCode = PR_GetError();
         slapd_SSL_error("Security Initialization - "
 -                "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)\n",
 +                "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)",
                 mymin, mymax, errorCode, slapd_pr_strerror(errorCode));
     }
     /*
@@ -1926,13 +1931,13 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
             (void)slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
             (void)slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
             slapd_SSL_error("Security Initialization - "
 -                    "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)\n",
 +                    "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)",
                     mymin, mymax, errorCode, slapd_pr_strerror(errorCode));
         }
     } else {
         errorCode = PR_GetError();
         slapd_SSL_error("Security Initialization - ",
 -                "slapd_ssl_init2 - Failed to get SSL range from socket - error %d (%s)\n",
 +                "slapd_ssl_init2 - Failed to get SSL range from socket - error %d (%s)",
                 errorCode, slapd_pr_strerror(errorCode));
     }
@@ -2265,7 +2270,7 @@ slapd_SSL_client_auth(LDAP *ld)
         }
     } else {
         if (token == NULL) {
 -            slapd_SSL_warn("slapd_SSL_client_auth - certificate token was not found\n");
 +            slapd_SSL_warn("slapd_SSL_client_auth - certificate token was not found");
         }
         rc = -1;
     }
 diff --git a/src/lib389/lib389/dirsrv_log.py b/src/lib389/lib389/dirsrv_log.py
 index 7bed4bb17..ab8872051 100644
 --- a/src/lib389/lib389/dirsrv_log.py
 +++ b/src/lib389/lib389/dirsrv_log.py
@@ -207,7 +207,7 @@ class DirsrvAccessLog(DirsrvLog):
         return {
             'base': quoted_vals[0],
             'filter': quoted_vals[1],
 -            'timestamp': re.findall('\[(.*)\]', lines[0])[0],
 +            'timestamp': re.findall('[(.*)]', lines[0])[0],
             'scope': lines[0].split(' scope=', 1)[1].split(' ',1)[0]
         }
 -- 
 2.26.2
--- a/SOURCES/0025-Issue-50984-Memory-leaks-in-disk-monitoring.patch
+++ b/SOURCES/0025-Issue-50984-Memory-leaks-in-disk-monitoring.patch
@ -0,0 +1,202 @@
 From 68ca1de0f39c11056a57b03a544520bd6708d855 Mon Sep 17 00:00:00 2001
 From: Simon Pichugin <simon.pichugin@gmail.com>
 Date: Thu, 11 Jun 2020 15:39:59 +0200
 Subject: [PATCH] Issue 50984 - Memory leaks in disk monitoring
 Description: Fix the rest of the leaks in disk monitoring
 which are present when we shutdown while being below half
 of the threshold (at the start-up in main.c).
 Free directories, sockets and ports before going to cleanup.
 https://pagure.io/389-ds-base/issue/50984
 Reviewed by: mhonek, tbordaz (Thanks!)
 ---
 ldap/servers/slapd/daemon.c | 75 ++++++++++++++++++++-----------------
 ldap/servers/slapd/fe.h     |  1 +
 ldap/servers/slapd/main.c   | 49 +++++++++++++-----------
 3 files changed, 70 insertions(+), 55 deletions(-)
 diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
 index a70f40316..7091b570d 100644
 --- a/ldap/servers/slapd/daemon.c
 +++ b/ldap/servers/slapd/daemon.c
@@ -884,6 +884,46 @@ convert_pbe_des_to_aes(void)
     charray_free(attrs);
 }
 +void
 +slapd_sockets_ports_free(daemon_ports_t *ports_info)
 +{
 +    /* freeing PRFileDescs */
 +    PRFileDesc **fdesp = NULL;
 +    for (fdesp = ports_info->n_socket; fdesp && *fdesp; fdesp++) {
 +        PR_Close(*fdesp);
 +    }
 +    slapi_ch_free((void **)&ports_info->n_socket);
 +
 +    for (fdesp = ports_info->s_socket; fdesp && *fdesp; fdesp++) {
 +        PR_Close(*fdesp);
 +    }
 +    slapi_ch_free((void **)&ports_info->s_socket);
 +#if defined(ENABLE_LDAPI)
 +    for (fdesp = ports_info->i_socket; fdesp && *fdesp; fdesp++) {
 +        PR_Close(*fdesp);
 +    }
 +    slapi_ch_free((void **)&ports_info->i_socket);
 +#endif /* ENABLE_LDAPI */
 +
 +    /* freeing NetAddrs */
 +    PRNetAddr **nap;
 +    for (nap = ports_info->n_listenaddr; nap && *nap; nap++) {
 +        slapi_ch_free((void **)nap);
 +    }
 +    slapi_ch_free((void **)&ports_info->n_listenaddr);
 +
 +    for (nap = ports_info->s_listenaddr; nap && *nap; nap++) {
 +        slapi_ch_free((void **)nap);
 +    }
 +    slapi_ch_free((void **)&ports_info->s_listenaddr);
 +#if defined(ENABLE_LDAPI)
 +    for (nap = ports_info->i_listenaddr; nap && *nap; nap++) {
 +        slapi_ch_free((void **)nap);
 +    }
 +    slapi_ch_free((void **)&ports_info->i_listenaddr);
 +#endif
 +}
 +
 void
 slapd_daemon(daemon_ports_t *ports)
 {
@@ -1099,40 +1139,7 @@ slapd_daemon(daemon_ports_t *ports)
     /* free the listener indexes */
     slapi_ch_free((void **)&listener_idxs);
 -    for (fdesp = n_tcps; fdesp && *fdesp; fdesp++) {
 -        PR_Close(*fdesp);
 -    }
 -    slapi_ch_free((void **)&n_tcps);
 -
 -    for (fdesp = i_unix; fdesp && *fdesp; fdesp++) {
 -        PR_Close(*fdesp);
 -    }
 -    slapi_ch_free((void **)&i_unix);
 -
 -    for (fdesp = s_tcps; fdesp && *fdesp; fdesp++) {
 -        PR_Close(*fdesp);
 -    }
 -    slapi_ch_free((void **)&s_tcps);
 -
 -    /* freeing NetAddrs */
 -    {
 -        PRNetAddr **nap;
 -        for (nap = ports->n_listenaddr; nap && *nap; nap++) {
 -            slapi_ch_free((void **)nap);
 -        }
 -        slapi_ch_free((void **)&ports->n_listenaddr);
 -
 -        for (nap = ports->s_listenaddr; nap && *nap; nap++) {
 -            slapi_ch_free((void **)nap);
 -        }
 -        slapi_ch_free((void **)&ports->s_listenaddr);
 -#if defined(ENABLE_LDAPI)
 -        for (nap = ports->i_listenaddr; nap && *nap; nap++) {
 -            slapi_ch_free((void **)nap);
 -        }
 -        slapi_ch_free((void **)&ports->i_listenaddr);
 -#endif
 -    }
 +    slapd_sockets_ports_free(ports);
     op_thread_cleanup();
     housekeeping_stop(); /* Run this after op_thread_cleanup() logged sth */
 diff --git a/ldap/servers/slapd/fe.h b/ldap/servers/slapd/fe.h
 index 2d9a0931b..9cd122881 100644
 --- a/ldap/servers/slapd/fe.h
 +++ b/ldap/servers/slapd/fe.h
@@ -120,6 +120,7 @@ int connection_table_iterate_active_connections(Connection_Table *ct, void *arg,
  */
 int signal_listner(void);
 int daemon_pre_setuid_init(daemon_ports_t *ports);
 +void slapd_sockets_ports_free(daemon_ports_t *ports_info);
 void slapd_daemon(daemon_ports_t *ports);
 void daemon_register_connection(void);
 int slapd_listenhost2addr(const char *listenhost, PRNetAddr ***addr);
 diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
 index e54b8e1c5..9e5219c4a 100644
 --- a/ldap/servers/slapd/main.c
 +++ b/ldap/servers/slapd/main.c
@@ -734,7 +734,6 @@ main(int argc, char **argv)
      * etc the backends need to start
      */
 -
     /* Important: up 'till here we could be running as root (on unix).
      * we believe that we've not created any files before here, otherwise
      * they'd be owned by root, which is bad. We're about to change identity
@@ -891,6 +890,34 @@ main(int argc, char **argv)
     }
     }
 +    if (config_get_disk_monitoring()) {
 +        char **dirs = NULL;
 +        char *dirstr = NULL;
 +        uint64_t disk_space = 0;
 +        int64_t threshold = 0;
 +        uint64_t halfway = 0;
 +        threshold = config_get_disk_threshold();
 +        halfway = threshold / 2;
 +        disk_mon_get_dirs(&dirs);
 +        dirstr = disk_mon_check_diskspace(dirs, threshold, &disk_space);
 +        if (dirstr != NULL && disk_space < halfway) {
 +            slapi_log_err(SLAPI_LOG_EMERG, "main",
 +                          "Disk Monitoring is enabled and disk space on (%s) is too far below the threshold(%" PRIu64 " bytes). Exiting now.\n",
 +                          dirstr, threshold);
 +            slapi_ch_array_free(dirs);
 +            /*
 +             * We should free the structs we allocated for sockets and addresses
 +             * as they would be freed at the slapd_daemon but it was not initiated
 +             * at that point of start-up.
 +             */
 +            slapd_sockets_ports_free(&ports_info);
 +            return_value = 1;
 +            goto cleanup;
 +        }
 +        slapi_ch_array_free(dirs);
 +        dirs = NULL;
 +    }
 +
     /* initialize the normalized DN cache */
     if (ndn_cache_init() != 0) {
         slapi_log_err(SLAPI_LOG_EMERG, "main", "Unable to create ndn cache\n");
@@ -940,26 +967,6 @@ main(int argc, char **argv)
         slapi_ch_free((void **)&versionstring);
     }
 -    if (config_get_disk_monitoring()) {
 -        char **dirs = NULL;
 -        char *dirstr = NULL;
 -        uint64_t disk_space = 0;
 -        int64_t threshold = 0;
 -        uint64_t halfway = 0;
 -        threshold = config_get_disk_threshold();
 -        halfway = threshold / 2;
 -        disk_mon_get_dirs(&dirs);
 -        dirstr = disk_mon_check_diskspace(dirs, threshold, &disk_space);
 -        if (dirstr != NULL && disk_space < halfway) {
 -            slapi_log_err(SLAPI_LOG_EMERG, "main",
 -                          "Disk Monitoring is enabled and disk space on (%s) is too far below the threshold(%" PRIu64 " bytes). Exiting now.\n",
 -                          dirstr, threshold);
 -            return_value = 1;
 -            goto cleanup;
 -        }
 -        slapi_ch_array_free(dirs);
 -        dirs = NULL;
 -    }
     /* log the max fd limit as it is typically set in env/systemd */
     slapi_log_err(SLAPI_LOG_INFO, "main",
             "Setting the maximum file descriptor limit to: %ld\n",
 -- 
 2.26.2
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@ -45,7 +45,7 @@ ExcludeArch: i686
 Summary:          389 Directory Server (base)
 Name:             389-ds-base
 Version:          1.4.3.8
-Release:          %{?relprefix}4%{?prerel}%{?dist}
+Release:          %{?relprefix}5%{?prerel}%{?dist}
 License:          GPLv3+
 URL:              https://www.port389.org
 Group:            System Environment/Daemons
@ -196,6 +196,9 @@ Patch19:          0019-Issue-51144-dsctl-fails-with-instance-names-that-con.patc
 Patch20:          0020-Ticket-49859-A-distinguished-value-can-be-missing-in.patch
 Patch21:          0021-Issue-49256-log-warning-when-thread-number-is-very-d.patch
 Patch22:          0022-Issue-51188-db2ldif-crashes-when-LDIF-file-can-t-be-.patch
 Patch23:          0023-Issue-51086-Fix-instance-name-length-for-interactive.patch
 Patch24:          0024-Issue-51129-SSL-alert-The-value-of-sslVersionMax-TLS.patch
 Patch25:          0025-Issue-50984-Memory-leaks-in-disk-monitoring.patch
 %description
 389 Directory Server is an LDAPv3 compliant server.  The base package includes
@ -813,6 +816,13 @@ exit 0
 %doc README.md
 %changelog
 * Wed Aug 5 2020 Mark Reynolds <mreynolds@redhat.com> - 1.4.3.8-5
 - Bump version to 1.4.3.8-5
 - Resolves: Bug 1841086 - SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version
 - Resolves: Bug 1800529 - Memory leaks in disk monitoring
 - Resolves: Bug 1748227 - Instance name length is not enforced
 - Resolves: Bug 1849418 - python3-lib389 pulls unnecessary bash-completion package
 * Fri Jun 26 2020 Mark Reynolds <mreynolds@redhat.com> - 1.4.3.8-4
 - Bump version to 1.4.3.8-4
 - Resolves: Bug 1806978 - ns-slapd crashes during db2ldif