diff -Nru openldap-2.6.5+dfsg/build/version.var openldap-2.6.6+dfsg/build/version.var
--- openldap-2.6.5+dfsg/build/version.var	2023-07-10 16:27:58.000000000 +0000
+++ openldap-2.6.6+dfsg/build/version.var	2023-07-31 18:09:15.000000000 +0000
@@ -15,9 +15,9 @@
 ol_package=OpenLDAP
 ol_major=2
 ol_minor=6
-ol_patch=5
-ol_api_inc=20605
+ol_patch=6
+ol_api_inc=20606
 ol_api_current=2
 ol_api_revision=200
 ol_api_age=0
-ol_release_date="2023/07/10"
+ol_release_date="2023/07/31"
diff -Nru openldap-2.6.5+dfsg/CHANGES openldap-2.6.6+dfsg/CHANGES
--- openldap-2.6.5+dfsg/CHANGES	2023-07-10 16:27:58.000000000 +0000
+++ openldap-2.6.6+dfsg/CHANGES	2023-07-31 18:09:15.000000000 +0000
@@ -1,5 +1,10 @@
 OpenLDAP 2.6 Change Log
 
+OpenLDAP 2.6.6 Release (2023/07/31)
+	Fixed slapd cn=config incorrect handling of paused (ITS#10045)
+	Fixed slapd-meta to account for MOD ops being optional (ITS#10067)
+	Fixed slapd-asyncmeta to account for MOD ops being optional (ITS#10067)
+
 OpenLDAP 2.6.5 Release (2023/07/10)
 	Fixed libldap handling of TCP KEEPALIVE options (ITS#10015)
 	Fixed libldap with async connections (ITS#10023)
diff -Nru openldap-2.6.5+dfsg/debian/changelog openldap-2.6.6+dfsg/debian/changelog
--- openldap-2.6.5+dfsg/debian/changelog	2023-07-27 17:18:18.000000000 +0000
+++ openldap-2.6.6+dfsg/debian/changelog	2023-08-02 23:53:17.000000000 +0000
@@ -1,3 +1,31 @@
+openldap (2.6.6+dfsg-1~exp1ubuntu1) mantic; urgency=medium
+
+  * Merge with Debian unstable (LP: #2028721). Remaining changes:
+    - Enable AppArmor support:
+      + d/apparmor-profile: add AppArmor profile
+      + d/rules: use dh_apparmor
+      + d/control: Build-Depends on dh-apparmor
+      + d/slapd.README.Debian: add note about AppArmor
+    - Enable ufw support:
+      + d/control: suggest ufw.
+      + d/rules: install ufw profile.
+      + d/slapd.ufw.profile: add ufw profile.
+    - d/{rules,slapd.py}: Add apport hook.
+    - d/rules: better regexp to match the Maintainer tag in d/control,
+      needed in the Ubuntu case because of XSBC-Original-Maintainer
+      (Closes #960448, LP #1875697)
+    - d/t/smbk5pwd: Allow the openldap user to read the Heimdal master key in the
+      smbk5pwd DEP8 test (LP #2004560)
+      [ Partially incorporated by Debian. ]
+
+ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Wed, 02 Aug 2023 19:53:17 -0400
+
+openldap (2.6.6+dfsg-1~exp1) experimental; urgency=medium
+
+  * New upstream version 2.6.6+dfsg
+
+ -- Sergio Durigan Junior <sergiodj@debian.org>  Mon, 31 Jul 2023 18:24:38 -0400
+
 openldap (2.6.5+dfsg-1~exp1ubuntu1) mantic; urgency=medium
 
   * Merge with Debian unstable (LP: #2028721). Remaining changes:
diff -Nru openldap-2.6.5+dfsg/doc/guide/admin/guide.html openldap-2.6.6+dfsg/doc/guide/admin/guide.html
--- openldap-2.6.5+dfsg/doc/guide/admin/guide.html	2023-07-10 19:42:07.000000000 +0000
+++ openldap-2.6.6+dfsg/doc/guide/admin/guide.html	2023-07-31 20:08:53.000000000 +0000
@@ -23,7 +23,7 @@
 <DIV CLASS="title">
 <H1 CLASS="doc-title">OpenLDAP Software 2.6 Administrator's Guide</H1>
 <ADDRESS CLASS="doc-author">The OpenLDAP Project &lt;<A HREF="https://www.openldap.org/">https://www.openldap.org/</A>&gt;</ADDRESS>
-<ADDRESS CLASS="doc-modified">10 July 2023</ADDRESS>
+<ADDRESS CLASS="doc-modified">31 July 2023</ADDRESS>
 <BR CLEAR="All">
 </DIV>
 <DIV CLASS="contents">
diff -Nru openldap-2.6.5+dfsg/servers/slapd/back-asyncmeta/modify.c openldap-2.6.6+dfsg/servers/slapd/back-asyncmeta/modify.c
--- openldap-2.6.5+dfsg/servers/slapd/back-asyncmeta/modify.c	2023-07-10 16:27:58.000000000 +0000
+++ openldap-2.6.6+dfsg/servers/slapd/back-asyncmeta/modify.c	2023-07-31 18:09:15.000000000 +0000
@@ -67,21 +67,15 @@
 
 	for ( i = 0, ml = op->orm_modlist; ml; i++ ,ml = ml->sml_next )
 		;
-	if (i > 0) {
-		mods = op->o_tmpalloc( sizeof( LDAPMod )*i, op->o_tmpmemctx );
-	}
 
-	if ( mods == NULL ) {
-		rs->sr_err = LDAP_OTHER;
-		retcode = META_SEARCH_ERR;
-		goto doreturn;
-	}
-	modv = ( LDAPMod ** )op->o_tmpalloc( ( i + 1 )*sizeof( LDAPMod * ), op->o_tmpmemctx );
+	modv = op->o_tmpalloc( ( i + 1 )*sizeof( LDAPMod * ) + i*sizeof( LDAPMod ),
+			op->o_tmpmemctx );
 	if ( modv == NULL ) {
 		rs->sr_err = LDAP_OTHER;
 		retcode = META_SEARCH_ERR;
 		goto doreturn;
 	}
+	mods = (LDAPMod *)&modv[ i + 1 ];
 
 	isupdate = be_shadow_update( op );
 	for ( i = 0, ml = op->orm_modlist; ml; ml = ml->sml_next ) {
@@ -224,6 +218,8 @@
 		op->o_tmpfree( mdn.bv_val, op->o_tmpmemctx );
 	}
 
+	op->o_tmpfree( modv, op->o_tmpmemctx );
+
 doreturn:;
 	Debug( LDAP_DEBUG_TRACE, "%s <<< asyncmeta_back_modify_start[%p]=%d\n", op->o_log_prefix, msc, candidates[candidate].sr_msgid );
 	return retcode;
diff -Nru openldap-2.6.5+dfsg/servers/slapd/back-meta/modify.c openldap-2.6.6+dfsg/servers/slapd/back-meta/modify.c
--- openldap-2.6.5+dfsg/servers/slapd/back-meta/modify.c	2023-07-10 16:27:58.000000000 +0000
+++ openldap-2.6.6+dfsg/servers/slapd/back-meta/modify.c	2023-07-31 18:09:15.000000000 +0000
@@ -74,18 +74,8 @@
 	for ( i = 0, ml = op->orm_modlist; ml; i++ ,ml = ml->sml_next )
 		;
 
-	mods = ch_malloc( sizeof( LDAPMod )*i );
-	if ( mods == NULL ) {
-		rs->sr_err = LDAP_OTHER;
-		send_ldap_result( op, rs );
-		goto cleanup;
-	}
-	modv = ( LDAPMod ** )ch_malloc( ( i + 1 )*sizeof( LDAPMod * ) );
-	if ( modv == NULL ) {
-		rs->sr_err = LDAP_OTHER;
-		send_ldap_result( op, rs );
-		goto cleanup;
-	}
+	modv = ch_malloc( ( i + 1 )*sizeof( LDAPMod * ) + i*sizeof( LDAPMod ) );
+	mods = (LDAPMod *)&modv[ i + 1 ];
 
 	dc.ctx = "modifyAttrDN";
 	isupdate = be_shadow_update( op );
@@ -206,11 +196,10 @@
 	}
 	if ( modv != NULL ) {
 		for ( i = 0; modv[ i ]; i++ ) {
-			free( modv[ i ]->mod_bvalues );
+			ch_free( modv[ i ]->mod_bvalues );
 		}
 	}
-	free( mods );
-	free( modv );
+	ch_free( modv );
 
 	if ( mc ) {
 		meta_back_release_conn( mi, mc );
diff -Nru openldap-2.6.5+dfsg/servers/slapd/bconfig.c openldap-2.6.6+dfsg/servers/slapd/bconfig.c
--- openldap-2.6.5+dfsg/servers/slapd/bconfig.c	2023-07-10 16:27:58.000000000 +0000
+++ openldap-2.6.6+dfsg/servers/slapd/bconfig.c	2023-07-31 18:09:15.000000000 +0000
@@ -5762,7 +5762,7 @@
 		dopause = 0;
 	if ( op->o_abandon ) {
 		rs->sr_err = SLAPD_ABANDON;
-		goto out;
+		goto unpause;
 	}
 
 	ldap_pvt_thread_rdwr_wlock( &cfb->cb_rwlock );
@@ -5833,10 +5833,11 @@
 out2:;
 	ldap_pvt_thread_rdwr_wunlock( &cfb->cb_rwlock );
 
-out:;
+unpause:;
 	if ( dopause )
 		slap_unpause_server();
 
+out:;
 	{	int repl = op->o_dont_replicate;
 		if ( rs->sr_err == LDAP_COMPARE_TRUE ) {
 			rs->sr_text = NULL; /* Set after config_add_internal */
@@ -6355,7 +6356,7 @@
 			do_pause = 0;
 		if ( op->o_abandon ) {
 			rs->sr_err = SLAPD_ABANDON;
-			goto out;
+			goto unpause;
 		}
 	}
 	ldap_pvt_thread_rdwr_wlock( &cfb->cb_rwlock );
@@ -6403,9 +6404,10 @@
 	}
 
 	ldap_pvt_thread_rdwr_wunlock( &cfb->cb_rwlock );
-out:
+unpause:;
 	if ( do_pause )
 		slap_unpause_server();
+out:
 	if ( num_ctrls ) rs->sr_ctrls = ctrls;
 	send_ldap_result( op, rs );
 	slap_graduate_commit_csn( op );
@@ -6576,7 +6578,7 @@
 		dopause = 0;
 	if ( op->o_abandon ) {
 		rs->sr_err = SLAPD_ABANDON;
-		goto out;
+		goto unpause;
 	}
 
 	ldap_pvt_thread_rdwr_wlock( &cfb->cb_rwlock );
@@ -6661,9 +6663,10 @@
 
 	ldap_pvt_thread_rdwr_wunlock( &cfb->cb_rwlock );
 
-out:
+unpause:
 	if ( dopause )
 		slap_unpause_server();
+out:
 	if ( num_ctrls ) rs->sr_ctrls = ctrls;
 	send_ldap_result( op, rs );
 	return rs->sr_err;