diff --git a/.cirrus.yml b/.cirrus.yml
index 88ffb16c76..446116bb5b 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -14,9 +14,9 @@ config: &CONFIG --build-type=release --disable-broker-tests --prefix=$CIRRUS_WOR
 no_spicy_config: &NO_SPICY_CONFIG --build-type=release --disable-broker-tests --disable-spicy --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
 static_config: &STATIC_CONFIG --build-type=release --disable-broker-tests --enable-static-broker --enable-static-binpac --prefix=$CIRRUS_WORKING_DIR/install --ccache --enable-werror
 binary_config: &BINARY_CONFIG --prefix=$CIRRUS_WORKING_DIR/install --libdir=$CIRRUS_WORKING_DIR/install/lib --binary-package --enable-static-broker --enable-static-binpac --disable-broker-tests --build-type=Release --ccache --enable-werror
-asan_sanitizer_config: &ASAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=address --enable-fuzzers --enable-coverage --disable-spicy --ccache
-ubsan_sanitizer_config: &UBSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=undefined --enable-fuzzers --disable-spicy --ccache --enable-werror
-tsan_sanitizer_config: &TSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=thread --enable-fuzzers --disable-spicy --ccache --enable-werror
+asan_sanitizer_config: &ASAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=address --enable-fuzzers --enable-coverage --ccache --enable-werror
+ubsan_sanitizer_config: &UBSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=undefined --enable-fuzzers --ccache --enable-werror
+tsan_sanitizer_config: &TSAN_SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=thread --enable-fuzzers --ccache --enable-werror
 
 resources_template: &RESOURCES_TEMPLATE
 cpu: *CPUS
diff --git a/CHANGES b/CHANGES
index 8039297725..dfc7fb6e91 100644
--- a/CHANGES
+++ b/CHANGES
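Review bot: The asan line changes more than the CHANGES entry "cirrus: Do not disable Spicy for sanitizer builds" describes: besides dropping `--disable-spicy`, it is the only one of the three that newly gains `--enable-werror`, which turns warnings in the ASAN+coverage build into failures. If that is intentional, a one-line mention in the changelog entry, or a YAML comment on the line such as `# asan now builds with -Werror like the ubsan/tsan configs`, would keep the next reader from treating it as an accident. The ubsan and tsan lines are a pure removal of `--disable-spicy`.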
@@ -1,3 +1,45 @@
+7.1.0-dev.99 | 2024-08-06 20:08:37 +0200
+
+* Bump auxil/spicy to latest development snapshot (Arne Welzel, Corelight)
+
+* spicy/runtime-support: Switch ParameterMismatch::_fmt to static (Arne Welzel, Corelight)
+
+UBSAN's vptr sanitize isn't happy with the call to _fmt()
+in its member initializer list.
+
+$ zeek -r Traces/ssh/single-conn.trace .tmp/spicy.event-args-mismatch/test.hlto .tmp/spicy.event-args-mismatch/event-args-mismatch.zeek
+<...>/src/include/zeek/spicy/runtime-support.h:80:29: runtime error: member call on address 0x511000369540 which does not point to an object of type 'zeek::spicy::rt::ParameterMismatch'
+0x511000369540: note: object has invalid vptr
+00 00 00 00 be be be be be be be be be be be be be be be be be be be be be be be be be be be be
+^~~~~~~~~~~~~~~~~~~~~~~
+invalid vptr
+#0 0x7f9c9977b019 in zeek::spicy::rt::ParameterMismatch::ParameterMismatch(std::basic_string_view>, zeek::IntrusivePtr const&, std::basic_string_view>) <...>/src/include/zeek/spicy/runtime-support.h:80:29
+#1 0x7f9c9977a6a2 in zeek::spicy::rt::to_val(hilti::rt::Bytes const&, zeek::IntrusivePtr const&) <...>/src/include/zeek/spicy/runtime-support.h:562:15
+
+* coverage/lcov_html: Ignore testing/btest/.tmp (Arne Welzel, Corelight)
+
+gcda/gcno files in the btest/.tmp directory are from .htlo files
+referencing ephemeral cc files. No need to include these.
+
+* cirrus: Do not disable Spicy for sanitizer builds (Arne Welzel, Corelight)
+
+* ldap: Avoid unset m$opcode (Arne Welzel, Corelight)
+
+Initial fuzzing caused a bind response to arrive before a bind request,
+resulting in an unset field expression error:
+
+expression error in base/protocols/ldap/main.zeek, line 270: field value missing (LDAP::m$opcode)
+
+Prevent this by ensuring m$opcode is set and raising instead.
+
+* GH-3860: fuzzers: Add LDAP fuzzing (Arne Welzel, Corelight)
+
+LDAP supports both, UDP and TCP as separate analyzers. The corpus
+is identical, however. Started to hit the TLS analyzer fairly
+quickly, too.
+
+Closes #3860
+
 7.1.0-dev.92 | 2024-08-06 09:01:40 -0700
 
 * Don't install empty ZAM directories (Tim Wojtulewicz, Corelight)
diff --git a/VERSION b/VERSION
index d4c566df5e..8652984ad5 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-7.1.0-dev.92
+7.1.0-dev.99
diff --git a/auxil/spicy b/auxil/spicy
index 4c5c26bf34..7cddc357ff 160000
--- a/auxil/spicy
+++ b/auxil/spicy
@@ -1 +1 @@
-Subproject commit 4c5c26bf34c2cf2cedf56270e84f1271fcf94465
+Subproject commit 7cddc357ff83175984e19037f1f8062a69cf2030
diff --git a/scripts/base/protocols/ldap/main.zeek b/scripts/base/protocols/ldap/main.zeek
index da4a21871c..1e23c7bf84 100644
--- a/scripts/base/protocols/ldap/main.zeek
+++ b/scripts/base/protocols/ldap/main.zeek
@@ -229,6 +229,10 @@ event LDAP::message(c: connection,
 fmt("%s: %s -> %s", message_id, m$opcode, opcode_str), "LDAP");
 }
 
+m$opcode = opcode_str;
+} else if ( ! m?$opcode ) {
+# This can happen if we see a bind response before the bind request.
+Reporter::conn_weird("LDAP_bind_without_opcode", c, fmt("%s: %s", message_id, opcode_str), "LDAP");
 m$opcode = opcode_str;
 }
 
diff --git a/src/fuzzers/CMakeLists.txt b/src/fuzzers/CMakeLists.txt
index 41a46dc64a..5a4b13f888 100644
--- a/src/fuzzers/CMakeLists.txt
+++ b/src/fuzzers/CMakeLists.txt
@@ -107,6 +107,8 @@ add_generic_analyzer_fuzz_target(dhcp udp)
 add_generic_analyzer_fuzz_target(dnp3_tcp)
 add_generic_analyzer_fuzz_target(dtls udp)
 add_generic_analyzer_fuzz_target(irc)
+add_generic_analyzer_fuzz_target(ldap_udp udp)
+add_generic_analyzer_fuzz_target(ldap_tcp tcp)
 add_generic_analyzer_fuzz_target(modbus)
 add_generic_analyzer_fuzz_target(mqtt)
 add_generic_analyzer_fuzz_target(mysql)
diff --git a/src/fuzzers/corpora/ldap_tcp-corpus.zip b/src/fuzzers/corpora/ldap_tcp-corpus.zip
new file mode 100644
index 0000000000..e95f0c4b53
Binary files /dev/null and b/src/fuzzers/corpora/ldap_tcp-corpus.zip differ
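Review bot: The new `else if ( ! m?$opcode )` branch stores the opcode of a message for which no bind request was seen, so whatever later reads `m$opcode` (the line-270 use named in the CHANGES entry is outside this hunk) now consumes a value supplied by the responding side rather than one established by a request; the weird makes that observable, but the comment should state it, e.g. `# No bind request was seen for this message; record the response's opcode so later code does not hit an unset field, and flag it as a weird.` As a point of style, the existing conn_weird call two lines up places its `fmt()` argument on a continuation line while the new call keeps everything on one long line; matching the earlier layout keeps the two weird sites consistent. The enclosing if/else starts before this hunk, so whether this branch is also reachable for non-bind messages is not visible here.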
diff --git a/src/fuzzers/corpora/ldap_udp-corpus.zip b/src/fuzzers/corpora/ldap_udp-corpus.zip
new file mode 100644
index 0000000000..e95f0c4b53
Binary files /dev/null and b/src/fuzzers/corpora/ldap_udp-corpus.zip differ
diff --git a/src/spicy/runtime-support.h b/src/spicy/runtime-support.h
index 9ffef2d9d0..0397dc86cc 100644
--- a/src/spicy/runtime-support.h
+++ b/src/spicy/runtime-support.h
@@ -80,7 +80,7 @@ public:
 : ParameterMismatch(_fmt(have, want)) {}
 
 private:
-std::string _fmt(const std::string_view& have, const TypePtr& want) {
+static std::string _fmt(const std::string_view& have, const TypePtr& want) {
 ODesc d;
 want->Describe(&d);
 return hilti::rt::fmt("cannot convert Spicy value of type '%s' to Zeek value of type '%s'", have,
diff --git a/testing/coverage/lcov_html.sh b/testing/coverage/lcov_html.sh
index ba8c8a37df..be65e4add4 100755
--- a/testing/coverage/lcov_html.sh
+++ b/testing/coverage/lcov_html.sh
@@ -116,7 +116,7 @@ verify_run "which lcov" \
 
 # 4. Create a "tracefile" through lcov, which is necessary to create output later on.
 echo -n "Creating tracefile for output generation... "
-verify_run "lcov --no-external --capture --directory . --output-file $COVERAGE_FILE"
+verify_run "lcov --no-external --capture --directory . --exclude 'testing/btest/.tmp/*' --output-file $COVERAGE_FILE"
 
 # 5. Remove a number of 3rdparty and "extra" files that shouldn't be included in the
 # Zeek coverage numbers.
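Review bot: The reason `_fmt` must be `static` is not recorded in the header, so a later cleanup could drop the keyword and reintroduce the UBSAN vptr report quoted in the CHANGES entry; a comment above the new line would preserve it, e.g. `// static: invoked from the delegating constructor's mem-initializer, i.e. before *this is constructed, which UBSAN's vptr check otherwise reports as a member call on an unconstructed object.` While the signature is being touched, `const std::string_view& have` would more conventionally be `std::string_view have`, since a string_view is a cheap view meant to be passed by value. `want->Describe(&d)` also dereferences `want` unchecked, so if a null TypePtr can reach this constructor (not visible here) the error-formatting path itself would crash; either a precondition comment or a null guard that substitutes a placeholder type name would settle that. The rest of `_fmt` runs past the end of the hunk.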
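Review bot: The new `--exclude 'testing/btest/.tmp/*'` may match nothing, because lcov applies --exclude patterns to the full source path recorded in the coverage data — absolute paths once `--no-external` has resolved them — and, in the lcov releases I am aware of, a glob without a leading wildcard is anchored at the start of that path; `--exclude '*/testing/btest/.tmp/*'` would match regardless of where the checkout lives. Whether the exclusion took effect can be confirmed by grepping `$COVERAGE_FILE` for `.tmp` after step 4, and the step-5 removal of third-party files described by the following comment is the other natural place to drop these entries, though that code is outside this hunk. The single quotes sit inside the double-quoted string handed to `verify_run`, so whether a shell strips them before lcov sees them depends on how verify_run executes its argument, which is not visible here.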