- pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443,

- incorporate upstream patch to fix a NULL pointer dereference while processing
  certain TGS requests (CVE-2013-1416, #950342)

- incorporate upstream patch to fix a NULL pointer dereference when the client
  supplies an otherwise-normal-looking PKINIT request (CVE-2013-1415, #917909)
- add patch to avoid dereferencing a NULL pointer in the KDC when handling a
  draft9 PKINIT request (#917909, CVE-2012-1016)

- make -server conflict with older versions of SELinux policy that didn't
  allow us to use eventfds, which libverto's backend may depend on in order
  to properly shut down a multi-worker KDC (#871524)

- cut down the number of times we load SELinux labeling configuration from
  a minimum of two times to actually one (#852455)

- pull up the patch to correct a possible NULL pointer dereference in
  kadmind (CVE-2012-1013, #827517)

- selinux: reliably reset the file creation context after setting it when we
  flush replay caches, in cases where there was none explicitly set beforehand
  (#813883)

- add candidate patch to fix a NULL pointer dereference while processing TGS
  requests (MITKRB5-SA-2011-007, #754046)

- handle a harder-to-trigger assertion failure that starts cropping up when we
  exit the transmit loop on time (#746341)
- apply upstream patch to fix a null pointer derference with the LDAP kdb
  backend (CVE-2011-1527), an assertion failure with multiple kdb backends
  (CVE-2011-1528), and a null pointer dereference with multiple kdb backends
  (CVE-2011-1529) (MITKRB5-SA-2011-006, #740085)

- apply upstream patch to fix a null pointer derference with the LDAP kdb
  backend (CVE-2011-1527), an assertion failure with multiple kdb backends
  (CVE-2011-1528), and a null pointer dereference with multiple kdb backends
  (CVE-2011-1529) (#740084)

- apply upstream patch to fix a null pointer derference with the LDAP kdb
  backend (CVE-2011-1527), an assertion failure with multiple kdb backends
  (CVE-2011-1528), and a null pointer dereference with multiple kdb backends
  (CVE-2011-1529) (#740084)

- apply upstream patch by way of Burt Holzman to fall back to a non-referral
  method in cases where we might be derailed by a KDC that rejects the
  canonicalize option (for example, those from the RHEL 2.1 or 3 era) (#714866)

- kadmind: add upstream patch to fix free() on an invalid pointer (#696342,
  MITKRB5-SA-2011-004, CVE-2011-0285)

- kadmind: add upstream patch to fix free() on an invalid pointer (#696341,
  MITKRB5-SA-2011-004, CVE-2011-0285)

- add revised upstream patch to fix double-free in KDC while returning
  typed-data with errors (CVE-2011-0284, #681564)

- add upstream patches to fix standalone kpropd exiting if the per-client
  child process exits with an error, and hang or crash in the KDC when using
  the LDAP kdb backend (CVE-2010-4022, CVE-2011-0281, CVE-2011-0282, #671101)

- pull up crypto changes made between 1.8.2 and 1.8.3 to fix upstream #6751,
  assumed to already be there for the next fix
- incorporate candidate patch to fix various issues from MITKRB5-SA-2010-007
  (CVE-2010-1323, CVE-2010-1324, CVE-2010-4020, #651962)

- incorporate candidate patch to fix uninitialized pointer crash in the KDC
  (CVE-2010-1322, #636336)

- build with -fstack-protector-all instead of the default -fstack-protector,
  so that we add checking to more functions (i.e., all of them) (#629950)
- also link binaries with -Wl,-z,relro,-z,now (part of #629950)