diff --git a/bnc#897874-CVE-2014-5351.diff b/bnc#897874-CVE-2014-5351.diff
new file mode 100644
index 0000000..c6b5146
--- /dev/null
+++ b/bnc#897874-CVE-2014-5351.diff
@@ -0,0 +1,49 @@
+diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
+index 5d358bd..d4e74cc 100644
+--- a/src/lib/kadm5/srv/svr_principal.c
++++ b/src/lib/kadm5/srv/svr_principal.c
+@@ -344,6 +344,20 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
+     *passptr = NULL;
+ }
+ 
++/* Return the number of keys with the newest kvno.  Assumes that all key data
++ * with the newest kvno are at the front of the key data array. */
++static int
++count_new_keys(int n_key_data, krb5_key_data *key_data)
++{
++    int n;
++
++    for (n = 1; n < n_key_data; n++) {
++        if (key_data[n - 1].key_data_kvno != key_data[n].key_data_kvno)
++            return n;
++    }
++    return n_key_data;
++}
++
+ kadm5_ret_t
+ kadm5_create_principal(void *server_handle,
+                        kadm5_principal_ent_t entry, long mask,
+@@ -1593,7 +1607,7 @@ kadm5_randkey_principal_3(void *server_handle,
+     osa_princ_ent_rec           adb;
+     krb5_int32                  now;
+     kadm5_policy_ent_rec        pol;
+-    int                         ret, last_pwd;
++    int                         ret, last_pwd, n_new_keys;
+     krb5_boolean                have_pol = FALSE;
+     kadm5_server_handle_t       handle = server_handle;
+     krb5_keyblock               *act_mkey;
+@@ -1686,8 +1700,9 @@ kadm5_randkey_principal_3(void *server_handle,
+     kdb->fail_auth_count = 0;
+ 
+     if (keyblocks) {
+-        ret = decrypt_key_data(handle->context,
+-                               kdb->n_key_data, kdb->key_data,
++        /* Return only the new keys added by krb5_dbe_crk. */
++        n_new_keys = count_new_keys(kdb->n_key_data, kdb->key_data);
++        ret = decrypt_key_data(handle->context, n_new_keys, kdb->key_data,
+                                keyblocks, n_keys);
+         if (ret)
+             goto done;
+-- 
+1.8.5.2
+
diff --git a/krb5.changes b/krb5.changes
index d272f7f..3e6db84 100644
--- a/krb5.changes
+++ b/krb5.changes
@@ -1,4 +1,10 @@
 -------------------------------------------------------------------
+Tue Sep 23 13:25:33 UTC 2014 - varkoly@suse.com
+
+-  bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal 
+- added patches:
+  * bnc#897874-CVE-2014-5351.diff
+-------------------------------------------------------------------
 Sat Aug 30 22:29:28 UTC 2014 - andreas.stieger@gmx.de
 
 - krb5 5.12.2:
diff --git a/krb5.spec b/krb5.spec
index 080863a..a180d6b 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -83,6 +83,7 @@ Patch12:        krb5-1.12-selinux-label.patch
 Patch13:        krb5-1.9-debuginfo.patch
 Patch14:        krb5-kvno-230379.patch
 Patch20:        krb5-1.12-doxygen.patch
+Patch21:        bnc#897874-CVE-2014-5351.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@@ -203,6 +204,7 @@ Include Files for Development
 %patch13 -p0
 %patch14 -p1
 %patch20 -p1
+%patch21 -p1
 
 %build
 # needs to be re-generated