diff --git a/krb5-1.6.3-post.dif b/krb5-1.6.3-post.dif
index d136ad3..da018c7 100644
--- a/krb5-1.6.3-post.dif
+++ b/krb5-1.6.3-post.dif
@@ -2867,3 +2867,190 @@ Index: src/util/profile/prof_init.c for (fs = files; !PROFILE_LAST_FILESPEC(*fs); fs++) { retval = profile_open_file(*fs, &new_file); /* if this file is missing, skip to the next */ +Index: src/kdc/network.c +=================================================================== +--- src/kdc/network.c (Revision 20580) ++++ src/kdc/network.c (Revision 20587) +@@ -277,6 +277,12 @@ + struct connection *newconn; + void *tmp; + ++ if (sock > FD_SETSIZE) { ++ data->retval = EMFILE; /* XXX */ ++ com_err(data->prog, 0, ++ "file descriptor number %d too high", sock); ++ return 0; ++ } + newconn = malloc(sizeof(*newconn)); + if (newconn == 0) { + data->retval = errno; +@@ -360,6 +366,12 @@ + paddr(addr)); + return -1; + } ++ if (sock > FD_SETSIZE) { ++ close(sock); ++ com_err(data->prog, 0, "TCP socket fd number %d (for %s) too high", ++ sock, paddr(addr)); ++ return -1; ++ } + if (setreuseaddr(sock, 1) < 0) + com_err(data->prog, errno, + "Cannot enable SO_REUSEADDR on fd %d", sock); +@@ -791,6 +803,10 @@ + s = accept(conn->fd, addr, &addrlen); + if (s < 0) + return; ++ if (s > FD_SETSIZE) { ++ close(s); ++ return; ++ } + setnbio(s), setnolinger(s); + + sockdata.prog = prog; +Index: src/lib/gssapi/krb5/accept_sec_context.c +=================================================================== +--- src/lib/gssapi/krb5/accept_sec_context.c (Revision 20580) ++++ src/lib/gssapi/krb5/accept_sec_context.c (Revision 20587) +@@ -1,5 +1,5 @@ + /* +- * Copyright 2000, 2004 by the Massachusetts Institute of Technology. ++ * Copyright 2000, 2004, 2008 by the Massachusetts Institute of Technology. + * All Rights Reserved. 
+ * + * Export of this software from the United States of America may +@@ -249,6 +249,7 @@ + krb5_data option; + const gss_OID_desc *mech_used = NULL; + OM_uint32 major_status = GSS_S_FAILURE; ++ OM_uint32 tmp_minor_status; + krb5_error krb_error_data; + krb5_data scratch; + gss_cred_id_t cred_handle = NULL; +@@ -903,13 +904,14 @@ + + if (!GSS_ERROR(major_status) && major_status != GSS_S_CONTINUE_NEEDED) { + ctx->k5_context = context; +- return(major_status); ++ context = NULL; ++ goto done; + } + + /* from here on is the real "fail" code */ + + if (ctx) +- (void) krb5_gss_delete_sec_context(minor_status, ++ (void) krb5_gss_delete_sec_context(&tmp_minor_status, + (gss_ctx_id_t *) &ctx, NULL); + if (deleg_cred) { /* free memory associated with the deleg credential */ + if (deleg_cred->ccache) +@@ -936,10 +938,9 @@ + if (decode_req_message) { + krb5_ap_req * request; + +- if (decode_krb5_ap_req(&ap_req, &request)) { +- krb5_free_context(context); +- return (major_status); +- } ++ if (decode_krb5_ap_req(&ap_req, &request)) ++ goto done; ++ + if (request->ap_options & AP_OPTS_MUTUAL_REQUIRED) + gss_flags |= GSS_C_MUTUAL_FLAG; + krb5_free_ap_req(context, request); +@@ -967,20 +968,16 @@ + krb_error_data.server = cred->princ; + + code = krb5_mk_error(context, &krb_error_data, &scratch); +- if (code) { +- krb5_free_context(context); +- return (major_status); +- } ++ if (code) ++ goto done; + + tmsglen = scratch.length; + toktype = KG_TOK_CTX_ERROR; + + token.length = g_token_size(mech_used, tmsglen); + token.value = (unsigned char *) xmalloc(token.length); +- if (!token.value) { +- krb5_free_context(context); +- return (major_status); +- } ++ if (!token.value) ++ goto done; + + ptr = token.value; + g_make_token_header(mech_used, tmsglen, &ptr, toktype); +@@ -990,9 +987,13 @@ + + *output_token = token; + } ++ ++ done: + if (!verifier_cred_handle && cred_handle) { +- krb5_gss_release_cred(minor_status, &cred_handle); ++ krb5_gss_release_cred(&tmp_minor_status, 
&cred_handle); + } +- krb5_free_context(context); ++ if (context) { ++ krb5_free_context(context); ++ } + return (major_status); + } +Index: src/lib/comerr32.def +=================================================================== +--- src/lib/comerr32.def (Revision 20580) ++++ src/lib/comerr32.def (Revision 20587) +@@ -3,10 +3,10 @@ + HEAPSIZE 8192 + + EXPORTS +- com_err +- com_err_va +- error_message +- add_error_table +- remove_error_table +- set_com_err_hook +- reset_com_err_hook ++ com_err @2 ++ com_err_va @3 ++ error_message @4 ++ add_error_table @1 ++ remove_error_table @5 ++ set_com_err_hook @6 ++ reset_com_err_hook @7 +Index: src/lib/kadm5/srv/svr_principal.c +=================================================================== +--- src/lib/kadm5/srv/svr_principal.c (Revision 20580) ++++ src/lib/kadm5/srv/svr_principal.c (Revision 20587) +@@ -2099,7 +2099,8 @@ + * inexact match on the enctype; this behavior will go away when + * the key storage architecture gets redesigned for 1.3. + */ +- keyblock->enctype = ktype; ++ if (ktype != -1) ++ keyblock->enctype = ktype; + + if (kvnop) + *kvnop = key_data->key_data_kvno; +Index: src/lib/krb5/os/sendto_kdc.c +=================================================================== +--- src/lib/krb5/os/sendto_kdc.c (Revision 20580) ++++ src/lib/krb5/os/sendto_kdc.c (Revision 20587) +@@ -654,6 +654,12 @@ + dprint("socket: %m creating with af %d\n", state->err, ai->ai_family); + return -1; /* try other hosts */ + } ++ if (fd >= FD_SETSIZE) { ++ close(fd); ++ state->err = EMFILE; ++ dprint("socket: fd %d too high\n", fd); ++ return -1; ++ } + /* Make it non-blocking. */ + if (ai->ai_socktype == SOCK_STREAM) { + static const int one = 1; + + diff --git a/krb5-doc.spec b/krb5-doc.spec index 8af3980..f35d458 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec 
@@ -14,7 +14,7 @@ Name: krb5-doc
 BuildRequires: ghostscript-library latex2html texlive
 Version: 1.6.3
-Release: 96
+Release: 101
 %define srcRoot krb5-1.6.3
 Summary: MIT Kerberos5 Implementation--Documentation
 License: X11/MIT
diff --git a/krb5-plugins.spec b/krb5-plugins.spec
index 16c3af4..3af5250 100644
--- a/krb5-plugins.spec
+++ b/krb5-plugins.spec
@@ -14,7 +14,7 @@ Name: krb5-plugins
 Version: 1.6.3
-Release: 11
+Release: 12
 BuildRequires: bison krb5-devel ncurses-devel openldap2-devel
 %define srcRoot krb5-1.6.3
 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
diff --git a/krb5.changes b/krb5.changes
index 13f3a51..541504f 100644
--- a/krb5.changes
+++ b/krb5.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de
+
+- add new fixes to post 1.6.3 patch
+ * fix mem leak in krb5_gss_accept_sec_context()
+ * keep minor_status
+ * kadm5_decrypt_key: A ktype of -1 is documented as meaning
+ "to be ignored"
+ * Reject socket fds > FD_SETSIZE
+
 -------------------------------------------------------------------
 Fri Jul 25 12:13:24 CEST 2008 - mc@suse.de
diff --git a/krb5.spec b/krb5.spec
index fa895d1..74353e4 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -13,7 +13,7 @@ Name: krb5
 Version: 1.6.3
-Release: 58
+Release: 62
 BuildRequires: bison libcom_err-devel ncurses-devel
 %if %{suse_version} > 1010
 BuildRequires: keyutils keyutils-devel
@@ -554,6 +554,13 @@ rm -rf %{buildroot}
 %{_mandir}/man1/krb5-config.1*
 %changelog
+* Mon Jul 28 2008 mc@suse.de
+- add new fixes to post 1.6.3 patch
+ * fix mem leak in krb5_gss_accept_sec_context()
+ * keep minor_status
+ * kadm5_decrypt_key: A ktype of -1 is documented as meaning
+ "to be ignored"
+ * Reject socket fds > FD_SETSIZE
 * Fri Jul 25 2008 mc@suse.de
 - add patches from SVN post 1.6.3
 * krb5_string_to_keysalts: Fix an infinite loop