diff --git a/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif b/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif index c730c5e..ebd651c 100644 --- a/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif +++ b/pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif @@ -2,7 +2,7 @@ Index: src/auth.c =================================================================== --- src/auth.c.orig +++ src/auth.c -@@ -425,9 +425,13 @@ pam_sm_setcred(pam_handle_t *pamh, int f +@@ -435,9 +435,13 @@ pam_sm_setcred(pam_handle_t *pamh, int f return pam_sm_open_session(pamh, flags, argc, argv); } if (flags & (PAM_REINITIALIZE_CRED | PAM_REFRESH_CRED)) { @@ -22,7 +22,7 @@ Index: src/sly.c =================================================================== --- src/sly.c.orig +++ src/sly.c -@@ -146,6 +146,21 @@ _pam_krb5_sly_looks_unsafe(void) +@@ -148,6 +148,21 @@ _pam_krb5_sly_looks_unsafe(void) return 0; } @@ -44,9 +44,9 @@ Index: src/sly.c int _pam_krb5_sly_maybe_refresh(pam_handle_t *pamh, int flags, int argc, PAM_KRB5_MAYBE_CONST char **argv) -@@ -159,6 +174,20 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t +@@ -161,6 +176,20 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t int i, retval, stored; - char *v5ccname, *v4tktfile; + char *v5ccname, *v5filename, *v4tktfile; + uid_t save_euid = geteuid(); + gid_t save_egid = getegid(); @@ -65,7 +65,7 @@ Index: src/sly.c /* Inexpensive checks. */ switch (_pam_krb5_sly_looks_unsafe()) { case 0: -@@ -166,18 +195,22 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t +@@ -168,18 +197,22 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t break; case 1: warn("won't refresh credentials while running under sudo"); @@ -88,7 +88,7 @@ Index: src/sly.c return PAM_SERVICE_ERR; break; } -@@ -185,6 +218,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t +@@ -187,6 +220,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t /* Initialize Kerberos. */ if (_pam_krb5_init_ctx(&ctx, argc, argv) != 0) { warn("error initializing Kerberos"); 
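Review bot: The refreshed hunks for `_pam_krb5_sly_maybe_refresh` still depend on a separate `_restore_privs(save_euid, save_egid);` call placed before each `return`, and this refresh only shifts offsets and updates the `v5filename` context line. Any exit path that 2.2.19 added to the function would therefore return to the PAM caller with the effective uid/gid still changed; most of the function body lies outside these hunks, so that cannot be confirmed from here. The same applies to the return-path hunks that follow (`@@ -96,7` through `@@ -136,9`). A single exit reached by `goto out`, i.e. `out: _restore_privs(save_euid, save_egid); return retval;`, would make the restore hard to miss on the next rebase. The drop code and the body of `_restore_privs` are not visible either, so it is worth confirming that whatever set*id calls they make have their return values checked and that a failed restore is reported rather than ignored.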
@@ -96,7 +96,7 @@ Index: src/sly.c return PAM_SERVICE_ERR; } -@@ -193,6 +227,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t +@@ -195,6 +229,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t if (i != PAM_SUCCESS) { warn("could not identify user name"); krb5_free_context(ctx); @@ -104,7 +104,7 @@ Index: src/sly.c return i; } -@@ -201,6 +236,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t +@@ -203,6 +238,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t if (options == NULL) { warn("error parsing options (shouldn't happen)"); krb5_free_context(ctx); @@ -112,7 +112,7 @@ Index: src/sly.c return PAM_SERVICE_ERR; } if (options->debug) { -@@ -222,6 +258,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t +@@ -224,6 +260,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t } _pam_krb5_options_free(pamh, ctx, options); krb5_free_context(ctx); @@ -120,7 +120,7 @@ Index: src/sly.c return retval; } -@@ -233,6 +270,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t +@@ -235,6 +272,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t _pam_krb5_user_info_free(ctx, userinfo); _pam_krb5_options_free(pamh, ctx, options); krb5_free_context(ctx); @@ -128,7 +128,7 @@ Index: src/sly.c return PAM_IGNORE; } -@@ -244,6 +282,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t +@@ -246,6 +284,7 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t _pam_krb5_user_info_free(ctx, userinfo); _pam_krb5_options_free(pamh, ctx, options); krb5_free_context(ctx); @@ -136,9 +136,9 @@ Index: src/sly.c return PAM_SERVICE_ERR; } -@@ -331,5 +370,6 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t - pam_strerror(pamh, retval)); - } +@@ -338,5 +377,6 @@ _pam_krb5_sly_maybe_refresh(pam_handle_t + _pam_krb5_options_free(pamh, ctx, options); + krb5_free_context(ctx); + _restore_privs(save_euid, save_egid); return retval; diff --git a/pam_krb5-2.2.17-1.tar.bz2 b/pam_krb5-2.2.17-1.tar.bz2 deleted file mode 100644 index 0e4cac8..0000000 --- a/pam_krb5-2.2.17-1.tar.bz2 +++ /dev/null 
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d5ade59c5d545a194583e9d0fc5f44f017b64d6f02146193d7df7b8ef3f81815
-size 326785
diff --git a/pam_krb5-2.2.19-1.tar.bz2 b/pam_krb5-2.2.19-1.tar.bz2
new file mode 100644
index 0000000..01cc7ce
--- /dev/null
+++ b/pam_krb5-2.2.19-1.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5444bc0e94dc57474adec8f9086a099c287596392db4ba0ac79e7903dfd653dd
+size 336213
diff --git a/pam_krb5-2.2.19-fix-format-error.dif b/pam_krb5-2.2.19-fix-format-error.dif
new file mode 100644
index 0000000..0ad2799
--- /dev/null
+++ b/pam_krb5-2.2.19-fix-format-error.dif
@@ -0,0 +1,13 @@
+Index: pam_krb5-2.2.19-1/src/v5.c
+===================================================================
+--- pam_krb5-2.2.19-1.orig/src/v5.c
++++ pam_krb5-2.2.19-1/src/v5.c
+@@ -787,7 +787,7 @@ v5_get_creds(krb5_context ctx,
+ }
+ free(opt);
+ } else {
+- warn("error resolving preauth option \"%s\" ",
++ warn("error resolving preauth option \"%s\" "
+ "to a useful value",
+ options->preauth_options[i]);
+ }
diff --git a/pam_krb5.changes b/pam_krb5.changes
index 32abbd1..76181d2 100644
--- a/pam_krb5.changes
+++ b/pam_krb5.changes
@@ -1,3 +1,21 @@ +------------------------------------------------------------------- +Fri Oct 26 11:00:16 CEST 2007 - mc@suse.de + +- version 2.2.19: + * the "keytab" option can now be used to specify a custom location + for a given service from within krb5.conf + * log messages are now logged with facility LOG_AUTHPRIV (or LOG_AUTH + if LOG_AUTHPRIV is not defined) instead of the application's default + or LOG_USER + * added the "pkinit_identity" option to provide a way to specify + where the user's public-key credentials are, and "pkinit_flags" to + specify arbitrary flags for libkrb5 (Heimdal only) + * added the "preauth_options" option to provide a way to specify + arbitrary preauthentication options to libkrb5 (MIT only) + * added the "ccname_template" option to provide a way to specify + where the user's credentials should be stored, so that KEYRING: + credential caches can be deployed at will. + ------------------------------------------------------------------- Tue Aug 7 11:03:59 CEST 2007 - mc@suse.de diff --git a/pam_krb5.spec b/pam_krb5.spec index 2b46253..b1ddb85 100644 --- a/pam_krb5.spec +++ b/pam_krb5.spec @@ -1,5 +1,5 @@ # -# spec file for package pam_krb5 (Version 2.2.17) +# spec file for package pam_krb5 (Version 2.2.19) # # Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine 
@@ -16,14 +16,15 @@ BuildRequires: krb5-client krb5-devel krb5-server openssl-devel pam-devel License: GPL v2 or later Group: Productivity/Networking/Security Provides: pam_krb -Autoreqprov: on -Version: 2.2.17 +AutoReqProv: on +Version: 2.2.19 Release: 1 Summary: PAM Module for Kerberos Authentication -URL: http://sourceforge.net/projects/pam-krb5/ +Url: http://sourceforge.net/projects/pam-krb5/ Source: pam_krb5-%{version}-%{PAM_RELEASE}.tar.bz2 Patch1: pam_krb5-2.2.0-0.5-configure_ac.dif -Patch3: pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif +Patch2: pam_krb5-2.2.11-1-refresh-drop-restore-priv.dif +Patch3: pam_krb5-2.2.19-fix-format-error.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -40,7 +41,8 @@ Authors: %prep %setup -q -n pam_krb5-%{version}-%{PAM_RELEASE} %patch1 -%patch3 +%patch2 +%patch3 -p1 %build %{suse_update_config -f} @@ -54,7 +56,6 @@ make %{?jobs:-j%jobs} make check %install -rm -rf $RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT ln -sf pam_krb5.so $RPM_BUILD_ROOT/%_lib/security/pam_krb5afs.so rm -f $RPM_BUILD_ROOT/%_lib/security/*.la 
@@ -71,8 +72,22 @@ rm -rf $RPM_BUILD_ROOT
 %attr(755,root,root) /%{_lib}/security/pam_krb5/pam_krb5_storetmp
 %attr(444,root,root) %_mandir/man*/*.*
 %attr(755,root,root) /usr/bin/afs5log
-
 %changelog
+* Fri Oct 26 2007 - mc@suse.de
+- version 2.2.19:
+ * the "keytab" option can now be used to specify a custom location
+ for a given service from within krb5.conf
+ * log messages are now logged with facility LOG_AUTHPRIV (or LOG_AUTH
+ if LOG_AUTHPRIV is not defined) instead of the application's default
+ or LOG_USER
+ * added the "pkinit_identity" option to provide a way to specify
+ where the user's public-key credentials are, and "pkinit_flags" to
+ specify arbitrary flags for libkrb5 (Heimdal only)
+ * added the "preauth_options" option to provide a way to specify
+ arbitrary preauthentication options to libkrb5 (MIT only)
+ * added the "ccname_template" option to provide a way to specify
+ where the user's credentials should be stored, so that KEYRING:
+ credential caches can be deployed at will.
 * Tue Aug 07 2007 - mc@suse.de
 - version 2.2.17:
 * corrected a typo in the pam_krb5(8) man page