diff --git a/krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch b/krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
new file mode 100644
index 0000000..6507492
--- /dev/null
+++ b/krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
@@ -0,0 +1,14 @@
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+index ce851ea..df5934c 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+@@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
+             j++;
+             last = i + 1;
+
+-            currkvno = key_data[i].key_data_kvno;
++            if (i < n_key_data - 1)
++                currkvno = key_data[i + 1].key_data_kvno;
+         }
+     }
+     ret[num_versions] = NULL;
diff --git a/krb5-mini.changes b/krb5-mini.changes
index 7512d1c..8634f46 100644
--- a/krb5-mini.changes
+++ b/krb5-mini.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Aug  8 15:55:01 UTC 2014 - ckornacker@suse.com
+
+- buffer overrun in kadmind with LDAP backend
+  CVE-2014-4345 (bnc#891082)
+  krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch 
+
 -------------------------------------------------------------------
 Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com
 
diff --git a/krb5-mini.spec b/krb5-mini.spec
index 83c5f9b..033de82 100644
--- a/krb5-mini.spec
+++ b/krb5-mini.spec
@@ -86,6 +86,7 @@ Patch15:        krb5-master-keyring-kdcsync.patch
 Patch16:        krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
 Patch17:        krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
 Patch18:        krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
+Patch19:        krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@@ -209,6 +210,7 @@ Include Files for Development
 %patch16 -p1
 %patch17 -p1
 %patch18 -p1
+%patch19 -p1
 
 %build
 # needs to be re-generated
diff --git a/krb5.changes b/krb5.changes
index 7512d1c..8634f46 100644
--- a/krb5.changes
+++ b/krb5.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Aug  8 15:55:01 UTC 2014 - ckornacker@suse.com
+
+- buffer overrun in kadmind with LDAP backend
+  CVE-2014-4345 (bnc#891082)
+  krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch 
+
 -------------------------------------------------------------------
 Mon Jul 28 09:22:06 UTC 2014 - ckornacker@suse.com
 
diff --git a/krb5.spec b/krb5.spec
index 5162e60..9ba9a10 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -86,6 +86,7 @@ Patch15:        krb5-master-keyring-kdcsync.patch
 Patch16:        krb5-1.12-CVE-2014-4341-CVE-2014-4342.patch
 Patch17:        krb5-1.12-CVE-2014-4343-Fix-double-free-in-SPNEGO.patch
 Patch18:        krb5-1.12-CVE-2014-4344-Fix-null-deref-in-SPNEGO-acceptor.patch
+Patch19:        krb5-1.12-CVE-2014-4345-buffer-overrun-in-kadmind-with-LDAP-backend.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         mktemp, grep, /bin/touch, coreutils
 PreReq:         %fillup_prereq 
@@ -209,6 +210,7 @@ Include Files for Development
 %patch16 -p1
 %patch17 -p1
 %patch18 -p1
+%patch19 -p1
 
 %build
 # needs to be re-generated