Index: /server/common/patches/krb5-kuserok-scripts.patch
===================================================================
--- /server/common/patches/krb5-kuserok-scripts.patch	(revision 1068)
+++ /server/common/patches/krb5-kuserok-scripts.patch	(revision 1069)
@@ -18,6 +18,6 @@
 # See /COPYRIGHT in this repository for more information.
 #
---- krb5-1.4.3/src/lib/krb5/os/kuserok.c.old    2006-09-09 19:03:33.000000000 -0400
-+++ krb5-1.4.3/src/lib/krb5/os/kuserok.c        2006-09-09 19:50:48.000000000 -0400
+--- krb5-1.6.3/src/lib/krb5/os/kuserok.c.old	2009-04-08 06:17:06.000000000 -0400
++++ krb5-1.6.3/src/lib/krb5/os/kuserok.c	2009-04-08 06:17:18.000000000 -0400
 @@ -31,6 +31,7 @@
  #if !defined(_WIN32)		/* Not yet for Windows */
@@ -28,5 +28,5 @@
  #if defined(_AIX) && defined(_IBMR2)
  #include <sys/access.h>
-@@ -64,7 +65,6 @@
+@@ -71,7 +72,6 @@
  {
      struct stat sbuf;
@@ -36,5 +36,5 @@
      FILE *fp;
      char kuser[MAX_USERNAME];
-@@ -72,70 +72,35 @@
+@@ -79,70 +79,35 @@
      char linebuf[BUFSIZ];
      char *newline;
@@ -80,10 +80,22 @@
 -	free(princname);
 -	return(FALSE);
--    }
++    if ((pid = fork()) == -1) {
++       free(princname);
++       return(FALSE);
+     }
 -    if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) {
 -	fclose(fp);
 -	free(princname);
 -	return(FALSE);
--    }
++    if (pid == 0) {
++       char *args[4];
++#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
++       args[0] = ADMOF_PATH;
++       args[1] = (char *) luser;
++       args[2] = princname;
++       args[3] = NULL;
++       execv(ADMOF_PATH, args);
++       exit(1);
+     }
 -
 -    /* check each line */
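Review bot: The child branch falls back to `exit(1);` when `execv` fails, and because this code sits inside a library routine the child would then run the calling process's atexit handlers and flush its inherited stdio buffers a second time; `_exit(1);` avoids that. `execv` also hands the helper the caller's environment and open descriptors, so if the caller is a privileged daemon it is worth confirming that ssh-admof trusts neither. The helper should treat `luser` and `princname` as untrusted strings, since the principal name presumably originates from the authenticating client. A short comment above `ADMOF_PATH` saying that the path must be root-owned and not writable by unprivileged users would help, because the authorization result now depends entirely on that file. The enclosing function begins and ends outside this hunk.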
@@ -102,22 +114,7 @@
 -	if (!newline)
 -	    while (((gobble = getc(fp)) != EOF) && gobble != '\n');
--    }
-+    if ((pid = fork()) == -1) {
-+       free(princname);
-+       return(FALSE);
-+    }
-+    if (pid == 0) {
-+       char *args[4];
-+#define ADMOF_PATH "/usr/local/sbin/ssh-admof"
-+       args[0] = ADMOF_PATH;
-+       args[1] = (char *) luser;
-+       args[2] = princname;
-+       args[3] = NULL;
-+       execv(ADMOF_PATH, args);
-+       exit(1);
-+    }
 +    if (waitpid(pid, &status, 0) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 33) {
 +       isok=TRUE;
-+    }
+     }
 +    
      free(princname);
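Review bot: The allow decision in the `waitpid` line hinges on the bare value `33`, which must match the helper's exit code and is not explained anywhere in the hunk. A named constant plus a comment such as `/* ssh-admof exits 33 to allow the login; any other status, signal or wait failure denies */` would make that contract reviewable, if that is indeed the helper's contract. The check fails closed when `waitpid` returns -1, which is the safe direction, but an interrupted call or a caller that ignores SIGCHLD would then deny a legitimate login. Retrying on EINTR, for example `while ((rc = waitpid(pid, &status, 0)) == -1 && errno == EINTR);`, and logging the failure case would make such denials diagnosable. The declarations of `pid`, `status` and `isok` are outside this hunk.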
Index: /server/fedora/specs/krb5.spec.patch
===================================================================
--- /server/fedora/specs/krb5.spec.patch	(revision 1068)
+++ /server/fedora/specs/krb5.spec.patch	(revision 1069)
@@ -1,4 +1,4 @@
---- krb5.spec.old	2008-08-05 13:46:07.000000000 -0400
-+++ krb5.spec	2009-01-27 21:30:00.000000000 -0500
+--- krb5.spec.old	2009-04-08 06:26:23.000000000 -0400
++++ krb5.spec	2009-04-08 06:29:20.000000000 -0400
 @@ -16,7 +16,7 @@
  Summary: The Kerberos network authentication system.
@@ -10,14 +10,14 @@
  # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar
  Source0: krb5-%{version}.tar.gz
-@@ -102,6 +102,8 @@
- Patch78: krb5-1.6.3-lucid-acceptor.patch
- Patch79: krb5-trunk-ftp_mget_case.patch
+@@ -105,6 +105,8 @@
+ Patch82: krb5-CVE-2009-0846.patch
+ Patch83: krb5-CVE-2009-0847.patch
  
 +Patch1000: krb5-kuserok-scripts.patch
 +
- License: MIT
+ License: MIT, freely distributable.
  URL: http://web.mit.edu/kerberos/www/
  Group: System Environment/Libraries
-@@ -143,6 +145,7 @@
+@@ -146,6 +148,7 @@
  Group: System Environment/Libraries
  Prereq: grep, /sbin/ldconfig, sh-utils
@@ -27,8 +27,8 @@
  %description libs
  Kerberos is a network authentication system. The krb5-libs package
-@@ -1383,6 +1386,7 @@
- %patch77 -p0 -b .2007-5971
- %patch78 -p0 -b .lucid_acceptor
- %patch79 -p0 -b .ftp_mget_case
+@@ -1389,6 +1392,7 @@
+ %patch81 -p1 -b .CVE-2009-0844-0845-2
+ %patch82 -p1 -b .CVE-2009-0846
+ %patch83 -p1 -b .CVE-2009-0847
 +%patch1000 -p1 -b .kuserok
  cp src/krb524/README README.krb524
