diff --git a/krb5-MITKRB5SA-2005-001.patch b/krb5-MITKRB5SA-2005-001.patch
new file mode 100644
index 0000000..cc40c4c
--- /dev/null
+++ b/krb5-MITKRB5SA-2005-001.patch
@@ -0,0 +1,95 @@
+Index: telnet.c
+===================================================================
+RCS file: /cvs/krbdev/krb5/src/appl/telnet/telnet/telnet.c,v
+retrieving revision 5.18
+diff -c -r5.18 telnet.c
+*** telnet.c 15 Nov 2002 20:21:35 -0000 5.18
+- --- telnet.c 15 Mar 2005 18:59:32 -0000
+***************
+*** 1475,1480 ****
+- --- 1475,1482 ----
+ unsigned char flags;
+ cc_t value;
+ {
++ if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply))
++ return;
+ if ((*slc_replyp++ = func) == IAC)
+ *slc_replyp++ = IAC;
+ if ((*slc_replyp++ = flags) == IAC)
+***************
+*** 1488,1498 ****
+ {
+ register int len;
+
+- - *slc_replyp++ = IAC;
+- - *slc_replyp++ = SE;
+ len = slc_replyp - slc_reply;
+! if (len <= 6)
+ return;
+ if (NETROOM() > len) {
+ ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
+ printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
+- --- 1490,1501 ----
+ {
+ register int len;
+
+ len = slc_replyp - slc_reply;
+! if (len <= 4 || (len + 2 > sizeof(slc_reply)))
+ return;
++ *slc_replyp++ = IAC;
++ *slc_replyp++ = SE;
++ len += 2;
+ if (NETROOM() > len) {
+ ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
+ printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
+***************
+*** 1645,1650 ****
+- --- 1648,1654 ----
+ register unsigned char *ep;
+ {
+ register unsigned char *vp, c;
++ unsigned int len, olen, elen;
+
+ if (opt_reply == NULL) /*XXX*/
+ return; /*XXX*/
+***************
+*** 1662,1680 ****
+ return;
+ }
+ vp = env_getvalue(ep);
+! if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
+! strlen((char *)ep) + 6 > opt_replyend)
+ {
+! register unsigned int len;
+! opt_replyend += OPT_REPLY_SIZE;
+! len = opt_replyend - opt_reply;
+ opt_reply = (unsigned char *)realloc(opt_reply, len);
+ if (opt_reply == NULL) {
+ /*@*/ printf("env_opt_add: realloc() failed!!!\n");
+ opt_reply = opt_replyp = opt_replyend = NULL;
+ return;
+ }
+! opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
+ opt_replyend = opt_reply + len;
+ }
+ if (opt_welldefined((char *) ep))
+- --- 1666,1684 ----
+ return;
+ }
+ vp = env_getvalue(ep);
+! elen = 2 * (vp ? strlen((char *)vp) : 0) +
+! 2 * strlen((char *)ep) + 6;
+! if ((opt_replyend - opt_replyp) < elen)
+ {
+! len = opt_replyend - opt_reply + elen;
+! olen = opt_replyp - opt_reply;
+ opt_reply = (unsigned char *)realloc(opt_reply, len);
+ if (opt_reply == NULL) {
+ /*@*/ printf("env_opt_add: realloc() failed!!!\n");
+ opt_reply = opt_replyp = opt_replyend = NULL;
+ return;
+ }
+! opt_replyp = opt_reply + olen;
+ opt_replyend = opt_reply + len;
+ }
+ if (opt_welldefined((char *) ep))
diff --git a/krb5.spec b/krb5.spec
index 7b01ddb..198dded 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -7,7 +7,7 @@
 Summary: The Kerberos network authentication system.
 Name: krb5
 Version: 1.4
-Release: 2
+Release: 3
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.4/krb5-1.4-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -59,8 +59,8 @@ Patch27: krb5-1.3.3-rcp-sendlarge.patch
 Patch28: krb5-1.3.5-gethostbyname_r.patch
 Patch29: krb5-1.3.5-kprop-mktemp.patch
 Patch30: krb5-1.3.4-send-pr-tempfile.patch
-Patch31: krb5-1.3.5-krsh-deadlock.patch
 Patch32: krb5-1.4-ncurses.patch
+Patch33: krb5-MITKRB5SA-2005-001.patch
 License: MIT, freely distributable.
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
@@ -126,6 +126,13 @@ workstation.
 %changelog
 # - XXX krb5_init_ets is gone now, what to do?
+* Wed Mar 23 2005 Nalin Dahyabhai 1.4-3
+- drop krshd patch for now
+
+* Thu Mar 17 2005 Nalin Dahyabhai
+- add draft fix from Tom Yu for slc_add_reply() buffer overflow (CAN-2005-0469)
+- add draft fix from Tom Yu for env_opt_add() buffer overflow (CAN-2005-0468)
+
 * Wed Mar 16 2005 Nalin Dahyabhai 1.4-2
 - don't include into the telnet client when we're not using curses
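Review bot: The telnet.c patch embedded in this new file still carries PGP clear-sign dash-escaping: every inner line that originally began with `-` appears as `- ---` (the `--- telnet.c` header and the `--- 1475,1482 ----`-style range lines) or `- -` (the two removed `*slc_replyp++` lines in the `*** 1488,1498 ****` hunk). Unless the patch(1) on the build host strips that prefix, `%patch33` will either reject that hunk or match against old-side lines that do not exist, so the text should be un-escaped before it is committed, e.g. with `gpg --output` on the signed advisory or `sed 's/^- //'` on the pasted copy. Since the signature itself was not kept, the escaping buys no provenance either; the changelog entry is the file's only record of where it came from. The C changes look right as far as they go: `slc_add_reply` now refuses an entry when `(slc_replyp - slc_reply) + 6 > sizeof(slc_reply)`, `slc_end_reply` bounds-checks before appending `IAC SE`, and `env_opt_add` sizes `elen` for the worst case of every byte of `vp` and `ep` being doubled for IAC escaping. Separately, the pre-existing `opt_reply = (unsigned char *)realloc(opt_reply, len)` in the same hunk still overwrites the pointer and so leaks the old buffer on failure; that is context here, not something this patch changes.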
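Review bot: Removing `Patch31: krb5-1.3.5-krsh-deadlock.patch` leaves nothing in the spec explaining why a deadlock fix was dropped; only the changelog's "drop krshd patch for now" says it is meant to be temporary. If that is the intent, keep the line commented out with a pointer to the reason, `#Patch31: krb5-1.3.5-krsh-deadlock.patch  # disabled in 1.4-3, see %changelog`, so the missing fix stays visible in the Patch list to the next packager instead of silently vanishing.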
@@ -807,8 +814,10 @@ workstation.
 %patch28 -p1 -b .gethostbyname_r
 %patch29 -p1 -b .kprop-mktemp
 %patch30 -p1 -b .send-pr-tempfile
-%patch31 -p1 -b .krsh-deadlock
 %patch32 -p1 -b .ncurses
+pushd src/appl/telnet/telnet
+%patch33 -p0 -b .MITKRB5SA-2005-001
+popd
 cp src/krb524/README README.krb524
 find . -type f -name "*.info-dir" -exec rm -fv "{}" ";"
 gzip doc/*.ps
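Review bot: `%patch33` is the only patch in this list applied with `-p0` from inside a `pushd`, and nothing at the call site says why, so a reader has to open the patch file to learn that it is a context diff whose `Index:`/`***` lines name a bare `telnet.c`. A one-line comment above the `pushd` would save that trip, e.g. `# MITKRB5-SA-2005-001 is rooted at src/appl/telnet/telnet (Index: telnet.c), hence pushd + -p0`. Note that this also makes the `-p` level depend on how the advisory text was copied; if the patch file is later regenerated with a `src/appl/telnet/telnet/telnet.c` path, this hunk has to change in step.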