release the GSSAPI server credential handle immediately after the GSSAPI security context is established

cyrus-sasl-2.1.23-release-server_creds.patch

@@ -0,0 +1,14 @@
+--- cyrus-sasl/plugins/gssapi.c
++++ cyrus-sasl/plugins/gssapi.c
+@@ -782,6 +782,11 @@ gssapi_server_mech_step(void *conn_conte
+ 	}
+ 	
+ 	if (maj_stat == GSS_S_COMPLETE) {
++	    /* Release server creds which are no longer needed */
++            if ( text->server_creds != GSS_C_NO_CREDENTIAL) {
++	        maj_stat = gss_release_cred(&min_stat, &text->server_creds);
++	        text->server_creds = GSS_C_NO_CREDENTIAL;
++            }
+ 	    /* Switch to ssf negotiation */
+ 	    text->state = SASL_GSSAPI_STATE_SSFCAP;
+ 	}

cyrus-sasl.spec

@@ -48,6 +48,7 @@ Patch41: cyrus-sasl-2.1.23-db5.patch
 Patch42: cyrus-sasl-2.1.23-relro.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=816250
 Patch43: cyrus-sasl-2.1.23-null-crypt.patch
+Patch44: cyrus-sasl-2.1.23-release-server_creds.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
@@ -185,6 +186,7 @@ chmod -x include/*.h
 %patch41 -p1 -b .db5
 %patch42 -p1 -b .relro
 %patch43 -p1 -b .null-crypt
+%patch44 -p1 -b .release-server_creds
 
 %build
 # FIXME - we remove these files directly so that we can avoid using the -f