diff --git a/Try-harder-to-avoid-password-change-replay-errors.patch b/Try-harder-to-avoid-password-change-replay-errors.patch
new file mode 100644
index 0000000..814043e
--- /dev/null
+++ b/Try-harder-to-avoid-password-change-replay-errors.patch
@@ -0,0 +1,91 @@
+From ad8e02485791023dcf66ef4612616f03895ceeb3 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 4 Mar 2022 00:45:00 -0500
+Subject: [PATCH] Try harder to avoid password change replay errors
+
+Commit d7b3018d338fc9c989c3fa17505870f23c3759a8 (ticket 7905) changed
+change_set_password() to prefer TCP.  However, because UDP_LAST falls
+back to UDP after one second, we can still get a replay error due to a
+dropped packet, before the TCP layer has a chance to retry.
+
+Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after
+TCP fails completely without reaching a server.  In sendto_kdc.c,
+implement an ONLY_UDP transport strategy to allow the UDP fallback.
+
+ticket: 9037
+---
+ src/lib/krb5/os/changepw.c   |  9 ++++++++-
+ src/lib/krb5/os/os-proto.h   |  1 +
+ src/lib/krb5/os/sendto_kdc.c | 12 ++++++++----
+ 3 files changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
+index 9f968da7f..c59232586 100644
+--- a/src/lib/krb5/os/changepw.c
++++ b/src/lib/krb5/os/changepw.c
+@@ -255,9 +255,16 @@ change_set_password(krb5_context context,
+     callback_info.pfn_cleanup = kpasswd_sendto_msg_cleanup;
+     krb5_free_data_contents(callback_ctx.context, &chpw_rep);
+ 
++    /* UDP retransmits may be seen as replays.  Only try UDP after other
++     * transports fail completely. */
+     code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm,
+-                     &sl, UDP_LAST, &callback_info, &chpw_rep,
++                     &sl, NO_UDP, &callback_info, &chpw_rep,
+                      ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL);
++    if (code == KRB5_KDC_UNREACH) {
++        code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm,
++                         &sl, ONLY_UDP, &callback_info, &chpw_rep,
++                         ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL);
++    }
+     if (code)
+         goto cleanup;
+ 
+diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
+index a985f2aec..91d2791ce 100644
+--- a/src/lib/krb5/os/os-proto.h
++++ b/src/lib/krb5/os/os-proto.h
+@@ -49,6 +49,7 @@ typedef enum {
+     UDP_FIRST = 0,
+     UDP_LAST,
+     NO_UDP,
++    ONLY_UDP
+ } k5_transport_strategy;
+ 
+ /* A single server hostname or address. */
+diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
+index 0eedec175..c7f5d861a 100644
+--- a/src/lib/krb5/os/sendto_kdc.c
++++ b/src/lib/krb5/os/sendto_kdc.c
+@@ -802,11 +802,14 @@ resolve_server(krb5_context context, const krb5_data *realm,
+     int err, result;
+     char portbuf[PORT_LENGTH];
+ 
+-    /* Skip UDP entries if we don't want UDP. */
++    /* Skip entries excluded by the strategy. */
+     if (strategy == NO_UDP && entry->transport == UDP)
+         return 0;
++    if (strategy == ONLY_UDP && entry->transport != UDP &&
++        entry->transport != TCP_OR_UDP)
++        return 0;
+ 
+-    transport = (strategy == UDP_FIRST) ? UDP : TCP;
++    transport = (strategy == UDP_FIRST || strategy == ONLY_UDP) ? UDP : TCP;
+     if (entry->hostname == NULL) {
+         /* Added by a module, so transport is either TCP or UDP. */
+         ai.ai_socktype = socktype_for_transport(entry->transport);
+@@ -850,8 +853,9 @@ resolve_server(krb5_context context, const krb5_data *realm,
+     }
+ 
+     /* For TCP_OR_UDP entries, add each address again with the non-preferred
+-     * transport, unless we are avoiding UDP.  Flag these as deferred. */
+-    if (retval == 0 && entry->transport == TCP_OR_UDP && strategy != NO_UDP) {
++     * transport, if there is one.  Flag these as deferred. */
++    if (retval == 0 && entry->transport == TCP_OR_UDP &&
++        (strategy == UDP_FIRST || strategy == UDP_LAST)) {
+         transport = (strategy == UDP_FIRST) ? TCP : UDP;
+         for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
+             a->ai_socktype = socktype_for_transport(transport);
+-- 
+2.35.1
+
diff --git a/krb5.spec b/krb5.spec
index fe94759..a88aa4d 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -42,7 +42,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.19.1
-Release: %{?zdpd}17%{?dist}
+Release: %{?zdpd}18%{?dist}
 
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
@@ -92,6 +92,7 @@ Patch27: Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
 Patch28: Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
 Patch29: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
 Patch30: downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
+Patch31: Try-harder-to-avoid-password-change-replay-errors.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -648,6 +649,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Tue Apr 26 2022 Julien Rische <jrische@redhat.com> - 1.19.1-18
+- Try harder to avoid password change replay errors
+- Resolves: rhbz#2075186
+
 * Mon Mar 14 2022 Julien Rische <jrische@redhat.com> - 1.19.1-15
 - Use SHA-256 instead of SHA-1 for PKINIT CMS digest