diff --git a/krb5-CVE_2014_5353_fix_LDAP_misused_policy_name_crash.patch b/krb5-CVE_2014_5353_fix_LDAP_misused_policy_name_crash.patch
new file mode 100644
index 0000000..e96c360
--- /dev/null
+++ b/krb5-CVE_2014_5353_fix_LDAP_misused_policy_name_crash.patch
@@ -0,0 +1,63 @@
+From d1f707024f1d0af6e54a18885322d70fa15ec4d3 Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Fri, 5 Dec 2014 14:01:39 -0500
+Subject: [PATCH] Fix LDAP misused policy name crash [CVE-2014-5353]
+
+In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns
+successfully with no results, return KRB5_KDB_NOENTRY instead of
+returning success with a zeroed-out policy object. This fixes a null
+dereference when an admin attempts to use an LDAP ticket policy name
+as a password policy name.
+
+CVE-2014-5353:
+
+In MIT krb5, when kadmind is configured to use LDAP for the KDC
+database, an authenticated remote attacker can cause a NULL dereference
+by attempting to use a named ticket policy object as a password policy
+for a principal. The attacker needs to be authenticated as a user who
+has the elevated privilege for setting password policy by adding or
+modifying principals.
+
+Queries to LDAP scoped to the krbPwdPolicy object class will correctly
+not return entries of other classes, such as ticket policy objects, but
+may return success with no returned elements if an object with the
+requested DN exists in a different object class. In this case, the
+routine to retrieve a password policy returned success with a password
+policy object that consisted entirely of zeroed memory. In particular,
+accesses to the policy name will dereference a NULL pointer. KDC
+operation does not access the policy name field, but most kadmin
+operations involving the principal with incorrect password policy
+will trigger the crash.
+
+Thanks to Patrik Kis for reporting this problem.
+
+CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
+
+[kaduk@mit.edu: CVE description and CVSS score]
+
+ticket: 8051 (new)
+target_version: 1.13.1
+tags: pullup
+---
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+index 522773e..6779f51 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
+@@ -314,10 +314,11 @@ krb5_ldap_get_password_policy_from_dn(krb5_context context, char *pol_name,
+ LDAP_SEARCH(pol_dn, LDAP_SCOPE_BASE, "(objectclass=krbPwdPolicy)", password_policy_attributes);
+
+ ent=ldap_first_entry(ld, result);
+- if (ent != NULL) {
+- if ((st = populate_policy(context, ld, ent, pol_name, *policy)) != 0)
+- goto cleanup;
++ if (ent == NULL) {
++ st = KRB5_KDB_NOENTRY;
++ goto cleanup;
+ }
++ st = populate_policy(context, ld, ent, pol_name, *policy);
+
+ cleanup:
+ ldap_msgfree(result);
diff --git a/krb5.spec b/krb5.spec
index 7d824f3..5fec982 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -43,7 +43,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.13
-Release: 2%{?dist}
+Release: 3%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -94,6 +94,7 @@ Patch105: krb5-kvno-230379.patch
 Patch129: krb5-1.11-run_user_0.patch
 Patch134: krb5-1.11-kpasswdtest.patch
 Patch136: krb5-socket_wrapper_eventfd_prototype_mismatch.patch
+Patch137: krb5-CVE_2014_5353_fix_LDAP_misused_policy_name_crash.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
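Review bot: The new `if (ent == NULL)` branch in the embedded ldap_pwd_policy.c hunk jumps to `cleanup` with `st = KRB5_KDB_NOENTRY` after `*policy` has already been allocated and zeroed above the hunk, so correctness of the fix depends on the cleanup path (which continues past the end of the hunk) freeing `*policy` and resetting it to NULL whenever `st != 0`; that is not visible here and should be confirmed, since a caller that treats NOENTRY as non-fatal would otherwise still hold the zeroed object the CVE is about. A short why-comment on the new branch would also help the next reader, because a base-scope search that returns zero entries is not an LDAP error: `/* A base-scope search on a DN that exists with another object class succeeds with no entries; report it as a missing password policy. */`. krb5_ldap_get_password_policy_from_dn begins and ends outside the hunk.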
@@ -315,6 +316,8 @@ ln NOTICE LICENSE
 %patch136 -p1
 %endif
+%patch137 -p1
+
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -985,12 +988,16 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
-* Wed Oct 29 2014 Roland Mainz - 1.13-0
+* Wed Dec 17 2014 Roland Mainz - 1.13-3
+- fix for CVE-2014-5353 (#1174543) "Fix LDAP misused policy
+ name crash"
+
+* Wed Oct 29 2014 Roland Mainz - 1.13-2
 - Bump 1%%{?dist} to 2%%{?dist} to workaround RPM sort issue which would lead yum updates to treat the last alpha as newer than the final version.
-* Wed Oct 29 2014 Roland Mainz - 1.13-0
+* Wed Oct 29 2014 Roland Mainz - 1.13-1
 - Update from krb5-1.13-alpha1 to final krb5-1.13
 - Removed patch for CVE-2014-5351 (#1145425) "krb5: current keys returned when randomizing the keys for a service principal"
-