diff --git a/krb5-trunk-gss_delete_sec.patch b/krb5-trunk-gss_delete_sec.patch
new file mode 100644
index 0000000..c40022c
--- /dev/null
+++ b/krb5-trunk-gss_delete_sec.patch
@@ -0,0 +1,27 @@
+Author: ghudson
+Date:   Mon May 9 17:28:07 2011 +0000
+
+    ticket: 6908
+    subject: Delete sec context properly in gss_krb5_export_lucid_sec_context
+    target_version: 1.9.2
+    tags: pullup
+    
+    Since r21690, gss_krb5_export_lucid_sec_context() has been passing a
+    union context to krb5_gss_delete_sec_context(), causing a crash as the
+    krb5 routine attempts to interpret a union context structure as a krb5
+    GSS context.  Call the mechglue gss_delete_sec_context instead.
+    
+    
+    svn://anonsvn.mit.edu:/krb5/trunk@24917
+
+--- a/src/lib/gssapi/krb5/krb5_gss_glue.c
++++ b/src/lib/gssapi/krb5/krb5_gss_glue.c
+@@ -196,7 +196,7 @@ gss_krb5_export_lucid_sec_context(OM_uint32 *minor_status,
+     /* Clean up the context state (it is an error for
+      * someone to attempt to use this context again)
+      */
+-    (void)krb5_gss_delete_sec_context(minor_status, context_handle, NULL);
++    (void)gss_delete_sec_context(minor_status, context_handle, NULL);
+     *context_handle = GSS_C_NO_CONTEXT;
+ 
+     generic_gss_release_buffer_set(&minor, &data_set);
diff --git a/krb5.spec b/krb5.spec
index 4f5bda9..1041f26 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -58,6 +58,7 @@ Patch81: krb5-1.9-canonicalize-fallback.patch
 Patch82: krb5-1.9.1-ai_addrconfig.patch
 Patch83: krb5-1.9.1-ai_addrconfig2.patch
 Patch84: krb5-1.9.1-sendto_poll.patch
+Patch85: krb5-trunk-gss_delete_sec.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -207,6 +208,7 @@ ln -s NOTICE LICENSE
 %patch82 -p0 -b .ai_addrconfig
 %patch83 -p0 -b .ai_addrconfig2
 %patch84 -p0 -b .sendto_poll
+%patch85 -p1 -b .gss_delete_sec
 gzip doc/*.ps
 
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -670,6 +672,8 @@ exit 0
 - build shared libraries with partial RELRO support (#723995)
 - filter out potentially multiple instances of -Wl,-z,relro from krb5-config
   output, now that it's in the buildroot's default LDFLAGS
+- pull in a patch to fix losing track of the replay cache FD, from SVN by
+  way of Kevin Coffman
 
 * Wed Jul 20 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-7
 - kadmind.init: drop the attempt to detect no-database-present errors (#723723)