diff --git a/Fix-minor-static-analysis-defects.patch b/Fix-minor-static-analysis-defects.patch
new file mode 100644
index 0000000..653bce1
--- /dev/null
+++ b/Fix-minor-static-analysis-defects.patch
@@ -0,0 +1,106 @@
+From c3d96fca46cb2cc3ee9f4c2e2a4ed98bad3e310a Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Thu, 15 Oct 2020 18:15:29 -0400
+Subject: [PATCH] Fix minor static analysis defects
+
+Remove an unused variable in krb5_ldap_create(). Handle the return
+value from krb5_dbe_get_string() in the certauth test plugin module.
+Handle the return value from k5_expand_path_tokens() in
+k5_rc_default(). Remove dead assignments in
+krb5_get_credentials_for_user() and kg_accept_krb5().
+
+[ghudson@mit.edu: squashed and edited commit message; simplified
+k5_rc_default() change]
+
+(cherry picked from commit b27461141810fddd299764928649148c5d0e99f3)
+---
+ src/lib/gssapi/krb5/accept_sec_context.c | 4 +---
+ src/lib/krb5/krb/s4u_creds.c | 1 -
+ src/lib/krb5/rcache/rc_base.c | 2 ++
+ src/plugins/certauth/test/main.c | 3 +++
+ src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c | 4 ----
+ 5 files changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
+index 3d5b84b15..e2c5e2b59 100644
+--- a/src/lib/gssapi/krb5/accept_sec_context.c
++++ b/src/lib/gssapi/krb5/accept_sec_context.c
+@@ -671,7 +671,7 @@ kg_accept_krb5(minor_status, context_handle,
+ krb5_auth_context auth_context = NULL;
+ krb5_ticket * ticket = NULL;
+ const gss_OID_desc *mech_used = NULL;
+- OM_uint32 major_status = GSS_S_FAILURE;
++ OM_uint32 major_status;
+ OM_uint32 tmp_minor_status;
+ krb5_error krb_error_data;
+ krb5_data scratch;
+@@ -878,8 +878,6 @@ kg_accept_krb5(minor_status, context_handle,
+ if (major_status != GSS_S_COMPLETE)
+ goto fail;
+
+- major_status = GSS_S_FAILURE;
+-
+ if (exts->iakerb.conv && !exts->iakerb.verified) {
+ major_status = GSS_S_BAD_SIG;
+ goto fail;
+diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
+index d8f486dc6..35a8843e5 100644
+--- a/src/lib/krb5/krb/s4u_creds.c
++++ b/src/lib/krb5/krb/s4u_creds.c
+@@ -714,7 +714,6 @@ krb5_get_credentials_for_user(krb5_context context, krb5_flags options,
+ } else if (code != KRB5_CC_NOTFOUND && code != KRB5_CC_NOT_KTYPE) {
+ goto cleanup;
+ }
+- code = 0;
+ }
+
+ /* Note the authdata we asked for in the output creds. */
+diff --git a/src/lib/krb5/rcache/rc_base.c b/src/lib/krb5/rcache/rc_base.c
+index 5f456d1f3..f9a482318 100644
+--- a/src/lib/krb5/rcache/rc_base.c
++++ b/src/lib/krb5/rcache/rc_base.c
+@@ -56,6 +56,8 @@ k5_rc_default(krb5_context context, krb5_rcache *rc_out)
+ &profstr) == 0 && profstr != NULL) {
+ ret = k5_expand_path_tokens(context, profstr, &rcname);
+ profile_release_string(profstr);
++ if (ret)
++ return ret;
+ ret = k5_rc_resolve(context, rcname, rc_out);
+ free(rcname);
+ return ret;
+diff --git a/src/plugins/certauth/test/main.c b/src/plugins/certauth/test/main.c
+index d4633b8cd..7e7a3ef4c 100644
+--- a/src/plugins/certauth/test/main.c
++++ b/src/plugins/certauth/test/main.c
+@@ -171,6 +171,9 @@ test2_authorize(krb5_context context, krb5_certauth_moddata moddata,
+
+ ret = krb5_dbe_get_string(context, (krb5_db_entry *)db_entry, "hwauth",
+ &strval);
++ if (ret)
++ goto cleanup;
++
+ ret = (strval != NULL) ? KRB5_CERTAUTH_HWAUTH : 0;
+ krb5_dbe_free_string(context, strval);
+
+diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
+index 5b57c799a..2d6605666 100644
+--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c
+@@ -55,7 +55,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args)
+ krb5_error_code status = 0;
+ krb5_ldap_realm_params *rparams = NULL;
+ krb5_ldap_context *ldap_context=NULL;
+- krb5_boolean realm_obj_created = FALSE;
+ int mask = 0;
+
+ /* Clear the global error string */
+@@ -109,9 +108,6 @@ krb5_ldap_create(krb5_context context, char *conf_section, char **db_args)
+ if ((status = krb5_ldap_create_realm(context, rparams, mask)))
+ goto cleanup;
+
+- /* We just created the Realm container. Here starts our transaction tracking */
+- realm_obj_created = TRUE;
+-
+ /* verify realm object */
+ if ((status = krb5_ldap_read_realm_params(context,
+ rparams->realm_name,
diff --git a/krb5.spec b/krb5.spec
index 30396a5..3cc61cf 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.18.2 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) -Release: 27%{?dist} +Release: 28%{?dist} # rharwood has trust path to signing key and verifies on check-in Source0: https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-%{version}%{prerelease}.tar.gz
@@ -80,6 +80,7 @@ Patch41: Allow-aliases-when-matching-U2U-second-ticket.patch Patch42: Refactor-KDC-authdata-list-management-helpers.patch Patch43: Avoid-passing-DB-entry-structures-in-KDC.patch Patch44: Minimize-usage-of-tgs_server-in-KDC.patch +Patch45: Fix-minor-static-analysis-defects.patch License: MIT URL: https://web.mit.edu/kerberos/www/
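Review bot: In the two kg_accept_krb5() hunks of the added patch, dropping the `GSS_S_FAILURE` initializer and the reset after the `major_status != GSS_S_COMPLETE` check removes the fail-closed default for the acceptor's return status. Once that check passes, `major_status` holds `GSS_S_COMPLETE`, so any later `goto fail` that does not assign it first would reach the `fail` label carrying a success status. The dead-store finding implies every such path assigns an error today, but the function body continues outside both hunks, so that cannot be confirmed here, and it would not cover a `goto fail` added later. I would keep `OM_uint32 major_status = GSS_S_FAILURE;` at the declaration, or at least add a comment at the `fail` label along the lines of `/* every path reaching fail must have set major_status to an error */`.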
@@ -640,6 +641,9 @@ exit 0 %{_libdir}/libkadm5srv_mit.so.* %changelog +* Fri Oct 23 2020 Robbie Harwood - 1.18.2-28 +- Fix minor static analysis defects + * Wed Oct 21 2020 Robbie Harwood - 1.18.2-27 - Fix build of previous