diff --git a/SOURCES/Change-impersonator-check-code.patch b/SOURCES/Change-impersonator-check-code.patch
index 27cf421..4cc5de9 100644
--- a/SOURCES/Change-impersonator-check-code.patch
+++ b/SOURCES/Change-impersonator-check-code.patch
@@ -13,8 +13,8 @@ Merges: #172
 (cherry picked from commit 73b50c0b2799f0aed53337a6516b8e1a27279ebf)
 ---
  proxy/configure.ac   |   3 +
- proxy/src/gp_creds.c | 147 ++++++++++++++++++++++++++++++++-----------
- 2 files changed, 112 insertions(+), 38 deletions(-)
+ proxy/src/gp_creds.c | 145 ++++++++++++++++++++++++++++++++-----------
+ 2 files changed, 111 insertions(+), 37 deletions(-)
 
 diff --git a/proxy/configure.ac b/proxy/configure.ac
 index 63c0edf..c52dbb6 100644
@@ -74,8 +74,12 @@ index 171a724..95a1c48 100644
          goto done;
      }
  
-+    err = krb5_cc_get_config(context, ccache, NULL, "proxy_impersonator",
-+                             &config);
+-    /* if we find an impersonator entry we bail as that is not authorized,
+-     * if it were then gpcall->service->allow_const_deleg would have caused
+-     * the ealier check to return GSS_S_COMPLETE already */
+     err = krb5_cc_get_config(context, ccache, NULL, "proxy_impersonator",
+                              &config);
+-    if (!err) {
 +    if (err == 0) {
 +        *impersonator = strndup(config.data, config.length);
 +        if (!*impersonator) {
@@ -85,10 +89,14 @@ index 171a724..95a1c48 100644
 +            ret_min = 0;
 +            ret_maj = GSS_S_COMPLETE;
 +        }
-+        krb5_free_data_contents(context, &config);
+         krb5_free_data_contents(context, &config);
+-        ret_min = 0;
+-        ret_maj = GSS_S_UNAUTHORIZED;
+-    } else if (err != KRB5_CC_NOTFOUND) {
 +    } else {
-+        ret_min = err;
-+        ret_maj = GSS_S_FAILURE;
+         ret_min = err;
+         ret_maj = GSS_S_FAILURE;
+-    } else {
 +    }
 +
 +done:
@@ -178,22 +186,13 @@ index 171a724..95a1c48 100644
 +    ret_maj = get_impersonator_name(&ret_min, cred, &impersonator);
 +    if (ret_maj) goto done;
 +
-     /* if we find an impersonator entry we bail as that is not authorized,
-      * if it were then gpcall->service->allow_const_deleg would have caused
-      * the ealier check to return GSS_S_COMPLETE already */
--    err = krb5_cc_get_config(context, ccache, NULL, "proxy_impersonator",
--                             &config);
--    if (!err) {
--        krb5_free_data_contents(context, &config);
++    /* if we find an impersonator entry we bail as that is not authorized,
++     * if it were then gpcall->service->allow_const_deleg would have caused
++     * the ealier check to return GSS_S_COMPLETE already */
 +    if (impersonator != NULL) {
          ret_min = 0;
-         ret_maj = GSS_S_UNAUTHORIZED;
--    } else if (err != KRB5_CC_NOTFOUND) {
--        ret_min = err;
--        ret_maj = GSS_S_FAILURE;
--    } else {
--        ret_min = 0;
 -        ret_maj = GSS_S_COMPLETE;
++        ret_maj = GSS_S_UNAUTHORIZED;
      }
  
  done:
diff --git a/SOURCES/Fix-double-free-of-popt-context-when-querying-versio.patch b/SOURCES/Fix-double-free-of-popt-context-when-querying-versio.patch
new file mode 100644
index 0000000..5837abd
--- /dev/null
+++ b/SOURCES/Fix-double-free-of-popt-context-when-querying-versio.patch
@@ -0,0 +1,28 @@
+From 3203f956cd77c43b6432b01d2d82950e9dac3580 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Thu, 24 Aug 2017 15:13:52 -0400
+Subject: [PATCH] Fix double free of popt context when querying version
+
+This is a non-exploitable, cosmetic issue which causes a segfault (in
+some cases) rather than a clean exit of the program.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+Reviewed-by: Simo Sorce <simo@redhat.com>
+Merges: #209
+(cherry picked from commit 6ef4eb72bef742ed1ebb2824df5a600819e19666)
+---
+ proxy/src/gssproxy.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/proxy/src/gssproxy.c b/proxy/src/gssproxy.c
+index 3b6a16e..3221615 100644
+--- a/proxy/src/gssproxy.c
++++ b/proxy/src/gssproxy.c
+@@ -202,7 +202,6 @@ int main(int argc, const char *argv[])
+ 
+     if (opt_version) {
+         puts(VERSION""DISTRO_VERSION""PRERELEASE_VERSION);
+-        poptFreeContext(pc);
+         ret = 0;
+         goto cleanup;
+     }
diff --git a/SOURCES/Properly-locate-credentials-in-collection-caches-in-.patch b/SOURCES/Properly-locate-credentials-in-collection-caches-in-.patch
index f1099e8..ff32fb0 100644
--- a/SOURCES/Properly-locate-credentials-in-collection-caches-in-.patch
+++ b/SOURCES/Properly-locate-credentials-in-collection-caches-in-.patch
@@ -11,9 +11,9 @@ Reviewed-by: Simo Sorce <simo@redhat.com>
 Merges: #221
 (cherry picked from commit 670240a6cd4d5e2ecf13e481621098693cdbaa89)
 ---
- proxy/src/mechglue/gpp_creds.c  | 81 +++++++++++++++++++++++----------
+ proxy/src/mechglue/gpp_creds.c  | 77 ++++++++++++++++++++++++---------
  proxy/src/mechglue/gss_plugin.h |  2 +-
- 2 files changed, 59 insertions(+), 24 deletions(-)
+ 2 files changed, 57 insertions(+), 22 deletions(-)
 
 diff --git a/proxy/src/mechglue/gpp_creds.c b/proxy/src/mechglue/gpp_creds.c
 index 3ebd726..187ada7 100644
@@ -86,21 +86,19 @@ index 3ebd726..187ada7 100644
           * principal name, they are blackholed.  We either have to change the
           * name (at which point the file grows forever) or flash the cache on
           * every update. */
--        ret = krb5_cc_initialize(ctx, ccache, cred.client);
--        if (ret != 0) {
 +        ret = krb5_cc_default(ctx, &ccache);
 +        if (ret)
-             goto done;
--        }
++            goto done;
 +
-+        ret = krb5_cc_initialize(ctx, ccache, cred.client);
+         ret = krb5_cc_initialize(ctx, ccache, cred.client);
+-        if (ret != 0) {
 +        if (ret != 0)
 +            goto done;
 +
 +        ret = krb5_cc_store_cred(ctx, ccache, &cred);
 +        goto done;
-     }
- 
++    }
++
 +    ret = krb5_cc_cache_match(ctx, cred.client, &ccache);
 +    if (ret == KRB5_CC_NOTFOUND) {
 +        /* A new ccache within the collection whose name is based off the
@@ -113,15 +111,15 @@ index 3ebd726..187ada7 100644
 +        cc_type = strndup(cc_name, p - cc_name);
 +        if (!cc_type) {
 +            ret = ENOMEM;
-+            goto done;
-+        }
+             goto done;
+         }
 +
 +        ret = krb5_cc_new_unique(ctx, cc_type, NULL, &ccache);
 +        free(cc_type);
-+    }
+     }
 +    if (ret)
 +        goto done;
-+
+ 
      ret = krb5_cc_store_cred(ctx, ccache, &cred);
 +    if (ret)
 +        goto done;
diff --git a/SOURCES/Update-docs-to-reflect-actual-behavior-of-krb5_princ.patch b/SOURCES/Update-docs-to-reflect-actual-behavior-of-krb5_princ.patch
new file mode 100644
index 0000000..a94074d
--- /dev/null
+++ b/SOURCES/Update-docs-to-reflect-actual-behavior-of-krb5_princ.patch
@@ -0,0 +1,31 @@
+From c97c8e8b4a1db36a2658d1f054a33e830dbcfa7c Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 2 Oct 2018 14:52:18 -0400
+Subject: [PATCH] Update docs to reflect actual behavior of krb5_principal
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+Reviewed-by: Simo Sorce <simo@redhat.com>
+Merges: #235
+(cherry picked from commit ffb05b5eeb9aa818690e5eece5ab6d84cf8fc24b)
+---
+ proxy/man/gssproxy.conf.5.xml | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/proxy/man/gssproxy.conf.5.xml b/proxy/man/gssproxy.conf.5.xml
+index abb6745..7874c6e 100644
+--- a/proxy/man/gssproxy.conf.5.xml
++++ b/proxy/man/gssproxy.conf.5.xml
+@@ -307,7 +307,12 @@
+                 <varlistentry>
+                     <term>krb5_principal (string)</term>
+                     <listitem>
+-                        <para>The krb5 principal to be used by this service.</para>
++                        <para>
++                            The krb5 principal to be used preferred for this
++                            service, if one isn't requested by the
++                            application.  Note that this does not enforce use
++                            of this specific name; it only sets a default.
++                        </para>
+                         <para>Default: krb5_principal = </para>
+                     </listitem>
+                     </varlistentry>
diff --git a/SPECS/gssproxy.spec b/SPECS/gssproxy.spec
index a667d8b..154df99 100644
--- a/SPECS/gssproxy.spec
+++ b/SPECS/gssproxy.spec
@@ -1,6 +1,6 @@
 Name:		gssproxy
 Version:	0.7.0
-Release:	26%{?dist}
+Release:	28%{?dist}
 Summary:	GSSAPI Proxy
 
 Group:		System Environment/Libraries
@@ -61,6 +61,8 @@ Patch43: Handle-gss_import_cred-failure-when-importing-gssx-c.patch
 Patch44: Include-length-when-using-krb5_c_decrypt.patch
 Patch45: Change-the-way-we-handle-encrypted-buffers.patch
 Patch46: Avoid-uninitialized-free-when-allocating-buffers.patch
+Patch47: Update-docs-to-reflect-actual-behavior-of-krb5_princ.patch
+Patch48: Fix-double-free-of-popt-context-when-querying-versio.patch
 
 ### Dependencies ###
 
@@ -153,6 +155,8 @@ A proxy for GSSAPI credential handling
 %patch44 -p2 -b .Include-length-when-using-krb5_c_decrypt
 %patch45 -p2 -b .Change-the-way-we-handle-encrypted-buffers
 %patch46 -p2 -b .Avoid-uninitialized-free-when-allocating-buffers
+%patch47 -p2 -b .Update-docs-to-reflect-actual-behavior-of-krb5_princ
+%patch48 -p2 -b .Fix-double-free-of-popt-context-when-querying-versio
 
 %build
 autoreconf -f -i
@@ -215,6 +219,14 @@ rm -rf -- "%{buildroot}"
 
 
 %changelog
+* Thu Sep 19 2019 Robbie Harwood <rharwood@redhat.com> 0.7.0-28
+- Fix double free of popt context when querying version
+- Resolves: #1752810
+
+* Mon Jul 22 2019 Robbie Harwood <rharwood@redhat.com> 0.7.0-27
+- Update docs to reflect actual behavior of krb5_principal
+- Resolves: #1553094
+
 * Wed May 01 2019 Robbie Harwood <rharwood@redhat.com> 0.7.0-26
 - Avoid uninitialized free when allocating buffers
 - Resolves: #1699331