diff --git a/SOURCES/krb5-cve-2018-20217.patch b/SOURCES/krb5-cve-2018-20217.patch
new file mode 100644
index 0000000..ce21e1a
--- /dev/null
+++ b/SOURCES/krb5-cve-2018-20217.patch
@@ -0,0 +1,72 @@
+From 5e6d1796106df8ba6bc1973ee0917c170d929086 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Mon, 3 Dec 2018 02:33:07 +0200
+Subject: [PATCH] Ignore password attributes for S4U2Self requests
+
+For consistency with Windows KDCs, allow protocol transition to work
+even if the password has expired or needs changing.
+
+Also, when looking up an enterprise principal with an AS request,
+treat ERR_KEY_EXP as confirmation that the client is present in the
+realm.
+
+[ghudson@mit.edu: added comment in kdc_process_s4u2self_req(); edited
+commit message]
+
+ticket: 8763 (new)
+tags: pullup
+target_version: 1.17
+---
+ src/kdc/kdc_util.c           | 5 +++++
+ src/lib/krb5/krb/s4u_creds.c | 2 +-
+ src/tests/gssapi/t_s4u.py    | 8 ++++++++
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 6d53173fb0..6517a213cd 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -1574,6 +1574,11 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm,
+ 
+         memset(&no_server, 0, sizeof(no_server));
+ 
++        /* Ignore password expiration and needchange attributes (as Windows
++         * does), since S4U2Self is not password authentication. */
++        princ->pw_expiration = 0;
++        clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE);
++
+         code = validate_as_request(kdc_active_realm, request, *princ,
+                                    no_server, kdc_time, status, &e_data);
+         if (code) {
+diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
+index d2fdcb3f16..614ed41908 100644
+--- a/src/lib/krb5/krb/s4u_creds.c
++++ b/src/lib/krb5/krb/s4u_creds.c
+@@ -117,7 +117,7 @@ s4u_identify_user(krb5_context context,
+     code = k5_get_init_creds(context, &creds, client, NULL, NULL, 0, NULL,
+                              opts, krb5_get_as_key_noop, &userid, &use_master,
+                              NULL);
+-    if (code == 0 || code == KRB5_PREAUTH_FAILED) {
++    if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) {
+         *canon_user = userid.user;
+         userid.user = NULL;
+         code = 0;
+diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
+index fd29e1a270..84f3fbd752 100755
+--- a/src/tests/gssapi/t_s4u.py
++++ b/src/tests/gssapi/t_s4u.py
+@@ -20,6 +20,14 @@
+ # Get forwardable creds for service1 in the default cache.
+ realm.kinit(service1, None, ['-f', '-k'])
+ 
++# Try S4U2Self for user with a restricted password.
++realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ])
++realm.run(['./t_s4u', 'e:user', '-'])
++realm.run([kadminl, 'modprinc', '-needchange',
++          '-pwexpire', '1/1/2000', realm.user_princ])
++realm.run(['./t_s4u', 'e:user', '-'])
++realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ])
++
+ # Try krb5 -> S4U2Proxy with forwardable user creds.  This should fail
+ # at the S4U2Proxy step since the DB2 back end currently has no
+ # support for allowing it.
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index bc5177a..f5584ea 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
@@ -12,7 +12,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.15.1
-Release: 37%{?dist}
+Release: 37%{?dist}.0.1
 
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
@@ -128,6 +128,8 @@ Patch214: Add-libkrb5support-hex-functions-and-tests.patch
 Patch215: Add-a-hash-table-implementation-to-libkrb5support.patch
 Patch216: Use-a-hash-table-for-MEMORY-ccache-resolution.patch
 
+Patch10000: krb5-cve-2018-20217.patch
+
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
@@ -388,6 +390,8 @@ ONLY by kerberos itself. Do not depend on this package.
 %patch215 -p1 -b .Add-a-hash-table-implementation-to-libkrb5support
 %patch216 -p1 -b .Use-a-hash-table-for-MEMORY-ccache-resolution
 
+%patch10000 -p1 -b .cve-2018-20217
+
 ln NOTICE LICENSE
 
 chmod u+x src/util/paste-kdcproxy.py
@@ -892,6 +896,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Fri Mar  1 2019 Pablo Greco <pablo@fliagreco.com.ar> - 1.15.1-37.0.1
+- Backport fix for CVE-2018-20217
+
 * Tue Dec 18 2018 Robbie Harwood <rharwood@redhat.com> - 1.15.1-37
 - Bring back builtin crypto (openssl broke too many FIPS setups)
 - Resolves: #1657890