diff --git a/SOURCES/krb5-1.15-krad-eof.patch b/SOURCES/krb5-1.15-krad-eof.patch
new file mode 100644
index 0000000..6ed72ea
--- /dev/null
+++ b/SOURCES/krb5-1.15-krad-eof.patch
@@ -0,0 +1,49 @@
+From 7fd9fc07cbccef7a6e682057e1560e5b343cb9ff Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Fri, 30 Sep 2016 10:03:33 -0400
+Subject: [PATCH] Properly handle EOF condition on libkrad sockets
+
+In the previous code, when the remote peer performed an orderly shutdown
+on the socket, libkrad would enter a state in which all future requests
+timed out.  Instead, if the peer shuts down its socket, we need to
+attempt to reopen it.
+
+ticket: 8504 (new)
+target_version: 1.14-next
+tags: pullup
+
+(cherry picked from commit 248497427d5a45225817b6c22e9224e8ad969872)
+---
+ src/lib/krad/remote.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
+index df3de3a..68cd16f 100644
+--- a/src/lib/krad/remote.c
++++ b/src/lib/krad/remote.c
+@@ -329,16 +329,15 @@ on_io_read(krad_remote *rr)
+     /* Read the packet. */
+     i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
+              pktlen, 0);
+-    if (i < 0) {
+-        /* Should we try again? */
+-        if (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR)
+-            return;
+ 
+-        /* The socket is unrecoverable. */
++    /* On these errors, try again. */
++    if (i < 0 && (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR))
++        return;
++
++    /* On any other errors or on EOF, the socket is unrecoverable. */
++    if (i <= 0) {
+         remote_shutdown(rr);
+         return;
+-    } else if (i == 0) {
+-        remote_del_flags(rr, FLAGS_READ);
+     }
+ 
+     /* If we have a partial read or just the header, try again. */
+-- 
+2.10.1
+
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index 36ac156..1351a7e 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
@@ -13,7 +13,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.14.1
-Release: 26%{?dist}
+Release: 27%{?dist}
 
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
@@ -80,6 +80,7 @@ Patch150: krb5-1.15-kadmin-kprop-port-test.patch
 Patch151: krb5-1.14.4-CVE-2016-3120.patch
 Patch152: krb5-1.14.4-SNI-HTTP-Host.patch
 Patch153: krb5-1.14.4-Fix-responder-without-preauth.patch
+Patch154: krb5-1.15-krad-eof.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -304,6 +305,7 @@ chmod u+x src/util/paste-kdcproxy.py
 %patch151 -p1 -b .CVE-2016-3120
 %patch152 -p1 -b .SNI-HTTP-Host
 %patch153 -p1 -b .Fix-responder-without-preauth
+%patch154 -p1 -b .krad-eof
 
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -853,6 +855,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Wed Nov 02 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-27
+- Properly handle EOF on libkrad sockets
+- Resolves: #1382449
+
 * Wed Aug 17 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-26
 - Use responder in non-preauth AS reqs
 - Resolves: #1363690