diff -Nru krb5-1.13.2+dfsg/debian/changelog krb5-1.13.2+dfsg/debian/changelog
--- krb5-1.13.2+dfsg/debian/changelog	2019-01-11 15:47:14.000000000 +0000
+++ krb5-1.13.2+dfsg/debian/changelog	2020-11-11 14:24:44.000000000 +0000
@@ -1,3 +1,12 @@
+krb5 (1.13.2+dfsg-5ubuntu2.2) xenial-security; urgency=medium
+
+  * SECURITY UPDATE: Unbounded recursion
+    - debian/patches/CVE-2020-28196.patch: adds recursion limit for ASN.1
+      indefinite lenghts in src/lib/krb5/asn.1/asn1_encode.c.
+    - CVE-2020-28196
+
+ -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Wed, 11 Nov 2020 11:24:12 -0300
+
 krb5 (1.13.2+dfsg-5ubuntu2.1) xenial-security; urgency=medium
 
   * SECURITY UPDATE: DoS (NULL pointer dereference) via a crafted request to
diff -Nru krb5-1.13.2+dfsg/debian/patches/CVE-2020-28196.patch krb5-1.13.2+dfsg/debian/patches/CVE-2020-28196.patch
--- krb5-1.13.2+dfsg/debian/patches/CVE-2020-28196.patch	1970-01-01 00:00:00.000000000 +0000
+++ krb5-1.13.2+dfsg/debian/patches/CVE-2020-28196.patch	2020-11-12 12:58:04.000000000 +0000
@@ -0,0 +1,91 @@
+From 57415dda6cf04e73ffc3723be518eddfae599bfd Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Sat, 31 Oct 2020 17:07:05 -0400
+Subject: [PATCH] Add recursion limit for ASN.1 indefinite lengths
+
+The libkrb5 ASN.1 decoder supports BER indefinite lengths.  It
+computes the tag length using recursion; the lack of a recursion limit
+allows an attacker to overrun the stack and cause the process to
+crash.  Reported by Demi Obenour.
+
+CVE-2020-28196:
+
+In MIT krb5 releases 1.11 and later, an unauthenticated attacker can
+cause a denial of service for any client or server to which it can
+send an ASN.1-encoded Kerberos message of sufficient length.
+
+ticket: 8959 (new)
+tags: pullup
+target_version: 1.18-next
+target_version: 1.17-next
+diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c
+index b9770a1..e7f0397 100644
+--- a/src/lib/krb5/asn.1/asn1_encode.c
++++ b/src/lib/krb5/asn.1/asn1_encode.c
+@@ -393,7 +393,7 @@ make_tag(asn1buf *buf, const taginfo *t, size_t len, size_t *retlen)
+ static asn1_error_code
+ get_tag(const unsigned char *asn1, size_t len, taginfo *tag_out,
+         const unsigned char **contents_out, size_t *clen_out,
+-        const unsigned char **remainder_out, size_t *rlen_out)
++        const unsigned char **remainder_out, size_t *rlen_out, int recursion)
+ {
+     asn1_error_code ret;
+     unsigned char o;
+@@ -431,9 +431,11 @@ get_tag(const unsigned char *asn1, size_t len, taginfo *tag_out,
+         /* Indefinite form (should not be present in DER, but we accept it). */
+         if (tag_out->construction != CONSTRUCTED)
+             return ASN1_MISMATCH_INDEF;
++        if (recursion >= 32)
++            return ASN1_OVERFLOW;
+         p = asn1;
+         while (!(len >= 2 && p[0] == 0 && p[1] == 0)) {
+-            ret = get_tag(p, len, &t, &c, &clen, &p, &len);
++            ret = get_tag(p, len, &t, &c, &clen, &p, &len, recursion + 1);
+             if (ret)
+                 return ret;
+         }
+@@ -652,7 +654,7 @@ split_der(asn1buf *buf, unsigned char *const *der, size_t len,
+     const unsigned char *contents, *remainder;
+     size_t clen, rlen;
+ 
+-    ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen);
++    ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen, 0);
+     if (ret)
+         return ret;
+     if (rlen != 0)
+@@ -1259,7 +1261,7 @@ decode_atype(const taginfo *t, const unsigned char *asn1,
+         const unsigned char *rem;
+         size_t rlen;
+         if (!tag->implicit) {
+-            ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen);
++            ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen, 0);
+             if (ret)
+                 return ret;
+             /* Note: we don't check rlen (it should be 0). */
+@@ -1481,7 +1483,7 @@ decode_sequence(const unsigned char *asn1, size_t len,
+     for (i = 0; i < seq->n_fields; i++) {
+         if (len == 0)
+             break;
+-        ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len);
++        ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0);
+         if (ret)
+             goto error;
+         /*
+@@ -1539,7 +1541,7 @@ decode_sequence_of(const unsigned char *asn1, size_t len,
+     *seq_out = NULL;
+     *count_out = 0;
+     while (len > 0) {
+-        ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len);
++        ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0);
+         if (ret)
+             goto error;
+         if (!check_atype_tag(elemtype, &t)) {
+@@ -1625,7 +1627,7 @@ k5_asn1_full_decode(const krb5_data *code, const struct atype_info *a,
+ 
+     *retrep = NULL;
+     ret = get_tag((unsigned char *)code->data, code->length, &t, &contents,
+-                  &clen, &remainder, &rlen);
++                  &clen, &remainder, &rlen, 0);
+     if (ret)
+         return ret;
+     /* rlen should be 0, but we don't check it (and due to padding in
diff -Nru krb5-1.13.2+dfsg/debian/patches/series krb5-1.13.2+dfsg/debian/patches/series
--- krb5-1.13.2+dfsg/debian/patches/series	2019-01-10 20:03:49.000000000 +0000
+++ krb5-1.13.2+dfsg/debian/patches/series	2020-11-11 14:24:04.000000000 +0000
@@ -25,3 +25,4 @@
 CVE-2017-11368-2.patch
 CVE-2017-11462.patch
 CVE-2018-5729-CVE-2018-5730.patch
+CVE-2020-28196.patch