diff -Nru krb5-1.19.2/debian/changelog krb5-1.19.2/debian/changelog
--- krb5-1.19.2/debian/changelog	2021-10-27 20:04:42.000000000 +0000
+++ krb5-1.19.2/debian/changelog	2022-02-21 20:05:20.000000000 +0000
@@ -1,3 +1,11 @@
+krb5 (1.19.2-2) unstable; urgency=medium
+
+  * Standards version 4.6.0; no change
+  * kpropd: run after network.target, Closes: #948820
+  * krb5-kdc: Remove /var from PidFile, Closes: #982009
+
+ -- Sam Hartman <hartmans@debian.org>  Mon, 21 Feb 2022 13:05:20 -0700
+
 krb5 (1.19.2-1) experimental; urgency=medium
 
   * New Upstream version
diff -Nru krb5-1.19.2/debian/control krb5-1.19.2/debian/control
--- krb5-1.19.2/debian/control	2021-10-27 20:04:42.000000000 +0000
+++ krb5-1.19.2/debian/control	2022-02-21 19:08:34.000000000 +0000
@@ -7,7 +7,7 @@
  libssl-dev,  ss-dev,
  libverto-dev (>= 0.2.4), pkg-config
 Build-Depends-Indep: python3, python3-cheetah, python3-lxml, python3-sphinx, doxygen, doxygen-latex, tex-gyre
-Standards-Version: 4.5.0
+Standards-Version: 4.6.0
 Maintainer: Sam Hartman <hartmans@debian.org>
 Uploaders: Russ Allbery <rra@debian.org>, Benjamin Kaduk <kaduk@mit.edu>
 Homepage: http://web.mit.edu/kerberos/
diff -Nru krb5-1.19.2/debian/krb5-admin-server.service krb5-1.19.2/debian/krb5-admin-server.service
--- krb5-1.19.2/debian/krb5-admin-server.service	2021-10-27 20:04:42.000000000 +0000
+++ krb5-1.19.2/debian/krb5-admin-server.service	2022-02-21 19:58:33.000000000 +0000
@@ -11,6 +11,10 @@
 ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 Restart=on-abnormal
+ProtectProc=invisible
+PrivateDevices=yes
+NoNewPrivileges=yes
+ProtectKernelTunables=yes
 
 [Install]
 WantedBy=multi-user.target
diff -Nru krb5-1.19.2/debian/krb5-kdc.service krb5-1.19.2/debian/krb5-kdc.service
--- krb5-1.19.2/debian/krb5-kdc.service	2021-10-27 20:04:42.000000000 +0000
+++ krb5-1.19.2/debian/krb5-kdc.service	2022-02-21 19:58:33.000000000 +0000
@@ -4,7 +4,7 @@
 
 [Service]
 Type=forking
-PIDFile=/var/run/krb5-kdc.pid
+PIDFile=/run/krb5-kdc.pid
 ExecReload=/bin/kill -HUP $MAINPID
 EnvironmentFile=-/etc/default/krb5-kdc
 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS
@@ -13,6 +13,10 @@
 ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 Restart=on-abnormal
+ProtectProc=invisible
+PrivateDevices=yes
+NoNewPrivileges=yes
+ProtectKernelTunables=yes
 
 
 [Install]
diff -Nru krb5-1.19.2/debian/krb5-kpropd.service krb5-1.19.2/debian/krb5-kpropd.service
--- krb5-1.19.2/debian/krb5-kpropd.service	2021-08-29 22:20:54.000000000 +0000
+++ krb5-1.19.2/debian/krb5-kpropd.service	2022-02-21 19:58:33.000000000 +0000
@@ -1,7 +1,7 @@
 [Unit]
 Description=Kerberos 5 slave KDC update server
 Conflicts=krb5-admin-server.service
-
+After=network.target
 [Service]
 ExecReload=/bin/kill -HUP $MAINPID
 EnvironmentFile=-/etc/default/krb5-kpropd
@@ -10,6 +10,10 @@
 ReadOnlyDirectories=/
 ReadWriteDirectories=/var/tmp /tmp /var/lib/krb5kdc /var/run /run
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+ProtectProc=invisible
+PrivateDevices=yes
+NoNewPrivileges=yes
+ProtectKernelTunables=yes
 
 [Install]
 WantedBy=multi-user.target