diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/Manifest b/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/Manifest
index dfcf9ea639..01cfe46566 100644
--- a/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/Manifest
@@ -1 +1,2 @@
 DIST krb5-1.18.2.tar.gz 8713927 BLAKE2B f0eb34e67adcb86f347c59ec6ef74970a57530cc56336a84909f852cd6135079ea89828e77c906a272f54e0faf6a4a0497f2b648446eb9d048d1c51e4ec513af SHA512 7cbb1b28e677fea3e0794e93951f3caaa2c49bb1175dd187951e72a466cc69d96c3b833d838000fe911c1a437d96a558e550f27c53a8b332fb9dfc7cbb7ec44c
+DIST krb5-1.18.3.tar.gz 8715312 BLAKE2B 4f6ad4a529e7578e83d82b43c2cada33bce1dca5081ec826ee06a713f82520b783f72ec56d2ce289e10d1ddcfaa079491e43f21c035b214d244bb80e6b2a1c9f SHA512 cf0bf6cf8f622fa085954e6da998d952cf64dc7ccc319972ed81ea0542089cabf2d0e8243df84da01ad6f40584768ca2f02d108630c6741fa7b3d7d98c887c01
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/files/CVE-2020-28196.patch b/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/files/CVE-2020-28196.patch
new file mode 100644
index 0000000000..486078437e
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/files/CVE-2020-28196.patch
@@ -0,0 +1,71 @@
+diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c
+index a160cf4fe8..cd6b879f77 100644
+--- a/lib/krb5/asn.1/asn1_encode.c
++++ b/lib/krb5/asn.1/asn1_encode.c
+@@ -356,7 +356,7 @@ make_tag(asn1buf *buf, const taginfo *t, size_t len)
+ static krb5_error_code
+ get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out,
+         const uint8_t **contents_out, size_t *clen_out,
+-        const uint8_t **remainder_out, size_t *rlen_out)
++        const uint8_t **remainder_out, size_t *rlen_out, int recursion)
+ {
+     krb5_error_code ret;
+     uint8_t o;
+@@ -394,9 +394,11 @@ get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out,
+         /* Indefinite form (should not be present in DER, but we accept it). */
+         if (tag_out->construction != CONSTRUCTED)
+             return ASN1_MISMATCH_INDEF;
++        if (recursion >= 32)
++            return ASN1_OVERFLOW;
+         p = asn1;
+         while (!(len >= 2 && p[0] == 0 && p[1] == 0)) {
+-            ret = get_tag(p, len, &t, &c, &clen, &p, &len);
++            ret = get_tag(p, len, &t, &c, &clen, &p, &len, recursion + 1);
+             if (ret)
+                 return ret;
+         }
+@@ -613,7 +615,7 @@ split_der(asn1buf *buf, uint8_t *const *der, size_t len, taginfo *tag_out)
+     const uint8_t *contents, *remainder;
+     size_t clen, rlen;
+ 
+-    ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen);
++    ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen, 0);
+     if (ret)
+         return ret;
+     if (rlen != 0)
+@@ -1199,7 +1201,7 @@ decode_atype(const taginfo *t, const uint8_t *asn1, size_t len,
+         const uint8_t *rem;
+         size_t rlen;
+         if (!tag->implicit) {
+-            ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen);
++            ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen, 0);
+             if (ret)
+                 return ret;
+             /* Note: we don't check rlen (it should be 0). */
+@@ -1420,7 +1422,7 @@ decode_sequence(const uint8_t *asn1, size_t len, const struct seq_info *seq,
+     for (i = 0; i < seq->n_fields; i++) {
+         if (len == 0)
+             break;
+-        ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len);
++        ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0);
+         if (ret)
+             goto error;
+         /*
+@@ -1478,7 +1480,7 @@ decode_sequence_of(const uint8_t *asn1, size_t len,
+     *seq_out = NULL;
+     *count_out = 0;
+     while (len > 0) {
+-        ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len);
++        ret = get_tag(asn1, len, &t, &contents, &clen, &asn1, &len, 0);
+         if (ret)
+             goto error;
+         if (!check_atype_tag(elemtype, &t)) {
+@@ -1584,7 +1586,7 @@ k5_asn1_full_decode(const krb5_data *code, const struct atype_info *a,
+ 
+     *retrep = NULL;
+     ret = get_tag((uint8_t *)code->data, code->length, &t, &contents,
+-                  &clen, &remainder, &rlen);
++                  &clen, &remainder, &rlen, 0);
+     if (ret)
+         return ret;
+     /* rlen should be 0, but we don't check it (and due to padding in
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/metadata.xml b/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/metadata.xml
index 70f026233c..ea5af54c10 100644
--- a/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/metadata.xml
@@ -5,7 +5,6 @@
   <email>kerberos@gentoo.org</email>
   <name>Kerberos</name>
 </maintainer>
-<longdescription>Kerberos 5 reference implementation from MIT</longdescription>
 <use>
   <flag name="doc">
     Creates and installs the API and implementation
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/mit-krb5-1.18.2-r1.ebuild b/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/mit-krb5-1.18.2-r2.ebuild
similarity index 99%
rename from sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/mit-krb5-1.18.2-r1.ebuild
rename to sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/mit-krb5-1.18.2-r2.ebuild
index 9b83aa0a7d..ffa3b45e66 100644
--- a/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/mit-krb5-1.18.2-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/mit-krb5-1.18.2-r2.ebuild
@@ -63,6 +63,7 @@ PATCHES=(
 	"${FILESDIR}/${PN}-1.16.3-libressl-r1.patch"
 	"${FILESDIR}/${PN}_dont_create_run.patch"
 	"${FILESDIR}/${PN}-1.18-libressl.patch"
+	"${FILESDIR}/CVE-2020-28196.patch"
 )
 
 MULTILIB_CHOST_TOOLS=(
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/mit-krb5-1.18.3.ebuild b/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/mit-krb5-1.18.3.ebuild
new file mode 100644
index 0000000000..135ea3b3c5
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/mit-krb5/mit-krb5-1.18.3.ebuild
@@ -0,0 +1,167 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{6,7} )
+inherit autotools flag-o-matic multilib-minimal python-any-r1 systemd toolchain-funcs
+
+MY_P="${P/mit-}"
+P_DIR=$(ver_cut 1-2)
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="https://web.mit.edu/kerberos/www/"
+SRC_URI="https://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}.tar.gz"
+
+LICENSE="openafs-krb5-a BSD MIT OPENLDAP BSD-2 HPND BSD-4 ISC RSA CC-BY-SA-3.0 || ( BSD-2 GPL-2+ )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
+IUSE="cpu_flags_x86_aes doc +keyutils libressl lmdb nls openldap +pkinit selinux +threads test xinetd"
+
+# Test suite requires network access
+RESTRICT="test"
+
+DEPEND="
+	!!app-crypt/heimdal
+	>=sys-libs/e2fsprogs-libs-1.42.9[${MULTILIB_USEDEP}]
+	|| (
+		>=dev-libs/libverto-0.2.5[libev,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[libevent,${MULTILIB_USEDEP}]
+		>=dev-libs/libverto-0.2.5[tevent,${MULTILIB_USEDEP}]
+	)
+	keyutils? ( >=sys-apps/keyutils-1.5.8:=[${MULTILIB_USEDEP}] )
+	lmdb? ( dev-db/lmdb )
+	nls? ( sys-devel/gettext[${MULTILIB_USEDEP}] )
+	openldap? ( >=net-nds/openldap-2.4.38-r1[${MULTILIB_USEDEP}] )
+	pkinit? (
+		!libressl? ( >=dev-libs/openssl-1.0.1h-r2:0=[${MULTILIB_USEDEP}] )
+		libressl? ( dev-libs/libressl:0=[${MULTILIB_USEDEP}] )
+	)
+	xinetd? ( sys-apps/xinetd )
+	"
+BDEPEND="
+	${PYTHON_DEPS}
+	virtual/yacc
+	cpu_flags_x86_aes? (
+		amd64? ( dev-lang/yasm )
+		x86? ( dev-lang/yasm )
+	)
+	doc? ( virtual/latex-base )
+	test? (
+		${PYTHON_DEPS}
+		dev-lang/tcl:0
+		dev-util/dejagnu
+		dev-util/cmocka
+	)"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-kerberos )"
+
+S=${WORKDIR}/${MY_P}/src
+
+PATCHES=(
+	"${FILESDIR}/${PN}-1.12_warn_cflags.patch"
+	"${FILESDIR}/${PN}-config_LDFLAGS-r1.patch"
+	"${FILESDIR}/${PN}-1.16.3-libressl-r1.patch"
+	"${FILESDIR}/${PN}_dont_create_run.patch"
+	"${FILESDIR}/${PN}-1.18-libressl.patch"
+)
+
+MULTILIB_CHOST_TOOLS=(
+	/usr/bin/krb5-config
+)
+
+src_prepare() {
+	default
+	# Make sure we always use the system copies.
+	rm -rf util/{et,ss,verto}
+	sed -i 's:^[[:space:]]*util/verto$::' configure.ac || die
+
+	eautoreconf
+}
+
+src_configure() {
+	# QA
+	append-flags -fno-strict-aliasing
+	append-flags -fno-strict-overflow
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	ECONF_SOURCE=${S} \
+	WARN_CFLAGS="set" \
+	econf \
+		$(use_with openldap ldap) \
+		"$(multilib_native_use_with test tcl "${EPREFIX}/usr")" \
+		$(use_enable nls) \
+		$(use_enable pkinit) \
+		$(use_enable threads thread-support) \
+		$(use_with lmdb) \
+		$(use_with keyutils) \
+		--without-hesiod \
+		--enable-shared \
+		--with-system-et \
+		--with-system-ss \
+		--enable-dns-for-realm \
+		--enable-kdc-lookaside-cache \
+		--with-system-verto \
+		--disable-rpath \
+		\
+		AR="$(tc-getAR)"
+}
+
+multilib_src_compile() {
+	emake -j1
+}
+
+multilib_src_test() {
+	multilib_is_native_abi && emake -j1 check
+}
+
+multilib_src_install() {
+	emake \
+		DESTDIR="${D}" \
+		EXAMPLEDIR="${EPREFIX}/usr/share/doc/${PF}/examples" \
+		install
+}
+
+multilib_src_install_all() {
+	# default database dir
+	keepdir /var/lib/krb5kdc
+
+	cd ..
+	dodoc README
+
+	if use doc; then
+		dodoc -r doc/html
+		docinto pdf
+		dodoc doc/pdf/*.pdf
+	fi
+
+	newinitd "${FILESDIR}"/mit-krb5kadmind.initd-r2 mit-krb5kadmind
+	newinitd "${FILESDIR}"/mit-krb5kdc.initd-r2 mit-krb5kdc
+	newinitd "${FILESDIR}"/mit-krb5kpropd.initd-r2 mit-krb5kpropd
+	newconfd "${FILESDIR}"/mit-krb5kadmind.confd mit-krb5kadmind
+	newconfd "${FILESDIR}"/mit-krb5kdc.confd mit-krb5kdc
+	newconfd "${FILESDIR}"/mit-krb5kpropd.confd mit-krb5kpropd
+
+	systemd_newunit "${FILESDIR}"/mit-krb5kadmind.service mit-krb5kadmind.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kdc.service mit-krb5kdc.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.service mit-krb5kpropd.service
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd_at.service "mit-krb5kpropd@.service"
+	systemd_newunit "${FILESDIR}"/mit-krb5kpropd.socket mit-krb5kpropd.socket
+
+	insinto /etc
+	newins "${ED}/usr/share/doc/${PF}/examples/krb5.conf" krb5.conf.example
+	insinto /var/lib/krb5kdc
+	newins "${ED}/usr/share/doc/${PF}/examples/kdc.conf" kdc.conf.example
+
+	if use openldap ; then
+		insinto /etc/openldap/schema
+		doins "${S}/plugins/kdb/ldap/libkdb_ldap/kerberos.schema"
+	fi
+
+	if use xinetd ; then
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}/kpropd.xinetd" kpropd
+	fi
+}