diff --git a/.cvsignore b/.cvsignore
index 70b22bb..c0ac9d0 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -4,3 +4,4 @@ pam_krb5-2.3.2-1.tar.gz
 pam_krb5-2.3.3-1.tar.gz
 pam_krb5-2.3.4-1.tar.gz
 pam_krb5-2.3.5-1.tar.gz
+pam_krb5-2.3.6-1.tar.gz
diff --git a/pam_krb5.spec b/pam_krb5.spec
index 7d19eb5..671d8fe 100644
--- a/pam_krb5.spec
+++ b/pam_krb5.spec
@@ -1,6 +1,6 @@
 Summary: A Pluggable Authentication Module for Kerberos 5.
 Name: pam_krb5
-Version: 2.3.5
+Version: 2.3.6
 Release: 1%{?dist}
 Source0: pam_krb5-%{version}-1.tar.gz
 License: BSD or LGPLv2+
@@ -50,7 +50,15 @@ sed -ri -e 's|/lib(64)?/|/\$LIB/|g' $RPM_BUILD_ROOT/%{_mandir}/man*/pam_krb5*.8*
 %doc README* COPYING* ChangeLog NEWS
 
 %changelog
-* Tue May 26 2009 Nalin Dahyabhai <nalin@redhat.com> - 2.3.5-1
+* Mon Jun 15 2009 Nalin Dahyabhai <nalin@redhat.com> - 2.3.6-1
+- prefer keys for services matching the pattern host/*@clientrealm when
+  validating (#450776)
+
+* Fri Jun  5 2009 Nalin Dahyabhai <nalin@redhat.com> - 2.3.5-1
+- when we get asked for the user's long-term key, use a plain Password:
+  prompt value rather than the library-supplied one
+
+* Tue May 26 2009 Nalin Dahyabhai <nalin@redhat.com>
 - catch the case where we pass a NULL initial password into libkrb5 and
   it uses our callback to ask us for the password for the user using a
   principal name, and reject that (#502602)
diff --git a/sources b/sources
index f808e6e..1d23f98 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-24978d4b0886e6cc83baa00124937143  pam_krb5-2.3.5-1.tar.gz
+6c4f99d1f9777a51871023b35c98d26f  pam_krb5-2.3.6-1.tar.gz