diff --git a/NEWS b/NEWS
index d4ec29560..bcb022eb6 100644
--- a/NEWS
+++ b/NEWS
@@ -59,7 +59,9 @@ ver 0.20 (not yet released)
 * switch the code base to C++14
   - GCC 4.9 or clang 3.4 (or newer) recommended
 
-ver 0.19.20 (not yet released)
+ver 0.19.20 (2016/12/09)
+* protocol
+  - "setprio" re-enqueues old song if priority has been raised
 * decoder
   - ffmpeg: ignore empty packets
   - pcm: fix corruption bug with partial frames (after short read)
@@ -67,6 +69,7 @@ ver 0.19.20 (not yet released)
 * output
   - winmm: fix 8 bit playback
 * fix gcc 7.0 -Wimplicit-fallthrough
+* systemd: paranoid security settings
 
 ver 0.19.19 (2016/08/23)
 * decoder
diff --git a/src/LogInit.cxx b/src/LogInit.cxx
index 705bae8f3..12d9ea9a9 100644
--- a/src/LogInit.cxx
+++ b/src/LogInit.cxx
@@ -45,7 +45,7 @@ static constexpr Domain log_domain("log");
 
 #ifndef ANDROID
 
-static int out_fd;
+static int out_fd = -1;
 static AllocatedPath out_path = AllocatedPath::Null();
 
 static void redirect_logs(int fd)
diff --git a/src/queue/Queue.cxx b/src/queue/Queue.cxx
index f42b1763e..3e2b0d74c 100644
--- a/src/queue/Queue.cxx
+++ b/src/queue/Queue.cxx
@@ -427,14 +427,15 @@ Queue::SetPriority(unsigned position, uint8_t priority, int after_order,
 
 		if (_order < (unsigned)after_order) {
 			/* the specified song has been played already
-			   - enqueue it only if its priority has just
-			   become bigger than the current one's */
+			   - enqueue it only if its priority has been
+			   increased and is now bigger than the
+			   current one's */
 
 			const unsigned after_position =
 				OrderToPosition(after_order);
 			const Item *after_item =
 				&items[after_position];
-			if (old_priority > after_item->priority ||
+			if (priority <= old_priority ||
 			    priority <= after_item->priority)
 				/* priority hasn't become bigger */
 				return true;
diff --git a/systemd/mpd.service.in b/systemd/mpd.service.in
index f48c0f0e4..7b0218bf2 100644
--- a/systemd/mpd.service.in
+++ b/systemd/mpd.service.in
@@ -14,6 +14,15 @@ LimitRTTIME=infinity
 # disallow writing to /usr, /bin, /sbin, ...
 ProtectSystem=yes
 
+# more paranoid security settings
+NoNewPrivileges=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+RestrictNamespaces=yes
+
 [Install]
 WantedBy=multi-user.target
 Also=mpd.socket