diff --git a/SOURCES/sudo-1.9.5-sudoedit-selinux.patch b/SOURCES/sudo-1.9.5-sudoedit-selinux.patch
new file mode 100644
index 0000000..ece57bd
--- /dev/null
+++ b/SOURCES/sudo-1.9.5-sudoedit-selinux.patch
@@ -0,0 +1,11 @@
+diff -up ./src/sudo_edit.c.rest ./src/sudo_edit.c
+--- ./src/sudo_edit.c.rest 2021-11-21 18:41:09.420657680 +0100
++++ ./src/sudo_edit.c 2021-11-21 18:42:23.214272777 +0100
+@@ -878,6 +878,7 @@ selinux_edit_create_tfiles(struct comman
+ }
+ close(tfd);
+ }
++ ret = nfiles;
+
+ done:
+ /* Contents of tf will be freed by caller. */
diff --git a/SOURCES/sudo-1.9.7-krb5ccname.patch b/SOURCES/sudo-1.9.7-krb5ccname.patch
new file mode 100644
index 0000000..4339423
--- /dev/null
+++ b/SOURCES/sudo-1.9.7-krb5ccname.patch
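Review bot: The new `ret = nfiles;` is the only success assignment of `ret` visible in `selinux_edit_create_tfiles`, and nothing in the hunk says why the file count is the success value, so a comment would help the next backporter: `/* All temp files created: report the count so the caller sees success. */`. Because the assignment sits after the loop, any `goto done` taken earlier presumably leaves `ret` at its initial error value, which looks intended but should be confirmed against the function head, which is outside the hunk. Unlike the sigchild and utmp-leak patches, this file carries no upstream commit, author or subject header, so a reader cannot tell whether it is a local fix or a backport; recording the provenance (the upstream revision if one exists, or at least the Bugzilla id from the spec) in the patch preamble would make the backport auditable. The same applies to the krb5ccname patch.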
@@ -0,0 +1,54 @@
+diff -up ./plugins/sudoers/auth/pam.c.krb5ccname ./plugins/sudoers/auth/pam.c
+--- ./plugins/sudoers/auth/pam.c.krb5ccname 2019-10-28 13:27:38.000000000 +0100
++++ ./plugins/sudoers/auth/pam.c 2021-12-06 11:14:15.580226222 +0100
+@@ -119,10 +119,10 @@ conv_filter_init(void)
+
+ /*
+ * Messages from PAM account management when trusted mode is enabled:
+- * 1 Last successful login for %s: %s
+- * 2 Last successful login for %s: %s on %s
+- * 3 Last unsuccessful login for %s: %s
+- * 4 Last unsuccessful login for %s: %s on %s
++ * 1 Last successful login for %s: %s
++ * 2 Last successful login for %s: %s on %s
++ * 3 Last unsuccessful login for %s: %s
++ * 4 Last unsuccessful login for %s: %s on %s
+ */
+ if ((catd = catopen("pam_comsec", NL_CAT_LOCALE)) != -1) {
+ maxfilters += 4;
+@@ -290,6 +290,7 @@ sudo_pam_init_quiet(struct passwd *pw, s
+ int
+ sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
+ {
++ const char *envccname;
+ const char *s;
+ int *pam_status = (int *) auth->data;
+ debug_decl(sudo_pam_verify, SUDOERS_DEBUG_AUTH)
+@@ -298,8 +299,27 @@ sudo_pam_verify(struct passwd *pw, char
+ getpass_error = false; /* set by converse if user presses ^C */
+ conv_callback = callback; /* passed to conversation function */
++ /* Set KRB5CCNAME from the user environment if not set to propagate this
++ * information to PAM modules that may use it to authentication. */
++ envccname = sudo_getenv("KRB5CCNAME");
++ if (envccname == NULL && user_ccname != NULL) {
++ if (sudo_setenv("KRB5CCNAME", user_ccname, true) != 0) {
++ sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
++ "unable to set KRB5CCNAME");
++ debug_return_int(AUTH_FAILURE);
++ }
++ }
++
+ /* PAM_SILENT prevents the authentication service from generating output. */
+ *pam_status = pam_authenticate(pamh, PAM_SILENT);
++
++ /* Restore KRB5CCNAME to its original value. */
++ if (envccname == NULL && sudo_unsetenv("KRB5CCNAME") != 0) {
++ sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
++ "unable to restore KRB5CCNAME");
++ debug_return_int(AUTH_FAILURE);
++ }
++
+ if (getpass_error) {
+ /* error or ^C from tgetpass() */
+ debug_return_int(AUTH_INTR);
diff --git a/SOURCES/sudo-1.9.7-sigchild.patch b/SOURCES/sudo-1.9.7-sigchild.patch
new file mode 100644
index 0000000..94fcc94
--- /dev/null
+++ b/SOURCES/sudo-1.9.7-sigchild.patch
@@ -0,0 +1,35 @@
+From 727056e0c9519d8eecde801e950b35f2f69c72e2 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Fri, 23 Apr 2021 07:41:27 -0600
+Subject: [PATCH] Make sure SIGCHLD is not ignored when sudo is executed. If
+ SIGCHLD is ignored there is a race condition between when the process is
+ executed and when the SIGCHLD handler is installed. This fixes the bug
+ described by GitHub PR #98
+
+---
+ src/signal.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/signal.c b/src/signal.c
+index 7f90d707b..866b64790 100644
+--- a/src/signal.c
++++ b/src/signal.c
+@@ -133,6 +133,18 @@ init_signals(void)
+ case SIGTTOU:
+ /* Don't install these until exec time. */
+ break;
++ case SIGCHLD:
++ /* Sudo needs to be able to catch SIGCHLD. */
++ if (ss->sa.sa_handler == SIG_IGN) {
++ sudo_debug_printf(SUDO_DEBUG_INFO,
++ "will restore signal %d on exec", SIGCHLD);
++ ss->restore = true;
++ }
++ if (sigaction(SIGCHLD, &sa, NULL) != 0) {
++ sudo_warn(U_("unable to set handler for signal %d"),
++ SIGCHLD);
++ }
++ break;
+ default:
+ if (ss->sa.sa_handler != SIG_IGN) {
+ if (sigaction(ss->signo, &sa, NULL) != 0) {
diff --git a/SOURCES/sudo-1.9.7-utmp-leak.patch b/SOURCES/sudo-1.9.7-utmp-leak.patch
new file mode 100644
index 0000000..5c45ae6
--- /dev/null
+++ b/SOURCES/sudo-1.9.7-utmp-leak.patch
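Review bot: The value pushed into `KRB5CCNAME` before `pam_authenticate()` comes from `user_ccname`, which is set outside this hunk and, judging by the comment, is the invoking user's own environment value; since the PAM stack runs with sudo's privileges, the comment should say explicitly that the path is caller-supplied and that any module consuming it is responsible for checking the cache's ownership and permissions, e.g. `/* user_ccname is taken from the unprivileged caller's environment; PAM modules must validate the cache they open. */`. The restore branch also runs when `user_ccname` was NULL and nothing was set; guarding it with the same condition as the set, `if (envccname == NULL && user_ccname != NULL && sudo_unsetenv("KRB5CCNAME") != 0)`, keeps the two paths symmetric and avoids a spurious AUTH_FAILURE should `sudo_unsetenv()` object to a variable that was never present. The comment wording `may use it to authentication` should read `may use it for authentication`. The first inner hunk in `conv_filter_init()` only rewrites whitespace inside a comment and is unrelated to this change, so dropping it would keep the backport minimal and easier to audit. `sudo_pam_verify()` continues past the end of the hunk.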
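Review bot: The new `case SIGCHLD:` hardcodes `SIGCHLD` in the `sigaction()` call and the warning while the `default:` branch below uses `ss->signo`; inside this case they are the same value, but `if (sigaction(ss->signo, &sa, NULL) != 0)` keeps the two arms parallel and survives a later refactor of the signal table. Unlike `default:`, this arm installs the handler even when the inherited disposition is SIG_IGN, which is the whole point of the fix; a one-line comment such as `/* Install unconditionally: an inherited SIG_IGN would race the handler setup after exec. */` would save the next reader from re-deriving that from the commit message. `init_signals()` starts and ends outside the hunk, and `sa` is presumably initialised there.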
@@ -0,0 +1,22 @@
+From 3fc3a07a03ef74fde99db40ce9ef43ccab336205 Mon Sep 17 00:00:00 2001
+From: MertsA
+Date: Fri, 23 Jul 2021 03:36:05 -0700
+Subject: [PATCH] Rewind utmp file pointer after searching for entry
+
+getutline() advances the file pointer until it matches or reaches EOF. pututline() starts from the current position in utmp. This rewinds the file pointer to the beginning to avoid allocating additional spurious utmp entries.
+---
+ src/utmp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/utmp.c b/src/utmp.c
+index 544a37519..952bf3043 100644
+--- a/src/utmp.c
++++ b/src/utmp.c
+@@ -210,6 +210,7 @@ utmp_login(const char *from_line, const char *to_line, int ttyfd,
+ memset(&utbuf, 0, sizeof(utbuf));
+ strncpy(utbuf.ut_line, from_line, sizeof(utbuf.ut_line));
+ ut_old = sudo_getutline(&utbuf);
++ sudo_setutent();
+ }
+ utmp_fill(to_line, user, ut_old, &utbuf);
+ if (sudo_pututline(&utbuf) != NULL)
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index 6b5bddc..ea0036c 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.29
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: ISC
 Group: Applications/System
 URL: https://www.sudo.ws/
@@ -67,6 +67,15 @@
 Patch16: sudo-1.9.5-CVE-2021-23240-3.patch
 Patch17: sudo-1.9.5-CVE-2021-23240-4.patch
 Patch18: sudo-1.9.5-CVE-2021-23240-5.patch
+# 2029551 - sudoedit does not work with selinux args
+Patch19: sudo-1.9.5-sudoedit-selinux.patch
+# 1999751 - Request to backport https://www.sudo.ws/repos/sudo/rev/b4c91a0f72e7 to RHEL 8
+Patch20: sudo-1.9.7-sigchild.patch
+# 1917379 - [RFE] pass KRB5CCNAME to pam_authenticate environment if available
+Patch21: sudo-1.9.7-krb5ccname.patch
+# 1986572 - utmp resource leak in sudo
+Patch22: sudo-1.9.7-utmp-leak.patch
+
 %description
 Sudo (superuser do) allows a system administrator to give certain users
 (or groups of users) the ability to run some (or all) commands
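Review bot: `ut_old` is assigned from `sudo_getutline()` one line before the new `sudo_setutent();` and is still read by `utmp_fill()` after it; if the wrapper hands back a pointer to libc's static utmp entry rather than a copy, it must be established that the rewind does not clobber that entry before this ordering is relied on, and a comment recording the expectation, `/* Rewind so pututline() does not append; ut_old must stay valid across setutent(). */`, would make the assumption explicit. The rewind is performed only inside the `from_line` branch, so the other path presumably never moved the file position and needs none; worth confirming against the top of `utmp_login()`, which is outside the hunk. The `strncpy` into `utbuf.ut_line` in the context is the usual fixed-width utmp field idiom and does not require NUL termination, so it is not a defect here.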
@@ -113,6 +122,12 @@ plugins that use %{name}.
 %patch17 -p1 -b .symbolic-link-attack-4
 %patch18 -p1 -b .symbolic-link-attack-5
+%patch19 -p1 -b .sudoedit-selinux
+
+%patch20 -p1 -b .sigchild
+%patch21 -p1 -b .krb5ccname
+%patch22 -p1 -b .utmp-leak
+
 %build
 # Remove bundled copy of zlib
 rm -rf zlib/
@@ -271,6 +286,17 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 %changelog
+* Mon Dec 06 2021 Radovan Sroka - 1.8.29-8
+RHEL 8.6.0 ERRATUM
+- sudoedit does not work with selinux args
+Resolves: rhbz#2029551
+- Make sure SIGCHLD is not ignored when sudo is executed
+Resolves: rhbz#1999751
+- [RFE] pass KRB5CCNAME to pam_authenticate environment if available
+Resolves: rhbz#1917379
+- utmp resource leak in sudo
+Resolves: rhbz#1986572
+
 * Tue Feb 02 2021 Radovan Sroka - 1.8.29-7
 - RHEL 8.4 ERRATUM
 - CVE-2021-3156